
Did I just win? - davidtgoldblatt
https://twitter.com/Sc00bzT/status/730903007014076416
======
dredmorbius
This reminds me of an old folk tale of the trickster and the rich man.

A king passing through a town finds a man about to be punished for fraud. He
intercedes and asks what the matter is. The trickster says in his defence, "I
ask people for things, and they give them to me". The king is incredulous but
poses a challenge: "You must ask and receive money from the richest man in
town." The trickster agrees, but being short on assets, requests a loan. The
king obliges, and the trickster arranges (eliding details) to induce the
town's richest resident to provide him with a wealth of goods. He returns to
the king two days later with evidence in tow. The king is impressed by this
demonstration, at which the trickster notes that he'd actually met the
conditions 48 hours earlier when the king, wealthier than the town's richest
resident, had offered him a loan.

There's something to those old stories.

(I'm not positive of the source but believe it's included in Idries Shah's
_World Tales_.)

~~~
kyllo
A much lower-brow version of the same joke, from the movie Dumb and Dumber:

    Lloyd: I'll bet you twenty dollars I can get you gambling before the day is out!
    Harry: No!
    Lloyd: I'll give you three to one odds.
    Harry: No.
    Lloyd: Five to one.
    Harry: No.
    Lloyd: Ten to one?
    Harry: You're on!
    Lloyd: I'm gonna get ya!
    Harry: Nu uh!
    Lloyd: I don't know how but I'm gonna get ya.

------
tstrimple
1. Create issues for items I need fixed on my github repos.

2. Offer a $100 bounty to people who can trick me into getting some string
into my projects. The easiest way to "trick" me of course is to hide it inside
of a PR which fixes a real issue.

3. Find and remove the string before merging the PR. I've had one of my
issues fixed for free. Rinse and repeat!

Bonus Round: Stage an announcement on twitter and have someone cleverly trick
me into including the string on my website (which I was totally going to do
anyway). Post clever trick to code geek social media and reap the sweet free
viral marketing and hackers trying to earn a Benjamin.

~~~
reledi
It's worrying that something as harmless as this comes across as a stunt with
some ulterior motive. Not everything is a viral marketing campaign.

~~~
Bromskloss
I like to suspect everything that gains attention to be a marketing campaign.

------
daxfohl
What exactly happened here? All I see is a highlighted line that seems to have
already been there.

~~~
aerovistae
A guy issued a challenge saying he'd give $100 to anyone who could trick him
into inserting a certain string into any of his software projects.

Another guy responded "You should put this challenge on your website."

The first guy said "Good idea" and proceeded to do so, thus including the
string in one of his software projects: his website.

GG

~~~
cortesoft
He basically did this:
[https://www.youtube.com/watch?v=XsrU2dMBVUQ](https://www.youtube.com/watch?v=XsrU2dMBVUQ)

~~~
sc00bz
That is awesome :)

~~~
frostymarvelous
Aren't you the winner?

~~~
sc00bz
Yes, I think this counts as proof:
[https://twitter.com/Sc00bzT/status/731243916951994368](https://twitter.com/Sc00bzT/status/731243916951994368)

My win was legit, but there's no way for me to prove that. Well if this was a
PR stunt then I should have @defcon or at least #defcon to get a larger
audience, but in all reality I'm banned from PayPal and haven't used Bitcoin.
Which is why I said I'll settle for a beer, but I should have asked for zcoin
after it launches... shit now this is all a PR stunt for "Zooko money".

Anyway if anyone working at PayPal sees this and wants to hook me up by
unbanning me that would be nice.

~~~
frostymarvelous
Was that all in reply to me, or am I missing something?

I just noticed you have the same handle that's why I asked.

------
j79
An acknowledgement of the win:
[https://twitter.com/DefuseSec/status/730903547747819520](https://twitter.com/DefuseSec/status/730903547747819520)

The offer still stands though, if you'd like to try:
[https://twitter.com/DefuseSec/status/730904219419443200](https://twitter.com/DefuseSec/status/730904219419443200)

------
infogulch
The offending commit:
[https://github.com/defuse/defuse.ca/commit/4770ad5c9d4851d40...](https://github.com/defuse/defuse.ca/commit/4770ad5c9d4851d40811c77b944f391aedbcf5d9)

------
nkristoffersen
Took me a second to understand what happened. But yes, earned his $100.

------
joemi
Can someone link to context? Without it, I don't see why this is even posted
here.

~~~
drunken-serval
@DefuseSec > I'll give $100 USD to anyone who can trick me into inserting the
string "BackdoorPoCTwitter" into a release of any of my software projects.

@Sc00bzT > @DefuseSec You should put this challenge on your website.

@DefuseSec > @Sc00bzT Good idea, added it to this page:
[https://defuse.ca/security-contact-vulnerability-disclosure....](https://defuse.ca/security-contact-vulnerability-disclosure.htm)

@Sc00bzT > @DefuseSec Did I just win?

@DefuseSec > @Sc00bzT FUCK. What's your paypal/bitcoin?

[See [https://github.com/defuse/defuse.ca/commit/4770ad5c9d4851d40...](https://github.com/defuse/defuse.ca/commit/4770ad5c9d4851d40811c77b944f391aedbcf5d9) for commit.]

------
delibes
Asked a question, won a beer token. It counts.

------
goatherders
Are some of you actually arguing over whether or not the website qualifies as
a "software project?" Goodness, maybe stop taking the world so
literally/seriously.

------
pnathan
That is a gem of cleverness.

------
Jeremy1026
Troll level = 100%

------
satysin
Just beautiful :)

------
drudru11
"Mostly drunk ramblings of a programmer and crypto enthusiast."

Maybe we shouldn't drink and "crypto"? :-)

------
anaolykarpov
Would you pay 100 usd to get on the front page of HN and who knows what other
popular sites?

Maybe it's just a marketing stunt

~~~
CiPHPerCoder
What exactly could DefuseSec be marketing here?

Disclosure: He and I have been friends for years.

~~~
jsemrau
I always wonder why in general there is such a distrust / avoidance of
marketing in tech communities.

~~~
CiPHPerCoder
I can't speak for others, but I see marketing as manipulation and I see
manipulation as a dehumanizing act that robs humans of their own agency.

------
shadykiller
But wait, how did it happen ?

~~~
rschuetzler
He had him post the challenge to his website. The text of the challenge
contains the string "BackdoorPoCTwitter". By including the challenge in his
website, he included the string in a software project (the code for his
website). This won the challenge for @Sc00bzT, who was the one who told him to
make the change to his website.

------
clapinton
This just made my day.

------
Aelinsaar
It's not clever to hack something that you can socially engineer, and that
should be hacking 101. Clever win.

~~~
cpeterso
That was the challenge. DefuseSec specifically said he would "give $100 USD to
anyone _who can trick me_ into inserting the string".

~~~
CiPHPerCoder
This is why you always want to define your scopes.

He clearly intended for some variant of "any of my software projects that
other people actually use", but failed to specify that detail.

But it's nonetheless hilarious. Laughs all around.

------
russelluresti
slow clap.

------
aaroninsf
[[ obligatory reference to Betteridge's law ]]

~~~
notatoad
But this is actually a violation of betteridge's law. He did win.

~~~
LeoPanthera
It's also not a headline, so it doesn't apply anyway.

~~~
mistercow
It's Betteridge's Second Law: the answer to _any_ question is "no".

It really simplifies things.

~~~
garethadams
Does it?

------
kauegimenes
Another way to win this bounty would be to share some code with the string
BackdoorPoCTwitter with the same color as the page background. If he copy and
paste the code it could work. ^^

~~~
infogulch
The only way that would work is if he committed copy/pasted code without
reviewing it first, which is highly unlikely. Or at least I would hope it is,
given that he's actually challenged people to do this.

~~~
Magnets
I don't really see how anyone can win this challenge (other than how already
done). The guy will be super cautious of any pull requests.

~~~
tstrimple
You could probably hide it pretty effectively during a normal pull request to
fix an existing issue. As long as they aren't grepping for the string anyhow.
If he's going to use tools to search a PR for the string, you'd have to
obfuscate it. There are plenty of string and / or byte array manipulation
techniques to sufficiently hide something like this as long as it's masked by
an otherwise real PR.

~~~
ultramancool
You'd have to rely on a ball of jumbled crap somewhere in the PR though -
maybe if they don't wrap lines or something you could slip it in?

~~~
Natanael_L
I'd be XORing against some existing strings in the code of the same length to
obfuscate the content, with some hidden method to invoke the reverse XOR to
regenerate this challenge text string.

~~~
ultramancool
Sure, hiding it as a basic string is easy. But hiding it in a way that a
simple code review won't catch is probably a lot harder.

~~~
Natanael_L
I think some array manipulation could do it if you're clever enough and don't
make it obvious where all of the inputs come from. So you'd make some
particular parameters regenerate the string, and it wouldn't obviously stand
out from the normal behavior.

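The kauegimenes/infogulch exchange and the tstrimple/Natanael_L subthread above both turn on the same question from the maintainer's side: a plain grep for the literal string catches nothing once the string is reversed, hex- or base64-encoded, or split into pieces. The scanner below is an added example written for this thread, not DefuseSec's tooling or anything from the defuse.ca repository. It walks the added lines of a unified diff and flags the marker in those forms, including pieces spread over consecutive added lines, and reports findings for a human reviewer rather than deciding anything on its own. The sample diff, the `MARKER` constant and all function names are constructed for the example.

```python
"""Pre-merge scan of a unified diff for a forbidden marker string.

Added example for the thread above; not DefuseSec's tooling. Flags the marker
in the added lines of a patch whether it appears literally, reversed, hex- or
base64-encoded, padded with punctuation on one line, or split across
consecutive added lines. Findings are for a human to review, not a verdict.
"""
import base64
import re

MARKER = "BackdoorPoCTwitter"  # the string from the challenge


def variants(marker: str) -> dict:
    """Encodings of the marker that a naive grep for the literal would miss."""
    raw = marker.encode()
    return {
        "literal": marker,
        "reversed": marker[::-1],
        "hex": raw.hex(),
        "base64": base64.b64encode(raw).decode(),
    }


def squash(text: str) -> str:
    """Lower-case and drop everything but letters and digits, so a marker
    padded with punctuation or built from "Back" + "door" concatenations
    collapses into one matchable run. Applied to needles and haystacks alike."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def added_lines(diff_text: str):
    """Yield (line_number, content) for every line a unified diff adds."""
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if line.startswith("+") and not line.startswith("+++"):
            yield lineno, line[1:]


def scan_diff(diff_text: str, marker: str = MARKER) -> list:
    """Return [(where, encoding, evidence)] for every hit in the added lines."""
    needles = {name: squash(v) for name, v in variants(marker).items()}
    findings = []
    added = list(added_lines(diff_text))
    for lineno, text in added:
        haystack = squash(text)
        for name, needle in needles.items():
            if needle in haystack:
                findings.append((lineno, name, text.strip()))
                break
    # Pieces spread over several added lines only show up once the whole
    # addition is collapsed into a single run.
    joined = "".join(squash(t) for _, t in added)
    for name, needle in needles.items():
        if needle in joined and not any(f[1] == name for f in findings):
            findings.append(("multi-line", name, marker))
    return findings


# Constructed sample diff: an otherwise legitimate fix that also carries the
# marker hex-encoded on one line and split over two lines. The hex is computed
# here rather than typed in so the sample cannot drift from MARKER.
SAMPLE_DIFF = f"""\
diff --git a/app.py b/app.py
--- a/app.py
+++ b/app.py
@@ -1,2 +1,6 @@
 def greet(name):
-    return "Hello " + name
+    return f"Hello {{name}}"
+# debugging aid, remove before release
+SESSION_SEED = bytes.fromhex("{MARKER.encode().hex()}")
+parts = ("BackdoorPoC",
+         "Twitter")
"""

if __name__ == "__main__":
    for where, encoding, evidence in scan_diff(SAMPLE_DIFF):
        print(f"{where}: marker found as {encoding}: {evidence}")
```

Running the module prints a hex hit on the `SESSION_SEED` line and a multi-line literal hit for the tuple. The squash step is what makes the check cheap: every needle and every line is reduced to the same lower-case alphanumeric run before comparison, so case tricks and punctuation padding cost the reviewer nothing. It is deliberately conservative (a base64 match is compared case-insensitively, which can over-report), because its job is to put a line in front of a reviewer, not to replace the review that infogulch's comment assumes is happening anyway.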
------
dragontamer
I guess a webpage is a software project...

~~~
nilved
What definition of "software project" excludes Web sites?

~~~
toast0
Static websites are documents (although this file happened to be PHP, it
looked pretty static). Is a book or a Word doc a software project?

~~~
icebraining
Well, it's not exactly plaintext, HTML is an interpreted language.

------
msoad
Social Engineering is not accepted in most hacking contests.

~~~
TrevorJ
Interesting discussions to be had as to why this is the case. I suspect it
would make it too easy.

~~~
untog
I suspect it's just because there are too many variables. Social Engineering
isn't exactly a replicable science.

~~~
clavalle
Individually, no, but statistically...perhaps?

~~~
untog
Perhaps. There's also the depressing reality that you can't _actually_ stop
social engineering conclusively. A sysadmin is always going to need to have a
login with administrative privileges, and they're always going to be fallible.

~~~
clavalle
True. This thread has me thinking about how a controlled social engineering
hacking event might play out just for the sake of education and awareness.
(especially since one of my clients got hit badly with a phishing attack
recently...less than a single percentage 'success' rate by the attacker but
still cost them almost $100K).

Tough problem.

~~~
jerf
There are commercially-available off-the-shelf phishing training services,
such as [https://www.knowbe4.com/phishing-security-test-offer](https://www.knowbe4.com/phishing-security-test-offer).

Disclaimer: My employer has used this, but I was uninvolved with the choice
and have no stake in knowbe4. Just using it as an example I have to hand. I
believe there are quite a few choices.

------
eridius
Calling a website that happens to host static content in the same repo as its
PHP source a "release of a software project" really seems like a stretch.

~~~
eridius
Why was I downvoted heavily for this, without even a single comment explaining
why I'm wrong? This was a serious comment, and I still believe what I said, so
it's rather rude to be treated this way.

~~~
eridius
And again, on a comment asking for someone to actually explain why they're
doing this? This is really disappointing, Hacker News is usually a lot more
well-behaved than this.

