Re: executable obfuscator?
- Subject: Re: executable obfuscator?
- From: Laurence Harris <email@hidden>
- Date: Mon, 11 Dec 2006 13:53:40 -0500

On Dec 11, 2006, at 7:30 AM, Andy O'Meara wrote:

> > I've been following this thread, and it seems reminiscent of
> > premature optimization: a lot of work for an unknown benefit. I
> > don't have any hard statistics to support my beliefs (and I don't
> > know that anyone has hard numbers about revenues lost to hackers),
> > but:
>
> You don't have any hard numbers because if you did, you wouldn't be
> saying this. I'm guessing you also don't sell entertainment
> software that targets the musical/young/teen/hip community for $30--
> it's not like we sell an industrial app. If you did, you wouldn't
> be saying this. When our software checks for updates, we can get
> stats that let us infer a lot of info.
>
> > - I'm not worried about people who hack software so they can use
> > it for free. Those are a tiny percentage of users. A much, much
> > bigger issue is the practice of posting serial numbers they've
> > hacked on the web for anyone and everyone to use. That only
> > requires one person who is able to hack your application and
> > willing to post hacked serial number and then anyone who lacks
> > integrity can use your product for free.
>
> Our software, when it checks for updates, also grabs what we call a
> passive (encrypted) blacklist of SNs that are bad. This way, any
> compromised SNs usually get rejected. Also, this is a passive
> approach, so we're respecting user privacy. Our SNs have the
> user's name baked into them, so when the software starts up, they
> see their name, keeping honest users honest.
>
> > - I'm inclined to believe that the majority of software being used
> > without a valid license does not represent lost revenue. Many
> > people who will use software for free wouldn't use it if they had
> > to pay for it.
>
> This is true in part, but not for everyone--and we have *tons* of
> hard data (that I don't wish to disclose). Do you think we do the
> extra work if our stats didn't support it? When I chat with
> shareware devs that sell to the same community that we do, the ones
> that aren't concerned about piracy are usually the same ones that
> don't have any mechanisms for collecting piracy rates of their
> software. The second that they have something in place, they
> usually become very concerned overnight (this is what happened to
> me years ago).
>
> If you told me that you make your living from selling shareware to
> the community I mentioned above then I'd be more convinced, so
> please Larry--for once--just stop. For once, try listening more
> than lecturing.

Thanks for the insult, but I wasn't lecturing and I think my point
was valid. And since I don't see where you really addressed my main
concerns, they still seem valid. You may be able to determine how
many people are using your software illegally, but how do you
determine how much revenue you actually lose to those people? People
will steal stuff they would never buy if they couldn't steal it.

How does investing a lot of effort in obfuscating parts of your code
help with this problem? It sounds like your main defense hinges on a
feature that allows your application to reject known unauthorized
serial numbers, which as far as I can tell has nothing to do with
obfuscating anything in your code. What does your hard data tell you
that would justify encrypting your localizable strings, for example?

I never suggested that *no* scheme to reduce piracy is effective or
worth the effort, only that I've seen no evidence to suggest that a
lot of time spent obfuscating anything is particularly useful. Nothing
in your message offers any support for obfuscation. Did I miss
something? My point is that if Joe Hacker is going to hack your
software and post working serial numbers on the web for a billion
people to access, what real difference does it make if it took Joe
five minutes, an hour, or an entire day to do it?

Larry