From: "H. S. Teoh" <[email protected]> > On Wed, May 09, 2012 at 10:24:48PM -0400, Nick Sabalausky wrote: > >> Believing binary libs are more secure than that is just simply >> incorrect, period, opinion doesn't enter into it. 2+2 *is* 4 whether >> you believe it or not. Life isn't looney tunes, you don't walk on air >> just because nobody taught you gravity. Etc. > > Well, it's not *that* black and white. Technically speaking, door locks > are useless because somebody determined enough to break into your house > will find a way (smash the lock or find a different entrance), no matter > what you do. That doesn't imply that you should just forget about door > locks (or doors, for that matter). A door lock isn't secure, technically > speaking, but it still keeps out the petty thieves. Doesn't stop the > professionals, but then 90% of thieves aren't professional. Ineffective > as it is, door locks do still keep out 90% of would-be breakers into > your house. So I'd say there's some value to be had there. > > Binary libs *aren't* secure, if you're talking about ultimate security. > [...] > > Of course, there are a whole lot of other issues with binary-only > distributions[...] But that doesn't mean some people don't find value in > it. >
Right, I just meant specifically "well-obfuscated source" vs "non-encrypted compiled binaries". (And then I started ranting and raving and rambling ;) Hey, the three R's!) > (read Richard Stallman's biography for poignant examples > of that, etc.) -- which is why I don't believe in binary-only > distributions. I haven't read it (I'm afraid I'll agree with it *so much* that it'll just piss me off too much thinking about closed source and I wouldn't be able to get anything done for the rest of the day ;) ), but I've heard a little about it, and I think I'm pretty much on the same page. Basically, binary-only hurts your customers (for various reasons I won't list here), *really* hurts then if (erm..."when") you ever go under or just loose interest in the product, and it doesn't provide you with nearly as much benefit as it would seem (the binary itself can just be passed around, most people are honest as long as you don't give them reason not to be, and the dishonest people will be dishonest no matter what you do, etc.). Actually, here's a great example of the evils of closed...well, the evils of closed *platforms* which IMNSHO are 100x worse than merely "closed source software": http://www.techdirt.com/articles/20120326/08360818246/patents-threaten-to-silence-little-girl-literally.shtml > > [...] >> So source vs binary doesn't make a damn bit of difference, period - if >> all you have is the binary, well, to use it you just *run* it! You >> don't need *any* sources to use it. You just use it. The only thing >> that can even make any difference is encryption (which still isn't >> truly "secure"). > > Encryption only slows them down. It doesn't stop them if they are > determined enough. > > And sometimes you don't *need* to break the encryption. The fact that > the CPU eventually sees the decrypted code is good enough. I've > personally traced encrypted bootloaders myself -- by running pieces of > them in what's effectively a crude sandbox of sorts, allowing them to > decrypt themselves/the subsequent stage and passing control back to me > each time, thus alleviating any need of breaking the encryption in the > first place. Remember, as long as it can run on your CPU, it can be > reverse-engineered. You're just keeping out the petty thieves; > determined professionals will break in no matter what you do. > Oh right, totally agree. Like I wads saying, all it can do is make *some* difference (unlike "well-obfuscated source" vs "non-encrypted compiled binaries"), and not actually be truly secure. But there are systems that are real PITA with encryption though: For example, the RockBox project never did (last I checked) manage to crack the Zune or the particular model of Toshiba Gigibeat the Zune was derived from (the "S" I think), and a big part of that was b/c of some nasty DRM/security measures that were built into the hardware itself, unlike a normal x86 for example. So you couldn't just do some simple man-in-the-middle like you described. Of course, game systems have hardware-level DRM/securtity too and they always get cracked, but they're much more popular than the Zune ever was (Which is a shame, I would have considered the original Zune 1 (not the shitty second one) to be the world's most perfect music player if it weren't for Apple-inspired truckload of DRM/lockout bullshit that was involved anytime you wanted it to communicate with a computer). Point being, consumer devices with hardware-level DRM/security fucking suck ;) > >> And for that matter, nobody's algorithms are proprietary. Code is >> proprietary. 99.9999999...9999999% of algorithms are not. For example, >> wrapping some action in a foreach to make a batch processor and adding >> an option box to enable it is not a fucking proprietary algorithm no >> matter what the suits and the subhuman USPTO fuckwads think. >> Real-world example: There isn't a fucking thing proprietary in >> Marmalade's MKB build system (it's a stinking *build system* for fucks >> sake!). > > Well, that's a different kettle o' fish. There are a lot of idiotic > patents out there (blame the PTO, blame the system, blame incompetent > employees, blame whatever). Personally, I hate the system, but there are > companies whose livelihood depends on keeping their l'il precious algos > safe under the covers. (Even if it's something known for 20 years in the > industry save to the one programmer of questionable repute who > re-invented it (poorly) under the auspices of said company.) I don't > believe in that kind of business model, but unfortunately many people > do. It's a sad fact that in this day and age, patent-squatting is a > widespread practice in the IT sector. I've even heard that some > investors consider patent portfolio to be an important factor in a > company's value -- i.e., the more patents you hold, the more valuable > you are. > Yea, the fact this shit is even *allowed* to exist in a *cough*"modern"*cough* society makes my blood boil. I know corporation are legal entities, but for sanity (let alone anything as luxurious as justice) to prevail, "corporate entities" must be deemed second-class citizens, at best. Meh, I usually try not to think about it just so I can actually get things done. And then I bitch about it at every opportunity ;) > Yeah, life sucks. Deal with it. > Life sucks. Suits and corporations suck worse. >> [...] *Only* thing it does is make it impractical for me to work >> around any problems I encounter. > [...] > > Yeah, it doesn't solve the theft problem and screws over your customers. > What else is new in the corporate world? > That's why I *looove* OSS. Well, that and the fact that that if you want software that *just fucking works right* period, then 9 times out of 10 the only place it exists is the OSS scene (My current theory is that's b/c OSS projects are managed by developers rather than suits...but there's my venomous rantyness seeping in again ;) ).
