List of Archived Posts

2008 Newsgroup Postings (10/24 - 11/15)

How much do those small credit card terminals cost per month?
My Funniest or Most Memorable Moment at IBM
Keeping private information private
Blinkenlights
Strings story
Privacy, Identity theft, account fraud
SECURITY and BUSINESS CONTINUITY ..... Where they fit in?
Dealing with the new MA ID protection law
Global Melt Down
Do you believe a global financial regulation is possible?
Strings story
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Discussions areas, private message silos, and how far we've come since 199x
"Telecommunications" from '85
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Blinkenlights
Open Source, Unbundling, and Future System
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Donald Knuth stops paying for errata
Would you say high tech authentication gizmo's are a waste of time/money/effort?
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Your views on the increase in phishing crimes such as the recent problem French president Sarkozy faces
Why not build a shared services infrastructure to support the banking sector?
How do group members think the US payments business will evolve over the next 3 years?
What is the biggest IT myth of all time?
Father Of Financial Dataprocessing
Can Smart Cards Reduce Payments Fraud and Identity Theft?
How were you using the internet 10 years ago and how does that differ from how you use it today?
Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technologies?
FC5 Special Workshop CFP: Emerging trends in Online Banking and Electronic Payments
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Making tea
How can I tell if a keylogger got added to my PC while I was in Beijing?
Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technologies?
Making tea
Making tea
How do group members think the US payments business will evolve over the next 3 years?
Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technologies?
Opsystems
Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technologies?
Password Rules
Barbless
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Near-perfection achieved by solar absorber
Would you say high tech authentication gizmo's are a waste of time/money/effort?
In Modeling Risk, the Human Factor Was Left Out
How much knowledge should a software architect have regarding software security?
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Barbless
Barbless
Serial vs. Parallel
Query: Mainframers look forward and back
Barbless
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Barbless
What happened in security over the last 10 years?
Do soft certificates provide two factor authentication?
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Did sub-prime cause the financial mess we are in?
Serial vs. Parallel
Barbless
Shedding light on solar cell technology
Do you feel secure with your bank's online banking service?
Barbless
Happy 30th Birthday!
Web Security hasn't moved since 1995
"The Register" article on HP replacing z
ATM PIN through phone or Internet. Is it secure? Is it allowed by PCI-DSS?, Visa, MC, etc.?
Is there any technology that we are severely lacking in the Financial industry?
Password Rules
Alternative credit card network
History of preprocessing (Burroughs ALGOL)
2008 Data Breaches: 30 Million and Counting
Alternative credit card network
Multi-Factor Authentication - Moving Beyond Passwords for Security of Online Transactions
Tell me why the taxpayer should be saving GM and Chrysler (and Ford) managers & shareholders at this stage of the game?
Web Security hasn't moved since 1995
PIN entry on digital signatures + extra token
Making tea
How to Plan a High Value Sales Campaign Using Military Principles
Tell me why the taxpayer should be saving GM and Chrysler (and Ford) managers & shareholders at this stage of the game?
Residual Risk Methodology for Single Factor Authentication

How much do those small credit card terminals cost per month?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: How much do those small credit card terminals cost per month?
Date: October 24, 2008
Blog: Payment Systems Network

may be able to get one for free from these guys:

Chip and pin scam 'has netted millions from British shoppers'
http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html

Credit card scam: How it works
http://www.telegraph.co.uk/news/worldnews/asia/pakistan/3173161/Credit-card-scam-How-it-works.html

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

My Funniest or Most Memorable Moment at IBM

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: My Funniest or Most Memorable Moment at IBM
Date: October 25, 2008
Blog: Greater IBM

We were riding up an elevator in a large HK bank building for a marketing
pitch on our HA/CMP product ... some old posts
http://www.garlic.com/~lynn/subtopic.html#hacmp

and a young SE in the back of the elevator asked if I was the
"wheeler" of the wheeler scheduler.  I said I guess so and he said
that they had studied me at the univ. of waterloo. I asked if they
taught the joke in the wheeler scheduler?

We eventually found time to discuss it a little further. I explained
that as undergraduate in the 60s, I had done a lot of work on dynamic
adaptive resource management ... and that a lot of my work as
undergraduate in the 60s, shipped in the cp67 virtual machine system.

In the morph from cp67 to vm370, there was a lot of simplification and
much of my work from undergraduate days was dropped. However, I
continued my work all through the future system days, even migrating
to vm370 ... some old email references:
http://www.garlic.com/~lynn/2006v.html#email731212
http://www.garlic.com/~lynn/2006w.html#email750102
http://www.garlic.com/~lynn/2006w.html#email750430

In the aftermath of future system project failure, some past posts:
http://www.garlic.com/~lynn/submain.html#futuresys

there was mad rush to get stuff back into the 370 hardware & software
product pipeline ... which contributed to decision to release a lot of
my 370 work ... including what customers had come to call wheeler
scheduler.

During some product review, some corporate technical expert claimed
that there was a deficiency, it lacked sufficient "tuning knobs"
... which was the latest state of the art and found in all the major
premier systems (nearly a decade after the dynamic adaptive work I had
done as undergraduate).  I tried to explain about "dynamic adaptive"
... but it fell on deaf ears. So I had to add some "tuning knobs"
controlled by a new command I called "SRM". Eventually, the resource
manager was shipped to customers with full source and a manual
describing the formulas involved in the resource management
calculations (including the "tuning knobs").

What it didn't mention in the document, but was clearly visible in the
code was "degrees of freedom" (basis of the joke) i.e. the dynamic
adaptive code (aka "self tuning" by any other name) had more degrees
of freedom than the "tuning knobs" (aka the dynamic adaptive code
could pretty much compensate for any tuning knob setting).

The dynamic adaptive code was implemented in a module named with the
usual component 3-letter prefix convention ... followed by STP (from
a motto in popular TV commercial in the 60s).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Keeping private information private

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Keeping private information private
Date: October 25, 2008
Blog: Greater IBM

Financial Privacy

One of the things I worked on in the X9 financial standard group was
co-author of X9.99 financial privacy standard. Part of it was spending
a lot of time trying to reconcile GLBA and HIPAA provisions ... as
well as take into account EU-DPD.

We had also been involved tangentially in Ca. state breach
notification legislation. Some of the parties involved had done
extensive consumer surveys on privacy. They found the most important
consumer privacy issue was identity theft. A major component of
identity theft is account fraud (fraudulent financial transactions
against existing accounts) as a result of information leakage from
breaches. This aspect was getting little or no attention, so it seemed
there was some hope that the publicity associated from breach
notification would start to prompt corrective action.

In the mid-90s, we had also participated in the X9A10 working group on
the X9.59 financial transaction standard ... some past posts
http://www.garlic.com/~lynn/x959.html#x959

The x9.59 standard didn't do anything directly about addressing such
breaches; however it slightly tweaked the paradigm so the information
from such breaches was no longer useful for performing fraudulent
transactions (did nothing to prevent breaches, but eliminated the
threat of the fraudulent transactions that resulted from breaches).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Blinkenlights

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Blinkenlights
Newsgroups: alt.folklore.computers
Date: Sat, 25 Oct 2008 11:28:26 -0400

Anne & Lynn Wheeler <lynn@garlic.com> writes:

Poor Performance of Credit Rating Agencies
http://accounting.smartpros.com/x60011.xml

from above:

December 2007 Soon after Merrill Lynch disclosed its $8.4 billion
write-down because of problems with collateralized debt obligations
(CDOs) and other financial instruments relating to subprime mortgages,
the credit rating agencies started downgrading the securities. But, this
is like the proverbial soldier who watches a raging battle from afar;
when the war is over, he proceeds to bayonet the wounded.

... snip ...

the above article makes a point that rating agencies were paid quite a
bit of money for giving triple-A ratings to the toxic CDOs ... also
drawing a parallel with how it took quite a while for the ENRON downgrade.

re:
http://www.garlic.com/~lynn/2008o.html#68 Blinkenlights

the congressional hearings into the credit rating agencies this week are
severely lambasting the triple-A ratings given to the toxic CDOs
... including one person's testimony that many such ratings met the
standard accepted definition for "fraud".

some recent related postings:
http://www.garlic.com/~lynn/2008o.html#78 Who murdered the financial system?
http://www.garlic.com/~lynn/2008o.html#80 Can we blame one person for the financial meltdown?
http://www.garlic.com/~lynn/2008o.html#81 How security audits, vulnerability assessments and penetration tests differ?
http://www.garlic.com/~lynn/2008o.html#82 Greenspan testimony and securization
http://www.garlic.com/~lynn/2008o.html#83 Chip-and-pin card reader supply-chain subversion 'has netted millions from British shoppers'

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Strings story

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Strings story
Newsgroups: alt.folklore.computers
Date: Sat, 25 Oct 2008 12:01:21 -0400

joke embedded in the code, but not involving a character string ...

We were riding up an elevator in a large HK bank building for a marketing
pitch on our HA/CMP product ... some old posts
http://www.garlic.com/~lynn/subtopic.html#hacmp

and a young SE in the back of the elevator asked if I was the
"wheeler" of the wheeler scheduler.  I said I guess so and he said
that they had studied me at the univ. of waterloo. I asked if they
taught the joke in the wheeler scheduler?

We eventually found time to discuss it a little further. I explained
that as undergraduate in the 60s, I had done a lot of work on dynamic
adaptive resource management ... and that a lot of my work as
undergraduate in the 60s, shipped in the cp67 virtual machine system.

In the morph from cp67 to vm370, there was a lot of simplification and
much of my work from undergraduate days was dropped. However, I
continued my work all through the future system days, even migrating to
vm370 ... some old email references:
http://www.garlic.com/~lynn/2006v.html#email731212
http://www.garlic.com/~lynn/2006w.html#email750102
http://www.garlic.com/~lynn/2006w.html#email750430

In the aftermath of future system project failure, some past posts:
http://www.garlic.com/~lynn/submain.html#futuresys

there was mad rush to get stuff back into the 370 hardware & software
product pipeline ... which contributed to decision to release a lot of
my 370 work ... including what customers had come to call wheeler
scheduler (leftover from those that had run cp67)

During some product review, some corporate technical expert claimed
that there was a deficiency, it lacked sufficient "tuning knobs"
... which was the latest state of the art and found in all the major
premier systems (nearly a decade after the dynamic adaptive work I had
done as undergraduate).  I tried to explain about "dynamic adaptive"
... but it fell on deaf ears. So I had to add some "tuning knobs"
controlled by a new command I called "SRM". Eventually, the resource
manager was shipped to customers with full source and a manual
describing the formulas involved in the resource management
calculations (including the "tuning knobs").

What it didn't mention in the document, but was clearly visible in the
code was "degrees of freedom" (basis of the joke) i.e. the dynamic
adaptive code (aka "self tuning" by any other name) had more degrees
of freedom than the (manual) "tuning knobs" (aka the dynamic adaptive
code could pretty much compensate for any tuning knob setting).

The dynamic adaptive code was implemented in a module named with the
usual component 3-letter prefix convention ... followed by STP (from
a motto in popular TV commercial in the 60s).

recent post (also) mentioning Open Source, Unbundling, and Future System
http://www.garlic.com/~lynn/2008o.html#66 Open Source, Unbundling, and Future System

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Privacy, Identity theft, account fraud

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Privacy, Identity theft, account fraud
Date: October 25, 2008
Blog: Financial Crime Risk, Fraud and Security

We had been tangentially involved with the cal state breach
notification legislation. Some of the parties involved, had done
detailed consumer surveys about privacy. The number one consumer
privacy issue was identity theft ... a major component is "account
fraud" (fraudulent financial transactions against existing accounts)
resulting from the information leakage in breaches. There was little
or no attention being paid to such breaches, so it seemed that there
was some hope with the publicity from the notifications, it would
start to prompt corrective action. I was also involved as co-author
of the x9.99 financial privacy standard, which required paying
attention to GLBA and HIPAA as well as taking into account EU-DPD

one of the big problems in much of the current retail transaction
environment is that knowledge of the account number is sufficient for
fraudulent transactions

I've mentioned before work in x9a10 financial standard working group
which in the mid-90s, had been given the requirement to preserve the
integrity of the financial infrastructure for ALL retail
payments. This is ALL retail, as in ALL credit, debit,
stored-value, check, ACH, etc; as in ALL POS, internet, unattended,
face-to-face, mobile, transit, contract, contactless, etc; and as in
ALL low-value, medium-value, high-value, etc.

Part of this involved detailed, end-to-end threat and vulnerability
studies of the environments ... which eventually resulted in x9.59
financial transaction standard
http://www.garlic.com/~lynn/x959.html#x959

Along the way, we even wrote a couple paragraphs for early drafts of
what, at the time, was called SWIFT-2.

We also talked to FEDWIRE. Turns out that FEDWIRE had 100 percent
availability for several yrs and attributed it primarily to:

• IMS hot-standby
• automated operator

they were aware that long ago and far away, my wife had been conned
into going to POK to be in charge of loosely-coupled architecture
where she created peer-coupled shared data architecture
http://www.garlic.com/~lynn/submain.html#shareddata

which, except for IMS hot-standby (at the time), didn't see a lot of
uptake until sysplex.

In much of the current infrastructure, knowing the account number is
sufficient for a crook to perform a fraudulent transaction. We've
tried using a number of metaphors to describe the current
infrastructure (fixed by x9.59):
dual-use vulnerability metaphor

account number is required in a large number of different business
processes and is required to be readily available. at the same time
the account number has to be kept strictly confidential and never
divulged to anybody (not even those needing it for business processes,
since insiders have repeatedly been shown to be the major source of
identity theft). we've claimed that even if the planet was buried
under miles of information hiding encryption, that it wouldn't be
sufficient to prevent information leakage.
security proportional to risk metaphor

to the merchant, knowledge of the account number is worth some percent
of the profit off the transaction; that same knowledge for the crook,
is worth the account balance/credit-limit. as a result, the crook may
be able to outspend by a factor of 100 times attacking the system (as
the merchant can afford to spend protecting/defending the system).
naked transaction metaphor

lots of archived "naked transaction metaphor" blog activity & posts
http://www.garlic.com/~lynn/subintegrity.html#payments

prior to being involved in the x9a10 financial standard working group
in the mid-90s, we had been called in to consult with a small
client/server startup that wanted to do payment transactions on their
server; they had this technology called SSL they had invented and they
wanted to use it for payment transactions.

part of that effort involved something called payment gateway (which
included various compensating procedures due to lack of various
business critical features in the internet) ... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

and the effort is now frequently referred to as electronic commerce.

Now the major use of SSL in the world today is to hide the details of
financial transactions while being transmitted thru the internet; as
countermeasure to crooks eavesdropping and being able to use the
information for fraudulent transactions (similar to the data breach
threat). However, since x9.59 eliminates that threat ... it would also
eliminate the major use of SSL in the world today.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

SECURITY and BUSINESS CONTINUITY ..... Where they fit in?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: SECURITY and BUSINESS CONTINUITY ..... Where they fit in?
Date: October 25, 2008
Blog: Facilities Management

We were responsible for the HA/CMP product
http://www.garlic.com/~lynn/subtopic.html#hacmp

and spent quite a bit of time looking at continuous availability
issues ... even coining the terms disaster survivability and
geographic survivability as part of differentiating from
disaster/recovery ... some past posts
http://www.garlic.com/~lynn/submain.html#available

When coming at the problem from the standpoint of "availability"
products ... we viewed security threats/violations as an issue that
could affect the integrity and availability of the system. This was
further reinforced by having to deal with correct database operation
... both in a local scalable, cluster environment as well in
geographically distributed environment ... where the paradigm
acronym is "ACID"

• Atomicity
• Consistency
• Isolation
• Durability

for other topic drift ... misc. past related to original
relational/sql:
http://www.garlic.com/~lynn/submain.html#systemr

We were also called in to consult with small client/server startup
that wanted to do payment transactions on their server (the startup
had invented this thing they called SSL which they wanted to use as
part of the implementation). Two people at the startup responsible for
what they called the "commerce" server ... we had previously worked
with on scalable high availability databases ... minor reference in
this post
http://www.garlic.com/~lynn/95.html#13

Part of that effort was something called a payment gateway ... some
past posts here
http://www.garlic.com/~lynn/subnetwork.html#gateway

and it is now frequently referred to as electronic commerce. While
some amount of the electronic commerce involved databases ... we also
had to look at how the deployment on the internet introduced new
failure mode issues (including various kinds of security threats and
attacks requiring new countermeasures).

When looking at it from a "security" orientation there is the security
acronym PAIN:

• Privacy (or sometimes CAIN & confidentiality)
• Authentication
• Integrity
• Non-repudiation

One of the footnotes was that in the early 80s, there was quite a bit
of attention regarding countermeasures for insider threats. The coming
of the Internet refocused a lot of attention on external attacks and
vulnerabilities ... even though the majority of the exploits have
continued to involve insiders.

One of the studies done during our HA/CMP days was that half of
companies that suffered an unbacked-up disk failure involving critical
corporate data (lot of small to medium sized businesses where the data
was likely to include customer billing and account receivables)
declared bankruptcy within the first 30 days of the failure (loss of
critical business operational data, but also could significantly
impact cash flow).

From a data breach standpoint ... we were tangentially involved in
Ca. state breach notification legislation ... discussed in more detail
in this recent post on "Privacy, Identity theft, account fraud"
http://www.garlic.com/~lynn/2008p.html#5 Privacy, Identity theft, account fraud

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Dealing with the new MA ID protection law

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Dealing with the new MA ID protection law
Date: October 25, 2008
Blog: Government Policy

We had been tangentially involved with the cal state breach
notification legislation. Some of the parties involved, had done
detailed consumer surveys about privacy. The number one consumer
privacy issue was identity theft ... a major component is "account
fraud" (fraudulent financial transactions against existing accounts)
resulting from the information leakage in breaches. There was little
or no attention being paid to such breaches, so it seemed that there
was some hope with the publicity from the notifications, it would
start to prompt corrective action. Since the cal. breach notification
legislation, many other states have passed similar legislation. There
have also been two classes of "federal" notification bills proposed
over the past couple yrs (those that are similar to the
cal. legislation and those that would essentially pre-empt state
legislation and eliminate most notification requirements).

I was also involved as co-author of the x9.99 financial privacy
standard, which required paying attention to GLBA and HIPAA as well as
taking into account EU-DPD

After having worked with small client/server startup that wanted to do
payments on their server (they had this technology called SSL and the
implementation is now frequently called electronic commerce) we were
invited to be part of the x9a10 financial standard working group which
in the mid-90s, had been given the requirement to preserve the
integrity of the financial infrastructure for ALL retail
payments. This is ALL retail, as in ALL credit, debit,
stored-value, check, ACH, etc; as in ALL POS, internet, unattended,
face-to-face, mobile, transit, contract, contactless, etc; and as in
ALL low-value, medium-value, high-value, etc.

Part of this involved detailed, end-to-end threat and vulnerability
studies of the environments ... which eventually resulted in x9.59
financial transaction standard
http://www.garlic.com/~lynn/x959.html#x959

in much of the current infrastructure, knowing the account number is
sufficient for a crook to perform a fraudulent transaction. We've
tried using a number of metaphors to describe the current
infrastructure (fixed by x9.59):
dual-use vulnerability metaphor

account number is required in a large number of different business
processes and is required to be readily available. at the same time
the account number has to be kept strictly confidential and never
divulged to anybody (not even those needing it for business processes,
since insiders have repeatedly been shown to be the major source of
identity theft). we've claimed that even if the planet was buried
under miles of information hiding encryption, that it wouldn't be
sufficient to prevent information leakage.
security proportional to risk metaphor

to the merchant, knowledge of the account number is worth some percent
of the profit off the transaction; that same knowledge for the crook,
is worth the account balance/credit-limit. as a result, the crook may
be able to outspend by a factor of 100 times attacking the system (as
the merchant can afford to spend protecting/defending the system).
naked transaction metaphor

lots of naked transaction metaphor archived blog activity & posts
http://www.garlic.com/~lynn/subintegrity.html#payments

One of the biggest issues with x9.59 financial standard is that it
enables commoditizing much of the payment transaction business

... being a single comprehensive protocol that is lightweight enough
for very low-value transactions but with super strong integrity for
very high-value transactions ... while also eliminating most of the
current threats and vulnerabilities ... and applicable to all
environments and types of payments.

For instance, x9.59 doesn't do anything about preventing all
the data breaches that have been in the news over the past
several years ... but it eliminates the threat of fraudulent
transactions as a result of breaches (which also eliminates most of
the crooks' motivation for making such breaches).

As an aside, the major use of SSL in the world today is associated
with hiding transmitted financial transactions as part of electronic
commerce. X9.59 eliminates the need to use SSL for that purpose.

also, part of addressing the ALL issue was coming up with
parameterised risk management framework. the broad scope of
parameterised risk management framework allows for things like
the same exact infrastructure and transactions to support
single-factor authentication for low-value transactions and
multi-factor authentication for higher-value transactions
(somewhat analogous to not requiring signatures for low-value credit
transactions ...  aka the same hardware token may easily be used both
with & w/o PIN depending on transaction value)

The following from the Kansas City Fed discusses some of the issues:

Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.kansascityfed.org/Publicat/ECONREV/PDF/3q08Sullivan.pdf

This is a decade-old post mentioning the AADS chip strawman:
http://www.garlic.com/~lynn/aadsm2.htm#straw

although AADS chip work had started quite a bit earlier. AADS related
discussions and patent references
http://www.garlic.com/~lynn/x959.html#aads

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
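The "naked transaction" argument in this post and in the preceding "Privacy, Identity theft, account fraud" post (knowing the account number is sufficient for a crook to transact) and the parameterised risk point above (the same token used with or without a PIN depending on transaction value) can both be shown in working code. The Go program below is an added example; it is not Lynn Wheeler's code and not an implementation of the X9.59 or AADS specifications. It assumes a simplified account-authority model: each account has a registered Ed25519 public key, the token signs every transaction, each transaction carries a per-account sequence number to defeat replay, and the token asserts in the signed message whether a PIN was entered. The account number, merchant names, amounts and the $100 threshold are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Transaction is what the account authority sees; Amount is in cents. Seq (a per-account
// counter) and PinVerified (asserted by the token) are assumptions of this example, not X9.59 fields.
type Transaction struct {
	Account, Merchant string
	Amount, Seq       uint64
	PinVerified       bool
}

// encode produces the exact bytes that are signed and later verified; the NUL
// separators keep the fields unambiguous.
func (t Transaction) encode() []byte {
	return []byte(fmt.Sprintf("%s\x00%s\x00%d\x00%d\x00%t", t.Account, t.Merchant, t.Amount, t.Seq, t.PinVerified))
}

// NakedAuthorize models the "naked transaction" infrastructure: a valid account number is enough.
func NakedAuthorize(known map[string]bool, t Transaction) error {
	if !known[t.Account] {
		return errors.New("unknown account")
	}
	return nil
}

// SignedAuthority stores only a public key and the last accepted sequence number per account.
type SignedAuthority struct {
	keys      map[string]ed25519.PublicKey
	lastSeq   map[string]uint64
	HighValue uint64 // amounts above this require PinVerified (second factor)
}

func NewSignedAuthority(highValue uint64) *SignedAuthority {
	return &SignedAuthority{map[string]ed25519.PublicKey{}, map[string]uint64{}, highValue}
}
func (a *SignedAuthority) Register(account string, pub ed25519.PublicKey) { a.keys[account] = pub }

func (a *SignedAuthority) Authorize(t Transaction, sig []byte) error {
	pub, ok := a.keys[t.Account]
	if !ok {
		return errors.New("unknown account")
	}
	if !ed25519.Verify(pub, t.encode(), sig) {
		return errors.New("bad signature") // the account number alone proves nothing
	}
	if t.Seq <= a.lastSeq[t.Account] {
		return errors.New("replayed or stale sequence number")
	}
	if t.Amount > a.HighValue && !t.PinVerified {
		return errors.New("high-value transaction requires PIN")
	}
	a.lastSeq[t.Account] = t.Seq
	return nil
}

type Outcome struct { // Err == nil means approved
	Label string
	Err   error
}

// RunScenario walks through the cases the post argues about: a leaked account
// number, a replayed signed transaction, and a value-dependent PIN policy.
func RunScenario() []Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only a broken system RNG gets here
	}
	acct := "4111-0000-0000-0001" // constructed sample account number
	known := map[string]bool{acct: true}
	signed := NewSignedAuthority(10_000) // constructed $100.00 threshold
	signed.Register(acct, pub)
	sign := func(t Transaction) []byte { return ed25519.Sign(priv, t.encode()) }
	legit := Transaction{Account: acct, Merchant: "grocer", Amount: 2_500, Seq: 1}
	crook := Transaction{Account: acct, Merchant: "fence", Amount: 9_900, Seq: 2} // has the number only
	big := Transaction{Account: acct, Merchant: "jeweller", Amount: 250_000, Seq: 3}
	sigLegit := sign(legit)
	out := []Outcome{ // calls are evaluated in order, so the replay case follows the accepted one
		{"naked: legitimate purchase", NakedAuthorize(known, legit)},
		{"naked: crook with leaked account number", NakedAuthorize(known, crook)},
		{"signed: legitimate purchase", signed.Authorize(legit, sigLegit)},
		{"signed: crook with leaked account number", signed.Authorize(crook, sigLegit)},
		{"signed: replay of captured transaction", signed.Authorize(legit, sigLegit)},
		{"signed: high value without PIN", signed.Authorize(big, sign(big))},
	}
	big.PinVerified = true
	return append(out, Outcome{"signed: high value with PIN", signed.Authorize(big, sign(big))})
}

func main() {
	for _, o := range RunScenario() {
		fmt.Printf("%-42s -> %v\n", o.Label, o.Err)
	}
}
```

Run it and the naked authority approves the crook's transaction on the strength of the leaked number alone, while the signed authority rejects it (bad signature), rejects a replay of a captured legitimate transaction (stale sequence number), and rejects the high-value purchase until the same token also asserts a PIN. Note what the authority side stores: a public key and a counter, which is why a breach of that table no longer feeds account fraud.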

Global Melt Down

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Global Melt Down
Date: October 25, 2008
Blog: Corporate Governance

business school article from last spring estimated that approximately
1000 executives are responsible for 80% of the current crisis and that
it would go a long way to solving the problem if the gov. could find a
way for them to lose their jobs.

there are several individual different greed & corruption "centers"
that have been known for some time.

for instance, recent quote:

Best practice transfer pricing calculations would have made it clear
that neither Bear Stearns nor Lehman Brothers had more than a marginal
chance of survival when funding 30 year sub-prime mortgage loans with
thirty day borrowings.

...

San Fran FED article from 2000 discussing short/long mismatch problems.
http://www.frbsf.org/econrsrch/wklyltr/2000/el2000-26.html

article from last year about many financial institutions carrying such
transactions off-balance-sheet (and may still be lurking):
http://www.forbes.com/entrepreneursfinance/2007/11/13/citigroup-suntrust-siv-ent-fin-cx_bh_1113hamiltonmatch.html

Toxic CDOs had been used two decades ago during the S&L crisis to
obfuscate underlying value and offload for higher than their worth.

The GAO has been keeping a database of an increasing number of public company
financial statements being restated (in spite of SOX). Basically
statements are inflated to increase executive bonuses. Later,
statements may be restated but bonuses aren't forfeited. Example was
freddie was fined $400M in 2004 for $10B statement inflation and the
CEO replaced ... but allowed to keep tens (hundred?) of millions.

illegal short sales are common place but not prosecuted:

CRAMER REVEALS A BIT TOO MUCH
http://www.nypost.com/seven/03202007/business/cramer_reveals_a_bit_too_much_business_roddy_boyd.htm

then there is ...

The Fed's Too Easy on Wall Street
http://www.businessweek.com/investor/content/mar2008/pi20080318_697440.htm?chan=top+news_top+news+index_businessweek+exclusives

from above:

Here's a staggering figure to contemplate: New York City securities
industry firms paid out a total of $137 billion in employee bonuses
from 2002 to 2007, according to figures compiled by the New York State
Office of the Comptroller. Let's break that down: Wall Street honchos
earned a bonus of $9.8 billion in 2002, $15.8 billion in 2003, $18.6
billion in 2004, $25.7 billion in 2005, $33.9 billion in 2006, and
$33.2 billion in 2007.

... snip ...

presumably part of the $700B wallstreet bailout will be used to
replenish the $137B taken out of the infrastructure (as reward for
their part in creating the current situation).

Regulation repeal and relaxation of regulation enforcement contributed
to the different sources of greed and corruption to start to interact
in systemic ways.

Greenspan, Cox tell Congress that bad data hurt Wall Street's computer
models
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117961

somewhat glosses over whether or not it was done on purpose ...

How Wall Street Lied to Its Computers
http://bits.blogs.nytimes.com/2008/09/18/how-wall-streets-quants-lied-to-their-computers/
Subprime = Triple-A ratings? or 'How to Lie with Statistics'
http://www.bloggingstocks.com/2007/07/25/subprime-triple-a-ratings-or-how-to-lie-with-statistics/

There was a guest on CSPAN recently that said that in the congressional
session that repealed Glass-Steagall (Glass-Steagall had been passed
in the wake of '29 crash to keep the risky unregulated investment
banking separate from safety&soundness of regulated banking), the
financial industry had contributed $250m to congress. PBS program on
the subject:

The Wall Street Fix
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/

They also mentioned that in the most recent session that passed the
$700B wallstreet bailout, the financial industry contributed $2B to
congress (with those that voted for the bill receiving 45% more than
those that voted against)

A couple weeks ago, one of the TV business news shows had a guest from
one of the credit rating agencies on to discuss downrating of some
companies. The host spent quite a bit of the time attempting to get
the guest to taking responsibility for the current crisis.

Poor Performance of Credit Rating Agencies
http://accounting.smartpros.com/x60011.xml

from above:

December 2007 Soon after Merrill Lynch disclosed its $8.4 billion
write-down because of problems with collateralized debt obligations
(CDOs) and other financial instruments relating to subprime mortgages,
the credit rating agencies started downgrading the securities. But,
this is like the proverbial soldier who watches a raging battle from
afar; when the war is over, he proceeds to bayonet the wounded.

... snip ...

jan2003 SEC report

Report on the Role and Function of Credit Rating Agencies in the
Operation of the Securities Markets; As Required by Section 702(b) of
the Sarbanes-Oxley Act of 2002
http://www.sec.gov/news/studies/credratingreport0103.pdf

there were discussions in the recent congressional credit rating
hearings that the SEC over the years repeatedly failed to provide any
oversight/enforcement regarding rating agency operation.

there was also testimony that both issuers and the rating agencies
knew that the toxic CDOs weren't worth triple-A ratings but the
issuers were paying the rating agencies to give them triple-A ratings
anyway and that amounted to fraud (collusion?, conspiracy?; triple-A
ratings greatly expanded the market for toxic CDOs and allowed
unregulated mortgage originators to unload any kind of mortgage,
eliminating motivation to pay attention to loan quality).

hearings discussed scenario where ratings agencies might blackmail
federal gov. into privatizing social security by threatening to
downgrade the gov's triple-A rating (value could disappear into
wallstreet like other retirement plans). then example was given where
rating agencies had done something analogous to some companies.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Do you believe a global financial regulation is possible?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Do you believe a global financial regulation is possible?
Date: October 25, 2008
Blog: Financial Regulation

testimony at recent congressional hearings mentioned aligning business
processes.

testimony was that both issuers and rating agencies knew that toxic
CDOs weren't worth triple-A rating but that the issuers were paying
the rating agencies for the triple-A rating ... which amounts to
fraud.

there were comments that in the '70s, the rating agencies changed from
the buyers paying for the ratings ... to the issuers paying for the
ratings (as a means of increasing the brand monetizing) ... which
resulted in mis-aligning the business interests.

there is huge amount of greed and corruption ... when the rating
agencies and buyers are aligned to prevent seller fraud ... things are
somewhat self-regulating. It is when rating agencies become aligned
with (paid by) the seller ... that the business interests are out of
alignment and opportunity for fraud increases significantly
.... greatly increasing the requirement for external regulation.

Similarly, Glass-Steagall was repealed in the late 90s
... Glass-Steagall was passed in the aftermath of the '29 crash
to keep the unregulated, risky investment banking separate from
safety&soundness of regulated banking. With that separation
removed, the regulatory issues increased enormously.  PBS
investigation into repeal of Glass-Steagall:

The Wall Street Fix
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/

A recent guest on CSPAN said that the financial industry contributed
$250m to congress during the session that repealed Glass-Steagall and
that in the most recent session (passing $700B wallstreet bailout),
the financial industry contributed $2B (supposedly those that voted
for the bill received an avg. of 45% more than those voting against).

GAO is doing a database of the increasing number of public companies
restating their financials. Basically statements are inflated to
increase executive bonuses. Later statements may be restated but
bonuses aren't forfeited. Example was freddie was fined $400m in 2004
for $10B statement inflation and the CEO replaced ... but allowed to
keep tens (hundred?) of millions.

There is recent published study of 270(?) some public companies that
redid their executive compensation plan after having problems with
financial statements and executive bonuses. Supposedly executive
compensation has been changed to be much more closely aligned with the
health and well being of the corporation ... and as a result the
companies are performing much better.

Last spring, one of the business schools had an article that
approx. 1000 executives are responsible for 80% of the current crisis
and it would go a long way to fixing the situation if the gov. could
figure out how they could lose their jobs.

Unregulated mortgage originators being able to unload an unlimited
number of subprime loans as triple-A rated toxic CDOs ... lost
any motivation to pay attention to loan quality (again business
process misaligned by being able to pay rating agencies for triple-A
ratings).

With business processes misaligned and no self-interest to do the
"right thing", the requirement for external regulation increases
enormously.

There is BIS
http://www.bis.org/index.htm
and wiki page:
http://en.wikipedia.org/wiki/Bank_for_International_Settlements

and the current "basel II"
http://en.wikipedia.org/wiki/Basel_II

Basel accords have had quantitative sections for some time. Early
drafts of Basel II had new qualitative section ... which was largely
eliminated during the review process .... there was some caustic
comments about it not really necessary to demonstrate that they knew
what they were doing ... as long as they could follow the formulas by
rote.

There were similar comments in the wake of S&L crisis that in heavily
regulated environment .... the institutions can become dominated by
people just going thru the motions by rote (w/o having to know what
they were doing). Then if regulations were ever relaxed or removed
... they are totally adrift (since they have no concept of why they
were doing what they were doing).

This is one of the benefits behind trying to have business processes
properly aligned ... so that people would be doing the right thing
because it was in their best interest (as opposed to being mandated by
regulations).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Strings story

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Strings story
Newsgroups: alt.folklore.computers
Date: Tue, 28 Oct 2008 09:48:18 -0400

Walter Bushell <proto@panix.com> writes:

s/will *never* work*/will appear to work, but fail at the most
inopportune times and open you to identity theft/

A little more topic drift, following from Kansas City FED:

Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.kansascityfed.org/Publicat/ECONREV/PDF/3q08Sullivan.pdf

above references x9.59 financial standard protocol, also referenced
here
http://www.garlic.com/~lynn/x959.html#x959

some of the issues discussed in this answer:
http://www.linkedin.com/answers/government-non-profit/government-policy/GOV_GPO/349163-2125315
also archived here:
http://www.garlic.com/~lynn/2008p.html#7 Dealing with the neew MA ID protection law

This is decade old post mentioning AADS chip strawman:
http://www.garlic.com/~lynn/aadsm2.htm#straw

although AADS chip work had started quite a bit earlier. AADS related
discussions
http://www.garlic.com/~lynn/x959.html#aads

and patent references
http://www.garlic.com/~lynn/aadssummary.htm

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: October 28, 2008
Blog: Payment and Fraud Professional

Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.kansascityfed.org/Publicat/ECONREV/PDF/3q08Sullivan.pdf

above references x9.59 financial standard protocol, also referenced
here
http://www.garlic.com/~lynn/x959.html#x959

some of the issues discussed in this answer:
http://www.linkedin.com/answers/government-non-profit/government-policy/GOV_GPO/349163-2125315
also archived here:
http://www.garlic.com/~lynn/2008p.html#7 Dealing with the neew MA ID protection law

This is decade old post mentioning AADS chip strawman:
http://www.garlic.com/~lynn/aadsm2.htm#straw

although AADS chip work had started quite a bit earlier. AADS related
discussions
http://www.garlic.com/~lynn/x959.html#aads

and patent references
http://www.garlic.com/~lynn/aadssummary.htm

and another recent related discussion:
http://www.garlic.com/~lynn/2008p.html#5 Privacy, Identity theft, account fraud

Major payment chip card started to be introduced in Europe in the late
90s ... which continued through this decade in many parts of the world
(including large deployment in US NE in the early part of this
decade). Almost immediately after the introduction in Europe, the YES
CARD exploit appeared ... lots of past discussions
http://www.garlic.com/~lynn/subintegrity.html#yescard

The YES CARD scenario used effectively the same technology that was
being used for skimming magstripe information ... but loaded into
counterfeit chip. The counterfeit chip costs were a few cents more
than counterfeit magstripe ... but the degree of the resulting fraud
was immensely greater (the fraud ROI for YES CARD significantly
increased)

The YES CARD label came from a counterfeit card always answering
YES to the questions from the terminal: 1) was the correct PIN
entered (always answered YES)?, 2) should the transaction be done
offline (always answered YES)?, and 3) is the transaction within the
account credit limit (always answered YES)?. Skimming for
counterfeit YES CARD was actually simpler than PIN-DEBIT magstripe
card, since there was no requirement to also skim the PIN.

In the magstripe scenario ... fraud countermeasures included the
ability to deactivate the account. In the YES CARD scenario, since
the counterfeit card always told the terminal that it was an offline
transaction, there was no way of finding out that the account had been
deactivated.

As an aside, countermeasures for the YES CARD kind of exploit was
standard part of the x9.59 financial standard work from the mid-90s.

The x9.59 financial standard work was done in the x9a10 financial
standard working group, which in the mid-90s, had been given the
requirement to preserve the integrity of the financial infrastructure
for ALL retail payments. This is ALL retail, as in ALL credit, debit,
stored-value, check, ACH, etc; as in ALL POS, internet, unattended,
face-to-face, mobile, transit, contract, contactless, etc; and as in
ALL low-value, medium-value, high-value, etc.

We had semi-facetiously joked in the mid-90s, that we would take a
$500 milspec part and aggressively cost reduce by 2-3 orders of
magnitude while increasing the security. Very quickly we had a chip
that was less expensive than the least secure chip on the market but
more secure than the most expensive chip on the market.

One of the lingering problems was that there was a consumer financial
chipcard introduction in the early part of this decade. Attempting to
improve the uptake, they were giving away PC card readers. These card
readers resulted in horrible consumer installation problems (blue
screen of death, having to completely re-install operating system,
etc). In the wake of that disaster, there was a rapidly spreading
opinion that chipcards weren't practical in the consumer market
... resulting in lots of card programs evaporating. That appeared to
have also been major issue in the EU FINREAD effort also appearing to
evaporate. misc. past posts mentioning EU FINREAD standard
http://www.garlic.com/~lynn/subintegrity.html#finread

The whole situation is an example of ephemeral institutional
knowledge. Detailed after action reviews of the disaster identified
nearly all of the problems dealing with PC card reader being a serial
port device. In the mid-90s, there were a number of presentations
about motivation behind migration of the 80s online banking
implementations to the internet. A major issue behind the migration
was enormous support problems dealing with serial port dial-up modems
... some banks claiming that they had library of more than 60
different (serial-port) dial-up modem drivers as part of supporting
online banking. With migration of online banking to internet ... all
of these support issues were offloaded to internet service
providers. Significant problems with serial port infrastructure
contributed to introduction of USB.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
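The three-question exchange described above, as an added toy model (not code from the original post or from any payment standard): a terminal that takes the card's word for "PIN ok / go offline / under limit" approves a counterfeit that always answers YES, even after the issuer has deactivated the account, because an offline transaction never reaches the issuer; a terminal that first challenges the chip to sign a fresh nonce (the idea behind dynamic data authentication) rejects a clone that only carries skimmed static data. The message shapes, the offline threshold, the constructed account and the HMAC stand-in for the card's signature are assumptions made here, not EMV formats.

```python
import hashlib
import hmac
import secrets

OFFLINE_FLOOR = 50   # constructed threshold: a genuine card takes amounts below this offline


class Issuer:
    """Issuer host: holds the state that only an online authorization can consult."""

    def __init__(self):
        self.accounts = {}

    def open_account(self, pan, pin, limit):
        key = secrets.token_bytes(16)   # card-resident secret: a magstripe-style skim never sees it
        self.accounts[pan] = {"key": key, "limit": limit, "active": True}
        return GenuineCard(pan, pin, key, limit)

    def deactivate(self, pan):
        self.accounts[pan]["active"] = False

    def authorize_online(self, pan, amount):
        acct = self.accounts.get(pan)
        if acct is None or not acct["active"] or amount > acct["limit"]:
            return "DECLINED_ONLINE"
        return "APPROVED_ONLINE"


class GenuineCard:
    """Real chip: checks the PIN and the limit itself and can sign with its key."""

    def __init__(self, pan, pin, key, limit):
        self.pan, self._pin, self._key, self._limit = pan, pin, key, limit

    def verify_pin(self, pin):
        return pin == self._pin

    def go_offline(self, amount):
        return amount < OFFLINE_FLOOR

    def under_limit(self, amount):
        return amount <= self._limit

    def sign(self, nonce):
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class YesCard:
    """Counterfeit loaded with skimmed static data only: it answers YES to every question."""

    def __init__(self, pan):
        self.pan = pan

    verify_pin = go_offline = under_limit = lambda self, _: True   # always YES

    def sign(self, nonce):
        return bytes(32)   # no key on board, so it cannot answer a challenge


class Terminal:
    def __init__(self, issuer, dynamic_auth=False):
        self.issuer, self.dynamic_auth = issuer, dynamic_auth

    def authorize(self, card, pin_entered, amount):
        if self.dynamic_auth:
            # Make the chip prove it holds the key before believing any of its answers.
            # The key lookup is a stand-in for the issuer-signed public key a DDA
            # terminal would hold; with an HMAC the terminal holds the secret itself.
            nonce = secrets.token_bytes(16)
            key = self.issuer.accounts[card.pan]["key"]
            expected = hmac.new(key, nonce, hashlib.sha256).digest()
            if not hmac.compare_digest(card.sign(nonce), expected):
                return "DECLINED_CARD_AUTH"
        if not card.verify_pin(pin_entered):   # question 1: was the correct PIN entered?
            return "DECLINED_PIN"
        if card.go_offline(amount):            # question 2: do the transaction offline?
            if not card.under_limit(amount):   # question 3: within the limit?
                return "DECLINED_LIMIT"
            return "APPROVED_OFFLINE"          # issuer never consulted: a deactivation is invisible
        return self.issuer.authorize_online(card.pan, amount)


def run_scenarios():
    """Constructed account and transactions; returns each outcome keyed by scenario name."""
    issuer = Issuer()
    genuine = issuer.open_account("PAN-0000-constructed", pin="1234", limit=1000)
    clone = YesCard(genuine.pan)
    trusting, challenging = Terminal(issuer), Terminal(issuer, dynamic_auth=True)
    results = {
        "genuine_small_offline": trusting.authorize(genuine, "1234", 20),
        "genuine_wrong_pin": trusting.authorize(genuine, "0000", 20),
        "genuine_large_online": trusting.authorize(genuine, "1234", 500),
        "clone_wrong_pin_over_limit": trusting.authorize(clone, "0000", 5000),
    }
    issuer.deactivate(genuine.pan)
    results["genuine_online_after_deactivation"] = trusting.authorize(genuine, "1234", 500)
    results["clone_after_deactivation"] = trusting.authorize(clone, "0000", 5000)
    results["clone_vs_dynamic_auth"] = challenging.authorize(clone, "0000", 5000)
    results["genuine_vs_dynamic_auth"] = challenging.authorize(genuine, "1234", 20)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:36} {outcome}")
```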

Discussions areas, private message silos, and how far we've come since 199x

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Discussions areas, private message silos, and how far we've come since 199x
Date: October 28, 2008
Blog: Greater IBM

previous posts in thread:
http://www.garlic.com/~lynn/2008o.html#49 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008o.html#54 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008o.html#61 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008o.html#63 Discussions areas, private message silos, and how far we've come since 199x

from long ago and far away:
Date: 7 June 1985, 15:44:33 EDT
From: somebody in raleigh
To: wheeler at sjr, somebody in rochester, somebody in burlington,
   and somebody at corporate networking

To those folks who expressed an interest in the IBM TeleCommunications
Conference Facility:

We finally have a successful "launch". It was a little slow getting
off the "pad", due mainly to my own fat-fingered interference in an
otherwise smooth-working service machine. But now it is a reality.

IBMCOMM is mastered by TOOLS at RALVM. We have one shadow being set up
at SJRVM, and others possibly in La Gaude and Yorktown.

TOOLS at RALVM is a TOOLSRUN 4 machine, and should respond to requests
from TOOLS or TREQ EXECs and behave very like IBMVM and IBMPC. Our
disk space currently is very limited, but if the conference becomes
lively enough to require more, there will be little difficulty in
justifying it here. Can't speak for the shadow(s), though.

Thanks for your interest and participation! Your expertise and your
concerns are equally important to us. Our goal is to improve our
TeleCommunicating products -- from the USER's point of view -- and you
are the source of how we perceive that.

Thank you all again for your interest in IBMCOMM.

... snip ... top of post, old email index

In the early & mid 80s, we were doing HSDT (high speed data transport)
project (one of the reasons I named the project HSDT was to
differentiate from communication) ... misc. old email related
to HSDT
http://www.garlic.com/~lynn/lhwemail.html#hsdt
and various past posts mentioning HSDT:
http://www.garlic.com/~lynn/subnetwork.html#hsdt

and having periodic skirmishes with SNA organization; we weren't using
SNA and were supporting T1 and higher speed links. some of the HSDT
hardware was being built to spec by companies on the other side of the
Pacific. The Friday before an HSDT business trip to the far east (not
long after the above email), somebody from the SNA organization
announced a new "high-speed" network related (IBMCOMM) computer
conference that included the following definition:

   low-speed       <9.6kbits
   medium-speed    19.2kbits
   high-speed      56kbits
   very high-speed 1.5mbits

the following Monday, on the wall of a conference room in the fareast:

   low-speed       <20mbits
   medium-speed    100mbits
   high-speed      200-300mbits
   very high-speed >600mbits

We were also working with various NSFNET backbone (operational
precursor to modern internet) participants for T1 links ... and pushed
hard for the T1 requirement in the NSFNET backbone RFP. Various
internal politics then prevented us from bidding on the
RFP. Attempting to help with the internal politics, the director of
NSF wrote a letter, copying the CEO (even saying that what we/HSDT
already had running was at least five years ahead of all other NSFNET
bid submissions). That appeared to just aggravate the internal
politics. misc. past emails related to NSFNET backbone:
http://www.garlic.com/~lynn/lhwemail.html#nsfnet
and various past posts mentioning NSFNET
http://www.garlic.com/~lynn/subnetwork.html#nsfnet

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

"Telecommunications" from '85

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: "Telecommunications" from '85
Newsgroups: alt.folklore.computers
Date: Wed, 29 Oct 2008 10:26:35 -0400

x-post from linkedin greater ibm blog:
http://www.garlic.com/~lynn/2008p.html#12 Discussions areas, private message silos, and how far we've come since 199x

previous posts in thread:
http://www.garlic.com/~lynn/2008o.html#49 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008o.html#54 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008o.html#61 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008o.html#63 Discussions areas, private message silos, and how far we've come since 199x

from long ago and far away:
Date: 7 June 1985, 15:44:33 EDT
From: somebody in raleigh
To: wheeler at sjr, somebody in rochester, somebody in burlington,
   and somebody at corporate networking

To those folks who expressed an interest in the IBM TeleCommunications
Conference Facility:

We finally have a successful "launch". It was a little slow getting
off the "pad", due mainly to my own fat-fingered interference in an
otherwise smooth-working service machine. But now it is a reality.

IBMCOMM is mastered by TOOLS at RALVM. We have one shadow being set up
at SJRVM, and others possibly in La Gaude and Yorktown.

TOOLS at RAL is a TOOLSRUN 4 machine, and should respond to requests
from TOOLS or TREQ EXECs and behave very like IBMVM and IBMPC. Our
disk space currently is very limited, but if the conference becomes
lively enough to require more, there will be little difficulty in
justifying it here. Can't speak for the shadow(s), though.

Thanks for your interest and participation! Your expertise and your
concerns are equally important to us. Our goal is to improve our
TeleCommunicating products -- from the USER's point of view -- and you
are the source of how we perceive that.

Thank you all again for your interest in IBMCOMM.

... snip ... top of post, old email index

In the early & mid 80s, we were doing HSDT (high speed data transport)
project (one of the reasons I named the project HSDT was to
differentiate from communication) ... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#hsdt

and having periodic skirmishes with SNA organization; we weren't using
SNA and were supporting T1 and higher speed links. some of the HSDT
hardware was being built to spec by companies on the other side of the
Pacific. The Friday before an HSDT business trip to the far east (not
long after the above email), somebody from the SNA organization
announced a new "high-speed" network related (IBMCOMM) computer
conference that included the following definition:

     low-speed       <9.6kbits
     medium-speed    19.2kbits
     high-speed      56kbits
     very high-speed 1.5mbits

the following Monday, on the wall of a conference room in the fareast:

     low-speed       <20mbits
     medium-speed    100mbits
     high-speed      200-300mbits
     very high-speed >600mbits

We were also working with various NSFNET backbone (precursor to modern
internet) participants for T1 links ... and pushed hard for the T1
requirement in the NSFNET backbone RFP. Various internal politics then
prevented us from bidding on the RFP. Attempting to help with the
internal politics, the director of NSF wrote a letter, copying the CEO
(even saying that what we/HSDT already had running was at least five
years ahead of all other NSFNET bid submissions). That appeared to
just aggravate the internal politics. misc. past emails related to
NSFNET backbone:
http://www.garlic.com/~lynn/lhwemail.html#nsfnet
and various past posts mentioning NSFNET
http://www.garlic.com/~lynn/subnetwork.html#nsfnet

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: October 29, 2008
Blog: Payment and Fraud Professional

re:
http://www.garlic.com/~lynn/2008p.html#11 Can Smart Cards Reduce Payments Fraud and Identity Theft?

Note in the YES CARD scenario ... there is an issue whether the
chip supports "static data authentication" (SDA) or "dynamic data
authentication" (DDA).
http://www.garlic.com/~lynn/subintegrity.html#yescard

We had been asked to consult with a small client/server startup that
wanted to do payment transactions on their servers and they had this
technology they had invented called SSL they wanted to use. Part of
the deployment included something called the payment gateway
.... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

The result is now frequently referred to as electronic commerce

Then in the mid-90s, we were asked to participate in x9a10 financial
standard working group, which had been given the requirement to
preserve the integrity of the financial infrastructure for ALL
retail payments. This is ALL retail, as in ALL credit, debit,
stored-value, check, ACH, etc; as in ALL POS, internet, unattended,
face-to-face, mobile, transit, contract, contactless, etc; and as in
ALL low-value, medium-value, high-value, etc.

Part of this involved detailed, end-to-end threat and vulnerability
studies of the environments ... which eventually resulted in x9.59
financial transaction standard.

ALL included things like X9.59 being light-weight enough to be used
in transit gate and mobile operation ... but secure enough that it
handles the highest value transactions. It also had to eliminate
vulnerabilities ... including data breaches and skimming.

Possibly part of the issue with X9.59 financial standard from the
mid-90s appeared that with a single, very light-weight, super-secure
transaction that was applicable to ALL kinds of payments, ALL
kinds of payment values, ALL environments, and addressed majority of
threats and vulnerabilities ... that it significantly commoditized
payment transactions.

The major use of SSL in the world today is for hiding transaction
information for this thing we worked on, that is now frequently called
electronic commerce, as countermeasure to eavesdropping
and replay attacks. Part of X9.59 financial standard was
slightly tweaking the paradigm that eliminated the threat of crooks
using information from skimming and data breaches for
fraudulent transactions. As a side-effect, X9.59 also eliminates the
major use of SSL in the world today.

4-5 yrs ago at one of the payment conferences there was presentation
on the YES CARD vulnerabilities. One of the people from the audience
got up and commented about "they" have spent billions of dollars to
prove that chipcards are less secure than magstrip cards.

The other (non-standard, non-x9a10 financial working group) payment
transactions efforts from the mid-90s period had been narrowly
focused, point solutions. As a result, over the years they have
tended to substitute expensive trial&error deployments for
comprehensive understanding and end-to-end threat and vulnerability
studies.

recent reference (account fraud for David related to checks that he
wrote for errata):

Donald Knuth stops paying for errata


from above:

Financial Fiasco

Leading banks and investment funds have been foundering, because of
bad debts and lack of trust; and other, less well-known kinds of
fiscal chaos are also on the horizon. For example, due to an unfixable
security flaw in the way funds are now transferred electronically,
worldwide, it is no longer safe to write personal checks.

... snip ...

copied from response to some skepticism in one of the fraud groups ...

now, it is true that many in the smartcard industry over the past
couple decades have gotten the reputation of showing up claiming
smartcards are the answer ... even before finding out what the
requirements are.

in the x9.59 scenario ... we had spent a great deal of time looking at
detailed, end-to-end threats & vulnerabilities ... and designing a
protocol that satisfies those requirements.

the smartcard part is somewhat more what people are familiar with
... a hardware implementation part of the solution can be done in
20,000 circuits, extremely short elapsed time (few tens of
milliseconds) and very, very low power requirements. it would be
possible to do a separate chip (somewhat akin to UPC/EPC RFID chips)
or embedded circuits in small part of some larger chip. as a separate
chip it could be packaged in a large number of different ways ... not
just limited to traditional smartcard form factor.

i was part of assurance panel at intel developer's forum in TPC
(trusted computing) track. I happened to comment that it was nice to
see that the TPM definition had started to look more & more like the
simpler (KISS) AADS chip strawman over the previous couple years. The
person running TPC was in the front row and quipped back that I didn't
have a committee of 200 people helping me with the design.

misconception about two sides ... there have been long litany of
failed &/or aborted smartcard efforts over the past 15-20 yrs
... large percentage of reasons not having to do directly with
smartcards; frequently cause was lack of understanding of smartcards
and/or requirements. we've had to do postmortem on some number,
although sometimes we were on the frontend. one case in mid-90s major
euro, stored-value smartcard was looking at penetration of US market
... we were asked to design & cost dataprocessing operations to
support deployment. We couldn't come up with numbers that would
justify the deployment.

there is this web page about presentation discussing YES CARD
at Cartes 2002
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

from above:

It was stated that cloning an EMV card is a relatively simple task,
with all the necessary information and equipment available on the
Internet.

... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: October 29, 2008
Blog: Smart Cards Group

re:
http://www.garlic.com/~lynn/2008p.html#11
http://www.garlic.com/~lynn/2008p.html#14

and related:
http://www.garlic.com/~lynn/2008p.html#5 Privacy, Identity theft, account fraud

The above references several of the issues raised ... including failed
attempts over the last decade that have resulted in raising the
barrier to entry.

We had been asked to consult with a small client/server startup that
wanted to do payment transactions on their servers and they had this
technology they had invented called SSL they wanted to use. Part of
the deployment included something called the payment gateway
.... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

The result is now frequently referred to as electronic commerce

Then in the mid-90s, we were asked to participate in x9a10 financial
standard working group, which had been given the requirement to
preserve the integrity of the financial infrastructure for ALL
retail payments. This is ALL retail, as in ALL credit, debit,
stored-value, check, ACH, etc; as in ALL POS, internet, unattended,
face-to-face, mobile, transit, contract, contactless, etc; and as in
ALL low-value, medium-value, high-value, etc.

Part of this involved detailed, end-to-end threat and vulnerability
studies of the environments ... which eventually resulted in x9.59
financial transaction standard.

ALL included things like X9.59 being light-weight enough to be used
in transit gate and mobile operation ... but secure enough that it
handles the highest value transactions. It also had to eliminate
vulnerabilities ... including data breaches and skimming.

Possibly part of the issue with X9.59 financial standard from the
mid-90s appeared that with a single, very light-weight, super-secure
transaction that was applicable to ALL kinds of payments, ALL
kinds of payment values, ALL environments, and addressed majority of
threats and vulnerabilities ... that it significantly commoditized
payment transactions.

The major use of SSL in the world today is for hiding transaction
information (for this earlier effort we worked on), as countermeasure
to eavesdropping and replay attacks. Part of X9.59 financial
standard was slightly tweaking the paradigm that eliminated the threat
of crooks using information from skimming and data breaches for
fraudulent transactions. As a side-effect, X9.59 also eliminates the
major use of SSL in the world today.

The other (non-standard, non-x9a10 financial working group) payment
transactions efforts from the mid-90s period had been narrowly
focused, point solutions. As a result, over the years they have tended
to substitute expensive trial&error deployments for comprehensive
understanding and end-to-end threat and vulnerability studies.

Also as part of meeting the ALL requirement were the following:

parameterised risk management framework

A parameterised risk management framework was created ... trivial
example is that the same exact hardware token could be used both with
& without PIN ... possibly based on transaction value (or other risk
factors), somewhat in manner similar to not requiring signatures for
low-value credit transactions.

person-centric paradigm

Quite a bit of time was spent investigating what were all the
inhibitors preventing transitioning from a "institutional-centric"
hardware token paradigm (each institution issues their own hardware
token) ... to a person-centric hardware token paradigm ... aka what
issues had to be addressed in order for gov. agencies to accept a
person's token as an authentication device (physical access, computer
access, etc) ... or any number of financial institutions to accept a
person's token as an authentication device (financial transactions
across a broad range of values, online banking access, etc).

With respect to past failed deployments, I went around to possibly
half the booths at the 2001 annual smartcard conference ... asking the
people 1) if they were aware there was a rapidly spreading opinion
that smartcards weren't practical in the consumer market and 2) what
were the reasons for #1.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Blinkenlights

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Blinkenlights
Newsgroups: alt.folklore.computers
Date: Wed, 29 Oct 2008 19:07:02 -0400

John Varela <OLDlamps@verizon.net> writes:

Can you get a solid-core door that doesn't have imitation paneling? I
suppose so, if that's your plan.  I don't think I've ever seen one.

I made a kitchen table out of a hollow-core door about 40 years ago, and
it's still doing service in the garage even after having been hit by a
car, an incident too painful to recall.

the science center
http://www.garlic.com/~lynn/subtopic.html#545tech

long ago, and far away (>35yrs ago, but less than 40), made a desk out
of solid/heavy fir door (over two 2-drawer file cabinets). I think it
was kept around, just to remind me.

i was used to working on weekends late at night, dedicated time alone in
the machine room ... and periodically would need to get backup tapes out
of the tape library (effectively an office within the machine room, taken
over with tape storage racks).

one weekend, the door to the tape library was locked ... and i had been
up for awhile ... so didn't feel like going over the false ceiling
... so i kicked the door (once) ... and it split top to bottom ... along
the edge intersecting the door knob hole.

turns out that wasn't the only problem ... they had moved the tape
library to another room ... and replaced the tapes with employee
personnel records.

misc. past posts mentioning kicking the door:
http://www.garlic.com/~lynn/2002m.html#15 What is microcode?
http://www.garlic.com/~lynn/2005d.html#31 The Mainframe and its future.. or furniture
http://www.garlic.com/~lynn/2006g.html#42 Old PCs--environmental hazard

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Open Source, Unbundling, and Future System

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Open Source, Unbundling, and Future System
Date: October 28, 2008
Blog: Global IBM Connection

re:
http://www.garlic.com/~lynn/2008o.html#66 Open Source, Unbundling, and Future System

About a decade ago I ran into a former Perkin/Elmer salesman who had
sold a lot of boxes to NASA and other gov. agencies. Perkin/Elmer had
bought Interdata and was selling a descendant of the clone controller
box that had been developed at the university when I was an
undergraduate. In further discussions, the salesman commented that the
"wire-wrap" channel interface board possibly had never been redone
(effectively hadn't changed since my undergraduate days).

In that same period, I had a tour of one of the major
merchant/acquiring (mainframe) datacenters. They had one of these
Perkin/Elmer controller boxes handling dialup POS (point-of-sale)
incoming calls (large number of dialup card swipe terminals found at
retail establishments around the country).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: October 30, 2008
Blog: Smart Cards Group

re:
http://www.garlic.com/~lynn/2008p.html#15 Can Smart Cards Reduce Payments Fraud and Identity Theft?

attached is copied from similar discussion in one of the linkedin
fraud groups.

Note that the experience of the dialup online banking transition to
internet influenced the motivation for all the work on
person-centric paradigm for smartcards. we had made semi-facetious
comments that we would do aggressive cost reduction for 2-3 orders of
magnitude per smartcard. then (if hardware token paradigm were to ever
catch on), person-centric would further reduce number of smartcards
by a factor of 100 (compared to institutional-centric paradigm where a
person was provided a hardware token in lieu of every password, pin,
and/or key). The aggregate infrastructure costs savings (for
person-centric paradigm) could then be between 10,000 to 100,000 times
(i.e. 100 times reduction in number of hardware tokens multiplied by
2-3 orders magnitude reduction in per token cost).

Another part of the experience of migration to internet ... was that
the internet effectively obsoleted all the "value-added" networks that
grew up in the 70s & 80s (although a few continue to linger on).

As noted, the lessons learned from the dial-up online banking
migration to the internet (in large part serial port problems) seemed
to have evaporated within a few years when the same exact problems
were encountered attempting to give away large number of serial-port
smartcard readers.

re:
http://www.garlic.com/~lynn/2008p.html#11 Can Smart Cards Reduce Payments Fraud and Identity Theft?

... from above

One of the lingering problems was that there was a consumer financial
chipcard introduction in the early part of this decade. Attempting to
improve the uptake, they were giving away PC card readers. These card
readers resulted in horrible consumer installation problems (blue
screen of death, having to completely re-install operating system,
etc). In the wake of that disaster, there was a rapidly spreading
opinion that chipcards weren't practical in the consumer market
... resulting in lots of card programs evaporating. That appeared to
have also been major issue in the EU FINREAD effort also appearing to
evaporate. misc. past posts mentioning EU FINREAD standard
http://www.garlic.com/~lynn/subintegrity.html#finread

The whole situation is an example of ephemeral institutional
knowledge. Detailed after action reviews of the disaster identified
nearly all of the problems dealing with PC card reader being a serial
port device. In the mid-90s, there were a number of presentations
about motivation behind migration of the 80s online banking
implementations to the internet. A major issue behind the migration
was enormous support problems dealing with serial port dial-up modems
... some banks claiming that they had library of more than 60
different (serial-port) dial-up modem drivers as part of supporting
online banking. With migration of online banking to internet ... all
of these support issues were offloaded to internet service
providers. Significant problems with serial port infrastructure
contributed to introduction of USB.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: October 30, 2008
Blog: Financial Crime Risk, Fraud and Security

We had been called in to consult with small client/server startup that
wanted to do payment transactions on their server and they had this
technology called SSL they had invented they wanted to use. Part of
that deployment was something called payment gateway ... some past
posts/references
http://www.garlic.com/~lynn/subnetwork.html#gateway

The result is now frequently referred to as electronic commerce. Some
of the detailed threat and vulnerability studies identified just
"knowing" information from existing transaction was typically
sufficient for a crook to successfully perform fraudulent financial
transactions. Furthermore, studies had shown that insiders have been
involved in 70 percent of these kinds of identity theft. SSL was only
going to hide transaction information while being transmitted on the
internet ... and otherwise ... transaction information was going to
appear at tens of millions of places all over the world. We asked for
several countermeasures for this class of problem ... including
detailed FBI background checks for every person associated with a
payment transaction website everywhere in the world. There were some
number of things that we mandated that were followed ... but we
couldn't get the detailed FBI background check.

Then in the mid-90s, we were asked to participate in x9a10 financial
standard working group which in the mid-90s, had been given the
requirement to preserve the integrity of the financial infrastructure
for ALL retail payments. This is ALL retail, as in ALL credit,
debit, stored-value, check, ACH, etc; as in ALL POS, internet,
unattended, face-to-face, mobile, transit, contract, contactless, etc;
and as in ALL low-value, medium-value, high-value, etc.

Part of this involved (further) detailed, end-to-end threat and
vulnerability studies of the environments ... which eventually
resulted in the x9.59 financial transaction standard
http://www.garlic.com/~lynn/x959.html#x959

part of the x9.59 financial standard involved slightly tweaking the
paradigm and eliminating the threats from eavesdropping, skimming, data
breach, etc. x9.59 did nothing to eliminate eavesdropping, skimming,
and/or data breaches .... but x9.59 tweaked the paradigm so that any
information was useless for performing fraudulent transactions.

Note that the major use of SSL in the world today is for this thing we
had earlier worked on, now frequently called electronic commerce
... as part of hiding the information. In effect, x9.59 results in
eliminating the primary use of SSL in the world today ... since with
x9.59 financial transactions, it is no longer necessary to hide the
information (as countermeasure to preventing fraudulent financial
transactions).

now, it is true that many in the smartcard industry over the past
couple decades have gotten the reputation of showing up claiming
smartcards are the answer ... even before finding out what the
requirements are.

in the x9.59 scenario ... we had spent a great deal of time looking at
detailed, end-to-end threats & vulnerabilities ... and designing a
protocol that satisfies those requirements.

the smartcard part is somewhat more what people are familiar with
... a hardware implementation part of the solution can be done in
20,000 circuits, extremely short elapsed time (few tens of
milliseconds) and very, very low power requirements. it would be
possible to do a separate chip (somewhat akin to UPC/EPC RFID chips)
or embedded circuits in small part of some larger chip. as a separate
chip it could be packaged in a large number of different ways ... not
just limited to traditional smartcard form factor.

i was part of assurance panel at intel developer's forum in TPC
(trusted computing) track. I happened to comment that it was nice to
see that the TPM definition had started to look more & more like the
simpler (KISS) AADS chip strawman over the previous couple years. The
person running TPC was in the front row and quipped back that I didn't
have a committee of 200 people helping me with the design.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Donald Knuth stops paying for errata

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Donald Knuth stops paying for errata
Date: Thu, 30 Oct 2008 16:37:01 -0400
To: Perry E. Metzger <perry@xxxxxxxx>
CC: cryptography@xxxxxxxx

On 10/30/08 16:30, Perry E. Metzger wrote:

It seems that Donald Knuth had his bank accounts attacked not once but
three times using his checking account number off of checks he sent
out for bounties for flaws in his books and software, and is thus
ending a practice of nearly 40 years. Rather sad.

I mark this as another milestone in the slow destruction of the idea
that it is okay for an account number to be the secret used to effect
payment in a transaction system.

http://www-cs-faculty.stanford.edu/~knuth/news08.html

recent article from Kansas City Fed on the subject (including reference
to x9.59 financial standard protocol):

Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.kansascityfed.org/Publicat/ECONREV/PDF/3q08Sullivan.pdf

some archived posts on the article from linkedin fraud & payment groups
http://www.garlic.com/~lynn/2008p.html#11
http://www.garlic.com/~lynn/2008p.html#14
http://www.garlic.com/~lynn/2008p.html#15
http://www.garlic.com/~lynn/2008p.html#18
http://www.garlic.com/~lynn/2008p.html#19

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Would you say high tech authentication gizmo's are a waste of time/money/effort?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Would you say high tech authentication gizmo's are a waste of time/money/effort?
Date: October 30, 2008
Blog: Information Security

Here is a recent article from Kansas City FED:

Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.kansascityfed.org/Publicat/ECONREV/PDF/3q08Sullivan.pdf

above references x9.59 financial standard protocol, also referenced
here
http://www.garlic.com/~lynn/x959.html#x959

some of the issues discussed in this answer:
http://www.linkedin.com/answers/government-non-profit/government-policy/GOV_GPO/349163-2125315
also archived here:
http://www.garlic.com/~lynn/2008p.html#7 Dealing with the neew MA ID protection law

This is decade old post mentioning AADS chip strawman:
http://www.garlic.com/~lynn/aadsm2.htm#straw

although AADS chip work had started quite a bit earlier. AADS related
discussions
http://www.garlic.com/~lynn/x959.html#aads

and patent references
http://www.garlic.com/~lynn/aadssummary.html

part of recent discussions related to the article in fraud, payment
and smartcard groups archived here:
http://www.garlic.com/~lynn/2008p.html#11
http://www.garlic.com/~lynn/2008p.html#14
http://www.garlic.com/~lynn/2008p.html#15
http://www.garlic.com/~lynn/2008p.html#18
http://www.garlic.com/~lynn/2008p.html#19

and another recent reference (account fraud for Donald related to
checks that he wrote for errata):

Donald Knuth stops paying for errata
http://www-cs-faculty.stanford.edu/~knuth/news08.html

from above:

Financial Fiasco

Leading banks and investment funds have been foundering, because of
bad debts and lack of trust; and other, less well-known kinds of
fiscal chaos are also on the horizon. For example, due to an unfixable
security flaw in the way funds are now transferred electronically,
worldwide, it is no longer safe to write personal checks.

... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: October 30, 2008
Blog: Payments & Cards Network

Modifying POS terminals and/or ATM machines ... to record the
information read by the terminal/machine reader dates back something
like two decades. This skimming ... using a valid machine's normal
reading process ... is then used to counterfeit magstripe cards.

The same technique was also used starting almost immediately with the
first introduction of payment chip cards back in the 90s (basically
identical technology that was already in place for recording magstripe
information). The recorded chip information was then used to create
counterfeit YES CARDS (dating back almost a decade).

Lots of past posts mentioning counterfeit YES CARDS
http://www.garlic.com/~lynn/subintegrity.html#yescards

The YES CARD exploit scenario was already well understood when we
started on the x9.59 financial standard protocol in the mid-90s.

There was a presentation at an industry conference a couple years ago
about YES CARDS being found in various markets. One of the members
in the audience made a point of saying to the whole room ... that
"they" have managed to spend billions of dollars to prove that chips
are less secure than magstripe.

We had been brought in to consult with a small client/server startup
that wanted to do payment transactions on their servers and they had
this technology they had invented called SSL they wanted to use. Part
of that deployment was something called payment gateway ... misc. past
posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

and is now frequently referred to as electronic commerce.

Part of calling us in ... was that two people responsible for the
small client/server startup's "commerce server" project ... we had
previously worked with earlier on high availability, high integrity,
scalable database ... when they had been at a large database vendor
... minor old post mentioning a meeting in early 92, that included the
two people
http://www.garlic.com/~lynn/95.html#13

Then in the mid-90s, we were asked to participate in x9a10 financial
standard working group which had been given the requirement
to preserve the integrity of the financial infrastructure
for ALL retail payments. This is ALL retail, as
in ALL credit, debit, stored-value, check, ACH, etc; as
in ALL POS, internet, unattended, face-to-face, mobile,
transit, contract, contactless, etc; and as in ALL low-value,
medium-value, high-value, etc.

Part of this involved detailed, end-to-end threat and vulnerability
studies of the environments ... which eventually resulted in the x9.59
financial transaction standard
http://www.garlic.com/~lynn/x959.html#x959

part of the x9.59 financial standard involved slightly tweaking the
paradigm and eliminating the threats from eavesdropping, skimming, data
breach, etc. x9.59 did nothing to eliminate eavesdropping, skimming,
and/or data breaches .... but x9.59 tweaked the paradigm so that any
information was useless for performing fraudulent transactions.

Note that the major use of SSL in the world today is for this thing we
had earlier worked on, now frequently called electronic commerce
... as part of hiding the information. In effect, x9.59 results in
eliminating the primary use of SSL in the world today ... since with
x9.59 financial transactions, it is no longer necessary to hide the
information (as countermeasure to preventing fraudulent financial
transactions).

Other things related to X9.59 being able to meet ALL of
the ALL requirements .... we did a framework we called
parameterised risk management that would allow x9.59 to
operate as a consistent protocol across a broad range of values and
security requirements.

other recently archived posts in some of the other fraud & smartcard
groups
http://www.garlic.com/~lynn/2008p.html#18
http://www.garlic.com/~lynn/2008p.html#19

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Your views on the increase in phishing crimes such as the recent problem French president Sarkozy faces

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Your views on the increase in phishing crimes such as the recent problem French president Sarkozy faces.
Date: October 31, 2008
Blog: Information Security

Here is a recent article from Kansas City FED:

Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.kansascityfed.org/Publicat/ECONREV/PDF/3q08Sullivan.pdf

above references x9.59 financial standard protocol, also referenced
here
http://www.garlic.com/~lynn/x959.html#x959

some of the issues discussed in this answer:
http://www.linkedin.com/answers/government-non-profit/government-policy/GOV_GPO/349163-2125315
also archived here:
http://www.garlic.com/~lynn/2008p.html#7 Dealing with the neew MA ID protection law

This is decade old post mentioning AADS chip strawman:
http://www.garlic.com/~lynn/aadsm2.htm#straw

although AADS chip work had started quite a bit earlier. AADS related
discussions
http://www.garlic.com/~lynn/x959.html#aads

and patent references
http://www.garlic.com/~lynn/aadssummary.html

part of recent discussions related to the article in fraud, payment
and smartcard groups archived here:
http://www.garlic.com/~lynn/2008p.html#11
http://www.garlic.com/~lynn/2008p.html#14
http://www.garlic.com/~lynn/2008p.html#15
http://www.garlic.com/~lynn/2008p.html#18
http://www.garlic.com/~lynn/2008p.html#19

and another recent reference (account fraud for Donald related to
checks that he wrote for errata):

Donald Knuth stops paying for errata
http://www-cs-faculty.stanford.edu/~knuth/news08.html

from above:

Financial Fiasco

Leading banks and investment funds have been foundering, because of
bad debts and lack of trust; and other, less well-known kinds of
fiscal chaos are also on the horizon. For example, due to an unfixable
security flaw in the way funds are now transferred electronically,
worldwide, it is no longer safe to write personal checks.

... snip ...

We had been brought in to consult with a small client/server company
that wanted to do payment transactions on their servers and they had
this technology they had invented called SSL they wanted to use. Part
of that deployment was something called payment gateway ... misc. past
posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

and is now frequently referred to as electronic commerce.

Then in the mid-90s, we were asked to participate in x9a10 financial
standard working group which had been given the requirement to
preserve the integrity of the financial infrastructure for ALL
retail payments. This is ALL retail, as in ALL credit, debit,
stored-value, check, ACH, etc; as in ALL POS, internet, unattended,
face-to-face, mobile, transit, contract, contactless, etc; and as in
ALL low-value, medium-value, high-value, etc.

Part of this involved detailed, end-to-end threat and vulnerability
studies of the environments ... which eventually resulted in the x9.59
financial transaction standard
http://www.garlic.com/~lynn/x959.html#x959

part of the x9.59 financial standard involved slightly tweaking the
paradigm and eliminating the threats from eavesdropping, skimming, data
breach, phishing, etc. x9.59 did nothing to eliminate eavesdropping,
skimming, and/or data breaches .... but x9.59 tweaked the paradigm so
that any information was useless to crooks for performing fraudulent
transactions.

Note that the major use of SSL in the world today is for this thing we
had earlier worked on, now frequently called electronic commerce
... as part of hiding the information. In effect, x9.59 results in
eliminating the primary use of SSL in the world today ... since with
x9.59 financial transactions, it is no longer necessary to hide the
information (as countermeasure to preventing fraudulent financial
transactions).

Part of addressing ALL was the use for x9.59 for ALL retail
transactions ... but also using the same mechanism/token for other
authentication purposes. Two of the most widely used authentication
mechanisms in the world today are Kerberos and RADIUS.

Kerberos was originally done by Project Athena which was funded
equally by two corporate entities for $25m each. Being at one of the
entities at the time, we periodically did reviews of Project
Athena. One such visit was getting to sit thru several days of
Kerberos sessions as cross-domain Kerberos was being worked out. Not
long ago, sat through a detailed presentation on large cross-domain
SAML deployment ... and noticed that all the SAML messages & message
flows appeared to actually be Kerberos ... with the bits
reformatted. Lots of past posts mentioning Kerberos & AADS Kerberos:
http://www.garlic.com/~lynn/subpubkey.html#kerberos

I originally worked with RADIUS from the original vendor, setting up
some of their router boxes. This was before AT&T bought them and
RADIUS was donated to IETF for internet standard. Lots of past post
mentioning RADIUS & AADS RADIUS
http://www.garlic.com/~lynn/subpubkey.html#radius

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Why not build a shared services infrastructure to support the banking sector?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Why not build a shared services infrastructure to support the banking sector?
Date: October 31, 2008
Blog: Derivatives Markets

We did some consulting to the person originally setting up FSTC. In
the early to mid 90s, there was a push for gov. technology re-use
(commercializing gov. technology) and provisions were made for setting
up collaborative industry organizations & relaxing anti-trust laws.

FSTC basically looks at various kinds of shared technology projects in
the financial sector
http://www.fstc.org/

But there are still several issues with regard to anti-trust
laws. Also, there are project areas that financial institutions deem
to be "competitive" advantages ... which they still do solo.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

How do group members think the US payments business will evolve over the next 3 years?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: How do group members think the US payments business will evolve over the next 3 years?
Date: October 31, 2008
Blog: Payments Leadership Network

In the U.S., Visa Banks on Debit As Credit Growth Goes Negativ
http://www.digitaltransactions.net/newsstory.cfm?newsid=1966

A couple weeks ago there was discussion in the linkedin "Credit Card
Professionals" group about whether "signature" or "pin" debit was
superior.

Periodically, there is a couple hundred page publication that compares
detailed sliced&diced numbers for avg. of leading regional financial
institutions against leading national financial institutions.

A couple years ago it showed regional institution avg with higher
profit margin (than national institution avg). There was no analysis
done on all the detailed sliced & diced numbers ... but after
examination ... it turns out that regional institutions had a
measurable higher percentage of "electronic" transactions vis-a-vis
paper/manual transactions (compared to national institutions). The
"electronic" transactions' fully loaded cost was 1/5th or less that of
paper/manual .... which was the only statistically significant
correlation accounting for regional vis-a-vis national difference. The
fully loaded processing cost per type of transaction was essentially
the same for regional & national institutions .... it was the
percentage mix between electronic vis-a-vis paper/manual that made the
difference.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

What is the biggest IT myth of all time?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: What is the biggest IT myth of all time?
Date: October 31, 2008
Blog: Enterprise Architecture Network

In the 90s, financial institutions spent billions on projects using
massive parallel killer micros and object oriented software technology
... in attempt to address straight through processing as part of
eliminating overnight batch window bottleneck.

Part of the issue was financial institutions had started with batch
mainframe operations ... but in the 70s & 80s had partially gone to
online operations ... at least for initial parts of the
operation. However, the operations continued to be completed in batch
operations that ran overnight. With a combination of increasing
workload and globalization ... the length of the overnight batch
window was shrinking at the same time the amount of work (that needed
to be done) was increasing.

The holy grail was leveraging object oriented software for parallel
operation on large numbers of "small" processors as part of
implementing straight through processing (and eliminating the
overnight batch window).

Several toy demos were achieved but there was an astounding lack of
investigation into actual speeds & feeds. It turned out that the
object oriented parallelizing technologies had 100 times overhead
increase (compared to the mainframe batch implementations) ... which
totally swamped any anticipated throughput increase by the use of
large numbers of (parallel) killer micros.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Father Of Financial Dataprocessing

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Father Of Financial Dataprocessing
Date: November 1, 2008
Blog: Payment Systems Network

The end of May, there was a gathering to celebrate Jim Gray. Part of
that celebration involved acknowledging Jim Gray as father of
financial dataprocessing (including enabling electronic payment
transactions). Jim's formalizing of transaction semantics provided the
basis that was crucial in allowing financial auditors to move from
requiring paper ledgers to trusting computer operations.

I worked with Jim in the 70s; when he left for Tandem, he attempted to
palm off his responsibilities on me ... and I started getting his
calls from financial institutions. a couple recent posts on the
subject:
http://www.garlic.com/~lynn/2008i.html#50 Microsoft versus Digital Equipment Corporation
http://www.garlic.com/~lynn/2008l.html#88 Book: "Everyone Else Must Fail"
http://www.garlic.com/~lynn/2008p.html#6 SECURITY and BUSINESS CONTINUITY

Tribute press release:
http://www.eecs.berkeley.edu/IPRO/JimGrayTribute/pressrelease.html

podcast of the tribute:
http://webcast.berkeley.edu/event_details.php?webcastid=23082
http://webcast.berkeley.edu/event_details.php?webcastid=23083
http://webcast.berkeley.edu/event_details.php?webcastid=23087
http://webcast.berkeley.edu/event_details.php?webcastid=23088

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: November 1, 2008
Blog: Payment and Fraud Professionals

re:
http://www.garlic.com/~lynn/2008p.html#11 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#14 Can Smart Cards Reduce Payments Fraud and Identity Theft?

EU FINREAD standard emerged in the late 90s as countermeasure to
rapidly spreading virus, trojans, and keyloggers. Part of the issue
was a lot of PC networking had evolved on small private networks
... and later adapted to the internet. The issue was that
countermeasures to the hostile anarchy of the internet had never
evolved in the local private, safe, networking environments.

As an aside, analogous exploits for POS terminals (keylogging,
skimming, etc) had emerged well before widespread appearance of PCs on
the internet.

EU FINREAD terminals fell victim to the rapidly spreading opinion that
smartcards weren't practical in the consumer market ... ephemeral
institutional knowledge regarding all the serial port consumer support
problems ... which appeared to evaporate in the few years between
dialup home banking transition to the internet and the disastrous
serial port smartcard terminal giveaway.

We weren't members of NACHA ... but we got somebody from NSCC to
submit our proposal ... over the years we had worked with large number
of parties in and around Manhattan ... slightly related recent post:
http://www.garlic.com/~lynn/2008p.html#27 Father Of Financial Dataprocessing

copy of the NACHA submission:
http://www.garlic.com/~lynn/nacharfi.htm

The pilot was eventually declared a rousing success ... reference
http://internetcouncil.nacha.org/News/news.html
and document here:
http://internetcouncil.nacha.org/docs/ISAP_Pilot/ISAPresultsDocument-Final-2.PDF

however, despite its rousing success, the pilot also fell victim to
the rapidly spreading view that smartcards weren't practical in the
consumer market place (as an outcome of the disastrous serial port
smartcard reader give-away).

Further severely tarnishing the extremely jaundiced view of smartcards
was that the YES CARD fiasco ("managed to spend billions of dollars
to prove that chips are less secure than magstripe") happened in the
same time frame .... various past YES CARD discussions
http://www.garlic.com/~lynn/subintegrity.html#yescard
and web page referencing presentation at Cartes 2002
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html
from above:

It was stated that cloning an EMV card is a relatively simple task,
with all the necessary information and equipment available on the
Internet.

... snip ...

In that time frame there had also been a rather large deployment of
such payment cards in NE US ... that appeared to quickly vanish
without a trace (given the increasing bad reputation of smartcards).

for a little topic drift ... a variation on the YES CARD hack
... but from the early 70s ... rather than accepting all entered PINs
as valid ... it would accept all entered passwords as valid ... recent
post in linkedin thread "Invitation to Join Mainframe Security Guru
Group"
http://www.garlic.com/~lynn/2008o.html#67

Note ... in the YES CARD hack ... it wasn't just the PIN
... the counterfeit card would always answer YES to three questions:
1) correct pin?, 2) offline transaction?, 3) transaction within credit
limit?.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

How were you using the internet 10 years ago and how does that differ from how you use it today?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: How were you using the internet 10 years ago and how does that differ from how you use it today?
Date: November 1, 2008
Blog: Web Development

email and posting on usenet .... usenet postings from 1998:
http://www.garlic.com/~lynn/98.html

Earlier in the 90s, we had been called in to consult with a small
client/server startup that wanted to do payment transactions on their
server and had this technology they had invented called SSL, that they
wanted to use. Part of that work was deployment of something called
payment gateway ... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

and the result is frequently now referred to as electronic commerce.

I was doing email on the internal network dating back to the early 70s
and in the late 70s and early 80s got blamed for computer conferencing
on the internal network ... the internal network was larger than the
arpanet/internet from just about the beginning until possibly summer
of '85

Index of misc. old email ... even one back to 1973
http://www.garlic.com/~lynn/lhwemail.html

the operational precursor to modern internet was the NSFNET backbone
... recent reference
http://www.garlic.com/~lynn/2008p.html#12

Once in the early 70s, I was helping with computer installation in
Paris as part of EMEA hdqtrs moving from NY to Paris ... and having a
devil of a time accessing my email back in the states.

about 4yrs ago i started using browser tab features to compensate for
latency ... i.e. pages fetched in the background while viewing other
tabs. i have a process that regularly fetches 200-300 web pages in
background tabs.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technolgies?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technolgies?
Date: November 2, 2008
Blog: Banking and Finance Technologies

In the 90s, financial institutions spent billions on new technologies
in attempt to eliminate the overnight batch window. Financial
dataprocessing had been implemented as batch processes. Then in the
70s & 80s some of the operations had been partially moved to "online"
(or realtime) ... however, the completion of the operations were still
done in the overnight batch window.

In the 90s, with more global operations (reducing the size of the
overnight batch window) and increased business (attempting to
squeeze more work through in smaller elapsed time), there were large
efforts to leverage object oriented technologies and large number of
"killer micros" to implement straight through processing (as a way
of eliminating the overnight batch window bottleneck).

There were some number of toy demos completed, but a surprising lack
of early work on speeds and feeds. It turned out using the object
oriented technologies and massive parallelism (of a large number of
"killer micros") had a factor of 100 times increase in overhead
(compared to the efficiency of the batch implementations), completely
swamping any possible anticipated throughput increases.

semi-related post archived here:
http://www.garlic.com/~lynn/2008p.html#27 Father Of Financial Dataprocessing

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

FC5 Special Workshop CFP: Emerging trends in Online Banking and Electronic Payments

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: FC5 Special Workshop CFP: Emerging trends in Online Banking and Electronic Payments
Date: November 2, 2008
Blog: Banking and Finance Technologies

related comment in "Can Smart Cards Reduce Payments Fraud and Identity
Theft?" thread in "Payment and Fraud Professionals" group discussing
some possible factors related to current market inhibitors

EU FINREAD standard emerged in the late 90s as countermeasure to
rapidly spreading virus, trojans, and keyloggers. Part of the issue
was a lot of PC networking had evolved on small private networks
... and later adapted to the internet. The issue was that
countermeasures to the hostile anarchy of the internet had never
evolved in the local private, safe, networking environments.

As an aside, analogous exploits for POS terminals (keylogging,
skimming, etc) had emerged well before widespread appearance of PCs on
the internet.

EU FINREAD terminals fell victim to the rapidly spreading opinion that
smartcards weren't practical in the consumer market ... ephemeral
institutional knowledge regarding all the serial port consumer support
problems ... which appeared to evaporate in the few years between
dialup home banking transition to the internet and the disastrous
serial port smartcard terminal giveaway.

We weren't members of NACHA ... but we got somebody from NSCC to
submit our proposal ... over the years we had worked with a large number
of parties in and around Manhattan ... slightly related recent post:
http://www.garlic.com/~lynn/2008p.html#27 Father Of Financial Dataprocessing

copy of the NACHA submission:
http://www.garlic.com/~lynn/nacharfi.htm

The pilot was eventually declared a rousing success ... reference
http://internetcouncil.nacha.org/News/news.html
and documents here:
http://internetcouncil.nacha.org/docs/ISAP_Pilot/ISAPresultsDocument-Final-2.PDF

however, despite its rousing success, the pilot also fell victim to
the rapidly spreading view that smartcards weren't practical in the
consumer market place (as an outcome of the disastrous serial port
smartcard reader give-away).

Further severely tarnishing the already extremely jaundiced view of smartcards
was that the YES CARD fiasco ("managed to spend billions of dollars
to prove that chips are less secure than magstripe") happened in the
same time frame .... various past YES CARD discussions
http://www.garlic.com/~lynn/subintegrity.html#yescard
and web page referencing presentation at Cartes 2002
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html
from above:

It was stated that cloning an EMV card is a relatively simple task,
with all the necessary information and equipment available on the
Internet.

... snip ...

In that time frame there had also been a rather large deployment of
such payment cards in NE US ... that appeared to quickly vanish
without a trace (given the increasing bad reputation of smartcards).

for a little topic drift ... a variation on the YES CARD hack
... but from the early 70s ... rather than accepting all entered PINs
as valid ... it would accept all entered passwords as valid ... recent
post in linkedin thread "Invitation to Join Mainframe Security Guru
Group"
http://www.garlic.com/~lynn/2008o.html#67

Note ... in the YES CARD hack ... it wasn't just the PIN
... the counterfeit card would always answer YES to three questions:
1) correct pin?, 2) offline transaction?, 3) transaction within credit
limit?.

other parts of discussions, archived here:
http://www.garlic.com/~lynn/2008p.html#11 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#14 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#15 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#18 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#19 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#22 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#28 Can Smart Cards Reduce Payments Fraud and Identity Theft?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: November 2, 2008
Blog: Smart Cards

Base, X9.59 financial standard protocol slightly tweaked the paradigm so
the (replay attack, crooks using information for performing fraudulent
transactions) threats from all the skimming, eavesdropping, phishing,
data breaches, etc were eliminated ... it didn't eliminate skimming,
eavesdropping, phishing, data breaches, etc ... it just eliminated the
majority of the current fraud where crooks used the information to
perform financial transactions.

That leaves open, the "active" attacks by compromised environment
where there is transaction modification (is what you think you are
approving, actually what you are approving). Currently these exploits
are several orders of magnitude smaller than the replay attack
kind of fraud.

In the mid-90s, the X9A10 financial standard working group had been
given the requirement to preserve the integrity of the financial
infrastructure for ALL retail payments.

As mentioned, there were detailed, end-to-end threat and vulnerability
studies of the different environments.

Part of X9.59 financial standard allows for authentication of the
environment (where the transaction is performed) to be included along
with the entity authentication (this is optional within the
parameterised risk management framework developed for addressing
ALL).

The EU FINREAD reader standard recognized that PC compromises
(viruses, trojans, keyloggers, etc) could include "active" attacks
... in addition to "eavesdropping" kinds of attacks. The EU FINREAD was
a tamper resistant, independent reader, with its own LED display and
pinpad. The LED display provides for a trusted, independent display
for things like the value of the transaction being authenticated/approved
.... as well as an independent, trusted PINPAD for (two-factor)
something you know authentication (in addition to the card
something you have authentication). As mentioned, the EU FINREAD
standard came out of the late 90s, in response to the rapid increase
in the various kinds of PC compromises. misc. past posts mentioning EU
FINREAD:
http://www.garlic.com/~lynn/subintegrity.html#finread

The X9.59 financial standard protocol already had provisions for
including environment authentication as part of the transaction. This
allowed for the relying party (i.e. customer financial institution) to
know whether the operation was being performed with an authentic EU
FINREAD reader.

I've mentioned before, once an X9.59 transaction has been "armored"
then it is no longer necessary to hide it. A side-effect, this
eliminates the requirement for SSL to hide the transaction when it is
moving through the internet. It also means that once a transaction has
been created by an EU FINREAD ... then there is little or no
difference between the intermediary PC and any other intermediary
device that an X9.59 transaction might pass through (as it moves
through the internet).

earlier X9.59 proposal (predating EU FINREAD) suggested trusted PDA or
trusted cellphone with embedded chip/circuit along with wireless
communication ... that would also provide trusted display & trusted
key entry .... as countermeasure to both PC & POS compromises.

other parts of discussions, archived here:
http://www.garlic.com/~lynn/2008p.html#11 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#14 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#15 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#18 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#19 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#22 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#28 Can Smart Cards Reduce Payments Fraud and Identity Theft?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
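The two designs contrasted in the posts above (the YES CARD counterfeit that answers YES to "correct PIN?", "offline transaction?", "within credit limit?", and the X9.59 "armored" transaction that the relying party verifies, including the environment it was created in) can be seen side by side in the following added example. It is not code from the original posts or from the X9.59/FINREAD standards. Assumptions made for illustration: HMAC-SHA256 with a per-card key shared with the issuer stands in for the standard's digital signature; the `env` value is a field the card signs rather than a separately authenticated reader credential; the per-environment limits in `ENV_LIMITS`, the account numbers and the key are constructed.

```python
import hashlib
import hmac
import json

# ---- Part 1: the YES CARD problem ---------------------------------------
# An offline terminal asks the chip three questions and trusts the answers,
# so a counterfeit that always says YES is approved without the issuer ever
# seeing the transaction.


class GenuineCard:
    def __init__(self, pin, offline_limit):
        self._pin = pin
        self._offline_limit = offline_limit
        self._offline_spent = 0

    def pin_ok(self, pin):
        return hmac.compare_digest(pin, self._pin)

    def offline_ok(self):
        return True

    def within_limit(self, amount):
        return self._offline_spent + amount <= self._offline_limit

    def record(self, amount):
        self._offline_spent += amount


class YesCard:
    """Counterfeit chip: answers YES regardless of PIN, mode or amount."""

    def pin_ok(self, pin):
        return True

    def offline_ok(self):
        return True

    def within_limit(self, amount):
        return True

    def record(self, amount):
        pass


def offline_terminal(card, pin, amount):
    """Flawed terminal logic: approval rests entirely on the card's answers."""
    if card.pin_ok(pin) and card.offline_ok() and card.within_limit(amount):
        card.record(amount)
        return True
    return False


# ---- Part 2: X9.59-style armored transaction ----------------------------
# The card/reader authenticates the transaction fields; the issuer (relying
# party) verifies them online. HMAC-SHA256 with a per-card key is a stand-in
# for the standard's digital signature (assumption, not the real X9.59 format).


def _canonical(fields):
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def armor(card_key, account, counter, amount, merchant, environment):
    """Card side: bind account, counter, amount, merchant and environment."""
    fields = {"account": account, "ctr": counter, "amount": amount,
              "merchant": merchant, "env": environment}
    fields["auth"] = hmac.new(card_key, _canonical(fields), hashlib.sha256).hexdigest()
    return fields


class Issuer:
    # Hypothetical risk parameters: a transaction created on a trusted
    # display/pinpad ("finread") is allowed more than one from a bare PC.
    ENV_LIMITS = {"finread": 5000, "pc": 500}

    def __init__(self):
        self._keys, self._last_ctr = {}, {}

    def enroll(self, account, card_key):
        self._keys[account] = card_key
        self._last_ctr[account] = 0

    def authorize(self, txn):
        """Return (approved, reason): authenticate, then replay, then risk."""
        key = self._keys.get(txn.get("account"))
        if key is None:
            return False, "unknown account"
        fields = {k: v for k, v in txn.items() if k != "auth"}
        expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, txn.get("auth", "")):
            return False, "authentication failed"      # forged or modified in transit
        if txn["ctr"] <= self._last_ctr[txn["account"]]:
            return False, "replay"                      # skimmed copy resent
        if txn["amount"] > self.ENV_LIMITS.get(txn["env"], 0):
            return False, f"over limit for env {txn['env']}"
        self._last_ctr[txn["account"]] = txn["ctr"]
        return True, "approved"


def demo():
    r = {}
    r["yescard_offline"] = offline_terminal(YesCard(), "0000", 10_000)
    r["genuine_wrong_pin"] = offline_terminal(GenuineCard("1234", 200), "0000", 50)
    issuer = Issuer()
    key = b"per-card key shared with issuer (constructed)"
    issuer.enroll("4000-0001", key)
    txn = armor(key, "4000-0001", 1, 120, "shop-17", "finread")
    r["first"] = issuer.authorize(txn)
    r["replay"] = issuer.authorize(txn)                 # same record seen again
    tampered = dict(armor(key, "4000-0001", 2, 120, "shop-17", "finread"), amount=9000)
    r["tampered"] = issuer.authorize(tampered)          # PC malware changed amount
    r["forged"] = issuer.authorize(armor(b"wrong key", "4000-0001", 3, 10, "shop-17", "pc"))
    r["pc_over_env_limit"] = issuer.authorize(armor(key, "4000-0001", 3, 900, "shop-17", "pc"))
    r["pc_ok"] = issuer.authorize(armor(key, "4000-0001", 4, 90, "shop-17", "pc"))
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes: the armored record carries nothing an eavesdropper can reuse, because the counter is checked by the issuer and any change to the amount breaks the authentication, so it can cross an untrusted PC and the open internet without being hidden; what remains is the "active" attack on the display, which is why the signed `env` field (and, in a real deployment, a reader that authenticates itself) lets the issuer apply different risk limits.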

Making tea

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Making tea
Newsgroups: alt.folklore.computers
Date: Sun, 02 Nov 2008 23:36:32 -0500

Morten Reistad <first@last.name> writes:

I would dearly like to know why the "DEC dwarves" like Prime,
DG, Wang etc folded too. They needed DEC like the other
seven dwarves needed IBM; but they all went away a lot faster
than DEC.

hardware development and software development didn't get any cheaper, in
fact, it increased. at the same time, PC volumes allowed per unit
commoditization. by 486 ... processors & software were becoming
equivalent of at least minis ... but per unit prices were small
percent of minis and mainframes .... w/o the unit volumes there was no
way to compete. personal computing was commoditizing computing.

i've periodically posted about the large growth in vax & 43xx
(mid-range) volumes starting in 79 but by 85 ... mid-range/minis market
was being taken over by workstations and large PCs.

old posts with vax numbers sliced & diced by yr, model, us/non-us
http://www.garlic.com/~lynn/2002f.html#0 Computers in Science Fiction

DG attempted to leverage pc hardware with SCI interconnect scaleup.
Sequent, DG, Convex, SGI built NUMA machines with SCI .... sequent and
DG using 486 processors, Convex using HP risc processors, SGI with
MIPS. Sequent already had a multiprocessor unix (dynix) that they
extended to NUMA.  Convex adopted MACH extending for NUMA.

In the late 80s, people at a number of labs basically worked on
standardizing various kinds of computer interconnect ... accelerating
COTS and commoditizing. LANL worked on standardizing cray channel as
HiPPI, LLNL moving a copper serial technology to fiber and standardization
as FCS, and SLAC doing SCI (in that period we had some participation in
all three activities).

related thread last spring
http://www.garlic.com/~lynn/2008i.html#3 Microsoft versus Digital Equipment Corporation
http://www.garlic.com/~lynn/2008i.html#5 Microsoft versus Digital Equipment Corporation
http://www.garlic.com/~