Secure Coding mailing list archives

2010 bug hits millions of Germans | World news | The Guardian


From: Kevin.Wall at qwest.com (Wall, Kevin)
Date: Thu, 7 Jan 2010 13:03:36 -0600

Stephen Craig Evans wrote...

> Looks like there's another one:
>
> Symantec Y2K10 Date Stamp Bug Hits Endpoint Protection Manager
> http://www.eweek.com/c/a/Security/Symantec-Y2K10-Date-Stamp-Bug-Hits-Endpoint-Protection-Manager-472518/?kc=EWKNLSTE01072010STR1
>
> I am VERY curious to learn how these happened... Only using the last
> digit of the year? Hard for me to believe. Maybe it's in a single API
> and somebody tried to be too clever with some bit-shifting.

Just speculation, but perhaps all these systems are using the "fixed window"
technique to address these two digit year fields common on credit cards.
The "pivot point" year that is chosen determines whether a 2 digit year
field belongs to one century or the other. This could just be a carryover
from the Y2K fixes and a rather poor choice for a pivot point. I worked
next to a person who did some Y2K fixes for lots of mainframes back in
1998-99, and he said that using 'windowing' to address this was a pretty
common technique because companies did not want to expand all their
databases and forms, etc. to allow for 4 digits.

For example, if 1980 was chosen as the pivot year, then 2 digit years
80 through 99 would be assigned '1900' as the century and 00 through 79
would be assigned '2000' as the century. So perhaps 1910 was chosen as
the pivot year (if DOB was a consideration, that would not be all that
unreasonable) so that 10 through 99 are interpreted as the 1900s and
00 through 09 as the 2000s. So we hit 2010 and a credit card has a
2 digit year for its expiration or transaction date or whatever, and all
of a sudden 01/10 or 01/07/10 is interpreted as 1910.

Usually using such a fixed windowing technique (there is also a sliding
window technique that was a more expensive "fix") was only considered a
stop-gap measure with most organizations fixing things for real before
the pivot year gave them trouble. But we all know about how good intentions
work...or not.

Anyhow, like I said, this is only a GUESS of what might be going on. I have
no hard data to back it up.

-kevin
---
Kevin W. Wall           Qwest Information Technology, Inc.
Kevin.Wall at qwest.com    Phone: 614.215.4788
"It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration"
    - Edsger Dijkstra, How do we tell truths that matter?
      http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html
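The fixed and sliding windowing Kevin describes, written out as an added example (not code from the thread or from any of the affected products). The function names, the 1910 pivot, and the sample dates are assumptions chosen to reproduce the 2010 misread he speculates about:

```python
# Added example: two-digit year "windowing" and why a fixed pivot goes stale.
# Names, the 1910 pivot and the dates below are illustrative assumptions.
from datetime import date


def expand_fixed_window(yy: int, pivot: int) -> int:
    """Fixed window: two-digit years at or above the pivot's last two digits
    land in the pivot's century, smaller values in the next century.
    pivot=1980 -> 80..99 => 19xx, 00..79 => 20xx."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year must be 00..99")
    century = pivot - pivot % 100          # e.g. 1900 for pivot 1980
    if yy >= pivot % 100:
        return century + yy
    return century + 100 + yy


def expand_sliding_window(yy: int, today: date, back: int = 50) -> int:
    """Sliding window: the pivot is recomputed from the clock (here
    'back' years before today), so the window never goes stale."""
    return expand_fixed_window(yy, today.year - back)


def window_covers(pivot: int, year: int) -> bool:
    """Check a practitioner should run on any fixed pivot still in code:
    a 100-year window starting at 'pivot' only covers pivot..pivot+99."""
    return pivot <= year < pivot + 100


def interpret_expiry(mm_yy: str, pivot: int) -> date:
    """Expand a card-style 'MM/YY' string with a fixed window."""
    mm, yy = (int(p) for p in mm_yy.split("/"))
    return date(expand_fixed_window(yy, pivot), mm, 1)


if __name__ == "__main__":
    today = date(2010, 1, 7)               # the day of this thread
    # A Y2K-era pivot of 1910 reads "01/10" as January 1910, not 2010.
    print("fixed 1910 pivot :", interpret_expiry("01/10", 1910))
    print("window still ok? :", window_covers(1910, today.year))
    # The sliding window keeps tracking the calendar.
    print("sliding window   :", expand_sliding_window(10, today))
```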
