15

Recently I did some web design work for a person. I continued to show him progress by giving him a link to his new site on my development server. Nearing the end of completion, he dropped all contact with me and I was completely unable to get a hold of him. I took a look at his site recently, and he mixed a combination of his old site, with the new one I was creating. I thought maybe he redesigned it himself after looking at my version, however a quick look at his source code shows that the parts I recognized were full out just copied by viewing the source code on my dev server. So he completely stiffed me and I received no payment from him.

Just wondering if there's any way to prevent that in the future?

My first thought was obfuscation, but a quick search shows that doing that to html is not recommended and not foolproof anyway.

Obviously this is a lesson learned for me to get some sort of up front payment first, but being able to prevent work from being so easily stolen in the future would be nice.

Are there any developers that have come across similar issues? How do you show someone the progress of your work without giving them plain as day access to your source?

Sam Spencer
Badams
  • Just write really bad code. That way, nobody will want to steal it :) Or an NDA. – Cory Danielson Jan 29 '13 at 19:24
  • You might consider posting this on Programmers (http://programmers.stackexchange.com/) not SO in the future, though this question is in a bit of a grey area. – AlexMA Jan 29 '13 at 19:41
  • @Diodeus Contracts are one thing, but more specifically, progressive payments matched with deliverables are the way to go with new clients. – iambriansreed Jan 29 '13 at 19:51
  • @Diodeus obviously I know to do that now, but a piece of paper won't necessarily prevent theft, it would merely provide a solution in the end, however I do appreciate your comment! – Badams Jan 29 '13 at 23:00
  • @AlexMA That's why I was not sure, as I had the same thought, that it is a bit of a gray area. Although my story probably suits programmers, the question was more directed towards the code portion which is why I chose SO – Badams Jan 29 '13 at 23:01
  • @CoryDanielson lol, I guess writing bad code is one way to do it. Looks very bad as a professional though :P – Badams Jan 29 '13 at 23:02
  • @Badams Cool, was just throwing it out there. My 2 cents: In theory there's no real way to hide code or trade secrets in code if they're running on someone else's hardware--even if it's compiled, encrypted, and/or obfuscated. In practice though you could probably whip something up if you know your client is not very tech savvy (though he might have a friend...). iOS app vendors have been vocal lately on this issue from what I've seen. – AlexMA Jan 30 '13 at 16:27

7 Answers

6

IMHO a good way would be presentations e.g. with TeamViewer or a similar software when you cannot go to your customer.

You could also provide screenshots or a basic remote access with VNC or so, where your customer can see but not touch the site.

rekire
  • I had some time a *customer* who needed a prototype for his bank. So I built a mock page with the full functionality (just the front end for the customers) for free; I thought I would get a job for the real page. Then I heard 7 months later again from the person, who told me happily that the page is now online and ready for customers. That was great! How should I react to that!? – rekire Jan 29 '13 at 19:26
  • I do like the remote access idea. I wish I had considered that before. Screenshots was what I was thinking about in the future, but I will probably setup a virtual machine for just TeamViewer with the ability to access my dev server. Thanks for the suggestion!! – Badams Jan 29 '13 at 23:47
6

The other answers here are just a set of hacks that can be undone.

The client side, HTML, CSS, and JS is made up of all open source technologies. While you could spend a lot of time trying to obfuscate your client side code, your best bet is just to practice better business logic.

The options open up widely on protections for server side code but your question seems to focus on client side code.

For well established trustworthy clients I am much more flexible but new clients I am super careful with. I demand progressive payments. For each deliverable there is a payment involved. That way if the relationship is ever severed both parties have what they want.

When you make yourself an easy mark for scammers you only attract scammers.

iambriansreed
  • Yes I realize now better business logic is the answer, unfortunately something bad had to happen in order for me to learn that. Could you clarify on what sort of protections on server side code? Usually I develop in PHP and make it output HTML. While PHP is a server side code, it's still outputting plain HTML as far as the client side is concerned. Maybe I'm not fully understanding where you're going with that? – Badams Jan 29 '13 at 23:42
  • @Badams For protecting PHP you want a [PHP Obfuscator](https://www.google.com/search?q=PHP+Obfuscator). I learned the lesson the hard way too. It's ok to make mistakes just as long as they are different. – iambriansreed Jan 30 '13 at 03:43
0

What you could do, is use HTML Image Maps with screenshots to create a basic, interactive version of the final product.

SeinopSys
  • Actually I never thought of that! I may have to consider this for any future large projects, but the general consensus seems to be to get everything in writing, which I realize I really should be doing anyway. Thanks for the suggestion! – Badams Jan 29 '13 at 23:06
0

Use a website that has an escrow service, or an escrow-like service, where the employer pays all the money upfront to the website, and it will only be released to the coder after achieving a predefined goal.

Many freelancing websites provide this service.

sharp12345
  • Do you have any suggestions on services that do this? I would like to look into that further. I usually just get hired via word of mouth so it's mostly been cash payments and I've never had an issue before. – Badams Jan 29 '13 at 23:03
  • @Badams, elance.com, odesk.com -- a nice one is freelancer.com and it has fees that range between 3% and 10% based on your membership type -- you can google "list of freelancing sites". – sharp12345 Jan 29 '13 at 23:19
-1

It's possible to encrypt your source code with javascript. Try this website: http://www.iwebtool.com/html_encrypter I never used this tool myself and I don't know if everything works well, but I think it's worth giving a shot. You can always upload the normal source code after being paid. Also, make sure that you have the right contact information of your client in the future. I also highly recommend using a contract in the future so that your client is legally bonded to pay you. Another possible option is giving your client nothing but a screenshot of the site, but of course your site will become static.

SeinopSys
falidoro
  • There is no way to "reliably" encrypt HTML/JavaScript. Once it hits my browser, I can inspect the DOM and get your source code. P.S. All that "tool" does is: `document.write(unescape(...))`. – Rocket Hazmat Jan 29 '13 at 20:01
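What the comment above describes, as an added example that is not part of the original thread: a wrapper of the `document.write(unescape(...))` kind keeps the markup out of the served text, but running it hands the markup back. `protect`, `recover` and `SAMPLE_HTML` are hypothetical names, and `protect` is a stand-in written for this example, not the linked tool's code.

```javascript
// Constructed ASCII sample markup standing in for a page under development.
const SAMPLE_HTML =
  '<nav class="site-menu"><a href="/pricing">Pricing</a></nav>';

// Hypothetical stand-in for an "HTML encrypter" (not the linked tool's code):
// percent-encode every character, then wrap in document.write(unescape(...)).
function protect(html) {
  let encoded = '';
  for (const ch of html) {
    const code = ch.charCodeAt(0);
    if (code > 0xff) throw new RangeError('sample is limited to Latin-1');
    encoded += '%' + code.toString(16).padStart(2, '0').toUpperCase();
  }
  return `document.write(unescape('${encoded}'));`;
}

// The browser has to end up with plain markup in order to render it, so the
// same text is available to whoever runs the wrapper. Here a stub document
// collects what is written. Only the wrapper built above is executed.
function recover(script) {
  const written = [];
  const stubDocument = { write: (s) => written.push(String(s)) };
  new Function('document', script)(stubDocument);
  return written.join('');
}

function demo() {
  const wrapped = protect(SAMPLE_HTML);
  return {
    wrapped,
    hidesMarkupAtRest: !wrapped.includes('<nav'),
    recovered: recover(wrapped),
  };
}

const result = demo();
console.log(result.wrapped.slice(0, 60) + '...');
console.log('markup absent from wrapper text:', result.hidesMarkupAtRest);
console.log('recovered equals original:', result.recovered === SAMPLE_HTML);
```

The wrapper text contains no readable tag, yet the recovered string is identical to the original, which is why the thread's advice falls back on contracts and staged payments.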
-2

I've built a tool, which really encrypts your JS-sources - no simple obscurity by obfuscation, but good security by encryption.

See how it works here: http://ec2-176-34-64-10.eu-west-1.compute.amazonaws.com/nopro/xscroll - it's a demo only for hiding the script xscroll.js.

When you inspect the DOM in your client, all you see is: nplreq(url) for each script you bind into HTML head.

Encryption and decryption are totally transparent to the browser. It is tested with Firefox, Chrome, Opera, Konqueror, IE8-10, Dolphin and Safari on an Android tablet.

Encryption with AES (Rijndael 256) using one-shot-keys which are negotiated between client and (liblock-)server using Diffie-Hellman.

The sources are securely hidden, and only with really great efforts they may be reached again.

nhahtdh
wowei
  • The source is hidden when you don't execute them. I can see the source with Firebug easily. – nhahtdh Mar 13 '13 at 18:58
  • No, you can't. The only thing that you see there is the init of liblock.php and nothing else. The init only holds the base64-, bigint-, diffie-hellman- and aes-functions. – wowei Mar 15 '13 at 18:33
  • Yes, you cannot steal it directly easily (by looking at the source code and stuffs), but a good plugin can grab the eval code. This looks like xscroll.js: http://pastebin.com/im2p7fpK (and all of this takes 10 seconds) – nhahtdh Mar 15 '13 at 19:10
  • This is completely insecure (as was demonstrated in the comments to your [other answer](http://stackoverflow.com/questions/15172939/how-can-i-prevent-javascript-code-theft/15437976#15437976)). It takes mere seconds to pull up your "encrypted" data in the console. Even if somehow you managed to secure it from casual snooping, Webkit and FF are open source and a savvy attacker could easily hook into the script parser. Bottom line: **don't use this**. – Tim Medora Mar 16 '13 at 02:00
-3

You could either just run the site on your laptop or put the entire site behind a login page that requires a password. You would be able to do live demos, but the client would not have access to the site until you have been paid.

Shane
  • This wouldn't necessarily stop the stealing of the HTML/CSS source code. Specifically, the hide behind a login suggestion. – WhoaItsAFactorial Jan 29 '13 at 19:23
  • @Jermey1026 - I was thinking of the question in terms of Java, which allows you to put the JSP/HTML in WEB-INF, which is not accessible if you don't go through the login servlet. – Shane Feb 05 '13 at 20:41