In production/Lib.pm:
Aug 29, 2013 02:09
My employer is taking on a new client and one of the first tasks is to audit the existing codebase to find the things that need to be fixed now. It's a simple CMS-driven website, with some special stuff for members. In order to handle the 'remember me' checkbox on their login form, they store your integer ID to a cookie like 'Client_User_Cookie'. If you hit the login page with that cookie set to a valid user ID, the form will be pre-populated with username AND PASSWORD corresponding to that user. Passwords are transmitted in the clear (and hence stored that way too). The site doesn't use SSL, obviously. You could scrape all the usernames and passwords for this site using bash + curl + grep in about 15 minutes.
Aug 29, 2013 02:29
Ephphatha posted: In production/Lib.pm:
Perl lets you modify your import path (@INC) dynamically at run time, so the second form could have worked while the first one didn't. Unrelatedly, that second case should read:
Aug 29, 2013 08:40
Smugdog Millionaire posted: My employer is taking on a new client and one of the first tasks is to audit the existing codebase to find the things that need to be fixed now. It's a simple CMS-driven website, with some special stuff for members.
Wow.
Aug 29, 2013 12:23
Smugdog Millionaire posted: My employer is taking on a new client and one of the first tasks is to audit the existing codebase to find the things that need to be fixed now. It's a simple CMS-driven website, with some special stuff for members.
Oh my... that's awful. I've seen so many sites that don't hash passwords that I'm not even surprised about it anymore, but sending the passwords to anyone who asks is a whole new kind of idiocy.
Aug 29, 2013 14:22
Smugdog Millionaire posted: My employer is taking on a new client and one of the first tasks is to audit the existing codebase to find the things that need to be fixed now. It's a simple CMS-driven website, with some special stuff for members.
Oof, that's absolutely ridiculous. Since working for a small web company, I've learned the value of a password manager. As a bare minimum AT LEAST use SSL. Good find!
Aug 29, 2013 15:48
It seems like the "we are not a bank, security doesn't matter" is a pretty common excuse among the ignorant. That was exactly what my boss told me when I brought up security concerns. It's not like the majority of people (especially among the non-technically savvy) use the same password for all their accounts or anything. Folks, don't ever assume your information is in good hands because it rarely is!
Aug 29, 2013 18:36
Don Mega posted: It seems like the "we are not a bank, security doesn't matter" is a pretty common excuse among the ignorant.
I actually had a candidate say this during an interview in response to being asked how he would store answers to security questions. Needless to say, he didn't get the job.
Aug 29, 2013 19:02
Here's my security shame: I worked at a place for several years that had a combo ASP .NET and classic ASP site. The .NET stuff was new development, but the actual profitable part of the site was classic ASP. Since the classic ASP stuff was mature and worked, all of the logins for both sites went through the same classic ASP process. This made sense early on, when the new development was piggybacking on a lot of the existing infrastructure and database tables. Over time, they diverged and eventually became totally separate products, but implementing a proper membership provider was never a high priority on the product backlog.

Someone had attempted, at one point in the dim past, to put some sort of quarter-assed encryption in place (I think it just ROT13ed everything), but that's not even the real horror here. After they put their encryption in place and converted all of the existing passwords over, they ended up with a bug: new users still had unencrypted passwords. The solution? Make the login page try the "encrypted" version of the password first, and if that failed, try the plaintext one. Bug solved!

Now my shameful admission: I worked there for 3 years and we never got around to doing anything about that. As far as I know, to this day, that site still stores all of its passwords in plaintext.

I fought for a long time against putting a "reset password" link on the site. I tried to tell them that with a proper membership provider, that kind of functionality would be built-in, in the hopes that their desire for the feature would get the membership provider PBI finally put into a sprint. I also made the point that if we emailed people their passwords, it would be clear we weren't managing passwords properly, which is kind of a big deal when your service involves medical data.
Aug 29, 2013 19:29
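The "try the encrypted form, then fall back to plaintext" fix in the post above leaves every password recoverable forever. As an added example (not the poster's site or code), this is the migration pattern that replaces it: records carry a scheme tag, a legacy record is verified once in whatever form it is in, and on the first successful login it is rewritten as a PBKDF2 hash, so the legacy forms disappear as users log in and a count of stragglers tells you when to force resets. The user table is constructed for the example and the "rot13$" tag stands in for the post's "encrypted" era.

```python
import codecs
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor; raise to taste on production hardware
PBKDF2_TAG = "pbkdf2_sha256$"

# Constructed user table. Legacy rows are untagged plaintext or "rot13$"-tagged.
USERS = {
    "alice": "hunter2",                                    # untagged: plaintext era
    "bob": "rot13$" + codecs.encode("s3cret", "rot13"),    # the "encrypted" era
}


def make_pbkdf2(password: str) -> str:
    """Produce a salted, tagged record: scheme$iterations$salt$derived_key."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PBKDF2_TAG}{ITERATIONS}${salt.hex()}${dk.hex()}"


def is_legacy(record: str) -> bool:
    return not record.startswith(PBKDF2_TAG)


def _verify(record: str, candidate: str) -> bool:
    """Dispatch on the scheme tag; exactly one comparison per record, constant time."""
    if record.startswith(PBKDF2_TAG):
        _, iters, salt, dk = record.split("$", 3)
        got = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt), int(iters))
        return hmac.compare_digest(got, bytes.fromhex(dk))
    if record.startswith("rot13$"):
        expected = codecs.encode(candidate, "rot13").encode()
        return hmac.compare_digest(record[len("rot13$"):].encode(), expected)
    return hmac.compare_digest(record.encode(), candidate.encode())  # untagged plaintext


def login(username: str, candidate: str) -> bool:
    """Verify; on success, upgrade any legacy record in place so it is one-way from now on."""
    record = USERS.get(username)
    if record is None or not _verify(record, candidate):
        return False
    if is_legacy(record):
        USERS[username] = make_pbkdf2(candidate)
    return True


def legacy_count() -> int:
    """How many accounts still hold a recoverable password (drive a reset deadline from this)."""
    return sum(is_legacy(r) for r in USERS.values())
```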
Don Mega posted: It seems like the "we are not a bank, security doesn't matter" is a pretty common excuse among the ignorant. That was exactly what my boss told me when I brought up security concerns. It's not like the majority of people (especially among the non-technically savvy) use the same password for all their accounts or anything.
The irony being that banks tend to have the shittiest, least secure websites made.
Aug 29, 2013 22:09
Speaking of security shame, here's a syllabus for Berkeley's (computer science) security class this semester: http://people.ischool.berkeley.edu/~tygar/161/161.2013.08.29.syllabus.pdf This particular professor is a special kind of bad. In summary:
Aug 30, 2013 00:58
And yet people pay good money to be put through that poo poo.
quote: Need to use the bathroom during an exam? Your test will be taken from you and photographed, and you will be escorted to the restroom.
Am I stupid for failing to see or understand what photographing the exam is meant to accomplish? Am I going to somehow psychically alter the exam whilst making GBS threads? I don't get it. Isn't it enough to just take it?
Aug 30, 2013 01:26
rrrrrrrrrrrt posted: And yet people pay good money to be put through that poo poo.
Presumably if you then alter your previous answers, you will be failed, as you're assumed to have looked up answers in the john.
Aug 30, 2013 01:43
Duh, right. Apparently my cheating skills aren't up to snuff. What if I just go to the bathroom before writing any answers? Didn't think of that, did you Dr. Tygar?
Aug 30, 2013 01:52
rrrrrrrrrrrt posted: And yet people pay good money to be put through that poo poo.
So if they decide you cheated somehow while in the bathroom they can go back and grade the photograph? No, that doesn't make any sense either, they insta-fail you for everything else so they'd just fail you for that too. The only conclusion is it's an object lesson in Security Theatre.
Aug 30, 2013 02:05
A bit of a derail, but does anyone know a good standalone XML doc generator for C++? I'm staring at something like 200 completely undocumented lua-c bindings and beginning to feel nauseous.
Doctor w-rw-rw- posted: Speaking of security shame, here's a syllabus for Berkeley's (computer science) security class this semester:
Oh the horror stories I could tell about one of my upper division cs professors. Have you ever calculated a md5 by hand, on paper? I have.
Aug 30, 2013 02:43
bucketmouse posted: A bit of a derail, but does anyone know a good standalone XML doc generator for C++? I'm staring at something like 200 completely undocumented lua-c bindings and beginning to feel nauseous.
Was it meant to show you understood the concept of a checksum? Otherwise it sounds like a completely retarded question. In fact, I have trouble thinking of any good reason for doing it that isn't meant as a test of an algorithm you just wrote (assuming you know your input and expected output).
Aug 30, 2013 03:13
bucketmouse posted: A bit of a derail, but does anyone know a good standalone XML doc generator for C++? I'm staring at something like 200 completely undocumented lua-c bindings and beginning to feel nauseous.
You took a dump on that guy's desk after, right?
Aug 30, 2013 03:28
bucketmouse posted: Oh the horror stories I could tell about one of my upper division cs professors. Have you ever calculated a md5 by hand, on paper? I have.
Did you have to memorize the lookup table, or was that given to you?
Aug 30, 2013 03:31
xtal posted: The irony being that banks tend to have the shittiest, least secure websites made.
I'm curious why you think so.
Aug 30, 2013 03:36
Fly posted: I'm curious why you think so.
This is an industry that uses 4-character numeric passphrases. Every bank I've used (admittedly only three) has the same limitation on e-banking passphrases. I recognize that not all do, but the best I've seen is 8 numeric characters. I would say banks have an adequate amount of security for their importance when your passphrase (both online and on the actual account) can be any amount of any characters, two-factor authentication is mandatory and "we use HTTPS" isn't a trait worth marketing.
xtal fucked around with this message at 03:51 on Aug 30, 2013
Aug 30, 2013 03:48
xtal posted: This is an industry that uses 4-character numeric passphrases. Every bank I've used (admittedly only three) has the same limitation on e-banking passphrases. I recognize that not all do, but the best I've seen is 8 numeric characters.
Wow, the only 4-digit pass phrases I've seen are for ATM/Debit card PINs, and while that may not be very secure, a few misses will invalidate the card. Most online banking I've seen requires a bit more as a password, or at least allows for much more complex passwords. On the other hand, I've seen some intranet SSO requirements based on the least common denominator require that passwords be at most 8 characters and only letters and digits, which is horrible, but that's not reflected in the consumer Internet banking product of that bank.
Aug 30, 2013 04:11
xtal posted: This is an industry that uses 4-character numeric passphrases. Every bank I've used (admittedly only three) has the same limitation on e-banking passphrases. I recognize that not all do, but the best I've seen is 8 numeric characters.
Password generation policy is a subset of password security. Most banks lock you out after very few tries, and a four digit PIN is less likely to be written down on a scrap of paper in a wallet next to the ATM card it protects.
Aug 30, 2013 04:16
Fidelity is my favorite example of bad bank password security. They allow authentication while phone banking via password entered through DTMF tones. This means that, during auth, your password is converted to some DTMF-tone equivalent representation before comparison to a stored value. If you have a Fidelity account, try altering a letter in your password on their website to the equivalent DTMF number (or another letter that occupies the same button on your phone dial pad), and watch your login succeed. The entropy reduction from alpha-numeric to strictly numeric characters is pretty upsetting, and the maximum password length is something like 12 characters. Good job, guys.
Aug 30, 2013 04:42
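The post above says a phone-banking verifier compares passwords after mapping them to keypad digits, so every letter on the same key becomes interchangeable. As an added example (not Fidelity's implementation, whose details the post does not give), the functions below make that collapse measurable for a password policy review: the digit form a keypad verifier sees, how many distinct strings share it, and the bits of entropy lost at a given length. The keypad layout is the standard ITU E.161 letter grouping; a case-insensitive 36-symbol alphabet is assumed.

```python
import math

# Standard telephone keypad letter groups (ITU E.161). Keys 0 and 1 carry no letters.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_KEY = {ch: key for key, letters in KEYPAD.items() for ch in letters}
ALNUM_SIZE = 36  # case-insensitive letters plus digits: all a keypad can express
DIGIT_SIZE = 10


def dtmf_form(password: str) -> str:
    """The digit string a keypad-based verifier sees for this password."""
    digits = []
    for ch in password.lower():  # the keypad has no notion of case
        if ch.isdigit():
            digits.append(ch)
        elif ch in LETTER_TO_KEY:
            digits.append(LETTER_TO_KEY[ch])
        else:
            raise ValueError(f"no keypad equivalent for {ch!r}")
    return "".join(digits)


def dtmf_equal(stored: str, candidate: str) -> bool:
    """A verifier that compares keypad forms accepts every string in the same class."""
    return dtmf_form(stored) == dtmf_form(candidate)


def equivalence_class_size(password: str) -> int:
    """Number of distinct alphanumeric strings that collapse to the same digits."""
    size = 1
    for d in dtmf_form(password):
        size *= 1 + len(KEYPAD.get(d, ""))  # the digit itself plus its letters
    return size


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def dtmf_entropy_loss(length: int) -> float:
    """Bits discarded when a 36-symbol password is effectively compared as 10 digits."""
    return entropy_bits(length, ALNUM_SIZE) - entropy_bits(length, DIGIT_SIZE)
```

At the post's 12-character maximum the loss is about 22 bits, which is the gap between a 62-bit and a 40-bit keyspace.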
Doctor w-rw-rw- posted: Speaking of security shame, here's a syllabus for Berkeley's (computer science) security class this semester:
That has to be some elaborate metaphor for overly burdensome security practices. It's just too nuts.
Aug 30, 2013 04:45
sklnd posted: The entropy reduction from alpha-numeric to strictly numeric characters is pretty upsetting, and the maximum password length is something like 12 characters. Good job, guys.
Vanguard's maximum password length is ten. My minimum password length at work is 22 characters. My password is a loving sentence, and I mostly write open source software (science stuff).
Aug 30, 2013 05:46
Doctor w-rw-rw- posted:Speaking of security shame, here's a syllabus for Berkeley's (computer science) security class this semester:
Aug 30, 2013 06:57
HFX posted: Was it meant to show you understood the concept of a checksum? Otherwise it sounds like a completely retarded question. In fact, I have trouble thinking of any good reason for doing it that isn't meant as a test of an algorithm you just wrote (assuming you know your input and expected output).
Nooope. We had to do 3 of them on one exam, iirc. Not only was it pointless, the prof in question is notorious for basically being a real-life version of the boss from Dilbert. I need to track down the bad teachers thread at some point and post about him because I've honestly never seen anyone so stupid in a position of authority. I don't even mean 'I don't agree with his morals' figurative stupid, I mean platonic 'does not understand basic principles of physics such as gravity and friction and hence renders an entire class's semester projects unusable' stupid.
Suspicious Dish posted: Did you have to memorize the lookup table, or was that given to you?
Given. Still was a giant pain in the rear end though.
Aug 30, 2013 11:06
xtal posted: This is an industry that uses 4-character numeric passphrases. Every bank I've used (admittedly only three) has the same limitation on e-banking passphrases. I recognize that not all do, but the best I've seen is 8 numeric characters.
Wow, that really does suck. Around here the minimum authentication for a bank is a 6-digit customer ID and a 6+ character main password... but to actually do anything you also need either a code card with 24 PINs (obsolete and only lets you transfer up to $200/day), a hardware PIN calculator, or government-issued ID card and its PKI. The customer ID and main password are only there to help in case a PIN calculator or other secure means of authentication gets stolen. Even the first internet banks required a PIN card at the very least.
Aug 30, 2013 11:27
Doctor w-rw-rw- posted: Speaking of security shame, here's a syllabus for Berkeley's (computer science) security class this semester:
Man, that is a ridiculously fast-paced course. If that's meant for undergrads then god help you all.
Aug 30, 2013 12:37
Doctor w-rw-rw- posted: Speaking of security shame, here's a syllabus for Berkeley's (computer science) security class this semester:
Those two at least appear to be one medical emergency away from a lawsuit.
Aug 30, 2013 12:53
His grading is 1/3 quizzes, 1/3 exams and 1/3 the final and doesn't take any homework or attendance into account (a genuinely great way to do things for a class without real projects), but then he insta-fails you for the course and kicks you out of the room if you are late for one lecture or lab session. Seems conflicted.
Aug 30, 2013 13:32
Maybe the guy just really doesn't want to teach the course and came up with all of that as a scheme for making sure no student would take it. Then he can turn around to the department and say "Welp, I tried but there were no students motivated enough to take my course".
Aug 30, 2013 13:35
It's intended to make the student count drop down to 75 or whatever.
Aug 30, 2013 13:38
KaneTW posted: It's intended to make the student count drop down to 75 or whatever.
Yeah, primarily he's trying to weed people out, and I guess maybe he's trying to make a statement of protest about the university not being able to provide sufficient TAs (I assume they don't have the budget to do so, because at a university as big as Berkeley you should be able to find plenty of willing and qualified victims so long as you can pay them). Part of me wonders if once the student count drops below his crisis threshold, he'd say "hey folks, thanks for sticking this out, now let's have some fun" and start treating the students like the adults they are.
Aug 30, 2013 14:06
Doctor w-rw-rw- posted: Speaking of security shame, here's a syllabus for Berkeley's (computer science) security class this semester:
Jesus. This is an optional course, right? It's a 1xx course, which usually means freshman as well. I wonder how many failing grade cases go to appeal, and if many are successful.
Aug 30, 2013 14:12
kitten smoothie posted: Yeah, primarily he's trying to weed people out, and I guess maybe he's trying to make a statement of protest about the university not being able to provide sufficient TAs (I assume they don't have the budget to do so, because at a university as big as Berkeley you should be able to find plenty of willing and qualified victims so long as you can pay them).
Yeah, dude isn't that dumb, he knows exactly what he's doing.
Aug 30, 2013 14:14
zergstain posted: Jesus. This is an optional course, right? It's a 1xx course, which usually means freshman as well.
It's an upper division course. It's one of 9 courses that fulfill a breadth requirement. http://www.eecs.berkeley.edu/csugrad/#upperdiv
Aug 30, 2013 14:19
From the syllabus:
quote: for security reasons, if you are late to class, you will not be allowed to take the quiz
I hope one of the lectures is on those security reasons.
Aug 30, 2013 14:23
So one of our favorite derails has been settled. Turns out doing_it_like_this is easier on the eye and faster to read than DoingItLikeThis. An Eye Tracking Study on camelCase and under_score Identifier Styles
Aug 30, 2013 15:07