This is a read-only snapshot of the ComputerCraft forums, taken in April 2020.

Some suggestions on how to handle obfuscated code.

Started by cyanisaac, 20 August 2015 - 12:48 AM
cyanisaac #1
Posted 20 August 2015 - 02:48 AM
I've noticed there seems to be a lot of dislike towards obfuscation and minification of any kind being posted. While I can understand that malicious code can be an issue, I really feel like this is bad for people who legitimately want to use obfuscation to prevent people from having a good copy of the source code (one example is a project I have in development that I really am not looking forward to forcing it to be open source).

I'm not going to pretend like I know how to fix this - because believe me I don't really know how to fix this - but I think that maybe with a bit of discussion an alternate way of dealing with obfuscated scripts can be found - one that might allow users to obfuscate the stuff they put here.

I'll start with an idea: Perhaps we could have users test code out beforehand and give some sort of verdict before code is posted / keep a warning until code is verified to be fine?
Bomb Bloke #2
Posted 20 August 2015 - 03:26 AM
(one example is a project I have in development that I really am not looking forward to forcing it to be open source).

In my view, if you don't want to open-source it, then don't post it here at all. Obfuscation won't stop people reading your code. It'll merely slow them down.

These are Lua scripts we're talking about; Lua scripts for use in Minecraft, of all things. The value of your code, to you, should derive from the enjoyment you had in writing, sharing, and using it - seeking to find any other values in it will only lead to disappointment.
Cloud Ninja #3
Posted 20 August 2015 - 03:52 AM
Like I posted to you earlier, obfuscation allows the coder to implement mal-code very easily, like I could easily obfuscate a program, like an OS, and then once it runs, it hijacks the computer on startup, but hides itself at the same time. Well, because of this, obfuscation is against the rules, as is mal-code. Now, let's say we take an OS, and minify it. If I provide the unminified code, then unminify the other code and compare, and they're the same, that's proof enough that it's safe.
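The comparison described in the post above, sketched as an added example (not code from any poster or from the forum staff): tokenize the published source and the minified download as Lua, drop comments and whitespace, and report the first token where the two diverge. It covers whitespace-and-comment stripping only, so renamed variables are reported as differences to review by hand; the function names and the sample Lua snippets are constructed for illustration.

```python
import re

# Lua lexical classes. Comments and strings are tried before operators so
# that "--" or "]]" inside a string literal is never mistaken for a comment.
TOKEN = re.compile(r"""
    (?P<comment> --\[(?P<c>=*)\[ .*? \](?P=c)\] | --[^\n]* )
  | (?P<string>  \[(?P<s>=*)\[ .*? \](?P=s)\]
               | "(?:\\.|[^"\\\n])*" | '(?:\\.|[^'\\\n])*' )
  | (?P<number>  0[xX][0-9a-fA-F]+ | \d+\.?\d*(?:[eE][+-]?\d+)? | \.\d+ )
  | (?P<name>    [A-Za-z_]\w* )
  | (?P<op>      \.\.\. | \.\. | == | ~= | <= | >= | \S )
  | (?P<ws>      \s+ )
""", re.S | re.X)


def lua_tokens(src):
    """Return (text, line) per token, with comments and whitespace dropped."""
    return [(m.group(), src.count("\n", 0, m.start()) + 1)
            for m in TOKEN.finditer(src)
            if m.lastgroup not in ("comment", "ws")]


def first_difference(source, minified):
    """None if both files hold the same token stream, else the first mismatch."""
    a, b = lua_tokens(source), lua_tokens(minified)
    for (x, x_line), (y, y_line) in zip(a, b):
        if x != y:
            return {"source": x, "source_line": x_line,
                    "minified": y, "minified_line": y_line}
    if len(a) != len(b):  # one file carries extra trailing code
        which, longer = ("source", a) if len(a) > len(b) else ("minified", b)
        text, line = longer[min(len(a), len(b))]
        return {"extra_in": which, "token": text, "line": line}
    return None


# Constructed sample inputs (not taken from any real program).
SOURCE = '''-- door lock
local function check(input)
  --[[ compare against the
       stored password ]]
  return input == "open -- sesame"
end
print(check(read()))
'''
MINIFIED_OK = ('local function check(input)return input=="open -- sesame"end '
               'print(check(read()))')
MINIFIED_TAMPERED = MINIFIED_OK + ' os.shutdown()'

if __name__ == "__main__":
    print(first_difference(SOURCE, MINIFIED_OK))
    print(first_difference(SOURCE, MINIFIED_TAMPERED))
```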
SquidDev #4
Posted 20 August 2015 - 12:31 PM
As someone who has written a tool to minify code I do have some thoughts about this:

Firstly I think it is helpful to distinguish between minification and obfuscation. I would define minification as reducing source size without changing how it works. The best example of this is Google's closure compiler. This can perform varying levels of minification from stripping whitespace, to shortening variable names through to more advanced techniques such as constant folding and function inlining. This can be used to make code less readable but I don't think it hides intent - tools like this allow you to pretty-print code, the Lua plugin for IntelliJ allows you to reformat code and then rename variables - performing the minification process in reverse.

Minification is a very useful tool. It cuts Howl's size from 109kB to 49kB - more than a 50% reduction. For a large program such as OneOS this could really solve the issue of disk space. I think the issue with blocking minification is that in the end all it is is a badly formatted program :).

Obfuscation however is rewriting code to hide intent. You can see some pretty impressive examples on the wiki page. I don't think we have, or ever will, see code that attempts to do that - after all there is no reason that you would want to. I think if someone released obfuscated code then questions would have to be asked.

Personally I think CloudNinja's perspective is slightly off - what they are describing sounds pretty like advanced malware targeting what is most commonly used to automate basic Minecraft tasks: we do need some perspective. However maybe the moderators could say how much malware is a problem - though I have never noticed it.

On the topic of open source - do it. We have a wonderful community on the forums. I post code because I enjoyed writing it, I think other people will find it useful, and because I want other people to make it better. The last of those is really important - ComputerCraft is a great way to learn. If we then start not open sourcing code - what do we stand to gain?

TLDR:
  • Minification helps save space - good idea
  • Obfuscation is less of a good idea
  • Malware for CC isn't really advanced
  • Open source is good - if you are going to release minified sources then also provide some source of unminified code.
Sorry for the massive, slightly incomprehensive post
Edited on 20 August 2015 - 10:31 AM
Cloud Ninja #5
Posted 20 August 2015 - 03:27 PM
"Personally I think CloudNinja's perspective is slightly off - what they are describing sounds pretty like advanced malware targeting what is most commonly used to automate basic Minecraft tasks: we do need some perspective. However maybe the moderators could say how much malware is a problem - though I have never noticed it."
I was purely approaching it from that standpoint. Malware MAY be an issue, may not be, but the point of obfuscation, yes, is to hide intent, and the only reason the mods really care is because of malicious code, or generally untrustworthy code.
Lupus590 #6
Posted 20 August 2015 - 05:44 PM
ComputerCraft is intended to be a learning environment; one good way to learn is to look at how other people have done things. By obfuscating your code you are frustrating the system.

It would be interesting to have a malware statistic, but I have a feeling that like all malicious things CC malware will have its own circle of people which only discuss their stuff in hushed tones. (For some reason the thought of an underground black market for ComputerCraft is amusing.)
cyanisaac #7
Posted 20 August 2015 - 06:33 PM
Alrighty, I get the idea. I'll try making my next project open source. Thanks.
Lyqyd #8
Posted 20 August 2015 - 06:33 PM
The primary downloadable code for a published program must be plain text, unminified code. This is to prevent the easy hiding of malicious code in the program. Obfuscated code is not allowed on the forums. Minified code may be tolerated as an alternative download, provided it does not seem to be obfuscated rather than minified, and does not appear to be different in function. Minification is generally unnecessary for programs published here, as most are smaller than 50kB. Most people posting in this thread so far do not remember the problems we had with malicious code, including some cleverly disguised in otherwise-innocuous programs and at least one hidden in obfuscated code. These rules are not arbitrary, and are designed to protect everyone who visits the forum. There should never be any question that code from this forum might be unsafe to run.
cyanisaac #9
Posted 24 August 2015 - 11:01 PM
The primary downloadable code for a published program must be plain text, unminified code. This is to prevent the easy hiding of malicious code in the program. Obfuscated code is not allowed on the forums. Minified code may be tolerated as an alternative download, provided it does not seem to be obfuscated rather than minified, and does not appear to be different in function. Minification is generally unnecessary for programs published here, as most are smaller than 50kB. Most people posting in this thread so far do not remember the problems we had with malicious code, including some cleverly disguised in otherwise-innocuous programs and at least one hidden in obfuscated code. These rules are not arbitrary, and are designed to protect everyone who visits the forum. There should never be any question that code from this forum might be unsafe to run.

I guess, but this is also the only place that people download ComputerCraft programs from. So if you don't want your code to be completely shown, you can't have it here, meaning that nobody will run your programs :P
HPWebcamAble #10
Posted 24 August 2015 - 11:32 PM
I guess, but this is also the only place that people download ComputerCraft programs from. So if you don't want your code to be completely shown, you can't have it here, meaning that nobody will run your programs :P

What on earth is in your code that you don't want people to know how it works?

The only thing I could understand (in a CC program anyway) is encryption; understanding how it works is the first step to cracking it.
Tiin57 #11
Posted 24 August 2015 - 11:39 PM
I guess, but this is also the only place that people download ComputerCraft programs from. So if you don't want your code to be completely shown, you can't have it here, meaning that nobody will run your programs :P

What on earth is in your code that you don't want people to know how it works?

The only thing I could understand (in a CC program anyway) is encryption; understanding how it works is the first step to cracking it.

Correct me if I'm wrong, but isn't the definition of "good" encryption "using everyone you can find to try and crack it with any means necessary"? And the more people that fail, the stronger the encryption is? Encryption with secret algorithms is fairly useless, because unless you publish and adjust algorithms accordingly… well, no one can see every possibility. A thousand eyes are infinitely better than two when it comes to encryption. Just my two cents.
HPWebcamAble #12
Posted 25 August 2015 - 12:54 AM
Correct me if I'm wrong, but isn't the definition of "good" encryption "using everyone you can find to try and crack it with any means necessary"? And the more people that fail, the stronger the encryption is?

Wouldn't that be the definition of how to crack good encryption?

I just mean that obfuscating an encryption algorithm is understandable, knowing how it works is a key step in decoding intercepted, encrypted data.


Encryption with secret algorithms is fairly useless, because unless you publish and adjust algorithms accordingly… well, no one can see every possibility

'adjust algorithms accordingly' - You mean that an algorithm should be coded with the intent to publish it?

Ok, but what are the 'possibilities' people are looking for? You mean possible applications for it?
Bomb Bloke #13
Posted 25 August 2015 - 01:27 AM
He's basically saying that if you reveal the code for your encryption technique to a large group of people, and they can't break it, then you've got a good encryption technique.

If you don't reveal your code, then attempts to crack it are going to take longer. This is potentially a bad thing, as ideally you'll become aware of any flaws before you actually sit down and try to use it to protect something important.
HPWebcamAble #14
Posted 25 August 2015 - 06:12 AM
if you reveal the code for your encryption technique to a large group of people, and they can't break it, then you've got a good encryption technique.

…ideally you'll become aware of any flaws before you…try to use it to protect something important.

Ok, that makes sense. Thanks for clarifying.
Tiin57 #15
Posted 25 August 2015 - 07:01 PM
Thank you for putting into words what I was unsuccessfully trying to convey, Bomb Bloke. Been a while since I had any real conversation on this forum, and I'm a bit rusty.
isochronous #16
Posted 08 January 2016 - 05:04 PM
Agreed on encryption - in fact, I don't trust any encryption software that ISN'T fully open source, as you can't be certain that it's free of exploits, bugs, or even backdoors (hello, NSA! How are you guys doing today?). With encryption, it shouldn't matter whether or not you know HOW it works, because the key to any encryption scheme is… well, the key. Even a 128 digit key could take decades for the average PC to break, while a double-2048 key scheme wouldn't be broken before the heat death of the universe… but only as long as you can verify the quality and security of the software that implements it.