Slashdot Mirror
DJB Announces 44 Security Holes In *nix Software
generationxyu writes "D. J. Bernstein, better known as DJB, has announced the discovery of 44 security holes that were found by students in his course MCS 494: Unix Security Holes this fall at the University of Illinois at Chicago. Vulnerable programs of note include: CUPS, NASM, mpg123, MPlayer, xine-lib, and numerous others. Copies of the notification emails are here. The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software. In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course."
The title of this article is quite confusing, if I read it correctly. To me, it reads that *nix variants themselves have 44 security holes (as in something in the underlying OS, such as the kernel). However, upon further reading the story indicates that it is actually the 3rd party software that has holes in it. Sounds a little unfair to *nix environments. Consider blaming Microsoft for all holes in ever Win32 program (oh wait, we already do!) How about a better title like "DJB Announces 44 Security Holes In *nix-based Software"
As much as I respect profs who are willing to push you to do neat things (finding 44 holes in UNIX and it's standard set of programs is nothing to sneeze at), if you really do fail the class I'd take this straight to the administration. They're letting you down by allowing a professor to fail an entire class, especially since the grades are based on something that doesn't really reflect your understanding of the subject.
I've always had a problem with this sort of behavior in college profs -- it gets away from what I consider to be the basic nature of higher education. As a student, I'm the consumer. I'm paying the professor to teach me what he/she knows and then to rate how well I've absorbed that information at the end of the class. Assignments such as this one or classes which are set up as "cut down classes" just aren't consistant with that.
It works the same way on the other end; I had a few professors in college who would cancel class on a fairly routine basis. Hey, I enjoy the odd day off as much as anyone else, but I'm paying a lot of money based on the assumption that I'm going to be getting something in return -- if I were to subscribe to a magazine and then only get 2/3rds of the issues, do you thing I'd be within my rights to object? Hell, the overly easy classes were bad enough; I actually had a few that graded based mostly on attendance. Yeah, getting the most for my tuition dollar there.
Anyhow, I know there are folks out there who are going to disagree with my view of a University education, and that's fine, but regardless I would really encourage you not to accept this lying down. I know as a student it often seems like you're powerless, but if 25 of you (and your parents -- I know you're an adult, but schools listen to parents) get together and make yourselves heard, you'll probably end up with a satisfactory outcome.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
All you need to do is find one more hole, this one in the campus records department, and exploit it for improving your grade. If you have an "A" average otherwise, another "A" will look right in place. It's the "D" average people suddenly getting "A"s and "B"s that draw suspicion.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
After 300 hours of work and an A average on the exams, I expect to fail the course.
but we've all learned a valuable lesson: don't take a class taught by DJB
to Kris Kubicki's mirror is here.
I mod down pyramid schemes in sigs.
Perhaps Microsoft should try this strategy. Im sure the kids would thoroughly enjoy that assignment! They'd have bugs coming out the wazoo! A's for everyone!
What no djb tools on the list? That seems the quickest way to fail, find an exploit in a djb tool.
-- botsex is {grep;touch;strip;unzip;head;mount}
Hey! I've found remote roots in OpenSSH, Apache, and Bind. If you run the file below, you can get root.
[ Part 2, Text/PLAIN (charset: unknown-8bit) 95 lines. ]
[ Unable to print this part. ]
Get your own free personal location tracker
I didn't look at all of them, but the ones I did check all seemed to be the usual culprits: str..() functions out of the standard, broken C library.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
I see the two specific items linked to are buffer overflow exploits. Anyone learning to program in C needs to have good buffer dicipline beaten into their heads.
It's like wiping your butt after crapping - mandatory basic hygine. If you can always remember to wipe your butt, you can always remembers to watch your buffer lengths.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
Why take for granted that the number of bugs to be found was expressed in base-10? Why not base-2?
Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course.
Define "failed." They failed to find holes? Or they failed the course?
I seriously doubt a prof would fail an A average student for not being able to find a hole for an assignment. Extra credit, maybe, but an F? I mean, WTF?
In Soviet Russia, articles before post read *you*!
