2010 Bug Plagues Germany

krou writes "According the Guardian, some 30 million chip and pin cards in Germany have been affected by a programming failure, which saw the microchips in cards unable to recognize the year change. The bug has left millions of credit and debit card users unable to withdraw money or make purchases, and has stranded many on holiday. French card manufacturer Gemalto accepted responsibility for the fault, 'which it is estimated will cost €300m (£270m) to rectify.' They claim cards in other countries made by Gemalto are unaffected."

FIRST NIGGEr

OOk Ook eek eek oo-oo Ah AA!

Re:FIRST NIGGEr

[Ja'Achan]

I'm a clod, you insensitive troll!

Re:FIRST NIGGEr

I'm a tired old meme, you insensitive Soviet Russian!

Re:FIRST NIGGEr

I'm insensitive, you clod!

I wonder how that is compared to the loss from Y2K

[mapkinase]

from TOA

A French card manufacturer, Gemalto, admitted today it was to blame for the failure, which it is estimated will cost 300m (£270m) to rectify.

I wonder how does it compare to the losses from Y2K bug... I know it is hard to compare, because there was an unspecified money loss as part of unnecessary checks, difference in scale, anticipation and efforts to fix before manifestation.

I guess it hits you when you are least expecting.

2010

[s31523]

Who would have thought 2010 was going to be a big deal. We just had a 2010 programming problem at work. Everything worked great in December then in January our software simulation stopped sending the correct time to our hardware. Turns out the simulation handles 2010 incorrectly. We now have to set our PC clocks to 2009 until the team gets a fix out. I bet we see more of this.

Re:2010

[corbettw]

Damn Mayans and their inability to correctly predict the end of the world! It came two years early!

Re:2010

[edmicman]

2 weeks before the new year I found in our legacy code multiple "Y2K10" bugs. We're a health insurance company, and this is for a major national client who is sending us data with a 2-digit year format. There is code all over the place that is making assumptions about how to treat those dates, but it's faulty logic. We've fixed what we've found, but have no way of doing a complete audit so we're just going to have to fix them as issues arise. I love the clusterf*ck that is my job.

Re:2010

[guruevi]

My question is, why the f*** so many systems have issues with their clocks. In just about any language (C, Java, .NET, Perl, PHP, SQL...) there are (built-in) libraries available that do time correctly. If you're unsure on how to store time, Unix epoch is just about the simplest way to store it (it's a freakin' integer), it's universally recognizable and accepted and very easy to calculate with and if you need more precision just make it a floating point number and add numbers after the comma.

I see way too many implementations where people build their own libraries to convert a string into a date format, calculate with it and back. On embedded systems it's even worse. Some hope to save some storage space and speed by building custom functions to store a time format (eg. 2010-01-07 10:50:59 pm) into an integer (201001071050591) and back simply by stripping some characters and implementing the storage part in assembler. When they decide to export to other states/countries however they now have to implement a conversion for timezones and daylight savings time and the code becomes hopelessly buggy and bloated - usually too late to fix it since they already have it out in the field. While they could've just saved time (and storage space) by just storing it as 1278024659 using an (initially) somewhat larger library.

Re:2010

Better make sure you use 'double', not 'float' then, or only use (shorter) time differences, otherwise you won't have more precision, just non-integers...

Re:2010

[digitig]

My question is, why the f*** so many systems have issues with their clocks. In just about any language (C, Java, .NET, Perl, PHP, SQL...) there are (built-in) libraries available that do time correctly. If you're unsure on how to store time, Unix epoch is just about the simplest way to store it (it's a freakin' integer), it's universally recognizable and accepted and very easy to calculate with and if you need more precision just make it a floating point number and add numbers after the comma.

Partly because of ignorance of the libraries, but partly because the built-in libraries simply don't do time correctly. Unix epoch? Rolls over in 2038, so it's no use for dealing with 49 or 99 year land-leases (or the 999 year lease I held on one property). I know somebody who worked on software dealing with mineral exploration rights who had just this problem: Unix epoch simply got it wrong for the timescales involved (and he wasn't allowed to use 3rd party libraries because management perceived that as a support issue). What was he to do but roll his own? And it's very much because people think it's simple, without looking at the actual issues.

Re:2010

[Rockoon]

I think most of the time they are building their own conversions to date formats because they have to. Those standard libraries are great when the date is in a standard format, but multinationals deal with nearly every variation of date encoding known to man.

1-digit years, 2-digit years, 4-digits years, month-before-day, month-after-day, year-first, year-last, decimal-seperators, slash-seperators, dhash-seperators, space-seperators, a-mix-of-seperators, without-day-of-week, with-day-of-week, with-day-of-week-abbreviated, without-english-month, with-english-month, with-month-abbreviation, and all words in many languages.. and different variations on abbreviations..

Even if these guys leverage the standard libraries as much as they can, its still non-trivial to do it correctly. Multinationals arent dealing with data in a single format.

Re:2010

[edesio]

A major bank (Banco Real of Santander Group) in Brazil had a problem on New Years Day: its ATMs would not accept 2010-01-04 (Monday) as a working day. But accept current day (on 2010-01-01) as valid and then send a message stating the transaction would be schedule for 2010-01-04!

Re:2010

[Jah-Wren+Ryel]

And it's very much because people think it's simple, without looking at the actual issues.

Indeed. Time is one of the most problematic issues I've ever had to deal with in my career. There are just so many different special cases like leap years/seconds and corner cases like converting from one timezone to another in the middle of daylight savings time change in or both of those timezones. Somebody ought to write a paper, or even a book, on all the stuff you have to watch out for.

Re:2010

[u8i9o0]

Wait, 2-digit year format? If you're having problems with the transition from "09" to "10", then you'd also have problems with the transition from "2009" to "2010". A Y2K-like bug would mean that the INPUT value is incomplete, or essentially pre-truncated. What you describe is code that intentionally truncates the value itself. The client had better not get any blame for this.

Re:2010

[Hurricane78]

That is exactly where open source shines: Clone just the date/time/calendar part of the (GNU) standard library, and patch it so it works with your needs. Then either offer this back to GNU, and continue to clone every release. Or just use updates of the library, to carefully apply applicable patches to your fork of that part.

You avoid rolling your own custom solution (with all the huge traps inside date/time calculations), and you avoid having to depend on someone else (since you forked it, and can choose to ignore the original and its updates).

Sounds like a great deal to me. :)

Re:2010

[Rufty]

Premature optimization is the root of (most) evil.

Re:2010

[Mr.+DOS]

It sounds like the software assumes incorrect start and end dates for double-digit years; i.e., it interprets 09 as 2009 and 10 as 1910.

      --- Mr. DOS

Re:2010

[digitig]

continue to clone every release. Or just use updates of the library, to carefully apply applicable patches to your fork of that part.

Sounds like exactly the sort of maintenance issue management wanted to avoid in the case I mentioned.

Re:2010

[l0b0]

Planck units since the Big Bang is the only way! Let's see: ~5.4E-44 seconds per unit, ~1.37E10 years since the Big Bang ~= 2.53E53 decimal = 2A4359FEF2C78D94A50F53B75B35AA648000000000000 hex, which should take about 180 bits to store.

Re:2010

"If you're having problems with the transition from "09" to "10", then you'd also have problems with the transition from "2009" to "2010""

Not so. Some hacks to "fix" the problem have a "pivot year". Years before that are interpreted one way, and years after are interpreted another. The full year representation does not require any of that, and would not be liable to the same error.

"The client had better not get any blame for this"

According to his/her/it's post, the client is sending the year over as two digits. That is on them, unless the company the parent poster works for required them to send it that way.

I would like to go on record predicting the year 10k problem set, by the way. When 4 digit years are no longer sufficient. I have patents on fixing this issue, so start the bank deposits now.

Re:2010

[Megane]

The bad news is that your patents will have expired by then. The good news is that the Y10K bug means that your patents will un-expire. So get your head jar ready, because you're gonna be RICH!

Re:2010

[bickerdyke]

it's a freakin' integer

How would you know?

All you have is a blob of bytes. It's about how you interpret them. Even if you store Unix epoch in your Datastore: Who prevents 3rd party software to mis-interpret it as windows-timestamp? Or Bitmap?And thats what happened here. A byte wasn't interpreted as integer, but as BCD number. (or other way round) And no one noticed, as it worked well as long as 0x03 = 00000011 = (BCD)03 = 0000 0011

Re:2010

[shentino]

Holy cow, patents lasting 8000 years?

If IP law ever gets that screwed up then count me among the grateful dead!

Re:2010

[shentino]

Just another case of a PHB sticking his nose where it doesn't belong.

If someone above you on the food chain is telling you HOW to do your job, that's micromanaging, especially when you know more than they do about what you are doing.

Re:2010

[DeadCatX2]

Leap years; did you know that leap years are every 4 years, except every one hundred years, except every four hundred years? (that's why 2000 was a leap year, but 2100 won't be)

Leap seconds.

Localization.

The libraries themselves have a storage size vs. resolution trade-off, so even Unix will have an Epoch Fail! in just a few dozen years.

The new NTP protocol is supposed to have 128 bit timestamps. 64-bit fractional second, 64-bit whole second. This is allegedly small enough to resolve the amount of time it takes a photon to pass an electron at the speed of light, while large enough to provide unambiguous time representation until the universe goes dim.

