I would say that a lot of the GH/IDA differences probably come down to UI and usability. Most of the tooling in the RE world today is lacking in those spaces. The software simply isn't "comfortable" or intuitive enough to work with. Be it IDA/olly/windbg/radare, they're all desperately lacking a proper, solid UI. The good news is, most of them support a plugin/extension architecture - so in theory, most of the features GH provides could've ended up as an IDA plugin - so that the researchers receive the best of both worlds.
Not that I know anything about Ghidra yet.
Maybe they simply don't want to pay IDA Pro licenses $3k a pop. Getting an enterprise organization or the government to pay for stuff like that is not trivial sometimes.
CIA also made this a standard part of a developer's setup:
Install XCode, setup SSH, IRC, and install Ghidra ...
What prevents three-letter agencies from using software without paying for it? Tendering a bid usually requires surrendering source code. One's odds of finding out about unauthorized use are slim. And even if you do, legal discovery can be blocked on national security grounds.
The law, same as anyone else.
Having worked in the public sector, there's a lot more law than there is compared to the private sector. That's because anything that the legislature does or doesn't want your organization to do has to be coded in law. That's the legislature's only means of direction. Further, executive directives related to your organization also carry the force of law. What that means is you can't not follow it. You can't choose to ignore the law or executive directives. You don't get to ask for clarifications or exceptions. The former come from a judge and the latter do not exist until the legislature creates them. It doesn't matter that there's no direct penalty for it; you're not allowed to choose to not follow it. This is one of the worst parts about the public sector: there is often much less wiggle room, especially for broad issues.
I'm sure that the TLAs negotiate with IDA for site licenses, or bind them to confidentiality contracts, but I have no doubt at all that they legitimately pay for the COTS products they use.
Who has been punished for the numerous constitutional breaches by the TLAs? At last glance absolutely no one and that's not going to change.
Meanwhile the whistleblower who spoke up about illegal government activities is in exile and can likely never travel anywhere on Earth for the rest of his life.
On the other hand, blatantly stealing their tools instead of buying them is not the same kind of breaching the law, and it is obvious to everybody that it is illegal.
Also, even more so than persons, institutions can behave contradictorily when viewed from the outside. From within it may seem consistent and sound to surveil everybody and legally buy the tools they use for it. The evil is banal.
The fact that the phone spying case was even accepted by the Supreme Court should be enough to confirm that the law wasn't clear. Had the law been clear, the NSA would have lost in a lower court and the Supreme Court would have refused to consider the case.
That's not actually the way legality works. If the law is unclear, the justice department will provide their interpretation (which will typically give more power to the government). If you disagree with the interpretation and are affected by it, you are free to challenge it in a court of law which will clarify. Or you can lobby lawmakers to change the law.
This is different from how for instance organizational guidelines work in private industry - in case of ambiguity, you will ask for a clarification from the author. That option is basically not available because laws are made by the legislature which is a body distinct from the executive.
You truly say that with a straight face? Tempted to name 50 blatant programs off the top of my head but I'll start with one because the pathetic excuses that usually follow sum it up succinctly.
Tell me what you think of that government taxpayer funded program. I'm all ears.
2. Congresspeople, who answer primarily to their campaign donors (and secondarily to vocal radicals), do not abide the U.S. government breaching contracts with companies. Any government agency seeking to exploit IP from a U.S. company won't last long.
3. The NSA doesn't need to pinch pennies when it comes to IDA Pro site licenses. It declares those expenses in its budget. Government employees don't break the law to save money. They break it to accomplish their mission, handed to them by decision makers in Executive Branch and Congress. Moreover, government lawyers interpret the law in a manner that the individual employee isn't technically breaking the law (though many actions are immoral!)
Your overall sentiment is correct, that the U.S. government perpetrates wrongdoing. Your mental model needs to incorporate a legalistic framework around that, however.
The U.S. government is full of Lawful Good, Lawful Neutral, and Lawful Evil components. The Chaotic Good and Chaotic Evil actors are the ones getting indictments.
