
@orangepillapp mentioned the following:
don't be sad, open source is security theatre
Now I wonder if I should show them that you can’t hide the important parts of your source code since you’re shipping the compiled version to every device which can be reverse engineered.
So I believe that it’s the other way around: hiding your source code is security theatre. If you hide your source code, I’m going to assume you have something to hide in there.
What do you think? Should I do it?
67 sats \ 1 reply \ @aljaz 14h
You are just giving them what they crave the most: attention. Clearly their comments are misaligned with and/or ignorant of the community, and they use every opportunity to pump their chest, so giving them more attention just fuels that.
0 sats \ 0 replies \ @ek OP 13h
mhh, interesting opinion
100 sats \ 2 replies \ @optimism 18h
🤔🤔🤔
Unless you're outside of and not dependent on US/CA/EU (and adjacent)/UK and not going there, are truly untraceably anon or have an unlimited supply of small-metal-objects-that-can-be-ejected-from-a-bigger-metal-object-at-high-velocity (and training), it'd be best to not talk about disassembly.
That doesn't mean you can't do it. Just don't talk about it...
100 sats \ 1 reply \ @ek OP 18h
Thanks for your advice! I would say I considered what you're trying to say before posting.
67 sats \ 0 replies \ @optimism 17h
TBH: I simply remember getting verbally beat up by lawyers every time I did something stupid very, very clearly lol
34 sats \ 4 replies \ @nout 20h
Security through obscurity, Mr. Bond.
0 sats \ 3 replies \ @ek OP 20h
I will have some fun with the APK tonight
Let us know what you find!
0 sats \ 1 reply \ @ek OP 17h
How should I contact you in private if I find something?
You don't have a GitHub repository where I can create a security advisory, and I don't see something there like we have here (see https://securitytxt.org/).
Is a mail to hello@orangepillapp.com good enough? I don't know if that mail might be read by the wrong employees.
you can email us at hello@orangepillapp.com anytime
51 sats \ 6 replies \ @anon 19h
He also counts his custodial wallets database updates as making up half of all lightning transactions. Red flags.
0 sats \ 4 replies \ @ek OP 16h
do you have a source for that?
112 sats \ 3 replies \ @anon 15h
0 sats \ 1 reply \ @ek OP 14h
how can one even tell how many lightning transactions there are globally?
Hard to tell for sure, but we talked to all the major LN infrastructure providers and they all told us it’s 100-200k a day on avg.
Nostr does ~8k a day
🚩🚩🚩
30 sats \ 5 replies \ @ek OP 20h
I also think this is wrong:
you cannot verify the code of an app even if you had access to the repo
Reproducible builds fix this. You can't verify the code that runs on a server but afaik, you can verify if the app you downloaded is what you would get if you build it yourself from the source code.
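The reproducible-build check described in the post above, as an added example that is not code from the thread, from orangepillapp, or from any project it mentions. It assumes that a locally rebuilt APK and the store-distributed one should differ only in the signing entries under META-INF/ (the v1 signature files; v2/v3 signatures live in the APK signing block outside the zip entries and are skipped automatically), and it builds constructed APK-shaped zips in memory so it runs offline:

```python
import hashlib
import io
import zipfile

# Entries that legitimately differ between a developer's local build and the
# store copy: the v1 signature files. Everything else should be byte-identical.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def _is_signature_entry(name):
    return name.startswith(SIGNATURE_PREFIX) and name.endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes):
    """Map each non-signature zip entry to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or _is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def whole_file_matches(a, b):
    """Naive check: hash the two files as-is. Fails whenever only the signature differs."""
    return hashlib.sha256(a).hexdigest() == hashlib.sha256(b).hexdigest()


def compare_apks(downloaded, rebuilt):
    """Return (reproducible, report); report lists entries missing on one side or differing."""
    a = entry_digests(downloaded)
    b = entry_digests(rebuilt)
    report = {
        "only_in_downloaded": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "content_differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }
    reproducible = not any(report.values())
    return reproducible, report


def make_apk(entries):
    """Constructed sample: build an APK-shaped zip in memory from a {name: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample inputs (not a real app). The hypothetical package name and
# entry contents are placeholders.
BASE = {
    "AndroidManifest.xml": b'<manifest package="example.app"/>',
    "classes.dex": b"dex\n035\x00...constructed...",
    "res/values.arsc": b"\x02\x00\x0c\x00",
}
STORE_APK = make_apk({**BASE,
                      "META-INF/CERT.RSA": b"store-signature",
                      "META-INF/CERT.SF": b"sf-store",
                      "META-INF/MANIFEST.MF": b"mf-store"})
LOCAL_APK = make_apk({**BASE,
                      "META-INF/CERT.RSA": b"dev-signature",
                      "META-INF/CERT.SF": b"sf-dev",
                      "META-INF/MANIFEST.MF": b"mf-dev"})
# A store copy whose code differs from the published source and carries an extra library.
DIVERGENT_APK = make_apk({**BASE,
                          "classes.dex": b"dex\n035\x00...something else...",
                          "lib/arm64-v8a/libextra.so": b"ELF...constructed..."})

if __name__ == "__main__":
    print("whole-file hash equal:", whole_file_matches(STORE_APK, LOCAL_APK))
    print("entry-level reproducible:", compare_apks(STORE_APK, LOCAL_APK))
    print("divergent build:", compare_apks(STORE_APK, DIVERGENT_APK))
```

In practice the rebuilt side comes from the published source at the tagged release commit, built in the project's documented environment; any entry listed in `content_differs` or `only_in_downloaded` is then the thing to diff further, since it is code or data the user runs that the source does not account for.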
41 sats \ 2 replies \ @optimism 18h
Reproducible builds fix this
This. It just requires a massive build environment setup and a ton of work. Probably not worth it. But it can be done where it makes sense.
Does it in this case though? I'm not convinced.
100 sats \ 1 reply \ @ek OP 14h
It just requires a massive build environment setup and a ton of work
it's just an app that talks to a server
Yeah. Meaning the interesting thing from a privacy perspective that you'd hunt for in the source code is:
  1. What data does it collect?
  2. What data does it throw over the wire?
When I edit apks (always do) the main effort is replacing data collection stuff with stubs and removing callbacks to googly goog, bugsnag or other data brokers.
I wonder if ideas from zero knowledge proofs can be used to verify what code a server is running without having to reveal the entire source code of the server. I'm talking way out of my league here, but it was just a thought.
I'm sure you can express anything in lattices but do you really want to do this if you can just use nostr and extend that with an interactive ZK protocol? Lotta years of frustrating work vs just half a year of work.
0 sats \ 0 replies \ @siggy47 7h
Yes. Absolutely