Our company keeps all the code (all the versions, branches) in a file server. It is accessible to all employees, and anyone can copy an arbitrary amount of files to their thumb drives. However, each file is protected with a copyright notice on top of the file stating that "IT IS COMPANY PROPERTY, AND YOU SHOULDN'T MESS WITH IT!".
I think that's enough protection. Because nobody cares to steal it, it's so easily accessible.
|
No, we don't. Our stuff is mostly internal and away from prying eyes.
"the meat from that butcher is just the dogs danglies, absolutely amazing cuts of beef." - DaveAuld (2011) "No, that is just the earthly manifestation of the Great God Retardon." - Nagy Vilmos (2011)
"It is the celestial scrotum of good luck!" - Nagy Vilmos (2011)
|
Anyone who worked back in the day of the K&R C probably had a disassembler (so you could optimize parts of your code) which would generate labeled subroutines, variables, etc. You could then use grep to find tokens and replace them with more meaningful names.
Seriously, obfuscation is a silly exercise which saves your code for a better thief and if you were really interested in protecting your code you would go with encryption.
m.bergman
For Bruce Schneier, quanta only have one state : afraid.
To succeed in the world it is not enough to be stupid, you must also be well-mannered. -- Voltaire
Honesty is the best policy, but insanity is a better defense. -- Steve Landesberg
|
As our apps are in-house only (or rather, so-far), I document them continuously as they're written in an attempt to make it as plain as possible what's going on.
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein | "As far as we know, our computer has never had an undetected error." - Weisert | "If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
|
Our customers are all internal, and all code is run on internal servers that can't be seen from the outside.
|
I don't think we do any obfuscation per se, but we do minify our JavaScript code and it ends up pretty obfuscated.
|
At least that's what the other programmers in the office say...
If you vote me down, my score will only get lower
|
I've done it for one set of apps; where Customer A brokered our selling something we originally developed for them to Customer B; but insisted that we preclude non-trivial reverse engineering.
Since every .net obfuscator tool company also claims their advanced reflection tool is able to break every competitor's obfuscation tool; I suspect that A just ordered us to waste a few thousand of B's money directly; and a few more thousand if they want to be snoopy. With our contract in the 7 figure range and the total system being significantly more, the roadblocks put in added up to rounding error.
OTOH our software lead says if he knew about this requirement back when we started deving for Customer A; he'd've insisted on MFC, and that without being able to give A a security blanket we'd've probably had to port all the backend logic to C/C++ before selling to B, so I guess it wasn't entirely a waste.
Other than this we haven't bothered because the whole thing is a crock of elephanting fertilizer; which actually should be a 2nd new option: No because anyone with skills can still reverse it.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, weighing all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt
|
Agreed, there should be a sometimes option.
|
Obfuscation is about making it harder to reverse engineer an application.
Its purpose is not to completely stop a decompile of a .NET application, but to discourage it.
Anyone with the required skills, given the resources, can decompile even a Win32/VC++ application which is compiled to assembly language.
|
As I said, the intent was to "preclude non-trivial reverse engineering". Any yahoo can fire up a reflector and have a useable source listing of a standard .net program in minutes. There's no general purpose tool to convert asm back to C/C++ that I'm aware of; so anyone wanting to muck around in your codebase will have to work for it.
|
IDA Pro Advanced with the HexRays plugin does a pretty good job of turning machine-code (binary executables for all sorts of platforms) back into C.
Used it ages ago to work out how Windows Calculator draws coloured text on its buttons. Sure, I could have custom-coded it - but the approach used allows for the colours to fade gently as they do in calc after a button has been moused-over.
|
Thanks for the tip; I'll have to take a look at it sometime.
|
My code is so badly written that people either cannot read it or do not wish to.
---------------------------------
I will never again mention that I was the poster of the One Millionth Lounge Post, nor that it was complete drivel. Dalek Dave
|
Brilliant.
|
Despite this achievement you aren't the lead architect at Microsoft.
|
What about the option - we don't, but we're considering it. I know that as more of our company's code becomes managed, we're starting to consider obfuscation.
|
Many years ago, my ex-colleague used to use a .NET tool in trial mode. Using Reflector, he could see that there was a method called GenerateKey. He wrote an app to call that method and used the generated key as input to the tool to turn it into a full-fledged product.
I believe the developer should not have added product key generator capability into the software. I wondered how many developers had gotten that tool for free.
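An added example (not part of the original post, and not the code of the tool it describes) of the design the post argues for: the shipped assembly holds only a public key and a verify routine, so decompiling it exposes nothing that can generate a key. The class names, the `customer|signature` license format, and the sample customer are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Vendor side (hypothetical): runs only on the vendor's licensing server.
// The private key never ships with the product.
static class LicenseIssuer
{
    public static string Issue(ECDsa vendorKey, string customer)
    {
        byte[] sig = vendorKey.SignData(Encoding.UTF8.GetBytes(customer), HashAlgorithmName.SHA256);
        return customer + "|" + Convert.ToBase64String(sig);
    }
}

// Client side (hypothetical): the only licensing code in the shipped assembly.
// A decompiler shows the public key and Verify; neither can produce a license.
static class LicenseChecker
{
    public static bool Verify(byte[] vendorPublicKey, string license)
    {
        int sep = license.LastIndexOf('|');   // Base64 never contains '|'
        if (sep <= 0) return false;           // malformed: no customer or no signature part
        byte[] sig;
        try { sig = Convert.FromBase64String(license.Substring(sep + 1)); }
        catch (FormatException) { return false; }
        using ECDsa pub = ECDsa.Create();
        pub.ImportSubjectPublicKeyInfo(vendorPublicKey, out _);
        byte[] customer = Encoding.UTF8.GetBytes(license.Substring(0, sep));
        return pub.VerifyData(customer, sig, HashAlgorithmName.SHA256);
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed key pair and customer name, generated here only for the demo.
        using ECDsa vendorKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        byte[] publicKey = vendorKey.ExportSubjectPublicKeyInfo();

        string license = LicenseIssuer.Issue(vendorKey, "Constructed Customer Ltd");
        // Same signature moved onto a different customer name: must be rejected.
        string forged = "Someone Else|" + license.Substring(license.LastIndexOf('|') + 1);

        Console.WriteLine(LicenseChecker.Verify(publicKey, license));
        Console.WriteLine(LicenseChecker.Verify(publicKey, forged));
        Console.WriteLine(LicenseChecker.Verify(publicKey, "not a license"));
    }
}
```

This removes key generation from the client; it does not stop someone from patching the check itself out of a managed assembly, which is where obfuscation or native code comes into the discussion.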
|
Yeah, I used to use .NET Reflector like that.
The best bit was you could use it to modify the program itself, before re-assembling it.
The advantage? Didn't even need to create another program to run the GenerateKey routine.
I just edited the code that showed the MessageBox telling me the key was wrong, such that the message-box just showed me the valid key. Simple, write it down, try again - success!
I never used .NET and it was the first time I ever used .NET Reflector. It took about 45 mins to gain access to a $130 program.
So, with the increasing prevalence of .NET, one could reasonably expect that obfuscation will become more popular.
|
Actually I don't see much sense in doing so.
1. Our client base is small and rather friendly.
2. Too much legacy code with hard-coded strings on our flagship, management won't let us waste time on such "trivialities".
3. Our clients have databases on "our" servers, so we focus on protecting databases.
4. Most developers and technically oriented management are dongle fans.
5. If there is some secretive piece of code we ship it as native code library.
6. To be honest, is there really a bullet-proof obfuscation method for managed code?
|
No need for me as I don't use the technologies that are proposed here... (VC++ here).
Apart from that I understand that hiding code is an important measure for people who work on them.
|
If you saw some of our code you couldn't tell the difference anyway.
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWork(){ throw new NotImplementedException(); }
}
|
Looks like I might qualify for a position then!
I don't speak Idiot - please talk slowly and clearly
'This space for rent'
Driven to the arms of Heineken by the wife