Did I just win? (twitter.com)
It is not even a string too.
A king passing through a town finds a man about to be punished for fraud. He intercedes and asks what the matter is. The trickster says in his defence, "I ask people for things, and they give them to me". The king is incredulous but poses a challenge: "You must ask and receive money from the richest man in town." The trickster agrees, but being short on assets, requests a loan. The king obliges, and the trickster arranges (eliding details) to induce the town's richest resident to provide him with a wealth of goods. He returns to the king two days later with evidence in tow. The king is impressed by this demonstration, at which the trickster notes that he'd actually met the conditions 48 hours earlier when the king, wealthier than the town's richest resident, had offered him a loan.
There's something to those old stories.
(I'm not positive of the source but believe it's included in Idries Shah's World Tales.)
Lloyd: I'll bet you twenty dollars I can get you gambling before the day is out!
Harry: No!
Lloyd: I'll give you three to one odds.
Harry: No.
Lloyd: Five to one.
Harry: No.
Lloyd: Ten to one?
Harry: You're on!
Lloyd: I'm gonna get ya!
Harry: Nu uh!
Lloyd: I don't know how but I'm gonna get ya.
By mixing in advanced machinery, our innate heuristics like harm measurement need many more dimensions of analysis. Hackers, in tune with modern machines, recognize this as a blunder since we have seen trust misused with secrets in machines before; still how can a "[s]cientist and security researcher" and "farmer and shoe-repair-man with a handheld" alike learn to recognize wider effects of their machine-enabled actions?
0: https://twitter.com/search?q=from%3ASc00bzT%20to%3ADefuseSec...
2. Offer a $100 bounty to people who can trick me into getting some string into my projects. The easiest way to "trick" me of course is to hide it inside of a PR which fixes a real issue.
3. Find and remove the string before merging the PR. I've had one of my issues fixed for free. Rinse and repeat!
Bonus Round: Stage an announcement on twitter and have someone cleverly trick me into including the string on my website (which I was totally going to do anyway). Post clever trick to code geek social media and reap the sweet free viral marketing and hackers trying to earn a Benjamin.
Another guy responded "You should put this challenge on your website."
The first guy said "Good idea" and proceeded to do so, thus including the string in one of his software projects: his website.
GG
(And kudos to the originator for acknowledging that.)
The offer still stands though, if you'd like to try: https://twitter.com/DefuseSec/status/730904219419443200
@Sc00bzT > @DefuseSec You should put this challenge on your website.
@DefuseSec > @Sc00bzT Good idea, added it to this page: https://defuse.ca/security-contact-vulnerability-disclosure....
@Sc00bzT > @DefuseSec Did I just win?
@DefuseSec > @Sc00bzT FUCK. What's your paypal/bitcoin?
[See https://github.com/defuse/defuse.ca/commit/4770ad5c9d4851d40... for commit.]
Maybe we shouldn't drink and "crypto"? :-)
Maybe it's just a marketing stunt
Disclosure: He and I have been friends for years.
Not that I think that has anything to do with this. Looks more like normal goofing around by security or hacking folks. If anything, he loses money or precious beer from it.
Even if it is a marketing stunt, it is a nice one.
He clearly intended for some variant of "any of my software projects that other people actually use", but failed to specify that detail.
But it's nonetheless hilarious. Laughs all around.
Now insert that string into Linux source code, and I'll get surprised.
Social engineering has been understood for a long time, and yet we can't develop defenses in the same way we can develop defenses in software. So we have an underpaid workforce of software hackers uncovering vulnerabilities which get patched and an overpaid workforce of social engineers exploiting unpatchable vulnerabilities in the human condition.
Who is really being exploited here?
Also, if he validated the code before copy and paste, the string would be invisible.
I assume you only write leet codes in assembly?
"I'll give $100 USD to anyone who can trick me into inserting the string "BackdoorPoCTwitter" into a release of any of my software projects."
Emphasis on the "trick me".
As for why so little attention is paid to the human side, I think you said it, "We can't develop defenses the same way we can develop defenses in software." Not only that, but a human being who's brilliant in their role in your company, might be singularly unsuited to learning lessons about social engineering.
I suppose if you want a humorous and somewhat dystopian sci-fi view of how this could be managed... you ever read 'Snow Crash'?
It really simplifies things.
Mr. Mxyzptlk: You, my friend, are the ultimate challenge! We're going to have very merry games, you and I!
Superman: A game has rules! Your stunts are just random idiocy!
