Researchers Reverse-Engineer Dropbox, Cracking Heavily Obfuscated Python App

rjmarvin writes "Two developers were able to successfully reverse-engineer Dropbox to intercept SSL traffic, bypass two-factor authentication and create open-source clients. They presented their paper, 'Looking inside the (Drop) box' (PDF) at USENIX 2013, explaining step-by-step how they were able to succeed where others failed in reverse-engineering a heavily obfuscated application written in Python. They also claimed the generic techniques they used could be applied to reverse-engineer other Frozen python applications: OpenStack, NASA, and a host of Google apps, just to name a few..."

Where is your god now?

/popcorn

Re:Where is your god now?

Sitting on a computer... /cornpop

Re:Where is your god now?

Better delete your dropbox-hosted /copporn

Re:Where is your god now?

So why hasn't the US Government issued arrest warrants for these terrorists? Other people bringing security flaws to the attention of the service/product provider often get arrested and some even commit suicide under a mountain of charges. Oh, these two are "researchers"; I understand now. [ cough, cough ]

Re:Where is your god now?

Why? Not like it's /cpporno

Re:Where is your god now?

[interkin3tic]

Dirty, dirty doughnuts, and men in uniforms who love them.

Python? Really?

Use a non-compiled language, get what you deserve...

Re:Python? Really?

[epyT-R]

even then, all it takes is someone versed in the assembly language of the platform your application runs on, a copy of IDA pro or something similar, and a few hours of his time. I know this is a bit of a lost art in today's world of python and javascript, but it's still valid.

Re:Python? Really?

[aliquis]

Clever of you to post as AC.

Because no compiled (or assembled) code has ever been cracked.

Re:Python? Really?

[ThatAblaze]

Rediculous!

Re:Python? Really?

[You're+All+Wrong]

I hope your sarcasm is understood, it's a dangerous technique to use on the internet.

However, there's an interesting twist to the pcode vs. native code dichotomy, from reverse engineering standpoint, as anyone who's well versed in the brain-mangling line noise that calls itself the IOCCC will know. One of the best obfuscations is to embed an interpreter into your code, and then do all the hard work in the bytecode.

Re:Python? Really?

[You're+All+Wrong]

Fuck, that woooosh just blew my wig off!

Re:Python? Really?

Is it that hard to spell "ridiculous" correctly?

Re:Python? Really?

[davester666]

Been there. Done that.

I believe it was EA that was doing that way back as part of their DRM for their Commodore 64 disk-based games. It would load the interpreter and a script, then execute the script [drawing it's fancy startup screens, checking for various bad sectors on their disk, over-writing parts of the script and interpreter, loading the game from various parts of the disk].

Re:Python? Really?

[ciderbrew]

Is it that hard to understand what dixlecia is?

Re:Python? Really?

[buchner.johannes]

Use a non-compiled language, get what you deserve...

Python is compiled, if you distribute *.pyc files only.

Re:Python? Really?

[StripedCow]

Python and javascript are syntactically much more difficult to master than assembly language.
Plus, there are way more privitives to learn...

Re:Python? Really?

[StripedCow]

Privitives -> primitives

Re:Python? Really?

WTF is dixlecia? Use a spelling checker, fucktard.

Re:Python? Really?

[HetMes]

Assembly is art in programming like chiseling in stone is in writing books.

Re:Python? Really?

Is dixlecia when you have a hard time talking because you have two dicks in your mouth?

Re:Python? Really?

[loufoque]

That only works reliably for C-like code though.

Re:Python? Really?

[Gr8Apes]

Python and javascript are syntactically much more difficult to master than assembly language.

That's why there are so many assembly masters as compared to script kiddies, err, Python and JS "masters"? Or were you meaning to be funny? The mods certainly were clueless. (Interesting, really?)

Re:Python? Really?

... and when you ripped the DRM, added trainers, fixed some bugs, and compressed the executable the pirated copy was better than the original.

(Some days I really miss the C64 days of my life.)

Re:Python? Really?

You can learn my privitives any time you want baby.

Re:Python? Really?

[greg1104]

And games that ran via an interpreter go back to at least the Infocom Z-Machine in 1979.

Re:Python? Really?

If there's one thing I can't stand, it's language elitism. Look, the language you choose to write your application in is completely irrelevant. Programming languages are tools to help you solve problems and, unless you're a compiler writer or theoretician, aren't really all that interesting in and of themselves. If you think you're a better programmer than someone because of the language you've chosen rather than the types of problems you're able to solve and the quality of your solutions, then you've completely missed the point.

Re:Python? Really?

Programming is really two task:
- learn the syntax
- learn what to do with the syntax

Assembly as almost no sintaxy. is a long spaguetti of code with branching.
Python can have some complex syntax, with objects and lot of other fun things.

The part that is hard in assembler, is how to turn the ability to manage binary data into a program. While Python comes with batteries included, ... something you need, maybe is already part of the library, so you just use it.

Re:Python? Really?

[Jorl17]

In fact, if you RTFA, you see that's what Dropbox does.

Re:Python? Really?

Ahhh yes.

This was common on the c-64. I remember being able to generate the neccesary error by opening the drive at the time the game was looking for the bad sectors. You could hear the drive seeking when it was attempting this seek.

You could also manually add the bad sectors with a disk editor.

GOOD TIMES!

Re:Python? Really?

writing assembly is very simple. reading compiler optimized output is hard. reading hand tuned assembly is either simple or near impossible, depending on the author's intent.

did you take a cs course that made you write a program in asm, and think that makes you an expert? go find a crackme from 2002 and figure out what It's doing. we will wait.

also, Firefox mobile seems to suck balls, so I'm not sure if you are only part of my irritation, if if you are a 100% ignorant pissant. I can't even fix the double if above, ergo you are wrong.

Re:Python? Really?

[prelelat]

Bad choice in metaphors really. Assembly would be more akin to making a 3D model out of clay and presenting it instead of doing it in software and printing it off on a 3D printer. You end up with the same result, one is easier to do, but one has a more human feel to the fine details of the finished product. Curves are put on the clay were only a tangle mess of excess plastic is on the printed version. In the end both do their job, ones highly more efficient with no excess the other easy to reproduce and build tangents off of.

Re:Python? Really?

[Arker]

I really think what gets classified as "language elitism" tends to average out about 50-50. As you say, the languages are tools to get things done and choosing the right tool for the job is important, and there is a legitimate place for most if not all languages. It's a sad fact that a lot of humans derive some enjoyment to badmouthing anything they personally do not like or use, and I see some of that.

Still, I think there is also a significant difference between programming something from the ground up using appropriate language(s) and simply stringing together a bunch of library calls using some sort of ultra-high level script as glue, and if you tell me which language you prefer I can probably make a reasonably good guess as to which side of that divide you lean towards.

Re:Python? Really?

[pspahn]

Kind of like the mechanic that gets stuck in the middle of an argument between a Ford guy and a Mopar guy.

"Oh but Mopar does that all wrong! It should be done the way Ford does it!"

"Yeah but Ford insists on doing this other bit all backwards... Mopar is where it's at!"

...and then you have the mechanic...

"Eh... I get paid to fix cars. What the hell do I care which brand name is on the back?"

And yes, there is a difference between building a solution from ground-up and using an existing framework to build a solution on. The difference is that the ground-up solution will take longer and be more expensive (though, will have better obscurity). The choice is made based on a business decision... how long do we have until we need to monetize this?

So, in the end, you have programmer A telling programmer B that he sucks at programming because a (possibly poor) business decision was made by programmer A's boss. If that's where programmer A wants to hang his hat... I say go ahead and let him.

Re:Python? Really?

I would say I am not great at C (I can do the exercises). If I am writing it properly I am using the standard library properly.

If I am writing something and it is long I am usually not doing it very well.

I suppose if you are at the level where your own code is of the quality of that in the standard library then it would be different.

(I don't like having loads of dependencies i.e like gnome but one or two is ok and a try and find a highly optimised library that does a large proportion of what I want. I use libpcre probably more than I should).

Re:Python? Really?

Stringing together some existing proven libraries and tools is definitely going to give you a solution much faster, and it might be good enough for a good long while too.

Even if you're building something that's truly new or has special/uncommon requirements you can choose to build most of it using existing proven pieces and only build from scratch what is really new.

This is one thing that makes permissively licensed open source so great. There's rarely a need to start from scratch on anything, you should first look around to see what others have accomplished already. It's like a rising tide that floats all the boats.

Re:Python? Really?

[steelfood]

If you think you're a better programmer than someone because of the high level language you've chosen rather than the types of problems you're able to solve and the quality of your solutions, then you've completely missed the point.

FTFY.

Your point only applies to comparisons between high level languages. And arguably, this may apply to a lesser degree between languages of different levels of abstraction.

