Protecting Your IPR
Last Tuesday's question seemed to go down quite well. Carleen was so happy with the answers she bought me a treat off my Wishlist. Thanks Carleen!
In an attempt to get more gifts promote more discussion I have another question to pose. Again, I got asked this in an email but I was unable to answer. Hopefully you can help the guy out and maybe help us all out.
The problem is two-fold. The first part requires a fool-proof way of hiding the design of a database. Secondly, a way is needed to time-limit a trial version of a database.
We all know you can hide the design of a database fairly easily. But you've probably heard it's just as easy to unlock it. Is this the case? If so, what's the best way to really lock it?
How would you limit a trial to a certain period? Would every element need to check a time value each time it's opened?
Well, I export my code and then do a %INCLUDE to get it back in - that way you definatly only have the compiled code in there - or am I just kidding myself and there is a way around it?
I did start automating this using DXL but never finished the project - will need to get it going again and as the exporting and importing is a real hassle when you are debugging :o(
Trial software => you could create a MD5 key using the end of the month and some hidden phrase - you could then check if the key is the same at runtime. I did something similar but only to validate using a specific piece of software - MD5 the domain and some hidden key. Should also work with a date - haven't tried it though ;o)
Keep up the good work Jake
Ursus
Maybe there is a simple answer: Hide the design of the database template and code as much as you can within agents or Script-Libraries. Unlocking the design only shows parts like forms and View, your script-sourcecode is not part of your "hidden" template. When you save the design of a form from a broken template, script code gets lost. There are only "binaries".
When you use script to lock a demo-template, you can restrict certain function (like opening a document) after your trial-period. You can use profile documents (this form should not be part of the template) to trigger when a database ist first used. Copying a database with documents transfers the profile document to the new copy.
What I haven't found yet: You can't close the complete database after opening it in a notes-client and you cannot restrict other databases reading your demo-db.
Putting your code into .lss files are all very well for the average joe user. But some of us techy bods can turn the qcode back into script with little fuss. It's one of the subjects in my "hacking the Domino server" article that I am putting together for Jake. {Link}
As far as I can see you cannot lock down the design sufficient to keep it secure. There are always ways and means. It's just a matter of making it as awkward as possible to get at the code. The standard hiding of the design in the traditional way is good enough for 99.9% of the applications.
I've used the password hash as a quick and easy method to time-lock a database. Pick a range of values for the next few months that you want to lock the database for, plus a hidden key (oh, and I suggest the database ID as well) to produce a series of hash values. Then, as Ursus suggests, check against these values. Profile docs work well as quick hiding places.
Although there are better places. Ever looked at what NoteIDs NTFFFFxxxx map to? It is possible to use them if you're careful.
Creating an Evaluation Copy of a Database
Here's a quick and easy way to cripple a database after the expired time period.
All this code does is close the window after the post event has executed.
* Note: You must also hide the database design for this to work!
In the database script:
(Declarations)
Declare Function NEMGetCurrentSubprogramWindow Lib "nnotesws.dll" () As Long
Declare Function NEMStopSubprogramWindow Lib "nnotesws.dll" (Byval hwnd As Long) As Integer
Sub Postopen(Source As Notesuidatabase)
If Cdat("11/22/2004 (This is the day to end the application)") < Cdat(Today) Then
Dim wHandle As Long
' Get window handle
wHandle = NEMGetCurrentSubprogramWindow
' Close current window
Call NEMStopSubprogramWindow(wHandle)
End If
End Sub
Not sure about the design hiding, but when I've done time limit db's I've used formula in the PostOpen of the database script.
I store the start date & time of the trial in a profile document (or set it if there isn't one - i.e. first time they open it).
I also store the date & time they last opened the database.
Then I do a couple of checks to make sure the current date isn't before the start date, and before the last opened date and also is not outside the trial period time limit. If it is, I do an @Command( [FileCloseWindow] ) to shut the database down again.
There are likely ways around it, but if you call your profile document something not very obvious it should help, and it works pretty well.
Thanks guys. One thing though, all this talk of PostOpen scripts to check a date value is client-only, is it not?
Database scripts don't work on the web do they? We've got webqueryopen but this can't redirect. Maybe we could have it display a message on the page saying "Eval Copy" or something.
For a *really* simple solution, I'd have a 1 frame frameset, which calculated its value. If you were out of date - display a "your eval is over" page, otherwise display the normal info.
Obviously you could get round that by opening other URL's but as a very quick catch-all it would be OK.
