List of Archived Posts

2008 Newsgroup Postings (10/24 - 11/15)

How much do those small credit card terminals cost per month?
My Funniest or Most Memorable Moment at IBM
Keeping private information private
Blinkenlights
Strings story
Privacy, Identity theft, account fraud
SECURITY and BUSINESS CONTINUITY ..... Where they fit in?
Dealing with the new MA ID protection law
Global Melt Down
Do you believe a global financial regulation is possible?
Strings story
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Discussions areas, private message silos, and how far we've come since 199x
"Telecommunications" from '85
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Blinkenlights
Open Source, Unbundling, and Future System
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Donald Knuth stops paying for errata
Would you say high tech authentication gizmos are a waste of time/money/effort?
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Your views on the increase in phishing crimes such as the recent problem French president Sarkozy faces
Why not build a shared services infrastructure to support the banking sector?
How do group members think the US payments business will evolve over the next 3 years?
What is the biggest IT myth of all time?
Father Of Financial Dataprocessing
Can Smart Cards Reduce Payments Fraud and Identity Theft?
How were you using the internet 10 years ago and how does that differ from how you use it today?
Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technologies?
FC5 Special Workshop CFP: Emerging trends in Online Banking and Electronic Payments
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Making tea
How can I tell if a keylogger got added to my PC while I was in Beijing?
Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technologies?
Making tea
Making tea
How do group members think the US payments business will evolve over the next 3 years?
Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technologies?
Opsystems
Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technologies?
Password Rules
Barbless
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Near-perfection achieved by solar absorber
Would you say high tech authentication gizmos are a waste of time/money/effort?
In Modeling Risk, the Human Factor Was Left Out
How much knowledge should a software architect have regarding software security?
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Barbless
Barbless
Serial vs. Parallel
Query: Mainframers look forward and back
Barbless
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Barbless
What happened in security over the last 10 years?
Do soft certificates provide two factor authentication?
Can Smart Cards Reduce Payments Fraud and Identity Theft?
Did sub-prime cause the financial mess we are in?
Serial vs. Parallel
Barbless
Shedding light on solar cell technology
Do you feel secure with your bank's online banking service?
Barbless
Happy 30th Birthday!
Web Security hasn't moved since 1995
"The Register" article on HP replacing z
ATM PIN through phone or Internet. Is it secure? Is it allowed by PCI-DSS?, Visa, MC, etc.?
Is there any technology that we are severely lacking in the Financial industry?
Password Rules
Alternative credit card network
History of preprocessing (Burroughs ALGOL)
2008 Data Breaches: 30 Million and Counting
Alternative credit card network
Multi-Factor Authentication - Moving Beyond Passwords for Security of Online Transactions
Tell me why the taxpayer should be saving GM and Chrysler (and Ford) managers & shareholders at this stage of the game?
Web Security hasn't moved since 1995
PIN entry on digital signatures + extra token
Making tea
How to Plan a High Value Sales Campaign Using Military Principles
Tell me why the taxpayer should be saving GM and Chrysler (and Ford) managers & shareholders at this stage of the game?
Residual Risk Methodology for Single Factor Authentication

How much do those small credit card terminals cost per month?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: How much do those small credit card terminals cost per month?
Date: October 24, 2008
Blog: Payment Systems Network
may be able to get one for free from these guys:

Chip and pin scam 'has netted millions from British shoppers'
http://www.telegraph.co.uk/news/uknews/law-and-order/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html

Credit card scam: How it works
http://www.telegraph.co.uk/news/worldnews/asia/pakistan/3173161/Credit-card-scam-How-it-works.html

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

My Funniest or Most Memorable Moment at IBM

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: My Funniest or Most Memorable Moment at IBM
Date: October 25, 2008
Blog: Greater IBM
We were riding up an elevator in a large HK bank building for a marketing pitch on our HA/CMP product ... some old posts
http://www.garlic.com/~lynn/subtopic.html#hacmp

and a young SE in the back of the elevator asked if I was the "wheeler" of the wheeler scheduler. I said I guess so and he said that they had studied me at the univ. of waterloo. I asked if they taught the joke in the wheeler scheduler?

We eventually found time to discuss it a little further. I explained that as an undergraduate in the 60s, I had done a lot of work on dynamic adaptive resource management ... and that a lot of my work as an undergraduate in the 60s shipped in the cp67 virtual machine system.

In the morph from cp67 to vm370, there was a lot of simplification and much of my work from undergraduate days was dropped. However, I continued my work all through the future system days, even migrating to vm370 ... some old email references:
http://www.garlic.com/~lynn/2006v.html#email731212
http://www.garlic.com/~lynn/2006w.html#email750102
http://www.garlic.com/~lynn/2006w.html#email750430

In the aftermath of future system project failure, some past posts:
http://www.garlic.com/~lynn/submain.html#futuresys

there was a mad rush to get stuff back into the 370 hardware & software product pipeline ... which contributed to the decision to release a lot of my 370 work ... including what customers had come to call the wheeler scheduler.

During some product review, some corporate technical expert claimed that there was a deficiency: it lacked sufficient "tuning knobs" ... which were the latest state of the art and found in all the major premier systems (nearly a decade after the dynamic adaptive work I had done as an undergraduate). I tried to explain about "dynamic adaptive" ... but it fell on deaf ears. So I had to add some "tuning knobs" controlled by a new command I called "SRM". Eventually, the resource manager was shipped to customers with full source and a manual describing the formulas involved in the resource management calculations (including the "tuning knobs").

What it didn't mention in the document, but was clearly visible in the code was "degrees of freedom" (basis of the joke) i.e. the dynamic adaptive code (aka "self tuning" by any other name) had more degrees of freedom than the "tuning knobs" (aka the dynamic adaptive code could pretty much compensate for any tuning knob setting).

The dynamic adaptive code was implemented in a module named with the usual component 3-letter prefix convention ... followed by STP (from a motto in a popular TV commercial in the 60s).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Keeping private information private

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Keeping private information private
Date: October 25, 2008
Blog: Greater IBM
Financial Privacy

One of the things I worked on in the X9 financial standard group was co-author of X9.99 financial privacy standard. Part of it was spending a lot of time trying to reconcile GLBA and HIPAA provisions ... as well as take into account EU-DPD.

We had also been involved tangentially in Ca. state breach notification legislation. Some of the parties involved had done extensive consumer surveys on privacy. They found the most important consumer privacy issue was identity theft. A major component of identity theft is account fraud (fraudulent financial transactions against existing accounts) as a result of information leakage from breaches. This aspect was getting little or no attention, so it seemed there was some hope that the publicity associated from breach notification would start to prompt corrective action.

In the mid-90s, we had also participated in the X9A10 working group on the X9.59 financial transaction standard ... some past posts
http://www.garlic.com/~lynn/x959.html#x959

The x9.59 standard didn't do anything directly about addressing such breaches; however it slightly tweaked the paradigm so the information from such breaches was no longer useful for performing fraudulent transactions (did nothing to prevent breaches, but eliminated the threat of the fraudulent transactions that resulted from breaches).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Blinkenlights

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Blinkenlights
Newsgroups: alt.folklore.computers
Date: Sat, 25 Oct 2008 11:28:26 -0400
Anne & Lynn Wheeler <lynn@garlic.com> writes:
Poor Performance of Credit Rating Agencies
http://accounting.smartpros.com/x60011.xml

from above:

December 2007 Soon after Merrill Lynch disclosed its $8.4 billion write-down because of problems with collateralized debt obligations (CDOs) and other financial instruments relating to subprime mortgages, the credit rating agencies started downgrading the securities. But, this is like the proverbial soldier who watches a raging battle from afar; when the war is over, he proceeds to bayonet the wounded.

... snip ...

the above article makes the point that rating agencies were paid quite a bit of money for giving triple-A ratings to the toxic CDOs ... also drawing a parallel with how long it took for the ENRON downgrade.


re:
http://www.garlic.com/~lynn/2008o.html#68 Blinkenlights

the congressional hearings into the credit rating agencies this week are severely lambasting the triple-A ratings given to the toxic CDOs ... including one person's testimony that many such ratings met the standard accepted definition for "fraud".

some recent related postings:
http://www.garlic.com/~lynn/2008o.html#78 Who murdered the financial system?
http://www.garlic.com/~lynn/2008o.html#80 Can we blame one person for the financial meltdown?
http://www.garlic.com/~lynn/2008o.html#81 How security audits, vulnerability assessments and penetration tests differ?
http://www.garlic.com/~lynn/2008o.html#82 Greenspan testimony and securization
http://www.garlic.com/~lynn/2008o.html#83 Chip-and-pin card reader supply-chain subversion 'has netted millions from British shoppers'

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Strings story

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Strings story
Newsgroups: alt.folklore.computers
Date: Sat, 25 Oct 2008 12:01:21 -0400
joke embedded in the code, but not involving a character string ...

We were riding up an elevator in a large HK bank building for a marketing pitch on our HA/CMP product ... some old posts
http://www.garlic.com/~lynn/subtopic.html#hacmp

and a young SE in the back of the elevator asked if I was the "wheeler" of the wheeler scheduler. I said I guess so and he said that they had studied me at the univ. of waterloo. I asked if they taught the joke in the wheeler scheduler?

We eventually found time to discuss it a little further. I explained that as an undergraduate in the 60s, I had done a lot of work on dynamic adaptive resource management ... and that a lot of my work as an undergraduate in the 60s shipped in the cp67 virtual machine system.

In the morph from cp67 to vm370, there was a lot of simplification and much of my work from undergraduate days was dropped. However, I continued my work all through the future system days, even migrating to vm370 ... some old email references:
http://www.garlic.com/~lynn/2006v.html#email731212
http://www.garlic.com/~lynn/2006w.html#email750102
http://www.garlic.com/~lynn/2006w.html#email750430

In the aftermath of future system project failure, some past posts:
http://www.garlic.com/~lynn/submain.html#futuresys

there was a mad rush to get stuff back into the 370 hardware & software product pipeline ... which contributed to the decision to release a lot of my 370 work ... including what customers had come to call the wheeler scheduler (leftover from those that had run cp67)

During some product review, some corporate technical expert claimed that there was a deficiency: it lacked sufficient "tuning knobs" ... which were the latest state of the art and found in all the major premier systems (nearly a decade after the dynamic adaptive work I had done as an undergraduate). I tried to explain about "dynamic adaptive" ... but it fell on deaf ears. So I had to add some "tuning knobs" controlled by a new command I called "SRM". Eventually, the resource manager was shipped to customers with full source and a manual describing the formulas involved in the resource management calculations (including the "tuning knobs").

What it didn't mention in the document, but was clearly visible in the code was "degrees of freedom" (basis of the joke) i.e. the dynamic adaptive code (aka "self tuning" by any other name) had more degrees of freedom than the (manual) "tuning knobs" (aka the dynamic adaptive code could pretty much compensate for any tuning knob setting).

The dynamic adaptive code was implemented in a module named with the usual component 3-letter prefix convention ... followed by STP (from a motto in a popular TV commercial in the 60s).

recent post (also) mentioning Open Source, Unbundling, and Future System
http://www.garlic.com/~lynn/2008o.html#66 Open Source, Unbundling, and Future System

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Privacy, Identity theft, account fraud

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Privacy, Identity theft, account fraud
Date: October 25, 2008
Blog: Financial Crime Risk, Fraud and Security
We had been tangentially involved with the cal state breach notification legislation. Some of the parties involved had done detailed consumer surveys about privacy. The number one consumer privacy issue was identity theft ... a major component is "account fraud" (fraudulent financial transactions against existing accounts) resulting from the information leakage in breaches. There was little or no attention being paid to such breaches, so it seemed that there was some hope that with the publicity from the notifications, it would start to prompt corrective action. I was also involved as co-author of the x9.99 financial privacy standard, which required paying attention to GLBA and HIPAA as well as taking into account EU-DPD

one of the big problems in much of the current retail transaction environment is that knowledge of the account number is sufficient for fraudulent transactions

I've mentioned before work in the x9a10 financial standard working group which in the mid-90s, had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments. This is ALL retail, as in ALL credit, debit, stored-value, check, ACH, etc; as in ALL POS, internet, unattended, face-to-face, mobile, transit, contract, contactless, etc; and as in ALL low-value, medium-value, high-value, etc.

Part of this involved detailed, end-to-end threat and vulnerability studies of the environments ... which eventually resulted in x9.59 financial transaction standard
http://www.garlic.com/~lynn/x959.html#x959

Along the way, we even wrote a couple paragraphs for early drafts of what, at the time, was called SWIFT-2.

We also talked to FEDWIRE. Turns out that FEDWIRE had 100 percent availability for several yrs and attributed it primarily to:

they were aware that long ago and far away, my wife had been con'ed into going to POK to be in charge of loosely-coupled architecture where she created peer-coupled shared data architecture
http://www.garlic.com/~lynn/submain.html#shareddata

which, except for IMS hot-standby (at the time), didn't see a lot of uptake until sysplex.

In much of the current infrastructure, knowing the account number is sufficient for a crook to perform a fraudulent transaction. We've tried using a number of metaphors to describe the current infrastructure (fixed by x9.59):

dual-use vulnerability metaphor

account number is required in a large number of different business processes and is required to be readily available. at the same time the account number has to be kept strictly confidential and never divulged to anybody (not even those needing it for business processes, since insiders have repeatedly been shown to be the major source of identity theft). we've claimed that even if the planet was buried under miles of information hiding encryption, it wouldn't be sufficient to prevent information leakage.

security proportional to risk metaphor

to the merchant, knowledge of the account number is worth some percent of the profit off the transaction; that same knowledge for the crook is worth the account balance/credit limit. as a result, the crook may be able to outspend the merchant by a factor of 100 attacking the system (compared to what the merchant can afford to spend protecting/defending it).

naked transaction metaphor

lots of archived "naked transaction metaphor" blog activity & posts
http://www.garlic.com/~lynn/subintegrity.html#payments

prior to being involved in the x9a10 financial standard working group in the mid-90s, we had been called in to consult with a small client/server startup that wanted to do payment transactions on their server; they had this technology called SSL they had invented and they wanted to use it for payment transactions.

part of that effort involved something called payment gateway (which included various compensating procedures due to lack of various business critical features in the internet) ... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

and the effort is now frequently referred to as electronic commerce.

Now the major use of SSL in the world today is to hide the details of financial transactions while being transmitted thru the internet; as a countermeasure to crooks eavesdropping and being able to use the information for fraudulent transactions (similar to the data breach threat). However, since x9.59 eliminates that threat ... it would also eliminate the major use of SSL in the world today.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

SECURITY and BUSINESS CONTINUITY ..... Where they fit in?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: SECURITY and BUSINESS CONTINUITY ..... Where they fit in?
Date: October 25, 2008
Blog: Facilities Management
We were responsible for the HA/CMP product
http://www.garlic.com/~lynn/subtopic.html#hacmp

and spent quite a bit of time looking at continuous availability issues ... even coining the terms disaster survivability and geographic survivability as part of differentiating from disaster/recovery ... some past posts
http://www.garlic.com/~lynn/submain.html#available

When coming at the problem from the standpoint of "availability" products ... we viewed security threats/violations as an issue that could affect the integrity and availability of the system. This was further reinforced by having to deal with correct database operation ... both in a local scalable cluster environment as well as in a geographically distributed environment ... where the paradigm acronym is "ACID"
• Atomicity
• Consistency
• Isolation
• Durability


for other topic drift ... misc. past related to original relational/sql:
http://www.garlic.com/~lynn/submain.html#systemr

We were also called in to consult with a small client/server startup that wanted to do payment transactions on their server (the startup had invented this thing they called SSL which they wanted to use as part of the implementation). Two people at the startup responsible for what they called the "commerce" server ... we had previously worked with on scalable high availability databases ... minor reference in this post
http://www.garlic.com/~lynn/95.html#13

Part of that effort was something called a payment gateway ... some past posts here
http://www.garlic.com/~lynn/subnetwork.html#gateway

and it is now frequently referred to as electronic commerce. While some amount of the electronic commerce involved databases ... we also had to look at how the deployment on the internet introduced new failure mode issues (including various kinds of security threats and attacks requiring new countermeasures).

When looking at it from a "security" orientation there is the security acronym PAIN:

One of the footnotes was that in the early 80s, there was quite a bit of attention regarding countermeasures for insider threats. The coming of the Internet refocused a lot of attention on external attacks and vulnerabilities ... even though the majority of the exploits have continued to involve insiders.

One of the studies done during our HA/CMP days was that half of the companies that suffered an unbacked-up disk failure involving critical corporate data (lots of small to medium sized businesses where the data was likely to include customer billing and accounts receivable) declared bankruptcy within the first 30 days of the failure (loss of critical business operational data, but also could significantly impact cash flow).

From a data breach standpoint ... we were tangentially involved in Ca. state breach notification legislation ... discussed in more detail in this recent post on "Privacy, Identity theft, account fraud"
http://www.garlic.com/~lynn/2008p.html#5 Privacy, Identity theft, account fraud

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Dealing with the new MA ID protection law

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Dealing with the new MA ID protection law
Date: October 25, 2008
Blog: Government Policy
We had been tangentially involved with the cal state breach notification legislation. Some of the parties involved had done detailed consumer surveys about privacy. The number one consumer privacy issue was identity theft ... a major component is "account fraud" (fraudulent financial transactions against existing accounts) resulting from the information leakage in breaches. There was little or no attention being paid to such breaches, so it seemed that there was some hope that with the publicity from the notifications, it would start to prompt corrective action. Since the cal. breach notification legislation, many other states have passed similar legislation. There have also been two classes of "federal" notification bills proposed over the past couple of yrs (those that are similar to the cal. legislation and those that would essentially pre-empt state legislation and eliminate most notification requirements).

I was also involved as co-author of the x9.99 financial privacy standard, which required paying attention to GLBA and HIPAA as well as taking into account EU-DPD

After having worked with a small client/server startup that wanted to do payments on their server (they had this technology called SSL and the implementation is now frequently called electronic commerce) we were invited to be part of the x9a10 financial standard working group which in the mid-90s, had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments. This is ALL retail, as in ALL credit, debit, stored-value, check, ACH, etc; as in ALL POS, internet, unattended, face-to-face, mobile, transit, contract, contactless, etc; and as in ALL low-value, medium-value, high-value, etc.

Part of this involved detailed, end-to-end threat and vulnerability studies of the environments ... which eventually resulted in x9.59 financial transaction standard
http://www.garlic.com/~lynn/x959.html#x959

in much of the current infrastructure, knowing the account number is sufficient for a crook to perform a fraudulent transaction. We've tried using a number of metaphors to describe the current infrastructure (fixed by x9.59):

dual-use vulnerability metaphor

account number is required in a large number of different business processes and is required to be readily available. at the same time the account number has to be kept strictly confidential and never divulged to anybody (not even those needing it for business processes, since insiders have repeatedly been shown to be the major source of identity theft). we've claimed that even if the planet was buried under miles of information hiding encryption, it wouldn't be sufficient to prevent information leakage.

security proportional to risk metaphor

to the merchant, knowledge of the account number is worth some percent of the profit off the transaction; that same knowledge for the crook is worth the account balance/credit limit. as a result, the crook may be able to outspend the merchant by a factor of 100 attacking the system (compared to what the merchant can afford to spend protecting/defending it).

naked transaction metaphor

lots of naked transaction metaphor archived blog activity & posts
http://www.garlic.com/~lynn/subintegrity.html#payments

One of the biggest issues with x9.59 financial standard is that it enables commoditizing much of the payment transaction business

... being a single comprehensive protocol that is lightweight enough for very low-value transactions but with super strong integrity for very high-value transactions ... while also eliminating most of the current threats and vulnerabilities ... and applicable to all environments and types of payments.

For instance, x9.59 doesn't do anything about preventing all the data breaches that have been in the news over the past several years ... but it eliminates the threat of fraudulent transactions as a result of breaches (which also eliminates most of the crooks' motivation for making such breaches).

As an aside, the major use of SSL in the world today is associated with hiding transmitted financial transactions as part of electronic commerce. X9.59 eliminates the need to use SSL for that purpose.

also, part of addressing the ALL issue was coming up with parameterised risk management framework. the broad scope of parameterised risk management framework allows for things like the same exact infrastructure and transactions to support single-factor authentication for low-value transactions and multi-factor authentication for higher-value transactions (somewhat analogous to not requiring signatures for low-value credit transactions ... aka the same hardware token may easily be used both with & w/o PIN depending on transaction value)

Following from Kansas City fed discusses some of the issues:

Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.kansascityfed.org/Publicat/ECONREV/PDF/3q08Sullivan.pdf

This is a decade-old post mentioning the AADS chip strawman:
http://www.garlic.com/~lynn/aadsm2.htm#straw

although AADS chip work had started quite a bit earlier. AADS related discussions and patent references
http://www.garlic.com/~lynn/x959.html#aads

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
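
Added worked example (this is not code from the post, nor the X9.59 standard text) for the point made in this post and in the earlier "Privacy, Identity theft, account fraud" post: an authorizer in which the account number is the credential, beside one in which the bank only accepts transactions signed by the account holder's token and additionally requires the PIN factor above a value threshold, so that an account number learned from a breach, or a transaction captured in transit, is useless to a crook. The message layout, field names, the nonce-based replay check, the 50.00 threshold, the pin_entered flag asserted by the token inside the signed message, and the minimal Schnorr-over-secp256k1 signature are all assumptions of this example; it runs on the Python 3 standard library.

```python
# Added example (not from the post or the X9.59 standard): "naked" authorization,
# where knowing the account number is enough to spend, next to authorization that
# requires a signature from the account's registered token plus a PIN above a
# value threshold. Layout, field names, threshold and the hand-rolled curve code
# are assumptions; a real deployment uses a vetted library (e.g. Ed25519).
import hashlib
import secrets
from dataclasses import dataclass

# secp256k1 domain parameters (public constants); a real curve is used only so a forged signature cannot verify by chance.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (G[1] ** 2 - G[0] ** 3 - 7) % P == 0  # G lies on y^2 = x^3 + 7

def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if a == b: lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def keygen():
    """Private scalar never leaves the token; the bank stores only the public point."""
    x = secrets.randbelow(N - 1) + 1
    return x, _mul(x, G)

def _e(r, pub, msg):
    h = hashlib.sha256(r[0].to_bytes(32, "big") + pub[0].to_bytes(32, "big") + msg)
    return int.from_bytes(h.digest(), "big") % N

def sign(x, msg):
    """Schnorr signature (e, s) with s = k - x*e mod N."""
    pub, k = _mul(x, G), secrets.randbelow(N - 1) + 1
    e = _e(_mul(k, G), pub, msg)
    return e, (k - x * e) % N

def verify(pub, msg, sig):
    e, s = sig
    if not (0 <= e < N and 0 <= s < N): return False
    r = _add(_mul(s, G), _mul(e, pub))  # equals k*G only if the signer knew x
    return r is not None and _e(r, pub, msg) == e

@dataclass(frozen=True)
class Txn:
    account: str
    merchant: str
    amount_cents: int
    nonce: str         # unique per transaction, so a captured transaction cannot be replayed
    pin_entered: bool  # asserted by the token inside the signed message (assumption)

    def to_bytes(self):
        return f"{self.account}|{self.merchant}|{self.amount_cents}|{self.nonce}|{int(self.pin_entered)}".encode()

def naked_authorize(balances, txn):
    """Today's model as the post describes it: the account number is the credential."""
    if balances.get(txn.account, 0) < txn.amount_cents: return False
    balances[txn.account] -= txn.amount_cents
    return True

class SignedAuthorizer:
    PIN_THRESHOLD_CENTS = 50_00  # assumed policy: one factor below, two factors above

    def __init__(self, accounts):  # {account: [balance_cents, public_point]}; leaking this yields nothing to spend with
        self.accounts, self.seen = accounts, set()

    def authorize(self, txn, sig):
        rec = self.accounts.get(txn.account)
        if rec is None or not verify(rec[1], txn.to_bytes(), sig): return False  # not signed by the account's token
        if (txn.account, txn.nonce) in self.seen: return False                    # replay of a captured transaction
        if txn.amount_cents > self.PIN_THRESHOLD_CENTS and not txn.pin_entered: return False  # second factor needed
        if rec[0] < txn.amount_cents: return False
        self.seen.add((txn.account, txn.nonce))
        rec[0] -= txn.amount_cents
        return True

def demo():
    """Constructed scenario: a crook learned account 4111-0001's number from a breach."""
    acct, (x, pub) = "4111-0001", keygen()
    bank = SignedAuthorizer({acct: [100_00, pub]})
    crook_x, _ = keygen()  # the crook owns a token too, just not the victim's
    legit = Txn(acct, "grocer", 20_00, "n1", False)
    crook = Txn(acct, "crook-shop", 50_00, "n2", True)
    big_nopin = Txn(acct, "jeweller", 80_00, "n3", False)
    big_pin = Txn(acct, "jeweller", 80_00, "n4", True)
    legit_sig = sign(x, legit.to_bytes())
    return {
        "naked_crook_paid": naked_authorize({acct: 100_00}, crook),
        "signed_legit_ok": bank.authorize(legit, legit_sig),
        "signed_replay_rejected": not bank.authorize(legit, legit_sig),
        "signed_crook_rejected": not bank.authorize(crook, sign(crook_x, crook.to_bytes())),
        "signed_big_no_pin_rejected": not bank.authorize(big_nopin, sign(x, big_nopin.to_bytes())),
        "signed_big_with_pin_ok": bank.authorize(big_pin, sign(x, big_pin.to_bytes())),
    }
```

demo() returns one entry per case, all True: the crook's transaction clears the naked authorizer but not the signed one, a replay of the legitimate signed transaction is refused, the 80.00 purchase is refused without the PIN factor and accepted with it. The table the bank keeps holds only public points, which is what makes a breach of it (or of any merchant's transaction log) worthless for account fraud; the signing key exists only inside the token.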

Global Melt Down

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Global Melt Down
Date: October 25, 2008
Blog: Corporate Governance
business school article from last spring estimated that approximately 1000 executives are responsible for 80% of the current crisis and that it would go a long way to solving the problem if the gov. could find a way for them to lose their jobs.

there are several individual different greed & corruption "centers" that have been known for some time.

for instance, recent quote:
Best practice transfer pricing calculations would have made it clear that neither Bear Stearns nor Lehman Brothers had more than a marginal chance of survival when funding 30 year sub-prime mortgage loans with thirty day borrowings.

...

San Fran FED article from 2000 discussing short/long mismatch problems.
http://www.frbsf.org/economic-research/publications/economic-letter/2000/september/short-term-international-borrowing-and-financial-fragility/

article from last year about many financial institutions carrying such transactions offbalance (and may still be lurking):
http://www.forbes.com/2007/11/13/citigroup-suntrust-siv-ent-fin-cx_bh_1113hamiltonmatch.html

Toxic CDOs had been used two decades ago during the S&L crisis to obfuscate underlying value and offload for higher than their worth.

The GAO has been doing database of increasing number of public company financial statements being restated (in spite of SOX). Basically statements are inflated to increase executive bonuses. Later, statements may be restated but bonuses aren't forfeited. Example was freddie was fined $400M in 2004 for $10B statement inflation and the CEO replaced ... but allowed to keep tens (hundred?) of millions.

illegal short sales are commonplace but not prosecuted:

CRAMER REVEALS A BIT TOO MUCH
http://nypost.com/2007/03/20/cramer-reveals-a-bit-too-much/

then there is ...

The Fed's Too Easy on Wall Street
http://www.businessweek.com/stories/2008-03-19/the-feds-too-easy-on-wall-streetbusinessweek-business-news-stock-market-and-financial-advice

from above:
Here's a staggering figure to contemplate: New York City securities industry firms paid out a total of $137 billion in employee bonuses from 2002 to 2007, according to figures compiled by the New York State Office of the Comptroller. Let's break that down: Wall Street honchos earned a bonus of $9.8 billion in 2002, $15.8 billion in 2003, $18.6 billion in 2004, $25.7 billion in 2005, $33.9 billion in 2006, and $33.2 billion in 2007.

... snip ...

presumably part of the $700B wallstreet bailout will be used to replenish the $137B taken out of the infrastructure (as reward for their part in creating the current situation).

Regulation repeal and relaxation of regulation enforcement contributed to the different sources of greed and corruption starting to interact in systemic ways.

Greenspan, Cox tell Congress that bad data hurt Wall Street's computer models
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117961

somewhat glosses over whether or not it was done on purpose ...

How Wall Street Lied to Its Computers
http://bits.blogs.nytimes.com/2008/09/18/how-wall-streets-quants-lied-to-their-computers/
Subprime = Triple-A ratings? or 'How to Lie with Statistics' (gone 404 but lives on at the wayback machine)
https://web.archive.org/web/20071111031315/http://www.bloggingstocks.com/2007/07/25/subprime-triple-a-ratings-or-how-to-lie-with-statistics/

There was a guest on CSPAN recently who said that in the congressional session that repealed Glass-Steagall (Glass-Steagall had been passed in the wake of the '29 crash to keep the risky unregulated investment banking separate from the safety&soundness of regulated banking), the financial industry had contributed $250m to congress. PBS program on the subject:

The Wall Street Fix
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/

They also mentioned that in the most recent session that passed the $700B wallstreet bailout, the financial industry contributed $2B to congress (with those that voted for the bill receiving 45% more than those that voted against)

A couple weeks ago, one of the TV business news shows had a guest from one of the credit rating agencies on to discuss downrating of some companies. The host spent quite a bit of the time attempting to get the guest to take responsibility for the current crisis.

Poor Performance of Credit Rating Agencies
http://accounting.smartpros.com/x60011.xml

from above:
December 2007 Soon after Merrill Lynch disclosed its $8.4 billion write-down because of problems with collateralized debt obligations (CDOs) and other financial instruments relating to subprime mortgages, the credit rating agencies started downgrading the securities. But, this is like the proverbial soldier who watches a raging battle from afar; when the war is over, he proceeds to bayonet the wounded.

... snip ...

jan2003 SEC report

Report on the Role and Function of Credit Rating Agencies in the Operation of the Securities Markets; As Required by Section 702(b) of the Sarbanes-Oxley Act of 2002
http://www.sec.gov/news/studies/credratingreport0103.pdf

there were discussions in the recent congressional credit rating hearings that the SEC over the years repeatedly failed to provide any oversight/enforcement regarding rating agency operation.

there was also testimony that both issuers and the rating agencies knew that the toxic CDOs weren't worth triple-A ratings but the issuers were paying the rating agencies to give them triple-A ratings anyway and that amounted to fraud (collusion?, conspiracy?; triple-A ratings greatly expanded the market for toxic CDOs and allowed unregulated mortgage originators to unload any kind of mortgage, eliminating motivation to pay attention to loan quality).

hearings discussed scenario where ratings agencies might blackmail federal gov. into privatizing social security by threatening to downgrade the gov's triple-A rating (value could disappear into wallstreet like other retirement plans). then example was given where rating agencies had done something analogous to some companies.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Do you believe a global financial regulation is possible?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Do you believe a global financial regulation is possible?
Date: October 25, 2008
Blog: Financial Regulation
testimony at recent congressional hearings mentioned aligning business processes.

testimony was that both issuers and rating agencies knew that toxic CDOs weren't worth triple-A rating but that the issuers were paying the rating agencies for the triple-A rating ... which amounts to fraud.

there were comments that in the '70s, the rating agencies changed from the buyers paying for the ratings ... to the issuers paying for the ratings (as a means of increasing the brand monetizing) ... which resulted in mis-aligning the business interests.

there is huge amount of greed and corruption ... when the rating agencies and buyers are aligned to prevent seller fraud ... things are somewhat self-regulating. It is when rating agencies become aligned with (paid by) the seller ... that the business interests are out of alignment and opportunity for fraud increases significantly .... greatly increasing the requirement for external regulation.

Similarly, Glass-Steagall was repealed in the late 90s ... Glass-Steagall was passed in the aftermath of the '29 crash to keep the unregulated, risky investment banking separate from safety&soundness of regulated banking. With that separation removed, the regulatory issues increased enormously. PBS investigation into repeal of Glass-Steagall:

The Wall Street Fix
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/

A recent guest on CSPAN said that the financial industry contributed $250m to congress during the session that repealed Glass-Steagall and that in the most recent session (passing $700B wallstreet bailout), the financial industry contributed $2B (supposedly those that voted for the bill received an avg. of 45% more than those voting against).

GAO is building a database of the increasing number of public companies restating their financials. Basically statements are inflated to increase executive bonuses. Later statements may be restated but bonuses aren't forfeited. Example was Freddie was fined $400m in 2004 for $10B statement inflation and the CEO replaced ... but allowed to keep tens (hundred?) of millions.

There is recent published study of 270(?) some public companies that redid their executive compensation plan after having problems with financial statements and executive bonuses. Supposedly executive compensation has been changed to be much more closely aligned with the health and well being of the corporation ... and as a result the companies are performing much better.

Last spring, one of the business schools had an article that approx. 1000 executives are responsible for 80% of the current crisis and it would go a long way to fixing the situation if the gov. could figure out how they could lose their jobs.

Unregulated mortgage originators being able to unload an unlimited number of subprime loans as triple-A rated toxic CDOs ... lost any motivation to pay attention to loan quality (again business process misaligned by being able to pay rating agencies for triple-A ratings).

With business processes misaligned and no self-interest to do the "right thing", the requirement for external regulation increases enormously.

There is BIS
http://www.bis.org/index.htm
and wiki page:
https://en.wikipedia.org/wiki/Bank_for_International_Settlements

and the current "basel II"
https://en.wikipedia.org/wiki/Basel_II

Basel accords have had quantitative sections for some time. Early drafts of Basel II had a new qualitative section ... which was largely eliminated during the review process .... there were some caustic comments about it not really being necessary to demonstrate that they knew what they were doing ... as long as they could follow the formulas by rote.

There were similar comments in the wake of S&L crisis that in heavily regulated environment .... the institutions can become dominated by people just going thru the motions by rote (w/o having to know what they were doing). Then if regulations were ever relaxed or removed ... they are totally adrift (since they have no concept of why they were doing what they were doing).

This is one of the benefits behind trying to have business processes properly aligned ... so that people would be doing the right thing because it was in their best interest (as opposed to being mandated by regulations).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Strings story

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Strings story
Newsgroups: alt.folklore.computers
Date: Tue, 28 Oct 2008 09:48:18 -0400
Walter Bushell <proto@panix.com> writes:
s/will *never* work*/will appear to work, but fail at the most inopportune times and open you to identity theft/

A little more topic drift, following from Kansas City FED:

Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.kansascityfed.org/Publicat/ECONREV/PDF/3q08Sullivan.pdf

above references x9.59 financial standard protocol, also referenced here
http://www.garlic.com/~lynn/x959.html#x959

some of the issues discussed in this answer:
http://help.linkedin.com/app/answers/detail/a_id/35227
also archived here:
http://www.garlic.com/~lynn/2008p.html#7 Dealing with the neew MA ID protection law

This is decade old post mentioning AADS chip strawman:
http://www.garlic.com/~lynn/aadsm2.htm#straw

although AADS chip work had started quite a bit earlier. AADS related discussions
http://www.garlic.com/~lynn/x959.html#aads

and patent references
http://www.garlic.com/~lynn/aadssummary.htm

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: October 28, 2008
Blog: Payment and Fraud Professional
Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.kansascityfed.org/Publicat/ECONREV/PDF/3q08Sullivan.pdf

above references x9.59 financial standard protocol, also referenced here
http://www.garlic.com/~lynn/x959.html#x959

some of the issues discussed in this answer:
http://help.linkedin.com/app/answers/detail/a_id/35227
also archived here:
http://www.garlic.com/~lynn/2008p.html#7 Dealing with the neew MA ID protection law

This is decade old post mentioning AADS chip strawman:
http://www.garlic.com/~lynn/aadsm2.htm#straw

although AADS chip work had started quite a bit earlier. AADS related discussions
http://www.garlic.com/~lynn/x959.html#aads

and patent references
http://www.garlic.com/~lynn/aadssummary.htm

and another recent related discussion:
http://www.garlic.com/~lynn/2008p.html#5 Privacy, Identity theft, account fraud

Major payment chip card started to be introduced in Europe in the late 90s ... which continued through this decade in many parts of the world (including large deployment in US NE in the early part of this decade). Almost immediately after the introduction in Europe, the YES CARD exploit appeared ... lots of past discussions
http://www.garlic.com/~lynn/subintegrity.html#yescard

The YES CARD scenario used effectively the same technology that was being used for skimming magstripe information ... but loaded into counterfeit chip. The counterfeit chip costs were a few cents more than counterfeit magstripe ... but the degree of the resulting fraud was immensely greater (the fraud ROI for YES CARD significantly increased)

The YES CARD label came from a counterfeit card always answering YES to the questions from the terminal: 1) was the correct PIN entered (always answered YES)?, 2) should the transaction be done offline (always answered YES)?, and 3) is the transaction within the account credit limit (always answered YES)?. Skimming for counterfeit YES CARD was actually simpler than PIN-DEBIT magstripe card, since there was no requirement to also skim the PIN.

In the magstripe scenario ... fraud countermeasures included the ability to deactivate the account. In the YES CARD scenario, since the counterfeit card always told the terminal that it was an offline transaction, there was no way of finding out that the account had been deactivated.

As an aside, countermeasures for the YES CARD kind of exploit was standard part of the x9.59 financial standard work from the mid-90s.

The x9.59 financial standard work was done in the x9a10 financial standard working group, which in the mid-90s, had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments. This is ALL retail, as in ALL credit, debit, stored-value, check, ACH, etc; as in ALL POS, internet, unattended, face-to-face, mobile, transit, contract, contactless, etc; and as in ALL low-value, medium-value, high-value, etc.

We had semi-facetiously joked in the mid-90s, that we would take a $500 milspec part and aggressively cost reduce by 2-3 orders of magnitude while increasing the security. Very quickly we had a chip that was less expensive than the least secure chip on the market but more secure than the most expensive chip on the market.

One of the lingering problems was that there was a consumer financial chipcard introduction in the early part of this decade. Attempting to improve the uptake, they were giving away PC card readers. These card readers resulted in horrible consumer installation problems (blue screen of death, having to completely re-install operating system, etc). In the wake of that disaster, there was a rapidly spreading opinion that chipcards weren't practical in the consumer market ... resulting in lots of card programs evaporating. That appeared to have also been a major issue in the EU FINREAD effort appearing to evaporate. misc. past posts mentioning EU FINREAD standard
http://www.garlic.com/~lynn/subintegrity.html#finread

The whole situation is an example of ephemeral institutional knowledge. Detailed after action reviews of the disaster identified nearly all of the problems dealing with PC card reader being a serial port device. In the mid-90s, there were a number of presentations about motivation behind migration of the 80s online banking implementations to the internet. A major issue behind the migration was enormous support problems dealing with serial port dial-up modems ... some banks claiming that they had library of more than 60 different (serial-port) dial-up modem drivers as part of supporting online banking. With migration of online banking to internet ... all of these support issues were offloaded to internet service providers. Significant problems with serial port infrastructure contributed to introduction of USB.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
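
The terminal decision flow described in the post above (three card answers trusted outright, and offline approval so the issuer never sees the deactivation) as an added toy model; it is not code from the post, from x9.59, or from any EMV implementation. The PAN, the per-card key, the offline floor and the HMAC stand-in for the card's signature are constructed assumptions (real dynamic data authentication uses issuer-certified RSA keys). The point it shows is the mitigation side: once the terminal demands a fresh signed challenge, or the transaction goes online, a chip that merely says YES is declined.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample data: a hypothetical PAN and the per-card key the issuer
# personalised into the genuine chip. Nothing here is a real account.
PAN = "4000-0000-0000-0002"
ISSUER_KEYS = {PAN: b"constructed-per-card-key-0002"}


def card_mac(key: bytes, pan: str, challenge: bytes) -> bytes:
    """HMAC stand-in for the card's signature over terminal-supplied data
    (EMV DDA uses an RSA key pair certified by the issuer; this toy uses a
    symmetric key so it runs with the standard library only)."""
    return hmac.new(key, pan.encode() + challenge, hashlib.sha256).digest()


@dataclass
class GenuineCard:
    pan: str
    pin: str
    key: bytes
    offline_floor: int = 50   # amounts at or above this are sent online
    available: int = 500      # remaining offline spending allowance

    def pin_ok(self, entered: str) -> bool:
        return hmac.compare_digest(self.pin, entered)

    def wants_offline(self, amount: int) -> bool:
        return amount < self.offline_floor

    def within_limit(self, amount: int) -> bool:
        return amount <= self.available

    def sign(self, challenge: bytes) -> bytes:
        return card_mac(self.key, self.pan, challenge)


class YesCard:
    """Counterfeit chip carrying only copied static data: it answers YES to
    the three terminal questions and has no key to answer a challenge."""

    def __init__(self, pan: str):
        self.pan = pan

    def pin_ok(self, entered: str) -> bool:
        return True

    def wants_offline(self, amount: int) -> bool:
        return True

    def within_limit(self, amount: int) -> bool:
        return True

    def sign(self, challenge: bytes) -> bytes:
        return bytes(32)   # junk: the clone never had the genuine key


class Issuer:
    def __init__(self, keys: dict, deactivated=()):
        self.keys = keys
        self.deactivated = set(deactivated)

    def verify(self, pan: str, challenge: bytes, sig: bytes) -> bool:
        # Verification material the issuer publishes to terminals; in EMV
        # this is the CA public-key chain, here the key table stands in.
        key = self.keys.get(pan)
        return key is not None and hmac.compare_digest(card_mac(key, pan, challenge), sig)

    def authorize(self, pan: str, amount: int, challenge: bytes, sig: bytes) -> str:
        # Only an online request lets the issuer apply the deactivation.
        if pan in self.deactivated:
            return "DECLINED: account deactivated"
        if not self.verify(pan, challenge, sig):
            return "DECLINED: bad cryptogram"
        return "APPROVED online"


def authorize(card, amount: int, entered_pin: str, issuer: Issuer,
              dynamic_auth: bool = False) -> str:
    """Terminal decision. With dynamic_auth=False the terminal trusts the
    card's three answers (the weakness YES CARD exploits). With
    dynamic_auth=True it first demands a fresh challenge signed with the
    card's key, so a clone's YES answers are never even consulted."""
    if dynamic_auth:
        challenge = os.urandom(8)
        if not issuer.verify(card.pan, challenge, card.sign(challenge)):
            return "DECLINED: dynamic authentication failed"
    if not card.pin_ok(entered_pin):
        return "DECLINED: PIN"
    if card.wants_offline(amount) and card.within_limit(amount):
        return "APPROVED offline"   # issuer never consulted
    challenge = os.urandom(8)
    return issuer.authorize(card.pan, amount, challenge, card.sign(challenge))


def demo() -> dict:
    """Scenarios from the post: the account was already deactivated after the
    skimming was noticed, yet the clone keeps getting offline approvals until
    the terminal requires dynamic authentication."""
    genuine = GenuineCard(PAN, "1234", ISSUER_KEYS[PAN])
    clone = YesCard(PAN)
    issuer = Issuer(ISSUER_KEYS, deactivated=[PAN])
    return {
        "genuine_small_sda": authorize(genuine, 20, "1234", issuer),
        "clone_wrong_pin_sda": authorize(clone, 20, "0000", issuer),
        "clone_wrong_pin_dda": authorize(clone, 20, "0000", issuer, dynamic_auth=True),
        "genuine_large_online": authorize(genuine, 100, "1234", issuer),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

The two knobs the detection story turns on are visible in `authorize`: the clone controls `wants_offline`, so without an online leg or a floor limit enforced by the terminal the deactivation is never consulted, and it cannot produce `sign(challenge)`, which is why a dynamic, terminal-chosen challenge (rather than static copied data) is the countermeasure.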

Discussions areas, private message silos, and how far we've come since 199x

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Discussions areas, private message silos, and how far we've come since 199x
Date: October 28, 2008
Blog: Greater IBM
previous posts in thread:
http://www.garlic.com/~lynn/2008o.html#49 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008o.html#54 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008o.html#61 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008o.html#63 Discussions areas, private message silos, and how far we've come since 199x

from long ago and far away:

Date: 7 June 1985, 15:44:33 EDT
From: somebody in raleigh
To: wheeler at sjr, somebody in rochester, somebody in burlington, and somebody at corporate networking

To those folks who expressed an interest in the IBM TeleCommunications Conference Facility:

We finally have a successful "launch". It was a little slow getting off the "pad", due mainly to my own fat-fingered interference in an otherwise smooth-working service machine. But now it is a reality.

IBMCOMM is mastered by TOOLS at RALVM. We have one shadow being set up at SJRVM, and others possibly in La Gaude and Yorktown.

TOOLS at RALVM is a TOOLSRUN 4 machine, and should respond to requests from TOOLS or TREQ EXECs and behave very like IBMVM and IBMPC. Our disk space currently is very limited, but if the conference becomes lively enough to require more, there will be little difficulty in justifying it here. Can't speak for the shadow(s), though.

Thanks for your interest and participation! Your expertise and your concerns are equally important to us. Our goal is to improve our TeleCommunicating products -- from the USER's point of view -- and you are the source of how we perceive that.

Thank you all again for your interest in IBMCOMM.

... snip ...

In the early & mid 80s, we were doing HSDT (high speed data transport) project (one of the reasons I named the project HSDT was to differentiate from communication) ... misc. old email related to HSDT
http://www.garlic.com/~lynn/lhwemail.html#hsdt
and various past posts mentioning HSDT:
http://www.garlic.com/~lynn/subnetwork.html#hsdt

and having periodic skirmishes with SNA organization; we weren't using SNA and were supporting T1 and higher speed links. some of the HSDT hardware was being built to spec by companies on the other side of the Pacific. The Friday before an HSDT business trip to the far east (not long after the above email), somebody from the SNA organization announced a new "high-speed" network related (IBMCOMM) computer conference that included the following definition:

low-speed       <9.6kbits
medium-speed    19.2kbits
high-speed      56kbits
very high-speed 1.5mbits

the following Monday, on the wall of a conference room in the far east:

low-speed       <20mbits
medium-speed    100mbits
high-speed      200-300mbits
very high-speed >600mbits

We were also working with various NSFNET backbone (operational precursor to modern internet) participants for T1 links ... and pushed hard for the T1 requirement in the NSFNET backbone RFP. Various internal politics then prevented us from bidding on the RFP. Attempting to help with the internal politics, the director of NSF wrote a letter, copying the CEO (even saying that what we/HSDT already had running was at least five years ahead of all other NSFNET bid submissions). That appeared to just aggravate the internal politics. misc. past emails related to NSFNET backbone:
http://www.garlic.com/~lynn/lhwemail.html#nsfnet
and various past posts mentioning NSFNET
http://www.garlic.com/~lynn/subnetwork.html#nsfnet

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

"Telecommunications" from '85

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: "Telecommunications" from '85
Newsgroups: alt.folklore.computers
Date: Wed, 29 Oct 2008 10:26:35 -0400
x-post from linkedin greater ibm blog:
http://www.garlic.com/~lynn/2008p.html#12 Discussions areas, private message silos, and how far we've come since 199x

previous posts in thread:
http://www.garlic.com/~lynn/2008o.html#49 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008o.html#54 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008o.html#61 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008o.html#63 Discussions areas, private message silos, and how far we've come since 199x

from long ago and far away:

Date: 7 June 1985, 15:44:33 EDT
From: somebody in raleigh
To: wheeler at sjr, somebody in rochester, somebody in burlington, and somebody at corporate networking

To those folks who expressed an interest in the IBM TeleCommunications Conference Facility:

We finally have a successful "launch". It was a little slow getting off the "pad", due mainly to my own fat-fingered interference in an otherwise smooth-working service machine. But now it is a reality.

IBMCOMM is mastered by TOOLS at RALVM. We have one shadow being set up at SJRVM, and others possibly in La Gaude and Yorktown.

TOOLS at RAL is a TOOLSRUN 4 machine, and should respond to requests from TOOLS or TREQ EXECs and behave very like IBMVM and IBMPC. Our disk space currently is very limited, but if the conference becomes lively enough to require more, there will be little difficulty in justifying it here. Can't speak for the shadow(s), though.

Thanks for your interest and participation! Your expertise and your concerns are equally important to us. Our goal is to improve our TeleCommunicating products -- from the USER's point of view -- and you are the source of how we perceive that.

Thank you all again for your interest in IBMCOMM.

... snip ...

In the early & mid 80s, we were doing HSDT (high speed data transport) project (one of the reasons I named the project HSDT was to differentiate from communication) ... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#hsdt

and having periodic skirmishes with SNA organization; we weren't using SNA and were supporting T1 and higher speed links. some of the HSDT hardware was being built to spec by companies on the other side of the Pacific. The Friday before an HSDT business trip to the far east (not long after the above email), somebody from the SNA organization announced a new "high-speed" network related (IBMCOMM) computer conference that included the following definition:

low-speed       <9.6kbits
medium-speed    19.2kbits
high-speed      56kbits
very high-speed 1.5mbits

the following Monday, on the wall of a conference room in the far east:

low-speed       <20mbits
medium-speed    100mbits
high-speed      200-300mbits
very high-speed >600mbits

We were also working with various NSFNET backbone (precursor to modern internet) participants for T1 links ... and pushed hard for the T1 requirement in the NSFNET backbone RFP. Various internal politics then prevented us from bidding on the RFP. Attempting to help with the internal politics, the director of NSF wrote a letter, copying the CEO (even saying that what we/HSDT already had running was at least five years ahead of all other NSFNET bid submissions). That appeared to just aggravate the internal politics. misc. past emails related to NSFNET backbone:
http://www.garlic.com/~lynn/lhwemail.html#nsfnet
and various past posts mentioning NSFNET
http://www.garlic.com/~lynn/subnetwork.html#nsfnet

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: October 29, 2008
Blog: Payment and Fraud Professional
re:
http://www.garlic.com/~lynn/2008p.html#11 Can Smart Cards Reduce Payments Fraud and Identity Theft?

Note in the YES CARD scenario ... there is an issue whether the chip supports "static data authentication" (SDA) or "dynamic data authentication" (DDA).
http://www.garlic.com/~lynn/subintegrity.html#yescard

We had been asked to consult with a small client/server startup that wanted to do payment transactions on their servers and they had this technology they had invented called SSL they wanted to use. Part of the deployment included something called the payment gateway .... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

The result is now frequently referred to as electronic commerce

Then in the mid-90s, we were asked to participate in x9a10 financial standard working group, which had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments. This is ALL retail, as in ALL credit, debit, stored-value, check, ACH, etc; as in ALL POS, internet, unattended, face-to-face, mobile, transit, contract, contactless, etc; and as in ALL low-value, medium-value, high-value, etc.

Part of this involved detailed, end-to-end threat and vulnerability studies of the environments ... which eventually resulted in x9.59 financial transaction standard.

ALL included things like X9.59 being light-weight enough to be used in transit gate and mobile operation ... but secure enough that it handles the highest value transactions. It also had to eliminate vulnerabilities ... including data breaches and skimming.

Possibly part of the issue with X9.59 financial standard from the mid-90s appeared that with a single, very light-weight, super-secure transaction that was applicable to ALL kinds of payments, ALL kinds of payment values, ALL environments, and addressed majority of threats and vulnerabilities ... that it significantly commoditized payment transactions.

The major use of SSL in the world today is for hiding transaction information for this thing we worked on, that is now frequently called electronic commerce, as countermeasure to eavesdropping and replay attacks. Part of X9.59 financial standard was slightly tweaking the paradigm that eliminated the threat of crooks using information from skimming and data breaches for fraudulent transactions. As a side-effect, X9.59 also eliminates the major use of SSL in the world today.

4-5 yrs ago at one of the payment conferences there was a presentation on the YES CARD vulnerabilities. One of the people from the audience got up and commented about "they" having spent billions of dollars to prove that chipcards are less secure than magstripe cards.

The other (non-standard, non-x9a10 financial working group) payment transactions efforts from the mid-90s period had been narrowly focused, point solutions. As a result, over the years they have tended to substitute expensive trial&error deployments for comprehensive understanding and end-to-end threat and vulnerability studies.

recent reference (account fraud for David related to checks that he wrote for errata):

Donald Knuth stops paying for errata
http://www-cs-faculty.stanford.edu/~uno/news08.html

from above:
Financial Fiasco

Leading banks and investment funds have been foundering, because of bad debts and lack of trust; and other, less well-known kinds of fiscal chaos are also on the horizon. For example, due to an unfixable security flaw in the way funds are now transferred electronically, worldwide, it is no longer safe to write personal checks.


... snip ...

copied from response to some skepticism in one of the fraud groups ...

now, it is true that many in the smartcard industry over the past couple decades have gotten the reputation of showing up claiming smartcards are the answer ... even before finding out what the requirements are.

in the x9.59 scenario ... we had spent a great deal of time looking at detailed, end-to-end threats & vulnerabilities ... and designing a protocol that satisfies those requirements.

the smartcard part is somewhat more what people are familiar with ... a hardware implementation part of the solution can be done in 20,000 circuits, extremely short elapsed time (few tens of milliseconds) and very, very low power requirements. it would be possible to do a separate chip (somewhat akin to UPC/EPC RFID chips) or embedded circuits in small part of some larger chip. as a separate chip it could be packaged in a large number of different ways ... not just limited to traditional smartcard form factor.

i was part of assurance panel at intel developer's forum in TPC (trusted computing) track. I happened to comment that it was nice to see that the TPM definition had started to look more & more like the simpler (KISS) AADS chip strawman over the previous couple years. The person running TPC was in the front row and quipped back that I didn't have a committee of 200 people helping me with the design.

misconception about two sides ... there have been long litany of failed &/or aborted smartcard efforts over the past 15-20 yrs ... large percentage of reasons not having to do directly with smartcards; frequently cause was lack of understanding of smartcards and/or requirements. we've had to do postmortem on some number, although sometimes we were on the frontend. one case in mid-90s major euro, stored-value smartcard was looking at penetration of US market ... we were asked to design & cost dataprocessing operations to support deployment. We couldn't come up with numbers that would justify the deployment.

there is this web page about presentation discussing YES CARD at Cartes 2002
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

from above:
It was stated that cloning an EMV card is a relatively simple task, with all the necessary information and equipment available on the Internet.

... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: October 29, 2008
Blog: Smart Cards Group
re:
http://www.garlic.com/~lynn/2008p.html#11
http://www.garlic.com/~lynn/2008p.html#14

and related:
http://www.garlic.com/~lynn/2008p.html#5 Privacy, Identity theft, account fraud

The above references several of the issues raised ... including failed attempts over the last decade that have resulted in raising the barrier to entry.

We had been asked to consult with a small client/server startup that wanted to do payment transactions on their servers and they had this technology they had invented called SSL they wanted to use. Part of the deployment included something called the payment gateway .... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

The result is now frequently referred to as electronic commerce

Then in the mid-90s, we were asked to participate in x9a10 financial standard working group, which had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments. This is ALL retail, as in ALL credit, debit, stored-value, check, ACH, etc; as in ALL POS, internet, unattended, face-to-face, mobile, transit, contract, contactless, etc; and as in ALL low-value, medium-value, high-value, etc.

Part of this involved detailed, end-to-end threat and vulnerability studies of the environments ... which eventually resulted in x9.59 financial transaction standard.

ALL included things like X9.59 being light-weight enough to be used in transit gate and mobile operation ... but secure enough that it handles the highest value transactions. It also had to eliminate vulnerabilities ... including data breaches and skimming.

Possibly part of the issue with X9.59 financial standard from the mid-90s appeared that with a single, very light-weight, super-secure transaction that was applicable to ALL kinds of payments, ALL kinds of payment values, ALL environments, and addressed majority of threats and vulnerabilities ... that it significantly commoditized payment transactions.

The major use of SSL in the world today is for hiding transaction information (for this earlier effort we worked on), as countermeasure to eavesdropping and replay attacks. Part of X9.59 financial standard was slightly tweaking the paradigm that eliminated the threat of crooks using information from skimming and data breaches for fraudulent transactions. As a side-effect, X9.59 also eliminates the major use of SSL in the world today.

The other (non-standard, non-x9a10 financial working group) payment transactions efforts from the mid-90s period had been narrowly focused, point solutions. As a result, over the years they have tended to substitute expensive trial&error deployments for comprehensive understanding and end-to-end threat and vulnerability studies.

Also as part of meeting the ALL requirement was

parameterised risk management framework

parameterised risk management framework was created ... trivial example is that the same exact hardware token could be used both with & without PIN ... possibly based on transaction value (or other risk factors), somewhat in manner similar to not requiring signatures for low-value credit transactions.

person-centric paradigm

Quite a bit of time was spent investigating what were all the inhibitors preventing transitioning from an "institutional-centric" hardware token paradigm (each institution issues their own hardware token) ... to a person-centric hardware token paradigm ... aka what issues had to be addressed in order for gov. agencies to accept a person's token as an authentication device (physical access, computer access, etc) ... or any number of financial institutions to accept a person's token as an authentication device (financial transactions across a broad range of values, online banking access, etc).

With respect to past failed deployments, I went around to possibly half the booths at the 2001 annual smartcard conference ... asking the people 1) if they were aware there was a rapidly spreading opinion that smartcards weren't practical in the consumer market and 2) what were the reasons for #1.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Blinkenlights

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Blinkenlights
Newsgroups: alt.folklore.computers
Date: Wed, 29 Oct 2008 19:07:02 -0400
John Varela <OLDlamps@verizon.net> writes:
Can you get a solid-core door that doesn't have imitation paneling? I suppose so, if that's your plan. I don't think I've ever seen one.

I made a kitchen table out of a hollow-core door about 40 years ago, and it's still doing service in the garage even after having been hit by a car, an incident too painful to recall.


the science center
http://www.garlic.com/~lynn/subtopic.html#545tech

long ago, and far away (>35yrs ago, but less than 40), made a desk out of solid/heavy fir door (over two 2-drawer file cabinets). I think it was kept around, just to remind me.

I was used to working on weekends late at night, dedicated time alone in the machine room ... and periodically would need to get backup tapes out of the tape library (effectively an office within the machine room, taken over with tape storage racks).

one weekend, the door to the tape library was locked ... and I had been up for a while ... so didn't feel like going over the false ceiling ... so I kicked the door (once) ... and it split top to bottom ... along the edge intersecting the door knob hole.

turns out that wasn't the only problem ... they had moved the tape library to another room ... and replaced the tapes with employee personnel records.

misc. past posts mentioning kicking the door:
http://www.garlic.com/~lynn/2002m.html#15 What is microcode?
http://www.garlic.com/~lynn/2005d.html#31 The Mainframe and its future.. or furniture
http://www.garlic.com/~lynn/2006g.html#42 Old PCs--environmental hazard

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Open Source, Unbundling, and Future System

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Open Source, Unbundling, and Future System
Date: October 28, 2008
Blog: Global IBM Connection
re:
http://www.garlic.com/~lynn/2008o.html#66 Open Source, Unbundling, and Future System

About a decade ago I ran into a former Perkin/Elmer salesman who had sold a lot of boxes to NASA and other gov. agencies. Perkin/Elmer had bought Interdata and was selling a descendant of the clone controller box that had been developed at the university when I was an undergraduate. In further discussions, the salesman commented that the "wire-wrap" channel interface board possibly had never been redone (effectively hadn't changed since my undergraduate days).

In that same period, I had a tour of one of the major merchant/acquiring (mainframe) datacenters. They had one of these Perkin/Elmer controller boxes handling dialup POS (point-of-sale) incoming calls (large number of dialup card swipe terminals found at retail establishments around the country).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: October 30, 2008
Blog: Smart Cards Group
re:
http://www.garlic.com/~lynn/2008p.html#15 Can Smart Cards Reduce Payments Fraud and Identity Theft?

attached is copied from similar discussion in one of the linkedin fraud groups.

Note that the experience of the dialup online banking transition to the internet influenced the motivation for all the work on the person-centric paradigm for smartcards. We had made semi-facetious comments that we would do aggressive cost reduction of 2-3 orders of magnitude per smartcard. Then (if the hardware token paradigm were to ever catch on), person-centric would further reduce the number of smartcards by a factor of 100 (compared to the institutional-centric paradigm where a person was provided a hardware token in lieu of every password, PIN, and/or key). The aggregate infrastructure cost savings (for the person-centric paradigm) could then be between 10,000 and 100,000 times (i.e. 100 times reduction in number of hardware tokens multiplied by 2-3 orders of magnitude reduction in per token cost).

Another part of the experience of migration to internet ... was that the internet effectively obsoleted all the "value-added" networks that grew up in the 70s & 80s (although a few continue to linger on).

As noted, the lessons learned from the dial-up online banking migration to the internet (in large part serial port problems) seemed to have evaporated within a few years when the same exact problems were encountered attempting to give away a large number of serial-port smartcard readers.

re:
http://www.garlic.com/~lynn/2008p.html#11 Can Smart Cards Reduce Payments Fraud and Identity Theft?

... from above

One of the lingering problems was that there was a consumer financial chipcard introduction in the early part of this decade. Attempting to improve the uptake, they were giving away PC card readers. These card readers resulted in horrible consumer installation problems (blue screen of death, having to completely re-install the operating system, etc). In the wake of that disaster, there was a rapidly spreading opinion that chipcards weren't practical in the consumer market ... resulting in lots of card programs evaporating. That appeared to have also been a major issue in the EU FINREAD effort also appearing to evaporate. misc. past posts mentioning the EU FINREAD standard
http://www.garlic.com/~lynn/subintegrity.html#finread

The whole situation is an example of ephemeral institutional knowledge. Detailed after action reviews of the disaster identified nearly all of the problems as dealing with the PC card reader being a serial port device. In the mid-90s, there were a number of presentations about the motivation behind migration of the 80s online banking implementations to the internet. A major issue behind the migration was enormous support problems dealing with serial port dial-up modems ... some banks claiming that they had a library of more than 60 different (serial-port) dial-up modem drivers as part of supporting online banking. With migration of online banking to the internet ... all of these support issues were offloaded to internet service providers. Significant problems with the serial port infrastructure contributed to the introduction of USB.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: October 30, 2008
Blog: Financial Crime Risk, Fraud and Security
We had been called in to consult with a small client/server startup that wanted to do payment transactions on their server and they had this technology called SSL they had invented that they wanted to use. Part of that deployment was something called a payment gateway ... some past posts/references
http://www.garlic.com/~lynn/subnetwork.html#gateway

The result is now frequently referred to as electronic commerce. Some of the detailed threat and vulnerability studies identified that just "knowing" information from an existing transaction was typically sufficient for a crook to successfully perform fraudulent financial transactions. Furthermore, studies had shown that insiders have been involved in 70 percent of these kinds of identity theft. SSL was only going to hide transaction information while being transmitted on the internet ... and otherwise ... transaction information was going to appear at tens of millions of places all over the world. We asked for several countermeasures for this class of problem ... including detailed FBI background checks for every person associated with a payment transaction website everywhere in the world. There were some number of things that we mandated that were followed ... but we couldn't get the detailed FBI background check.

Then in the mid-90s, we were asked to participate in the x9a10 financial standard working group, which in the mid-90s had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments. This is ALL retail, as in ALL credit, debit, stored-value, check, ACH, etc; as in ALL POS, internet, unattended, face-to-face, mobile, transit, contract, contactless, etc; and as in ALL low-value, medium-value, high-value, etc.

Part of this involved (further) detailed, end-to-end threat and vulnerability studies of the environments ... which eventually resulted in the x9.59 financial transaction standard
http://www.garlic.com/~lynn/x959.html#x959

part of the x9.59 financial standard involved slightly tweaking the paradigm and eliminating the threats from eavesdropping, skimming, data breach, etc. x9.59 did nothing to eliminate eavesdropping, skimming, and/or data breaches .... but x9.59 tweaked the paradigm so that any information was useless for performing fraudulent transactions.

Note that the major use of SSL in the world today is for this thing we had earlier worked on, now frequently called electronic commerce ... as part of hiding the information. In effect, x9.59 results in eliminating the primary use of SSL in the world today ... since with x9.59 financial transactions, it is no longer necessary to hide the information (as countermeasure to preventing fraudulent financial transactions).

now, it is true that many in the smartcard industry over the past couple decades have gotten the reputation of showing up claiming smartcards are the answer ... even before finding out what the requirements are.

in the x9.59 scenario ... we had spent a great deal of time looking at detailed, end-to-end threats & vulnerabilities ... and designing a protocol that satisfies those requirements.

the smartcard part is somewhat more what people are familiar with ... a hardware implementation part of the solution can be done in 20,000 circuits, extremely short elapsed time (few tens of milliseconds) and very, very low power requirements. it would be possible to do a separate chip (somewhat akin to UPC/EPC RFID chips) or embedded circuits in small part of some larger chip. as a separate chip it could be packaged in a large number of different ways ... not just limited to traditional smartcard form factor.

i was part of assurance panel at intel developer's forum in TPC (trusted computing) track. I happened to comment that it was nice to see that the TPM definition had started to look more & more like the simpler (KISS) AADS chip strawman over the previous couple years. The person running TPC was in the front row and quipped back that I didn't have a committee of 200 people helping me with the design.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Donald Knuth stops paying for errata

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Donald Knuth stops paying for errata
Date: Thu, 30 Oct 2008 16:37:01 -0400
To: Perry E. Metzger <perry@xxxxxxxx>
CC: cryptography@xxxxxxxx
On 10/30/08 16:30, Perry E. Metzger wrote:
It seems that Donald Knuth had his bank accounts attacked not once but three times using his checking account number off of checks he sent out for bounties for flaws in his books and software, and is thus ending a practice of nearly 40 years. Rather sad.

I mark this as another milestone in the slow destruction of the idea that it is okay for an account number to be the secret used to effect payment in a transaction system.


http://www-cs-faculty.stanford.edu/~uno/news08.html


recent article from Kansas City Fed on the subject (including reference to x9.59 financial standard protocol):

Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.kansascityfed.org/Publicat/ECONREV/PDF/3q08Sullivan.pdf

some archived posts on the article from linkedin fraud & payment groups
http://www.garlic.com/~lynn/2008p.html#11
http://www.garlic.com/~lynn/2008p.html#14
http://www.garlic.com/~lynn/2008p.html#15
http://www.garlic.com/~lynn/2008p.html#18
http://www.garlic.com/~lynn/2008p.html#19

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Would you say high tech authentication gizmo's are a waste of time/money/effort?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Would you say high tech authentication gizmo's are a waste of time/money/effort?
Date: October 30, 2008
Blog: Information Security
Here is a recent article from Kansas City FED:

Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.kansascityfed.org/Publicat/ECONREV/PDF/3q08Sullivan.pdf

above references x9.59 financial standard protocol, also referenced here
http://www.garlic.com/~lynn/x959.html#x959

some of the issues discussed in this answer:
http://help.linkedin.com/app/answers/detail/a_id/35227
also archived here:
http://www.garlic.com/~lynn/2008p.html#7 Dealing with the neew MA ID protection law

This is decade old post mentioning AADS chip strawman:
http://www.garlic.com/~lynn/aadsm2.htm#straw

although AADS chip work had started quite a bit earlier. AADS related discussions
http://www.garlic.com/~lynn/x959.html#aads

and patent references
http://www.garlic.com/~lynn/aadssummary.htm

part of recent discussions related to the article in fraud, payment and smartcard groups archived here:
http://www.garlic.com/~lynn/2008p.html#11
http://www.garlic.com/~lynn/2008p.html#14
http://www.garlic.com/~lynn/2008p.html#15
http://www.garlic.com/~lynn/2008p.html#18
http://www.garlic.com/~lynn/2008p.html#19

and another recent reference (account fraud for Donald related to checks that he wrote for errata):

Donald Knuth stops paying for errata
http://www-cs-faculty.stanford.edu/~uno/news08.html

from above:
Financial Fiasco

Leading banks and investment funds have been foundering, because of bad debts and lack of trust; and other, less well-known kinds of fiscal chaos are also on the horizon. For example, due to an unfixable security flaw in the way funds are now transferred electronically, worldwide, it is no longer safe to write personal checks.


... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: October 30, 2008
Blog: Payments & Cards Network
Modifying POS terminals and/or ATM machines ... to record the information read by the terminal/machine reader dates back something like two decades. This skimming ... using a valid machine's normal reading process ... is then used to counterfeit magstripe cards.

The same technique was also used starting almost immediately with the first introduction of payment chip cards back in the 90s (basically identical technology that was already in place for recording magstripe information). The recorded chip information was then used to create counterfeit YES CARDS (dating back almost a decade).

Lots of past posts mentioning counterfeit YES CARDS
http://www.garlic.com/~lynn/subintegrity.html#yescards

The YES CARD exploit scenario was already well understood when we started on the x9.59 financial standard protocol in the mid-90s.

There was a presentation at an industry conference a couple years ago about YES CARDS being found in various markets. One of the members in the audience made a point of saying to the whole room ... that "they" have managed to spend billions of dollars to prove that chips are less secure than magstripe.

We had been brought in to consult with a small client/server startup that wanted to do payment transactions on their servers and they had this technology they had invented called SSL they wanted to use. Part of that deployment was something called payment gateway ... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

and is now frequently referred to as electronic commerce.

Part of calling us in ... was that two people responsible for the small client/server startup's "commerce server" project ... we had previously worked with earlier on high availability, high integrity, scalable database ... when they had been at a large database vendor ... minor old post mentioning a meeting in early 92, that included the two people
http://www.garlic.com/~lynn/95.html#13

Then in the mid-90s, we were asked to participate in the x9a10 financial standard working group, which had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments. This is ALL retail, as in ALL credit, debit, stored-value, check, ACH, etc; as in ALL POS, internet, unattended, face-to-face, mobile, transit, contract, contactless, etc; and as in ALL low-value, medium-value, high-value, etc.

Part of this involved detailed, end-to-end threat and vulnerability studies of the environments ... which eventually resulted in the x9.59 financial transaction standard
http://www.garlic.com/~lynn/x959.html#x959

part of the x9.59 financial standard involved slightly tweaking the paradigm and eliminating the threats from eavesdropping, skimming, data breach, etc. x9.59 did nothing to eliminate eavesdropping, skimming, and/or data breaches .... but x9.59 tweaked the paradigm so that any information was useless for performing fraudulent transactions.

Note that the major use of SSL in the world today is for this thing we had earlier worked on, now frequently called electronic commerce ... as part of hiding the information. In effect, x9.59 results in eliminating the primary use of SSL in the world today ... since with x9.59 financial transactions, it is no longer necessary to hide the information (as countermeasure to preventing fraudulent financial transactions).

Other things related to X9.59 being able to meet ALL of the ALL requirements .... we did a framework we called parameterised risk management that would allow x9.59 to operate as a consistent protocol across a broad range of values and security requirements.

other recently archived posts in some of the other fraud & smartcard groups
http://www.garlic.com/~lynn/2008p.html#18
http://www.garlic.com/~lynn/2008p.html#19

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
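The x9.59 property the post describes (a captured transaction record is useless for performing further transactions) together with the parameterised risk management framework it mentions (same token with and without PIN, keyed off transaction value), as an added example that is not part of the original post or of the X9.59 standard text. It assumes a model in which the account authority holds a public key registered to the account and the person's token signs each exact transaction; the account names, PIN, threshold and sequence-number scheme are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Transaction is the cleartext payment record. In the assumed model every
// field travels in the clear; nothing in it is a secret worth stealing.
type Transaction struct {
	Account string
	Payee   string
	Amount  uint64 // constructed unit: cents
	Seq     uint64 // per-account counter; a replayed record carries a stale Seq
}

// digest binds every field of the record into the value that is signed.
func (t Transaction) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d|%d", t.Account, t.Payee, t.Amount, t.Seq)))
	return h[:]
}

// Token stands in for the person's hardware token. The private key never
// leaves it; PINThreshold is the parameterised-risk knob from the post.
type Token struct {
	key          *ecdsa.PrivateKey
	pin          string
	PINThreshold uint64
}

func NewToken(pin string, pinThreshold uint64) (*Token, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{key: key, pin: pin, PINThreshold: pinThreshold}, nil
}

// PublicKey is the only key material that leaves the token; it is what
// each account authority registers (one token, many institutions).
func (tk *Token) PublicKey() *ecdsa.PublicKey { return &tk.key.PublicKey }

// Sign authorises one exact record. Below the threshold no PIN is needed
// (cf. no signature on low-value card transactions); at or above it the
// token refuses to sign without the correct PIN.
func (tk *Token) Sign(t Transaction, pin string) ([]byte, error) {
	if t.Amount >= tk.PINThreshold &&
		subtle.ConstantTimeCompare([]byte(pin), []byte(tk.pin)) != 1 {
		return nil, errors.New("token: PIN required for this transaction value")
	}
	return ecdsa.SignASN1(rand.Reader, tk.key, t.digest())
}

// Authority is an account-holding institution: registered public key per
// account plus the last sequence number it honoured.
type Authority struct {
	keys map[string]*ecdsa.PublicKey
	seq  map[string]uint64
}

func NewAuthority() *Authority {
	return &Authority{keys: map[string]*ecdsa.PublicKey{}, seq: map[string]uint64{}}
}

func (a *Authority) Register(account string, pub *ecdsa.PublicKey) { a.keys[account] = pub }

// Authorize accepts a record only if the registered key signed exactly these
// fields and the sequence number is fresh for this account.
func (a *Authority) Authorize(t Transaction, sig []byte) error {
	pub, ok := a.keys[t.Account]
	if !ok {
		return errors.New("authority: unknown account")
	}
	if !ecdsa.VerifyASN1(pub, t.digest(), sig) {
		return errors.New("authority: signature does not match this transaction")
	}
	if t.Seq <= a.seq[t.Account] {
		return errors.New("authority: replayed or stale sequence number")
	}
	a.seq[t.Account] = t.Seq
	return nil
}

func main() {
	tok, err := NewToken("4321", 10000) // constructed PIN; PIN demanded from $100.00 up
	if err != nil {
		panic(err)
	}
	bank := NewAuthority()
	bank.Register("acct-1", tok.PublicKey())
	tx := Transaction{Account: "acct-1", Payee: "merchant-7", Amount: 2599, Seq: 1}
	sig, _ := tok.Sign(tx, "")                        // low value, no PIN
	fmt.Println("genuine:", bank.Authorize(tx, sig))   // <nil>
	fmt.Println("replay: ", bank.Authorize(tx, sig))   // stale sequence number
	tx.Amount, tx.Seq = 999999, 2                     // skimmed record, edited
	fmt.Println("altered:", bank.Authorize(tx, sig))   // signature mismatch
}
```

Because the authority checks the signature and the counter rather than the secrecy of the record, the same captured bytes are rejected whether they were eavesdropped, skimmed or leaked from a database.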

Your views on the increase in phishing crimes such as the recent problem French president Sarkozy faces

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Your views on the increase in phishing crimes such as the recent problem French president Sarkozy faces.
Date: October 31, 2008
Blog: Information Security
Here is a recent article from Kansas City FED:

Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.kansascityfed.org/Publicat/ECONREV/PDF/3q08Sullivan.pdf

above references x9.59 financial standard protocol, also referenced here
http://www.garlic.com/~lynn/x959.html#x959

some of the issues discussed in this answer:
http://help.linkedin.com/app/answers/detail/a_id/35227
also archived here:
http://www.garlic.com/~lynn/2008p.html#7 Dealing with the neew MA ID protection law

This is decade old post mentioning AADS chip strawman:
http://www.garlic.com/~lynn/aadsm2.htm#straw

although AADS chip work had started quite a bit earlier. AADS related discussions
http://www.garlic.com/~lynn/x959.html#aads

and patent references
http://www.garlic.com/~lynn/aadssummary.htm

part of recent discussions related to the article in fraud, payment and smartcard groups archived here:
http://www.garlic.com/~lynn/2008p.html#11
http://www.garlic.com/~lynn/2008p.html#14
http://www.garlic.com/~lynn/2008p.html#15
http://www.garlic.com/~lynn/2008p.html#18
http://www.garlic.com/~lynn/2008p.html#19

and another recent reference (account fraud for Donald related to checks that he wrote for errata):

Donald Knuth stops paying for errata
http://www-cs-faculty.stanford.edu/~uno/news08.html

from above:
Financial Fiasco

Leading banks and investment funds have been foundering, because of bad debts and lack of trust; and other, less well-known kinds of fiscal chaos are also on the horizon. For example, due to an unfixable security flaw in the way funds are now transferred electronically, worldwide, it is no longer safe to write personal checks.


... snip ...

We had been brought in to consult with a small client/server company that wanted to do payment transactions on their servers and they had this technology they had invented called SSL they wanted to use. Part of that deployment was something called payment gateway ... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

and is now frequently referred to as electronic commerce.

Then in the mid-90s, we were asked to participate in the x9a10 financial standard working group, which had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments. This is ALL retail, as in ALL credit, debit, stored-value, check, ACH, etc; as in ALL POS, internet, unattended, face-to-face, mobile, transit, contract, contactless, etc; and as in ALL low-value, medium-value, high-value, etc.

Part of this involved detailed, end-to-end threat and vulnerability studies of the environments ... which eventually resulted in the x9.59 financial transaction standard
http://www.garlic.com/~lynn/x959.html#x959

part of the x9.59 financial standard involved slightly tweaking the paradigm and eliminating the threats from eavesdropping, skimming, data breach, phishing, etc. x9.59 did nothing to eliminate eavesdropping, skimming, and/or data breaches .... but x9.59 tweaked the paradigm so that any information was useless to crooks for performing fraudulent transactions.

Note that the major use of SSL in the world today is for this thing we had earlier worked on, now frequently called electronic commerce ... as part of hiding the information. In effect, x9.59 results in eliminating the primary use of SSL in the world today ... since with x9.59 financial transactions, it is no longer necessary to hide the information (as countermeasure to preventing fraudulent financial transactions).

Part of addressing ALL was the use of x9.59 for ALL retail transactions ... but also using the same mechanism/token for other authentication purposes. Two of the most widely used authentication mechanisms in the world today are Kerberos and RADIUS.

Kerberos was originally done by Project Athena, which was funded equally by two corporate entities for $25m each. Being at one of the entities at the time, we periodically did reviews of Project Athena. One such visit was getting to sit thru several days of Kerberos sessions as cross-domain Kerberos was being worked out. Not long ago, I sat through a detailed presentation on a large cross-domain SAML deployment ... and noticed that all the SAML messages & message flows appeared to actually be Kerberos ... with the bits reformatted. Lots of past posts mentioning Kerberos & AADS Kerberos:
http://www.garlic.com/~lynn/subpubkey.html#kerberos

I originally worked with RADIUS from the original vendor, setting up some of their router boxes. This was before AT&T bought them and RADIUS was donated to IETF for internet standard. Lots of past posts mentioning RADIUS & AADS RADIUS
http://www.garlic.com/~lynn/subpubkey.html#radius

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Why not build a shared services infrastructure to support the banking sector?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Why not build a shared services infrastructure to support the banking sector?
Date: October 31, 2008
Blog: Derivatives Markets
We did some consulting to the person originally setting up FSTC. In the early to mid 90s, there was a push for gov. technology re-use (commercializing gov. technology) and provisions were made for setting up collaborative industry organizations & relaxing anti-trust laws.

FSTC basically looks at various kinds of shared technology projects in the financial sector
http://www.fstc.org/

But there are still several issues with regard to anti-trust laws. Also, there are project areas that financial institutions deem to be "competitive" advantages ... which they still do solo.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

How do group members think the US payments business will evolve over the next 3 years?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: How do group members think the US payments business will evolve over the next 3 years?
Date: October 31, 2008
Blog: Payments Leadership Network
In the U.S., Visa Banks on Debit As Credit Growth Goes Negativ
http://www.digitaltransactions.net/newsstory.cfm?newsid=1966

A couple weeks ago there was discussion in the linkedin "Credit Card Professionals" group about whether "signature" or "pin" debit was superior.

Periodically, there is a couple hundred page publication that compares detailed sliced&diced numbers for avg. of leading regional financial institutions against leading national financial institutions.

A couple years ago it showed the regional institution avg with a higher profit margin (than the national institution avg). There was no analysis done on all the detailed sliced & diced numbers ... but after examination ... it turns out that regional institutions had a measurably higher percentage of "electronic" transactions vis-a-vis paper/manual transactions (compared to national institutions). The "electronic" transactions' fully loaded cost was 1/5th or less that of paper/manual .... which was the only statistically significant correlation accounting for the regional vis-a-vis national difference. The fully loaded processing cost per type of transaction was essentially the same for regional & national institutions .... it was the percentage mix between electronic vis-a-vis paper/manual that made the difference.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

What is the biggest IT myth of all time?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: What is the biggest IT myth of all time?
Date: October 31, 2008
Blog: Enterprise Architecture Network
In the 90s, financial institutions spent billions on projects using massive parallel killer micros and object oriented software technology ... in an attempt to address straight-through processing as part of eliminating the overnight batch window bottleneck.

Part of the issue was financial institutions had started with batch mainframe operations ... but in the 70s & 80s had partially gone to online operations ... at least for initial parts of the operation. However, the operations continued to be completed in batch operations that ran overnight. With a combination of increasing workload and globalization ... the length of the overnight batch window was shrinking at the same time the amount of work (that needed to be done) was increasing.

The holy grail was leveraging object oriented software for parallel operation on large numbers of "small" processors as part of implementing straight-through processing (and eliminating the overnight batch window).

Several toy demos were achieved but there was an astounding lack of investigation into actual speeds & feeds. It turned out that the object oriented parallelizing technologies had 100 times overhead increase (compared to the mainframe batch implementations) ... which totally swamped any anticipated throughput increase by the use of large numbers of (parallel) killer micros.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Father Of Financial Dataprocessing

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Father Of Financial Dataprocessing
Date: November 1, 2008
Blog: Payment Systems Network
The end of May, there was a gathering to celebrate Jim Gray. Part of that celebration involved acknowledging Jim Gray as father of (modern) financial dataprocessing (including enabling electronic payment transactions). Jim's formalizing of transaction semantics provided the basis that was crucial in allowing financial auditors to move from requiring paper ledgers to trusting computer operations.

I worked with Jim in the 70s; when he left for Tandem, he attempted to palm off his responsibilities on me ... and I started getting his calls from financial institutions. a couple recent posts on the subject:
http://www.garlic.com/~lynn/2008i.html#50 Microsoft versus Digital Equipment Corporation
http://www.garlic.com/~lynn/2008l.html#88 Book: "Everyone Else Must Fail"
http://www.garlic.com/~lynn/2008p.html#6 SECURITY and BUSINESS CONTINUITY

Tribute press release:
http://web.archive.org/web/20080616153833/http://www.eecs.berkeley.edu/IPRO/JimGrayTribute/pressrelease.html

podcast of the tribute:
http://web.archive.org/web/20080604010939/http://webcast.berkeley.edu/event_details.php?webcastid=23082
http://web.archive.org/web/20080604072804/http://webcast.berkeley.edu/event_details.php?webcastid=23083
http://web.archive.org/web/20080604072809/http://webcast.berkeley.edu/event_details.php?webcastid=23087
http://web.archive.org/web/20080604072815/http://webcast.berkeley.edu/event_details.php?webcastid=23088

tribute also by ACM SIGMOD
http://www.sigmod.org/publications/sigmod-record/0806

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: November 1, 2008
Blog: Payment and Fraud Professionals
re:
http://www.garlic.com/~lynn/2008p.html#11 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#14 Can Smart Cards Reduce Payments Fraud and Identity Theft?

The EU FINREAD standard emerged in the late 90s as a countermeasure to rapidly spreading viruses, trojans, and keyloggers. Part of the issue was that a lot of PC networking had evolved on small private networks ... and was later adapted to the internet. The issue was that countermeasures to the hostile anarchy of the internet had never evolved in the local private, safe, networking environments.

As an aside, analogous exploits for POS terminals (keylogging, skimming, etc) had emerged well before widespread appearance of PCs on the internet.

EU FINREAD terminals fell victim to the rapidly spreading opinion that smartcards weren't practical in the consumer market ... ephemeral institutional knowledge regarding all the serial port consumer support problems ... which appeared to evaporate in the few years between dialup home banking transition to the internet and the disastrous serial port smartcard terminal giveaway.

We weren't members of NACHA ... but we got somebody from NSCC to submit our proposal ... over the years we had worked with large number of parties in and around Manhattan ... slightly related recent post:
http://www.garlic.com/~lynn/2008p.html#27 Father Of Financial Dataprocessing

copy of the NACHA submission:
http://www.garlic.com/~lynn/nacharfi.htm

The pilot was eventually declared a rousing success ... reference
http://web.archive.org/web/20070706004855/http://internetcouncil.nacha.org/News/news.html
and document here:
http://internetcouncil.nacha.org/docs/ISAP_Pilot/ISAPresultsDocument-Final-2.PDF

however, despite its rousing success, the pilot also fell victim to the rapidly spreading view that smartcards weren't practical in the consumer market place (as an outcome of the disastrous serial port smartcard reader give-away).

Further severely tarnishing the extremely jaundiced view of smartcards was that the YES CARD fiasco ("managed to spend billions of dollars to prove that chips are less secure than magstripe") happened in the same time frame ... various past YES CARD discussions
http://www.garlic.com/~lynn/subintegrity.html#yescard
and web page referencing presentation at Cartes 2002
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

from above:
It was stated that cloning an EMV card is a relatively simple task, with all the necessary information and equipment available on the Internet.

... snip ...

In that time frame there had also been a rather large deployment of such payment cards in NE US ... that appeared to quickly vanish without a trace (given the increasing bad reputation of smartcards).

for a little topic drift ... a variation on the YES CARD hack ... but from the early 70s ... rather than accepting all entered PINs as valid ... it would accept all entered passwords as valid ... recent post in linkedin thread "Invitation to Join Mainframe Security Guru Group"
http://www.garlic.com/~lynn/2008o.html#67

Note ... in the YES CARD hack ... it wasn't just the PIN ... the counterfeit card would always answer YES to three questions: 1) correct pin?, 2) offline transaction?, 3) transaction within credit limit?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

How were you using the internet 10 years ago and how does that differ from how you use it today?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: How were you using the internet 10 years ago and how does that differ from how you use it today?
Date: November 1, 2008
Blog: Web Development
email and posting on usenet .... usenet postings from 1998:
http://www.garlic.com/~lynn/98.html

Earlier in the 90s, we had been called in to consult with a small client/server startup that wanted to do payment transactions on their server and had this technology they had invented called SSL, that they wanted to use. Part of that work was deployment of something called payment gateway ... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

and the result is frequently now referred to as electronic commerce.

I was doing email on the internal network dating back to the early 70s and in the late 70s and early 80s got blamed for computer conferencing on the internal network ... the internal network was larger than the arpanet/internet from just about the beginning until possibly summer of '85

Index of misc. old email ... even one back to 1973
http://www.garlic.com/~lynn/lhwemail.html

the operational precursor to modern internet was the NSFNET backbone ... recent reference
http://www.garlic.com/~lynn/2008p.html#12

Once in the early 70s, I was helping with computer installation in Paris as part of EMEA hdqtrs moving from NY to Paris ... and having a devil of a time accessing my email back in the states.

about 4yrs ago i started using browser tab features to compensate for latency ... i.e. pages fetched in the background while viewing other tabs. i have a process that regularly fetches 200-300 web pages in background tabs.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technolgies?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technolgies?
Date: November 2, 2008
Blog: Banking and Finance Technologies
In the 90s, financial institutions spent billions on new technologies in an attempt to eliminate the overnight batch window. Financial dataprocessing had been implemented as batch processes. Then in the 70s & 80s some of the operations had been partially moved to "online" (or realtime) ... however, the completion of the operations was still done in the overnight batch window.

In the 90s, with more global operations (reducing the size of the overnight batch window) and increased business (attempting to squeeze more work through in smaller elapsed time), there were large efforts to leverage object oriented technologies and large number of "killer micros" to implement straight-through processing (as a way of eliminating the overnight batch window bottleneck).

There were some number of toy demos completed, but a surprising lack of early work on speeds and feeds. It turned out using the object oriented technologies and massive parallelism (of large number of "killer micros") had factors of 100 times increase in overhead (compared to the efficiency of the batch implementations), completely swamping any possible anticipated throughput increases.

semi-related post archived here:
http://www.garlic.com/~lynn/2008p.html#27 Father Of Financial Dataprocessing

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

FC5 Special Workshop CFP: Emerging trends in Online Banking and Electronic Payments

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: FC5 Special Workshop CFP: Emerging trends in Online Banking and Electronic Payments
Date: November 2, 2008
Blog: Banking and Finance Technologies
related comment in "Can Smart Cards Reduce Payments Fraud and Identity Theft?" thread in "Payment and Fraud Professionals" group discussing some possible factors related to current market inhibitors

EU FINREAD standard emerged in the late 90s as countermeasure to rapidly spreading viruses, trojans, and keyloggers. Part of the issue was a lot of PC networking had evolved on small private networks ... and later adapted to the internet. The issue was that countermeasures to the hostile anarchy of the internet had never evolved in the local private, safe, networking environments.

As an aside, analogous exploits for POS terminals (keylogging, skimming, etc) had emerged well before widespread appearance of PCs on the internet.

EU FINREAD terminals fell victim to the rapidly spreading opinion that smartcards weren't practical in the consumer market ... ephemeral institutional knowledge regarding all the serial port consumer support problems ... which appeared to evaporate in the few years between dialup home banking transition to the internet and the disastrous serial port smartcard terminal giveaway.

We weren't members of NACHA ... but we got somebody from NSCC to submit our proposal ... over the years we had worked with large number of parties in and around Manhattan ... slightly related recent post:
http://www.garlic.com/~lynn/2008p.html#27 Father Of Financial Dataprocessing

copy of the NACHA submission:
http://www.garlic.com/~lynn/nacharfi.htm

The pilot was eventually declared a rousing success ... reference
http://web.archive.org/web/20070706004855/http://internetcouncil.nacha.org/News/news.html
and documents here:
http://internetcouncil.nacha.org/docs/ISAP_Pilot/ISAPresultsDocument-Final-2.PDF

however, despite its rousing success, the pilot also fell victim to the rapidly spreading view that smartcards weren't practical in the consumer market place (as an outcome of the disastrous serial port smartcard reader give-away).

Further severely tarnishing the extremely jaundiced view of smartcards was that the YES CARD fiasco ("managed to spend billions of dollars to prove that chips are less secure than magstripe") happened in the same time frame ... various past YES CARD discussions
http://www.garlic.com/~lynn/subintegrity.html#yescard
and web page referencing presentation at Cartes 2002
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

from above:
It was stated that cloning an EMV card is a relatively simple task, with all the necessary information and equipment available on the Internet.

... snip ...

In that time frame there had also been a rather large deployment of such payment cards in NE US ... that appeared to quickly vanish without a trace (given the increasing bad reputation of smartcards).

for a little topic drift ... a variation on the YES CARD hack ... but from the early 70s ... rather than accepting all entered PINs as valid ... it would accept all entered passwords as valid ... recent post in linkedin thread "Invitation to Join Mainframe Security Guru Group"
http://www.garlic.com/~lynn/2008o.html#67

Note ... in the YES CARD hack ... it wasn't just the PIN ... the counterfeit card would always answer YES to three questions: 1) correct pin?, 2) offline transaction?, 3) transaction within credit limit?

other parts of discussions, archived here:
http://www.garlic.com/~lynn/2008p.html#11 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#14 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#15 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#18 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#19 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#22 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#28 Can Smart Cards Reduce Payments Fraud and Identity Theft?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: November 2, 2008
Blog: Smart Cards
Base, X9.59 financial standard protocol slightly tweaked the paradigm so the (replay attack, crooks using information for performing fraudulent transactions) threats from all the skimming, eavesdropping, phishing, data breaches, etc were eliminated ... it didn't eliminate skimming, eavesdropping, phishing, data breaches, etc ... it just eliminated majority of the current fraud where crooks used the information to perform financial transactions.

That leaves open, the "active" attacks by compromised environment where there is transaction modification (is what you think you are approving, actually what you are approving). Currently these exploits are several orders of magnitude smaller than the replay attack kind of fraud.

In the mid-90s, the X9A10 financial standard working group had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments.

As mentioned, there were detailed, end-to-end threat and vulnerability studies of the different environments.

Part of X9.59 financial standard allows for authentication of the environment (where the transaction is performed) to be included along with the entity authentication (this is optional within the parameterised risk management framework development for addressing ALL).

The EU FINREAD reader standard recognized that PC compromises (viruses, trojans, keyloggers, etc) could include "active" attacks ... in addition to "eavesdropping" kinds of attacks. The EU FINREAD was a tamper-resistant, independent reader, with its own LED display and pinpad. The LED display provides for a trusted, independent display for things like the value of the transaction being authenticated/approved ... as well as an independent, trusted PINPAD for (two-factor) something you know authentication (in addition to the card something you have authentication). As mentioned, the EU FINREAD standard came out of the late 90s, in response to the rapid increase in the various kinds of PC compromises. misc. past posts mentioning EU FINREAD:
http://www.garlic.com/~lynn/subintegrity.html#finread

The X9.59 financial standard protocol already had provisions for including environment authentication as part of the transaction. This allowed for the relying party (i.e. customer financial institution) to know whether the operation was being performed with an authentic EU FINREAD reader.

I've mentioned before, once a X9.59 transaction has been "armored" then it is no longer necessary to hide it. A side-effect, this eliminates requirement for SSL to hide the transaction when it is moving through the internet. It also means that once a transaction has been created by an EU FINREAD ... then there is little or no difference between the intermediary PC and any other intermediary device that an X9.59 transaction might pass through (as it moves through the internet).

earlier X9.59 proposal (predating EU FINREAD) suggested trusted PDA or trusted cellphone with embedded chip/circuit along with wireless communication ... that would also provide trusted display & trusted key entry .... as countermeasure to both PC & POS compromises.

other parts of discussions, archived here:
http://www.garlic.com/~lynn/2008p.html#11 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#14 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#15 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#18 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#19 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#22 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#28 Can Smart Cards Reduce Payments Fraud and Identity Theft?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
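
The post above describes the X9.59 design point in prose: the card signs the transaction, the relying party verifies it, an optional environment authentication tells the issuer whether a trusted reader was used, and because the signed message carries no secret there is nothing left for an eavesdropper to reuse. The following is an added illustration of that reasoning, not code from the post, from the X9 standard or from any FINREAD product. It is an assumption-laden model: X9.59 uses public-key digital signatures held on the card, while this sketch uses HMAC with constructed shared secrets so it runs on the Python standard library alone; the account, reader identifiers and amounts are constructed sample values, and the issuer-side policy strings are invented for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo secrets (assumption): the real standard keeps a private key
# on the card and the issuer verifies with the matching public key. HMAC with a
# shared secret stands in here so the example needs only the standard library.
CARD_KEYS = {"acct-4111": b"constructed-card-secret-4111"}
READER_KEYS = {"finread-demo-01": b"constructed-reader-secret-01"}


def canonical(fields: dict) -> bytes:
    """Deterministic byte encoding so signer and verifier hash the same thing."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def card_sign(account: str, amount_cents: int, payee: str, counter: int) -> dict:
    """The card signs every field the issuer acts on plus its own monotonic
    counter. Nothing in the result is secret, so it needs no hiding in transit."""
    body = {"account": account, "amount_cents": amount_cents,
            "payee": payee, "counter": counter}
    sig = hmac.new(CARD_KEYS[account], canonical(body), hashlib.sha256).hexdigest()
    return {**body, "card_sig": sig}


def reader_attest(signed_tx: dict, reader_id: str) -> dict:
    """Optional environment authentication: a trusted reader signs the already
    card-signed transaction so the issuer can tell which device produced it."""
    env_sig = hmac.new(READER_KEYS[reader_id], canonical(signed_tx),
                       hashlib.sha256).hexdigest()
    return {**signed_tx, "reader_id": reader_id, "env_sig": env_sig}


class Issuer:
    """Relying party: checks the card signature, rejects replays, and records
    whether the environment authenticated itself (a risk-management input)."""

    def __init__(self):
        self.last_counter = {}   # account -> highest counter already accepted

    def verify(self, tx: dict) -> str:
        body = {k: tx[k] for k in ("account", "amount_cents", "payee", "counter")}
        key = CARD_KEYS.get(body["account"])
        if key is None:
            return "unknown-account"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx.get("card_sig", "")):
            return "bad-card-signature"        # some signed field was altered
        if body["counter"] <= self.last_counter.get(body["account"], -1):
            return "replay"                    # a captured copy submitted again
        environment = "unauthenticated-environment"
        if "env_sig" in tx:
            rkey = READER_KEYS.get(tx.get("reader_id"))
            signed_part = {**body, "card_sig": tx["card_sig"]}
            if rkey is None or not hmac.compare_digest(
                    hmac.new(rkey, canonical(signed_part), hashlib.sha256).hexdigest(),
                    tx["env_sig"]):
                return "bad-environment-signature"
            environment = "trusted-reader"
        self.last_counter[body["account"]] = body["counter"]
        return "approved:" + environment


def demo() -> dict:
    """Walk through the cases the post argues about; returns issuer verdicts."""
    issuer = Issuer()
    results = {}
    tx = reader_attest(card_sign("acct-4111", 4999, "merchant-A", 1), "finread-demo-01")
    results["genuine"] = issuer.verify(tx)               # approved:trusted-reader
    results["replay"] = issuer.verify(tx)                # same message again -> replay
    tampered = {**tx, "amount_cents": 499900}            # amount edited by an intermediary
    results["tampered"] = issuer.verify(tampered)        # bad-card-signature
    plain = card_sign("acct-4111", 1200, "merchant-B", 2)  # no reader attestation at all
    results["no_reader"] = issuer.verify(plain)          # approved:unauthenticated-environment
    forged = {**card_sign("acct-4111", 700, "merchant-C", 3),
              "reader_id": "finread-demo-01", "env_sig": "0" * 64}
    results["forged_reader"] = issuer.verify(forged)     # bad-environment-signature
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14s} -> {verdict}")
```

The model only covers the relying-party side of the argument: an eavesdropper who captures the message learns an account identifier, an amount and a signature, none of which lets them mint a different transaction, and a modified amount fails the card signature, which is why the post says SSL becomes unnecessary for hiding the transaction. It does not, and cannot, address the "active" attack the post sets apart, where a compromised PC shows the user one amount while the card signs another; that is exactly the gap the trusted FINREAD display is meant to close, and the issuer can only see that a trusted reader (or none) was involved, which is what the `environment` value feeds into risk management.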

Making tea

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Making tea
Newsgroups: alt.folklore.computers
Date: Sun, 02 Nov 2008 23:36:32 -0500
Morten Reistad <first@last.name> writes:
I would dearly like to know why the "DEC dwarves" like Prime, DG, Wang etc folded too. They needed DEC like the other seven dwarves needed IBM; but they all went away a lot faster than DEC.

hardware development and software development didn't get any cheaper, in fact, it increased. at the same time, PC volumes allowed per unit commoditization. by 486 ... processors & software were becoming equivalent of at least minis ... but per unit prices were small percent of minis and mainframes .... w/o the unit volumes there was no way to compete. personal computing was commoditizing computing.

i've periodically posted about the large growth in vax & 43xx (mid-range) volumes starting in 79 but by 85 ... mid-range/minis market was being taken over by workstations and large PCs.

old posts with vax numbers sliced & diced by yr, model, us/non-us
http://www.garlic.com/~lynn/2002f.html#0 Computers in Science Fiction

DG attempted to leverage pc hardware with SCI interconnect scaleup. Sequent, DG, Convex, SGI built NUMA machines with SCI .... sequent and DG using 486 processors, Convex using HP risc processors, SGI with MIPS. Sequent already had a multiprocessor unix (dynix) that they extended to NUMA. Convex adopted MACH extending for NUMA.

In the late 80s, people at a number of labs basically worked on standardizing various kinds of computer interconnect ... accelerating COTS and commoditizing. LANL worked on standardizing cray channel as HiPPI, LLNL moving a copper serial technology to fiber and standardization as FCS, and SLAC doing SCI (in that period we had some participation in all three activities).

related thread last spring
http://www.garlic.com/~lynn/2008i.html#3 Microsoft versus Digital Equipment Corporation
http://www.garlic.com/~lynn/2008i.html#5 Microsoft versus Digital Equipment Corporation
http://www.garlic.com/~lynn/2008i.html#18 Microsoft versus Digital Equipment Corporation

as part of doing scaleup related to ha/cmp
http://www.garlic.com/~lynn/subtopic.html#hacmp

we did various designs with FCS .... old email
http://www.garlic.com/~lynn/lhwemail.html#medusa

minor related post
http://www.garlic.com/~lynn/95.html#13

post in the same thread from last spring ... but more related to ha/cmp
http://www.garlic.com/~lynn/2008i.html#18 Microsoft versus Digital Equipment Corporation

as an aside ... one of the reasons for using ha/cmp "loosely-coupled" or cluster ... for scaleup .... was that RIOS chip didn't have any support for multiprocessor cache coherency ... so there was no option of attempting an SCI flavor.

later we were approached about running a project to adapt sun's object operating system, SPRING to a SCI NUMA machine built with SPARCs.

Wang towards the end tried OEMing RS6000 machines.

other past posts mentioning SCI NUMA
http://www.garlic.com/~lynn/96.html#8 Why Do Mainframes Exist ???
http://www.garlic.com/~lynn/96.html#25 SGI O2 and Origin system announcements
http://www.garlic.com/~lynn/98.html#40 Comparison Cluster vs SMP?
http://www.garlic.com/~lynn/2001b.html#39 John Mashey's greatest hits
http://www.garlic.com/~lynn/2001b.html#85 what makes a cpu fast
http://www.garlic.com/~lynn/2001f.html#11 Climate, US, Japan & supers query
http://www.garlic.com/~lynn/2001j.html#12 OT - Internet Explorer V6.0
http://www.garlic.com/~lynn/2001j.html#17 I hate Compaq
http://www.garlic.com/~lynn/2002g.html#10 "Soul of a New Machine" Computer?
http://www.garlic.com/~lynn/2002h.html#78 Q: Is there any interest for vintage Byte Magazines from 1983
http://www.garlic.com/~lynn/2002i.html#83 HONE
http://www.garlic.com/~lynn/2002j.html#45 M$ SMP and old time IBM's LCMP
http://www.garlic.com/~lynn/2002l.html#52 Itanium2 performance data from SGI
http://www.garlic.com/~lynn/2003.html#0 Clustering ( was Re: Interconnect speeds )
http://www.garlic.com/~lynn/2003d.html#57 Another light on the map going out
http://www.garlic.com/~lynn/2003j.html#65 Cost of Message Passing ?
http://www.garlic.com/~lynn/2003p.html#1 An entirely new proprietary hardware strategy
http://www.garlic.com/~lynn/2004d.html#6 Memory Affinity
http://www.garlic.com/~lynn/2004d.html#68 bits, bytes, half-duplex, dual-simplex, etc
http://www.garlic.com/~lynn/2005.html#50 something like a CTC on a PC
http://www.garlic.com/~lynn/2005d.html#20 shared memory programming on distributed memory model?
http://www.garlic.com/~lynn/2005j.html#13 Performance and Capacity Planning
http://www.garlic.com/~lynn/2005m.html#46 IBM's mini computers--lack thereof
http://www.garlic.com/~lynn/2005m.html#55 54 Processors?
http://www.garlic.com/~lynn/2005n.html#4 54 Processors?
http://www.garlic.com/~lynn/2005n.html#37 What was new&important in computer architecture 10 years ago ?
http://www.garlic.com/~lynn/2005v.html#0 DMV systems?
http://www.garlic.com/~lynn/2006c.html#40 IBM 610 workstation computer
http://www.garlic.com/~lynn/2006c.html#41 IBM 610 workstation computer
http://www.garlic.com/~lynn/2006l.html#43 One or two CPUs - the pros & cons
http://www.garlic.com/~lynn/2006m.html#52 TCP/IP and connecting z to alternate platforms
http://www.garlic.com/~lynn/2006p.html#46 "25th Anniversary of the Personal Computer"
http://www.garlic.com/~lynn/2006q.html#9 Is no one reading the article?
http://www.garlic.com/~lynn/2006q.html#24 "25th Anniversary of the Personal Computer"
http://www.garlic.com/~lynn/2006u.html#33 Assembler question
http://www.garlic.com/~lynn/2006w.html#2 IBM sues maker of Intel-based Mainframe clones
http://www.garlic.com/~lynn/2006x.html#11 The Future of CPUs: What's After Multi-Core?
http://www.garlic.com/~lynn/2006y.html#38 Wanted: info on old Unisys boxen
http://www.garlic.com/~lynn/2007g.html#3 University rank of Computer Architecture
http://www.garlic.com/~lynn/2007g.html#69 The Perfect Computer - 36 bits?
http://www.garlic.com/~lynn/2007i.html#78 John W. Backus, 82, Fortran developer, dies
http://www.garlic.com/~lynn/2007m.html#13 Is Parallel Programming Just Too Hard?
http://www.garlic.com/~lynn/2007m.html#72 The Development of the Vital IBM PC in Spite of the Corporate Culture of IBM
http://www.garlic.com/~lynn/2008c.html#81 Random thoughts
http://www.garlic.com/~lynn/2008e.html#24 Berkeley researcher describes parallel path
http://www.garlic.com/~lynn/2008e.html#40 Fantasy-Land_Hierarchal_NUMA_Memory-Model_on_Vertical

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

How can I tell if a keylogger got added to my PC while I was in Beijing?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: How can I tell if a keylogger got added to my PC while I was in Beijing?
Newsgroups: alt.internet.wireless,alt.privacy.spyware,microsoft.public.security
Date: Mon, 03 Nov 2008 09:12:46 -0500
Donna Ohl <donna.ohl@sbcglobal.net> writes:
I was in Beijing, and I used my Windows PC there with a freeware firewall and freeware anti virus and freeware malware scanners.

Recently a friend said nearly all American travelers were to be warned by the State Department that their laptops, if left in the hotel, were almost certainly compromised.

How could I tell if a keylogger or other spyware was inserted onto my laptop by the Chinese?
recent news with more sophisticated flavor ... which mentions having lots of countermeasures against detection:

Three Year Old Trojan Compromised Half Million Banking Details - The exact origins of the Trojan have not been determined yet
http://news.softpedia.com/news/Three-Years-Old-Trojan-Compromised-Half-Million-Banking-Details-96953.shtml
Trojan steals 500,000+ bank and card details
http://www.finextra.com/news/fullstory.aspx?newsitemid=19217
'Ruthless' Trojan horse steals 500k bank, credit card log-ons
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9118718
Advanced Trojan Virus Compromises Bank Info
http://www.redorbit.com/news/technology/1595930/advanced_trojan_virus_compromises_bank_info/index.html/
Sinowal data-stealing trojan has infected half million PCs
http://www.scmagazine.com/Sinowal-data-stealing-trojan-has-infected-half-million-PCs/article/120243/

part of archived (linkedin) thread (regarding article from Kansas City FED: Can Smart Cards Reduce Payments Fraud and Identity Theft?) that includes discussion of countermeasures for compromised PCs
http://www.garlic.com/~lynn/2008p.html#28
http://www.garlic.com/~lynn/2008p.html#32

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technolgies?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technolgies?
Date: November 3, 2008
Blog: Banking and Finance Technologies
re:
http://www.garlic.com/~lynn/2008p.html#30

After the major re-engineering failures in the 90s ... including the straight-through processing efforts ... there was significant retrenchment in tackling new activities. There were even some that admitted that the re-engineering failures demonstrated that they didn't know what they were doing.

Something similar has happened in large number of gov. re-engineering failures (some number of them financial systems). In the gov. case, there have been jokes about the failures having created a whole new subindustry of major contractors & system integrators taking turns at failing projects (failures resulted in more revenue flow than if there had been successes).

with some number of past failures ... there have been alternative approaches (to major re-engineering) .... current buzzwords are SOA and middleware. Frequently these are interfaces that allow new kinds of uses for legacy operations (w/o requiring re-engineering).

We had been called in to consult with a small client/server startup that wanted to do payment transactions on their server and had this technology they had invented, called SSL, they wanted to use. Part of the deployment was something called a payment gateway ... numerous past discussions
http://www.garlic.com/~lynn/subnetwork.html#gateway

the result is now frequently called electronic commerce. We periodically refer to the gateway as the original SOA.

In the late 80s, we had come up with 3-tier architecture and were out pitching it to customer executives. This included defining some number of functions/applications that resided in the middle layer (now frequently called middleware). Part of the problem at the time was other parts of the corporation were pushing SAA (sometimes characterized as attempting to head off 2-tier, client/server and preserve the terminal emulation install base). Lots of past discussions of 3-tier
http://www.garlic.com/~lynn/subnetwork.html#3tier

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Making tea

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Making tea
Newsgroups: alt.folklore.computers
Date: Mon, 03 Nov 2008 12:38:05 -0500
Morten Reistad <first@last.name> writes:
I would otherwise see that Prime, Wang and DG would have had a fighting chance. They all embraced microprocessors early, but they didn't adapt their business models. All of them could have done a Novell, and become the server-pusher of choice.

re:
http://www.garlic.com/~lynn/2008p.html#33 Making tea

sequent was actually already in that market ... before doing the SCI NUMA scaleup

in the mid-90s with increasing load on webservers ... especially at this small client/server startup that allowed network download of their products ... many met a TCP implementation brick wall ... 90-95% of processor time spent running FINWAIT list. TCP had been assumed to be long-running sessions ... with relatively little FINWAIT activity. HTTP use of TCP for datagram operation (instead of session) ... enormously increased events on the FINWAIT list.

the small client/server startup eventually, initially got around the problem by installing a moderate size SEQUENT server (before that there was the increasing number of download servers that had to be manually selected). Part of the issue was that SEQUENT had previously implemented "fixes" to FINWAIT list processing ... for customer configurations with 20,000 telnet sessions.

As an aside ... I've posted before about a (client/server) project that san jose had called DataHub ... and had a work-for-hire subcontract for parts of the implementation with a company in Provo. One of the San Jose people on the DataHub project was commuting to Provo nearly every week.

At some point, the corporation decided to cancel the DataHub project ... and the company in Provo was allowed to retain rights to everything they had been doing under work-for-hire contract. Shortly later a company with a name that started with the letter "N" appeared in Provo.

some conjecture that canceling of the DataHub project was associated with early stages of attempting to stave off client/server and preserve the terminal emulation install base ... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#emulation

this picked up speed later with SAA ... which we tended to run afoul of after we had come up with 3-tier architecture and were out pitching it to customer executives
http://www.garlic.com/~lynn/subnetwork.html#3tier

misc. past posts mentioning DataHub project (&/or work sub'ed out to operation in Provo):
http://www.garlic.com/~lynn/96.html#4a John Hartmann's Birthday Party
http://www.garlic.com/~lynn/2000g.html#40 No more innovation? Get serious
http://www.garlic.com/~lynn/2002f.html#19 When will IBM buy Sun?
http://www.garlic.com/~lynn/2002g.html#79 Coulda, Woulda, Shoudda moments?
http://www.garlic.com/~lynn/2002o.html#33 Over-the-shoulder effect
http://www.garlic.com/~lynn/2003e.html#26 MP cost effectiveness
http://www.garlic.com/~lynn/2003f.html#13 Alpha performance, why?
http://www.garlic.com/~lynn/2004f.html#16 Infiniband - practicalities for small clusters
http://www.garlic.com/~lynn/2005p.html#23 What ever happened to Tandem and NonStop OS ?
http://www.garlic.com/~lynn/2005q.html#9 What ever happened to Tandem and NonStop OS ?
http://www.garlic.com/~lynn/2005q.html#36 Intel strikes back with a parallel x86 design
http://www.garlic.com/~lynn/2006l.html#39 Token-ring vs Ethernet - 10 years later
http://www.garlic.com/~lynn/2006y.html#31 "The Elements of Programming Style"
http://www.garlic.com/~lynn/2007f.html#17 Is computer history taught now?
http://www.garlic.com/~lynn/2007j.html#49 How difficult would it be for a SYSPROG ?
http://www.garlic.com/~lynn/2007n.html#21 The Development of the Vital IBM PC in Spite of the Corporate Culture of IBM
http://www.garlic.com/~lynn/2007n.html#86 The Unexpected Fact about the First Computer Programmer
http://www.garlic.com/~lynn/2007p.html#35 Newsweek article--baby boomers and computers
http://www.garlic.com/~lynn/2007v.html#53 folklore indeed
http://www.garlic.com/~lynn/2008e.html#8 MAINFRAME Training with IBM Certification and JOB GUARANTEE

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Making tea

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Making tea
Newsgroups: alt.folklore.computers
Date: Mon, 03 Nov 2008 12:44:25 -0500
Andrew Swallow <am.swallow@btinternet.com> writes:
The other problem was the distribution channel. PCs are sold through main street shops. The mini-computer firms still expected to send a salesman around. Even IBM failed in that market.

re:
http://www.garlic.com/~lynn/2008p.html#33 Making tea
http://www.garlic.com/~lynn/2008p.html#36 Making tea

however, IBM sold huge numbers into the commercial market as an "enhanced" 3270 terminal ... I've claimed that early on this was much more important source of sales than home market ... since there were still only a few applications for driving the home market sales.

customer could get a PC for about the same price as a 3270 ... and therefore needed very small incremental business justification ... same desk footprint allowed operation to switch between terminal emulation and whatever applications there happened to be for local execution

There was sort of chicken & egg ... needed volumes to attract application developers, needed applications to achieve volumes ... terminal emulation was path to seed initial install base.

past posts mentioning terminal emulation
http://www.garlic.com/~lynn/subnetwork.html#emulation

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

How do group members think the US payments business will evolve over the next 3 years?

Refed: **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: How do group members think the US payments business will evolve over the next 3 years?
Date: November 3, 2008
Blog: Payments Leadership Network
re:
http://www.garlic.com/~lynn/2008p.html#25 How do group members think the US payments business will evolve over the next 3 years?

In the thread about Kansas City Fed paper "Can Smart Cards Reduce Payments Fraud and Identity Theft?"
http://www.kansascityfed.org/Publicat/ECONREV/PDF/3q08Sullivan.pdf

in linkedin Smart Cards group ... there is discussion of the X9.59 financial transaction standard (mentioned in the paper).
http://www.garlic.com/~lynn/x959.html#x959

X9.59 standard work in X9A10 financial standard working group included detailed, end-to-end threat and vulnerability studies of various environments (x9a10 had been given the requirement to preserve the integrity of the financial infrastructure for *ALL* retail payments). Part of x9.59 was a form factor and implementation agnostic standard.

This included being able to perform x9.59 transactions wirelessly/contactless from PDAs and/or Cellphones. This included the observation that a "trusted" PDA/Cellphone with their own "trusted" display and "trusted" input would be a countermeasure to compromised POS terminals and compromised personal computers.

Part of the discussion mentions "trusted" devices as countermeasures to commonly compromised devices is archived here:
http://www.garlic.com/~lynn/2008p.html#32

The x9.59 standard slightly tweaks the paradigm so that it is no longer necessary to hide transaction information as countermeasure to crooks being able to leverage such information to perform fraudulent transactions .... aka x9.59 didn't do anything about eliminating eavesdropping, data breaches, skimming, phishing, keylogging, etc .... but x9.59 did eliminate the threat that crooks would be able to perform fraudulent transactions as the result of such activity.

This is archived answer from linkedin "Payment and Fraud Professionals" group
http://www.garlic.com/~lynn/2008p.html#28

related archived answer in linkedin "Government Policy" discussing some of the vulnerabilities in the current paradigm
http://www.garlic.com/~lynn/2008p.html#7

We had earlier been called in to consult with small client/server startup that wanted to do payment transactions on servers ... and they had invented something called SSL that they wanted to use. Part of that effort included deploying something called a payment gateway ... misc. past posts mentioning the work
http://www.garlic.com/~lynn/subnetwork.html#gateway

which is now frequently called electronic commerce. This is now the major use of SSL in the world today ... to hide transaction information (as countermeasure to crooks being able to perform fraudulent transactions). X9.59 eliminates the need to use SSL for that purpose.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technologies?

Refed: **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technologies?
Date: November 4, 2008
Blog: Greater IBM
I duplicated the subject discussion & my responses from "Banking and Financial Technologies" group:
http://www.garlic.com/~lynn/2008p.html#30
http://www.garlic.com/~lynn/2008p.html#35

after several other IBM responses in the duplicated subject:

about 15 yrs ago, we were brought in to one of the major airline reservation systems and asked to look at the routes application (find flts to get from origin to destination; represented 20%-25% of total dataprocessing). they had ten impossible things that they wanted looked at (that they currently couldn't do). we went away and came back eight weeks later with a (re-)implementation that included all the ten impossible things.

that started nearly a yr of hand-wringing ... before finally telling us that they hadn't actually wanted us to solve the problem ... they just wanted to be able to tell the board that they had us looking at the problem.

big part of the ten impossible things was the result of having several hundred people doing manual operations in support of the application. we changed the paradigm and eliminated all those manual tasks (and effectively the associated jobs). the new paradigm also combined three separate interactions (that were normally done by agents) into a single interaction that could be performed by end-users.

the paradigm change also eliminated the requirement to have large mainframe complexes for routes ... but could easily be done on a moderate sized workstation.

the executive hand-wringing ... appeared that they just wanted us to go away and forget that they ever talked to us ... since eliminating all the worker requirements ... eliminated much of the executive positions ... and the paradigm change effectively commoditized that part of the operation.

after that, we would periodically tell prospective clients to be careful what you asked for

....

some past (usenet) posts mentioning the above:
http://www.garlic.com/~lynn/96.html#29 Mainframes & Unix
http://www.garlic.com/~lynn/96.html#31 Mainframes & Unix
http://www.garlic.com/~lynn/99.html#136a checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#153 Uptime (was Re: Q: S/390 on PowerPC?)
http://www.garlic.com/~lynn/2000.html#61 64 bit X86 ugliness (Re: Williamette trace cache (Re: First view of Willamette))
http://www.garlic.com/~lynn/2000f.html#20 Competitors to SABRE?
http://www.garlic.com/~lynn/2001d.html#69 Block oriented I/O over IP
http://www.garlic.com/~lynn/2001d.html#74 Pentium 4 Prefetch engine?
http://www.garlic.com/~lynn/2001k.html#26 microsoft going poof [was: HP Compaq merger, here we go again.]
http://www.garlic.com/~lynn/2002g.html#2 Computers in Science Fiction
http://www.garlic.com/~lynn/2002i.html#38 CDC6600 - just how powerful a machine was it?
http://www.garlic.com/~lynn/2002i.html#40 CDC6600 - just how powerful a machine was it?
http://www.garlic.com/~lynn/2002j.html#83 Summary: Robots of Doom
http://www.garlic.com/~lynn/2002l.html#39 Moore law
http://www.garlic.com/~lynn/2003b.html#12 InfiniBand Group Sharply, Evenly Divided
http://www.garlic.com/~lynn/2003o.html#17 Rationale for Supercomputers
http://www.garlic.com/~lynn/2004o.html#23 Demo: Things in Hierarchies (w/o RM/SQL)
http://www.garlic.com/~lynn/2004q.html#85 The TransRelational Model: Performance Concerns
http://www.garlic.com/~lynn/2005o.html#24 is a computer like an airport?
http://www.garlic.com/~lynn/2005p.html#8 EBCDIC to 6-bit and back
http://www.garlic.com/~lynn/2006o.html#18 RAMAC 305(?)
http://www.garlic.com/~lynn/2006q.html#22 3 value logic. Why is SQL so special?
http://www.garlic.com/~lynn/2007g.html#22 Bidirectional Binary Self-Joins
http://www.garlic.com/~lynn/2007g.html#41 US Airways badmouths legacy system
http://www.garlic.com/~lynn/2007h.html#41 Fast and Safe C Strings: User friendly C macros to Declare and use C Strings
http://www.garlic.com/~lynn/2007j.html#28 Even worse than UNIX
http://www.garlic.com/~lynn/2007p.html#45 64 gig memory
http://www.garlic.com/~lynn/2008h.html#61 Up, Up, ... and Gone?
http://www.garlic.com/~lynn/2008j.html#32 CLIs and GUIs

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Opsystems

Refed: **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Opsystems
Newsgroups: alt.folklore.computers
Date: Tue, 04 Nov 2008 18:14:14 -0500
Morten Reistad <first@last.name> writes:
All the other stuff like networks, the actual file systems, drivers, is relegated into subsystems, and use ring 1 protection. They are still in the kernel memory space; the vnode/page/segment model makes that the best design.

MVS evolved a different way.

The MVT history was single real address space which made extensive use of pointer-passing API. The initial transition of MVT to virtual memory was VS2/SVS ... basically MVT laid out in a (larger) single virtual address space.

It wasn't until VS2/MVS that it got to multiple virtual address spaces. However, there were all sorts of restrictions imposed by the prevalent pointer-passing API. Each 16mbyte virtual address space was initially partitioned into an 8mbyte kernel i.e. the MVS kernel appeared in half of every virtual address space; with the other half (sort of) available to applications.

The issue was that there were a lot of subsystem functions outside the kernel that now found themselves in their own virtual address space. The problem was how does an application use a pointer-passing API to call a subsystem function (now) located in a different virtual address space.

The solution started out being a "common segment" that appeared in every virtual address space. Applications could obtain a location in the common segment to stuff parameters ... invoke a kernel call that switched address space ... and the subsystem would utilize the area in the common segment. The common segment started out (supposedly) as a 1mbyte area ... but at large customer installations it quickly grew to 4-5mbyte (and increasing) ... leaving only 3-4mbytes in every virtual address space for application use.

Dual-address space mode was introduced with 3033 ... allowing (called) subsystems to reach back into (address) the calling application's virtual address space (reducing the pressure to constantly increase the common segment size). This still required two passes thru the kernel (the call & return) to change the (two) virtual address space registers.

This was later generalized to "access registers" (several distinct concurrent virtual address spaces) and "program call" & "program return" instructions. A (kernel) hardware table was defined for the program call/return instructions which defined the available "subsystems" and the rules governing changes to virtual address space registers. In parallel with having multiple concurrent virtual address spaces, virtual address space size was extended from 24-bit to 31-bit (16mbyte to 2mbyte ... with various conventions for dual-mode virtual address space operation).

This changed the overhead of doing a subsystem call/return from requiring two passes through the kernel to nearly the overhead of a simple library subroutine call/return. as a result, there became a very large number of different (and isolated) semi-privileged subsystem "levels".

program call/return was extended with program transfer ... allowing "transfers" between multiple different, isolated semi-privileged subsystems before a final return to the original calling application.

Currently there is (multiple) 64-bit virtual address spaces with conventions to continue to support 24-bit & 31-bit operations.

some recent posts discussing dual-address space, access register, program call/return
http://www.garlic.com/~lynn/2008c.html#33 New Opcodes
http://www.garlic.com/~lynn/2008c.html#35 New Opcodes
http://www.garlic.com/~lynn/2008d.html#69 Regarding the virtual machines
http://www.garlic.com/~lynn/2008e.html#14 Kernels
http://www.garlic.com/~lynn/2008e.html#33 IBM Preview of z/OS V1.10
http://www.garlic.com/~lynn/2008g.html#60 Different Implementations of VLIW
http://www.garlic.com/~lynn/2008h.html#29 DB2 & z/OS Dissertation Research
http://www.garlic.com/~lynn/2008i.html#52 Microsoft versus Digital Equipment Corporation
http://www.garlic.com/~lynn/2008l.html#45 z/OS BIND9 DNS Vulnerable to Cache Poisoning Attack Problem?
http://www.garlic.com/~lynn/2008l.html#83 old 370 info
http://www.garlic.com/~lynn/2008o.html#53 Old XDS Sigma stuff
http://www.garlic.com/~lynn/2008o.html#73 Addressing Scheme with 64 vs 63 bits

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technologies?

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technologies?
Date: November 5, 2008
Blog: Greater IBM
Trivia comment about airline res. systems. A few yrs prior to the "routes" activity ... post also archived here (with additional references):
http://www.garlic.com/~lynn/2008p.html#39

my wife served a (short) stint as Amadeus chief architect. During the stint she sided with the decision to go with x.25. This upset the SNA forces which lobbied for her replacement. It turned out to not do any good, since Amadeus went with x.25 anyway.

...

I had previously made some comments in the XING Greater IBM fora thread "The Problem with current automated testing solutions" ... related to my resource manager.

From recent post in linkedin Greater IBM fora thread "My Funniest or Most Memorable Moment at IBM" ... archived here
http://www.garlic.com/~lynn/2008p.html#1

I mentioned a joke regarding "dynamic adaptive" resource manager subsuming (automating) manual "tuning knobs" (that I was sort of forced into by somebody from corporate hdqtrs). Other posts about my resource manager
http://www.garlic.com/~lynn/subtopic.html#fairshare

Also mentioned in this recent linkedin Greater IBM fora thread "Open Source, Unbundling, and Future System" where the resource manager was selected as guinea pig for starting to charge for kernel software:
http://www.garlic.com/~lynn/2008o.html#66

the science center ... lots of old posts
http://www.garlic.com/~lynn/subtopic.html#545tech

had done a lot of work in both system modeling and performance optimization ... as well as doing a port of apl\360 to cms for cms\apl. some of the system modeling was an analytical model done in cms\apl. A version of this was made available on HONE ... lots of past posts
http://www.garlic.com/~lynn/subtopic.html#hone

as the performance predictor tool ... allowed marketing people to characterize customer configuration and workload and then ask "what if" questions about changes (like workload changes, processor changes, more real storage, etc).

I had also done a bunch of work on automating benchmarking in conjunction with resource manager performance work ... lots of past posts
http://www.garlic.com/~lynn/submain.html#bench

So part of preparing for resource manager product release ... a modified version of the performance predictor was integrated into the automated benchmarking process. The modified performance predictor would select the workload and configuration; that benchmark was run; the results compared to predicted; and then the process repeated for new values. In the final phase of resource manager calibration and verification, 2000 such automated benchmarks were run, taking three months elapsed time.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Password Rules

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Password Rules
Date: November 5, 2008
Blog: Greater IBM
The last friday in mar84, I received a file from a cpu engineer in POK (POK cpu engineer group used to have periodic bike rides after work, and I would be included when visiting POK).

I shared the file with several people in SJR that Friday. Over the weekend somebody printed the file on one of the building 6670s using official corporate letterhead paper and put it in all the bldg. 28 bulletin boards.

Monday morning numerous people reading the bulletin boards believed it was an official corporate document and several got angry when they found out it wasn't. There was an investigation attempting to identify who was responsible and then all corporate letterhead paper was placed under lock&key.

The memo outlined new "password" rules ... the first line

CORPORATE DIRECTIVE NUMBER 84-570471 April 1, 1984

a copy of the full file can be found in this post:
http://www.garlic.com/~lynn/2001d.html#52

note that 1apr84 was sunday.

....

As an aside, we actually took security seriously.

For instance, reference in linkedin Corporate Governance question "Invitation to Join Mainframe Security Guru Group" thread ... also archived here:
http://www.garlic.com/~lynn/2008o.html#67

refers to some corporate security issues as well as mentioning gov. security
http://web.archive.org/web/20090117083033/http://www.nsa.gov/research/selinux/list-archive/0409/8362.shtml

Another security consideration is somewhat related to the science center's CMS\APL activity ... mentioned in a linkedin Greater IBM fora ... also archived here:
http://www.garlic.com/~lynn/2008p.html#41

One of the changes from APL\360 to CMS\APL was increasing typical workspace size from 16k-32k up to virtual address space size (this required reworking how APL did storage allocation and garbage collection). The dramatic increase in APL workspace size (as well as adding functions to access system services) enabled the implementation of real-world applications.

One of the groups that started using CMS\APL were some Armonk business planning people ... transferring a detailed copy of the company's customer information to the Cambridge CP/67 (for use in APL business modeling they were developing). This was among the most valuable of internal corporate data. It should be noted that in addition to regular corporate employee access to the Cambridge CP/67, a number of non-employees (including students) from universities and colleges in the Cambridge area, also had access to the system (requiring some fairly strong security to keep non-authorized individuals from all sorts of internal corporate business data).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Barbless

Refed: **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Barbless
Newsgroups: alt.folklore.computers
Date: Wed, 05 Nov 2008 16:27:17 -0500
Morten Reistad <first@last.name> writes:
You mean that monster-cable with a hundred leads or so all clocked at 25(?)Mhz?

Totally point to point?

Last I saw of it was an interface to a Cray-1 sometime in the mid 1980s. Convex made a lot of self-confident noises about supporting it at the time, but did we ever see such an interface?

About 1991 fiber technology took off. And such monster cables were history.

ISTR that Cisco supported some HIPPI interface. Was that IP-over-hippi?


One of the bldg. 28 alumni showed up on an Apple human factors project ... which had a Cray with a (HiPPI) very high resolution display. They used the Cray to simulate the Apple interface ... studying effects of tweaking all sorts of characteristics.

there was work on HiPPI over fiber.

recent post
http://www.garlic.com/~lynn/2008p.html#33 Making tea

LLNL took a private serial-copper as base for FCS (converting to fiber optic)

1990 there was also 9333 ... which was also serial-copper ... referenced in this post
http://www.garlic.com/~lynn/95.html#13

which evolved into SSA. current SSA reference:
http://www.ibm.com/systems/storage/disk/7133/index.html

One of the issues in HiPPI standards group had to do with HiPPI switch, IPI disks, and 3rd party transfer.

some labs had done an early (supercomputer) NAS/SAN using an ibm mainframe (sort of as an intelligent disk/file controller), ibm mainframe disks and HYPERChannel.

Supercomputer would message ibm mainframe (over HYPERChannel) for some data read/write.

The ibm mainframe would manage the disk and load mainframe channel program in local memory of the HYPERChannel A515 remote device adapter (A515 simulated ibm mainframe channel and attached mainframe disk controllers).

The ibm mainframe then responded to the supercomputer with pointer/handle to the specific channel program in the A515.

The supercomputer then invoked that specific channel program (doing data transfer directly to/from supercomputer and disk over HYPERChannel).

Transitioning that to HiPPI, HiPPI switch, and IPI disks ... required a feature allowing the "intelligent NAS/SAN server" to setup "3rd-party" transfers. The HiPPI switch also required "permission" features that dictated which components were allowed to communicate with other components.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: November 5, 2008
Blog: Smart Cards Group
re:
http://www.garlic.com/~lynn/2008p.html#15 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#18 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#30 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#32 Can Smart Cards Reduce Payments Fraud and Identity Theft?

recent article/reference ... basically trying to address same kinds of (personal computer) compromises as the EU FINREAD standard (discussed earlier in this thread) .... but updated to USB. Note that X9.59 financial standard in the mid-90s, considered this general flavor of end-point compromises ... not only for personal computers but also for POS terminals.


http://www.zurich.ibm.com/ztic/
IBM Zone Trusted Information Channel (ZTIC)

A banking server's display on your key chain

More and more attacks to online banking applications target the user's home PC, changing what is displayed to the user, while logging and altering key strokes. Therefore, third parties such as MELANI conclude that Two-factor authentication systems [...] do not afford protection against such attacks and must be viewed as insecure once the computer of the customer has been infected with malware.


... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
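The paradigm described in the "How do group members think the US payments business will evolve" post above (x9.59 signs the transaction rather than hiding it) and the ZTIC item quoted just above (a trusted display so malware on the PC can't alter what gets approved) are two halves of the same design. The following is an added example, not code from the page, from X9.59 or from IBM's ZTIC, that models both: a hypothetical trusted token signs the transaction it displays, and a hypothetical issuer verifies. X9.59 uses public-key digital signatures; HMAC-SHA256 with a per-token key shared only between token and issuer stands in here so the script runs on the Python standard library alone. All account, merchant and key values are constructed.

```python
"""Added example (not from the page, nor X9.59's or ZTIC's own code): a model of
the paradigm both posts describe. A "trusted" device with its own display signs
the transaction, so a crook who eavesdrops, skims or keylogs the transaction
data still cannot perform a fraudulent transaction, and malware on the PC cannot
change the amount without either the user or the issuer noticing.

Assumption: X9.59 specifies public-key digital signatures; here HMAC-SHA256 with
a per-token key shared only between token and issuer stands in, so the script
runs on the Python standard library alone. All names and values are constructed."""
import hashlib
import hmac
import json


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so token and issuer sign/verify identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


class Token:
    """Hypothetical trusted signing device. The `confirm` callback plays the
    role of the device's own display and input: it is shown exactly the
    fields that will be signed, not whatever the PC chose to render."""

    def __init__(self, account: str, key: bytes):
        self.account = account
        self._key = key          # never leaves the device
        self.counter = 0         # monotonic, makes each signature single-use

    def sign(self, amount_cents: int, merchant: str, confirm):
        self.counter += 1
        tx = {"account": self.account, "amount": amount_cents,
              "merchant": merchant, "counter": self.counter}
        if not confirm(tx):      # user rejects what the trusted display shows
            return None
        sig = hmac.new(self._key, canonical(tx), hashlib.sha256).hexdigest()
        return tx, sig


class Issuer:
    """Hypothetical issuer: holds each token's key and last accepted counter."""

    def __init__(self):
        self._keys = {}
        self._last_counter = {}

    def register(self, account: str, key: bytes) -> None:
        self._keys[account] = key

    def verify(self, tx: dict, sig: str) -> str:
        key = self._keys.get(tx.get("account"))
        if key is None:
            return "unknown account"
        expected = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return "bad signature"   # transaction data alone does not suffice
        if tx["counter"] <= self._last_counter.get(tx["account"], 0):
            return "replay"          # a captured, valid transaction is single-use
        self._last_counter[tx["account"]] = tx["counter"]
        return "ok"


def run_scenarios() -> dict:
    """Replays the threats named in the posts against the model. All data is
    constructed; the transaction is deliberately sent "in the clear"."""
    key = b"constructed-demo-key-do-not-reuse"
    issuer = Issuer()
    issuer.register("acct-demo-0001", key)
    token = Token("acct-demo-0001", key)
    # The user intends to pay 50.00 and approves only if the trusted display agrees.
    approve_50 = lambda tx: tx["amount"] == 5000
    results = {}

    tx, sig = token.sign(5000, "Shop A", approve_50)
    results["legit"] = issuer.verify(tx, sig)
    # Eavesdropper captured tx and sig in full and replays them.
    results["replay"] = issuer.verify(tx, sig)
    # Crook knows account number, merchant and amount but not the key.
    forged = dict(tx, counter=tx["counter"] + 1, amount=99999)
    results["forged"] = issuer.verify(forged, sig)
    # PC malware alters the amount after the token has signed.
    tx2, sig2 = token.sign(5000, "Shop A", approve_50)
    results["tampered_after_signing"] = issuer.verify(dict(tx2, amount=99999), sig2)
    # PC malware alters the amount before it reaches the token: the trusted
    # display shows 999.99, the user declines, and nothing is signed.
    outcome = token.sign(99999, "Shop A", approve_50)
    results["tampered_before_signing"] = "refused" if outcome is None else "signed"
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} {verdict}")
```

The point the two posts make is visible in the verdicts: every field of the transaction travels in the clear and is captured, yet replay, forgery and post-signing tampering all fail at the issuer, and pre-signing tampering fails at the trusted display. Nothing in the model depends on hiding the account number, which is why the post says X9.59 removes the need to use SSL for that purpose.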

Near-perfection achieved by solar absorber

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Near-perfection achieved by solar absorber
Newsgroups: alt.folklore.computers
Date: Thu, 06 Nov 2008 08:34:29 -0500
from article ...
After a silicon surface was treated with Lin's new nanoengineered reflective coating, however, the material absorbed 96.21% of sunlight shone upon it -- meaning that only 3.79% of the sunlight was reflected and unharvested. This huge gain in absorption was consistent across the entire spectrum of sunlight, from UV to visible light and infrared, and moves solar power a significant step forward toward economic viability.

... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Would you say high tech authentication gizmo's are a waste of time/money/effort?

Refed: **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Would you say high tech authentication gizmo's are a waste of time/money/effort?
Date: November 6, 2008
Blog: Banking and Finance Technologies
re:
http://www.garlic.com/~lynn/2008p.html#21 Would you say high tech authentication gizmo's are a waste of time/money/effort?

One of the issues in the hardware token space was that most of the players view it as a profit item. We had taken the requirement given to the X9A10 financial standard working group fairly seriously.
http://www.garlic.com/~lynn/x959.html#x959

Rather than viewing hardware tokens as a profit item ... we viewed it as a cost item. We semi-facetiously commented that we would take a $500 milspec item and aggressively cost reduce it by 2-3 orders of magnitude while increasing the security. As a result we got the chip on the EPC/UPC RFID cost curve while improving the security (i.e. the chips that are supposed to replace barcodes on grocery store products).

We also did a lot of work on being able to support transition from an "institutional-centric" paradigm to a person-centric paradigm i.e. where the same chip could be used as *something you have* authentication everywhere ... analogous to how a *something you are* fingerprint might be used.

We claimed that if hardware tokens were ever to take off in the "institutional-centric" paradigm ... a person would be provided with a token replacement for every current pin, password, and key.

Transition to a person-centric paradigm easily reduces the number of tokens by two orders of magnitude (2-3 orders of magnitude reduction in token cost, 2-3 orders of magnitude reduction in number; 4-6 orders of magnitude aggregate infrastructure cost reduction)

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

In Modeling Risk, the Human Factor Was Left Out

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: In Modeling Risk, the Human Factor Was Left Out
Date: November 6, 2008
Blog: Financial Crime Risk, Fraud and Security
re:
http://www.cnbc.com/id/27554492

There are numerous old articles that wall street had been lying to their computers ... they fiddled the input until they got the desired output. Testimony in recent congressional hearings claimed that it amounted to fraud. The opportunity for fraud significantly increased when the rating agencies were being paid by toxic CDO issuers to produce the desired (triple-A) rating.

recent posts
http://www.garlic.com/~lynn/2008p.html#3
http://www.garlic.com/~lynn/2008p.html#8
http://www.garlic.com/~lynn/2008p.html#9

long winded, decade old post discussing some of the current problems:
http://www.garlic.com/~lynn/aepay3.htm#riskm

Toxic CDOs were used in a similar manner two decades ago during the S&L crisis to obfuscate underlying value ... so that part was well understood. The congressional hearings highlighted that in the current situation, that rating agencies were being paid for triple-A ratings (testimony claiming that amounted to fraud).

There have also been lots of comments that many institutions buying the toxic CDOs were using 30day short-term commercial paper. The long/short mismatch (alone) has been known (centuries) to take down institutions. Quote was that there was only marginal chance Lehman & Bear-Stearns could survive practicing long/short mismatch.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

How much knowledge should a software architect have regarding software security?

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: How much knowledge should a software architect have regarding software security?
Date: November 6, 2008
Blog: International Association of Software Architects
Depends on whether you are dealing with simple applications or services. We've claimed that taking a well tested & designed application and turning it into a "service" takes 4-10 times the original effort ... much of it related to dealing with various kinds of contingencies, failures, attacks, etc.

We had been called in to consult with small client/server startup that wanted to do payment transactions on their server and had this technology they invented called SSL that they wanted to use. Part of that deployment was something called a payment gateway ... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

and the result is now frequently called electronic commerce.

We leveraged our prior experience having done high-availability products for the payment gateway implementation and deployment ... misc. past posts mentioning ha/cmp
http://www.garlic.com/~lynn/subtopic.html#hacmp

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: November 6, 2008
Blog: Financial Crime Risk, Fraud and Security
some recent news items:

2008 Data Breaches: 30 Million and Counting
http://www.informationweek.com/financialservices/news/showArticle.jhtml?articleID=212501185

Working To Resolve Identity Theft
http://www.idtheftcenter.org/Press-Releases/identity-theft-1.html

ITRC Breach List Reaches All-Time High! At the end of the 3rd quarter of 2008, ITRC reports 516 breaches
http://www.idtheftcenter.org/artman2/publish/m_press/Breach_List_Reaches_All-time_High.shtml

Opinion: Card breaches shake faith in e-payments
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119359

past posts in this thread:
http://www.garlic.com/~lynn/2008p.html#11 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#14 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#15 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#18 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#19 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#22 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#28 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#32 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#44 Can Smart Cards Reduce Payments Fraud and Identity Theft?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Barbless

Refed: **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Barbless
Newsgroups: alt.folklore.computers
Date: Fri, 07 Nov 2008 09:15:26 -0500
re:
http://www.garlic.com/~lynn/2008p.html#43 Barbless

Date: 05/06/80 13:55:52
To: wheeler

Lynn, There will be a HYPERchannel meeting at STL Thur's morning. Are you interested in coming? A rep from NSC ( Network Systems Corp.) will be here to discuss their VM proposal and their hardware.


... snip ... top of post, old email index

STL had only been opened a few yrs and was already bursting at the seams, some reference to opening STL:
http://www.garlic.com/~lynn/2006.html#24 IBM up for grabs?
http://www.garlic.com/~lynn/2006r.html#21 50th Anniversary of invention of disk drives

I went to the meeting and then got dragged into completely rewriting the NSC software from scratch. The issue was 300 people from the IMS group were being relocated to an off-site bldg ... with their dataprocessing back into the STL datacenter. They had looked at standard "remote" 3270 ... but found operation to be totally unacceptable.

HYPERChannel was going to be used instead, to provide "channel extender" operation (over T1 link) ... and "local" 3270 support at the remote location. recent reference to the project (including image of logo used on the 3270 screen):
http://www.garlic.com/~lynn/2008m.html#20 IBM-MAIN longevity

HYPERChannel boxes consisted of A220s in the STL datacenter (interfaced to IBM mainframe channels), a pair of A710s (link "adapters" ... provided HYPERChannel interface to telco links), and A510s at the remote location (remote device adapter that emulated IBM mainframe channel and 3274 terminal controllers connected).

There was a problem with the A710s ... that they didn't bother to tell me for a while ... they operated half-duplex. It didn't show up with their software drivers since they only allowed very few concurrent operations. My complete rewrite eliminated a lot of serialization and really increased the number of concurrent operations. This had the effect of getting the A710s really confused ... sometimes once an hour or so, from which the boxes didn't recover very gracefully. When NSC finally let slip that the A710s were only half-duplex ... I had to go back and put in a lot of slow-down, pacing code. Eventually, NSC replaced the A710 link adapters with A715s which had full-duplex support.

A few yrs later, when some of the NAS/SAN stuff was going on ... I was periodically called as consultant to the people writing the mainframe drivers. There was a timing issue with supporting IBM CKD DASD over HYPERChannel ... and NSC came out with a A515 replacement for the A510 to address the disk timing issues.

Later, NSC came out with TCP/IP router box ... and I wrote the RFC 1044 support for the IBM mainframe TCP/IP product ... lots of past posts
http://www.garlic.com/~lynn/subnetwork.html#1044

part of the above mentions having trip to Cray Research to do some tuning on the implementation ... and the plane left SFO 20 minutes late ... but 5 minutes before the earthquake hit.

for RFC 1044 ... from my RFC index:
http://www.garlic.com/~lynn/rfcietff.htm


http://www.garlic.com/~lynn/rfcidx3.htm#1044
1044 S Internet Protocol on Network System's HYPERchannel: Protocol specification, Hardwick K., Lekashman J., 1988/02/01 (43pp) (.txt=100836) (STD-45) (Refs 826) (Ref'ed By 2626) (IP-HC)

some other past posts that may mention NSC &/or HYPERChannel
http://www.garlic.com/~lynn/subnetwork.html#hsdt

Over the yrs, HSDT project inherited all the NSC HYPERChannel boxes that had been in use around the corporation, and HSDT eventually had quite an inventory of NSC adapters of one sort or another in warehouses. At one point we were doing some stuff with UT Balcones research center ... and they were strapped for interconnect between their Cray and several other boxes. We managed to get permission to donate all the spare NSC boxes (that they were able to use) to Balcones.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Barbless

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Barbless
Newsgroups: alt.folklore.computers
Date: Fri, 07 Nov 2008 11:05:41 -0500
Anne & Lynn Wheeler <lynn@garlic.com> writes:
A few yrs later, when some of the NAS/SAN stuff was going on ... I was periodically called as consultant to the people writing the mainframe drivers. There was a timing issue with supporting IBM CKD DASD over HYPERChannel ... and NSC came out with a A515 replacement for the A510 to address the disk timing issues.

re:
http://www.garlic.com/~lynn/2008p.html#43 Barbless
http://www.garlic.com/~lynn/2008p.html#50 Barbless

NCAR was one of the locations in mid-80s, that I got calls from about IBM mainframe HYPERChannel software. Somewhat "recent" NCAR article
http://www.cisl.ucar.edu/news/06/0130.mss.jsp

some excerpts from above:
Ensuring that this enormous amount of information can be stored and accessed speedily, safely, and reliably by geoscientists around the world is the job of NCAR's Scientific Computing Division (SCD), which designed the MSS in the mid-1980s and has been extending its capabilities ever since.

...
HiPPI, a popular technology in the late 1980s to mid-1990s, was an early high-speed Local Area Network (LAN) protocol. Designed for connecting supercomputers and storage devices, it offered near-gigabit data transfer rates at a time when Ethernet was still rated at 10 megabits per second (Mbps) and leading-edge OC-3 technology was rated at 155 Mbps.

...
"Back in 1993, we needed a high-speed connection to the MSS, and HiPPI was the only technology available," says Merrill. "We'd been using HYPERchannel, which had a top data transfer rate of 50 megabits per second. HiPPI was faster and more flexible."

... snip ...

Note that hippi switch was needed for it to operate as LAN.

the article mentions that in the 60s, ncar supercomputer did 1.3mflops, which had increased to 8.3teraflops (at the time of the article, 2006).

I've mentioned before that in the early to mid 90s ... there was push to commercialize gov. technology ... and we got involved in these efforts in one way or another. LANL stuff got commercialized (by General Atomics) as DataTree, LLNL stuff got commercialized as Unitree, and work on commercializing NCAR's stuff as Mesa Archival. Besides working with LLNL on the Unitree effort ... we also spent some amount of time trying to help Mesa Archival.

As part of the push to commercialize gov. technology there was also relaxing some anti-trust provisions as part of setting up "consortiums". in the mid-90s we did some consulting with gov. person organizing FSTC ... recent reference to FSTC
http://www.garlic.com/~lynn/2008p.html#24 Why not build a shared services infrastructure to support the banking sector?

part of that was trying to figure out how to push some gov. smartcard technology into commercial market place ... health care, financial services, etc

misc. past posts mentioning Mesa Archival
http://www.garlic.com/~lynn/2001.html#21 Disk caching and file systems. Disk history...people forget
http://www.garlic.com/~lynn/2001.html#22 Disk caching and file systems. Disk history...people forget
http://www.garlic.com/~lynn/2001f.html#66 commodity storage servers
http://www.garlic.com/~lynn/2002e.html#46 What goes into a 3090?
http://www.garlic.com/~lynn/2002g.html#61 GE 625/635 Reference + Smart Hardware
http://www.garlic.com/~lynn/2003b.html#29 360/370 disk drives
http://www.garlic.com/~lynn/2003b.html#31 360/370 disk drives
http://www.garlic.com/~lynn/2003h.html#6 IBM says AMD dead in 5yrs ... -- Microsoft Monopoly vs. IBM
http://www.garlic.com/~lynn/2004d.html#75 DASD Architecture of the future
http://www.garlic.com/~lynn/2004p.html#29 FW: Is FICON good enough, or is it the only choice we get?
http://www.garlic.com/~lynn/2005e.html#12 Device and channel
http://www.garlic.com/~lynn/2005e.html#15 Device and channel
http://www.garlic.com/~lynn/2005e.html#16 Device and channel
http://www.garlic.com/~lynn/2005e.html#19 Device and channel
http://www.garlic.com/~lynn/2006n.html#29 CRAM, DataCell, and 3850
http://www.garlic.com/~lynn/2007j.html#47 IBM Unionization

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Serial vs. Parallel

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Serial vs. Parallel
Newsgroups: alt.folklore.computers
Date: Fri, 07 Nov 2008 11:17:07 -0500
timcaffrey@aol.com (Tim McCaffrey) writes:
The problems with parallel at these speeds are synchronizing the signals, since any little bend in the wire can throw you off, EMI noise/shielding (more wires, more EMI), and power. The serial protocol has been optimized to reduce EMI and power through some magic encoding tricks. Serial also reduces the size of the cable, which helps with physical layout.


http://www.garlic.com/~lynn/2008p.html#43 Barbless
http://www.garlic.com/~lynn/2008p.html#50 Barbless
http://www.garlic.com/~lynn/2008p.html#51 Barbless

part of the motherhood for SCI was that it allowed for turning half-duplex synchronous paradigm into parallel, full-duplex asynchronous operation. "bus" protocols got packetized (say SCSI commands) and sent off the outbound serial link. responses came back (asynchronously) on the inbound serial link. another touted "benefit" was electrical isolation.

similar claims were made for 9333 serial-copper. original 9333 was 80mbit/sec with packetized SCSI command ... but effective thruput (compared to SCSI) was much higher than just the raw speed ... since there could be significantly more concurrent active (and it was 80mbit/sec concurrent in each direction).

as before ... old post with reference to 9333
http://www.garlic.com/~lynn/95.html#13

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Query: Mainframers look forward and back

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Query: Mainframers look forward and back
Newsgroups: bit.listserv.ibm-main,alt.folklore.computers
Date: Fri, 07 Nov 2008 11:59:52 -0500
ibm system mag article done a couple yrs ago (slightly garbled some details):

Making History; Unofficial historian's dedication to the industry still thrives
http://www.ibmsystemsmag.com/mainframe/stoprun/Stop-Run/Making-History/

and of course, lots more at
http://www.garlic.com/~lynn/

some recent posts in "The Greater IBM" blogs (current and former IBMers)
http://www.garlic.com/~lynn/2008h.html#8a Using Military Philosophy to Drive High Value Sales
http://www.garlic.com/~lynn/2008i.html#63a DB2 25 anniversary: Birth Of An Accidental Empire
http://www.garlic.com/~lynn/2008j.html#74 Are we approaching a "tipping point" with regard to business travel?
http://www.garlic.com/~lynn/2008k.html#59 Happy 20th Birthday, AS/400
http://www.garlic.com/~lynn/2008m.html#88 Sustainable Web
http://www.garlic.com/~lynn/2008n.html#50 The Digital Dark Age or.....Will Google live for ever?
http://www.garlic.com/~lynn/2008n.html#60 Costing for IT Services
http://www.garlic.com/~lynn/2008o.html#10 Does anyone read the Greater IBM Connection Blog?
http://www.garlic.com/~lynn/2008o.html#46 Anyone still have access to VMTOOLS and TEXTTOOLS?
http://www.garlic.com/~lynn/2008o.html#49 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008o.html#54 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008o.html#61 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008o.html#63 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008o.html#66 Open Source, Unbundling, and Future System
http://www.garlic.com/~lynn/2008p.html#1 My Funniest or Most Memorable Moment at IBM
http://www.garlic.com/~lynn/2008p.html#2 Keeping private information private
http://www.garlic.com/~lynn/2008p.html#12 Discussions areas, private message silos, and how far we've come since 199x
http://www.garlic.com/~lynn/2008p.html#39 Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technologies?
http://www.garlic.com/~lynn/2008p.html#41 Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technologies?
http://www.garlic.com/~lynn/2008p.html#42 Password Rules

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Barbless

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Barbless
Newsgroups: alt.folklore.computers
Date: Fri, 07 Nov 2008 14:58:03 -0500
jmfbahciv <jmfbahciv@aol> writes:
Did they have the memos to back their claims?

remember ... "don't feed the troll" ... periodic scenario in the past ... one from spring 2007:
http://www.garlic.com/~lynn/2007h.html#10 The Perfect Computer - 36 bits?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: November 7th, 2008
Blog: Smart Cards Group
Some number of SAMs claim that they can cost reduce cards by 2/3rds ... i.e. there is still requirement to have some kind of authentication of the entity being dealt with. SAMs somewhat preserve the current paradigm where there is requirement to have both a strong end-point environment for the integrity of the operation as well as strong (if hardware token is being used) a something you have authentication device.

The X9A10 financial standard working group had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments. As a result, there were detailed, end-to-end threat and vulnerability studies of the various environments. Part of this resulted in the X9.59 financial standard protocol.
http://www.garlic.com/~lynn/x959.html#x959

The idea wasn't to start assuming the design had anything at all to do with a smartcard. The idea was to establish the end-to-end integrity requirements .. design a protocol that satisfied those end-to-end integrity requirements. After everything else was done ... there was some (something you have authentication, hardware token) specification of the (KISS) functions that met the necessary requirements.

In much of the current paradigm ... the focus is on armoring the end-point and then assumes the transaction exists in fairly safe environment the rest of the time. The end-to-end detailed threat and vulnerability studies showed that wasn't true (in part huge number of breaches). as a result, the x9.59 financial transaction protocol tweaks the paradigm and focuses on providing for (super lightweight and super strong) end-to-end integrity of the transaction.

This change in paradigm significantly mitigates the security requirements needed in much of the rest of the infrastructure (since the transaction now has its own security and integrity ... at the same time only marginally increasing the end-to-end payload and processing).

The change in paradigm then

1) simplifies (KISS) the requirements placed on the something you have authentication token ... other than purely focusing on increasing token integrity. The result is that first cut at pure circuit design to support the function is 20,000 circuits. This can be done in a chip that is almost as cheap as EPC/UPC RFID chip ... or as trivial embedded part of some other chip (significantly less expensive than traditional smartcards currently on the market).

2) requirement for the transaction end-point origin environment is now "is what the person sees, what the person actually deals with". This primarily requires trusted display. The KISS/simplification of X9.59 protocol means that a "trusted" end-point display can be done as "secure" POS terminal ... but can also be done with "trusted" end-point display in a private PDA/cellphone belonging to the entity.

recent post mentioning trusted display:
http://www.garlic.com/~lynn/2008p.html#32 Can Smart Cards Reduce Payments Fraud and Identity Theft?

one of the activities to validate the applicability of a fundamental (KISS) something you have authentication token .... that could be applicable across large number of different environments ... was to not only map it to x9.59 transactions for ALL retail payments (credit, debit, stored-value, POS, internet, e-commerce, transit, low-value, high-value, etc) .... but session-type operations.

the same exact authentication mechanism mapped to X9.59 was then mapped to both Kerberos and RADIUS ... various past posts discussing Kerberos
http://www.garlic.com/~lynn/subpubkey.html#kerberos
and RADIUS
http://www.garlic.com/~lynn/subpubkey.html#radius

there is some additional recent discussion in linkedin "Information Security" group discussion related to kansas city fed article .... also archived here
http://www.garlic.com/~lynn/2008p.html#23

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Barbless

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Barbless
Newsgroups: alt.folklore.computers
Date: Sat, 08 Nov 2008 10:14:31 -0500
jmfbahciv <jmfbahciv@aol> writes:
I just got confused again..was that switch a software or a hardware (where somebody had to flick a piece of metal or plastic).

re:
http://www.garlic.com/~lynn/2008p.html#43 Barbless
http://www.garlic.com/~lynn/2008p.html#51 Barbless

think star-wired ... like token-ring with MAUs ... a token-ring cat5 runs from central MAU to station. then ethernet did similar versions ... wire (now mostly cat5 or even cat6) running from central hub to each station.

Hippi (hardware) switch (software) programmed ... didn't require manual operation (much heavier cables than cat5).

for some topic drift ...

the (then) new research almaden bldg. had been built with lots of new cat5 for 16mbit token-ring (and wiring closets). however, it was very quickly discovered that (even) 10mbit ethernet (over cat5) had both lower latency and higher aggregate thruput (than 16mbit t/r).

in the late 80s, we had come up with 3-tier architecture and were out making pitches to customer executives ... including configuration comparisons between 10mbit (cat5) ethernet and 16mbit t/r (along with references to the almaden experience).

In that period, there was extensive corporate push behind SAA ... which had been periodically characterized as attempting to head-off 2-tier, client/server and preserve terminal emulation (and the extensive terminal infrastructure install base). We took lots of "barbs" from both SAA and T/R organizations ... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#3tier

misc. past posts referencing terminal emulation
http://www.garlic.com/~lynn/subnetwork.html#emulation

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

What happened in security over the last 10 years?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: What happened in security over the last 10 years?
Date: November 8, 2008 02:18 PM
Blog: Financial Cryptography
re:
https://financialcryptography.com/mt/archives/001107.html
http://www.garlic.com/~lynn/2008o.html#70 What happened in security over the last 10 years?

archive of some old email
http://www.garlic.com/~lynn/lhwemail.html

recent semi-humorous post
http://www.garlic.com/~lynn/2008p.html#42 Password Rules

also reference to undergraduate in the 60s
http://www.garlic.com/~lynn/2008o.html#67 Invitation to Join Mainframe Security Guru Group

I was blamed for computer conferencing on the internal network (larger than internet/arpanet from just about the beginning until possibly summer '85) in the late 70s and early 80s. Partially as result of that, a researcher was paid to sit in the back of my office for 9 months taking notes on how I communicated. They also got copies of all my incoming and outgoing email and logs of all instant messages. The result was also material for Stanford phd thesis (joint between language and computer AI) and some number of papers and books. recent reference
http://www.garlic.com/~lynn/2008o.html#49 Discussions areas, private message silos, and how far we've come since 199x

For another kind of reference
http://www.garlic.com/~lynn/2008p.html#27 Father of Financial Dataprocessing

Different kind of recent reference
http://www.garlic.com/~lynn/2008p.html#41 Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technologies?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Do soft certificates provide two factor authentication?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Do soft certificates provide two factor authentication?
Date: November 8, 2008
Blog: Information Security
hardware tokens have been used to protect the confidentiality of a private key. "soft certificates" represent significant terminology confusion ... since digital certificates are the mechanism for publishing information about public key. "soft" is likely referring to various (non hardware token) mechanisms attempting to protect the private key from being divulged.

asymmetric cryptography is technology where there are pair of keys, one key decodes what the other encodes.

public key is business process where one key of asymmetric pair is made public and the other key is kept confidential and never divulged.

certification authority and digital certificates are business process for publishing information related to public key ... design point is the letters of credit/introduction from sailing ship days ... where the relying party has no other recourse to information regarding the party associated with the key pair (in first time communication with complete stranger).

Multi-factor authentication is nominally assumed to represent better security when the different factors are subject to independent threats and vulnerabilities.

Encrypted software containers protecting private key are analogous to hardware containers protecting the private key. Guessing a PIN to break an encrypted software container is equivalent to breaking a hardware token.

Software containers are frequently much more vulnerable than hardware tokens ... in part because software containers frequently can be easily cloned w/o the owners knowledge. various kinds of trojans and viruses frequently represent a common vulnerability to encrypted software container (since they can obtain PIN and decrypted contents). there has been quite a bit in the news recently about large percentage of the PCs on the internet have been compromised.

Archived post from thread in (linkedin) Smart Cards & Payments groups on subject "Can Smart Cards Reduce Payments Fraud and Identity Theft?"
http://www.garlic.com/~lynn/2008p.html#28
http://www.garlic.com/~lynn/2008p.html#32
http://www.garlic.com/~lynn/2008p.html#55

Nominally, a PIN is countermeasure to lost/stolen token (multi-factor, independent threat/vulnerability) ... as in "PIN-debit" financial transactions. A PIN for (private key) encrypted software container would be countermeasure to lost/stolen laptop (where the laptop information isn't otherwise encrypted).

The issue is that infected/compromised PCs are generally a much larger threat .... where the private key & PIN can be "stolen" w/o the owner even being aware (and represents a single/common threat/vulnerability).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
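The post above contrasts a PIN-protected "soft" container with a hardware token: guessing the PIN is the same work in both cases, but a software container can be copied without the owner noticing, which turns PIN guessing into an unobserved offline activity. The following model is an added example, not code from the post or from any product it mentions. The container format, the XOR "wrap" (a toy stand-in for a real key-wrap cipher), the low KDF iteration count and the three-try lockout are all constructed for the demonstration.

```python
"""Constructed model: PIN guessing against a cloned software container vs a hardware token."""
import copy
import hashlib
import hmac
import os

KDF_ITERATIONS = 100  # deliberately low so the demo runs in seconds; real containers use far more
PIN_SPACE = [f"{i:04d}" for i in range(10_000)]  # every 4-digit PIN, in order


def derive_kek(pin: str, salt: bytes) -> bytes:
    """PIN -> key-encryption key (standard PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, 32)


def toy_wrap(kek: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 keystream; a toy stand-in for AES key wrap, not for production use."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(kek + bytes([i])).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


class SoftwareContainer:
    """Private key encrypted under a PIN-derived key and stored as an ordinary file."""

    def __init__(self, private_key: bytes, pin: str):
        self.salt = os.urandom(16)
        kek = derive_kek(pin, self.salt)
        self.blob = toy_wrap(kek, private_key)
        # check value lets a wrong PIN be recognised, as real containers do
        self.check = hmac.new(kek, b"container-check", hashlib.sha256).digest()

    def unlock(self, pin: str):
        kek = derive_kek(pin, self.salt)
        probe = hmac.new(kek, b"container-check", hashlib.sha256).digest()
        if not hmac.compare_digest(probe, self.check):
            return None
        return toy_wrap(kek, self.blob)

    def clone(self):
        """A file copy: nothing in the container records that it happened."""
        return copy.deepcopy(self)


class HardwareToken:
    """Key never leaves the device; a retry counter limits PIN attempts; no export."""

    MAX_TRIES = 3

    def __init__(self, private_key: bytes, pin: str):
        self._key = private_key
        self._pin = pin
        self.failed = 0
        self.locked = False

    def unlock(self, pin: str):
        if self.locked:
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.failed += 1
            if self.failed >= self.MAX_TRIES:
                self.locked = True
            return None
        self.failed = 0
        return b"<signing enabled; key stays inside the token>"

    def clone(self):
        raise PermissionError("key material is not exportable")


def guess_pin(target, candidates):
    """Returns (attempts made, key or None) once the target opens or locks."""
    for n, pin in enumerate(candidates, 1):
        key = target.unlock(pin)
        if key is not None:
            return n, key
        if getattr(target, "locked", False):
            return n, None
    return len(candidates), None


def compare(pin: str = "7359") -> dict:
    """Run the same guessing loop against a stolen container copy and a hardware token."""
    secret = os.urandom(32)
    soft = SoftwareContainer(secret, pin)
    hard = HardwareToken(secret, pin)
    stolen_copy = soft.clone()  # e.g. lifted from a laptop image or by malware
    soft_tries, soft_key = guess_pin(stolen_copy, PIN_SPACE)
    hard_tries, hard_key = guess_pin(hard, PIN_SPACE)
    try:
        hard.clone()
        hard_clonable = True
    except PermissionError:
        hard_clonable = False
    return {
        "soft_tries": soft_tries,
        "soft_recovered_key": soft_key == secret,
        "original_container_unchanged": soft.unlock(pin) == secret,  # owner sees no trace
        "hard_tries": hard_tries,
        "hard_recovered_key": hard_key is not None,
        "hard_locked": hard.locked,
        "hard_clonable": hard_clonable,
    }
```

Running compare() shows the asymmetry the post describes: the copied container yields the key after working through the PIN space while the original container is untouched, whereas the token locks after three wrong PINs and refuses to be copied at all. The only lever the software side has is KDF cost and PIN length, which is why the post treats an infected PC (where the PIN is typed and the container is read) as the larger threat.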

Can Smart Cards Reduce Payments Fraud and Identity Theft?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Can Smart Cards Reduce Payments Fraud and Identity Theft?
Date: November 9, 2008
Blog: Smart Cards Group
One of the issues mentioned in one of the references (about various metaphor attempting to describe the risks, threats and vulnerabilities)
http://www.garlic.com/~lynn/2008p.html#7 Dealing with the neew MA ID protection law

is where some sort of account number (or SSN) can be used w/o independent authentication ... from the mentioned reference:

dual-use vulnerability metaphor
account number is required in a large number of different business processes and is required to be readily available. at the same time the account number has to be kept strictly confidential and never divulged to anybody (not even those needing it for business processes, since insiders have repeatedly been shown to be the major source of identity theft). we've claimed that even if the planet was buried under miles of information hiding encryption, that it wouldn't be sufficient to prevent information leakage.

... snip ...

point-solution two-factor authentication, by itself isn't necessarily a complete solution if there are any places in the infrastructure where operations can be performed w/o always requiring that authentication (not necessarily just the single backend ... but possibly large number of operations between the origin and the final backend). This is the "naked transaction" metaphor ... where there is point authentication that is independent from the actual transaction ... large number of references and posts here:
http://www.garlic.com/~lynn/subintegrity.html#payments

Another scenario is parameterised risk management ... after separating the information used in the business processes from authentication (i.e. "dual-use" metaphor) then the level of authentication/security needed for any specific operation becomes a separate issue.

Multi-factor authentication is normally considered more secure when the different factors have independent threats & vulnerabilities. For instance, PINs are normally considered countermeasure to lost/stolen token. However, breaches are currently significantly larger threat/vulnerability than lost/stolen tokens.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
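Both the Nov 7th post on the X9.59 design point (end-to-end integrity of the transaction rather than armoring the end-point) and the post above ("dual-use" account numbers and "naked transactions" authenticated at one point but not bound to the transaction) reduce to the same question: does the authentication travel with the transaction contents? The following is an added example, not code from the posts or from the X9.59 standard. It uses HMAC with a per-account secret as a stand-in for the public-key signature the real protocol relies on, so that it runs on the Python standard library alone; the account, PIN, merchant ids and the "tamper in transit" hop are all constructed for the demonstration.

```python
"""Point authentication vs transaction-bound authentication (constructed example)."""
import hashlib
import hmac
import json
import secrets

# Constructed demo data: one account, its PIN, and the secret its
# "something you have" token shares with the issuer (HMAC stand-in for a key pair).
ACCOUNT = "ACCT-0001"
PINS = {ACCOUNT: "4711"}
TOKEN_KEYS = {ACCOUNT: b"constructed-demo-token-secret"}


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so token and issuer sign/verify identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def token_sign(account: str, tx: dict) -> str:
    """The holder's token authenticates the transaction itself (amount, merchant, nonce)."""
    return hmac.new(TOKEN_KEYS[account], canonical(tx), hashlib.sha256).hexdigest()


class PointAuthBackend:
    """Current paradigm: authenticate the end-point once, then trust the session."""

    def __init__(self):
        self.sessions = {}

    def login(self, account: str, pin: str):
        if PINS.get(account) != pin:
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = account
        return sid

    def submit(self, sid, tx: dict) -> bool:
        # Anything arriving on an authenticated session is accepted; nothing
        # binds the earlier authentication to the contents of this transaction.
        return self.sessions.get(sid) == tx["account"]


class TransactionAuthBackend:
    """X9.59-style: every transaction carries its own authentication."""

    def __init__(self):
        self.seen_nonces = set()

    def submit(self, tx: dict, signature: str) -> bool:
        key = TOKEN_KEYS.get(tx["account"])
        if key is None:
            return False
        expected = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False          # contents changed, or no token was involved
        if tx["nonce"] in self.seen_nonces:
            return False          # replay of a previously accepted transaction
        self.seen_nonces.add(tx["nonce"])
        return True


def tamper_in_transit(tx: dict) -> dict:
    """Models a compromised hop between origin and backend altering the amount."""
    altered = dict(tx)
    altered["amount"] = tx["amount"] * 100
    return altered


def run_scenarios() -> dict:
    tx = {"account": ACCOUNT, "merchant": "M-42", "amount": 1999, "nonce": "n1"}
    results = {}

    point = PointAuthBackend()
    sid = point.login(ACCOUNT, PINS[ACCOUNT])          # strong auth at the end-point ...
    results["point_auth_accepts_tampered"] = point.submit(sid, tamper_in_transit(tx))

    bound = TransactionAuthBackend()
    sig = token_sign(ACCOUNT, tx)
    results["bound_accepts_original"] = bound.submit(tx, sig)
    results["bound_accepts_tampered"] = bound.submit(tamper_in_transit(tx), sig)
    results["bound_accepts_replay"] = bound.submit(tx, sig)
    # A harvested account number alone (breach, insider) cannot produce a valid signature,
    # which is what makes the number "dual-use" safe to leave in business processes.
    harvested = {"account": ACCOUNT, "merchant": "M-99", "amount": 5000, "nonce": "n2"}
    results["bound_accepts_unsigned_harvest"] = bound.submit(harvested, "0" * 64)
    return results
```

With point authentication the backend has no way to tell that the amount was changed after the PIN was entered; with the authentication bound to the transaction, tampering, replay and a bare harvested account number are all rejected by the same check, and the hops in between no longer need to be trusted for integrity.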

Did sub-prime cause the financial mess we are in?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Did sub-prime cause the financial mess we are in?
Date: November 9, 2008
Blog: Derivatives Markets
If properly rated ... there would have been only a limited amount of money to fund subprime mortgages. Being able to package subprime mortgages as toxic CDOs and sell them off, enormously increased the amount of money for writing subprime mortgages. CDOs had been used in this manner two decades ago in the S&L crisis to obfuscate the underlying values.

The influx of funds (into subprime mortgages) provided enormous fuel for speculators to greatly inflate prices in the home owner market (no-document, no-downpayment, 1-2% introductory rate ARM with possibly interest only payments, speculators planning on flipping the property before the rate adjusted; looking at 2000% ROI or better). Plotting prices in home owner market back to 1970 (as well as home owner prices as percent of avg. salary) shows an ugly pimple/boil corresponding to the big speculation runup ... which has only about half-way deflated.

This was further aggravated with triple-A ratings being given the toxic CDOs. In recent congressional testimony, both the toxic CDO issuers and the rating agencies knew that the toxic CDOs weren't worth triple-A rating ... but the toxic CDO issuers were paying the rating agencies for the triple-A rating.

These triple-A ratings for toxic CDOs also created confidence crisis regarding ratings ... and left prospective buyers wondering what they were getting in any rated financial instrument (froze the general bond market earlier this year, Warren Buffett stepped in to back muni-bonds to compensate for rating trust crisis).

There have also been lots of comments that many institutions buying the (triple-A rated) toxic CDOs were using 30day short-term commercial paper. The long/short mismatch (alone) has been known (for centuries) to take down institutions. Quote was that there was only marginal chance Lehman & Bear-Stearns could survive practicing long/short mismatch (even if the toxic CDOs had deserved the triple-A rating).

There have been reports that wallstreet gave out $137B in bonuses during this period .... reward for having created the situation? Presumably at least part of the $700B bailout would be to replenish the funds taken out of the infrastructure by these bonuses.

much longer discussion in answer to "Global Melt Down" question (in Corporate Governance) .... archived here
http://www.garlic.com/~lynn/2008p.html#8

to some extent ... relaxing &/or elimination of regulation allowed individual hotbeds of greed and corruption to combine in systemic ways and turn into a firestorm ... also discussed in this answer "Who murdered the financial system?" (in Currency Markets) also archived here:
http://www.garlic.com/~lynn/2008o.html#78

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Serial vs. Parallel

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Serial vs. Parallel
Newsgroups: alt.folklore.computers
Date: Sun, 09 Nov 2008 18:26:00 -0500
"Del Cecchi" <delcecchiofthenorth@gmail.com> writes:
You forgot the true and original, fibre channel, still widely used and the physical basis for most all of the others from iscsi and InfiniBand to SATA and USB etc. Firewire was in there too. And the Telecom guys did their thing as well.

re:
http://www.garlic.com/~lynn/2008p.html#52 Serial vs. Parallel

i've got a lot of old mailing list logs from fiber channel working group ... there was a lot of contention from mainframe channel people about getting higher level FCS 3&4 defined (simulate bus&tag half-duplex ala ESCON, currently referred to as FICON) .... as opposed to much more asynchronous, full-duplex operation.

related to this post mentioning meeting jan92
http://www.garlic.com/~lynn/95.html#13
and cluster scaleup work
http://www.garlic.com/~lynn/lhwemail.html#medusa

and old item from some FCS news collection ... note this was long after we had been told we couldn't work on anything with more than four processors:

3. IBM will enhance its RS/6000 clusters this year by providing optical channels between systems. Ancor Communications will provide the optical communications between machines that can be located up to 2 kilometers apart. Phil Hester, AWD Vice President, said that this technology will be Beta tested by year's end. "Loosely-coupled RS/6000s have the ability to scale well beyond the power of ES9000 mainframes" said Stu Skomra, vice president of marketing at ILAN Inc., a network integrator that uses RS/6000s, "but the downside to this is that there is no single system image for systems administration." IBM has yet to detail a strategy that allows clusters to be managed administratively by a single image.
Source: System & Network Integration  Date: June 29, 1992  Page: 12
... snip ...

as noted before, long ago & far away ... Anne had been con'ed into going to POK to be in charge of (mainframe) loosely-coupled architecture. While there, she did peer-coupled shared data architecture ... which (except for IMS hot-standby) saw little uptake until (mainframe) sysplex.
http://www.garlic.com/~lynn/submain.html#shareddata

and misc. past posts mentioning our ha/cmp product
http://www.garlic.com/~lynn/subtopic.html#hacmp

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Barbless

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Barbless
Newsgroups: alt.folklore.computers
Date: Sun, 09 Nov 2008 20:49:58 -0500
Anne & Lynn Wheeler <lynn@garlic.com> writes:
Transitioning that to HiPPI, HiPPI switch, and IPI disks ... required feature allowing "intelligent NAS/SAN server" to setup "3rd-party" transfers. The HiPPI switch also required "permission" features that dictated which components were allowed to communicate with other components.

re:
http://www.garlic.com/~lynn/2008p.html#43 Barbless
http://www.garlic.com/~lynn/2008p.html#51 Barbless
http://www.garlic.com/~lynn/2008p.html#56 Barbless

from long ago and far away:
Date: Mon, 22 Oct 90 09:17:01 -0600
From: "*Donald Tolmie" <tolmie_donald_e%ofvax@LANL.GOV>
Subject: Agenda for Austin HIPPI Working Group Meeting

Enclosed is a draft agenda for the HIPPI working group meeting in Austin, Texas, on October 30-31. As always, this draft agenda can be changed at the meeting to include other items and presentations, or re-order items. Specific comments on different items include:

HIPPI-FP is about ready to forward. At the Ft. Lauderdale meeting an optional CRC was voted down. The document needs to have annexes A and B reviewed on a line-by-line basis, otherwise it seems complete. (Annex A is the pseudo code.) The current draft is Rev 2.7, dated Sept. 19, 1990. This was included in the last X3T9.3 mailing, and is also available via FTP from network.com.

HIPPI-LE is also about ready to forward. It was reviewed in detail at a separate HIPPI-LE working group meeting in Ft. Lauderdale. It is also available via FTP.

HIPPI-MI did not get any action in Ft. Lauderdale. Bob Beach said that he would have a new document, based on a "minimalist" approach, for consideration in Austin. Bob also said that this new document would be available before the meeting via FTP, with the new version being announced over e-mail.

HIPPI-SC should generate some lively discussion. In Ft. Lauderdale the "Switch behavior" wording in clause 5, proposed by Jim Hughes, generated some interesting comments. This discussion will continue in Austin. We will also review the changes to Annex B as the result of the "flat addressing" change.

HIPPI-IPI is being carried as a place holder, most of the work is currently being done via changes to the IPI-3 Disk document.

At the Ft. Lauderdale meeting, Clive Towndrow of PSITECH raised the question of whether people would be interested in standardizing a command set for frame buffers. Clive will present something in Austin, and then we will need to decide if we want to pursue it or not.

See you in Austin. - Don Tolmie - det@lanl.gov


... snip ... top of post, old email index

the above mentions Jim Hughes, an employee of network systems ... and somebody I worked with a decade earlier in 1980 on HYPERchannel.
http://www.garlic.com/~lynn/2008m.html#20 IBM-MAIN longevity
http://www.garlic.com/~lynn/2008p.html#50 Barbless

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Shedding light on solar cell technology

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Shedding light on solar cell technology
Newsgroups: alt.folklore.computers
Date: Mon, 10 Nov 2008 08:30:00 -0500
re:
http://www.garlic.com/~lynn/2008p.html#45 Near-perfection achieved by solar absorber

Shedding light on solar cell technology
http://www.eetimes.com/document.asp?doc_id=1281232

other recent articles:

Record High Performance With New Solar Cells
http://www.sciencedaily.com/releases/2008/11/081103124224.htm
Solar Roofing Materials
http://www.technologyreview.com/news/410814/solar-roofing-materials/
Panasonic-Sanyo deal focused on solar cells and batteries for hybrid cars
http://www.eetimes.com/document.asp?doc_id=1169715
Tiny solar cells provide big power for nanosensors
http://www.tgdaily.com/content/view/43890/108/
Miniature Solar Cells Much Smaller Than This: o
http://www.wired.com/wiredscience/2008/11/miniature-solar/
Small, Flexible Solar Cells May Bring New Energy Opportunities
http://www.redorbit.com/news/science/1598834/small_flexible_solar_cells_may_bring_new_energy_opportunities/index.html/


Do you feel secure with your bank's online banking service?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Do you feel secure with your bank's online banking service?
Date: November 10, 2008
Blog: Equity Markets
somewhat related reference here:

Web Security hasn't moved since 1995:
http://financialcryptography.com/mt/archives/001107.html

We had worked with these two people on large database scaleup ... old posting with reference to some of the work in the early 90s
http://www.garlic.com/~lynn/95.html#13

then they left and joined this small client/server startup ... and we were brought in to consult because the startup wanted to do payment transactions on their server ... the startup had also invented this technology called SSL which they wanted to use for the application. Part of the deployment is something called a payment gateway ... lots of past posts reference here
http://www.garlic.com/~lynn/subnetwork.html#gateway

and the result is now frequently called electronic commerce.

A different kind of reference about dialup online banking (from the 80s) moving to the internet in the mid-90s ... discussed in answer archived here:
http://www.garlic.com/~lynn/2008o.html#2


Barbless

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Barbless
Newsgroups: alt.folklore.computers
Date: Mon, 10 Nov 2008 13:36:17 -0500
David Powell <ddotpowell@icuknet.co.uk> writes:
Unfortunately, we can stuff a million transistors on a chip these days and few can resist that temptation, so say good-bye to the KISS serial techniques of the good old days. USB, in particular, is far too complex for its own good.

there was a separate issue with serial-port (rs232) interface.

in the mid-90s, there were conference presentations that a major motivation for moving online banking to the internet was getting out of significant customer support problems (for banks) related to serial-port (modems). there was a presentation talking about a dialup online banking operation with an inventory of over 60 different modem drivers for a wide variety of customer configurations ... and there still being significant customer support issues (and expense). moving to the internet ... both 1) offloaded that customer support to the ISPs and 2) ISPs were able to amortize support across all the customers' online activities.

then around the start of the decade, there was a large attempt to introduce (payment) smartcards for home/online use into the market. as part of that effort there was distribution of a large number of serial-port card readers ... which turned out to be a major disaster ... with enormous customer support problems (blue screen of death, customers having to re-install the operating system from scratch, etc). as a result the effort was fairly quickly aborted ... along with a rapidly spreading opinion that smartcards weren't practical in the consumer market.

detailed after action reviews showed that it wasn't a problem with the smartcards ... but with the distributed serial-port smartcard readers and associated support problems with serial-port configuration.

this somewhat highlighted ephemeral institutional knowledge disappearing in the few yrs between the time the industry moved online banking to the internet and the disastrous attempt to deploy large number of serial-port smartcard readers.

some part of the design of USB was to address the configuration problems with serial-port.

some recent discussions regarding smartcards in the consumer market:
http://www.garlic.com/~lynn/2008p.html#11 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#18 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#28 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#31 FC5 Special Workshop CFP: Emerging trends in Online Banking and Electronic Payments


Happy 30th Birthday!

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Happy 30th Birthday!
Newsgroups: comp.sys.ibm.sys3x.misc,comp.sys.ibm.as400.misc,alt.folklore.computers
Date: Tue, 11 Nov 2008 08:06:04 -0500
"Tony Toews [MVP]" <ttoews@telusplanet.net> writes:
Haven't done a lot of work on the S/34, S/36, S/38 and AS/400 in the very late 70s and throughout the '80s I was always curious about the history of the FS project. We heard that code word but that was about it.

recent post in "Greater IBM" blog in thread about as/400 20th b'day
http://www.garlic.com/~lynn/2008k.html#59 Happy 20th Birthday, AS/400

recent post in "Greater IBM" blog mentioning Future System
http://www.garlic.com/~lynn/2008o.html#66 Open Source, Unbundling, and Future System

slightly tangential post on subject of security for FS documents (in a linkedin blog):
http://www.garlic.com/~lynn/2008o.html#67 Invitation to Join Mainframe Security Guru Group


Web Security hasn't moved since 1995

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Web Security hasn't moved since 1995
Date: November 11, 2008
Blog: Greater IBM
Web Security hasn't moved since 1995:
http://financialcryptography.com/mt/archives/001107.html

We had worked with these two people on large database scaleup ... old posting with reference to some of the work in the early 90s
http://www.garlic.com/~lynn/95.html#13

then they left and joined this small client/server startup ... and we were brought in to consult because the startup wanted to do payment transactions on their server ... the startup had also invented this technology called SSL which they wanted to use for the application. Part of the deployment is something called a payment gateway ... lots of past posts reference here
http://www.garlic.com/~lynn/subnetwork.html#gateway

and the result is now frequently called electronic commerce.

for some archeological background:

GML was invented by "G", "M", & "L" ... misc. past posts
http://www.garlic.com/~lynn/submain.html#sgml

in 1969 at the science center ... misc. past posts
http://www.garlic.com/~lynn/subtopic.html#545tech

and later standardized as SGML.

Later, a clone of CMS SCRIPT command (from waterloo) morphed into HTML at CERN ... some details
http://infomesh.net/html/history/early/

CMS SCRIPT command had been done in the mid-60s ... as part of cp67/cms ... as flavor of CTSS document formatting RUNOFF command. Later GML tag support was added to the command.

In addition to GML being invented at the science center ... the science center was also responsible for (virtual machine) cp67/cms system as well as the internal network technology (which was larger than internet/arpanet from nearly the beginning until possibly mid-85) ... some past posts
http://www.garlic.com/~lynn/subnetwork.html#internalnet

the first webserver outside europe/cern was on (cern's "sister" lab) SLAC's vm/cms system
http://www.slac.stanford.edu/history/earlyweb/history.shtml

some recent related posts
http://www.garlic.com/~lynn/2008d.html#15 more on (the new 40+yr old) virtualization
http://www.garlic.com/~lynn/2008e.html#47 System z10 announcement (in English)
http://www.garlic.com/~lynn/2008j.html#86 CLIs and GUIs
http://www.garlic.com/~lynn/2008m.html#58 Blinkylights

for random W3C trivia ... their office is less than half mile from the old science center location (W3C previous location at 32 Vassar St was barely a block away)

...

After having worked on what is now frequently called "electronic commerce" ... we were invited to participate in the X9A10 financial standard working group which in the mid-90s had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments (POS, internet, face-to-face, unattended, credit, debit, stored-value, ACH, i.e. ALL). The result was the x9.59 financial standard some refs
http://www.garlic.com/~lynn/x959.html#x959

Part of the work involved detailed, end-to-end, threat & vulnerability studies of the various environments. We've come up with some metaphors (characterizing the current system that x9.59 fixed):
http://www.garlic.com/~lynn/2008p.html#7 Dealing with the neew MA ID protection law

The major use of SSL in the world today is this electronic commerce stuff to hide details about transactions (since crooks can use the information to perform fraudulent transactions). One of the things that X9.59 did was tweak the paradigm to eliminate that threat (i.e. doesn't eliminate data breaches, eavesdropping, skimming, ... but eliminates the threat of fraudulent transactions that result from data breaches, eavesdropping, skimming).

Some of that is discussed in this thread about kansas city fed paper "Can Smart Cards Reduce Payments Fraud and Identity Theft?" (which also mentions x9.59 )
http://www.garlic.com/~lynn/2008p.html#11
http://www.garlic.com/~lynn/2008p.html#28


"The Register" article on HP replacing z

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: "The Register" article on HP replacing z
Newsgroups: bit.listserv.ibm-main
Date: Tue, 11 Nov 2008 16:03:46 -0500
Rex.Pommier@CNASURETY.COM (Pommier, Rex R.) writes:
I concur also. I wonder what year my company was included in the "250 per 2 years" statistic. We brought in a brand-spanking-new HP superdome back in 2001 as our mainframe (a 7060H50!!) killer. As per my CTO back then "don't do any maintenance to the mainframe because it will be gone in 3 years". You can guess the rest. Our z9-BC is running happily; the superdome is in the process of being replaced by newer, smaller (physically) HP-UX boxes, and the "get off the mainframe" project has been shelved.

superdome involved some people that had been involved in the ibm risc group. it was somewhat positioned as a more cost-effective (convex) Exemplar.

SCI was commodity (NUMA) shared memory scaleup technology ... somewhat out of SLAC. DG & Sequent had done NUMA 256 processor machines (64-port SCI, with 64 boards & four 486 processors per board). IBM later bought Sequent. Convex had done NUMA 128 processor machines (64-port SCI, with 64 boards & two HP RISC processors per board). HP bought Convex ... and superdome was somewhat positioned as a more cost-effective Exemplar. SGI also did SCI NUMA machines with MIPS RISC processors.

Part of the issue has been the programming complexity to take advantage of NUMA architectures ... not unlike all the current stuff about how to migrate traditional desktop software to take advantage of multi-core processors.

There are also still a large number of issues with regard to maturity level of all the u*ix systems for business critical dataprocessing vis-a-vis legacy commercial systems. This is less of an issue when there is a large DBMS or other large application subsystem (possibly in a single, dedicated environment) that masks underlying operating system characteristics.


ATM PIN through phone or Internet. Is it secure? Is it allowed by PCI-DSS?, Visa, MC, etc.?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: ATM PIN through phone or Internet. Is it secure? Is it allowed by PCI-DSS?, Visa, MC, etc.?
Date: November 11, 2008
Blog: Payment Systems Network
NACHA had done "pin-debit" trial ... which was declared a success ... however it got caught in the period when there was a rapidly spreading opinion that smartcards weren't practical in the consumer market.

We weren't members of NACHA ... but we got somebody from NSCC to submit our proposal ... over the years we had worked with a large number of parties in and around Manhattan ... slightly related recent post:
http://www.garlic.com/~lynn/2008p.html#27 Father Of Financial Dataprocessing

copy of the NACHA submission:
http://www.garlic.com/~lynn/nacharfi.htm

The pilot was eventually declared a rousing success ... reference
http://web.archive.org/web/20070706004855/http://internetcouncil.nacha.org/News/news.html
and document here:
http://internetcouncil.nacha.org/docs/ISAP_Pilot/ISAPresultsDocument-Final-2.PDF

some related recent discussion (in this group) about Kansas City Fed paper about "Can Smart Cards Reduce Payments Fraud and Identity Theft?"

also reference archived here:
http://www.garlic.com/~lynn/2008p.html#65


Is there any technology that we are severely lacking in the Financial industry?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Is there any technology that we are severely lacking in the Financial industry?
Date: November 11, 2008
Blog: Banking and Finance Technologies
many articles indicate there was lots of risk analysis software .... it was that people were providing bad data in order to obtain the desired results ... some older articles:

How Wall Street Lied to Its Computers
http://bits.blogs.nytimes.com/2008/09/18/how-wall-streets-quants-lied-to-their-computers/
Subprime = Triple-A ratings? or 'How to Lie with Statistics' (gone 404 but lives on at the wayback machine)
https://web.archive.org/web/20071111031315/http://www.bloggingstocks.com/2007/07/25/subprime-triple-a-ratings-or-how-to-lie-with-statistics/

in recent congressional testimony, both the toxic CDO issuers and the rating agencies knew that the toxic CDOs didn't deserve triple-A ratings ... but the toxic CDO issuers were paying the rating agencies to give them triple-A ratings anyway.

there have been articles that many of the institutions buying triple-A rated toxic CDOs were leveraging short term commercial paper. It has been known for long time (in some cases centuries) that long/short mismatch takes down institutions. The comment was that neither Bear Stearns nor Lehman Brothers had more than a marginal chance of survival when funding 30 year sub-prime mortgage loans with thirty day borrowings (potentially even dealing with toxic CDOs that deserved the triple-A ratings)

San Fran FED article from 2000 discussing long/short mismatch problems:
http://www.frbsf.org/economic-research/publications/economic-letter/2000/september/short-term-international-borrowing-and-financial-fragility/

article from last year about many financial institutions carrying such transactions offbalance (and there may be quite a bit still lurking):
http://www.forbes.com/2007/11/13/citigroup-suntrust-siv-ent-fin-cx_bh_1113hamiltonmatch.html

long-winded, decade old posting discussing some of the current problems
http://www.garlic.com/~lynn/aepay3.htm#riskm


Password Rules

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Password Rules
Date: November 12, 2008
Blog: Greater IBM
re:
http://www.garlic.com/~lynn/2008p.html#42 Password Rules

I like the punch line in the april first "password rules" better.

upper/lower/digits offers 26+26+10 ... rounded up to 64 or 2**6 per character. eight chars of purely random is 2**56 possibilities ... or nearly the same as DES (encryption) key. Brute force attacks (try all possible) on DES keys takes less than a day and is considered broken. characteristic of human factors is that actual choice for passwords is frequently from a couple thousand possibilities. attackers know this and use the list of those couple thousand to try first.

normally, "password rules" try to eliminate the (few) easy guesses ... but hopefully still leave trillions and trillions of possibilities (that attackers have to guess from). the "punch line" explores the possibility that "password rules" might be so comprehensive that the number of allowable passwords is significantly reduced.

slightly related "6670" item from "What's your funniest memory of life at IBM?" thread at www.ibmconnection.com:

6670 Separator page

SJR got some early 6670s (basically copier3 with computer hookup) and did driver that included putting random quotes on the separator page. These machines were placed around the building (normally in each department's supply room). The random quotes were drawn from two files ... a copy of the "ibmjargon" file and a separate file with a collection from numerous sources.

Not long afterwards there was a corporate audit ... which was somewhat contentious. They wanted all "demo" programs (frequently "games" by any other name) removed from the corporate computers and a few of us made the case that these "demo" programs had valid corporate education purposes (which didn't make the auditors very happy).

They also did after hour audits of whether classified material was being left out (and/or being printed and left on the 6670s around the building). They found one (non-classified) output on the top of one of the departmental 6670s with the following on the separator page:

[Business Maxims:] Signs, real and imagined, which belong on the walls of the nation's offices:
1) Never Try to Teach a Pig to Sing; It Wastes Your Time and It Annoys the Pig.
2) Sometimes the Crowd IS Right.
3) Auditors Are the People Who Go in After the War Is Lost and Bayonet the Wounded.
4) To Err Is Human -- To Forgive Is Not Company Policy.


... which they tried to claim we had done on purpose.

....

above also referenced in post to "Using Military Philosophy to Drive High Value Sale" in "xing" Greater IBM Connection ... archived here:
http://www.garlic.com/~lynn/2008h.html#8a


Alternative credit card network

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Alternative credit card network
Date: November 13, 2008
Blog: Credit Card Professionals
There are a number of aspects of "network" .... part of it effectively can be characterized as interconnection ... representative by the numerous "value added networks" that cropped up in the 70s and 80s.

One of the results of the increasing prevalence of the internet in the 90s ... was that these legacy "value added networks" were obsoleted.

One of the remaining features of the "value added networks" ... is that the physical installations ... still may provide some additional level of security and confidence compared to the wild anarchy associated with internet connections.

Advances in internet authentication and connectivity technology will tend to eliminate such differentiation.

Some of that appears to be somewhat in stasis ... not making a whole lot of progress. Part of that is referenced in various "Web Security hasn't moved since 1995" discussions ... some archived here:
http://www.garlic.com/~lynn/2008p.html#67

Then there are all the discussions referring to the Kansas City Fed article: "Can Smart Cards Reduce Payments Fraud and Identity Theft?":
http://www.garlic.com/~lynn/2008p.html#11
http://www.garlic.com/~lynn/2008p.html#14
http://www.garlic.com/~lynn/2008p.html#15
http://www.garlic.com/~lynn/2008p.html#18
http://www.garlic.com/~lynn/2008p.html#19
http://www.garlic.com/~lynn/2008p.html#22
http://www.garlic.com/~lynn/2008p.html#32
http://www.garlic.com/~lynn/2008p.html#44
http://www.garlic.com/~lynn/2008p.html#49
http://www.garlic.com/~lynn/2008p.html#55
http://www.garlic.com/~lynn/2008p.html#59


History of preprocessing (Burroughs ALGOL)

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: History of preprocessing (Burroughs ALGOL)
Newsgroups: alt.folklore.computers,comp.sys.unisys
Date: Thu, 13 Nov 2008 10:20:00 -0500
HVlems <hvlems@freenet.de> writes:
The quick answer to your second question is: yes. For most people, Algol is similar to Algol60 (like Fortran implies Fortran IV). Algol60 is well documented in its Revised Report. The problem with Algol60 is that the Rev.Rep. has no I/O functions. The language is ideal for writing down algorithms and I'm sure that was one of its design goals. It's somewhat of a drawback for a programming language though and all Algol(60) implementations have different ways of getting input and writing output.

APL had similar lack of I/O functions ... or any sort of semantics for dealing with standard operating system functions.

the (cambridge) science center created some contention for the port of apl\360 to cms\apl. Part of the port was drastically increasing the workspace size ... which was typically 16k or 32k bytes in apl\360 installations. cms\apl opened it up to size of virtual memory, although the original APL (internal) storage management had to be reworked to be much more virtual memory friendly.

I recently referred to cms\apl opened APL use up to a lot more real world applications (part of that was just the significant increase in workspace size) ...
http://www.garlic.com/~lynn/2008p.html#42 Password Rules

however, another change for cms\apl (creating some contention in the APL community about violating purity of APL language) was that interfaces were defined for accessing system services (including i/o operations). This was later reworked (to the satisfaction of the APL purists) to use "shared variables" abstraction (where the "shared variables" were sort of a message passing interface between an APL application and specific operations ... like I/O or other system services) ... reference here:
https://en.wikipedia.org/wiki/Shared_Variables

the above slightly garbles the reference ... since cms\apl and apl\cms predated apl\sv (cms\apl was first done by cambridge science center for cp67/cms ... then the palo alto science center did apl\cms for vm370/cms ... palo alto also did the 370/145 apl microcode "assist").

lots of past posts mentioning apl (&/or HONE ... which made extensive use of APL in delivering applications world-wide for sales & marketing)
http://www.garlic.com/~lynn/subtopic.html#hone


2008 Data Breaches: 30 Million and Counting

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: 2008 Data Breaches: 30 Million and Counting
Date: November 13, 2008
Blog: Payment Systems Network
2008 Data Breaches: 30 Million and Counting
http://www.informationweek.com/financialservices/news/showArticle.jhtml?articleID=212501185

some x-over in discussion about Kansas City Fed article "Can Smart Cards Reduce Payments Fraud and Identity Theft?"
http://www.garlic.com/~lynn/2008p.html#49 Can Smart Cards Reduce Payments Fraud and Identity Theft?

there was rather good size deployment in the NE US in the earlier part of this decade ... but seem to totally disappear shortly ... possibly because of some vulnerabilities .... here is reference to article discussing presentation at cartes 2002
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

from above
It was stated that cloning an EMV card is a relatively simple task, with all the necessary information and equipment available on the Internet.

... snip ...

in the mid-90s, the x9a10 financial standard working group had been given the requirement to preserve the integrity of the financial infrastructure for *ALL* retail payments (credit, debit, stored-value, ach, check, POS, online, e-commerce, transit, unattended, low-value, high-value, aka ALL). part of that was detailed, end-to-end, threat and vulnerability studies of various environments; including the scenarios mentioned in the Cartes 2002 presentation. The result was the x9.59 financial standard protocol (mentioned in the kansas city fed article)
http://www.garlic.com/~lynn/x959.html#x959

Another part of the x9.59 financial standard protocol was to slightly tweak the paradigm to eliminate the threat from breaches. It didn't do anything about eliminating breaches, but it eliminated the threat of crooks using information from breaches for fraudulent transactions.

Part of the issue wasn't so much the cost of A (single) smartcard deployment... but potentially facing the costs of repeated smartcard deployments ... as industry went through a series of trial&error approach to figuring out smartcard security .... as per the reference to deployments in early part of this decade ... that then seemed to fade away.

There was a presentation in an industry conference a couple years ago on various fraud techniques in the payment card market ... including a large display of various compromised POS terminals. There was also discussion of finding YES CARDS in various parts of the world and their operational characteristics ... which prompted somebody in the audience to loudly comment about the industry spending billions of dollars to prove smartcards are less secure than magstripe.
http://www.garlic.com/~lynn/subintegrity.html#yescard

Also, as per earlier comments ... x9.59 eliminated the threat from data breaches (skimming, eavesdropping, etc) ... and therefore the motivation for performing data breaches.


Alternative credit card network

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Alternative credit card network
Date: November 13, 2008
Blog: Credit Card Professionals
There are a number of aspects of "network" .... part of it effectively can be characterized as interconnection ... represented by the numerous "value added networks" that cropped up in the 70s and 80s.

One of the results of the increasing prevalence of the internet in the 90s ... was that these legacy "value added networks" were obsoleted.

One of the remaining features of the "value added networks" ... is that the physical installations ... still may provide some additional level of security and confidence compared to the wild/hostile anarchy associated with internet connections.

Advances in internet authentication and connectivity technology will move towards eliminating such differentiation.

Some of that appears to be somewhat in stasis ... not making a whole lot of progress. Part of that is referenced in various Web Security hasn't moved since 1995 discussions ... some archived here:
http://www.garlic.com/~lynn/2008p.html#67

Then there are all the discussions referring to the Kansas City Fed article: Can Smart Cards Reduce Payments Fraud and Identity Theft?:
http://www.garlic.com/~lynn/2008p.html#11
http://www.garlic.com/~lynn/2008p.html#14
http://www.garlic.com/~lynn/2008p.html#15
http://www.garlic.com/~lynn/2008p.html#18
http://www.garlic.com/~lynn/2008p.html#19
http://www.garlic.com/~lynn/2008p.html#22
http://www.garlic.com/~lynn/2008p.html#32
http://www.garlic.com/~lynn/2008p.html#44
http://www.garlic.com/~lynn/2008p.html#49
http://www.garlic.com/~lynn/2008p.html#55
http://www.garlic.com/~lynn/2008p.html#59


Multi-Factor Authentication - Moving Beyond Passwords for Security of Online Transactions

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Multi-Factor Authentication - Moving Beyond Passwords for Security of Online Transactions
Date: November 13, 2008
Blog: Payment and Fraud Professionals
There are assumptions that multi-factor authentication represents higher security ... however that is predicated on the different factors being subject to independent threats and vulnerabilities. For instance (something you know authentication) PINs are nominally considered countermeasure to lost/stolen cards.

However, multi-factors can be deceptive ... for instance in this recent: Do soft certificates provide two-factor authentication discussion (in Information Security) ... some archived here:
http://www.garlic.com/~lynn/2008p.html#58

there is some attempt to equate encrypted "software container" (using a PIN as encryption key) with two-factor authentication. The equivalent scenario is that the PIN would be countermeasure to lost/stolen laptop.

However, there are some serious issues. Real hardware tokens tend to have countermeasure to (brute-force) PIN guessing. However, using a (four-digit) PIN as an encryption key is vulnerable to brute-force attack in less than a second elapsed time ... effectively providing no protection what-so-ever.

Something you know authentication requires countermeasures to brute-force guessing ... when it is used as an encryption key ... then frequently the only brute-force countermeasure is the elapsed time it takes to make all possible guesses. This is typically found in systems related to choosing passwords and/or encryption keys ... for instance rejecting selections that might be guessed in too short of an elapsed time ... recent, somewhat related posts
http://www.garlic.com/~lynn/2008p.html#42 Password Rules
http://www.garlic.com/~lynn/2008p.html#71 Password Rules

In the personal computing environment, various trojan horse/virus compromises tend to represent a much larger threat than lost/stolen. In those situations, the compromise captures both files and keystrokes .... which can represent a common vulnerability to something you have authentication, as well as something you know authentication ... invalidating any (multi-factor authentication) assumption about being more secure because of independent threats/vulnerabilities.

misc. past posts about 3-factor authentication metaphor
http://www.garlic.com/~lynn/subintegrity.html#3factor

For other topic drift ... recent discussions about Kansas City Fed paper "Can Smart Cards Reduce Payments Fraud and Identity Theft"
http://www.garlic.com/~lynn/2008p.html#11
http://www.garlic.com/~lynn/2008p.html#14
http://www.garlic.com/~lynn/2008p.html#15
http://www.garlic.com/~lynn/2008p.html#18
http://www.garlic.com/~lynn/2008p.html#19
http://www.garlic.com/~lynn/2008p.html#22
http://www.garlic.com/~lynn/2008p.html#32
http://www.garlic.com/~lynn/2008p.html#44
http://www.garlic.com/~lynn/2008p.html#49
http://www.garlic.com/~lynn/2008p.html#55
http://www.garlic.com/~lynn/2008p.html#59

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
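
Added example (not from the post or the discussion it references): a Go model of the contrast drawn above, a toy PIN-keyed software container that an offline search exhausts in well under a second, beside a hardware-token model whose retry counter locks the device after a few wrong PINs. The container format, its hashing scheme and the retry count of 3 are assumptions for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// SoftwareContainer is a toy "encrypted container" protected only by a
// four-digit PIN (constructed for this example, not a real file format).
type SoftwareContainer struct{ check [32]byte }

// checkFor derives the PIN-based key and the check value stored with the
// container; an attacker holding the file can compute the same thing.
func checkFor(pin string) [32]byte {
	key := sha256.Sum256([]byte("container-key:" + pin))
	return sha256.Sum256(append([]byte("check:"), key[:]...))
}

func NewSoftwareContainer(pin string) SoftwareContainer {
	return SoftwareContainer{check: checkFor(pin)}
}

// Open reports whether pin reproduces the stored check value. Nothing limits
// how often it is called: the container is offline data the holder controls.
func (c SoftwareContainer) Open(pin string) bool {
	got := checkFor(pin)
	return subtle.ConstantTimeCompare(got[:], c.check[:]) == 1
}

// ExhaustPINs measures the residual protection of a four-digit PIN used as
// the key: at most 10^4 offline guesses. Returns the PIN found and the time taken.
func ExhaustPINs(c SoftwareContainer) (string, time.Duration) {
	start := time.Now()
	for i := 0; i < 10000; i++ {
		if pin := fmt.Sprintf("%04d", i); c.Open(pin) {
			return pin, time.Since(start)
		}
	}
	return "", time.Since(start)
}

// HardwareToken models the countermeasure the container lacks: a retry
// counter enforced inside the device, after which it locks for good.
type HardwareToken struct {
	pin       string
	remaining int
	locked    bool
}

func NewHardwareToken(pin string, retries int) *HardwareToken {
	return &HardwareToken{pin: pin, remaining: retries}
}

// Verify checks the PIN inside the device; once the counter reaches zero the
// token refuses every further attempt, including the correct PIN.
func (t *HardwareToken) Verify(pin string) bool {
	if t.locked {
		return false
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(t.pin)) == 1 {
		return true
	}
	if t.remaining--; t.remaining <= 0 {
		t.locked = true
	}
	return false
}

func (t *HardwareToken) Locked() bool { return t.locked }
```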

Tell me why the taxpayer should be saving GM and Chrysler (and Ford) managers & shareholders at this stage of the game?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Tell me why the taxpayer should be saving GM and Chrysler (and Ford) managers & shareholders at this stage of the game?
Date: November 13, 2008
Blog: Change Management
There was an article (I think washington post), 25+yrs ago suggesting 100% unearned profit tax for the automobile industry. The scenario was that the gov. gave the industry billions in breaks ... and the money was supposed to go to remaking the industry more competitive. Instead the money was going to executive bonuses, worker benefits and stockholder dividends ... not the original purpose.

Over the yrs, there have been lots of studies regarding what it would take to make the industry competitive ... but it seemed that actual change was very difficult or impossible. I participated in some of the "C4" meetings circa 1990 that were one such series of studies; this was looking at leveraging IT (i.e. dataprocessing) technology to be able to compete with foreign manufacturers

there are some references that what was going on over nearly 30yrs doesn't have much applicability to current situation

the (post?) article pointed out that the us automobile industry effectively had billions in gov. benefits ... the stated purpose was to allow breathing room to remake themselves ... but they just continued business as usual and applied the money for executive and worker benefits. however, with history of 30yrs of this ... it isn't likely that additional gov. funds are going to make any significant difference.

(post) article had it that part of the benefits was import quotas ... eliminating the downward pressure on us car prices (from low priced foreign imports) ... which allowed the us industry to nearly double the price of their products over a short period of time ... w/o any other significant changes (drastically increasing US profits).

the downside was that car prices were now a much larger multiple of avg. salary ... which resulted in car loans having to move from 2-3yrs to five (or even six) yrs. this, in turn, really aggravated the issue of manufacturing quality.

Turns out there is some overlap with response to this question in Banking and Finance Technologies: "Is there any technology that we are severely lacking in the Financial industry?" ... discussing various mechanisms that got us into current crisis ... also archived here:
http://www.garlic.com/~lynn/2008p.html#70
also here
http://www.garlic.com/~lynn/2008p.html#8

... including playing long/short mismatch ... which has been known for centuries to take down institutions (quote was that bear stearns & lehman only had marginal chance of surviving playing long/short mismatch). this referenced article discusses long/short mismatch including example of 5yr auto loan for automobile that only lasts 3yrs:
http://www.forbes.com/2007/11/13/citigroup-suntrust-siv-ent-fin-cx_bh_1113hamiltonmatch.html

recent business tv news shows have mentioned other downsides of the import quotas, including foreign companies learning to efficiently build cars in the US. they contrasted that with US companies which have a number of profitable overseas operations ... but they've failed to apply that in the US. the downside is that all these "overseas" US cars are now subject to those import quotas. eliminating those quotas now ... allowing importing of US "foreign" cars ... wouldn't actually help domestic operations (or the US workers).

misc. recent posts mentioning C4 effort:
http://www.garlic.com/~lynn/2008.html#84 Toyota Sales for 2007 May Surpass GM
http://www.garlic.com/~lynn/2008.html#85 Toyota Sales for 2007 May Surpass GM
http://www.garlic.com/~lynn/2008c.html#22 Toyota Beats GM in Global Production
http://www.garlic.com/~lynn/2008c.html#68 Toyota Beats GM in Global Production
http://www.garlic.com/~lynn/2008e.html#30 VMware signs deal to embed software in HP servers
http://www.garlic.com/~lynn/2008e.html#31 IBM announced z10 ..why so fast...any problem on z 9
http://www.garlic.com/~lynn/2008f.html#50 Toyota's Value Innovation: The Art of Tension
http://www.garlic.com/~lynn/2008h.html#65 Is a military model of leadership adequate to any company, as far as it based most on authority and discipline?
http://www.garlic.com/~lynn/2008i.html#31 Mastering the Dynamics of Innovation
http://www.garlic.com/~lynn/2008k.html#2 Republican accomplishments and Hoover
http://www.garlic.com/~lynn/2008k.html#50 update on old (GM) competitiveness thread
http://www.garlic.com/~lynn/2008k.html#58 Mulally motors on at Ford
http://www.garlic.com/~lynn/2008m.html#21 Fraud due to stupid failure to test for negative
http://www.garlic.com/~lynn/2008m.html#48 Blinkylights
http://www.garlic.com/~lynn/2008m.html#52 Are family businesses unfair competition?
http://www.garlic.com/~lynn/2008n.html#4 Michigan industry

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Web Security hasn't moved since 1995

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Web Security hasn't moved since 1995
Date: November 13, 2008
Blog: Greater IBM
re:
http://www.garlic.com/~lynn/2008p.html#67 Web Security hasn't moved since 1995

1000th Node on Internal Network

recent post discussing various old references to number of nodes on arpanet/internet vis-a-vis the internal network
http://www.garlic.com/~lynn/2008m.html#18

arpanet/internet had approx 255 nodes on the "great" switch-over to internetworking protocol (1/1/83) ... introduction of internetworking protocol (and gateways) simplified adding nodes. The internet growth lists 562 nodes by aug83 (better than doubled in size since 1st of the year).

By comparison, the internal network passed its 1000th node in jun83. see image of 1000th node commemorative globe in this post
http://www.garlic.com/~lynn/2008m.html#35

old post that includes a copy of the internal network 1000th node announcement
http://www.garlic.com/~lynn/2006k.html#8

as well as references to other internal network changes during 1983.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

PIN entry on digital signatures + extra token

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: PIN entry on digital signatures + extra token
Date: November 13, 2008
Blog: Smart Cards Group
we were asked to help word smith the cal. state electronic signature legislation (and then some fed electronic signature legislation). part of that effort highlighted apparent cognitive dissonance (&/or semantic confusion) because the terms "digital signature" and "human signature" both contain the word "signature". lots of past posts discussing "electronic signatures" requiring manual operations that fulfill the "human signature" requirement to demonstrate read, understood, agrees, approves, and/or authorizes.
http://www.garlic.com/~lynn/subpubkey.html#signature

asymmetric cryptography is technology with a pair of keys where one key decodes what the other key encodes.

public key is a business process where one of the key pair is published ("public key") and the other key ("private key") is kept confidential and never divulged.

digital signature is a something you have authentication process ... ability to generate a digital signature demonstrates possession of a (unique) "private key".

In the electronic signature scenario ... the manual entry of the PIN is the equivalent of the "human signature". Given the appropriately certified hardware ... the hardware may be certified to generate a "digital signature" only in response to the manual entry of the PIN. The "digital signature" isn't the equivalent of "human signature" ... however given appropriately certified hardware ... the existence of a "digital signature" can be taken as proof that manual PIN entry (representing the "human signature") was performed.

For purely authentication purposes, the existence of the "digital signature" indicates possession of a unique hardware token with a unique key ... it is possible to have a token that is inserted into a reader and a PIN is entered. As long as the hardware token remains in the reader, then the token might perform an arbitrary number of digital signatures (i.e. something you have authentication) w/o requiring the PIN to be re-entered each time (and still meet two-factor authentication requirement).

Multi-factor authentication is nominally considered more secure assuming the different factors have independent threats/vulnerabilities. For purely authentication purposes, a PIN is something you know authentication and a countermeasure to lost/stolen (something you have) token. misc. past posts discussing the 3-factor authentication paradigm
http://www.garlic.com/~lynn/subintegrity.html#3factor

This is independent of using the manual entry of a PIN to demonstrate "human signature" equivalent for having read, understood, agrees, approves, and/or authorizes.

"digital signature" as proof of possession of a unique "private key" (also something you have authentication) ...

which is only contained in a unique/certified hardware token (again something you have authentication) ...

where that specific/unique hardware token is certified to only generate a "digital signature" in response to manually entered PIN (also requires certifying the environment where the PIN is entered)

as a certified process ... linking the existence of a "digital signature" to manual PIN-entry, where the manual PIN-entry is construed as "human signature" (i.e. evidence of read, understood, agrees, approves, and/or authorizes)

is covered in some of the AADS patent portfolio
http://www.garlic.com/~lynn/aadssummary.htm

disclaimer: neither of us retain any rights to the assigned patents.

Part of AADS was parameterised risk management ... where the same hardware token can operate as single factor authentication (purely something you have authentication) as well as multi-factor (two or more factors) authentication (PINs, and/or biometrics) ... as well in both "session" mode (i.e. one PIN/biometric per power-on, multiple digital signatures per manual interaction) and "manual signature" mode (manual PIN/biometric required per signature). It was also possible to differentiate when the same hardware token switches between modes ... w/o requiring the token to be power cycled. So the same token could be used for single factor authentication ... say for low-value transit gate operation .... or for very high-value ("human signature") transaction ... possibly requiring PIN as well as multiple biometrics.

other recent posts mentioning parameterised risk management:
http://www.garlic.com/~lynn/2008i.html#1 Do you belive Information Security Risk Assessment has shortcoming like
http://www.garlic.com/~lynn/2008i.html#70 Next Generation Security
http://www.garlic.com/~lynn/2008l.html#52 Payments Security in RFS
http://www.garlic.com/~lynn/2008o.html#13 What risk of possible data leakage do you see for your organization?
http://www.garlic.com/~lynn/2008o.html#17 what will be a wow feature in a credit card
http://www.garlic.com/~lynn/2008o.html#47 Will cards with PayPass (from MasterCard) be using CHIP & PIN in the future?
http://www.garlic.com/~lynn/2008o.html#60 Biometric Credit cards
http://www.garlic.com/~lynn/2008o.html#64 In your experience which is a superior debit card scheme - PIN based debit or signature debit?
http://www.garlic.com/~lynn/2008o.html#70 What happened in security over the last 10 years?
http://www.garlic.com/~lynn/2008p.html#7 Dealing with the neew MA ID protection law
http://www.garlic.com/~lynn/2008p.html#15 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#22 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#32 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#59 Can Smart Cards Reduce Payments Fraud and Identity Theft?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
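
Added example (not from the post, and not the AADS implementation): a Go model of one token that switches per request between single-factor, session and manual-signature modes without a power cycle, using ed25519 from the standard library as a stand-in for the certified hardware's signature scheme. The mode names, the retry count of 3 and the value thresholds in ModeForValue are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Mode is the authentication policy the token applies to one signing request.
type Mode int
const (
	SingleFactor    Mode = iota // something you have only: no PIN at all
	Session                     // one PIN per power-on, many signatures after it
	ManualSignature             // a fresh PIN entry for every signature
)

// Token holds a key that never leaves it; Go's ed25519 stands in for the
// certified hardware's scheme (an assumption of this example).
type Token struct {
	priv    ed25519.PrivateKey
	pin     string
	pinOK   bool // a correct PIN has been entered since power-on
	retries int  // wrong entries left before the token refuses all PINs
}

func NewToken(pin string) (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv, pin: pin, retries: 3}, pub, nil
}

// PowerCycle clears session state, as pulling the token from the reader would.
func (t *Token) PowerCycle() { t.pinOK = false }

// EnterPIN is the manual interaction; "" means nothing was typed, and a wrong
// PIN consumes the retry counter and ends any session.
func (t *Token) EnterPIN(pin string) bool {
	if pin == "" || t.retries <= 0 {
		return false
	}
	if t.pinOK = pin == t.pin; !t.pinOK {
		t.retries--
	}
	return t.pinOK
}

// Sign enforces mode for this request only: the relying party's risk policy
// picks the mode per transaction, with no power cycle needed between modes.
func (t *Token) Sign(mode Mode, msg []byte, pin string) ([]byte, error) {
	switch mode {
	case Session:
		if !t.pinOK && !t.EnterPIN(pin) {
			return nil, errors.New("session mode: no valid PIN since power-on")
		}
	case ManualSignature:
		if !t.EnterPIN(pin) {
			return nil, errors.New("manual signature mode: PIN required per signature")
		}
	}
	return ed25519.Sign(t.priv, msg), nil
}

// ModeForValue is a toy risk policy; the thresholds (in cents) are assumed.
func ModeForValue(cents int) Mode {
	if cents < 500 {
		return SingleFactor // e.g. a low-value transit gate
	} else if cents < 50000 {
		return Session
	}
	return ManualSignature
}
```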

Making tea

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Making tea
Newsgroups: alt.folklore.computers
Date: Thu, 13 Nov 2008 20:33:54 -0500
krw <krw@att.bizzzzzzzzzz> writes:
Not by much. VT has WA beat all to hell for miserable climate (and politics). An acquaintance, upon moving to VT from Seattle remarked that they once thought that WA had bad weather but they'd recently learned something.

seattle & boston have about the same inches of rain per year ... just that seattle tends to have more light drizzle. seattle is far enough north that days in winter are noticeably shorter ... coupled with winter overcast days results in seasonal affective disorder
https://en.wikipedia.org/wiki/Seasonal_affective_disorder

it has also been used to explain high coffee per capita consumption (seattle as well as Scandinavia)
http://starbucksgossip.typepad.com/_/2007/11/survey-seattl-1.html

we did temporary assignment may99 to sep2000 ... didn't bother me. recent reference
http://www.garlic.com/~lynn/2008b.html#37 Tap and faucet and spellcheckers

later there was an attempt to talk us into moving back for me to take position of chief security architect (also mentioned here):
http://www.garlic.com/~lynn/2007o.html#7 Hypervisors May Replace Operating Systems As King Of The Data Center
http://www.garlic.com/~lynn/2008b.html#5 folklore indeed

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

How to Plan a High Value Sales Campaign Using Military Principles

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: How to Plan a High Value Sales Campaign Using Military Principles
Date: November 14, 2008
Blog: Greater IBM
answer to similar discussion in "xing" Greater IBM ... archived here
http://www.garlic.com/~lynn/2008h.html#8a

more recently there was introduction of MBA program based on Boyd's teachings ... referenced in this post
http://www.garlic.com/~lynn/2008n.html#39 Wrapping up the FBEMBA

I had sponsored Boyd's briefings at IBM in the early 80s .... a lot of it was applying conflict experience/history (mostly military) to competitive commercial situations.

Lots of past posts mentioning Boyd:
http://www.garlic.com/~lynn/subboyd.html

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Tell me why the taxpayer should be saving GM and Chrysler (and Ford) managers & shareholders at this stage of the game?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Tell me why the taxpayer should be saving GM and Chrysler (and Ford) managers & shareholders at this stage of the game?
Date: November 14, 2008
Blog: Change Management
re:
http://www.garlic.com/~lynn/2008p.html#77 Tell me why the taxpayer should be saving GM and Chrysler (and Ford) managers & shareholders at this stage of the game?

'Dumbest People' Industry Image May Cost Wagoner Job
http://www.bloomberg.com/apps/news?pid=20601109

a couple quotes from above:
"There's the feeling that next to financial services, automotive execs are the dumbest people in the world"

"It's pretty clear that management has made some pretty bad decisions over the last 20 years"

"Toyota generated pretax profit of $922 per vehicle on North American sales in 2007, while GM lost $729"
... snip ...

maybe closer to 30 (or even more)?

for another facet regarding the problems ... there were a number of articles in the 90s related to the downward spiral of the US education system.

One was that foreign auto makers (establishing plants in the US) were requiring junior college degrees in order to get workers with a high school education.

From 1990 census information ... there were articles that half of US manufacturing workers were "subsidized" (i.e. worker benefits exceeded the value of their work) and half of 18 yr olds were functionally illiterate. There were calculations at the time ... assuming trends continued ... that by 2020 ... only 3 percent of US workers would not be subsidized (i.e. value of work at least equivalent to benefits received).

older reference to 94-98 international literacy survey
http://www.garlic.com/~lynn/2004b.html#38

recent reports have US education ranking at or near the bottom of industrial nations ... a couple recent posts:
http://www.garlic.com/~lynn/2007u.html#78 Education ranking
http://www.garlic.com/~lynn/2008h.html#3 America's Prophet of Fiscal Doom

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Residual Risk Methodology for Single Factor Authentication

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Residual Risk Methodology for Single Factor Authentication
Date: November 15, 2008
Blog: Information Security
re:
http://help.linkedin.com/app/answers/detail/a_id/35227

In general, multi-factor authentication is considered more secure if the different authentication factors are subject to independent threats/vulnerabilities. For instance, PIN (something you know authentication) is normally considered a countermeasure to lost/stolen card/token (something you have authentication). misc. past posts mentioning 3-factor authentication paradigm
http://www.garlic.com/~lynn/subintegrity.html#3factor

for instance, a year or two ago ... there was a report that (single-factor) "signature debit" (magstripe debit card transactions that don't require pin) had 15 times the fraud level of (two factor) "pin debit".

shared-secret something you know authentication tends to be vulnerable to guessing attacks as well as skimming, eavesdropping, &/or harvesting attacks. A 2nd factor something you have token would nominally be considered a countermeasure to such attacks against shared-secrets. some past posts mentioning shared-secrets
http://www.garlic.com/~lynn/subintegrity.html#secrets

A "magstripe" something you have authentication is static data ... and in the past couple decades "skimming" attacks have appeared that record the magstripe for the production of counterfeit cards. At POS terminal, it is potentially possible for a skimming attack to record both the "magstripe" and the "pin" at the same time ... invalidating assumption about multi-factor authentication being subject to independent threat/vulnerabilities (and therefore more secure)

In general, risk assessment requires detailed end-to-end, threat and vulnerability study to look at the mechanisms that might compromise the infrastructure (i.e. the various threats on the "single factor" authentication used, as well as the various threats from authentication not being used).

With regard to something you know authentication ... the enormous proliferation of the single-factor shared-secret, something you know authentication paradigm has resulted in individuals being required to memorize scores or hundreds of different "secrets". This is an enormous human factor risk. One aspect of the difficulty can be seen in one study that claims 1/3rd of pin-debit cards have the PIN written on them.

Slightly related answer in linkedin "Payment and Fraud Professionals" to Multi-Factor Authentication - Moving Beyond Passwords for Security of Online Transactions:
http://www.garlic.com/~lynn/2008p.html#76

the above references extended discussion in several linkedin groups about the recent Kansas City Fed paper "Can Smart Cards Reduce Payments Fraud and Identity Theft"

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