Programming in assembly involves actually understanding what the processor is doing under the hood. Q.e.d. programmers comfortable with writing in assembly are better than solely high level programmers.

You can call it elitism when comparing a driver of a BMW and that of a Toyota, but it's not elitism to say that professional race car drivers are better than commuter drivers.

Re:Python? Really?

[Kazoo+the+Clown]

Yes, they used to use headerless Forth for that, not all that hard to hack if you were familiar with Forth.

Re:Python? Really?

[Arker]

I really think there is a lot of devil in the details that you gloss right over with that. Get a good glue-man to use good libraries and give him a job that is suited to those tools and you should expect a good product. But give him a job those tools are not suited for and you should expect crud. The language of implementation is only one variable among many. It's possible to write junk in any language.

Using a well reviewed library might allow you to avoid all kinds of easy and common mistakes. But relying on code you dont understand makes it harder to debug the result, and that just might be an understatement. It's always going to be possible to accomplish tasks with fewer cycles using hand tuned code. The counterargument is that you can usually hand tune only 10% or less of the code, after it's running, and get 90% of the benefit that way.

So ideally it seems large projects would have a life cycle starting with RAD in ObjC or Python or whatever you want, leading to a stable form which would then be relentlessly optimised into a mature and reliable product. I can remember seeing that happen occasionally in the past, but last few years programs seem to be considered obsolete before they really clear beta.

On top of that I see a disturbing trend towards low level stuff like device drivers being done in RAD languages, but that's another subject.

And yes, all too often the choices wind up being made for financial reasons by people that havent the slightest clue what the ramifications of their decisions will be.

Re:Python? Really?

Hear, hear!

Re:Python? Really?

[Gr8Apes]

Clueless.Programming is a whole lot more than merely syntax and what to do with it. That sounds like:

learn words. Words mean things. Mean you words are.

Which is my impression of script kiddies. They're at the first rung of the ladder that leads to programming.

Re:Python? Really?

[Gr8Apes]

It's not language elitism. It's a given that the knowledge base required to do something with JS or Python is significantly lower than with assembly. I wish I was an assembly master in addition to what I know, obviously it's preferred for my current hardware platforms, but even with other modern architectures it'd help me better understand how to optimize my code more than I do currently. As it is, I'm probably a "script kiddie" when it comes to assembly. A little knowledge is a dangerous thing. At least I know enough to know that and leave those sections to experts in their fields.

Re:Python? Really?

[Gr8Apes]

I'll give you a story about 2 companies. One chose language A and its eco-system. It was all proprietary and locked in. The other chose language B, and it's eco-system. This language was much more open source oriented, and by its nature, not locked to the vendor's platform. 2 very comparable systems were built (either could have fronted for the other) For sake of argument we'll say that the people were equal, possibly even of greater skill in language A (actually, my real lang A people probably were significantly better, sadly) Both companies were within an order of magnitude of customers and revenue. Profit was in company B's favor. Number of customers was in company B's favor, by a multiple. IOW, company B served more customers with smaller transactions with greater profit but lower revenue.

Now, company A required 800% more servers to serve almost an order less data to 1/10th the customers. Actually, I'm not sure about that, but I do know for a fact that the data layer was an 80 fold increase while the total number of servers at B was less than 1/20th of just the DB servers at company A, and company B had at least 100% overhead available for growth. I have no idea about the app and web layer comparisons between the two. I also know that company B had releases roughly 12 times as often as company A, and a lot less rollback / downltime. Also, the personnel comparison was 1/10th the people at B vs A in development. Neither company was small.

What you can take away from that is yes, language has a very big impact on what you can deliver and how fast you can deliver it, and the cost of maintenance and scalability do directly correlate to the technologies chosen. Even if there are smarter people overall on the poorer technological choice, they will lose on every metric except maybe the initial release, and then only by time to release.

So whatever elitism you might think I exhibit, it's merely my observations of my experiences. You see someone building a bridge out of marshmallows, you just know the end is going to be ugly.

Re:Python? Really?

[Gr8Apes]

Partially correct. You can find some nugget in open source. However, for real successful enterprises, you generally have to take that and do significant work and extensions to actually produce a worthwhile product. This can be true even of commercial code.

Re:Python? Really?

[davester666]

Yeah, normally they would have the bad tracks on the outside edge of the disk, but I know that EA mitigated against this by having data out there as well as checking a couple of times. And they also took advantage of the fact that the head could read more accurately than it could write, so they would read data from track 39, and check for an bad sector on track 39.5, which you couldn't write using the 1541 [as writing clobbered the 1/2 track on either side of the head, so you could either write the data or the bad sectors, so you had to crack the DRM instead].

Re:Python? Really?

[ciderbrew]

Unable to see the irony of spelling dyslexia incorrectly? Enjoy your Asperger.

Re:Python? Really?

[BLKMGK]

Heh and don't forget SimEarth - written in Clipper of all things. Clipper was basically compiled DbaseIV :-O Kinda' miss working in that actually, it was fun work at the time and FAR faster than the interpeted DbaseIV stuff :-) SimAnt and others may have also been done this way, I didn't dig into those too much...

Re:Python? Really?

[david_thornley]

Except that different languages are good at different things. This doesn't mean that one language is better than another, it's that one language can be better for a given purpose. I'm not a better programmer than anybody else because I like C++ and Perl. I'm a better programmer if I know what to write in C++ and what in Perl, as opposed to somebody who would just write everything in Java (or Python or Haskell or....).

You're correct in that language elitism is stupid, but not in that the differences between languages is minor or of little practical import.

Re: Python? Really?

Very well written

Re:Python? Really?

You're absolutely right, and I didn't mean to imply that the choice of language was unimportant, just uninteresting. Pick the right tool for the job and get on with actually solving the problem you set out to solve.

Re:Python? Really?

Because reverse engineering a compiled program is impossible...

BTW, Python goes compile the source.

Well, there goes Eve Online

Good thing I stopped playing the game.
It's hosed now.

Re:Well, there goes Eve Online

Wait, why?

Re:Well, there goes Eve Online

[thatkid_2002]

EVE uses IronPython which compiles down to the CIL (like other Microsoft languages, like C#) so it is not a frozen Python application. Similarly, if there was a Python implementation for LLVM it would be the same situation. AFAIK.

Re:Well, there goes Eve Online

[marcansoft]

EVE doesn't use IronPython. It uses Stackless Python. And yes, it is possible to decompile the code, and it has been done in the past.

http://evesupernerf.blogspot.co.uk/2012/05/decompiling-eve-client.html
https://github.com/wibiti/evedec/blob/master/evedec.py

Re:Well, there goes Eve Online

[MBGMorden]

And yes, it is possible to decompile the code, and it has been done in the past.

Awesome. With any luck they'll get an alternative client working. Shouldn't be too hard to set it up as a plugin to Microsoft Excel.

Re:Well, there goes Eve Online

Awesome. With any luck they'll get an alternative client working. Shouldn't be too hard to set it up as a plugin to Microsoft Excel.

You've already got a flight simulator, what more do you want??

Re:Well, there goes Eve Online

[h4nk]

ha

Re:Well, there goes Eve Online

A spreadsheet simulat.... wait...

Re:Well, there goes Eve Online

Not really, i have done code injection into EVE's client back in 2009 and disassembling all their python code from the inside is trivial. Hell they even have dis in there :P

Re:Well, there goes Eve Online

[thatkid_2002]

Oops. Got mixed up.

Re:Well, there goes Eve Online

Excel 97 included a flight simulator as an easter egg (95 had a Hall of tortured souls, and 2000 had a driving minigame).

Re:Well, there goes Eve Online

[Gr8Apes]

Which explains the extremely high quality of Excel and other MS Office products

Re:Well, there goes Eve Online

[Andy+Dodd]

Yup. It's been possible to decompile the code for ages.

Reinjecting it easily and without high risk of detection has been difficult since around the end of the first year of the game.

And yes: Back in the early days, I was starting to get bored with the game, and wrote what I believe was one of the first hacked autopilots. I didn't distribute it though so it wasn't well known. This was before warp-to-zero, so SuperPilot would actually go through all bookmarks in the system to attempt to find one that would allow it to drop within jump range of a target gate.

Once WTZ went in I didn't bother.

Re:Well, there goes Eve Online

You don't need an alternative client to tie excel into eve. It's far easier to just use the existing client's python interpreter to get at whatever you want to do. There are a ton of (usually commercial) bots available using this method. Only idiots use mouse macro automation in that game.

Re:Well, there goes Eve Online

[gweihir]

In addition, it uses Stackless Python on the _server_, not the client. Not affected by this thing at all, just some people that think word-associations make insights. Hint: They do not.

