Y2K upgrades may lead to new trouble

07/15/99 - Updated 11:45 PM ET

By M.J. Zuckerman, USA TODAY

From common thievery to threats of terrorism, the mass upgrading of computers to avoid potential collapse after Dec. 31, 1999, is creating a new set of vulnerabilities to businesses and national security.

"I'm very concerned," says Sen. Robert Bennett, R-Utah, co-chairman of the Senate Special Committee on Year 2000. "I think the Y2K experience has opened our eyes as a society to how vulnerable we are. If (Y2K) could cause this kind of disruption by accident, what kind of disruption could we have if someone sought to do us harm on purpose?"

What has Bennett and others worried is twofold. First, individuals involved in the upgrade process could sabotage a system or leave themselves a way to gain control of it later.

Also, most upgrades involve moving away from a variety of software, some unique to an industry or corporation, and installing commercial, off-the-shelf products, which frequently come to market with unintended bugs that can be exploited.

"You don't need a malevolent person to take some special action, but merely to make use of a common weakness," says Fred Schneider, Cornell University computer science professor.

Many firms doing upgrades are hiring outside contractors to make fixes to sensitive systems.

The Gartner Group, a consulting firm specializing in Year 2000 research, is predicting that these third-party upgrades of code will result in at least one single $1 billion theft or fraud directly linked to Y2K code upgrades.

Gartner's previous Y2K studies are accepted articles of faith, including predictions that from $300 billion to $600 billion will be spent worldwide fixing the Y2K problem. The price tag likely will exceed $1 trillion with litigation resulting from Y2K trouble.

"I find the Gartner prediction an understatement," says Tom Noonan, CEO of SSI, a leading computer security firm. "I don't know that we've found a single case where folks doing (the upgrading for Y2K) haven't left behind trap doors." Most, Noonan says, are legitimate means for technicians to make future repairs. Even so, the trap doors could be abused.

Gene Spafford, Purdue University computer science professor, argues for government efforts to improve "buggy" commercial software. Instead, he says, the government is approving legislation protecting the industry from Y2K suits. "This continuing trend to shield software companies puts consumers at risk," he says.

-- Gayla (privacy@please.com), July 18, 1999

Answers

Hi Gayla,

How have you been? Haven't noticed you around much. I saw the article you noted, I believe. Has some very important ideas in it. But I can't understand if they are so determined to protect businesses why they aren't transferring the concern to individuals. After all, no individual, no business... I'm really starting to believe that the politicians have no concern for people on business that will make them money. They have all sold out!

-- Moore Dinty moore (not@thistime.com), July 19, 1999.


"Many firms doing upgrades are hiring outside contractors to make fixes to sensitive systems."

This quote reminds me of a profound post a while back.

Do any of the old-timers here remember the post from the Y2k remediator who described his project in detail (for some reason, I think he was from Canada), including all the recently hired people who could barely speak English? As I recall, he left that project and posted his story after he did. It was quite a story.

Anybody got a link? I bet it's in the archives somewhere.

:)

-- FM (vidprof@aol.com), July 19, 1999.


Hi Dinty Moore! Good to "see" you, too! :-) FM, do you remember any part of the title of the article? If you can remember any key words, I can find it in about 5 minutes. The man (programmer) who shares an office with my husband told him about a friend of his (from Iran) who was hired recently to work on a Y2K project in DC. There was no background check of any kind done on him. He said this guy would never sabotage anything anyway, but they both found it interesting that NO check was done on him.

-- Gayla (privacy@please.com), July 19, 1999.
