Obfuscation: Not just for protecting intellectual property

Jonathan Henderson <jh********@preemptive.com> wrote:

Obfuscators aren't only used for protecting intellectual property.

See the hacker demo at this link:

http://www.preemptive.com/documentat...ackerDemo.html

LOL - 'cos everyone ships debug versions including the PDB files.

Also interesting is the fact that he talks about user input validation,
when none is actually required, given that the customer ID is specified
as a parameter, not injected directly into the SQL statement.

Furthermore, he's suggesting making changes to the app in order to use
random bits of SQL, despite the fact that the connection string is in
the code anyway, so the more sensible thing to do would be to use that
connection string to do stuff directly to the database. Of course, with
a sensibly administered database, the user which could log in wouldn't
have access to any "dodgy" things, regardless of how they tried to do
it.

I'm not saying that obfuscation is a bad thing, but I do wish that
they'd put a bit more time into a *sensible* demo. In this case, the
connection string is the sensitive part, and so long as you could
decompile (with a suitably powerful decompiler) and then recompile the
code, it wouldn't be hard to find the places where the SqlConnection
constructor is called, insert something to write the value out
somewhere, and then recompile and run. Bingo, you're in the same boat
as you were before - all you need is a better decompiler. In fact, you
don't even really need a decompiler - just a disassembler (eg ildasm)
and enough nous to inject a single method call into the flow near the
SqlConnection constructor.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too

On Thu, 21 Oct 2004 12:53:32 -0700, Jonathan Henderson wrote:

Obfuscators aren't only used for protecting intellectual property.

This seems to just be an advertisement for the Preemptive obfuscator. Do
you work for them Jonathan? While I'm sure the Preemptive obfuscator is a
fine product, it is generally considered poor manners to spam the
newsgroup.

--
Chris

dunawayc[AT]sbcglobal_lunchmeat_[DOT]net

To send me an E-mail, remove the "[", "]", underscores ,lunchmeat, and
replace certain words in my E-Mail address.

<Chris Dunaway <"dunawayc[[at]_lunchmeat_sbcglobal[dot]]net">> wrote:

Obfuscators aren't only used for protecting intellectual property.

This seems to just be an advertisement for the Preemptive obfuscator. Do
you work for them Jonathan? While I'm sure the Preemptive obfuscator is a
fine product, it is generally considered poor manners to spam the
newsgroup.

Agreed. (Not that it's a particularly good advert, given the technical
problems with it that I pointed out in another post.)

Given his post earlier, Jonathan does indeed work for PreEmptive. This
was not obvious from this thread though. It's bad enough starting a new
thread just for the sake of advertising, but to do it without declaring
interests is worse.

I'll drop a line to someone in PreEmptive to express my distaste -
that's had good effects before with other companies.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too

Jon Skeet [C# MVP] <sk***@pobox.com> wrote:

<snip>

I'll drop a line to someone in PreEmptive to express my distaste -
that's had good effects before with other companies.

Just to follow up on this: I mailed PreEmptive about it, and had a very
fast response back. I've been convinced that it was a mistake of
inexperience rather than cynicism, if you see what I mean :)

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too