Comment by dmurray 6 months ago

4 replies

Great post and great attitude. Little bit of a mixed message from this:

> Within the aims of the module this is fine - this is an introduction to security module so if you can exploit it like this, you're not really the target audience and you've already achieved the aims of the module.

> This isn't going to save me any time - I still need to do the assignments because they're assignments for a University module, which is supposed to teach me things. If I don't do the assignments and effectively cheat by submitting tokens I recover this way, I personally will suffer and not know what I'm doing in enough detail when it comes to the final exam and just generally will lack this knowledge that might be useful in future.

Which is it? This introduction to security module couldn't possibly have anything to teach someone who already has this level of ability, or it could?

akpa1 6 months ago

I see the contradiction there!

The bit about the "aims of the module" comes from its aims to get people thinking in a certain way about security, something I definitely already had. But that doesn't mean it had nothing to teach me - it was quite a while ago that I took it, but one exercise about the nuances of the setuid bit and how misconfigurations could be exploited stands out as something I doubt I'd have come across otherwise. There was also plenty of content on cryptography and basic binary reverse engineering/attacks that I'd not seen before.

My level of ability and knowledge isn't consistent - some places I'd dug into more, and some less. With tech, there's always more detail to be explored and more learning to be done, even in areas I'm familiar with.

(I wrote the article)

saghm 6 months ago

To me, the first paragraph you quoted seems to be describing the modules themselves in the abstract, whereas the latter is about the university testing environment. There are plenty of things that I could do given ample time and the ability to look things up but would struggle to answer detailed questions about in a timed context without any notes or access to the internet. I think it's a fairly well-established concept that actively restating something you already know helps with recall later, like how the act of writing notes is considered to be useful even independent of studying them later. In the outside world, if you already know these concepts, you'll be able to refresh yourself about them easily enough whenever you end up needing to use them, but when you're getting tested in school, you need to do the refresher beforehand, and going through the exercises as they're intended is a pretty reasonable way to do that.

pastage 6 months ago

When you do problems from books, you do them to get faster and to discover edge cases and that is where you learn stuff. Being able to mount a disk image is a good thing to know how to do in security research, but it is not enough.

I do not know how these exercises were made, but it sounds like in the beginning they had a central server for tests, probably not security things, and then someone just moved that software to VMs to let the students be more flexible.

  • glitchc 6 months ago

    You may be right, of course. However, it's worth noting that switching to VMs changed the security posture of the exercise and it's not an encouraging sign that the cybersecurity faculty did not pick up on it.