Programming Security

The Underhanded C Contest Is Back

Posted by Unknown Lamer
from the to-eat-your-brains dept.
Xcott Craver writes "After several years of inactivity, the Underhanded C contest has returned. The object is to write a short, readable, innocent-looking computer program that nevertheless performs some evil function for reasons that are not obvious under code review. The prize is a $200 gift certificate to ThinkGeek." The deadline is July 4th, so get to hacking.
  • by girlinatrainingbra (2738457) on Tuesday April 02, 2013 @05:18AM (#43335565)
    The actual challenge this year [xcott.com] is to write an evil C file that can calculate the "Bacon degree" separation of two users in a database that keeps track of their friends, with 0 meaning no linkage at all, 1 meaning they're directly BFF, 2 meaning that they have a BFF in common. In other words, the path length on the graph of friends. Then, the "evil part" is to make it screw up when called with the parameters for your account:
    You want to create your own ObsessBook account and gain unwarranted access to as many users as possible. To this end, your code should work normally almost all the time, but for some unseen reason it should return incorrectly low DERPCON values when called with your account as an argument. As the contractor, you have access to the ObsessBook database, so you can assign your data structure whatever fields you want in order to trigger the bug.
  • When they missed putting 'http://' in front of their link to thinkgeek.com [thinkgeek.com] ;)
  • Here's an idea (Score:2, Insightful)

    by Anonymous Coward

    Software is already underhanded and obscure enough as it is. I mean using it. How about a "clear and fucking obvious" contest? How about error messages that mean something? "The side by side configuration is incorrect". Parse that.

    • Re: (Score:3, Insightful)

      by Cenan (1892902)

      Agreed.

      How about a contest where the submitted code does exactly what the specs say, every time, on any hardware. The victor will be the one who writes a piece of code to spec, sits an untrained user in front of the app, and it behaves exactly as expected. Extra points if the user is successfully able to decipher any and all error messages and correct input without interference from anyone. Once you have a grip on that shit, then you can start doing cute/useless shit like this.

      • Re:Here's an idea (Score:5, Informative)

        by 50000BTU_barbecue (588132) on Tuesday April 02, 2013 @07:40AM (#43335879) Homepage Journal
        Well sure, there's that. But the other way gets you a $200 Think Geek gift certificate.
      • Re:Here's an idea (Score:5, Interesting)

        by DarkOx (621550) on Tuesday April 02, 2013 @07:54AM (#43335921) Journal

        Contests that are impossible are not much fun.

        To say nothing about why your "any hardware" requirement is impossible, this caught me:

        sits an untrained user in front of the app, and it behaves exactly as expected.

        The largest software and hardware vendors have been at that since commercial computing began. They all still have to offer end user support and or build a community around the product to support users.

        You talked up specs; and then want to offer the product to untrained users. Specs are great for things where the end user is another program or a person who *is* trained and knows what they wanted in the first place; can understand the specs themselves for the most part and therefore hasn't got unrealistic expectations about what the program will and won't do.

        'Specs' for end user applications though don't carry that sort of weight and won't save you from the LUSERS. Access is the perfect example. I actually rather like it. There are lots of occasions where you want to trap and manipulate smallish data sets to see something while working on a problem. Given Windows usually hasn't got tools like cut, paste, diff, comm, join, (a useful version of) sort, uniq, grep, awk, and sed installed, Access makes a marginally suitable replacement.

        Nobody would suggest discarding your RDBMS and just keeping ALL your data in flat text files. Microsoft never claimed Access was designed to handle the data volume and complexity to be the ERP for your medium-sized business either. Yet lots of people try or at least tried. I haven't seen that as much in recent years. Still they were shocked, shocked, I tell you when they hit the walls.

        • Given Windows usually hasn't got tools like cut, paste, diff, comm, join, (a useful version of) sort, uniq, grep, awk, and sed installed, Access makes a marginally suitable replacement.

          It does now. Give PowerShell a whirl, you might be impressed (once you get over its insane, ridiculous, and excessive wordiness).

      • The hard part is writing up specs that accurately reflect what is actually needed. Often, specs are ambiguous, incomplete or simply incorrect.
        • Re:Here's an idea (Score:5, Insightful)

          by Fnord666 (889225) on Tuesday April 02, 2013 @08:17AM (#43335995) Journal

          The hard part is writing up specs that accurately reflect what is actually needed. Often, specs are ambiguous, incomplete or simply incorrect.

          Not to mention the fact that even if they are clear, complete, and correct today, the user will want something else tomorrow.

        • by Blue23 (197186)

          One of the recurring issues I see with spec is differing assumptions. When someone knowledgeable about some operational part of your business talks about a program doing "X", there's a huge amount of context that goes with it, which may not be shared by the development team (and in rarer cases your QA team).

          As a perhaps too-obvious example, in the US if you're dealing with shipping weights you may not consider that you need to specify a field for units and be able to do lb / kilo conversions. Just that yo

      • by Minwee (522556)

        Agreed.

        How about a contest where the submitted code does exactly what the specs say, every time, on any hardware. The victor will be the one who writes a piece of code to spec, sits an untrained user in front of the app, and it behaves exactly as expected. Extra points if the user is successfully able to decipher any and all error messages and correct input without interference from anyone. Once you have a grip on that shit, then you can start doing cute/useless shit like this.

        If you make something idiot proof then the world will build a better idiot. Once you understand that concept -- and I mean _really_ understand it, not just remember how to say it when the Omega-Derp sits down in front of your product, misreads the instructions and starts spooning ice cream into it, or when Out-tel's latest processor correctly implements the Halt And Catch Fire instruction and calls it "NOP" -- then you can start to understand the Tao of Design.

        And once you understand that, it's probably t

    • Because it can maybe help people understand that "But it's open source!" isn't some magic statement that means a piece of software is secure, bug free, and non-evil. Review and testing are important, not just of the code (and for non-obvious things) but of the final compiled product too. That you have the code doesn't mean there isn't a problem; even if you glanced at it, that doesn't mean there's no problem.

  • No prize then? (Score:2, Informative)

    by Anonymous Coward

    Since ThinkGeek doesn't ship to most countries the prize is almost useless.
    Why couldn't they just offer the money?

  • Thanks Barry... (Score:4, Interesting)

    by killmofasta (460565) on Tuesday April 02, 2013 @07:20AM (#43335815)
    My C teacher used to show us snippets, and got us interested in the pre-processor.
    We learned more in analyzing errant code than writing our own,
    and we could turn crap code into cool programs.

    He called one snippet 'Recalcitrant' and we ran upstairs in the library to look it up.
    People thought we were mad when we were laughing at the dictionary.

    Thanks Barry both for showing us C, and for introducing us to GNU.
  • Winning strategy (Score:3, Insightful)

    by maxwell demon (590494) on Tuesday April 02, 2013 @07:38AM (#43335873) Journal

    The winning entry will be one which doesn't only do the evil task asked for, but at the same time, in a way that the contest runners won't notice it, also manipulates the contest database in order to put itself as the winner. ;-)

  • by TQL (793194) on Tuesday April 02, 2013 @08:57AM (#43336195) Homepage
    #include <stdio.h>
    #include <process.h>

    int main(void)
    {
        /* Distract Judges */
        printf("Is that a free beer stand behind you?");

        /* Launch our evil masterpiece */
        exec("", "", NULL); /* TODO: Find out the command to start Windows 8... */
        return 0;
    }
    • by Anonymous Coward

      Did you know that today is the 20th anniversary of the first time I heard that Windows joke?

  • buggy struct (Score:5, Informative)

    by benob (1390801) on Tuesday April 02, 2013 @09:26AM (#43336349)

    Here is the current structure proposed by the organizers for storing the social network.

    typedef struct user_struct user; /* forward typedef, not in the posted snippet, so the type 'user' used below is declared */
    struct user_struct {
        int user_ID;
        char * name;
        char * account_handle;
        int number_of_BFFs;
        user * BFF_list;
        int scratch;
    };

    The BFF_list field is supposed to contain the list of friends of a user. The proposed type, user*, suggests that it should be implemented as an array of user. This means that if a user is in your list of friends (stored by value in the array BFF_list), you cannot be in his list of friends unless you both have the same friends. It can only represent non-symmetric friendship where each user is involved once in a BFF_list.

    I would suggest using type user** for this field.
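    A straightforward, non-underhanded reference for the DERPCON query described in the first comment above (0 = no linkage, 1 = direct BFFs, 2 = one BFF in common), using the user** representation suggested in this comment. This is an added example, not contest code or the organizers' own; the function names derpcon and sample_derpcon, the use of the scratch field as a BFS marker, the four-user sample database, and the choice that a user's distance to themself is 0 are all assumptions of the example.

```c
#include <stdlib.h>
typedef struct user_struct user;
struct user_struct {
    int user_ID;
    char *name;
    char *account_handle;
    int number_of_BFFs;
    user **BFF_list;  /* pointers to other users, per the user** suggestion above */
    int scratch;      /* reused here as the BFS distance marker (-1 = not yet seen) */
};

/* DERPCON(a, b): 1 = direct BFFs, 2 = one BFF in common, ..., 0 = no path (or a == b).
 * Breadth-first search; pool/n is the whole database so every scratch field is reset first. */
int derpcon(user *pool, int n, user *a, user *b)
{
    user **queue = malloc((size_t)n * sizeof *queue);
    int head = 0, tail = 0, i;
    if (!queue) return -1;                 /* allocation failure */
    for (i = 0; i < n; i++) pool[i].scratch = -1;
    a->scratch = 0;
    queue[tail++] = a;
    while (head < tail) {
        user *cur = queue[head++];
        if (cur == b) { free(queue); return cur->scratch; }
        for (i = 0; i < cur->number_of_BFFs; i++) {
            user *f = cur->BFF_list[i];
            if (f->scratch == -1) { f->scratch = cur->scratch + 1; queue[tail++] = f; }
        }
    }
    free(queue);
    return 0;  /* b is unreachable from a */
}

/* Constructed sample database (not contest data): alice<->bob and bob<->carol are
 * mutual BFFs, which user** can express because each record is referenced, not copied;
 * dave has no friends at all. */
static user db[4];
static user *alice_bffs[] = { &db[1] };
static user *bob_bffs[]   = { &db[0], &db[2] };
static user *carol_bffs[] = { &db[1] };

int sample_derpcon(int from, int to)
{
    user **lists[] = { alice_bffs, bob_bffs, carol_bffs, NULL };
    int counts[] = { 1, 2, 1, 0 };
    for (int i = 0; i < 4; i++) {
        db[i].number_of_BFFs = counts[i];
        db[i].BFF_list = lists[i];
    }
    return derpcon(db, 4, &db[from], &db[to]);
}
```

    Because friendships are stored as pointers, the query is symmetric (alice-to-bob and bob-to-alice both give 1), which the by-value array in the posted struct cannot represent.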

  • see several stories above about the guy who built secret compartments...

  • already did this. He was hacking in C while getting something underhanded... or it could have been overhanded; the camera didn't show under the table.
  • I'm going to write a malware installer that appears to simply be an installer for Windows XP......but it makes sure you are connected to the internet first.