Re:Well, there goes Eve Online

[BLKMGK]

I knew a couple of guys who hacked EVE pretty badly there for awhile although thankfully they didn't spread what they had done. They wrote clients to mine and fly missions that completely got under the hood and used EVE function calls to do everything. They even got reported for botting and passed muster by CCP during a huge 'bot purge. In the end they stopped "playing" because it got boring - I had to point out to them that they weren't actually playing but simply writing clients to play and that this was what had become boring to them. They had completely pwned the client and there was no real challenge left. They no longer play, as an EVE player I'm glad for it lol

Re:Well, there goes Eve Online

look in your eve folder you will find plenty of python all over the place.

Obfuscated python code?

[You're+All+Wrong]

Sounds remarkably like security through obscurity to me. With the predictable outcome.

You have no right to feel secure if you only think you're secure assuming noone else examines your source code.
http://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

Re:Obfuscated python code?

[odie5533]

This sounds remarkably like security + obfuscation to me. The two are not necessarily mutually exclusive. If they had released it open source, one could argue that with more eyes reading the code they would be able to find and eliminate bugs or security issues. But this is not necessarily true. And they clearly did not want to release the software open source.

Re:Obfuscated python code?

[You're+All+Wrong]

Reading the paper, googling for the debug hash, lead to this from 2012 which covers a lot of the same ground:

http://archive.hack.lu/2012/Dropbox%20security.pptx
"A critical analysis of Dropbox software security", Florian LEDOUX

Re:Obfuscated python code?

[epyT-R]

Actually, it's not dependent on whether the code is open or not. It's dependent on the design. If the design requires secret bits to stay hidden in the client, then open sourcing it would make it even more trivial to break, but with such designs, it would not matter whether it was open source or not. The huge library of cracked software out there speaks volumes to this.

Re:Obfuscated python code?

[six025]

Sounds remarkably like security through obscurity to me. With the predictable outcome.

You have no right to feel secure if you only think you're secure assuming noone else examines your source code.

To what level do you take the paranoia, though?

As early as 1984 (hah!) it has been known that a compiler could be developed in such a way as to produce binaries containing a back door:

http://c2.com/cgi/wiki?TheKenThompsonHack

The next level is CPU microcode. Where does it end? One day we can fab our own CPUs from Open Source designs ... but will that be enough?

Peace,
Andy.

Re:Obfuscated python code?

Link for the copy&paste-impaired...

Re:Obfuscated python code?

[black3d]

A lot of the commentators in this article are mentioning "security through obscurity" as if the fact it doesn't work long-term should be some revelation to the Dropbox team, or that Dropbox has somehow dropped the ball through using this method. It's an unfair stance to take, considering that outside of hardware based platforms like TPM, *ALL* client-side software security is at best security through obscurity.

The only news here is that Dropbox is the latest fairly major player to have their client reverse-engineered. Obfuscation is merely a means of delaying the inevitable, and for all we know it has done it's job wonderfully. Plenty of other people may have tried to reverse-engineer the code before but gave up because of the complexity of the obfuscation. The fact that an 'adversary' has dedicated sufficient time and commitment to the effort is news to be sure, but the news shouldn't be turned into "Dropbox did a bad". Anyone with any reasonable experience in IT (which I'd hope most readers here have) should know by now that there are no means to secure software on a computer which someone has control of.

Re:Obfuscated python code?

[aaaaaaargh!]

You're missing the point, which is that Dropbox did bad by obfuscating the code, because they should have made it Open Source right from the start and focus on selling their server-side hosting services. Keeping client code proprietary when it involves security and encryption of possibly confidential data is virtually always bad practise (outside the realm of embedded military applications using tamper-proof chips, perhaps).

Re:Obfuscated python code?

[loufoque]

How do you know the machine building your CPU will not inject a backdoor in it?

Re:Obfuscated python code?

[Dcnjoe60]

You're missing the point, which is that Dropbox did bad by obfuscating the code, because they should have made it Open Source right from the start and focus on selling their server-side hosting services. Keeping client code proprietary when it involves security and encryption of possibly confidential data is virtually always bad practise (outside the realm of embedded military applications using tamper-proof chips, perhaps).

"Always" is a strong word to use and speaks more of ideology than of reality.

Re:Obfuscated python code?

[drinkypoo]

"Always" is a strong word to use and speaks more of ideology than of reality.

It's always bad security practice, but it's fine practice if all you want to do is get money and don't care about people's security. Presumably they've indemnified themselves for anything that might happen to your data in the ToS, so they don't have to care.

Re:Obfuscated python code?

Sounds remarkably like security through obscurity to me.

Really? I get the obscurity part, but what was the security angle? Do you think the removal of the obscurity has made using dropbox less safe?

Re:Obfuscated python code?

[robmv]

How do you propose to write it? you need a stable API (private if you don't want anyone using it) and an application that runs on your customers machine. Please tell me how you can secure the use of your private API more than obfuscating the client code. I can tell you the answer, It isn't possible unless you start using TPMs and only run on hardware and OSs that force the usage of it, and that can be hacked too

There are only two outcomes of this:

1- Dropbox learns that it is good to have an open API, and get people to write clients for every platform known to man
2- Dropbox start the "change API, obsfuscate again" race again the reverse engineers

Re:Obfuscated python code?

[Millennium]

"Always" is a strong word to use and speaks more of ideology than of reality.

Not always.

Re:Obfuscated python code?

The question is: why the fuck did they obfuscate it in the first place. It's a file storage client. Who cares. They provide the service on their servers, they control it, the client is irrelevant.

Re:Obfuscated python code?

How do you know the machine building your CPU will not inject a backdoor in it?

You have to start with manual data input computers made using your own transistors, and run with your own built power source. Everything inside a Faraday cage of-course.

Re:Obfuscated python code?

[stox]

What a terrible name for this. Ken's title for his presentation was far more elegant and descriptive, "On Trusting Trust".

Ken's Hack was only a simple demonstration of this.

Re:Obfuscated python code?

Hard penalties change everything. :)

Re:Obfuscated python code?

[greg1104]

When the options are "only your hired staff reviews the security features" and "your staff plus outside researchers review the security features", the latter is always better. And releasing the source code is the easiest way to facilitate useful outside review.

Re:Obfuscated python code?

If the design requires secret bits to stay hidden in the client

That could be considered a bug or a security issue, if you like.

Re:Obfuscated python code?

The problem to open sourcing dropbox is that it will force the company close. Let me explain.

Many moons ago, also on slashdot, a story was about people figuring out how the dropbox db mechanism worked, since the client sends to the server the hashes it thinks it "owns" and should download. By using a different channel (email) you could then send to anybody the hashes for the files you want to download, insert them into your client's db and launch it. Then it will happily download that file.

There was a github project which was closed because the Dropbox people asked them nicely to please stop it. Then here we had drama about evil DMCA takedown rumors and stuff. But the truth is that if you allow people to get hashes inserted in their clients you have turned dropbox into the best torrent client available on earth.

Imagine how many seconds it will take for the MPAA/RIAA to sue.

Even if the dropbox guys have *fixed* this (I doubt) having an open source client would also allow other stuff, like maybe trying hashes at random to download files from other people and such (bittorrent sync are getting flack now precisely because they are not opening their protocol, I wonder why...)

Re:Obfuscated python code?

How about "virtually always" instead...

Re:Obfuscated python code?

[Yaur]

The advantage of keeping client code closed is that you can make breaking API changes much more easily. If you have an open client and an open API you are stuck with them and you need to spend a lot more time making sure that they are correct and complete. With a client based on reverse engineering you have no right to be surprised when it suddenly breaks.

Re:Obfuscated python code?

So...it has come to this...

Re:Obfuscated python code?

[DigitAl56K]

You're missing the point, which is that Dropbox did bad by obfuscating the code, because they should have made it Open Source right from the start and focus on selling their server-side hosting services.

Wrong.

Sure, that's easy to say in hindsight, now that they have built an extremely well established business out of it and are the premiere brand in the space. If they had open sourced it right from the start then they would have all the client and client-server development costs on their plate, meanwhile Joe Shmoe could have come along and copied it, pointed it at his own servers, and took a substantial chunk of the business opportunity with much less investment overhead.

In business you have to find a compromise between your ideals and reality. "Your ideals" perhaps not being the same as their ideals, either.

Re:Obfuscated python code?

Hmm.. not being a trained electrical or computer engineer, that leads me to a serious question that maybe someone could answer. Couldn't someone build a simple processor, say a 486 or so, out of an FPGA and use that to compile a version of gcc that could be certain to not inject a back door? While the tinfoil hat says it's possible big brother has gotten into the major chip manufacturers to do something this subversive, logic tells me that an FPGA couldn't possibly. Unless the programming software itself did it, but then it would have to be smart enough to recognize what is being built to do that...