Thesis: This professor is retarded.
... which would lead me to believe "a little bit of both".
Evidence to support this belief:
1) Giving homework to "go out and find some exploits" doesn't teach you anything and has a very unpredictable "path to completion"; i.e., it's not like there's a "problem" to solve, per se. It's simply a matter of some students having gotten lucky whereas others failed.
2) "After 300 hours of work and an A average on the exams, I expect to fail the course." Either the student is overly-pessimistic (which is possible), or the prof has done very little to: (a) boost morale, reassure students, or instil confidence; or, (b) grade students appropriately for the effort that they've put in. I think that the truth always lies somewhere between the extremes
3) "In a class of 25, 44 security holes seems a bit low." I highly doubt this, but then again, it entirely depends. If you're trying to find a security hole in "telnet" or "finger", I think you'd be outta luck -- the average joe undergrad would be better off picking random numbers to win the lottery than to find holes in software that has been tried, tested, and true for years.
Alternatively, if you just go to http://freshmeat.net and find some little backward project coded by a grade 9 high school student -- well, yeah, I think that an exploit should be pretty straightforward. Which leads me to ask: What the fuck does this assignment actually prove/teach? (See point (1), above.)
If you read the slides from the first lecture, it says the findings of holes amounts to 60% of your grade.
Its well known that every college grinds out the poor students in the first two years...if you've made it to fourth year, its time to ladle up some gravy and bolster your GPA in time for grad school applications, resume bolstering, etc.
So the real moral is that the most intelligent students are the ones avoiding the course altogether. If you want to get an education in unix security holes, go read the OpenBSD mail archives.
The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software.
10 for each student? I doubt DJB himself could find 10 on his own inside of a semester.
In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course.
I guess the whispers I've been hearing about DJB being a complete asshole are true. It is always nice to have your academic future dictated by such people to your disadvantage, even though you may be a cut above the teacher himself. And in the meantime he will take credit for your work while simultaneously failing you. Thank you, sir, for reminding me why I dropped out of college.
-R
He pretty much gave them free reign. ANY OSS at all!
Have you seen CPAN? Half of that code is something someone hacked up in a day! And what about all those sourceforge projects that have one developer and less than 10000 lines?
Meanwhile, almost every piece of code that this class is looking at is stuff that's already had a once over - heck, probably even been looked over thousands of times. No wonder they couldn't find any bugs. They were looking in the houses, not the motels.
Mod me down and I will become more powerful than you can possibly imagine!
If the majority of the class failed, then the professor failed YOU.
60%. This assignment is worth 60% of the FINAL SEMESTER GRADE. I suppose I should have put that in the summary.
I mod down pyramid schemes in sigs.
The problem is that many of the profs have no professional experience outside the academic realm. None. Amazing as it sounds, they go from graduate work to post-doc to the faculty lounge, all the while succesfully avoiding any opportunity to deal with people as equals...its always grovelling to someone or getting someone to grovel to you. Its no coincidence many sleep with their students, its often the only way they can get laid.
The dynamics of academic environments are truly absurd, I'm amazed more of them are not murdered.
I'd like to see you work your ass off for an entire semester, bury yourself in other people's C code for hundreds of programs, understand all the material, get As on the exams, and then fail because you weren't lucky enough -- and not be just a teeny bit pissed about it.
I mod down pyramid schemes in sigs.
Enrico Fermi supposedly failed every single person who ever took his Quantum Mechanics course at the University of Chicago. A special footnote had to be added to transcripts as a result.
The pity is that such a strategy allows for no differentiation between people who are working at their full capacity and goof-offs who sleep though class.
D.L. Parnas once taught a 300 level software engineering class at the University of Victoria.
Grading used the 'high tide' method. That is, better score in one area of the course (exam, project, assignments) could override a poor score in another area. All instructor's judgement.
One student I knew got a C+ and discovered that he had roughly the same scores in each area as another student who got an A. That is, guy I knew had a poor exam, but awesome project. Someone else had nearly identical exam scores, and nearly the same (A) project.
So guy-I-knew approached Parnas, and asked why.
