
Equation Group Initial Impressions - tptacek
https://www.cs.uic.edu/~s/musings/equation-group/
======
e28eta
It seems like the author is assuming all of these mistakes are unintentional,
and possibly due to incompetence.

I don't know enough about it, but I wonder what some reasons for intentionally
making these mistakes could be, and would love to see that analysis (aka:
informed speculation, instead of my guesses).

Maybe they're trying to seem less competent, so a target that finds these
programs infecting their system won't think to look for (ex:) an infection in
their Cisco ASA.

Maybe it's an evolution of a tool written by someone else. Either independent
or a different nation state, leading to misattribution.

Maybe they want the encryption to be easy to break, for some reason I can't
think of.

I'm assuming they're primarily using these tools with stolen data, and perhaps
it's less critical to protect it from prying eyes than it is to accomplish
some other goal that is met by using tools with these flaws.

------
tptacek
Two crypto challenges we never even thought to write:

* urandom -> srandom(3) -> random(3)

* OFB with SHA1(msg) as IV

Who _does_ either of these things? Who even uses OFB?

~~~
nialo
Why is OFB worse than CTR? Admittedly I'm just glancing at the Wikipedia block
cipher modes of operation page, but it is totally non-obvious to me that OFB
with SHA1(msg) as an IV is worse than CTR with SHA1(msg) as the 'nonce'.

~~~
tptacek
It's everything that's bad about CTR and nothing that's good about it. Or,
just let Rogaway explain:

[http://web.cs.ucdavis.edu/~rogaway/papers/modes.pdf](http://web.cs.ucdavis.edu/~rogaway/papers/modes.pdf)
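
Added illustration, not part of any comment above and not code from the linked write-up: a Python sketch of the "OFB with SHA1(msg) as IV" construction named in the thread, showing that encryption becomes deterministic and that the cleartext IV lets an observer confirm a guessed plaintext without the key. Assumptions: HMAC-SHA256 stands in for the block cipher's forward function, the SHA-1 digest is truncated to a 16-byte block, and the key and messages are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes (assumed, AES-sized)


def block_fn(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher's encrypt direction (assumption): OFB only
    # ever calls the forward function, so a keyed PRF is enough for a demo.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ofb_keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # OFB: O_0 = IV, O_i = E_k(O_{i-1}); the keystream never sees the plaintext.
    out, state = b"", iv
    while len(out) < n:
        state = block_fn(key, state)
        out += state
    return out[:n]


def encrypt(key: bytes, msg: bytes) -> tuple[bytes, bytes]:
    # IV derived from the message itself, truncated to one block (assumed).
    iv = hashlib.sha1(msg).digest()[:BLOCK]
    ks = ofb_keystream(key, iv, len(msg))
    return iv, bytes(m ^ k for m, k in zip(msg, ks))


def decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    ks = ofb_keystream(key, iv, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def iv_matches_guess(iv: bytes, guess: bytes) -> bool:
    # No key needed: the IV travels in the clear and is a hash of the plaintext.
    return hmac.compare_digest(iv, hashlib.sha1(guess).digest()[:BLOCK])


if __name__ == "__main__":
    key = b"constructed-demo-key"       # constructed sample key
    msg = b"status: nominal"            # constructed sample message
    iv1, ct1 = encrypt(key, msg)
    iv2, ct2 = encrypt(key, msg)
    print("same message, same IV and ciphertext:", (iv1, ct1) == (iv2, ct2))
    print("round trip ok:", decrypt(key, iv1, ct1) == msg)
    print("guess confirmed without key:", iv_matches_guess(iv1, msg))
    print("wrong guess rejected:", not iv_matches_guess(iv1, b"status: degraded"))
```

A fresh random IV per message removes both properties: repeated messages no longer produce repeated output, and the IV carries no information about the plaintext.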

