[Tfug] Code obfuscators and watermarking

Bexley Hall bexley401 at yahoo.com
Wed Apr 23 07:38:41 MST 2008


Hi, Jeff,

--- Jeffry Johnston <tfug at kidsquid.com> wrote:

> On Sun, Apr 13, 2008 at 3:06 PM, Bexley Hall
> <bexley401 at yahoo.com> wrote:
> >  Even hardware attempts are silly, nowadays.  You
> >  can de-encapsulate and microprobe a die in many
> >  college labs, etc.
> 
> Well, that's the thing.  If an attacker has access to the hardware,
> the game is of course over again.  Even providing different encryption
> keys on each dongle won't solve that, because once the program is
> loaded into memory, they just save an unencrypted copy and now the
> dongle is no longer necessary.

There are processors in which the encryption is
done at the bus interface (i.e., the image in memory
remains encrypted -- even for *data*/stack/etc).
The solution there is to microprobe the die...

> With physical access, there's nothing you can do.  From my
> understanding though, these dongles have been quite successful at
> combatting software piracy.

The goal in most *practical* attempts at protecting
IP is to make the cost of the counterfeiting, or
the *time* required, sufficient to render the
resulting unoriginal work not marketable.

Note that this only applies to *commercial*
endeavours!  I.e., hobbyists often place little
value on their time so protecting against same
becomes problematic.  And, given the relative
impunity with which those folks can post their
efforts on the 'net, what was once merely an
issue of "Sheesh, Mr Hobbyist... get a life!"
now migrates back into the commercial world.
 
> > > Or... just skip all that and put the GPL on your code.  Much easier
> > > and more satisfying since other hobbyists can use it too.  That's
> > > what I recommend ;)  Companies have been bitten a lot lately by
> > > misusing GPL code, and I think it's having an effect.
> >
> >  I'll let *you* try to convince my clients that
> >  they should "give away" the stuff they've paid
> >  me to develop.  :>  (just keep my name out of it)
> 
> No, that's not my job.. it's yours :)  And you didn't mention you were
> writing this for clients in your original message,

It doesn't matter.  I am very selective about what
*personal* works I make available for public use
as well.  There is nothing that forces an open
software user to adopt the same philosophy about
his own creations!  Just like there is nothing that
forces those users to *give* their labor to their
employers without compensation!  :>

> so in the original context (which seemed like it was code you were
> writing for yourself that you wanted to distribute) my suggestion was
> valid.  But, since you seem against the GPL idea (which is strange on a
> Unix group),

The GPL is a double edged sword.  I avoid GPL'd
code in any products as it puts a burden on the
owner of that code that is often cumbersome.
E.g., I don't distribute Linux based products;
especially when there are other quality open OS's
to choose from.

> here's another idea: Shareware.  Consider the Wolfenstein 3D and Doom
> games by iD software... what, back in the 90's I think?  Not only did
> they give away the game for free, but they provided an entire set of
> playable levels.  Once you played the game, it either wasn't your
> thing, or you were hooked.. and guess what?  You bought a copy so you
> could have the rest of the levels.  Obviously the scheme worked,
> because iD software didn't go bankrupt by giving away software.  In

Different markets.  Try selling a few *thousand*
copies of something (instead of MILLIONS) and
you'll see how the economics changes.  E.g.,
MS can afford to "lose" license fees from pirate
copies of their OS, etc.   OTOH, someone selling
software to *libraries* has a much smaller market.

> fact, it probably guaranteed their continued existence.  The point is
> that if it's a quality piece of software offered at a fair price,

"Fair" is a subjective word.

I am always amazed when people complain that a visit
to their doctor cost them $400 (or whatever).
"Gee, he only saw me for 15 minutes!"

Yeah, but *he* was the only person who billed you
for his time.  Yet, the receptionist still had to
answer the phones while you were there.  The nurse
(or nurse's aide) had to check your weight/BP.
Someone had to pull your records and refile them
when they were done.  Someone had to clean the
building so it was "presentable".  The insurance
has to get paid, lights, heat, etc.

Hmmm... $400 sure sounds "reasonable"/fair in that
context.  :-/  Yet, it never seems that way at
the time!  :>

> people will buy it.  Just offer a free trial or such.. long enough for
> them to start relying on it.  Then when the trial period is over,
> they'll buy a copy because they can't live without it.  Of course this
> also doesn't make sense in the context of a particular vendor.
> 
> If you're writing this code for a single vendor, what's the point of
> all the obfuscation?  Just sell them a license to the source and be

First, obfuscating sources makes reverse engineering
more difficult.  If you have ever reverse engineered
a big piece of software, (especially one that was
written in a HLL) you quickly recognize the
mechanical nature of the compiler and can infer
a *lot* about the actual "commented" source.
An obfuscator can increase the amount of apparent
entropy in the resulting compiled code.

Second, once you deliver source, you lose leverage.
Ever had a client "forget" to make a final payment
on a contract?  :>  With obfuscated sources, you
can legally claim to have *delivered* the source
(per your contract) despite his failure to pay you
for it (presumably, you deliver unobfuscated
sources *after* payment).

> done with it.  They should be demanding that anyways, because if you
> happen to get hit by a bus tomorrow and they need support, even
> unobfuscated it'll be a pain for them to reverse engineer your code..

Some clients do not care about this.  It depends on
the nature of the product and the staff that they
have available (i.e., if they can't maintain the
code without you -- relying on yet another consultant
to do so -- then having the source is often not
important; maintaining someone else's code as a
"new consultant" is often economically impractical --
I, for example, will only do so on a T&M basis
which leaves the client's commitment open-ended...
something they usually don't like  :-/  )

Also, there have been some cases where I want to
retain ownership of the resulting product.  Or,
big chunks of it.  Some clients like the idea
that they got a "discount" on their product
development as long as I am not directly
competing with them by retaining ownership.

> probably cheaper and easier to have someone else rewrite it rather
> than go through all that.
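The message above makes two technical claims about obfuscation: that an obfuscator raises the apparent entropy of what ships, and that obfuscated sources can serve as a contractual deliverable while the readable ones are held back until payment. The following is an added example, not code from this thread or from either author: a hypothetical Python source-level obfuscator that renames every function, parameter and local to a salted-hash identifier and replaces string literals with an expression that rebuilds them at run time, plus a Shannon-entropy helper for comparing the text before and after. `SAMPLE_SOURCE`, `XOR_KEY`, the salt and all function names are constructed for illustration. Note that the email's entropy remark concerns compiled native code; this toy only models the source-level transform.

```python
"""Toy source-level obfuscator (added example, not from the tfug thread).

Renames every function, parameter and local to a salted-hash name and
replaces string literals with an expression that rebuilds them at run
time.  Behaviour is preserved; readable names and strings are not.
"""
import ast
import hashlib
import math
from collections import Counter

# Constructed sample input: a hypothetical license check a client might
# want kept out of plain sight.
SAMPLE_SOURCE = '''
def check_license(serial, customer_id):
    expected = "ACME-" + str(customer_id * 7919 % 100000)
    return serial == expected
'''

XOR_KEY = 0x5A  # arbitrary single-byte key used to hide string literals


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class Obfuscator(ast.NodeTransformer):
    def __init__(self, salt: bytes):
        self.salt = salt
        self.names: dict[str, str] = {}  # original name -> mangled name

    def mangle(self, name: str) -> str:
        """Map a source name to a stable, salt-dependent identifier."""
        if name not in self.names:
            digest = hashlib.sha256(self.salt + name.encode()).hexdigest()
            self.names[name] = "_" + digest[:8]
        return self.names[name]

    def visit_FunctionDef(self, node):
        node.name = self.mangle(node.name)
        for arg in node.args.args:
            arg.arg = self.mangle(arg.arg)
        self.generic_visit(node)
        return node

    def visit_Name(self, node):
        # Only names this module defines are renamed; builtins such as
        # str() are never registered and therefore stay readable.
        if node.id in self.names:
            node.id = self.names[node.id]
        return node

    def visit_JoinedStr(self, node):
        return node  # f-string pieces cannot be swapped for calls; leave them

    def visit_Constant(self, node):
        # Replace "text" with "".join(chr(c ^ KEY) for c in [...]) so the
        # literal is absent from the shipped source and rebuilt at run time.
        if isinstance(node.value, str):
            encoded = [ord(ch) ^ XOR_KEY for ch in node.value]
            expr = f'"".join(chr(c ^ {XOR_KEY}) for c in {encoded})'
            return ast.parse(expr, mode="eval").body
        return node


def obfuscate(source: str, salt: bytes = b"constructed-salt") -> tuple[str, dict]:
    """Return (obfuscated source, original->mangled name map)."""
    tree = ast.parse(source)
    obf = Obfuscator(salt)
    # Pre-pass: register every defined name so a load that textually
    # precedes its store (e.g. inside a loop) is renamed consistently.
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            obf.mangle(node.name)
            for arg in node.args.args:
                obf.mangle(arg.arg)
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            obf.mangle(node.id)
    tree = ast.fix_missing_locations(obf.visit(tree))
    return ast.unparse(tree), dict(obf.names)


def call_function(source: str, func_name: str, *args):
    """Exec a module's source in a fresh namespace and call one function."""
    namespace: dict = {}
    exec(compile(source, "<module>", "exec"), namespace)
    return namespace[func_name](*args)


def entropy_before_after(source: str) -> tuple[float, float]:
    """Entropy of the readable source text versus its obfuscated form."""
    obf_src, _ = obfuscate(source)
    return shannon_entropy(source.encode()), shannon_entropy(obf_src.encode())


if __name__ == "__main__":
    obf_src, names = obfuscate(SAMPLE_SOURCE)
    print(obf_src)
    print("name map:", names)
    print("entropy before/after: %.2f / %.2f" % entropy_before_after(SAMPLE_SOURCE))
    print(call_function(obf_src, names["check_license"], "ACME-32598", 42))
```

The name map is the part you keep: with it the deliverable is a mechanical transform of the real sources, so the readable version can be produced on demand after payment. The caveat the thread itself raises still applies: anyone who can run the code can recover the hidden strings, because the decoder executes at load time, just as a dumped process image defeats an encrypting dongle.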