AltME groups: search

Well, I suppose since ALTME is encrypted they would have to release 
the encryption specifics so it may never be done

encryption and authentication/authorization.

rugby uses 1024 bits encryption

used to say that that would take 3,000,000 years to crack ... but 
now they say governments can do it.  should switch to 2048 bits for 
espionage level encryption.

Would you really want a non-native GUI, with every call to / from 
it going via slow [in relative terms] routine! APIs?


I agree that having one *huge* exe that does 100% of what *everyone* 
wants but only has 20% of it's functionality used by the average 
coder is a bad thing. The problem is defining what constitutes huge 
and what functionality is needed by most coders. Here are some typical 
components:

	Graphics
	Sound
	Networking
	Maths
	Encryption
	Data storage
	Installer
	Registry access
	Library access


Which should be built-in? Which should be loadable modules? Is your 
preference going to be the same as mine? These are not easy design 
questions.

I meant links to the docs (Library docs, Sound docs, call docs, encryption 
docs)

it looks to me, that the initial-vector is not taken into account 
by the encryption ports?

I have to encrypt some rather large files .. many megabytes.  Is 
there an encryption port that will do this in Rebol?  Or does encryption 
require that the whole file be in memory?

I don't think encryption changes the file-length, so you could just 
choose a large chunk size and encrypt those separately.

http://www.rebol.com/docs/encryption.html#section-3.1"It is possible 
to copy from the port before all data has been written"

I don't know exactly, but I remember reading that its not a real 
encryption system.

Encloak  -- http://www.rebol.net/cookbook/recipes/0023.html-- Carl 
says


Newer versions of REBOL include "cloaking" functions for encrypting 
and decrypting strings. These functions do not provide full strength 
encryption such as Blowfish, AES, or RSA as found in REBOL/Command, 
nevertheless they can be useful for hiding passwords and other values. 
(That's why we call it cloaking rather than encrypting.)

There are things stronger than encloak in the Library

http://www.rebol.org/cgi-bin/cgiwrap/rebol/search.r?find=encryption

I have a 24 bit math implementation to do RSA  but never converted 
to or from other bases. It is from before Holgar did  encryption 
with thebignum library  nativly in  core/view which renders mine 
moot

anyone know of a way to get a persistent value based on someone's 
computer... the longer the string the better... (on windows)

this is with a /command license, so any accessible rebol feature 
is usable.

something like:
    -System install serial number
    -Disk serial number
    -CPU id


I want to generate an encryption key which isn't stored as part of 
the code.  It just makes it a bit more complicated to reverse engineer 
the stored password if the encryption key is different for all installations.

the idea is for the encryption key to a stored password is created 
dynamically via an algorythm.  
If the software is encapped, then its a pretty safe system IMHO.


But if the software stays open source (and interpreted), at least 
I can use some natives for which the key-gen algorythm is hard to 
reverse engineer.

Although someone with rebol know-how can obviously get the passwd 
by running the algorythm manually, there is no way around this AFAIK.

If you think that keeping the algorithm secret increases the security 
of your encryption then you should not be writing an encryption algorithm. 
it's that simple. :)

I'll use real encryption (using command)

using real encryption does not make any difference... but anyway.

is the client paying you to use a machine specific id and some secret 
encryption scheme?

Basically I am writing to ask something ... I am newbie at writing 
rebol bindings. This binding if it works it works but if almost anything 
goes wrong it simply crashes. For example missing some file, not 
going into TEXT mode , not oppening closing something, page reference 
insted of pdf doc reference given to some function in binding .. 
pdf that we intend to write being locked (alredy open in acrobat)... 
ETC ... 


I intend to write this robust now, so I am asking how is this usually 
done? I can check for preconditions before talking to binding at 
runtime in rebol. Another (better) option is that binding shouldn't 
just crash for anything that goes wrong. I saw in docs something 
about error messages as return, so maybe I am doing something wrong 
in the first place , for example not implementing or setting up some 
callback for errors... Anyone more experienced than me? Rebol Haru 
could be quite capable otherwise, it supports all things that are 
really messy to do in PDF (encodings, embedding fonts, images, encryption, 
graphics, ...).

