Easter Eggs and Security

on 01.05.2007 09:30:38 by mike3

Hi.

How would Easter Eggs be a big threat to security if they were
thoroughly examined by the company making the software for any real
security threat? Unless the company was all wildly corrupt, if some
disgruntled programmer stuck in, say, a logic bomb, it would be found
out. (programmers would have to notify the rest of the company that
they put in EEs, and since they wouldn't notify about logic bombs
(obviously), they would get shot down.)

Re: Easter Eggs and Security

on 01.05.2007 19:37:31 by Bogwitch

mike3 wrote:
> Hi.
>
> How would Easter Eggs be a big threat to security if they were
> thoroughly examined by the company making the software for any real
> security threat? Unless the company was all wildly corrupt, if some
> disgruntled programmer stuck in, say, a logic bomb, it would be found
> out. (programmers would have to notify the rest of the company that
> they put in EEs, and since they wouldn't notify about logic bombs
> (obviously), they would get shot down.)

IANAP but increasing the complexity of any system has the potential for
introducing (further) security vulnerabilities.

Unwarranted functions increase the code length that a reviewer has to
go through - that's just cruel. First rule of security - Protection of
the individual.

Unwarranted functions increase compiled file size and decrease program
execution speed. A denial of service.

Bogwitch.

Re: Easter Eggs and Security

on 07.05.2007 22:45:04 by mike3

On May 1, 11:37 am, Bogwitch wrote:
> mike3 wrote:
> > Hi.
>
> > How would Easter Eggs be a big threat to security if they were
> > thoroughly examined by the company making the software for any real
> > security threat? Unless the company was all wildly corrupt, if some
> > disgruntled programmer stuck in, say, a logic bomb, it would be found
> > out. (programmers would have to notify the rest of the company that
> > they put in EEs, and since they wouldn't notify about logic bombs
> > (obviously), they would get shot down.)
>
> IANAP but increasing the complexity of any system has the potential for
> introducing (further) security vulnerabilities.
>

So even if the easter egg itself was checked for security, and passed,
it might still have induced some subtle flaw perhaps by interaction
with other parts of the program?

> Unwarranted functions increase the code length that a reviewer has to
> go through - that's just cruel. First rule of security - Protection of
> the individual.
>

Protection of the reviewers, you mean, from hard work? As that's
the "individual" who you seem to be referring to. And does it really
increase it by all that big an amount? See, eggs are not like adding
1500 extra lines of code. Many eggs can be implemented with only
a small amount of code -- I mean, it takes very little code to put up
a little message that says "JOHNNY" when you push some key
combination on the keyboard or click the right buttons in the right
order. What sort of harm would having the wee bit of extra
patience on the part of the reviewers for examining just 20 more
lines out of a huge program with over 400,000 lines at the barest
minimum do? Especially if they were notified beforehand that a tiny
easter egg exists? If they objected to doing the work (yes, they
would be given a CHOICE, and besides, more work = more dollars
you know!) the egg could always be removed.

> Unwarranted functions increase compiled file size and decrease program
> execution speed. A denial of service.
>
> Bogwitch.

Do a couple of easter eggs really do it that much? AFAIK most of the
eggs I've seen are not a computationally intensive or intricate piece
of work, it's not like there's a secret Mersenne prime tester or
physics sim that starts up in there, or any other intense and complicated
program. How much slower and bulkier would, say, a little thing that
says "JOHNNY" upon pressing some unused key combination really
make the program, anyway?

Re: Easter Eggs and Security

on 08.05.2007 21:37:34 by Bogwitch

mike3 wrote:
> On May 1, 11:37 am, Bogwitch wrote:
>> mike3 wrote:
>>> Hi.
>>> How would Easter Eggs be a big threat to security if they were
>>> thoroughly examined by the company making the software for any real
>>> security threat? Unless the company was all wildly corrupt, if some
>>> disgruntled programmer stuck in, say, a logic bomb, it would be found
>>> out. (programmers would have to notify the rest of the company that
>>> they put in EEs, and since they wouldn't notify about logic bombs
>>> (obviously), they would get shot down.)
>> IANAP but increasing the complexity of any system has the potential for
>> introducing (further) security vulnerabilities.
>>
>
> So even if the easter egg itself was checked for security, and passed,
> it might still have induced some subtle flaw perhaps by interaction
> with other parts of the program?

Increasing the complexity of ANY system has the potential for
introducing (further) security vulnerabilities. Perhaps by interaction
with other parts of the program, perhaps in some other way.

