[Chugalug] Dropbox (and other Python Apps) Reverse-Engineered

wes wes at the-wes.com
Wed Aug 28 19:11:00 UTC 2013


That's all client-side. Let the user take the risk if he so chooses. It's
only his data that's exposed.

I think the bigger deal is that Dropbox doesn't want any third-party
software interfacing with their hosted service. That's what they're really
trying to protect. The last thing they want is for someone to release a way
to use Dropbox service for something actually useful ;)

-wes


On Wed, Aug 28, 2013 at 11:47 AM, Benjamin Stewart <
stewartbenjamin at gmail.com> wrote:

> I agree. In fact, that's my strategy.
>
> The problem I've run into in the past, however, is essentially the same as
> dropbox's biggest problem above. That is, being able to do something
> automatically for the user without making them enter a password every
> single time. As soon as you cache a password (or token), you have a secret.
> You can't encrypt it securely, either, because the code must necessarily
> have the key at that point, and your attacker can see the code and the key.
>
> I suppose the proper answer is simply never to do that, but people (users,
> not me!) want programs to remember them.
>
>
> On Wed, Aug 28, 2013 at 2:12 PM, wes <wes at the-wes.com> wrote:
>
>> A smarter plan is to remove the need for secrets. Use strong encryption
>> and authentication, which are essentially provided for you already in the
>> shape of libraries. Leave the workings in the open. All that remains is for
>> your users' keys to be compromised, and the attacker can then gain access
>> to that user's data only. This is the power of open source: with many eyes
>> on the system, the weaknesses will be brought to light quite rapidly.
>>
>> -wes
>>
>>
>> On Wed, Aug 28, 2013 at 7:52 AM, Benjamin Stewart <
>> stewartbenjamin at gmail.com> wrote:
>>
>>> Sadly, I don't have any projects that interesting going at the moment,
>>> but I will keep your offer in mind! Maybe we can talk about it when you do
>>> your pentesting class.
>>>
>>> When I do write security-related code, though, I always feel a tension
>>> between having to somehow keep secrets secret, and feeling like there's an
>>> attacker looking over my shoulder at my code, already breaking my secrets
>>> as I write it. I'm sure I'm terrible at it, but I do my best.
>>>
>>> Seeing this, and similar things I've seen, it seems that many people do
>>> almost as badly as I do or worse. That's terrifying! (Well, dropbox was way
>>> more obfuscated than anything I've done, but still!)
>>>
>>>
>>> On Wed, Aug 28, 2013 at 10:13 AM, Stephen Haywood <
>>> stephen at averagesecurityguy.info> wrote:
>>>
>>>> You have to think through the system from beginning to end and
>>>> determine the threats to the system and the attack surface of the system.
>>>> Then you have to implement compensating controls in the system to mitigate
>>>> (not remove) those threats. The most cost effective method is to reduce the
>>>> attack surface but sometimes you can't do that.
>>>>
>>>> Typically, you need someone with experience breaking and building
>>>> security, to help you think through this stuff. If you have a system in
>>>> mind, I would be glad to sit down over supper and help you think about the
>>>> threats, attack surfaces, and compensating controls.
>>>>
>>>> --
>>>> Stephen Haywood
>>>> Owner, ASG Consulting
>>>> CISSP, GSEC, OSCP
>>>> 423.305.3700
>>>> stephen at averagesecurityguy.info
>>>>
>>>>
>>>>
>>>>
>>>> On Aug 28, 2013, at 9:33 AM, Benjamin Stewart <
>>>> stewartbenjamin at gmail.com> wrote:
>>>>
>>>> > That was my suspicion. So then, when you go on the defensive, what do
>>>> > you do? How do you build a system that, even when you can see clearly
>>>> > into it, provides reasonable security?
>>>> >
>>>> >
>>>> > On Wed, Aug 28, 2013 at 9:09 AM, Dave Brockman <dave at brockmans.com>
>>>> wrote:
>>>> >
>>>> >> On 8/28/2013 8:49 AM, Benjamin Stewart wrote:
>>>> >>> Interesting read, thanks for posting!
>>>> >>>
>>>> >>> Question for the security programmer folks: Are there code
>>>> >>> obfuscation techniques, for Python or other languages, that
>>>> >>> actually work against such a determined attacker, or is this
>>>> >>> DropBox client pretty close to "state of the art?"
>>>> >>
>>>> >> Short answer is no. Given enough time, determination and debugger,
>>>> >> at the very least, whatever assembly code your obfuscated code produces
>>>> >> can be captured.
>>>> >>
>>>> >>> You can't really just say "don't use Python," because C et al. can
>>>> >>> be decompiled, too.
>>>> >>
>>>> >> If it's software, it can be decompiled....
>>>> >>
>>>> >> Regards,
>>>> >>
>>>> >> dtb
>>>> >> _______________________________________________
>>>> >> Chugalug mailing list
>>>> >> Chugalug at chugalug.org
>>>> >> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>>>> >>
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> >
>>>> >
>>>> >
>>>> >                              Benjamin Stewart
>>>> >
>>>> >                               <o(((><
>>>> >                               ><)))o>
>>>
>>>
>>
>
>
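Added example, not code from the thread, from the Dropbox client, or from any of the
posters: it shows both halves of the argument above in runnable Python. First, a
client that caches an API token under a key hidden in its own bytecode (the
"you can't encrypt it securely, because the code must have the key" case), and an
attacker who recovers the token from the shipped .pyc without de-obfuscating
anything, simply by letting the code compute its own key. Second, the "remove the
need for secrets" alternative: the only key is derived from a passphrase the user
holds, so the code can be entirely public and an attacker with the bytecode and the
cache file still learns nothing. The names (`_k`, `cache_token`, `seal_token`,
`open_token`), the key, the token and the file layout are all constructed for
illustration; the stdlib-only HMAC-CTR construction stands in for a vetted AEAD such
as AES-GCM.

```python
"""Hidden-key token cache vs. user-held-key token cache (constructed example)."""
import hashlib
import hmac
import marshal
import os
import types

# ---- 1. the "protected" client: key hidden as an XOR-masked constant --------
HIDDEN_KEY = b"dropbox-client-k"              # constructed; never a real key
_OBF = bytes(b ^ 0x5A for b in HIDDEN_KEY)    # masked form as it ships

# Hypothetical client source; compiled and marshalled like a .pyc body.
CLIENT_SRC = f"""
def _k():
    # 'obfuscation': un-XOR the masked constant at run time
    return bytes(b ^ 0x5A for b in {_OBF!r})

def cache_token(token):
    # XOR 'encryption' of the API token under the hidden key
    k = _k()
    return bytes(t ^ k[i % len(k)] for i, t in enumerate(token))
"""
SHIPPED_PYC_BODY = marshal.dumps(compile(CLIENT_SRC, "client.py", "exec"))


def run_client(pyc_body, token):
    """What the legitimate client does once: cache the token on disk."""
    ns = {}
    exec(marshal.loads(pyc_body), ns)
    return ns["cache_token"](token)


def _walk_constants(code):
    found = []
    for c in code.co_consts:
        if isinstance(c, types.CodeType):
            found.extend(_walk_constants(c))      # nested functions, genexprs
        elif isinstance(c, (bytes, str)):
            found.append(c)
    return found


def static_constants(pyc_body):
    """Static pass: every bytes/str constant in the bytecode, recursively.
    The masked key is sitting right there in co_consts."""
    return _walk_constants(marshal.loads(pyc_body))


def attacker_recovers_token(pyc_body, cached):
    """Dynamic pass: do not bother undoing the obfuscation. Load the bytecode,
    call the client's own key routine, and undo the XOR with the result.
    Whatever the code must compute to work, exec (or a debugger) captures."""
    ns = {}
    exec(marshal.loads(pyc_body), ns)
    key = ns["_k"]()
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(cached))


# ---- 2. no secret in the code: key derived from the user's passphrase -------
def _kdf(passphrase, salt):
    # PBKDF2-HMAC-SHA256 -> 64 bytes: first 32 encrypt, last 32 authenticate
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, 64)


def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode; stdlib-only stand-in for a real AEAD
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal_token(passphrase, token):
    """Encrypt-then-MAC. Layout: salt(16) | nonce(16) | ciphertext | tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    keys = _kdf(passphrase, salt)
    ct = bytes(t ^ k for t, k in zip(token, _keystream(keys[:32], nonce, len(token))))
    tag = hmac.new(keys[32:], salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_token(passphrase, blob):
    """Return the token, or None if the passphrase is wrong or the blob was
    tampered with. Nothing in this file helps an attacker who lacks the passphrase."""
    if len(blob) < 64:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    keys = _kdf(passphrase, salt)
    expected = hmac.new(keys[32:], salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(keys[:32], nonce, len(ct))))


if __name__ == "__main__":
    token = b"sl.EXAMPLE-TOKEN-0123456789"   # constructed token
    cached = run_client(SHIPPED_PYC_BODY, token)
    print("masked key found statically:", _OBF in static_constants(SHIPPED_PYC_BODY))
    print("attacker recovers:", attacker_recovers_token(SHIPPED_PYC_BODY, cached))
    blob = seal_token("correct horse battery staple", token)
    print("user opens:", open_token("correct horse battery staple", blob))
    print("attacker without passphrase:", open_token("guess", blob))
```

The second half does not make the "remember me" tension go away: the user still
has to supply the passphrase (or the OS keychain has to hold the derived key for
them) before the token can be used. What it does change is who pays when the
code is read: with the hidden-key design, every install is compromised the moment
one copy of the bytecode is analysed; with the user-held key, an attacker who
reads the code gains nothing, and a leaked cache file exposes that one user's
token only if that user's passphrase is also weak.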