It seems likely to me that this would be a good way to guarantee a clean compiler, no? Am I misunderstanding or forgetting anything?

Re:Obfuscated python code?

Strange.. my question I posed in reply to this seems to have never posted. Trying again:

Would it be feasible to suppose that a compiler built on a CPU built from an FPGA be free of any injected back doors? A tinfoil hat might suggest the corrupted could inject such an attack into the commercial CPUs we all buy, but that doesn't seem as likely for an FPGA. If I made, say, a 486 processor out of an FPGA and compiled the gcc toolchain on that, could I feel confident in the security of my compiler?

Re:Obfuscated python code?

So that child classes can override the implementation of "always"? /confused

Re:Obfuscated python code?

"Always" is a strong word to use and always speaks more of ideology than of reality.

There, fixed it for ya.

Re:Obfuscated python code?

[Dcnjoe60]

"Always" is a strong word to use and speaks more of ideology than of reality.

Not always.

By definition, not always is not as strong as always. One might even say if always is strong then not always is not strong at all.

Re:Obfuscated python code?

Anyone with their own servers, have been able to do this for a long time. An ssh client in python with drag and drop provided by wxwidgets or similar. The real thing dropbox provides is the infrastructure on the backend.

Re:Obfuscated python code?

[david_thornley]

The Ken Thompson technique is software-only, so hand-building the CPU would have no effect on it. You need two different compilers for the same language to have confidence that one isn't backdoored.

What making your own CPU would do is allow you to ensure that there were no hardware back doors. Those are completely different animals.

Re:Obfuscated python code?

[thunderclap]

So...it has come to this...

Sadly yes, it has.

Re:Obfuscated python code?

[rdnetto]

One day we can fab our own CPUs from Open Source designs ... but will that be enough?

You can do that already with an FPGA (if you don't mind a clock frequency of ~100 MHz), but good luck finding an open source program to do synthesize the design.

Re:Obfuscated python code?

It is far easier to find and exploit bugs with only compiled code then it is to use source.

Re:Obfuscated python code?

That is why all the CPU's I use are built at home using breadboards.

Doesn't the Dropbox EULA...

...have a no-reverse-engineering clause?

Re:Doesn't the Dropbox EULA...

[epyT-R]

Lawyers have trouble understanding that law doesn't dictate the limits of curiosity, greed, mathematics, or physics. If there is sufficient incentive, it WILL be cracked. In this case, I think they wanted to demonstrate that drop box is not secure. This should be a 'duh' experience for anyone in IT worth their salt.

Re:Doesn't the Dropbox EULA...

Wouldn't that only be applicable if:

a> these people were "End users"
b> it was enforceable in their jurisdiction

Re:Doesn't the Dropbox EULA...

[phantomfive]

To me, the fascinating thing is that someone wanted to do that.

Re:Doesn't the Dropbox EULA...

[Dahamma]

Wouldn't that only be applicable if:

a> these people were "End users"
b> it was enforceable in their jurisdiction

Actually, yes, but if they *aren't* it falls under the DMCA, which is much, MUCH worse...

And jurisdiction... well... http://www.youtube.com/watch?v=EOJNs5YPR4g

Re:Doesn't the Dropbox EULA...

[epyT-R]

Why? If you're looking for the selfish angle, maybe he/they just wanted the notoriety. However, he/they might've just wanted to do a public service. Most people trust dropbox to be secure. Of course, slashdot users should all know better than to trust the 'cloud' for anything sensitive, but a way to get this info to people who would not otherwise know this is to make a splash about a successful pen-test.

Lots of guys see it as a challenge; the digital equivalent of saying 'you can't have this.' Well, challenge accepted.

Re:Doesn't the Dropbox EULA...

[Full+of+shit]

That assumes they got their hands on you compiler too. Any company shipping their open source code and a closed source compiler for it would invite suspicion.

Re:Doesn't the Dropbox EULA...

[gnupun]

See yesterday's slashdot article where the article author claims that no one will steal your ideas. No-reverse-engineering clauses in EULAs exist to prevent competitors from cloning software by disassembling and studying its internals. Did the researchers break a (valid) contract?

Re:Doesn't the Dropbox EULA...

[black3d]

How is Dropbox not secure? Do you mean the client you have control of isn't secure? That's all the article is speaking of - they haven't found a way to steal your data from Dropbox unless they already have a secret from your PC.

In order to access your account, they need the secret host_id (which is generated per device and unique to that device) and host_int from your computer (although, if they already have host_id, they can get host_int from the server - so really, they only need host_id). Presuming they have access to your computer, they can use these keys to access your account. (ie, without actually having your password). If they already have access to your computer however - well, at this stage we're splitting hairs. Any software which stores your login credentials on your own computer is at best hiding an access method through obscurity.

The only way to avoid this is to require you to enter your password each time you want to sync your files. Same with Google Drive. Same with .. every piece of software that stores login credentials on the client. Calling DropBox "insecure" when you actually mean "as secure as any client-side auto-login software can be" is a misnomer.

Re:Doesn't the Dropbox EULA...

Actually, yes, but if they *aren't* it falls under the DMCA, which is much, MUCH worse...

And jurisdiction... well... http://www.youtube.com/watch?v=EOJNs5YPR4g

*if* they live in murica... but they could just as well live somewhere in the *rest* of the world.

Re:Doesn't the Dropbox EULA...

[buchner.johannes]

Lawyers have trouble understanding that law doesn't dictate the limits of curiosity, greed, mathematics, or physics. If there is sufficient incentive, it WILL be cracked.

Non sequitur. Law also dictates that you can not steal and break into someone elses vault (limiting physics arguably). There will be sufficient incentive that people will do it nevertheless, thereby breaking the law. That does not mean it is an invalid law.

Re:Doesn't the Dropbox EULA...

Non sequitur.

How is that a non sequitur? That logic is absolutely correct even if it applies to other things as well.

That does not mean it is an invalid law.

Where did he say that it is?

Re:Doesn't the Dropbox EULA...

[Barefoot+Monkey]

The link in TFA says that Przemyslaw Wegrzyn is from Poland. No idea about Dhiru Kholia but that's not a typical name for the US.

Re:Doesn't the Dropbox EULA...

[Sloppy]

DMCA will need to be changed, for it to ever be able to prohibit cracking things like dropbox. Dropbox is too-general purpose for you to ever be able to guarantee in advance, that the copyright holder (the person whose authorization matters) will join a block in denying permission to the public. If I hold the copyright on a file, and a dropbox user uses dropbox to apply a technological measure that limits access to that file, I can give myself (and everyone else) permission to bypass that technological measure.

HDCP has the same issue.

Re:Doesn't the Dropbox EULA...

No No NO and No .... The law never dictates what you can/can't do ... All it Dictates is a Reaction to some action.
The law doesn't dictate that you can't steal and break into someone elses vault. What it dictates is - IF you steal and break into someone elses vault ... there MIGHT be certain consequences.
If the law would dictate that you can't break into someone's vault .... then even if you broke ... according to the law... whoever would claim that would be a liar ...claiming you just did the impossible. You can't do something that you can't do, can you ?

Re:Doesn't the Dropbox EULA...

[fast+turtle]

I've never considered dropbox to be secure after they screwed up and allowed anyone to log into any account a few years back. Now they include a public folder for sharing in dropbox so what's secure about that?

If you want to use dropbox and ensure things are secure, then encrypt it yourself. Otherwise, do not bitch if those private fotos of your wife end up shared on the net.

Re:Doesn't the Dropbox EULA...

[ImprovOmega]

Laws are essentially the terms of the social contract. We agree to be a part of society, as such we agree to abide by the laws put in place by our society. As with any other contract, violating the terms comes with certain consequences, but also as with civil contracts, these consequences only come about if someone notices/catches you/proves it.

Re:Doesn't the Dropbox EULA...

[Dahamma]

*if* they live in murica... but they could just as well live somewhere in the *rest* of the world.

Whoosh! Thanks for clarifying the point of my joke :) You haven't been keeping up on the news much lately, have you?

Wow, amazing.

[RightSaidFred99]

They also claimed the generic techniques they used could be applied to reverse-engineer other Frozen python applications: OpenStack...

Wow, they can reverse engineer OpenStack? That's amazing - what do they use, an obscure set of commands called "wget", "git", and "tar"?

Re:Wow, amazing.

Apparently they used a sophisticated web hacking process to discover a site where they can view and download the entire source code IN PLAIN TEXT!

Re:Wow, amazing.

Andrew Tridgell was accused of "hacking" BitKeeper because he telnetted in and typed "HELP".

Re:Wow, amazing.

Nah, you just found one of the N "organic references" that OpenStack has paid Dice for.

Re:Wow, amazing.

