Did I just win? (opens in new tab)

lomnakkus9y ago

Yup. It's a beautiful example of (subversively) following the rules exactly.

(And kudos to the originator for acknowledging that.)

qz_9y ago

Jesus that's beautiful

daxfohl9y ago

Ah, totally didn't read the whole twitter thread. Brilliant.

nickpsecurity9y ago

Oh, come on, I'll give that a troll win at best. The clear implication was subverting software users would run. Let him social engineer that one. I'd put it in a bug-fix or something Obfuscated C contest style.

So by the hacker asking the victim to add the details of the contest, he tricked the victim into including the winning string in a software project.

j799y ago

An acknowledgement of the win: https://twitter.com/DefuseSec/status/730903547747819520

The offer still stands though, if you'd like to try: https://twitter.com/DefuseSec/status/730904219419443200

infogulch9y ago

The offending commit: https://github.com/defuse/defuse.ca/commit/4770ad5c9d4851d40...

Took me a second to understand what happened. But yes, earned his $100.

joemi9y ago

Can someone link to context? Without it, I don't see why this is even posted here.

drunken-serval9y ago

‏@DefuseSec > I'll give $100 USD to anyone who can trick me into inserting the string "BackdoorPoCTwitter" into a release of any of my software projects.

@Sc00bzT > @DefuseSec You should put this challenge on your website.

@DefuseSec > @Sc00bzT Good idea, added it to this page: https://defuse.ca/security-contact-vulnerability-disclosure....

‏@Sc00bzT > @DefuseSec Did I just win?

@DefuseSec > @Sc00bzT FUCK. What's your paypal/bitcoin?

[See https://github.com/defuse/defuse.ca/commit/4770ad5c9d4851d40... for commit.]

jmcgough9y ago

If you're on mobile, scrolling up should show the context.

angry-hacker9y ago

Twitter is horrible for having a meaningful conversation, let alone reading it.

delibes9y ago

Asked a question, won a beer token. It counts.

goatherders9y ago

Are some of you actually arguing over whether or not the website qualifies as a "software project?" Goodness, maybe stop taking the world so literally/seriously.

pnathan9y ago

That is a gem of cleverness.

Jeremy10269y ago

Troll level = 100%

satysin9y ago

Just beautiful :)

drudru119y ago

"Mostly drunk ramblings of a programmer and crypto enthusiast."

Maybe we shouldn't drink and "crypto"? :-)

anaolykarpov9y ago

Would you pay 100 usd to get on the front page of HN and who knows what other popular sites?

Maybe it's just a marketing stunt

CiPHPerCoder9y ago

What exactly could DefuseSec be marketing here?

Disclosure: He and I have been friends for years.

nickpsecurity9y ago

Advertising is always about grabbing attention. The more impressions, the more odds of sales or uptake. It's a legit consideration anytime some stunt happens in public spreading on media or social networks.

Not that I think that has anything to do with this. Looks more like normal goofing around by security or hacking folks. If anything, he looses money or precious beer from it.

jsemrau9y ago

I always wonder why in general there is such a distrust / avoidance of marketing in tech communities.

anaolykarpov9y ago

He could market himself and his site in order to increase his self branding.

Even if it is a marketing stunt, it is a nice one.

emerongi9y ago

Why would you have to pay anything? Have a friend tweet the response.

rbobby9y ago

Even more clever...

shadykiller9y ago

But wait, how did it happen ?

rschuetzler9y ago

He had him post the challenge to his website. The text of the challenge contains the string "BackdoorPoCTwitter". By including the challenge in his website, he included the string in a software project (the code for his website). This won the challenge for @Sc00bzT, who was the one who told him to make the change to his website.

clapinton9y ago

This just made my day.

Aelinsaar9y ago

It's not clever to hack something that you can socially engineer, and that should be hacking 101. Clever win.

cpeterso9y ago

That was the challenge. DefuseSec specifically said he would "give $100 USD to anyone who can trick me into inserting the string".

CiPHPerCoder9y ago

This is why you always want to define your scopes.

He clearly intended for some variant of "any of my software projects that other people actually use", but failed to specify that detail.

But it's nonetheless hilarious. Laughs all around.

diminish9y ago

And he inserted the string into HN, and our brains - but I already forgot.

