ritter.vg
Liberation Technology Auditing Guidelines
27 Feb 2013 21:06:34 EST

Liberation Technology is kind of a catch-all bucket I borrowed from Stanford's Program & Listserv that I use to describe technology that's designed to be used by activists, journalists, folks with increased privacy needs (survey participants, whistleblowers, law enforcement), and the like. (I'm probably offending or upsetting someone by using this term willy-nilly, but I don't have a better one.) These types of applications obviously have a higher bar for security: not only do they need to be free from the major 'bad' vulnerabilities like SQL Injection and Memory Corruption - but thought and attention also need to be paid to things like "What third party requests are made?" and "What does my use of this application leak to a network observer?"
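Those two questions are the kind of check an auditor can partly automate. The script below is an added example (not from this post or the github checklist it links): it takes a list of URLs observed while exercising the application under review, as a proxy or capture tool would export them, and flags requests to hosts outside the project's declared first-party set and requests made in cleartext. The first-party hosts and the sample log are constructed for the example.

```python
"""Audit helper: flag third-party and cleartext requests observed while
exercising an application under review (added example, not the post's own)."""
from collections import Counter
from urllib.parse import urlsplit

# Hosts the project being audited declares as its own (constructed for the example).
FIRST_PARTY = {"app.example", "api.app.example"}

# Constructed sample: one observed URL per line, as a proxy would export them.
SAMPLE_LOG = """\
https://api.app.example/v1/login
https://api.app.example/v1/messages
http://app.example/assets/logo.png
https://cdn.fonts.test/css?family=Roboto
https://metrics.tracker.test/collect?cid=abc123
http://crl.example-ca.test/root.crl
"""


def host_is_first_party(host, first_party=FIRST_PARTY):
    """A host counts as first party if it equals, or is a subdomain of, a declared host."""
    return any(host == fp or host.endswith("." + fp) for fp in first_party)


def audit_requests(log_text, first_party=FIRST_PARTY):
    """Return {'third_party': {host: count}, 'cleartext': [url, ...]}.

    Every third-party request tells another operator the user's IP address and
    when the app was used; every cleartext (http://) request shows its full
    content to a network observer. Even TLS requests still leak the hostname
    via DNS and SNI, which is why third-party hosts are reported regardless of
    scheme."""
    third_party = Counter()
    cleartext = []
    for line in log_text.splitlines():
        url = line.strip()
        if not url:
            continue
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host_is_first_party(host, first_party):
            third_party[host] += 1
        if parts.scheme == "http":
            cleartext.append(url)
    return {"third_party": dict(third_party), "cleartext": cleartext}


if __name__ == "__main__":
    findings = audit_requests(SAMPLE_LOG)
    for host, n in sorted(findings["third_party"].items()):
        print(f"third-party host: {host} ({n} request(s))")
    for url in findings["cleartext"]:
        print(f"cleartext request: {url}")
```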

There is a dearth of folks who are good at reviewing these applications, and of the ones there are, their time is spread too thinly, and ultimately it's nobody's job, so it's done in their free time. To that end, I took a stab at putting together all the things I've picked up over the years, in an effort to get more folks involved in the process. That list (sponsored by my employer) lives over here on github. It's aimed directly at fellow security consultants, and is intended to list additional technical issues to search for when auditing these types of applications. I'm not nearly the best at this, and I don't do as much as I'd like to, but it's something, and you can improve or fork it.

What should you target with these ideas? Everything! There are high-profile applications like the ones by the Tor Project, Whisper Systems, and the Guardian Project. There are newer flashy projects like Cryptocat, MEGA, and Crypton. And there are brand-new projects that might take a bit of reverse engineering to understand - like Wickr and Silent Circle. And this is not an exhaustive list. The number of these types of applications has been increasing significantly in the past couple of years. The number of auditors has not.

I hope this list will inspire more people to look at these applications and contribute to them.

This post originally appeared on iSEC Partners' blog.
