After the cyberpunks, prepare to fight a new wave of nasties

Presagers of doom in the IT industry have sometimes got it horribly wrong. One need only look back 14 years to the millennium bug, which was supposed to bring down the world’s critical systems. The year 2000 came and went with no digital cataclysm in sight. Even the smartest people make grand claims about imminent threats. …

COMMENTS

This topic is closed for new posts.

Example: Router DNS hijacking

There's a fresh thread in the Plusnet forums where Plusnet sent out a warning about well-known brands of router being vulnerable to having their DNS settings hijacked, to create a vector for a "You need to update Adobe Flash, click here" attack; we recommend you buy a new router, how about one from this list.

FUD?

Lo and behold someone posts back they have found their router of suspected brand was compromised.

0
0

A huge error in the article

It is believed the software, which did nothing other than change its icon from a shield with an ‘X’ to one with a tick mark, was put up for sale accidentally. Yet it still sold more than 30,000 copies and made plenty of money for its creators.

Google eventually decided to refund users who had paid for the app. It proved Google’s app-vetting policies weren’t keeping out even basic threats.

I disagree. The app wasn't malware, or even a threat to the user/OS in any way. It's not the app vetting's job to check if any app does what it says on the tin, or is even useful.

6
4
Silver badge

Re: A huge error in the article

It was a threat to the user. The user sees the tick on the shield, believes they are protected and makes decisions on that basis. A false sense of security can be very dangerous.

Not a "huge error", perhaps a grey area.

3
0

Re: A huge error in the article

quote: "It was a threat to the user. The user sees the tick on the shield, believes they are protected and makes decisions on that basis. A false sense of security can be very dangerous."

Given that no AV suite can be 100% effective, by that definition all AV suites can be considered a "threat to users". Or to rephrase, any user who believes that their AV suite makes them invulnerable has been badly educated, and does not understand the nature of the security suite they are using.

The only real fix for that is user education, alongside pulling apps found to be misrepresenting (intentionally or otherwise) their capabilities or purpose. Making it clear that deliberate misrepresentation of capabilities/purpose is covered under existing fraud legislation (aka actually prosecuting someone for it) would also go a long way to dissuade developers from pursuing such tactics in the search for a quick buck.

6
0
Anonymous Coward

Re: A huge error in the article

"It's not the app vetting's job to check if any app does what it says on the tin"

Yes, yes it is. That is the whole point of vetting apps, to make sure they are what they say they are so that blind users can install them without worry the app will just slurp all your data and sell it to the highest bidder (facebook).

Having said that you ARE already using Android so I guess keeping your personal data secure and away from those that sell it for profit is fairly low down on your list of priorities.

2
5
Anonymous Coward

Re: It is believed the software [...] was put up for sale accidentally

Believed? By whom?

It was *claimed* that the software was put up for sale accidentally, but I saw no signs of anyone believing that claim.

I thought that was a bigger error than calling the app a 'threat'!

0
0
Anonymous Coward

Re: A huge error in the article

"Having said that you ARE already using Android so I guess keeping your personal data secure and away from those that sell it for profit is fairly low down on your list of priorities."

Yes, because security issues on mobile devices are clearly unique to Android. Not.

2
0
Anonymous Coward

Millennium Bug

Actually, I don't think it was doomsaying. I worked during that era, 95-1999, on said bugs in a few different companies and it *needed* to be done.

Just wait till 2025...by which time the new crop of system maintainers who won't remember that particular fudge won't be expecting it....

12
0
Silver badge

Re: Just wait till 2025...

Or 2038...

9
0

Re: Millennium Bug

Quite. What happened was that people said there were problems. Effort was then spent fixing the problems. Problems were therefore largely fixed.

What the media did in the meantime was scaremonger that it was going to be the end of the industrial world, blaming the IT industry, and then when nothing happened, blamed the IT industry again for having spent money fixing supposedly non-existent problems.

Same problem happens with vaccination: An epidemic appears. Media scaremonger that everyone's going to die. Vaccination program to tackle the actual epidemic takes place. Few people die. Media then blame the medical industry and claim it was all a waste of money...

So here we have The Reg telling us that, this time, it's real. When the problems are fixed, I look forward to The Reg saying how it was all scaremongering from the IT industry.

12
0
Silver badge

Millennium bug

There were two Y2k problems:

a) the real one - lots of (mainly Cobol) programs held the year part of dates with two digit values* and would return incorrect results for dates after 31/12/1999. This required a lot of programming work to correct, but was almost entirely successful and few real-world problems occurred on 1/1/2000.

b) the hyped one - lots of PCs (it was claimed) would fail to boot after 31/12/1999. In reality, if there were any such systems they would have been many years old and in need of replacement anyway. Most PCs, if they had a problem at all, needed the date to be reset manually once and would be fine thereafter. Nevertheless, many snake-oil vendors flogged millions of small programs to clueless PHBs in order to 'fix' the problem.

* The youth of today may wonder why we didn't just use 4-digit years throughout. I was a DBA at a large financial services organisation in the 80s. We needed to distinguish centuries anyway (because dates of birth and maturity dates weren't always in the 1900s), but by using a single digit code rather than two digits, the saving in storage costs was nearly a million quid, in the days when that was serious money. (And we avoided much of the Y2k panic, though we still had to check every program.)

5
1

Re: Millennium bug

Surely though, if you'd stored the dates as a number rather than two ASCII characters, two bytes could represent up to the year 65535. 4 bytes could store you the entire date without problem (and technically a few bits wasted).

4
0
Silver badge

Re: Millennium bug

You're right in theory, and we did that for some programs. In practice, we had a lot of logic that tested based on month/day = current month/day, which required unpacking the binary date into YYYYMMDD and that would have increased CPU utilisation (also very expensive in those dim and distant days).

3
0
LDS
Silver badge

Re: Millennium bug

I had a PC (bought around 1995) whose BIOS was flawed. It required the date to be reset at each reboot. There was a workaround, a Windows 95 fix that corrected the date on boot, but it made the machine of very little use with any other OS, Linux included.

The youth of today still don't understand why dates were stored as strings instead of numbers... even a single 8-bit byte would have stored 255 years, and a 2-byte word would have stored 65535 years, filling most needs but maybe those of astronomers, and with very little storage space used. The story repeats now, with most web developers wholly unable to understand any data type which is not a string.

4
0

Re: Millennium bug

The only real y2k bug I heard about didn't happen at the year rollover.

It was the clock display on a phone that failed 2 months later, on 29/2/2000, cos 00 is not divisible by 4... (but 2000 is divisible by 400). The leap year calculation was flawed: it thought 2000 was not a leap year when it was a 1-in-400 leap year.

The world didn't come to a standstill then either.

0
2

Re: Millennium bug

So after that the day wouldn't agree with the date with no way to fix it, except waiting 2800 years...

0
0
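The leap-year rule bug described in the two posts above (a century year treated as non-leap because the 400-year exception is missing, and the resulting disagreement between weekday and date), as an added example; the clock model is constructed for illustration and is not the phone's firmware:

```python
"""Model of a clock whose leap-year rule lacks the Gregorian 400-year exception."""

def is_leap_flawed(year: int) -> bool:
    # Divisible by 4, except century years: this rule wrongly makes 2000 a common year.
    return year % 4 == 0 and year % 100 != 0

def is_leap(year: int) -> bool:
    # Full Gregorian rule: century years are leap only when divisible by 400.
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)

MONTH_DAYS = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def days_since_1900(year: int, month: int, day: int, leap_rule=is_leap) -> int:
    """Days elapsed from 1 Jan 1900 to the given date under the given leap rule."""
    total = 0
    for y in range(1900, year):
        total += 366 if leap_rule(y) else 365
    for m in range(1, month):
        total += MONTH_DAYS[m - 1] + (1 if m == 2 and leap_rule(year) else 0)
    return total + day - 1

def weekday_name(year: int, month: int, day: int, leap_rule=is_leap) -> str:
    # 1 Jan 1900 was a Monday, so the day count modulo 7 indexes WEEKDAYS directly.
    return WEEKDAYS[days_since_1900(year, month, day, leap_rule) % 7]

def clock_disagreement(year: int, month: int, day: int) -> tuple:
    """(real weekday, weekday the flawed clock derives for the same date).

    Before 29 Feb 2000 both rules agree; from 1 Mar 2000 the flawed clock has
    skipped a day and every weekday it shows is one day early."""
    real = weekday_name(year, month, day, is_leap)
    shown = weekday_name(year, month, day, is_leap_flawed)
    return real, shown

if __name__ == "__main__":
    for ymd in [(1999, 12, 31), (2000, 2, 29), (2000, 3, 1), (2014, 5, 27)]:
        print(ymd, clock_disagreement(*ymd))
```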
Silver badge

Re: Millennium bug

The only real y2k bug I heard about....

Oh, well, your anecdotal reminiscence certainly demonstrates that there were no important Y2K bugs, then.

We know what happens to those who forget history. What about those who can't be bothered to learn it in the first place? And that goes double for Mr Brewster, who's the one who got things "horribly wrong". That's some impressively shoddy journalism, even by Internet standards.

I believe it was in RISKS where someone mentioned remediating firmware for a line of dialysis machines which would go into self-cleaning mode when the current date was entered as "99/9/9". Admittedly that's an extreme example - most Y2K issues wouldn't kill people on the spot - but we sold a lot of remediation software, and customers reported finding and fixing a great many lines of code with it, and that code was in production systems where often even a few hours of downtime causes serious financial harm. (I'm thinking of one boutique finance firm in particular, but there were others that I knew of, and I wasn't even on that side of the business.)

3
0
Silver badge

IoT

Well, there are some lovely default devices waiting to be abused.

1
0
Alien

Cyberpunks use Cryptocurrency?

Dear el Reg

Is it time to have a section/articles on cryptocurrencies?

0
0

Y2k

One need only look back 14 years to the millennium bug, which was supposed to bring down the world’s critical systems. The year 2000 came and went with no digital cataclysm in sight.

I can't believe El Reg has fallen for this oft-repeated pub meme. Every IT expert on the planet spent 1997 - 2000 auditing and patching *every* bit of software, hardware and firmware for Y2K compliance. We did nothing else for 3 years for Pete's sake. Hence the frustrating lack of Armageddon.

12
1
Anonymous Coward

Re: Y2k

Longer than that: we had a bunch of clients who left themselves too little time to solve the problem "properly" so they paid us to implement a 28 year rollover solution ASAP and then paid us to make all their year fields 4 bytes long 12 months later.

0
0
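The two remediation approaches mentioned in this thread, the fixed-window expansion of two-digit years (the "Millennium bug" post above) and the 28-year rollover followed by widening the fields (the post just above), as an added example; the pivot value, the maturity check and the sample dates are constructed for illustration and are not anyone's production code:

```python
"""Two-digit year comparisons, fixed-window expansion and 28-year date shifting."""
import calendar
import datetime

PIVOT = 50  # assumption: YY >= 50 is read as 19YY, YY < 50 as 20YY

def matured_2digit(maturity_yy: int, today_yy: int) -> bool:
    """Pre-remediation logic: compare the two stored YY fields directly.
    A policy maturing in 95 checked on 1 Jan 00 sees 0 >= 95 and answers 'not yet'."""
    return today_yy >= maturity_yy

def expand_year(yy: int, pivot: int = PIVOT) -> int:
    """Fixed-window expansion: the cheap fix when the stored field cannot be widened."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return 1900 + yy if yy >= pivot else 2000 + yy

def matured_windowed(maturity_yy: int, today_yy: int) -> bool:
    """Same comparison after expanding both fields through the window."""
    return expand_year(today_yy) >= expand_year(maturity_yy)

def shift_28(d: datetime.date) -> datetime.date:
    """Date shifting: subtract 28 years on input (add them back on output) so the
    YY fields keep working for another 28 years without touching the logic."""
    return d.replace(year=d.year - 28)

def shift_preserves_calendar(year: int, month: int, day: int) -> bool:
    """The shift is only safe where weekday and leap status line up 28 years apart,
    which holds from 1901 to 2099 but breaks across the non-leap year 2100."""
    d = datetime.date(year, month, day)
    s = shift_28(d)
    return s.weekday() == d.weekday() and calendar.isleap(s.year) == calendar.isleap(d.year)

if __name__ == "__main__":
    print("naive:", matured_2digit(95, 0), "windowed:", matured_windowed(95, 0))
    for ymd in [(2000, 2, 29), (2027, 12, 31), (2100, 3, 1)]:
        print(ymd, "shift safe:", shift_preserves_calendar(*ymd))
```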
Joke

need a new agency...

perhaps we need a new government agency, that protects us from criminal uses of the internet and provides us with ongoing security by researching the best practices for encryption and software deployment?

I suggest we make it national, too.

P.

2
0
Silver badge

Re: need a new agency...

I know it's a joke, but, yeah, we certainly need something like that. Although it might be better as an international group with cooperation from IANA/ICANN and Interpol. Probably build it out of employees from various security companies and ISPs with an oversight organization filled with Government employees from the US's FCC, UK's OfCom, etc.

0
0
Anonymous Coward

remember, kids:

just because the world didn't burn down, doesn't mean there weren't thousands of firefighters cleaning up flammables and putting out sparks before it got big.

All those "ugly" and "boring" jobs hipster and metrosexual IT "Admins" direct out of Windows Certification don't want to do? It was handled in the background, at great expense and effort in the last 3-5 years before Y2K. Hundreds of techs dispatched to Podunk, Everywhere getting at those old systems that would have created thousands of little c*ckups that would have swelled into bigger issues.

Y2K wasn't a problem by the end of 1999 because we, and thousands of our "not pretty enough to sit around and create dot-com diversity posters" brethren had already rooted the bug out of restaurant POS's, car and tractor dealership systems, hotel backends, stockbroker ISDN systems, rat-infested comm closets in the middle of Native reservations and Mayberry Police Departments, and everywhere else barely-adequate-when-new and cheap-as-possible "legacy" systems ran all the infrastructure most yoof today take for granted.

We cleaned the tubes before they got clogged. You're welcome.

#veteranofthey2kwars

10
1
Silver badge

Pouring <s>snake</s> oil on the fire.

Due to the numerous weaknesses in critical machines, from those managing traffic lights to those helping to run the power grid, many security experts believe there will be an increase in digital attacks with a real destructive effect.

“There are those threats which kind of drop off the radar and no one is really quite sure how they are being used or if they have been used at all because they don’t need to be used en masse,” says Malik.

“For example, industrial control systems have been shown to be vulnerable but there isn’t enough public data available to show that they have been actively exploited.

Well now, you surely cannot expect the system to admit and own up to its systems being penetrated because they are systemically flawed and unpatchable unless reconfigured to support and drive an altogether quite different program of revised protocols/smarter algorithms.

And the following, which in this case is in the form of an email, is the sort of thing to be expecting to flood the mainstream as status quo information dumps prove themselves to be selfishly self serving to a very few rather than broader enlightening to humanity, and that has those few becoming persons of mad interest to increasingly restive disenchanted mobs and yobs/hoi polloi, which is not at all comforting, but it is inevitable unless there be a radically fundamental change in present behaviour for continuing future wellbeing and prosperity ......

Subject: Keys to Failure Remedy and Failed Futures Option Dealers/Virtual Reality Pimping who be Sub-Prime Intelligence Dumping and Pumping/Mainstream Media Polluting

Date: 27 May 2014 08:57:03 BST

Delete and Remove to Eliminate and Eradicate the Problem when Changing the Problem Normally can’t Solve it, is a Novel Noble but Not New and Ignoble Solution to Persistent Unpleasant Problems in Real Worlds and in IT and MetaDataBase Command and Control Systems of Operation too.

Hi, John,

To be forewarned is to be forearmed, and also allows for the smarter being to consider more desirable and adventurous courses of action in proaction and in AI NEUKlearer HyperRadioProActive IT, for they will be infinitely more attractive to supporting creative ventures than anything else which could be considered negative and destructive because it delivers competitive and opposing conflicts.

“You normally change the problem if you can’t solve it.” …. David Wheeler

Insights from research in security economics have taught us that many real-world security systems failed not for technical reasons, but for a misalignment of incentives. If the party that is in the best position to protect security is not liable for the security failure, it will lack the incentive to invest in improving security. Consequently, the security of the overall system will suffer and eventually fail. …. http://cryptome.org/2014/05/sse-protocol.pdf…. “Deleting Secret Data with Public Verifiability”…. Feng Hao, Member, IEEE, Dylan Clarke, Avelino Francisco Zorzo

The fiat capitalist system base root Catch 22 which guarantees exponentially increasing catastrophic failures and monumental losses ….. and in a smart information and getting smarter intelligence environment, delivers the virtually certain possibility and therefore the very real active probability of both the secret private and populous public sector targeting of responsible key systems administrators/head honchos/bank bosses/treasury officials/chancellors of exchequers/chancers in office for requisite treatment?

0
1
Silver badge

Truth sets all free and condemns identified oppressors to vain fight and/or wingless flight

Oh, and here be future nasty and present dilemma to ponder on, which reveals in all ITs glory to both friend and foe adversaries and/or competition alike, that which is a systems indefensible achilles heel problem .......... the free sharing of information over networks with the full and normal expectation of wwworld wide web publication which doesn't get published, and shared with an intelligent global crowd.

0
1
Bronze badge

Mt GOX was NOT robbed by external parties; there appears to be clear evidence the scumbag in charge did the dirty and was using customer funds for running the business as well as other out-of-pocket expenses.

0
1
Meh

"Mt GOX was NOT robbed by external parties; there appears to be clear evidence the scumbag in charge did the dirty and was using customer funds for running the business as well as other out-of-pocket expenses."

Not that I'd be surprised of course, but presumably you do have the evidence you've just publicly tried and convicted the guy with, right?

1
0
Silver badge

Who needs 'evidence' when they have outrage?

I'd not be surprised if it turned out that the whole thing was just a massive con. However, I don't see the 'clear evidence' suggested. Perhaps a pointer from the OP to where this 'clear evidence' might be found might help.

Not holding my breath awaiting said pointer.

0
0

Biting the hand that feeds IT © 1998–2017