[Private modules] New way of securing code?


#1

Following the recent announcement that is removing private modules as we know them, my business has essentially been ruined (for now). Naturally, I’m very angry about this, but I’ll stay calm on the forum and look for a solution. Anyone with a business feel free to weigh in, I’d love to know your thoughts.

I have a few options:

  1. Open source my system. I’d lose essentially all my income.

  2. Find a new way to keep my code secure so people will buy a license instead of pirating it.

Essentially my question is, what would be better/new ways of securing my code now that I have no choice but to make the private module free? Thanks in advance.


#2

What service are you providing? There is no information listed.


#3

It would be helpful if you could describe the service you are providing. Right now I am not sure of what you are offering to players, and as a result I can’t give you any alternatives.


#4

CheckMein, receptionist system for hotels.

It uses a private module to run the entirety of the system. A configuration module is passed as an argument in the require;

require(asset)(configuration)

In the private module, the script makes an http call and checks whether the game owner is on a whitelist. (license)
If yes, the system proceeds to load. If no, the system aborts loading and shows a purchase GUI for the owner of the game.

Please let me know if you need to know more, and what.

EDIT: The system itself consists of numerous regular scripts that are parented to ServerScriptService once the system starts running. After this, the main private module is essentially no longer used.


#5

Yeah this seems like a hard sell without fencing off the code. There are plenty of companies out there that develop purely open-source and make a profit (you’re using one of such products right now actually – this forum is called Discourse and it’s open source; the developers profit because they also offer hosting and maintenance for forum instances). What you would want to do is extend your product so that it needs a service to operate correctly, that way you can fence off this service off-site where it can be private, and customers need an API key to access it. You could i.e. allow group owners to buy an API key to use it in all of their places, and the “hotel check-in data” would be stored on a cloud location somewhere, and then advertise that your service works cross-places if people pay a fee. That way, you can sell the service instead of the product, and you can make it a repeat fee (like every X amount of time).

Think about why there are so many free-to-play games at the moment and why they are so successful: they let everyone use it, but all of the interaction happens through their fenced-off services, on which you can spend money to give you certain benefits in these games. You already have the game, you’re paying money for services. It should be the same with all your modules wherever possible (sometimes it won’t make sense though, in which case you’d probably be better off investing your time entirely elsewhere).


#6

I guess something ‘good’ can come from this. It’s been a great year for my service, so I could give back to my community by making the next version open source and free. I’m seriously considering this.

[making off-site features really just goes past my expertise, and it’s not worth it in my opinion if updates like these can so easily break things entirely. I’m not trying to be salty, just realistic.]


#7

Updates wouldn’t really be an issue for @buildthomas’ suggestion, since most of the logic and data exists offsite. To be honest, it’s really a great idea and a very common concept in the enterprise realm. It’s also a very valuable skill to have if you were ever looking into becoming a professional developer some day. There are numerous tutorials showing how to achieve this sort of thing for a veritable cornucopia of languages. A particularly easy (in my opinion) language to use is Node, which is essentially JavaScript.

Even if you weren’t interested in learning how to do this, you could probably hire a developer to do it for you and then continue on with a subscription or license based service. You could even extend that further into other products. As far as this goes, you probably wouldn’t have much trouble finding a developer that could do this for you if you really don’t want to try it yourself. There is a learning curve, but I honestly believe that if you put time into it you could do it.
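The off-site service suggested in #5 and #7, sketched in Node.js as an added example (not code from any poster or from CheckMein). The function names, the `keyId.secret` key format, the status codes and the in-memory maps standing in for a database are all assumptions made for illustration.

```javascript
'use strict';
const crypto = require('node:crypto');

// Server-side state (in-memory stand-in for a database). Only the SHA-256 of
// each key is stored, so a leaked table does not leak usable keys.
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
const licenses = new Map(); // keyId   -> { keyHash, groupId, paidUntil }
const checkIns = new Map(); // groupId -> [{ placeId, guest, room, at }]

// Called when a group owner pays; the full key is shown to them once.
function issueKey(groupId, paidUntil) {
  const keyId = crypto.randomBytes(4).toString('hex');
  const secret = crypto.randomBytes(24).toString('hex');
  licenses.set(keyId, { keyHash: sha256(secret), groupId, paidUntil });
  return `${keyId}.${secret}`;
}

function authenticate(apiKey, now) {
  const [keyId, secret] = String(apiKey).split('.');
  const lic = licenses.get(keyId);
  // Hashing first gives equal-length buffers for the constant-time compare.
  const ok = lic && secret && crypto.timingSafeEqual(sha256(secret), lic.keyHash);
  if (!ok) return { status: 401, error: 'invalid key' };
  if (now > lic.paidUntil) return { status: 402, error: 'subscription lapsed' };
  return { status: 200, groupId: lic.groupId };
}

// Check-in: the record is filed under the group that owns the key, never
// under a group id supplied by the caller.
function handleCheckIn(apiKey, body, now = Date.now()) {
  const auth = authenticate(apiKey, now);
  if (auth.status !== 200) return auth;
  if (!body || typeof body.guest !== 'string' || !Number.isInteger(body.room)) {
    return { status: 400, error: 'bad request' };
  }
  const rows = checkIns.get(auth.groupId) || [];
  rows.push({ placeId: body.placeId, guest: body.guest, room: body.room, at: now });
  checkIns.set(auth.groupId, rows);
  return { status: 200, total: rows.length };
}

// Guest list: every place using the same group's key sees the same data.
function handleListGuests(apiKey, now = Date.now()) {
  const auth = authenticate(apiKey, now);
  if (auth.status !== 200) return auth;
  const rows = checkIns.get(auth.groupId) || [];
  return { status: 200, guests: rows.map((r) => r.guest) };
}
```

The game would reach these handlers over HTTPS from a server-side script. What is protected is the service and the data behind it, since the Lua that ships to customers stays readable.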


#8

You could always obfuscate it, but it isn’t guaranteed that it will be completely secure.


#9

I personally, and many of the people who you should care about as potential customers, are not going to want to use your code for payment if it’s obfuscated. If I’m using your code in a project I want it to be crystal clear and follow a style guide so I can easily see what it is doing and what it is not.

If a contractor would provide me with code that is obfuscated or somehow made harder to read, that contract would end right there.


#10

I don’t think people should be hiding their code.


#11

Even if it’s out of shame? :grimacing:


#12

If you’re going to be releasing code for other developers to use, those developers should have the right to modify them as they see fit. Private modules/obfuscation is dumb.


#13

Me and my team are having similar issues and I think your best option would either be to obscure the code, or set up an external web server that holds the code? Not sure :confused:


#14

Pretty sure that’d make your code even more insecure, if you mean what I think you mean, as you’d have to have loadstring enabled, plus anyone could just access your web server’s endpoint and pull the code…

OT: if your product is commercial, you could have data loaded from a web server, as said before, to work with the plugin. Another option is to add in the ability for your product to support plugins, then offer to “commission” plugins for your customers for a certain price, which they can put into a folder or something somewhere.

The only real solutions I see here are providing a reason to the user to use a web service in some way, or to just commission plugins for your product. Obfuscation shouldn’t even be considered as it can be undone eventually and, even then, your scripts will look dodgy to the consumer if they ever open them and they might be put off.


#15

The whole crux of the issue here is respecting intellectual property (IP) vs security. Here is a scary quote for you developers out there from the Roblox Terms of Use 6-B-3 that will give many of you nightmares:

IP Rights Encourage Innovation and Reward Entrepreneurs

IP is a MAJOR part of any thriving economy. Roblox would not survive as a platform if it did not respect game creators’ IP.

Consider a difficult task that most developers do not fully understand or that requires lots of time and effort. These are stumbling blocks to the progression of the Roblox platform. Without a guarantee of the integrity of their IP, developers have no strong incentives to create solutions unless they have encountered the problem themselves (perhaps in their own game). What you get is that some of the brightest developers who are actually able to solve some of the toughest problems on the platform and games in general instead spend most of their time working on their own game(s) instead. In addition, it is counterproductive to fuel their competition by sharing their solutions although some do (like me, because I owe a lot to Roblox).

Again, from a great article titled What is Intellectual Property from WIPO (World Intellectual Property Organization) says this:

I find it ironic that the platform that claims to “power imagination” is attacking its developers by undermining their IP and breaking a system which fosters creativity and innovation. Even if Roblox was to back out of this move, I’m sure relations with hundreds of developers have been damaged by this perceived breach of trust.

Roblox Internally Encourages IP

When I was an intern at Roblox, I felt safe and respected. At the front desk, where they took the picture for my badge, is a display case. Karen, who works at the front desk and is the sweetest individual I’ve ever met, welcomed us all and showed us this display case containing patents and awards. Many of the patents were made by some of the founding fathers of Roblox themselves, David Baszucki (builderman) and Eric Cassel. I remember seeing the patent for some of Roblox’s internal architecture designed by Eric, of which Keith Lucas said this:

Karen explained to us, as well as others in the orientation meeting, that Roblox respects their employees’ IP. If we as an employee wanted to have something patented, they would work with us! At Roblox, they treat interns just like any other employee and encourage us to share our ideas. It was such a positive environment founded on trust, the pinnacle of innovation and creativity. It is probably one of the best places to work as a developer, and I’m sure attracts a lot of great talent because of that. I’m glad to see this kind of environment is fostered in the real world and that companies see the value in it.

Conclusion

Treating developers as risks, restricting, and attacking them is not in Roblox’s best interest and is damaging. Developers should be treated as the company’s holiest assets, empowered, and trusted. When questions of security arise, great care should be taken to not restrict developers. The real world economy and systems should be looked to as an example to solve security issues in Roblox. Sandboxing scripts will not be sufficient if social engineering can play a role and sharing modules with select developers is simply targeting a select group of developers with an attack. Perhaps a third party, trusted by both the private module developer and the user, could certify that the code is safe without having to place restrictions on them. This is how website security (HTTPS), application security (Apple, Microsoft, Google), and any other web of trust system works. Ultimately, this is the ONLY form of true security, just being applied statically rather than dynamically at run time.

Edit:
Some of you may be wondering how I reconcile my opinion of IP with my love for open source. If you will recall, I strongly encourage Roblox to move most of its API to Lua and make it open source, although some things will have to happen before that can be done. Dropbox has a great article titled Balancing open source and proprietary ip: they can coexist which sums up my feelings on the matter.


#16

Some people will simply not allow other people to use their work in order to protect their IP as there’s now no way of stopping people from taking it and using it as their own work, a problem for those of us that would like other people to use our work but not copy it or see how we’ve solved specific problems, sort of like a trade secret.

This is damaging the business of groups in communities such as some in the Roblox Aviation community who write closed source modules to sell to their members who are creating Flight Simulators. For these products to continue working in places that rely on them, the groups will have to open source the modules, thus no longer able to make Robux this way.

Ideally Roblox look into a way of allowing developers to set a Closed Source Module as public and have it go through some sort of approval process before it can be loaded by other developers or users.


#17

I most certainly agree. Roblox should have introduced a replacement feature along with retiring private modules. Right now, I’m simply stumped.

I wouldn’t mind having a module approval system, where an actual moderator looks at your code and posting updates would cost a fee. (similar to audio tracks)
I feel like the above wouldn’t be too hard to implement, and it could work well as a temporary solution. But this is just one of the many potential solutions the devforum community members have thought of.

It’s sad to see my business go, because now I’m going to have to start doing commissions again.

Side note, I’m not ashamed of my code. It may not be the best, but I’m certainly not using private modules to hide it. I’m using private modules to protect my product from people looking for an easy bypass.


#18

I don’t think this would make a lot of sense for scripts. There are many different circumstances where code would be considered malicious or not. A script that sets a bunch of stuff on fire might make sense for one game, but not another.

Honestly, I don’t have an issue with this. I’ve never seen an actual use case for private modules. I think open source is the future. There are so many libraries, plugins, utilities, and examples on this forum alone that people have sunk hours or days into developing and given it away to the community, and I just love that.


#19

Yeah, this will ruin the majority of war groups on Roblox that a lot of mature age people enjoy participating in.

I had a subscription service for tech to use in the colonial era of Roblox war groups and that way every group would use the same guns, ships etc at their base.

I retired that, but someone else offers that and their system is used in more than 100 games. It’s not going to be looking good for the community.


#20

Yes it is nice to see when people are willing to share their hard work open source. The problem here is that by removing the choice to allow people to use your work in a closed source format you are unable to stop people from just copying your work, re-releasing it and claiming to be the original creator. Plus there’s no way to monetize on your hard work which is what the OP is concerned about.

Edit:
This also means that anyone who considers certain code in their scripts to be proprietary can now no longer let anyone else use it.