Admin
So, we need a bug that's simultaneously undetectable by a skilled programmer, and easily detectable by anyone else?
I think it's time to break that quantum compiler open...
Admin
If you manage to write a heisenbug, you could make something which always fails even when it looks like it shouldn't.
Any skilled programmer would test his stuff though, so I don't see how you could let this slip by unless @Remy wants to handwave the testing as "these bunch of criminals are out of time".
Admin
I guess it'd be something like, leaving a log whenever someone uses it (but in an obfuscated way)/sending an email to the owner/etc. As in, the EFFECTS are easily visible by anyone, but not the cause. This sounds quite a bit harder than the previous two...
Admin
I'm sorry, I really don't get it. Neither one of the winners. Why is the Python-Code broken, how do you cheat? And for the cs-solution: What's the problem here? Sorry, but I just don't get it...
Admin
Uh, it'd be nice to have an explanation of the cheats the solutions used, rather than seemingly random snippets of code and praise for how realistic empty catch blocks are
Admin
Sorry Remy, normally you are my favorite writer, but today's and yesterday's articles were really bad.
Admin
You have to read the HTML comments for the full effect of Remy stories.
Admin
Globals and threads. That won't go wrong.
Admin
There's cheats you can apply if the casino code is running locally. But it doesn't make sense for that code to run locally.
Admin
I'm sorry, but I was expecting the developer to sit in front of a slot machine as any other user. And as such you can't even manipulate global vars. So I get the vector but can't really see a way to execute it.
Admin
It's probably something mundane squirrelled away in code that was too long and boring to show. The injection vector is not nearly as interesting as the vulnerability.
Admin
I see one major vulnerability in the winning code. If any part of the ReadRandom() method throws an exception (which is silently swallowed), it won't get around to setting the number value. Since the code reuses the same variable for all three wheels, this means the third wheel will be the same as the second, giving you a high chance of a jackpot.
When would this happen? Well, because the temp file is (rather bafflingly) filled with a RANDOM number of random numbers, it could potentially be shorter than the number of digits you want, which would make the substring operation throw an exception (since at least one of the arguments would be out of bounds).
However, this would be a pretty rare, random occurrence, and off the top of my head I don't see a way to trigger or predict it without modifying the code.
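The failure mode described in the comment above, as an added C# example that is not part of the thread and is not the contest entry's code. The names `ReadRandom`, `number` and `numberOfDigits` come from the comments; the method bodies, the class name `WheelDemo`, the `ReadRandomChecked` variant and the sample pool contents are assumptions made for illustration.

```csharp
using System;
using System.IO;

// Added illustration: names follow the thread, the bodies are assumptions.
static class WheelDemo
{
    const int numberOfDigits = 3;
    static readonly Random rng = new Random();

    // Flawed pattern: the result lives in a shared field and failures are swallowed.
    static int number;
    static void ReadRandom(string path)
    {
        try
        {
            string s = File.ReadAllText(path);                // throws if the file is missing
            int start = rng.Next(s.Length - numberOfDigits);  // throws if the pool is too short
            number = int.Parse(s.Substring(start, numberOfDigits));
        }
        catch { }  // number silently keeps the previous wheel's value
    }

    // Hardened form: return the value, validate the pool, let failures abort the spin.
    static int ReadRandomChecked(string path)
    {
        string s = File.ReadAllText(path);
        if (s.Length < numberOfDigits)
            throw new InvalidDataException("random pool shorter than one draw");
        int start = rng.Next(s.Length - numberOfDigits + 1);
        return int.Parse(s.Substring(start, numberOfDigits));
    }

    static void Main()
    {
        string path = Path.GetTempFileName();
        File.WriteAllText(path, "4815162342");  // constructed sample pool
        ReadRandom(path); int wheel1 = number;
        ReadRandom(path); int wheel2 = number;
        File.WriteAllText(path, "7");           // constructed pool shorter than numberOfDigits
        ReadRandom(path); int wheel3 = number;  // exception swallowed, stale value reused
        Console.WriteLine($"flawed: {wheel1} {wheel2} {wheel3} (wheel3 == wheel2: {wheel3 == wheel2})");

        try { ReadRandomChecked(path); }
        catch (InvalidDataException e) { Console.WriteLine("hardened: spin aborted, " + e.Message); }
        File.Delete(path);
    }
}
```

In review, the two things to flag are the empty `catch` around code that produces a security-relevant value and the output being passed through shared state instead of a return value; either one alone would have made the failure visible.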
Admin
Indeed. I even have a bookmarklet to make them visible; running it is the first thing I do when I see that an article is by @Remy. The only comment in this article was this:
That didn't help explain any of the code :wtf:s.
Admin
Yes, I agree with this, but
seems to prevent
unless there's an off-by-one error there that I'm not seeing. Unless that file of random data has non-digit characters that may cause `int.parse(num)` to fail, I don't get it. Even then,
Admin
Oops, I skimmed the MSDN documentation of `Random.Next()`, and got confused with the two-argument version, which allows you to use negative bounds.
What will actually happen is that if the file is too short, `s.Length - numberOfDigits` becomes negative, and `Random.Next()` throws an `ArgumentOutOfRangeException`. The effect is the same, though.
Admin
The winning solution is actually far more sophisticated than most folks here expected - even more than the author probably did intend. And also far, FAR more broken.
For starters: Let's have a look at `int maxNumber`. The precise value of that number has a funny side effect. If you count the occurrences of the digit 0 in the numbers from 0 to 999, it turns out that in a non-padded format, the digit zero is less common than any other. (Any other digit occurs 300 times, zero only 190 times.)
Now, ReadRandom() actually tries to extract 3 digits - always. But in these 3 digits, the 0 is less common than any other digit, including the occurrence of leading zeros. Which means that the 3rd number is heavily biased, even if the intentional exploit didn't trigger.
If the slot machine would allow you to bet until the 3rd wheel was set, you would only need to increase your bet every time the first 2 wheels contain no zeros.
Admin
Python code is broken with race conditions- if you spam the "pull" button hard enough, you can win.
The C# code is broken because people in this thread have a lot more faith in a file written to disk than I do. If the file doesn't exist- which could happen for a lot of reasons- the third number will always match the second.
Admin
Clearly that skews the odds big-time, but how does the user exploit that? To be useful, there has to be a way to trigger it, because if it just happens randomly, it doesn't help the author, and if it happens regularly, it's going to get noticed very quickly.
Admin
I haven't looked into the code. But if the random file would be for instance a cookie in the browser that would make it very easy to trigger but most users would not see any problem.