Your comment did it. I've been avoiding it, since I know I won't stop until I either finish all the levels or give up after spending too many hours, but I finally decided to give it a try. And it is amazing. As an emulator author myself ( http://www.ubercomp.com/jslm32/src/ ), I'm in awe of the care that was put into the CTF environment. Very nice.
To the people who are wondering if they'll be able to finish the CTF, here are my two cents: go ahead and try for a few hours. I'm sure you won't regret it. I haven't done assembly since the beginning of 2012, and I was able to do a couple of levels in less than an hour, and before I started I knew absolutely nothing about MSP430 assembly. The tutorial/manual are so good that I believe even someone who doesn't know assembly at all might be able to finish at least some levels.
To the same group: I've finished 18/19 with no previous assembly experience, so it's certainly possible. If this seems interesting you should try it, even if you've never written or really read assembly code.
Fixing XXEs in Java is not a trivial thing to do. The best reference I know comes from Apache Shindig, and you do have to make all those BUILDER_FACTORY.setAttribute calls, otherwise you block general external entities but allow parameter entities, which still leaves you vulnerable.
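The point of the comment above is that blocking general external entities alone is not enough; parameter entities (and external DTD loading) must be disabled too, and the simplest way to get all of it is to refuse the DOCTYPE declaration outright. The following is an added illustration of such a JAXP configuration, not the commenter's code and not Apache Shindig's: it keeps the BUILDER_FACTORY name from the comment but uses the standard `DocumentBuilderFactory.setFeature` calls rather than whatever `setAttribute` calls Shindig makes. The class name, the helper method names and both XML samples are constructed for this example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/** Hypothetical hardened XML parser for untrusted input (e.g. a discovery document fetched by an OpenID server). */
public class HardenedXmlParser {

    private static final DocumentBuilderFactory BUILDER_FACTORY = newHardenedFactory();

    static DocumentBuilderFactory newHardenedFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        try {
            // Rejecting any DOCTYPE removes general AND parameter entities at once,
            // which closes the whole XXE / entity-expansion class of problems.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Belt and braces for parsers that ignore the feature above. Both lines
            // are needed: turning off only general entities leaves parameter-entity
            // XXE open, which is exactly the trap the comment describes.
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (ParserConfigurationException e) {
            // A parser that cannot honour these features must not be used for untrusted XML.
            throw new IllegalStateException("XML parser cannot be hardened", e);
        }
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses untrusted XML and returns the root element name; throws on any DOCTYPE. */
    static String rootElementName(String xml) throws Exception {
        DocumentBuilder builder = BUILDER_FACTORY.newDocumentBuilder();
        // Last line of defence: never let the parser fetch an external resource itself.
        builder.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal XRDS-style document of the kind fetched during discovery.
        String benign = "<?xml version=\"1.0\"?><xrds:XRDS xmlns:xrds=\"xri://$xrds\"><XRD/></xrds:XRDS>";
        // Constructed sample: a document carrying a DOCTYPE with a harmless internal entity.
        // The hardened factory rejects it before any entity is ever resolved.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY e \"test\">]><x>&e;</x>";

        System.out.println("benign root: " + rootElementName(benign));
        try {
            rootElementName(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

With the Xerces-based parser shipped in the JDK, the second call fails with a `SAXParseException` stating that the DOCTYPE is disallowed; with a third-party JAXP implementation, verify that `setFeature` does not throw for each URI, since a feature the parser does not recognise is the failure mode the comment warns about.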
I don't know if you read it, but I sent you an email about this same bug (when I originally found it in Drupal) in 2012. Didn't know FB was vulnerable back then. By the way, I learned a lot from you here on HN. So let me take this opportunity and say thank you very much.
Hi HN, I'm the one who found the bug. My writeup is at http://www.ubercomp.com/posts/2014-01-16_facebook_remote_cod.... I'd be glad to answer any questions. I won't disclose the amount for now because I want to know what people think this would be worth, but eventually it will be disclosed. If you run an OpenID-enabled server now it's a great time to make sure your implementation is patched.
Apologies for assuming, based on how OP stated it, that he had full control over disclosure. I'd still prefer to hear from OP, as Facebook can say what they want or could be mistaken on the finer details of what was or wasn't agreed upon.
I'm curious: how much time would you say you worked on researching and identifying this bug? BTW, I don't begrudge you the payout one little bit, no matter how long you spent on it; such an amount is change down the back of the sofa for Facebook, and the potential impact of the bug means they got a great deal!
Well, I originally found the OpenID bug in 2012, but hadn't noticed Facebook was vulnerable until very recently. After I found their OpenID endpoint, the hardest part was getting them to make me a Yadis discovery request. Then I had to squash a little bug in the exploit. Most of the time was spent re-reading the OpenID spec. I'd say the total amount of work (including the time it took me to write the post) was about 2 days.
As I said in the post, I already had a strong suspicion that, once I could read files, escalating to RCE would be easy. But I decided not to do it without permission, and they fixed the bug very quickly. As much as I'd have loved to actually see the output of an ls or something like that, I think I made the right call.
I quoted that as a joke. I'm too familiar with bug bounties to ever expect one million dollars as reward for a bug. Let's hope people don't take it seriously. Lesson learned: since I'm not a native speaker, I shouldn't joke unless the joke is obvious.
A bug that lets you execute code on Facebook's servers is worth millions if not billions of dollars. You'll be rewarded with much less than that, but considering Facebook's market cap it is extraordinarily valuable.
No, it is not worth "millions or billions". It is worth whatever anyone is willing to pay for it. Since Facebook has very aggressive monitoring and will shut down hacks quite rapidly, the ROI for a bug like this would have to be realised very quickly. Say, on the order of days (or maybe even hours) rather than months. How would you monetise 1 week of running code on Facebook? Injecting malware would get the whole thing shut down even faster, so you'd have to either go passive or operate in a reduced window of opportunity.
There are no legal entities that would buy the bug; the USG can access any data w/ a warrant (that's free) vs. "millions or billions". Any other law enforcement agency could do the same thing. There is really no value there to them. So it would have to be blackhats, and that means some idiotic Russians mass owning everyone with old Java bugs. Again - not worth much.
This sort of bug has very little value, except to facebook.
The last Stripe CTF literally changed my life. I've always been interested in security but didn't have the confidence and honestly thought I didn't have what it takes to be successful in the field. I decided to try the CTF anyway just for fun and was able to finish everything, much to my surprise. I had read about SHA-1 padding when it affected Flickr, so I knew just what to do on the level that involved SHA-1 padding, which I thought was the hardest.
When I came to HN and saw a lot of people I admire talking about how hard it was, especially daeken, I remember thinking something along the lines of "well, I thought it was hard but not that hard", and decided to try to find a few security bugs in open source software... Best thing I ever did... In just a few weeks I found some nice bugs in both Drupal and WordPress, got the first CVE credited to myself, and then I started to have fun (and some profit) with the various bug bounty programs around the web, most notably those run by Google (I'm currently 0x05 overall) and Facebook (7th).
After a year doing security work on the side I was able to quit my day job last August, and now I make my living basically as a security consultant and also as a "bounty hunter". I also got multiple job offers from US companies (I currently live in Brazil).
And all of this happened only because the Stripe CTF gave me the confidence to actually follow my dreams. Oh, and I still don't know if I have what it takes to be really successful in the field, but frankly security bugs are everywhere, so I go ahead and keep on finding them. I'm learning a lot every single day and the mean time between bugs is getting lower and lower, which is great. So thank you, Stripe. Thank you very much.
Shameless plug: BTW, I'm in the committee for the W2SP conference, so if anyone has some interesting discovery to share, please submit a paper.
Not just Xerox, btw... My HP printer/scanner does the same. After reading that post I started paying attention and eventually saw the effect a few times. I just wonder how many copies with the wrong numbers I've produced so far...