Subject: Re: reverse engineer c or java
From: Bluefish (11aGMX.NET)
Date: Sun May 21 2000 - 12:50:46 CDT


Most likely the sender is interested in copy protection, creating
'uncrackable' shareware etc. That's a different topic, which is more
suitable for mailing lists etc. which deal with such things.

Anyway; given access to files, it is easier to create backdoored variants
if the source code is open, or you use java (seems to be close to the same
thing ;) But to rely upon C with non-open source code is not the solution,
because it simply makes it harder, it doesn't stop an inventive attacker
with good programming knowledge.

> security in any program you write? Write well thought out code.
> Learn about common bugs such as bad 'system()' placement or
> buffer overruns.

Btw, on the topic of java! Has there been published any research upon
buffer overruns in java? I assume the class String is more or less
secure, but are there security concerns related to usage of e.g. arrays?

> What I really think good code comes down to is the following.
> If you aren't secure enough to release the program to the public
> open sourced you didn't secure the program.

True, in most cases. Consider distributed.net who publish almost the
entire source code to aid development, but not the validation routines
which are used to check that the client hasn't been tampered with by malicious
users.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team