The Daily WTF: Curious Perversions in Information Technology

rc4 · 2015-12-13 Reply Admin

Good lord, this article again?

dkf · 2015-12-13 Reply Admin

:notes: Where have we seen this code… before? :musical_note:

Tsaukpaetra · 2015-12-13 Reply Admin

dkf:
before

It's like déjà vue or something....

rc4 · 2015-12-13 Reply Admin

Tsaukpaetra:
déjà vue

Surely you mean déjà vu? It feels like we've had this conversation before...

Tsaukpaetra · 2015-12-13 Reply Admin

rc4:
feels

I have no idea why my phone autocorrected to that...

boomzilla · 2015-12-13 Reply Admin

Tsaukpaetra:
It's like déjà vue or something....

All over again?

tom103 · 2015-12-14 Reply Admin

I actually worked on an app that stored passwords in almost exactly the same way (minus the reverse). Fortunately it was a desktop app, not a server app, so it wasn't as big an issue. Still, I insisted that we switch to using DPAPI instead to encrypt the passwords...

lcrawford · 2015-12-14 Reply Admin

QRVMuZ1MSNXYtFVP , or did I make a decode mistake? That's a notably good password from an end user.

PWolff · 2015-12-14 Reply Admin

lcrawford:
**QRVMuZ1MSNXYtFVP** , or did I make a decode mistake? That's a notably good password from an end user.

Or a somewhat weak password from a password generator. Unless the database won't accept any characters besides '0' to '9', 'A' to 'Z', 'a' to 'z'. Or their policy forbids other characters because they might confuse the SQL parser.

RiptoR · 2015-12-14 Reply Admin

Yes, you made a mistake. Well, partially.

The snippet from the article shows that the password gets base64-encoded and reversed 5 times in a row before it's stored. So you need to reverse and base64-decode 5 times too.

The actual password you'll get after doing that is "foo".

DogsB · 2015-12-14 Reply Admin

tom103:
I actually worked on an app that stored passwords in almost exactly the same way (minus the reverse). Fortunately it was a desktop app, not a server app, so it wasn't as big an issue. Still, I insisted that we switch to using DPAPI instead to encrypt the passwords...

Ye didn't happen to release a beta, implement the actual password code, release the product and then release a patch to undo the new password code because projects made during the beta wouldn't open in released version?

If so I think I might know we might of met once.

PWolff · 2015-12-14 Reply Admin

So the passwords can be assumed to be generic samples.

Minus 0n3 WTF.

But wouldn't it save a considerable amount of storage space if we'd rot13 encode the passwords 31 times instead?

tom103 · 2015-12-14 Reply Admin

Nope ;)

Quite · 2015-12-14 Reply Admin

The original specification was a shouted exchange with a very frustrated and infuriated boss. "Yaargh! You might as well reverse the damn thing 101 times for all the damn use it does!" and the coder thought he was talking in binary.

Quite · 2015-12-14 Reply Admin

DogsB:
If so I think I might know we might of met once.

Might have.

DogsB · 2015-12-14 Reply Admin

Quite:

DogsB:
If so I think I might know we might of met once.

Might have.

:raising_hand:

RFoxmich · 2015-12-14 Reply Admin

Would have been a lot more fun if there were an even number of strrevs :-P Clearly, however this is all being done to increase the time required to encode the password so that brute force online attacks are less practical -- yeah ....yeah....That's the ticket.

https://www.youtube.com/watch?v=iyp9fh-u4w8

rc4 · 2015-12-14 Reply Admin

Quite:
"Yaargh! You might as well reverse the damn thing 101 times for all the damn use it does!" and the coder thought he was talking in binary.

Made me think of this: https://xkcd.com/153/

Dave_Aronson · 2015-12-14 Reply Admin

let them know about the data breech

Those can be prevented with a good pair of security breeches.

Zylon · 2015-12-14 Reply Admin

I actually have one of those old Atari Portfolios in a box somewhere. Great little almost-DOS-compatible system. Really ahead of its time.

EatenByAGrue · 2015-12-14 Reply Admin

Dave_Aronson:
Those can be prevented with a good pair of security breeches.

They were laughing at me when I wore lederhosen to the office, but I sure showed them!

RevCurtisP · 2015-12-14 Reply Admin

Zylon:
I actually have one of those old Atari Portfolios in a box somewhere.

I approve of the photo not only because of the slightly obscure classic computer reference, but because I recentlY acquired an HP 95LX.

cellocgw · 2015-12-14 Reply Admin

No, it means the data is reversed (cf. "breech baby"), as the algorithm clearly shows it to be

RogerC · 2015-12-14 Reply Admin

I've never done any PHP programming, but I've done lots of C and C++. This comment has me puzzled, because in C/C++ that strrev would happen 4 times, not 5. Is PHP different?

HardwareGeek · 2015-12-14 Reply Admin

RogerC:
in C/C++ that strrev would happen 4 times, not 5. Is PHP different?

PHP is indeed "different," but not that way.

for($i=0; $i<5; $i++)

0, 1, 2, 3, 4 — that's 5 iterations — in any language that uses that for loop syntax.

john_a · 2015-12-14 Reply Admin

Even an idiot like me can undo this:

static void Main(string[] args)
{
	var cipher="==AUWZEdZhlTT1UMaVXTWJVU";

	for(int i=0; i<5; i++)
	{
		var rev=cipher.Reverse().ToArray();
		var bytes=Convert.FromBase64CharArray(rev, 0, rev.Length);
		cipher=Encoding.UTF7.GetString(bytes);
		Debug.WriteLine(cipher);
		// QRVMuZ1MSNXYtFVP
		// =QmasR3Vn1TP
		// ==gWtljd
		// v9mZ
		// foo
	}
}

blakeyrat · 2015-12-14 Reply Admin

https://www.youtube.com/watch?v=vGCUIaW2MSU

CodeSlave · 2015-12-14 Reply Admin

I don't remember a duplicate to this article, but I do recall that this is a fairly common "mistake" Stackoverflow PhpFreaks roshanbh.com.np mysnip.de (this time in VB)

There must be some old PHP guide out there with this as an example that's been passed on from coder to coder.

