Slashdot Mirror
Computer Science Professor Mocks The NSA's Buggy Code (softpedia.com)
After performing hours of analysis, a computer science professor says he's "not impressed" by the quality of the recently-leaked code that's supposedly from an NSA hacking tool. An anonymous Slashdot reader writes: The professor, who teaches Software Vulnerability Analysis and Advanced Computer Security at the University of Illinois, Chicago, gripes about the cryptography operations employed in the code of an exploit called BANANAGLEE, used against Fortinet firewalls. Some of his criticism include the words "ridiculous", "very bad", "crazy" and "boring memory leaks".
"I would expect relatively bug-free code. And I would expect minimal cryptographic competence. None of those were true of the code I examined which was quite surprising," the professor told Softpedia in an email.
If these were cyberweapons, "I'm pretty underwhelmed by their quality," professor Checkoway writes on his blog, adding that he found "sloppy and buggy code," no authentication of the encrypted communication channel, 128-bit keys generated using 64 bits of entropy, and cypher initialization vectors that leaked bits of the hash of the plain text...
"I would expect relatively bug-free code. And I would expect minimal cryptographic competence. None of those were true of the code I examined which was quite surprising," the professor told Softpedia in an email.
If these were cyberweapons, "I'm pretty underwhelmed by their quality," professor Checkoway writes on his blog, adding that he found "sloppy and buggy code," no authentication of the encrypted communication channel, 128-bit keys generated using 64 bits of entropy, and cypher initialization vectors that leaked bits of the hash of the plain text...
and big government is failure, as we all know it. We should privatize our security, and make the NSA as well as the military a publicly traded corporation. Trump will run the USA like a business, that's why he has my vote, although he hasn't announced privatisation of vast parts of the government yet, which I would really like.
The real issue is what was exploited that one should be concerned about the quality of the code. "Oh man your shell scripts suck!"
They pay less, so naturally they will get the subpar programmers.
Photos of the professor with under age children have been appearing all over the internet.
People have been puzzled why the material was on otherwise innocuous sites.
I'm guessing that time to live is more important than having everything looking pretty with your i's dotted and t's crossed. These tools are for exploits that may not be around for ever. Getting the code live and useful is more important than anything else.
"I would expect relatively bug-free code."
And you say you are some kind of academic?
Those who can't, teach!
Those in the middle, read comments here!
God is great! Ayaaayyyaayyya!
Remember, these are the people who want "Front Door" access to your computer. Without a warrant, without oversight.
You can trust them, they are the most skilled cyber-warriors on the planet!
Give them the keys to your front door, both physical and virtual! They are super competent and trustworthy.
Clearly the NSA leaked these tools with built-in weaknesses so they could get others to install them, then they get to use them.
You think this "leaked" code is the real thing?
If Slashdot were chemistry it would look like this:Cadaverine
You fool. The real issue is that they are doing this illegal spying on Americans in the first place. And it's bound to get worse with Hillary and Dems seemingly going to dominate this coming election.
You don't like someone? All you have to do is place child porn pictures on their computer, alert the authorities, and even if they've never seen the pics, they are going to the hole for a long time. And it's quite easy to get the pics there too. USB, web link, email attachments, all so easy, and once the evidence is there, you're screwed, even if you deleted it, short of reinstalling windows, (and even that might not work) or replacing new harddrive.
The police and society at whole have no sympathy for "child molestors", despite the fact that VIEWING A PICTURE IS AN INNONCENT CRIME. But people just believe the hysteria, for the children nonsense, etc. and run with it. Or some are just on power trip and love to see others locked away for 10+ years for an activity that didn't harmed anyone.
I'm honestly surprised a lot more people don't try it, seeing how easy it is to frame someone with it. Welcome to 1984.
Security vulnerabilities are discovered and patched all of the time. It doesn't make sense to spend a lot of time writing extremely meticulous code for an exploit that could be patched by the time you're done writing the exploit code. Combine that with the fact that there's probably a ton of vulnerabilities in a lot of different applications, drivers, and firmware and it probably makes more sense to focus on quantity of exploits rather than quality.
Our best guy is on vacation in Moscow.
Have gnu, will travel.
There will always be bugs in software it's how you mitigate / react to them that counts in this day and age. I wonder if this guy has ever written anything other than research papers?