"Becuase I don't like you".
And that was the end of it.
"Multiple vulnerabilities were discovered in MPlayer by iDEFENSE, and more were found by us while reviewing the code"
http://www.mplayerhq.hu/
"New xine-lib released. This version adress multiple security vulnerabilites on PNM and Real RTSP clients. All users are advised to upgrade to 1-rc8. The release also includes several bug fixes and new features"
http://xinehq.de/
The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software.
"There are only 10 types of people in the world: Those who understand binary, and those who don't"
The better approach is to create one or more large files of random data and feed that into the apps; this is better because it gives you a reproducible stream. (Or you can use a Perl script with a known srand() seed.)
The term "fuzz testing" comes from a seminal 1990 paper (and followups in 1995 and 2000) by Barton Miller et al., who, incidentally, found much higher quality in GNU tools than in their proprietary counterparts. Before my tendinitis got too bad, I used to run The Bulletproof Penguin a one-man project devoted to stamping out such bugs (my initial goal, easily achieved, was to eliminate all the bugs reported in the original paper). Ben Woodard was doing something very similar for a while, but I don't know whether he still does.
Incidentally, this makes a certain recent Slashdot story more embarrassing: it seems that free Web browsers crash on malformed input, the kind of case that free software normally handles better than its proprietary competition.
``Life results from the non-random survival of randomly varying replicators.'' -- Richard Dawkins
To me, a remote exploit is something that exploits a running server. Most of the examples seem to be trojan horse attacks, getting the user to run an application on a file which overflows a buffer in the application.
t
Example: http://www2.uic.edu/~kkubic1/securesoftware/26.tx
Jonathan Rockway, a student in my Fall 2004 UNIX Security Holes course,has discovered a remotely exploitable security hole in NASM. I'm publishing this notice, but all the discovery credits should be assigned to Rockway.
The only way I'd call this a remote exploit would be if someone has written an apache module that takes some assembly code and returns an executable. I dont think thats a very common setup.
Baz
If you read the slides from the first lecture, it says the findings of holes amounts to 60% of your grade.
Makes sense.
The requirements are to exploit 10 holes in unix software. Nowhere does it say that the unix software must come standard with any distros, and it doesn't say that you can't write it yourself.
Write a simple program with 10 holes in it, point them out, and boom you win.
We are talking about finding vulnerabilities and exploiting them aren't we? I'd get extra credit for finding and exploiting holes the class requirements.
I've reported 4 stack/pointer based crashes in Konqueror in the past couple of days and they just came to me without looking.
If I could have crafted an exploit for the crashes then that would be 4 holes.
All the students needed to do was look at the current/recent bugs list for a version of software.
Identify bugs that could possibly be exploited. (say maybe 100)
Run automated buffer/stack exploit
checking software against those bugs.
hope to get 10 criticals.
Khtml's probably a good choice for exploiting at the moment, as it's getting a lot of 'features and fixes' which probably caused the crashed I've reported.
thank God the internet isn't a human right.
1) Create sourceforge project page under assumed name.
2) Post forks of programs with extra bugs inserted.
3) Profit!
You see - there's a number 2 step, thanks to open source.
SCO employee? Check out the bounty
Why is that low? I found 44 security holes to be a rather alarming amount.
I don't. Your average security hole is exploitable under only very limited circumstances -- say, if a program is being run with privileges that the individual invoking it doesn't have.
Holes of that sort are extremely widespread (and part of the reason why marking programs that haven't been audited setuid is generally understood to be bad practice).
Step 1: Read example security exploits.
Step 2: Develop script to detect. (Simple stuff like evil C functions)
Step 3: Develop script to download packages from freshmeat and run previous script.
Step 4: Play videogames for a few hours.
Step 5: Write reports.
Step 6: Profit! (Good grade would be considered profit here)
Sure, viruses for Linux can be written. The problem's getting them to run, and then do anything useful.
Let's say I receive a virus attached to an email, which I open with kmail.
First of all, I've got to save it to disk, mark it as executable, and run it. This alone makes it quite improbable.
