
Cash registers in Poland fail due to new year bug (PL) - Donmario
https://translate.google.pl/translate?sl=pl&tl=en&u=https%3A%2F%2Fwww.spidersweb.pl%2F2020%2F01%2Fawaria-kas-fiskalnych-delio.html
======
nippoo
I wouldn't be surprised if something along the lines of `split("20")` or
`replace("20", "")` was the culprit somewhere (to turn it into a 2-digit
year). I've seen the most absurd date handling code...

~~~
hn_throwaway_99
Yeah, and I could imagine some developer fixing a Y2K bug in the late 90s
thinking, "Hmm, this may cause a problem in 2020, good thing I'll be long gone
by then."

~~~
acqq
And that proves that the Y2K problem was real: even in 2020 some companies
that had only these printers apparently simply can't do their business until
the repair of the printers is made.

------
foobarian
On the topic of dates broken around New Year's, there is this perennial
favorite:

[http://dangoldin.com/2019/01/06/javas-simpledateformat-yyyy-...](http://dangoldin.com/2019/01/06/javas-simpledateformat-yyyy-vs-yyyy/)

------
astura
So far I've heard of the following fail due to some sort of 2020 bug:

Parking meters: [https://www.nytimes.com/2020/01/03/nyregion/nyc-parking-mete...](https://www.nytimes.com/2020/01/03/nyregion/nyc-parking-meters.html)

Video games: [https://www.dsogaming.com/news/star-wars-jedi-fallen-order-w...](https://www.dsogaming.com/news/star-wars-jedi-fallen-order-wwe-2k20-and-other-games-are-not-launching-due-to-a-denuvo-2020-bug/)

Now cash registers.

Anything else?

~~~
gglnx
Trains in Hamburg: [https://www.ndr.de/nachrichten/hamburg/Software-Fehler-legt-...](https://www.ndr.de/nachrichten/hamburg/Software-Fehler-legt-U-Bahnen-lahm,hochbahn578.html)

------
jaredwiener
Similar issue in NYC with parking meters:
[https://www.nytimes.com/2020/01/03/nyregion/nyc-parking-mete...](https://www.nytimes.com/2020/01/03/nyregion/nyc-parking-meters.html)

~~~
throwawayjava
The official explanation from the vendor is that this was an "anti-fraud
security setting".

Can anyone familiar with CC processing provide insight on whether that's a
reasonable explanation?

Regardless, a problem that requires a "software fix" from the vendor and
manual visitations to each individual machine doesn't sound like a mere
"setting".

~~~
CydeWeys
I assume the meters are network-connected because they take credit cards, but
they can't be remotely updated? Seems like an obvious omission.

~~~
leereeves
Or a deliberate security measure. Embedded devices often use Harvard
architecture, with separate memory for code and data, so not allowing remote
updates makes remote code execution impossible.

~~~
Cyph0n
Sure, but there are at least two other options that are essentially as secure,
assuming the “remote attack” threat model:

1. Allow customers to download updates and flash over USB.

2. Boot device into a limited mode that allows signed updates. Certificate
should be stored in secure memory.

~~~
ethbro
I don't deal with PCI personally, so $0.02, but we're talking retail or
unattended devices here.

I.e. low wage, minimal training, not technically proficient users with
unsupervised physical access to the machine.

A machine through which a large amount of cash (virtual or otherwise) flows.

The criteria of (a) being updatable by a semi-technical customer & (b) being
secure against technically malicious or socially engineered ignorance attacks
seem challenging to simultaneously satisfy.

------
acqq
Apparently it's a "bug in the software of popular Delio cash printers from
Novitus". The product page of the printer mentioned is:

[https://www.novitus.pl/en/produkty/systemy-fiskalne/delio-pr...](https://www.novitus.pl/en/produkty/systemy-fiskalne/delio-prime-e.html)

It can be seen that the printer already existed in 2009 and then got something
("Polish Promotional Emblem" according to Google Translate)
[https://www.novitus.pl/sites/default/files/certyfikaty_tp_55...](https://www.novitus.pl/sites/default/files/certyfikaty_tp_550.jpg)

Even if it's only one model, if the companies have only that _one_ model of
printers they won't be able to sell anything until the printers are serviced.

Effectively, having such a bug in software, even in multiple units of the same
model translates to a single point of failure for the company using it.

------
ethbro
I would love to hear what bizarre encoding they used that resulted in 2020
being an issue.

(I'm assuming these machines aren't all < year old and just break on any new
year)

~~~
skymt
2020 was a common pivot year used in the "windowing" workaround to the Y2K
bug. 2-digit years < 20 are defined as 20XX, while years >= 20 are defined as
19XX.

[https://en.wikipedia.org/wiki/Date_windowing](https://en.wikipedia.org/wiki/Date_windowing)
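
The fixed-pivot windowing described in the comment above, as an added example that is not part of the thread and not the cash register vendor's code (the thread does not confirm the actual cause): it shows the expanded year jumping from 2019 to 1920 across the New Year's rollover. It goes beyond the comment by setting a sliding window beside it for comparison; the function names and the 20-year `future_span` are assumptions.

```python
from datetime import date

PIVOT = 20  # fixed pivot from the comment above: yy < 20 -> 20yy, yy >= 20 -> 19yy


def expand_fixed(yy: int, pivot: int = PIVOT) -> int:
    """Fixed-window expansion of a 2-digit year."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return 2000 + yy if yy < pivot else 1900 + yy


def expand_sliding(yy: int, today: date, future_span: int = 20) -> int:
    """Sliding window (assumed alternative): choose the century that puts the
    year inside [today.year - (99 - future_span), today.year + future_span]."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    latest = today.year + future_span
    candidate = latest - latest % 100 + yy  # century of the window's upper bound
    if candidate > latest:
        candidate -= 100                    # too far ahead: use the previous century
    return candidate


def rollover_report(last_day: date, next_day: date):
    """Expand the stored 2-digit year on both sides of a rollover."""
    rows = []
    for d in (last_day, next_day):
        yy = d.year % 100  # what a device storing only two digits keeps
        rows.append((d.isoformat(), expand_fixed(yy), expand_sliding(yy, d)))
    return rows


if __name__ == "__main__":
    # Constructed sample dates around the rollover discussed in the thread.
    for stored, fixed, sliding in rollover_report(date(2019, 12, 31), date(2020, 1, 1)):
        print(f"{stored}: fixed pivot -> {fixed}, sliding window -> {sliding}")
```

The sliding window only moves the ambiguity: it still depends on a trustworthy clock and still cannot represent dates more than a century apart, so storing the full four-digit year remains the durable fix.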

~~~
jeewes
Thanks for sharing.

Y2K used to be just an interesting story from the past. Never guessed that it
would still be biting people 20 years later. Ouch...

