Millennium debuggers cry foul

Plus NHS data, DirecTV and BBC fridges

Letters We think we touched a nerve with one of the pieces we dug up from the vault this week. The implication that the whole Y2K thing was a storm in a teacup did not sit well with some of the heroes who saved us from The Bug.

"As history records, or at least the history as recorded by the one person who was still sober on the fateful night, absolutely nothing happened. Mankind emerged blinking into the light of the new millennium without beholding a vista of total devastation.

One thing had changed, however: somewhere on a beach in Barbados, the CEO of a Y2K compliance company and his VP in charge of scaremongering were toasting their good work in a solid-gold jacuzzi into which the words "A fool and his money are soon parted" had been lovingly engraved."

At the risk of being FoTW, I think this is a tad unfair. Although there were people who did nicely out of scaring people about Y2K, the fact that very little failed at the millennium shows the success of those of us who worked bloody hard to make sure it wasn't a problem.

I was Technical Director of a vertical market software house in those days and I started planning for Y2K compliance in about 1995, and my programmers spent a *lot* of man hours changing our data structures and code over the last couple of years before the millennium to ensure we were compliant. We finally achieved compliance in summer 1999, so our software coped admirably with Y2K, but it would have fallen over rather badly if we had not done the work beforehand. -- Regards

Paul Oldham


On your "5 years ago today" story, mocking the Y2K doom-mongers for predicting disasters that never happened - I did Y2K work back in 1999.

The reason there were no major disasters was that I, and the thousands like me, worked our arses off. Would we have been given the time and resources if people had said, "it probably won't be that big a deal"?

I think not.

Yours, Dave Hemming, ex-COBOL programmer


Hi Guys, I really enjoy your site; the articles are well written and light and airy, and I rarely feel the need to whine about anything you have written. I even own a hacker hat, polo shirt and mug.... but (bet you didn't know that was coming).

I grow garlic in my garden to keep elephants away. I have never seen an elephant in my garden; see how well it works?

Y2K was different: systems would have failed, serious problems with major financial systems would have caused significant losses, things would have stopped working. Many people put a lot of hard work into fixing and testing systems before problems occurred. Nothing happened, but this was in no small part because of the effort that people put in to make sure nothing happened. OK, so a few people took advantage of the scaremongering, but it doesn't mean that it was a waste of time. But of course, things did actually happen: no planes dropped out of the sky, but issues still occurred, minor ones, like the 105-year-old who got the call-up to go to primary school. The planes won't drop out of the sky until the 4-byte rollover in 2038. I'll be retired by then, but perhaps I'll come out of retirement to do some expensive consulting on the 4br bug ;-)

Mikey

Two words for you, regarding millennium cash-ins: travel agents. That's all we are saying.


Also this week, NASA suggested that British strawberries might get to go to Mars. We immediately set about trying to work out how we could disguise ourselves as summer fruits, to blag a place on the mission. Other people had more realistic thoughts about it:

Hi Lucy,

"NASA scientists are keen to use an English breed because it will be more accustomed to low light levels than those from California or Florida."

Ah - that'll be all those clouds, I suppose. Here in Norway, the strawberries get plenty of sunlight during their ripening season, due to days being longer further north. That effect should also apply for the UK variety relative to Californian and Floridian - they may have more intense sunshine, but it's for a briefer period each day.

> the fruit has already been nicknamed the 'Marsberry'.

It's perhaps worth noting that the Norse word for strawberry is Jordbaer, literally "Earth berry", so that's a very apt nickname :^)

Eddy.


This week, a US appeals court ruled that DirecTV "cannot sue individuals for merely possessing technology useful for illegally intercepting the company's satellite signal".

Well, DirecTV's campaign of bullying purchasers of smart card technology is finally beginning to unravel. It is long past time, in this subscriber's opinion.

I am a DirecTV stockholder, and pay close to $100.00 USD per month for the service. I am all for going after actual pirates. Yet I am furious that DirecTV would engage in a campaign that looks (to me) like a shakedown. I have always thought that harassing and threatening your customers is a shoddy way of doing business and shows a complete lack of basic business knowledge. It is strip-mining plain and simple, and the act of a management that has no long term vision or plan. Not a comforting thought for a DTV stockholder.

Clearly, engineering a robust defense against signal piracy is preferable to flooding the court system with frivolous lawsuits and tormenting your clients. Get with it DirecTV!

So now DirecTV states that they will 'investigate claims of innocence!' What gonads they have! Unless their lawyers have purchased their diplomas from some internet mill, they ought to know that in a criminal case in the USA, a defendant is presumed innocent until proven guilty beyond a reasonable doubt. Claims of innocence indeed! The burden of proof is on DirecTV.

Now that the court has ruled that mere possession of smart card technology does not justify the filing of civil lawsuits against suspected pirates, DirecTV will have to do its homework before it can hope to win lawsuits claiming piracy. This is how it should have been all along. Security researchers and other users of smart card technology need not fear the jack-booted thugs from DirecTV any more.

Now if I could just get DirecTV to drop all of those shopping and pay per view channels and put that bandwidth to use improving their signal quality which suffers horribly from compression artifacts when viewed on a large screen TV. It is a dream I have.

