Open Source and Morality

Posted on Sep 30 2009

Joa Ebert is asking on his blog whether having open source decompiler/obfuscator software would make sense.

I can maybe help a bit with this choice, since I was confronted with the same one a few years ago. At that time I wrote an AS2 decompiler as well as a SWF obfuscator that we are still using at Motion-Twin.

People who have met me know that I'm a big proponent of open source and open protocols, so why didn't I open source this software after writing it? There are good reasons behind these choices.

Decompilers

While decompilers are a very good tool for the expert to learn about the way a given compiler can optimize code, in the hands of the average user they are mainly used to look through other people's code.

I'm all for open source and code sharing, but I think that someone should get the original developer's agreement before looking at his code. I don't consider that decompiling is the same as stealing, since the original code is not lost in any way (this is somehow similar to downloading an MP3) but in practice, you will often find people decompiling for the sake of just copying, only because they are too lazy to solve a given problem or because they have a deadline and just don't care about reusing someone else's work without asking.

While an open source decompiler is a great tool for hackers (but in that case a disassembler is already quite enough), it becomes an immoral tool in the hands of mister everybody. So I guess that from a moral point of view, an open source decompiler would not fit any particular "good usage".

Obfuscator

Somehow the entire opposite of the previous one, since the only use one might have for an obfuscator is to protect his code from being decompiled.

A side story: in early 2009 I was working on a Flash9 obfuscator prototype that is working nicely. We thought to sell it by making a partnership with PowerFlasher (the company behind FDT IDE) but we found that using the software was hard and required a good knowledge of the theory behind a virtual machine, as well as many code changes in some cases. We then recently decided not to push the project further, although we will be using the obfuscator in-house at Motion-Twin for our Flash9/10 projects.

So yes, I have no problem with selling obfuscator software. Since I think that it should be the developer's choice to either share his software or not, one should also have the choice to protect himself from people using decompilers.

However, I'm having a problem with the idea of an open source obfuscator, since the two ideas of "open source" and "protecting your code" are clearly opposite.

Also, I don't think that people should be encouraged to protect their code, and I don't think that someone should provide them an easy+free way of doing so. Because the more people feel their code is "secure", the more sensitive they will be to their code being "reused", even if it's not at all the same code but the same behavior or same principles.

I think that developers in general should first focus on improving their skills instead of thinking about protecting the things they have written and that almost nobody would actually like to copy.

Obfuscators and similar technologies are putting too much emphasis on the notion of property of code, and since I'm also a big opponent of software patents, I don't want such ideas to become mainstream: we don't have software patents in Europe and this is something that we should really defend.

Of course obfuscators don't have anything to do directly with software patents, but at the same time first someone might want his code to be protected, then later he wants not only that, but also the ideas behind his code to be protected. And that's where software patents start being a problem.

There are still a few valid reasons to use obfuscators: for instance we are mainly using it not to protect our games' implementation (because we don't care) but to protect the protocols used to save the score or exchange data between client and server, since we don't want these to be exploited by malicious players that would ruin the fun of other players (such exploits are not possible in secured games when the server handles the game logic, but for arcade games you don't really have the choice).

In conclusion, it is not because you are making open source software that you are doing a "good thing". There are some cases where helping a software go mainstream can actually go against what you were thinking at first. Open Source and (sense of) Morality are two different things, but when combined they become extremely powerful.

And I guess that's all I had to say on the subject :)

11 comments
  • Sep 30, 2009 at 23:54

    Excellent words, Nicolas, I was trying to say something very much like this in my comment on Joa's blog.

    Though I don't think you are, but to those who may doubt Joa's motivations for opening or not opening his code to the public, I would assert he has the best of intentions, and was simply unsure which course of action would be the best for the community as a whole.

    Nicolas, I think your extended experience with the subject at hand, and the many ways in which you have given to the flash community gives you solid grounds to say- yes open source is great and we all love open source... but there are some things where it just doesn't do anyone any good to open it up to the public.

    Thanks for the article!

  • Oct 01, 2009 at 00:27

    Great writeup, Nicolas. Most people do not take time to look at the nuances of this issue. I'm glad you shared your insight - you are uniquely qualified to comment on this.

  • Oct 01, 2009 at 02:54

    Well said Nicolas, I couldn't agree more with you.

    But the protocols used to send scores and things to the server can always be replicated by sending headers from a PHP page.

    Check the "Live HTTP Headers" extension for Firefox while you are sending some data to the server. It will surprise you that you can actually see all data going to and from the server.

    Regards,

    Jaime

  • Laurent Debacker
    Oct 01, 2009 at 12:39

    When somebody obfuscates code, he would like to make sure that the obfuscator does not insert evil code (malware) in the resulting binary file. So, like a compiler, it should be open source.

    I think that you see this from a community perspective (collaboration, etc). But there is another perspective: the end-user who wants access to the source code to see what the developer wants his computer to do. When you pay for software, you should ask for the source code, since you paid the developer for the program. For example, thanks to the code, you can make sure that the program you paid for will still be running in 15 years, by adjusting the code, etc. But if you don't pay, actually, you don't have much to ask, you're already lucky that someone is giving away something for free.

