100

Last week, I had to create a little GUI for homework. None of my schoolmates did it. They stole mine from where we had to upload it and then uploaded it again as theirs. When I told my teacher it was all my work, he did not believe me.

So I thought of putting a useless method or something inside with a proof that I coded it. I thought of encryption. My best idea up till now:

```java
String key = ("ZGV2ZWxvcGVkIGJ5IFdhckdvZE5U"); // My proof in base64
```

Can you think of some other better ways?

vrwim
LoremIpsum
  • Develop a unique coding style; if copied by others, you will notice and your teacher too... hopefully – Tobias Apr 17 '13 at 14:15
  • 32
    Didn't the files have a timestamp in the upload site? – Averroes Apr 17 '13 at 14:17
  • 78
    Are you saying they could download your code from where you uploaded it? That seems crazy. You should question the teacher's methods. Preferably by talking to his/her boss since he/she seems to be slightly unreasonable. – keyser Apr 17 '13 at 14:17
  • You could sign your jar and give the key to your tutor to verify it's yours. Edit: oh, someone already answered that! :) – James Apr 17 '13 at 14:18
  • 61
    Epic fail one of your homeworks and let the whole class fail. – heldt Apr 17 '13 at 14:18
  • @keyser I had the same problem as a teacher in php courses: the directory public_html must be readable by apache, so it was also readable by other students... – Kartoch Apr 17 '13 at 14:21
  • @Keyser I will talk with the teacher about a better method. No timestamps, nothing. It's like I copied it into a folder which is accessible to everyone – LoremIpsum Apr 17 '13 at 14:30
  • 26
    Seems like the teacher is a beginner as well... – UmNyobe Apr 17 '13 at 14:33
  • 2
    Several thoughts: 1) Base64 is an encoding, not an encryption. 2) Even if you put in a key the way you suggested, what would keep them from replacing it by their own key or even just deleting it? 3) The real problem seems to be the assignment system that allows copy&paste. Obviously, it doesn't meet the "security constraint" (maybe not the right lingo, I'm not a security expert) that can be formulated as "Students should not be able to access each others solutions". Do you know how they stole it? – cyroxx Apr 17 '13 at 14:34
  • 12
    Just upload your solution within the last minute of the deadline, your "colleagues" won't be able to copy and paste your solution that fast and reupload it. – Manuel Apr 17 '13 at 14:34
  • 7
    Did they copy it 1:1, or did they copy and modify it? In the latter case, the best way would be to make algorithms overly complicated. Or, upload a subtly faulty "honey pot" some time before the deadline, and overwrite it with your proper solution later. – tobias_k Apr 17 '13 at 14:35
  • 4
    @tobias_k - Making algorithms overly complicated will frequently be harmful to your own grade. – Andy Thomas Apr 17 '13 at 14:37
  • 1
    @tobias_k They did copy it nearly 1:1. The one with the honeypot is genius, hah, I will catch them all :) – LoremIpsum Apr 17 '13 at 14:42
  • 7
    If you need to use tricks just to do your homework something is going bad in that class. – Averroes Apr 17 '13 at 14:49
  • 23
    The only sensible thing to do in this situation is try to rectify the problem by talking to the teacher about how you upload your homework. Uploading it into an area where you can download everyone else's submissions is just plain stupid - I'm not sure a teacher that thinks that approach is a good one should really be teaching! – Michael Berry Apr 17 '13 at 15:15
  • 2
    Just run your code through a code obfuscator. Have it obfuscate things to a maximum. That ought to make it ugly. If that doesn't make you happy, write your own custom classloader which loads your encrypted classes (see here: http://www.javaworld.com/javaqa/2003-05/01-qa-0509-jcrypt.html?page=1). You can even make it store the sources in the encrypted files, if you make your own format. Then give your teacher the key by e-mail. If you do that, I think you can start skipping classes. On a regular basis. :) – carlspring Apr 17 '13 at 15:30
  • If you know you/they all are using Windows, you can simply change the newline char of your sources to a Unix one. This is easy to check and no one will notice. – carlspring Apr 17 '13 at 15:37
  • 1
    @carlspring That wouldn't work too well if OP wants extra credit on his work. – Ryan Amos Apr 17 '13 at 19:26
  • 5
    @WarGodNT, If you do the signature/proof thing then I hope you'll come back here and update us on how it turned out! I'd love to hear how badly they got burned. Cheating is bad enough, but actually stealing a fellow student's work and taking credit for it is just *low*. How much of a useless asshole do you have to be to do something like that?? Why are they even studying this if they're not gonna do the work? What kind of career do they expect to develop as programmers if they can't even do their homework themselves? Sorry to get riled up, it just irks me when people are so self-serving :/ – Supr Apr 17 '13 at 20:42
  • 4
    @Supr Sadly I got no homework for tomorrow because I have a Java exam. But the next time we have to upload our source I will pick one of the awesome ideas you guys gave me and trap them all :). And afterwards I will come back here and tell you the story. Have to say I am new here on SO but it's such a great community. Never thought so many creative and useful ideas come together. THANKS! – LoremIpsum Apr 17 '13 at 21:45
  • 1
    If you ever figure this out, don't tell Mojang. – Tomáš Zato Apr 17 '13 at 23:14
  • Maybe the teacher is not honest. We had a language teacher who would allow us to cheat so she does not look as bad as she was. – tgkprog Apr 18 '13 at 04:56
  • If you copied it into a regular directory it is very likely that there are timestamps. – keyser Apr 18 '13 at 07:41
  • 2
    Ask your teacher to ask the students about the code; after all, odds are you understand it and they don't, right? – user2153497 Apr 18 '13 at 08:43
  • @heldt ROFL I would have done that!!! – Ahmad Alfy May 02 '13 at 12:50

11 Answers

105

I had the same problem as you a long time ago. We had Windows 2000 machines and uploaded files to a Novell network folder that everyone could see. I used several tricks to beat even the best thieves: whitespace watermarking; metadata watermarking; unusual characters; trusted timestamping; modus operandi. Here they are in order.

Whitespace watermarking:

This is my original contribution to watermarking. I needed an invisible watermark that worked in text files. The trick I came up with was to put in a specific pattern of whitespace between programming statements (or paragraphs). The file looked the same to them: some programming statements and line breaks. Selecting the text carefully would show the whitespace. Each empty line would contain a certain number of spaces that's obviously not random or accidental (e.g. 17). In practice, this method did the work for me because they couldn't figure out what I was embedding in the documents.

Metadata watermarking

This is where you change the file's metadata to contain information. You can embed your name, a hash, etc. in unseen parts of a file, especially EXEs. In NT days, Alternate Data Streams were popular.

Unusual characters

I'll throw this one in just for kicks. An old IRC impersonation trick was to make a name with letters that look similar to another person's name. You can use this in watermarking. The Character Map in Windows will give you many unusual characters that look similar to, but aren't, a letter or number you might use in your source code. These showing up in a specific spot in someone else's work can't be accidental.

Trusted Timestamping

In a nutshell, you send a file (or its hash) to a third party who then appends a timestamp to it and signs it with a private key. Anyone wanting proof of when you created a document can go to the trusted third party, often a website, to verify your proof of creation time. These have been used in court cases for intellectual property disputes so they are a very strong form of evidence. They're the standard way to accomplish the proof you're seeking. (I included the others first b/c they're easy, they're more fun and will probably work.)

This Wikipedia article might help your instructor understand your evidence and the external links section has many providers, including free ones. I'd run test files through free ones for a few days before using them for something important.

Modus operandi

So, you did something and you now have proof right? No, the students can still say you stole the idea from them or some other nonsense. My fix for this was to, in private, establish one or more of my methods with my instructor. I tell the instructor to look for the whitespace, look for certain symbols, etc. but to never tell the others what the watermark was. If the instructor will agree to keep your simple techniques secret, they will probably continue to work fine. If not, there's always trusted timestamping. ;)

Community
Nick P
  • A decent text editor will make this "watermarking" method obvious. –  Apr 17 '13 at 22:01
  • You're very welcome, WarGodNT. @g33kz0r It can if they're looking for it, but how many lazy source stealers that you know spontaneously decide to highlight normal-looking line breaks, count the number of spaces in them and look for mathematical patterns in them? Or analyze letters in source individually with char map? It usually just... doesn't happen. I call it using slackers' main trait against them. ;) – Nick P Apr 17 '13 at 22:24
  • 5
    One more idea: Encode your initials in variable names, field names, method names, class names, etc. The thief will have hard time to rewrite everything. (I mentioned it here, since it's a good collection) – gaborsch Apr 17 '13 at 22:30
  • 1
    +1 GaborSch. That's a nice addition. If you don't lose points for ambiguous method names, then the tactic can be made less obvious that way and the initials themselves can be spread within the names. – Nick P Apr 17 '13 at 22:58
  • 4
    Another idea GaborSch's comment inspired: intentionally misspell certain things. Do a very uncommon misspelling of some function or variable name. 10 other people did the same thing on their own? Yeah right... (Note: one prominent critic of New World bible translation claimed it was a KJV knockoff and the evidence was that a rare grammatical error in KJV was in "brand new" NWT. So, there's a precedent for this working.) – Nick P Apr 17 '13 at 23:01
  • 1
    @NickP you mean like `sercive` instead of `service`? Nice idea, proves the common source, but does not prove that you were the originator. Anyway, good enough for a watermark. – gaborsch Apr 17 '13 at 23:21
  • 1
    That's what the trusted timestamp is for. ;) Oh, one thing I've used in the past to avoid trusted cryptographic timestamps is sending web-based emails or private forum messages to myself. Each of these has a timestamp on them controlled by a third party. So, they make a believable, free and reliable timestamp, although not secure. Has been good enough to convince third parties in the past who liked the convenience of letting me just pull up a web page in front of them for proof, rather than cumbersome verifications. – Nick P Apr 17 '13 at 23:24
  • This seems good for anyone looking for a link to [trusted timestamping](http://easytimestamping.com) – StackExchange User Apr 18 '13 at 00:39
  • Besides the instructor, tell someone else of your plan outside of your family. Maybe a counsellor – tgkprog Apr 18 '13 at 05:12
  • 8
    One point to note on "whitespace watermarking" is that if the IDE (re)formats your code (e.g. VS C#/Eclipse), they will be gone. – Alvin Wong Apr 18 '13 at 06:17
  • Good point Alvin. Upvote. I forgot to mention that it's best to do any text/whitespace-based watermarking in Notepad after you're done with the code. Good catch again. – Nick P Apr 18 '13 at 18:56
63

If your classmates stole your code from the upload site, I would encrypt your homework and email the key to the teacher. You can do this with PGP if you want to be complicated, or something as simple as a Zip file with a password.

EDIT: PGP would allow you to encrypt/sign without revealing your key, but you can't beat the sheer simplicity of a Zip file with a password, so just pick a new key every homework assignment. Beauty in simplicity :)

Jonathan S. Fisher
  • 2
    How do you prove that the code is yours? I can steal your code, and zip as if it were mine. – gaborsch Apr 17 '13 at 18:44
  • 4
    @GaborSch, if I upload my code to a zip file with a password, I'll see your stolen version shortly after the heat death of the sun (with appropriately chosen password) – SeanC Apr 17 '13 at 19:10
  • 1
    @SeanCheshire You're too optimistic, there are many other ways to get the code, not just that one. If this would be the only issue, then the *upload timestamp* should have been enough. – gaborsch Apr 17 '13 at 19:21
  • 11
    You could prove it was your code by successfully providing the decryption key. – Jonathan S. Fisher Apr 17 '13 at 20:22
  • 1
    Substantiate your claims, GaborSch, what other ways? If the file he uploads is password protected (i.e. encrypted), then there's no way for them to just steal the code from it. That's what encryption was invented for. The proof is the fact that he's the only one who can decrypt it for the teacher. – Supr Apr 17 '13 at 20:52
  • 1
    You are narrowing the problem, there are millions of security holes in every system. E.g. OP chooses a weak Win password, leaves his laptop unattended, chooses a weak password/weak encryption to the zip, the teacher uses a weak password on his mailbox, the teacher leaves his machine open on the course, etc. Do you think that if something is encrypted, then it cannot be retrieved? Why does bank security use a *marker ink* for the stolen banknotes? Because they also know that everything can be stolen, but with that method they will make it worthless. **Marking** is the key momentum, not defense. – gaborsch Apr 17 '13 at 22:24
  • 11
    Sure, there are many holes in theory, but realistically it is unlikely anyone would gain access to his files if he sends it encrypted: There are limits to how far they would go, and there are limits to their abilities. If they can't manage to write a GUI for their homework, then chances are they won't be cracking passwords or hacking into anyone's computer any time soon. – Supr Apr 17 '13 at 22:44
  • And there's a big difference between downloading a file from an open FTP server which you're already connected to versus physically accessing his (much less the teacher's) computer, just like digital music piracy is abundant yet you don't see the same folks stealing physical CDs from the brick-and-mortar store. I agree though that there are still ways to get the file, I just think that this solution would be 99% sure to prevent it :) – Supr Apr 17 '13 at 22:45
  • 1
    Don't bet on that. You wanted examples, you got it. I was sure that you will misinterpret it, along with your preconception, and you will only use it to prove your truth. Please, **read what others are talking about**, open your mind, and do not stick to one solution. There are million ways. The debate is over. – gaborsch Apr 17 '13 at 22:53
  • I don't get what you are complaining about. What preconception? What am I trying to prove? I even said I agree with you that there are other ways. I just expect the proposed solution to be very effective, whereas you seemed to imply that it was completely useless. And I certainly don't see how your proposed solution of embedding a single, easily removable encrypted string inside plain text code could be any more effective than encrypting the entire delivery... – Supr Apr 17 '13 at 23:13
  • OK, some misunderstandings: I didn't say it's useless to protect your code, I said that - if we are using the proposed way here - there are other ways that should have enough power to prove the origin. I would argue that the markers (be any kind of) are easily recognizable and removable - see also my last comment on NickP answer. And also, I still don't think that simply password-protecting any data in a zip file would provide enough protection against dozens of IT students. – gaborsch Apr 17 '13 at 23:35
  • 1
    But don't you agree that an encrypted file is *significantly* more tamper-proof than plain text markers which - like you say - are easily removed? Of course the password protection idea presumes that he chooses a scheme that *works* and can't be cracked easily. IT-students yes, but IT-students who can't even write their own GUI code... ;) – Supr Apr 17 '13 at 23:59
39

If you are giving source code to the teacher, then simply add a serialVersionUID to one of your class files that is an encrypted version of your name. You can decrypt it to the teacher yourself.

That does not mean anything to the others, just to you. You can say it's generated code; if they're stealing it, they probably won't bother to modify it at all.

If you want to do it in a stylish way, you could use this trick, if you find the random seed that produces your name. :) That would be your number then, and wherever it appears that would prove that it was you who made that code.

Community
gaborsch
  • the problem is we have to upload it to a public place and the teacher has to be able to look at the source code. – LoremIpsum Apr 17 '13 at 14:18
  • But they probably had to provide the sources. – NeplatnyUdaj Apr 17 '13 at 14:19
  • 5
    A thief may make cosmetic changes to the code, to make the theft less obvious. A serial version UID would be an easy cosmetic change. – Andy Thomas Apr 17 '13 at 14:30
  • 2
    @AndyThomas-Cramer Yes, I should program a method with my encrypted name in it, and if it is removed the program won't work, haha – LoremIpsum Apr 17 '13 at 14:33
  • 2
    @AndyThomas-Cramer In theory yes. In practice most cheaters are lazy and only do the absolute minimum they think necessary. (Probably replacing `//written by WarGodNT` with `//Written by ImaCheata`.) It's also unlikely that many of them even know the svUID could bust them. Even if a few of them are that smart; if most of the class is cheating a few are almost certain to get caught. At a minimum that should be sufficient to convince the teacher to unfubar his process. – Dan Is Fiddling By Firelight Apr 17 '13 at 17:14
  • 1
    @DanNeely - Agreed, given a sufficient number of plagiarists, it would probably catch some. However, since it is highly visible, frequently unnecessary to satisfy the requirements, and easily deleted or modified, I wouldn't rely on it as the sole proof of ownership. – Andy Thomas Apr 17 '13 at 17:49
  • @AndyThomas-Cramer It always depends on the teacher. If OP proves that a number of students copied *his* stuff, that may be enough. It also helps if this `serialVersionUID` is put into **all classes**, so, if *any trace* is left there, the thief is caught. – gaborsch Apr 17 '13 at 17:57
  • It's pretty easy to tell when code has been copied. If your prof doesn't think it was copied it is fair to trust their judgement. – Darth Egregious Apr 17 '13 at 18:48
  • 3
    @WilQu: You won't be signing your own code with someone else's name or private key, will you? – Kuba hasn't forgotten Monica Apr 17 '13 at 22:51
  • @KubaOber no, that's the point: the others can replace the author's signature with their own. A signature can prove that you uploaded the code, but it can't prove that you are the original author. – WilQu Apr 18 '13 at 07:43
  • @GaborSch exabrial recommended encryption, which is different from signing. With encryption, the others can copy your code since they can't read it and can't provide the password/key to the teacher. – WilQu Apr 18 '13 at 08:56
  • @GaborSch you can remove it but mention that that was in your answer before taking comments into account. – WilQu Apr 18 '13 at 11:16
  • @WilQu: I think if those students knew any of that, they wouldn't be stealing any code anyway. – Kuba hasn't forgotten Monica Apr 18 '13 at 20:20
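One way to build the `serialVersionUID` described in this answer so that it is tied to something only you know (added example, not code from the original post). It uses a keyed hash (HMAC-SHA256 truncated to 64 bits) in place of encryption, so ownership is shown by revealing the secret rather than by decrypting; the secret, the name, the function names and the three submissions are constructed for illustration.

```python
import hashlib
import hmac
import re

# Matches a Java long literal assigned to serialVersionUID, e.g. "= -42L;"
UID_RE = re.compile(r"serialVersionUID\s*=\s*(-?\d+)L\b")


def owner_uid(secret: bytes, name: str) -> int:
    """Derive a signed 64-bit value (a valid Java long) from secret + name."""
    digest = hmac.new(secret, name.encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big", signed=True)


def java_field(uid: int) -> str:
    """The line to paste into each Serializable class."""
    return f"private static final long serialVersionUID = {uid}L;"


def find_matches(submissions: dict, secret: bytes, name: str) -> list:
    """Return the submissions that carry the UID derived from secret + name."""
    expected = owner_uid(secret, name)
    hits = []
    for student, source in submissions.items():
        values = {int(m.group(1)) for m in UID_RE.finditer(source)}
        if expected in values:
            hits.append(student)
    return sorted(hits)


# Constructed sample data: the owner's file, a copy with only the comment
# changed, and an independent solution with an unrelated UID.
SECRET = b"constructed-secret-kept-offline"
NAME = "student-a"
OWNER_UID = owner_uid(SECRET, NAME)
SUBMISSIONS = {
    "owner": "// written by student-a\nclass Gui implements java.io.Serializable {\n"
             f"    {java_field(OWNER_UID)}\n}}\n",
    "copy": "// written by someone-else\nclass Gui implements java.io.Serializable {\n"
            f"    {java_field(OWNER_UID)}\n}}\n",
    "independent": "class Window implements java.io.Serializable {\n"
                   "    private static final long serialVersionUID = 1L;\n}\n",
}

if __name__ == "__main__":
    print(java_field(OWNER_UID))
    print("carry the owner's UID:", find_matches(SUBMISSIONS, SECRET, NAME))
```

As the comments above point out, the field is visible and easy to change, so this identifies a common source only while the copier leaves it in place.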
35

This happened with a pair of my students who lived in the same apartment. One stole the source code from a disk left in a desk drawer.

The thief slightly modified the stolen source, so that it wouldn't be obvious. I noticed the similarity of the code anyway, and examined the source in an editor. Some of the lines had extra spaces at the ends. Each student's source had the same number of extra spaces.

You could exploit this to encode information without making it visible. You could encode your initials or your student ID at the ends of some lines, with spaces.

A thief will likely make cosmetic changes to the visible code, but may miss the non-visible characters.

EDIT:

Thinking about this a little more, you could use spaces and tabs as Morse-code dits and dahs, and put your name at the end of multiple lines. A thief could remove, reorder or retype some lines without destroying your identification.

EDIT 2:

"Whitespace steganography" is the term for concealing messages in whitespace. Googling it reveals this open-source implementation dating back to the '90s, using Huffman encoding instead of Morse code.

Andy Thomas
  • 1
    Any Java IDE can format the code removing all invisible characters ;-) Still the morse-code idea is nice :-) – Prakash K Apr 17 '13 at 15:03
  • 5
    Extension: In any string literal, replace some blanks with a character that looks like a blank. Like character #255 in ASCII, or the "unwrappable blank" in unicode. Most newbies won't note the difference, and it will allow you to indicate who (probably!) stole your sources. – TheBlastOne Apr 17 '13 at 15:03
  • @PrakashK - Yes, that would counter this measure. A combination of measures is probably best. – Andy Thomas Apr 17 '13 at 15:26
  • @TheBlastOne - Nice idea. Doesn't by itself identify you, but it's not lost if the thief reformats. – Andy Thomas Apr 17 '13 at 15:29
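The trailing-whitespace idea from this answer and from Nick P's whitespace watermarking above, as an added example that is not part of either original post. It swaps Morse code for plain 8-bit binary (space = 0, tab = 1), repeats the mark on several lines so it survives retyped or removed lines, and shows that stripping trailing whitespace, as an IDE formatter does, erases it; the Java snippet, the initials and all function names are constructed for illustration.

```python
from collections import Counter

BIT_TO_WS = {"0": " ", "1": "\t"}   # space = 0, tab = 1
WS_TO_BIT = {" ": "0", "\t": "1"}


def encode_mark(ident: str) -> str:
    """Turn an ASCII identifier into a run of spaces and tabs, 8 per character."""
    bits = "".join(f"{byte:08b}" for byte in ident.encode("ascii"))
    return "".join(BIT_TO_WS[b] for b in bits)


def embed(source: str, ident: str, every: int = 2) -> str:
    """Append the mark to every `every`-th non-blank line."""
    mark = encode_mark(ident)
    out = []
    for i, line in enumerate(source.splitlines()):
        body = line.rstrip(" \t")
        if body and i % every == 0:
            body += mark
        out.append(body)
    return "\n".join(out)


def decode_mark(trailing: str):
    """Decode one line's trailing whitespace; None if it is not a plausible mark."""
    if not trailing or len(trailing) % 8:
        return None
    bits = "".join(WS_TO_BIT[c] for c in trailing)
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def extract(source: str):
    """Return (identifier, number of lines carrying it), or None if no mark."""
    votes = Counter()
    for line in source.splitlines():
        body = line.rstrip(" \t")
        mark = decode_mark(line[len(body):])
        if mark:
            votes[mark] += 1
    return votes.most_common(1)[0] if votes else None


def simulate_copy(marked: str) -> str:
    """Constructed 'cosmetic' copy: one line retyped, one identifier renamed."""
    lines = marked.splitlines()
    lines[0] = "public class Window {"          # retyped, so its mark is lost
    return "\n".join(l.replace("clicks", "count") for l in lines)


def reformat(marked: str) -> str:
    """What a formatter that trims trailing whitespace leaves behind."""
    return "\n".join(l.rstrip() for l in marked.splitlines())


# Constructed sample source.
SAMPLE_JAVA = (
    "public class Gui {\n"
    "    private int clicks = 0;\n"
    "\n"
    "    void onClick() {\n"
    "        clicks++;\n"
    "    }\n"
    "}\n"
)

if __name__ == "__main__":
    marked = embed(SAMPLE_JAVA, "WG")
    print("original:   ", extract(marked))
    print("after copy: ", extract(simulate_copy(marked)))
    print("reformatted:", extract(reformat(marked)))
```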
20

It seems like an IT administration problem to me. Each student should have their own upload area which cannot be accessed by other students.

The teacher would be a higher level up, being able to access each student's upload folder. If this is not possible, go with @exabrial's answer as that is the simplest solution.

Jon Raynor
8

The best thing you can do is to just zip the source code with a password and e-mail the password to the teacher.

Problem solved.

Omid
6

Use a distributed (=standalone) version control system, like git. Might be useful too.

A version history with your name, and dates might be sufficiently convincing.

Joop Eggen
  • 2
    But OP does not fail to prove that his source was created by him. He has a hard time proving that schoolmates use his sources for theirs. – TheBlastOne Apr 17 '13 at 15:06
  • 2
    A distributed VCS is quite complex. All the author needs is to prove originality of the content and/or copying. This can be accomplished with any file submission mechanism that timestamps the submission, identifies the submitter and doesn't allow students to delete submissions. This can be done with something as simple as a FTP or web server. – Nick P Apr 17 '13 at 21:25
  • 1
    It's pretty easy to write a script that will scan the commit log and recreate a new repo with the same history but a different user. – mikerobi Apr 17 '13 at 21:34
  • @mikerobi `git filter-branch` was built for [crazy stuff like that, that shouldn't be easy](http://stackoverflow.com/questions/750172/how-do-i-change-the-author-of-a-commit-in-git) – Izkata Apr 17 '13 at 21:47
  • @Izkata, I didn't consider the possibility of changing the revision history. I was thinking of a script that checks out the first revision and commits it to another repo, then checks out the second revision and patches the new repo commits, repeats. Similar to how some tools to convert from one VCS to another work. – mikerobi Apr 17 '13 at 22:01
  • @mikerobi The issue with that is the timestamp for every commit is going to be about the same. `filter-branch` retains the original – Izkata Apr 17 '13 at 23:09
  • Good points all; thanks for the thoughts on using a VCS. (1) A VCS is a good (non-intrusive, non-objectionable) tool to use. It is simple, `commit` would almost suffice. (2) He would probably be the first. (3) It demonstrates a historical development. (4) It is safer than steganography (like whitespace or a comment where the initials of words form one's name). (5) Hacking would take effort and time too. (6) It is not foolproof. – Joop Eggen Apr 18 '13 at 06:51
  • @Izkata, both git and mercurial allow you to override the commit date. – mikerobi Apr 18 '13 at 13:45
3

What was stolen?

  • The source? You can put random Strings in it (but they can be changed). You can also try to add a special behavior known only to you (a special keypress will change a color row); you can then ask the teacher "do the others know this special combo?". The best way will be to crash the program if an empty useless file is not present in the archive after 5 minutes of activity; your schoolmates will be too lazy to wait this amount of time.

  • The binary? Just comparing the checksum of each .class will be enough (your schoolmates are too lazy to rewrite the class files)

Kartoch
3

Just post your solution at the last minute. This won't give time to anyone to copy it.

And send feedback to the administrator to disallow students from seeing other students' assignments.

Eduardo
1

If you upload the file in a .zip with password encryption, anyone can just crack the password by downloading the .zip file and have their cpu run a million queries at it if they are that big of a cheat thief. Unfortunately, some are and it's easy to do.

Your source can be viewed on the shared server by the other students. The teacher should really be giving you your own password encrypted directory to upload to. This could be done easily just by adding subdomains. But perhaps the teacher might allow you to upload the files to your own server for him to access them there.

It's also possible to obfuscate the script so that it has a document.write('This page was written by xxxxx'), forcing anyone who copies your work to not be able to remove the credit unless they first decrypt it. But the real answer is that your school needs to give each of its students their own password protected directories.

Michael d
0

In my case, my teachers came up with a better approach. The questions they provided had something to do with our registration number. Ex:

Input to a function/theory is our Registration number, which is different for each student

So, the answers or the approach to the solution are relatively different for each student. This makes it necessary for all students to do their homework on their own, or at least get to know how to hack the approach with their own registration [it may be harder than learning the lesson ;)].

Hope your lecturer will read this thread before his next tutorial :D
Chand Priyankara