One thing is that I can check for these preconditions at runtime,

encryption contest? ;)

Hello, everyone... Ii am using encryption in Rebol/SDK, and I would 
like to store the actual binary value returned from the port as a 
string... not the to-string value, but the binary value... for example, 
if I get back #{455121D505CD240595E530589ADCD7787F22EF9DE899D6D8} 
from the port, I would like to store 455121D505CD240595E530589ADCD7787F22EF9DE899D6D8 
as a string in a file... does anyone know if this is possible?

this is a serious flaw in R2... if you want to store encryption keys 
within an application and want to provide some sort of plugin interface, 
you are pretty much fucked... people can rip your application appart, 
and there is nothing you can do about it...


a part creating a dialect, which is complicated as hell if you want 
to provide do-like syntax.

Tim: MySQL 4.1 uses a new encryption method for user passwords, try 
add a new user assigning the password with the function OLD_PASSWORD('pass') 
rather than PASSWORD('pass'), and attempt   open mysql:// ... etc. 
 with the new user. Hope this helps.

I am not talking about encryption, just looking into 'checsum function 
help ... I just need hash ...

With v3.x.y servers, there's still sometimes connections errors 1045 
that shouldn't happen. I guess that's related to some encryption 
implementation difference between my client and v3 servers. Workaround 
for this, is catching error! values when connecting and retrying 
the connection if the user/pass is fixed and should be able to connect 
to the server (proper right set in 'mysql' tables).

so it's simply a different encryption scheme for some reason

At least, the whole networking support needs probably to be fully 
rewritten for R3. Beyond that I'm not sure what you work or not out 
of the box with R3. String encoding and Unicode might require some 
additional code. MD5 support is also required btw, if you want to 
use passwords with 4.1+ MySQL servers (for 3.x support, you would 
need to rewrite the whole current driver encryption code).

If I wrote some fanstastic treatise in French .. you would complain 
about the encryption method.

All SDKs have shell, library and encryption. Command adds ODBC/Oracle 
and SSL (client side)

I have sshd running on my Kubuntu, and when I fish: across to it 
from another kubuntu box on the local network, it takes a long time 
to connect. Today I counted 45 seconds before authentication dialog 
popped up. I think I remember reading something about a delay for 
encryption etc. but I'm wondering if that's a "normal" length of 
time to wait.

Is Altme communicating on plain TCP/IP protocol? Does Altme use encryption 
in any way? SSL?

Altme uses encryption but not ssl

Seems like SSL Tunnelling with squid is on by default on certain 
ports using the CONNECT method:

http://www.squid-cache.org/mail-archive/squid-users/200210/0295.html

Our customer was monitoring the trafik and could see, that nothing 
happened after the CONNECT, so maybe the problem is, that REBOL doesn't 
continue after the CONNECT!? As I understand it, the CONNECT method 
is used to establish a connection between the two computers (client 
and server), and then the proxy simple let the communication continue 
without touching it (allowing SSL encryption and the like). REBOL 
can make the connection, but fail to communicate afterwards. (My 
guess.)

It's interesting, that Altme works using encryption too!? Is the 
CONNECT method in use in this situation?

an encryption tool? I think not ... IMO altme is built upon SSL capability 
of Rebol/Command SDK or even Rebol/Pro? Dunno ...

Pekr: Graham was just saying, that "Altme uses encryption but not 
ssl"

see http://www.rebol.com/docs/encryption.html

The chapter also includes a really enthusiastic introduction to IOS 
and details of the data encryption features in Rebol/Command.

not sure, not tried yet, but good suggestion ... so what is the difference 
then? Encryption, odbc?

Command adds encryption, ODBC, Oracle, (slower native) MySQL, and 
SSL.

isn't encryption part of /pro too?

Command seems to have an "Encryption Level 2" though, which I would 
guess is better.

(I think Pro suffices anyway though. It has encryption and FastCGI 
on board)

But with the xpacker you don't protect the code as with encap. Encap 
is using encryption. the packer just decompress the files to temp 
dir and runs a command. So while the program is runing, you can see 
the files.

Folks, I'd like to use encryption, to encrypt some json records and 
deploy it to the browser and decrypt it using this algorithm at  
http://www.fourmilab.ch/javascrypt/javascrypt.html

I'd like to encrypt json text using Rebol and AES encryption. And 
decrypt this using javascript. Do you have any idea how to do this 
using Rebol. I mean the AES encryption. I mean : txt: "blablablba" 
 key: #CEDEFF.. encrypt  txt key   ...  using AES rhinjael algorithm 
.. thanks

rondon,

you have to check that the choosen encryption scheme is compatible 
on both sides. at least SHA-1 / MD5 should work.

here you have some javasript routines:
	http://www.movable-type.co.uk/scripts/sha1.html
	http://pajhome.org.uk/crypt/md5/index.html

howto rebol:
http://www.rebol.com/docs/words/wchecksum.html


just send some test data and adjust the encryption scheme at the 
javasript side.

with luck, the rebol implementation is suitable for the routines 
above.