Re:2010

Before 2000, many programs extended two-digit years by adding 1900. "89" became "1989". During the Y2K fixing frenzy, some evil/lazy/incompetent programmers replaced that code with something like this:
if (year<10) year+=2000;
else year+=1900;
This solved the Y2K problem by replacing it with a Y2K+10 problem.

Another type of problem caused the SMS date misinterpretation and was also only possible with a two digit year format: A two digit BCD number fits into one byte, 4 bits for one digit and 4 bits for the other digit. If you read a BCD number smaller than 10, it looks just like a normal decimal number, but the number 10 in BCD format is different from the number 10 in binary format. Had the year been formatted with four digits, it would have been obvious that it is not stored as a normal binary number and the misinterpretation would never have made it into production code.

Re:2010

[Nicolay77]

Databases.

IT doesn't matter if a C program can use fancy algorithms.

It all depends on the format used to store the data in a DB. Blame the old DBAs from these systems, not the programmers.

Re:2010

[Monkeedude1212]

My phone (HTC Touch Pro 2) or something with my service provider (Telus) has had an issue making all incoming text messages appear as though they are coming from the year 2016.
It's not a huge groundbreaking deal that stops me from using my phone, but any text messages I send appear to have been sent before my post new years recieved texts, making it hard to sort through and read conversations.

Re:2010

[digitig]

Just what we need -- an epoch that changes as science progresses (and estimates of the time of the Big Bang improve).

Re:2010

[Dishevel]

Hmm. They actually could last that long.

Re:2010

[Megane]

Apple did exacly this back in what, the late '90s? Double float time not only means no Y2038 problem, but you can represent a date/time with sub-second accuracy, and math to compute delta times can be done with only one potential scaling round-off at the end when adding to a real time. Representing dates in the (very) far past or future simply loses the sub-second precision.

The only reason it wasn't done sooner was probably because for so long floating point hardware was an expensive option, and software float would have been too slow. Also, before IEEE, there really wasn't a standard format.

Re:2010

[Stooshie]

And the missing 11 days (I worked on a genealogy site)

Re:2010

[rubycodez]

ah, but your happy-go-lucky thinking is exactly what causes problems. Where do your nifty libraries get the time ultimately...from hardware battery backed clocks, which have all manner of time issues and limitations, some even only use 16 bits or less to get time from some esoteric epoch date which might be the year the thing was designed, or the year 2000 or 1970 or 1969 and some month/day.

Your GNU goodness suddenly turns to shit in those cases.

Re:2010

[hrimhari]

Which integer are you referring to? 2-byte or 4-byte? Signed or unsigned? Have you checked how close our dear *nix based systems are to the signed threshold lately? Hint: 28 years.

Re:2010

[The+Flymaster]

What time was it one second after 915148800? Unix time hardly solves all problems.

Re:2010

[aaarrrgggh]

One of the kludges you see with 2-digit input years is assuming that if a number is less than x, you add 2000 to the number for the correct year; else add 1900 for correct year. People (apparently) assumed that by 2010 all the Y2K kludges will be worked around... or just didn't care.

BCD issues are also much more common than I (as a non-programmer) would have ever expected.

Re:2010

[digitig]

Or the person above you in the foodchain might just know more than you about what the company is actually tring to achieve, and/or may be correctly reflecting shared experience which you haven't yet encountered. If you can't deal with that, set up on your own.

Re:2010

[edmicman]

This. It was actually almost exactly that - we're getting a two-digit year value from the client. Legacy crap code that I inherited had essentially "if number less than 10, add 2000, else add 1900". It's fucking retarded is what it is.

Re:2010

[edmicman]

The client is sending us 2-digit years, and the legacy code mess was adding 2000 to anything less than 10, otherwise adding 1900. But why shouldn't we expect people to send 4-digit years now anyway?

Re:2010

[hesaigo999ca]

Exactly, which is what most c++ type date time combos usually are designed like...

Re:2010

it's the 'master race' we're talking about here. Of course, irony will always bite these fools in the ass.

Re:2010

[tom17]

915148801

Tom...

Re:2010

There's a single registry key you can change that'll correct this for any messages received in the future but you'd have to delete the already-present 2016 ones to get them out of the way.

HKEY_LOCAL_MACHINE\Software\OEM\SMS

Add/Change "RecvTimeStamp" to a dword set to 00000001

There are .cab files that just change this registry entry floating around, too, but I don't have a direct download link handy that works without a forum membership.

Re:2010

Planck units since the Big Bang is the only way! Let's see: ~5.4E-44 seconds per unit, ~1.37E10 years since the Big Bang ~= 2.53E53 decimal = 2A4359FEF2C78D94A50F53B75B35AA648000000000000 hex, which should take about 180 bits to store.

Apart from the fact that 1.85E43 plank time/second * 86400 second/day * 365 day/year * 1.37E10 years is about 8E60 decimal that would take 200 bits.
You see how difficult is to deal with dates? Not even Plank unit can help if you are dumb.

Re:2010

[The+Flymaster]

Half right. Under POSIX, it is ambiguous, and could be either 915148800 or 915148801. There was a leap second. And POSIX specifies that a leap second has the same UNIX time as the second before it. Of course, there are plenty of Unix-like implementations that make it so that there were multiple 915148799s, instead. Take your pick, there's an ambiguous second in there somewhere, and you don't really know where it was.

Never mind times before 1970, or future times which are unpredictably ambiguous.

Re:2010

Make that "If you read a BCD number smaller than 10, it looks just like a normal binary number".

Also, if you have to fix code like the above, don't you dare replace a Y2K+10 problem with a Y2K+20 problem. Make the interpretation window slide:
if (year<100) year += ((yearCur + 50 - year) / 100) * 100; //integer division

The 50 in that code is the end of the interpretation interval counted from the current year. If you want your interval in 2010 to go from 1921 to 2020, replace the 50 with 10 (2020=2010+10):

20 + ((2010+10-20)/100)*100 = 2020
21 + ((2010+10-21)/100)*100 = 1921

Note that the calculation even works if year is a 4 digit year, as long as it's in the interpretation interval:

2020 + ((2010+10-2020)/100)*100 = 2020
1921 + ((2010+10-1921)/100)*100 = 1921
1920 + ((2010+10-1920)/100)*100 = 2020
2021 + ((2010+10-2021)/100)*100 = 2021
2120 + ((2010+10-2120)/100)*100 = 2020

If you write unit tests for that kind of code, you should therefore test with dates that are both inside and outside of the interpretation interval (on both sides, close to the interval and far from the interval), or you won't catch bugs caused by missing if(year<100) conditions.

Re:2010

[tom17]

Interesting. Not sure I get the leap second though. From what I can see,

#date -ud @915148799
Thu Dec 31 23:59:59 UTC 1998

#date -ud @915148800
Fri Jan 1 00:00:00 UTC 1999

#date -ud @915148801
Fri Jan 1 00:00:01 UTC 1999


So there is no way of identifying the leap second in our normal representation and unix time just seems to map to that. The leap second has been 'ignored' in both cases. Maybe I am not getting something about leap seconds. What is the correct way of unambiguously identifying that leap second in a conventional time format?

And about the epoch limitations? Maybe we just need a new standard (ha!). 64 bit unix time with an epoch of 2000, or 0000 and just use BC like our conventional formats.

Tom...

Re:2010

[Blakey+Rat]

Presumably their Y2K problem was deferred (not fixed) by adding code that assumed that "01" - "09" should be considered "2001"-"2009", but they didn't include "10", so it is still treated as "1910".

Considering medical software is likely to encounter people in their 90s pretty regularly, it's amazing to me that this hasn't been permanently fixed yet for birthdates if nothing else.

Re:2010

[The+Flymaster]

A leap second is defined as, for example, Thu Dec 31 23:59:60 UTC 1998. It's fairly uncommon, but that's what makes dates so hard. They're complex, and don't work like you'd expect.

And the pre-1969 stuff isn't an epoch limitation, inherently. You could use negative Unix times, since they're signed. BUT. You can't, because a Unix time is defined as a UTC time. And UTC didn't use a SI second before 1972. And they had non-integer leap "second" style adjustments. So...what precise time does Unix time 20032 refer to? Well, you can probably figure out that specific one, but depending on where the adjustments were made...it can be ambiguous. All Unix time does is define that a day is exactly 86400 seconds long. Even if, in reality, the day isn't that long.

And a 1AD epoch is tough, too, because when is that? Extended continuous Gregorian calendar? Julian from some arbitrary-ish Julian end-epoch? Who knows.

Again, this is all edge case stuff that you don't USUALLY have to worry about. Until you do, and it (or some other date issue) breaks everyone's credit card.

Re:2010

[Nefarious+Wheel]

Pity VMS time didn't make it across to NT. It was an integer, too -- number of 100 msec ticks since - wasn't it 17 Nov 1851? Ah, VMS ... what a uniform programming environment that was.

Re:2010

[gilgongo]

In just about any language (C, Java, .NET, Perl, PHP, SQL...) there are (built-in) libraries available that do time correctly. If you're unsure on how to store time, Unix epoch is just about the simplest way to store it (it's a freakin' integer), it's universally recognizable and accepted and very easy to calculate with and if you need more precision just make it a floating point number and add numbers after the comma.

