Friday, June 29, 2007

Obfuscated by obfuscation

From time to time, I have to add to the list of dependencies of one of my projects a library whose byte code has been obfuscated.

Who cares, you might ask? Well, not me, until I have to step-debug into said library, because it is usually easier to follow an execution path than a technical guide. And then the pain begins: obfuscated libraries are (intentionally) a mess, and you cannot do anything useful with them in debug mode.

So here is my message to vendors and other smart guys who think security by obscurity works: this is freaking retarded! You prevent legitimate users from doing their business with your library the way experienced users do. No matter how good you think your user guides are, when something goes wrong, nothing replaces the ability to follow the actual execution of a program. As Bruce Schneier puts it:
Security by obscurity: it doesn't work, and it's a royal pain to recover when it fails.

So please, do not obfuscate the libraries you distribute, no matter how proprietary you think they are. Your value, as a software company, does not reside in the few bytes that you try to hide. It lies in your people, your know-how and your services.

Let there be light!