Code Security

Adam Hoult
Copyright May 19, 2000

URL: http://www.vbgamer.com/tutorial.asp?ndx=34


...how to try and stop those pesky code thieves!

Introduction

Securing your code is a very tricky subject. Recently I found a guy who had been stealing my code (and others') and passing it off as his own without changing anything. Luckily, in my case he had been using all the same files; he had just added his own copyright info. In this article I will go over a few ways that I have come up with so that, if this happens to you, you will be able to prove that the code is yours.

Copyright theft (be it code, music, compiled exe's, whatever) is a punishable offense in most places around the world, but this doesn't stop people. It has happened to hundreds if not thousands of people around the world, but many of us do not understand our rights to this code. Unfortunately, if you cannot prove in a court of law (or even to the webmaster of the site it is on) that it is your code, then you have little chance of getting something done about it.

We are not talking about people taking your code, using it to advance their own knowledge, and incorporating what they have learned into their own project. That is a separate issue, and most of us don't mind that. What I will discuss is ways to secure your code against people simply taking the whole thing and passing it off as their own, and also some ways to stop those "Cut and Paste" pirates from claiming that the work is their own (this is more complex and is not a complete solution, but it can be used effectively).

Now I'm not saying that these ideas will rule these things out completely, and I'm not even saying that they are completely effective (because I know that's not always the case), but put it this way: if you have an alarm box on your house, the thief is more likely to go somewhere else where there is no alarm, right?

So what can I do?

OK, well, the key to this situation is knowledge: you have to have the upper hand and "KNOW" something about your code that the "Pirate" does not. All of these examples are just a starting point from which you can design your own security methods; I urge you to change things around and really think about it to suit your needs. What you really have to do is plant traps in your code which the thief couldn't possibly know about. Here are just a few ways of doing this. The ones below are fairly simple to spot, but try them for yourself.

The Package Thief

These guys are low. They will find a whole source code package, change a few things here and there (i.e. copyright comments), and then redistribute it as their own work.

The first thing to do is make sure that the VersionCompanyName field in the VBP file is your name, your company name, your website name or a coded version of it. I have found that a lot of thieves overlook this, and you can download their so-called version with your name intact inside the vbp. To edit this, open up the vbp file in Notepad and check it. You could implement your own coding system, for example by substituting numbers for the letters, or any other method, as long as you know the method and can explain how to decode it when you contact a webmaster (or in a court of law), so that he/she can get your name from that code. The thief is less likely to bother changing it if it doesn't contain your name/company name, and it also stops them from doing a simple text search through all the files looking for your name etc. As long as the thief doesn't know the coding method (and doesn't change the company name), the method is a success. Of course you shouldn't just use 1 method; the key is to place as many traps as possible, in the hope that they will miss one.

The second way I have discovered is to hide security codes in your .frm files. Again, open the file in Notepad, and you have a wide range of little hidey holes which you can create for yourself. In this example I will use a simple method for hiding a security key, which will be easy to decode (for example purposes) but is fairly well hidden. So what do you need to do? Take a look at the example below.

    VERSION 5.00
    Begin VB.Form Form1
         BackColor = &H00000000&
         BorderStyle = 0 'None
         ClientHeight = 5940
         ClientLeft = 1140
         ClientTop = 1515
         ClientWidth = 6690
         ForeColor = &H00FFFFFF&
         LinkTopic = "Form1"
         PaletteMode = 1 'UseZOrder
         ScaleHeight = 5940
         ScaleWidth = 6690
         ShowInTaskbar = 0 'False
         WindowState = 2 'Maximized
         'Securecheck = 1,4,1,13,0,8,15,21,12,20
    End


So you have probably already spotted the security check, since it's named SecureCheck =) You will also notice that there is an apostrophe in front (to block this from actually being read by VB's frm loader). So what does this code mean? Well, I've encoded my name into that field: 1=A, 4=D, 1=A, 13=M, 0=Space (ADAM), etc. Now you can make this more complex, as long as it's easy enough for a webmaster (or court =) to understand how to decode it. Place this type of thing in EVERY form inside your project. It's very rare that the thief will open the form in Notepad and check everything for coding like this. You could also change the method for each form.
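The tag above can be checked mechanically when you need to show a webmaster which forms in a disputed package still carry it. The following is an added example, not code from the original article: the function names are hypothetical, the sample form text is constructed from the listing above, and the scheme assumed is the one described (A-Z as 1-26, space as 0).

```python
import re

# Matches the commented-out tag from the article, e.g.  'Securecheck = 1,4,1,13
TAG_RE = re.compile(r"^\s*'\s*securecheck\s*=\s*([\d\s,]+)$", re.IGNORECASE)

def encode_owner(name):
    """Encode a name with the article's scheme: A-Z -> 1-26, space -> 0."""
    codes = []
    for ch in name.upper():
        if ch == " ":
            codes.append(0)
        elif "A" <= ch <= "Z":
            codes.append(ord(ch) - ord("A") + 1)
        else:
            raise ValueError(f"cannot encode {ch!r} with this scheme")
    return ",".join(str(c) for c in codes)

def decode_tag(csv):
    """Decode '1,4,1,13,0,...' back to text; reject values outside 0-26."""
    out = []
    for field in csv.split(","):
        n = int(field.strip())  # raises ValueError on an empty or damaged field
        if not 0 <= n <= 26:
            raise ValueError(f"value {n} is outside the 0-26 alphabet")
        out.append(" " if n == 0 else chr(ord("A") + n - 1))
    return "".join(out)

def find_tags(frm_text):
    """Return (line_number, decoded_text) for every SecureCheck comment line."""
    hits = []
    for lineno, line in enumerate(frm_text.splitlines(), start=1):
        m = TAG_RE.match(line)
        if m:
            hits.append((lineno, decode_tag(m.group(1))))
    return hits

def audit_forms(forms, owner):
    """Map each form name to True if it carries a tag that decodes to `owner`."""
    return {name: any(text == owner.upper() for _, text in find_tags(body))
            for name, body in forms.items()}

# Constructed sample: a shortened copy of the article's form header.
SAMPLE_FRM = """VERSION 5.00
Begin VB.Form Form1
     WindowState = 2 'Maximized
     'Securecheck = 1,4,1,13,0,8,15,21,12,20
End
"""
# The same form after someone has deleted the tag line.
STRIPPED_FRM = "\n".join(l for l in SAMPLE_FRM.splitlines() if "Securecheck" not in l)
```

Trailing property comments such as `'Maximized` are ignored because the pattern only accepts a line that begins with the apostrophe.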

There are other places to put this type of thing so that it will not be read by the frm loader (and will not appear in VB), such as control definitions etc., so experiment with it. Note: if you do something incorrectly, VB will complain that the Header Is Corrupt when you try to load your project, or say that a field is wrong when you try to open the form designer. This cannot be done with modules, as everything in a module text file will appear in VB.

The next method that I have come up with is resource files. Even if your project does not use resource files, you can always add one just for this purpose; they do not take up much space. As with the forms etc., the "package thief" is not likely to open up and discover a disguised string inside a resource file. In my experience most of these people are "script kiddies" who don't even know what half this stuff does, and just package it off anyway under their name. You can put anything in there (as with the other methods); it should be encoded, but it must be something you can prove pertains to you (i.e. your website/name, whatever).

Lastly, embed watermarks in all your loaded images (where possible). Most good paint packages (such as Paint Shop Pro 5+) will allow you to do this. You can embed things such as your name inside all your images, which the webmaster can then read in PSP to prove that it IS yours.

The cut & paste pirate

This is a little more tricky. It may happen that the thief is cutting/pasting directly from your code and reconstructing your project with their own forms/graphics/project files. In this case it is almost impossible to use any of the methods above. So what can you do about it? Well, there is not a lot you can do easily. In this case we fall back to a method used by many authors/poets etc. to place their own signature into their work.

For example, a member of my family writes verses for greetings cards. I mentioned to her a way of coding an amount of security into the verses, so that if that verse was found in anyone else's cards without authorisation, she could prove that it was hers, simply because she could tell the court exactly what the coding method was and the "thief" could not. I explained to her that a lot of people do things such as always having a certain number of letters/words in every 5th paragraph, for example, or a certain number of E's in every line. This can include punctuation or other characters. In her case, she came up with a coding method where every verse would always have at least one S and one O, in Morse code, encoded into it. Basically this means that there will always be at least three dots and three dashes in each greeting card. Unless you are extremely observant, there is no way you would spot this, as the dots and dashes are placed where they should actually be placed inside the verse (i.e. not just in random places =) It takes a little bit more work to successfully pull this off, and most people would not bother, but it is an extremely effective way of placing your own signature inside your text to prove that it is yours.

So how do we apply this to our VB code? Well, this could be anywhere from your comments to your message boxes. You could always have a certain number of commas inside your comments, or some other clever method of placing your own fingerprint inside your code.
Have a think about it, and see what you can come up with.
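One way to check a comma fingerprint of the kind suggested above, as an added example that is not part of the original article. The rule used here (exactly two commas in every comment) is a hypothetical choice, as are the function names and both constructed VB samples; the checker skips apostrophes inside string literals so that text like "Don't" is not mistaken for a comment.

```python
def extract_comments(vb_source):
    """Return the text of each VB comment (' or Rem), one entry per line."""
    comments = []
    for line in vb_source.splitlines():
        stripped = line.strip()
        if stripped[:4].lower() == "rem ":
            comments.append(stripped[4:].strip())
            continue
        in_string = False
        for i, ch in enumerate(line):
            if ch == '"':
                # A doubled "" inside a VB string toggles twice, so state is kept.
                in_string = not in_string
            elif ch == "'" and not in_string:
                comments.append(line[i + 1:].strip())
                break
    return comments

def fingerprint_report(vb_source, commas=2):
    """Return (comments matching the rule, total comments found)."""
    comments = extract_comments(vb_source)
    matching = sum(1 for c in comments if c.count(",") == commas)
    return matching, len(comments)

# Constructed sample: code written to the hypothetical two-comma rule.
MARKED = """' Load the map, the tiles, and the sprites
Public Sub LoadLevel(ByVal n As Integer)
    MsgBox "Don't panic, it's loading"   ' Tell the user, politely, to wait
    Rem Reset score, lives, and timer
    Score = 0
End Sub
"""

# Constructed sample: unrelated code that does not follow the rule.
UNRELATED = """' Draw everything
Sub Render()
    x = 1 ' counter, reset each frame
End Sub
"""

if __name__ == "__main__":
    print(fingerprint_report(MARKED))     # every comment follows the rule
    print(fingerprint_report(UNRELATED))  # none do
```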

A Final Statement

This is not meant to be a holy bible of how to secure your code, and it will not work for every case, but it's a great start. These methods can be changed and used however you wish, and if you employ most of them, you should be able to prove using one method or another that it really is your code. Unfortunately it's come to the point where most people in the "Open Source" community simply do not bother to release their code anymore because of this situation. If it gets worse, people will simply become too paranoid, and the market for knowledge and growth in VB coding will simply dry up. How many of you have downloaded a sample which does exactly what you need to do, and thought "great!!!!"? Then you have dissected the code and found out how it works, so that you have the knowledge to implement that method yourself? Nobody is saying that this is not allowed; that's the whole reason why people place source code for general download. But most people draw the line at people simply taking your hard work, which could have taken weeks, and then passing it off as their own. I hope that this helps at least 1 person out there, and that if code theft happens to you, you will have success in proving that it really is yours.