[Cramer]

That might have been the first 30s of his work, but he went a a lot further than that in his tinkering. ('tho he claims to have never had or ran the actual BitMover client, he sure as hell interacted with them. 90% of the beef here is that he continued to refine his client after agreeing to stop.)

Trying to obfuscate python was never going to work

They should have written it in perl.

Waste of resources

[xenobyte]

Why do so many developers waste time on obfuscation and other ways of hiding the source in scripting languages?

Using utilities like IonCube to 'protect' PHP-code will never stop the dedicated people from reverse engineering the application or re-engineering it. I've seen that countless times. It is security-through-obscurity at best and it will prevent people from both fixing bugs and re-submitting the fixed code to the developers, and finding security issues from simple code reviewing.

If developers of competing applications needs to steal code they're really crappy developers and whatever that makes their application unique will be equally crappy and thus not a threat.

Re:Waste of resources

[cerberusss]

Using utilities like IonCube to 'protect' PHP-code will never stop the dedicated people from reverse engineering the application or re-engineering it.

No, but it will stop support calls from clients that are the result of messing with the code.

Re:Waste of resources

[wonkey_monkey]

Why do you lock your front door when you leave the house?

Re:Waste of resources

[lorinc]

Why do so many developers waste time on obfuscation and other ways of hiding the source in scripting languages?

Using utilities like IonCube to 'protect' PHP-code will never stop the dedicated people from reverse engineering the application or re-engineering it. I've seen that countless times. It is security-through-obscurity at best and it will prevent people from both fixing bugs and re-submitting the fixed code to the developers, and finding security issues from simple code reviewing.

If developers of competing applications needs to steal code they're really crappy developers and whatever that makes their application unique will be equally crappy and thus not a threat.

Which brings us to the next point: If obfuscation is worthless and someone will steal you code whatever you do, just release it with an open source license in the first place.

My guess is that the short amount of time between the release and the cracking is where the management expects to make profit, and even more profit than if it was FLOSS in the first place. This highlights greatly the short-term objectives of today's business.

Re:Waste of resources

"Short" amount of time? Dropbox has been around for years, during which they've established themselves as the top brand in this space, even ahead of companies like Google or Microsoft.

Only in autistic/retard world is "In 5 years someone might get around to reversing this" the same as "a waste of time".

Re:Waste of resources

To lock the crazy people inside.

Re:Waste of resources

I'm in an apartment with a self-locking door, you insensitive clod!

Re:Waste of resources

[SJ]

Bad analogy.

Code obfuscation is more akin to locking your door, and then hiding the key behind the pot plant.

Re:Waste of resources

Code obfuscation is more akin to locking your door, and then hiding the key behind the pot plant.

OK, OK. You are one of those folks who *need* code obfuscation.

Re:Waste of resources

"Short" amount of time? Dropbox has been around for years, during which they've established themselves as the top brand in this space, even ahead of companies like Google or Microsoft...

Still cracks me up talking about how they "established" themselves as THE free cloud space provider above all other free cloud space providers, as if their clouds were somehow whiter and brighter than everyone else's.

Boy, how I love me some Dropbox flavored ones and zeros in the morning! All the others taste like generic binary shit, but those Dropbox-flavored bits with the marshmallow IP stack...mmmmm

Re:Waste of resources

[smash]

Because if you can raise the bar in terms of effort required to be equal to, or more than just writing your own damn product, then you'll get less people freeloading off your development.

Re:Waste of resources

[Errol+backfiring]

Why do you paint bricks and fake keyholes on your door when you leave the house?

There, fixed that for you. Obfuscation is more like dazzle painting. It works somewhat, but don't expect it to work well.

Re:Waste of resources

I think their business idea was to market and sell a "secure" (not secure in our ears but in the public's) service that is easy to use. A much better idea would have been to market and sell a secure (in everybody's ears) service with an open protocol. They would possibly have had more competition and it may have been harder but they could have made it in the long run. Now it's just a lousy service with a lot of problems that will get consumed by a better one soon.

I have only tried it once to see what it was and I always recommend people not to use it because of the broken security model. By that I mean that they see what you store.

Re:Waste of resources

[jrumney]

Obfuscation also helps with code size, which is especially important for code that is downloaded, like Javascript and CSS, since one of the first things that obfuscators do is change all the symbols in your program to short names (duplicating where possible), starting from a, working up to z then aa...az etc.

Re:Waste of resources

Worse analogy.

Code obfuscation is akin to locking your door and then hiding the key behind the pot plant ONLY when lack of code obfuscation is akin to locking your door and then hanging the key from the handle.

Re:Waste of resources

[neonsignal]

Actually, it's more like not locking it at all, and putting a big potplant in front of the door to hide it...

Re:Waste of resources

Bad move. That's the first place Leo (aka Tommy Chong) will look, and then he'll go in and eat everything in your fridge, man.

Re:Waste of resources

[Ash+Vince]

Why do so many developers waste time on obfuscation and other ways of hiding the source in scripting languages?

Because the boss tells us to.

This is spoken as someone who has been asked to obfuscate javascript. I spent a few minutes trying to explain why this was an utter waste of time and such but the problem is that the boss knows a bit of JS code so looked at it and could understand it. He then googled "javascript obfuscation" and found a product that made the code so he could no longer understand it. The fact that I said I could still understand it he just blamed on me having created it.

The problem was that this was dynamically generated JS so I had to then go away and incorporate obfuscation into my server side code. I tried to do the best I could and make the result really hard to understand (once I am given a task I hate doing a poor job, even if it is a waste of time) but one of our competitors he gave access to the end result still reverse engineered it and copied it in a few months.

Now it is back on my task list again to go and revisit it and make the end result more cryptic using the stuff I learned by looking at our competitors similar solution. I have long since given up trying to explain why trying to hide what is ostensibly an open technology does is a complete waste of time.

Re:Waste of resources

Code obfuscation is like giving someone something and telling them it performs function X, but purposefully making it difficult for them to verify that that's what it actually does for themselves; it could do something completely different, which could even be something harmful. It's immoral, in other words.

Wake me up when my locking the front door harms other people; it's my property, and it damn well isn't code running on someone else's system.

Re:Waste of resources

[cheekyjohnson]

and someone will steal you code whatever you do

I doubt anyone will steal anyone's code.

Re:Waste of resources

Why do you paint bricks and fake keyholes on your door when you leave the house?

There, fixed that for you. Obfuscation is more like dazzle painting. It works somewhat, but don't expect it to work well.

No. It's much more like Vajazzling and less useful.

Re:Waste of resources

[jones_supa]

I have long since given up trying to explain why trying to hide what is ostensibly an open technology does is a complete waste of time.

It's not necessarily complete waste. All scrambled JavaScript code can be returned into an understandable form, that's for sure. But by obfuscating the code, you're always adding some extra puzzle to those who want to steal your code. And if they come across someone else's code which isn't scrambled, they might decide it's easier grab than yours and leave you alone. So by obfuscating, you assure that at least you're not the easiest target out there.

Re:Waste of resources

Do you mean the pot plant or the potted plant? Or the planted pot, for that matter.

Re:Waste of resources

[drinkypoo]

It's not necessarily complete waste. All scrambled JavaScript code can be returned into an understandable form, that's for sure. But by obfuscating the code, you're always adding some extra puzzle to those who want to steal your code.

Steal your code? Will they be deleting it from your servers?

The right way to handle this situation is to not do a bunch of client-side js yourself. And why would you?

Re:Waste of resources

[TheNinjaroach]

Wouldn't file checksums do a good enough job of identifying tampered code?

Re:Waste of resources

[geminidomino]

I doubt "secure" in anyone's sense in their getting brand recognition. The "free space referral" pyramid scheme that they had going on for a few years probably had more to do with it.

Re:Waste of resources

If code obfuscation is enough to discourage others from dissecting it, it wasn't valuable enough to begin with.

Either it's worth enough to protect properly - which entails not exposing it at all - or it's just a waste of everyone's time fuddling about with obfuscation.

In addition, some (many?) obfuscation techniques add further sources of errors, that are increasingly difficult to deal with, to the detriment of everyone, including the original developer as well as any paying customers.

Code obfuscation is stupid.

Code compression at least has a value in bandwidth-sensitive situations.

Disclosure: I work at a company developing commercial web services, deployed in context of public facing web sites of paying customers. We do not obfuscate our code, even if it allows (potential) competitors to have a look at how we do certain client-side things. The actual business hinges on stuff we do in the backend. That part isn't public, and thus also not obfuscated. We don't know, and we don't care, if anyone has freeloaded on our public stuff. The actual value requires our backend services. We don't sell code. We sell functioning sets of services, that are valuable to our customers. We make sure everything works. Everyone's generally happy. Win.

Re:Waste of resources

To heck with the key. I'd steal the cannabis.

