lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


Lisa Parratt wrote:
> >or security advantage over source code.
> I'd have thought encrypted source would be significantly easier to crack 
> than encrypted byte codes.

No. Lua source and Lua bytecode have about the same low entropy
levels. This means it's trivial to crack naive ciphers (like
xor). But (lacking the key) there's hardly a difference when
brute-force cracking good ciphers (such as AES).

OTOH all of these 'copy protection' schemes suffer from the fact
that the key is not a secret. It's in your C compiled binary and
the CPU eventually gets to run the unencrypted code. So once you
get access to the CPU somehow, you get the code.

You can delay an attack somewhat by putting the key in hardware
together with additional measures (like code signing). But in the
end nothing is uncrackable.

A determined attacker will always choose the easiest attack
vector -- this is neither the key, nor the cipher in most cases
(hint: it's your janitor). It's a pointless game, anyway.

Coming from an open source perspective, I really wonder why so
many companies just don't get it. You can sell a product and
still give 'em the source code. Nothing prevents you from doing
so. Many examples have proven that you do not gain an advantage
over the competition by hiding code. You gain an advantage by
innovation, economies of scale and good marketing.

Historical note: IBM published the source code for the BIOS of
their first IBM PC (and the complete schematics, too). Think twice
before concluding this was a good or a bad idea in the long run.

Related URL:

But this is getting really off-topic. Sorry.