Comment Articles

Last week's mini-Y2K: What went wrong?

Matt Loney ZDNet.co.uk

Published: 13 Jan 2004 16:00 GMT

The Y2K Bug was so-called, of course, because it triggered on a date. What made it so dangerous was that it was in very old code -- written when the trigger date was so far in the future that it couldn't possibly be a risk.

Last week saw two other date-sensitive events that seemed to cause widespread disruption. Among the problems: users of a Microsoft Navision Axapta ERP system saw response times soar; online banks in Singapore reportedly went offline, or at least refused to do any banking; some Java applications crashed, Norton AntiVirus had a breakdown; and at least one person thought he had been fired by email.

The problems stemmed from VeriSign's certificate business. Certificates are arguably as crucial to the sound working of the Internet as are notions of date and time. Without certificates we would have no way of knowing that the site we are using is secure, or even its true identity.

That little yellow padlock that appears at the bottom of your browser every time you access a secure part of a Web site hides a wealth of information, and in particular the certificate path. Indeed, the only way we can trust the certificate itself is by knowing its genealogy. Who issued it? How do we know that the issuer is trustworthy? Who issued the certificate that says the issuer itself can be trusted?

These are important questions, and we rely on the answers for certainty and peace of mind that the applications and Web sites we are using can be trusted. Suppose, for instance, you use antivirus software which every so often downloads a new batch of virus signatures. You want to be absolutely confident that these virus signatures really do come from the antivirus software publishing company which they purport to come from, and just as sure that they have not been tampered with on their way to you. Certificates hold the answer.

Last week we saw what can happen when that chain of trust, from the certificate issuing authority, through to the software publisher (or Web site) and over the Internet to our servers and PCs, breaks down.

On Wednesday morning, when Symantec's Norton AntiVirus product -- installed on thousands if not millions of PCs -- trundled off across the Internet to pick up the latest load of virus signatures, it came back behaving in a distinctly odd manner. Users reported instances of their PCs locking up or slowing down so much as to be unusable; Symantec itself said that Microsoft Word and Excel were refusing to start.

Elsewhere on the Internet at about the same time, users began noticing other strange behaviour.