Slashdot Mirror


Computer Science Professor Mocks The NSA's Buggy Code (softpedia.com)

After performing hours of analysis, a computer science professor says he's "not impressed" by the quality of the recently-leaked code that's supposedly from an NSA hacking tool. An anonymous Slashdot reader writes: The professor, who teaches Software Vulnerability Analysis and Advanced Computer Security at the University of Illinois, Chicago, gripes about the cryptography operations employed in the code of an exploit called BANANAGLEE, used against Fortinet firewalls. Some of his criticisms include the words "ridiculous", "very bad", "crazy" and "boring memory leaks".

"I would expect relatively bug-free code. And I would expect minimal cryptographic competence. None of those were true of the code I examined which was quite surprising," the professor told Softpedia in an email.

If these were cyberweapons, "I'm pretty underwhelmed by their quality," Professor Checkoway writes on his blog, adding that he found "sloppy and buggy code," no authentication of the encrypted communication channel, 128-bit keys generated using 64 bits of entropy, and cipher initialization vectors that leaked bits of the hash of the plain text...

5 of 179 comments

  1. Front Door Access by Anonymous Coward · · Score: 5, Funny

    Remember, these are the people who want "Front Door" access to your computer. Without a warrant, without oversight.

    You can trust them, they are the most skilled cyber-warriors on the planet!

    Give them the keys to your front door, both physical and virtual! They are super competent and trustworthy.

  2. By Design by Anonymous Coward · · Score: 2, Funny

    Clearly the NSA leaked these tools with built-in weaknesses so they could get others to install them, then they get to use them.

  3. What did you expect? by PPH · · Score: 4, Funny

    Our best guy is on vacation in Moscow.

    --
    Have gnu, will travel.

  4. Re:NSA is part of "big government" after all by Archtech · · Score: 5, Funny

    We should privatize our security, and make the NSA as well as the military a publicly traded corporation.

    I know! Let's outsource it all to Microsoft!!

    --
    I am sure that there are many other solipsists out there.

  5. Who's naked? by pabloesgalhardo · · Score: 3, Funny

    He can mock their code, but that's how they got all his emails, internet browsing history, phone calls, text messages and GPS coordinates for the last 10 years or more...