Second, the virus has actually to start up, and Linux binaries don't necessarily work on other systems, unless statically linked.
Assuming it's statically linked, Linux systems are rather less standard than Windows ones. How does it send mail? Well, kmail has a dcop interface, but I don't see a function for sending. The virus could compose it of course, but the user would need to click send on it.
Next, it can perhaps try using the server at localhost. If there's one, that is, since normal people probably aren't going to be running one. Reading the user's kmail config would probably work though, as long as the password is there.
So, overall I'd say, yeah, it's possible. But all the obstacles above make it a lot harder to do than on Windows, especially the first one. To make it run you probably would need to find a buffer overrun in a mail client, and that's increasingly uncommon these days.
Were you in the class?
:)
The exams and the homework were completely different. DJB should post the exams; there's lots of theoretical holes that we had to find for exams. It was very comprehensive, educational, and practical. It was a great course. (I too failed it, but grades and learning are not necessarily related. For the record I only missed points on exams because my exploit code wasn't C99-compliant
My other car is first.
student: I'm pretty sure this is right. I'd like to see your ten.
--Phillip
Can you say BIRTH TAX
That kind of stuff usually doesn't work. In an Astronomy class (toward an Astronomy major, not that gen-ed crap) the professor did not tell us we would have to remember constants, and he asked them as questions. They were short questions, and weren't worth a lot.
One of them was: What is the orbital period of Saturn? (2 pts/100)
I started thinking about Bode's law and the posibility I could calculate it from an approximate radius I would get from that law... if I could remember it. But when you expect a 72% to be an A on a test, you have bigger fish to fry.
Then I got it. It was right, it should work, and no one would have to be nailed to anything.
I wrote: One Saturn-Year
I didn't get credit for it. A couple years later a sophmore was telling me about this funny question he had in the same class. He showed it to me. It read:
What is the orbital period of Saturn? (Do not put one Saturn-Year)
I was so right that it had to be guarded against. Yet those were 2 points I would never have.
same analogy, but with 'exploit' instead of 'secure'
Required reading for internet skeptics
"So guy-I-knew approached Parnas, and asked why.
"Becuase I don't like you".
And that was the end of it."
I wonder why? Disliking someone is NOT a valid reason to assign low grades. Thinking their work is crap is a valid reason. That statement pretty much could have enabled the student to have his grade reevaluated by an outside observer. I would have complained to academic affairs. After all, if the professor already dislikes you, that bridge is already burned.
If the story is true, of course.
I think the point of contention is that people are saying that grades and learning *should* be related. Grades should reflect what you know --- they are utterly useless otherwise.
A deep unwavering belief is a sure sign you're missing something...
I'd fail these students too. Clearly they hadn't heard of DJB and his attitude to sign up for his course. With such a gaping hole in their knowledge, they deserve to get an F.
We all already failed the course :-)
:)
We're not blaming DJB for our failure. He told us we would fail if we didn't find 10 unique holes. We didn't find 10 holes, so we failed. It's not hard to understand. DJB is not the guy that goes back on his word. He tells you what he means and sticks with it. That's something to respect. (Same with all the DJB-isms. Nothing wrong with saying what you mean and being confident in those statements.)
We're upset about failing, but that's life. It's the hardest CS course at the University (and this is my first semester in college), so it's expected. I know more about C, computer internals, and security than most professionals now, so I'm not too sad
My other car is first.
Others are pretty implausible, for instance the jpegtoavi exploit, which requires the user to run the jpegtoavi program on a set of files provided by an attacker.
On my quick perusal, the nastiest holes seem to be the changepassword hole, a local root exploit, and the two holes in cups, particularly the first one, which straightforwardly gets the attacker access to user "lp" where they can monitor everything that gets printed.
One thing that is a bit surprising and disappointing is that so many of these bugs are from well-known bad coding practices. Why the hell is *anyone* still using strcat in distributed software, for instance?
