Did I just win? (twitter.com)
950 points by davidtgoldblatt on May 13, 2016 | 129 comments

This reminds me of an old folk tale of the trickster and the rich man.

A king passing through a town finds a man about to be punished for fraud. He intercedes and asks what the matter is. The trickster says in his defence, "I ask people for things, and they give them to me". The king is incredulous but poses a challenge: "You must ask and receive money from the richest man in town." The trickster agrees, but being short on assets, requests a loan. The king obliges, and the trickster arranges (eliding details) to induce the town's richest resident to provide him with a wealth of goods. He returns to the king two days later with evidence in tow. The king is impressed by this demonstration, at which the trickster notes that he'd actually met the conditions 48 hours earlier when the king, wealthier than the town's richest resident, had offered him a loan.

There's something to those old stories.

(I'm not positive of the source but believe it's included in Idries Shah's World Tales.)

A much lower-brow version of the same joke, from the movie Dumb and Dumber:

    Lloyd: I'll bet you twenty dollars I can get you gambling before the day is out!

    Harry: No!

    Lloyd: I'll give you three to one odds.

    Harry: No.

    Lloyd: Five to one.

    Harry: No.

    Lloyd: Ten to one?

    Harry: You're on!

    Lloyd: I'm gonna get ya!

    Harry: Nu uh!

    Lloyd: I don't know how but I'm gonna get ya.

That seems to have worked because the king had an unmanageable level of overconfidence, whereas this worked because they already had mutual trust[0]. Advice from a friend passes easily through the "harm test" heuristic filter which takes place immediately after hearing any untrusted (doubted) person advising one to change course (and potentially other places if someone learns they need to apply it there too).

By mixing in advanced machinery, our innate heuristics like harm measurement need many more dimensions of analysis. Hackers, in tune with modern machines, recognize this as a blunder since we have seen trust misused with secrets in machines before; still how can a "[s]cientist and security researcher" and "farmer and shoe-repair-man with a handheld" alike learn to recognize wider effects of their machine-enabled actions?

0: https://twitter.com/search?q=from%3ASc00bzT%20to%3ADefuseSec...

Hrm. Not in Shah's World Tales, though I still recommend that as well.

1. Create issues for items I need fixed on my github repos.

2. Offer a $100 bounty to people who can trick me into getting some string into my projects. The easiest way to "trick" me of course is to hide it inside of a PR which fixes a real issue.

3. Find and remove the string before merging the PR. I've had one of my issues fixed for free. Rinse and repeat!

Bonus Round: Stage an announcement on twitter and have someone cleverly trick me into including the string on my website (which I was totally going to do anyway). Post clever trick to code geek social media and reap the sweet free viral marketing and hackers trying to earn a Benjamin.

It's worrying that something as harmless as this comes across as a stunt with some ulterior motive. Not everything is a viral marketing campaign.

I like to suspect everything that gains attention to be a marketing campaign.

As somebody who knows the person in question: Nice theory, but no. Not everybody has ulterior motives like this.

steps 1 and 2 remind me of how Congress works

I started laughing, then remembered that I have lived in the US for the last 5 years and started crying instead.

He offered him BTC for it. Not so much free...

You've discovered that social media is mostly used for getting attention. Congratulations, that was very clever of you.

I was trying to figure out the actual angle here because the challenger couldn't have been that stupid. I think you've hit the nail on the head.

It's not clever to hack something that you can socially engineer, and that should be hacking 101. Clever win.

That was the challenge. DefuseSec specifically said he would "give $100 USD to anyone who can trick me into inserting the string".

This is why you always want to define your scopes.

He clearly intended for some variant of "any of my software projects that other people actually use", but failed to specify that detail.

But it's nonetheless hilarious. Laughs all around.

And he inserted the string into HN, and our brains - but I already forgot.

Now insert that string into the Linux source code, and I'll be surprised.

For those of you misreading this comment: Aelinsaar is saying that if a system/target is vulnerable to social engineering, then hacking (code) that system/target is not clever.

You could take that concept pretty far. There's no computer system that doesn't involve a human element (CS101). And yet some of the most clever people spend their time finding ways to hack the machine element. Their work inevitably gets understood and integrated into software, either through voluntary submissions through bug bounties or otherwise.

Social engineering has been understood for a long time, and yet we can't develop defenses in the same way we can develop defenses in software. So we have an underpaid workforce of software hackers uncovering vulnerabilities which get patched and an overpaid workforce of social engineers exploiting unpatchable vulnerabilities in the human condition.

Who is really being exploited here?

You don't need to crack a safe if you can get the combination from the owner. You don't need to pick a lock if you can pick the key from a pocket. It also goes to the classic XKCD comic about the realities of crypto: https://xkcd.com/538/

As for why so little attention is paid to the human side, I think you said it, "We can't develop defenses the same way we can develop defenses in software." Not only that, but a human being who's brilliant in their role in your company, might be singularly unsuited to learning lessons about social engineering.

I suppose if you want a humorous and somewhat dystopian sci-fi view of how this could be managed... you ever read 'Snow Crash'?

Depends on goals and sources of enjoyment.

Huh? Some of the most clever (and destructive) hacks involve an element of social engineering. Given that security implementations are designed to compensate for human social behaviors and instincts and limitations, social engineering is just as much a part of hacking as cryptography.

I think you read his statement backwards :) He's advocating social engineering whenever possible.

Ah, I think my brain got led down a "garden path", a concept I just learned had an official name from yesterday's Parsey McParseface announcement https://en.wikipedia.org/wiki/Garden_path_sentence

Explain please? I cannot make sense of the op's sentence in a way that advocates social engineering.

The first half of the sentence is saying, "Don't do things the hard way (hacking) when you can do them the easy way (social engineering)". The second half is saying "Everyone should know this."

"It's not clever to hack [with social engineering] something that you can socially engineer"


"It's not clever to hack something [i.e. with technical exploits] that you can socially engineer"

Interesting. I am not a native speaker and I cannot make sense of the op's sentence in a way you understand it. How did you understand op's sentence in the first place?

lol just saw this. Basically, I thought he was being sarcastic in saying "Clever win" and took the "It's not clever to hack something that you can socially engineer" as "It's not clever to socially engineer". Hopefully that helps.

op said the same

What exactly happened here? All I see is a highlighted line that seems to have already been there.

A guy issued a challenge saying he'd give $100 to anyone who could trick him into inserting a certain string into any of his software projects.

Another guy responded "You should put this challenge on your website."

The first guy said "Good idea" and proceeded to do so, thus including the string in one of his software projects: his website.


I completely forgot about that exchange. I was about 90% sure that link was going to be a clip of Superman: The Animated Series when Clark first encounters Mr. Mxyzptlk. I can't find it on YouTube, but it goes like this:

Mr. Mxyzptlk: You, my friend, are the ultimate challenge! We're going to have very merry games, you and I!

Superman: A game has rules! Your stunts are just random idiocy!

Mr. Mxyzptlk: Okay, I'll give you a rule! If you can make me say, spell or otherwise reveal my name backwards and I'll split, until our dimensions come into alignment again in... oh, three months, give or take.

Superman: I can't even say your name forwards - how am I supposed to say it backwards?

Mr. Mxyzptlk: No, dope, you don't have to say it, you have to get me to say it!

Superman: Say what?

Mr. Mxyzptlk: Kltpzyxm! Gosh, you're thick! Now, for the last time... ah, nuts!

That is awesome :)

Aren't you the winner?

Yes, I think this counts as proof: https://twitter.com/Sc00bzT/status/731243916951994368

My win was legit, but there's no way for me to prove that. Well, if this was a PR stunt then I should have used @defcon or at least #defcon to get a larger audience, but in all reality I'm banned from PayPal and haven't used Bitcoin. Which is why I said I'll settle for a beer, but I should have asked for zcoin after it launches... shit, now this is all a PR stunt for "Zooko money".

Anyway if anyone working at PayPal sees this and wants to hook me up by unbanning me that would be nice.

Was that all in reply to me or I'm missing something?

I just noticed you have the same handle that's why I asked.

What is the PayPal ban about?

Yup. It's a beautiful example of (subversively) following the rules exactly.

(And kudos to the originator for acknowledging that.)

Jesus that's beautiful

Ah, totally didn't read the whole twitter thread. Brilliant.

Oh, come on, I'll give that a troll win at best. The clear implication was subverting software users would run. Let him social engineer that one. I'd put it in a bug-fix or something Obfuscated C contest style.

This is what Social Engineering is. Asking someone to do something that they normally would do, in order to get the desired outcome.

Re your deleted comment

You suggested I "didn't get it" because trolling stuff that wins a game was the point. Actually, what made me think about impact was on the website and the challenge itself:

"Backdoor Insertion Proof-of-Concept Bounty: The first time someone tricks me into inserting the string "BackdoorPoCTwitter" into a release of any of my software projects"

Whole point is assessing ability to backdoor software products. Social attack that succeeds might teach us something. The cheat teaches us nothing but is amusing. So, I certainly get it and read site before I wrote here. ;)

Note: Same page said employer's website was off limits in hacks and pentests. I assumed that meant Defuse. So, never considered website attack as in scope in first place.

Depends on what the desired outcome is. I read the challenge as compromising one of the pieces of software on the website. Doing that with social engineering was the desired outcome.

The attacker thought out of the box to tackle a lesser challenge: getting a string on the website itself. It was technically true under rules, funny, and contest issuer even owned up to it. It's not the real challenge, though. No real-world impact. So, just amusing trolling.

Websites are made of software.

Lol. I'm not repeating myself twice if you're not seeing the point.

You're failing to see the charm here. Social engineering is a confidence trick that exploits gaps in someone's personal trust system.

Surely you are right that when he presented the challenge he had something different in mind. But that's exactly the point! The winner realized that the website itself might be a gap in the challenger's trust system; a place where he would have his guard down.

Eschewing the implied parameters of a problem and cheating expectations are what vulnerability detection is all about.

I not only see that: I specifically explained the expectation and how it was reframed into a new target above.


You're failing to see my actual concern here. I'm one of those old-school types that rate people on the impact their work has first and how clever/funny it is second. The first, expected challenge had consequences with impact. Tackling that with effort even close to success would be praiseworthy & even contribute something new to INFOSEC.

The other thing is the kind of shit I do to coworkers and people online all day for fun. One I hadn't thought of and clever for sure but same concept. It's a combo of wit and sophistry that focuses on technicalities of people's statements who aren't thinking carefully about them. Outside policy and procedures, outthinking a statement has no impact at all.

So, as I think along both lines, I recognize it as clever trolling in the second category like I do 20 times a day. Similarly pointless. Just fun and funny. Then, acknowledge that the real target or challenge would've been more valuable. Implicitly encouraging people to go for that one in case we learn something important. You know, relevant to information security. Plus, I give highest props to people that pull off difficult or nigh-impossible feats.

A website is software that users run.

A website is either data a browser interprets or a combo of it plus software (eg Javascript). This is compromising his software only in most technical, trolling sense. It won't affect his apps at all.

Software is data an operating system and processor interprets. He never specified apps.

Besides, how would inserting the string in his apps have any different effect than inserting it into the website? This is completely within the parameters that were set (because there weren't many).

I already explained my perspective on this here:


Suffice to say, the real point is whether people can compromise his apps with something that would harm their computer. So, let's rephrase your question, "What's the difference between convincing him to post a challenge string on his website and convincing him to arbitrarily modify code of apps he distributes to users?" Obviously, a huge difference unless he's a complete idiot.

So by the hacker asking the victim to add the details of the contest, he tricked the victim into including the winning string in a software project.

An acknowledgement of the win: https://twitter.com/DefuseSec/status/730903547747819520

The offer still stands though, if you'd like to try: https://twitter.com/DefuseSec/status/730904219419443200

Took me a second to understand what happened. But yes, earned his $100.

Can someone link to context? Without it, I don't see why this is even posted here.

@DefuseSec > I'll give $100 USD to anyone who can trick me into inserting the string "BackdoorPoCTwitter" into a release of any of my software projects.

@Sc00bzT > @DefuseSec You should put this challenge on your website.

@DefuseSec > @Sc00bzT Good idea, added it to this page: https://defuse.ca/security-contact-vulnerability-disclosure....

@Sc00bzT > @DefuseSec Did I just win?

@DefuseSec > @Sc00bzT FUCK. What's your paypal/bitcoin?

[See https://github.com/defuse/defuse.ca/commit/4770ad5c9d4851d40... for commit.]

Twitter is horrible for having a meaningful conversation, let alone reading it.

If you're on mobile, scrolling up should show the context.

Asked a question, won a beer token. It counts.

Are some of you actually arguing over whether or not the website qualifies as a "software project?" Goodness, maybe stop taking the world so literally/seriously.

That is a gem of cleverness.

Troll level = 100%

Just beautiful :)

"Mostly drunk ramblings of a programmer and crypto enthusiast."

Maybe we shouldn't drink and "crypto"? :-)

Would you pay 100 usd to get on the front page of HN and who knows what other popular sites?

Maybe it's just a marketing stunt

What exactly could DefuseSec be marketing here?

Disclosure: He and I have been friends for years.

Advertising is always about grabbing attention. The more impressions, the more odds of sales or uptake. It's a legit consideration anytime some stunt happens in public spreading on media or social networks.

Not that I think that has anything to do with this. Looks more like normal goofing around by security or hacking folks. If anything, he loses money or precious beer from it.

I always wonder why in general there is such a distrust / avoidance of marketing in tech communities.

I can't speak for others, but I see marketing as manipulation and I see manipulation as a dehumanizing act that robs humans of their own agency.

He could market himself and his site in order to increase his self branding.

Even if it is a marketing stunt, it is a nice one.

Taylor (@DefuseSec) is one of the organizers of the Underhanded Crypto Contest at DEFCON; it started as an open invitation to try to social engineer him so he can improve himself. It wasn't a marketing stunt, at all.

Why would you have to pay anything? Have a friend tweet the response.

Even more clever...

But wait, how did it happen ?

He had him post the challenge to his website. The text of the challenge contains the string "BackdoorPoCTwitter". By including the challenge in his website, he included the string in a software project (the code for his website). This won the challenge for @Sc00bzT, who was the one who told him to make the change to his website.

This just made my day.

slow clap.

[[ obligatory reference to Betteridge's law ]]

But this is actually a violation of betteridge's law. He did win.

It's also not a headline, so it doesn't apply anyway.

On Hackernews, it's a headline...

It's Betteridge's Second Law: the answer to any question is "no".

It really simplifies things.

Does it?

Police: Are you a law-abiding citizen?

You: No.

Police: Come with me, please.

Another way to win this bounty would be to share some code with the string BackdoorPoCTwitter in the same color as the page background. If he copies and pastes the code, it could work. ^^

The only way that would work is if he committed copy/pasted code without reviewing it first, which is highly unlikely. Or at least I would hope it is, given that he's actually challenged people to do this.

Yes, that's true. But if it's a big chunk of code it could work.

Also, if he validated the code before copy and paste, the string would be invisible.

If your final review step is anywhere before the level of staged diff, you're doing it wrong.

I don't really see how anyone can win this challenge (other than how already done). The guy will be super cautious of any pull requests.

Maybe there's a way to mislead someone about the content of a pull request (e.g., a race condition in GitHub or some other UI to git, a Unicode rendering bug, a UI that hides or obscures the content of some software comments, a bug in git's merge logic, putting the code into the source of an upstream library that he pulls into his code wholesale...).

I actually have another idea which I now think I should try to do, so I won't give the details here.

You could probably hide it pretty effectively during a normal pull request to fix an existing issue. As long as they aren't grepping for the string anyhow. If he's going to use tools to search a PR for the string, you'd have to obfuscate it. There are plenty of string and / or byte array manipulation techniques to sufficiently hide something like this as long as it's masked by an otherwise real PR.

You'd have to rely on a ball of jumbled crap somewhere in the PR though - maybe if they don't wrap lines or something you could slip it in?

I'd be XORing against some existing strings in the code of the same length to obfuscate the content, with some hidden method to invoke the reverse XOR to regenerate this challenge text string.

Sure, hiding it as a basic string is easy. But hiding it in a way that a simple code review won't catch is probably a lot harder.

I think some array manipulation could do it if you're clever enough and don't make it obvious where all of the inputs comes from. So you'd make some particular parameters regenerate the string, and it wouldn't obviously stand out from the normal behavior.

That sounds very difficult to hide

The guy is responsible for a small number of low-activity projects, he's going to go over any new pull requests with a fine tooth comb

If he's using github to merge pull requests, you might be able to hide it in the details section (2nd+ line) of one of several commit strings. People might check the commits, but github usually hides all but the first commit message line. Not sure if this would count as 'part of the software project' though.
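The hiding places proposed in this subthread (a bare literal a grep would miss, XOR against an existing string of the same length, a byte array, an encoded token, characters a diff viewer renders as nothing) all share one weakness: they have to survive the staged diff. Added example, not code from the page or from Defuse's repositories: a scanner over the added lines of a unified diff that decodes those forms and tries the XOR pairing against every literal in the hunk. The PHP diff it runs on is constructed for the example, and the mask name `StableReleaseBuild` is an assumption.

```python
"""Scan the added lines of a unified diff for a bounty string that a
contributor may have hidden behind the obfuscations this thread proposes."""
import base64
import itertools
import re

TARGET = b"BackdoorPoCTwitter"

# Quoted string bodies, runs of 0xNN array elements, and base64-looking tokens.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
HEX_ARRAY = re.compile(r"(?:0x[0-9a-fA-F]{2}\s*,\s*){3,}0x[0-9a-fA-F]{2}")
BASE64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
# Zero-width and bidi-control code points that a diff viewer renders as nothing.
INVISIBLE = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x202A, 0x202B, 0x202C,
             0x202D, 0x202E, 0x2066, 0x2067, 0x2068, 0x2069}


def unescape(body: str) -> bytes:
    """Turn a source-level string body into the bytes the program would see."""
    out, i = bytearray(), 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            if nxt == "x" and re.fullmatch(r"[0-9a-fA-F]{2}", body[i + 2:i + 4]):
                out.append(int(body[i + 2:i + 4], 16))
                i += 4
                continue
            if nxt == "u" and re.fullmatch(r"[0-9a-fA-F]{4}", body[i + 2:i + 6]):
                out += chr(int(body[i + 2:i + 6], 16)).encode("utf-8")
                i += 6
                continue
            out += {"n": b"\n", "t": b"\t", "r": b"\r", "0": b"\0"}.get(nxt, nxt.encode("utf-8"))
            i += 2
            continue
        out += body[i].encode("utf-8")
        i += 1
    return bytes(out)


def candidates(text: str):
    """Every byte string a reviewer's eye tends to skip: literals, 0x arrays, base64."""
    for m in STRING_LITERAL.finditer(text):
        yield unescape(m.group(1) if m.group(1) is not None else m.group(2))
    for m in HEX_ARRAY.finditer(text):
        yield bytes(int(h, 16) for h in re.findall(r"0x([0-9a-fA-F]{2})", m.group(0)))
    for m in BASE64_TOKEN.finditer(text):
        try:
            yield base64.b64decode(m.group(0), validate=True)
        except ValueError:  # identifiers and hashes that merely look like base64
            pass


def invisible(s: str):
    return {f"U+{ord(c):04X}" for c in s if ord(c) in INVISIBLE}


def scan(diff: str):
    """Return sorted (line_no, kind, detail) findings for the added lines of a diff."""
    findings, pool = [], []  # pool: (line_no, added?, bytes) used for XOR pairing
    for n, raw in enumerate(diff.splitlines(), 1):
        if not raw or raw.startswith(("+++", "@@", "diff ", "-")):
            continue
        added, text = raw.startswith("+"), raw[1:]
        hidden = invisible(text) if added else set()
        for cand in candidates(text):
            pool.append((n, added, cand))
            if not added:
                continue
            as_text = cand.decode("utf-8", "replace")
            hidden |= invisible(as_text)
            cleaned = "".join(c for c in as_text if ord(c) not in INVISIBLE).encode()
            if TARGET in cand:
                if TARGET.decode() not in text:
                    findings.append((n, "encoded", "decodes to the target string"))
            elif TARGET in cleaned:
                findings.append((n, "invisible-split", "target string split by zero-width characters"))
        if added and TARGET.decode() in text:
            findings.append((n, "literal", "target string in plain text"))
        if hidden:
            findings.append((n, "invisible-codepoint", " ".join(sorted(hidden))))
    # The XOR trick from the thread: blob ^ existing literal == target, same length.
    for (n1, a1, c1), (n2, a2, c2) in itertools.combinations(pool, 2):
        if (a1 or a2) and len(c1) == len(c2) == len(TARGET):
            if bytes(x ^ y for x, y in zip(c1, c2)) == TARGET:
                findings.append((max(n1, n2), "xor-pair", f"lines {n1} and {n2}"))
    return sorted(findings)


# Constructed sample diff (assumption, not a real Defuse commit): one existing
# literal of the same length as the target, then four ways of smuggling it in.
MASK = b"StableReleaseBuild"
XOR_BLOB = bytes(a ^ b for a, b in zip(TARGET, MASK))
SAMPLE_DIFF = "\n".join([
    "diff --git a/lib/release.php b/lib/release.php",
    "--- a/lib/release.php",
    "+++ b/lib/release.php",
    "@@ -1,2 +1,7 @@",
    " <?php",
    ' $mask = "StableReleaseBuild";',
    '+$blob = "' + "".join(f"\\x{x:02x}" for x in XOR_BLOB) + '";',
    '+$banner = base64_decode("' + base64.b64encode(TARGET).decode() + '");',
    "+$tag = array(" + ", ".join(f"0x{x:02x}" for x in TARGET) + ");",
    '+$note = "Back' + "\u200b" + 'doorPoCTwitter";',
    '+$ok = "nothing to see here";',
])

if __name__ == "__main__":
    for line_no, kind, detail in scan(SAMPLE_DIFF):
        print(f"line {line_no}: {kind} ({detail})")
```

Feed it `git diff --cached` from a pre-commit hook and it answers the "grep for the string" objection raised above. It does not answer the "array manipulation that regenerates the string at run time" idea, because nothing in the diff then contains the bytes; that case needs a reviewer reading control flow, which is the point the thread keeps circling back to.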

I guess a webpage is a software project...

What definition of "software project" excludes Web sites?

Static websites are documents (although this file happened to be PHP, it looked pretty static), is a book or a word doc a software project?

Well, it's not exactly plaintext, HTML is an interpreted language.

Unless it is served as plaintext, I'd say it counts.

Yes. What else would it be?

I assume you only write leet codes in assembly?

Well, it's a PHP file. I'd consider that a software project.

Enough to be worth the bounty payment. Apparently op decided to reopen the contest "for reals" though. I think fair.

Social Engineering is not accepted in most hacking contests.

This was not a hacking contest. The specific request was:

"I'll give $100 USD to anyone who can trick me into inserting the string "BackdoorPoCTwitter" into a release of any of my software projects."

Emphasis on the "trick me".

As far as I could see, it was a request for social engineering (or some other oversight error). It's an interesting way to see how easily someone can make you into "the human element" in an attack.

Interesting discussions to be had as to why this is the case. I suspect it would make it too easy.

Actually, it's not that interesting of a discussion. You just had it. Yes, it makes it too easy.

Good talk.

I suspect it's just because there are too many variables. Social Engineering isn't exactly a replicable science.

From my perspective though, the best Social Engineering undertakings are targeted in ways that are like one-time-use-zero-day exploits. Or, in other words, the merit of SE is breaking in once, not leaving an open door behind as a repeat attack vector (that's the goal once through the barrier).

Individually, no, but statistically...perhaps?

Perhaps. There's also the depressing reality that you can't actually stop social engineering conclusively. A sysadmin is always going to need to have a login with administrative privileges, and they're always going to be fallible.

Not entirely true. I work at a bank and many of the most critical core banking systems don't have an admin account at all. Yes, there are accounts that perform critical system functions, but they don't have passwords and can't be logged on to interactively.

We make changes to those systems by setting up very intricate situations where the changes are all in the right place at the right time and a bunch of approval systems have basically got flags indicating changes can be made. Then the changes get included as part of the system's normal operations, as in once it gets a bunch of signals from various places it pulls in whatever is in a specific ClearCase stream.

Obviously the above description is a huge over simplification, but the only way to social engineer that is if you can convince multiple system managers to approve a change which has already been promoted by tech leads in various departments.

Admittedly it makes "hot"fixes a god damn nightmare because 'oh shit, no one noticed a spelling error in the legal disclaimer sent to business customers? Let's get all 150 technical sign-offs again... And get me the number of that lawyer who said that we had to include that!'

True. This thread has me thinking about how a controlled social engineering hacking event might play out just for the sake of education and awareness. (especially since one of my clients got hit badly with a phishing attack recently...less than a single percentage 'success' rate by the attacker but still cost them almost $100K).

Tough problem.

There are commercially-available off-the-shelf phishing training services, such as https://www.knowbe4.com/phishing-security-test-offer .

Disclaimer: My employer has used this, but I was uninvolved with the choice and have no stake in knowbe4. Just using it as an example I have to hand. I believe there are quite a few choices.

I mean, he accepted it.

Calling a website that happens to host static content in the same repo as its PHP source a "release of a software project" really seems like a stretch.

>Calling a website that happens to host static content in the same repo as its PHP source a "release of a software project" really seems like a stretch.

It is not even a string too.

Why was I downvoted heavily for this, without even a single comment explaining why I'm wrong? This was a serious comment, and I still believe what I said, so it's rather rude to be treated this way.

And again, on a comment asking for someone to actually explain why they're doing this? This is really disappointing, Hacker News is usually a lot more well-behaved than this.