In short, while it's well not it's not safe to roll your own encryption. It might not even safe NOT to roll your own :^).

Fox · 2015-12-14 Reply Admin

:facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm:

Protoman · 2015-12-14 Reply Admin

Whoa, I must have missed the news that Slashdot is now StackOverflow.

CodeSlave · 2015-12-14 Reply Admin

Whoops... my finders slipped. - corrected.

RogerC · 2015-12-14 Reply Admin

Yikes. It's Monday, that's all I can say...

CoyneTheDup · 2015-12-14 Reply Admin

Hey, at least it's not...

function encode5t($str){
    for($i=0; $i<5; $i++){
        $str=strrev(rot13_encode($str));
    }
    return $str;
}

dkf · 2015-12-14 Reply Admin

Protoman:
Slashdot is now StackOverflow

SlashdotOverflow…

JimNtexas · 2015-12-14 Reply Admin

My Eyes! The goggles do nothing!!!!!!!!!

herby · 2015-12-15 Reply Admin

$ rev | base64 -d | rev | base64 -d | rev | base64 -d | rev | base64 -d | rev | base64 -d UVJWTXVaMU1TTlhZdEZWUA==

Easy to find out what the password is. Me? I'd use something silly like SHA1 or something stronger.

rc4 · 2015-12-15 Reply Admin

herby:
something stronger.

You should definitely be using PBKDF1/2, bcrypt, or scrypt with an appropriate number of rounds. Salted hashes alone should be considered deprecated, even SHA-512. ASICs and GPUs are getting really fast.

OriginalOuttascope · 2015-12-15 Reply Admin

PWolff:
Or a somewhat weak password from a password generator. Unless the database won't accept any characters besides '0' to '9', 'A' to 'Z', 'a' to 'z'. Or their policy forbids other characters because they might confuse the SQL parser.

Only a system administrator could claim that "somewhat weak" is constituted by a complexity that would take 1 million 4ghz 8 core computers, whose every single clock cycle was dedicated solely to brute forcing these passwords (miracle clock cycles that can execute an entire crack attempt in one tick I might add) over 23 thousand years to reach a 50% confidence interval. But yeah, make your users add ampersands and exclamation points. THAT will be the thing that makes the difference. SMH.

ben_lubar · 2015-12-15 Reply Admin

d41d8cd98f00b204e9800998ecf8427f

I defy you to find the original password that matches this MD5.<http play.golang.org/p/2G8IoMF901>

herby · 2015-12-15 Reply Admin

"something stronger" is a bit mild. I suspect that the prudent (non-WTF) method would be to use something provided by someone who has greater knowledge in such things as encryption and hashes and the like.

As everyone knows, rolling your own on such things as dates and encryption is a sure way to being quoted in some way here. Fine a proper library and use it!

rc4 · 2015-12-15 Reply Admin

You would use a library which provides an implementation of one of the algorithms I listed, all of which are well-known in academia and are considered secure (to various degrees; PBKDF1 > SHA1 any day even though it is old), not rolling your own should have been obvious from what I posted.

urkerab · 2015-12-15 Reply Admin

john_a:
Even an idiot like me can ~~undo this~~put the code block language inside instead of before the block:


(I don't know whether Discurse supports code block languages, but I wish it supported quoted code blocks.)

rc4 · 2015-12-15 Reply Admin

Did you do something like 100 random bytes | md5sum?

NedFodder · 2015-12-15 Reply Admin

Only 100 bytes? It was probably a Go program compiled into BIT, so I'd wager around 4 GB.

abarker · 2015-12-15 Reply Admin

herby:
Fine a proper library and use it!

Why would you want to fine the library you plan to use? Seems like a bad way to start off your relationship.

If this is some way of getting back at a library for all those overdue fines you had to pay back in the day, remember that those fees were all your fault. Besides, those are a completely different type of library anyway.

boomzilla · 2015-12-15 Reply Admin

abarker:
Why would you want to fine the library you plan to use?

Revenue doesn't just generate itself!

Fox · 2015-12-15 Reply Admin

boomzilla:
Revenue doesn't just generate itself!

The thread where we discuss the merits (or lack thereof) of wealthy people whose revenue generates itself is :arrows:

PWolff · 2015-12-16 Reply Admin

Tsaukpaetra:
déjà vue

Who is this DJ Vue?

DCRoss · 2015-12-16 Reply Admin

ben_lubar:
d41d8cd98f00b204e9800998ecf8427f
I defy you to find the original password that matches this MD5.<http play.golang.org/p/2G8IoMF901>

That one's easy.

It's "OCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /md5/get.php was not found on this server.</p> <hr> <address>Apache/2.2.22 (Debian) Server at i337.net Port 80<.

Filed under: "Yes I know.", "About three weeks ago", and "The Coin-Flip Hash""

Tsaukpaetra · 2015-12-16 Reply Admin

PWolff:
Who is this DJ Vue?

No idea, I think my keyboard knows though....

Secure Portfolio

Leave a comment on “Secure Portfolio”