What is ClickOne?

Hello Tee,

We use ClickOnce on one of our applications. The way we did it is to use
the MageUI tool and place manifests on our web server.

To clarify, I just compile my C# application as usual. Then I go into the
BIN\Release folder and gather the exe and any extra .dll's that are needed
and place them into a folder on our release computer. We then run MageUI and
create a couple of manifests (Application Manifest, then Deployment Manifest)
and place the entire folder out in a specified web directory.

The full explanation is rather long and there is online help for these
specific steps.

The skinny of it is that you do not have to use and installer -- just MageUI
to create and sign your manifests. Oh, and you might want to consider
Obfusticating your exe file if you don't want people to be able to decompile
it :~}

Hope this helps a little bit.

Rob

"Tee" wrote:

Hi,

Just curious what is clickone? Is it the same as Installshield?

Been follow the following instructions and it seems to create an
installation exe for me which is good but how come it doesn't include the
..net framework as part of the installation exe too? if i was giving this exe
to a friend or a client i am sure they can't run the application after the
installed. If the clickone is the same as installshield how do i go about
to include the .net framework as part of the installation exe.

http://msdn2.microsoft.com/en-us/lib...ey(VS.80).aspx

Thanks

Hi Rob,

does MageUI handle the distribution of .NET framework the reason because my
application use quite a bit of .net components. Really deep down what i
really want is tell the installer

1. here is my .net project (solutions *.sln)
2. find all references dll and ocx
3. only include .net component that my app use with the installation exe
4. build a single installation exe
5. done.

Is there any technology out there.

PS. Obfusticating thing is a bit too expensive for me right now
"RobKinney1" <Ro********@discussions.microsoft.comwrote in message
news:2F**********************************@microsof t.com...

Hello Tee,

We use ClickOnce on one of our applications. The way we did it is to use
the MageUI tool and place manifests on our web server.

To clarify, I just compile my C# application as usual. Then I go into the
BIN\Release folder and gather the exe and any extra .dll's that are needed
and place them into a folder on our release computer. We then run MageUI
and
create a couple of manifests (Application Manifest, then Deployment
Manifest)
and place the entire folder out in a specified web directory.

The full explanation is rather long and there is online help for these
specific steps.

The skinny of it is that you do not have to use and installer -- just
MageUI
to create and sign your manifests. Oh, and you might want to consider
Obfusticating your exe file if you don't want people to be able to
decompile
it :~}

Hope this helps a little bit.

Rob

"Tee" wrote:

>Hi,

Just curious what is clickone? Is it the same as Installshield?

Been follow the following instructions and it seems to create an
installation exe for me which is good but how come it doesn't include the
..net framework as part of the installation exe too? if i was giving this
exe
to a friend or a client i am sure they can't run the application after
the
installed. If the clickone is the same as installshield how do i go
about
to include the .net framework as part of the installation exe.

http://msdn2.microsoft.com/en-us/lib...ey(VS.80).aspx

Thanks

On Jan 31, 5:58 pm, "Tee" <khmer_lov...@yahoo.comwrote:

Hi Rob,

does MageUI handle the distribution of .NET framework the reason because my
application use quite a bit of .net components. Really deep down what i
really want is tell the installer

1. here is my .net project (solutions *.sln)
2. find all references dll and ocx
3. only include .net component that my app use with the installation exe
4. build a single installation exe
5. done.

Keep in mind that the .NET Framework is installed on all Windows
machines worldwide as part of Microsoft's upgrades / hotfixes on the
Web. Very, very few machines will not have the Framework installed.
It's pretty safe to assume that it's on your target machine, although
it may not be safe to assume that version 2.0 is there (the machine
might still be on 1.1.)

In order to use ClickOnce, you need an IIS server. ClickOnce is
basically a Web service that allows you to install your application
automatically when the user clicks on a link on a Web page (for
example), and check for upgrades every time the application runs. You
do, however, require an IIS server in order to handle the requests.

Is there any technology out there.

Yes, there are products that will bundle your .NET app together with
selected Framework components into a single .exe for distribution. The
names escape me at the moment. However, realize that this is probably
overkill: as I said, it will be very, very rare to encounter a Windows
PC that doesn't have at least Framework 1.1 already on it.

If you have Visual Studio, you might find it easier to simply create a
Deployment project in VS. It will package all of your code into
an .msm file that will automatically extract itself and install on a
target machine. I believe that you can also instruct VS to include the
Framework itself as part of the install although, as I said, I
consider that overkill.

PS. Obfusticating thing is a bit too expensive for me right now

I believe that there are free obfuscators out there... anyone else
know of one?

Hi,

Bruce Wood wrote:

On Jan 31, 5:58 pm, "Tee" <khmer_lov...@yahoo.comwrote:

>Hi Rob,

does MageUI handle the distribution of .NET framework the reason because my
application use quite a bit of .net components. Really deep down what i
really want is tell the installer

1. here is my .net project (solutions *.sln)
2. find all references dll and ocx
3. only include .net component that my app use with the installation exe
4. build a single installation exe
5. done.

