|
Thread: securing .net code
|
|
| securing .net code |

|
2006-09-07 20:09:37 |
Jeff,

My tests were limited, but I protected a COM visible Outlook Addin which then continued to work without a hitch. I figured if that worked well, then they must have covered most bases. I then tried an exe which also worked without a hitch.

Dino

-----Original Message-----
From: Discussion of building .NET applications targeted for the Web [mailto:DOTNET-WEB@DISCUSS.DEVELOP.COM] On Behalf Of Jeff
Sent: Friday, 8 September 2006 01:40
To: DOTNET-WEB@DISCUSS.DEVELOP.COM
Subject: Re: [DOTNET-WEB] securing .net code

Thanks Dean. What kind of tests did you do? I will seriously be looking at this product today for sure. I have found a few, but this one also looks good. One thing I am looking for is my understanding is that some products decrypt the assembly at run time and so it's loaded in memory. This then allows hackers to attach to the memory space and somehow access that decrypted source, via debugging or other methods. I read about one that only decrypts on the fly the method that it needs, but have only read a little about this.

http://www.secureteam.net/solutionsTechnology.asp

Please email me off line if you like, jmt magentatech.com

Thanks.

-----Original Message-----
From: Discussion of building .NET applications targeted for the Web [mailto:DOTNET-WEB@DISCUSS.DEVELOP.COM] On Behalf Of Dean Cleaver
Sent: Thursday, September 07, 2006 12:21 AM
To: DOTNET-WEB@DISCUSS.DEVELOP.COM
Subject: Re: [DOTNET-WEB] securing .net code

I've tested Xheo CodeVeil, and it seemed to work very well.

www.xheo.com

-----Original Message-----
From: Discussion of building .NET applications targeted for the Web [mailto:DOTNET-WEB@DISCUSS.DEVELOP.COM] On Behalf Of Jeff
Sent: Thursday, 7 September 2006 11:15
To: DOTNET-WEB@DISCUSS.DEVELOP.COM
Subject: [DOTNET-WEB] securing .net code

Can anyone recommend a product that will secure .net code from decompiling? Have looked at thinstall but their cost for licensing is not practical; especially for unlimited user environment. Looking for other options that are not susceptible to memory dumps, standard obfuscation limitations. I have seen a few that claim to run the product in their own Virtual Environment. Has anyone actually used any of these and tested whether they actually claim to do what they say? We have a .net 1.1 application that we were going to use demeanor to obfuscate but don't feel this provides enough security, is there anything else we can do? In addition to the IP in the code itself that we want to secure, another issue we are dealing with is not allowing people to take our assemblies and use them (reference) from within another separate project for hacking purposes. I see there is a new attribute in 2.0 that helps in this (internalsvisibletoattribute <http://msdn2.microsoft.com/en-us/library/system.runtime.compilerservices.internalsvisibletoattribute>) but our app is older and written in 1.1.

Any info appreciated. Thanks.
===================================
This list is hosted by DevelopMentor(r) http://www.develop.com
View archives and manage your subscription(s) at
http://discuss.develop.com
|
|
| securing .net code |

|
2006-09-07 22:26:54 |
Anything that is obfuscated using techniques like these is necessarily no more than a speed hump. As the code must be capable of being interpreted by the VM, it is always going to be possible to decompile and use the code elsewhere. All you can do is take some steps to slow that process down.

You have to ask yourself:
1) How much time and money are you spending to obfuscate
2) What security benefit this offers

Obfuscation techniques do not offer any significant security against a serious attacker. IMO they are not worth the effort. YMMV

David
|
|
| securing .net code |

|
2006-09-07 23:09:22 |
"David Cameron" - blimey! Bored of politics?... turned to software development for a REAL challenge???
|
|
| securing .net code |

|
2006-09-07 23:13:48 |
David,

CodeVeil stopped Reflector from working - in fact, Reflector just said the assembly was invalid I think - didn't even recognise it as obfuscated .net.

And for me, that adds about 99% more protection than I have now with nothing. Sure, there's still the 1% of people who will go to greater lengths to decompile it, but at least I've eliminated the amateurs.

Dino
|
|
| securing .net code |

|
2006-09-07 23:11:56 |
Yes agreed, but this is not obfuscation, it's encryption of the code itself. The main thing is, how practical is it to intercept the code as it's loaded into the .net memory space, because that's when it's decrypted. Can any of you hackers tell me; is this a common practice for code hacking; to attach to the memory space the code is running in? btw, how does one go about doing this? What tools do they use?

I just got back the quote from thinstall, they claim to run the entire code in a "virtual process" that is not able to be attached to and all the code and any dependencies is wrapped into an encrypted .exe. However the price tag.... US$30k/year; not feasible.

Btw, we currently have a license for demeanor wiseowl but I am just looking for additional options that do more than obfuscation.
|
|
| securing .net code |

|
2006-09-07 23:26:49 |
I'm a different David Cameron (http://www.uberconcept.com/).

