- Feature Articles
- CodeSOD
- Error'd
- Forums
-
Other Articles
- Random Article
- Other Series
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
$WEDFRISTMJY
Admin
I don't remember this one. I am so glad I don't remember this one
Admin
The most amusing thing is, even with this encraption I can tell at a glance that the thing is buggy.
Admin
ELI5?
From what I understand, they read the key from a file, and open mcrypt with emtpy strings? Like... don't they use any algorithm at all?
Admin
Too bad this code is completely insecure, then. When it comes to things that are encryption, obfuscation ain't one of them.
Admin
The name of functions in the PHP standard library that bad after all…
Admin
The name of functions in the PHP standard library aren't that bad after all…
Admin
Thus, "Security through obscurity." (The Wikipedia article leads me to Alfred Charles Hobbs, who seems to have invented the concept (albeit as the antithesis of what proponents believe).
But it passes the eyeball test. OK, it makes the eyeballs bleed, but that's part of the test.
Security through mathematical analysis? Goodness me. That would require paying people to do the mathematical analysis. It's so much easier, and cheaper, to pay people to be blithering idiots.
Admin
| open mcrypt with emtpy strings
That is part of the high level encryption; do you ever see blank passwords in the top 1000 passwords list? The bad guys don't bother trying this.
Admin
I once had a technical director of a company I worked for say (in front of the client) that would encrypt our database column names for extra security. I still laugh when I think about that.
Admin
I'm not too familiar with PHP and the $QWERTYUIOP stuff is a bit distracting but it seems OK, it reads a key from a file, correctly sets the IV, and then encrypts data. I'm assuming the empty strings indicate to use the default algorithm and mode.
Admin
They need to indent 3 spaces instead of 2, so the larger prime number makes it more cryptographically secure.
Admin
I haven't got an old enough version of PHP, but you're right that those arguments don't make any sense. Only the last one has any right to be an empty string (or is that a single apostrophe?). The rest of it shouldn't be running at all, because
$MQUFI3
wouldn't be an encryption handle. So$KIDO83R4234FFS
won't have any value on return.Wait:
(mcrypt_generic_init($MQUFI3,$MMNVUD884,$JF8)!=-1)
So in the event of an error, most of the time it will continue to try and run anyway (the return value is from somewhere in the bowels of the mcrypt library, and it used different negative values to indicate different errors).Admin
-you should always encrypt your encryption functions -- it's completely insecure otherwise
Wow. I'm no manager, but if I was and someone on my team seriously tried to push this, it would be grounds for termination on the spot. After discreetly directing IT to disable their access. After such a stunning display of Dunning-Kreuger I fully expect them to go thermonuclear when called out on it - best to take away their keys beforehand.
Admin
I worked on a project where someone tried to do that. Didn't last too long.
Admin
The absence of an algorithm (1st parameter) in mcrypt_module_open('','',''') caught my eye at first glance. I was about to look up the meaning of the other parameters when I noticed that the 3d argument consists of 3 consecutive ''s; it doesn't even compile!. This vitiates the article.
Admin
Wow. I'm glad you are not a manager. If a novice came up to me with the idea that obfuscating server-side functions would improve security I would very much appreciate their initiative. The actual idea might flawed but the actual taking of initiative is worth treasuring.
Admin
Just encrypt the keys and tell the loser that it's for their security.
Admin
I don't know PHP particularly well (thankfully by the looks of it), but I would have thought it at least had variable scoping.
So $KIDO83R4234FFS is defined within the if statement, then returned at the end.
So does PHP just use the assigned value for $KIDO83R4234FFS when the if() block is executed, and then make up a new nullish one for when it isn't?
Man, this language makes even Pre-ES6 JavaScript seem well designed.