• (disco)

    So, we need a bug that's simultaneously undetectable by a skilled programmer, and easily detectable by anyone else?

    I think it's time to break that quantum compiler open...

  • (disco) in reply to Maciejasjmj

    If you manage to write a heisenbug, you could make something which always fails even when it looks like it shouldn't.

    Any skilled programmer would test his stuff though, so I don't see how you could let this slip by unless @Remy wants to handwave the testing as "these bunch of criminals are out of time".

  • (disco)

    I guess it'd be something like, leaving a log whenever someone uses it (but in an obfuscated way)/sending an email to the owner/etc. As in, the EFFECTS are easily visible by anyone, but not the cause. This sounds quite a bit harder than the previous two...

  • (disco)

    I'm sorry, I really don't get it. Neither one of the winners. Why is the Python-Code broken, how do you cheat? And for the cs-solution: What's the problem here? Sorry, but I just don't get it...

  • (disco)

    Uh, it'd be nice to have an explanation of the cheats the solutions used, rather than seemingly random snippets of code and praise for how realistic empty catch blocks are

  • (disco)

    Sorry Remy, normally you are my favorite writer, but today's and yesterday's articles were really bad.

  • (disco) in reply to Michael_Mahn

    You have to read the HTML comments for the full effect of Remy stories.

  • (disco) in reply to Hoffmann
    Hoffmann:
    Why is the Python-Code broken, how do you cheat?

    Globals and threads. That won't go wrong.

  • (disco) in reply to Ben

    There's cheats you can apply if the casino code is running locally. But it doesn't make sense for that code to run locally.

  • (disco) in reply to dkf

    I'm sorry, but I was expecting the developer to sit in front of a slot machine as any other user. And as such you can't even manipulate global vars. So I get the vector but can't really see a way to execute it.

  • (disco) in reply to Hoffmann
    Hoffmann:
    So I get the vector but can't really see a way to execute it

    It's probably something mundane squirrelled away in code that was too long and boring to show. The injection vector is not nearly as interesting as the vulnerability.

  • (disco)

    I see one major vulnerability in the winning code. If any part of the ReadRandom() method throws an exception (which is silently swallowed), it won't get around to setting the number value. Since the code reuses the same variable for all three wheels, this means the third wheel will be the same as the second, giving you a high chance of a jackpot.

    When would this happen? Well, because the temp file is (rather bafflingly) filled with a RANDOM number of random numbers, it could potentially be shorter than the number of digits you want, which would make the substring operation throw an exception (since at least one of the arguments would be out of bounds).

    However, this would be a pretty rare, random occurrence, and off the top of my head I don't see a way to trigger or predict it without modifying the code.

  • (disco) in reply to RFoxmich
    RFoxmich:
    You have to read the HTML comments for the full effect of Remy stories.

    Indeed. I even have a bookmarklet to make them visible; running it is the first thing I do when I see that an article is by @Remy. The only comment in this article was this:

    ( Seriously, I just love that gag, and I'm perfectly happy driving it into the ground. )

    That didn't help explain any of the code :wtf:s.

  • (disco) in reply to Trouble
    Trouble:
    it won't get around to setting the number value. Since the code reuses the same variable for all three wheels, this means the third wheel will be the same as the second, giving you a high chance of a jackpot.

    Yes, I agree with this, but

    int offset = r.Next(s.Length - numberOfDigits);

    seems to prevent

    Trouble:
    it could potentially be shorter than the number of digits you want

    unless there's an off-by-one error there that I'm not seeing. Unless that file of random data has non-digit characters that may cause `int.parse(num)` to fail, I don't get it. Even then,

    Trouble:
    I don't see a way to trigger or predict it

  • (disco) in reply to HardwareGeek

    Oops, I skimmed the MSDN documentation of Random.Next(), and got confused with the two-argument version, which allows you to use negative bounds.

    What will actually happen is that if the file is too short, s.Length - numberOfDigits becomes negative, and Random.Next() throws an ArgumentOutOfRangeException. The effect is the same, though.
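
Added example, not part of the original thread and not the contest entry: a constructed C# sketch of the failure the comments above describe, where a swallowed exception in ReadRandom() leaves the shared variable holding the second wheel's value, shown next to a checked version. The class name, Main, ReadRandomChecked and the sample strings standing in for the temp file's contents are assumptions; ReadRandom, numberOfDigits, s and r follow the names quoted in the thread.

```csharp
// Added illustration; NOT the contest entry. SlotDemo, ReadRandomChecked and
// the sample strings are constructed; the other names follow the thread.
using System;

class SlotDemo
{
    static readonly Random r = new Random();
    const int numberOfDigits = 3;

    // Flawed pattern discussed in the thread: any exception is swallowed,
    // so `number` keeps whatever the previous wheel stored in it.
    static void ReadRandom(string s, ref int number)
    {
        try
        {
            // Random.Next(int) throws ArgumentOutOfRangeException when its
            // argument is negative, i.e. when s is shorter than numberOfDigits.
            int offset = r.Next(s.Length - numberOfDigits);
            number = int.Parse(s.Substring(offset, numberOfDigits));
        }
        catch { }
    }

    // Checked form: validate the input and let a failure stop the spin
    // instead of silently reusing the previous wheel's value.
    static int ReadRandomChecked(string s)
    {
        if (s == null || s.Length < numberOfDigits)
            throw new InvalidOperationException("random source too short");
        int offset = r.Next(s.Length - numberOfDigits + 1);
        return int.Parse(s.Substring(offset, numberOfDigits));
    }

    static void Main()
    {
        int number = 0;
        ReadRandom("8675309", ref number);   // wheel 2: constructed good data
        int wheel2 = number;
        ReadRandom("42", ref number);        // wheel 3: constructed short data
        int wheel3 = number;
        Console.WriteLine($"wheel2={wheel2} wheel3={wheel3} same={wheel2 == wheel3}");

        try { ReadRandomChecked("42"); }
        catch (InvalidOperationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```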

  • (disco)

    The winning solution is actually far more sophisticated than most folks here expected - even more than the author probably did intend. And also far, FAR more broken.

    For starters: Let's have a look at int maxNumber. The precise value of that number has a funny side effect. If you count the occurrences of the digit 0 in the numbers from 0 to 999, it turns out that in a non-padded format, the digit zero is less common than any other. (Any other digit occurs 300 times, zero only 190 times.)

    Now, ReadRandom() actually tries to extract 3 digits - always. But in these 3 digits, the 0 is less common than any other digit, including the occurrence of leading zeros. Which means that the 3rd number is heavily biased, even if the intentional exploit didn't trigger.

    If the slot machine would allow you to bet until the 3rd wheel was set, you would only need to increase your bet every time the first 2 wheels contain no zeros.

  • (disco)

    Python code is broken with race conditions- if you spam the "pull" button hard enough, you can win.

    The C# code is broken because people in this thread have a lot more faith in a file written to disk than I do. If the file doesn't exist- which could happen for a lot of reasons- the third number will always match the second.

  • (disco) in reply to Remy
    Remy:
    If the file doesn't exist- which could happen for a lot of reasons- the third number will always match the second.

    Clearly that skews the odds big-time, but how does the user exploit that? To be useful, there has to be a way to trigger it, because if it just happens randomly, it doesn't help the author, and if it happens regularly, it's going to get noticed very quickly.

  • (disco) in reply to HardwareGeek

    I haven't looked into the code. But if the random file would be for instance a cookie in the browser that would make it very easy to trigger but most users would not see any problem.
