Path: csiph.com!x330-a1.tempe.blueboxinc.net!usenet.pasdenom.info!aioe.org!feeder.news-service.com!news2.euro.net!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail
Return-Path: <debatem1@gmail.com>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
X-Spam-Status: OK 0.015
X-Spam-Evidence: '*H*': 0.97; '*S*': 0.00; 'debug': 0.03; 'wed,': 0.03; '+0100,': 0.07; 'either.': 0.09; 'teams,': 0.09; 'am,': 0.14; 'wrote:': 0.14; 'subject:python': 0.14; 'library': 0.15; 'developer': 0.15; "doesn't.": 0.16; 'hackers': 0.16; 'hans': 0.16; 'mounting': 0.16; 'obviously,': 0.16; 'risk,': 0.16; 'subject:distribution': 0.16; '\xa0to': 0.16; 'cc:addr:python- list': 0.17; 'mon,': 0.17; 'header:In-Reply-To:1': 0.21; 'cc:2**0': 0.22; 'maybe': 0.23; 'cc:no real name:2**0': 0.23; 'received:209.85.210.174': 0.23; 'received:mail- iy0-f174.google.com': 0.23; 'subject:code': 0.23; 'code': 0.24; 'windows': 0.26; 'script': 0.27; "i'm": 0.27; 'message- id:@mail.gmail.com': 0.28; "won't": 0.30; 'cc:addr:python.org': 0.30; 'it.': 0.31; 'full-time': 0.31; 'player': 0.31; 'shared': 0.32; 'source': 0.34; 'there': 0.35; 'closely': 0.35; 'quite': 0.36; 'received:google.com': 0.37; 'something': 0.37; 'received:209.85': 0.37; 'floating': 0.37; 'security.': 0.37; 'model': 0.37; 'but': 0.38; 'subject:: ': 0.38; 'some': 0.38; 'trouble': 0.39; 'should': 0.39; 'received:209': 0.39; 'system.': 0.39; 'absolute': 0.40; 'best': 0.60; 'your': 0.60; 'secure': 0.63; 'adobe': 0.63; 'dedicated': 0.65; 'cost': 0.65; 'kept': 0.67; 'flash': 0.72; 'imagine': 0.72; 'obfuscation,': 0.84; 'philosophy,': 0.84; 'targeting': 0.84; 'risk.': 0.91; 'acrobat': 0.93; 'increases': 0.93; 'malware': 0.93
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=y89CnHlBkm1LyRYZBHpD5OUYDcP7S0H2HUbZLId44bI=; b=Knk0KnJK1vYTf9Tz1COWRZJcWxbxTrxF6xUGFZQNqTnkjugW7Wg2k0UcPQG+i0R6Gy vIrAtPqd2MzChYRL6IBaNoywJDM2xIvoP8vdHPcPQm2U0/xNOfVT5SVfGWweRkWa+EzD c9gGGTqNlLptPo6GBBtmrtWdx18JGOCPKFdvI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=aR3WHypspLXP044wl34a5sdonHgQfsPK8CnvttkIgO2ZcMK33/FWK6MLuwTQkBwNnf TIVZK30Hg4yn+rC9+cfB4/vWZgMg2z4fELtoziyugvm1BZl+ZT/Ea9AlG3Yvem2ZZcm4 LLLICtJUUL+l9gnXtHz7l+2TRP8sFiFsOiTKg=
MIME-Version: 1.0
In-Reply-To: <5h9ca8-ekq.ln1@svn.schaathun.net>
References: <4DD08620.4030507@tysdomain.com> <mailman.1611.1305512463.9059.python-list@python.org> <op.vvlipenoa8ncjz@gnudebst> <5h9ca8-ekq.ln1@svn.schaathun.net>
Date: Wed, 18 May 2011 09:54:30 -0700
Subject: Re: obviscating python code for distribution
From: geremy condra <debatem1@gmail.com>
To: Hans Georg Schaathun <hg@schaathun.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: python-list@python.org
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe: <http://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <http://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups: comp.lang.python
Message-ID: <mailman.1757.1305737674.9059.python-list@python.org>
Lines: 37
NNTP-Posting-Host: 82.94.164.166
X-Trace: 1305737674 news.xs4all.nl 49045 [::ffff:82.94.164.166]:40224
X-Complaints-To: abuse@xs4all.nl
Xref: x330-a1.tempe.blueboxinc.net comp.lang.python:5708

On Wed, May 18, 2011 at 12:36 AM, Hans Georg Schaathun <hg@schaathun.net> w=
rote:
> On Mon, 16 May 2011 23:42:40 +0100, Rhodri James
> =A0<rhodri@wildebst.demon.co.uk> wrote:
> : =A0...which is, of course, not exactly secure either. =A0A sufficiently
> : =A0determined hacker won't have much trouble disassembling a shared lib=
rary
> : =A0even if you do strip out all the debug information. =A0By chance I'm=
 having
> : =A0to do something closely related to this at work just at the moment; =
it's
> : =A0hard, but far from impossible.
>
> But then, nothing is secure in any absolute sense.

If you're talking security and not philosophy, there is such a thing
as a secure system. As a developer you should aim for it.

> The best you can
> do with all your security efforts is to manage risk. =A0Since obfuscation
> increases the cost of mounting an attack, it also reduces risk,
> and thereby provides some level of security.

The on-the-ground reality is that it doesn't. Lack of access to the
source code has not kept windows or adobe acrobat or flash player
secure, and they have large full-time security teams, and as you might
imagine from the amount of malware floating around targeting those
systems there are a lot of people who have these skills in spades.

> Obviously, if your threat sources are dedicated hackers or maybe MI5,
> there is no point bothering with obfuscation, but if your threat source
> is script kiddies, then it might be quite effective.

On the theory that any attack model without an adversary is
automatically secure?

Geremy Condra