by heyitsnick on 8/27/13, 10:24 PM with 45 comments
by wladimir on 8/28/13, 4:50 AM
Oh I see dropship is mentioned in the paper, great :)
In any case, interesting that they found some previously unknown security holes this way. This again proves that security through obscurity, at least for client software, doesn't work. When will people learn? You can't hide anything on the client from the user, at least not for long.
by recuter on 8/27/13, 11:46 PM
"The contrast with my visitor the next day couldn't be greater. Through a former colleague I got an introduction to Drew Houston, co-founder and CEO of the vastly successful start-up company Dropbox.
Python plays an important role in Dropbox's success: the Dropbox client, which runs on Windows, Mac and Linux (!), is written in Python. This is key to the portability: everything except the UI is cross-platform. (The UI uses a Python-ObjC bridge on Mac, and wxPython on the other platforms.) Performance has never been a problem -- understanding that a small number of critical pieces were written in C, including a custom memory allocator used for a certain type of objects whose pattern of allocation involves allocating 100,000s of them and then releasing all but a few. Before you jump in to open up the Dropbox distro and learn all about how it works, beware that the source code is not included and the bytecode is obfuscated. Drew's no fool. And he laughs at the poor competitors who are using Java."
Sometime after that, Drew poached Guido from Google. I remember this post. :)
by groby_b on 8/27/13, 11:40 PM
by seiji on 8/27/13, 11:09 PM
It's like when a new iPhone comes out and they throw the custom silicon under electron microscopes. It's entertaining, and I'm sure fun for the people doing it, but fighting information wars against ourselves just seems silly.
There are large problems humans don't have answers to, but we're busy making things then figuring out how the things we made work. Madness ensues.
by naner on 8/27/13, 10:53 PM
by lucb1e on 8/28/13, 9:06 AM
- you feel like cracking a 256-bit random value remotely (you can't locally brute-force it), or
- you have filesystem access.
I'd say both are irrelevant. You can't crack 256-bit values locally, let alone if you have to check the value remotely, and with filesystem access I imagine you can do a whole lot more than just uploading files to someone's Dropbox.
Bypassing two-factor authentication with either of the options is possible though, and I can see the issue, but this is by design. I don't think you want to have to enter your credentials (username, password, second factor) every single time you store a file or check for updates.
by andrewcooke on 8/27/13, 11:15 PM
by arnehormann on 8/28/13, 8:19 AM
by RachelF on 8/27/13, 11:22 PM
by ChazDazzle on 8/29/13, 3:45 PM
Fun find from the source code: There's a module named "gandolf.py" which appears to have something to do with version control.
by unknownian on 8/27/13, 11:21 PM