You remember Snapchat, it’s the smartphone app that became famous for letting you send saucy photos that save your blushes by self destructing…
…before it became famous for not actually doing that at all.
The potential immortality of Snapchat’s will-o’-the-wisps came home to roost in October’s inglorious Snappening.
‘The Snappening’: Snapchat images flood the internet after SnapSaved.com hack
And for your chance to win an exclusive, limited edition, Naked Security T-shirt, work out the answer to Paul Ducklin’s brain teaser below…
This December we’re celebrating Christmas by giving away five of our much-coveted, limited edition Naked Security T-shirts every day for 12 days!
We’ve selected twelve of the most interesting stories from 2014 and we’ll be writing about one of them each day.
All you have to do to win a T-shirt is read the story and answer the question.
We’ll pick 5 lucky winners out of a hat (OK, /dev/urandom) each day and those who answer the most questions correctly over the 12 days will be entered into our grand prize draw for a goody bag of geeky gifts valued at up to $500!
For today’s question, you will need the “maze” image below:
We need to know your email address so that we can contact you if you’ve won. When we contact you, we’ll need your T-shirt size, a delivery address and a contact number so we can ship your prize. We won’t use any of your personal details for anything other than this competition.
Entries close at 23:59 Pacific Standard Time (UTC-8) each day. Sophos staff, those professionally connected to the company, and their families, are welcome to submit answers for fun, but can’t win. T-shirt styles may vary from those depicted. Sophos’s decision is final, and so on. Please read our official competition terms and conditions.
What was Day 10’s answer?
Day 10 was about the age of the Shellshock bug in Bash, a command shell that is very widely used on Linux and BSD-based systems (including OS X).
Bash is occasionally found on Windows, too, deployed by developers for compatibility with UNIX/Linux build systems.
Usually, you start Bash and then feed it a script to execute.
Usually, when Bash is started on your server by some remotely triggered action (such as a website visitor running a search), the script is carefully controlled to prevent sneaky user input from causing trouble.
But thanks to the Shellshock hole, you could trick Bash into running a cunningly concealed command during startup, before the innocent-looking script you then fed it had even begun: Bash imported function definitions from environment variables (any variable whose value began with “() {”), and, until it was patched, kept on executing whatever the attacker had tacked on after the function’s closing brace.
Amazingly, this bug was introduced in August 1989, in Bash version 1.03.
To the nearest full year, therefore, the vulnerability was 25 years old.
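Here is an added example (not code from the original Naked Security post) of what the Shellshock startup trick looks like in practice: a probe that checks whether a given Bash binary still executes the command tacked onto an imported function definition, and a scanner for the “() {” prefix that attackers planted in HTTP headers such as User-Agent, which CGI web servers hand to Bash as environment variables. The access-log lines are constructed sample data, not real traffic, and the path to the Bash binary is an assumption.

```shell
#!/bin/sh
# Added example (not from the original Naked Security post): a probe for the
# classic Shellshock behaviour, plus a scanner for the function-definition
# prefix that attackers planted in HTTP request headers. The log lines below
# are constructed sample data, not real traffic.

# Returns 0 (true) if the named bash still executes the command that follows
# an imported function definition (the original Shellshock, CVE-2014-6271),
# 1 if it only imports the function body or the binary cannot be run.
# The bash path is an assumption; pass another one as the first argument.
shellshock_probe() {
    bash_bin="${1:-bash}"
    out="$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo probe' 2>/dev/null)"
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if a header value begins with the exact "() {" prefix that Bash
# used to recognise as an exported function definition.
is_shellshock_payload() {
    printf '%s' "$1" | grep -qE '^\(\) \{'
}

# Constructed Apache-style access-log lines: the first and third carry
# Shellshock payloads in the User-Agent field, the second is benign.
SAMPLE_LOG='203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /usr/bin/id"
198.51.100.3 - - [25/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:02:41 +0000] "GET /cgi-bin/search?q=test HTTP/1.1" 500 64 "-" "() { ignored; }; echo; /bin/sh -c uname"'

# Prints the number of sample lines whose User-Agent field (the last
# double-quoted string on the line) starts with the Shellshock prefix.
count_shellshock_hits() {
    printf '%s\n' "$SAMPLE_LOG" | grep -cE '"\(\) \{[^"]*"$'
}

# Stand-alone run: report the probe result and list the suspicious lines.
if shellshock_probe; then
    echo "local bash: VULNERABLE to CVE-2014-6271"
else
    echo "local bash: patched (or not runnable)"
fi
echo "shellshock hits in sample log: $(count_shellshock_hits)"
printf '%s\n' "$SAMPLE_LOG" | grep -E '"\(\) \{[^"]*"$'
```

The probe is the same one-liner that did the rounds when the bug broke: the function body is harmless (`:`), so the only way the word VULNERABLE can appear is if Bash ran the trailing command while importing the environment. The scanner deliberately matches only the exact “() {” prefix at the start of a header value, because that is the string the vulnerable parser looked for; later Shellshock variants used the same prefix, so the check catches them too.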
10 comments on “12 Days competition: Day 11 – Now you see it, now you…ah…still see it”
That is a very tiny image (320×120) at the time of this message (~17 mins after the article went up).
There are no additional clues, though my instinct is to guess that you’re looking for the term to describe a specific form of hiding information?
The image is just too small though.
As always, it’s not the size that matters 🙂
(You can find some hints by searching for the hashtag #naksecquiz on Twitter – you don’t need a Twitter account to read what’s already there…only if you want to chime in yourself).
To be clear – we aren’t after a generic term for hiding information inside other sorts of information (so-called “steganography”). The answer we want *is hidden in the image file itself*. When you uncover the trick, you will have no doubt that you’ve solved it, as the answer sort of speaks for itself.
“Consider ye the pixels, how they do present themselves.”
I am of the opinion you got the answer wrong; after extensive research, the answer should be 20 years. The earliest version of Bash affected by the vulnerability, 1.14, dates back to 08.07.1994. Chet Ramey of the New York Times believed that Shellshock dates back to a new feature introduced in 1992. There seem to be too many conflicting dates for this question. Please post a link to the article that you propose is the answer.
Further to my comments, I have found the e-mail that was sent on 03.10.2014 explaining the widespread misconceptions about the version of Bash dating back to 1.03, and find it baffling that so many articles have conflicting information, even the NVD database at NIST. I concede your answer is correct.
The screenshot of the changelog in the article is in fact a link that should take you to the changelog, and that should make it easy to find your way to links that provide a general consensus that it was in August 1989 that the bug appeared.
That’s when the feature to parse environment variables into function definitions was added, and that’s what caused the trouble.
I liked this bit: “Look in the image itself, not the metadata” GL all.
NM my previous comment about the image size. I was initially looking at it on a phone. 😉
Buy a bigger phone 🙂 I hear that phablets are quite the thing these days…
Learned something today – including the fact that my dictionary function is broken – have to go fix it now that this is done.
When are winners contacted? I want a shirt! lol
I’m afraid all T-shirt winners have been contacted now. However if you’ve entered on many of the days, you may still be in the running for the uber prize (to be drawn tomorrow)!