Rondon, Rebol encryption is well described in this secure document 
http://www.rebol.com/how-to/encrypt.html#section-15

I tried to do AES encryption but anything I encypted was not de-crpytable 
by standard tools

TomBon: hashing and encryption are not the same thing.

crypt: func [
    "Encrypts or decrypts data and returns the result."
    data [any-string!] "Data to encrypt or decrypt"
    akey [binary!] "The encryption key"
    /decrypt "Decrypt the data"
    /binary "Produce binary decryption result."
    /local port
][
    port: open [
        scheme: 'crypt
        direction: pick [encrypt decrypt] not decrypt
        key: akey
        padding: true
    ]
    insert port data
    update port
    data: copy port
    close port
    if all [decrypt not binary] [data: to-string data]
    data
]

REBOL [
Title: "ARCFOUR and CipherSaber"
Date: 17-Jan-2004
File: %arcfour.r
Author: "Cal Dixon"

Purpose: {Provides encryption and decryption using the ARCFOUR algorithm}

Note: {this implementation can decrypt data at about 40KB/s on my 
1Ghz AMD Duron system with Rebol/View 1.2.10.3.1}
Library: [
level: 'advanced
platform: 'all
type: [function module protocol]
domain: [encryption scheme]
tested-under: [view 1.2.10.3.1 on [W2K] by "Cal"]
license: 'PD
support: none
]
]


;ARCFOUR specification: http://www.mozilla.org/projects/security/pki/nss/draft-kaukonen-cipher-arcfour-03.txt

;CipherSabre specification: http://ciphersaber.gurus.com/faq.html#getrc4


arcfour-short: func [key [string! binary!] stream [binary! string!] 
/mix n /local state i j output swap addmod sz][

swap: func [a b s /local][ local: sz s a poke s a + 1 to-char sz 
s b poke s b + 1 to-char local ]
addmod: func [ a b ][ a + b // 256 ]
sz: func [ s a ][ pick s a + 1 ]

state: make binary! 256 repeat var 256 [ insert tail state to-char 
var - 1 ]

j: 0 loop any [ n 1 ] [ i: 0 loop 256 [ swap i j: addmod j add sz 
state i sz key i // length? key state i: i + 1] ]
i: j: 0 output: make binary! length? stream
repeat byte stream [
swap i: addmod i 1 j: addmod j sz state i state

insert tail output to-char xor~ byte to-char sz state addmod (sz 
state i) (sz state j)
]
clear state
return output
] 

make root-protocol [
addmod: addmod: func [ a b ][ a + b // 256 ]
sz: func [ s a ][ pick s a + 1 ]

swap: func [a b s /local][ local: sz s a poke s a + 1 to-char sz 
s b poke s b + 1 to-char local ]
ins: get in system/words 'insert
i: 0 j: 0
open: func [port][
port/state/tail: 2000
port/state/index: 0
port/state/flags: port/state/flags or port-flags

port/locals: context [ inbuffer: make binary! 40000 state: make binary! 
256]
use [key n i j] [
key: port/key
n: port/strength
repeat var 256 [ ins tail port/locals/state to-char var - 1 ]
j: 0 loop any [ n 1 ] [
i: 0 loop 256 [

swap i j: addmod j add sz port/locals/state i sz key i // length? 
key port/locals/state i: i + 1
]
]
]
i: j: 0
]
insert: func [port data][
system/words/insert tail port/locals/inbuffer data do []
]
copy: func [port /local output][
output: make binary! local: length? port/locals/inbuffer
loop local [

swap i: addmod i 1 j: addmod j sz port/locals/state i port/locals/state

ins tail output to-char sz port/locals/state addmod (sz port/locals/state 
i) (sz port/locals/state j)
]
local: xor~ output port/locals/inbuffer
clear port/locals/inbuffer
local
]

close: func [port][ clear port/locals/inbuffer clear port/locals/state 
clear port/url clear port/key]
port-flags: system/standard/port-flags/pass-thru
net-utils/net-install arcfour self 0
]

arcfour: func [key stream /mix n /local port][
port: open compose [scheme: 'arcfour key: (key) strength: (n)]
insert port stream
local: copy port
close port
return local
]