>> Unwarranted functions increase the code length that a reviewer has to
>> go through - that's just cruel. First rule of security - Protection of
>> the individual.
>>
>
> Protection of the reviewers, you mean, from hard work? As that's
> the "individual" who you seem to be referring to. And does it really
> increase it by all that big an amount? See, eggs are not like adding
> 1500 extra lines of code. Many eggs can be implemented with only
> a small amount of code -- I mean, it takes very little code to put up
> a little message that says "JOHNNY" when you push some key
> combination on the keyboard or click the right buttons in the right
> order. What sort of harm would having the wee bit of extra
> patience on the part of the reviewers for examining just 20 more
> lines out of a huge program with over 400,000 lines at the barest
> minimum do? Especially if they were notified beforehand that a tiny
> easter egg exists? If they objected to doing the work (yes, they
> would be given a CHOICE, and besides, more work = more dollars
> you know!) the egg could always be removed.

Is this an example of an American failing to understand British humour?
It was a tongue in cheek comment. The original post did not specify a
type of EE, so it could be just flashing 'Johnny' up on the screen or it
could be running a 3d maze of some kind, or a flight sim. Who knows?

>> Unwarranted functions increase compiled file size and decrease program
>> execution speed. A denial of service.
>>
>> Bogwitch.
>
> Do a couple of easter eggs really do it that much? AFAIK most of the
> eggs I've seen are not a computationally intensive or intricate piece
> of work, it's not like there's a secret Mersenne prime tester or
> physics sim that starts up in there, or any other intense and complicated
> program. How much slower and bulkier would, say, a little thing that
> says "JOHNNY" upon pressing some unused key combination really
> make the program, anyway?

Your processor now has to wait for interrupts from the keyboard and scan
for additional input matches. No, I'm sure this won't add much more
processor time to your application but it adds SOME. Thus denying the
processor cycles to something 'useful'. Would it make the application
larger? Yes, but not much. Still going to use up potentially precious
disk space.

In short, would your customers prefer a larger, slower application that
massages the programmer's ego or would they prefer an application that
does what it is expected to do in the smallest possible space and the
shortest possible time?

I know what my customers would prefer, I know what I would prefer. YMMV.

Bogwitch.

Re: Easter Eggs and Security

on 13.05.2007 01:21:10 by mike3

On May 8, 1:37 pm, Bogwitch wrote:
> mike3 wrote:
> > On May 1, 11:37 am, Bogwitch wrote:
> >> mike3 wrote:
> >>> Hi.
> >>> How would Easter Eggs be a big threat to security if they were
> >>> thoroughly examined by the company making the software for any real
> >>> security threat? Unless the company was all wildly corrupt, if some
> >>> disgruntled programmer stuck in, say, a logic bomb, it would be found
> >>> out. (programmers would have to notify the rest of the company that
> >>> they put in EEs, and since they wouldn't notify about logic bombs
> >>> (obviously), they would get shot down.)
> >> IANAP but increasing the complexity of any system has the potential for
> >> introducing (further) security vulnerabilities.
>
> > So even if the easter egg itself was checked for security, and passed,
> > it might still have induced some subtle flaw perhaps by interaction
> > with other parts of the program?
>
> Increasing the complexity of ANY system has the potential for
> introducing (further) security vulnerabilities. Perhaps by interaction
> with other parts of the program, perhaps in some other way.
>

Even something as simple as just adding an extra key command
to the keyboard handler that just pops up a little message box?
How exactly can this generate a security hole? Any scenarios
you might know about?

> >> Unwarranted functions increase the code length that a reviewer has to
> >> go through - that's just cruel. First rule of security - Protection of
> >> the individual.
>
> > Protection of the reviewers, you mean, from hard work? As that's
> > the "individual" who you seem to be referring to. And does it really
> > increase it by all that big an amount? See, eggs are not like adding
> > 1500 extra lines of code. Many eggs can be implemented with only
> > a small amount of code -- I mean, it takes very little code to put up
> > a little message that says "JOHNNY" when you push some key
> > combination on the keyboard or click the right buttons in the right
> > order. What sort of harm would having the wee bit of extra
> > patience on the part of the reviewers for examining just 20 more
> > lines out of a huge program with over 400,000 lines at the barest
> > minimum do? Especially if they were notified beforehand that a tiny
> > easter egg exists? If they objected to doing the work (yes, they
> > would be given a CHOICE, and besides, more work = more dollars
> > you know!) the egg could always be removed.
>
> Is this an example of an American failing to understand British humour?

Probably.

> It was a tongue in cheek comment. The original post did not specify a
> type of EE, so it could be just flashing 'Johnny' up on the screen or it
> could be running a 3d maze of some kind, or a flight sim. Who knows?
>

But I'm talking about most "usual" easter eggs, which are often
simple. Like just displaying "JOHNNY". If a maze/flight sim was
added I'd bet it would easily get noticed. That is a nontrivial
program. Maybe I wasn't clear, but that was my drift -- how
could something relatively trivial be so hard to examine?

