
Facebook admits “supply chain data leak” in new Oculus headsets

One week out from Easter, and Facebook's Oculus subsidiary has admitted a "hidden message Easter Egg" gone wrong. Coincidence? Or...

Oculus, Facebook’s virtual reality subsidiary, has fessed up to what might be the weirdest ever data leak.

OK, so it might not actually be a data leak at all, even though messages that weren’t supposed to be released seem to have got out.

And even if it is a data breach, it’s kind of cool – did we say that aloud, or just think it? – and may end up making the affected devices more sought after, and worth more money on online auction sites, than vanilla ones.

At any rate, if we were a Data Privacy Officer – a job that we suspect might be thin on opportunities for fun, games and humour – we’d be cracking a smile at this one, if not breaking into laughter, instead of reaching for our breach report forms.

The leaked messages are, literally and physically, printed characters that ended up hidden inside “tens of thousands” of new Oculus motion controllers.

We’re not big VR fans ourselves, but we think that motion controllers are the things you strap onto your hands so you can waft your way through virtuality, rather than the masochistic-looking faux diving goggles [Can we just say ‘sinister’ or ‘peculiar’ instead? Ed.] that you wear while immersed in unreality.

Supposed to be found

The hidden messages were presumably there to be found by the more obsessive among the journalists and developers who received prototype and pre-release versions for review.

When you give cool new hardware out hoping to attract publicity, the techies who get it [a] haven’t had to pay for it, [b] don’t have to give it back, and [c] want to know what’s inside, so the very first thing they are going to do is…

…TAKE IT APART!

Forget about the illusory access control provided by weird pentalobe security bolts, or so-called security screws hidden behind warranty stickers, or those fantastically fine tolerances that are supposed to keep even the thinnest guitar picks and spudgers away from the clips that keep the case together.

The word spudger isn’t in Oxford’s British or American Dictionaries yet, but it should be. You’ll find the word used right back in the 1920s to describe hand-crafted, non-conductive wooden tools used to tweak radio receivers while they were electrically live; these days, spudgers are usually made of soft, springy plastic to prevent scratches rather than to avoid short circuits. Modern spudgers generally resemble dainty-looking bicycle tyre levers, and are used for easing apart tight-fitting plastic components held together by internal clips that are intended to convince you that there really are “no user serviceable parts inside”.

If it can be taken apart, it will be; and if it can’t, well, it will be anyway – there is no can’t.

So, why not leave secret messages inside for the early adopters to find and enjoy?

That’s exactly what happened, according to Oculus supremo Nate Mitchell, except that the plans went slightly awry:

As officially admitted by Mitchell above, the “early adopter” messages that went where they were supposed to – into the hands of reviewers and developers – were as follows:

   👁Big Brother is Watching👁 

   Hi iFixit! We See You!👁

The second message pays homage to device deconstruction experts iFixit, who publish gloriously neat and detailed teardowns of just about everything, even absurdly jammed-full devices like Apple’s Retina MacBooks, which rate 1/10 for “repairability”.

But some devices that have already been sent out into the consumer market supply chain inadvertently shipped with these words inside:

   This Space For Rent

   👁The Masons Were Here.👁

This sort of hidden “feature” is known in the technology industry as an Easter Egg, because it’s there for techies to hunt down and cheer about when found.

Today, by the way, is Palm Sunday, exactly one week out from Easter itself, but that’s a coincidence. [Are you sure? Ed.]

Easter Eggs considered harmful

The problem with IT-related Easter Eggs these days, especially if they’re programmatically embedded into software, firmware or websites, is that hidden features are generally regarded as a very bad thing indeed.

Firstly, backdoors – secret, undocumented, insecure ways past login screens or cryptographic protections – count as “hidden features”, and we all know what we think about backdoored products and algorithms.

Secondly, Easter Eggs are supposed to be little-known and hidden, so they tend to get a lot less testing than regular code, and may even bypass entirely the code review and sign-off processes that are supposed to happen before release.

Thirdly, Easter Eggs often get forgotten about, and jokes that might have been appreciated at one time by a select audience end up weird at best and creepy at worst if they survive past their use-by date.

What to do?

In general, if you’re a developer, avoid Easter Eggs in your code – they’re more trouble than they’re worth.

In this specific Easter Egg story, however, there’s nothing you need to do. (If you insist on taking some action, a smile wouldn’t hurt.)

This isn’t a misfeature that’s part of the firmware in the new Oculus devices; it’s not a software vulnerability; and even if you get one of the misprinted devices, you’re not going to see the message unless you are determined to do so by prising the device apart.

In fact, we wouldn’t be surprised to see devices that contain the “Masons Were Here” message fetching well-above-retail prices on online auction sites.

As Twitterer @dr_oculus quickly said:

What we can’t tell you, if you’re a collector who values that kind of thing, is how you’d tell a genuine dodgy Touch controller from a counterfeit dodgy controller if you came to buy one.

We also can’t be sure…

…but maybe we just got zuckered into a funky PR campaign, along with everyone else?


1 Comment

That does tell you something about Facebook’s actual standpoint on privacy and silent collection of user data.
My guess: “yeah, leave it there, that’s kind of funny. Worst case, that gives the Company a bit of bad publicity, which is publicity already.”
Love the “supply chain data leakage” PR, also.

