Hacker News new | past | comments | ask | show | jobs | submit login

It’s already too hard to find security bugs in clean source code. Analyzing a binary can confirm the existence of encryption and the overall crypto scheme, but not the absence of backdoors.



Help me understand how the exact opposite thing isn't true? The binary is the true record of what the platform is actually going to execute, unlike the source code.


What he means is that it's not practically feasible. Experts and a few talented crackers have the expertise to go through a binary with tools like IDA Pro and analyse it, but the process takes a lot of man-hours and is much harder than auditing source code. So yes, if there is a problem with Zoom the NSA and other state-run agencies will find and exploit it, but ordinary security professionals might not have the combination of manpower and expertise needed.

Since it's used so much now, I still hope that somebody reverse-engineers some of the clients. In contrast to auditing open source code, this might also pose legal problems, though.


If the build is reproducible, you can analyze the source, compile it and verify they're distributing the correct binary. If the build isn't reproducible for some reason, you can still do this on some subset of the code.

Now, of course, the binary is what gets executed, so it is the ground truth.


Because the analysis needs to be done by a human mind, and it's 10x more difficult to analyse a binary, even with some tools. And it is already hard to analyze even clean source code, because there can be hidden backdoors, they are not always all called "function SendDataToFBIForTracking(data)".


I should have qualified my statement better. There aren’t many people in the world who can accurately audit a complex application. Evidence of the above fact is that there are approximately zero complex applications without a history of security issues, and there have even been successful attempts to maliciously add exploitable bugs in open source projects.

Among these people only a small minority is able to perform a similar audit on compiled code, and only at a much lower pace.

So I agree that it is possible to check a binary, but it is not feasible in a reasonable way.

PS. You are a well known (maybe even famous in the community) software security expert. Your perception of the availability and competence of good experts may be skewed by the fact that you probably know most of the good ones


>Your perception of the availability and competence of good experts may be skewed by the fact that you probably know most of the good ones

This is a bit disingenuous.

The fact that he knows them means that he can comment on the feasibility of that analysis.


He can maybe do it, and a few dozen of other people. There aren’t simply enough good experts to do it on any significant portion of popular software products.


So we are not worried about popular software products, we are concerned about critical pieces of software.

So seriously--how many are required?


which opposites are you talking about?

I cannot find any in the parents comment.


>but not the absence of backdoors.

This is patently false. Binary code can be completely analyzed and understood with respect to back doors.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: