How to protect be decompiled?
Message
From: 03/01/2005 01:44:29
To: 02/01/2005 10:40:30
General information
Forum: Visual FoxPro
Category: Other
Miscellaneous
Thread ID: 00972325
Message ID: 00973749
Views: 53
Hi Denis,

<snip>
>There are several decompilers and I think they should be all taken to court.
>
>Usually when a developer makes a contract for a customer it'll contain a clause stipulating that it is forbidden to try to decompile, to copy for somebody else...
>
>I understand that a decompiler has its place and that place is only for allowing a developer to get back his code. Not for a thief to get somebody else's code.
>
>It would be so easy if makers of ReFox had a conscience.
>
>Here's how I see it. If the string "ReFox is not welcome in that application" is present as a comment in the first line for a given prg then ReFox wouldn't work.
>
>Really easy isn't it? Do you think that makers of ReFox didn't think about a similar solution?

I am not sure this would work, for several reasons. Firstly because in the event that you really did need a decompiler you would be screwed because you used the special string to avoid it. Then Refox would need another way to get around that limitation for special circumstances. Secondly, the crackers would just get around this trick, probably quite easily by searching your app for the special string or the "encrypted" version of it. Thirdly, crackers would just build another decompiler for your app if they felt it warranted the effort.


>
>I'm sure they did but why would they do it. A business goal is to make money. And more and more businesses don't have anything else in mind than that goal. Who cares about principles anymore? If no laws are broken then it must mean that it's ok.

Look, I don't own Refox and have never needed to use it (touch wood) but how many people on this forum alone have had their butts saved by someone decompiling some exe for them to get back their source code? I'm sure they are happy the tool existed.


>
>The only time that I would've needed ReFox is for an app that I had to support and that was made by another developer. For my app I just hope that I'll never need it. I do back-ups regularly.

But you admit you did need it once. And you are a legitimate user.


>
>Makers of ReFox know that many Fox developers will never need their product so they made sure that developers know that their app is at risk when not protected with ReFox.

This is not true because I, for example, don't have it or use it and I suspect neither do you. In fact, I suspect most VFP developers do not have a copy of Refox.


>
>If no business is sued because they let illegal things happen then it sends a signal to others that it's ok to build those tools.
>
>Many can't be sued because it's hard to trace the developer. For ReFox it's quite easy to find them.

So instead of getting the crook we get the manufacturer? This is the part that doesn't quite work for me. This part requires some more thought and working out.


>
>So by warning ReFox to change its tactics it would be an interesting beginning and a clear message sent to others that they're looking for trouble if they continue making such tools.
>
>And after that they could concentrate on finding individual makers of those decompilers. In recent cases it's been proven that anybody can be found on the net. It's just a matter of putting the energy and money to do it.

Denis, I think this is the wrong approach. You cannot legislate the crackers out of existence. Stopping Refox or other decompiler makers will just create new decompilers from other crackers. You just drive the whole thing underground.

Secondly, once you start down this slippery slope then you will need to go after your o/s manufacturer for developing an insecure o/s. Then the dev tool manufacturer for developing insecure coding tools. Then you will need to go after the developer him/herself for failing to apply proper secure coding techniques. Then you will need to go after sys admins who fail to properly secure the networks. Then the end-users themselves for failing to follow the proper security guidelines such as choosing strong passwords, etc, etc, etc.


I think there are two approaches which are practically more effective:

1) Apply the appropriate level of protection to your code. What needs protection, from who, for how long. Products exist that can help you with this ranging in price from a few hundred dollars to several thousand dollars. If it is worth that much to you then you apply whatever you need to.


2) Bruce Schneier is a top security writer and he advocates that the IT industry, this would include protecting source code, needs to become an insurable business. Then the insurers, who have a lot of political and financial muscle, will require and enforce appropriate levels of security such as secure o/s, coding tools, etc. This in turn will affect the manufacturers of those tools and also the users of those tools. Now the industry becomes regulated.

However, even then I do not think you stop the crackers. What you do is probably improve the quality of the tools we use and hold accountable the tool manufacturers. This is a good thing. That's why cars are getting safer each generation. But you will still be at risk from crackers. I think it is really quite a complicated issue with many angles and potential pitfalls.

Personally, for now, I think spending a few hundred dollars (or thousand dollars) to add a good degree of protection to your apps is worth it (assuming your code is worth protecting for that money).
In the End, we will remember not the words of our enemies, but the silence of our friends - Martin Luther King, Jr.