
Obfuscation: Not just for protecting intellectual property

Obfuscators aren't only used for protecting intellectual property.

See the hacker demo at this link:

http://www.preemptive.com/documentat...ackerDemo.html

For those who don't know what an obfuscator is, here's the link that
gives a brief explanation:

http://www.preemptive.com/obfuscator.html

Here are other resources concerning obfuscation:

http://www.preemptive.com/downloads/Documentation.html


Jul 21 '05 #1
4 Replies


Jonathan Henderson <jh********@preemptive.com> wrote:
> Obfuscators aren't only used for protecting intellectual property.
>
> See the hacker demo at this link:
>
> http://www.preemptive.com/documentat...ackerDemo.html


LOL - 'cos everyone ships debug versions including the PDB files.

Also interesting is the fact that he talks about user input validation,
when none is actually required, given that the customer ID is specified
as a parameter, not injected directly into the SQL statement.

Furthermore, he's suggesting making changes to the app in order to use
random bits of SQL, despite the fact that the connection string is in
the code anyway, so the more sensible thing to do would be to use that
connection string to do stuff directly to the database. Of course, with
a sensibly administered database, the user which could log in wouldn't
have access to any "dodgy" things, regardless of how they tried to do
it.

I'm not saying that obfuscation is a bad thing, but I do wish that
they'd put a bit more time into a *sensible* demo. In this case, the
connection string is the sensitive part, and so long as you could
decompile (with a suitably powerful decompiler) and then recompile the
code, it wouldn't be hard to find the places where the SqlConnection
constructor is called, insert something to write the value out
somewhere, and then recompile and run. Bingo, you're in the same boat
as you were before - all you need is a better decompiler. In fact, you
don't even really need a decompiler - just a disassembler (eg ildasm)
and enough nous to inject a single method call into the flow near the
SqlConnection constructor.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
Jul 21 '05 #2
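
The two database-side points in the reply above (the customer ID bound as a parameter, and a login that cannot do anything "dodgy" even when its credentials are known), shown as an added example that is not part of the original thread. It uses Python's `sqlite3` with an authorizer callback as a stand-in for a restricted SQL Server login; the `orders` schema, the sample rows and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data; the schema and rows are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id TEXT, item TEXT);
        INSERT INTO orders (customer_id, item) VALUES
            ('ALFKI', 'widget'), ('ALFKI', 'gadget'), ('BONAP', 'sprocket');
    """)
    return conn

def restrict_to_read_only(conn):
    """Stand-in for a least-privilege login: only SELECT and column reads pass."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ}

    def authorizer(action, arg1, arg2, db_name, source):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)

def orders_for(conn, customer_id):
    """The customer ID is bound as a parameter, never spliced into the SQL text."""
    cur = conn.execute(
        "SELECT item FROM orders WHERE customer_id = ? ORDER BY id",
        (customer_id,),
    )
    return [row[0] for row in cur]

def try_statement(conn, sql):
    """Return True if the restricted connection accepts the statement."""
    try:
        conn.execute(sql)
        return True
    except sqlite3.DatabaseError:
        return False

if __name__ == "__main__":
    db = make_db()
    restrict_to_read_only(db)
    print(orders_for(db, "ALFKI"))
    # A value containing SQL syntax is compared as plain data and matches nothing.
    print(orders_for(db, "ALFKI' OR '1'='1"))
    # Holding the connection does not help: the login itself lacks the rights.
    print(try_statement(db, "DROP TABLE orders"))
```
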

On Thu, 21 Oct 2004 12:53:32 -0700, Jonathan Henderson wrote:
> Obfuscators aren't only used for protecting intellectual property.


This seems to just be an advertisement for the Preemptive obfuscator. Do
you work for them Jonathan? While I'm sure the Preemptive obfuscator is a
fine product, it is generally considered poor manners to spam the
newsgroup.

--
Chris

dunawayc[AT]sbcglobal_lunchmeat_[DOT]net

To send me an E-mail, remove the "[", "]", underscores, lunchmeat, and
replace certain words in my E-Mail address.
Jul 21 '05 #3

<Chris Dunaway <"dunawayc[[at]_lunchmeat_sbcglobal[dot]]net">> wrote:
> > Obfuscators aren't only used for protecting intellectual property.
>
> This seems to just be an advertisement for the Preemptive obfuscator. Do
> you work for them Jonathan? While I'm sure the Preemptive obfuscator is a
> fine product, it is generally considered poor manners to spam the
> newsgroup.


Agreed. (Not that it's a particularly good advert, given the technical
problems with it that I pointed out in another post.)

Given his post earlier, Jonathan does indeed work for PreEmptive. This
was not obvious from this thread though. It's bad enough starting a new
thread just for the sake of advertising, but to do it without declaring
interests is worse.

I'll drop a line to someone in PreEmptive to express my distaste -
that's had good effects before with other companies.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
Jul 21 '05 #4

Jon Skeet [C# MVP] <sk***@pobox.com> wrote:

<snip>
> I'll drop a line to someone in PreEmptive to express my distaste -
> that's had good effects before with other companies.


Just to follow up on this: I mailed PreEmptive about it, and had a very
fast response back. I've been convinced that it was a mistake of
inexperience rather than cynicism, if you see what I mean :)

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
Jul 21 '05 #5
