due Thu 9/26 at noon

To receive a late day (that extends your deadline until Fri 9/27 at noon), you must complete Late Day no later than Wed 9/25 at noon.

  • Better acquaint you with functions and libraries.

  • Allow you to dabble in cryptanalysis.

diff pset2 hacker2

  • Hacker Edition challenges you to handle extra whitespace in inputs.

  • Hacker Edition challenges you to crack actual passwords.

  • Head to https://www.cs50.net/shorts/2 and watch the shorts on loops, scope, the Caesar Cipher, and RSA. Then head to https://www.cs50.net/shorts/3 and watch the short on command-line arguments. Be sure you’re reasonably comfortable answering the below when it comes time to submit this problem set’s form!

  • How does a while loop differ from a do … while loop? When is the latter particularly useful?

  • What does undeclared identifier usually indicate if outputted by make (or, really, clang)?

  • Why is the Caesar Cipher not very secure?

  • And unrelated to those shorts, be sure you’re reasonably comfortable answering the below as well when it comes time to submit this problem set’s form!

    • What’s a function?

    • Why bother writing functions when you can just copy and paste code as needed?

Getting Started

  • Alright, here we go again!

    Open a terminal window if not open already (whether by opening gedit via Menu > Programming > gedit or by opening Terminal itself via Menu > Programming > Terminal). Then execute


    to make sure your appliance is up-to-date. In general, if you run into errors like "No such file or directory" with the staff’s solutions or "invalid ID" with check50, best to re-run update50, just to make sure you have the latest updates.

    Next, execute

    mkdir ~/Dropbox/hacker2

    at your prompt in order to make a directory called hacker2 in your Dropbox directory. Take care not to overlook the space between mkdir and ~/Dropbox/hacker2 or any other character for that matter! Keep in mind that ~ denotes your home directory, ~/Dropbox denotes a directory called Dropbox therein, and ~/Dropbox/hacker2 denotes a directory called hacker2 within ~/Dropbox.

    Now execute

    cd ~/Dropbox/hacker2

    to move yourself into (i.e., open) that directory. Your prompt should now resemble the below.

    jharvard@appliance (~/Dropbox/hacker2):

    If not, retrace your steps and see if you can determine where you went wrong. You can actually execute


    at the prompt to see your last several commands in chronological order if you’d like to do some sleuthing. You can also scroll through the same one line at a time by hitting your keyboard’s up and down arrows; hit Enter to re-execute any command that you’d like. If still unsure how to fix, remember that CS50 Discuss is your friend!

Late Day

To receive a late day (that extends your deadline until Fri 9/27 at noon), you must complete this section no later than Wed 9/25 at noon.

  • Head to http://www.youtube.com/playlist?list=PLhQjrBD2T382e9a6m_i2F-a4xLm4hjYdG and watch the walkthroughs on string-0, string-1, and string-2, whose source code can be found at http://cdn.cs50.net/2013/fall/lectures/2/w/src2w/. Then head to http://www.youtube.com/playlist?list=PLhQjrBD2T383LBd7z_5k32rbPdO99LNB9 and watch the walkthroughs on capitalize-0, capitalize-1, and capitalize-2, whose source code can also be found at http://cdn.cs50.net/2013/fall/lectures/2/w/src2w/. Feel free to watch any other walkthroughs of interest!

  • Next, write, in a file called initials.c, a program that prompts a user for their name (using GetString to obtain their name as a string) and then outputs their initials in uppercase with no spaces or periods, followed by a newline (\n) and nothing more. You may assume that the user’s input will contain only letters (uppercase and/or lowercase) plus spaces. Folks like Joseph Gordon-Levitt, Conan O’Brien, and R.J. Aquino won’t be using your program. But the user’s input might be sloppy, in which case there might be one or more spaces at the start and/or end of the user’s input or even multiple spaces in a row.

    So that we can automate some tests of your code, your program must behave per the examples below. Assumed that the underlined text is what some user has typed.

    jharvard@appliance (~/Dropbox/hacker2): ./initials
    Milo Banana
    jharvard@appliance (~/Dropbox/hacker2): ./initials
       robert   thomas bowden

    If you’d like to check the correctness of your program with check50, you may execute the below.

    check50 2013.hacker2.initials initials.c

    And if you’d like to play with the staff’s own implementation of initials in the appliance, you may execute the below.