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
This all happened in '86, so there's not much that can be done now. The problem was not in unfair marking, the two students got essentially the same grades. The problem was the raw scores->grade mapping. The student did protest, but Parnas had a specially funded chair position. Can't think of the correct wording for it. Basically, there was nothing the department could do. So I guess that wasn't exactly the end of it, but the grade stood. The student did drop out the next year, and last I heard (over 15 years ago) was doing well without a degree.
Rules were changed partially because of this incident (there were a number of students who complained, I just happened to know this one). The result was that profs had to come up with more subtle ways of weighting exams. One I knew used to ask a couple of essay type questions, and mark them last. If the class was doing poorly, he would grade those questions very generously.
And yes, there was for Parnas to not like the student. He was a pain in the ass. Regardless, one would think that two students with the same raw scores should get the same grade.
Not quite. From the first slide here's the credit specification (emphasis mine):
Presumably a toy program you write on your doesn't count as "deployed UNIX software".
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
No. You're wrong.
A video player, say, should be completely immune to bad input. It should not be possible to craft an input file that causes my vide player to delete files or anything like that.
There is a very limited class of data (scripts, executables) that need to be "dangerous". Viewing a jpeg, even a jpeg hand-crafted by Dr. Evil, should never have the ability to do anything bad [well, OK, seeing the goatse guy is abd, but you know what I mean].
Mine was modifying a string constant in Borland's Turbo C by setting a pointer variable to the begining of where the constant was stored and then changing the proper offset. When I got my test back, it said "-5, +5, I tried it it worked!". I was too much of a stupid kid to realize that you shouldn't write self modifying code in the global constants table.....
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
I teach adult education tech classes. If everyone fails my class, I have failed. (Failing due to lack of attendence being the exception)
If I cannot get a majority of my students to understand the topics enough to pass my grading criteria, then I have somehow failed to properly instruct them. As an employee of the school, the school has also failed them (I am an agent of the school).
What is the point of taking a class which has a failure rate higher than, say, 50%? Unless this is a live or die case, such as SEAL training, this is completely absurd.
As far as the students being smart enough to take the class... that is why most classes have prerequisites. If each of these students meets all prerequisites, and participates fully and honestly in the class, the failure rate should not be as high as this one appears (90%-ish).
Instructors MUST be held accountable for being successful teachers. If the student does not learn, despite real effort, then the fault lies with the person who had the knowledge, but failed to pass it on.
You also know more about IT management, unrealistic goals, undeserved punishment, and PHBs than most professionals now. I don't know whether to rejoice in your hardwon jumpstart on corporate wisdom or mourn the inevitable early onset of cynicism.
Welcome to the Panopticon. Used to be a prison, now it's your home.
2 You, apparently without ever looking at it, run that file through something like jpeg2avi or nasm
3 Gasp! You've been 0wned!
Which is precisely how many Win boxes get compromised.
Really? Then you do it. I'm sick and tired of people telling me that I didn't work hard enough or that I obviously don't understand C, or that "there's TOTALLY that many bugs out there." A day's work? Give me ten by a month from today, January 15, and I'll admit that I should have failed.
I know of 3 (possibly 4) people who are passing this course. One of them, Limin Wang, is DJB's grad student. She didn't take any other courses this semester, and had the entire time to work on this. One is a very knowledgable and hard working student, Ariel Berkman, and he deserves a better grade than he got.
The other two are Tom Palarz, the president of the ACM at UIC, and Kris Kubicki, a senior editor for AnandTech. They've slept about an hour a day the past few weeks, most of that in the CS computer labs.
I mod down pyramid schemes in sigs.
Of course you failed. Obviously, half of you were supposed to rapidly deploy buggy software via sourceforge while the other half "fixed" the problems. Or don't you know more about Dilbert than us professionals? :)
DJB's UIC Faculty Profile includes a photograph.
Always interesting to put a face with a name.
>1. Prof says 'I'll fail you if you don't perform a near-impossible test.'
>2. Student says 'OK.'
Nope.
Student weighs factors, realizes that if he takes the test, he'll probably fail the course. FAILING THE COURSE MEANS NO CREDIT HOURS, AND LOSS OF THAT TIME TO TAKE A DIFFERENT COURSE. Therefore, with regret, he takes his second choice for that slot.
