If you’re trying to hack/deface a website, don’t submit a pull request - jwhelton
https://github.com/CoderDojo/CoderDojo-Kata/pull/1/files

======
RyanZAG
For anybody too lazy to read through them all, here are some gems:

+ <script language="JavaScript1.2">

Are you sure, like, really really sure, you want JavaScript 1.2?

+var speed=1

please run jslint on your code before submitting a pull request

There are so many errors that JSLint gives up on this code at 39%.

+temp=document.body.scrollTop

You really shouldn't declare a variable without using var - can lead to all
sorts of scoping problems.

Oh, good catch! You should submit a pull request to fix this

+<mass of span elements>

There's a couple of redundant span elements here, when you get time, you could
optimise this

+ <p align="center" dir="rtl">&nbsp;</p>

It's great that you've made sure that non-breaking space is read right to
left, your readers would have been screwed otherwise.

+ $bind_port_p="IyEvdXN...<base64 encoded string>";

    It's going to be hard to comment on these Base64 encoded C and Perl programs in their current form.
    That daemon() function call is going to cause problems on a whole bunch of non-Linux architectures. Solaris doesn't have it for example.
    You should definitely consider supporting IPv6, you can't just assume IPv4 connectivity...
    You're also missing a return at the end of main().

+$auth_pass = "fe3f6d96a1ee06bc5415a5c05540c7a8";

1911990 is not a good password. Your birthday?

Let's hope you didn't use that for your email account, lovestory8976@yahoo.com

can you use a sha512 hash, instead? it's more secure.

+

Hmm, the HTML isn't compliant. Please rebase from master, squash the previous
commit and resubmit.

Thanks for your invaluable future contributions

~~~
binarycrusader
Actually, Solaris does have the daemon() function as of Solaris 11:

    http://docs.oracle.com/cd/E19082-01/819-2243/6n4i098sj/index.html

------
ChuckMcM
Sort of reminds me of the scene in Life of Brian where Brian is caught by the
Romans defacing the wall. <http://www.youtube.com/watch?v=eaRcwpnsYYI>

------
judofyr
God, I'm so tired of animated GIFs in GitHub comment threads. The code
critique is far more amusing to me.

~~~
mastofact
I'm more shocked that they even allow images to be embedded in comments.

~~~
schrodinger
You guys are a bunch of cranky pants

~~~
mastofact
I'm just tired of seeing memes on places of "serious business," as bti points
out.

------
Achshar
What is happening here? I am not very accustomed to open source yet.

Edit: un-checking "show inline notes" helps.

Edit 2: So if I understand correctly, OP tried to hack into a website... by
submitting code to GitHub. I was confused at first because that would have
been a (very) wrong way to "hack", but as it turns out, that is indeed true. And
the rest is about the code he/she used. It seems to be auto-generated in some
WYSIWYG HTML editor that uses old HTML.

~~~
kordless
And the devs of the project are having a field day pointing out all the coding
errors. This comment is a gem:

> can you please add semicolons to the end of these lines + @douglascrockford

------
ot
Please GitHub, implement the evil bit [1] on pull requests so we can filter
out defacing attempts when merging.

[1] <http://en.wikipedia.org/wiki/Evil_bit>

~~~
mwill
OT: I think everyone has made the Evil Bit/DNT header connection at some
point, but it seems especially funny/snarky being tacked on without any
further note in the See Also section of the Evil Bit entry. It's not often I
get a laugh out of non-content stuff on Wikipedia : )

------
Xylakant
This attempt is blatant and obvious, but what about a more serious attempt
where you first establish some credibility with a couple of "good" PRs that fix
major problems and then add a tiny little backdoor that loads code from
somewhere else. Distribute the relevant code over a couple of commits and you
might just slip it in.

With GitHub's ease of merging and automated testing by Travis, it's easy to
forget that changes may be actively malicious and not just buggy.

~~~
EthanHeilman
Why not just find an exploit in the code?

Spending months building trust while creating a giant trail of information
that can be used to find you and then really pissing off the open-source
community seems like a bad plan for someone that is attempting to quietly gain
root. Might work if one project is attempting to discredit another project
(think closed source vendor trying to steal clients who use opensourced github
projects).

I'm not saying someone won't do it, I suspect it has been done a few times, but
it is a dumb way to break into computers and far more work/risk than
downloading Metasploit and using a public exploit.

~~~
Xylakant
Because it works even if you can't find a proper codepath to exploit. It might
gain you anything you want: A quiet path to leak admin account info to a
server of your choice. An attack vector into a system trusted by more than one
person.