My next immediate thought to try and stop a change to every element would be to try and use the :before css tag. If all the pages start with a header, perhaps you could add something with that. I think :before is one of those tags not very well supported though isn't it?
Actually, that gives me another thought. Change the background image through some computed text on the stylesheet to show an "evaluation version" background.
Perhaps I'll stop whittering now! :■)
Tulio,
turn on LotusScript Debugger. You should be able to bypass your code.
Also - anyone can put a text file called "designer.exe" in their data directory and their standard client application will now have full designer client as well.
You could then edit any code you wanted.
I think there is not a solution, but you can make it very difficult for people to re-use your code or steal it - but if they are determined they will.
Ursus has mentioned what I have seen to be the best way to hide code with a balance of fuss to implement. To make it more secure yet, however, I've seen one publisher create a c++ .dll to hold the bulk of their super secret code and only include interfaces to it in the .nsf, which in turn has both obsfucated, hidden, and binary only code to access the .dll. Obviously, you need to know c++, feel comfortable creating COM objects that can be called from Lotus Script, and really have a unique design that warrants the time and effort.
Unless you're going to patent it too, there's really no point... and if you're doing that, you've got both the investment in legal fees and the legal protection, so while you probably would be able to justify the cost to go to such lengths, with the legal protection and the right to sue violators (potentially more profitable these days than even selling software), leaving it unlocked could be desirable.
You can effect a redirect with webqueryopen, Jake. I've spent a lot of effort figuring out the best way but it boils down to two steps. If your event has triggered (ie exp date passed) on open of a form, empty the context document object by looping through doc.items and nulling each value. Set your HTMLHEAD to perform a script redirect (see links below) with the inclusion of a field for displaying computed HTML that shows a link, perhaps back to the vendors website indicating the trial period of the application has expired. Combined with design hiding / locking, this would make it fairly sufficient - though a very determined person could change what happens on WQO.
Redirect discussions:
{Link}
{Link}
Fascinating topic... err Whats all this about creating a text file called designer.exe in your data drive?
Doe it really give you a designer?
A.
For the web why dont you provide the person with a user name and pw. Capture the date when the user first logs into the demo site. i.e. force the user to log in, each time checking how many days since the first logged in.
I cant think of anything better for the client than already mentioned.
A.
We occasionally send demo CDs of our product out to clients who use Lotus Notes (and some have in-house developers) so we've anguished over these problems. As far as hiding the code, we came to the conclusion that anyone who was determined enough could get anything they wanted out of the application, much as others have described above. We hid the design and decided that if anyone was crazy enough to try and figure out the code, more power to them! :)
We ended up with a different approach the to time-limit problem, however. We chose to limit the total number of documents in the database instead of worrying about restricting the user to a certain period of time. This is far easier to do in Notes programming (no matter your implementation). This approach also had the added benefit that the end user could always delete some old documents to use the crippleware application again and see other functions or to even show it to someone else.
For having multiple version of the same app, I have used a view note to store data on. If you export the code that does the lookup to the view note, then it is very difficult for someone to workout where the licensing info is found. I was also able to have multiple versions easily with no change to my source code. The OpenArchive project over at OpenNTF has/had some of this code in it.
I suggest you leave the design open for all to see (and marvel at). That way you are forced to write decent code:)
As for time locking evaluation copies - trust the good nature of others. Most Notes/Domino apps. are for large/medium businesses anyway, and they tend to pay for the software they use (stick a copywrite notice somewhere).
Notes programming sometimes leads to a "standard application", build to be used by many customers. When you leave your design open, your customers are able to build localized versions, incompatible to your own standard. With this "localized Version" you aren't able to simply change the template. This won't really hurt as long as your customer pays for your maintanance, but in case of errors ...
I can tell about a customer and his demo-version: payments were send just after trial-period has ended and full version was needed to access their documents in the demo-database.
Instead of trying to lock people out by showing an evaluation message couldn't you just check this in certain key places. For example, don't allow documents to be saved after the trial period.
Yeah - but by locking them out (via ACL) you prevent the end clients developers from poking around and removing your code (which prevents saving documents)
I meant in a combination with hiding the design. Not perfect, but is it really worth the effort to do any more than hide the design?
Allen,
try it - create a text file in your data directory and fill it with junk.
rename it "designer.exe' and voila - you have the full designer client.
(at least pre-6, but I'm sure it works on 6 too)
anyone out there interested in protecting IPR i mean those who are really concerned in legal issues pertaining to IPR can email me vimmi17@rediffmail.com. We are a group of budding Lawyers who wish to start a club on protecting IP. contribute to a good cause. Only those genuinely interested could mail back.