Why no Easter Eggs?

re: Why no Easter Eggs?

Jared Parsons — Sat, 22 Oct 2005 01:43:56 GMT

I think you meant anagram instead of acronym

re: Why no Easter Eggs?

BradC — Sat, 22 Oct 2005 01:50:11 GMT

Wow. So Exchange POP3 server actually had an egg where it would return a list of developers as an email message instead of a "normal" email?

Yeah, I can see how that would be a problem. Especially if the key phrase is the one listed here:

http://www.eeggs.com/items/19978.html

re: Why no Easter Eggs?

SteveJS — Sat, 22 Oct 2005 02:05:14 GMT

Jenson Harris' has an amusing blog post about a bad encounter with a Microsoft Easter Egg when he was four years old:
http://blogs.msdn.com/jensenh/archive/2005/10/20/483041.aspx

I was really bummed about the No Easter Egg policy when it was announced. Now, the last thing I want to do is Security Review a single line of unnecessary code.

re: Why no Easter Eggs?

jrp — Sat, 22 Oct 2005 02:35:26 GMT

The Exchange 4.0 server had a 30MB Easter Egg... although at that size it was pressing the definition of "egg". What struck me was your comment:

"But it didn't matter - we still shouldn't have done it. Why? Because it was utterly irresponsible."

I guess we've all gotten a little older and wiser, eh Larry?

re: Why no Easter Eggs?

Victoria French — Sat, 22 Oct 2005 02:49:36 GMT

We still put Easter Eggs in our products, but they are not installed by default. They are an extra set of code that the user must opt to install. The Easter Egg component is also removable once they find it.

People do like Easter Eggs and I disagree with most of the quotes presented. But giving the user a choice to install it allows for the customer to trust you.

re: Why no Easter Eggs?

SPJ — Sat, 22 Oct 2005 03:07:37 GMT

The REAL question is without having the source to build the final executable with a compiler (which was built from source, ad infinitum..) can you be ever sure that they've not snuck some other undocumented feature into the code?

People who have even a little common sense and are that suspicious will ask for source. They know that's the only way to be sure.

The explanation you gave is not even childish - some thing sillier than that. Asking for removing easter eggs and accepting that as a proof that they'll never get malware embedded in the software for instance.

Thing is some one at MS may still put Easter Eggs (and unlikely, Malware) which will never be discovered - like the WAV files built out by warez'ed tools that ship with Windows XP - who knows if they don't cause a buffer overflow somewhere?

re: Why no Easter Eggs?

Minh — Sat, 22 Oct 2005 04:17:41 GMT

I understand the security issues w/ Easter eggs. But those concerns must be RELATIVELY small compared to actual security issues in Windows. I mean, it's like comparing a tornado w/ wind speed of 200 mph and one with 202 mph.

I must say, my XP SP 2 is pretty solid. But the UX of running a LUA account leaves much to be desired. I hope Vista does LUA well, and MS could have another hit on its hands. Good luck.

re: Why no Easter Eggs?

TAG — Sat, 22 Oct 2005 04:26:57 GMT

Wow.. So many reasons except most important one - There is no way to make money from Easter Eggs in software.

re: Why no Easter Eggs?

LarryOsterman — Sat, 22 Oct 2005 04:38:21 GMT

The interesting thing about the 30MB easter egg was that it was never installed. It was just an AVI file stuck on the Exchange CD (renamed to be .MDB).

re: Why no Easter Eggs?

Capt. Jean-Luc Pikachu — Sat, 22 Oct 2005 05:54:50 GMT

Adequacy.org is a well known troll site! YHBT, HAND.

re: Why no Easter Eggs?

TC — Sat, 22 Oct 2005 07:48:47 GMT

A good example of how these things can get out of control, is the "NSA_Key" issue from some years ago. Presumeably someone chose that name as a joke, or without considering its potential interpretation. Whatever the rationale behind the name, it caused a firestorm of protest about "NSA backdoors" in microsoft products. Oops!

re: Why no Easter Eggs?

Jerry Pisk — Sat, 22 Oct 2005 23:24:26 GMT

What constitutes an easter egg? Would the list of developers that used be in IE's (4.x IIRC) about box be considered an easter egg? I think there's a gray area in there, a list of team members is not exactly an easter egg, at least not in the way the IE team's done it - it did not interfere with the normal (expected) operation of he software, t was a part of the about box. If Exchange returned an e-mail with its team member list in response to an e-mail with a trigger phrase then that might have crossed the line, as that would not be an expected behavior. But if it sent an e-mail in a response to an action in the about or acknowledgment dialog boxes that might be acceptable, even though still considered an easter egg.

re: Why no Easter Eggs?

