From: Hans Georg Schaathun
Newsgroups: comp.lang.python
Subject: Re: obviscating python code for distribution
Date: Thu, 19 May 2011 10:16:54 +0100
Organization: University of Bergen
Message-ID: <6p3fa8-bnt.ln1@svn.schaathun.net>

On 19 May 2011 08:47:28 GMT, Steven D'Aprano wrote:
: The real barrier to cracking Oyster cards is not that the source code is
: unavailable, but that the intersection of the set of those who know how
: to break encryption, and the set of those who want to break Oyster cards,
: is relatively small. I don't know how long it took to break the encryption,
: but I'd guess that it was probably a few days of effort by somebody
: skilled in the art.
:
: http://www.usenix.org/events/sec08/tech/full_papers/nohl/nohl_html/index.html

In that paper, more than one art seems to have been applied.
An open design would have eliminated the need for image analysis
and reduced the requirement on hardware/electronics skills.
Hence, the obfuscation has made that intersection you talk about
smaller, and increased the cost of mounting the attack.

As the system was broken anyway, it is hardly a victory for
obfuscation, but that's beside the point.

The work of that paper is almost certainly more than just
«a few days of effort». There are simply too many technical
issues to tackle, and they must be tackled one by one.

The cost of mounting the attack is to figure out what it takes
to do it, before spending the resources barking up the wrong tree.
For each successful attack, there probably is a number of failed
ones.

Thanks for the reference.

BTW. That's not the only attack on MIFARE. I cannot remember the
details of the other.

-- 
:-- Hans Georg