- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Now THAT made me bust out laughing!
captcha: shizzle - how appropriate!
Admin
CAPTCHA is appropriately: STFU
Admin
Well, even if it didn't touch web security, the prof should have known that substituion is a bad form of encryption
Admin
Luckily I READ the book, and...for the record, he DID know his sh!t when it came to logic design (this was 1990s computer science). I did have a pool of brilliant profs that did know their stuff. I think this was all just an unfortunate fallout of throwing a C++ course into the curriculum last minute due to student outcry.
Admin
another one of those Where is your research from which you derived the qualifier "MOST professors"?
arbitrary assumptions gone wild.
Admin
every cloud...
Admin
I have 2 uni degrees and I wholeheartedly concur.
Admin
Whats's up with the expression 'code circles around'? Are they talking about Do ... Loop control structures around the code?
I would prefer the expression ' ... who could code OOP elegance around your arrogant little procedural scripting fuckface ...'
Admin
Those who can, do. Those who can't do, teach those who can.
Admin
Is the Professor Paula?
Admin
Or perhaps you skimmed over the part where I don't believe he wrote the code... so if I don't believe he wrote the code (and in fact I wouldn't be surprised if he doesn't do any web programming at all), then the cipher in use is a moot point.
Repeat after me: web security is not all there is to security. Just because some of you live in a little shell where you only know about security in the world of online apps, doesn't mean those apps are the only place security and cryptography have ever been used.
There are volumes of books that go over all kinds of cryptography and security principles, and most of them never touch on the specific issues for web apps: hidden field vulnerabilities, XSS, SQL Injections, assuming POST data is safe, assuming referer headers are reliable, assuming cookie data is reliable, etc.
Admin
Wow, seems like this topic has gotten quite a few peoples panties in a bunch ... I think most of us can agree that there are some good professors, and some bad professors .. I personally never went to college at all, hell I got kicked out of high school ... I spent a long time reading books and tutorials and talking to other programmers and doing a LOT of trial and error, all while scrubbing toilets and driving forklifts and a working at fast food joints for a living, making dozens of freelance projects before I finally got a "real" job doing it, quite a few years later I am now a Senior Software Engineer and the head of all C++ development where I work ...
Bottom line is whether a professor is good or bad at something, they are there to teach you theory, to give you some introductions ... If you are dependant on them for anything beyond that and have expectations that they alone will prepare you for the real world, you will fail. Any good programmer that has been in the real world will agree that we learn most if not all of what we know from experience, from reading, from doing, and from things outside of universities. Having a degree just makes it a little easier to get your foot in the door once you are ready to step into the real world.
Admin
You, Sir, have truly mastered the Zen art of Segue
Admin
If he wrote the app, and understood how web apps work (ie, being able to grab the password file may be obvious to us, but he might have assumed it was safe. Bad assumption but not one I would call him a total moron for, given his area may not be web apps) yes. But I know a couple schools like to use student-built code to run various sensitive apps. All I'm saying is it seems more likely to me that the guy didn't program the app.
Admin
Guilty as charged. I find debating the relative merits of the Professor versus the Professional extremely tedious and futile. Web security is equally as mundane. How about some VBA bashing?
Admin
The only thing that makes me groan lowder than 'cheney with a gun' jokes is the realization that we're going to be hearing them for the next 10 years.
Admin
You are missing the point.
That means that the visiting professor wrote the website. Not to mention the comment by the original poster saying so.
A crypt professor should know that substitution is weak security
That's a WTF.
I think everyone will agree that web security is a different subject than security in general, however web security utilizes things learned from studying general security. Things such as how strong different encryptions are. This professor should have known.... cmon man... DHER!
Admin
I didn't get that from the original poster - once I read his posts about the embellishments, I sort of wondered what other suppositions were being made here.
So let's assume he did code the site. He wasn't a CS guy as the original poster explains, and probably didn't know how to import crypto libraries into his code (it ain't that easy in Perl or PHP if you're not a programmer - other languages I can't comment as much on). I think we can assume it was his first publicly available project. He probably found the code for "encrypt" in PHP or something, and thought it looked "good enough", considering that he also probably assumed the password file was safely stored in a private location. And it sounds like that wasn't a terrible assumption, as the reporter mentions he had a friend with FTP access grab the file.
So we've got a web-clueless prof who makes a few bad assumptions, and gets hacked essentially from the inside. I'll give you that he's kind of a twit for not having somebody else do the app. But to debunk his security knowledge based solely on that event...? To me, it still seems like pretty separate issues.
