CTFE and DI: The Crossroads of D

Thu May 10 00:50:42 PDT 2012

From: "H. S. Teoh" <hsteoh at quickfur.ath.cx>
> On Wed, May 09, 2012 at 10:24:48PM -0400, Nick Sabalausky wrote:
>
>> Believing binary libs are more secure than that is just simply
>> incorrect, period, opinion doesn't enter into it. 2+2 *is* 4 whether
>> you believe it or not. Life isn't looney tunes, you don't walk on air
>> just because nobody taught you gravity. Etc.
>
> Well, it's not *that* black and white. Technically speaking, door locks
> are useless because somebody determined enough to break into your house
> will find a way (smash the lock or find a different entrance), no matter
> what you do. That doesn't imply that you should just forget about door
> locks (or doors, for that matter). A door lock isn't secure, technically
> speaking, but it still keeps out the petty thieves. Doesn't stop the
> professionals, but then 90% of thieves aren't professional. Ineffective
> as it is, door locks do still keep out 90% of would-be breakers into
> your house. So I'd say there's some value to be had there.
>
> Binary libs *aren't* secure, if you're talking about ultimate security.
> [...]
>
> Of course, there are a whole lot of other issues with binary-only
> distributions[...] But that doesn't mean some people don't find value in
> it.
>

Right, I just meant specifically "well-obfuscated source" vs "non-encrypted
compiled binaries". (And then I started ranting and raving and rambling ;)
Hey, the three R's!)

> (read Richard Stallman's biography for poignant examples
> of that, etc.) -- which is why I don't believe in binary-only
> distributions.

I haven't read it (I'm afraid I'll agree with it *so much* that it'll just
piss me off too much thinking about closed source and I wouldn't be able to
get anything done for the rest of the day ;) ), but I've heard a little
about it, and I think I'm pretty much on the same page. Basically,
binary-only hurts your customers (for various reasons I won't list here),
*really* hurts then if (erm..."when") you ever go under or just loose
interest in the product, and it doesn't provide you with nearly as much
benefit as it would seem (the binary itself can just be passed around, most
people are honest as long as you don't give them reason not to be, and the
dishonest people will be dishonest no matter what you do, etc.).

Actually, here's a great example of the evils of closed...well, the evils of
closed *platforms* which IMNSHO are 100x worse than merely "closed source
software":

http://www.techdirt.com/articles/20120326/08360818246/patents-threaten-to-silence-little-girl-literally.shtml

>
> [...]
>> So source vs binary doesn't make a damn bit of difference, period - if
>> all you have is the binary, well, to use it you just *run* it! You
>> don't need *any* sources to use it. You just use it. The only thing
>> that can even make any difference is encryption (which still isn't
>> truly "secure").
>
> Encryption only slows them down. It doesn't stop them if they are
> determined enough.
>
> And sometimes you don't *need* to break the encryption.  The fact that
> the CPU eventually sees the decrypted code is good enough.  I've
> personally traced encrypted bootloaders myself -- by running pieces of
> them in what's effectively a crude sandbox of sorts, allowing them to
> decrypt themselves/the subsequent stage and passing control back to me
> each time, thus alleviating any need of breaking the encryption in the
> first place.  Remember, as long as it can run on your CPU, it can be
> reverse-engineered. You're just keeping out the petty thieves;
> determined professionals will break in no matter what you do.
>

Oh right, totally agree. Like I wads saying, all it can do is make *some*
difference (unlike "well-obfuscated source" vs "non-encrypted compiled
binaries"), and not actually be truly secure.

But there are systems that are real PITA with encryption though: For
example, the RockBox project never did (last I checked) manage to crack the
Zune or the particular model of Toshiba Gigibeat the Zune was derived from
(the "S" I think), and a big part of that was b/c of some nasty DRM/security
measures that were built into the hardware itself, unlike a normal x86 for
example. So you couldn't just do some simple man-in-the-middle like you
described. Of course, game systems have hardware-level DRM/securtity too and
they always get cracked, but they're much more popular than the Zune ever
was (Which is a shame, I would have considered the original Zune 1 (not the
shitty second one) to be the world's most perfect music player if it weren't
for Apple-inspired truckload of DRM/lockout bullshit that was involved
anytime you wanted it to communicate with a computer). Point being, consumer
devices with hardware-level DRM/security fucking suck ;)

>
>> And for that matter, nobody's algorithms are proprietary. Code is
>> proprietary. 99.9999999...9999999% of algorithms are not. For example,
>> wrapping some action in a foreach to make a batch processor and adding
>> an option box to enable it is not a fucking proprietary algorithm no
>> matter what the suits and the subhuman USPTO fuckwads think.
>> Real-world example: There isn't a fucking thing proprietary in
>> Marmalade's MKB build system (it's a stinking *build system* for fucks
>> sake!).
>
> Well, that's a different kettle o' fish. There are a lot of idiotic
> patents out there (blame the PTO, blame the system, blame incompetent
> employees, blame whatever). Personally, I hate the system, but there are
> companies whose livelihood depends on keeping their l'il precious algos
> safe under the covers. (Even if it's something known for 20 years in the
> industry save to the one programmer of questionable repute who
> re-invented it (poorly) under the auspices of said company.) I don't
> believe in that kind of business model, but unfortunately many people
> do.  It's a sad fact that in this day and age, patent-squatting is a
> widespread practice in the IT sector. I've even heard that some
> investors consider patent portfolio to be an important factor in a
> company's value -- i.e., the more patents you hold, the more valuable
> you are.
>

Yea, the fact this shit is even *allowed* to exist in a
*cough*"modern"*cough* society makes my blood boil. I know corporation are
legal entities, but for sanity (let alone anything as luxurious as justice)
to prevail, "corporate entities" must be deemed second-class citizens, at
best. Meh, I usually try not to think about it just so I can actually get
things done. And then I bitch about it at every opportunity ;)

> Yeah, life sucks. Deal with it.
>

Life sucks. Suits and corporations suck worse.

>> [...] *Only* thing it does is make it impractical for me to work
>> around any problems I encounter.
> [...]
>
> Yeah, it doesn't solve the theft problem and screws over your customers.
> What else is new in the corporate world?
>

That's why I *looove* OSS. Well, that and the fact that that if you want
software that *just fucking works right* period, then 9 times out of 10 the
only place it exists is the OSS scene (My current theory is that's b/c OSS
projects are managed by developers rather than suits...but there's my
venomous rantyness seeping in again ;) ).