On Jun 1, 2011, at 9:43 PM, Dave Nelson wrote:

> for mounting the attack. I firmly believe that secrets can be
> sufficiently obfuscated in code delivered in binary format without the
> benefit of a symbol table, so as to be sufficiently resistant to
> discovery via disassembly by attackers you'd expect to encounter in a
> typical commercial environment. I'm not talking about printable

I have empirical evidence to support this. At Yahoo! we devised one of the most complex systems I've ever seen in a publicly distributed program (Messenger). It was disassembled in 3 days. Scott Renfro (now over with David at Facebook) and likely Bill Mills can also vouch for the difficulty of this, having also studied the case well.

Moreover, if a hardware-enforced system like that of Playstation 3 can be broken, then so can most systems. The PS3 protection mechanisms are/were very sophisticated.

Even if a system is not yet cracked or is very hard, you have to assume it can be cracked. History has shown this to be true nearly without exception - at least to the point it is not worth considering for the OAuth use cases.

skylar

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth