What Y2K Can Teach Us About Dealing With Heartbleed

What Y2K Can Teach Us About Dealing With Heartbleed

Take a moment to jump back in your mental time machine to 31 December 1999. It was the biggest New Year’s Eve for a thousand years. The dawn of a new millennium. But as we prepared to party, the world was also gripped by the fear that digital infrastructure was about to come crashing down around us.

Picture: Drinks Machine

For all we knew, the millennium bug would hit at midnight, causing untold havoc on the computers upon which we had come to depend. Those of us old enough to remember may have felt a similar sense of dread over the past few weeks as we faced the implications of the Heartbleed security flaw.

We were caught in the hype in 1999 and let others dictate what we needed to do. That left us vulnerable to people who wanted to take advantage. We should learn our lesson from that time as we deal with Heartbleed and as we approach the next big security glitch.

The apocalypse that wasn’t

The millennium bug, also known as the Y2K bug, was a real issue, a throwback to historical programming from the 1960s and 1970s.

For many years, operating systems, hardware, software and many other devices made their calculations using a two-digit date. The switch from 99 to 00 as the millennium came to an end meant that some systems, such as those used by your bank, would be thrown into immediate chaos. They wouldn’t know if it was 1900 or 2000.

The story went that many critical systems, including air traffic control, security control systems and financial systems all used date and time to assist humanity in completing their automated tasks. If they were confused about the date, human safety and security could have been on the line.

The millennium bug came with considerable hype and scaremongering in the press. Some outlets discussed the potential for planes to simply fall out the sky. Whether you were around in 1999 or not, you probably know that this didn’t actually happen in the end.

But even though much of the hype was unwarranted, the millennium bug was a realistic concern. By 1999, the internet was popular across the world, even if it wasn’t the backbone of our very existence. Home computers were becoming a standard feature and many societies had become dependent on computer technology to support everyday experiences. Online shopping had already begun and many of us were already printing out tickets for economy airlines.

Cynics would say that some IT experts profited from Y2K, making a killing from the fear, hype and misunderstanding that surrounded it by selling advice and software to protect against the worst.

While Y2K didn’t cause total societal meltdown. There were still some problems. Some cash machines and card readers failed, for example, and were out of action for around two days. But many of the big issues it might have caused were addressed in advance of New Year’s Eve.

Learning the lesson

Considering the current media coverage of Heartbleed, you could be forgiven for thinking that we have not learnt from history.

Just as in 1999, the general public was heavily implicated. Up to 60% of websites were vulnerable to the Heartbleed security flaw, but users of those sites were left with mixed messages. Should they change their passwords? Was their bank, social network or email under threat? Would they be robbed? Would their identity be stolen? Is it the end of the internet as we know it?

As the media spread panic, people all over the world struggled to keep up. But now that we know we should probably change our passwords to be on the safe side, how many people have actually done it? Probably only a tiny fraction. Still, the internet has not crumbled. A security meltdown has not yet been reported.

For both Heartbleed and the Millennium Bug, the problem was real, issues have occurred for both. But with intervention from technical experts, the issues were both eventually resolved. While Heartbleed may linger for a little while longer. I doubt the Millennium Bug remains an issue.

Hopefully, Heartbleed has taught us all to be a bit more careful about our passwords and it should serve to prove that panic helps no one. On the other hand, the disasters averted in 1999 and 2014 should guide us as we start to look to 2038 – the year when the next big bug could hit our systems.

But maybe you should start thinking about 2038. This is the next date that could confuse our computers. It is a while yet before anyone should be concerned but it is still a mathematically likely issue.

In all technology reports, when you start seeing every expert saying different things, it can be difficult to know how to act. That is because collectively we do not yet know the the extent of the problem. So, the best thing, is to stay calm, wait, and make an informed decision rather than react to the first piece of advice that comes your way.The Conversation

Andrew Smith is Lecturer in Networking at The Open University. He does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.

This article was originally published on The Conversation. Read the original article.


  • Heartbleed should not be conflated with Y2K. They are unrelated in every single way.

    Y2K was known about in advance and a lot of hard work by professionals allowed many disasters to be identified and repaired.

    Heartbleed was unexpected and was secretly in place for a few years. You have no way of knowing what was covertly taken.

    The saving grace with Heartbleed is that the offending TLS heartbeat commit by Dr Spegglemann (on a New Years Eve when nobody was looking to implement his own rubber stamped and rushed through specification) is looking to be one that only a small subset of people knew of and exploited.

    This small subset of people are not expected to perform criminal acts using your facebook photos and it’s probably they don’t care about your IM conversations with your mistress or even your bank details.

    The impact is simple: You must now assume that you have no secrets remaining. You must audit your information and decide what needs to be protected again, then you need to reprotect it.

    All the talk of password changes is just something that we do at every single chance, each and every time we have the press gaze. Teaching people that you should not use the same password at each site, that you should rotate them – all that stuff – is basic security drill unrelated to this issue.

  • looks to me as if you were reading a different article, the discussion is about the panic, which 14+ years ago there was … with considerable hype and misinformation; sadly something that is happening here as well, whilst the problem is different, sadly for old windbags like me, my feeling is that this author has spotted the similarity in the media response …

Log in to comment on this story!