A thought experiment: whom would you rather trust when it comes to analyzing dangerous malware? The on-board resources of the operating system, the antivirus vendor you trust, or your incident response and forensics service provider? Thousands of “reverse engineers” answered this question in spring 2019 with “I want to use my secret service joker”. Pardon? The NSA, which since 2013 at the latest, and Edward Snowden, has not exactly been known in wider circles as a refuge of informational self-determination and is rather more notorious for “tailored access operations” (TAO) and nasty “implants”, had made its internal reverse engineering tool “Ghidra” available to the community. Free of charge, freely available, completely open source. Can that be any good? There had to be a catch.
He has a soft spot for risks and for writing about cyber: David Fuhr, by day a security researcher at HiSolutions AG, rants and raves in this column about current incidents and general truths of information security. In addition to new articles, pieces already printed in iX appear here, always with a tongue-in-cheek update on the current security situation.
Slouch hats looking for contact
At the very least, nobody can deny the US technical intelligence agency its competence in the subject. To this day, Ghidra (pronounced “jidra”) certainly does not contain every trick and tool of the slouch hats from Maryland. For the civil servants themselves, however, there is tremendous potential in cooperating with the hacker scene: visibility, respect, fame, street cred, or at the very least (even if something goes wrong) dialogue. A veritable wish list for the recruiting department, which, even in the land of unlimited opportunities, does not find it easy to wrest some of the best applicants away from Google, Apple and co.
Do I have to worry about the NSA monitoring me if I use Ghidra? Yes and no. It monitors us all anyway, with or without Ghidra. And the state hackers would certainly not be so stupid as to hide their monitoring routines in the open source code of a tool that is downloaded en masse by the best reverse engineers in the world.
Do I have to worry about supporting the NSA by using Ghidra? Yes and yes. Because that in turn has a good side and a bad side, just as the tasks of the intelligence services are varied, especially in countries where the historically determined and repeatedly debated separation of police, constitutional protection (domestic intelligence) and foreign intelligence services is less pronounced.
In combination with many other tools, Ghidra should help make IT infrastructures more secure, since attacks can be investigated better and more efficiently. On the other hand, improvements from the community will also benefit numerous other projects, at the NSA as well as at less friendly services.
Open source in the twilight
The topic of “dual use”, i.e. technology that can serve as a weapon as well as for civil protection, is particularly evident here. And the fact that the triumphant march of open source no longer stops even at these traditionally rather opaque corners of software development is another sign of the upheaval in old business models and modes of production.
Ghidra has been part of the standard arsenal available to everyone for two years now. Ignoring it is of no use to anyone. Contributing to its benefit and collaborating on the resilience of our world can make all the difference.
This column was published in iX 05/2019 and has been updated for the online edition.