Managing the insider threat through code obfuscation

[bishop at cs.ucdavis.edu (Matt Bishop)]

Hi, Ken,

> This morning, an article caught my attention -- "Managing the insider threat 
> through code obfuscation", 
> http://www.itmanagersjournal.com/article.pl?sid=05/12/13/1736253
>
> The article's premise is that, because attackers can find out a great deal 
> about the internals of databases and such by decompiling bytecode (in Java 
> and .NET), bytecode should be obfuscated to hide its internal details.  The 
> article points to several commercial bytecode obfuscation products: 
> http://www.devdirect.com/ALL/OBFUSCATIORS_PCAT_2014.aspx

I heard about code obfuscation in the late 1970's. A friend (and fellow 
student) in my graduate program said a company he worked at did exactly 
that. But the goal was *not* security; it was copyright protection. If 
anyone copied their binary, and claimed to have written it independently 
(and so did not need to pay a licensing fee), the company could easily 
prove to a court that the other user had not written it on their own by 
showing the convoluted logic in the program.

I don't remember if he said they ever actually had to do this in court, 
but it seemed a pretty effective way to trace code lineage. The 
application was not one in which speed was critical, so the loss of 
speed due to the obfuscation was apparently tolerable (if not unnoticeable).

I don't remember the language involved, but suspect pretty strongly it 
was *not* Java, because our discussion was some 15-20 years before Java 
was released ... :-)

Cheers to all!

Matt