13

I was looking at a JavaScript framework that looks pretty cool. I like the demos. When I looked at the page source and the attached .js file, I noticed the file has this: "testing and evaluation purposes only, protected by copyright, this software is not free and is licensed to you for testing only"

But right under that, the entire code is there (because it is JavaScript). I could see if you had a compiled project and someone would have to break into a system unauthorized to get the source code, but how would you even begin to enforce a plain text language like this?

After removing their comments, find+replace renaming of the variables, re-arranging the functions, it would be impossible to even know if someone was using it with a web spider. That's a 5-second way to lose business.

I am genuinely curious because this product seems to be their entire business plan, but all their trade secrets are available in plain within the demo. The country does not provide for adequate remedies for this sort of thing so the burden is on the creator to protect it (I mean if that is their business plan after all)

Do you have any insight into this? Solutions I completely overlooked? I am a little perplexed as to why someone would devote so much effort to something that they don't intend to be free, but are giving away for free.

CQM
  • That's basically the same idea as any industry. One would assume they have a timeout of some sort on the demo. – Naftali May 23 '11 at 16:01
  • Yes, but this is plain text that does not query any server or anything. I like to assume a lot of things, but then I have to act surprised when Skype uses an unhashed database, or when my identity is compromised at Sony – CQM May 23 '11 at 16:06
  • @RD this question is the same as "How do I defend against piracy". It's equally easy to just download movies and music, but why do music and movie companies still make money? – Raynos May 23 '11 at 16:12
  • @Raynos, I am aware the music and movie companies go to great lengths to defeat piracy, although arguably ineffective. – CQM May 23 '11 at 16:20
  • @RD What I'm pointing out is that the loss of revenue due to piracy isn't as large as you think. And it's a calculated risk. It's just a fact of the software business in general. – Raynos May 23 '11 at 16:26
  • If someone thinks he is stealing something, he will be less likely to annoy your email with questions and problems about your code. That is the best thing about 'copywriting' scripts online. – kennebec May 23 '11 at 18:12

5 Answers

12

There is no way to "encrypt" JavaScript code other than obfuscating it so yes, it's true there is no way to reliably copy-protect a commercial JavaScript product.

They are still worth offering because

  • Most corporate customers in western countries will not dare risk stealing software due to the risk of getting caught and sued for vast amounts of money - if not through the code, then maybe through a disgruntled intern blowing the whistle

  • Different from pirated office software, the theft is publicly just as visible and accessible as the original piece of JavaScript - you never know what techniques may exist (or come up) to find stolen JavaScript code using an algorithmic approach.

  • The real loss of business is probably not as heavy as one might think: People cheap enough to steal a JavaScript widget would simply fall back to a free one if that one wouldn't be available to steal. Commercial JavaScript widgets usually don't offer any unique functionality - popular things tend to get cloned quickly - their selling point is usually that they do what dozens of Open Source solutions do too, but extremely well, fast, cleanly, and well-documented.

Pekka
  • 3
    Also, obfuscators can be easily undone with tools like http://jsbeautifier.org/ – gen_Eric May 23 '11 at 16:09
  • 3
    @Rocket that's not really correct, beautifiers can beautify the code. The indentation and layout of the code is probably the most minor form of obfuscation out there. – Tom Gullen May 23 '11 at 16:11
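
On the algorithmic detection mentioned in the answer above, here is an added example (not part of any post on this page) showing why comment removal, find+replace renaming and function re-ordering leave a detectable trace: the token structure of the code is unchanged. The function names, the simplified tokenizer and the three sample scripts are constructed for illustration.

```javascript
// Added example: structural fingerprint that survives renaming and comment removal.
const KEYWORDS = new Set(['function', 'return', 'var', 'let', 'const', 'if', 'else',
  'for', 'while', 'new', 'this', 'typeof', 'null', 'true', 'false']);

// Tokenize, dropping comments; identifiers, strings and numbers become placeholders.
// Simplification: regex literals and template strings get no special handling.
function tokenize(src) {
  const re = /\/\/[^\n]*|\/\*[\s\S]*?\*\/|("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')|(\d+(?:\.\d+)?)|([A-Za-z_$][\w$]*)|(\S)/g;
  const out = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    if (m[1]) out.push('STR');
    else if (m[2]) out.push('NUM');
    else if (m[3]) out.push(KEYWORDS.has(m[3]) ? m[3] : 'ID');
    else if (m[4]) out.push(m[4]);   // punctuation; comments match no group
  }
  return out;
}

// Set of every run of k consecutive tokens ("shingles").
function shingles(tokens, k) {
  const set = new Set();
  for (let i = 0; i + k <= tokens.length; i++) set.add(tokens.slice(i, i + k).join(' '));
  return set;
}

// Jaccard similarity of the shingle sets: 1 = identical structure, 0 = nothing shared.
function similarity(srcA, srcB, k = 5) {
  const a = shingles(tokenize(srcA), k), b = shingles(tokenize(srcB), k);
  let shared = 0;
  for (const s of a) if (b.has(s)) shared++;
  const union = a.size + b.size - shared;
  return union === 0 ? 0 : shared / union;
}

// Constructed samples: a "licensed" script, a renamed and re-ordered copy, unrelated code.
const original = `/* licensed for evaluation only */
function clamp(value, lo, hi) {
  // keep value inside [lo, hi]
  if (value < lo) return lo;
  if (value > hi) return hi;
  return value;
}
function lerp(start, end, t) { return start + (end - start) * clamp(t, 0, 1); }`;
const renamed = `function b(p, q, r) { return p + (q - p) * a(r, 0, 1); }
function a(x, y, z) { if (x < y) return y; if (x > z) return z; return x; }`;
const unrelated = `var items = document.querySelectorAll("li");
for (var i = 0; i < items.length; i++) { items[i].className = "row" + (i % 2); }`;
console.log(similarity(original, renamed).toFixed(2), similarity(original, unrelated).toFixed(2));
```

Only the shingles that straddle the swapped function boundary differ, so the renamed copy still scores close to 1 while the unrelated script shares nothing.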
3

There's always obfuscation tools: http://www.javascriptobfuscator.com/default.aspx

This SO question thoroughly hashes out (pun intended) the pros AND cons of obfuscation practices

Michael Jasper
  • 4
    These can be easily undone: http://jsbeautifier.org/ – gen_Eric May 23 '11 at 16:07
  • Yes, but with the architecture of client-side interpreted scripting languages, that's the closest you will ever come. – Michael Jasper May 23 '11 at 16:10
  • There's always deobfuscation tools: http://www.gosu.pl/decoder/ , and yes the beautifiers, from there again, simple find and replace of the variables is a simple matter, especially with regex – CQM May 23 '11 at 16:11
2

You cannot enforce the license, I suppose.
Perhaps they rely on honesty on the part of the companies planning to use their product...

After all, you have some open source projects with dual license: GPL for free / open projects, commercial otherwise (iText, for example, IIRC). The same reasoning applies for these projects.

Besides, you can make public a crippled version of the software. Of course, if you find a site of somebody using it and having paid to have the full version, it is easy to steal it too.

Often, like most open source software sold by companies, they rely on services around the software to make money: you buy their software, you get premium support, like fast fixes and updates, customizations, etc.

PhiLho
1

That's the result of conflict between the web being an open technology, where all client side data is open to be viewed by anyone, conflicted with the proprietary and monetary interests of businesses and profiteering individuals, and the result is, attempts at obfuscation.

All obfuscation ultimately is security through obscurity, so it's important to reiterate if it's on the web, someone can pick it apart, just depends if they can be bothered or not. The more valuable your software is, the more likely this is to be so.

A lot of businesses and individuals seem fearful that their software will be stolen, and this is usually misguided as more often than not they are grossly overestimating the uniqueness of their software which unfortunately isn't a special snowflake most of the time.

The only way you can protect your Javascript is through obfuscation really, there are lots of online tools for this, one of the best being Google's Closure Compiler. Obfuscation goes some way to remove semantics from the code, for example useful variable names, and some such as the closure compiler actually can change the logic of the code. But, the code is still code, it's still logical, and someone can figure out what it does.

Tom Gullen
  • 1
    Obfuscation is only useful to stop competitors stealing your high level code structure. It doesn't stop actual code theft. – Raynos May 23 '11 at 16:14
1

  1. There's no such thing as a "compiled project" in JavaScript.
  2. You do not have to "break into a system unauthorized to get the source code". As soon as your page has loaded, you have access to every bit of JavaScript the page is using.
  3. Copyrights offer a marginal amount of protection. If you find a piece of JavaScript on the net that is of interest, you're completely free to go through it and rewrite it in your own style. If you only copy and paste copyrighted code then you may have some potential liability but it's unlikely.
  4. The only true protection is through a patent but there's no protection without litigation.
ic3b3rg