Ken Cox [MVP] — Sun, 23 Oct 2005 05:19:10 GMT

The scary thing is that if one developer can slip an innocent Easter egg into an OS, another could also implement a back door.

re: Why no Easter Eggs?

TC — Sun, 23 Oct 2005 06:24:24 GMT

Jerry wrote:
> What constitutes an easter egg?

Larry is saying (if I understand him) that the key thing is, is the behaviour documented? So, if you /documented/ that the keystroke sequence Alt, Ctrl, 1, *, 8 displayed a list of developers then sent an email to Father Xmas, then, that is not an easter egg!

re: Why no Easter Eggs?

Chris Walker — Mon, 24 Oct 2005 07:02:18 GMT

So Microsoft responded to corporate and other institutions who care greatly about security and removed the so called easter eggs. It was a inexpensive thing to do, but did that really added much to the security of Windows?

<p>
I'm all for trustworthy computing. How about we have a defined and spec'd "credits" box that you can only get on if you have done something for the product that improved its security?

<p>
In the entertainment industry and esp. the movie industry, contracts spell out what people have to do to get on the credits and how long they run on screen etc. While software isn't there, it might be another incentive for developers, testers, PMs, PSS people, Beta testers etc to do the right thing to get their name on the product. Just a simple acknowledgement could be enough for many people to want to contribute.

<p>
The original Mac had the development team's names on the inside of the case. They took pride in their work and Mr. Jobs took pride in them.

<p>
Personal aside: I was the video tester for Windows NT when the screen saver with the developers names in it was shipped. The developer definitely went out of his way to obscure the code. (Strings.exe would not find them) The first I heard of it was from PSS people who wanted to be put on the list i.e. I was contacted to enter a bug. This was in the 1995 time frame so it predates any corporate dictums.

re: Why no Easter Eggs?

Matthew — Mon, 24 Oct 2005 09:09:11 GMT

>> The explanation you gave is not even childish - some thing sillier than that. Asking for removing easter eggs and accepting that as a proof that they'll never get malware embedded in the software for instance.

Ummm, he never said that...

re: Why no Easter Eggs?

barrkel — Mon, 24 Oct 2005 16:53:39 GMT

> One of the aspects of Trustworthy Computing
> is that you can trust what's on your computer.

Trustworthy computing is a DRM initiative. That sentence should read:

+ One of the aspects of Trustworthy Computing
+ is that Microsoft can trust what's on your
+ computer.

re: Why no Easter Eggs?

mschaef — Mon, 24 Oct 2005 19:02:43 GMT

"A good example of how these things can get out of control, is the "NSA_Key" issue from some years ago. Presumeably someone chose that name as a joke, or without considering its potential interpretation. Whatever the rationale behind the name, it caused a firestorm of protest about "NSA backdoors" in microsoft products. Oops! "

It's more than just that, Windows used to have entry points named:

Death
Resurrection
PrestoChangoSelector
TabTheTextOutForWimps
WinOldAppHackOMatic
UserSeeUserDo
Bunny_351
Brute
FixUpBogusPublisherMetaFile

I don't think these names are innately bad _private_ names, but to have them exposed in export tables was pretty bad.

re: Why no Easter Eggs?

Simon Cooke — Mon, 24 Oct 2005 20:31:08 GMT

Of course, the easy way around all of the easter egg stuff is for MS to start putting credits in the About screen for each product. That way the devs get their names up in lights... and everyone's happy.

That doesn't address the "cool factor" of writing a cool easter egg though, of course.

re: Why no Easter Eggs?

Mike — Mon, 24 Oct 2005 21:41:54 GMT

People will complain no matter what you do, it's pointless to try to pander to everybody. The no easter eggs policy just reinforces in my mind the Microsoft is nothing more than faceless, humorless, Big Corporate, and therefore, not trustworthy.

There's nothing at all wrong with them as long as they aren't "snuck in" and go through the same quality review that everything else does.

re: Why no Easter Eggs?

Valery Tolkov — Mon, 24 Oct 2005 22:02:44 GMT

In fact, the EE is nothing more than just one feature. If we get any MS product, there are many features which are never used by a particular user. It may be because the user does not know about them, or if he does know, he can't imagine how he can use them and what are they added for. In case of EE, the usage is quite obvious - a bit of fun. So EE looks even better comparing with other unused features. The same is true about security: unused features have more security risk, comparing with EE, because EE is quite simple (usually a bit of UI).

re: Why no Easter Eggs?

