A look at a few 'tricks' with Unicode that can make a program look like it's doing something it isn't. Repopularized by a recent publication, these are well worth being aware of, both from a security point of view and simply to be on your guard against friends who may be trying to pull a prank on you :-D.

These tricks are well suited to attacks because they can be difficult to detect even in a manual code review, thanks to aspects of Unicode like bidirectional (bidi) control characters.

Examples of using/abusing Unicode include:

- Look-alike characters (homoglyphs) used to define two different functions so that calls to one look like calls to the other (e.g. Cyrillic е and Latin e are too similar for us to distinguish easily).
- Bidi control characters used to make a part of the code appear to be present when it's actually part of a comment.
- The classic trick of naming files so that even an .exe file can look like a .pdf.
- Invisible characters used to make strings that look the same when they aren't.
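A review-time check for the tricks listed above, added here as an example and not taken from the talk: it flags bidi control characters, invisible characters, and identifiers that mix Latin, Cyrillic or Greek letters. The character sets, the name-based script guess and the sample lines are assumptions made for this sketch.

```python
import re
import unicodedata

# Bidi controls: embeddings/overrides (U+202A-202E), isolates (U+2066-2069),
# and the directional marks U+200E, U+200F, U+061C.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f\u061c")
# Characters that normally render with no visible glyph.
INVISIBLE = set("\u200b\u200c\u200d\u2060\ufeff\u00ad")
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK")  # scripts with many look-alike letters

def script_of(ch):
    """Approximate a character's script from the start of its Unicode name."""
    name = unicodedata.name(ch, "")
    return next((s for s in SCRIPTS if name.startswith(s)), None)

def scan(lines):
    """Return (line, kind, column, detail) tuples for suspicious characters."""
    findings = []
    for lineno, text in enumerate(lines, 1):
        for col, ch in enumerate(text, 1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, "bidi-control", col, f"U+{ord(ch):04X}"))
            elif ch in INVISIBLE:
                findings.append((lineno, "invisible", col, f"U+{ord(ch):04X}"))
        # A single identifier that mixes scripts is a strong homoglyph signal.
        for m in re.finditer(r"\w+", text):
            scripts = {script_of(c) for c in m.group()} - {None}
            if len(scripts) > 1:
                findings.append((lineno, "mixed-script", m.start() + 1, m.group()))
    return findings

# Constructed sample input (not from the talk).
SAMPLE = [
    "def check_access(user):",                     # plain Latin, clean
    "def ch\u0435ck_access(user):",                # Cyrillic U+0435 in place of 'e'
    "if role != 'admin\u200b':",                   # zero-width space inside a string
    "access = 'user' # \u202e audit note \u202c",  # bidi override inside a comment
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

An identifier written entirely in look-alike letters from one script is not caught by the mixed-script rule; comparing identifiers against a confusables mapping would be needed for that case.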

This is meant as a basic, introductory-level talk.

Date: 2022 April 23 - 10:00
Duration: 45 min
Room: Code Lab
Conference: LinuxFest Northwest 22
Track: Open Source
Difficulty: 100-level

Happening at the same time:

  1. System76 Thelio and Launch Keyboard
     Start Time: 2022 April 23 10:00
     Room: Hardware/Gaming

  2. Beyond Code: Ethics and Professionalism in Open Source
     Start Time: 2022 April 23 10:00
     Room: Community

  3. Messing around with unicode
     Start Time: 2022 April 23 10:00
     Room: Code Lab