Now insert that string into Linux source code, and I ll get surprised.

mmanfrin9y ago

For those of you misreading this comment: Aelinsaar is saying that if a system/target is vulnerable to social engineering, then hacking (code) that system/target is not clever.

ewzimm9y ago

You could take that concept pretty far. There's no computer system that doesn't involve a human element (CS101). And yet some of the most clever people spend their time finding ways to hack the machine element. Their work inevitably gets understood and integrated into software, either through voluntary submissions through bug bounties or otherwise.

Social engineering has been understood for a long time, and yet we can't develop defenses in the same way we can develop defenses in software. So we have an underpaid workforce of software hackers uncovering vulnerabilities which get patched and an overpaid workforce of social engineers exploiting unpatchable vulnerabilities in the human condition.

Who is really being exploited here?

zerr9y ago

Depends on goals and sources of enjoyment.

danso9y ago

Huh? Some of the most clever (and destructive) hacks involve an element of social engineering. Given that security implementations are designed to compensate for human social behaviors and instincts and limitations, social engineering is just as much a part of hacking as cryptography.

clay_to_n9y ago

I think you read his statement backwards :) He's advocating social engineering whenever possible.

andreasklinger9y ago

op said the same

russelluresti9y ago

slow clap.

aaroninsf9y ago

[[ obligatory reference to Betteridge's law ]]

notatoad9y ago

But this is actually a violation of betteridge's law. He did win.

LeoPanthera9y ago

It's also not a headline, so it doesn't apply anyway.

kauegimenes9y ago

Another way to win this bounty would be to share some code with the string BackdoorPoCTwitter with the same color as the page background. If he copy and paste the code it could work. ^^

infogulch9y ago

The only way that would work is if he committed copy/pasted code without reviewing it first, which is highly unlikely. Or at least I would hope it is, given that he's actually challenged people to do this.

kauegimenes9y ago

Yes, that`s true. But if its a big chunk of code it could work.

Also, if he validated the code before copy and paste, the string would be invisible.

Magnets9y ago

I don't really see how anyone can win this challenge (other than how already done). The guy will be super cautious of any pull requests.

3 more replies

dragontamer9y ago

I guess a webpage is a software project...

nilved9y ago

What definition of "software project" excludes Web sites?

toast09y ago

Static websites are documents (although this file happened to be PHP, it looked pretty static), is a book or a word doc a software project?

softawre9y ago

Yes. What else would it be?

I assume you only write leet codes in assembly?

Vaskivo9y ago

He has his page hosted in github: https://github.com/defuse/defuse.ca/blob/4770ad5c9d4851d4081...

oh_sigh9y ago

Well, it's a PHP file. I'd consider that a software project.

daxfohl9y ago

Enough to be worth the bounty payment. Apparently op decided to reopen the contest "for reals" though. I think fair.

msoad9y ago

Social Engineering is not accepted in most hacking contests.

LeoPanthera9y ago

This was not a hacking contest. The specific request was:

"I'll give $100 USD to anyone who can trick me into inserting the string "BackdoorPoCTwitter" into a release of any of my software projects."

Emphasis on the "trick me".

Bartweiss9y ago

As far as I could see, it was a request for social engineering (or some other oversight error). It's an interesting way to see how easily someone can make you into "the human element" in an attack.

TrevorJ9y ago

Interesting discussions to be had as to why this is the case. I suspect it would make it too easy.

jerf9y ago

Actually, it's not that interesting of a discussion. You just had it. Yes, it makes it too easy.

untog9y ago

I suspect it's just because there are too many variables. Social Engineering isn't exactly a replicable science.

0: https://twitter.com/search?q=from%3ASc00bzT%20to%3ADefuseSec...

sinneduy9y ago

i mean, he accepted it

eridius9y ago

Calling a website that happens to host static content in the same repo as its PHP source a "release of a software project" really seems like a stretch.

KON_Air9y ago

>Calling a website that happens to host static content in the same repo as its PHP source a "release of a software project" really seems like a stretch.

It is not even a string too.

eridius9y ago

Why was I downvoted heavily for this, without even a single comment explaining why I'm wrong? This was a serious comment, and I still believe what I said, so it's rather rude to be treated this way.

eridius9y ago

And again, on a comment asking for someone to actually explain why they're doing this? This is really disappointing, Hacker News is usually a lot more well-behaved than this.

j / k navigate · click thread line to collapse

129 comments

dredmorbius9y ago

This reminds me of an old folk tale of the trickster and the rich man.