Yeah, the pakis and Chinese can't code for shit.
it would be written very fast; the goal being to get it functional as fast as possible, not to make it bullet proof nor do more than what it is supposed to do. So i'm not surprised how shit it is.
they are just niggerlicious
Irony: Some of the kids who wrote that code took classes from the professor in college.
Dump-a-drumpf 2016/Forever
ok so like the NSA got pwnt because they asshat-miscrypto-cleartexted the shit out of trillions of dollars worth of strategic vital interest defensive and offensive cyberweapons while exposing us to digital armageddon by revealing a global infrastructure of intentionally, illegally, and poorly back-doored hardware while being recorded for 3 years by our enemies engaging in top secret god knows what the fuck in an information age geopolitical information warfare climate of 2013-2016? did i get this correct guys? oh and never mind the global financial race between thousands of entities to to buy 1/28th of the bitcoin market which doesnt have enough liquidity and a low cap that will crash the world finacial economy and make the shadow brokers owners of about 1/30th of the global electronic currency system (assuming they only sell it once, which they wont). the jfk assassination is starting to look like a day in the life of the kardashians. #makeamericagreatagain #blacklivesmatter #pewdiepie
.....is what they're thinking I'm sure. They probably destroy the VM after using the tool anyway.
Twinstiq, game news
Consider the possibility that the leaked code may be disinformation.
In retrospect.
Suddenly those spent costs no longer seem like they should have cost as much.
And those lessons learned? We should have just known those!
It's why industry refuses to spend anything on basic research anymore. SOO inefficient, and with priorities that make no sense to some random consultant or investor.
[sarcasm]
Pff - NASA, I could do better than that! Here - I'll just make up an ideal, say, random number generation that I just happen to have a library of code on, and WOW - I do SO MUCH BETTER than them. Not impressed, NASA, not impressed.
I don't even have to bother understanding the ideals that their code was actually built towards!
[end sarcasm]
Ryan Fenton
Anywhoo, back in the '90's I worked for a company that was getting a B2 Certification for its operating system. My job basically consisted of reading the entire AT&T C standard library code, finding potential security flaws, writing tests for those flaws and then writing a report with the tests which would be delivered to the NSA. I found the remote buffer overflow in the AT&T telnet daemon a couple years before the same overflow was discovered in the Linux telnet daemon. So the NSA basically outsourced the hard work of finding all those exploits to the companies that were trying to get security certifications. It took three or four guys just a few months to go through all the stuff we had to look at. I'm sure we missed a bit, but I was much more confident in the security of their OS at the end of all that. Too bad they eventually went out of business, were acquired by IBM and their products were killed. You know, progress!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
It's widely known that the best and brightest Americans rarely work for the government. The bureaucracy is slow, filled with low intelligence and rules oriented persons, and is generally allergic to actually getting anything useful done. Oh, and the pay sucks too. What's not to like if you're a young, intelligent and entrepreneurial techie? As it turns out, quite a bit. It should surprise nobody then that the best techies work in the private sector and government gets whatever is left to write poor quality code with very short shelf life.
He can mock their code but thats how they got all his emails, internet browsing history, phone calls, text messages and gps coordinates for the last 10 years or more...
Well, whaddaya expect? The gubment put the task out to bid. The lowest bidder got the contract with a lowball bid. in order to make money, they hired H1B visa holders to do the coding, and gave them impossible deadlines. But, hey, the code was good enough for government work.
Is it possible the NSA knows something about existing pseudo-random number implementations and is purposefully working around that issue in this code? The professor seems to ignore this possibility.
Did he consider that perhaps NSA is smart enough to not leave their fingerprint i.e. NSA-like code all over the exploits? There are more layers of security to consider than the code itself and plausible deniability ought to be right up there should the code ever get leaked. They also have been known to buy exploits on the black market, which would also have the added benefit of concealing the true source of the hacks.
0xDECAFBAD Indeed.
What if the shadow brokers didn't hack and steal NSA code, but simply had some part in writing the code to begin with and perhaps what they're selling is unrefined prototypes?
Frankly I have no reason to believe that the shadow brokers and the equation group are even separate entities. If equation group are as good as they are supposed to be, then it makes more sense that for some reason equation group are playing a game with the public. (I highly doubt they'd try and play a game with the NSA.)
I have also seen that the NSA has been trying to make itself somewhat more transparent and useful to the public in the last eight years. Not exactly taking strides but there have definitely been gestures. Perhaps this is the only way they know how to release tools to the public while avoiding accountability under a government that doesn't comprehend the benefits of transparency or educating the masses in cyber security. It would also explain how federally held bitcoins have been trickling into the shadow brokers' wallet.
