I was just thinking about the fact that most of us deal with code a lot.

Why not build your own, and try and build it complicated so that way it is difficult to for 'others' to use it.

But to make it more interesting. Why have it written down on paper? You know, a code that can be read like words?

Maybe this is just trash, but it sounded really cool in my head... *sigh*...

I was just thinking about the fact that most of us deal with code a lot.

Why not build your own, and try and build it complicated so that way it is difficult to for 'others' to use it.

Maybe this is just trash, but it sounded really cool in my head... *sigh*...


That is one of the fucking STUPIDest ideas I have ever heard.


Maybe you should keep those ideas in your head.



I'm curious what kind of code you deal with a lot?

Sounds like your in the "Enlightining Stage" and just realzing potential for all that is out there.

There is readable code availble, which you should really refer to as "Cypher" or "Encryption". Think of written language like English and French. If I have no clue what French should look like, or how to read it, then I'm not going to "Get" the cypher. Were someone who does will.

There a billions of ways to do this here is a start (http://www.google.com/search?hl=en&lr=&safe=active&c2coff=1&q=obscure+written+language&btnG=Search).

I was just thinking about the fact that most of us deal with code a lot.

Why not build your own, and try and build it complicated so that way it is difficult to for 'others' to use it.

But to make it more interesting. Why have it written down on paper? You know, a code that can be read like words?

Maybe this is just trash, but it sounded really cool in my head... *sigh*...

on yousuck()
display dialog "You are an idiot?" buttons {"OK"}
end yousuck

yousuck()

Why not just call it the 'Perl Programming Contest' ?

;)

I was just thinking about the fact that most of us deal with code a lot.
Why not build your own, and try and build it complicated so that way it is difficult to for 'others' to use it.
But to make it more interesting. Why have it written down on paper? You know, a code that can be read like words?
Maybe this is just trash, but it sounded really cool in my head... *sigh*...

You mean, like The International Obfuscated C Code Contest (http://www.ioccc.org/)?

Many people have tried different variations on making code complicated or more difficult to read. That contest has been around for a long time, and if you look through some of the entries, you will find a lot of code that is difficult to read.

Having code that is hard to follow because of the names used for identifiers is probably amaturish in this contest-- though it may appear in addition to other techniques.

Look through some of the winners' code, and see what I am writing about.

[Added content:]
Examples:
http://www0.us.ioccc.org/2004/anonymous.c
http://www0.us.ioccc.org/2004/arachnid.c
http://www0.us.ioccc.org/2004/newbern.c
http://www0.us.ioccc.org/2004/gavare.c

You mean, like The International Obfuscated C Code Contest (http://www.ioccc.org/)?

Many people have tried different variations on making code complicated or more difficult to read. That contest has been around for a long time, and if you look through some of the entries, you will find a lot of code that is difficult to read.

Having code that is hard to follow because of the names used for identifiers is probably amaturish in this contest-- though it may appear in addition to other techniques.

Look through some of the winners' code, and see what I am writing about.

Thanks for encouraging him.

Thanks for encouraging him.
I would say, "I'm all about the service," but that is owned by Chris.

Here's is my point:
The contest is 18 years old. The idea to have a contest where obfuscated code is used, is not at all new-- it may even be older than the poster.

(See the examples added to the post above.)

I would say, "I'm all about the service," but that is owned by Chris.

Here's is my point:
The contest is 18 years old. The idea to have a contest where obfuscated code is used, is not at all new-- it may even be older than the poster.

(See the examples added to the post above.)

1) Chris stole that quote from me

Here is my point:
All his post today have reaked of fucktardity. Encouraging his idea's without discussing the merits of good code is doing a disservice to him and the community.

And really, I kinda expect more outta you.

1) Chris stole that quote from me
That is not what he says. I have a document that says he owns the IP for that quote. He added a b unch of space so he could copyright it too. ]:>

Here is my point:
All his post today have reaked of fucktardity. Encouraging his idea's without discussing the merits of good code is doing a disservice to him and the community.
I am actually a fan of the obfuscated C code contest. They are fun puzzles to try to decipher-- just so long as they are not in projects by co-workers in projects at work.
If he is a tard, then he will receive more than enough comments telling him/her so, that my contribution will be a drop of water in the ocean.

And really, I kinda expect more outta you.
Thanks mom.
That is the story of my life.

I was just thinking about the fact that most of us deal with code a lot.

Why not build your own, and try and build it complicated so that way it is difficult to for 'others' to use it.

Here, let me cut out the middleman: http://www.x.org/download.cgi

And if that one's not confusing enough, let's try ftp://ftp.xfree86.org/pub/XFree86/4.5.0/source/

But to make it more interesting. Why have it written down on paper? You know, a code that can be read like words?

Punchcards. Punchcards with no sequence numbering.

(Actually, what you're talking about is pseudocode (http://perl.about.com/od/beginningperl/a/072604.htm), one of those things that's a great idea in theory and not so hot when it comes to implementation time.)

Id say something in brainfuck would be the most obscure.

