Usually, hackathons and other programming contests call on software developers to build something that's reasonably useful, perhaps even something that makes the world a better place. But the Underhanded C Contest is a little different. It calls on developers to create something that's deliciously malicious.
The goal of the contest is to create a piece of code that performs some sort of nasty activity but looks harmless even under scrutiny. If the malicious activity is discovered at all, it should look like an honest mistake rather than a deliberate attempt at causing problems. Winners will take home a $200 gift certificate to the online store ThinkGeek.
The contest is part of an ever-growing number of competitions that seek to turn computer programming into a game -- and identify top talent. The Underhanded C Contest just happens to identify talent through maliciousness.
The contest was started in 2005 by Binghamton University professor and security expert Scott Craver, who funds the thing out of his own pocket, and a group called the Digital Asset Protection Association will help judge the results.
Craver is best known as the creator of the "Craver Attack," a method of hijacking digital watermarks. Today, Craver's research focuses on steganography -- the process of concealing a message so that only the intended recipient knows to even look for it. Specifically, he's looking for ways to embed hidden messages -- or even applications -- in multimedia files, such as images, videos, or PDFs.
Craver tells us he was inspired to start the Underhanded C contest by a Stanford student's 2004 contest called "Obfuscated V," which was created to question the security of electronic voting machines.
The contest asked developers to create a vote-counting program that tallied the wrong number of votes, but did so in a way that could be disguised as an innocent mistake. The winner created a program that took advantage of the fact that voting took place on November 2 and that the word "second" is slightly longer than the words "first" or "third." When the word "second" occurred in the log record, it would trigger a bug that would write the wrong number of votes.
Craver thought the contest was a good way to raise awareness about security issues and drive research, so he started running his own contest. It began in 2005 and ran through 2009, when he took a break. This year marks the contest's return.
This year's contestants will take on the role of contractors for a fictional social network called ObsessBook. On ObsessBook, user permissions are determined by degrees of separation. If two users are separated by five or fewer degrees, they can view each other's profiles. If they are separated by three or fewer, they can write on each other's walls. Directly connected users can change each other's passwords.
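For comparison, here is what a plain, honest version of that access rule looks like, the kind of baseline a reviewer could test a contractor's submission against. This is an added example, not code from the contest or from the original article; the function names, the fixed `MAX_USERS` adjacency matrix, and the sample friendship graph are assumptions made for illustration.

```c
#include <string.h>

#define MAX_USERS 8            /* constructed sample size (assumption) */
#define UNREACHABLE (-1)

enum access { ACCESS_NONE, ACCESS_VIEW, ACCESS_WALL, ACCESS_PASSWORD };

/* Breadth-first search: friendship hops from src to dst, or UNREACHABLE. */
int degrees(unsigned char adj[MAX_USERS][MAX_USERS], int src, int dst)
{
    int dist[MAX_USERS], queue[MAX_USERS], head = 0, tail = 0;

    if (src < 0 || src >= MAX_USERS || dst < 0 || dst >= MAX_USERS)
        return UNREACHABLE;            /* reject out-of-range ids first */
    for (int i = 0; i < MAX_USERS; i++)
        dist[i] = UNREACHABLE;
    dist[src] = 0;
    queue[tail++] = src;               /* each user is enqueued at most once */
    while (head < tail) {
        int u = queue[head++];
        if (u == dst)
            return dist[u];
        for (int v = 0; v < MAX_USERS; v++)
            if (adj[u][v] && dist[v] == UNREACHABLE) {
                dist[v] = dist[u] + 1;
                queue[tail++] = v;
            }
    }
    return UNREACHABLE;
}

/* The article's thresholds. 0 hops (the same account) is outside the rule,
 * so it fails closed here (assumption). */
enum access access_for(int d)
{
    if (d < 1 || d > 5) return ACCESS_NONE;
    if (d == 1) return ACCESS_PASSWORD;
    return d <= 3 ? ACCESS_WALL : ACCESS_VIEW;
}

/* Constructed sample: users 0..6 form a chain, user 7 has no friends. */
void sample_graph(unsigned char adj[MAX_USERS][MAX_USERS])
{
    memset(adj, 0, MAX_USERS * MAX_USERS);
    for (int i = 0; i + 2 < MAX_USERS; i++)
        adj[i][i + 1] = adj[i + 1][i] = 1;   /* friendship is symmetric */
}
```

Checking every threshold boundary (1, 3, 5 and 6 hops), an unreachable user, an out-of-range id, and both directions of the same pair gives a reviewer a set of known-good answers to compare a submission against.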
The challenge is to create a piece of C code for determining the degrees of separation between users and slip some dastardly code in that will wrongly report the number of degrees separating your profile from other users, thus gaining unearned levels of access to as many users as possible.
Several things can earn a developer bonus points, such as building a glitch that is either specific to your account or "extremely improbable" for another user to trigger. Building a bug that introduces a disparity of access -- in other words, one that gives you access to other users' accounts but doesn't give them access to yours -- will also earn bonus points.
Also, extra points will be awarded for "humorous, spiteful, or ironic bugs, such as evil behavior in an error-checking routine."