As panic increases, and pressure builds for management to put hordes of programmers to work on Y2K, won't it become impossible to thoroughly inspect all the many source code changes which ensue? How will we be able to stop malicious code from being planted into source code?

We are all well aware of the many viruses and trojan horses which we have to watch out for today. But we have anti-virus software to help us detect and fix problems in that area. The same people who put viruses and trojan horses on the internet may find it exceptionally easy to plant the same sort of stuff within source code being repaired for Y2K. Besides the people who are just plain mean, think also about industrial espionage and political espionage.

Does anybody know if this problem is being addressed? Care to share the details with the rest of us?

-- Richard M. Woodward (wwwprogrammer@email.msn.com), May 17, 1998

Answers

I can't comment on viruses and Trojan horses, but I do distinctly remember a New York Times article of about two months ago concerning companies that were sending their remediation work overseas to India. Apparently there are multiple cases of "corrected" programs being returned with new and illicit back doors added to allow unauthorized entry after the programs were reinstalled. I haven't seen anything more about it since. Wonder what the going price for a back door to the R&D files at Exon or du Pont would be worth. Curiously, a post I wrote on another site shortly afterwards referring to the problem disappeared the day after I wrote it.

-- J.D. Clark (yankeejdc@aol.com), May 18, 1998.

I'd ask two questions about this speculation:

What would you do if you were ticked off at the West?

How many people are there in the world who know what you know and are ticked off at the West.?

-- Carl Chaplin (chaplin@lillonet.org), May 24, 1998.

There is a new VIRUS in an email message "WIN A HOLIDAY".....Do not open if you receive it as it will erase all data on your hard drive....Message from Microsoft May 27/98. As if Y2k was not enough to contend with.

-- Laurane (familyties@rttinc.com), May 28, 1998.

You can not get a virus from an e-mail message. It is carried on a macro or executable. If there is a file attached to an e-mail and you don't know the sending party, delete it - don't open it. These virus scares have been running around for years.

-- Rebecca Kutcher (kutcher@pionet.net), May 28, 1998.

Actually, that's no longer quite true.

A lot of people now use e-mail clients that display incoming HTML, including executing any embedded JavaScript and Java applets. IE in particular can now auto-open attached Word documents, which can in turn contain Word macro viruses. There are security holes in many browsers--particularly betas, which seem more common than golden masters anymore.

Viruses aren't getting smarter, but e-mail clients are making more assumptions and automating more steps in the name of multimedia glitz.

-- Mark Zieg (mzieg@orlandosentinel.com), May 28, 1998.