I wish I could talk about it. You'll have to find someone who's not bound by
stuff like employment contracts and trade secrets stuff to tell you the story.
________________________________
From: Skylar Woodward <sky...@kiva.org>
To: Dave Nelson <dnel...@elbrys.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Sent: Wednesday, June 1, 2011 1:07 PM
Subject: Re: [OAUTH-WG] Text for Native Applications

On Jun 1, 2011, at 9:43 PM, Dave Nelson wrote:
> for mounting the attack. I firmly believe that secrets can be
> sufficiently obfuscated in code delivered in binary format without the
> benefit of a symbol table, so as to be sufficiently resistant to
> discovery via disassembly by attackers you'd expect to encounter in a
> typical commercial environment. I'm not talking about printable

I have empirical evidence to support this. At Yahoo! we devised one of the most
complex systems I've ever seen in a publicly distributed program (Messenger).
It was disassembled in 3 days. Scott Renfro (now over with David at Facebook)
and likely Bill Mills can also vouch for the difficulty of this having also
studied the case well.

Moreover, if a hardware-enforced system like that of Playstation 3 can be
broken, then so can most systems. The PS3 protection mechanisms are/were very
sophisticated.

Even if a system is not yet cracked or is very hard, you have to assume it can
be cracked. History has shown this to be true nearly without exception - at
least to the point it is not worth considering for the OAuth use cases.

skylar
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth