[HN Gopher] Winning a hackathon, losing my sanity
___________________________________________________________________
Winning a hackathon, losing my sanity
Author : jer0me
Score : 215 points
Date : 2024-03-14 14:15 UTC (8 hours ago)
(HTM) web link (jero.zone)
(TXT) w3m dump (jero.zone)
| jprete wrote:
| I clicked through and skimmed for "losing my sanity". I didn't
| find anything - total clickbait headline - but it was interesting
| to note the utter lack of reasonable ACLing in the university's
| campus food-ordering system, as well as the social engineering
| "attack" of posing as users to post their project and get actual
| users to try it.
| reactordev wrote:
| The loss of sanity I reckon was when they found out about all
| the backdoors and lax security the old system had. Incrementing
| ints for IDs, the session key being part of the URL as a
| parameter, the XML. This may be something you're ok with but
| for those of us who care about security, this would drive me
| mad as well.
| busterarm wrote:
| State University of New York used to famously use students'
| Social Security Numbers for their student ids up until around
| 2005. That student id was printed on your student id card and
| used for just about every system on campus.
|
| They finally changed that system after lots of scams/fraud
| perpetrated against students brought the practice to media
| attention.
|
| Wild.
| bredren wrote:
| I believe it was the same situation at Oregon State, around
| 2003.
|
| Perhaps it was easier for the ID vendor to key against a
| registrar db.
| reactordev wrote:
| Wow... That's definitely worthy of a daily wtf.
| bcrosby95 wrote:
| This was pretty common. I went to two schools that did this
| in the late '90s and early '00s. 'Twas just a different
| time.
| lubesGordi wrote:
| I must've missed the hacking part. All I saw was a phishing
| expedition that resulted in them being able to log in as
| other users (and scrape their data)?
| avg_dev wrote:
| Cool breakdown.
|
| A few thoughts:
|
| 1. I would never be so brazen (brave? have the guts?) as to try
| all of this. I would expect to be rate limited and throttled or
| banned or get a nasty letter from a lawyer or something.
|
| 2. The HTTPie thing was interesting. I am still not quite sure
| what that application is, but I am definitely going to stick with
| curl now.
|
| 3. They demonstrated a number of interesting strategies unrelated
| to tech per se like registering that new domain and getting
| people to add them as a guest account and making those fake posts
| on what I presume is a university message board type thing. I bet
| this is how people who are good at stuff like "growth hacking" or
| developing engagement numbers and such work. Pretty clever. Still
| makes me feel a bit uncomfortable.
|
| A cool story. I was hoping the demo image would say "you at $300
| of omelets" but I guess it is probably not that fine grained?
| crazymoka wrote:
| Reminds me of a fun project I did in 2005. I made a course
| schedule generator that once you picked your courses it showed
| price comparison of text book prices from local university
| bookstore and amazon. I made a bit of money before receiving a
| lawyer call from the university.
|
| Funny part was, they could have used our course scheduler for
| students but no, they wanted students to still hand pick their
| classes one by one.
|
| This let you block off times you didn't want class and it would
| make a schedule around that.
|
| Reason was, "students might think they are registering for
| their class when they are not". We had an alert stating we
| didn't actually pick the classes and to log in __link__ to
| start. Had the same warning everywhere.
|
| I lost the battle.
|
| :)
| lubesGordi wrote:
| I'll be less nice than you and say I'd be pretty mad if I was
| building something legit but lost out to a project like this.
| You not being brazen to phish all your fellow students just
| means you're not an asshole (and I thank you for that).
| tr3ntg wrote:
| Playing devil's advocate here... university systems feel like
| a great place to poke around recklessly like this. Especially
| when presented publicly. Any holes in the system that enabled
| such ease of abuse should be patched up.
|
| I don't know the author but would guess these hacks would
| never be used "in production" or with any system expecting to
| earn money. They're pretty blunt about how hacky it all is,
| and they don't sound happy to have done it.
| masfuerte wrote:
| Eh? They invited the other students to add them as guests.
| Nobody was phished.
| bhaney wrote:
| > I would expect to be rate limited and throttled or banned or
| get a nasty letter from a lawyer or something
|
| None of those things should ever prevent you from sating your
| curiosity.
| rjbwork wrote:
| Cool project and write up.
