Agile Ajax

A double dose of "I told you so" today: as it turns out, stealing an idea is hard work, while stealing an implementation is dead easy. By that I mean that if you want to steal a server-based web application, you either have to hack in to steal the code or do the hard work of reverse engineering and coding a clone. But if you're developing client-side code in JavaScript, you are vulnerable to theft. It's the recurring theme of Ajax and Leaky Business Logic, and I'm going to keep talking about it until it doesn't happen anymore.

You remember the incident where the image editing webapp Snipshot was ripped off by Cellsea? Well it looks like it's happened again, this time with one of Emil Eklund's WebFX tools -- LiteSpellChecker -- being ripped off by SpellingCow. Emil reviews the code and appearance of his original program with the derivative one and finds several suspicious similarities. His program was a demo, but copying code whether demo or not without attribution is a big no no.

If you are going to write business logic on the client side rather than just sticking to display logic, you need to at least obfuscate your code to make maintenance and reverse engineering a headache. Better yet, stick to writing Ajax applications in server-side frameworks like Echo2 and ZK.

Update: Thanks to Doug Clinton for pointing out the update from Emil. I guess all I can add is the only thing that makes this not a ripoff is Emil's laid back attitude.

Technorati : ajax, code theft, javascript, obfuscation

Via Ajaxian we get an object lesson in the dangers of exposing business logic in the browser:

Beau Hartshorne of Snipshot (formerly Pixoh) says "massive chunks" of Cellsea code are identical to Snipshot. "This is not an accidental inspiration. Check out the cropping code, the resizing code, and so on. We've also noticed that portions of their website are also stolen directly from ours ... We are contributors to MochiKit open source project. However, the code in question is proprietary and was taken directly from out site."

Can I say "I told you so?" I've blogged about the danger of Ajax and Leaky Business Logic before. What is the danger here and the lesson the be learned?

• Don't put your crown jewels in the browser. See if you can't lock a fair bit of your business logic on the server side by using a server-side component framework like Echo2 or ZK.
• If you're going to deploy meaningful applications in Javascript, do what people have been doing with script source code for decades: obfuscate. You can do something simple like renaming all of your variable to one or two character names, or you can use a code generation framework like GWT or Morfik that produce unreadable code from the beginning. Be forewarned that code generators can be vulnerable to decompilers -- in short, if someone knows how GWT generates it's code, you could possibly reverse the process and produce the original source code.
• Build in anti-theft mechanisms. This could be something as simple as a method that checks to see that the url the application is running on is the correct one, otherwise display a nasty message. You could make this as tricky and complicated as you like, all the way to encrypting big chunks of code with the website url and only decrypting them at runtime.
• Hold out for "byte compiled" Javascript.

A combination of all of these may be what we end up with. I'm not sure I'd want to run any script in my browser, though, that I can't understand. Still, you would hate to be the victim of code-theft as has apparently happened to Snipshot.

How similar are these two programs? Well, Cellsea offers a bunch more functions, but they do look very similar, both in terms of the UI and the underlying code. The original Snipshot is here and the knock off here. You be the judge.

If you are really hungry for a good AJAX image editing app, the best of the bunch of them may be Phixr, which gives you preview, the ability to marquee select for certain operations, etc. Slick, even if the UI is a bit jumpy.