He said there isn't anything quite like it as it can actually stand toe-to-toe with IDA Pro, the commercial software that apparently nothing yet can really beat.
Recently Hopper and BinaryNinja have been rising in use, with much more affordable pricing plans, but they're still second-rate as far as I know.
(There's also radare2, which, for all it's mentioned occasionally, I don't actually know anyone who uses.)
Does the same not apply to IDA, where you would make the money back fast enough to justify the price tag? Or is it that there are more hobbyists and fewer people making actual money from using IDA?
The problem is barrier to entry. Many RE blogs and free resources start with "open up Ida", which means that in order to learn how to use the tool to make that money, you first have to buy the tool. Yes, there's the community edition, but it always seems to be missing that one feature you really need...
I'm really curious what the prevalence of tools like this is going to do to the salaries for reverse engineers.
They had a significant barrier to entry protecting them, in that making a decompiler (the Hex-Rays decompiler is the expensive part of "IDA") is hard, and the market is (was?) small.
Consider the difference between Standard Oil and Adobe. Photoshop was the only game in town not because Adobe lost money on it to drive out rivals but because it's hard to make software that does what Photoshop does.
You are of course free to think so, but be aware that does not align with the common use of the term monopoly.
I have never used IDA Pro but maybe the licensing comes with some sort of support agreement?
Note that $3000 lacks the decompilers, of which there are 5 available. The total price with all of those is about $15,000.
Nothing really beat the combination of SoftICE and IDA Pro, although some of the newer entrants like radare2 & good ol’ OllyDBG are pretty good, but nothing beats IDA Pro.
I hope the scripting language is a real programming language like Lua or Python, not some custom DSL.
I'd like to know if someone is using x64dbg, however, which looks similar in appearance: https://x64dbg.com/
HTTPS (TLS, really) allows clients to present a certificate, just like the server does. This is commonly used, e.g., for microservices authenticating to each other in a backend.
It is less commonly used for people to authenticate to servers.
In particular, the "Common Access Card" is the ID badge used by the DoD, various parts of the armed forces, and in particular the NSA (whose website this is). Those access cards have a key and certificate usable for this.
So your keyboard (or laptop) has a smartcard reader in it, and you can insert your ID badge (maybe with a PIN? not sure if the US gov't does that) to log into any website.
Edit: for what it's worth, the executive agencies are all required to use PIV (essentially civilian CAC) to authenticate, and those PIVs are required to have significant physical controls including requiring a PIN for access. It's a pretty robust way of enforcing 2FA.
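The mechanism this comment describes, a client presenting its own certificate in the TLS handshake and the server verifying it against the issuing CA before answering, as an added Go example that is not part of the thread: a constructed CA issues a server certificate and a badge-style client certificate, the server requires a client certificate and echoes the CN it verified, and a client that presents none is refused. The CA, the subject names and the use of net/http/httptest are assumptions made for the demo; a real CAC/PIV certificate chains to the DoD PKI and its private key stays on the card behind the PIN.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/tls"; "crypto/x509"; "crypto/x509/pkix"
	"fmt"; "io"; "math/big"; "net"; "net/http"; "net/http/httptest"; "time"
)

// mkCert issues a one-hour P-256 certificate for cn, signed by parent (self-signed when parent is nil).
// Constructed for this demo; real CAC/PIV certificates carry far more (policy OIDs, CRL/OCSP pointers, ...).
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}}
	if parent == nil { parent, pkey = t, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// fetch does one GET, trusting roots for the server and presenting cert (the "badge"), if any, as the client identity.
func fetch(url string, roots *x509.CertPool, cert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: roots}
	if cert != nil { cfg.Certificates = []tls.Certificate{*cert} }
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil { return "", err }
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// Demo returns the CN the server saw for a badge-holding client and the error a client with no certificate gets.
func Demo() (string, error) {
	ca, caKey := mkCert("Constructed Issuing CA", true, nil, nil)
	srv, srvKey := mkCert("127.0.0.1", false, ca, caKey)
	usr, usrKey := mkCert("DOE.JANE.1234567890", false, ca, caKey) // constructed CAC-style subject name
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.TLS.PeerCertificates[0].Subject.CommonName) // present: TLS already verified the chain
	}))
	s.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool} // the relying-party side of mutual TLS
	s.StartTLS()
	defer s.Close()
	who, err := fetch(s.URL, pool, &tls.Certificate{Certificate: [][]byte{usr.Raw}, PrivateKey: usrKey})
	if err != nil { panic(err) }
	_, noCertErr := fetch(s.URL, pool, nil) // handshake is refused: "certificate required"
	return who, noCertErr
}

func main() { fmt.Println(Demo()) }
```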
> You cannot visit nsa.dod.afpims.mil at the moment because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.
Note that unless your compiler is already bugged (or you’re using a bugged binary), community review of the source should turn out any possible issues... unless there’s a significant competence gap between the NSA and the security community — which may be possible, but I don’t think security professionals are worried about it.
You do realize their primary goal is intelligence gathering?
That doesn't mean assume nothing's wrong, but I'm pretty sure this thing will have some pretty talented people looking at it fairly early just for kicks, so of things to worry about, this isn't high on my list.
a) audit a tool like this and
b) have the chops to perform that audit
Reverse engineers. If you're nervous, just wait 2 months and follow Twitter.
Harder to meter: how understandable is the code? More verbose, but more easily understandable code will be far easier to audit.
Personally, I'd rather a million lines of code that are clear and obvious than 500k that are obtuse, terse and/or obfuscated.