• Brian (unregistered) in reply to Matt

    Anonymous:
    The Final Assignment was to find data/passwords.txt, print it out, place that on a wooden table...

    Now THAT made me bust out laughing!

    captcha: shizzle - how appropriate!

  • Someone, Somewhere, outwhere (unregistered) in reply to codenator
    codenator:

    Doesn't surprise me really, most professors stay in a sheltered workshop called University where they learn no real world skills just theory. Let’s face it if you were a security expert why would you stay and work for a university???

    You're a fucking idiot.  Seriously.  Remove head from ass. I know SOME professors who are like this - I also know MORE professors who could code circles around your arrogant little fuckface every day of the week and twice on Sunday.

    CAPTCHA is appropriately: STFU


  • (cs) in reply to Nerdmaster
    Anonymous:
    Am I the only person here who's aware that Security != Web security?  You can know a shitload about security and cryptography without being a web programmer.  I wouldn't be at all surprised if this class were focused on algorithms and general concepts, and never once touched on web security.

    Knowing what security actually means (security through obscurity isn't security, etc) is the first step toward applying security knowledge.  Knowing how algorithms work is probably not that important to most real-world jobs, I'll give you that, but it's interesting as hell, and for a die-hard security specialist, it is important to know which algorithms work which ways so that you know that if algorithm X just got exploited, algorithm Y ain't safe either...

    I wouldn't be surprised if the prof is very knowledgeable about security and cryptography, but knows nothing about programming, and that the "app" in question is something used by more than just him.  ie, a student project that the school, in its infinite wisdom, decided to make use of.

    Should the prof have done some research on said app?  Yeah, probably.  But it's really not his job to know WEB security.  Web "security" isn't even the tip of the iceberg when it comes to knowing security and cryptography.  That's the place you apply the knowledge, if you land that kind of job, but not the place you start.  At least not if you want a strong security background, versus knowing how to write secure apps for one and only one platform.


    Well, even if it didn't touch web security, the prof should have known that substitution is a bad form of encryption
  • Unklegwar (unregistered) in reply to Raider
    Raider:

    Anonymous:
    Reminds me of my college C++ professor, who was also my advisor.

    After much clamoring from the senior class one year about "Pascal is not going to get us a job!", they added a class in "C++". Which I promptly took.

    It seemed like my professor was reading the text as he walked to class each day. He didn't know a damn thing.

    Best part was his grip of inheritance. Completely upside down. In HIS mind:

    Class Animal

    derives from

    Class Dog

    derives from

    Class Poodle

    Need I explain how hard it is to write your final project when THAT's what the prof is looking for?

    Now that I look back, I think they owe me a partial refund.

    HAHAHA ..

    RE: One of my replies to yesterday's WTF .. When I was teaching the professor at RIT some of the C++ Standards and what not, one of the examples I used was ..

    class Mother { ... };

    class Father { ... };

    class Milkman { ... };

    class Child : public Mother, public Father, private Milkman { ... };

    When showing how to use proprietary polymorphism with C++ Standard Library containers ... The students got a real kick out of it, but the professor wasn't happy about it :P



    Luckily I READ the book, and...for the record, he DID know his sh!t when it came to logic design (this was 1990s computer science). I did have a pool of brilliant profs that did know their stuff. I think this was all just  an unfortunate fallout of throwing a C++ course into the curriculum last minute due to student outcry.
  • Unklegwar (unregistered) in reply to Someone, Somewhere, outwhere
    Anonymous:
    codenator:

    Doesn't surprise me really, most professors stay in a sheltered workshop called University where they learn no real world skills just theory. Let’s face it if you were a security expert why would you stay and work for a university???

    You're a fucking idiot.  Seriously.  Remove head from ass. I know SOME professors who are like this - I also know MORE professors who could code circles around your arrogant little fuckface every day of the week and twice on Sunday.

    CAPTCHA is appropriately: STFU




    Where is your research from which you derived the qualifier "MOST professors"?
    Another one of those arbitrary assumptions gone wild.
  • mat (unregistered) in reply to GoatCheez
    GoatCheez:
    So far this week, I just haven't had the urge to shout out and say WTF.


    every cloud...
  • (cs) in reply to wyz
    Anonymous:

    Anonymous:
    And, I actually stayed in the course and got a B, probably because I wasn't able to crack anything after the first few easy ciphers.  Then again, no one else could either (with the exception of a cheater or two) so I didn't feel too bad.

     lol...There is a "cheater" way to crack codes? Anyway it is cracked, it's cracked. And "social engineering" accounts for most cracked codes/passwords/accounts/etc.

    <soapbox>For many years I've observed if you want to learn a subject, generally one of the worst places is in the formal education system, be it public schools, colleges, or universities. And rarely are they cost effective, i.e. the costs to attend are typically far more than is taught, or can be earned as a result of the degree.</soapbox>

    (From one having 3 uni degrees)

    I have 2 uni degrees and I wholeheartedly concur.

  • (cs) in reply to Someone, Somewhere, outwhere
    Anonymous:
    ... who could code circles around your arrogant little fuckface ...

    What's up with the expression 'code circles around'?  Are they talking about Do ... Loop control structures around the code?

    I would prefer the expression ' ... who could code OOP elegance around your arrogant little procedural scripting fuckface ...'

  • (cs) in reply to codemoose

    Anonymous:
    Scoutn:
    And people will be using what this "professor" is/was teaching in real world apps. Wow.


    Yeah, it's terrifying to think of.  I used to work with a "programmer" who also taught at a local U.  Couldn't program his way out of a paper bag.  One time, he had to build a module for an online system that basically parsed text input for form fields, and save the form field collection to the db (I'm oversimplifying for the sake of brevity).  3 months and 3000 lines of code later, it more or less did that.  I say more or less because it didn't always work.  And with more form fields, execute time grew exponentially.  If there were 50 fields, it'd take 2 to 3 minutes.

    I probably should have re-written it from scratch, but chose to "streamline" his code instead.  Got it down to under 500 lines, and an execute time measured in tenths of a second - no matter how big the form was.  And it even worked every time.

    And he...taught programming.

    Those who can, do. Those who can't do, teach those who can.

  • (cs)

    Is the Professor Paula?

  • Nerdmaster (unregistered) in reply to Bob Smith
    Anonymous:

    maybe you skimmed over the part about him using a substitution cypher for the password


    Or perhaps you skimmed over the part where I don't believe he wrote the code... so if I don't believe he wrote the code (and in fact I wouldn't be surprised if he doesn't do any web programming at all), then the cipher in use is a moot point.

    Repeat after me: web security is not all there is to security.  Just because some of you live in a little shell where you only know about security in the world of online apps, doesn't mean those apps are the only place security and cryptography have ever been used.

    There are volumes of books that go over all kinds of cryptography and security principles, and most of them never touch on the specific issues for web apps: hidden field vulnerabilities, XSS, SQL Injections, assuming POST data is safe, assuming referer headers are reliable, assuming cookie data is reliable, etc.
  • (cs) in reply to script-man

    Wow, seems like this topic has gotten quite a few people's panties in a bunch ... I think most of us can agree that there are some good professors, and some bad professors .. I personally never went to college at all, hell I got kicked out of high school ... I spent a long time reading books and tutorials and talking to other programmers and doing a LOT of trial and error, all while scrubbing toilets and driving forklifts and working at fast food joints for a living, making dozens of freelance projects before I finally got a "real" job doing it, quite a few years later I am now a Senior Software Engineer and the head of all C++ development where I work ...

    Bottom line is whether a professor is good or bad at something, they are there to teach you theory, to give you some introductions ... If you are dependent on them for anything beyond that and have expectations that they alone will prepare you for the real world, you will fail.  Any good programmer that has been in the real world will agree that we learn most if not all of what we know from experience, from reading, from doing, and from things outside of universities.  Having a degree just makes it a little easier to get your foot in the door once you are ready to step into the real world.

  • (cs) in reply to Bus Raker
    Bus Raker:
    Anonymous:
    ... who could code circles around your arrogant little fuckface ...

    What's up with the expression 'code circles around'?  Are they talking about Do ... Loop control structures around the code?

    I would prefer the expression ' ... who could code OOP elegance around your arrogant little procedural scripting fuckface ...'

    You, Sir, have truly mastered the Zen art of Segue

  • Nerdmaster (unregistered) in reply to GoatCheez
    GoatCheez:

    Well, even if it didn't touch web security, the prof should have known that substitution is a bad form of encryption


    If he wrote the app, and understood how web apps work (ie, being able to grab the password file may be obvious to us, but he might have assumed it was safe.  Bad assumption but not one I would call him a total moron for, given his area may not be web apps) yes.  But I know a couple schools like to use student-built code to run various sensitive apps.  All I'm saying is it seems more likely to me that the guy didn't program the app.
  • (cs) in reply to script-man
    script-man:
    Bus Raker:

    What's up with the expression 'code circles around'?  Are they talking about Do ... Loop control structures around the code?

    I would prefer the expression ' ... who could code OOP elegance around your arrogant little procedural scripting fuckface ...'

    You, Sir, have truly mastered the Zen art of Segue

    Guilty as charged.  I find debating the relative merits of the Professor versus the Professional extremely tedious and futile.  Web security is equally as mundane.  How about some VBA bashing?

  • (cs) in reply to DiamondDave
    DiamondDave:
    This can't be serious.... 

    Taking a course taught by this WTFU guy makes as much sense as taking a firearms safety course taught by Dick Cheney


    The only thing that makes me groan louder than 'cheney with a gun' jokes is the realization that we're going to be hearing them for the next 10 years.
  • (cs) in reply to Nerdmaster
    Anonymous:
    Anonymous:

    maybe you skimmed over the part about him using a substitution cypher for the password


    Or perhaps you skimmed over the part where I don't believe he wrote the code... so if I don't believe he wrote the code (and in fact I wouldn't be surprised if he doesn't do any web programming at all), then the cipher in use is a moot point.

    Repeat after me: web security is not all there is to security.  Just because some of you live in a little shell where you only know about security in the world of online apps, doesn't mean those apps are the only place security and cryptography have ever been used.

    There are volumes of books that go over all kinds of cryptography and security principles, and most of them never touch on the specific issues for web apps: hidden field vulnerabilities, XSS, SQL Injections, assuming POST data is safe, assuming referer headers are reliable, assuming cookie data is reliable, etc.


    You are missing the point.


    It turns out that the website was actually a practical application of the visiting professor's knowledge of the subject.


    That means that the visiting professor wrote the website. Not to mention the comment by the original poster saying so.

    A crypt professor should know that substitution is weak security

    That's a WTF.

    I think everyone will agree that web security is a different subject than security in general, however web security utilizes things learned from studying general security. Things such as how strong different encryptions are. This professor should have known.... cmon man... DHER!
  • Nerdmaster (unregistered) in reply to GoatCheez
    GoatCheez:

    That means that the visiting professor wrote the website. Not to mention the comment by the original poster saying so.


    I didn't get that from the original poster - once I read his posts about the embellishments, I sort of wondered what other suppositions were being made here.

    So let's assume he did code the site.  He wasn't a CS guy as the original poster explains, and probably didn't know how to import crypto libraries into his code (it ain't that easy in Perl or PHP if you're not a programmer - other languages I can't comment as much on).  I think we can assume it was his first publicly available project.  He probably found the code for "encrypt" in PHP or something, and thought it looked "good enough", considering that he also probably assumed the password file was safely stored in a private location.  And it sounds like that wasn't a terrible assumption, as the reporter mentions he had a friend with FTP access grab the file.

    So we've got a web-clueless prof who makes a few bad assumptions, and gets hacked essentially from the inside.  I'll give you that he's kind of a twit for not having somebody else do the app.  But to debunk his security knowledge based solely on that event...?  To me, it still seems like pretty separate issues.

  • dsfgsdgfsgsdgsdg (unregistered) in reply to Nerdmaster

    For once, you'd hope you get FileNotFound.

  • anon (unregistered) in reply to dsfgsdgfsgsdgsdg

    You are a WTF.

  • (cs) in reply to script-man
    script-man:

    Anonymous:
    Scoutn:
    And people will be using what this "professor" is/was teaching in real world apps. Wow.


    Yeah, it's terrifying to think of.  I used to work with a "programmer" who also taught at a local U.  Couldn't program his way out of a paper bag.  One time, he had to build a module for an online system that basically parsed text input for form fields, and save the form field collection to the db (I'm oversimplifying for the sake of brevity).  3 months and 3000 lines of code later, it more or less did that.  I say more or less because it didn't always work.  And with more form fields, execute time grew exponentially.  If there were 50 fields, it'd take 2 to 3 minutes.

    I probably should have re-written it from scratch, but chose to "streamline" his code instead.  Got it down to under 500 lines, and an execute time measured in tenths of a second - no matter how big the form was.  And it even worked every time.

    And he...taught programming.

    Those who can, do. Those who can't do, teach those who can.

    Those who can't do, and can't teach, become administrators over those who can do or can teach.

     

  • (cs) in reply to anon

    DailyWTF Deleted Archive:

    Re: The Last of the Computers

    by Alex Papadimoulis
    First! In case you're wondering about the stock photos, I have credits expiring soon at iStockphoto.
    Deleted 7/22/2006 8:46:17 AM by ammoQ
    No "First" posts. No exceptions.
     
    Guess I don't feel so bad about all of my posts deleted by GW seeing that one of Alex's posts was deleted  ;-)
  • (cs) in reply to merreborn
    merreborn:
    DiamondDave:
    This can't be serious.... 

    Taking a course taught by this WTFU guy makes as much sense as taking a firearms safety course taught by Dick Cheney


    The only thing that makes me groan louder than 'cheney with a gun' jokes is the realization that we're going to be hearing them for the next 10 years.

    Yeah it's like those damn Dan Quayle jokes about how he can't spell the English plural of solanum tuberosum.

  • (cs) in reply to Nerdmaster
    Anonymous:
    GoatCheez:

    That means that the visiting professor wrote the website. Not to mention the comment by the original poster saying so.


    I didn't get that from the original poster - once I read his posts about the embellishments, I sort of wondered what other suppositions were being made here.

    So let's assume he did code the site.  He wasn't a CS guy as the original poster explains, and probably didn't know how to import crypto libraries into his code (it ain't that easy in Perl or PHP if you're not a programmer - other languages I can't comment as much on).  I think we can assume it was his first publicly available project.  He probably found the code for "encrypt" in PHP or something, and thought it looked "good enough", considering that he also probably assumed the password file was safely stored in a private location.  And it sounds like that wasn't a terrible assumption, as the reporter mentions he had a friend with FTP access grab the file.

    So we've got a web-clueless prof who makes a few bad assumptions, and gets hacked essentially from the inside.  I'll give you that he's kind of a twit for not having somebody else do the app.  But to debunk his security knowledge based solely on that event...?  To me, it still seems like pretty separate issues.



    Even if he didn't know that much about web programming, he should have known enough about security to tell/let someone else program the encryption instead of using a substitution. Also, since he was the professor, he should have known how to implement and break different types of encryption, as the original poster's comment has let us assume. Since he obviously had at least some skill at programming, as he did write the page and the substitution encryption, he should have been able to implement an algorithm that was at least SOMEWHAT more complicated. At least rotate the substitution table or something ya know?
  • ChiefCrazyTalk (unregistered) in reply to don

    don:
    Anonymous:
    Caret. Carrot. They're not even homophones.


    Depends on where you're from. They're homophones to me (US, western Pennsylvania)

     

    LOL I was thinking they are homophones to me too, then I read where you are from (I'm from Pittsburgh).  Guess that explains it!

    CAPTCHA:  1337

  • (cs) in reply to GoatCheez
    GoatCheez:
    You are missing the point.


    It turns out that the website was actually a practical application of the visiting professor's knowledge of the subject.


    That means that the visiting professor wrote the website.

    The professor imparts knowledge to students. Teaching assistants and research assistants are students. In this particular case, it is possible that one of the professor's research students was tasked with writing this website. Hence, the website is a practical application of knowledge imparted by the professor, and the website did not (necessarily) write the website.

    QED.

  • Nerdmaster (unregistered) in reply to GoatCheez
    GoatCheez:

    Even if he didn't know that much about web programming, he should have known enough about security to tell/let someone else program the encryption instead of using a substitution. Also, since he was the professor, he should have known how to implement and break different types of encryption, as the original poster's comment has let us assume. Since he obviously had at least some skill at programming, as he did write the page and the substitution encryption, he should have been able to implement an algorithm that was at least SOMEWHAT more complicated. At least rotate the substitution table or something ya know?


    Yeah, he made some stupid mistakes... but keep in mind, security is relative.  If you can reasonably assume that your password file is secure (and if he asked somebody else about that, they may well have told him it was, seeing as it was secure enough to require a second person to access it), you technically need very little security.  And if you don't know much about PHP/Perl, you might not know how to pull in a solid library for security.  When writing your own security, implementing something truly secure tends to be a very difficult process (especially for a non-programmer), and not likely to be worth your time for something that you already believe is secure.

    I'm not saying the prof doesn't have a thing or two to learn.  He clearly knows nothing about web security, and clearly didn't know how vulnerable his password file was.  But his mistakes don't seem, to me, to invalidate the topic about which he teaches.

    I consider myself a pretty good programmer, but if I'm doing a quick project that is just to get something up and running, I will cut corners too.  I think most people will.  I just can't fault him for that.
  • mph (unregistered) in reply to don
    don:
    Depends on where you're from. They're homophones to me (US, western Pennsylvania)


    Me too.  Just like your name and "Dawn", or "cot" and "caught."

    (Also from western PA.)
  • Jeff (unregistered) in reply to SlippyVillage

     No, he was actually using a carrot.

  • foxyshadis (unregistered) in reply to codenator
    codenator:

    Doesn't surprise me really, most professors stay in a sheltered workshop called University where they learn no real world skills just theory. Let’s face it if you were a security expert why would you stay and work for a university???

    According to Uni, PKI is the answer to all the world's business security problems. In the real world, even suggesting PKI to companies under 500 employees will get you laughed out of the room. Even if you're suggesting it for identity management, rather than overt security; far simpler solutions have come along in the last decade to somewhat moot PKI.


    PhD's on your resume actually look bad when applying for real world jobs, I tend not to hire them because basically they aren't any good in the real world, remember that kids, academia is a bad thing when you want to work in the real world (woah now there's a flame war starter)


    You're saying you actually discriminate against all PhD holders, rather than hire based on competence, experience, and confidence? And this is supposed to be a good business decision?
  • Adrian (unregistered) in reply to Scoutn

    I for one, have not directly used anything that I learnt in university.  That is not to say of course that university was not worthwhile.

    captcha : clueless

  • (cs) in reply to foxyshadis
    Anonymous:
    PhD's on your resume actually look bad when applying for real world jobs, I tend not to hire them because basically they aren't any good in the real world, remember that kids, academia is a bad thing when you want to work in the real world (woah now there's a flame war starter)
    You're saying you actually discriminate against all PhD holders, rather than hire based on competence, experience, and confidence? And this is supposed to be a good business decision?


    Indeed.  Claiming that a PhD with 5 years field experience is any worse than a highschool graduate with 5 years field experience is absurd.
  • Fred Flintstone (unregistered)

    Great WTF, and congratulations to Dan for his 8.0 GPA.

  • John Hensley (unregistered) in reply to codenator
    codenator:

    Doesn't surprise me really, most professors stay in a sheltered workshop called University where they learn no real world skills just theory.


    Uh, except for going to conferences and needing to know enough to get a paper published and all that. It's rather obvious from the post that this instructor doesn't even know theory.

    Many universities have "staff instructors" who are not professors or students, do not have to research or submit papers, and do not attend conferences on current developments.
  • (cs) in reply to Nerdmaster

    Anonymous:
    Am I the only person here who's aware that Security != Web security?  You can know a shitload about security and cryptography without being a web programmer.  I wouldn't be at all surprised if this class were focused on algorithms and general concepts, and never once touched on web security.

    Knowing what security actually means (security through obscurity isn't security, etc) is the first step toward applying security knowledge.  Knowing how algorithms work is probably not that important to most real-world jobs, I'll give you that, but it's interesting as hell, and for a die-hard security specialist, it is important to know which algorithms work which ways so that you know that if algorithm X just got exploited, algorithm Y ain't safe either...

    I wouldn't be surprised if the prof is very knowledgeable about security and cryptography, but knows nothing about programming, and that the "app" in question is something used by more than just him.  ie, a student project that the school, in its infinite wisdom, decided to make use of.

    Should the prof have done some research on said app?  Yeah, probably.  But it's really not his job to know WEB security.  Web "security" isn't even the tip of the iceberg when it comes to knowing security and cryptography.  That's the place you apply the knowledge, if you land that kind of job, but not the place you start.  At least not if you want a strong security background, versus knowing how to write secure apps for one and only one platform.

    He should have known enough to not make the mistakes made on the web site.  For example, he should have known that hiding his secrets was one of the pillars of implementing an authentication system.  If he didn't do any research on how to do that in his chosen development platform/environment, he missed the boat.  He should have also known that rolling your own encryption scheme or choosing a trivial one is stupid.  Even if your environment doesn't come with a good algorithm, finding one is simple.  I found AES for a 4K PIC microprocessor after 30 minutes of Google searching last year, he could have found SHA512 for his platform.

    He was most likely one of those guys that knows all the words, but can't put them together to make a real solution.  Example: I met a guest lecturer a few months ago that was lecturing on biometric authentication.  Well, his whole focus was on how biometrics was going to revolutionize things like web banking and reduce spam.  He totally missed the point that biometrics only works when the hardware can be trusted.  The problem is that a compromised device in someone's house can be made to authenticate a fake finger or iris.  After that happens, the genuine owner would have an awful hard time changing their eyeball or fingers.  The system would be permanently broken in a few weeks.  A lot of people in the security industry can't put all the pieces together, and they also can't help a student understand security.  Guys like Bruce Schneier are good at putting the pieces together.
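
The point argued in the comment above and in the earlier replies (a substitution cipher is a poor way to store passwords), as an added example that is not part of any poster's comment or of the site in the story. The substitution table, account passwords and record format are constructed for illustration, and PBKDF2-HMAC-SHA256 from the Python standard library is swapped in as the salted one-way scheme; it is not the SHA512 routine the commenter mentions.

```python
import hashlib
import hmac
import os
import string

# --- Weak scheme: fixed monoalphabetic substitution (table constructed for this demo) ---
PLAIN = string.ascii_lowercase
SUBST = "qwertyuiopasdfghjklzxcvbnm"
_ENC = str.maketrans(PLAIN, SUBST)
_DEC = str.maketrans(SUBST, PLAIN)


def subst_store(password):
    """'Encrypt' a password the way a substitution scheme would store it."""
    return password.translate(_ENC)


def subst_recover(stored):
    """The table ships with the application, so every record is reversible."""
    return stored.translate(_DEC)


def table_from_known_pair(password, stored):
    """A user's own password plus their own record reveals part of the table."""
    return {c: p for p, c in zip(password, stored)}


def decode_with(table, stored):
    """Apply a partial table; symbols not yet learned are shown as '?'."""
    return "".join(table.get(ch, "?") for ch in stored)


# --- Hardened scheme: per-user salt and an iterated one-way hash ---
ITERATIONS = 600_000  # assumption: tune to your hardware and current guidance


def kdf_store(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def kdf_verify(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        rounds = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or not 1 <= rounds <= 10_000_000:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample accounts; alice and bob share a password.
    users = {"alice": "opensesame", "bob": "opensesame", "carol": "seasonpass"}

    weak = {u: subst_store(p) for u, p in users.items()}
    print("substitution records:", weak)
    print("same password, same record:", weak["alice"] == weak["bob"])
    partial = table_from_known_pair(users["alice"], weak["alice"])
    print("carol decoded from alice's pair:", decode_with(partial, weak["carol"]))

    strong = {u: kdf_store(p) for u, p in users.items()}
    print("same password, same record:", strong["alice"] == strong["bob"])
    print("verify correct:", kdf_verify("opensesame", strong["alice"]))
    print("verify wrong:", kdf_verify("opensesame", strong["carol"]))
```

With the salted hash there is nothing to decode: a leaked file only lets someone test guesses one at a time, and identical passwords no longer produce identical records.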

  • anonymous cow (unregistered)

    I took a Network Security class at university a few years ago. The class taught methodologies and implementation of public and private key encryption, as well as TCP/IP fundamentals and the basic concepts behind detecting and exploiting vulnerabilities. Every student in the class had an account on a Linux box in the professor's office. The first assignment was to send an email to the professor. The professor would autoreply his public PGP key. Then the students had to generate their own PGP key and send another message to the prof. You could send as many encrypted emails as you wanted, getting 1 pt for each.

    Now, where the assignment got interesting: you got 5pts for each OTHER student's email you submitted. There was a packet sniffer setuid root on the machine for the purpose. Because the sniffer was setuid root, the prof had modified the code to change the ownership of the logfile to the person running it. [The professor was aware of this vulnerability and left it in place intentionally to see if anyone would find it]. Well.. I set the logfile to be /etc/passwd. Ran the sniffer and terminated it, and set root's password to null, su'd and set the password to one of my own. Then I switched the professor's public key for mine, and locked his account. I let other people send their emails, and just before the deadline for the assignment, I ran a perl one-liner to kill everyone else's ssh sessions, then sent my second email in plaintext. Stopped the one-liner, then grabbed the mail log and submitted that. The best part was when I was sitting in the professor's office, chatting with him about something else, and one of my classmates came in and asked him to reset her password. He tried to log in and said "It appears my password no longer works. [looking at me] You wouldn't know anything about this, would you?"

    I didn't have to complete any other assignments for the rest of the quarter. I acted as TA and replaced the linux box with a FreeBSD one.

    So, not all colleges are completely worthless. This was at the University of Cincinnati. If you ever get the chance to take a class with Professor Franco, I highly recommend it. Definitely the best teacher I've ever had.

  • Anony Moose (unregistered) in reply to Dam Bugglin

    Anonymous:
    And, the prof wasn't terribly happy that we had found holes in his site. :)

    It could have been worse. You could have been arrested and imprisoned as a terrorist, (Well, terrorist/hacker mastermind, it's all the same thing, right?)

    All joking aside, as long as "hacking" is illegal, the lack of permission to view other students' accounts could technically have made your actions a crime, and these days it is viewed pretty seriously.

     

  • Franz Kafka (unregistered) in reply to Nerdmaster
    Anonymous:
    Am I the only person here who's aware that Security != Web security?  [...]

    I wouldn't be surprised if the prof is very knowledgeable about security and cryptography, but knows nothing about programming, and that the "app" in question is something used by more than just him.  ie, a student project that the school, in its infinite wisdom, decided to make use of.

    Should the prof have done some research on said app?  Yeah, probably.  But it's really not his job to know WEB security.  Web "security" isn't even the tip of the iceberg when it comes to knowing security and cryptography.  That's the place you apply the knowledge, if you land that kind of job, but not the place you start.  At least not if you want a strong security background, versus knowing how to write secure apps for one and only one platform.


    That is an astoundingly stupid thing to say. Security is a process and web security is an application of that process. It doesn't matter if you know all about crypto if your security is a joke - crypto is just one piece of the puzzle.

    Also, running that turd while teaching a security course is like teaching English with text message abbreviations.
  • Franz Kafka (unregistered) in reply to Nerdmaster
    Anonymous:
    Anonymous:

    maybe you skimmed over the part about him using a substitution cypher for the password


    Or perhaps you skimmed over the part where I don't believe he wrote the code... so if I don't believe he wrote the code (and in fact I wouldn't be surprised if he doesn't do any web programming at all), then the cipher in use is a moot point.

    Repeat after me: web security is not all there is to security.  Just because some of you live in a little shell where you only know about security in the world of online apps, doesn't mean those apps are the only place security and cryptography have ever been used.

    There are volumes of books that go over all kinds of cryptography and security principles, and most of them never touch on the specific issues for web apps: hidden field vulnerabilities, XSS, SQL Injections, assuming POST data is safe, assuming referer headers are reliable, assuming cookie data is reliable, etc.


    Well, he certainly selected it, and over other products like phpBB, so it's reasonable to expect he'd catch something as obvious as this non-security.

    captcha: craptastic - how appropriate
  • ME (unregistered) in reply to Franz Kafka

    We had a fun one at my University,
    Directly after a lecture on computing ethics, our lecturer asked the class if anyone knew where he could get a cracked version of a programme he had 'lost his key to'. Within seconds he had four or five offers of copies, and no, this was not part of a test; he actually wanted the software!

  • (cs) in reply to ben
    Anonymous:
    CARET, damnit, the word is CARET. A carrot is a bleedin' orange root vegetable, have you never seen a goddam carrot in your life? Caret. Carrot. They're not even homophones.

    But the fields were really carrot separated! The professor printed the account file, placed the printout on his wooden kitchen table and put carrots between the columns. Then he photographed the whole carrot-separated arrangement.

    It's interesting to note that the same professor also invented a logarithmic sorting algorithm for root vegetables that uses a linear number of leporidian processing units, better known as wascally wabbits.

  • (cs)

    The author missed an opportunity. He should have demonstrated to the lecturer a user account that isn't supposed to exist, then demanded a meeting with him and another lecturer to demonstrate and explain how the message board can be cracked. At the meeting, don't proceed without explicit permission to crack the site. He would then proceed to rip it apart whilst explaining how he did it and the principles that should be applied to prevent such cracking.

    Then he should have exclaimed this demonstrates an excellent knowledge and understanding of the course subject and that he should be given top marks.

  • (cs) in reply to wintermyute

    wintermyute:
    So, the guy in the picture is Dan, right?

    Yeah... amazing how the gym seats and the guy and the shirt all look too similar. Is Dan == Chris ( from previous post ) - are we using stock photography?

  • (cs) in reply to GoatCheez

    GoatCheez:
    Anonymous:
    Anonymous:

    maybe you skimmed over the part about him using a substitution cypher for the password


    Or perhaps you skimmed over the part where I don't believe he wrote the code... so if I don't believe he wrote the code (and in fact I wouldn't be surprised if he doesn't do any web programming at all), then the cipher in use is a moot point.

    Repeat after me: web security is not all there is to security.  Just because some of you live in a little shell where you only know about security in the world of online apps, doesn't mean those apps are the only place security and cryptography have ever been used.

    There are volumes of books that go over all kinds of cryptography and security principles, and most of them never touch on the specific issues for web apps: hidden field vulnerabilities, XSS, SQL Injections, assuming POST data is safe, assuming referer headers are reliable, assuming cookie data is reliable, etc.


    You are missing the point.


    It turns out that the website was actually a practical application of the visiting professor's knowledge of the subject.


    That means that the visiting professor wrote the website. Not to mention the comment by the original poster saying so.

    A crypt professor should know that substitution is weak security

    That's a WTF.

    I think everyone will agree that web security is a different subject than security in general, however web security utilizes things learned from studying general security. Things such as how strong different encryptions are. This professor should have known.... c'mon man... DHER!

    The real rub about security is keeping a secret. If only one person knows the secret it is 100% secret. If two know, it's only a half secret. It diminishes further from there. The whole point of keys and encryption is to "share" a secret - between two or more parties.

    The strength of the secret depends on two things, primarily the trust of those that know the secret ( ie - their ability to keep it secret ) and the strength of the encryption.

    If the trust is loosely guarded, what's the point of encryption?
    If the encryption is easily decrypted, what's the point of encryption?

    I see this all the time: 
     "our database is password protected" .... Yeah, but your data is clear text
     "our database is encrypted" .... Yeah, but the password is taped to the monitor of one of your trustees
     
    Secrecy is a two-fold effort. Trust and Encryption. Mainly trust.

  • Cherry Barnet (unregistered) in reply to OneMHz

    I'd be very surprised if those files were there.  You have to get very lucky to get the names exact.

  • Cheong (unregistered) in reply to Gordo
    Anonymous:
    I just can't resist... what's the Unicode number for those little carrot symbols the professor used as the delimiters in his passwords file?

    And I just cannot resist... It's a serious bug, for "carrot" cannot be found in the 3 Wingdings fontsets. Heck... we even have the Windows logo there (0xffh)
  • GD (unregistered) in reply to Cherry Barnet
    Anonymous:
    I'd be very surprised if those files were there.  You have to get very lucky to get the names exact.

    Didn't he get the error message? OR with FTP access.. EVERY file will show.

    Why can't you Americans distinguish between an ER (carrot) sound and an EH sound (caret)?

  • Gondola (unregistered) in reply to Saarus

    Or a Ted Stevens lecture about the internets

  • anonymous coward (unregistered) in reply to Nerdmaster
    Anonymous:


    I wouldn't be surprised if the prof is very knowledgeable about security and cryptography, but knows nothing about programming, and that the "app" in question is something used by more than just him.  ie, a student project that the school, in its infinite wisdom, decided to make use of.



    Knows enough to use ROT(n) encryption? :)
  • (cs) in reply to ben

    Anonymous:
    CARET, damnit, the word is CARET. A carrot is a bleedin' orange root vegetable, have you never seen a goddam carrot in your life? Caret. Carrot. They're not even homophones.

     

    It's true, carrots haven't got anything against gays
