While reading the trapkit blog, my attention was drawn to the following post: Commercial usage of ScoopyNG. ScoopyNG, in case you didn’t know about it before, is a proof-of-concept tool to detect VMware. In the post the author of ScoopyNG details how the makers of a commercial product (Atempo Time Navigator) used his code and asked him for permission to do so, which he says is very nice, and I agree.
However :-), my question here is: why does a backup software need to know if it is being run inside of a VM? Such measures, besides merely slowing down (not stopping, mind you) the perceived threat, have a lot of negative impact:
- It slows the product down with unnecessary code
- It can lead to the application being detected by security software (much the same way as packing your application can)
- It can annoy legitimate users who want to use a VM to test the product
My message to all of the companies is: don’t overthink the security of your products. It hurts and annoys users and doesn’t generate revenue (someone who pirates your product is very unlikely to buy it, even if s/he is prevented from using it without paying – it is much more likely that s/he will use a competing product which can be used for “free”).
2 responses to “Don’t overthink software security”
If we lived in an optimized world it would be too boring. The same goes for software – we’d love to see optimized code and make things work quickly. What we have, though, are websites with over 100 SQL queries for a single website without any special effects.
“Premature optimization is the root of all evil,” as Donald Knuth said. But also, leaving out (mostly) useless features is a no-brainer, and the fact that it improves performance is just an added benefit.