Top

Hidden Easter Eggs in Software and The Security Implications

With Easter yesterday, it got me thinking about Easter Eggs. Are you aware that there could be hidden little gems in the software you use every day? Some applications, video games, DVDs, and others include little intentional tidbits of code that people might randomly stumble into that shows off some cool feature, display the credits, or are part of some inside joke by the developers.These tidbits are called Easter Eggs and the practice has been around for a long time but at the same time it might be a dying habit for security reasons.

One of the most famous easter eggs in software was the “flight simulator” hidden inside Excel ’97. It wasn’t really a flight simulator but more of a weird world that you could float through to find a scrolling list of the credits.

excel 400x241 Hidden Easter Eggs in Software and The Security Implications

You can also view a YouTube video of this easter egg being uncovered and in action:

Many of the easter eggs out there are documented on a site dedicated to them, The Easter Egg Archive, at eeggs.com. From the unbeatable Freecell games to hidden messages in the movie Fight Club, Eeggs.com chronicles easter eggs found in Software, Movies, Music, TV, Books, and Art. You can also find lists of Easter eggs at EggHeaven.com. For a quick sample, check out this recent list of the Top 50 Easter Eggs.

These easter eggs are usually humorous inside jokes or credits, so why are they being phased out in software titles?

Secure by Design, Secure by Default, and Secure in Deployment

Although I can’t find any real authoritative links, many people have referred to a court order that says Microsoft cannot include any “undocumented features” in its products or corporate customer demand that Easter Eggs made Microsoft management look not in control. There is an archived article from Network World from way back in March 2000 calling foul on Easter Eggs and painting a worst-case scenario for them which ended up being an interesting read (with too many good lines to quote). Microsoft responded (to whatever exactly changed their perspective on embedding Easter Eggs) with the Trustworthy Computing initiative. Trustworthy Computing tries to establish credibility for Microsoft’s applications and focuses on security, privacy, reliability, and business practices. They’re also taking it a step further with trying to make a safer, more secure Internet with their End to End Trust Program, which certainly has an interesting, if not overly ambitious, vision.

You can still find plenty of talk about the practice of Easter Eggs throughout the MSDN blogs, but I think Microsoft has made it quite clear to its developers that it is not professional to include Easter eggs so I don’t imagine they’ll resurface any time soon. From Larry Osterman’s blog in 2005:

Nowadays, adding an easter egg to a Microsoft OS is immediate grounds for termination, so it’s highly unlikely you’ll ever see another.

I don’t know about outside the OS division. I do know that Brian Valentine has made it QUITE clear that you will be IMMEDIATELY terminated for introducing an easter egg into the OS.

Of course, there are still some odd functions if you need some fluff filler in your multi-page paper:

Open a blank word document (works in Word 2007) and type (or copy it):
= rand (50,99)
Press enter
Wait 3 seconds…

Lorem Ipsum, eat your heart out.