You don't need to provide much information to get a github account, so the
risk is not very much elevated.

~~~
EthanHeilman
>You don't need to provide much information to get a github account, so the
risk is not very much elevated.

1\. Unless you are extremely lucky, you have to gain someone's trust by posting
fixes that do not contain backdoors. This leaves a trail in terms of: coding
style, word usage, editor settings (tabs vs spaces), and IP records/timestamps
in GitHub. It's not much but it is additional unnecessary exposure.

2\. Since the code is publicly available on GitHub it stands a much better
chance of being discovered later. If you own a server, do your business and change
the logs, you have a very very low chance of someone discovering the intrusion
after the fact.

3\. If someone discovers the backdoor they can set up a honey pot. They might
even allow the change to be merged and then wait for you to connect, although
this is unlikely. An attacker is potentially forfeiting the element of
surprise.

4\. Gaining access to a remote server is trivially easy (just use a publicly
available exploit before it is patched on your target server), especially if
it is a webapp, especially if you have access to the code.

I'm not saying there isn't someone out there that thinks this is a great attack
method. I'm just saying that an attacker that uses this method is either doing
it because they think it is funny or is a stupid attacker (there is no shortage
of stupid attackers).

~~~
Xylakant
Editor settings are not much of a record if you just follow the project's code
guidelines. IP records with GitHub are more of a problem, but I guess you can
fake those by using Tor or any proxy. And to embed your malicious code over a
series of innocent-looking commits, have a look at the Underhanded C Contest:
<http://underhanded.xcott.com/> There are some true marvels, code that looks
innocent as a baby but does malicious things.

So yes, owning a server might be easier in some respects, but owning a project
might own you a server you'd never get access to - a machine that runs behind
a firewall e.g.

------
nathanappere
Seems like a very civilized way to deface a website, you have to love how
GitHub changed the game.

~~~
kibwen
_evilmalware 0.6 (beta)

Copyright 2000, 2001, 2003, 2005 E/17 |-|4><0|2z Software Foundation, Inc.

This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY, COMPLETE DESTRUCTION OF IMPORTANT DATA
or FITNESS FOR A PARTICULAR PURPOSE (eg. sending thousands of Viagra spams to
people across the world).

Basic Installation

Before attempting to compile this virus make sure you have the correct version
of glibc installed, and that your firewall rules are set to ‘allow
everything’.

1\. Put the attachment into the appropriate directory eg. /usr/src.

2\. Type ‘tar xvzf evilmalware.tar.gz’ to extract the source files for this
virus.

3\. ‘cd’ to the directory containing the virus' source code and type
‘./configure’ to configure the virus for your system. If you're using ‘csh’ on
an old version of System V, you might need to type ‘sh ./configure’ instead to
prevent ‘csh’ from trying to execute ‘configure’ itself.

4\. Type ‘make’ to compile the package. You may need to be logged in as root
to do this.

5\. Optionally, type ‘make check_payable’ to run any self-tests that come with
the virus, and send a large donation to an unnumbered Swiss bank account.

6\. Type ‘make install’ to install the virus and any spyware, trojans
pornography, penis enlargement adverts and DDoS attacks that come with it.

7\. You may now configure your preferred malware behaviour in
/etc/evilmalware.conf.

SEE ALSO evilmalware(1), evilmalware.conf(5), please_delete_all_my_files(1)_

<http://www.gnu.org/fun/jokes/evilmalware.html>

~~~
TazeTSchnitzel
_Importantly, this software may not function properly unless it is run with
root privileges. On systems that disable the root user, look for the_ sudo
_command, or similar._

------
mumrah
Pull request might not be a terrible attack vector. I'm sure there are plenty
of people out there who don't look carefully and just merge them in.

~~~
zheng
In fact, I might go so far as to say that this was never intended to be
merged. I'll assume whoever did this wants their message heard, and while it
will never show up on CoderDojo, the hodgepodge of coding styles ensures that
the "pull request" will go viral, thus possibly reaching a far greater number
of people than it would have otherwise.

/tinfoil

~~~
mseebach
What message? I read through the thing and didn't see any message. There's
some encoded Arabic, but even if I could read Arabic, I couldn't read it
encoded.

~~~
RyanZAG
There is actually a message:

"If there is no check on the freedom of your words, then let your hearts be
open to the freedom of our actions"

"The war continues until the last Zionist remains on the beloved land of
Palestine"

 _cough_ Shouldn't that be until there are no more Zionists in Palestine? Are
they proposing to kill all Zionists until there is just one of them left, and
then say "you're the last one here, you can stay".

~~~
frogpelt
It never fails to cease to amaze me when people mix up these types of
statements.

~~~
dEnigma
That was irony, right?

------
kmfrk
Sadly, this attack makes more sense than the villain's in Skyfall.

------
laurencei
Better title would have been:

Protip: if you're trying to hack/deface a website, don't submit a pull request
WITH YOUR EMAIL AND PASSWORD!

<https://github.com/CoderDojo/CoderDojo-Kata/pull/2>

~~~
nachteilig
A better title might not include puerile memes like "Protip".

~~~
thinkling
Being sarcastic is puerile?

~~~
jlgreco
Also, "protip" has been in use for what, two decades now? When does something
stop being a meme and just become an idiom?

~~~
dEnigma
An idiom is a meme too

~~~
jlgreco
In the sense that it is a cultural artifact that is passed along from one
individual to another, yes. In the sense that it is something annoying kids on
the internet use that must be complained about, no, not necessarily.

~~~
yuchi
I hate the abuse of the word "meme"...

~~~
skeletonjelly
Funnily enough, the abuse of the word "meme" is now a meme.