Steve Lubman


The flip side, of course, of huge NHS investment in IT is that hospitals and the like are stuffed full of nice, fenceable computer equipment, just waiting to be nicked. This week, it was the turn of the pathology department at The Royal Shrewsbury in Shropshire:

Lucy;

This happens very frequently all over. The first time I happened to run across this problem was in Buenos Aires in 1989. The company's first customer that year was a branch office of a Brazilian bank where we had to specify the expansion of the network. During this job, one fine day a guy came in, told the security guards he was from maintenance and removed the server 'for maintenance'. They let him walk away happily through the front door with all the financial records the Argentina branch office had (and the server, of course). I'm sure there are many, many more cases like this all over.

Miguel


As you might imagine, this is not the first such theft from a hospital. I work for the xxxxxx Hospital in xxxxx and we lost a similar number of systems a couple of years ago.

This is a sad world and it has a number of bad people in it. The event I mention occurred in an area that is open to the public during the day but is locked at night. The thieves had to bash open a fairly substantial door to get in. They neatly disconnected everything and left little mess (other than the door).

The reason I am writing is to express my unhappiness at the fact that in Shrewsbury the computers seem to have contained confidential data. Please feel free to mention to your readers the benefits of computer networking.

Workstations should not contain data. They are for applications. All data should be on servers in really well locked down areas. Ours have cameras, motion sensors, swipe card access and so on. Nothing's foolproof, but we do try. When our machines 'walked' we were able to say that none of them contained anything more confidential than document templates and the contents of browser caches. We were able to pull some old machines out of cupboards and everything was running within a few hours. It was running a bit slower though...

Scott


So, in 7 years' time - or whenever - these PCs would have contained "patient data" including (presumably) ID card identifiers etc ... So a nice case of (easy) stolen identities. (Nice to see the NHS knows what backup is though!)

It's going to take a fair bit of work to secure these "ID systems", isn't it!? One more thing to add to the list of "Change Procedures":

"No patient data should remain on an unsecured system for longer than the period of time it takes the operator to process/use/view that information. Neither should such information be stored (other than in temporary memory) on any such unsecured machine - Any such temporary storage must also be automatically erased once the machine has been inactive for a period of 5 minutes."

Has .gov budgeted for this revamp of all NHS/Police/Social Services systems in their cost calculations?

Thin Client IS the way forward - Someone send a Post-It to Home Secretary Blunkwit mentioning the need to investigate this "cost issue".

Andy Harrison


I will never understand how people who are charged with storing sensitive confidential information don't seem to understand the most basic principles of security.

Confidential information should only be stored on computers in a locked room. Desktop and laptop computers should never have any files with confidential information stored locally. People in positions of responsibility seem to take the attitude that they won't be the victim of any problems that will compromise the sensitive data that they store on machines that are out in the open and are accessible by the janitor or people who wander into an area when nobody else is around.

It's long past time that people lose their jobs over these kinds of incidents. These so called responsible people never suffer any consequences in these situations.

Kevin McDonald


The US government relented (slightly) on its request that we hand over voodoo representations of ourselves for them to stick pins in if we are bad while visiting the US. Well, it has extended the deadline for the biometric passports, anyway. And we were making it up about the voodoo dolls too.

When, oh when, are the members of our governments going to wake up and realise that my passport already contains biometric data - it's a picture of my face.

Cheers

Steve Foster


If the US want biometric data on passports, why not give them some? As far as I understand, they did not ask for a specific kind, did they?

I could imagine, for instance, a sealed drop of the ID holder's urine planted into the passport or a scratch-and-sniff panel of their body odour. Something that is definitely biometric data, obviously silly and possibly a little gross to the poor person who has to evaluate it, but not to the passport's wielder.

I can even imagine some of the bigger privacy advocacy groups paying for it.

After all, if our big brother overseas says so, we little old countries have to obey, don't we?

Yours sincerely (more or less, as far as this issue is concerned), Sabine Miehlbradt

We like the way your mind works, Sabine. An excellent level of silliness.


And, let's end on a light note. The mysterious case of the BBC fridge delivery mix-up.

Hi There,

Fantastic, certainly made my day brighter. Maybe the beeb could do a show called 'When deliveries go wrong'. Cheers, Rob


Hi Lester, Perhaps it wasn't a mistake but a tape for David Attenborough's series Life in the Freezer programme :-)

en Haiku:

Might it not have been
A good idea for Beth et al
To obscure numbers?

Now, before we get lots of emails about this one, we understand that, technically, a Haiku should have 17 syllables, divided into five, seven and five. No one needs to write in and explain this to us. Also, we are aware that in fact these 17 syllables are not supposed to be English syllables, but Japanese onji, which are not quite equivalent, and that the 17 thing is more of a guideline than an actual rule, anyway. Sort of like the rules of Parlez, but with less piracy. OK?

Oh, I hate to do this with a really good story, but I'm not into software forensics for nothing ... If you actually look into the .mp3 file, you will find references to the creator of the file, possibly one Steve Cripps, possibly at a company called Wise Buddha. More importantly, you find references to a creation date of July 2000 ...

Well, as Lester himself said: Blast! Still, let's not let a few minor details get in the way of a good story, eh? ®