Re:Waste of resources

What do you think happens then if I tamper with the code which verifies the checksum?

Re:Waste of resources

[Ash+Vince]

It's not necessarily complete waste. All scrambled JavaScript code can be returned into an understandable form, that's for sure. But by obfuscating the code, you're always adding some extra puzzle to those who want to steal your code.

Steal your code? Will they be deleting it from your servers?

The right way to handle this situation is to not do a bunch of client-side js yourself. And why would you?

In my case it was because I had to produce something that was scorm 1.2 compatible (http://en.wikipedia.org/wiki/Sharable_Content_Object_Reference_Model). That meant I had to use javascript as to produce a scorm compatible course there has to be no server side code (Only flash or JS). I should have used flash but that would have meant me spending 6 months learning actionscript before having anything to show for it.

Re:Waste of resources

[jandrese]

If your code is open source, file checksums are no hurdle at all. I mean if someone is modifying your code, what's going to stop them from modifying the stored checksum as well?

Re:Waste of resources

"Why do so many developers waste time on obfuscation and other ways of hiding the source in scripting languages?
Using utilities like IonCube to 'protect' PHP-code will never stop the dedicated people..."

But it will stop people who aren't dedicated.

You might as well ask "Why do so many people waste time on locking their doors?" when everone one knows a dedicated person WILL get into your house.

"It is security-through-obscurity at best and it will prevent people from both fixing bugs and re-submitting the fixed code to the developers"

Why should developers be beholden to people? Without wishing to start a religious war, the answer is they're not and shouldn't be. As for the code the developers work on, obfuscation is the last process before the code ships, you don't work on obfuscated code... as a developer.

"If developers of competing applications needs to steal code they're really crappy developers and whatever that makes their application unique will be equally crappy and thus not a threat."

Bit of a non sequitur. It is necessary that to steal the code they're crappy people but all you can say about they're development is it's lazy or otherwise time constrained. For all you know the source of the constraint may be they worked doubly hard on $UniqueFeature making it a very real threat. For all you know...

Re:Waste of resources

[Random+Destruction]

Then your client would lie to the server.

You wouldn't want to create a liar would you?

Re:Waste of resources

[TheNinjaroach]

Don't provide the verification tool to the client until they call. Support then loads a single program that verifies the integrity of the rest of system.. checksums of application code would just be one of the tests.

Re:Waste of resources

Ehm... The fact that it is YOU who has the checksums and not the client?

Re:Waste of resources

"If developers of competing applications needs to steal code they're really crappy developers and whatever that makes their application unique will be equally crappy and thus not a threat."

True. There's a large middle-area of crap software supported by this ideology. Without crap, there's 1/100th the number of apps.

Re:Waste of resources

[smash]

You think that the original developer doesn't have an unobfuscated copy that isn't just run through an obfuscator before being released? Lol.

Re:Waste of resources

[mattack2]

...but you left???

Re:Waste of resources

[IamTheRealMike]

Yep. You got it.

A few years ago I developed a state of the art obfuscation system for JavaScript. It goes far beyond what you might normally see (renaming variables, etc) and is used for anti-spam purposes. I expected the obfuscation to get cracked by spammers eventually as anyone who had succeeded could have directly profited off that success, but in fact although there were many attempts over the years none were successful. When done well, software obfuscation is a powerful tool. It has a bad rap because so many people do it badly - there is precious little information out there about how to build really good obfuscations, so you get a lot of wheel reinvention.

Re:Waste of resources

[jandrese]

Ok, so you have the checksums on the server. That's great, how is that going to help you insure that the client has not been modified? Are you going to ask the client machine for the checksums and just trust what it sends you is accurate?

Re:Waste of resources

[Jonner]

Dropbox is a service. Presumably, they're successful because they provide that service better than many competitors. What does that have to do with hiding the code of client software?

Tronfuzzled

It took two developers to scrape Dropbox?

Re:Trying to obfuscate python was never going to w

They should have written it in perl.

They would have missed the fun of seeing how obfuscation made the code harder to read.

Obfuscated Python isn't the point here...

The point is that with this knowledge, they were able to bypass everything else which shouldn't have been the case -- namely they were able to workaround 2FA and "intercept" ssl traffic meaning they tricked the server into communicating with them. These things go well beyond python -- that python client could have been in the clear/open-source from the beginning but you shouldn't be able to bypass 2FA and get in un-authenticated.

This is the real problem here; their implementation of 2FA and ssl basically depended on a 'proper' client which shouldn't have been the case.

Re:Obfuscated Python isn't the point here...

[Arker]

"These things go well beyond python -- that python client could have been in the clear/open-source from the beginning but you shouldn't be able to bypass 2FA and get in un-authenticated."

That's right. And remember kids, when you see people pushing closed binaries and wont provide source - this is exactly the kind of basic fsck up they are almost certainly trying to hide.

If you write a secure system, you dont need to worry about people seeing the source. You want them to see the source. You want them to appreciate just how elegantly you solved the problem. You hide the source when you know you screwed it up and are just stuck hoping no one catches on.

Insecure by design

[nomaddamon]

The point of the article wasn't to crack it, it was to show that if something sounds insecure by design, it is insecure...

DropBox allows you to "log in" to it's website via click in the application -> no credentials required. Therefore it must either store user credentials or some other secret(s) on client side (host_id and host_int in this case).

Any process running under privileges accessible to you can be cracked (albeit sand-boxing, in which case you need system privileges) and it can't hide data from end-user / other processes in same privilege space (albeit sand-boxing....).
They can make it more difficult though (extracting Bluray key from windows media player will take anyone at least a few days)

More and more big companies think they can hide data on client side and be secure. Dropbox, Windows Live (LiveConnect) and numerous others are now relying on fast exchange of nonces in addition to client-side secret storing to make it secure "enough".. But breaking the nonce handshake and authenticating in programmatic fashion will add maybe 10% more cracking/programming effort on top of the regular cracking effort.

TLDR: If it is insecure by design, it is insecure and no amount of obfuscation will help you....

Re:Insecure by design

[smash]

TLDR: If it is insecure by design, it is insecure and no amount of obfuscation will help you....

Newsflash: encryption delcared to be pointless on slashdot!

More seriously, if you're (not the poster above) storing unencrypted data on dropbox, joke's on you...

Re:Insecure by design

[Inda]

"others are now relying on fast exchange of nonces"

Is that a typo or a new word in programming?

1. nonce. (UK) Slang for paedophile or sex offender

Re:Insecure by design

Is this a technical forum or Urban Dictionary affiliate?

Here, let me help you.

Re:Insecure by design

http://en.wikipedia.org/wiki/Cryptographic_nonce

It is a crypto term.

Re:Insecure by design

[buchner.johannes]

DropBox allows you to "log in" to it's website via click in the application -> no credentials required. Therefore it must either store user credentials or some other secret(s) on client side (host_id and host_int in this case).

This could in principle be secure, e.g. if the app requests a new session ID, and launches the web browser with that session ID in a GET parameter. No secret needs to be stored, you just need to be logged in with the app already.

Re:Insecure by design

I'm not sure how being able to steal Dropbox credentials is a big deal. If you're in the position to steal the credentials, you're already running code on the machine, or at least reading arbitrary files or memory. At that point it is game over. If you want to steal the files of dropbox, why not copy them right out of the local Dropbox folder? If you want to delete and cause havoc for them, you could just delete the files from the dropbox folder and have the software do its intended behaviour and also delete the serverside copies. If you are hell bent on actually getting into the dropbox account for whatever reason, this might be helpful.

But to say "OMG if we take over this PC we can also take over the Dropbox!" is useless sensationalism.

Re:Insecure by design

So Alan Turing is a crypto nonce? Sorry I will see myself out.

Re:Insecure by design

Everything is insecure, so talking about insecure by design is a bit wrong in this context. Let's say that dropbox didn't store any easy method of logging in, which means you have to type the password each time. Only a keylogger is needed to crack that. Insecure? sure. Ah, 2FA, giving you a sms each time you want to load the webpage - we don't trust cookies, they're insecure by design - would be enough? No, setting up a celltower outside your house and picking up the sms would solve that security measure. Hard, sure. Secure? no.

Nothing is secure. Everything is insecure, by design. As long as it's stored, disk, memory, your brain, it's insecure.

Re:Insecure by design

That is why there is a big witch hunt for paedophiles and sex offenders. We need nonces for cryptography to work.

Re:Insecure by design

Is that a typo or a new word in programming?

1. nonce. (UK) Slang for paedophile or sex offender

I see what they did here...

capcha: ince nse

Re:Insecure by design

GP didn't declare encryption pointless anywhere. Encryption is only pointless if done wrong, e.g. as Dropbox does it by design.