Keep in mind that the .NET Framework is installed on all Windows
machines worldwide as part of Microsoft's upgrades / hotfixes on the
Web. Very, very few machines will not have the Framework installed.
It's pretty safe to assume that it's on your target machine, although
it may not be safe to assume that version 2.0 is there (the machine
might still be on 1.1.)

ClickOnce allows to define prerequisites. The easiest way to create a
ClickOnce install file is to use Visual Studio "Publish" menu (under
"Build"). You can configure it using the project properties (Tab
"Publish", then "Prerequisites".

This way is nice, because the prerequisites are not added to your own
installation package, but if they are missing, they can be downloaded
from the vendor (i.e. Microsoft for the .NET runtime).

ClickOnce has disadvantages over MSI: This is a per-user installation
(not per machine), and also you don't have access to the registry,
etc... IMHO it's not intended as a replacement for MSI, rather a
complement for small application.

In order to use ClickOnce, you need an IIS server. ClickOnce is
basically a Web service that allows you to install your application
automatically when the user clicks on a link on a Web page (for
example), and check for upgrades every time the application runs. You
do, however, require an IIS server in order to handle the requests.

>Is there any technology out there.

Yes, there are products that will bundle your .NET app together with
selected Framework components into a single .exe for distribution. The
names escape me at the moment. However, realize that this is probably
overkill: as I said, it will be very, very rare to encounter a Windows
PC that doesn't have at least Framework 1.1 already on it.

One product I know of is this one:
https://thinstall.com/solutions/net_virtual.php

However I never tried it (as you said, one can accept that the runtime
is available, period) and it's very expensive (around 5000 USD + 39USD
per client).

If you have Visual Studio, you might find it easier to simply create a
Deployment project in VS. It will package all of your code into
an .msm file that will automatically extract itself and install on a
target machine. I believe that you can also instruct VS to include the
Framework itself as part of the install although, as I said, I
consider that overkill.

>PS. Obfusticating thing is a bit too expensive for me right now

I believe that there are free obfuscators out there... anyone else
know of one?

Dotfuscator community edition comes with Visual Studio .NET 2005. That
said, the value of obfuscating code is really questionable IMHO. If
someone wants to steal your code, they will be able to do it
(obfuscating will make the process slower, but it will not prevent it).
For most developers, I believe that openly publishing the source code is
the best way to go. I am fully aware of the problems that this poses for
a commercial company, though. I don't think that there is a satisfying
answer to this problem.

HTH,
Laurent
--
Laurent Bugnion [MVP ASP.NET]
Software engineering: http://www.galasoft-LB.ch
PhotoAlbum: http://www.galasoft-LB.ch/pictures
Support children in Calcutta: http://www.calcutta-espoir.ch

"For most developers, I believe that openly publishing the source code is
the best way to go"

I think this is absurd! A comparison is, why bother locking your house when
you go out? If they want to get in they will, why bother locking your car?
They'll just smash a window and so on. Just because they can and undoubtebly
would succeed if they really wanted to, making it harder lowers the chance
of your code being ripped. If you have to spend hours, days, weekes maybe to
crack code how many will truly bother if the end result is they can make
their own hacked version of say msn? On top of this obfuscating the code
itself and having obfuscated variable names and method names etc, really
will make deciphering the code a huge pain. Many may just give up in a very
complex app. To say just make it open source is rediculous.

I should also add:

"You can configure it using the project properties (Tab
"Publish", then "Prerequisites".

This way is nice, because the prerequisites are not added to your own
installation package, but if they are missing, they can be downloaded
from the vendor (i.e. Microsoft for the .NET runtime)."

This way is nice if you only have one prerequisite, but what about when you
have 2,3,4 etc prerequisites? Not so nice now is it. Your user has to click
one, then the next then the next etc. What woul dbe nice would be if you
could assign prerequisites BUT ClickOnce check user machine for the
prerequisite, if they dont have it, it installs them from vendor site or
some other location until all are in and then runs as usual. Benefit of
multiple install packs so not one big one for users that have pre-req, and
it would be smart. This is my biggest gripe with Click once.

Hi,

PokerMan wrote:

"For most developers, I believe that openly publishing the source code is
the best way to go"

I think this is absurd! A comparison is, why bother locking your house when
you go out?

I stand by my point, which was: .NET is an open house anyway.
Obfuscators are not efficient enough to protect code. If it's OK for
you, then you do have my blessing :-)

If they want to get in they will, why bother locking your car?

They'll just smash a window and so on. Just because they can and undoubtebly
would succeed if they really wanted to, making it harder lowers the chance
of your code being ripped. If you have to spend hours, days, weekes maybe to
crack code how many will truly bother if the end result is they can make
their own hacked version of say msn? On top of this obfuscating the code
itself and having obfuscated variable names and method names etc, really
will make deciphering the code a huge pain.

Not so much. What has been obfuscated can be de-obfuscated. There are
deobfuscatores out there. My opinion after careful consideration is that
obfuscating the code only makes hackers want to crack it even more.

Many may just give up in a very
complex app. To say just make it open source is rediculous.

You're entitled to your opinions as I am to mine. Saying it's ridiculous
is a bit extreme, don't you think?

