Re: Is Delphi 8 dangerous ?

From: Alessandro Federici (nomore_at_spam.forme)
Date: 11/11/03


Date: Mon, 10 Nov 2003 21:41:01 -0600


"K. Sallee" <nonomail@ecostats.com> wrote in message
news:oprye45qx6ri0is8@localhost...
On Mon, 10 Nov 2003 03:31:19 -0600, Alessandro Federici
<nomore@spam.forme> wrote:

> > What is your problem K? I'm expressing an opinion
> Which is my point.... I asked for "evidence" in my original post I
> specifically was not interested in opinions:
> I quote myself:
> " Until I see a head to head test/challenge from hackers/cracker, not just
> comments from companies selling obfuscation software, I will remain in
> this opinion."

I don't need to give you any evidence for that! I agree with you damn it!

> Ah.... this I missed since I am rather rigid about my topic. If you want
> to discuss that we should start a new thread....

Why? Now we are clear, so I think we can continue here (but if you really
want to, I am fine with a new thread).

> > I told you *why*, with a fact based on my experience, I believe the
> > algorithm that does a certain thing so much better or so much faster
> > than another is a rarity
> 1. Faster is not always the goal.
> 2. Just "enough" better or cheaper are also significant.

"Faster" is an example in lack of a more generic term that describes the
idea of something important vs what the competition has. I was thinking
PkZip and tools like that, that is why I had that term in my mind.

> > IMO in the majority of the systems people write in Delphi and I would
> > like your opinion on that.
> My opinion is again that the *majority* is not my concern. My products
> are my only concern.

It should be. Borland, MS or any other company doesn't give a damn about
*just* your needs ;-)) They look at masses.

> I did not say one is more important over another. I said that I do not
> yet believe that *obfuscation* protects any of them well or at least as
> well as Win32.

Of course.

> Also, how well Win32 protects them is also not germane.
> .Net, if anything, should be *MORE* secure since it is new and MS has
> years of security experience. But obfuscation is not making me feel this
> is true.

Agreed, especially after the Java fiasco on this side: if you make it
better, go the whole nine yards!

> Perhaps. I apologize. But I also see this discussion not relevant to my
> original post. I see your posts questioning if my original question was
> relevant, but not directly answering my question (and I do not think there
> is an answer yet for my original questions simply since I do not believe
> any real tests have been done).

No biggie. Discussions change in real life and in newsgroups. How many times
did you start talking about (i.e.) football and ended up discussing about a
totally different thing after 30 mins? <G>

[..]
> A count I can not give you, nor will I waste my time looking. Why?
> Because it is again not germane for me if there are 1 or 1 million, if
> that 1 stolen was mine. That is enough.

But if you don't know what those claims are about (at least in big %), how
do you know they are even remotely related to what you are having a problem
with? (aka source code being revealed).
Maybe *none* of those is about source code. Maybe only a few and they were
never won or lost in court. Maybe they were all about architectures and
because of that most of your citation would become (in lack of better term)
off-topic. (damn, I hope you understand what I mean.... This sentence is
really badly written <G>)

> > Why do you tell me??
> Well, you *did* reply.... :-)

Telling you I agree and asking you another question <G>

> But my question was about *obfuscation*, so it *is* the topic that matters
> to me. If you think it does not matter, you need not continue this
> discussion. I accept your point has been made.

See above note about how human beings interact in public places <G>

> > "Give me a common one using a real life example.
> And, again..... I should waste my time with circular requests since this
> was exactly what I requested initially (i.e. first) : a real life example
> of tests that obfuscation is or is not worse at security.

Dude. I asked you an example that validates your other theory, not the one
we agree upon.
Anyhow, nevermind.
A new thread to separate concepts is probably due otherwise we'll never
understand each other.

> I presented the scenario, for example sake. Now I am re-requested to
> provide a real world example to my own scenario? It is a *scenario*!!!!
> Definition: Scenario: An outline or model of an expected or supposed
> sequence of events. Read stress on *expected* and *supposed*.....

Cool but I asked for a real life "example", not a scenario <G>

> > I am not saying that .Net decompilation is not a problem [..]"
> ...and I also would like to hear *how much* of a problem it is from real
> world test.

[IMPORTANT THING]
Now we go back to the related digression: I don't think it is too much of a
problem since even having the FULL source code won't ensure somebody will be
able to come up with a valid competing product. The time needed to
understand and steal code would probably be almost as big as redoing it
from scratch but with big problems of maintainability in the long run. So,
ultimately, I believe the best "stealing" is done by copying architectures
and implementing them yourself. It's cheaper, in the long run, IMHO.
[IMPORTANT THING]

> Again: relativity. Am I supposed to accept a potentially worse option
> just because what was before it was not that great?

No, the question is if having access to code would make the job doable for
the competitors.
My take is that it won't help them too much. The time wasted understanding
your system/small app or whatever you wanna call it could be spent in better
things. The idea is what matters. Implementation (except in a few cases IMO)
is simpler than getting to the idea.

> No animosity towards you in any way. Please understand that. But I have
> concerns that have not been addressed to my satisfaction. So can we end
> this saying we just agree to disagree? I am sorry if I can not answer
> your questions to your satisfaction, but I need to get some things done
> for a client today and really can not continue with this. I will concede
> all your remaining comments and let you have the final word on the matter.

IL decompilation IS a problem. We didn't have that problem before so, in
regards to code-security, we're worse off today. No argument about this.
**BUT** (1) IL code allows us to get to a better cross-system and
cross-language integration so buys us something else and (2) I ultimately
don't think that, even if I gave my source code to a competitor I would give
him such a bigger help than by telling him what my system does in the first
place. Ideas and architectures are what make products and sell them, not
good code <G> (plenty of examples out there). Exceptions to this are
applications which do complex stuff like data compression (a fast algorithm
might be the KEY of the product and the best selling point) or alike. But
that is a rarity: most software doesn't fall in that category.

This is my summary.


