Since that was less than two months ago, the current submission counts as a dupe. When it's open-sourced, that will be significant new information, which makes for a new story. It will certainly be discussed by HN then.
My brother is into reverse engineering, he is literally counting the days to the open source release of this.
He said there isn't anything quite like it as it can actually stand toe-to-toe with IDA Pro, the commercial software that apparently nothing yet can really beat.
Yup. IDA Pro is the gold standard, and was basically the only choice for a long time. It's also stupidly expensive and priced for defense contractor funny money, with an individual license nearly $3000 [0]. Most freelancers just use a cracked copy or the freeware version.
Recently Hopper and BinaryNinja have been rising in use, with much more affordable pricing plans, but they're still second-rate as far as I know.
(There's also radare2, which for all it's mentioned occasionally I don't actually know anyone that uses it)
As someone who learned to program by reverse engineering, I also cannot wait to see this being released.
Nothing really beat the combination of SoftICE and IDA Pro, although some of the newer entrants like radare2 & good ol’ OllyDBG are pretty good, but nothing beats IDA Pro.
I hope the scripting language are real programming language like Lua or Python and some custom DSL.
Is IDA so superior to OllyDBG? What are the differences? I was into reversing in 2009/2010, was just a hobbist trying to crack some programs and making bots to some games.
I haven't worked at US government so I am not 100% sure of the details, but this is my understanding:
HTTPS (tls, really) allows clients to present a certificate, just like the server does. This is commonly used, eg, for microservices authenticating to each other in a backend.
It is less commonly used for people to authenticate to servers.
In particular, the "Common Access Card" is the ID badge used by the DoD, various parts of the armed forces, and in particular the NSA (whose website this is). Those access cards have a key and certificate usable for this.
So your keyboard (or laptop) has a smartcard reader in it, and you can insert your ID badge (maybe with a PIN? not sure if usa gov't does that) to log into any website.
Browser UX for this isn't great. Unlike the newer Webauthn specs where javascript (and thus site-specific instructions) can ask you to log in, the browser has to prompt you in a very generic way to present your certificate.
On a sidenote, looking at their Github, they publish a lot of names / emails in the git logs (~100). Some are encoded / anonymous, but most are real looking names and plausible email addresses.
an open source competitor to IDA pro is very welcome, never thought it would come from NSA. have they said anything about their motivation to open-source it?
Probably to crowd source maintenance like nearly every other closed to open transition. And ghidra has been leaked a few times (they give it out like candy to contractors) so they're not really losing much.
NSA releasing an open-source tool? My first thought is, better subject it to serious, in-depth security review before installing it locally. Even then, build it from source.
It would also make me want to consider Ken Thompson's compiler trojan, and whether there is any similar vulnerability that could be inserted into an RE tool.
I'm still trying to figure out, in this day and age, especially after the Snowden disclosures, why anyone would trust software released by this organization.
you do realize their primary goal is intelligence gathering?
It's a reverse engineering tool. The community is going to have plenty of ability to do network analysis on it. Also, it's trivial to sandbox it, even if it weren't going to be open-sourced.
[+] [-] chc4|7 years ago|reply
0: https://news.ycombinator.com/item?id=18828083
[+] [-] dang|7 years ago|reply
https://hn.algolia.com/?query=%22significant%20new%20informa...
[+] [-] slimsag|7 years ago|reply
He said there isn't anything quite like it as it can actually stand toe-to-toe with IDA Pro, the commercial software that apparently nothing yet can really beat.
[+] [-] chc4|7 years ago|reply
Recently Hopper and BinaryNinja have been rising in use, with much more affordable pricing plans, but they're still second-rate as far as I know.
(There's also radare2, which for all it's mentioned occasionally I don't actually know anyone that uses it)
0: https://www.hex-rays.com/cgi-bin/quote.cgi
[+] [-] mahmoudimus|7 years ago|reply
Nothing really beat the combination of SoftICE and IDA Pro, although some of the newer entrants like radare2 & good ol’ OllyDBG are pretty good, but nothing beats IDA Pro.
I hope the scripting language are real programming language like Lua or Python and some custom DSL.
[+] [-] G4BB3R|7 years ago|reply
[+] [-] amiga-workbench|7 years ago|reply
[+] [-] mcpherrinm|7 years ago|reply
HTTPS (tls, really) allows clients to present a certificate, just like the server does. This is commonly used, eg, for microservices authenticating to each other in a backend.
It is less commonly used for people to authenticate to servers.
In particular, the "Common Access Card" is the ID badge used by the DoD, various parts of the armed forces, and in particular the NSA (whose website this is). Those access cards have a key and certificate usable for this.
So your keyboard (or laptop) has a smartcard reader in it, and you can insert your ID badge (maybe with a PIN? not sure if usa gov't does that) to log into any website.
Browser UX for this isn't great. Unlike the newer Webauthn specs where javascript (and thus site-specific instructions) can ask you to log in, the browser has to prompt you in a very generic way to present your certificate.
[+] [-] captn3m0|7 years ago|reply
[+] [-] aboutruby|7 years ago|reply
[+] [-] tribby|7 years ago|reply
[+] [-] monocasa|7 years ago|reply
[+] [-] TimTheTinker|7 years ago|reply
[+] [-] appleflaxen|7 years ago|reply
http://wiki.c2.com/?TheKenThompsonHack
[+] [-] mahmoudimus|7 years ago|reply
[+] [-] ypolito|7 years ago|reply
[+] [-] crb002|7 years ago|reply
[+] [-] gpm|7 years ago|reply
[+] [-] os2mac|7 years ago|reply
you do realize their primary goal is intelligence gathering?
[+] [-] larkeith|7 years ago|reply
[+] [-] artemisbot|7 years ago|reply