US administration adds “subliminal” ad to White House website

Security

Hidden messages, features or jokes in apps and websites are commonly known in hacker jargon as easter eggs, because they’re supposed to be found and enjoyed, but they’re not supposed to be immediately obvious.

One of the most famous easter eggs in commercial software history – if not the most complex – was the hidden flight simulator (really!) in Microsoft Excel 97.

How to fly in Excel 97. Open New workbook. Hit F5. Type in L97:X97 [Enter][Tab]. Ctrl-Shift-Click on the Chart Wizard icon. Fly using mouse. Hit [Esc] to end.

Sometimes, amusingly, it wasn’t games hidden in business apps, but business apps hidden in games.

One of the most famous computer games in software history, the first IBM PC version of Tetris, had a hidden spreadsheet as its easter egg, or more accurately as its boss mode.

Boss mode, activated with the boss key, often Ctrl-B or Alt-B so it was quick to type, popped up a more dubious sort of easter egg intended as a decoy.

Boss screens were meant to cover the display instantly with what might just about look like real work if your boss suddenly appeared on the horizon.

Not the most convincing decoy in the world, even for a US company.
Tetris boss screen “spreadsheet” app.

As you can imagine, hidden and undocumented code of this sort is not as common these days, because it’s not a terribly good cybersecurity look.

After all, if there’s a whole flight simulator hidden behind some sort of esoteric incantation involving the keyboard and the mouse (in Word 97, the easter egg was a pinball game), how well was it tested?

How thoroughly was the code reviewed? How official was the process by which the code was added to the source tree? What else was snuck in there by developers and never noticed at all? Did the person who approved the digital signing of the shipped software even know that easter egg code existed? Are customers entitled to official support and patches for the easter egg? If not, why not?

Having said that, even the very latest version of Microsoft Edge contains an openly secret surfing game that you can access by visiting the special URL edge://surf:

Surfing in Edge. (Screen grab from Edge for Linux 89.0.767.0.)
Click the three-lines menu for a choice of game types.

Likewise, many websites contain harmless jokes and messages, often inserted into the HTTP headers added to the reply, rather than in the body of the HTML data itself.

Marvel’s website adds a header to tell you which comic book hero the server you visited is named after.

In this HTTP connection, it was She-Hulk who replied to us:

WordPress tells you where to find job openings:

Well, it turns out that the new 2021 White House website added a job ad, too, presumably hoping to get some publicity and to attract job applicants to the US Digital Service (USDS).

The USDS describes itself as a part of the public service that aims to use “design and technology to deliver better services to the American people”, and its goal is to attract at least some of those technophiles that might otherwise be lured to join the fast-paced, dollar-sign world of commercial cloud-based products and services.

After all, today’s technology business juggernauts are in a position to offer eye-watering starting salaries and the promise of fast-paced, ever-changing coding challenges based on the very latest hardware platforms and programming languages.

Even the processes and procedures they use feel cooler and more progressive than anything you might expect in a “government job” (you’d be wrong, but it’s a perception we’ve heard often enough).

It’s astonishing how much cooler terms like methodology and paradigm (or rules and regulations) sound when you replace them with funkier contemporary nouns and epithets instead.

Who wants to use the tired-and-turgid waterfall metholodolgy when they could be using extreme devops techniques with continuous integration, and seeing their code shipping in days or weeks rather than in months, years, decades or never?

Who wants to work on ancient code decks (decks! the word itaelf harks right back to punched cards!) written in all-caps COBOL when they could be learning and using the new darling language of the programming world, Rust?

Heck, Rust’s logo is a stylised bicycle chainring, and it’s a funked-up chainring, too, like the sort of front sprocket you’d put on a trendy fixie and not on a conventional bicycle.

Rust chainring logo.
Good luck finding a chain to fit and a rear sprocket to suit.

Note to hipster Rust fans. That chainring is a bit too small for a practical road-going bike, assuming you could get fixie cranks it would fit onto, and even if you were to use it with the dubious choice of 12T at the rear; the teeth are quite the wrong shape to carry a roller chain; and its unbalanced design suggests an inherent structural weakness that would surely lead to potentially catastrophic failure during a critical braking manouevre on a hillbombing run. But perhaps those are all metaphors that were deliberately hidden in the logo right from the start, as a sort of easter meta-egg?

Of course, the cool life of a commercial coder isn’t for everyone.

For some techies, that sort of job isn’t so much cool as cold; isn’t so much meaningful as mechanical; and isn’t so much about building for the future as it is about delivering ROI right now.

Presumbly, that’s the sort of person that the USDS was hoping to appeal to with its latest job advertisement…

…which was embedded as an HTML comment at the top of every web page on the new administration’s White House website:

USDS job ad in White House HTML source code. Use Ctrl-U in Firefox to see the code yourself.
The text in the highlighted tag is an HTML comment so it does not appear on screen in the page that’s displayed.

Amusingly, the HTML on the USDS website’s home page also currently contains an easter egg in the form of a comment – but this one is a pure-play easter egg, not a job ad:

Easter egg on USDS home page.
“Meet Mollie the crab, our unofficial mascot”.

What can we learn?

Easter eggs of this sort are good fun, given that they’re ultimately meant to be found and don’t contain any information that’s supposed to be confidential.

But they do teach us an important cybersecurity lesson about embedding genuine secrets such as hardwired passwords and backdoors: DON’T DO IT!

As this case makes abundantly clear, given how quickly it was noticed and publicised, trying to keep digital secrets by relying merely on them “not being noticed” will not protect you at all.

Once your backdoor is discovered, you’re not only stuck with it, but also have to assume that the whole world knows about it.

Indeed, this easter egg proves how quickly hidden news can become common knowledge.

It’s less that 48 hours since the ad first appeared, but the link in the “hidden” comment has already been changed so that it takes you to the USDS home page instead of specifially to the job application page.

We’re assuming that’s because the USDS very quickly received way more applications than it planned for.

PS. If you know of any other 2021 website easter eggs you think our readers would enjoy (SFW only, please!), let us know in the comments below.


Products You May Like

Articles You May Like

Missing Teens Used School Laptops to Chat with Alleged Abductors
Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites
Popular password manager in the spotlight over web trackers
Satanic Temple Loses Cyber-squatting Lawsuit
Safeguarding children against cyberbullying in the age of COVID‑19

Leave a Reply

Your email address will not be published. Required fields are marked *