Just sayin'.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Expert: I mean, look at it - it's a bunch of nails and duct tape around a low explosive core which doesn't have nearly the proper confinement for even 50% of the maximum shock wave capable, much less the ability to transition to detonation. And this wiring - that's just disgraceful - the solder didn't even flow properly here, and this is entirely unsheilded - anything could set this off accidentally, even a cell phone. If you were in my training program, you're fail miserably.
Terrorist: We used one of these yesterday to kill 25 people and injure another 70 in a market in Aleppo.
Expert:...
Is it just my observation, or are there way too many stupid people in the world?
https://www.youtube.com/watch?v=LdZFmeMWrtk&feature=youtu.be&t=112
(c) John Cleese
great watch btw
now what has been leaked looks to have lost credibility, and looks like it is bait-ware.
I would bet it is crappy - the actual tools are built by committee and non-technical folks make technical decisions and assert things like "get that done today or else". I bet there is some crappy in the actual code. I don't know how much.
I'm betting that the ones who got robbed are the incompetent boobs of the bunch. I bet also that the highly competent folks figured out the boobs might get hacked and left some "breadcrumbs" in the system.
Why does softpedia link to everything except the source?
https://www.cs.uic.edu/~s/musi...
It's too easy to pick things that make no sense to you apart. I don't understand x, y and z and therefore I conclude in typical know it all academic think "This is ridiculous". The following is just conjecturbation and is likely to be totally wrong.
If your deriving a symmetric encryption key you never actually transmit perhaps some nerfing is intentional so the intended receiver has a prayer of expending energy to derive it. There could be a calculation embedding asymmetric keys is an unnecessary (attribution?) risk leaving crap like this where anyone with sufficient resources could plausibly decrypt a more appealing option.
The consequence of not using random IVs is situation dependent and can range from the safe default of very detrimental to beneficial given certain operating constraints.
Authentication is a double edged sword. If your adversaries don't know what key or data they are looking for providing a known authentication mechanism is an unnecessary gift.
Buggy code = hey some script kiddie put this crap on our system.
Gleaming perfect code = hey, this must be a nation state or some nationally backed entity.
128-bit keys generated using 64 bits of entropy
I'd like to see the professor brute forcing 64 bits to show exactly how weak that is.
Which is a better use of taxpayer money for something that won't get re-used a lot and which might have a short shelf life?
1) Expensive, good, and late, possibly too-late-to-be-useful?
2) Slightly less expensive, crappy-but-functional, and on time
Sometimes the answer is #1, sometimes it is #2. Sometimes you just don't know and you (or your bean-counting managers) have to make a call that might be wrong.
Bottom line:
I'd much rather the hacking tools be crappy than the code that runs something that directly affects tens of millions of people, like, oh, I don't know, the software that makes sure Social Security checks go out on time and in the right amounts?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
...teach.
When you rule with technology don't be surprised when someone else comes along and beats you at your own game. #Japanese2016
Buggy code? Why is the NSA making code for buggies? I thought buggies and horse whips were "old tech"... do people still use them to get around?
Perhaps a buggy is the best way for terrorists to avoid detection. Then I could see putting some code in the buggy to track them... but where would you put it? Maybe in a horse or donkey?
I don't read your sig. Why are you reading mine?
Perhaps NSA followed the lead of the Office of Personal Management and outsourced the code writing to the Chinese?
Whats worse?
The buggy code that can hack a server
or
the buggy code running on the server that can be hacked?
Let's assume this actually is NSA code. By definition, they're working against the clock. They're exploiting vulnerabilities that the vendor might patch tomorrow, next month, next year or never. They have to assume tomorrow and work against that.
You also have to factor in deployment windows. In the case of stuxnet, I seriously doubt Iran was dumb enough to hook up their uranium extractors to the internet. Yes, you can go spear-fishing and hope you catch the right fish or you can intercept a cisco router and replace the firmware... which again puts you in a time crunch.
Finally, how many people do you think they have working on this? I've done management on projects with the lowest level of Federal security clearance and we have a hard enough time finding cleared staff that know their ass from a hole in the ground. I'd be surprised if the development team was more than 10-20 people and I seriously doubt they have a formal QA team.
TLDR; It works. Mission accomplished. (Yes, I used that on purpose).