|
| An aside - while I love the snark and making fun of these
| "legacy" systems, it has given me a window into my own maturity
| as an engineer. I was absolutely this cavalier and cocky about
| poorly implemented systems I've been a user or admin of in the
| past. But having now spent nearly a decade and a half getting
| paid for this work and seeing a lot of stuff and the evolution of
| best practices, I have much more empathy for the organizations
| and authors of these systems. There are very very few programs
| that ever achieve something like elegance and beauty when they
| collide with the real world.
| ok123456 wrote:
| Judging from the javascript, they scraped. The system they were
| scraping would have been cutting-edge in 2004-5. Keeping
| something running that long, duct tape and all, is no small
| feat.
| simonask wrote:
| I totally get what you mean, and I feel kind of the same but in
| reverse: When I was young, I was totally making systems like
| this legacy dumpster thermal experience.
|
| A lot of this stuff is hacked together by young aspiring
| programmers just finding their footing, often grossly
| underpaid, and with very little experience or formal training.
| Which is great, respect the hustle! But not so super when
| personal data is being handled. Luckily, it kind of looks like
| they maybe dodged that bullet in this case?
|
| Lesson of the day is: Use different passwords for each thing
| you log in to. :-)
| bigfatfrock wrote:
| > A lot of this stuff is hacked together by young aspiring
| programmers just finding their footing, often grossly
| underpaid, and with very little experience or formal
| training. Which is great, respect the hustle! But not so
| super when personal data is being handled. Luckily, it kind
| of looks like they maybe dodged that bullet in this case?
|
| This is an odd generalization to me - are the massive
| mainframe COBOL systems handling personal data at banks to
| this day, "hacked together" by underpaid young programmers?
| I'm sure they were underpaid... but inexperienced with no
| formal training?
| bongodongobob wrote:
| You went straight to massive Fortune 50. Guess what, there
| are 100s of thousands of businesses in the US. Most aren't
| Fortune 50.
|
| Here are some other kinds of business:
|
| Freight
|
| Logistics
|
| Concrete
|
| Construction
|
| Eyeglasses
|
| Lawn care
|
| Plumbing
|
| Cabinet making
|
| Law Office
|
| Hair styling
|
| These small shops run on bespoke industry specific software
| with few competitors. They are often buggy and out of date
| because there is only one game in town a lot of times.
|
| There is more to the world than huge businesses
| headquartered in NYC or SF.
| whatever1 wrote:
| all of them use QuickBooks!
| red-iron-pine wrote:
| > but inexperienced with no formal training?
|
| someone doesn't have any experience with offshore
| programmers, eh?
| dartos wrote:
| SAP contractors hurt you too?
| steinuil wrote:
| Definitely agree. My first few gigs were in consultancy and
| after seeing how the sausage is made I don't feel much like
| calling out these kinds of old systems anymore. The budgets and
| deadlines are tight, the people working on them are often
| inexperienced and underpaid and have little time to sit down
| and think things through, and when they have to work on an old
| system to add some features they have little time and
| incentives to improve the overall state of things.
| dundun wrote:
| There's a ton of Dunning-Kruger going on, but I think as
| college kids riding a high of winning a contest and learning a
| ton, it can be excused.
| rjbwork wrote:
| Absolutely. I'm not trying to dump on them. It may not have
| come through with my choice of verbiage, but there's
| something romantic (in the aesthetic sense) and admirable
| about what they've done and their attitudes. That kind of
| unbridled optimism and confidence of youth that can be hard
| to cultivate as we get older.
| limaoscarjuliet wrote:
| Turning 50 this year, writing code for a living, and could not
| agree more. I used to think all must be re-written and
| refactored. "Old crap must go". "I can do it better". But then
| one realizes the rewritten system is "crap" to someone else
| soon.
|
| Learning an existing system is harder than creating something
| seemingly equivalent that the author understands well. For some
| time at least.
| leetrout wrote:
| My measuring stick is how much the team can understand what
| is happening. When the team at large cannot move through the
| codebase and effectively make changes then it is time to make
| changes.
|
| If the code is on the back burner and only receiving
| maintenance then no need to mess with it.
|
| But active feature development? Teams need to have a grasp on
| it and have a way to get a mental model of what is happening.
| codelobe wrote:
| I never refactor for the purpose of refactoring.
|
| If I can do things better, and I usually can, it's because I
| have a more performant higher level algorithm or set of low
| level optimization strategies to apply.
|
| I agree. Those API organizers are just creating future crap
| for others. However, objective benchmarks showing my changes
| yield 10 to 100 thousand times quicker execution than the old
| method mean the legacy code was crap...
