Slashdot Mirror
Computer Science Professor Mocks The NSA's Buggy Code (softpedia.com)
After performing hours of analysis, a computer science professor says he's "not impressed" by the quality of the recently-leaked code that's supposedly from an NSA hacking tool. An anonymous Slashdot reader writes: The professor, who teaches Software Vulnerability Analysis and Advanced Computer Security at the University of Illinois, Chicago, gripes about the cryptography operations employed in the code of an exploit called BANANAGLEE, used against Fortinet firewalls. Some of his criticism include the words "ridiculous", "very bad", "crazy" and "boring memory leaks".
"I would expect relatively bug-free code. And I would expect minimal cryptographic competence. None of those were true of the code I examined which was quite surprising," the professor told Softpedia in an email.
If these were cyberweapons, "I'm pretty underwhelmed by their quality," professor Checkoway writes on his blog, adding that he found "sloppy and buggy code," no authentication of the encrypted communication channel, 128-bit keys generated using 64 bits of entropy, and cypher initialization vectors that leaked bits of the hash of the plain text...
"I would expect relatively bug-free code. And I would expect minimal cryptographic competence. None of those were true of the code I examined which was quite surprising," the professor told Softpedia in an email.
If these were cyberweapons, "I'm pretty underwhelmed by their quality," professor Checkoway writes on his blog, adding that he found "sloppy and buggy code," no authentication of the encrypted communication channel, 128-bit keys generated using 64 bits of entropy, and cypher initialization vectors that leaked bits of the hash of the plain text...
The real issue is what was exploited that one should be concerned about the quality of the code. "Oh man your shell scripts suck!"
Photos of the professor with under age children have been appearing all over the internet.
People have been puzzled why the material was on otherwise innocuous sites.
I'm guessing that time to live is more important than having everything looking pretty with your i's dotted and t's crossed. These tools are for exploits that may not be around for ever. Getting the code live and useful is more important than anything else.
Remember, these are the people who want "Front Door" access to your computer. Without a warrant, without oversight.
You can trust them, they are the most skilled cyber-warriors on the planet!
Give them the keys to your front door, both physical and virtual! They are super competent and trustworthy.
Clearly the NSA leaked these tools with built-in weaknesses so they could get others to install them, then they get to use them.
It's been confirmed to be real: https://yro.slashdot.org/story...
You don't like someone? All you have to do is place child porn pictures on their computer, alert the authorities, and even if they've never seen the pics, they are going to the hole for a long time. And it's quite easy to get the pics there too. USB, web link, email attachments, all so easy, and once the evidence is there, you're screwed, even if you deleted it, short of reinstalling windows, (and even that might not work) or replacing new harddrive.
The police and society at whole have no sympathy for "child molestors", despite the fact that VIEWING A PICTURE IS AN INNONCENT CRIME. But people just believe the hysteria, for the children nonsense, etc. and run with it. Or some are just on power trip and love to see others locked away for 10+ years for an activity that didn't harmed anyone.
I'm honestly surprised a lot more people don't try it, seeing how easy it is to frame someone with it. Welcome to 1984.
Security vulnerabilities are discovered and patched all of the time. It doesn't make sense to spend a lot of time writing extremely meticulous code for an exploit that could be patched by the time you're done writing the exploit code. Combine that with the fact that there's probably a ton of vulnerabilities in a lot of different applications, drivers, and firmware and it probably makes more sense to focus on quantity of exploits rather than quality.
Our best guy is on vacation in Moscow.
Have gnu, will travel.
We should privatize our security, and make the NSA as well as the military a publicly traded corporation.
I know! Let's outsource it all to Microsoft!!
I am sure that there are many other solipsists out there.
Trump will run the USA like a business, that's why he has my vote, although he hasn't announced privatisation of vast parts of the government yet, which I would really like.