; CipherSaber is an ARCFOUR stream prepended with 10 bytes of random 
key data
ciphersaber: func [ key stream /v2 n ][

arcfour/mix join key copy/part stream 10 skip stream 10 either v2 
[ any [ n 42 ] ][ 1 ]
]

Graham: I was able to implement TLS1.0 protocol configured to use 
the TLS_RSA_WITH_RC4_128_SHA cipher-suite. All the mentioned algorithms 
were calculated using the  build-in Rebol2 encryption functionality. 
I had no problems regarding the compatibility. I haven't tried the 
cipher-suite with the AES enctryption though but my guess it will 
work as well.

Doc: the code is in sort of "prototype state" and It was meant as 
possible implementation for R3 in future (once Carl put the encryption 
algorithms codebase into the R3/host-kit or someone write an extension 
for that).

I wrote it because I wanted to know if we could get rid of unnecesary 
C code that is currently in R2 to just handle the protocol logic 
while the performance of the crypto algorithms will remain in C. 
The current size is less than 20Kb of Rebol script code so IMO it 
could be useful and also easier maintainable way.

Currently it works in client-side mode only but there is already 
support for ASN.1 certificates also I tried to write the code so 
the server-side mode and other cipher-suites shouldn't be hard to 
add.

I plan to release the prototype to open public after some cleanup 
but if you want to waste some time with the current 'raw stuff' just 
post me privately and I'll send you a copy.

yes, zip:// scheme - would be usefull, along with encryption :-)

Is there any progress on encryption with Uniserve protocols ?

Encryption methods are application-depend, it's hard to built-in 
Uniserve's kernel a general purpose encryption for communication 
that'll fit well any case...The kernel have to remain general purpose. 
But it may provides some helping features to allow easier encryption 
integration. Do you have some design ideas how the kernel should 
help integrating encryption ?

I think the problem I had is that uniserve either uses a terminating 
sequence, or a preset number of bytes.  If the size of each "packet" 
changes with encryption, how does one cope with that?

I've added a new event : 'on-write-chunk to allow modification of 
the chunks of big files just before they are sent. This can be the 
hook to implement compression or encryption when sending big files.

About server-side SSL : after several beers last year in Paris, Carl 
told me that the ssl:// scheme could be turn to work as server-side 
with just the right flag set (IIRC, was about setting the right "direction" 
in encryption), then you "just" have to implement server-side HTTPS 
protocol to support it fully. I've since that, tryed several times 
to get the info about the "magic flag" from Carl, without success. 
So I've prepared several dozens bottles of beer to be sure to get 
the info from him at the next DevCon ;-).

Their LNS implementation uses BEER for authentication, encryption, 
and transport.

BEER does channelling in one single connection. if you don't need 
that, there's no advantage in using it vs. plain tcp. lns is doing 
its own auth/encryption and so on anyway.

I mentioned certificates for two reasons here. 1) IIRC Holger (or 
someone from RT, do not remember right now) said, that internally 
Rebol has some parser for that, but the API for that is not exposed 
2) it seems to me, that there might be some parts of the world, where 
encryption is enough, and there is nothing bad with such opinion, 
in regards to such countries ...

Q about encryiption within rebservices: my *guess* is if you are 
using core or view, then rebservices can' t use rsa encryption method 
but must use encloack/decloack method. And there is no plans to upgrade 
for rsa support in the next releases of  core and view . I'm rigth?

About the Email.. I think they dont understand where email is going.. 
If they would have build an email client that would support encryption 
or packaging from text to grafics they would be on the route to the 
future.. For..re-inventing the wheel with lots of bells and advertising.. 
(yes im a little anti java and .net internet applications currently 
;-) Ever stranger...NET is dead and also is Java..still many use 
it.. i dont get it..

Yes on both counts. Really depends on what kind of data needs to 
be encrypted; if it's passwords and personal information that is 
indirectly referenced (i.e. on / by other key column(s) ) then client-side 
encryption makes sense.

IMO encryption should be on a lower level, on the file level. I don't 
want to care about using encryption in my application, I just want 
to set a flag that the database file gets encrypted.

WRT encryption. I found one implementation (you need to buy a license) 
that supports transparent encryption. IIRC I posted the link some 
time ago. I will have a look at the C code and there at the storage 
stuff to see how hard it is to add an AES encryption of storage pages. 
IMO it can't be that hard.