|
| Legacy being crap is not always the fault of devs. Back on
| Z80 and similar, before execution caches were expansive and
| expensive to invalidate, the short circuiting && and || bool
| operators made sense. Now that invalidating the CPU
| instruction cache with a jump is far more expensive than just
| running the ops these short circuits are trying to avoid, it
| is better to just use bitwise | or & instead of boolean || or
| && unless there are needed side-effects (really should make
| the conditional evaluations into proper branches [if
| statements] anyway, if only for clarity). Benchmark it and
| see. C is stuck doing LOTS of old and busted style logic, and
| coders imagine their compiler is doing a lot of magic voodoo
| under the hood that simply isn't happening. There's loads of
| compiler optimization hype.
|
| Sometimes the hardware or platform just shifts underneath
| Good Code and turns it into Crap Code.
| TylerE wrote:
| As ever, the greatest programmers are fundamentally lazy. I
| hate writing code. I endeavor to do as little of it as
| possible.
|
| Solving problems? Sure, love to.
|
| But slogging out LOC for the sake of it? Hard pass. Even as a
| teen that never really appealed to me.
| bigfatfrock wrote:
| 100%, I love debugging and digging through legacy systems,
| personally, yet have only run into co-workers in my career over
| the years that loathe and fear them!
|
| Being able to jump in and put out fires on a building that's
| already built has served me very well in my career, but in
| overall satisfaction as well!
| paxys wrote:
| I partially agree. While there is nothing wrong with boring
| "legacy" systems, and the world runs on them, practices like
| sending plain text passwords over email and all other security
| failures mentioned in the post are inexcusable. Software like
| Atrium is a perfect example of companies getting large
| contracts (usually in the public sector) through
| connections/corruption and outsourcing development for pennies,
| with no quality control or other oversight. This stuff should
| not be romanticized.
|
| In fact there is a non-zero chance that the company's response
| to this blog post will be to file a lawsuit against these
| students for "hacking" and ruining their lives, as has happened
| many times in the past in such cases.
| HeyLaughingBoy wrote:
| > There are very very few programs that ever achieve something
| like elegance and beauty when they collide with the real world.
|
| I write embedded systems. Tell me about it!
| zachmu wrote:
| Mocking bad systems like this is all fun and games but it
| definitely demonstrates your inexperience. Eventually you
| realize this is just normal, most stuff is as bad as this in
| one way or another. Mocking it all would be your full time job.
| And you just get tired of it.
| hondo77 wrote:
| Yeah, the best thing about hiring people "fresh out of college"
| (or whatever the equivalent is today) is that they see things
| with fresh eyes and want to change everything. The worst thing
| about hiring people fresh out of college is that they see
| things with fresh eyes and want to change everything. ;-)
| sanderjd wrote:
| This is a really good insight! The key is to say yes to the
| good ideas and no to the bad ones.
| ipaddr wrote:
| Nothing screams junior dev like the snark of things they don't
| understand
| theideaofcoffee wrote:
| I have a similar length of experience as you, but I'm on the
| opposite side of the fence and side with the students in this
| case. If an organization is willfully putting out and
| maintaining shit products year after year and equivocating
| about how updating things to be more in-line with modern
| practices is oh so difficult and oh so expensive, maybe they do
| deserve to be mocked. If they're making an effort, that's a
| different story. There's really no excuse to keep insecure and
| outdated things out in the wild except for organizational
| laziness. Stand behind and maintain the crap you sell or don't
| sell it at all.
|
| I think as a profession we need more derision and mockery of
| poorly made, documented and maintained shit and less reverting
| to robotic response of "you just don't understand, man".
| rjbwork wrote:
| I don't necessarily disagree. But you get what you pay for.
| These public institutions typically put out bids for projects
| and take the lowest one. Incentives matter and these types of
| organizations are incentivizing the production of cheap and
| poorly made software.
| sanderjd wrote:
| haha I had this same exact thought while reading it. "Oh sweet
| summer child..."
|
| To me it seems like a miracle anyone ever had the budget to
| create this kind of website to begin with, let alone to "keep
| up with the times" :)
| cortesoft wrote:
| Yeah, once you have gone through a few cycles of your cutting-
| edge approaches becoming standard and then becoming legacy and
| outdated, you realize the treadmill never stops.
| simonw wrote:
| Bad title, good article. It's about exploiting security flaws in
| a university meal accounts website to build a Spotify-wrapped
| style summary of students' eating habits.
| Retr0id wrote:
| While they point out some flaws in the guest permission
| granularity, did they actually exploit any flaws, to make it
| work? My understanding was no.
