DJB Announces 44 Security Holes In *nix Software
generationxyu writes "D. J. Bernstein, better known as DJB, has announced the discovery of 44 security holes that were found by students in his course MCS 494: Unix Security Holes this fall at the University of Illinois at Chicago. Vulnerable programs of note include: CUPS, NASM, mpg123, MPlayer, xine-lib, and numerous others. Copies of the notification emails are here. The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software. In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course."
The title of this article is quite confusing, if I read it correctly. To me, it reads that *nix variants themselves have 44 security holes (as in something in the underlying OS, such as the kernel). However, upon further reading the story indicates that it is actually the 3rd party software that has holes in it. Sounds a little unfair to *nix environments. Consider blaming Microsoft for all holes in every Win32 program (oh wait, we already do!) How about a better title like "DJB Announces 44 Security Holes In *nix-based Software"
In a class of 25, 44 security holes seems a bit low.
Why is that low? I found 44 security holes to be a rather alarming amount.
As much as I respect profs who are willing to push you to do neat things (finding 44 holes in UNIX and it's standard set of programs is nothing to sneeze at), if you really do fail the class I'd take this straight to the administration. They're letting you down by allowing a professor to fail an entire class, especially since the grades are based on something that doesn't really reflect your understanding of the subject.
I've always had a problem with this sort of behavior in college profs -- it gets away from what I consider to be the basic nature of higher education. As a student, I'm the consumer. I'm paying the professor to teach me what he/she knows and then to rate how well I've absorbed that information at the end of the class. Assignments such as this one or classes which are set up as "cut down classes" just aren't consistent with that.
It works the same way on the other end; I had a few professors in college who would cancel class on a fairly routine basis. Hey, I enjoy the odd day off as much as anyone else, but I'm paying a lot of money based on the assumption that I'm going to be getting something in return -- if I were to subscribe to a magazine and then only get 2/3rds of the issues, do you think I'd be within my rights to object? Hell, the overly easy classes were bad enough; I actually had a few that graded based mostly on attendance. Yeah, getting the most for my tuition dollar there.
Anyhow, I know there are folks out there who are going to disagree with my view of a University education, and that's fine, but regardless I would really encourage you not to accept this lying down. I know as a student it often seems like you're powerless, but if 25 of you (and your parents -- I know you're an adult, but schools listen to parents) get together and make yourselves heard, you'll probably end up with a satisfactory outcome.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
Anything you can download of the net, compile and run on Unix? There are probably millions of security holes out there.
All you need to do is find one more hole, this one in the campus records department, and exploit it for improving your grade. If you have an "A" average otherwise, another "A" will look right in place. It's the "D" average people suddenly getting "A"s and "B"s that draw suspicion.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
This seems like a call to the world for pity as if that will somehow change the professor's mind.
--
WHO ATE MY BREAKFAST PANTS?
After 300 hours of work and an A average on the exams, I expect to fail the course.
but we've all learned a valuable lesson: don't take a class taught by DJB
...is a Unix system, you should be able to get an easy A.
Better hope there's a curve
to Kris Kubicki's mirror is here.
I mod down pyramid schemes in sigs.
Let your prof 'secure' your hole, if you know what I mean.
Perhaps Microsoft should try this strategy. I'm sure the kids would thoroughly enjoy that assignment! They'd have bugs coming out the wazoo! A's for everyone!
What no djb tools on the list? That seems the quickest way to fail, find an exploit in a djb tool.
-- botsex is {grep;touch;strip;unzip;head;mount}
The whole class could've passed just spending 15 minutes looking at IE.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Hey! I've found remote roots in OpenSSH, Apache, and Bind. If you run the file below, you can get root.
[ Part 2, Text/PLAIN (charset: unknown-8bit) 95 lines. ]
[ Unable to print this part. ]
Get your own free personal location tracker
I didn't look at all of them, but the ones I did check all seemed to be the usual culprits: str..() functions out of the standard, broken C library.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Even Bill Gates uses Linux for security-intensive applications: http://img101.exs.cx/img101/9162/billnDebian.jpg
I see the two specific items linked to are buffer overflow exploits. Anyone learning to program in C needs to have good buffer discipline beaten into their heads.
It's like wiping your butt after crapping - mandatory basic hygiene. If you can always remember to wipe your butt, you can always remember to watch your buffer lengths.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
Why take for granted that the number of bugs to be found was expressed in base-10? Why not base-2?
He doesn't even say what it's worth. Hell, it could be worth *nothing*.
I was given lots of assignments at university. Often, we wouldn't know until the end of the term what would count and what wouldn't. If the entire class did poorly on an assignment, it often does *not* count toward your grade.
Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course.
Define "failed." They failed to find holes? Or they failed the course?
I seriously doubt a prof would fail an A average student for not being able to find a hole for an assignment. Extra credit, maybe, but an F? I mean, WTF?
In Soviet Russia, articles before post read *you*!
Thesis: This professor is retarded.
... which would lead me to believe "a little bit of both".
Evidence to support this belief:
1) Giving homework to "go out and find some exploits" doesn't teach you anything and has a very unpredictable "path to completion"; i.e., it's not like there's a "problem" to solve, per se. It's simply a matter of some students having gotten lucky whereas others failed.
2) "After 300 hours of work and an A average on the exams, I expect to fail the course." Either the student is overly-pessimistic (which is possible), or the prof has done very little to: (a) boost morale, reassure students, or instil confidence; or, (b) grade students appropriately for the effort that they've put in. I think that the truth always lies somewhere between the extremes.
3) "In a class of 25, 44 security holes seems a bit low." I highly doubt this, but then again, it entirely depends. If you're trying to find a security hole in "telnet" or "finger", I think you'd be outta luck -- the average joe undergrad would be better off picking random numbers to win the lottery than to find holes in software that has been tried, tested, and true for years.
Alternatively, if you just go to http://freshmeat.net and find some little backward project coded by a grade 9 high school student -- well, yeah, I think that an exploit should be pretty straightforward. Which leads me to ask: What the fuck does this assignment actually prove/teach? (See point (1), above.)
By the time you reach fourth year, you realize that there is often some adjustment made to marks at the end of the course by the prof, and I also think that most universities have policies prohibiting more than 50% of a course from failing. So, before everyone cries bloody murder on this atrocity against the bell curve, I bet you most people are going to pass the course.
hacked? All that page says right now is "pwn3d"..
I noticed that sendmail and bind weren't on the list. I guess they're not as exploit-y as DJB would lead us to believe....
It says that was their homework assignment....
failing 1 homework assignment != failing the course
© 2004 The SCO Group, Inc. All Rights Reserved.
Did you even read the topic summary? The poster states that he's gotten A's on the exams and expects to fail the course.
If you read the slides from the first lecture, it says the findings of holes amounts to 60% of your grade.
It's well known that every college grinds out the poor students in the first two years...if you've made it to fourth year, it's time to ladle up some gravy and bolster your GPA in time for grad school applications, resume bolstering, etc.
So the real moral is that the most intelligent students are the ones avoiding the course altogether. If you want to get an education in unix security holes, go read the OpenBSD mail archives.
The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software.
10 for each student? I doubt DJB himself could find 10 on his own inside of a semester.
In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course.
I guess the whispers I've been hearing about DJB being a complete asshole are true. It is always nice to have your academic future dictated by such people to your disadvantage, even though you may be a cut above the teacher himself. And in the meantime he will take credit for your work while simultaneously failing you. Thank you, sir, for reminding me why I dropped out of college.
-R
He pretty much gave them free rein. ANY OSS at all!
Have you seen CPAN? Half of that code is something someone hacked up in a day! And what about all those sourceforge projects that have one developer and less than 10000 lines?
Meanwhile, almost every piece of code that this class is looking at is stuff that's already had a once over - heck, probably even been looked over thousands of times. No wonder they couldn't find any bugs. They were looking in the houses, not the motels.
Mod me down and I will become more powerful than you can possibly imagine!
Assuming the submitter has some inkling of the weighing of the grade policy, the GP makes perfect sense.
If the majority of the class failed, then the professor failed YOU.
There are 44 different holes, not 44 separate finds. Students could've independently [or not so independently] found the same exploit. In fact, I'd bet that it occurred given that they were looking for the same things in largely the same places.
...all I can say is, "why didn't the EECS department have all the cool classes the MSCS department is offering?!" Granted, operating system design and computer architecture courses were cool, but there really weren't any UNIX specific courses.
60%. This assignment is worth 60% of the FINAL SEMESTER GRADE. I suppose I should have put that in the summary.
The problem is that many of the profs have no professional experience outside the academic realm. None. Amazing as it sounds, they go from graduate work to post-doc to the faculty lounge, all the while successfully avoiding any opportunity to deal with people as equals...it's always grovelling to someone or getting someone to grovel to you. It's no coincidence many sleep with their students, it's often the only way they can get laid.
The dynamics of academic environments are truly absurd, I'm amazed more of them are not murdered.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
A friend of mine was an instructor, he had very tough grading standards - the AVERAGE grade was about 50.
Of course, he curved so those who deserved an A got an A.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
djb will send you a check for $500 or $5000 for remote security holes in his tools.
I wonder if having the developer of qmail and tcpserver know your name is worth the pain he seems to be as a prof.
Too bad he's gotta be a Nazi about his software licenses.
Enrico Fermi supposedly failed every single person who ever took his Quantum Mechanics course at the University of Chicago. A special footnote had to be added to transcripts as a result.
The pity is that such a strategy allows for no differentiation between people who are working at their full capacity and goof-offs who sleep through class.
I read that as "MCS 494: Unix Secretary Holes". Me going outside now.
"Multiple vulnerabilities were discovered in MPlayer by iDEFENSE, and more were found by us while reviewing the code"
http://www.mplayerhq.hu/
"New xine-lib released. This version adress multiple security vulnerabilites on PNM and Real RTSP clients. All users are advised to upgrade to 1-rc8. The release also includes several bug fixes and new features"
http://xinehq.de/
Despite the usual quality of Unix software, I didn't think it would be that hard to find a hole. After all, on Linux it's really easy to get source, and surely some automated way of finding possible exploits like grepping for the usual dangerous functions could be found. Now actually exploiting it sounds harder.
My strategy would have been to compile a list of executables that can be easily tested automatically, and run them under valgrind while piping data from /dev/urandom, or something similar. I'd also try feeding normal input with randomly changed characters, and things like that. In my experience valgrind's really good at finding all kinds of subtle issues.
NP-complete humor deserves +1 Funny.
-- n
What kind of stupid class is this? Find 10 security holes in *nix? Each person?
What makes this professor think the standard set of *nix based programs even contains 250 security holes? Generally, FLOSS is better secured than proprietary software.
But by the looks of things, he is looking for minor things like writing past an array, not full-blown arbitrary code execution. But I still don't think this is reasonable at all.
As previous posters have suggested, take your case to the administration. You don't deserve an F because you can't find 10 security holes in the most secure operating system and associated software suite that exists.
Interested in French?
Anything else will make sendmail look slow.
He's a good programmer, but so are a lot of other people who aren't whiny jerks, and have to have everything done their way.
When even in my own limited experience I get three profs to admit to screwing female students, you have to wonder how much of this is going on. More bizarro college dynamics...the girls don't feel too shamed because they see some fetish in screwing the older academic type...deemed mildly acceptable as a college experience.
Some of the things discovered are valid exploits. Like the MPlayer hole where a streaming ASF file can modify hard disk contents. Some of the things are seemingly far fetched. Like the CUPS vulnerability where forcing the disk to fill up DURING a password write operation can cause a user defined error message to be written to the password file. I mean, if a user who doesn't have access to the CUPS passwords he needs has the ability to fill the disk and set error messages for CUPS, then something is very wrong with user management (i.e., quotas) and permissions (doesn't have CUPS passwords, but can alter the CUPS error messages?).
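The "disk fills up during a password write" case above is a general failure mode, not just a CUPS one: a program that truncates the real file and then writes into it leaves a partial (or foreign) content behind when the write fails. The following is an added example, not CUPS code or code from any post here; it shows the weak truncate-then-write pattern next to a write-to-temp-then-rename version, with a constructed `fail_after` switch that simulates ENOSPC part way through the write. File names and the `alice:hash-v1` sample lines are made up for the demo.

```python
"""Added example: failure-safe replacement of a sensitive file (e.g. a password file)."""
import errno
import os
import tempfile


def _write_all(f, data: bytes, fail_after):
    """Write data to f. If fail_after is set, simulate 'No space left on device'
    after that many bytes (constructed for the demo; a real ENOSPC looks the same)."""
    if fail_after is not None:
        f.write(data[:fail_after])
        raise OSError(errno.ENOSPC, "No space left on device (simulated)")
    f.write(data)


def naive_write(path: str, data: bytes, fail_after=None) -> None:
    """Weak pattern: open for writing truncates the old content first, so a write
    that fails part way leaves a truncated/partial file behind."""
    with open(path, "wb") as f:
        _write_all(f, data, fail_after)


def atomic_write(path: str, data: bytes, mode: int = 0o600, fail_after=None) -> None:
    """Hardened pattern: write the new content to a fresh temp file, fsync it, and
    only then rename it over the old file. Any failure leaves the old file intact."""
    tmp = f"{path}.tmp.{os.getpid()}"
    # O_EXCL: refuse to reuse an existing name (also refuses to follow a planted symlink)
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        with os.fdopen(fd, "wb") as f:
            _write_all(f, data, fail_after)
            f.flush()
            os.fsync(f.fileno())  # data is on disk before it becomes visible under `path`
        os.replace(tmp, path)     # atomic on POSIX: readers see old or new, never partial
    except BaseException:
        try:
            os.unlink(tmp)        # clean up the partial temp file we created
        except FileNotFoundError:
            pass
        raise


def read_file(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def demo(workdir: str = None) -> dict:
    """Write a file with each strategy, then update it with a write that fails after
    6 bytes. Returns the surviving content per strategy plus the directory listing."""
    workdir = workdir or tempfile.mkdtemp(prefix="pwfile-demo-")
    results = {}
    for name, writer in (("naive", naive_write), ("atomic", atomic_write)):
        path = os.path.join(workdir, f"{name}.passwd")
        writer(path, b"alice:hash-v1\n")                 # initial good content (constructed)
        try:
            writer(path, b"alice:hash-v2\n", fail_after=6)  # update hits "disk full"
        except OSError as e:
            if e.errno != errno.ENOSPC:
                raise
        results[name] = read_file(path)
    results["files"] = sorted(os.listdir(workdir))       # no stray temp files should remain
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Expect the naive file to contain only `alice:` after the failed update, while the atomic one still holds the complete `alice:hash-v1` line.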
Too much repetition my too much repetition!
The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software.
"There are only 10 types of people in the world: Those who understand binary, and those who don't"
happen to look at any of the software here?
http://cr.yp.to/software.html
What a piss poor assignment this was though. Esp considering that the submitter says he went into the "final" with an A and expects to fail.
Hope for a curve on that assignment. Even with tenure, the dept. won't like the fact that 50%+ of the class fails, unless that's the norm. Furthermore, go speak to the prof, esp since you're one who found one of the sec.holes. Explain that one failed assignment shouldn't completely outweigh a semester's worth of A-work. And don't speak only for yourself if able, speak for the class as a whole. Also, remember that there's safety in numbers. Gather as many classmates together and collectively approach him during his office hours.
I recall taking a course and I'd a 98.5% going into the final. The final was 33% of the grade, and I proceeded to completely bomb it (72% or so.) I went and talked to the prof, who knew me from the class of ~150 students. I clearly and calmly explained that I obviously knew the material as demonstrated throughout the semester, and that a single 2-hour exam shouldn't penalize me like it was about to. He agreed, and I got my A in the class as a final grade.
Something to consider! GL to you.
It's **GOOD** that people find this and I think they should get credit...
... uses strcat ... ... uses scanf ...
but have you read the reports?
HOLY CRAP? People still use those? Christ almighty get with the program people!
I don't think they found "hard to find bugs"; more so they prolly grep'ed for things like gets, strcat, strcpy, scanf, fscanf and then checked if they weren't capped properly.
All in all I think it's good they did it though... I guess I'm sitting on the fence about cheering DJB on with this one.
Tom
Someday, I'll have a real sig.
Ah- but did it commit to certain percentages being certain letter grades? You've probably got a solid 52% right now- likely one of the highest point totals in the class- and good reason to walk this up the chain of command, starting with djb, then the chair of the department, then the dean, then the president of the campus.....
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
I guess they can feel what it is like to be rooted....
Couldn't you simply write a piece of security-flawed OSS software...?
Ok, for an example read this notification about a hole in NASM, an assembler program. It says: Jonathan Rockway [..] has discovered a remotely exploitable security hole in NASM. The problem is, this is not quite correct. Read on for some lines: You are at risk if you receive an asm file from an email message (or a web page or any other source that could be controlled by an attacker) and feed that file through NASM. I.e. it is not remotely exploitable, only locally! Thanks djb, for using terms in quite different ways from how they're usually used!
The better approach is to create one or more large files of random data and feed that into the apps; this is better because it gives you a reproducible stream. (Or you can use a Perl script with a known srand() seed.)
The term "fuzz testing" comes from a seminal 1990 paper (and followups in 1995 and 2000) by Barton Miller et al., who, incidentally, found much higher quality in GNU tools than in their proprietary counterparts. Before my tendinitis got too bad, I used to run The Bulletproof Penguin, a one-man project devoted to stamping out such bugs (my initial goal, easily achieved, was to eliminate all the bugs reported in the original paper). Ben Woodard was doing something very similar for a while, but I don't know whether he still does.
Incidentally, this makes a certain recent Slashdot story more embarrassing: it seems that free Web browsers crash on malformed input, the kind of case that free software normally handles better than its proprietary competition.
``Life results from the non-random survival of randomly varying replicators.'' -- Richard Dawkins
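An added example (not from any post here, and not anyone's project code) of the approach the two fuzzing posts above sketch: instead of piping /dev/urandom into each program, mutate a normal input file with a fixed RNG seed so every case is reproducible, run the target (optionally under valgrind) and classify the outcome by exit status or signal. Target command lines, the flip count and the three built-in self-test targets are assumptions/constructed for the demo.

```python
"""Added example: reproducible mutation fuzzing harness with crash classification."""
import os
import random
import signal
import subprocess
import sys

VALGRIND_RC = 99  # exit code we ask valgrind to use when it reports memory errors


def mutate(seed_input: bytes, seed: int, n_flips: int = 8) -> bytes:
    """Overwrite n_flips random bytes of seed_input, driven by a fixed RNG seed.
    Same (seed_input, seed, n_flips) -> same bytes, so any finding can be regenerated."""
    if not seed_input:
        return b""
    rng = random.Random(seed)
    buf = bytearray(seed_input)
    for _ in range(n_flips):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def run_case(argv, data: bytes, use_valgrind: bool = False, timeout: float = 10.0):
    """Feed data on stdin to argv and classify the run as
    ("ok", rc), ("crash", "SIGSEGV"), ("valgrind", rc) or ("hang", None)."""
    cmd = list(argv)
    if use_valgrind:  # assumes valgrind is on PATH
        cmd = ["valgrind", "-q", f"--error-exitcode={VALGRIND_RC}"] + cmd
    try:
        proc = subprocess.run(cmd, input=data, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ("hang", None)
    if proc.returncode < 0:  # killed by a signal: SIGSEGV, SIGABRT, SIGBUS, ...
        return ("crash", signal.Signals(-proc.returncode).name)
    if use_valgrind and proc.returncode == VALGRIND_RC:
        return ("valgrind", proc.returncode)
    return ("ok", proc.returncode)


def fuzz(argv, seed_input: bytes, seeds, n_flips: int = 8,
         use_valgrind: bool = False, outdir: str = None):
    """One case per RNG seed; returns [(seed, status, detail)] for every non-ok case
    and, if outdir is given, saves the exact bytes so the case can be reproduced."""
    findings = []
    for s in seeds:
        case = mutate(seed_input, s, n_flips)
        status, detail = run_case(argv, case, use_valgrind)
        if status != "ok":
            findings.append((s, status, detail))
            if outdir:
                os.makedirs(outdir, exist_ok=True)
                with open(os.path.join(outdir, f"seed-{s}-{status}.bin"), "wb") as f:
                    f.write(case)
    return findings


# Constructed stand-in targets so the harness can be exercised without a real program:
SELF_TEST_TARGETS = {
    "ok": [sys.executable, "-c", "import sys; sys.stdin.buffer.read()"],
    "crash": [sys.executable, "-c", "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"],
    "hang": [sys.executable, "-c", "import time; time.sleep(30)"],
}

if __name__ == "__main__":
    # usage: python fuzz.py ./target sample-input   (hypothetical target that reads stdin)
    target, sample = sys.argv[1], sys.argv[2]
    with open(sample, "rb") as f:
        seed_input = f.read()
    for finding in fuzz([target], seed_input, range(1000), use_valgrind=True, outdir="findings"):
        print(finding)
```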
After 300 hours of work and an A average on the exams, I expect to fail the course."
So just crack the professor's box and change your grade. That might count as completing the assignment. But that's not really ethical. So what you have to do is crack the prof's box and NOT change your grade in order to get the grade that you would have gotten if you HAD cracked his box and changed the grade yourself. On the other hand, the Prof may want proof. Therefore you must crack the professor's box and change your grade in order to prove that you could have cracked his box in order to complete the assignment and earn your A. But after you have proven it to the Prof's satisfaction you are ethically bound to crack the box again and change your grade back to an F.
FreeSpeech.org
To me, a remote exploit is something that exploits a running server. Most of the examples seem to be trojan horse attacks, getting the user to run an application on a file which overflows a buffer in the application.
Example: http://www2.uic.edu/~kkubic1/securesoftware/26.txt
Jonathan Rockway, a student in my Fall 2004 UNIX Security Holes course, has discovered a remotely exploitable security hole in NASM. I'm publishing this notice, but all the discovery credits should be assigned to Rockway.
The only way I'd call this a remote exploit would be if someone has written an apache module that takes some assembly code and returns an executable. I don't think that's a very common setup.
Baz
UI-Chicago - training the next generation of buffer-overrun-exploiters!
Have you read my blog lately?
Let me get this straight -- you think your grade should only reflect your understanding of the assignment? So an "A" means "understood the assignment outstandingly" or something?
I agree with the general attitude you express that this was a hard (and perhaps impossible) assignment, but your grades should reflect your performance on the assignment, not just whether you were smart enough to understand it.
I've always had a problem with this sort of behavior in college profs -- it gets away from what I consider to be the basic nature of higher education. As a student, I'm the consumer. I'm paying the professor to teach me what he/she knows and then to rate how well I've absorbed that information at the end of the class
Well there's your problem right there. If you think the "basic nature of higher education" is about treating the student as a consumer in the service industry, you really don't belong in higher education.
If you must look at it strictly as a commercial transaction -- and you're certainly entitled to; after all, it is your money -- then I suggest you leave the professor out of it. You're not "paying the professor to teach me what he/she knows and then to rate how well I've absorbed that information" -- in fact, you're not paying the professor at all. The professor is paid by the university and his or her contract says nothing about rating your "absorption" of information like a scientist testing the nitrogen content of soil. You're paying the university to provide the bureaucratic and physical infrastructure for something like "education" to take place. This includes the creation of departments, etc., and of course the hiring of professors.
I'm not suggesting you should just take whatever professors you get without whining about the lousy ones, but I don't think it's legitimate at all to characterize the educational process as a kind of commercial transaction and to make the student's relationship with a teacher the kind of relationship that say a customer in a restaurant has with a waitress or waiter. Students like you remind me of cranky customers in restaurants who call the manager over and try to get the waitress fired because they didn't like her attitude. It's even more sad when the student's complaint about the teacher is that they are doing their job of challenging you a little too well -- that their classes are too difficult or their assignments require too much thinking.
Your complaint about teachers who don't show up to class is another point entirely -- a professor's contract with the university certainly does stipulate that they will attend their classes - though not perhaps in so many words - and it is certainly legitimate for a student to worry that they are wasting their money if their classes don't even meet. Again though I would make the same case on educational grounds rather than commercial grounds. If you can't tell by now, I really hate this metaphor of the university as some kind of service industry enterprise.
Anyway, I doubt this professor will fail the whole class, and it sounds to me like an almost impossible assignment, but I don't know anything about finding security holes in anything, so I wouldn't presume to make a judgement about that.
What, did you find a security whole in Qmail? ;)
-- L.
I expect most of the software will run on Windows.
thank God the internet isn't a human right.
"""
The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software.
"""
Is this an unfair assignment? Simple: ask the prof to complete the assignment. See also "Eat Own Dog Food."
Of course, I'd have written 9 readily-exploitable widgets and then installed them for ready discovery by using the 1 exploit that I could find. If you can't figure that out, then you'll never survive the first set of Business Requirements you have tossed at you in a CMMI-and-Bureaucracy-Lovin' corporate environment.
And when your boss is offering bonuses for fixing bugs in software (instead of having bug-free software on the first pass), you'll know exactly what to do.
When the customer ASCIIs a stupid question, give 'em a stupid ANSI. You have to show them that they're being ridiculous; telling them isn't enough.
So this is what we call modern education? Teachers are merely muses to encourage us to do work and they don't actually teach anymore? Sounds like a trade school to me. No teaching, just hands on experience. I wouldn't want to pay for school and then get that crap in return.
-- Betting on the survival of the media industry is a serious risk. I advise investing elsewhere.
Look on page 3.
I'm a first year Computer Science student at UIC. It is not really as bad as it sounds. From what I hear from my friends at ACM meetings, DJB is a pretty popular professor (see http://cr.yp.to/ for his web page). We make fun of him for redoing software like qmail, which he runs on his mail server. Everybody has heard of him being a really difficult professor, however, but the class is fairly full every year. DJB isn't as bad as James Longst. makes him out to be, but he is pretty challenging, probably much more than many others. I hope to take his class sooner or later! I hope it isn't too difficult! ;-(
Dan Bernstein really should take this old saying to heart. He's done an astounding amount of good work for the IT community. His qmail MTA is technologically simple, secure, stable, and generally brilliant, as are his related software packages. His class project to have students find security holes in popular software packages is an outstanding piece of community service (though his practice of failing students for not finding those holes is draconian, if true).
The problem, though, with DJB is that his great work and service is continually marred by his aggressively arrogant attitude. He has on many occasions told appreciative users of his software projects that his software is clearly superior, and that the developers of other software projects (Sendmail, Postfix and BIND, for instance) are incompetent and ignorant idiots. Dan is an academic, so some egocentrism should be allowed, for he is deserving of much praise. If only he would realize that his abusive attitude toward fellow open source community members is a detriment.
Perhaps it isn't Dan's intention to come off as arrogant and egotistical as he does (he's a mathematician, not an English expert, after all), but I do think he would be of so much more help to the community and industry in general if he'd be a little more kind, considerate, and empathetic toward other developers in the future. Intelligence is no excuse for lack of humility and compassion.
If you read the slides from the first lecture, it says the findings of holes amounts to 60% of your grade.
Makes sense.
The requirements are to exploit 10 holes in unix software. Nowhere does it say that the unix software must come standard with any distros, and it doesn't say that you can't write it yourself.
Write a simple program with 10 holes in it, point them out, and boom you win.
We are talking about finding vulnerabilities and exploiting them aren't we? I'd get extra credit for finding and exploiting holes the class requirements.
No need to find 10, just find one and then hack into the prof's grading machine. there.
Any good programmer and security tinfoil hat boy would see that in the assignment you would not be allowed to share found bugs with your peers. And since you can't share them you would have no way to know that you and a peer have found the same bug unless you cheated. So if two people find the same bug they must NOT be cheating. Now that we have an argument where the rules are proved in the inverse we simply break down the work. Everyone finds one bug, produces a slightly varied writeup and everyone gets full credit. You obviously skipped the social engineering lectures.
Teams, as in one classmate writes a piece of OSS full of holes, and the other classmate finds them. Since it's open source it shouldn't be too hard to find the weaknesses to exploit.
Dan East
Better known as 318230.
I've reported 4 stack/pointer based crashes in Konqueror in the past couple of days and they just came to me without looking.
If I could have crafted an exploit for the crashes then that would be 4 holes.
All the students needed to do was look at the current/recent bugs list for a version of software:
Identify bugs that could possibly be exploited (say maybe 100).
Run automated buffer/stack exploit checking software against those bugs.
Hope to get 10 criticals.
Khtml's probably a good choice for exploiting at the moment, as it's getting a lot of 'features and fixes' which probably caused the crashes I've reported.
Most of these bugs were found in sourceforge projects (typical directions: "download this.sourceforge.net, compile it, run it with the supplied input file"). Simple strategy: create your own bugs, then report them. "Professor DJB, sir, I found ten root-level bugs in the SlashDotFirstPostSubmitter program! Gimme my A!"
This is a link to his slides in the first class. Look at slides 7 and 8.
http://cr.yp.to/2004-494/0823.pdf
I'm not sure how I feel on this one. As a CS student doing PhD research and having been at university for a while, I know that some courses are more demanding than others, and a 49x code class is likely a senior level special interest course. Secondly, he had all semester to do this. On the other hand, if no student meets the requirements you set out, then the professor is likely at fault, since students' effort and skill should be normally distributed and a good percentage of them would pass if grading is done fairly, while a few might excel.
To DJB's defense, the requirement was for 10 bugs in any deployed UNIX software from what I'm reading. It shouldn't have been so hard. Assuming he taught what he was supposed to teach.
*blinking cursor*
It's 44 security holes we won't have anymore in the near future. Probably better than 3 months of work at Microsoft.
What, you think there are no gay men teaching college classes? (Or, women with suitable "plugins".)
-- Old Man Kensey
that - or something similar - is quite possibly the actual goal of the assignment.
Okay, once this assignment gets handed out, the first thing is to clarify assumptions with the professor.
Is currently deployed software and known bugs defined by the first day of class or the last?
If first day of class, simply wait until near the end of the semester. Venture to numerous *nix software sites and their respective known bugs list. Grab bugs submitted after first day of class.
If last day of class, generate your own buggy software with at least 10 security bugs. Make it available on the internet. Log the bugs...
The assignment takes 10 minutes!
By that, you might be close. At least, close to passing. Still going to screw up your GPA, but there is an outside chance that you can pull a D out of the hat (at 55% of total points available). I'd still suggest pulling the chain of command protest routine, which may just assure it since he didn't list any grades lower than a B on the original syllabus (boy, that was a badly written syllabus), just "etc". And you probably wouldn't have to take the protest any higher than the chair of the department. I had a couple of these in college myself, and usually, going to the instructor first, then the chair, worked fine, because by the time we got in to see the chair, the instructor had already taken advantage of the loophole he left himself in the syllabus, passed the top half of the class with C's and D's and was able to tell his boss "But, half the class passed".
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Now they know how many holes it takes to fill the Albert Hall.
The world's burning. Moped Jesus spotted on I50. Details at 11.
As the AC stated, the page consists of only the "word" pwn3d.
I wonder if the webmaster was in the class. He definitely deserves to fail.
http://tigger.uic.edu/~jlongs2/holes/html2hdml.txt
/usr/ports/www/html2hdml
---snip----
Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type
cd
make install
---snip----
Should be
Proof of concept: On an x86 computer running FreeBSD 4.10, as non-root, type
cd
make
su make install
thank God the internet isn't a human right.
1) Create sourceforge project page under assumed name.
2) Post forks of programs with extra bugs inserted.
3) Profit!
You see - there's a number 2 step, thanks to open source.
SCO employee? Check out the bounty
Step 1: Read example security exploits.
Step 2: Develop script to detect. (Simple stuff like evil C functions)
Step 3: Develop script to download packages from freshmeat and run previous script.
Step 4: Play videogames for a few hours.
Step 5: Write reports.
Step 6: Profit! (Good grade would be considered profit here)
The student has not understood the task.
It is about trust. The common question is what apps the person trusts. Here's the main point.
Picking commonly used programs returns fewer faults on average. Yet they are normally overlooked.
Some faults show up just by recompiling source code with gcc 3.4; there are other search tools that find the faults.
10 faults should take about 100 correctly selected programs to find with software assist, i.e. valgrind, gcc 3.4.
I know some days when I feel like a bit of sport I pick a program from freshmeat and check it.
99% of these faults are buffer overflows. Hmm, new AMD chips help buffer overflows cause program death. Choosing the right chip also helps. The message: the faults are buffer overflows; run a chip that will not let exploits work here and you have a safe UNIX system. This applies to Windows.
I think the teacher was trying to make UNIX look bad, because it should have been an open attack on all open source software, Windows or Mac or UNIX. Reason: the faults are the same.
You do everything you can, take it to the prof, and show it to him:
Prof: This says there aren't any problems with the Unix OS.
Student: Yeah, I know.
Prof: Well, where are the holes? The security problems?
Student: Aren't any.
Prof: Well, there probably are but you just can't find any. You get an F!
Student: Well, that may be but me and a couple'a million other people beg to differ with your opinion.
Someone put a black hole in my pocket and now I'm broke.
I understand the root of your comments, that people seem to expect to be passed or something. You're not obligated to pass everyone -- hell, if you did, you'd be just as bad as the prof who passes everyone. But if you read the post, the OP wasn't saying that you should pass everyone. But as a professor, you do owe the students a certain amount because you have been contracted by the university, and the university is taking their money.
It looks to me like the course outline is something almost anyone could sling together in 20 mins. I mean: "study Gaim source"...
Am I missing something here, or do diplomas actually mean nothing.
it's the taking apart that counts
I checked out the slides from their first day of class and it says that exams were 40% and finding the 10 security holes was 60% of their grades. I guess they all learned an important lesson on when to drop a class before it's too late.
http://cr.yp.to/2004-494.html
Actual course info from the professor's home page. With assignments, slides, etc.
"Piter, too, is dead."
1. Do not assume that you will fail. I've seen professors tell everyone that they will fail and then give out many A's and B's at the end of the semester.
2. If you really do fail the class:
Complain to the Dean. It should be easy to get half of the class to accompany you to the Dean's office. Write a formal written complaint and address it to the Dean of Computer Science, the Dean of the university and also the professor. And then get as many of your classmates as possible to do the same. This is not acceptable behavior for a professor. As a last resort write a formal letter to the Dean of the university threatening to sue to have the cost of the course refunded. Have it drafted by an attorney. Good luck.
Anybody else here think that it probably isn't a good idea to open up your professor to the ridicule of Slashdot???
This is no more a remote exploit than somebody mailing you an executable that you run. Clearly the fact that the bash shell will let you run an executable that will do unexpected things means that there's a remote exploit in bash!
Not allowed. All software must be deployed and have real users. Hence the difficulty.
My other car is first.
I think this is the solution to the problem, although for good form, you might want to find one or two in someone else's code. Perhaps a few students can get together and swap software they have written just for this course.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Why didn't you ask Slashdot for help - you would have had your answer in no time and had an A for sure!
It's "their", not "there"
But hopefully you'll leave the course with quite possibly the best lesson any programmer could ever hope to learn. That is "DJB is a freakin' asshole."
So take the valuable life lesson and join the rest of us in ignoring his software purely because we can't stand him.
Why would most students fail? Because DJB is now, and has always been, an asshole.
1. Exploit existing holes in Gnu CVS.
2. Choose some random unix utilities, preferably ones that aren't under active development
3. Insert some exploitable buffer overflows or other varieties of exploits. Put them into CVS.
4. Find the vulnerabilities you put in, exploit them, and profit.
It strikes me that you'd have to be an idiot to fail this class. Just run some of the automated tools that are around which look for these problems, and half your work is done. Sheesh.
Wait, wait! DJB is acting like an asshole? No. That can't be right. Who on earth would ever have thought that DJB might act like an asshole? He's always been so well behaved, humble and polite in the past. No one would ever have considered him to be at all prickish in the past. It must be your problem. You are now banned from posting to slashdot.
That kind of stuff usually doesn't work. In an Astronomy class (toward an Astronomy major, not that gen-ed crap) the professor did not tell us we would have to remember constants, and he asked them as questions. They were short questions, and weren't worth a lot.
One of them was: What is the orbital period of Saturn? (2 pts/100)
I started thinking about Bode's law and the possibility I could calculate it from an approximate radius I would get from that law... if I could remember it. But when you expect a 72% to be an A on a test, you have bigger fish to fry.
Then I got it. It was right, it should work, and no one would have to be nailed to anything.
I wrote: One Saturn-Year
I didn't get credit for it. A couple years later a sophomore was telling me about this funny question he had in the same class. He showed it to me. It read:
What is the orbital period of Saturn? (Do not put one Saturn-Year)
I was so right that it had to be guarded against. Yet those were 2 points I would never have.
They're the quintessential frustrated loser.
CUPs has real users?
"There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
College chicks are hot. Who wouldn't funk them if they could.
Wait a minute!
Let's look at this rationally. Here's some code:
10 PRINT "HELLO WORLD"
20 END
Can't come up with ten holes in this code? You fail.
- Just my $0.02, take with a grain of salt, your mileage may vary.
It's better to attend a corporate workshop than a university class for security.
- The company usually pays
- Free plane ticket, hotel room, conference food, and a nifty bag 'n schwag
- If you don't learn anything, it's not a permanent blemish on your record
Task a class with finding 10 previously undiscovered security vulnerabilities, and a way to exploit those vulnerabilities...
I bet everyone in the class would pass...
Not only that, but if the study was made public, you would have microsoft being sued for allowing such security holes in the software. And to top it off, people would cry for Linux of any flavor.
--E--
After 300 hours of work and an A average on the exams, I expect to fail the course.
I think I just decided not to install qmail.
1.) Have tech lead of past-deadline project pose as "professor."
2.) Have said "professor" teach a class where the students' academic performance depends on the number of bugs they find.
3.) ??
4.) PROFIT!
There are a huge number of yeast infections in this county. Probably because we're downriver from the bread factory.
I'd fail these students too. Clearly they hadn't heard of DJB and his attitude to sign up for his course. With such a gaping hole in their knowledge, they deserve to get an F.
I would not be taking a course that required me to find 10 new security holes in a relatively rugged piece of software. I'll stick to courses where I have to write my own OS, thanks very much.
The only way to graduate in 4 years with an engineering degree at Texas A&M was to take the maximum allowed courses per semester (18 hours) - and that max was only allowed to A+ students, everyone else was limited to 16.
Eat Your Bees!
If you can find the source code to any version of Windows, that assignment will be easy. Take the source code, and modify it to run on *nix. Do you get extra credit when you find 5+ holes every month?
Scott Simontis
I don't see what you are complaining about you got full credit, 2 null-points out of 100 points.
Real men would find 10 bugs in TeX!
are orders of magnitude more complicated than telnet and finger, that's why.
I am NaN
Since most of the software is open source... couldn't you try to CREATE a hole... get it included in the source tree and then "discover" it?
In a class of 25, 44 security holes seems a bit low? I thought nix was supposed to be secure and cool?
Today it's BAD there aren't enough security holes in nix?
Others are pretty implausible, for instance the jpegtoavi exploit, which requires the user to run the jpegtoavi program on a set of files provided by an attacker.
On my quick perusal, the nastiest holes seem to be the changepassword hole, a local root exploit, and the two holes in cups, particularly the first one, which straightforwardly gets the attacker access to user "lp" where they can monitor everything that gets printed.
One thing that is a bit surprising and disappointing is that so many of these bugs are from well-known bad coding practices. Why the hell is *anyone* still using strcat in distributed software, for instance?
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
Not quite. From the first slide here's the credit specification (emphasis mine):
Presumably a toy program you write on your own doesn't count as "deployed UNIX software".
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
20 END
Can't come up with ten holes in this code? You fail.
Crap. With a Courier or Times font, I can't count more than nine. Can I change the line numbers?
call to the world for pity as if that will somehow change the professor's mind.
They should've picked PHP-NUKE. Talk about finding holes in a swiss cheese.
"Me claiming Satan exist is just as valid as you claiming an atom exists" - 1inChrist
Mine was modifying a string constant in Borland's Turbo C by setting a pointer variable to the beginning of where the constant was stored and then changing the proper offset. When I got my test back, it said "-5, +5, I tried it, it worked!". I was too much of a stupid kid to realize that you shouldn't write self-modifying code in the global constants table.....
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
More likely your prof would say "that's very funny," and then flunk you. Tactics like this aren't unheard of, particularly from desperate students who are behind, and they usually end badly.
Now before I get modded down, I beg to remind whoever might read this that what I am saying is FACT. - bogaboga
Well, that depends. If the program is written in BASIC, then I would have a hard time finding anything wrong with it. However, if it's C, I can find at least 10 holes in the code. Hell, it wouldn't even compile.
For every post, there is an equal and opposite re-post.
Remember, it looks VERY bad for a professor if all his/her students fail! It is clear indicator of the failure of the TEACHER, not the class.
He won't fail them all.
Too bad nobody found an exploit in OpenBSD. Then Theo and djb could have a huge public slugfest over who was right. Theo could piss on qmail, and djb could piss on... I dunno, he'd find something. Battle Of The Outsized Egos, Now Playing On Slashdot!
I teach adult education tech classes. If everyone fails my class, I have failed. (Failing due to lack of attendance being the exception.)
If I cannot get a majority of my students to understand the topics enough to pass my grading criteria, then I have somehow failed to properly instruct them. As an employee of the school, the school has also failed them (I am an agent of the school).
What is the point of taking a class which has a failure rate higher than, say, 50%? Unless this is a live or die case, such as SEAL training, this is completely absurd.
As far as the students being smart enough to take the class... that is why most classes have prerequisites. If each of these students meets all prerequisites, and participates fully and honestly in the class, the failure rate should not be as high as this one appears (90%-ish).
Instructors MUST be held accountable for being successful teachers. If the student does not learn, despite real effort, then the fault lies with the person who had the knowledge, but failed to pass it on.
Those type of questions always annoyed me enough to argue for my points to the prof. You were correct - he did not require a unit of measurement in the question.
Not unless you deploy it. Make sure it does something.
Put it on CPAN. How about:
Crypt::Insecure
Drop-in replacement for Crypt::Random. Demonstrates common vulnerabilities in OSS with ten intentional security holes.
Mod me down and I will become more powerful than you can possibly imagine!
Dude, I know what you're going through. I had an x86 Assembly class where the teacher was known as a tough ass and the homework was almost impossible. Needless to say, at the end of the semester, out of 19 people only 2 had all of their programs in and were passing the class with a C.
While working at my job the following summer I interviewed some kid straight out of USC. We got talking and it turns out that he got an A in his Assembly class, so we started to compare notes. The teacher that I had was far ahead of his teacher, he would have been one of the failing in my class.
My suggestion: some schools are easier than others. But you really have to know if you want to learn something or just get your diploma. I for one want to learn something but I don't want it to be impossible. I have a friend who took the easy way out; sure he has a good paying job, but the guy gets by on asking one of his friends (who stayed in a good school) how to get things done. I would feel much better about myself if I stuck with the tough stuff.
Grifter (the original)
The course lists fluency in C as a requirement and states that each student has to find 10 new bugs in Open Source software.
That's not hard. That would take about a day's work for any proficient C hacker. If you attack a large OS program you're screwed. However, looking over his lectures, he suggests both group work and searching for projects through sourceforge.
Hell, half of the projects on sourceforge don't even compile. There's a ton of opportunities to find holes...
so much for the 'Linux is less buggy and more secure' articles the last few days....
My experiences have always been that if students find a course too difficult to complete despite massive amounts of work and reasonable talent and confidence, they impart this knowledge to the coming years who then avoid the course like the plague.
That's an excellent way to work yourself out of a teaching job and become redundant (pun intended).
Let me qualify this. I've done an undergrad and I've taught electives. Your job as a lecturer is always to find the right level and teach the class at that level. If you do something that loses them or makes them believe any effort put into the subject is futile, then you're a bad lecturer, period. No excuses about trying to make them understand real world problems are hard etc. either. If you want to set a challenge, put it in writing and submit a paper.
Now if the assignment had been to document the process of trying to discover the bugs in the software and what approaches did or didn't work, how you select the problem etc. And if grades were given for approach instead of just successes, THAT would be a worthwhile course. Something like:
"Attempt to discover new unpublished security flaws in 10 pieces of Un*x software. Document your reasoning for choice of program, and the approach you have taken to finding the flaws".
These posts express my own personal views, not those of my employer
Actually, this professor is brilliant. I don't know if he's good as a professor, but he's certainly one of the brightest and underrated contributors to computer science, cryptography (fighting and winning lawsuits with our govt.), and open source (qmail, ucspi-tcp, etc.).
His accomplishments and contributions to computer science is greater than most in the field. Only a few others, like Bill Joy really showed creative genius and productivity like DJB.
I found qmail (written by DJB) to be one of the most reliable, bug-free and secure software I've ever used. Only 2 minor bugs were found since 1.0 was released and no security bugs ever (there is an uncollected cash reward for anyone discovering one).
Because of qmail, I got introduced to "the djb way" of doing things. It was annoying at first because of non-standard directory locations but after maintaining it on production servers, I now prefer it over inetd and xinetd for most daemons that I run on Debian and FreeBSD. It doesn't crap out under heavy load spikes and makes sure my supervised daemons are always running.
If curious, here's an intro to "the djb way" that I wish I found earlier:
http://thedjbway.org/
Am I the only one slightly impressed by some of the students in the article? Like Mr. Berkman who found at least six plus holes, one of which allows a user to take over via Samba? If somebody found that many serious holes in Windows software, ./ would have a parade in their honor.
Instead of bitching about how it is not really *nix holes, congrats to the students. I would sure hire a grad who failed a course but had found so many flaws that the so-called "hackers" that took plain vanilla CS courses either missed or didn't care about.
I suppose it's good to see that someone remembers me from the o-board.
I mod down pyramid schemes in sigs.
Load wine and run MS apps on top.
I prefer the "u" in honour as it seems to be missing these days.
If the guy was a jerk, I might have. But it was a great class, and I learned a lot.
I also got an A. It is rude when you get an A to argue for 2 points you didn't really deserve in front of people who struggled for a C.
Passing the course would have been easier for the student had they used OpenBSD to compile the software they audited...
The mplayer exploit for example is easy to find just by compiling using OpenBSD's patched gcc, which by default activates the -Wbounded warning that does bounds checking on selected functions, read() being one of them. (No magic involved: attributes in includes say whether a parameter to a function is the size for a buffer, hence the include must be adapted for gcc to be able to perform the check. gcc can then warn if it knows the size of the buffer (no dynamic alloc, I'm afraid) and if the length passed is bigger.) See gcc-local, the documentation on gcc extensions introduced by OpenBSD.
-Wbounded was written by OpenBSD's Anil Madhavapeddy and has not (yet?) been integrated into the gcc trunk, for God knows what reasons...
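As an added illustration (not code from this thread, from OpenBSD's gcc-local, or from mplayer), here is the read()-into-a-fixed-buffer pattern that -Wbounded flags, and the unbounded strcat pattern complained about earlier in the thread, each beside a bounded replacement. The pipe and the 64-byte payload are constructed sample input.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define HDR_LEN 16

/*
 * The shape -Wbounded warns about: the length handed to read() is not
 * tied to the size of the destination array, so a caller can ask for
 * more bytes than 'hdr' holds.  Shown for comparison, never called here.
 */
ssize_t header_read_unchecked(int fd, char hdr[HDR_LEN], size_t want)
{
    return read(fd, hdr, want);           /* want may exceed HDR_LEN */
}

/*
 * Bounded replacement: the request is clamped to the destination size,
 * so read() can never write past the end of 'buf'.
 * Returns bytes read, or -1 on error (errno set by read()).
 */
ssize_t bounded_read(int fd, char *buf, size_t buflen, size_t want)
{
    if (want > buflen)
        want = buflen;
    return read(fd, buf, want);
}

/*
 * Bounded replacement for strcat(dst, src): refuses instead of overflowing.
 * Returns 0 on success; -1 (dst untouched) if dst is not NUL-terminated
 * within dstsize or if src plus the terminator would not fit.
 */
int bounded_append(char *dst, size_t dstsize, const char *src)
{
    const char *end = memchr(dst, '\0', dstsize);
    size_t have, need;

    if (end == NULL)                      /* no terminator inside dst */
        return -1;
    have = (size_t)(end - dst);
    need = strlen(src);
    if (need >= dstsize - have)           /* no room for src and the NUL */
        return -1;
    memcpy(dst + have, src, need + 1);    /* copies the terminator too */
    return 0;
}

/*
 * Demonstration of the read() case: a constructed 64-byte "file" is pushed
 * through a pipe into a 16-byte header buffer, as a parser reading a file
 * header might do.  Returns how many bytes landed in the buffer (16, since
 * the request is clamped), or -1 on a pipe/write/read failure.
 */
int demo_bounded_read(void)
{
    char header[HDR_LEN];
    char payload[64];
    int fds[2];
    ssize_t n;

    memset(payload, 'A', sizeof payload); /* constructed attacker-sized input */
    if (pipe(fds) != 0)
        return -1;
    if (write(fds[1], payload, sizeof payload) != (ssize_t)sizeof payload) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);
    n = bounded_read(fds[0], header, sizeof header, sizeof payload);
    close(fds[0]);
    return (int)n;
}

/*
 * Demonstration of the strcat case on an 8-byte buffer.  Returns 1 when
 * every step behaves as documented (fit accepted, overflow refused and
 * buffer left intact, exact fit accepted), 0 otherwise.
 */
int demo_bounded_append(void)
{
    char buf[8] = "abc";

    if (bounded_append(buf, sizeof buf, "def") != 0)   /* "abcdef", 7 bytes */
        return 0;
    if (strcmp(buf, "abcdef") != 0)
        return 0;
    if (bounded_append(buf, sizeof buf, "gh") != -1)   /* would need 9 bytes */
        return 0;
    if (strcmp(buf, "abcdef") != 0)                    /* refused, unchanged */
        return 0;
    if (bounded_append(buf, sizeof buf, "g") != 0)     /* exactly fills 8 */
        return 0;
    return strcmp(buf, "abcdefg") == 0;
}
```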
Hmm
He didn't express any particular method by which the student should discover a security hole in deployed UNIX software.
Should be simple enough to compile a list of security bug fixes in established software projects as they occur during the term.
There's plenty to keep an eye on with all the supported distributions' websites and everything on sourceforge. You only have to find one or two unique ones a week each for a ten week term. (I feel as if there are enough platform independent browser exploits to meet this discovery rate....)
The trick here is collaborating with fellow students to compile a single list of 400 exploits that you can all submit.
It all depends on the definition of "discover", "new" and "security holes", which is entirely arguable from the credit specification.
Of course you would probably have to ask what each hole consists of, the resulting list may even prove publishable if it shows any interesting patterns.
Good luck.
Facts are history now plebs have politics for religion on social media.
Unless your name is Richard Stallman.
If DJB doesn't find 15 to 20 holes in a year on his own without any help from students, then 10 holes over the course of a semester is way out of reach for almost any student.
Funny thing I lost my working directory in University testing applications by my students. They recursed down the tree and deleted from there. A bug in their scripting.
I learnt Linux scripts and ran them as a dummy user on my machine after that.
Yeah, but as noted above, it has to be deployed UNIX software. And giving it to a couple of your buddies doesn't count as being deployed. Hits on google indicating use or being distributed in BSD ports counts as being used. DJB was more focused on the holes being in existing software, rather than what types of code will actually have a hole.
Hell, I'm sure there's some unpatched redhat 5.2 box out there, which is "deployed."
He didn't say "up to date" UNIX software, just "deployed" software.
Seems easy enough to me. Basically a research project.
DJB's UIC Faculty Profile includes a photograph.
Always interesting to put a face with a name.
Can you take a class taught by Linus Torvalds? Larry Wall? Other open-source luminaries?
DJB has written some incredibly good software: qmail and djbdns being the prime examples. As a long-time qmail and djbdns user, I think the opportunity to take a class taught by DJB would be an incredibly stimulating learning experience, regardless of grade.
I replaced a qmail installation with a sendmail installation and the performance was the same. Anecdotal evidence is meaningless; do a google search, there are published benchmarks showing that although qmail is faster at outgoing mail, sendmail is faster at local delivery, and in 99% of cases, both are similar enough performance-wise that it's irrelevant.
>1. Prof says 'I'll fail you if you don't perform a near-impossible test.'
>2. Student says 'OK.'
Nope.
Student weighs factors, realizes that if he takes the test, he'll probably fail the course. FAILING THE COURSE MEANS NO CREDIT HOURS, AND LOSS OF THAT TIME TO TAKE A DIFFERENT COURSE. Therefore, with regret, he takes his second choice for that slot.
Yes, Mr. Recruiter. I got an F in a course in my chosen major, but it was in an *impossible* course. Actually, between the presence of that F in the major field, and what it did to his GPA, he probably won't even get to see the recruiters he most wanted to see. He would have been weeded out before then.
The learning is great, sure. The impossible grade is serving absolutely nobody and nothing except DJB's ego.
The living have better things to do than to continue hating the dead.
Unfortunately, the CVS version's exploits wouldn't have counted, because it wouldn't be the "packaged" version...DJB was pretty picky about this.
When developing Palm OS applications, there's a similar feature called Gremlins. You load your program into the Palm OS Emulator (or Simulator) on your computer - this is how you do most of your testing anyway. Give it a random number seed, and activate Gremlins.
It randomly taps all over the screen, fast. It pays special attention to buttons, menus, etc., but also taps on blank spaces. It types random characters into text fields, or sometimes for no reason. Sometimes it'll write fragments of Shakespeare... If your application survives a few million events, you can say with a good degree of certainty that it's reliable. If it doesn't, you get all the Palm debugging tools.
I am a student at UIC, and although I didn't register for MCS 494, I sat in on most of the classes for my own personal enjoyment. I knew that DJB would be rough on a 400-level class, and I wasn't up for the workload, so I did not register. This was not a required class, so there was not a single student in the course who was forced to be there. In addition, (as the slides from the course show), the requirements for a grade were clearly posted. After several weeks, anyone having trouble could have dropped and saved themselves from failing. That being said, my guess is that people stayed in the class so that they could then tell their friends (and/or slashdot) that they were failed by djb. I'd also like to point out that none of Prof. Bernstein's students claimed that they didn't learn a lot in the class, or that he was not a superb teacher. I can personally attest to his excellent teaching ability. It's the true mark of an undergrad to sign up for a rough course and then complain about a bad grade. Instead of worrying about failing, why not be concerned about how marketable you'll be to companies now that you've got some published security bugs? How about focusing on how remarkable it is that an undergraduate course could force you to care so much? I think anyone who's whining right now has missed the boat on what a remarkable learning experience the course was. It's sad that more courses at the college level aren't as challenging.
...he fits right in with what I've seen of the culture of the University of Illinois at Chicago.
Finding God in a Dog
yeah, but no one other than we the students are aware that the class was taught by DJB (i.e. transcripts do not say "MCS 494; Bernstein, D.J"). Also, I feel that DJB would have allowed us to drop the course, yet keep going. In retrospect, I wish that's what I did
There is always the idea that the student is the product, in addition to the consumer. If it was traditional economic behavior, grades would be based on money. "Oh, you want a good grade? Let me show you the deluxe education model for just a few thousand more.
Is this assignment even legal under current laws?
So to summarize, is DJB being too hard on the class? Yes. Is he an asshole? Probably. Is he a smart guy with lotsa skills? No doubt. Does he understand your viewpoint? Probably, but he thinks his PhD makes him exxtra special.
I'd cry foul on that teacher. Complain to your academic dean and or department head.
-73, de n1ywb
www.n1ywb.com
Find a hole in djbdns or an abusable infrastructure flaw in Internet Mail 2000... don't act like you don't know what I'm talking about.
No one has completed the Travelling Salesman problem successfully.
I, on the other hand, had a solar systems and astronomy class that actually decreased my interest in solar systems and astronomy.
That has to be the ultimate sin for any professor. The guy should be fired. Then tarred and feathered. Or something.
He'd make us go through some of the most mind-numbing, boring tasks to pass the course, like maintaining this ridiculous notebook that he then graded.
When I had to read assigned chapters in the text book, I'd finish then go read other chapters that weren't even on the syllabus. That's how interested in astronomy I was.
[off-topic, sorry]
--RJ
For each student to find two new security bugs in Qmail.
Like project managers, professors have to guess how much development can get done in how much time. It's just as hard to estimate in academia as in the real world, which is why professors (like project managers) very often get it wrong, especially on their first try through of a new thing.
A good professor (like a good project manager) isn't one who never makes mistakes: it's one who is reasonable about bringing their views in line with reality after making a mistake.
So just as in the real world, the correct response is to be polite but firm in pointing out that the expectations were unreasonable.
Sean
Sir Ernest Rutherford, President of the Royal Academy, and recipient of the Nobel Prize in Physics, related the following story.
Some time ago I received a call from a colleague. He was about to give a student a zero for his answer to a physics question, while the student claimed a perfect score. The instructor and the student agreed to an impartial arbiter, and I was selected.
I read the examination question: "Show how it is possible to determine the height of a tall building with the aid of a barometer." The student had answered: "Take the barometer to the top of the building, attach a long rope to it, lower it to the street, and then bring it up, measuring the length of the rope. The length of the rope is the height of the building."
The student really had a strong case for full credit since he had really answered the question completely and correctly! On the other hand, if full credit were given, it could well contribute to a high grade in his physics course and certify competence in physics, but the answer did not confirm this.
I suggested that the student have another try. I gave the student six minutes to answer the question with the warning that the answer should show some knowledge of physics. At the end of five minutes, he hadn't written anything. I asked if he wished to give up, but he said he had many answers to this problem; he was just thinking of the best one. I excused myself for interrupting him and asked him to please go on.
In the next minute, he dashed off his answer, which read: "Take the barometer to the top of the building and lean over the edge of the roof. Drop the barometer, timing its fall with a stopwatch. Then, using the formula x=0.5*a*t^2, calculate the height of the building." At this point, I asked my colleague if he would give up. He conceded, and gave the student almost full credit.
While leaving my colleague's office, I recalled that the student had said that he had other answers to the problem, so I asked him what they were.
"Well," said the student, "there are many ways of getting the height of a tall building with the aid of a barometer.
For example, you could take the barometer out on a sunny day and measure the height of the barometer, the length of its shadow, and the length of the shadow of the building, and by the use of simple proportion, determine the height of the building."
"Fine," I said, "and others?"
"Yes," said the student, "there is a very basic measurement method you will like. In this method, you take the barometer and begin to walk up the stairs. As you climb the stairs, you mark off the length of the barometer along the wall. You then count the number of marks, and this will give you the height of the building in barometer units." "A very direct method."
"Of course. If you want a more sophisticated method, you can tie the barometer to the end of a string, swing it as a pendulum, and determine the value of g [gravity] at the street level and at the top of the building. From the difference between the two values of g, the height of the building, in principle, can be calculated."
"On this same tack, you could take the barometer to the top of the building, attach a long rope to it, lower it to just above the street, and then swing it as a pendulum. You could then calculate the height of the building by the period of the precession".
"Finally," he concluded, "there are many other ways of solving the problem. Probably the best," he said, "is to take the barometer to the basement and knock on the superintendent's door. When the superintendent answers, you speak to him as follows: 'Mr. Superintendent, here is a fine barometer. If you will tell me the height of the building, I will give you this barometer."
At this point, I asked the student if he really did not know the conventional answer to this question. He admitted that he did, but said that he was fed up with high school and college instructors trying to teach him how to think.
The name of the studen
As has been mentioned by previous posters over the years, it seems to me DJB continues to confirm he's a bit of a nutter. While there are surely many security holes to be found in software, how smug of him to assume people can routinely find meaningful security holes on demand. To prove it was possible, did DJB himself find as many holes (and report them) prior to teaching the class? I think not. Clearly DJB didn't know if the homework was even possible when he assigned it. These students should spend their education dollars elsewhere.
Hmm, any time I've taken science courses, one has assumed SI units if not specified. Unless you're a freshman, I don't think you can honestly get away with not using SI units and claim ignorance.
Obviously you are still a stupid kid. Although modifying a const string is not defined in C, it is not "self modifying code" and furthermore "global constants table" is terminology of your own invention.
Self modifying code has nothing to do with pointers to const data.
DJ Bernstein is an asshole!
Film at 11:00!
Agreed.
The first lecture is quite clear. If you don't believe you're up to the task of finding 10 bugs, then that might be a good time to drop or instead audit the class.
So many people think that the "producers" (DJB here) need to be fair - fair by their (the students') standards. The producer offers what they have - you accept their offer and/or negotiate. Once you buy, complaining (in the absence of fraud) is only evidence of your ignorance in negotiation or of what you "purchased".
Although admittedly, the course seems so interesting that, in the absence of the auditing option, it might be worth taking just for the experience - even if you don't expect to pass!
Free Me! (http://www.freeme.org/)
The 'pcal' PostScript/HTML calendar-generation application had 2 holes, both of which have been fixed already in v4.8.0, just released today.
The new version supports embedded EPS images (icons, photos) on monthly PostScript calendars. There are several other new features and bug fixes too.
Visit the website:
http://pcal.sourceforge.net
The new release is here:
http://sourceforge.net/projects/pcal/
If you've ever met a real astronomer or read his work, you would know that astronomers almost never use regular units.
First off they prefer CGS(centimeters, grams, seconds) to SI. Then they throw in units like Astronomical Units, Parsecs, and other natural units, because 1 AU is easier to work with than 1.49 * 10^13 cm.
You have no idea how many times I have approximated the Speed of Light as 1 at the direction of my professor.
Today is a red-letter day!
No matter how incidentally or inaccurately, I was favorably compared to Niels Bohr.
To clarify, did you expect to fail the class before finding the bug, or do you still expect to fail the class? If it's the latter, why?
What time is it/will be over there? Check with my iPhone app!
better yet, fork your own buggy OpenBSD distro. "Only 52 security holes in the default install in the last 7 days!"
easy to fake downloads and forum users and even a couple local user groups....not unlike eBay scammers inflating feedback ratings
I was addressing the specific phenomenon (mentioned in a post above mine) of professors cancelling way too many courses. If the student chooses not to learn, of course it's not the professor's fault. If the prof doesn't show up, it is.
Now, I have had totally incompetent professors that I had to work extra to make up for _their_ lack of knowledge... this might also count against services rendered.
"Faith: Belief without evidence in what is told by one who speaks without knowledge, of things without parallel." - A.B.
I actually had the pleasure of sitting in on this class. To be fair, the teacher is good at what he does, on top of which he made sure the class knew what would happen if they did not meet their goals. However cruel or unwarranted it would be to fail most of the class, it was not a surprise to those taking it.
This course is stupid.
First of all, all the bugs seem to be lame buffer overflow type things. Nothing special or subtle.
With programs ranging from vb2c to CUPS, I maintain that someone could have just written a program. vb2c is just some 100 or so line shit that someone wrote 5 fucking years ago and hasn't maintained.
I don't support the idea of failing a class just to prop up your own ego (which I think is precisely behind this), this type of assignment probably could have easily been completed with wget off sf and freshmeat; grep for sprintf, (line|buf)[80], [32], strcat, and some other tell tale indicators of buffer problems; beer and time.
The irony is that for me my biggest gripe would be that this is busywork, which means I lack respect for the prof. If djb was worth the shit he craps, he would have graded based on subtlety. If a student found a single, real tough to find exploit he should get an A. I don't think repeating the search of the same strcat/sprintf type bugs 10 times over in the set of software written by every different skill level of programmer is a very worthwhile effort.
If djb cared about the students, I am sure that they would have learned something interesting if he had actually taught some of the more advanced methods of security flaw detection and then provided a more open-ended assignment. djb is just an ass.
I've got news for you, djbdns and qmail are decent, but they are really not solving tough problems. djb is just a bitter prof who wants to compete with the real minds in the field of cryptography and other hard science areas, but can't swing it. Cutting down others in a classroom and public forum while writing clean, but extremely simplistic programs (and I'm not knocking that, but there are tougher problems than DNS) seems to be how he gets his jollies. Oh, well, I'm not gonna stop using something just because the author is an asshole.
In DOS it worked...
No- I don't think djb cares per say
Not to be an asshole, but it's per se
grammar-lesson free since 1999. (rescinded - 2005)
Definitely not a class I'd want to take. This professor just sounds sadistic. Maybe he hates all students?
Or maybe he really works as a programmer whose job it is to look for bugs in UNIX based apps and gets paid by the bug, and he's failing everyone because now he can't get a big christmas bonus.
...makes me want to download every piece of code I can from DJB's site, find a hole, write an exploit, and post the most arrogant, obnoxious message I can to BUGTRAQ.
Your example #4 is within the realms of possibility, but frankly - I think it's quite a stretch.
I've had a few classes that one might say fit this criteria (entire class was lazy/goofing off), yet I'd argue that the teacher was still partially at fault.
A good teacher should be able to handle this type of situation, just as a good salesperson should be able to handle difficult customers.
The fact remains, the class consists of a group of "customers" who paid to sit in the class for the purpose of learning. Even "lazy" people can be motivated to do surprising things if you present things the right way. I'm not saying a teacher can become a miracle worker, but if he/she isn't able to modify his/her presentations/teaching enough to get at least *one or two* students interested enough to pass the tests, then I have to wonder....
Again, recall that we're not talking about giving out A's or even B's... We're talking about giving out a C or even a D to a few people, instead of a class full of F's.
3. 60% of your grade: discover 10 new security holes in deployed UNIX software.
;)
If I was there, I'd have immediately walked straight to my dean's office and dropped the class.
Then I'd have put in a request to audit the class informally
Hmmm... I wonder which causes are more likely?
After you've flunked for only finding 2 of your 10 security holes, take it up with the administration. Explain to them that you discovered your professor tricked you and there aren't 8 additional security holes. When the professor says there are, simply say, "Yeah? Let's see them."
At least if you flunk, you get to watch the monkey dig through code for the next six months to avoid losing his job.
I bet the math professors don't pull that crap with the next ten prime numbers.
If he does apply that 60%, demand that he demonstrate knowledge of satisfactory undiscovered exploits to be found! :)
Medical schools need to adopt this approach.
Step 1) Have one mandatory course be graded almost entirely on the criteria that the student find a cure for cancer.
Step 2) ???
Step 3) Profit!
So what if a few students suffer? Collateral damage!
http://it.slashdot.org/comments.pl?sid=132921&threshold=1&commentsort=0&tid=172&mode=thread&pid=11098203#11099779
No, I think what you meant to say was, the quickest way to fail would be to try to find a hole in a djb tool.
It doesn't seem like many people are addressing the larger issue. What the class is doing is a public service, along with a lesson. This is one of the things that make OS better than CS. If universities spent more time finding and fixing public OS projects, rather than doing pointless "redo wheel" programs, think how much this could help small and mid-sized projects.
If part of the class includes joining mailing lists, talking with other developers, and resolving bugs, they gain valuable real world people skills. IMHO..
in related news... DJB lays deathtrap, leaves manholes open
I call bullshit.
The best part of that story:
...all of the methods attributed to Bohr are more accurate than the method the professor considered to be the 'right' solution.
(delta P on the barometer will be so small that error in reading the difference will dominate the result)
If the superintendent is around, you can simply ask him the height of the building -- and if he won't tell you, threaten him with the barometer.
"It's the hardest CS course at the University (and this is my first semester in college), so it's expected."
How the hell do you get into a 400 level class without meeting the course pre-reqs? In my University, each class has some dependencies that build up to quite the tree if you want to take a 400 level class. I'm planning on taking CMPT 432 next year, but to get there I've had to do CMPT 111, 115, 214, 215, 250, 332 + MATH 110. Because of the time required for these classes, it's been a few years to get to this point. So how'd you jump into a 400 level class in your first year?
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
cd /usr/ports
make extract
grep -ER 'strcat|[^f]gets|strcpy|sprintf' *
# start auditing
(based on the observation that most of the overflows were based on strc{at,cpy}. It is incredibly embarrassing that these calls are still used at all.)
Write 10 new buggy pieces of UNIX software. That'd be the creative way to solve the assignment. Who is realistically going to find 10 UNIX security flaws within a given time frame anyways, and what professor is going to fail a majority of the class? Clearly the problem, while ambitious, is way too difficult in the given time frame. Take it to someone higher up. I think they'd agree.
According to how I interpret that page, plus how I interpret his interpretation of 17 USC 117, DJB is no more an asshole than Trolltech. In practice, DJB's software license is rather similar to the Q Public License, which permits distribution of modified versions only as patches to the original source code.
Oh for pete's sake... the link to the course includes the course slides. While college was a while ago for me... I recall that the grading and expectations of the prof are clearly stated early in the course so that everyone knows the rules.
If you look at the first slide deck published:
http://cr.yp.to/2004-494/0823.pdf
You can see very clearly on page 7 that grading is very straight forward.
Simply put, you have 60% of your grade that is not related to formal tests.
Surely a 400 level course has adults capable of making an adult choice to drop the course if they cannot live with the grading terms outlined early in the course?
Last day to drop courses:
October 1, Friday
source: http://www.uic.edu/ucat/catalog/CA.html
That's six (6) weeks to realize that "Hey, this might not be an easy way to boost the ole GPA".
What am I missing?
http://fudge.org
I always had a picture of DJB in my mind and he looked kinda like a cross between David Byrne (sp? Talking Heads dude) and the guy who played the T-1000 in Terminator 2. Maybe in his early 40s. I didn't realize he was young.
If you do a google image search for "Daniel J. Bernstein" you get some weird pictures.. but not this one.
He actually looks *normal* and only slightly frightening!
It doesn't use any code from VMS, but was a chance for the developers to start over and build a next generation operating system.
Too bad that the folks there learned nothing and repeated the same old mistakes.
In the past, people bought VAXen, originally built for VMS, and installed UNIX because VMS sucked so badly. And history is repeating itself with NT and Linux. It's just that with Microsoft's warchest, it will take the VMS engineers a little longer to drive Microsoft into the ground than it took them to drive DEC into the ground.
Or you could have done what was required of you when you agreed to take the class, instead of attempting to strong-arm yourself into a grade you didn't earn.
That has to be the ultimate sin for any professor. The guy should be fired. Then tarred and feathered. Or something.
Yes, some classes are geared towards truly motivating and interesting students towards material in the field. Other classes, however, are designed simply to weed students out, to separate the wheat from the chaff. Usually the latter type of course has to be passed before you can continue to the former.
am i the only person here who got the impression that this was a cleverly disguised (or not) "ask slashdot" on the part of the students of this class to the effect of "what can we do to not fail this class?"
If I don't put anything here, will anyone recognize me anymore?
I had one programming assignment where we were supposed to write a data manipulation function that took a whole bunch of parameters and do a particular operation. The thing is, it didn't say we had to store the results of the operation or return them. So I just did the op and tossed the results, and put in a comment explaining my reasoning.
Turns out I got the points for it. But the prof turned around and took off an equivalent number of points from another question because I didn't explicitly answer some parts. I can't really blame him.
It serves them right. They should fail for trying to find security holes in *nix-based software! :-)
What those who want activist courts fear is rule by the people.
United States? In the United States, the majority of undergraduate students are forbidden to purchase or consume alcoholic beverages. Are you sure it's actually wine tasting and not grape juice tasting?
Asked the old question "If you have 3 apples and you take one away, how many apples do you have?" there are possibly 4 answers to this:
1) 1 (possessive) You 'have' the one you took away.
2) 2 (mathematical subtraction) which is the 'expected' answer, one was subtracted from 3 leaving 2
3) 3 (existential) there are still 3 apples, 2 that I originally 'had' and the other which I now 'have' somewhere else.
4) 4 (additional) No constraint was given that the new apple belonged to the original set of 3.
if they worked together, then they could have shared their exploits with each other and ALL gotten 10.
If they all had to be unique, I'd cry foul. In order to achieve the maximum on the test for everybody would require 250 new exploits.
The Kruger Dunning explains most post on
of assholeness.
It's a clear water like substance that you apply with a bat.
assume base zero.
less see I got a zero...and then 1 more zero.
it's like an astronomy teacher requiring you to discover 10 new astronomical bodies.
the next step in those kids' careers depends on their grades, not how well they take a fucking Kobayashi Maru test.
No, the class should not be easy, but it should be doable, and the instructor should know the answer for a test they give.
If he can not give a list of 250 bugs right after the test is given, then it should be an invalid test, and all those kids should be scored as if they got them all.
I took all the hardest courses available, I learned a lot, but only had a B average, so I was passed over for people who skated with the easy courses and got A's.
Thats the real world.
the only difference being he home schooled!
There were 44 bugs total. There were 25 people in the class. I'd go so far as to say with a fair amount of certainty that no more than 4 people found the required 10 bugs.
I've watched a calculus prof reduce many female students to tears...and I'm thinking, what is it dude, a sexual thing?
Hey, you talkin' about "Special K" from the S&M building? He made a grown man cry on the first day of Calc 1. Almost made me want to transfer back OUT of the school... Mellowed out by my senior year.
This is what is wrong with Protestant dominated countries: you are your job.
So what if someone mows lawns as a landscaper. A job is something most people do to make a living. When it becomes your life there is something wrong. Do not identify yourself with your exploitation.
...all of the methods attributed to Bohr are more accurate than the method the professor considered to be the 'right' solution.
I'd expect the error on making a measurement of gravity by the period of a pendulum swing and comparing the change over altitude to be _much_ less accurate, myself.
Or at least that's how I heard the story, from a person that claimed to have been in the class afterwards..
When an anecdote is a little too perfect (and this one is way over the top), then you need to google for it at site:snopes.com. http://www.snopes.com/college/exam/barometer.asp
(Reality reasserts itself sooner or later.)
My middle example should be a call to strcpy, not strncpy.
:)
Classic cut'n'paste error.
Now THAT's a very real development problem.
Do daemons dream of electric sleep()?
BSD Socket API for Windows means presenting the programmer with the socket API from Unix. Specifying the API says nothing about the implementation. Windows has its own native socket API, and also supports the BSD API.
That does not say that there is BSD code in this DLL.
He told you to find 10 vulnerabilities. Then find them. They don't have to be all true buffer overrun errors. How about finding a security vulnerability in a "wrong setup" environment. Avoid best practice and run php under root. and so on. Bet you can list your 8 missing vuln's in an hour.
How about "file system becomes damaged if power is unplugged" (DOS attack when running without UPS).
Frankly, I'd prefer if the practice of using null-terminated arrays of unknown length as string storage went away entirely and people used bounds-checked string types. If you must use C, use a proper string-handling library, for fsck's sake!
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
I posted this in reply to another comment, but I don't think it's getting the attention it deserves there, so I'm going to post it here in the hope more people see it.
How come details of these exploits have been released to the public (and heavily publicised on slashdot, no less) the day after notifications of the problems were sent to package maintainers?
This is, I think, a serious breach of correct security flaw reporting protocol. While many of these bugs are unlikely to affect many users (most of them only show up if you process files from untrusted sources through applications that you would not normally do so with), some of them are exploitable in situations that occur commonly (e.g. this one) and publicising the existence of the problems so quickly after the maintainers became aware of them merely serves to put the users of these software packages at greater risk.
So why was it handled this way?
Actually more seriously I think the class has generated some interesting information. Almost no hole found was in commonly vendor shipped code (cups being a clear notable example).
Find some previously undiscovered holes and exploit them.
A variation on this yarn is a question on an exam for admission to officer's candidate school in the U.S. Army: Given a barometer, a length of rope and a stopwatch, how would you measure the height of a building?
Supposedly an acceptable answer is: I would give the three items to an enlisted man and say, "Soldier, take these things and find out the height of that building."
The "I don't care if it breaks with everything under the sun, my code is correct" attitude. DJB deserves credit for writing very secure stuff, but his stubbornness in refusing to deal with an imperfect world is frustrating beyond belief.
This is a fairly common trait in geeks... I'm guilty of being pretty stubborn with certain social conventions like gift buying: I find no meaning in basically 'mandatory' gifts such as christmas and birthday gifts. I'm not against gifts, if I find something that I think is perfect for someone, I'll get it for them regardless what time of year it is.
I don't like the stress of having to shop for something a person won't outright hate because they'll get pissed if I don't get it. If I ruled the world, there wouldn't be these conventions. However, since I don't rule the world, I have to buy people stupid gifts if I want them to not think I'm a complete asshole.
DJB is the guy who never buys anyone gifts because he doesn't see the logic of it and doesn't respect other people's feelings on the issue.
I think this is a very positive use of the many eyes proposition. And this helps *NIX software by having many eyes scanning code. These holes are real, though in real world terms probably not easily exploitable with common usage, but fixed now it prevents an extension of these applications in the future suffering from these weaknesses.
I don't understand why this is a bad thing. It is the community watching itself and in this case it is the *NIX community watching itself.
I say we need more courses like this.
I was thinking of the immortal words of Socrates, who said: "I drank what?" - Chris Knight (Val Kilmer)- Real Genius
100% in agreement with parent. If education is expensive, maybe it could be subsidized by trade schools? What I mean is that if you want *training* you pay for it, it is indeed an investment. But if you want *education*, you can access it for free, because it doesn't really teach you a job, it "merely" expands your horizons and teaches you how to think and learn.
"In our tactical decisions, we are operating contrary to our strategic interest."
This was a 400-level class at a major University. Gimme a break, pal.
as someone who's had to follow the djbdns mailing list for awhile, let me say the following:
Unlike almost any other project, the LAST thing you want is an answer from the author. Maybe you'll get an answer, but more likely you'll be told what a cretin you are, how what you want to do doesn't follow his take on the RFCs, how the RFCs suck and were written by idiots, which can be further extrapolated (almost) as the rest of the world are cretins too. Let's not forget his broken use of errno, just because he's too stubborn to accept that the library was fixed.
I'm not saying he may have his reasons for hating dog+world, but he's a good case for locking somebody up in the ivory tower and just slipping food under the door.
Obviously you know nothing about Turbo C under DOS as a programming environment, nor how constants are stored in memory under that combination. So go back to your little WIMPE Linux or Windows or MacOS environment.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
The problem with that way of thinking is that you miss out on the things you perhaps don't know, or don't know in depth. By going through a good CS program, even if you feel like you should just "skip to the end," you get a better breadth of knowledge in a subject. Plus, you learn all the things that aren't computer related -- interaction with professors, time management, the ability to perform independent research and learning, being able to properly solicit requirements from a customer, etc.
For myself, I just play games in the lecture halls (if it's a particularly boring one), but I've never taken a class where I didn't learn things which I had only previously heard of, and then gone on to implement them in some way.
I think far fewer of you would've failed if you had actually taken lower level classes. I find that the only people who say they don't need to take school are those who haven't taken classes.
It's really sad when out of 25 students, 400 level students, students who are supposed to be able to be creative and apply proper problem solving techniques, not one of them saw how to pass this part of the class in likely no more than 1 weekend's worth of time. It's simply a matter of problem solving.
How? Simple.
Step 1) obtain/find/beg/borrow/install oneself a unix or unix like computer to use (Linux/Freebsd, whatever).
Step 2) if your chosen unix/unix variant does not include egrep, find, and xargs, then install an egrep, a find, and an xargs.
Step 3) familiarize oneself with find and xargs for running a command (egrep) over a whole set of files, including over files in subdirectories. Also, read up on the manpage of egrep to notice the alternates regex character "|"
Step 4) start downloading unix software source from sourceforge. Any package will do, just pick one, and download it.
Step 5) use egrep along with find/xargs to search the source for any of the "redflags" of buffer overflows. I.e., search for any of the unbounded string copy/move/change/etc. libc functions that can cause buffer overflows if misused.
Step 6) if egrep finds a use of an unbounded string function, then closely check the surrounding source of the offending program to determine if it's an exploitable overflow (90-95% of the time, it will be an exploitable overflow). Bingo, one security bug found. If egrep finds plural uses of these functions, then you will likely have found plural bugs in one package.
Step 7) after exhausting all bugs in the current package, repeat steps 4, 5, and 6, except acquire a different package from sourceforge.
Finding 10 mis-uses of the unbounded libc string functions, given the huge number of packages in sourceforge, even if you wanted to find 10 mis-uses in 10 different packages, should be a piece of cake. And shouldn't take 300 hours of effort.
And, yet, not one of the 25 students understood problem solving sufficiently to pass the class. Given that, none of them deserve to pass, because they are not ready to be let loose on real world problems.
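An added example, not from the thread, the course, or any of the packages named in it, of what the grep for strcpy/strcat/sprintf in the recipe above actually points at, and of what the bounded form of each call looks like when you get to the "closely check the surrounding source" step. The `struct record` with its `name[80]` is constructed for illustration (the "buf[80]" pattern the earlier poster greps for); the long input is built inline. It also shows why the reflexive "change it to strncpy" patch is not a fix: strncpy leaves the buffer unterminated when the source fills it.

```c
/* Added example: the unbounded-libc overflow pattern beside its bounded form.
 * Not code from the page or from any project discussed there. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_SZ 80                /* the classic "buf[80]" the grep finds */

struct record {                   /* constructed for the example */
    char name[NAME_SZ];
    int  width;                   /* sits right after name: first thing clobbered */
};

/* Vulnerable: what `grep strcpy` lands on. strcpy() stops only at the NUL in
 * src, so a name of 80 or more bytes runs past rec->name. Kept for comparison
 * only; never call it on untrusted input. */
void set_name_vuln(struct record *rec, const char *src)
{
    strcpy(rec->name, src);
}

/* Bounded copy that rejects oversize input rather than silently truncating.
 * strnlen() never looks past dstsz bytes, so a src with no NUL cannot cause
 * an over-read either. Returns 0 on success, -1 if it would not fit. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strnlen(src, dstsz);
    if (n >= dstsz)
        return -1;                /* no room for the bytes plus terminator */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Same check for the strcat() pattern: append only if the result still fits.
 * Also refuses if dst itself is not terminated within dstsz. */
int cat_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t used = strnlen(dst, dstsz);
    if (used >= dstsz)
        return -1;
    return copy_bounded(dst + used, dstsz - used, src);
}

/* And for sprintf(): snprintf() returns the length the full output would have
 * had, so a return value >= dstsz means truncation. Returns 0 or -1. */
int format_bounded(char *dst, size_t dstsz, const char *base, const char *ext)
{
    int n = snprintf(dst, dstsz, "%s.%s", base, ext);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;
    return 0;
}

/* Why "s/strcpy/strncpy/" is not the fix: when src fills the buffer strncpy
 * writes no terminator at all, and the next strlen/printf reads past it.
 * Returns 1 if dst ends up NUL-terminated, 0 otherwise. */
int strncpy_terminates(const char *src)
{
    char dst[NAME_SZ];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Wrappers over a local NAME_SZ buffer; each returns 1 if the call accepted
 * the input and 0 if the bounded form refused it. */
int name_copy_ok(const char *src)
{
    char buf[NAME_SZ];
    return copy_bounded(buf, sizeof buf, src) == 0;
}

int name_append_ok(const char *base, const char *extra)
{
    char buf[NAME_SZ];
    if (copy_bounded(buf, sizeof buf, base) != 0)
        return 0;
    return cat_bounded(buf, sizeof buf, extra) == 0;
}

int name_format_ok(const char *base, const char *ext)
{
    char buf[NAME_SZ];
    return format_bounded(buf, sizeof buf, base, ext) == 0;
}

/* Constructed oversize input: 120 'A's, well past the 80-byte field. */
const char *long_name(void)
{
    static char s[121];
    memset(s, 'A', 120);
    s[120] = '\0';
    return s;
}

int main(void)
{
    printf("copy long:   %s\n", name_copy_ok(long_name()) ? "accepted" : "refused");
    printf("strncpy NUL: %s\n", strncpy_terminates(long_name()) ? "yes" : "no");
    return 0;
}
```

Rejecting rather than truncating is the deliberate choice here: a silently shortened filename or header field is its own class of bug, and the caller can always decide to truncate explicitly once it knows the input did not fit.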
What is the orbital period of Saturn? (Do not put one Saturn-Year)
Your prof was pretty stupid.
Why didn't he just say "What is the orbital period of Saturn in Earth-years?" (or other well-defined time interval.)
Telling your students what *not* to put as an answer just smacks of poor communication skills.
When I was going to school there wasn't any such thing as Windows, or even Linux yet.
After 300 hours of work and an A average on the exams, I expect to fail the course.
If you *really* wanted to do something spectacular, get on an open source site, introduce code that can be exploited, then use the exploit to take over a machine running your version of code.
C-.
Get your 'sploit picked up in the GA version of that software.
B+.
Report to the professor that a site that carries his favorite flavor of pr0n has installed that software.
A-.
While perusing that site's drives, discover in the billing records that George Bush likes squirrel bondage too.
A+.
*** *** You're just jealous 'cause the voices talk to me... ***
It was a basic SS/Astronomy class that was available as a general elective; it wasn't (as far as I know) a "gateway class" to higher learning.
--RJ
Proof of concept: On an x86 computer running Linux with gcc 2.95.4, type rm -fr * .*
with the catastrophic result that all files are removed from the current directory.
Here's the bug: in /bin there is a dangerous program rm that has permission to remove files from directories without warning.
The earliest account of the "barometer" legend we've found so far comes from a 1958 Reader's Digest collection, and the tale is usually identified as being the invention of Dr. Alexander Calandra, who included a first-person account of it in a 1961 textbook (The Teaching of Elementary Science of Mathematics) and published it as an article in Saturday Review in 1968. The various responses mentioned in the legend have also been included in lists of supposedly "real" answers given by physics students when confronted by this same question. (One such list was submitted to the periodical Current Science by Dr. Calandra himself.) Whether a real incident was the basis for Dr. Calandra's creation of this parable is unknown.
Apparently DJB just achieved 11% (44 out of 400) of his goals. I think he should fail his course.....
A professor at any decent university does *not* want his whole class (or even a large portion) to fail. It reflects poorly on him as a teacher, and on the class he is teaching as subject matter for the level of students it is registered for. The professor has zero incentive to try to make you fail, he has every incentive to try and make you succeed.
A professor, teaching a new course, and faced with a disproportionately large number of failures, will without doubt adjust the marks at the end of the term by grading on a curve - otherwise he would be at risk of having his class cancelled by the dean.
Yes, that *is* stupidity, which must not be premiated.
But the simple problem is that those people should not have been admitted to a college... How did they pass the admission exams / high school and so on?
The problem is there - previous school taught them to plagiarize, apparently. And the proper solution stands in previous school.
This applies to any situation where the class does not fulfill the prerequisites - and goes together with them selecting the wrong course (a too hard one).
So as it turns out, DJB actually had some sympathy for us, and decided to base our grades on how much we actually learned from the course. C|net writes that "At the end of the course, [DJB] decided to throw that scale away and think about how much the students had learned." This was also reflected in our final grades for the course. Whew.
Sounds silly to me. I know you can get transfer credits and waivers for certain things, but you can't just write a final and pass a class. Not at the university level, not here.
I sure hope the class you skipped wasn't English, because, " I would of had to take" makes absolutely no sense. Yes, it sounds similar to the contraction of "would have," but syntactically means something completely different. It's this kind of attention to detail that separates programmer grunts from truly excellent computer scientists.
If you just want to program, there are plenty of technical colleges to teach you how to make a DLL file. University is there to teach you why you should make a DLL file. This is something you just can't skip by writing a final.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
The entire class should petition Dan for an "incomplete". It is possible that he would listen to a reasoned argument that includes the fact that this is the first time the course was offered, and that it is difficult to gauge the difficulty of such projects without having a history of past performance by students. If the request is made politely and logically, and does not ask for too long a period to finish the work (an additional semester would be reasonable, IMHO), he may just grant your request, allowing those students who are serious enough about the subject to continue the project time to earn their grades.
I don't know Dan, so I can't know what his response would be. And asking can't make the situation any worse.
Read, L