Security Education Bug Operating Systems Software Unix Linux

DJB Announces 44 Security Holes In *nix Software

generationxyu writes "D. J. Bernstein, better known as DJB, has announced the discovery of 44 security holes that were found by students in his course MCS 494: Unix Security Holes this fall at the University of Illinois at Chicago. Vulnerable programs of note include: CUPS, NASM, mpg123, MPlayer, xine-lib, and numerous others. Copies of the notification emails are here. The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software. In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course."
  • Misleading Title (Score:4, Insightful)

    by __aaitqo8496 ( 231556 ) * on Wednesday December 15, 2004 @06:17PM (#11098101) Journal
    The title of this article is quite confusing, if I read it correctly. To me, it reads that *nix variants themselves have 44 security holes (as in something in the underlying OS, such as the kernel). However, upon further reading the story indicates that it is actually the 3rd party software that has holes in it. Sounds a little unfair to *nix environments. Consider blaming Microsoft for all holes in every Win32 program (oh wait, we already do!) How about a better title like "DJB Announces 44 Security Holes In *nix-based Software"
    • by WIAKywbfatw ( 307557 ) on Wednesday December 15, 2004 @06:19PM (#11098129) Journal
      If you want to get technical you could argue that everything apart from the kernel is *nix-based software. Where do you want to draw the line?
      • by __aaitqo8496 ( 231556 ) * on Wednesday December 15, 2004 @06:30PM (#11098240) Journal
        For the sake of argument, what would you consider Windows software? The kernel, the graphics server, the programs that come with every "distribution" of Windows?

        I think that most people would agree that if the program can be *easily* removed from the underlying OS, it's not part of the OS itself. Therefore I would not consider notepad.exe part of the OS, however I would consider explorer.exe (even though it is a separate application).

        If you don't agree, it's okay, but that's how I think of it.
        • Have you actually tried removing notepad?

          Windows tries pretty hard to keep you from doing so.
        • I think that most people would agree that if the program can be *easily* removed from the underlying OS, it's not part of the OS itself.

          Yes, most people would. And that's why the title says *nix Software rather than *nix OS's. I don't know anybody who defines "software" as meaning "something that is part of an OS". The title isn't misleading at all. In fact, it makes it explicit that we are discussing software for *nix rather than the OS itself.
        • by stor ( 146442 ) on Wednesday December 15, 2004 @07:03PM (#11098564)
          For the sake of argument, what would you consider Windows software? The kernel, the graphics server, the programs that come with every "distribution" of Windows?

          Ahh, this is such stuff that pointless flamewars are made on.

          Cheers
          Stor
      • Actually, only Linux is limited to being "Just the kernel." *BSD are full OSes, and are 4.4LITE-based, thus are Unix.
      • by FatAlb3rt ( 533682 ) on Wednesday December 15, 2004 @06:47PM (#11098406) Homepage
        so...why didn't someone just write some intentionally crappy software, stick it on sourceforge, then point out the flaws?

        or better yet, since it sounds as if this is an assignment due at the end of the semester, dive into some code, write up a few paragraphs on what you *think* is a security flaw, and submit it.

        heck, i think the instructor should give credit for explaining 10 good code examples of secure routines.

    • by Dekke ( 829772 ) *
      Because if it weren't sensationalist, who would ever read it? For the knowledge? Hah! For shame, thinking we want accuracy...
  • by Skyshadow ( 508 ) * on Wednesday December 15, 2004 @06:17PM (#11098112) Homepage
    Now that's a tough assignment. 44 holes found is an average of less than two a person -- it's possible the *entire* class failed, not just most. At best, probably one person completed the assignment.

    As much as I respect profs who are willing to push you to do neat things (finding 44 holes in UNIX and its standard set of programs is nothing to sneeze at), if you really do fail the class I'd take this straight to the administration. They're letting you down by allowing a professor to fail an entire class, especially since the grades are based on something that doesn't really reflect your understanding of the subject.

    I've always had a problem with this sort of behavior in college profs -- it gets away from what I consider to be the basic nature of higher education. As a student, I'm the consumer. I'm paying the professor to teach me what he/she knows and then to rate how well I've absorbed that information at the end of the class. Assignments such as this one or classes which are set up as "cut down classes" just aren't consistent with that.

    It works the same way on the other end; I had a few professors in college who would cancel class on a fairly routine basis. Hey, I enjoy the odd day off as much as anyone else, but I'm paying a lot of money based on the assumption that I'm going to be getting something in return -- if I were to subscribe to a magazine and then only get 2/3rds of the issues, do you think I'd be within my rights to object? Hell, the overly easy classes were bad enough; I actually had a few that graded based mostly on attendance. Yeah, getting the most for my tuition dollar there.

    Anyhow, I know there are folks out there who are going to disagree with my view of a University education, and that's fine, but regardless I would really encourage you not to accept this lying down. I know as a student it often seems like you're powerless, but if 25 of you (and your parents -- I know you're an adult, but schools listen to parents) get together and make yourselves heard, you'll probably end up with a satisfactory outcome.

    • by jdray ( 645332 ) * on Wednesday December 15, 2004 @06:21PM (#11098151) Homepage Journal
      I wouldn't get too worked up about it until it happens. I had several college profs who started out the terms saying how they were strict about assignments getting turned in, and how you could fail if you didn't do this or that; I rarely found their bite to be as bad as their bark. Mostly they want to put the fear of them as a deity figure in you, then be gracious later. If they get overwhelmed, they've set a good baseline to fall back on.
      • From time to time you do get a normal human being lecturing you, but often you get an inhuman prick whose real mastery is in manipulating human emotions. I've watched a calculus prof reduce many female students to tears...and I'm thinking, what is it dude, a sexual thing? I mean, come on, show some dignity and respect for the students.

        The problem is that many of the profs have no professional experience outside the academic realm. None. Amazing as it sounds, they go from graduate work to post-doc to the fac

        • It's no coincidence many sleep with their students, it's often the only way they can get laid.

          This is false.

          We sleep with our students because they're just so damn sexy in their cute little spring wardrobes.

          (I'm joking, I'm joking; stop slapping me with that trout already!)

      • by Anonymous Coward
        Mostly they want to put the fear of them as a deity figure in you...
        Wrong. Mostly they want to get the lazy and uninterested students to drop their course.
    • by Marxist Hacker 42 ( 638312 ) * <seebert42@gmail.com> on Wednesday December 15, 2004 @06:22PM (#11098168) Homepage Journal
      Not disagreeing- but if I was this student, I'd get a few buddies together from the class and point out to the prof:
      1. This is the first term this class has been taught.
      2. Nobody did well with the homework if the entire class of 25 students only found 44 holes.
      3. Even those who were among the best students in the class, getting A's on all the exams, only found 2-3 holes.

      Therefore the grades should be assigned to fit a bell curve based mainly on test scores and minimizing points earned for the homework.
      • you really think djb cares? given his well known history of being supreme asshole of the known universe?

        fwiw this was obviously djb trying to get his students to dig up ammo for him to go on another one of his public penis-waving tantrums, acting all smug and high and mighty again (oh lookit me i wrote qmail and its all uber secure, and wooo lookit all the MISERABLE LAMERS WRITING SHIT CODE!!1!!111!)
        • No- I don't think djb cares per se- but that's the first step. ALWAYS go with the chain of command method while protesting- then you can make a monkey of yourself in the Secretary of Defense's press conference and get your name in all the papers.

          Same rules apply for universities, as the army, private industry, etc.
        • by edunbar93 ( 141167 ) on Thursday December 16, 2004 @03:19AM (#11101888)
          oh lookit me i wrote qmail and its all uber secure

          That's cute. His code may not have any bugs in it, but damn, does it ever have some huge logical flaws.

          Qmail has the lovely lack of ability to reject e-mail while the SMTP connection is still active. What it does instead is it creates and sends a bounce message itself, instead of leaving that up to the sending server. What happens when you do this is you allow spammers to send e-mail to recipients in the To: line instead of the From: line, just by putting in a bogus To: line and putting the real recipient in the From: line.

          There's a patch for this, but it involves setting up a list of e-mail addresses that are allowed to be accepted. Once you have several thousand e-mail addresses all over the place courtesy of Vpopmail, this becomes an impossible task.

          So no, this man isn't a perfect programmer.
    • by Saint Stephen ( 19450 ) on Wednesday December 15, 2004 @06:28PM (#11098217) Homepage Journal
      My algorithms class was like this. I aced every test but didn't complete the Travelling Salesman program successfully. I got an "incomplete" and had to come to summer school. Boy was I mad at the time but I see now why they did it. All or nothing.
    • by mateomiguel ( 614660 ) <matt_the_grad@yaho[ ]om ['o.c' in gap]> on Wednesday December 15, 2004 @06:30PM (#11098238)
      "As a student, I'm the consumer. "

      No, no, and hell no. As a student, you are a student. Leave your stupid consumer victimization routine in suburbia, where it belongs. Don't try to bring that crap to academia.
    • I don't have any problem with the concept of an entire class failing a course. Why you think that a professor failing his entire class constitutes a failure on the part of the university is a mystery to me: would you be so opposed if a professor failed an astronomy class that failed to put the planets in the correct order or an economics class that couldn't describe how supply and demand affect prices?

      Frankly, I think you're jumping the gun here. Ten is a nice round figure and one that suggests that it mig
      • by Skyshadow ( 508 ) * on Wednesday December 15, 2004 @06:46PM (#11098393) Homepage
        I don't have any problem with the concept of an entire class failing a course. Why you think that a professor failing his entire class constitutes a failure on the part of the university is a mystery to me: would you be so opposed if a professor failed an astronomy class that failed to put the planets in the correct order or an economics class that couldn't describe how supply and demand affect prices?

        Frankly, I think you're jumping the gun here...

        I didn't jump the gun, I provided a qualified statement. You know, "if he does this then you should do this".

        Now, let me provide another statement which may or may not apply to this specific case (since we haven't seen grades yet): Any time an entire class fails, it is on the professor's shoulders. Since we assume that the people in the class are both mentally competent and reasonably intelligent based on the fact that they're in college, and excepting odd situations (a 1 or 2 person class, for instance), a near-100% failure rate can only be one of three things:

        1. The professor has created a class which cannot be successfully completed given the time constraints and the level of the students.
        2. The professor has completely failed to impart his knowledge to the students.
        3. The professor has based the grades on items which do not accurately reflect what was taught in the class.

        Implying that a professor who fails all or nearly all of a given class has competently done his/her job is nonsense. It's not "part of the learning experience", it's a professional failure on the part of the professor and needs to be treated as such. In any event, when this sort of extraordinary event occurs, the University itself is responsible for allowing that failure to occur.

      • by Punk Walrus ( 582794 ) on Wednesday December 15, 2004 @06:48PM (#11098418) Journal
        Why you think that a professor failing his entire class constitutes a failure on the part of the university is a mystery to me: would you be so opposed if a professor failed an astronomy class that failed to put the planets in the correct order or an economics class that couldn't describe how supply and demand affect prices?

        That's different, and it's still bad because that reflects poorly on the professor. If you were a university, would you want to hire a professor of astronomy who couldn't teach people the basics (for whatever reason)?

        What most of these posts are saying is that this professor did not grade these students on a reasonable test of their skills. It's kind of like a professor of Art History requiring students to discover a previously undiscovered Picasso. Sure, some may exist in people's basements or garage sales, and sometimes a new piece of art from an expired artist shows up on the auction block from a previously unknown collector of rare things, but would you consider it fair to flunk art students who could not find a new Picasso? How would you rate such a find, grade-wise?

    • by plopez ( 54068 ) on Wednesday December 15, 2004 @06:37PM (#11098314) Journal
      It could be the prof was trying to weed out the riff-raff (those who think they are hot but are not, etc.). But giving such an open ended project at the undergrad level is extreme. It is appropriate for grad school, where research projects sometimes are not completed, but not undergrad (I assume by the number it is undergrad).

      I actually had a class like that, expected to fail but passed because I actually did a lot of work on the problem and it showed. This may be one of those cases. Remember, research is about trying your best but still failing, actually most of the time.
    • Crash.... (Score:3, Interesting)

      I've reported 4 stack/pointer based crashes in Konqueror in the past couple of days and they just came to me without looking.

      If I could have crafted an exploit for the crashes then that would be 4 holes.

      All the students needed to do was look at the current/recent bugs list for a version of software.

      Identify bugs that could possibly be exploited. (say maybe 100)
      Run automated buffer/stack exploit checking software against those bugs.

      hope to get 10 criticals.

      Khtml's probably a good choice for exploiting at
  • by Nom du Keyboard ( 633989 ) on Wednesday December 15, 2004 @06:18PM (#11098115)
    After 300 hours of work and an A average on the exams, I expect to fail the course.

    All you need to do is find one more hole, this one in the campus records department, and exploit it for improving your grade. If you have an "A" average otherwise, another "A" will look right in place. It's the "D" average people suddenly getting "A"s and "B"s that draw suspicion.

  • by pchan- ( 118053 ) on Wednesday December 15, 2004 @06:19PM (#11098125) Journal
    After 300 hours of work and an A average on the exams, I expect to fail the course.

    but we've all learned a valuable lesson: don't take a class taught by DJB
    • by Ars-Fartsica ( 166957 ) on Wednesday December 15, 2004 @06:27PM (#11098212)
      Who signs up for hard classes in fourth year? Duh! You've practically got your degree. Sit back, uncap a cold one and choose from the many many many easy courses every school offers to fourth year students.

      It's well known that every college grinds out the poor students in the first two years...if you've made it to fourth year, it's time to ladle up some gravy and bolster your GPA in time for grad school applications, resume bolstering, etc.

      So the real moral is that the most intelligent students are the ones avoiding the course altogether. If you want to get an education in unix security holes, go read the OpenBSD mail archives.

      • If you assume it is stupid to pick harder classes, then you are assuming everyone's goal is laziness. If a person has a goal of learning interesting things, then it is not necessarily stupid to take a hard class. This sounds like an interesting class - the only problem is the grading is poorly thought out.
  • Better link (Score:3, Informative)

    by generationxyu ( 630468 ) on Wednesday December 15, 2004 @06:19PM (#11098138) Homepage
    to Kris Kubicki's mirror is here. [uic.edu]
  • Hmm... (Score:4, Funny)

    by excaliber19 ( 750206 ) on Wednesday December 15, 2004 @06:22PM (#11098160)
    Perhaps Microsoft should try this strategy. I'm sure the kids would thoroughly enjoy that assignment! They'd have bugs coming out the wazoo! A's for everyone!
  • What? (Score:4, Insightful)

    by jjshoe ( 410772 ) on Wednesday December 15, 2004 @06:22PM (#11098165) Homepage
    What no djb tools on the list? That seems the quickest way to fail, find an exploit in a djb tool.
  • by caluml ( 551744 ) <slashdotNO@SPAMspamgoeshere.calum.org> on Wednesday December 15, 2004 @06:23PM (#11098171) Homepage
    Hey! I've found remote roots in OpenSSH, Apache, and Bind. If you run the file below, you can get root.

    [ Part 2, Text/PLAIN (charset: unknown-8bit) 95 lines. ]
    [ Unable to print this part. ]
  • by Mr. Slippery ( 47854 ) <tms&infamous,net> on Wednesday December 15, 2004 @06:23PM (#11098175) Homepage

    I see the two specific items linked to are buffer overflow exploits. Anyone learning to program in C needs to have good buffer discipline beaten into their heads.

    It's like wiping your butt after crapping - mandatory basic hygiene. If you can always remember to wipe your butt, you can always remember to watch your buffer lengths.

  • by jgbustos ( 131144 ) on Wednesday December 15, 2004 @06:24PM (#11098177)

    Why take for granted that the number of bugs to be found was expressed in base-10? Why not base-2?

  • by dokebi ( 624663 ) on Wednesday December 15, 2004 @06:25PM (#11098186)
    Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course.

    Define "failed." They failed to find holes? Or they failed the course?
    I seriously doubt a prof would fail an A average student for not being able to find a hole for an assignment. Extra credit, maybe, but an F? I mean, WTF?
  • My thoughts. (Score:5, Insightful)

    by Anonymous Coward on Wednesday December 15, 2004 @06:25PM (#11098188)
    Thesis: This professor is retarded.

    Evidence to support this belief:

    1) Giving homework to "go out and find some exploits" doesn't teach you anything and has a very unpredictable "path to completion"; i.e., it's not like there's a "problem" to solve, per se. It's simply a matter of some students having gotten lucky whereas others failed.

    2) "After 300 hours of work and an A average on the exams, I expect to fail the course." Either the student is overly-pessimistic (which is possible), or the prof has done very little to: (a) boost morale, reassure students, or instil confidence; or, (b) grade students appropriately for the effort that they've put in. I think that the truth always lies somewhere between the extremes ... which would lead me to believe "a little bit of both".

    3) "In a class of 25, 44 security holes seems a bit low." I highly doubt this, but then again, it entirely depends. If you're trying to find a security hole in "telnet" or "finger", I think you'd be outta luck -- the average joe undergrad would be better off picking random numbers to win the lottery than to find holes in software that has been tried, tested, and true for years.

    Alternatively, if you just go to http://freshmeat.net and find some little backward project coded by a grade 9 high school student -- well, yeah, I think that an exploit should be pretty straightforward. Which leads me to ask: What the fuck does this assignment actually prove/teach? (See point (1), above.)
    • Re:My thoughts. (Score:5, Insightful)

      by slavemowgli ( 585321 ) on Wednesday December 15, 2004 @06:41PM (#11098350) Homepage
      It teaches you that professors can be asshats/idiots/..., too, and that you should not take classes taught by DJB. Furthermore, it teaches you that in life, you will still get treated like shit even when you're paying for things (like your education, in this case), and that having a famous name (like DJB) is more important than what you actually do.
  • What's the deal? (Score:5, Insightful)

    by retro128 ( 318602 ) on Wednesday December 15, 2004 @06:27PM (#11098213)
    The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software.

    10 for each student? I doubt DJB himself could find 10 on his own inside of a semester.

    In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course.

    I guess the whispers I've been hearing about DJB being a complete asshole are true. It is always nice to have your academic future dictated by such people to your disadvantage, even though you may be a cut above the teacher himself. And in the meantime he will take credit for your work while simultaneously failing you. Thank you, sir, for reminding me why I dropped out of college.
  • by fireboy1919 ( 257783 ) <(rustyp) (at) (freeshell.org)> on Wednesday December 15, 2004 @06:29PM (#11098227) Homepage Journal
    He pretty much gave them free rein. ANY OSS at all!

    Have you seen CPAN? Half of that code is something someone hacked up in a day! And what about all those sourceforge projects that have one developer and less than 10000 lines?

    Meanwhile, almost every piece of code that this class is looking at is stuff that's already had a once over - heck, probably even been looked over thousands of times. No wonder they couldn't find any bugs. They were looking in the houses, not the motels.
  • by JoshMKiV ( 548790 ) on Wednesday December 15, 2004 @06:30PM (#11098237) Homepage Journal
    If the majority of the class failed, then the professor failed YOU.
  • by monopole ( 44023 ) on Wednesday December 15, 2004 @06:36PM (#11098297)
    Enrico Fermi supposedly failed every single person who ever took his Quantum Mechanics course at the University of Chicago. A special footnote had to be added to transcripts as a result.

    The pity is that such a strategy allows for no differentiation between people who are working at their full capacity and goof-offs who sleep through class.
    • by tootlemonde ( 579170 ) on Wednesday December 15, 2004 @11:20PM (#11100609)

      Enrico Fermi supposedly failed every single person who ever took his Quantum Mechanics course at the University of Chicago.

      This story is not likely.

      Fermi only gave the quantum mechanics course once in 1954 [physicstoday.org] in the last year of his life. He was known as an outstanding teacher [iop.org], always willing to help students. His notes for the course were published in a book titled Notes on Quantum Mechanics [amazon.com] with additional material supplied by one of the students. None of the reviews I've found mention the story about all the students failing.

      One of his colleagues writes [physicstoday.org]:

      Fermi's legendary classroom teaching was the fruit of careful preparation. He seemed to derive pleasure from the act of teaching, without regard for the result. He never showed annoyance at a student's failure to grasp on the first try (or even the second) what he was trying to explain. On the contrary, if Fermi had to repeat an explanation, his pleasure appeared to be doubled.
  • by andymar ( 690982 ) on Wednesday December 15, 2004 @06:37PM (#11098313)
    "Multiple vulnerabilities were discovered in MPlayer by iDEFENSE, and more were found by us while reviewing the code"
    http://www.mplayerhq.hu/ [mplayerhq.hu]

    "New xine-lib released. This version addresses multiple security vulnerabilities in the PNM and Real RTSP clients. All users are advised to upgrade to 1-rc8. The release also includes several bug fixes and new features"
    http://xinehq.de/ [xinehq.de]
    • by iive ( 721743 ) on Wednesday December 15, 2004 @08:22PM (#11099224)
      Please mod the parent up.

      As one of the mplayer developers, I would like to thank DJB for giving us (hmm) 16 (?) hours before unleashing exploits in the wild.

      Maybe he is not aware that making the right fix, testing it and finally releasing it is not so simple a task. Especially if we have to convince the person who has release (write) permissions that his girlfriend is not as important as the security release :)

      Not to say that I still haven't got the mail in my mailbox, despite that gmane shows it has been received.

      Also mplayer-dev-eng@mplayerhq.hu is the more appropriate maillist to send security issues. (MPlayer documentation will be updated accordingly.)

      The exploit that was found in MPlayer is not alone. There are at least 2 other places with similar exploitable behaviour in the same file. I guess the students keep them for next semester.

      BTW code originates from Xine, probably it is time to update our version ;)

  • by fuufump ( 840716 ) on Wednesday December 15, 2004 @06:40PM (#11098343)
    The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software.

    "There are only 10 types of people in the world: Those who understand binary, and those who don't"
  • Fuzz testing (Score:5, Interesting)

    by ScottMaxwell ( 108831 ) on Wednesday December 15, 2004 @06:44PM (#11098383) Homepage
    If you want a quick and easy way to find potentially exploitable bugs, try fuzz testing. This is as simple as it could be: feed random data (e.g., from /dev/random) into applications until you crash one. That usually means there's a buffer overflow, which you can then exploit. Re-run the test under a debugger to pinpoint the exact cause of the crash, then craft an attack.

    The better approach is to create one or more large files of random data and feed that into the apps; this is better because it gives you a reproducible stream. (Or you can use a Perl script with a known srand() seed.)

    The term "fuzz testing" comes from a seminal 1990 paper [wisc.edu] (and followups in 1995 and 2000) by Barton Miller et al., who, incidentally, found much higher quality in GNU tools than in their proprietary counterparts. Before my tendinitis got too bad, I used to run The Bulletproof Penguin [pacbell.net] a one-man project devoted to stamping out such bugs (my initial goal, easily achieved, was to eliminate all the bugs reported in the original paper). Ben Woodard was doing something very similar [sourceforge.net] for a while, but I don't know whether he still does.

    Incidentally, this makes a certain recent Slashdot story [slashdot.org] more embarrassing: it seems that free Web browsers crash on malformed input, the kind of case that free software normally handles better than its proprietary competition.

  • by Bazman ( 4849 ) on Wednesday December 15, 2004 @06:45PM (#11098388) Journal
    To me, a remote exploit is something that exploits a running server. Most of the examples seem to be trojan horse attacks, getting the user to run an application on a file which overflows a buffer in the application.

    Example: http://www2.uic.edu/~kkubic1/securesoftware/26.txt

    Jonathan Rockway, a student in my Fall 2004 UNIX Security Holes course, has discovered a remotely exploitable security hole in NASM. I'm publishing this notice, but all the discovery credits should be assigned to Rockway.

    The only way I'd call this a remote exploit would be if someone has written an apache module that takes some assembly code and returns an executable. I don't think that's a very common setup.

    Baz
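    Several comments above circle the same technique without showing it: Mr. Slippery's point about watching buffer lengths, the "Crash...." comment's plan of running automated crash-hunting against a target, ScottMaxwell's description of fuzz testing with a reproducible random stream, and Baz's observation that these holes are triggered by a malicious input file rather than a network packet. The C program below is an added example written for this page; it is not code from the course, from any of the listed projects, or from any commenter. The "chunk" record format (a 2-byte big-endian length followed by that many payload bytes) is constructed for the example and stands in for the length-prefixed fields found in real image and media formats; the function names are hypothetical. It shows the bug class the students were finding (a length read from the file is checked against the input but not against the fixed-size destination), the bounds-checked form, and a seeded fuzz driver that runs the reader in a forked child, counts crashes, and reports the first crashing seed so the exact bytes can be regenerated for a debugger.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/resource.h>

/* memcpy via a volatile pointer: forces a real call with the run-time length. */
static void *(*volatile real_memcpy)(void *, const void *, size_t) = memcpy;

/* Constructed record: 2-byte big-endian length, then payload. Vulnerable reader:
 * the length is checked against the input, never against the 32-byte stack buffer.
 * Returns the first payload byte, or -1 if the record is too short. */
static int parse_chunk_vulnerable(const uint8_t *data, size_t size)
{
    char name[32];
    if (size < 2) return -1;
    size_t len = ((size_t)data[0] << 8) | data[1];
    if (len > size - 2) return -1;        /* stays inside the input ... */
    real_memcpy(name, data + 2, len);     /* ... but not inside 'name' */
    return len ? (unsigned char)name[0] : 0;
}

/* Hardened reader: the attacker-controlled length is also checked against the
 * destination; an oversize field is rejected (-2), not silently truncated. */
static int parse_chunk_hardened(const uint8_t *data, size_t size)
{
    char name[32];
    if (size < 2) return -1;
    size_t len = ((size_t)data[0] << 8) | data[1];
    if (len > size - 2) return -1;
    if (len >= sizeof name) return -2;
    memcpy(name, data + 2, len);
    name[len] = '\0';
    return len ? (unsigned char)name[0] : 0;
}

/* Seeded 32-bit LCG: one seed always yields the same bytes, so any crashing
 * input can be regenerated exactly for a debugger session. */
static uint32_t fuzz_state;
static uint32_t fuzz_rand(void)
{
    fuzz_state = fuzz_state * 1664525u + 1013904223u;
    return fuzz_state >> 8;
}

/* One well-formed record (declared length == payload length, 0..65535 bytes)
 * derived from 'seed'; returns the record's total size. */
static size_t make_input(uint32_t seed, uint8_t *out, size_t cap)
{
    fuzz_state = seed;
    size_t len = fuzz_rand() & 0xFFFFu;
    if (len > cap - 2) len = cap - 2;
    out[0] = (uint8_t)(len >> 8);
    out[1] = (uint8_t)len;
    for (size_t i = 0; i < len; i++) out[2 + i] = (uint8_t)fuzz_rand();
    return len + 2;
}

typedef int (*parser_fn)(const uint8_t *, size_t);
/* Runs the parser in a forked child so a crash cannot take the driver down. Returns 0 on
 * a clean exit, the killing signal (SIGSEGV/SIGABRT are the usual overflow symptoms),
 * or -1 on a nonzero exit (e.g. a sanitizer runtime reporting the overflow). */
static int run_isolated(parser_fn parse, const uint8_t *data, size_t size)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct rlimit no_core = { 0, 0 };
        setrlimit(RLIMIT_CORE, &no_core);  /* crashes are expected: no core files */
        parse(data, size);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return WEXITSTATUS(status) == 0 ? 0 : -1;
}

/* Tries 'iterations' seeds from base_seed; returns how many inputs killed the
 * parser and stores the first crashing seed in *first_bad (may be NULL). */
static int fuzz_campaign(parser_fn parse, uint32_t base_seed, int iterations, uint32_t *first_bad)
{
    static uint8_t input[2 + 0xFFFF];
    int crashes = 0;
    for (int i = 0; i < iterations; i++) {
        uint32_t seed = base_seed + (uint32_t)i;
        size_t n = make_input(seed, input, sizeof input);
        if (run_isolated(parse, input, n) == 0) continue;
        if (crashes++ == 0 && first_bad) *first_bad = seed;
    }
    return crashes;
}

int main(void)
{
    uint32_t bad = 0;
    int c = fuzz_campaign(parse_chunk_vulnerable, 1, 40, &bad);
    printf("vulnerable reader: %d/40 inputs crashed it, first crashing seed %u\n", c, bad);
    printf("hardened reader:   %d/40 inputs crashed it\n", fuzz_campaign(parse_chunk_hardened, 1, 40, NULL));
    return 0;
}
```

    Build with `cc -o fuzzdemo fuzzdemo.c` on any POSIX system. Because the generator is seeded, reproducing a crash is a matter of calling make_input with the reported seed, writing the bytes to a file and running the real target on that file under a debugger, which is the re-run step ScottMaxwell describes; the same seed on the hardened reader produces a clean -2 instead of a signal. One caveat a real campaign runs into quickly: purely random bytes rarely get past a format's magic number or checksum, so in practice you mutate a corpus of valid files (flipping length fields, as here) rather than streaming /dev/random at the parser.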
  • by wfberg ( 24378 ) on Wednesday December 15, 2004 @07:01PM (#11098533)
    1) Create sourceforge project page under assumed name.
    2) Post forks of programs with extra bugs inserted.
    3) Profit!

    You see - there's a number 2 step, thanks to open source.
  • Duh! (Score:3, Funny)

    by Quixote ( 154172 ) on Wednesday December 15, 2004 @07:26PM (#11098777) Homepage Journal
    I'd fail these students too. Clearly they hadn't heard of DJB and his attitude to sign up for his course. With such a gaping hole in their knowledge, they deserve to get an F.
