2007, my employer is a magazine. I demand a blog. They decide to write one from scratch in .NET because we are a software magazine. 2010, said CMS is retired for Hubspot. Or maybe that happened later. Either way, to make me happy to have Hubspot is a feat. Also a great business angle for Hubspot: write your own shitty CMS? Welcome! And again, either way, 2017, bankruptcy. All money spent on CMS from inception to retirement could have been abated by a WordPress subscription. Definitely way above 6 figures lost. Coulda kept us alive for a few more years, anyway.
I think this is popping up in Hacker News because the concept of decompilers has become a bit more acceptable recently. (strokes beard) Time was, decompilation was said to be Impossible (as my wise friend syke said: most things people say are impossible are just tedious). Then, it just became "something you could only do in a targeted, single-application fashion."
Somewhere in there, Alan Kay laughed and handed everyone dynamic code.
These days, with AI in tow, decompilation is becoming the sort of thing that could be in the toolchain, replacing IDA and such. Why debug and examine when you can literally decompile?!
So, maybe, that idea being considered to be newly on the table, someone felt the need to post a counter-point, proving once again that everything old is new again.
Hats off for decompiling Java apps that mostly predate generics and annotations... both of which were added in 5.
I'm not sure you lived the same history I did. Decompiling for intermediate languages has always been a thing. Hell, back in college as an intern I was looking at the assembly of a decompiled C# binary, and back in high school using IntelliJ's Java decompiler to poke at some game applets to see if there were hacking opportunities. This was back when ruinscape didn't have a paid version.
Is there anything especially hard about decompiling (to) Java?
.NET/C# decompilers are widespread and generally work well (there is one built into Visual Studio nowadays, JetBrains have their own, there were a bunch of stand-alone tools too back in the day).
< disclaimer - I wrote CFR, which is one of the original set of 'modern' java decompilers >
Generic erasure is a giant pain in the rear. C# doesn't do this. You don't actually keep any information about generics in the bytecode, however some of the metadata is present. BUT IT COULD BE FULL OF LIES.
There's also a huge amount of syntactic sugar in later java versions - take for example switch expressions.
Personally, I don't get the sentiment. Yeah, decompiling might not produce the original source code, which is fair. It's possible to generate code using invokeDynamic and what not - still being valid code if a compiler opts to do so.
When decompiling bytecode there has to be a reason for it, and a good one. There has to be a goal.
If the code is somewhat humanly understandable that's ok. If it's more readable than just bytecode, that's already an improvement.
Reading bytecode alone is not hard when it comes to reverse engineering.
Java already comes with methods and fields available by design. Having local variable names and line numbers preserved is very common, due to exception stack traces being an excellent debugging tool. Hence debugging info gets to be preserved.
try/finally shares the same issues, albeit less pronounced.
C# doesn't erase all generics; but there's also some type erasure happening: nullable reference types, tuple element names, and the object/dynamic distinction are all not present in .NET bytecode; these are only stored in attributes for public signatures, but are erased for local variable types.
C# also has huge amounts of syntactic sugar: `yield return` and `await` compile into huge state machines; `fixed` statements come with similar problems as "finally" in java (including the possibility of exponential code growth during decompilation).
You're awesome! I had really good experiences with CFR in the mid 2010s.
I used it for game modding and documentation (and caught/reported a few game bugs + vulnerabilities along the way). I'd pull game files from Steam depots with steamkit, decompile with CFR, and run the resulting java through doxygen.
My personal experience with both is that decompilers work great for easy code. I still have both Java and C# projects that I wish I decompiled even to worst possible, but almost compilable code. Instead getting just decompiler errors or code where all variables got the same letter/name and of course different types...
I think I've tried all available free tools and some paid in Java case. Finally I just deducted logic and reverse engineered the most important path.
One of the use cases of decompilation is bug hunting / vulnerability research. And that’s still one of the use cases where AI isn’t that good because you must be precise.
I’m not saying that won’t change but I still see a bright future for reversing tools, with or without AI sidekicks (like the BN plugin)
I used codex 5.1 yesterday to point at a firmware blob and let it extract and explore it targeting a specific undisclosed vulnerability and it managed (after floundering for a bit) to read the Lua bytecode and identify and exploit the vuln on a device running the firmware.
If anything, vulnerability research should be good target for AI because failure to find an exploit isn't costly (and easily verified) but 1 in N success is very useful.
> Hats off for decompiling Java apps that mostly predate generics and annotations... both of which were added in 5.
The 1st very famous and good decompiler was written in C. Other than that, generics and annotations did not make the work easier at all, decompilation-wise.
Furthering the original question: the myth says Plumbbob launched a manhole cover into orbit, but the truth is slightly less than that, and it wasn't really a manhole cover.
