Re: Protecting your code with click once




http://www.remotesoft.com/salamander/protector.html

This is the BEST software to date that I have found. It's expensive
but it does do what it says it does, and the guy behind it is a
Stanford Grad that's been doing this ever since dotNet came out :)

Hope this helps!

Daniel wrote:
Yes yes I know all this Jon lol. But I'd rather know about security
potential issues at this stage. As much as I want to say I am perfect and
will patch every possible hole, I have to assume I won't. So I need to know
just how likely it is, if I leave one, that my code could be exploited.

Going by your comments I pretty much have to make this perfect, and that
does scare me. I am not impressed how easily managed code can be reverse
engineered.

Thanks for the help/advice


"Jon Skeet [C# MVP]" <skeet@xxxxxxxxx> wrote in message
news:1161271038.636233.106720@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Daniel wrote:
My app uses a RNG and deals with real money transactions regularly.

The RNG is on the server side so should be fine but there is code shared
between client and server. I don't see a way to do any major problems as
server handles the actual logic so they would only be able to hack the way
things appear on their screen and not actually the server's handling of it.

But, the fact someone can easily see my code, and spend all day if they
wanted to looking for a hole is a clear concern. If they found a hole and
exploited it, people's accounts with real money could be affected. I can't be
more specific at this time I am afraid.

If your code has a security hole, then preventing someone running the
client from working out what it's doing isn't going to remove that
security hole. It may make it a *little* less likely to be found, but
any code which can be run can be examined. It's harder with unmanaged
code, but still possible.

So it is a concern to me. If there is no way round it my alternative would
be to rip as much as I possibly can out of client side code, and even make
duplicate lightweight copies of classes that are shared between client and
server.

Ideally, the client side code should be lighter weight anyway, IMO.

As well as many checks for malformed packets and so forth that could
be generated by a hacked client.

You should be making those checks anyway - otherwise any security flaws
would still be there. Security through obscurity is not true security.

Jon
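
Added example, not part of the thread and not code from any poster: the server-side checks discussed above (rejecting malformed packets from a modified client, keeping the RNG and the balance on the server), written in C#. The packet layout, the names BetServer and Handle, the stake limit and the payout rule are all hypothetical, chosen only for illustration.

```csharp
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;

// Hypothetical wire format (constructed for this example):
// [0] message type (0x01 = place stake), [1..4] stake in cents, little-endian, [5] choice 0..5
public static class BetServer
{
    const int PacketLength = 6;
    const byte PlaceStake = 0x01;
    const int MaxStakeCents = 10_000;

    // balanceCents comes from the server's own account store for the
    // authenticated session, never from anything the client sent.
    public static string Handle(ReadOnlySpan<byte> packet, ref long balanceCents)
    {
        if (packet.Length != PacketLength) return "reject: bad length";
        if (packet[0] != PlaceStake) return "reject: unknown message type";

        int stake = BinaryPrimitives.ReadInt32LittleEndian(packet.Slice(1, 4));
        byte choice = packet[5];
        if (stake <= 0 || stake > MaxStakeCents) return "reject: stake out of range";
        if (choice > 5) return "reject: choice out of range";
        if (stake > balanceCents) return "reject: insufficient funds";

        // The outcome is drawn on the server; the client only displays the result.
        int roll = RandomNumberGenerator.GetInt32(0, 6);
        balanceCents += roll == choice ? stake * 5L : -stake;
        return roll == choice ? "win" : "lose";
    }

    public static void Main()
    {
        long balance = 500; // constructed sample account: 5.00
        byte[][] samples =   // constructed packets, as a modified client might send them
        {
            new byte[] { 0x01, 0x64, 0x00, 0x00, 0x00, 0x03 }, // valid: stake 100, choice 3
            new byte[] { 0x01, 0x64, 0x00 },                   // truncated
            new byte[] { 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0x03 }, // negative stake (-1)
            new byte[] { 0x01, 0x10, 0x27, 0x00, 0x00, 0x03 }, // stake 10000 exceeds balance
            new byte[] { 0x01, 0x64, 0x00, 0x00, 0x00, 0x09 }, // choice 9 out of range
            new byte[] { 0x7F, 0x64, 0x00, 0x00, 0x00, 0x03 }, // unknown message type
        };
        foreach (var p in samples)
            Console.WriteLine($"{BitConverter.ToString(p)} -> {Handle(p, ref balance)} (balance {balance})");
    }
}
```

Every rejection here depends only on state the server holds, so reading the client's code tells an attacker which packets exist but not how to get a bad one accepted.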

