[Mono-list] Security Q

Joshua Tauberer tauberer@for.net
Wed, 08 Sep 2004 17:47:33 -0400

Tom Larsen wrote:
> Security and secure code isn't about hiding stuff.  It's about a sound 
> process and data flow.  Concentrate on that instead of trying to make 
> the runtime do something it was never designed to handle.

In defense of the original question, here's a real-world situation I 
have had to deal with:

I am involved in commercial software that has an extremely small market, 
but the software is very valuable (i.e. pricey).  Thus, each purchase of 
the software is very important, and it is critical that copies of the 
software cannot be freely made.  We use various technological techniques 
to prevent unauthorized copying, in a variety of natively compiled 

However, none of these techniques would be practical under .NET, as it 
would be trivial to circumvent any copy protection scheme that I know of 
implemented in .NET (putting aside obfuscation).  Without a copy 
protection scheme, venturing into a .NET version of our software could 
mean the end of new sales of the software.

So, as much as I would like to be developing that software with C#, 
under our current business model it is a prohibitively risky move to do 
so.  So far, a middle ground for .NET languages has seemed a theoretical 
impossibility.  Nothing is impossible, though.  Maybe someone has some 
ideas on how to achieve a middle ground.

(I'm sure someone will be tempted to suggest we change our business 
model, or open-source the software...)

- Joshua Tauberer


** Nothing Unreal Exists **