
Ghidra - jakobdabo
https://www.nsa.gov/resources/everyone/ghidra/
======
chc4
There was a thread on HN when they first announced a public release at RSA[0].
A lot of reverse engineers I know are excited for it.

0:
[https://news.ycombinator.com/item?id=18828083](https://news.ycombinator.com/item?id=18828083)

~~~
dang
Since that was less than two months ago, the current submission counts as a
dupe. When it's open-sourced, that will be significant new information, which
makes for a new story. It will certainly be discussed by HN then.

[https://hn.algolia.com/?query=%22significant%20new%20informa...](https://hn.algolia.com/?query=%22significant%20new%20information%22&sort=byDate&dateRange=all&type=comment&storyText=false&prefix=false&page=0)

------
slimsag
My brother is into reverse engineering; he is literally counting the days to
the open source release of this.

He said there isn't anything quite like it as it can actually stand toe-to-toe
with IDA Pro, the commercial software that apparently nothing yet can really
beat.

~~~
chc4
Yup. IDA Pro is the gold standard, and was basically the only choice for a
_long_ time. It's also stupidly expensive and priced for defense contractor
funny money, with an individual license nearly $3000 [0]. Most freelancers
just use a cracked copy or the freeware version.

Recently Hopper and BinaryNinja have been rising in use, with much more
affordable pricing plans, but they're still second-rate as far as I know.

(There's also radare2, which for all it's mentioned occasionally I don't
actually know anyone that _uses_ it)

0: [https://www.hex-rays.com/cgi-bin/quote.cgi](https://www.hex-rays.com/cgi-bin/quote.cgi)

~~~
joshschreuder
I've always wondered this - there's a real "pay for your useful tools"
philosophy on here at least, for things like Sublime Text. Often quoted is the
cost per hour of use, etc. which justify the price (which is admittedly low
compared to Ida).

Does the same not apply to Ida where you would make the money back fast enough
to justify the pricetag? Or is it that there are more hobbyists and fewer
people making actual money from using Ida?

~~~
pm90
This is basically how a monopoly works. And the defense industry behaves like
a monopoly even if it's made up of a bunch of different companies.

~~~
Godel_unicode
I disagree, I think there's an important difference between a monopoly and a
company that happens to have no competition at the moment. I think that active
anti-competitive actions are one of the defining characteristics of a
monopoly, and so far we haven't seen that behavior from hex-rays.

They had a significant barrier to entry protecting them, in that making a
decompiler (the hex rays decompiler is the expensive part of "Ida") is hard,
and the market is (was?) small.

Consider the difference between Standard Oil and Adobe. Photoshop was the only
game in town not because Adobe lost money on it to drive out rivals but
because it's hard to make software that does what Photoshop does.

~~~
zokier
> I think there's an important difference between a monopoly and a company
> that happens to have no competition at the moment. I think that active anti-
> competitive actions are one of the defining characteristics of a monopoly

You are of course free to think so, but be aware that does not align with the
common use of the term monopoly.

------
amiga-workbench
Uhh, what's this about?
[https://i.imgur.com/e3kNYTH.png](https://i.imgur.com/e3kNYTH.png)

~~~
mcpherrinm
I haven't worked at the US government so I am not 100% sure of the details, but
this is my understanding:

HTTPS (tls, really) allows clients to present a certificate, just like the
server does. This is commonly used, eg, for microservices authenticating to
each other in a backend.

It is less commonly used for people to authenticate to servers.

In particular, the "Common Access Card" is the ID badge used by the DoD,
various parts of the armed forces, and in particular the NSA (whose website
this is). Those access cards have a key and certificate usable for this.

So your keyboard (or laptop) has a smartcard reader in it, and you can insert
your ID badge (maybe with a PIN? not sure if usa gov't does that) to log into
any website.

Browser UX for this isn't great. Unlike the newer Webauthn specs where
javascript (and thus site-specific instructions) can ask you to log in, the
browser has to prompt you in a very generic way to present your certificate.
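
The client-certificate exchange described above, as an added Go example that is not part of this thread or of Ghidra: a TLS server configured to require a client certificate, and a client that either presents one (the "badge") or nothing. The server then reads the authenticated identity straight out of the verified certificate. Everything is constructed in-process: a throwaway CA, a server certificate for localhost, and a client certificate with a made-up CAC-style CommonName; none of it reflects real DoD PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCert mints a throwaway certificate for this demo: self-signed when parent
// is nil, otherwise signed by parent/parentKey. Constructed test material only.
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool, eku []x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// mutualTLSHandshake stands up a TLS server that demands a client certificate
// chained to our demo CA, then connects a client that either presents the badge
// certificate or nothing. It returns the CommonName the server pulled from the
// verified client certificate, or the error that ended the handshake.
func mutualTLSHandshake(presentClientCert bool) (string, error) {
	ca, caKey := issueCert("Constructed Demo CA", nil, nil, true, nil)
	srvCert, srvKey := issueCert("localhost", ca, caKey, false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	// CAC-style subject, constructed for the example (not a real identity).
	cliCert, cliKey := issueCert("JANE.DOE.1234567890", ca, caKey, false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		// The server-side switch that makes a browser (or any client) present a
		// certificate; a missing or untrusted one fails the handshake outright.
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil { return "", err }
	defer ln.Close()

	result := make(chan string, 1)
	errc := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil { errc <- err; return }
		defer conn.Close()
		tconn := conn.(*tls.Conn)
		if err := tconn.Handshake(); err != nil { errc <- err; return }
		peers := tconn.ConnectionState().PeerCertificates
		if len(peers) == 0 { errc <- errors.New("no client certificate presented"); return }
		// The verified leaf is the authenticated identity: no password, no JavaScript.
		result <- peers[0].Subject.CommonName
	}()

	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if presentClientCert {
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil { return "", err }
	defer conn.Close()
	select {
	case cn := <-result:
		return cn, nil
	case err := <-errc:
		return "", err
	}
}

func main() {
	cn, err := mutualTLSHandshake(true)
	fmt.Println("with client cert:", cn, err)
	_, err = mutualTLSHandshake(false)
	fmt.Println("without client cert:", err)
}
```

Two points worth noticing when you run it: the identity the application sees comes from the certificate the TLS stack already verified against `ClientCAs`, so there is no separate login form to phish; and with TLS 1.3 the client's own handshake can succeed before the server rejects the missing certificate, which is why the server-side error channel, not just the dial result, has to be checked.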

~~~
Godel_unicode
I actually prefer the browser UX for client cert authentication; since it's
presented by the browser it's harder to do nefarious things with JavaScript to
confuse the user as to what site is requesting authentication.

Edit: for what it's worth, the executive agencies are all required to use PIV
(essentially civilian CAC) to authenticate, and those PIVs are required to
have significant physical controls including requiring a PIN for access. It's
a pretty robust way of enforcing 2fa.

------
aboutruby
On a sidenote, looking at their Github, they publish a lot of names / emails
in the git logs (~100). Some are encoded / anonymous, but most are real
looking names and plausible email addresses.

------
tribby
An open source competitor to IDA Pro is very welcome; never thought it would
come from NSA. Have they said anything about their motivation to open-source
it?

~~~
monocasa
Probably to crowd source maintenance like nearly every other closed to open
transition. And ghidra has been leaked a few times (they give it out like
candy to contractors) so they're not really losing much.

~~~
weaksauce
any reports on if it's better than IDA?

~~~
monocasa
I've heard that it's about equal in power, but different. Ghidra has a bigger
emphasis on working with the decompiled output; you spend nearly all your time
in the decompiler whereas in IDA you flip back and forth between decompiler (if
you have it) and disassembler.

------
TimTheTinker
NSA releasing an open-source tool? My first thought is, better subject it to
serious, in-depth security review before installing it locally. Even then,
build it from source.

~~~
mahmoudimus
Apache NiFi was also released by the NSA & has seen commercial success in the
enterprise.

~~~
hermitdev
Wasn't Tor initially developed by NSA/CIA as well?

~~~
grzm
> _"The core principle of Tor, "onion routing", was developed in the
> mid-1990s by United States Naval Research Laboratory employees,
> mathematician Paul Syverson, and computer scientists Michael G. Reed and
> David Goldschlag, with the purpose of protecting U.S. intelligence
> communications online. Onion routing was further developed by DARPA in
> 1997."_

[https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Histor...](https://en.wikipedia.org/wiki/Tor_\(anonymity_network\)#History)

------
ypolito
Can't wait to try it and read articles comparing its features with IDA, Binary
Ninja, radare2 or Hopper. Sounds really interesting!

------
crb002
Good to see NSA has got on board that removing the attack surface of US
software is a top priority.

------
gpm
I wonder what the NSA does with the analytics on a page like this.

------
os2mac
I'm still trying to figure out, in this day and age, especially after the
Snowden disclosures, why anyone would trust software released by this
organization.

You do realize their primary goal is intelligence gathering?

~~~
larkeith
It's a _reverse engineering tool_. The community is going to have plenty of
ability to do network analysis on it. Also, it's trivial to sandbox it, even
if it weren't going to be open-sourced.

~~~
saagarjha
Sandboxing things is rarely trivial ;)

~~~
Godel_unicode
Air gapped RE machines (recall you're probably looking at malware anyway). One
way transfer of samples. Print reports and OCR. Done.

~~~
gpm
Is printing and OCRing actually a thing? I'd think you would at least just
point the camera (aka scanner) at a screen...

~~~
Godel_unicode
It depends how paranoid the security person you're trying to appease is,
honestly. There are definitely better options, but that one will always "sound
secure".