Using copyrighted code [closed] - copy-paste

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
What is the guideline on creating a program, or part of a program, based on non-free code, for example Microsoft's sample code for .NET or code found in someone's blog? The code is there to help a programmer's work, right? If one feels that part of such code is helpful in his work, does he have to reimplement it from scratch, or is it okay to copy and paste some code? What is the limit?

In addition to the general advice of "go ask a lawyer," here are some other thoughts.
I am not a lawyer, but I am responsible, as a senior product line manager, for making the decision of when to discuss something with a lawyer.
If you work at a company that has staff lawyers, then it is always a fine idea to go talk to them. Usually you'll want to discuss with your manager first. If you're in a product development group then you should also talk with your product manager.
Generally speaking, there is no such thing as public domain code. Rather, every bit of code should have a license.
Re: can I use Microsoft sample code? Yes, as their web page says: "The .NET Framework documentation includes code examples that you can copy directly from topics and paste into your own projects." -- Quoted from the web page that you referenced in your original question.
Added: The one liner from the MS site is a summary of their license. The actual license is longer and refuses responsibility for what the code may or may not do, suitability, etc etc. But the one line summary, especially for sample code, is clear enough.
Re: can I use code samples from blogs? Yes and no. Blogs should include a license for their software postings. Some do, many do not. If they don't, consider writing to the blogger and asking something like "Which license covers your software examples from your blog? The BSD license (example from Yahoo: http://developer.yahoo.com/yui/license.html) or similar?"
The reason you'd suggest that the blogger consider the BSD license is that it is very open. But, for example, the blogger could come back and say, "My examples are licensed under GPL 3."
In that case, you'd be bound by GPL 3 if you use the blogger's code.
Added: Can I use software examples from StackOverflow? Per the above, you should look for a software license from the blogger. And guess what? There is one for Stack Overflow. See the Legal link at the bottom of each SO page. On the Legal page, see section 3, "Subscriber content." That section gives you the license for all code samples on SO.
Conclusion: If you want to be living within the licenses from the software writers, then you need to know what those licenses are. If you don't know, then you run the risk of not actually having the right to use/re-license the software.
A different question is "must I always have a proper license for software that I'm using?" The answer to that question depends on many things. The simple answer, especially if you work for any government, public or private institution, is "yes." And, of course, as a proper member of society, you should also only use licensed software, for the obvious reasons.
Suppose, for instance, you see some sample code on a blog. The code is very useful to you. You want to use it. But there is no license for the code on the blog. You write the blogger, but get no reply. Can you use it? You could, but there is a risk (probably small), that the software's owner (the blogger) could decide to sue you. So then the real question is, should I assume the business risk? That's a business decision, not a technical decision. A reasonable business decision might then be, "Yes, let's use the software and take the risk of a problem."
Added: Microsoft Public License -- Microsoft (MS) licenses its sample code via its "Microsoft Public License," also known as the Ms-PL. The license. Example of a .NET sample referring to the Ms-PL. Another example of Microsoft sample code.

I doubt copying somebody's "Hello World" or "How to connect to a database" code would be much of a copyright issue, and example code usually gives the basics. The issue here is that there are only so many ways to do something in a programming language; as long as you're not directly copying significant portions of code, you should be fine.

Using open source code/software in web apps [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 7 years ago.
I'm having some trouble recently with open source licenses. I started to feel like they are somehow tricky! So, I'm just asking about the rights, attribution and so on.
Now, if I for example used a Ruby gem licensed under GPL: I install the gem, use it, my web app works! But there is no reference to the gem, who is behind it, or its license. I can't believe that I have to include those for every gem I'm using. Do I have to? Or can I just use it silently?
So, for a website with Rails (MIT), some GPL Ruby gems, and so on, what should I include publicly? I think I'm not going to modify the source code of any of those gems. And if I have to attribute in my web pages, do I have to link to the licenses or, even worse, distribute my source code under the same license?
Also, if I found a tutorial or something like that licensed under Creative Commons BY-NC, should I distribute my whole work or put it under the same license, if I wasn't going to run it outside my own server? What if I wanted to distribute my software, which used ideas (and modified code) from the tutorial?
What about using formulas, which are more general than being owned? One-liner commands from Stack Overflow when a gem doesn't install: should I attribute that I used that to install the gem?! I think of course not, but I'm just asking to make sure of the whole thing.
A website is normally the output of a program. Just as when you save a text document with your word processor to disk, the document itself does not fall under the reciprocal license of the proprietary word processor (MS Word) or the reciprocal and permissive licenses of the free software word processor (OpenOffice or LibreOffice Writer).
Only if you create and distribute derivative or combined works (e.g. packaging multiple programs together in one package) do you need to care about the licenses.
That for sure always depends on the concrete things you do. You need to document these concrete things, then go to your lawyer, and then find out, for the things you actually do, if and how copyright is in effect based on the licenses used and, if it is in effect, which steps you need to take.
Here on SO we are all only software developers (or if lawyers, not your lawyer) so we can not give you any legal support.
Usually stuff about licences can be a little confusing, with open source software being released under different licences, and the license documentation is usually written in lawyer jargon, which proves difficult to understand for a lot of people.
Luckily this kind of question has been asked a lot of times on SO. Just look at the licensing tag and order the questions by votes and you should find a few questions that pretty much answer your questions. In particular look at this question.

DDoS monitoring and alert [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 years ago.
I want to monitor my network against DDoS and found a screenshot of a DDoS monitoring alert by someone. Can anyone let me know which software this is after seeing the snapshot?
I don't recognise this specific GUI, but it could be a customization of one of the Snort GUIs.
You can use Snort to achieve your goal; there are four Snort GUI projects active today.
Here is a description:
BASE
The Basic Analysis and Security Engine was based off of the old ACID codebase. The ACID GUI interface (which is now dead, and has been for about five or six years) was a college project written by an attendee of Carnegie Mellon. It hasn't been actively developed since about 2003. BASE, a fork of the ACID code, picked up where the original author left off, added a bunch of new features, and made it easy to use, multi-language, and a highly functional GUI. There were plans for a redesign of BASE, including the database format that it reads from, but Kevin Johnson, the original BASE project manager, has since left the project and turned the project over to new management. However, it remains the most popular Snort GUI interface with over 215,000 downloads. BASE is written in PHP, and has several dependencies. BASE has its own IRC channel #secureideas, although there is rarely anyone there, so most people come to the default #snort for help.
Snorby
A relative newcomer to the Snort GUI area, Snorby uses a lot of "Web 2.0" effects and rendering providing the user with a very sharp and beautifully functioning tool. This seems to be the current "go-to" web interface for Snort. While it has many of the features of BASE (and a lot more, hotkeys, classifications, an iOS interface, and actual pdf reporting), and not as featured as SGUIL (in terms of architecture), it's extremely easy to deploy, looks fantastic, and functions as an alert browser very well. Snorby's code is hosted on Github, here. Another advantage of Snorby is that it integrates with the OpenFPC project. Functioning similar to how SGUIL collects all information on the network using Full Packet Capture (FPC), Snorby gives you the ability to not only view the Snort alert, but also to view the alerts in context with the rest of the packet flow on the network. Snorby's IRC channel can be found at #snorby.
SQueRT
Paul wrote in about SQueRT. SQueRT uses the SGuil database format and is also web based. You can see the screenshots and download it at the link above.
There is a comparison of those three here too.
There are many more projects, but they are currently inactive, with the exception of Sguil. The most active projects today that you can use are SQueRT and Snorby.

Tool for licensing and protect my Delphi Win32 apps [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
Closed 9 years ago.
I am looking for a tool to protect and license my commercial software. Ideally it must provide an SDK compatible with Delphi 7-2010, support AES encryption, a key generator, and the capacity to create trial editions of my application.
I am currently evaluating ICE License. Does anyone have experience with this software?
Here's my list of software protection solutions. I'm looking at switching from ASProtect to another protection so I'm also in the process of analyzing most of these programs:
Themida (Oreans)
http://www.oreans.com/products.php
There are unpacking tutorials for all the versions of Themida. There is however the possibility of requesting "custom" builds which might help avoid this.
Code Virtualizer (Oreans)
http://www.oreans.com/products.php
Allows protecting specific parts of the application with a Virtual Machine. A cracker on a forum said he "made a CodeUnvirtualizer to fully convert Virtual Opcodes to Assembler Language".
EXECryptor
Very difficult to unpack. GUI does not work under Vista. Appears to no longer be developed.
ASProtect
Small protection overhead. Appears to no longer be developed.
TTProtect - $179 / $259
13 MB download. Chinese developer. Adds about xxx overhead to the exe.
http://www.ttprotect.com/en/index.htm
VMProtect - $159 / $319 (now $199/$399)
http://www.vmprotect.ru/
10 MB download. Russian developer. Seems to be updated frequently. Supports 32 and 64-bit. Uncrackable according to one exetools post, but there seems to be an unpacking tutorial already.
Enigma Protect - $149
http://enigmaprotector.com/en/home.html
7 MB download. Russian developer. Regarded as very difficult to crack. Adds about xxx overhead to the exe.
NoobyProtect - $289
http://www.safengine.com/
10.5 MB download. Chinese developer. Regarded as very difficult to crack. Adds about 1.5 MB overhead to the exe.
ZProtect - $179
http://www.peguard.com
RLPack
http://www.reversinglabs.com/products/RLPack.php
KeyGen already available.
One thing to note is that the more protection options you enable on the software protector, the bigger the possibility of the protected file being flagged by an anti-virus as a false positive. For example, on Themida, checking the option to encrypt the file will most likely create a few false positives in a few anti-virus programs.
I'll update this answer once I get more replies from a hackers' forum where I asked some questions about these tools.
And finally, don't use the built-in serial number/license management of these tools. Although they might be more secure than using your own, you will be tied to that specific tool. If you decide to change software protection in the future, you will also have to manage the transfer of all the customer keys to a new system.
Don't bother. It's not worth the hassle. Only a perfect licensing system would actually do you any good, and there's no such thing. And in the age of the Internet, if your system isn't perfect, all it takes is for one person anywhere in the world to produce a crack and upload it somewhere, and anyone who wants a free copy of your program can get it. (And using a pre-existing library just gives them a head start on cracking it.)
If you want people to pay for your software instead of just downloading it, the one and only way to do so is to make your software good enough that people are willing to pay money for it. Anyone who tells you otherwise is lying.
I have used OnGuard (using the Delphi 2009/2010 source from SongBeamer) along with Lockbox to handle encryption with success. Both are commercial quality libraries and are free to use with full source.
I did once also use IceLicense, but switched to OnGuard/Lockbox which allowed me greater control over the key generation process which we embedded directly into our CRM system.
Of course there is no 100% bullet-proof protection suite, but having some type of protection is better than having nothing.
I worked with WinLicense in Delphi 2009 and Delphi 2010 on Windows XP and Vista. It is a good product with lots of protection options and customizations. It provides an SDK for developers, and has nice documentation and samples. It also provides a license manager for you. They provide a trial download too.
As far as I remember, they offer some customer specific versions too; that means they are willing to provide a custom-built product which is customized according to your needs, but of course that will cost more.
Since WinLicense is a well-known and popular protection suite, many crackers are after it. As you know, the more famous a tool is, the more appealing it is to crackers. But the good thing about Oreans is that they actively monitor underground forums, and provide frequent updates to their products.
So IMHO, if you are supposed to buy a prebuilt protection suite, then you'd better go for WinLicense.
A little late to the post, but check out Marx Software Security (http://www.cryptotech.com) they have a USB device with RSA & AES on chip, with network based license management.
I bought a license for ICE License in 2007. Unfortunately (as far as I know) the component hasn't been updated since June 2007. Back then a Vista-compatible version was in the works but never came out of beta. I don't think they have updated the component for Delphi 2009 and 2010 yet.
Ionworx is a one-man company, which might explain the lack of updates and lack of answers to support questions (I emailed them 2-3 times since 2007 and never got a reply). They also removed their support forum from their site.
ICE License is better than nothing, but I would stay away from this product because of the lack of updates and support.
I investigated this a few years ago, and came to the following conclusions:
All copy protection can be broken
Nag screens on load irritate people to the point where they may stop using the product
Random nag screens can interrupt the users work flow to the point where they perceive it to be a reduction in the speed of the application
Set up compiler options, so that you have a version as a demo (perhaps with save functions removed), reduce multi user versions so that only one client can connect at a time (not using, for ex:
if connection=1 then reject
but reducing the viability for multiple connections in code)
Themida has good protection, and I think it's built with Delphi too ;-)
If you have a better budget, you can look at WinLicense and other tools from the same company.
Have a look at this question which is pretty similar, and includes many of the tools.
Take a look at InstallShield. We've been using it for a while ourselves, and it has a lot of capabilities for trial support, licensing, and others. I don't know about key generation off the top of my head as our use doesn't require keys, but there's a lot available to you from them.
AppProtect wraps an EXE or APP file with a computer-unique password or serial-number-based online activation. QuickLicense is a more comprehensive tool that supports all license types (trial, product, subscription, floating, etc.) and supports both a wrapping approach and an API to apply the license to any kind of software. Both are available from Excel Software at www.excelsoftware.com.

What is "Continuous Implementation"? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
Is "Continuous Implementation" the name of a software development methodology? If so, what is it exactly? Do you have experience using it?
Note that I know what continuous integration is, but not continuous implementation.
Background: today I learned (second hand) of a company that uses "Continuous Implementation" in the context of their software development. Is it formally defined or is it part of some agile software development methodology?
The best I could find was this paper in the European Journal of Information Systems: Agility Through Scenario Development And Continuous Implementation
"... a business and IS/IT initiative at Volvo ... development and implementation of an agile aftermarket supply chain. ... to create a platform, Web services, and a Web portal for selling spare parts over the Internet."
Try searching for "Continuous Integration". It's a Good Thing(TM), in my opinion. "Continuous Implementation" would only be a good development methodology in the Dilbert universe. ;)
Edit:
The original question was simply asking what "continuous implementation" is. Since this site is StackOverflow, not EconomicsOverflow or PolymerEngineeringOverflow, the correct answer is "nothing."
The question was edited afterward to expand the scope, but that doesn't really change my answer.
All references to this term I can find in the realm of software development appear to be a mistake where the author really meant continuous integration, a common agile technique.
The OP now referenced a paper using the term in the context of an "agile" supply-chain management implementation. Even so, despite the publication, the term has not entered common parlance in SCM, much less software development, and thus has no generally accepted definition.
I think, the OP is referring to 'Continuous Implementation' only. It is not a commonly used term.
I haven't heard the term, but in the Agile or Scrum methodology, implementations happen more frequently than in the traditional waterfall model (but obviously not continuously, as in "Continuous Implementation").
At the company I work for, we follow the Scrum methodology to deliver a new version every 6 months. Since ours is a product company offering Software-as-a-Service, the implementations are in our control. We eventually plan to have more frequent implementations. This is much different from the pre-Scrum days, when a new version came typically every 2 years.
Continuous implementation is a term used in game theory. See here for example. I doubt that this is what you're after, but there you are anyway.
MIKE, an information systems management approach, also uses the term; see here. The Volvo reference in the OP may be referring to MIKE or something similar.
Richard is likely correct that you mean Continuous Integration, a practice whose primary element is frequent builds to ensure the incremental addition of working functionality to your software.
The seminal article on this practice is "Continuous Integration" by Martin Fowler (this is the original, there is a link at the top to an updated version).
Sounds like marketing people mismatched the terminology. Happens all the time.
Actually, I think that this new animal comes from a Lean background (which makes sense in the context of Volvo). Nothing formal though. In other words, it sounds Agile, it tastes Agile, but nobody knows exactly what it means and, for these reasons, I'm sure Volvo's C-level managers like it a lot :) This makes my bullshit detector ring very loudly actually.

How to recognize malicious source code? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 9 years ago.
BE AWARE! Creating spyware, computer viruses and similar nasties can be illegal where you live and is considered extremely unethical by almost everyone. Still, I need to ask this to raise awareness about how easy it is to create one. I am asking this after the W32/Induc-A was introduced to this world by someone who came up with a nasty way to spread one. So I want to know how a virus can be created so I will be able to recognise them in the future!
Recently a new virus was discovered which spreads itself by replacing the developers' copies of library code. Actually, through the source code of Delphi 4 through 7. What happened is that there's a virus in the wild which searches the computer for a file called SYSCONST.PAS, to which it will add itself as source code. This file happens to be a source file for the runtime libraries of Delphi. (This runtime source code is available for Delphi developers.) As a result, after being infected a programmer would create lots of new versions of this virus without even knowing it. Since virus scanners sometimes generate false positives many developers might thus decide to ignore the warnings of the scanner and maybe they'll even disable their scanner while building their project. To make it worse, their project might even trigger the scanners of their customers so it's likely that those programmers won't check their source code but will just try to fool the scanner somehow. That is, if a virus scanner is even able to recognise the virus, which isn't very likely. Thus, we software developers might be creating viruses without realizing what we're doing!
So, how to create a virus? Simple: get your source code infected by a virus and you're done!
Okay, so the source code of Delphi 4 through 7 might be infected. All Delphi developers, please check your source files! The case is just a proof-of-concept and apparently it can be very successful. Besides, most virus scanners won't check source code but just focus on executables. This virus could stay undetected for quite a while.
This virus also was successful because it misused source code. Delphi is a commercial project and the source code is available. But who is sure that these hackers won't be attacking open-source projects in similar ways? There are lots of open-source projects out there and who is going to check them all making sure they're all behaving in a decent way? And if someone is checking the code, will he be able to recognise if something is malicious code?
So, to make sure we can recognize malicious source code, I have to ask: How do I create a virus? How do I recognise the code that will create a virus? What is it that most malware will want to do?
There is a bit of discussion about the Delphi runtime source code, about this code being open-source or not. Borland uses a dual license for their source code from the moment when they started to support Linux with Kylix. As a result, the source code has a "GPL" symbol declared which indicates if the libraries are compiled as GPL code or not. As GPL, the source code would be open-source. This also happens to be the source version that was attacked by the virus. Anyway, to avoid discussions here, I've asked this question here so we can focus more on the virus problem and less on Delphi. Basically, we're talking about a virus that attacks source code. Technically, all source code could be at risk, but open source code is a likely candidate since hackers know its structure and can target those files that are rarely modified, thus rarely checked. (And if they can hack their way into a CVS system, they could even erase the traces of their modifications, thus no one might notice the modifications!)
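The defensive check that the question above keeps coming back to (rarely modified library source files are rarely inspected) can be made mechanical with a baseline manifest. The following is an added example, not code from the original post or from the Delphi project; the directory layout, file names and unit contents are constructed, and the digest-based check is a generic integrity technique rather than anything specific to how W32/Induc-A works.

```python
# Added example (not from the original post): a baseline integrity check for
# a compiler's runtime-library source tree, the kind of file the question
# above describes being modified. Files in such a tree are rarely edited on
# purpose, so any change since the recorded baseline deserves a look.
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample content standing in for a Delphi runtime unit; this is
# not the real SysConst.pas.
SAMPLE_UNIT = """unit SysConst;

interface

resourcestring
  SInvalidInteger = '%s is not a valid integer value';

implementation

end.
"""


def file_digest(path: Path) -> str:
    """SHA-256 of a file's bytes, read in chunks so large units are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, suffixes=(".pas", ".inc", ".dpr")) -> dict:
    """Record a digest for every source file under root, keyed by relative path."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.suffix.lower() in suffixes:
                manifest[str(p.relative_to(root))] = file_digest(p)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree against the baseline.

    Returns {"modified": [...], "missing": [...], "added": [...]}. In a
    runtime-library tree nobody on the team edits, anything under
    "modified" or "added" is worth reviewing before the next build.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Build a tiny constructed tree, baseline it, append to one unit, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys_dir = root / "Source" / "Rtl" / "Sys"
        sys_dir.mkdir(parents=True)
        unit = sys_dir / "SysConst.pas"
        unit.write_text(SAMPLE_UNIT)
        (sys_dir / "SysUtils.pas").write_text(
            "unit SysUtils;\ninterface\nimplementation\nend.\n")
        baseline = build_manifest(root)
        clean = verify_manifest(root, baseline)
        # Simulate an unexpected edit to a unit nobody should have touched
        # (constructed, benign text; only the fact of the change matters).
        with unit.open("a") as f:
            f.write("\n{ unexpected trailing addition }\n")
        tampered = verify_manifest(root, baseline)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    print("before edit:", result["clean"])
    print("after edit: ", result["tampered"])
```

In practice the baseline would be produced from a pristine install and stored outside the tree (or signed), then run as a pre-build step so the check itself is not editable by the same process that could modify the sources.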
While this does not really answer your question, I think a really interesting paper to read is Reflections on Trusting Trust by Ken Thompson. It raises a fascinating point that even if your source code is free of defects (viruses, trojans, etc.), you might still be producing defective executables if your compiler is defective. And even if you rebuild the compiler from clean source code, you can still have the same problem.
Unless you're building your computer from the ground up with your own microchips, hand-assembling your own BIOS, writing your own operating system, compiler, and software, you have to draw the line somewhere and trust that the hardware and software upon which you're building your systems are correct.
You could check for the Evil Bit on incoming packets... http://en.wikipedia.org/wiki/Evil_bit
If you want to recognize malware, you must know how it works. This means researching malware and acquiring the skill to produce malware.
search for 29A - they wrote papers on viruses
read about rootkits (there are even books on them)
read about reverse engineering
read source code of malware - there's plenty of it on the web.
learn assembler
learn about your OS
reverse the OS kernel
get ClamAV, check the source
I won't provide links here. They are easily found though.
If you really want to learn, and are willing to put in the time, your time is probably better spent on Google to find and then participate in a greyhat community. This topic is highly complex.
If your question is as simple as "what's an easy way to recognize a virus from its source code", well, it probably won't be easy, because there are infinite ways to go about it.
You ask "What is it that most malware will want to do?".
An excellent source for this sort of information is The Hacker Quarterly, which is so mainstream, you may find it at your local bookstore, or you can subscribe online to get it mailed to you.
It was started to help hackers and phreakers share information. It is still very popular with hackers today and is considered by many to be controversial in nature.
Contents of the Current Issue include:
Not The Enemy
Regaining Privacy in a Digital World
The Security-Conscious Uncle
Why the "No-Fly List" is a Fraud
TELECOM INFORMER
Finding Information in the Library of Congress
Hacking the DI-524 Interface
Simple How-to on Wireless and Windows Cracking
If You Can't Stand the Heat, Hack the Computers!
Security: Truth Versus Fiction
Hacking the Beamz
HACKER PERSPECTIVE: Jason Scott
iTunes Stored Credit Card Vulnerability
Zipcar's Information Infrastructure
The How and Why of Hacking the U.N.
Listen to Radio Hackers!
HACKER SPACES - EUROPE
Abusing Metadata
Verizon FIOS Wireless Insecurities
TRANSMISSIONS
Using Network Recon to Solve a Problem
Suing Telemarketers for Fun and Profit
HACKER HAPPENINGS
Plus LETTERS and MARKETPLACE
There is also an excellent series of articles on Hacking at Wikipedia and on Computer Viruses.
... And yes, it is important for programmers to understand how hacking and code breaking works, so they can do the best they can to circumvent it in their programs.
There is no difference between malicious code and an unintentional security bug.
You might as well be asking "How can I write a useful program that has no bugs and is impossible to exploit".
As we all learn in CS, it's impossible to even write debuggers to catch infinite loops, let alone intelligent malevolence.
My advice for security conscious applications is an ex(p|t)ensive code review and use of commercially available static analysis software.