A couple of years ago I wrote here about serial protection - eventually I did drop the idea (PHP serial validation/blacklist - I hadn't the time to develop it) - yet the problem persists: chances are that Adobe Exchange will provide some kind of DRM API in the near future, but so far releasing a commercial, unprotected extension/script (as my friend said) is just like leaving a baked cake to cool out of the window and leaving the house.
I know this is a particularly delicate topic, but I'd be interested in hearing if and how you take care that your work is not (massively) pirated - even though we all know that some of it will be anyway. I mean, not to add even a mild protection seems to me unfair to the ones that legally bought your piece of work.
So a friend of mine and I are currently brainstorming about the topic (we rely both on Exchange and a personal e-store to sell extensions and scripts).
Among the issues we're discussing there are:
1. Serial/Licence file (may be a binary JSX?) generation / deployment.
2. Serial/Licence validation and blacklist.
3. Serial/Licence persistence (encrypted files, or customOptions maybe? They look appealing to me but may have drawbacks that I'm not aware of).
There are also interesting but a bit complex variations involving self modifying scripts, but I don't want to go too far now, I'd like to set up a general framework first.
Thanks in advance to those willing to contribute with their experience!
Davide
Script protection
While you elaborate your suggestions, I guess I've found a decent compromise between effort, needs and safety following this scheme.
I still have doubts about the way to store such information. It seems Photoshop registry isn't a good place, since a Preferences reset will wipe out registration info. Yet it will eliminate the need for encrypting a file (how/where, etc).
As an alternative, I could ship a license file (instead of the serial) - with Public-key cryptography (it sounds a bit oversized for my needs).
Apparently, this is a topic that makes people very sensitive: I've dug StackOverflow looking for suggestions and it seems 95% of developers there are quite abrupt when someone asks questions regarding software protection - pointing out that you'd be better off focusing on good software rather than armoring it. Which I could agree, or rather: I do agree, but it's nevertheless a fair question (how to implement such a system) and in my opinion it's strange that so many developers decline to give a technically detailed answer - mind you, I'm referring to what I've read in StackOverflow only.
Davide
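An added example, not part of the original posts and not an Adobe API: the licence-file alternative mentioned above (a file signed with public-key cryptography, combined with the blacklist from item 2 of the first post), written for Node.js with its built-in crypto module rather than ExtendScript or CryptoJS. The function names, field names, product id and serial are assumptions made up for illustration.

```javascript
const crypto = require('node:crypto');

// Vendor side (e-store): the private key never ships with the product.
function issueLicence(privateKey, fields) {
  const payload = JSON.stringify(fields); // the exact bytes that get signed
  const sig = crypto.sign(null, Buffer.from(payload, 'utf8'), privateKey);
  return JSON.stringify({ payload, sig: sig.toString('base64') });
}

// Product side: needs only the public key and a list of revoked serials.
function checkLicence(licenceText, publicKey, product, revokedSerials) {
  let lic;
  try {
    lic = JSON.parse(licenceText);
  } catch (e) {
    return { ok: false, reason: 'malformed' };
  }
  if (!lic || typeof lic.payload !== 'string' || typeof lic.sig !== 'string') {
    return { ok: false, reason: 'malformed' };
  }
  // Verify the signature before trusting any field inside the payload.
  let valid = false;
  try {
    valid = crypto.verify(null, Buffer.from(lic.payload, 'utf8'), publicKey,
                          Buffer.from(lic.sig, 'base64'));
  } catch (e) {
    valid = false; // an unparsable signature is treated like a wrong one
  }
  if (!valid) return { ok: false, reason: 'bad-signature' };
  const fields = JSON.parse(lic.payload);
  if (fields.product !== product) return { ok: false, reason: 'wrong-product' };
  if (revokedSerials.includes(fields.serial)) return { ok: false, reason: 'revoked' };
  return { ok: true, reason: 'valid', user: fields.user };
}

// Constructed sample data: a throwaway Ed25519 key pair and one licence.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const licence = issueLicence(privateKey, {
  product: 'demo-panel', serial: 'SN-0001', user: 'alice@example.com',
});
// Editing any signed field invalidates the signature.
const tampered = licence.replace('alice@example.com', 'mallory@example.com');

console.log(checkLicence(licence, publicKey, 'demo-panel', []));
console.log(checkLicence(tampered, publicKey, 'demo-panel', []));
console.log(checkLicence(licence, publicKey, 'demo-panel', ['SN-0001']));
```

Because the product embeds only the public key, the verification code contains nothing that can be used to issue new licences, unlike a serial algorithm based on a shared secret. The check is still ordinary script code, so it authenticates the licence and does not by itself protect the script around it.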
Script protection
I think that scripting is not really suited for that kind of software protection. I think that Adobe considers scripts similar to actions which also don't have any built-in protection mechanism and had expected (or hoped) users would share with each other.
I am not saying that you should not protect your script nor it's a bad thing if you do. I just don't think there is a good way to have a well protected script.
Script protection
Mike,
this is what I thought some time ago, actually.
But if you consider either binary export, the fact that JS lets you implement a large set of cryptography tools, and ExtendScript allows you to manage files (read/write - a script can also, interestingly enough, rewrite itself), that's all we need and there's nothing that prevents the platform from being able to work, from the protection point of view imho. Flex extensions may fit even better in the scheme - possibly.
Whether this is needed, profitable, a waste of time compared to the outcome - that's another topic, we know.
Yet I agree Adobe doesn't seem to focus on such things - or at least they're not high in the priority list.
Davide
Script protection
As a side note, I've written an introductory tutorial about CryptoJS - just in case someone is interested in implementing that library in his/her work.
Cheers,
Davide