Yes, Mr. Recruiter. I got an F in a course in my chosen major, but it was in an *impossible* course. Actually, between the presence of that F in the major field, and what it did to his GPA, he probably won't even get to see the recruiters he most wanted to see. He would have been weeded out before then.
The learning is great, sure. The impossible grade is serving absolutely nobody and nothing except DJB's ego.
The living have better things to do than to continue hating the dead.
When developing Palm OS applications, there's a similar feature called Gremlins. You load your program into the Palm OS Emulator (or Simulator) on your computer - this is how you do most of your testing anyway. Give it a random number seed, and activate Gremlins.
It randomly taps all over the screen, fast. It pays special attention to buttons, menus, etc., but also taps on blank spaces. It types random characters into text fields, or sometimes for no reason. Sometimes it'll write fragments of Shakespeare... If your application survives a few million events, you can say with a good degree of certainty that it's reliable. If it doesn't, you get all the Palm debugging tools.
All other classes are inferior and a waste of resources compared to DJB's class! Oh by the way, his class will only be held in the western area of the quad in a specially built room with circular windows for optimal lighting.
For each student to find two new security bugs in Qmail.
Sir Ernest Rutherford, President of the Royal Academy, and recipient of the Nobel Prize in Physics, related the following story.
Some time ago I received a call from a colleague. He was about to give a student a zero for his answer to a physics question, while the student claimed a perfect score. The instructor and the student agreed to an impartial arbiter, and I was selected.
I read the examination question: "Show how it is possible to determine the height of a tall building with the aid of a barometer." The student had answered: "Take the barometer to the top of the building, attach a long rope to it, lower it to the street, and then bring it up, measuring the length of the rope. The length of the rope is the height of the building."
The student really had a strong case for full credit since he had really answered the question completely and correctly! On the other hand, if full credit were given, it could well contribute to a high grade in his physics course and certify competence in physics, but the answer did not confirm this.
I suggested that the student have another try. I gave the student six minutes to answer the question with the warning that the answer should show some knowledge of physics. At the end of five minutes, he hadn't written anything. I asked if he wished to give up, but he said he had many answers to this problem; he was just thinking of the best one. I excused myself for interrupting him and asked him to please go on.
In the next minute, he dashed off his answer, which read: "Take the barometer to the top of the building and lean over the edge of the roof. Drop the barometer, timing its fall with a stopwatch. Then, using the formula x=0.5*a*t^2, calculate the height of the building." At this point, I asked my colleague if he would give up. He conceded, and gave the student almost full credit.
While leaving my colleague's office, I recalled that the student had said that he had other answers to the problem, so I asked him what they were.
"Well," said the student, "there are many ways of getting the height of a tall building with the aid of a barometer.
For example, you could take the barometer out on a sunny day and measure the height of the barometer, the length of its shadow, and the length of the shadow of the building, and by the use of simple proportion, determine the height of the building."
"Fine," I said, "and others?"
"Yes," said the student, "there is a very basic measurement method you will like. In this method, you take the barometer and begin to walk up the stairs. As you climb the stairs, you mark off the length of the barometer along the wall. You then count the number of marks, and this will give you the height of the building in barometer units." "A very direct method."
"Of course. If you want a more sophisticated method, you can tie the barometer to the end of a string, swing it as a pendulum, and determine the value of g [gravity] at the street level and at the top of the building. From the difference between the two values of g, the height of the building, in principle, can be calculated."
"On this same tack, you could take the barometer to the top of the building, attach a long rope to it, lower it to just above the street, and then swing it as a pendulum. You could then calculate the height of the building by the period of the precession".
"Finally," he concluded, "there are many other ways of solving the problem. Probably the best," he said, "is to take the barometer to the basement and knock on the superintendent's door. When the superintendent answers, you speak to him as follows: 'Mr. Superintendent, here is a fine barometer. If you will tell me the height of the building, I will give you this barometer."
At this point, I asked the student if he really did not know the conventional answer to this question. He admitted that he did, but said that he was fed up with high school and college instructors trying to teach him how to think.
