Encode 3.0

[Mark]

I remember back to the flame war days of licenses and customers running the tool before it was disabled. Then people started faking output. Chunks of threads were shut down, the mod stick, the ban stick, and the admin stick were out alot during that time. Then people started making threads I reported MarkhamLA for piracy but his site is still up?!?!?!? WTF?!?!?!?!?! Then it started all over again. I pray these days NEVER return. /shudder

I will say that I hope there is no license server in the mix. Validation is a PITA. I already have to play wiht MS to get Vista and Office validated. I don't want to start playing those games wiht my website.

Regardless of how this turns out people will be pissed. If IPS doesn't enocde something people will whine that their purchases aren't protected because Joe Shmoe can go d/l IPB from warez.com. If they do encode it people will whine that they can't modify any or that one specific file that they want to. There is no fool proof system that will make every single person happy. IPS has the right to protect thier IP however they want to. If they want to hire more staff to manage "activation" issues they can, but expect to see the price go up.

What happens when something on my server goes corrupt, just enough to cause my activation to fail. Do my mods stop working? Does my forum display a message to my users saying "This forum isn't validated"? People that say that can't happen, look at Vista/XP. Sometimes the activation data goes bad. I have seen it happen. What happens if IPS's call back serer is down? My forum needs to call home to verify the license is STILL valid, but it can't reach the server. Does my forum shut off or does the site still continue to operate? If it continues why won't the person block that site on the server firewall? I could do that on my VPS. Costs (including the customers costs in dealing wiht issues) vs. benefits does not seem to be at that level.

I still think the best system to put in place is what we have. if I find a questionable site I report it and forget about it. IPS will take care of it from then on.

One would hope that the person designing the system would think about these things.

As I have said, a project I work with has a licensing system and since going "gold" - in fact since we left ALPHA testing - there have been no activation problems (besides the odd idiot who calls up that doesn't actually have a license key that thinks we're just going to give them one because they call and pretend) and we have all sorts of things in place (we can limit what version people can use, copyright removal is handled by the normal license keys, etc.)

Things with like the server going down, etc. what we do is if there is a problem on our end, we assume that the license key is fine but make a note (on their installation) that there was a problem and check again later. If there is a problem with the server that is going to take a while to fix, we stick a file up on a "backup" server which tells the software to just assume all license keys are fine until we remove that file. If there are multiple failed attempts and server status is okay (or for some reason it can't reach the backup server) it will either E-Mail the piracy department or stop working.

If someone *deliberatly* tries to play with the system, that is obviously going to create problems - but when people see an error message after deliberately messing about with it, they tend to give up.

[Louis M.]

I guess its going to come down to IPS deciding if the Cost vs. Benefit is worth it. I am not against having to "activate" my software as long as its not a PITA. I look at it like this, if something causes my software to stop working, that is profit loss for me. I know when I install my forums and get it up and configured the site will run with out hiccups (minus Murphy's law). I can go on vacation and my moderators will handle the daily stuff. But what happens if my license is corrupted or somehow invalidates (from no fault of my own ie not pirated). I may be travelling and not have access to the site or the tools to fix it.

Like I said though, I understand the need to protect IP and I have no issues with the suggested features as long as I (and all the other legit end users) do not have to play silly games to validate or maintain its validated state. I get treated like a thief with Microsoft, I would like t get treated like a customer with IPS.

[Mark]

I'm actually indifferent, by the way, I just think it's an option that shouldn't be ignored.

Anyway, you need to realise however, that IPS isn't Microsoft. IPS develops web sofware which is going to immediatly change the playing field.
Think about things that might de-activate your Windows license, the main thing that springs to my mind is changing your hardware. With IPS it's going to be changing the URL - now Microsoft can't check if there is still a computer using your old hardware, whereas if IPS detects that the license key is now being used under a different URL, rather than shut off your system like Microsoft might do it can either: check what URL you have in the client area, and allow use on that one only -or- it can send an E-Mail to the piracy department letting them know the before and after URLs and asking them to do something about it rather than handling it themself.
I suppose that's what it comes down to, with Windows Licensing, if it's unsure it assumes you're a pirate - with web-software licensing, if it's unsure it can ask a real person.

[Louis M.]

I'm actually indifferent, by the way, I just think it's an option that shouldn't be ignored.

Anyway, you need to realise however, that IPS isn't Microsoft. IPS develops web sofware which is going to immediatly change the playing field.