Otherwise, if you see this line in the BSD or Linux kernel:

/* You are not expected to understand this */

Then its probably obscure code.

All his post today have reaked of fucktardity. Encouraging his idea's without discussing the merits of good code is doing a disservice to him and the community.


I think his idea was vaild. The obfuscated C code contest is quite intresting I think...
There's a new one that they just started...
http://www.brainhz.com/underhanded/

"Inspired by Daniel Horn's Obfuscated V contest in the fall of 2004, we hereby announce an annual contest to write innocent-looking C code implementing malicious behavior. "

This is an excellent example of how a contest like this can improve security overall.

Fucktardity? I don't think so.
At least he was thinking in the right 'direction', or thinking even...

I was just thinking about the fact that most of us deal with code a lot.

Why not build your own, and try and build it complicated so that way it is difficult to for 'others' to use it.

But to make it more interesting. Why have it written down on paper? You know, a code that can be read like words?

Maybe this is just trash, but it sounded really cool in my head... *sigh*...

All I can say is that you don't deal with code enough.

Security through obscurity - isn't. Not only that, but added complexity and confusion makes it much more likely that security issues will be introduced in maintenance if they aren't there already.

I'll take clean maintainable code over 'cleverness' any day - and somebody that can articulate their ideas clearly over the endlessly baroque.

Why not just call it the 'Perl Programming Contest' ?

;)

Mad props for that

I gave you a few days to read his other posting before I flamed you. You chose not to, so I don't feel bad about it.

I think his idea was vaild. The obfuscated C code contest is quite intresting I think...
There's a new one that they just started...
http://www.brainhz.com/underhanded/

His idea wasn't for something along the line of the obfuscated C code contest. It really irks me that some of the "regulars" on this forum are either too stupid or too lazy to look at someones other recent posting and extrapolate the meaning of this post.


This is an excellent example of how a contest like this can improve security overall.


He's not try to improve security, if you take this posting with the other one he was posting in at the same time (where he told thorn and I that underground technology would "take down the man").... well, I would hope you would be smart enough to see what he was getting at, but I could be mistaken and might give you more credit then you deserve.


Fucktardity? I don't think so.
At least he was thinking in the right 'direction', or thinking even...

Fucktardity is exactly what it is, and this posting puts you right in line next to him.

He was thinking in the right 'direction'. He was thinking in the "uber-leet, lets hack the gibson, money is bad and hax0rs rule" frame of mind.

So in closing.. Think before you speak.... bitch.


edit:

This was the conversation I was refering to that was happening at the same time (check times and dates): http://forums.datamerica.com/showthread.php?t=5815

Security through obscurity - isn't. Not only that, but added complexity and confusion makes it much more likely that security issues will be introduced in maintenance if they aren't there already.


Who talked about security here? He was just talking of playing with code...

Why are people just bashing? :shock:

Security through obscurity work well, as long as it's secure in the first place...

You use password right? What about releasing all your password since obscurity is't helping your security anyway?

You use password right? What about releasing all your password since obscurity is't helping your security anyway?

Yep. I tend to say, "Security by obscurity is generally not security at all."

Another example of where it seems to help is the new-ish randomization of addresses used by a program each time it starts-up to defeat certain remote exploits through buffer overrun and stack execution on services.

In such a case, it decreases the risk, but does not eliminate it, and local attacks may still be possible if a user has access to (eg *NIX) /proc information for that process -- but then they would be local, and have higher privs anyway, to do more damage.

We hear "Security by layers" and obscurity can be added as an often weaker layer-- just so long as it is not the only layer.

Another example? Keys for physical locks work under a similar principle. The key-code for making a duplicate key is like a password-- obscure information. Then there is picking of locks...

Locks and keys could be considered security by obscurity, but I still use 'em. ;-)

Locks and keys could be considered security by obscurity, but I still use 'em. ;-)

I believe in this example however, security by obscurity would include hiding the key under the mat.

I believe in this example however, security by obscurity would include hiding the key under the mat.

Ooo! Laytered obscurity! (hah hah)

I gave you a few days to read his other posting before I flamed you. You chose not to, so I don't feel bad about it.

Do I really need to be 'flamed'? Just cuz you look bad in this thread doesn't mean you need to 'push back'. I hope others can see how you aimed to get a 'jab' in where you could to make me look bad for the sake of nothing but making my future posts unimportiant.


His idea wasn't for something along the line of the obfuscated C code contest. It really irks me that some of the "regulars" on this forum are either too stupid or too lazy to look at someones other recent posting and extrapolate the meaning of this post.

I just gave him a lot more credit than the typical "show me how to hack my friends hotmail" or "I need you to get me back into this WOW clan forum so I can downloadz0r teh cheeets"
Sure he's uninformed, but he's a lot better than some.
I don't really feel like researching other peoples extra motives when asking a question. I guess you could call that lazy, but I don't think so.... My responce was more just to add that link so others could find more information about a contest like we had started to discuss.


He's not try to improve security, if you take this posting with the other one he was posting in at the same time (where he told thorn and I that underground technology would "take down the man").... well, I would hope you would be smart enough to see what he was getting at, but I could be mistaken and might give you more credit then you deserve.