> >> Unwarranted functions increase compiled file size and decrease program
> >> execution speed. A denial of service.
>
> >> Bogwitch.
>
> > Do a couple of easter eggs really do it that much? AFAIK most of the
> > eggs I've seen are not a computationally intensive or intricate piece
> > of work, it's not like there's a secret Mersenne prime tester or
> > physics sim that starts up in there, or any other intense and complicated
> > program. How much slower and bulkier would, say, a little thing that
> > says "JOHNNY" upon pressing some unused key combination really
> > make the program, anyway?
>
> Your processor now has to wait for interrupts from the keyboard and scan
> for additional input matches. No, I'm sure this won't add much more
> processor time to your application but it adds SOME. Thus denying the
> processor cycles to something 'useful'. Would it make the application
> larger? Yes, but not much. Still going to use up potentially precious
> disk space.
>

But who is going to have such a tight margin anyway that a few
extra bytes or KBs is going to do so much?

> In short, would your customers prefer a larger, slower application that
> massages the programmer's ego or would they prefer an application that
> does what it is expected to do in the smallest possible space and the
> shortest possible time.
>
> I know what my customers would prefer, I know what I would prefer. YMMV.
>

Even when the time lost is unnoticeable? That is the type of attitude
I don't quite understand. What sort of mega-time-sensitive stuff might
a few milli or micro seconds of time slower a word processor is made
by a tiny easter egg interfere with? Can one really NOTICE that? I'd
suppose you wouldn't want to include easter eggs in, say, a complicated
physics simulation program for a supercomputer where every darned
cycle of every darned CPU in the machine counts, but a _word
processor_?

> Bogwitch.

Re: Easter Eggs and Security

on 13.05.2007 03:56:33 by Bogwitch

mike3 wrote:

[snip]

>> Increasing the complexity of ANY system has the potential for
>> introducing (further) security vulnerabilities. Perhaps by interaction
>> with other parts of the program, perhaps in some other way.
>
> Even something as simple as just adding an extra key command
> to the keyboard handler that just pops up a little message box?
> How exactly can this generate a security hole? Any scenarios
> you might know about?

You are increasing the system complexity, therefore you are increasing
the risk, however small, of further vulnerabilities arising.

[snip]

>> Is this an example of an American failing to understand British humour?
>
> Probably.

:-)

>> It was a tongue in cheek comment. The original post did not specify a
>> type of EE, so it could be just flashing 'Johnny' up on the screen or it
>> could be running a 3d maze of some kind, or a flight sim. Who knows?
>>
>
> But I'm talking about most "usual" easter eggs, which are often
> simple. Like just displaying "JOHNNY". If a maze/flight sim was
> added I'd bet it would easily get noticed. That is a nontrivial
> program. Maybe I wasn't clear, but that was my drift -- how
> could something relatively trivial be so hard to examine?

Microsoft have done both, IIRC.

I'm not suggesting that the code would be so hard to examine. It just
makes the overall task (slightly) more complicated. Unnecessarily.

>> Your processor now has to wait for interrupts from the keyboard and scan
>> for additional input matches. No, I'm sure this won't add much more
>> processor time to your application but it adds SOME. Thus denying the
>> processor cycles to something 'useful'. Would it make the application
>> larger? Yes, but not much. Still going to use up potentially precious
>> disk space.
>>
> But who is going to have such a tight margin anyway that a few
> extra bytes or KBs is going to do so much?

My HDD fills regularly. I would like to save every byte I can.

>> In short, would your customers prefer a larger, slower application that
>> massages the programmer's ego or would they prefer an application that
>> does what it is expected to do in the smallest possible space and the
>> shortest possible time.
>>
>> I know what my customers would prefer, I know what I would prefer. YMMV.
>>
>
> Even when the time lost is unnoticeable? That is the type of attitude
> I don't quite understand. What sort of mega-time-sensitive stuff might
> a few milli or micro seconds of time slower a word processor is made
> by a tiny easter egg interfere with? Can one really NOTICE that? I'd
> suppose you wouldn't want to include easter eggs in, say, a complicated
> physics simulation program for a supercomputer where every darned
> cycle of every darned CPU in the machine counts, but a _word
> processor_?

You didn't state the application type, you didn't state the EE type.

You're making assumptions that YOUR application will be the only one
running on any said system. Maybe those clock cycles /could/ be better
used. Do you know ALL the applications your customer uses/will use?

I'm sure you'll just go ahead and stick your EEs in anyway, so why ask
for opinions?

Bogwitch.