Watermarking a java source file?

Nicholas Leippe nick at leippe.com
Thu Sep 13 23:03:14 MDT 2012


On Thu, Sep 13, 2012 at 10:33 PM, Andy Bradford <amb-plugg at bradfords.org> wrote:
> Thus said "S. Dale Morrey" on Thu, 13 Sep 2012 22:26:21 MDT:
>
>> It's b, sorry if I wasn't clear. I'm giving some files to someone for
>> review. I don't want these to become distributed since they contain
>> secret sauce recipes and if they leak I want to be able to blame the
>> correct person.
>
> Automatically generate every piece of your code. The function names
> should be generated as well as variable names. Make the function names
> look non-random. Then, give out a different, randomly generated copy of
> the code to the various parties and keep track of which party received
> which randomly generated version of the code.
>
> Would this work?

In theory, yes, in practice, no :)

Obfuscated code is *really* hard to review--thus defeating his goal.

This topic was kind of on slashdot just the other day--about the new
gimmick McAfee has for controlling photo distribution on facebook.
It's really simple: if you don't want something distributed, you can't
let it out of the bag.

That being said, you don't have many options to *guarantee* anything.

Your best bet is to require them to view the code in *your* house,
under your supervision and control, w/o any means to copy it.

Once they do have the source code in their possession, they could
modify it as they see fit--how could you prove that they are
distributing binaries employing your secret algorithms?

At the very least you need a solid NDA in place that has severe
penalties for breach.
Which leaves me back at your original dilemma--how to at least detect
a breach? That may require understanding your
product/codebase/situation--who is the reviewer and why are they
seeing your code? It's still probably intractable.

It's hard enough (really not possible) to even protect *binaries* from
being distributed. (Some attempt to use dongles, but they can *all* be
circumvented, others use network-access-DRM--e.g. Ubisoft). *Source
code* however, is truly a Pandora's box.

Also, just how "secret" is your code? Is it really that novel? I know
lots of employers that think the code they've paid for is worth
protecting, when it's really just glue that's been written time and
again by every web shop on the planet. I'm not saying yours isn't--I
don't know--but egos aside, is it really?

And if it really is, how much effort would be involved in monetizing
it? How much supporting infrastructure, customer base, etc would they
have to build up that would be serviced specifically by your exact
algorithm? IOW, how big is the risk really? Seems (without more
details), that if it's easily monetized, it should be easy to detect a
breach--go sue for the reparations in the NDA--and if it's not easily
monetized, the risk may be low enough to not worry--just get the NDA
then let them review it.

One last option occurs to me: can you remove your secret sauce and
replace it with stubs in the review copy? Or are they specifically
reviewing your secret sauce?
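The scheme Andy quotes above (per-recipient identifier names that look non-random, plus a record of who got which copy), as an added example written for this archive page and not code from anyone on the thread. It goes one step further than the quoted suggestion: the names are derived from an HMAC of a secret and the recipient label, so the key holder can regenerate any party's copy for attribution without keeping a table, and an attribution check is included. The Java snippet, the secret and the recipient labels are all constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed sample Java source (not from the thread). Only the private
# helper, its parameters and its local are treated as renameable.
JAVA_SRC = """class Pricing {
    private static double computeDiscount(double price, int tier) {
        double factor = tier * 0.05;
        return price * (1 - factor);
    }
}
"""
RENAMEABLE = ["computeDiscount", "price", "tier", "factor"]

# Word pools so generated names read like ordinary code, not random tokens.
ADJ = ["base", "net", "gross", "unit", "list", "final", "raw", "adj"]
NOUN = ["Price", "Rate", "Value", "Amount", "Level", "Factor", "Cost", "Total"]

def variant_names(recipient, secret, identifiers):
    """Map each identifier to a plausible camelCase name derived from
    HMAC(secret, recipient:identifier); reproducible by the key holder only."""
    mapping, used = {}, set()
    for ident in identifiers:
        digest = hmac.new(secret, f"{recipient}:{ident}".encode(),
                          hashlib.sha256).digest()
        for i in range(0, 32, 2):  # walk the digest until an unused name appears
            name = ADJ[digest[i] % len(ADJ)] + NOUN[digest[i + 1] % len(NOUN)]
            if name not in used:
                break
        used.add(name)
        mapping[ident] = name
    return mapping

def watermark(src, mapping):
    """Rename in one pass, so a freshly inserted name is never re-matched
    (A->B followed by B->C) when mappings chain."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, mapping)) + r")\b")
    return pattern.sub(lambda m: mapping[m.group(1)], src)

def identify_recipient(leaked_src, secret, recipients, identifiers):
    """Return the single recipient whose generated names all occur in the
    leaked copy, or None. Holds only while the identifiers were left intact."""
    hits = []
    for r in recipients:
        names = variant_names(r, secret, identifiers).values()
        if all(re.search(r"\b%s\b" % re.escape(n), leaked_src) for n in names):
            hits.append(r)
    return hits[0] if len(hits) == 1 else None
```

As Nicholas notes, a reviewer who renames the identifiers or rewrites the code removes the mark, so this only supports attribution of a verbatim leak; the NDA still has to do the rest.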