Fucktardity is exactly what it is, and this posting puts you right in line next to him.

He was thinking in the right 'direction'. He was thinking in the "uber-leet, lets hack the gibson, money is bad and hax0rs rule" frame of mind.


You could be making unsubstatiated assumptions here.. but maybe im not giving you much credit. I'm write in "line" next to him? Line of what.... and just because I didn't go and research a possibility he could've been thinking something else when he wrote this, before I replied... makes me now on the same level as him? ...... whatever you say.

Think before you speak.... bitch.

Wow.. I think that was a little over the top. I've met you in person, and I don't think you'd talk to me like this if we were face to face. I used to think you were an OK guy, but now I just think your a real jerk. Nice signature too, I love how I never said any of that.

We hear "Security by layers" and obscurity can be added as an often weaker layer-- just so long as it is not the only layer.

Another example? Keys for physical locks work under a similar principle. The key-code for making a duplicate key is like a password-- obscure information. Then there is picking of locks...

I'm sure that you understand this, TheCotMan, but I don't anyone to think that keeping a password (or key) private is what Bruce meant by "security through obscurity" (trust me, it is a common mistake). The obscurity refers to the design and implementation of the system.

With respect to stack mangling/changing, we are not talking about security through obscurity since the method and technique for the mangling is completely open.

I'm sure that you understand this, TheCotMan, but I don't anyone to think that keeping a password (or key) private is what Bruce meant by "security through obscurity" (trust me, it is a common mistake).
[Going to be revising this to make it shorter]

This is one of the reasons why I used lots of words with posts-- lots of qualifiers and exceptions. :-)

Given: There exists a general definition for "obscurity" that applies not just to computer science, but also to other fields fo science.

Appropriate assignment of this definition to specific events or objects is subjective.

However, even though the person may be making the subjective claim, they will be able to discern that something either is, or is not obscure and give us an opinion-based objective response. (Even if it takes several qualifiers to get such a response.)

I view a password as something that is obscure, just like key codes for to make keys to open specific physical locks and passphrases to unlock access restrictions and even address randomization of processes on load. (Subjective)

Going further, even "who you are" (biometrics) is a secret of sorts. Somethng based just on genetics is a secret too. These don't work when the interface for the system acquiring the data is not secure.

"Something you can do" is partly a secret. Performance tests can sometimes be learned, and this allows some of these to be categorized as obscure too.

Are these secure? They are all based on the idea of a secret, or something that is hidden. They all rely upon an existing system in order to decrease security risks. (Mentioned by dataworm above)

A modification to hardware to have a processor support noexec pages/segments, along with and OS support for the same is not necessarily obscure. There is no secret. There is nothing hidden. So long as this system does what it claims, there is no "secret" that can be guessed to make the system execute instructions in noexec-space-- no amount of brute force, or intelligent guessing either. This remains "secure" so long as the other parts of the OS that might permit enabling/disabling of this are not compromised.

Then what is our discussion over? It is over a definition. Does obscure apply to secrets? Does it only apply to secrets in the realm of design and implementation? Why or why not? How can application of the word "obscure" be described so everyone can follow it ]:>

What I am saying is that obscurity itself does't make a system insecure. If the system is secure and is obscure, it will defeat a good number of people that could had found a flaw in the system, because no system is totally secure. So if no system is totally secure obscurity does't make a system totally secure.

Anyway without obscurity it would't be fun! Long life to security by obscurity :D

/me go hide in the shadow :evil:

Anyway without obscurity it would't be fun! Long life to security by obscurity :D
That's it.
/me weilds dead chicken as primary weapon.

/me go hide in the shadow :evil:
Ah! Your location is just a secret. You are trying to use obscurity to gain security. I'll find you yet, and this dead chicken has your name on it!
]:>

That's it.
/me weilds dead chicken as primary weapon.


Ah! Your location is just a secret. You are trying to use obscurity to gain security. I'll find you yet, and this dead chicken has your name on it!
]:>

Please can you stop your voodoo, I beg you!

Ok I admit, I was trooling! Now see I got punish, my boss assigned me to do that article about Security by obscurity(Still I am sure I'll have alot of fun workign on it)... I bet he is reading this forum :redface:

Oh well don't get me wrong, my boss is really the best boss you can get, he is nice, really cool, and genearous of his person, he also allow me to take yet some more vacation to go to defcon :cool:

Please can you stop your voodoo, I beg you!
Of course. I needed to sharpen my dead chicken anyway.
/me sheaths the dead chicken.

Ok I admit, I was trooling! Now see I got punish, my boss assigned me to do that article about Security by obscurity(Still I am sure I'll have alot of fun workign on it)... I bet he is reading this forum :redface:
Doh!

Oh well don't get me wrong, my boss is really the best boss you can get, he is nice, really cool, and genearous of his person...
Yep. You write this after you write that you suspect your boss is reading the forums? Have you been taking Social Engineering lessons from Siviak? ]:>