
I'm still trying to figure out, in this day and age, especially after the Snowden disclosures, why anyone would trust software released by this organization.

You do realize their primary goal is intelligence gathering?


It's a reverse engineering tool. The community is going to have plenty of ability to do network analysis on it. Also, it's trivial to sandbox it, even if it weren't going to be open-sourced.


Sandboxing things is rarely trivial ;)


Air-gapped RE machines (recall you're probably looking at malware anyway). One-way transfer of samples. Print reports and OCR. Done.


Is printing and OCRing actually a thing? I'd think you would at least just point the camera (aka scanner) at a screen...


It depends how paranoid the security person you're trying to appease is, honestly. There are definitely better options, but that one will always "sound secure".


In particular, tools that are designed to reverse engineer things :)


I am familiar with the concept. However, I would recommend hesitating to anyone who thinks any software from the organization, open source or no, is entirely harmless to the user...


It's going to be an open source release, so depending on your paranoia levels you could just build it yourself.


You'd have to audit the source code first, though, which is not a trivial thing to do.


But you can bet there will be plenty of people looking at it, and that group of people will also likely include security professionals looking to use it. I'm not sure I can honestly think of a stupider move in this area than to include nefarious code in an open source security auditing tool aimed at the highest and most complex levels of security auditing and used by professionals whose job it is to find and announce these things.

That doesn't mean assume nothing's wrong, but I'm pretty sure this thing will have some pretty talented people looking at it fairly early just for kicks, so of things to worry about, this isn't high on my list.


Given the audience I feel like the source code will be audited by the community in record time.


I don't get the criticism here, you're right on the money. What's the one group of people absolutely guaranteed to

a) audit a tool like this and

b) have the chops to perform that audit

Reverse engineers. If you're nervous, just wait 2 months and follow Twitter.


Exactly my point. When they released SELinux this was the argument, and how many lines of code does an OS have?


Lines of code is not a great metric to equate to the effort of auditing the code.

Harder to meter: how understandable is the code? More verbose, but more easily understandable code will be far easier to audit.

Personally, I'd rather a million lines of code that are clear and obvious than 500k that are obtuse, terse and/or obfuscated.


Having spent many years in US Navy radar rooms, NOCs and the like, I can tell you that white interfaces are the digital equivalent of being snow blind. It's MUCH easier on your eyes and your vision if you utilize dark backgrounds (or dark modes) than it is to use bright interfaces... that's not just my opinion but something born from experience...


Agreed. When I worked in CIC/CDC, it was always darkened, and a white interface would have been super annoying.


Chat over IMAP, isn't that just email... :)

