  • mr foo (unregistered)

    holy crap.

  • Duke Nuken (unregistered)

        Shouldn't that be regret *NOT* taking Masterpieces of Inner City Scandinavian Drama?

    [Update: Fixed this and Caret typo]

  • SlippyVillage (unregistered)

    "Carrot" delimited? Wascaly wabbit, could you mean "caret"?

  • Gordo (unregistered)

    I just can't resist... what's the Unicode number for those little carrot symbols the professor used as the delimiters in his passwords file?

  • Villa (unregistered)

    * golf clap *
    Bravo. Just... bravo.

  • C#ARPER (unregistered)

    You could change your grades I guess.

  • (cs)

    And people will be using what this "professor" is/was teaching in real world apps. Wow.

  • ben (unregistered)

    CARET, damnit, the word is CARET. A carrot is a bleedin' orange root vegetable, have you never seen a goddam carrot in your life? Caret. Carrot. They're not even homophones.

  • (cs) in reply to ben

    I've had teachers like that. It makes you realize that you're just paying for the diploma, not the knowledge it's supposed to represent.

    Although, I really did get a laugh out of Alex's: "WTFU" - good one :)

  • (cs) in reply to ben

    Anonymous:
    CARET, damnit, the word is CARET. A carrot is a bleedin' orange root vegetable, have you never seen a goddam carrot in your life? Caret. Carrot. They're not even homophones.

    I have a feeling they were joking... No need to bust a blood vessel over it!

  • Lamezor (unregistered) in reply to ben

    You're a homophone.

  • (cs) in reply to Lamezor

    HAHAHAHAHAHAHAHAHAHAHA ... Wow ... I just got a bunch of funny looks from my coworkers as I burst out laughing, reading that ...

  • (cs) in reply to script-man
    script-man:

    I've had teachers like that. It makes you realize that you're just paying for the diploma, not the knowledge it's supposed to represent.

    Although, I really did get a laugh out of Alex's: "WTFU" - good one :)

    Hell, sometimes they even feel bad about taking all that money and only giving you a piece of paper. My school felt so bad they gave me a second sheet a couple months after I graduated, heh.

  • (cs)

    It's the "caret and stick" approach to website security.

  • (cs) in reply to ben
    Anonymous:
    Caret. Carrot. They're not even homophones.

    Depends on where you're from. They're homophones to me (US, western Pennsylvania).

  • Dam Bugglin (unregistered) in reply to Scoutn

    LOL nice embellishments, Alex. XD

    To clarify the story a bit, the class focused on creating and breaking messages using various ciphers (from simple substitution ciphers to RSA).

    It was a friend of mine who had FTP access to the web server who looked up the password files out of curiosity and discovered they used pathetic encryption. It wasn't ROT13, but it was a simple substitution cipher, which isn't very much more secure. There were no carets; each account had a separate file, I believe.

    A form similar to the one shown (there were no "privileged" accounts, the software was VERY simple) was pretty much used for ANY page change, and the JavaScript used was already provided to me in the form of a Greasemonkey script that made all hidden form fields on a page visible.

    And, I actually stayed in the course and got a B, probably because I wasn't able to crack anything after the first few easy ciphers.  Then again, no one else could either (with the exception of a cheater or two) so I didn't feel too bad.

    And, the prof wasn't terribly happy that we had found holes in his site. :)

  • (cs)
    Alex Papadimoulis:

    <form method="post">
      <input type="hidden" name="username" value="dbugglin">
      <input type="hidden" name="access" value="student"> 
      ... snip ...
    </form>


    It seems like a quick change from "student" to "professor" or "admin" would be in order.
  • (cs) in reply to chills42

    He used ROT13 to encrypt passwords?? 

    Jung gur shpx !!???

  • David (unregistered) in reply to Lamezor
    Anonymous:
    You're a homophone.

    God, I love you

  • (cs)

    This can't be serious.... 

    Taking a course taught by this WTFU guy makes as much sense as taking a firearms safety course taught by Dick Cheney

  • (cs)

    While you're in there, why not check for grades.txt, bankaccountnumbers.txt or loveletterstostudents.txt?

  • Dam Bugglin (unregistered) in reply to chills42

    Like I said there were no "privileged" accounts... the prof had to manually edit the account files via FTP to add an account.

    Also I took the course because it was a "new" course being offered, and it might not have been available next year.  I believe it filled in a CompSci course requirement, although it MIGHT have been an elective (but I didn't tell Alex that, he just got lucky :P).

  • (cs)

    Doesn't surprise me really, most professors stay in a sheltered workshop called University where they learn no real world skills, just theory. Let's face it, if you were a security expert, why would you stay and work for a university???

    PhDs on your resume actually look bad when applying for real world jobs, I tend not to hire them because basically they aren't any good in the real world, remember that kids, academia is a bad thing when you want to work in the real world (woah now there's a flame war starter)

    When are we going to get some real world WTF? It's too easy to pick on universities... the sidebar WTF yesterday was better than this or yesterday's.

  • Dam Bugglin (unregistered) in reply to Dam Bugglin

    Oh and one last thing to be fair... the prof who coded this was from the Math department, not the CS department, so it's not like he was skilled in programming or anything.  Still, I thought it was worthy of a Daily WTF. :)

  • dasmb (unregistered)

    I used to catch flak from my old company for using strong passwords (e.g. with numbers and letters and so forth) for our databases and for storing the connection strings encrypted. I did so because the installers use the same passwords for every installation, no matter what you hit them with.

    "That's not the way we used to do things," whines one of the installers.  "We used to use our company's name plus the word 'password' for everything.  Makes it easier to remember [than three 8 character keys that never changed]."

    "That's not very secure for a government software company," says I.

    "No, that's the secure version.  The insecure version just uses 'password.'"

    Guess which version of security is in the file that holds tax records?  (Hint: my house is assessed at $25).

  • (cs) in reply to ben
    Anonymous:
    CARET, damnit, the word is CARET. A carrot is a bleedin' orange root vegetable, have you never seen a goddam carrot in your life? Caret. Carrot. They're not even homophones.

    Prof. Doccarrotcnffjbeqcarrotadmin
    Joe Bloggscarrotqxfwsuexwucarrotstudent
    Jane Smithcarrotcbavrfcbavrfcbavrfcarrotstudent
    Al Einsteincarroteryngvivglcarrotstudent

    ...and so on.
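
Dam Bugglin's clarification above (per-account password files protected only by a substitution cipher, and a hidden form field carrying the access level) and the caret-delimited ROT13 file quoted in this comment are the same two defects. The following Python module is an added example, not code from the thread or from the professor's site: it migrates a constructed `name^ROT13(password)^role` file to salted PBKDF2 hashes and authorises page changes from a server-side session instead of the form's hidden `access` field. The account names, passwords, function names and the in-memory `SESSIONS` store are all assumptions made for the demo.

```python
import codecs
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample in the caret-delimited layout quoted in the thread:
# name ^ ROT13(password) ^ role. ROT13 is a fixed substitution, so anyone
# who can read the file recovers every password: it obscures, not encrypts.
LEGACY_FILE = (
    "Prof. Doc^cnffjbeq^admin\n"
    "Al Einstein^eryngvivgl^student\n"
)

PBKDF2_ROUNDS = 600_000  # slow on purpose: raises the cost of offline guessing
SESSIONS = {}            # token -> account name; exists only on the server


@dataclass
class Account:
    name: str
    role: str
    salt: bytes    # random per-user salt, so equal passwords hash differently
    digest: bytes  # PBKDF2-HMAC-SHA256(password, salt)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def migrate_legacy(text):
    """Parse the legacy records, undo the ROT13 once, keep only salted hashes."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, obscured, role = line.split("^")
        salt = os.urandom(16)
        password = codecs.decode(obscured, "rot_13")
        accounts[name] = Account(name, role, salt, hash_password(password, salt))
    return accounts


def login(accounts, name, password):
    """Return a random session token on success, otherwise None."""
    acct = accounts.get(name)
    # Hash even for unknown names so response time does not reveal which exist.
    probe = hash_password(password, acct.salt if acct else bytes(16))
    if acct is None or not hmac.compare_digest(probe, acct.digest):
        return None
    token = os.urandom(16).hex()
    SESSIONS[token] = name
    return token


def may_change_page(accounts, form):
    """Authorise a page edit from the server-side session, never from the form."""
    name = SESSIONS.get(form.get("session", ""))
    if name is None:
        return False
    # The hidden 'access' field is client-controlled and deliberately ignored;
    # the role comes from the account record the server already holds.
    return accounts[name].role == "admin"
```

After migration the file on disk holds only salts and digests, so an FTP reader learns nothing directly useful, and a student who edits `access=student` to `admin` in the form still gets the role the server recorded for them.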

  • (cs) in reply to Dam Bugglin

    He should have just admitted he didn't know WTF he was doing and had a student help him make the site ... Better than assuming because he is a professor he knows what he is doing, and risking his work becoming a casualty to Alex :)

  • Matt (unregistered)

    The Final Assignment was to find data/passwords.txt, print it out, place that on a wooden table...

  • (cs) in reply to codenator
    codenator:

    PhDs on your resume actually look bad when applying for real world jobs, I tend not to hire them because basically they aren't any good in the real world, remember that kids, academia is a bad thing when you want to work in the real world (woah now there's a flame war starter)

    Those idiots at PARC! What were they thinking hiring PhDs?

    (You overstated your point I believe. Some "real world jobs" are better filled by PhDs.)

    sincerely,
    Richard Nixon
  • (cs)

    Ah, dear-ol WTFU!  Home of the Fighting F-Wits.

  • fs (unregistered)

    I'm not surprised at all about this. Most of the security classes (even cryptography and security specialization!) I have taken suffered from teachers who barely knew what they were talking about, and dedicated themselves to flipping PowerPoint slides class after class. I can remember one who came from Spain specially to teach us about ciphers... showing us the VB programs his students made in previous courses.

  • (cs)

    It seems this teacher let a few misguided students out into the world.

    I used to visit one of those Classmates.com-style sites. They let you see a little information for free, but make you pay to see people's full profiles. Screw that, I found a better way.

    I created an account. I went to the page to change my password, and I noticed on the screen that there was a box called "Current password". It was already filled in. I looked at the top of my screen in the address bar, and my location was set to setUserProperties.asp?userID=1234567.

    Yes, it was just that easy. Change the User ID number in the address, look at the page source and you could get anyone's password.

    Who says they don't learn anything from college? The site creator obviously did. Someone eventually fixed it though.

  • Jay (unregistered) in reply to ben
    Anonymous:
    CARET, damnit, the word is CARET. A carrot is a bleedin' orange root vegetable, have you never seen a goddam carrot in your life? Caret. Carrot. They're not even homophones.


    I thought this may just be a southern thing as they're homophones here but some Yank above said they were there also.  So there.  My captcha is your antonym:  awesomeness.
  • wyz (unregistered) in reply to Dam Bugglin

    Anonymous:
    And, I actually stayed in the course and got a B, probably because I wasn't able to crack anything after the first few easy ciphers.  Then again, no one else could either (with the exception of a cheater or two) so I didn't feel too bad.

     lol...There is a "cheater" way to crack codes? Anyway it is cracked, it's cracked. And "social engineering" accounts for most cracked codes/passwords/accounts/etc.

    <soapbox>For many years I've observed if you want to learn a subject, generally one of the worst places is in the formal education system, be it public schools, colleges, or universities. And rarely are they cost effective, i.e. the costs to attend are typically far more than is taught, or can be earned as a result of the degree.</soapbox>

    (From one having 3 uni degrees)

  • (cs) in reply to Richard Nixon
    Richard Nixon:
    codenator:

    PhDs on your resume actually look bad when applying for real world jobs, I tend not to hire them because basically they aren't any good in the real world, remember that kids, academia is a bad thing when you want to work in the real world (woah now there's a flame war starter)

    Those idiots at PARC! What were they thinking hiring PhDs?

    (You overstated your point I believe. Some "real world jobs" are better filled by PhDs.)

    sincerely,
    Richard Nixon

    but I'm never wrong :-)

  • Bob Smith (unregistered) in reply to dasmb

    Haha, I'm sure Alex will comply when the IRS comes asking for the IP of that poster.

  • Bob Smith (unregistered) in reply to dasmb
    Anonymous:
    I used to catch flak from my old company for using strong passwords (e.g. with numbers and letters and so forth) for our databases and for storing the connection strings encrypted. I did so because the installers use the same passwords for every installation, no matter what you hit them with.

    "That's not the way we used to do things," whines one of the installers.  "We used to use our company's name plus the word 'password' for everything.  Makes it easier to remember [than three 8 character keys that never changed]."

    "That's not very secure for a government software company," says I.

    "No, that's the secure version.  The insecure version just uses 'password.'"

    Guess which version of security is in the file that holds tax records?  (Hint: my house is assessed at $25).


    DOH this poster
  • Elliot (unregistered)

    It's brilliant - the professor avoids all those "pitfalls" and "security flaws" associated with hijacking sessions and stealing cookies by employing a system so idiotic, stupid, and unexpected that no one would expect a PhD (presumed) professor to have thought of it.

    My guess is he just blames one of his research assistants.  They're good for more than just stealing prestige.

  • (cs)

    So, the guy in the picture is Dan, right?

  • codemoose (unregistered) in reply to Scoutn
    Scoutn:
    And people will be using what this "professor" is/was teaching in real world apps. Wow.

    Yeah, it's terrifying to think of. I used to work with a "programmer" who also taught at a local U. Couldn't program his way out of a paper bag. One time, he had to build a module for an online system that basically parsed text input for form fields, and save the form field collection to the db (I'm oversimplifying for the sake of brevity). 3 months and 3000 lines of code later, it more or less did that. I say more or less because it didn't always work. And with more form fields, execute time grew exponentially. If there were 50 fields, it'd take 2 to 3 minutes.

    I probably should have re-written it from scratch, but chose to "streamline" his code instead.  Got it down to under 500 lines, and an execute time measured in tenths of a second - no matter how big the form was.  And it even worked every time.

    And he...taught programming.
  • (cs)

    The past few days have taught me something -- I'm not a fan of the "anecdotal WTF."

  • (cs)

    So far this week, I just haven't had the urge to shout out and say WTF. This is what's wrong with... blah blah blah... It's probably because the wtfs so far this week have been good examples of most of the stuff I have already ranted about. So, I simply leave the reader with a big fat I TOLD YA SO! ;-P

  • Unklegwar (unregistered)

    Reminds me of my college C++ professor, who was also my advisor.

    After much clamoring from the senior class one year about "Pascal is not going to get us a job!", they added a class in "C++". Which I promptly took.

    It seemed like my professor was reading the text as he walked to class each day. He didn't know a damn thing.

    Best part was his grasp of inheritance. Completely upside down. In HIS mind:

    Class Animal

    derives from

    Class Dog

    derives from

    Class Poodle

    Need I explain how hard it is to write your final project when THAT's what the prof is looking for?

    Now that I look back, I think they owe me a partial refund.

  • Nerdmaster (unregistered)

    Am I the only person here who's aware that Security != Web security?  You can know a shitload about security and cryptography without being a web programmer.  I wouldn't be at all surprised if this class were focused on algorithms and general concepts, and never once touched on web security.

    Knowing what security actually means (security through obscurity isn't security, etc) is the first step toward applying security knowledge.  Knowing how algorithms work is probably not that important to most real-world jobs, I'll give you that, but it's interesting as hell, and for a die-hard security specialist, it is important to know which algorithms work which ways so that you know that if algorithm X just got exploited, algorithm Y ain't safe either...

    I wouldn't be surprised if the prof is very knowledgeable about security and cryptography, but knows nothing about programming, and that the "app" in question is something used by more than just him.  ie, a student project that the school, in its infinite wisdom, decided to make use of.

    Should the prof have done some research on said app?  Yeah, probably.  But it's really not his job to know WEB security.  Web "security" isn't even the tip of the iceberg when it comes to knowing security and cryptography.  That's the place you apply the knowledge, if you land that kind of job, but not the place you start.  At least not if you want a strong security background, versus knowing how to write secure apps for one and only one platform.

  • (cs)
    Alex Papadimoulis:

      That was the last straw; it was time to drop the course.

    I couldn't imagine missing out on all of the fun that could be had.  It would be like April fools day everyday if you could log in to the message board as your professor.

  • (cs) in reply to Unklegwar

    Anonymous:
    Reminds me of my college C++ professor, who was also my advisor.

    After much clamoring from the senior class one year about "Pascal is not going to get us a job!", they added a class in "C++". Which I promptly took.

    It seemed like my professor was reading the text as he walked to class each day. He didn't know a damn thing.

    Best part was his grasp of inheritance. Completely upside down. In HIS mind:

    Class Animal

    derives from

    Class Dog

    derives from

    Class Poodle

    Need I explain how hard it is to write your final project when THAT's what the prof is looking for?

    Now that I look back, I think they owe me a partial refund.

    HAHAHA ..

    RE: One of my replies to yesterday's WTF .. When I was teaching the professor at RIT some of the C++ Standards and what not, one of the examples I used was ..

    class Mother { ... };

    class Father { ... };

    class Milkman { ... };

    class Child : public Mother, public Father, private Milkman { ... };

    When showing how to use proprietary polymorphism with C++ Standard Library containers ... The students got a real kick out of it, but the professor wasn't happy about it :P

  • Bob Smith (unregistered) in reply to Nerdmaster
    Anonymous:
    Am I the only person here who's aware that Security != Web security?  You can know a shitload about security and cryptography without being a web programmer.  I wouldn't be at all surprised if this class were focused on algorithms and general concepts, and never once touched on web security.

    Knowing what security actually means (security through obscurity isn't security, etc) is the first step toward applying security knowledge.  Knowing how algorithms work is probably not that important to most real-world jobs, I'll give you that, but it's interesting as hell, and for a die-hard security specialist, it is important to know which algorithms work which ways so that you know that if algorithm X just got exploited, algorithm Y ain't safe either...

    I wouldn't be surprised if the prof is very knowledgeable about security and cryptography, but knows nothing about programming, and that the "app" in question is something used by more than just him.  ie, a student project that the school, in its infinite wisdom, decided to make use of.

    Should the prof have done some research on said app?  Yeah, probably.  But it's really not his job to know WEB security.  Web "security" isn't even the tip of the iceberg when it comes to knowing security and cryptography.  That's the place you apply the knowledge, if you land that kind of job, but not the place you start.  At least not if you want a strong security background, versus knowing how to write secure apps for one and only one platform.

    Maybe you skimmed over the part about him using a substitution cipher for the password.

  • duh (unregistered) in reply to script-man

    True, for those attending schools like WTFU (or even wtfU). That is why it is imperative to find a decent school if one is going to be investing so much time & money in an education.

    Choose a decent school people! Even with student loans up to your eyeballs (like myself), posts like WTFU will make the school and costs all seem worthwhile.

    Me at work: "MF! I got crap outa my education. I didn't learn a thing!"
    Me reading my loan statement: "MF! I got crap outa my education. I didn't learn a thing!"

    Me reading WTF & WTFU alumnus code: "MF! It was worth it!"

  • Anymoose (unregistered) in reply to ben

    depends on your accent actually.

  • Zack (unregistered) in reply to fs

    The best security class I have attended was taught by Herbert H. Thompson. He is a PhD, but unlike some other PhDs mentioned here, Herbert had a lot of knowledge about real security testing. Mr. Thompson is Chief Security Strategist of Security Innovation, which does security defect testing for outside firms. He also wrote Mezonic Agenda - Hacking the Presidency. That book looks at hacking a hypothetical election and even has "hack-a-long" exercises. (Voting machine not included.) The book is simplified for non-security experts, but it is a fun read. If you get a chance to see Herbert H. Thompson speak, do so. He was technical enough for me, and I am pretty darn knowledgeable about exploits and attacks. He is also a good speaker, which is not true for most security experts.

    He was by far the best speaker at the Java One conference I attended. His class was only half full since he was too technical for the manager types.

    Zack

Leave a comment on “Security 101 ... at WTF University”
