
Re: XLS files scrambling (Slightly Off-topic, Obfuscation etc)


Subject: Re: XLS files scrambling (Slightly Off-topic, Obfuscation etc)
From: Dan Morrison <dman@xxxxxxxx>
Date: Mon, 26 Jun 2000 23:57:57 +1200

Sorry, been AFK for the weekend :-)  (makes a change)

Warren Hedley wrote:
> 
> Dan Morrison wrote:
> >
> > <MADNESS view="source"
> > href="http://www.nationalbank.co.nz/calculators/default.asp" />
> 
> Oh great, another page that completely wipes out NS.

We tested it and dealt with all sorts of issues, but I suspect Unix/NS
was not a client priority. It was bad enough sorting IE4's whacked-out
event handling.

> Cool though. How on earth did you do that?

Since you asked....

<disclaimer>
This was not my idea, I did not do it, I merely maintain it a bit. Kudos
to Steve Baker who placated the suits with this hack!
</disclaimer>

We maintain the full JavaScript block in plaintext in a separate file.
The asp page that gets requested uses a few lines of Server-side
scripting to read the file and 'encode' it. This gets written inline as
a JavaScript string.
A minimal onload event then 'unencodes' the string, and document.writes
it. This becomes part of the page and the code is then parsed into
client-side functions.

I LOVE self-modifying code (or at least code that has the ability to
write more code...)
However...

I am completely aware that:

[James Robertson]:
> Client-side encryption of code is, by definition, broken.

I submitted this example as a JOKE to those in-the-know :->   
"MADNESS"?

BTW, I carefully shifted my wording from 'encryption' to 'obfuscation'
when giving this example. Client-side obfuscation is so easy it can
happen by accident ;-)

Did you not recognise the type of 'encoding'? It could not even be
labelled 'encryption'!

The client (bank) believed its formula for the calculation of mortgage
repayments was so special that viewable JavaScript just wasn't secure
enough.
NEVER MIND that the basic formula is in high school text books, never
mind that it could be easily graphed by anyone who cared to take the
time, never mind that no-one's really going to put one over on them by
knowing it...

So to avoid hiding it on the server, which would have been so slow as to
be non-interactive, this solution appears to work.
It was passed by the bank's security advisors, the same ones that
insisted that they'd heard that JavaScript was insecure.
They're happy, we're amused.

Don't get me wrong, I don't go out to put one over on the client, but
this situation was so anally corporate, and it all lived up to their
broken 'requirements' perfectly.

To go even further off topic...


Another bank, who consulted with me in a much more enlightened manner,
had the SAME requirement (doncha love lawyers?).
They had the foresight to ask us what we could do for them instead of
telling us they wanted a copy of their brochure.
The result was
http://www.asbbank.co.nz/calculators/lending/homelending_3.stm
(I hope the frame-farm won't break Unix-NS, I'm pretty sure the Java
doesn't)

Even compiled java classes weren't secure enough for their precious
formula (which shows they actually knew what they were talking about)
and believe it or not, the formula lives on the server, which responds
behind the scenes with (XML) datasets to graph! No 'commercially
sensitive' code gets sent to the client.

PS, the 'jaggies' in the graph are supposed to be there, it's something
to do with the uneven number of fortnights in months! More accurate than
the real thing!

Again, kudos to Miles Thompson (occasionally lurking on this list) for
getting the feat done! Not me.

ANYWAY

Suffice it to say, as someone who gets paid for what I do, I sympathise
with George's predicament:

> However, when working for a company and writing software for the 
> company's clients you might (just might) be asked to encrypt some stuff.

...and as such treated the question as a problem-solving exercise,
looking for a valid answer. I don't think I've found one yet.
I had no doubt the morality brigade would be jumping in before I could
render my next transformation.

Are there those out there saying XSL couldn't do it if you had to?

.dan.

-- 
:=====================:====================:
: Dan Morrison        : The Web Limited    :
:  http://here.is/dan :  http://web.co.nz  :
:  dman@xxxxxxxx      :  danm@xxxxxxxxx    :
:  04 384 1472        :  04 495 8250       :
:  025 207 1140       :                    :
:.....................:....................:
: If ignorance is bliss, why aren't more people happy?
:.........................................:
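An added example, not code from the nationalbank.co.nz page or from Steve Baker's hack, modelling the encode-on-the-server, decode-in-onload, document.write scheme the message describes. The actual encoding used is not given above, so an XOR with a short key rendered as hex is assumed, and the key, variable names and sample formula are constructed. It shows that the served page carries the encoded string, the key and the decoder together, which is why this is obfuscation rather than encryption.

```javascript
// Assumed key. Whatever the real page uses, the key must ship with the page
// too, because the browser needs it to run the onload decoder.
const KEY = 'madness';

// "Server side" (the ASP step): turn the plaintext script into a JS string
// literal. XOR-with-key, written as two hex digits per byte, is assumed.
function encodeScript(source, key) {
  let out = '';
  for (let i = 0; i < source.length; i++) {
    const b = source.charCodeAt(i) ^ key.charCodeAt(i % key.length);
    out += b.toString(16).padStart(2, '0');
  }
  return out;
}

// "Client side": the decoder the page itself has to include for onload.
function decodeScript(encoded, key) {
  let out = '';
  for (let i = 0; i < encoded.length; i += 2) {
    const b = parseInt(encoded.slice(i, i + 2), 16) ^ key.charCodeAt((i / 2) % key.length);
    out += String.fromCharCode(b);
  }
  return out;
}

// What the requested page sends to the browser: the decoder source, the key
// and the encoded string, all inline, plus the onload that document.writes.
function buildPage(source) {
  return '<script>\n' + decodeScript.toString() + '\n' +
    'var k = "' + KEY + '";\n' +
    'var s = "' + encodeScript(source, KEY) + '";\n' +
    'window.onload = function () { document.write(decodeScript(s, k)); };\n' +
    '</script>';
}

// Anyone holding the served page has everything the browser has, so getting
// the plaintext back is the same step the onload handler performs.
function recoverFromPage(html) {
  const key = /var k = "([^"]*)"/.exec(html)[1];
  const enc = /var s = "([^"]*)"/.exec(html)[1];
  return decodeScript(enc, key);
}

// Constructed stand-in for the "commercially sensitive" script: the standard
// textbook repayment formula (principal p, periodic rate r, n periods).
const SOURCE = 'function repay(p, r, n) { return p * r / (1 - Math.pow(1 + r, -n)); }';
```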


 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list


