List of Archived Posts

2009 Newsgroup Postings (01/19 - 02/08)

In the beginning: The making of the Mac
Are Both The U.S. & UK on the brink of debt disaster?
The 25 Most Dangerous Programming Errors
Slow down to go faster!
Possibility of malicious CPUs
Possibility of malicious CPUs
US credit card payment house breached by sniffing malware
Superworm seizes 9m PCs, 'stunned' researchers say
Do emperors from the banks have new clothes?
New Research Reveals 45% of Card Breach Victims Lose Confidence in Their Financial Accounts
Superworm seizes 9m PCs, 'stunned' researchers say
Amid Economic Turbulence, Mainframes Counter IT Cost-Cutting Trend
Amid Economic Turbulence, Mainframes Counter IT Cost-Cutting Trend
US credit card payment house breaches by sniffing malware
question about ssh-keygen with empty passphrase
It's Me, and Here's My Proof: Why Identity and Authentication Must Remain Distinct
It's Me, and Here's My Proof: Why Identity and Authentication Must Remain Distinct
Fraud -- how can you stay one step ahead?
Barbless
US credit card payment house breached by sniffing malware
what was the idea behind Citigroup's splitting up into two different divisions? what does this do for citigroup?
ICSF and VISA/MasterCard?amex reference list
Evil weather
BarCampBank - informal finance rantathon in London
Researchers wait for Downadup worm's second act
The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick
A question about arp tables
ACM fellow for reinventing virtual machines
Online-Banking Authentication
is privacy a security attribute(component or ?). If yes, why? If no why not?
The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick
Is SUN going to become x86'ed ??
Heartland Says Entire Industry Should Revamp Security
Phish-Pharming: Using social engineering to hijack domains at the source
Will the recession drive consumers away from credit cards towards prepaid cards / debit cards?
The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick
A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"
A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"
A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"
"Larrabee" GPU design question
"Larrabee" GPU design question
The subject is authoritarian tendencies in corporate management, and how they are related to political culture
A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"
"Larrabee" GPU design question
Cybercrime cost $1 trillion last year, study
The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick
Z11 - Water cooling?
How to defeat new telemarketing tactic
The blame game is on : A blow to the Audit/Accounting Industry or a lesson learned ???
US disaster, debts and bad financial management
Cellphones as Credit Cards? Americans Must Wait
Will the Draft Bill floated in Congress yesterday to restrict trading of naked Credit Default Swaps help or aggravate?
What has the Global Financial Crisis taught the Nations, it's Governments and Decision Makers, and how should they apply that knowledge to manage risks differently in the future?
Credit & Risk Management ... go Simple ?
In your opinion, which facts caused the global crise situation?
Davos 2009 Cybercrime threat rising sharply
In your opinion, which facts caused the global crise situation?
Credit & Risk Management ... go Simple ?
OCR scans of old documents
As bonuses...why breed greed, when others are in dire need?
OCR scans of old documents
Passport RFIDs cloned wholesale by $250 eBay auction spree
Study: Data breaches continue to get more costly for businesses
Study: Data breaches continue to get more costly for businesses
SQL attacks dominated 2008, says IBM
What can agencies such as the SEC do to insure us that something like Madoff's Ponzi scheme will never happen again?
45th anniversary of the System/360 announcement
IBM tried to kill VM?
Fraud Incidents Tied to Heartland Data Breach
Intel's Future is integrated
Amazon Launches Flexible Payments As a Commercial Service
IBM tried to kill VM?
IBM ReVAMPS Venerable Tivoli Storage Software
What can we learn from the meltdown?
IBM tried to kill VM?
OCR scans of old documents
IBM tried to kill VM?
Z11 - Water cooling?
How to defeat new telemarketing tactic
How to defeat new telemarketing tactic
How to defeat new telemarketing tactic

In the beginning: The making of the Mac

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: In the beginning: The making of the Mac
Newsgroups: alt.folklore.computers
Date: Mon, 19 Jan 2009 17:19:17 -0500
re:
http://www.garlic.com/~lynn/2009.html#67 In the beginning: The making of the Mac

The Mac at 25: Successes, regrets, Apple's had a few
http://www.computerworld.com.au/article/273417/mac_25_successes_regrets_apple_had_few

from above:
The Human Interface Guidelines
MacPaint/MacWrite
The all-in-one design
Nailing the hardware and software transitions
The iPod, the iPhone and the iTunes Store

... and
The Apple III
The Perfomas -- oh God, the Performas
The cloning vats
Not the best .edu sales structures
Clunky and weird online strategies

... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Are Both The U.S. & UK on the brink of debt disaster?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Are Both The U.S. & UK on the brink of debt disaster?
Date: Jan 20, 2009
Blog: Equity Markets
The Man Who Beat The Shorts
http://www.forbes.com/forbes/2008/1117/114.html

from above:
Watsa's only sin was in being a little too early with his prediction that the era of credit expansion would end badly. This is what he said in Fairfax's 2003 annual report: "It seems to us that securitization eliminates the incentive for the originator of [a] loan to be credit sensitive. Prior to securitization, the dealer would be very concerned about who was given credit to buy an automobile. With securitization, the dealer (almost) does not care."

... snip ...

Not so much debt itself ... but securitization (along with the rating agencies giving triple-A ratings to toxic CDOs) resulted in huge amount of money being pumped into the lending market ... with nobody caring how it was being used (people lending the money could immediately unload as a toxic CDO ... so regardless of what happened later, every loan made, was profit).

No documentation, no-down-payment, 1% introductory rate ARMs with interest-only payments became extremely attractive for speculators, since the carrying cost was significantly less than the home appreciation in numerous markets (planning on flipping before the rate reset). The large amount of speculation, in turn, significantly increased the inflation in the market. Eventually the bubble bursts, but while it lasted ... lots of people were raking in the money.

The congressional hearings last fall highlighted that both the rating agencies and the toxic CDO issuers/sellers knew that the toxic CDOs weren't worth triple-A ratings ... but the toxic CDO issuers/sellers were paying for the triple-A ratings. This significantly increased the institutions that would deal in the toxic CDOs and correspondingly significantly increased the amount of money available for lending.

A combination of deregulation and not enforcing regulations resulted in numerous greed/corruption hot-spots to combine together into an economic firestorm.

Last spring there was a business school article about the effects of securitization (this was before the congressional hearings revealed that the rating agencies knew the toxic CDOs weren't worth triple-A ratings) and estimated that possibly 1000 executives are responsible for 80% of the current mess (and it would go a long way to fixing the situation if the gov. could figure out how they could lose their jobs)
http://knowledge.wharton.upenn.edu/article.cfm?articleid=1933 (gone 404 and/or requires registration)

and related discussions:

Lets play Blame Game...?
http://www.linkedin.com/answers/finance-accounting/economics/FIN_ECO/388807-23540637

answer also archive here
http://www.garlic.com/~lynn/2009.html#42

Are reckless risks a natural fallout of "excessive" executive compensation ?
http://www.linkedin.com/answers/hiring-human-resources/compensation-benefits/HRH_CMP/402114-25283493

answer also archived here
http://www.garlic.com/~lynn/2009.html#80

what was the idea behind Citigroup's splitting up into two different divisions? what does this do for citigroup? thanks.
http://www.linkedin.com/answers/financial-markets/equity-markets/MKT_EQU/401959-32651588

answer also archived here:
http://www.garlic.com/~lynn/2009.html#84

This decade-old, long-winded post mentions needing accurate/trusted valuation of securitized instruments, as well as that ARM mortgages nearly took citi down two decades ago during the S&L crisis
http://www.garlic.com/~lynn/aepay3.htm#riskm

update with a couple of recent items

Roubini Predicts U.S. Losses May Reach $3.6 Trillion
http://www.bloomberg.com/apps/news?pid=20601087
http://www.bloomberg.com/apps/news?pid=20601087&sid=aS0yBnMR3USk&refer=home

from above:
U.S. financial losses from the credit crisis may reach $3.6 trillion, suggesting the banking system is "effectively insolvent," said New York University Professor Nouriel Roubini, who predicted last year's economic crisis.

... snip ...

A $17 Trillion Alliance Can Save World Economie
http://www.bloomberg.com/apps/news?pid=20601080
http://www.bloomberg.com/apps/news?pid=20601039&sid=atocjtEAf..Y&refer=home
Investors pull record $155B out of hedge funds
http://money.cnn.com/2009/01/21/markets/hedge_fund_flows.reut/index.htm?postversion=2009012114

misc. past posts mentioning the forbes article
http://www.garlic.com/~lynn/2008q.html#68 Obama, ACORN, subprimes (Re: Spiders)
http://www.garlic.com/~lynn/2008q.html#69 if you are an powerful financial regulator , how would you have stopped the credit crunch?
http://www.garlic.com/~lynn/2008r.html#36 Blinkenlights
http://www.garlic.com/~lynn/2008r.html#64 Is This a Different Kind of Financial Crisis?
http://www.garlic.com/~lynn/2008r.html#67 What is securitization and why are people wary of it ?
http://www.garlic.com/~lynn/2008s.html#9 Blind-sided, again. Why?
http://www.garlic.com/~lynn/2008s.html#18 What next? from where would the Banks be hit?
http://www.garlic.com/~lynn/2008s.html#20 Five great technological revolutions
http://www.garlic.com/~lynn/2008s.html#23 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#35 Is American capitalism and greed to blame for our financial troubles in the US?
http://www.garlic.com/~lynn/2008s.html#55 Is this the story behind the crunchy credit stuff?
http://www.garlic.com/~lynn/2009.html#14 What are the challenges in risk analytics post financial crisis?
http://www.garlic.com/~lynn/2009.html#42 Lets play Blame Game...?
http://www.garlic.com/~lynn/2009.html#52 The Credit Crunch: Why it happened?
http://www.garlic.com/~lynn/2009.html#73 CROOKS and NANNIES: what would Boyd do?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

The 25 Most Dangerous Programming Errors

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: The 25 Most Dangerous Programming Errors
Date: Jan 20, 2009
Blog: Financial Crime Risk, Fraud and Security
re:
http://www.garlic.com/~lynn/2009.html#45 Security experts identify 25 coding errors
http://www.garlic.com/~lynn/2009.html#49 The 25 Most Dangerous Programming Errors
http://www.garlic.com/~lynn/2009.html#60 The 25 Most Dangerous Programming Errors
http://www.garlic.com/~lynn/2009.html#65 The 25 Most Dangerous Programming Errors

and some fall-out regarding the original article:

List creates software security squabble
http://gcn.com/articles/2009/01/19/list-creates-software-security-squabble.aspx

from above:
The release earlier this month of a consensus list of the most serious programming errors to be avoided has garnered quite a bit of attention, some of it predictably negative. Bloggers who are amusing themselves by dissing the effort seem to be missing the forest for the trees.

... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Slow down to go faster!

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Slow down to go faster!
Date: Jan 20, 2009
Blog: Payment Systems Network
re:
http://www.garlic.com/~lynn/2009.html#88 Slow down to go faster!

... and competition can attempt to disrupt "observe" and/or "orientate" that, in turn, degrades the quality of decide and act. disrupting observe/orientate can be things besides forcing time .... quality/experience can provide a time advantage ... vis-a-vis the competition (iterating OODA-loop faster than the competition).

Boyd had stories about taking part in some after action reviews of war games. One of his observations was about cases where the staff would practice in the war room all year, while the generals and admirals were out playing golf. When it came time for the actual war games ... the generals'/admirals' lack of practice and familiarity in the war room degraded the tempo and effectiveness.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Possibility of malicious CPUs

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Possibility of malicious CPUs
Newsgroups: comp.security.unix
Date: Tue, 20 Jan 2009 10:54:07 -0500
nmm1 writes:
Look up capability architectures. Some were built, and all their users were given full information and invited to hack in. In some cases (like the Cambridge CAP), none did in several years.

In software, there are the descendants of GNOSIS ... originally a (mainframe) 370-based implementation by Tymshare ... and then spun off as Keykos when Tymshare was purchased by M/D (Tymshare was offering commercial time-sharing services on a virtual machine vm370 platform ... and GNOSIS was targeted as enhancing their service in several areas).

some Keykos info
http://www.cap-lore.com/CapTheory/KK/

EROS used a lot of Keykos in the implementation
http://www.eros-os.org/

continued as CapRos
http://www.capros.org/

and Coyotos
http://coyotos.org/

from above:
Coyotos is being developed on AMD-64 and Pentium platforms. A port is also underway to recent Coldfire processors. Once we have a baseline kernel working, we would welcome help getting it running on PowerPC and ARM processors as well.

... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Possibility of malicious CPUs

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Possibility of malicious CPUs
Newsgroups: comp.security.unix
Date: Tue, 20 Jan 2009 12:53:09 -0500
Chris Mattern <syscjm@sumire.gwu.edu> writes:
Possible? Certainly. Likely? Not really. Designing and manufacturing a modern CPU is a massive effort, taking a large number of people. The secret simply could not be kept.

re:
http://www.garlic.com/~lynn/2009b.html#4 Possibility of malicious CPUs

However, there is the potential of introducing copy-chips ... or using the EC mechanism to introduce similar compromises.

"Security processors" are typically transported by armored vehicle from the FAB to the personalization center ... both because they are worth a lot as well as the potential threat of copy-chip introduction/compromise.

One of the things we looked at for AADS ... was part of the design to significantly mitigate the risk ... and we even had discussions about applying the technique to common chips used in personal computers.

misc AADS references
http://www.garlic.com/~lynn/x959.html#aads

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

US credit card payment house breached by sniffing malware

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: US credit card payment house breached by sniffing malware
Date: Jan 20, 2009
Blog: Financial Crime Risk, Fraud and Security
US credit card payment house breached by sniffing malware
http://www.theregister.co.uk/2009/01/20/heartland_payment_breach/

and a couple more ...

Debit-card processor claims data breach part of bigger fraud
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126345&intsrc=hm_topic
Debit-card processor claims data breach part of global fraud operation
http://www.networkworld.com/news/2009/012009-massive-theft-of-credit-card.html

Lots of past posts discussing data breaches, sniffing, eavesdropping, harvesting
http://www.garlic.com/~lynn/subintegrity.html#harvest

and mention of X9.59 financial standard protocol
http://www.garlic.com/~lynn/x959.html#x959

as countermeasure.

and a little more:

Largest Data Breach in History Tries to Hide Behind Inauguration
http://www.darkreading.com/blog/archives/2009/01/largest_data_br.html

from above:
Heartland Payment Systems, a credit card processor out of Princeton, New Jersey that mostly supports small and medium businesses, announced today, during the Presidential Inauguration, that it is the victim of a massive data breach that could include over 100 Million credit card numbers.

... and
The breach is likely so massive that Heartland set up a special website at http://www.2008breach.com, which by nature of sounding like last year's news, also seems like a convenient attempt to additionally obfuscate the seriousness of the situation

... snip ...

Largest Data Breach Disclosed During Inauguration
http://it.slashdot.org/article.pl?sid=09/01/20/1930252
Heartland data breach could be bigger than TJX's
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126379
Heartland data breach could be bigger than TJX's
http://www.infoworld.com/article/09/01/21/Heartland_data_breach_could_be_bigger_than_TJXs_1.html
Credit-Card Processor Heartland Reports a Massive Data Breach
http://online.wsj.com/article/SB123249174099899837.html
US payment processor Heartland reports massive data breach
http://www.finextra.com/fullstory.asp?id=19542
Millions of Credit Cards Exposed in Data Breach
http://www.consumeraffairs.com/news04/2009/01/heartland_breach.html
Payment Processor Breach May Be Largest Ever
http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html?hpid=topnews
It's a good day to disclose the largest credit card data breach ever
http://blogs.zdnet.com/security/?p=2406
Payment processor warns of network breach
http://www.securityfocus.com/brief/889
Heartland Payment Systems Uncovers Malicious Software In Its Processing System
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212901488
Heartland Payment Systems Hit By Data Security Breach
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=213000512
Payment Processor Heartland Reveals Massive Data Breach
http://www.crn.com/security/212901576
Hackers breach Heartland Payment credit card system
http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm?csp=34
Payments processor discloses massive data breach
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1345521,00.html
Heartland Payment Systems Reports Breach
http://www.eweek.com/c/a/Security/Heartland-Payment-Systems-Reports-Breach/?kc=rss
Heartland Payment Systems Discovers Data Breach
http://www.bankinfosecurity.com/articles.php?art_id=1168&rf=012109eb
Malware caused 'biggest ever' data breach
http://security.cbronline.com/news/malware_caused_biggest_ever_data_breach_210109
Massive Theft of Credit Card Numbers Reported
http://www.networkworld.com/news/2009/012309-downadup-conflicker-worm.html
Cyber Thieves Hit Payment Processor Heartland
http://www.internetnews.com/security/article.php/3797551/Cyber+Thieves+Hit+Payment+Processor+Heartland.htm
PCI's Shield Suffers Another Blow As Heartland Reports a Hack
http://www.digitaltransactions.net/newsstory.cfm?newsid=2063
Heartland Payment Systems hacked. 100mln credit and debit card accounts affected
http://www.ecommerce-journal.com/news/12559_heartland_payment_systems_hacked_100mln_credit_and_debit_card_accounts_affected
Heartland Payment Systems hacked
http://www.msnbc.msn.com/id/28758856/
Heartland has No Heart for Violated Customers
http://www.pcworld.com/article/158038/heartland_has_no_heart_for_violated_customers.html
Hackers breach Heartland Payment credit card system
http://abcnews.go.com/Business/PersonalFinance/story?id=6695611&page=1
Largest Data Breach Disclosed During Inauguration
http://it.slashdot.org/article.pl?sid=09%2F01%2F20%2F1930252&from=rss
Heartland data security breach - Security Wire Weekly
http://securitywireweekly.blogs.techtarget.com/2009/01/21/heartland-data-security-breach/
Heartland reveals huge credit card scam
http://www.vnunet.com/vnunet/news/2234680/heartland-reveal-massive-credit

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Superworm seizes 9m PCs, 'stunned' researchers say

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Superworm seizes 9m PCs, 'stunned' researchers say
Date: Jan 20, 2009
Blog: Financial Crime Risk, Fraud and Security
Superworm seizes 9m PCs, 'stunned' researchers say
http://www.theregister.co.uk/2009/01/16/9m_downadup_infections/

from above:
They show 6.5 million new infections in the past four days, bringing the total number of machines it has compromised to almost 9 million

... snip ...

... and recent update

Clock ticking on worm attack code
http://news.bbc.co.uk/2/hi/technology/7832652.stm

from above:
Experts are warning that hackers have yet to activate the payload of the Conficker virus. The worm is spreading through low security networks, memory sticks, and PCs without current security updates

... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Do emperors from the banks have new clothes?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Do emperors from the banks have new clothes?
Date: Jan 21, 2009
Blog: Equity Markets
some from this discussion:
http://www.linkedin.com/answers/business-operations/project-management/OPS_PRJ/388884-15688219

Accounting Standards Wilt Under Pressure
http://www.washingtonpost.com/wp-dyn/content/article/2008/12/26/AR2008122601715.html

from above:
In October, largely hidden from public view, the International Accounting Standards Board changed the rules so European banks could make their balance sheets look better. The action let the banks rewrite history, picking and choosing among their problem investments to essentially claim that some had been on a different set of books before the financial crisis started.

... snip ...

... slightly related to accounting with things carried off-balance:
http://www.garlic.com/~lynn/2009.html#84 what was the idea behind Citigroup's splitting up into two different divisions? what does this do for citigroup?

A year ago there was betting that citi was going to "win" the bank "write-down" sweepstakes (i.e. declare the largest losses). This refers to even after citi had won the "write-down" sweepstakes for assets on their books ... citi still had $1.1T of toxic assets carried off-balance.
http://www.forbes.com/2007/11/13/citigroup-suntrust-siv-ent-fin-cx_bh_1113hamiltonmatch.html
and
http://www.nakedcapitalism.com/2008/07/wither-citigroups-11-trillion-of-off.html?showComment=1216055460000

and would eventually have to come back on the balance sheet (and the associated losses declared).

Slightly related discussion in the "Boyd" group mentioning Trust, but Verify ... of course in the case of the triple-A ratings for toxic CDOs ... there is also a requirement to trust the verifying agencies.
http://www.garlic.com/~lynn/2009.html#57
http://www.garlic.com/~lynn/2009.html#71

update with a couple of additional items:

Roubini Predicts U.S. Losses May Reach $3.6 Trillion
http://www.bloomberg.com/apps/news?pid=20601087
http://www.bloomberg.com/apps/news?pid=20601087&sid=aS0yBnMR3USk&refer=home

from above:
U.S. financial losses from the credit crisis may reach $3.6 trillion, suggesting the banking system is "effectively insolvent," said New York University Professor Nouriel Roubini, who predicted last year's economic crisis.

... snip ...

A $17 Trillion Alliance Can Save World Economie
http://www.bloomberg.com/apps/news?pid=20601080
http://www.bloomberg.com/apps/news?pid=20601039&sid=atocjtEAf..Y&refer=home
Investors pull record $155B out of hedge funds
http://money.cnn.com/2009/01/21/markets/hedge_fund_flows.reut/index.htm?postversion=2009012114

... and of course, I've been using the Emperor's new clothes parable for some time.
http://www.garlic.com/~lynn/2008j.html#40 dollar coins
http://www.garlic.com/~lynn/2008j.html#60 dollar coins
http://www.garlic.com/~lynn/2008j.html#69 lack of information accuracy
http://www.garlic.com/~lynn/2008k.html#10 Why do Banks lend poorly in the sub-prime market? Because they are not in Banking!
http://www.garlic.com/~lynn/2008k.html#16 dollar coins
http://www.garlic.com/~lynn/2008k.html#27 dollar coins
http://www.garlic.com/~lynn/2008l.html#42 dollar coins
http://www.garlic.com/~lynn/2008m.html#12 Fraud due to stupid failure to test for negative
http://www.garlic.com/~lynn/2008o.html#35 The human plague
http://www.garlic.com/~lynn/2008q.html#58 Obama, ACORN, subprimes (Re: Spiders)

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

New Research Reveals 45% of Card Breach Victims Lose Confidence in Their Financial Accounts

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: New Research Reveals 45% of Card Breach Victims Lose Confidence in Their Financial Accounts
Date: Jan 21, 2009
Blog: Payment Systems Network
New Research Reveals 45% of Card Breach Victims Lose Confidence in Their Financial Accounts
http://sev.prnewswire.com/banking-financial-services/20090120/SF6044320012009-1.html

and a new comment here on

Breach Notification Laws
http://www.schneier.com/blog/archives/2009/01/state_data_brea.html

that may be related to this study ... which came on the same day as the inauguration and the possible 100m account breach ... reference to lots of ongoing news articles archived here:
http://www.garlic.com/~lynn/2009b.html#6

We were tangentially involved in the Cal. state data breach notification legislation. We had been brought in to help word-smith the electronic signature legislation and several of the parties were also heavily involved in privacy issues. They had done detailed, in-depth consumer privacy studies which found that the number one issue was "identity theft" ... a major component was financial transaction and account record breaches, where the attacker could use the information for fraudulent financial transactions. It appeared little or nothing was being done about the situation and it seemed that they felt that the publicity would help motivate countermeasures.

a couple archived answers in other recent discussions where this has come up:
http://www.garlic.com/~lynn/2009.html#29
http://www.garlic.com/~lynn/2009.html#58

As noted, several other jurisdictions have since passed legislation similar to Cal's. There have also been bills introduced at the federal level that have tended to fall into two categories: breach notification legislation that requires notification, and breach notification legislation that would eliminate the requirement for notification.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Superworm seizes 9m PCs, 'stunned' researchers say

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Superworm seizes 9m PCs, 'stunned' researchers say
Date: Jan 21, 2009
Blog: Financial Crime Risk, Fraud and Security
re:
http://www.garlic.com/~lynn/2009b.html#7 Superworm seizes 9m PCs, 'stunned' researchers say

There were articles in the late 80s & early 90s that part of moving computing out of the dataprocessing center to desktops ... was that it turned everybody into a sysadmin .... which doesn't show up as a separate expense item (allowing a reduction in the number of dataprocessing professional sysadmins ... which does show up as a separate corporate expense item).

The current scenario is somewhat analogous to requiring people to do all of their own automobile maintenance. The maintenance articles did point out that requiring trained professionals would have severely limited the PC market growth (since there was no way to produce the number of trained professionals needed). The auto industry has somewhat responded (to the problem) by significantly reducing the amount of maintenance that is required (compared to 50yrs ago).

With regard to the size of the infection, some stories have raised the issue of whether the counter actually represents 9 million unique PCs ... or whether the unique IP-addresses from packet sampling (that some organizations have been doing), showing only a couple million ... is closer to the truth ... so the best guess is somewhat bounded on the low side by the couple million from packet sampling ... and on the high side by the counter value. Note that infections have continued since the original articles/estimates.

a couple more articles from today ...

Six Percent Of Computers Scanned By Panda Security Infected With Conficker Worm; Infections detected in more than 80 countries; United States, Taiwan and Brazil are among the most affected regions
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=212901754
Downadup Worm Invading 1 Million PCs Per Day, Disables Agent-Based Security Solutions
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=212901724
Users blame IT managers for Conficker; Microsoft also criticised for security hole
http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?RSS&NewsId=12877

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Amid Economic Turbulence, Mainframes Counter IT Cost-Cutting Trend

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Amid Economic Turbulence, Mainframes Counter IT Cost-Cutting Trend
Newsgroups: bit.listserv.ibm-main
To: <ibm-main@bama.ua.edu>
Date: Wed, 21 Jan 2009 16:16:58 -0500
joarmc@SWBELL.NET (John McKown) writes:
Single word: greed. On the part of management and the investors. To the nether world with the future, give me an immediate payoff. That explains most of the current US economic meltdown as well. IMO, of course.

recent article ...

Corporate Fraud and Misconduct Risks Driven by Pressure to do 'Whatever It Takes'; Fewer episodes reported by companies with ethics and compliance programs
http://www.informationweek.com/financialservices/news/showArticle.jhtml?articleID=215801487

from above:
Of more than 5,000 U.S. workers polled this summer, 74 percent said they had personally observed misconduct within their organizations during the prior 12 months, unchanged from the level reported by KPMG survey respondents in 2005. Roughly half (46 percent) of respondents reported that what they observed "could cause a significant loss of public trust if discovered," a figure that rises to 60 percent among employees working in the banking and finance industry.

... snip ...

misc. past posts mentioning the above article:
http://www.garlic.com/~lynn/2008s.html#27 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#29 Let IT run the company!
http://www.garlic.com/~lynn/2008s.html#30 How reliable are the credit rating companies? Who is over seeing them?
http://www.garlic.com/~lynn/2008s.html#35 Is American capitalism and greed to blame for our financial troubles in the US?
http://www.garlic.com/~lynn/2008s.html#36 What is the top security threat prediction of 2009?
http://www.garlic.com/~lynn/2008s.html#47 Executive pay: time for a trim?

then this article from last spring that estimated 1000 executives are responsible for 80% of the current crisis and that it would go a long way towards fixing the situation if the gov. could figure out how they lose their jobs.
http://knowledge.wharton.upenn.edu/article.cfm?articleid=1933 (gone 404 and/or requires registration)

misc. past posts mentioning the above article:
http://www.garlic.com/~lynn/2008g.html#32 independent appraisers
http://www.garlic.com/~lynn/2008g.html#44 Fixing finance
http://www.garlic.com/~lynn/2008g.html#52 IBM CEO's remuneration last year ?
http://www.garlic.com/~lynn/2008g.html#66 independent appraisers
http://www.garlic.com/~lynn/2008h.html#89 Credit Crisis Timeline
http://www.garlic.com/~lynn/2008i.html#4 A Merit based system of reward -Does anybody (or any executive) really want to be judged on merit?
http://www.garlic.com/~lynn/2008i.html#67 Do you have other examples of how people evade taking resp. for risk
http://www.garlic.com/~lynn/2008n.html#37 Success has many fathers, but failure has the US taxpayer
http://www.garlic.com/~lynn/2008n.html#65 Whether, in our financial crisis, the prize for being the biggest liar is
http://www.garlic.com/~lynn/2008n.html#69 Another quiet week in finance
http://www.garlic.com/~lynn/2008n.html#74 Why can't we analyze the risks involved in mortgage-backed securities?
http://www.garlic.com/~lynn/2008n.html#95 Blinkylights
http://www.garlic.com/~lynn/2008o.html#15 Financial Crisis - the result of uncontrolled Innovation?
http://www.garlic.com/~lynn/2008o.html#26 SOX (Sarbanes-Oxley Act), is this really followed and worthful considering current Financial Crisis?
http://www.garlic.com/~lynn/2008o.html#28 Does anyone get the idea that those responsible for containing this finanical crisis are doing too much?
http://www.garlic.com/~lynn/2008o.html#35 The human plague
http://www.garlic.com/~lynn/2008o.html#80 Can we blame one person for the financial meltdown?
http://www.garlic.com/~lynn/2008p.html#8 Global Melt Down
http://www.garlic.com/~lynn/2008p.html#9 Do you believe a global financial regulation is possible?
http://www.garlic.com/~lynn/2008q.html#16 realtors (and GM, too!)
http://www.garlic.com/~lynn/2008q.html#18 A few months of legislative vacuum - is this a good thing?
http://www.garlic.com/~lynn/2008q.html#51 Obama, ACORN, subprimes (Re: Spiders)
http://www.garlic.com/~lynn/2008r.html#10 Blinkylights
http://www.garlic.com/~lynn/2009.html#42 Lets play Blame Game...?
http://www.garlic.com/~lynn/2009.html#50 Greed Is
http://www.garlic.com/~lynn/2009.html#73 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#77 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#79 The Credit Crunch: Why it happened?
http://www.garlic.com/~lynn/2009.html#85 Banks' Demise: Why have the Governments hired the foxes to mend the chicken runs?
http://www.garlic.com/~lynn/2009b.html#1 Are Both The U.S. & UK on the brink of debt disaster?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Amid Economic Turbulence, Mainframes Counter IT Cost-Cutting Trend

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Amid Economic Turbulence, Mainframes Counter IT Cost-Cutting Trend
Newsgroups: bit.listserv.ibm-main
Date: Wed, 21 Jan 2009 17:25:22 -0500
antonbritz@GMAIL.COM (Anton Britz) writes:
Your first article was created by KPMG , an audit, tax and advisory firm in the USA.. that we all can trust, such as ACCENTURE... registered in BERMUDA so that they pay no taxes in the USA legally.

re:
http://www.garlic.com/~lynn/2009b.html#11 Amid Economic Turbulence, Mainframes Counter IT Cost-Cutting Trend

you mean:

GAO Reports Bailout and Tech Firms Love Tax Havens
http://news.slashdot.org/article.pl?sid=09/01/17/1815221
Bailed-Out Firms Have Tax Havens, GAO Finds
http://www.washingtonpost.com/wp-dyn/content/story/2009/01/16/ST2009011603928.html
International Taxation: Large U.S. Corporations and Federal Contractors with Subsidiaries in Jurisdictions Listed as Tax Havens or Financial Privacy Jurisdictions
http://www.gao.gov/products/GAO-09-157

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

US credit card payment house breaches by sniffing malware

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: US credit card payment house breaches by sniffing malware
Date: Jan 21, 2009
Blog: Payment Systems Network
additional news item URLs found here:
http://www.garlic.com/~lynn/2009b.html#6

we've tried using a number of different metaphors to highlight the situation. one is the security proportional to risk metaphor.

The value of the information to a merchant is the profit on the purchase (possibly a few dollars per account)... the value of the information to the processor is profit on the processing (possibly a few cents per account).

The value of the information to the attacker ... is the balance/credit limit of each account ... say $500/account. The issue in the current paradigm, is the attacker may be able to outspend the defender (merchant or processor) by a factor 2-3 orders of magnitude

one of the issues in the x9.59 financial transaction standard was to slightly tweak the paradigm so the information is useless to the attacker. X9.59 didn't do anything to prevent skimming, sniffing, eavesdropping, harvesting, data breaches, etc ... it just made the information useless for the purpose of performing fraudulent financial transactions (removed the financial motivation to the crooks/attackers)

Related news item from today ... also archived here:
http://www.garlic.com/~lynn/2009b.html#9

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

question about ssh-keygen with empty passphrase

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: question about ssh-keygen with empty passphrase.
Newsgroups: comp.security.ssh
Date: Thu, 22 Jan 2009 09:23:41 -0500
Chris Mattern <syscjm@sumire.gwu.edu> writes:
When you use a password, you must send that password to the remote machine to log in. If you're using ssh, you'll send the password encrypted, but you're still sending it, which could be trouble if the session is cracked or if the remote machine is compromised. With a key, *the secret key never leaves the local machine.* The only way they can get the secret key is if they compromise the local machine. Fewer routes of attack == less vulnerability.

for a little more ... a shared-secret is like a pin or password ... frequently something you know authentication ... but also can be something that represents something you have authentication (like contents of magstripe used in payment cards) or something you are authentication (like thumbprint).

normal security recommendations are that a unique shared-secret is required for each unique security domain (in part as countermeasure to x-domain attacks). 40 yrs ago ... with one or two domains ... shared-secret, something you know authentication wasn't too onerous a task to remember ... roll forward 40 yrs, and a person may be dealing with large scores of unique security domains, each requiring their own unique shared-secrets ... resulting in enormous human factors problems (having to remember large scores of pin/passwords). For instance, one study found that 1/3rd of pin-debit magstripe cards ... had the pin written on the card.

"private" key normally has a business process where the key is kept confidential and never divulged. in theory, this would allow the same public/private key pair to be used for a large number of different security domains (since problem with x-domain attacks has been eliminated).

public/private key could also help with phishing and social engineering attacks. there are numerous scenarios where people are conditioned to provide shared-secret something you know authentication ... which attackers can leverage. conditioning the public that the "private" key is never divulged ... would make them more resistant to lots of the phishing and social engineering attacks.

public/private key infrastructure can be further strengthened by embedding the private key in some hardware token ... where the private key is never even divulged to the owner. there are still social engineering attacks trying to convince the owner to use the token (for some operation benefitting the attacker), but large number of common exploits, where an attacker acquires a shared-secret, would be eliminated.

A recent example of shared-secret vulnerability is the recent breach announced on tuesday ... recent post
http://www.garlic.com/~lynn/2009b.html#6 US credit card payment house breached by sniffing malware

a countermeasure is the x9.59 financial standard protocol
http://www.garlic.com/~lynn/x959.html#x959

which can use digital signature (public/private key) to provide end-to-end integrity for financial transactions. x9.59 standard doesn't do anything to eliminate eavesdropping, skimming, sniffing, harvesting, data breaches, etc ... it just eliminates the ability of the attacker to use the information for performing fraudulent transactions (since they would still not have the required private key).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
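
The following is an added illustration of the point made in the post above (a signed transaction is useless to whoever sniffs it), not code from the post, from the X9.59 standard, or from any payment processor. It assumes a simplified transaction layout, an Ed25519 key pair registered with the issuer, and a per-transaction id that the issuer tracks for replays; none of those details come from X9.59 itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Transaction is a constructed, simplified payment instruction. The field
// set is an assumption for this example, not the X9.59 message layout.
type Transaction struct {
	AccountRef string `json:"account_ref"`
	Merchant   string `json:"merchant"`
	AmountCent int64  `json:"amount_cent"`
	TxID       string `json:"tx_id"` // unique per transaction; lets the issuer reject replays
}

// canonical returns the exact bytes that are signed and later verified.
// JSON with a fixed struct field order is sufficient for a demonstration.
func canonical(t Transaction) []byte {
	b, err := json.Marshal(t)
	if err != nil {
		panic(err) // cannot happen for this struct
	}
	return b
}

// Sign produces the account holder's digital signature over the transaction.
// The private key never leaves the holder's device; only the signature travels.
func Sign(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, canonical(t))
}

// Issuer verifies transactions against the public key registered for the
// account and remembers transaction ids it has already accepted.
type Issuer struct {
	pubkeys map[string]ed25519.PublicKey
	seen    map[string]bool
}

func NewIssuer() *Issuer {
	return &Issuer{pubkeys: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

func (is *Issuer) Register(accountRef string, pub ed25519.PublicKey) {
	is.pubkeys[accountRef] = pub
}

// Authorize accepts a transaction only if the account is known, the signature
// verifies under the registered public key, and the transaction id is new.
func (is *Issuer) Authorize(t Transaction, sig []byte) error {
	pub, ok := is.pubkeys[t.AccountRef]
	if !ok {
		return fmt.Errorf("unknown account %q", t.AccountRef)
	}
	if !ed25519.Verify(pub, canonical(t), sig) {
		return fmt.Errorf("signature does not verify for tx %s", t.TxID)
	}
	if is.seen[t.TxID] {
		return fmt.Errorf("replay: tx %s already authorized", t.TxID)
	}
	is.seen[t.TxID] = true
	return nil
}

// Demo walks through three cases: the genuine transaction is accepted; the
// identical sniffed transaction presented again is rejected as a replay; the
// sniffed transaction with an altered amount is rejected because the captured
// signature no longer matches the bytes.
func Demo() (genuineOK, replayRejected, tamperRejected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	issuer := NewIssuer()
	issuer.Register("acct-0001", pub) // constructed account reference

	tx := Transaction{AccountRef: "acct-0001", Merchant: "merchant-A", AmountCent: 4999, TxID: "tx-1"}
	sig := Sign(priv, tx)
	genuineOK = issuer.Authorize(tx, sig) == nil

	// Everything from here on is exactly what a sniffer at the merchant or
	// processor would have captured: the transaction bytes and the signature.
	replayRejected = issuer.Authorize(tx, sig) != nil

	altered := tx
	altered.AmountCent = 50000
	altered.TxID = "tx-2"
	tamperRejected = issuer.Authorize(altered, sig) != nil
	return genuineOK, replayRejected, tamperRejected
}

func main() {
	g, r, t := Demo()
	fmt.Println("genuine accepted:", g, "replay rejected:", r, "altered rejected:", t)
}
```

The captured material (account reference, merchant, amount, signature) is still fully visible to the sniffer, which is the post's point: the standard does not hide the data, it just removes what the data is worth without the private key.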

It's Me, and Here's My Proof: Why Identity and Authentication Must Remain Distinct

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: It's Me, and Here's My Proof: Why Identity and Authentication Must Remain Distinct
Date: Jan 22, 2009
Blog: identitymanagement
It's Me, and Here's My Proof: Why Identity and Authentication Must Remain Distinct
http://technet.microsoft.com/en-us/library/cc512578.aspx

from above:
This month I'd like to explore the concepts of identity, authentication, and authorization, to help you understand their important distinctions, and to help guard you against the increasingly common tendency to combine the first two.

... snip ...

also pointed to by:

Identity, Authentication, and Authorization
http://www.schneier.com/blog/archives/2009/01/identity_authen.html

related to dual-use vulnerability metaphor ... some recent references:
http://www.garlic.com/~lynn/2009.html#60
http://www.garlic.com/~lynn/2009.html#66
http://www.garlic.com/~lynn/2009.html#69
http://www.garlic.com/~lynn/2009.html#72

recent post in ssh newsgroup
http://www.garlic.com/~lynn/2009b.html#14

and similar thread from earlier part of the decade:
http://www.garlic.com/~lynn/aepay11.htm#66 Confusing Authentication and Identiification?
http://www.garlic.com/~lynn/aepay11.htm#72 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/aepay11.htm#73 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/aepay12.htm#1 Confusing business process, payment, authentication and identification
http://www.garlic.com/~lynn/aepay12.htm#2 Confusing business process, payment, authentication and identification
http://www.garlic.com/~lynn/aepay12.htm#3 Confusing business process, payment, authentication and identification
http://www.garlic.com/~lynn/aepay12.htm#4 Confusing business process, payment, authentication and identification

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

It's Me, and Here's My Proof: Why Identity and Authentication Must Remain Distinct

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: It's Me, and Here's My Proof: Why Identity and Authentication Must Remain Distinct
Date: Jan 22, 2009
Blog: Financial Crime Risk, Fraud and Security
re:
http://www.garlic.com/~lynn/2009b.html#15 It's Me, and Here's My Proof: Why Identity and Authentication Must Remain Distinct

oh, and there is a different kind of dual-use vulnerability involving the use of digital signatures.

we had been called in to help word-smith the cal. electronic signature legislation. at the time there seemed to be an enormous number of people who confused digital signature and human signature ... possibly because of confusion over the two terms both containing the word signature ... lots of past posts
http://www.garlic.com/~lynn/subpubkey.html#signature

it is possible to use a digital signature in a business process that would meet the requirements for a human signature ... however it is the business process that provides the equivalence ... not the digital signature.

there is also a dual-use vulnerability if a digital signature is used as representing the human signature business process (as indication of read, understood, approves, authorizes, agrees) and if the same "private key" was also used for authentication purposes ... which frequently consists of server sending some random data (as countermeasure to replay attack) to be digitally signed.

past thread/posts discussing this other kind of dual-use vulnerability
http://www.garlic.com/~lynn/aadsm17.htm#57 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm17.htm#59 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#0 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#1 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#2 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#3 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#4 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#6 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#12 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#13 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#17 should you trust CAs? (Re: dual-use digital signature vulnerability)

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
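
An added example of the dual-use digital signature vulnerability described in the post above, written for this archive rather than taken from the post or from any of the linked threads. It assumes one Ed25519 key pair is used both for document approval and for challenge-response authentication, that approval means signing the SHA-256 hash of the document, and that the naive authentication client signs whatever challenge bytes the server sends; the "purpose" prefixes and the client nonce in the corrected variant are this example's own choice of domain separation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// approvalMsgNaive is what the holder signs to indicate "read, understood,
// approved" in the naive scheme: the bare document hash.
func approvalMsgNaive(doc []byte) []byte {
	h := sha256.Sum256(doc)
	return h[:]
}

// authMsgNaive is what the naive client signs to authenticate: exactly the
// bytes the server sent, with nothing saying what the signature is for.
func authMsgNaive(challenge []byte) []byte {
	return challenge
}

// The domain-separated variants bind the purpose into the signed bytes, and
// the client mixes in its own nonce so a server never fully controls what
// gets signed. (Constructed tags; any unambiguous encoding would do.)
func approvalMsgSeparated(doc []byte) []byte {
	h := sha256.Sum256(doc)
	return append([]byte("purpose=document-approval/v1\x00"), h[:]...)
}

func authMsgSeparated(challenge, clientNonce []byte) []byte {
	m := []byte("purpose=challenge-response-auth/v1\x00")
	m = append(m, challenge...)
	m = append(m, clientNonce...)
	return m
}

// Result reports how each scheme fared against a rogue "random" challenge.
type Result struct {
	NaiveAbused   bool // the auth signature verifies as a document approval
	SeparatedSafe bool // the same trick fails once purposes are separated
}

// Run plays the scenario: the holder has one key pair for both approvals and
// logins. A rogue server sends, as its login challenge, not random data but
// the hash of a contract the holder has never seen.
func Run() Result {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	contract := []byte("constructed contract text the holder never read")

	// The rogue challenge: the approval bytes for the contract.
	challenge := approvalMsgNaive(contract)

	// Naive client: signs the challenge as received. The approval verifier
	// checks the same bytes, so it accepts the login signature as approval.
	sigAuth := ed25519.Sign(priv, authMsgNaive(challenge))
	naiveAbused := ed25519.Verify(pub, approvalMsgNaive(contract), sigAuth)

	// Separated client: the signed bytes carry the auth purpose tag and a
	// client nonce, so they can never equal the approval bytes for anything.
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	sigAuth2 := ed25519.Sign(priv, authMsgSeparated(challenge, nonce))
	separatedSafe := !ed25519.Verify(pub, approvalMsgSeparated(contract), sigAuth2)

	return Result{NaiveAbused: naiveAbused, SeparatedSafe: separatedSafe}
}

func main() {
	r := Run()
	fmt.Printf("naive scheme abused: %v, separated scheme safe: %v\n", r.NaiveAbused, r.SeparatedSafe)
}
```

The post's own conclusion stands behind the code: the equivalence to a human signature comes from the business process, and a process that lets the same key sign unlabelled server-chosen bytes has no way to tell "I logged in" from "I agreed".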

Fraud -- how can you stay one step ahead?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Fraud -- how can you stay one step ahead?
Date: Jan 22, 2009
Blog: Financial Crime Risk, Fraud and Security
recent article:

Corporate Fraud and Misconduct Risks Driven by Pressure to do 'Whatever It Takes'; Fewer episodes reported by companies with ethics and compliance programs
http://www.informationweek.com/financialservices/news/showArticle.jhtml?articleID=215801487

from above:
Of more than 5,000 U.S. workers polled this summer, 74 percent said they had personally observed misconduct within their organizations during the prior 12 months, unchanged from the level reported by KPMG survey respondents in 2005. Roughly half (46 percent) of respondents reported that what they observed "could cause a significant loss of public trust if discovered," a figure that rises to 60 percent among employees working in the banking and finance industry.

... snip ...

misc. past posts/discussions mentioning above:
http://www.garlic.com/~lynn/2008s.html#27 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#29 Let IT run the company!
http://www.garlic.com/~lynn/2008s.html#30 How reliable are the credit rating companies? Who is over seeing them?
http://www.garlic.com/~lynn/2008s.html#35 Is American capitalism and greed to blame for our financial troubles in the US?
http://www.garlic.com/~lynn/2008s.html#36 What is the top security threat prediction of 2009?
http://www.garlic.com/~lynn/2008s.html#47 Executive pay: time for a trim?
http://www.garlic.com/~lynn/2009b.html#11 Amid Economic Turbulence, Mainframes Counter IT Cost-Cutting Trend

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Barbless

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Barbless
Newsgroups: alt.folklore.computers
Date: Thu, 22 Jan 2009 14:22:43 -0500
krw <krw@att.zzzzzzzzz> writes:
Crap. Paulsen's boondoggle was a lot of money and we've only just started to pull that thread.

recent article:

Roubini Predicts U.S. Losses May Reach $3.6 Trillion
http://www.bloomberg.com/apps/news?pid=20601087&sid=aS0yBnMR3USk&refer=home

from above:
U.S. financial losses from the credit crisis may reach $3.6 trillion, suggesting the banking system is "effectively insolvent," said New York University Professor Nouriel Roubini, who predicted last year's economic crisis.

... snip ...

couple recent posts mentioning above:
http://www.garlic.com/~lynn/2009b.html#1 Are Both The U.S. & UK on the brink of debt disaster?
http://www.garlic.com/~lynn/2009b.html#8 Do emperors from the banks have new clothes?

and old article from last spring that estimated that 1000 executives are responsible for 80% of the problem and it would go a long way to correcting the problems if the gov. could figure out how they lose their jobs:
http://knowledge.wharton.upenn.edu/article.cfm?articleid=1933 (gone 404 and/or requires registration)

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

US credit card payment house breached by sniffing malware

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: US credit card payment house breached by sniffing malware
Date: Jan 23, 2009
Blog: Financial Crime Risk, Fraud and Security
re:
http://www.garlic.com/~lynn/2009b.html#6 US credit card payment house breached by sniffing malware
http://www.garlic.com/~lynn/2009b.html#13 US credit card payment house breached by sniffing malware

Banks' Card Reissuance Indicates Probable Scope of Heartland Breach
http://www.digitaltransactions.net/newsstory.cfm?newsid=2066

from above ...
.... evidence is building that banks and credit unions around the country are reissuing cards on a mass scale as a likely result of the breach. That could give credence to early speculation that Heartland's will go down as a huge data breach--one of the largest, if not the largest

... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

what was the idea behind Citigroup's splitting up into two different divisions? what does this do for citigroup?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: what was the idea behind Citigroup's splitting up into two different divisions? what does this do for citigroup?
Date: Jan 23, 2009
Blog: Equity Markets
re:
http://www.garlic.com/~lynn/2009.html#84 what was the idea behind Citigroup's splitting up into two different divisions? what does this do for citigroup?

part of citi's problems appears to be trying to decide when/how to bring the $1.1T in toxic assets back on to the balance sheet (and how to value them for declaring the associated losses) ... recent somewhat related article:

Roubini Predicts U.S. Losses May Reach $3.6 Trillion
http://www.bloomberg.com/apps/news?pid=20601087&sid=aS0yBnMR3USk&refer=home

from above:
U.S. financial losses from the credit crisis may reach $3.6 trillion, suggesting the banking system is "effectively insolvent," said New York University Professor Nouriel Roubini, who predicted last year's economic crisis.

... snip ...

couple recent posts mentioning above:
http://www.garlic.com/~lynn/2009b.html#1 Are Both The U.S. & UK on the brink of debt disaster?
http://www.garlic.com/~lynn/2009b.html#8 Do emperors from the banks have new clothes?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

ICSF and VISA/MasterCard?amex reference list

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: ICSF and VISA/MasterCard?amex reference list
Newsgroups: bit.listserv.ibm-main
Date: Fri, 23 Jan 2009 16:25:00 -0500
jayarelim@HOTMAIL.COM (J R) writes:
As Ted mentioned, Canadian banks use it. It is also used extensively by European banks and those in the Antipodes.

What do these banks have in common? They use all the traditional EFT cryptography *plus* the additional functionality for EMV (SmartCards).

Also, being inboard, IBM crypto is inherently more secure than attached outboard offerings and benchmarks an order of magnitude faster.

lots of fast crypto can also be leveraged to do a brute force attack ... the faster and the more secure the better.

remember the "DES cracking" machine (I've a souvenir chip from the machine in a box someplace)
https://en.wikipedia.org/wiki/EFF_DES_cracker

maybe 15-20 yrs ago ... a mainframe connected (internal financial/banking) desktop was compromised ... so that it would perform brute force attacks on PIN numbers ... effectively sending large number of "PINed" zero transactions to the mainframe ... until it found the correct values. 4 digit PINs ... 10k possible values ... on the avg, brute force finds the correct value after half the search space ... i.e. 5k attempts. High-performance mainframe becomes a super PIN cracking machine.

PIN'ed operations have some easier attacks:

• a lot of debit cards now can be used in either PIN-debit mode or signature-debit mode ... attacker skims the magstripe information and creates counterfeit card for use in "signature-debit" mode (basically the same as credit card)

multi-factor authentication is nominally considered more secure assuming that the different factors have independent vulnerabilities ... aka PIN something you know authentication is considered countermeasure for lost/stolen (something you have) card. lots of past posts mentioning 3-factor authentication paradigm
http://www.garlic.com/~lynn/subintegrity.html#3factor

Possibly two decades ago, slightly more sophisticated skimming technology started being used to record both the magstripe and the PIN ... at the same time; which invalidates the assumption about independent vulnerabilities. Note that even with such vulnerabilities, signature-debit fraud numbers are 15 times higher than PIN-debit. part of this can be a lot of fraud is happening as a result of data breaches ... where only the magstripe information is readily available.

some recent posts mentioning the breach hitting the news on tuesday ... and is shaping up to be the largest to-date:
http://www.garlic.com/~lynn/2009b.html#6 US credit card payment house breached by sniffing malware
http://www.garlic.com/~lynn/2009b.html#13 US credit card payment house breached by sniffing malware
http://www.garlic.com/~lynn/2009b.html#19 US credit card payment house breached by sniffing malware

• PINs are a form of shared-secret something you have authentication ... lots of past posts about shared-secret authentication
http://www.garlic.com/~lynn/subintegrity.html#secret
recent post comparing shared-secret and "public-key"
http://www.garlic.com/~lynn/2009b.html#14 question about ssh-keygen with empty passphrase

nominal security procedure for shared-secrets is to have a unique shared-secret for every unique security domain (in part as a countermeasure to x-domain attacks). 40yrs ago with only a couple such shared-secrets, it was a relatively easy paradigm to deal with. roll forward 40 yrs ... and now it isn't unusual to have several scores of unique shared-secrets. Because of the human factors dealing with such large number of shared-secrets, some studies have found that 1/3rd of debit cards have the PIN written on them.

The shared-secret paradigm for something you know authentication is not the only kind that is vulnerable to skimming, eavesdropping, harvesting, sniffing, and/or data breaches ... as already mentioned the information from "magstripes" (something you have authentication) is also vulnerable ... and can be used to create counterfeit cards.

There is a case where a presumably well-designed chip-card was trivially vulnerable to similar (magstripe) skimming attack. The chip would present "static data" and then strong cryptography was used to verify that the information was valid. However, since the information was "static" ... it was trivial to skim the "valid data" and place it in a counterfeit chip-card. POS terminals would ask a (valid) chip-card three questions (after performing crypto validation of the static data): 1) was the correct PIN entered, 2) should the transaction be done offline, and 3) is the transaction within the account credit limit. The counterfeit chip-cards got the nickname YES CARDS ... since they would always answer YES to all three questions. reference to presentation on yes cards at cartes2002:
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html
and misc. past posts mentioning yes cards:
http://www.garlic.com/~lynn/subintegrity.html#yescard

note that a valid chip-card required the correct PIN to be entered before performing a valid transaction. However, it wasn't necessary to even skim the PIN ... since a counterfeit yes card, would always claim that the correct PIN was entered ... regardless of what was entered. there were sarcastic comments from some members of the industry that billions of dollars were spent to prove that chipcards are less secure than magstripe cards.

there were some large scale deployments in the period ... that seem to just evaporate.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
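
An added example built around the compromised-desktop PIN guessing story in the post above (the zero-value "PINed" transactions fired at the host until the PIN checks out). It is not code from the post or from any issuer system; it assumes a constructed authorization log format (timestamp, terminal, account, amount in cents, PIN result), a sliding-window detection rule, and a simple per-account retry counter on the verifier side, which is the standard countermeasure that turns a 5,000-attempt average search into a handful of attempts before lockout.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// sampleLog is a constructed authorization log, not a capture from any real
// system. Fields: timestamp, terminal id, account ref, amount (cents), PIN result.
const sampleLog = `2009-01-23T10:00:01Z term-17 acct-0001 0 PIN_FAIL
2009-01-23T10:00:02Z term-17 acct-0001 0 PIN_FAIL
2009-01-23T10:00:03Z term-17 acct-0001 0 PIN_FAIL
2009-01-23T10:00:04Z term-17 acct-0001 0 PIN_FAIL
2009-01-23T10:00:05Z term-17 acct-0001 0 PIN_OK
2009-01-23T10:00:09Z term-02 acct-0002 2500 PIN_FAIL
2009-01-23T10:00:40Z term-02 acct-0002 2500 PIN_OK`

// Attempt is one parsed log line.
type Attempt struct {
	At      time.Time
	Term    string
	Account string
	Amount  int64
	PinOK   bool
}

// ParseLog parses the whitespace-separated format above; a malformed line
// is reported rather than silently skipped.
func ParseLog(s string) ([]Attempt, error) {
	var out []Attempt
	for n, line := range strings.Split(strings.TrimSpace(s), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", n+1, len(f))
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %v", n+1, err)
		}
		amt, err := strconv.ParseInt(f[3], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("line %d: %v", n+1, err)
		}
		out = append(out, Attempt{At: at, Term: f[1], Account: f[2], Amount: amt, PinOK: f[4] == "PIN_OK"})
	}
	return out, nil
}

// FlagPinGuessing returns the accounts that accumulated at least threshold
// failed PIN checks on zero-amount transactions from one terminal within
// window. Zero-amount probes are the pattern the post describes; ordinary
// mistyped PINs on real purchases (acct-0002) are left alone.
func FlagPinGuessing(attempts []Attempt, window time.Duration, threshold int) []string {
	type key struct{ term, account string }
	recent := map[key][]time.Time{}
	flagged := map[string]bool{}
	var out []string
	for _, a := range attempts {
		if a.PinOK || a.Amount != 0 {
			continue
		}
		k := key{a.Term, a.Account}
		ts := append(recent[k], a.At)
		i := 0
		for i < len(ts) && a.At.Sub(ts[i]) > window { // slide the window forward
			i++
		}
		recent[k] = ts[i:]
		if len(recent[k]) >= threshold && !flagged[a.Account] {
			flagged[a.Account] = true
			out = append(out, a.Account)
		}
	}
	return out
}

// PinVerifier is the issuer-side check with a retry counter: after maxTries
// consecutive failures the account is locked and even the correct PIN is
// refused until it is unlocked out of band. Storing PINs in clear is a
// simplification for the example; real issuers store verification values.
type PinVerifier struct {
	pins     map[string]string
	failures map[string]int
	maxTries int
}

func NewPinVerifier(maxTries int) *PinVerifier {
	return &PinVerifier{pins: map[string]string{}, failures: map[string]int{}, maxTries: maxTries}
}

func (v *PinVerifier) Enroll(account, pin string) { v.pins[account] = pin }

// Verify reports (accepted, locked).
func (v *PinVerifier) Verify(account, pin string) (accepted, locked bool) {
	stored, known := v.pins[account]
	if !known || v.failures[account] >= v.maxTries {
		return false, known
	}
	if subtle.ConstantTimeCompare([]byte(stored), []byte(pin)) == 1 {
		v.failures[account] = 0
		return true, false
	}
	v.failures[account]++
	return false, v.failures[account] >= v.maxTries
}

// GuessSuccessProbability is the chance a guesser with maxTries attempts hits
// a uniformly chosen digits-long PIN: 3 tries against 4 digits is 0.0003,
// versus the certain success of an unlimited search (5,000 tries on average).
func GuessSuccessProbability(digits, maxTries int) float64 {
	space := 1
	for i := 0; i < digits; i++ {
		space *= 10
	}
	return float64(maxTries) / float64(space)
}

func main() {
	attempts, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("flagged accounts:", FlagPinGuessing(attempts, 60*time.Second, 3))
	v := NewPinVerifier(3)
	v.Enroll("acct-0001", "4821") // constructed PIN
	for i := 0; i < 3; i++ {
		v.Verify("acct-0001", "0000")
	}
	ok, locked := v.Verify("acct-0001", "4821")
	fmt.Println("correct PIN after lockout accepted:", ok, "locked:", locked)
	fmt.Println("guess probability, 4 digits, 3 tries:", GuessSuccessProbability(4, 3))
}
```

The detection rule keys on terminal and account together because the post's attacker was a single compromised desktop; a retry counter on the host side is what makes the "super PIN cracking machine" stop after three answers no matter how fast the host is.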

Evil weather

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Evil weather
Newsgroups: alt.folklore.computers
Date: Fri, 23 Jan 2009 19:09:34 -0500
Morten Reistad <first@last.name> writes:
As a comparison; Lynn would know how the 43xx series was built. I would guess a high degree of robot made components, but a final manual assembly, at least until 1985ish.

old 43xx email (mostly 4341) ... starting '79
http://www.garlic.com/~lynn/lhwemail.html#43xx

4331 (30jan79-18nov81)
http://www-03.ibm.com/ibm/history/exhibits/mainframe/mainframe_PP4331.html

4341 (30jan79-11feb86)
http://www-03.ibm.com/ibm/history/exhibits/mainframe/mainframe_PP4341.html

4361 (4331 follow-on, 15sep83-17feb87)
http://www-03.ibm.com/ibm/history/exhibits/mainframe/mainframe_PP4361.html

4381 (4341 follow-on, 15sep83-19aug92)
http://www-03.ibm.com/ibm/history/exhibits/mainframe/mainframe_PP4381.html

4381 was originally going to be a risc/801 based processor; Iliad, running "microcode" implementing 370. this was part of corporate-wide effort to move the large number of different internal microprocessors to risc/801 ... including, originally as/400. risc/801 effort was suspended and both 4381 and as/400 moved to their own cisc processor. misc. past posts mentioning 801, romp, rios, iliad
http://www.garlic.com/~lynn/subtopic.html#801

corporation also had a field maintenance/service process that included a "bootstrap" process that started out with "scoping" faulty components. beginning with 3081 ... components were so highly integrated that it was no longer feasible to "scope" faulty components ... and so a "service processor" was introduced ... that had connections to multiple parts of the mainframe ... built during manufacturing (service processor was simple enough that it could be "scoped" as part of bootstrapped diagnoses, and then the service processor could be used to analyse the rest of the machine).

because of growing sophistication required of service processor ... it was decided to move to vm370 running on 4331 as the "service processor" for the 3090 (3081 follow-on ... with most of the "service" screens implemented in cms IOS3270) ... since the 4331 could be "scoped". Before 3090 shipped, it was decided to move to a pair of 4361 processors (and instead of having to diagnose a faulty 4361 processor ... switch to the redundant 4361; treat the service processor as redundant FRU) ... see mention of "3092" processor controller:
http://www-03.ibm.com/ibm/history/exhibits/mainframe/mainframe_PP3090.html

here is JR&D article "Electronic Packaging Evolution in IBM" up to 4300 & 3081
http://domino.research.ibm.com/tchjr/journalindex.nsf/4ac37cf0bdc4dd6a85256547004d47e1/9915bfd45fd3cd0685256bfa0067f4e1?OpenDocument

same from same issue: Semiconductor Manufacturing in IBM, 1957 to the Present: A Perspective
http://domino.research.ibm.com/tchjr/journalindex.nsf/4ac37cf0bdc4dd6a85256547004d47e1/d7a98629df33acbc85256bfa0067f4e3?OpenDocument

and MLC used in 4300 and 3081
http://domino.research.ibm.com/tchjr/journalindex.nsf/a3807c5b4823c53f85256561006324be/94bc3bbb7b2d2a4d85256bfa0067f566?OpenDocument

and for something a little different ... paper about using 4341 as tester in 3081 TCM manufacturing:
http://www.research.ibm.com/journal/rd/271/ibmrd2701G.pdf
from this article:
http://domino.research.ibm.com/tchjr/journalindex.nsf/4ac37cf0bdc4dd6a85256547004d47e1/088481b78493524885256bfa0067f569?OpenDocument

for other historical references ... this is a trip report of several locations ... doesn't actually talk about 4341 ... but does mention watching 3081s being built:
http://www.chilton-computing.org.uk/acd/literature/reports/p014.htm

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

BarCampBank - informal finance rantathon in London

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: BarCampBank - informal finance rantathon in London
Date: Jan 23, 2009
Blog: Financial Cryptography
re:
https://financialcryptography.com/cgi-bin/mt/mt-comments.cgi

this is a long-winded, decade-old post discussing some of the issues ... including discussion of citi nearly going under two decades ago because of ARMs and not adequately understanding what happens when interest rates adjust.
http://www.garlic.com/~lynn/aepay3.htm#riskm

I believe that some of the people involved in that analysis were part of forming a leading risk analysis (software) company in 1990.

Playing long/short mismatch has been known for centuries to bring down institutions. They (and others) have commented that Bear-Stearns and Lehman had marginal chance of surviving playing long/short mismatch (buying triple-A rated toxic CDOs) ... this discusses long/short mismatch and some number of other related issues:
http://www.forbes.com/2007/11/13/citigroup-suntrust-siv-ent-fin-cx_bh_1113hamiltonmatch.html
decade old article from the fed
http://www.frbsf.org/economic-research/publications/economic-letter/2000/september/short-term-international-borrowing-and-financial-fragility/

Playing long/short mismatch was independent of heavy leveraging, SIVs, and whether or not the (subprime) toxic CDOs deserved their triple-A ratings.

a couple recent, related archived (linkedin) discussions:
http://www.garlic.com/~lynn/2009.html#79 The Credit Crunch: Why it happened?
http://www.garlic.com/~lynn/2009.html#80 Are reckless risks a natural fallout of "excessive" executive compensation?
http://www.garlic.com/~lynn/2009.html#84 what was the idea behind Citigroup's splitting up into two different divisions?
http://www.garlic.com/~lynn/2009b.html#1 Are Both The U.S. & UK on the brink of debt disaster?
http://www.garlic.com/~lynn/2009b.html#8 Do emperors from the banks have new clothes?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Researchers wait for Downadup worm's second act

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Researchers wait for Downadup worm's second act
Date: Jan 24, 2009
Blog: Financial Crime Risk, Fraud and Security
Researchers wait for Downadup worm's second act; The 'well-engineered' worm was written by hackers who know their stuff
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126691

from above:
Downadup, also called "Conficker," has infected an estimated 6% of PCs worldwide. The worm spreads by exploiting a four-month-old vulnerability in Windows, by brute-force password attacks and by hitchhiking on USB devices like flash drives.

... snip ...

it's getting lots of play:

Downadup/Conflicker worm: When will the next shoe fall?
http://www.networkworld.com/news/2009/012309-downadup-conflicker-worm.html

from above:
"It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs," says Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks

... snip ...

others:
Conficker Hitting Hardest in Asia, Latin America
http://tech.yahoo.com/news/pcworld/20090124/tc_pcworld/confickerhittinghardestinasialatinamerica
Conficker Worm Spreads Fast, Infects Millions
http://www.crn.com/security/212902319
Downadup: The Web's Next Big Threat?
http://itmanagement.earthweb.com/secu/article.php/3798281/Downadup-The-Webs-Next-Big-Threat.htm

past references:
http://www.garlic.com/~lynn/2009b.html#7 Superworm seizes 9m PCs, 'stunned' researchers say
http://www.garlic.com/~lynn/2009b.html#10 Superworm seizes 9m PCs, 'stunned' researchers say

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick.
Date: Jan 24, 2009
Blog: Regulation and Compliance
There was a study last year showing that the ratio of executive compensation to worker compensation had exploded to 400:1, after being 20:1 for a long time, and 10:1 in most of the rest of the world.

The Fed's Too Easy on Wall Street
http://www.businessweek.com/stories/2008-03-19/the-feds-too-easy-on-wall-streetbusinessweek-business-news-stock-market-and-financial-advice

from above:
Here's a staggering figure to contemplate: New York City securities industry firms paid out a total of $137 billion in employee bonuses from 2002 to 2007, according to figures compiled by the New York State Office of the Comptroller. Let's break that down: Wall Street honchos earned a bonus of $9.8 billion in 2002, $15.8 billion in 2003, $18.6 billion in 2004, $25.7 billion in 2005, $33.9 billion in 2006, and $33.2 billion in 2007.

... snip ...

some part of the $700B Wall Street bailout possibly goes to replenish the $137B sucked out of the infrastructure (as reward for their part in creating the current situation).

... from a couple weeks ago

Bailed-Out Banks Dole Out Bonuses; Goldman Sachs, CitiGroup, Others Mum on How They Are Using TARP Cash
http://abcnews.go.com/WN/Business/story?id=6498680&page=1

from above:
Goldman Sachs, which accepted $10 billion in government money, and lost $2.1 billion last quarter, announced Tuesday that it handed out $10.93 billion in benefits, bonuses, and compensation for the year.

... snip ...

GAO has started a database of an increasing number of cases involving executives fiddling public company financial reports (in spite of SOX). The executives get a boost in compensation based on the fiddled numbers. Later the financials may be restated ... but the compensation is not forfeited. One example: in 2004 Freddie was fined $400m for $10b of fiddled financials and the CEO replaced ... but allowed to keep tens of millions (hundred?).

GAO references:
http://www.gao.gov/products/GAO-03-138
http://www.gao.gov/products/GAO-06-678
http://www.gao.gov/products/GAO-06-1053R
http://www.gao.gov/special.pubs/gao-06-1079sp//index.html

from above:
The database consists of two files: (1) a file that lists 1,390 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between July 1, 2002, and September 30, 2005, and (2) a file that lists 396 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between October 1, 2005, and June 30, 2006.

... snip ...

Part of the issue is that there may be extreme downside to the business operation ... but it appears that the executives still believe that they will come out ahead.

There was a study last fall of 270 companies that had redone their executive compensation plans to reduce the motivation for fiddling.

Corporate Fraud and Misconduct Risks Driven by Pressure to do 'Whatever It Takes'; Fewer episodes reported by companies with ethics and compliance programs
http://www.informationweek.com/financialservices/news/showArticle.jhtml?articleID=215801487

from above:
Of more than 5,000 U.S. workers polled this summer, 74 percent said they had personally observed misconduct within their organizations during the prior 12 months, unchanged from the level reported by KPMG survey respondents in 2005. Roughly half (46 percent) of respondents reported that what they observed "could cause a significant loss of public trust if discovered," a figure that rises to 60 percent among employees working in the banking and finance industry.

... snip ...

If the overall avg. is 46 percent and the financial industry is 60 percent, then the non-financial avg. may be as low as 30 percent ... making the financial industry twice as bad as other industries.

Last spring there was a business school article about the effects of securitization (this was even before the congressional hearings about the rating agencies knowing that the toxic CDOs weren't worth triple-A ratings) that estimated that possibly 1000 executives are responsible for 80% of the current mess (and it would go a long way to fixing the situation if the gov. could figure out how they could lose their jobs)
http://knowledge.wharton.upenn.edu/article.cfm?articleid=1933 (gone 404 and/or requires registration)

of course then there is Boyd's advice:
"There are two career paths in front of you, and you have to choose which path you will follow. One path leads to promotions, titles, and positions of distinction.... The other path leads to doing things that are truly significant for the Air Force, but the rewards will quite often be a kick in the stomach because you may have to cross swords with the party line on occasion. You can't go down both paths, you have to choose. Do you want to be a man of distinction or do you want to do things that really influence the shape of the Air Force? To be or to do, that is the question." Colonel John R. Boyd, USAF 1927-1997

From the dedication of Boyd Hall, United States Air Force Weapons School, Nellis Air Force Base, Nevada. 17 September 1999

... snip ...

I had quoted it in a post from 2000:
http://www.garlic.com/~lynn/2000e.html#35 War, Chaos & Business

and lots of other past references to John Boyd
http://www.garlic.com/~lynn/subboyd.html

past posts mentioning the "The Fed's Too Easy on Wall Street" article:
http://www.garlic.com/~lynn/2008g.html#66 independent appraisers
http://www.garlic.com/~lynn/2008h.html#42 The Return of Ada
http://www.garlic.com/~lynn/2008n.html#52 Technology and the current crisis
http://www.garlic.com/~lynn/2008n.html#53 Your thoughts on the following comprehensive bailout plan please
http://www.garlic.com/~lynn/2008n.html#56 VMware Chief Says the OS Is History
http://www.garlic.com/~lynn/2008n.html#69 Another quiet week in finance
http://www.garlic.com/~lynn/2008n.html#82 Fraud in financial institution
http://www.garlic.com/~lynn/2008o.html#18 Once the dust settles, do you think Milton Friedman's economic theories will be laid to rest
http://www.garlic.com/~lynn/2008o.html#26 SOX (Sarbanes-Oxley Act), is this really followed and worthful considering current Financial Crisis?
http://www.garlic.com/~lynn/2008o.html#28 Does anyone get the idea that those responsible for containing this finanical crisis are doing too much?
http://www.garlic.com/~lynn/2008o.html#31 The human plague
http://www.garlic.com/~lynn/2008o.html#32 How much is 700 Billion Dollars??
http://www.garlic.com/~lynn/2008p.html#8 Global Melt Down
http://www.garlic.com/~lynn/2008r.html#61 The vanishing CEO bonus
http://www.garlic.com/~lynn/2008r.html#64 Is This a Different Kind of Financial Crisis?
http://www.garlic.com/~lynn/2008s.html#32 How Should The Government Spend The $700 Billion?
http://www.garlic.com/~lynn/2008s.html#33 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#35 Is American capitalism and greed to blame for our financial troubles in the US?
http://www.garlic.com/~lynn/2008s.html#41 Executive pay: time for a trim?
http://www.garlic.com/~lynn/2009.html#73 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#80 Are reckless risks a natural fallout of "excessive" executive compensation ?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

A question about arp tables

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: A question about arp tables...
Newsgroups: comp.protocols.tcp-ip
Date: Sun, 25 Jan 2009 14:54:30 -0500
vjs@calcite.rhyolite.com (Vernon Schryver) writes:
It might be a little easier to read the 1993 version (reno or tahoe?) in
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/if_ether.c?rev=1.1


I still have a source copy of the '89 version.
2056934 1989-07-19 12:39 tahoe43.tar.gz

We had found a bug in the tahoe IP code calling ARP ... when we were doing our HA/CMP product ... misc. past posts
http://www.garlic.com/~lynn/subtopic.html#hacmp

The ip-routine would save the last returned (MAC) value from the ARP routine. In the "fall-over" case ... we would perform IP-address take-over. Nominally, ARP is supposed to "time-out" the values in the tables ... which would allow IP-address take-over to work (i.e. same ip-address with different MAC address).

The ip "fastpath" (saving of last returned MAC response for IP-address ... and continuing to use that response as long as the IP-address hasn't changed) ... would never time-out.

lots of the environments being dealt with were "strongly" client/server (nearly all client activity was with the same server for extended periods of time). Not being able to source update most of the platforms ... a hack was to have the server(s) keep a list of known client IP-addresses ... and in the case of (fall-over and) ip-address take-over ... "hit" each one of the clients with a packet using a different ip-address (forcing clients to process a different IP-address and make a real call to the ARP routine).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
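
As an added example (constructed for this archive; it is not the Tahoe source or the HA/CMP code), a small model of the behaviour the post above describes: a client ARP table whose entries age out, an IP-layer "fastpath" that pins the last MAC returned by ARP and never rechecks it, and the work-around of hitting the client from a different IP address so that its reply goes through a real ARP call. The addresses, the ARP lifetime and the clock are made up.

```python
# Toy model of the ARP "fastpath" problem described in the post above.
# Constructed for illustration; addresses, timings and the clock are made up.

ARP_TTL = 20 * 60   # seconds an ARP table entry lives before it must be re-resolved (assumed)


class ClientStack:
    """A client's IP layer with (a) an ARP table whose entries age out and
    (b) an optional IP-layer 'fastpath' that pins the MAC last returned by ARP
    and never consults ARP again while the destination IP stays the same."""

    def __init__(self, network, fastpath, clock):
        self.network = network      # ip -> mac: whoever currently answers ARP for that IP
        self.fastpath = fastpath
        self.clock = clock          # callable returning simulated seconds
        self.arp_table = {}         # ip -> (mac, expiry)
        self.last = None            # (ip, mac) remembered by the IP routine

    def arp_lookup(self, ip):
        """Real ARP: use a fresh table entry, otherwise broadcast and let the owner answer."""
        now = self.clock()
        entry = self.arp_table.get(ip)
        if entry is None or entry[1] <= now:
            mac = self.network[ip]
            self.arp_table[ip] = (mac, now + ARP_TTL)
            return mac
        return entry[0]

    def send(self, dst_ip):
        """Return the destination MAC the frame to dst_ip is addressed to."""
        if self.fastpath and self.last is not None and self.last[0] == dst_ip:
            return self.last[1]     # the bug: this cached answer has no time-out at all
        mac = self.arp_lookup(dst_ip)
        self.last = (dst_ip, mac)
        return mac


def takeover_scenario(fastpath, nudge):
    """Primary 10.0.0.1 (aa:aa) fails; the backup (bb:bb) takes over the IP address.
    Returns the MAC the client's next frame to 10.0.0.1 is sent to."""
    clock = [0.0]
    network = {"10.0.0.1": "aa:aa", "10.0.0.2": "bb:bb"}   # constructed addresses
    client = ClientStack(network, fastpath, clock=lambda: clock[0])

    client.send("10.0.0.1")                 # normal client/server traffic before the failure
    network["10.0.0.1"] = "bb:bb"           # IP-address take-over by the backup
    clock[0] += 2 * ARP_TTL                 # long enough for any ARP table entry to expire

    if nudge:
        # The work-around from the post: the server "hits" the client from a different
        # IP address; the client's reply to that address goes through a real ARP call
        # and displaces the pinned (ip, mac) pair.
        client.send("10.0.0.2")
    return client.send("10.0.0.1")


if __name__ == "__main__":
    for fp, nd in ((False, False), (True, False), (True, True)):
        print(f"fastpath={fp!s:5} nudge={nd!s:5} -> frames go to {takeover_scenario(fp, nd)}")
```

Without the fastpath the expired ARP entry is re-resolved and traffic follows the IP address to the backup; with it, frames keep going to the dead MAC until the client is made to resolve a different address. Note that in this model a gratuitous ARP from the backup would refresh arp_table but not the pinned `last` pair, which is why the post's work-around goes through a different IP rather than through ARP itself.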

ACM fellow for reinventing virtual machines

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: ACM fellow for reinventing virtual machines
Newsgroups: alt.folklore.computers
Date: Sun, 25 Jan 2009 14:57:21 -0500
and somebody named ACM fellow for reinventing virtual machines:
http://fellows.acm.org/fellow_citation.cfm?id=4094918&srt=year&year=2008

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Online-Banking Authentication

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Online-Banking Authentication
Date: Jan 25, 2009
Blog: identitymanagement
One of the things I did as part of the AADS chip strawman was make random (public) key (pair) generation part of the chip manufacturing and test process ... where it was leveraged to also reduce chip verification costs in the fab ... as well as eliminate lots of post-fab processing steps and costs. I had joked in the mid-90s that I was looking at taking a $500 milspec part and cost-reducing it by 2-3 orders of magnitude while increasing the integrity.
http://www.garlic.com/~lynn/x959.html#aads

There are lots of scenarios where any kind of "static data" is skimmed (for impersonation and/or fraudulent purposes) and it is likely that it should be made part of authentication history ... recent post in mainframe thread discussing some of the aspects:
http://www.garlic.com/~lynn/2009b.html#21 ICSF

Long ago and far away, we had been called in to consult with a small client/server startup that wanted to do payment transactions on their server ... and they had this technology they had invented called SSL they wanted to use (frequently now referred to as electronic commerce) ... as part of that effort we had to do lots of end-to-end audits of various parts of the business processes ... as well as suggest some number of compensating processes for some.

Then in the mid-90s we were asked to participate in the x9a10 financial standard working group ... which had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments (POS, internet, face-to-face, unattended, debit, credit, stored-value, ach, contact, contactless, wireless, giftcard, etc ... i.e. ALL). Part of the effort was doing in-depth, end-to-end threat & vulnerability studies of the various environments. The result was the x9.59 financial standard
http://www.garlic.com/~lynn/x959.html#x959

X9.59 did nothing to prevent eavesdropping, skimming, harvesting, phishing, and/or data breaches. However, x9.59 slightly tweaked the paradigm so that such information was no longer useful to the attackers for the purpose of performing fraudulent transactions ... i.e. it eliminated the need to hide the "transactions". Now the major use of SSL in the world today is this earlier thing we worked on called electronic commerce ... for the purpose of hiding the transaction. No longer needing to hide the transaction ... then also eliminates the major purpose for SSL.

for related topic drift ... recent article:

Banks urged to change security policies
http://www.securecomputing.net.au/News/135149,banks-urged-to-change-security-policies.aspx

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

is privacy a security attribute(component or ?). If yes, why? If no why not?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: is privacy a security attribute(component or ?). If yes, why? If no why not?
Date: Jan 25, 2009
Blog: Information Security
here is the security acronym: PAIN
P ... privacy
A ... authentication
I ... integrity
N ... non-repudiation

lots of existing security, related to identity theft ... is not disclosing privacy information.

we had been tangentially involved with the cal. breach notification legislation. we had been called in to help word-smith the electronic signature act and several of the parties were also heavily involved in privacy issues. they had done detailed, in-depth consumer privacy studies ... and the number one consumer privacy issue was "identity theft" ... a lot of which involved crooks using harvested financial information from breaches to perform fraudulent transactions ... which there was little or nothing being done about. They seemed to believe that the publicity from breach notifications would motivate countermeasures.

Later we were invited to co-author the x9 financial x9.99 privacy standard .... which required taking into account things like GLBA, HIPAA, and EU-DPD. For that effort, i did a privacy subset of the merged security taxonomy & glossary ... reference here
http://www.garlic.com/~lynn/index.html#glosnote

in the past, there have been some assertions that it was necessary to increase strength of privacy, integrity, and authentication measures equally (to avoid falling prey to attacks on the weakest link) ... however, it is also possible to approach it from a different view point.

Long ago and far away, we had been called in to consult with a small client/server startup that wanted to do payment transactions on their server ... and they had this technology they had invented called SSL they wanted to use (frequently now referred to as electronic commerce) ... as part of that effort we had to do lots of end-to-end audits of various parts of the business processes ... as well as suggest some number of compensating processes for some.

Then in the mid-90s we were asked to participate in the x9a10 financial standard working group ... which had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments (POS, internet, face-to-face, unattended, debit, credit, stored-value, ach, contact, contactless, wireless, giftcard, etc ... i.e. ALL). Part of the effort was doing in-depth, end-to-end threat & vulnerability studies of the various environments. The result was the x9.59 financial standard
http://www.garlic.com/~lynn/x959.html#x959

X9.59 did nothing to prevent eavesdropping, skimming, harvesting, phishing, and/or data breaches. However, x9.59 slightly tweaked the paradigm so that such information was no longer useful to the attackers for the purpose of performing fraudulent transactions ... i.e. it eliminated the need to hide the "transactions".

Now, the major use of SSL in the world today is this early thing we worked on called electronic commerce for the purpose of hiding the transaction. No longer needing to hide the transaction ... then also eliminates the major purpose for SSL.

i.e. X9.59 changed the paradigm so it was no longer necessary to use privacy as a countermeasure to fraudulent transactions ... strong integrity and strong authentication were used instead

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
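
Added illustration of the paradigm described in the Online-Banking Authentication post above and again in this one: every transaction carries a digital signature made by a key that never leaves the chip, and the issuer checks it against a public key kept on file with the account, so a skimmed or breached copy of the transaction record is useless for making another one. This is constructed for the archive; it is not X9.59's actual message format, not the AADS chip's code, and not from the original posts. Choices that are assumptions here: a Schnorr signature over secp256k1 written out in plain Python so it runs on the standard library alone, a canonical field encoding, a per-account nonce for replay detection, and the issuer holding the public key in the account record; the account number, merchant names and amounts are made up.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants from the curve specification).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def _add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if a is INF:
        return b
    if b is INF:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P      # tangent slope (curve has a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time: for reading, not for a device)."""
    acc = INF
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def curve_ok():
    """Sanity check on the constants: G lies on the curve and has order N."""
    gx, gy = G
    return (gy * gy - gx ** 3 - 7) % P == 0 and _mul(N, G) is INF


def _h(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N


def _enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def keygen():
    """Key pair as generated inside the chip: d never leaves it, only the public point does."""
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)


def sign(d, pub, msg):
    """Schnorr signature: commit to a nonce point R, hash (R, pub, msg), respond with s."""
    k = secrets.randbelow(N - 1) + 1
    R = _mul(k, G)
    e = _h(_enc(R), _enc(pub), msg)
    return R, (k + e * d) % N


def verify(pub, msg, sig):
    R, s = sig
    if R is INF or not 0 < s < N:
        return False
    e = _h(_enc(R), _enc(pub), msg)
    return _mul(s, G) == _add(R, _mul(e, pub))


def encode(txn):
    """Canonical bytes of the fields the issuer will check; all of them sit under the signature."""
    return "|".join(f"{k}={txn[k]}" for k in sorted(txn)).encode()


class Issuer:
    """Account authority: keeps each account's public key on file with the account record
    (assumed arrangement) and approves only transactions that verify and have not been seen."""

    def __init__(self):
        self.accounts = {}   # account number -> public key
        self.seen = set()    # (account, nonce) pairs already approved

    def register(self, account, pub):
        self.accounts[account] = pub

    def authorize(self, txn, sig):
        pub = self.accounts.get(txn["account"])
        if pub is None or not verify(pub, encode(txn), sig):
            return "DECLINED: bad signature"
        key = (txn["account"], txn["nonce"])
        if key in self.seen:
            return "DECLINED: replay"
        self.seen.add(key)
        return "APPROVED"


def demo():
    """What an attacker holding the complete transaction record can and cannot do."""
    d, pub = keygen()
    issuer = Issuer()
    issuer.register("4000-1234", pub)                        # constructed account number
    txn = {"account": "4000-1234", "amount": "42.00", "merchant": "shop-a", "nonce": "0001"}
    sig = sign(d, pub, encode(txn))
    first = issuer.authorize(txn, sig)                       # the legitimate transaction
    # Everything below uses only data an eavesdropper or a breached merchant holds in full.
    replay = issuer.authorize(txn, sig)                      # same record presented again
    tampered = issuer.authorize(dict(txn, amount="4200.00"), sig)
    forged = issuer.authorize(dict(txn, merchant="mallory", nonce="0002"), sig)
    return first, replay, tampered, forged
```

The attacker in demo() sees the account number, amount, merchant, nonce, signature and public key, and still cannot replay, alter or originate a transaction; nothing in the record needed to be hidden for that to hold. What the scheme does not do, as the posts say, is stop the data being harvested in the first place.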

The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick.
Date: Jan 24, 2009
Blog: Regulation and Compliance
re:
http://www.garlic.com/~lynn/2009b.html#25 The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick

a tv business news show just now was debunking the recent excuses about the excesses; one excuse was that the remodeling excesses were done during a completely different environment ... the comment was that it was done a year ago ... when the economic environment was akin to the Dresden bombing (i.e. economic firestorm) ... before the Lehman bankruptcy ... which then took it more akin to Hiroshima level.

for a little topic drift ... misc. past posts using the economic firestorm analogy:
http://www.garlic.com/~lynn/2008o.html#78 Who murdered the financial system?
http://www.garlic.com/~lynn/2008o.html#80 Can we blame one person for the financial meltdown?
http://www.garlic.com/~lynn/2008o.html#82 Greenspan testimony and securization
http://www.garlic.com/~lynn/2008p.html#60 Did sub-prime cause the financial mess we are in?
http://www.garlic.com/~lynn/2008q.html#20 How is Subprime crisis impacting other Industries?
http://www.garlic.com/~lynn/2008s.html#57 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#62 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2009.html#42 Lets play Blame Game...?
http://www.garlic.com/~lynn/2009.html#52 The Credit Crunch: Why it happened?
http://www.garlic.com/~lynn/2009.html#71 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009b.html#1 Are Both The U.S. & UK on the brink of debt disaster?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Is SUN going to become x86'ed ??

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Is SUN going to become x86'ed ??
Newsgroups: alt.folklore.computers
Date: Mon, 26 Jan 2009 13:06:06 -0500
hcb@fki030.fki.uu.se (Hans-Christian Becker) writes:
(Apologies for the previous empty post.) I never liked digital speedometers either, and I think there is a reason why (among other) sportsbikes have large, analog tachos but digital speedometers. One gives important information, the other one not so much ...

there was some article that an analog watch provides a lot more information than a digital watch ... the spatial relationships of the hands not only indicate the current time but relationships since past time and before future time ... past post
http://www.garlic.com/~lynn/2003p.html#0 pointless embedded systems

boyd made some analogous comments about early heads-up displays done for the f16 ... scrolling digital values ... requiring the pilot to perform lots of (distracting) calculations in their heads ... significantly less efficient and slower than other kinds of (analog) presentations; past post
http://www.garlic.com/~lynn/2006g.html#1 The Pankian Metaphor

misc. past boyd (&/or OODA-loop) references
http://www.garlic.com/~lynn/subboyd.html#boyd

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Heartland Says Entire Industry Should Revamp Security

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Heartland Says Entire Industry Should Revamp Security
Date: Jan 26, 2009
Blog: Financial Crime Risk, Fraud and Security
Heartland Says Entire Industry Should Revamp Security
http://www.pcworld.com/businesscenter/article/158306/heartland_says_entire_industry_should_revamp_security.html

from above:
According to a spokesman, Heartland would like to see the recent breach incident used to help the industry find ways to better protect data by having payments processors work more closely together, possibly with law enforcement, to share information about attacks.

... snip ...

Recent post in a linkedin privacy discussion:
http://www.linkedin.com/answers/technology/information-technology/information-security/TCH_ITS_ISC/61597-3683456
also archived here:
http://www.garlic.com/~lynn/2009b.html#29

and archived post in linkedin identitymanagement group discussion:
Online-Banking Authentication
http://www.garlic.com/~lynn/2009b.html#28

other recent posts regarding the Heartland breach:
http://www.garlic.com/~lynn/2009b.html#6
http://www.garlic.com/~lynn/2009b.html#13
http://www.garlic.com/~lynn/2009b.html#19

a couple more ...

Heartland tries to rally industry in wake of data breach
http://www.networkworld.com/news/2009/022709-visa-new-payment-processor-data-breach.html
Heartland's Carr Calls for End-to-End Encryption To Stop Breaches
http://www.digitaltransactions.net/newsstory.cfm?newsid=2068

as referenced in other posts ... the x9.59 financial standard provided for end-to-end integrity and strong authentication .....
http://www.garlic.com/~lynn/x959.html#x959

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Phish-Pharming: Using social engineering to hijack domains at the source

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Phish-Pharming: Using social engineering to hijack domains at the source
Date: Jan 26, 2009
Blog: Financial Crime Risk, Fraud and Security
Domain name hijacking has been known for a long time.

Part of SSL was motivated by domain name infrastructure related to IP-address hijacking. However, the Certification Authorities still had a business process that would verify that the SSL domain name digital certificate applicant matched the "official" domain name owner, on file, with the official agency responsible for domain name owners. This was a time-consuming and expensive "identification" process ... in addition to being vulnerable to domain name hijacking (i.e. an attacker doing a domain name hijack could apply for and receive a perfectly valid SSL domain name certificate).

We had been called in to consult with a small client/server startup that wanted to do payment transactions on their server ... and they had invented this technology called SSL they wanted to use. As part of the payment transaction effort, we had to do some end-to-end business process reviews ... including these new things calling themselves certification authorities and issuing SSL domain name digital certificates. As part of that, we asked for some compensating processes as well as mentioning the domain name hijacking vulnerability (since the certification authorities were dependent on the domain name infrastructure as to the "owner" of a domain name). Lots of past posts mentioning ssl domain name digital certificates
http://www.garlic.com/~lynn/subpubkey.html#sslcert

there are a number of technologies that would improve the integrity of the domain name infrastructure as well as address many of the domain name hijacking scenarios ... however since a large part of the motivation for SSL was based on perceived weaknesses in the domain name infrastructure ... improving the domain name infrastructure has the downside of reducing the motivation for SSL ... several related past posts
http://www.garlic.com/~lynn/subpubkey.html#catch22

a few older posts mentioning domain name hijacking:
http://www.garlic.com/~lynn/aadsmore.htm#client1 Client-side revocation checking capability
http://www.garlic.com/~lynn/aadsmore.htm#client3 Client-side revocation checking capability
http://www.garlic.com/~lynn/aadsmore.htm#client4 Client-side revocation checking capability
http://www.garlic.com/~lynn/aadsmore.htm#pkiart Public Key Infrastructure: An Artifact...
http://www.garlic.com/~lynn/aadsmore.htm#pkiart2 Public Key Infrastructure: An Artifact...
http://www.garlic.com/~lynn/aepay4.htm#dnsinteg2 Domain Name integrity problem
http://www.garlic.com/~lynn/aadsm4.htm#3 Public Key Infrastructure: An Artifact...
http://www.garlic.com/~lynn/aadsm8.htm#softpki2 Software for PKI
http://www.garlic.com/~lynn/aadsm8.htm#softpki16 DNSSEC (RE: Software for PKI)
http://www.garlic.com/~lynn/aadsm9.htm#cfppki5 CFP: PKI research workshop

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Will the recession drive consumers away from credit cards towards prepaid cards / debit cards?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Will the recession drive consumers away from credit cards towards prepaid cards / debit cards?
Date: Jan 26, 2009
Blog: Payment Systems Network
A couple of old articles:

Debit Card Volume Passes Credit Card (or did it?)
http://www.netbanker.com/2005/11/debit_card_volume_passes_credi.html
Debit Volume Exceeds Credit, Visa Says
http://www.banktech.com/news/showArticle.jhtml?articleID=167100397

in this post from fall of 2007:
http://www.garlic.com/~lynn/2007r.html#40 Is the media letting banks off the hook on payment card security

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick.
Date: Jan 24, 2009
Blog: Regulation and Compliance
re:
http://www.garlic.com/~lynn/2009b.html#25 The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick
http://www.garlic.com/~lynn/2009b.html#30 The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick

Researchers find lack of trust in leaders, institutions is major factor in US economic crisis
http://www.eurekalert.org/pub_releases/2009-01/msl-rfl012709.php

A Trust Crisis
http://www.financialtrustindex.org/

from above:
What happened to the U.S. economy? Two years ago, we were in the middle of an economic boom. Banks were eager to lend even at the cost of forgoing important covenants, and corporate America (and the entire world) was producing at full steam, so much so that commodities prices were rising in anticipation of a future scarcity.

... snip ...

... and with respect to the Dresden reference, I was in Dresden a few yrs ago to visit a security chip fab in the area ... looking at wringing more pennies out of the process; part of aads chip strawman ... some references
http://www.garlic.com/~lynn/x959.html#aads

.... was aggressive cost reduction ... while improving security/integrity; part of it could be viewed as trying to get the chip on the RFID cost curve (the EPC/UPC kind that are supposed to replace barcodes on products at supermarket checkout) ... w/o sacrificing security ... some recent posts/references
http://www.garlic.com/~lynn/2009.html#72 Double authentication for internet payment
http://www.garlic.com/~lynn/2009b.html#28 Online-Banking Authentication

AADS chip strawman was somewhat related to the work on the x9.59 financial standard ... some references
http://www.garlic.com/~lynn/x959.html#x959

and during the period (more than a decade ago) we were also asked to come in to talk to NSCC (since then merged with DTC to form DTCC) ... looking at doing something analogous for trades (that we had been doing for payment operations) ... recent NSCC/DTCC reference:
http://www.garlic.com/~lynn/2008s.html#63 Garbage in, garbage out trampled by Moore's law

After some amount of work ... we ran into traders' cultural orientation for ambiguity in trades (a lot of which would have been eliminated with strong authentication on every operation). Significant improvement in transparency was something that it was felt couldn't be done at the time.

Note that a lot of what has gone on during this decade has happened under a shroud of obfuscation and ambiguity ... so there now may be some appetite for increased transparency in market operation.

... in fact, I heard somebody this morning on tv business news show use the line trust, but verify ... some recent posts where i used that line:
http://www.garlic.com/~lynn/2009.html#57 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#71 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009b.html#8 Do emperors from the banks have new clothes?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"
Date: Jan 28, 2009
Blog: Business Intelligence
then there is this recent study

Is technology producing a decline in critical thinking and analysis?
http://www.eurekalert.org/pub_releases/2009-01/uoc--itp012709.php
Is Technology Producing A Decline In Critical Thinking And Analysis?
http://www.sciencedaily.com/releases/2009/01/090128092341.htm

... from above ...
Learners have changed as a result of their exposure to technology, says Greenfield, who analyzed more than 50 studies on learning and technology, including research on multi-tasking and the use of computers, the Internet and video games.

.... snip ...

Much of the current economic crisis has to do with deregulation and/or failing to enforce regulation .... resulting in being able to manipulate all sorts of things. Related discussions ... Trust, but verify ... some recent posts
http://www.garlic.com/~lynn/2009b.html#11
http://www.garlic.com/~lynn/2009b.html#12
http://www.garlic.com/~lynn/2009b.html#35

Corporate Fraud and Misconduct Risks Driven by Pressure to do 'Whatever It Takes'; Fewer episodes reported by companies with ethics and compliance programs
http://www.informationweek.com/financialservices/news/showArticle.jhtml?articleID=215801487

from above:
Of more than 5,000 U.S. workers polled this summer, 74 percent said they had personally observed misconduct within their organizations during the prior 12 months, unchanged from the level reported by KPMG survey respondents in 2005. Roughly half (46 percent) of respondents reported that what they observed "could cause a significant loss of public trust if discovered," a figure that rises to 60 percent among employees working in the banking and finance industry.

... snip ...

then this article from last spring that estimated 1000 executives are responsible for 80% of the current crisis and that it would go a long way towards fixing the situation if the gov. could figure out how they lose their jobs.
http://knowledge.wharton.upenn.edu/article.cfm?articleid=1933 (gone 404 and/or requires registration)

Researchers find lack of trust in leaders, institutions is major factor in US economic crisis
http://www.eurekalert.org/pub_releases/2009-01/msl-rfl012709.php
A Trust Crisis
http://www.financialtrustindex.org/

from above:
What happened to the U.S. economy? Two years ago, we were in the middle of an economic boom. Banks were eager to lend even at the cost of forgoing important covenants, and corporate America (and the entire world) was producing at full steam, so much so that commodities prices were rising in anticipation of a future scarcity.

... snip ...

How Wall Street Lied to Its Computers
http://bits.blogs.nytimes.com/2008/09/18/how-wall-streets-quants-lied-to-their-computers//
Subprime = Triple-A ratings? or 'How to Lie with Statistics'
http://www.bloggingstocks.com/2007/07/25/subprime-triple-a-ratings-or-how-to-lie-with-statistics/
Computer Models and the Global Economic Crash
http://news.slashdot.org/article.pl?sid=08/12/16/2048235&tid=98

And even with SOX ... it doesn't seem to have reduced such activity ... pbs program discussing some of the deregulation, enron, worldcom, etc
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/

so it seemed like it may have motivated GAO to start doing a database (even if regulations weren't being enforced)
http://www.gao.gov/products/GAO-03-138
http://www.gao.gov/products/GAO-06-678
http://www.gao.gov/products/GAO-06-1053R
http://www.gao.gov/special.pubs/gao-06-1079sp//index.html

from above:
The database consists of two files: (1) a file that lists 1,390 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between July 1, 2002, and September 30, 2005, and (2) a file that lists 396 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between October 1, 2005, and June 30, 2006.

... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"
Date: Jan 28, 2009
Blog: Business Intelligence
re:
http://www.garlic.com/~lynn/2009b.html#36 A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"

The Man Who Beat The Shorts
http://www.forbes.com/forbes/2008/1117/114.html

from above:
Watsa's only sin was in being a little too early with his prediction that the era of credit expansion would end badly. This is what he said in Fairfax's 2003 annual report: "It seems to us that securitization eliminates the incentive for the originator of [a] loan to be credit sensitive. Prior to securitization, the dealer would be very concerned about who was given credit to buy an automobile. With securitization, the dealer (almost) does not care."

... snip ...

The congressional hearings last fall highlighted that both the rating agencies and the toxic CDO issuers/sellers knew that the toxic CDOs weren't worth triple-A ratings ... but the toxic CDO issuers/sellers were paying for the triple-A ratings. This significantly increased the institutions that would deal in the toxic CDOs and correspondingly significantly increased the amount of money available for lending. Part of the testimony was that the rating agencies' business process became misaligned in the early 70s when they switched from the buyers paying for the rating to the issuers/sellers paying for the ratings (opening the opportunity for conflict of interest).

The crash of 2008: A mathematician's view
http://www.eurekalert.org/pub_releases/2008-12/w-tco120808.php

from above:
Markets need regulation to stay stable. We have had thirty years of financial deregulation. Now we are seeing chickens coming home to roost. This is the key argument of Professor Nick Bingham, a mathematician at Imperial College London, in an article published today in Significance, the magazine of the Royal Statistical Society.

... snip ...

With regard to the triple-A ratings on toxic CDOs, supposedly SOX required SEC to do something with respect to the rating agencies ... but there doesn't seem to have been anything besides a Jan2003 report.

Report on the Role and Function of Credit Rating Agencies in the Operation of the Securities Markets; As Required by Section 702(b) of the Sarbanes-Oxley Act of 2002
http://www.sec.gov/news/studies/credratingreport0103.pdf

long winded, decade old post discussing some of the current issues
http://www.garlic.com/~lynn/aepay3.htm#riskm

Some number of the institutions buying triple-A rated toxic CDOs were playing long/short mismatch ... even tho that has been known for centuries to take down institutions. Comment was that Bear Stearns and Lehman had a marginal chance of surviving (playing long/short mismatch, independent of the heavy leveraging and whether or not the toxic CDOs deserved triple-A ratings)
http://www.forbes.com/2007/11/13/citigroup-suntrust-siv-ent-fin-cx_bh_1113hamiltonmatch.html
decade old article from the fed
http://www.frbsf.org/economic-research/publications/economic-letter/2000/september/short-term-international-borrowing-and-financial-fragility/

The recent washington post series about CDS ... basically talked about CDS being sold on instruments that were totally unrelated to the original business case risk analysis.
http://www.washingtonpost.com/wp-dyn/content/article/2008/12/30/AR2008123003431_pf.html

recent archived responses in related discussions
http://www.garlic.com/~lynn/2009.html#14 What are the challenges in risk analytics post financial crisis?
http://www.garlic.com/~lynn/2009.html#15 What are the challenges in risk analytics post financial crisis?
http://www.garlic.com/~lynn/2009.html#32 What are the challenges in risk analytics post financial crisis?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"
Date: Jan 28, 2009
Blog: Business Intelligence
re:
http://www.garlic.com/~lynn/2009b.html#36 A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"
http://www.garlic.com/~lynn/2009b.html#37 A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"

Here are recent posts mentioning IDC buying "pricing services" division from one of the rating agencies in 1972 ... and there was a TV business news show earlier this month mentioning that IDC was helping price the toxic assets that gov. was looking at buying:
http://www.garlic.com/~lynn/2009.html#21
http://www.garlic.com/~lynn/2009.html#31
http://www.garlic.com/~lynn/2009.html#32

'72 was in the period that the congressional hearings mentioned that the rating agencies' business process became misaligned (switching from the buyers paying for ratings to the sellers/issuers paying for the ratings, and increasing the potential for conflict of interest).

disclaimer: i interviewed with IDC in '69 ... but didn't join the organization ... although I continued to have contact with several of the people.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

"Larrabee" GPU design question

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: "Larrabee" GPU design question.
Newsgroups: comp.arch
Date: Wed, 28 Jan 2009 14:22:45 -0500
EricP <ThatWouldBeTelling@thevillage.com> writes:
I don't think you are quite correct here but maybe it's just a terminology difference. I think you mean AST's. VMS was not kernel threaded in 1987 and still wasn't when I last touched it in 1994.

we would periodically visit sequent in the mid-90s and they would claim to be doing nearly all the SMP scaleup for NT (demo'ing NT on their SMP machines)

old email mentioning VMS finally announcing symmetrical multiprocessing support for VMS release 5
http://www.garlic.com/~lynn/2007.html#email880324
http://www.garlic.com/~lynn/2007.html#email880329
in this post
http://www.garlic.com/~lynn/2007.html#46 How many 36-bit Unix ports in the old days?

of course just announcing support for symmetrical multiprocessing doesn't mean that the kernel was multi-threaded. there were some number of symmetrical multiprocessing implementations in the 60s & 70s that used a single global kernel "spin-lock".

for other drift ... compare&swap was invented by Charlie (CAS was chosen because they are his initials) at the science center
http://www.garlic.com/~lynn/subtopic.html#545tech

when he was working on fine-grain SMP kernel locking for cp67. misc. past posts mentioning smp &/or compare&swap
http://www.garlic.com/~lynn/subtopic.html#smp

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

"Larrabee" GPU design question

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: "Larrabee" GPU design question.
Newsgroups: comp.arch
Date: Wed, 28 Jan 2009 14:32:54 -0500
EricP <ThatWouldBeTelling@thevillage.com> writes:
I don't remember what year that happened but according to Wikipedia the uniprocessor DLM was initially in VMS v3 released in 1982 and cluster DLM in v4 in 1984.

when we started doing our ha/cmp product in the late 80s,
http://www.garlic.com/~lynn/subtopic.html#hacmp

we talked to some of the relational dbms vendors that had vax/cluster implementations. part of what they gave us were the ten problems/shortcomings in the vms DLM. So, although we had worked on distributed, cluster, &/or loosely-coupled implementations going back to early 70s ... part of the ha/cmp DLM was to make sure that it addressed their listed "shortcomings".

talking to some of the vax/cluster people in the 90s ... they would point out that I had an advantage of being able to start from scratch with the ha/cmp Distributed Lock Manager ... and didn't have to worry about all the baggage that the vms DLM had to carry with it from its early days (although I had to support some amount of vms DLM api semantics to simplify ports from vax/cluster).

for other drift some posts mentioning the original relational/sql implementation
http://www.garlic.com/~lynn/submain.html#systemr

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

The subject is authoritarian tendencies in corporate management, and how they are related to political culture

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: The subject is authoritarian tendencies in corporate management, and how they are related to political culture.
Date: Jan 28, 2009
Blog: Business Intelligence
re:
http://blogs.harvardbusiness.org/hbreditors/2009/01/letter_from_russia_obama_and_t.html

John Boyd had a comment about it during his briefings in the 80s ... lots of past posts mentioning John Boyd
http://www.garlic.com/~lynn/subboyd.html

basically going into ww2, the army needed to deploy large numbers that had little or no training or skills. As a result they created a heavy-weight, rigid, top/down bureaucratic organization (in order to leverage the scarce skilled resources). Starting a couple decades later, the commercial world was starting to see the effects from the training the young officers got in how to run large bureaucracies (basically only the people at the very top know what they are doing).

this explanation has been used to explain a report from last year that the ratio of executive compensation to worker compensation has recently exploded to 400:1 after having been 20:1 for a long time ... and 10:1 in most of the rest of the world (i.e. top executives justify the huge compensation explosion because they are the only ones in the organization that know what they are doing).

The Fed's Too Easy on Wall Street
http://www.businessweek.com/stories/2008-03-19/the-feds-too-easy-on-wall-streetbusinessweek-business-news-stock-market-and-financial-advice

from above:
Here's a staggering figure to contemplate: New York City securities industry firms paid out a total of $137 billion in employee bonuses from 2002 to 2007, according to figures compiled by the New York State Office of the Comptroller. Let's break that down: Wall Street honchos earned a bonus of $9.8 billion in 2002, $15.8 billion in 2003, $18.6 billion in 2004, $25.7 billion in 2005, $33.9 billion in 2006, and $33.2 billion in 2007.

... snip ...

some part of the $700B wallstreet bailout possibly goes to replenish the $137B sucked out of the infrastructure (as reward for their part in creating the current situation).

... from a couple weeks ago

Bailed-Out Banks Dole Out Bonuses; Goldman Sachs, CitiGroup, Others Mum on How They Are Using TARP Cash
http://abcnews.go.com/WN/Business/story?id=6498680&page=1

from above:
Goldman Sachs, which accepted $10 billion in government money, and lost $2.1 billion last quarter, announced Tuesday that it handed out $10.93 billion in benefits, bonuses, and compensation for the year.

... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"
Date: Jan 28, 2009
Blog: Business Intelligence
re:
http://www.garlic.com/~lynn/2009b.html#36 A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"
http://www.garlic.com/~lynn/2009b.html#37 A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"
http://www.garlic.com/~lynn/2009b.html#38 A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"

Original Basel2 draft had a new qualitative section ... but during the review process, nearly all of the qualitative section was eliminated. This led some number to sarcastically comment that it isn't really necessary to understand what you are doing ... just so long as you are able to match up the numbers.

wiki basel2 page
https://en.wikipedia.org/wiki/Basel_II
BIS web page:
http://www.bis.org/
recent basel2 activity
http://www.bis.org/publ/bcbs/basel2enh0901.htm

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

"Larrabee" GPU design question

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: "Larrabee" GPU design question.
Newsgroups: comp.arch
Date: Wed, 28 Jan 2009 17:17:15 -0500
re:
http://www.garlic.com/~lynn/2009b.html#39 "Larrabee" GPU design questions
http://www.garlic.com/~lynn/2009b.html#40 "Larrabee" GPU design questions

HA/CMP was being done on rs/6000.
http://www.garlic.com/~lynn/subtopic.html#hacmp

part of that required first getting standard RDBMSes up and running on AIX. RS/6000 didn't have SMP support and/or an instruction similar to compare&swap.

In the interim (after Charlie had invented compare&swap instruction), a lot of DBMS & services implementations had started using compare&swap, for multithreaded operations (even when running in single processor environments).

the initial attempt to justify compare&swap instruction for 370 was rebuffed ... claiming that test&set instruction was deemed sufficient for multiprocessor operation (used on 360s). the challenge was that in order to justify compare&swap instruction for 370, non-smp specific uses had to be invented. thus were invented the descriptions ... substantially similar descriptions (to the original) still are in current day principles of operation ... slightly earlier version available in html:
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/dz9zr003/A.6
slightly more recent PDF version
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/download/DZ9ZR006.pdf

rs/6000 w/o multiprocessor and/or compare&swap instruction support, and application multi-threaded use of compare&swap semantics required "atomic" operation ... or at least the appearance of being non-interruptible. The approach was to provide a compare&swap "fast" svc ... with an interrupt into the kernel svc interrupt handler ... which had "fastpath" implementing compare&swap semantics ... executing disabled for interrupts ... and then immediately returning to the application (i.e. atomic/serialized on single processor machine)

from long ago and far away ...


Date: Tue, 17 Apr 90 17:15:08 PDT

From: wheeler
Subject: compare&swap

There wasn't any "easy" way of doing test/set from user space. The lockl/unlockl were internal kernel functions. A fast compare&swap svc simulation showed up sometime by 9013. It isn't in the 9005 low.s source that I just checked. W/o the fastsvc compare&swap there is no way of serializing user code w/o using something like file lock primitive.


... snip ...

misc. past posts mentioning SMP and/or compare&swap instruction
http://www.garlic.com/~lynn/subtopic.html#smp

I had done the initial prototype for VAXcluster DLM API, and a little later that year ...


Date: 7 November 1990, 08:22:28 PDT

From: wheeler
Subject: RFT/LCMP (RS/6000 fault tolerant / loosely-coupled multiprocessor)

we have a cluster manager and a global lock manager with a "NFS" api operational ... and will be installing that plus a demo port of the Ingres "VAXcluster" implementation.

We just about have the VAXcluster global lock manager API implemented, although we still have some details to work out like the deadlock detection/recovery graph (which some applications that run on VAXcluster are dependent on). That should make porting of distributed apps. from the VAXcluster environment easier.


... snip ...

for some other topic drift, RDBMS Customer survey from Oct90:


Product Comparisons

Scale of 1 to 10 (Poor to Excellent)

Last year's ratings in parentheses

             |  Rdb  | SQL/DS | DB2    | Oracle | Ingres |
-------------+-------+--------+--------+--------+--------+
Ease of      |  8.2  |  7.2   |  6.65  |  7.06  |  8.00  |
Installation |       | (6.69) | (6.00) | (7.94) | (8.54) |
             |       |        |        |        |        |
Ease of Use  |  7.6  |  7.8   |  6.65  |  7.75  |  7.94  |
             |       | (6.42) | (6.07) | (8.33) | (8.62) |
             |       |        |        |        |        |
Documentation|  7.5  |  7.8   |  6.49  |  5.92  |  6.53  |
             |       | (6.33) | (6.20) | (7.11) | (6.62) |
             |       |        |        |        |        |
Vendor       |       |        |        |        |        |
Maintenance  |  7.9  |  7.7   |  6.92  |  7.49  |  7.21  |
             |       | (6.69) | (6.87) | (7.72) | (8.00) |
             |       |        |        |        |        |
Overall      |       |        |        |        |        |
Satisfaction |  7.9  |  8.2   |  6.84  |  7.89  |  8.00  |
             |       | (6.55) | (6.73) | (8.67) | (8.39) |
-------------+-------+--------+--------+--------+--------+

Rdb    - 31 respondents
SQL/DS - 10 respondents (6 VSE/SP, 3 VM/SP, 1 VM/CMS-HPO)
DB2    - 37 respondents
Oracle - 36 respondents (21 VAX/VMS, 6 MVS/XA, 6 VM, 2 PC w/MS-DOS, 3 UNIX)
Ingres - 16 respondents (14 VAX/VMS, most also had UNIX/ULTRIX systems)

... snip ...

System/R (original relational/sql) work was done on vm/370 in the 70s
http://www.garlic.com/~lynn/submain.html#systemr

and then there was technology transfer to Endicott for SQL/DS.

This post describes a ha/cmp jan92 meeting
http://www.garlic.com/~lynn/95.html#13

and one of the people in the above meeting claimed to have handled much of the technology transfer from Endicott (SQL/DS) to STL for DB2.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
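The compare&swap retry idiom discussed in the post above (load the old value, compute the new one, CS, recompute if the word changed underneath you), written out as an added example that is not code from the posting or from the Principles of Operation. It uses the GCC/Clang __atomic builtins as a stand-in for the hardware instruction and simulates the competing writer with a synchronous callback so the race window is exercised deterministically; the unserialized load/add/store path is shown beside it to make the lost update visible, and a try-lock on the same primitive stands in for the lockl/unlockl style serialization mentioned in the email.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Compare-and-swap on a 32-bit word (stand-in for the 370 CS instruction,
 * built on the GCC/Clang __atomic builtins).
 * If *word == *expected: store desired, return true (CS condition code 0).
 * Otherwise: copy the current contents into *expected and return false
 * (condition code 1), so the caller can recompute from the fresh value. */
static bool cas32(uint32_t *word, uint32_t *expected, uint32_t desired)
{
    return __atomic_compare_exchange_n(word, expected, desired, false,
                                       __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
}

/* Hypothetical "other thread": a writer invoked synchronously inside the
 * read-modify-write window so the interleaving is reproducible. */
typedef void (*interloper_fn)(uint32_t *word);

static void interloper_add_100(uint32_t *word)
{
    __atomic_fetch_add(word, 100, __ATOMIC_SEQ_CST);
}

/* Unserialized load / compute / store.  Anything stored into the word
 * between the load and the store is silently overwritten (lost update). */
static uint32_t naive_add(uint32_t *word, uint32_t delta, interloper_fn in_window)
{
    uint32_t old = *word;
    if (in_window)
        in_window(word);        /* simulated preemption between load and store */
    *word = old + delta;        /* clobbers whatever the interloper stored */
    return *word;
}

/* The CS idiom: load old, compute new, CS.  When CS fails because the word
 * changed, cas32 has refreshed `old` with the current contents, so the loop
 * recomputes and retries.  Returns the number of CS attempts (1 = no contention). */
static int cas_add(uint32_t *word, uint32_t delta, interloper_fn in_window)
{
    uint32_t old = __atomic_load_n(word, __ATOMIC_SEQ_CST);
    int attempts = 0;
    for (;;) {
        attempts++;
        uint32_t desired = old + delta;
        if (in_window && attempts == 1)
            in_window(word);    /* simulated preemption, first pass only */
        if (cas32(word, &old, desired))
            return attempts;    /* swapped: nobody else changed the word */
        /* not swapped: `old` now holds the current value; recompute */
    }
}

/* Minimal lock on the same primitive (0 = free, 1 = held): only the caller
 * whose CS succeeds owns it, so two racing acquirers cannot both win. */
static bool cas_try_lock(uint32_t *lock)
{
    uint32_t expect_free = 0;
    return cas32(lock, &expect_free, 1);
}

static void cas_unlock(uint32_t *lock)
{
    __atomic_store_n(lock, 0, __ATOMIC_SEQ_CST);
}

/* Constructed scenario: word starts at 0, we add 1, interloper adds 100
 * inside the window.  Results are returned so they can be checked. */
static uint32_t scenario_naive(void)
{
    uint32_t word = 0;
    return naive_add(&word, 1, interloper_add_100);   /* 1: the +100 is lost */
}

static uint32_t scenario_cas_value(void)
{
    uint32_t word = 0;
    (void)cas_add(&word, 1, interloper_add_100);
    return word;                                      /* 101: both updates kept */
}

static int scenario_cas_attempts(void)
{
    uint32_t word = 0;
    return cas_add(&word, 1, interloper_add_100);     /* 2: one retry */
}

/* 1 when lock semantics hold: acquire, re-acquire fails, release, re-acquire. */
static int scenario_lock(void)
{
    uint32_t lock = 0;
    bool first = cas_try_lock(&lock);
    bool second = cas_try_lock(&lock);
    cas_unlock(&lock);
    bool third = cas_try_lock(&lock);
    return first && !second && third;
}

int main(void)
{
    printf("naive: %u  cas: %u (%d attempts)  lock ok: %d\n",
           scenario_naive(), scenario_cas_value(), scenario_cas_attempts(),
           scenario_lock());
    return 0;
}
```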

Cybercrime cost $1 trillion last year, study

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Cybercrime cost $1 trillion last year, study
Date: Jan 29, 2009
Blog: Financial Crime Risk, Fraud and Security
Cybercrime cost $1 trillion last year, study
http://news.zdnet.com/2100-9595_22-264762.html

from above
Data theft and breaches from cybercrime may have cost businesses as much as $1 trillion globally in lost intellectual property and expenditures for repairing the damage last year, according to a new study from McAfee.

... snip ...

also ...
Cybercrime cost firms $1 trillion globally, McAfee study says
http://news.cnet.com/8301-1009_3-10152246-83.html?tag=newsLatestHeadlinesArea.0
Cybercrime costing firms $1trillion a year: McAfee
http://security.cbronline.com/news/cybercrime_costing_firms_1trillion_a_year_mcafee_29010
Data breaches cost business GBP700bn in 2008
http://www.computerweekly.com/Articles/2009/01/29/234483/data-breaches-cost-business-700bn-in-2008.htm

a couple of yrs ago ... there was some discussion about news item regarding whether cybercrime exceeded illegal drugs:

Cybercrime surpasses illegal drug trade and we still don't think it's a big deal
http://blogs.csoonline.com/cybercrime_surpasses_illegal_drug_trade_and_we_still_don_t_think_it_s_

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick.
Date: Jan 24, 2009
Blog: Regulation and Compliance
re:
http://www.garlic.com/~lynn/2009b.html#25 The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick
http://www.garlic.com/~lynn/2009b.html#30 The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick
http://www.garlic.com/~lynn/2009b.html#35 The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick

recent update on earlier mentioned articles:

Obama Calls Bonuses 'Shameful' as Dodd Vows to Reclaim Money
http://www.bloomberg.com/apps/news?pid=20601087
http://www.bloomberg.com/apps/news?pid=20601087&sid=anzJooSeABDM
Obama: Big Wall Street Bonuses 'Shameful'
http://voices.washingtonpost.com/economy-watch/2009/01/obama_big_wall_street_bonuses.html

i.e.

The Fed's Too Easy on Wall Street
http://www.businessweek.com/stories/2008-03-19/the-feds-too-easy-on-wall-streetbusinessweek-business-news-stock-market-and-financial-advice
Bailed-Out Banks Dole Out Bonuses; Goldman Sachs, CitiGroup, Others Mum on How They Are Using TARP Cash
http://abcnews.go.com/WN/Business/story?id=6498680&page=1

and a punch line from the article last spring
The Fed should insist on its prerogative to strictly regulate financial institutions in boom times, not just to bail them out when it all goes bad

and some more ...

Barack Obama calls $18bn Wall Street bonuses 'shameful'
http://www.telegraph.co.uk/news/worldnews/northamerica/usa/barackobama/4391484/Barack-Obama-calls-18bn-Wall-Street-bonuses-shameful.html
Obama Calls Wall Street Bonuses "Shameful"
http://www.cbsnews.com/blogs/2009/01/29/politics/politicalhotsheet/entry4762719.shtml
Obama: Wall Street bonuses shameful, irresponsible
http://www.reuters.com/article/governmentFilingsNews/idUSWBT01053320090129
Obama calls Wall Street bonuses 'shameful'
http://content.usatoday.com/communities/theoval/post/2009/01/62115204/1
Obama Harshly Criticizes Wall St. Bonuses
http://www.nytimes.com/2009/01/30/business/30obama.html
Obama slams Wall Street on bonuses
http://www.msnbc.msn.com/id/28916936/
What Red Ink? Wall St. Paid Fat Bonuses
http://www.nytimes.com/2009/01/29/business/29bonus.html
The Bonuses Keep Coming
http://www.washingtonpost.com/wp-dyn/content/story/2008/01/29/ST2008012900465.html
Obama calls Wall Street bonuses 'shameful'
http://www.iht.com/articles/2009/01/30/business/30obama.php
Obama Blasts Wall Street Bonuses
http://www.businessweek.com/bwdaily/dnflash/content/mar2008/db2008035_449458.htm?chan=globalbiz_europe+index+page_finance%2C+markets+%2Bamp%3B+investing
Obama, Biden 'outraged' by Wall Street bonuses
http://www.boston.com/news/politics/politicalintelligence/2009/01/obama_biden_out.html

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Z11 - Water cooling?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Z11 - Water cooling?
Newsgroups: bit.listserv.ibm-main
Date: Fri, 30 Jan 2009 07:14:21 -0500
David.Jousma@53.COM (Jousma, David) writes:
Without commenting on the actual topic, I can just hear the folks in the Intel space claim that we dino's are now copying their technology for water cooling! I read about all these "hot" PC's now being watercooled, like it is something new....

I do know that the newest P-Series boxes are water cooled, so it would seem to follow that the newer z-series would be too.


... how about somebody named ACM fellow for reinventing virtual machines:
http://fellows.acm.org/fellow_citation.cfm?id=4094918&srt=year&year=2008

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

How to defeat new telemarketing tactic

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: How to defeat new telemarketing tactic
Newsgroups: alt.folklore.computers
Date: Fri, 30 Jan 2009 07:10:56 -0500
jmfbahciv <jmfbahciv@aol> writes:
I get that, too. They also state to press 2 to be taken off the list. There is also another one that threatens that this is their third and last call. The next time they call, they state it's the second call. Instead of AOSing, the code is SOSing.

GLBA provided for disclosing "information sharing" with "opt-out" to not "information share" (at a time when cal. state was looking at possibly drafting "opt-in" legislation ... only share if you call them out and permit it).

A few yrs ago, I was at a privacy conference that had a panel discussion with a couple of the FTC commissioners. In the Q&A, somebody from the audience asked about enforcing "opt-out" ... who said they worked on implementations for major insurance companies ... and claimed that the people answering 1-800 "opt-out" calls had no capability to take-down (or record) any information given on the call ... and wanted to know if the FTC had any interest in enforcing the legislation.

a past post mentioning do-not-call list (and apparently elected gov. officials can use the do-not-call list for a "call list")
http://www.garlic.com/~lynn/2008m.html#73 Blinkylights

misc. past references to opt-in/out-out
http://www.garlic.com/~lynn/aepay11.htm#31 Privacy again a hot-button issue for legistlators
http://www.garlic.com/~lynn/aadsm14.htm#21 Financial Privacy To Take The Floor
http://www.garlic.com/~lynn/aadsm26.htm#54 What to do about responsible disclosure?
http://www.garlic.com/~lynn/aadsm28.htm#50 Liability for breaches: do we need new laws?
http://www.garlic.com/~lynn/2006e.html#44 Does the Data Protection Act of 2005 Make Sense
http://www.garlic.com/~lynn/2007f.html#72 Securing financial transactions a high priority for 2007
http://www.garlic.com/~lynn/2007s.html#55 Translation of IBM Basic Assembler to C?
http://www.garlic.com/~lynn/2007t.html#6 Translation of IBM Basic Assembler to C?
http://www.garlic.com/~lynn/2008m.html#66 With all the highly publicised data breeches and losses, are we all wasting our time?
http://www.garlic.com/~lynn/2008m.html#70 Why SSNs Are Not Appropriate for Authentication and when, where and why should you offer/use it?
http://www.garlic.com/~lynn/2008m.html#71 TJ Maxx - why are they still in business?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

The blame game is on : A blow to the Audit/Accounting Industry or a lesson learned ???

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: The blame game is on : A blow to the Audit/Accounting Industry or a lesson learned ???
Date: Jan 30, 2009
Blog: Auditing, Accounting
in the wake of enron & worldcom ... supposedly sox was going to correct things ... pbs program discussing enron/worldcom (also repeal of Glass-Steagall):
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/

however, GAO found that the incidents appeared to be increasing ... reference to database GAO started
http://www.gao.gov/products/GAO-03-138
http://www.gao.gov/products/GAO-06-678
http://www.gao.gov/products/GAO-06-1053R
http://www.gao.gov/special.pubs/gao-06-1079sp//index.html

from above:
The database consists of two files: (1) a file that lists 1,390 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between July 1, 2002, and September 30, 2005, and (2) a file that lists 396 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between October 1, 2005, and June 30, 2006.

... snip ...

other recent references to GAO database:
http://www.garlic.com/~lynn/2009b.html#25 The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick
http://www.garlic.com/~lynn/2009b.html#36 A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"

OTS Says IndyMac, 4 Thrifts Allowed to Restate Capital Levels
http://www.bloomberg.com/apps/news?pid=20601087&sid=as3m2L6vrKUQ&refer=home

from above:
The agency let IndyMac backdate a capital injection that helped the lender avoid regulatory restrictions, and also found four other cases where lenders failed to follow reporting policies

... snip ...

Accounting Standards Wilt Under Pressure
http://www.washingtonpost.com/wp-dyn/content/article/2008/12/26/AR2008122601715.html

from above:
In October, largely hidden from public view, the International Accounting Standards Board changed the rules so European banks could make their balance sheets look better. The action let the banks rewrite history, picking and choosing among their problem investments to essentially claim that some had been on a different set of books before the financial crisis started.

... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

US disaster, debts and bad financial management

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: US disaster, debts and bad financial management
Date: Jan 30, 2009
Blog: Government Policy
article from last spring

The Fed's Too Easy on Wall Street; The Fed should insist on its prerogative to strictly regulate financial institutions in boom times, not just to bail them out when it all goes bad
http://www.businessweek.com/stories/2008-03-19/the-feds-too-easy-on-wall-streetbusinessweek-business-news-stock-market-and-financial-advice

from above:
Here's a staggering figure to contemplate: New York City securities industry firms paid out a total of $137 billion in employee bonuses from 2002 to 2007, according to figures compiled by the New York State Office of the Comptroller. Let's break that down: Wall Street honchos earned a bonus of $9.8 billion in 2002, $15.8 billion in 2003, $18.6 billion in 2004, $25.7 billion in 2005, $33.9 billion in 2006, and $33.2 billion in 2007.

... snip ...

some part of the $700B wallstreet bailout possibly goes to replenish the $137B sucked out of the infrastructure (as reward for their part in creating the current situation).

... from a couple weeks ago

Bailed-Out Banks Dole Out Bonuses; Goldman Sachs, CitiGroup, Others Mum on How They Are Using TARP Cash
http://abcnews.go.com/WN/Business/story?id=6498680&page=1

from above:
Goldman Sachs, which accepted $10 billion in government money, and lost $2.1 billion last quarter, announced Tuesday that it handed out $10.93 billion in benefits, bonuses, and compensation for the year.

... snip ...

and a couple from yesterday

Obama Calls Bonuses 'Shameful' as Dodd Vows to Reclaim Money
http://www.bloomberg.com/apps/news?pid=20601087&sid=anzJooSeABDM
Obama: Big Wall Street Bonuses 'Shameful'
http://voices.washingtonpost.com/economy-watch/2009/01/obama_big_wall_street_bonuses.html

in the wake of enron & worldcom ... supposedly sox was going to correct things ... pbs program discussing enron/worldcom (also repeal of Glass-Steagall):
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/

however, GAO found that the incidents appeared to be increasing ... reference to database GAO started
http://www.gao.gov/products/GAO-03-138
http://www.gao.gov/products/GAO-06-678
http://www.gao.gov/products/GAO-06-1053R
http://www.gao.gov/special.pubs/gao-06-1079sp//index.html

from above:
The database consists of two files: (1) a file that lists 1,390 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between July 1, 2002, and September 30, 2005, and (2) a file that lists 396 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between October 1, 2005, and June 30, 2006.

... snip ...

also from last spring, there was a business school article about the effects of securitization (this was before the congressional hearings about rating agencies knew that the toxic CDOs weren't worth triple-A ratings) and estimated that possibly 1000 executives are responsible for 80% of the current mess (and it would go a long way to fixing the situation if the gov. could figure out how they could lose their jobs)
http://knowledge.wharton.upenn.edu/article.cfm?articleid=1933 (gone 404 and/or requires registration)

In the congressional hearings last fall, there was repeated mention that the rating agencies knew that the toxic CDOs weren't worth triple-A ratings, but were being paid to give them triple-A ratings anyway. There was discussion that in the early 70s, the rating agencies changed their business model from the buyers paying for the ratings to the issuers/sellers paying for the ratings ... which mis-aligned their business model and opened things up for conflict of interest.

Here are recent posts mentioning IDC buying "pricing services" division from one of the rating agencies in 1972 ... and there was TV business news show earlier this month mentioning that IDC was helping price the toxic assets that gov. was looking at buying:
http://www.garlic.com/~lynn/2009.html#21
http://www.garlic.com/~lynn/2009.html#31
http://www.garlic.com/~lynn/2009.html#32

'72 was in the period that the congressional hearings mentioned that the rating agencies' business process became misaligned (switching from the buyers paying for ratings to the sellers/issuers paying for the ratings, and increasing the potential for conflict of interest).

disclaimer: i interviewed with IDC in '69 ... but didn't join the organization ... although I continued to have contact with several of the people.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Cellphones as Credit Cards? Americans Must Wait

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Cellphones as Credit Cards? Americans Must Wait
Date: Jan 30, 2009
Blog: Credit Card Professionals
We had been called in to consult with a small client/server startup that wanted to do payment transactions on their server ... and had this technology called SSL they wanted to use; the result is now frequently referred to as electronic commerce.

then in the mid-90s we were asked to participate in the x9a10 financial standard working group which had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments (i.e. POS, internet, unattended, face-to-face, contact, contactless, wireless, debit, credit, stored-value, ACH, etc ... i.e. *ALL*). Part of this effort included doing detailed end-to-end threat and vulnerability studies. The result was the x9.59 financial transaction standard ... some past posts
http://www.garlic.com/~lynn/x959.html#x959

Part of x9.59 was to slightly tweak the paradigm to eliminate the threat from skimming, harvesting, phishing, eavesdropping and/or data breaches. x9.59 didn't eliminate those activities ... but eliminated the ability of the crooks to use the information for fraudulent financial transactions (the ability of the crooks to do data breaches wasn't eliminated ... however the financial incentive to perform breaches was eliminated).

Then a little later in the 90s, we looked at doing the AADS chip strawman ... in support of x9.59 transactions ... which included being physical format agnostic (it didn't make any difference whether the transaction was from a "card" or a "cellphone"), and allowed deployment as "stand-alone" something you have authentication ... or as part of some other something you have component. In addition it had to be able to support multi-factor authentication ... and allowed switching number of authentication factors ... potentially based on the environment and/or value of the transaction. Misc. past AADS references
http://www.garlic.com/~lynn/x959.html#aads

including reference to AADS NACHA RFI and trials.

in the mid-90s, there were some number of telcos getting involved in payment operations. there was growing opinion that their significantly more efficient transaction infrastructure (for call-records) would allow them to leverage getting into micro-payments ... and then they would leverage those volumes to take-over the rest of the payment industry. some number of their efforts appeared and then seemed to disappear. the issue appeared to be that while they could efficiently handle an enormous number of transactions ... they weren't setup to handle the financial risk and fraud.

since that period, some number of the payment operations have picked up technologies that the telcos had been using for call record transactions (looking at increasing the volumes of their processing)

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Will the Draft Bill floated in Congress yesterday to restrict trading of naked Credit Default Swaps help or aggravate?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Will the Draft Bill floated in Congress yesterday to restrict trading of naked Credit Default Swaps help or aggravate?
Date: Jan 31, 2009
Blog: Derivatives Markets
Normally insurance is written on things that have risk analysis and probability of pay-out done ... adjusting the premiums accordingly.

The recent washington post article on CDS described a scenario where detailed risk analysis was done before setting up a business unit ... and then the business unit started selling CDS on things for which they had done little or no risk analysis ... basically treating things as if there would never be a pay-out and the premiums were all profit.

Things were further compounded by the fact that a lot of the CDS were for triple-A rated toxic CDOs. In the congressional hearings last fall, it was stated that both the rating agencies and the toxic CDO sellers/issuers knew that the toxic CDOs weren't worth the triple-A rating, but the toxic CDO issuers/sellers were paying for the triple-A rating. Comments were made that the rating agencies' business model had become mis-aligned in the early 70s when they switched from the buyers paying for the ratings to the issuers/sellers paying for the ratings (increasing the potential for conflict of interest).

The result is a lot of FUD (fear, uncertainty & doubt) ... writing insurance w/o knowing the risk (and therefore no idea about expected payouts and no idea how to set the premiums) ... and/or superficial risk assessment based on the triple-A ratings. Which somewhat brings up the trust, but verify theme ... recent linkedin post
http://www.garlic.com/~lynn/2009b.html#8

And a recent post (in a linkedin business intelligence discussion) about IDC buying the "pricing services" division from one of the rating agencies in 1972 (i.e. period that congressional testimony about their business processes becoming mis-aligned) ... and a tv business news show earlier this month saying IDC was brought in to help the gov. price the toxic assets it was considering buying
http://www.garlic.com/~lynn/2009b.html#38

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

What has the Global Financial Crisis taught the Nations, it's Governments and Decision Makers, and how should they apply that knowledge to manage risks differently in the future?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: What has the Global Financial Crisis taught the Nations, it's Governments and Decision Makers, and how should they apply that knowledge to manage risks differently in the future?
Date: Jan 31, 2009
Blog: Risk Management
The recent washington post article on CDS described a scenario where detailed risk analysis was done before setting up a business unit ... and then the business unit started selling CDS on things for which they had done little or no risk analysis ... basically treating things as if there would never be a pay-out and the premiums were all profit.

Things were further compounded by the fact that a lot of the CDS were for triple-A rated toxic CDOs. In the congressional hearings last fall, it was stated that both the rating agencies and the toxic CDO sellers/issuers knew that the toxic CDOs weren't worth the triple-A rating, but the toxic CDO issuers/sellers were paying for the triple-A rating. Comments were made that the rating agencies' business model had become mis-aligned in the early 70s when they switched from the buyers paying for the ratings to the issuers/sellers paying for the ratings (increasing the potential for conflict of interest).

Recent post (in a linkedin business intelligence discussion) about IDC buying the "pricing services" division from one of the rating agencies in 1972 (i.e. period that congressional testimony about their business processes becoming mis-aligned) ... and a tv business news show earlier this month saying IDC was brought in to help the gov. price the toxic assets it was considering buying
http://www.garlic.com/~lynn/2009b.html#38

The Man Who Beat The Shorts
http://www.forbes.com/forbes/2008/1117/114.html

from above:
Watsa's only sin was in being a little too early with his prediction that the era of credit expansion would end badly. This is what he said in Fairfax's 2003 annual report: "It seems to us that securitization eliminates the incentive for the originator of [a] loan to be credit sensitive. Prior to securitization, the dealer would be very concerned about who was given credit to buy an automobile. With securitization, the dealer (almost) does not care."

... snip ...

Lenders were able to make no-documentation, no-down payment, 1% interest-only ARMs to all comers, and package and unload them as triple-A rated toxic CDOs (every loan made was profit). Speculators found them extremely attractive since home appreciation in many markets was much larger than the 1% carrying cost (speculation further increased inflation). The triple-A rating significantly increased the institutions willing to deal in the toxic CDOs and significantly increased the amount of money available to the (frequently unregulated) lenders.

supposedly, in the wake of enron & worldcom ... SOX was going to correct things ... pbs program discussing enron/worldcom (also repeal of Glass-Steagall):
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/

however, GAO found that the incidents were actually increasing ... reference to GAO database:
http://www.gao.gov/special.pubs/gao-06-1079sp//index.html

from above:
The database consists of two files: (1) a file that lists 1,390 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between July 1, 2002, and September 30, 2005, and (2) a file that lists 396 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between October 1, 2005, and June 30, 2006.

... snip ...

Many of the institutions buying the toxic CDOs were playing long/short mismatch ... which has been known for centuries to take down institutions. The comment was that Bear-Stearns and Lehman had marginal chance of surviving playing long/short mismatch (independent of the heavy leveraging and whether or not the toxic CDOs were worth triple-A rating) ... past discussion of long/short mismatch:
http://www.forbes.com/2007/11/13/citigroup-suntrust-siv-ent-fin-cx_bh_1113hamiltonmatch.html
and decade old article from the fed
http://www.frbsf.org/economic-research/publications/economic-letter/2000/september/short-term-international-borrowing-and-financial-fragility/

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Credit & Risk Management ... go Simple ?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Credit & Risk Management ... go Simple ?
Date: Jan 31, 2009
Blog: Financial Regulation
How Wall Street Lied to Its Computers
http://bits.blogs.nytimes.com/2008/09/18/how-wall-streets-quants-lied-to-their-computers//
Subprime = Triple-A ratings? or 'How to Lie with Statistics'
http://www.bloggingstocks.com/2007/07/25/subprime-triple-a-ratings-or-how-to-lie-with-statistics/

And even with SOX ... it doesn't seem to have reduced such activity ... pbs program discussing some of the deregulation, enron, worldcom, repeal of Glass-Steagall, etc
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/

GAO numbers seemed to show activity is increasing (in spite of SOX)
http://www.gao.gov/special.pubs/gao-06-1079sp//index.html

from above:
The database consists of two files: (1) a file that lists 1,390 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between July 1, 2002, and September 30, 2005, and (2) a file that lists 396 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between October 1, 2005, and June 30, 2006.

... snip ...

The crash of 2008: A mathematician's view
http://www.eurekalert.org/pub_releases/2008-12/w-tco120808.php

from above:
Markets need regulation to stay stable. We have had thirty years of financial deregulation. Now we are seeing chickens coming home to roost. This is the key argument of Professor Nick Bingham, a mathematician at Imperial College London, in an article published today in Significance, the magazine of the Royal Statistical Society.

... snip ...

Corporate Fraud and Misconduct Risks Driven by Pressure to do 'Whatever It Takes'; Fewer episodes reported by companies with ethics and compliance programs
http://www.informationweek.com/financialservices/news/showArticle.jhtml?articleID=215801487

from above:
Of more than 5,000 U.S. workers polled this summer, 74 percent said they had personally observed misconduct within their organizations during the prior 12 months, unchanged from the level reported by KPMG survey respondents in 2005. Roughly half (46 percent) of respondents reported that what they observed "could cause a significant loss of public trust if discovered," a figure that rises to 60 percent among employees working in the banking and finance industry.

... snip ...

If the overall avg. is 46 percent and the financial industry is 60 percent, then the non-financial avg may be as low as 30 percent ... making the financial industry twice as bad as other industries.

The congressional hearings last fall highlighted that both the rating agencies and the toxic CDO issuers/sellers knew that the toxic CDOs weren't worth triple-A ratings ... but the toxic CDO issuers/sellers were paying for the triple-A ratings. This significantly increased the institutions that would deal in the toxic CDOs and correspondingly significantly increased the amount of money available for lending. In the hearings they noted that in the early 70s, the rating agencies switched from buyers paying for the rating to the sellers/issuers ... resulting in misaligned business process and opening the way for conflict of interest.

A combination of deregulation and not enforcing regulations resulted in numerous greed/corruption hot-spots to combine together into an economic firestorm.

Many of the institutions buying the toxic CDOs were playing long/short mismatch ... which has been known for centuries to take down institutions. The comment was that Bear-Stearns and Lehman had marginal chance of surviving playing long/short mismatch (independent of the heavy leveraging and whether or not the toxic CDOs were worth triple-A rating) ...
http://www.forbes.com/2007/11/13/citigroup-suntrust-siv-ent-fin-cx_bh_1113hamiltonmatch.html
and decade old article from the fed
http://www.frbsf.org/economic-research/publications/economic-letter/2000/september/short-term-international-borrowing-and-financial-fragility/

A couple recent posts mentioning IDC buying "pricing services" division from one of the rating agencies in 1972 ... and there was TV business news show earlier this month mentioning that IDC was helping price the toxic assets that gov. was looking at buying:
http://www.garlic.com/~lynn/2009.html#21
http://www.garlic.com/~lynn/2009.html#31
http://www.garlic.com/~lynn/2009.html#32

'72 was in the period that the congressional hearings mentioned that the rating agencies' business process became misaligned (switching from the buyers paying for ratings to the sellers/issuers paying for the ratings, and increasing the potential for conflict of interest).

disclaimer: i interviewed with IDC in '69 ... but didn't join the organization ... although I continued to have contact with several of the people.

The Man Who Beat The Shorts
http://www.forbes.com/forbes/2008/1117/114.html

from above:
Watsa's only sin was in being a little too early with his prediction that the era of credit expansion would end badly. This is what he said in Fairfax's 2003 annual report: "It seems to us that securitization eliminates the incentive for the originator of [a] loan to be credit sensitive. Prior to securitization, the dealer would be very concerned about who was given credit to buy an automobile. With securitization, the dealer (almost) does not care."

... snip ...

Not so much debt itself ... but securitization (along with the rating agencies giving triple-A ratings to toxic CDOs) resulted in huge amount of money being pumped into the lending market ... with nobody caring how it was being used (people lending the money could immediately unload as a toxic CDO ... so regardless of what happened later, every loan made was profit).

No documentation, no-down-payment, 1% introductory rate ARMs with interest-only payments, became extremely attractive for speculators since the carrying cost was significantly less than the home appreciation in numerous markets (planning on flipping before the rate reset). The large amount of speculation, in turn, significantly increased the inflation in the market. Eventually the bubble burst, but while it lasted ... lots of people were raking in the money (in some sense, the 1% funds were allowing speculators to treat the home market like the 1920s unregulated stock market)

Last spring there was a business school article about the effects of securitization (this was before the congressional hearings about rating agencies knew that the toxic CDOs weren't worth triple-A ratings) and estimated that possibly 1000 executives are responsible for 80% of the current mess (and it would go a long way to fixing the situation if the gov. could figure out how they could lose their jobs)
http://knowledge.wharton.upenn.edu/article.cfm?articleid=1933 (gone 404 and/or requires registration)

and decade old, long winded post discussing some of the current issues
http://www.garlic.com/~lynn/aepay3.htm#riskm

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

In your opinion, which facts caused the global crise situation?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: In your opinion, which facts caused the global crise situation?
Date: Jan 31, 2009
Blog: Government Policy
Last spring there was a business school article about the effects of securitization (this was before the congressional hearings about rating agencies knew that the toxic CDOs weren't worth triple-A ratings) and estimated that possibly 1000 executives are responsible for 80% of the current mess (and it would go a long way to fixing the situation if the gov. could figure out how they could lose their jobs)
http://knowledge.wharton.upenn.edu/article.cfm?articleid=1933 (gone 404 and/or requires registration)

The Man Who Beat The Shorts
http://www.forbes.com/forbes/2008/1117/114.html

from above:
Watsa's only sin was in being a little too early with his prediction that the era of credit expansion would end badly. This is what he said in Fairfax's 2003 annual report: "It seems to us that securitization eliminates the incentive for the originator of [a] loan to be credit sensitive. Prior to securitization, the dealer would be very concerned about who was given credit to buy an automobile. With securitization, the dealer (almost) does not care."

... snip ...

Not so much debt itself ... but securitization (along with the rating agencies giving triple-A ratings to toxic CDOs) resulted in huge amount of money being pumped into the lending market ... with nobody caring how it was being used (people lending the money could immediately unload as a toxic CDO ... so regardless of what happened later, every loan made was profit).

No documentation, no-down-payment, 1% introductory rate ARMs with interest-only payments, became extremely attractive for speculators since the carrying cost was significantly less than the home appreciation in numerous markets (planning on flipping before the rate reset). The large amount of speculation, in turn, significantly increased the inflation in the market. Eventually the bubble burst, but while it lasted ... lots of people were raking in the money (in some sense, the 1% funds were allowing speculators to treat the home market like the 1920s unregulated stock market)

Then, many of the institutions buying the toxic CDOs were playing long/short mismatch ... which has been known for centuries to take down institutions. The comment was that Bear-Stearns and Lehman had marginal chance of surviving playing long/short mismatch (independent of the heavy leveraging and whether or not the toxic CDOs were worth triple-A rating) ...
http://www.forbes.com/2007/11/13/citigroup-suntrust-siv-ent-fin-cx_bh_1113hamiltonmatch.html
and decade old article from the fed
http://www.frbsf.org/economic-research/publications/economic-letter/2000/september/short-term-international-borrowing-and-financial-fragility/

The crash of 2008: A mathematician's view
http://www.eurekalert.org/pub_releases/2008-12/w-tco120808.php

from above:
Markets need regulation to stay stable. We have had thirty years of financial deregulation. Now we are seeing chickens coming home to roost. This is the key argument of Professor Nick Bingham, a mathematician at Imperial College London, in an article published today in Significance, the magazine of the Royal Statistical Society.

... snip ...

How Wall Street Lied to Its Computers
http://bits.blogs.nytimes.com/2008/09/18/how-wall-streets-quants-lied-to-their-computers//
Subprime = Triple-A ratings? or 'How to Lie with Statistics'
http://www.bloggingstocks.com/2007/07/25/subprime-triple-a-ratings-or-how-to-lie-with-statistics/
Computer Models and the Global Economic Crash
http://news.slashdot.org/article.pl?sid=08/12/16/2048235&tid=98

And even with SOX ... it doesn't seem to have reduced such activity ... pbs program discussing some of the deregulation, enron, worldcom, repeal of Glass-Steagall, etc
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/

GAO started doing database about increasing problems (even after SOX)
http://www.gao.gov/special.pubs/gao-06-1079sp//index.html

from above:
The database consists of two files: (1) a file that lists 1,390 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between July 1, 2002, and September 30, 2005, and (2) a file that lists 396 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between October 1, 2005, and June 30, 2006.

... snip ...

There was somebody on CSPAN that commented during the congressional session that repealed Glass-Steagall, the financial industry made $250m in congressional contributions and in the most recent session that passed $700B bail-out, the financial industry made $2B in congressional contributions.

Supposedly SOX also had something being done about rating agencies ... but there doesn't seem to have been anything except this Jan2003 report:

Report on the Role and Function of Credit Rating Agencies in the Operation of the Securities Markets; As Required by Section 702(b) of the Sarbanes-Oxley Act of 2002
http://www.sec.gov/news/studies/credratingreport0103.pdf

misc. past posts mentioning that with securitization, lenders no longer have to care about loan quality:
http://www.garlic.com/~lynn/2008g.html#32 independent appraisers
http://www.garlic.com/~lynn/2008g.html#44 Fixing finance
http://www.garlic.com/~lynn/2008g.html#52 IBM CEO's remuneration last year ?
http://www.garlic.com/~lynn/2008g.html#66 independent appraisers
http://www.garlic.com/~lynn/2008h.html#89 Credit Crisis Timeline
http://www.garlic.com/~lynn/2008i.html#4 A Merit based system of reward -Does anybody (or any executive) really want to be judged on merit?
http://www.garlic.com/~lynn/2008i.html#67 Do you have other examples of how people evade taking resp. for risk
http://www.garlic.com/~lynn/2008q.html#69 if you are an powerful financial regulator , how would you have stopped the credit crunch?
http://www.garlic.com/~lynn/2008r.html#36 Blinkenlights
http://www.garlic.com/~lynn/2008r.html#64 Is This a Different Kind of Financial Crisis?
http://www.garlic.com/~lynn/2008r.html#67 What is securitization and why are people wary of it ?
http://www.garlic.com/~lynn/2008s.html#9 Blind-sided, again. Why?
http://www.garlic.com/~lynn/2008s.html#18 What next? from where would the Banks be hit?
http://www.garlic.com/~lynn/2008s.html#20 Five great technological revolutions
http://www.garlic.com/~lynn/2008s.html#23 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#35 Is American capitalism and greed to blame for our financial troubles in the US?
http://www.garlic.com/~lynn/2008s.html#55 Is this the story behind the crunchy credit stuff?
http://www.garlic.com/~lynn/2009.html#14 What are the challenges in risk analytics post financial crisis?
http://www.garlic.com/~lynn/2009.html#42 Lets play Blame Game...?
http://www.garlic.com/~lynn/2009.html#52 The Credit Crunch: Why it happened?
http://www.garlic.com/~lynn/2009.html#73 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#77 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#79 The Credit Crunch: Why it happened?
http://www.garlic.com/~lynn/2009.html#85 Banks' Demise: Why have the Governments hired the foxes to mend the chicken runs?
http://www.garlic.com/~lynn/2009b.html#1 Are Both The U.S. & UK on the brink of debt disaster?
http://www.garlic.com/~lynn/2009b.html#11 Amid Economic Turbulence, Mainframes Counter IT Cost-Cutting Trend
http://www.garlic.com/~lynn/2009b.html#18 Barbless
http://www.garlic.com/~lynn/2009b.html#25 The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick
http://www.garlic.com/~lynn/2009b.html#36 A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"
http://www.garlic.com/~lynn/2009b.html#37 A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"
http://www.garlic.com/~lynn/2009b.html#49 US disaster, debts and bad financial management
http://www.garlic.com/~lynn/2009b.html#52 What has the Global Financial Crisis taught the Nations, it's Governments and Decision Makers, and how should they apply that knowledge to manage risks differently in the future?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Davos 2009 Cybercrime threat rising sharply

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Davos 2009 Cybercrime threat rising sharply
Date: Feb 1, 2009
Blog: Financial Crime Risk, Fraud and Security
re:
http://www.garlic.com/~lynn/2009b.html#44 Cybercrime cost $1 trillion last year, study

Davos 2009 Cybercrime threat rising sharply
http://news.bbc.co.uk/1/hi/business/davos/7862549.stm

from above:
The threat of cybercrime is rising sharply, experts have warned at the World Economic Forum in Davos.

Online theft costs $1 trillion a year, the number of attacks is rising sharply and too many people do not know how to protect themselves, they said.


... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

In your opinion, which facts caused the global crise situation?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: In your opinion, which facts caused the global crise situation?
Date: Feb. 1, 2009
Blog: Government Policy
re:
http://www.garlic.com/~lynn/2009b.html#54 In your opinion, which facts caused the global crise situation?

In Dec, CSPAN had a panel from the mortgage industry. They appeared to be somewhat torn between claiming the problems are because the people in the mortgage industry are ignorant and totally incompetent vis-a-vis they just ignored all prudent business processes. They also mentioned that only about 10% of the subprime, no-documentation, no-down, 1% interest only ARM loans could be considered falling into the CRA category (large percentage picked up by speculators that could treat home market like the unregulated 1920s stock market).

These were subprime in another sense. With securitization, they could make ARMs with intro 1% interest rates ... totally decoupled from the FED PRIME rate. In the past, loans were made by regulated financial institutions using deposits. With securitization, unregulated institutions could get into the loan business.

Do a graph of avg. home prices as well as ratio of avg. home prices to avg. salary ... plotted since 1970. The graph is reasonably well behaved until a couple yrs ago when ugly huge pimple/boil starts to spike (speculators taking advantage of 1% interest only ARMs, basically home market acting like the unregulated 1920s stock market) ... which still hasn't completely deflated (totally outside the traditional CRA market of first-time, low-income home buyers)

Long-winded, decade old post discussing some of the current issues
http://www.garlic.com/~lynn/aepay3.htm#riskm

similar discussion:
http://www.garlic.com/~lynn/2009.html#53 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#57 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#59 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#63 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#68 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#71 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#73 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#74 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#77 CROOKS and NANNIES: what would Boyd do?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Credit & Risk Management ... go Simple ?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Credit & Risk Management ... go Simple ?
Date: Feb 1, 2009
Blog: Financial Regulation
re:
http://www.garlic.com/~lynn/2009b.html#53 Credit & Risk Management ... go Simple ?

Also, with regard to the triple-A ratings on toxic CDOs, supposedly SOX required SEC to do something with respect to the rating agencies ... but there doesn't seem to have been anything besides a Jan2003 report.

Report on the Role and Function of Credit Rating Agencies in the Operation of the Securities Markets; As Required by Section 702(b) of the Sarbanes-Oxley Act of 2002
http://www.sec.gov/news/studies/credratingreport0103.pdf

In Dec, CSPAN had a panel from the mortgage industry. They appeared to be somewhat torn between claiming the problems are because the people in the mortgage industry are ignorant and totally incompetent vis-a-vis they just ignored all prudent business processes. They also mentioned that only about 10% of the subprime, no-documentation, no-down, 1% interest only ARM loans could be considered falling into the CRA category (large percentage picked up by speculators that could treat home market like the unregulated 1920s stock market).

These were subprime in another sense. With securitization, they could make loans with 1% interest rates ... totally decoupled from the FED PRIME rate. In the past, loans were made by regulated financial institutions using deposits. With securitization, unregulated institutions could get into the loan business.

Do a graph of avg. home prices as well as ratio of avg. home prices to avg. salary ... plotted since 1970. The graph is reasonably well behaved until a couple yrs ago when ugly huge pimple/boil starts to spike (speculators taking advantage of 1% interest only ARMs, basically home market acting like the unregulated 1920s stock market) ... which still hasn't completely deflated (totally outside the traditional CRA market of first-time, low-income home buyers)

The spike in home market somewhat corresponds with:

The Fed's Too Easy on Wall Street
http://www.businessweek.com/stories/2008-03-19/the-feds-too-easy-on-wall-streetbusinessweek-business-news-stock-market-and-financial-advice

from above:
Here's a staggering figure to contemplate: New York City securities industry firms paid out a total of $137 billion in employee bonuses from 2002 to 2007, according to figures compiled by the New York State Office of the Comptroller. Let's break that down: Wall Street honchos earned a bonus of $9.8 billion in 2002, $15.8 billion in 2003, $18.6 billion in 2004, $25.7 billion in 2005, $33.9 billion in 2006, and $33.2 billion in 2007.

... snip ...

and some part of the $700B Wall Street bailout possibly goes to replenish the $137B sucked out of the infrastructure (as reward for their part in creating the current situation).

... from a couple weeks ago

Bailed-Out Banks Dole Out Bonuses; Goldman Sachs, CitiGroup, Others Mum on How They Are Using TARP Cash
http://abcnews.go.com/WN/Business/story?id=6498680&page=1

from above:
Goldman Sachs, which accepted $10 billion in government money, and lost $2.1 billion last quarter, announced Tuesday that it handed out $10.93 billion in benefits, bonuses, and compensation for the year.

... snip ...

and more recent ...

Obama Calls Bonuses 'Shameful' as Dodd Vows to Reclaim Money
http://www.bloomberg.com/apps/news?pid=20601087
http://www.bloomberg.com/apps/news?pid=20601087&sid=anzJooSeABDM
Obama: Big Wall Street Bonuses 'Shameful'
http://voices.washingtonpost.com/economy-watch/2009/01/obama_big_wall_street_bonuses.html

misc. past posts mentioning The Fed's Too Easy on Wall Street article
http://www.garlic.com/~lynn/2008f.html#76 Bush - place in history
http://www.garlic.com/~lynn/2008g.html#52 IBM CEO's remuneration last year ?
http://www.garlic.com/~lynn/2008g.html#66 independent appraisers
http://www.garlic.com/~lynn/2008h.html#42 The Return of Ada
http://www.garlic.com/~lynn/2008n.html#52 Technology and the current crisis
http://www.garlic.com/~lynn/2008n.html#53 Your thoughts on the following comprehensive bailout plan please
http://www.garlic.com/~lynn/2008n.html#56 VMware Chief Says the OS Is History
http://www.garlic.com/~lynn/2008n.html#69 Another quiet week in finance
http://www.garlic.com/~lynn/2008n.html#82 Fraud in financial institution
http://www.garlic.com/~lynn/2008o.html#18 Once the dust settles, do you think Milton Friedman's economic theories will be laid to rest
http://www.garlic.com/~lynn/2008o.html#26 SOX (Sarbanes-Oxley Act), is this really followed and worthful considering current Financial Crisis?
http://www.garlic.com/~lynn/2008o.html#28 Does anyone get the idea that those responsible for containing this finanical crisis are doing too much?
http://www.garlic.com/~lynn/2008o.html#31 The human plague
http://www.garlic.com/~lynn/2008o.html#32 How much is 700 Billion Dollars??
http://www.garlic.com/~lynn/2008p.html#8 Global Melt Down
http://www.garlic.com/~lynn/2008r.html#61 The vanishing CEO bonus
http://www.garlic.com/~lynn/2008r.html#64 Is This a Different Kind of Financial Crisis?
http://www.garlic.com/~lynn/2008s.html#32 How Should The Government Spend The $700 Billion?
http://www.garlic.com/~lynn/2008s.html#33 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#35 Is American capitalism and greed to blame for our financial troubles in the US?
http://www.garlic.com/~lynn/2008s.html#41 Executive pay: time for a trim?
http://www.garlic.com/~lynn/2009.html#73 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#80 Are reckless risks a natural fallout of "excessive" executive compensation ?
http://www.garlic.com/~lynn/2009b.html#25 The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick
http://www.garlic.com/~lynn/2009b.html#41 The subject is authoritarian tendencies in corporate management, and how they are related to political culture
http://www.garlic.com/~lynn/2009b.html#45 The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick
http://www.garlic.com/~lynn/2009b.html#49 US disaster, debts and bad financial management

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

OCR scans of old documents

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: OCR scans of old documents
Newsgroups: alt.folklore.computers
Date: Sun, 01 Feb 2009 11:10:05 -0500
I found a copy of the Glass-Steagall (Pecora) hearings on archive.org (different from archives.gov, where the physical originals are). They were done at the Boston Public Library last fall. There are PDFs as well as semi-decent OCR.

I'm trying to clean up the OCR'ed copy of the hearings index file (original over 800 pages) ... so I can load it into our repository and generate HTML. While the OCR seems to have done a marvelous job ... there are still a large number of dings ... I'm maybe 10% done cleaning the OCR'ed copy up so I can load it and generate HTML.

This is somewhat analogous to the merged glossaries & taxonomies
http://www.garlic.com/~lynn/index.html#glosnote

where I've tried to organize how to think about the subject matter ... including financial
http://www.garlic.com/~lynn/financial.htm

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

As bonuses...why breed greed, when others are in dire need?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: As bonuses...why breed greed, when others are in dire need?
Date: Feb 1, 2009
Blog: Equity Markets
related answer in this discussion:
http://www.linkedin.com/answers/finance-accounting/financial-regulation/FIN_FRG/403095-873917

also archived here:
http://www.garlic.com/~lynn/2009b.html#53
http://www.garlic.com/~lynn/2009b.html#57

With regard to the triple-A ratings on toxic CDOs, supposedly SOX required SEC to do something with respect to the rating agencies ... but there doesn't seem to have been anything besides a Jan2003 report.

Report on the Role and Function of Credit Rating Agencies in the Operation of the Securities Markets; As Required by Section 702(b) of the Sarbanes-Oxley Act of 2002
http://www.sec.gov/news/studies/credratingreport0103.pdf

In Dec, CSPAN had a panel from the mortgage industry. They appeared to be somewhat torn between claiming the problems are because the people in the mortgage industry are ignorant and totally incompetent vis-a-vis they just ignored all prudent business processes. They also mentioned that only about 10% of the subprime, no-documentation, no-down, 1% interest only ARM loans could be considered falling into the CRA category (large percentage picked up by speculators that could treat home market like the unregulated 1920s stock market).

These were subprime in another sense. With securitization, they could make loans with 1% interest rates ... totally decoupled from the FED PRIME rate. In the past, loans were made by regulated financial institutions using deposits. With securitization, unregulated institutions could get into the loan business.

Do a graph of avg. home prices as well as ratio of avg. home prices to avg. salary ... plotted since 1970. The graph is reasonably well behaved until a couple yrs ago when ugly huge pimple/boil starts to spike (speculators taking advantage of 1% interest only ARMs, basically home market acting like the unregulated 1920s stock market) ... which still hasn't completely deflated (totally outside the traditional CRA market of first-time, low-income home buyers)

The spike in home market speculation corresponds with:

The Fed's Too Easy on Wall Street
http://www.businessweek.com/stories/2008-03-19/the-feds-too-easy-on-wall-streetbusinessweek-business-news-stock-market-and-financial-advice

from above:
Here's a staggering figure to contemplate: New York City securities industry firms paid out a total of $137 billion in employee bonuses from 2002 to 2007, according to figures compiled by the New York State Office of the Comptroller. Let's break that down: Wall Street honchos earned a bonus of $9.8 billion in 2002, $15.8 billion in 2003, $18.6 billion in 2004, $25.7 billion in 2005, $33.9 billion in 2006, and $33.2 billion in 2007.

... snip ...

and some part of the $700B Wall Street bailout possibly goes to replenish the $137B sucked out of the infrastructure (as reward for their part in creating the current situation).

... from a couple weeks ago

Bailed-Out Banks Dole Out Bonuses; Goldman Sachs, CitiGroup, Others Mum on How They Are Using TARP Cash
http://abcnews.go.com/WN/Business/story?id=6498680&page=1

from above:
Goldman Sachs, which accepted $10 billion in government money, and lost $2.1 billion last quarter, announced Tuesday that it handed out $10.93 billion in benefits, bonuses, and compensation for the year.

... snip ...

and more recent ...

Obama Calls Bonuses 'Shameful' as Dodd Vows to Reclaim Money
http://www.bloomberg.com/apps/news?pid=20601087
http://www.bloomberg.com/apps/news?pid=20601087&sid=anzJooSeABDM
Obama: Big Wall Street Bonuses 'Shameful'
http://voices.washingtonpost.com/economy-watch/2009/01/obama_big_wall_street_bonuses.html

There seems to be some amount of similarity between the speculation in the 1920s unregulated stock market and the current (mostly) unregulated speculation in the home market ... which followed the repeal of the Glass-Steagall Act a decade ago (Glass-Steagall had been put in place in the aftermath of the '29 crash).

The Glass-Steagall (Pecora) hearing documents were scanned at the Boston Public Library last fall and put online ... including a reasonably good OCR'd effort. I'm currently working on trying to clean up the OCR'ed hearings index (over 800 pages) ... making it loadable and also generating HTML.

This is similar to some of the stuff I do for (internet) RFC standards
http://www.garlic.com/~lynn/rfcietff.htm

and merged taxonomy and glossaries
http://www.garlic.com/~lynn/index.html#glosnote

where I try and also organize how to "think" about the subject matter

... including payments (started when working on X9.59 financial industry transaction standard)
http://www.garlic.com/~lynn/payment.htm
security (also partially in support of X9.59)
http://www.garlic.com/~lynn/secure.htm
privacy (partially done to support my work as co-author of X9.99 financial industry Privacy standard)
http://www.garlic.com/~lynn/privacy.htm
financial (supporting lots of financial standards activity)
http://www.garlic.com/~lynn/financial.htm

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

OCR scans of old documents

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: OCR scans of old documents
Newsgroups: alt.folklore.computers
Date: Mon, 02 Feb 2009 09:28:37 -0500
hancock4 writes:
These are the hearings when the bill was originally passed in the 1930s?

off topic:

This is the same law regulating banks that was repealed a few years ago, and may have allowed the huge banking failures last October? The law that was supposed to put up a wall so that banks wouldn't be "too big to fail" and drag down everyone else with them?

IMHO repealing that law was one of the stupidest things ever done and a major reason we're in the mess today.


re:
http://www.garlic.com/~lynn/2009b.html#58 OCR scans of old documents

National Archives entry for the "physical copies" (170+ ft of shelf space):
Records Relating to the Investigation of Stock Exchange Practices, compiled 1932 - 1934, documenting the period 1929 - 1934; ARC Identifier 563053; Series from Record Group 46: Records of the U.S. Senate, 1789 - 2006

... snip ...

The scanned PDF files (at archive.org) are about a gigabyte.

The "index" (PDF) file is over 800 pages (and 61mbytes). The OCR'd flavor is 2.7mbytes ... with several percent dings (which I'm in the process of cleaning). Maybe will have an initial "HTML'ed" version in a week or so.

PBS website discussing enron, worldcom, repeal of Glass-Steagall:
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/

GLBA (Bank Modernization Act), which repealed Glass-Steagall, also provided for some financial "privacy" ... notifications regarding information sharing and "opt-out". Recent discussion of "opt-out":
http://www.garlic.com/~lynn/2009b.html#47 How to defeat new telemarketing tactic

There was a recent CSPAN program where somebody commented that in the congressional session that repealed Glass-Steagall, the financial industry had made $250M in contributions, and in the most recent congressional session that passed the $700B bail-out, there were $2B in contributions. I think this latest is the same session about which there was some note that it had the lowest attendance (& productivity) in the history of the organization:
http://www.garlic.com/~lynn/2008o.html#12 The human plague

Recent discussion (on linkedin) about some of the issues and working on cleaning/loading the Glass-Steagall hearings index using the same technology I use for the (internet standards) RFC index and several merged taxonomies and glossaries:
http://www.garlic.com/~lynn/2009b.html#59 As bonuses...why breed greed, when others are in dire need?

I was one of the co-authors of the financial privacy standard (X9.99) and had to spend some time considering GLBA ... see reference to merged privacy taxonomy & glossary
http://www.garlic.com/~lynn/index.html#glosnote

some number of posts (on linkedin) discussing some of the issues:
http://www.garlic.com/~lynn/2009.html#58 HONEY I LOVE YOU, but please cut the cards
http://www.garlic.com/~lynn/2009.html#73 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#77 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#79 The Credit Crunch: Why it happened?
http://www.garlic.com/~lynn/2009.html#80 Are reckless risks a natural fallout of "excessive" executive compensation ?
http://www.garlic.com/~lynn/2009.html#84 what was the idea behind Citigroup's splitting up into two different divisions? what does this do for citigroup?
http://www.garlic.com/~lynn/2009.html#85 Banks' Demise: Why have the Governments hired the foxes to mend the chicken runs?
http://www.garlic.com/~lynn/2009b.html#1 Are Both The U.S. & UK on the brink of debt disaster?
http://www.garlic.com/~lynn/2009b.html#11 Amid Economic Turbulence, Mainframes Counter IT Cost-Cutting Trend
http://www.garlic.com/~lynn/2009b.html#25 The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick
http://www.garlic.com/~lynn/2009b.html#36 A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"
http://www.garlic.com/~lynn/2009b.html#41 The subject is authoritarian tendencies in corporate management, and how they are related to political culture
http://www.garlic.com/~lynn/2009b.html#45 The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick
http://www.garlic.com/~lynn/2009b.html#48 The blame game is on : A blow to the Audit/Accounting Industry or a lesson learned ???
http://www.garlic.com/~lynn/2009b.html#49 US disaster, debts and bad financial management
http://www.garlic.com/~lynn/2009b.html#52 What has the Global Financial Crisis taught the Nations, it's Governments and Decision Makers, and how should they apply that knowledge to manage risks differently in the future?
http://www.garlic.com/~lynn/2009b.html#53 Credit & Risk Management ... go Simple ?
http://www.garlic.com/~lynn/2009b.html#54 In your opinion, which facts caused the global crise situation?
http://www.garlic.com/~lynn/2009b.html#57 Credit & Risk Management ... go Simple ?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Passport RFIDs cloned wholesale by $250 eBay auction spree

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Passport RFIDs cloned wholesale by $250 eBay auction spree
Date: Jan 21, 2009
Blog: Smart Cards
Passport RFIDs cloned wholesale by $250 eBay auction spree
http://www.theregister.co.uk/2009/02/02/low_cost_rfid_cloner/

from above:
The $250 proof-of-concept device - which researcher Chris Paget built in his spare time - operates out of his vehicle and contains everything needed to sniff and then clone RFID, or radio frequency identification, tags. During a recent 20-minute drive in downtown San Francisco, it successfully copied the RFID tags of two passport cards without the knowledge of their owners.

... snip ...

This isn't new ... it has been going on for some time

German hackers clone RFID e-passports
http://www.desktops.engadget.com/2006/08/03/german-hackers-clone-rfid-e-passports/

Part of the issue is that a lot of the RFID technology was developed for EPC/UPC (barcode replacement) for things like grocery store checkout ... easily read "static data" ... if that "static data" is personal information ... rather than a product identifier ... then there are all sorts of issues.

The issue of "static data" shows up as a problem in nearly all authentication schemes .... it shows up in something-you-know authentication (like a password or PIN) .... some past posts
http://www.garlic.com/~lynn/subintegrity.html#secrets

Another example is the yes card (payment card) compromise ... lots of past reference
http://www.garlic.com/~lynn/subintegrity.html#yescard

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Study: Data breaches continue to get more costly for businesses

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Study: Data breaches continue to get more costly for businesses
Date: Feb 3, 2009
Blog: Payment Systems Network
Study: Data breaches continue to get more costly for businesses
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127147

from above:
Data breaches are costing companies more and more, with lost revenue being a big factor as customers increasingly shun businesses that have lost information, according to a new study.

Average cost of breaches hits $202 per stolen record, according to Ponemon report


... snip ...

A few more recent, related items:

Heartland Data Breach: Nine More Institutions Linked
http://www.bankinfosecurity.com/articles.php?art_id=1187
Data Breach Costs Rose Significantly In 2008, Ponemon Study Says
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=213000466
Data-Breach Costs Rising, Study Finds
http://it.slashdot.org/article.pl?sid=09/02/02/1833219
Data Loss Costing Companies $6.6 Million Per Breach
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=216500718
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=213000512
Data Breach Costs On The Rise, Study Finds
http://www.crn.com/security/213000464
Data breach costs rise as firms brace for next loss
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1346623,00.html

with respect to financial related information that attackers can use to perform fraudulent transactions, we've used a number of metaphors attempting to characterize the threat & vulnerability.

One is the security proportional to risk metaphor.

One of the issues is that the value of a repository to a merchant is the profit from the transactions ... which may amount to a few dollars per account. The value of such a repository to a processor is possibly only a few cents per account. However, the value of the repository to an attacker is the balance or credit limit per account, which can be several hundred dollars per account. As a result, an attacker may be able to outspend the defenders by 2-3 orders of magnitude (spend 100 times or more on a data breach than a merchant or processor can afford to spend defending the repository).

An alternative is to tweak the paradigm and eliminate the usefulness of the information to the crooks for performing fraudulent transactions.

In the mid-90s, the X9A10 financial standard working group was given the requirement to preserve the integrity of the financial infrastructure for all retail payments. Part of the effort was detailed, end-to-end study of threats and vulnerabilities. Part of the resulting X9.59 financial standard was to make such a "tweak"
http://www.garlic.com/~lynn/x959.html#x959
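The following is an added illustration, not code from these posts or from the X9.59 standard itself, of the two points made above: the "static data" problem raised in the passport RFID post (anything that can simply be read can simply be replayed), and the "tweak" described here, where the information held in a merchant or processor repository stops being useful for fraudulent transactions. X9.59 does this with digital signatures on each transaction; the stand-in below uses HMAC-SHA256 with a per-account key held only by the issuer and the cardholder's device, so it runs with the Python standard library alone. Account identifiers, keys, merchant names and transactions are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-account issuer secrets (not real account numbers or keys).
ISSUER_KEYS = {
    "ACCT-0001": secrets.token_bytes(32),
    "ACCT-0002": secrets.token_bytes(32),
}


def canonical(fields: dict) -> bytes:
    """Deterministic encoding of the transaction fields the authenticator covers."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def static_authorize(account_repository: set, txn: dict) -> bool:
    """Static-data model: knowing the account number is enough to spend.

    What a merchant or processor stores is exactly what a fraudster needs,
    so a breached repository is directly monetisable."""
    return txn.get("account") in account_repository


def cardholder_authenticate(account: str, key: bytes, amount_cents: int,
                            merchant: str, nonce: str) -> dict:
    """Cardholder device binds an authenticator to this specific transaction.

    Stand-in for a digital signature: HMAC-SHA256 over amount, merchant and a
    fresh nonce, keyed with a secret the merchant repository never holds."""
    txn = {"account": account, "amount_cents": amount_cents,
           "merchant": merchant, "nonce": nonce}
    txn["auth"] = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
    return txn


class Issuer:
    """Verifies transaction-bound authenticators and rejects replays."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.seen = set()  # (account, nonce) pairs already authorised

    def authorize(self, txn: dict) -> bool:
        key = self.keys.get(txn.get("account"))
        if key is None:
            return False
        body = {k: v for k, v in txn.items() if k != "auth"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, txn.get("auth", "")):
            return False  # altered amount/merchant, or forged without the key
        marker = (txn.get("account"), txn.get("nonce"))
        if marker in self.seen:
            return False  # verbatim replay of a captured transaction record
        self.seen.add(marker)
        return True


def demo() -> dict:
    """Run both models against a constructed merchant-repository breach."""
    issuer = Issuer(ISSUER_KEYS)
    acct = "ACCT-0001"
    key = ISSUER_KEYS[acct]
    results = {}

    # Legitimate purchase, authorised once.
    txn = cardholder_authenticate(acct, key, 4999, "grocer-17", secrets.token_hex(8))
    results["legit"] = issuer.authorize(txn)

    # The merchant repository (account numbers plus stored transaction records)
    # is breached. In the static-data model the account number alone suffices.
    results["static_model_after_breach"] = static_authorize(
        set(ISSUER_KEYS), {"account": acct, "amount_cents": 100_000,
                           "merchant": "other-merchant"})

    # In the transaction-bound model, replaying the captured record fails ...
    results["replay_after_breach"] = issuer.authorize(dict(txn))

    # ... and so does reusing its authenticator on a different transaction.
    altered = dict(txn, merchant="other-merchant", amount_cents=100_000,
                   nonce=secrets.token_hex(8))
    results["altered_after_breach"] = issuer.authorize(altered)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authorised' if ok else 'rejected'}")
```

The point of the comparison is where the value sits after a breach: in the static model the stolen account numbers are worth the full credit limit to the attacker, while in the transaction-bound model the same repository yields only account numbers and used authenticators, neither of which the issuer will honour again. The issuer's replay set would in practice be bounded by a timestamp or counter in the signed fields rather than growing without limit.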

recent posts mentioning data breach:
http://www.garlic.com/~lynn/2009.html#7 Swedish police warn of tampered credit card terminals
http://www.garlic.com/~lynn/2009.html#20 Data losses set to soar
http://www.garlic.com/~lynn/2009.html#25 Wrong Instrument for Recurring Payments
http://www.garlic.com/~lynn/2009.html#29 Data losses set to soar
http://www.garlic.com/~lynn/2009.html#34 Swedish police warn of tampered credit card terminals
http://www.garlic.com/~lynn/2009.html#58 HONEY I LOVE YOU, but please cut the cards
http://www.garlic.com/~lynn/2009b.html#6 US credit card payment house breached by sniffing malware
http://www.garlic.com/~lynn/2009b.html#9 New Research Reveals 45% of Card Breach Victims Lose Confidence in Their Financial Accounts
http://www.garlic.com/~lynn/2009b.html#13 US credit card payment house breaches by sniffing malware
http://www.garlic.com/~lynn/2009b.html#19 US credit card payment house breached by sniffing malware
http://www.garlic.com/~lynn/2009b.html#21 ICSF and VISA/MasterCard?amex reference list
http://www.garlic.com/~lynn/2009b.html#28 Online-Banking Authentication
http://www.garlic.com/~lynn/2009b.html#29 is privacy a security attribute(component or ?). If yes, why? If no why not?
http://www.garlic.com/~lynn/2009b.html#32 Heartland Says Entire Industry Should Revamp Security
http://www.garlic.com/~lynn/2009b.html#44 Cybercrime cost $1 trillion last year, study
http://www.garlic.com/~lynn/2009b.html#50 Cellphones as Credit Cards? Americans Must Wait

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Study: Data breaches continue to get more costly for businesses

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Study: Data breaches continue to get more costly for businesses
Date: Feb 04, 2009
Blog: Payment Systems Network
re
http://www.garlic.com/~lynn/2009b.html#62 Study: Data breaches continue to get more costly for businesses

Some other references to this report:

The un-internalised cost of your data breach
https://financialcryptography.com/mt/archives/001148.html
300 Multiple Choices
http://www.emergentchaos.com/archives/2009/02/first_impressions_of_the.html

part of the above is related to this discussion item from two weeks ago:

New Research Reveals 45% of Card Breach Victims Lose Confidence in Their Financial Accounts
http://sev.prnewswire.com/banking-financial-services/20090120/SF6044320012009-1.html

also archived here
http://www.garlic.com/~lynn/2009b.html#9

for slightly more (metaphor) topic drift ... a couple recent references:
http://www.garlic.com/~lynn/2008p.html#5 Privacy, Identity theft, account fraud
http://www.garlic.com/~lynn/2008p.html#7 Dealing with the neew MA ID protection law
http://www.garlic.com/~lynn/2008p.html#59 Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.garlic.com/~lynn/2008p.html#67 Web Security hasn't moved since 1995
http://www.garlic.com/~lynn/2008p.html#76 Multi-Factor Authentication - Moving Beyond Passwords for Security of Online Transactions
http://www.garlic.com/~lynn/2008r.html#53 21 million German bank account details on black market
http://www.garlic.com/~lynn/2008s.html#10 Data leakage - practical measures to improve Information Governance

a few other recent posts mentioning breaches
http://www.garlic.com/~lynn/2009.html#7 Swedish police warn of tampered credit card terminals
http://www.garlic.com/~lynn/2009.html#25 Wrong Instrument for Recurring Payments
http://www.garlic.com/~lynn/2009.html#29 Data losses set to soar
http://www.garlic.com/~lynn/2009.html#34 Swedish police warn of tampered credit card terminals
http://www.garlic.com/~lynn/2009.html#56 Data losses set to soar
http://www.garlic.com/~lynn/2009.html#74 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009.html#78 Double authentification for internet payment
http://www.garlic.com/~lynn/2009b.html#6 US credit card payment house breached by sniffing malware
http://www.garlic.com/~lynn/2009b.html#12 Amid Economic Turbulence, Mainframes Counter IT Cost-Cutting Trend
http://www.garlic.com/~lynn/2009b.html#13 US credit card payment house breaches by sniffing malware
http://www.garlic.com/~lynn/2009b.html#14 question about ssh-keygen with empty passphrase
http://www.garlic.com/~lynn/2009b.html#21 ICSF and VISA/MasterCard?amex reference list
http://www.garlic.com/~lynn/2009b.html#28 Online-Banking Authentication
http://www.garlic.com/~lynn/2009b.html#29 is privacy a security attribute(component or ?). If yes, why? If no why not?
http://www.garlic.com/~lynn/2009b.html#44 Cybercrime cost $1 trillion last year, study
http://www.garlic.com/~lynn/2009b.html#50 Cellphones as Credit Cards? Americans Must Wait
http://www.garlic.com/~lynn/2009b.html#61 Passport RFIDs cloned wholesale by $250 eBay auction spree

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

SQL attacks dominated 2008, says IBM

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: SQL attacks dominated 2008, says IBM
Date: Feb 4, 2009
Blog: Financial Crime Risk, Fraud and Security
SQL attacks dominated 2008, says IBM
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=110348

from above:
"SQL injection, in particular, took off in 2008," says X-Force researcher Tom Cross, noting that the annual trend report concludes that 55 percent of all vulnerability disclosures made by vendors affected web applications, a number that does not include custom-developed web applications.

... snip ...

We had been called in to consult with a small client/server startup that wanted to do payment transactions on their server ... and they had this technology called SSL they wanted to use. Part of that required some detailed end-to-end threat & vulnerability studies (including these new operations calling themselves Certification Authorities) as well as how the "servers" actually operated doing payments. The effort is now frequently referred to as "electronic commerce".

At the time, lots of these servers were moving into RDBMS as a platform for their operations. One of the things found at the time was that the complexity of RDBMS operation was a source of many of the threats and vulnerabilities ... i.e. various kinds of human errors and/or mistakes ... as a result of the complexity of the operation.

For some topic drift ... past references to working on the original relational/SQL effort
http://www.garlic.com/~lynn/submain.html#systemr

... update ... a SQL attack:

Kaspersky breach exposes sensitive database, says hacker
http://www.theregister.co.uk/2009/02/08/kaspersky_compromise_report/

from above ...
In a posting made Saturday, the hacker claimed a simple SQL injection gave access to a database containing "users, activation codes, lists of bugs, admins, shop, etc." Kaspersky has declined to comment, but two security experts who reviewed the evidence said the claims appeared convincing.

... snip ...

related topic about threat & vulnerability studies
http://www.garlic.com/~lynn/2009.html#49 The 25 Most Dangerous Programming Errors
http://www.garlic.com/~lynn/2009.html#45 Security experts identify 25 coding errors
http://www.garlic.com/~lynn/2009.html#49 The 25 Most Dangerous Programming Errors
http://www.garlic.com/~lynn/2009.html#60 The 25 Most Dangerous Programming Errors
http://www.garlic.com/~lynn/2009.html#65 The 25 Most Dangerous Programming Errors
http://www.garlic.com/~lynn/2009b.html#2 The 25 Most Dangerous Programming Errors

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
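The post above quotes two reports of "simple SQL injection" against web applications backed by an RDBMS. As an added illustration (this is not code from the original post or from any product it mentions), the following Python/sqlite3 snippet puts the defect beside its fix: a lookup that splices user input into the SQL text, and the same lookup with the input passed as a bound parameter. The table, column names and sample rows are constructed for the example.

```python
"""Constructed example: string-built SQL versus a parameterized query.

The table name, columns and rows below are invented for the demonstration;
they are not taken from any real breach report.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, activation_code TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "AAAA-1111"), ("bob", "BBBB-2222"), ("carol", "CCCC-3333")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Defective form: the caller-supplied value becomes part of the SQL text.

    Any quote character in `name` ends the string literal, so the rest of the
    input is parsed as SQL. A legitimate name containing an apostrophe breaks
    the query just as surely as hostile input does.
    """
    sql = f"SELECT name, activation_code FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value is bound by the driver, never parsed as SQL.

    Whatever `name` contains, the WHERE clause compares it as a string value
    against the column, so the query shape cannot change.
    """
    return conn.execute(
        "SELECT name, activation_code FROM users WHERE name = ?", (name,)
    ).fetchall()


def apostrophe_breaks_vulnerable(conn: sqlite3.Connection) -> bool:
    """Show that ordinary input with a quote raises in the vulnerable path.

    Returns True when the string-built query fails on a benign name while the
    parameterized query simply returns no rows.
    """
    benign = "o'brien"
    try:
        lookup_vulnerable(conn, benign)
        broke = False
    except sqlite3.OperationalError:
        broke = True
    return broke and lookup_parameterized(conn, benign) == []


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"          # classic textbook input that turns a lookup into "select everything"
    print("normal lookup:", lookup_parameterized(db, "alice"))
    print("vulnerable, probe input:", len(lookup_vulnerable(db, probe)), "rows")
    print("parameterized, probe input:", len(lookup_parameterized(db, probe)), "rows")
    print("benign apostrophe breaks vulnerable path:", apostrophe_breaks_vulnerable(db))
```

The point a reviewer would take from this is that the hardened form is not a filter on the input; it changes where the boundary between code and data is drawn, so it also fixes the crash on a benign apostrophe. Code review for string concatenation into SQL (f-strings, `%`, `+`) and database-side logging of queries that return unexpectedly many rows are the two cheap detection measures that follow from it.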

What can agencies such as the SEC do to insure us that something like Madoff's Ponzi scheme will never happen again?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: What can agencies such as the SEC do to insure us that something like Madoff's Ponzi scheme will never happen again?
Date: Feb 4, 2009
Blog: Equity Markets
Congressional hearing this morning on the Madoff ponzi scheme with the person that turned in documentation a decade ago to the SEC and repeatedly several times since.

Repeated theme was that crooks & fraud thrive where there is lack of visibility and transparency ... and the major recommendation is to change the culture to provide transparency in all aspects of the operations. There is need for new legislation and regulations, but they will always lag behind the crooks. Much more important is creating institutional and infrastructure transparency.

A couple other highlights
could only think of one person at SEC (in some field office, gave their name) that had any understanding of financial transactions ... all the others at the SEC had no understanding (and were mostly lawyers).

only 4% of fraud is turned up by audits ... over 50% from tips; tips are 13 times more effective than audits. SEC has a 1-800 hotline for companies to complain about too vigorous investigation. there is no corresponding "tip" line.

The Madoff ponzi scheme isn't the only one, tomorrow morning there will be detailed documentation turned in to the authorities about a (different) "small" $1b ponzi scheme.

if it wasn't for the current financial crisis, the Madoff ponzi scheme easily could have continued to $100B

None of the clients he advised, had gotten involved with Madoff


...

Long-winded decade old post mentioning some of the current issues
http://www.garlic.com/~lynn/aepay3.htm#riskm

We had been called in to consult with a small client/server startup that wanted to do payment transactions on their server ... and they had this technology they wanted to use called SSL. there had to be a whole lot of work to turn technology into actual business processes to do financial transactions (frequently now called "electronic commerce"). then in the mid-90s, we were invited to participate in the x9a10 financial standards working group which had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments ... which resulted in the x9.59 financial standard ... some references
http://www.garlic.com/~lynn/x959.html#x959

Somewhat as the result of "electronic commerce" & x9.59 work, we were asked to come in to NSCC (since combined with DTC and renamed DTCC) to see if we could do something similar for all the operations in the securities industry. After some amount of effort, it was eventually suspended because a side-effect of the increased integrity would have created significantly more transparency in all aspects of the industry. This ran into conflict with a pervasive culture of lots of obfuscation and lack of transparency
http://www.garlic.com/~lynn/2008s.html#63 Garbage in, garbage out trampled by Moore's law

... and in the past decade, a lot of the institution computerized risk models were being purposefully manipulated/fiddled to permit the desired objectives (garbage in, garbage out)
How Wall Street Lied to Its Computers
http://bits.blogs.nytimes.com/2008/09/18/how-wall-streets-quants-lied-to-their-computers//
Subprime = Triple-A ratings? or 'How to Lie with Statistics'
http://www.bloggingstocks.com/2007/07/25/subprime-triple-a-ratings-or-how-to-lie-with-statistics/
Computer Models and the Global Economic Crash
http://news.slashdot.org/article.pl?sid=08/12/16/2048235&tid=98

the term Emperor's new clothes was used in the hearings with reference to what is going on and the people at the SEC not being able to understand what is happening.

misc. past posts mentioning the Emperor's new clothes theme:
http://www.garlic.com/~lynn/2008j.html#40 dollar coins
http://www.garlic.com/~lynn/2008j.html#60 dollar coins
http://www.garlic.com/~lynn/2008j.html#69 lack of information accuracy
http://www.garlic.com/~lynn/2008k.html#10 Why do Banks lend poorly in the sub-prime market? Because they are not in Banking!
http://www.garlic.com/~lynn/2008k.html#16 dollar coins
http://www.garlic.com/~lynn/2008k.html#27 dollar coins
http://www.garlic.com/~lynn/2008l.html#42 dollar coins
http://www.garlic.com/~lynn/2008m.html#12 Fraud due to stupid failure to test for negative
http://www.garlic.com/~lynn/2008o.html#35 The human plague
http://www.garlic.com/~lynn/2008q.html#58 Obama, ACORN, subprimes (Re: Spiders)
http://www.garlic.com/~lynn/2009b.html#8 Do emperors from the banks have new clothes?

misc. other posts in the garbage in, garbage out thread
http://www.garlic.com/~lynn/2008s.html#23 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#24 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#27 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#28 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#33 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#57 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#59 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#60 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#62 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#70 Garbage in, garbage out trampled by Moore's law

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

45th anniversary of the System/360 announcement

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: 45th anniversary of the System/360 announcement
Newsgroups: alt.folklore.computers
Date: Thu, 05 Feb 2009 11:28:19 -0500
x-over post from ibm-main:

NBoike@MSPTECHMEDIA.COM (Natalie Boike) writes:
Hello all,

I don't know if this is the appropriate forum, but IBM Systems Magazine, Mainframe edition is collecting "mainframe memories" in recognition of the 45th anniversary of the System/360 announcement. The magazine is hoping to review how the mainframe has changed the industry by publishing user, client and vendor memories in the magazine and on our Web site.

Were you one of the 100,000 businessmen who attended the announcement meeting? Did you play a role in helping the 360 evolve over the years? Amusing or earnest, momentous or trivial, we'd like to hear how the IBM mainframe has impacted your life. Share your story by e-mailing me at nboike@msptechmedia.com before April 13.

Thanks!


--
40+yrs virtualization experience (since Jan68), online at home since Mar70

IBM tried to kill VM?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: IBM tried to kill VM?
Newsgroups: alt.folklore.computers
Date: Thu, 05 Feb 2009 21:31:47 -0500
Chris Barts <chbarts+usenet@gmail.com> writes:
All your posts about VM at IBM, and some bits got triggered in my head: Didn't IBM try to kill VM? Wasn't IBM's strategy focused on OS/360 and MVS, with VM just in the way from a corporate standpoint? Because it doesn't make sense to have multiple incompatible OSes for the 'same' hardware, as DEC learned when they standardized around VMS when they killed the 36-bit line in favor of the VAX and the Alpha.

how many times?

it wasn't supposed to have even gotten started ... there was some creative financing at the science center
http://www.garlic.com/~lynn/subtopic.html#545tech

to fund the hardware modifications that added virtual memory to 360/40 ... and then to replace the 360/40 with a 360/67 (when standard product machine with virtual memory came available). the "official" time-sharing and virtual memory system was "tss/360". lots more of this history can be seen in Melinda's history at:
http://www.leeandmelindavarian.com/Melinda/

then there followed several attempts by tss/360 group to have the cp/67 effort terminated

then there was lots of effort by "os/360" group to not have a cp67->vm370 product effort (when virtual memory was added as standard feature to 370).

cp67 & vm370 weren't exactly incompatible ... since a number of customers would run standard os/360 products in virtual machines ... and the biggest customer was internal corporate development (so they were somewhat ambivalent regarding this other operating system ... since so much of internal operation had become dependent on it).

internally, first there was a custom modification so that cp67 (running on real 360/67) would simulate the 370 architecture (which had a number of differences from 360/67 virtual memory architecture) ... for development of virtual memory support in the other operating systems (os/360, dos/360 ... for dos/vs, vs1, vs2). In addition to doing development under cp67 ... the initial prototype for vs2 involved borrowing code from cp67 for part of the actual implementation (i.e. for morph of os/360 MVT to vs2/svs). Then there was a version of cp67 modified to run on real 370 architecture (first system to run on real 370 virtual memory hardware ... in some cases, was used as early hardware regression test).

the company then went through its "Future System" period
http://www.garlic.com/~lynn/submain.html#futuresys

... when lots of work on 370 hardware & software projects went into abeyance ... since "Future System" was going to completely replace 370. After "Future System" was killed, there was a mad rush to get products back into the 370 product line. As part of the mad rush, there was a crash program to breathe life into a 370 follow-on (31-bit, 370-xa). The group responsible for "mvs/xa" made the case that the vm370 product needed to be killed, the vm370 product group shut down (at the time in the old SBC bldg. in Burlington Mall), and all the people transferred to helping with mvs/xa development (if they were going to meet their schedule). Endicott eventually managed to save the vm370 product mission ... but it had to reconstitute a development group from scratch.

Some number of people from the vm370 product development decided to leave the company and stay in the boston area ... rather than move (this was 1976). There was joke that the mvs/xa decision to kill vm370 was one of the biggest contributions to vms (since some number of the people that stayed in the boston area went to DEC).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Fraud Incidents Tied to Heartland Data Breach

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Fraud Incidents Tied to Heartland Data Breach
Date: Feb 06, 2009
Blog: Payment Systems Network
Fraud Incidents Tied to Heartland Data Breach
http://www.bankinfosecurity.com/articles.php?art_id=1195

from above:
Credit Unions Report Fraudulent Charges Against Members' Cards, ... avg nearly $700/card

... snip ...

long term studies have avg. (consumer) losses per card running @$1000.

that is separate from the institutional "costs" (per account) of breaches rising ... recent breach costs references/discussions:
http://www.garlic.com/~lynn/2009b.html#62 Study: Data breaches continue to get more costly for businesses
http://www.garlic.com/~lynn/2009b.html#63 Study: Data breaches continue to get more costly for businesses

and
https://financialcryptography.com/mt/archives/001148.html

which makes mention of the difference between the avg (rising) institutional "costs" per account and the avg consumer losses per card

then there is this:
http://www.garlic.com/~lynn/2009b.html#9 New Research Reveals 45% of Card Breach Victims Lose Confidence in Their Financial Accounts

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Intel's Future is integrated

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Intel's Future is integrated
Newsgroups: alt.folklore.computers
Date: Fri, 06 Feb 2009 12:56:06 -0500
Intel's Future is integrated
http://www.internetnews.com/hardware/article.php/3801136/Intels+Future+is+Integrated.htm

As part of our HA/CMP project in the early 90s'
http://www.garlic.com/~lynn/subtopic.html#hacmp

we had contracted for some amount of market research with one of the people that did a lot of work for Dataquest (since bought by Gartner).

In that period, the head of the (IBM) PC division contracted with Dataquest for an extensive look at the PC market and its future. The contract included a several hr panel/round table discussion with a dozen of the leading PC experts in silicon valley (including video taping). I was contacted about participating ... but with a combination of being vocal about the PC market (internally) and being an employee of the company ... I first cleared my participation with our executives (as opposed to the PC division). I got approval ... but they asked that Dataquest "garble" my introduction on the video tape & transcription.

One of my themes was a lot higher level of functional integration as more and more capability and circuits became available.

Misc. past posts mentioning dataquest:
http://www.garlic.com/~lynn/2002k.html#55 Moore law
http://www.garlic.com/~lynn/2004.html#34 Two subjects: 64-bit OS2/eCs, Innotek Products
http://www.garlic.com/~lynn/2005t.html#21 What ever happened to Tandem and NonStop OS ?
http://www.garlic.com/~lynn/2007g.html#81 IBM to the PCM market
http://www.garlic.com/~lynn/2007h.html#0 The Perfect Computer - 36 bits?
http://www.garlic.com/~lynn/2008d.html#60 more on (the new 40+ yr old) virtualization
http://www.garlic.com/~lynn/2008o.html#5 Houses
http://www.garlic.com/~lynn/2008o.html#6 Houses

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Amazon Launches Flexible Payments As a Commercial Service

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Amazon Launches Flexible Payments As a Commercial Service
Date: Feb 06, 2009
Blog: Payment Systems Network
Amazon Launches Flexible Payments As a Commercial Service
http://www.digitaltransactions.net/newsstory.cfm?newsid=2083

also from the article:
Pricing for the commercial product remains the same as for the beta version. Amazon Payments transfers cost 1.5% plus a penny. ACH debits are 2% plus a nickel, and the fee for payments backed by credit cards is 2.9% plus 30 cents.

... snip ...

We had been called in to consult with a small client/server startup that wanted to do payments on their server ... and they had this technology called SSL they wanted to use. Part of the effort required doing some detailed end-to-end threat & vulnerability analysis ... including looking at the end-to-end operations of these new things calling themselves "Certification Authorities" ... issuing SSL domain name digital certificates ... some past posts:
http://www.garlic.com/~lynn/subpubkey.html#sslcert

The result is now frequently referred to as electronic commerce. Part of the deployment was something called a payment gateway ... lots of past posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

One of the things the major retailers were always looking at was their fully loaded costs associated with payment transactions.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

IBM tried to kill VM?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: IBM tried to kill VM?
Newsgroups: alt.folklore.computers
Date: Fri, 06 Feb 2009 14:43:08 -0500
hancock4 writes:
Also, for business customers, was increased CPU speed really that significant? I don't think S/360 tape and disk I/O were--at first-- much faster than 7090/1401 I/O, and for business users that was key. The only big advtg I can think of is that the S/360 printer and card reader were faster.

re:
http://www.garlic.com/~lynn/2009b.html#67 IBM tried to kill VM?

my first programming job was porting 1401 MPIO to 360/30. The univ. ran 709 with 1401 for unit record front-end (card->tape & tape->printer/punch). The 360/30 had 1401 hardware emulation mode ... so it could be used w/o actually requiring MPIO port ... but possibly they felt it was an exercise in getting acquainted with 360.

It was good for me since I got to design & implement my own monitor, storage management, device drivers, multitasking, some number of other things.

The 709 ibsys monitor would process student (fortran) jobs in subsecond elapsed time (tape-to-tape).

When 360/67 (running in 360/65 mode; replace 1401/70) with os/360 MFT ... it was taking nearly a minute per student fortran jobs ... this was a lot of (serialized) unit record latency and job-scheduler in 3-step fortran compile, link/edit & go.

My student programming job grew into having responsibility for system programming support for os/360. I first added HASP ... which helped things by eliminating the serialized unit record latency (spooling, overlapping unit record operation with program compile & execution).

However, it was still taking much longer to process student fortran workload than the 709/1401 lashup.

old post with some elapsed time numbers from presentation I gave at fall68 SHARE meeting in Atlantic City
http://www.garlic.com/~lynn/94.html#18 CP/67 & OS MFT14

Part of the numbers were thruput comparison of os/360 running in cp/67 virtual machine. However, part of the numbers are heavy optimization work that i had done on os/360 getting avg. student job elapsed time down under 13seconds ... compared to an "out-of-the-box" system that was (still) over 30 seconds (having added HASP).

Part of the difference between 709 monitor and os/360 ... was each "job step" in os/360 (3 steps in normal job) required an enormous number of (random) disk accesses. I was able to achieve significant reduction in elapsed time ... by very carefully placing required data on disk to optimize disk arm motion.

The student job problem was eventually solved when we installed Watfor from University of Waterloo ... basically a "monitor" (more analogous to 709 operation) ... which required a single "system" job step (to load watfor) and then it would serially process large number of student fortran jobs (finally processing on 360 was faster than 709).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

IBM Revamp Venerable Tivoli Storage Software

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: IBM Revamp Venerable Tivoli Storage Software
Newsgroups: alt.folklore.computers
Date: Fri, 06 Feb 2009 14:49:35 -0500
IBM Revamp Venerable Tivoli Storage Software; Latest version tackles hot areas like dedupe while adding database integration and reporting.
http://www.internetnews.com/storage/article.php/3801106/IBM+Revamp+Venerable+Tivoli+Storage+Software.htm

I had started this long ago and far away ... when I implemented "CMSBACK" ... various old email references
http://www.garlic.com/~lynn/lhwemail.html#cmsback

which was used internally at a number of internal datacenters and went thru 3-4 (internal) releases. then a number of client applications were written for different platforms and released as Workstation DataSave Facility. It was then transferred from the research division to the disk division and renamed ADSM. When the disk division was sold off, ADSM was transferred to Tivoli business unit and renamed TSM.

various old posts mentioning archive/backup
http://www.garlic.com/~lynn/submain.html#backup

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

What can we learn from the meltdown?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: What can we learn from the meltdown?
Date: Feb 07, 2009
Blog: Payment Systems Network
The Glass-Steagall hearings were scanned (OCR'ed) at the Boston Public Library last fall and put online. I've been trying to clean up some of the OCR ... (starting with the INDEX document) which is remarkably good considering the age/quality of the original documents.
http://www.garlic.com/~lynn/2009b.html#60 OCR scans of old documents

OCR'ing lost the indentation in the original documents ... so that, in itself, is some loss of information (how different items were organized). For at least some of the index entries ... they would periodically add some of the underlying information .. a couple of the entries:
Brokers loans made by, as cause of speculative mania in years prior to 1929 in opinion of Otto H. Kahn 1010

"Uncontrolled" because even where made indirectly through banks, reserves against such loans were not required and because completely unregulated, said Charles H. E. Scheer 6313


... snip ...

the analogy was that securitization contributed to speculators being able to treat the home market like the unregulated stock market of the '20s.

Previously, loans were made by financial institutions from deposits. With securitization, (often unregulated) institutions could have access to funds for lending.

The Man Who Beat The Shorts
http://www.forbes.com/forbes/2008/1117/114.html

from above:
Watsa's only sin was in being a little too early with his prediction that the era of credit expansion would end badly. This is what he said in Fairfax's 2003 annual report: "It seems to us that securitization eliminates the incentive for the originator of [a] loan to be credit sensitive. Prior to securitization, the dealer would be very concerned about who was given credit to buy an automobile. With securitization, the dealer (almost) does not care."

... snip ...

With securitization, loans could be unloaded immediately ... not caring about quality ... every loan made was a profit for them. The no-documentation, no-down, 1% introductory, interest-only, ARM became quite attractive to speculators ... since the carrying cost was significantly less than the inflation in many parts of the country (planning on flipping before the rate reset); with the speculation significantly fanning the inflation flames.

Plot the avg. home prices and the ratio of home prices to salary (since the early 70s) ... there is an ugly huge pimple/boil/bubble starting to increase the early part of this decade ... which still hasn't completely deflated.

In the congressional hearings last fall, there was repeated reference to both the toxic-CDO issuers/sellers and the rating agencies were aware that the toxic CDOs weren't worth the triple-A ratings. The explanation was that the rating agencies' business model became misaligned in the early 70s when the rating agencies switched from the buyers to the sellers paying for the ratings (and contributed to conflict of interest).

The toxic CDO triple-A ratings significantly increased the institutions that would deal in toxic CDOs and also significantly increased the amount of money available to those lending.

On the institutional side buying the triple-A rated toxic CDOs, several were playing long/short mismatch ... which has been known for centuries to take down institutions. The comment was that Lehman and Bear Stearns had marginal chance of surviving long/short mismatch (independent of heavy leveraging and whether or not the toxic CDOs were worth triple-A rating) ... article on the subject:
http://www.forbes.com/2007/11/13/citigroup-suntrust-siv-ent-fin-cx_bh_1113hamiltonmatch.html
decade old article from the fed
http://www.frbsf.org/economic-research/publications/economic-letter/2000/september/short-term-international-borrowing-and-financial-fragility/

long-winded, decade old post discussing some of the issues:
http://www.garlic.com/~lynn/aepay3.htm#riskm

PBS pages discussing Enron, Worldcom, deregulation, and repeal of Glass-Steagall
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/

Supposedly SOX had SEC doing something about the rating agencies, but not much seemed to be done except this study:

Report on the Role and Function of Credit Rating Agencies in the Operation of the Securities Markets; As Required by Section 702(b) of the Sarbanes-Oxley Act of 2002
http://www.sec.gov/news/studies/credratingreport0103.pdf

Other evidence that SEC wasn't doing something was from the recent Madoff hearings .... from individual turning over documents about Madoff (starting decade ago). Recent discussion:
http://www.garlic.com/~lynn/2009b.html#65 What can agencies such as the SEC do to insure us that something like Madoff's Ponzi scheme will never happen again?

The repeated theme was that crooks & fraud thrive where there is lack of visibility and transparency ... and the major recommendation is to change the culture to provide transparency in all aspects of the operations. There is need for new legislation and regulations, but they will always lag behind the crooks. Much more important is creating institutional and infrastructure transparency.

A couple other misc. other "highlights"
could only think of one person at SEC (in some field office, gave their name) that had any understanding of financial transactions ... all the others at the SEC had no understanding (and were mostly lawyers).

only 4% of fraud is turned up by audits ... over 50% from tips; tips are 13 times more effective than audits. the SEC has a 1-800 hotline for companies to complain about too vigorous investigating, there is no corresponding tip hotline.

The Madoff ponzi scheme isn't the only one; he will be turning over detailed documentation to the authorities about a (different) "small" $1b ponzi scheme.

None of the clients he advised, had gotten involved with Madoff


...

Corporate Fraud and Misconduct Risks Driven by Pressure to do 'Whatever It Takes'; Fewer episodes reported by companies with ethics and compliance programs
http://www.informationweek.com/financialservices/news/showArticle.jhtml?articleID=215801487

from above:
Of more than 5,000 U.S. workers polled this summer, 74 percent said they had personally observed misconduct within their organizations during the prior 12 months, unchanged from the level reported by KPMG survey respondents in 2005. Roughly half (46 percent) of respondents reported that what they observed "could cause a significant loss of public trust if discovered," a figure that rises to 60 percent among employees working in the banking and finance industry.

... snip ...

If the overall avg. is 46 percent and the financial industry is 60 percent, then the non-financial avg may be as low as 30 percent ... making the financial industry twice as bad as other industries.

so even though it didn't look like the SEC was doing much, GAO was at least compiling a database of various misdeeds
http://www.gao.gov/special.pubs/gao-06-1079sp//index.html

from above:
The database consists of two files: (1) a file that lists 1,390 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between July 1, 2002, and September 30, 2005, and (2) a file that lists 396 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between October 1, 2005, and June 30, 2006.

... snip ...

misc. recent posts mentioning the pbs.org web pages:
http://www.garlic.com/~lynn/2009.html#58 HONEY I LOVE YOU, but please cut the cards
http://www.garlic.com/~lynn/2009.html#84 what was the idea behind Citigroup's splitting up into two different divisions? what does this do for citigroup?
http://www.garlic.com/~lynn/2009b.html#36 A great article was posted in another BI group: "To H*** with Business Intelligence: 40 Percent of Execs Trust Gut"
http://www.garlic.com/~lynn/2009b.html#48 The blame game is on : A blow to the Audit/Accounting Industry or a lesson learned ???
http://www.garlic.com/~lynn/2009b.html#49 US disaster, debts and bad financial management
http://www.garlic.com/~lynn/2009b.html#52 What has the Global Financial Crisis taught the Nations, it's Governments and Decision Makers, and how should they apply that knowledge to manage risks differently in the future?
http://www.garlic.com/~lynn/2009b.html#53 Credit & Risk Management ... go Simple ?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

IBM tried to kill VM?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: IBM tried to kill VM?
Newsgroups: alt.folklore.computers
Date: Sat, 07 Feb 2009 11:08:04 -0500
Walter Bushell <proto@panix.com> writes:
Until they found out what it would cost to convert the programs.

re:
http://www.garlic.com/~lynn/2009b.html#67 IBM tried to kill VM?
http://www.garlic.com/~lynn/2009b.html#71 IBM tried to kill VM?

the university had a 407 "plug-board" accounting program that ran daily. this morphed into a 1401 program that simulated the 407 plugboard. then this was auto-translated into a 360 cobol program (still ran daily).

daily runs on 360/67 (running as 360/65 with os/360) still ended by printing out the 407 sense switch settings. one day, there were different values printed. everything was suspended while they tried to figure out what happened. after an hr or so (not being able to find anybody that understood the program) ... they decided just to rerun the application.

In the early 70s, Amdahl had a seminar at MIT (large auditorium with lots of attendance). One question was what justification he used to get (venture) funding for his clone processor business. His reply was that customers already had a couple hundred billion invested in 360 software applications ... and even if IBM were to totally walk away from 360, there were enough applications to keep him in business until the end of the century.

misc. past posts mentioning 407 plug-board:
http://www.garlic.com/~lynn/99.html#137 Mainframe emulation
http://www.garlic.com/~lynn/2000.html#19 Computer of the century
http://www.garlic.com/~lynn/2001f.html#5 Emulation (was Re: Object code (was: Source code - couldn't resist compiling it :-))
http://www.garlic.com/~lynn/2001m.html#52 Author seeks help - net in 1981
http://www.garlic.com/~lynn/2002d.html#21 Mainframers: Take back the light (spotlight, that is)
http://www.garlic.com/~lynn/2003j.html#23 A Dark Day
http://www.garlic.com/~lynn/2003n.html#41 When nerds were nerds
http://www.garlic.com/~lynn/2004d.html#44 who were the original fortran installations?
http://www.garlic.com/~lynn/2005e.html#29 Using the Cache to Change the Width of Memory
http://www.garlic.com/~lynn/2005n.html#3 Data communications over telegraph circuits
http://www.garlic.com/~lynn/2006b.html#5 IBM 610 workstation computer
http://www.garlic.com/~lynn/2006s.html#66 Why these original FORTRAN quirks?; Now : Programming practices
http://www.garlic.com/~lynn/2008c.html#10 Usefulness of bidirectional read/write?

misc. past posts mentioning Amdahl's talk at MIT:
http://www.garlic.com/~lynn/2001j.html#23 OT - Internet Explorer V6.0
http://www.garlic.com/~lynn/2002j.html#20 MVS on Power (was Re: McKinley Cometh...)
http://www.garlic.com/~lynn/2003.html#36 mainframe
http://www.garlic.com/~lynn/2003e.html#13 unix
http://www.garlic.com/~lynn/2003e.html#15 unix
http://www.garlic.com/~lynn/2003h.html#32 IBM system 370
http://www.garlic.com/~lynn/2003i.html#3 A Dark Day
http://www.garlic.com/~lynn/2003p.html#30 Not A Survey Question
http://www.garlic.com/~lynn/2004d.html#22 System/360 40th Anniversary
http://www.garlic.com/~lynn/2004h.html#20 Vintage computers are better than modern crap !
http://www.garlic.com/~lynn/2004l.html#51 Specifying all biz rules in relational data
http://www.garlic.com/~lynn/2004m.html#53 4GHz is the glass ceiling?
http://www.garlic.com/~lynn/2004o.html#66 Integer types for 128-bit addressing
http://www.garlic.com/~lynn/2005b.html#47 The mid-seventies SHARE survey
http://www.garlic.com/~lynn/2005e.html#35 Thou shalt have no other gods before the ANSI C standard
http://www.garlic.com/~lynn/2005r.html#49 MVCIN instruction
http://www.garlic.com/~lynn/2006.html#7 EREP , sense ... manual
http://www.garlic.com/~lynn/2006c.html#18 Change in computers as a hobbiest
http://www.garlic.com/~lynn/2007f.html#61 Is computer history taught now?
http://www.garlic.com/~lynn/2007f.html#77 John W. Backus, 82, Fortran developer, dies
http://www.garlic.com/~lynn/2007g.html#57 IBM to the PCM market(the sky is falling!!!the sky is falling!!)
http://www.garlic.com/~lynn/2007k.html#46 John W. Backus, 82, Fortran developer, dies
http://www.garlic.com/~lynn/2007m.html#15 Patents, Copyrights, Profits, Flex and Hercules
http://www.garlic.com/~lynn/2007m.html#34 IBM 8000 ???
http://www.garlic.com/~lynn/2007p.html#9 CA to IBM product swap
http://www.garlic.com/~lynn/2007t.html#68 T3 Sues IBM To Break its Mainframe Monopoly
http://www.garlic.com/~lynn/2007v.html#101 It keeps getting uglier
http://www.garlic.com/~lynn/2008g.html#54 performance of hardware dynamic scheduling
http://www.garlic.com/~lynn/2008k.html#53 recent mentions of 40+ yr old technology
http://www.garlic.com/~lynn/2008m.html#1 Yet another squirrel question - Results (very very long post)

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

OCR scans of old documents

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: OCR scans of old documents
Newsgroups: alt.folklore.computers
Date: Sat, 07 Feb 2009 11:13:10 -0500
re:
http://www.garlic.com/~lynn/2009b.html#58 OCR scans of old documents
http://www.garlic.com/~lynn/2009b.html#60 OCR scans of old documents

for the fun of it ... recent post with a couple of quotes from the hearings index:
http://www.garlic.com/~lynn/2009b.html#73 What can we learn from the meltdown?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

IBM tried to kill VM?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: IBM tried to kill VM?
Newsgroups: alt.folklore.computers
Date: Sat, 07 Feb 2009 11:48:16 -0500
Walter Bushell <proto@panix.com> writes:
What they didn't reconvert the program directly to 360. Ah, no such program and beyond I/O probably consumed close to 0 resources.

I've found that if you replace a program, with one of immensely greater functionality but leave 1 out of a million features of the old, you'll get endless complaints.


re:
http://www.garlic.com/~lynn/2009b.html#74 IBM tried to kill VM?

I think there was an intermediate step where the 1401 program (that emulated 407 plug-board) was auto-translated to 709 cobol ... and then the 709 cobol was auto-translated to 360 cobol (and as mentioned, they couldn't find anybody still around that understood the original 407 plug-board).

recent related "re-engineering" post
http://www.garlic.com/~lynn/2009.html#87 Cleaning Up Spaghetti Code vs. Getting Rid of It

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Z11 - Water cooling?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Z11 - Water cooling?
Newsgroups: bit.listserv.ibm-main,alt.folklore.computers
Date: Sat, 07 Feb 2009 14:32:15 -0500
R.Skorupka@BREMULTIBANK.COM.PL (R.S.) writes:
I don't believe! I know pure H2O is dielectric, but it is virtually impossible to keep it so clean especially in contact with metal (I assume the conductors were metallic). So I think, the water had to be *isolated*. That's all. I saw some study of cooling power generator conductors (22kV, ??kA). Tubes (skin effect). The goal was to have the liquid circulation insulated. It is feasible even assuming fill up.

Regarding to "z11" water cooling: what's wrong with water cooling??? Why should we be ashamed of water cooling? Is it old-fashioned? Dino-like? Really? Look at newest graphic cards and CPU in PC game high-end boxes. They almost require liquid cooling. Liquid cooling means hi-tech nowadays. "The most sophisticated" (sales pitch quotation) rack solutions are water-cooled.


re:
http://www.garlic.com/~lynn/2009b.html#46 Z11 - Water cooling?

there is old folklore of the 3081 TCM modules ... with closed system liquid cooling, heat exchange, and liquid on the outboard side to handle all the heat.

one of the stories is that there were thermal sensors ... that would kill the power (to keep from melting) ... but no flow sensors on the outboard cooling side. a customer lost flow on the outboard side ... but by the time the thermal sensors tripped the power, it was too late ... there was so much heat on the inboard side ... that they lost the TCMs. After that, customer sites were retrofitted with flow sensors on the outboard side of the heat exchange (that would kill power before the heat had built up enough to trip the thermal sensors).

some TCM URL references
http://www-03.ibm.com/ibm/history/exhibits/attic2/attic2_015.html
http://domino.watson.ibm.com/tchjr/journalindex.nsf/c469af92ea9eceac85256bd50048567c/5b94a637584c972785256bfa0067f507?OpenDocument
http://ibmcollectables.com/gallery/view_album.php?set_albumName=album122
https://en.wikipedia.org/wiki/IBM_3081
http://www.vm.ibm.com/devpages/LUNSFORD/rdl_prof.html

recent post mentioning 4341s being used to test 3081 TCMs:
http://www.garlic.com/~lynn/2009b.html#22 Evil weather

one of the issues with TCMs was that field engineers could no longer do "bootstrap" diagnostics that started with scoping. approach in 3081 was a "service processor" that had probes into all the TCMs ... and the "service processor" was "scopable" (field engineers could diagnose/replace the service processor ... and then use the service processor to diagnose the rest of the machine).

with the increase in requirements and sophistication of "service processor", for the 3090, it was initially decided to go with 4331 running a highly modified version of vm370 release 6, and all the screens/menus done in CMS IOS3270. By the time 3090 shipped, the 4331 had been replaced by a pair of 4361s (redundant machines as alternative to having to diagnose the machine in the field) ... still running highly modified version of vm370 release 6 (and all the screens done in CMS IOS3270).

misc past posts mentioning TCMs
http://www.garlic.com/~lynn/2000b.html#36 How to learn assembler language for OS/390 ?
http://www.garlic.com/~lynn/2000b.html#37 How to learn assembler language for OS/390 ?
http://www.garlic.com/~lynn/2000b.html#38 How to learn assembler language for OS/390 ?
http://www.garlic.com/~lynn/2000d.html#61 "all-out" vs less aggressive designs (was: Re: 36 to 32 bit transition)
http://www.garlic.com/~lynn/2001k.html#7 hot chips and nuclear reactors
http://www.garlic.com/~lynn/2002b.html#3 Microcode? (& index searching)
http://www.garlic.com/~lynn/2002b.html#5 Microcode? (& index searching)
http://www.garlic.com/~lynn/2002d.html#13 IBM Mainframe at home
http://www.garlic.com/~lynn/2002e.html#20 What goes into a 3090?
http://www.garlic.com/~lynn/2002l.html#10 What is microcode?
http://www.garlic.com/~lynn/2004n.html#15 360 longevity, was RISCs too close to hardware?
http://www.garlic.com/~lynn/2004n.html#22 Shipwrecks
http://www.garlic.com/~lynn/2004p.html#35 IBM 3614 and 3624 ATM's
http://www.garlic.com/~lynn/2004p.html#36 IBM 3614 and 3624 ATM's
http://www.garlic.com/~lynn/2004p.html#41 IBM 3614 and 3624 ATM's
http://www.garlic.com/~lynn/2005b.html#51 History of performance counters
http://www.garlic.com/~lynn/2005h.html#13 Today's mainframe--anything to new?
http://www.garlic.com/~lynn/2006r.html#36 REAL memory column in SDSF
http://www.garlic.com/~lynn/2007g.html#23 The Perfect Computer - 36 bits?
http://www.garlic.com/~lynn/2007g.html#29 The Perfect Computer - 36 bits?
http://www.garlic.com/~lynn/2007h.html#9 21st Century ISA goals?
http://www.garlic.com/~lynn/2007t.html#77 T3 Sues IBM To Break its Mainframe Monopoly
http://www.garlic.com/~lynn/2008d.html#52 Throwaway cores
http://www.garlic.com/~lynn/2008h.html#80 Microsoft versus Digital Equipment Corporation

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

How to defeat new telemarketing tactic

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: How to defeat new telemarketing tactic
Newsgroups: alt.folklore.computers
Date: Sun, 08 Feb 2009 11:25:06 -0500
jmfbahciv <jmfbahciv@aol> writes:
That's not the problem. The problem is that the financial sector has no metric to evaluate worth. So most are doing nothing, i.e., making no monetary decisions such as issuing loans or investing in infrastructure, until that has been cleared up. Everything that Congress and Obama flap their lips about "doing something" is completely ignoring this. Am I wrong about this assessment, Morten? Or Lynn or Sidd?

CDO-like instruments were used two decades ago in the S&L crisis to obfuscate the underlying value (be able to sell more than what the components were actually worth).

The Man Who Beat The Shorts
http://www.forbes.com/forbes/2008/1117/114.html

from above:
Watsa's only sin was in being a little too early with his prediction that the era of credit expansion would end badly. This is what he said in Fairfax's 2003 annual report: "It seems to us that securitization eliminates the incentive for the originator of [a] loan to be credit sensitive. Prior to securitization, the dealer would be very concerned about who was given credit to buy an automobile. With securitization, the dealer (almost) does not care."

... snip ...

It wasn't that they have no metric ... it was that they no longer had to care. Some number of institutions are in trouble because of this and other imprudent and bad business decisions. I've mentioned past CSPAN program with panel of representatives from mortgage industry ... and they were somewhat torn between claiming that the industry was ignorant and totally incompetent and just ignored all prudent business processes.
http://www.garlic.com/~lynn/2008s.html#5 Greed - If greed was the cause of the global meltdown then why does the biz community appoint those who so easily succumb to its temptations?

As a result of a period of really, really bad business practices by lots of the institutions ... their financial matters are really a mess ... the big problem is cleaning up the horrendous mess they made for themselves and getting their books back into some rational state. Several people in the past couple weeks have gone on the record that several of the major financial institutions are insolvent and should be allowed to fail and go into bankruptcy ... and not be allowed to linger on using government funds.

In congressional hearings last fall, several statements were made that both the rating agencies and the toxic CDO sellers/issuers knew that the toxic CDOs weren't worth a triple-A rating, but the sellers/issuers were paying for the triple-A rating. They further observed that in the early 70s, the rating agencies "mis-aligned" their business process by changing from buyers paying for the ratings to the sellers paying for the ratings (greatly increasing the potential for conflict of interest).

A month ago there was news item mentioning IDC was helping gov. try and price the toxic assets. Past posts mentioning IDC (early cp67 timesharing service bureau moving upstream in providing financial information) bought "pricing services" division from one of the rating agencies in 1972 ... period that testimony mentioned rating agency business model became misaligned.
http://www.garlic.com/~lynn/2009.html#21 Banks to embrace virtualisation in 2009: survey
http://www.garlic.com/~lynn/2009.html#31 Banks to embrace virtualisation in 2009: survey
http://www.garlic.com/~lynn/2009.html#32 Banks to embrace virtualisation in 2009: survey

Past couple days ... there have also been several people interviewed saying that there will always be a problem trying to price some of these complex securitized instruments ... that they have to be broken down into their individual loans ... and priced like before.

There is some issue with trying to price toxic CDOs because of the complexity of the way some have been sliced and diced and then stitched back together. There is also the issue (from old threads) where FUD damaging trust in the rating agencies froze up the market in more traditional financial instruments (that don't have all the obfuscation of toxic CDOs ... but having been paid to give triple-A ratings to toxic CDOs ... what else might they have done) ... aka Warren Buffett stepping in to unfreeze the muni bond market:
http://www.garlic.com/~lynn/2008j.html#20 dollar coins
http://www.garlic.com/~lynn/2008k.html#16 dollar coins
http://www.garlic.com/~lynn/2008o.html#45 The human plague
http://www.garlic.com/~lynn/2008o.html#52 Why is sub-prime crisis of America called the sub-prime crisis?
http://www.garlic.com/~lynn/2008p.html#60 Did sub-prime cause the financial mess we are in?

Mortgages/loans used to be made by regulated institutions using deposits. Being able to unload the loans as toxic CDOs ... the (often unregulated) lenders no longer had to care about the lendee (every loan made was a profit for them, regardless of who, what, why the loan was for). The triple-A ratings significantly increased the institutions that would deal in toxic CDOs, and therefore also greatly increased the amount of money for these lenders.

No documentation, no-down-payment, 1% introductory rate ARMs with interest-only payments, became extremely attractive for speculators since the carrying cost was significantly less than the home appreciation in numerous markets (planning on flipping before the rate reset). the large amount of speculation, in turn, significantly increased the inflation in the market. eventually the bubble bursts but while it lasted ... lots of people were raking in the money.

Plot avg. home prices as well as the ratio of avg. home prices to avg. salary back to 1970 ... there is a huge, ugly pimple/boil/bubble starting the early part of this decade that has not fully deflated.

Basically, speculators were able to treat the home market like the 1920s unregulated stock market. The speculation not only fueled the ugly home market price spike ... but also created the impression that the demand was greater than the supply. Not only is the price bubble having to deflate, but prices may reset to lower than the original point as the excess supply has to be sold off (law of supply and demand).

There shouldn't be a return to the irrational lending practices fueled by securitization and toxic CDOs. In the hot real estate markets (earlier in this decade) the combination of big spike (that has to deflate) and excess supply/overbuilding (having to be sold off) creates ambiguity about where the property values will reset to ... and contributes to downward pressure on lending.

However, there are lots of communities that never really got into the big inflation real estate spike ... and community financial institutions that continue to make loans like they have always done. I previously mentioned CSPAN interview with somebody from community banking that said they will be somewhat affected ... because the FDIC will have to increase assessments for all banks (reducing the money they traditionally have had to lend) ... in order to cover the take-over cost of all the bad/failing institutions
http://www.garlic.com/~lynn/2008s.html#18 What next? from where would the Banks be hit?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

How to defeat new telemarketing tactic

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: How to defeat new telemarketing tactic
Newsgroups: alt.folklore.computers
Date: Sun, 08 Feb 2009 14:03:53 -0500
re:
http://www.garlic.com/~lynn/2009b.html#78 How to defeat new telemarketing tactic

with toxic CDOs/securitization, lenders could obfuscate the underlying value (going back at least two decades ago to S&L crisis)

with paying for triple-A ratings on toxic CDOs, the number of institutions that would buy them was enormously increased and the amount of money available was enormously increased.

The combination of an enormous amount of money and securitization (lenders not having any motivation about loan quality) was leveraged by speculators to treat the home market like the unregulated stock market of the 20s. The resulting credit crisis has some similarities with the '29 stock market crash and some differences ... in part because of the difference between stock ownership and home ownership. Crashing the home market permeates out into lots of segments of the economy.

some quotes found in the Glass-Steagall hearings ... recent post
http://www.garlic.com/~lynn/2009b.html#73 What can we learn from the meltdown?
Brokers loans made by, as cause of speculative mania in years prior to 1929 in opinion of Otto H. Kahn 1010

"Uncontrolled" because even where made indirectly through banks, reserves against such loans were not required and because completely unregulated, said Charles H. E. Scheer 6313


... snip ...

This is all on the lending side (frequently by unregulated institutions that didn't need or require deposits as source of funds) ... turning home market speculation into the 1920s unregulated stock market.

There was then a lot of (other) problems with the institutions buying these triple-A rated toxic CDOs (some of them traditional banks that weren't actually making the original loans ... but were now buying/investing in the triple-A rated toxic CDOs).

Part of the issue was some number of the institutions were playing long/short mismatch, which has been known for centuries to take down institutions. One past comment was that Lehman and Bear-Stearns had marginal chance of surviving playing long/short mismatch (independent of the heavy leveraging, whether or not the toxic CDOs deserved their triple-A rating, and being carried off-balance). past post:
http://www.garlic.com/~lynn/2008o.html#37 The human plague
decade old Fed article about playing long/short mismatch
http://www.frbsf.org/economic-research/publications/economic-letter/2000/september/short-term-international-borrowing-and-financial-fragility/

Also, as in the parallel with the crash of '29 ... numerous banks were also carrying these instruments off-balance. Last year there was betting that Citi was going to win the "write-down" sweepstakes (declaring the largest losses). Even after Citi had won the "write-down" sweepstakes, there was the observation that Citi was still carrying $1.1T of toxic assets off-balance (and would eventually have to bring them back onto the books) ... recent post
http://www.garlic.com/~lynn/2009b.html#8 Do emperors from the banks have new clothes

and some other references
http://www.forbes.com/2007/11/13/citigroup-suntrust-siv-ent-fin-cx_bh_1113hamiltonmatch.html
http://www.nakedcapitalism.com/2008/07/wither-citigroups-11-trillion-of-off.html?showComment=1216055460000

Some number of financial institutions are considered insolvent because of all of these toxic assets they are carrying. This is independent of the problem with the ambiguity in being able to value collateral assets as part of lending (in a falling market). Which is also independent of the loss of confidence/trust in rating agencies (because of the triple-A ratings on toxic CDOs) that had been integral to investment decisions.

These are my past comments about how deregulation and lack of regulation enforcement resulted in lots of separate hot beds of greed and corruption merging into an economic firestorm
http://www.garlic.com/~lynn/2008f.html#79 Bush - place in history
http://www.garlic.com/~lynn/2008o.html#78 Who murdered the financial system?
http://www.garlic.com/~lynn/2008o.html#80 Can we blame one person for the financial meltdown?
http://www.garlic.com/~lynn/2008o.html#82 Greenspan testimony and securization
http://www.garlic.com/~lynn/2008p.html#60 Did sub-prime cause the financial mess we are in?
http://www.garlic.com/~lynn/2008q.html#20 How is Subprime crisis impacting other Industries?
http://www.garlic.com/~lynn/2008s.html#57 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#62 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2009.html#71 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009b.html#1 Are Both The U.S. & UK on the brink of debt disaster?
http://www.garlic.com/~lynn/2009b.html#30 The recently revealed excesses of John Thain, the former CEO of Merrill Lynch, while the firm was receiving $25 Billion in TARP funds makes me sick
http://www.garlic.com/~lynn/2009b.html#53 Credit & Risk Management ... go Simple ?

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

How to defeat new telemarketing tactic

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: How to defeat new telemarketing tactic
Newsgroups: alt.folklore.computers
Date: Sun, 08 Feb 2009 14:25:23 -0500
re:
http://www.garlic.com/~lynn/2009b.html#78 How to defeat new telemarketing tactic
http://www.garlic.com/~lynn/2009b.html#79 How to defeat new telemarketing tactic

... to repeat, i've made some number of references to a lot of these hot beds of greed and corruption having been around for some time ... it was, in large part, deregulation and lack of regulation enforcement allowing them to combine together into an economic firestorm.

The crash of 2008: A mathematician's view
http://www.eurekalert.org/pub_releases/2008-12/w-tco120808.php

from above:
Markets need regulation to stay stable. We have had thirty years of financial deregulation. Now we are seeing chickens coming home to roost. This is the key argument of Professor Nick Bingham, a mathematician at Imperial College London, in an article published today in Significance, the magazine of the Royal Statistical Society.

... snip ...

pbs web pages (previously mentioned) discussing enron, worldcom, deregulation, repeal of Glass-Steagall
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/

There was CSPAN program that mentioned during the congressional session that repealed Glass-Steagall, the financial industry contributed $250m to congress ... and in the most recent session that passed the $700b bail-out bill, there were $2b in contributions.

Enron and Worldcom had also been laid at the deregulation door. Supposedly Sarbanes-Oxley was going to correct some of it.

With regard to the triple-A ratings on toxic CDOs, supposedly SOX required SEC to do something with respect to the rating agencies ... but there doesn't seem to have been anything besides a Jan2003 report.

Report on the Role and Function of Credit Rating Agencies in the Operation of the Securities Markets; As Required by Section 702(b) of the Sarbanes-Oxley Act of 2002
http://www.sec.gov/news/studies/credratingreport0103.pdf

Possibly in part because SEC didn't seem to be doing anything, GAO started doing a database of executives fiddling public company financial reports (in spite of SOX). The executives get a boost in compensation based on the fiddled numbers. Later the financials may be restated ... but the compensation is not forfeited. One example was in 2004 Freddie was fined $400m for $10b fiddling of financials and the CEO replaced ... but allowed to keep tens of millions (hundred?).
http://www.gao.gov/special.pubs/gao-06-1079sp//index.html

from above:
The database consists of two files: (1) a file that lists 1,390 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between July 1, 2002, and September 30, 2005, and (2) a file that lists 396 restatement announcements that we identified as having been made because of financial reporting fraud and/or accounting errors between October 1, 2005, and June 30, 2006.

... snip ...

Then there was the congressional hearing last week into the Madoff ponzi scheme ... which had a person that has been trying to get the SEC to do something about it for the past decade ... recent posts
http://www.garlic.com/~lynn/2009b.html#65 What can agencies such as the SEC do to insure us that something like Madoff's Ponzi scheme will never happen again?
http://www.garlic.com/~lynn/2009b.html#73 What can we learn from the meltdown?

In his testimony, there was repeated theme that crooks & fraud thrive where there is lack of visibility and transparency ... and the major recommendation is to change the culture to provide transparency in all aspects of the operations. There is need for new legislation and regulations, but they will always lag behind the crooks. Much more important is creating institutional and infrastructure transparency.

A couple other tidbits:
could only think of one person at SEC (in some field office, gave their name) that had any understanding of financial transactions ... all the others at the SEC had no understanding (and were mostly lawyers).

only 4% of fraud is turned up by audits ... over 50% from tips; tips are 13 times more effective than audits. SEC has a 1-800 hotline for companies to complain about too vigorous investigation. there is no corresponding "tip" line.

The Madoff ponzi scheme isn't the only one; he is in the process of turning over detailed documentation to the authorities about a (different) "small" $1b ponzi scheme.

if it wasn't for the current financial crisis, the Madoff ponzi scheme easily could have continued to $100B

None of the clients he advised had gotten involved with Madoff.


...

Long-winded decade old post mentioning some of the current issues
http://www.garlic.com/~lynn/aepay3.htm#riskm

We had been called in to consult with a small client/server startup that wanted to do payment transactions on their server ... and they had this technology they wanted to use called SSL. there had to be a whole lot of work to turn technology into actual business processes to do financial transactions (frequently now called "electronic commerce"). then in the mid-90s, we were invited to participate in the x9a10 financial standards working group which had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments ... which resulted in the x9.59 financial standard ... some references
http://www.garlic.com/~lynn/x959.html#x959

Somewhat as the result of the "electronic commerce" & x9.59 work, we were asked to come in to NSCC (since combined with DTC and renamed DTCC) to see if we could do something similar for all the operations in the securities industry. After some amount of effort, it was eventually suspended because a side-effect of the increased integrity would have created significantly more transparency in all aspects of the industry. This ran into conflict with the pervasive culture of lots of obfuscation and lack of transparency
http://www.garlic.com/~lynn/2008s.html#63 Garbage in, garbage out trampled by Moore's law

misc. past posts mentioning Glass-Steagall:
http://www.garlic.com/~lynn/2008b.html#12 Computer Science Education: Where Are the Software Engineers of Tomorrow?
http://www.garlic.com/~lynn/2008c.html#11 Toyota Sales for 2007 May Surpass GM
http://www.garlic.com/~lynn/2008c.html#87 Toyota Sales for 2007 May Surpass GM
http://www.garlic.com/~lynn/2008d.html#85 Toyota Sales for 2007 May Surpass GM
http://www.garlic.com/~lynn/2008e.html#42 Banks failing to manage IT risk - study
http://www.garlic.com/~lynn/2008e.html#59 independent appraisers
http://www.garlic.com/~lynn/2008f.html#1 independent appraisers
http://www.garlic.com/~lynn/2008f.html#13 independent appraisers
http://www.garlic.com/~lynn/2008f.html#17 independent appraisers
http://www.garlic.com/~lynn/2008f.html#43 independent appraisers
http://www.garlic.com/~lynn/2008f.html#46 independent appraisers
http://www.garlic.com/~lynn/2008f.html#53 independent appraisers
http://www.garlic.com/~lynn/2008f.html#71 Bush - place in history
http://www.garlic.com/~lynn/2008f.html#73 Bush - place in history
http://www.garlic.com/~lynn/2008f.html#75 Bush - place in history
http://www.garlic.com/~lynn/2008f.html#79 Bush - place in history
http://www.garlic.com/~lynn/2008f.html#94 Bush - place in history
http://www.garlic.com/~lynn/2008f.html#96 Bush - place in history
http://www.garlic.com/~lynn/2008f.html#97 Bush - place in history
http://www.garlic.com/~lynn/2008g.html#2 Bush - place in history
http://www.garlic.com/~lynn/2008g.html#4 CDOs subverting Boyd's OODA-loop
http://www.garlic.com/~lynn/2008g.html#16 independent appraisers
http://www.garlic.com/~lynn/2008g.html#44 Fixing finance
http://www.garlic.com/~lynn/2008g.html#51 IBM CEO's remuneration last year ?
http://www.garlic.com/~lynn/2008g.html#52 IBM CEO's remuneration last year ?
http://www.garlic.com/~lynn/2008g.html#57 Credit crisis could cost nearly $1 trillion, IMF predicts
http://www.garlic.com/~lynn/2008g.html#59 Credit crisis could cost nearly $1 trillion, IMF predicts
http://www.garlic.com/~lynn/2008g.html#66 independent appraisers
http://www.garlic.com/~lynn/2008g.html#67 independent appraisers
http://www.garlic.com/~lynn/2008h.html#1 subprime write-down sweepstakes
http://www.garlic.com/~lynn/2008h.html#28 subprime write-down sweepstakes
http://www.garlic.com/~lynn/2008h.html#32 subprime write-down sweepstakes
http://www.garlic.com/~lynn/2008h.html#89 Credit Crisis Timeline
http://www.garlic.com/~lynn/2008j.html#12 To: Graymouse -- Ireland and the EU, What in the H... is all this about?
http://www.garlic.com/~lynn/2008j.html#66 lack of information accuracy
http://www.garlic.com/~lynn/2008k.html#28 dollar coins
http://www.garlic.com/~lynn/2008k.html#36 dollar coins
http://www.garlic.com/~lynn/2008k.html#41 dollar coins
http://www.garlic.com/~lynn/2008l.html#42 dollar coins
http://www.garlic.com/~lynn/2008l.html#67 dollar coins
http://www.garlic.com/~lynn/2008l.html#70 dollar coins
http://www.garlic.com/~lynn/2008m.html#16 Fraud due to stupid failure to test for negative
http://www.garlic.com/~lynn/2008m.html#73 Blinkylights
http://www.garlic.com/~lynn/2008n.html#12 Blinkylights
http://www.garlic.com/~lynn/2008n.html#19 Blinkylights
http://www.garlic.com/~lynn/2008n.html#53 Your thoughts on the following comprehensive bailout plan please
http://www.garlic.com/~lynn/2008n.html#78 Isn't it the Federal Reserve role to oversee the banking system??
http://www.garlic.com/~lynn/2008n.html#99 Blinkylights
http://www.garlic.com/~lynn/2008o.html#12 The human plague
http://www.garlic.com/~lynn/2008o.html#18 Once the dust settles, do you think Milton Friedman's economic theories will be laid to rest
http://www.garlic.com/~lynn/2008o.html#19 What's your view of current global financial / economical situation?
http://www.garlic.com/~lynn/2008o.html#28 Does anyone get the idea that those responsible for containing this finanical crisis are doing too much?
http://www.garlic.com/~lynn/2008o.html#37 The human plague
http://www.garlic.com/~lynn/2008o.html#39 The human plague
http://www.garlic.com/~lynn/2008o.html#43 The human plague
http://www.garlic.com/~lynn/2008o.html#44 The human plague
http://www.garlic.com/~lynn/2008o.html#51 Why are some banks failing, and others aren't?
http://www.garlic.com/~lynn/2008o.html#78 Who murdered the financial system?
http://www.garlic.com/~lynn/2008o.html#80 Can we blame one person for the financial meltdown?
http://www.garlic.com/~lynn/2008o.html#83 Chip-and-pin card reader supply-chain subversion 'has netted millions from British shoppers'
http://www.garlic.com/~lynn/2008p.html#8 Global Melt Down
http://www.garlic.com/~lynn/2008p.html#9 Do you believe a global financial regulation is possible?
http://www.garlic.com/~lynn/2008q.html#26 Blinkenlights
http://www.garlic.com/~lynn/2008q.html#66 Blinkenlights
http://www.garlic.com/~lynn/2008r.html#64 Is This a Different Kind of Financial Crisis?
http://www.garlic.com/~lynn/2008s.html#9 Blind-sided, again. Why?
http://www.garlic.com/~lynn/2008s.html#20 Five great technological revolutions
http://www.garlic.com/~lynn/2008s.html#23 Garbage in, garbage out trampled by Moore's law
http://www.garlic.com/~lynn/2008s.html#35 Is American capitalism and greed to blame for our financial troubles in the US?
http://www.garlic.com/~lynn/2008s.html#55 Is this the story behind the crunchy credit stuff?
http://www.garlic.com/~lynn/2009.html#58 HONEY I LOVE YOU, but please cut the cards
http://www.garlic.com/~lynn/2009.html#84 what was the idea behind Citigroup's splitting up into two different divisions? what does this do for citigroup?
http://www.garlic.com/~lynn/2009b.html#48 The blame game is on : A blow to the Audit/Accounting Industry or a lesson learned ???
http://www.garlic.com/~lynn/2009b.html#49 US disaster, debts and bad financial management
http://www.garlic.com/~lynn/2009b.html#52 What has the Global Financial Crisis taught the Nations, it's Governments and Decision Makers, and how should they apply that knowledge to manage risks differently in the future?
http://www.garlic.com/~lynn/2009b.html#53 Credit & Risk Management ... go Simple ?
http://www.garlic.com/~lynn/2009b.html#54 In your opinion, which facts caused the global crise situation?
http://www.garlic.com/~lynn/2009b.html#58 OCR scans of old documents
http://www.garlic.com/~lynn/2009b.html#59 As bonuses...why breed greed, when others are in dire need?
http://www.garlic.com/~lynn/2009b.html#60 OCR scans of old documents

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
