Tue, 29 Apr 2008
“And to think your [sic] paid for this”
The Looming Y2K38 Crisis
Following is a demonstration of how easily distractible I am.
A few months ago, I was doing a little training of some co-workers, and wound up composing this email:
Marc Hall/STL/MASTERCARD
01/14/2008 02:07 PM
While explaining to our newest team members this morning how [edit: redacted project name] works, I ran off on a related tangent about Unix timestamps formatted in seconds since the beginning of the Epoch. This further sent me off on a tangent about how Unix keeps track of time. This reminded me of the Looming Y2K38 Crisis.
In case you are unfamiliar with the idea, Unix keeps track of time by counting seconds since January 1, 1970. This is known as the beginning of the Unix Epoch. Today, around 1,200,160,000 seconds have elapsed. The seconds are represented in 32-bit Unix and unix-like systems by a four-byte integer value. Because a four-byte signed integer has a maximum decimal value of 2,146,483,547, on January 19, 2038, 03:14:07, Unix will run out of bits to store our seconds.
And time will stop.
No, seriously, either systems relying on the time will terminate in unpredictable ways, or the apparent time will wrap around back to January 1, 1970.
This is bad, for reasons left as an exercise for the reader.
Some time (ha!) between now and 2038, someone will have to go through every line of code in the Unix universe and validate that on the rollover date the system will not crash or behave unpredictably. This will be a project with a scope similar to the Y2K-bug-stomping-frenzy that concluded last century. It will make the DST patching we did after Congress last altered timekeeping look like making mud pies. Programmers specializing in Unix will be dragged kicking and screaming out of retirement and handed large sums of cash to evaluate critical systems. And, in the end, after months of trepidation and hype, January 19, 2038, will be a non-event — Because, like the Y2K Crisis, enough people will really understand how bad it could get if systems are left unpatched, that adequate time and resources will be allocated to be sure that everything is fixed in time.
Some have predicted that all 32-bit Unix systems will be long since retired by 2038, and 64-, 128-, 256-, 512-bit systems will have eliminated this as an issue. However, I have personally dealt with embedded systems more than 20 years old already. I expect there are 8-, 16-, and 32-bit embedded systems out there right now that will still be in use in 2038. Traffic signals. Assembly line controllers. Communications equipment. A lot of these run on 32-bit Unix-like kernels. In addition, there will still be business software running in emulated 32-bit environments, too, much like MasterCard is still using mainframes long after Microsoft’s predicted migration to all-Windows-all-the-time. Legacy systems have a way of hanging around.
You heard it here, first!
More info (so you know I’m not just making stuff up):
http://www.y2k38.info/index.html
http://home.netcom.com/~rogermw/Y2038.html
http://www.hackosis.com/index.php/2007/12/21/linux-is-not-y2k38-compliant/
The Boss’ Response …
And to think your [sic] paid for this
… And My Reply to the Boss’ Response
Hey, I’m just developing my career potential 
After all, Consultant-level —- no, Senior Consultant-level —- work requires strategically-oriented, thought leadership about the company’s long-term outlook and anticipation of future events that will affect business operations at the limits of the planning horizon. The ability to assimilate, internalize, and communicate these strategic issues is what separates the Senior Consultant from the Engineer.
Further, if training dollars are not available, then it is incumbent on Senior Consultants to provide appropriate knowledge transfer to the various lower-echelon engineering staffers.
Also, I’m paid a premium for my excellent grammar 
Mon, 28 Apr 2008
Windows Security for the Insecure
Tools for Keeping Windows Unbroken
I recently had a conversation with an acquaintance about his company-issued laptop, and how it had become significantly slower. He also reported some behavior (pop-up windows, extra toolbars, etc.) that are symptomatic of a computer that has been infected by a virus, spyware, adware, or worse. His complaints sounded all too familiar, as Microsoft Windows users have had similar issues since the advent of Windows for Workgroups.
