Sign In/My Account | View Cart  

advertisement

AddThis Social Bookmark Button

Article:
  Protect Your Source Code: Obfuscation 101
Subject:   Those who do not learn from history.
Date:   2005-04-12 00:37:11
From:   schwern

the vast majority of software pirates won't spend 500 hours reverse engineering and patching a simple $10 shareware application


Every anti-piracy method is based on this assumption. Every one fails because it is not true. It was not true back when it was a bunch of computer nerds copying 5 1/4" floppies using BitNibbler downloaded off a dial-up BBS and its not even remotely true now with your grandma downloading music over BitTorrent.


The vast majority do not need to break the obfuscation. Just one. The Internet takes care of the rest. And there's always somebody who does this sort of thing for fun and is shockingly good at it.


An article investigating automated obfuscation and discussing how its done might have been interesting. But to conclude that obfuscation is security? Sophomoric.
Full Threads Oldest First

Showing messages 1 through 4 of 4.

  • Matthew Russell photo Those who do not learn from history.
    2005-04-13 08:34:11  Matthew Russell | O'Reilly AuthorO'Reilly Blogger [View]

    You quoted me to say that "the vast majority of software pirates...." and then make you point by saying that "The vast majority do not need to break the obfuscation. Just one." I agree with you since that seems agreeable what I was trying to communicate in the first place: deterrence goes a long way (not that obfuscation is your end-all solution for securing anything).

    Ditto on my other response about obfuscation and security. I still stand by it.

    BTW, I totally appreciate the feedback and thought that readers put into these replies. I'm engaging in a dialogue, because I find it interesting and even a little bit fun. Hopefully, others find it just as fun to read through and think about.
    • I think you missed the point.
      2005-04-13 13:38:58  Michael Schwern | [View]

      The deterrence goes no where. Once one person breaks the obfuscation they post the unobfuscated code up on the Internet and you're shot. And there's a lot of folks on the Internet who love to break anti-piracy measures for breakfast.


      • You are teaching people to throw away their money.
        2005-04-13 14:16:25  Michael Schwern | [View]

        A friend of mine pointed out that I still hadn't mde the core point clear enough. So here it is.

        Obfuscation is a waste of your time and money. By teaching people that obfuscation adds any deterence you are teaching them to throw away their time and money.

        Why?

        Because you are fighting against the entire Internet. You will lose.

        Because some bored teenager is going to reverse the obfuscation and post it on the Internet irregardless of its value to him. The more interesting the anti-piracy measure the better, its about challenge not economics. Then anyone who can use google can find and download a copy.

        This has been true for the last 20 years and it gets more true all the time.

        With this in mind, your obfuscation presents about as much a barrier to pirating your software as byte-compiling it does. That is, it changes it from simply opening up the file and looking at it to doing about 5 minutes of work. For byte-compiling: finding and using a decompiler. For obfuscation: a google search. Since obfuscating is not adding any more anti-piracy value to your product than you're already getting by byte-compiling any amount of time you put into it is a waste of your employer's money.

        Furthermore.

        Because it increases code complexity which increases code maintenance costs.

        If you obfuscate the code by hand, woe be unto the next person who has to maintain that code. Or even if its you, six months later, when you've forgotten what in the hell you did. The automated obfuscator solves this problem, but because it is using rote transforms (ie. refactoring) and well-known obfuscation techniques the pirates will go through it like tissue paper.

        I wouldn't even be surprised if someone came out with an automated deobfuscator to undo each Sandmark transform.

        That said, I would like to reiterate that the Sandmark automated obfuscator is interesting. An article focusing on how that accomplishes its obfuscations (not just how to use the thing) and how it measures code complexity would be very interesting.

        Just don't try to say that its security.
        • Matthew Russell photo You are teaching people to throw away their money.
          2005-04-13 15:08:05  Matthew Russell | O'Reilly AuthorO'Reilly Blogger [View]

          Some thoughts on your response (BTW, this is interesting) :

          "Obfuscation is a waste of your time and money" -- really? So if you do have some software and want people to register it by purchasing a code or something along those lines, should you take any protection measures at all to protect your algorithm that checks the registration code? I'd have to think that you would. Yea, people will try and may eventually break it, but that doesn't mean you just raise the white flag. Serious businesses and corporations seem to agree since they don't give up quite so easily. After all, everyone can't become rich through Google ads. Paying real money for real software eventually comes into play.

          Also, keep in mind that "hard" algorithms, if correct, are at least as hard to break as they can be proven to be hard.

          "Because you are fighting against the entire Internet. You will lose" -- That's just not a core philosophy I personally embrace for any endeavor. I see it as a defeatist attitude that ultimately leads to failure and pessimism if taken to the extreme. At any rate, I'd rather it take someone some time and frustration to reverse engineer or hack some of my work than to hand it to them on a silver platter.

          "With this in mind, your obfuscation presents about as much a barrier to pirating your software as byte-compiling it does" -- If you're already assuming that a patch is out there, than I suppose a Google search does take care of the job in five minutes or less, but I'd defer to my previous points about not just surrendering and raising the white flag.

          "I wouldn't even be surprised if someone came out with an automated deobfuscator to undo each Sandmark transform." -- I would be a bit surprised actually. And until someone actually accomplishes this by building a general purpose tool, I think I can remain rather unsurprised.

          "Just don't try to say that its security." I call putting a padlock on a door security even though someone can take a pair of bolt cutters and rip it off...so I think I will have to remain of the opinion that obfuscation is indeed a measure of security. I'm actually the one that's surprised to hear so much of the contrary.

          No security is bulletproof, but I still think that a little bit can go a long way, even if there is an internet vehicle that can be used to share the piracy with the rest of the world.

          Out of curiousity, what would you think that people should do for "security" rather than shouldn't do? You've said a lot about security, but it's all been "don't do it that way" rather than "here's a specific thing that you should do".