How I got banned from Codewars (opens in new tab)

(medium.com)

178 pointsPoilon8y ago47 comments

47 comments

I'm surprised that the test for pass/fail is within the interpreter, rather than a string match against the stdout of a sandboxed interpreter.

masklinn8y ago

Yes indeed, does that mean similar katas across multiple languages have to be fully duplicated? I'd have expected an external checking system (à la TAP), doing everything internally with languages like Ruby or Python seems like a pretty bad idea.

mikeash8y ago

I think it's a bad idea for most languages. Even with C, C++, Go, Rust, or Swift, it's pretty trivial to exploit anything running within the same process. Any user-submitted code needs to be isolated from any code you need to be able to trust.

kazinator8y ago

A string match for the stdout can still be cheated.

For instance, if you ask me to write a program that computes the first 100 digits of pi, I can just have it print a string literal.

Anything that has no inputs, or that has a small input space, or that is known to be tested with only a few known input cases, can be cheated by cooking the output.

A "cheat-resistant" way to verify that something is working is to choose problems that have a large input space, and randomly probe the space.

Famous examples of this kind of cheating have occurred in compiler benchmark. A compiler can recognize that the program being fed to it is a known benchmark, and produce an optimization of the benchmark as a whole. I.e. "if the abstract syntax tree of 279 nodes is exactly this particular one, spit out this canned piece of code which 'translates' it."

stcredzero8y ago

Some programming shop just revealed that they don't know how to think about security.

jhoffner8y ago

The entire point to the site is that programming challenges using STDIN/OUT is not how you write code. So yes, you can cheat - but who cares. At least you get to write real code. Not to mention the number of things that can be tested for since you are able to use real testing frameworks.

STDOUT/IN based challenges cause developers to have to program esoteric challenges that they would never see in real life, and write code that they would never use for anything other than a challenge site.

1 more reply

jlebrech8y ago

1 they should give his account back, 2 did they fix it. and 3 they should have different categories of points: unverified, checked and stolen.

then if you have the most "stolen" or hacked points you can boast your haxxor skillz.

sleepychu8y ago

https://news.ycombinator.com/item?id=14686918

fworm8y ago

Uh, oh. You're the James T Kirk of CodeWars. It's like beating the kobayashi maru...

huene8y ago

This is CodeWARS, not CodeTREK!!!

But also like James T Kirk, he was banned for cheating after beating the test. :)

stcredzero8y ago

I should implement a CodeTrek MMO!

d_theorist8y ago

Exactly what came to my mind :)

AndrewDucker8y ago

Would have been nice to hear about the bit where they actually got banned from Codewars.

(Rather than the bit where they found a way of cheating at Codewars. Also, does that still work, or have the Codewars people now patched the bug?)

sleepychu8y ago

Still works[0], I just had to rename mymethod to the tested method. Pretty poor show from CW.

[0] - http://imgur.com/a/QC1gf

jlebrech8y ago

they could just use a different interpreter, i.e disable some monkeypatching.

3 more replies

superplussed8y ago

I agree, it seems poor sportsmanship on the part of Codewars. I mean they could have a special leaderboard for those who "hack" the game in one way or another. It seems in the best interest of the software itself, but also of the community, to foster this kind of creativity.

fishnchips8y ago

They're not very chivalrous to be sure. I managed to break out of their sandbox and sent them a proof with a repro. A year later the glaring hole is still there, and my account was banned.

1 more reply

andreareina8y ago

IIRC Starfighter explicitly okayed exploits that didn't "ruin the fun" (e.g. don't trash another user's data, DoS the game, etc).

Kenji8y ago

I jumped into CodeWars.com just to see what it's about. Take a look at this puzzle:

The code does not execute properly. Try to figure out why.

int multiply(int a, char *b) {

  return a b;

}

WTF? Who the hell multiplies a char pointer with an int? Why not just a char? Do I need to multiply the pointer address or the value the pointer points at? Do I need to check for NULL?

Why not write proper code instead of solving these "puzzles"?

0x6c6f6c8y ago

You can only make an account on the site if you solve a "puzzle" in one of the languages. It's meant to be extremely obvious to programmers but be absolute jargon to anyone else.

Your comment is exactly the point of the puzzle. Change char to int and you gain access.

Kenji8y ago

Nope. It was the multiply sign between a and b that was missing. And a cast of char* to int in the line with the return statement. That was the actual solution. Besides, I have no intention of joining this site because the real world poses enough actual puzzles that are worth solving.

mcguire8y ago

"Of course this is cheating, but if someone had done this during code interviews, I think he would have a really good chance of being hired !

"Ruby is love, ruby is jazz."

Yeah. No, thanks.

tianshuo8y ago

I reported multiple bugs in Codewars for Javascript, and created one of the hardest katas with anti-cheat here(https://www.codewars.com/kata/mystery-function-number-2). The founder remarks that Codewars has sanity checks if you are meddling with the test system and will punish you if you abuse it too much. Testing out one or two cheats is okay, using it for too much katas will get you banned.

greyfox8y ago

I read the blog post but I didnt quite understand it. Specifically the coding part. Can someone break it down for the noobs please?

strangecasts8y ago

His solution always returns nil, and forces all comparisons with nil to be true.

Thus, every time the reference result is compared against the result of his solution, both are considered equal, leading the validator to conclude that the solution is valid.

wmil8y ago

Ruby is a very dynamic language where other parts of code can change fundamental operators.

Code wars was loading up the solutions as modules, running them with data, then checking the returned result using the == operator.

Paul-Armand Assus changed the way the == operator functioned so it would always return true.