Admin
For once, you'd hope you get FileNotFound.
Admin
You are a WTF.
Admin
Those who can't do, and can't teach, become administrators over those who can do or can teach.
Admin
<FONT size=2>
<FONT size=2>Re: The Last of the Computers</FONT>
<FONT size=2>by Alex Papadimoulis</FONT>Admin
Yeah it's like those damn Dan Quayle jokes about how he can't spell the English plural of solanum tuberosum.
Admin
Even if he didn't know that much about web programming, he should have known enough about security to tell/let someone else program the encryption instead of using a substitution. Also, since he was the professor, he should have known how to implement and break different types of encryption, as the original poster's comment has let us assume. Since he obviously had at least some skill at programming, as he did write the page and the substitution encryption, he should have been able to implement an algorithm that was at least SOMEWHAT more complicated. At least rotate the substitution table or something ya know?
Admin
LOL I was thinking they are homophones to me too, then I read where you are from (I'm from Pittsburgh). Guess that explains it!
CAPTCHA: 1337
Admin
The professor imparts knowledge to students. Teaching assistants and research assistants are students. In this particular case, it is possible that one of the professor's research students was tasked with writing this website. Hence, the website is a practical application of knowledge imparted by the professor, and the website did not (necessarily) write the website.
QED.
Admin
Yeah, he made some stupid mistakes... but keep in mind, security is relative. If you can reasonably assume that your password file is secure (and if he asked somebody else about that, they may well have told him it was, seeing as it was secure enough to require a second person to access it), you technically need very little security. And if you don't know much about PHP/Perl, you might not know how to pull in a solid library for security. When writing your own security, implementing something truly secure tends to be a very difficult process (especially for a non-programmer), and not likely to be worth your time for something that you already believe is secure.
I'm not saying the prof doesn't have a thing or two to learn. He clearly knows nothing about web security, and clearly didn't know how vulnerable his password file was. But his mistakes don't seem, to me, to invalidate the topic about which he teaches.
I consider myself a pretty good programmer, but if I'm doing a quick project that is just to get something up and running, I will cut corners too. I think most people will. I just can't fault him for that.
Admin
Me too. Just like your name and "Dawn", or "cot" and "caught."
(Also from western PA.)
Admin
No, he was actually using a carrot.
Admin
You're saying you actually discriminate against all PhD holders, rather than hire based on competence, experience, and confidence? And this is supposed to be a good business decision?
Admin
I for one, have not directly used anything that I learn't in university. That is not to say of course that university was not worth while.
captcha : clueless
Admin
Indeed. Claiming that a PhD with 5 years field experience is any worse than a highschool graduate with 5 years field experience is absurd.
Admin
Great WTF, and congratulations to Dan for his 8.0 GPA.
Admin
Uh, except for going to conferences and needing to know enough to get a paper published and all that. It's rather obvious from the post that this instructor doesn't even know theory.
Many universities have "staff instructors" who are not professors or students, do not have to research or submit papers, and do not attend conferences on current developments.
Admin
He should have known enough to not make the mistakes made on the web site. For example, he should have known that hiding his secrets was one of the pillars of implementing an authentication system. If he didn't do any research on how to do that in his chosen development platform/environment, he missed the boat. He should have also known that rolling your own encryption scheme or choosing a trivial one is stupid. Even if your environment doesn't come with a good algorithm, finding one is simple. I found AES for a 4K PIC microprocessor after 30 minutes of Google searching last year, he could have found SHA512 for his platform.
He was most likely one of those guys that knows all the words, but can't put them together to make a real solution. Example: I met a guest lecturer a few months ago that was lecturing on biometric authentication. Well, his whole focus was on how biometrics was going to revolutionize things like web banking and reduce spam. He totally missed the point that biometrics only works when the hardware can be trusted. The problem is that a compromised device in someone's house can be made to authenticate a fake finger or iris. After that happens, the genuine owner would have an awful hard time changing their eyeball or fingers. The system would be permanently broken in a few weeks. A lot of people in the security industry can't put all the pieces together, and they also can't help a student understand security. Guys like Bruce Schneider are good at putting the pieces together.
Admin
I took a Network Security class at university a few years ago. The class taught methodologies and implementation of public and private key encryption, as well as TCP/IP fundamentals and the basic concepts behind detecting and exploiting vulnerabilities. Every student in the class had an account on a Linux box in the professor's office. The first assignment was to send an email to the professor. The professor would autoreply his public PGP key. Then the students had to generate their own PGP key and send another message to the prof. You could send as many encrypted emails as you wanted, getting 1 pt for each.