And that is good because on average, every second business goes bankrupt after two years, right? Donald Trump has extensive experience in running businesses going bankrupt.
ok so like the NSA got pwnt because they asshat-miscrypto-cleartexted the shit out of trillions of dollars worth of strategic vital interest defensive and offensive cyberweapons while exposing us to digital armageddon by revealing a global infrastructure of intentionally, illegally, and poorly back-doored hardware while being recorded for 3 years by our enemies engaging in top secret god knows what the fuck in an information age geopolitical information warfare climate of 2013-2016? did i get this correct guys? oh and never mind the global financial race between thousands of entities to to buy 1/28th of the bitcoin market which doesnt have enough liquidity and a low cap that will crash the world finacial economy and make the shadow brokers owners of about 1/30th of the global electronic currency system (assuming they only sell it once, which they wont). the jfk assassination is starting to look like a day in the life of the kardashians. #makeamericagreatagain #blacklivesmatter #pewdiepie
Cute that you think its a partisan issue
.....is what they're thinking I'm sure. They probably destroy the VM after using the tool anyway.
Twinstiq, game news
Consider the possibility that the leaked code may be disinformation.
Isn't most of this coding already privately contracted to companies like Northrop Grumman and Raytheon?
Microsoft sued the government to protect its users. Google had a revolving door to the whitehouse installed. You are barking up the wrong tree.
In retrospect.
Suddenly those spent costs no longer seem like they should have cost as much.
And those lessons learned? We should have just known those!
It's why industry refuses to spend anything on basic research anymore. SOO inefficient, and with priorities that make no sense to some random consultant or investor.
[sarcasm]
Pff - NASA, I could do better than that! Here - I'll just make up an ideal, say, random number generation that I just happen to have a library of code on, and WOW - I do SO MUCH BETTER than them. Not impressed, NASA, not impressed.
I don't even have to bother understanding the ideals that their code was actually built towards!
[end sarcasm]
Ryan Fenton
Anywhoo, back in the '90's I worked for a company that was getting a B2 Certification for its operating system. My job basically consisted of reading the entire AT&T C standard library code, finding potential security flaws, writing tests for those flaws and then writing a report with the tests which would be delivered to the NSA. I found the remote buffer overflow in the AT&T telnet daemon a couple years before the same overflow was discovered in the Linux telnet daemon. So the NSA basically outsourced the hard work of finding all those exploits to the companies that were trying to get security certifications. It took three or four guys just a few months to go through all the stuff we had to look at. I'm sure we missed a bit, but I was much more confident in the security of their OS at the end of all that. Too bad they eventually went out of business, were acquired by IBM and their products were killed. You know, progress!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Just like we should privatize our prisons, eh? And how has that worked out?
One thing decades as a developer has taught me is to avoid hubris about bugs. Even good programmers make bad mistakes. Software development on a large scale is a social process, and the less transparent that process is the greater opportunity bad decisions have to escape scrutiny.
It doesn't surprise me at all that secretly developed software has obvious mistakes in it -- obvious to outsiders that is.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
He can mock their code but thats how they got all his emails, internet browsing history, phone calls, text messages and gps coordinates for the last 10 years or more...
Riiiight.
"Hot line to the NSA
It's gotten to the point where no vendor hip to the NSA's power will even start building products without checking in with Fort Meade first. This includes even that supposed ruler of the software universe, Microsoft Corp. "It's inevitable that you design products with specific [encryption] algorithms and key lengths in mind," said Ira Rubenstein, Microsoft attorney and a top lieutenant to Bill Gates. By his own account, Rubenstein acts as a "filter" between the NSA and Microsoft's design teams in Redmond, Wash. "Any time that you're developing a new product, you will be working closely with the NSA," he noted. "
http://www.cnn.com/TECH/comput...
Is it possible the NSA knows something about existing pseudo-random number implementations and is purposefully working around that issue in this code? The professor seems to ignore this possibility.
I hate this trope
Govt *isn't* a business in the traditional sense of the word and we shouldn't expect it to be
Did he consider that perhaps NSA is smart enough to not leave their fingerprint i.e. NSA-like code all over the exploits? There are more layers of security to consider than the code itself and plausible deniability ought to be right up there should the code ever get leaked. They also have been known to buy exploits on the black market, which would also have the added benefit of concealing the true source of the hacks.
