Most complicated code

  • highwizard

    #16
    I gave you a few days to read his other posting before I flamed you. You chose not to, so I don't feel bad about it.

    Originally posted by dYn4mic
    I think his idea was valid. The obfuscated C code contest is quite interesting I think...
    There's a new one that they just started...
    http://www.brainhz.com/underhanded/
    His idea wasn't for something along the line of the obfuscated C code contest. It really irks me that some of the "regulars" on this forum are either too stupid or too lazy to look at someone's other recent posting and extrapolate the meaning of this post.

    This is an excellent example of how a contest like this can improve security overall.
    He's not trying to improve security, if you take this posting with the other one he was posting in at the same time (where he told thorn and I that underground technology would "take down the man").... well, I would hope you would be smart enough to see what he was getting at, but I could be mistaken and might give you more credit than you deserve.

    Fucktardity? I don't think so.
    At least he was thinking in the right 'direction', or thinking even...
    Fucktardity is exactly what it is, and this posting puts you right in line next to him.

    He was thinking in the right 'direction'. He was thinking in the "uber-leet, lets hack the gibson, money is bad and hax0rs rule" frame of mind.

    So in closing.. Think before you speak.... bitch.


    edit:

    This was the conversation I was referring to that was happening at the same time (check times and dates): http://forums.datamerica.com/showthread.php?t=5815
    Last edited by Guest; July 10, 2005, 21:44. Reason: added link


    • dataworm
      Member
      • Jun 2002
      • 315

      #17
      Originally posted by cat
      Security through obscurity - isn't. Not only that, but added complexity and confusion makes it much more likely that security issues will be introduced in maintenance if they aren't there already.
      Who talked about security here? He was just talking of playing with code...

      Why are people just bashing?

      Security through obscurity works well, as long as it's secure in the first place...

      You use passwords, right? What about releasing all your passwords since obscurity isn't helping your security anyway?
      /* NO COMMENT */


      • TheCotMan
        *****Retired *****
        • May 2004
        • 8857

        #18
        Originally posted by dataworm
        You use passwords, right? What about releasing all your passwords since obscurity isn't helping your security anyway?
        Yep. I tend to say, "Security by obscurity is generally not security at all."

        Another example of where it seems to help is the new-ish randomization of addresses used by a program each time it starts up to defeat certain remote exploits through buffer overrun and stack execution on services.

        In such a case, it decreases the risk, but does not eliminate it, and local attacks may still be possible if a user has access to (eg *NIX) /proc information for that process -- but then they would be local, and have higher privs anyway, to do more damage.

        We hear "Security by layers" and obscurity can be added as an often weaker layer-- just so long as it is not the only layer.

        Another example? Keys for physical locks work under a similar principle. The key-code for making a duplicate key is like a password-- obscure information. Then there is picking of locks...

        Locks and keys could be considered security by obscurity, but I still use 'em. ;-)


        • astcell
          Human Rights Issuer
          • Oct 2001
          • 7512

          #19
          Originally posted by TheCotMan
          Locks and keys could be considered security by obscurity, but I still use 'em. ;-)
          I believe in this example however, security by obscurity would include hiding the key under the mat.


          • TheCotMan
            *****Retired *****
            • May 2004
            • 8857

            #20
            Originally posted by astcell
            I believe in this example however, security by obscurity would include hiding the key under the mat.
            Ooo! Layered obscurity! (hah hah)


            • dYn4mic
              technologist
              • Jan 2004
              • 315

              #21
              Originally posted by highwizard
              I gave you a few days to read his other posting before I flamed you. You chose not to, so I don't feel bad about it.
              Do I really need to be 'flamed'? Just cuz you look bad in this thread doesn't mean you need to 'push back'. I hope others can see how you aimed to get a 'jab' in where you could to make me look bad for the sake of nothing but making my future posts unimportant.

              Originally posted by highwizard
              His idea wasn't for something along the line of the obfuscated C code contest. It really irks me that some of the "regulars" on this forum are either too stupid or too lazy to look at someone's other recent posting and extrapolate the meaning of this post.
              I just gave him a lot more credit than the typical "show me how to hack my friends hotmail" or "I need you to get me back into this WOW clan forum so I can downloadz0r teh cheeets"
              Sure he's uninformed, but he's a lot better than some.
              I don't really feel like researching other people's extra motives when asking a question. I guess you could call that lazy, but I don't think so.... My response was more just to add that link so others could find more information about a contest like we had started to discuss.

              Originally posted by highwizard
              He's not trying to improve security, if you take this posting with the other one he was posting in at the same time (where he told thorn and I that underground technology would "take down the man").... well, I would hope you would be smart enough to see what he was getting at, but I could be mistaken and might give you more credit than you deserve.

              Fucktardity is exactly what it is, and this posting puts you right in line next to him.

              He was thinking in the right 'direction'. He was thinking in the "uber-leet, lets hack the gibson, money is bad and hax0rs rule" frame of mind.
              You could be making unsubstantiated assumptions here.. but maybe I'm not giving you much credit. I'm right in "line" next to him? Line of what.... and just because I didn't go and research a possibility he could've been thinking something else when he wrote this, before I replied... makes me now on the same level as him? ...... whatever you say.
              Originally posted by highwizard
              Think before you speak.... bitch.
              Wow.. I think that was a little over the top. I've met you in person, and I don't think you'd talk to me like this if we were face to face. I used to think you were an OK guy, but now I just think you're a real jerk. Nice signature too, I love how I never said any of that.
              The only constant in the universe is change itself


              • Voltage Spike
                Ce n'est pas un personne
                • Jun 2004
                • 1049

                #22
                Originally posted by TheCotMan
                We hear "Security by layers" and obscurity can be added as an often weaker layer-- just so long as it is not the only layer.

