[Chugalug] Dropbox (and other Python Apps) Reverse-Engineered

Benjamin Stewart stewartbenjamin at gmail.com
Wed Aug 28 18:47:53 UTC 2013


I agree. In fact, that's my strategy.

The problem I've run into in the past, however, is essentially the same as
Dropbox's biggest problem above. That is, being able to do something
automatically for the user without making them enter a password every
single time. As soon as you cache a password (or token), you have a secret.
You can't encrypt it securely, either, because the code must necessarily
have the key at that point, and your attacker can see the code and the key.

I suppose the proper answer is simply never to do that, but people (users,
not me!) want programs to remember them.


On Wed, Aug 28, 2013 at 2:12 PM, wes <wes at the-wes.com> wrote:

> A smarter plan is to remove the need for secrets. Use strong encryption
> and authentication, which are essentially provided for you already in the
> shape of libraries. Leave the workings in the open. All that remains is for
> your users' keys to be compromised, and the attacker can then gain access
> to that user's data only. This is the power of open source: with many eyes
> on the system, the weaknesses will be brought to light quite rapidly.
>
> -wes
>
>
> On Wed, Aug 28, 2013 at 7:52 AM, Benjamin Stewart <
> stewartbenjamin at gmail.com> wrote:
>
>> Sadly, I don't have any projects that interesting going at the moment,
>> but I will keep your offer in mind! Maybe we can talk about it when you do
>> your pentesting class.
>>
>> When I do write security-related code, though, I always feel a tension
>> between having to somehow keep secrets secret, and feeling like there's an
>> attacker looking over my shoulder at my code, already breaking my secrets
>> as I write it. I'm sure I'm terrible at it, but I do my best.
>>
>> Seeing this, and similar things I've seen, it seems that many people do
>> almost as badly as I do or worse. That's terrifying! (Well, Dropbox was way
>> more obfuscated than anything I've done, but still!)
>>
>>
>> On Wed, Aug 28, 2013 at 10:13 AM, Stephen Haywood <
>> stephen at averagesecurityguy.info> wrote:
>>
>>> You have to think through the system from beginning to end and determine
>>> the threats to the system and the attack surface of the system. Then you
>>> have to implement compensating controls in the system to mitigate (not
>>> remove) those threats. The most cost effective method is to reduce the
>>> attack surface but sometimes you can't do that.
>>>
>>> Typically, you need someone with experience breaking and building
>>> security, to help you think through this stuff. If you have a system in
>>> mind, I would be glad to sit down over supper and help you think about the
>>> threats, attack surfaces, and compensating controls.
>>>
>>> --
>>> Stephen Haywood
>>> Owner, ASG Consulting
>>> CISSP, GSEC, OSCP
>>> 423.305.3700
>>> stephen at averagesecurityguy.info
>>>
>>>
>>>
>>>
>>> On Aug 28, 2013, at 9:33 AM, Benjamin Stewart <stewartbenjamin at gmail.com>
>>> wrote:
>>>
>>> > That was my suspicion. So then, when you go on the defensive, what do
>>> > you do? How do you build a system that, even when you can see clearly
>>> > into it, provides reasonable security?
>>> >
>>> >
>>> > On Wed, Aug 28, 2013 at 9:09 AM, Dave Brockman <dave at brockmans.com> wrote:
>>> >
>>> >> -----BEGIN PGP SIGNED MESSAGE-----
>>> >> Hash: SHA1
>>> >>
>>> >> On 8/28/2013 8:49 AM, Benjamin Stewart wrote:
>>> >>> Interesting read, thanks for posting!
>>> >>>
>>> >>> Question for the security programmer folks: Are there code
>>> >>> obfuscation techniques, for Python or other languages, that
>>> >>> actually work against such a determined attacker, or is this
>>> >>> Dropbox client pretty close to "state of the art"?
>>> >>
>>> >> Short answer is no. Given enough time, determination and a debugger,
>>> >> at the very least, whatever assembly code your obfuscated code
>>> >> produces can be captured.
>>> >>
>>> >>> You can't really just say "don't use Python," because C et al. can
>>> >>> be decompiled, too.
>>> >>
>>> >> If it's software, it can be decompiled....
>>> >>
>>> >> Regards,
>>> >>
>>> >> dtb
>>> >> -----BEGIN PGP SIGNATURE-----
>>> >> Version: GnuPG v2.0.17 (MingW32)
>>> >> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>> >>
>>> >> iQEcBAEBAgAGBQJSHfZ1AAoJEMP+wtEOVbcdWeEH/1IzOSrCIkquTmYrwwz0R3Cx
>>> >> /Sr1EldScLl550JyK/tZrU1h1Teni6ITmBPCa1pTdfQdqRp061GiXYM5r3A6dwU7
>>> >> VO8n6LaLc96uLojSzYzKM943Uj8KQJdn3YxUrrQGa49/FTuiKL1yAJYT0wFnJE4L
>>> >> RBjs4k7wQe+yfnDVd9wPumDRQY0hbfAbDaVvebECsqHYXEfb+5FGDN2V1n7ennJv
>>> >> Su9wJFI0pUwnWz0utBDUINqOOIh9Fe9H3BIGjDwCpwgG3tO1h+dyDmN124meqMAF
>>> >> 6tDCF12PCjrmA12g6Dv2GEAzLQW98uwK0mWPeAYemSIBmtFYHnv1/D2zfwaeecE=
>>> >> =js+H
>>> >> -----END PGP SIGNATURE-----
>>> >> _______________________________________________
>>> >> Chugalug mailing list
>>> >> Chugalug at chugalug.org
>>> >> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>>> >>
>>> >
>>> >
>>> >
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
>


-- 



                              Benjamin Stewart

                               <o(((><
                               ><)))o>
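The "remember me" problem Benjamin describes, in code. This is an added example for the archive reader, not code posted by anyone in the thread and not Dropbox's client; the token value, the key constant and the function names are all made up for illustration. Scheme A caches the token under a key that lives in the program, so an attacker who can read the program (decompiled bytecode, a string dump, a debugger) recovers the token with the program's own decrypt routine. Scheme B derives the wrapping key from something that is not in the program, here a passphrase the user types, so publishing the code gives the attacker nothing on its own. The keystream construction is deliberately simple and stands in for a real AEAD; the point being shown is key placement, not the cipher.

```python
import hashlib
import hmac
import os

# Constructed sample secret standing in for the token a client would cache.
SAMPLE_TOKEN = b"tok_example_0123456789abcdef"

# Scheme A: hypothetical constant baked into the program. Anyone who can read
# the program reads this too; there is no "hidden" about it.
EMBEDDED_KEY = b"key fixed by the program!"


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative stream cipher: keystream block i = HMAC-SHA256(key, nonce||i).

    Used only so the example runs on the standard library; production code
    should use an AEAD. The weakness demonstrated below is key management.
    """
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        msg = nonce + counter.to_bytes(4, "big")
        out.extend(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def cache_with_embedded_key(token: bytes) -> bytes:
    """Scheme A: 'encrypt' the cached token with the in-code key. No user input needed."""
    nonce = os.urandom(16)
    return nonce + _keystream_xor(EMBEDDED_KEY, nonce, token)


def attacker_recovers(blob: bytes, key_read_from_program: bytes) -> bytes:
    """The attacker lifted the key constant from the program. Decryption is symmetric,
    so the cached blob (e.g. copied from the user's profile directory) opens at once."""
    nonce, ciphertext = blob[:16], blob[16:]
    return _keystream_xor(key_read_from_program, nonce, ciphertext)


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Scheme B: wrapping key from a user-held secret (PBKDF2-HMAC-SHA256, stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 200_000)


def cache_with_user_passphrase(token: bytes, passphrase: str) -> bytes:
    """Scheme B: the program holds no key; the code can be completely public."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    return salt + nonce + _keystream_xor(derive_key(passphrase, salt), nonce, token)


def unwrap_with_user_passphrase(blob: bytes, passphrase: str) -> bytes:
    """Only the passphrase holder gets the token back; a wrong passphrase yields garbage."""
    salt, nonce, ciphertext = blob[:16], blob[16:32], blob[32:]
    return _keystream_xor(derive_key(passphrase, salt), nonce, ciphertext)


if __name__ == "__main__":
    blob_a = cache_with_embedded_key(SAMPLE_TOKEN)
    print("Scheme A, attacker with the code:", attacker_recovers(blob_a, EMBEDDED_KEY))
    blob_b = cache_with_user_passphrase(SAMPLE_TOKEN, "correct horse")
    print("Scheme B, right passphrase:", unwrap_with_user_passphrase(blob_b, "correct horse"))
    print("Scheme B, wrong passphrase:", unwrap_with_user_passphrase(blob_b, "wrong"))
```

Scheme B is exactly the trade the thread is circling: the token is safe from someone who only has the code and the cache file, but the user is back to typing something at startup. In practice the middle ground is to hand the secret to something outside the program that the user has already unlocked (the OS credential store or keyring, which cannot be shown offline here) and to cache a narrowly scoped, revocable token rather than the password itself, so that what the attacker can still recover is worth less.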

