Computer Science Professor Mocks The NSA's Buggy Code

After performing hours of analysis, a computer science professor says he's "not impressed" by the quality of the recently-leaked code that's supposedly from an NSA hacking tool. An anonymous Slashdot reader writes: The professor, who teaches Software Vulnerability Analysis and Advanced Computer Security at the University of Illinois, Chicago, gripes about the cryptography operations employed in the code of an exploit called BANANAGLEE, used against Fortinet firewalls. Some of his criticism include the words "ridiculous", "very bad", "crazy" and "boring memory leaks".

"I would expect relatively bug-free code. And I would expect minimal cryptographic competence. None of those were true of the code I examined which was quite surprising," the professor told Softpedia in an email.
If these were cyberweapons, "I'm pretty underwhelmed by their quality," professor Checkoway writes on his blog, adding that he found "sloppy and buggy code," no authentication of the encrypted communication channel, 128-bit keys generated using 64 bits of entropy, and cypher initialization vectors that leaked bits of the hash of the plain text...

It is a tool to hack, you idiot

[hsmith]

The real issue is what was exploited that one should be concerned about the quality of the code. "Oh man your shell scripts suck!"

Re:It is a tool to hack, you idiot

[saps1e]

Agreed. Considering this in the context of "cyberweapon", many weapons have been poorly designed and/or rushed into service, so this may be par for the course. I haven't looked at the code myself, but I would imagine that having a small footprint, both in terms of size and resources, is key to running undetected. Cutting corners, minimal encryption... those could be considered advantages here.

Re:It is a tool to hack, you idiot

[Spazmania]

"Oh man your shell scripts suck!"

Yeah, that was my thought as well. Red team code is supposed to be quick and dirty. It's the attacker, not the defender. It doesn't have to be pretty or work well, it just has to breach the target system.

Re:It is a tool to hack, you idiot

[drinkypoo]

Yeah, that was my thought as well. Red team code is supposed to be quick and dirty.

I think that's a somewhat strong statement. You want your code to work when you deploy it. It's supposed to work. If it works, then it's a working weapon. If it has bugs that impede its function, then it isn't. If the tool can be used against the initiator, because the back channel isn't protected, then it's not just a weapon — it's a hazard.

Not Surprised

[organgtool]

Security vulnerabilities are discovered and patched all of the time. It doesn't make sense to spend a lot of time writing extremely meticulous code for an exploit that could be patched by the time you're done writing the exploit code. Combine that with the fact that there's probably a ton of vulnerabilities in a lot of different applications, drivers, and firmware and it probably makes more sense to focus on quantity of exploits rather than quality.

Re: In other news

[Type44Q]

Or the exact opposite: they send him a fat check, as per their agreement (the NSA funtions more effectively when it's being underestimated).

Bomb researcher not impressed with IED

[Overzeetop]

Expert: I mean, look at it - it's a bunch of nails and duct tape around a low explosive core which doesn't have nearly the proper confinement for even 50% of the maximum shock wave capable, much less the ability to transition to detonation. And this wiring - that's just disgraceful - the solder didn't even flow properly here, and this is entirely unsheilded - anything could set this off accidentally, even a cell phone. If you were in my training program, you're fail miserably.

Terrorist: We used one of these yesterday to kill 25 people and injure another 70 in a market in Aleppo.

Expert:...