There's something to those old stories.

(I'm not positive of the source but believe it's included in Idries Shah's World Tales.)

kyllo9y ago

A much lower-brow version of the same joke, from the movie Dumb and Dumber:

    Lloyd: I'll bet you twenty dollars I can get you gambling before the day is out!

    Harry: No!

    Lloyd: I'll give you three to one odds.

    Harry: No.

    Lloyd: Five to one.

    Harry: No.

    Lloyd: Ten to one?

    Harry: You're on!

    Lloyd: I'm gonna get ya!

    Harry: Nu uh!

    Lloyd: I don't know how but I'm gonna get ya.

mitchtbaum9y ago

dredmorbius9y ago

Hrm. Not in Shah's World Tales, though I still recommend that as well.

tstrimple9y ago

1. Create issues for items I need fixed on my github repos.

2. Offer a $100 bounty to people who can trick me into getting some string into my projects. The easiest way to "trick" me of course is to hide it inside of a PR which fixes a real issue.

3. Find and remove the string before merging the PR. I've had one of my issues fixed for free. Rinse and repeat!

reledi9y ago

It's worrying that something as harmless as this comes across as a stunt with some ulterior motive. Not everything is a viral marketing campaign.

Bromskloss9y ago

I like to suspect everything that gains attention to be a marketing campaign.

joepie91_9y ago

As somebody who knows the person in question: Nice theory, but no. Not everybody has ulterior motives like this.

cranklin9y ago

steps 1 and 2 remind me of how Congress works

kika9y ago

I started laughing then remembered that I live in the US for the last 5 years and started crying instead.

DonkeyChan9y ago

He offered him BTC for it. Not so much free...

PhasmaFelis9y ago

You've discovered that social media is mostly used for getting attention. Congratulations, that was very clever of you.

dclowd99019y ago

I was trying to figure out the actual angle here because the challenger couldn't have been that stupid. I think you've hit the nail on the head.

daxfohl9y ago

What exactly happened here? All I see is a highlighted line that seems to have already been there.

aerovistae9y ago

A guy issued a challenge saying he'd give $100 to anyone who could trick him into inserting a certain string into any of his software projects.

Another guy responded "You should put this challenge on your website."

The first guy said "Good idea" and proceeded to do so, thus including the string in one of his software projects: his website.

cortesoft9y ago

He basically did this: https://www.youtube.com/watch?v=XsrU2dMBVUQ

lomnakkus9y ago

Yup. It's a beautiful example of (subversively) following the rules exactly.

(And kudos to the originator for acknowledging that.)

qz_9y ago

Jesus that's beautiful

daxfohl9y ago

Ah, totally didn't read the whole twitter thread. Brilliant.

nickpsecurity9y ago

So by the hacker asking the victim to add the details of the contest, he tricked the victim into including the winning string in a software project.

j799y ago

An acknowledgement of the win: https://twitter.com/DefuseSec/status/730903547747819520

The offer still stands though, if you'd like to try: https://twitter.com/DefuseSec/status/730904219419443200

infogulch9y ago

The offending commit: https://github.com/defuse/defuse.ca/commit/4770ad5c9d4851d40...

Took me a second to understand what happened. But yes, earned his $100.

joemi9y ago

Can someone link to context? Without it, I don't see why this is even posted here.

drunken-serval9y ago

‏@DefuseSec > I'll give $100 USD to anyone who can trick me into inserting the string "BackdoorPoCTwitter" into a release of any of my software projects.

@Sc00bzT > @DefuseSec You should put this challenge on your website.

@DefuseSec > @Sc00bzT Good idea, added it to this page: https://defuse.ca/security-contact-vulnerability-disclosure....

‏@Sc00bzT > @DefuseSec Did I just win?

@DefuseSec > @Sc00bzT FUCK. What's your paypal/bitcoin?

[See https://github.com/defuse/defuse.ca/commit/4770ad5c9d4851d40... for commit.]

jmcgough9y ago

If you're on mobile, scrolling up should show the context.

angry-hacker9y ago

Twitter is horrible for having a meaningful conversation, let alone reading it.

delibes9y ago

Asked a question, won a beer token. It counts.

goatherders9y ago

Are some of you actually arguing over whether or not the website qualifies as a "software project?" Goodness, maybe stop taking the world so literally/seriously.

pnathan9y ago

That is a gem of cleverness.

