Poor company - do we need an obfuscator?
-
I'm a member of a small (3 men) company, developing a new .NET app "from garage". This app took over two years of development and now it's time to release it. But the last question before releasing the final version is: Do we need more code protection? How should the answer sound?
1) Yes - we have to buy some VERY EXPENSIVE code protector, like Xheo or Salamander. -gulp- But we can't buy such a product without profit from the first release - a problem.
2) No - we can release all the MSIL code and not care about "bad boys".
3) No - we can even publish some source code (even if the application is commercial). There are still "good boys" who tell us where the security bugs in our code are.
Which answer is right?
-
Depends on what the app does, and how wide its market is. If I was, for example, about to release Microsoft Office, I'd want to obfuscate. We do a product into a niche market, which is not very technical, we don't bother to obfuscate it.
Christian Graus - Microsoft MVP - C++
-
ltinka wrote:
No - we can even publish some source code (even if the application is commercial). There are still "good boys" who tell us where the security bugs in our code are.
An obfuscator can hide bad code. Make sure your code is public-ready before selling it, else you might land up on the dailywtf.com :)
xacc.ide-0.1 released! Download and screenshots
-
Thanks for your reply. Well, it's an imaging app aimed at digital photography. The market we want to enter is quite small, but we don't know if there is something to be afraid of.
-
Imaging application implies you might have some algorithmic stuff in there, the workings of which you'd like to keep to yourself. I would if it were a commercial venture anyway. It's a bit of a nightmare really, because it really is so simple to pull apart a .NET assembly and leech its contents. If you haven't done so already, take a look at Lutz Roeder's .Net Reflector (http://www.aisto.com/roeder/dotnet/) as a means to reconstruct your source - it's depressingly easy. I don't see the need to protect the general framework of an application - anyone can recreate this, but the algorithmics I see a bit differently - have you considered providing these in non-managed code?
Regards, Rob Philpott.
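What the post above refers to, as an added example that is not part of the original thread: a C# program that reflects over its own compiled assembly and lists what ships in its metadata. `SharpenFilter`, `SecretGain` and `ApplyKernel` are hypothetical stand-ins for a proprietary imaging routine, and the constant is a constructed value.

```csharp
using System;
using System.Linq;
using System.Reflection;

// Hypothetical stand-in for a proprietary routine (not from the thread).
internal static class SharpenFilter
{
    private const double SecretGain = 1.75; // constructed value

    private static double ApplyKernel(double pixel, double neighbourMean)
    {
        return pixel + SecretGain * (pixel - neighbourMean);
    }
}

public static class ExposureAudit
{
    public static void Main()
    {
        // Include private and static members: visibility modifiers do not
        // remove anything from the assembly's metadata.
        const BindingFlags all = BindingFlags.Public | BindingFlags.NonPublic |
                                 BindingFlags.Static | BindingFlags.Instance |
                                 BindingFlags.DeclaredOnly;

        foreach (Type type in Assembly.GetExecutingAssembly().GetTypes())
        {
            Console.WriteLine("type   {0}", type.FullName);

            foreach (FieldInfo f in type.GetFields(all))
            {
                // Compile-time constants are stored with their value.
                string value = f.IsLiteral ? " = " + f.GetRawConstantValue() : "";
                Console.WriteLine("  field  {0} {1}{2}", f.FieldType.Name, f.Name, value);
            }

            foreach (MethodInfo m in type.GetMethods(all))
            {
                // The IL body is the input a decompiler turns back into source.
                MethodBody body = m.GetMethodBody();
                int ilBytes = body == null ? 0 : body.GetILAsByteArray().Length;
                string args = string.Join(", ",
                    m.GetParameters().Select(p => p.ParameterType.Name + " " + p.Name));
                Console.WriteLine("  method {0} {1}({2})  IL bytes: {3}",
                                  m.ReturnType.Name, m.Name, args, ilBytes);
            }
        }
    }
}
```

The private class, the constant's name and value, the parameter names and the IL of each method are all present in the compiled assembly; running the same listing on a build that has been through an obfuscator shows which of these it actually changed.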
-
Rob Philpott wrote:
have you considered providing these in non-managed code?
For speed and security :)
xacc.ide-0.1 released! Download and screenshots