obviscating python code for distribution
geremy condra
debatem1 at gmail.com
Wed May 18 12:54:30 EDT 2011
On Wed, May 18, 2011 at 12:36 AM, Hans Georg Schaathun <hg at schaathun.net> wrote:
> On Mon, 16 May 2011 23:42:40 +0100, Rhodri James
> <rhodri at wildebst.demon.co.uk> wrote:
> : ...which is, of course, not exactly secure either. A sufficiently
> : determined hacker won't have much trouble disassembling a shared library
> : even if you do strip out all the debug information. By chance I'm having
> : to do something closely related to this at work just at the moment; it's
> : hard, but far from impossible.
>
> But then, nothing is secure in any absolute sense.
If you're talking security and not philosophy, there is such a thing
as a secure system. As a developer you should aim for it.
> The best you can
> do with all your security efforts is to manage risk. Since obfuscation
> increases the cost of mounting an attack, it also reduces risk,
> and thereby provides some level of security.
The on-the-ground reality is that it doesn't. Lack of access to the
source code has not kept windows or adobe acrobat or flash player
secure, and they have large full-time security teams, and as you might
imagine from the amount of malware floating around targeting those
systems there are a lot of people who have these skills in spades.
> Obviously, if your threat sources are dedicated hackers or maybe MI5,
> there is no point bothering with obfuscation, but if your threat source
> is script kiddies, then it might be quite effective.
On the theory that any attack model without an adversary is
automatically secure?
Geremy Condra
More information about the Python-list
mailing list