[Chugalug] Dropbox (and other Python Apps) Reverse-Engineered
stewartbenjamin at gmail.com
Wed Aug 28 14:52:59 UTC 2013
Sadly, I don't have any projects that interesting going at the moment, but
I will keep your offer in mind! Maybe we can talk about it when you do your
When I do write security-related code, though, I always feel a tension
between having to somehow keep secrets secret, and feeling like there's an
attacker looking over my shoulder at my code, already breaking my secrets
as I write it. I'm sure I'm terrible at it, but I do my best.
Seeing this, and similar things I've seen, it seems that many people do
almost as badly as I do or worse. That's terrifying! (Well, Dropbox was way
more obfuscated than anything I've done, but still!)
On Wed, Aug 28, 2013 at 10:13 AM, Stephen Haywood <
stephen at averagesecurityguy.info> wrote:
> You have to think through the system from beginning to end and determine
> the threats to the system and the attack surface of the system. Then you
> have to implement compensating controls in the system to mitigate (not
> remove) those threats. The most cost effective method is to reduce the
> attack surface but sometimes you can't do that.
> Typically, you need someone with experience breaking and building
> security, to help you think through this stuff. If you have a system in
> mind, I would be glad to sit down over supper and help you think about the
> threats, attack surfaces, and compensating controls.
> Stephen Haywood
> Owner, ASG Consulting
> CISSP, GSEC, OSCP
> stephen at averagesecurityguy.info
> On Aug 28, 2013, at 9:33 AM, Benjamin Stewart <stewartbenjamin at gmail.com>
> > That was my suspicion. So then, when you go on the defensive, what do you
> > do? How do you build a system that, even when you can see clearly into
> > provides reasonable security?
> > On Wed, Aug 28, 2013 at 9:09 AM, Dave Brockman <dave at brockmans.com>
> >> On 8/28/2013 8:49 AM, Benjamin Stewart wrote:
> >>> Interesting read, thanks for posting!
> >>> Question for the security programmer folks: Are there code
> >>> obfuscation techniques, for Python or other languages, that
> >>> actually work against such a determined attacker, or is this
> >>> DropBox client pretty close to "state of the art?"
> >> Short answer is no. Given enough time, determination and a debugger, at
> >> the very least, whatever assembly code your obfuscated code produces
> >> can be captured.
> >>> You can't really just say "don't use Python," because C et al. can
> >>> be decompiled, too.
> >> If it's software, it can be decompiled....
> >> Regards,
> >> dtb
> >> _______________________________________________
> >> Chugalug mailing list
> >> Chugalug at chugalug.org
> >> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
> > --
> > Benjamin Stewart
> > <o(((><
> > <)))o>
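Dave's point above, that given time, determination and a debugger whatever the obfuscated code produces can be captured, shown in Python as an added example; this is not code from the thread or from the Dropbox client. The "client" module, its one-byte XOR masking, the key string and all function names are constructed stand-ins. The example recovers the masked secret two ways: statically, by unmarshalling the compiled code and pairing its bytes constants with its small integer constants, and dynamically, by letting the program unmask the value and catching it on the way out of the helper with sys.setprofile, which stands in for a breakpoint on function return.

```python
"""Recovering a secret that a Python client has 'hidden' with a XOR mask,
first from the compiled bytecode alone, then by tracing the running program.
Added example: the client module, its masking, the key and the names are
constructed stand-ins, not Dropbox's code."""
import marshal
import sys
import types

# Constructed stand-in for a packed client module. The secret is XOR-masked
# with a one-byte key so that it never appears as plaintext in the .pyc.
SECRET = "example-api-key-0001"   # assumption: made-up value, not a real credential
MASK = 0x37
OBFUSCATED_SRC = f"""
_K = {bytes(c ^ MASK for c in SECRET.encode())!r}
def _unmask(b, m={MASK}):
    return bytes(x ^ m for x in b)
def get_api_key():
    return _unmask(_K).decode()
"""


def build_pyc_body(src: str) -> bytes:
    """Compile the source and marshal the code object, as a .pyc body is stored."""
    return marshal.dumps(compile(src, "<client>", "exec"))


def iter_consts(obj):
    """Yield every leaf constant of a code object, descending into nested code
    objects and into tuples the compiler folded (e.g. default-argument tuples)."""
    if isinstance(obj, types.CodeType):
        for c in obj.co_consts:
            yield from iter_consts(c)
    elif isinstance(obj, (tuple, frozenset)):
        for c in obj:
            yield from iter_consts(c)
    else:
        yield obj


def recover_statically(pyc_body: bytes) -> str:
    """Attacker with only the file: unmarshal it, collect the bytes constants and
    the small integer constants (the mask has to be stored somewhere), and try
    each pair. The first result that is entirely printable ASCII is the secret."""
    consts = list(iter_consts(marshal.loads(pyc_body)))
    blobs = [c for c in consts if isinstance(c, bytes) and len(c) >= 8]
    masks = {c for c in consts
             if isinstance(c, int) and not isinstance(c, bool) and 0 <= c < 256}
    for blob in blobs:
        for m in masks:
            plain = bytes(x ^ m for x in blob)
            if all(32 <= x < 127 for x in plain):
                return plain.decode()
    raise ValueError("no (blob, mask) pair produced printable text")


def recover_dynamically(pyc_body: bytes) -> str:
    """Attacker with a debugger: run the code and capture the return value of the
    unmasking helper. sys.setprofile stands in for a breakpoint on return."""
    ns: dict = {}
    exec(marshal.loads(pyc_body), ns)
    captured = []

    def on_event(frame, event, arg):
        # For a "return" event, arg is the value the frame is returning.
        if event == "return" and frame.f_code.co_name == "_unmask":
            captured.append(arg)

    sys.setprofile(on_event)
    try:
        ns["get_api_key"]()
    finally:
        sys.setprofile(None)
    return captured[0].decode()


def plaintext_in_file(pyc_body: bytes) -> bool:
    """What a plain grep for the key sees: False, which is all the masking buys."""
    return SECRET.encode() in pyc_body


if __name__ == "__main__":
    body = build_pyc_body(OBFUSCATED_SRC)
    print("grep finds plaintext:", plaintext_in_file(body))
    print("static recovery:     ", recover_statically(body))
    print("dynamic recovery:    ", recover_dynamically(body))
```

The masking defeats a string search and nothing more; the constants that reproduce the secret are in the same file, and the moment the program needs the value it exists in memory for any tracer or debugger to read. Compiled C moves the same problem into .rodata and registers rather than removing it. The practical conclusion matches the thread: a secret that must survive in a shipped client is not a secret, so design so that the client holds nothing worth recovering (per-install tokens the server can revoke, authorization enforced server-side) rather than hiding a shared key better.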