Python obfuscation

Mike Meyer mwm at mired.org
Sat Nov 12 12:22:21 EST 2005


Yu-Xi Lim <yuxi at ece.gatech.edu> writes:
> Indeed, everything has a cost, and I was wrong in saying
> "free". However, if convenient language-supported transforms are used,
> the direct cost of using obfuscation would be minuscule in comparison
> to just about everything else. Implementing it should be one simple
> step, and testing it shouldn't be required (if you reasonably assume
> the language isn't broken).

Failing to test what you ship is simply poor engineering and poor
marketing. If you're incompetent, you might skip those
steps. Otherwise, you have to test with obfuscation in place.

> I am going to ignore certain aspects of the Sony XCP case, such as the
> bad EULA and the bad PR (we shall leave that to the lawyers and
> marketing folk and stick to something we programmers can actually
> fix). What we have left is a broken software implementation of copy
> protection. If language-supported (or even OS-supported, which would
> have helped Sony*) transformations are used, we can expect to rule out
> such brokenness, i.e. no obfuscation-induced incompatibilities and
> related help-desk calls. This further reduces the unexpected costs of
> code obfuscation to zero (did I miss anything?)

You ignored the fact that the *act* of copy protection cost them
customers. It wasn't the poor implementation or the EULA, it was the
fact that people who were denied their fair use rights returned or
refused to buy their product. The rest of it merely made it widely
publicized.

> This form of obfuscation is certainly weak, but given that the costs
> are so tiny, why not use it? Even if you could gain one customer (and
> a few dollars if you're a shareware developer), you have more than
> recuperated your costs. If you don't, you probably lost 5 minutes of
> development time. Is this a worthwhile gamble? I believe so.

And if instead you lose one customer because you've denied them their
fair use rights, then your copy protection has lost you more in the
form of a cost that you overlooked than all the costs you actually
considered.

> Mike Meyer may reiterate his point about "keeping honest people
> honest" and thus such obfuscation has little ("insignificant")
> benefit. Whether this little difference is "insignificant" is up to
> the developer/publisher/etc to decide. My thesis (to borrow Alex
> Martelli's language) is that it is possible to obtain *some* benefit
> from obfuscation with *minimal* costs.

Actually, obfuscation by itself has *no* benefit. If all you do is
obfuscate the code, none of the pirates will ever notice - they'll
just copy the code without ever trying to read it. It's the copy
protection mechanisms you're trying to obfuscate that gain you the
alleged benefit. Once you provide a copy protection mechanism,
obfuscation has some benefit, though the costs aren't clearly minimal,
not if you're a competent engineer. It's the benefits of the copy
protection that I claim are insignificant.

         <mike
-- 
Mike Meyer <mwm at mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.


