
Security through foreign languages.

Posted: Tue Dec 30, 2008 11:41 am
by kaisellgren
Hello fellow community members,

I've been recently chatting with another homeland PHP addict, and we were discussing security -- and "Security through Obscurity" to be exact.

I've been thinking a lot about obscuring some parts of my code. When it comes to obscurity, it makes your application harder to code due to many factors. For example if your fieldname is "dfg4rtSDFkgcvbF" it's definitely harder to remember later than "username". That's just one example.

Obscurity does not add security, but it strengthens it. However, the price of obscurity can be probably seen at the speed of the progress of your project.

After a little thinking I started to think if I write these certain parts of my script in a foreign language - Finnish. There are only 5 million Finnish speakers in this world, so it does strengthen the security by a meaningful amount. Still, I am able to code as fast as normal, and it does not affect anything else. At least not to me - but no one else other than me is coding on the project core, but rather a few outside plugins that are not affected by this obscurity method.

For example, the member table would have fields like tunnari,salari,soossi,mauste,kertapadi, ... and this would not just apply to the database.

All comments would be also unreadable for attackers unless they are fluent in Finnish.

// Ny sit pistetää kerran paddaus eli söössi tähä tunnarii nii että me suojau'utaa sateenkaarihyökkäyksilt

And trying to translate from Finnish to English is a pathetic attempt. ;)

Your thoughts?

EDIT: It would actually probably even boost the speed of coding.

Re: Security through foreign languages.

Posted: Tue Dec 30, 2008 3:29 pm
by Chalks
I think that I would only do this for personal projects. Mainly because anything other than a personal project could potentially have another developer at some point, and they would loathe you. LOATHE.

I do like the idea though.... if it was simpler/less obscure than a completely different language.

Re: Security through foreign languages.

Posted: Tue Dec 30, 2008 6:19 pm
by califdon
I agree with chalks. That would be fine for a personal project, or possibly for a commercial project if all the current and future coders were Finnish (which might be the case, since you indicate that you're located in Finland). I have indeed heard from other Europeans who say that Finnish, Bulgarian and Hungarian are the hardest languages for non-natives to learn. But, for example, if a determined hacker wanted to hack your code, I don't think it would be that hard for him to enlist the help of some Finnish speaker. So I guess it depends on who should have free access to your code in the future and the level of security you're trying to achieve. Maybe you could intermix Finnish, Bulgarian and Hungarian?? :wink:

Re: Security through foreign languages.

Posted: Tue Dec 30, 2008 6:50 pm
by kaisellgren
califdon wrote:I agree with chalks. That would be fine for a personal project, or possibly for a commercial project if all the current and future coders were Finnish (which might be the case, since you indicate that you're located in Finland). I have indeed heard from other Europeans who say that Finnish, Bulgarian and Hungarian are the hardest languages for non-natives to learn. But, for example, if a determined hacker wanted to hack your code, I don't think it would be that hard for him to enlist the help of some Finnish speaker. So I guess it depends on who should have free access to your code in the future and the level of security you're trying to achieve. Maybe you could intermix Finnish, Bulgarian and Hungarian?? :wink:
Wow, I didn't think of that yet... hmm... I think it begins to be too complex for a coder if he needs to know all those three languages :banghead:

Of course a hacker could learn Finnish or find someone who speaks it, but this is all about obscurity -- not bulletproof security. 8)

Re: Security through foreign languages.

Posted: Tue Dec 30, 2008 6:58 pm
by califdon
kaisellgren wrote:Of course a hacker could learn Finnish or find someone who speaks it, but this is all about obscurity -- not bulletproof security. 8)
It would sure be obscure to ME! :? It's all I can do to read code in ENGLISH! :roll:

Seriously, I think your idea has merit, if considered strictly as obfuscation. And of course it would be of no value in obscuring from another Finn. But for the rest of us ... really obscure! :)

Re: Security through foreign languages.

Posted: Wed Dec 31, 2008 3:51 am
by Weirdan
I don't think it would be as obscure as you think. You will still be coding in PHP, so the structure of the code will rat out what the code does =). I once worked with the code where they named everything in German (and I don't speak German). It wasn't that hard although it was annoying, for sure.
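Added example, not part of any post in the thread: a short Python check of the point that code structure survives renaming. The two PHP samples, the helper names `hae_rivi`/`fetch_row`, the table name and the `FIXED` word list are constructed for illustration; only the column names tunnari, salari and mauste come from the thread.

```python
import re

# Words dictated by PHP or SQL rather than chosen by the author.
# Illustrative subset for these samples, not a complete list.
FIXED = {"function", "if", "return", "null", "false", "hash", "sha256",
         "SELECT", "FROM", "WHERE"}

# Constructed samples: the same login check, named in Finnish and in English.
# They illustrate naming only; the hashing scheme is not a recommendation.
FINNISH = r'''
function tarkista($tunnari, $salari) {
    $rivi = hae_rivi("SELECT salari, mauste FROM jasenet WHERE tunnari = ?", $tunnari);
    if ($rivi === null) { return false; }
    $tiiviste = hash('sha256', $rivi['mauste'] . $salari);
    return $tiiviste === $rivi['salari'];
}
'''
ENGLISH = r'''
function check($username, $password) {
    $row = fetch_row("SELECT password, salt FROM members WHERE username = ?", $username);
    if ($row === null) { return false; }
    $digest = hash('sha256', $row['salt'] . $password);
    return $digest === $row['password'];
}
'''

def skeleton(source):
    """Replace every author-chosen name with a numbered placeholder.

    Names are numbered in order of first appearance, so two sources with
    the same structure produce the same skeleton whatever language the
    identifiers were written in.
    """
    names = {}

    def swap(match):
        word = match.group(0)
        if word in FIXED:
            return word  # language keyword, built-in or SQL: cannot be renamed
        return names.setdefault(word, "ID%d" % (len(names) + 1))

    # An identifier starts with a letter or underscore; \w is Unicode-aware.
    return re.sub(r"[^\W\d]\w*", swap, source)

if __name__ == "__main__":
    print(skeleton(FINNISH))
    print("identical skeletons:", skeleton(FINNISH) == skeleton(ENGLISH))
```

Both samples reduce to the same skeleton, in which the query shape and the salted-hash comparison are still readable without knowing either naming language.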

Re: Security through foreign languages.

Posted: Wed Dec 31, 2008 8:04 am
by kaisellgren
Weirdan wrote:I don't think it would be as obscure as you think. You will still be coding in PHP, so the structure of the code will rat out what the code does =). I once worked with the code where they named everything in German (and I don't speak German). It wasn't that hard although it was annoying, for sure.
That is why it's called obscuration. It makes it painful for other people to understand it. Whether you understand the code in the first 5 minutes or in one week - the author may have already patched a serious security vulnerability before the attacker has even understood the purpose of the whole code ;) - and that's just one benefit.

One greater benefit is that it's easier for me to code, because I would code in my mother tongue :lol:

Would you write in Ukrainian or in English?

Re: Security through foreign languages.

Posted: Wed Dec 31, 2008 8:28 am
by Weirdan
kaisellgren wrote:Would you write in Ukrainian or in English?
My mother tongue happens to be Russian (there are a lot of people speaking Russian in Ukraine, despite what the country name suggests :) ), but I wouldn't use it for coding. The one reason would be that I work in a multilanguage team (with members from UK and Ukraine) and the other would be that code that uses anything but English always appeared as unprofessional to me, even if I knew that language. This viewpoint is almost universally accepted by most programmers I know personally.

Besides I'm not quite sure how PHP will handle multibyte identifiers (Cyrillic uses second byte when encoded in UTF-8).

Re: Security through foreign languages.

Posted: Wed Dec 31, 2008 8:39 am
by kaisellgren
Weirdan wrote:
kaisellgren wrote:Would you write in Ukrainian or in English?
My mother tongue happens to be Russian (there are a lot of people speaking Russian in Ukraine, despite what the country name suggests :) ), but I wouldn't use it for coding. The one reason would be that I work in a multilanguage team (with members from UK and Ukraine) and the other would be that code that uses anything but English always appeared as unprofessional to me, even if I knew that language. This viewpoint is almost universally accepted by most programmers I know personally.

Besides I'm not quite sure how PHP will handle multibyte identifiers (Cyrillic uses second byte when encoded in UTF-8).
Well okay. Russian identifiers - eh...

But for Finnish, PHP handles it totally anywhere I use Finnish. All characters are acceptable :D

And the part of the script that would be in Finnish is not coded by anyone else other than me. So, with this assembly, I am thinking of writing it in Finnish.

Re: Security through foreign languages.

Posted: Wed Dec 31, 2008 9:31 am
by omniuni
"Ny sit stop once paddaus or söössi here tunnarii nii that we suojau'utaa sateenkaarihyökkäyksilt"

You're right. It's not exactly translatable.

I would question, though, what this actually achieves. If someone is trying to hack your website you'll buy yourself a few hours, sure, but if you really wanted to keep your code to yourself, why not just compile it? For the benefit of being able to re-use the code if you want to on other projects, or being able to show it to someone else (non-Finnish) you'd buy yourself a lot more time while they decompile the thing.

Re: Security through foreign languages.

Posted: Wed Dec 31, 2008 9:53 am
by kaisellgren
omniuni wrote:"Ny sit stop once paddaus or söössi here tunnarii nii that we suojau'utaa sateenkaarihyökkäyksilt"

You're right. It's not exactly translatable.

I would question, though, what this actually achieves. If someone is trying to hack your website you'll buy yourself a few hours, sure, but if you really wanted to keep your code to yourself, why not just compile it? For the benefit of being able to re-use the code if you want to on other projects, or being able to show it to someone else (non-Finnish) you'd buy yourself a lot more time while they decompile the thing.
Obscuration is not a way to protect yourself. It's a way to stab a knife in your cracker's stomach. I cannot compile the code. Yet I am not trying to defeat crackers with this method - but rather stab them.

Re: Security through foreign languages.

Posted: Wed Dec 31, 2008 10:07 am
by omniuni
Well, I don't think it'll be much more than pins and needles... but I think they're in the right places to cause some considerable pain.

We'll call this technique "Kai's Curse".

Re: Security through foreign languages.

Posted: Wed Dec 31, 2008 10:14 am
by kaisellgren
omniuni wrote:Well, I don't think it'll be much more than pins and needles... but I think they're in the right places to cause some considerable pain.

We'll call this technique "Kai's Curse".
Ahhah :D

I actually find using Finnish very useful in my code...

Re: Security through foreign languages.

Posted: Wed Dec 31, 2008 12:01 pm
by califdon
I can certainly understand the motivation to program in your native language.

By the way, I have never heard of the English word "obscuration", but this is usually called "obfuscation". Today's English lesson! :P

Re: Security through foreign languages.

Posted: Wed Dec 31, 2008 12:13 pm
by kaisellgren
califdon wrote:I can certainly understand the motivation to program in your native language.

By the way, I have never heard of the English word "obscuration", but this is usually called "obfuscation". Today's English lesson! :P
Something weird happened. You made three posts :)

Btw, http://www.thefreedictionary.com/Obscuration