Slashdot Mirror

← Back to Stories (view on slashdot.org)

Computer Science Professor Mocks The NSA's Buggy Code (softpedia.com)

Posted by EditorDavid on from the back-to-school dept.

After performing hours of analysis, a computer science professor says he's "not impressed" by the quality of the recently-leaked code that's supposedly from an NSA hacking tool. An anonymous Slashdot reader writes: The professor, who teaches Software Vulnerability Analysis and Advanced Computer Security at the University of Illinois, Chicago, gripes about the cryptography operations employed in the code of an exploit called BANANAGLEE, used against Fortinet firewalls. Some of his criticism include the words "ridiculous", "very bad", "crazy" and "boring memory leaks".

"I would expect relatively bug-free code. And I would expect minimal cryptographic competence. None of those were true of the code I examined which was quite surprising," the professor told Softpedia in an email.
If these were cyberweapons, "I'm pretty underwhelmed by their quality," professor Checkoway writes on his blog, adding that he found "sloppy and buggy code," no authentication of the encrypted communication channel, 128-bit keys generated using 64 bits of entropy, and cypher initialization vectors that leaked bits of the hash of the plain text...

12 of 179 comments (clear)

  1. It is a tool to hack, you idiot by hsmith · · Score: 5, Insightful

    The real issue is what was exploited that one should be concerned about the quality of the code. "Oh man your shell scripts suck!"

    1. Re:It is a tool to hack, you idiot by saps1e · · Score: 5, Insightful

      Agreed. Considering this in the context of "cyberweapon", many weapons have been poorly designed and/or rushed into service, so this may be par for the course. I haven't looked at the code myself, but I would imagine that having a small footprint, both in terms of size and resources, is key to running undetected. Cutting corners, minimal encryption... those could be considered advantages here.

    2. Re:It is a tool to hack, you idiot by Spazmania · · Score: 4, Insightful

      "Oh man your shell scripts suck!"

      Yeah, that was my thought as well. Red team code is supposed to be quick and dirty. It's the attacker, not the defender. It doesn't have to be pretty or work well, it just has to breach the target system.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    3. Re:It is a tool to hack, you idiot by Sique · · Score: 4, Interesting

      Apparently, the bad code has been known to some secret services for some time. And that means that other secret services had the time to exploit the bad code and use it as an attack vector back against the NSA. I would be very wary to know that my opponent knows how shoddy my own code is. If for instance you can hijack encrypted communications, you can feed the communication any desinformation you want, and the original attacker believes it to be the real thing.

      --
      .sig: Sique *sigh*
    4. Re:It is a tool to hack, you idiot by drinkypoo · · Score: 4, Insightful

      Yeah, that was my thought as well. Red team code is supposed to be quick and dirty.

      I think that's a somewhat strong statement. You want your code to work when you deploy it. It's supposed to work. If it works, then it's a working weapon. If it has bugs that impede its function, then it isn't. If the tool can be used against the initiator, because the back channel isn't protected, then it's not just a weapon — it's a hazard.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Front Door Access by Anonymous Coward · · Score: 5, Funny

    Remember, these are the people who want "Front Door" access to your computer. Without a warrant, without oversight.

    You can trust them, they are the most skilled cyber-warriors on the planet!

    Give them the keys to your front door, both physical and virtual! They are super competent and trustworthy.

  3. Not Surprised by organgtool · · Score: 4, Insightful

    Security vulnerabilities are discovered and patched all of the time. It doesn't make sense to spend a lot of time writing extremely meticulous code for an exploit that could be patched by the time you're done writing the exploit code. Combine that with the fact that there's probably a ton of vulnerabilities in a lot of different applications, drivers, and firmware and it probably makes more sense to focus on quantity of exploits rather than quality.

  4. What did you expect? by PPH · · Score: 4, Funny

    Our best guy is on vacation in Moscow.

    --
    Have gnu, will travel.
  5. Re:NSA is part of "big government" after all by Archtech · · Score: 5, Funny

    We should privatize our security, and make the NSA as well as the military a publicly traded corporation.

    I know! Let's outsource it all to Microsoft!!

    --
    I am sure that there are many other solipsists out there.
  6. Re: In other news by Type44Q · · Score: 5, Insightful

    Or the exact opposite: they send him a fat check, as per their agreement (the NSA funtions more effectively when it's being underestimated).

  7. Meh by Greyfox · · Score: 5, Interesting
    I've yet to see a computer science professor with particularly excellent code, either. I run across assignments and example code from courses on a regular basis that fall into the "Never, ever do that" category of programming. Case in point, a relative of mine recently had some questions about a CS programming assignment. Part of the assignment description talked about design patterns and predictably went straight for the Singleton as an example. I'm pretty sure that's the only pattern that about 90% of programmers ever actually learn when reading about design patterns and it's so abused in the industry right now that you can basically never get one past a design review board.

    Anywhoo, back in the '90's I worked for a company that was getting a B2 Certification for its operating system. My job basically consisted of reading the entire AT&T C standard library code, finding potential security flaws, writing tests for those flaws and then writing a report with the tests which would be delivered to the NSA. I found the remote buffer overflow in the AT&T telnet daemon a couple years before the same overflow was discovered in the Linux telnet daemon. So the NSA basically outsourced the hard work of finding all those exploits to the companies that were trying to get security certifications. It took three or four guys just a few months to go through all the stuff we had to look at. I'm sure we missed a bit, but I was much more confident in the security of their OS at the end of all that. Too bad they eventually went out of business, were acquired by IBM and their products were killed. You know, progress!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  8. Bomb researcher not impressed with IED by Overzeetop · · Score: 4, Insightful

    Expert: I mean, look at it - it's a bunch of nails and duct tape around a low explosive core which doesn't have nearly the proper confinement for even 50% of the maximum shock wave capable, much less the ability to transition to detonation. And this wiring - that's just disgraceful - the solder didn't even flow properly here, and this is entirely unsheilded - anything could set this off accidentally, even a cell phone. If you were in my training program, you're fail miserably.

    Terrorist: We used one of these yesterday to kill 25 people and injure another 70 in a market in Aleppo.

    Expert:...

    --
    Is it just my observation, or are there way too many stupid people in the world?