HTH,
Laurent
--
Laurent Bugnion [MVP ASP.NET]
Software engineering: http://www.galasoft-LB.ch
PhotoAlbum: http://www.galasoft-LB.ch/pictures
Support children in Calcutta: http://www.calcutta-espoir.ch

Hi,

PokerMan wrote:

I should also add:

"You can configure it using the project properties (Tab
"Publish", then "Prerequisites".

This way is nice, because the prerequisites are not added to your own
installation package, but if they are missing, they can be downloaded
from the vendor (i.e. Microsoft for the .NET runtime)."

This way is nice if you only have one prerequisite, but what about when you
have 2,3,4 etc prerequisites? Not so nice now is it. Your user has to click
one, then the next then the next etc. What woul dbe nice would be if you
could assign prerequisites BUT ClickOnce check user machine for the
prerequisite, if they dont have it, it installs them from vendor site or
some other location until all are in and then runs as usual.

I am sorry, I reread this sentence 5 times and still don't understand
what you mean. Maybe you should reformulate.

Benefit of

multiple install packs so not one big one for users that have pre-req, and
it would be smart. This is my biggest gripe with Click once.

Greetings,
Laurent
--
Laurent Bugnion [MVP ASP.NET]
Software engineering: http://www.galasoft-LB.ch
PhotoAlbum: http://www.galasoft-LB.ch/pictures
Support children in Calcutta: http://www.calcutta-espoir.ch

What don't you understand? I'll simplify it for ya ;)

as it stands click once does this:

1) offers a link to vendor site of pre-requisite if user needs it
2) user clicks link, downloads requirement
3) user installs programme via click once

So what if you have, 2,3,4 or more prerequisites, then this happens

1) click once offers lots of links to pre-requisites
2) user clicks first and installs
3) now user clicks next one and installs
4) now user clicks yet another one and installs and so on
5) not clicks click once and install the app

Theoretically there is nothing wrong with that. Unfortunately it doesn't
take into account peoples expectation to want a one click install and second
people get impatient. So unless click once is being used for a company on
their employees where a sys admin does the initial install or they are sent
specific instructions and have to download so will do the steps it becomes a
hurdle. As regular users cant be bothered to download. There is more chance
of a member of public downloading a 100MB file walking off and having his
tea than clicking 3 downloads to get one programme. They simply don't
bother.

So my final point was click one woul dbe better if it did this:

1) User clicks install (no other options given)
2) Click once has been told the pre-requisites and now checks them on client
machine
3) If the client doesnt have a pre-req, click once instatiates the download
from vendor site
4) Once all pre-reqs done, it installs the app itself as it would usually

So client only sees one install button.

Make sense now?

"Laurent Bugnion [MVP]" <ga*********@bluewin.chwrote in message
news:Oj**************@TK2MSFTNGP02.phx.gbl...

Hi,

PokerMan wrote:

>I should also add:

"You can configure it using the project properties (Tab
"Publish", then "Prerequisites".

This way is nice, because the prerequisites are not added to your own
installation package, but if they are missing, they can be downloaded
from the vendor (i.e. Microsoft for the .NET runtime)."

This way is nice if you only have one prerequisite, but what about when
you have 2,3,4 etc prerequisites? Not so nice now is it. Your user has to
click one, then the next then the next etc. What woul dbe nice would be
if you could assign prerequisites BUT ClickOnce check user machine for
the prerequisite, if they dont have it, it installs them from vendor site
or some other location until all are in and then runs as usual.

I am sorry, I reread this sentence 5 times and still don't understand what
you mean. Maybe you should reformulate.

Benefit of

>multiple install packs so not one big one for users that have pre-req,
and it would be smart. This is my biggest gripe with Click once.

Greetings,
Laurent
--
Laurent Bugnion [MVP ASP.NET]
Software engineering: http://www.galasoft-LB.ch
PhotoAlbum: http://www.galasoft-LB.ch/pictures
Support children in Calcutta: http://www.calcutta-espoir.ch

I didnt mean offence but people come on these newgroups to ask advice from
people in the know. In my HO advising open source is not right and should
never be advised to anybody.

As i said before its about making it harder for the hackers so they have to
spend more time than its worth. No security is inpenetrable, its just made
hard enough to match the reward.

I agree with ppl that advise to protect their code, how they can do it but
also mention that it can always be cracked so take precautions. I just
cannot agree with anyone who says, why bother they'll crack it anyway just
make it open source.

If we all had your attitude the industry would perish.

"Laurent Bugnion [MVP]" <ga*********@bluewin.chwrote in message
news:ej**************@TK2MSFTNGP02.phx.gbl...

Hi,

PokerMan wrote:

>"For most developers, I believe that openly publishing the source code is
the best way to go"

I think this is absurd! A comparison is, why bother locking your house
when you go out?

I stand by my point, which was: .NET is an open house anyway. Obfuscators
are not efficient enough to protect code. If it's OK for you, then you do
have my blessing :-)

If they want to get in they will, why bother locking your car?

>They'll just smash a window and so on. Just because they can and
undoubtebly would succeed if they really wanted to, making it harder
lowers the chance of your code being ripped. If you have to spend hours,
days, weekes maybe to crack code how many will truly bother if the end
result is they can make their own hacked version of say msn? On top of
this obfuscating the code itself and having obfuscated variable names and
method names etc, really will make deciphering the code a huge pain.