  • Oct 01, 2009 at 13:24

    For the decompiler, I think open sourcing is the better way.
    Make the obfuscator open source; it is better to learn how to protect your online apps against cheaters and participate in making a powerful tool to do that (like making an unpredictable obfuscation)

    @Jaime: I think Nicolas & his team have already thought about it and they found a solution for secure connection exchanges between client and server + checking integrity of client.

  • kik
    Oct 02, 2009 at 12:46

    I'm radical, but I would prefer everything openSource, it improves the community, the actionScript, the projects. And the new programmers that can read and learn from the code. I've learned many things decompiling code, and one really has to be interested to decompile and read all the code

  • Oct 04, 2009 at 00:17

    Just in case you haven't seen this:
    http://www.thepencilfarm.com/blog/2008/02/snow_day_at_the_beijing_olympi.html

    It is a serious example of not opening the source of a decompiler.

  • Oct 07, 2009 at 06:50

    You say "I think that someone should get the original developer agreement before looking at his code", and also "I don't think that people should be encouraged to protect their code".
    I think there is some contradiction here.
    The competing sides are 1. Stop bad guys and 2. Help good guys. Obfuscator for 1, Decompiler for 2. But I think using 2 as a teaching technique is only the best option for people interested in the compiler/VM rather than the code.

    One idea might be "encourage people to protect their PRODUCTS (ie, swfs), but also share their code/techniques". So the reusable bits can be shared, and the unique bits can produce income for the developer.
    One way of doing this may be in the license of the obfuscator - some clause that says "by using this software you agree to help like minded developers by writing articles or releasing some of the code used in the product". Something like that anyhow.

    Open Source for Open Source sake is not a great goal IMHO, I think the more interesting goal is "to maximize reusable code libraries". Open Source may then be one way to do this, but there may be other options that also push towards this goal in different, but still effective, ways.

  • Sebastian
    Oct 10, 2009 at 17:30

    Your words made sense when I first read them, but an hour later I started up Reflector.NET (a .NET/IL decompiler) to see how a, now obsolete, method in the .NET-framework was implemented so I would know how to rewrite my code correctly. The documentation had not told me enough. This is not an unusual situation when you don't have the source and even with the source, it is often faster to find the code with Reflector than hunt down the right version of the right source file and read the code there.

    Now that there are more and more libraries out there for flash programs, the usefulness of decompilers for flash programs is increasing as well.

    Looking at it from a moral standpoint I don't see the harm if someone "steals" some code. What's the point of everyone making the same mistakes, the same workarounds around some bugs and solving the same problems over and over?
    Sure, they can produce a program slightly faster that way and thereby get some slight "unfair" advantage over their competitors, but if they need to steal, I doubt the value of their product is so high anyway.

  • Richard
    Oct 12, 2009 at 00:14

    Before I go on, I'd like to first say that I have a lot of respect for people who develop ANYTHING (music, games etc.) and feel that they should be rewarded where they merit it. However, and this is NOT a 'but' moment, I myself would find tools similar to Joa Ebert's TAAS of great use, namely for migrating code to other programming languages. Notice I say 'migrate'.

    In my case, I've been looking into the usage of some publicly available, legally licensed, open source projects held on sites such as Google code or Sourceforge. However, these projects are written in Flash/Action Script, and I'm a Java developer of some years. Now, I COULD spend several months porting the algorithms held within this code to Java, however, all I really want to do is progress my idea and to benefit from the freely offered code base, ASAP. So, the decompiler tool would help me to port the logic to another language, this can be done using Abstract-Syntax-Tree-based tools.

    Yes, the technology can and probably will be abused, but also, there will be many like me who would see such tech as a godsend in speeding up their development process (i.e. integrating freely-available foreign code).

  • VisitorG
    Oct 12, 2009 at 00:19

    Hi,

    I am a flash video-games developer and it is something I have been wondering for some time now.
    Other than obfuscation and cyphered communications, there is nothing else that can be done, is there?

    If there is, I would take any hint please (a book reference, some keywords...)

    Otherwise, about the obfuscator, the question Sir Ebert (sounds good) asked wasn't about the profit he could make, but about being open source.
    If there was a good reason to protect the code, not control the use, I would agree with you (and then why not make profit, I would pay for a good tool that deserves it).
    But if it has a price, people will just crack it, and for the same result the product will not be opened (open is good, I won't teach this to you...).

    As for the decompilers, there have been and always will be some.
    At best someone has a heads up if at the moment code can't be decompiled... (the beginning of AS3 for example).
    And there are some good uses for decompilers, as you said, for the understanding of how a compiler works (I hope I will get there someday).
    So why not make it open and good.
    At least people will learn from it and try to protect their code.
    And at least other people will not make money selling decompilers to people who intend to steal code (double bad is worse than bad).

    My vision is fatalist, but I'm afraid it is accurate...
