On Thu, 2005-02-03 at 16:58, Jarek Zgoda wrote:
> snacktime wrote:
>
> > Everything except the libraries that actually connect to the
> > bank networks would be open source, and those libraries aren't
> > something that you would even want to touch anyways.
>
> This sounds suspicious to me. Really. Normal payment clearance programs
> have open-spec APIs.

Dare I suggest that closed source is a plea for rounding fraud?

No amount of obfuscation is going to help you. Just look at the battles between virus authors and anti-virus software firms. Even as early as the 80's, viruses were employing elaborate encryption schemes to "hide" from virus scanners; virus scanners in return emulated the CPU for the first couple thousand cycles in hopes of finishing the decryption and seeing the virus. Of course, virus authors responded with for(x=0;x<1000000;x++) and the halting-problem-inspired game of chicken raged on ...

The difference with your situation is if somebody is using obscurity as a form of security, then it means that your system is reachable, and it is only a matter of money and time before the obscurity becomes not very obscure.

My humble recommendation is to put your efforts into educating those you work with that if they secure their communication channel it won't matter if the protocol spec leaks to the world. Your adversary won't have an opportunity to talk to your service no matter how good their implementation of your protocol.

The worst case if you depend on obscurity: The bad guys are rounding off your pennies as you read this.

The worst case if you depend on encryption and open your spec: You get to publish your code, but might get competition.

Just my $0.02.

Adam DePrince

-- 
http://mail.python.org/mailman/listinfo/python-list
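
Added example, not part of the original message or of any project discussed in the thread: a sketch of the point that a fully published protocol is harmless when the service only accepts authenticated messages. It uses HMAC-SHA256 message authentication as a stand-in for the secured channel; the wire format, field names, `seal`, `Service` and the sample requests are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# The wire format is public: JSON body, then "." and a hex HMAC-SHA256 tag.
# Only the per-client key is secret (constructed here; assumed to be
# provisioned out of band in a real deployment).

def seal(key: bytes, seq: int, request: dict) -> bytes:
    """Client side: serialize a request and append its authentication tag."""
    body = json.dumps({"seq": seq, "req": request}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


class Service:
    """Server side: accepts only messages tagged with the provisioned key."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = 0  # highest sequence number accepted so far

    def handle(self, wire: bytes) -> str:
        body, sep, tag = wire.rpartition(b".")
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison; reject before parsing untrusted content.
        if not sep or not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        msg = json.loads(body)
        if msg["seq"] <= self._last_seq:
            return "rejected: replay"
        self._last_seq = msg["seq"]
        return "accepted"


def demo() -> list:
    key = secrets.token_bytes(32)
    service = Service(key)
    genuine = seal(key, 1, {"op": "credit", "amount_cents": 1999})
    # A sender that follows the published format exactly but lacks the key.
    outsider = seal(secrets.token_bytes(32), 2, {"op": "credit", "amount_cents": 1999})
    # A genuine message altered in transit, tag left unchanged.
    tampered = genuine.replace(b"1999", b"9999")
    return [service.handle(m) for m in (genuine, outsider, tampered, genuine)]


if __name__ == "__main__":
    print(demo())
```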