Hi, I know that some talk of encryption was held here some time ago, 
but currently I was asked to eventually protect sqlite data and I 
am not sure what is correct aproach. I would not go DB-as-a-file 
encryption, then "unpacking" into memory, or so. I prefer app level 
encryption, but I am not sure about searches, using LIKE directive. 
Would it work?

the proper encryption would have to come at lower db level, namely 
- storage level ....

Performance will be about 50% without encryption for the SQLite extension. 
But I don't think that it's that much. Reading/writing to disk is 
a lot slower compared to execution speed of processors. So, I expect 
about 25% performance loss.

well, but at some point, you open-up that partition in order to be 
able to access it. The security is not there anymore. What I would 
like to have is direct SQLite low-level encryption, so that file 
might be visible to FS, but still encrypted. And your app provides 
password or something like that ... IIRC BrianH is using some such 
solution, I just don't remember its name.

IIRC encryption costs $2000

SQLIte is fast for simple to middle local stuff. I have few obstacles 
with it 


1) it stores everything in one file. You can't use simplicity of 
file-system for simple back-up purposes. Attaching DBs (max 10 precompiled 
value) is not an option, as then transactions are not atomic

2) it is not secure - can't be secured easily, because encryption 
is not part of the package

3) serverless (both advantage = no install, but also disadvantage). 
It provides locking. They claim multiple instances of app can access 
one file, but I did not find more info on that. Dunno how granular 
locking you can do. You have to create server front-end yourself 
...

R3 does not have encryption modules yet, they will probably come 
later. but notice that nobody stops people from linking to OpenSSL 
and provide a complete SSL solution.

Services requires encryption so you can bet release version of R3 
will have it.

SSL is specific protocol. I am not speaking about encryption here, 
but about the trust, that is what certificates are for. IIRC the 
api for them is inside, it was not just exposed. And IIRC2, Ladislav 
once mentioned he will do it? But I could misunderstood him ...

signatures - rebol has that built in. is called rsa encryption

We'll need access to Berkeley DB too, (if the Grid stays in the current 
shape it is) so a good reason to link to libdb for RIF.


For LDAP, I think the protocol should be in a REBOL scheme.  But 
as stated, it's not a small task.


And for the Grid, we'll need certificate handlers, and encryption 
ports will work nicely for that.  With those three pieces, I think 
we'd be ready to introduce ourselves to the CERN LCG and VDT people 
 (Assuming they didn't shoot down the idea off hand due to not Open 
Source)  In which case we'd have to live outside the inner grid and 
float about the consumer grid.  No science apps would need apply, 
but the consumer grid could be a lucrative next step.  Maybe.

Some info from Carl from the past:


The DLL access is very complicated code that is specific to every 
CPU and OS.The DLL access is very complicated code that is specific 
to every CPU and OS.

The problem with plugin is not the code itself, but the security 
of it.

If we can set security aside for a while, we can certainly have the 
method for it.
I think it is probably ok for 3.0 to make this statement:

If you want to use plugins, you can -- but, you will want to only 
use those from trusted sources. Do not execute unknown plugins from 
the web.

the complex part of the security model is some method of digital 
signing.

We could use a simple hash method, but the problem is with public/private 
certification.

What makes it complicated is that we must port the R2 encryption 
code to R3.
That project could take a few weeks.

A way to add higher order encryption

Graham: okay. that's the whole licensing/encryption/pro features/etc. 
issue right?

Here's a few components of Trusted Scripts (this is only a draft 
-- open for feedback):
	* Default security model is tight -- how tight is TBD.

 * Developers that want to take advantage of Trusted Scripts, i.e. 
 to lower security for a production app, first must buy a license.key 
 from RT.

 * license.key unlocks  "features" and "permissions". Features are 
 things like encryption within the script. Permissions include file 
 sandbox, domain restrictions, dll loading permissions, etc.

 * license.key will contain contact info, so we can track down the 
 author of a malicious signed script if necessary.

using encryption if you have those options in your license.

My working login.rsp script ...

