Slashdot Mirror


Has Zend Source Encryption Been Rendered Useless?

tinkertim asks: "Recently I happened upon this freelance job posting and was intrigued by the domain name, which suggests Zend decoding. After looking around a bit and finding the sandbox testing, I realized this is not a gimmick. Reverse engineering used to be a service one had to look for at length, and now there are companies offering it hoping to get into the Google top 10. Obviously, they aren't afraid of lawsuits or police action. If Zend and Source Guardian are so easily broken, are PHP developers wasting their time? Should companies selling scripts just open source them now so they have some control over what seems to be the inevitable release of their code? And what happens when vulnerabilities in popular PHP-based billing applications that rely on security via obscurity are found in released decoded source?"

3 of 60 comments

  1. SEO? by marcsherman · Score: 4, Interesting

    I can't shake the feeling that this Ask Slashdot article was posted as part of the SEO contract solicited in TFJobPosting.

  2. 100% spam by nacturation · Score: 5, Interesting

    As someone else pointed out, it's an even bigger non-story. The freelance job posted is asking for someone to promote zendecode.com to the top of Google, MSN, etc. and posting on Slashdot certainly helps. The link to "Zen decoding" just goes to zendecode.com. The "sandbox testing" link goes to the forums on zendecode.com. And finally, the link to "popular PHP-based billing applications" just goes to modernbill.com and doesn't link to any reports of bugs. The whole thing is 100% spam backed by FUD. Whoever submitted this is trying to get the keywords "zen decoding" and "sandbox testing" ranked in search engines as being popular terms for zendecode.com. And they're perhaps trying to promote ModernBill for keywords such as "PHP billing application" as well.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  3. Re:DRM by SanityInAnarchy · Score: 4, Interesting

    I actually got a response from one company, who called themselves "American Computer Systems". I followed a link from a spam, and they were actually relatively advanced -- they use JavaScript to construct your source from a very long string of alphanumeric characters. At the end, they document.write it. They show this effect off on their homepage. So, I made a textarea in the original page, swapped "document.write(foo)" for "document.(the.text.area).value = foo", then sent it all back to them. Here's the first email I sent them:

    Well, that was an interesting little project. Too bad client-side JavaScript will always be vulnerable to a little tweak here and there, and you didn't even bother to crunch the HTML down ahead of time. It is nice, clean, and readable... Why is it you used to play WMA music? Ah, nevermind, wouldn't have worked, I'm on a Mac at the moment.

    Really, why do you bother? All this does is provide a fun exercise for people like me. I actually automated the process, just for fun. All this does is make the page completely unreadable to people who don't have JavaScript enabled, and it makes it impossible to save bandwidth by compressing the page, as it's now encrypted. Oh, it does compress, but the compressed version of your encrypted JavaScript is twice as big as the compressed version of the original source.

    Anyway, I've found the source code to your main frame, and I've attached it to this email. Now, please stop spamming me, and please find something better to do with your life. And while you're at it, you should read a bit about open source philosophy.

    Now that I look at it, I can see why you'd want to keep it a secret. Looks like you're borrowing source code just like everyone else. That's not a bad thing, but everyone else isn't trying to sell a product on the idea of wanting to not share source code. Someone shared their code with you, but you don't want to share back?

    Well, if you're going to be that way, I guess I won't give you the source code to the program I have which now decrypts the results of your software.

    To my astonishment, I actually got a response. A response somehow defending the position of "encrypting" websites.

    Hi David.

    Thanks for your message. It's nice to read your opinion. You know there is always a better or faster or cheaper way.
    With this program it is the same as with a car. There is no 100% protection, but it helps a lot to lock it.
    By the way, I don't steal code to produce my websafe. It is 100% made here. By the way, the original code is about the same size
    as the scrambled one. We don't write code like the one you sent me. It is already stripped.

    I have seen that your hometown is in the east of the USA. Myself, I was living quite a while in Maryland. It was a good time, David.
    OK, I hope I'm not wasting your time.

    Thanks for your message.

    Erwin

    ps. The wma comes back. Just a filesize problem with one of my providers.

    Funny, I could swear I saw the WMA bit commented out? Ah, well, I'll give him that one, but this is too fun to stop now...

    Erwin Jabor wrote:
    > > Hi David.
    > >
    > > Thanks for your message. It's nice to read your opinion. You know there is
    > > always a better or faster or cheaper way.
    > > With this program it is the same as with a car. There is no 100%
    > > protection, but it helps a lot to lock it.

    Only, in this case, I have the equivalent of a master key. You're
    better off simply not putting so much value on your HTML design.

    > > By the way, I don't steal code to produce my websafe. It is 100% made
    > > here.

    I meant the code for your website, not your software, and no, it's not.
    You actually give credit to the place you got your hit counter and
    other such things. I can point it out for you if you like.

    The difference is, most w

    --
    Don't thank God, thank a doctor!
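The sink-swapping the comment above describes, as an added example that is not part of the thread: the shipped page carries both the encoded HTML and the decoder for it, so whatever the encoding, the plaintext must reach `document.write`, and a replacement for that sink receives it unchanged. The hex encoder is a constructed stand-in for the vendor's undisclosed scheme, and `document` is modelled as a plain object so the snippet runs under Node without a DOM.

```javascript
// Added example (not from the thread). Models a "websafe"-style page: the HTML
// is shipped as an encoded string plus a decoder, and the decoded result is
// handed to document.write. Because the client runs the decoder, the output is
// available to whatever object is standing in for `document` at that moment.

const ORIGINAL_HTML = '<h1>Hello</h1><p>Protected page</p>'; // constructed sample

// Toy encoder/decoder: two hex digits per character. This is an assumed
// stand-in; the real product's encoding is not described in the thread.
function encode(html) {
  return Array.from(html, ch => ch.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}
function decode(blob) {
  let out = '';
  for (let i = 0; i < blob.length; i += 2) {
    out += String.fromCharCode(parseInt(blob.slice(i, i + 2), 16));
  }
  return out;
}

// What the "protected" page's script does: decode, then write to the document.
function protectedPageScript(doc, blob) {
  doc.write(decode(blob));
}

// Normal rendering: a document whose write() appends to the rendered body.
function renderNormally(blob) {
  const doc = { body: '', write(s) { this.body += s; } };
  protectedPageScript(doc, blob);
  return doc.body;
}

// The comment's observation: point the same sink at a textarea-like value
// instead of the rendered body, and the decoded source is simply returned.
// No part of the decoder has to be understood for this to work.
function captureInsteadOfRender(blob) {
  const textarea = { value: '' };
  const doc = { write(s) { textarea.value += s; } };
  protectedPageScript(doc, blob);
  return textarea.value;
}
```

The encoding doubles the size of the page without hiding anything, which is the same trade-off the comment makes about bandwidth.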