July 26, 1999 -- Newsletter #38

By Joe Burns



Please visit http://www.htmlgoodies.com

Regarding last week's Newsletter about Hackers and Crackers...

I made the statement that Hackers were those out to do harm and Crackers were those who followed a code of ethics against doing evil. Apparently my sources were outdated or just plain wrong. Readers let me know, in no uncertain terms, that I had the two backwards and provided a mountain of evidence to back their point. The correct interpretation of the terms is that Hackers are those who follow the code of ethics, not wanting to cause harm, and Crackers are those who are out to be malicious. Readers' main concern was the media's use of "Hacker" as an all-encompassing term for people who do bad things using computers. That's not so. Apparently I got the other stuff in the newsletter correct. My apologies.


Greetings, Weekend Silicon Warriors,

Welcome to the new 2000. My content editor Lindy has informed me that the Goodies to Go! Newsletter is growing at a rate of about 2000 new subscribers per issue. Apparently those already reading told two friends, and they told two friends, and so on, and so on...

Did you hear...

>Amazon.com is now selling toys and electronics just in time for the Christmas season? According to CEO Jeff Bezos, they want to be a one-click shopping area. Will it work? In just over a year Amazon took the CD sales top spot away from CD Now. Toys next? Can one site really offer everything? We'll see.

>Wireless Web is coming. Lucent Technologies now says they have a system, WaveStar OpticAir, that can transmit 15 CD ROMs full of information in a second. Field tests are under way and I would think you could pick one up the middle of next year. That is, if you have a serious pile of money.

>Just as computer files are easy to create -- they are also easy to erase. Representative Ron Klink, Democrat from Pennsylvania, announced that some Medicare contractors are "turning off software [and] losing claims" to defraud the government. The claims were deleted so later false claims could not be checked and denied. Fifty-eight companies are being investigated over the allegations.

Now onto today's topic...

You know, it's all I can do not to write about Y2K. There is just so much out there, and with the New Year approaching I have to believe the press will only get bigger.

Usually the stories I read speak in generalities. This might happen. Maybe this will happen. Now a rather well respected company has set a figure in stone.

The Gartner Group, said to be the top Y2K research firm, came out with a study last week that states that fixing Y2K will cost businesses over 1 billion dollars.

No, I don't mean that's what it will cost to fix it all... that's what will be stolen as a result of fixing it all.


Conservative estimates state that between $300 and $600 billion will be spent worldwide in order to get computers up to Y2K snuff. Some believe that the cost will be upwards of one trillion after all of the legislation dust settles.

Here's the concern: In many cases, the people who are being hired to fix the Y2K problems are not only repairing the dates, but are also programming themselves a trapdoor.

I remember when Y2K really started to come to the mainstream. One of the stories I heard was that if bank vault computers recycled (going to 1900 instead of 2000) then the bank would be ripe for the picking as the first day of 1900 was a weekday instead of a weekend day, as will be the first day of 2000. The theory went that the vault would open, thinking it was a business day, and present-day Billy-the-Kids would be waiting to snatch all the loot, carrying it away in burlap bags with big dollar signs on the side. That always sounded like the latest Olsen's film plot more than reality to me.

Nay, the criminals are too smart for that. Why get all dressed up when you can steal from the privacy of your own home? If I repair your system and place a "trapdoor" then I can come and go as I please at some later date. Sound impossible?

Mike Higgins of Para-Project Services can already relate three trapdoors found in major corporations. He tells the story of one high-tech firm that found the door, but when they went back to question the company that did the work, they had gone out of business.

Many consulting firms have piped up with the release of the Gartner Group report, not to praise it but rather to proclaim that it is way short of the mark. Many believe a billion dollars might be only a percentage of what will be stolen thanks to trapdoors left by those hired to fix Y2K problems. Many of the companies possibly equipped with trapdoors move eleven trillion dollars a year around financial institutions, the government, and personal business.

Furthermore, trapdoors may not need to be set. Software programmers are finding holes opening up, thanks to the patches and fixes being offered to repair buggy commercial software. I have to believe that if the professionals know about the new holes, so do the bad guys.

Here's something else to concern yourself with. If someone can get into the system and steal, why can't they get into the system and control? We think of terrorism as bombing or other methods of producing harm with the intent of producing fear for one reason or another. Imagine what could be done if the mainframe of a major company was held at bay.

Someone who doesn't like a company's business practices could, rather than holding employees hostage, hold a system hostage. Failure to comply with demands would mean the immediate loss of all records and backups.

I have said from my first investigations into the Y2K matter that the funny stories about elevators not working or Jeep automobiles failing to start would not be the real story of the New Year. My biggest concern was a run on banks, stocks, and mutual funds. I was afraid people would take out all of their money, leaving a lot of financial institutions empty.

Apparently banks are also concerned. Have you seen the commercial for this new disposable Polaroid camera? A young man goes to the ATM and puts his card in to take a photo of his balance as the New Year countdown commences in the background. At midnight the ATM burps and his balance becomes over 4 million. He takes another picture and walks away.

Banks went bonkers. They claimed the spot undermined their attempt to instill confidence in the public. I haven't seen the commercial in a while. Maybe it was taken off. My local bank here in PA has "We're Y2K OK" signs everywhere. They even answer the phone with the slogan.

It's the home stretch. We've hit the halfway point of the year. The Christmas-in-July sales are coming to a close. As the months get colder, look for more and more stories about Y2K. December should produce an avalanche.

It does make me nervous. Not the computer glitches, but what will happen in response to the media's reporting of possible problems. I know it's not possible, but it would be nice to see one "we're Y2K OK" story for every doomsday story that's about to come out.

The New Year really will be something to witness.


And that's that. Thanks for reading another one.

Joe Burns, Ph.D.

And Remember: The longest English words that can be typed on a single row of qwerty typewriter keys are "perpetuity," "prerequire," "proprietor," and... "typewriter." Also-- can you name the shortest word in the English language to include the letters a, b, c, d, e, and f? Give me your feedback.
