Slashdot Mirror

← Back to Stories (view on slashdot.org)

Computer Science Professor Mocks The NSA's Buggy Code (softpedia.com)

Posted by EditorDavid on from the back-to-school dept.

After performing hours of analysis, a computer science professor says he's "not impressed" by the quality of the recently-leaked code that's supposedly from an NSA hacking tool. An anonymous Slashdot reader writes: The professor, who teaches Software Vulnerability Analysis and Advanced Computer Security at the University of Illinois, Chicago, gripes about the cryptography operations employed in the code of an exploit called BANANAGLEE, used against Fortinet firewalls. Some of his criticism include the words "ridiculous", "very bad", "crazy" and "boring memory leaks".

"I would expect relatively bug-free code. And I would expect minimal cryptographic competence. None of those were true of the code I examined which was quite surprising," the professor told Softpedia in an email.
If these were cyberweapons, "I'm pretty underwhelmed by their quality," professor Checkoway writes on his blog, adding that he found "sloppy and buggy code," no authentication of the encrypted communication channel, 128-bit keys generated using 64 bits of entropy, and cypher initialization vectors that leaked bits of the hash of the plain text...

14 of 179 comments (clear)

  1. It is a tool to hack, you idiot by hsmith · · Score: 5, Insightful

    The real issue is what was exploited that one should be concerned about the quality of the code. "Oh man your shell scripts suck!"

    1. Re:It is a tool to hack, you idiot by saps1e · · Score: 5, Insightful

      Agreed. Considering this in the context of "cyberweapon", many weapons have been poorly designed and/or rushed into service, so this may be par for the course. I haven't looked at the code myself, but I would imagine that having a small footprint, both in terms of size and resources, is key to running undetected. Cutting corners, minimal encryption... those could be considered advantages here.

    2. Re:It is a tool to hack, you idiot by Spazmania · · Score: 4, Insightful

      "Oh man your shell scripts suck!"

      Yeah, that was my thought as well. Red team code is supposed to be quick and dirty. It's the attacker, not the defender. It doesn't have to be pretty or work well, it just has to breach the target system.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    3. Re:It is a tool to hack, you idiot by drinkypoo · · Score: 4, Insightful

      Yeah, that was my thought as well. Red team code is supposed to be quick and dirty.

      I think that's a somewhat strong statement. You want your code to work when you deploy it. It's supposed to work. If it works, then it's a working weapon. If it has bugs that impede its function, then it isn't. If the tool can be used against the initiator, because the back channel isn't protected, then it's not just a weapon — it's a hazard.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. TTL by Anonymous Coward · · Score: 3, Insightful

    I'm guessing that time to live is more important than having everything looking pretty with your i's dotted and t's crossed. These tools are for exploits that may not be around for ever. Getting the code live and useful is more important than anything else.

  3. Not Surprised by organgtool · · Score: 4, Insightful

    Security vulnerabilities are discovered and patched all of the time. It doesn't make sense to spend a lot of time writing extremely meticulous code for an exploit that could be patched by the time you're done writing the exploit code. Combine that with the fact that there's probably a ton of vulnerabilities in a lot of different applications, drivers, and firmware and it probably makes more sense to focus on quantity of exploits rather than quality.

  4. Re: In other news by Type44Q · · Score: 5, Insightful

    Or the exact opposite: they send him a fat check, as per their agreement (the NSA funtions more effectively when it's being underestimated).

  5. Re: The real issue by Anonymous Coward · · Score: 3, Insightful

    Cute that you think its a partisan issue

  6. Re:NSA is part of "big government" after all by breagerey · · Score: 3, Insightful

    I hate this trope
    Govt *isn't* a business in the traditional sense of the word and we shouldn't expect it to be

  7. Re: The real issue by Anonymous Coward · · Score: 1, Insightful

    Rather rich given the two presidents with the biggest domestic spying operations were Nixon and Bush Jr.

  8. Re:Scary by Anonymous Coward · · Score: 2, Insightful

    Actually the FBI has already been caught putting pictures ONTO peoples' computers in order to gain warrants. They don't do it directly, they do it by proxy through hacker groups they hire "for investigations", but it's been revealed that the hackers will put the material onto the computer, alert the FBI that this has been successful, go back and retrieve the pictures while the FBI watches, and thus giving the FBI what they need to breach the location. It's all pretty damn shady if you ask me. Does our FBI even do anything that's not semi-criminal, any more?

  9. Bomb researcher not impressed with IED by Overzeetop · · Score: 4, Insightful

    Expert: I mean, look at it - it's a bunch of nails and duct tape around a low explosive core which doesn't have nearly the proper confinement for even 50% of the maximum shock wave capable, much less the ability to transition to detonation. And this wiring - that's just disgraceful - the solder didn't even flow properly here, and this is entirely unsheilded - anything could set this off accidentally, even a cell phone. If you were in my training program, you're fail miserably.

    Terrorist: We used one of these yesterday to kill 25 people and injure another 70 in a market in Aleppo.

    Expert:...

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:Bomb researcher not impressed with IED by raftpeople · · Score: 1, Insightful

      I know. The professor admits he's not a cryptographer and then criticizes the way NSA forms a random number, which is a critical piece of crypto. Maybe they know something about crypto that he doesn't.

  10. Re:Random Numbers by david_bonn · · Score: 3, Insightful

    That's possible, true.

    But it is hard to see that someone would "fix" that problem using the approach given in the code sample. Basically their "fix" only produced 64 bits of entropy for a 128 bit key, which is a 101-level cryptography mistake. It also took more time and was much more complex than a straightforward implementation, which kind of kills the argument about the authors having to work quickly. This is one of those screwups that required thought and effort. I'm left with two possibilities:

    (1) The NSA is hiring complete amateurs to write their exploit tools, and they aren't giving any adult supervision (or code reviews) to the products of those amateurs.

    (2) The NSA/Equation Group didn't write this code at all.