Squiz CMS Easter Eggs (or: why do I keep seeing Greg’s name in my CAPTCHA?)

Anybody who has, like me, come into contact with the Squiz Matrix CMS for any length of time will have come across the reasonably easy-to-read but remarkably long CAPTCHA that it shows. These are especially-noticeable in its administrative interface, where it uses them as an exaggerated and somewhat painful “are you sure?” – restarting the CMS’s internal crontab manager, for example, requires that the administrator types a massive 25-letter CAPTCHA.

Four long CAPTCHA from the Squiz Matrix CMS.
Four long CAPTCHA from the Squiz Matrix CMS.

But there’s another interesting phenomenon that one begins to notice after seeing enough of the back-end CAPTCHA that appear. Strange patterns of letters that appear in sequence more-often than would be expected by chance. If you’re a fan of wordsearches, take a look at the composite screenshot above: can you find a person’s name in each of the four lines?

Four long CAPTCHA from the Squiz Matrix CMS, with the names Greg, Dom, Blair and Marc highlighted.
Four long CAPTCHA from the Squiz Matrix CMS, with the names Greg, Dom, Blair and Marc highlighted.

There are four names – GregDomBlair and Marc – which routinely appear in these CAPTCHA. Blair, being the longest name, was the first that I noticed, and at first I thought that it might represent a fault in the pseudorandom number generation being used that was resulting in a higher-than-normal frequency of this combination of letters. Another idea I toyed with was that the CAPTCHA text might be being entirely generated from a set of pronounceable syllables (which is a reasonable way to generate one-time passwords that resist entry errors resulting from reading difficulties: in fact, we do this at Three Rings), in which these four names also appear, but by now I’d have thought that I’d have noticed this in other patterns, and I hadn’t.

Instead, then, I had to conclude that these names were some variety of Easter Egg.

In software (and other media), "Easter Eggs" are undocumented hidden features, often in the form of inside jokes.
Smiley decorated eggs. Picture courtesy Kate Ter Haar.

I was curious about where they were coming from, so I searched the source code, but while I found plenty of references to Greg Sherwood, Marc McIntyre, and Blair Robertson. I couldn’t find Dom, but I’ve since come to discover that he must be Dominic Wong – these four were, according to Greg’s blog – developers with Squiz in the early 2000s, and seemingly saw themselves as a dynamic foursome responsible for the majority of the CMS’s code (which, if the comment headers are to be believed, remains true).

Greg, Marc, Blair and Dom, as depicted in Greg's 2007 blog post.
Greg, Marc, Blair and Dom, as depicted in Greg’s 2007 blog post.

That still didn’t answer for me why searching for their names in the source didn’t find the responsible code. I started digging through the CMS’s source code, where I eventually found fudge/general/general.inc (a lot of Squiz CMS code is buried in a folder called “fudge”, and web addresses used internally sometimes contain this word, too: I’d like to believe that it’s being used as a noun and that the developers were just fans of the buttery sweet, but I have a horrible feeling that it was used in its popular verb form). In that file, I found this function definition:

/**
 * Generates a string to be used for a security key
 *
 * @param int            $key_len                the length of the random string to display in the image
 * @param boolean        $include_uppercase      include uppercase characters in the generated password
 * @param boolean        $include_numbers        include numbers in the generated password
 *
 * @return string
 * @access public
 */
function generate_security_key($key_len, $include_uppercase = FALSE, $include_numbers = FALSE) {
  $k = random_password($key_len, $include_uppercase, $include_numbers);
  if ($key_len > 10) {
    $gl = Array('YmxhaXI=', 'Z3JlZw==', 'bWFyYw==', 'ZG9t');
    $g = base64_decode($gl[rand(0, (count($gl) - 1)) ]);
    $pos = rand(1, ($key_len - strlen($g)));
    $k = substr($k, 0, $pos) . $g . substr($k, ($pos + strlen($g)));
  }
  return $k;
} //end generate_security_key()

For the benefit of those of you who don’t speak PHP, especially PHP that’s been made deliberately hard to decipher, here’s what’s happening when “generate_security_key” is being called:

  • A random password is being generated.
  • If that password is longer than 10 characters, a random part of it is being replaced with either “blair”, “greg”, “marc”, or “dom”. The reason that you can’t see these words in the code is that they’re trivially-encoded using a scheme called Base64 – YmxhaXI=Z3JlZw==, bWFyYw==, and ZG9t are Base64 representations of the four names.

