Python obfuscation

Bengt Richter bokr at oz.net
Fri Nov 18 01:58:52 CET 2005


On Thu, 17 Nov 2005 10:53:24 -0800, aleax at mail.comcast.net (Alex Martelli) wrote:

>Anton Vredegoor <anton.vredegoor at gmail.com> wrote:
[...]
>> The idea of using a webservice to hide essential secret parts of your
>> application can only work well if one makes some random alterations to
>> the results of the queries. Like GPS signals that are deliberately made
>
>I disagree on this general statement and I have already given two
>counterexamples:
I agree with your disagreement in general, but I think Antoon may be
alluding to the "covert channel" problem, where sometimes randomization
of an external observable is a defense. E.g., if a web site login process
responds faster with a rejection of a bad user name (i.e. is not in the authorized
user list) than it does for a valid user name and a bad password, the timing
difference can be used over time to eke out the private user name list, and
make subsequent password attacks that much easier.

The time difference of course will be degraded with noise, but if the signal
is there (user is/isn't valid), it can be extracted, given time for
statistics -- which of course leads to the defense of only so many
tries per some time interval per username. The point re radomization
is that in this example the covert information channel is variation in time
and after introducing enough artifical delay in the faster paths to make all
approximately equal, an added random delay can pretty much wipe out the channel.

As to covert channels revealing the particulars of a secret algorithm used
to calculate optimum wood cutting or do excellent weather prediction, I'd
say social engineering is probably an easier attack, and a well designed
sequence of problems presented to the wood cutting site would probably
have more information in the answers than in any other observables I can think of.

Which perhaps gets towards Antoon's point (or my projection thereof ;-) -- i.e.,
that the anwers provided in an experimental probe of an algorithm are "signal"
for what you want to detect, and randomization may put noise in the signal to
defeat detection (even though enough noise might make the algorithm output unsaleable ;-)

>
>a. a webservice which, for some amount X of money, gives an excellent
>heuristic estimate of a good cutting-path for a woodcutting tool (for a
>set of shapes to be cut out of standard-sized planks of wood by a
>numerically driven cutter): this is a case where ESR, acting as a
>consultant, advised his clients (who had developed a heuristic for this
>task which saved a lot of wood compared to their competitors') to keep
>their code closed-source, and it makes a good use case for the "hide
>essential secret parts" in general;
>
>b. a (hypothetical) website that, given time-space coordinates (and some
>amount Y of money), produces and returns weather predictions that are
>better than those you can get from its competitors.
>
>It appears to me that any application of this kind could work well
>without at all "making random alterations" to whatever.  Point is, if
>you develop a better algorithm (or, more likely, heuristic) for good
>solutions to such problems, or predictions of just about anything which
>might have economic value to somebody, using a webservice to hide the
>essential secret parts of your discovery is an option, and it might be a
>preferable alternative to relying on patents (since software patents may
>not be enforceable everywhere in the world, and even where they're
>nominally enforceable it could prove problematic and costly to actually
>deter all would-be competitors from undercutting you).  I do not see
>anything in your post that contradicts this, except the bare unsupported
>assertion that a webservice "can only work well if one makes random
>alterations".
Yes, IMO that was an overgeneralization of an idea that may however have
some actual narrow applicability.
>
>> But the more one messes with the ideal output the more often the user
>> will rather click another link. (or launch another satellite)
>
>Of course.  If my "better weather predictor" is in fact based not on
>inventing some new algorithm/heuristic, but on having better or more
>abundant raw data due to my private network of satellites or other
>observation platforms, this doesn't change the economic situation by all
>that much (except that patenting may not even be an option in the latter
>case, if there's no patentable innovation in that private network); a
>competitor *could* reach or surpass my predictions' quality by investing
>enough to re-develop the heuristic or duplicate the sensors-network.
>So, my pricing should probably take that risk into account.
>
>Deliberately giving predictions worse than I could have given, in this
>context, seems a deliberate self-sabotage without any return.
>
>> what's the current exchange rate for clicks and dollars?
>
>As far as I know, it varies wildly depending on the context, but I
>suspect you can find ranges of estimates on the web.
>
The growth of virtual worlds with virtual money and virtual/"real"
currency exchange is interesting. People are actually making real
money investing in and developing virtual real estate and selling
virtual currency profits for real-world money ;-)

Regards,
Bengt Richter



More information about the Python-list mailing list