Slashdot Mirror


Computer Science Professor Mocks The NSA's Buggy Code (softpedia.com)

After performing hours of analysis, a computer science professor says he's "not impressed" by the quality of the recently-leaked code that's supposedly from an NSA hacking tool. An anonymous Slashdot reader writes: The professor, who teaches Software Vulnerability Analysis and Advanced Computer Security at the University of Illinois, Chicago, gripes about the cryptography operations employed in the code of an exploit called BANANAGLEE, used against Fortinet firewalls. Some of his criticisms include the words "ridiculous", "very bad", "crazy" and "boring memory leaks".

"I would expect relatively bug-free code. And I would expect minimal cryptographic competence. None of those were true of the code I examined which was quite surprising," the professor told Softpedia in an email.

If these were cyberweapons, "I'm pretty underwhelmed by their quality," professor Checkoway writes on his blog, adding that he found "sloppy and buggy code," no authentication of the encrypted communication channel, 128-bit keys generated using 64 bits of entropy, and cipher initialization vectors that leaked bits of the hash of the plaintext...
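Two of the three channel weaknesses in the summary (an IV derived from the plaintext's hash, and no authentication of the encrypted channel), as an added worked example beside the corrected form. This is illustrative code written for this page, not code from the leaked tool or from Checkoway's write-up; the leaked construction is not reproduced. Assumptions: a toy keystream built from SHA-256 over key, IV and a counter stands in for whatever cipher the real tool used, the keys are fixed demo bytes, and the message is a constructed sample.

```python
import hashlib
import hmac
import os
from typing import Optional

BLOCK = 16  # IV length in bytes (assumed for the demo)


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || iv || counter), concatenated. A stand-in
    for a real block cipher so the example needs only the standard library."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Weak channel: IV taken from a hash of the plaintext, no MAC ---

def weak_encrypt(key: bytes, plaintext: bytes) -> bytes:
    iv = hashlib.sha256(plaintext).digest()[:BLOCK]   # IV leaks hash bits
    return iv + xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def weak_decrypt(key: bytes, blob: bytes) -> bytes:
    iv, ct = blob[:BLOCK], blob[BLOCK:]
    return xor_bytes(ct, keystream(key, iv, len(ct)))   # accepts anything


def confirm_guess(blob: bytes, guess: bytes) -> bool:
    """Passive attacker: the IV alone confirms a guessed plaintext, no key needed."""
    return hmac.compare_digest(blob[:BLOCK], hashlib.sha256(guess).digest()[:BLOCK])


def tamper(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Active attacker: flip ciphertext bits so the known bytes `old` at
    `offset` decrypt to `new`. Works against any unauthenticated XOR cipher."""
    iv, ct = blob[:BLOCK], bytearray(blob[BLOCK:])
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return iv + bytes(ct)


# --- Fixed channel: random IV, encrypt-then-MAC with a separate MAC key ---

def safe_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(BLOCK)                          # independent of plaintext
    ct = xor_bytes(plaintext, keystream(enc_key, iv, len(plaintext)))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def safe_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # verify before decrypting
        raise ValueError("message authentication failed")
    return xor_bytes(ct, keystream(enc_key, iv, len(ct)))


if __name__ == "__main__":
    key = b"\x00" * 16                      # constructed demo key
    msg = b"cmd=status user=root"           # constructed sample message
    blob = weak_encrypt(key, msg)
    print("guess confirmed without the key:", confirm_guess(blob, msg))
    forged = tamper(blob, msg.index(b"root"), b"root", b"evil")
    print("receiver decrypts forged text as:", weak_decrypt(key, forged))
    ek, mk = b"\x01" * 16, b"\x02" * 16
    try:
        safe_decrypt(ek, mk, tamper(safe_encrypt(ek, mk, msg), 0, b"cmd", b"xxx"))
    except ValueError as e:
        print("fixed channel rejects tampering:", e)
```

Neither attack depends on the toy keystream: any scheme whose IV is a function of the plaintext lets an eavesdropper confirm guesses with no key, and any channel without a MAC lets an active attacker rewrite chosen bytes of the decrypted command. The fix separates encryption and MAC keys, draws the IV from the OS CSPRNG, and checks the tag with a constant-time comparison before touching the ciphertext.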

19 of 179 comments

  1. It is a tool to hack, you idiot by hsmith · · Score: 5, Insightful

    The real issue is what was exploited that one should be concerned about the quality of the code. "Oh man your shell scripts suck!"

    1. Re:It is a tool to hack, you idiot by saps1e · · Score: 5, Insightful

      Agreed. Considering this in the context of "cyberweapon", many weapons have been poorly designed and/or rushed into service, so this may be par for the course. I haven't looked at the code myself, but I would imagine that having a small footprint, both in terms of size and resources, is key to running undetected. Cutting corners, minimal encryption... those could be considered advantages here.

    2. Re:It is a tool to hack, you idiot by Spazmania · · Score: 4, Insightful

      "Oh man your shell scripts suck!"

      Yeah, that was my thought as well. Red team code is supposed to be quick and dirty. It's the attacker, not the defender. It doesn't have to be pretty or work well, it just has to breach the target system.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    3. Re:It is a tool to hack, you idiot by Sique · · Score: 4, Interesting

      Apparently, the bad code has been known to some secret services for some time. And that means that other secret services had the time to exploit the bad code and use it as an attack vector back against the NSA. I would be very wary to know that my opponent knows how shoddy my own code is. If for instance you can hijack encrypted communications, you can feed the communication any disinformation you want, and the original attacker believes it to be the real thing.

      --
      .sig: Sique *sigh*
    4. Re:It is a tool to hack, you idiot by drinkypoo · · Score: 4, Insightful

      Yeah, that was my thought as well. Red team code is supposed to be quick and dirty.

      I think that's a somewhat strong statement. You want your code to work when you deploy it. It's supposed to work. If it works, then it's a working weapon. If it has bugs that impede its function, then it isn't. If the tool can be used against the initiator, because the back channel isn't protected, then it's not just a weapon — it's a hazard.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. TTL by Anonymous Coward · · Score: 3, Insightful

    I'm guessing that time to live is more important than having everything looking pretty with your i's dotted and t's crossed. These tools are for exploits that may not be around forever. Getting the code live and useful is more important than anything else.

  3. Front Door Access by Anonymous Coward · · Score: 5, Funny

    Remember, these are the people who want "Front Door" access to your computer. Without a warrant, without oversight.

    You can trust them, they are the most skilled cyber-warriors on the planet!

    Give them the keys to your front door, both physical and virtual! They are super competent and trustworthy.

  4. Not Surprised by organgtool · · Score: 4, Insightful

    Security vulnerabilities are discovered and patched all of the time. It doesn't make sense to spend a lot of time writing extremely meticulous code for an exploit that could be patched by the time you're done writing the exploit code. Combine that with the fact that there's probably a ton of vulnerabilities in a lot of different applications, drivers, and firmware and it probably makes more sense to focus on quantity of exploits rather than quality.

  5. What did you expect? by PPH · · Score: 4, Funny

    Our best guy is on vacation in Moscow.

    --
    Have gnu, will travel.
  6. Re:NSA is part of "big government" after all by Archtech · · Score: 5, Funny

    We should privatize our security, and make the NSA as well as the military a publicly traded corporation.

    I know! Let's outsource it all to Microsoft!!

    --
    I am sure that there are many other solipsists out there.
  7. Re: In other news by Type44Q · · Score: 5, Insightful

    Or the exact opposite: they send him a fat check, as per their agreement (the NSA functions more effectively when it's being underestimated).

  8. Re: The real issue by Anonymous Coward · · Score: 3, Insightful

    Cute that you think it's a partisan issue.

  9. Meh by Greyfox · · Score: 5, Interesting
    I've yet to see a computer science professor with particularly excellent code, either. I run across assignments and example code from courses on a regular basis that fall into the "Never, ever do that" category of programming. Case in point, a relative of mine recently had some questions about a CS programming assignment. Part of the assignment description talked about design patterns and predictably went straight for the Singleton as an example. I'm pretty sure that's the only pattern that about 90% of programmers ever actually learn when reading about design patterns and it's so abused in the industry right now that you can basically never get one past a design review board.

    Anywhoo, back in the '90's I worked for a company that was getting a B2 Certification for its operating system. My job basically consisted of reading the entire AT&T C standard library code, finding potential security flaws, writing tests for those flaws and then writing a report with the tests which would be delivered to the NSA. I found the remote buffer overflow in the AT&T telnet daemon a couple years before the same overflow was discovered in the Linux telnet daemon. So the NSA basically outsourced the hard work of finding all those exploits to the companies that were trying to get security certifications. It took three or four guys just a few months to go through all the stuff we had to look at. I'm sure we missed a bit, but I was much more confident in the security of their OS at the end of all that. Too bad they eventually went out of business, were acquired by IBM and their products were killed. You know, progress!

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  10. Who's naked? by pabloesgalhardo · · Score: 3, Funny

    He can mock their code but that's how they got all his emails, internet browsing history, phone calls, text messages and GPS coordinates for the last 10 years or more...

  11. Random Numbers by raftpeople · · Score: 3, Interesting

    Is it possible the NSA knows something about existing pseudo-random number implementations and is purposefully working around that issue in this code? The professor seems to ignore this possibility.

    1. Re:Random Numbers by david_bonn · · Score: 3, Insightful

      That's possible, true.

      But it is hard to see that someone would "fix" that problem using the approach given in the code sample. Basically their "fix" only produced 64 bits of entropy for a 128 bit key, which is a 101-level cryptography mistake. It also took more time and was much more complex than a straightforward implementation, which kind of kills the argument about the authors having to work quickly. This is one of those screwups that required thought and effort. I'm left with two possibilities:

      (1) The NSA is hiring complete amateurs to write their exploit tools, and they aren't giving any adult supervision (or code reviews) to the products of those amateurs.

      (2) The NSA/Equation Group didn't write this code at all.
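The keyspace point in the reply above, as an added worked example rather than code from the page or the leaked tool: stretching a short random seed into a longer key, beside the straightforward alternative, with an exhaustive search that shows the work factor follows the seed, not the key length. The hash-based stretching is an assumed stand-in (the page does not reproduce the leaked construction), and the demo uses a 2-byte seed so the search finishes instantly; the scaling to a 64-bit seed is the point.

```python
import hashlib
import os
from typing import Optional


def expand_seed(seed: bytes, key_len: int = 16) -> bytes:
    """Stretch a short random seed to a key_len-byte key. Hashing adds no
    entropy: the key space is exactly the seed space. (Assumed stand-in
    construction, not the leaked code's.)"""
    return hashlib.sha256(seed).digest()[:key_len]


def weak_key(seed_bytes: int = 8) -> bytes:
    """A 128-bit key from a 64-bit seed: the pattern the summary describes."""
    return expand_seed(os.urandom(seed_bytes))


def strong_key() -> bytes:
    """The simpler and correct version: 128 bits straight from the OS CSPRNG."""
    return os.urandom(16)


def brute_force(key: bytes, seed_bytes: int) -> Optional[bytes]:
    """Recover the seed behind `key` by enumerating all 256**seed_bytes seeds.
    Cost is 2**(8*seed_bytes) hashes no matter how long the output key is."""
    for n in range(256 ** seed_bytes):
        seed = n.to_bytes(seed_bytes, "big")
        if expand_seed(seed) == key:
            return seed
    return None


def work_factor_bits(seed_bytes: int, key_len: int = 16) -> int:
    """Effective security in bits: the smaller of seed size and key size."""
    return min(8 * seed_bytes, 8 * key_len)


if __name__ == "__main__":
    # 2-byte seed: 2**16 hashes here, 2**64 for the real construction,
    # 2**128 for a key drawn directly from os.urandom(16).
    seed = os.urandom(2)
    print("seed recovered by search:", brute_force(expand_seed(seed), 2) == seed)
    print("work factor, 8-byte seed:", work_factor_bits(8), "bits (not 128)")
    print("work factor, os.urandom(16):", work_factor_bits(16), "bits")
```

The comparison also bears on the reply's second observation: the weak version is more code than the strong one, since `os.urandom(16)` already returns a full-entropy key and every line of stretching on top of it can only reduce the key space.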

  12. Re:NSA is part of "big government" after all by breagerey · · Score: 3, Insightful

    I hate this trope.
    Govt *isn't* a business in the traditional sense of the word and we shouldn't expect it to be.

  13. Bomb researcher not impressed with IED by Overzeetop · · Score: 4, Insightful

    Expert: I mean, look at it - it's a bunch of nails and duct tape around a low explosive core which doesn't have nearly the proper confinement for even 50% of the maximum shock wave capable, much less the ability to transition to detonation. And this wiring - that's just disgraceful - the solder didn't even flow properly here, and this is entirely unshielded - anything could set this off accidentally, even a cell phone. If you were in my training program, you'd fail miserably.

    Terrorist: We used one of these yesterday to kill 25 people and injure another 70 in a market in Aleppo.

    Expert:...

    --
    Is it just my observation, or are there way too many stupid people in the world?
  14. Re:NSA is part of "big government" after all by dbIII · · Score: 3, Informative

    Privatize security? You mean like dismantle the TSA and have airport security run by the airlines?

    At this point that would be an incredibly good idea.
    The airlines have different priorities so would run it as security and not a massive welfare program for a massive number of poorly trained staff and money funnel to political connections.
    Walmart "greeters" take the security part of their job far more seriously than the TSA up to the highest level.

    As for everything else, you've got some good points.

    is the privatization of all military

    Blackwater etc partially happening and a horror story in general. Mercenaries employed to do what professional soldiers consider unprofessional or outright war crimes.

    I believe he has enough respect of the people in uniform

    He has shown utter contempt on several occasions.

    I believe it won't be long before larger and more complicated weapons, like a passable battle tank, can be mass produced in an amateur machinist garage.

    A very interesting idea but it doesn't seem to be playing out that way anywhere.

    By the way, what do you second amendment types do at 45? Do you get rid of all your guns since the second amendment doesn't apply to you after that? Perhaps you should consider that your right to be armed comes from it not being taken away from you in the first place and has nothing at all to do with the second amendment.