Software Engineering, Project Management, and Effectiveness
I met with Gabriel Torok and Sebastian Holst of PreEmptive Solutions, the other day. PreEmptive makes obfuscator products, including the Dotfuscator that comes with Visual Studio. Gabriel founded PreEmptive more than 10 years ago, and it was originally a code optimization company (The dual focus on performance and security resonates with me).
I was familiar with obfuscation and its limitations. I wasn't as familiar with some of the internals of specific obfuscation techniques, such as identifier renaming, control flow obfuscation, metadata removal, and string encryption, or how you can tweak or tune these. One surprise for me was that obfuscation for some scenarios could yield a 30-40% reduction in size (the result of shortening identifier names and "pruning" libraries that are never called.)
Gabriel's interested in creating obfuscation guidance for the community. I gave him my wish list:
Sebastion and I exchanged some metaphors. In reference to the limits of obfuscation, I said that just because door-locks don't prevent car thieves, that doesn't mean cars should come without locks. Sebastion related it to smoke alarms. In the grand schema of things, smoke alarms play a key role in saving lives and limiting damage, but to the individual, there's not a lot of value until a fire occurs. The fact that smoke alarms are low cost and simple helps justify their common use. He added, risk varies by context, so the value to hotels or restaurants may be more obvious.
It was an interesting and insightful meeting and I look forward to Gabriel's whitepaper.