Coming soon to a computer near you: A worm
If you're a Windows user, a patch Microsoft released earlier this week is of crucial importance. Less than 24 hours after Microsoft released patches for 23 serious vulnerabilities, the US Department of Homeland Security advised users to immediately apply the patches in the MS06-040 bulletin.
Earlier, the Computer Emergency Readiness Team (now part of DHS) warned that the flaw was being used in targeted attacks and that the appearance of public exploits is a sure sign that a worm attack is imminent. The exploits are out there now and they undoubtedly will be used against unpatched Windows 2000 systems and some versions of Windows XP.
Immunity and Core Security Technologies have each already created what they term reliable exploits for the flaw -- exploits that work on Windows XP with SP2 installed and on Windows Server 2003 with SP1 installed.
EWeek magazine interviewed Dave Aitel, a researcher at Immunity, who warned that a worm is coming. "This bug is just too easy to exploit."
Microsoft reported 100 million downloads of the MS06-040 patch in the first 3 days. The company says "This update resolves a privately disclosed vulnerability as well as additional issues discovered through internal investigations. An attacker who successfully exploited the vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Even if you have automatic updates turned on, now would be a good time to visit Microsoft's Windows Update site.
AOL is spelled "oops" (again)
Tens of thousands of people have copies of a file that contains "anonymized" search records for half a million AOL users over a 3-month period. AOL says it made the information available for "research" purposes. Those who are under the microscope might feel just a bit violated because some of the searches contained names, Social Security numbers, and other identifiable data. Anonymized? Yeah, right.
AOL quickly withdrew the file and even shut down its "research" site (try http://research.aol.com now and you'll get "The server at research.aol.com is taking too long to respond. The site could be temporarily unavailable or too busy."). That may describe AOL's lawyers in coming months, too.
The file is still widely available via mirrors. It's impossible to know how many people have the file, and it's impossible to eliminate information once it's available. Not even the leaders of the Soviet Union could guarantee compliance with orders to remove information from the Great Soviet Encyclopedia when someone fell out of favor.
AOL stresses that this was a mistake, that somebody in an oversight position should have been made aware of this project, and that had someone in an oversight position been made aware of the project, it would have been shut down immediately. Fine. But it wasn't. AOL stresses that the data covered something like one third of one percent of searches conducted. Fine, but what if yours was one of them? This wasn't some accidental release of information. Nobody hacked into AOL to get the information about half a million users. Somebody at the company knowingly made it available.
The page from which "researchers" could download the file carried AOL's request: "Please reference the following publication when using this collection."
By "anonymized", AOL means that it replaced screen names with unique numbers. "It is still a research question how much information needs to be anonymized to protect users," says Abdur from AOL. Here are some examples of what you can find in the data:
User 491577, for example, can easily be identified by information included in various searches. Many searches involve matters that may be of interest to law enforcement. In fact, it's exactly this kind of information that Google refused to release.
How big is a file that details searches conducted by half a million people over a 3-month period? About 400MB when it's expanded from its compressed form.
We return once more to 1996
Last week, I said the Internet Wayback Machine can be embarrassing. Even if you've removed a page from your website, it may still be available. In looking around some old copies of Technology Corner that are no longer on the website, I ran across an article I wrote in early 1997 about the coming Y2K problem. Despite all the hype, my opinion was that it wouldn't be a particularly large problem.
On May 18, 1997, I wrote "'Y2K' spells 'Yikes!'?"
Back then it was in and trendy to report that everything would come to a grinding halt in 2000. It was my opinion at the time that the problem was real but that the nation had 3 years to prepare and it shouldn't be a big problem. I spent December 31, 1999, in an emergency communications center on the top floor of Riverside Hospital. Before I left that evening, I told Phyllis that I would be home by 1am because nothing would happen. I was home by 1am because nothing had happened.
Y2K is computer geek shorthand for "year 2000". That’s when computing as we know it is supposed to come to a halt. The entire business community will fail. Military weapons will become so confused that they’ll attack anyone who wanders by. Oh — and your local ATM won’t give you any of your hard-earned cash because it’ll think that you haven’t been born yet.
Or maybe it’s all marketing hype. It’s a way for some snake-oil sellers to bilk the public. In fact, there’s no problem. At worst, a few report formats will be wrong; but nobody outside the computer center will even notice the problem.
The truth? It’s a problem and a big one. The Y2K issue can’t be ignored, but neither should it engender panic.
Conventional wisdom seems to be that this problem was just recently discovered. In truth, those who wrote automation systems in the 1960s and 1970s knew about the problem they were creating, but the cost of memory (core and disk) and the cost of processing were so high that there was no other reasonable solution. Besides, the programmers figured that the systems they were writing would have been completely re-written by 2000.
The problem with 2-digit dates found in many computer programs becomes evident when the computer needs to do math with the date. Let’s say the Ohio Bureau of Motor Vehicles wants to know how old I am. Its computer takes the current year (97) and subtracts the year I was born (47). That’s easy. Even I can do that one in my head. The answer is 50. Now, let’s jump forward to 2000 (00 to some computers). The computer will take the current year (00) and subtract the year I was born (47). Suddenly I’m –47 years old. Plug an age like that into an actuarial table and watch what happens. It won’t be pretty.
For insurance companies, the deadline for compliance is this year because so many of their calculations go forward several years. Banks and credit card companies will also need to be ready soon. Some credit card companies already have been forced to re-issue cards because those with expiry dates of 2000 may bounce.
Here’s one view:
"Senator [Daniel] Moynihan is warning anyone who will listen that a huge economic black hole is facing the U.S. and the world in year 2000. Computer systems worldwide are going to break down and cause chaos in government institutions and private industry and possibly lead to a worldwide economic collapse.
"According to Westergaard Online the Y2K Timebomb will be to year 2000 what the stock market collapse of 1929 was to the 1930s!!! Recall how that resulted in a collapse of the financial system worldwide?"
For a more balanced view, there's the Year 2000 Information Center.
It’s worth pointing out that personal computers (except for the very first ones) all treat years as 4 digits instead of 2. Most computer programs written for PCs also treat dates as 4 digits, even if they display only 2. The problem is largely limited to mainframe computers and minicomputers.
If you’re concerned about your computer, here’s an experiment. But first, a WARNING: Have a complete and verified system backup before trying the following experiment. If you run any programs, particularly financial programs, they may become hopelessly confused if you try to go back in time to a prior period (now) after allowing the program to think "now" is sometime after January 1, 2000.
Set your computer’s date to January 5, 2000, and then try running the programs. Your PC isn’t likely to have a problem and by 2000 a lot of programs that are today running on minis and mainframes will be running on Unix systems or NT-based systems or Novell networks. And guess what! All of those operating systems handle 4-digit dates just fine.
Governments and large corporations will spend a lot of money fixing the problem. Some estimates suggest more than $500 billion. Others are higher or lower. In truth, nobody really knows how much it’ll cost. But companies that don’t solve the problem now will have to pay a lot more to solve it on an emergency basis in January 2000.
And by the way — there’s another problem lurking in 2000. Not all software recognizes February 29, 2000, as a valid date. 2000 is a leap year. The rule is: Years that are divisible evenly by 4 are leap years, except for years ending in 00, which are leap years only if they are divisible by 400. Thus, 1900 was not a leap year. Nor was 1700.
What about 1600? Well, in 1582, the Gregorian calendar changed the rule for determining whether a year should be a leap-year by stating that century years should be leap years only if they were divisible by 400. This makes the average year-length 365.2425 days, so the calendar will be off by one day every 4,000 years. Britain adopted the Gregorian calendar in 1752. September 2nd was followed by September 14th and riots broke out as people protested being bilked out of half a month’s rent.
If this sounds like a trivial problem, it’s not. Some automated systems will refuse to run on February 29, 2000, because the program will know that’s not a valid date. And February 29, 2000 is a workday — a Tuesday.
This problem can be a bit more serious because some computer hardware doesn’t have the right formula for determining which years are leap years. WARNING: Have a complete and verified system backup before trying the following experiment. If you run any programs, particularly financial programs, they may become hopelessly confused if you try to go back in time to a prior period (now) after allowing the program to think "now" is sometime after January 1, 2000.
Paying close attention to the preceding warning, change the CMOS date in your computer to February 29, 2000. This should succeed. If it doesn’t and dates are critical to what you do, you have a little less than 3 years to resolve the problem.
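The two-digit subtraction from the age example above and the leap-year rule, worked through as an added example that is not part of the original column; the function names and the sample years are constructed for illustration:

```python
# Added example, not from the original column: two-digit-year age
# arithmetic beside its four-digit form, and the Gregorian leap-year rule
# beside the "divisible by 4" shortcut. All inputs are constructed.
from datetime import date

def age_two_digit(current_yy, birth_yy):
    # Age as a program storing only the last two digits computes it:
    # 97 - 47 = 50 in 1997, but 00 - 47 = -47 in 2000.
    return current_yy - birth_yy

def age_four_digit(current_year, birth_year):
    # The same subtraction with full four-digit years never wraps.
    return current_year - birth_year

def is_leap_naive(year):
    # Incomplete rule: every year divisible by 4. Wrong for 1900.
    return year % 4 == 0

def is_leap_gregorian(year):
    # Rule stated in the text: divisible by 4, except century years,
    # which are leap years only when divisible by 400.
    if year % 400 == 0:
        return True
    if year % 100 == 0:
        return False
    return year % 4 == 0

def is_valid_date(year, month, day):
    # Gregorian validity check: 29 Feb 2000 is valid, 29 Feb 1900 is not.
    try:
        date(year, month, day)
    except ValueError:
        return False
    return True

def weekday_name(year, month, day):
    # Day of the week; 29 Feb 2000 falls on a Tuesday.
    return date(year, month, day).strftime("%A")

def average_year_length(rule):
    # Average year length implied by a leap rule over one 400-year cycle:
    # Gregorian has 97 leap years, so 365 + 97/400 = 365.2425 days.
    leap_days = sum(1 for y in range(2000, 2400) if rule(y))
    return 365 + leap_days / 400

if __name__ == "__main__":
    print(age_two_digit(97, 47), age_two_digit(0, 47))        # 50 -47
    print(is_leap_naive(1900), is_leap_gregorian(1900))       # True False
    print(average_year_length(is_leap_gregorian))             # 365.2425
```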
We'll visit the past again in the future.
Nerdly News
Vista cracked even before it has been released
Microsoft's upcoming operating system (Vista) has reportedly been cracked. The threat, referred to as "Blue Pill", is being discussed on the Internet. Microsoft says Vista is its most secure operating system to date and the company has spent a lot of time looking for problems. That's one reason why this development cycle has been so long and why Vista is so late.
Microsoft attended this year's Black Hat hacker conference and asked those in attendance to do their worst. Apparently they have. Blue Pill reportedly bypasses Vista's integrity-checking process. This allows unsigned code to be loaded by the Vista kernel, which means that malware can be run without detection by the operating system.
Microsoft is looking for a solution.
IBM challenges Microsoft and Oracle
IBM announced that it will pay $1.6 billion for FileNet, a maker of software that helps companies manage documents and other digital information. IBM is trying to get a solid foothold in content management, a large and growing segment that specializes in maintaining control of corporate documents, e-mail archives, and other digital data.
Oracle has already entered the market, starting with its database business. Oracle has its own content management offerings, but there are reports that the company is in the market for a company that's further along -- OpenText is the often-mentioned target.
Microsoft is also active in the market and IBM sees both Microsoft and Oracle as its primary threats in content management.