Cute that you think its a partisan issue
I think it would be a disaster if Trump won, and that is not entirely because of what trump would do. Simply put if you can regularly get elected on a stack of blatent lies this bad, then democracy is in trouble.
That being said, I see no evidence this is a remotely partisan issue. Bernie might have done something, maybe. Neither Hillary or Trump is likely to do anything.
Rather rich given the two presidents with the biggest domestic spying operations were Nixon and Bush Jr.
What if the shadow brokers didn't hack and steal NSA code, but simply had some part in writing the code to begin with and perhaps what they're selling is unrefined prototypes?
Frankly I have no reason to believe that the shadow brokers and the equation group are even separate entities. If equation group are as good as they are supposed to be, then it makes more sense that for some reason equation group are playing a game with the public. (I highly doubt they'd try and play a game with the NSA.)
I have also seen that the NSA has been trying to make itself somewhat more transparent and useful to the public in the last eight years. Not exactly taking strides but there have definitely been gestures. Perhaps this is the only way they know how to release tools to the public while avoiding accountability under a government that doesn't comprehend the benefits of transparency or educating the masses in cyber security. It would also explain how federally held bitcoins have been trickling into the shadow brokers' wallet.
Just sayin'.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Expert: I mean, look at it - it's a bunch of nails and duct tape around a low explosive core which doesn't have nearly the proper confinement for even 50% of the maximum shock wave capable, much less the ability to transition to detonation. And this wiring - that's just disgraceful - the solder didn't even flow properly here, and this is entirely unsheilded - anything could set this off accidentally, even a cell phone. If you were in my training program, you're fail miserably.
Terrorist: We used one of these yesterday to kill 25 people and injure another 70 in a market in Aleppo.
Expert:...
Is it just my observation, or are there way too many stupid people in the world?
Buggy code = hey some script kiddie put this crap on our system.
Gleaming perfect code = hey, this must be a nation state or some nationally backed entity.
...in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defense, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity...
Not exactly the best charter statement for a profitable business.
128-bit keys generated using 64 bits of entropy
I'd like to see the professor brute forcing 64 bits to show exactly how weak that is.
The ignorant masses have exaggerated the powers a President has. This exaggeration also applies to the powers and capabilities of the intelligence agencies. The President can neither magically make things dramatically better or worse. If Trump was to win the Presidency he would have to work with a legislative branch that absolutely hates him and will work to stifle any Presidential initiatives he tries to create. In fact they would spend all their time looking for any impeachable offenses he may commit.
The current US government is in dire need of change. Both the democrats and republicans need a time out and reality check. The high dollar supporters of both parties need to experience losing vast sums of money and ending up with nothing to show for their donations. The media has stepped out of the closet and turned into the National Enquirer where headlines attract readership but the actual content doesn't come close to justifying the sensationalist headlines. In the past the big media players could be more subtle in their support for one party over another. If Trump wins the media empire will see nothing but scorn and ridicule while at the same time losing their behind the scenes access to the office of the President.
And it is the time for a US President who brings to light just how worthless most of the US foreign allies are. The foreign allies are scared to death that they might actually have to become responsible for their own security instead of expecting the US to do it for them. If some country wants US military protection they should expect an invoice with at least 50% due up front.
All those people advocating a third party candidate who can win the Presidency have one staring them in the face. And make no mistake Trump is a 3rd party candidate who attacks the Republican party more than Democrats.
Trumps election would reduce the power of the behind the scenes establishment crowd for at least 4 years. If he accomplished nothing else it would be worth it to see both the Republicans and Democrats sit in the corner pouting about having no presidential power or support. All the harshest critics of Trump will be further diminished if Trump wins. They have bet everything on Clinton winning so their statements and actions will not hurt them. If Trump wins they are truly fucked because Trump doesn't strike me as the kind of person who lets personal attacks just slide by.