Think about things that might de-activate your Windows license, the main thing that springs to my mind is changing your hardware. With IPS it's going to be changing the URL - now Microsoft can't check if there is still a computer using your old hardware, whereas if IPS detects that the license key is now being used under a different URL, rather than shut off your system like Microsoft might do it can either: check what URL you have in the client area, and allow use on that one only -or- it can send an E-Mail to the piracy department letting them know the before and after URLs and asking them to do something about it rather than handling it themself.

I suppose that's what it comes down to, with Windows Licensing, if it's unsure it assumes you're a pirate - with web-software licensing, if it's unsure it can ask a real person.

I do like the URL thing.... the local install could validate itself that way. That might work.

Oh I know MS isnt IPS.... MS can't hang at IPS's level LOL.

[GregF]

Encoding only hinders the legitimate customers.

I remember reading a blog where someone was able to view php code encoded by ioncube by modifying the php source code and compiling it for his machine. It then saved the code to a file before sending it to the zend engine. I guess my point is, if someone really wants to pirate a php script, then they will.

[bfarber]

Encoding only hinders the legitimate customers.

I remember reading a blog where someone was able to view php code encoded by ioncube by modifying the php source code and compiling it for his machine. It then saved the code to a file before sending it to the zend engine. I guess my point is, if someone really wants to pirate a php script, then they will.

That was fixed long ago by the way. It was the same with all the major encoders - someone found a way to load another extension to PHP would would log the code as it was being compiled by Zend. The resulting code wasn't identical, but functioned identically (i.e. elseif statements got turned into else with a nested if statement inside, things like that).

Anyways, all the major encoders released updates about a year or two ago to patch that hole. Although I agree that nothing is going to stop determined hackers in the long run.

[GregF]

That was fixed long ago by the way. It was the same with all the major encoders - someone found a way to load another extension to PHP would would log the code as it was being compiled by Zend. The resulting code wasn't identical, but functioned identically (i.e. elseif statements got turned into else with a nested if statement inside, things like that).

That's a good to know, I can't say I am up to date on decryption news.

I have always enjoyed IPB's openness and the ability to customize it to my needs. If you were to encode your products I would think you would need a fairly good hooks system and documentation.

[bfarber]

That's a good to know, I can't say I am up to date on decryption news.

I have always enjoyed IPB's openness and the ability to customize it to my needs. If you were to encode your products I would think you would need a fairly good hooks system and documentation.

I'd agree - in order for encoding to be possible on software that people want to be able to change, you need to have a way for that to happen - which largely does not exist presently.

[Jaggi]

i think encoding of files has no real benefit at the moment, it'll just seperate developers from the fun of creating mods and remove access that invision has to thousands of modifications. I think its something you can think about but not something to be taken lightly and not something that i think is possible anytime soon.

[Lindsey_]

Ok this may sound dumb but if IPS only encode the install folder or even just the /install/index.php file

How would this affect mods ? :(

[bfarber]

It wouldn't necessarily, but it also wouldn't really stop piracy. It would be trivial for one valid user trying to pirate the software to do a real install and just dump the database immediately after installation, then provide that and you have a stock board without using the installer (well, still need conf_global.php, but that's easy too).

[Yoso]

i think the only effect of encoding (also only in peaces) is to annoy the Customers who have no Iconcube or Zend Optimizer installed, or only an to old version and so the resulting problems with it

the software pirates have no problems with this barrier, i think. so its absolutly useless to encode the software, unless IPS has to much money or would reduce her client base :rolleyes:

and at last, the license for youre encoding is not for free, and i think you can use our money better as to pay for this purpose pointless encoders

[Mark]

i think the only effect of encoding (also only in peaces) is to annoy the Customers who have no Iconcube or Zend Optimizer installed, or only an to old version and so the resulting problems with it

the software pirates have no problems with this barrier, i think. so its absolutly useless to encode the software, unless IPS has to much money or would reduce her client base :rolleyes:

and at last, the license for youre encoding is not for free, and i think you can use our money better as to pay for this purpose pointless encoders

I would imagine that IPS already has the encoder as they encode Coverge and Nexus.
Also, Ioncube doesn't need installing in most cases as it can run off the included loaders.

[Mat Barrie]

I would imagine that IPS already has the encoder as they encode Coverge and Nexus.

Also, Ioncube doesn't need installing in most cases as it can run off the included loaders.

The problem is that most is not all. I have seen instances of hosts where, say, dl() is disabled. No ionCube for you. What if they then refuse to install Zend? Well, tough. Off you go to get vBulletin (and a very angry customer either blasting IPS or just outright charging back the transaction. Ouch)!

Myself, I just wont run ionCube or Zend on general principle. Mostly because the second I install one of those on my web servers, PHP starts bombing like mad and just being an outright annoyance with the incessant crashing of PHP (in CGI mode) or all of IIS (in ISAPI mode) - which pops up a message box on the interactive desktop no less.

