by gjjrfcbugxbhf 3155 days ago
There are different types of audits. Yes, someone doing a full security audit is going to be happy with doing reverse engineering. But I can perform a quick check on a lot of the software that I use that it doesn't do user-hostile things (like ring home on startup). This is harder to do on a binary, so given the choice I'll use the open source option.

For those kinds of checks, why would you look at the source? Stick a proxy between the internet and the device to see what it does.

Seems waaaay easier than looking for the mythical badCodeGoesHere function.

Because I can trivially read and run code in my head; I do that all day. I don't have a clue how to set up a proxy. Also my scan over the code tells me if it is generally badly written and a lot more than just one example of potential bad behaviour.

You are more prepared to run arbitrary code “in your head” than set up a simple network proxy?... uh huh

Yeah. As a developer the former is literally the $dayjob. The latter - I've never done, so it could be simple or it could be hard. I've heard that getting software to respect proxies is tricky though...

So um. I'm a developer and the idea that I could take an arbitrary code base and get it into my headspace in less time than it would take me to figure out a program's network interactions is one of the most absurd things I've ever heard.

How would you force an arbitrary program to use a software proxy for all network traffic?

The thing is, this isn't just about network interactions. By taking a quick scan of the code you also (1) might learn something new, (2) can see the author's general attitudes to things, (3) might spot some other nasty activity (does this program hot load code from a remote source, try to obscure what it is doing, scan the file system? etc.)

How would looking at network sniffer logs let you detect any security flaws for a server, as long as none of the live traffic is doing anything sketchy?