It's human nature. You're a coder. You're writing code all day, solving problems, come up with solutions, you have pride in your work and you like to do it. Using somebody else's code to handle the thorny (and fun!) issue of dates is, well, no fun. So you don't do it. You roll your own.

And you screw it up.

If I had a fiver for every time I've been boggle-eyed seeing people sinking valuable time into writing complex bespoke solutions to issues that could be handled by just calling a couple of methods on an totally common, free library I'd be a rich man by now. Don't get me wrong, I'm not calling all coders retards - they're just proud.

Re:2010

[gilgongo]

There are just so many different special cases like leap years/seconds and corner cases like converting from one timezone to another in the middle of daylight savings time change in or both of those timezones. Somebody ought to write a paper, or even a book, on all the stuff you have to watch out for.

Eh? Isn't that was tzdata is for?

Re:2010

[jc42]

Considering medical software is likely to encounter people in their 90s pretty regularly, it's amazing to me that this hasn't been permanently fixed yet for birthdates if nothing else.

There have been sporadic reports of people aged 104 or 105 getting letters addressed to their parents, from the local school system, telling them that it's time to enroll their child in school for next year. These reports go back to at least the 1970s, and it's still happening.

Re:2010

[BitZtream]

What OS now days doesn't have a 64 bit time()?

Re:2010

[Jah-Wren+Ryel]

That's the whole point - rolling your own time handling routines means you aren't using things like tzdata, you may not even be on a platform where it exists...

Re:2010

[Lunzo]

All those formats you mention are in the standard .NET libraries. I can't remember doing date manipulation in java, but I suspect it has all that figured out too.

Re:2010

[Rockoon]

You havent said anything that I didnt address. Even if you fully leverage standard libraries, you still have to call those libraries correctly. There isnt a ConvertDate(string) function that magically figures out what format the date is in.

Heres an example: "1/8/10"

Is that January 8th 2010? August 1st 2010?

It could be August 10th 2001, or even October 8th 2001.

Thats 4 different dates that all match a format used somewhere in the world, and I havent even gotten the exotic shit yet.

There is plenty of room for complexity no matter how "solved" you claim this problem is. You are arguing from a position of not having to actually deal with the problem robustly in a live mission critical scenario which just makes you an arm-chair hack spitting opinions that arent relevant.

Re:2010

[jgrahn]

Exactly, which is what most c++ type date time combos usually are designed like...

Have you reviewed them all, or what? Care to give an example?

Re:2010

[hesaigo999ca]

Being a developer for 12 years I have had my share of them and thrid party add ons like infragistics or component one....as well as tdbgrid, I tend to shy away from third party as I hate being stuck with vendors more then I do m$.

They had to Queue?

[HiChris!]

"Although some cash machines were quickly reconfigured to override the 2010 problem, many bank customers were forced to queue to withdraw cash over the counter. Germany's economics minister, Rainer Brüderle, urged banks to 'ensure that credit and bank cards function without problem as soon as possible, or to replace them immediately'." My gosh standing in line to get money is so 1980

Re:They had to Queue?

[smooth+wombat]

My gosh standing in line to get money is so 1980

Yes, how horrible it is that for a brief moment in time, people had to revert to an older way which just works (albeit slightly more slowly).

Re:They had to Queue?

[Chaos+Incarnate]

Increasing the wait by an order of magnitude is hardly "slightly more slowly". And that ignores the additional paperwork that's required, too.

Re:They had to Queue?

[fuzzyfuzzyfungus]

The trouble is less in having to do it the old way than in having to do it the old way without notice and in an environment that has shifted toward the new way.

Back when ATMs and POS electronics were uncommon, everyone knew well in advance that they would have to go get cash in order to make purchases, and do so during banking hours. Inconvenient; but everybody knows the score and the system is set up to work that way. If things suddenly shift back, you get a whole bunch of people, many whose first warning is probably some sort of cryptic error at a payment terminal, either stuck outside of banking hours, or swarming the few bank clerks that haven't been replaced by ATMs. Substantially more inconvenient now than it was then.

Re:They had to Queue?

It worked in the past because there were several times more bank tellers. Now it just stalls everything. This really should be obvious to anyone...

Re:They had to Queue?

Queue the stack jokes.

Re:They had to Queue?

[Rogerborg]

Indeed. However, the number of actual humans available to hand out cash - and the amount of cash that they have available to hand out - are at reduced 2010 levels.

I suspect that you wouldn't be so sanguine if mommy sent you out from the basement to get cash, and you were stuck at the back of the queue and wondering if you were going to be able to withdraw enough for your next bag of weed.

Re:They had to Queue?

[samjam]

As a britisher*, I thought "wait in line" was American.

The term I'm familiar with is "queue" as in "get to the back of the queue" and "form a queue please"

While in America I heard the phrase "wait in line"

Sam

*german for british

Re:They had to Queue?

[Sique]

Just some nitpicking: German für "as a british" is "Als Brite".

Re:They had to Queue?

[samjam]

Thanks for that.

I was actually quoting from Commando comics (http://www.commandomag.com/) in which the Germans refer to the british as britishers; but of course that is probably the author trying to put german accent on the germans speaking english.

And thanks to your comment I learn even more:
http://en.wiktionary.org/wiki/Britisher

Britisher is currently rumoured to originate in India!

Re:They had to Queue?

[judugrovee]

I think, you are right, supposing him to add a German sound to it. Maybe some related information. a british -> ein Brite british -> britisch a british man -> ein britischer Mann There you could have your "britischer"; it's the indefinite, male adjective of "britisch". Maybe in spoken language, it could appear alone. In a sentence comparable to this: "A German guy would never queue up; a british (guy) would." Ommitting the noun to avoid redundancy, the stand-alone adjective would be "britischer" in the German sentence. But it's not proper Grammar, of course.

Re:They had to Queue?

[fotoguzzi]

New Yorkers say, "wait on line." For instance, if anyone ever heard Curtis Sliwa on his national radio show, he occasionally used this phrasing. Not sure of the social/regional extent, but I have noticed it all my life from anyone with an obvious New Yawk/Fran Drescher accent.

Re:They had to Queue?

[samjam]

Thanks for that, it is very interesting.

On a similar topic (as the word guy reminds me), in Tigger the Movie, Tigger is made to sound english (as he is) by saying something like "hey, you blokes" which is quite wrong.

A bloke is almost always somewhere else and "bloke" signifies that the identity is not of interest; "I met a bloke" "See those blokes".

Tigger should have said "Hey, you chaps" which is more intimate, or maybe "Hey, you guys"

So he used an english word and immediately identified himself (or the script-writer) as a foreign johnny.

-hmmm, maybe this puts it better:
http://www.urbandictionary.com/define.php?term=bloke
http://en.wikipedia.org/wiki/Bloke

Sam

Re:They had to Queue?

[nospam007]

many bank customers were forced to queue to withdraw cash over the counter.

Local news reported that since only the chip on the cards were wrong, you'd simple had to cover the pins with some adhesive tape to force the machine to read the magnetic strip instead.

OTOH another point of attack is now widely known to the planet.

Re:They had to Queue?

[bickerdyke]

"Germany's economics minister, Rainer Brüderle, urged banks to 'ensure that credit and bank cards function without problem as soon as possible, or to replace them immediately'."

With almost the same words as the german secretary of consumer protection.

If I were working in IT for a bank, my answer would be a press release "What exactly is it this stupid tart thinks we're busy with right now?"

Re:They had to Queue?

[Megane]

Back in the '90s, there were a couple of times when a store's credit card dialup was not working, and they had to pull out the trusty old Addressograph and get an imprint on carbon paper. The hard part was for them to find the thing.

Re:They had to Queue?

[socsoc]

I dont think I could get money from a teller. I walk up, "Hi, I want money" ... "okay fill out this form" ... "i dont know my account number" ... "okay, bye have a nice day then"

Re:They had to Queue?

[socsoc]

That is a similar topic. It has a lot to do with a 2010 bug in Germany cards. Perhaps Tigger was the programmer.

Re:They had to Queue?

[Tim+C]

(albeit slightly more slowly)

Heh, my card was eaten by an ATM a few months ago. Let me assure you that standing in line in the bank to withdraw cash over the counter is definitely *not* slightly slower than using an ATM, and that's when you're probably the only one doing it. When everyone has to, it's going to take a long time. (Especially if people who don't have the correct ID start to argue with the tellers...)

Re:They had to Queue?

[Stooshie]

Stack the queue jokes!

Re:They had to Queue?

[ArsenneLupin]

Yes, how horrible it is that for a brief moment in time, people had to revert to an older way which just works (albeit slightly more slowly).

Yes, but in 1980, there were far more bank clerks around to dispense cash over the counter... So the "older and slower" way actually got much slower than it used to be...

Re:They had to Queue?

[kb7oeb]

That still happens

Re:They had to Queue?

[netsharc]

Interestingly my local (German) bank introduced one-time cards for money withdrawal from their ATMs, it's for large withdrawals that might go over the normal card limit; the way it works is the cashier encodes the amount of money the card will spit out (taken from your account) and probably your account number onto the magnetic stripe*, then you take the card to one of the machines, stick it in, and it spits out the money. You then get the card back and you can throw it away or put it in a collection box. Presumably they are reusable; just put new data and the next customer can use the card.

Unfortunately the stupidly paranoid users think they have to destroy the card, lest some other person take the card and put it in the machine and get the account holder's money. How dumb do you think the banks are, of course such a transaction is not possible!

