• (cs)

    This isn't nearly as bad, but for my last CS course I took (operating systems...fun stuff), to access our grades we needed to choose a "magic word". I entered my name and email and student id, but then accidentally hit enter before entering a magic word.

    Well, there were no checks like "your magic word must be longer than 0 characters" or anything...it let me choose a blank magic word. I couldn't change it afterwards, and even worse the ONLY thing you need is your magic word to view your grades. So now if anyone goes to the course webpage and clicks the "login" button before entering anything, it goes straight to my grades.

    The professor was very good otherwise. To his credit (or not) I think the site was set up by a TA (whoever wrote it seemed to not speak English as their first language, and the prof did). However I emailed him and never got a response.

    Ah well, they're just grades...and I kicked ass in that class.
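
The blank magic word above fails in two ways at once: nothing validates the secret when it is chosen, and the secret alone is the lookup key, so an empty secret is both accepted and shared by anyone who submits an empty form. The Python below is an added example, not code from the course site or from the poster; the student ids, grades and the minimum-length policy are constructed for illustration. The first class reproduces the failure; the second binds the secret to the student id, rejects empty or short secrets at enrollment, and stores only a salted PBKDF2 hash.

```python
import hashlib
import hmac
import secrets

MIN_SECRET_LENGTH = 8       # assumed policy value, not from the original course site
PBKDF2_ITERATIONS = 100_000

# Constructed sample data: not real students or grades.
SAMPLE_GRADES = {"s1001": "A", "s1002": "B-"}


class VulnerableGradeLookup:
    """Reproduces the failure described above: the secret is the only key,
    and nothing stops a student from registering an empty one."""

    def __init__(self):
        self._by_secret = {}            # secret -> grades

    def register(self, student_id: str, secret: str) -> None:
        self._by_secret[secret] = SAMPLE_GRADES[student_id]   # "" is accepted

    def lookup(self, secret: str):
        # lookup("") returns the grades of whoever registered a blank secret
        return self._by_secret.get(secret)


class HardenedGradeLookup:
    """The secret is validated at enrollment, bound to the student id, and
    stored only as a salted hash; a lookup needs both id and secret."""

    def __init__(self):
        self._records = {}              # student_id -> (salt, digest)

    @staticmethod
    def _derive(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, student_id: str, secret: str) -> None:
        if not secret or len(secret) < MIN_SECRET_LENGTH:
            raise ValueError(f"secret must be at least {MIN_SECRET_LENGTH} characters")
        salt = secrets.token_bytes(16)
        self._records[student_id] = (salt, self._derive(secret, salt))

    def lookup(self, student_id: str, secret: str):
        record = self._records.get(student_id)
        if record is None:
            return None
        salt, digest = record
        # constant-time comparison; the secret never identifies the record by itself
        if not hmac.compare_digest(self._derive(secret, salt), digest):
            return None
        return SAMPLE_GRADES.get(student_id)
```

Note that the hardened version returns the same `None` for an unknown id and for a wrong secret, so the grade page does not leak which student ids exist.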

  • American (unregistered) in reply to GD
    Anonymous:
    Why can't you Americans distinguish between an ER (carrot) sound and an EH sound (caret)


    There's an "ER" sound in carrot? Like the one at the end of idea?

    A glance in Webster's Encyclopedic Unabridged Dictionary of the English Language (c. 1989) reveals this: carat and carrot are both pronounced with the schwa in their second syllable, the sound used in the unstressed syllables of most words (the a in alone, the e in system, the i in easily, the o in gallop, and the u in circus), whereas proper pronunciation of caret would use the short i sound (the i of if and big).

    So, all-in-all, I'm not at all surprised that most Americans would find the words to be homophones, given our tendency toward weakening vowel sounds whenever possible; however, it is true that in careful speech, caret should sound like "care"-"it" whereas carrot and carat should sound more like "care"-"uht".

    CAPTCHA = shizzle
  • Erlend (unregistered) in reply to ben

    Anonymous:
    CARET, damnit, the word is CARET. A carrot is a bleedin' orange root vegetable, have you never seen a goddam carrot in your life? Caret. Carrot. They're not even homophones.

    Typical reaction for somebody who most likely knows only 1 language (his own) to a guy's typo whose mother tongue is probably Greek, looking at his name ... I'm not sure but it's probably the typical American arrogance that you're so ignorant of. I could have made some typos/syntax errors here as well, but hey at least I can express myself in 4 languages ...

    Erlend from Belgium ( that's a country in the middle of Europe dumbo ! )

    Just been a little pissed now ;)

  • P-J (unregistered) in reply to ben
    Anonymous:
    CARET, damnit, the word is CARET. A carrot is a bleedin' orange root vegetable, have you never seen a goddam carrot in your life? Caret. Carrot. They're not even homophones.


    Snigger! He said homophone!
  • Also Anonymous (unregistered) in reply to ChiefCrazyTalk

    do n:
    Anonymous:
    Caret. Carrot. They're not even homophones.

    Depends on where you're from. They're homophones to me (US, western Pennsylvania)



    "Caret" rhymes with bet/get/net. "Carrot" rhymes with but/gut/nut.
  • (cs) in reply to codemoose

    codemoose:
    And he...taught programming.

    Those who can't do, teach.

  • (cs) in reply to kswanton

    You know your life is meaningless when you "bust a blood vessel" over how people are spelling CARET and CARROT when the actual issue at hand here is, as previously mentioned, that these courses do "prepare" people for real world applications.

    This is what an IT degree does to you! No experience, all theory. Look how far it gets them!

  • zamies (unregistered) in reply to icekrystal

    icekrystal:

    This is what an IT degree does to you! No experience, all theory. Look how far it gets them!

    Jung gur shpxG..LL

    What a load of crap. This is no theory! and no (good) practice either.


  • (cs) in reply to Also Anonymous

    Anonymous:
    do n:
    Anonymous:
    Caret. Carrot. They're not even homophones.

    Depends on where you're from. They're homophones to me (US, western Pennsylvania)

    "Caret" rhymes with bet/get/net. "Carrot" rhymes with but/gut/nut.

    Are you aware that not everyone pronounces words the same way?

    I'm not American, but even inside the US there are major differences between a New Yorker's speech, a Floridian's, or a redneck's from the deep south; there is no reason why one of them wouldn't pronounce "caret" and "carrot" the same way.

  • (cs)

    "I have never let my schooling interfere with my education." - Mark Twain (1835-1910)

  • Vince (unregistered) in reply to ben
    Anonymous:
    They're not even homophones.

    Hey, no need to bring his orientation into this conversation...
  • Anonymous (unregistered) in reply to masklinn

    I'm curious. How many people on here pronounce "panache" to rhyme with "apache"?

  • (cs) in reply to ChiefCrazyTalk
    Anonymous:

    don:
    Anonymous:
    Caret. Carrot. They're not even homophones.


    Depends on where you're from. They're homophones to me (US, western Pennsylvania)


    LOL I was thinking they are homophones to me too, then I read where you are from (I'm from Pittsburgh).  Guess that explains it!

    CAPTCHA:  1337

    Same here, and you guessed it; I'm also in Pittsburgh.


  • (cs) in reply to masklinn
    masklinn:
    Anonymous:

    do n:
    Anonymous:
    Caret. Carrot. They're not even homophones.


    Depends on where you're from. They're homophones to me (US, western Pennsylvania)



    "Caret" rhymes with bet/get/net. "Carrot" rhymes with but/gut/nut.

    Are you aware that not everyone pronounces words the same way?

    I'm not American, but even inside the US there are major differences between a New Yorker's speech, a Floridian's, or a redneck's from the deep south; there is no reason why one of them wouldn't pronounce "caret" and "carrot" the same way.

    That's called dialect. ;)

  • (cs) in reply to Bob Smith
    Anonymous:
    Anonymous:
    Am I the only person here who's aware that Security != Web security?  You can know a shitload about security and cryptography without being a web programmer.  I wouldn't be at all surprised if this class were focused on algorithms and general concepts, and never once touched on web security.

    Knowing what security actually means (security through obscurity isn't security, etc) is the first step toward applying security knowledge.  Knowing how algorithms work is probably not that important to most real-world jobs, I'll give you that, but it's interesting as hell, and for a die-hard security specialist, it is important to know which algorithms work which ways so that you know that if algorithm X just got exploited, algorithm Y ain't safe either...

    I wouldn't be surprised if the prof is very knowledgeable about security and cryptography, but knows nothing about programming, and that the "app" in question is something used by more than just him.  i.e., a student project that the school, in its infinite wisdom, decided to make use of.

    Should the prof have done some research on said app?  Yeah, probably.  But it's really not his job to know WEB security.  Web "security" isn't even the tip of the iceberg when it comes to knowing security and cryptography.  That's the place you apply the knowledge, if you land that kind of job, but not the place you start.  At least not if you want a strong security background, versus knowing how to write secure apps for one and only one platform.


    maybe you skimmed over the part about him using a substitution cipher for the password


    The whole mess sounds pathetic to me. It's not intellectually hard to do good security, but people manage to find ways of screwing it up all the time, trying to take shortcuts rather than doing the work. I can't count the number of times I've seen an authentication field sent up through a GET statement, visible right there in the URL. The "smart" people will hash it, but it's still problematical, because you're letting the user change it. And the "hidden" field is sadly common as well. If $logged_in == TRUE {} as a javascript, common.

    Always pass authentication information on a server-side session cookie, and, if at all possible, hit back to a database on a regular basis to make sure the cookie is valid for the session/user. Never store a password plain text, and never let a user send a password over an unencrypted connection, and even then, don't send it more than once...hash it against the session id, and check that value. DON'T USE MD5. Never leave authentication information where the user can see it. They should see a text box for username, a password box for password, and nothing else that is not cosmetic. Don't do anything related to security with javascript...that's not what it's for.

    The stuff is all common sense to anyone with experience. Read any article on securing web applications and you'll see the same stuff. But if common sense were really common, there'd be no word for it, and nobody reads the instructions.
  • Mark H (unregistered) in reply to Nerdmaster
    Anonymous:

    I wouldn't be surprised if the prof is very knowledgeable about security and cryptography, but knows nothing about programming, and that the "app" in question is something used by more than just him.  ie, a student project that the school, in its infinite wisdom, decided to make use of.


    If that's true, then it's not a Comp Sci class, it's a math class. And he's a math professor.

    I took a semester of RSA cryptography, and indeed, we wrote fewer than 200 lines of code all semester...we wrote over 1000 lines of mathematical proof.

    Can we please, for all that's holy, post the name of the professor? We're not going to flame him or anything, I just want to know if this is a big school to tell CS prospects not to go there.
  • I'm batman! (unregistered) in reply to don
    don:
    Anonymous:
    Caret. Carrot. They're not even homophones.


    Depends on where you're from. They're homophones to me (US, western Pennsylvania)

    That explains it - in eastern PA we enunciate. Let me guess: you think at least "your" and "you're" are homophones, too. "hour", "our", "are". I've heard the hillpeople pronounce those the same, too!

  • anonymous (unregistered) in reply to Satanicpuppy
    Satanicpuppy:
    Don't do anything related to security with javascript...that's not what it's for.
    What? Gulp...I think I need to go fix some code!
  • (cs) in reply to merreborn
    merreborn:
    The only thing that makes me groan louder than 'cheney with a gun' jokes is the realization that we're going to be hearing them for the next 10 years.


    I'm certain that the Cheney with a Gun jokes will stop soon after the Conservatives stop telling Clinton with a Cigar jokes.

  • Le salaud (unregistered) in reply to anonymous
    Satanicpuppy:
    Don't do anything related to security with javascript...that's not what it's for.
    You mean..Javascript is for something?
  • (cs) in reply to Satanicpuppy
    Satanicpuppy:
    I can't count the number of times I've seen an authentication field sent up through a GET statement, visible right there in the URL. The "smart" people will hash it, but it's still problematical, because you're letting the user change it.


    Just like with POST.

  • (cs) in reply to masklinn
    masklinn:
    Anonymous:

    do n:
    Anonymous:
    Caret. Carrot. They're not even homophones.


    Depends on where you're from. They're homophones to me (US, western Pennsylvania)



    "Caret" rhymes with bet/get/net. "Carrot" rhymes with but/gut/nut.

    Are you aware that not everyone pronounces words the same way?

    I'm not American, but even inside the US there are major differences between a New Yorker's speech, a Floridian's, or a redneck's from the deep south; there is no reason why one of them wouldn't pronounce "caret" and "carrot" the same way.

    Caret, Carrot, and "Care It" are all homophonous in my corner of the States (Cleveland, OH). Since we do not have accents (though everyone else in the world does), I'm sure that our pronunciation is the correct one. Add that to the fact that a caret (^) resembles a triangle and that carrots are generally symbolized as triangles (as the below image shows), and it's an easy detail to mix up.


    [image]

  • American (unregistered) in reply to Alex Papadimoulis

    "Caret" rhymes with bet/get/net. "Carrot" rhymes with but/gut/nut.

    Actually, while "caret" rhymes with bet, get, and net, "carrot" does not rhyme with but, gut, or nut. It does rhyme with abbot, tenet, senate... If you can't hear the difference, seek out a local linguist. It's a lot of fun to explore sounds that we don't differentiate (just as native Japanese speakers have trouble with l's and r's).

    Alex:

    Caret, Carrot, and "Care It" are all homophonous in my corner of the States (Cleveland, OH). Since we do not have accents (though everyone else in the world does), I'm sure that our pronunciation is the correct one. Add that to the fact that a caret (^) resembles a triangle and that carrots are generally symbolized as triangles (as the below image shows), and it's an easy detail to mix up.



    Cleveland certainly has an accent all its own...(actually, the area around Lake Erie).

    Still, how many Americans see the word caret in print? Not many, I'd say.

    CAPTCHA = hacker

  • (cs) in reply to I'm batman!

    Anonymous:
    don:
    Anonymous:
    Caret. Carrot. They're not even homophones.


    Depends on where you're from. They're homophones to me (US, western Pennsylvania)
    That explains it - in eastern PA we enunciate. Let me guess: you think at least "your" and "you're" are homophones, too. "hour", "our", "are". I've heard the hillpeople pronounce those the same, too!

    Hmmm .. I've lived in Boston, New York City, Phoenix and Portland and it's always been 'care-it'.

    (krt) versus (krt) according to dictionary.com

    Merriam-Webster has:

    Pronunciation: 'ker-&t, 'ka-r&t   versus

    Pronunciation: 'ker-&t, 'ka-r&t

    You people talk funny

  • Max (unregistered)

    really sad. that prof should be fired.

  • Bustaz Kool (unregistered) in reply to Raider

    Raider:
    What's the difference between a Rooster and a Hooker?

    What are you in...seventh grade?

  • (cs)
    Anonymous:
    Reminds me of my college C++ professor, who was also my advisor.

    After much clamoring from the senior class one year about "Pascal is not going to get us a job!", they added a class in "C++". Which I promptly took.

    It seemed like my professor was reading the text as he walked to class each day. He didn't know a damn thing.

    Best part was his grip of inheritance. Completely upside down. In HIS mind:

    Class Animal

    derives from

    Class Dog

    derives from

    Class Poodle

    Need I explain how hard it is to write your final project when THAT's what the prof is looking for?

    Now that I look back, I think they owe me a partial refund.




    It sounds like the Professor was reading the book UPSIDE DOWN!
  • (cs) in reply to Erlend
    Anonymous:

    Anonymous:
    CARET, damnit, the word is CARET. A carrot is a bleedin' orange root vegetable, have you never seen a goddam carrot in your life? Caret. Carrot. They're not even homophones.

    Typical reaction for somebody who most likely knows only 1 language (his own) to a guy's typo whose mother tongue is probably Greek, looking at his name ... I'm not sure but it's probably the typical American arrogance that you're so ignorant of. I could have made some typos/syntax errors here as well, but hey at least I can express myself in 4 languages ...

    Erlend from Belgium ( that's a country in the middle of Europe dumbo ! )

    Just been a little pissed now ;)

    Europe?

  • (cs) in reply to Bus Raker
    Bus Raker:

    Anonymous:
    don:
    Anonymous:
    Caret. Carrot. They're not even homophones.


    Depends on where you're from. They're homophones to me (US, western Pennsylvania)
    That explains it - in eastern PA we enunciate. Let me guess: you think at least "your" and "you're" are homophones, too. "hour", "our", "are". I've heard the hillpeople pronounce those the same, too!

    Hmmm .. I've lived in Boston, New York City, Phoenix and Portland and it's always been 'care-it'.

    (krt) versus (krt) according to dictionary.com

    Merriam-Webster has:

    Pronunciation: 'ker-&t, 'ka-r&t   versus

    Pronunciation: 'ker-&t, 'ka-r&t

    You people talk funny



    Bah! I don't care what any website or official reference book says. Carrot and Caret are both pronounced the same way. Kah Are Air Eh It. I really don't know how or why people are pronouncing it with two syllables when it CLEARLY has five.
  • (cs) in reply to Mark H

    Anonymous:
    Anonymous:

    I wouldn't be surprised if the prof is very knowledgeable about security and cryptography, but knows nothing about programming, and that the "app" in question is something used by more than just him.  ie, a student project that the school, in its infinite wisdom, decided to make use of.


    If that's true, then it's not a Comp Sci class, it's a math class. And he's a math professor.

    I took a semester of RSA cryptography, and indeed, we wrote fewer than 200 lines of code all semester...we wrote over 1000 lines of mathematical proof.

    Can we please, for all that's holy, post the name of the professor? We're not going to flame him or anything, I just want to know if this is a big school to tell CS prospects not to go there.

    For what it's worth, the project for my Masters degree involved porting TeX (Knuth) to support a then-new typesetter. It was delivered to us as about 10K lines of unformatted, uncommented, unindented Pascal, all as nested subroutines under a single 'main' subroutine, that itself was a hack to get around some vile heap space limitation in the Pascal implementation on our mainframe.

    I spent quite a while trying to format it in vi, quite a while analyzing it to figure out what it did, and how. I wound up changing ONE CHARACTER in the entire program to effect the change.

    I didn't learn a damn thing about programming, I learned that even smart people can write the worst possible code in the worst possible way, and that as long as I jumped through enough hoops, they'd give me a diploma, even if they didn't teach me anything about computer science.

  • kman (unregistered)

    This is a joke right? Holy crap!

  • poochner (unregistered) in reply to script-man
    script-man:

    For what it's worth, the project for my Masters degree involved porting TeX (Knuth) to support a then-new typesetter. It was delivered to us as about 10K lines of unformatted, uncommented, unindented Pascal, all as nested subroutines under a single 'main' subroutine, that itself was a hack to get around some vile heap space limitation in the Pascal implementation on our mainframe.

    I spent quite a while trying to format it in vi, quite a while analyzing it to figure out what it did, and how. I wound up changing ONE CHARACTER in the entire program to effect the change.

    I didn't learn a damn thing about programming, I learned that even smart people can write the worst possible code in the worst possible way, and that as long as I jumped through enough hoops, they'd give me a diploma, even if they didn't teach me anything about computer science.



    Why didn't they give you the web source code (the .web files)?  Or at least get you a copy of the book?  You did know that both the source to tex and metafont are published as books, right? Reading what comes out of tangle is a total PITA.  That's just stupid.  If you had read the source code, you'd know that it's not the worst possible code, it just gets mangled badly going through the preprocessor.  That's what strips the comments, re-arranges all the procedures, and in general glorks up the works.  OTOH, what comes out of weave (and printed out) is a lot better than what comes out of vgrind.
  • (cs) in reply to Bustaz Kool
    Anonymous:

    Raider:
    What's the difference between a Rooster and a Hooker?

    What are you in...seventh grade?

    No, I just enjoy amusing jokes, sorry if you don't have a sense of humor.

  • He Sed Awk (unregistered) in reply to codenator
    codenator:

    PhDs on your resume actually look bad when applying for real world jobs, I tend not to hire them because basically they aren't any good in the real world, remember that kids, academia is a bad thing when you want to work in the real world (whoa now there's a flame war starter)



    We once had a PhD in electrical engineering that could not solder two wires together ... he often told us that he could derive all that was needed for PID control - I told him that I just needed the controller repaired.

    He was also offered the chance to teach Assembly at the local community college - I reminded him that he _did_not_ know Assembly - "no problem I have bought the book" was the response ...
    sigh ...

    captcha == clueless :: how appropriate
  • (cs) in reply to Alexis de Torquemada
    Alexis de Torquemada:
    Satanicpuppy:
    I can't count the number of times I've seen an authentication field sent up through a GET statement, visible right there in the URL. The "smart" people will hash it, but it's still problematical, because you're letting the user change it.


    Just like with POST.



    Especially if you've got this.

    https://addons.mozilla.org/firefox/966/

    I use this extension to test against injection attacks, tampering with VIEWSTATE, and the like.
  • (cs) in reply to poochner
    Anonymous:
    script-man:

    For what it's worth, the project for my Masters degree involved porting TeX (Knuth) to support a then-new typesetter. It was delivered to us as about 10K lines of unformatted, uncommented, unindented Pascal, all as nested subroutines under a single 'main' subroutine, that itself was a hack to get around some vile heap space limitation in the Pascal implementation on our mainframe.

    I spent quite a while trying to format it in vi, quite a while analyzing it to figure out what it did, and how. I wound up changing ONE CHARACTER in the entire program to effect the change.

    I didn't learn a damn thing about programming, I learned that even smart people can write the worst possible code in the worst possible way, and that as long as I jumped through enough hoops, they'd give me a diploma, even if they didn't teach me anything about computer science.



    Why didn't they give you the web source code (the .web files)?  Or at least get you a copy of the book?  You did know that both the source to tex and metafont are published as books, right? Reading what comes out of tangle is a total PITA.  That's just stupid.  If you had read the source code, you'd know that it's not the worst possible code, it just gets mangled badly going through the preprocessor.  That's what strips the comments, re-arranges all the procedures, and in general glorks up the works.  OTOH, what comes out of weave (and printed out) is a lot better than what comes out of vgrind.

    I chose the project because I was excited to get to work with something that had been written by Knuth himself. I figured I'd get to see real-world examples of how stuff *should* be done.

    This was in the early 80's - there was no web - ergo, no .web files. There was DARPA, but we didn't have access, and I don't know if this would have been available on it anyway. At the time, I didn't know about the books (no clue when they were published). As for the mangled source, I asked why we had to work with it in that form, as opposed to getting, say, a nice clean listing. The professor told me it was all they would give us. IMHO, I think it was just to create difficulty (in what I had imagined as a nice easy learning exercise) to torture a grad-student.


  • (cs)
    Anonymous:

    I had a professor use some 3rd party online survey/test hosting service that I am sure was dumb simple for the user to set up. 

    I took a quick peek at the HTML and saw an interesting tag.

    <hidden name=emailresults [email protected] >

    I saved it locally and placed a yahoo address in there and clicked submit on the form.  And I loved the results I got back.

    you got 0 of 40 answers correct.

    For question 1 you picked <blank> you should have picked A
    For question 2 you picked <blank> you should have picked D
    For question 3 you picked <blank> you should have picked B
    ...

    it turned out to be a very easy class, no homework and all tests were online.

    Wish we had the web when I went to school *cries*

  • (cs) in reply to Raider
    Raider:
    Anonymous:

    Raider:
    What's the difference between a Rooster and a Hooker?

    What are you in...seventh grade?

    No, I just enjoy amusing jokes, sorry if you don't have a sense of humor.

    Just curious: Raider: are you a football fan, or just not a fan of Vince McMahon?

  • (cs) in reply to script-man
    script-man:
    Anonymous:
    script-man:

    For what it's worth, the project for my Masters degree involved porting TeX (Knuth) to support a then-new typesetter. It was delivered to us as about 10K lines of unformatted, uncommented, unindented Pascal, all as nested subroutines under a single 'main' subroutine, that itself was a hack to get around some vile heap space limitation in the Pascal implementation on our mainframe.

    I spent quite a while trying to format it in vi, quite a while analyzing it to figure out what it did, and how. I wound up changing ONE CHARACTER in the entire program to effect the change.

    I didn't learn a damn thing about programming, I learned that even smart people can write the worst possible code in the worst possible way, and that as long as I jumped through enough hoops, they'd give me a diploma, even if they didn't teach me anything about computer science.



    Why didn't they give you the web source code (the .web files)?  Or at least get you a copy of the book?  You did know that both the source to tex and metafont are published as books, right? Reading what comes out of tangle is a total PITA.  That's just stupid.  If you had read the source code, you'd know that it's not the worst possible code, it just gets mangled badly going through the preprocessor.  That's what strips the comments, re-arranges all the procedures, and in general glorks up the works.  OTOH, what comes out of weave (and printed out) is a lot better than what comes out of vgrind.

    I chose the project because I was excited to get to work with something that had been written by Knuth himself. I figured I'd get to see real-world examples of how stuff *should* be done.

    This was in the early 80's - there was no web - ergo, no .web files. There was DARPA, but we didn't have access, and I don't know if this would have been available on it anyway. At the time, I didn't know about the books (no clue when they were published). As for the mangled source, I asked why we had to work with it in that form, as opposed to getting, say, a nice clean listing. The professor told me it was all they would give us. IMHO, I think it was just to create difficulty (in what I had imagined as a nice easy learning exercise) to torture a grad-student.

    I just looked it up - the books were published in 1984 - I graduated in 1983, so the project was done in late 1982-early 1983 - before the books were available. I was born too damn soon!

  • (cs) in reply to John Bigboote
    John Bigboote:
    Alexis de Torquemada:
    Satanicpuppy:
    I can't count the number of times I've seen an authentication field sent up through a GET statement, visible right there in the URL. The "smart" people will hash it, but it's still problematical, because you're letting the user change it.


    Just like with POST.



    Especially if you've got this.

    https://addons.mozilla.org/firefox/966/

    I use this extension to test against injection attacks, tampering with VIEWSTATE, and the like.


    Yea, I check all the input data on the backend, before I pass it forward, so even if they screw with the POST data, it'll throw errors when the program checks the data against what it should be. I usually use some kind of hash to compare against the session id and the username, and if it doesn't compare, I log the user out and make them start over.

    The problem with a GET statement isn't just that it's in the damn URL, which is bad enough, it's that it's idempotent...I don't want a user to get back to the same page by clicking on a URL, if I care enough to make it secure in the first place. They better have the right session id, and they better be coming from a correct previous page, and they had better not have an invalid stored timestamp. If they don't, log 'em out. User friendly is fine when everything is happy and insecure, but if you need secure, it's time to get user hostile.

    I love Firefox's developer tools. Tamper Data, Web Developer, View Cookies. All good stuff. They make my life a hell of a lot easier...I used to sniff the damn data through homebrew proxies to make sure it looked right, and that is a huge pain in the ass.
  • (cs) in reply to Satanicpuppy

    Satanicpuppy:
    John Bigboote:
    Alexis de Torquemada:
    Satanicpuppy:
    I can't count the number of times I've seen an authentication field sent up through a GET statement, visible right there in the URL. The "smart" people will hash it, but it's still problematical, because you're letting the user change it.


    Just like with POST.



    Especially if you've got this.

    https://addons.mozilla.org/firefox/966/

    I use this extension to test against injection attacks, tampering with VIEWSTATE, and the like.


    Yea, I check all the input data on the backend, before I pass it forward, so even if they screw with the POST data, it'll throw errors when the program checks the data against what it should be. I usually use some kind of hash to compare against the session id and the username, and if it doesn't compare, I log the user out and make them start over.

    The problem with a GET statement isn't just that it's in the damn URL, which is bad enough, it's that it's idempotent...I don't want a user to get back to the same page by clicking on a URL, if I care enough to make it secure in the first place. They better have the right session id, and they better be coming from a correct previous page, and they had better not have an invalid stored timestamp. If they don't, log 'em out. User friendly is fine when everything is happy and insecure, but if you need secure, it's time to get user hostile.

    I love Firefox's developer tools. Tamper Data, Web Developer, View Cookies. All good stuff. They make my life a hell of a lot easier...I used to sniff the damn data through homebrew proxies to make sure it looked right, and that is a huge pain in the ass.

    It's the very nature of web applications that sessions can always be hijacked.  Well, either that or you don't support proxy servers.  The best you can do is to make the session id unpredictable, un-sniffable (by using https), and short lived.  A good random number generating algorithm, a 32 character session id, and some anti-brute-force logic will give a site a statistically insignificant chance of having a session hijacked.  Anything else is just wishful thinking as you send the session-keeping algorithm as part of the page to the client.  You might be able to obfuscate it a little bit, but we all know how well obfuscation works for security.  90% of my apps allow bookmarking and arbitrary page access without compromising security.  Often I even go the extra mile to make a page that someone might want to bookmark use a GET.  I once encoded a big structure in base72 just to cram it in a url parameter.  BTW, at the time I could find 72 characters that worked unencoded in a url, so that's why I chose base72.

    All those little tweaks really do is unnecessarily punish users for bookmarking and using the back button. I've seen plenty of web apps that go apeshit when someone uses "open in new window". Why ruin a perfectly useful feature that you get for free?
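The two posts above describe the same defensive ingredients: a session id from a good random source, a hash binding it to the username, a short lifetime, logout on any mismatch, and some anti-brute-force logic. The following is an added example, not code from either poster, showing those ingredients together in one small server-side store; the server key, the 15-minute TTL and the five-failure lockout are constructed values for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: a real deployment loads the key from a secret store.
SERVER_KEY = b"example-server-key-not-for-production"
SESSION_TTL_SECONDS = 15 * 60  # short-lived, as the post recommends
MAX_FAILED_LOOKUPS = 5         # anti-brute-force threshold (assumed value)

def new_session_id() -> str:
    """32 hex characters from the OS CSPRNG: 128 bits, unpredictable."""
    return secrets.token_hex(16)

def bind_token(session_id: str, username: str, issued_at: int) -> str:
    """HMAC that ties the session id to the user and the issue time.
    Stored server-side and recomputed on every request, so a session id
    presented with a different username fails the comparison."""
    msg = f"{session_id}|{username}|{issued_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

class SessionStore:
    def __init__(self, ttl: int = SESSION_TTL_SECONDS):
        self.ttl = ttl
        self._sessions = {}  # session_id -> (username, issued_at, binding)
        self._failures = {}  # client key -> failed lookups (e.g. per source IP)

    def login(self, username: str, now: int) -> str:
        sid = new_session_id()
        self._sessions[sid] = (username, now, bind_token(sid, username, now))
        return sid

    def validate(self, sid: str, claimed_user: str, now: int, client: str = "x") -> bool:
        """True only if the session exists, is unexpired and the binding matches.
        Any failure on an existing session logs the user out (deletes it)."""
        if self._failures.get(client, 0) >= MAX_FAILED_LOOKUPS:
            return False  # locked out after guessing too many session ids
        entry = self._sessions.get(sid)
        if entry is None:
            self._failures[client] = self._failures.get(client, 0) + 1
            return False
        username, issued_at, binding = entry
        expected = bind_token(sid, claimed_user, issued_at)
        if now - issued_at > self.ttl or not hmac.compare_digest(binding, expected):
            del self._sessions[sid]  # log 'em out and make them start over
            return False
        return True
```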

  • (cs) in reply to Unklegwar
    Anonymous:
    Anonymous:
    codenator:

    Doesn't surprise me really, most professors stay in a sheltered workshop called University where they learn no real world skills just theory. Let’s face it if you were a security expert why would you stay and work for a university???

    you're a fucking idiot.  Seriously.  Remove head from ass. I know SOME professors who are like this - i also know MORE professors who could code circles around your arrogant little fuckface every day of the week and twice on sunday.

    CAPTCHA is appropriately: STFU

    Where is your research from which you derived the qualifier "MOST professors"?
    Another one of those arbitrary assumptions gone wild.

    Your reply is odd, considering the word "most" does not appear in the message to which you replied.

  • poochner (unregistered) in reply to script-man
    script-man:
    script-man:
    Anonymous:
    script-man:

    For what it's worth, the project for my Masters degree involved porting TeX (Knuth) to support a then-new typesetter. It was delivered to us as about 10K lines of unformatted, uncommented, unindented Pascal, all as nested subroutines under a single 'main' subroutine, that itself was a hack to get around some vile heap space limitation in the Pascal implementation on our mainframe.

    I spent quite a while trying to format it in vi, quite a while analyzing it to figure out what it did, and how. I wound up changing ONE CHARACTER in the entire program to effect the change.

    I didn't learn a damn thing about programming, I learned that even smart people can write the worst possible code in the worst possible way, and that as long as I jumped through enough hoops, they'd give me a diploma, even if they didn't teach me anything about computer science.

    Why didn't they give you the web source code (the .web files)?  Or at least get you a copy of the book?  You did know that both the source to tex and metafont are published as books, right? Reading what comes out of tangle is a total PITA.  That's just stupid.  If you had read the source code, you'd know that it's not the worst possible code, it just gets mangled badly going through the preprocessor.  That's what strips the comments, re-arranges all the procedures, and in general glorks up the works.  OTOH, what comes out of weave (and printed out) is a lot better than what comes out of vgrind.

    I chose the project because I was excited to get to work with something that had been written by Knuth himself. I figured I'd get to see real-world examples of how stuff *should* be done.

    This was in the early 80's - there was no web - ergo, no .web files. There was DARPA, but we didn't have access, and I don't know if this would have been available on it anyway. At the time, I didn't know about the books (no clue when they were published). As for the mangled source, I asked why we had to work with it in that form, as opposed to getting, say, a nice clean listing. The professor told me it was all they would give us. IMHO, I think it was just to create difficulty (in what I had imagined as a nice easy learning exercise) to torture a grad-student.

    I just looked it up - the books were published in 1984 - I graduated in 1983, so the project was done in late 1982-early 1983 - before the books were available. I was born too damn soon!

    Oy.  Yes, you were born too soon :-)  The .web files have nothing to do with the WWW.  They're source files in the web language, which is what TeX and metafont are written in.  I'd recommend checking out the books, if you have a chance.  Computers and Typesetting has two volumes consisting entirely of the source code of TeX and metafont.  Another is the metafont source to the computer modern fonts.  Knuth is a strong proponent of literate programming, and web is a contribution to that end.   I know we had the web sources to TeX a little before your project, since that was what we were using at the time.  It was readily available, and beat the pants off of XICS, which was the other fancy typesetting package we had.  They were definitely torturing you. :-)

    Captcha: paste
    How appropriate for something about typesetting!
  • (cs) in reply to Nerdmaster

    Anonymous:
    Am I the only person here who's aware that Security != Web security?  You can know a shitload about security and cryptography without being a web programmer.  I wouldn't be at all surprised if this class were focused on algorithms and general concepts, and never once touched on web security.

    Knowing what security actually means (security through obscurity isn't security, etc) is the first step toward applying security knowledge.  Knowing how algorithms work is probably not that important to most real-world jobs, I'll give you that, but it's interesting as hell, and for a die-hard security specialist, it is important to know which algorithms work which ways so that you know that if algorithm X just got exploited, algorithm Y ain't safe either...

    I wouldn't be surprised if the prof is very knowledgeable about security and cryptography, but knows nothing about programming, and that the "app" in question is something used by more than just him.  i.e., a student project that the school, in its infinite wisdom, decided to make use of.

    Should the prof have done some research on said app?  Yeah, probably.  But it's really not his job to know WEB security.  Web "security" isn't even the tip of the iceberg when it comes to knowing security and cryptography.  That's the place you apply the knowledge, if you land that kind of job, but not the place you start.  At least not if you want a strong security background, versus knowing how to write secure apps for one and only one platform.

    +4 Informative

  • (cs) in reply to Anymoose

    Anonymous:
    depends on your accent actually.

    +5 Interesting

  • (cs) in reply to Someone, Somewhere, outwhere
    Anonymous:
    codenator:

    Doesn't surprise me really, most professors stay in a sheltered workshop called University where they learn no real world skills just theory. Let’s face it if you were a security expert why would you stay and work for a university???

    you're a fucking idiot.  Seriously.  Remove head from ass. I know SOME professors who are like this - i also know MORE professors who could code circles around your arrogant little fuckface every day of the week and twice on sunday.

    CAPTCHA is appropriately: STFU

    -30 Stupid

    The tone of the above post just actually offended me, and I'm an Australian. I really find this pointlessly offensive and of no educational or entertainment value whatsoever.

    Whichever side of the debate on the merits of formal education you may sit, the language and tone used here detracts from any attempt at intelligent argument to the point of obscurity.

    ... wait a minute, on closer inspection, there is no intelligent argument there..... must be one of those pro-formal education dickheads!

  • Joseph Motha (unregistered) in reply to Someone, Somewhere, outwhere

    Hit a sore spot, prof? Get a grip. Academia is chock-full of clueless guys who haven't seen a real application in years. Figure that you're the exception--not so clueless when it comes to programming savvy, but maybe a bit too touchy to hold down a real job.

  • Ambiguous George (unregistered)

    I hope Dan is like me and realized that people often use the same passwords for other things. Perhaps the professor did too, or his peers? Perhaps he needs to exercise the importance of good coding and security habits, by unleashing a reign of terror.

    Or he could take the "high road" and quietly show the professor the problem, befriend him, and do well in the subject.

    Or he could take the "low road" and grandstand in front of the class, proving once and for all how uber leet he is.

    I think we all know what is most cool to happen in this situation.

  • tester (unregistered) in reply to American
    American:
    "Caret" rhymes with bet/get/net. "Carrot" rhymes with but/gut/nut.
    Actually, while "caret" rhymes with bet, get, and net, "carrot" does not rhyme with but, gut, or nut. It does rhyme with abbot, tenet, senate... If you can't hear the difference, seek out a local linguist. It's a lot of fun to explore sounds that we don't differentiate (just as native Japanese speakers have trouble with l's and r's).
    Alex:
    Caret, Carrot, and "Care It" are all homophonous in my corner of the States (Cleveland, OH). Since we do not have accents (though everyone else in the world does), I'm sure that our pronunciation is the correct one. Add that to the fact that a caret (^) resembles a triangle and that carrots are generally symbolized as triangles (as the below image shows), it's an easy detail to mix up.

    Cleveland certainly has an accent all its own...(actually, the area around Lake Erie). Still, how many Americans see the word caret in print? Not many, I'd say.

    CAPTCHA = hacker
