Skip to content
Naked Security Naked Security

US administration adds “subliminal” ad to White House website

Hiding digital "secrets" where they're supposed to be found is good fun. Just don't hide actual secrets and hope no one will notice!

Hidden messages, features or jokes in apps and websites are commonly known in hacker jargon as easter eggs, because they’re supposed to be found and enjoyed, but they’re not supposed to be immediately obvious.

One of the most famous easter eggs in commercial software history – if not the most complex – was the hidden flight simulator (really!) in Microsoft Excel 97.

How to fly in Excel 97. Open New workbook. Hit F5. Type in L97:X97 [Enter][Tab]. Ctrl-Shift-Click on the Chart Wizard icon. Fly using mouse. Hit [Esc] to end.

Sometimes, amusingly, it wasn’t games hidden in business apps, but business apps hidden in games.

One of the most famous computer games in software history, the first IBM PC version of Tetris, had a hidden spreadsheet as its easter egg, or more accurately as its boss mode.

Boss mode, activated with the boss key, often Ctrl-B or Alt-B so it was quick to type, popped up a more dubious sort of easter egg intended as a decoy.

Boss screens were meant to cover the display instantly with what might just about look like real work if your boss suddenly appeared on the horizon.

Not the most convincing decoy in the world, even for a US company.
Tetris boss screen “spreadsheet” app.

As you can imagine, hidden and undocumented code of this sort is not as common these days, because it’s not a terribly good cybersecurity look.

After all, if there’s a whole flight simulator hidden behind some sort of esoteric incantation involving the keyboard and the mouse (in Word 97, the easter egg was a pinball game), how well was it tested?

How thoroughly was the code reviewed? How official was the process by which the code was added to the source tree? What else was snuck in there by developers and never noticed at all? Did the person who approved the digital signing of the shipped software even know that easter egg code existed? Are customers entitled to official support and patches for the easter egg? If not, why not?

Having said that, even the very latest version of Microsoft Edge contains an openly secret surfing game that you can access by visiting the special URL edge://surf:

Surfing in Edge. (Screen grab from Edge for Linux 89.0.767.0.)
Click the three-lines menu for a choice of game types.

Likewise, many websites contain harmless jokes and messages, often inserted into the HTTP headers added to the reply, rather than in the body of the HTML data itself.

Marvel’s website adds a header to tell you which comic book hero the server you visited is named after.

In this HTTP connection, it was She-Hulk who replied to us:

WordPress tells you where to find job openings:

Well, it turns out that the new 2021 White House website added a job ad, too, presumably hoping to get some publicity and to attract job applicants to the US Digital Service (USDS).

The USDS describes itself as a part of the public service that aims to use “design and technology to deliver better services to the American people”, and its goal is to attract at least some of those technophiles that might otherwise be lured to join the fast-paced, dollar-sign world of commercial cloud-based products and services.

After all, today’s technology business juggernauts are in a position to offer eye-watering starting salaries and the promise of fast-paced, ever-changing coding challenges based on the very latest hardware platforms and programming languages.

Even the processes and procedures they use feel cooler and more progressive than anything you might expect in a “government job” (you’d be wrong, but it’s a perception we’ve heard often enough).

It’s astonishing how much cooler terms like methodology and paradigm (or rules and regulations) sound when you replace them with funkier contemporary nouns and epithets instead.

Who wants to use the tired-and-turgid waterfall metholodolgy when they could be using extreme devops techniques with continuous integration, and seeing their code shipping in days or weeks rather than in months, years, decades or never?

Who wants to work on ancient code decks (decks! the word itaelf harks right back to punched cards!) written in all-caps COBOL when they could be learning and using the new darling language of the programming world, Rust?

Heck, Rust’s logo is a stylised bicycle chainring, and it’s a funked-up chainring, too, like the sort of front sprocket you’d put on a trendy fixie and not on a conventional bicycle.

Rust chainring logo.
Good luck finding a chain to fit and a rear sprocket to suit.