Thus, the end result is reusable cards (for one-time transactions) end up becoming one-time use cards.

Just thought I'd share an anecdote about how the new way is being used incorrectly.

* or maybe the cashier just associates the card-id with your account and an amount, when the ATM sees the ID it queries the system "from what account shall I withdraw what amount?"

Revenge at last

[egandalf]

It only took 65 years, but they finally got their revenge for those invasions. Subtle, the french are, very subtle and patient. Like mice.

Re:Revenge at last

[FooAtWFU]

Man, they wish those invasions only cost them 300 million, inflation or no inflation.

... I'll </whoosh> myself, thank you.

Re:Revenge at last

[judugrovee]

65 years - you know, that's pretty fast... considering that they are french.
And regarding the subtleness, the plan is almost heroic... for a french.

Actually, I would like to have another nationality, cause right know, telling you that I'm German looks like as if I'm racist...
Understand me, people! I couldn't get money since January 1st! We are eating our shoes over here!!! It's all desperation which brings me so far! Waargh!!!

You had your revenge, please upload the Patch!!!
Délivrez-nous!

"'a'a'aaa, Jaques, zey are crawling on zeir knees. 'ave you 'eard zem lamenting?"
"Bien sûr, zey are sherman."

Re:Revenge at last

[LSD-OBS]

Taco has fixed it. We can get back on topic now. As you were.

Re:Revenge at last

And like mice(*), the Frenchies have a love of cheese.

(*) yes, we all know that mice will not eat cheese if you throw some in their cage.

Re:Revenge at last

[antek9]

Well, setting aside that amount of money in order to reimburse the future victims of your 'revenge' would take some time, now wouldn't it? I don't know about you, but if that was some great French strategy I'd file it under 'epic fail'. ;)

No wonder they can't win a war on their own behalf. Oops, there, I said it... On a more serious note: if subtlety would win wars the world would be quite different from what it is.

Re:Revenge at last

But they still kept the timezone.

Effected?

[LSD-OBS]

Come on, editors.

Re:Effected?

[show+me+altoids]

This is what I came here to say. Should be "affected."

Re:Effected?

[Jojoba86]

All editors please consult this handy guide.

Re:Effected?

[hicks107]

Eye was going two say the same thing. They knead to insure they are spelling things the write weigh.

Re:Effected?

[kazade84]

Wait. Slashdot has editors now?

Re:Effected?

[LSD-OBS]

I must be new here

Re:Effected?

[LSD-OBS]

I no, it happen's alot around hear!

Re:Effected?

"Effected" - as in the cards work as expected. See this comment.

Re:Effected?

If 30 million cards were affected by the bug and have to be replaced, the production of 30 million new cards will be effected by it.

Re:Effected?

[LSD-OBS]

Still completely the wrong use, sorry!

Re:Effected?

[jspenguin1]

The card users' rage was effected by the bug, not the cards themselves.

Re:Effected?

Are you sure?

http://xkcd.com/326/

Re:Effected?

[DoofusOfDeath]

Come on, editors.

I guess it would be insensitive to mention Grammar Nazis right now...

Re:Effected?

[LSD-OBS]

I was counting on it :)

Re:Effected?

[DoofusOfDeath]

I was counting on it :)

So you're what... some kind of Grammar Nazi Hunter?

Re:Effected?

[LSD-OBS]

Taco has fixed it. We can get back on topic now. As you were...

Re:Effected?

Yes, they have "moderators" that their software calls editors. Unfortunately, the job is actually that of selecting inflammatory, wrong, or half-baked submissions and often adding some biased comments to make Microsoft look bad. It isn't actually an "editor" job where they correct spelling, grammar, clarify meaning, etc. It's more of a "if I say MS sucks I can drive more page views" type of job.

Re:Effected?

[Kiralan]

Eye was going two say the same thing. They knead two insure they our spelling things the write weigh.

Fixed it for you :->

Re:Effected?

[nyctopterus]

Curious, but where are you from that "are" and "our" are homophones?

Re:Effected?

[Chirs]

I live in the Canadian prairies (historically farming communities), and in common usage around here "are" and "our" would be pretty close. I think the same would be true for the east coast (Newfoundland, for instance).

Also, "ant" and "aunt" can be hard to tell apart.

Of course this varies by person, education, etc.

Re:Effected?

[psithurism]

Haha, I get it. You're being a grammar Natzi in a story about Germany and France. Haha, Racy.

I wonder if that will effect people! :P

Re:Effected?

Im sory abut this. The spel checker seems to have been efectued by the y10k bug and wee no longer see mispelt words.

  - Slashdott editor

Untested software

[nodan]

Again, it's surprising that such an obvious software bug makes it into the real world. You really can never trust untested software at all. What disturbs me most are the proposed "solutions": the companies issuing the cards try to avoid the exchange of the cards by all means due to the costs involved. However, that comes at the cost of sacrificing the security gained by the introduction of the now ill-functioning chip. What has been mentioned as well was updating the software on the card at the banking terminal - I'm surprised that this is possible at all. Essentially, that opens another huge security gap (which might have been there for a long time but went unnoticed so far).

Re:Untested software

[corbettw]

What has been mentioned as well was updating the software on the card at the banking terminal - I'm surprised that this is possible at all. Essentially, that opens another huge security gap (which might have been there for a long time but went unnoticed so far).

Since you need the card itself and the PIN with that card to update it, it's not really insecure. And having the ability to change software and/or PINs without mailing things all over the place is a pretty reasonable (and handy) ability. The alternative would be for customers to mail in their cards and wait for them to be sent back weeks later; or have two cards that can access your account at the same time, and then depend on the customer to dispose of the old card properly. Those scenarios are much more prone to error than what they're doing in this case.

Re:Untested software

[owlstead]

Essentially, that opens another huge security gap (which might have been there for a long time but went unnoticed so far).

It does not necessarily open up a "huge security gap", that's sensationalism. It does add significant "surface" to attack.

GlobalPlatform cards (used by Visa/Mastercard) have always contained methods to update the Java Card (or other OS) applications on the card. Of course, this requires either signed code or a master key set. One expects this interface to be well tested and certified - and normally they are.

Normally bank cards (and ID cards/passports) don't get updated in the field. I would not be surprised when upgrading the cards would meet serious problems.

Re:Untested software

[rickb928]

Believe me, they they are tested. I know. But they are not always tested well.

- The EMV (Euro MasterCard & Visa, also called chip & pin) specs are complex to say the least. It took 6 months for one team I know of to get to the point that the spec writerd admitted they did not know how it actually worked, and to admit that the actual data did not match the specs. They rewrote the spec based on actual data. Later, the 'controlling authorities' updated their specs to match our results. As if anyone ever really know how it worked. Kinda like taking your new car to a mechanic, having him change the oil, and he says 'gee, this doesn't look like the oil drain to me, but the manual says so. Just let me check'. And sure enough, the manual is illustrating the radiator draincock. Nice. And the car manufacturer is arguing with you that you're wrong, even when you send them a video of coolant coming out of the so-called 'oil drain plug'. Next year, they send you a new page for the manual. Your video is the source of the new pictures. Thanks, guys. You made this, and you got it that wrong?

- Covering the connectors will force the reader to take the stripe if it can, and many do. This is also a scam by some criminals, where they cover the terminals in the reader and force the stripes for all purchases - and snarf your data. These usually don't last long, as this is a characteristic of either a failed terminal or fraud, and someone will be sending a new terminal out to the POS. If they do it again, they will send a body also. Third time usually results in sanctions. Gas stations and small restaurants are favorites for this, but large retailers also get hit of someone can slip in a doctored terminal - usually after stealing one earlier. Mongrel terminals are usually caught pretty quickly, so go in late at night, distract the staff, nick it, fix it up in your car, come right back, and get it back in before anyone notices. Target here in the U.S. got hit by this. So far, no reports from Europe.

Chip & pin is not yet common in the U.S., and I'm not looking forward to it. In England, disputes over unauthorized charges with chip & pin almost always result in the bank ignoring the customer's pleas, and very often result in discovery later that there was a breach elsewhere in the system, like a pin pad. Many a sad tale of widows wiped out, and only after much pain is the truth found. The banks and all are hanging on to chip & pin as the 'final solution' to card fraud. Fat chance.

Re:Untested software

[viralMeme]

> Believe me, they they are tested. I know. But they are not always tested well .. They rewrote the spec based on actual data. Later, the 'controlling authorities' updated their specs to match our results ..

Do you have any reliable third party citations for this ?

Re:Untested software

[nbert]

Covering the connectors will force the reader to take the stripe if it can, and many do.

That's exactly how many retailers in Germany currently deal with the situation. If the customer's card doesn't work they just put some sticky tape on it. The banks affected have also modified their ATMs to fall back to stripe-mode in case the chip has the bug. Of course that is just a workaround, because this "fix" doesn't work internationally.

Re:Untested software

[rickb928]

Actually, I was on the team. I AM the third party.

Re:Untested software

[rickb928]

Internationally, it should. EMV cards in the U.S. are generally only reading the stripe. There are not very many chip & pin terminals here, if any.

We aren't deploying at this time.

Re:Untested software

[nbert]

So those cards would work in the US and Germany. But it wouldn't work in most of Europe and many other places.

