bytecode obfuscation

Adam DePrince adam at cognitcorp.com
Sun Feb 6 03:02:14 EST 2005


On Thu, 2005-02-03 at 16:58, Jarek Zgoda wrote:
> snacktime napisał(a):
> 
> > Everything except the libraries that actually connect to the
> > bank networks would be open source, and those libraries aren't
> > something that you would even want to touch anyways.
> 
> This sounds suspicious to me. Really. Normal payment clearance programs 
> have open-spec API's.

Dare I suggest that closed source is a plea for rounding fraud?

No amount of obfuscation is going to help you.  Just look at the battles
between virus authors and anti-virus software firms.  Even as early as
the 80's, viruses were employing elaborate encryption schemes to "hide"
from virus scanners; virus scanners in return emulated the CPU for the
first couple thousand cycles in hopes of finishing the decryption and
seeing the virus.  Of course, virus authors responded with
for(x=0;x<1000000;x++) and the halting-problem-inspired game of chicken
raged on ... the difference with your situation is that if somebody is using
obscurity as a form of security, then it means that your system is
reachable, and it is only a matter of money and time before the
obscurity becomes not very obscure.

My humble recommendation is to put your efforts into educating those you
work with that if they secure their communication channel, it won't
matter if the protocol spec leaks to the world.  Your adversary won't
have an opportunity to talk to your service no matter how good their
implementation of your protocol is.

The worst case if you depend on obscurity:  The bad guys are rounding
off your pennies as you read this.

The worse case if you depend on encryption and open your spec:  You get
to publish your code, but might get competition.

Just my $0.02.

Adam DePrince 
More information about the Python-list mailing list