37
Condor
6y

Long rant ahead.. so feel free to refill your cup of coffee and have a seat 🙂

It's completely useless. At least in the school I went to, the teachers were worse than useless. It's a bit of an old story that I've told quite a few times already, but I had a dispute with said teachers at some point after which I wasn't able nor willing to fully do the classes anymore.

So, just to set the stage.. le me, die-hard Linux user, and reasonably initiated in networking and security already, to the point that I really only needed half an ear to follow along with the classes, while most of the time I was just working on my own servers to pass the time instead. I noticed that the Moodle website that the school was using to do a big chunk of the course material with, wasn't TLS-secured. So whenever the class begins and everyone logs in to the Moodle website..? Yeah.. it wouldn't be hard for anyone in that class to steal everyone else's credentials, including the teacher's (as they were using the same network).

So I brought it up a few times in the first year, teacher was like "yeah yeah we'll do it at some point". Shortly before summer break I took the security teacher aside after class and mentioned it another time - please please take the opportunity to do it during summer break.

Coming back in September.. nothing happened. Maybe I needed to bring in more evidence that this is a serious issue, so I asked the security teacher: can I make a proper PoC using my machines in my home network to steal the credentials of my own Moodle account and mail a screencast to you as a private disclosure? She said "yeah sure, that's fine".
Pro tip: make the people involved sign a written contract for this!!! It'll cover your ass when they decide to be dicks.. which spoiler alert, these teachers decided they wanted to be.

So I made the PoC, mailed it to them, yada yada yada... Soon after, next class, and I noticed that my VPN server was blocked. Now I used my personal VPN server at the time mostly to access a file server at home to securely fetch documents I needed in class, without having to carry an external hard drive with me all the time. However it was also used for gateway redirection (i.e. the main purpose of commercial VPN's, le new IP for "le onenumity"). I mean for example, if some douche in that class would've decided to ARP poison the network and steal credentials, my VPN connection would've prevented that.. it was a decent workaround. But now it's for some reason causing Moodle to throw some type of 403.

Asked the teacher for routers and switches I had a class from at the time.. why is my VPN server blocked? He replied with the statement that "yeah we blocked it because you can bypass the firewall with that and watch porn in class".
Alright, fair enough. I can indeed bypass the firewall with that. But watch porn.. in class? I mean I'm a bit of an exhibitionist too, but in a fucking class!? And why right after that PoC, while I've been using that VPN connection for over a year?

Not too long after that, I prematurely left that class out of sheer frustration (I remember browsing devRant with the intent to write about it while the teacher was watching 😂), and left while looking that teacher dead in the eyes.. and never have I been that cold to someone while calling them a fucking idiot.

Shortly after I've also received an email from them in which they stated that they wanted compensation for "the disruption of good service". They actually thought that I had hacked into their servers. Security teachers, ostensibly technical people, if I may add. Never seen anyone more incompetent than those 3 motherfuckers that plotted against me to save their own asses for making such a shitty infrastructure. Regarding that mail, I not so friendly replied to them that they could settle it in court if they wanted to.. but that I already knew who would win that case. Haven't heard of them since.

So yeah. That's why I regard those expensive shitty pieces of paper as such. The only thing they prove is that someone somewhere with some unknown degree of competence confirms that you know something. I think there's far too many unknowns in there.

Nowadays I'm putting my bets on a certification from the Linux Professional Institute - a renowned and well-regarded certification body in sysadmin. Last February at FOSDEM I did half of the LPIC-1 certification exam, next year I'll do the other half. With the amount of reputation the LPI has behind it, I believe that's a far better route to go with than some random school somewhere.

Comments
  • 6
    It still sounds like you learned CYA at that school. So the time wasn't completely wasted.
  • 4
    Could you give me some hints as to what institution? I'd like to avoid them
  • 9
    Yeah teachers will find a way to fuck you up. I had classmates who had parts of their code written by a teacher (yes they typed the code, not the student) and when grading day came that same teacher said that the code was shit. I heard that and walked up to him and said "do you know who has written that code? Since I know that you are the one who wrote it"

    Next project, same student
    Day before grading day, student has almost finished the project, teacher came and said "that's not looking good can I change some things?" while deleting 80% of the project and walks away.

