Suggestions + Cautions #90
The latest piece of software from Patrick Wardle/Objective See called "Ostiarius" is actually open-source, see https://objective-see.com/products/ostiarius.html
It seems to be only partially open source (like KnockKnock). The kext is open source but the GUI is not, so there's no way for anyone to build a usable version of it for themselves. Also, I added this edit to my comment above to clarify why Adium not updating its libpurple in almost two years is a security issue:
Let me clarify that a bit: there is a way for folks to build a usable version of it themselves, but 99.99% will not because they will be left with a kernel extension and not knowing how to use it. There is the obvious problem of an ex-NSA employee distributing a binary that asks for your root password. The build is not a deterministic build so it would require an expert to disassemble it and verify that there's no funny-business going on. Then there's the issue of not providing any reason (at all) for not open sourcing everything. Let's go over it again:
Thanks for taking a look, Greg. Your insights are very much appreciated.
Greg, thank you again for having a read through the guide and offering your thoughts. If there are any other suggestions you can make, please let me know, or make a pull request.
Aloha. First, thanks for including a link to my blog and providing an opportunity for me to respond. The tools on Objective-See.com are simply the personal tools I run on my Mac to keep myself secure. I figured freely sharing them on my personal site might be useful to other Mac users. Obviously there are pros & cons and endless debates about open-source vs. closed-source. I've thought a lot about this; however, to protect my personal IP, I decided to keep various components closed-sourced. This seems to align with the majority of software that is distributed for OS X, especially in terms of security software. Of course I understand some people will passionately disagree with this. I think the following points are relevant as well:
I have no problem with people disagreeing with my approach - but I'd rather keep reporting security vulnerabilities to Apple and releasing free tools to protect Mac users, than spend a lot of time arguing on the internet ;)
I see. Well thanks for finally providing a reason, albeit one I find hard to understand. What is so important about the IP in a tiny Cocoa app to install/uninstall a kernel extension?
Most of those tools are:
Sorry, but there's a higher bar of scrutiny for ex-NSA rootkit experts to go over, especially those who aren't super willing to give convincing answers to simple questions.
KnockKnock is not fully open source, and the issue is that, so far as I can tell, 100% of the software on your "Free OS X Security Tools" page is not fully open source. In a world of many non-NSA employees happily giving the source away to their "Free OS X Security Tools", your behavior is deeply suspect.
Those were never the concern. It's interesting you left out the actual concern: backdoors.
If that's all you're doing, kudos and more power to you. If it's not, well, I'd hate to be in your shoes when someone finds out.
Hi there, I agree about the libpurple situation, and as discussed with @taoeffect, Google Chrome does not install an updater daemon as root by default but uses the current user's privileges (at least now), but I agree with https://twitter.com/taoeffect/status/697891999068721152 / https://twitter.com/pwnsdx/status/697892634749247489 though. Regarding Objective-See's @patrickwardle apps, I reverse engineered BlockBlock / Ostiarius (binaries/kexts) as best I could and here is my thought about him:
So I think he is honest, but despite my checks, I cannot guarantee the presence of intentional/unintentional vulnerabilities, so I don't understand why you are not opening the full sources so we all can look into it and be sure there are no nasty things inside. I think it's essential if you want to gain trust, especially because it is security-related software and because of where you worked before. And assuming there is no backdoor now, they could ask you to put a backdoor inside the next BlockBlock update. Nobody will know about it, so think about it. PS: @taoeffect, could you please provide proof that @patrickwardle actually worked for the NSA?
Yeah I'm curious to try it out again and see what the deal is with the latest versions (it certainly used to install the root daemon, as Todd's research is clear evidence of).
Cool, so you did end up comparing it against one you compiled (and you're certain)? If so that's good news.
Just put "patrick wardle nsa" (no quotes) into a search engine.
Hello,
As I said, it seems so; I'm not certain.
Thanks.
FYI, Ricochet 1.1.2 just released, and it includes an audit report! 😄
Thanks for the link, very nice report.
Great stuff @drduh!
Interesting discussion here, thanks.