[Chugalug] Dropbox (and other Python Apps) Reverse-Engineered

Benjamin Stewart stewartbenjamin at gmail.com
Wed Aug 28 14:52:59 UTC 2013


Sadly, I don't have any projects that interesting going at the moment, but
I will keep your offer in mind! Maybe we can talk about it when you do your
pentesting class.

When I do write security-related code, though, I always feel a tension
between having to somehow keep secrets secret, and feeling like there's an
attacker looking over my shoulder at my code, already breaking my secrets
as I write it. I'm sure I'm terrible at it, but I do my best.

Seeing this, and similar things I've seen, it seems that many people do
almost as badly as I do or worse. That's terrifying! (Well, Dropbox was way
more obfuscated than anything I've done, but still!)


On Wed, Aug 28, 2013 at 10:13 AM, Stephen Haywood <
stephen at averagesecurityguy.info> wrote:

> You have to think through the system from beginning to end and determine
> the threats to the system and the attack surface of the system. Then you
> have to implement compensating controls in the system to mitigate (not
> remove) those threats. The most cost effective method is to reduce the
> attack surface but sometimes you can't do that.
>
> Typically, you need someone with experience breaking and building
> security, to help you think through this stuff. If you have a system in
> mind, I would be glad to sit down over supper and help you think about the
> threats, attack surfaces, and compensating controls.
>
> --
> Stephen Haywood
> Owner, ASG Consulting
> CISSP, GSEC, OSCP
> 423.305.3700
> stephen at averagesecurityguy.info
>
>
>
>
> On Aug 28, 2013, at 9:33 AM, Benjamin Stewart <stewartbenjamin at gmail.com> wrote:
>
> > That was my suspicion. So then, when you go on the defensive, what do you
> > do? How do you build a system that, even when you can see clearly into it,
> > provides reasonable security?
> >
> >
> > On Wed, Aug 28, 2013 at 9:09 AM, Dave Brockman <dave at brockmans.com> wrote:
> >
> >> On 8/28/2013 8:49 AM, Benjamin Stewart wrote:
> >>> Interesting read, thanks for posting!
> >>>
> >>> Question for the security programmer folks: Are there code
> >>> obfuscation techniques, for Python or other languages, that
> >>> actually work against such a determined attacker, or is this
> >>> DropBox client pretty close to "state of the art?"
> >>
> >> Short answer is no.  Given enough time, determination and debugger, at
> >> the very least, whatever assembly code your obfuscated code produces
> >> can be captured.
> >>
> >>> You can't really just say "don't use Python," because C et al. can
> >>> be decompiled, too.
> >>
> >> If it's software, it can be decompiled....
> >>
> >> Regards,
> >>
> >> dtb
> >> _______________________________________________
> >> Chugalug mailing list
> >> Chugalug at chugalug.org
> >> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
> >>
> >


-- 



                              Benjamin Stewart

                               <o(((><
                               ><)))o>
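The point Dave makes above (that an obfuscated client only hides a secret until someone with a disassembler or a debugger looks) is easy to demonstrate concretely. The following is an added example written for this page, not code from the thread or from the Dropbox client: a constructed, XOR-"obfuscated" key check is compiled to bytecode and the source is discarded, exactly as a shipped .pyc would be. The secret is then recovered twice, once statically by walking the code object's constants, and once dynamically with a `sys.settrace` hook standing in for a debugger. The secret, key and function names are all invented for the example.

```python
"""Recovering a 'hidden' secret from compiled Python bytecode.

Added example (not from the mailing-list thread).  The 'obfuscated'
program, its key and its secret are constructed here for illustration.
"""
import marshal
import sys
import types

# Constructed sample: a developer ships an XOR-masked API key so the
# plaintext never appears as a literal in the bytecode.
_SECRET = b"example-api-key-not-real"
_KEY = b"\x13\x37\x42\x99"
_BLOB = bytes(b ^ _KEY[i % len(_KEY)] for i, b in enumerate(_SECRET))

OBFUSCATED_SRC = f"""
def _k():
    return {_KEY!r}

def check(token):
    blob = {_BLOB!r}
    k = _k()
    expected = bytes(b ^ k[i % len(k)] for i, b in enumerate(blob))
    return token == expected
"""


def build_pyc_payload() -> bytes:
    """What ends up on disk: a marshalled code object, no source text."""
    return marshal.dumps(compile(OBFUSCATED_SRC, "<shipped>", "exec"))


def walk_consts(code: types.CodeType):
    """Yield every constant, descending into nested function code objects."""
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_consts(const)
        else:
            yield const


def recover_static(payload: bytes) -> bytes:
    """Static attack: key and ciphertext are both constants in the bytecode.

    Heuristic for this constructed sample: the shortest bytes constant is
    the XOR key, the longest is the masked secret.  A real target would need
    a little more reading of the disassembly (dis.dis), not a different idea.
    """
    code = marshal.loads(payload)
    blobs = sorted((c for c in walk_consts(code) if isinstance(c, bytes)), key=len)
    key, masked = blobs[0], blobs[-1]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(masked))


def recover_dynamic(payload: bytes) -> bytes:
    """Runtime attack: let the code derive the secret, then read it from the frame.

    Calls check() with a wrong token and uses sys.settrace to capture the
    local 'expected' at the moment check() returns.  This is what a debugger
    breakpoint does; obfuscation of the *derivation* does not help here.
    """
    namespace: dict = {}
    exec(marshal.loads(payload), namespace)
    captured: dict = {}

    def tracer(frame, event, arg):
        # Returning the tracer from the 'call' event keeps us attached to the
        # frame so we also see its 'return' event.
        if event == "return" and frame.f_code.co_name == "check":
            captured["expected"] = frame.f_locals["expected"]
        return tracer

    sys.settrace(tracer)
    try:
        namespace["check"](b"definitely-wrong")
    finally:
        sys.settrace(None)
    return captured["expected"]


if __name__ == "__main__":
    payload = build_pyc_payload()
    print("plaintext literal present in bytecode:", _SECRET in payload)
    print("static recovery: ", recover_static(payload))
    print("dynamic recovery:", recover_dynamic(payload))
```

The static path is the one a determined attacker tries first because it never runs the target; the dynamic path is the fallback that works even when the constants are unpacked from a packed resource or decrypted with a key derived at runtime, since whatever the program computes, it must hold in memory to use. Neither needs the source, which is the substance of "if it's software, it can be decompiled."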