    Next day
    "You didn't finish the project, why is that"
    "ehh miss, you deleted everything yesterday"
    "no I didn't? I only removed code that wasn't gonna work"

    I was the only one who had experience programming before going to that school (including teachers) and that had put me in the position of being able to be rude to them since I didn't need the school as much as they did me.
  • 3
    @epse I'd like to keep such information out of public forums (school still has a record of me that adversaries can social engineer out of them after all, and I'm not sure if everything there has been rendered irrelevant over time yet) but I'd be willing to name the school in private? I'm on Telegram as well as Signal. And email of course 🙂
  • 3
    @Condor not sure how to get in touch on signal without making phone numbers public, so email it'll be redacted was it?
  • 3
    @epse yep! Please do edit the email out before the bots get to it though _/\_ the SEO spam is sort of fixed now but To: based filtering is still part of the blocking lists. Some mailboxes turned into serious spam magnets.
  • 3
    @Condor done :-)
  • 4
    I once pinned out a bug in a system that exposed every customer's contact details. I wrote them showing the bug. I'm not in security but would have liked to publish my findings after they fixed it.

    Their response was "what do you mean by 'publish'?"

    Some people are Muppets. They are the majority. Some people are dicks. They're the minority. I don't mind dealing with Muppets up to a certain point.

    However, I have absolutely no brain space for dicks. Consider this a lesson learnt.

    The next lesson will be that your teacher will not let this go. I guarantee that this will not be the end of it. I can either smile and nod and then go do whatever you were going to do anyway (easy route) or go head to head with him. I'm pretty certain the latter option will end badly for you since he has pull over your grades. Don't underestimate how petty people can be.
  • 3
    @polaroidkidd I left that school shortly after the incident. Regardless of their pull on my grades, with Moodle blocked for my VPN server (at the time it was just one of them), I wasn't able to do much for school anymore anyway. And it was kind of the straw that broke the camel's back for me. Incompetence, long commute, etc etc, all fine for me.. but this, that was the end of it. And after that incident there was no way that they wouldn't have become biased against me anyway.
  • 4
    this reminds me of my time in school. first day in new class - we were asked about who we are and what our hobbies are (no IT-related class). I told them that i am programming in my free time. on the same day we had a computer course and something did not work, can't even remember what it was. i think some people could not access a network share. someone told the teacher that i know programming and it must have been me. the teacher came to me and blamed me that i should revert what i have done to the system.
    i explained to him that i could not cause the thing that did not work and that an IT-related teacher should know that (in that course he taught how to use Word and Excel and shit).
    since then he had an eye on me as he must have thought i am some kind of evil hacker or something like that.
    in the last year he gave me a bad grade on my certificate (a 3, only had 1 and 2 apart from that). caused me effort to get a second certificate with my real grade on that paper -.-
  • 1
    I haven't read the comments yet, but please don't let @irene read how skilled you were in school, he'll get super depressed
  • 2
    "That's why I regard those expensive shitty pieces of paper as such. The only thing they prove is that someone somewhere with some unknown degree of competence confirms that you know something. I think there's far too many unknowns in there."

    well said, man.
    when I told my family that a degree in comp sci wasn't a guarantee of anything nowadays, they flipped tfo, as if I was some heathen.

    I've seen horrible developers with degrees too.

    getting certified by a reputed institute makes a lot more sense.
  • 2
    @irene is there anything I could do to help? within the boundaries of the realizable, ofc...
  • 3
    @irene ok, I'm here if I can ever help...
  • 3
    Seriously tho. The amount of ego these fucking teachers have is amazing
  • 1
    @Condor hey man care to answer my email?
  • 1
    @epse Sorry for the wait, was really tired this morning... went for a couple hours of sleep as I was extremely tired, answered it just a little while back though.
    And switched my sleeping schedule from daytime wake right back to nighttime wake again, as it should be (: long time no see, darkness, my ol' friend :3
  • 1
    @Condor hahaha that's fine, enjoy the darkness!
  • 2
    @erandria you're a great person, you know
  • 2
    @epse 🤗
  • 1
    @Condor that's adorable, ya weeb.
  • 2
    @epse thanks man, I appreciate that
  • 1
    I never had anything similar happening in my school, although my teachers were assholes too. For starters, they didn't give a fuck about your knowledge. We had a JS teacher, who told us to create an online store in JS (more of a mockup). The requirements were simple, some HTML and CSS and info about the product when you hover on it. First of all, he forced us to use a theme, may I add, a shitty one. So instead of actually learning CSS, we had to fuck around trying to find relevant code. Second of all, we were supposed to add a form that displayed the message that you typed in "Contact us". Simple, right? So I asked if I can change that a bit and improve it. He said sure. I made it so that you receive an email with the message, and he said he didn't like it. I also added some CSS animations, which he didn't know existed so he thought I just used some JS library... In the end I got B for the most technologically advanced project in my class... So glad that I finished that school.
  • 0
    @Codex404 your teachers were perfect trolls
  • 1
    @electrineer I wish they were trolls, that would mean they were just annoying and not dumb.