November 21, 2005 01:10 PM

Categories: Licensing Issues

jbegley

Member
Joined: 11/29/2004

While this may sound like a developer's topic, I was more interested in an IP protection opinion of code obfuscating.

We are preparing to deliver our first .Net application and the topic of encrypting or obfuscating our products came up as a way to protect our intellectual property. I am comfortable with the concept, but was interested in how others were facing this decision. I want to be responsible with our IP, yet I don't want to build extra steps in our development process if it is really unnecessary.

Are others encrypting their .Net apps for commercial distribution or do you just figure if someone is set on reverse engineering, they are going to do it no matter what? (Our software does not contain any world-changing algorithms; our value is our ease-of-use and process.)

Thanks in advance!


November 21, 2005 9:37 PM

Jim -

I'm having trouble seeing this as a P&L question, and I suspect others are too -- that's why you haven't gotten an answer -- but I was reluctant to move it because your first sentence seemed to indicate that P&L was an intentional choice. It seemed like either an R&D question (for the obvious reasons) or else perhaps an Ops & Legal question (IP protection, and the miscellaneous "nuts and bolts" of running a software company).

Should I move it, or do you really think it's a pricing and licensing question? The questions we get here, and our experts, run more along the lines of "if we sell one copy for $49, what should we charge for ten?" and "how do we write a license that prohibits our customers from doing X while letting them do Y?"

BTW, not the answer to your question, but it almost is and it's an amusing read, albeit waaay too long: http://thc.org/root/phun/unmaintain.html.

November 21, 2005 10:39 PM

Charles,

Thanks for the note. I put it under that forum because I saw obfuscation as similar to copy protection. But, I will gladly take your recommendation if you think it is better suited to R&D. I wanted to be sure and focus more on the IP rationale of obfuscating versus the technical merits. I would say wherever IP protection is discussed would likely be the right home.

Thanks again,

November 22, 2005 7:26 AM

"I would say wherever IP protection is discussed would likely be the right home."
That would be here at Ops & Legal. IP is definitely a Legal topic, and I see your question as more Ops than R&D, because you are not asking "is method X or Y technically superior?" but rather for a management overview of obfuscation. I see the issue of obfuscation as different from copy protection because I think the big discussion point in CP is "how much are we inconveniencing the legit customers?" Obfuscation has no customer impact, is that correct?

Let me get the Ops & Legal ball rolling by confessing my ignorance. I know obfuscation/reverse compilation is a big issue for Java. Is it an equally big issue for .NET? Are C# and VB "object" code sufficiently one-to-one with the source code that de- or reverse compilation is possible? Must be: I do a Google search on .NET obfuscation and get 545,000 hits, including ELEVEN paid ads. OTOH, a Google search on .NET decompiler yields 785,000 hits, including seven paid (some of them the same as from the earlier search).

If anyone is wondering "what the heck are these guys talking about?" here is a good introduction: http://www.awprofessional.com/articles/article.asp?p=353553&seqNum=3&rl=1

November 22, 2005 9:30 AM

Just to complete the picture, let me mention the aspect of this general topic that does apply to licensing. It is important to be clear about what you are trying to achieve as there are two separate issues involved:

1. Concealing your IP and algorithms from snoopers. This is the goal of obfuscation or encryption, and there are many such tools available. It is orthogonal to licensing.

2. Ensuring (in a licensing context) that the license checks and perhaps other function calls are not bypassed, modified or spoofed. One way of accomplishing this latter goal is to take a digital signature of the library elements, so detecting any tampering or substitution.

As I understood your post your concern is the former - right? - so I agree it is perhaps better addressed in this forum.

Dominic
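
The signature check mentioned in point 2 above can be sketched as follows. This is an added example, not code from the thread or from any product named in it: the vendor signs a manifest of library hashes at build time, and the application verifies it with the public key before trusting those libraries. The class, method and file names are hypothetical, the key pair and library bytes are constructed for the demo, and the calls used require .NET 5 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class LibraryIntegrity
{
    // Manifest: one "name:sha256hex" line per library, sorted by name so the bytes are stable.
    public static byte[] BuildManifest(IDictionary<string, byte[]> libraries) =>
        Encoding.UTF8.GetBytes(string.Join("\n", libraries
            .OrderBy(kv => kv.Key, StringComparer.Ordinal)
            .Select(kv => kv.Key + ":" + Convert.ToHexString(SHA256.HashData(kv.Value)))));

    // Build time: the vendor signs the manifest with the private key, which never ships.
    public static byte[] Sign(byte[] manifest, RSA privateKey) =>
        privateKey.SignData(manifest, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    // Run time: rebuild the manifest from the libraries actually present and check it
    // against the shipped signature using only the public key.
    public static bool Verify(IDictionary<string, byte[]> libraries, byte[] signature, RSA publicKey) =>
        publicKey.VerifyData(BuildManifest(libraries), signature,
                             HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
}

static class Program
{
    static void Main()
    {
        using RSA vendorKey = RSA.Create(2048);   // constructed key pair for the demo
        using RSA shippedKey = RSA.Create();      // holds the public half only
        shippedKey.ImportRSAPublicKey(vendorKey.ExportRSAPublicKey(), out _);

        // Constructed stand-ins for the bytes of two shipped assemblies.
        var libs = new Dictionary<string, byte[]>
        {
            ["Licensing.dll"] = Encoding.UTF8.GetBytes("license check v1"),
            ["Core.dll"] = Encoding.UTF8.GetBytes("core logic v1"),
        };
        byte[] signature = LibraryIntegrity.Sign(LibraryIntegrity.BuildManifest(libs), vendorKey);
        Console.WriteLine("as shipped:  " + LibraryIntegrity.Verify(libs, signature, shippedKey));

        // Tampering: the licensing library's contents no longer match the signed hash.
        libs["Licensing.dll"] = Encoding.UTF8.GetBytes("license check removed");
        Console.WriteLine("modified:    " + LibraryIntegrity.Verify(libs, signature, shippedKey));

        // Substitution by omission: a signed library is missing from the install.
        libs.Remove("Licensing.dll");
        Console.WriteLine("file absent: " + LibraryIntegrity.Verify(libs, signature, shippedKey));
    }
}
```

The check covers only the files named in the manifest; the code that performs the verification has to be protected by some other means.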

November 22, 2005 9:47 AM

Dominic,

Thanks for the post. The nut of the topic was the former, general protection of company IP from reverse engineering. As an addition, you are correct, I would not feel good if someone bypassed my complete licensing component through code manipulation.

The real nut of the question is I understand that .Net code has improved security by obfuscation or encryption, but are the majority of software companies really doing it? I spoke with one major company that said it was on their list of things to do, but just never got around to it (strategic decision through inaction). Others know about it, but are not sure it is worth it. Is it like going to your doctor and getting a physical every year? (A known best practice, but few really do it.) Or is it overkill that most have made the calculated decision to avoid? .Net adoption is really jumping, so I would think that many orgs are facing this decision, or is the decision not even making it to the C-level conversation?

Regards,

November 22, 2005 10:41 AM

Apparently several ISVs see a business here; there's this -->
http://www.preemptive.com/

and this -->
http://sharptoolbox.com/Category68fc8748-8956-4ed8-98aa-170a85c36813.aspx

November 22, 2005 1:05 PM

Jim,

We don't obfuscate our .NET product. I strongly believe that if someone is determined to hack/crack your application, nothing will protect you.
There is no 100% secure solution.

In my opinion it's better to get a copyright for your source code. So in case someone steals and sells your product, you can sue them.

As for the licensing code manipulation, think about it: will a serious company (prospective buyer) try to tamper with your licensing module? I don't think so.
Locks are to keep honest people honest. Person who tries to hack your product will hardly buy it anyway.

Best regards,
Vadim Katcherovski
www.easyprojects.net

November 22, 2005 6:19 PM

If someone wanted to copy your code and it happened to be obscured, they would just look at the processor as it executes and disassemble what the processor executed.

Obscuring code might raise the cost of copying your code, but it won't prevent it.

David Locke

November 23, 2005 7:59 AM

A couple of clarifications if I may.


  1. You've "got" a copyright automatically on your code and screen designs (very important -- see the recent thread on "copycat software") by virtue of your having recorded it on a "tangible medium." It's important to REGISTER your copyright to protect your ability to sue infringers. (I'm speaking of US law here. Others' mileage may vary.)
  2. Sure, any of these things only slows down/raises the cost for a crook. Will the lock on your front door at home keep crooks out absolutely? Of course not. It just slows them down -- but you still installed a lock, didn't you? If you can raise the cost of hacking your software to where it is cheaper to buy a license, or to where commercial crackers will play elsewhere, then obfuscation was worth the effort. Reconstructing code from a debugger trace is a lot harder than working with a decompiler.
  3. I agree with Vadim, assuming you are talking about mission-critical software. No one is going to take a chance running their company on unsupported software, stolen or otherwise -- no one, that is, who could have afforded your software in the first place. The tradeoffs are different for nice-to-have software.

November 24, 2005 6:46 PM

One additional consideration, which may apply to .Net applications in the same way as Java applications, is that by obfuscating Java code the file size gets smaller. This is because there is some data compression that is used as part of the obfuscation process. This was a welcome secondary benefit for one Java application I had written for me.

November 24, 2005 7:21 PM

Along the same lines, some of the sites selling obfuscators claim performance improvements. Seems plausible, but I would benchmark before I implemented obfuscation for that benefit.

March 22, 2009 4:50 PM

Just wanted to say we have worked with this app and have been pretty happy with it.

http://www.remotesoft.com/salamander/obfuscator.html

-SC

June 28, 2011 3:45 AM

Obfuscating .Net software is a must, since it's so easy to see the code using tools like Reflector. You want to make it as hard as possible for hackers and crackers and IP thieves. Of course, there is the license agreement but most companies do not have time or resources to fight legal battles.

Our own product Crypto Obfuscator offers a variety of protections for your .Net assemblies. Do check it out.
