Slashdot Mirror


DJB Announces 44 Security Holes In *nix Software

generationxyu writes "D. J. Bernstein, better known as DJB, has announced the discovery of 44 security holes that were found by students in his course MCS 494: Unix Security Holes this fall at the University of Illinois at Chicago. Vulnerable programs of note include: CUPS, NASM, mpg123, MPlayer, xine-lib, and numerous others. Copies of the notification emails are here. The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software. In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course."

10 of 983 comments

  1. Re:It's just an assignment - Did you even go to un by grazzy · · Score: 4, Informative

    If you read the slides from the first lecture, it says the findings of holes amounts to 60% of your grade.

  2. Clearing up ALL "it's just an assignment" posts: by generationxyu · · Score: 4, Informative

    60%. This assignment is worth 60% of the FINAL SEMESTER GRADE. I suppose I should have put that in the summary.

    --
    I mod down pyramid schemes in sigs.
  3. Re:Misleading Title by Crazy+Eight · · Score: 4, Informative

    NT has roots in VMS. The BSD advertising clause you're seeing comes from one piece of BSD software (I can't recall which) Microsoft incorporated.

  4. Re:Misleading Title by SquadBoy · · Score: 5, Informative

    RTFA in all the emails he gives full credit to the students.

    James Longstreet and Tom Indelli, two students in my Fall 2004 UNIX
    Security Holes course, have discovered a remotely exploitable security
    hole in bsb2ppm, a program to convert BSB image files to PPM image
    files. I'm publishing this notice, but all the discovery credits should
    be assigned to Longstreet and Indelli.

    --

    Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
  5. Re:Modern education sunken to a new low by jrockway · · Score: 4, Informative

    Were you in the class?

    The exams and the homework were completely different. DJB should post the exams; there are lots of theoretical holes that we had to find for exams. It was very comprehensive, educational, and practical. It was a great course. (I too failed it, but grades and learning are not necessarily related. For the record I only missed points on exams because my exploit code wasn't C99-compliant :)

    --
    My other car is first.
  6. Re:Misleading Title by SnowZero · · Score: 4, Informative

    NT was originally developed by many of the core VMS developers after they left DEC, thus its VMS-like flavor. It doesn't use any code from VMS, but was a chance for the developers to start over and build a next generation operating system. They also tried to work with IBM in doing so (whee culture clash). My only gripe is that they took that clean, portable system, and put the Win32 API on top of it.

    Wikipedia has a nice entry that is consistent with everything I learned there as an intern a while back. After I left there were many rumors that NT took BSD's better performing TCP stack, but unless someone who knows ever tells the story, it's still just a rumor. What is true though is that they use some ancient utilities ported from BSD, such as the command-line ftp.

  7. Re:Good idea? by jrockway · · Score: 4, Informative

    We all already failed the course :-)

    We're not blaming DJB for our failure. He told us we would fail if we didn't find 10 unique holes. We didn't find 10 holes, so we failed. It's not hard to understand. DJB is not the guy that goes back on his word. He tells you what he means and sticks with it. That's something to respect. (Same with all the DJB-isms. Nothing wrong with saying what you mean and being confident in those statements.)

    We're upset about failing, but that's life. It's the hardest CS course at the University (and this is my first semester in college), so it's expected. I know more about C, computer internals, and security than most professionals now, so I'm not too sad :)

    --
    My other car is first.
  8. Re:It's just an assignment - Did you even go to un by dcollins · · Score: 4, Informative
    The requirements are to exploit 10 holes in unix software...

    Not quite. From the first slide here's the credit specification (emphasis mine):

    What you have to do
    Exams are 40% of your grade.
    Also three types of homework.
    1. Read assigned parts of textbook. Assignment due 2004.08.25: foreword and preface of textbook.
    2. Read assigned C program excerpts before we discuss them in class.
    3. 60% of your grade: discover 10 new security holes in deployed UNIX software.
    40 students = 400 new holes.
    Collaboration is encouraged.
    4 students who find 1 bug each receive 1/4 credit for it.


    Presumably a toy program you write on your own doesn't count as "deployed UNIX software".
    --
    We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
  9. Re:Sounds like Fermi at University of Chicago by tootlemonde · · Score: 4, Informative

    Enrico Fermi supposedly failed every single person who ever took his Quantum Mechanics course at the University of Chicago.

    This story is not likely.

    Fermi only gave the quantum mechanics course once in 1954 in the last year of his life. He was known as an outstanding teacher, always willing to help students. His notes for the course were published in a book titled Notes on Quantum Mechanics with additional material supplied by one of the students. None of the reviews I've found mention the story about all the students failing.

    One of his colleagues writes:

    Fermi's legendary classroom teaching was the fruit of careful preparation. He seemed to derive pleasure from the act of teaching, without regard for the result. He never showed annoyance at a student's failure to grasp on the first try (or even the second) what he was trying to explain. On the contrary, if Fermi had to repeat an explanation, his pleasure appeared to be doubled.
  10. Urban legend by bharlan · · Score: 5, Informative

    When an anecdote is a little too perfect (and this one is way over the top), then you need to google for it at site:snopes.com. http://www.snopes.com/college/exam/barometer.asp

    --
    (Reality reasserts itself sooner or later.)