Not so much. What has been obfuscated can be de-obfuscated. There are
deobfuscatores out there. My opinion after careful consideration is that
obfuscating the code only makes hackers want to crack it even more.

>Many may just give up in a very complex app. To say just make it open
source is rediculous.

You're entitled to your opinions as I am to mine. Saying it's ridiculous
is a bit extreme, don't you think?

HTH,
Laurent
--
Laurent Bugnion [MVP ASP.NET]
Software engineering: http://www.galasoft-LB.ch
PhotoAlbum: http://www.galasoft-LB.ch/pictures
Support children in Calcutta: http://www.calcutta-espoir.ch

As i said before its about making it harder for the hackers so they have to

spend more time than its worth. No security is inpenetrable, its just made
hard enough to match the reward.

I agree completely with you, if a hacker is going to rip apart my
program, I at least want to make his job as hard as possible!

I think we all know and accept that there are always people who can
break into anything - be it our house, car, or programs. Personally, I
don't worry about those people, I worry about the other ones. If
locking my door stops a drunk from wandering into my house and
stealing my TV, then I consider it worth all the effort. Likewise, if
obfuscating my programs stops them from being ripped off by the
average Joe, then it was worth all the effort.

As far as the open source / not open source argument goes, I'm
somewhere in the middle. I believe that most large, complete programs
should be kept private, and not shared with the public, or at least
not immediately. I also feel that many individual components, like the
ones you'll find on codeproject.com, should be published for
everyone's benefit.

Just my opinions though...

Thanks,

Seth Rowe
On Feb 2, 8:08 am, "PokerMan" <nos...@pokercat.co.ukwrote:

I didnt mean offence but people come on these newgroups to ask advice from
people in the know. In my HO advising open source is not right and should
never be advised to anybody.

As i said before its about making it harder for the hackers so they have to
spend more time than its worth. No security is inpenetrable, its just made
hard enough to match the reward.

I agree with ppl that advise to protect their code, how they can do it but
also mention that it can always be cracked so take precautions. I just
cannot agree with anyone who says, why bother they'll crack it anyway just
make it open source.

If we all had your attitude the industry would perish.

"Laurent Bugnion [MVP]" <galasoft...@bluewin.chwrote in messagenews:ej**************@TK2MSFTNGP02.phx.gbl. ..

Hi,

PokerMan wrote:

"For most developers, I believe that openly publishing the source code is
the best way to go"

I think this is absurd! A comparison is, why bother locking your house
when you go out?

I stand by my point, which was: .NET is an open house anyway. Obfuscators
are not efficient enough to protect code. If it's OK for you, then you do
have my blessing :-)

If they want to get in they will, why bother locking your car?

They'll just smash a window and so on. Just because they can and
undoubtebly would succeed if they really wanted to, making it harder
lowers the chance of your code being ripped. If you have to spend hours,
days, weekes maybe to crack code how many will truly bother if the end
result is they can make their own hacked version of say msn? On top of
this obfuscating the code itself and having obfuscated variable names and
method names etc, really will make deciphering the code a huge pain.

Not so much. What has been obfuscated can be de-obfuscated. There are
deobfuscatores out there. My opinion after careful consideration is that
obfuscating the code only makes hackers want to crack it even more.

Many may just give up in a very complex app. To say just make it open
source is rediculous.

You're entitled to your opinions as I am to mine. Saying it's ridiculous
is a bit extreme, don't you think?

HTH,
Laurent
--
Laurent Bugnion [MVP ASP.NET]
Software engineering:http://www.galasoft-LB.ch
PhotoAlbum:http://www.galasoft-LB.ch/pictures
Support children in Calcutta:http://www.calcutta-espoir.ch

Glad you agree. And yes, i dont mean to come across as an open source hater.

Open source samples really help others to improve their code and learn from
mistakes without it the programming world would progress far slower i feel.
My concern is the subject matter here, on the security front. Its the
authors choice if they want to spend hours on some code and then freely give
it away.

My personal view is i appreciate open source code and thank those that do
it. But for me, i went to univeristy and worked hard to get qualified and i
spend every day staying on top of the ever changing coding world and as
harsh as it sounds, i didn't do all that just so i could give it away for
someone else to benefit from lol. (Though i do like helping people on
forums)

It's the reason the guy that invented DOS sits in some crummy flat while
Bill Gates made billions.
"rowe_newsgroups" <ro********@yahoo.comwrote in message
news:11**********************@h3g2000cwc.googlegro ups.com...

>As i said before its about making it harder for the hackers so they have
to
spend more time than its worth. No security is inpenetrable, its just
made
hard enough to match the reward.

I agree completely with you, if a hacker is going to rip apart my
program, I at least want to make his job as hard as possible!

I think we all know and accept that there are always people who can
break into anything - be it our house, car, or programs. Personally, I
don't worry about those people, I worry about the other ones. If
locking my door stops a drunk from wandering into my house and
stealing my TV, then I consider it worth all the effort. Likewise, if
obfuscating my programs stops them from being ripped off by the
average Joe, then it was worth all the effort.