...at reverse engineering and cracking tend to be extremely 'pragmatic' in their approach to creating software.
People are constantly confusing programming with software engineering. Look at Google for example, look at the design decisions behind golang. Google has lots of very smart people no doubt, but golang was designed around their pervasive weakness - they do not tend to be good software engineers (experience will usually lead them there though.)
Loading...
It's not a good sign when the supposed skilled parts of the US Govt show incompetence. Makes me doubt Aliens could be kept a secret by the US Govt.
Well, the Afghan government is incompetent. The Pentagon charges $1 million/solder year for Afghanistan. USAid isn't efficient. The VA still has big problems, in spite of the Senate subcommittee's promises of changes a few years ago. So, I guess if you hired Trump, and he hired Blackwater, Cintra, some former state governors, and Kaiser Permanente, and he appointed some people for oversight, things would be better.
Still, thousands of religious fanatics skilled in guerrilla warfare, in a nation with an indifferent populace is a very tough problem.
I bet you supported Ted Cruz.
"The purpose of the keygen tool is to generate a 16-byte random number for use by the other tools. This simple task can be accomplished by reading 16 bytes from /dev/urandom."
No, not really - not if you want to maximize entropy. The procedure he describes afterwards seems awfully convoluted, but might be a good way of generating strong pseudorandom numbers in systems with a poor /dev/urandom implementation.
Just saying, there is such a thing as disinformation
If you must moderate, please moderate as irrelevent, not something bad, because I'm sure someone will find this interest
As soon as I got as far as the mention of UIC, I assumed this would have been DJB.
https://en.wikipedia.org/wiki/Daniel_J._Bernstein
The difference?
He *INTENTIONALLY* gave us buggy code. While there were a few 'written from scratch' assignments to do, he felt that 'reinventing the wheel' each new concept was a waste of time, and instead taught the proper way techniques were meant to be done, provided often extremely buggy sample code (from a hypothetical fellow developer at your company) and had you clean it up and fix any issues you found in the source code. He also always included a few obscure bugs which offered bonus points so an occasional bad day wouldn't ruin you if you were otherwise on-target. Interestingly enough his class success/failure rates still matched the course averages compared to other professors, despite this (The spread of ABCDF students was very similiar to less favorable classes, but one bad/missed test wouldn't ruin an A student, and even a D/F student early on could climb back to a C if they got serious by the middle of the semester. Most didn't.)
That said, many of the other professors I had did have sloppy code, and critique of it could result in punitive scoring against your own work.
I would like to point out that everyone is assuming the leaked code is the version of the code that was used in actual operations. I would not be willing to rule out a purposeful "leak" with code that could be cleverly hiding a trojan horse (not the malware, the idea via the Greeks). Supposedly, in the 1980s the CIA learned of a leak of code that controlled pipeline valves etc, and instead of stopping the leak, the worked an attack into the code causing a large pipeline burst in Siberia. It is in a book "At the Abyss" and I admit it has some issues that make the truth not 100% certain.
Still, could the NSA have worked some clever way of tracking anyone that tries to exploit this leaked code and then leaked it themselves? My tin foil hat is firmly in place thank you.
The scenario of extracting RSA key from memory leaks on Cisco Pix reminds a lot about Heartbleed. Does Cisco Pix use OpenSSL?
an exploit called BANANAGLEE, used against Fortinet firewalls
If the submitter actually bothered to read the article, he would realize that BANANAGLEE targets Juniper, not Fortinet. Hoes does one make the mistake of mis-attributing to someone who was only mentioned once in the entire article?
And left unchanged to blend in with all the other script kiddies swimming the sewers with it. Best not to expose the good stuff until the initial poke has been done.
Your conspiracy theories A, B and C depict them as an unknowable force with perfect capability. That's a common factor with a lot of conspiracy theories where the exponents can feel comfort that there is somebody with infinite capability in control so they don't have to worry.
Reality is a series of fuckups some of which have got public attention. The theory that the fuckups are just there to lull us into a false sense of security instead of them being a bunch of toy soldiers that should be replaced with the real thing is especially pathetic. The amount of money being funneled through to private contractor that employed Snowden is staggering and proof enough that the NSA is a very long way from being perfect. The vast number of external bodies with hooks deep into the heart of the NSA would have made it very easy for foreign powers to get hold of everything Snowden had and more.
It's looking more and more that the NSA is more a machine to pump taxpayers money to people with good connections than anything to do with national security.