> Within the aims of the module this is fine - this is an introduction to security module so if you can exploit it like this, you're not really the target audience and you've already achieved the aims of the module.
> This isn't going to save me any time - I still need to do the assignments because they're assignments for a University module, which is supposed to teach me things. If I don't do the assignments and effectively cheat by submitting tokens I recover this way, I personally will suffer and not know what I'm doing in enough detail when it comes to the final exam and just generally will lack this knowledge that might be useful in future.
Which is it? This introduction to security module couldn't possibly have anything to teach someone who already has this level of ability, or it could?
I do not know how these exercises were made, but it sounds like in the beginning they had a central server for tests, probably not security things, and then someone just moved that software to VMs to let the students be more flexible.
The bit about the "aims of the module" comes from its aims to get people thinking in a certain way about security, something I definitely already had. But that doesn't mean it had nothing to teach me - it was quite a while ago that I took it, but one exercise about the nuances of the setuid bit and how misconfigurations could be exploited stands out as something I doubt I'd have come across otherwise. There was also plenty of content on cryptography and basic binary reverse engineering/attacks that I'd not seen before.
My level of ability and knowledge isn't consistent - some places I'd dug into more, and some less. With tech, there's always more detail to be explored and more learning to be done, even in areas I'm familiar with.
(I wrote the article)
> I'm a little surprised that the source code was included as opposed to precompiled .class files to further obfuscate what's going on, but then again by this point, with the GPG encryption and all, I don't imagine the module team was focused on preventing me from meddling around as much as they were focused on getting a module out of the door
> This entire attack was possible because I have the VM's disk image right here on my computer and I can do absolutely whatever I want to it, such as overriding its access control settings.
This is the key insight. Protecting via VMs and obfuscations does not provide security equivalent to network boundaries and hardware protections. While the encryption step may have helped, it was self-defeating as the key was stored on the VM and the VM was in your control. It would have been much harder (perhaps impossible) to crack if the unique key was ephemerally sourced from a server prior to every decryption coupled with some end state from the exercise.
> Within the aims of the module this is fine - this is an introduction to security module so if you can exploit it like this, you're not really the target audience and you've already achieved the aims of the module.
Yes, it's clear to me that the course has little left to teach you. At this point I would just submit the generated tokens for every assignment and read more complex material. I say this as an academic and a cybersecurity expert.
red_admiral•9h ago
Also, https://xkcd.com/2385/
dmurray•9h ago
The professor hopefully has an interest in actual security research and some level of intellectual curiosity in general. The IT department is more likely to run on security by checklist and certification, and much more likely to throw the student under the bus of some Academic Misconduct Committee.
cornfieldlabs•8h ago
dmurray•5h ago
red_admiral•5h ago
The goal of the assignment is to exploit something anyway, just not necessarily this way. And she got her professor's consent to publish the article.
It seems the system was moved to the cloud in later years with ssh-only access. Exploiting something inside the VM should be fine and maybe a feature for some assignments - probably one reason it's a VM in the first place. It's not like anyone's hacking the university network.
Since there's mention of `@bham.ac.uk` - I forget if it was Birmingham or Brighton or someone else, but the way things work in GB is teachers submit "unreleased" grades after marking their exams, an exam board approves or fiddles with these grades, and then the grades for all students on a course are released together on "results day". A CS student got in trouble somewhere because they passed around the info that you could see unreleased grades in the "learning management system" by selecting "view source" and looking for the "display:none" entries in a table or something like that.
akpa1•46m ago
(I wrote this article)