As far as the open source / not open source argument goes, I'm
somewhere in the middle. I believe that most large, complete programs
should be kept private, and not shared with the public, or at least
not immediately. I also feel that many individual components, like the
ones you'll find on codeproject.com, should be published for
everyone's benefit.

Just my opinions though...

Thanks,

Seth Rowe
On Feb 2, 8:08 am, "PokerMan" <nos...@pokercat.co.ukwrote:

>I didnt mean offence but people come on these newgroups to ask advice
from
people in the know. In my HO advising open source is not right and should
never be advised to anybody.

As i said before its about making it harder for the hackers so they have
to
spend more time than its worth. No security is inpenetrable, its just
made
hard enough to match the reward.

I agree with ppl that advise to protect their code, how they can do it
but
also mention that it can always be cracked so take precautions. I just
cannot agree with anyone who says, why bother they'll crack it anyway
just
make it open source.

If we all had your attitude the industry would perish.

"Laurent Bugnion [MVP]" <galasoft...@bluewin.chwrote in
messagenews:ej**************@TK2MSFTNGP02.phx.gbl ...

Hi,

PokerMan wrote:
"For most developers, I believe that openly publishing the source code
is
the best way to go"

>I think this is absurd! A comparison is, why bother locking your house
when you go out?

I stand by my point, which was: .NET is an open house anyway.
Obfuscators
are not efficient enough to protect code. If it's OK for you, then you
do
have my blessing :-)

If they want to get in they will, why bother locking your car?
They'll just smash a window and so on. Just because they can and
undoubtebly would succeed if they really wanted to, making it harder
lowers the chance of your code being ripped. If you have to spend
hours,
days, weekes maybe to crack code how many will truly bother if the end
result is they can make their own hacked version of say msn? On top of
this obfuscating the code itself and having obfuscated variable names
and
method names etc, really will make deciphering the code a huge pain.

Not so much. What has been obfuscated can be de-obfuscated. There are
deobfuscatores out there. My opinion after careful consideration is
that
obfuscating the code only makes hackers want to crack it even more.

>Many may just give up in a very complex app. To say just make it open
source is rediculous.

You're entitled to your opinions as I am to mine. Saying it's
ridiculous
is a bit extreme, don't you think?

HTH,
Laurent
--
Laurent Bugnion [MVP ASP.NET]
Software engineering:http://www.galasoft-LB.ch
PhotoAlbum:http://www.galasoft-LB.ch/pictures
Support children in Calcutta:http://www.calcutta-espoir.ch

Hi,

PokerMan wrote:

Glad you agree. And yes, i dont mean to come across as an open source hater.

You come across as someone who appreciates taking open source code, but
not giving ;-) It's OK, not everyone's a giver. No worries. (that was
tongue in cheek, don't be offensed ;-)

Open source samples really help others to improve their code and learn from
mistakes without it the programming world would progress far slower i feel.
My concern is the subject matter here, on the security front. Its the
authors choice if they want to spend hours on some code and then freely give
it away.

FWIW, I work for a very big firm. Bigger than most. Our last web
application was developed in ASP.NET 1.1. When we had to decide if we
wanted to obfuscate it or not, we took the *informed* decision that it
was simply not worth it.

I understand the concern. I am also not a die-hard advocate of open
source. Honestly, I see the problems caused by open source philosophy
every day. The most obvious example is NDoc, you probably heard about
the story (if not, google it). My point (and I stand by it) is: You
simply cannot protect .NET code. You can regret it, but it's a fact. You
can make it harder to read, but then I find a beautifier which makes it
again exactly like it was before. The fact that the assemblies are not
machine code anymore, but IL poses the same problem that was posed to
the Java and to the JavaScript community. I can only repeat: Yes it may
be regrettable, but it's a mere fact. Obfuscating doesn't protect source
code efficiently enough that it's worth the time.

My personal view is i appreciate open source code and thank those that do
it. But for me, i went to univeristy and worked hard to get qualified and i
spend every day staying on top of the ever changing coding world

Oh, then I understand our difference of view. See, me I learned coding
in a farm, and I didn't work hard at all.

and as
harsh as it sounds, i didn't do all that just so i could give it away for
someone else to benefit from lol. (Though i do like helping people on
forums)

It's the reason the guy that invented DOS sits in some crummy flat while
Bill Gates made billions.

Greetings,
Laurent
--
Laurent Bugnion [MVP ASP.NET]
Software engineering: http://www.galasoft-LB.ch
PhotoAlbum: http://www.galasoft-LB.ch/pictures
Support children in Calcutta: http://www.calcutta-espoir.ch

In reply:

>You come across as someone who appreciates taking open source code, but not
giving ;-) It's OK, not everyone's a giver. No worries. (that was tongue in
cheek, don't be offensed ;-)

lol, my last sentence did say i post on these forums to help ppl with their
issues. Open source is the reason script kiddies exist and some morons i
meet act like they can code cause they edited some open source work. I don't
use any open source apps like oscommerce for example.

Oh, then I understand our difference of view. See, me I learned coding in
a farm, and I didn't work hard at all.