Ben Joyce wrote:
> "David Cameron" - blimey! Bored of politics?... turned to software
> development for a REAL challenge???
|
|
| securing .net code |

|
2006-09-08 00:04:21 |
I didn't say it was better than nothing. I just said that it is a speed hump. It isn't something you should put all your trust in.

David
Dean Cleaver wrote:
> David,
>
> CodeVeil stopped Reflector from working - in fact,
Reflector just said
> the assembly was invalid I think - didn't even
recognise it as
> obfuscated .net.
>
> And for me, that adds about 99% more protection than I
have now with
> nothing. Sure, there's still the 1% of people who will
go to greater
> lengths to decompile it, but at least I've eliminated
the amateurs.
>
> Dino
>
> -----Original Message-----
> From: Discussion of building .NET applications targeted
for the Web
> [mailto OTNET-WE
B DISCUSS.DEVELOP.COM] On Behalf Of David Cameron
> Sent: Friday, 8 September 2006 10:27
> To: DOTNET-WEB DISCUSS.DEVELOP.COM
> Subject: Re: [DOTNET-WEB] securing .net code
>
> Anything that is obfuscated using techniques like these
is necessarily
> no more than a speed hump. As the code must be capable
of being
> interpreted by the VM, it always going to be possible
to decompile and
> use the code elsewhere. All you can do is take some
steps to slow that
> process down.
>
> You have to ask yourself:
> 1) How much time and money are you spending to
obfuscate
> 2) What security benefit this offers
>
> Obfuscation techniques do not offer any significant
security against a
> serious attacker. IMO they are not worth the effort.
YMMV
>
> David
>
> Dean Cleaver wrote:
>> Jeff,
>>
>> My tests were limited, but I protected a COM
visible Outlook Addin
>> which then continued to work without a hitch. I
figured if that worked
>
>> well, then they must have covered most bases. I
then tried an exe
>> which also worked without a hitch.
>>
>> Dino
>>
>> -----Original Message-----
>> From: Discussion of building .NET applications targeted for the Web
>> [mailto:DOTNET-WEB DISCUSS.DEVELOP.COM] On Behalf Of Jeff
>> Sent: Friday, 8 September 2006 01:40
>> To: DOTNET-WEB DISCUSS.DEVELOP.COM
>> Subject: Re: [DOTNET-WEB] securing .net code
>>
>> Thanks Dean. What kind of tests did you do? I will seriously be
>> looking at this product today for sure. I have found a few, but this
>> one also looks good. One thing I am looking for is my understanding
>> is that some products decrypt the assembly at run time and so it's
>> loaded in memory. This then allows hackers to attach to the memory
>> space and somehow access that decrypted source, via debugging or
>> other methods. I read about one that only decrypts on the fly the
>> method that it needs, but have only read a little about this.
>> http://www.secureteam.net/solutionsTechnology.asp
>>
>>
>> Please email me off line if you like, jmt magentatech.com
>>
>> Thanks.
>>
>> -----Original Message-----
>> From: Discussion of building .NET applications targeted for the Web
>> [mailto:DOTNET-WEB DISCUSS.DEVELOP.COM] On Behalf Of Dean Cleaver
>> Sent: Thursday, September 07, 2006 12:21 AM
>> To: DOTNET-WEB DISCUSS.DEVELOP.COM
>> Subject: Re: [DOTNET-WEB] securing .net code
>>
>> I've tested Xheo CodeVeil, and it seemed to work very well.
>>
>> www.xheo.com
>>
>> -----Original Message-----
>> From: Discussion of building .NET applications targeted for the Web
>> [mailto:DOTNET-WEB DISCUSS.DEVELOP.COM] On Behalf Of Jeff
>> Sent: Thursday, 7 September 2006 11:15
>> To: DOTNET-WEB DISCUSS.DEVELOP.COM
>> Subject: [DOTNET-WEB] securing .net code
>>
>> Can anyone recommend a product that will secure .net code from
>> decompiling?
>> Have looked at thinstall but their cost for licensing is not
>> practical; especially for unlimited user environment. Looking for
>> other options that are not susceptible to memory dumps, standard
>> obfuscation limitations. I have seen a few that claim to run the
>> product in their own Virtual Environment. Has anyone actually used
>> any of these and tested whether they actually claim to do what they
>> say? We have a .net 1.1 application that we were going to use demeanor
>> to obfuscate but don't feel this provides enough security, is there
>> anything else we can do? In addition to the IP in the code itself
>> that we want to secure, another issue we are dealing with is not
>> allowing people to take our assemblies and use them (reference) from
>> within another separate project for hacking purposes. I see there
>> is a new attribute in 2.0 that helps in this
>> (<http://msdn2.microsoft.com/en-us/library/system.runtime.compilerservices.internalsvisibletoattribute>)
>> but our app is older and written in 1.1.
>>
>>
>>
>> Any info appreciated. Thanks.