| neltnerb wrote:
| It seemed to me like they actually got explicit consent to
| have guest permissions to view this information, I am
| honestly pleasantly surprised. Once I saw them looking at the
| security tokens I got worried, but they pulled it out of a
| tailspin pretty quick.
|
| > Because we can't instruct students to copy-and-paste the
| URL (and thus their session key), we needed another way to
| access students' transaction history. We turned our attention
| to JumboCash's guest access feature.
|
| I am going to take "can't" as "were not willing to" which is
| more impressive. It sounds like they could pretty easily have
| convinced people to give them a lot more access than they
| realized, and chose not to go that route.
| hunter2_ wrote:
| > I am going to take "can't" as "were not willing to"
|
| I disagree. I take "can't" as a reference to this earlier
| statement:
|
| > Change to another IP address, and it...breaks?
|
| I.e., they would need to not only ask for the key, but also
| use the same IP address that the key was generated with.
| Depending on what sort of NAT may or may not exist on
| campus, that could be difficult or easy.
| caseysoftware wrote:
| Great line:
|
| "The portal is really a wrapper around the reanimated corpse of
| much older software, its rotting flesh visible through
| nonsensical decisions and the occasional XML response."
| tr3ntg wrote:
| Seconding this. A beautiful line.
| riskable wrote:
| Hackathons and programming contests can be fun. The world could
| use more but more importantly, _more fun ones_. Yeah, we need
| solutions in healthcare and government but that's so boring and
| the prizes are usually pathetic.
|
| We need more flashy and fun ones! Especially ones that give the
| entrants something like _a month_ instead of just a few days to
| come up with their entries.
|
| It'd also be great if there were more hardware-development
| hackathons. Give folks three months to make some hardware or a
| robot that does X.
|
| Make the prizes worthwhile for adult professionals! Spending a
| month of your free time for _the chance_ to win $5,000 isn't
| very enticing. Make it $50,000 or more and I bet we'll see some
| _really_ fantastic entries.
| suddenclarity wrote:
| I think you're just getting too close to regular grants for
| research and development but with more losers. For example,
| Vinnova is handing out $5m for AI projects this year. Why
| participate in a contest when I can just get $100k from them by
| writing an application? In total, Vinnova handed out $300m last
| year with no follow-ups. That's just one organization.
| filoleg wrote:
| > Why participate in a contest when I can just get $100k from
| them by writing an application?
|
| Because that grant comes with obligations and strings
| attached (which you gotta deal with, after your application
| gets approved and the grant hits your bank account). The
| whole idea behind grants like this is that you use it to
| start up a real company, and the grant-giver gets to be one
| of the first early investors in it (in case of success). With
| this in mind, most of the work on your project is also
| expected to happen after you obtain the grant.
|
| Hackathon winnings are supposed to be the exact opposite[0].
| You do the work on your prototype on your own, you present,
| you win the prize with no strings attached, and that's it.
| You aren't expected to continue working on it after the
| hackathon as a condition to receive the prize (but you can of
| course, and you might even get encouragement and support from
| the sponsors/other entities at the event to do so).
|
| On a related massive side-tangent: I was sorely disappointed
| in hackathons back in college after going to a few major and
| local ones. Winners half the time didn't have any even barely
| functional prototype and would gather wins off of powerpoints
| alone, half of them with proposals that wouldn't even be
| feasible or possible to implement at all.
|
| A specific example that pissed me off at the time: the 2nd
| place winner at one of the Atlanta college hackathons I
| attended around 2014 was a team of 6 people with only a
| couple of devs. Their opening statement was like this: "none
| of us had any machine learning experience or knowledge until
| yesterday, but we learned it all in one day and decided to
| build an app that will tell you the full nutritional content
| of any dish you take a photo of, based on the food components
| in it." First, I don't think it is technically feasible to
| accomplish even in 2024. Second, claiming to have zero
| knowledge of machine learning and figuring it all out in one
| single day to the point of building a functional model that
| was beyond any cutting-edge research at the time was sussy.
| So naturally, I was excited to see what their prototype was.
| Turns out, there was no prototype and no code at all (which
| they easily admitted), just a powerpoint deck. Judges all
| fawned over it, and they won one of those "we are a startup
| accelerator and we would like to give you a grant to work on
| it afterwards to turn it into a real company, the grant is
| pre-approved and is waiting for you (if you are ready to
| commit)" sponsor grants.