Mr. Mxyzptlk: Okay, I'll give you a rule! If you can make me say, spell or otherwise reveal my name backwards and I'll split, until our dimensions come into alignment again in... oh, three months, give or take.
Superman: I can't even say your name forwards - how am I supposed to say it backwards?
Mr. Mxyzptlk: No, dope, you don't have to say it, you have to get me to say it!
Superman: Say what?
Mr. Mxyzptlk: Kltpzyxm! Gosh, you're thick! Now, for the last time... ah, nuts!
My win was legit, but there's no way for me to prove that. Well if this was a PR stunt then I should have @defcon or at least #defcon to get a larger audience, but in all reality I'm banned from PayPal and haven't used Bitcoin. Which is why I said I'll settle for a beer, but I should have asked for zcoin after it launches... shit now this is all a PR stunt for "Zooko money".
Anyway if anyone working at PayPal sees this and wants to hook me up by unbanning me that would be nice.
vs
"It's not clever to hack something [i.e. with technical exploits] that you can socially engineer"
I actually have another idea which I now think I should try to do, so I won't give the details here.
We make changes to those systems by setting up very intricate situations where the changes are all in the right place at the right time and a bunch of approval systems have basically got flags indicating changes can be made. Then the changes get included as part of the system's normal operations, as in once it gets a bunch of signals for various places it pulls in whatever is in a specific clearcase stream.
Obviously the above description is a huge oversimplification, but the only way to social engineer that is if you can convince multiple system managers to approve a change which has already been promoted by tech leads in various departments.
Admittedly it makes "hot"fixes a god damn nightmare because 'oh shit, no one noticed a spelling error in the legal disclaimer sent to business customers? Let's get all 150 technical sign offs again... And get me the number of that lawyer who said that we had to include that!'
Tough problem.
I just noticed you have the same handle that's why I asked.
Disclaimer: My employer has used this, but I was uninvolved with the choice and have no stake in knowbe4. Just using it as an example I have to hand. I believe there are quite a few choices.
You suggested I "didn't get it" because trolling stuff that wins a game was the point. Actually, what made me think about impact was on website and the challenge itself:
"Backdoor Insertion Proof-of-Concept Bounty: The first time someone tricks me into inserting the string "BackdoorPoCTwitter" into a release of any of my software projects"
Whole point is assessing ability to backdoor software products. Social attack that succeeds might teach us something. The cheat teaches us nothing but is amusing. So, I certainly get it and read site before I wrote here. ;)
Note: Same page said employer's website was off limits in hacks and pentests. I assumed that meant Defuse. So, never considered website attack as in scope in first place.
The attacker thought out of the box to tackle a lesser challenge: getting a string on the website itself. It was technically true under rules, funny, and contest issuer even owned up to it. It's not the real challenge, though. No real-world impact. So, just amusing trolling.
Besides, how would inserting the string in his apps have any different effect than inserting it into the website? This is completely within the parameters that were set (because there weren't many).
https://news.ycombinator.com/item?id=11696750
Suffice to say, the real point is whether people can compromise his apps with something that would harm their computer. So, let's rephrase your question, "What's the difference between convincing him to post a challenge string on his website and convincing him to arbitrarily modify code of apps he distributes to users?" Obviously, a huge difference unless he's a complete idiot.
Surely you are right that when he presented the challenge he had something different in mind. But that's exactly the point! The winner realized that the website itself might be a gap in the challenger's trust system; a place where he would have his guard down.
Eschewing the implied parameters of a problem and cheating expectations are what vulnerability detection is all about.
https://news.ycombinator.com/item?id=11693426
You're failing to see my actual concern here. I'm one of those old-school types that rate people on impact their work has first and how clever/funny it is second. The first, expected challenge had consequences with impact. Tackling that with effort even close to success would be praiseworthy & even contribute something new to INFOSEC.
The other thing is the kind of shit I do to coworkers and people online all day for fun. One I hadn't thought of and clever for sure but same concept. It's a combo of wit and sophistry that focuses on technicalities of people's statements who aren't thinking carefully about them. Outside policy and procedures, outthinking a statement has no impact at all.
So, as I think along both lines, I recognize it as clever trolling in the second category like I do 20 times a day. Similarly pointless. Just fun and funny. Then, acknowledge that the real target or challenge would've been more valuable. Implicitly encouraging people to go for that one in case we learn something important. You know, relevant to information security. Plus, I give highest props to people that pull off difficult or nigh-impossible feats.