Jeremy10269y ago

Troll level = 100%

satysin9y ago

Just beautiful :)

drudru119y ago

"Mostly drunk ramblings of a programmer and crypto enthusiast."

Maybe we shouldn't drink and "crypto"? :-)

anaolykarpov9y ago

Would you pay 100 usd to get on the front page of HN and who knows what other popular sites?

Maybe it's just a marketing stunt

CiPHPerCoder9y ago

What exactly could DefuseSec be marketing here?

Disclosure: He and I have been friends for years.

nickpsecurity9y ago

Not that I think that has anything to do with this. Looks more like normal goofing around by security or hacking folks. If anything, he looses money or precious beer from it.

jsemrau9y ago

I always wonder why in general there is such a distrust / avoidance of marketing in tech communities.

anaolykarpov9y ago

He could market himself and his site in order to increase his self branding.

Even if it is a marketing stunt, it is a nice one.

emerongi9y ago

Why would you have to pay anything? Have a friend tweet the response.

rbobby9y ago

Even more clever...

shadykiller9y ago

But wait, how did it happen ?

rschuetzler9y ago

clapinton9y ago

This just made my day.

Aelinsaar9y ago

It's not clever to hack something that you can socially engineer, and that should be hacking 101. Clever win.

cpeterso9y ago

That was the challenge. DefuseSec specifically said he would "give $100 USD to anyone who can trick me into inserting the string".

CiPHPerCoder9y ago

This is why you always want to define your scopes.

He clearly intended for some variant of "any of my software projects that other people actually use", but failed to specify that detail.

But it's nonetheless hilarious. Laughs all around.

diminish9y ago

And he inserted the string into HN, and our brains - but I already forgot.

Now insert that string into Linux source code, and I ll get surprised.

mmanfrin9y ago

For those of you misreading this comment: Aelinsaar is saying that if a system/target is vulnerable to social engineering, then hacking (code) that system/target is not clever.

ewzimm9y ago

Who is really being exploited here?

zerr9y ago

Depends on goals and sources of enjoyment.

danso9y ago

clay_to_n9y ago

I think you read his statement backwards :) He's advocating social engineering whenever possible.

andreasklinger9y ago

op said the same

russelluresti9y ago

slow clap.

aaroninsf9y ago

[[ obligatory reference to Betteridge's law ]]

notatoad9y ago

But this is actually a violation of betteridge's law. He did win.

LeoPanthera9y ago

It's also not a headline, so it doesn't apply anyway.

kauegimenes9y ago

Another way to win this bounty would be to share some code with the string BackdoorPoCTwitter with the same color as the page background. If he copy and paste the code it could work. ^^

infogulch9y ago

kauegimenes9y ago

Yes, that`s true. But if its a big chunk of code it could work.

Also, if he validated the code before copy and paste, the string would be invisible.

Magnets9y ago

I don't really see how anyone can win this challenge (other than how already done). The guy will be super cautious of any pull requests.

3 more replies

dragontamer9y ago

I guess a webpage is a software project...

nilved9y ago

What definition of "software project" excludes Web sites?

toast09y ago

Static websites are documents (although this file happened to be PHP, it looked pretty static), is a book or a word doc a software project?

softawre9y ago

Yes. What else would it be?

I assume you only write leet codes in assembly?

Vaskivo9y ago

He has his page hosted in github: https://github.com/defuse/defuse.ca/blob/4770ad5c9d4851d4081...

oh_sigh9y ago

Well, it's a PHP file. I'd consider that a software project.

daxfohl9y ago

Enough to be worth the bounty payment. Apparently op decided to reopen the contest "for reals" though. I think fair.

msoad9y ago

Social Engineering is not accepted in most hacking contests.

LeoPanthera9y ago

This was not a hacking contest. The specific request was:

"I'll give $100 USD to anyone who can trick me into inserting the string "BackdoorPoCTwitter" into a release of any of my software projects."

Emphasis on the "trick me".

Bartweiss9y ago

As far as I could see, it was a request for social engineering (or some other oversight error). It's an interesting way to see how easily someone can make you into "the human element" in an attack.

TrevorJ9y ago

Interesting discussions to be had as to why this is the case. I suspect it would make it too easy.

jerf9y ago

Actually, it's not that interesting of a discussion. You just had it. Yes, it makes it too easy.

untog9y ago

I suspect it's just because there are too many variables. Social Engineering isn't exactly a replicable science.