
Yeah, my mouse was hovering over the download button eager to test it out when my brain suddenly went "wait, don't do that!"

If you wanna run this thing, you should probably build it from source yourself (don't trust the binaries) and even then run it in a pretty well sandboxed virtual machine. I would not be surprised at all if the NSA left some surprises in that thing.



> I would not be surprised at all if the NSA left some surprises in that thing.

Huh. I would be extremely surprised if the NSA were to include some kind of malicious or pseudo-malicious easter egg in the open source RE toolkit they're releasing. How dumb would they have to be to pull a move like that, and for what? The self-interest just doesn't line up.


I hope you don't use Linux, because the NSA contributes to quite a lot of OSS. They also created SELinux for instance.


Those changes to OSS are reviewed by a lot of people; this here is just released and reviewed by themselves only.


Sure, the ones officially contributed by the NSA. What you have to wonder is how much code was contributed by some seemingly normal community member that is actually a front for the NSA to introduce subtly flawed code that they can use to their advantage while being plausibly just a bug?

There are those who suspect Heartbleed came about this way.


- SELinux has been free software for over a decade, with many open-source contributions.

- Many people don't use SELinux, especially on distros like Arch, Gentoo, etc., where it (luckily) doesn't come as part of the package; SELinux is far from universal.


If you're decompiling and analysing ANYTHING, you should be running it on a reflashable, airgapped machine in case it does something unexpected, even if it isn't intentionally malicious. Plus you probably don't want it phoning home either...


Maybe it's all just an elaborate recruitment ad. :)