Re:Untested software

[rickb928]

Cover the connectors, and disable the chip, and they work most anywhere the reader is dual-mode. Assuming there is no regional restriction.

Not enough dual-mode terminals out there, since they are both a potential security/fraud issue, and the stuff is supposed to *work*. And most European processors are on board.

Re:Untested software

[DamonHD]

Your last point is one of several reasons that I refuse to have Chip-and-PIN for any card that will go near a retail terminal, and I am just now beating up a retailer with the help of my card issuer and the scheme manager over refusing/voiding my PIN-suppressed ("Chip-and-sign") payment even after it had gone through, in defiance of good manners and the scheme "Honour All Cards" rules...

Rgds

Damon

Re:Untested software

[DamonHD]

I was the CTO of a credit-card company. His tale is entirely plausible to me. Indeed I'm not very enthusiastic about the on-line and off-line 'new' security measures to put it mildly and essentially won't now do any (retail) transaction myself that requires them since I believe them to *reduce* security for various reasons. (I've gone back to posting cheques or phoning through 'customer not present' orders for example, and using more cash in person.)

Rgds

Damon

Re:Untested software

You really can never trust untested software at all.

You can't trust any software, period.

Exciting news!

France makes German credit cards. The cards blow up.

Germany makes French cars. I wonder what will happen?

DUN DUN DUUHH......

And by that I mean RAT-A-TAT-A-TAT

Similar Bug Reported Before ...

[foobsr]

Technology: 2016 Bug Hits Text Messages, Payment Processing

Experts (or excellence, YMMV) at work.

CC.

Re:I wonder how that is compared to the loss from

[zaydana]

Moreover, it makes you wonder who much of a problem Y2K may have actually been if we hadn't of looked for all the problems and fixed them.

Chances are things like this would have only been the beginning if Y2K hadn't have been anticipated and planned for, even if we over-reacted. Maybe we should be giving some people more credit than we do...

Re:There are fees for using tellers at some banks

Even worse, some banks charge you a fee if you wait in line for a teller rather than use an ATM for withdraws. Hopefully they waived the fee in this case.

Easy solution . . .

[PolygamousRanchKid+]

. . . use the magnetic strip.

I just saw a clip on a German news channel showing a chick covering the chip on her card with a piece of clear adhesive tape. Apparently this forces a dual card reader to use the strip. But I wasn't listening, so I'm working, you know.

Re:Easy solution . . .

This "solution" has already clogged up several ATMs: the adhesive tape gets stuck inside the machine and blocks the reader, rendering it unusable even for those customers who have an unaffected card. Thank you very much. (Remember that ATMs are designed to prevent manipulated cards from being used, so tolerances are tight. The increased thickness could be something more sinister than tape.)

Re:Easy solution . . .

[PolygamousRanchKid+]

Oh, well. That's brilliant advice for you. At least my chip had no problems today. Being that they showed the tape thingie on N-TV, I wonder how many more machines will be clogged by the end of the day?

Re:Easy solution . . .

Who would have thought that one day the magstripe will actually help us instead of always getting read out by criminals :D

Re:Easy solution . . .

[_merlin]

Doesn't work. At least in Australia, if you swipe a chip'n'PIN card on a POS terminal, it will just tell you to insert it so it can read the chip. There may be a magic code to override this, but you'd need a service manual for each device to find out how to do it.

Remind me of another story...

[langelgjm]

Reminds me of a story I mention every so often. When I was an undergrad, I along with a few other enterprising students discovered that our university ID cards stored our social security numbers in the clear on the magnetic stripe. We eventually brought this to the attention of the school, who rushed to find a solution. They needed a unique identifier that was also not important information. They quickly settled on using our "university ID numbers" - arbitrary numbers whose value had no importance to the individual, and they reissued cards to the entire university.

A few weeks after they finished reissuing cards, one of us discovered that the "university ID number" was a primary key in the school's LDAP database. By using a directory browser, you could look up any student, staff, or faculty member by name, and obtain their university ID number. Since this was the number on their ID card, and their ID card controlled access to buildings, labs, etc., it was trivial to obtain access privileges to pretty much anywhere on campus. Want to make it look like the president of the university broke into the nuclear reactor? Look him up, write his ID number to a magnetic stripe card (we had built the hardware to do this, as well as to "fake" cards, which allowed us to simple type in numbers and generate signals, without actually making a card), and have at it.

Again, it was brought to the attention of the university. After a failed attempt to begin disciplinary action against one of us, they recalled everyone's cards and wrote new, presumably pseudo-random identifiers to them that were not publicly accessible.

Moral of the story? In your rush to fix one problem, make sure you don't create an even bigger one.

Re:Remind me of another story...

[sznupi]

You had a nuclear reactor at your university?

Re:Remind me of another story...

[Xiterion]

How else would you study nuclear reactor physics ;) But really, they are a bit more common than you might think. One particularly fun design is the TRIGA design.

Re:Remind me of another story...

[noidentity]

Moral of the story? In your rush to fix one problem, make sure you don't create an even bigger one.

Indeed. When you find a problem and develop a fix, you are faced with a choice: continue using the old system with mostly known problems and possibly known workarounds, or use the patched system that has one of the known problems fixed, but might have new unknown problems, possibly more severe than the old known problem, and possibly without any workarounds.

Re:Remind me of another story...

I'm not the other poster, but my school did. I stood in the old reactor room, where the core once was.
http://en.wikipedia.org/wiki/Iowa_State_University
"1959 10-KW, 150-ton nuclear teaching reactor is built. Reactor decommissioned and removed in 2000.[30]"
http://www.encyclopedia.com/doc/1P1-24533197.html

Re:Remind me of another story...

[NevarMore]

No the moral is if you're a university you have access to a large number of people who are clever, smart, bored, and willing to do normally expensive work for free.

Kudos for pointing out the bug. It just always baffles me why universities don't do things like using their students as cheap labor while giving them real-world examples of work in their chosen fields or using professors as consultants and advisors from time to time.

Re:Remind me of another story...

NCSU has several... right in the middle of campus....

Re:Remind me of another story...

[systemeng]

Sounds like you went to Reed?

Re:Remind me of another story...

[Chirs]

You didnt? :)

We actually had several reactors. A SLOWPOKE-2 fission reactor as well as a couple of Tokomak style fusion reactors.

They're used in the Physics and Engineering Physics departments for research.

Re:Remind me of another story...

Don't know where he went, but plenty of universities do or did. The University of Virginia ran a reactor for years up on Observatory Hill, just above the "New Dorms," whose cockroaches were suspiciously large, intelligent, and luminescent. The reactor's been shut down; when I was a student, the engineering school's solar car team met there to work on assembly, and each team member was issued a radiation badge.

Re:Remind me of another story...

[harl]

My school did also. It's just a small one. They gave tours. It was really neat to look down into the core. Until I realized that I was looking down into the core.

I thought most large universities had one.

Re:Remind me of another story...

[CNTOAGN]

Not sure of the parent poster's university, but at the University of Kansas there is a small nuclear reactor. It is dormant now and was used by the physicists and nuclear engineers 20 years ago. However, it could be refueled and reactivated pretty quickly if needed.

Re:Remind me of another story...

[Tim+C]

I don't know about now, but when I was there in the 90s Imperial College in London had a nuclear reactor on a different site, and a z-pinch machine in the basement of the Physics building on the main campus (which is next door to the Science Museum in central London). So, I have no trouble believing that the OP's uni had a reactor.

Re:Remind me of another story...

[jimbobborg]

Kudos for pointing out the bug. It just always baffles me why universities don't do things like using their students as cheap labor while giving them real-world examples of work in their chosen fields or using professors as consultants and advisors from time to time.

As an undergrad, if I came up with something in class that was new and marketable, I owned it, not the school. If I was a graduate student/member of faculty, anything I came up with in class/while working was owned by the school.

Re:Remind me of another story...

I would have gone with 'you are a student hacking into a university system, you are suspended or expelled'.

You realize that liberal arts colleges don't need defense grade security systems, right? ....
right?

SSNs are confidential, so I understand wanting to use something else.

Building hardware and software to impersonate someone just to prove a point is at worst criminal, at best mean spirited.

Of course if you are studying in Gitmo, I retract my statement and apologize.

Re:Remind me of another story...

[ThrowAwaySociety]

You had a nuclear reactor at your university?

Lots of big universities have nuclear reactors. Mine did, though it has since been dismantled.

They were all the rage during the middle of the century. Gotta get budding engineers and scientists ready for the Atomic Age!

Re:Remind me of another story...

[Rolgar]

There is a list under the civilian research heading. I lived several guys who ran the Kansas State reactor freshman or sophomore year.

Re:Remind me of another story...

[jmnormand]

Reminds me of the Umass Boston email system. All you need to reset a password is the users email address (ie name) and their id number. what do you think is printed on the front of every Umass id? Not sure if this is the case throughout all Umass but if you go to umass boston dont use your email for anything important. I do know that some people in IT were made aware of this quite awhile ago...

Re:Remind me of another story...

[xaxa]

It seems they are decommissioning it (though I don't know if they're replacing it, or whether there are any other small reactors like it in the UK).

Re:Remind me of another story...

[SnarfQuest]

Ok, so the fact that a lot of student and employee information was easily available to anyone who cared to look wasn't veer considered a problem? Must be a great campus to be on if you want to stalk a fellow student.

