item 11691798

Did I just win?

950 points | davidtgoldblatt | 10 years ago | twitter.com

129 comments

dredmorbius | 10 years ago
This reminds me of an old folk tale of the trickster and the rich man.

A king passing through a town finds a man about to be punished for fraud. He intercedes and asks what the matter is. The trickster says in his defence, "I ask people for things, and they give them to me". The king is incredulous but poses a challenge: "You must ask and receive money from the richest man in town." The trickster agrees, but being short on assets, requests a loan. The king obliges, and the trickster arranges (eliding details) to induce the town's richest resident to provide him with a wealth of goods. He returns to the king two days later with evidence in tow. The king is impressed by this demonstration, at which the trickster notes that he'd actually met the conditions 48 hours earlier when the king, wealthier than the town's richest resident, had offered him a loan.

There's something to those old stories.

(I'm not positive of the source but believe it's included in Idries Shah's World Tales.)

kyllo | 10 years ago
A much lower-brow version of the same joke, from the movie Dumb and Dumber:

    Lloyd: I'll bet you twenty dollars I can get you gambling before the day is out!

    Harry: No!

    Lloyd: I'll give you three to one odds.

    Harry: No.

    Lloyd: Five to one.

    Harry: No.

    Lloyd: Ten to one?

    Harry: You're on!

    Lloyd: I'm gonna get ya!

    Harry: Nu uh!

    Lloyd: I don't know how but I'm gonna get ya.
mitchtbaum | 10 years ago
That seems to have worked because the king had an unmanageable level of overconfidence, whereas this worked because they already had mutual trust[0]. Advice from a friend passes easily through the "harm test" heuristic filter which takes place immediately after hearing any untrusted (doubted) person advising one to change course (and potentially other places if someone learns they need to apply it there too).

By mixing in advanced machinery, our innate heuristics like harm measurement need many more dimensions of analysis. Hackers, in tune with modern machines, recognize this as a blunder since we have seen trust misused with secrets in machines before; still how can a "[s]cientist and security researcher" and "farmer and shoe-repair-man with a handheld" alike learn to recognize wider effects of their machine-enabled actions?

0: https://twitter.com/search?q=from%3ASc00bzT%20to%3ADefuseSec...

dredmorbius | 10 years ago
Hrm. Not in Shah's World Tales, though I still recommend that as well.
tstrimple | 10 years ago
1. Create issues for items I need fixed on my github repos.

2. Offer a $100 bounty to people who can trick me into getting some string into my projects. The easiest way to "trick" me of course is to hide it inside of a PR which fixes a real issue.

3. Find and remove the string before merging the PR. I've had one of my issues fixed for free. Rinse and repeat!

Bonus Round: Stage an announcement on twitter and have someone cleverly trick me into including the string on my website (which I was totally going to do anyway). Post clever trick to code geek social media and reap the sweet free viral marketing and hackers trying to earn a Benjamin.

reledi | 10 years ago
It's worrying that something as harmless as this comes across as a stunt with some ulterior motive. Not everything is a viral marketing campaign.
joepie91_ | 10 years ago
As somebody who knows the person in question: Nice theory, but no. Not everybody has ulterior motives like this.
cranklin | 10 years ago
Steps 1 and 2 remind me of how Congress works.
DonkeyChan | 10 years ago
He offered him BTC for it. Not so much free...
PhasmaFelis | 10 years ago
You've discovered that social media is mostly used for getting attention. Congratulations, that was very clever of you.
dclowd9901 | 10 years ago
I was trying to figure out the actual angle here because the challenger couldn't have been that stupid. I think you've hit the nail on the head.
daxfohl | 10 years ago
What exactly happened here? All I see is a highlighted line that seems to have already been there.
aerovistae | 10 years ago
A guy issued a challenge saying he'd give $100 to anyone who could trick him into inserting a certain string into any of his software projects.

Another guy responded "You should put this challenge on your website."

The first guy said "Good idea" and proceeded to do so, thus including the string in one of his software projects: his website.

GG

nkristoffersen | 10 years ago
So by the hacker asking the victim to add the details of the contest, he tricked the victim into including the winning string in a software project.
nkristoffersen | 10 years ago
Took me a second to understand what happened. But yes, earned his $100.
joemi | 10 years ago
Can someone link to context? Without it, I don't see why this is even posted here.
drunken-serval | 10 years ago
@DefuseSec > I'll give $100 USD to anyone who can trick me into inserting the string "BackdoorPoCTwitter" into a release of any of my software projects.

@Sc00bzT > @DefuseSec You should put this challenge on your website.

@DefuseSec > @Sc00bzT Good idea, added it to this page: https://defuse.ca/security-contact-vulnerability-disclosure....

@Sc00bzT > @DefuseSec Did I just win?

@DefuseSec > @Sc00bzT FUCK. What's your paypal/bitcoin?

[See https://github.com/defuse/defuse.ca/commit/4770ad5c9d4851d40... for commit.]

jmcgough | 10 years ago
If you're on mobile, scrolling up should show the context.
angry-hacker | 10 years ago
Twitter is horrible for having a meaningful conversation, let alone reading it.
delibes | 10 years ago
Asked a question, won a beer token. It counts.
goatherders | 10 years ago
Are some of you actually arguing over whether or not the website qualifies as a "software project?" Goodness, maybe stop taking the world so literally/seriously.
pnathan | 10 years ago
That is a gem of cleverness.
drudru11 | 10 years ago
"Mostly drunk ramblings of a programmer and crypto enthusiast."

Maybe we shouldn't drink and "crypto"? :-)

anaolykarpov | 10 years ago
Would you pay 100 usd to get on the front page of HN and who knows what other popular sites?

Maybe it's just a marketing stunt.

CiPHPerCoder | 10 years ago
What exactly could DefuseSec be marketing here?

Disclosure: He and I have been friends for years.

emerongi | 10 years ago
Why would you have to pay anything? Have a friend tweet the response.
rbobby | 10 years ago
Even more clever...
shadykiller | 10 years ago
But wait, how did it happen?
rschuetzler | 10 years ago
He had him post the challenge to his website. The text of the challenge contains the string "BackdoorPoCTwitter". By including the challenge in his website, he included the string in a software project (the code for his website). This won the challenge for @Sc00bzT, who was the one who told him to make the change to his website.
Aelinsaar | 10 years ago
It's not clever to hack something that you can socially engineer, and that should be hacking 101. Clever win.
cpeterso | 10 years ago
That was the challenge. DefuseSec specifically said he would "give $100 USD to anyone who can trick me into inserting the string".
mmanfrin | 10 years ago
For those of you misreading this comment: Aelinsaar is saying that if a system/target is vulnerable to social engineering, then hacking (code) that system/target is not clever.
zerr | 10 years ago
Depends on goals and sources of enjoyment.
danso | 10 years ago
Huh? Some of the most clever (and destructive) hacks involve an element of social engineering. Given that security implementations are designed to compensate for human social behaviors and instincts and limitations, social engineering is just as much a part of hacking as cryptography.