Slashdot Mirror


Has Zend Source Encryption Been Rendered Useless?

tinkertim asks: "Recently I happened upon this freelance job posting and was intrigued by the domain name suggesting Zend decoding. After looking around a bit and finding the sandbox testing, I realized this is not a gimmick. Reverse engineering used to be a service one had to look for at length, and now there's companies offering it hoping to get on the Google top 10. Obviously - they aren't afraid of lawsuits or police action. If Zend and Source Guardian are so easily broken, are PHP developers wasting their time? Should companies selling scripts just open source them now so they have some control over what seems to be the inevitable release of their code? And what happens when vulnerabilities in popular PHP based billing applications that rely on security via obscurity are found from released decoded source?"

6 of 60 comments

  1. Non-Story by Angst+Badger · Score: 5, Insightful

    The original poster raises two questions: If the source of obfuscated PHP scripts can be recovered, should PHP script vendors just open source their products now so that they have some control over them? And what about products that depend on security through obscurity?

    In the first case, vendors already have control. It's called copyright. If you misappropriate copyrighted code, there are an amazingly vast number of avenues for the aggrieved party to take through a very well-developed legal system. Frequent Slashdot readers are painfully well aware of this system, both through its abuses (SCO) and its creative uses (GPL). If you're trying to conceal trade secrets, that's another matter, but then, if you're trying to conceal trade secrets, you probably aren't implementing them in PHP.

    The second question has the same answer it always has: security through obscurity is weak security. Making the source available makes it easier to crack, but that's all. Inherently weak systems that try to avoid attack by concealing their weakness always fail. PHP is neither here nor there as far as that issue is concerned.

    --
    Proud member of the Weirdo-American community.
  2. Lame by nacturation · Score: 2, Insightful

    This article should be marked troll. Door locks are there to protect you against thieves by offering a pretty good level of protection against the scum of society. Just because a small percentage of people have figured out how to pick locks, should we do as the poster suggests and simply not lock our doors because it's clearly futile? Obviously not. Things like Zend exist to offer a pretty good level of protection against those who would use the results of a person or company's hard work without paying for it. Just because some people are dishonest enough to break that protection doesn't mean that the protection doesn't serve a purpose in the first place.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    1. Re:Lame by senzafine · Score: 2, Insightful

      I agree completely. For the most part...even if you don't have the source it only takes a decent programmer to "reverse engineer" the application into code. Zend's encoder serves a purpose...but one of them isn't "make your code impossible for anyone to decode".

      --
      Better than Flickr - Manage, Share, Archive
  3. Wow... by mysidia · Score: 3, Insightful

    Front page on slashdot.. it would appear they are getting their money's worth, in that SEO posting, before that little reverse auction even closes...

    I suppose a link to the site appearing on the Slashdot front page won't hurt the chances of appearing on top of Google, et al, right?

  4. Re:ModernBill Security by Anonymous Coward · Score: 1, Insightful

    Of course you take application security seriously, would you have any customers if you didn't? I think the article submitter was implying that you obfuscated your PHP code, which doesn't enhance security in any way. The only gain for obfuscation in a commercial web app is to make it enough of a pain for average users to install the system on multiple hosts without licensing that they bite the proprietary bullet. You know it, I know it and your customers know it.

    BTW: Software is covered by copyright; the authors or their employers hold the copyright on their work. Anybody who talks about protecting 'IP' is obfuscating the issue, as 'Intellectual Property' implies ownership and you don't 'own' a copyright, you 'hold' or are assigned a copyright.

  5. Foolproof method discovered by SlappyBastard · Score: 3, Insightful

    Learn C++. Shhh... don't tell anyone. They're still trying to figure out where the compiler is on their Linux server.

    I code the bulk of my stuff in PHP for the same reason I have no problem using HTML, XML or JavaScript: because I really, really don't think what I code is amazing flaming shit that the Russian mafia is trying to steal.

    I'm still baffled by the number of people who completely lack any perspective about their own coding.

    Most of this business is selling the service, not the product. There aren't many web services that are so unique that the people involved have to specifically make an effort to control the secret sauce for fear that others will enter their industry. Yahoo does search quite actively without having Google's code.

    Only HTML "programmers" would be dumb enough to think something like PHP obfuscation was big shit.

    That said, PHP obfuscation sounds like a good business. No one ever went broke selling people's asses back to them.

    --
    I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.