[Chugalug] Dropbox (and other Python Apps) Reverse-Engineered

Stephen Haywood stephen at averagesecurityguy.info
Wed Aug 28 14:13:41 UTC 2013


You have to think through the system from beginning to end and determine the threats to the system and the attack surface of the system. Then you have to implement compensating controls in the system to mitigate (not remove) those threats. The most cost-effective method is to reduce the attack surface, but sometimes you can't do that.

Typically, you need someone with experience breaking and building security to help you think through this stuff. If you have a system in mind, I would be glad to sit down over supper and help you think about the threats, attack surfaces, and compensating controls.

--
Stephen Haywood
Owner, ASG Consulting
CISSP, GSEC, OSCP
423.305.3700
stephen at averagesecurityguy.info




On Aug 28, 2013, at 9:33 AM, Benjamin Stewart <stewartbenjamin at gmail.com> wrote:

> That was my suspicion. So then, when you go on the defensive, what do you
> do? How do you build a system that, even when you can see clearly into it,
> provides reasonable security?
> 
> 
> On Wed, Aug 28, 2013 at 9:09 AM, Dave Brockman <dave at brockmans.com> wrote:
> 
>> On 8/28/2013 8:49 AM, Benjamin Stewart wrote:
>>> Interesting read, thanks for posting!
>>> 
>>> Question for the security programmer folks: Are there code
>>> obfuscation techniques, for Python or other languages, that
>>> actually work against such a determined attacker, or is this
>>> DropBox client pretty close to "state of the art?"
>> 
>> Short answer is no. Given enough time, determination and a debugger, at
>> the very least, whatever assembly code your obfuscated code produces
>> can be captured.
>> 
>>> You can't really just say "don't use Python," because C et al. can
>>> be decompiled, too.
>> 
>> If it's software, it can be decompiled....
>> 
>> Regards,
>> 
>> dtb
>> _______________________________________________
>> Chugalug mailing list
>> Chugalug at chugalug.org
>> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>> 
> 
> 
> 
> -- 
> 
> 
> 
> Benjamin Stewart
> 
> <o(((><   <)))o>
