List of Archived Posts

2008 Newsgroup Postings (10/05 - 10/24)

Blinkylights
illegal naked short selling
Credit Card Security
VMware Chief Says the OS Is History
Wachovia Bank web site
Houses
Houses
Credit Card Security
The end of the baby boomers, US bonds maturing, and then what?
Homebanking authentication methods: what's being used by your bank?
Does anyone read the Greater IBM Connection Blog?
Browser Security UI: the horns of the dilemma
The human plague
What risk of possible data leakage do you see for your organization?
Blinkylights
Financial Crisis - the result of uncontrolled Innovation?
Is Information Security driven by compliance??
what will be a wow feature in a credit card
Once the dust settles, do you think Milton Friedman's economic theories will be laid to rest
What's your view of current global financial / economical situation?
Is the Credit Cruch a boost for Virtualization?
Old XDS Sigma stuff
What risk of possible data leakage do you see for your organization?
Old XDS Sigma stuff
Nonviolent Activists Are Now Terrorists
What are the Black Swans for IT Security?
SOX (Sarbanes-Oxley Act), is this really followed and worthful considering current Financial Crisis?
Blinkylights
Does anyone get the idea that those responsible for containing this finanical crisis are doing too much?
Signposts on the US Government's Trail of IT Failures
Signposts on the US Government's Trail of IT Failures
The human plague
How much is 700 Billion Dollars??
Signposts on the US Government's Trail of IT Failures
The human plague
The human plague
VMware Chief Says the OS Is History
The human plague
The human plague
The human plague
Signposts on the US Government's Trail of IT Failures
The human plague
The human plague
The human plague
The human plague
The human plague
Anyone still have access to VMTOOLS and TEXTTOOLS?
Will cards with PayPass (from MasterCard) be using CHIP & PIN in the future?
The Univac 110x Architecture Still Lives
Discussions areas, private message silos, and how far we've come since 199x
Old XDS Sigma stuff
Why are some banks failing, and others aren't?
Why is sub-prime crisis of America called the sub-prime crisis?
Old XDS Sigma stuff
Discussions areas, private message silos, and how far we've come since 199x
Virtual
Virtual
Virtual
Everyone is getting same deal out of life: babyboomers can't retire but they get SS benefits intact
Virtual
Biometric Credit cards
Discussions areas, private message silos, and how far we've come since 199x
Would anyone like to draw a diagram of effects or similar for the current "credit crisis"?
Discussions areas, private message silos, and how far we've come since 199x
In your experience which is a superior debit card scheme - PIN based debit or signature debit?
Can the financial meltdown be used to motivate sustainable development in order to achieve sustainable growth and desired sustainability?
Open Source, Unbundling, and Future System
Invitation to Join Mainframe Security Guru Group
Blinkenlights
Blinkenlights
What happened in security over the last 10 years?
Why is sub-prime crisis of America called the sub-prime crisis?
Euro value
Addressing Scheme with 64 vs 63 bits
Would anyone like to draw a diagram of effects or similar for the current "credit crisis"?
In light of the recent financial crisis, did Sarbanes-Oxley fail to work?
Blinkenlights
PDP-1 Spacewar! program internals
Who murdered the financial system?
What emerging risks are exposed with a shift from paper to electronic retail payments?
Can we blame one person for the financial meltdown?
How security audits, vulnerability assessments and penetration tests differ?
Greenspan testimony and securization
Chip-and-pin card reader supply-chain subversion 'has netted millions from British shoppers'

Blinkylights

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Blinkylights
Newsgroups: alt.folklore.computers
Date: Sun, 05 Oct 2008 19:21:32 -0400
re:
http://www.garlic.com/~lynn/2008n.html#28 Blinkylights
http://www.garlic.com/~lynn/2008n.html#101 Blinkylights

oops, that first (illegal naked short selling) URL was supposed to be:

A Wikipedia Conspiracy and the Wall Street Meltdown
http://news.slashdot.org/news/08/10/05/201205.shtml

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

illegal naked short selling

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: illegal naked short selling
Newsgroups: alt.folklore.computers
Date: Sun, 05 Oct 2008 20:39:08 -0400
re:
http://www.garlic.com/~lynn/2008n.html#28 Blinkylights
http://www.garlic.com/~lynn/2008n.html#101 Blinkylights
http://www.garlic.com/~lynn/2008o.html#0 Blinkylights

posts from spring of 2007 mentioning reference to illegal naked short selling
http://www.garlic.com/~lynn/2007j.html#74 IBM Unionization
http://www.garlic.com/~lynn/2007j.html#75 IBM Unionization

after running across reference similar to one mentioned in this post
http://www.garlic.com/~lynn/2008k.html#4 dollar coins

CRAMER REVEALS A BIT TOO MUCH
http://nypost.com/2007/03/20/cramer-reveals-a-bit-too-much/

talking about illegal naked short selling.

other posts ...
http://www.garlic.com/~lynn/2008k.html#1 dollar coins
http://www.garlic.com/~lynn/2008k.html#9 dollar coins
http://www.garlic.com/~lynn/2008k.html#25 IBM's 2Q2008 Earnings
http://www.garlic.com/~lynn/2008k.html#31 SEC bans illegal activity then permits it
http://www.garlic.com/~lynn/2008k.html#44 SEC bans illegal activity then permits it
http://www.garlic.com/~lynn/2008n.html#23 Michigan industry
http://www.garlic.com/~lynn/2008n.html#25 Blinkylights
http://www.garlic.com/~lynn/2008n.html#31 Blinkylights

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Credit Card Security

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Credit Card Security
Date: October 5, 2008
Blog: Financial Security
re:
http://www.garlic.com/~lynn/2008n.html#90 Credit Card Security

and
http://www.linkedin.com/answers/finance-accounting/financial-regulation/FIN_FRG/333069-2064487

note that there was a rather large (POS) chipcard rollout in the earlier part of this decade/century in NE US .... but it turned out to be a yes card ... which may contribute to some of the skepticism/reluctance ... misc. past posts mentioning yes card
http://www.garlic.com/~lynn/subintegrity.html#yescard

about the same time there was a different, large chipcard deployment targeted for the online consumer pc (internet) market ... along with distribution of "free" serial-port card readers. there were enormous consumer installation problems with the serial-port reader (lots of BSOD and/or re-installs from scratch). The pervasiveness of the serial-port installation problems then contributed to effectively abandoning the effort and a rapidly growing opinion that chipcards weren't practical in the consumer PC market.

Some in-depth postmortem analysis indicated that the problems were with the serial-port installation ... as opposed specifically with the chipcard operation (but it was too late to undo the spreading impression about chipcards not being practical in the consumer market).

Part of this demonstrated the adage about fleeting institutional knowledge. In the 95/96 timeframe, there were several presentations that a major motivation for online banking moving from the dedicated dialup operations of the 80s to the internet in the mid-90s was the significant support costs associated with dedicated serial-port modem installations. one bank, at the time, claimed that they were having to support over 60 different drivers as well as handle significant customer support calls. With move to internet ... this was all offloaded to ISPs which could amortize the support across all a consumer's online activity (and growing motivation to include support as part of original PC).

oh, and about the time of the rapidly spreading impression that chipcards weren't practical in the consumer (home) pc market ... all the activity associated with the EU FINREAD effort seemed to evaporate.
http://www.garlic.com/~lynn/subintegrity.html#findread

And, as mentioned previously ... the x9a10 financial standard activity was required to support ALL retail payments in the x9.59 financial standard ... i.e. at least both POS and online/internet.
http://www.garlic.com/~lynn/x959.html#x959

past posts discussing serial-port (card reader) problem
http://www.garlic.com/~lynn/2002m.html#37 Convenient and secure eCommerce using POWF
http://www.garlic.com/~lynn/aadsm23.htm#43 Spring is here - that means Pressed Flowers
http://www.garlic.com/~lynn/aadsm23.htm#50 Status of SRP
http://www.garlic.com/~lynn/aadsm27.htm#34 The bank fraud blame game
http://www.garlic.com/~lynn/aadsm27.htm#58 On the downside of the MBA-equiped CSO
http://www.garlic.com/~lynn/2007n.html#60 Poll: oldest computer thing you still use
http://www.garlic.com/~lynn/2007n.html#65 Poll: oldest computer thing you still use
http://www.garlic.com/~lynn/2007n.html#66 Poll: oldest computer thing you still use
http://www.garlic.com/~lynn/2007n.html#75 Poll: oldest computer thing you still use
http://www.garlic.com/~lynn/2007n.html#78 Poll: oldest computer thing you still use
http://www.garlic.com/~lynn/2007u.html#11 Public Computers
http://www.garlic.com/~lynn/2008j.html#56 WoW security: now better than most banks

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

VMware Chief Says the OS Is History

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: VMware Chief Says the OS Is History
Newsgroups: alt.folklore.computers
Date: Mon, 06 Oct 2008 08:35:33 -0400
Steve O'Hara-Smith <steveo@eircom.net> writes:
These people impress me more


http://www.nanosolar.com/economic.htm

Roll to roll processing spraying photovoltaic ink onto metal foil.


re:
http://www.garlic.com/~lynn/2008n.html#76 VMware Chief Says the OS is History
http://www.garlic.com/~lynn/2008n.html#85 VMware Chief Says the OS is History

Flexible Silicon Solar Cells; Thin but efficient solar cells use one-tenth the silicon of conventional cells.
http://www.technologyreview.com/energy/21467/

from above:
Arrays of the cells have about a 12 percent efficiency. The Illinois researchers increased the arrays' power output by about two and half times by adding concentrators in the form of a layer of cylindrical microlenses. The best solar cells on the market convert more than 20 percent of the sunlight that falls on them into energy.
... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Wachovia Bank web site

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Wachovia Bank web site
Newsgroups: microsoft.public.security
Date: Mon, 06 Oct 2008 10:19:44 -0400
re:
http://www.garlic.com/~lynn/2008n.html#96 Wachovia Bank web site
http://www.garlic.com/~lynn/2008n.html#100 Wachovia Bank web site

recent article from this morning:

Browser Security UI: the horns of the dilemma
https://financialcryptography.com/mt/archives/001050.html

which references ("ISPs doing MITMs on their customers"):
http://blog.wired.com/27bstroke6/2008/04/isps-error-page.html

and example:
http://www.sslshopper.com/article-phishing-with-ev-ssl-certificates.htm

in all this description ... CAs are actually "certification authorities" ... i.e. they are certifying information. Frequently this has been twisted to "certificate authorities" ... because of the frequent focus on selling digital certificates (which is just a representation of the information that they are certifying).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Houses

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Houses
Newsgroups: alt.folklore.computers
Date: Mon, 06 Oct 2008 10:42:55 -0400
D.J. <jollycamper72@cableone.net> writes:
She and I grew up in a small town in Texas. Not many liberals there. Must have been the Klan influence. Women didn't get good paying jobs there. Maybe different influences in the other towns we lived in in several states, my dad was in the Army, but not many women had good paying jobs.

when we were doing HA/CMP product
http://www.garlic.com/~lynn/subtopic.html#hacmp

we had various contracts for marketing information. one was a female that did a lot of subcontract work for dataquest (& then gartner after they purchased dataquest). one of the things she was very good at was surveys ... including telephone technology surveys.

she characterized a lot of the south (including texas) as having large percentage of "good ole boys" ... the amount of information extracted increased significantly when she adopted a "cheerleader" persona.

somewhat, in return i got a cameo role in an expensive marketing survey hired by the executive heading up the boca PC division. The contract called for a several hr (video taped) roundtable of the top dozen experts in silicon valley discussing the future of the PC business.

I cleared participation with our direct executive report ... and dataquest agreed to garble my introduction at the start of the round table.

misc. past references:
http://www.garlic.com/~lynn/2002k.html#55 Moore law
http://www.garlic.com/~lynn/2005t.html#21 What ever happened to Tandem and NonStop OS ?
http://www.garlic.com/~lynn/2007g.html#81 IBM to the PCM market
http://www.garlic.com/~lynn/2007h.html#0 The Perfect Computer - 36 bits?
http://www.garlic.com/~lynn/2008d.html#60 more on (the new 40+ yr old) virtualization

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Houses

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Houses
Newsgroups: alt.folklore.computers
Date: Mon, 06 Oct 2008 14:25:32 -0400
Anne & Lynn Wheeler <lynn@garlic.com> writes:
when we were doing HA/CMP product
http://www.garlic.com/~lynn/subtopic.html#hacmp

we had various contracts for marketing information. one was a female that did a lot of subcontract work for dataquest (& then gartner after they purchased dataquest). one of the things she was very good at was surveys ... including telephone technology surveys.

she characterized a lot of the south (including texas) as having large percentage of "good ole boys" ... the amount of information extracted increased significantly when she adopted a "cheerleader" persona.


re:
http://www.garlic.com/~lynn/2008o.html#5 Houses

and for a real challenge ... we also had her do ha/cmp technology classes in tokyo.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Credit Card Security

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Credit Card Security
Date: October 6, 2008
Blog: Financial Security
re:
http://www.garlic.com/~lynn/2008n.html#90 Credit Card Security
http://www.garlic.com/~lynn/2008o.html#2 Credit Card Security

and some recent chipcard news ... somewhat along the lines of the yes card problems:

Oyster card hack details revealed
http://news.bbc.co.uk/1/hi/programmes/click_online/7655292.stm
Boffins (finally) publish hack for world's most popular smartcard
http://www.theregister.co.uk/2008/10/06/mifare_hack_finally_published

note that a lot of the EU chipcards grew out of the environment in the 80s when telecom was significantly more expensive than in the states. the EU chipcards weren't initially billed as a security issue ... but enabled doing offline transactions (usually referred to as "stored value" of one kind or another) and represented overall less expensive alternative to the high telco costs in europe.

in the early 90s, "magstripe" online "stored value" cards were introduced in the US ... since they were significantly less expensive than the EU alternative chipcards (a lot of these now show up as store brand cards and/or "gift" cards).

About the same time, EU also started to see a significant decline in telco costs (sometimes in conjunction with the proliferation of the internet) ... greatly changing the online/offline chipcard economic trade-off. A lot of the chipcard reaction was to try and increase the feature/function provided by chipcards (as part of justifying their expense). This also tended to further increase their costs ... as well as complexity (which tends to adversely impact integrity and security).

A possible alternative approach was to leverage online transactions and reduce the feature/function in the chipcard ... purely concentrating on addressing security (it is possible to aggressively reduce cost while increasing security via less complexity).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

The end of the baby boomers, US bonds maturing, and then what?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: The end of the baby boomers, US bonds maturing, and then what?
Date: October 6, 2008
Blog: Risk Management
supposedly it increases the number of retirees by something like a factor of four times ... and the following generation is only a little over half as large ... that increases the ratio of retirees to workers by a factor of something like eight times.

there are several professions that are claiming that cutting their numbers in half has all sorts of far reaching effects.

An obvious case is health and medical profession specializing in geriatrics (since the ratio of patients to workers is also likely to change by factor of eight times)

A year or so ago, there was program that the number of oil field development projects were only possibly 2/3rds the expected level (given the demand) ... the explanation was that such projects take 7-8 yrs and with expected retirements, there weren't going to be enough experienced personnel to complete more projects.

there are also claims that the following generation ... besides being only half as large, also has a lower avg education level (which seems to have been in downward slope for 30 some yrs) ... which implies that they will be much less competitive in a global economy.

some number of critical infrastructures were developed, built and supported by baby boomers. the retirement of those baby boomers is periodically listed as one of the top risks faced by those critical infrastructures.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Homebanking authentication methods: what's being used by your bank?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Homebanking authentication methods: what's being used by your bank?
Date: October 7, 2008
Blog: Information Security
there are two parts ... the bank authenticating you and you authenticating the bank.

SSL has somewhat been seen as bank authentication ... but because of various deployment issues going back to the start, there are lots of shortcomings.

Browser Security UI: the horns of the dilemma
https://financialcryptography.com/mt/archives/001050.html

dynamic pages aren't really a countermeasure (for bank impersonation) since it is actually easier for an attacker to mount a MITM-attack than creating a bogus website with static pages (simple approach is to take some form of proxy code and slightly modify it for purpose of MITM-attacks) ... part of old thread discussing such MITM attacks
http://www.garlic.com/~lynn/aadsm26.htm#28 man in the middle, SSL

There have been all sorts of attempts to improve on client/customer authentication. Part of the problem is that "static" data is extremely subject to phishing (and MITM) attacks. Back in the 60s when i first started using passwords ... I only had a very few. Kindergarten 101 security requires a unique password for every unique security domain (as countermeasure against cross-domain attacks) ... but the proliferation in the number of such environments means that everybody has large scores or hundreds of "something you know" pin/password authentication (creating a huge security human factors problem with being able to keep them all straight).

An attempt was made to deploy hardware tokens/chipcards in the earlier part of this decade/century for the consumer home PC market. The problem was that part of the program also involved distributing serial-port card readers ... which resulted in enormous customer installation and support problems ("BSOD", reinstalls of system/machines from scratch, large number of customer calls). The magnitude of the problems basically resulted in abandoning the effort and a rapidly spreading opinion that chipcards weren't practical in the customer market segment.

In depth, after action studies attributed the problems to serial-port installations but was too late to head off the rapidly spreading view that chipcards weren't practical in the consumer market. It also seems to contribute to EU FINREAD effort appearing to evaporate ... even though many of the FINREAD readers weren't serial-port ... misc. past posts mentioning EU FINREAD activity
http://www.garlic.com/~lynn/subintegrity.html#finread

This is an example of fleeting institutional knowledge. There were several presentations in the 95/96 timeframe about big factor in the move from the dial-up home banking programs from the 80s to the internet (even tho it was generally viewed as less secure). This issue was huge consumer support problems again with serial-port ... in this case for modems. Some institutions claimed that they had well over 60 different software drivers supporting in-house dial-in operations ... and also had huge consumer support issues with configuration problems. Migration to internet and online service providers ... eliminated all those costs for the individual institutions (being able to amortize across the whole consumer online experience and helping motivate support being incorporated as part of standard products)

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Does anyone read the Greater IBM Connection Blog?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Does anyone read the Greater IBM Connection Blog?
Date: October 7, 2008
Blog: Greater IBM
In the late 70s and early 80s ... i got blamed for online computer conferencing on the internal network ... misc. past posts mentioning the internal network
http://www.garlic.com/~lynn/subnetwork.html#internalnet

which was larger than the arpanet/internet from just about the beginning until possibly summer of '85.

recent post to ibm-main (originated on bitnet ... unv. network from the 80s ... using similar technology to that used for the internal network)
http://www.garlic.com/~lynn/2008m.html#35 IBM THINK original equipment sign

above reference has picture of desk ornament commemorating 1000th node on the internal network (from 1983).

other archived stuff from greater ibm:
http://www.garlic.com/~lynn/2008j.html#74 Are we approaching a "tipping point" with regard to business travel?
http://www.garlic.com/~lynn/2008k.html#59 Happy 20th Birthday, AS/400
http://www.garlic.com/~lynn/2008m.html#88 Sustainable Web
http://www.garlic.com/~lynn/2008n.html#50 The Digital Dark Age or.....Will Google live for ever?
http://www.garlic.com/~lynn/2008n.html#60 Costing for IT Services

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Browser Security UI: the horns of the dilemma

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Browser Security UI: the horns of the dilemma
Date: October 8, 2008 10:29 AM
Blog: Financial Cryptography
re:
https://financialcryptography.com/mt/archives/001050.html

My oft repeated comments were that we had signoff on the webserver to payment gateway ... but we couldn't dictate the webserver to browser .... and almost immediately, merchants found that SSL cut webserver thruput 85-95% and so they dropped back to just using SSL with a payment/checkout button.

so the latest in this

Google's Obfuscated TCP
http://it.slashdot.org/it/08/10/08/0025258.shtml
Obfuscated TCP
http://code.google.com/p/obstcp/

However, SSL was to address two issues

1) validating that the website you think you are talking to, is the website you are talking to

2) hide information

The big problem with conditioning endusers to clicking on buttons from unvalidated sources ... is the validating part is broken.

SSL required the end user understand the relationship between the webserver they thought they were talking to and the corresponding URL ... and then the browser SSL code provided the assurance between the URL and webserver they were talking to. With the checkout/pay paradigm button clicking (provided from a non-SSL validated source), the paradigm degenerated to the webserver is whatever webserver that it claimed to be (since an unvalidated source was providing the URL, not the enduser from validated source).

recent related threads:
http://www.garlic.com/~lynn/2008n.html#96 Wachovia Bank web site
http://www.garlic.com/~lynn/2008n.html#100 Wachovia Bank web site
http://www.garlic.com/~lynn/2008o.html#4 Wachovia Bank web site
http://www.garlic.com/~lynn/2008o.html#9 Homebanking authentication methods

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
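
Added example (not part of the original post): the point above about a pay/checkout button served from a non-SSL page can be checked mechanically. This Python sketch lists every https target whose URL was supplied by a page that was itself delivered without TLS; the sample page, the host names and the `audit_page` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that hand the browser a URL the user never typed or checked.
URL_ATTRS = {("a", "href"), ("form", "action"), ("iframe", "src")}

# Constructed sample: a cart page with a pay button and a sign-in link.
SAMPLE_PAGE = """
<a href="/about">About</a>
<form action="https://pay.example.net/checkout" method="post">
  <button>Pay now</button>
</form>
<a href="https://shop.example.com/login">Sign in</a>
"""


class TargetCollector(HTMLParser):
    """Collect (tag, url) pairs for every navigation or submit target."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in URL_ATTRS and value:
                self.targets.append((tag, value))


def audit_page(page_url, html):
    """Return https targets whose URL came from an unauthenticated page.

    TLS assures that the server matches the URL in use. It says nothing
    about who chose that URL, so an https:// target delivered over plain
    http:// is only as trustworthy as the page that carried it.
    """
    page = urlsplit(page_url)
    collector = TargetCollector()
    collector.feed(html)
    findings = []
    for tag, raw in collector.targets:
        target = urlsplit(urljoin(page_url, raw))
        if target.scheme != "https" or page.scheme == "https":
            continue
        findings.append({
            "tag": tag,
            "target": target.geturl(),
            "issue": "https target supplied by unauthenticated page",
            # A different host is something the user has no way to relate
            # back to the site they believed they were visiting.
            "cross_host": target.hostname != page.hostname,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_page("http://shop.example.com/cart", SAMPLE_PAGE):
        print(finding)
```

The same page served from `https://shop.example.com/cart` produces no findings, because the URLs then arrive from a source the browser has already validated.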

The human plague

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: The human plague
Newsgroups: alt.folklore.computers
Date: Wed, 08 Oct 2008 14:18:12 -0400
it is not just the pres; congress approval numbers have been running about 1/3rd that of the pres.
http://www.garlic.com/~lynn/2008j.html#73 lack of information accuracy

Congressional Performance; Congressional Approval Falls to Single Digits for First Time Ever
http://rasmussenreports.com/public_content/politics/mood_of_america/congressional_performance/congressional_performance

there have also been claims that recent congress had the lowest attendance record in the history of the country ... and one of the lowest legislative activity
http://www.garlic.com/~lynn/2007v.html#20 Education ranking

CSPAN on sunday had a guest that claimed that the financial industry had contributed $250m to congress the session that repealed Glass-Steagall ... and the financial industry has contributed $2b to the current congress (that recently passed the $700b bailout bill, with those voting for the bill receiving an avg of 45 percent more from the financial industry, than those voting against) ... recent post
http://www.garlic.com/~lynn/2008n.html#99 Blinkylights

related:
http://www.garlic.com/~lynn/2008k.html#71 Cormpany sponsored insurance
http://www.garlic.com/~lynn/2008m.html#49 Taxes
http://www.garlic.com/~lynn/2008m.html#50 Taxes
http://www.garlic.com/~lynn/2008m.html#87 Fraud due to stupid failure to test for negative

repeatedly over the past several months, there have been statements "calling the bottom" to the current economic downturn (supposedly based on previous similar events). the current situation differentiates itself with so much institutional fabrication since 2001. there is danger that because of the confidence crisis (since there is such an enormous trust issue because of the pervasiveness of the fabrication), that things continue on down past 2001 reset point (including the housing market, financial institutions, as well as equity markets).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

What risk of possible data leakage do you see for your organization?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: What risk of possible data leakage do you see for your organization?
Date: October 9, 2008
Blog: Information Security
In the mid-90s we got involved in the X9A10 financial standard working of the financial infrastructure for *ALL* retail payments (credit, debit, stored-value, POS, face-to-face, internet, etc).

One of the interesting side-effects of the X9A10 financial standard working group being given the requirement to preserve the integrity of the financial infrastructure for all retail payments, which resulted in x9.59 standard


http://www.garlic.com/~lynn/x959.html#x959

... was besides the ALL obvious stuff, including POS and internet ... also had to be considered was things like metro transit gates.

As a part of that we developed a framework for security proportional to risk as parameterised risk management.

From basic 3-factor authentication ... lots of past posts
http://www.garlic.com/~lynn/subintegrity.html#3factor

So the idea was the same chipcard would effectively handle x9.59 transaction as single factor something you have (say at metro transit turnstile w/o PIN) .... but would also operate the same way when the infrastructure required arbitrary two (or more) factor authentication ... i.e. x9.59 transaction with base something you have chipcard ... but could also work with one or more additional authentication factors (based on amount at risk).

The other part of the x9a10 financial working group *ALL* was framework for supporting a person-centric paradigm ... as opposed to strictly an "institutional-centric" paradigm (each institution issuing a card). This required that the same chipcard not only operate highly secure for one or more authentication factor x9.59 financial transactions (potentially even same chipcard with a large number different financial institutions accounts) ... but the same chipcard could be easily used for things like ISP internet login authentication and physical door access authentication (w/o requiring institutional loading/personalizing the chip).

Finally, the chip would be form-factor and transport agnostic (POS, transit, internet); the same chip-core would work with contact and contactless ... and also as embedded chip in things like PDAs and/or cellphone.

so, as part of meeting the X9A10 *ALL* requirement, frameworks for

various aspects show up as part of the AADS chip strawman
http://www.garlic.com/~lynn/x959.html#aads

recent related thread:

Credit Card Security
http://www.linkedin.com/answers/finance-accounting/financial-regulation/FIN_FRG/333069-2064487
and
http://www.garlic.com/~lynn/2008n.html#90 Credit Card Security
http://www.garlic.com/~lynn/2008o.html#2 Credit Card Security
http://www.garlic.com/~lynn/2008o.html#7 Credit Card Security

Another part of X9A10 effort was detailed, end-to-end, threat and vulnerability studies. Another aspect of security proportional to risk was that in much of the current paradigm, information from previous transactions (skimming, data breaches, security breaches, etc) can be used by crooks for fraudulent transactions. The issue is that the value of the information to the merchant is basically some percent of the profit from the transaction; however, the value of the information to the crook is the account balance &/or credit limit. This can mean that the crook can afford to outspend (attacking the system) the merchant (defending the system) by factor of 100 times. The scope of the problem is further compounded by some studies showing that up to 70 percent of identity theft involves insiders.

X9.59 didn't do anything about preventing such information leakage, but it tweaked the paradigm so that the information was useless to the crooks (i.e. could no longer be used for fraudulent transactions). We periodically commented that in the current paradigm, even if the planet was buried under miles of information hiding encryption, it still wouldn't be able to prevent information leakage.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
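
Added example (not part of the original post, and not the X9.59 message format): a small Python model of the two ideas above, authentication factors scaled to the amount at risk, and transaction records that are useless to whoever harvests them. Assumptions: an HMAC stands in for the chip's authentication (with a real digital signature the issuer would hold only a public key), the chip reports which factors it checked, and the thresholds, account number and names are constructed.

```python
import hashlib
import hmac

FIELDS = ("account", "merchant", "amount", "counter", "factors")
# Hypothetical thresholds (amount in cents -> factors required).
FACTOR_POLICY = [(0, 1), (5000, 2), (100000, 3)]


def required_factors(amount_cents):
    """Security proportional to risk: more factors as the amount grows."""
    return max(n for floor, n in FACTOR_POLICY if amount_cents >= floor)


def mac(key, txn):
    """Authentication code over every field of the transaction."""
    msg = "|".join(str(txn[f]) for f in FIELDS)
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class Chip:
    """Stand-in for the 'something you have' token; the key never leaves it."""

    def __init__(self, account, key):
        self.account, self._key, self._counter = account, key, 0

    def authorize(self, merchant, amount_cents, factors=("have",)):
        self._counter += 1
        txn = {"account": self.account, "merchant": merchant,
               "amount": amount_cents, "counter": self._counter,
               "factors": sorted(set(factors))}
        txn["auth"] = mac(self._key, txn)
        return txn


class Issuer:
    def __init__(self):
        self._keys, self._last = {}, {}

    def enroll(self, account, key):
        self._keys[account], self._last[account] = key, 0

    def verify(self, txn):
        key = self._keys.get(txn.get("account"))
        if key is None:
            return "unknown-account"
        if any(f not in txn for f in FIELDS + ("auth",)):
            return "unauthenticated"      # an account number alone buys nothing
        if not hmac.compare_digest(mac(key, txn), txn["auth"]):
            return "bad-authentication"   # any edited field breaks the code
        if txn["counter"] <= self._last[txn["account"]]:
            return "replay"               # a copied record is already spent
        if len(txn["factors"]) < required_factors(txn["amount"]):
            return "insufficient-factors"
        self._last[txn["account"]] = txn["counter"]
        return "approved"


def demo():
    account, key = "TEST-ACCT-0001", b"constructed-demo-key"
    issuer, chip = Issuer(), Chip(account, key)
    issuer.enroll(account, key)
    results = {}
    fare = chip.authorize("transit-gate", 275)
    results["fare"] = issuer.verify(fare)
    # From here on, assume the merchant's stored copy of `fare` has leaked.
    results["number_only"] = issuer.verify(
        {"account": account, "merchant": "mule-shop", "amount": 90000})
    results["altered"] = issuer.verify(
        dict(fare, merchant="mule-shop", amount=90000, counter=2))
    results["replayed"] = issuer.verify(dict(fare))
    # Same chip, larger amount: one factor is no longer enough.
    results["big_one_factor"] = issuer.verify(
        chip.authorize("electronics", 25000))
    results["big_two_factor"] = issuer.verify(
        chip.authorize("electronics", 25000, ("have", "know")))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} {outcome}")
```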

Blinkylights

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Blinkylights
Newsgroups: alt.folklore.computers
Date: Thu, 09 Oct 2008 10:30:44 -0400
related to ... long-winded, decade old post mentioning many of the current problems:
http://www.garlic.com/~lynn/aepay3.htm#riskm The Thread Between Risk Management and Information Security

in the S&L crisis period, citibank "discovering" the risk in ARMs and then getting out of the mortgage market.

the following is analytics related as opposed to all the fiddling and fabrication that went on ...

http://www2.marketwire.com/mw/mmframe?prid=441535&attachid=850879

"In 1973, Wm. Mack Terry and his colleagues at the Bank of America in San Francisco introduced the world's first matched maturity transfer pricing system," added Dr. Donald R. van Deventer, Kamakura Chairman and Chief Executive Officer. "Over the last 35 years, the concept has been increasingly refined and modified to incorporate the best practice calculations embedded in KRM Version 7.0. Best practice transfer pricing calculations would have made it clear that neither Bear Stearns nor Lehman Brothers had more than a marginal chance of survival when funding 30 year sub-prime mortgage loans with thirty day borrowings. Board members can and should demand clarity of disclosure on the total risk of an institution and the contribution of each business unit and transaction to total risk. This capability is available now, and Kamakura has been gratified that so many institutions have reached out to Kamakura for best practice risk analytics during the current crisis."
... snip ...

past posts mentioning Kamakura:
http://www.garlic.com/~lynn/2007v.html#25 Newsweek article--baby boomers and computers
http://www.garlic.com/~lynn/2008.html#66 As Expected, Ford Falls From 2nd Place in U.S. Sales
http://www.garlic.com/~lynn/2008.html#70 As Expected, Ford Falls From 2nd Place in U.S. Sales
http://www.garlic.com/~lynn/2008b.html#12 Computer Science Education: Where Are the Software Engineers of Tomorrow?
http://www.garlic.com/~lynn/2008c.html#21 Toyota Sales for 2007 May Surpass GM
http://www.garlic.com/~lynn/2008c.html#87 Toyota Sales for 2007 May Surpass GM
http://www.garlic.com/~lynn/2008g.html#64 independent appraisers
http://www.garlic.com/~lynn/2008j.html#29 dollar coins
http://www.garlic.com/~lynn/2008n.html#56 VMware Chief Says the OS Is History
http://www.garlic.com/~lynn/2008n.html#69 Another quiet week in finance

the stories are that even the best of analytics wouldn't have been able to head off the current problems ... because the books were being fiddled to allow extremely risky actions that appeared to boost the bottom line ... as means of inflating executive compensation.

misc. past references:
http://www.garlic.com/~lynn/2008f.html#76 Bush - place in history
http://www.garlic.com/~lynn/2008g.html#52 IBM CEO's remuneration last year ?
http://www.garlic.com/~lynn/2008g.html#66 independent appraisers
http://www.garlic.com/~lynn/2008h.html#42 The Return of Ada
http://www.garlic.com/~lynn/2008m.html#96 Blinkylights
http://www.garlic.com/~lynn/2008m.html#99 Blinkylights
http://www.garlic.com/~lynn/2008n.html#3 Blinkylights
http://www.garlic.com/~lynn/2008n.html#15 Blinkylights
http://www.garlic.com/~lynn/2008n.html#49 VMware Chief Says the OS Is History
http://www.garlic.com/~lynn/2008n.html#52 Technology and the current crisis
http://www.garlic.com/~lynn/2008n.html#53 Your thoughts on the following comprehensive bailout plan please
http://www.garlic.com/~lynn/2008n.html#56 VMware Chief Says the OS Is History
http://www.garlic.com/~lynn/2008n.html#65 Whether, in our financial crisis, the prize for being the biggest liar is
http://www.garlic.com/~lynn/2008n.html#69 Another quiet week in finance
http://www.garlic.com/~lynn/2008n.html#72 Why was Sarbanes-Oxley not good enough to sent alarms to the regulators about the situation arising today?
http://www.garlic.com/~lynn/2008n.html#78 Isn't it the Federal Reserve role to oversee the banking system??
http://www.garlic.com/~lynn/2008n.html#80 Why did Sox not prevent this financal crises?
http://www.garlic.com/~lynn/2008n.html#82 Fraud in financial institution

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Financial Crisis - the result of uncontrolled Innovation?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Financial Crisis - the result of uncontrolled Innovation?
Date: October 9, 2008
Blog: Organizational Development
The "problems" possibly are mostly

How Wall Street Lied to Its Computers
http://bits.blogs.nytimes.com/2008/09/18/how-wall-streets-quants-lied-to-their-computers//
Subprime = Triple-A ratings? or 'How to Lie with Statistics'
http://www.bloggingstocks.com/2007/07/25/subprime-triple-a-ratings-or-how-to-lie-with-statistics/

GAO has been doing database of corporate restatements. Basically financials are inflated, the bonuses taken on the inflated statements and possibly later the financials are restated ... but the bonuses aren't forfeited.

A lot of it is leveraging the lack of transparency as part of fiddling the books.

Toxic CDOs had been used two decades ago during the S&L crisis to obfuscate underlying values.

Getting triple-A rating on toxic CDOs allowed unregulated mortgage originators to continue funding their operations and unload all the mortgages they could possibly write ... w/o needing to pay any attention to loan quality. Then lots of institutions and retirement funds would snap up these supposedly "safe", triple-A rated toxic CDOs.

Speculators taking advantage of things like no-documentation, 1-2 percent intro, interest only mortgages ... basically could treat the home owner market like the unregulated 1920s stock market.

long-winded, decade old-post discussing many of the current problems, including needing visibility in CDO-like instruments
http://www.garlic.com/~lynn/aepay3.htm#riskm The Thread Between Risk Management and Information Security

note that the subprime loans (no-documentation, no-down, 1-2 percent intro rate, possibly interest only payments) were supposedly for low-income, first time home buyers. However, studies are claiming that at least 61 percent of such loans went to people that would have otherwise qualified for normal loans ... heavily suggesting speculators were taking advantage of the offerings. Also there have been huge price spikes in segments of the home owner market not normally associated with low-income, first-time home buyers ... again suggesting heavy speculation activity.

Last spring there was a business school article that claimed something like 1000 executives are responsible for 80% of the current crisis ... and it would go a long ways towards fixing the problem if the gov. could figure how they could lose their job.

Example of fiddling financial statements was freddie in 2004 was fined $400m for $10b inflation in financial statements. The CEO was replaced ... but allowed to keep tens of (hundred?) millions. A few weeks ago, Warren Buffett said that he was largest stockholder in freddie in 2000-2001, but got completely out because of their accounting practices.

article from today

Expert: Flawed corporate watchdog methods helped fuel economic crisis
http://www.news.uiuc.edu/news/08/1009corporations.html

another item/quote from today:

"Best practice transfer pricing calculations would have made it clear that neither Bear Stearns nor Lehman Brothers had more than a marginal chance of survival when funding 30 year sub-prime mortgage loans with thirty day borrowings."

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Is Information Security driven by compliance??

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Is Information Security driven by compliance??
Date: October 9, 2008
Blog: Information Security
we had been asked to help wordsmith cal. state electronic signature legislation ... misc. past posts
http://www.garlic.com/~lynn/subpubkey.html#signature

some of the other participants were heavily into privacy issues and had done detailed, in-depth customer surveys. They found the top, number one issue was identity theft, and the 2nd was "denial of service" (by institutions and gov. using personal information).

A big part of identity theft was crooks acquiring information (data breaches and security breaches) and being able to perform fraudulent financial transactions ... which was getting little or no attention (little public connection between the breaches and the resulting fraud). This appeared to be the motivation for the cal. state breach notification legislation ... hoping the publicity would result in corrective actions.

Also, in the mid-90s we had been asked to participate in the x9a10 financial standard working group which had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments ... which resulted in the x9.59 financial standard.
http://www.garlic.com/~lynn/x959.html#x959

Part of the effort involved detailed, end-to-end, threat and vulnerability studies.

Part of the issue here (related to data breaches) was something from kindergarten security 101, security proportional to risk. The majority of the data breaches have involved financial transaction information. Part of the issue is that the value of the information to merchants is some percent of profit off the transaction; however the value of the information to the crooks is the account balance and/or credit limit. The result is that the crooks can frequently outspend the merchants by a factor of 100:1 attacking the system (as the merchants can afford to spend on defending the system).

So part of x9.59 financial standard was to slightly tweak the paradigm and make the information useless to crooks (doing nothing to prevent the data breaches, but eliminating the motivation for the data breaches)

somewhat related answer to this question

Financial Crisis - the result of uncontrolled Innovation?
http://www.linkedin.com/answers/management/organizational-development/MGM_ODV/335924-10127581

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

what will be a wow feature in a credit card

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: what will be a wow feature in a credit card
Date: October 9, 2008
Blog: Credit Card Professionals
in the mid-90s, we had been called in to work on the x9a10 financial standard working group which had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments. this resulted in the x9.59 financial standard
http://www.garlic.com/~lynn/x959.html#x959

a lot of this was making x9.59 payment method agnostic (credit, debit, stored-value) as well as format agnostic, extremely lightweight, very low power, very fast, and very high security (use for broad range of transactions values from very low to very high ... at POS, internet, and even transit turnstile).

Part of this was somewhat creating a framework for security proportional to risk that we called parameterised risk management .... which included allowing the same operation to work with multiple different numbers of authentication factors.

From 3-factor authentication model ... lots of past posts
http://www.garlic.com/~lynn/subintegrity.html#3factor

so that a very inexpensive, very high security, form-factor agnostic contactless hardware token could work within the time and power constraints at a transit turnstile (w/o a pin or password) or for low-value transactions at POS ... and effectively the same operation and hardware token work for wide variety of higher value transactions (which might require pin, password, and/or biometrics) at POS and/or on the internet.

Another part of this ALL requirement was framework to tweak the paradigm to allow person-centric operation ... as opposed to institutional-centric paradigm (where a person might get a unique hardware token from every institution that they had dealings with). This allows a person to have a single (or very few) hardware tokens that satisfies all authentication requirements for a broad range of different kinds of transactions and values.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Once the dust settles, do you think Milton Friedman's economic theories will be laid to rest

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Once the dust settles, do you think Milton Friedman's economic theories will be laid to rest
Date: October 9, 2008
Blog: Government Policy
On sunday, CSPAN had guest on that said that the financial industry contributed $250m to congress in the session that repealed Glass-Steagall (Glass-Steagall had been passed in the wake of the '29 crash to keep the safety & soundness of regulated banking separate from highly risky, unregulated investment banking). PBS program going into some detail about the repeal:

The Wall Street Fix
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/

and also that the financial industry contributed $2b to congress in the most recent session that saw the passage of the $700b bailout (supposedly those that voted for received 45 percent more than those that voted against).

Much of the current problems is the lack of transparency and visibility allowing a lot of fiddling, fabrication and fudging the books.

How Wall Street Lied to Its Computers
http://bits.blogs.nytimes.com/2008/09/18/how-wall-streets-quants-lied-to-their-computers//
Subprime = Triple-A ratings? or 'How to Lie with Statistics'
http://www.bloggingstocks.com/2007/07/25/subprime-triple-a-ratings-or-how-to-lie-with-statistics/

Toxic CDOs had been used two decades ago in the S&L crisis to obfuscate underlying values and sell stuff that otherwise wouldn't have likely sold.

Being able to get triple-A ratings on toxic CDOs allowed unregulated mortgage originators to continue to fund their operations and also unload all the mortgages they could write w/o having to pay any attention to quality. There was little motivation not to write, no-documentation, ARMs with 1-2 percent intro rates and interest only payments. Speculators could snap these up and basically treat the home owners market like the unregulated 1920s stock market.

Then there were a large number of institutions and retirement funds buying up these supposedly safe triple-A rated toxic CDOs.

and article from today:

Lehman Failure Seen as Straw Which Broke Credit Market's Back
http://www.financetech.com/news/showArticle.jhtml?articleID=211100066

but there is also the whole crisis & trust confidence in institutions ... in part because of the financial statement fiddling and restatements ... but also because of trust issues in rating services.

older article

The Fed's Too Easy on Wall Street
http://www.businessweek.com/stories/2008-03-19/the-feds-too-easy-on-wall-streetbusinessweek-business-news-stock-market-and-financial-advice

from above:
"The Federal Reserve continues to bail out major financial institutions without imposing meaningful conditions to improve their conduct and performance," complains Peter Morici, professor at the Smith Business School at the University of Maryland.

Here's a staggering figure to contemplate: New York City securities industry firms paid out a total of $137 billion in employee bonuses from 2002 to 2007, according to figures compiled by the New York State Office of the Comptroller. Let's break that down: Wall Street honchos earned a bonus of $9.8 billion in 2002, $15.8 billion in 2003, $18.6 billion in 2004, $25.7 billion in 2005, $33.9 billion in 2006, and $33.2 billion in 2007.

... snip ...

now part of the $700b presumably is to replenish the $137b that wall street sucked out of the infrastructure as their reward for contributions to creating the current problem

two weeks ago one of the tv business news shows had a representative from one of the rating companies to discuss downgrades they were giving some companies. the host spent much of the show trying to get the guest to admit to being responsible for the crisis (because of all the triple-A ratings they had given toxic CDOs).

the triple-A rated toxic CDOs allowed enormous speculation in the home owner market ... plot avg home prices back to 1970 and avg home prices as a percent of avg salary also back to 1970s. Both plots show an enormous ugly speculation pimple/boil starting earlier in this decade that is only about half-way deflated. Nominally the deflation of the ugly speculation pimple/boil would reset back to 2001 level. However the loss of confidence in so many institutions might continue the downward spiral past the 2001 reset point (the crisis confidence is also evident in credit and equity markets)

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

What's your view of current global financial / economical situation?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: What's your view of current global financial / economical situation?
Date: October 9, 2008
Blog: Economics
On sunday, CSPAN had guest on that said that the financial industry contributed $250m to congress in the session that repealed Glass-Steagall (Glass-Steagall had been passed in the wake of the '29 crash to keep the safety & soundness of regulated banking separate from highly risky, unregulated investment banking). PBS program going into some detail about the repeal:

The Wall Street Fix
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/

and also that the financial industry contributed $2b to congress in the most recent session that saw the passage of the $700b bailout (supposedly those that voted for received 45 percent more than those that voted against).

Much of the current problems is the lack of transparency and visibility allowing a lot of fiddling, fabrication and fudging the books.

How Wall Street Lied to Its Computers
http://bits.blogs.nytimes.com/2008/09/18/how-wall-streets-quants-lied-to-their-computers//
Subprime = Triple-A ratings? or 'How to Lie with Statistics'
http://www.bloggingstocks.com/2007/07/25/subprime-triple-a-ratings-or-how-to-lie-with-statistics/

Toxic CDOs had been used two decades ago in the S&L crisis to obfuscate underlying values and sell stuff that otherwise wouldn't have likely sold.

Being able to get triple-A ratings on toxic CDOs allowed unregulated mortgage originators to continue to fund their operations and also unload all the mortgages they could write w/o having to pay any attention to quality. There was little motivation not to write, no-documentation, ARMs with 1-2 percent intro rates and interest only payments. On the home owner market side of these triple-A rated, toxic CDOs, speculators could snap these up and basically treat the home owners market like the unregulated 1920s stock market.

On the other side of these triple-A rated, toxic CDOs, there were a large number of institutions and retirement funds buying up these supposedly safe triple-A rated toxic CDOs.

Long-winded, decade old post discussing many of the current problems, including need for visibility into CDO-like instruments
http://www.garlic.com/~lynn/aepay3.htm#riskm The Thread Between Risk Management and Information Security

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Is the Credit Cruch a boost for Virtualization?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Is the Credit Cruch a boost for Virtualization?
Date: October 9, 2008
Blog: Enterprise Software
For the past 20 yrs or so there has been increasing leveraging of dedicated computers for specific applications. The hardware (and other related) costs were trade-off against expensive and scarce human expertise that would have required getting a large number of different applications to gracefully co-exist on a single computer. After 20 yrs of this approach, there are massive numbers of installed computers running at 5-10 percent utilization.

This has created an enormous opportunity to leverage racks, grid, and virtualization to frequently achieve 10:1 consolidation in the total number of computers (and in some cases, 10:1 consolidation in the number of an institution's datacenters). Virtualization allows for significant consolidation with little or none of the scarce expertise that would have been required using more traditional consolidation technologies.

This is also a "green" play ... representing a corresponding significant reduction in power & cooling (in addition to cost savings).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Old XDS Sigma stuff

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Old XDS Sigma stuff
Newsgroups: alt.folklore.computers
Date: Thu, 09 Oct 2008 13:57:54 -0400
Al Kossow <aek@spies.com> writes:
The real problem was software. SDS was in reactive mode to their customers well into the 70's for software on the Sigma. There are design specs for timesharing back to 1966, but it took them four or five years to finally ship UTS, which put them in the center of the 1970 recession trying to sell big timesharing systems.

They finally came up with a pretty decent system a few years later with the renamed CP-5, but by then Xerox had essentially killed them.

The systems that Sigmas ended up in were what became the supermini segment in the mid-late 70's. Both BART and the DC METRO used Sigmas for train control, NASA used one for Saturn V data collection, etc. This fits in with the market segment that the 900 series sold into.


In the early to mid 70s, I got called in to some number of customers to make presentations ... marketing against sigma7s ... i don't remember all the details but supposedly local marketing team was beating sigma7s in mixed-mode timesharing benchmarks (w/vm370).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

What risk of possible data leakage do you see for your organization?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: What risk of possible data leakage do you see for your organization?
Date: October 9, 2008
Blog: Information Security
re:
http://www.garlic.com/~lynn/2008o.html#13 What risk of possible data leakage do you see for your organization?

recent study ... another take on the "inside" scenario:

Study: 80% of Organizations Suffer Breaches, Most From the Inside
http://www.darkreading.com/document.asp?doc_id=165612

The majority of the data breaches that are making the press have been the kind involving financial transaction information that crooks can use to make fraudulent transactions.

Another aspect of the X9A10 financial standard, in-depth, end-to-end, threat and vulnerability study was the dual-use nature of the breached information. The transaction information is needed for executing the transaction and a variety of ancillary business processes, but also contains the information crooks leverage for performing fraudulent transactions. As a result, there are diametrically opposing, dual-use security requirements .... on the one hand, the information has to be generally available for all the business processes ... and on the other hand the information must be kept completely confidential and never divulged (nominally not even presenting the information in order to perform a transaction).

The diametrically opposing security requirements have led us to periodically observe that even if the planet was buried under miles of information hiding encryption, it still wouldn't be able to stop the information leakage.

This is also part of the paradigm tweaking done in the x9.59 protocol ... to eliminate the dual-use nature of the information (and also eliminate the motivation for the majority of the breaches).
http://www.garlic.com/~lynn/x959.html#x959

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Old XDS Sigma stuff

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Old XDS Sigma stuff
Newsgroups: alt.folklore.computers
Date: Thu, 09 Oct 2008 15:11:52 -0400
Al Kossow <aek@spies.com> writes:
I just put up a competitive analysis document under
http://bitsavers.org/pdf/sds/sigma/memos
which compares CP-V and TSO


re:
http://www.garlic.com/~lynn/2008o.html#21 Old XDS Sigma stuff

CERN had made a presentation at SHARE circa 1974 on competitive analysis of TSO and vm370/cms. Internally, copies of the report were classified "confidential - restricted" ... basically available on a need-to-know basis only ... so as to limit the information to employees (about how badly TSO compared).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Nonviolent Activists Are Now Terrorists

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Nonviolent Activists Are Now Terrorists
Newsgroups: alt.folklore.computers
Date: Thu, 09 Oct 2008 15:34:49 -0400
Nonviolent Activists Are Now Terrorists
http://www.schneier.com/blog/archives/2008/10/nonviolent_acti.html

we've constantly heard the same refrain over the yrs trying to apply RDBMS technology to real-world information.

I've often claimed that original relational/sql implementation System/R ... misc past posts
http://www.garlic.com/~lynn/submain.html#systemr

had effectively made performance trade-offs ... for silver bullet application ... financial transaction processing. Basically account record with prestructured and uniform, homogeneous information regarding all the entries (significantly reduced per account record processing ... if it could be assumed that all information about each entry was uniform).

there is also frequently a significant upfront effort to come-up with some sort of semi-generalized uniform definitions for the tables ... which then frequently also requires enormous justification to change &/or add-to the table structure definitions (with frequent quotes of 18m-36m elapsed time cycle for such efforts).

The stronger implication is that all sorts of valuable information may get contorted and/or discarded because the original effort hadn't anticipated all possible future cases.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

What are the Black Swans for IT Security?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: What are the Black Swans for IT Security?
Date: October 9, 2008
Blog: Information Security
Nonviolent Activists Are Now Terrorists
http://www.schneier.com/blog/archives/2008/10/nonviolent_acti.html

we've constantly heard the same refrain over the yrs trying to apply RDBMS technology to real-world information.

I've often claimed that original relational/sql implementation System/R ... misc past posts
http://www.garlic.com/~lynn/submain.html#systemr

had effectively made performance trade-offs ... for silver bullet application ... financial transaction processing. Basically account record with prestructured and uniform, homogeneous information regarding all the entries (significantly reduced per account record processing ... if it could be assumed that all information about each entry was uniform).

there is also frequently a significant upfront effort to come-up with some sort of semi-generalized uniform definitions for the tables ... which then frequently also requires enormous justification to change &/or add-to the table structure definitions (with frequent quotes of 18m-36m elapsed time cycle for such efforts).

The stronger implication is that all sorts of valuable information may get contorted and/or discarded because the original effort hadn't anticipated all possible future cases.

At the same time I was involved in doing some of the System/R implementation ... I also got involved in doing a similar kind of implementation which didn't require the uniformity and prestructuring. In recent yrs, I've gone thru several re-implementations from scratch and have used it for a number of things like my RFC index
http://www.garlic.com/~lynn/rfcietff.htm
and various merged glossaries and taxonomies
http://www.garlic.com/~lynn/index.html#glosnote

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

SOX (Sarbanes-Oxley Act), is this really followed and worthful considering current Financial Crisis?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: SOX (Sarbanes-Oxley Act), is this really followed and worthful considering current Financial Crisis?
Date: October 10, 2008
Blog: Financial Regulation
Much of the current problems is the lack of transparency and visibility allowing a lot of fiddling, fabrication and fudging the books.

How Wall Street Lied to Its Computers
http://bits.blogs.nytimes.com/2008/09/18/how-wall-streets-quants-lied-to-their-computers//
Subprime = Triple-A ratings? or 'How to Lie with Statistics'
http://www.bloggingstocks.com/2007/07/25/subprime-triple-a-ratings-or-how-to-lie-with-statistics/

Toxic CDOs had been used two decades ago in the S&L crisis to obfuscate underlying values and sell stuff that otherwise wouldn't have likely sold.

Being able to get triple-A ratings on toxic CDOs allowed unregulated mortgage originators to continue to fund their operations and also unload all the mortgages they could write w/o having to pay any attention to quality. There was little motivation not to write, no-documentation, no down payment ARMs with 1-2 percent intro rates and interest only payments. Speculators could snap these up and basically treat the home owners market like the unregulated 1920s stock market.

Then there were a large number of institutions and retirement funds buying up these supposedly safe triple-A rated toxic CDOs.

Previously, home owner market was indirectly regulated, mortgages were originated by regulated institutions that kept the mortgages on their books ... so there was significant motivation to pay attention to mortgage quality.

Long-winded, decade old post discussing many of the current problems, including need for visibility into CDO-like instruments
http://www.garlic.com/~lynn/aepay3.htm#riskm

Last spring there was a business school article that claimed something like 1000 executives are responsible for 80% of the current crisis ... and it would go a long ways towards fixing the problem if the gov. could figure how they could lose their job.

GAO has been doing database of increasing number of financial restatements. Basically the financials are fiddled in a number of ways to inflate them and executives get bonuses on the inflated financials. Later, the financials may be restated but the bonuses aren't forfeited.

Example of fiddling financial statements, freddie in 2004 was fined $400m for $10b inflation in financial statements. The CEO was replaced ... but allowed to keep tens of (hundred?) millions. A few weeks ago, Warren Buffett said that he was largest stockholder in freddie in 2000-2001, but got completely out because of their accounting practices.

article from yesterday:

Expert: Flawed corporate watchdog methods helped fuel economic crisis
http://www.news.uiuc.edu/news/08/1009corporations.html

and different item/quote from yesterday:

"Best practice transfer pricing calculations would have made it clear that neither Bear Stearns nor Lehman Brothers had more than a marginal chance of survival when funding 30 year sub-prime mortgage loans with thirty day borrowings."
... snip ...

and article from today:

Lehman Failure Seen as Straw Which Broke Credit Market's Back
http://www.financetech.com/news/showArticle.jhtml?articleID=211100066

but there is also the whole crisis & trust confidence in institutions ... in part because of the financial statement fiddling and restatements ... but also because of trust issues in rating services.

two weeks ago one of the tv business news shows had a representative from one of the rating companies to discuss downgrades they were giving some companies. the host spent much of the show trying to get the guest to admit to being responsible for the crisis (because of all the triple-A ratings they had given toxic CDOs).

another article

The Fed's Too Easy on Wall Street
http://www.businessweek.com/stories/2008-03-19/the-feds-too-easy-on-wall-streetbusinessweek-business-news-stock-market-and-financial-advice

from above:
"The Federal Reserve continues to bail out major financial institutions without imposing meaningful conditions to improve their conduct and performance," complains Peter Morici, professor at the Smith Business School at the University of Maryland.

Here's a staggering figure to contemplate: New York City securities industry firms paid out a total of $137 billion in employee bonuses from 2002 to 2007, according to figures compiled by the New York State Office of the Comptroller. Let's break that down: Wall Street honchos earned a bonus of $9.8 billion in 2002, $15.8 billion in 2003, $18.6 billion in 2004, $25.7 billion in 2005, $33.9 billion in 2006, and $33.2 billion in 2007.

... snip ...

now part of the $700b presumably is to replenish the $137b that wall street sucked out of the infrastructure as their reward for contributions to creating the current problem

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Blinkylights

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Blinkylights
Newsgroups: alt.folklore.computers
Date: Fri, 10 Oct 2008 10:16:29 -0400
Anne & Lynn Wheeler <lynn@garlic.com> writes:
the following is analytics related as opposed to all the fiddling and fabrication that went on ...
http://www2.marketwire.com/mw/mmframe?prid=441535&attachid=850879

"In 1973, Wm. Mack Terry and his colleagues at the Bank of America in San Francisco introduced the world's first matched maturity transfer pricing system," added Dr. Donald R. van Deventer, Kamakura Chairman and Chief Executive Officer. "Over the last 35 years, the concept has been increasingly refined and modified to incorporate the best practice calculations embedded in KRM Version 7.0. Best practice transfer pricing calculations would have made it clear that neither Bear Stearns nor Lehman Brothers had more than a marginal chance of survival when funding 30 year sub-prime mortgage loans with thirty day borrowings. Board members can and should demand clarity of disclosure on the total risk of an institution and the contribution of each business unit and transaction to total risk. This capability is available now, and Kamakura has been gratified that so many institutions have reached out to Kamakura for best practice risk analytics during the current crisis."

... snip ...


re:
http://www.garlic.com/~lynn/2008o.html#14 Blinkylights

from today:

Lehman Failure Seen as Straw Which Broke Credit Market's Back
http://www.financetech.com/news/showArticle.jhtml?articleID=211100066

but there is also the whole crisis & trust confidence in institutions ... in part because of the financial statement fiddling and restatements ... but also because of trust issues in rating services.

past posts mentioning GAO database of increasing number of financial restatements (basically various fiddling to inflate financials to inflate executive bonuses, later financials may be restated but bonuses not forfeited)
http://www.garlic.com/~lynn/2008j.html#64 lack of information accuracy
http://www.garlic.com/~lynn/2008k.html#20 IBM's 2Q2008 Earnings
http://www.garlic.com/~lynn/2008n.html#2 Blinkylights
http://www.garlic.com/~lynn/2008n.html#28 Blinkylights
http://www.garlic.com/~lynn/2008n.html#37 Success has many fathers, but failure has the US taxpayer
http://www.garlic.com/~lynn/2008n.html#53 Your thoughts on the following comprehensive bailout plan please
http://www.garlic.com/~lynn/2008n.html#56 VMware Chief Says the OS Is History
http://www.garlic.com/~lynn/2008n.html#69 Another quiet week in finance
http://www.garlic.com/~lynn/2008n.html#72 Why was Sarbanes-Oxley not good enough to sent alarms to the regulators about the situation arising today?
http://www.garlic.com/~lynn/2008n.html#74 Why can't we analyze the risks involved in mortgage-backed securities?
http://www.garlic.com/~lynn/2008n.html#80 Why did Sox not prevent this financal crises?
http://www.garlic.com/~lynn/2008n.html#82 Fraud in financial institution
http://www.garlic.com/~lynn/2008o.html#15 Financial Crisis - the result of uncontrolled Innovation?
http://www.garlic.com/~lynn/2008o.html#26 SOX (Sarbanes-Oxley Act), is this really followed and worthful considering current Financial Crisis?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Does anyone get the idea that those responsible for containing this finanical crisis are doing too much?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Does anyone get the idea that those responsible for containing this finanical crisis are doing too much?
Date: October 11, 2008
Blog: Economics
Last sunday, CSPAN had guest on that said that the financial industry contributed $250m to congress in the session that repealed Glass-Steagall (Glass-Steagall had been passed in the wake of the '29 crash to keep the safety & soundness of regulated banking separate from highly risky, unregulated investment banking). PBS program going into some detail about the repeal:

The Wall Street Fix
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/

and also that the financial industry contributed $2b to congress in the most recent session that saw the passage of the $700b bailout (supposedly those that voted for received 45 percent more than those that voted against).

Much of the current problems is the lack of transparency and visibility allowing a lot of fiddling, fabrication and fudging the books.

How Wall Street Lied to Its Computers
http://bits.blogs.nytimes.com/2008/09/18/how-wall-streets-quants-lied-to-their-computers//
Subprime = Triple-A ratings? or 'How to Lie with Statistics'
http://www.bloggingstocks.com/2007/07/25/subprime-triple-a-ratings-or-how-to-lie-with-statistics/

Toxic CDOs had been used two decades ago in the S&L crisis to obfuscate underlying values and sell stuff that otherwise wouldn't have likely sold.

Being able to get triple-A ratings on toxic CDOs allowed unregulated mortgage originators to continue to fund their operations and also unload all the mortgages they could write w/o having to pay any attention to quality. There was little motivation not to write no-documentation, no down payment ARMs with 1-2 percent intro rates and interest only payments. Speculators could snap these up and basically treat the home owners market like the unregulated 1920s stock market.

Then there were a large number of institutions and retirement funds buying up these supposedly safe triple-A rated toxic CDOs.

Previously, home owner market was somewhat indirectly regulated, mortgages were originated by regulated institutions that kept the mortgages on their books ... so there was significant motivation to pay attention to mortgage quality.

Plot avg. home prices back to 1970 as well as avg. home prices as percent of avg. salary ... there is a unique ugly speculation pimple/boil inflating in the early part of this decade ... which has only about half-way deflated. The ugly speculation pimple/boil also contributed to significant over building, the over supply may result in downward spiral continuing down past the 2001 reset point.

Long-winded, decade old post discussing many of the current problems, including need for visibility into CDO-like instruments
http://www.garlic.com/~lynn/aepay3.htm#riskm

Last spring there was a business school article that claimed something like 1000 executives are responsible for 80% of the current crisis ... and it would go a long ways towards fixing the problem if the gov. could figure how they could lose their job.

GAO has been doing database of increasing number of financial restatements. Basically the financials are fiddled in a number of ways to inflate them and executives get bonuses on the inflated financials. Later, the financials may be restated but the bonuses aren't forfeited.

Example of fiddling financial statements, freddie in 2004 was fined $400m for $10b inflation in financial statements (in spite of SOX). The CEO was replaced ... but allowed to keep tens of (hundred?) millions. A few weeks ago, Warren Buffett said that he was largest stockholder in freddie in 2000-2001, but got completely out because of their accounting practices.

recent article

Expert: Flawed corporate watchdog methods helped fuel economic crisis
http://www.news.uiuc.edu/news/08/1009corporations.html

... and recent quote (from different source):

"Best practice transfer pricing calculations would have made it clear that neither Bear Stearns nor Lehman Brothers had more than a marginal chance of survival when funding 30 year sub-prime mortgage loans with thirty day borrowings."
... snip ...

Is this akin to Cal. electrical power crisis buying electricity on "spot" market and no provisions for long-term infrastructure investment?

and more recent article

Lehman Failure Seen as Straw Which Broke Credit Market's Back
http://www.financetech.com/news/showArticle.jhtml?articleID=211100066

but there is also the whole crisis & trust confidence in institutions ... in part because of the financial statement fiddling and restatements ... but also because of trust issues in rating services.

a couple weeks ago one of the tv business news shows had a representative from one of the rating companies to discuss downgrades they were giving some companies. the host spent much of the show trying to get the guest to admit being responsible for the crisis (because of all the triple-A ratings they had given toxic CDOs).

older article from last spring:

The Fed's Too Easy on Wall Street
http://www.businessweek.com/stories/2008-03-19/the-feds-too-easy-on-wall-streetbusinessweek-business-news-stock-market-and-financial-advice

from above:
"The Federal Reserve continues to bail out major financial institutions without imposing meaningful conditions to improve their conduct and performance," complains Peter Morici, professor at the Smith Business School at the University of Maryland.

Here's a staggering figure to contemplate: New York City securities industry firms paid out a total of $137 billion in employee bonuses from 2002 to 2007, according to figures compiled by the New York State Office of the Comptroller. Let's break that down: Wall Street honchos earned a bonus of $9.8 billion in 2002, $15.8 billion in 2003, $18.6 billion in 2004, $25.7 billion in 2005, $33.9 billion in 2006, and $33.2 billion in 2007.

... snip ...

now part of the $700b presumably is to replenish the $137b that wall street sucked out of the infrastructure as reward for their contribution creating the current crisis

so there was wide spread systemic greed in several parts of the infrastructure that had disastrous interaction.

there is some character of a "Winnie-the-Pooh" metaphor in all this ... basically pooh bear disavows all responsibility for irrational behavior around honey ... explaining that he is a bear of no brain at all.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Signposts on the US Government's Trail of IT Failures

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Signposts on the US Government's Trail of IT Failures
Newsgroups: alt.folklore.computers
Date: Sat, 11 Oct 2008 14:56:07 -0400
Anne & Lynn Wheeler <lynn@garlic.com> writes:
Nonviolent Activists Are Now Terrorists
http://www.schneier.com/blog/archives/2008/10/nonviolent_acti.html

we've constantly heard the same refrain over the yrs trying to apply RDBMS technology to real-world information.


re:
http://www.garlic.com/~lynn/2008o.html#24 Nonviolent Activists Are Now Terrorists

Signposts on the US Government's Trail of IT Failures
http://www.ecommercetimes.com/story/must-read/64704.html

from above:
Why can't the U.S. government get its IT shop in order? A look at some of the reasons large IT projects fail in the private sector goes a long way toward explaining what may be causing so many government-funded undertakings to go south
... snip ...

and recent item for different topic drift:

Asia trumping US on science R&D; Federal funding for research has been falling in real terms. Is the nation's economic edge at stake?
http://features.csmonitor.com/innovation/2008/10/09/asia-trumping-us-on-science-rd/

misc. past posts mentioning modernization/re-engineering IT efforts w/problems
http://www.garlic.com/~lynn/2002g.html#16 Why are Mainframe Computers really still in use at all?
http://www.garlic.com/~lynn/2003m.html#13 Cost of patching "unsustainable"
http://www.garlic.com/~lynn/2004l.html#49 "Perfect" or "Provable" security both crypto and non-crypto?
http://www.garlic.com/~lynn/2005.html#37 [OT?] FBI Virtual Case File is even possible?
http://www.garlic.com/~lynn/2005.html#48 [OT?] FBI Virtual Case File is even possible?
http://www.garlic.com/~lynn/2005b.html#3 [OT?] FBI Virtual Case File is even possible?
http://www.garlic.com/~lynn/2005c.html#17 [Lit.] Buffer overruns
http://www.garlic.com/~lynn/2005h.html#13 Today's mainframe--anything to new?
http://www.garlic.com/~lynn/2005j.html#13 Performance and Capacity Planning
http://www.garlic.com/~lynn/2006o.html#9 Pa Tpk spends $30 million for "Duet" system; but benefits are unknown
http://www.garlic.com/~lynn/2007e.html#52 US Air computers delay psgrs
http://www.garlic.com/~lynn/2007i.html#38 John W. Backus, 82, Fortran developer, dies (Actually, Working under the table!)
http://www.garlic.com/~lynn/2007o.html#18 Flying Was: Fission products
http://www.garlic.com/~lynn/2007o.html#23 Outsourcing loosing steam?
http://www.garlic.com/~lynn/2007o.html#43 Flying Was: Fission products
http://www.garlic.com/~lynn/2007u.html#19 Distributed Computing
http://www.garlic.com/~lynn/2008h.html#6 The Return of Ada
http://www.garlic.com/~lynn/2008h.html#50 Microsoft versus Digital Equipment Corporation
http://www.garlic.com/~lynn/2008m.html#41 IBM--disposition of clock business
http://www.garlic.com/~lynn/2008m.html#45 IBM--disposition of clock business

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Signposts on the US Government's Trail of IT Failures

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Signposts on the US Government's Trail of IT Failures
Newsgroups: alt.folklore.computers
Date: Sun, 12 Oct 2008 09:04:46 -0400
jmfbahciv <jmfbahciv@aol> writes:
For the same reason the Air Force couldn't make a functional airplane. Do you remember the one-pluses that turned a design from a sleek useful fighter into a clumsy, overly complicated (thus lots of down time) monster?

re:
http://www.garlic.com/~lynn/2008o.html#29 Signposts on the US Government's Trail of IT Failures

at least boyd managed to undo some of that (for f15 & f18) as well as do an alternate (f16) ... misc. past boyd posts
http://www.garlic.com/~lynn/subboyd.html#boyd

and then was involved in f20 ... larger numbers of less expensive f20 that were much less complicated and required much less service per hrs flown ... met the requirement more often than small numbers of much more complicated f16s. misc. past posts/threads mentioning f20:
http://www.garlic.com/~lynn/94.html#8 scheduling & dynamic adaptive ... long posting warning
http://www.garlic.com/~lynn/2002c.html#14 OS Workloads : Interactive etc
http://www.garlic.com/~lynn/2002d.html#1 OS Workloads : Interactive etc
http://www.garlic.com/~lynn/2002d.html#2 OS Workloads : Interactive etc
http://www.garlic.com/~lynn/2004g.html#4 Infiniband - practicalities for small clusters
http://www.garlic.com/~lynn/2004n.html#27 Shipwrecks
http://www.garlic.com/~lynn/2005d.html#45 Thou shalt have no other gods before the ANSI C standard
http://www.garlic.com/~lynn/2006g.html#13 News Release
http://www.garlic.com/~lynn/2006n.html#43 MTS, Emacs, and... WYLBUR?
http://www.garlic.com/~lynn/2007i.html#3 John W. Backus, 82, Fortran developer, dies
http://www.garlic.com/~lynn/2007i.html#4 John W. Backus, 82, Fortran developer, dies
http://www.garlic.com/~lynn/2007i.html#6 John W. Backus, 82, Fortran developer, dies
http://www.garlic.com/~lynn/2007i.html#7 John W. Backus, 82, Fortran developer, dies
http://www.garlic.com/~lynn/2007i.html#8 John W. Backus, 82, Fortran developer, dies
http://www.garlic.com/~lynn/2007i.html#10 John W. Backus, 82, Fortran developer, dies
http://www.garlic.com/~lynn/2007i.html#25 Latest Principles of Operation
http://www.garlic.com/~lynn/2007o.html#40 EZPass: Yes, Big Brother IS Watching You!

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

The human plague

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: The human plague
Newsgroups: alt.folklore.computers
Date: Sun, 12 Oct 2008 09:35:58 -0400
jmfbahciv <jmfbahciv@aol> writes:
What is more interesting is who are these people going to blame when Bush isn't in the office.

I heard on the news a couple days ago that banks were caught between a rock and a hard place; they had a choice: either hand out loans to people who could not pay or get sued by the government for racism violations. Barney Franks keeps giving speeches in this state that the banks will still be forced to issue loans to people who cannot pay them.


law of unintended consequences

nominally subprime were targeted at low-income 1st time home owners ... however, no-documentation, no-down ARMs with low 1-2 percent intro rate and possibly interest only payments were snapped up by speculators ... one study found 61% of subprime loans went to those that would otherwise qualify for normal loan.

the speculators caused huge inflation in home market prices ... in segments of the market that you wouldn't find low-income, first time home owners. plot avg home prices as well as avg home prices as percent of avg income back to 70s. current is unique, ugly, speculation pimple/boil starting in earlier part of this decade and has only been about halfway deflated. the enormous speculation also caused over building (speculation creating appearance that demand was much greater than actually existed). the resulting oversupply further depresses market and may result in downward spiral of prices to continue past 2001 reset point.

then there is the significant systemic greed and interactions with other parts of the infrastructure.

quote cited from
http://www.garlic.com/~lynn/2008o.html#14 Blinkylights
http://www.garlic.com/~lynn/2008o.html#27 Blinkylights

Best practice transfer pricing calculations would have made it clear that neither Bear Stearns nor Lehman Brothers had more than a marginal chance of survival when funding 30 year sub-prime mortgage loans with thirty day borrowings.
... snip ...

and then systemic interaction with credit freezing up

Lehman Failure Seen as Straw Which Broke Credit Market's Back
http://www.financetech.com/news/showArticle.jhtml?articleID=211100066

but there is also the whole crisis & trust confidence in institutions ... in part because of the financial statement fiddling and restatements ... but also because of trust issues in rating services ... especially with a lot of institutions and retirement funds "snapping" up the supposedly safe, triple-A rated toxic CDOs.

GAO has been doing database of increasing number of financial restatements (in spite of SOX). Basically the financials are fiddled in a number of ways to inflate them and executives get bonuses on the inflated financials. Later, the financials may be restated but the bonuses aren't forfeited.

The home owner market would nominally be somewhat indirectly regulated because regulated banks would be making loans from deposits and would keep them on the books. The number of subprime loans that they would nominally be able to make would be limited by the regulators (somewhat like limit on CRA funds).

However, unregulated mortgage originators could leverage the triple-A rating on toxic CDOs to fund their operations and provide subprime loans to any and all comers w/o regard to qualifications (subprime loans having huge demand with speculators planning on flipping the property before the rate reset).

a couple weeks ago one of the tv business news shows had a representative from one of the rating companies to discuss downgrades they were giving some companies. the host spent much of the show trying to get the guest to admit to being responsible for the crisis (because of all the triple-A ratings they had given toxic CDOs).

a business school article from last spring estimated that 1000 executives are responsible for 80 percent of the current crisis and that it would go a long way towards fixing the problem if the government could figure out how they could lose their jobs.

another article from last spring:

The Fed's Too Easy on Wall Street
http://www.businessweek.com/stories/2008-03-19/the-feds-too-easy-on-wall-streetbusinessweek-business-news-stock-market-and-financial-advice

from above:
"The Federal Reserve continues to bail out major financial institutions without imposing meaningful conditions to improve their conduct and performance," complains Peter Morici, professor at the Smith Business School at the University of Maryland.

Here's a staggering figure to contemplate: New York City securities industry firms paid out a total of $137 billion in employee bonuses from 2002 to 2007, according to figures compiled by the New York State Office of the Comptroller. Let's break that down: Wall Street honchos earned a bonus of $9.8 billion in 2002, $15.8 billion in 2003, $18.6 billion in 2004, $25.7 billion in 2005, $33.9 billion in 2006, and $33.2 billion in 2007.

... snip ...

now part of the $700b presumably is to replenish the $137b that wall street sucked out of the infrastructure as reward for their contribution creating the current crisis

so there was wide spread systemic greed in several parts of the infrastructure that had disastrous interaction.

there is some character of a "Winnie-the-Pooh" metaphor in all this ... basically pooh bear disavows all responsibility for irrational behavior around honey ... explaining that he is a bear of no brain at all.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

How much is 700 Billion Dollars??

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: How much is 700 Billion Dollars??
Date: October 12, 2008
Blog: Risk Management
from last spring ...

The Fed's Too Easy on Wall Street
http://www.businessweek.com/stories/2008-03-19/the-feds-too-easy-on-wall-streetbusinessweek-business-news-stock-market-and-financial-advice

from above:
"The Federal Reserve continues to bail out major financial institutions without imposing meaningful conditions to improve their conduct and performance," complains Peter Morici, professor at the Smith Business School at the University of Maryland.

Here's a staggering figure to contemplate: New York City securities industry firms paid out a total of $137 billion in employee bonuses from 2002 to 2007, according to figures compiled by the New York State Office of the Comptroller. Let's break that down: Wall Street honchos earned a bonus of $9.8 billion in 2002, $15.8 billion in 2003, $18.6 billion in 2004, $25.7 billion in 2005, $33.9 billion in 2006, and $33.2 billion in 2007.

... snip ...

now part of the $700b presumably is to replenish the $137b that wall street sucked out of the infrastructure as reward for their contribution creating the current crisis

a little topic drift ...

Asia trumping US on science R&D; Federal funding for research has been falling in real terms. Is the nation's economic edge at stake?
http://features.csmonitor.com/innovation/2008/10/09/asia-trumping-us-on-science-rd/

longer recent/related answer

Does anyone get the idea that those responsible for containing this finanical crisis are doing too much?
http://www.linkedin.com/answers/finance-accounting/economics/FIN_ECO/340229-20738879

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Signposts on the US Government's Trail of IT Failures

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Signposts on the US Government's Trail of IT Failures
Newsgroups: alt.folklore.computers
Date: Sun, 12 Oct 2008 11:32:04 -0400
krw <krw@att.bizzzzzzzzzz> writes:
The F14 is more in line with BAH's comments, I think. It was supposed to be the uber-plane. Instead, it was an overcomplicated brick with engines, designed by congress, that no one else liked.

re:
http://www.garlic.com/~lynn/2008o.html#29 Signposts on the US Government's Trail of IT Failures
http://www.garlic.com/~lynn/2008o.html#30 Signposts on the US Government's Trail of IT Failures

F15 & F18 started out similarly ... and Boyd significantly improved

old reference ... quoting biographies, boyd getting the f15 weight cut in half
http://www.garlic.com/~lynn/2003h.html#57 employee motivation & executive compensation

one of the tactics boyd used was drawing comparisons with the f111 ... past thread
http://www.garlic.com/~lynn/2007h.html#68 John W. Backus, 82, Fortran developer, dies
http://www.garlic.com/~lynn/2007h.html#69 John W. Backus, 82, Fortran developer, dies
http://www.garlic.com/~lynn/2007h.html#70 John W. Backus, 82, Fortran developer, dies

as in the above thread, F14 was done prior to boyd's e-m theory of maneuverability

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

The human plague

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: The human plague
Newsgroups: alt.folklore.computers
Date: Sun, 12 Oct 2008 12:51:42 -0400
re:
http://www.garlic.com/~lynn/2008o.html#31 The human plague

and

Does anyone get the idea that those responsible for containing this finanical crisis are doing too much?
http://www.linkedin.com/answers/finance-accounting/economics/FIN_ECO/340229-20738879
http://www.garlic.com/~lynn/2008o.html#28

from today, somewhat more computer related:

The Rise of the (Financial) Machines
http://news.slashdot.org/news/08/10/12/1146231.shtml

from above:
Somehow the genius quants -- the best and brightest geeks Wall Street firms could buy -- fed $1 trillion in subprime mortgage debt into their supercomputers, added some derivatives, massaged the arrangements with computer algorithms and -- poof! -- created $62 trillion in imaginary wealth.
... snip ...

This assumes that they weren't just trying to purposefully obfuscate what was going on, i.e.

How Wall Street Lied to Its Computers
http://bits.blogs.nytimes.com/2008/09/18/how-wall-streets-quants-lied-to-their-computers//
Subprime = Triple-A ratings? or 'How to Lie with Statistics'
http://www.bloggingstocks.com/2007/07/25/subprime-triple-a-ratings-or-how-to-lie-with-statistics/

The reports are that in the recent Lehman CDS auction, after net settlement, less than 2 percent actually changes hands (i.e. they sold each other large numbers of CDS that net'ed nearly to zero).

So do they get commissions for the CDS? ... significantly inflating bonuses is motivation for fiddling books; Commissions would be motivation for the large number of CDS sold (which would put it somewhat in the same league as stock transaction churn ... i.e. trades purely for the purpose of increasing commissions).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

The human plague

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: The human plague
Newsgroups: alt.folklore.computers
Date: Sun, 12 Oct 2008 16:28:46 -0400
so this claims there was only about $1 trillion in actual subprime
http://news.slashdot.org/news/08/10/12/1146231.shtml The Rise of the (Financial) Machines

past posts reference study that found 61 percent of subprime loans went to people that would qualify for normal loans. first order approx. then is $390b went to owner-occupied, low-income, first time owners. However, the study said number of loans ... not amount of loans. low-income first time owner subprimes were at the low-end of the home owner market ... not the speculation end where the huge ugly pimple/boil price inflation happened. that means that possibly $100b would be more than enuf to outright buy every owner-occupied, low-income, first-time home owner, non-speculation subprime mortgage. reference to $300b passed last summer to mitigate mortgages in trouble:
http://www.garlic.com/~lynn/2008n.html#99 Blinkylights

so of the bailout $1.5trillion and counting ... $100b is possibly more than enuf to cover that underlying issue ... the rest is to cover the mess that wall street, public companies, speculators and financial institutions got themselves into.

there is the upenn business school article from last spring that mentions possibly 1000 executives are responsible for 80% of the current financial mess (and it would go a long way to fixing the mess if the gov. could figure out for them to lose their job).

and recent quote from last week:
"Best practice transfer pricing calculations would have made it clear that neither Bear Stearns nor Lehman Brothers had more than a marginal chance of survival when funding 30 year sub-prime mortgage loans with thirty day borrowings."
... snip ...

I've mentioned the winnie-the-pooh metaphor, on the theory that claiming bear with no brains at all ... absolves them of any responsibility; misc. past posts:
http://www.garlic.com/~lynn/2008n.html#3 Blinkylights
http://www.garlic.com/~lynn/2008n.html#14 Blinkylights
http://www.garlic.com/~lynn/2008n.html#33 Blinkylights
http://www.garlic.com/~lynn/2008n.html#37 Success has many fathers, but failure has the US taxpayer
http://www.garlic.com/~lynn/2008n.html#52 Technology and the current crisis
http://www.garlic.com/~lynn/2008o.html#28 Does anyone get the idea that those responsible for containing this finanical crisis are doing too much?
http://www.garlic.com/~lynn/2008o.html#31 The human plague

another metaphor is the emperor's new clothes parable ... being able to make $1trillion to appear like $62 trillion?
http://www.garlic.com/~lynn/2008o.html#34 The human plague

and
http://news.slashdot.org/news/08/10/12/1146231.shtml The Rise of the (Financial) Machines
http://www.nytimes.com/2008/10/12/opinion/12dooling.html?em The Rise of the Machines

from the above:
Somehow the genius quants -- the best and brightest geeks Wall Street firms could buy -- fed $1 trillion in subprime mortgage debt into their supercomputers, added some derivatives, massaged the arrangements with computer algorithms and -- poof! -- created $62 trillion in imaginary wealth
... snip ...

which references:
http://edge.org/3rd_culture/dysong08.1/dysong08.1_index.html Economic Dis-equilibrium

past reference to emperor's new clothes parable:
http://www.garlic.com/~lynn/2008j.html#20 dollar coins
http://www.garlic.com/~lynn/2008j.html#40 dollar coins
http://www.garlic.com/~lynn/2008j.html#60 dollar coins
http://www.garlic.com/~lynn/2008j.html#69 lack of information accuracy
http://www.garlic.com/~lynn/2008k.html#10 Why do Banks lend poorly in the sub-prime market? Because they are not in Banking!
http://www.garlic.com/~lynn/2008k.html#16 dollar coins
http://www.garlic.com/~lynn/2008k.html#27 dollar coins
http://www.garlic.com/~lynn/2008l.html#42 dollar coins
http://www.garlic.com/~lynn/2008m.html#4 Fraud due to stupid failure to test for negative
http://www.garlic.com/~lynn/2008m.html#12 Fraud due to stupid failure to test for negative
http://www.garlic.com/~lynn/2008m.html#99 Blinkylights

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

VMware Chief Says the OS Is History

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: VMware Chief Says the OS Is History
Newsgroups: alt.folklore.computers
Date: Sun, 12 Oct 2008 17:00:30 -0400
re:
http://www.garlic.com/~lynn/2008n.html#76 VMware Chief Says the OS is History
http://www.garlic.com/~lynn/2008n.html#85 VMware Chief Says the OS is History
http://www.garlic.com/~lynn/2008o.html#3 VMware Chief Says the OS is History

"Black Silicon" Advances Imaging, Solar Energy
http://tech.slashdot.org/tech/08/10/12/1620212.shtml SiOnyx Brings 'Black Silicon' into the Light; Material Could Upend Solar, Imaging Industries Xconomy
http://www.xconomy.com/boston/2008/10/12/sionyx-brings-black-silicon-into-the-light-material-could-upend-solar-imaging-industries/

from above:
... they found that if they blasted the surface of a silicon wafer with an incredibly brief pulse of laser energy in the presence of gaseous sulfur and other dopants, the resulting material—which they called "black silicon"—was much better at absorbing photons and releasing electrons.
... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

The human plague

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: The human plague
Newsgroups: alt.folklore.computers
Date: Sun, 12 Oct 2008 21:35:09 -0400
Carl Flippin <carlf@photocarl.org> writes:
It is irrational to argue that, since the bailout is saving banks from their own folly, we should refuse to do it. The simple fact is that the crisis is not only among major investment banks. Commercial paper is being severely restricted as all the banks pull into their shells and refuse to have anything to do with credit. If we refuse to do anything to resolve the crisis, we will be damaging our whole economy in the process. The bailout is a bitter pill but it's better than dying.

re:
http://www.garlic.com/~lynn/2008o.html#35 The human plague

lots of it involves highly risky unregulated investment banking. the idea behind them being unregulated would be that they would have the complete freedom to take any action they wanted to and be able to succeed or fail based on those actions (basically an economic survival of the fittest). basic, fundamental principle of the paradigm was that 1) they could take any risk they wanted to and 2) they would be allowed to fail.

there is a fundamental argument going on frequently referred to as moral hazard ... allowing unlimited risky behavior with the consequence of failure ... but then not letting them actually fail ... will encourage worse and worse risky behavior.

because of a whole lot of systemic issues ... including the repeal of Glass-Steagall (Glass-Steagall had been passed in the wake of crash of '29 to keep the safety & soundness of regulated banking separate from the highly risky, unregulated investment banking). detailed discussion

The Wall Street Fix
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/

Part of the issue is clearly delineate the risky investment banking activity from the safety & soundness of regulated banking and provide aid to bring those areas back to healthy operation (and allow the risky investment banking activity to succeed or fail on their own avoiding promoting ever increasing risky behavior and moral hazard).

Pumping money into the fissure w/o addressing the underlying systemic problems may actually accelerate overall infrastructure failure (i.e. indiscriminate pumping out money doesn't actually mean that it is doing anything to resolve the crisis).

This is claimed to better directly address the commercial paper credit crisis (only dealing with "safe & sound" regulated financial institutions):

Fed to buy commercial paper in bid to jump-start credit
http://www.breitbart.com/article.php?id=081007145358.da2mju5j&show_article=1

another scenario for not indiscriminately pumping money into the breach

Curing the Credit Crisis: A Better Alternative Plan
http://seekingalpha.com/article/97159-curing-the-credit-crisis-a-better-alternative-plan

above talks about not only lehman and bear-stearns
http://www.garlic.com/~lynn/2008o.html#14 Blinkylights
http://www.garlic.com/~lynn/2008o.html#15 Financial Crisis - the result of uncontrolled Innovation?
http://www.garlic.com/~lynn/2008o.html#18 Once the dust settles, do you think Milton Friedman's economic theories will be laid to rest
http://www.garlic.com/~lynn/2008o.html#26 SOX (Sarbanes-Oxley Act), is this really followed and worthful considering current Financial Crisis?
http://www.garlic.com/~lynn/2008o.html#27 Blinkylights

playing long/short (w/marginal chance of survival) ... but also some of the banks:
Not only did banks lend long to borrowers, banks borrowed short-term CP money to buy collateralized residential and commercial mortgage-backed securities for their own inventories or balance sheets. Banks paid for these toxic assets by issuing commercial paper: They thought it was a great borrow-short/lend-long spread play. But when these short-term loans come due, they can't "roll" them over.
... snip ...

past posts mentioning moral hazard:
http://www.garlic.com/~lynn/2008g.html#64 independent appraisers
http://www.garlic.com/~lynn/2008j.html#71 lack of information accuracy
http://www.garlic.com/~lynn/2008j.html#76 lack of information accuracy
http://www.garlic.com/~lynn/2008k.html#16 dollar coins
http://www.garlic.com/~lynn/2008l.html#51 Monetary affairs on free reign, but the horse has Boulton'd
http://www.garlic.com/~lynn/2008l.html#67 dollar coins
http://www.garlic.com/~lynn/2008m.html#83 Fraud due to stupid failure to test for negative
http://www.garlic.com/~lynn/2008m.html#86 WSJ finds someone to blame.... be skeptical, and tell the WSJ to grow up
http://www.garlic.com/~lynn/2008n.html#0 Blinkylights
http://www.garlic.com/~lynn/2008n.html#3 Blinkylights
http://www.garlic.com/~lynn/2008n.html#65 Whether, in our financial crisis, the prize for being the biggest liar is
http://www.garlic.com/~lynn/2008n.html#69 Another quiet week in finance

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

The human plague

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: The human plague
Newsgroups: alt.folklore.computers
Date: Sun, 12 Oct 2008 22:08:23 -0400
re:
http://www.garlic.com/~lynn/2008o.html#35 The human plague
http://www.garlic.com/~lynn/2008o.html#37 The human plague

hot off the press ... mentioned that in 87, wall street leaders stepped in and took action to help stock market

Wall Street Leaders Missing In Action
http://www.consumeraffairs.com/news04/2008/10/bailout14.html

but ...
In the current crisis, today's Wall Street leaders seem to be hiding, some behind the restrictiveness of the Sarbanes Oxley Act and others because they played a role in problem and are ashamed to be seen in public.
... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

The human plague

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: The human plague
Newsgroups: alt.folklore.computers
Date: Mon, 13 Oct 2008 09:10:24 -0400
Morten Reistad <first@last.name> writes:
You need the employees and middle managers to sort things out, though. They may even have significant raises, because competent bankers are a rare skillset these days, and the demand has just skyrocketed.

re:
http://www.garlic.com/~lynn/2008o.html#37 The human plague
http://www.garlic.com/~lynn/2008o.html#38 The human plague

in the wake of the S&L crisis, one of the criticisms was that in highly regulated, stable environment, there was no real requirement for competence to do the job, bankers could get by just performing their jobs by rote (and so much of the profession became populated by a large number of people that didn't really know what they were doing). when faced with new circumstances/conditions ... they didn't have the understanding to deal with it (somewhat economic survival of the fittest, where so many had grown up fat, dumb & happy). there is some relationship to our criticism with the (then new) qualitative section nearly disappearing from original basel-ii draft. This also somewhat references the "winnie-the-pooh" metaphor.

besides the (triple-A rated) toxic mortgage-backed securities (fueled by the rating agencies giving out all these triple-A ratings) ... there are all these institutions playing unregulated, risky investment banks (repeal of Glass-Steagall which was keeping the safety&soundness of regulated banking separate from the risky unregulated investment banking); there is the observation that lehman and bear-stearns only had a marginal chance of survival playing the risky investment banking long/short game
http://www.garlic.com/~lynn/2008o.html#14 Blinkylights
http://www.garlic.com/~lynn/2008o.html#27 Blinkylights

... but that also applies to a fair number of other financial institutions.

misc. past posts mentioning basel-ii qualitative:
http://www.garlic.com/~lynn/aadsm25.htm#14 Sarbanes-Oxley is what you get when you don't do FC
http://www.garlic.com/~lynn/aadsm28.htm#61 Is Basel 2 out...Basel 3 in?
http://www.garlic.com/~lynn/aadsm28.htm#66 Would the Basel Committee's announced enhancement of Basel II Framework and other steps have prevented the current global financial crisis had they been implemented years ago?
http://www.garlic.com/~lynn/2003k.html#41 An Understanding Database Theory
http://www.garlic.com/~lynn/2005k.html#23 More on garbage
http://www.garlic.com/~lynn/2005t.html#26 Dangerous Hardware
http://www.garlic.com/~lynn/2006u.html#22 AOS: The next big thing in data storage
http://www.garlic.com/~lynn/2007j.html#0 John W. Backus, 82, Fortran developer, dies
http://www.garlic.com/~lynn/2008.html#71 As Expected, Ford Falls From 2nd Place in U.S. Sales
http://www.garlic.com/~lynn/2008.html#78 As Expected, Ford Falls From 2nd Place in U.S. Sales
http://www.garlic.com/~lynn/2008n.html#15 Blinkylights

misc. past posts mentioning Wall Street Fix PBS program on repeal of Glass-Steagall:
http://www.garlic.com/~lynn/2008f.html#13 independent appraisers
http://www.garlic.com/~lynn/2008f.html#46 independent appraisers
http://www.garlic.com/~lynn/2008f.html#71 Bush - place in history
http://www.garlic.com/~lynn/2008f.html#97 Bush - place in history
http://www.garlic.com/~lynn/2008g.html#2 Bush - place in history
http://www.garlic.com/~lynn/2008g.html#51 IBM CEO's remuneration last year ?
http://www.garlic.com/~lynn/2008g.html#66 independent appraisers
http://www.garlic.com/~lynn/2008h.html#89 Credit Crisis Timeline
http://www.garlic.com/~lynn/2008k.html#36 dollar coins
http://www.garlic.com/~lynn/2008k.html#41 dollar coins
http://www.garlic.com/~lynn/2008l.html#67 dollar coins
http://www.garlic.com/~lynn/2008l.html#70 dollar coins
http://www.garlic.com/~lynn/2008m.html#16 Fraud due to stupid failure to test for negative
http://www.garlic.com/~lynn/2008n.html#53 Your thoughts on the following comprehensive bailout plan please
http://www.garlic.com/~lynn/2008n.html#78 Isn't it the Federal Reserve role to oversee the banking system??
http://www.garlic.com/~lynn/2008n.html#82 Fraud in financial institution
http://www.garlic.com/~lynn/2008o.html#18 Once the dust settles, do you think Milton Friedman's economic theories will be laid to rest
http://www.garlic.com/~lynn/2008o.html#19 What's your view of current global financial / economical situation?
http://www.garlic.com/~lynn/2008o.html#28 Does anyone get the idea that those responsible for containing this finanical crisis are doing too much?
http://www.garlic.com/~lynn/2008o.html#37 The human plague

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Signposts on the US Government's Trail of IT Failures

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Signposts on the US Government's Trail of IT Failures
Newsgroups: alt.folklore.computers
Date: Mon, 13 Oct 2008 12:17:14 -0400
t-bone@address.invalid (Stan Barr) writes:
Not just the NHS, almost every govt. department computer system has problems and now they're talking about ID cards - it'll never work!

I blame it on the fact that all the people who _really_ know what they're doing have grown old and retired or got promoted to management.


re:
http://www.garlic.com/~lynn/2008o.html#29 Signposts on the US Government's Trail of IT Failures
http://www.garlic.com/~lynn/2008o.html#30 Signposts on the US Government's Trail of IT Failures
http://www.garlic.com/~lynn/2008o.html#33 Signposts on the US Government's Trail of IT Failures

most of the ID cards are by factions that start out the view that such things are profit ... and then compromises are made to reduce the costs ... but usually not in the area of profits ... frequently in the area of security (trying to preserve profit).

we approached it from the inception that it was costs ... in the mid-90s we made semi-facetious claims that we would take a $500 milspec part and aggressively cost reduce by 2-3 orders of magnitude at the same time increasing the integrity and security.

misc. related to aads chip strawman
http://www.garlic.com/~lynn/x959.html#aads

one of the other issues was that the "card" programs tended to be driven by purely "card" myopic faction (possibly also as part of maximizing card profit) ... which nominally failed to bother with detailed, end-to-end, threat & vulnerability analysis (and where cards might reasonably fit into overall infrastructure). one such was payment infrastructure that started in europe in the mid-90s ... that managed to create the yes card fraud opportunity (i.e. in one meeting somebody made the comment that they managed to spend billions of dollars to prove that chips are less secure than magstripe)
http://www.garlic.com/~lynn/subintegrity.html#yescard

there was one large deployment where the yes card vulnerability was explained and they interpreted it as a characteristic of the distributed cards ... and took action to modify some of the options on the distributed cards. However, that had absolutely no effect on the threat ... since it involved counterfeit cards "attacking" valid terminals (not attacks on valid cards).

one of the other problems, we had got on similar technology track that affected the EPS/UPS RFID chips (make chips smaller and less complex) ... but with (aads chip strawman) maximizing purposeful security characteristics (rather than purely least expensive as possible). a significant issue was that chip manufacturing costs are basically per wafer ... so cost per chip is number/yield of chips per wafer. wafers went from 8in to 12in ... to increase chips/wafer. circuits got smaller ... so chips (with same number of circuits) got smaller. the problem was that there was technology circuits/wafer bump for a period where the area for the slicing&dicing of the wafer started to exceed the chip area (for small chips). it took the introduction of new slicing&dicing technology (that consumed much less wafer area) to get to the next major increment in chips/wafer.

misc. past posts mentioning slicing&dicing wafers:
http://www.garlic.com/~lynn/aadsm20.htm#21 Qualified Certificate Request
http://www.garlic.com/~lynn/aadsm24.htm#29 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#49 Crypto to defend chip IP: snake oil or good idea?
http://www.garlic.com/~lynn/2003i.html#29 electronic-ID and key-generation
http://www.garlic.com/~lynn/2003j.html#30 How is a smartcard created?
http://www.garlic.com/~lynn/2006.html#14 Would multi-core replace SMPs?
http://www.garlic.com/~lynn/2007l.html#13 My Dream PC -- Chip-Based
http://www.garlic.com/~lynn/2007m.html#27 nouns and adjectives
http://www.garlic.com/~lynn/2007m.html#31 nouns and adjectives
http://www.garlic.com/~lynn/2007q.html#34 what does xp do when system is copying
http://www.garlic.com/~lynn/2007q.html#35 what does xp do when system is copying
http://www.garlic.com/~lynn/2007u.html#70 folklore indeed
http://www.garlic.com/~lynn/2008i.html#61 Could you please name sources of information you trust on RFID and/or other Wireless technologies?
http://www.garlic.com/~lynn/2008j.html#44 What is "timesharing" (Re: OS X Finder windows vs terminal window weirdness)

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
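
Added example (not part of the original post): a Python sketch of the per-wafer cost arithmetic described in the post above, showing how the slicing&dicing area (the "street" between chips) caps the gain from shrinking a small chip. The die sizes, street widths, edge exclusion and wafer cost are constructed assumptions, not figures from the post.

```python
import math

def street_fraction(die_mm, street_mm):
    """Fraction of each grid cell consumed by the dicing street, not the chip."""
    pitch = die_mm + street_mm
    return 1.0 - (die_mm * die_mm) / (pitch * pitch)

def dies_per_wafer(wafer_mm, die_mm, street_mm, edge_mm=3.0):
    """Count whole square dies that fit on a round wafer.

    Dies sit on a grid of pitch die+street anchored at the wafer centre;
    edge_mm is an assumed unusable rim. A die counts only if all four
    corners lie inside the usable radius.
    """
    r = wafer_mm / 2.0 - edge_mm
    pitch = die_mm + street_mm
    rows = int(r // pitch) + 1
    total = 0
    for iy in range(-rows, rows):
        y0 = iy * pitch
        far_y = max(abs(y0), abs(y0 + die_mm))   # row edge farthest from centre
        if far_y >= r:
            continue
        half_width = math.sqrt(r * r - far_y * far_y)
        # columns right of centre: ix*pitch + die must stay within half_width
        if half_width >= die_mm:
            total += int((half_width - die_mm) // pitch) + 1
        # columns left of centre: |ix|*pitch must stay within half_width
        total += int(half_width // pitch)
    return total

def cost_per_good_chip(wafer_cost, dies, yield_fraction=1.0):
    """Wafer cost spread over the chips that actually work."""
    return wafer_cost / (dies * yield_fraction)

if __name__ == "__main__":
    WAFER_COST = 3000.0          # constructed figure, same for every row
    cases = [                    # (wafer mm, die mm, street mm) all constructed
        (200, 0.4, 0.10), (200, 0.2, 0.10),   # shrink chip, old dicing
        (200, 0.2, 0.02),                     # same chip, narrow dicing
        (300, 0.2, 0.02),                     # 8in -> 12in wafer
    ]
    for wafer, die, street in cases:
        n = dies_per_wafer(wafer, die, street)
        print(f"{wafer}mm wafer, {die}mm die, {street}mm street: "
              f"{n} dies, street share {street_fraction(die, street):.0%}, "
              f"cost/chip ${cost_per_good_chip(WAFER_COST, n):.4f}")
```

With the wide street, halving the die side quarters the chip area but yields fewer than three times as many chips, because more than half of each grid cell is then dicing area; with the narrow street the gain moves back toward four.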

The human plague

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: The human plague
Newsgroups: alt.folklore.computers
Date: Mon, 13 Oct 2008 13:37:44 -0400
Morten Reistad <first@last.name> writes:
What shall I say? 25+ year Internet experience? Active with Open Source since January 17th, 1979.

(virtual machine) cp67 delivered to univ. jan68 was full open-source so ... 40+yrs virtualization ... plus 40+yrs open source.

it was in large part gov. litigation that resulted in 23jan69 unbundling announcement that started charging for application software, se services, maintenance, etc. they did manage to make the case that kernel software wasn't part of it.
http://www.garlic.com/~lynn/submain.html#unbundle

i had done tty/ascii terminal support at the univ for cp67. then somewhat because the (2702) terminal controller wouldn't do exactly what i wanted ... the univ. started a clone terminal controller project ... initially using interdata/3, reverse engineering the mainframe channel interface ... and building a channel interface board for the interdata/3. four of us got written up for being responsible for initiating the clone controller business.
http://www.garlic.com/~lynn/subtopic.html#360pcm

later, in the 70s, the company started future system project:
http://www.garlic.com/~lynn/submain.html#futuresys
... in large part motivated by clone controller business, an old quote in this recent post:
http://www.garlic.com/~lynn/2008d.html#16 more on (the new 40+ yr old) virtualization

the distraction of future system project contributed significantly to letting clone processors get a foothold in the industry ... quotes from fergus/morris book:
http://www.garlic.com/~lynn/2001f.html#33

in the wake of the future system project failure ... and the mad rush to get (hardware & software) products back into the 370 product pipeline ... contributed to picking up a lot of (370) stuff (for product release) that i had been doing all during the future system period.

some related old email about shipping product releases internally during the period:
http://www.garlic.com/~lynn/2006v.html#email731212
http://www.garlic.com/~lynn/2006w.html#email750102
http://www.garlic.com/~lynn/2006w.html#email750430

however, the foothold by clone processors also contributed to change policy and to start charging for kernel software ... and my resource manager was selected as the guinea pig. as a result i had to spend quite a bit of time with lawyers and business planning people regarding kernel software charging policy and practices. misc. past posts related to resource manager
http://www.garlic.com/~lynn/subtopic.html#fairshare

the internal network
http://www.garlic.com/~lynn/subnetwork.html#internalnet

(as well as virtual machines, gml, bunch of other stuff), originated at the science center
http://www.garlic.com/~lynn/subtopic.html#545tech

and was larger than the internet/arpanet from just about the beginning until possibly summer of 85. misc. old internal network related email
http://www.garlic.com/~lynn/lhwemail.html#vnet

sjr finally put up a gateway between the internal network and csnet in the fall of '82 ... old email ref:
http://www.garlic.com/~lynn/98.html#email821022
http://www.garlic.com/~lynn/internet.htm#email821022

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

The human plague

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: The human plague
Newsgroups: alt.folklore.computers
Date: Mon, 13 Oct 2008 14:13:26 -0400
Morten Reistad <first@last.name> writes:
You _can_ use a long/short gamble (that is what it is) to establish a new bank in town; but you need to time it very well with the business cycle; entering when the boom starts, and be well covered by the time the boom starts to end. All covered in economist literature from Pre-Hoover times.

re:
http://www.garlic.com/~lynn/2008o.html#39 The human plague

funding 30yr ARM mortgage-backed toxic CDOs with 30day commercial paper ... implies that you were making the bet, not once ... but every 30 days. just about guaranteed that there is problem at some point ... Kamakura quote that there is no more than marginal chance of survival (for the parties taking part, not just lehman and bear-stearns, but also all the banks)
http://www.garlic.com/~lynn/2008o.html#14 Blinkylights

analogous scenario in long-winded, decade old post mentioning citibank totally getting out of the mortgage business
http://www.garlic.com/~lynn/aepay3.htm#riskm

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

The human plague

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: The human plague
Newsgroups: alt.folklore.computers
Date: Tue, 14 Oct 2008 10:35:32 -0400
jmfbahciv <jmfbahciv@aol> writes:
A bank called Sovereign was reported yesterday to have been bought outright by a Spanish bank here. But I'm confused. The claim was that this bank did not do the toxic mortgages; so why are they in trouble?

re:
http://www.garlic.com/~lynn/2008o.html#42 The human plague

there was claim that freddie/fannie also didn't do toxic mortgages. that is one of the scenarios of CDOs and investment banking.

it used to be that home owner market was somewhat indirectly regulated because regulated financial institutions would make the loans using deposits and keep the loans on their books. this provided significant motivation to pay attention to loan quality (terms & conditions, borrowers ability to repay, etc).

with the repeal of Glass-Steagall (Glass-Steagall had been passed in the wake of the crash of '29 to keep the safety and soundness of regulated banking separate from the highly risky activity of unregulated investment banking).

now an investment banking unit of a regulated bank could buy triple-A rated highly toxic CDOs ... playing the long/short game ... using funds from issuing 30day commercial paper. Long time past history as well as kamakura financial modeling demonstrates that institutions playing such a long/short game have very little chance of surviving.

unregulated mortgage originators could leverage triple-A rated toxic CDOs to fund their operation and unload all the mortgages they could write (write a mortgage, sell it as part of a toxic CDO and have the funds to write more mortgages). The obfuscation of the triple-A rating and being able to unload any mortgage they could write, pretty much eliminates any motivation to having to pay attention to loan quality. Effectively there is now little motivation not to write no-documentation, no down payment 1-2 percent introductory rate ARMs with possibly interest only payments. Ideal for speculators that would snap them up like mad (buy $1m property, keep it for two yrs and sell for $1.3m, clear $300k, cost of 1% ARM for two yrs is $20k, figure a deal with real estate agent for $20k, net nearly 1000 percent profit).

speculators move in on the home owner market and treat it like the unregulated 1920s stock market. There is enormous ugly inflation pimple/boil in the home owners market ... also the speculation activity makes it look like there is significantly more demand than there actually is. The ugly speculation pimple/boil bursts and prices are deflating back to 2001 level ... and the over supply further depresses the market.

besides investment banking arms possibly playing long/short game with buying up triple-A rated toxic CDOs (using 30day commercial paper) ... banks are making construction loans to builders (as part of trying to meet the speculation demand). The builders start to default (on what would otherwise appear to be good loans) because the homes are taking much longer to sell. consumers have also been encouraged to take out 100 percent equity loans on grossly inflated home values.

A major cornerstone of the whole process is being able to unload mortgages w/o regard to quality as toxic CDOs (obfuscating underlying value) ... significantly further contributing factor is being able to get triple-A rating on those toxic CDOs.

The triple-A rated toxic CDOs, in turn enables huge numbers of mortgages for speculators being able to treat the home owners market like the unregulated 1920s stock market.

The ugly speculation demand pimple/boil results in overbuilding ... after the ugly pimple/boil bursts, the oversupply not only further depresses home prices (potentially past reset when the speculation started), it also contributes to defaults on other kinds of loans like construction loans.

Repeal of Glass-Steagall results in safety&soundness of regulated banks being contaminated by risk behavior of investment banking arms ... like playing the long/short game (with the corresponding marginal chance of surviving), buying triple-A rated toxic CDOs with 30 day commercial paper.

other recent posts in thread:
http://www.garlic.com/~lynn/2008o.html#12 The human plague
http://www.garlic.com/~lynn/2008o.html#31 The human plague
http://www.garlic.com/~lynn/2008o.html#34 The human plague
http://www.garlic.com/~lynn/2008o.html#35 The human plague
http://www.garlic.com/~lynn/2008o.html#37 The human plague
http://www.garlic.com/~lynn/2008o.html#38 The human plague
http://www.garlic.com/~lynn/2008o.html#39 The human plague
http://www.garlic.com/~lynn/2008o.html#41 The human plague

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

The human plague

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: The human plague
Newsgroups: alt.folklore.computers
Date: Tue, 14 Oct 2008 10:40:23 -0400
jmfbahciv <jmfbahciv@aol> writes:
Yet not a whisper of this is coming from any politician's flapping lips. I've been having an argument Glass-Steagall Act had to be eliminated (not updated) so that US banks could compete with foreign banks.

references to recent guest on CSPAN stated that financial industry contributed $250m to congress during the session that repealed Glass-Steagall:
http://www.garlic.com/~lynn/2008n.html#99 Blinkylights
http://www.garlic.com/~lynn/2008o.html#12 The human plague
http://www.garlic.com/~lynn/2008o.html#18 Once the dust settles, do you think Milton Friedman's economic theories will be laid to rest
http://www.garlic.com/~lynn/2008o.html#19 What's your view of current global financial / economical situation?
http://www.garlic.com/~lynn/2008o.html#28 Does anyone get the idea that those responsible for containing this finanical crisis are doing too much?

past references to PBS program discussing the Wall Street Fix repeal of Glass-Steagall:
http://www.garlic.com/~lynn/2008f.html#13 independent appraisers
http://www.garlic.com/~lynn/2008f.html#46 independent appraisers
http://www.garlic.com/~lynn/2008f.html#71 Bush - place in history
http://www.garlic.com/~lynn/2008f.html#97 Bush - place in history
http://www.garlic.com/~lynn/2008g.html#2 Bush - place in history
http://www.garlic.com/~lynn/2008g.html#51 IBM CEO's remuneration last year ?
http://www.garlic.com/~lynn/2008g.html#66 independent appraisers
http://www.garlic.com/~lynn/2008h.html#89 Credit Crisis Timeline
http://www.garlic.com/~lynn/2008k.html#36 dollar coins
http://www.garlic.com/~lynn/2008k.html#41 dollar coins
http://www.garlic.com/~lynn/2008l.html#67 dollar coins
http://www.garlic.com/~lynn/2008l.html#70 dollar coins
http://www.garlic.com/~lynn/2008m.html#16 Fraud due to stupid failure to test for negative
http://www.garlic.com/~lynn/2008n.html#53 Your thoughts on the following comprehensive bailout plan please
http://www.garlic.com/~lynn/2008n.html#78 Isn't it the Federal Reserve role to oversee the banking system??
http://www.garlic.com/~lynn/2008n.html#82 Fraud in financial institution
http://www.garlic.com/~lynn/2008o.html#18 Once the dust settles, do you think Milton Friedman's economic theories will be laid to rest
http://www.garlic.com/~lynn/2008o.html#19 What's your view of current global financial / economical situation?
http://www.garlic.com/~lynn/2008o.html#28 Does anyone get the idea that those responsible for containing this finanical crisis are doing too much?
http://www.garlic.com/~lynn/2008o.html#37 The human plague

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

The human plague

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: The human plague
Newsgroups: alt.folklore.computers
Date: Tue, 14 Oct 2008 11:02:42 -0400
re:
http://www.garlic.com/~lynn/2008o.html#43 The human plague

besides what ugly speculation pimple/boil and resulting burst ... did in general to home owner market ... and prospects of things like defaults on construction loans ... because the homes in the overbuilt market are taking longer to sell ... the ugly effects spreads out into lots of other areas.

municipalities are selling muni bonds (during the speculation pimple/boil) to fund services (water, sewer, etc) for new housing developments ... anticipating revenue from the real estate sales and taxes to cover the bond payments. with the burst in the ugly speculation pimple/boil ... all the anticipated tax revenue isn't materializing ... and there are huge pressures on all these muni bonds.

Also the contamination and loss of trust in the rating services ... associated with all the triple-A ratings given out to (morgage-backed) toxic CDOs ... froze up the bond market for a period ... creating a problem for all bonds ... including muni bonds. Warren Buffet stepped in to loosen up the muni bond market ... but municipalities were still having to pay more to fund the projects (in part because uncertainty and loss of trust in rating service) which would further exacerbate problems with lower than anticipated tax revenues.

some past posts mentioning muni bonds:
http://www.garlic.com/~lynn/2008j.html#9 dollar coins
http://www.garlic.com/~lynn/2008j.html#20 dollar coins
http://www.garlic.com/~lynn/2008j.html#23 dollar coins
http://www.garlic.com/~lynn/2008k.html#16 dollar coins
http://www.garlic.com/~lynn/2008k.html#23 dollar coins

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Anyone still have access to VMTOOLS and TEXTTOOLS?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Anyone still have access to VMTOOLS and TEXTTOOLS?
Date: October 14, 2008
Blog: Greater IBM
wow, TOOLSRUN EXEC ... one of the outcomes/suggestions of the taskforce investigating (& blaming me for) computer conferencing on the internal network.
http://www.garlic.com/~lynn/subnetwork.html#internalnet

started w/support VMTOOLS and later added PCTOOLS.

misc. past posts mentioning TOOLSRUN EXEC
http://www.garlic.com/~lynn/2001c.html#5 what makes a cpu fast
http://www.garlic.com/~lynn/2002d.html#33 LISTSERV(r) on mainframes
http://www.garlic.com/~lynn/2003i.html#18 MVS 3.8
http://www.garlic.com/~lynn/2004o.html#48 Integer types for 128-bit addressing
http://www.garlic.com/~lynn/2005q.html#5 What ever happened to Tandem and NonStop OS ?
http://www.garlic.com/~lynn/2005r.html#22 z/VM Listserv?
http://www.garlic.com/~lynn/2006h.html#9 It's official: "nuke" infected Windows PCs instead of fixing them
http://www.garlic.com/~lynn/2006r.html#11 Was FORTRAN buggy?
http://www.garlic.com/~lynn/2006r.html#16 Was FORTRAN buggy?
http://www.garlic.com/~lynn/2006w.html#35 Top versus bottom posting was Re: IBM sues maker of Intel-based Mainframe clones
http://www.garlic.com/~lynn/2006y.html#10 Why so little parallelism?
http://www.garlic.com/~lynn/2007.html#23 How to write a full-screen Rexx debugger?
http://www.garlic.com/~lynn/2007b.html#7 information utility
http://www.garlic.com/~lynn/2007b.html#31 IBMLink 2000 Finding ESO levels
http://www.garlic.com/~lynn/2007b.html#32 IBMLink 2000 Finding ESO levels
http://www.garlic.com/~lynn/2007b.html#55 IBMLink 2000 Finding ESO levels
http://www.garlic.com/~lynn/2007j.html#54 Using rexx to send an email
http://www.garlic.com/~lynn/2007j.html#70 Using rexx to send an email
http://www.garlic.com/~lynn/2007k.html#20 John W. Backus, 82, Fortran developer, dies
http://www.garlic.com/~lynn/2007p.html#30 Newsweek article--baby boomers and computers
http://www.garlic.com/~lynn/2008i.html#48 Anyone know of some good internet Listserv's?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Will cards with PayPass (from MasterCard) be using CHIP & PIN in the future?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Will cards with PayPass (from MasterCard) be using CHIP & PIN in the future?
Date: October 14, 2008
Blog: Credit Card Professionals
We had been called in to participate in the x9a10 financial standard working group in the mid-90s. It had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments (i.e. ALL, POS, face-to-face, unattended, internet, low-value, high-value, transit, etc) and resulted in the x9.59 financial standard
http://www.garlic.com/~lynn/x959.html#x959

As part of coming up with a framework for ALL, we developed what we called parameterised risk management ... this required a chip at least or much more secure than any chips in current use ... but much less expensive than the cheapest chips in current use ... and a mechanism somewhat similar to the current credit card operation not requiring signature for low-value transactions. The standard works identical whether or not a PIN is entered ... but it is possible for the amount of the transaction to dictate whether a PIN is required or not (in fact the standard parameterised risk management framework even allows that for really high values ... that both a PIN and a biometric might be required ... or that transaction may be only possible from certain types of locations or devices).

Another characteristic of ALL and parameterised risk management framework was not only being able to use the same token for authenticating all kinds of transactions across a broad range of values and integrity requirements .... but to be able to use the identical operation for authenticating non-payment transactions ... i.e. login, access control, approval/agreement etc.

misc. past posts mentioning parameterised risk management:
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo2 QC Bio-info leak?
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo3 QC Bio-info leak?
http://www.garlic.com/~lynn/aadsmore.htm#biosigs biometrics and electronic signatures
http://www.garlic.com/~lynn/aadsm2.htm#stall EU digital signature initiative stalled
http://www.garlic.com/~lynn/aadsm2.htm#strawm3 AADS Strawman
http://www.garlic.com/~lynn/aadsm3.htm#cstech3 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#cstech4 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#cstech5 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#cstech9 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#cstech10 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#kiss2 Common misconceptions, was Re: KISS for PKIX. (Was: RE: ASN.1 vs XML (used to be RE: I-D ACTION :draft-ietf-pkix-scvp-00.txt))
http://www.garlic.com/~lynn/aepay3.htm#x959risk1 Risk Management in AA / draft X9.59
http://www.garlic.com/~lynn/aepay6.htm#x959b X9.59 Electronic Payment standard issue


http://www.garlic.com/~lynn/aadsm12.htm#17 Overcoming the potential downside of TCPA
http://www.garlic.com/~lynn/aadsm19.htm#15 Loss Expectancy in NPV calculations
http://www.garlic.com/~lynn/aadsm19.htm#44 massive data theft at MasterCard processor
http://www.garlic.com/~lynn/aadsm19.htm#46 the limits of crypto and authentication
http://www.garlic.com/~lynn/aadsm21.htm#5 Is there any future for smartcards?
http://www.garlic.com/~lynn/aadsm21.htm#8 simple (&secure??) PW-based web login (was Re: Another entry in the internet security hall of shame....)
http://www.garlic.com/~lynn/aadsm23.htm#1 RSA Adaptive Authentication
http://www.garlic.com/~lynn/aadsm23.htm#27 Chip-and-Pin terminals were replaced by "repairworkers"?
http://www.garlic.com/~lynn/aadsm25.htm#1 Crypto to defend chip IP: snake oil or good idea?
http://www.garlic.com/~lynn/aadsm25.htm#2 Crypto to defend chip IP: snake oil or good idea?
http://www.garlic.com/~lynn/aadsm25.htm#14 Sarbanes-Oxley is what you get when you don't do FC
http://www.garlic.com/~lynn/aadsm26.htm#35 Failure of PKI in messaging
http://www.garlic.com/~lynn/aadsm27.htm#61 Linus: Security is "people wanking around with their opinions"
http://www.garlic.com/~lynn/aadsm28.htm#37 Attack on Brit retail payments -- some takeways
http://www.garlic.com/~lynn/99.html#235 Attacks on a PKI
http://www.garlic.com/~lynn/99.html#238 Attacks on a PKI
http://www.garlic.com/~lynn/2000.html#46 question about PKI...
http://www.garlic.com/~lynn/2000.html#57 RealNames hacked. Firewall issues.
http://www.garlic.com/~lynn/2001.html#73 how old are you guys
http://www.garlic.com/~lynn/2003j.html#33 A Dark Day
http://www.garlic.com/~lynn/2003p.html#26 Sun researchers: Computers do bad math ;)
http://www.garlic.com/~lynn/2004h.html#38 build-robots-which-can-automate-testing dept
http://www.garlic.com/~lynn/2005k.html#23 More on garbage
http://www.garlic.com/~lynn/2006g.html#40 Why are smart cards so dumb?
http://www.garlic.com/~lynn/2006o.html#20 Gen 2 EPC Protocol Approved as ISO 18000-6C
http://www.garlic.com/~lynn/2007t.html#8 Translation of IBM Basic Assembler to C?
http://www.garlic.com/~lynn/2007u.html#5 Public Computers
http://www.garlic.com/~lynn/2007u.html#76 folklore indeed
http://www.garlic.com/~lynn/2008i.html#1 Do you belive Information Security Risk Assessment has shortcoming like
http://www.garlic.com/~lynn/2008i.html#70 Next Generation Security
http://www.garlic.com/~lynn/2008l.html#52 Payments Security in RFS
http://www.garlic.com/~lynn/2008o.html#13 What risk of possible data leakage do you see for your organization?
http://www.garlic.com/~lynn/2008o.html#17 what will be a wow feature in a credit card

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
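
Added example, not part of the original post and not taken from the x9.59 standard: a Python sketch of the parameterised risk management idea described above, where the token check is the same for every request and the amount or operation type selects which extra factors, token integrity and originating environment are required. All tiers, limits, integrity levels and environment names are assumptions made up for illustration.

```python
from dataclasses import dataclass

# Every tier, limit, integrity level and environment name below is constructed
# for illustration; the post gives no concrete values.
ANYWHERE = frozenset({"attended_pos", "unattended", "internet", "transit_gate"})


@dataclass(frozen=True)
class Requirement:
    factors: frozenset         # factors demanded on top of the token itself
    min_token_integrity: int   # hypothetical chip assurance level, 1 (low) to 4
    environments: frozenset    # where the request may originate


# Payment tiers as (upper limit in cents, requirement); None means no upper limit.
PAYMENT_TIERS = (
    (2_500, Requirement(frozenset(), 1, ANYWHERE)),
    (100_000, Requirement(frozenset({"pin"}), 2, ANYWHERE)),
    (None, Requirement(frozenset({"pin", "biometric"}), 3,
                       frozenset({"attended_pos"}))),
)

# Non-payment operations go through the same evaluation with their own parameters.
NON_PAYMENT = {
    "login": Requirement(frozenset({"pin"}), 1, ANYWHERE),
    "access_control": Requirement(frozenset(), 1,
                                  frozenset({"unattended", "attended_pos"})),
    "approval": Requirement(frozenset({"pin", "biometric"}), 3, ANYWHERE),
}


@dataclass(frozen=True)
class Request:
    operation: str             # "payment" or a key of NON_PAYMENT
    token_verified: bool       # result of authenticating the token's response
    token_integrity: int       # assurance level of the token that responded
    factors: frozenset         # factors actually supplied with this request
    environment: str
    amount_cents: int = 0


def requirement_for(req):
    """Pick the risk parameters that apply to this request."""
    if req.operation == "payment":
        if req.amount_cents < 0:
            raise ValueError("negative amount")
        for limit, requirement in PAYMENT_TIERS:
            if limit is None or req.amount_cents <= limit:
                return requirement
    if req.operation not in NON_PAYMENT:
        raise ValueError("unknown operation: " + req.operation)
    return NON_PAYMENT[req.operation]


def evaluate(req):
    """Return (approved, reasons). The token check is identical for every
    operation; only the risk parameters compared afterwards differ."""
    if not req.token_verified:
        return False, ["token authentication failed"]
    need = requirement_for(req)
    reasons = []
    # Supplying more factors than required (a PIN on a low-value purchase)
    # is accepted; only missing factors count against the request.
    missing = need.factors - req.factors
    if missing:
        reasons.append("missing factor(s): " + ", ".join(sorted(missing)))
    if req.token_integrity < need.min_token_integrity:
        reasons.append("token integrity %d below required %d"
                       % (req.token_integrity, need.min_token_integrity))
    if req.environment not in need.environments:
        reasons.append("environment not permitted: " + req.environment)
    return not reasons, reasons
```
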

The Univac 110x Architecture Still Lives

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: The Univac 110x Architecture Still Lives
Newsgroups: alt.folklore.computers
Date: Wed, 15 Oct 2008 13:13:33 -0400
"Del Cecchi" <delcecchiofthenorth@gmail.com> writes:
I didn't think much of the idea either. But the Server guys had a lot of clout since systems were pretty profitable and chips weren't as much.

note that similar competitive things went on internally ... like highend getting chip allocation cut for some mid-range systems when (clustered) mid-range was starting to eat into some of the highend market segment.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Discussions areas, private message silos, and how far we've come since 199x

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Discussions areas, private message silos, and how far we've come since 199x
Date: October 15, 2008
Blog: Greater IBM
I got blamed for computer conferencing on the internal network in the late 70s and early 80s ... the internal network was larger than the arpanet/internet from just about the beginning until possibly summer of '85.

there was then a taskforce investigating this "new" phenomenon ... one of the outcomes was "TOOLSRUN EXEC" which was used for things like VMTOOLS and later PCTOOLS.

Also there was a researcher paid to sit in the back of my office for nine months to take notes on how I communicated; telephone, face-to-face, email, instant messages, etc ... they also got copies of all my incoming and outgoing email as well as logs of all instant messages. The material was used for a research report, a number of papers and books ... including stanford phd thesis in the area of computer mediated communication (joint between computer AI and language).

misc past posts mentioning computer mediated communication
http://www.garlic.com/~lynn/subnetwork.html#cmc

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Old XDS Sigma stuff

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Old XDS Sigma stuff
Newsgroups: alt.folklore.computers
Date: Wed, 15 Oct 2008 21:49:33 -0400
Peter Flass <Peter_Flass@Yahoo.com> writes:
I'm not sure of the definitions, but OS/360 did full dynamic linking via the LINK, LOAD, and XCTL macros. This did full relocation. What is "full resolving?" The OS equivalent of a path is the JOBLIB and STEPLIB DD concatenations, and it would search these for the appropriate module. The only distinction is that (IIRC) these weren't shared modules - shared among tasks of a job but not between jobs, because I don't think there was a shared memory area until later.

tss/360 in the mid-60s for 360/67 with virtual memory support. its format had stuff for paged image of executables loading at different (virtual) address locations.

os/360 was real storage, images out on disk had "RLD" values which were resolved at the time things were fetched into real storage (i.e. lots of modification to executable images after fetched into real storage). it was "shared" in the sense that it was a single (real) storage address space (stuff like "shared" in real memory address space, for resident linklib modules).

cp67/cms was done at the science center for 360/67 also using virtual memory support. however, cms ran in single virtual address spaces ... and used lots of applications and code borrowed from os/360. cp67/cms beat out tss/360 because 1) had significantly better performance and 2) it provided virtual machine support for running other types of operating systems.

cp67/cms with 30 cms (emulating) users doing mixed-mode fortran program, edit, compile and execution ... had better performance than 4 tss/360 emulated users doing the same workload. Big part was that tss/360 was a (relatively) big storage hog (512kbyte, 768kbyte, 1mbyte real storage configuration machines).

this was in spring of '68 ... even before i started doing a lot of my performance, pathlength optimization, fastpath, and dynamic adaptive algorithm work on cp67&cms.

later at the science center
http://www.garlic.com/~lynn/subtopic.html#545tech

in the early 70s, for cp67/cms i did (cms) page mapped filesystem some old posts
http://www.garlic.com/~lynn/submain.html#mmap

as well as a bunch of shared memory/segment enhancements ... and then started work converting from cp67 to vm370 ... old email reference
http://www.garlic.com/~lynn/2006v.html#email731212
http://www.garlic.com/~lynn/2006w.html#email750102
http://www.garlic.com/~lynn/2006w.html#email750430

I did implementations analogous to tss/360 that allowed executable images on disk to be page mapped to arbitrary address locations in virtual memory. It was constant uphill battle to compensate for all the os/360 oriented applications that were designed to swizzle all the stuff after it had been fetched into memory. Further complicating was that I was trying to allow same exact shared image to simultaneously appear at different virtual addresses in different virtual address spaces. lots of past posts mentioning all the problems i had to fiddle all these location dependencies
http://www.garlic.com/~lynn/submain.html#adcon

i was having fun at the science center on the 4th flr of 545 tech sq. ... sometimes joking that i was attempting to do as much as the multics group was doing on the 5th flr.

as initial part of os/360 migration to virtual memory on 370 ... os/vs2 SVS (single virtual storage) ... started out with MVT (from os/360) moved into a single 16mbyte virtual address space and a little bit of relocation hardware support cobbled into the side of MVT (most of MVT acted as if it was running on a real machine with 16mbyte real storage machine).

the other part of that transition involved channel program translation. 360,370,etc i/o channel programs used real addresses. cp67 supporting virtual machine address spaces ... had to "scan" the channel program from the virtual machine, make a complete copy ... and substitute "real" addresses for the virtual machine's virtual addresses.

the transition from MVT to SVS faced a similar problem ... standard os/360 MVT i/o involved applications creating channel programs ... including application addresses and then invoking the supervisor (EXCP/SVC0) for executing the channel program. In the transition to SVC ... the EXCP/SVC supervisor handling had to perform the same translation/copy function. The initial prototypes for SVS involved modified version of MVT running on 360/67 with a copy of the cp67 (channel program translation) CCWTRANS cobbled into the side of MVT.

In any case, the MVT "sharing" convention was preserved in SVS since the single real storage was traded for a single virtual address space. I actually "lost" a technology battle with the OS/VS2 group ... initially for SVS ... but carried into MVS. I tried to convey to the group the concept of least recently used page replacement algorithm. the VS2 group had modeled that selecting a non-changed page for replacement ... involved less work and less latency (didn't require first writing the page out to make the real storage slot available). My argument was that perverted the principle of least recently used page replacement (since a changed page might be much lower usage than a non-changed page).

The resident linklib modules easily carried over directly from MVT to os/vs2 svs. In the migration from os/vs2 SVS to MVS (multiple virtual storage, basically a unique virtual address space per application) ... the long history of single address space (real and virtual) left a legacy of large amounts of code that was dependent on pointer-passing. For MVS, the kernel and resident linklib was combined into a 8mbyte area that appeared in every application 16mbyte (i.e. half) virtual address space. It was well into the MVS product cycle before they realized that they were selecting, for replacement, high-usage, shared non-changed executable (like shared linklib) before private (possibly low usage) application changed pages.

The distinction for resident (shared) linklib started out (mvt, svs, mvs) being initialized at kernel boot.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
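
Added example, not part of the original post and not code from any of the systems it names: a small Python simulation of the page replacement argument above, comparing strict least-recently-used replacement with a policy that always takes a non-changed page first. The frame count, the reference trace (one heavily used read-only shared page plus private pages that are each written once) and the policy names are constructed assumptions.

```python
from collections import OrderedDict


def simulate(trace, nframes, policy):
    """Replay (page, is_write) references through nframes real page frames.

    policy "lru": replace the least recently used page.
    policy "prefer_unchanged": replace the least recently used non-changed
    page if there is one, otherwise the least recently used changed page.
    """
    if policy not in ("lru", "prefer_unchanged"):
        raise ValueError("unknown policy: " + policy)
    frames = OrderedDict()      # page -> changed flag, oldest reference first
    stats = {"faults": 0, "page_writes": 0, "faults_by_page": {}}
    for page, is_write in trace:
        if page in frames:
            # Hit: remember any change and mark the page most recently used.
            frames[page] = frames[page] or is_write
            frames.move_to_end(page)
            continue
        stats["faults"] += 1
        by_page = stats["faults_by_page"]
        by_page[page] = by_page.get(page, 0) + 1
        if len(frames) >= nframes:
            victim = next(iter(frames))            # strict LRU choice
            if policy == "prefer_unchanged":
                # Take the oldest non-changed page instead, if any exists.
                victim = next((p for p, changed in frames.items()
                               if not changed), victim)
            if frames.pop(victim):
                stats["page_writes"] += 1          # changed page written out first
        frames[page] = is_write
    return stats


def sample_trace(n_private=4):
    """Constructed workload: a shared, never-changed 'linklib' page referenced
    between every private page, each private page being written exactly once."""
    trace = []
    for i in range(1, n_private + 1):
        trace.append(("linklib", False))
        trace.append(("private%d" % i, True))
    trace.append(("linklib", False))
    return trace


def compare(nframes=3):
    """Run both policies over the same constructed trace."""
    trace = sample_trace()
    return {policy: simulate(trace, nframes, policy)
            for policy in ("lru", "prefer_unchanged")}


if __name__ == "__main__":
    for policy, stats in compare().items():
        print(policy, stats)
```

On this trace both policies write out the same number of changed pages, but the non-changed-first policy keeps replacing the high-usage shared page and takes extra faults to bring it back.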

Why are some banks failing, and others aren't?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Why are some banks failing, and others aren't?
Date: October 15, 2008
Blog: Risk Management
Regulated commercial banks have pretty much been held to standards ... like lending from deposits. Some of these are going to have problems with economy downturn.

Unregulated investment banks are supposed to be able to do whatever they want ... and were supposed to be allowed to fail based on their actions.

In the wake of the crash of '29, Glass-Steagall was passed to keep the safety&soundness of regulated banking separate from the risky unregulated investment banking. A decade ago Glass-Steagall was repealed ... PBS program discussing the wall street fix:
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet

So besides the independent unregulated investment banks ... other regulated institutions started showing up with investment banking units.

Recent comment about some of the practices of investment banking units (not just Bear Stearns and Lehman)
Best practice transfer pricing calculations would have made it clear that neither Bear Stearns nor Lehman Brothers had more than a marginal chance of survival when funding 30 year sub-prime mortgage loans with thirty day borrowings.
....

There was a separate issue about the 30yr subprime mortgages having been packaged as toxic CDOs and then got triple-A ratings. However, funding long term purchases with short-term borrowing has a long history of bringing down institutions ... related article from sf fed (not just institutions, but countries also)
http://www.frbsf.org/economic-research/publications/economic-letter/2000/september/short-term-international-borrowing-and-financial-fragility/

and a related yr old article talking about a lot of financial institutions carrying a lot of such transactions offbalance (and may be still lurking):
http://www.forbes.com/2007/11/13/citigroup-suntrust-siv-ent-fin-cx_bh_1113hamiltonmatch.html

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Why is sub-prime crisis of America called the sub-prime crisis?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Why is sub-prime crisis of America called the sub-prime crisis?
Date: October 16, 2008
Blog: Corporate Debt
There were two sides of this ... with toxic CDOs getting triple-A credit ratings, sitting in the middle.

Toxic CDOs were used two decades ago (during S&L crisis) to package up low-value mortgages, obfuscate the underlying value ... and sell the toxic CDOs at much higher value than warranted by the underlying properties. In the current scenario, the obfuscated, toxic CDO underlying value was further obfuscated by triple-A credit ratings.

It used to be that home owner market was indirectly regulated, loans would be by regulated financial institutions using deposits ... and they would keep the mortgages on their books ... so there was significant motivation to pay attention to loan quality.

With triple-A rated, toxic CDOs, unregulated mortgage originators could fund their operations as well as unload mortgages off their books almost immediately. As a result there was little motivation to pay attention to loan quality. Sub-prime mortgages were normally targeted at low-income, first time home buyers. However, no-documentation, no downpayment, 1-2 percent introductory rate ARMs, possibly with interest only payments ... started to be picked up by speculators. Speculators were able to treat the home owners market like the unregulated 1920s stock market with these sub-prime mortgages. As a result of the speculation, there was a huge, ugly pimple/boil inflation in the home owner market (a lot of market segments where you wouldn't ever find low-income, first time home owners).

Plot avg. home prices as well as avg. home prices as percent of avg. salary going back to 1970. There is start of huge, ugly speculation pimple/boil inflation in the home owner market starting in the early part of this decade and has only about halfway deflated (boil is much more appropriate than bubble since the underlying factors are a lot more putrid than what would be found in bubble).

The speculation also created the impression that demand was much larger than it actually was. As a result there were a lot of institutions doing "normal" borrowing as part of meeting this demand; builder getting construction loans putting up housing projects, strip malls, etc ... to meet this (apparent) big spike in demand. The boil bursts and the real estate isn't selling, and they are getting into trouble paying off loans.

There were also municipalities selling bonds as part of putting in utilities (sewer, water, roads, etc) for all these new developments. They are running into problems because the real estate hasn't sold, and therefore the tax revenue is slow to materialize to make payments on the bonds. Earlier this year the bond market also froze up because loss of confidence in the rating agencies (after they had given out all those triple-A rating on toxic CDOs, which created a lot of ambiguity in value of the bonds). Warren Buffett stepped in to at least unfreeze the municipal bond market.

On the institutional side of the triple-A rated toxic CDOs, there are unregulated investment banks and/or investment banking arms of regulated banks heavily leveraged buying up these (subprime mortgage backed) triple-A rated toxic CDOs (some cases leveraged 50-80 times).

There are also institutions using short term 30day commercial paper to buy these (30yr sub-prime mortgage backed) triple-A rated toxic CDOs ... recent quote:
Best practice transfer pricing calculations would have made it clear that neither Bear Stearns nor Lehman Brothers had more than a marginal chance of survival when funding 30 year sub-prime mortgage loans with thirty day borrowings.
... there are examples dating back centuries of institutions and countries going under, playing the game using short term borrowing to fund long term investments.

on the institution side (of triple-A rated toxic CDOs) playing long/short mismatch .... recent related answer
http://www.linkedin.com/answers/management/organizational-development/MGM_ODV/343639-20737334

along with a couple URLs discussing institutions/countries playing the long/short mismatch
http://www.frbsf.org/economic-research/publications/economic-letter/2000/september/short-term-international-borrowing-and-financial-fragility/
http://www.forbes.com/2007/11/13/citigroup-suntrust-siv-ent-fin-cx_bh_1113hamiltonmatch.html

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Old XDS Sigma stuff

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Old XDS Sigma stuff
Newsgroups: alt.folklore.computers
Date: Thu, 16 Oct 2008 09:10:44 -0400
Peter Flass <Peter_Flass@Yahoo.com> writes:
My doubt was over whether the shared memory stuff was part of the early releases. My distant recollection is that originally only the LINKLIB directory entries (BLDL) were resident.

re:
http://www.garlic.com/~lynn/2008o.html#50 Old XDS Sigma stuff

when i was undergraduate and doing a lot of os/360 performance optimization (first mft and then mvt), I was doing some heuristic stuff about what went in BLDL list (resident memory) as well as carefully ordering other stuff on disk (to optimize disk avg. arm seek). Along the way, IBM provided me an internal trace/use tool that gave count of linklib member usage. I used this to further refine BLDL list as well as careful placement of stuff on disk. For the typical univ. workload, I could get a 300 percent thruput improvement. Old post with reference to share presentation about the os/360 improvements as well as os/360 thruput under cp67
http://www.garlic.com/~lynn/94.html#18 CP/67 & OS MFT14

there was memory shared stuff, in the sense there was single address space ... real address for mvt, and single virtual address space for os/vs2 svs. it wasn't until os/vs2 mvs that there was multiple virtual address spaces (i.e. Multiple Virtual Storage).

The single address space promoted the extensive use of pointer-passing convention. this legacy resulted in the common segment in mvs. there were some number of "subsystems" that resided outside the kernel, used by applications. in the move to mvs ... kernel (and related stuff) occupied 8mbyte of every (application) 16mbyte virtual address space (kernel code could take passed parameters and directly address application space parameters). However "subsystems" moved into their own virtual address space ... but still had a requirement to take application passed pointers and directly access parameters in the application virtual address space.

The solution was the "common segment" that started out as one mbyte ... also in every virtual address space ... where applications could stuff parameters and pass pointers ... which subsystems could directly address. Over time, as subsystems proliferated, the size of "common segment" grew until it wasn't unusual to be five mbytes (and growing on some systems). Out of every 16mbyte application virtual address space, 8mbytes was taken up by the "kernel" and five mbytes was being taken by the "common segment" ... leaving only three mbytes for actual application use.

This problem ("common segment" size growing out of control) was getting so bad, that "dual-address" space mode was introduced for 3033. This allowed for pointers to be passed to semi-privileged subsystems (running in different virtual address space) and use dual-address space mode to directly address parameters in the application virtual address space (w/o requiring them to be in common segment).

"dual-address" space was later generalized with access registers and program call/return instructions. "dual-address" space required kernel call to change the virtual address space pointers before switching address spaces. program call/return instructions referenced a kernel table that specified the rules for changing address space pointers. among other things it enabled all sorts of library code to be moved into their own virtual address space ... which could be then directly called w/o having the overhead of passing thru kernel. this sort of represents a form of "shared memory" stuff ... except the "shared memory" no longer exists inside the application virtual address space.

past posts mentioning "dual-address" space:
http://www.garlic.com/~lynn/2008c.html#33 New Opcodes
http://www.garlic.com/~lynn/2008c.html#35 New Opcodes
http://www.garlic.com/~lynn/2008d.html#69 Regarding the virtual machines
http://www.garlic.com/~lynn/2008e.html#14 Kernels
http://www.garlic.com/~lynn/2008e.html#33 IBM Preview of z/OS V1.10
http://www.garlic.com/~lynn/2008g.html#60 Different Implementations of VLIW
http://www.garlic.com/~lynn/2008h.html#29 DB2 & z/OS Dissertation Research
http://www.garlic.com/~lynn/2008i.html#52 Microsoft versus Digital Equipment Corporation
http://www.garlic.com/~lynn/2008l.html#45 z/OS BIND9 DNS Vulnerable to Cache Poisoning Attack Problem?
http://www.garlic.com/~lynn/2008l.html#83 old 370 info

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Discussions areas, private message silos, and how far we've come since 199x

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Discussions areas, private message silos, and how far we've come since 199x
Date: October 16, 2008
Blog: Greater IBM
The internal network passed 1000 nodes in 1983 (much larger than arpanet/internet which was around 255 nodes); these were mainframe nodes with hundreds and/or thousands of individuals per node.

Old post with some references to the internal network in 1983 ... including list of all worldwide locations that added one or more network nodes in 1983:
http://www.garlic.com/~lynn/2006k.html#8

Somewhere on the computer history site, the inventor of REXX has story of effectively being able to use the world wide internal network as an aide to distributed development in the late 70s (send out new versions, get almost immediate feedback, suggestions for further enhancements, etc).

One of the problems the internal network had was corporate requirement that all links that left corporate property had to be encrypted. At one point in the mid-80s, there was claim that the internal network had more than half of all link encryptors in the world. Part of the problem were govs. restrictions on the use of encryption. This showed up with links that were between sites in the same country. It really got complex, when it involved links between sites in different countries ... and there were different govs. involved.

For other drift, picture of desk ornament commemorating 1000th node on the internal network
http://www.garlic.com/~lynn/2008m.html#35

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Virtual

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Virtual
Newsgroups: bit.listserv.ibm-main
Date: Thu, 16 Oct 2008 11:59:07 -0400
PaulGBoulder@AIM.COM (Paul Gilmartin) writes:
Understood. But is this because z/VM does a superior job of providing virtual images of the underlying hardware, or because z/VM provides images of an architecture superior to that hardware. z/VM becomes something like another layer of microcode.

I glanced at Sine Nomine's page about OpenSolaris for Z. There's a prominent restriction that it runs only under z/VM, not in an LPAR. So it exploits a CP feature. An easy conjecture, with no evidence, is that it uses CP Block DASD I/O to bypass the complexities of CKD channel programs.

Then, is it fairer to compare VMWare to z/VM or to PR/SM?

Is OpenSolaris for z eligible for IFL?

Thinking about the recurrent chatter about FBA, might something akin to CP Block I/O be moved into PR/SM to provide FBA emulation or other device type imaging?


various unix ports dating back to at least the early 80s ... like UCLA locus port for aix/370 ... were done for vm370 ... not because of the complexity of CKD channel programs vis-a-vis block i/o ... but because of being able to leverage vm to meet error recover and EREP requirements ... which represented a much, much larger body of code (than straight device driver).

dating back to original cp67 & cms ... CKD disks had been treated as logical block devices ... with simplified, stylized CKD channel programs. But the lines-of-code to meet error recovery and EREP requirements was significantly larger than the much simpler and smaller inline device driver code.

Part of the past FBA wasn't so much about the complexity of the inline device driver code ... but as part of the FBA simplification, significant amount of device physical characteristics were abstracted. This eliminated a lot of release-to-release transitions and significant new device driver support code that came with every small change in CKD product.

In the middle of the FBA wars ... i had offered driver support to the MVS device support group. They replied that even fully tested and integrated code ... there was still a $26m bill for documentation and training ... which I needed a business case for. At the time, the simplified scenario was that a business case required incremental, new product sales (as opposed to long term infrastructure cost savings). Their scenario was that FBA support would just result in the same amount of disk being sold as FBA rather than CKD ... resulting in no incremental business case to cover the $26m cost for MVS supporting FBA.

misc. past posts mentioning CKD and/or FBA issues
http://www.garlic.com/~lynn/submain.html#dasd

I was also allowed to play disk engineer in bldg. 14 (disk engineering) and bldg 15 (disk product test). One of the issues was that they were doing mainframe "stand-alone", dedicated machine testing (i.e. each test required prescheduled, dedicated machine time). They had tried running MVS on the machines (looking to possibly being able to perform multiple concurrent tests and eliminate the dedicated machine time test bottleneck). However, standard MVS product had 15min MTBF in that environment. I undertook to rewrite i/o supervisor to create bullet proof error recovery and operation ... enabling multiple concurrent testing to be done in operating system environment (and eliminating the dedicated machine time scheduling development bottlenecks). misc. past posts mentioning getting to play disk engineer
http://www.garlic.com/~lynn/subtopic.html#disk

I had originally done simplified "block i/o" interface for CMS & CP67 as pathlength reduction as an undergraduate in the 60s.

Later in the early 70s, for CP67/CMS, I did a much more powerful, flexible, lower overhead, and higher thruput API that supported page mapped operations (even more simplified than FBA channel programs, much lower pathlength, and much more opportunity for thruput optimization). On the CMS side of the API, I then implemented a paged mapped filesystem. Later I migrated the changes to vm370 ... some old email from the period
http://www.garlic.com/~lynn/2006v.html#email731212
http://www.garlic.com/~lynn/2006w.html#email750102
http://www.garlic.com/~lynn/2006w.html#email750430

Later tests on 3380s, with light to moderate disk intensive CMS applications, I could get something like three times the thruput than best case with standard block I/O. The thruput advantage increased further as applications became more & more disk intensive. misc. past posts mentioning page mapped filesystem work
http://www.garlic.com/~lynn/submain.html#mmap

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Virtual

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Virtual
Newsgroups: bit.listserv.ibm-main
Date: Thu, 16 Oct 2008 14:08:19 -0400
joarmc@SWBELL.NET (John McKown) writes:
That is something that I thought was very interesting. It is not as necessary on a single z. But it would be wonderful if a multi-CEC environment could transparently move a guest from a z/VM on one system to a z/VM on a different system without the necessity of any kind of an outage. Now that would be NICE!

at least one of the (cp67/vm370) virtual machine based commercial timesharing service bureaus did this in the mid-70s. it started out with being able to migrate all the virtual memory as well as the in-storage control blocks to shared disks in loosely-coupled environment ... and bring it back into another processor complex. it was then enhanced to be able to also transfer necessary information across a coast-to-coast transmission link. lots of past posts mentioning virtual machine based commercial timesharing service bureaus from the period
http://www.garlic.com/~lynn/submain.html#timeshare

at least one of the implementations was by one of the co-op students mentioned in this old email
http://www.garlic.com/~lynn/2006v.html#email731212

that helped me with migrating several enhancements from cp67 to vm370. he had graduated and joined one of the timesharing service bureaus and re-implemented some of the stuff from scratch ... including several things that I only distributed internal (and never made it out in customer products) ... old email references:
http://www.garlic.com/~lynn/2006w.html#email750102
http://www.garlic.com/~lynn/2006w.html#email750430

along with some enhancements to the mechanism that migrated kernel virtual machine control blocks to secondary storage.

An analogous set of loosely-coupled enhancements were done later for the internal (virtual machine based) HONE system ... which provided world-wide sales & marketing support ... misc. past posts mentioning HONE
http://www.garlic.com/~lynn/subtopic.html#hone

The virtual machine based commercial timesharing service bureaus had been moving into 7x24 operation with customers around the world. In this period there was still significantly monthly preventive maintenance activity, which required removing systems from service. Being able to transparently migrate virtual machines across complexes in loosely-coupled environment ... allowed maintenance activity to occur while totally masking the associated system outages.

Minor topic drift ... in this period, my wife had been con'ed into going to POK to be in charge of loosely-coupled architecture. while there she had originated peer-coupled shared data architecture ... which, except for IMS hot-standby, saw very little uptake until sysplex (contributed to her not staying very long in the position) ... misc. past posts
http://www.garlic.com/~lynn/submain.html#shareddata

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Virtual

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Virtual
Newsgroups: bit.listserv.ibm-main
Date: Thu, 16 Oct 2008 14:40:27 -0400
Thomas.Kern@HQ.DOE.GOV (Thomas Kern) writes:
I thought the early prototype of this was the Single-System-Image code written at University of Waterloo back in the early 1980's. I tried to convince management that it would be cheaper to use it to glue together a slew of surplus 4341s than some of the other alternatives.

re:
http://www.garlic.com/~lynn/2008o.html#55 Virtual
http://www.garlic.com/~lynn/2008o.html#56 Virtual

Separate from the virtual machine based commercial timesharing service bureaus
http://www.garlic.com/~lynn/submain.html#timeshare

As part of consolidating the several US HONE datacenters in a single location (northern cal) in the mid-70s ... there was work on supporting single-system image.
http://www.garlic.com/~lynn/subtopic.html#hone

By 78/79 there was front-end load balancing and other single-system-image support ... across multiple multiprocessor machines in large loosely-coupled environment (at the time, possibly the largest single-system-image operation anywhere). Then because of natural disaster considerations ... the load-balancing was extended to a replicated 2nd HONE datacenter in Dallas and then a replicated 3rd HONE datacenter in Boulder (there were approaching 40k defined userid on the US HONE system complex ... and mainframe orders couldn't even be submitted w/o first having been processed by HONE).

Note that while the HONE support provided load balancing across the complex and various other single-system-image transparency ... it didn't support process (virtual machine) migration between different machines in loosely-coupled complex.

In the very early 80s, SJR started a 4341 vm-based cluster project using 3088/trotter (this was before moving up the hill to almaden). One of the big problems before being released as a product, they had to migrate the implementation to standard SNA protocol. This had disastrous effects on the cluster operation efficiency. For instance, the original cluster synchronization process that took very small subsecond elapsed time, increased two orders of magnitude when migrated to standard SNA protocol (over 30 seconds elapsed time).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Everyone is getting same deal out of life: babyboomers can't retire but they get SS benefits intact

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Everyone is getting same deal out of life: babyboomers can't retire but they get SS benefits intact
Date: October 16, 2008
Blog: Equity Markets
The big baby boomer bubble is coming up for retirement ... increasing the number of retired by something like four times.

There are articles that the following generation is only a little over half as large as the baby boomers. This changes the ratio of retirees to workers by a factor of eight times. It is the workers that are paying all the taxes that are being used to provide the retiree benefits (the current paradigm is a lot more palatable with the ratio of workers per retirees being eight times larger, but all that is likely to change when the full effect of the baby boomer retirements starts to kick in).

There are also issues claiming that the avg skill level of the following generation is a lot lower (besides there being only about half as many) ... with all the statistics about education levels, proficiency tests, math/science scores, etc being in steady decline for the past 30 yrs (and therefore likelihood of lower earning power).

There are numerous unanticipated effects.

A year ago, there was a show looking at number of oil field development projects ... and the claim was that given the demand, the number of projects are only about 2/3rds what would normally be expected. The explanation was that the typical oil field development project took 7-8 yrs and there weren't going to be enough people available to complete more projects.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Virtual

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Virtual
Newsgroups: bit.listserv.ibm-main
Date: Fri, 17 Oct 2008 08:46:02 -0400
re:
http://www.garlic.com/~lynn/2008o.html#55 Virtual
http://www.garlic.com/~lynn/2008o.html#56 Virtual
http://www.garlic.com/~lynn/2008o.html#57 Virtual

and from long ago and far away

Date: 05/19/82 10:33:28
To: wheeler

Lynn,
The Endicott Prog Center has a proposal to support a collection of VM systems with Single System Image and Continuous Availability for CMS and VM Subsystem users. The proposal is called VMC, for VM Clusters.

XXXX, SPD High Availability Systems Project Office Manager, and I will be in San Jose on 6/8/82 to (among other things) present VMC to Research. YYYY is hosting the meeting. I hope you can attend. If not I'd like to make other arrangements to show you this proposal.

... snip ...

for other drift ... later in the decade, my wife & I started on the ha/cmp (high-availability/cluster multiprocessor) product ... but rs/6000 based ...
http://www.garlic.com/~lynn/subtopic.html#hacmp
some old email on ha/cmp cluster scaleup
http://www.garlic.com/~lynn/lhwemail.html#medusa

old post with mention of effort
http://www.garlic.com/~lynn/95.html#13

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Biometric Credit cards

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Biometric Credit cards
Date: October 17, 2008
Blog: Credit Card Professionals
one of the things we did as part of x9.59 financial transaction standard was to delineate to both generalize the kinds of transactions as well as the kinds of authentication .... after having been called in to consult with a small client/server startup that wanted to do payments on their server (they also had this technology called SSL and the result is now frequently referred to as electronic commerce), we were asked to participate in the x9a10 financial standard working group in the mid-90s. X9A10 had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments. This was all in all kinds of environments, POS, face-to-face, unattended, internet, metro .... as well as all kinds of values, low-value, high-value, etc. Part of this generalized solution was a framework that we called parameterised risk management.

From 3-factor authentication paradigm ... misc. past posts
http://www.garlic.com/~lynn/subintegrity.html#3factor

X9.59, in conjunction with parameterised risk management framework, works in all possible environments and with one or more authentication factors ... as well as option of allowing not only broad variety of end-user authentication ... but can also support secondary authentication of the environment that the transaction is performed in.

The issue with respect to biometric authentication and parameterised risk management ... is the integrity evaluation of the particular biometric being used ... and whether or not it is only single factor authentication or multiple factor authentication.

A trivial example is a hardware token that might be used both in contact mode as well as contactless mode ... and might be used in single factor authentication operation in contactless mode at transit turnstile (for low-value transaction) ... but same hardware token could be used in contactless mode in conjunction with PIN (or biometric) at POS (or internet) for higher value transactions requiring multi-factor authentication. For even higher value transactions ... there could be provisions for the transaction environment/terminal to also authenticate.

x9.59 financial transaction standard reference
http://www.garlic.com/~lynn/x959.html#x959

also, as part of x9a10 financial standard effort, there was detailed end-to-end, threat and vulnerability study. One of the issues was the enormous vulnerability of much of the existing infrastructure to data breaches (eavesdropping, harvesting, etc ... being able to use information from valid transaction to perform fraudulent transactions).

The x9.59 financial standard didn't do anything to eliminate the data breaches ... but it slightly tweaked the paradigm ... so that the crooks couldn't use information from existing/valid transactions for fraudulent transactions.

For instance, the dominant use of SSL in the world is this earlier work we did for electronic commerce ... as part of hiding transaction information. X9.59 eliminates that as a threat & vulnerability ... so also eliminates the major use of SSL in the world today.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Discussions areas, private message silos, and how far we've come since 199x

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Discussions areas, private message silos, and how far we've come since 199x
Date: October 17, 2008
Blog: Greater IBM
re:
http://www.garlic.com/~lynn/2008o.html#49 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008o.html#54 Discussions areas, private message silos, and how far we've come since 199x

Note that later (mid-80s), LISTSERV facility (somewhat analogous to TOOLSRUN) was developed on BITNET/EARN ... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#bitnet

basically university network using similar technology to that used for the internal network ... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#internalnet

for some example, recent (archived) posts to the ibm-main listserv discussion group:
http://www.garlic.com/~lynn/2008o.html#55 Virtual
http://www.garlic.com/~lynn/2008o.html#56 Virtual
http://www.garlic.com/~lynn/2008o.html#57 Virtual

even earlier ... one of the virtual machine based time-sharing commercial service bureaus had developed a computer conferencing facility and provided the VMSHARE service free to (the IBM mainframe user group) SHARE starting in August 1976. The VMSHARE archives can be accessed here:
http://vm.marist.edu/~vmshare/

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Would anyone like to draw a diagram of effects or similar for the current "credit crisis"?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Would anyone like to draw a diagram of effects or similar for the current "credit crisis"?
Date: October 18, 2008
Blog: Systems Thinking
Related discussion in an answer here:
http://www.linkedin.com/answers/finance-accounting/corporate-debt/FIN_CDT/344064-28994563
also archived here:
http://www.garlic.com/~lynn/2008.html#52 Why is sub-prime crisis of America called the sub-prime crisis?

Part of the issue (that has periodically frozen parts of the market) was all the triple-A ratings that had been given the (subprime mortgage backed) toxic CDOs. This led to confidence crisis in the ratings organizations. A couple weeks ago, one of the business news shows had on a guest from one of the ratings organizations to discuss ratings downgrade given some companies. The host spent much of the interview trying to get the guest to admit to being responsible for the current credit crisis (huge amount of money was spent on triple-A rated toxic CDOs ... and then when it all started to fall apart and lots of confidence & trust paralysis).

A lot of the unregulated investment banks &/or unregulated investment banking arms of other institutions were heavily leveraged, borrowing to buy these triple-A rated toxic CDOs. The heavy borrowing was also large mismatch between short term commercial paper and long term triple-A rated toxic CDOs ... recent quote:
Best practice transfer pricing calculations would have made it clear that neither Bear Stearns nor Lehman Brothers had more than a marginal chance of survival when funding 30 year sub-prime mortgage loans with thirty day borrowings.
....

Using short term borrowing to finance long term projects has been recognized as systemic mismatch for centuries ... having downside for both countries and institutions; related San Fran FRB article from 2000:
http://www.frbsf.org/economic-research/publications/economic-letter/2000/september/short-term-international-borrowing-and-financial-fragility/

More recent article from last year about practice in current situation.
http://www.forbes.com/2007/11/13/citigroup-suntrust-siv-ent-fin-cx_bh_1113hamiltonmatch.html

Besides all the other side-effects of the triple-A rated toxic CDOs ... both on the home owner market, the investment institutions, and propagating out into the rest of the economy .... there is also the potential that the heavy borrowing activity by financial institutions in short term commercial paper ... represents severe competition and downside on traditional players in short-term commercial paper borrowing.

past posts mentioning short/long mismatch
http://www.garlic.com/~lynn/2008o.html#14 Blinkylights
http://www.garlic.com/~lynn/2008o.html#15 Financial Crisis - the result of uncontrolled Innovation?
http://www.garlic.com/~lynn/2008o.html#26 SOX (Sarbanes-Oxley Act), is this really followed and worthful considering current Financial Crisis?
http://www.garlic.com/~lynn/2008o.html#27 Blinkylights
http://www.garlic.com/~lynn/2008o.html#28 Does anyone get the idea that those responsible for containing this finanical crisis are doing too much?
http://www.garlic.com/~lynn/2008o.html#35 The human plague
http://www.garlic.com/~lynn/2008o.html#37 The human plague
http://www.garlic.com/~lynn/2008o.html#39 The human plague
http://www.garlic.com/~lynn/2008o.html#51 Why are some banks failing, and others aren't?
http://www.garlic.com/~lynn/2008o.html#52 Why is sub-prime crisis of America called the sub-prime crisis?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Discussions areas, private message silos, and how far we've come since 199x

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Discussions areas, private message silos, and how far we've come since 199x
Date: October 18, 2008
Blog: Greater IBM
re:
http://www.garlic.com/~lynn/2008o.html#61 Discussions areas, private message silos, and how far we've come since 199x

and
http://vm.marist.edu/~vmshare/

Comment from the VMSHARE archive site:
For many users, access to VMSHARE using 3270 fullscreen would have been a dream come through. Many never got further than 300 bps TeleType access or reading Melinda's Daily Distribution (or one of the several copies derived from those).
... snip ...

Before Melinda ever started her distribution ... I was getting monthly tape of VMSHARE files and putting them up on various machines on the internal network.

One such complex that I made the VMSHARE files available was on HONE. HONE (Hands-On Network Environment) started out as a few CP67 virtual machine datacenters in the wake of the 23Jun69 unbundling announcement; not only did unbundling mark starting to charge for application software but also SE time. This eliminated a major educational mechanism for new SEs (effectively apprentice type activity as part of a team at the customer site). With unbundling, most of the "hands-on" learning experience was eliminated for new SEs (couldn't justify charging the customer, but would have been required by new circumstances).

Because of a number of factors, HONE transitioned away from hands-on experience for SEs into major world-wide sales & marketing support infrastructure (by mid-70s, mainframe orders couldn't be submitted w/o having first been processed by HONE applications).

One of my other hobbies was providing highly enhanced production operating systems for internal locations ... and HONE was one of my long-time major customers. As a result, it wasn't all that difficult to convince HONE to also deploy VMSHARE files for world-wide branch office and field access.

Misc past emails, some mentioning HONE
http://www.garlic.com/~lynn/lhwemail.html#hone
some mentioning VMSHARE
http://www.garlic.com/~lynn/lhwemail.html#vmshare

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

In your experience which is a superior debit card scheme - PIN based debit or signature debit?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: In your experience which is a superior debit card scheme - PIN based debit or signature debit?
Date: October 18, 2008
Blog: Credit Card Professionals
re:
http://www.garlic.com/~lynn/2008n.html#38 In your experience which is a superior debit card scheme - PIN based debit or signature debit?
http://www.garlic.com/~lynn/2008n.html#45 In your experience which is a superior debit card scheme - PIN based debit or signature debit?
http://www.garlic.com/~lynn/2008n.html#48 In your experience which is a superior debit card scheme - PIN based debit or signature debit?
http://www.garlic.com/~lynn/2008n.html#54 In your experience which is a superior debit card scheme - PIN based debit or signature debit?
http://www.garlic.com/~lynn/2008n.html#55 In your experience which is a superior debit card scheme - PIN based debit or signature debit?
http://www.garlic.com/~lynn/2008n.html#59 In your experience which is a superior debit card scheme - PIN based debit or signature debit?
http://www.garlic.com/~lynn/2008n.html#73 In your experience which is a superior debit card scheme - PIN based debit or signature debit?

As in other recent answers ... one of the other areas from the X9A10 financial standard working group (given the requirement to preserve the integrity of the financial infrastructure for *ALL* retail payments) for x9.59 standard ... wasn't just looking at all kinds of payments (credit, debit, stored-value, etc), in all kinds of environments (POS, internet, face-to-face, unattended, transit gate, contact, contactless, etc), but also all kinds of values from very low to very high.

So in addition to detailed, end-to-end threat and vulnerability studies in the mid-90s, we also created a framework we called parameterised risk management (for x9.59 financial standard protocol).... where the same hardware token (and/or secure PDA/cellphone, possibly with embedded secure chip) and (x9.59) protocol could be used, possibly in both contact and contactless environments as well as with and w/o PINs (analogous to credit guidelines not requiring signatures for low-value transactions).

It is even possible within the parameterised risk management framework, that for really high value transactions, that the participating terminal also provide authentication information (and transactions might even be restricted to specific environments).

From 3-factor authentication paradigm ... misc. past posts
http://www.garlic.com/~lynn/subintegrity.html#3factor

given the parameterised risk management can use single factor authentication and/or various combinations of multi-factor authentication ... all with the same hardware token and the same x9.59 financial standard transactions (in addition to supporting credit, debit, stored-value, POS, internet, face-to-face, unattended, mobile, transit gate, low-value, high-value, very high-value).

recent references to parameterised risk management
http://www.garlic.com/~lynn/2008o.html#13 What risk of possible data leakage do you see for your organization?
http://www.garlic.com/~lynn/2008o.html#17 what will be a wow feature in a credit card
http://www.garlic.com/~lynn/2008o.html#47 Will cards with PayPass (from MasterCard) be using CHIP & PIN in the future?
http://www.garlic.com/~lynn/2008o.html#60 Biometric Credit cards

older references to parameterised risk management
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo2 QC Bio-info leak?
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo3 QC Bio-info leak?
http://www.garlic.com/~lynn/aadsmore.htm#biosigs biometrics and electronic signatures
http://www.garlic.com/~lynn/aadsm2.htm#stall EU digital signature initiative stalled
http://www.garlic.com/~lynn/aadsm2.htm#strawm3 AADS Strawman
http://www.garlic.com/~lynn/aadsm3.htm#cstech3 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#cstech4 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#cstech5 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#cstech9 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#cstech10 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#kiss2 Common misconceptions, was Re: KISS for PKIX. (Was: RE: ASN.1 vs XML (used to be RE: I-D ACTION :draft-ietf-pkix-scvp-00.txt))
http://www.garlic.com/~lynn/aepay3.htm#x959risk1 Risk Management in AA / draft X9.59
http://www.garlic.com/~lynn/aepay6.htm#x959b X9.59 Electronic Payment standard issue
http://www.garlic.com/~lynn/aadsm12.htm#17 Overcoming the potential downside of TCPA
http://www.garlic.com/~lynn/aadsm19.htm#15 Loss Expectancy in NPV calculations
http://www.garlic.com/~lynn/aadsm19.htm#44 massive data theft at MasterCard processor
http://www.garlic.com/~lynn/aadsm19.htm#46 the limits of crypto and authentication
http://www.garlic.com/~lynn/aadsm21.htm#5 Is there any future for smartcards?
http://www.garlic.com/~lynn/aadsm21.htm#8 simple (&secure??) PW-based web login (was Re: Another entry in the internet security hall of shame....)
http://www.garlic.com/~lynn/aadsm23.htm#1 RSA Adaptive Authentication
http://www.garlic.com/~lynn/aadsm23.htm#27 Chip-and-Pin terminals were replaced by "repairworkers"?
http://www.garlic.com/~lynn/aadsm25.htm#1 Crypto to defend chip IP: snake oil or good idea?
http://www.garlic.com/~lynn/aadsm25.htm#2 Crypto to defend chip IP: snake oil or good idea?
http://www.garlic.com/~lynn/aadsm25.htm#14 Sarbanes-Oxley is what you get when you don't do FC
http://www.garlic.com/~lynn/aadsm26.htm#35 Failure of PKI in messaging
http://www.garlic.com/~lynn/aadsm27.htm#61 Linus: Security is "people wanking around with their opinions"
http://www.garlic.com/~lynn/aadsm28.htm#37 Attack on Brit retail payments -- some takeways
http://www.garlic.com/~lynn/99.html#235 Attacks on a PKI
http://www.garlic.com/~lynn/99.html#238 Attacks on a PKI
http://www.garlic.com/~lynn/2000.html#46 question about PKI...
http://www.garlic.com/~lynn/2000.html#57 RealNames hacked. Firewall issues.
http://www.garlic.com/~lynn/2001.html#73 how old are you guys
http://www.garlic.com/~lynn/2003j.html#33 A Dark Day
http://www.garlic.com/~lynn/2003p.html#26 Sun researchers: Computers do bad math ;)
http://www.garlic.com/~lynn/2004h.html#38 build-robots-which-can-automate-testing dept
http://www.garlic.com/~lynn/2005k.html#23 More on garbage
http://www.garlic.com/~lynn/2006g.html#40 Why are smart cards so dumb?
http://www.garlic.com/~lynn/2006o.html#20 Gen 2 EPC Protocol Approved as ISO 18000-6C
http://www.garlic.com/~lynn/2007t.html#8 Translation of IBM Basic Assembler to C?
http://www.garlic.com/~lynn/2007u.html#5 Public Computers
http://www.garlic.com/~lynn/2007u.html#76 folklore indeed
http://www.garlic.com/~lynn/2008i.html#1 Do you belive Information Security Risk Assessment has shortcoming like
http://www.garlic.com/~lynn/2008i.html#70 Next Generation Security
http://www.garlic.com/~lynn/2008l.html#52 Payments Security in RFS

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
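
The value-dependent authentication described in this post and in the earlier "Biometric Credit cards" post, as an added sketch that is not part of the original posts and not taken from the X9.59 standard. The tier amounts, the 0-3 integrity scale, and all names (`Tier`, `Evidence`, `evaluate`) are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple


class Factor(Enum):
    HAVE = "something you have"   # e.g. hardware token
    KNOW = "something you know"   # e.g. PIN
    ARE = "something you are"     # e.g. biometric


@dataclass(frozen=True)
class Evidence:
    factor: Factor
    mechanism: str
    integrity: int  # assumed 0-3 rating of this particular mechanism


@dataclass(frozen=True)
class Tier:
    max_cents: Optional[int]             # None = no upper bound
    factors_needed: int                  # independent factor categories required
    min_integrity: int                   # weaker evidence is ignored at this tier
    terminal_auth: bool                  # terminal/environment must authenticate too
    environments: Optional[FrozenSet[str]]  # None = any environment


# Hypothetical risk parameters; a real deployment would set its own.
POLICY = (
    Tier(1_000, 1, 1, False, None),                 # low value: token alone
    Tier(50_000, 2, 2, False, None),                # higher value: multi-factor
    Tier(None, 2, 2, True, frozenset({"pos"})),     # very high value
)


@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    environment: str                     # "transit", "pos", "internet", ...
    evidence: Tuple[Evidence, ...]
    terminal_authenticated: bool = False


def tier_for(amount_cents: int) -> Tier:
    for tier in POLICY:
        if tier.max_cents is None or amount_cents <= tier.max_cents:
            return tier
    raise ValueError("policy has no open-ended tier")


def evaluate(txn: Transaction) -> Tuple[bool, List[str]]:
    """Return (approved, reasons for refusal)."""
    tier = tier_for(txn.amount_cents)
    reasons: List[str] = []
    # Count factor *categories*, not mechanisms: two biometrics are still
    # one factor, and evidence below the tier's integrity bar does not count.
    strong = {e.factor for e in txn.evidence if e.integrity >= tier.min_integrity}
    if len(strong) < tier.factors_needed:
        reasons.append(
            f"need {tier.factors_needed} independent factor(s) at integrity "
            f">= {tier.min_integrity}, got {len(strong)}"
        )
    if tier.terminal_auth and not txn.terminal_authenticated:
        reasons.append("terminal must also authenticate at this value")
    if tier.environments is not None and txn.environment not in tier.environments:
        reasons.append(f"environment '{txn.environment}' not allowed at this value")
    return (not reasons, reasons)


# Constructed sample evidence (ratings are illustrative, not measured).
TOKEN = Evidence(Factor.HAVE, "hardware token", 3)
PIN = Evidence(Factor.KNOW, "PIN", 2)
WEAK_BIO = Evidence(Factor.ARE, "low-integrity biometric", 1)
STRONG_BIO = Evidence(Factor.ARE, "high-integrity biometric", 3)

if __name__ == "__main__":
    samples = [
        Transaction(250, "transit", (TOKEN,)),
        Transaction(12_000, "pos", (TOKEN,)),
        Transaction(12_000, "pos", (TOKEN, PIN)),
        Transaction(12_000, "internet", (TOKEN, WEAK_BIO)),
        Transaction(500_000, "pos", (TOKEN, PIN), terminal_authenticated=True),
    ]
    for txn in samples:
        print(txn.amount_cents, txn.environment, evaluate(txn))
```

The same token appears in every sample; only the policy tier selected by the amount changes what else must accompany it.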

Can the financial meltdown be used to motivate sustainable development in order to achieve sustainable growth and desired sustainability?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can the financial meltdown be used to motivate sustainable development in order to achieve sustainable growth and desired sustainability?
Date: October 18, 2008
Blog: Economics
Toxic CDOs were used two decades ago (during S&L crisis) to obfuscate and inflate the underlying values ... and being able to sell at much higher than would otherwise be possible.

Decade old post discussing many of the current problems, including needing visibility into CDO-like instruments
http://www.garlic.com/~lynn/aepay3.htm#riskm

Buyers of these toxic CDOs were heavily leveraged and frequently using short-term commercial paper to make long-term purchases ... the short/long mismatch has been recognized as systemic problem dating back centuries. recent quote:
Best practice transfer pricing calculations would have made it clear that neither Bear Stearns nor Lehman Brothers had more than a marginal chance of survival when funding 30 year sub-prime mortgage loans with thirty day borrowings.
...

Decade old article from SF FRB about fragility of short/long mismatch
http://www.frbsf.org/economic-research/publications/economic-letter/2000/september/short-term-international-borrowing-and-financial-fragility/

More recent article from last year about short/long systemic effects in current situation:
http://www.forbes.com/2007/11/13/citigroup-suntrust-siv-ent-fin-cx_bh_1113hamiltonmatch.html

past posts mentioning short/long mismatch
http://www.garlic.com/~lynn/2008o.html#14 Blinkylights
http://www.garlic.com/~lynn/2008o.html#15 Financial Crisis - the result of uncontrolled Innovation?
http://www.garlic.com/~lynn/2008o.html#26 SOX (Sarbanes-Oxley Act), is this really followed and worthful considering current Financial Crisis?
http://www.garlic.com/~lynn/2008o.html#27 Blinkylights
http://www.garlic.com/~lynn/2008o.html#28 Does anyone get the idea that those responsible for containing this finanical crisis are doing too much?
http://www.garlic.com/~lynn/2008o.html#35 The human plague
http://www.garlic.com/~lynn/2008o.html#37 The human plague
http://www.garlic.com/~lynn/2008o.html#39 The human plague
http://www.garlic.com/~lynn/2008o.html#51 Why are some banks failing, and others aren't?
http://www.garlic.com/~lynn/2008o.html#52 Why is sub-prime crisis of America called the sub-prime crisis?
http://www.garlic.com/~lynn/2008o.html#62 Would anyone like to draw a diagram of effects or similar for the current "credit crisis"?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Open Source, Unbundling, and Future System

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Open Source, Unbundling, and Future System
Date: October 18, 2008
Blog: Greater IBM
starting even before joining IBM, (virtual machine) cp67 delivered to univ. jan68 was full open-source so ... 40+yrs virtualization ... plus 40+yrs open source.

it was in large part gov. litigation that resulted in 23jan69 unbundling announcement that started charging for application software, SE services, maintenance, etc. however, they managed to make the case that kernel software wasn't part of it.
http://www.garlic.com/~lynn/submain.html#unbundle

i had done tty/ascii terminal support at the univ for cp67. then somewhat because the (2702) terminal controller wouldn't do exactly what i wanted ... the univ. started a clone terminal controller project ... initially using interdata/3, reverse engineering the mainframe channel interface ... and building a channel interface board for the interdata/3. four of us got written up for being responsible for initiating the clone controller business.
http://www.garlic.com/~lynn/subtopic.html#360pcm

later, in the 70s, the company started future system project:
http://www.garlic.com/~lynn/submain.html#futuresys ... in large part motivated by clone controller business, recent post with an old quote:
http://www.garlic.com/~lynn/2008d.html#16 from article here:
http://web.archive.org/web/20110718153549/http://www.ecole.org/Crisis_and_change_1995_1.htm
http://www.ecole.org/en/seances/CM07

the distraction of future system project contributed significantly to letting clone processors get a foothold in the industry ... quotes from fergus/morris book:
http://www.garlic.com/~lynn/2001f.html#33

in the wake of the future system project failure ... and the mad rush to get (hardware & software) products back into the 370 product pipeline ... contributed to picking up a lot of (370) stuff (for product release) that i had been doing all during the future system period.

some related old email about shipping product releases internally during the period:
http://www.garlic.com/~lynn/2006v.html#email731212
http://www.garlic.com/~lynn/2006w.html#email750102
http://www.garlic.com/~lynn/2006w.html#email750430

however, the foothold by clone processors also contributed to change policy and to start charging for kernel software ... and my resource manager was selected as the guinea pig. as a result i had to spend time with lawyers and business planning people regarding kernel software charging policy and practices. misc. past posts related to resource manager
http://www.garlic.com/~lynn/subtopic.html#fairshare

In addition to other internal locations, I also provided custom kernels and support to HONE during cp67 and vm370 period, well into the 80s. HONE had originally been created in the wake of 23jun69 unbundling announcement ... which had taken away a major method of new SE training ("apprentice" as part of a team onsite at customer sites which went away with starting to charge for SE services). HONE started out with several CP67 datacenters to provide Hands-On Network Environment for SEs running various operating systems in virtual machines.

The science center had also ported apl\360 to CMS for cms\apl and there started to be several sales & marketing cms\apl applications deployed on HONE. Eventually the sales & marketing applications came to dominate HONE usage and the original use for SEs withered away. By the mid-70s, HONE datacenters had been replicated at a number of places around the world. HONE had also been so integrated into sales & marketing that mainframe orders had to be first processed by HONE applications. misc. old email mentioning HONE
http://www.garlic.com/~lynn/lhwemail.html#hone
and past posts mentioning HONE
http://www.garlic.com/~lynn/subtopic.html#hone

As part of moving EMEA hdqtrs from NY to Paris in the early 70s, I got to go over as part of installing a HONE clone in Paris for EMEA hdqtrs.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Invitation to Join Mainframe Security Guru Group

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Invitation to Join Mainframe Security Guru Group
Date: October 19, 2008
Blog: Corporate Governance
As part of the future system project ... misc. past posts
http://www.garlic.com/~lynn/submain.html#futuresys

the future system documentation was kept in software copy on special internal vm370 systems with lots of security enhancements. once some of them even made the statements that even if Lynn Wheeler was in the same room with the machine, even he wouldn't be able to access the information. it was one of the few times that I took the bait. I replied that it would take less than five minutes ... but it 1st required disabling all outside connections to the machine and then flipping one bit in machine storage from the console.

as undergraduate, i would periodically get requests from the vendor to make specific enhancements to cp67. i didn't become aware of these users until many years later:
http://web.archive.org/web/20090117083033/http://www.nsa.gov/research/selinux/list-archive/0409/8362.shtml

but i subsequently conjectured that some of the enhancement requests may have been of the type that originated from that customer set

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Blinkenlights

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Blinkenlights
Newsgroups: alt.folklore.computers
Date: Sun, 19 Oct 2008 16:41:22 -0400
Morten Reistad <first@last.name> writes:
Seems the housing bubble in northern Scandinavia is real, but proportionately only about half as inflated as in the US or Ireland/Denmark.

Banks cannot unload CDOs as easily here. They can list them, but cannot offload them as easily. That regulation came with the last housing crash and seems to dampen this one a bit.


Poor Performance of Credit Rating Agencies
http://accounting.smartpros.com/x60011.xml

from above:
December 2007 Soon after Merrill Lynch disclosed its $8.4 billion write-down because of problems with collateralized debt obligations (CDOs) and other financial instruments relating to subprime mortgages, the credit rating agencies started downgrading the securities. But, this is like the proverbial soldier who watches a raging battle from afar; when the war is over, he proceeds to bayonet the wounded.
... snip ...

the above article makes a point that rating agencies were paid quite a bit of money for giving triple-A rating to the toxic CDOs ... also drawing parallel with it took quite awhile for ENRON downgrade.

there is (somewhat jaundiced) reference to report by SEC:

Report on the Role and Function of Credit Rating Agencies in the Operation of the Securities Markets; As Required by Section 702(b) of the Sarbanes-Oxley Act of 2002
http://www.sec.gov/news/studies/credratingreport0103.pdf

comment on the above:
Third, on page 42 of the report, the SEC promises to explore whether these credit rating agencies "should implement procedures to manage potential conflicts of interest that arise when issuers [pay] for ratings." Either the SEC did not keep its promise or such actions are inadequate. Clearly, the credit rating agencies have not responded any differently to the CDO problem than they did with Enron's circumstances.
... snip ...

long winded, decade old post mentioning several of current problems, including needing visibility into CDO-like instruments
http://www.garlic.com/~lynn/aepay3.htm#riskm

as to bayonet the wounded ... we've had a similar definition for auditors ... from long ago and far away (from file of random quotes that printed on 6670/sherpa separator page):
[Business Maxims:] Signs, real and imagined, which belong on the walls of the nation's offices:
1) Never Try to Teach a Pig to Sing; It Wastes Your Time and It Annoys the Pig.
2) Sometimes the Crowd IS Right.
3) Auditors Are the People Who Go in After the War Is Lost and Bayonet the Wounded.
4) To Err Is Human -- To Forgive Is Not Company Policy.
... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Blinkenlights

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Blinkenlights
Newsgroups: alt.folklore.computers
Date: Sun, 19 Oct 2008 19:46:31 -0400
Anne & Lynn Wheeler <lynn@garlic.com> writes:
as to "bayonet the wounded" ... we've had a similar definition for auditors ... from long ago and far away (from file of random quotes that printed on 6670/sherpa separator page):
[Business Maxims:] Signs, real and imagined, which belong on the walls of the nation's offices:
1) Never Try to Teach a Pig to Sing; It Wastes Your Time and It Annoys the Pig.
2) Sometimes the Crowd IS Right.
3) Auditors Are the People Who Go in After the War Is Lost and Bayonet the Wounded.
4) To Err Is Human -- To Forgive Is Not Company Policy.
re:
http://www.garlic.com/~lynn/2008o.html#68 Blinkenlights

for other (research started installing 6670s in the late 70s) bayonet the wounded drift .... i had sponsored Boyd's briefings at ibm in the 80s ... one of his references was to Guderian's directive about verbal orders only for the blitzkrieg (soldiers on the spot not having to worry about after action reviews by people that weren't there).

lots of past posts mentioning Boyd:
http://www.garlic.com/~lynn/subboyd.html#boyd

past references to Guderian's verbal orders only:
http://www.garlic.com/~lynn/99.html#120 atomic History
http://www.garlic.com/~lynn/2001.html#29 Review of Steve McConnell's AFTER THE GOLD RUSH
http://www.garlic.com/~lynn/2001.html#30 Review of Steve McConnell's AFTER THE GOLD RUSH
http://www.garlic.com/~lynn/2001m.html#16 mainframe question
http://www.garlic.com/~lynn/2002d.html#36 Mainframers: Take back the light (spotlight, that is)
http://www.garlic.com/~lynn/2002d.html#38 Mainframers: Take back the light (spotlight, that is)
http://www.garlic.com/~lynn/2002q.html#33 Star Trek: TNG reference
http://www.garlic.com/~lynn/2002q.html#43 Star Trek: TNG reference
http://www.garlic.com/~lynn/2003h.html#51 employee motivation & executive compensation
http://www.garlic.com/~lynn/2003p.html#27 The BASIC Variations
http://www.garlic.com/~lynn/2004k.html#24 Timeless Classics of Software Engineering
http://www.garlic.com/~lynn/2004q.html#86 Organizations with two or more Managers
http://www.garlic.com/~lynn/2005e.html#3 Computerworld Article: Dress for Success?
http://www.garlic.com/~lynn/2006f.html#14 The Pankian Metaphor
http://www.garlic.com/~lynn/2006g.html#9 The Pankian Metaphor
http://www.garlic.com/~lynn/2006q.html#41 was change headers: The Fate of VM - was: Re: Baby MVS???
http://www.garlic.com/~lynn/2007b.html#37 Special characters in passwords was Re: RACF - Password rules
http://www.garlic.com/~lynn/2007b.html#52 Special characters in passwords was Re: RACF - Password rules
http://www.garlic.com/~lynn/2007c.html#25 Special characters in passwords was Re: RACF - Password rules
http://www.garlic.com/~lynn/2008c.html#26 Current Officers
http://www.garlic.com/~lynn/2008g.html#34 WWII supplies
http://www.garlic.com/~lynn/2008h.html#8a Using Military Philosophy to Drive High Value Sales
http://www.garlic.com/~lynn/2008h.html#61 Up, Up, ... and Gone?
http://www.garlic.com/~lynn/2008h.html#63 how can a hierarchical mindset really ficilitate inclusive and empowered organization

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

What happened in security over the last 10 years?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: What happened in security over the last 10 years?
Date: October 19, 2008 10:19 PM
Blog: Financial Cryptography
re:
https://financialcryptography.com/mt/archives/001107.html

can you say (old thread) "naked transactions" ... my archived posts
http://www.garlic.com/~lynn/subintegrity.html#payments

reference to threads here:
https://financialcryptography.com/mt/archives/000745.html
https://financialcryptography.com/mt/archives/000744.html
https://financialcryptography.com/mt/archives/000747.html
https://financialcryptography.com/mt/archives/000749.html

... referenced blog
http://1raindrop.typepad.com/1_raindrop/2008/07/the-network-firewall-is-a-consensual-hallucination.html

talks about safety of the enterprise domain and use of firewalls and SSL for dealing with outside the safety zone.

the biggest items in the press regarding breach scenarios (and protecting information) have involved information from financial transactions that crooks can use for (other) fraudulent financial transactions.

we had been called in to consult with small client/server company that wanted to do payment transactions on their servers and had this thing they had invented called SSL they wanted to use. it is frequently now called electronic commerce. part of that was something called payment gateway
http://www.garlic.com/~lynn/subnetwork.html#gateway

then in the mid-90s, we were asked to play in the x9a10 financial standard working group that had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments. Part of the effort involved detailed end-to-end, threat and vulnerability studies. The result was x9.59 protocol
http://www.garlic.com/~lynn/x959.html#x959

part of x9.59 meeting the ALL requirement, ALL types of retail payments: credit, debit, stored-value, etc; ALL environments: POS, internet, unattended, contact, contactless, face-to-face, transit turnstile, etc; and ALL values: low-value, high-value, very high-value, etc.

Part of it involved tweaking the paradigm so that information from previous transactions couldn't be used by crooks for fraudulent transactions (didn't do anything to eliminate breaches, just eliminated the threat from breaches). As it turns out, it also eliminates the major use of SSL in the world (hiding information in financial transactions).

Part of addressing ALL values involved a framework we called parameterised risk management. Some recent references:
http://www.garlic.com/~lynn/2008o.html#13 What risk of possible data leakage do you see for your organization?
http://www.garlic.com/~lynn/2008o.html#17 what will be a wow feature in a credit card
http://www.garlic.com/~lynn/2008o.html#47 Will cards with PayPass (from MasterCard) be using CHIP & PIN in the future?
http://www.garlic.com/~lynn/2008o.html#60 Biometric Credit cards
http://www.garlic.com/~lynn/2008o.html#64 In your experience which is a superior debit card scheme - PIN based debit or signature debit?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Why is sub-prime crisis of America called the sub-prime crisis?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Why is sub-prime crisis of America called the sub-prime crisis?
Date: October 20, 2008
Blog: Corporate Dept
re:
http://www.garlic.com/~lynn/2008o.html#52 Why is sub-prime crisis of America called the sub-prime crisis?

recent answer about the agencies giving out triple-A ratings to those toxic CDOs.

A couple weeks ago, one of the TV business news shows had a guest from one of the credit rating agencies on to discuss downrating of some companies. The host spent quite a bit of the time attempting to get the guest to take responsibility for the current crisis.

Poor Performance of Credit Rating Agencies
http://accounting.smartpros.com/x60011.xml

from above:
December 2007 Soon after Merrill Lynch disclosed its $8.4 billion write-down because of problems with collateralized debt obligations (CDOs) and other financial instruments relating to subprime mortgages, the credit rating agencies started downgrading the securities. But, this is like the proverbial soldier who watches a raging battle from afar; when the war is over, he proceeds to bayonet the wounded.
... snip ...

the above article makes a point that rating agencies were paid quite a bit of money for giving triple-A rating to the toxic CDOs ... the article makes the following point:
Third, on page 42 of the report, the SEC promises to explore whether these credit rating agencies "should implement procedures to manage potential conflicts of interest that arise when issuers [pay] for ratings." Either the SEC did not keep its promise or such actions are inadequate. Clearly, the credit rating agencies have not responded any differently to the CDO problem than they did with Enron's circumstances.
... snip ...

regarding this SEC report:

Report on the Role and Function of Credit Rating Agencies in the Operation of the Securities Markets; As Required by Section 702(b) of the Sarbanes-Oxley Act of 2002
http://www.sec.gov/news/studies/credratingreport0103.pdf

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Euro value

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Euro value
Newsgroups: alt.folklore.computers
Date: Tue, 21 Oct 2008 07:31:54 -0400
pltrgyst <pltrgyst@spamlessxhost.org> writes:
That was as an "accounting currency" only. When use of Euro bills and coins began on 1/1/2002, the Euro was worth $0.90.

I remember well, because we were in Strasbourg, France, on that day, and couldn't get our car out of the municipal parking garage due to the currency confusion. 8;)


we were in munich and a couple other places in germany in 2002 ... and the germans were complaining that the shopkeepers changed all the signs from DM to EU ... but left the numerical values the same (large inflation).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Addressing Scheme with 64 vs 63 bits

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Addressing Scheme with 64 vs 63 bits
Newsgroups: bit.listserv.ibm-main
Date: Tue, 21 Oct 2008 07:52:03 -0400
hal9001@PANIX.COM (Robert A. Rosenberg) writes:
There was also the secondary use of the high bit to signal AM24 vs AM31 in addresses used for branching to/from subroutines. This required replacing BALR with BASR and BR with BSM to do the AM Mode Switch.

360/370 24bit psw had ILC/CC and program mask in adjacent byte; BAL/BALR not only saved the 24bit instruction address but also the next byte of the PSW (cc, and program mask).

on return, not only could the calling/return address be restored, but SPM instruction would also be used to restore the program mask ... aka from principle of ops SPM programming notes:
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/dz9zr003/7.5.113?DT=20040504121320
1. Bits 34-39 of the general register may have been loaded from the PSW by execution of BRANCH AND LINK in the 24-bit addressing mode or by execution of INSERT PROGRAM MASK in either the 24-bit or 31-bit addressing mode.

2. SET PROGRAM MASK permits setting of the condition code and the mask bits in either the problem state or the supervisor state.

3. The program should take into consideration that the setting of the program mask can have a significant effect on subsequent execution of the program. Not only do the four mask bits control whether the corresponding interruptions occur, but the exponent-underflow and significance masks also determine the result which is obtained.

... snip ...

BAS/BASR were introduced on 360/67 as part of supporting 32bit virtual addressing mode.

retrenching to 370 ... not only was 360/67 32bit virtual addressing dropped ... but also the channel controller for multiprocessor support ... standard 360/67 multiprocessor not only allowed all processors to address all real storage but also all channels.

standard 360 (and later 370) multiprocessor support only allowed two processors to address all of the (same) real storage ... but each processor was limited to only addressing their own, dedicated channels.

some of the 360/67 control registers were also used to "sense" the switches on the channel controller (which governed the multiprocessor configuration settings ... not only for channels but also for real storage) ... these control register definitions were later taken over for "access registers"

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
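
The link-register layout discussed in the post above, as an added example (not part of the original posts): in 24-bit mode BAL/BALR put ILC, condition code and program mask in the byte above the 24-bit return address, SPM reads the condition code and mask back from that byte, and a mode-switching branch such as BSM reads the high bit as the addressing mode. The function names are hypothetical, the register values are constructed, and the BSM handling is a simplified model.

```python
from dataclasses import dataclass

# Program-mask bits as they sit in the low nibble of the link byte.
PROGRAM_MASK_BITS = (
    (0x8, "fixed-point overflow"),
    (0x4, "decimal overflow"),
    (0x2, "exponent underflow"),
    (0x1, "significance"),
)


@dataclass(frozen=True)
class LinkInfo:
    ilc: int           # instruction-length code, in halfwords (1..3)
    cc: int            # condition code (0..3)
    program_mask: int  # four mask bits
    address: int       # 24-bit return address

    def enabled_masks(self):
        return [name for bit, name in PROGRAM_MASK_BITS if self.program_mask & bit]


def encode_bal_link(ilc, cc, program_mask, address):
    """Build the 32-bit value BAL/BALR leaves in the register in 24-bit mode."""
    if not (1 <= ilc <= 3 and 0 <= cc <= 3 and 0 <= program_mask <= 0xF):
        raise ValueError("field out of range")
    if not 0 <= address <= 0xFFFFFF:
        raise ValueError("address does not fit in 24 bits")
    return (ilc << 30) | (cc << 28) | (program_mask << 24) | address


def decode_bal_link(reg):
    """Split a 24-bit-mode BAL/BALR link register into its fields."""
    if not 0 <= reg <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit register value")
    top = reg >> 24
    return LinkInfo(ilc=top >> 6, cc=(top >> 4) & 0x3,
                    program_mask=top & 0xF, address=reg & 0xFFFFFF)


def spm_fields(reg):
    """What SET PROGRAM MASK takes from the register: (cc, program mask).

    These are bits 2-7 of the 32-bit register, i.e. bits 34-39 in the
    64-bit numbering used by the quoted programming note. ILC and the
    address bits are ignored.
    """
    top = (reg >> 24) & 0xFF
    return (top >> 4) & 0x3, top & 0xF


def mode_switch_view(reg):
    """Simplified model of a BSM-style return: high bit selects AM24/AM31."""
    if reg & 0x80000000:
        return 31, reg & 0x7FFFFFFF
    return 24, reg & 0x00FFFFFF


# Constructed sample values: same return address, cc=1, two overflow masks on.
BAL_LINK = encode_bal_link(ilc=2, cc=1, program_mask=0xC, address=0x012346)   # BAL is 4 bytes
BALR_LINK = encode_bal_link(ilc=1, cc=1, program_mask=0xC, address=0x012346)  # BALR is 2 bytes
BAS_LINK = 0x00012346  # BAS/BASR in 24-bit mode: top byte zero

if __name__ == "__main__":
    for name, reg in (("BAL", BAL_LINK), ("BALR", BALR_LINK), ("BAS", BAS_LINK)):
        amode, target = mode_switch_view(reg)
        print(f"{name:4} link={reg:08X} spm={spm_fields(reg)} "
              f"mode-switch return -> AM{amode} {target:08X}")
```

For a 4-byte BAL the ILC is binary 10, so the high bit of the link value is already set and a mode-switching return would read it as AM31 with the condition code and mask folded into the address; BAS/BASR leave the top byte zero in 24-bit mode, which keeps that bit free for the mode flag.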

Would anyone like to draw a diagram of effects or similar for the current "credit crisis"?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Would anyone like to draw a diagram of effects or similar for the current "credit crisis"?
Date: October 29, 2008
Blog: Systems Thinking
re:
http://www.garlic.com/~lynn/2008o.html#62 Would anyone like to draw a diagram of effects or similar for the current "credit crisis"?

One of the problems with being able to unload apparently unlimited amount of subprime loans as triple-A rated toxic CDOs ... was that speculators could pick up a large number of subprime loans. They were "subprime" supposedly because they were supposed to go to low-income, first time home owners .... but no-documentation, no down payment, 1% ARM, with interest only payments made them ideal for speculators (who would plan on flipping the property before the rate adjusted).

These "subprime" mortgages were subprime also in the sense that the introductory interest rate was decoupled from the fed's "prime" rate.

Not only did the fed lose their indirect regulatory control of the home owner market i.e. in the past, regulated financial institutions would make the loans from deposits and keep the mortgages on the books (significant incentive to manage the loan quality). Unregulated mortgage originators could use triple-A rated toxic CDOs to fund their operation as well as unload the mortgages nearly as fast as they could be written (eliminating motivation to pay any attention to loan quality).

The introductory rate that would be charged by these subprime mortgages were also "subprime" in the sense that they were decoupled from anything that the FED was doing with the "prime" rate (further distancing what was going on in the home market from any of the standard controls available to the FED).

oh ... in the past, I've drawn the parallel between the use of triple-A rated toxic CDOs to bypass traditional infrastructure mechanisms (attempting to prevent things from running wild and eventually self-destructing) ... with work i started as undergraduate in the 60s on dynamic adaptive feedback resource controls (my undergraduate work even shipping in the virtual machine vendor product).

example is archived post from last summer in the financial cryptography blog:
http://www.garlic.com/~lynn/2008k.html#10 Why do Banks lend poorly in the sub-prime market?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

In light of the recent financial crisis, did Sarbanes-Oxley fail to work?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: In light of the recent financial crisis, did Sarbanes-Oxley fail to work?
Date: October 21, 2008
Blog: Equity Markets
Two parts

1) toxic CDOs being given triple-A rating 2) financials that institutions were using to buy these triple-A rated toxic CDOs.

recent answer here
http://www.linkedin.com/answers/financial-markets/equity-markets/MKT_EQU/346092-4671342

about SOX requiring SEC to evaluate the credit rating agencies (reference to Jan2003 SEC study) .... and possibly whether or not SEC followed through as required by SOX. other recent references:
http://www.garlic.com/~lynn/2008o.html#68 Blinkenlights
http://www.garlic.com/~lynn/2008o.html#71 Why is sub-prime crisis of America called the sub-prime crisis?

A couple weeks ago, one of the TV business news shows had a guest from one of the rating agencies on to discuss downgrading some companies. The host spent much of the program trying to get the guest to take responsibility for the current crisis.

On the side of institutions purchasing these triple-A rated toxic CDOs ... there is this recent observation:
Best practice transfer pricing calculations would have made it clear that neither Bear Stearns nor Lehman Brothers had more than a marginal chance of survival when funding 30 year sub-prime mortgage loans with thirty day borrowings.
....

similar discussion by SanFran FED in 2000 about short/long mismatch funding:
http://www.frbsf.org/economic-research/publications/economic-letter/2000/september/short-term-international-borrowing-and-financial-fragility/

and discussion from a year ago about short/long mismatch in the current crisis:
http://www.forbes.com/entrepreneursfinance/2007/11/13/citigroup-suntrust-siv-ent-fin-cx_bh_1113hamiltonmatch.htm

similar recent references:
http://www.garlic.com/~lynn/2008o.html#51 Why are some banks failing, and others aren't?
http://www.garlic.com/~lynn/2008o.html#52 Why is sub-prime crisis of America called the sub-prime crisis?
http://www.garlic.com/~lynn/2008o.html#62 Would anyone like to draw a diagram of effects or similar for the current "credit crisis"?
http://www.garlic.com/~lynn/2008o.html#65 Can the financial meltdown be used to motivate sustainable development in order to achieve sustainable growth and desired sustainability?

Toxic CDOs were used two decades ago during the S&L crisis to obfuscate underlying values and unload properties that probably wouldn't sell otherwise.

The part of SOX that is more familiar is financial statements of public companies. GAO has been doing database of increasing number of financial restatements (in spite of SOX). Basically the financials are inflated and the executives take bonuses based on the inflated financials. Later, the financials may be restated ... but the bonuses aren't forfeited. Example was that in 2004, freddie was fined $400m for $10b inflation in statements; the CEO was replaced, but kept tens (hundred?) million in bonuses. A few weeks ago, Warren Buffet had commented that he had been the largest freddie shareholder in 2000-2001 ... but got completely out because of their accounting practices.

A couple years ago, I talked at a european financial conference that SOX wasn't going to affect such determined financial fiddling.

somewhat related articles:

How Wall Street Lied to Its Computers
http://bits.blogs.nytimes.com/2008/09/18/how-wall-streets-quants-lied-to-their-computers//
Subprime = Triple-A ratings? or 'How to Lie with Statistics'
http://www.bloggingstocks.com/2007/07/25/subprime-triple-a-ratings-or-how-to-lie-with-statistics/

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Blinkenlights

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Blinkenlights
Newsgroups: alt.folklore.computers
Date: Tue, 21 Oct 2008 14:08:20 -0400
Morten Reistad <first@last.name> writes:
So, in part, this is due to hasty legislation from the FDR administration. They didn't replace the truly evil banking laws though; that make a pan-american push-style payment system impossible unless done through Swift.

part of the issue is that wholesale banking transactions have a much higher bar for participant authentication and things like compensating balances on file for settlement.

one of the big problems in much of the current retail transaction environment is that knowledge of the account number is needed for push transactions ... but is also sufficient for a pull transaction (one of the nigerian scams, they need your account number in order to transfer you $25m ... they then drain your account).

I've mentioned before work in x9a10 financial standard working group which in the mid-90s, had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments. This is ALL retail, as in ALL credit, debit, stored-value, check, ACH, etc; as in ALL POS, internet, unattended, face-to-face, mobile, transit, contact, contactless, etc; and as in ALL low-value, medium-value, high-value, etc.

Part of this involved detailed, end-to-end threat and vulnerability studies of the environments ... which eventually resulted in x9.59 financial transaction standard
http://www.garlic.com/~lynn/x959.html#x959

Along the way, we even wrote a couple paragraphs for early drafts of what, at the time, was called SWIFT-2.

We also talked to FEDWIRE. Turns out that FEDWIRE had 100percent availability for several yrs and attributed it primarily to:

they were aware that long ago and far away, my wife had been con'ed into going to POK to be in charge of loosely-coupled architecture where she created peer-coupled shared data architecture
http://www.garlic.com/~lynn/submain.html#shareddata

which, except for IMS hot-standby (at the time), didn't see a lot of uptake until sysplex.

In much of the current infrastructure, knowing the account number is sufficient for a crook to perform a fraudulent transaction. We've tried using a number of metaphors to describe the current infrastructure (fixed by x9.59):

dual-use vulnerability metaphor

account number is required in a large number of different business processes and is required to be readily available. at the same time the account number has to be kept strictly confidential and never divulged to anybody (not even those needing it for business processes, since insiders have repeatedly been shown to be the major source of insider theft). we've claimed that even if the planet was buried under miles of information hiding encryption, that it wouldn't be sufficient to prevent information leakage.

security proportional to risk metaphor

to the merchant, knowledge of the account number is worth some percent of the profit off the transaction; that same knowledge for the crook, is worth the account balance/credit-limit. as a result, the crook may be able to outspend by a factor of 100 times attacking the system (as the merchant can afford to spend protecting the system).

naked transaction metaphor

lots of archived blog activity & posts
http://www.garlic.com/~lynn/subintegrity.html#payments

===

One of the biggest issues with x9.59 financial standard is that it commoditizes much of the payment transaction business

... being a single comprehensive protocol that is lightweight enough for very low-value transactions but with super strong integrity for the highest-value transactions ... while also eliminating most of the current threats and vulnerabilities ... and applicable to all environments and types of payments.

For instance, x9.59 doesn't do anything about preventing all the data breaches that have been in the news over the past several years ... but it eliminates the threats of fraudulent transactions from such data breaches (which also eliminates most of the crook's motivation for making data breaches).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

PDP-1 Spacewar! program internals

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: PDP-1 Spacewar! program internals
Newsgroups: alt.folklore.computers,rec.games.video.arcade.collecting
Date: Tue, 21 Oct 2008 14:36:11 -0400
later on in the 60s, somebody at the science center (4th flr, 545 tech sq) ported it to 2250-4 (i.e. 1130 with 2250). my kids (pre-teen) would play sometimes on weekends ... keyboard split left/right for two players. I don't know of where any versions might be.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Who murdered the financial system?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Who murdered the financial system?
Date: October 22, 2008
Blog: Currency Markets
In real time, congressional hearings are putting the blame on credit rating agencies.

long-winded, decade old post discussing some of the current problems ... including needing (accurate) visibility into CDO-like instruments
http://www.garlic.com/~lynn/aepay3.htm#riskm

Toxic CDOs were used two decades ago during the S&L crisis to obfuscate underlying value and unload.

Subprime mortgages were supposedly targeted at low-income home buyers. However, mortgage originators found that when they were able to get triple-A ratings on toxic CDOs ... they basically could unload all the mortgages they could possibly write at a very nice premium. The use of triple-A rated toxic CDOs significantly expanded the funding for writing subprime loans, far beyond the original intended markets. Speculators found that they could pick up (subprime) no-documentation, no-down payment, 1-2 percent interest rate ARM with interest only payments .... and treat the home owner market like the unregulated 1920s stock market.

The claim is that the subprime mortgage originators would never have been able to write all those subprime mortgages w/o nearly unlimited funding by getting triple-A rating on those toxic CDOs.

Say a speculator picks up a $500k home with one of those loans and plans on flipping it in a year for $600k. The carrying cost with a 1% subprime is $5k, possibly get a real estate agent to handle the flip for 3% total ... total out of pocket is around $20k for $100k return ... 500 percent ROI. The speculation and the huge inflation is bad ... but it wouldn't have been possible w/o the unregulated mortgage originators being able to fund the subprime mortgage mill using triple-A rated toxic CDOs.

A few weeks ago, one of the TV business shows had on a guest from one of the rating agencies to talk about down rating of some companies. The host spent much of the show trying to get the guest to admit to being responsible for the current crisis.

On the other side (speculators buying all the subprime loans), there was the financial methods all the investment banks (and/or investment banking arms of regulated financial institutions) buying up all these triple-A rated toxic CDOs ... recent comment:
Best practice transfer pricing calculations would have made it clear that neither Bear Stearns nor Lehman Brothers had more than a marginal chance of survival when funding 30 year sub-prime mortgage loans with thirty day borrowings.

actually $5k mortgage payments over a year ... is more like $2.5k avg out-of-pocket for the period of the year. rather than treating the $15k real estate agent fee as part of investment ... treat as cost ... so only clears $85k after a year. So for an avg. investment of $2.5k for the year ... have a $85k ROI on the $2.5k investment.

For pathological speculation case, have the speculator even borrow the mortgage payments ... so there is only the interest payments on the borrowing of mortgage interest payments. This is getting into "heavy leveraged" analogous to what the institutions were doing on the other side of the toxic CDOs and their triple-A ratings.

recent question/answer referencing the two sides with triple-A rating on toxic CDOs in the middle; unregulated mortgage originators and speculations treating home owner market like the 1920s unregulated stock market on one side ... and the unregulated investment banks (and investment banking arms of regulated banking ... courtesy of the Glass-Steagall repeal) heavily leveraged and playing long/short game on the other side.
http://www.linkedin.com/answers/finance-accounting/corporate-debt/FIN_CDT/344064-28994563
and
http://www.garlic.com/~lynn/2008o.html#52 Why is sub-prime crisis of America called the sub-prime crisis?

One can claim that there are a variety of individual areas that all contributed to the current financial crisis. For decades/centuries, the individual areas have been understood to be their separate areas of greed and corruption (toxic CDOs, real estate speculation, heavy leveraged borrowing, long/short mismatch, etc).

The current issue is a combination of
• regulation relaxing (both repeal of regulations like Glass-Steagall and in other cases failing to enforce regulations)
• toxic CDOs getting triple-A ratings


the relaxing of regulations allowed all the individual (greed and corruption) brush fires to combine into one large fire (another analogy is eliminating bulkheads in ships). the triple-A ratings (for toxic CDOs) then provided huge amounts of accelerant to turn the blaze into an enormous firestorm (think Dresden ... but spanning much of the country).

there was a report about fires in cal. state mountain valleys. the claim was that policy of putting out all fires allowed excessive amounts of undergrowth to accumulate; to the point that it would fuel environmental disastrous fires. the claim was that there was evidence that prior to Europeans, the local inhabitants would purposefully start fires in these valleys every couple generations ... when the undergrowth became too thick (small fires wouldn't take out the trees, but letting too much undergrowth accumulate would result in fire that destroyed everything).

the somewhat loose corollary was that in the wake of the S&L crisis, the claim was made that strongly regulated financial industry became very vulnerable when regulations were relaxed. the issue supposedly was the strong regulation allows the financial industry to become populated by large number of (greedy) individuals that weren't required to know what they were doing ... they just did what the regulations told them to do. then when regulations were relaxed, they became fat prey for predators (who did "understand").

relaxing of regulations enabled all the small greed & corruption fires to combine into single fire. however, that still wouldn't have resulted in a firestorm without the triple-A ratings on toxic CDOs.

recent threads mentioning credit rating agencies:
http://www.garlic.com/~lynn/2008j.html#68 lack of information accuracy
http://www.garlic.com/~lynn/2008j.html#71 lack of information accuracy
http://www.garlic.com/~lynn/2008o.html#52 Why is sub-prime crisis of America called the sub-prime crisis?
http://www.garlic.com/~lynn/2008o.html#68 Blinkenlights
http://www.garlic.com/~lynn/2008o.html#71 Why is sub-prime crisis of America called the sub-prime crisis?
http://www.garlic.com/~lynn/2008o.html#75 In light of the recent financial crisis, did Sarbanes-Oxley fail to work?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

What emerging risks are exposed with a shift from paper to electronic retail payments?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: What emerging risks are exposed with a shift from paper to electronic retail payments?
Date: October 22, 2008
Blog: Risk Management
Electronic data breaches will frequently involve significantly more records than paper data breaches.

After having been called in to work with small client/server startup that wanted to do payments on their server (& they had invented this technology SSL, they wanted to use), in the mid-90s, we were asked to participate in the x9a10 financial standard working group which had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments.

This was ALL retail, as in ALL credit, debit, stored-value, check, ACH, etc; as in ALL POS, internet, unattended, face-to-face, mobile, transit, contract, contactless, etc; and as in ALL low-value, medium-value, high-value, etc.

Part of the effort involved doing detailed, end-to-end, threat and vulnerability studies and the effort resulted in x9.59 financial standard
http://www.garlic.com/~lynn/x959.html#x959

The majority of data breaches that have been in the news have involved repositories of retail financial transaction information. The threat from the data breaches involve crooks being able to use the information from financial transactions to perform fraudulent transactions. The x9.59 financial standard protocol did nothing about preventing the data breaches ... but it does slightly change the paradigm, eliminating the threat of using data breach information for fraudulent transactions (and therefore the value of the information to crooks).

Recent post discussing the existing electronic retail payment data breach threat and the x9.59 protocol eliminating the threat (doesn't address breaches, but the threat from the breaches)
http://www.garlic.com/~lynn/2008o.html#76

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can we blame one person for the financial meltdown?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can we blame one person for the financial meltdown?
Date: October 23, 2008
Blog: Financial Regulation
Yesterday, congressional hearings are putting the blame on credit rating agencies.

long-winded, decade old post discussing some of the current problems ... including needing (accurate) visibility into CDO-like instruments
http://www.garlic.com/~lynn/aepay3.htm#riskm

Toxic CDOs were used two decades ago during the S&L crisis to obfuscate underlying value and unload at premium

Subprime mortgages were supposedly targeted at low-income home buyers. However, mortgage originators found that when they were able to get triple-A ratings on toxic CDOs ... they basically could unload all the mortgages they could possibly write at a premium. The use of triple-A rated toxic CDOs significantly expanded the funding for writing subprime loans, far beyond the original intended markets. Speculators found that they could pick up (subprime) no-documentation, no-down payment, 1-2 percent interest rate ARM with interest only payments .... and treat the home owner market like the unregulated 1920s stock market.

The claim is that the subprime mortgage originators would never have been able to write all those subprime mortgages w/o nearly unlimited funding that became possible with getting triple-A rating on the toxic CDOs.

A few weeks ago, one of the TV business shows had on a guest from one of the rating agencies to talk about down rating of some companies. The host spent much of the show trying to get the guest to admit to being responsible for the current crisis.

On the other side (speculators buying all the subprime loans), there was the financial methods all the investment banks (and/or investment banking arms of regulated financial institutions) buying up all these triple-A rated toxic CDOs ... recent comment:
Best practice transfer pricing calculations would have made it clear that neither Bear Stearns nor Lehman Brothers had more than a marginal chance of survival when funding 30 year sub-prime mortgage loans with thirty day borrowings.

related answers here:
http://www.linkedin.com/answers/finance-accounting/corporate-debt/FIN_CDT/344064-28994563
http://www.linkedin.com/answers/financial-markets/currency-markets/MKT_CUR/348304-31790229
also here:
http://www.garlic.com/~lynn/2008o.html#52 Why is sub-prime crisis of America called the sub-prime crisis?
http://www.garlic.com/~lynn/2008o.html#78 Who murdered the financial system?

There was business school article from last spring that estimated approx. 1000 executives are responsible for 80% of the current credit crisis and it would go a long way to fixing the problem if the gov. could figure out how they could lose their jobs.

Greenspan testimony in real-time also says "triple-A" ratings on (subprime mortgage backed) toxic CDOs.

In the past, home owner market was somewhat indirectly regulated because regulated financial institutions would originate the mortgages using deposits. They would also retain the mortgages so there was significant motivation to pay attention to mortgage quality.

Unregulated mortgage originators could leverage the triple-A rating on toxic CDOs to both fund their operations as well as immediately unload all the mortgages nearly as fast as they could write them. This eliminated nearly all motivation to pay any attention to quality.

The use of toxic CDOs two decades ago during the S&L crises had much smaller market ... and so use as funding source and impact was much smaller. It was still viewed as problem ... as per the long-winded decade old post. Being able to get triple-A ratings on toxic CDOs greatly expanded the market.

One can claim that there are a variety of individual areas that all contributed to the current financial crisis. For decades/centuries, the individual areas have been understood to be their separate areas of greed and corruption (toxic CDOs, real estate speculation, heavy leveraged borrowing, long/short mismatch, etc).

The current issue is a combination of
• regulation relaxing (both repeal of regulations like Glass-Steagall and in other cases failing to enforce regulations)
• toxic CDOs getting triple-A ratings


the relaxing of regulations allowed all the individual (greed and corruption) brush fires to combine into one large fire (another analogy is eliminating bulkheads in ships). the triple-A ratings (for toxic CDOs) then provided huge amounts of accelerant to turn the blaze into an enormous firestorm (think Dresden ... but spanning the whole country).

there was a report about fires in cal. state mountain valleys. the claim was that policy of putting out all fires allowed excessive amounts of undergrowth to accumulate; to the point that it would fuel environmental disastrous fires. the claim was that there was evidence that prior to Europeans, the local inhabitants would purposefully start fires in these valleys every couple generations ... when the undergrowth became too thick (small fires wouldn't take out the trees, but letting too much undergrowth accumulate would result in fire that destroyed everything).

the somewhat loose corollary was that in the wake of the S&L crisis, the claim was made that strongly regulated financial industry became very vulnerable when regulations were relaxed. the issue supposedly was the strong regulation allows the financial industry to become populated by large number of (greedy) individuals that weren't required to know what they were doing ... they just did what the regulations told them to do. then when regulations were relaxed, they became fat prey for predators (who did "understand").

relaxing of regulations enabled all the small greed & corruption fires to combine into single fire. however, that still wouldn't have resulted in a firestorm without the triple-A ratings on toxic CDOs.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

How security audits, vulnerability assessments and penetration tests differ?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: How security audits, vulnerability assessments and penetration tests differ?
Date: October 23, 2008
Blog: Auditing
One of the things I use our knowledge tools for is doing merged taxonomies and glossaries.
http://www.garlic.com/~lynn/index.html#glosnote

one is merged security taxonomy and glossary
http://www.garlic.com/~lynn/secure.htm

"penetration testing" (from NIST 800-115):
Security testing in which evaluators mimic real-world attacks to attempt to identify methods for circumventing the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the common tools and techniques used by attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through any single vulnerability.

"security audit" (from NIST 800-82):
Independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures.

"vulnerability assessment" (GAO report 06-691):
The identification of weaknesses in physical structures, personal protection systems, processes or other areas that may be exploited. A vulnerability assessment identifies inherent states and the extent of their susceptibility to exploitation relative to the existence of any countermeasures.
....

penetration testing & vulnerability assessment are more focused on identifying weaknesses. security audit includes looking at compensating procedures and countermeasures (for weaknesses)

Somewhat example in this QA:

What emerging risks are exposed with a shift from paper to electronic retail payments?
http://www.linkedin.com/answers/finance-accounting/risk-management/FIN_RMG/348646-17020110

also here:
http://www.garlic.com/~lynn/2008o.html#79 What emerging risks are exposed with a shift from paper to electronic

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Greenspan testimony and securization

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Greenspan testimony and securization
Date: October 23, 2008
Blog: Derivatives Markets
Greenspan, Cox tell Congress that bad data hurt Wall Street's computer models
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117961

somewhat glosses over whether or not it was done on purpose ...

How Wall Street Lied to Its Computers
http://bits.blogs.nytimes.com/2008/09/18/how-wall-streets-quants-lied-to-their-computers//
Subprime = Triple-A ratings? or 'How to Lie with Statistics'
http://www.bloggingstocks.com/2007/07/25/subprime-triple-a-ratings-or-how-to-lie-with-statistics/

related answers here
http://www.linkedin.com/answers/financial-markets/currency-markets/MKT_CUR/348304-31790229
http://www.linkedin.com/answers/finance-accounting/financial-regulation/FIN_FRG/344874-2322797
and archived here:
http://www.garlic.com/~lynn/2008o.html#78 Who murdered the financial system?
http://www.garlic.com/~lynn/2008o.html#80 Can we blame one person for the financial meltdown?

long winded, decade old post discussing some of the current problems, including requirement for visibility into CDO-like instruments
http://www.garlic.com/~lynn/aepay3.htm#riskm

Toxic CDOs had been used two decades ago in the S&L crisis to obfuscate the underlying values .... so it wasn't like the problem wasn't understood and known.

Nearly all the individual parts of the current crisis had been well known ... some even for centuries. For instance recent quote about short/long mismatch:
Best practice transfer pricing calculations would have made it clear that neither Bear Stearns nor Lehman Brothers had more than a marginal chance of survival when funding 30 year sub-prime mortgage loans with thirty day borrowings.
....

article from 2000 by san fran FED about short/long mismatch problems in the 90s.
http://www.frbsf.org/economic-research/publications/economic-letter/2000/september/short-term-international-borrowing-and-financial-fragility/

To great extent, regulations had kept all the individual hot beds of greed and corruption separated. Relaxation of regulations contributed significantly to the separate/isolated problems turning into systemic firestorm.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Chip-and-pin card reader supply-chain subversion 'has netted millions from British shoppers'

From: Anne & Lynn Wheeler <lynn@garlic.com>
To: cryptography@xxxxxxx
Subject: Re: Chip-and-pin card reader supply-chain subversion 'has netted millions from British shoppers'
Date: Fri, 24 Oct 2008 10:22:43 -0400
re:
Chip and pin scam 'has netted millions from British shoppers'
http://www.telegraph.co.uk/news/uknews/law-and-order/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html
Credit card scam: How it works
http://www.telegraph.co.uk/news/worldnews/asia/pakistan/3173161/Credit-card-scam-How-it-works.html


some of the strategies to obfuscate fraudulent terminal clones, as the source of information, get more sophisticated than mentioned in article (as countermeasures to industry techniques to identify patterns to track back to compromised/counterfeit terminals that are skimming info). fraudulent clones have not only been used to skim for magstripe for counterfeit magstripe cards ... but also for counterfeit yes cards. misc. past posts mentioning chip yes cards
http://www.garlic.com/~lynn/subintegrity.html#yescards

some of the comments may be misdirection. there was large scale counterfeit POS terminal case in europe in mid-90s involving a couple million investment and a couple unemployed scientists ... more expertise/resources than available to most highschool dropouts .. but well within the capability of small to medium sized criminal organization.

....

now, doesn't seem likely that (our own) gov. agencies need to manipulate the market in that way ... just have the printing presses run a little longer.

a more likely scenario is the people on wallstreet (and/or other gov) ... chasing bonuses, commissions, illegal short sales, etc.

recent temporary ban on short sales ... somewhat ignored huge amount of illegal short sales not being prosecuted (somewhat analogous to the penny stock pump&dump scams that are periodically shutdown, except all the hype/rumors/fabrication is downward pressure rather than upward pressure). following claims that the illegal activity is widespread ...

CRAMER REVEALS A BIT TOO MUCH
http://nypost.com/2007/03/20/cramer-reveals-a-bit-too-much/

from above:
He added that the strategy - while illegal - was safe enough because, "the Securities and Exchange Commission never understands this."
... snip ...

recent testimony by Greenspan and Cox used the term "bad data" fed to computers
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117961

... which sort of glosses over whether it was done on purpose; one of the least critical articles about wallstreet practices:

How Wall Street Lied to Its Computers
http://bits.blogs.nytimes.com/2008/09/18/how-wall-streets-quants-lied-to-their-computers//

A couple weeks ago, CSPAN had on guest that mentioned that during the congressional session that repealed Glass-Steagall, the financial industry had contributed $250m to congress ... but that had increased to $2B in the most recent session that approved the $700B wallstreet bailout (supposedly those that voted for the bill received 45% more in contributions than those that voted against).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70



