7

I've recently learnt that the company that will handle the installation of one of our core products has previously tried to reverse engineer suppliers' work for evil purposes. Due to this I want to learn more about how to protect our work and so far I have thought of the following:

1) Obviously to use an obfuscator. Question is which one.

2) Encrypt config files as much as possible (especially endpoint information).

3) Move as much of the logic as possible to the web service.

4) Use SSL for data transfers.

The project is written in C#/WPF and connects to a set of web services hosted on an IIS 7. We package our deliveries with WIX, does WIX have anything to provide?

I understand that in the end all binaries can be hacked and that as a minor company we should probably concentrate on writing code instead of protecting it. But these minor steps will at least make it harder. What else can be done? Does the community have any more advice regarding this? Links to internal/external resources would be much appreciated.

Avada Kedavra
  • 2
    Take your business elsewhere. If enough people do this then the "evil" company will go bust. – ChrisF Jun 20 '11 at 21:25
  • 6
    How about (1) don't give them the program at all, or (2) have them enter into a licensing agreement wherein they may not reverse engineer your software upon pain of death or something. – Chris Eberle Jun 20 '11 at 21:26
  • a lot of people use c++ for this reason exactly. – normalppl Jun 20 '11 at 21:28
  • @ChrisF: Fair point indeed, but will be hard to do. We have a contract with a company that uses this "evil" company for all its IT installations/maintenance. So it's not, at this point, a real option. – Avada Kedavra Jun 20 '11 at 21:29
  • @Chris +1 you should post your comment as an answer (I was going to post the same but didn't want to steal it from you). Licensing is a very good way to go. – Nix Jun 20 '11 at 21:29
  • As Chris has put, most of the sense comes from making part of your terms of business, that any company agreeing to use your product also agrees not to reverse engineer, or reuse it or parts of it in any manner without your agreement. – BugFinder Jun 20 '11 at 21:29
  • @Chris, please put that (licensing) in an answer. Very valid point. – Avada Kedavra Jun 20 '11 at 21:30
  • And just because it is licensed, doesn't mean you have to sell it. It's a contract, and allows you to go after someone legally that does stupid things. – Nix Jun 20 '11 at 21:30
  • @Avada - I guessed as much which is why I posted a comment rather than answer. These things are often beyond your control. Take the other Chris's advice - draw up a tight agreement. – ChrisF Jun 20 '11 at 21:31
  • Duplicate of thread http://stackoverflow.com/questions/506282/protect-net-code-from-reverse-engineering read this it's a very fruitful discussion and surely a long one. – Usman Masood Jun 20 '11 at 21:47

3 Answers

16

Here are your options:

  • Don't give them the program, they've already abused their power
  • Have them enter into a license agreement wherein:
    • They can reverse engineer the program or even see the source code within the confines defined by your legal team
    • They can't do anything without inviting a world of legal hurt
  • Release the code as open source. You'd be surprised, if the "forbidden fruit" isn't forbidden they may just get bored and leave it alone.
  • Move the proprietary computation to your own servers, essentially making your program into a thin client.
  • Reverse engineer some of their tools. Enter into a cold-war of sorts.
  • Stock up on patents, and when you see your own code out in the wild sue the company into oblivion for violating your patent.
  • Pay the mob to run your "friends" out of town
  • Send them a basket of muffins with a note that says "PlZ st0p wit teh H4x"
  • Dress up as the ghost of professional integrity, visit each of the employees in their homes and teach them lessons about ethics and morality.
  • Buy out the company, fire all of the employees.
Chris Eberle
  • +1 For the legal part. +1 for "world of legal hurt", if +2 was an option :) – Avada Kedavra Jun 20 '11 at 21:36
  • +1 for the cold war solution. I really wanted to type a Russian accent statement and something about nukes but that failed on me here. – Chris Marisic Jun 20 '11 at 21:56
  • I wish that my wallet would allow me to accept "Buy out the company, fire all of the employees" :)) – Avada Kedavra Jun 20 '11 at 22:02
  • I read on a forum that one of the big private investors of CCP also invested in a Russian brewery whose competition either burnt or was "driven out of town". Looks like solution 7 is actually used in the real world... – Kheldar Sep 05 '11 at 14:45
3

As much an agreement with @Chris as anything.

Hire an attorney and draw up the appropriate license terms.

Every so often contact the offending company and ask if they have something similar to your software for sale. In the event they say yes, get a demo. If it bears any resemblance to yours, sue them into oblivion. One of the early stages in a lawsuit of this type is discovery. At which point you'll know whether they copied your code or not.

Presto, problem solved.

Point is, the only real solution is to use the legal system.

NotMe
2

Actually I think that your 4 points cover what you can do (realistically) very well. The only thing I would add is the appropriate clause in your licence.

If someone wants to steal, they will steal.

Edit: oh, RE Obfuscator as much as I hate to recommend Red Gate after their reflector treatment, their Smart Assembly is very good.

Tim Jarvis
  • +1 Thanks for suggesting Smart Assembly. Have you compared it with for example dotfuscator? Smart Assembly seems reasonably priced. Cannot find a license cost for dotfuscator.. – Avada Kedavra Jun 20 '11 at 22:10
  • Yes I did compare, and unfortunately Smart Assembly does appear to be better, maybe through obscurity ;-) There are apps around that claim to be able to make some sense of Dotfuscator, I haven't seen the same claims for Smart Assembly. Plus the error reporting is actually pretty useful. Don't know about the costs for Dotfuscator, isn't it free? – Tim Jarvis Jun 21 '11 at 04:17
  • DotFuscator "light" is shipped together with visual studio but offers only a small subset of the features in the pro version. Supposedly the pro version is better.. I'll follow up on this lead, cheers! – Avada Kedavra Jun 21 '11 at 06:45