The name of the studen
I wouldn't say that to DJB. He'd probably pull out 20 or 30.
I doubt it - sendmail doesn't count.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
Today is a red-letter day!
No matter how incidentally or innaccurately, I was favorably compaired to Neils Bohr.
No- I don't think djb cares per say
Not to be an asshole, but it's per se
grammar-lesson free since 1999. (rescinded - 2005)
at first i read that as: the inevitability of early onset cynicism... :)
If you'd been really clever, you'd have written some software -- preferably a whole suite of trivial related items, posted it somewhere, then "found" all the holes you put in them :-)
After you've flunked for only finding 2 of your 10 security holes, take it up with the administration. Explain to them that you discovered your professor tricked you and there aren't 8 additional security holes. When the professor says there are, simply say, "Yeah? Let's see them."
At least if you flunk, you get to watch the monkey dig through code for the next six months to avoid losing his job.
I bet the math professors don't pull that crap with the next ten prime numbers.
Have you ever actually worked with qmail?
Yes. It's not rubbish. Rediffmail is using it on their mail service and they have 25,000,000 users.
Operationally, however, there are HUGE holes in his code.
Your bullet points are numbered, but this one doesn't deserve a number, since it simply says that you have a non-zero number of bullet points.
#2 qmail accepts all mail first, THEN generates bounce messages internally.
Yes, it does. Why tell remote attackers which email addresses are valid and which are not? You're just inviting dictionary attacks. Qmail users never complain about dictionary attacks because they're never subjected to them.
#3 the qmail queue processes choke up on any amount of moderate to high load,
This is the silly qmail syndrome. You can either provision more servers or apply a patch.
#4 DJB arrogantly states that all servers should be running in GMT time because that makes more sense when trying to figure out logfiles. Hello?! ALL MY USERS ARE IN JAPAN. They don't care about the rest of the world.
And you call djb arrogant?
#5 The log files are barely readable. It is almost impossible to actually track what happened to a particular delivery.
Obviously you never discovered qmailanalog.
#6 Want spam/virus scanning? Forget it! You'll have to patch the code!
Well, this one is simply wrong. There are any number of qmail-queue replacements which don't require any patching.
#7 Want LDAP support? Forget it! You need to patch it!
Well, qmail-ldap certainly patches a whole hell of a lot of code, however, it also does boat-loads more than simply supply an ldap interface. Contrary to what you say, I managed to write an LDAP interface for a customer without having to patch qmail. LDAP, on the other hand, is generally a piece of crap, but that's another topic.
#8 Want to fix any problem operationally with qmail? FORGET IT! IT NEEDS TO BE PATCHED!
How else do you fix software? When you were a child did you walk to school uphill both ways?
Sorry, I have a lot of pent up hatred for DJB and qmail. Anyone who says he is a good developer needs to actually USE his software in a real environment, in the real world,
I have, and qmail works just fine for me and my customers.
Don't piss off The Angry Economist
The best part of that story:
...all of the methods attributed to Bohr are more accurate than the method the professor considered to be the 'right' solution.
(delta P on the barometer will be so small that error in reading the difference will dominate the result)
It is not outside the realm of possibility that, for instance, a web server would use various programs to automatically process uploaded images.
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
Oh for pete's sake... the link to the course includes the course slides. While college was a while ago for me... I recall that the grading and expectations of the prof are clearly stated early in the course so that everyone knows the rules.
If you look at the first slide deck published:
http://cr.yp.to/2004-494/0823.pdf
You can see very clearly on page 7 that grading is very straight forward.
Simply put, you have 60% of your grade that is not related to formal tests.
Surely a 400 level course has adults capable of making an adult choice to drop the course if they cannot live with the grading terms outlined early in the course?
Last day to drop courses:
October 1, Friday
source: http://www.uic.edu/ucat/catalog/CA.html
That's six (6) weeks to realize that "Hey, this might not be an easy way to boost the ole GPA".
What am I missing?
http://fudge.org
you given an undoiable assignment, thats the problem.
Welcome to astronomy 101, 60% of your grade will depend on finding 10 new planets in our solar system
"and security than most professionals now,"
I have my doubts.
