Obfuscated code...

I recently ran into this post from Alex Papadimoulis’s “Daily WTF”, and it reminded me of one company’s response to mandatory source disclosure (no, this isn’t really another open source discussion, really – I’ve learned my lesson :)).

This company (which will remain nameless) licensed the source code to its product to Microsoft for integration in a Microsoft product (no, I’m not going to name names).

As a matter of fact, giving away the source code was one of the selling points of their product. They licensed the source code to anyone and everyone who bought the product. This was important because some of their customers were government agencies with source code availability requirements. It also allowed their code to run on lots of different platforms; all you needed was a compiler (and of course the work to adapt the program to your platform, which they were more than happy to provide).

But of course, if you’re giving away the source code to your product, how do you prevent the people who have your source code from using it? How do you continue to make money off the product once your customers have the source code? What’s to prevent them from making the bug fixes for you? Why should they continue to pay you lucrative contracting fees so that you’ll continue to get revenue from the product? And more importantly, how do you prevent your customers from making an incompatible (or incorrect) change to your server? If your customers have the source, you lose the ability to ensure the quality of fixes. This latter issue is a very real issue, btw. I see it all the time on the IETF IMAP mailing list. About once a semester or so, someone posts a “fix” for the U.W. IMAP server, and Mark Crispin immediately jumps on the fix explaining how the guy got it wrong. So it’s important that you make sure that your customers, who have the source code to your product, only make the fixes that you authorize.

Well, this company hit on what I think is a novel solution to the problem. Since their code had to be platform independent, they already had a restriction that none of their identifiers could be more than 6 characters in length (to work around limitations in the linkers on some of their supported platforms). So they took this one step further and purposely obfuscated their entire source code.

Every single function name in the source code was exactly 6 letters long. So were all the structure and local variable names. And they stripped most of the comments out of the code. They had a book (on paper) that translated the obfuscated names to the human-readable names, and their support guys (and internal development) all had copies of the book.

The customers weren’t allowed to have the book, only employees of the company got the book.

So the customers couldn’t really figure out what was going on inside the source code; the only thing they could do was call support and have them look at the code.
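To make the scheme concrete, here is an added example (not code from the post or from the company described) of the renaming pass it implies: every identifier that is not a language keyword or an external symbol is replaced by a fixed-length 6-letter name, comments are dropped, and the only artifact that lets anyone reverse the mapping is the "book", a table from obfuscated name back to original. The tokenizer, the keyword subset and the C-like sample are all constructed for this example; the point to notice is that the book is the entire secret, so whoever holds a copy can read the code, and whoever does not can only see structure.

```python
import itertools
import re
import string

# Constructed subset of reserved words that must never be renamed;
# not a complete C keyword list, just enough for the sample below.
KEYWORDS = {"int", "char", "void", "static", "struct", "return",
            "if", "else", "for", "while", "sizeof"}

# Tokenizer. Comments and string literals are matched before identifiers
# so identifier-like text inside them is never touched; preprocessor
# lines are left alone; numbers are consumed whole so "0x1F" never
# yields an identifier "x1F".
TOKEN_RE = re.compile(r"""
    (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<pp>^[ \t]*\#[^\n]*)
  | (?P<number>\d[A-Za-z0-9_.]*)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL | re.MULTILINE)


def fixed_length_names(length=6):
    """Yield aaaaaa, aaaaab, ...: every name is exactly `length` letters."""
    for letters in itertools.product(string.ascii_lowercase, repeat=length):
        yield "".join(letters)


def obfuscate(source, keep=frozenset(), strip_comments=True):
    """Rename every identifier that is neither a keyword nor in `keep`
    (external symbols such as libc functions) to a 6-letter name.

    Returns (obfuscated_source, book) where `book` maps each 6-letter
    name back to the original identifier: the paper translation book.
    """
    names = fixed_length_names()
    forward = {}          # original -> obfuscated, assigned on first sight
    pieces = []
    for m in TOKEN_RE.finditer(source):
        kind, text = m.lastgroup, m.group(0)
        if kind == "comment":
            if not strip_comments:
                pieces.append(text)
        elif kind == "ident" and text not in KEYWORDS and text not in keep:
            if text not in forward:
                forward[text] = next(names)
            pieces.append(forward[text])
        else:
            pieces.append(text)
    book = {obf: orig for orig, obf in forward.items()}
    return "".join(pieces), book


def deobfuscate(source, book):
    """Apply the book in reverse: what a support engineer with the book
    does by hand. Names not in the book (keywords, externals) pass through."""
    return "".join(
        book.get(m.group(0), m.group(0)) if m.lastgroup == "ident" else m.group(0)
        for m in TOKEN_RE.finditer(source))


# Constructed sample input; "printf" is treated as an external symbol.
SAMPLE = r'''#include <stdio.h>

/* Count the mailbox entries that are still unread. */
static int count_unread(struct mailbox *box) {
    int unread = 0;
    for (int i = 0; i < box->count; i++) {
        if (!box->msgs[i].seen) unread++;   // flag set when read
    }
    printf("unread: %d\n", unread);
    return unread;
}
'''

if __name__ == "__main__":
    obfuscated, book = obfuscate(SAMPLE, keep={"printf"})
    print(obfuscated)
    for obf, orig in book.items():
        print(f"{obf} -> {orig}")
```

Running it prints the renamed source with `count_unread` as `aaaaaa`, `mailbox` as `aaaaab` and so on, followed by the book. The string literal `"unread: %d\n"` and the `printf` call survive untouched, which is exactly the residue a customer without the book would have to work from.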

A clever solution to the problem, if a bit difficult for the customer :)

Oh, and before you ask, no, this is NOT what Microsoft does when it licenses the source to someone. If you license the source to a Microsoft product, as far as I know, you get the real source.