Slashdot Mirror


Computer Science Professor Mocks The NSA's Buggy Code (softpedia.com)

After performing hours of analysis, a computer science professor says he's "not impressed" by the quality of the recently-leaked code that's supposedly from an NSA hacking tool. An anonymous Slashdot reader writes: The professor, who teaches Software Vulnerability Analysis and Advanced Computer Security at the University of Illinois, Chicago, gripes about the cryptography operations employed in the code of an exploit called BANANAGLEE, used against Fortinet firewalls. Some of his criticisms include the words "ridiculous", "very bad", "crazy" and "boring memory leaks".

"I would expect relatively bug-free code. And I would expect minimal cryptographic competence. None of those were true of the code I examined which was quite surprising," the professor told Softpedia in an email.

If these were cyberweapons, "I'm pretty underwhelmed by their quality," professor Checkoway writes on his blog, adding that he found "sloppy and buggy code," no authentication of the encrypted communication channel, 128-bit keys generated using 64 bits of entropy, and cypher initialization vectors that leaked bits of the hash of the plain text...

1 of 179 comments

  1. Re:It is a tool to hack, you idiot by Aighearach · Score: 0, Troll

    Not only that, but what sort of idiot is this guy? Does he realize that he's clowning himself when he says, "I would expect relatively bug-free code." Why? Because it is the magic Goobermint, or because unreleased internal tools usually get a large number of extra QA cycles looking for unreported bugs?

    The danger to this code of bugs is actually regular OS and network service bugs that let users crack the machine and get access to this code. The danger isn't that a user who already is on the same machine might access the memory and shit. They already have the jewels at that point, there is no need for multiuser security here. It doesn't get installed on the target system, it gets installed on a staging server.

    It is like complaining that an ammo dump isn't armor plated. That might not be a mistake.