Posted to modperl@perl.apache.org by Andrzej Jan Taramina <an...@chaeron.com> on 2002/12/21 02:00:19 UTC

Shroud+ Perl obfuscator....

I extended Robert Jones' Perl Obfuscator, Shroud into what I am calling Shroud+. I 
needed it to protect some rather extensive scripts I have developed for 
Inventory and Image Gallery management on client web sites.

It seems to work just fine with mp2 and my source code, so I thought I would 
let folks know about it here, in case they find it useful.

New stuff includes:

- Specification of input/output directories

- Writing of status info to STDOUT

- Replacement of internal subroutine names (those beginning with an   
  underscore "_" character).  

- Optionally replace public subroutine names if the input
  is a perl Module (.pm file) AND if you specify that an externalmap should be   
  created. 

- For scripts (not .pm modules) it will optionally take an externalmap file and 
  use this to rename subroutine calls to be consistent with the Perl Module that 
  was used to create the externalmap file.

- Replacement of  'use constants' definitions with capitalized shrouded 
  identifiers

- Replace object-oriented attributes that take the form
  '$self->{ "_attr" } = "something";' and that are found inside a constructor (sub 
  new).

- removal of tabs and condensing of multiple spaces

- removal of newlines

- POD updated to reflect the above and more bugs/features/caveats noted.


It's posted on http://www.chaeron.com

Regards,


Andrzej Jan Taramina
Chaeron Corporation: Enterprise System Solutions
http://www.chaeron.com


Re: Shroud+ Perl obfuscator....

Posted by Jean-Michel Hiver <jh...@mkdoc.com>.
> I just want to go on the record to say that I consider your action
> personally offensive and ethically questionable.

I agree with the 'ethically questionable' part. Copyright laws should be
enough to protect your source. As far as I'm concerned if you encrypt
your source it's because you want to hide the fact that you've stolen
some code from somewhere else - but that's a personal point of view.

However I don't find his action very offensive. This guy is just making
a tool and sharing the source with us. You can't blame him for that.


> A lot of people have worked very hard to bring you an open source
> platform to stand on.
> 
> And now you spit in their face, by trying to pretend YOUR work is
> worthy of more locking up than the source code you are using to create
> your work.

Those people chose to work under a license which allows this kind of
stuff to be done. To me it means that they have explicitly given their
permission to do so. If you are - quite understandably - unhappy with
this matter, make your own license for the software you write.


Best Regards,
-- 
Building a better web - http://www.mkdoc.com/
---------------------------------------------
Jean-Michel Hiver
jhiver@mkdoc.com  - +44 (0)114 255 8097
Homepage: http://www.webmatrix.net/

Re: 2 proxying and mod_perl questions

Posted by Larry Leszczynski <la...@furph.com>.
Hi George -

> I want to do a reverse proxy of an external site using Apache:
> 
> <VirtualHost prague>
> ProxyRequests on

You will want to set "ProxyRequests off" for a reverse proxy, otherwise
someone could use you as a forward proxy to get to someplace else.


> ProxyPass / http://www.externalsite.com
> ProxyPassReverse / http://www.externalsite.com

Not sure if it matters, but might need a trailing slash on those, i.e.:
  ProxyPass        / http://www.externalsite.com/
  ProxyPassReverse / http://www.externalsite.com/


> ServerName prague
> </VirtualHost>
> 
> This works fine AFAICT except if there is a page on the remote site
> that has a form or other link that uses POST.

Have you looked at the URL specified in the form ACTION to see if it is an
absolute URL?  For example, suppose I point my browser at
http://www.george.com/showform.html.  Your proxy then sends me the content
of http://www.externalsite.com/showform.html.  If the form on that page
POSTs to "http://www.externalsite.com/cgi-bin/form.cgi" (instead of
"/cgi-bin/form.cgi"), then when I submit I will go directly to
www.externalsite.com and bypass your proxy.  The same would be true of any
URL in the site that is specified absolute rather than relative.


> The maybe off-topic question is: Is this documented anywhere? I
> haven't been able to find a good explanation why this is. Is there a
> workaround?

You would need to rewrite any URLs in the page before you send it to the
browser, to either turn them into relative URLs, or to point them to
www.george.com instead of www.externalsite.com.  I'm pretty sure you can't
do that with mod_proxy or mod_rewrite alone (although I have seen people
do some crazy stuff with mod_rewrite).


> I should note that I am using mod_proxy rather than mod_rewrite
> because it is my (possibly incorrect) understanding that requests
> proxied via mod_rewrite will not end up in my local logs.

I have not found that to be the case.


Larry Leszczynski
larryl@furph.com
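
The URL rewriting described in the reply above, as an added example that is not part of the original thread: a regex-based Perl sketch that turns absolute links and form actions pointing at the backend into root-relative ones, so a POST comes back through the reverse proxy. The function name rewrite_backend_urls and the sample HTML are assumptions made for illustration; an HTML parser would be more robust than a regex on real pages.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not from the thread): rewrite absolute URLs that point
# at the proxied backend into root-relative URLs, so links and form POSTs
# return through the reverse proxy instead of going straight to the backend.
sub rewrite_backend_urls {
    my ($html, $backend_host) = @_;
    my $host = quotemeta $backend_host;

    # Only href/src/action attribute values are touched. The host must be
    # followed by "/", "?", "#" or the closing quote, so a look-alike such as
    # www.externalsite.com.example.net is left alone.
    $html =~ s{
        ((?<![\w-])(?:href|src|action)\s*=\s*)   # attribute name and equals
        (["'])                                   # opening quote
        https?://${host}(?::\d+)?                # scheme, host, optional port
        (?=[/?\#]|\2)                            # host ends here
        ([^"'>]*)                                # path, query, fragment
        \2                                       # matching closing quote
    }{
        my ($attr, $q, $rest) = ($1, $2, $3);
        $rest = "/$rest" if index($rest, '/') != 0;
        "$attr$q$rest$q";
    }gexi;

    return $html;
}

# Constructed sample page, as the backend might serve it.
my $page = <<'HTML';
<a href="http://www.externalsite.com/about.html">About</a>
<form method="POST" action='http://www.externalsite.com/cgi-bin/form.cgi'>
<img src="HTTP://WWW.EXTERNALSITE.COM">
<a href="http://www.externalsite.com.example.net/">other site</a>
<a href="/already/relative">ok</a>
HTML

print rewrite_backend_urls($page, 'www.externalsite.com');
```

The first three URLs come out as /about.html, /cgi-bin/form.cgi and /; the look-alike host and the already-relative link are printed unchanged.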



2 proxying and mod_perl questions

Posted by George Valpak <gv...@yahoo.com>.
Hi -

I have 2 questions, one might be off topic for the list, so please be gentle about it - seems to have been a rough week for OT posters here.....


Anyway my situation is this:

I want to do a reverse proxy of an external site using Apache:

<VirtualHost prague>
ProxyRequests on
ProxyPass / http://www.externalsite.com
ProxyPassReverse / http://www.externalsite.com
ServerName prague
</VirtualHost>

This works fine AFAICT except if there is a page on the remote site that has a form or other link that uses POST.

The maybe off-topic question is: Is this documented anywhere? I haven't been able to find a good explanation why this is. Is there a workaround? 

I should note that I am using mod_proxy rather than mod_rewrite because it is my (possibly incorrect) understanding that requests proxied via mod_rewrite will not end up in my local logs. I haven't actually tested that yet, but  in this case I strongly prefer to have a record of the request in the logs. If mod_rewrite would leave me a record in the logs and solve the POST issue, then that is probably an acceptable workaround.

Anyway, pointers to help or explanations on this question are welcomed.

More on topic for this list is this question:

I would like the local server to examine the HTML for the remote server and possibly modify it before sending it to the client. I would like to write a mod_perl handler for this, but I am not sure which phase I should do it at. 

[time passes ...] Oh wait, I see there is a section in the Eagle book (p 374) that shows how to do that - are there any gotchas or more modern examples I should know about?

Thanks in advance!

GV


Re: Shroud+ Perl obfuscator....

Posted by Les Mikesell <le...@attbi.com>.
From: "Randal L. Schwartz" <me...@stonehenge.com>
> 
> Andrzej> I extended Robert Jones' Perl Obfuscator, Shroud into what I
> Andrzej> am calling Shroud+. I needed it to protect some rather
> Andrzej> extensive scripts I have developed for Inventory and Image
> Andrzej> Gallery management on client web sites.
> 
> I just want to go on the record to say that I consider your action
> personally offensive and ethically questionable.

Yep, if we could just make all those damn consultants, book authors,
and training professionals give away all their work for free whether
they choose to or not....  But then we wouldn't need the Artistic license.

--
   Les Mikesell
       lesmikesell@attbi.com



Re: Shroud+ Perl obfuscator....

Posted by Daniel Jacobowitz <dr...@false.org>.
On Sat, Dec 21, 2002 at 12:53:34AM -0500, kyle dawkins wrote:
> Are you for real?
> 
> Or is this some lame attempt at sarcasm?
> 
> Andrzej posts to the list, SHARING some code he's written in case some 
> people actually might use it, and he gets bitchslapped with some 
> holier-than-thou rhetoric?  Puh-leaze.  Take your total bullshit 
> somewhere else because you're about as constructive as 
> Richard-f**king-Stallman.
> 
> You may not know this, but people actually use perl for things other 
> than one-liners.  Commercial projects actually use perl, and oftentimes 
> these commercial projects are sensitive and copyrighted.  And 
> occasionally, just occasionally, these projects actually want to have 
> some level of security, for numerous reasons that I'm sure Andrzej 
> could explain quite easily to us if he were asked.

And if they do have something to protect, they should put their
thinking caps on and realize that this sort of "security" is called
obfuscation for a reason: it does not accomplish anything except to
make the results hard to read.  If you're giving away or selling the
perl source, obfuscating it doesn't have any significant effect.

-- 
Daniel Jacobowitz
MontaVista Software                         Debian GNU/Linux Developer

Re: Shroud+ Perl obfuscator....

Posted by Ged Haywood <ge...@www2.jubileegroup.co.uk>.
Hi all,

On Sat, 21 Dec 2002, kyle dawkins wrote:

> Are you for real?
> [snip]
> You may not know this, but...[snip]

Er, I think you'd better have a look at the Camel Book before you dig
yourself any deeper into that particular hole. :)

And I really don't think this discussion should go any further on the
mod_perl List than it already has.

73,
Ged.


Re: Shroud+ Perl obfuscator....

Posted by kyle dawkins <ky...@centralparksoftware.com>.
Are you for real?

Or is this some lame attempt at sarcasm?

Andrzej posts to the list, SHARING some code he's written in case some 
people actually might use it, and he gets bitchslapped with some 
holier-than-thou rhetoric?  Puh-leaze.  Take your total bullshit 
somewhere else because you're about as constructive as 
Richard-f**king-Stallman.

You may not know this, but people actually use perl for things other 
than one-liners.  Commercial projects actually use perl, and oftentimes 
these commercial projects are sensitive and copyrighted.  And 
occasionally, just occasionally, these projects actually want to have 
some level of security, for numerous reasons that I'm sure Andrzej 
could explain quite easily to us if he were asked.

Andrzej: thanks for sharing your code with us.

Kyle Dawkins
Central Park Software


On Friday, Dec 20, 2002, at 22:44 US/Eastern, Randal L. Schwartz wrote:

>>>>>> "Andrzej" == Andrzej Jan Taramina <an...@chaeron.com> writes:
>
> Andrzej> I extended Robert Jones' Perl Obfuscator, Shroud into what I
> Andrzej> am calling Shroud+. I needed it to protect some rather
> Andrzej> extensive scripts I have developed for Inventory and Image
> Andrzej> Gallery management on client web sites.
>
> I just want to go on the record to say that I consider your action
> personally offensive and ethically questionable.
>
> A lot of people have worked very hard to bring you an open source
> platform to stand on.
>
> And now you spit in their face, by trying to pretend YOUR work is
> worthy of more locking up than the source code you are using to create
> your work.
>
> Sir, on their behalf, and my own as a contributor to the open source
> movement, and Perl in particular, you offend me.
>
> -- 
> Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 
> 0095
> <me...@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
> Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
> See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl 
> training!
>


RE: Shroud+ Perl obfuscator....

Posted by "Beau E. Cox" <be...@beaucox.com>.
Even though I am new to the Open Source Community
I agree with Randal Schwartz. I find the idea of
creating AND sharing much more enriching than the
way things are done in the MS world where I have spent the
bulk of my career.

Maybe we should come up with UnShroud+.

Beau E. Cox

-----Original Message-----
From: Randal L. Schwartz [mailto:merlyn@stonehenge.com]
Sent: Friday, December 20, 2002 5:45 PM
To: Andrzej Jan Taramina
Cc: modperl@perl.apache.org
Subject: Re: Shroud+ Perl obfuscator....


>>>>> "Andrzej" == Andrzej Jan Taramina <an...@chaeron.com> writes:

Andrzej> I extended Robert Jones' Perl Obfuscator, Shroud into what I
Andrzej> am calling Shroud+. I needed it to protect some rather
Andrzej> extensive scripts I have developed for Inventory and Image
Andrzej> Gallery management on client web sites.

I just want to go on the record to say that I consider your action
personally offensive and ethically questionable.

A lot of people have worked very hard to bring you an open source
platform to stand on.

And now you spit in their face, by trying to pretend YOUR work is
worthy of more locking up than the source code you are using to create
your work.

Sir, on their behalf, and my own as a contributor to the open source
movement, and Perl in particular, you offend me.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<me...@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl
training!



Re: Shroud+ Perl obfuscator....

Posted by "Randal L. Schwartz" <me...@stonehenge.com>.
>>>>> "Andrzej" == Andrzej Jan Taramina <an...@chaeron.com> writes:

Andrzej> I extended Robert Jones' Perl Obfuscator, Shroud into what I
Andrzej> am calling Shroud+. I needed it to protect some rather
Andrzej> extensive scripts I have developed for Inventory and Image
Andrzej> Gallery management on client web sites.

I just want to go on the record to say that I consider your action
personally offensive and ethically questionable.

A lot of people have worked very hard to bring you an open source
platform to stand on.

And now you spit in their face, by trying to pretend YOUR work is
worthy of more locking up than the source code you are using to create
your work.

Sir, on their behalf, and my own as a contributor to the open source
movement, and Perl in particular, you offend me.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<me...@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!