<%
		in-user: select request/content 'login
		in-pass: select request/content 'pass
		encoding-salt: to-binary "My encryption string"


  print [ <p/> "Login is: " in-user " and pass is " in-pass <p/> ]
				
		encode-pass: func [
			pass [string!]
			salt [binary!]
		] [
			checksum/secure append to binary! pass salt
		]

		
		if all [ in-user in-pass ][
			print <pre>


   qry: rejoin [ {select staffname, sid, fullname from staff where staffname 
   = '} in-user {' and pwd = '} form encode-pass in-pass encoding-salt 
   {'} ]

			probe qry
			print </p>
			
			sql: do-sql 'remr qry 
			print [ "Query result: " sql ]
			print </pre>	
			if found? sql/1 [
				response/redirect "/testapp/"
			]
		]
%>

Encryption: I meant this to use for normal cookies.

It's equivalent to Rugby but without encryption. R/Services is much 
higher level. If someone is interested, I can search my older backups 
for the whole thing.

I don't need the encryption as it will be used as localhost

Bad news for websocket support in REBOL: the new RFC requires that 
client encodes data sent to server using a basic XOR encryption algorithm:


http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-10#section-4.3


This is a bad news for us, because it requires to process all bytes 
received, one by one to decode the message. REBOL is very slow at 
processing big data in loops, so the overhead can be very significant 
for data frames of a few dozen KB and more. It could affect Cheyenne 
global performances drastically.


However, it could have been worse, this encryption scheme is not 
required for data sent by server. So, as long as clients are sending 
small messages (up to a few KB), the overhead should be low. Fortunately, 
the usual client messages are queries to obtain data, so usually 
small. But if you have to move big amouts of data (like XML documents) 
back and forth through websockets, Cheyenne won't be able to cop 
with the load and it will most probably be a show-stopper.

Point of Information;  The user.r 2009 roty vote code.

vote: func [name] [

    enbase/base encloak head change head insert/dup copy "" " " 16 form 
    name "roty" 64
]


Please use that function, capture the output and post your vote to 
    user.r Chat


Due to encryption issues please use   'doc, 'brianh, 'henrik, for 
Nenad Rakocevic , Brian Hawley and Henrik Mikael Kristensen.

Need some more lower level encryption before HTTPS, I think. I think 
also that it belongs in the same category as SSH, SFTP, etc.

BSD or MIT... yes that is exactly what I proposed... it it VERY well 
coded and exceptionally small the whole putty app is in fact smaller 
than rebol.exe IIRC :-)


it has a LOT of goodies beyond a full SSH2 encryption set and EVERYTHING 
is stand-alone it relies on no external dll or libs.

Carl once admitted that is was possible but not "enabled".   AFAIK, 
he never told anyone the trick.  maybe its unstable and didn't want 
to put time on it.


theoretically, one could build an https server protocol in R2... 
the encryption algorithms are all there AFAIK in /pro licenses.  
its just knowing the handshaking protocols and all that... I look 
briefly at the RFC once and its not "obvious" to implement... at 
least not for the bg I have.

MD5 checksums, a parser for the files (easy), and whatever they use 
for encryption.

but encryption occurs at a higher level than tcp

A great discussion with an even greater outcome. I'm hardly able 
to follow, but I love the pure elegance of the proposed solution 
with selfish objects and selfless functions and alike. I'm deeply 
impressed by the security implications your drawing and in general 
all the situations both of you, Ladislav, Brian, with the help of 
Carl and Gabriele, are considering when it comes to answer a question 
which is easy to ask but hard to answer in a satisfying way. So, 
first of all, this is just a note to let you know how much your work 
is appreciated. 


On the other - off topic - hand, it has made me curious especially 
for the security concerns one has to deal with in REBOL. Not the 
kind of security issues you always have to deal with like SQL injections, 
everything related to proper encryption and proper password handling, 
but the kind of rebolish security you have to deal with when, let's 
say, executing arbirtray code. What are the appropiate measures you 
have to take in order to protect yourself from harm, that kind of 
stuff. Are there any documents on this subjects somewhere beyond 
Ladislav's articles?

but yes brianh you got the point when you relay on hardware then 
you have to choose what technology you support i know rebol main 
target is to be hardware / OS / driver abstracted .. but then you 
have a toy language anyone laught about that  can't bring anyway 
the same thing on every OS computer a part some very basic features 
like networking, encryption etc...

There are two ways of hiding values. The tricky way is to use PROTECT/hide 
on a publically visible context. The more common, easier way is to 
use contexts that aren't publically accesible. There is no way that 
a reflector can tell if a bound context is not accessible, but the 
unbind trick prevents that kind of hack. And since inaccesible contexts 
might contain private information like encryption keys that might 
not belong to the person running the R3 process, there is no security 
setting that can make this safe to not do.