Security by Obscurity, DLC style


Rapidshare deletes illegal files, so instead of sharing Rapidshare links, sites nowadays apparently started sharing .dlc files (or so I've heard). DLC is an encrypted container format. It is very very stupid. I'll elaborate.

Let's break it down:

  • Only one server decrypts - single point of failure.

  • Setting aside the need for an internet connection, this ties you to specific programs that have the keys hardcoded in them in order to reach the server.

  • The protocol is secret, the key is secret, the programs are closed source (at least the part that matters).

  • One program is for Windows only. The main one is written in Java. Stupid Java. I've gone over the parts of it that are open source and it's horrible (really really horrible).

  • I have not managed to get the program running on three different computers, including on Windows.

  • Apparently they change the key every once in a while so you always have to stay updated with the program.

However, these are all implementation issues.
The problem here is that a bunch of freelance programmers (I'm assuming) think that by hardcoding and source-closing the key to their wanna-be-open-source application, it will somehow deter people who make it their job to crack it.
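One check a developer could run on a client like this before shipping it, as an added Python example that is not from the post or from JDownloader: it scans source text for string literals that look like embedded key material (the class, identifier, URL and key values below are constructed for the example).

```python
import math
import re

# Constructed sample of client source that embeds a decryption key as a
# string literal. Names, URL and key values are made up for this example.
SAMPLE_SOURCE = """\
public class DlcClient {
    private static final String SERVICE_URL = "https://example.invalid/decrypt";
    private static final String KEY_PROMPT = "Enter the key";
    private static final String DLC_KEY = "9f3a7c1e4b8d2065a1c7e9f03b5d8a24";
    private static final String INIT = "q7Zp2LmX9bV4cR1tN8kY";
    private static final int RETRIES = 3;
}
"""

ASSIGNMENT = re.compile(r'(\w+)\s*=\s*"([^"]*)"')          # name = "literal"
SECRET_NAME = re.compile(r"key|secret|passw|token", re.I)   # suspicious identifier
OPAQUE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")             # key-shaped charset, no prose


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex tops out at 4.0, English prose sits near 3."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def find_hardcoded_keys(source: str, min_entropy: float = 3.5):
    """Return (line_no, identifier, reason) for literals that look like shipped keys."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        name, literal = m.group(1), m.group(2)
        if not OPAQUE.match(literal):
            continue                      # URLs and prompts are not key material
        if SECRET_NAME.search(name):
            findings.append((line_no, name, "secret-like name"))
        elif shannon_entropy(literal) >= min_entropy:
            findings.append((line_no, name, "high-entropy literal"))
    return findings


if __name__ == "__main__":
    for line_no, name, reason in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} ({reason})")
```

Anything the scan flags is a value every copy of the client carries, so it cannot act as a secret; the only fix is to not ship it at all.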

Since you still want the average boob (that is, the average dumbbell) to be able to operate the program and download the stuff, you need to make it accessible enough for him/her. Once it's that accessible, it's accessible to any RIAA/MPAA/<enter agency name> agent as well, since they are at least as smart as the average bear, err... boob.

You're telling me a well funded agency can't open the stupid program and click the link? They can't write a program that automatically opens the other program and clicks the link? Really? Oh, this is ultra super secure now? You can write a Visual Basic program that does that in 10 minutes.
(please don't write a visual basic program)

I've emailed at least one website that does that, trying to get a decent answer for this. Still no response.

As to the JDownloader developers: Your program doesn't work, and your super ultra secure technology is closed source i-wouldn't-touch-it-with-a-ten-foot-pole icky. Yes, icky. You've secured nothing! [] release various Perl programs. One of them is called dlc2txt (oh, here's the Google Translate for it). Using this program, given the key and host, you can just crack DLC files yourself.

Of course the developers keep the key in JDownloader only. They also issued two other keys for two other programs (one of them written in Python) and threatened their developers not to reveal the key. The other programs and JDownloader keep the key closed source by compiling it in.

So you have to use JDownloader or the other programs.
Right? Wrong!

Here is a fully detailed post on how to crack DLC completely.

I will probably write a Perl module to use this new kickass webservice that cracks DLC for you.

Meanwhile, please quit trying to convince people that your new thinga-ma-gic protects them even though it really doesn't. It only adds complexity for the user (much more than for an agent) and pisses people (like me) off.

Thank you.


Hey Sawyer, I just unpublished from this entry the 4th spam comment on your blog that got published. 3 of those were published after I switched your blog settings to having to approve new commenters (which I did because reCAPTCHA seems to be problematic on this site and because it still allows some spam through) – so you must be manually approving this spam.

Are you not aware that not every comment is genuine?

(Note the characteristics of this comment: some not-obviously-generic vaguely-flattery as the comment text, a plausible-seeming commenter name, and then a spammy URL about job adverts as the commenter’s “homepage”. Most comment spam looks like that nowadays.)

There was no link in the post. The link was in the name of the commenter. I only unpublished the comment and didn’t delete it, so you can still go and look.

About Sawyer X

Gots to do the bloggingz