A friend of mine pointed out that I still hadn't made the core point clear enough. So here it is.
Obfuscation is a waste of your time and money. By teaching people that obfuscation adds any deterrence you are teaching them to throw away their time and money.
Why?
Because you are fighting against the entire Internet. You will lose.
Because some bored teenager is going to reverse the obfuscation and post it on the Internet regardless of its value to him. The more interesting the anti-piracy measure the better; it's about challenge, not economics. Then anyone who can use Google can find and download a copy.
This has been true for the last 20 years and it gets more true all the time.
With this in mind, your obfuscation presents about as much of a barrier to pirating your software as byte-compiling it does. That is, it changes it from simply opening up the file and looking at it to doing about 5 minutes of work. For byte-compiling: finding and using a decompiler. For obfuscation: a Google search. Since obfuscating is not adding any more anti-piracy value to your product than you're already getting by byte-compiling, any amount of time you put into it is a waste of your employer's money.
Furthermore.
Because it increases code complexity which increases code maintenance costs.
If you obfuscate the code by hand, woe be unto the next person who has to maintain that code. Or even if it's you, six months later, when you've forgotten what in the hell you did. The automated obfuscator solves this problem, but because it is using rote transforms (i.e., refactoring) and well-known obfuscation techniques the pirates will go through it like tissue paper.
I wouldn't even be surprised if someone came out with an automated deobfuscator to undo each Sandmark transform.
That said, I would like to reiterate that the Sandmark automated obfuscator is interesting. An article focusing on how that accomplishes its obfuscations (not just how to use the thing) and how it measures code complexity would be very interesting.
Just don't try to say that it's security.
"Obfuscation is a waste of your time and money" -- really? So if you do have some software and want people to register it by purchasing a code or something along those lines, should you take any protection measures at all to protect your algorithm that checks the registration code? I'd have to think that you would. Yeah, people will try and may eventually break it, but that doesn't mean you just raise the white flag. Serious businesses and corporations seem to agree, since they don't give up quite so easily. After all, everyone can't become rich through Google ads. Paying real money for real software eventually comes into play.
Also, keep in mind that "hard" algorithms, if correct, are at least as hard to break as they can be proven to be hard.
"Because you are fighting against the entire Internet. You will lose" -- That's just not a core philosophy I personally embrace for any endeavor. I see it as a defeatist attitude that ultimately leads to failure and pessimism if taken to the extreme. At any rate, I'd rather it take someone some time and frustration to reverse engineer or hack some of my work than to hand it to them on a silver platter.
"With this in mind, your obfuscation presents about as much a barrier to pirating your software as byte-compiling it does" -- If you're already assuming that a patch is out there, then I suppose a Google search does take care of the job in five minutes or less, but I'd defer to my previous points about not just surrendering and raising the white flag.
"I wouldn't even be surprised if someone came out with an automated deobfuscator to undo each Sandmark transform." -- I would be a bit surprised actually. And until someone actually accomplishes this by building a general purpose tool, I think I can remain rather unsurprised.
"Just don't try to say that it's security." I call putting a padlock on a door security even though someone can take a pair of bolt cutters and rip it off... so I think I will have to remain of the opinion that obfuscation is indeed a measure of security. I'm actually the one that's surprised to hear so much of the contrary.
No security is bulletproof, but I still think that a little bit can go a long way, even if there is an internet vehicle that can be used to share the piracy with the rest of the world.
Out of curiosity, what would you think that people should do for "security" rather than shouldn't do? You've said a lot about security, but it's all been "don't do it that way" rather than "here's a specific thing that you should do".