This seems like a strange choice of Easter Egg: immortalising the names of your developers in CAPTCHA. It seems like a strange choice especially because this somewhat weakens the (already-weak) CAPTCHA, because an attacking robot can quickly be configured to know that a 11+-letter codeword will always consist of letters and exactly one instance of one of these four names: in fact, knowing that a CAPTCHA will always contain one of these four and that I can refresh until I get one that I like, I can quickly turn an 11-letter CAPTCHA into a 6-letter one by simply refreshing until I get one with the longest name – Blair – in it!

A lot has been written about how Easter Eggs undermine software security (in exchange for a small boost to developer morale) – that’s a major part of why Microsoft has banned them from its operating systems (and, for the most part, Apple has too). Given that these particular CAPTCHA in Squiz CMS are often nothing more than awkward-looking “are you sure?” dialogs, I’m not concerned about the direct security implications, but it does make me worry a little about the developer culture that produced them.

I know that this Easter Egg might be harmless, but there’s no way for me to know (short of auditing the entire system) what other Easter Eggs might be hiding under the surface and what they do, especially if the developers have, as in this case, worked to cover their tracks! It’s certainly the kind of thing I’d worry about if I were, I don’t know, a major government who use Squiz software, especially their cloud-hosted variants which are harder to effectively audit. Just a thought.

× × ×

Hello 2013: My Birthday

This is the second in a series of four blog posts which ought to have been published during January 2013, but ran late because I didn’t want to publish any of them before the first one.

I spent the weekend of my birthday working in London, alongside the Squiz team, who make the CMS that forms the foundation of most of the public-facing websites of the Bodleian Libraries. We’d originally scheduled this visit for a different week, but – in that way that projects sometimes do – the project got juggled about a bit and so I found myself spending the week of my birthday away from home.

The team at Squiz's London office, debriefing over drinks at the end of a crazy week.
The team at Squiz’s London office, debriefing over drinks at the end of a crazy week.

But on Tuesday – my second day working on-site at Squiz’s office, and coincidentally my birthday – disaster struck! Our first clue was when the lights went out. And then, a minute or so later, when the fire alarm started going off. No big deal, we all thought, as we gathered our possessions and prepared to leave the office – it’s probably just that the fire alarm sounds as a precaution if it’s electricity supply is disrupted… but as we started to go down the stairs and smelled the smoke, we realised that there really was a fire.

Visiting @SquizUK in London when... Building caught fire! Heaps of smoke, two pumps. Been evacuated.
My tweet, from outside the Squiz offices.

The first two fire engines arrived within minutes. Apparently, they don’t mess about when a city centre office block catches light. The smoke was very visible from the street: thick grey plumes pouring out from the basement windows. Theories about the cause of the fire were whispered around the assembled crowd, and the consensus seemed to be that the substation in the basement had overheated and set alight its room.

The first fire engines on the scene, as people are still filing out of the building.
People were still filing out of the building when the first of the fire engines arrived.

A third fire engine arrived, and – after about a quarter hour of assessing the situation and controlling the crowd – we were told that we wouldn’t be able to get back into our building for “at least an hour, probably more.” So, being British, we therefore decamped to one of the nearby bars for networking and a round of gin & tonic. After I texted some friends to say that I hadn’t expected to spend the afternoon of my birthday in the pub, but that it wasn’t an entirely unwelcome experience, a few of them had the cheek to ask once again how the fire had actually started.

Fire engines behind a yellow tape line.
Before long, the fire brigade had established a cordon some distance back from the fire, and were pouring water into the basement.

By the time we were allowed to return to the building, it was already getting dark, and we quickly discovered a new problem that faced us: with the power still well and truly out, the electronic door locks that secured the offices had become completely unusable. Not willing to abandon my laptop, keys, and other personal possessions overnight in an unfamiliar office, I waited around until a locksmith had been summoned and had drilled his way through the cylinder and allowed us into the building.

The code lock at the door of the Squiz offices.
Without power, it turns out that these things can be pretty useless. At least they “fail secure”, keeping the door locked (from the outside) in the event of a problem, rather than the alternative…

It being my birthday, I’d arranged that Ruth would come and spend the night down in London, and that we’d go out to Dans le Noir, a restaurant that I’d heard about from news articles and via friends some years prior, and always wanted to try. The restaurant has a distinct and quite remarkable theme that you probably won’t find anywhere else: that theme is that you eat unidentified food in pitch blackness.

