Slashdot Mirror


5th Underhanded C Contest Now Open

Xcott Craver writes "The next Underhanded C Contest has begun, with a deadline of March 1st. The object of the contest is to write short, readable, clear and innocent C code that somehow commits an evil act. This year's challenge: write a luggage routing program that mysteriously misroutes a customer's bag if a check-in clerk places just the right kind of text in a comment field. The prize is a gift certificate to ThinkGeek.com."


  1. Watch list? by girlintraining · · Score: 4, Funny

    This year's challenge: write a luggage routing program that mysteriously misroutes a customer's bag if a check-in clerk places just the right kind of text in a comment field.

    All participants will also receive complimentary cavity-searches at airport checkpoints.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Watch list? by RichardJenkins · · Score: 3, Funny

      Uh-oh, looks like you missed out the punctuation and got the words in the wrong order! You clearly meant:

      God, is stupid science there? Is that religion? Get some religion! Karma should fuck me good.

      Yeah, that makes more sense.

    2. Re:Watch list? by w0mprat · · Score: 4, Funny

      This year's challenge: write a luggage routing program that mysteriously misroutes a customer's bag if a check-in clerk places just the right kind of text in a comment field.

      I am certain that this is already a feature of existing luggage routing software.

      --
      After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    3. Re:Watch list? by markkezner · · Score: 5, Insightful

      Funny, but you've got a point. What would a potential employer think when, upon googling your name, they learn that you're so good at hiding malicious code that you won a contest for it? Would you hire that guy?

      It's not worth the $100 gift certificate.

      --
      Dangerous, sexy, turing complete: Femme Bots
    4. Re:Watch list? by Applekid · · Score: 4, Insightful

      Would you hire that guy?

      Definitely, but maybe for QA or as a Code Review consultant. Of course, I'm assuming that the winner of the contest would also be clever enough to detect hidden maliciousness in others' code.

      --
      More Twoson than Cupertino
    5. Re:Watch list? by Anonymous Coward · · Score: 3, Funny

      Yes, especially if the word "fragile" or "valuable" is in the comment field.

    6. Re:Watch list? by gad_zuki! · · Score: 2, Insightful

      >What would a potential employer think when, upon googling your name, they learn that you're so good at hiding malicious code that you won a contest for it.

      That's a pretty lousy line of reasoning and probably responsible for all the mediocrity out there in the computer world. Heck, what if your employer found out you were in the military and fought? Do you want to hire the guy who shot at Iraqis with a 50 caliber machine gun? Or the guy who wrote an ad blocking program? Or the guy who wrote a cover letter well enough to fool you into interviewing him?

      Yes, you do because all these things are signs of courage and intelligence. Once you start filtering anyone with any background in anything controversial, powerful, different, or mildly questionable then you can pretty much guarantee yourself a staff of dim bulbs and products that do miserably in the market.

      This is also why I think it's so hard for smart people to be in politics. The electorate is so scared of anything that deviates from the mainstream that we only vote in conformist 'never rock the boat' overly-religious men, who turn out to be good at not cheating on their wives and going to church but not so good at governing and coming up with and implementing good solutions for the public good.

  2. Not fair! by Anonymous Coward · · Score: 3, Funny

    Someone who works at any major airline can just submit the real production code they use for luggage routing and win the contest for sure!

    1. Re:Not fair! by fuzzyfuzzyfungus · · Score: 4, Funny

      Hardly. It is supposed to be "short, readable, clear and innocent". What are the odds that any of the airline production code meets that description?

    2. Re:Not fair! by girlintraining · · Score: 2, Interesting

      Hardly. It is supposed to be "short, readable, clear and innocent". What are the odds that any of the airline production code meets that description?

      Depends on the function -- if it's mission critical, you bet your ass it'll be documented and readable. Considering that most ATC technical failures are hardware, not software-based, that should say something. The problem is that while the code is quite well-documented, few people are left with the training or understanding of it to port it to newer systems, and it's not like they can ground all flights for a week to do an upgrade. So we're left with mainframes that were out of date in the 70s being used today in critical infrastructure.

      On the other hand, the code in applications used at the ticket counter and security checkpoints... not so much.

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:Not fair! by Skater · · Score: 2, Interesting

      Does anyone else remember the new Denver Airport's original luggage system? This system singlehandedly delayed the airport's opening for over a year. Eventually the airport retrofitted a standard baggage moving system. If someone has access to the code of the original system, they could easily submit that.

    4. Re:Not fair! by derGoldstein · · Score: 3, Insightful

      Hardly. It is supposed to be "short, readable, clear and innocent". What are the odds that any of the airline production code meets that description?

      Hardly. It is supposed to be "short, readable, clear and innocent". What are the odds that any software written in C meets that description?

      There, fixed.

      --
      Entomologically speaking, the spider is not a bug, it's a feature.
  3. Wait a sec... by Anonymous Coward · · Score: 4, Funny

    | This year's challenge: write a luggage routing program that mysteriously misroutes a customer's bag if a check-in clerk places just the right kind of text in a comment field.

    What, we actually need to write code for something that happens by nature?

    1. Re:Wait a sec... by bcong · · Score: 4, Funny

      the current method of writing in:
      "Package Handler,
      Customer was an asshat...you know what to do"
      was starting to get noticed

  4. Possibilities by Rei · · Score: 3, Interesting

    I don't have the time for something like this, but it seems to me a good possibility would be to have all of your inputs that the clerk fills out be contiguous in memory, including the destination, have the algorithm to figure out what destination to go to scan through the whole destination string looking for matches (rather than looking for an exact match) and taking the last one it finds, and have a broken bounds check for the length of that string so that the algorithm looks into the comments section as well.

    So, for example, if the clerk fills out the destination as "LAX" but writes in the comments section, "Do not confuse his bags with those owned by CID who is also going to a different final destination; they're very similar looking.", the bags would be routed to Cedar Rapids (CID) instead of Los Angeles (LAX).

    --
    As it says in the Constitution, Lenin is in my shower.
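The bug class described in the comment above, next to a corrected lookup, as an added example (not part of the original post and not a contest entry). The record layout, the three-airport table and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: clerk-entered fields sit contiguously in one record. */
struct checkin {
    char dest[4];        /* 3-letter airport code plus NUL */
    char comment[160];   /* free text from the check-in clerk */
};

static const char *const AIRPORTS[] = { "LAX", "CID", "JFK" };
#define N_AIRPORTS (sizeof AIRPORTS / sizeof AIRPORTS[0])

struct checkin make_checkin(const char *dest, const char *comment) {
    struct checkin c;
    memset(&c, 0, sizeof c);
    snprintf(c.dest, sizeof c.dest, "%s", dest);          /* truncates, NUL-terminates */
    snprintf(c.comment, sizeof c.comment, "%s", comment);
    return c;
}

/* Flawed: substring scan, last match wins, and the bound is the size of
 * the whole record instead of the dest field, so the comment is scanned. */
const char *route_flawed(const struct checkin *c) {
    const char *buf = (const char *)c, *hit = NULL;
    for (size_t i = 0; i + 3 <= sizeof *c; i++)   /* should be sizeof c->dest */
        for (size_t a = 0; a < N_AIRPORTS; a++)
            if (memcmp(buf + i, AIRPORTS[a], 3) == 0)
                hit = AIRPORTS[a];
    return hit;
}

/* Corrected: the field must be NUL-terminated inside its own bounds and
 * must equal a known code exactly; nothing outside dest is ever read. */
const char *route_checked(const struct checkin *c) {
    if (memchr(c->dest, '\0', sizeof c->dest) == NULL)
        return NULL;
    for (size_t a = 0; a < N_AIRPORTS; a++)
        if (strcmp(c->dest, AIRPORTS[a]) == 0)
            return AIRPORTS[a];
    return NULL;
}

int main(void) {
    struct checkin c = make_checkin("LAX",
        "Do not confuse his bags with those owned by CID who is also going "
        "to a different final destination; they're very similar looking.");
    printf("flawed: %s  checked: %s\n", route_flawed(&c), route_checked(&c));
    return 0;
}
```

In review, the two things to look for are a loop bound taken from the enclosing object rather than the field, and a "find any match" lookup where the field should be compared for equality.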
    1. Re:Possibilities by j-stroy · · Score: 2, Interesting

      It could be hidden in a piece of user interface that today's systems are full of, the extra clicks and bells that no one needs, but some client or marketing weenie will never give it up.. overwrite the destination with the first bytes of an audio file with some misdirection.
      Example on this page

    2. Re:Possibilities by bberens · · Score: 2, Interesting

      I could see this... have the front-end and back-end communicate over a socket or something and have a simple delimited message format where someone could alter the results by using a SQL-injection style attack on your parser. That way, at least, the input has to be somewhat complex, but the code could look very innocent.

      --
      Check out my lame java blog at www.javachopshop.com
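The delimiter-injection weakness described in the comment above, with the front-end check that closes it, as an added example (not part of the original post). The `DEST=...;NOTE=...` wire format and all function names are assumptions made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed wire format (an assumption): "DEST=<code>;NOTE=<text>" */

/* Front end, naive: the note is pasted into the message unescaped. */
int encode_naive(char *out, size_t n, const char *dest, const char *note) {
    int w = snprintf(out, n, "DEST=%s;NOTE=%s", dest, note);
    return (w >= 0 && (size_t)w < n) ? 0 : -1;
}

/* Front end, checked: refuse any field text containing the delimiter,
 * so user text can never start a new field on the wire. */
int encode_checked(char *out, size_t n, const char *dest, const char *note) {
    if (strchr(dest, ';') || strchr(note, ';'))
        return -1;
    return encode_naive(out, n, dest, note);
}

/* Back end: walk the ';'-separated fields; a later DEST= silently
 * overrides an earlier one. Returns 0 if a destination was found. */
int parse_dest(const char *msg, char dest[4]) {
    int found = -1;
    const char *p = msg;
    while (p) {
        if (strncmp(p, "DEST=", 5) == 0 && strlen(p + 5) >= 3) {
            memcpy(dest, p + 5, 3);
            dest[3] = '\0';
            found = 0;
        }
        p = strchr(p, ';');
        if (p)
            p++;                       /* step past the delimiter */
    }
    return found;
}

int main(void) {
    char msg[128], dest[4];
    const char *note = "fragile;DEST=CID";   /* constructed sample input */
    if (encode_naive(msg, sizeof msg, "LAX", note) == 0 &&
        parse_dest(msg, dest) == 0)
        printf("naive front end   -> routed to %s\n", dest);
    if (encode_checked(msg, sizeof msg, "LAX", note) != 0)
        printf("checked front end -> message rejected\n");
    return 0;
}
```

A parser that rejects duplicate keys, or a length-prefixed format, gives the back end the same protection independently of the front end.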
  5. Re:Easy? by Anonymous Coward · · Score: 5, Informative

    *Way* more deceptive. The default value for the destination field? It's supposed to look innocent - an innocent program would note that you left out a destination and prompt you to enter one. Any basic debugging done by someone else would turn this up. What they want is for you to leave a "comment" like "this package is top-heavy" (in a field designed for such comments) that changes the destination, but in a way such that someone reading the source code wouldn't realize anything was happening at all, much less that you were changing the destination. Also such that whoever entered the text wouldn't obviously be at fault.

  6. Contest or Job Posting? by Anonymous Coward · · Score: 5, Funny

    a luggage routing program that mysteriously misroutes a customer's bag

    sounds like Delta is looking for new programmers

    1. Re:Contest or Job Posting? by Sebilrazen · · Score: 4, Funny

      No, that challenge would have random 3 hour tarmac waits generated too.

      --
      "There are no facts, only interpretations." --Friedrich Nietzsche.
  7. I'm really impressed by troll8901 · · Score: 4, Informative

    I've read the entire blog, and I must say, I'm impressed. Very impressed. Very, very impressed.

    The person who writes the criteria knows what he's/she's writing about.

    And the winners who submit the results are really, really good.

    1. Re:I'm really impressed by troll8901 · · Score: 5, Interesting

      Here's some points I'd like to highlight, from the 2008 Winners.

      • Linus Akesson: The BYTESPERPIXEL macro "gives the false impression that the code intelligently supports higher bit widths" but actually "causes the 8-bit case to leak information into the file" (by exploiting a buffer overflow). ... (thus allowing wiped image data to be reconstructed.)
      • Avinash Baliga: The ExpectTrue macro overwrites the image mask (by exploiting a buffer overflow), allowing two bits to survive the wiping, (thus allowing wiped image data to be reconstructed). Furthermore, the evil behavior is concealed in an innocent-looking error checking macro.
      • John Meacham: (Winner) The code is "extremely simple, innocent, obvious" ... and devious. "Low-intensity pixels are replaced with a '0', and high-intensity pixels replaced with a '00' or a '000'" ... (thus allowing wiped image data to be reconstructed.)

      All I can say is, Wow.

    2. Re:I'm really impressed by derGoldstein · · Score: 3, Funny

      I also started looking up past winners, John's explanation/justification code was brilliant. I had no idea such evilness could be so cleverly concealed.

      So you're new to C?

      --
      Entomologically speaking, the spider is not a bug, it's a feature.
  8. Re:This sounds familiar to, by Anonymous Coward · · Score: 5, Funny

    I was going to say, don't forget Perl programmers, but then I remembered the legibility requirement.

  9. For extra points: by w0mprat · · Score: 4, Funny

    For extra points submit this to your favourite open source project and have it accepted into the main code release - since it appears to be perfectly genuine, compiles, and can do what it appears to - it's certainly possible. Finally demonstrate your backdoor when the project is released to the wild.

    If you manage to get this into the GNU/Linux Kernel, you get a job at the NSA.

    Write short, readable, perfectly innocent looking C code, that somehow commits an evil act under certain circumstances.

    --
    After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    1. Re:For extra points: by Nemyst · · Score: 3, Funny

      Well, Linux already allows you to install Windows...

    2. Re:For extra points: by Rycross · · Score: 2, Informative
  10. Totally opposite by SuperKendall · · Score: 4, Informative

    The true "Underhanded" program would be one that was perfectly readable, so readable in fact that you totally overlook the sneaky thing it was doing because what you think it's doing seems so clear.

    The ObsfuC contest is all about code that even after staring you can't tell what the heck is going on.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  11. Re:Easy? by Tyler Durden · · Score: 4, Funny

    C motherfucker, do you speak it?!

    --
    Happy people make bad consumers.
  12. Write up of last entry by John Meacham · · Score: 5, Informative

    I am the winner of the previous underhanded C contest. If anyone is interested, I wrote up a description of my entry on my blog here: http://notanumber.net/archives/54/underhanded-c-the-leaky-redaction

    It was a fun contest to enter and now I can shop at thinkgeek for silly gadgets without feeling guilty :)

    --
    http://notanumber.net/