|
| However, there was one time where I remembered the winners
| vividly (and the hackathon overall, as it was one of the very
| few that I would consider "proper"), because I was genuinely
| impressed by what they built, and felt it was very well
| deserved. I tried to keep up with what they were up to, as
| they continued working on that project in the open after the
| hackathon, and I am so happy I did.
|
| Spoiler: that team was the one that built WorkFlow[1].
| Shortly afterwards, they actually released it in the App
| Store, and it kept growing over the years. It culminated into
| the team continuing to work on it full-time after graduating
| and getting acquired by Apple to build the improved native
| version of that, which is currently known as Apple Shortcuts.
| Which is an amazing tool I use all the time, and I am a bit
| surprised by how little discourse there has been about it in
| tech circles. Especially since it is clearly not abandonware,
| as Apple eventually expanded Shortcuts from iPhone to iPadOS
| and macOS, and it keeps being integrated into newer things
| Apple releases as well (like Home automation and plenty
| others).
|
| 0. Note: I am aware that a lot of hackathons now have similar
| type of "prizes" from some sponsors, where they give you a
| tiny (or often non-existent) cash prize and then offer to
| fast-track/pre-approve your grant application as a component
| of it.
|
| 1. https://www.michigandaily.com/uncategorized/mhacks-winners-p...
| jaflo wrote:
| Cool article and looks like a well deserved win! I like that the
| project was something fun and doesn't take itself too seriously.
|
| And I liked the part about how they did guerrilla marketing too.
| NeoTar wrote:
| It seems there is a second story here about their University
| requiring the purchase of a 'meal plan' and that generally not
| being good value (costing more than the dishes individually)? Am
| I reading that between the lines correctly?
| suddenclarity wrote:
| Yes and no. It seems you're required to be on a meal plan.
| First-year students automatically (you might be able to
| downgrade) get a plan for $4019 which includes 400 meals and
| $75. Meals vary in price though.
|
| So if you max out on dinners ($14.97), in theory, you can get
| 405 dinners which would cost a total of $5974. In other words,
| a meal plan saves you $1955 vs buying individual meals. If you
| eat all three meals (breakfast, lunch, dinner), the average
| meal would equal $12.19. In other words, you'd get $4951 worth
| of food for $4019.
|
| To summarize, it seems the meal plan saves you money by giving
| you a discount. The problem (I assume) is that some students
| don't make use of their 400 meal swipes.
|
| https://dining.tufts.edu/your-meal-plan/your-meal-plan-optio...
| Ensorceled wrote:
| My alma mater solved this issue by making the compulsory
| "meal plan" a credit for the campus-wide system so you could
| eat in the residence dining hall (which was relatively cheap)
| or spend the credit at various food courts on campus (more
| expensive, but there is a Subway, McDonald's, etc. etc. as
| well as various non-franchised options).
|
| The second term, they added the credit on a weekly basis
| because a bunch of students had run out of credit before the
| end of the first term ... which, as our psychology department
| pointed out, was a completely predictable eventuality.
| Ensorceled wrote:
| The project calculates if the meal plan is good value FOR YOU
| based on your eating habits.
| nico wrote:
| > Through some clever promotion on Ben's part, we managed to get
| hundreds of students to use it in just a couple of days
|
| At the end of the day, marketing is just as important (or more)
| than the tech we build.
|
| I won a hackathon this way too. We were the only ones who brought
| a printer to the event, we printed maybe 100 posters of our app
| with a QR code to use it, then we put the posters up all over the
| venue.
|
| By the time the pitch came, we not only had a working proof of
| concept, we also had the data we collected from all the people
| who had already used it, so we were able to show traction in
| barely more than 24hrs.
|
| We also spent at least 4hrs creating and rehearsing the pitch.
| mprovost wrote:
| The ligature on "www" was making me doubt my sanity. I had to
| double-check that it's for real but it comes from the Berkeley
| Mono font.
| jessekv wrote:
| What surprised me the most is that the public directory of all
| students and staff really is completely public. Anyone on the
| internet can use it to get names and emails of students.
| filoleg wrote:
| I assume that is the case for almost all public universities in
| the US, or at least it was back when I was in college a decade
| ago.
|
| Also, those student emails listed in the directory aren't
| personal ones, they are school-assigned ones, so I don't think
| it is a major issue tbh. The only times I've ever got any
| emails sent to mine from people that obviously discovered it
| through the directory were from the recruiters (and those were
| definitely very welcome at the time).
___________________________________________________________________
(page generated 2024-03-14 23:01 UTC)