Easter Eggs and Security

Posted by mike3 on May 1, 2007, 3:30 am
Hi.

How would Easter Eggs be a big threat to security if they were
thoroughly examined by the company making the software for any real
security threat? Unless the company was all wildly corrupt, if some
disgruntled programmer stuck in, say, a logic bomb, it would be found
out. (programmers would have to notify the rest of the company that
they put in EEs, and since they wouldn't notify about logic bombs
(obviously), they would get shot down.)


Posted by Bogwitch on May 1, 2007, 1:37 pm
mike3 wrote:
> Hi.
>
> How would Easter Eggs be a big threat to security if they were
> thoroughly examined by the company making the software for any real
> security threat? Unless the company was all wildly corrupt, if some
> disgruntled programmer stuck in, say, a logic bomb, it would be found
> out. (programmers would have to notify the rest of the company that
> they put in EEs, and since they wouldn't notify about logic bombs
> (obviously), they would get shot down.)

IANAP but increasing the complexity of any system has the potential for
introducing (further) security vulnerabilities.

Unwarranted functions increase the code length that a reviewer has to
go through - that's just cruel. First rule of security - Protection of
the individual.

Unwarranted functions increase compiled file size and decrease program
execution speed. A denial of service.

Bogwitch.

Posted by mike3 on May 7, 2007, 4:45 pm
> mike3 wrote:
> > Hi.
>
> > How would Easter Eggs be a big threat to security if they were
> > thoroughly examined by the company making the software for any real
> > security threat? Unless the company was all wildly corrupt, if some
> > disgruntled programmer stuck in, say, a logic bomb, it would be found
> > out. (programmers would have to notify the rest of the company that
> > they put in EEs, and since they wouldn't notify about logic bombs
> > (obviously), they would get shot down.)
>
> IANAP but increasing the complexity of any system has the potential for
> introducing (further) security vulnerabilities.
>

So even if the easter egg itself was checked for security, and passed,
it might still have induced some subtle flaw perhaps by interaction with
other parts of the program?

> Unwarranted functions increase the code length that a reviewer has to
> go through - that's just cruel. First rule of security - Protection of
> the individual.
>

Protection of the reviewers, you mean, from hard work? As that's
the "individual" who you seem to be referring to. And does it really
increase it by all that big an amount? See, eggs are not like adding
1500 extra lines of code. Many eggs can be implemented with only
a small amount of code -- I mean, it takes very little code to put up
a little message that says "JOHNNY" when you push some key
combination on the keyboard or click the right buttons in the right
order. What sort of harm would having the wee bit of extra
patience on the part of the reviewers for examining just 20 more
lines out of a huge program with over 400,000 lines at the barest
minimum do? Especially if they were notified beforehand that a tiny
easter egg exists? If they objected to doing the work (yes, they
would be given a CHOICE, and besides, more work = more dollars
you know!) the egg could always be removed.

> Unwarranted functions increase compiled file size and decrease program
> execution speed. A denial of service.
>
> Bogwitch.

Do a couple of easter eggs really do it that much? AFAIK most of the
eggs I've seen are not a computationally intensive or intricate piece
of work, it's not like there's a secret Mersenne prime tester or physics
sim that starts up in there, or any other intense and complicated
program. How much slower and bulkier would, say, a little thing that
says "JOHNNY" upon pressing some unused key combination really
make the program, anyway?


Posted by Bogwitch on May 8, 2007, 3:37 pm
mike3 wrote:
>> mike3 wrote:
>>> Hi.
>>> How would Easter Eggs be a big threat to security if they were
>>> thoroughly examined by the company making the software for any real
>>> security threat? Unless the company was all wildly corrupt, if some
>>> disgruntled programmer stuck in, say, a logic bomb, it would be found
>>> out. (programmers would have to notify the rest of the company that
>>> they put in EEs, and since they wouldn't notify about logic bombs
>>> (obviously), they would get shot down.)
>> IANAP but increasing the complexity of any system has the potential for
>> introducing (further) security vulnerabilities.
>>
>
> So even if the easter egg itself was checked for security, and passed,
> it might still have induced some subtle flaw perhaps by interaction with
> other parts of the program?

Increasing the complexity of ANY system has the potential for
introducing (further) security vulnerabilities. Perhaps by interaction
with other parts of the program, perhaps in some other way.

>> Unwarranted functions increase the code length that a reviewer has to
>> go through - that's just cruel. First rule of security - Protection of
>> the individual.
>>
>
> Protection of the reviewers, you mean, from hard work? As that's
> the "individual" who you seem to be referring to. And does it really
> increase it by all that big an amount? See, eggs are not like adding
> 1500 extra lines of code. Many eggs can be implemented with only
> a small amount of code -- I mean, it takes very little code to put up
> a little message that says "JOHNNY" when you push some key
> combination on the keyboard or click the right buttons in the right
> order. What sort of harm would having the wee bit of extra
> patience on the part of the reviewers for examining just 20 more
> lines out of a huge program with over 400,000 lines at the barest
> minimum do? Especially if they were notified beforehand that a tiny
> easter egg exists? If they objected to doing the work (yes, they
> would be given a CHOICE, and besides, more work = more dollars
> you know!) the egg could always be removed.

Is this an example of an American failing to understand British humour?
It was a tongue in cheek comment. The original post did not specify a
type of EE, so it could be just flashing 'Johnny' up on the screen or it
could be running a 3d maze of some kind, or a flight sim. Who knows?