Re:Insecure by design

You should try a crypto class sometime, the introductory courses on constructive cryptography are usually pretty light on math.
There's a clear difference between "everything in the real world is insecure as long as the adversary has enough resources and motivation" and "something is insecure because they made a stupid design decision". Here we have the latter case.

Claiming security because you've obfuscated server secrets on the user side of the channel is simply a lie, no matter what algorithms you use.
Car analogy: your new anti-theft system with a phone-home locator will certainly help in the average case, but not against more sophisticated thieves who can shield off the transmission. On the other hand all of this is somehow pointless if your car is a cabriolet and has a "hidden" push-to-start-and-turn-off-security button usable by anyone.

Re:Insecure by design

...you do realize that in your hypothetical situation, the client still has the authentication keys, right?

Re:Insecure by design

[ciderbrew]

I can't see that term picking up in the office here; but I can't wait until the next US call and a dev there using it. Tea, meet rest of people in room - pffftt.

Re:Insecure by design

How does the server know the app is authenticated? What prevents me from requesting a new session ID manually?

Re:Insecure by design

[Henk+Postma]

Any process running under privileges accessible to you can be cracked (albeit sand-boxing, in which case you need system privileges) and it can't hide data from end-user / other processes in same privilege space (albeit sand-boxing....). They can make it more difficult though (extracting Bluray key from windows media player will take anyone at least a few days)

Correct. However, how is that a problem for Dropbox or Dropbox users? It would provide access to files that are already stored _decrypted_ on the machine. Please explain, cause I would love to know. Seriously.

Re:Insecure by design

What dictionary are you using?

nonce (adjective): occurring, used, or made only once or for a special occasion

Nonce (noun):
1: the one, particular, or present occasion, purpose, or use
2: the time being

Re:Insecure by design

[smash]

GP made the assertion that "no amount of obfuscation" will help you. Ciphers are obfuscation of "insecure" (i.e., sitting out in the public space) data.

Ugh

[JTD121]

Neat, I finally submit to the cloud, and there we go with the security shenanigans!

Re:Ugh

It already had security problems.

There's a FBI backdoor in Dropbox, and, well, PRISM?

The problem here is the technical deficit amongst web developers.

Minecraft??

"with any of the countless other sites, programs and applications written in Python: NASA, Minecraft, Django, OpenStack and a host of Google products, to name just a few."

Minecraft??

Re:Minecraft??

They're also going to force open Django and OpenStack sources and NASA is apparently an app, not an aerospace agency. /. journalism at its highest!

Re:Minecraft??

[MichaelSmith]

Minecraft is written in java.

Re:Trying to obfuscate python was never going to w

[Buchenskjoll]

Yes, only with Perl would they be able to implement security through obscurity and open-source it at the same time.

What two-factor ?

[HuguesT]

I never knew that Dropbox had two-factor authentication. They only ask for a single password.

Re:What two-factor ?

1st factor is the username silly

Re:What two-factor ?

Something you know - password
Something you have - the fsck'd up client of theirs that is broken :)
Something you are - moron for storing files in dropbox

So technically they have 3FA...

Re:Trying to obfuscate python was never going to w

I remember an old co-worker referring to perl as "a write only language". I was young and dumb and didn't get what he meant. Until 1 year later when I tried to add a new feature to my perl script.

openstack?

why would you need to reverse-engineer openstack when you can just grab the code since it's like open

Other people's hard drives

The lesson here: Don't store your data on other people's hard drives.

Re:Other people's hard drives

[Agent+ME]

Just because someone reverse-engineered the dropbox client doesn't mean that dropbox is insecure. (Well, maybe their 2FA is bypassable.)

More relevant links

[solardiz]

Presentation slides (view online or download PDF), and links to the paper (PDF) and "dedrop" source code (GitHub):
http://www.openwall.com/presentations/WOOT13-Security-Analysis-of-Dropbox/

USENIX WOOT '13 web page dedicated to this talk, including video and audio (view/listen online or download the video .mp4 via a direct link from there):
https://www.usenix.org/looking-inside-drop-box

(Somehow the Slashdot story only links to a third-party article and to the paper PDF, but not to any of the authors' and the conference's web-based content.)

Was it worth it?

[morgauxo]

What happens when Dropbox changes how everything works. How long before it is reverse engineered again. That's why I wouldn't want to depend on this kind of hack for anything.

Re:Was it worth it?

[RockDoctor]

What happens when Dropbox changes how everything works.

The large majority of their customers find that their "DropBoxes" (I don't know DropBox's terminology ; I've never considered wasting my time by looking at their service) have stopped working, and flood the company with (justifiably) irate support calls and hate messages.

What - you think they'd manage to get revised, bug-fixed clients out to every single user, including the ones with severely paranoid, tightly locked-down machines with a checksum on every file, particularly downloaded ones? Not a chance.

Trusting trust is busted

[tepples]

The "trusting trust" attack that you linked already has countermeasures. One by David A. Wheeler, called diverse double compiling, involves bootstrapping the compiler using several independently developed compilers for the same language and seeing whether they ultimately produce the same binary. Of course, these countermeasures are no help for a proprietary language such as the Pascal variant used by Delphi.

NANDputer

[tepples]

How do you know the machine building your CPU will not inject a backdoor in it?

Because Kevin Horton's NANDputer was built by hand out of a pile of 74HC00 (quad 2-input NAND gate) ICs on a breadboard. There isn't enough room in any single 7400 to insert a backdoor.

Re:NANDputer

[ColdWetDog]

How do you know the machine building your CPU will not inject a backdoor in it?

Because Kevin Horton's NANDputer was built by hand out of a pile of 74HC00 (quad 2-input NAND gate) ICs on a breadboard. There isn't enough room in any single 7400 to insert a backdoor.

Hell, a breadboard full of 7400's is big enough to put in a real back door, complete with hinges.

Re:NANDputer

[Minwee]

Because Kevin Horton's NANDputer was built by hand out of a pile of 74HC00 (quad 2-input NAND gate) ICs on a breadboard. There isn't enough room in any single 7400 to insert a backdoor.

Are you sure? Did he ever leave the room while he was building it?

Like Firefox and Python

[tepples]

Any company shipping their open source code and a closed source compiler for it would invite suspicion.

Does this include Mozilla Corporation and Python Software Foundation, which ship open source code and binaries compiled using Microsoft Visual C++?

Re:Like Firefox and Python

[Full+of+shit]

That's not an instance of the scenario I mention, why do you bring it up?

However, IMNSHO anyone who produces anything targeting windows is an MS enabler, but that's another matter entirely.

Developer prowess

[EmperorOfCanada]

I wonder if the developers promised that it was "basically impossible" to decompile the code. Or did the developers more honestly say, "this will buy us a bunch of time."

Interoperability

[tepples]

Writing one's own product doesn't really help to interoperate with the service in which your potential customers are already storing their data.

Re:Interoperability

[smash]

Interoperability with third parties is clearly not an aim of those doing code obfuscation.

NASA has a website

[tepples]

and NASA is apparently an app, not an aerospace agency

NASA is an aerospace agency, but it's also the website of the aerospace agency. That and the Toki Pona word for crazy or foolish.

Skype Client Next Please?

[Agent+ME]

There are already a lot of dropbox alternatives that have open source clients and even ones that do encryption. But there isn't a good Skype alternative I've seen that lets me participate in Skype group chats. I don't even care about video/audio chat. Can someone reverse engineer the Skype client next?

Yet another vote for ...

... TahoeLAFS?

not compiled, just parsed

[raymorris]

A pyc is pretty much just a parse tree. It's been syntax checked, etc. but not really compiled. As docs.python.com explains, a pyc doesn't run any faster than a .py. The heading on the docs page is:

"Compiled" Python

With compiled in quotes because though some people use that word, it's not really true.

Re:not compiled, just parsed

It's been really compiled - to bytecode. What, did you think Python interprets parse trees?

It's not faster than .py because .py is compiled to same bytecode .pyc behind the scenes. You're saving disk space and some load time (not very much because compilation is usually on the order of milliseconds).

Re:not compiled, just parsed

[radarskiy]

You make the baby Alfred Aho cry.

Stop calling this "security through obscurity"

[Sloppy]

It's "Unmaintainability Through Obscurity." There never was any (even falsely-justified) security component to it. Nobody is going to say this has somehow made Dropbox less safe.

Interpreted is guaranteed to be easier to reverse

[raymorris]

> One of the best obfuscations is to embed an interpreter into your code, and then do all the hard work in the bytecode.

"One of the best" is kind of nebulous, but it's ALWAYS more secure against reverse engineering to distribute a compiled binary, machine code. At least on a PC, or any platform with a decent debugger. Here's why. If you do anything with an interpreter or bytecode, the attacker has at least two options. They can choose to EITHER:

A) Use a debugger to dump the generated machine code and work from that.

