The Art of Obfuscation



🚧This is still under construction. Please share any feedback you might have! (and yes, I used marquee)🚧

Throwback to kindergarten obfuscation

PoV: You’re 10 years old. Wearing a uniform too tight for you, trousers above your waist but not self-conscious enough to care, writing an exam with your Flora pencil. You don’t need the extra 5 marks from the Apsara pencil - you’re a first-bencher, you can’t get 105/100. But you might get a star sticker.
Mummy said don’t copy and don’t show anyone. Usually you’d let your friend copy from you, but you remember she didn’t give you the foreign biscuit “oreo” last week. What do you do when faced with this trauma?

You decide to be a “good” kid and make life difficult for your friend.

  • Write in bad handwriting (there goes the 5 marks)
  • Answer questions in a jumbled order
  • Write a wrong answer, cross it out and write the right answer later

This is obfuscation: intentionally making data unintelligible and difficult to understand.

This is usually used in source code. And nerd goodie friends.

Big boy obfuscation

Now you’re all grown up and working in a tech company, but…some things never change. There are no exam sheets now, but you do have your Writer docs and code. 😈 Here are some things you can do:

1️⃣ Change file and folder names in Workdrive.
Eg: "payslips_folder" name to "documentation_folder" (nobody reads the docs anyway), "Important meeting summaries" to "Recycle bin" (higher chance of it being read). Or if you have one Workdrive folder, create 10 more dummy folders and rename them all to numbers. Anybody will give up after checking a few folders.

2️⃣ Running programs on unusual ports or URLs.
Eg: bvdagnscdbasc.netlify.app instead of todoapp.netlify.app, localhost:11263 instead of localhost:8000 etc.

3️⃣ In code, renaming variables to misleading or vague values.
Eg: username to u, userInput to str, login_id to num.

4️⃣ Splitting values in code or using weird short forms so that it’s harder to search.
Eg: You can modify text such that it’s easy to read for people but won’t show up when they do a Ctrl+F search. @dmin in a Writer doc can easily be read as admin, but searching the file for admin won’t return any results.
Kind of like what we do to our passwords to feel secure - pick a common word, add a few @$&s and a number. Reads like the original word but just so much cooler, right?

In all these examples, anybody with enough resources and time on their hands will still be able to figure it out.
People can open every Workdrive folder and check, they can try every URL combination, they can read the whole Writer doc instead of searching for certain words.
We’re just making it harder for people trying to figure it out, hopefully discouraging people from putting in that effort.

This is called Security through obscurity; note that obfuscation complements security by raising the barrier for someone trying to understand and break into your software, but it is not a replacement for security or encryption.
Encryption and other security measures are the lock on your door; they prevent breaches. Obfuscation adds a maze in front of your door, in the hope that most people will skip your house and move on to easier targets.

Try some basic obfuscation to put in your Writer doc!

(unless you're in my team. don't do this guys, i like my ctrl+f. sfic)

Source code obfuscation

Most of the above examples are pretty simple, but obfuscation for computers happens on a whole other level.
Computers do not need any context and will just process whatever you give them. So when it comes to source code, it’s possible to transform it to what looks like gibberish to us but perfectly normal for computers.

A short example of JavaScript code converted into gibberish - but it works, so it makes no difference to the computer!
[Image: Obfuscated code example]
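Here is the same idea as runnable code. This is an added, hand-written example, not the original image or the output of any obfuscator tool, and every name in it is made up. The readable function and the gibberish one behave identically, a Ctrl+F for "admin" finds nothing in the gibberish one, and yet anyone who simply runs its decoder gets every hidden string back.

```javascript
// Readable version: the intent is obvious and "admin" is searchable.
function isAdmin(user) {
  return user.role.toLowerCase() === "admin";
}

// Hand-obfuscated equivalent (constructed for illustration). Techniques used:
//  1. meaningless identifier names
//  2. string literals replaced by XOR-ed character codes in a lookup table
//  3. property access through computed strings instead of dot notation
const _0xk = 0x2a;
const _0xt = [
  [88, 69, 70, 79],
  [94, 69, 102, 69, 93, 79, 88, 105, 75, 89, 79],
  [75, 78, 71, 67, 68],
];
const _0xd = (i) => String.fromCharCode(..._0xt[i].map((c) => c ^ _0xk));
const _0xf = (_0xa) => _0xa[_0xd(0)][_0xd(1)]() === _0xd(2);

// The "Ctrl+F" test: does a keyword appear in a function's source text?
function sourceMentions(fn, keyword) {
  return fn.toString().includes(keyword);
}

// What a patient reader does instead of searching: run the decoder over the
// whole table. The key and the decoder ship with the code, so nothing is secret.
function recoverStrings() {
  return _0xt.map((_, i) => _0xd(i));
}

const sampleUser = { role: "Admin" }; // constructed sample input
console.log(isAdmin(sampleUser), _0xf(sampleUser));
console.log(sourceMentions(isAdmin, "admin"), sourceMentions(_0xf, "admin"));
console.log(recoverStrings());
```

The maze slows the search down, but the lock is still whatever real access control sits behind this check.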

At a high level: we write code in plain English, which after some processes (like compiling) is turned into the 0s and 1s that the computer understands, called a binary format.
One of the best ways to prevent reverse-engineering is to distribute applications in these binary or native formats, which take a lot of effort to convert into something human readable.

An example of obfuscated C++ code from this resource:
[Image: Obfuscated code example 2]


See also: Security through obscurity
Try some more complicated obfuscation online - Online JS obfuscator