Don’t overthink software security

While reading the trapkit blog, my attention was drawn to the following post: Commercial usage of ScoopyNG. ScoopyNG, in case you didn’t know about it before, is a proof of concept tool to detect VMWare. In the post the author of ScoopyNG details how the makers of a commercial product (Atempo Time Navigator) use the code and asked him for permission to do so which he says is very nice, and I agree.

However :-), my question here is: why does a backup software need to know if it is being run inside of a VM? Such measures, besides slowing down (not stopping, mind you), the perceived threat have a lot of negative impact:

My message to all of the companies is: don’t overthink the security of your products. It hurts and annoys users and doesn’t generate revenue (someone who pirates your product is very unlikely to buy it, even if s/he is prevented from using it without paying – it is much more likely that s/he will use a competing product which can be used for “free”).


2 responses to “Don’t overthink software security”

  1. If we have lived in an optimized world it would be too boring. The same is with software – we’d love to see optimized code and make things work quickly. What we have though are websites with over 100 SQL queries for a single website without any special effects.

  2. “Premature optimization is the root of all evil” as Donald Knuth said. But also, leaving out (mostly) useless features is a no brainer and the fact that it improves performance is just an added benefit.

Leave a Reply

Your email address will not be published. Required fields are marked *