OR

B) Use any other method to go after the provided file, the interpreter, or the bytecode.

Distributing a compiled exe (machine code) forces the attacker to do A, eliminating all of the options listed in B.

Of course, what I do, what I think is better, is I ship readable source. Any security needed is handled by actual security, such as encryption of sensitive data, rather than by trying to obfuscate how the program works.

Probably they were just told to by management

[Phil+Urich]

I wonder if the developers promised that it was "basically impossible" to decompile the code. Or did the developers more honestly say, "this will buy us a bunch of time."

Management: Make sure people don't steal our stuff!
Developers: Okay, uhhh . . . it's obsfucated now, is that good?
Management: Don't give me any of your technical mumbo-jumbo, is our IP secure? We can't monetize it without keeping our secret sauce.
Developers: ...yeah, sure.
Management: Good enough for me! I'm going on a business lunch, you folks get back to work.

Re:Probably they were just told to by management

[EmperorOfCanada]

I wonder how many HTML/Javascript developers have been instructed to make it "impossible" to steal the site's forward facing code?

"OK I'll use the META tag IMPOSSIBLE=true."

Re:Probably they were just told to by management

[pspahn]

There's a difference between "impossible" and "expensive". I've never actually met a good manager, but a good manager should know the difference between something that would be "impossible" for a competitor to replicate, versus "expensive" for a competitor to replicate.

Re:Interpreted is guaranteed to be easier to rever

[Full+of+shit]

Compiled? Then they'll just replace the libs with hacked ones in the loader, and stub out the calls that they'd rather you didn't make. Child process returned 0 to say license is valid - and gee, wasn't it quick!

If you really stretch the definition of "compile"

[raymorris]

Compile: to create a set of *machine instructions* from a high-level programming language, using a compiler

Grace Hopper, who coined the term "compile", defined it as "accept things that were people-oriented and then use the computer to translate to *machine code*.”

A primary purpose of compiling code is so that the user doesn't need to have a copy of the matching version of the interpreter. Compiled code runs by itself.
Python bytecode is a couple of steps removed from machine code. Look at how many lines of code are required in the bytecode interpreter to interpret that bytecode and do something with it. Compiled code doesn't need any interpreter, much less hundreds of thousands of lines of interpreter.

Re:If you really stretch the definition of "compil

[ehynes]

The *machine* doesn't have to be hardware, or are you saying that Java isn't compiled either?

Re:If you really stretch the definition of "compil

Compile: to create a set of *machine instructions* from a high-level programming language, using a compiler

No, it's not and I'm not sure where did you get this narrow definition contrary to contemporary usage. Go ahead and find some more examples of people referring to bytecode comilers as ""compilers" in quotes because they're not really compilers y'know".

Grace Hopper, who coined the term "compile", defined it as "accept things that were people-oriented and then use the computer to translate to *machine code*.â

No, she didn't. She did use this phrase to describe her FORTRAN compiler, tho.

Seriously, should I come over to your place and hit you on the head with my copy of Aho's Dragon Book?

ecryptfs+Dropbox is a nice solution

[Orp]

I've always assumed that data on Dropbox wasn't very secure, which is why I was happy to find that ecryptfs works well with dropbox across multiple machines (assuming they are all running Linux). To wit:

chinook: ~orp df /home/orp/e
Filesystem          1K-blocks      Used Available Use% Mounted on
/home/orp/Dropbox/e 491451392 129077764 361240528  27% /home/orp/e
chinook: ~orp ls Dropbox/e
./
../
ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkw6-7kc4NR3-58yIKIxSsrgk--
ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkw9VkRKmwOO95LV0W1qwwNHk--/
ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkwKsqUWInaV2aVwzvhw6CcW---
ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkwOggoYf2PUQpQQmgJLHwIaU--/
ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkwQEdvushvgMYZ2uRpeRJ9EU--
[etc]

This works with the same partition mounted across multiple machines. Save a file to /home/orp/e, and it "magically" appears in its unencrypted form (name, content) on any other machine that was updated on Dropbox that has the encrypted partition mounted the same way. All dropbox ever sees is the encrypted stuff.

The main disadvantage to this approach is that if you are trying to access files on a non-linux machine you are hosed; Lastpass and other password managers that have file encryption functionality can give you cross-platform encryption but not with the nice filesystem access that Dropbox provides.

Re:ecryptfs+Dropbox is a nice solution

[akita]

encfs works on windows, see
http://members.ferrara.linux.it/freddy77/encfs.html

Re:Trying to obfuscate python was never going to w

Yes, when you're young and dumb you tend to write "write-only" scripts. Eventually you learn to not do that.

Re:Trying to obfuscate python was never going to w

[VortexCortex]

Yes, only with Perl would they be able to implement security through obscurity and open-source it at the same time.

"Only Perl can parse Perl." Yargh! Havin' ye source be indistinguishable as compiled for me Parrot.

MSVC vs. MinGW

[tepples]

That's not an instance of the scenario I mention, why do you bring it up?

As a way of beginning discussion about the difference between the scenario you mention and the scenario I mention. Mozilla and PSF ship open source code alongside binaries that cannot be produced with only free tools, as opposed to binaries produced with the MinGW version of GCC.

Re:MSVC vs. MinGW

[Full+of+shit]

An interesting topic, but a change of topic which was about suspicion drawn to closed source things.

if ms' s compiler is freely available, then there's no obligation under: ..plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs..

Re:MSVC vs. MinGW

[tepples]

if ms' s compiler is freely available

When Mozilla Application Suite (now SeaMonkey) and Phoenix (now Mozilla Firefox) were first being developed, there was no such thing as Visual C++ Express.

then there's no obligation

There's no legal obligation. But requiring a paid compiler, as Mozilla did before Microsoft introduced Visual C++ Express, does shut out much of the public from participating.

plus the scripts used to control compilation and installation

I'm not so sure of the extent to which Microsoft allows Mozilla to distribute "the scripts used to control compilation and installation" of a Windows 8 style (formerly Metro) application such as Metro Firefox, especially when such "scripts" may include private code signing keys.

if you really ignore the historical definition

[luis_a_espinal]

Compile: to create a set of *machine instructions* from a high-level programming language, using a compiler

Grace Hopper, who coined the term "compile", defined it as "accept things that were people-oriented and then use the computer to translate to *machine code*.”

A primary purpose of compiling code is so that the user doesn't need to have a copy of the matching version of the interpreter. Compiled code runs by itself. Python bytecode is a couple of steps removed from machine code. Look at how many lines of code are required in the bytecode interpreter to interpret that bytecode and do something with it. Compiled code doesn't need any interpreter, much less hundreds of thousands of lines of interpreter.

*machine code*, *machine code*. As Inigo Montoya would say: You keep using that word. I do not think it means what you think it means. Seriously, what's the point of quoting Grace Hopper if we are willing to ignore the historical definitions of what compiler and *machine*.

The phrase "machine instructions" was never meant to literally stand for "hardware machine instructions" to the exclusion of anything else. From very early on in the evolution of computers, compilers created somewhat portable symbolic instructions meant to be further decoded or translated at start-up run time into the actual hardware level instructions.

From a purely theoretical POV, the concept of a machine that could execute instructions preceded the existence of hardware machines. Think turing machines, -recursive functions, turing-complete string rewriting systems and lambda calculus. Think of the idea of algorithmic systems that can translate a program representation from one mathematical model of computation to another. That is a compiler. That is, in the world of the computable, a machine has never been exclusively of a hardware nature, and the notion of a compiler has never been constrained by that limitation.

Moving from the esoteric to the mundane, p-code is the most commonly known historical name for this approach that has existed since the 60's (and which is now typically referred to bytecode.) Mainframes and mini-computers sported such compilers in a variety of languages - BCPL, COBOL, PL/1, etc.

The world of practical computing has always moved around and above this notion.

Hell, if languages that produce bytecode/p-code are not compiled because these are not true hardware instructions, then neither is the x86 family of assemblers and native compilers because the x86 family of "native" CICS instructions are not true compilers.

Why? Well, because, unlike RISC hardware platforms, those instructions are interpreted at run-time into the micro-code instructions specific to the hardware.

That is the x86 CISC instruction set is not hardware machine code, but an extremely low-level p-code/bytecode interpreted at run-time by an on-the-die interpreter.

Re:if you really ignore the historical definition

[david_thornley]

The IBM 360 series was a set of different machines, most developed at about the same time, all interpreting what had been designed as a common "machine code". Any compiler on the system compiled to an intermediate language/pcode/whatever that was then interpreted by the underlying machine.

Re:If you really stretch the definition of "compil

A compiler take a stream of symbols and emits a different stream of symbols based on a predefined set of rules.

That is it.

Java has a compiler

Python has a compiler

Latex has a compiler