 Cool. Why is it good? Oh, oh, you just separate the two. Yeah. Yeah, yeah. To make it easier. Yeah, if you, it has your SSH key. So if you're using the same SSH key, it won't ask for your password. So that should be easier for you all. That's why using SSH keys is awesome. But anyways, what's up? Is there like a command to see our individual scores or like, if we need to do that, do we just have to go into the scoreboard every time and search for our name? You can use the grep command. But yes. So for instance, although it probably doesn't look very nice, but something like this. Do I need to restart the system? Mine also says system restart required. That just means packages need to be updated. I guess I should do that since you guys are a bunch of hackers. Well, this is good. I may reboot the server now. Cool. All right. So we're going down. It'll come back up. Do LS dash LA. Oh, some of your usernames are absolutely crazy. I'm shocked that some of these actually worked. It's not your ASU password. It's not the password you use for the site, right? Because of hashing. I don't know your ASU password. I don't want to know it. And I don't know the password used for the site. It's sent to you in email. No, nothing inappropriate. More just like. Oh, it should be back up now. But yeah, some people have usernames with stars in them. So they're like, there's a few people whose usernames starts with a star. And I didn't know Linux would accept that, but it does. And so that's going to be very fun for that for those people. Yeah, very. They'll be a surprise Pikachu. If you haven't received your email, let's say ping me on discord right now. Because after the fact, don't do it. You'd also be able to log in, right? I mean, using your account. And as long as you're using your past as a key, you should be able to just SSH today. If you have your SSH key, yes, but the password, they don't know it's a random password. Yeah, yeah. Yes, you can change the password with PA. 
I think it's just passwd is the command. Yeah, password. And we'll, I'll write up a web page that has all this stuff. I just didn't have time. As you know, the emails went out like at 10. So, okay, I'm getting some Discord pings. So do we want to take bets on how long it takes somebody to get to the top? Two hours. Is the, is the groups challenge just supposed to spit my name out? Or am I doing something wrong? I'm assuming I'm, there's a command called groups that would spit out my name. Oh, no, no, no, the group challenge. You have to execute the program and slash of our challenge groups slash groups. I think that's what I did. Let me double check, but last time I did it. I didn't know. No, that's if you execute just the program groups, it will do that. Is there a way to see just my score and not the whole scoreboard? No, not yet. I got it. Thanks. Well, you can do use the grep command. Basically if you do score. What do we say? Could not resolve how the same. Interesting. We can use. Which one is the best one to start with? Start with just execute me first. And then I would start playing around with different ones. Just execute me is fairly easy. Secure this house is kind of based on stuff that you have already done before. I will say rock me is supposed to be a difficult, like extra credit level one since we didn't really cover rock, but that's something you can go and learn and do on your own. I'm going to share my screen so you all can see. I want the I turn. I'll just leave that command up there. Wireshark is what you want. If you're having a password problems, ping me on Discord and I can help. Just score. I'm going to run the challenge itself. It will tell you the command. It's an SCP command. This will be fun. We can watch the scoreboard move. Yeah. Had a similar thing like this in grad school. I created that we had TVs in the lab. So I created this. Use this as a scoreboard that would auto refresh. So it was constantly showing how everyone was doing. 
I don't know what nobody has any money on prime daddy. They were the best scammer. Or do we not think that translates. Yeah. Yeah. That's right. Okay. I guess that's a better name. You're supposed to run lead when you break. Break a challenge. So some challenges will call it for you. And it'll be kind of clear. Like. The password one we looked at with the traffic dump. Once you give the password, it will call lead for you. Other ones. You may have to force the binary or the application to call the lead function. And you can do which. You can call the which command is shows you where it is. So if you dive in which lead, it will show you the path. Yeah. If you run it directly, it'll, it'll just tell you that you're not in any of the levels. You haven't broken anything. What do you mean mess with? So you don't have to, you shouldn't have to mess with it. Well, there should be, it's a setuid program. So there should be no bugs in it. I hope, but there's not a phishing-related challenge yet. We weren't able to get it in time into here, but I will try to add one depending on how people feel about it. So. I don't know why these emails didn't come out. Do you guys are, are you guys flagging me as a spammer or something? Because they went out. And then I also heard some students who didn't. Receive the email. Yeah. Yeah. I know there's something wrong with this use mail server today this morning. I also got complained with other PhD students. That is the issue. Could be. Could be. Oh, it's a great excuse to not reply to emails. So it's awesome. That's a good idea. The cool thing about the public scoreboard is you can definitely like after it's been out for a bit, you can tell which ones are the easier challenges. So you can know how to spend your time. Let's see. I think I can give a demo. Yeah. Adding you to the group message means that you passed the challenge and then run score to verify that you've passed that. Okay. 
