
BCS says - Don't trust Contract workers - Official !


Paul Perrin
Jan 21, 1997

OCR'd from Computer Weekly.
---
ORGANISATIONS are vulnerable to the threat of logic bombs being put into
computer systems during conversion work for millennium and European
monetary union compliance.

That concern was raised by Judith Scott, chief executive and
secretary of the British Computer Society. Logic bombs are software
designed to sabotage users' systems.

"These two IT projects expose more systems to being changed than
at any time in the history of the profession," Scott said. "Because of
the volume of work much of this will be done by contractors and unknown
people. Therefore there is a need to consider security. There is a risk
that security bombs could be placed in software opened up for legitimate
purposes."

Scott urged users to check their systems. "Organisations should
have an independent group of people to ensure that there are no time
bombs after 2000."
---

'much of this work will be done by contractors'
'There is a risk that security bombs...'

The cheek of the woman! I hope all contractors and freelancers who are
currently members of the BCS will be resigning - unless she does first!

----------------------------------------------------
Paul Perrin /)/+)
Freelance trading as Immediate Data Limited:-
http://www.cix.co.uk/~idltd
----------------------------------------------------
Admatic - Instant free classified advertising
Fastest search on the Web! http://www.admatic.com
----------------------------------------------------

ps. I posted this the other day with a different subject line, but as
there was no response at all -- I assume no one saw the body of the
message... So I am reposting with a different subject line.


Martin Tom Brown
Jan 24, 1997

In article <VA.0000001...@idltd.co.uk>
Ad...@admatic.com "Paul Perrin" writes:

> OCR'd from Computer Weekly.
> ---
> ORGANISATIONS are vulnerable to the threat of logic bombs being put into
> computer systems during conversion work for millennium and European
> monetary union compliance.

It is true that modifying a system always exposes extra risks.



> That concern was raised by Judith Scott, chief executive and
> secretary of the British Computer Society. Logic bombs are software
> designed to sabotage users' systems.

Isn't this action strictly illegal in the UK or are there loopholes?



> "These two IT projects expose more systems to being changed than
> at any time in the history of the profession," Scott said. "Because of
> the volume of work much of this will be done by contractors and unknown
> people. Therefore there is a need to consider security. There is a risk
> that security bombs could be placed in software opened up for legitimate
> purposes."

This ignores the historic data that most logic bombs so far have
been added by disgruntled permanent staff fearful of dismissal.
The rash of downsizing and outsourcing deals has been particularly
risky in this respect. I personally don't like the idea of secure
computer databases being managed and operated by the cut-price gang
who offered the lowest bid and the worst staff conditions. YMMV

> Scott urged users to check their systems. "Organisations should
> have an independent group of people to ensure that there are no time
> bombs after 2000."

This is still good advice whoever makes the changes, even innocent
mistakes can still cause trouble if they are a result of the work.



> 'much of this work will be done by contractors'

I would be more worried that they don't check the credentials of
contract staff as being appropriate to the data they may handle
while working on site or commissioning.

> 'There is a risk that security bombs...'

That risk is ever present contractors or no contractors.

> ps. I posted this the other day with a different subject line, but as
> there was no response at all -- I assume no one saw the body of the
> message... So I am reposting with a different subject line.

I would guess the readership of uk.org.bcs.misc to be all of two dozen,
let's see if this reply sparks off some debate.

Regards,
--
Martin Brown <mar...@nezumi.demon.co.uk> __ CIS: 71651,470
Scientific Software Consultancy /^,,)__/


Newsmaster
Jan 25, 1997

In article <32e727f5.637459@news>, John Sullivan
<jo...@vernonbowles.co.uk> writes
>Paul Perrin <Ad...@admatic.com> wrote:
>
>>...
>>...concern was raised by Judith Scott, chief executive and
>>secretary of the British Computer Society. Logic bombs are software
>>designed to sabotage users' systems.
>>
>>"These two IT projects expose more systems to being changed than
>>at any time in the history of the profession," Scott said. "Because of
>>the volume of work much of this will be done by contractors and unknown
>>people. Therefore there is a need to consider security. There is a risk
>>that security bombs could be placed in software opened up for legitimate
>>purposes."
>>...

>>ps. I posted this the other day with a different subject line, but as
>> there was no response at all -- I assume no one saw the body of the
>> message... So I am reposting with a different subject line.
>>
>Interesting post, Paul. I have taken the liberty of sending a copy to
>Mike Cullen, chair of the Independent Contractors sub-group and
>himself a BCS council member. I have asked him to post his reply
>here.
>
Meanwhile, I don't really understand what Paul's problem with this might
be.

It is true that a large amount of Y2K compliance work will be undertaken
by contractors, if only because a lot of organisations don't have
sufficient "spare" permanent employees to do the work. The same is true
of routine day-to-day maintenance in many companies - only the other
week, Computer Weekly highlighted the fact that Mercury Communications
had, until very recently, 70% of its IT staff as contractors. The IS
Director Uwe Natho's stated aim is to reduce the contractors to 30% of
total staff. That's still a fairly high number - almost one contractor
for every two permanent, so even there it is likely that some Y2K work
will be undertaken by contractors (unless his plan is to put the
"permies" on the Y2K work, and use the contractors for the routine
"business as usual" maintenance and enhancements).

Of course there is a risk of logic-bombs being planted, but what right-
minded contractor with a professional attitude would risk their future
job (and financial) prospects by doing such a thing in code they have
been specifically hired to modify? Such bombs could equally (or more!)
easily be placed by disgruntled "permies" who don't intend to be around
with their current employers for much longer.

Don't get me wrong - I'm not trying to trivialise this issue by any
means, but it must be seen in perspective. Judith did not say that BCS
and/or ICC members should be avoided - she just seemed to be pointing
out the obvious (or maybe not so obvious, if they needed to be spelt
out) dangers that have always been inherent in having "outsiders" modify
your core business applications.

Maybe more advice to employers is needed to suggest they be more
cautious about which contractors they take on for the job - go through
reputable agencies (who should be able to recognise the "cowboys" out
there), insist on references, etc.
--
John Dexter
Managing Director, Westfarthing Ltd
IT Consultants

Bob Milsom
Jan 26, 1997

On Fri, 24 Jan 97 10:00:09 GMT, Mar...@nezumi.demon.co.uk (Martin Tom
Brown) wrote:

>
>I would guess the readership of uk.org.bcs.misc to be all of two dozen,
>let's see if this reply sparks off some debate.
>

Martin, I'm in rough agreement with everything on this thread so far;
what about the other two people who follow the newsgroup? :-)

--
Bob Milsom (edit reply-to: header)
PGP ID: C9A64C0D from the MIT keyserver
PGP sig: 727E 7116 E2D0 CE9E E032 22F3 253D C83F

Richard Avery
Jan 28, 1997

I think there is a risk with any system where large numbers of outside
staff are brought in that inadequate management will mean either
substandard work or (possibly) deliberate sabotage. This applies equally to
outsourcing where systems are put into the hands of outside bodies, and
often to in house developments too.

As a contractor though I would obviously have preferred the statement to include
something about choosing contractors who are members of reputable
professional bodies!


--
Richard Avery, e-mail:Richar...@nortel.com
The content of this message represents personal opinion and is not in any
way representative of Nortel.

Paul Perrin <Ad...@admatic.com> wrote in article
<VA.0000001...@idltd.co.uk>...


> OCR'd from Computer Weekly.
> ---
> ORGANISATIONS are vulnerable to the threat of logic bombs being put into
> computer systems during conversion work for millennium and European
> monetary union compliance.
>

> That concern was raised by Judith Scott, chief executive and

> secretary of the British Computer Society. Logic bombs are software
> designed to sabotage users' systems.
>

[Snip]
>

E. Spires
Jan 28, 1997

Like you, I find it difficult to understand why the BCS should
apparently profile contract workers as potential criminals and/or
terrorists.

Let's hope that this was merely an unfortunate 'slip' of the public
relations pen, and not a glimpse of an emerging policy.

I'm not a contract worker myself. However, the younger readers may see
few alternatives to contract working. Many of these potential new
recruits to the BCS might feel offended by what they have read.
Perhaps the public relations ledger should now be balanced.
Potential new members ought to feel respected and welcomed.


Eric

Paul Perrin <Ad...@admatic.com> wrote:

>OCR'd from Computer Weekly.
>---
>ORGANISATIONS are vulnerable to the threat of logic bombs being put into
>computer systems during conversion work for millennium and European
>monetary union compliance.
>
>That concern was raised by Judith Scott, chief executive and
>secretary of the British Computer Society. Logic bombs are software
>designed to sabotage users' systems.
>

>"These two IT projects expose more systems to being changed than
>at any time in the history of the profession," Scott said. "Because of
>the volume of work much of this will be done by contractors and unknown
>people. Therefore there is a need to consider security. There is a risk
>that security bombs could be placed in software opened up for legitimate
>purposes."
>

>Scott urged users to check their systems. "Organisations should
>have an independent group of people to ensure that there are no time
>bombs after 2000."

>---
>
>'much of this work will be done by contractors'
>'There is a risk that security bombs...'
>
>The cheek of the woman! I hope all contractors and freelancers who are
>currently members of the BCS will be resigning - unless she does first!
>
>----------------------------------------------------
>Paul Perrin /)/+)
>Freelance trading as Immediate Data Limited:-
>http://www.cix.co.uk/~idltd
>----------------------------------------------------
>Admatic - Instant free classified advertising
>Fastest search on the Web! http://www.admatic.com
>----------------------------------------------------
>

Martin Tom Brown
Jan 29, 1997

In article <32ee8ece...@news.cityscape.co.uk>
dx...@cityscape.co.uk "E. Spires" writes:

> Like you, I find it difficult to understand why the BCS should

> apparently profile contract workers as potential criminals ...

Yes - it seems they made a very poor choice of words.
The usual channels from HQ are remarkably silent on this one :(

> I'm not a contract worker myself. However, the younger readers may see
> few alternatives to contract working. Many of these potential new
> recruits to the BCS might feel offended by what they have read.

Existing members weren't all that impressed either.

> Perhaps the public relations ledger should now be balanced.
> Potential new members ought to feel respected and welcomed.

I am all for the BCS speaking out on some of the important issues
which arise in our industry; I think that is very healthy.
The BCS has always taken far too low a profile in the public eye.
It would be nice if the views expressed didn't tend to alienate
potential new members of the society. There are a lot of contractors.

Netrunner
Jan 29, 1997

>>Paul Perrin <Ad...@admatic.com> wrote:
>>
>>>...

>>>...concern was raised by Judith Scott, chief executive and

>>>secretary of the British Computer Society. Logic bombs are software
>>>designed to sabotage users' systems.

I have worked in the IT business for over a decade and studied it at
university before that. Although I understand the concept of logic
bombs and have heard the odd scare story, I have never been anywhere
where one has occurred or met anyone who has experienced such a thing.

>>>"These two IT projects expose more systems to being changed than
>>>at any time in the history of the profession,"

Yes and no. Systems are constantly being updated or replaced. I am
sure that every year the "number of systems being changed" increases.

>>>Scott said. "Because of the volume of work much of this will be done
>>>by contractors and unknown people.

Firstly, businesses have a limited number of staff (permie and
contract) and although IT budgets are generally increasing over time,
the total amount of work being done is increasing at a steady, slow
rate. The majority of businesses I have come across who are facing
Year 2000 work will allocate resources from an existing pool. The
main difference between this project and some others is that this one
has to be completed by a certain date and no slippage beyond that can
be permitted for any reason. In *some* cases this may require an
extra body to do the work.

Secondly, the suggestion that most of the work will be done by any
particular group of people is total conjecture. It is a guess which I
think is very dubious indeed.

Thirdly, any company having "unknown people" working on their system
has a lot more to worry about than timebombs being placed in the code.

>>> Therefore there is a need to consider security.

There is *always* a need to consider security.

>>> There is a risk that security bombs could be placed in software opened
>>>up for legitimate purposes."

Martin Tom Brown asked for confirmation that this would be illegal.
Well of course it is. The difficulty in such cases would be proving
that someone had done it.

The question has to be asked, though, "Why would anyone want to do
this?" If the answer is that the person hates the company then is
this going to be:
(a) the well paid contractor (getting paid by the hour) who is there
for 3-6 months and can leave on perhaps 1 month notice knowing that
another job awaits almost immediately, or
(b) the permie who has been there six years, gets underpaid and
overworked for long hours and hates their boss ???

>>>ps. I posted this the other day with a different subject line, but as
>>> there was no response at all -- I assume no one saw the body of the
>>> message... So I am reposting with a different subject line.

Sorry - busy people - what with all this Y2K work and all :)

---

>Newsmaster <Newsm...@Westfarthing.demon.co.uk> wrote:

>It is true that a large amount of Y2K compliance work will be undertaken
>by contractors, if only because a lot of organisations don't have
>sufficient "spare" permanent employees to do the work. The same is true
>of routine day-to-day maintenance in many companies - only the other
>week, Computer Weekly highlighted the fact that Mercury Communications
>had, until very recently, 70% of its IT staff as contractors. The IS
>Director Uwe Natho's stated aim is to reduce the contractors to 30% of
>total staff. That's still a fairly high number - almost one contractor
>for every two permanent, so even there it is likely that some Y2K work
>will be undertaken by contractors (unless his plan is to put the
>"permies" on the Y2K work, and use the contractors for the routine
>"business as usual" maintenance and enhancements).

Some companies are looking to reduce the number of contractors working
there. Other companies are increasing. My impression generally is
that more and more companies are realising that they need to retain a
core of permanent staff who know the system so that they can support
it after development. These people should preferably have worked on
the development all the way from analysis and design through coding to
system testing. To many, the idea of hiring contract staff is to
increase total staff numbers when in heavy demand, such as during
major developments, and then reduce them afterwards. I have worked
somewhere where they have most of the permies doing the planning,
analysis and project management, and twice that number of contractors
who are doing the coding, testing (and some design).

>Of course there is a risk of logic-bombs being planted, but what right-
>minded contractor with a professional attitude would risk their future
>job (and financial) prospects by doing such a thing in code they have
>been specifically hired to modify? Such bombs could equally (or more!)
>easily be placed by disgruntled "permies" who don't intend to be around
>with their current employers for much longer.

Exactly! I have met, worked with, and even hired, many contractors.
They have come from a wide range of backgrounds and have had a wide
range of attitudes. But generally, they want to come to work, do a
professional job, get paid and go home. I have come across a few who
will not take responsibility for errors in design or coding (whether
done by them or not) in expectation that permanent staff in charge of
the project will do all the proper project lifecycle stuff and check
everything ...

>Don't get me wrong - I'm not trying to trivialise this issue by any
>means, but it must be seen in perspective. Judith did not say that BCS
>and/or ICC members should be avoided - she just seemed to be pointing
>out the obvious (or maybe not so obvious, if they needed to be spelt
>out) dangers that have always been inherent in having "outsiders" modify
>your core business applications.

Code authorisation and audits, system testing and change control are
all the responsibilities of a company regardless of whether the
programmer is permanent or contract.

>Maybe more advice to employers is needed to suggest they be more
>cautious about which contractors they take on for the job - go through
>reputable agencies (who should be able to recognise the "cowboys" out
>there), insist on references, etc.

I agree - I have been a Freelance Software Consultant (i.e. a
Computer Contractor) for a few years and although (of course) I think
that I am very professional, do a good job and should be trusted by
anybody, I do wonder sometimes why a company will offer me an
important job on the basis of my CV and a one hour interview (which is
often taken up more by the interviewer telling me about the job and
the company than me answering questions). An aptitude test can be of
great assistance in weeding out the bluffers, but when it comes down
to it, there are a number of cowboys out there getting regular work.
(And yes, some of them are permie.)

I know this is a long posting - sorry, I'm in a chatty mood tonight.
So I'll sum up.
- There is no increase in the likelihood of logic bombs being placed
in your system than there has been before.
- I have seen no evidence whatsoever that contractors are any more
or less likely to perpetrate this crime than permanent staff.
(Although various research reports have stated that *company staff*
are responsible for anywhere between 40 - 75% of "hacking" of
computer systems.)
- It is wise to do certain code-checking (for numerous reasons)
before changed code is released live.
- It is wise to be careful who one allows to change your system.

I joined BCS about 15 years ago and am now a full member and a
Chartered Engineer. I am also a contractor. As Eric Spires wrote,
let us hope that the comments by Judith Scott were an unfortunate
'slip' of the PR pen.

David Caldwell,
Netrunner Services Limited.
-- The views expressed above are my own and are also the views
of my company.
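
The code-checking the post above recommends before changed code goes live can be made concrete. What follows is an added example, not code from this thread, from any poster, or from any BCS publication: a heuristic scanner that flags every condition comparing a date or clock-like identifier against a hard-coded date literal (the shape a Y2K "time bomb" trigger would take) and marks the finding HIGH when the lines it guards call something destructive. The identifier lists, the five-line window standing in for the guarded block, and the C-like sample source it runs over are all constructed assumptions rather than a real code base.

```python
"""Heuristic scan of source text for date-triggered ("time bomb") logic.

Added example for this thread, not code from any poster or from the BCS.
It flags every condition that compares a date/clock-like identifier with a
hard-coded date literal, then marks the finding HIGH when the lines that
follow call something destructive. DATE_WORDS, DESTRUCTIVE, the window
size and SAMPLE_SOURCE are constructed assumptions, not a real code base.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Identifier fragments that suggest a date or clock is being read (assumed list).
DATE_WORDS = r"(?:date|time|clock|year|today|now|sysdate|julian)"
# A literal that looks like a year 19xx/20xx, optionally followed by MMDD
# with or without separators (2000, 2000-01-01, 20000101).
DATE_LITERAL = r"(?:19|20)\d{2}(?:[-/]?\d{2}[-/]?\d{2})?"
# Relational operators only; a lone '=' is usually assignment in C-like code.
OPS = r"(?:>=|<=|==|>|<)"
# Date-ish identifier compared with a date literal, in either order.
TRIGGER = re.compile(
    rf"(?i)\b\w*{DATE_WORDS}\w*\s*{OPS}\s*(?P<lit>{DATE_LITERAL})\b"
    rf"|\b(?P<lit2>{DATE_LITERAL})\s*{OPS}\s*\w*{DATE_WORDS}\w*\b"
)
# Calls that destroy or disable data or service; date-gated ones get HIGH.
DESTRUCTIVE = re.compile(
    r"(?i)\b(?:delete|remove|unlink|drop|truncate|format|erase|purge|"
    r"shutdown|kill|zero|wipe)\w*"
)


@dataclass
class Finding:
    line_no: int        # 1-based line of the condition
    condition: str      # the line text, stripped
    literal: str        # the date literal it compares against
    destructive: bool   # a destructive call appears in the guarded window

    @property
    def severity(self) -> str:
        return "HIGH" if self.destructive else "REVIEW"


def scan_source(text: str, window: int = 5) -> list[Finding]:
    """Return one Finding per date-compared condition in `text`.

    `window` is how many following lines are treated as the body guarded
    by the condition; a real tool would parse blocks, this one does not.
    """
    lines = text.splitlines()
    findings: list[Finding] = []
    for idx, line in enumerate(lines):
        code = line.split("//")[0]          # drop trailing line comments
        match = TRIGGER.search(code)
        if not match:
            continue
        literal = match.group("lit") or match.group("lit2")
        body = "\n".join(lines[idx + 1: idx + 1 + window])
        findings.append(Finding(idx + 1, line.strip(), literal,
                                bool(DESTRUCTIVE.search(body))))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """One human-readable line per finding, HIGH first."""
    ordered = sorted(findings, key=lambda f: (f.severity != "HIGH", f.line_no))
    return [f"{f.severity:6} line {f.line_no}: {f.condition}  (literal {f.literal})"
            for f in ordered]


# Constructed sample: a legitimate Y2K windowing fix next to a planted bomb.
SAMPLE_SOURCE = """\
/* Y2K conversion of the payroll date routine. Constructed sample. */
int expand_year(int yy) {
    /* legitimate windowing fix: two-digit years below 50 are 20xx */
    if (yy < 50) return 2000 + yy;
    return 1900 + yy;
}

void run_payroll(struct run *r) {
    long today = system_date();   /* YYYYMMDD */
    if (today >= 20000301) {
        /* planted: looks like a cut-over step, actually destroys the ledger */
        purge_table("LEDGER");
        remove_backups();
    }
    if (today >= 20000101) {
        log_info("running with four-digit years");
    }
    post_entries(r);
}
"""

if __name__ == "__main__":
    for line in report(scan_source(SAMPLE_SOURCE)):
        print(line)
```

Run as a script it prints one line per finding. The windowing fix in expand_year is not flagged at all, the planted purge comes out HIGH, and the harmless cut-over check comes out REVIEW rather than clean, because the heuristic can only see what a condition guards, not why it is there. That is the point the thread keeps returning to: a tool narrows the list, but an independent group still has to read the flagged sites.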

Steve Lewis
Jan 30, 1997

In article: <32ee8ece...@news.cityscape.co.uk>
dx...@cityscape.co.uk (E. Spires) writes:

> Like you, I find it difficult to understand why the BCS should

> apparently profile contract workers as potential criminals and/or
> terrorists.

Perhaps the word "contractors" was used in the broader sense of the word
meaning some sort of sub-contracted firm (as in BS5750/ISO9000, etc.)?
For example, a software house or outsource supplier. If so, even more
people in the industry could feel slighted. Andersons, Logica, EDS are
all tarred with the same brush...

In the booklet "The Year 2000 - A practical guide for professionals and
business managers" there is a section on resources. The BCS use slightly
different wording "The BCS advise you to use professionally qualified
staff and business units, by carefully verifying their credentials and
previous experience" and advise controls to BS7799 against fraud or
Trojan horses. It appears to me to refer to a wider cross-section of the
industry than just individual freelancers.

Either way, isn't Judith Scott's original point true for ALL work
undertaken? Isn't that one of the reasons many of us joined the BCS in
the first place? Perhaps there should be a follow-up statement by Scott
stating that BCS members offer the required level of professionalism to
undertake this work? As a CEng, MBCS and member of the BCS
Independent Computer Contractor SIG I feel sure that this apparent
own-goal could be turned into a successful recruitment drive -- Mike
Cullen please note...

> Paul Perrin <Ad...@admatic.com> wrote:
[snip]


>>'much of this work will be done by contractors'
>>'There is a risk that security bombs...'
>>
>>The cheek of the woman! I hope all contractors and freelancers who are
>>currently members of the BCS will be resigning - unless she does
>>first!

--
Steve Lewis CEng MBCS, Smartware Ltd., UK

Bob Milsom
Jan 30, 1997

On Tue, 28 Jan 1997 23:46:29 GMT, dx...@cityscape.co.uk (E. Spires)
wrote:

>Like you, I find it difficult to understand why the BCS should
>apparently profile contract workers as potential criminals and/or
>terrorists.
>

>Let's hope that this was merely an unfortunate 'slip' of the public
>relations pen, and not a glimpse of an emerging policy.
>

>I'm not a contract worker myself. However, the younger readers may see
>few alternatives to contract working. Many of these potential new
>recruits to the BCS might feel offended by what they have read.

>Perhaps the public relations ledger should now be balanced.
>Potential new members ought to feel respected and welcomed.
>
>

>Eric
>
I must confess to having been on the brink of transferring over to the
BCS from the IEE.

It does seem, however, that the BCS does still have a problem to
resolve in terms of its own professionalism. (Remember the old
"British Computer Club" jibe?)

I think I'll shelve the decision for another few years, and see how
things turn out...

Adrian Wontroba
Feb 7, 1997

According to Bob Milsom <rmi...@snip-to-reply.enterprise.net>:

>On Fri, 24 Jan 97 10:00:09 GMT, Mar...@nezumi.demon.co.uk (Martin Tom
>Brown) wrote:
>Martin, I'm in rough agreement with everything on this thread so far;
>what about the other two people who follow the newsgroup? :-)

I too am in general agreement with the previously expressed views,
especially:

Annoyance at being classified as a likely cowboy by my
professional body.

The importance of the security aspects of any change, by
anybody, to a system.
--
Adrian Wontroba, Stade Computers Limited. phone: (+44) 121 373 9546
Mail in...@accu.org for information about the Association of C and C++ Users
or see <http://bach.cis.temple.edu/accu>

Martin Tom Brown
Feb 23, 1997

In article <330DD3...@dla.prestel.co.uk>
David....@dla.prestel.co.uk "David Leslie" writes:

> So I'm quite certain they happen, but I agree with all the comments about
> disgruntled employees being just as likely perpetrators.
>
> I was disappointed when I first read the report on Judith Scott's
> remarks, and expected a correction or explanation from BCS. It's been a
> while coming (BCS HQ - why not contribute to this Newsgroup at least on
> matters of fact?), but read Mike Cullen's column on p27 of the 14 Feb
> issue of VNU's 'Computer Contractor' publication.

For those of us who don't get Computer Contractor would you care to
elaborate further? I find it lamentable that no official comment
or disclaimer on this issue has been made here by BCS HQ.