Trump has no government experience which could be a plus but it doesn't really matter that much. The US government is big and operates mainly on the inertia created over the years. It's a big ship that takes a long time to turn either way. Trump would not have the power to radically change anything or cause any real harm.
So why not let him slap the existing parties and their supporters in the face?
Which is a better use of taxpayer money for something that won't get re-used a lot and which might have a short shelf life?
1) Expensive, good, and late, possibly too-late-to-be-useful?
2) Slightly less expensive, crappy-but-functional, and on time
Sometimes the answer is #1, sometimes it is #2. Sometimes you just don't know and you (or your bean-counting managers) have to make a call that might be wrong.
Bottom line:
I'd much rather the hacking tools be crappy than the code that runs something that directly affects tens of millions of people, like, oh, I don't know, the software that makes sure Social Security checks go out on time and in the right amounts?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Trump will run the USA like a business, that's why he has my vote, although he hasn't announced privatisation of vast parts of the government yet, which I would really like.
Ah yes, Trump the living Rorschach test. Apparently while we are meant to be ignoring all the insane things he says as sarcasm or nonsensical jokes, we are also supposed to be inserting all of our greatest policy desires between the lines. I guess I've been holding my Trump wrong this whole time. Let me just flip this around and...oh! Now it's a pretty butterfly! Go Trump!
Whats worse?
The buggy code that can hack a server
or
the buggy code running on the server that can be hacked?
...at reverse engineering and cracking tend to be extremely 'pragmatic' in their approach to creating software.
People are constantly confusing programming with software engineering. Look at Google for example, look at the design decisions behind golang. Google has lots of very smart people no doubt, but golang was designed around their pervasive weakness - they do not tend to be good software engineers (experience will usually lead them there though.)
Loading...
"The purpose of the keygen tool is to generate a 16-byte random number for use by the other tools. This simple task can be accomplished by reading 16 bytes from /dev/urandom."
No, not really - not if you want to maximize entropy. The procedure he describes afterwards seems awfully convoluted, but might be a good way of generating strong pseudorandom numbers in systems with a poor /dev/urandom implementation.
Just saying, there is such a thing as disinformation
If you must moderate, please moderate as irrelevent, not something bad, because I'm sure someone will find this interest
It's not cute anymore.
Crap. I have to burn this because I accidentally moderated you as insightful. You're right that big government is a failure. But Trump isn't going to do a blessed thing to downsize anything. That man's as much a totalitarian as Hillary and neither should have gotten as far as they have already. Twenty years ago, the scandals and missteps by both of them would have ruined their campaigns. Hell, Howard Dean torpedoed his run with a single howl only 12 years ago!
The scenario of extracting RSA key from memory leaks on Cisco Pix reminds a lot about Heartbleed. Does Cisco Pix use OpenSSL?
Privatize security? You mean like dismantle the TSA and have airport security run by the airlines? As in having the government issue letters of marque and reprisal? Where privateers/mercenaries/whatever fight our wars for profit?
Tell me something, how are these people supposed to arm themselves? Would this not require people to be able to buy the same weapons as those available to the standing army? If not then what are people supposed to fight with, VP Biden approved double barrel shotguns?
The ability for people to fight the battles that our government gets us into was the reason for the Second Amendment. Minutemen were people of the unorganized militia that came to battle with their own weapons. That's why they were called "minutemen", because they were ready to fight on a minute's notice.
One big problem I have with your proposition is the privatization of all military. The reason the Second Amendment is there is to allow the people to protect themselves from the government. What concerns me is with no government funded military there is nothing to protect the government from the people. The mutual respect of the authority of the people and the authority of the government is supposed to keep both in check, if that fails the natural instinct to not get killed in a battle between the two was supposed to keep them in check. Disarming one or the other is dangerous, disarming both is impossible.
Trump may be supportive of our right to keep and bear arms, and he may see some value in handling many aspects of the government like a business, what I don't see him doing is privatizing the military. I believe he has enough respect of the people in uniform to believe they will do the right thing when called upon.