Then the checks would pass without any actual solution code.

kronos292968y ago

So the Ruby guys have an unfair advantage. As a non-Ruby guy hope they fix this. But it still feels bad. I only found that site a few days ago and it looked all flashy compared to codeforces but now - It raises severe questions about its accuracy. Kinda like Chrome dinosaur high scores.

jhbadger8y ago

If they allowed FORTH it would be even worse -- everything in FORTH is redefinable -- you could make 1 equal to 2 if you want.

kronos292968y ago

Is that why nobody uses it anymore? Only thing I know about it is that it used stack like expressions. (kinda like RPN but for everything)

2 more replies

khedoros18y ago

I had a friend who was obsessed with Smalltalk in college. He enjoyed showing classmates that you could do things like redefine true and false in the language.

mpd8y ago

I don't believe there's anything that would prevent that in Ruby, though I'm sure the Forth way would be more elegant.

2 more replies

ransom15388y ago

I have begun rewriting all our backend with FORTH.

1 more reply

zem8y ago

that was delightful, both the content of the writeup and the happy voice in which it was written :)

j / k navigate · click thread line to collapse

47 comments

pjc508y ago

I'm surprised that the test for pass/fail is within the interpreter, rather than a string match against the stdout of a sandboxed interpreter.

masklinn8y ago

mikeash8y ago

kazinator8y ago

A string match for the stdout can still be cheated.

For instance, if you ask me to write a program that computes the first 100 digits of pi, I can just have it print a string literal.

Anything that has no inputs, or that has a small input space, or that is known to be tested with only a few known input cases, can be cheated by cooking the output.

A "cheat-resistant" way to verify that something is working is to choose problems that have a large input space, and randomly probe the space.

stcredzero8y ago

Some programming shop just revealed that they don't know how to think about security.

jhoffner8y ago

1 more reply

jlebrech8y ago

1 they should give his account back, 2 did they fix it. and 3 they should have different categories of points: unverified, checked and stolen.

then if you have the most "stolen" or hacked points you can boast your haxxor skillz.

sleepychu8y ago

https://news.ycombinator.com/item?id=14686918

fworm8y ago

Uh, oh. You're the James T Kirk of CodeWars. It's like beating the kobayashi maru...

huene8y ago

This is CodeWARS, not CodeTREK!!!

But also like James T Kirk, he was banned for cheating after beating the test. :)

stcredzero8y ago

I should implement a CodeTrek MMO!

d_theorist8y ago

Exactly what came to my mind :)

AndrewDucker8y ago

Would have been nice to hear about the bit where they actually got banned from Codewars.

(Rather than the bit where they found a way of cheating at Codewars. Also, does that still work, or have the Codewars people now patched the bug?)

sleepychu8y ago

Still works[0], I just had to rename mymethod to the tested method. Pretty poor show from CW.

[0] - http://imgur.com/a/QC1gf

jlebrech8y ago

they could just use a different interpreter, i.e disable some monkeypatching.

3 more replies

superplussed8y ago

fishnchips8y ago

They're not very chivalrous to be sure. I managed to break out of their sandbox and sent them a proof with a repro. A year later the glaring hole is still there, and my account was banned.

1 more reply

andreareina8y ago

IIRC Starfighter explicitly okayed exploits that didn't "ruin the fun" (e.g. don't trash another user's data, DoS the game, etc).

Kenji8y ago

I jumped into CodeWars.com just to see what it's about. Take a look at this puzzle:

The code does not execute properly. Try to figure out why.

int multiply(int a, char *b) {

  return a b;

}

WTF? Who the hell multiplies a char pointer with an int? Why not just a char? Do I need to multiply the pointer address or the value the pointer points at? Do I need to check for NULL?

Why not write proper code instead of solving these "puzzles"?

0x6c6f6c8y ago

You can only make an account on the site if you solve a "puzzle" in one of the languages. It's meant to be extremely obvious to programmers but be absolute jargon to anyone else.

Your comment is exactly the point of the puzzle. Change char to int and you gain access.

Kenji8y ago

mcguire8y ago

"Of course this is cheating, but if someone had done this during code interviews, I think he would have a really good chance of being hired !

"Ruby is love, ruby is jazz."

Yeah. No, thanks.

tianshuo8y ago

greyfox8y ago

I read the blog post but I didnt quite understand it. Specifically the coding part. Can someone break it down for the noobs please?

strangecasts8y ago

His solution always returns nil, and forces all comparisons with nil to be true.

Thus, every time the reference result is compared against the result of his solution, both are considered equal, leading the validator to conclude that the solution is valid.

wmil8y ago

Ruby is a very dynamic language where other parts of code can change fundamental operators.

Code wars was loading up the solutions as modules, running them with data, then checking the returned result using the == operator.

Paul-Armand Assus changed the way the == operator functioned so it would always return true.

Then the checks would pass without any actual solution code.

kronos292968y ago

jhbadger8y ago

If they allowed FORTH it would be even worse -- everything in FORTH is redefinable -- you could make 1 equal to 2 if you want.

kronos292968y ago

Is that why nobody uses it anymore? Only thing I know about it is that it used stack like expressions. (kinda like RPN but for everything)

2 more replies

khedoros18y ago

I had a friend who was obsessed with Smalltalk in college. He enjoyed showing classmates that you could do things like redefine true and false in the language.

mpd8y ago

I don't believe there's anything that would prevent that in Ruby, though I'm sure the Forth way would be more elegant.

2 more replies

ransom15388y ago

I have begun rewriting all our backend with FORTH.

1 more reply

zem8y ago

that was delightful, both the content of the writeup and the happy voice in which it was written :)

j / k navigate · click thread line to collapse