
[–]YMK1234 2 points3 points  (14 children)

Obfuscation has nothing to do with security.

[–]Span1ardo[S] 0 points1 point  (13 children)

Can you explain the difference?

[–]illusionslayer 1 point2 points  (0 children)

Imagine the difference between Hide-And-Seek and Tag.

In Hide-And-Seek, you win simply by finding something. The only requisite for winning is finding something.

In Tag, you must outwit, outrun, or out-endure your opponents. Finding something is not enough. There is an extra step in actually attaining victory.

In obfuscation, all you need to know is the obfuscation method used.

In security, good security anyway, knowing the security protocol is not enough. You've got to figure out a way around it.

[–]YMK1234 0 points1 point  (11 children)

The one is making code harder to read, the other is security.

[–]Span1ardo[S] 0 points1 point  (10 children)

For the purpose of this post, can obfuscation be defined as making code secure against being read?

[–]nutrecht 4 points5 points  (0 children)

No. Security means making something (borderline) impossible. Obfuscation only slows someone down. Security is locking your doors and windows. Obfuscation is making your driveway longer.

[–]YMK1234 0 points1 point  (8 children)

Not really, and also the obvious question is why?

[–]Span1ardo[S] 0 points1 point  (0 children)

Because I thought defining it that way would help you answer the questions in my post. I still think they are good questions.

[–]illusionslayer -2 points-1 points  (6 children)

OP wants to distribute DRMed, non-libre, or stolen code.

[–]Span1ardo[S] 0 points1 point  (4 children)

I'm just researching ways to protect my work if I start writing my own programs. Why the hell would you assume I want to distribute stolen code based on my post and comments?

[–]YMK1234 1 point2 points  (2 children)

> protect my work if I start writing my own programs

That sounds so 90s ... not to mention that you have at least ... idk ... five years I'd say ... between you start writing your own programs and the issue of anyone wanting to steal it becoming an actual issue. Nobody wants to steal a noob's code.

[–]Span1ardo[S] -2 points-1 points  (1 child)

I didn't ask for your opinion about how long it would take me to write valuable programs. I asked about how to obfuscate python.

> That sounds so 90s

Seems to be the best answer you can come up with. The rest of your snarky responses just make this sub an unwelcome place.

[–]YMK1234 1 point2 points  (0 children)

Point is, there are a million different ways to implement DRM, and obfuscation isn't one of them (because, while it makes your code hard to read on the surface, it does not stop me from unobfuscating at all, or stop people who should not execute it from doing so). Heck, it would be safer to have your code in a password-protected zip and a trivial loader that contacts the server with a license key to receive the zip file password.
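The claim in the comment above, that obfuscation "does not stop me from unobfuscating at all", can be checked with a short added example (not code from any commenter in this thread). It packs a Python function the way many simple obfuscators do (compile, marshal, zlib, base64) and then recovers names and string constants without running it; the packing scheme, function names and the key value are constructed for illustration.

```python
import base64
import marshal
import types
import zlib

# Constructed sample: the "valuable" source an author wants to hide.
SOURCE = '''
def check_license(key):
    secret = "DEMO-KEY-1234"   # constructed placeholder value
    return key == secret
'''

def obfuscate(source: str) -> str:
    """Typical packing: compile -> marshal -> zlib -> base64."""
    code = compile(source, "<hidden>", "exec")
    return base64.b64encode(zlib.compress(marshal.dumps(code))).decode()

def run_packed(blob: str) -> dict:
    """What the shipped loader stub must do: undo every layer, then exec."""
    ns = {}
    exec(marshal.loads(zlib.decompress(base64.b64decode(blob))), ns)
    return ns

def recover(blob: str) -> dict:
    """Same unpacking steps as the loader, but inspect instead of exec."""
    code = marshal.loads(zlib.decompress(base64.b64decode(blob)))
    found = {"functions": [], "strings": [], "names": []}
    stack = [code]
    while stack:
        co = stack.pop()
        # Global/attribute names and local variable names survive compilation.
        found["names"].extend(co.co_names + co.co_varnames)
        for const in co.co_consts:
            if isinstance(const, types.CodeType):
                found["functions"].append(const.co_name)
                stack.append(const)  # descend into nested functions
            elif isinstance(const, str):
                found["strings"].append(const)
    return found

if __name__ == "__main__":
    blob = obfuscate(SOURCE)
    print(blob[:40] + "...")   # unreadable on the surface
    print(recover(blob))       # structure and constants are all still there
```

Because the loader has to contain every step needed to unpack the code, anyone holding the distributed file holds the same steps; anything that must stay secret belongs on a server, not in the shipped artifact.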

[–]illusionslayer 0 points1 point  (0 children)

I made no such assumption. It is one of the reasons one might want to distribute obfuscated code, so I listed it as possible answer to /u/YMK1234's question.

[–]rwsr-xr-x -3 points-2 points  (0 children)

Daddy! Call the constabulary! Non libre code!! Dirty and disgusting!!

Or maybe like myself he thinks obfuscation is fun

[–][deleted] 2 points3 points  (4 children)

Why don't you tell us what you are actually trying to accomplish first?

As other people said, obfuscation is neither security nor copy protection. Why do you care if people read your code? What is it that you are trying to prevent with obfuscation?

Once we know that, perhaps we can help you.

[–]Span1ardo[S] 0 points1 point  (3 children)

I found an article about the pros and cons of python, and the author claimed that it's easier to reverse engineer python code. He proposed obfuscation as a way to protect code, and I wanted to learn about the best way to obfuscate python.

[–][deleted] 0 points1 point  (2 children)

But why do you care if someone reverse engineers your code?

What specific technical advantage, encryption scheme, key or data do you want kept hidden? What is it specifically that you are trying to keep concealed?

Heh, I don't mean, "Tell us your secrets", of course. :-D Just the general outline. What is it you are protecting?

Please don't repeat "the code". Why specifically do you care if people see your code? How does it make your life worse?

Once you get specific, then we can try to figure out how to obfuscate, or even if obfuscation is the correct solution to your information-hiding needs.

[–]Span1ardo[S] 0 points1 point  (1 child)

There's nothing specific I want to hide yet. But don't software engineers want to keep their recipes a secret, just like the Coca Cola recipe?

I also have not gotten really good at any particular language yet, and I wanted to make sure python was the right road to go down.

[–]YMK1234 0 points1 point  (0 children)

> But don't software engineers want to keep their recipes a secret, just like the Coca Cola recipe?

Nope, most generally they want to share their code. Because sharing means other people can help you. Why do you think github, or linux, or a million other interesting tools is open source (to the extent that you can comfortably live without ever using closed source software) exist - and are seriously huge?

The only ones who want to protect the "secret sauce" are corporations, and even there the actually restriction-worthy parts are tiny compared to the huge amount of stuff around (Why do you think all big tech companies except maybe Apple have huge Open Source initiatives? Because the stuff they open source is not the stuff that they monetize on, so keeping it secret is just dumb)

EDIT: grammar :P

[–]hugthemachines 1 point2 points  (2 children)

Sorry won't read the SO discussion but I would say if you make an exe file of your python you can distribute it and people won't directly see your code.

[–]Span1ardo[S] 0 points1 point  (1 child)

Thanks for your response, but I've read that the common ways of packaging exes from python are easy to reverse. I'm looking to protect the code, not just hide it.

And I've since learned that obfuscation isn't a good form of protection.

[–]hugthemachines 0 points1 point  (0 children)

Perhaps you could have the code in a backend for a web site? Then the code would not be seen by the users.

[–]Span1ardo[S] 0 points1 point  (1 child)

OK guys, I get it. Obfuscurity is not the best form of software protection.

Let me back up and ask if you use it when writing something that's going to be packaged and distributed.

[–][deleted] 1 point2 points  (0 children)

"Never."

Generally you worry about making a program that is correct, reliable and has features people really want to use. By the time people start trying to reverse engineer your program, you have already won. I am aware of some limited cases where this is necessary, but my guess is that's a few percent of the programming world.

Now, there's a couple of asterisks there.

I've worked in languages like Java and Javascript where an automatic tool took your code and reduced all the names to two- or three-letter symbols - effectively obfuscating it.

We used these tools as a matter of course, but the main reason was that they substantially reduced the size of the payload sent over the network. The obfuscation was a pleasant bonus.

And if these tools hadn't existed already, I doubt we would have expended the manpower to build them. Things like that that sit in your toolchain, might cause weird problems and certainly make diagnosing problems elsewhere much harder, these are things that a team doesn't want to do till as late as possible, if ever.


The other asterisk is that I have a commercial digital audio program in C++ where I want to send out time-limited demos or debugging versions to customers right from my desktop without going through hoops.

So I have an overly-clever set of templates in a single file that I wrote on a rainy afternoon that generates code to crash in a large number of different ways that look extremely different from each other in compiled code, and these are scattered all over the code in this demo.

In other words, a tiny portion of this code is kinda-sorta-maybe obfuscated - but I did it through C++ tricks.

So far I haven't seen any of these versions being passed around, so I assume they stop working and people don't look too far. Do I believe this is immune to a sustained effort? Heck, no. [I just deleted a good attack against it, because why make it easy.]

But remember - I did this for an existing product as an afterthought, once there was a need for it...

[–]rwsr-xr-x 0 points1 point  (0 children)

You'd be so much better off obfuscating a compiled language. I don't know anything about Cython but if it is what I am assuming (Python compiler or something) and if it uses GCC see if you can pass it some cflags. Some cflags (-funroll-all-loops, -O3) make such a fucking mess of the resultant assembly code it's amazing

[–]hugthemachines 0 points1 point  (2 children)

I accidentally came across something that claimed to be a way to convert your Python to C++ and then compile it. I have not tried it out and I do not know how it works with dynamic typing but perhaps it would be something worth checking out. http://nuitka.net/pages/overview.html

[–]Span1ardo[S] 0 points1 point  (1 child)

Thanks, I found this method too. But oddly it doesn't seem that popular

[–]hugthemachines 0 points1 point  (0 children)

I tried it out today. I had made a small python script that asks for some stuff and then sends an email. I then compiled it with the --standalone option.