  • Dnrb (unregistered)

    $WEDFRISTMJY

  • (nodebb)

    I don't remember this one. I am so glad I don't remember this one

  • RLB (unregistered)

    The most amusing thing is, even with this encraption I can tell at a glance that the thing is buggy.

  • 🤷 (unregistered)

    ELI5?

    From what I understand, they read the key from a file, and open mcrypt with empty strings? Like... don't they use any algorithm at all?

  • Naomi (unregistered)

    You should always encrypt your encryption functions -- it's completely insecure otherwise.

    Too bad this code is completely insecure, then. When it comes to things that are encryption, obfuscation ain't one of them.

  • Shiwa (unregistered)

    The names of functions in the PHP standard library aren't that bad after all…

  • Shiwa (unregistered)

    The names of functions in the PHP standard library aren't that bad after all…

  • Sole Purpose Of Visit (unregistered) in reply to Naomi

    Thus, "Security through obscurity." (The Wikipedia article leads me to Alfred Charles Hobbs, who seems to have invented the concept (albeit as the antithesis of what proponents believe).)

    But it passes the eyeball test. OK, it makes the eyeballs bleed, but that's part of the test.

    Security through mathematical analysis? Goodness me. That would require paying people to do the mathematical analysis. It's so much easier, and cheaper, to pay people to be blithering idiots.

  • LCrawford (unregistered)

    | open mcrypt with empty strings

    That is part of the high level encryption; do you ever see blank passwords in the top 1000 passwords list? The bad guys don't bother trying this.

  • (nodebb)

    I once had a technical director of a company I worked for say (in front of the client) that we would encrypt our database column names for extra security. I still laugh when I think about that.

  • Dave (unregistered)

    I'm not too familiar with PHP and the $QWERTYUIOP stuff is a bit distracting but it seems OK, it reads a key from a file, correctly sets the IV, and then encrypts data. I'm assuming the empty strings indicate to use the default algorithm and mode.

  • Local (unregistered)

    They need to indent 3 spaces instead of 2, so the larger prime number makes it more cryptographically secure.

  • (nodebb) in reply to 🤷

    From what I understand, they read the key from a file, and open mcrypt with empty strings? Like... don't they use any algorithm at all?

    I haven't got an old enough version of PHP, but you're right that those arguments don't make any sense. Only the last one has any right to be an empty string (or is that a single apostrophe?). The rest of it shouldn't be running at all, because $MQUFI3 wouldn't be an encryption handle. So $KIDO83R4234FFS won't have any value on return.

    Wait: (mcrypt_generic_init($MQUFI3,$MMNVUD884,$JF8)!=-1) So in the event of an error, most of the time it will continue to try and run anyway (the return value is from somewhere in the bowels of the mcrypt library, and it used different negative values to indicate different errors).

  • Turtle (unregistered)

    -you should always encrypt your encryption functions -- it's completely insecure otherwise

    Wow. I'm no manager, but if I was and someone on my team seriously tried to push this, it would be grounds for termination on the spot. After discreetly directing IT to disable their access. After such a stunning display of Dunning-Kruger I fully expect them to go thermonuclear when called out on it - best to take away their keys beforehand.

  • MiserableOldGit (unregistered) in reply to Dave

    I once had a technical director of a company I worked for say (in front of the client) that we would encrypt our database column names for extra security. I still laugh when I think about that.

    I worked on a project where someone tried to do that. Didn't last too long.

  • van Dartel (unregistered)

    The absence of an algorithm (1st parameter) in mcrypt_module_open('','',''') caught my eye at first glance. I was about to look up the meaning of the other parameters when I noticed that the 3rd argument consists of 3 consecutive ''s; it doesn't even compile! This vitiates the article.

  • van Dartel (unregistered) in reply to Turtle

    Wow. I'm glad you are not a manager. If a novice came up to me with the idea that obfuscating server-side functions would improve security I would very much appreciate their initiative. The actual idea might be flawed but the actual taking of initiative is worth treasuring.

  • (nodebb) in reply to Turtle

    best to take away their keys beforehand

    Just encrypt the keys and tell the loser that it's for their security.

  • (nodebb)

    I don't know PHP particularly well (thankfully by the looks of it), but I would have thought it at least had variable scoping.

    So $KIDO83R4234FFS is defined within the if statement, then returned at the end.

    So does PHP just use the assigned value for $KIDO83R4234FFS when the if() block is executed, and then make up a new nullish one for when it isn't?

    Man, this language makes even Pre-ES6 JavaScript seem well designed.
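The error-check point raised in the reply to 🤷 above (only -1 counts as failure) and the scoping question in this last comment, as an added PHP example that is not part of the article or of any comment; init_stub() and its return codes are constructed stand-ins for mcrypt_generic_init(), since the mcrypt extension itself was removed in PHP 7.2:

```php
<?php
// Added example, not the article's code. init_stub() is a constructed stand-in for
// mcrypt_generic_init(), which signalled errors with assorted negative values.
function init_stub(string $key): int
{
    if ($key === '')        { return -3; } // constructed: bad key length
    if ($key === 'unknown') { return -1; } // constructed: the one code "!= -1" catches
    return 0;                              // success
}

// The shape the thread describes: only -1 is treated as failure, and the result is
// assigned inside the if block and returned after it.
function encrypt_like_article(string $key, string $plain): ?string
{
    if (init_stub($key) != -1) {
        $out = strrev($plain);   // placeholder for the real encryption step
    }
    // PHP scopes variables to the function, not the block. If the branch ran,
    // $out holds the result; if it did not, $out was never assigned, so reading
    // it emits an "Undefined variable" warning and evaluates to null.
    return $out;
}

// Hardened shape: every negative return is an error, and the function fails closed.
function encrypt_hardened(string $key, string $plain): string
{
    $rc = init_stub($key);
    if ($rc < 0) {
        throw new RuntimeException("init failed with code $rc");
    }
    return strrev($plain);
}

var_dump(encrypt_like_article('k', 'abc'));        // branch ran, result returned
var_dump(encrypt_like_article('', 'abc'));         // -3 slips past "!= -1"; still "encrypts"
var_dump(@encrypt_like_article('unknown', 'abc')); // branch skipped; $out never assigned
try {
    encrypt_hardened('', 'abc');                   // same -3 is now rejected
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The third call answers the scoping question directly: PHP does not create a block-local variable, it simply has no $out at all and reads it as null (with a warning) once the branch is skipped.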

Leave a comment on “Classic WTF: Functional Encryption”