Still, this is what happens when you use a nuclear bomb as a detonating charge at the bottom of a tube...
And it was most probably vaporized, either by blast itself or by rapid compression of air. They estimated if it actually started flying it would have 6x Earth escape velocity (cca 240,000 kmh), no way to survive flight through 100km of atmosphere before reaching semi-vacuum
Been saying it for YEARS: 95% of VPNs sell your data. It's where they make their money. It's absolutely insane the push-back I get when I say this online. I get downvoted to hell and back.
Source: I bought this data from VPN companies... Hell, you can inject ads and surveys if you want!
I'm much more skeptical of this. I know Linus Tech Tips is not exactly an expert organization, but I believe the discussions they've had about almost starting a VPN and backing out for ethical reasons, and they made it clear that the core VPN product would have huge profit margins. You can always do greedy things to make more money, but for a paid VPN I'd need some solid evidence to believe that data sales are a huge line item or especially that they're the main source of money.
If you're including the swaths of free VPNs then that makes your number a lot harder to use.
I'm more interested in this part - how does that work? Do you just reach out to them directly and ask "hey, let me buy your user data"? Or is there some sort of service they offer?
I wouldn't be surprised if a lot of them have like a Crypto AG thing going on and have the capability to use paying customers as exit nodes as a way to launder consent-manufacturing bot bullshit through legitimate-looking residential and mobile connections.
Fun fact: I once interviewed for a company offering a free VPN, which was actually using other users as endpoints for the VPN. Some kind of P2P VPN if you will.
How did they make money? Easy: they were also selling a botnet! So if you used their "free VPN", you could be part of a botnet for DDoS or to create fake reviews/upvotes from thousands of "legit" IP addresses.
Yes, I've heard of bad VPN companies that sell your data. I would like to learn more about how it is done exactly.
In your later comment you said "DNS is very useful, and unencrypted. OpenDNS makes its money on this same info." Is the VPN company only openly selling DNS info or are they selling more, such as connection logs?
How did you approach the VPN provider to ask to buy this info?
> Hell, you can inject ads and surveys if you want!
So am I right in saying that the data that's encrypted by VPNs is only in transit? It then sits on a server in plain text, ready to be queried by third parties for money.
People seem to use VPNs to avoid IP-based issues, like Netflix or IP bans/associations, not sure anyone would use it for actual privacy -- at best it's obfuscation.
They sell metadata. DNS queries, locations, apps using data, device info. Usually anonymized, but both unscrupulous and "better" providers do have access to your account and payment info.
They can't inject into the HTTP response, but ad servers that work with the VPN or their data brokers can better identify the requester and serve better targeted ads.
If HTTPS were for privacy it would be called HTTPP. Security features tend to make things less Private, like how opening apps on a Mac makes it phone home for OCSP check.
> 95% of VPNs sell your data. It's where they make their money. It's absolutely insane the push-back I get when I say this online.
People love to stick to what they irrationally believe in. I would give you push back as well by saying 95% is a very conservative number. I would say 98-99%
But hey, they say they don't sell my data isn't it?
How does this work? They harvest your DNS! They inject surveys into your YouTube packets. They tabulate just how much traffic goes to which specific games on Twitch. How? The provider is the endpoint, not you.
It's not the whole picture, but it's enough to sell to marketers.
This is what happens EVERY time I say this! Look again! It happened, I have 1 upvote... It's almost as if the VPN companies don't want you to believe this is true!
Story time! I have been cashed out of three startups. $600 total, across them all. It's the people in the Valley who've struck out over and over who know the truth, not the successes.
One of those startups was about tracking the games played on Twitch, and selling that info to Esports entities, marketing firms, etc. The company did not succeed because, honestly, it's not hard data to scrape yourself. BUT, we tried. And where did we get our data? VPN providers. Major VPN providers. We don't care about your personal data. We care about whether you watched a Twitch stream of GTA or Madden.
And for a time, yes, we could buy injected surveys. Packets, literally injected into your streams of data. This was expensive, iffy, and controversial, but it was on the rate cards.
DNS is very useful, and unencrypted. OpenDNS makes its money on this same info. Stop putting your heads in the sand. Y'all have seriously lost the path.
Well, sort of. I mean, yeah he deserved to be praised, but the reason half the SRI staff left to go to Xerox is that Engelbart and his people were becoming obsessed with EST training. EST is basically a cult that starves you, insults you until you cry, then builds you back up with compliments while asking you to pay up front for the next sucker in your family to take the "training." It's about as close as you can get to a cult while still being a business. Engelbart and his closest people were basically forcing SRI workers to take EST training, and they didn't like it so they left.