|
Obfuscation, no matter how it's implemented, is still security through obscurity.
Anything that can be "seen", from a right-click disabled image or text block on the web or in-memory opcode, can be copied and it just requires some extra effort. That's just the way it is.
The only guaranteed (sort of) way around it is to implement software as a service. That still leaves the source server vulnerable to anyone on the inside.
Proving once again, the most dangerous thing in love and war, is a mole. Fairness be damned.
|
|
|
|
|
It's obvious from looking at the STL source code that they were big fans of obfuscation
|
|
|
|
|
template<typename _CHTYPE, typename _H, typename _HD, typename _PFN>
class DesktopSwitcher
_CHTYPE is wchar_t, _H is HWINSTA, _HD is HDESK, PFN is a function pointer (exercise left for the reader)
Deobfuscate this, mofo.
Nuclear launch detected
|
|
|
|
|
We obfuscate (using a pretty good freebie obfuscator: Eazfuscator) for two reasons:
1. It makes bypassing the dongle licensing in our software more difficult. We use software leases to force customers in Asia to make the final payments for the machines they buy from us (often millions of dollars).
2. We don't want the competition laughing at our code.
I doubt anyone would really be interested in an "awesome algorithm". Every programmer I know thinks they could write better code than whatever happens to be before them at the moment.
If you wanted to write your own new version of something (say Excel), you would play with Excel, then design it the way you wanted. Looking at the old code would probably just hold you back from doing an even better design than the legacy code holding the old authors back.
|
|
|
|
|
Obfuscation is time-consuming.
It is not impossible to reverse engineer a program.
In Java, it limits the use of the Reflection application programming interface on the obfuscated code.
|
|
|
|
|
Finally I find my job title: "the obfuscator"
William Shakespeare
Three sentences for getting SUCCESS:
a) Know more than other.
b) Work more than other.
c) Expect less than other.
|
|
|
|
|
Don't forget to wear a mask and a cape.
Why can't I be applicable like John? - Me, April 2011 ----- Beidh ceol, caint agus craic againn - Seán Bán Breathnach ----- Da mihi sis crustum Etruscum cum omnibus in eo! ----- Just because a thing is new don’t mean that it’s better - Will Rogers, September 4, 1932
|
|
|
|
|
I obfuscate less than 1% of my code. Only one or two crucial assemblies. The rest of the code is unobfuscated.
Why can't I be applicable like John? - Me, April 2011 ----- Beidh ceol, caint agus craic againn - Seán Bán Breathnach ----- Da mihi sis crustum Etruscum cum omnibus in eo! ----- Just because a thing is new don’t mean that it’s better - Will Rogers, September 4, 1932
|
|
|
|
|
Interesting, why do you only obfuscate those 2 assemblies? I would think of obfuscation as an all or nothing venture.
I think by obfuscating the "important" stuff you don't want me to see, you're telling me which stuff is the important stuff you don't want me to see. Whereas if you obfuscated everything it would take more work to determine where the good stuff was.
|
|
|
|
|
You're right to a certain point, but I'm lazy so I'm only obfuscating the licensing components... The rest of the code is of no use to 99% of the people who would look at it as it is an application aimed at a very narrow niche.
Why can't I be applicable like John? - Me, April 2011 ----- Beidh ceol, caint agus craic againn - Seán Bán Breathnach ----- Da mihi sis crustum Etruscum cum omnibus in eo! ----- Just because a thing is new don’t mean that it’s better - Will Rogers, September 4, 1932
|
|
|
|
|
If you obfuscate only the licensing components then you are basically waving a red flag in front of this code saying "this is really really really important." People will know not to waste their time on the unobfuscated code and get to work on the really really really important code.
Just a thought.
m.bergman
For Bruce Schneier, quanta only have one state : afraid.
To succeed in the world it is not enough to be stupid, you must also be well-mannered. -- Voltaire
Honesty is the best policy, but insanity is a better defense. -- Steve Landesberg
|
|
|
|
|
You're right, but as I mentioned it's an app targeted at a very select clientele, and almost all of them will not know anything about how to crack software, probably not even be interested in it. Just a precaution to keep curious eyes away. If somebody cracks it all the same, it's not that big of a deal. You can't protect yourself completely anyway.
Why can't I be applicable like John? - Me, April 2011 ----- Beidh ceol, caint agus craic againn - Seán Bán Breathnach ----- Da mihi sis crustum Etruscum cum omnibus in eo! ----- Just because a thing is new don’t mean that it’s better - Will Rogers, September 4, 1932
|
|
|
|
|
The same principle works when Google Maps (and others) blacks out certain areas.
|
|
|
|
|
Obfuscation protects IP? Who are we kidding here. It does nothing of the sort. The only thing it does is make it harder for the average script kiddie to reverse engineer your code - and he'll just download a de-obfuscator so it wouldn't even be that hard.
A script kiddie isn't going to eat into your profits. Professionals will have no trouble reverse engineering your code - even assuming "worse than anything currently on the market" obfuscation they could fire up OllyDbg or equivalent and read the JITted code.
No, it's not going to actually help. What it can do though is make your manager/boss/legal dept. happy.
|
|
|
|
|
If done correctly it can be just another layer of CYA. One place I worked was actually hard coding connection strings to the DB in their software. Obfuscation would at least make that harder to spot. If somebody is going to rip you off you might not be able to stop them but you can at least make them work for it.
And as everybody knows connection strings belong in plain text config files sitting in your project's root directory.
|
|
|
|
|
Connection strings do not belong anywhere. If you put them anywhere in any form, that's security by obscurity at best.
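The point argued in the two connection-string posts above, as an added example that is not part of the original thread: an obfuscator that only renames identifiers leaves string literals in the shipped binary, so a build-time check of your own artifacts can still find embedded credentials. It assumes literals are stored unencrypted as ASCII or UTF-16LE (the encoding .NET uses for user strings); the function names and the sample bytes are constructed for illustration.

```python
import re

MIN_LEN = 8  # ignore short runs such as renamed identifiers ("a", "b", ...)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
HOST_KEY = re.compile(r"\b(server|data source|host)\s*=", re.I)
SECRET_KEY = re.compile(r"\b(password|pwd)\s*=\s*[^;]+", re.I)


def extract_strings(blob: bytes):
    """Yield (offset, encoding, text) for printable runs in both encodings."""
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")


def find_connection_strings(blob: bytes):
    """Return sorted (offset, encoding, redacted_text) for strings that name
    both a database host and a password, with the secret masked for reporting."""
    hits = []
    for offset, enc, text in extract_strings(blob):
        if HOST_KEY.search(text) and SECRET_KEY.search(text):
            redacted = SECRET_KEY.sub(lambda m: m.group(1) + "=<redacted>", text)
            hits.append((offset, enc, redacted))
    return sorted(hits)


# Constructed sample standing in for a name-obfuscated build artifact:
# renamed identifiers, one UTF-16LE literal, two ASCII config strings.
SAMPLE = b"".join([
    b"a\x00b\x00c\x00\xff\xff",
    "Server=db01.example.internal;Database=orders;"
    "User Id=app;Password=Hunter2!;".encode("utf-16le"),
    b"\xff\xff",
    b"Data Source=localhost;Integrated Security=true;\x00",  # no secret
    b"host=db02.example.internal;pwd=s3cret;\x00",
])

if __name__ == "__main__":
    for offset, enc, text in find_connection_strings(SAMPLE):
        print(f"0x{offset:04x} [{enc}] {text}")
```

Run against a release build in CI, a non-empty result means a credential is shipping to every customer, whatever the obfuscator did to the class and method names.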
|
|
|
|
|
If you have some secret algorithms, it might make sense to hide them, but if it's Plain old Programming, I don't think there's much advantage to obfuscating it. My sense is that obfuscation serves either to hide algorithms, or to make your work unmaintainable as shipped. If you think someone is going to take the entire work and start competing against you with your own code, then you probably have a pretty good lawsuit for copyright violation.
And when it comes to ordinary programming techniques, don't we naturally share these? I mean, here we are on CP, writing and sharing articles in order to educate each other.
|
|
|
|
|
A lot of programmers I've met over the years write obfuscated code.
Oh you mean a commercial product...No need.
|
|
|
|
|
If anyone in the office could decompile or otherwise reverse engineer my code, they would be in my department. And if any of our field reps were capable of cracking into the website's App_Code folder... nah. Most of them can barely use email.
|
|
|
|
|
Well, security is key. Never know.
Sir.Dre
|
|
|
|
|
That's the option I would have chosen
Look at me still talking when there's science to do
When I look out there it makes me glad I'm not you
|
|
|
|
|
I second this one. Although I would rather put it as "I think we should", as I don't really know how much harder it actually is. While I'm reading through some of the comments here, I'm beginning to wonder if it even makes that much of a difference.
|
|
|
|
|
When I look out there it makes me glad I
Yeah, same here, phuk u 2
|
|
|
|
|
We are UI vendors and we do share the source with the customers in one of our licensing methods. Though anyone can decompile it from the assemblies, there are laws that cover it all.
|
|
|
|
|
How to keep people from stealing your code.
Put this at the top of the code, as a comment.
/* This code was built to destroy your computer and spy on you. Please, DO NOT RUN this code! USE AT YOUR OWN RISK!!! */
"I do not know with what weapons World War 3 will be fought, but World War 4 will be fought with sticks and stones." Einstein
"Few things are harder to put up with than the annoyance of a good example." Mark Twain
|
|
|
|