So the question was, how do I supply the text in a file as a command line argument? So you can do that with. What's the best way to do this? I think it's something like this. Okay. Just cat test. So what this is doing on the command line. If you can see the screen. So this is the in on the command line. Dollar sign parentheses is how you execute other commands. So this is saying cat out the file test and then put it right here and enclose that in double quotes. So it's one thing. So if we look at cat test. It's the text var challenge. Okay. Okay. Excuse me. L s. This it's running the same exact thing as L s var challenge. It would be cool if I can, we can figure out how to do the text like at an angle. So it's a takes up less of the screen. What are the permissions on that file? Do L s dash LA to look at the permission so you can understand what's going on. Nice. There's something probably like 80 ish of you out there. Yeah. Which I think I mentioned this in class yesterday, but it's like the last possible date we could have an assignment do so that you guys have the most time on the assent on the final. Cause we need to submit grades like right then. So. Oh, Tiff, are you writing up the description for the website? Yes. Thank you. Sure. I will be there in five minutes. Time you. Well, watch my screen. Let's see what happens. Yeah. Yeah. It's part of the challenge. So you should always look at the directory and see what's in there. Right. So. Especially because there's this C source code. So that should help you on your way. Read the code, figure it out. I guess we've been nice to you, right? As I'm in five, you've actually been learning how to read assembly code. Excuse me. So you could reverse engineer this read secret binary and figure everything out, but to help you along. You can read the source codes. 
This is why it's always super important to make sure you look at that directory, look at, and always do LS dash LA, look at everything in that directory to see what's in there. Right. So the challenges that don't call lead means that you have to, your goal is to force the challenge that to call lead. So the executable may or may not do it automatically. It really depends on the challenge itself. So you should look at the challenge. Some of them will call it and some of them won't. So like the password ones, if you get the password, it will call the other ones. Like if it doesn't call lead, your goal is then to force it to like exploit a vulnerability in that program in order to force it to call lead. Oh, is that the first basic overflow solve? Nice. Do you guys think I should even post this recording? I guess I will just so that the Wednesday, Monday, Wednesday people can see it, but no, no, I'll definitely post the early recording. I just don't know. There's a lot of dead time of me helping people on discord. I don't know. I don't know. I don't know. Okay. I'll post it. I'll post it. Yeah. And they won't even see the, the texts. It's just like I'm talking to nobody. So yeah, they don't know that I was doing an evil laugh on behalf of Emma, because they finally figured out how to get an attack file into the program and exploited it. That'd be a good recording. I should have a sound board of various recordings. Ooh, maybe you're not real. And I'm imagining all of this. That's only my worst nightmare. So thank you for that. Have you all. I always think of the movie. Have you seen the movie? Beautiful mind. Hey, Tiffany, they're saying yes. So they've, some people have seen it. Yeah. Yeah. Start thinking back and you're like, shoot, could all these people in this class be real? Technically, I've never met any of you. So you could all be robots or Russian plants or AI has gone wild. I've at least met Tiffany in person. So I know she's real. I think she's real. 
But how do I know maybe the person introduced her to me is not real and all that stuff. Oh, that's right. Steven, I have met you. That's right. Well, I don't know that you're you though. Yeah, that was also if I have zoom. See, you're just a, you could be an actor hired to somehow trick me. You're just a little baby program, learning how to hack. It's great. We love, you're like a, like those baby fawns that are just, you know, using your legs the first time on a computer hack and stuff. I mean, I don't know how to answer that. I mean, the main thing I always do is just double check, look at the permissions of whatever that file is right to see if you should or should not have permissions to it. So somebody's asked me in a private message, but, you know, make sure for challenges like our challenge. I wouldn't say 12%, I'd say 12 points. I think that's a little bit easier, but yes, they're the same thing as you know. If you want to secure this house, right? If we look at that, there's two files in there. If you do secure this house.py and you execute that. And you actually whatever, get it working. You will not get the flag because it doesn't have the right permissions. So you need to make sure you execute secure this house. This actually will, will help you break it. Now I have to go fix that typo. How come none of you told me this. There's also one in successfully in the, well it's successful with two L's. You don't have the typos are intentional. Yeah, maybe it's a, like a side channel. We're leaking information through typos. Sorry, I didn't get it. I was too much in debugging mode. Jokes go over my head. Got about five minutes left. Any final questions? Five minutes last five minutes. Okay. So we're going to go ahead and do some of our beautiful CSE 365 time together this semester. Is basic overflow supposed to print like a message at the start? Cause it's just asking for arguments. 
