Y2K as DoS
(These days, it’s best to leave Y2K experience off your résumé.)
In the course of our business, we publicize countless possible Denial of Service attacks on our web site, and strongly urge users to take the appropriate steps to lessen their exposure to such attacks. We have now also begun recognizing Year 2000 bugs as possible DoS vulnerabilities. In fact, the date change event at the end of 1999 will be the largest Denial of Service attack the world has ever seen.
In the near future, we will be publishing a series of three articles in this space on Year 2000 related issues. This one begins by raising the issue of awareness and attitude, and ends by dispelling a few common myths. Future articles will cover the dangers of Y2K related litigation, and contingency planning. We won’t make a habit of preaching Y2K here, but it does deserve attention.
Our last corporate bank statement came with an audacious little note telling us how to prepare our business for the year 2000. The Royal Bank of Canada has developed a ten-minute Guide to the Year 2000 and is busy trumpeting it to all of its customers.
A quick trip through the enclosed documentation, followed by a search of the Royal Bank web site, yielded plenty of well-intentioned information focused on raising awareness of the Y2K issue throughout Canadian companies. The reason this is audacious is that there is only passing mention on the web site of the Royal Bank’s own compliance, under the heading Project Daybreak.
While they are impressing the need upon Codetalker to ensure that all of our important business partners are compliant, they are not providing the necessary information for us to confirm that our primary financial institution will still be standing on January 1, 2000.
I would like to have confidence in the system stability of our major Canadian banks. They have rigorously controlled systems, and they started their preparations as far back as 1995, but I just don’t see them shouting “We’re ready!” from their soapboxes, and I have yet to run across a published time-line. In light of this, their paternalistic behaviour is just slightly galling.
That said, Codetalker is well prepared. We have the advantage of using only recent generation hardware, and have a reasonably short inventory of applications in production use. And although it’s not our speciality, we try to make our clients as aware as possible of the potential ramifications of this little historic snafu, which is also the best reason to write these particular opinion pieces: awareness.
Kids Say The Darnedest Things
I have come across some otherwise well informed people who are completely in the dark surrounding the extent of this problem. One common reaction is “Oh, I thought Bill Gates solved that.” Think hard about this response, and contemplate its implications.
First, it implies that the world runs on Wintel PCs, which is patently false. The world still runs, for good, bad, and occasionally bizarre reasons, on heavy iron computers. Banks, utilities, hospitals, air traffic control systems all use what many falsely label obsolete hardware. And the list goes on.
Second, it implies there is such a beast as a silver bullet. This possibility is aptly disproved by Peter de Jager’s Biting the Silver Bullet (required reading for this class). I am actually very fond of saying the only silver bullet is leadership at the executive level.
Calling Y2K a Denial of Service risk is a somewhat unusual way of looking at the problem, and once the seriousness of the Y2K threat is recognized, it has the added benefit of emphasizing the seriousness of all DoS vulnerabilities.
Think of it this way: it’s a little like knowing a DoS attack is going to be perpetrated against your systems, and knowing the date on which it will happen. Would you take immediate action in this case? Certainly. And with extreme prejudice, I suspect.
Solving your company’s Y2K problem needs exactly that attitude.
A Few More Myths
- Myth: The Y2K bug has arisen because programmers were saving valuable disk space in the 60s.
This is the one that’s in the media all the time, in the quick explanations at the top of articles. It’s misleading because it’s partially true: Yes, programmers did save valuable disk and screen territory by dropping two digits from the date. But shortening dates to two digits is a normal, habitual process. It’s called windowing, and you and I do it all the time.
When I say “The 80s are over”, you intuitively know I’m not referring to the 1880s or the 2080s. There is a window of reasonability which makes my reference obvious. It’s a natural phenomenon to use two digits to express a year.
We may have started by saving a few bits of disk space in the 60s, but we continued to use two digits for the intervening years because that’s how we think.
- Myth: Y2K is a problem for the techies to figure out
Wrong. This is a board-level, risk management problem.
- Myth: The millennium bug scare was created by computer consultants to make money.
Well, this one may be true in some isolated cases. But in the case of this consultant, Y2K work is absolutely the last thing I want to be doing. It’s filthy, tedious work, and companies usually could have prevented it with a modicum of managerial foresight five years ago. Nothing sets my teeth on edge quicker than preventable work, profitable or not.
- Myth: 2000 is not a leap year
Typically, years that are divisible by 100 are not leap years. However, years that are also divisible by 400 are. 2000 is a leap year.
- Myth: February 2000 has 30 days
There is no such thing as a double leap year in the Gregorian calendar. Check Claus Tøndering’s Calendar FAQ for some very entertaining reading on the subject.
- Myth: 2000 is the start of a new millennium
The third millennium starts on January 1, 2001, not 2000. Somebody tell the M&M ad execs.
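The windowing and leap-year points above, worked through in Python as an added example that is not part of the original article: it shows how a two-digit year field produces a negative interval across the rollover, and how a shortened leap-year rule rejects February 29, 2000. The pivot of 50, the function names and the sample YYMMDD fields are assumptions constructed for illustration.

```python
from datetime import date

PIVOT = 50  # assumed window: 00-49 -> 2000-2049, 50-99 -> 1950-1999

def expand_naive(yy):
    """Legacy behaviour: every two-digit year is taken to be 19yy."""
    return 1900 + yy

def expand_windowed(yy, pivot=PIVOT):
    """Fixed-window expansion: years below the pivot fall in the 2000s."""
    return (2000 if yy < pivot else 1900) + yy

def is_leap(year):
    """Full Gregorian rule: century years are leap only if divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)

def is_leap_century_bug(year):
    """Shortcut that stops at the divisible-by-100 rule and gets 2000 wrong."""
    return year % 4 == 0 and year % 100 != 0

def parse_yymmdd(text, expand, leap=is_leap):
    """Parse a six-digit YYMMDD field, checking the day against the leap rule."""
    if len(text) != 6 or not text.isdigit():
        raise ValueError(f"expected YYMMDD, got {text!r}")
    year, mm, dd = expand(int(text[:2])), int(text[2:4]), int(text[4:])
    days = [31, 29 if leap(year) else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    if not 1 <= mm <= 12 or not 1 <= dd <= days[mm - 1]:
        raise ValueError(f"{text!r} is not a valid date in {year}")
    return date(year, mm, dd)

def days_between(start, end, expand):
    """Elapsed days between two YYMMDD fields (interest periods, expiry checks)."""
    return (parse_yymmdd(end, expand) - parse_yymmdd(start, expand)).days

def accepts(text, expand, leap=is_leap):
    """True if the field parses; a rejected valid date is a denied transaction."""
    try:
        parse_yymmdd(text, expand, leap)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample fields straddling the rollover and the leap day.
    print(days_between("991231", "000101", expand_naive))     # -36523
    print(days_between("991231", "000101", expand_windowed))  # 1
    print(accepts("000229", expand_windowed, is_leap_century_bug))  # False
    print(accepts("000229", expand_windowed))                       # True
```

A fixed window only moves the ambiguity to the pivot year, so any field that can legitimately hold dates more than a century apart still needs four-digit years.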
In Case You Hadn’t Heard
If you don’t watch TV, read the papers, listen to the radio, or surf the web, yet have somehow wandered across our web site, here’s a few pointers for getting yourself all learned up about Y2K.
Some of these sites are scary, one is well beyond paranoid, but they’re pretty good eye openers all the same.
- The Year 2000 Information Center: Peter de Jager’s very informative site.
- Y2K Contingency Plan Guidelines: Mitre’s excellent methodology on what to do when there’s not enough time. Tick tock.
- Gary North’s Y2K Links and Forums: The worst case scenario. Email these essays to non-believers, but please, take them with a grain of salt.
- Suck’s Year 2000 Prognostication: Better culture through humour.
Evan Spence
Friday, May 22, 1998