Our great sponsors
-
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
https://github.com/NationalSecurityAgency/ghidra/issues/382
3. Airgaps may be broken by ultrasound side channels; communication to compromised devices like smartphones is possible (see: speaker-to-gyroscope communication https://ieeexplore.ieee.org/abstract/document/9647842/ ; speaker-to-speaker communication https://arxiv.org/pdf/1803.03422.pdf)
4. Low bitrate data leaks, like "ghidra is running in this org, decompiling files named....." may be accumulated by the NSA
This is just zero-day warehousing and passive signals collection with embedded zerodays. It would be hard for security researchers to detect this. I'd happily change my mind if you showed me an audit that looks for beacons and other side channels.
II. The audits
Here is the one audit I could find
https://github.com/NationalSecurityAgency/ghidra/issues/382
This audit tells us that the code is janky, but doesn't tell us if it's secure. It's just a dump of thousands upon thousands of static analysis errors.
There's no threat anaylsis in this audit. All it suggests is that the code has so many defects that a serious security audit will very expensive to perform.
III. Change my mind with evidence
Please link me to the "heavy audits" of the code that you think should exist. I couldn't find them. Surely you were not bullshitting me. Surely not?!
tldr;; I think this code is less heavily audited than you can support.