  • Assuming you got initials to work and check50 outputted only green smileys, go ahead and open a terminal window via Menu > Programming > Terminal. A big, black window should open (bigger than the one embedded in gedit). Navigate your way to ~/Dropbox/hacker2, as with

    cd Dropbox/hacker2

    and then re-run check50 as follows to output a "coupon code":

    check50 -c 2013.hacker2.initials initials.c

    Go ahead and highlight the code that you see, select Edit > Copy, then visit https://www.cs50.net/coupons/2 using Chrome inside of the appliance, paste the code where prompted, as with control-v on your keyboard, or type it manually, and then click Redeem. You should be rewarded with an extension of 24 hours.

    You may (re-)submit coupons as many times as you’d like, but you’ll be rewarded with no more than one 24-hour extension per problem set.

Passwords Et Cetera

  • On most, if not all, systems running Linux or UNIX is a file called /etc/passwd. By design, this file is meant to contain usernames and passwords, along with other account-related details (e.g., paths to users' home directories and shells). Also by (poor) design, this file is typically world-readable. Thankfully, the passwords therein aren’t stored "in the clear" but are instead encrypted using a "one-way hash function." When a user logs into these systems by typing a username and password, the latter is encrypted with the very same hash function, and the result is compared against the username’s entry in /etc/passwd. If the two ciphertexts match, the user is allowed in. If you’ve ever forgotten some password, you may have been told that "I can’t look up your password, but I can change it for you." It could be that person doesn’t know how. But, odds are they just can’t if a one-way hash function’s involved.

    Even though passwords in /etc/passwd are encrypted, the crypto involved is not terribly strong. Quite often are adversaries, upon obtaining files like this one, able to guess (and check) users' passwords or crack them using brute force (i.e., trying all possible passwords). Only in recent years have (most) system administrators stopped storing passwords in /etc/passwd, instead using /etc/shadow, which is (supposed to be) readable only by root. (Take a look at /etc/passwd in the appliance, for instance; wherever you see x a password once was.) Below, though, are some username:ciphertext pairs from an outdated (fake) system.


    Crack these passwords, each of which has been encrypted with C’s DES-based (not MD5-based) crypt function. Specifically, write, in crack.c, a program that accepts a single command-line argument: an encrypted password. (In case you test your code with other ciphertexts, know that command-line arguments with certain characters (e.g., ?) must be enclosed in single or double quotes; those quotation marks will not end up in argv itself.) If your program is executed without any command-line arguments or with more than one command-line argument, your program should complain and exit immediately, with main returning any non-zero int (thereby signifying an error that our own tests can detect). Otherwise, your program must proceed to crack the given password, ideally as quickly as possible, ultimately printing to standard output the password in the clear followed by \n, nothing more, nothing less, with main returning 0. The underlying design of this program is entirely up to you, but you must explain each and every one of your design decisions, including any implications for performance and accuracy, with profuse comments throughout your source code. Your program must be designed in such a way that it could crack all of the passwords above, even if said cracking might take quite a while. That is to say, it’s okay if your code might take several minutes or days or longer to run. What we demand of you is correctness, not necessarily optimal performance. Your program should certainly work on inputs other than these as well; hard-coding into your program the solutions to the above is not acceptable.

    Your program must behave per the below; underlined is some sample input.

    jharvard@appliance (~/Dropbox/hacker2): ./crack 50yoN9fp966dU

    Assume that users' passwords, as plaintext, are no longer than eight characters long. As for their ciphertexts, you’d best pull up the "man page" (i.e., manual) for crypt by executing

    man crypt

    in a terminal window so that you know how the function works. In particular, make sure you understand its use of a "salt." (According to the man page, a salt "is used to perturb the algorithm in one of 4096 different ways," but why might that be useful?) As implied by that man page, you’ll likely want to put

    #define _XOPEN_SOURCE
    #include <unistd.h>

    at the top of your file and link your program with -lcrypt.

    You might also want to read up on C’s support for file I/O, as there’s quite a number of English words in /usr/share/dict/words in the appliance that might (or might not) save your program some time.

    By design, /etc/passwd entrusts the security of passwords to an assumption: that adversaries lack the computational resources with which to crack those passwords. Once upon a time, that may have been true. Perhaps some still do. But when it comes to security, assumptions are dangerous. May that this problem set make that claim all the more real.

    We should note that this problem set is no invitation to seek out other passwords to crack. Do not conflate these Hacker Editions with "black hat" editions. We hope, though, that by understanding better the design of today’s systems, you might one day build better systems yourself. Besides acquainting you further with C, this problem set urges you to start questioning designs, as vulnerabilities (if not regrets) often result from poor ones.

    If you’d like to play with the staff’s own implementation of crack, well, sorry! :-) Where’d be the fun in that?