>> Unwarranted functions increase compiled file size and decrease program
>> execution speed. A denial of service.
>>
>> Bogwitch.
>
> Do a couple of easter eggs really do it that much? AFAIK most of the
> eggs I've seen are not a computationally intensive or intricate piece
> of work, it's not like there's a secret Mersenne prime tester or physics
> sim that starts up in there, or any other intense and complicated
> program. How much slower and bulkier would, say, a little thing that
> says "JOHNNY" upon pressing some unused key combination really
> make the program, anyway?

Your processor now has to wait for interrupts from the keyboard and scan
for additional input matches. No, I'm sure this won't add much more
processor time to your application but it adds SOME. Thus denying the
processor cycles to something 'useful'. Would it make the application
larger, yes, but not much. Still going to use up potentially precious
disk space.

In short, would your customers prefer a larger, slower application that
massages the programmer's ego or would they prefer an application that
does what it is expected to do in the smallest possible space and the
shortest possible time?

I know what my customers would prefer, I know what I would prefer. YMMV.

Bogwitch.

Posted by mike3 on May 12, 2007, 7:21 pm
> mike3 wrote:
> >> mike3 wrote:
> >>> Hi.
> >>> How would Easter Eggs be a big threat to security if they were
> >>> thoroughly examined by the company making the software for any real
> >>> security threat? Unless the company was all wildly corrupt, if some
> >>> disgruntled programmer stuck in, say, a logic bomb, it would be found
> >>> out. (programmers would have to notify the rest of the company that
> >>> they put in EEs, and since they wouldn't notify about logic bombs
> >>> (obviously), they would get shot down.)
> >> IANAP but increasing the complexity of any system has the potential for
> >> introducing (further) security vulnerabilities.
>
> > So even if the easter egg itself was checked for security, and passed,
> > it might still have induced some subtle flaw perhaps by interaction with
> > other parts of the program?
>
> Increasing the complexity of ANY system has the potential for
> introducing (further) security vulnerabilities. Perhaps by interaction
> with other parts of the program, perhaps in some other way.
>

Even something as simple as just adding an extra key command
to the keyboard handler that just pops up a little message box?
How exactly can this generate a security hole? Any scenarios
you might know about?

> >> Unwarranted functions increase the code length that a reviewer has to
> >> go through - that's just cruel. First rule of security - Protection of
> >> the individual.
>
> > Protection of the reviewers, you mean, from hard work? As that's
> > the "individual" who you seem to be referring to. And does it really
> > increase it by all that big an amount? See, eggs are not like adding
> > 1500 extra lines of code. Many eggs can be implemented with only
> > a small amount of code -- I mean, it takes very little code to put up
> > a little message that says "JOHNNY" when you push some key
> > combination on the keyboard or click the right buttons in the right
> > order. What sort of harm would having the wee bit of extra
> > patience on the part of the reviewers for examining just 20 more
> > lines out of a huge program with over 400,000 lines at the barest
> > minimum do? Especially if they were notified beforehand that a tiny
> > easter egg exists? If they objected to doing the work (yes, they
> > would be given a CHOICE, and besides, more work = more dollars
> > you know!) the egg could always be removed.
>
> Is this an example of an American failing to understand British humour?

Probably.

> It was a tongue in cheek comment. The original post did not specify a
> type of EE, so it could be just flashing 'Johnny' up on the screen or it
> could be running a 3d maze of some kind, or a flight sim. Who knows?
>

But I'm talking about most "usual" easter eggs, which are often
simple. Like just displaying "JOHNNY". If a maze/flight sim was
added I'd bet it would easily get noticed. That is a nontrivial
program. Maybe I wasn't clear, but that was my drift -- how
could something relatively trivial be so hard to examine?

> >> Unwarranted functions increase compiled file size and decrease program
> >> execution speed. A denial of service.
>
> >> Bogwitch.
>
> > Do a couple of easter eggs really do it that much? AFAIK most of the
> > eggs I've seen are not a computationally intensive or intricate piece
> > of work, it's not like there's a secret Mersenne prime tester or physics
> > sim that starts up in there, or any other intense and complicated
> > program. How much slower and bulkier would, say, a little thing that
> > says "JOHNNY" upon pressing some unused key combination really
> > make the program, anyway?
>
> Your processor now has to wait for interrupts from the keyboard and scan
> for additional input matches. No, I'm sure this won't add much more
> processor time to your application but it adds SOME. Thus denying the
> processor cycles to something 'useful'. Would it make the application
> larger, yes, but not much. Still going to use up potentially precious
> disk space.
>

But who is going to have such a tight margin anyway that a few
extra bytes or KBs is going to do so much?

> In short, would your customers prefer a larger, slower application that
> massages the programmer's ego or would they prefer an application that
> does what it is expected to do in the smallest possible space and the
> shortest possible time?
>
> I know what my customers would prefer, I know what I would prefer. YMMV.
>

Even when the time lost is unnoticeable? That is the type of attitude
I don't quite understand. What sort of mega-time-sensitive stuff might
a few milli or micro seconds of time slower a word processor is made
by a tiny easter egg interfere with? Can one really NOTICE that? I'd
suppose you wouldn't want to include easter eggs, in, say, a complicated
physics simulation program for a supercomputer where every darned
cycle of every darned CPU in the machine counts, but a _word
processor_?

> Bogwitch.

