Torben said:
Jon,
You are 100% right, and I have been thinking about this for some time.
I have a lot of contact with my customers and they are all very big
companies so piracy is a minor problem.
However, the know-how inside the code must be protected since what I
implement is public but how to implement it is the big secret.
It can't be that important of a secret if you can afford to publish
software that implements it.
Let me first point out that obfuscation or other copy protection
techniques are not necessary in order for you to properly protect your
secret. That is, yes...someone could theoretically duplicate your
implementation (they can no matter what...see below), but whether you
make it difficult or not, you always have legal recourse against
copyright violators. And assuming this is the sort of niche market it
seems to be, it seems unlikely that your implementation could gain any
sort of wide use that might be damaging to your business without you
finding out about it.
For the same reason that piracy isn't a major problem for you, so too
should it not be a problem for your implementation details to be
discoverable. Besides, you can't keep your implementation secret unless
you don't allow anyone else to use software that incorporates that
implementation.
Which brings me to the rest of my post...
There have been a number of threads here and in other .NET newsgroups on
the subject, so I won't bother with all of the details. The bottom line
here is that if you have something that is actually worth investing a
lot of time, money, and effort into protecting, then it's worth a
hacker's time, money, and effort to undo whatever protection you have
put into place.
The #1 rule of computer security is that if the attacker has access,
your security WILL be broken. You cannot give someone software that
runs without there being some way for the person to decipher what that
software does.
Yes, you can make it hard. But you can't make it impossible. And since
the degree of protection you're likely to put on is going to be
proportional to the importance of protecting the code, the more
protection you put on the code, the more likely it is that someone will
want to break the protection and will bypass whatever you do.
In other words, no matter what level of protection you put on the code,
either you've put on not enough or just enough, in which case it will be
broken, or you've put on too much, in which case you've wasted a lot of
resources better applied somewhere else.
It is a logical impossibility that there is some appropriate amount of
resources to apply to the problem.
And please pay very close attention to Jon's admonishment about the
potential unforeseen costs of obfuscation and other techniques. In
addition to those direct costs he mentions, consider also the effect the
protection will have on the end user. Simpler means of protection don't
do much (so why bother?) and more complicated means of protection often
involve techniques that can interfere with legitimate clients' use of
the software (while hackers who have, predictably, bypassed the
protection are not hindered in any such way).
I know, I said I wouldn't bother with all the details. Trust me, this
isn't nearly ALL the details.
But simply as a regular user of
computers and consumer electronics, I run into problems related to
attempts at copy protection practically once a month, and it's always
frustrating.
Whether it's Windows or Office complaining that I've changed my
hardware, or me not being able to easily repair a hardware problem with
my Tivo, or some music that I bought legally not being playable any more
because of some bug or oversight with respect to the DRM, I am
consistently impeded by mechanisms that are doing exactly the opposite
of what they were meant to do. They prevent me, the legal customer,
from using the product while the people who are using the product
illegally are not affected because part of their theft of the product
involves disabling or otherwise bypassing these protections.
Pete