I did laugh at loud at your proposal, if only because it reminded me of a scene from Iron Man 2 where an irreverent billionaire told a bunch of stuffy government officials to fuck off because he just privatized national defense. In some way I see that coming. Technology is enabling people with even a few thousand dollars to spare to produce weapons on par with anything the government has. An M-16 is almost trivial to produce now in a basement shop. I believe it won't be long before larger and more complicated weapons, like a passable battle tank, can be mass produced in an amateur machinist garage.
I am armed because I am free. I am free because I am armed.
At this point that would be an incredibly good idea.
The airlines have different priorities so would run it as security and not a massive welfare program for a massive number of poorly trained staff and money funnel to political connections.
Walmart "greeters" take the security part of their job far more seriously than the TSA up to the highest level.
As for everything else, you've got some good points.
Blackwater etc partially happening and a horror story in general. Mercenaries employed to do what professional soldiers consider unprofessional or outright war crimes.
He has shown utter contempt on several occasions.
A very interesting idea but it doesn't seem to be playing out that way anywhere.
By the way, what do you second amendment types do at 45? Do you get rid of all your guns since the second amendment doesn't apply to you after that? Perhaps you should consider that your right to be armed comes from it not being taken away from you in the first place and has nothing at all to do with the second amendment.
We've seen what the NSA is now.
It's horse judges doing a "heck of a job" all the way down.
If it's utter crap that fits bullet points but is not fit for the actual task then it's the real thing.
With all the drunk drivers on the road, every buggy should have a dash cam and automatic emergency services notification.
And it is probably worth considering a backup camera while you're doing the install.
These people at least have GPS:
http://thefw.com/horse-and-car...
This buggy has lots of electronics:
http://gajitz.com/literal-hors...
If I was the NSA, I wouldn't want all those data streams slipping through the cracks.
an exploit called BANANAGLEE, used against Fortinet firewalls
If the submitter actually bothered to read the article, he would realize that BANANAGLEE targets Juniper, not Fortinet. Hoes does one make the mistake of mis-attributing to someone who was only mentioned once in the entire article?
He has shown utter contempt on several occasions.
As someone that once wore the uniform of an American warrior I am quite aware of Trump saying some disparaging remarks about our military. Even so I've seen him say many good things. Hilary Clinton on the other hand allowed people under her care to die at the hands of our enemies only because by sending in our warriors might make things look worse for her. Trump isn't perfect and I'll admit that. Clinton on the other hand is far worse.
A very interesting idea but it doesn't seem to be playing out that way anywhere.
I can see both sides here, for and against.
First, in agreement with you. You are correct that people aren't mass producing machine guns in their basements or battle tanks in their garages. Even though there is a lot of suckage to go around we here in the USA still have it pretty good. People have access to a wide variety of weapons off the shelf and if one wants to go through the paperwork they can own real deal military hardware. Now people cannot own modern weapons like F-22 planes but people can get a vintage fighter plane, a belt fed machine gun, a medium battle tank, or just about anything except perhaps land mines. Because things are good and people generally have access to some really nice hardware we don't see people arming up with home made weaponry. If things become not so good then we get to my second point.
Second, I did not claim that people were making such things now, only that the capability exists or will exist very soon. Every once in a while we will even see it happen. People will have a broken rifle and it goes full auto on them, it happens. It's trivial to clean that up and make it do that intentionally and safely. We've seen people flip their lid and turn a bulldozer, earth mover, or some other piece of heavy machinery into a mobile gun platform. Not quite a battle tank but if you look for videos on the internet you'll see a few cases of some quite successful attempts at getting close. Again if this is cleaned up a bit, and done with some sane planning instead of an act of suicide by cop then we could see something quite battle worthy. A lot of people know how to make this stuff but lack the motivation to do so. With a few emerging technologies to help this along, like 3D printing, the number of people with this capability increases as does the rate at which such weapons could be produced.
