DJB Announces 44 Security Holes In *nix Software

timothy posted more than 9 years ago | from the extra-credit dept.

Security 983

generationxyu writes "D. J. Bernstein, better known as DJB, has announced the discovery of 44 security holes that were found by students in his course MCS 494: Unix Security Holes this fall at the University of Illinois at Chicago. Vulnerable programs of note include: CUPS, NASM, mpg123, MPlayer, xine-lib, and numerous others. Copies of the notification emails are here. The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software. In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course."

983 comments

Misleading Title (4, Insightful)

whysanity (231556) | more than 9 years ago | (#11098101)

The title of this article is quite confusing, if I read it correctly. To me, it reads that *nix variants themselves have 44 security holes (as in something in the underlying OS, such as the kernel). However, upon further reading the story indicates that it is actually the 3rd party software that has holes in it. Sounds a little unfair to *nix environments. Consider blaming Microsoft for all holes in every Win32 program (oh wait, we already do!) How about a better title like "DJB Announces 44 Security Holes In *nix-based Software"

Re:Misleading Title (4, Insightful)

WIAKywbfatw (307557) | more than 9 years ago | (#11098129)

If you want to get technical you could argue that everything apart from the kernel is *nix-based software. Where do you want to draw the line?

Re:Misleading Title (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11098178)

I draw the line here [tinyurl.com] , how about you?

Re:Misleading Title (0)

Anonymous Coward | more than 9 years ago | (#11098210)

Mod parent Offtopic

Re:Misleading Title (5, Insightful)

whysanity (231556) | more than 9 years ago | (#11098240)

For the sake of argument, what would you consider Windows software? The kernel, the graphics server, the programs that come with every "distribution" of Windows?

I think that most people would agree that if the program can be *easily* removed from the underlying OS, it's not part of the OS itself. Therefore I would not consider notepad.exe part of the OS, however I would consider explorer.exe (even though it is a separate application).

If you don't agree, it's okay, but that's how I think of it.

Re:Misleading Title (2, Insightful)

geminidomino (614729) | more than 9 years ago | (#11098251)

Actually, only Linux is limited to being "Just the kernel." *BSD are full OSes, and are 4.4LITE-based, thus are Unix.

Re:Misleading Title (0)

Anonymous Coward | more than 9 years ago | (#11098140)

Yeah, I got that too. However, I didn't need to read the whole article...I read the article summary.

Re:Misleading Title (3, Insightful)

Dekke (829772) | more than 9 years ago | (#11098143)

Because if it weren't sensationalist, who would ever read it? For the knowledge? Hah! For shame, thinking we want accuracy...

Re:Misleading Title (-1, Troll)

slavemowgli (585321) | more than 9 years ago | (#11098318)

Not to mention that the title is misleading in that it seems to imply that it was DJB himself who found those holes, when in reality all he did was reap other people's (his students') work's rewards.

Why? (1, Insightful)

bonch (38532) | more than 9 years ago | (#11098106)

In a class of 25, 44 security holes seems a bit low.

Why is that low? I found 44 security holes to be a rather alarming amount.

Re:Why? (1)

ryanr (30917) | more than 9 years ago | (#11098121)

Because each student was assigned to find 10 original ones? Presumably, he was expecting it to be closer to 250.

Re:Why? (1)

Retric (704075) | more than 9 years ago | (#11098315)

More than one person could have discovered the same holes. Then again, probably not if they're allowed to use any *NIX app.

No security holes in Ceren! (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11098111)

IMPORTANT UPDATE: Please show your support [calcgames.org] for Ceren in this poll of Geek Babes!

Is it any wonder people think Linux [debian.org] users are a bunch of flaming homosexuals [lemonparty.org] when its fronted by obviously gay losers [nylug.org] like these?! BSD [dragonflybsd.org] has a mascot [freebsd.org] who leaves us in no doubt that this is the OS for real men! If Linux had more hot chicks [hope-2000.org] and gorgeous babes [hope-2000.org] then maybe it would be able to compete with BSD [openbsd.org] ! Hell this girl [electricrain.com] should be a model!

Linux [gentoo.org] is a joke as long as it continues to lack sexy girls like her [dis.org] ! I mean just look at this girl [dis.org] ! Doesn't she [dis.org] excite you? I know this little hottie [dis.org] puts me in need of a cold shower! This guy looks like he is about to cream his pants standing next to such a fox [spilth.org] . As you can see, no man can resist this sexy [spilth.org] little minx [dis.org] . Don't you wish the guy in this [wigen.net] pic was you? Are you telling me you wouldn't like to get your hands on this ass [dis.org] ?! Wouldn't this [electricrain.com] just make your Christmas?! Yes doctor, this uber babe [electricrain.com] definitely gets my pulse racing! Oh how I envy the lucky girl in this [electricrain.com] shot! Linux [suse.com] has nothing that can possibly compete. Come on, you must admit she [imagewhore.com] is better than an overweight penguin [tamu.edu] or a gay looking goat [gnu.org] ! Wouldn't this [electricrain.com] be more likely to influence your choice of OS?

With sexy chicks [minions.com] like the lovely Ceren [dis.org] you could have people queuing up to buy open source products. Could you really refuse to buy a copy of BSD [netbsd.org] if she [dis.org] told you to? Personally I know I would give my right arm to get this close [dis.org] to such a divine beauty [czarina.org] !

Don't be a fag [gay-sex-access.com] ! Join the campaign [slashdot.org] for more cute [wigen.net] open source babes [wigen.net] today!

$Id: ceren.html,v 9.0 2004/08/01 16:01:34 ceren_rocks Exp $

Don't just take this lying down, IMO (5, Interesting)

Skyshadow (508) | more than 9 years ago | (#11098112)

Now that's a tough assignment. 44 holes found is an average of less than two a person -- it's possible the *entire* class failed, not just most. At best, probably one person completed the assignment.

As much as I respect profs who are willing to push you to do neat things (finding 44 holes in UNIX and its standard set of programs is nothing to sneeze at), if you really do fail the class I'd take this straight to the administration. They're letting you down by allowing a professor to fail an entire class, especially since the grades are based on something that doesn't really reflect your understanding of the subject.

I've always had a problem with this sort of behavior in college profs -- it gets away from what I consider to be the basic nature of higher education. As a student, I'm the consumer. I'm paying the professor to teach me what he/she knows and then to rate how well I've absorbed that information at the end of the class. Assignments such as this one or classes which are set up as "cut down classes" just aren't consistent with that.

It works the same way on the other end; I had a few professors in college who would cancel class on a fairly routine basis. Hey, I enjoy the odd day off as much as anyone else, but I'm paying a lot of money based on the assumption that I'm going to be getting something in return -- if I were to subscribe to a magazine and then only get 2/3rds of the issues, do you think I'd be within my rights to object? Hell, the overly easy classes were bad enough; I actually had a few that graded based mostly on attendance. Yeah, getting the most for my tuition dollar there.

Anyhow, I know there are folks out there who are going to disagree with my view of a University education, and that's fine, but regardless I would really encourage you not to accept this lying down. I know as a student it often seems like you're powerless, but if 25 of you (and your parents -- I know you're an adult, but schools listen to parents) get together and make yourselves heard, you'll probably end up with a satisfactory outcome.

Re:Don't just take this lying down, IMO (5, Insightful)

jdray (645332) | more than 9 years ago | (#11098151)

I wouldn't get too worked up about it until it happens. I had several college profs who started out the terms saying how they were strict about assignments getting turned in, and how you could fail if you didn't do this or that; I rarely found their bite to be as bad as their bark. Mostly they want to put the fear of them as a deity figure in you, then be gracious later. If they get overwhelmed, they've set a good baseline to fall back on.

Agreed, many profs are abusive (3, Interesting)

Ars-Fartsica (166957) | more than 9 years ago | (#11098273)

From time to time you do get a normal human being lecturing you, but often you get an inhuman prick whose real mastery is in manipulating human emotions. I've watched a calculus prof reduce many female students to tears...and I'm thinking, what is it dude, a sexual thing? I mean, come on, show some dignity and respect for the students.

The problem is that many of the profs have no professional experience outside the academic realm. None. Amazing as it sounds, they go from graduate work to post-doc to the faculty lounge, all the while successfully avoiding any opportunity to deal with people as equals...it's always grovelling to someone or getting someone to grovel to you. It's no coincidence many sleep with their students, it's often the only way they can get laid.

The dynamics of academic environments are truly absurd, I'm amazed more of them are not murdered.

Re:Don't just take this lying down, IMO (1)

el-spectre (668104) | more than 9 years ago | (#11098281)

I had this real bastard of a professor... gave us a set of 50 problems for the midterm (worth 50% of the class). Now, we knew how to do them, but they took approx. 20 minutes each to do, and we got 2 hours to do all 50.

After the fact he announced that he didn't actually expect us to get more than 5 or 6 done, and would be grading on a curve. Several students had balked and walked out on the exam, straight to the dean. I think that's the only thing that saved our asses.

Re:Don't just take this lying down, IMO (4, Insightful)

Marxist Hacker 42 (638312) | more than 9 years ago | (#11098168)

Not disagreeing- but if I was this student, I'd get a few buddies together from the class and point out to the prof:
1. This is the first term this class has been taught.
2. Nobody did well with the homework if the entire class of 25 students only found 44 holes.
3. Even those who were among the best students in the class, getting A's on all the exams, only found 2-3 holes.

Therefore the grades should be assigned to fit a bell curve based mainly on test scores and minimizing points earned for the homework.

Re:Don't just take this lying down, IMO (3, Funny)

bani (467531) | more than 9 years ago | (#11098260)

you really think djb cares? given his well known history of being supreme asshole of the known universe?

fwiw this was obviously djb trying to get his students to dig up ammo for him to go on another one of his public penis-waving tantrums, acting all smug and high and mighty again (oh lookit me i wrote qmail and its all uber secure, and wooo lookit all the MISERABLE LAMERS WRITING SHIT CODE!!1!!111!)

It's just an assignment - Did you even go to uni?? (1)

brunes69 (86786) | more than 9 years ago | (#11098184)

He doesn't even say what it's worth. Hell, it could be worth *nothing*.

I was given lots of assignments at university. Often, we wouldn't know until the end of the term what would count and what wouldn't. If the entire class did poorly on an assignment, it often does *not* count toward your grade.

Can you even read? (0)

Anonymous Coward | more than 9 years ago | (#11098208)

Did you even read the topic summary? The poster states that he's gotten A's on the exams and expects to fail the course.

Re:It's just an assignment - Did you even go to un (4, Informative)

grazzy (56382) | more than 9 years ago | (#11098209)

If you read the slides from the first lecture, it says the findings of holes amounts to 60% of your grade.

READ (1)

neilb78 (557698) | more than 9 years ago | (#11098202)

It says that was their homework assignment....

failing 1 homework assignment != failing the course

READ yourself, dumbass (0)

Anonymous Coward | more than 9 years ago | (#11098232)

This isn't even a case of RTFA. It's RTF SlashDot summary: "After 300 hours of work and an A average on the exams, I expect to fail the course."

Assuming the submitter has some inkling of the weighting of the grade policy, the GP makes perfect sense.

Clearing up ALL "it's just an assignment" posts: (4, Informative)

generationxyu (630468) | more than 9 years ago | (#11098271)

60%. This assignment is worth 60% of the FINAL SEMESTER GRADE. I suppose I should have put that in the summary.

Re:Don't just take this lying down, IMO (5, Funny)

Saint Stephen (19450) | more than 9 years ago | (#11098217)

My algorithms class was like this. I aced every test but didn't complete the Travelling Salesman program successfully. I got an "incomplete" and had to come to summer school. Boy was I mad at the time but I see now why they did it. All or nothing.

If I only had a mod point. (1)

neuro.slug (628600) | more than 9 years ago | (#11098319)

NP-complete humor deserves +1 Funny.

-- n

Re:Don't just take this lying down, IMO (1)

aero2600-5 (797736) | more than 9 years ago | (#11098235)

Why was the parent modded off-topic? The article is about a college class where the finding of security holes is the requirement to pass. This post is about his opinions about classes and their requirements to pass. This is not off-topic. Don't moderate someone down because you disagree.

As I previewed my post, the parent went from (Score: 2, off-topic) to (Score: 5, interesting). I guess the moderators are psychic too. Further proof that the Slashdot moderation system actually works.

Aero

Re:Don't just take this lying down, IMO (4, Insightful)

mateomiguel (614660) | more than 9 years ago | (#11098238)

"As a student, I'm the consumer. "

No, no, and hell no. As a student, you are a student. Leave your stupid consumer victimization routine in suburbia, where it belongs. Don't try to bring that crap to academia.

Re:Don't just take this lying down, IMO (5, Insightful)

KillerDeathRobot (818062) | more than 9 years ago | (#11098272)

As soon as universities start being free, I'll agree with you.

Re:Don't just take this lying down, IMO (1)

el-spectre (668104) | more than 9 years ago | (#11098312)

If I pay for something, and then only 50% of the service is rendered, damn right I've been victimized...

Re:Don't just take this lying down, IMO (1)

zumajim (681331) | more than 9 years ago | (#11098241)

I had a similar experience with a professor for an AI course. Fortunately, he made it clear on the first day of class that he intended to flunk most of us and that the highest grade he intended to give was a C+. This prompted me to drop the class immediately. (A protest visit to the ombudsman's office proved fruitless, of course.) Is DJB known as a hard-ass? Don't students know what they're getting into from day one?

DJB is a notorious dick. I am serious, google him. (1)

Ayanami Rei (621112) | more than 9 years ago | (#11098275)

Re:Don't just take this lying down, IMO (1)

paulschroeder (757739) | more than 9 years ago | (#11098243)

Amen. What's one expected to learn by working obscenely hard only to be told 'You fail' on a goal that's considered difficult by many professionals, let alone college kids? Personally, I would be rather gunshy after an experience like that. Just my .02, though.

Re:Don't just take this lying down, IMO (4, Insightful)

Marxist Hacker 42 (638312) | more than 9 years ago | (#11098304)

Perhaps- I didn't think of this until reading your post- that's exactly what the professor was trying to teach. Though it would be a damned awful way to do it, I've got to admit that 95% of the projects I've worked on since college have followed that general path. Work obscenely hard- get a product out there- get laid off when the marketing people spend tons on booze to cover their poor marketing skills and drive the company into the ground. Yep- sounds just like this assignment.

Re:Don't just take this lying down, IMO (1)

IO ERROR (128968) | more than 9 years ago | (#11098261)

Indeed, don't take this lying down. Has anyone considered the possibility that the software in question only had 44 security holes to be found between them? (Or, at least, 44 that we could reasonably know about right now.) It would be impossible for anyone to pass this assignment in those circumstances.

It sounds like the assignment was utterly unfair. I don't think I could find 10 security holes in the project [citadel.org] I code for at this point; it's been fairly well audited both by us and by others [nosystem.com.ar] . A few days ago I just patched what I think is the last one; of course, I should know better by now...

Re:Don't just take this lying down, IMO (2, Insightful)

WIAKywbfatw (307557) | more than 9 years ago | (#11098269)

I don't have any problem with the concept of an entire class failing a course. Why you think that a professor failing his entire class constitutes a failure on the part of the university is a mystery to me: would you be so opposed if a professor failed an astronomy class that failed to put the planets in the correct order or an economics class that couldn't describe how supply and demand affect prices?

Frankly, I think you're jumping the gun here. Ten is a nice round figure and one that suggests that it might have been picked arbitrarily. Perhaps the professor asked for ten but didn't expect any one individual to find more than two or three? Perhaps the professor wasn't as interested in their results as he was their methodologies and definitions of what did and didn't constitute a vulnerability? Perhaps he was using the exercise to reinforce lessons on how to create a secure computing environment?

Chew on that for a while, and while you're doing that think about the fact that you should be looking at university as a learning experience, not merely an acquisition of course credits. Frankly, your post makes you sound like someone who would sue their professor if he so much as considered awarding you less than a pass mark.

Re:Don't just take this lying down, IMO (1)

grendel_x86 (659437) | more than 9 years ago | (#11098287)

The other side of this being the people I hated most in school, those that pay money, and expect to be passed because 'they pay their salary'.

I doubt this prof expected this few holes, and adjusted grading accordingly. UIC is not an elitist school by any stretch of the imagination.

Re:Don't just take this lying down, IMO (3, Insightful)

plopez (54068) | more than 9 years ago | (#11098314)

It could be the prof was trying to weed out the riff-raff (those who think they are hot but are not, etc.). But giving such an open ended project at the undergrad level is extreme. It is appropriate for grad school, where research projects sometimes are not completed, but not undergrad (I assume by the number it is undergrad).

I actually had a class like that, expected to fail but passed because I actually did a lot of work on the problem and it showed. This may be one of those cases. Remember, research is about trying your best but still failing, actually most of the time.

Re:Don't just take this lying down, IMO (2, Insightful)

Jace of Fuse! (72042) | more than 9 years ago | (#11098322)

They're letting you down by allowing a professor to fail an entire class, especially since the grades are based on something that doesn't really reflect your understanding of the subject.

I couldn't agree with this post any more.

Let me also say that if this professor feels so high and mighty, let's see this person perform the assignment themself! Something tells me this professor would also fail!

10 previously undiscovered exploits for one person to find is a serious undertaking. Most Security Professionals probably don't find that many per year I would guess.

Shesh. What an ass.

What is 'deployed unix software'? (1)

Neil Blender (555885) | more than 9 years ago | (#11098114)

Anything you can download off the net, compile and run on Unix? There are probably millions of security holes out there.

Re:What is 'deployed unix software'? (1)

generationxyu (630468) | more than 9 years ago | (#11098156)

Deployed Unix software, as defined for the purposes of this class, is something that the professor can put into Google and find references to people using it. Not just its Sourceforge or Freshmeat page, but people actually using it.

Re:What is 'deployed unix software'? (1)

Stevyn (691306) | more than 9 years ago | (#11098169)

Yeah, but they found 44 specific holes. More importantly, the developers won't have to get permission from their boss to take a break from developing a new feature to fix these.

All you need is one more hole... (5, Funny)

Nom du Keyboard (633989) | more than 9 years ago | (#11098115)

After 300 hours of work and an A average on the exams, I expect to fail the course.

All you need to do is find one more hole, this one in the campus records department, and exploit it for improving your grade. If you have an "A" average otherwise, another "A" will look right in place. It's the "D" average people suddenly getting "A"s and "B"s that draw suspicion.

Re:All you need is one more hole... (0)

Anonymous Coward | more than 9 years ago | (#11098290)

The exploit already exists and is called, "making friends with employees in the student records office". I was at UIC and I know for a fact that people in records and admissions were changing grades.

Boohoo (1, Troll)

Breakfast Pants (323698) | more than 9 years ago | (#11098117)

This seems like a call to the world for pity as if that will somehow change the professor's mind.

Re:Boohoo (0)

Anonymous Coward | more than 9 years ago | (#11098228)

Insightful/Troll? I thought this was pretty funny:)

Re:Boohoo (2, Insightful)

generationxyu (630468) | more than 9 years ago | (#11098294)

I'd like to see you work your ass off for an entire semester, bury yourself in other people's C code for hundreds of programs, understand all the material, get As on the exams, and then fail because you weren't lucky enough -- and not be just a teeny bit pissed about it.

and the moral is: (3, Funny)

pchan- (118053) | more than 9 years ago | (#11098125)

After 300 hours of work and an A average on the exams, I expect to fail the course.

but we've all learned a valuable lesson: don't take a class taught by DJB

Re:and the moral is: (1)

bani (467531) | more than 9 years ago | (#11098189)

i would have thought that was already patently obvious.

and if tdr [openbsd.org] ever teaches a class, don't take it either.

Fourth year: bird courses only please (4, Insightful)

Ars-Fartsica (166957) | more than 9 years ago | (#11098212)

Who signs up for hard classes in fourth year? Duh! You've practically got your degree. sit back, uncap a cold one and choose from the many many many easy courses every school offers to fourth year students.

It's well known that every college grinds out the poor students in the first two years...if you've made it to fourth year, it's time to ladle up some gravy and bolster your GPA in time for grad school applications, resume bolstering, etc.

So the real moral is that the most intelligent students are the ones avoiding the course altogether. If you want to get an education in unix security holes, go read the OpenBSD mail archives.

Re:Fourth year: bird courses only please (2, Insightful)

DunbarTheInept (764) | more than 9 years ago | (#11098286)

If you assume it is stupid to pick harder classes, then you are assuming everyone's goal is laziness. If a person has a goal of learning interesting things, then it is not necessarily stupid to take a hard class. This sounds like an interesting class - the only problem is the grading is poorly thought out.

If the computer that stores your grades (0)

Anonymous Coward | more than 9 years ago | (#11098127)

...is a Unix system, you should be able to get an easy A.

Fail the course? (1, Informative)

Anonymous Coward | more than 9 years ago | (#11098134)

Better hope there's a curve

Better link (3, Informative)

generationxyu (630468) | more than 9 years ago | (#11098138)

to Kris Kubicki's mirror is here. [uic.edu]

How to pass this class (females only) (1, Funny)

Anonymous Coward | more than 9 years ago | (#11098139)

Let your prof 'secure' your hole, if you know what I mean.

Re:How to pass this class (females only) (0)

Anonymous Coward | more than 9 years ago | (#11098162)

What if he's gay?

Sad but true (1)

Ars-Fartsica (166957) | more than 9 years ago | (#11098329)

When even in my own limited experience I get three profs to admit to screwing female students, you have to wonder how much of this is going on. More bizarro college dynamics...the girls don't feel too shamed because they see some fetish in screwing the older academic type...deemed mildly acceptable as a college experience.

DJB Is cool. (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#11098157)

Even though I've heard so much trash talk about DJB, I think he writes good programs that are very reliable. I rolled out qmail to replace several sendmail servers that were constantly hitting 20+ load average. Now our servers deliver more mail than before, and the load average never goes over .25 on the exact same hardware. I think that says a lot about his programming technique. I bet his classes are very challenging, hopefully adding some quality programmers to the gene pool.

Re:DJB Is cool. (0)

Anonymous Coward | more than 9 years ago | (#11098283)

Too bad he's gotta be a Nazi about his software licenses.

I bet you postfix, exim, or courier would work. (1)

Ayanami Rei (621112) | more than 9 years ago | (#11098328)

Anything else will make sendmail look slow.

He's a good programmer, but so are a lot of other people who aren't whiny jerks, and have to have everything done their way.

Hmm... (4, Funny)

excaliber19 (750206) | more than 9 years ago | (#11098160)

Perhaps Microsoft should try this strategy. I'm sure the kids would thoroughly enjoy that assignment! They'd have bugs coming out the wazoo! A's for everyone!

Re:Hmm... (0)

Anonymous Coward | more than 9 years ago | (#11098316)

If it was MS source up for review, they'd get @'s, not A's

What? (3, Insightful)

jjshoe (410772) | more than 9 years ago | (#11098165)

What no djb tools on the list? That seems the quickest way to fail, find an exploit in a djb tool.

Re:What? (1)

generationxyu (630468) | more than 9 years ago | (#11098203)

The reason is that we were instructed to look for "low hanging fruit," like sprintf(buffer_on_the_stack, "%s", untrusted_input), or while (ch = getc()) { buffer_on_the_stack[i] = ch; i++; }.

DJB's software doesn't have these kind of holes. If it has any, we weren't about to spend our time analyzing every little atom of it. $500 isn't enough for me to spend that much time on it.

Re:What? (1)

Blue-Footed Boobie (799209) | more than 9 years ago | (#11098225)

That would have been excellent if someone had found 10 holes all in djb tools.

Good luck with that one.... (1)

Lanboy (261506) | more than 9 years ago | (#11098282)

djb will send you a check for $500 or $5000 for remote security holes in his tools.

I wonder if having the developer of qmail and tcpserver know your name is worth the pain he seems to be as a prof.

Fairness? (1)

HangingChad (677530) | more than 9 years ago | (#11098167)

To be fair this assignment should've been assigned to Windows software.

The whole class could've passed just spending 15 minutes looking at IE.

Re:Fairness? (1)

axafluff (530026) | more than 9 years ago | (#11098284)

The whole class could've passed just spending 15 minutes looking at IE.

Sure, but that class wouldn't amount to much more than random typing and clicking. Extra credit if you use a debugger or go into real detail and skim the source.

Where's the gumpf? (4, Funny)

caluml (551744) | more than 9 years ago | (#11098171)

Hey! I've found remote roots in OpenSSH, Apache, and Bind. If you run the file below, you can get root.

[ Part 2, Text/PLAIN (charset: unknown-8bit) 95 lines. ]
[ Unable to print this part. ]

Were any of them *not* buffer overflows? (2, Interesting)

jcr (53032) | more than 9 years ago | (#11098172)

I didn't look at all of them, but the ones I did check all seemed to be the usual culprits: str..() functions out of the standard, broken C library.

-jcr
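The two "low hanging fruit" patterns generationxyu describes above (sprintf of untrusted input into a stack buffer, and a getc() loop that never checks its index) and the str..() family jcr mentions are the same defect: the copy stops when the input ends, not when the buffer does. The following is an added example in C, not code from the thread or from any of the programs named in it, showing each vulnerable form next to a bounded one; the function and buffer names are made up for the illustration, and the sample input is constructed.

```c
/* Added example (not from the original thread or any program it names):
 * unbounded copy/read patterns next to bounded versions.  All names here
 * are invented for the illustration. */
#include <stdio.h>
#include <string.h>

/* VULNERABLE: sprintf/strcpy copy until the source's NUL, however long the
 * source is; the destination size is never consulted. */
void copy_unbounded(char *dst, const char *src)
{
    sprintf(dst, "%s", src);          /* same as strcpy(dst, src) */
}

/* VULNERABLE: i is never compared against the buffer size, so a long line
 * walks straight off the end of the caller's buffer. */
void read_line_unbounded(FILE *fp, char *buf)
{
    int ch;
    size_t i = 0;
    while ((ch = getc(fp)) != EOF && ch != '\n')
        buf[i++] = (char)ch;
    buf[i] = '\0';
}

/* HARDENED: snprintf always NUL-terminates when cap > 0 and returns the
 * length the full string would have needed, so truncation is detectable.
 * Returns 0 on success, -1 if src did not fit (dst then holds a
 * terminated, truncated prefix). */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    int n = snprintf(dst, cap, "%s", src);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return 0;
}

/* HARDENED: reserve one byte for the terminator and refuse to exceed it.
 * Returns the number of bytes stored, or -1 if the line does not fit (buf
 * is still terminated; the rest of the line is left unread). */
int read_line_bounded(FILE *fp, char *buf, size_t cap)
{
    int ch;
    size_t i = 0;
    if (cap == 0)
        return -1;
    while ((ch = getc(fp)) != EOF && ch != '\n') {
        if (i + 1 >= cap) {
            buf[i] = '\0';
            return -1;
        }
        buf[i++] = (char)ch;
    }
    buf[i] = '\0';
    return (int)i;
}

int main(void)
{
    char field[16];
    /* Constructed input: a line much longer than the 16-byte buffer. */
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";
    FILE *fp = tmpfile();
    if (!fp)
        return 1;
    fputs(input, fp);
    rewind(fp);
    printf("copy_bounded -> %d\n", copy_bounded(field, sizeof field, input));
    printf("read_line_bounded -> %d\n",
           read_line_bounded(fp, field, sizeof field));
    fclose(fp);
    /* copy_unbounded(field, input) and read_line_unbounded(fp, field) would
     * overrun 'field' with this input; they are deliberately not called. */
    return 0;
}
```

Both bounded versions return -1 on oversize input rather than silently truncating, which is the check the calling code has to act on; a truncated filename or path that is used anyway is its own class of bug.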

Re:Were any of them *not* buffer overflows? (2, Informative)

winthrop (314632) | more than 9 years ago | (#11098230)

Change password [uic.edu] involved trusting that the version of "make" in its path was not modified:
Here's the bug: Line 317 of changepassword.c, without cleaning its
environment in any way, calls system("cd /var/yp && make &> /dev/null");
the Makefile arranges for changepassword.cgi to be setuid root (mode
4755). A user can set $PATH to point to his own make program, set
$CONTENT_LENGTH to 512, set $REQUEST_METHOD to POST, and feed...
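The changepassword.c bug winthrop quotes is an environment-trust bug rather than a buffer bug: system() hands the string to /bin/sh, and the shell resolves "make" through whatever $PATH the request supplied. Below is an added example in C, not code from that program or anything else in the thread, that reproduces the hijack in a scratch directory and places it next to the fix (exec by absolute path with a scrubbed environment, and chdir in the child instead of a shell "cd &&" string). The function names, the scratch directory and the fake make that exits 42 are all constructed for the illustration, so the program runs offline.

```c
/* Added example (not from changepassword.c or any program in the thread):
 * PATH hijack through system() next to a hardened execve().  All names and
 * the fake "make" are invented for the illustration. */
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* What the CGI effectively does: the shell started by system() looks up
 * "make" in the caller's $PATH.  Returns the command's exit status. */
int run_via_system(const char *cmd)
{
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Fixed environment for the privileged child: trusted directories only,
 * nothing inherited from the request. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Hardened: chdir in the child, exec the shell by absolute path with the
 * scrubbed environment, so "make" resolves only in clean_env's PATH.
 * Returns the child's exit status, or -1 on failure. */
int run_make_hardened(const char *workdir)
{
    char *const argv[] = { "sh", "-c", "exec make", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (chdir(workdir) != 0)
            _exit(126);
        execve("/bin/sh", argv, clean_env);
        _exit(127);
    }
    int st;
    if (waitpid(pid, &st, 0) != pid)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Test fixture standing in for the attacker: a scratch directory holding a
 * fake "make" that exits 42 instead of rebuilding anything.  Copies the
 * directory path into dir_out; returns 0 on success. */
int plant_fake_make(char *dir_out, size_t cap)
{
    char tmpl[] = "/tmp/pathhijackXXXXXX";
    if (!mkdtemp(tmpl))
        return -1;
    char path[sizeof tmpl + sizeof "/make"];
    snprintf(path, sizeof path, "%s/make", tmpl);
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fputs("#!/bin/sh\nexit 42\n", f);
    fclose(f);
    if (chmod(path, 0755) != 0)
        return -1;
    if (snprintf(dir_out, cap, "%s", tmpl) >= (int)cap)
        return -1;
    return 0;
}

int main(void)
{
    char dir[256];
    if (plant_fake_make(dir, sizeof dir) != 0)
        return 1;
    setenv("PATH", dir, 1);      /* attacker-chosen PATH, as in the CGI case */
    printf("system(\"make\") exited %d (42 means the planted make ran)\n",
           run_via_system("make"));
    printf("hardened run exited %d (anything but 42)\n",
           run_make_hardened(dir));
    return 0;
}
```

In the quoted case the binary was setuid root, so the planted make ran as root; the hardened version belongs with the usual companions for a setuid program (drop privileges before anything non-essential, and do not inherit IFS or other shell-significant variables either). Note that the hardened run still trusts /bin/sh and the directories in clean_env, which is the intended trust boundary: the system's own files rather than the request's environment.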

Still more secure than Windows (0)

Anonymous Coward | more than 9 years ago | (#11098174)

Even Bill Gates uses Linux for security-intensive applications: http://img101.exs.cx/img101/9162/billnDebian.jpg [img101.exs.cx]

Re:Still more secure than Windows (1)

Rosonowski (250492) | more than 9 years ago | (#11098259)

Nice try [fark.com]

ah, buffer overflows... (4, Insightful)

Mr. Slippery (47854) | more than 9 years ago | (#11098175)

I see the two specific items linked to are buffer overflow exploits. Anyone learning to program in C needs to have good buffer discipline beaten into their heads.

It's like wiping your butt after crapping - mandatory basic hygiene. If you can always remember to wipe your butt, you can always remember to watch your buffer lengths.

Re:ah, buffer overflows... (4, Funny)

symbolic (11752) | more than 9 years ago | (#11098308)

If you can always remember to wipe your butt, you can always remember to watch your buffer lengths.

Well, there's the problem!

But you have already found 10 bugs!!! (5, Funny)

jgbustos (131144) | more than 9 years ago | (#11098177)

Why take for granted that the number of bugs to be found was expressed in base-10? Why not base-2?

Most of the class failed? (2, Insightful)

dokebi (624663) | more than 9 years ago | (#11098186)

Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course.

Define "failed." They failed to find holes? Or they failed the course?
I seriously doubt a prof would fail an A average student for not being able to find a hole for an assignment. Extra credit, maybe, but an F? I mean, WTF?

Re:Most of the class failed? (0)

Anonymous Coward | more than 9 years ago | (#11098249)

The professor found out all the students believe in broken budgets so he assumed they were conservative and failed them all. That damned liberal elite college professor who does he think he is.

My thoughts. (5, Insightful)

Anonymous Coward | more than 9 years ago | (#11098188)

Thesis: This professor is retarded.

Evidence to support this belief:

1) Giving homework to "go out and find some exploits" doesn't teach you anything and has a very unpredictable "path to completion"; i.e., it's not like there's a "problem" to solve, per se. It's simply a matter of some students having gotten lucky whereas others failed.

2) "After 300 hours of work and an A average on the exams, I expect to fail the course." Either the student is overly-pessimistic (which is possible), or the prof has done very little to: (a) boost morale, reassure students, or instil confidence; or, (b) grade students appropriately for the effort that they've put in. I think that the truth always lies somewhere between the extremes ... which would lead me to believe "a little bit of both".

3) "In a class of 25, 44 security holes seems a bit low." I highly doubt this, but then again, it entirely depends. If you're trying to find a security hole in "telnet" or "finger", I think you'd be outta luck -- the average joe undergrad would be better off picking random numbers to win the lottery than to find holes in software that has been tried, tested, and true for years.

Alternatively, if you just go to http://freshmeat.net and find some little backward project coded by a grade 9 high school student -- well, yeah, I think that an exploit should be pretty straightforward. Which leads me to ask: What the fuck does this assignment actually prove/teach? (See point (1), above.)

Most people will pass (0)

Anonymous Coward | more than 9 years ago | (#11098194)

By the time you reach fourth year, you realize that there is often some adjustment made to marks at the end of the course by the prof, and I also think that most universities have policies prohibiting more than 50% of a course from failing. So, before everyone cries bloody murder on this atrocity against the bell curve, I bet you most people are going to pass the course.

Re:Most people will pass (3, Funny)

wk633 (442820) | more than 9 years ago | (#11098303)

D.L. Parnas once taught a 300 level software engineering class at the University of Victoria.

Grading used the 'high tide' method. That is, better score in one area of the course (exam, project, assignments) could override a poor score in another area. All instructor's judgement.

One student I knew got a C+ and discovered that he had roughly the same scores in each area as another student who got an A. That is, guy I knew had a poor exam, but awesome project. Someone else had nearly identical exam scores, and nearly the same (A) project.

So guy-I-knew approached Parnas, and asked why.

"Because I don't like you".

And that was the end of it.

pwn3d (0)

Anonymous Coward | more than 9 years ago | (#11098195)

hacked? [uic.edu] All that page says right now is "pwn3d"..

Missing... (1)

Chris Parrinello (1505) | more than 9 years ago | (#11098196)

I noticed that sendmail and bind weren't on the list. I guess they're not as exploit-y as DJB would lead us to believe....

What's the deal? (4, Insightful)

retro128 (318602) | more than 9 years ago | (#11098213)

The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software.

10 for each student? I doubt DJB himself could find 10 on his own inside of a semester.

In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course.

I guess the whispers I've been hearing about DJB being a complete asshole are true. It is always nice to have your academic future dictated by such people to your disadvantage, even though you may be a cut above the teacher himself. And in the meantime he will take credit for your work while simultaneously failing you. Thank you, sir, for reminding me why I dropped out of college.

Students didn't exploit the loophole (4, Interesting)

fireboy1919 (257783) | more than 9 years ago | (#11098227)

He pretty much gave them free reign. ANY OSS at all!

Have you seen CPAN? Half of that code is something someone hacked up in a day! And what about all those sourceforge projects that have one developer and less than 10000 lines?

Meanwhile, almost every piece of code that this class is looking at is stuff that's already had a once over - heck, probably even been looked over thousands of times. No wonder they couldn't find any bugs. They were looking in the houses, not the motels.

If the majority of the class failed... (4, Insightful)

JoshMKiV (548790) | more than 9 years ago | (#11098237)

If the majority of the class failed, then the professor failed YOU.

Re:If the majority of the class failed... (1)

narcc (412956) | more than 9 years ago | (#11098323)

To a certain extent, I'll agree -- it's not likely that in a class this interesting the majority would blow it off.

Of course, this professor is noted for saying:
You Fail It! Your Skill Is Not Enough!!

Re:If the majority of the class failed... (0)

Anonymous Coward | more than 9 years ago | (#11098333)

But in Soviet Russia.. Ah Never mind.

bad math? (1)

Telastyn (206146) | more than 9 years ago | (#11098242)

There are 44 different holes, not 44 separate finds. Students could've independently [or not so independently] found the same exploit. In fact, I'd bet that it occurred given that they were looking for the same things in largely the same places.

As a Former UIC Student (0)

Anonymous Coward | more than 9 years ago | (#11098262)

...all I can say is, "why didn't the EECS department have all the cool classes the MSCS department is offering?!" Granted, operating system design and computer architecture courses were cool, but there really weren't any UNIX specific courses.

Dear generationxyu (1)

Letter (634816) | more than 9 years ago | (#11098278)

Dear generationxyu,

I've had the same problem -- failing courses because THE SMASHING PUMPKINS have taken over your life. Instead of studying, you spend endless hours reloading billycorgan.com to read more of his unintelligible rants on god and bumblebees. You waste your time designing covers and dvd menus for your bootlegs. You listen to MARY STAR OF THE SEA but always end up going back to 2001-11-16.

I call this problem corganitis. The only cure is the METRO DVD release and afterwards imminent SMASHING PUMPKINS REUNION. We can only hope.

Toppling,
Graceful Swan of Never

Maybe he'll grade on the curve? (1)

davidwr (791652) | more than 9 years ago | (#11098279)

A friend of mine was an instructor, he had very tough grading standards - the AVERAGE grade was about 50.

Of course, he curved so those who deserved an A got an A.

Sounds like Fermi at University of Chicago (3, Interesting)

monopole (44023) | more than 9 years ago | (#11098297)

Enrico Fermi supposedly failed every single person who ever took his Quantum Mechanics course at the University of Chicago. A special footnote had to be added to transcripts as a result.

The pity is that such a strategy allows for no differentiation between people who are working at their full capacity and goof-offs who sleep through class.

Maybe it wasn't just me (1)

xv4n (639231) | more than 9 years ago | (#11098310)

I read that as "MCS 494: Unix Secretary Holes". Me going outside now.

Mplayer and Xine new security releases (3, Informative)

andymar (690982) | more than 9 years ago | (#11098313)

"Multiple vulnerabilities were discovered in MPlayer by iDEFENSE, and more were found by us while reviewing the code"
http://www.mplayerhq.hu/ [mplayerhq.hu]

"New xine-lib released. This version addresses multiple security vulnerabilities in the PNM and Real RTSP clients. All users are advised to upgrade to 1-rc8. The release also includes several bug fixes and new features"
http://xinehq.de/ [xinehq.de]

Well, that's surprising (1)

vadim_t (324782) | more than 9 years ago | (#11098317)

Despite the usual quality of Unix software, I didn't think it would be that hard to find a hole. After all, on Linux it's really easy to get source, and surely some automated way of finding possible exploits like grepping for the usual dangerous functions could be found. Now actually exploiting it sounds harder.

My strategy would have been to compile a list of executables that can be easily tested automatically, and run them under valgrind while piping data from /dev/urandom, or something similar. I'd also try feeding normal input with randomly changed characters, and things like that. In my experience valgrind's really good at finding all kinds of subtle issues.
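
Added example, not code from either post or from any of the projects named in the story: it ties together Mr. Slippery's point above about watching buffer lengths and vadim_t's strategy of feeding corrupted input under a memory checker. The block is a length-checked parser for a constructed record format (one length byte followed by that many name bytes, invented for this example) and a deterministic mutation loop that feeds it corrupted variants of a seed record and checks the parser's contract on every accepted input. NAME_MAX_LEN, REC_MAX_LEN, the seed record and the xorshift PRNG are all assumptions of the example.

```c
/* Added example: a bounds-checked parser for a constructed record format
 * plus a small mutation-fuzz loop that exercises it. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_MAX_LEN 32     /* size of the caller's name buffer (assumed) */
#define REC_MAX_LEN  64     /* largest input the mutator will produce */

/* Parses one record (length byte, then name bytes) into name, which must
 * hold NAME_MAX_LEN bytes; the result is NUL-terminated.  Returns the name
 * length, or -1 if the record is malformed.  The unchecked variant of this
 * routine is memcpy(name, buf + 1, buf[0]): it trusts the length byte, so a
 * value of 200 writes 168 bytes past the end of name[]. */
int parse_record(const uint8_t *buf, size_t buflen, char name[NAME_MAX_LEN])
{
    if (buflen < 1)
        return -1;                      /* no length byte at all */
    size_t n = buf[0];
    if (n >= NAME_MAX_LEN)
        return -1;                      /* would overflow name[] */
    if (n > buflen - 1)
        return -1;                      /* would read past the input */
    memcpy(name, buf + 1, n);
    name[n] = '\0';
    return (int)n;
}

/* xorshift32 with a fixed seed so every fuzz run is reproducible. */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t rng_next(void)
{
    uint32_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return rng_state = x;
}

/* Writes a corrupted copy of seed into out: sometimes truncates it,
 * sometimes pads it, then overwrites 1..4 random bytes.  Returns the new
 * length (always between 1 and REC_MAX_LEN - 1). */
static size_t mutate(const uint8_t *seed, size_t seedlen, uint8_t *out)
{
    size_t len = seedlen;
    memcpy(out, seed, seedlen);
    switch (rng_next() % 3) {
    case 0:                             /* truncate */
        len = 1 + rng_next() % seedlen;
        break;
    case 1:                             /* pad with filler bytes */
        len = seedlen + rng_next() % (REC_MAX_LEN - seedlen);
        memset(out + seedlen, 'A', len - seedlen);
        break;
    default:
        break;
    }
    unsigned flips = 1 + rng_next() % 4;
    while (flips--)
        out[rng_next() % len] = (uint8_t)rng_next();
    return len;
}

/* Runs iters mutated records through parse_record.  For every accepted
 * record the contract is checked: 0 <= len < NAME_MAX_LEN, len fits in the
 * input, and name[] is NUL-terminated inside its bounds.  Returns the number
 * of contract violations (0 for a correct parser) and stores how many inputs
 * the parser rejected in *rejected.  Run under valgrind or AddressSanitizer
 * the same loop also catches an out-of-bounds memcpy directly. */
int fuzz_parser(unsigned iters, unsigned *rejected)
{
    static const uint8_t seed[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    uint8_t input[REC_MAX_LEN];
    char name[NAME_MAX_LEN];
    int violations = 0;

    *rejected = 0;
    for (unsigned i = 0; i < iters; i++) {
        size_t len = mutate(seed, sizeof seed, input);
        int r = parse_record(input, len, name);
        if (r < 0) {
            (*rejected)++;
            continue;
        }
        if (r >= NAME_MAX_LEN || (size_t)r > len - 1 || name[r] != '\0')
            violations++;
    }
    return violations;
}
```

The mutator is deliberately dumb; what makes the loop useful is that it runs the real parser on thousands of inputs with an explicit contract check, which is the part a memory checker such as valgrind then strengthens for free.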

What kind of stupid class is this? (1)

koreaman (835838) | more than 9 years ago | (#11098321)

What kind of stupid class is this? Find 10 security holes in *nix? Each person?

What makes this professor think the standard set of *nix based programs even contains 250 security holes? Generally, FLOSS is better secured than proprietary software.

But by the looks of things, he is looking for minor things like writing past an array, not full-blown arbitrary code execution. But I still don't think this is reasonable at all.

As previous posters have suggested, take your case to the administration. You don't deserve an F because you can't find 10 security holes in the most secure operating system and associated software suite that exists.