Now, where the assignment got interesting: you got 5pts for each OTHER student's email you submitted. There was a packet sniffer setuid root on the machine for the purpose. Because the sniffer was setuid root, the prof had modified the code to change the ownership of the logfile to the person running it. [The professor was aware of this vulnerability and left it in place intentionally to see if anyone would find it]. Well.. I set the logfile to be /etc/passwd. Ran the sniffer and terminated it, and set root's password to null, su'd and set the password to one of my own. Then I switched the professor's public key for mine, and locked his account. I let other people send their emails, and just before the deadline for the assignment, I ran a perl one-liner to kill everyone else's ssh sessions, then sent my second email in plaintext. Stopped the one-liner, then grabbed the mail log and submitted that. The best part was when I was sitting in the professor's office, chatting with him about something else, and one of my classmates came in and asked him to reset her password. He tried to log in and said "It appears my password no longer works. [looking at me] You wouldn't know anything about this, would you?"
I didn't have to complete any other assignments for the rest of the quarter. I acted as TA and replaced the linux box with a FreeBSD one.
So, not all colleges are completely worthless. This was at the University of Cincinnati. If you ever get the chance to take a class with Professor Franco, I highly recommend it. Definitely the best teacher I've ever had.
Admin
It could have been worse. You could have been arrested and imprisoned as a terrorist, (Well, terrorist/hacker mastermind, it's all the same thing, right?)
All joking aside, as long as "hacking" is illegal, the lack of permission to view other student's accounts could technically have made your actions a crime, and these days it is viewed pretty seriously.
Admin
That is an astoundingly stupid thing to say. Security is a process and web security is an application of that process. It doesn't matter if you know all about crypto if your security is a joke - crypto is just one piece of the puzzle.
Also, running that turd while teaching a security course is like teaching English with text message abbreviations.
Admin
Well, he certainly selected it, and over other products like phpBB, so it's reasonable to expect he'd catch something as obvious as this non-security.
captcha: craptastic - how appropriate
Admin
We had a fun one at my University,
Directly after a lecture on computing ethics our lecturer asked the class if anyone knew where he could get a cracked version of a programme he had 'lost his key to'. Within seconds he had four or five offers of copies, and no this was not part of a test he actually wanted the software!
Admin
But the fields were really carrot separated! The professor printed the account file, placed the printout on his wooden kitchen table and put carrots between the columns. Then he photographed the whole carrot-separated arrangement.
It's interesting to note that the same professor also invented a logarithmic sorting algorithm for root vegetables that uses a linear number of leporidian processing units, better known as wascally wabbits.
Admin
The author missed an opportunity. He should have demonstrated to the lecturer a user account that isn't supposed to exist then demand a meeting with him and another lecturer to demonstrate and explain how the message board can be cracked. At the meeting, don't proceed without explicit permission to crack the site. He would then proceed to rip it apart whilst explaining how he did it and the principles that should be applied to prevent such cracking.
Then he should have exclaimed this demonstrates an excellent knowledge and understanding of the course subject and that he should be given top marks.
Admin
Yeah... amazing how the gym seats and the guy and the shirt all look too similar. Is Dan == Chris ( from previous post ) - are we using stock photography?
Admin
The real rub about security is keeping a secret. If only one person knows the secret it is 100% secret. if two know, it's only a half secret. It diminishes further from there. The whole point of keys and encryption is to "share" a secret - between two or more parties.
The strength of the secret depends on two things, primarily the trust of those that know the secret ( ie - their ability to keep it secret ) and the strength of the encryption.
If the trust is loosely guarded, what's the point of encryption?
If the encryption is easily decrypted, what's the point of encryption?
I see this all the time:
"our database is password protected" .... Yeah, but your data is clear text
"our database is encrypted" .... Yeah, but the password is taped to the monitor of one of your trustees
Secrecy is a two-fold effort. Trust and Encryption. Mainly trust.
Admin
I'd be very surprised if those files were there. You have to get very lucky to get the names exact.
Admin
And I just cannot resist... It's a serious bug for "carrot" cannot be find in the 3 Wingdings fontsets. Heck... we even have Windows log there (0xffh)
Admin
Didn't he get the error message? OR with FTP access.. EVERY file will show.
why can't you Americans distinguish between an ER (carrot) sound and an EH sound (caret)
Admin
Or a Ted Stevens lecture about the internets
Admin
Knows enough to use ROT(n) encryption? :)
Admin
It's true, carrot's haven't got anything against gays