I know I can probably dig through the files to find out like what arguments to pass it or something, but I said no, it was supposed to print anything at first. I have no idea. I would also just run it and see what it does. Sounds like any. Okay. So I'm going to go ahead and go ahead and do some of those. There's like five lines of code. I'm sure you can figure, you know, read those, that's C code. Final due May 2nd. Let's just say the last day will stop. And there's obviously no late, no late anything for the final. As grades are going in. So basically that Monday morning, we'll email you with all the grades we have. If there's any questions, let us know. Tiffany, do you teach any other classes? No, I. I'm not going to teach any classes. Not this semester or next semester, but Adam, you would teach a class next semester, right? Nope. You don't semester after that. Yeah. Okay. Cool. But in the past you've taught what, what are some other courses you've taught? I taught a five 98, which is a topic class for. In the past, I taught a five 98, which is a topic class for security. So for security has a banana as a game theory. And then I taught a five 45, which is stuff for security. And Adam taught almost all the classes women. Most of the cyber security classes at. Oh, not even close, not even close. I've taught a three 40 in the past. So I taught that for a number of years. 465. So this class when I was at the 400 level, I taught a way long time ago, a grad course on web securities, web vulnerabilities and that kind of stuff. But yeah, I think, I mean, right now I typically teach just 365. Right. And then for those concepts that we covered this semester, I mean, many of them there, I was in most of them, they're closely related to the research that we're doing right now. So if there is anything that you feel interesting, you can just think of us and we can talk and then we can see if there's anything that we can work together on some very cool research projects. 
At classes that we recommend after this, if you're really into this hacking stuff. 466 is the spiritual successor really to this class. So from there you go from, you know, it's basically like the binary or the application security part of this class, but really in depth, like an entire course just on that, taking you from this stage. You're in now where you're kind of a white belt. And then you can understand what's going on a little bit and taking you through to, I can't remember all the belts. I have to get it straight from yellow or blue or something. Yes, the top is will be blue. So to the point where you can like exploit crazy tcache, you know, heap vulnerabilities and reverse engineer custom virtual machines and all kinds of cool stuff. So, really, I think it's depends on what you're interested in, right? If you're more interested in networking stuff, there's network security. If you're interested in forensics, there's forensics classes. Yeah, there's a decent variety of classes. It's not, you know, not everything, but we have a lot of good stuff. Two more minutes. Cool. All right. We're at the end of this class. And we're actually, you know, at the end of class itself. So, you know, good luck with the assignments, you know, start early, especially for, you know, the CTF stuff. I think it's important, you know, even if you, you don't have to devote a ton of time to it, but a good trick is to like look at each of the challenges to try to see what they're doing. I'd like to kind of get a broad overview and sampling. And if there's something you see right away, maybe work on it for a little bit, see if you can do it. 
If not go to something else and just kind of keep, keep doing that, that process so that even though I know, you know, we both know you have other finals, other projects, whatever that you're doing, but if you can keep thinking kind of in a background process in your head on these challenges, it becomes a lot easier when you come back to them, rather than if you just wait till the Saturday before it's due or something, you'll have a hard time because you don't have that time to think. So I think that will help. And I think the other thing I told this to the Wednesday class and it's definitely true of you all. Yeah, I mean, Tiffany and I are really proud of the class. And, you know, we both know you guys are going through unprecedented times, you know, an entire semester's remote, you're in the midst of a pandemic, don't have a lot of social interaction, all that crazy stuff. So yeah, we're super proud of the progress you made in this course. I mean, think about how far you've come from, you know, some of you not knowing how to, you know, even access SSH and now you're on this system, pwning software, which is super cool. So good job. You're at the finish line. Let's finish strong and then you can enjoy that sweet, sweet summer. Do you have anything you want to add, Tiff? Yeah, I mean, as a harsh professor, I would urge you to start assignment five as soon as possible. I know many of you haven't started the CTF part, like the Stack Overflow. We have only less than 200 people registered yet. And if we're on site, please start. It's going to be very important because you don't have too much time. And we don't want to handle thousands of PIAs that post at safe time. So please start. Also, I also want to say, you know, like you guys really did a good job. We are very impressed. And also we want to thank you guys for your bar, you know, discover, and finance for those books in our system, which I really appreciate. 
Sometimes I know that it's a stupid bug, which I really apologize, but sometimes I know that this is like a brilliant issue that we've never triggered. And we've never realized before, and you did a great job in finding it. Other than that, I don't have too much to say. It's really nice. It's for me, this is a very interesting, a very enjoyable experience to talk to you guys to, you know, go through every interesting part of cybersecurity. And thank you. All right. We'll see you all. We'll be, see you all on the Discord and on Piazza.