Researchers Reverse-Engineer Dropbox, Cracking Heavily Obfuscated Python App
rjmarvin writes "Two developers were able to successfully reverse-engineer Dropbox to intercept SSL traffic, bypass two-factor authentication and create open-source clients. They presented their paper, 'Looking inside the (Drop) box' (PDF), at USENIX 2013, explaining step-by-step how they were able to succeed where others failed in reverse-engineering a heavily obfuscated application written in Python. They also claimed the generic techniques they used could be applied to reverse-engineer other frozen Python applications: OpenStack, NASA, and a host of Google apps, just to name a few..."
Well, there goes Eve Online (Score:3, Interesting)
Good thing I stopped playing the game.
It's hosed now.
Re:Doesn't the Dropbox EULA... (Score:5, Interesting)
Why? If you're looking for the selfish angle, maybe he/they just wanted the notoriety. However, he/they might've just wanted to do a public service. Most people trust Dropbox to be secure. Of course, Slashdot users should all know better than to trust the 'cloud' for anything sensitive, but a way to get this info to people who would not otherwise know this is to make a splash about a successful pen-test.
Lots of guys see it as a challenge; the digital equivalent of saying 'you can't have this.' Well, challenge accepted.
Re:Waste of resources (Score:5, Interesting)
Using utilities like IonCube to 'protect' PHP-code will never stop the dedicated people from reverse engineering the application or re-engineering it.
No, but it will stop support calls from clients that are the result of messing with the code.
Re:Obfuscated python code? (Score:5, Interesting)
Sounds remarkably like security through obscurity to me. With the predictable outcome.
You have no right to feel secure if you only think you're secure assuming no one else examines your source code.
To what level do you take the paranoia, though?
As early as 1984 (hah!) it has been known that a compiler could be developed in such a way as to produce binaries containing a back door:
http://c2.com/cgi/wiki?TheKenThompsonHack [c2.com]
The next level is CPU microcode. Where does it end? One day we can fab our own CPUs from Open Source designs ... but will that be enough?
Peace,
Andy.
Re:Insecure by design (Score:2, Interesting)
Is that a typo or a new word in programming?
1. nonce. (UK) Slang for paedophile or sex offender
Re:Waste of resources (Score:4, Interesting)
Why do you paint bricks and fake keyholes on your door when you leave the house?
There, fixed that for you. Obfuscation is more like dazzle painting [wikipedia.org]. It works somewhat, but don't expect it to work well.
Re:Python? Really? (Score:2, Interesting)
Python and JavaScript are syntactically much more difficult to master than assembly language.
Plus, there are way more primitives to learn...