[Chugalug] Dropbox (and other Python Apps) Reverse-Engineered

Dave Brockman dave at brockmans.com
Wed Aug 28 21:40:45 UTC 2013



On 8/28/2013 2:47 PM, Benjamin Stewart wrote:
> I agree. In fact, that's my strategy.
> 
> The problem I've run into in the past, however, is essentially the
> same as Dropbox's biggest problem above. That is, being able to do
> something automatically for the user without making them enter a
> password every single time. As soon as you cache a password (or
> token), you have a secret. You can't encrypt it securely, either,
> because the code must necessarily have the key at that point, and
> your attacker can see the code and the key.
> 
> I suppose the proper answer is simply never to do that, but people 
> (users, not me!) want programs to remember them.

At some point you have to make a decision.  Convenience or Security.
You can't have both; I offer the past three decades of computing
history as my proof.

Regards,

dtb