[Lindsey_]

Well thanks for the feedback.
We dont wont people going to Vbulletin.

[uberjon]

Ok this may sound dumb but if IPS only encode the install folder or even just the /install/index.php file

How would this affect mods ? :(

possibly gave me an idea.

*waits for this to get shot down*

in theory..

encode just /index.php and have index.php have a hooks system.

no need to encode every file. and create a hooks system for every file...

id like to see a forum run without index.php......

[joke]
theoretical anti piracy

[Lindsey_]

Well im worried that all there hard work will go to waste

[bfarber]

It wouldn't be overly difficult to come up with a new index.php that mimicks the functionality.

For any sort of encoding to be effective you'd have to encode ENOUGH of the source code so that the software simply couldn't be rebuilt without that portion.

I fail to see the big deal with ioncube myself - the whole "out of principle" argument seems improper. Piracy is a huge problem, and a huge cost to paying customers in the long run. Imagine if there are 10,000 pirates. Say 5,000 would buy the software if they couldn't pirate it (some people just refuse to pay for software). If the license cost was spread out amongst 5000 more people, in theory it could be a lot lower and still make the same amount of overall revenue. Hypothetical mind you.

Personally I'd have no problem running an ioncube-encoded script if it accomplished what I wanted (and fit my other needs, i.e. price, support, and so on).

As Lindy said before, there are no immediate plans to entirely encode IPB, and before any plans could even be considered (partial or entirely) there would need to be hooks and so forth so that developers could still accomplish everything they can now. This shouldn't be an immediate concern for everyone, and I'm sure if the position changed there would be plenty of advance notice for users.

[Lindy]

The problem is that most is not all. I have seen instances of hosts where, say, dl() is disabled. No ionCube for you. What if they then refuse to install Zend? Well, tough. Off you go to get vBulletin (and a very angry customer either blasting IPS or just outright charging back the transaction. Ouch)!

Myself, I just wont run ionCube or Zend on general principle. Mostly because the second I install one of those on my web servers, PHP starts bombing like mad and just being an outright annoyance with the incessant crashing of PHP (in CGI mode) or all of IIS (in ISAPI mode) - which pops up a message box on the interactive desktop no less.

Unfortunately, the "honor system" on the Internet isn't as honorable as it once was. There's not just the issue of piracy and use of the software itself, but also the theft of key code that we've found in dozens of other "projects." Like most serious software companies, we spend a significant amount of time, money and resources to bring you quality products and services. We of course are obligated to protect those efforts. There is most definitely a line between IP protection and mass customer inconvenience; should we ever consider encoding in any fashion, that is a line we have no intentions of crossing. I will say that the handful of hosts who prohibit (direct or indirect) IonCube could not be given significant weight in the decision, although we would do our best to find solutions.

Anyone closely involved in the web software arena can tell you that there are signs that your average open source software availability is unfortunately slipping. The abuse is high, the interest and attention span are low and commercially supported alternatives are now a viable option. As this happens, you see more and more commercial web applications offered as encoded. Unfortunately, many equate viewable source with open source. You also don't see many of those encoded software packages floating on file sharing networks and those that do slip through (as they will) are much more easy to contain in vastly smaller amounts.

As said previously, nothing is set in stone in terms of encoding IPB. We have a ways to go before we'd feel comfortable entertaining the notion of even partial encoding; hooks would have to be solid and we would have to ensure that those who customize their forum would be minimally impacted. We're nearly stressing the point behind encoding as most, if not all, products we release in the future will be encoded.

[FrostedPopTart]

Unfortunately, the "honor system" on the Internet isn't as honorable as it once was. There's not just the issue of piracy and use of the software itself, but also the theft of key code that we've found in dozens of other "projects." Like most serious software companies, we spend a significant amount of time, money and resources to bring you quality products and services. We of course are obligated to protect those efforts. There is most definitely a line between IP protection and mass customer inconvenience; should we ever consider encoding in any fashion, that is a line we have no intentions of crossing. I will say that the handful of hosts who prohibit (direct or indirect) IonCube could not be given significant weight in the decision, although we would do our best to find solutions.

Anyone closely involved in the web software arena can tell you that there are signs that your average open source software availability is unfortunately slipping. The abuse is high, the interest and attention span are low and commercially supported alternatives are now a viable option. As this happens, you see more and more commercial web applications offered as encoded. Unfortunately, many equate viewable source with open source. You also don't see many of those encoded software packages floating on file sharing networks and those that do slip through (as they will) are much more easy to contain in vastly smaller amounts.

