Firewall Wizards mailing list archives
RE: Y2K trojans, and outsourcing...
From: Henry Sieff <hsieff () orthodon com>
Date: Mon, 19 Jul 1999 12:00:24 -0500
-----Original Message-----
From: R. DuFresne [mailto:dufresne () sysinfo com]
Sent: Monday, July 19, 1999 11:57 AM
To: Henry
Cc: firewall-wizards () nfr net
Subject: Re: Y2K trojans, and outsourcing...

On Mon, 19 Jul 1999, Henry wrote:

-----Original Message-----
From: Shappard, Richard, A (Rich) <rashappard () att com>
To: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Sunday, July 18, 1999 3:19 PM
Subject: RE: Y2K trojans, and outsourcing...

The only Trojans that the reporters at NBC know anything about come in foil packages. If you rely on the lamestream media for your technology news you're in deep trouble. Did they happen to provide any references to this rumor?

Saw the bit they did; essentially it's a problem of insufficient background checks for the code crunchers who have been brought in. No exploits have been found so far, but they had a few fairly respectable professionals (including someone from l0pht) talking about how they SHOULD'VE been more careful.

I would have to agree, although I think as usual the media is jumping on the glamorous hacker chic bandwagon on this one.

The $1 billion figure was a complete "guestimate", and as I said, no one's actually discovered a trojan or a backdoor. However, I know of a few companies where consultants have been hired without the sort of background checks you would normally give for people who get to directly handle code. If a company has a decent security policy in place to begin with, it really shouldn't be a problem.

From the article:

Several security firms say they have found "trap doors" in Y2K programming. Some were placed to provide reputable firms an entry for future repairs, but others have been intentionally hidden. "I'm aware of at least three such incidents," says Mike Higgins of the consulting firm Para-Protect Services. "One was in a major information technology company which used a Pakistani company to do (upgrades). The company left a hidden trap door and has since gone out of business."

I stand corrected; no more declarative statements for me. That should've read, NBC knew of no specific cases of exploits, at least they didn't report any on the segment I saw. I'm sure it is a problem for larger firms, but I also think that with an effective security policy which includes background checks, it shouldn't be a real problem. I think the hype potential of the story is huge, and the exact cost of "fixing" the problem will be hard to determine, since it will just be part of the general mayhem of Y2K bug squashing anyways. Unfortunately, (or fortunately) my company ended up doing all of our checks ourselves, with staff MIS. But we're pretty small.

Henry

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!