Researchers Reverse-Engineer Dropbox, Cracking Heavily Obfuscated Python App
rjmarvin writes "Two developers were able to successfully reverse-engineer Dropbox to intercept SSL traffic, bypass two-factor authentication and create open-source clients. They presented their paper, 'Looking inside the (Drop) box' (PDF) at USENIX 2013, explaining step-by-step how they were able to succeed where others failed in reverse-engineering a heavily obfuscated application written in Python. They also claimed the generic techniques they used could be applied to reverse-engineer other Frozen python applications: OpenStack, NASA, and a host of Google apps, just to name a few..."
Well, there goes Eve Online (Score:3, Interesting)
Good thing I stopped playing the game.
It's hosed now.
Re:Well, there goes Eve Online (Score:5, Informative)
EVE doesn't use IronPython. It uses Stackless Python. And yes, it is possible to decompile the code, and it has been done in the past.
http://evesupernerf.blogspot.co.uk/2012/05/decompiling-eve-client.html [blogspot.co.uk]
https://github.com/wibiti/evedec/blob/master/evedec.py [github.com]
Re:Well, there goes Eve Online (Score:5, Funny)
And yes, it is possible to decompile the code, and it has been done in the past.
Awesome. With any luck they'll get an alternative client working. Shouldn't be too hard to set it up as a plugin to Microsoft Excel.
Re:Well, there goes Eve Online (Score:5, Funny)
Awesome. With any luck they'll get an alternative client working. Shouldn't be too hard to set it up as a plugin to Microsoft Excel.
You've already got a flight simulator, what more do you want??
Re:Well, there goes Eve Online (Score:5, Funny)
A spreadsheet simulat.... wait...
Re: (Score:2)
Re: (Score:2)
Oops. Got mixed up.
Re: (Score:2)
Yup. It's been possible to decompile the code for ages.
Reinjecting it easily and without high risk of detection has been difficult since around the end of the first year of the game.
And yes: Back in the early days, I was starting to get bored with the game, and wrote what I believe was one of the first hacked autopilots. I didn't distribute it though so it wasn't well known. This was before warp-to-zero, so SuperPilot would actually go through all bookmarks in the system to attempt to find one that woul
Re:Well, there goes Eve Online (Score:5, Insightful)
In addition, it uses Stackless Python on the _server_, not the client. Not affected by this thing at all, just some people that think word-associations make insights. Hint: They do not.
Obfuscated python code? (Score:5, Insightful)
You have no right to feel secure if you only think you're secure assuming no one else examines your source code.
http://en.wikipedia.org/wiki/Kerckhoffs%27s_principle
Re:Obfuscated python code? (Score:4, Insightful)
Re:Obfuscated python code? (Score:5, Insightful)
Actually, it's not dependent on whether the code is open or not. It's dependent on the design. If the design requires secret bits to stay hidden in the client, then open sourcing it would make it even more trivial to break, but with such designs, it would not matter whether it was open source or not. The huge library of cracked software out there speaks volumes to this.
Re:Obfuscated python code? (Score:5, Informative)
http://archive.hack.lu/2012/Dropbox%20security.pptx
"A critical analysis of Dropbox software security", Florian LEDOUX
Re:Obfuscated python code? (Score:5, Interesting)
Sounds remarkably like security through obscurity to me. With the predictable outcome.
You have no right to feel secure if you only think you're secure assuming no one else examines your source code.
To what level do you take the paranoia, though?
As early as 1984 (hah!) it has been known that a compiler could be developed in such a way as to produce binaries containing a back door:
http://c2.com/cgi/wiki?TheKenThompsonHack [c2.com]
The next level is CPU microcode. Where does it end? One day we can fab our own CPUs from Open Source designs ... but will that be enough?
Peace,
Andy.
Re: (Score:2)
How do you know the machine building your CPU will not inject a backdoor in it?
NANDputer (Score:2)
How do you know the machine building your CPU will not inject a backdoor in it?
Because Kevin Horton's NANDputer was built by hand out of a pile of 74HC00 (quad 2-input NAND gate) ICs on a breadboard [hackaday.com]. There isn't enough room in any single 7400 to insert a backdoor.
Re:NANDputer (Score:5, Funny)
How do you know the machine building your CPU will not inject a backdoor in it?
Because Kevin Horton's NANDputer was built by hand out of a pile of 74HC00 (quad 2-input NAND gate) ICs on a breadboard [hackaday.com]. There isn't enough room in any single 7400 to insert a backdoor.
Hell, a breadboard full of 7400's is big enough to put in a real back door, complete with hinges.
Re: (Score:3)
Because Kevin Horton's NANDputer was built by hand out of a pile of 74HC00 (quad 2-input NAND gate) ICs on a breadboard [hackaday.com]. There isn't enough room in any single 7400 to insert a backdoor.
Are you sure? Did he ever leave the room while he was building it?
Trusting trust is busted (Score:4, Informative)
Re: (Score:2)
What a terrible name for this. Ken's title for his presentation was far more elegant and descriptive, "On Trusting Trust".
Ken's Hack was only a simple demonstration of this.
Re:Obfuscated python code? (Score:5, Insightful)
A lot of the commentators in this article are mentioning "security through obscurity" as if the fact it doesn't work long-term should be some revelation to the Dropbox team, or that Dropbox has somehow dropped the ball through using this method. It's an unfair stance to take, considering that outside of hardware based platforms like TPM, *ALL* client-side software security is at best security through obscurity.
The only news here is that Dropbox is the latest fairly major player to have their client reverse-engineered. Obfuscation is merely a means of delaying the inevitable, and for all we know it has done its job wonderfully. Plenty of other people may have tried to reverse-engineer the code before but gave up because of the complexity of the obfuscation. The fact that an 'adversary' has dedicated sufficient time and commitment to the effort is news to be sure, but the news shouldn't be turned into "Dropbox did a bad". Anyone with any reasonable experience in IT (which I'd hope most readers here have) should know by now that there are no means to secure software on a computer which someone has control of.
Re:Obfuscated python code? (Score:5, Insightful)
You're missing the point, which is that Dropbox did bad by obfuscating the code, because they should have made it Open Source right from the start and focused on selling their server-side hosting services. Keeping client code proprietary when it involves security and encryption of possibly confidential data is virtually always bad practise (outside the realm of embedded military applications using tamper-proof chips, perhaps).
Re: (Score:3)
You're missing the point, which is that Dropbox did bad by obfuscating the code, because they should have made it Open Source right from the start and focused on selling their server-side hosting services. Keeping client code proprietary when it involves security and encryption of possibly confidential data is virtually always bad practise (outside the realm of embedded military applications using tamper-proof chips, perhaps).
"Always" is a strong word to use and speaks more of ideology than of reality.
Re: (Score:3)
"Always" is a strong word to use and speaks more of ideology than of reality.
It's always bad security practice, but it's fine practice if all you want to do is get money and don't care about people's security. Presumably they've indemnified themselves for anything that might happen to your data in the ToS, so they don't have to care.
Re:Obfuscated python code? (Score:5, Insightful)
"Always" is a strong word to use and speaks more of ideology than of reality.
Not always.
Re: (Score:2)
When the options are "only your hired staff reviews the security features" and "your staff plus outside researchers review the security features", the latter is always better. And releasing the source code is the easiest way to facilitate useful outside review.
Re:Obfuscated python code? (Score:4, Insightful)
Re:Obfuscated python code? (Score:5, Insightful)
You're missing the point, which is that Dropbox did bad by obfuscating the code, because they should have made it Open Source right from the start and focused on selling their server-side hosting services.
Wrong.
Sure, that's easy to say in hindsight, now that they have built an extremely well established business out of it and are the premiere brand in the space. If they had open sourced it right from the start then they would have all the client and client-server development costs on their plate, meanwhile Joe Shmoe could have come along and copied it, pointed it at his own servers, and took a substantial chunk of the business opportunity with much less investment overhead.
In business you have to find a compromise between your ideals and reality. "Your ideals" perhaps not being the same as their ideals, either.
Re: (Score:3)
How do you propose to write it? You need a stable API (private if you don't want anyone using it) and an application that runs on your customers' machines. Please tell me how you can secure the use of your private API more than by obfuscating the client code. I can tell you the answer: it isn't possible unless you start using TPMs and only run on hardware and OSs that force the usage of it, and that can be hacked too.
There are only two outcomes of this:
1- Dropbox learns that it is good to have an open API, and ge
Stop calling this "security through obscurity" (Score:2)
It's "Unmaintainability Through Obscurity." There never was any (even falsely-justified) security component to it. Nobody is going to say this has somehow made Dropbox less safe.
Wow, amazing. (Score:5, Funny)
They also claimed the generic techniques they used could be applied to reverse-engineer other Frozen python applications: OpenStack...
Wow, they can reverse engineer OpenStack? That's amazing - what do they use, an obscure set of commands called "wget", "git", and "tar"?
Re: (Score:2, Informative)
Andrew Tridgell was accused of "hacking" BitKeeper because he telnetted in and typed "HELP".
Trying to obfuscate python was never going to work (Score:5, Funny)
They should have written it in perl.
Re: (Score:2, Funny)
They should have written it in perl.
They would have missed the fun of seeing how obfuscation made the code harder to read.
Re:Trying to obfuscate python was never going to w (Score:5, Funny)
Waste of resources (Score:5, Insightful)
Why do so many developers waste time on obfuscation and other ways of hiding the source in scripting languages?
Using utilities like IonCube to 'protect' PHP-code will never stop the dedicated people from reverse engineering the application or re-engineering it. I've seen that countless times. It is security-through-obscurity at best and it will prevent people from both fixing bugs and re-submitting the fixed code to the developers, and finding security issues from simple code reviewing.
If developers of competing applications need to steal code they're really crappy developers and whatever makes their application unique will be equally crappy and thus not a threat.
Re:Waste of resources (Score:5, Interesting)
Using utilities like IonCube to 'protect' PHP-code will never stop the dedicated people from reverse engineering the application or re-engineering it.
No, but it will stop support calls from clients that are the result of messing with the code.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
Re:Waste of resources (Score:5, Funny)
To lock the crazy people inside.
Re:Waste of resources (Score:5, Insightful)
Bad analogy.
Code obfuscation is more akin to locking your door, and then hiding the key behind the pot plant.
Re: (Score:2)
Actually, it's more like not locking it at all, and putting a big potplant in front of the door to hide it...
Re:Waste of resources (Score:4, Interesting)
Why do you paint bricks and fake keyholes on your door when you leave the house?
There, fixed that for you. Obfuscation is more like dazzle painting [wikipedia.org]. It works somewhat, but don't expect it to work well.
Re: (Score:2)
Why do so many developers waste time on obfuscation and other ways of hiding the source in scripting languages?
Using utilities like IonCube to 'protect' PHP-code will never stop the dedicated people from reverse engineering the application or re-engineering it. I've seen that countless times. It is security-through-obscurity at best and it will prevent people from both fixing bugs and re-submitting the fixed code to the developers, and finding security issues from simple code reviewing.
If developers of competing applications need to steal code they're really crappy developers and whatever makes their application unique will be equally crappy and thus not a threat.
Which brings us to the next point: If obfuscation is worthless and someone will steal your code whatever you do, just release it with an open source license in the first place.
My guess is that the short amount of time between the release and the cracking is where the management expects to make profit, and even more profit than if it was FLOSS in the first place. This highlights greatly the short-term objectives of today's business.
Re: (Score:2, Insightful)
"Short" amount of time? Dropbox has been around for years, during which they've established themselves as the top brand in this space, even ahead of companies like Google or Microsoft.
Only in autistic/retard world is "In 5 years someone might get around to reversing this" the same as "a waste of time".
Re: (Score:3)
I doubt "secure" in anyone's sense in their getting brand recognition. The "free space referral" pyramid scheme that they had going on for a few years probably had more to do with it.
Re: (Score:2)
and someone will steal your code whatever you do
I doubt anyone will steal anyone's code.
Re:Waste of resources (Score:5, Informative)
Interoperability (Score:2)
Re: (Score:2)
Obfuscation also helps with code size, which is especially important for code that is downloaded, like Javascript and CSS, since one of the first things that obfuscators do is change all the symbols in your program to short names (duplicating where possible), starting from a, working up to z then aa...az etc.
Re: (Score:3)
Why do so many developers waste time on obfuscation and other ways of hiding the source in scripting languages?
Because the boss tells us to.
This is spoken as someone who has been asked to obfuscate javascript. I spent a few minutes trying to explain why this was an utter waste of time and such but the problem is that the boss knows a bit of JS code so looked at it and could understand it. He then googled "javascript obfuscation" and found a product that made the code so he could no longer understand it. The fact that I said I could still understand it he just blamed on me having created it.
The problem was that this
Re: (Score:2)
I have long since given up trying to explain why trying to hide what is ostensibly an open technology does is a complete waste of time.
It's not necessarily complete waste. All scrambled JavaScript code can be returned into an understandable form, that's for sure. But by obfuscating the code, you're always adding some extra puzzle to those who want to steal your code. And if they come across someone else's code which isn't scrambled, they might decide it's easier to grab than yours and leave you alone. So by obfuscating, you assure that at least you're not the easiest target out there.
Re: (Score:2)
It's not necessarily complete waste. All scrambled JavaScript code can be returned into an understandable form, that's for sure. But by obfuscating the code, you're always adding some extra puzzle to those who want to steal your code.
Steal your code? Will they be deleting it from your servers?
The right way to handle this situation is to not do a bunch of client-side js yourself. And why would you?
Re: (Score:2)
It's not necessarily complete waste. All scrambled JavaScript code can be returned into an understandable form, that's for sure. But by obfuscating the code, you're always adding some extra puzzle to those who want to steal your code.
Steal your code? Will they be deleting it from your servers?
The right way to handle this situation is to not do a bunch of client-side js yourself. And why would you?
In my case it was because I had to produce something that was scorm 1.2 compatible (http://en.wikipedia.org/wiki/Sharable_Content_Object_Reference_Model). That meant I had to use javascript as to produce a scorm compatible course there has to be no server side code (Only flash or JS). I should have used flash but that would have meant me spending 6 months learning actionscript before having anything to show for it.
Insecure by design (Score:5, Insightful)
DropBox allows you to "log in" to its website via click in the application -> no credentials required. Therefore it must either store user credentials or some other secret(s) on client side (host_id and host_int in this case).
Any process running under privileges accessible to you can be cracked (albeit sand-boxing, in which case you need system privileges) and it can't hide data from end-user / other processes in same privilege space (albeit sand-boxing....).
They can make it more difficult though (extracting Bluray key from windows media player will take anyone at least a few days)
More and more big companies think they can hide data on client side and be secure. Dropbox, Windows Live (LiveConnect) and numerous others are now relying on fast exchange of nonces in addition to client-side secret storing to make it secure "enough".. But breaking the nonce handshake and authenticating in programmatic fashion will add maybe 10% more cracking/programming effort on top of the regular cracking effort.
TLDR: If it is insecure by design, it is insecure and no amount of obfuscation will help you....
Re: (Score:3)
Newsflash: encryption declared to be pointless on slashdot!
More seriously, if you're (not the poster above) storing unencrypted data on dropbox, joke's on you...
Re: (Score:2, Interesting)
Is that a typo or a new word in programming?
1. nonce. (UK) Slang for paedophile or sex offender
Re:Insecure by design (Score:5, Informative)
http://en.wikipedia.org/wiki/Cryptographic_nonce
It is a crypto term.
Re: (Score:2)
Re: (Score:2)
DropBox allows you to "log in" to its website via click in the application -> no credentials required. Therefore it must either store user credentials or some other secret(s) on client side (host_id and host_int in this case).
This could in principle be secure, e.g. if the app requests a new session ID, and launches the web browser with that session ID in a GET parameter. No secret needs to be stored, you just need to be logged in with the app already.
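The two posts above disagree on whether "click in the app to log in to the website" forces a long-lived secret onto the client. The following is an added example (written for this page, not code from Dropbox or from any of the posters) modelling the design the reply proposes: the server mints a short-lived, single-use web-login token for an already-authenticated app session, so nothing derivable into a web login sits on disk and a captured token cannot be replayed. All class and function names are hypothetical.

```python
"""Model of one-time web-login tokens issued to an authenticated desktop app.

Constructed example: the server keeps device sessions (what the app holds)
separate from web-login tokens (what the browser redeems). A token is bound
to the user of the issuing device session, expires quickly, and is consumed
on first use, so it cannot be copied out of a process and reused later.
"""
import secrets
import time

TOKEN_TTL_SECONDS = 60  # hypothetical lifetime for a web-login token


class AuthServer:
    """Toy server side; `now` is injectable so expiry can be tested offline."""

    def __init__(self, now=time.time):
        self._now = now
        self._device_sessions = {}   # device session id -> user name
        self._login_tokens = {}      # token -> (user name, expiry timestamp)

    def register_device(self, user, password_ok):
        """Run once after the user authenticates in the app.

        The returned session id is what the app keeps locally. It only
        authorises API calls; on its own it is not a browser login.
        """
        if not password_ok:
            return None
        session_id = secrets.token_urlsafe(32)
        self._device_sessions[session_id] = user
        return session_id

    def issue_web_login_token(self, device_session_id):
        """App asks for a fresh token; the server binds it to the session's user."""
        user = self._device_sessions.get(device_session_id)
        if user is None:
            return None  # unknown or revoked device session
        token = secrets.token_urlsafe(32)
        self._login_tokens[token] = (user, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem_web_login_token(self, token):
        """Browser presents the token in the login URL; valid exactly once."""
        entry = self._login_tokens.pop(token, None)  # pop, not get: single use
        if entry is None:
            return None  # never issued, or already consumed
        user, expires_at = entry
        if self._now() > expires_at:
            return None  # issued but stale
        return user

    def revoke_device(self, device_session_id):
        """Unlinking a device stops it from minting any further web logins."""
        self._device_sessions.pop(device_session_id, None)


def demo(clock_start=1000.0):
    """Exercise the flow and report which checks held; used by the tests."""
    clock = [clock_start]
    server = AuthServer(now=lambda: clock[0])
    sid = server.register_device("alice", password_ok=True)
    token = server.issue_web_login_token(sid)
    results = {
        "first_use": server.redeem_web_login_token(token),   # "alice"
        "replay": server.redeem_web_login_token(token),      # None
        "bogus_session": server.issue_web_login_token("not-a-session"),  # None
    }
    stale = server.issue_web_login_token(sid)
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["expired"] = server.redeem_web_login_token(stale)  # None
    server.revoke_device(sid)
    results["after_revoke"] = server.issue_web_login_token(sid)  # None
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome!r}")
```

The device session id is still a client-side secret, which is the first poster's point; what changes is that losing it does not hand over a reusable browser login, and revoking the device closes the path.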
More relevant links (Score:2)
Presentation slides (view online or download PDF), and links to the paper (PDF) and "dedrop" source code (GitHub):
http://www.openwall.com/presentations/WOOT13-Security-Analysis-of-Dropbox/ [openwall.com]
USENIX WOOT '13 web page dedicated to this talk, including video and audio (view/listen online or download the video .mp4 via a direct link from there):
https://www.usenix.org/looking-inside-drop-box [usenix.org]
(Somehow the Slashdot story only links to a third-party article and to the paper PDF, but not to any of the authors' and the c
Was it worth it? (Score:2)
What happens when Dropbox changes how everything works. How long before it is reverse engineered again. That's why I wouldn't want to depend on this kind of hack for anything.
Developer prowess (Score:2)
Probably they were just told to by management (Score:2)
Management: Make sure people don't steal our stuff! ...yeah, sure.
Developers: Okay, uhhh . . . it's obfuscated now, is that good?
Management: Don't give me any of your technical mumbo-jumbo, is our IP secure? We can't monetize it without keeping our secret sauce.
Developers:
Management: Good enough for me! I'm going on a business lunch,
Re: (Score:2)
"OK I'll use the META tag IMPOSSIBLE=true."
Skype Client Next Please? (Score:2)
There are already a lot of dropbox alternatives that have open source clients and even ones that do encryption. But there isn't a good Skype alternative I've seen that lets me participate in Skype group chats. I don't even care about video/audio chat. Can someone reverse engineer the Skype client next?
ecryptfs+Dropbox is a nice solution (Score:5, Informative)
chinook: ~orp df
Filesystem 1K-blocks Used Available Use% Mounted on
/home/orp/Dropbox/e 491451392 129077764 361240528 27%
chinook: ~orp ls Dropbox/e
./
../
ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkw6-7kc4NR3-58yIKIxSsrgk--
ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkw9VkRKmwOO95LV0W1qwwNHk--/
ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkwKsqUWInaV2aVwzvhw6CcW---
ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkwOggoYf2PUQpQQmgJLHwIaU--/
ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkwQEdvushvgMYZ2uRpeRJ9EU--
[etc]
This works with the same partition mounted across multiple machines. Save a file to
The main disadvantage to this approach is that if you are trying to access files on a non-linux machine you are hosed; Lastpass and other password managers that have file encryption functionality can give you cross-platform encryption but not with the nice filesystem access that Dropbox provides.
Re:Python? Really? (Score:5, Informative)
even then, all it takes is someone versed in the assembly language of the platform your application runs on, a copy of IDA pro or something similar, and a few hours of his time. I know this is a bit of a lost art in today's world of python and javascript, but it's still valid.
Re: (Score:2, Interesting)
Python and javascript are syntactically much more difficult to master than assembly language.
Plus, there are way more privitives to learn...
Re: (Score:3)
Privitives -> primitives
Re: (Score:2, Insightful)
Python and javascript are syntactically much more difficult to master than assembly language.
That's why there are so many assembly masters as compared to script kiddies, err, Python and JS "masters"? Or were you meaning to be funny? The mods certainly were clueless. (Interesting, really?)
Re:Python? Really? (Score:5, Insightful)
If there's one thing I can't stand, it's language elitism. Look, the language you choose to write your application in is completely irrelevant. Programming languages are tools to help you solve problems and, unless you're a compiler writer or theoretician, aren't really all that interesting in and of themselves. If you think you're a better programmer than someone because of the language you've chosen rather than the types of problems you're able to solve and the quality of your solutions, then you've completely missed the point.
Re: (Score:2)
Bad choice in metaphors really. Assembly would be more akin to making a 3D model out of clay and presenting it instead of doing it in software and printing it off on a 3D printer. You end up with the same result, one is easier to do, but one has a more human feel to the fine details of the finished product. Curves are put on the clay where only a tangled mess of excess plastic is on the printed version. In the end both do their job, one's highly more efficient with no excess, the other easy to reproduce and
Re: (Score:2)
That only works reliably for C-like code though.
Re: (Score:2)
Clever of you to post as AC.
Because no compiled (or assembled) code has ever been cracked.
Re:Python? Really? (Score:4, Informative)
However, there's an interesting twist to the pcode vs. native code dichotomy, from reverse engineering standpoint, as anyone who's well versed in the brain-mangling line noise that calls itself the IOCCC will know. One of the best obfuscations is to embed an interpreter into your code, and then do all the hard work in the bytecode.
Re:Python? Really? (Score:4, Informative)
Been there. Done that.
I believe it was EA that was doing that way back as part of their DRM for their Commodore 64 disk-based games. It would load the interpreter and a script, then execute the script [drawing its fancy startup screens, checking for various bad sectors on their disk, over-writing parts of the script and interpreter, loading the game from various parts of the disk].
Re: (Score:3)
And games that ran via an interpreter go back to at least the Infocom Z-Machine [wikipedia.org] in 1979.
Interpreted is guaranteed to be easier to reverse (Score:2)
> One of the best obfuscations is to embed an interpreter into your code, and then do all the hard work in the bytecode.
"One of the best" is kind of nebulous, but it's ALWAYS more secure against reverse engineering to distribute a compiled binary, machine code. At least on a PC, or any platform with a decent debugger. Here's why. If you do anything with an interpreter or bytecode, the attacker has at least two options. They can choose to EITHER:
A) Use a debugger to dump the generated machine code and wo
Re: (Score:2)
Re:Python? Really? (Score:4, Informative)
Use a non-compiled language, get what you deserve...
Python is compiled, if you distribute *.pyc files only.
Re: (Score:3)
not compiled, just parsed (Score:2)
A pyc is pretty much just a parse tree. It's been syntax checked, etc. but not really compiled. As docs.python.com explains, a pyc doesn't run any faster than a .py. The heading on the docs page is:
"Compiled" Python
With compiled in quotes because though some people use that word, it's not really true.
Re:Where is your god now? (Score:5, Funny)
Re:Doesn't the Dropbox EULA... (Score:5, Insightful)
Lawyers have trouble understanding that law doesn't dictate the limits of curiosity, greed, mathematics, or physics. If there is sufficient incentive, it WILL be cracked. In this case, I think they wanted to demonstrate that drop box is not secure. This should be a 'duh' experience for anyone in IT worth their salt.
Re: (Score:2)
Re:Doesn't the Dropbox EULA... (Score:5, Interesting)
Why? If you're looking for the selfish angle, maybe he/they just wanted the notoriety. However, he/they might've just wanted to do a public service. Most people trust dropbox to be secure. Of course, slashdot users should all know better than to trust the 'cloud' for anything sensitive, but a way to get this info to people who would not otherwise know this is to make a splash about a successful pen-test.
Lots of guys see it as a challenge; the digital equivalent of saying 'you can't have this.' Well, challenge accepted.
Re:Doesn't the Dropbox EULA... (Score:5, Insightful)
How is Dropbox not secure? Do you mean the client you have control of isn't secure? That's all the article is speaking of - they haven't found a way to steal your data from Dropbox unless they already have a secret from your PC.
In order to access your account, they need the secret host_id (which is generated per device and unique to that device) and host_int from your computer (although, if they already have host_id, they can get host_int from the server - so really, they only need host_id). Presuming they have access to your computer, they can use these keys to access your account (i.e., without actually having your password). If they already have access to your computer however - well, at this stage we're splitting hairs. Any software which stores your login credentials on your own computer is at best hiding an access method through obscurity.
The only way to avoid this is to require you to enter your password each time you want to sync your files. Same with Google Drive. Same with .. every piece of software that stores login credentials on the client. Calling DropBox "insecure" when you actually mean "as secure as any client-side auto-login software can be" is a misnomer.
Re: (Score:2)
Lawyers have trouble understanding that law doesn't dictate the limits of curiosity, greed, mathematics, or physics. If there is sufficient incentive, it WILL be cracked.
Non sequitur. Law also dictates that you can not steal and break into someone else's vault (limiting physics arguably). There will be sufficient incentive that people will do it nevertheless, thereby breaking the law. That does not mean it is an invalid law.
Re: (Score:2)
Like Firefox and Python (Score:2)
Any company shipping their open source code and a closed source compiler for it would invite suspicion.
Does this include Mozilla Corporation and Python Software Foundation, which ship open source code and binaries compiled using Microsoft Visual C++?
Re: (Score:3)
Wouldn't that only be applicable if:
a> these people were "End users"
b> it was enforceable in their jurisdiction
Actually, yes, but if they *aren't* it falls under the DMCA, which is much, MUCH worse...
And jurisdiction... well... http://www.youtube.com/watch?v=EOJNs5YPR4g [youtube.com]
Re: (Score:2)
DMCA will need to be changed, for it to ever be able to prohibit cracking things like dropbox. Dropbox is too-general purpose for you to ever be able to guarantee in advance, that the copyright holder (the person whose authorization matters) will join a block in denying permission to the public. If I hold the copyright on a file, and a dropbox user uses dropbox to apply a technological measure that limits access to that file, I can give myself (and everyone else) permission to bypass that technological me
Re: (Score:2)
The link in TFA says that Przemyslaw Wegrzyn is from Poland. No idea about Dhiru Kholia but that's not a typical name for the US.
Re: (Score:2)
Minecraft is written in java.
NASA has a website (Score:2)
and NASA is apparently an app, not an aerospace agency
NASA is an aerospace agency, but it's also the website of the aerospace agency [nasa.gov]. That and the Toki Pona word for crazy or foolish.
Re: (Score:2)
Just because someone reverse-engineered the dropbox client doesn't mean that dropbox is insecure. (Well, maybe their 2FA is bypassable.)
Re: (Score:2)
"These things go well beyond python -- that python client could have been in the clear/open-source from the beginning but you shouldn't be able to bypass 2FA and get in un-authenticated."
That's right. And remember kids, when you see people pushing closed binaries and won't provide source - this is exactly the kind of basic fsck up they are almost certainly trying to hide.
If you write a secure system, you don't need to worry about people seeing the source. You want them to see the source. You want them to appr