2-digit years

[Lord+Bitman]

This is just an "Up yours" to everyone who, after Y2K, decided "But now we won't have to worry about 4 digit years for another hundred years, so let's just use two digit years. What could be the harm?"

Re:2-digit years

Why, does "10" not fit into two digits?

Re:2-digit years

[Lord+Bitman]

If they had just rolled from 2009 to 2010, they wouldn't have this problem. The bug would have been apparent immediately and they would have fixed it then.

Greetings from 2038!

[fotoguzzi]

Hah, hah, hah!

Re:Greetings from 2038!

[hrimhari]

You must mean 1901 : )

How big is a country factory?

They claim cards in other countries made by Gemalto are unaffected.

Which countries were made by Gemalto?

Re:How big is a country factory?

They should hire Slartibartfast, I hear he has experience with fjords.

This won't be fixed quickly...

[MiniMike]

Gemalto accepted responsibility for the fault, 'which it is estimated will cost €300m (£270m) to rectify.'

I hope that money isn't in a German bank...

Re:This won't be fixed quickly...

Or in an Icelandic savings account...

Understandable really

[Chrisq]

I mean, who in the year 2000 could have predicted that a one day the important digit would roll over from 0, 1, 2, ... 9, and back to 0 again? Especially when you are so busy eating cheese and contemplating surrender.

Re:Understandable really

[thht]

I am german and i don't understand the (US-)american hate against the french?! Apparently the propaganda from US-Networks like FOX-News does an excellent job.

Re:Understandable really

[nyctopterus]

Jeez, enough with the stupid surrender monkey shit. Honestly.

Re:Understandable really

[Dr.+Hok]

I mean, who in the year 2000 could have predicted that a one day the important digit would roll over from 0, 1, 2, ... 9, and back to 0 again?

I don't know the details but my guess is that the chip expects year-2000 in BCD (which is traditionally used in trade IIRC), but the machine provides it in plain binary. So the chip fails to dig bit pattern 1100.

Especially when you are so busy eating cheese and contemplating surrender.

You must be referring to the fact that they refused to join the 'coalition of the willing'. IMHO this beats celebrating victory (remember MISSION ACCOMPLISHED?) in a war even before it starts to get real nasty.

Re:Understandable really

[psithurism]

I am german and i don't understand the (US-)american hate against the french?!

Apparently the propaganda from US-Networks like FOX-News does an excellent job.

Most of the French words that were adapted into English don't follow the normal pronunciation rules of the rest of the language (Ballet, Faux) which makes grade school reading really hard and...Actually I have no idea, I'm from the US and I did not know we hated the French. We make fun of our exaggerations of their culture (cheese eating snobs who don't bathe) all the time, but we do that to everybody, including ourselves.

Re:Understandable really

[will_die]

France is in the top places that Americans visit, after Canada, Mexico, UK. Tourism did take a hit in the mid-2000 when the french started to boycott American made products and the weak dollar has not helped.
Most of it is just joking that started more from British TV then anything else as for how false stuff starts just look at your message and your claim that it was Fox news fault.

Re:Understandable really

[True+Grit]

as for how false stuff starts just look at your message and your claim that it was Fox news fault.

Have we forgotten about those 'freedom fries' already? Or DijonGate? And what those spawned?

http://en.wikipedia.org/wiki/Freedom_fries

http://en.wikipedia.org/wiki/Cheese_Eating_Surrender_Monkeys

Take note of where that last one originated, not Fox *News*, but close enough.

And Sean Hannity's fit over POTUS's use of Dijon mustard is hilarious, in a sad, insane kind of way. (google it)

Yes, silly and stupid, and it mainly died out fairly quickly, but the trolls and morons just can't let it go.

So its mainly joking (British & American) and partly redneck arrogance (at least American - do the Brits have an equivalent of rednecks?).

Re:Understandable really

[True+Grit]

and contemplating surrender.

Good thing they didn't do that in 1781, otherwise you and I would still be having to bow to royalty...

Great day for Skimmers

[mseeger]

The problem lies in the advanced security mechanisms (EMV chip). The fix (currently) is to disable advanced security features (either by disabling the chip by taping it or in POS device). I can already hear the Skimmers jubilating. They will profit greatly...
Another problem will be that a lot of people will become wary of security features.

Re:I wonder how that is compared to the loss from

[Nadaka]

The response for y2k was not planned for, and it was not an over reaction.

Y2k issues were known in the 80's. Had IT been allowed to respond in a timely manner, it would have cost much less, been checked more thoroughly and finished earlier. Instead they waited until the last possible moment and poured much more money into it, hiring as many developers as possible to put in a rushed hackjob and then firing them when the hack worked instead of retaining them to vet, verify and implement permanent solutions where needed. This issue is a result of the failure to react apropriately to y2k. The rushed temporary get-it-done-yesterday hacks are starting to fail.

Security problem

I hear people going on about how using the magnet strip is horrible and a security problem. But I don't get it.

People say, the bad guys can easily copy the magnet strip, but not the chip, so taping over the chip is insecure, since it forces use of the insecure magnet strip. Now, what's to stop the bad guys from just copying the magnet strip anyway? ATMs and other card readers seem to work just fine with chipless cards, so having no secure chip on the card should be no problem for them.

Could anybody explain?

Re:I wonder how that is compared to the loss from

Moreover, it makes you wonder who much of a problem Y2K may have actually been if we hadn't of looked for all the problems and fixed them.

I think you mean "if we hadn't have looked", or more simply, "if we hadn't looked". The "of" you used sounds like the contraction of "have" ("'ve").

Suppression of costs via minimizing testing.

[master_p]

I don't know the exact nature of the bug, but I know that in the current economic crisis, managers first and foremost look for minimizing costs. This has laid to reductions in personnel, and ultimately in testing problems: not enough people to test the software and the people that are assigned the testing job are not experienced enough to do it properly.

I experienced this personally: I worked all throughout 2009 on a project that should have been ended by the end of 2008, because the contractor has laid off several people and they were unable to fully come out with a good specification and testing of their system. Most of the errors became apparent through the testing done by us, the subcontractor. The contractor was French, by the way.

Re:Suppression of costs via minimizing testing.

[Dr.+Hok]

I agree. In my experience, testing is usually cut down first when it comes to cost reduction, because the bosses can't see the benefit of testing. They never learn, it seems.

Re:Suppression of costs via minimizing testing.

[RAMMS+EIN]

The question is if this is actually a bug that testing would have caught. The problem is that you can't test _everything_. So what you do is come up with a few scenarios, and you try to at least test the happy flow and the corner cases that you think might cause problems. For numbers, that's usually things like 0, 1, -1, 2^n for various values of n, -2^n for various values of n, and, in the case of years, probably things like 2000, 2100, and past dates if your system has to deal with those (1979, 1969, and 1899 might be interesting). The numbers 2010 and 10 are not usually problematic and not usually tested. Perhaps that will change now, but, really, who would have thought 2010 would be a problem?

What would have caught this bug, I think, is not testing, but code review. For this bug to occur at all, the code must have done some pretty funky year handling. That would definitely have raised my eyebrows and prompted further investigation, especially with Y2K still in mind. I can't guarantee that the bug would have been found by code review (after all, it's easy to overlook bugs in code), but I do give more of a chance to code review than to testing, in this case.

Unix epoch does not have to end in 2038

[Chemisor]

2038 is only the limit on 32bit platforms. On a 64bit platform time_t is 64bits, which will last "forever". We are already significantly on the way to switching to 64bit-only CPU operation, and I'm going to bet that by 2038 we'll switch completely, if only to avoid the end of time. Heck, if you could only have a working 64bit flash plugin on Linux, all Linux users would go 64bit already.

Re:Unix epoch does not have to end in 2038

[aaarrrgggh]

...so, what do you do when you wrote a program on a 32-bit platform 10 years ago, and it is still running?

Re:Unix epoch does not have to end in 2038

[PitaBred]

...we don't? So what is it that I'm using? The Adobe alpha 64bit Linux Flash release really is quite stable and works well for me. It's the only platform to actually have 64bit Flash, IIRC.

Re:Unix epoch does not have to end in 2038

[ArsenneLupin]

Heck, if you could only have a working 64bit flash plugin on Linux, all Linux users would go 64bit already.

The flash plugin is not the only binary thing missing on 64 bit Linux.... and it's quite ironic to see this kind of comment after an article about Gemalto.

These people would rather give you a blowjob than recompile their Linux driver on a 64 bit CPU!

Re:Unix epoch does not have to end in 2038

[Rolgar]

Here it is. Unfortunately, I think there is plenty of non compatible hardware out there that will be running 32-bit Linux for a while.

Re:Unix epoch does not have to end in 2038

[default+luser]

I thought the big complaint on Linux was you couldn't run Firefox in 64-bit mode with 32-bit plugins (hence the 32-bit Flash complaint). I thought Linux in 64-bit mode could run legacy 32-bit application just like Windows. Am I wrong about this?

Or are there, say, compatibility issues using 32-bit and 64-bit libraries, or something of that nature?

Re:Unix epoch does not have to end in 2038

[ArsenneLupin]

I thought the big complaint on Linux was you couldn't run Firefox in 64-bit mode with 32-bit plugins (hence the 32-bit Flash complaint).

Unfortunately, this Gemalto middleware is also (a kind of) Firefox plugin.