The Kruger Dunning explains most post on
I would have told you the same thing three months ago, but frankly, there are plenty of safe uses of strcpy, strcat, sprintf, etc, all the functions everyone assumes mean "overflow me!" gets is a different story... there's no way to protect gets. But I've looked at enough code with enough strcpy's in it:
void suspicious_function(char* previously_mallocd_buffer) {
char buffer[MAX_LEN];
if (strlen(previously_mallocd_buffer) >= MAX_LEN) {
fprintf(stderr, "input too long\n");
exit(1);
}
strcpy(buffer,previously_mallocd_buffer);
}
Is there anything wrong with this? Other than the fact that they could have used a simple strncpy, no... it isn't unsafe, just pointless and time consuming. I think it's the fact that s[canf,scanf,printf,trcpy,trcat] are so ingrained in people's minds that that's what they have to use -- they just know it's unsafe so they jump through hoops to make it safe.
I mod down pyramid schemes in sigs.
...all of the methods attributed to Bohr are more accurate than the method the professor considered to be the 'right' solution.
I'd expect the error on making a measurement of gravity by the period of a pendulum swing and comparing the change over altitude to be _much_ less accurate, myself.
When an anecdote is a little too perfect (and this one is way over the top), then you need to google for it at site:snopes.com. http://www.snopes.com/college/exam/barometer.asp
(Reality reasserts itself sooner or later.)
Fantastic! So you've spent over a hundred dollars to learn something, and although you've succeeded, you've just destroyed your GPA uneccessarily.
... They have various grading methods that would better suit the level of difficulty such as the Bell curve (as other's have pointed out.) Why? Also as other's have pointed out, If the teacher was unable to successfully teach his students to perform up to his expectations he is infact the one who has failed, and this results in a penalty on you.
... You've already got your F. Besides, the best exploit is the human kind.
No offense but getting an F on an insanely hard course does not reflect any better than an F on an easier one. Failing your course is utterly unfair if you did infact walk away with a good solid understanding of what this "teacher" was actually teaching you. In your situation I'd have definately approached him
Then again, maybe your failure was to allow someone like "DJB" to control your grades. Still challenging his judgement is a good thing. If you feel you deserve a higher grade then fight for it. If not then
No, I am not an English major. My posts are subject to typos and incorrect grammar. Do not expect perfection.
Het told you to find 10 vulnarebilties. Then find them. They don't have to be all true buffer overrun errors. How about finding a security vulnarebelity in a "wrong setup" environment. Avoid best practice and run php under root. and so on. Bet you can list your 8 missing vuln's in an hour.
How about "file system becomes damaged if power is unplugged" (DOS atttack when running without UPS).
We're not blaming DJB for our failure.
Well, then perhaps you do deserve to fail. He's the one doing the grading, and he's the person responsible for giving you an assignment where success is based as much on luck as on technical prowess.
He tells you what he means and sticks with it. That's something to respect.
This is called begging the question. Why, exactly, is this something to respect?
"Hey, I'm going to kill you if you don't give me your money."
"Well, I don't have any money."
"Sorry, gotta kill you."
"That's cool. I totally respect that."
Perhaps if you didn't idolize him as much, you might realize the practical consequences of a failing grade for your GPA, and potential employment future. But at least you got to learn from a kick-ass prof, right? Or rather, an ass-kicking prof.
I think this is a very positive use of the many eyes proposition. And this helps *NIX software by having many eyes scanning code. These holes are real, though in real world terms probably not easily exploitable with common usage, but fixed now it prevents and extension of these applications in the future suffering from these weaknesses.
I don't understand why this is a bad thing. It is the community watching itself and in this case it is the *NIX community watching itself.
I say we need more courses like this.
I was thinking of the immortal words of Socrates, who said: "I drank what?" - Chris Knight (Val Kilmer)- Real Genius
We're not blaming DJB for our failure
I have to say, it sounds like a stupid requirement. I study social scinences, so an equvalent for me would like; "Come up with a ten point working plan for peace in the middle east"