Computer Science Professor Mocks The NSA's Buggy Code

After performing hours of analysis, a computer science professor says he's "not impressed" by the quality of the recently-leaked code that's supposedly from an NSA hacking tool. An anonymous Slashdot reader writes: The professor, who teaches Software Vulnerability Analysis and Advanced Computer Security at the University of Illinois, Chicago, gripes about the cryptography operations employed in the code of an exploit called BANANAGLEE, used against Fortinet firewalls. Some of his criticism include the words "ridiculous", "very bad", "crazy" and "boring memory leaks".

"I would expect relatively bug-free code. And I would expect minimal cryptographic competence. None of those were true of the code I examined which was quite surprising," the professor told Softpedia in an email.
If these were cyberweapons, "I'm pretty underwhelmed by their quality," professor Checkoway writes on his blog, adding that he found "sloppy and buggy code," no authentication of the encrypted communication channel, 128-bit keys generated using 64 bits of entropy, and cypher initialization vectors that leaked bits of the hash of the plain text...

Scary

You don't like someone? All you have to do is place child porn pictures on their computer, alert the authorities, and even if they've never seen the pics, they are going to the hole for a long time. And it's quite easy to get the pics there too. USB, web link, email attachments, all so easy, and once the evidence is there, you're screwed, even if you deleted it, short of reinstalling windows, (and even that might not work) or replacing new harddrive.

The police and society at whole have no sympathy for "child molestors", despite the fact that VIEWING A PICTURE IS AN INNONCENT CRIME. But people just believe the hysteria, for the children nonsense, etc. and run with it. Or some are just on power trip and love to see others locked away for 10+ years for an activity that didn't harmed anyone.

I'm honestly surprised a lot more people don't try it, seeing how easy it is to frame someone with it. Welcome to 1984.

Re:It is a tool to hack, you idiot

[Sique]

Apparently, the bad code has been known to some secret services for some time. And that means that other secret services had the time to exploit the bad code and use it as an attack vector back against the NSA. I would be very wary to know that my opponent knows how shoddy my own code is. If for instance you can hijack encrypted communications, you can feed the communication any desinformation you want, and the original attacker believes it to be the real thing.

Meh

[Greyfox]

I've yet to see a computer science professor with particularly excellent code, either. I run across assignments and example code from courses on a regular basis that fall into the "Never, ever do that" category of programming. Case in point, a relative of mine recently had some questions about a CS programming assignment. Part of the assignment description talked about design patterns and predictably went straight for the Singleton as an example. I'm pretty sure that's the only pattern that about 90% of programmers ever actually learn when reading about design patterns and it's so abused in the industry right now that you can basically never get one past a design review board.

Anywhoo, back in the '90's I worked for a company that was getting a B2 Certification for its operating system. My job basically consisted of reading the entire AT&T C standard library code, finding potential security flaws, writing tests for those flaws and then writing a report with the tests which would be delivered to the NSA. I found the remote buffer overflow in the AT&T telnet daemon a couple years before the same overflow was discovered in the Linux telnet daemon. So the NSA basically outsourced the hard work of finding all those exploits to the companies that were trying to get security certifications. It took three or four guys just a few months to go through all the stuff we had to look at. I'm sure we missed a bit, but I was much more confident in the security of their OS at the end of all that. Too bad they eventually went out of business, were acquired by IBM and their products were killed. You know, progress!

Random Numbers

[raftpeople]

Is it possible the NSA knows something about existing pseudo-random number implementations and is purposefully working around that issue in this code? The professor seems to ignore this possibility.