I thought Linux in 64-bit mode could run legacy 32-bit application just like Windows. Am I wrong about this?

You can run 32 bit applications on a 64 bit system, but you obviously can't mix 32bit and 64bit within a single executable (...hence the problem with Firefox plugins).

Or are there, say, compatibility issues using 32-bit and 64-bit libraries, or something of that nature?

If you want to run 32 bit applications on a 64 bit system, you need to install 32 bit libraries (usually under /lib32 and /usr/lib32) in addition to your normal 64 bit applications.

Well, you can install a 32 bit Firefox (hosting 32 bit plugins) on a 64 bit system, and that's basically what I do in order to use my Lustrust crypto stick. But it's a hassle. A real 64 bit version would be so much easier.

Re:Unix epoch does not have to end in 2038

[kamochan]

...switching to 64bit-only...if only to avoid the end of time.

This has to be the coolest reason for 64-bitness, ever!

Re:Unix epoch does not have to end in 2038

[Chemisor]

I'm glad it works for you. Unfortunately, on my 64bit Arch it reliably crashes, unable to show even the simplest Flash app.

Re:I wonder how that is compared to the loss from

[WinterSolstice]

I was running a Y2K lab at my company from 1999 to 2000, and we found a TON of serious problems. Nearly all of our internal stuff had major issues, as well as email, phone systems, backup systems, and several operating systems.

The tests I ran went from 1998->2012 in one year increments (with full tests by all teams at each year step) and most of those problems were nailed down.

I'm guessing not all shops tested much further out than 2001 or 2002 - probably due to poor planning and lack of funds. As it was we had to cut ours back to 2012 because of budget constraints, so I can only imagine other shops did likewise.

Re:I wonder how that is compared to the loss from

[shentino]

I suspect it's also aggravated by a bunch of sleazy contractors taking advantage of desperate clients who know that they're about to get bit in the behind, and deciding to cheap out and do a half-assed job in the first place.

Seriously, after what caused Y2K, only a complete moron or a crook would add 2000 to a single digit in a barcode.

Wow!

[Linuxmonger]

Wow, somebody stood up, said it was their fault, and took responsibility - what a rare moment in the business world. I offer my gratitude and wish them well on what will undoubtedly be a perilous journey.

problems indeed

[Golden_Rider]

My card is working fine, but my parents had this problem today - both my mother's and my father's card did not work at the ATM with (for them) cryptic error messages, so they had to get money over the counter. What's most annoying about this is that when they got home, they checked their online banking website to see if there were any news there and saw that even though my mom's card got rejected at the ATM, it still showed the 100 euros she wanted to get at the ATM as having been withdrawn, even though she did not receive any cash.

Re:There are fees for using tellers at some banks

[shentino]

How convenient then that the ATMs were down...

I seriously do not get it.

[jhoegl]

How does code get written to misinterpret a date? Why does code do anything to the date except to display the date or to poll data based on the date and the some how read a "10" as... "OMG MOTHERFUCKIN SNAKES ON A MOTHERFUCKIN PLANE"? Srsly, any examples out there? I am sure this isnt some big conspiracy, but I just cant imagine code that would shut down entire systems based on a date.

Re:I wonder how that is compared to the loss from

[hrimhari]

The rushed temporary get-it-done-yesterday hacks are starting to fail.

Wonderful rant, but pray tell, how does this issue link to y2k hacks when it's an update to previous cards limited to German market? Have you inside knowledge from Gemalto of what motivated the aforementioned update and the reason they used such a way to represent the year in that particular geographic location?

Re:I wonder how that is compared to the loss from

[inviolet]

Y2k issues were known in the 80's. Had IT been allowed to respond in a timely manner, it would have cost much less, been checked more thoroughly and finished earlier. Instead they waited until the last possible moment and poured much more money into it, hiring as many developers as possible to put in a rushed hackjob and then firing them when the hack worked instead of retaining them to vet, verify and implement permanent solutions where needed.

You forget TVM. Money spent fifteen years later is waaaaaaay cheaper than money spent today.

Plus, by waiting until the last minute, no labor was wasted in pre-fixing systems that would already be obsoleted by 1999. Guess what, lots of systems that were in use in 1980 were no longer in use in 1999 and so early Y2K fixes would've been a waste of time.

This issue is a result of the failure to react apropriately to y2k. The rushed temporary get-it-done-yesterday hacks are starting to fail.

Oh pipe down, it's nothing of the sort; these cards are not that old. They just skimped a bit on QA.

Yup, Symantec even has a Y2010 bug...

[MufasaZX]

Starting on 1/1/2010 Symantec Endpoint Protection Manager v11, the software that pulls down updates from Symantec and pushes them out to all the client systems, started repeatedly downloading the same virus def over and over and stashing them in randomly named temp folders on the C drive at the rate of about 1GB/hour. Party. Lots of folks on the Symantec support forms are experiencing the issue. Purging the temp folders and upgrading to the recently released v11 RU5 fixes the problem, but those without current support contracts to get the updates would be kinda screwed...

-c

Re:I wonder how that is compared to the loss from

"it makes you wonder who much of a problem Y2K may have actually been if we hadn't of looked for all the problems and fixed them."

Maybe if you assume that the economic losses due to such a bug are insignificant compared to the manufacturer's cost of correcting the bug.

Re:I wonder how that is compared to the loss from

[boule75]

The estimated cost relates only to the "no-workaround" option, if all the cards were to be replaced.

By the way : Symantec Endpoint Protection is affected by a 2010 bug too. SNAC users are not happy.
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010010308571348

Untrusted software and auditing agencies...

[ArsenneLupin]

The funny part is that this kind of software (and the companies that make it) must be audited by consultants specifically habilitated to do this kind of auditing (such as BSI...). In order to guarantee that the auditors have the necessary skills and integrity to perform such audits, they have to be audited and certified themselves by yet other consultants, who in turn get audited by even higher level auditors. Turtles all the way down...

But somehow, all this auditing, code reviewing and certification doesn't manage to uncover a simple date encoding bug.

It's actually worse: if during routine maintenance, a employee, partner or customer stumbled across the bug, he would be dismissed as mistaken, because such bugs are just not possible, or else the very strident auditing would have caught it.

... and now, the emperor is standing there alone on hangman's hill, without his underwear, trying hard to conceal a huge hardon with his hands... What the hell did happen to his fine clothes?

Obvious?

[jotaeleemeese]

How do you know it is obvious?

It could have been buried deep in the innards of code decades old.

OpenVMS native time is pretty foolproof.

Hi,

As an unrepentant OpenVMS fan, I have had to do some system programming dealing with
date/time issues. The native timekeeping uses 64 bit integers and midnight preceding
November 17, 1858 as the epoch. http://en.wikipedia.org/wiki/OpenVMS#Timekeeping

Although it takes a bit of trouble converting these dates to human readable form,
it rules out any rollover errors until July, 31 31086 02:48:05.47.

Perhaps we should standardize on this?

Bob Dobbs

Problems in Asia too?

[Dionysus]

Just got back from a trip in Asia (Vietnam and stopover in Thailand) and had problems using my creditcard. Wondering if it was related? (Only brought one creditcard so had problems at some stores and the airport in Bankok)

Re:I wonder how that is compared to the loss from

[Rich0]

You know, companies make the conscious decision to not have permanent staff to oversee contractors. They get what they pay for. That doesn't excuse contractors, but there is this thing called due diligence.

Also, I'd say there is a 90% chance that the contractor spelled out exactly what they were doing and its implications, and somebody in the company signed off. Maybe they didn't read it all, but it is just as likely that they were given the choice of $600k to do it right, and $500k to do it cheap, and they picked the latter. Saving $100k probably got the decision-makers bigger bonuses, and by now they're all in different jobs or retired anyway.

The problem is that companies are WAY too short-sighted. As a result stuff like this never shocks me.

It's the Year 200A

Finally time to release C++0x?

Re:I wonder how that is compared to the loss from

[orgelspieler]

What's that line Wally says to Dilbert when PHB announces a cash reward for finding and fixing bugs in their own projects? "I'm going to code myself a new minivan." Or something like that.

Re:I wonder how that is compared to the loss from

[Darinbob]

The longer you put something off, the more likely it will become someone else's problem.

two digit year of birth

[formfeed]

I would suggest to just switch to a one-byte storage format, this way we all can live up to 255 years, before insurance companies send us stupid letters intended for families with young children.
But then again, if anyone ever makes it to 127, she might turn -128 the next year. If only there were a solution to this problem..

Bad data format specification

[SplashMyBandit]

I still see bad date formats specified in many projects I work on (not from me of course). People are still in love with entering two digit years and compressing things to shave off a bit here and there. This might make sense for high-volume data entry but for regular applications it is a vile practice. You then have to start guessing what century people mean and what the date offset is (is it 1970? 1979? 1990? 2000?). Things like date of births get very complicated since some people live past 100 and you don't know what century they belong to. All because they've broken the most fundamental rule of software systems, which is (wait for it ....):

Don't lose information.

If you have information (a four digit year) then don't throw it away (store as a two digit, or one digit [hex] year). Don't ask the user for a two digit year since it doesn't have enough information to compose a four-digit year without some (risky) guessing.

Every time I see a two digit year specified for software I want to scream, "DIDN"T YOU LEARN *ANYTHING* FROM Y2K!".

