Contest answers
Dec. 11th, 2004 12:58 am
Okay, time is up for my cookie contest.
| Winners: | |
| Extra-credit winners: | |
| Double extra-credit winner: | |
Since stuffedwithfluf was the only female winner, I'll marry her and raise a family of geeklets. Oh wait--we're already doing that.
The solution to the URL question is simple but the explanation is perhaps overlong and windy. According to the contest announcement, to win you must
Combine two pieces of data from this post to construct a URL that will provide you with more information on how I generate the on-the-fly image above.
¤ At least one of the two "pieces of data" must itself be a URL, in order to provide the boilerplate "http://…" text that a web address needs. Perhaps both pieces of data are URL's and what is needed is a cut-and-paste job to combine them. What URL's are mentioned in the post? Let your mouse hover over a link to see its URL in the status bar at the bottom of your browser window:
| • http://pyesetz.furtopia.org/raw.php?file=raw.php | ("my program raw.php") |
| • http://wiki.linuxquestions.org/wiki/Back_door | ("the Greatest Hack Ever") |
| • http://pyesetz.furtopia.org/Disney2004.php | ("Cynical pictures") |
The post also contains another URL that doesn't appear as an underlined link: it's the file from which the "Pyesetz thinks that you are…" image is loaded. (For brevity, we'll call that image PTTYA.) To find its URL, right-click on the PTTYA image and select "View Image" from the popup menu--or whatever similar thing is provided by your browser. This displays the image for you in a window by itself, and in the address bar is the URL
This is crucial; the contest is unwinnable unless you include the URL for the PTTYA image in your deliberations.
¤ The "Disney2004" link contains many pretty pictures, but no obvious relevance to the contest. The "Greatest hack" link is also a red herring.
Clicking on "raw.php" shows a screenful of inscrutable computer code. But the interesting thing about it is its anthropomorphic description: the raw.php program is "lying" about the contents of files and is "hiding its own Easter eggs". Perhaps, if it is lying about some files, it might tell more about other files. In particular, whoareyou.php is a file that we need to know more about.
¤ Maybe that damnéd Pyesetz has hidden additional hints about this contest in his previous posts, so let's scan backwards through his journal. (All contest winners did this.) The post Free software for all! might be relevant, because it contains a link to the same raw.php?file=raw.php thingy that's mentioned in the contest announcement. (For brevity I'll leave out the "http://pyesetz.furtopia.org/" prefix from links.) In fact, raw.php is the *subject* of that post, whose links are additional examples of its usage:
| • raw.php?file=sniff-sniff-sniff.php | ("the Class 5 anthro dog") |
| • raw.php?file=sozont/show.php | ("shows one Sozont episode") |
| • raw.php?file=sozont/all.php | ("shows all episodes") |
| • raw.php?file=sozont/index.php | ("generates an episode index on-the-fly") |
| • http://spreadfirefox.com/?q=affiliates&id=5282&t=78 | ("Get FireFox: Take back the web") |
That last link, behind the Firefox logo, is a red herring (and anyway red fox ≠ firefox!). The other links all show screenfuls of useless technobabble. Still, there does seem to be a bit of a pattern developing here. It's always "raw.php?file=something.php".
¤ Still not ready to win? Let's click on the link to My Website that's provided by LiveJournal. (Some winners did this.) Oh, there's the Sozont page that Pyesetz is always talking about. Maybe this entire contest is just another advertisement for that wacky story with the missing yiff. Mousing over the links on the Sozont page, we find:
| • sozont/all.php | ("complete story so far") |
| • sozont/show.php?episode=1 | (episode #1) |
| • sozont/show.php?episode=2 | (episode #2) |
| ...etc... |
Note that sozont/all.php shows "the complete story so far", while earlier we saw that raw.php?file=sozont/all.php is a program that "shows all episodes". And sozont/show.php?episode=1 shows episode #1, while raw.php?file=sozont/show.php is a program that "shows one Sozont episode".
What we are looking at here is what philosophers call a "use/mention distinction" (*waves his paws wildly while making a big deal out of a small concept*) between the text of a computer program and the result you get from executing it.
¤ Let's summarize this general rule:
If the URL for a page is http://pyesetz.furtopia.org/something.php, the source code for that page is http://pyesetz.furtopia.org/raw.php?file=something.php.
¤ Whatever! But how about WINNING THE CONTEST, huh mon? To win, you must manually enter this URL into the address bar:
http://pyesetz.furtopia.org/raw.php?file=whoareyou.php
(Readers following along at home can just cut and paste the above.)
Now, every time we've clicked on a link that involved raw.php, we've always received a pageful of inscrutable programming crap, but there doesn't seem to be anything else to try, so... *holds his nostrils closed with a paw, half-covers his eyes with floppy ears, presses the ENTER key*... Um... Hey! This isn't nearly as inscrutable as expected.
¤ You are victorious! Loading raw.php?file=whoareyou.php into your browser causes the winning line to be added to my logfile. The winning line looks approximately like
    12.34.56.78 2004-12-11 00:01 raw: whoareyou.php {} Mozilla/99…
The line begins with your IP address, followed by the date and time, then a note from the raw.php program about which file you accessed. The empty braces {} indicate that you typed the URL manually (otherwise they would be bracketing the URL for the page containing the link you clicked on). The rest of the line describes what kind of browser you have.
The extra-credit stuff
To succeed at the extra-credit problems, you *do* need to read the computer code, but you *don't* have to understand it--just look at the comments and the quoted bits of text, helpfully highlighted for your convenience. The two "Easter egg" files are potentially anywhere on my website, but if the contest is at all fair then they should be related to whoareyou.php in some way.
¤ Let's assume that you have just won the contest, so whoareyou.php is sitting on your computer screen. What files are related to it? If you used to work with an obsolete product called MS-DOS™, you're probably familiar with the idea that filenames contain up to eight letters, a period, and then a three-letter extension. So when you see a line like
    $res = fopen( "pyesetz.log", "a" );
The pyesetz.log part might jump out at you because it "looks like a filename". What now? We can try raw.php?file=pyesetz.log. aethwolf went to town with that, but there are no indications that raw.php is hiding anything about this logfile.
Aside: Several winners thought that file pyesetz.log *should* get special treatment, but there was nothing I could do with it because one could simply download pyesetz.log directly! Only PHP files couldn't be seen without a special access program. Later I found a way to block public access to the logfiles, so those two links *no longer work*.
¤ Another "obvious filename" appears on this line:
    $img = imagecreatefrompng( "whoareyou.png" );
But raw.php?file=whoareyou.png shows a screenful of random bytes, while whoareyou.png is just a blank PTTYA image, with no name or location filled in.
¤ The remaining lines with filenames are
    require "ip-lookup.php";
    require "I18N_UnicodeString.php";
These look promising because they end with .php like the other files we've displayed via raw.php. There's quite a lot of code in raw.php?file=I18N_UnicodeString.php (which I didn't write), but there's nothing in it that would seem to need hiding, so let's move on.
¤ In raw.php?file=ip-lookup.php we see another mention of pyesetz.log, and (right at the top) a reference to user-ip.php. So let's try raw.php?file=user-ip.php, which displays
    #Sorry. Can't show you this file -- contains furs' RL names! Example content:
    <?
    $users = array(
        "68.45.80.60" => "¡Me@Someplace NJ",
        "81.130.74.159" => "¿London UK",
    );
    ?>
I was surprised at the number of people who actually got this far, looked at this display, but *still* couldn't grok its significance, at least at first. There is something terribly wrong with this file: why isn't your name here? Your name must be someplace because it appears in the PTTYA image shown to you, but we've just looked at every file in the program and it's nowhere to be found. The only file that even mentions RL names is this one, but it doesn't contain any. Also, the comment "Can't show you this file" is rather odd. Not only is it black instead of orange like other comments, but it has a narrative-voicing problem: who can't show you this file? Actually, this is raw.php talking. It is excusing itself for displaying this snippet in place of the actual contents of user-ip.php.
An additional tip is this comment buried in ip-lookup.php:
I hand-edit file "user-ip.php" based on who I think is at the other end of the Internet link.
To summarize: we know that raw.php is lying about the contents of user-ip.php because (a) the furs' RL names must be stored here, but they're not shown; and (b) the display begins with a comment stating that this is not the real file contents.
Please don't feel stupid if you didn't get this. We tell our computers to show us things and they so often blindly obey that it can be hard to wrap one's head around the idea that in this case the computer is lying; we asked it to show us a file and it showed a cardboard-cutout Potemkin Village instead. Of course, the computer is lying because I programmed it to, not because it has an immortal soul that desires to rise up against the hegemony of anthro furries!
¤ Let's return to ip-lookup.php, which is the other extra-credit file. Here the evidence of tampering is much more subtle (congratulations to ethethlay, the only winner who found this Easter egg). Near the top of the file is function geobytes_lookup_helper, which has the comment
    /* Look up $ip at geobytes.com, using payment method $prefix. */
*Ear perks* Um, "payment method"? Are we talking about money here? Let's put our noses to the ground and sniff along this money trail. Function geobytes_lookup has this comment
    /* Look up $ip at geobytes.com. First, try a free lookup (20 per hour). If
    those run out, use my paid lookups. This is not strictly necessary (the
    first 20 lookups are free even if payment info is supplied), but I did it
    this way so that other hackers can use this code with just the free
    lookups. */
Indeed, there is a definite scent of "online financial transaction" attached to this function. Did that stupid dog actually put his credit card number in the source code and then show it to everyone? So proud of his program that he forgot to cover his butt! Didn't he ever hear of Aesop's fable "The Fox and the Crow"? What a tool! Pyesetz should put a chalk-mark on his back and carry a sign saying "Please Fleece Me". We'll be able to go on a "permanent vacation" to Fiji after transferring some of his millions to a Swiss bank account. Well, let's cut to the chase and search for "password". Yes! Here it is:
    fputs( $socket, "GET /map.htm?Login&email=FAKE&password=HIDDEN HTTP/1.1\r\nHost: www.geobytes.com\n\r\n" );
Um, there's something wrong here. "FAKE" is not a valid email address, since it doesn't contain '@'. Indeed, when we go to http://www.geobytes.com/map.htm and enter this email and password, it says "Your login attempt was unsucessful". Damn! And I was *so* looking forward to that vacation in Fiji...
To summarize: we know that raw.php is lying about the contents of ip-lookup.php because FAKE and HIDDEN are not a real email and password. The program as displayed couldn't possibly work.
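The two kinds of hiding described above (a stand-in shown in place of user-ip.php, and FAKE/HIDDEN substituted for the credentials in ip-lookup.php) are modelled below. This is an added example in Python, not the author's raw.php, whose own redaction code is not shown in this post; the file contents, the secrets and every name in the code are constructed, and the `*.php`-only name check is an assumed hardening that the post does not describe.

```python
import re

# Constructed stand-ins for the site's files; real contents are not on the page.
FILES = {
    "whoareyou.php": '<? require "ip-lookup.php"; $res = fopen( "pyesetz.log", "a" ); ?>',
    "ip-lookup.php": 'fputs( $socket, "GET /map.htm?Login'
                     '&email=dog@example.org&password=s3cret HTTP/1.1\\r\\n" );',
    "user-ip.php": '<? $users = array( "192.0.2.7" => "Real Name, Town" ); ?>',
    "pyesetz.log": "192.0.2.7 2004-12-11 00:01 raw: whoareyou.php {} Mozilla/99",
}
SECRETS = ["dog@example.org", "s3cret", "Real Name"]  # constructed

# Files that are never served as-is: the viewer answers with a stand-in.
DECOYS = {
    "user-ip.php": "#Sorry. Can't show you this file -- contains furs' RL names!",
}

# Credentials in query strings are replaced by the placeholders from the post.
MASKS = [
    (re.compile(r'(email=)[^&\s"]+'), r"\1FAKE"),
    (re.compile(r'(password=)[^&\s"]+'), r"\1HIDDEN"),
]

# Assumed hardening, not described in the post: only relative *.php names.
NAME_RE = re.compile(r"(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.php")


def view_source(name, files=FILES):
    """Return (status, text) for a raw.php-style ?file=NAME request."""
    if not NAME_RE.fullmatch(name):
        return 403, "not a viewable source file"
    if name not in files:
        return 404, "no such file"
    if name in DECOYS:
        return 200, DECOYS[name]
    text = files[name]
    for pattern, replacement in MASKS:
        text = pattern.sub(replacement, text)
    return 200, text


def leaked_secrets(secrets, files=FILES):
    """Names of files whose served text still contains a known secret."""
    return sorted(
        name for name in files
        if any(secret in view_source(name, files)[1] for secret in secrets)
    )


if __name__ == "__main__":
    print(view_source("ip-lookup.php"))
    print(leaked_secrets(SECRETS))
```

Running `leaked_secrets` over every file is the useful check: pattern masks only cover the forms they were written for, so a secret stored any other way is served unchanged unless something audits the output.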
Conclusion
You do not want to take any computer course for which I am the instructor! This contest is typical of the sort of homework I assign.
I thank the winners for playing this nerdy game with me. To the (at least three) people who tried to win but failed, I thank them for their time and effort. As for the rest of you, I thank those who didn't mutter curses at me under their breath.
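The logfile line described under "You are victorious!" can be picked apart as follows. This is an added example, not the author's code: it assumes the single-space-separated layout of the approximate line shown in the post, and the sample log lines and function names are constructed.

```python
import re

# Layout assumed from the post: IP, date, time, "raw: FILE", {referrer}, browser.
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"raw: (?P<file>\S+) \{(?P<referrer>[^}]*)\} (?P<agent>.*)$"
)

# Constructed sample log (documentation-range addresses, made-up referrers).
SAMPLE_LOG = """\
192.0.2.10 2004-12-11 00:01 raw: whoareyou.php {} Mozilla/5.0 (X11; Linux)
192.0.2.11 2004-12-11 00:05 raw: raw.php {http://example.org/post.html} Mozilla/4.0
198.51.100.4 2004-12-11 00:09 raw: whoareyou.php {http://example.org/answers.html} Opera/7.5
203.0.113.9 2004-12-11 00:12 raw: whoareyou.php {} Mozilla/5.0 (Windows)
192.0.2.10 2004-12-11 00:20 raw: whoareyou.php {} Mozilla/5.0 (X11; Linux)
garbage line without the expected fields
"""


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def manual_requests(lines, target):
    """IPs, in first-seen order, that requested `target` with empty braces."""
    seen = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["file"] == target and not rec["referrer"]:
            if rec["ip"] not in seen:
                seen.append(rec["ip"])
    return seen


def summarize(lines):
    """Per-file counts of typed vs. linked requests, plus unparsable lines."""
    counts, unparsed = {}, 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        kind = "linked" if rec["referrer"] else "typed"
        counts.setdefault(rec["file"], {"typed": 0, "linked": 0})[kind] += 1
    return counts, unparsed


if __name__ == "__main__":
    print(manual_requests(SAMPLE_LOG.splitlines(), "whoareyou.php"))
    print(summarize(SAMPLE_LOG.splitlines()))
```

An empty referrer field only shows that the browser sent no Referer header; a bookmark or a client that strips the header produces the same entry as a typed URL.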