50x -> 5000x realistically :)
Replying to @matthew_d_green @halvarflake and
I don't follow, having the source available would eliminate that - but what difference does it make if it's reproducible? To be clear, I believe having the source available - whether the vendor is trusted or not - is beneficial to security.
1 reply 0 retweets 0 likes
Replying to @taviso @halvarflake and
If there is, say, a N-factor overhead to working with decompiled binaries rather than source, and projects ship with efficiently reproducible source code — then P0 finds N times as many bugs in the same amount of time, for any project that has open source. That seems good.
2 replies 0 retweets 0 likes
Replying to @matthew_d_green @halvarflake and
OK, but let's separate out these components. There are two parts, There's the source code which we both agree has benefits. Then there's things like seeds for -frandom-seed. What is the benefit to Project Zero of the second?
2 replies 0 retweets 1 like
Replying to @taviso @halvarflake and
Not to have to look at binaries unless you suspect a compiler flaw?
1 reply 0 retweets 0 likes
Replying to @matthew_d_green @halvarflake and
The only possible reason for that would be we suspect the vendor is embedding a backdoor, right? But that would be an insane thing to do, when as we've already established, bugdoors are far superior?
2 replies 0 retweets 1 like
Replying to @taviso @halvarflake and
I still want to know why P0 looks at binaries :)
2 replies 0 retweets 0 likes
Replying to @matthew_d_green @halvarflake and
You mean if there's source available? There are a bunch of reasons, sometimes they're easier to work with, and we're all experienced and efficient at working with binaries.
1 reply 0 retweets 0 likes
Replying to @taviso @halvarflake and
The question I'm really asking here is whether @natashenka or others at Google ever look at binaries (despite source being available) because they're specifically concerned that the binary might not be built from the source (and named dependencies) published.
1 reply 0 retweets 1 like
Replying to @matthew_d_green @taviso and
Obviously there are other reasons to look at binaries. I’m not discounting those. I’m asking if the factor above is ever a reason.
1 reply 0 retweets 0 likes
I think I can safely take a risk and speak for others and say no. The closest thing would be trying to figure out which version of an open source library was included, but that's not relevant to the discussion, I think!
Replying to @matthew_d_green @taviso and
But anyway I need to go outside. This has been illuminating. I take your point and accept some of your points, and will think more about it.
0 replies 0 retweets 2 likes