'nuff said ;)

As for the rest you still miss the point. Neither I nor the poster who
agreed with me ever said obfuscating makes it impossible. Did you not read
the analogy of the car? It's about making it harder. I am coding a
client/server app that requires high secuirty, i do use .net. Due to the
problem with .net being easily opened up i have to put in tonnes of
rechecking server side. Basically i am writing my server to handle a fully
hacked client and always do as it should. Am i going to obfuscate, of
course i am. Anything else that makes it harder even if it only adds an hour
on to the hackers time, i'll do it.

This thread is about click once, which is comes back in now as we have gone
very much off subject with this. But click once installs to an obfuscated
location. Microsoft seem to think it's worth it, is your company bigger than
that?

Thanks ;)
"Laurent Bugnion [MVP]" <ga*********@bluewin.chwrote in message
news:Oq****************@TK2MSFTNGP05.phx.gbl...

Hi,

PokerMan wrote:

>Glad you agree. And yes, i dont mean to come across as an open source
hater.

You come across as someone who appreciates taking open source code, but
not giving ;-) It's OK, not everyone's a giver. No worries. (that was
tongue in cheek, don't be offensed ;-)

>Open source samples really help others to improve their code and learn
from mistakes without it the programming world would progress far slower
i feel. My concern is the subject matter here, on the security front.
Its the authors choice if they want to spend hours on some code and then
freely give it away.

FWIW, I work for a very big firm. Bigger than most. Our last web
application was developed in ASP.NET 1.1. When we had to decide if we
wanted to obfuscate it or not, we took the *informed* decision that it was
simply not worth it.

I understand the concern. I am also not a die-hard advocate of open
source. Honestly, I see the problems caused by open source philosophy
every day. The most obvious example is NDoc, you probably heard about the
story (if not, google it). My point (and I stand by it) is: You simply
cannot protect .NET code. You can regret it, but it's a fact. You can make
it harder to read, but then I find a beautifier which makes it again
exactly like it was before. The fact that the assemblies are not machine
code anymore, but IL poses the same problem that was posed to the Java and
to the JavaScript community. I can only repeat: Yes it may be regrettable,
but it's a mere fact. Obfuscating doesn't protect source code efficiently
enough that it's worth the time.

>My personal view is i appreciate open source code and thank those that do
it. But for me, i went to univeristy and worked hard to get qualified and
i spend every day staying on top of the ever changing coding world

Oh, then I understand our difference of view. See, me I learned coding in
a farm, and I didn't work hard at all.

>and as harsh as it sounds, i didn't do all that just so i could give it
away for someone else to benefit from lol. (Though i do like helping
people on forums)

It's the reason the guy that invented DOS sits in some crummy flat while
Bill Gates made billions.

Greetings,
Laurent
--
Laurent Bugnion [MVP ASP.NET]
Software engineering: http://www.galasoft-LB.ch
PhotoAlbum: http://www.galasoft-LB.ch/pictures
Support children in Calcutta: http://www.calcutta-espoir.ch

Hi,

PokerMan wrote:

'nuff said ;)

As for the rest you still miss the point. Neither I nor the poster who
agreed with me ever said obfuscating makes it impossible.

Nor did I say you did. My point is that if you obfuscate your code,
you'll let hackers think that it's worth hacking. I sincerely think that
unobfuscated code doesn't attract hackers as much as obfuscated one. But
I'll agree to disagree with you about that ;-)

Microsoft seem to think it's worth it, is your company bigger than
that?

Quite bigger. According to Wikipedia, Microsoft has 76000 employees,
while Siemens has 472000. Of course that doesn't say a lot about the
quality of our work ;-)

Greetings
Laurent

PS: Happy that we came back to a more gentlemanly tone.
--
Laurent Bugnion [MVP ASP.NET]
Software engineering: http://www.galasoft-LB.ch
PhotoAlbum: http://www.galasoft-LB.ch/pictures
Support children in Calcutta: http://www.calcutta-espoir.ch

Nor did I say you did. My point is that if you obfuscate your code,

you'll let hackers think that it's worth hacking. I sincerely think that
unobfuscated code doesn't attract hackers as much as obfuscated one. But
I'll agree to disagree with you about that ;-)

Once again, I don't concern myself with the 3 hackers that want to
break into my code because they want a challenge. I worry about the
3000 non-hackers who just want to use my work as their own (and
probably aren't skilled/patient enough to de-obfuscate and decompile
my projects). Odds are that even if the hacker did break into my code,
he wouldn't post it on the internet for the world to see. Even if he
did, I would only then be in the same position if I had posted it as
open source in the beginning. The point is that the chances of a
hacker taking interest in my project, then assuming he has the skills,
take the time to break down my code, he still has to post it as a
widely available download on the internet. As far as I can tell, the
odds of that are really low, so it seems to me that obfuscating really
does protect your code...

Thanks,

Seth Rowe
On Feb 3, 7:41 am, "Laurent Bugnion [MVP]" <galasoft...@bluewin.ch>
wrote:

Hi,

PokerMan wrote:

'nuff said ;)

As for the rest you still miss the point. Neither I nor the poster who
agreed with me ever said obfuscating makes it impossible.

