The Equation Group's sourcecode is totally fugly


#1

Originally published at: http://boingboing.net/2016/08/21/the-equation-groups-sourceco.html


#2

I remember reading long ago that simply making up your own PRNG algorithm is a bad idea. The algorithms the big eggheads have developed are really secure, but if you “slice and dice” a dozen random numbers, the result is generally far less random. Counter-intuitive but true.

Likewise, the secret codes I developed in third grade are actually less secure than RSA-128. Disappointed!


#3

So, the one with using 64 bits of entropy to generate a 128 bit key is legitimately a serious fuckup that should have been caught, and could easily have serious consequences.

The rest of those don’t strike me as that big a deal. These vulnerabilities don’t really last for that long, so code to exploit them isn’t going to be in use all that long either, which means that just hacking together something that works as fast as you can and pushing it out the door is not an unreasonable way to go about it.


#4

It wouldn’t be a huge surprise if the talent and interests of their team skew pretty heavily toward the ‘poking your stuff for weaknesses’ rather than the ‘perfectionist rigor for our stuff’ school.

The two aren’t mutually exclusive; but once you’ve adopted the theory that exploiting bugs generates more security than fixing them, your allocation of time and energy probably reflects that.


#5

Except when they go undetected for a decade or longer.

A bigger reason why it matters, though, is that the vulnerability is just 10% or less of any given malware, the rest gets re-used in dozens of malware packages, so the quality of the code does matter. Analogy: the zero day vulnerability is like the lock pick that opens the door, and the rest of the malware package is all the rest of the tools that a burglar needs to ransack someone’s house. Having bugs in the malware code is like going to rob a house equipped with a broken flashlight.


#6

Is it possible that the Shadow Brokers are part of the Equation Group, and that this is a scheme to expose some purposefully weak code with the goal of diminishing global fears of the NSA?

I’m not usually very conspiratorial, but that would be a clever plan.


#7

The ones I developed are less secure than ROT-13. Twice.


#8

See The Man Who was Thursday, by G K Chesterton. Spoiler:

In this book a secret agent penetrates a cell of anarchists only to discover that almost everybody else is also a secret agent. It may be the prototype, or even the archetype, of such stories.


#9

True enough. I’ve had more than one time in my personal experience where I’ve hacked together something that was supposed to be a one-off on a tight deadline, only to regret having not spent more time structuring it well when it inevitably turns out that, once you’ve got the code to do something, everyone wants you to do it for them, too, so it winds up not being a one-off.


#10

Hardly surprising. It is the principle of ‘good enough’.

I need to go to the supermarket. I would really like to get there quickly so I will wait until a Ferrari shows up in my driveway. No, the answer is to get the old Subaru out of the garage and start driving – it will get the job done.

There is an old aphorism that the perfect is the enemy of the good. This was a quick-and-dirty hack where quick was the key word. Having code audits and weekly group hugs would certainly have produced prettier source code and more secure results but the time involved would certainly have made the effort less useful. There was no intention that professors would be handing out grades.


#11

More often than I care to admit…


#12

It’s different code, but Nick Weaver was very impressed with Sauron/Strider.

Edit to add: one of the points that Weaver makes is that the NSA’s A-Game is so good, that their stuff is basically recognisable on sight, even without direct attribution. He therefore suggests that the NSA would be wise to continue producing their A-Game stuff for targeted, bespoke high-value espionage, while shitty code like that - which is not so easy to attribute - be used for lesser or wholesale targeting. Maybe BANANAGLEE is exactly that - deliberately shitty to avoid attribution (which obviously didn’t work in this case, but you know …)?


#13

That jackass didn’t even leave comments! How did he expect me to understand why he’s doing this?


#14

That reminds me of a story I read on reddit where someone told the tale of a Monday morning where he was dealing with crappy code (with no comments). He went around the office to hunt down the idiot who wrote it, only to discover that it was him. He wrote it, the previous Friday, just three days prior.


#15

I remember reading an interview once with some congressional staffer where he said something like, “If you want to watch a show about the secret behind the scene workings of DC politics, don’t watch House of Cards, watch Veep.”

Point being, most things are much more likely to be half-assed, last minute rush jobs than something complicated and well-thought-out. A frightening number of things in this modern world are done in a manner much more akin to those last minute essays you wrote in college than any of us would like to admit.


#16

Yup. After all, why change the habit of a lifetime? If it got you through college, it’ll get you through engineering a regime change.


#17

Good old 2-factor ROT13.


#18

Of course the code is sloppy. It is a hack! Hacks are sloppy by definition.


#19

Thanks! I need to read some Chesterton and this is available at gutenberg.org :wink:


#20

On the flip side, isn’t it rewarding when you come back to an old piece of work, forgot it was you that put it together, and say, “nicely done, I could learn a thing or two from this person”?