------
aroman
In case anyone's curious and got down to the embedded YouTube video in the
code, it's an Arabic-titled video of a screen recording of a Facebook video
(further evidence of the author's technical prowess) of two Israelis in a
place undergoing rocket fire from Gaza... definitely recent as well as they
say "Where's the iron dome!?" in Hebrew. It's about a minute and a half of the
rocket sirens blaring and them hearing rockets landing in the distance,
screaming out of fright/being startled when they do.

Pretty disturbing stuff, to say the least. Combined with the English text
about the Zionists leaving Palestine, I just wanted to shed some light on the
intention of the defacement.

------
AimHere
Hilarious.

But if I ever need a jury of my peers to audit my coding style to see how good
it is, now I know what to do - a pretend-attempted-defacement is bound to be
more effective than finding some place on the net to ask 'Is this proper
idiomatic javascript?'.

~~~
roryokane
If you ever actually need a place to check whether your JavaScript is
idiomatic, try Code Review Stack Exchange
(<http://codereview.stackexchange.com/>).

------
alt_
I wonder if it's the same genius who tried to hack WP[0] or if we've got a
copycat on our hands.

[0]
[https://github.com/maxymax/WordPress/commit/2fa93590c7881fab...](https://github.com/maxymax/WordPress/commit/2fa93590c7881fab043be7b8b51358894dbc1466)

------
geekgirlweb
Trying to hack a non-profit site? A non-affiliated NFP? Someone did not love
this person as a child.

Please report? <https://github.com/ahmedalex>

P.S. If you're not a jerk and would love to help with the new CoderDojo.com
site, let me know rebecca (at) coderdojo.com

~~~
mratzloff
Didn't know you could report a GitHub user for abuse until today. Just did.

------
hdra
I can't understand how someone capable of understanding and doing a git
pull request can produce this kind of "code".

Or how he thought that he could pull this thing off? Is there a "10 ways to
hack a website" where a git pull is one of them?

Given that there is a code snippet from a tutorial on "How to Create a Website
With Notepad" and the whole thing seems like it came out of an old WYSIWYG
editor, the thing obviously was made by a script kiddie. Script kiddies use
git now? wow

~~~
Zarel
GitHub makes a lot of things really easy. I'm guessing he just used the "edit"
button while viewing a file in GitHub, which will make GitHub automatically
fork, commit, and submit a pull request.

------
chewxy
Thanks for the hilarity before my bedtime.

~~~
phalasz
Yeah, it is quite funny. Love the code critique :)

------
enkitosh
This guy has got 5 followers now. Are you just waiting for what kind of stuff
he comes up with next, haha :D

------
taylorbuley
Funniest pull request thread I've seen this year.

Here's last year's winner: <https://github.com/MrMEEE/bumblebee-Old-and-abbandoned/commit/a047be85247755cdbe0acce6f1dafc8beb84f2ac>

------
bdg
What an obvious mistake he made... that's okay, I fixed it for him.

<https://github.com/Incognito/CoderDojo-Kata/commit/d6c4163abc7ab366511448f2a3e69bd2fc7a519b>

------
johnernaut
Either this person is a complete moron, or one of the greatest trolls GitHub
has seen in a long time.

------
isabre
Using Github as a public humiliation platform = WIN! I love this code review!

------
eykanal
"Social hacking": the next big thing.

~~~
klez
Hacktivism? Has been the next big thing for quite a while actually.

~~~
diminoten
Hacktivism is more like hacking for a cause. This is social hacking, where the
hack is perpetrated entirely in the social space - adding a PI as a friend on
Facebook, having a rival company able to see your LinkedIn profile page or
hanging around in your company Skype channels - that sort of thing.

------
tucson
Can someone explain? (I am not familiar with GitHub and the whole thing is
cryptic to me)

~~~
ngokevin
It's equivalent to knocking on someone's door and asking them if you can
graffiti their house wall, egg their car, and toilet paper their front yard
tree. All while having the graffiti, egg, and toilet paper in your hands in
front of their face.

~~~
angersock
The comments are even better, and so to extend this analogy:

After you ask them, they then criticize your choice of spraypaint ("Krylon?
Really? Not using Rustoleum, even though this is clearly for outside
application?"), testing that your egg is actually of proper dimension and
size, and then sighing in annoyance upon finding out that your toilet paper
isn't quilted.

~~~
duaneb
...and then saying "no."

------
snake_plissken
omg this is awesome.

PROTIP. better than calling someone a sheep.

------
beakel
Context: CoderDojo is a kids' club for learning to code. Hence the quality.

------
chiquitabacana
I don't think they were actually trying to deface the website... I think they
just wanted to spread anti-semitism...

~~~
jablan
Anti-semitism or anti-zionism?

~~~
chiquitabacana
both...

------
Buzaga
What if they are Palestinians "being bombed back into the middle ages"[1] or from
another Arab country that provides 1/100th of the opportunities we have to know
`how to be a pro hacker`, a foreign language or, say, an expert modern coder
that knows all the little beautiful standards?

Suddenly all the smart comments feel a lot less fun

[1] <http://www.alternet.org/speakeasy/tikkundaily/israeli-minister-goalis-send-gaza-back-middle-ages>