Re: Easter Eggs and Security



On May 8, 1:37 pm, Bogwitch <Bogwi...@xxxxxxxxxxxxxxxxxxx> wrote:
mike3 wrote:
On May 1, 11:37 am, Bogwitch <Bogwi...@xxxxxxxxxxxxxxxxxxx> wrote:
mike3 wrote:
Hi.
How would Easter Eggs be a big threat to security if they were
thoroughly examined by the company making the software for any real
security threat? Unless the company was all wildly corrupt, if some
disgruntled programmer stuck in, say, a logic bomb, it would be found
out. (programmers would have to notify the rest of the company that
they put in EEs, and since they wouldn't notify about logic bombs
(obviously), they would get shot down.)
IANAP but increasing the complexity of any system has the potential for
introducing (further) security vulnerabilities.

So even if the easter egg itself was checked for security, and passed,
it might still have induced some subtle flaw perhaps by interaction
with other parts of the program?

Increasing the complexity of ANY system has the potential for
introducing (further) security vulnerabilities. Perhaps by interaction
with other parts of the program, perhaps in some other way.


Even something as simple as just adding an extra key command
to the keyboard handler that just pops up a little message box?
How exactly can this generate a security hole? Any scenarios
you might know about?





Unwarranted functions increase the code length that a reviewer has to
go through - that's just cruel. First rule of security - Protection of
the individual.

Protection of the reviewers, you mean, from hard work? As that's
the "individual" who you seem to be referring to. And does it really
increase it by all that big an amount? See, eggs are not like adding
1500 extra lines of code. Many eggs can be implemented with only
a small amount of code -- I mean, it takes very little code to put up
a little message that says "JOHNNY" when you push some key
combination on the keyboard or click the right buttons in the right
order. What sort of harm would having the wee bit of extra
patience on the part of the reviewers for examining just 20 more
lines out of a huge program with over 400,000 lines at the barest
minimum do? Especially if they were notified beforehand that a tiny
easter egg exists? If they objected to doing the work (yes, they
would be given a CHOICE, and besides, more work = more dollars
you know!) the egg could always be removed.

Is this an example of an American failing to understand British humour?

Probably.

It was a tongue in cheek comment. The original post did not specify a
type of EE, so it could be just flashing 'Johnny' up on the screen or it
could be running a 3d maze of some kind, or a flight sim. Who knows?


But I'm talking about most "usual" easter eggs, which are often
simple. Like just displaying "JOHNNY". If a maze/flight sim was
added I'd bet it would easily get noticed. That is a nontrivial
program. Maybe I wasn't clear, but that was my drift -- how
could something relatively trivial be so hard to examine?

Unwarranted functions increase compiled file size and decrease program
execution speed. A denial of service.

Bogwitch.

Do a couple of easter eggs really do it that much? AFAIK most of the
eggs I've seen are not a computationally intensive or intricate piece
of work, it's not like there's a secret Mersenne prime tester or
physics sim that starts up in there, or any other intense and complicated
program. How much slower and bulkier would, say, a little thing that
says "JOHNNY" upon pressing some unused key combination really
make the program, anyway?

Your processor now has to wait for interrupts from the keyboard and scan
for additional input matches. No, I'm sure this won't add much more
processor time to your application but it adds SOME. Thus denying the
processor cycles to something 'useful'. Would it make the application
larger, yes, but not much. Still going to use up potentially precious
disk space.


But who is going to have such a tight margin anyway that a few
extra bytes or KBs is going to do so much?

In short, would your customers prefer a larger, slower application that
massages the programmer's ego or would they prefer an application that
does what it is expected to do in the smallest possible space and the
shortest possible time?

I know what my customers would prefer, I know what I would prefer. YMMV.


Even when the time lost is unnoticeable? That is the type of attitude
I don't quite understand. What sort of mega-time-sensitive stuff might
a few milli or micro seconds of time slower a word processor is made
by a tiny easter egg interfere with? Can one really NOTICE that? I'd
suppose you wouldn't want to include easter eggs, in, say, a
complicated physics simulation program for a supercomputer where every darned
cycle of every darned CPU in the machine counts, but a _word
processor_?

Bogwitch.