Nor did I say you did. My point is that if you obfuscate your code,
you'll let hackers think that it's worth hacking. I sincerely think that
unobfuscated code doesn't attract hackers as much as obfuscated one. But
I'll agree to disagree with you about that ;-)

Microsoft seem to think it's worth it, is your company bigger than
that?

Quite bigger. According to Wikipedia, Microsoft has 76000 employees,
while Siemens has 472000. Of course that doesn't say a lot about the
quality of our work ;-)

Greetings
Laurent

PS: Happy that we came back to a more gentlemanly tone.
--
Laurent Bugnion [MVP ASP.NET]
Software engineering:http://www.galasoft-LB.ch
PhotoAlbum:http://www.galasoft-LB.ch/pictures
Support children in Calcutta:http://www.calcutta-espoir.ch

More gentlemanly tone? I never realised we veered off. Though in a polite
way you clearly don't know when your beat,.

Nor did I say you did. My point is that if you obfuscate your code, you'll
let hackers think that it's worth hacking. I sincerely think that
unobfuscated code doesn't attract hackers as much as obfuscated one. But
I'll agree to disagree with you about that ;-)

Actually you keep implying it. But i ask you this, how will a hacker know
its obfuscated, unless he tried to hack it? Think about it.

>Microsoft seem to think it's worth it, is your company bigger than that?

Quite bigger.

The size of a company isnt determined by the number of employees. You are
not bigger than Microsoft, at present no one is. Their turnover and profit
margins make them the most influential and powerful company on the planet as
it stands. Hence, the biggest company. I just know you're going to disagree
on that one ;) .

Even so, Microsoft obfuscate and is an example of a big corporation that
does. So it means nothing that your company chooses not to.

>Of course that doesn't say a lot about the quality of our work ;-)

I know its a tongue in cheek joke and not to be too rude here. But maybe
thats why you guys dont care if people can easily hack it. The reward just
isn't that great.

Thanks ;)

"Laurent Bugnion [MVP]" <ga*********@bluewin.chwrote in message
news:O1**************@TK2MSFTNGP02.phx.gbl...

Hi,

PokerMan wrote:

>'nuff said ;)

As for the rest you still miss the point. Neither I nor the poster who
agreed with me ever said obfuscating makes it impossible.

Nor did I say you did. My point is that if you obfuscate your code, you'll
let hackers think that it's worth hacking. I sincerely think that
unobfuscated code doesn't attract hackers as much as obfuscated one. But
I'll agree to disagree with you about that ;-)

>Microsoft seem to think it's worth it, is your company bigger than that?

Quite bigger. According to Wikipedia, Microsoft has 76000 employees, while
Siemens has 472000. Of course that doesn't say a lot about the quality of
our work ;-)

Greetings
Laurent

PS: Happy that we came back to a more gentlemanly tone.
--
Laurent Bugnion [MVP ASP.NET]
Software engineering: http://www.galasoft-LB.ch
PhotoAlbum: http://www.galasoft-LB.ch/pictures
Support children in Calcutta: http://www.calcutta-espoir.ch

Hi,

PokerMan wrote:

More gentlemanly tone? I never realised we veered off.

Calling another person's opinion "absurd" and "rediculous" (sic) is not
very gentlemanly in my book. Note that by copying your typo here, I
suddenly stopped being a gentleman too ;-)

Though in a polite
way you clearly don't know when your beat,.

I was not aware this was a competition.

Actually you keep implying it. But i ask you this, how will a hacker know
its obfuscated, unless he tried to hack it? Think about it.

Common behaviour when a programmer comes across a new interesting DLL is
to use Reflector on it. No need to be a hacker for that, it's so easy.

>>Microsoft seem to think it's worth it, is your company bigger than that?

Quite bigger.

The size of a company isnt determined by the number of employees. You are
not bigger than Microsoft, at present no one is. Their turnover and profit
margins make them the most influential and powerful company on the planet as
it stands. Hence, the biggest company. I just know you're going to disagree
on that one ;) .

Not really, though with firms this size, it's getting really hard to get
an overview of who's bigger. However, we're also the biggest .NET
programming company worldwide. And we collaborate a lot with Microsoft
to make their code (and our own) better.

Even so, Microsoft obfuscate and is an example of a big corporation that
does. So it means nothing that your company chooses not to.

The .NET framework is not obfuscated. That's all I need to know about
the value of obfuscation. I don't think it would be as popular as it is
if it was obfuscated. Being able to check what the engineers did and
possibly modify their code adds great value to a product, commercial or
not. We prefer to play this card rather than the unfriendly "hide-all" one.

>Of course that doesn't say a lot about the quality of our work ;-)

I know its a tongue in cheek joke and not to be too rude here. But maybe
thats why you guys dont care if people can easily hack it. The reward just
isn't that great.

The code is good enough to work, sell well, and pay me and my colleagues
a nice salary. We still have tons to learn (as you said yourself, when
you write code, you always have new things to learn) and do our best to
improve ourselves. And also, to change our opinions about a subject if
proven wrong. Like we did back then when we still thought we should
obfuscate our code, and then realized there was no way to do this in a
satisfying way.

