Protect Your Source Code: Obfuscation 101
Subject:   You are teaching people to throw away their money.
Date:   2005-04-13 15:08:05
From:   ptwobrussell
Response to: You are teaching people to throw away their money.

Some thoughts on your response (BTW, this is interesting):

"Obfuscation is a waste of your time and money" -- really? So if you do have some software and want people to register it by purchasing a code or something along those lines, should you take any protection measures at all to protect your algorithm that checks the registration code? I'd have to think that you would. Yeah, people will try and may eventually break it, but that doesn't mean you just raise the white flag. Serious businesses and corporations seem to agree since they don't give up quite so easily. After all, everyone can't become rich through Google ads. Paying real money for real software eventually comes into play.

Also, keep in mind that "hard" algorithms, if correct, are at least as hard to break as they can be proven to be hard.

"Because you are fighting against the entire Internet. You will lose" -- That's just not a core philosophy I personally embrace for any endeavor. I see it as a defeatist attitude that ultimately leads to failure and pessimism if taken to the extreme. At any rate, I'd rather it take someone some time and frustration to reverse engineer or hack some of my work than to hand it to them on a silver platter.

"With this in mind, your obfuscation presents about as much a barrier to pirating your software as byte-compiling it does" -- If you're already assuming that a patch is out there, then I suppose a Google search does take care of the job in five minutes or less, but I'd defer to my previous points about not just surrendering and raising the white flag.

"I wouldn't even be surprised if someone came out with an automated deobfuscator to undo each Sandmark transform." -- I would be a bit surprised actually. And until someone actually accomplishes this by building a general-purpose tool, I think I can remain rather unsurprised.

"Just don't try to say that it's security." -- I call putting a padlock on a door security even though someone can take a pair of bolt cutters and rip it. I think I will have to remain of the opinion that obfuscation is indeed a measure of security. I'm actually the one that's surprised to hear so much of the contrary.

No security is bulletproof, but I still think that a little bit can go a long way, even if there is an internet vehicle that can be used to share the piracy with the rest of the world.

Out of curiosity, what would you think that people should do for "security" rather than shouldn't do? You've said a lot about security, but it's all been "don't do it that way" rather than "here's a specific thing that you should do".