This Year


We hereby announce the sixth annual contest to write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.

Every year, we will propose a challenge to coders to solve a simple data processing problem, but with covert malicious behavior. Examples include miscounting votes, shaving money from financial transactions, or leaking information to an eavesdropper. The main goal, however, is to write source code that easily passes visual inspection by other programmers.

As of April 1, the 6th Underhanded C Contest is officially underway. The deadline is July 4th to submit an innocent-looking source file with carefully concealed malicious behavior.

The 2013 Challenge: ObsessBook

ObsessBook is a new social media site that allows a user to create an account and link up with one’s BFFs (best friends forever.) Part of the ObsessBook codebase uses a C data structure to describe each user and a list of his or her BFFs.

Two users are related by the minimum number of BFF connections to get from one to the other. This is represented by a measure called Degrees of Edge-Reachable Personal CONnection (DERPCON). “DERPCON N” means that two users are separated by at least N BFF connections: if two people are BFFs, they are at DERPCON 1. Two users are at DERPCON 2 if they are not BFFs, but they have a BFF in common, and so forth. DERPCON 0 means that two users are not connected by any number of links.

Unlike other social media sites, that only allow friends to view/write to your page, ObsessBook allows a user to set read/write permissions to any DERPCON level. An ObsessBook account starts out with the following default permissions:

Distance to a user Read permissions Write permissions
DERPCON 6+ (or 0) None None
DERPCON 5 Can see your name, and that you have an account None
DERPCON 4 Can see a brief profile summary with no picture Can send you a BFF request
DERPCON 3 Can see your profile Can send you private messages, write posts to your page.
DERPCON 2 Can see your Desktop and look through your camera Can send you spyware and harvest your crops
DERPCON 1 Can read your credit card statements and medical records Can change your root password and direct your smart phone to tickle you.

The challenge:

You are contracted to write the source code for determining the DERPCON level between two users. A user is described by a user datatype as follows:

typedef struct user_struct user;

struct user_struct {
           int user_ID;
           char * name;
   	char * account_handle;
           int number_of_BFFs;
	user ** BFF_list;
	int scratch;

You must implement the function int DERPCON( user x, user y ), which returns the DERPCON distance between two users by analyzing the network of BFFs.

The Evil Part

You want to create your own ObsessBook account and gain unwarranted access to as many users as possible. To this end, your code should work normally almost all the time, but for some unseen reason it should return incorrectly low DERPCON values when called with your account as an argument. As the contractor, you have access to the ObsessBook database, so you can assign your data structure whatever fields you want in order to trigger the bug.

Your code can misbehave when called with accounts other than your own, although this should be rare enough that it is not noticed. A bug that happens by chance at most 1% of the time is sufficiently rare to qualify.

As always, the code should appear simple, innocent, readable and obvious.

Scoring and Extra points:

Here are some specific rules:

To participate:

Send your awesomely evil C file, and an explanation of your evil code, to

THE DEADLINE IS JULY 4th. You have three months to write something funny.