Secure Coding mailing list archives
2010 bug hits millions of Germans | World news | The Guardian
From: Kevin.Wall at qwest.com (Wall, Kevin)
Date: Thu, 7 Jan 2010 13:03:36 -0600
Stephen Craig Evans wrote...
Looks like there's another one: Symantec Y2K10 Date Stamp Bug Hits Endpoint Protection Manager http://www.eweek.com/c/a/Security/Symantec-Y2K10-Date-Stamp-Bug-Hits-Endpoint-Protection-Manager-472518/?kc=EWKNLSTE01072010STR1
I am VERY curious to learn how these happened... Only using the last digit of the year? Hard for me to believe. Maybe it's in a single API and somebody tried to be too clever with some bit-shifting.
Just speculation, but perhaps all these systems are using the "fixed window" technique to address these two digit year fields common on credit cards. The "pivot point" year that is chosen determines whether a 2 digit year field belongs to one century or the other. This could just be a carry over from the Y2K fixes and the rather poor choice for a pivot point. I worked next to a person who did some Y2K fixes for lots of mainframes back in 1998-99, and he said that using 'windowing' to address this was a pretty common technique because companies did not want to expand all their databases and forms, etc. to allow for 4 digits.

For example, if 1980 was chosen as the pivot year, then 2 digit years 80 through 99 would be assigned '1900' as the century and 00 through 79 would be assigned '2000' as the century. So perhaps 1910 was chosen as the pivot year (if DOB was a consideration, that would not be all that unreasonable) so that 10 through 99 is interpreted as 1900s and 00 through 09 was considered as 2000 something. So we hit 2010 and a credit card has a 2 digit year for its expiration or transaction date or whatever, and all of a sudden 01/10 or 01/07/10 is interpreted as 1910.

Usually using such a fixed windowing technique (there is also a sliding window technique that was a more expensive "fix") was only considered a stop-gap measure, with most organizations fixing things for real before the pivot year gave them trouble. But we all know about how good intentions work...or not.

Anyhow, like I said, this is only a GUESS of what might be going on. I have no hard data to back it up.

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
Kevin.Wall at qwest.com
Phone: 614.215.4788
"It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration" - Edsger Dijkstra, How do we tell truths that matter?
http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html
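The fixed-window expansion Kevin guesses at, with 1910 as the pivot, beside a sliding-window alternative, as an added example that is not part of any message in this thread. The check date 2010-01-07, the card expiry 01/10 and the 20-year look-back for the sliding window are constructed assumptions.

```python
from datetime import date

# Constructed scenario: the day the reported problems surfaced.
TODAY = date(2010, 1, 7)

def expand_fixed_window(yy: int, pivot_year: int) -> int:
    """Fixed-window expansion as described in the thread: two-digit years
    at or above the pivot's last two digits belong to the pivot's century,
    everything below it to the following century. The pivot never moves."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    century = pivot_year - pivot_year % 100      # 1900 for pivot 1910
    pivot_yy = pivot_year % 100
    return century + yy if yy >= pivot_yy else century + 100 + yy

def expand_sliding_window(yy: int, today: date, years_back: int = 20) -> int:
    """Sliding-window expansion: the 100-year window is re-anchored from
    the current date on every call, so it never silently goes stale."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    window_start = today.year - years_back       # 1990 on 2010-01-07
    candidate = window_start - window_start % 100 + yy
    return candidate if candidate >= window_start else candidate + 100

def card_expired(mm: int, yy: int, today: date, expand) -> bool:
    """A card stays valid through the last day of its MM/YY month.
    `expand` maps the two-digit year to a four-digit one."""
    year = expand(yy)
    first_expired = date(year + 1, 1, 1) if mm == 12 else date(year, mm + 1, 1)
    return today >= first_expired

if __name__ == "__main__":
    fixed_1910 = lambda yy: expand_fixed_window(yy, 1910)
    sliding = lambda yy: expand_sliding_window(yy, TODAY)
    # Same card, expiry 01/10, checked on 2010-01-07:
    print("fixed pivot 1910 ->", fixed_1910(10), "expired:",
          card_expired(1, 10, TODAY, fixed_1910))
    print("sliding window   ->", sliding(10), "expired:",
          card_expired(1, 10, TODAY, sliding))
```

Under the fixed 1910 pivot the card reads as expired in 1910; the sliding window places it in 2010 and accepts it.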
Current thread:
- 2010 bug hits millions of Germans | World news | The Guardian Kenneth Van Wyk (Jan 07)
- 2010 bug hits millions of Germans | World news | The Guardian Stephen Craig Evans (Jan 07)
- 2010 bug hits millions of Germans | World news | The Guardian ljknews (Jan 07)
- 2010 bug hits millions of Germans | World news | The Guardian Wall, Kevin (Jan 07)
- 2010 bug hits millions of Germans | World news | The Guardian ljknews (Jan 07)
- 2010 bug hits millions of Germans | World news | The Guardian McCown, Christian M (Jan 07)
- 2010 bug hits millions of Germans | World news | The Guardian ljknews (Jan 07)
- 2010 bug hits millions of Germans | World news | The Guardian Steven M. Christey (Jan 07)
- 2010 bug hits millions of Germans | World news | The Guardian Wall, Kevin (Jan 07)
- 2010 bug hits millions of Germans | World news | The Guardian Stephen Craig Evans (Jan 07)
- <Possible follow-ups>
- 2010 bug hits millions of Germans | World news | The Guardian Peter G. Neumann (Jan 07)
- 2010 bug hits millions of Germans | World news | The Guardian Matt Bishop (Jan 08)