Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

xsawyerx (8978)

xsawyerx
  (email not shown publicly)

Journal of xsawyerx (8978)

Tuesday December 08, 2009
04:45 AM

Security by Obscurity, DLC style

[ #39988 ]

this was originally posted on my new blogs.perl.org journal, which can be found here which is also the RSS feed for it.

<rant>

Rapidshare deletes illegal files, so instead of sharing Rapidshare links, sites nowadays apparently started sharing .dlc files (or so I've heard). DLC is an encrypted container format. It is very very stupid. I'll elaborate.

Let's break it down:

  • Only one server decrypts - single point of failure.
  • Disregarding the necessity for internet, this binds you to specific programs that have the keys hardcoded in them to be able to access the server.
  • The protocol is secret, the key is secret, the programs are closed source (at least the part that matters).
  • One program is for Windows only. The main one is written in Java. Stupid Java. I've gone over the parts of it that are open source and it's horrible (really really horrible).
  • I have not managed to get the program running on three different computers, and on Windows as well.
  • Apparently they change the key every once in a while so you always have to stay updated with the program.

However, these are all implementation issues. The problem here is that a bunch of freelance programmers (I'm assuming) think that by hardcoding and source-closing the key to their wanna-be-open-source application, it will somehow deter people who make it their job to crack it.

Since you still want the average boob (that is, the average dumbbell) to be able to operate the program and download the stuff, you need to make it accessible enough for him/her. Once it's that accessible, it's accessible to any IRAA/MPAA/<enter agency name> agent to reach as well, since they are at least as smart as the average bear, err... boob.

You're telling me a well funded agency can't open the stupid program and click the link? They can't write a program that automatically opens the other program and clicks the link? Really? Oh, this is ultra super secure now? You can write a Visual Basic program that does that in 10 minutes.
(please don't write a visual basic program)

I've emailed at least one website that does that, trying to get a decent answer for this. Still no response.

As to the JDownloader developers: Your program doesn't work, and your super ultra secure technology is closed source i-wouldn't-touch-it-with-a-ten-foot-pole icky. Yes, icky. You've secured nothing!

Fox21.at [fox21.at] release various Perl programs. One of them is called dlc2txt (oh, here's the Google Translate for it). Using this program, given the key and host, you can just crack DLC files yourself.

Of course the developers keep the key in JDownloader only. They also issues two other keys for two other programs (one of them written in Python) and threatened them not to reveal the key. The other programs and JDownloader keep the key closed source by compiling it.

So you have to use JDownloader or the other programs.
Right? Wrong!

Here is a fully detailed post on how to crack DLC completely.

I will probably write a Perl module to use this new kickass webservice that cracks DLC for you.

Meanwhile, please quit trying to convince people that your new thinga-ma-gic protects them even though it really doesn't. It only adds complexity for the user (much more than for an agent) and pisses people (like me) off.

Thank you.

</rant>

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.