RE: Y2K trojans, and outsourcing...

[Henry Sieff <hsieff () orthodon com>]

> -----Original Message-----
> From: R. DuFresne [mailto:dufresne () sysinfo com]
> Sent: Monday, July 19, 1999 11:57 AM
> To: Henry
> Cc: firewall-wizards () nfr net
> Subject: Re: Y2K trojans, and outsourcing...
>
>
> On Mon, 19 Jul 1999, Henry wrote:
>
> > -----Original Message-----
> > From: Shappard, Richard, A (Rich) <rashappard () att com>
> > To: firewall-wizards () nfr net <firewall-wizards () nfr net>
> > Date: Sunday, July 18, 1999 3:19 PM
> > Subject: RE: Y2K trojans, and outsourcing...
> >
> >
> > > The only Trojans that the reporters at NBC know anything 
> about come in
> > > foil
> > > packages.  If you rely on the lamestream media for your 
> technology news
> > > you're in deep trouble.
> > >
> > > Did they happen to provide any references to this rumor?
> >
> > Saw the bit they did;  essentially its a problem of 
> insufficient background
> > checks for the code crunchers who have been brought in. No 
> exploits have
> > been found so far, but they had a few fairly respectable 
> professionals
> > (including someone from l0pht) talking about how they 
> SHOULD'VE been more
> > careful.
> >
> > I would have to agree, although I think as usual the media 
> is jumping on the
> > glamourous hacker chic bandwagon on this one.
> >
> > The $1 billion figure was a complete "guestimate", and as I 
> said, no one's
> > actually discovered a trojan or a backdoor.  However, I 
> know of a few
> > companies where consultants have been hired without the 
> sort of background
> > checks you would normally give for people who get to 
> directly handle code.
> > If a company has a decent security policy in place to begin 
> with, it really
> > shouldn't be a problem.
>
>
> From the article:
>
>    Several security firms say they have found "trap doors" in Y2K
>    programming. Some were placed to provide reputable firms 
> an entry for
>    future repairs, but others have been intentionally hidden.
>
>    "I'm aware of at least three such incidents," says Mike 
> Higgins of the
>    consulting firm Para-Protect Services. "One was in a major 
> information
>    technology company which used a Pakistani company to do (upgrades).
>    The company left a hidden trap door and has since gone out of
>    business."

I stand corrected; no more declarative statements for me. That should've
read, NBC knew of no specific cases of exploits, at least they didn't report
any on the segment I saw.  I'm sure it is a problem for larger firms, but I
also think that with an effective security policy which includes background
checks, it shouldn't be a real problem.

I think the hype potential of the story is huge, and the the exact cost of
"fixing" the problem will be hard to determine, since it will just be part
of th general mayhem of Y2K bug squashing anyways.

Unfortunately, (or fortunately) my company ended up doing all of our checks
ourselves, with staff MIS. But we're pretty small.

Henry
> Thanks,
>
> Ron DuFresne
> -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior consultant:  darkstar.sysinfo.com
>                   http://darkstar.sysinfo.com
>
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation."
>                 -- Johnny Hart
>
> testing, only testing, and damn good at it too!