As said previously, nothing is set in stone in terms of encoding IPB. We have a ways to go before we'd feel comfortable entertaining the notion of even partial encoding; hooks would have to be solid and we would have to ensure that those who customize their forum would be minimally impacted. [size=3][color="#FF0000"][font="Arial"][u][b]We're nearly stressing the point behind encoding as most, if not all, products we release in the future will be encoded.[/b][/u][/font][/color][/size]

That is highly unfortunate and I am sorry to hear that. I will not be buying Nexus or any other product then if they will be encoded.

[zigs]

Why can't mods Just be made as components? I have had a mod made for my board, which allows users to select which forums they want to view and also whether they want to view shoutbox or not, it is a component and doesn't effect IPB files :unsure: surely mods like these are easier to install and aren't affected by IPB upgrades?

Disclaimer: I may be talking a load of rubbish!

[Lindsey_]

I understand you Zigzag.
I like them as component's . Why do mods need file edits anyway.

Thanks!

[bfarber]

Unfortunately, some modifications can't work as components - it's something we realize, and mod developers realize as well.

A popular example is the "group name indicator" that Michael released. To add that little legend in the board index, you have to modify a file (or multiple files) to display that. Now, while much of the code CAN be extracted, you still need to tell the php script that when it gets to that part of rendering the page "Oh yeah, come look at this that I want to add to the page too". That, presently requires a modification.

That's where the notion of hooks comes into play. If there was a way that mod developers could get a notice while the page is being rendered that IPB is at a specific section and wants to know (from modifications) if there's anything else it needs to do or add, the modification can reply to IPB and tell it "yes, add this here" without actually requiring the IPB code to be edited.

Long story short, many modifications are only possible as actual modifications, and not as plugins/components. Until those can be accommodated, it would be hard to encode the files that are frequently modified. That's the point we were getting at.

[Digi]

Myself, I just wont run ionCube or Zend on general principle. Mostly because the second I install one of those on my web servers, PHP starts bombing like mad and just being an outright annoyance with the incessant crashing of PHP (in CGI mode) or all of IIS (in ISAPI mode) - which pops up a message box on the interactive desktop no less.

I'm sorry, but your win configuration is wacked out then. We've installed both IonCube and Zend on IIS running PHP5 is all 3 modes (ISAPI, CGI, fast-CGI) and at no time have we ever had issues like you are specifying, nor have we noticed any sort of instability on the php system (I have php posting to syslog jsut so I can track these sorts of issues). Are you running thread safe binaries? We use the non-thread safe binaries for fast-cgi.

A popular example is the "group name indicator" that Michael released.

Nah, template file includes work perfect for this modification, so this is a very bad example. The problem is, a lot of IPB developers don't understand the software enough to create modifications in a manner that requires minimal file edits (if any are needed at all) and works in the modt efficient manner possible. I can't count how many modifications for 2.2/2.3 still use the "create and act= page" format. Even when they do it right and create it as a component they jsut do a blatent copy/paste and tweak on the gallery (or other ipb component) style formatting, which is a horrible example imho.

There are SOME modifications that will need file edits, I will agree to that. However, IPS could do much better by IPB than to simply implement an unnecessary hooks system. The most common modifications today affect the global look (easily modified/hooked using the template include method) or the topic view. For the topic view, most modifications are for BBcodes not supported because they require php in order to process them. Adding a php plugin system here would greatly benefit the IPB community without all the overhead of a hook system.

That's where the notion of hooks comes into play. If there was a way that mod developers could get a notice while the page is being rendered that IPB is at a specific section and wants to know (from modifications) if there's anything else it needs to do or add, the modification can reply to IPB and tell it "yes, add this here" without actually requiring the IPB code to be edited.

Long story short, many modifications are only possible as actual modifications, and not as plugins/components. Until those can be accommodated, it would be hard to encode the files that are frequently modified. That's the point we were getting at.

Plugins out do hooks anyday and compliment components and file/url includes in the template files all too well. Expanding this to the extent of possibility I think should be IPS's short term goal. Will everything be possible with out some inline hooks? No. However, by pushing plugins and inline edits to the limit first, IPS can minimizing hooks to those key, untouchable, areas (like "post submitted, I want to add points here") would compliment the system rather than ruin it. When you guys start developing a hook system, I hope you keep those sorts of things in mind.

[Alex]

Loads of good points here, but for some modifications, if developers took the time to study the <if> tags in the IP.Board templates, you could accomplish alot more with less file edits, you could just use <if="include_once()"> etc. to get the right information at the right time, and use global $ipsclass; to get $ipsclass up and running.