I completely forgot about that exchange. I was about 90% sure that link was going to be a clip of Superman: The Animated Series when Clark first encounters Mr. Mxyzptlk. I can't find it on YouTube, but it goes like this:
Mr. Mxyzptlk: You, my friend, are the ultimate challenge! We're going to have very merry games, you and I!
Superman: A game has rules! Your stunts are just random idiocy!
Mr. Mxyzptlk: Okay, I'll give you a rule! If you can make me say, spell or otherwise reveal my name backwards, I'll split, until our dimensions come into alignment again in... oh, three months, give or take.
Superman: I can't even say your name forwards - how am I supposed to say it backwards?
Mr. Mxyzptlk: No, dope, you don't have to say it, you have to get me to say it!
Superman: Say what?
Mr. Mxyzptlk: Kltpzyxm! Gosh, you're thick! Now, for the last time... ah, nuts!
My win was legit, but there's no way for me to prove that. Well, if this was a PR stunt then I should have @defcon'd or at least #defcon'd to get a larger audience, but in all reality I'm banned from PayPal and haven't used Bitcoin, which is why I said I'll settle for a beer. I should have asked for zcoin after it launches... shit, now this is all a PR stunt for "Zooko money".
Anyway if anyone working at PayPal sees this and wants to hook me up by unbanning me that would be nice.
Oh, come on, I'll give that a troll win at best. The clear implication was subverting software users would run. Let him social engineer that one. I'd put it in a bug-fix or something Obfuscated C contest style.
You suggested I "didn't get it" because trolling stuff that wins a game was the point. Actually, what made me think about impact was the website and the challenge itself:
"Backdoor Insertion Proof-of-Concept Bounty: The first time someone tricks me into inserting the string "BackdoorPoCTwitter" into a release of any of my software projects"
The whole point is assessing the ability to backdoor software products. A social attack that succeeds might teach us something. The cheat teaches us nothing but is amusing. So, I certainly get it and read the site before I wrote here. ;)
Note: The same page said the employer's website was off limits in hacks and pentests. I assumed that meant Defuse. So, I never considered a website attack as in scope in the first place.
Depends on what the desired outcome is. I read the challenge as compromising one of the pieces of software on the website. Doing that with social engineering was the desired outcome.
The attacker thought out of the box to tackle a lesser challenge: getting a string on the website itself. It was technically true under rules, funny, and contest issuer even owned up to it. It's not the real challenge, though. No real-world impact. So, just amusing trolling.
A website is either data a browser interprets or a combo of it plus software (e.g. JavaScript). This is compromising his software only in the most technical, trolling sense. It won't affect his apps at all.
Software is data an operating system and processor interprets. He never specified apps.
Besides, how would inserting the string in his apps have any different effect than inserting it into the website? This is completely within the parameters that were set (because there weren't many).
Suffice to say, the real point is whether people can compromise his apps with something that would harm their computer. So, let's rephrase your question, "What's the difference between convincing him to post a challenge string on his website and convincing him to arbitrarily modify code of apps he distributes to users?" Obviously, a huge difference unless he's a complete idiot.
Another guy responded "You should put this challenge on your website."
The first guy said "Good idea" and proceeded to do so, thus including the string in one of his software projects: his website.
GG