This morning, as we readied our latest Dotfuscator Community Edition (CE) announcement, it struck me that this remarkable piece of software has a unique story to tell. A story that can’t be expressed in a feature table or change log.
Most every .NET developer knows that Dotfuscator CE has been generally available inside Visual Studio (every SKU other than Express) since 2002. Fourteen years covers more than a few generations of software – and, counter-intuitively perhaps, it’s taken a whole lot of work behind the scenes to preserve that “rock-steady” reputation.
Dotfuscator CE has maintained its position “in the box” in two ways: first, by offering a consistent and reliable .NET obfuscation utility, and, second, by evolving its capabilities to keep pace with the expanding Visual Studio ecosystem—including making changes to support Microsoft’s growing emphasis on cross-platform development and DevOps, and its evolving attitude towards “grassroots development”.
For most of its 14-year history, Dotfuscator CE was built to provide a minimal feature set that would be all but impossible for anyone other than a solo developer to use. Build automation and more advanced protection algorithms were always reserved for our Dotfuscator Professional users. In a general sense, you can directly compare it to Microsoft’s free SKU: Visual Studio Express.
In 2015, Microsoft launched Visual Studio Community Edition. This new free version of Visual Studio was much more functional than Visual Studio Professional. Oriented towards individual developers and small teams, the principal difference between Visual Studio CE and paid versions was the licensing terms, not a massive deficit in functionality. (for a nice discussion of Visual Studio CE licensing, see Understanding Visual Studio Community Edition license in StackExchange).
This fundamental shift in how Microsoft intended to address this end of the developer market challenged us to do the same.
Beginning earlier this year, we began enhancing Dotfuscator CE to support a much wider array of application security and risk management scenarios and to make it incrementally closer to our Professional SKU.
With just these three enhancements, we’ve seen Dotfuscator CE usage spike by over 500%! (See the timeline at the beginning of this post)
…and we’re not done by a long shot.
Today, we announced that Dotfuscator CE 2017 includes the Debugger-detection-and-defense control. Dotfuscator CE can now inject logic (no coding required) to detect when a debugger is attached in production (an unauthorized probe like this leads to BOTH code and data tampering).
CE also includes the ability to trigger real-time defenses as well as transmit alerts to Microsoft’s Application Insights, HockeyApp, Google Analytics, and even Twitter! (Coding will be required to connect all of these endpoints)
You can learn more about this powerful new functionality inside CE by reviewing the following blog and/or video:
ANTI-DEBUG AND ANTI-TAMPER: MORE THAN JUST A POWERFUL NEW FEATURE (blog)
Dotfuscator Debug defense and analysis (video)
Visual Studio CE offers expanded functionality wrapped in a new license designed to target that grassroots developer; In that tradition, PreEmptive’s more expansive versions of Dotfuscator CE follow in lock-step.
Who can use Dotfuscator CE and who cannot?
As with Microsoft’s Visual Studio Community Edition, PreEmptive licenses Dotfuscator Community Edition with special permissions and restrictions. As with Microsoft, we subscribe to the objective of providing expanded functionality to individual users and small teams by making the CE license available at no cost.
Who can use Dotfuscator CE? The (partial) answer is “Any Licensed Visual Studio user (other than Express) who ALSO meets the following criteria:”
Dotfuscator CE can be used under its current license if and only if the software being consumed is owned by and developed by the individual Dotfuscator CE user (licensee).
In other words, you CANNOT use Dotfuscator CE in production if the code you develop is owned by your employer or if the code you want to harden includes code that you did not personally develop.
If you visited the earlier link outlining Microsoft’s CE restrictions, you’ll see we’ve had to take a different approach than they did. Microsoft’s specific criteria cannot work for a .NET obfuscator authored by a small ISV like PreEmptive Solutions.
Microsoft focuses in part on open source development projects—who wants to obfuscate their open source apps? They also rely on a financial definition of an enterprise to exclude CE use, but this is simply too cumbersome for a small company like ours to measure and track effectively.
Enforcement: We have been able to adopt Microsoft’s licensing model here. We enforce terms through a license agreement (EULA), but we do not employ access control software or license keys to enforce those terms. Nor do we ever retroactively bill or otherwise punish inadvertent misuse/overuse of Dotfuscator CE. We strive to be transparent, fair, and patient in working through any issues or questions our users may have.
We have other important enhancements (related to VSTS and more…) in the queue. We look forward to continuing to expand our support for grassroots Visual Studio development. Visit this page for a comparison of Dotfuscator SKUs.