My favorite entry is the first runner-up from the encryption challenge in 2007: http://underhanded.xcott.com/?page_id=16

Basically, a subtly buggy SWAP() implementation causes the RC4 cipher to output more and more plaintext as time goes on.
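Two checks a reviewer can run instead of trusting their eyes on the swap, as an added example that is not the contest entry's code or anything from the original thread: a minimal RC4 whose swap can be either a plain temp-variable swap or the classic aliasing-unsafe XOR swap (a constructed stand-in for "a subtly buggy SWAP()", not the entry's actual bug), the published "Key"/"Plaintext" known-answer test, and a permutation-invariant check on the state. The all-zero test key (ZERO_KEY) is constructed so that the key schedule hits k == j at k = 1, where the XOR variant zeroes S[1] deterministically.

```c
#include <stdint.h>
#include <string.h>

/* Swap S[a] and S[b]. The XOR variant is the textbook pitfall: when a == b it
 * zeroes the element instead of leaving it alone. Constructed illustration of an
 * aliasing bug, not the contest entry's SWAP(). */
static void swap_bytes(uint8_t *S, uint8_t a, uint8_t b, int xor_swap) {
    if (xor_swap) { S[a] ^= S[b]; S[b] ^= S[a]; S[a] ^= S[b]; }
    else          { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; }
}

/* RC4 key-scheduling algorithm (KSA). */
static void rc4_ksa(uint8_t S[256], const uint8_t *key, size_t klen, int xor_swap) {
    for (int k = 0; k < 256; k++) S[k] = (uint8_t)k;
    for (int k = 0, j = 0; k < 256; k++) {
        j = (j + S[k] + key[k % klen]) & 0xff;
        swap_bytes(S, (uint8_t)k, (uint8_t)j, xor_swap);
    }
}

/* Encrypt/decrypt n bytes with the RC4 keystream (PRGA). */
static void rc4_crypt(const uint8_t *key, size_t klen, const uint8_t *in,
                      uint8_t *out, size_t n, int xor_swap) {
    uint8_t S[256], i = 0, j = 0;
    rc4_ksa(S, key, klen, xor_swap);
    for (size_t k = 0; k < n; k++) {
        i = (uint8_t)(i + 1);
        j = (uint8_t)(j + S[i]);
        swap_bytes(S, i, j, xor_swap);
        out[k] = in[k] ^ S[(S[i] + S[j]) & 0xff];
    }
}

/* Check 1: known-answer test. Published RC4 vector: key "Key", plaintext "Plaintext". */
int rc4_passes_kat(int xor_swap) {
    static const uint8_t expect[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    uint8_t out[9];
    rc4_crypt((const uint8_t *)"Key", 3, (const uint8_t *)"Plaintext", out, 9, xor_swap);
    return memcmp(out, expect, 9) == 0;
}

/* Check 2: invariant. After the KSA, S must still be a permutation of 0..255. A
 * correct swap preserves this for every key; the XOR swap breaks it the first
 * time the schedule hits k == j, which ZERO_KEY (constructed) forces at k = 1. */
static const uint8_t ZERO_KEY[2] = {0x00, 0x00};
int rc4_state_is_permutation(const uint8_t *key, size_t klen, int xor_swap) {
    uint8_t S[256], seen[256] = {0};
    rc4_ksa(S, key, klen, xor_swap);
    for (int k = 0; k < 256; k++) if (seen[S[k]]++) return 0;
    return 1;
}
```

A short known-answer test only catches the aliasing bug for keys whose schedule happens to hit k == j, so the invariant check (or a long keystream comparison against a reference) is the one to keep in the test suite.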
I love the Underhanded C Contest; I enjoy it a lot more than the Obfuscated C Contest. It is also great educational material: whenever someone advocates human code inspection as a security measure, I only need to point them to the UCC website to show the weaknesses of that approach. (I'm not talking about peer review, of course; that serves a different purpose.)
Writing it in C makes it too easy. You can just store the comment in a struct before the airline so that a long comment overwrites the airline number and luggage gets missed. Store the airline number as text and add a validation routine in case numbers are input badly, and any long comment with a number at the end will reroute your luggage to the new airline.

I'm sure the winning entry will be cleverer than that. But all of the entries would have to be better if they insisted on a garbage-collected language with safe string handling.

You know, like Java, PHP, Visual Basic, C#, Python, JavaScript, Perl, Ruby, etc. (I got that list by reading off the top 10 on the TIOBE index, then removing C and C++ because by default they are not garbage collected and offer unsafe string handling.)