Knowing that I have some experience with computers, he asked me for some advice on what to do. After explaining that his laptop is to the systems I work with as a dinghy is to an ocean liner, I agreed to impart some wisdom.
First, I explained that he shouldn’t be worrying about fixing the laptop: it’s a company laptop, and therefore the company’s responsibility. They need to hire someone with domain-specific competence to do routine maintenance and security auditing on these computers. In other words, they need to hire a geek.
Presuming that, for whatever reason, his employer would not be supporting this computer, I also gave him a brief overview of the wide variety of misuses that his laptop could be engaged in. Here are a few, and let me emphasize that this is not a comprehensive list:
- spam zombie
- identity theft
- key logging
- delivery of unwanted advertising (is there any other kind?)
- distributed denial of service attacks
- vector for other malware to be transmitted to other computers
- industrial espionage
After outlining the risks to him and others that could result from a compromised machine, I agreed to provide him with more information in a follow-up email. This blog entry is an expansion on that email.
Places to seek understanding of the problem
Carnegie Mellon University supports an organization called the Computer Emergency Response Team (CERT), which watches the Internet for trends in computer abuse. CERT maintains a web site dedicated to helping people keep their computers secure. Two sections of that site of particular benefit to my acquaintance are:
Another popular resource is Security Novice, which outlines best security practices from the perspective of a novice.
Microsoft also provides a reasonably complete explanation of security basics. Naturally, this is geared specifically for Windows users, but then, most PC users are Windows users.
Organizations seeking to fix the problem
Security is a process, not a product. Nevertheless, here are a few free tools that will improve your overall situation, at least initially. If these are so good, why are they free? Principally, two reasons:
- They are loss-leaders for commercial products, or
-
The Free/Open
Source Software (F/OSS) community is a strong force on the
Internet, and has, essentially, developed entire environments
for PC users to be productive without spending any money. Some
groups in this movement are motivated by pragmatism, and some
by idealism; but the result is a full suite of operating systems
and applications that rival the corporate software world’s offerings
in virtually every category.
F/OSS software includes several variants of Linux, OpenOffice, several of the tools listed below, and many other programs. Development of these programs is sponsored by major companies, like IBM, Sun, Google, and Oracle, as well as largely volunteer organizations, like the Mozilla Foundation, Apache Foundation, and Free Software Foundation.
A comprehensive list is beyond the scope of this blog, so I won’t cover things like firewalls and root kit detection. However, the tools I describe below will give you a glimpse into the variety of precautions you can take immediately.
Web Browsing
For browsing the Web, I recommend Mozilla’s Firefox, a more secure web browser than Microsoft’s Internet Explorer. The biggest reason for choosing a more secure browser is that it is more difficult (although unfortunately still not impossible) for a malicious outsider to use a website to deliver malware to your PC.
Anti-Virus
Every Windows PC should have an virus scanner and removal tool, and Grisoft has an excellent free program, AVG Anti-Virus (the free one does the job, but you can pay ‘em for additional features).
Spyware Detection and Removal
Spyware can be even more dangerous than a typical virus, at least to the computer user whose PC has been compromised. Spybot Search & Destroy is my favorite tool for this purpose.
Adware Removal
Adware is mostly an annoyance; it uses CPU time and RAM that you want for your own purposes to put advertisements on your screen when you’re trying to do work. Lavasoft Ad-Aware Free is my choice for this (the free one does the job, but you can pay ‘em for additional features).
Email Safety
Finally, if you’re using Microsoft Outlook Express for email, that’s
just asking for trouble. Either use Microsoft Outlook (without the
“Express”, or Mozilla’s
Thunderbird.
Summary
These tools will make your life much easier, and won’t cost you (or, in the case of my acquaintance, your employer) a lot of money. My advice is to take advantage of them and save yourself many of the headaches associated with using a PC on the Internet.
posted at: 14:45 | permanent link to this entry
Marc Elliot Hall St. Peters, Missouri
Page created: 21 January 2002
Page modified: 31 December 2009
