Comment by gyomu
3 days ago
Yes, those tools are extremely good at reverse engineering. With a bit of know-how, it is now trivial to reverse engineer any protocol or crack any software, often in a matter of hours or less.
A lot of people in the industry have vested interests in this not being discussed openly so you don't hear too much about it, but the implications are huge.
What are some of the implications? Where does widely available mythos-level hacking lead? By people with a vested interest, do you mean non-cloud software vendors?
Software that had a data moat because it was hard to integrate with or migrate off of will have that moat disappear. A web site is a client now. Building data migration tools for all of your competitors is easier now.
I've just had a SaaS that I use decide to implement a 2.4x price increase. I reacted instead by taking screenshots of every page of the SaaS, downloading their API docs, exporting what data I could, and asking Claude to build a self-hosted clone based just on those files. I had a read-only version of my entire data history completed in a single evening. Even at Opus API rates, it cost me less than half the price of a single annual seat.
One of the many SaaS products we use at Day Job chose to gatekeep its MCP behind an enterprise plan. A brief Claude Code session later and a better, more feature-full MCP than the official was reverse-engineered from internal APIs by Opus.
Right now, software is protected by the attacker not having enough competence. If that's over, the logical next step is using real encryption.
E.g. a synth has a public key embedded. To change settings, you upload them to the vendor, who blesses them with their private key.
Hacking such a synth requires either jailbreaking the synth, or the vendor losing their key. Both can be mitigated with tamper-resistant hardware.
We're well ahead on this path already, I assume AI will accelerate it. This is very bad news for the right to repair.
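The signed-settings scheme described in the comment above, as an added example that is not part of the thread: the device holds only a public key and applies a settings blob only if the vendor's signature over it verifies. The key is a constructed toy RSA key, the padding is a simplified PKCS#1 v1.5-style encoding, and the names `vendor_sign`, `device_accepts` and the settings fields are hypothetical.

```python
import hashlib
import json

# Constructed toy RSA key built from two publicly known Mersenne primes.
# Illustration only: anyone can factor N, so it offers no security.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # public modulus, embedded in the device
E = 65537                              # public exponent, embedded in the device
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held by the vendor only
KEY_BYTES = (N.bit_length() + 7) // 8


def _encode(digest: bytes) -> int:
    """Simplified PKCS#1 v1.5-style padding: 00 01 FF..FF 00 || digest."""
    pad = b"\xff" * (KEY_BYTES - len(digest) - 3)
    return int.from_bytes(b"\x00\x01" + pad + b"\x00" + digest, "big")


def canonical(settings: dict) -> bytes:
    """Serialize deterministically so vendor and device hash identical bytes."""
    return json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()


def vendor_sign(settings: dict) -> int:
    """Vendor side: sign the SHA-256 digest of the settings with the private key."""
    digest = hashlib.sha256(canonical(settings)).digest()
    return pow(_encode(digest), D, N)


def device_accepts(settings: dict, signature: int) -> bool:
    """Device side: verify with the embedded public key (N, E) before applying."""
    if not 0 < signature < N:
        return False
    digest = hashlib.sha256(canonical(settings)).digest()
    return pow(signature, E, N) == _encode(digest)


if __name__ == "__main__":
    blob = {"preset": "lead", "cutoff": 440}   # constructed sample settings
    sig = vendor_sign(blob)
    print("signed blob accepted:", device_accepts(blob, sig))
    blob["cutoff"] = 441                       # edited after signing
    print("edited blob accepted:", device_accepts(blob, sig))
```
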
But everything you described was basically a byproduct of incompetence somehow, no? On both sides. That's why the right to repair and how local HW should be treated when the online counterpart is EOLed by the manufacturer should be mandated by law. A law that stands on the side of the citizen, the end-user, obviously.
I think companies with valuable data to scrape (e.g. media companies) will eventually lock it behind APIs that verify Apple App Attest or Google Play Integrity. And deprecate websites which are easily scraped too. Then it will be useless to reverse engineer APIs used by apps and we will have to run the unmodified client on an unmodified OS.
Some people even had some fun de-minifying JS and disassembling binaries. Successfully.
What do you mean? Everyone is talking about Mythos.
I think GP is talking about cracking, not pen testing.
Those are the same thing. They're talking about decompilation and protocol analysis.
It wouldn't surprise me if reverse engineering is put on the "highly unsafe" list in the near future in the same category as bio because of these interests. Can't have the cattle classes be able to control their own property now can we?
This is pretty much a given anyway. Making reverse engineering tools is already likely to get you sued by someone so model makers are apt to slow down the ability of their tools to reverse engineer to avoid the lawsuits themselves.
Heh, finally the impunity of the NSA is good for once. Good luck suing them over Ghidra.