Y2K-compliant products suddenly non-compliant

Less than 80 days before year 2000, a striking number of software and hardware products once deemed Y2K-compliant are showing new vulnerabilities to the millennium bug.

The compliance reversals are forcing IT executives to repeat remediation work that had been considered complete, and the reversals underscore the insidious nature of the Y2K bug. They have come in products from well-known companies such as 3Com, Compaq, Computer Associates, IBM, Novell, Microsoft and RSA Data Security. The flip-flops have been so frequent for Microsoft’s Windows NT 4.0, for example, that some users are putting off NT remediation for as long as they can rather than risk doing the work multiple times.

In the most recent report on an ongoing tracking survey released last week by Y2K compliance vendor Infoliant, two-thirds of 246 recorded Y2K compliance changes were negative, meaning they went from “compliant” to “action required,” “vendor will not test,” “pending evaluation,” or “non-compliant.” In August, only 40 per cent of the reported changes were negative. The survey is one in a series of monthly audits the Pittsburgh, Pa. company is conducting on its Y2K compliance database of 42,000 products.

“The results don’t surprise me, we’ve been dealing with this throughout our entire program,” says Irene Dec, worldwide Y2K program manager for Prudential Insurance in Newark, N.J. “Every time we hear about these changes it means we have to go back and validate our testing. It proves you can’t close up shop on Y2K compliance.”

Prudential certainly plans to keep its eyes open. On Dec. 1, the company will open a Year 2000 Global Control Center to monitor Y2K compliance for systems in more than 800 company facilities. The centre will continue monitoring until March 1 and then conduct quality reviews on systems until 2001.

While IT executives anticipated last-minute compliance reversals, the rate at which they are occurring has been a surprise, according to Kevin Weaver, Infoliant executive vice president. Weaver did caution that the new bugs were not causes of catastrophic failures, but rather problems in individual components of products.

“It’s not one bug and a complete system failure,” he says. “It’s more like getting eaten alive by little ants.”

A search of Infoliant’s public database showed a slew of status changes last month, including Novell’s GroupWise 5.5 and NetWare 4.2, and 3Com’s Transcend Enterprise Manager 6.1, all of which moved from compliant to action required. The action required classification typically means that end users must install a patch. Also in that category were CA’s TopSecret VSE for mainframe authentication and security; a host of Compaq Armada laptops; and RSA’s ACM/100, 400 and 1600 authentication servers. The RSA status change included the startling acknowledgement that the ACM servers will not work after Nov. 10, 2001.

Weaver says the 246 status changes recorded for September don’t include hundreds of smaller revisions each month to previous compliance disclosures, such as revised versions of already released patches that don’t classify as status changes. Infoliant’s most recent audits have IBM, Sun, Technologic and Wall Data among the companies in this revision category.

“Enterprises say they are done with compliance testing, but they are not done,” says Andy Bochman, an analyst with Aberdeen Group in Boston. “This is not an alarmist situation, but they need to keep combing through stuff because it pays to be vigilant to the end.”

Vigilance has its price, however, as corporate Y2K teams scramble to fix what they thought was no longer broken.

“Some of the systems we had to go back to were a real pain, but luckily the problem has affected less than 10 per cent of our efforts,” says Steven Beasley, network analyst for St. Vincent Hospital in Birmingham, Ala.

Beasley says status changes with NT 4.0 have been a headache. Microsoft has issued Service Packs 3, 4 and 5 that address Y2K issues, and No. 6 is on the way. The pain for Beasley is not only installing the software, but also making sure his applications adhere to the changes and retain Y2K compliance.

“We’ve said Service Pack 4 is it and are doing testing,” Beasley says. “We’re asking our application vendors to be Service Pack 4-compliant.”

Some are not even applying the patches, instead waiting until the last minute hoping for the final answer.

“We’re waiting until next month to start work on NT with the hope that we’ll have the last of the fixes,” says Chas Snyder, head of Y2K projects at Levi Strauss in San Francisco. “We hope to update NT once,” although they are prepared for a repeat in December, he says.

But Snyder, who has completed work on nearly 100 per cent of his systems, is not concerned about all the late changes.

“The bulge in the amount of changes speaks to the amount of testing that is going on now, not the quality of the software,” he says.

But others are concerned.

“This issue wasn’t totally unexpected, but we’ve been working on compliance for 18 months, and you have to wonder about these 11th-hour patches,” says one network manager who requested anonymity. “It begs some questions. Are the new patches shoddy? What level of testing has really been done up until now?”

Regardless of the questions, the fact remains that Y2K compliance is a moving target.

“The thing we hear the most from corporate users is about ‘clean management,’ which means locking down the IT infrastructure and trying to ride out Y2K,” Infoliant’s Weaver says. “That’s OK, but when you have the situation we’re seeing with all the revisions, it’s like pulling the rug out from under these people.”