I've read all the posts in this thread up to date, and well, you have got quite a predicament here...
-------------------------------------------
On stealing your code...

You say you are paid to protect your code. Well, if it's really a concern for your company, I think the code is running on the machines of the clients. I think that because if the code is on a server, you can just isolate it from outside... but if the attacker has access to the machine running the code, there is nothing you can do... obfuscate, encrypt, hide, whatever, in the long run they get the code, doesn't matter if it's .NET or not.

I'm not only saying that any security at this level is useless to date, I'm also suggesting against it: the end user should have the right to know what his machine is doing. If you can develop real security at this level (something that would involve hardware, I think), then you are not only making the user buy that hardware (lowering your market, unless that hardware has some advantage for the end user) but you are making clear where to attack, and trust me, then the crackers will really like to do it, they just luv the challenge... take DVD copy protection as an example, XBOX as an example... they end up breaking it anyway.

Besides that, developers respect a well-done product; if your code is good enough, they will probably prefer to help you instead of copying your product or just letting it die. Well... about companies it may be a different story, but in that case the protection is copyright, as they just won't sell something you can prove is not their own; they will first buy you (taking it that the product is that clever, right?).

Give good support to your products, set up a help desk, good documentation, and change management... they can't disassemble that. Allow extension points in your code; if third parties can develop plug-ins, add-ins... then they won't say: "This program is good, but it doesn't have such and such, let's copy the code and then we add that". Believe me, I've had those thoughts...

-------------------------------------------
About illegal copies...

Go for software as a service any time you can (do they call that cloud these days?), but if you are still limited to putting the code on the end user side... you can still add value on a server, say: updates, support forum, news, extra content, a plug-in lib, and for those things you can have more control. They will not disassemble your server code, because they simply can't download it (make sure of that). The security is now in the field of illegal end user copies, not about stealing code...

Also, if you have this server side, you can request online activation from the users, so you can detect illegal copies early... about that... it's just a shame that you need to purchase a new licence if you change your hardware... look how web mail providers set up good security without relying on hardware... why? They make people think: "this is my account and it has sensitive info for me, so I will not share it". Also the simple fact that the user sets a name makes it hard to use brute force, because the attacker needs to guess both name and pass, and perhaps serial number also. And of course you can always set a captcha. And given the whole fact that your codes don't rely on hardware and that they depend on the name (which you store on your server, someplace where it can't be downloaded... and encrypted is better), they will be unable to create a keygen (key maker if you like Matrix).

Remember: security on the server, not JavaScript, and be aware of code injection (SQL or not).

If your app is not big enough to set up a server... damn, do not protect that crap; furthermore, make it open source, and advertise it, so everybody can tell that code was made by you. If there are developers, they will just make that app on their own without going to crack your code. They just look at what it does, and start from scratch... and trust me, there are developers out there.

On 9 Dec, 10:05, Kadir Avci <[email protected]> wrote:
> What are you doing for code security?
> Prevent from copying, erasing, stealing ..etc.
>
> Kadir Avcı
> Software Developer | Freelance Web Designer
> web:www.kad1r.com
> twt:www.twitter.com/kad1r
> Sent from Izmir, 35, Turkey
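
The server-side activation idea from the reply above, as an added example that is not part of the original post: the serial is bound to the account name with a secret that exists only on the server, every lookup uses parameterized SQL, and activations are counted per licence so shared copies show up early. The table layout, function names, the secret, the random per-install id and the install limit are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import sqlite3

SERVER_SECRET = b"constructed-demo-secret"  # assumption: real value lives only in server config
MAX_INSTALLS = 2  # assumption: installs tolerated per licence before it is flagged

def make_serial(name: str) -> str:
    """Serial = HMAC(server secret, account name); the client never holds the secret."""
    return hmac.new(SERVER_SECRET, name.encode(), hashlib.sha256).hexdigest()[:20]

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, salt BLOB, pw BLOB)")
    db.execute("CREATE TABLE activations (name TEXT, install_id TEXT, "
               "UNIQUE(name, install_id))")
    return db

def register(db: sqlite3.Connection, name: str, password: str) -> str:
    salt = os.urandom(16)
    db.execute("INSERT INTO accounts VALUES (?, ?, ?)",
               (name, salt, hash_password(password, salt)))
    return make_serial(name)

def activate(db, name: str, password: str, serial: str, install_id: str) -> str:
    # Parameterized query: the submitted name is data, never SQL text.
    row = db.execute("SELECT salt, pw FROM accounts WHERE name = ?", (name,)).fetchone()
    if row is None:
        return "denied"  # same answer for unknown name, bad password or bad serial
    pw_ok = hmac.compare_digest(hash_password(password, row[0]), row[1])
    serial_ok = hmac.compare_digest(make_serial(name).encode(), serial.encode())
    if not (pw_ok and serial_ok):
        return "denied"
    # install_id is a random id created at install time, not a hardware fingerprint.
    db.execute("INSERT OR IGNORE INTO activations VALUES (?, ?)", (name, install_id))
    count = db.execute("SELECT COUNT(*) FROM activations WHERE name = ?",
                       (name,)).fetchone()[0]
    return "ok" if count <= MAX_INSTALLS else "flagged"
```

A "flagged" result is a signal for review rather than proof of piracy; how the server reacts to it is a policy choice outside this sketch.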
