Breaking My Security Assignments

  • Kudos for breaking the environment in a security course.

    > This entire attack was possible because I have the VM's disk image right here on my computer and I can do absolutely whatever I want to it, such as overriding its access control settings.

    This is the key insight. Protecting via VMs and obfuscations does not provide security equivalent to network boundaries and hardware protections. While the encryption step may have helped, it was self-defeating as the key was stored on the VM and the VM was in your control. It would have been much harder (perhaps impossible) to crack if the unique key was ephemerally sourced from a server prior to every decryption coupled with some end state from the exercise.

    > Within the aims of the module this is fine - this is an introduction to security module so if you can exploit it like this, you're not really the target audience and you've already achieved the aims of the module.

    Yes, it's clear to me that the course has little left to teach you. At this point I would just submit the generated tokens for every assignment and read more complex material. I say this as an academic and a cybersecurity expert.

  • Great post and great attitude. Little bit of a mixed message from this:

    > Within the aims of the module this is fine - this is an introduction to security module so if you can exploit it like this, you're not really the target audience and you've already achieved the aims of the module.

    > This isn't going to save me any time - I still need to do the assignments because they're assignments for a University module, which is supposed to teach me things. If I don't do the assignments and effectively cheat by submitting tokens I recover this way, I personally will suffer and not know what I'm doing in enough detail when it comes to the final exam and just generally will lack this knowledge that might be useful in future.

    Which is it? This introduction to security module couldn't possibly have anything to teach someone who already has this level of ability, or it could?

  • I feel if you solve a security assignment by hacking the system, YOU'RE DOING IT RIGHT. I hope you get a first-class mark for this.

    Also, https://xkcd.com/2385/

  • I still don't understand why they must compile assignments' source code on your instance. Why can't assignments be pre-compiled and shared as binary to prevent open code data?
