Where to Find the Y2K Bugs
By Seth Ross
In the wake of the Year 2000 rollover, which didn't cause the end
of civilization as we know it, many are wondering what happened to
the Y2K infopocalypse we were promised. Some question whether the
$100 billion or so spent in the US was worthwhile; others wonder if
the whole Y2K bug was a barrelful of hype.
Don't believe the counter-hype/conventional wisdom about the smooth
and uneventful Y2K rollover. There were tens of thousands of Y2K
incidents, some of them quite serious. Perhaps not as serious
as planes falling from the sky, or nuclear plants going critical,
but endemic glitches, bugs, date errors, etc.
Why haven't you heard about them? Well, why *would* you hear about
them? Y2K incidents are similar to computer security incidents -
they make the victims look bad. The overwhelming instinct is to
cover up these kinds of problems as quickly as possible with minimal
public disclosure.
Imagine that you are a corporate IT manager dealing with a severe
post-rollover Y2K problem. You're not going to call the New York
Times or issue a press release. ("Well, we thought we knew what
we're doing.") You're going to fix the problem as expeditiously
as possible and hope that word doesn't leak.
This is part of what computer security expert M. E. Kabay calls
"the problem of ascertainment." Most computer break-ins - like many
calendar problems - are undetected. We know they're undetected because
some are discovered long after they occur. Even if they are detected,
many problems are dealt with discreetly for fear of bad publicity.
Kabay guesses that only 10% of computer crimes are detected, and
of those, only 10% are reported.
Consider for a moment the tremendous increase of computer crime
over the past several years, fueled in part by widespread Internet
connectivity and the availability of automated cracking tools. Then
check out these computer crime stats displayed on the FBI's web site:
Both investigative cases and successful prosecutions have
increased significantly. Pending cases have increased 115% from
the beginning of FY 1997, from 260 to 559. In FY 1997, there was
a 110% increase in informations and indictments (from 10 to 21),
950% increase in arrests (from 4 to 42), and an 88% increase in
convictions (from 16 to 30).
These numbers are underwhelming, given the tens of millions of
Americans on the net and the amount of online crime and mischief
that goes on every day. Clearly, the FBI isn't casting a very wide
net. If an organization with the resources of the FBI can't develop
a solid profile of computer crime stats, who can?
This raises an even sharper question: How can one assess the risk
of computer crime or calendar problems if there's no way to ascertain
their scope and severity? How can one develop a computer security
plan (and budget) if one doesn't know what the risk of loss is?
The bottom line: Treat Y2K and computer crime statistics with
skepticism. The total scope and severity of rollover problems are
unknowable - they're not even guessable.
Given the problem of ascertainment, how can one ensure computer
security at all?
While it may be difficult or impossible to really know what's
happening in the larger world, you can take steps to ascertain what's
happening on your local hosts and local network.
Port scanning software programs are one ruthless way to discover
the security posture of your network (see the next section). But
there are also host-based tools you can run that report on the status
of individual personal computers and workstations.
If you run UNIX or Linux workstations, you've undoubtedly run
commands like ps, uptime, and netstat to inspect what's happening.
You've probably also installed a log-watching program like Swatch
and perhaps even a filesystem integrity checker like Tripwire.
If you're running Windows, perhaps you've noticed these simple
built-in utilities:
- Dr. Watson (C:\Windows\Drwatson.exe) - Provides you with a
snapshot of what's happening on your system. Pick the "Advanced"
option and click on the "Tasks" tab to see what processes are
running on your computer. Learn to recognize common tasks (and
thus uncommon or potentially malicious tasks).
- Winipcfg (C:\Windows\Winipcfg.exe) - Displays information about
your Ethernet adapter (including address) and host (including
name and IP address).
- netstat (C:\Windows\Netstat.exe) - This simple command-line
utility displays current TCP/IP connections (it has to be run
at a DOS prompt). The "-a" flag shows all connections and listening
ports. Here is an excerpt of typical netstat output:
C:\WINDOWS>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    austerity:1393         s3.red.CERT.ORG:80     CLOSE_WAIT
  TCP    austerity:1396         www.ISI.EDU:ftp        CLOSE_WAIT
  TCP    austerity:1409         example.com:22         ESTABLISHED
  TCP    austerity:nbsession    SROSS:0                LISTENING
  TCP    austerity:1451         smtp.example.com:pop3  TIME_WAIT
  UDP    austerity:nbname       *:*
  UDP    austerity:nbdatagram   *:*
Run these tools on a regular basis to monitor what's running on
your computers. Become familiar with the tasks and processes your
systems run and be on the look-out for signs of anything unusual.
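Running netstat by hand is fine for a single machine, but "be on the look-out for anything unusual" is easier to keep up when the known-good state is written down and the comparison is automated. The following Python script is an added example, not code from the article or from any tool it mentions: it parses the text that "netstat -a" prints, extracts the sockets that accept input (TCP sockets in LISTENING state and UDP sockets bound to "*:*"), and reports any that are missing from a baseline of ports the host is expected to expose. The netstat excerpt embedded below is constructed for illustration; it follows the layout of the article's excerpt and adds one listener (TCP 8765) that is deliberately absent from the baseline so the report has something to flag. The baseline itself is an assumption for this sample host.

```python
"""Compare `netstat -a` output against a baseline of expected listeners.

Added example, not part of the original article. Assumptions: the
netstat text uses the four-column Proto / Local Address / Foreign
Address / State layout, UDP rows carry no State column, and the
EXPECTED_LISTENERS baseline below describes this sample host only.
"""
import re
from typing import List, NamedTuple, Set, Tuple


class Socket(NamedTuple):
    proto: str        # "TCP" or "UDP"
    local_host: str
    local_port: str   # numeric or a service name, exactly as netstat prints it
    foreign: str      # "host:port", or "*:*" for an unbound UDP socket
    state: str        # TCP state; "" for UDP rows, which netstat prints without one


# Constructed sample: the article's excerpt plus one unexpected TCP listener.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    austerity:1393         s3.red.CERT.ORG:80     CLOSE_WAIT
  TCP    austerity:1396         www.ISI.EDU:ftp        CLOSE_WAIT
  TCP    austerity:1409         example.com:22         ESTABLISHED
  TCP    austerity:nbsession    SROSS:0                LISTENING
  TCP    austerity:1451         smtp.example.com:pop3  TIME_WAIT
  TCP    austerity:8765         0.0.0.0:0              LISTENING
  UDP    austerity:nbname       *:*
  UDP    austerity:nbdatagram   *:*
"""

# Assumed baseline for this sample host: the NetBIOS services the
# article's own excerpt shows listening, and nothing else.
EXPECTED_LISTENERS: Set[Tuple[str, str]] = {
    ("TCP", "nbsession"),
    ("UDP", "nbname"),
    ("UDP", "nbdatagram"),
}

# One netstat row: protocol, local, foreign, and an optional state column.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Socket]:
    """Turn `netstat -a` text into Socket records, ignoring banner and header lines."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # "Active Connections", the column header, blank lines
        proto, local, foreign, state = match.groups()
        # rpartition keeps hostnames that themselves contain ":" intact.
        host, _, port = local.rpartition(":")
        sockets.append(Socket(proto, host, port, foreign, state or ""))
    return sockets


def listening_ports(sockets: List[Socket]) -> Set[Tuple[str, str]]:
    """(proto, port) pairs that accept input: TCP LISTENING and unbound UDP sockets."""
    listeners: Set[Tuple[str, str]] = set()
    for s in sockets:
        if s.proto == "TCP" and s.state == "LISTENING":
            listeners.add((s.proto, s.local_port))
        elif s.proto == "UDP" and s.foreign == "*:*":
            listeners.add((s.proto, s.local_port))
    return listeners


def unexpected_listeners(sockets: List[Socket],
                         baseline: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Listeners present on the host but absent from the baseline, sorted for stable reports."""
    return sorted(listening_ports(sockets) - baseline)


def remote_connections(sockets: List[Socket]) -> List[str]:
    """Foreign endpoints of established or closing TCP sockets: the peers this host talks to."""
    return sorted({s.foreign for s in sockets
                   if s.proto == "TCP" and s.state != "LISTENING"})


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; on a real host you would
    # feed this the captured output of "netstat -a" instead.
    found = parse_netstat(SAMPLE_NETSTAT)
    for proto, port in unexpected_listeners(found, EXPECTED_LISTENERS):
        print(f"UNEXPECTED LISTENER: {proto} port {port}")
    print("remote peers:", ", ".join(remote_connections(found)))
```

The baseline is the important part: build it from a machine you have just installed and checked, keep it under version control, and re-run the comparison on a schedule rather than when something already looks wrong. Service names such as "nbsession" appear as netstat prints them, so the baseline must use the same spelling the local netstat produces; a numeric port and its service name are not matched against each other here.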