2

We have developed an application that is sold as an online service. After some time we realized that some of customers would need/prefer/require to have it installed locally on their intranet. However the application was developed using scripting language and we wouldn't want to allow clients to access the source code.

The question is: What are the technical downsides of distributing application as a virtual machine image?

Improve this question
13
  • 5
    You're asking me to put a virtual machine on the network that I can't see what its doing? Not just an application, but an entire machine that I don't even have root on? Commented Jan 20, 2014 at 15:26
  • 2
    @MichaelT if you agree to put my application compiled into binary and allow it access your company network why would you be so suspicious about virtual machine? To elaborate - yes, virtual machine can contain some spying application, but same can be done with commercial software. Moreover many companies willingly install applications the source code of which the do not know and therefore those apps can do some harmful activities. Do we all know source code of Windows or Photoshop or MS Office? But still we allow those in our office. This is out of question here. Commented Jan 20, 2014 at 15:43
  • 2
    What kind of customer (behavior) are you expecting that justifies these contortions? If they're not out to steal your code, they won't do so if the code just lies around. If they are, wrapping it up in a virtual machine will at best slow them down a bit, not prevent it or even make it unfeasible. Commented Jan 20, 2014 at 16:11
  • 1
    @AlexKey: So what's stopping me downloading your VM image and running that? Or what's stopping me from taking your VM image, booting it up, and just extracting the code? DRM is a rabbit hole, and not one which anybody here can give you a good answer to. If we could, we could sell it to you and everyone else for a lot of money, because nobody's figured it out. Commented Jan 20, 2014 at 16:20
  • 3
    @MichaelT Google will sell you a physical server preconfigured with their mapping service on it. Companies install those and we know Google steals your data :) Commented Jan 20, 2014 at 16:39

2 Answers 2

Reset to default
3

I think what you're suggesting is a variant of a turnkey project.

On the pro side, a turnkey project:

  • Can make it easier for a customer to get up and running quickly
  • Shields the customer from all of the necessary configurations
  • Can lower support costs because a standard image is used for the project

On the down side:

  • You'll now need to maintain updates to the OS and supporting tools within your master or golden image
  • You'll always have clients that want distro baz instead of the foo and bar that you already provide

Regarding protecting source code -- If the bulk of your company's intellectual property is encapsulated within the various configuration scripts, then this may be a decent approach to protecting that information. You would:

  1. copy the scripts on to the system that will be the master image
  2. run the scripts to configure things
  3. remove the scripts from the system
  4. make copies of the master image and distribute.

This is probably only beneficial to you if there are a lot of configuration steps that have to be made. If it's a trivial number of steps, then diligent customers can figure out exactly what your scripts set up for them. There decision point for you is if there are enough configuration points so that the resource cost of recreating your scripts outweighs the financial cost of purchasing a system.

If you're hoping that you can provide a system and then keep control of the system account(s), I think you're going to have a harder time. User privilege escalation exploits occur frequently across all operating systems, especially when someone already has log in access to the system.

In summary, I would only consider providing a turnkey system if you can remove all of the configuration scripts that you are concerned about prior to distribution.

Additional considerations
Any binary files you have would likely be safe from casual investigation. Based upon the comments, it doesn't sound like you're worried about individuals with debuggers or reverse-engineering tools.

Database schemas will be exposed, and I don't think there's a lot you can do to protect those. Whether or not the schema is meaningful to someone else is a different matter. If the schema is large, obfuscation can be surprisingly effective at keeping prying eyes out of a database.

Improve this answer
1
  • Thanks for detailed answer. It is not our intention to build perfect protection, but some basic would be enough. Commented Jan 20, 2014 at 16:50
1

It is not so easy - even if it is a virtual machine, the client still would have access to its harddisk. I see no pros installing it on a VM. Better solution is to create agreement with no rights of selling You app, and "special" price for that customer - it means HIGH ENOUGH to sell Your sourcecode...

Improve this answer
6
  • I do not understand about client having access to its harddrive, could you please show me an example how one would access data on harddrive on the VM on my ESXi or Xen server if they do not have an access to login to that instance? I am just unsure about how it can be done. If it can be done, then this definitely is a blocker for this distribution way. Commented Jan 20, 2014 at 15:52
  • 3
    Unless the disk image is encrypted in some way, I can easily mount a virtual disk image to another running VM, then peruse the contents at will. Commented Jan 20, 2014 at 16:15
  • 1
    Do You believie, thas someone is so insane, to allow You to put yous server to their server room and connect to the company's LAN ;)? try to think different - sell the app with source code - but source code costs. Why You dont believe them, they wont use Your code, and want them to believe You, that your server wont do anything wrong? TRUST and MONEY are basis for this case, thats my opinion Commented Jan 20, 2014 at 16:19
  • @BrianKnoblauch Thanks, missed that. You are right, that would work only with encrypted disk. Commented Jan 20, 2014 at 16:21
  • 1
    @GregS Some companies do distribute their software this way, and pretty much successfully. This is not the question of sanity. For selling with source code, see one of my comments to the question itself. We have already an example of source code being uploaded to public access by one of customers engineers. Commented Jan 20, 2014 at 16:22

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.