Carlos — Tue, 25 Oct 2005 00:10:26 GMT

SPJ wrote:
"People who have even a little common sense and are that suspicious will ask for source. They know that's the only way to be sure."

Read the link Larry gave to Ken Thompson's lecture. Even if you compile from source, you *cannot* be sure what the program will do.

re: Why no Easter Eggs?

dhiren — Tue, 25 Oct 2005 10:17:24 GMT

mschaef:

http://blogs.msdn.com/oldnewthing/archive/2003/10/15/55296.aspx

re: Why no Easter Eggs?

me — Tue, 25 Oct 2005 16:13:32 GMT

re adequacy.org

Have you read that site before, or did you just google for contrary opinions. It sits well alongside the story on AMD: http://www.adequacy.org/public/stories/2002.1.28.153048.268.html

Not everything is as it seems....

re: Why no Easter Eggs?

LarryOsterman — Tue, 25 Oct 2005 16:36:03 GMT

me: Actually, Raymond gave me the links, and I used them. Afterwards, I learned that Adequacy was an intentional troll site, but it doesn't really matter, even though it's a troll post, the others aren't.

re: Why no Easter Eggs?

SPJ — Wed, 26 Oct 2005 23:14:05 GMT

Carlos -
From the Ken Thompson article - "Figure 6 shows a simple modification to the compiler that will deliberately miscompile source whenever a particular pattern is matched. If this were not deliberate, it would be called a compiler "bug." Since it is deliberate, it should be called a "Trojan horse." "

In my post, I said we need the compiler source and library source and the OS source etc. to be sure enough to trust a program. You _can_ trust source code, not infected binaries of compiler that produces untrustworthy code from trustworthy source. So if you have source for everything you can theorotically verify that it does what it is supposed to do and just that.

Oh and yes, the CPU which executes the code needs to be trusted!

re: Why no Easter Eggs?

TC — Fri, 28 Oct 2005 08:36:00 GMT

SPJ wrote:
> Oh and yes, the CPU which executes the code needs to be trusted!

Indeed, I gather that some of the CPU microcode update procedures, are now well-known publically. So I guess, with enough smarts, you /could/ trojan a modern CPU. For those not aware, google on "microcode update" (including the quotes) for lots of relevant hits.

re: Why no Easter Eggs?

BassOMatic — Fri, 28 Oct 2005 13:21:46 GMT

A good story about "why no easter eggs" is the tale of the Adobe Photoshop easter egg that was snuck in by a developer and therefore wasn't tested. Of course, it had a globalization bug which caused it to crash on systems that used double-byte characters, so there was much embarrassment when, one April 1st, the application became useless in various squiggly-text-using countries around the world. The embarrassment was so great in Japan that Adobe actually went to the trouble of printing stickers apologizing for the problem and slapped them on the boxes sold in Japan.

re: Why no Easter Eggs?

daffy@sbate.com — Sun, 13 Nov 2005 20:15:54 GMT

I applaud this policy as a security engineer.

Another year, another post

Larry Osterman's WebLog — Wed, 15 Mar 2006 20:21:22 GMT

Well, this year I didn't miss the anniversary of my first blog post.
I still can't quite believe it's...

Google Airlines » El Blog de Enrique Dans

Google Airlines » El Blog de Enrique Dans — Sat, 01 Sep 2007 13:56:30 GMT

PingBack from http://www.enriquedans.com/2007/09/google-airlines.html

Lo nuevo en la red: Google Arlines… « ObuX hecho por JoseKont

Lo nuevo en la red: Google Arlines… « ObuX hecho por JoseKont — Sun, 09 Sep 2007 19:09:17 GMT

PingBack from http://obux.wordpress.com/2007/09/09/lo-nuevo-en-la-red-google-arlines/

??El Office 2003 tiene huevos de pascua? | hilpers

??El Office 2003 tiene huevos de pascua? | hilpers — Tue, 20 Jan 2009 22:04:24 GMT

PingBack from http://www.hilpers-esp.com/415794-a-el-office-2003-tiene

Larry Osterman s WebLog Why no Easter Eggs | fix my credit

Larry Osterman s WebLog Why no Easter Eggs | fix my credit — Wed, 17 Jun 2009 05:40:28 GMT

PingBack from http://fixmycrediteasily.info/story.php?id=6460

Larry Osterman s WebLog Why no Easter Eggs | debt solutions

Larry Osterman s WebLog Why no Easter Eggs | debt solutions — Fri, 19 Jun 2009 20:30:56 GMT

PingBack from http://debtsolutionsnow.info/story.php?id=10313