Thanks ;)

And you for the interesting exchange. That said, I will stop talking
about it now, it's getting boring. I hate nothing like too long winded
threads. In short I think we can say that: I think that obfuscating
can't be done in .NET in a satisfying way and doesn't add value to
source code, so I prefer to publish code openly; while you prefer to
protect your work and make use of obfuscators in order to keep your
source code more difficult to read, even though you're aware that 100%
protection is not possible. I think it's the gist of this talk.

If that helps you sleep better at night, you can consider that you won
since I am leaving now ;-) As for me, I'll sleep well in all cases ;-)

Greetings,
Laurent
--
Laurent Bugnion [MVP ASP.NET]
Software engineering: http://www.galasoft-LB.ch
PhotoAlbum: http://www.galasoft-LB.ch/pictures
Support children in Calcutta: http://www.calcutta-espoir.ch

sigh, all i can say is simply lol.

"Laurent Bugnion [MVP]" <ga*********@bluewin.chwrote in message
news:%2****************@TK2MSFTNGP02.phx.gbl...

Hi,

PokerMan wrote:

>More gentlemanly tone? I never realised we veered off.

Calling another person's opinion "absurd" and "rediculous" (sic) is not
very gentlemanly in my book. Note that by copying your typo here, I
suddenly stopped being a gentleman too ;-)

>Though in a polite way you clearly don't know when your beat,.

I was not aware this was a competition.

>Actually you keep implying it. But i ask you this, how will a hacker know
its obfuscated, unless he tried to hack it? Think about it.

Common behaviour when a programmer comes across a new interesting DLL is
to use Reflector on it. No need to be a hacker for that, it's so easy.

>>>Microsoft seem to think it's worth it, is your company bigger than
that?
Quite bigger.

The size of a company isnt determined by the number of employees. You are
not bigger than Microsoft, at present no one is. Their turnover and
profit margins make them the most influential and powerful company on the
planet as it stands. Hence, the biggest company. I just know you're
going to disagree on that one ;) .

Not really, though with firms this size, it's getting really hard to get
an overview of who's bigger. However, we're also the biggest .NET
programming company worldwide. And we collaborate a lot with Microsoft to
make their code (and our own) better.

>Even so, Microsoft obfuscate and is an example of a big corporation that
does. So it means nothing that your company chooses not to.

The .NET framework is not obfuscated. That's all I need to know about the
value of obfuscation. I don't think it would be as popular as it is if it
was obfuscated. Being able to check what the engineers did and possibly
modify their code adds great value to a product, commercial or not. We
prefer to play this card rather than the unfriendly "hide-all" one.

>>Of course that doesn't say a lot about the quality of our work ;-)

I know its a tongue in cheek joke and not to be too rude here. But maybe
thats why you guys dont care if people can easily hack it. The reward
just isn't that great.

The code is good enough to work, sell well, and pay me and my colleagues a
nice salary. We still have tons to learn (as you said yourself, when you
write code, you always have new things to learn) and do our best to
improve ourselves. And also, to change our opinions about a subject if
proven wrong. Like we did back then when we still thought we should
obfuscate our code, and then realized there was no way to do this in a
satisfying way.

>Thanks ;)

And you for the interesting exchange. That said, I will stop talking about
it now, it's getting boring. I hate nothing like too long winded threads.
In short I think we can say that: I think that obfuscating can't be done
in .NET in a satisfying way and doesn't add value to source code, so I
prefer to publish code openly; while you prefer to protect your work and
make use of obfuscators in order to keep your source code more difficult
to read, even though you're aware that 100% protection is not possible. I
think it's the gist of this talk.

If that helps you sleep better at night, you can consider that you won
since I am leaving now ;-) As for me, I'll sleep well in all cases ;-)

Greetings,
Laurent
--
Laurent Bugnion [MVP ASP.NET]
Software engineering: http://www.galasoft-LB.ch
PhotoAlbum: http://www.galasoft-LB.ch/pictures
Support children in Calcutta: http://www.calcutta-espoir.ch

On Fri, 2 Feb 2007 15:56:16 -0000, "PokerMan" <no****@pokercat.co.ukwrote:

[snip]

>It's the reason the guy that invented DOS sits in some crummy flat while
Bill Gates made billions.

[snip]

Actually Bill Gates and a coworker wrote the first DOS (as we know it) used by
IBM, so he and the DOS writer were one in the same...

Good luck with your project,

Otis Mukinfus

http://www.otismukinfus.com
http://www.arltex.com
http://www.tomchilders.com
http://www.n5ge.com

DOS "as we know it" is correct. What was essentially DOS was made by another
guy who failed to get anyone interested. Gates saw it for what it could be,
improved it and sold it.
"Otis Mukinfus" <ph******************@phoney.comwrote in message
news:ht********************************@4ax.com...

On Fri, 2 Feb 2007 15:56:16 -0000, "PokerMan" <no****@pokercat.co.uk>
wrote:

[snip]

>>It's the reason the guy that invented DOS sits in some crummy flat while
Bill Gates made billions.

[snip]

Actually Bill Gates and a coworker wrote the first DOS (as we know it)
used by
IBM, so he and the DOS writer were one in the same...

Good luck with your project,

Otis Mukinfus

http://www.otismukinfus.com
http://www.arltex.com
http://www.tomchilders.com
http://www.n5ge.com