[a quote from Ed Catmull’s book Creativity Inc.] made me think a lot about the early days of Gutenberg and the huge
resistance it had in the community, including causing the fork of ClassicPress. Now that we’re much further along there’s a pretty widespread acceptance of Gutenberg, and it’s
responsible for the vast majority of all WP posts and pages made; however, if we had taken a vote for whether it should happen or not, it probably wouldn’t have ever gotten off the
ground.
What’s funny is if you go back even further, using a visual WYSIWYG editor in the first place was very controversial, and many people didn’t want the classic editor brought into
WordPress.
Long-term WordPresser here; I remember when 2.0 integrated TinyMCE and it was absolutely necessary to ensure that raw HTML editing
remained an option, clear and up-front. Which I’m glad of: I probably hit raw HTML about once a month when I’m blogging, to this day!
I was among those who strongly resisted Gutenberg. Nowadays I use it every day! But my primary personal blog, which was already almost six years old when it migrated to WordPress 1.2
back in 2004, still uses the classic editor. I enjoy that I have the freedom to do that.
When we talk about open source meaning freedom, this is the kind of thing we mean. Years ago, I was in charge of the CMS for a major academic
institution when the company behind that CMS made a gradual and concerted effort to become less open-source. That CMS didn’t have the ecosystem
and community around it that WordPress has, and so no forks took off, and so my employer got locked in to upgrading to a new version that was mostly closed-source and was in some ways
inferior. Ugh.
(Incidentally, I got them off that CMS: they’re now using a mixture of WordPress and Drupal for most of their
systems. Open source won.)
Change isn’t always good. But open source provides the freedom to embrace change in the way that suits you best.
Anybody who has, like me, come into contact with the Squiz Matrix CMS for any length of time will
have come across the reasonably easy-to-read but remarkably long CAPTCHA that it
shows. These are especially noticeable in its administrative interface, where it uses them as an exaggerated and somewhat painful “are you sure?” – restarting the CMS’s internal
crontab manager, for example, requires that the administrator types a massive 25-letter CAPTCHA.
Four long CAPTCHA from the Squiz Matrix CMS.
But there’s another interesting phenomenon that one begins to notice after seeing enough of the back-end CAPTCHA that appear: strange patterns of letters that appear in sequence
more often than would be expected by chance. If you’re a fan of wordsearches, take a look at the composite screenshot above: can you find a person’s name in each of the four lines?
Four long CAPTCHA from the Squiz Matrix CMS, with the names Greg, Dom, Blair and Marc highlighted.
There are four names – Greg, Dom, Blair and Marc – which routinely appear in these CAPTCHA.
Blair, being the longest name, was the first that I noticed, and at first I thought that it might represent a fault in the pseudorandom number generation being used that was resulting
in a higher-than-normal frequency of this combination of letters. Another idea I toyed with was that the CAPTCHA text might be being entirely generated from a set of pronounceable
syllables (which is a reasonable way to generate one-time passwords that resist entry errors resulting from reading difficulties: in fact, we do this at Three Rings), in which these four names also appear, but by now I’d have
thought that I’d have noticed this in other patterns, and I hadn’t.
Instead, then, I had to conclude that these names were some variety of Easter Egg.
Smiley decorated eggs. Picture courtesy Kate Ter Haar.
I was curious about where they were coming from, so I searched the source code, but while I found plenty of references to Greg Sherwood, Marc McIntyre, and Blair Robertson, I
couldn’t find Dom. I’ve since come to discover that he must be Dominic Wong – these four were, according to Greg’s blog, developers with Squiz in the early 2000s, and seemingly saw themselves as a dynamic
foursome responsible for the majority of the CMS’s code (which, if the comment headers are to be believed, remains true).
Greg, Marc, Blair and Dom, as depicted in Greg’s 2007 blog post.
That still didn’t answer for me why searching for their names in the source didn’t find the responsible code. I started digging through the CMS’s source code, where I eventually
found fudge/general/general.inc (a lot of Squiz CMS code is buried in a folder called “fudge”, and web addresses used internally sometimes contain this word, too: I’d like to
believe that it’s being used as a noun and that the developers were just fans of the buttery sweet, but I have a horrible feeling that it was used in its popular verb form). In that file, I found
this function definition:
    /**
     * Generates a string to be used for a security key
     *
     * @param int     $key_len           the length of the random string to display in the image
     * @param boolean $include_uppercase include uppercase characters in the generated password
     * @param boolean $include_numbers   include numbers in the generated password
     *
     * @return string
     * @access public
     */
    function generate_security_key($key_len, $include_uppercase = FALSE, $include_numbers = FALSE)
    {
        // random_password() is a Squiz helper defined elsewhere in the code base (not shown here)
        $k = random_password($key_len, $include_uppercase, $include_numbers);
        if ($key_len > 10) {
            // Base64-encoded names, decoded at run time so they never appear as plain text in the source
            $gl = Array('YmxhaXI=', 'Z3JlZw==', 'bWFyYw==', 'ZG9t');
            $g = base64_decode($gl[rand(0, (count($gl) - 1))]);
            // Choose a position (never 0) and overwrite strlen($g) characters of the random key with the name
            $pos = rand(1, ($key_len - strlen($g)));
            $k = substr($k, 0, $pos) . $g . substr($k, ($pos + strlen($g)));
        }
        return $k;
    }//end generate_security_key()
For the benefit of those of you who don’t speak PHP, especially PHP that’s been made deliberately hard to decipher, here’s what’s happening when “generate_security_key” is being called:
A random password is being generated.
If that password is longer than 10 characters, a random part of it is being replaced with either “blair”, “greg”, “marc”, or “dom”. The reason that you can’t see these words in the
code is that they’re trivially-encoded using a scheme called Base64 – YmxhaXI=, Z3JlZw==, bWFyYw==, and ZG9t are Base64 representations of the four
names.
This seems like a strange choice of Easter Egg: immortalising the names of your developers in CAPTCHA. It seems like a strange choice especially because this somewhat weakens the
(already-weak) CAPTCHA, because an attacking robot can quickly be configured to know that an 11+-letter codeword will always consist of letters and exactly one instance of one of these
four names: in fact, knowing that a CAPTCHA will always contain one of these four and that I can refresh until I get one that I like, I can quickly turn an
11-letter CAPTCHA into a 6-letter one by simply refreshing until I get one with the longest name – Blair – in it!
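To put numbers on that weakening, here is an added example (my own Python, not Squiz’s code) that ports the PHP function above and then counts how many candidate keys remain for a solver that knows the rule. It assumes lowercase-only keys, as in the screenshots; the entropy figure is a lower bound because overlapping outcomes are counted separately.

```python
import base64
import math
import random
import string

# The four Base64 tokens exactly as they appear in the Squiz function quoted above.
ENCODED_NAMES = ['YmxhaXI=', 'Z3JlZw==', 'bWFyYw==', 'ZG9t']
NAMES = [base64.b64decode(t).decode('ascii') for t in ENCODED_NAMES]  # blair, greg, marc, dom
ALPHABET = string.ascii_lowercase  # assumption: lowercase-only keys, as in the screenshots

def generate_security_key(key_len, rng=random.SystemRandom()):
    """Python port of the PHP generate_security_key(): splice one name into keys longer than 10."""
    k = ''.join(rng.choice(ALPHABET) for _ in range(key_len))
    if key_len > 10:
        g = rng.choice(NAMES)
        pos = rng.randrange(1, key_len - len(g) + 1)  # PHP rand(1, key_len - strlen(g)), inclusive
        k = k[:pos] + g + k[pos + len(g):]
    return k

def find_name(key):
    """Return the embedded name (longest first) or None: the check a solver runs on each CAPTCHA."""
    for name in sorted(NAMES, key=len, reverse=True):
        if name in key:
            return name
    return None

def candidate_count(key_len):
    """Upper bound on keys a solver must consider once it knows the rule: each name at each
    allowed position, with only the remaining letters unknown. The nominal space is
    len(ALPHABET) ** key_len; keys of 10 letters or fewer are untouched by the Easter Egg."""
    if key_len <= 10:
        return len(ALPHABET) ** key_len
    return sum((key_len - len(n)) * len(ALPHABET) ** (key_len - len(n)) for n in NAMES)

def bits_lost(key_len):
    """Entropy (bits) the Easter Egg gives away relative to a uniform key of the same length."""
    return key_len * math.log2(len(ALPHABET)) - math.log2(candidate_count(key_len))

def unknown_after_refresh(key_len, name='blair'):
    """Letters left to guess if the solver refreshes until the longest name appears (the 11 -> 6 above)."""
    return key_len - len(name) if key_len > 10 else key_len

if __name__ == '__main__':
    for n in (10, 11, 25):
        print(n, generate_security_key(n), round(bits_lost(n), 1), 'bits lost')
```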
A lot has been written about how Easter Eggs undermine software security (in exchange for a
small boost to developer morale) – that’s a major part of why Microsoft has banned them from its operating systems (and, for the most part, Apple has too). Given that these
particular CAPTCHA in Squiz CMS are often nothing more than awkward-looking “are you sure?” dialogs, I’m not concerned about the direct security implications, but it does make me worry
a little about the developer culture that produced them.
I know that this Easter Egg might be harmless, but there’s no way for me to know (short of auditing the entire system) what other Easter Eggs might be hiding under the
surface and what they do, especially if the developers have, as in this case, worked to cover their tracks! It’s certainly the kind of thing I’d worry about if I were, I don’t
know, a major government that uses Squiz software, especially its cloud-hosted variants, which are harder to
effectively audit. Just a thought.
This is the second in a series of four blog posts which ought to have been published during January
2013, but ran late because I didn’t want to publish any of them before the first one.
I spent the weekend of my birthday working in London, alongside the Squiz team, who make the CMS that forms the foundation of most of the public-facing websites of the Bodleian Libraries. We’d originally scheduled this visit for a different
week, but – in that way that projects sometimes do – the project got juggled about a bit and so I found myself spending the week of my birthday away from home.
The team at Squiz’s London office, debriefing over drinks at the end of a crazy week.
But on Tuesday – my second day working on-site at Squiz’s office, and coincidentally my birthday – disaster struck! Our first clue was when the lights went out. And then, a minute or so
later, when the fire alarm started going off. No big deal, we all thought, as we gathered our possessions and prepared to leave the office – it’s probably just that the fire alarm
sounds as a precaution if its electricity supply is disrupted… but as we started to go down the stairs and smelled the smoke, we realised that there really was a fire.
My tweet, from outside the Squiz offices.
The first two fire engines arrived within minutes. Apparently, they don’t mess about when a city centre office block catches light. The smoke was very visible from the street: thick
grey plumes pouring out from the basement windows. Theories about the cause of the fire were whispered around the assembled crowd, and the consensus seemed to be that the substation in
the basement had overheated and set alight its room.
People were still filing out of the building when the first of the fire engines arrived.
A third fire engine arrived, and – after about a quarter hour of assessing the situation and controlling the crowd – we were told that we wouldn’t be able to get back into our building
for “at least an hour, probably more.” So, being British, we therefore decamped to one of the nearby bars for networking and a round of gin & tonic. After I texted some friends to say
that I hadn’t expected to spend the afternoon of my birthday in the pub, but that it wasn’t an entirely unwelcome experience, a few of them had the cheek to ask once again how
the fire had actually started.
Before long, the fire brigade had established a cordon some distance back from the fire, and were pouring water into the basement.
By the time we were allowed to return to the building, it was already getting dark, and we quickly discovered a new problem that faced us: with the power still well and truly out, the
electronic door locks that secured the offices had become completely unusable. Not willing to abandon my laptop, keys, and other personal possessions overnight in an unfamiliar office,
I waited around until a locksmith had been summoned and had drilled his way through the cylinder and allowed us into the building.
Without power, it turns out that these things can be pretty useless. At least they “fail secure”, keeping the door locked (from the outside) in the event of a problem, rather than the
alternative…
It being my birthday, I’d arranged that Ruth would come and spend the night down in London, and that we’d go out to
Dans le Noir, a restaurant that I’d heard about from news articles and via friends some years prior, and always
wanted to try. The restaurant has a distinct and quite remarkable theme that you probably won’t find anywhere else: that theme is that you eat unidentified food in pitch blackness.
Don’t be fooled: this picture of the tip of a candle wasn’t taken at Dans le Noir, but at Squiz.
As our (blind!) waiter, Gao, led Ruth and me by touch to our table, we suddenly realised that we’d all but forgotten exactly how dark pitch blackness actually is. When you stumble over
your coffee table in the dark on a morning, that’s not truly black: there’s that sliver of light coming from underneath the curtains, or the faint glow of the LED light on the stereo.
Real, complete darkness is disorienting and confusing, and to sit around in it – not even able to see whether your eyes are open or closed – for hours at a time is quite remarkable.
Now this is more like what it looks like at Dans le Noir!
It took us a little while to learn the new skills required to survive in this environment, but Gao was incredibly helpful. We worked out mechanisms for pouring drinks, for checking
whether our plates were empty, and for communicating our relative movements (being geeks, as we are, Ruth and I quickly developed a three-dimensional coordinate-based system for
navigating relative to an agreed centre-point: the tip of the bottle of our mystery wine). We also learned that there’s something truly humbling about being dependent upon the aid of a
blind person to do something that you’d normally be quite capable of doing alone: simple things, like finding where your glass is.
My tweets after coming out of Ruth’s and my remarkable experience of Dans le Noir.
But the bigger lesson that we learned was about how darkness changes the way that we operate on a social level. Ruth and I were sat alongside another couple, and – deprived of
body language, the judgement of sight, and the scrutiny of eye contact – we quickly entered into a conversation that was far deeper and more real than I would have anticipated having
with total strangers. It was particularly strange to see Ruth, who’s usually so shy around new people, really come out as confident and open. I theorise that (in
normally sighted people) eye contact – that is, being able to see that others can see you – serves as a regulator of our willingness to be transparent. Depriving it for long enough that
its lack begins to feel natural makes us more frank and honest. Strange.
Live updates, primarily for the benefit of the people back at my usual workplace, on progress at Squiz.
Back at Squiz the following day, there was still no electricity. Credit is due to the team there, though, who quickly put into effect their emergency plans and literally “moved office”
to a handful of conference rooms and meeting spaces around Shoreditch. “Runners” were nominated to help relay messages and equipment between disparate groups of people, and virtualised
networks were established across the city. I laughed when I discovered that Squiz’s old offices had been in an old fire station.
Team members at Squiz, in their unlit, unheated office, begin to put their emergency plan into place, picking up computers and transporting them to alternative venues.
Before long, the folks I’d been working with and I were settled into a basement meeting room in a nearby café, running a stack of Mac desktops and laptops from a monumental string of
power strips, and juggling an Internet connection between the café’s WiFi and a stack of Mifi-like
devices. We were able to get on with our work, and the day was saved, all thanks to some smart emergency planning. Later in the week, a generator was deployed outside the building and
we were able to return to normal desks, but the quick-thinking of the management ensured that a minimum of disruption was caused in the meantime.
My tweet about seeing comedy with Bryn and about returning to the office (now powered by a huge generator).
Not one to waste the opportunity to make the most of being in London for a week, I spent another of my evenings out with Bryn. He and I went out to the Free
Fringe Fundraiser, which – despite a notable absence of Peter Buckley Hill, who had caught a case of the then-dominating
norovirus – was still a great deal of fun. It was particularly pleasing to get to see Norman Lovett in the flesh: his particular brand of surrealist anti-humour tickles me mercilessly.
So what could have been “just another business trip” turned into quite the adventure, between fires and birthdays and eating-in-the-dark and comedy. If only it hadn’t taken me two
months to finish writing about it…