By the way, what do you second amendment types do at 45? Do you get rid of all your guns since the second amendment doesn't apply to you after that? Perhaps you should consider that your right to be armed comes from it not being taken away from you in the first place and has nothing at all to do with the second amendment.
It appears you are of the mind that the Second Amendment is there to protect the state's right to create a militia. This is a false interpretation, to demonstrate how this is wrong I can show the writings of the authors of the Constitution and opinions from SCOTUS that the right to keep and bear arms exists outside of the militia. The Second Amendment protects the right of self defense by the individual and by the states. The right does not begin and end at the age of conscription.
You are correct that the right of self defense exists outside of the Second Amendment which is why I am confused that you some how came to the conclusion that I believe that the Second Amendment places limits on my rights. The Second Amendment does not define my rights, limit my rights, or create my rights. What it says is that my rights exist, that they are inherent to my person, and says that the government has no authority to deny that right to me. All of that is not said in the Second Amendment alone, but comes from the preamble to the Bill of Rights and the Constitution as a whole.
I am armed because I am free. I am free because I am armed.
And it is the time for a US President who brings to light just how worthless most of the US foreign allies are. The foreign allies are scared to death that they might actually have to become responsible for their own security instead of expecting the US to do it for them. If some country wants US military protection they should expect an invoice with at least 50% due up front.
So you think it's really in the best interests of the US to let Putin reconstruct the USSR/Warsaw Pact as he seems intent on doing? And have you noticed all the Russian activity in the Middle East of late...? Guess not.
As soon as Trump started the spewing the utter horseshit which you parrot above, it became obvious he was either working for Putin, or might as well be.
Trump/Putin in 2016! It even rhymes, hey...
Il n'y a pas de Planet B.
It's not a good sign when the supposed skilled parts of the US Govt show incompetence. Makes me doubt Aliens could be kept a secret by the US Govt.
That's what the Aliens want you to think.
wtf? "And have you noticed all the Russian activity in the Middle East of late."
hello pot, this is kettle calling...you're black!
So the Russians are involved in Syria, via Syrian airbases and Iranian airbases, both of which they received permission to use from the host country.
The USA on the other hand... is illegally operating with non-boots-on-the-ground boots in Syria.
We invaded Iraq.
We destroyed Libya.
We have bases in Kuwait, UAE, Saudi Arabia, Iraq, Syria, Yemen, Afghanistan, Egypt, Libya.
But look over there, those damn Russians!
If your first sentence is accurate, than Trump is a very successful businessman since I have only heard about 2 or 3 of his companies going bankrupt, and he has had 100s.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Except for Obama who expanded Bush's domestic spying.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
As seen in Syria vs Israel some years ago the German tanks that were very effective in WW2 did not stand a chance against a later American tank - there is a looong way down from those old tanks to what you describe. Those home built platforms are one roadside bomb or RPG away from scrap metal.
That's not in the amendment is it? That's kind of reinforcing my point that the right comes from elsewhere.
Real (but small) machine tools at the bottom end with controllers that could make them as easy to use as 3D printers are already as cheap. Why make a piece of shit ABS plastic gun when you can make a real one out of cheap steel after cutting and pasting a bit of code? Personally I think the 3D guns thing is from attention seekers that don't care if they ruin stuff for everyone - a lot of types of wood are stronger than ABS plastic.
Your conspiracy theories A, B and C depict them as an unknowable force with perfect capability. That's a common factor with a lot of conspiracy theories where the exponents can feel comfort that there is somebody with infinite capability in control so they don't have to worry.
Reality is a series of fuckups some of which have got public attention. The theory that the fuckups are just there to lull us into a false sense of security instead of them being a bunch of toy soldiers that should be replaced with the real thing is especially pathetic. The amount of money being funneled through to private contractor that employed Snowden is staggering and proof enough that the NSA is a very long way from being perfect. The vast number of external bodies with hooks deep into the heart of the NSA would have made it very easy for foreign powers to get hold of everything Snowden had and more.
It's looking more and more that the NSA is more a machine to pump taxpayers money to people with good connections than anything to do with national security.