12 Days competition: Day 11 – Now you see it, now you…ah…still see it


You remember Snapchat: it’s the smartphone app that became famous for letting you send saucy photos that save your blushes by self-destructing

…before it became famous for not actually doing that at all.

The potential immortality of Snapchat’s will-o’-the-wisps came home to roost in October’s inglorious Snappening.

‘The Snappening’: Snapchat images flood the internet after SnapSaved.com hack

And for your chance to win an exclusive, limited edition, Naked Security T-shirt, work out the answer to Paul Ducklin’s brain teaser below…

This December we’re celebrating Christmas by giving away five of our much-coveted, limited edition Naked Security T-shirts every day for 12 days!

We’ve selected twelve of the most interesting stories from 2014 and we’ll be writing about one of them each day.

All you have to do to win a T-shirt is read the story and answer the question.

We’ll pick 5 lucky winners out of a hat (OK, /dev/urandom) each day and those who answer the most questions correctly over the 12 days will be entered into our grand prize draw for a goody bag of geeky gifts valued at up to $500!

For today’s question, you will need the “maze” image below:

Day 11 Quiz image

We need to know your email address so that we can contact you if you’ve won. When we contact you, we’ll need your T-shirt size, a delivery address and a contact number so we can ship your prize. We won’t use any of your personal details for anything other than this competition.

Entries close at 23:59 Pacific Standard Time (UTC-8) each day. Sophos staff, those professionally connected to the company, and their families, are welcome to submit answers for fun, but can’t win. T-shirt styles may vary from those depicted. Sophos’s decision is final, and so on. Please read our official competition terms and conditions.

What was Day 10’s answer?

Day 10 was about the age of the Shellshock bug in Bash, a command shell that is very widely used on Linux and BSD-based systems (including OS X).

Bash is occasionally found on Windows, too, deployed by developers for compatibility with UNIX/Linux build systems.

Usually, you start Bash and then feed it a script to execute.

And when Bash is started on your server by some remotely triggered action (such as a website visitor running a search), the script is usually carefully controlled to prevent sneaky user input from causing trouble.

But thanks to the Shellshock hole, you could trick Bash into running a cunningly concealed command during startup, and then feed it an innocent-looking script to cover your tracks.

Amazingly, this bug was introduced in August 1989, in Bash version 1.03.

To the nearest full year, therefore, the vulnerability was 25 years old.