Fortunately there is a solution. It is the ISO 8601 specification for representing dates in text format. It simply says use something like:
2010-01-08

You don't have to use this in the user interface, just use it everywhere else dates are represented as strings. This format also sorts properly using regular alphabetic string sorting and is internationalized (unlike dd-mm-yy or the crufty US system of mm-dd-yy). Hope this helps some of you developers, architects and analysts out there. Two digit dates are the plague and anyone using them should be stripped of their license to practice in IT (what? there's no license to practice IT? no wonder so many bad design decisions are made!). Use ISO 8601 for date strings and most of your date problems will disappear.

Re:I wonder how that is compared to the loss from

the world is going to end anyways, so there's no sense programming past that.

By not hitting you

[Estragib]

I guess it hits you when you are least expecting.

Shouldn't that be, "It hits you when you are most expecting it"?

I'd reckon the unnecessary checks and public panic to have been much more expensive than EUR 300m.

Those who don't learn from the past.

[Drethon]

Um yeah...

Re:I wonder how that is compared to the loss from

[Nefarious+Wheel]

I was running a Y2K lab at my company from 1999 to 2000, and we found a TON of serious problems...

My wife was in charge of a Pick-based hospital IS back then. She put in a huge number of extra-long days getting the dates expanded so the hospital wouldn't have to "go manual" on 1-Jan-2000. She made the deadline, but it nearly killed her. Hospital administrators then gave her a sledge for making such a big deal over it, because clearly it was all a farce - nothing happened as a result of the date changing to year 2000.

The loss to her was any further interest in an IT career. She's now teaching immersive medieval history to a number of schools, where her work is at least appreciated by her clients.

Re:I wonder how that is compared to the loss from

[Purity+Of+Essence]

Instead they waited until the last possible moment and poured much more money into it, hiring as many developers as possible to put in a rushed hackjob and then firing them when the hack worked instead of retaining them to vet, verify and implement permanent solutions where needed.

So it's exactly like the game industry?

Re:I wonder how that is compared to the loss from

[WinterSolstice]

Yeah - this was a real killer for me too. The company I was at was extremely grateful (thank goodness) but I keep seeing all these idiots who were not involved (either because they were still in school 10 years ago, or because they just don't get it) and it really does get me.

I think Y2K, the massive outsourcing wave that followed, and the complete destruction of IT as a viable career has really not yet caught up with us.

It will. The 2010 thing is just part of it. When the rest of the really skilled and dedicated people (like your wife, and many many others) have left, the void will be huge. It also won't be noticed for quite a while, because a side effect of a well designed system is that it can stand for quite a long time.

When it falls, however...

"Much that once was is lost, for none now live who remember it."

I think I got stung by this too.

[AbRASiON]

My bank called me 4 days ago and told me my card was 'compromised' and Mastercard had contacted Bankwest (Australia) to inform them of a list of cards with 'security issues'. It never occured to me this might be the same issue as the 2010 / 2016 one.
Traditionally when your bank calls you and offers a card swap over, it's a pretty quick process, however it's been 4 days and nothing so I'm thinking it's quite possible they got stung too.
Looks like it according to this too.
http://www.brisbanetimes.com.au/business/welcome-to-2016-eftpos-glitch-spreads-20100105-lqus.html?comments=19

Re:I wonder how that is compared to the loss from

[Nadaka]

Do I "KNOW"? No I do not, no personal knowledge in this precise case. It is however practically the same problem. Someone screwed up the date format. It has been happening all over the world in a very similar way. I have heard some other cases where the issue has been tracked back to y2k hacked fixes.

Re:I wonder how that is compared to the loss from

[mgblst]

Yes somehow loads of countries who didn't spend big on y2k, like Italy, managed just fine.

Is there such a thing as obsolete code?

[jc42]

Plus, by waiting until the last minute, no labor was wasted in pre-fixing systems that would already be obsoleted by 1999.

Yeah, but recall that in the Y2K bugs were mostly found in corporate COBOL programs, and COBOL code doesn't get retired. It just accumulates in the musty corners of old runtime libraries. There was a lot of COBOL code from the 1960s that was patched for Y2K

To see how bad the COBOL retention syndrome is, consider that IBM has had to supply emulators of older processors, so that customer companies could continue to run binaries for which the COBOL source has been lost. Yes, it really is that bad in the corporate DP/MIS/IT world. Of course, the binary-only programs generally couldn't be fixed for Y2K, and had to be rewritten. But they were rewritten by people adapted to the same corporate culture, and made the same mistakes in date/time handling that they've always made.

I remember reading a story by a fellow who got curious about the date problems in COBOL code, and started collecting examples of COBOL date-manipulating code. He said that when his count of the number of different date formats passed 180, he decided that he understood the problem quite well. This is still going on, as can be seen by looking at the date-handling code in newer software, and we still have the same problems.

Just last week, I gave a demo of some web code that I've been developing for a (mercifully) unnamed client. During the demo, some of the screens exposed the fact that the code internally saves all dates in ISO standard form, for the UT "time zone". I assured them that I could add the obvious translations to local time fairly soon, but this turned out not good enough. They were insistent that they didn't want the code "working on European time", and wanted the internal times all in local time. This despite the fact that they (and their visitors) are scattered across about 10 time zones. Just displaying all times in the local zone isn't acceptable; they object to Universal Time internally on general principles. I've seen this repeatedly on a lot of projects. It tells you a lot about why our software continues to have time-handling problems, whenever any particular ad-hoc time representation reaches a value ending with some number of zeroes (in base two or ten).

It was really funny a few days ago, when we read about spamassassin's bug triggered by the first day of the year 2010. I predict that we'll get reports like this in every year ending with a zero, for as long as any of us is alive. ;-)

Re:I wonder how that is compared to the loss from

[jc42]

Y2k issues were known in the 80's.

Actually, they were known in 1970. During the first months of that year, a lot of banking software went insane. This is because banks had a lot of 30-year mortgages, and assorted other things of the same duration. For some reason, the banking system has long settled on 30 years as a reasonable "long-term" period for a lot of their business.

So in January of 1970, there were many reports of bank computers treating their oldest mortgages as having an expiration date in 1900, meaning that the loan had been paid off 70 years earlier, and the computers would no longer accept payments on such loans. In some cases, the computers started sending harrassing letters about the loans that weren't yet paid off, and overdue by 70 years. Depending on just how the date code worked (and failed), some very bizarre misbehaviors resulted.

Date-based bugs don't always wait for the critical date to manifest themselves. Any time the software has to deal with future dates, the bugs can pop up well before the critical time. They're just more visible when "now" passes a critical time, because "now" is on the other side of the divide from most of the previous dates stored in the databases.

(So far, I haven't read of any bugs that screwed things up more than 30 years before a critical date. But it wouldn't surprise me.)

Why 10?

Why 10?

Surely the program doesn't have to represent 1910 and earlier? Besides which, any program that deals with 1910 is very likely to deal with 18xx and therefore wouldn't have Y2K problems in the first place (as the original programmer would have had to use 4* digit date codes). And if the cycle point could have been put further in the future, then it was extremely foolish of the Y2K compliance guy to put the cycle point so close in the future, where they might get their not-yet-dead butts sued (not that foolishness isn't a huge part of this decade-long debacle).

Besides, is that even technically a 2010-specific bug (this bug spate seems to be related to BCD->hex transliteration)? I mean, the Y2K compliance programmer could have picked 13 or 42 or 8 or 35 as the cycle point - and it's just a coincidence that they picked 10 (probably because it's a round number).

* Technically, they could have gotten away with using 3 digit codes, which WOULD have meant Y2K problems - but even this "fucking retarded" hack would have still not kicked up problems until ~900 years in the future (and I might have to kill myself if I thought for a second that such crap code could be in use ~900 years from now).

PS. If your solution was something APART FROM "push the cycle point forward" (or worse, futz with the clock - thereby adding a second layer of kludge), I'd be thrilled to hear it (assuming it doesn't violate an NDA).

This is not Y2K

[dfuess]

The date jumped from 09 to 16 when the digits went from 09 tp 10. So what programmer in his right mind interprets any part of a date in HEX? Y2K was caused by programmers seeking to save space. This bug was caused by a programmer interpreting the last two digits as HEX! This was just a bonehead mistake not a space saving measure. So I really do not understand all the comparisons to Y2K. Just because they were errors in date fields does not make them the same at all.

Retrieval? Information? Noooo

I have an account with a German bank.

Today - a working week after the issue became apparent - there's still nothing on their website, their call center has no idea what to do and even more senior staff can't tell me if my cards are affected.

My experience here http://youmustbefromaway.blogspot.com/2010/01/y201k.html

Re:I wonder how that is compared to the loss from

[Nadaka]

I am sure, I just wasn't around to know about them in the 70s.

Re:I wonder how that is compared to the loss from

[mapkinase]

"By the way : Symantec Endpoint Protection is affected by a 2010 bug too"

Oh, the irony.

Latin in sig is incorrect

[SpammersAreScum]

That should be "viditur", not "vidutar"; Latin verbs don't end in -ar, but (deponent) ones do end in -ur. And, as you might guess from the "vidi" prefix, "appears" would be a more literal translation than "sounds".

Re:Latin in sig is incorrect

[l0b0]

Thanks - Never had Latin in school, and I've seen at least three variants, so I just picked one :)