Python obfuscation

Steven D'Aprano steve at REMOVETHIScyber.com.au
Sun Nov 13 01:22:55 CET 2005


On Sat, 12 Nov 2005 12:22:21 -0500, Mike Meyer wrote:

> And if instead you lose one customer because you've denied them their
> fair use rights, then your copy protection has lost you more in the
> form of a cost that you overlooked than all the costs you actually
> considered.

In a competitive marketplace, why would I choose to buy DRMed software if
there is a non-DRMed equivalent with the same functionality and equivalent
cost? DRM is both an extra cost and a lower functionality applied to the
software: an extra cost because if I can only run three simultaneous
instances when I want four, then I need to pay more; lower functionality
because things I may wish to do (like lock the original disk in the
fireproof safe and install off a backup copy) may be impossible.

If you are supplying to a non-competitive market, you may decide that you
don't mind losing some sales. In non-competitive markets, the pressure to
improve the ratio of functionality to cost is weak.

[snip]

> Actually, obfuscation by itself has *no* benefit. If all you do is
> obfuscate the code, none of the pirates will ever notice - they'll just
> copy the code without ever trying to read it. It's the copy protection
> mechanisms you're trying to obfuscate that gains you the alleged
> benefit. 

I don't think you mean copy protection, as in preventing copies -- it is
difficult for an application to prevent the OS from making physical
copies, and by difficult I mean "essentially impossible". Perhaps you mean
access control, for example the software will only run for three people
simultaneously.

> Once you provide a copy protection mechanism, obfuscation has
> some benefit, though the costs aren't clearly minimal, not if you're a
> cometent engineer. It's the benefits of the copy protection that I claim
> are insignificant.

That's not quite true -- there may be instances where there is a real or
perceived benefit from keeping the algorithms used secret: perhaps you
have found a more efficient way to do something, or perhaps you just want
to hide from your users just how bad your code really is, or perhaps
you've conned^H^H^H^H convinced them to pay a premium price for reduced
functionality and don't want them bypassing your access control mechanisms.

The problem is, developers often have a ridiculously over-inflated opinion
of the worth of their code, and the business people behind them even more
so. Everybody[1] thinks that their two-bit Visual Basic calculator app is
going to be the next Microsoft Windows and make them a fortune, but only
if they keep the source code secret. Because so much code is secret,
people fail to appreciate just how little innovation there really is in
the IT industry, and imagine that just because they personally sweated
blood for months writing the code, it must be valuable.

Anyway, I think this is all a storm in a teacup. With the possible
exception of game console software, I think the idea of shrink-wrapped
software generally and software licencing particularly is a temporary
aberration. In a decade, software obfuscation will only exist as a way for
hackers to prove how clever they are, as in the Obfuscated C Contest.
Until then, well, if you think you can a commercial advantage by annoying
your customers, knock yourselves out.





[1] By "everyone" I mean "lots of people who should know better".

-- 
Steven.




More information about the Python-list mailing list