[Image] [Image] Some programmers don't like the idea of other people reading their source code. Some companies even feel that they might as well open their source repository to the public. While decompilation isn't new (there are decompilers for C, Visual Basic, Clipper, etc.) the circumstances are. So what can be done? Now There is only one good defense: don't distribute (the vital parts of) your software as .class files. Instead, design your applications as a light Java front end that talks to a back-end on your server. Hide all your trade secrets in the back-end. A side benefit of this is that the user doesn't have to wait for a bulky applet to download. Of course, a drawback of this approach is the additional load on your server. Another, but weaker, defense against Mocha is to "obfuscate" your software, for instance by using many unnecessary local variables, meaningless method and class names, monolithic methods, etc. And don't include debug information. The [Image]effectiveness of such strategies depends a lot on the size of the program; for small applets it hardly makes a difference, but for large packages like Mocha itself it can be quite effective. If you want to keep your sources clean and clear, you can use an obfuscation tool like Crema. Crema processes groups of .class files and actually goes far beyond what you can achieve by obfuscating your source code. You can, of course, also forget about Java altogether and build ActiveX controls in C/C++. Future Some people have suggested encryption of .class files as the ultimate solution to the threat of decompilation. Encryption by itself is not the answer however: if a virtual machine (VM) can decrypt a .class file, so can a decompiler. Maybe a combination of encryption and authentication (where only VM's blessed by some authority get the decryption key) could work. But that will require changes to the .class format, the VM's, and even the servers. [Image]