A tealight candle burning in the dark.
Don’t be fooled: this picture of the tip of a candle wasn’t taken at Dans le Noir, but at Squiz.

As our (blind!) waiter, Gao, led Ruth and I by touch to our table, we suddenly realised that we’d all but forgotten exactly how dark pitch blackness actually is. When you stumble over your coffee table in the dark on a morning, that’s not truly black: there’s that sliver of light coming from underneath the curtains, or the faint glow of the LED light on the stereo. Real, complete darkness is disorienting and confusing, and to sit around in it – not even able to see whether your eyes are open or closed – for hours at a time is quite remarkable.

Blackness.
Now this is more like what it looks like at Dans le Noir!

It took us a little while to learn the new skills required to survive in this environment, but Gao was incredibly helpful. We worked out mechanisms for pouring drinks, for checking whether our plates were empty, and for communicating our relative movements (being geeks, as we are, Ruth and I quickly developed a three-dimensional coordinate-based system for navigating relative to an agreed centre-point: the tip of the bottle of our mystery wine). We also learned that there’s something truly humbling about being dependent upon the aid of a blind person to do something that you’d normally be quite capable of doing alone: simple things, like finding where your glass is.

Just come out of Dans le Noir, the restaurant where you eat mystery food in the dark, and... OMG. Expected a gimmick. Expected it to be about the food. But it's not. It's about so much more than that. Would eat here again.
My tweets after coming out of Ruth and I’s remarkable experience of Dans le Noir.

But the bigger lesson that we learned was about how darkness changes the way that we operate on a social level. Ruth and I were sat alongside another couple, and – deprived of body language, the judgement of sight, and the scrutiny of eye contact – we quickly entered into a conversation that was far deeper and more real than I would have anticipated having with total strangers. It was particularly strange to see Ruth, who’s usually so shy around new people, really come out as confident and open. I theorise that (in normally-signted people) eye contact – that is, being able to see that others can see you – serves as a regulator of our willingness to be transparent. Depriving it for long enough that its lack begins to feel natural makes us more frank and honest. Strange.

Still no power at @SquizUK following yesterday's fire. Just waiting for more people to arrive so we can work out where we're working today. Decamped to a number of venues around East London. The team I've been working with and I are in the basement of a nearby cafe!
Live updates, primarily for the benefit of the people back at my usual workplace, on progress at Squiz.

Back at Squiz the following day, there was still no electricity. Credit is due to the team there, though, who quickly put in to effect their emergency plans and literally “moved office” to a handful of conference rooms and meeting spaces around Shoreditch. “Runners” were nominated to help relay messages and equipment between disparate groups of people, and virtualised networks were established across the city. I laughed when I discovered that Squiz’s old offices had been in an old fire station.

Squiz team members put their emergency plan into effect.
Team members at Squiz, in their unlit, unheated office, begin to put their emergency plan into place, picking up computers and transporting them to alternative venues.

Before long, the folks I’d been working with and I were settled into a basement meeting room in a nearby café, running a stack of Mac desktops and laptops from a monumental string of power strips, and juggling an Internet connection between the café’s WiFi and a stack of Mifi-like devices. We were able to get on with our work, and the day was saved, all thanks to some smart emergency planning. Later in the week, a generator was deployed outside the building and we were able to return to normal desks, but the quick-thinking of the management ensured that a minimum of disruption was caused in the meantime.

After a wonderful night of comedy with @BrynS, I'm back in the office (in the building that caught fire), now powered by a huge generator.
My tweet about seeing comedy with Bryn and about returning to the office (now powered by a huge generator).

Not one to waste the opportunity to make the most of being in London for a week, I spent another of my evenings out with Bryn. He and I went out to the Free Fringe Fundraiser, which – despite a notable absence of Peter Buckley Hill, who had caught a case of the then-dominating norovirus – was still a great deal of fun. It was particularly pleasing to get to see Norman Lovett in the flesh: his particular brand of surrealist anti-humour tickles me mercilessly.

So what could have been “just another business trip” turned into quite the adventure, between fires and birthdays and eating-in-the-dark and comedy. If only it hadn’t taken me two months to finish writing about it…

× × × × × × ×