Ah yes, the “I’m swinging my arms and if you get too close and I punch you it’s your own fault” big brother defense.
Nothing, but they'd have to rationalize it. As an organization they need to tell themselves why they are doing it, if it is going to happen officially. So someone has to write "disable licensing..." in the setup instructions. And while killing and other things can be rationalized ("War on Terror, etc...") some petty stuff in comparison like breaking IDA Pro's licensing paradoxically might be harder.
Another thing is that on the surface at least, people who are hired have to pass polygraph tests and have to reveal if they committed crimes or stole things etc. It used to be that NSA would reject people who admitted to pirating software or music in the past. So they'd have to solve that "inconsistency".
Another reason is, well, that they could get sued. The military and other government offices have been sued by software makers in the past so it's not as outrageous as it seems:
Imagine if the police could walk up to you in any situation and demand that you prove the legality of any part of whatever it is that you are (or are not) doing.
When I was in product management, GSA price lists were my trick to learn what competitors charged.
In the same way, it's not my personal morality or the law that prevents me from stealing the supplies my company needs in order to help my employer cut costs or burning down the buildings of our rivals. Those things wouldn't help me personally but they expose me to lots of risk. That the law and morality agree with self interest is a happy coincidence.
Licenses are only as good as the frameworks in which they're constructed. :-)
I would argue because the three-letter agencies want that the software continues to be maintained. And perhaps anything illegal that an agency does yields bad PR if it comes out. So they try to do only illegal things that they believe are worth the PR risk. Illegal copies of software probably are not.
On top of that, none of those agencies are likely to be willing to download some pirated crack for whatever piece of software they need, so that means if they want it for free they have to crack it themselves. Which requires them to divert people who could otherwise be doing things that are actually relevant to their missions. There is plenty of funding in these agencies to buy software and there's little to be gained from stealing it.
State sponsored malware will often do an inventory of the system they are running on, and send details back to help identify the machines that are being used to analyze the samples. NSA steals things like IDA when they come across them (in the same way they target companies to steal things like code signing certificates) so the analysis environment is completely non-attributable.
This was mostly to combat piracy, as far as I was aware–I doubt that there are any nationalistic or moral reasons behind it. So I don't see this being a major issue in this case.
Honestly, I'm semi-confident that he does this just because he can…
A home grown NSA tool is unlikely to have an intentional backdoor in the version they give to the CIA.
People didn't choose IDA Pro just for quality. GHIDRA was highly restricted. Even the people with access to GHIDRA were hesitant, because they didn't want to learn a tool that they couldn't take to another employer.
The other players in this market, binja (Binary Ninja) and Hopper Disassembler, are much newer. Inertia keeps them back. Imagine introducing a new editor, like vi or emacs, but with everything just a bit different. It could even be a slightly better editor. Uptake will be slow. People don't want to relearn or repurchase.
Until recently, normal people could only choose IDA Pro. You paid, or you had to suffer with awful substitutes like Radare2 and objdump.
I think you meant hex-rays decompiler (which is a separate product).
This will be some interesting competition for IDA Pro, Binary Ninja (binja), and Hopper Disassembler. People with access to GHIDRA have been avoiding it because they prefer to develop skills with software that can be used at all employers, but soon that thinking will favor GHIDRA. IDA Pro is a few thousand dollars, and the other choices are a few hundred dollars.
This question has been explained a bit in a blog post by the Pentagon:
> While all of the work done by Federal employees remains in the public domain with no restrictions, public contributors enjoy the protections of widely adopted free and open source licenses. As projects mature, the aggregate work — with all the patches, bug fixes, and additional features — will fall under the license associated with the project.
Ghidra, also known as "King Ghidorah," is an enemy monster in the Godzilla series. Typically, Ghidra is Godzilla's fiercest opponent, and it usually fights against humanity.
(Note to the insufficiently paranoid: "I can imagine" does the work you need it to.)
This tool lowers the bar for security researchers to analyze malware, and seems to be part of a broader effort by the NSA to share their tools and foster public-private partnerships.