HTTP/2.0 Opens Every New Connection It Makes With the Word 'PRISM' (jgc.org) 200
An anonymous reader writes: British programmer and writer John Graham-Cumming has spotted what appears to be a 'code-protest' in the next generation of the hypertext protocol. Each new connection forged by the HTTP/2.0 protocol spells out the word 'PRISM' obliquely, though the word itself is obscured to the casual observer by coded returns and line-breaks. Work on the hidden message in HTTP/2.0 seems to date back to nine days after the Snowden revelations broke, with the final commit completed by July of 2013. In July 2013 one of the protocol's architects appealed to the development group to reconsider design principles in the light of the revelations about the NSA's worldwide surveillance program.
HTTP/2.0 support. (Score:5, Funny)
HTTP/2.0 also supports the Bitcoin protocol which allows underpaid female STEM workers to drive 3D printed Uber cars or get a job (powered by DICE) delivering Arduinos via drones to Elon Musk's new IoT manufacturing Chinese death factory.
Re: (Score:1)
No tacos? FAIL!
Taco left four years ago (Score:2)
There haven't been tacos on Slashdot since Mr. Malda left four years ago [slashdot.org].
Re: (Score:2)
Linux crypto hackers open-sourced the BSD Microsoft monopoly.
Re: (Score:2)
You should at least cite your sources [penny-arcade.com] :P
Re: (Score:2)
Wow I got Bingo on the first post.
Re: (Score:2)
Second post, the first post is someone posting AC claiming to be APK and insulting him pretty profoundly.
http://yro.slashdot.org/commen... [slashdot.org]
Always read at -1, it is the most interesting side of Slashdot.
Re: (Score:2)
Always read at -1, it is the most interesting side of Slashdot.
Now there's good advice. Right up there with you don't need condoms. Sex is far more interesting without protection :-)
Re: (Score:2)
Hey, if I didn't read at -1, I never would have seen the treasure that is an APK post.
Re: (Score:2)
Wow, you really are special.
When you try to compare hosts to remote DNS, you are missing the point. You should be comparing hosts to local DNS, and DNS is faster on every count.
Re: (Score:2)
Compared to your horribly inefficient Hosts file, even remote DNS comes out so far ahead it isn't even funny. But keep trying to claim your hosts file outperforms local DNS, when it flatly does not.
Re: (Score:2)
SystemD started on Windows, it is just a svchost backport.
no, without linefeeds it says PRI*HTTP/2.0SM (Score:2)
If you remove the line feeds, you get PRI*HTTP/2.0SM.
Re:no, without linefeeds it says PRI*HTTP/2.0SM (Score:5, Insightful)
So someone added cruft to a communications protocol just to make a political statement? Seems to me that is a very poor reason to make a technical decision. It's not needed, it should be removed.
Re: (Score:1)
There needed to be a magic string to help reject non-http2 at http2 endpoints. It isn't cruft. And it is sent exactly once on a new connection.
Re: (Score:1)
It used to be FOO BA\r actually, wouldn't want that shitty pun to go unnoticed;
Re: (Score:2)
TFcommit says it used to be STA RT, not FOO BA
Re: (Score:2)
The use of a new request method (PRI) makes HTTP/1.x servers more likely to (correctly) reject the connection attempt so that the client can cleanly fall back to 1.1.
Re: (Score:2)
The use of a new request method (PRI) makes HTTP/1.x servers more likely to (correctly) reject the connection attempt so that the client can cleanly fall back to 1.1.
That is not how computers work. They match bits, that's it. To anthropomorphize them because that's the way your brain works is a serious error.
Re:no, without linefeeds it says PRI*HTTP/2.0SM (Score:4, Insightful)
There are many coders out there and many broken ways of detecting protocols. Only changing the version number might run into trouble if one side of the conversation assumes that everything starting with "HTTP" is going to be pretty much equivalent to HTTP/1.0. So at least the "PRI" part makes sense.
Re: (Score:1)
And that habit will continue since it works.
As a result we end up with protocols with more overhead than necessary.
Wouldn't it be better that those who use broken code suffer instead of everyone else?
Re: (Score:2)
It was originally going to be START, but they found that people were using the START method for various things so changed it to something that hopefully would be less common. At first it was FOOBA, but after Snowden it was changed to PRISM in protest.
Re: (Score:2)
No, computers do what they are programmed to do. I would count on the fact that there are a lot of 'simplified' HTTP clients and servers out there that look for the string 'HTTP' and not much more. After all, if you were implementing something that just needed to exchange a little information over the course of a handful of straightforward GETs or something and wanted to make it HTTP-like enough to traverse firewalls, be proxied if needed, etc., a cut-down HTTP implementation is/was a good way to go.
When it comes to
Re: (Score:1)
HTTP is Hyper TEXT transfer protocol, it makes sense that it is text.
Yes, it's for transmitting hypertext, i.e. text documents that contain links to other text documents. I.e. exactly what HTTP/2.0 is doing. Hypertext refers to the content, not the protocol.
Your allergy to anthropomorphism (Score:2)
To anthropomorphize them because that's the way your brain works is a serious error.
It's called "colloquial language", and it appears to have got the point across to most other readers. But if you insist on discussing the process more formally in terms of "matching bits":
The PRI request method matches none of the methods in a pre-HTTP/2.0 server's list of acceptable methods. This causes the server to write a response that does not match the HTTP/2.0 upgrade pattern, even if the server's matching of the protocol version bits is incorrect. When the response fails to match at the client, the
No, they did not. (Score:1)
They needed a magic value to recognize HTTP/2.0 servers that would reliably fail on existing ones. As magic values are arbitrary, this one was good enough (i.e. actually fails on almost all servers), they simply picked something and moved on.
This is NOT something extra or unnecessary added to HTTP/2.0, it's just something arbitrary that they happened to pick as a "magic" value, not unlike those commonly found in most file formats.
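To make the point from the comments above concrete (that a server which only checks for "HTTP", or which checks the version properly, still rejects the preface because PRI is not a method it knows, so the client can fall back), here is an added illustration that is not code from the thread or from the HTTP/2 project. The preface bytes are the ones the HTTP/2 specification defines; KNOWN_METHODS, the two server modes and the minimal SETTINGS-frame check are assumptions for the demo.

```python
"""Why the HTTP/2 connection preface fails cleanly on HTTP/1.x servers (constructed demo)."""
import re

# The 24-octet client connection preface that opens every HTTP/2 connection.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

# Methods a hypothetical minimal HTTP/1.x server implements (assumption for the demo).
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

# Request-line shape: METHOD SP target SP HTTP/major.minor CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r\n")


def is_h2_preface(data: bytes) -> bool:
    """Server side: an HTTP/2 endpoint accepts only the exact preface bytes."""
    return data[: len(H2_PREFACE)] == H2_PREFACE


def preface_letters(data: bytes) -> str:
    """Drop CRLFs, spaces, '*' and the version token to show the word the thread is about."""
    flat = data.replace(b"\r\n", b"").replace(b" ", b"").replace(b"*", b"")
    return flat.replace(b"HTTP/2.0", b"").decode("ascii")


def http1_status(data: bytes, checks_version: bool) -> int:
    """Status a toy HTTP/1.x server returns for the first line of a connection.

    checks_version=True models a correct server (rejects the 2.0 version token);
    checks_version=False models a 'simplified' server that only looks for "HTTP"
    and otherwise treats the request like HTTP/1.0 (the case a commenter described).
    """
    m = REQUEST_LINE.match(data)
    if not m:
        return 400  # not even a well-formed request line
    method, _target, major, _minor = m.groups()
    if checks_version and major != b"1":
        return 505  # HTTP Version Not Supported
    if method.decode("ascii") not in KNOWN_METHODS:
        return 501  # Not Implemented: unknown method, so PRI is rejected either way
    return 200


def peer_speaks_h2(first_bytes: bytes) -> bool:
    """Client side: an HTTP/2 server must answer the preface with a SETTINGS frame.

    Frame header is 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id;
    SETTINGS has type 0x4 on stream 0. An ASCII "HTTP/1." status line instead
    means the peer is HTTP/1.x and the client falls back to HTTP/1.1.
    """
    if first_bytes.startswith(b"HTTP/1."):
        return False
    return (
        len(first_bytes) >= 9
        and first_bytes[3] == 0x04
        and first_bytes[5:9] == b"\x00\x00\x00\x00"
    )
```

Note the contrast in the last two server cases: had the preface used GET instead of PRI, the careless server would have answered 200 and the client could not tell it was talking to an HTTP/1.x peer.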
Re: (Score:1)
> [...] poor reason to make a technical decision.
Sigh. Yet another "technical ideologist". Thing is, most of those have no clue about technology itself, but tout an ideal in which each and every decision is taken on "technical grounds". Which end up, for the above reason, by being just disguised gut feelings.
Know what? To do a good job, you should start by differentiating between your gut feelings and technical things (*both* are necessary and useful, but by all means, know which is which). If you can't
Re: (Score:2)
> [...] poor reason to make a technical decision.
Sigh. Yet another "technical ideologist". Thing is, most of those have no clue about technology itself, but tout an ideal in which each and every decision is taken on "technical grounds". Which end up, for the above reason, by being just disguised gut feelings.
Know what? To do a good job, you should start by differentiating between your gut feelings and technical things (*both* are necessary and useful, but by all means, know which is which). If you can't muster that, you should steer clear of science and engineering.
Thank you!
it took 2 1/2 years... (Score:1)
for this to get "noticed"?
so much for open standards and open source software... 'it's safe. you can look at the code yourself'... it took two and a half fucking years for someone to do just that.. and just to find an easter egg, not an embedded and obscured vulnerability.
Re:it took 2 1/2 years... (Score:5, Insightful)
took 2 1/2 years for someone to care
Re:it took 2 1/2 years... (Score:5, Insightful)
No. It took this long for someone to post it to Slashdot.
People still don't care.
Re: (Score:2)
That is probably more like it. The real downside I see in it being connected to such a thing is if some techy guy who isn't aware of the protocol standard port sniffs the code and thinks that he is being targeted by the NSA.
Re: (Score:2)
when it's so obvious, the NSA must be really stupid.
Re: (Score:3)
Forever? Quite probably. Considering the developer who last touched any given source file in a large closed project has probably long since been laid off years before the poor contractor at some Bangalore outsourcing firm tasked with fixing a bug in the aforementioned source file was ever hired.
Re: (Score:1)
How long would it take for someone to spot something similar in a closed project? Forever?
Considering that this is a communication protocol spec, there is no way something similar could be "closed" in a way that would obscure it.
Re: (Score:2)
Except that there are things like Wireshark and other tools that let you sniff packets and see what is inside them. If it's widely used enough somebody is going to have tried.
Re: (Score:1)
Just 'cause it's open doesn't mean someone's gonna notice. For example, look at this text that I'm typing now (and still typing) and see if you can spot the hidden message. It's open, can you find it? Can't make the association? No? Well, here's some more words to make it finish - consider this random text.
Re: (Score:1)
Do you have a working Geiger counter?
Re: (Score:2)
Nah, I'm not that smart. It's also not nearly so insightful. Well, maybe, but then I'd have to give you a hint. It is a topical message and there is, indeed, a very open message in there and it's not even remotely hidden if you know what to look for. Given Slashdot users' typical traits, I'd think it'd be obvious but only in hindsight.
Should I remember (or get a notification on here) then I'll share the "hidden" message or at least some hint. *nods*
Re: (Score:1)
Your mother's legs are always open and every man can find that.
Re: (Score:2)
The hidden message? It's right there - between "spot " and ". It's"
Re: (Score:2)
for this to get "noticed"?
so much for open standards and open source software... 'it's safe. you can look at the code yourself'... it took two and a half fucking years for someone to do just that.. and just to find an easter egg, not an embedded and obscured vulnerability.
No, it didn't take 2.5 years to get noticed. Look at the comments on the final commit, it was noticed and commented on by another team member the same day it went in. https://github.com/http2/http2... [github.com]
The public didn't notice, but I'm sure many people involved in the project did... the commit wasn't in any way obscured. It just wasn't interesting enough for anyone else to notice.
Re: (Score:2)
So who did it? (Score:5, Interesting)
One of our coders used a limerick, yes it was the man from Nantucket, as a static string. He used it to test some of the string utility functions he was developing. Forgot to remove it. Eventually a nosy customer found it by running strings on our executable and made a stink about it. (Never explained why they were poking around our executable with strings) It is out of our builds now, but if you do a blame on stingutils.cpp you can still see it and see how long it stayed in production.
Re: (Score:2)
A friend of mine who worked for PDI (creators of Antz, Shrek, etc, later bought by Dreamworks) said one of his coworkers grepped their source code for "fuck" and there were so many comments using it, he turned it into a poem...
Go grep around the Linux source code. It would make a sailor blush.
Re: (Score:2)
It should be possible to find out who did the code change, who approved the change and who merged it.
There is a link to the commit in TFS. It is worth looking at if only to see the first (and at this time, only) comment to the commit.
Re: (Score:2)
(Never explained why they were poking around our executable with strings)
It's on his computer. That gives him the right.
Re: (Score:1)
(Never explained why they were poking around our executable with strings)
It's on his computer. That gives him the right.
A person with code in his possession does not automatically have the right to do whatever he wants with it, any more than having Windows on his computer allows him to disassemble it and reuse its code, or having a video on his computer gives him the right to edit and republish it.
That said, there is nothing to stop him from doing whatever he wants with what he has in his possession. Whatever he chooses to do, he may not have the right to do so, and there may be repercussions.
Re: (Score:1)
Disassembling Windows is perfectly legal (at least in my country) and I consider it ludicrous to think otherwise. Code is text. If it's in front of me, I can read it.
Re: (Score:2)
It does. But it does not give you the right to redistribute the result (as long as it's not fair use) and no right to demand change from the vendor.
Re: (Score:2)
Agreed - they have the right.
However, the question was "why were they doing it?", not "were they doing something wrong?"
Re: (Score:2)
The GP never implied the customer didn't have the right.
μaggressions (Score:2, Troll)
microaggressive behavior
What, as in it'd take a million of them to cause even one real problem?
Re: (Score:2)
Slander term used by people that think normal is somehow icky. (The variety of fuckups in the human race is both endless and astonishing....)
Re: (Score:2)
I already did by identifying you as a "fuckup". Which you clearly are.
Re: (Score:2)
Please be quiet - adults are trying to talk.
Re: (Score:1)
Trans is Latin for "other side of; beyond"; cis is "this side of; within". E.g. cislunar [wiktionary.org].
"Cisgender" is a neologism, but I see nothing wrong with that, given that "transgender" has only been around since the 1980s.
And what's with the veiled hate/disgust thing? Remind me never to invite you to a showing of The Rocky Horror Picture Show.
Re: (Score:2)
Wow, a -1, Informative. First time for everything, heh.
2.5 years... (Score:1)
and suddenly now we give a fuck?
Poor word choice (Score:2)
"Each new connection forged by the HTTP/2.0 protocol..."
So is that...
* forge (verb) 2. To form or create with concerted effort.
or
* forge (verb) 4. To create a forgery of; to make a counterfeit item of; to copy or imitate unlawfully.
?
https://en.wiktionary.org/wiki/forge
Summary should be clearer (Score:2)
Does this apply only to forged connections or also to legit ones?
Re: (Score:1)
APK, you are not going to win any friends by assuming we are all too stupid to realise that it's not you posting these ridiculous sycophantic messages. We know it's you. You know it's you. Stop lying for once in your life. Be an adult.
Re: (Score:2)
Are you sure Tepples supports you?
For those of us who are logged in, here is what your link points to:
APK agrees that hosts files are only one component in a layered security strategy [slashdot.org]. Eight years ago, he wrote a detailed article about the other layers [neowin.net].
--
Hosts file disadvantages: No wildcards, no NXDOMAIN, slow linear search, no per-user, no whole-LAN protection
I don't see him agreeing with you anywhere. He in fact strictly disagrees with you in part of that message. You really should use your account, it will change your world to see all those signatures you hate so much.
No complaints from me, I like APK's spam. Reminds me to use a host file. Also, his stuff is free.
Arg (don't feel like counting the a's, sorry) doesn't actually say he uses your software, just that he uses hosts files.
And that KGIII post you link to has nothing to do with hosts files, he is
Re: (Score:2)
If you could read, you wouldn't still be arguing. It has been proven out that you cannot read repeatedly, including right here, as you didn't read any of the posts you linked to.
Re: (Score:2)
It would be hilarious if you actually got something right for once, but sadly no, I will now proceed to tear your argument apart.
"except on the hard coded favorites, and even then if they make calls to non hard coded sites, they will take forever" - by Coren22 (1625475) on Tuesday December 01, 2015 @10:02AM (#51033517)
See subject: 1st of all you stupid fuck, ads I block alone buys that speed back on the RARE sub 4% times I need DNS - get it? Good!
You CANNOT compare hosts to local DNS with the same records. Yet you continue to try. The ads you block are also on the DNS side, so how can you count the time you save there? If the DNS has the exact same records as your hosts file, every site will load faster. You don't make up the time with the ads you aren't loading, as they also are not loaded with the DNS example. How c
Re: (Score:2)
So, how is it a fuckup that you decide to ignore the ad blocking the local DNS server is doing in your figuring? I see a fuckup, but not on my side.
Re: (Score:2)
No it isn't.
DNS running locally is kept up to date in patches, it is not a security issue. DNS uses less resources and speeds your browsing, leading to more power savings. Why would you set up a separate system? https://www.isc.org/downloads/ [isc.org] The need for the locally set up DNS is the exact same need as the need for your terrible hosts file, so that argument is silly. Keep reaching and moving the goal posts.
due to your LIMITED MENTALLY DAMAGED GOOD ASSBURGERS BRAIN being only able to hold 1 of MANY variable factors in play @ a time
Stay classy.
(sub 4% of the time ONLY for me due to hardcoded favorites in hosts @ the TOP of it cached in RAM locally)? Adblocking gains me back lookup speeds if a total miss & I have to hit DNS remotely.
You mean the same ad blocking you gain with a local dns setup with the same entries?
Re: (Score:2)
Less is more, I totally agree! This is why I suggest running BIND with the entries, as it is more efficient on power, and faster in processing. It uses way less power and time, and speeds up your browsing many fold over your 2 million plus record hosts file!
Re: (Score:2)
You know what they call people like you? Zealots. You can't see that you have already lost your argument, so you keep making the same points over and over, despite them already being proved wrong. Keep up the crusade!
BIND can run on any computer, including desktops. It therefore uses less power/resources than your hosts file, as your name resolution is sped up many fold, so you don't wait on your queries as long. It also can be set up to block the very same records, so it is still faster than your ad bl
Re: (Score:2)
Absolutely not me.
Almost wish it was, though.
Re: (Score:2)
Darn, I was just starting to enjoy your work, it seemed to be shaping up nicely.
Re: (Score:1)
You know the duplicate AC posts make it really obvious that's you, APK. Why don't you just give up? Even the trolls are mocking you now.
Re: (Score:2)
You are funny, you wish you could even get things right once, but yet still fail utterly to prove your way out of a paper bag.
Re: (Score:2)
If that's true then, AFAIK, headers have always had some form of constant and, if not, there's consistent content in the individual packets that identify things like what stream they belong to.
Re: (Score:2)
Right, but not all headers can be encrypted. e.g. your letter still needs an unencrypted address or it can't be delivered.
Re: (Score:2)
That's kind of what I was thinking - I wasn't sure that their comment was even salient but I'm not a crypto-geek and I knew that headers have pretty much always contained repeatable data and that it's not made a difference (AFAIK) so far. I probably should have phrased it better. I do know, by grace of having to learn a bunch, some basic networking but not a lot of crypto - enough to implement it if needed. I understand things like SYN and ACK, UDP, etc... I did not have the budget to hire a network admin (
Re: (Score:2)
Yes... all 30 seconds or so were wasted.
Re: (Score:2)
A CIA Bug.