Note to hipster Rust fans. That chainring is a bit too small for a practical road-going bike, assuming you could get fixie cranks it would fit onto, and even if you were to use it with the dubious choice of 12T at the rear; the teeth are quite the wrong shape to carry a roller chain; and its unbalanced design suggests an inherent structural weakness that would surely lead to potentially catastrophic failure during a critical braking manouevre on a hillbombing run. But perhaps those are all metaphors that were deliberately hidden in the logo right from the start, as a sort of easter meta-egg?

Of course, the cool life of a commercial coder isn’t for everyone.

For some techies, that sort of job isn’t so much cool as cold; isn’t so much meaningful as mechanical; and isn’t so much about building for the future as it is about delivering ROI right now.

Presumbly, that’s the sort of person that the USDS was hoping to appeal to with its latest job advertisement…

…which was embedded as an HTML comment at the top of every web page on the new administration’s White House website:

USDS job ad in White House HTML source code. Use Ctrl-U in Firefox to see the code yourself.
The text in the highlighted tag is an HTML comment so it does not appear on screen in the page that’s displayed.

Amusingly, the HTML on the USDS website’s home page also currently contains an easter egg in the form of a comment – but this one is a pure-play easter egg, not a job ad:

Easter egg on USDS home page.
“Meet Mollie the crab, our unofficial mascot”.

What can we learn?

Easter eggs of this sort are good fun, given that they’re ultimately meant to be found and don’t contain any information that’s supposed to be confidential.

But they do teach us an important cybersecurity lesson about embedding genuine secrets such as hardwired passwords and backdoors: DON’T DO IT!

As this case makes abundantly clear, given how quickly it was noticed and publicised, trying to keep digital secrets by relying merely on them “not being noticed” will not protect you at all.

Once your backdoor is discovered, you’re not only stuck with it, but also have to assume that the whole world knows about it.

Indeed, this easter egg proves how quickly hidden news can become common knowledge.

It’s less that 48 hours since the ad first appeared, but the link in the “hidden” comment has already been changed so that it takes you to the USDS home page instead of specifially to the job application page.

We’re assuming that’s because the USDS very quickly received way more applications than it planned for.

PS. If you know of any other 2021 website easter eggs you think our readers would enjoy (SFW only, please!), let us know in the comments below.


If you go to the home page as requested, and view its source, you currently get an ASCII picture of Mollie the crab, their unofficial mascot.


Hahahaha… indeed you do! (The article actually suggests Ctrl-U for viewing the source of the White House website, but I will add a screenshot of Mollie from USDS into the article, just for completeness :-)

Thanks for the note.

Mollie the mascot is apparently named after a USDS alumna called Mollie Ruskin:


Long before the web era – in the 1960’s at a very large UK company running LEO computers someone added a line to the December pay advices – “and a Happy Christmas to all our readers!”. Management were not amused!


LEO FTW! 70 years old this year!

You might like this article, now itself nearly a decade old, from when LEO turned 60:


Try this computer


Imagine troubleshooting and maintaining that TDC computer in the confines of a sub while on active duty…

…heck, just imagine being in the confines of a sub at all, even when safely docked in harbour in peacetime, even without being the “sysadmin” of a TDC!


BBC News has a thing in the JavaScript developer console directing you to some job adverts


Ha, that’s quite funky. It’s the most complex code wrapper around a call to “console.log()” that you’ve ever seen!

It even prints out a representation of the BBC logo by writing large-white-B-on-black-background[space]large-white-B-on-black-background[space]large-white-C-on-black-background. The links go to the BBC’s GitHub page and to the BBC’s careers page for “job type 57” (Technology, Systems & Delivery). Nice.

In Fire


I like your articles but I think you misused the word subliminal and so this feels a bit like clickbait


To be fair, I put the word in air quotes (and, yes, I am using the words “air quotes” metaphorically here, just as I did with “subliminal” in the headline).

I think it’s an unexceptionable usage, so I don’t plan to change it…

Glad you like the articles anyway :-)


What a trip down memory lane, especially with the Excel flight simulator and the Boss button. Here in the US the website for a pair of public radio auto gurus/comics (Car Talk’s Tom and Ray) had a prominent boss button on every page.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!