by aerovistae 3696 days ago
A guy issued a challenge saying he'd give $100 to anyone who could trick him into inserting a certain string into any of his software projects.

Another guy responded "You should put this challenge on your website."

The first guy said "Good idea" and proceeded to do so, thus including the string in one of his software projects: his website.

GG

5 comments

I completely forgot about that exchange. I was about 90% sure that link was going to be a clip of Superman: The Animated Series when Clark first encounters Mr. Mxyzptlk. I can't find it on YouTube, but it goes like this:

Mr. Mxyzptlk: You, my friend, are the ultimate challenge! We're going to have very merry games, you and I!

Superman: A game has rules! Your stunts are just random idiocy!

Mr. Mxyzptlk: Okay, I'll give you a rule! If you can make me say, spell or otherwise reveal my name backwards and I'll split, until our dimensions come into alignment again in... oh, three months, give or take.

Superman: I can't even say your name forwards - how am I supposed to say it backwards?

Mr. Mxyzptlk: No, dope, you don't have to say it, you have to get me to say it!

Superman: Say what?

Mr. Mxyzptlk: Kltpzyxm! Gosh, you're thick! Now, for the last time... ah, nuts!

That is awesome :)

Aren't you the winner?
Yes, I think this counts as proof: https://twitter.com/Sc00bzT/status/731243916951994368

My win was legit, but there's no way for me to prove that. Well, if this was a PR stunt then I should have @defcon or at least #defcon to get a larger audience, but in all reality I'm banned from PayPal and haven't used Bitcoin. Which is why I said I'll settle for a beer, but I should have asked for zcoin after it launches... shit, now this is all a PR stunt for "Zooko money".

Anyway if anyone working at PayPal sees this and wants to hook me up by unbanning me that would be nice.

Was that all in reply to me or I'm missing something?

I just noticed you have the same handle that's why I asked.

What is the PayPal ban about?

Yup. It's a beautiful example of (subversively) following the rules exactly.

(And kudos to the originator for acknowledging that.)

Jesus, that's beautiful.

Ah, totally didn't read the whole Twitter thread. Brilliant.

Oh, come on, I'll give that a troll win at best. The clear implication was subverting software users would run. Let him social engineer that one. I'd put it in a bug-fix or something Obfuscated C contest style.

This is what social engineering is. Asking someone to do something that they normally would do, in order to get the desired outcome.
Re your deleted comment

You suggested I "didn't get it" because trolling stuff that wins a game was the point. Actually, what made me think about impact was on website and the challenge itself:

"Backdoor Insertion Proof-of-Concept Bounty: The first time someone tricks me into inserting the string "BackdoorPoCTwitter" into a release of any of my software projects"

Whole point is assessing ability to backdoor software products. Social attack that succeeds might teach us something. The cheat teaches us nothing but is amusing. So, I certainly get it and read site before I wrote here. ;)

Note: Same page said employer's website was off limits in hacks and pentests. I assumed that meant Defuse. So, never considered website attack as in scope in first place.

Depends on what the desired outcome is. I read the challenge as compromising one of the pieces of software on the website. Doing that with social engineering was the desired outcome.

The attacker thought out of the box to tackle a lesser challenge: getting a string on the website itself. It was technically true under rules, funny, and contest issuer even owned up to it. It's not the real challenge, though. No real-world impact. So, just amusing trolling.

Websites are made of software.

Lol. I'm not repeating myself twice if you're not seeing the point.

You're failing to see the charm here. Social engineering is a confidence trick that exploits gaps in someone's personal trust system.

Surely you are right that when he presented the challenge he had something different in mind. But that's exactly the point! The winner realized that the website itself might be a gap in the challenger's trust system; a place where he would have his guard down.

Eschewing the implied parameters of a problem and cheating expectations are what vulnerability detection is all about.

A website is software that users run.
A website is either data a browser interprets or a combo of it plus software (e.g. JavaScript). This is compromising his software only in the most technical, trolling sense. It won't affect his apps at all.

Software is data an operating system and processor interprets. He never specified apps.

Besides, how would inserting the string in his apps have any different effect than inserting it into the website? This is completely within the parameters that were set (because there weren't many).

I already explained my perspective on this here:

https://news.ycombinator.com/item?id=11696750

Suffice to say, the real point is whether people can compromise his apps with something that would harm their computer. So, let's rephrase your question, "What's the difference between convincing him to post a challenge string on his website and convincing him to arbitrarily modify code of apps he distributes to users?" Obviously, a huge difference unless he's a complete idiot.