• Matt (unregistered) in reply to silent d

    +10 internet points for silent d

  • (cs) in reply to mmmmmm...Cake.
    mmmmmm...Cake.:
    Patrick:
    I can just imagine the main function of the app now....

    Buyit(); useit(); breakit(); ... leaveit(); start_formatit();

    whipit();

    whipit_good();

  • (cs) in reply to Numeromancer
    Numeromancer:
    mmmmmm...Cake.:
    Patrick:
    I can just imagine the main function of the app now....

    Buyit(); useit(); breakit(); ... leaveit(); start_formatit();

    whipit();

    whipit_good();

    goforward(); moveahead();
  • (cs) in reply to Ancient_Hacker

    Quoting from memory:

    "Whoa! Looks like the quadratic formula exploded....and it's eating some Linux!"

  • Craig Lewis (unregistered) in reply to Patrick

    You forgot: GOTO 10

  • Craig Lewis (unregistered) in reply to Patrick

    What's it called when you execute a Bel Air, but using Daft Punk instead of the Fresh Prince?

  • panzi (unregistered)

    That's how I tried to decode it. Yeah, there seem to be encoding issues.

    >>> code=('F?@Z[SfLSX/}~xÉpÉÇzÅ~fJEH?CLtâxb/'
    ...    + 'Étzrp_JtÑÅcLtÉp{Ç}pÅc/~ÉÑPJ@LtÅtÅ_/Å~u/tÅÑstr~Å_/tÇdJ|{ÄÇz~~{'
    ...    + 'LtrÅÑ~b/pÉpSJg^aTgn]^XcPadcRPULv~{pÉpR/{pxÉx}XJbca^_TaQTfLSX/ÅtÇ'
    ...    + 'dJtÑÅcL~u}X/àÉxÅÑrtb/ÉÇxÇÅt_JEDCQTfLsÅ~ÜÇÇp_J@=QST[^[`bLÅtsxÖ~Å_')
    >>> def decode(s):
    ...     return ''.join(chr(ord(c)-15) for c in s)
    ...
    >>> decode(code)
    '701KLDW=DI noi\xb4za\xb4z\xb4xk\xb4voW;6904=e\xb4\x93iS \xb4zekcaP;e\xb4\x82\xb4vT=e\xb4zal\xb4xna\xb4vT o\xb4z\xb4\x82A;1=e\xb4ve\xb4vP \xb4vof e\xb4v\xb4\x82deco\xb4vP e\xb4xU;ml\xb4u\xb4xkool=ec\xb4v\xb4\x82oS a\xb4zaD;XOREX_NOITARUTCAF=gola\xb4zaC lai\xb4zinI;STROPERBEW=DI \xb4ve\xb4xU;e\xb4\x82\xb4vT=ofnI \xb4\x91\xb4zi\xb4v\xb4\x82ceS \xb4z\xb4xi\xb4x\xb4veP;654BEW=d\xb4vo\xb4\x8d\xb4x\xb4xaP;1.BDELOLQS=\xb4vedi\xb4\x87o\xb4vP'
    >>> print decode(code)
    701KLDW=DI noi�za�z�xk�voW;6904=e��iS �zekcaP;e���vT=e�zal�xna�vT o�z��A;1=e�ve�vP �vof e�v��deco�vP e�xU;ml�u�xkool=ec�v��oS a�zaD;XOREX_NOITARUTCAF=gola�zaC lai�zinI;STROPERBEW=DI �ve�xU;e���vT=ofnI ���zi�v��ceS �z�xi�x�veP;654BEW=d�vo���x�xaP;1.BDELOLQS=�vedi��o�vP
    
  • panzi (unregistered)

    Gah, forgot to reverse:

    >>> def decode(s):
    ...     return ''.join(reversed([chr(ord(c)-15) for c in s]))
    ...
    >>> print decode(code)
    Pv�o��idev�=SQLOLEDB.1;Pax�x���ov�d=WEB456;Pev�x�ix�z� Sec��v�iz��� Info=Tv���e;Ux�ev� ID=WEBREPORTS;Iniz�ial Caz�alog=FACTURATION_XEROX;Daz�a So��v�ce=lookx�u�lm;Ux�e Pv�oced��v�e fov� Pv�ev�e=1;A��z�o Tv�anx�laz�e=Tv���e;Packez� Si��e=4096;Wov�kx�z�az�ion ID=WDLK107
    >>> decode(code)
    'Pv\xb4o\x87\xb4idev\xb4=SQLOLEDB.1;Pax\xb4x\xb4\x8d\xb4ov\xb4d=WEB456;Pev\xb4x\xb4ix\xb4z\xb4 Sec\x82\xb4v\xb4iz\xb4\x91\xb4 Info=Tv\xb4\x82\xb4e;Ux\xb4ev\xb4 ID=WEBREPORTS;Iniz\xb4ial Caz\xb4alog=FACTURATION_XEROX;Daz\xb4a So\x82\xb4v\xb4ce=lookx\xb4u\xb4lm;Ux\xb4e Pv\xb4oced\x82\xb4v\xb4e fov\xb4 Pv\xb4ev\xb4e=1;A\x82\xb4z\xb4o Tv\xb4anx\xb4laz\xb4e=Tv\xb4\x82\xb4e;Packez\xb4 Si\x93\xb4e=4096;Wov\xb4kx\xb4z\xb4az\xb4ion ID=WDLK107'
    
  • whatever (unregistered)

    Hey, org.mortbay.jetty.security.Password can obfuscate passwords!

    All they had to do then is port Jetty to VB6, and then they can say they're using common library code!

  • SuperSecure (unregistered)

    TRWTF is "Password=WEB456"

    Now that is secure, lightyears beyond "12345".

    Now excuse me while I go change the combo lock on my luggage.

  • (cs)

    Caesar's Code rulez !!111oneleven

  • ricecake (unregistered) in reply to Code Dependent
    Code Dependent:
    Numeromancer:
    mmmmmm...Cake.:
    whipit();
    whipit_good();
    goforward(); moveahead();
    try { detect_it(); }
  • zetetic (unregistered) in reply to ricecake

    try { detect_it(); } finally { its_not_too_late(); }

  • Blackice (unregistered) in reply to Patrick
    Patrick:
    I can just imagine the main function of the app now....

    Buyit(); useit(); breakit(); fixit(); Trashit(); changeit(); mail_upgradeit(); Chargeit(); pointit(); zoomit(); pressit(); Snapit(); workit(); quick_eraseit(); Writeit(); cutit(); pasteit(); saveit(); Loadit(); checkit(); quick_rewriteit(); Plugit(); playit(); burnit(); ripit(); Draganddropit(); zip_unzipit(); Lockit(); fillit(); callit(); findit(); Viewit(); codeit(); jam_unlockit(); Surfit(); scrollit(); pauseit(); clickit(); Crossit(); crackit(); switch_updateit(); Nameit(); rateit(); tuneit(); printit(); Scanit(); sendit(); fax_renameit(); Touchit(); bringit(); Payit(); watchit, Turnit(); leaveit(); start_formatit();

    bopIt(); twistIt(); pullIt();

  • Dr_Legacy (unregistered) in reply to Sa
    Sa:
    I'm starting to think that the code is not a WTF after all. The intent seems to have been to hide the connection string from casual view. And that seems to have worked.

    Both the encrypted string and the decryption algorithm have been visible on the WTF site for about an hour now. A whole bunch of people have tried to decrypt it. A few have come close. None have completely succeeded.

    Looks to me like the original author succeeded in his intent quite nicely. Hmmmmmm....

    Exactly my thought. If Eve has lots of time it's not secure, but an over-the-shoulder glance gives up nothing.

  • coyo (unregistered) in reply to Anon Ymous

    You missed your chance for first post! After all, this is the 15th one.

  • Henning Makholm (unregistered) in reply to Anon Ymous
    Anon Ymous:
    zokar:
    Actually, after being encoded with SHIFT-15, the bytes were interpreted as MacRoman (instead of ISO-8859-1), then encoded with HTML-entities, then finally UTF-8 (as presented on TDWTF webpage).
    Only I posted the complete connection string an hour earlier.
    Based on guesswork. In contrast, Zokar worked out the series of recodings that actually resulted in this mess. The ability to do that is much more impressive and useful-in-the-real-world than guessing corrections character-for-character based on a "random line noise" assumption.
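    An added example, not panzi's code or the article's, that carries zokar's reconstruction through in Python 3: it reads the text posted in the thread back through the MacRoman codec, undoes the +15 shift and the reversal, and shows why decoding the same text as Latin-1 (as several posters effectively did) leaves junk. The obfuscated value is copied verbatim from panzi's post above; the forward-direction function and the cleanliness check are assumptions of this example, not anything from the original program.

```python
# Added example (not panzi's or the article's code). The obfuscator shifted every
# byte by +15 and reversed the string; those bytes were then read as MacRoman and
# served as UTF-8 text, which is why the thread's copies contain accented letters.
# Encoding the text back with the MacRoman codec recovers the original bytes;
# subtracting 15 and reversing recovers the connection string.
SHIFT = 15

# The obfuscated value exactly as it appears in panzi's post in this thread.
OBFUSCATED = (
    "F?@Z[SfLSX/}~xÉpÉÇzÅ~fJEH?CLtâxb/"
    "Étzrp_JtÑÅcLtÉp{Ç}pÅc/~ÉÑPJ@LtÅtÅ_/Å~u/tÅÑstr~Å_/tÇdJ|{ÄÇz~~{"
    "LtrÅÑ~b/pÉpSJg^aTgn]^XcPadcRPULv~{pÉpR/{pxÉx}XJbca^_TaQTfLSX/ÅtÇ"
    "dJtÑÅcL~u}X/àÉxÅÑrtb/ÉÇxÇÅt_JEDCQTfLsÅ~ÜÇÇp_J@=QST[^[`bLÅtsxÖ~Å_"
)


def deobfuscate(text: str, codec: str = "mac_roman") -> str:
    """Undo the chain: text -> bytes via `codec`, subtract SHIFT, reverse.

    With codec="mac_roman" (zokar's finding) the result is plain ASCII; with
    "latin-1" the accented letters land on the wrong bytes and junk remains.
    """
    raw = text.encode(codec)
    shifted = bytes((b - SHIFT) % 256 for b in raw)
    return shifted[::-1].decode("latin-1")


def obfuscate(plain: str, codec: str = "mac_roman") -> str:
    """Forward direction, as the thread reconstructs it (assumed here): reverse,
    add SHIFT, then view the bytes through `codec`, the step that made the accents."""
    raw = plain.encode("latin-1")[::-1]
    shifted = bytes((b + SHIFT) % 256 for b in raw)
    return shifted.decode(codec)


def is_clean_connection_string(s: str) -> bool:
    """True when every ';'-separated field is printable ASCII of the form key=value."""
    return all(f.isascii() and f.isprintable() and "=" in f for f in s.split(";"))


if __name__ == "__main__":
    for codec in ("mac_roman", "latin-1"):
        result = deobfuscate(OBFUSCATED, codec)
        print(f"{codec:10} clean={is_clean_connection_string(result)} {result[:48]!r}")
```

Running it shows that the connection string (Provider, Password, User ID, Initial Catalog and the rest) falls out in one step once the codec is right, which is the whole point of the thread: a shift is not secrecy, only a transport-encoding puzzle.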
  • CoyneT (unregistered) in reply to Juan
    Juan:
    Anon Ymous:
    vt_mruhlin:
    Can somebody who's had their morning coffee (or just has VB running) please post the decoded version of the string, for curiosity's sake? I tried re-implementing it in Javascript, but I'm still getting garbage. Does VB use some magic non-unicode character set or something, or am I just having a serious case of the mondays?

    The original code is not VB, but I "decoded" it with VB and get part gibberish, part connection string. I think it was fux0red by a copy/paste operation.

    P¶oÇide¶=SQLOLEDB.1;Pa¸¸Ío¶d=WEB456;Pe¶¸i¸º Sec¶iºÑ Info=T¶Âe;U¸e¶ ID=WEBREPORTS;Iniºial Caºalog=FACTURATION_XEROX;Daºa So¶ce=look¸µlm;U¸e P¶oced¶e fo¶ P¶epa¶e=1;Aºo T¶an¸laºe=T¶Âe;Packeº SiÓe=4096;Wo¶k¸ºaºion ID=WDLK107

    Addendum (2009-04-13 09:42): Provider=SQLOLEDB.1;Password=WEB456;Persist Security Info=True;User ID=WEBREPORTS;Initial Catalog=FACTURATION_XEROX;Data Source=looksµlm;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID=WDLK107

    Couldn't figure out the data source.

    Ahhh!!! A great job for the programmer. The data is safe!!

    Would have been even safer if he'd obfuscated the names:

    Absorber=SQLOLEDB.1;Abracadabra=WEB456;Salesman=True;The Fan=WEBREPORTS;Milestone=FACTURATION_XEROX;Well=looksµlm;Checklist=1;Sign Language=True;Shipping Quantity=4096;Hot Seat=WDLK107

    ...because absolutely no one would figure THAT out. :P

  • CoyneT (unregistered) in reply to Pol
    Pol:
    Patrick:
    I can just imagine the main function of the app now....

    Buyit(); [about 40 other names omitted] start_formatit();

    Teknologic

    Teknologic

    Why so verbose, y'all? If code is hard to write, it should be hard to read. Why not:

    DoIt(); DoIt2(); DoIt3(); DoIt4(); DoIt5();

    ... and so on?

    ;)

  • (cs) in reply to Blackice
    Blackice:
    Patrick:
    I can just imagine the main function of the app now....

    Buyit(); useit(); breakit(); fixit(); Trashit(); ...

    bopIt(); twistIt(); pullIt();
  • Anonymoose (unregistered)

    Wow, for a second I thought I was reading some former employer's Delphi code...

    Captia: Letatio

  • (cs) in reply to Code Dependent
    Code Dependent:
    Blackice:
    Patrick:
    I can just imagine the main function of the app now....

    Buyit(); useit(); breakit(); fixit(); Trashit(); ...

    bopIt(); twistIt(); pullIt();
    waxIt(); washIt(); tugIt(); whackIt(); buffIt(); slapIt(); workIt(); beatIt(); wagIt(); pumpIt(); spit_polishIt();
  • What? (unregistered)

    I don't see the WTF. Of course it's insecure. It's just obfuscation. If someone looks over the developer's shoulder, he won't be able to read the password. If he gets the source, he can get the password anyway by just using exactly the same decryption function the program uses. So where's the WTF?

  • Zapp Brannigan (unregistered)

    Assuming 8 bits per char this is only 40 bit encryption. A vendor of ours did something almost identical. They stored the ODBC connect string as plain text in a .ini file. When we said that was not secure enough to pass our auditors, they used a bit shift algorithm to obfuscate the database log-in.

  • justsomedude (unregistered) in reply to Patrick
    Patrick:
    I can just imagine the main function of the app now....

    Buyit(); useit(); breakit(); fixit(); Trashit(); changeit(); mail_upgradeit(); Chargeit(); pointit(); zoomit(); pressit(); Snapit(); workit(); quick_eraseit(); Writeit(); cutit(); pasteit(); saveit(); Loadit(); checkit(); quick_rewriteit(); Plugit(); playit(); burnit(); ripit(); Draganddropit(); zip_unzipit(); Lockit(); fillit(); callit(); findit(); Viewit(); codeit(); jam_unlockit(); Surfit(); scrollit(); pauseit(); clickit(); Crossit(); crackit(); switch_updateit(); Nameit(); rateit(); tuneit(); printit(); Scanit(); sendit(); fax_renameit(); Touchit(); bringit(); Payit(); watchit, Turnit(); leaveit(); start_formatit();

    Am I the only one who instinctively read that to the tune of Daft Punk / Technologic?

  • justsomedude (unregistered) in reply to justsomedude

    ok...next time I'll read the rest of the comments first...

    lmao!

  • (_|_) (unregistered)

    doit(WRONG);

  • (cs) in reply to zetetic
    zetetic:
    try { detect_it(); } finally { its_not_too_late(); }
    if ( ! too_late) { whip_it(good); }
  • Edoode (unregistered) in reply to SuperSecure
    Now _that_ is secure, lightyears beyond "12345". Now excuse me while I go change the combo lock on my luggage.
    LOL, Spaceballs reference...
  • Anonym (unregistered) in reply to Edoode
    Edoode:
    Now _that_ is secure, lightyears beyond "12345". Now excuse me while I go change the combo lock on my luggage.
    LOL, Spaceballs reference...
    LOL, eegra reference...
  • Princehal (unregistered)

    So, what would be the "right" way to abstract the connection information?

  • Copperblade (unregistered) in reply to blah
    blah:
    More like job security.

    Yeah, I can't believe how many people didn't get that. That "kind" of security is "job security" -- making your code less readable.

    Duh.

  • did it (unregistered)

    I'm kind of surprised more people thought of Technologic than Harder Better Faster Stronger. Maybe my brain is just wired differently because of this.

  • GrandmasterB (unregistered) in reply to What?
    What?:
    I don't see the WTF. Of course it's insecure. It's just obfuscation. If someone looks over the developer's shoulder, he won't be able to read the password. If he gets the source, he can get the password anyway by just using exactly the same decryption function the program uses. So where's the WTF?

    The doit(), printit(), etc. function names are more WTF-worthy than the obfuscation. If the intention is to keep casual browsers of the .exe file from seeing the connection string, the simple encoding will do the trick. Will it keep the KGB out? No. Is it the best text-book way to do it? No. But is it enough to keep curious employees and the run-of-the-mill IT drones from seeing the connection info? Most likely. Like you said, it's obfuscation, and as long as the programmer realizes what that is and isn't, there are times and places for it.

  • m0ffx (unregistered) in reply to GetOff MyLawn
    GetOff MyLawn:
    Dear college kid, welcome to the real world.

    Where stupid people get hired and promoted, where stupid code lives on forever,

    Stop right there, go back and READ the article. The stupid code isn't living on forever, the new guy's been charged with REPLACING it.

    This is a code WTF, not a management one. The management here actually have a clue, and know that it's better to do a rewrite than maintain the existing code.

  • corey (unregistered)

    kid.justJamIt()

  • XP User (unregistered) in reply to WayneCollins

    Ayup, run as non-admin on my laptop and desktop. Some annoyances, but runs great. Definitely not as bad as some make it out to be. As long as you can have access to local admin for the times you DO need it.

  • diaphanein (unregistered) in reply to BBT
    BBT:
    whipit();

    Whipit(GOOD);

    I believe this should be:

    you.mustWhipIt();
    sleep();
    you.whipIt(GOOD);
    
  • Anon (unregistered) in reply to mstum

    WorkIt(harder); MakeIt(better); DoIt(faster); MakesUs(stronger);

    MoreThan(ever); Hour_After(hour);

    for ($our_work = 0,$our_work = 0,our_work++) { WorkIt(harder); MakeIt(better); DoIt(faster); MakesUs(stronger); }

  • Trinian (unregistered)

    while(isWrong || isRight) { beatit(); }

  • Mr.'; Drop Database -- (unregistered) in reply to Dmitri
    Dmitri:
    Code snippet is in Delphi, character set is ANSI ;).
    There is no "ANSI" character set. Microsoft did call some of its character sets "ANSI" but there's still no one encoding referred to as "ANSI"; it depends on your system settings.

    The character set most commonly called "ANSI" is Windows-1252 (aka. cp1252), but that isn't it.

  • Lord Cancellor (unregistered) in reply to Patrick

    Technologic!

  • 50% Opacity (unregistered) in reply to Patrick
    Patrick:
    I can just imagine the main function of the app now....

    Buyit(); useit(); breakit(); fixit(); Trashit(); ... Turnit(); leaveit(); start_formatit();

    Best reference to anything I've read on here for a while.

    Blue. NAO! doit(!!!!11);

  • STFU (unregistered) in reply to silent d
    silent d:
    BBT:
    whipit();

    Whipit(GOOD);

    Function call whipit() should only be invoked on an error condition (i.e., when a problem comes along)

    no. Also,

    Before the cream sits out too long.

    When a good time comes around... or you will never live it down

  • StriderA (unregistered)

    Every other comment you've read so far is encrypted (using a one time pad) saying "first"

  • Glow-in-the-dark (unregistered) in reply to vt_mruhlin
    vt_mruhlin:
    Can somebody who's had their morning coffee (or just has VB running) please post the decoded version of the string, for curiosity's sake? I tried re-implementing it in Javascript, but I'm still getting garbage. Does VB use some magic non-unicode character set or something, or am I just having a serious case of the mondays?

    Yes.

    :-)

  • Theo (unregistered) in reply to Pol
    Pol:
    Patrick:
    I can just imagine the main function of the app now....

    Buyit(); useit(); breakit(); fixit(); ...

    Teknologic

    Teknologic

    Yeah, that's a good song

    http://www.youtube.com/watch?v=6EUupnF02vo

  • reaver121 (unregistered) in reply to alegr
    alegr:
    WayneCollins:
    where 90% of lusers need anti-virus because they have to be logged in as administrator while they're reading their SPAM.

    Have you tried running Windows XP as a non-administrator? It gets to be kind of a pain. Vista is noticeably better in that regard, but still has a ways to go before it's as nice in that regard as Linux.

    I've been running as a Limited User since Windows 2000 days. No problems whatsoever. Of course, some piece of crap (like ICQ) would refuse to work, but that's just a reason not to use ICQ.

    Running as a limited user in XP for about a year now. It's doable. To my surprise I only have to start 3 programs as administrator to make them work (a firewall, an IP blocker and another one I forgot). I use PsExec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to run programs as administrator through shortcuts (and yes, I know it means my admin password is visible in plain text in those shortcuts, but it would take a real person (i.e. a hacker) to figure that out. I doubt a virus/trojan/etc. is smart enough to do that).

  • david (unregistered) in reply to alegr
    alegr:
    I've been running as a Limited User since Windows 2000 days. No problems whatsoever.

    How you managed this I cannot imagine. Yesterday I was unable to even install the current release of Flash player on a limited-user XP box. Most users in this situation would just continue to run with the old Flash player.

    An unpatched Flash player with known and easily exploitable vulnerabilities is the single most dangerous thing to have on a computer (with the possible exception of what's between chair and keyboard).

    Personally, having seen limited-user accounts repeatedly fail to repel any nasties, and prevent the installation of essential updates, I think they are a liability, not an asset.

  • iMalc (unregistered) in reply to Patrick
    Patrick:
    I can just imagine the main function of the app now....

    Buyit(); useit(); breakit(); fixit(); Trashit(); changeit(); mail_upgradeit(); Chargeit(); pointit(); zoomit(); pressit(); Snapit(); workit(); quick_eraseit(); Writeit(); cutit(); pasteit(); saveit(); Loadit(); checkit(); quick_rewriteit(); Plugit(); playit(); burnit(); ripit(); Draganddropit(); zip_unzipit(); Lockit(); fillit(); callit(); findit(); Viewit(); codeit(); jam_unlockit(); Surfit(); scrollit(); pauseit(); clickit(); Crossit(); crackit(); switch_updateit(); Nameit(); rateit(); tuneit(); printit(); Scanit(); sendit(); fax_renameit(); Touchit(); bringit(); Payit(); watchit, Turnit(); leaveit(); start_formatit();

    You forgot the most important bit of all, the function you call to terminate the program:

    ahf*uckit();

Leave a comment on “That Kind of Security”
