

Cool additions by Dropbox Interns - chromedude
http://blog.dropbox.com/?p=875

======
koopajah
Nice to see that interns seem to choose the topic they'd like to work on and
feel like making really useful work! Pretty skeptical of the code obfuscator
part. Even written from scratch this will not prevent people to deobfuscate it
in the end.

~~~
esrauch
It's not possible to reconstruct variable names that are replaced with
arbitrary strings.

~~~
yid
You seem to have not heard of the field of software reverse-engineering. If
you think obfuscated JS is hard to understand, keep in mind that people like
DVD Jon typically reverse-engineer algorithms out of optimized assembly.

~~~
esrauch
You are completely making assumptions about who I am and what my comment means
outside of what is literally there in the text of it. I never said you can't
get algorithms out of obfuscated source, I said you can't get variable names.

A lot of JS code ends up getting deployed with references to future planned
unreleased features. Fairly simple code obfuscation works completely to hide
that form of leak. See the leak about Facebook's future integration with some
music service that came out from a javascript string without there literally
being any functionality to go along with it, among a number of Google+ feature
leaks that came out similarly.

Obviously you can infer what the variable name might be, but you can't get the
original variable name back. Was a variable count or counter? Index or i?

In reality I just thought that "Even written from scratch this will not
prevent people to deobfuscate it in the end" is exceptionally silly; it's
implying that existing deobfuscators use knowledge of the obfuscators in their
process of reversing it. They clearly do not, and an obfuscator written from
scratch is almost certainly strictly inferior to existing solutions.

I decided not to attack someone for being slightly naive and just mention
something that is legitimately protected by obfuscation. Apparently that is
the wrong thing to do on HN and I need to be snarky to avoid people assuming
that I'm a moron.

------
igorgue
I remember writing a code obfuscator for my first job at company XYZ ;-), not
really a pleasant experience. That's why interns or entry level employees do
that.

------
georgieporgie
"and came from a variety of schools (MIT, Stanford, Brown, CMU, Tufts, Chapman
and University of Ontario"

 _eyeroll_ Starting the elitism early, I see.

~~~
sebkomianos
And the message of this comment is?

------
bkaid
So Dropbox security is based on a code obfuscator? And was it an intern that
let us log into any Dropbox account with any password? Kidding, but seriously,
they need to get more interns because one of the most requested features for
years on their site is remote wipe
([https://www.dropbox.com/votebox/35/remote-destroy-purge-opti...](https://www.dropbox.com/votebox/35/remote-destroy-purge-option-if-laptop-is-stolen))
and they never implement it. Granted it's not an entirely reliable method but
it's better than not offering it.

~~~
esrauch
Every major company uses code obfuscation/minification/compilation on their
javascript. It's not really clear what they mean though...

~~~
igorgue
obfuscation != minification != compilation

~~~
esrauch
Compilation where the source and target language are the same = obfuscation
and minification

