Slashdot Mirror


2008 Underhanded C Contest Officially Open

Xcott Craver writes "The 2008 Underhanded C Contest has just opened. Every year, contestants are asked to write a simple, innocent, readable C program that appears to perform an innocent task — but implements some non-obvious evil behavior. This year's challenge: redact blocks from an image, but do it so that the excised pixels can somehow be retrieved. We also have listed the winners of last year's contest, which was to write a simple encryption utility that mysteriously and undetectably fails between 1 percent and 0.1 percent of the time. The winning entry is truly impressive." We discussed the first of these contests in 2005.

160 comments

  1. I submit by Anonymous Coward · · Score: 5, Funny

    The Microsoft Windows Operating System, pick your version.

    1. Re:I submit by Rhapsody+Scarlet · · Score: 5, Funny

      Um, hello? Simple? Readable? Seemingly innocent? Does any current version of Windows manage to fulfil even one of these criteria?

    2. Re:I submit by dotancohen · · Score: 4, Funny

      Um, hello? Simple? Readable? Seemingly innocent? Does any current version of Windows manage to fulfil even one of these criteria?

      Post the Windows source code and we'll tell ya.
      --
      It is dangerous to be right when the government is wrong.
    3. Re:I submit by Anonymous Coward · · Score: 4, Funny

      Post the Windows source code and we'll tell ya.
      A rare moment when a goatse.cx link would be appropriate.
    4. Re:I submit by setagllib · · Score: 4, Insightful

      Microsoft has already released a fair part of Windows' source as the "Research kernel". Surprisingly enough it's not bad, but it takes more than clean code to make a clean operating system.

      --
      Sam ty sig.
    5. Re:I submit by hairyfeet · · Score: 3, Interesting
      Have you actually looked at the Windows source code? When that chunk of the Win2K Pro source code hit the net I had to look(I still think it was the best Windows version ever made) and I was torn between being saddened and LMAO. It had tons of comments like "Don't know what this actually does but if removed Office prior to 2K will destroy every doc it touches so DON'T TOUCH" and "THIS IS A HACK which we haven't a clue what does but Windows crashes horribly if removed so LEAVE IT ALONE"


      I don't know whether it is because the code has gotten so massive,or it is because so many coders from the old days have quit,but you really get the feeling that the reason Windows gets hit with crap like the ancient WMF file hack is not because they WANT to keep those ancient pieces of junk in there,but because nobody knows exactly what it does and removing it causes Windows to fail like Win 3.1 with a buggy TSR. But that is my 02c,YMMV

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:I submit by Tubal-Cain · · Score: 5, Funny

      When that chunk of the Win2K Pro source code hit the net I had to look...

      And where do you live again?

      --The IP Police
    7. Re:I submit by Plaid+Phantom · · Score: 1

      Well not any more, you insensitive clod!

      --
      All comments are properties and trademarks of the voices in my head. Not like I'm gonna claim them.
    8. Re:I submit by Hal_Porter · · Score: 5, Informative

      Have you actually looked at the Windows source code? When that chunk of the Win2K Pro source code hit the net I had to look(I still think it was the best Windows version ever made) and I was torn between being saddened and LMAO. It had tons of comments like "Don't know what this actually does but if removed Office prior to 2K will destroy every doc it touches so DON'T TOUCH" and "THIS IS A HACK which we haven't a clue what does but Windows crashes horribly if removed so LEAVE IT ALONE"

      I've seen that code and what you wrote is FUD and bullshit

      http://www.kuro5hin.org/story/2004/2/15/71552/7795

      Despite the above, the quality of the code is generally excellent. Modules are small, and procedures generally fit on a single screen. The commenting is very detailed about intentions, but doesn't fall into "add one to i" redundancy.

      There is some variety in the commenting style. Sometimes blocks use a // at every line, sometimes the /* */ style. In some modules functions have a history, some do not. Some functions describe their variables in a comment block, some don't. Microsoft appears not to have fallen into the trap of enforcing over-rigid standards or universal use of over-complicated automatic tools. They seem to trust their developers to comment well, and they do.
      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    9. Re:I submit by Anonymous Coward · · Score: 1, Funny

      No way.

      There's more than one gaping hole in windows.....

    10. Re:I submit by jscott · · Score: 1

      .sig bug report:

      ld: i386 architecture of input file `a.o' is incompatible with i386:x86-64 output

      --
      signal, noise, to me it's all the same.
    11. Re:I submit by 0xygen · · Score: 1

      Yet somehow, I have not seen it leaked yet; in contrast to the Windows 2000 source code...

      Shame - I would actually like to have a look at the current MP scheduler.

    12. Re:I submit by JoshJ · · Score: 1

      The program is just an infinite loop that generates interrupts.

    13. Re:I submit by dysfunct · · Score: 1

      My assembler-fu is weak, but this rather looks like a fork bomb to me.

      --
      :/- spoon(_).
    14. Re:I submit by hairyfeet · · Score: 1, Interesting
      actually,thanks for making my point for me. I knew there was an article around that summed it up nicely but couldn't find it,so thanks! But if you read my post I NEVER said they were bad coders,quite the opposite. I said that I still believe Win2K pro was the best desktop OS that MSFT ever made,bar none. And anyone who has kept up with my history here on slashdot knows that I am typing this on a Win2K pro box that I've had for 8 years and never had a single BSOD.


      What that article sums up better than I can,but I'll try to anyway for the "never RTFL" crowd,is that they do clean code. But if you'll look at the comments nearly all the ugliness comes from backwards compatibility. If I had to guess I'd say there is just too much legacy crap that should have been VM'd left floating in the system folder. I do remember reading an article where Allchin himself spent two weeks cooking up a VERY ugly hack involving memory pointers just so that Sim City would run in Win95,because apparently it exploited a bug in the DOS memory subsystem.


      And while IMHO I agreed with the backwards compatibility above all mantra when they were converting the DOS users to Win9x to me it seemed the height of insanity to keep all the kludge in once we passed the 1.0Ghz mark when a VM could have run it without leaving a bunch of garbage behind. I mean honestly who cares if a program written for a 30Mhz 486 can't run at the full speed of your 2.0Ghz CPU? Personally I'd like a VM that I could control the speed of,then I wouldn't need DOSbox and MOSLO for ancient programs. I could go one about how Vista is proof that backwards compatibility plus new technologies ultimately don't mix,but hopefully anyone who wishes to know more will check out the link to the excellent article you found. Thanks again for that BTW. And as always this is my 02c,YMMV

      --
      ACs don't waste your time replying, your posts are never seen by me.
    15. Re:I submit by Tenebrarum · · Score: 2, Funny

      And where do you live again?

      --The IP Police


      127.0.0.1

    16. Re:I submit by Anonymous Coward · · Score: 0

      Hey! You can't go around and post your IP address like that! Somebody might hack you!

    17. Re:I submit by Hal_Porter · · Score: 1

      actually,thanks for making my point for me. I knew there was an article around that summed it up nicely but couldn't find it,so thanks! But if you read my post I NEVER said they were bad coders,quite the opposite. I said that I still believe Win2K pro was the best desktop OS that MSFT ever made,bar none. And anyone who has kept up with my history here on slashdot knows that I am typing this on a Win2K pro box that I've had for 8 years and never had a single BSOD.



      What that article sums up better than I can,but I'll try to anyway for the "never RTFL" crowd,is that they do clean code. But if you'll look at the comments nearly all the ugliness comes from backwards compatibility. If I had to guess I'd say there is just too much legacy crap that should have been VM'd left floating in the system folder. I do remember reading an article where Allchin himself spent two weeks cooking up a VERY ugly hack involving memory pointers just so that Sim City would run in Win95,because apparently it exploited a bug in the DOS memory subsystem.



      And while IMHO I agreed with the backwards compatibility above all mantra when they were converting the DOS users to Win9x to me it seemed the height of insanity to keep all the kludge in once we passed the 1.0Ghz mark when a VM could have run it without leaving a bunch of garbage behind. I mean honestly who cares if a program written for a 30Mhz 486 can't run at the full speed of your 2.0Ghz CPU? Personally I'd like a VM that I could control the speed of,then I wouldn't need DOSbox and MOSLO for ancient programs. I could go one about how Vista is proof that backwards compatibility plus new technologies ultimately don't mix,but hopefully anyone who wishes to know more will check out the link to the excellent article you found. Thanks again for that BTW. And as always this is my 02c,YMMV

      Virtual machines provide a bad user experience
      http://blogs.msdn.com/oldnewthing/archive/2005/10/05/477317.aspx

      For Windows 95, we actually tried this virtual machine idea. Another developer and I got Windows 3.1 running in a virtual machine within Windows 95. There was a Windows 3.1 desktop with Program Manager, and inside it were all your Windows 3.1 programs. (It wasn't a purely isolated virtual machine though. We punched holes in the virtual machine in order to solve the file sharing problem, taking advantage of the particular way Windows 3.1 interacted with its DPMI host.) Management was intrigued by this capability but ultimately decided against it because it was a simply dreadful user experience. The limitations were too severe, the integration far from seamless. Nobody would have enjoyed using it, and explaining how it works to a non-technical person would have been nearly impossible.
      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    18. Re:I submit by setagllib · · Score: 1

      What do you mean, leaked?

      http://www.microsoft.com/resources/sharedsource/licensing/researchkernel.mspx

      It's not exactly SourceForge but it'll get you the source.

      I don't know if that'll have the current MP scheduler though.

      --
      Sam ty sig.
    19. Re:I submit by hairyfeet · · Score: 1
      Umm....Dude,that's Win95. The recommended system requirements was something like a 486 or better with 16Mb of RAM. Folks seem to forget just how big a leap we've made from the days of Win95. Hell,the only working box I ever threw away was running Win95 on a 30Mhz with 16Mb of the old SIMM RAM. The thing was so old it didn't even have Ethernet or PCI slots so I couldn't even turn it into a CLI router.


      But today anything over 1Ghz could quite easily run Win95 in a VM,with little or no performance hit. In fact I did it once on this very 1.1Ghz Celeron to play FF7 which I couldn't get to play nice even on my old Win98 box. Worked like a charm. And I'm sure that any machine capable of running Vista or even made in the last 4 years would have no problem with a stripped down Win2K and Win9x VM. And that way MSFT could cut all the legacy cruft and safely isolate it from the core of the OS without destroying backwards compatibility. I mean if I can run VMWare player with DSL Linux or Win95 on a 1.1Ghz Celeron with 512Mb of RAM and still have it run at usable speeds,surely MSFT with access to the compiler and the Win9x and WinNT kernels could make an optimized version that would play nice on newer machines.


      Personally I think it'd be great to port to XP and Vista,but knowing MSFT it would be a Win7 only feature. But still if it let them do like Apple did with OSX and make a clean break from the past I'd be all for it. Unfortunately Ballmer seems determined to run the company into the ground(I never thought I'd see that day I'd say this: Bring back Bill and Fire Ballmer! Please!) so in all likelihood Win7 will be twice the DRM slowing the system down with a horrible subscription based model bolted on top. But that is my 02c,YMMV

      --
      ACs don't waste your time replying, your posts are never seen by me.
    20. Re:I submit by Hal_Porter · · Score: 1

      Dude, if you read the article I linked to you can see they didn't discard the VM idea because of performance concerns. It's a usability issue, running old applications on what would look like a Remote Desktop is much less convenient than running them on the same desktop as your new applications.

      Faster computers don't change that.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    21. Re:I submit by hairyfeet · · Score: 1
      Actually I did read the article. But we have come a long way since then. I can't remember at 3AM what the name of the Mac OSX program a friend was running (parallels maybe?) but it made the programs he was running look native even though they were Win programs. Considering that the programs Windows would be running were ALREADY written for Windows AND they have the source code, I don't see why they couldn't have it run the app to where it looked native, while having the VM hidden in the background.


      Considering how bloated Windows has become you could easily fit an entire Win98 SE and WinXP VM sandbox hidden in a subsystem folder to be called if app compat is called upon. That way instead of needing a bunch of hacks and old code lying around the system folder just to keep backwards compatibility they could run it on the native code and keep the old junk sandboxed. And this would have the side benefit of letting them start fresh without tons of old junk having to be kept in the Core of the OS. But as always that is my 02c,YMMV.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    22. Re:I submit by 0xygen · · Score: 1

      I had looked there when it was first announced, and disappointingly it will not get me the source.

      You have to be from a registered academic institution which has signed up for the program, and the downloader has to be a teaching representative of the institution.

      To quote the page:
      "Use of the Windows Research Kernel requires academic affiliation with an accredited institution of higher education and direct involvement in teaching and/or research, such as being academic faculty members, system or lab administrators or instructors, students enrolled in relevant undergraduate or graduate programs, or academic researchers working on faculty sponsored projects."

  2. invisible ink by jacquesm · · Score: 3, Funny

    This is actually a feature in 'word'...

    1. Re:invisible ink by jamesh · · Score: 4, Interesting

      I recently investigated a problem in MS Outlook where an option was set to never show the body of the email when viewing the email, it could only be viewed when forwarding. There were actually a bunch of tick box options to enable and disable this behavior. Reminds me of the Far Side comic with a passenger in an airplane reaching down to adjust his seat and accidentally about to toggle the 'wings stay on / wings fall off' switch.

  3. Encryption utility that fails... by darekana · · Score: 5, Funny

    encryption utility that mysteriously and undetectably fails...

    Debian OpenSSL?

    (sorry, couldn't resist, I know they've suffered enough already)
  4. Re:Hmm... by dreamchaser · · Score: 4, Informative

    No, the point is to make a utility that appears to innocently redact part of an image, when in fact the information is retrievable. It's meant to be a malicious utility that people would use without knowing that the 'hacker' could recover their full images.

  5. Re:Hmm... by Anonymous Coward · · Score: 5, Funny

    Something like Photoshop's Swirl filter.

  6. Re:Hmm... by Llywelyn · · Score: 3, Insightful

    Ever seen scans from a FOIA request? They redact certain information regarding sources and methods (and some would claim whatever they feel like at the time). *That* would be a "use" of this technology.

    "Enter the registration key" type schemes are more easily accomplished without it being underhanded in nature.

    --
    Integrate Keynote and LaTeX
  7. Hide the evil code? by Dwedit · · Score: 4, Interesting

    I'm sure it would be nearly impossible to hide the evil code here, because anything that isn't a simple assignment loop is suspicious.
    Maybe stick in stuff in the image loader, image temporary copy code, and keep the blackener to the obvious implementation, then stick stuff in the saver.

    I thought some crazy stuff involving function pointers as the function to call to return a black pixel might be promising. Maybe use some out of bounds array math to change one function pointer to point to some other code.

    1. Re:Hide the evil code? by Ethan+Allison · · Score: 4, Insightful

      That's what makes this so interesting.

    2. Re:Hide the evil code? by apathy+maybe · · Score: 5, Interesting

      Have a look at some of the previous contests. The original contest (2004 voting contest) has people exploiting stacks and various other sorts of nastiness.

      In 2006, http://www.brainhz.com/underhanded/results2006.html you get people exploiting the fact that 64 bit and 32 bit OS are different, or that some OSes are big endian and some little, and so on. There are all sorts of nasty tricks that are possible.

      One possible option for this contest is to hide information in the lower bounds of each pixel (stenography like), there isn't much space, but you could recover some information from the original. And a one bit difference in black isn't easy to spot...

      Of course, I can't code C, so I don't know what I'm talking about.

      --
      I wank in the shower.
    3. Re:Hide the evil code? by Irvan · · Score: 1

      "Maybe use some out of bounds array math to change one function pointer to point to some other code."

      I don't understand it. What about copyMemory

      --
      'sometime the moron called himself as idiot'
    4. Re:Hide the evil code? by amRadioHed · · Score: 4, Insightful

      One possible option for this contest is to hide information in the lower bounds of each pixel (stenography like)

      Sure that's easy without the source code, but how do you make setting black to something other than 0 look innocent in your source code? There's the rub.
      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
    5. Re:Hide the evil code? by Anonymous Coward · · Score: 4, Funny

      Of course, I can't code C, so I don't know what I'm talking about.
      You should have begun your post with this line. Then I'd know not to listen to you. :-)
    6. Re:Hide the evil code? by apathy+maybe · · Score: 2, Interesting

      Alternatively, it doesn't have to be black, it can be "random" colours or whatever (as pointed out by someone below).

      I can't just think how one could do it, and still pass inspection, however, I'm not trying to enter the contest, so ;).

      --
      I wank in the shower.
    7. Re:Hide the evil code? by Anonymous Coward · · Score: 0

      You're right, in an "obvious" implementation, with clearly separated modules that read, decode, redact, encode and write the image data, the "redact" part should be more or less obvious. But once you start dealing with more complex image formats, possibly with layers, or take shortcuts in the decoding part, so as to save some time when recompressing (by recycling some with the original data/dictionaries etc), there's lot of potential to hide data. I haven't read the contest description, but if image==PDF, then there's almost unlimited potential.

    8. Re:Hide the evil code? by AsmordeanX · · Score: 1

      You can set it to zero. That's fine but you would have to use stenography to place what was supposed to be in the black box inside the rest of the picture. Perhaps through a 'faulty' watermarking routine.

    9. Re:Hide the evil code? by linal · · Score: 2, Funny

      One possible option for this contest is to hide information in the lower bounds of each pixel (stenography like)

      Sure that's easy without the source code, but how do you make setting black to something other than 0 look innocent in your source code? There's the rub.

      Just lie really well in your comments?
    10. Re:Hide the evil code? by Anonymous Coward · · Score: 0

      Idea: "accidentally" zero the alpha, green and blue bits and leave the red.

    11. Re:Hide the evil code? by Anonymous Coward · · Score: 1, Interesting

      Maybe by fooling around with people's assumption of hex color bitrates. What if, for each pixel, you took the RGB value, split it into their component colors, and did a series of logical shift lefts to them. Only the last few bits don't get pushed off the edge. As far as I can tell, any color with all three values under 0x30 looks black to the naked eye. How you inconspicuously accomplish that is an exercise to the reader (read: I haven't the slightest clue).

    12. Re:Hide the evil code? by billcopc · · Score: 2, Interesting

      Init a "black buffer", and sneakily smash it with something else via a rogue pointer or array overrun.

      There are millions of ways to write nasty code in C, since C is just a thin veneer on top of assembler.

      --
      -Billco, Fnarg.com
    13. Re:Hide the evil code? by Heian-794 · · Score: 4, Funny

      "One possible option for this contest is to hide information in the lower bounds of each pixel (stenography like)"

      Pedantry, I admit, but it's steganography that hides the information in that way. Stenography would be copying the RGB values on a piece of lined yellow paper.

    14. Re:Hide the evil code? by noidentity · · Score: 1

      One possible option for this contest is to hide information in the lower bounds of each pixel (stenography like), there isn't much space, but you could recover some information from the original.

      Why would shorthand writing help?

    15. Re:Hide the evil code? by Ifni · · Score: 4, Interesting

      Actually, this one is likely simple (haven't read the detailed requirements, so I may be off base), but instead of redacting with a solid black block, redact with a "random" pattern, perhaps using MD5 to generate the pattern from the original. MD5 is reversible (though maybe not for all values), though the computing requirements to do so might be a little more than the project demands. In that case, some other innocent looking but slightly flawed algorithm to obfuscate the image portion (I think someone mentioned the Photoshop Swirl filter) could be used. A casual observer would look at the code and go "oh, what a neat effect, and it is indeed unreadable", without investigating the reversibility of the process.

      --

      Oh, was that my outside voice?

    16. Re:Hide the evil code? by Ifni · · Score: 2, Interesting

      Replying to myself so both posts can be ignored together...

      Another option is to have an option in the program that allows the user to choose to have the redacted part recoverable (optionally with a password), but the check for that option is subtly bugged such that the option is ALWAYS enabled, and the default password is known or determinable. Then all the complex code for hiding a recoverable image looks innocent, and the only hard part is making it non obvious that the check to use that feature always returns true.

      --

      Oh, was that my outside voice?

    17. Re:Hide the evil code? by OldManAndTheC++ · · Score: 3, Funny

      And then of course there is Steganosaurus, the carnivorous dinosaur that employed stealth. It could hide in plain sight by making itself look like a large fern or shrub, and then leap onto its unsuspecting prey, snapping its victim's neck in one bite of its massive jaws.

      "Scientists" tell us that the dinosaurs died out millions of years ago, but I think that Steganosaurus could still be with us today, having adapted to our modern world by mimicking small cars, or photo kiosks, or landscaping equipment. And that is why I tell my wife that I refuse to touch the lawnmower until she can prove that it isn't really a steganosaur.

      --
      Soylent Green is peoplicious!
    18. Re:Hide the evil code? by SilentBob0727 · · Score: 1

      The trouble is, once you trick C into overflowing into the black buffer, how do you inconspicuously ensure that the data that goes into it still "looks" black?

      I was able to successfully keep the color data by converting each RGB triplet to 16 bits of color, then distributing them across the image in the bottom two bits of each pixel. It's pretty much impossible to tell visually that there's any extra pixel data stored in the redacted image, and the restored image looks almost identical to the original.

      When it comes to figuring out how to hide the rogue code that does the information hiding, however, I am at a loss.

      --
      Life would be easier if I had the source code.
    19. Re:Hide the evil code? by nacturation · · Score: 1

      I think a good way would be to overlay the image with one of those red bordered "CENSORED" stamps. Assuming you allow for the rotation and scaling of the overlay, someone of sufficient skill and patience would be able to code in the transformations on the "CENSORED" stamp in such a way as to encode the original image within it.

      Now normally you'd only need to write to the image, but reading the original pixels could be done under the guise of antialiasing the edges, for example. With a seemingly innocuous bug introduced into this, one might be able to encode the original image at 1/4 of the resolution and hide it in the red border surrounding the word.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    20. Re:Hide the evil code? by cibyr · · Score: 1

      C is just a thin veneer on top of assembler.

      Thin, and deliciously crispy! (I love C, really, I do - but as a tutor I see students write these sorts of things accidentally all the time, which really adds to the "plausible deniability" aspect of the comp).
      --
      It's not exactly rocket surgery.
    21. Re:Hide the evil code? by Argilo · · Score: 2, Informative

      MD5 is reversible only if you know in advance that the input value was chosen from a relatively small set of possibilities. The recent attacks on MD5 do not reverse it; they just find "collisions", i.e. pairs of inputs that hash to one and the same value.

    22. Re:Hide the evil code? by DJStealth · · Score: 2, Interesting

      The real question is, if you do win the contest is this something you'd want to put on your resume? Would someone hire somebody who is capable and who has actually done something like this?

    23. Re:Hide the evil code? by Anonymous Coward · · Score: 0

      I guess using "if(recoverFlag = 1)" might be too obvious?

    24. Re:Hide the evil code? by kevingolding2001 · · Score: 4, Funny

      Diebold

    25. Re:Hide the evil code? by colourmyeyes · · Score: 1

      ...lower bounds of each pixel (stenography like),

      I doubt writing very quickly (stenography) is going to help the coders. Steganography is much more likely to be useful.
      --
      My grandmother used anecdotal evidence all the time, and she lived to be 120 years old.
    26. Re:Hide the evil code? by Ken_g6 · · Score: 1

      I'm sure it would be nearly impossible to hide the evil code here, because anything that isn't a simple assignment loop is suspicious.
      Maybe stick in stuff in the image loader, image temporary copy code, and keep the blackener to the obvious implementation, then stick stuff in the saver.

      One thing I thought of was that you could edit the image in-place to prevent copies leaking data on whatever disk you're using. Furthermore, you could write the negative of the section you're blackening before blackening or randomizing it, ostensibly to make data recovery harder. That gives you an excuse to do slightly more complicated stuff - but I'm not sure how to use it. Anyone who thinks up a good excuse for bit shifts will probably win this thing.

      Actually, if they were using PPM-P3, in-place blackening would do it: 123->000; 23->00; 3->0! But they're using P6 instead, which leaves no room for extra space that way.
      --
      (T>t && O(n)--) == sqrt(666)
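
Added example, not part of the thread and not a contest entry: a check for the plain-text PPM (P3) leak sketched in the comment above, where a sample overwritten in place as "000", "00" or "0" still shows how many digits the original value had. The function names and the sample image are constructed for illustration; the comment itself notes that the contest used P6, where this leak does not arise.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a 2x2 P3 image whose middle rows were "blackened"
   in place, leaving zeros as wide as the values they replaced. */
static const char SAMPLE_P3[] =
    "P3\n# constructed sample\n2 2\n255\n"
    "255 128 7\n000 00 0\n000 000 00\n12 0 255\n";

/* Skip whitespace and '#' comments; return the next token or the NUL. */
static const char *skip_ws(const char *p) {
    for (;;) {
        while (isspace((unsigned char)*p)) p++;
        if (*p != '#') return p;
        while (*p && *p != '\n') p++;
    }
}

/* Count sample tokens written with redundant leading zeros ("000", "00").
   The three header numbers (width, height, maxval) are not counted.
   Returns -1 if the input is not P3 or holds a non-numeric token. */
int count_padded_samples(const char *ppm) {
    const char *p = skip_ws(ppm);
    if (strncmp(p, "P3", 2) != 0 || !isspace((unsigned char)p[2]))
        return -1;
    p += 2;
    int padded = 0;
    for (int tok = 0; ; tok++) {
        p = skip_ws(p);
        if (!*p) break;
        const char *start = p;
        while (isdigit((unsigned char)*p)) p++;
        size_t len = (size_t)(p - start);
        if (len == 0 || (*p && !isspace((unsigned char)*p) && *p != '#'))
            return -1;
        if (tok >= 3 && len > 1 && start[0] == '0')
            padded++;                 /* digit width carries extra data */
    }
    return padded;
}

/* Mitigation: re-serialise every number in minimal decimal form, one per
   line, so digit width no longer depends on what was there before.
   Returns bytes written (excluding the NUL) or -1 on error. */
int normalize_p3(const char *ppm, char *out, size_t cap) {
    if (count_padded_samples(ppm) < 0) return -1;
    const char *p = skip_ws(ppm) + 2;   /* validated above: starts "P3" */
    int w = snprintf(out, cap, "P3\n");
    if (w < 0 || (size_t)w >= cap) return -1;
    size_t n = (size_t)w;
    for (;;) {
        p = skip_ws(p);
        if (!*p) break;
        char *end;
        unsigned long v = strtoul(p, &end, 10);  /* base 10: "010" is ten */
        w = snprintf(out + n, cap - n, "%lu\n", v);
        if (w < 0 || (size_t)w >= cap - n) return -1;
        n += (size_t)w;
        p = end;
    }
    return (int)n;
}

int main(void) {
    char out[256];
    printf("padded samples before: %d\n", count_padded_samples(SAMPLE_P3));
    if (normalize_p3(SAMPLE_P3, out, sizeof out) > 0)
        printf("padded samples after:  %d\n", count_padded_samples(out));
    return 0;
}
```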
  8. Re:Hmm... by Gnavpot · · Score: 4, Insightful

    No, the point is to make a utility that appears to innocently redact part of an image

    More precisely:
    The point is to make a utility that - when viewing the source code - appears to innocently...

    It is no challenge to make a closed source utility which does something evil even though it appears to do something innocent. Most viruses do that.

    The challenge is to hide the evil behaviour in simple and open source code.
  9. Compression would be nice by 32771 · · Score: 5, Interesting

    Wouldn't it be nice if the original under the blacked out area could be compressed and then put somewhere else in the image.

    It would be much easier if one could just use an algorithm which just displaces the pixels and then forget to randomize the displacement. This could look much more innocent than the above.

    That black area has so little expected channel capacity that hiding anything in it is kinda difficult.

    Unfortunately the code for the blacking out can be made so small that it is tough to hide anything in it, unless ppm offers some ways to add complexity in some innocent way.

    I wonder what means of deciphering the hidden area are allowed, i.e. can I write another program to get the kitty face information back?

    That is a really cute picture. I wonder what it is thinking.

    --
    Je me souviens.
    1. Re:Compression would be nice by 32771 · · Score: 3, Informative

      Just found the following in their faq:

      "For the 2008 contest: what does “blocked out” mean?

      It means those pixels are apparently replaced with non-image. It can mean overlaying a black rectangle, or any colored rectangle, or a pattern, or random noise. As long as it appears to remove those image pixels, that’s fine."

      Very good!

      --
      Je me souviens.
    2. Re:Compression would be nice by Bananenrepublik · · Score: 1

      Nothing in the contest description says that the remainder of the image must remain untouched, so you could e.g. distribute the contents of the blocked out region steganographically. Also, what the previous poster said: blocked out doesn't necessarily mean blacked out.
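
Added example, not part of the thread and not a contest entry: a reviewer-side check for the two hiding places raised here and earlier in the thread, data spread into pixels outside the block and near-black values left inside it. It compares decoded RGB buffers (as a P6 payload would hold) and requires a single fill colour, which is stricter than the contest FAQ; all names and the 8x8 sample are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define W 8
#define H 8
#define NBYTES (W * H * 3)

struct rect { int x, y, w, h; };

enum audit {
    AUDIT_OK,
    AUDIT_BAD_RECT,
    AUDIT_REGION_NOT_UNIFORM,  /* block still carries varying data */
    AUDIT_OUTSIDE_MODIFIED     /* pixels outside the block were changed */
};

static int inside(struct rect r, int x, int y) {
    return x >= r.x && x < r.x + r.w && y >= r.y && y < r.y + r.h;
}

/* Compare a redacted RGB buffer with the original, byte for byte.
   Inside the block every pixel must equal the block's first pixel;
   outside it nothing may differ, not even a low-order bit. */
enum audit audit_redaction(const uint8_t *orig, const uint8_t *red,
                           int w, int h, struct rect r)
{
    if (w <= 0 || h <= 0 || r.w <= 0 || r.h <= 0 || r.x < 0 || r.y < 0 ||
        r.x > w - r.w || r.y > h - r.h)
        return AUDIT_BAD_RECT;

    const uint8_t *fill = red + 3 * ((size_t)r.y * w + r.x);
    for (int y = 0; y < h; y++) {
        for (int x = 0; x < w; x++) {
            size_t off = 3 * ((size_t)y * w + x);
            if (inside(r, x, y)) {
                if (memcmp(red + off, fill, 3) != 0)
                    return AUDIT_REGION_NOT_UNIFORM;
            } else if (memcmp(red + off, orig + off, 3) != 0) {
                return AUDIT_OUTSIDE_MODIFIED;
            }
        }
    }
    return AUDIT_OK;
}

/* Constructed sample: a byte ramp standing in for a decoded image. */
void make_sample(uint8_t *img) {
    for (int i = 0; i < NBYTES; i++)
        img[i] = (uint8_t)(i * 7 + 13);
}

/* Honest redaction: pure black inside the block, nothing else touched. */
void redact_honest(uint8_t *img, struct rect r) {
    for (int y = r.y; y < r.y + r.h; y++)
        memset(img + 3 * (y * W + r.x), 0, 3 * (size_t)r.w);
}

enum variant { HONEST, LOW_BIT_OUTSIDE, NEAR_BLACK_INSIDE };

/* Build one constructed output and audit it. The two tampered variants
   differ from the honest one by a single bit, invisible on screen. */
enum audit audit_sample(enum variant v) {
    uint8_t orig[NBYTES], red[NBYTES];
    struct rect r = { 2, 2, 4, 3 };
    make_sample(orig);
    memcpy(red, orig, NBYTES);
    redact_honest(red, r);
    if (v == LOW_BIT_OUTSIDE)
        red[3 * (6 * W + 1)] ^= 0x01;      /* pixel (1,6), outside block */
    if (v == NEAR_BLACK_INSIDE)
        red[3 * (3 * W + 4) + 2] = 0x01;   /* pixel (4,3), inside block */
    return audit_redaction(orig, red, W, H, r);
}

int main(void) {
    printf("honest: %d  low-bit outside: %d  near-black inside: %d\n",
           audit_sample(HONEST), audit_sample(LOW_BIT_OUTSIDE),
           audit_sample(NEAR_BLACK_INSIDE));
    return 0;
}
```

The check works on decoded pixels only; anything a tool leaves in the file container around them needs a separate look.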

    3. Re:Compression would be nice by Anonymous Coward · · Score: 0

      ok, so what if the whole image is blocked, dumbass?

    4. Re:Compression would be nice by Anonymous Coward · · Score: 0

      If you promote the PPM image to 16-bits/channel, then there is plenty of channel capacity in the low byte.

    5. Re:Compression would be nice by Yetihehe · · Score: 1

      It's so obvious after OpenSSL problems. You make random data, but "forget" to seed the generator. Or seed it with some value which should be time, but is in fact a known value.

      --
      Extreme Programming - Redundant Array of Inexpensive Developers
    6. Re:Compression would be nice by RKThoadan · · Score: 2, Insightful

      The real challenge isn't how to do it, but how to do it so that someone who is reading your code doesn't realize the data is still available. That's the really tricky part.

    7. Re:Compression would be nice by TapeCutter · · Score: 1

      It really depends on the judges' idea of obvious. You could write a very simple program to XOR each pixel in the rectangle with a randomly defined constant so the data and display would look scrambled. However it's fairly well known that XOR'ing pixels a second time with the same value will unscramble it.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    8. Re:Compression would be nice by The+Troll+Catcher · · Score: 2, Interesting

      something like this, perhaps:

      int _time = time(0);
      srand(time);
      int randomValue = rand();

      For those who aren't c programmers, what this actually does is seed the random number generator with the *function address* of the time() function. Which is just about guaranteed to be constant across all runs of the program (at least on the same machine).

    9. Re:Compression would be nice by Anonymous Coward · · Score: 0

      That makes it very easy, you just have to use a duped PRNG so that it always gets seeded a constant value. I would be more interested if people tried to go for the real deal and actually black the image out. You could store the bits on the black rectangle, but that isn't really safe because a paranoid will use a fill tool in the black rectangle to make sure. I recommend hiding the data in actual image pixels.

    10. Re:Compression would be nice by irc.goatse.cx+troll · · Score: 4, Interesting

      Seems like you don't even have to go that far, all you have to do is compress the image to jpeg first keeping/embedding a JFIF thumbnail (leave this as uncommented black magic, preferably outsourced to another lib), then do all your work to the actual image without updating the thumbnail.

      Photoshop used to do this under certain conditions, like when Cat Schwartz from TechTV took topless pictures of herself and cropped them to just extreme closeups of her eyes for her blog, only to have someone save it and see the (uncropped) thumbnails.

      They made her do a story on it shortly thereafter. Cruel.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    11. Re:Compression would be nice by Icarus1919 · · Score: 1

      Ha! I remember those photos. Do you know where I can find a clip of her doing the story on it? It sounds hilarious. I checked youtube, but couldn't seem to find it.

    12. Re:Compression would be nice by CableModemSniper · · Score: 1

      I've seen almost this exact mistake IRL. (it was more like srand(time); IOW, they forgot they needed to actually _call_ the function).

      --
      Why not fork?
    13. Re:Compression would be nice by irc.goatse.cx+troll · · Score: 1

      All of my searching turned up nothing, I know it was a call for help episode for whatever that's worth.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    14. Re:Compression would be nice by Icarus1919 · · Score: 1

      Ah, well, thanks for trying.

  10. Last years winner really deserves some praise by imsabbel · · Score: 4, Interesting

    because the way it dumps the key into the output is hidden in such an underhanded, innocent way...

    --
    HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
    1. Re:Last years winner really deserves some praise by lbft · · Score: 2, Interesting

      You mean the way it dumps the key amongst other junk in the output file one in every 256 times it's run with debugging off?

      When was the last time you checked the output of an encryption program to make sure it was truly random? What about your boss? The CEO's secretary? The accountant? Someone in a government office dealing with your personal information?

  11. Even better by Moraelin · · Score: 5, Interesting

    Reminds me of a "compression program" back in the early 90's. Seemed to compress better than Zip or RAR and was pretty fast too. You could also test it by compressing and uncompressing a few files, and you got your original back.

    Turns out it just copied the contents to a temporary file and "uncompressing" got them back from there, while the "archive" was just random junk. Better yet, the temporary file was just a circular buffer, so when it filled, old data got discarded.

    --
    A polar bear is a cartesian bear after a coordinate transform.
    1. Re:Even better by Anonymous Coward · · Score: 0

      There was an audio "compression" that did the same thing, except each compressed file got its own temporary file, so none of the, er, problems that one had. I think it was called Mafuka, or something like that.

    2. Re:Even better by negRo_slim · · Score: 1

      I love a good compression scam....

      --
      On the Oregon Cost born and raised, On the beach is where I spent most of my days
  12. Re:Hmm... by 32771 · · Score: 5, Interesting

    Now we can speculate what the authors' intentions behind the contest are.

    I think their FAQ addresses most points pretty well:

    http://underhanded.xcott.com/?page_id=7

    I hope it sensitizes open source programmers to take great care with people's submissions to their projects. Only good can come from that.

    --
    Je me souviens.
  13. PNG by Saberwind · · Score: 0, Redundant

    The PNG specification allows for private (nonstandard) data chunks that can be flagged to be preserved by any program that doesn't understand them. That would seem to be the most straightforward way to hide redacted pixels in a recoverable way, at least if the input file is PNG.

    1. Re:PNG by djcapelis · · Score: 0

      Which it isn't.

      --
      I touch computers in naughty places
    2. Re:PNG by flnca · · Score: 4, Informative
      Yes, it can be: From TFA:

      Note that if you use our PPM code, or any bog-standard image library , that code isn't counted in the number of lines.
    3. Re:PNG by msparshatt · · Score: 2, Informative
      The main page says

      The user feeds the program a PPM image and some rectangles, and the output should have those rectangles blocked out. So it seems the input file has to be in PPM format, though you can use any image library to access the file.
    4. Re:PNG by djcapelis · · Score: 1

      I'm honestly stunned to see this response. Are you really unable to tell the difference between an image format and an image library?

      Did you even bother to think before posting?

      --
      I touch computers in naughty places
    5. Re:PNG by flnca · · Score: 1

      I've read TFA, but apparently skipped the section which said "The user feeds the program a PPM image". But that's no reason for you to act like you haven't completed kindergarten yet.

    6. Re:PNG by djcapelis · · Score: 1

      Yes, clearly skipping the only relevant section of the original article and feeling no reservations in contradicting someone with the correct answer is an excellent excuse for spouting nonsense.

      Am I not being terribly nice and warm? Absolutely.

      Was I intoxicated a bit when I wrote my prior post? Probably.

      Did you just make a post with incorrect information get moderated informative? Yes.

      Should you expect people to tell you off when you make posts with blatantly incorrect information that end up being more visible than the posts that correct them? Yes.

      Your post was junk, I called you on it, don't complain about the manner in which I did so.

      I don't post terribly often. The fact that I bothered to post a short brief message to set something straight quickly for the folks reading the comments who might be interested in this problem and ended up causing your post which was simply completely wrong is highly annoying. I wish you had only thought before you posted and then maybe people would be misled.

      It's because of posters like you that we can't have a good conversation here on slashdot. Please strive to ensure your posts are more factual in the future.

      --
      I touch computers in naughty places
    7. Re:PNG by flnca · · Score: 1

      Well, my post was corrected by msparshatt already, yours came almost 21 hours later. I certainly did not willfully post incorrect information. At the time I wrote it, I was 100% convinced I was right, otherwise I would not have posted it. Perhaps you should abstain from posting when you're drunk. And stop insulting people, it's not a sign of good manners (not that I had any). ;-)

    8. Re:PNG by djcapelis · · Score: 1

      Oh no, did I hurt your feelings?

      I'll stop posting accurate information drunk if you stop posting inaccurate information sober. :)

      --
      I touch computers in naughty places
    9. Re:PNG by flnca · · Score: 1

      Well, let's see if that's possible! And no, you certainly didn't hurt my feelings. The tumbleweeds are already running through that story, more or less, I doubt we'll get any more audience tomorrow for proper mud-slinging! ;-)

    10. Re:PNG by djcapelis · · Score: 1

      I've never needed an audience to be an ass. :)

      Apologies.

      --
      I touch computers in naughty places
    11. Re:PNG by flnca · · Score: 1

      p.s.: That's one of the curious things about ./, that only a few hours after a story is on the front page, the flow of responses already dies down. You can almost predict when a story will not be read anymore. It's very strange. I don't make an effort to post very often, so you don't have to fear too many inaccuracies! ;-) BTW, since you have been a member much longer than I am (from your user number), what's the demography of ./ users? Are they mostly college students?

    12. Re:PNG by flnca · · Score: 1

      Taken! :-)

    13. Re:PNG by djcapelis · · Score: 1

      Not at all. Though certainly students comprise a portion of the readership I think most of it is usually technical people reading during downtime at work. (For, as the stereotype goes, various definitions of downtime.)

      Now which portion of the slashdot users actually post these days is a more difficult question to answer... I honestly have no idea. Awhile ago some folks looked at the oldest user's posting history and noticed that most old accounts don't post very much.

      Would be interesting to actually try and figure out the demographics of the posters these days.

      --
      I touch computers in naughty places
    14. Re:PNG by flnca · · Score: 1

      Yeah, and thank you! :-)

    15. Re:PNG by flnca · · Score: 1

      BTW, and thanks for Blender!! I've just seen that you're the Linux platform manager for Blender. It's a really great program, I'm trying to learn it every once in a while! :-)

    16. Re:PNG by djcapelis · · Score: 1

      Just recently passed that torch onto someone else. But you're welcome. It was a project I always enjoyed contributing to.

      As for learning it... the annoyingly titled wikibook here is supposed to be a fairly good reference: http://en.wikibooks.org/wiki/Blender_3D:_Noob_to_Pro

      --
      I touch computers in naughty places
    17. Re:PNG by flnca · · Score: 1

      Thank you! :-)

  14. Re:Hmm... by Anonymous Coward · · Score: 3, Funny

    You mean like the FBI in PDF's?

  15. And the winner receives... by heretic108 · · Score: 1

    ...a job, giving them full expression for their nefarious skills, at a well known software company in a north-western US state, where they can join a massive team of (unconsciously) underhanded coders.

    --
    -- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
    1. Re:And the winner receives... by Anonymous Coward · · Score: 0

      Or they'll get a secret job offer from the NSA as a "community" contributor to SELinux.

    2. Re:And the winner receives... by cleatsupkeep · · Score: 1

      Amazon? :-).

  16. Redundant? by Spasemunki · · Score: 0, Flamebait

    Nearly every piece of C code that I've ever seen has contained some hidden malicious (or at least willfully stupid) behavior.

    1. Re:Redundant? by maxume · · Score: 1

      Read the entries. If you don't spot the malice, then it probably isn't redundant.

      --
      Nerd rage is the funniest rage.
  17. WIC by Saiyine · · Score: 5, Funny

    Wavelet Intelligent Compressor. And it was intelligent, indeed. It had a compression scheme so good it could compress its own .wic files down from megs to bytes. But what do you mean with "random junk", do you mean my .wic based backups could be in trouble????

    --
    Hosting 20G hd, 1Tb bw! ssh $7.95
  18. C is easy - what about Java or Python? by tucuxi · · Score: 3, Interesting

    Arrays, pointers and functions, no memory protection, dangerous strings. I would like to see the same contest with other 'safer' languages, say Java or Python.

    What languages are best suited to underhanded tactics, that is, seemingly innocent but evil? Notice that underhandedness is very different from plain old abuse -- anybody can write unreadable programs in their favorite language. But, can you make them "clearly read" something different from what is actually written?

    Seems like an important question for people who use Open Source because of the difficulty for adding back doors. For many applications, security is at least as important as speed, and you already have The Shootout for that.

    1. Re:C is easy - what about Java or Python? by hairyfeet · · Score: 1

      That's easy...VB6. Put enough GOTOs in there (with plenty of subs and classes for flavor) and nobody will be able to figure out WTH it is doing so as long as the program does what they think it is "supposed" to do and doesn't crash they won't check. But that is my 02c,YMMV

      --
      ACs don't waste your time replying, your posts are never seen by me.
    2. Re:C is easy - what about Java or Python? by tucuxi · · Score: 1

      But the idea is to be evil while looking innocent. Hard to read != innocent. None of the prize submissions uses easy to find complexity such as weird preprocessor stuff or spaghetti code. They all try to look as professional and straightforward as possible.

      For instance, assembly code is right out - writing innocent-looking assembler is way too hard, and people will always suspect it.

    3. Re:C is easy - what about Java or Python? by Strilanc · · Score: 1

      It has to not look suspicious. Spaghetti code _always_ looks suspicious.

    4. Re:C is easy - what about Java or Python? by hairyfeet · · Score: 1
      Well I was answering which language would be the easiest,not which language makes the prettiest code. And if the judges had ever worked on a huge VB project(you know the type,where instead of making a GUI for a database they try to shoehorn VB into making this gigantic multi-level multifunction application) then I doubt they would see anything wrong with it. I have seen some monstrous VB apps in my time and after looking at the code trying to fix it I honestly couldn't have told you if the app in question was copying password and CC numbers and emailing them to the creator or not.


      IMHO VB6 was the best at what it was designed for,to make a GUI to a database or to whip off a little single function app very quickly. Where VB6 got its bad rep was from inexperienced coders trying to shoehorn VB into a gigantic app for which it just wasn't designed. But that is my 02c,YMMV

      --
      ACs don't waste your time replying, your posts are never seen by me.
    5. Re:C is easy - what about Java or Python? by Drgnkght · · Score: 1

      Good point. Though it might be interesting to use a small, seemingly important, bit of innocent assembly code to distract from something else. As you say, everyone will look at the assembly code first. Then they'll wonder what it really does once they work out what it is supposed to do.

  19. Where are past year's results? by widman · · Score: 1

    We also have listed the winners of last year's contest, which was to write a simple encryption utility that mysteriously and undetectably fails between 1 percent and 0.1 percent of the time. The winning entry is truly impressive.
    I can only see an external link to previous contests and that one lists 2006's. Link please? Thanks :)
    1. Re:Where are past year's results? by niceone · · Score: 2, Insightful
  20. goatse's time to... ummm... shine by jamesh · · Score: 3, Funny

    So it could be sufficient to replace the image with something that the inspector doesn't _want_ to look at. Sort of like a "somebody else's problem" solution. Your code would pass inspection because it would appear to have overlaid the original part of the image with the hardcoded image stored in code (the unsightly image), but there would be a bug which only copies every second pixel or something. Anyone looking at the redacted image wouldn't notice that the original data is still visible simply because they would have to look at the unsightly image too closely. They'd just rubber stamp the solution and say it passed, and then go and lie down for a bit.

    Alternatively, you could go the opposite way instead and use an image which would distract the attention of the inspector enough that they wouldn't notice. Something with breasts would probably do it.

    Can I have my $100 gift certificate now?

  21. Re:Hmm... by Anonymous Coward · · Score: 0

    Easy, just write it in whitespace, and present the source in paperback format.

  22. This is scary by LaughingCoder · · Score: 3, Insightful

    OK, it is generally believed that OSS is inherently secure because so many eyeballs can examine and vet it. But as this contest shows, it is possible to include backdoor behavior "in the source for everyone to see" without it being discovered. Oh, and note to self, don't download any open source image editing software in the future ...

    --
    The more you regulate a company, the worse its products become.
    1. Re:This is scary by jalet · · Score: 1

      > Oh, and note to self, don't download any open source image editing software in the future ...

      You're right : you'll be much safer with closed source ones.

      --
      Votez ecolo : Chiez dans l'urne !
    2. Re:This is scary by Anonymous Coward · · Score: 1, Funny
      I wrote an incredibly mean spirited and scathing reply to your painfully obvious, self-interested, wannabe shill-spouted nonsense... but following your logic... it will clearly have more impact if I don't let you see it.


      8787h346d j89874s k7097 598d7j4s87d89h749 d8s k70llk34098 5 fh6ds89k39d87


      TAKE THAT!


      (posting anon because it will just hurt that much more!)

    3. Re:This is scary by Paradigm_Complex · · Score: 1

      No one (competent) claims that the fact the source is open alone makes it 100% guaranteed to be secure. Debian's done a wonderful job of reminding everyone of this not too long ago. However it does increase the chance that any problems - purposeful or otherwise - are caught sooner than if no source code was available to anyone but the original coders. Debian's done a wonderful job of reminding everyone of this, too. Open source software is more likely to be secure with more eyes looking at the code, but nothing is guaranteed. Even so, security's not the only advantage of open source. For example, I don't have to wait for the original developers to fix a bug - if it's worth the time and/or money I could go ahead and do it myself or pay someone else to do it.

      --
      "A witty saying proves nothing." - Voltaire
    4. Re:This is scary by Haeleth · · Score: 4, Insightful

      OK, it is generally believed that OSS is inherently secure
      No, that's a popular strawman argument used by opponents of OSS. There have been enough vulnerabilities found in OSS that it is trivially obvious that any such claim is false, and no serious OSS proponent would dream of saying any such thing.
    5. Re:This is scary by JustinOpinion · · Score: 1

      as this contest shows, it is possible to include backdoor behavior "in the source for everyone to see" without it being discovered.
      That's one way to look at it.

      Another way to look at it is that this is a (somewhat whimsical) way to test the limits of hiding malicious code in open-source code. This contest, in a sense, is part of the transparency and security of the open-source method. Everyone knows that you can quite easily hide malicious code in a closed-sourced project. But this contest gives the open-source community a chance to see the limits of open-source.

      The participants in the contest (including entrants, judges, and interested observers) will all learn valuable lessons about code security, and will have a better idea of how to spot malicious code in plain sight, and how to structure programs to avoid malicious or erroneous code contributions.

      So, far from showing that the OSS method can't help in avoiding backdoors, I view this as part of the process of avoiding backdoors.

      Oh, and note to self, don't download any open source image editing software in the future ...
      And you really better not install any closed-source image editing software, since finding malicious code in that case is a thousand times harder.
    6. Re:This is scary by magus_melchior · · Score: 1

      Back to the typewriter with you, then (only security threat there is data leaks). Your argument holds just as well, if not better, with closed-source software.

      --
      "We are Microsoft. You shall be assimilated. Competition is futile."
    7. Re:This is scary by Eternauta3k · · Score: 1

      Are we creating the anti-strawman?
      -It's generally believed that OSS is inherently secure, however we've found that...
      -No! Strawman! OSS is an insecure piece of crap!
      -Liar! OSS rocks! It has no flaws at all!

      (thus we make the other guy defend our POV)

      --
      Yeah. Would you choose a neurosurgeon who pokes around people's brains in his spare time? I wouldn't.
    8. Re:This is scary by LaughingCoder · · Score: 1

      And you really better not install any closed-source image editing software, since finding malicious code in that case is a thousand times harder.
      As this contest proves, and as anyone who has debugged code where you have the source AND a debugger and you still have difficulty finding the misbehaving code knows, the probability that code has unexpected or, worse, undesired behavior is very high, whether open or closed source. On this, I think, we can agree.

      Everyone knows that you can quite easily hide malicious code in a closed-sourced project.
      Ah, but consider the *likelihood* that a company like Adobe, or Apple, or Microsoft or other closed source vendors would distribute, knowingly, malicious code (cue MS jokes here). Note, I am not discussing security gaps, I am referring to deliberately inserting malicious backdoors such as this contest solicits. In my view, closed source companies all have a lot to lose if their transgressions are discovered. They will most likely be sued into chapter 11, or worse. Conversely, consider a rogue OSS developer. They have nothing to lose (or at least, much less), and we all know one can fairly easily hide malicious behavior (as this contest and the existence of bugs in reviewed/tested code proves). So from a rational viewpoint, I would take my chances with closed source from a reputable vendor with a lot to lose and frankly, very little to gain if they are caught, versus open source from unknown developers with very little to lose, and potentially much to gain.
      --
      The more you regulate a company, the worse its products become.
  23. or maybe... by Cyko_01 · · Score: 1

    firefox 2?

  24. It's been done for years .. . by Stavr0 · · Score: 4, Insightful

    courtesy of crazy Japanese censorship laws. Google for gmask or see examples at Lecture on masking (Yes, it's SFW)

  25. Swirl, anyone ? by Ihlosi · · Score: 1

    Some people have had some rather disappointing experiences with that one.

  26. Bug? by Anders · · Score: 4, Interesting

    There seems to be an error in the supplied ppm.c library file:

    p.rgb[i] = z.pixel[y][(x+i)*3*z.bpp];

    This only ever gets the R component, as all offsets are multiples of 3. I think the right code is:

    p.rgb[i] = z.pixel[y][(x*3+i)*z.bpp];

    Maybe this is part of the assignment :-).

    1. Re:Bug? by Xcott+Craver · · Score: 4, Informative

      This was indeed a bug; we fixed it after several people pointed out the mistake.

      Interestingly, this demonstrates the effectiveness of "many eyes" in an open source project, even if the contest demonstrates the limitations of informal source inspection.

  27. Easy by StormReaver · · Score: 3, Funny

    Seemingly innocent code...that mysteriously and undetectably fails up to 1% of the time. What's the big deal? This sounds like any given day at work for me.

  28. Past contests seem too easy by ohtani · · Score: 2, Interesting

    Taking a look at the 2006 entry reminds me of a program I used to have to work on:

    Essentially it was a giant checkbook for a city government organization for some sort of subsidized housing program. There were two numbers to be calculated along with a grand total (primary and interest maybe. I forget now) The code took about 10 minutes to execute and looked something like this... and yes this was unfortunately in Visual Basic

    Label1.Caption = Function1
    Label2.Caption = Function2
    GrandTotal.Caption = Function1 + Function2

    Some of the functions themselves were already bloated to begin with. That on top of calling both of them twice was just kinda nasty though.

    --
    Pancakes. Oh I blew it.
  29. Take out the garbage by Iamthecheese · · Score: 1

    How about this:

    declare places_to_block(constant)(array)(global)

    Function (copy places_to_block to a temporary buffer to "find the size")
    Function (screw up the garbage collection by using the wrong error catch)
    Function (abuse printf to copy the wrong number of bits to collect for entropy)
    Function (Block_Places(places_to_block))(use entropy to copy "random" noise over the places to block))

    --
    If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
  30. Re:Hmm... by hostyle · · Score: 0, Offtopic

    And I have a voodoo doll with your name on it. Coincidence?

    --
    Caesar si viveret, ad remum dareris.
  31. Re:Poor low-level MS devs by TaoPhoenix · · Score: 2, Interesting


    This cheers me up just a little.

    We rage against the management decisions of MS, but I'm positive the ranks are filled with decent guys just trying to pay for dinner & rent.

    "We haven't a clue what this does but it's vital..."
    Seems to me that if the source were opened, within 5 years we'd at least know what all the hacks did, even if they were still necessary.

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  32. COULD SOMEONE EXPLAIN HOW IT WORKS by goombah99 · · Score: 1

    I'm looking at the Runner up entries in the 2007 contest. In these they use an "Xor" Swap trick, which is a way of swapping two bytes in place without having to create a temporary storage element:

    #define SWAP(x,y) do { x^=y; y^=x; x^=y; } while (0)

    The terse explanation says this somehow poisons the RC4 encryption.

    I don't get it. Is the Swap doing something else besides swapping? when does it fail? I'm not getting it

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:COULD SOMEONE EXPLAIN HOW IT WORKS by Timothy+Brownawell · · Score: 1

      > I'm looking at the Runner up entries in the 2007 contest. In these they use an "Xor" Swap trick, which is a way of swapping two bytes in place without having to create a temporary storage element:
      >
      > #define SWAP(x,y) do { x^=y; y^=x; x^=y; } while (0)
      >
      > The terse explanation says this somehow poisons the RC4 encryption.
      >
      > I don't get it. Is the Swap doing something else besides swapping? when does it fail? I'm not getting it

      It is called as SWAP(A[<stuff>], A[<other stuff>]);. What will it do when "stuff" == "other stuff", ie &x == &y?
    2. Re:COULD SOMEONE EXPLAIN HOW IT WORKS by Xcott+Craver · · Score: 2, Informative

      Hi,

      Ask yourself what SWAP(a[j],a[k]) does when j==k.

    3. Re:COULD SOMEONE EXPLAIN HOW IT WORKS by sid0 · · Score: 2, Informative

      When a points to the same location as b, *a XOR *b becomes 0. So *a becomes 0. But a is the same as b, so *b becomes 0 as well. Both *a and *b are destroyed. This will happen when the array indices that are passed into the macro are equal.
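The aliasing failure described in the replies above, as an added example that is not part of the original thread or of any contest entry: a textbook RC4 built once with the quoted XOR macro and once with a temporary-variable swap, counting how many entries of the state array have been zeroed. The names `SWAP_XOR`, `SWAP_TMP`, `rc4_t`, `zeros_after` and the two-byte `DEMO_KEY` are assumptions made for this sketch; the key is constructed so that the second key-scheduling step swaps S[1] with itself.

```c
#include <stdio.h>
#include <stddef.h>

/* The macro quoted in the thread. Correct only when x and y are distinct objects. */
#define SWAP_XOR(x, y) do { x ^= y; y ^= x; x ^= y; } while (0)
/* Hardened form: with a temporary, swapping an element with itself is a no-op. */
#define SWAP_TMP(x, y) do { unsigned char t_ = (x); (x) = (y); (y) = t_; } while (0)

typedef struct { unsigned char S[256]; unsigned char i, j; } rc4_t;

/* Constructed sample key (not from the page). With 0x80,0x80 the key schedule
 * reaches i == j == 1 on its second step, so the aliased swap is guaranteed. */
static const unsigned char DEMO_KEY[2] = { 0x80, 0x80 };

/* Standard RC4 key schedule; use_xor selects which swap macro is used. */
static void rc4_init(rc4_t *c, const unsigned char *key, size_t klen, int use_xor)
{
    unsigned i, j = 0;
    for (i = 0; i < 256; i++) c->S[i] = (unsigned char)i;
    for (i = 0; i < 256; i++) {
        j = (j + c->S[i] + key[i % klen]) & 255u;
        if (use_xor) SWAP_XOR(c->S[i], c->S[j]);   /* zeroes S[i] when i == j */
        else         SWAP_TMP(c->S[i], c->S[j]);
    }
    c->i = c->j = 0;
}

/* Standard RC4 output step, again with a selectable swap. */
static unsigned char rc4_byte(rc4_t *c, int use_xor)
{
    c->i = (unsigned char)(c->i + 1);
    c->j = (unsigned char)(c->j + c->S[c->i]);
    if (use_xor) SWAP_XOR(c->S[c->i], c->S[c->j]);
    else         SWAP_TMP(c->S[c->i], c->S[c->j]);
    return c->S[(unsigned char)(c->S[c->i] + c->S[c->j])];
}

/* A valid RC4 state is a permutation of 0..255, so it holds exactly one zero. */
static int zero_entries(const rc4_t *c)
{
    int n = 0;
    for (int k = 0; k < 256; k++) n += (c->S[k] == 0);
    return n;
}

/* Key the cipher, generate nbytes of keystream, report zeros left in the state. */
int zeros_after(const unsigned char *key, size_t klen, size_t nbytes, int use_xor)
{
    rc4_t c;
    rc4_init(&c, key, klen, use_xor);
    for (size_t n = 0; n < nbytes; n++) (void)rc4_byte(&c, use_xor);
    return zero_entries(&c);
}

int main(void)
{
    const size_t steps[] = { 0, 256, 65536 };
    for (size_t s = 0; s < sizeof steps / sizeof steps[0]; s++)
        printf("after %6zu bytes: zero entries  xor-swap=%3d  tmp-swap=%3d\n",
               steps[s],
               zeros_after(DEMO_KEY, sizeof DEMO_KEY, steps[s], 1),
               zeros_after(DEMO_KEY, sizeof DEMO_KEY, steps[s], 0));
    return 0;
}
```

A swap of two distinct positions preserves the multiset of state values, so the zero count can only grow; a review check that the state is still a permutation after keying catches this class of defect regardless of how the swap is written.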

  33. Re: Ste'graphic Truce by TaoPhoenix · · Score: 1


    Is that an idea?

    Make a routine that appears to copy the values (for retrieval by your own code) but accidentally/nastily hides information in the process of copying?

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  34. Re:Values that should be time by TaoPhoenix · · Score: 1


    How about a timestamp encoding that forgets that 2008 is a leap year?

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  35. Too easy by ObjetDart · · Score: 2, Funny
    utility that mysteriously and undetectably fails between 1 percent and 0.1 percent of the time


    Pfft. I don't see what the big deal is. Just about every app I've ever written does this.

    --
    I read Usenet for the articles.
  36. non-obvious XOR by martyb · · Score: 1

    It really depends on the judges' idea of obvious. You could write a very simple program to XOR each pixel in the rectangle with a randomly defined constant so the data and display would look scrambled. However it's fairly well known that XOR'ing pixels a second time with the same value will unscramble it.

    Using XOR was my first thought, as well. As you say, it's relatively well-known that XOR is reversible. What is less well-known, or more plausibly deniable, is a convoluted logical expression that evaluates the same as an XOR, but is composed of more primitive operators: Exclusive disjunction - Equivalencies, elimination, and introduction, to wit:

    NOTE: I'm using:

    • "+" to denote "inclusive or"
    • "*" to denote "and"
    • "^" to denote "not"
    p XOR q

    = (p * ^q) + (^p * q)

    = (p + q) * (^p + ^q)

    = (p + q) * ^(p * q)

    At this point, you could use a simple nested conditional, or, even better, a nested conditional assignment statement, ala:

    q = seed;
    p_new = ( ( (p * ^q) + (^p * q) ) ? 1 : 0 );

    For bonus points, wrap the preceding inside a function or macro definition.

    "There are two ways of constructing a software design; one way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult." -- C. A. R. Hoare

    (NOTE: I'm a little rusty on my C, so please ignore syntax errors.)

  37. Re:Hmm... by deathy_epl+ccs · · Score: 3, Funny

    ... or the version of Acrobat they sell to the federal government.

  38. Doesn't have to be black by Anonymous Coward · · Score: 0

    I think the most important thing is that, according to the FAQ, it doesn't have to be black, although I'm pretty sure someone will get bonus points for figuring out a way to hide something in a black overlaid rectangle.

  39. My guess by archeopterix · · Score: 3, Interesting

    #define SWAP(x,y) do { x^=y; y^=x; x^=y; } while (0)
    My guess: it is used for x and y of different sizes (say 8 bit and 32 bit).
    1. Re:My guess by Anonymous Coward · · Score: 0

      Well no. wrong.

  40. copyist? by circusboy · · Score: 1

    Hate to be pedantic, but I think the word you're looking for is "steganography"

    stenography == the action of taking dictation

    --
    -- it's ridiculous how many people misspell ridiculous... (damn, damn, damn...)
  41. Re:Hmm... by Anonymous Coward · · Score: 0

    It is no challenge to make a closed source utility which does something evil even though it appears to do something innocent. Most Microsoft programs do that. There, fixed that for you.

  42. "Blacked out" by PhotoGuy · · Score: 1

    Their definition of "blacked out" for the 2008 contest allows colored rectangles or "random noise" replacing the part of the image to be blacked out. The latter would allow doing something like a crypting of the chunk of the image (in the guise of creating random pixels, of course). In that case, everything could be fully restored; no need to just hide things steganographically in a few low bits of black or anything.

    (Of course, the challenge of making the program appear to be doing something else is a key part of the work.)

    --
    Love many, trust a few, do harm to none.
    1. Re:"Blacked out" by El_Oscuro · · Score: 1

      All you would have to do is have an improperly seeded random generator. The SSH business would be good. Extra points if you actually *use* that code. Even better if you document where you got the code from, but "forget" to get the latest version from CVS. Then, all you have to do is transform the bits in some fashion with the random values (instead of overwriting them). Then, all someone needs is the blacklisted SSL keys to completely restore the original image.

      --
      "Be grateful for what you have. You may never know when you may lose it."
  43. 2007 winners not found by Anonymous Coward · · Score: 0

    Could someone provide a link please?

    1. Re:2007 winners not found by Xcott+Craver · · Score: 2, Insightful

      We have a separate tab for the 2007 winners; it's the first one on the left.

      I recommend you give it a read; the entries are all very clever.