Some hidden surprises are great – like a heartfelt note left in your kid’s lunchbox on the day of her big science test. Or the forgotten, neatly folded $10 bill tucked inside your jacket pocket. These hidden bonuses are Easter eggs — not the kind that gets tie-dyed and rolled once a year, but the kind that leaves people hunting for more secret treats.
How Easter Eggs got Their Start
Well apparently, some software developers over the years have decided to join in on the fun. Way back in the late 1970s, when video games first went on sale, the then-king-of-consoles, Atari, had a game called Adventure. Adventure’s developer, Warren Robinett, went unnamed in the game credits because Atari was concerned that competitors would find and lure away their best employees. (Sidenote, what better way to ensure employee satisfaction than to tick them off by not crediting them for their work, right?)
The disgruntled employee inserted the line “Created by Warren Robinett” into the code, which would appear when a player hovered over a specific grey dot in the game. The surreptitious move became known as an Easter egg, as the player had to “hunt around” to find it and it went unnoticed by the Atari folks until after Robinett left for another (and hopefully, more appreciative) job.
Once Robinett’s trick got a bit of PR, instead of discouraging such tactics, some video game companies, including Atari, figured it might be a good way to generate excitement. Including Easter eggs in games, like hidden levels and secret codes that helped players get more lives or power, became a semi-routine practice.
Sticking it to the Man
But at the same time, inserting Easter eggs became a symbol of defiance, a way for developers to “stick it to the man” — i.e., their boss or company. And while some of these surprises might just be harmless “extras”, others can be malicious — it all just depends on the developer. Moreover, it’s important to remember that Easter eggs are not part of the approved final coding of a game or program – they are essentially unverified add-ons, which means that the snippet of code in question doesn’t get updated when the software does.
All this can cause incompatibilities which may affect functionality, and worse, may lead to vulnerabilities that allow the software itself to be hacked. And worse still, if a developer can code in an undocumented Easter egg, what’s to stop him or her from slipping in a backdoor or something equally insidious?
Preventing Easter Eggs
We sat down with Ronen Slavin, our head of research, to get a better idea of what software companies can do to prevent surprises like Easter eggs. Ronen has been in the software development world, as well as security, for over a decade and has seen what can go wrong when developers don’t play by the rules.
“Code is usually built out from one main branch. All developers merge the features they work on to that main branch. A software provider has to make sure that every commit is code-reviewed and approved by someone other than the original developer, before it can be merged to the main branch. This is meant to ensure that there are no hidden code sections or silly developer mistakes and bugs.”
“This works great,” he pauses for a moment and continues, “in theory, anyway. See, it doesn’t always work out like that. Sometimes teams skip this part for a variety of reasons.”
That got us thinking — shouldn’t the practice of reviewing all code commits be more than just “best practice”?
“Well, it should be the status quo in the industry, but sometimes, that’s just not the case,” Ronen laments. “Sloppy quality assurance testing practices leave room for vulnerabilities, intentional or not. And Easter eggs are just one issue that would be put to rest with institutionalised quality assurance testing. Holding development teams to an agreed-upon set of standards, which must be met before the software’s release, as well as maintaining a strong automated environment that keeps testing the product, would go a long way to rooting out most code-based flaws before trouble occurs.”
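To make the review rule concrete, here is an added example (ours for illustration, not code from Ronen or from any Reason product) that audits commits on a main branch and flags any that lack an approval from someone other than the author. It assumes the team records approvals as `Reviewed-by` trailers; the commit ids, names and addresses are constructed.

```python
import re

# Constructed sample: one record per commit on main, fields separated by "|":
# commit id | author e-mail | comma-separated Reviewed-by values.
# Assumption: approvals are recorded as Reviewed-by trailers. All ids,
# names and addresses below are made up for this example.
SAMPLE_LOG = """\
a1f3c9e|dana@example.com|Lee Park <lee@example.com>
b27d410|lee@example.com|
c9e0a55|sam@example.com|Sam Roe <sam@example.com>
d4b8f02|dana@example.com|Dana Kim <DANA@example.com>, Lee Park <lee@example.com>
e6610aa|sam@example.com|not-an-address
"""

EMAIL_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")


def reviewer_emails(field):
    """Return the lower-cased e-mail addresses found in a reviewers field."""
    return {m.lower() for m in EMAIL_RE.findall(field)}


def audit(log_text):
    """Return (commit id, reason) for every commit without an independent reviewer."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, author, reviewers_field = (p.strip() for p in line.split("|", 2))
        reviewers = reviewer_emails(reviewers_field)
        # An approval only counts if it comes from someone other than the author.
        if reviewers - {author.lower()}:
            continue
        if not reviewers_field:
            reason = "no review recorded"
        elif reviewers:
            reason = "self-approved only"
        else:
            reason = "reviewer not identifiable"
        findings.append((sha, reason))
    return findings


if __name__ == "__main__":
    for sha, reason in audit(SAMPLE_LOG):
        print(f"{sha}: {reason}")
```

Trailers are written by whoever writes the commit message, so an audit like this catches skipped reviews rather than forged ones; the approval itself should be enforced by the repository host before the merge.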
Some Surprises are Good!
To be clear, we’re singling out unapproved and unchecked code that can eventually cause big problems. We aren’t discussing intentional extras, ones that everyone on production knows about – like Google’s famous “askew” and anagram tricks (type them into your Google search bar to see what we mean. You’re welcome.) or all the goodies tucked inside every MCU movie ever.
Some of these intentional extras can be a whole lot of fun and can even be beneficial. On that note, in honor of Easter — the holiday — we’re offering you the very best in PC protection at a special 60% discount (valid April 14-22). See, your security and privacy really mean a lot to us here at Reason CyberSecurity — we want to ensure that threats stemming from things like malware and even Easter eggs can’t harm your data. So to snag your special discount, go to Reason Premium Antivirus and sign up now.
Now that you’re secured from all kinds of threats, it’s time to find some Easter eggs — the chocolate kind — and get going. Happy Easter from all of us at Reason CyberSecurity.