                Another example? Keys for physical locks work under a similar principle. The key-code for making a duplicate key is like a password-- obscure information. Then there is picking of locks...
                I'm sure that you understand this, TheCotMan, but I don't want anyone to think that keeping a password (or key) private is what Bruce meant by "security through obscurity" (trust me, it is a common mistake). The obscurity refers to the design and implementation of the system.

                With respect to stack mangling/changing, we are not talking about security through obscurity since the method and technique for the mangling is completely open.


                • TheCotMan
                  *****Retired *****
                  • May 2004
                  • 8857

                  #23
                  Originally posted by Voltage Spike
                  I'm sure that you understand this, TheCotMan, but I don't want anyone to think that keeping a password (or key) private is what Bruce meant by "security through obscurity" (trust me, it is a common mistake).
                  [Going to be revising this to make it shorter]

                  This is one of the reasons why I used lots of words with posts-- lots of qualifiers and exceptions. :-)

                  Given: There exists a general definition for "obscurity" that applies not just to computer science, but also to other fields of science.

                  Appropriate assignment of this definition to specific events or objects is subjective.

                  However, even though the person may be making the subjective claim, they will be able to discern that something either is, or is not obscure and give us an opinion-based objective response. (Even if it takes several qualifiers to get such a response.)

                  I view a password as something that is obscure, just like key codes to make keys to open specific physical locks and passphrases to unlock access restrictions and even address randomization of processes on load. (Subjective)

                  Going further, even "who you are" (biometrics) is a secret of sorts. Something based just on genetics is a secret too. These don't work when the interface for the system acquiring the data is not secure.

                  "Something you can do" is partly a secret. Performance tests can sometimes be learned, and this allows some of these to be categorized as obscure too.

                  Are these secure? They are all based on the idea of a secret, or something that is hidden. They all rely upon an existing system in order to decrease security risks. (Mentioned by dataworm above)

                  A modification to hardware to have a processor support noexec pages/segments, along with OS support for the same is not necessarily obscure. There is no secret. There is nothing hidden. So long as this system does what it claims, there is no "secret" that can be guessed to make the system execute instructions in noexec-space-- no amount of brute force, or intelligent guessing either. This remains "secure" so long as the other parts of the OS that might permit enabling/disabling of this are not compromised.

                  Then what is our discussion over? It is over a definition. Does obscure apply to secrets? Does it only apply to secrets in the realm of design and implementation? Why or why not? How can application of the word "obscure" be described so everyone can follow it ]:>
                  Last edited by TheCotMan; July 11, 2005, 18:56.


                  • dataworm
                    Member
                    • Jun 2002
                    • 315

                    #24
                    What I am saying is that obscurity itself doesn't make a system insecure. If the system is secure and is obscure, it will defeat a good number of people that could have found a flaw in the system, because no system is totally secure. So if no system is totally secure obscurity doesn't make a system totally secure.

                    Anyway without obscurity it wouldn't be fun! Long life to security by obscurity :D

                    /me go hide in the shadow
                    /* NO COMMENT */


                    • TheCotMan
                      *****Retired *****
                      • May 2004
                      • 8857

                      #25
                      Originally posted by dataworm
                      Anyway without obscurity it wouldn't be fun! Long life to security by obscurity :D
                      That's it.
                      /me wields dead chicken as primary weapon.

                      /me go hide in the shadow
                      Ah! Your location is just a secret. You are trying to use obscurity to gain security. I'll find you yet, and this dead chicken has your name on it!
                      ]:>


                      • dataworm
                        Member
                        • Jun 2002
                        • 315

                        #26
                        Originally posted by TheCotMan
                        That's it.
                        /me wields dead chicken as primary weapon.


                        Ah! Your location is just a secret. You are trying to use obscurity to gain security. I'll find you yet, and this dead chicken has your name on it!
                        ]:>
                        Please can you stop your voodoo, I beg you!

                        Ok I admit, I was trolling! Now see I got punished, my boss assigned me to do that article about Security by obscurity (Still I am sure I'll have a lot of fun working on it)... I bet he is reading this forum

                        Oh well don't get me wrong, my boss is really the best boss you can get, he is nice, really cool, and generous of his person, he also allows me to take yet some more vacation to go to defcon
                        /* NO COMMENT */


                        • TheCotMan
                          *****Retired *****
                          • May 2004
                          • 8857

                          #27
                          Originally posted by dataworm
                          Please can you stop your voodoo, I beg you!
                          Of course. I needed to sharpen my dead chicken anyway.
                          /me sheaths the dead chicken.

                          Ok I admit, I was trolling! Now see I got punished, my boss assigned me to do that article about Security by obscurity (Still I am sure I'll have a lot of fun working on it)... I bet he is reading this forum
                          Doh!

                          Oh well don't get me wrong, my boss is really the best boss you can get, he is nice, really cool, and generous of his person...
                          Yep. You write this after you write that you suspect your boss is reading the forums? Have you been taking Social Engineering lessons from Siviak? ]:>
