List of Archived Posts

2010 Newsgroup Postings (10/15 - 11/24)

Hashing for DISTINCT or GROUP BY in SQL
ZeuS attacks mobiles in bank SMS bypass scam
Question: Why Has Debit Grown So Quickly?
When will MVS be able to use cheap dasd
When will MVS be able to use cheap dasd
origin of 'fields'?
When will MVS be able to use cheap dasd
When will MVS be able to use cheap dasd
PCI: Smaller Merchants Threatened
On Scope Scrinkage in PCI DSS
Boyd & Beyond 2010, review at Zenpundit
The Scariest Company in Tech
When will MVS be able to use cheap dasd
Astonishing Speedup In Solving Linear SDD Systems
Electronic Theft Costs Businesses More Than Physical Theft
SAP ON IBM mainframe
The Scariest Company in Tech
ZeuS attacks mobiles in bank SMS bypass scam
Electronic Theft Costs Businesses More Than Physical Theft
Virtualization: Making Seductive Promises a Reality
Electronic Theft Costs Businesses More Than Physical Theft
Compressing the OODA-Loop - Removing the D (and maybe even an O)
60 Minutes News Report:Unemployed for over 99 weeks!
Spooky Myths that Trick Merchants When It Comes to Secure Payments Processes
What Is MERS and What Role Does It Have in the Foreclosure Mess?
bell labs unix publication
Global Sourcing with Cloud Computing and Virtualization
60 Minutes News Report:Unemployed for over 99 weeks!
Survey Outlines Compliance Challenge Among Small Merchants
Linux 2.6.37 kills the Big Kernel Lock
Linux 2.6.37 kills the Big Kernel Lock
Survey Outlines Compliance Challenge Among Small Merchants
Compared even to the development of the phone or TV; the Web developed very quickly
Why are TSO IDs limited to 7 characters
origin of 'fields'?
Tivoli Storage Manager for z/OS (Functionally Stablized & Impending Demise)
Cookies Are Dead in the Fight Against Fraud
WHAT, WHY AND HOW - FRAUD, IMPACT OF AUDIT
Google scares Aussie banks
Compressing the OODA-Loop - Removing the D (and maybe even an O)
The Credit Card Criminals Are Getting Crafty
60 Minutes News Report:Unemployed for over 99 weeks!
Facebook and Twitter fail basic security test
Internet Evolution - Part I: Encryption basics
A Wolf In Sheep's Clothing - New Threat
A Wolf In Sheep's Clothing - New Threat
The Credit Card Criminals Are Getting Crafty
origin of 'fields'?
origin of 'fields'?
The Credit Card Criminals Are Getting Crafty
The Credit Card Criminals Are Getting Crafty
The Credit Card Criminals Are Getting Crafty
Payment Card Industry Pursues Profits Over Security
The Credit Card Criminals Are Getting Crafty
The Credit Card Criminals Are Getting Crafty
Mac Emulator
The Credit Card Criminals Are Getting Crafty
So why doesn't the mainstream IT press seem to get the IBM mainframe?
So why doesn't the mainstream IT press seem to get the IBM mainframe?
They always think we don't understand
Compressing the OODA-Loop - Removing the D (and maybe even an O)
They always think we don't understand
They always think we don't understand
They always think we don't understand
They always think we don't understand
They always think we don't understand
They always think we don't understand
CARD AUTHENTICATION TECHNOLOGY - Embedded keypad on Card - Is this the future
Visual tour: 25 years of Windows
They always think we don't understand
Compressing the OODA-Loop - Removing the D (and maybe even an O)
They always think we don't understand
They always think we don't understand
IEFBR14
Compressing the OODA-Loop - Removing the D (and maybe even an O)
origin of 'fields'?
e-commerce smackdown as PCI standards revised
The Credit Card Criminals Are Getting Crafty
origin of 'fields'?
I actually miss working at IBM
origin of 'fields'?
The Credit Card Criminals Are Getting Crafty
CARD AUTHENTICATION TECHNOLOGY - Embedded keypad on Card - Is this the future
The IETF is probably the single element in the global equation of technology competition than has resulted in the INTERNET
CARD AUTHENTICATION TECHNOLOGY - Embedded keypad on Card - Is this the future
REXX "address" environments

Hashing for DISTINCT or GROUP BY in SQL

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Hashing for DISTINCT or GROUP BY in SQL
Newsgroups: comp.databases.theory
Date: Fri, 15 Oct 2010 20:44:01 -0400
paul c <anonymous@not-for-mail.invalid> writes:
There was a big Texan you'll remember named Tom Simpson who was previously known for creating HASP at IBM and who used to travel up to Toronto to give advice. There was often talk of taking parts of Huron in other directions and one idea was to use some of it as a system programming tool. When Simpson asked, "well, just how would you issue an I/O?", he was taken aback with the answer "oh, that's just a table insert". (ie., persistence wasn't considered a logical requirement unlike in other dbms'.)

re:
http://www.garlic.com/~lynn/2010n.html#80 Hashing for DISTINCT or GROUP BY in SQL
http://www.garlic.com/~lynn/2010n.html#81 Hashing for DISTINCT or GROUP BY in SQL
http://www.garlic.com/~lynn/2010n.html#82 Hashing for DISTINCT or GROUP BY in SQL
http://www.garlic.com/~lynn/2010n.html#83 Hashing for DISTINCT or GROUP BY in SQL
http://www.garlic.com/~lynn/2010n.html#84 Hashing for DISTINCT or GROUP BY in SQL
http://www.garlic.com/~lynn/2010n.html#85 Hashing for DISTINCT or GROUP BY in SQL

Tom was doing RASP before leaving IBM ... something between tss/360 and s/38 approach to disk support ... but with traditional os/360 above. folklore was that he was then doing a "clean-room" re-implementation. and that subsequent litigation and code review only found a very few similar code sequences.

there was somebody that did a port of unix to 370 at univ. a few of us tried to (unsuccessfully) talk the corporation into making him an offer ... but he went to amdahl instead to work on gold (for AU ... eventually announced as UTS). There was some amount of competition between Dallas effort and gold/uts (as a new operating system offering).

about the same time bell labs had contracted with ibm to do a stripped down tss/370 kernel called SSUP that they would layer unix on top of. I suggested to the Amdahl factions that they might resolve their differences with a similar approach (rather than either/or; don't ask why I would even be brought into any of this).

in the past i've posted some old email exchanges about uts/ssup-unix benchmarks.

--
virtualization experience starting Jan1968, online at home since Mar1970

ZeuS attacks mobiles in bank SMS bypass scam

From: lynn@garlic.com (Lynn Wheeler)
Date: 17 Oct, 2010
Subject: ZeuS attacks mobiles in bank SMS bypass scam
Blog: Financial Crime Risk, Fraud and Security
re:
http://www.garlic.com/~lynn/2010n.html#47 ZeuS attacks mobiles in bank SMS bypass scam
http://www.garlic.com/~lynn/2010n.html#49 ZeuS attacks mobiles in bank SMS bypass scam
http://www.garlic.com/~lynn/2010n.html#77 ZeuS attacks mobiles in bank SMS bypass scam

latest ...

Zeus Botnet Targets Charles Schwab Clients
http://www.pcworld.com/article/208045/zeus_botnet_targets_charles_schwab_clients.html
Zeus botnet gang targets Charles Schwab accounts
http://www.computerworld.com/s/article/9191479/Zeus_botnet_gang_targets_Charles_Schwab_accounts
Zeus botnet gang targets Charles Schwab accounts
http://www.networkworld.com/news/2010/102010-e-crime-now-more-common-than.html

and ...

Microsoft Security Report: Botnets Enemy No. 1
http://www.internetnews.com/security/article.php/3908451/Microsoft+Security+Report+Botnets+Enemy+No+1.htm
Botnets Biggest Cybercrime Threat: Microsoft Report
http://www.esecurityplanet.com/features/article.php/3908316/article.htm
Microsoft Exposes Scope of Botnet Threat
http://www.pcworld.com/businesscenter/article/207961/microsoft_exposes_scope_of_botnet_threat.html
Microsoft Exposes Scope of Botnet Threat
http://www.networkworld.com/news/2010/101710-zeus-botnet-gang-targets-charles.html
Microsoft Exposes Scope of Botnet Threat
http://news.yahoo.com/s/pcworld/20101015/tc_pcworld/microsoftexposesscopeofbotnetthreat

and ...

Playing God: Zeus DIY Botnet Kit Evolves
http://securitywatch.eweek.com/botnets/playing_god_zeus_diy_botnet_kit_evolves.html
Botnets Explained; Take a trip to the other side with our guide to the internet's darkest, smartest, and most profitable criminal networks
http://pcplus.techradar.com/feature/features/botnets-explained-30-09-10

--
virtualization experience starting Jan1968, online at home since Mar1970

Question: Why Has Debit Grown So Quickly?

From: lynn@garlic.com (Lynn Wheeler)
Date: 17 Oct, 2010
Subject: Question: Why Has Debit Grown So Quickly?
Blog: Payment System Network
re:
http://www.garlic.com/~lynn/2010n.html#59 Question: Why Has Debit Grown So Quickly?
http://www.garlic.com/~lynn/2010n.html#79 Question: Why Has Debit Grown So Quickly?

... but the "additional value" came at higher costs ... in some cases, much higher costs. some of that was at the root of the walmart/merchant class action suit (mentioned upthread) ... also some of the more extreme higher cost products are now even being declined at some merchants.

--
virtualization experience starting Jan1968, online at home since Mar1970

When will MVS be able to use cheap dasd

From: lynn@GARLIC.COM (Anne & Lynn Wheeler)
Subject: Re: When will MVS be able to use cheap dasd
Newsgroups: bit.listserv.ibm-main
Date: 17 Oct 2010 10:09:04 -0700
PaulGBoulder@AIM.COM (Paul Gilmartin) writes:
Google is reported to operate its enterprise on tens of thousands of commodity PCs running Linux. (But there were reports last January of Google's suffering an attack by a Windows virus.)

Given Google's pragmatism, and the economic advantages of IBM mainframes often touted here, I wonder why Google doesn't replace some of those PCs with a smaller number of z10s or z196s likewise running Linux. The software conversion costs should be minimal, or at worst within Google's resources.

Might it be that there's no practical way to attach those commodity disks to a z?


re:
http://www.garlic.com/~lynn/2010n.html#62 When will MVS be able to use cheap dasd
http://www.garlic.com/~lynn/2010n.html#65 When will MVS be able to use cheap dasd
http://www.garlic.com/~lynn/2010n.html#75 When will MVS be able to use cheap dasd

more like blades ... in rows & rows of high-density racks ... and they assemble (contributing to being 1/3rd cost of getting effectively same thing from brand name vendor) ... along with lots of environmental engineering for optimizing energy & cooling costs. contributes to stories about their mega datacenters near large water supply and inexpensive, reliable power ... old reference:
http://www.garlic.com/~lynn/2008n.html#79 Google Data Centers 'The Most Efficient In The World'

mainframe price/performance may be getting better ... possibly even approaching brand name blades ... but is still long ways from what google (and some other like ilk) efforts are doing.

i had some of this discussion with the executive responsible for the original MVS POSIX/UNIX support ... major motivation/driver for POSIX was to free customers to arbitrarily move to lowest priced (hardware) vendor with minimal conversion/disruption (accelerating hardware commoditization). At the time, MVS POSIX/UNIX support was unlikely to attract any of that customer set; aka major motivation for MVS POSIX/UNIX support was so it could be checked off the list on RFPs (like gov) where it was mandated (I've done projects in the past with the person claiming responsibility for originating gov. COTS as well as the term/acronym).

another in the genre of mega datacenters:
http://www.garlic.com/~lynn/2010m.html#14 Facebook doubles the size of its first data center

random topic drift & factoid ... the facebook address in silicon valley is new bldg. next door to the old "HONE" datacenter bldg (now has different occupant).

HONE had originally been created to provide operating system "hands-on" experience to branch SEs in the wake of 23jun69 unbundling announcements, and starting to charge for SE services; several cp67 virtual machine datacenters in the US. Then HONE started providing large number of sales&marketing support applications implemented in (CMS) APL (which came to dominate and the original purpose eventually evaporated). In the mid-70s, the various US HONE datacenters (now on vm370 base) were consolidated in silicon valley and the largest single-system-image (mainframe) operation was created (with special enhancements to vm370). Circa 1980, the datacenter was replicated in Dallas and then 3rd in Boulder (with load-balancing and fail-over between the 3 centers ... initially motivated by earthquake activity in cal). misc. past posts mentioning hone
http://www.garlic.com/~lynn/subtopic.html#hone

misc. past posts mentioning 23jun69 unbundling
http://www.garlic.com/~lynn/submain.html#unbundle

One of my hobbies over the years was providing (& supporting) highly enhanced operating systems for internal datacenters and HONE was a long time "customer" (when they started cloning HONE datacenters around the world ... they even asked me do some of the early installations).

last year, there was reference to something similar to the HONE support finally being released for zVM (after 3 decades) ... prompting post about
http://www.garlic.com/~lynn/2009p.html#43 From The Annals of Release No Software Before Its Time
http://www.garlic.com/~lynn/2009p.html#46 From The Annals of Release No Software Before Its Time

--
virtualization experience starting Jan1968, online at home since Mar1970

When will MVS be able to use cheap dasd

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: When will MVS be able to use cheap dasd
Newsgroups: bit.listserv.ibm-main
Date: Mon, 18 Oct 2010 12:24:46 -0400
ps2os2@YAHOO.COM (Ed Gould) writes:
Lynn:

Somewhere in the mid to late 70's I was given access to a MVS system that ran somewhere in IBM (possibly west coast but who knew or cared). The purpose of the access was to see if TSO session manager gave us hardcopy for TSO. We had quite a bill from some ts vendor (sorry do not remember the name) that basically supported hardcopy terminals. My mind is fuzzy but I know the 2741 was "probably" the only real device that IBM supported as a hardcopy device. Once I showed them that they could use TSO session manager for hardcopy they changed their story and all of a sudden needed some type of graphics for hardcopy and I had to say "NO" we can't do that. Their need was probably valid but I could not promise something like graphics hardcopy. I am talking high quality stuff not GDDM stuff. That was the final blow and a few years later they shut us down.

If I remember correctly TSO session manager was either written at Boeing by IBM or by Boeing people. I first heard about it at SHARE and unfortunately at that time it was not cheap (couple hundred a month I think) so we could not afford to buy it and test it out so IBM let me have access to some system that ran it. It was a sort of a pain as I had to walk over to IBM in Chicago which at that time was a solid 6 blocks away. But the fun more than made up for any inconvenience.


???

re:
http://www.garlic.com/~lynn/2010n.html#62 When will MVS be able to use cheap dasd
http://www.garlic.com/~lynn/2010n.html#65 When will MVS be able to use cheap dasd
http://www.garlic.com/~lynn/2010n.html#75 When will MVS be able to use cheap dasd
http://www.garlic.com/~lynn/2010o.html#3 When will MVS be able to use cheap dasd

vast majority of internal systems were virtual machine (much for interactive and personal computing ... although some also had "guest" operating system) ... and the majority of the systems on the internal network were virtual machine ... i.e. internal network was larger than arpanet/internet from just about the beginning until possibly late '85 or early '86. misc. past posts mentioning internal network
http://www.garlic.com/~lynn/subnetwork.html#internalnet

there was virtual device support for virtual 3270s ... which also could run over network. the person that had developed one of the major internal email clients ... also developed a scripting facility for virtual 3270s (well before PCs and things like HLLAPI). A 0.0x something version of the email client was picked up by the PROFS group with some menu stuff around it ... and showed up in product at customer shops. Later when the author contacted the PROFS group and offered a much updated & enhanced version ... they claimed they weren't using his email client (they had given awards in the group for its development) and then tried to get him fired. The whole thing went quiet after he pointed out that every PROFS message in the world had his initials included in an internal, non-displayed field.

some old scripts ... including being able autologon, search and save & process output from the RETAIN system
http://www.garlic.com/~lynn/2001k.html#35 Newbie TOPS-10 7.03 question
BUCKET -- Automatic PUT Bucket Retriever:
http://www.garlic.com/~lynn/2001k.html#36 Newbie TOPS-10 7.03 question

A lot of the 43xx machines went in for a form of distributed computing ... and resulted in large upsurge in the number of systems on the internal network in the late 70s and early 80s. In the mid-80s ... that mid-range, distributed market was starting to shift to workstations and large PCs (both internally and with customers) ... which was major reason why arpanet/internet passed internal network in number of nodes.

The communication division 3270 terminal emulation on PCs contributed significantly to early uptake of PCs (customer could get a PC for about the same price as 3270 and in single desktop footprint do both host 3270 terminal and some amount of local computing; 3270s were already justified so there wasn't any additional $$$ justification required to switch to PC). by the mid-80s, PC and workstations were getting sophisticated enough that they were becoming their own network nodes as part of distributed computing ... except with heavy mainframe datacenters (both internally and with customers) ... i.e. the communication division was attempting to staunchly preserve their terminal emulation install base. While on the internet ... more&more of these workstations and PCs were becoming network nodes ... and on the internal network, they were still restricted to only doing terminal emulation. misc. past posts mentioning terminal emulation
http://www.garlic.com/~lynn/subnetwork.html#terminal

As a result of the terminal emulation limitations for growing distributed computing sophistication ... lots of data was leaking out of the datacenter onto more distributed-computing friendly platforms. This was also what prompted a senior disk engineer in the late 80s to open a talk at the annual, world-wide communication division internal conference with a statement that the communication division was going to be responsible for the demise of the disk division. The disk division had repeatedly attempted to bring out products that were significantly more distributed-computing friendly only to be blocked by the communication division (who owned strategic responsibility for everything that crossed the walls of the datacenter).

This also shows up with SAA in the late 80s. We had come up with 3-tier network architecture (with mainframe datacenter integral part of the distributed environment) and were out pitching to customer executives ... and taking significant barbs from the communication division and the SAA crowd (although over the years, I had developed a pretty good working relationship with the person promoted to be responsible for SAA ... and had large corner office on top floor in somers). misc. past posts mentioning 3-tier architecture
http://www.garlic.com/~lynn/subnetwork.html#3tier

a simple example of the orientation was that the advanced workstation division had shipped the PC/RT with 16bit AT-bus and had developed their own 4mbit token-ring card. For the RS6000, things moved to microchannel and AWD was told that they had to (only) use PS2 adapter cards. The PS2 microchannel 16mbit T/R card was designed/developed for the 300+ stations on lan segment doing terminal emulation ... and as a result the PS2 microchannel 16mbit T/R card had lower per card thruput than the PC/RT 4mbit T/R card (there was joke that if the RS6000 was only to use PS2 adapter cards, it wouldn't run any faster than a PS2).

--
virtualization experience starting Jan1968, online at home since Mar1970

origin of 'fields'?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: origin of 'fields'?
Newsgroups: alt.folklore.computers
Date: Tue, 19 Oct 2010 11:42:24 -0400
Roland Hutchinson <my.spamtrap@verizon.net> writes:
The OED doesn't seem to say anything about how the computer-related sense of the word originated. The bits that seemed at all relevant to me are quoted below, from the online OED (the article is from the 1989 Second Edition). I conjecture that the computing term may possibly derive from the senses that follow it (under "16." in the OED) rather than from the ones grouped with it (mathematical, etc.) under "15.".

somewhat totally unrelated ... the author of rexx took sabbatical to work with the OED2 people ... helping them with the effort ... references here:
http://speleotrove.com/mfc/mfc_biography.html
http://www.drdobbs.com/184409842
http://www.enotes.com/topic/Oxford_English_Dictionary

When will MVS be able to use cheap dasd

From: lynn@GARLIC.COM (Anne & Lynn Wheeler)
Subject: Re: When will MVS be able to use cheap dasd
Newsgroups: bit.listserv.ibm-main
Date: 19 Oct 2010 09:08:01 -0700
lynn@GARLIC.COM (Anne & Lynn Wheeler) writes:
switch to PC). by the mid-80s, PC and workstations were getting sophisticated enough that they were becoming their own network nodes as part of distributed computing ... except with heavy mainframe datacenters (both internally and with customers) ... but the communication division was attempting to staunchly preserve their terminal emulation install base. While on the internet ... more&more of these workstations and PCs were becoming network nodes ... on the internal network, they were still restricted to only doing terminal emulation. misc. past posts mentioning terminal emulation
http://www.garlic.com/~lynn/subnetwork.html#terminal


re:
http://www.garlic.com/~lynn/2010o.html#4 When will MVS be able to use cheap dasd

additional topic drift is nsfnet backbone (the operational precursor to the modern internet). I had been doing HSDT (high-speed data transport) project which included working with some of the participants that would be part of the NSFNET backbone. misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#hsdt

When the RFP came out, there was various internal politics and we were precluded from bidding. The director of NSF wrote a letter to the corporation (copying the CEO) trying to at least get some participation in the activity (had support from chief scientist from various gov. agencies). The letter just aggravated the internal politics that prevented us from bidding on the RFP in the first place (references to having deployed technology internally that was at least five years ahead of all bid submissions <to build something new>, didn't help). ... misc. old email
http://www.garlic.com/~lynn/lhwemail.html#nsfnet

in the middle of HSDT, some of the technology was being built on the other side of the pacific. The friday before a business trip there, the communication group announced a new internal discussion group on high speed communication ... the announcement included the following definitions:


low-speed               <9.6kbits
medium-speed            19.2kbits
high-speed              56kbits
very high-speed         1.5mbits

The following monday in a conference room (on the other side of the pacific), there were the following definitions:

low-speed               <20mbits
medium-speed            100mbits
high-speed              200-300mbits
very high-speed         >600mbits

as an aside, internal discussion groups had come a long way. I had been blamed for online computer conferencing on the internal network in the late 70s and early 80s. Folklore is that when the executive committee (chairman, ceo, pres, etc) were finally informed about computer conferencing (and the internal network), five of six wanted to immediately fire me (the purported hold-out went on to provide the funding channeled into HSDT). misc. mention of internal network
http://www.garlic.com/~lynn/subnetwork.html#internalnet

--
virtualization experience starting Jan1968, online at home since Mar1970

When will MVS be able to use cheap dasd

From: lynn@GARLIC.COM (Anne & Lynn Wheeler)
Subject: Re: When will MVS be able to use cheap dasd
Newsgroups: bit.listserv.ibm-main
Date: 20 Oct 2010 04:48:14 -0700
re:
http://www.garlic.com/~lynn/2010n.html#62 When will MVS be able to use cheap dasd
http://www.garlic.com/~lynn/2010n.html#65 When will MVS be able to use cheap dasd
http://www.garlic.com/~lynn/2010n.html#75 When will MVS be able to use cheap dasd
http://www.garlic.com/~lynn/2010o.html#3 When will MVS be able to use cheap dasd
http://www.garlic.com/~lynn/2010o.html#4 When will MVS be able to use cheap dasd
http://www.garlic.com/~lynn/2010o.html#6 When will MVS be able to use cheap dasd

from today

Western Digital Launches First 3TB Hard Drive
http://www.informationweek.com/security/showArticle.jhtml?articleID=198500457

mentions that it is a FBA4096 drive (rather than FBA512 that has been standard for so long) & suggested retail is $239, $74/tbyte (2.5TB drive is $189, $76/tbyte)

recent posts in comp.database.theory thread ... mentions future system and s/38. one of the early issues was that s/38 treated all disks as one large pool (with potential scatter allocate across all disks) ... so system backup was all available data and single disk failure resulted in doing complete system restore (which was rumored could take days). Supposedly this was motivation for s/38 being early adopter of raid technology ... as countermeasure to single disk failure (since such occurrence was so traumatic).
http://www.garlic.com/~lynn/2010n.html#80 Hashing for DISTINCT or GROUP BY in SQL
http://www.garlic.com/~lynn/2010n.html#81 Hashing for DISTINCT or GROUP BY in SQL
http://www.garlic.com/~lynn/2010n.html#82 Hashing for DISTINCT or GROUP BY in SQL
http://www.garlic.com/~lynn/2010n.html#83 Hashing for DISTINCT or GROUP BY in SQL
http://www.garlic.com/~lynn/2010n.html#84 Hashing for DISTINCT or GROUP BY in SQL
http://www.garlic.com/~lynn/2010n.html#85 Hashing for DISTINCT or GROUP BY in SQL

even with million+ hr MTBF drives ... there are still some failures ... which has driven to RAID & hot-pluggable ... being able to transparently handle (mask) single disk failure (and do replacement and restore on-the-fly).
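The single-disk-failure masking mentioned above, as an added example (not from the original post, and not s/38 or any vendor's RAID code): a single-parity stripe in the RAID-4/5 style, where the parity block is the XOR of the data blocks, so any one lost block (data or parity) can be rebuilt from the survivors; alongside it, the fleet-level arithmetic that shows why a million-hour MTBF still produces a steady stream of failures. The sample blocks, the 10,000-drive fleet size and the 1,000,000-hour MTBF are constructed values chosen for the example.

```python
"""Added example: XOR parity masking one disk failure, plus fleet failure-rate
arithmetic. Constructed data; not code from the original post."""

from functools import reduce
from typing import List


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR a list of equal-length byte strings together, byte by byte."""
    if not blocks:
        raise ValueError("need at least one block")
    width = len(blocks[0])
    if any(len(b) != width for b in blocks):
        raise ValueError("all blocks in a stripe must be the same length")
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def build_stripe(data_blocks: List[bytes]) -> List[bytes]:
    """Return the data blocks followed by one parity block (single parity)."""
    parity = xor_blocks(data_blocks)
    return list(data_blocks) + [parity]


def reconstruct(stripe: List[bytes], failed_index: int) -> bytes:
    """Rebuild the block at failed_index from every other block in the stripe.

    XOR is its own inverse: XOR of all blocks is zero, so the XOR of the
    survivors equals the missing block, whether it was data or parity.
    """
    survivors = [blk for i, blk in enumerate(stripe) if i != failed_index]
    return xor_blocks(survivors)


def read_with_failed_disk(stripe: List[bytes], failed_index: int, want: int) -> bytes:
    """Serve a read while one disk is down: direct read if the disk is healthy,
    otherwise rebuild on the fly (what 'masking' a failure means to the host)."""
    if want != failed_index:
        return stripe[want]
    return reconstruct(stripe, failed_index)


def expected_annual_failures(drive_count: int, mtbf_hours: float) -> float:
    """Expected drive failures per year across a fleet, assuming a constant
    failure rate. MTBF is a population average, not a per-drive lifetime,
    so a large fleet sees failures every year regardless of the MTBF figure."""
    hours_per_year = 24 * 365
    return drive_count * hours_per_year / mtbf_hours


if __name__ == "__main__":
    # Constructed 8-byte blocks standing in for four data disks.
    data = [b"ABCDEFGH", b"12345678", b"\x00\xff" * 4, b"zyxwvuts"]
    stripe = build_stripe(data)
    lost = 2  # pretend disk 2 failed
    assert read_with_failed_disk(stripe, lost, lost) == data[lost]
    print("rebuilt disk", lost, "->", reconstruct(stripe, lost))
    # Constructed fleet: 10,000 drives at a 1,000,000-hour MTBF (assumed figures).
    print("expected failures/year:", expected_annual_failures(10_000, 1_000_000))
```

The parity arithmetic is what lets a hot-pluggable array keep serving reads while a replacement drive is rebuilt; the fleet arithmetic (10,000 drives at a million-hour MTBF comes to roughly 88 failures a year under the constant-rate assumption) is why that masking is needed routinely rather than as a rare event.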

some recent posts mentioning the fba512 to fba4096 move:
http://www.garlic.com/~lynn/2010.html#1 DEC-10 SOS Editor Intra-Line Editing
http://www.garlic.com/~lynn/2010.html#84 locate mode, was Happy DEC-10 Day
http://www.garlic.com/~lynn/2010b.html#85 search engine history, was Happy DEC-10 Day
http://www.garlic.com/~lynn/2010d.html#9 PDS vs. PDSE
http://www.garlic.com/~lynn/2010m.html#1 History of Hard-coded Offsets
http://www.garlic.com/~lynn/2010m.html#41 IBM 3883 Manuals

--
virtualization experience starting Jan1968, online at home since Mar1970

PCI: Smaller Merchants Threatened

From: lynn@garlic.com (Lynn Wheeler)
Date: 21 Oct, 2010
Subject: PCI: Smaller Merchants Threatened
Blog: Financial Crime Risk, Fraud and Security
PCI: Smaller Merchants Threatened
http://www.bankinfosecurity.com/articles.php?art_id=3019

from above:
The Payment Card Industry's Security Standards Council may be doing a good job helping lock down larger retailers, but the smaller "Mom and Pop" merchants are becoming the new targets of cyber criminals, says a PCI expert.

... snip ...

This somewhat highlights the security proportional to risk metaphor ... possibly more easily seen with smaller merchants w/o the scaleup issues. Basically the value to the merchant of the transaction/cardholder information is the profit from the transaction ... possibly a few dollars (or in the case of a processor, a few cents). The value of the same information to the crook is the account balance or credit limit ... as a result, a crook may be able to outspend attacking the system by a factor of 100 times what the merchant/processor can afford to spend defending the system (including things like "buying" insiders).
http://www.garlic.com/~lynn/subintegrity.html#harvest

The real solution is to slightly tweak the paradigm and eliminate information leakage as a risk/threat/vulnerability. Part of this is the dual-use scenario ... the same information that attempts are being made to prevent leakage, ideally by keeping it completely confidential and never divulged, is also information that is required in dozens of business processes at millions of locations around the world.

another metaphor regarding the current environment is misaligned business process (this was used repeatedly in the fall 2008 congressional hearings into the current financial mess, to describe the pivotal role played by the rating agencies). The cardholder/transaction information leakage is at risk to the cardholder ... who has no control regarding the security provisions. At least before the cal. state data breach notification legislation, the merchants & processors had nothing at risk if the information leaked. The approach taken in x9.59 financial transaction standard was to eliminate the risk (to the cardholder) from such information leakage (eliminating the mis-aligned business process).
http://www.garlic.com/~lynn/x959.html#x959

--
virtualization experience starting Jan1968, online at home since Mar1970

On Scope Scrinkage in PCI DSS

From: lynn@garlic.com (Lynn Wheeler)
Date: 21 Oct, 2010
Subject: On Scope Scrinkage in PCI DSS
Blog: Information Security
On Scope Scrinkage in PCI DSS
http://www.infosecisland.com/blogview/8913-On-Scope-Shrinkage-in-PCI-DSS.html

from above:
People who came to PCI DSS assessments and related services from doing pure information security often view PCI scope reduction as a cheap trick aimed at making PCI DSS compliance undeservedly easier. However, PCI DSS scope shrink is not just a cop out aimed at not protecting the data

... snip ...

re:
http://www.garlic.com/~lynn/2010o.html#8 PCI: Smaller Merchants Threatened

slight x-over from discussion in financial crime, risk, fraud and security (linkedin) group ... note that PCI can be viewed as one of the responses to the (originally cal. more than decade ago) data breach notification legislation. we were tangentially involved having been brought in to help wordsmith the electronic signature legislation ... and some of the parties were heavily involved in privacy issues. they had done detailed citizen surveys and identified identity theft as the NO.1 issue with major type being "account fraud" as a result of data breaches. There seemed to be nothing being done about the problem (especially since the leakage of data wasn't a threat to the operations holding the data ... but to the corresponding account holders). There seemed to be some hope that the publicity from the notifications might motivate institutions to take countermeasures.

for some additional background ... we had been brought in as consultants to a small client/server startup that wanted to do payment transactions on their server. They had also invented this technology they called SSL, that they wanted to use. The result is now frequently called "electronic commerce". some past posts
http://www.garlic.com/~lynn/subpubkey.html#sslcerts
and
http://www.garlic.com/~lynn/subnetwork.html#gateway

Somewhat as a result, in the mid-90s we were asked to participate in the x9a10 financial standard working group (which had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments). Part of the effort involved detailed end-to-end threat & vulnerability studies of the different retail payment products, different kinds of retail payments, different modes of retail payments (debit, credit, stored value, gift card, ACH, POS, face-to-face, unattended, internet, wireless, contact, contactless, high-value, low-value, transit turnstile ... aka ALL). The result was the x9.59 financial transaction standard. some references
http://www.garlic.com/~lynn/x959.html#x959

X9.59 did nothing about preventing data leakage ... it just slightly tweaked the paradigm so there was no longer a threat from such leakage. Now the major use of SSL in the world today is this earlier thing we did for "electronic commerce" ... used to hide transaction detail. X9.59 eliminated that need to hide transaction information and so also eliminates the major use of SSL in the world. some past posts
http://www.garlic.com/~lynn/subintegrity.html#harvest

... aka most entities are motivated to take security and/or countermeasures when the risk/threat is to them.

the card/transaction information leakage is a threat to the cardholder (not the entity holding the data) ... and prior to breach notification legislation there was little motivation for those entities to do anything.

--
virtualization experience starting Jan1968, online at home since Mar1970

Boyd & Beyond 2010, review at Zenpundit

From: lynn@garlic.com (Lynn Wheeler)
Date: 21 Oct, 2010
Subject: Boyd & Beyond 2010, review at Zenpundit
Blog: Linkedin
Boyd & Beyond 2010, review at Zenpundit
http://zenpundit.com/?p=3573

.. comment

I'd be tempted to also recommend a book "Knowledge Machines" ... except it is taken from a 9-month study of how I communicate. I had been blamed for online computer conferencing on the internal network in the late 70s and early 80s (which was larger than the internet/arpanet from just about the beginning until possibly late '85 or early '86). Somewhat as a result, a researcher was paid to sit in the back of my office for 9 months ... taking notes on how I communicate. They also got copies of all my incoming and outgoing email as well as logs of all instant messages. The material was used in several papers and books as well as for a Stanford PhD (joint between language and computer AI) ... some related posts
http://www.garlic.com/~lynn/subnetwork.html#cmc

... by Murray; amazon says only one left in stock (published in 1995, a decade or so after the study). mellowed a bit in old age, there were a couple hundred thousand employees on the internal network and at times they would try and accuse me of being responsible for 1/3 to 1/2 of all activity. misc. past posts mentioning internal network
http://www.garlic.com/~lynn/subnetwork.html#internalnet

For other related information ... try a search engine with "security taxonomy glossary" ... top references are either one of my web pages or others that reference my web pages. In the early 90s I had gotten involved in applying knowledge base technology to NIH's UMLS and taxonomies then became something of a hobby of mine (attempting to structure how people think about a subject).

--
virtualization experience starting Jan1968, online at home since Mar1970

The Scariest Company in Tech

From: lynn@garlic.com (Lynn Wheeler)
Date: 22 Oct, 2010
Subject: The Scariest Company in Tech
Blog: Disciples of Boyd's Strategy
The Scariest Company In Tech
http://www.conceivablytech.com/3637/business/the-scariest-company-in-tech/

from above:
A rather controversial presentation came to light this week (it was done back in 2001) from an Oracle market intelligence executive. It suggests that Oracle has a CIA-like competitive intelligence unit that would be the envy of some countries and sleeper agents in most of Oracle's competitors.

... snip ...

The first time I scheduled Col. Boyd's briefing, I tried to have it sponsored by the corporate employee education dept. Initially they agreed, but when I provided them a detailed abstract, they changed their mind. They explained the corporation spends a large amount on management education and something about a major part being motivation of employees. They decided that exposing the general employee population to Boyd's briefings would be counterproductive and I should limit the audience to just people in the competitive analysis organizations (something about viewing management/employee relations as a competitive situation). I did make the briefings open to all employees (but w/o the sponsorship of corporate employee education).

Some of the point of the article just might have to do with history of Oracle and who the original "Oracle" effort was being done for.

a couple past posts mentioning Oracle history:
http://www.garlic.com/~lynn/2000e.html#49 How did Oracle get started?
http://www.garlic.com/~lynn/2006c.html#42 IBM 610 workstation computer
http://www.garlic.com/~lynn/2009k.html#31 Disksize history question

bio/history article:
http://www.nndb.com/people/439/000022373/

from above:
As a boy he showed an aptitude for math and science, and as a young man he was a computer programmer for Ampex Corporation. His primary project for Ampex was crafting a large-scale database for the Central Intelligence Agency (CIA). The database was code-named "Oracle".

... snip ...

just doing search engine comes up with some "history" articles that have it rather garbled.

btw, if you download the referenced presentation (from 2001) ... it starts out fairly early with page with Sun Tsu, Attila The Hun, and Larry Ellison. As Boyd and OODA-loops permeate business world ... should start to see more Boyd references.

couple pages on there is something about "What's the fastest database on IBM's fastest computer". I had something to say last year on similar round of articles (that I titled From the Annals of Release No Software Before It's Time; starts out on some non-DBMS software before getting to DBMS):
http://www.garlic.com/~lynn/2009p.html#43

misc. past posts mentioning Col. John Boyd
http://www.garlic.com/~lynn/subboyd.html

--
virtualization experience starting Jan1968, online at home since Mar1970

When will MVS be able to use cheap dasd

From: lynn@GARLIC.COM (Anne & Lynn Wheeler)
Subject: Re: When will MVS be able to use cheap dasd
Newsgroups: bit.listserv.ibm-main
Date: 23 Oct 2010 05:42:47 -0700
gerhard@VALLEY.NET (Gerhard Postpischil) writes:
I didn't say that 3390 size has any relevance, only that the same considerations apply. Whatever physical medium is used for the FBA disk, each platter will hold multiple records. Due to (cheap) electronics, the gaps are of significant size, so a design with larger blocks will get more data per track. It would be possible to design a drive specifically for FBA use, with better speed control, to shrink the gaps, but at horrendous expense. Since the manufacturers profit from selling DASD, there is limited incentive to reduce their income.

these days, all physical drives are FBA ... CKD is just a hardware emulation layer on top .... for MVS, since it never got around to supporting FBA natively. As previously mentioned ... the first such was 3375 (on top of 3370 fba) ... to provide a mid-range dasd for mvs ... supporting some MVS attempt to expand into the exploding midrange market (since there was no *new* native CKD midrange disk)

as periodically mentioned ... I was told that even if I gave them fully tested & integrated FBA support ... I would still have to show a business case for the estimated $26m to cover documentation and education; roughly ten times that in incremental additional sales. I wasn't allowed to use lifecycle savings as part of the business case ... and was further informed that if there were FBA support ... customers would just switch to buying the same amount in FBA drives (no incremental, new business).

misc. past posts mentioning fba, ckd, multi-track search, etc
http://www.garlic.com/~lynn/submain.html#dasd

misc. past posts getting to play disk engineer in bldgs. 14&15 (random trivia, during the earthquake remediation retrofit of bldg 14, engineering was moved temporarily offsite to "bldg 86")
http://www.garlic.com/~lynn/subtopic.html#disk

checking online sat. photos show bldgs 14&15 still standing ... but many of the ones around it are gone

misc. past posts in this thread:
http://www.garlic.com/~lynn/2010n.html#62 When will MVS be able to use cheap dasd
http://www.garlic.com/~lynn/2010n.html#65 When will MVS be able to use cheap dasd
http://www.garlic.com/~lynn/2010n.html#75 When will MVS be able to use cheap dasd
http://www.garlic.com/~lynn/2010o.html#3 When will MVS be able to use cheap dasd
http://www.garlic.com/~lynn/2010o.html#4 When will MVS be able to use cheap dasd
http://www.garlic.com/~lynn/2010o.html#6 When will MVS be able to use cheap dasd
http://www.garlic.com/~lynn/2010o.html#7 When will MVS be able to use cheap dasd

--
virtualization experience starting Jan1968, online at home since Mar1970

Astonishing Speedup In Solving Linear SDD Systems

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Astonishing Speedup In Solving Linear SDD Systems
Newsgroups: alt.folklore.computers
Date: Sat, 23 Oct 2010 09:08:29 -0400
random topic from slashdot (although one wonders sometimes about such postings if it is some sort of spoof)

Astonishing Speedup In Solving Linear SDD Systems
http://news.slashdot.org/story/10/10/22/1236215/Astonishing-Speedup-In-Solving-Linear-SDD-Systems

from above:
The new algorithm, by comparison, has a run time of s*[log(s)]^2. That means, if s = 1 million, that the new algorithm run time would be about a billion times faster than Gaussian elimination.

... snip ...

refs:

FOCS 2010
http://theory.stanford.edu/focs2010/

--
virtualization experience starting Jan1968, online at home since Mar1970

Electronic Theft Costs Businesses More Than Physical Theft

From: lynn@garlic.com (Lynn Wheeler)
Date: 23 Oct, 2010
Subject: Electronic Theft Costs Businesses More Than Physical Theft
Blog: Information Security Network
Electronic Theft Costs Businesses More Than Physical Theft
http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=212701491

from above:
Phishing is the top information theft threat to U.S. companies, according to a Kroll survey that found physical property fall behind information thievery for the first time in its four-year history.

... snip ...

more ...

E-crime Now More Common Than Real Crime
http://www.networkworld.com/news/2010/123110-what-you-missed-a-major.html
E-crime Now More Common Than Real Crime
http://www.pcworld.com/article/208279/ecrime_now_more_common_than_real_crime.html

middle of last decade there was a presentation that e-crime had passed drug crime ... somebody from Reuters was there and the item reverberated around the world.

... and no it wasn't me that made the presentation ... although late that day I got an email from the person that did, asking me to dig up open source material supporting the statement. It was trivial to find drug crime numbers all over the web ... but you wouldn't believe how hard it was to find cyber crime numbers.

--
virtualization experience starting Jan1968, online at home since Mar1970

SAP ON IBM mainframe

From: lynn@GARLIC.COM (Anne & Lynn Wheeler)
Subject: Re: SAP ON IBM mainframe
Newsgroups: bit.listserv.ibm-main
Date: 24 Oct 2010 06:38:20 -0700
and for only a little topic drift, another recent article

The Scariest Company in Tech
http://www.conceivablytech.com/3637/business/the-scariest-company-in-tech

it references a presentation from 2001 that mentions the fastest DBMS on the largest IBM computer. I noticed, in part because of the historical warfare references in a business competitive environment ... I had sponsored Col Boyd's briefings at IBM (and I was at "Boyd 2010" last weekend held at USMC university at Quantico) ... recent comment
http://www.garlic.com/~lynn/2010o.html#11 The Scariest Company in Tech

related post from last year (also about fastest DBMS on IBM computer)
http://www.garlic.com/~lynn/2009p.html#43 From The Annals of Release No Software Before It's Time

recent post/reference to Boyd 2010 (mentions getting blamed for computer conferencing at IBM on the internal network in the late 70s and early 80s)
http://www.garlic.com/~lynn/2010o.html#10 Boyd & Beyond 2010

--
virtualization experience starting Jan1968, online at home since Mar1970

The Scariest Company in Tech

From: lynn@garlic.com (Lynn Wheeler)
Date: 24 Oct, 2010
Subject: The Scariest Company in Tech
Blog: Disciples of Boyd's Strategy
re:
http://www.garlic.com/~lynn/2010o.html#11 The Scariest Company in Tech

I got to deal some with him ... especially when we were doing our HA/CMP product .... old reference to jan92 meeting in his conference room
http://www.garlic.com/~lynn/95.html#13

we were doing DBMS scaleup on a non-mainframe platform. IBM didn't have any offering in this area ... so we were working with the four major DBMS vendors that did (at the time, Oracle was just one of four). We were facilitating their being able to migrate their vax/cluster DBMS support to HA/CMP and then scale it up. This managed to offend some of the commercial mainframe factions ... and the work was transferred (quickly announced as supercomputer for numerical intensive market only) and we were told we couldn't work on anything with more than four processors.

Earlier I had a skunk works effort with the CIO at se bell ... which was (also) counter to various interests in IBM. To get around the internal politics, the development work would be done at pnw bell and funded by se bell and I would announce & support it as a product. The justification for se bell was that they would recoup the funding within the first year because of the benefits of the new product. The internal politics that finally torpedoed the effort was more innovative than my efforts to get around them.

The industrial espionage (& other activities) by PRC dates back quite a while ... I'm surprised that it doesn't get more publicity ... it may be somewhat like large fraud exploits at financial institutions ... they find publicity just too embarrassing. Boyd had a story along this line that after the Spinney Time article ... the Pentagon created a new document classification "no-spin" (i.e. unclassified but not to be given to Spinney).

--
virtualization experience starting Jan1968, online at home since Mar1970

ZeuS attacks mobiles in bank SMS bypass scam

From: lynn@garlic.com (Lynn Wheeler)
Date: 24 Oct, 2010
Subject: ZeuS attacks mobiles in bank SMS bypass scam
Blog: Financial Crime Risk, Fraud and Security
re:
http://www.garlic.com/~lynn/2010n.html#47 ZeuS attacks mobiles in bank SMS bypass scam
http://www.garlic.com/~lynn/2010n.html#49 ZeuS attacks mobiles in bank SMS bypass scam
http://www.garlic.com/~lynn/2010n.html#77 ZeuS attacks mobiles in bank SMS bypass scam
http://www.garlic.com/~lynn/2010o.html#1 ZeuS attacks mobiles in bank SMS bypass scam

One in Five Compromised Machines Had a Zeus Variant
http://www.spamfighter.com/News-15251-One-in-Five-Compromised-Machines-Had-a-Zeus-Variant.htm

above references

Microsoft Targets Zeus
http://www.govinfosecurity.com/articles.php?art_id=3018

...

Zeus dropper causes computers to be re-infected ... Warnings have been made about a new plug-in for the Zeus Trojan that allows PCs to be constantly re-infected with fresh malware.
http://www.scmagazineuk.com/zeus-dropper-causes-computers-to-be-re-infected/article/181474/

the remarkable ease with which end-points are compromised (and lack of effective countermeasures) was well studied in the 90s and led to the EU FINREAD standard ... basically moved the end-point for (at least financial) operations out into a hardened end-point with its own unspoofable display and pin-entry.

Multi-factor authentication is assumed to be more secure if the different factors have independent vulnerabilities/compromises. For instance PINs (something you know authentication) were assumed to be a countermeasure to a lost/stolen card (something you have authentication). However, increasing end-point compromise sophistication has resulted in PINs and magstripe being skimmed at the same time (common vulnerability), which produces an easily counterfeited card along with the PIN.

misc. past posts mentioning 3-factor authentication paradigm
http://www.garlic.com/~lynn/subintegrity.html#3factor

--
virtualization experience starting Jan1968, online at home since Mar1970

Electronic Theft Costs Businesses More Than Physical Theft

From: lynn@garlic.com (Lynn Wheeler)
Date: 24 Oct, 2010
Subject: Electronic Theft Costs Businesses More Than Physical Theft
Blog: Information Security
re:
http://www.garlic.com/~lynn/2010o.html#14 Electronic Theft Costs Businesses More Than Physical Theft

part of the issue is that cyber/electronic crime isn't just limited to the internet ... there have been various kinds of electronic financial exploits dating back decades ... involving large financial institutions that are extremely publicity averse.

I've periodically mentioned this came up in the financial industry PD63 meetings
https://en.wikipedia.org/wiki/Critical_infrastructure_protection

like when it was considering collecting such information in ISAC (one big issue was whether or not ISACs would be subject to FOIA):
http://www.fsisac.com/

for other drift on publicity ... some recent (archived) discussions about the purpose of the (originally Cal. state) data breach notification legislation
http://www.garlic.com/~lynn/2010n.html#44
http://www.garlic.com/~lynn/2010n.html#46
http://www.garlic.com/~lynn/2010n.html#49
http://www.garlic.com/~lynn/2010n.html#52
http://www.garlic.com/~lynn/2010n.html#56
http://www.garlic.com/~lynn/2010o.html#8
http://www.garlic.com/~lynn/2010o.html#9

--
virtualization experience starting Jan1968, online at home since Mar1970

Virtualization: Making Seductive Promises a Reality

From: lynn@garlic.com (Lynn Wheeler)
Date: 24 Oct, 2010
Subject: Virtualization: Making Seductive Promises a Reality
Blog: Information Security
reference from long ago and far away
http://web.archive.org/web/20090117083033/http://www.nsa.gov/research/selinux/list-archive/0409/8362.shtml

I was an undergraduate in the 60s doing a lot of virtualization work that the vendor was shipping in product ... the vendor would even periodically ask for things to be done. I didn't learn about the referenced customers until much later ... but in retrospect ... some of the vendor requests could have originated from those customers.

Besides (virtualization) compartmentalization and isolation aiding security ... it is possible to use virtualization for simplification (i.e. a lot of failure modes are because of overly complex operating environment). The current genre of references to such stuff is virtual appliances (with vmware and others touting the demise of the traditional operating systems with their large, complex, easily compromised environment).

this can be KISS against some (security) companies figuring that they can charge proportional to complexity ... with exploits proportional to complexity ... they may figure the combination will provide long term revenue stream.

--
virtualization experience starting Jan1968, online at home since Mar1970

Electronic Theft Costs Businesses More Than Physical Theft

From: lynn@garlic.com (Lynn Wheeler)
Date: 25 Oct, 2010
Subject: Electronic Theft Costs Businesses More Than Physical Theft
Blog: Information Security Network
re:
http://www.garlic.com/~lynn/2010o.html#18 Electronic Theft Costs Businesses More Than Physical Theft

for the fun of it ... a financial industry FOIA issue from today

Treasury Shields Citigroup as Deletions Undercut Disclosure
http://www.bloomberg.com/news/2010-10-25/u-s-treasury-shielding-of-citigroup-with-deletions-make-foia-meaningless.html

discussion of the presentation from nov2005 (also mentions the ISAC issue with FOIA):
http://www.garlic.com/~lynn/2009i.html#47 Cyber crime 'more profitable than drugs'

misc. other past posts cyber crime exceeding drug crime
http://www.garlic.com/~lynn/2007n.html#72 Poll: oldest computer thing you still use
http://www.garlic.com/~lynn/2008q.html#25 Cybercrime Could Be As Destructive As Credit Crisis
http://www.garlic.com/~lynn/2009b.html#44 Cybercrime cost $1 trillion last year, study
http://www.garlic.com/~lynn/2009e.html#38 Cybercrime running into trillions, experts claim
http://www.garlic.com/~lynn/2009i.html#56 Credit cards
http://www.garlic.com/~lynn/2009i.html#58 Credit cards

misc. other past posts mentioning FOIA issues:
http://www.garlic.com/~lynn/2000f.html#45 Al Gore and the Internet (Part 2 of 2)
http://www.garlic.com/~lynn/2009f.html#48 Bankers as Partners In Crime Stopping
http://www.garlic.com/~lynn/2009n.html#11 Banks should share cyber crime information
http://www.garlic.com/~lynn/2010j.html#19 Personal use z/OS machines was Re: Multiprise 3k for personal Use?
http://www.garlic.com/~lynn/2010n.html#76 Mainframe hacking?

--
virtualization experience starting Jan1968, online at home since Mar1970

Compressing the OODA-Loop - Removing the D (and maybe even an O)

From: lynn@garlic.com (Lynn Wheeler)
Date: 25 Oct, 2010
Subject: Compressing the OODA-Loop - Removing the D (and maybe even an O)
Blog: Boyd's Strategy
I think Boyd's scenario was that D might be compressed with experience/practice (resembling instinctive) ... as opposed to eliminated (in fact, that can be applied to all aspects of the OODA-loop).

in myers-briggs ... a large percentage of the population have a preference for stimulus-response ... aka taught/learned behavior ... and a very small percentage of the population have a preference for constantly trying to figure out the response. In a relatively static environment ... learned behavior can dominate because it is wasted energy constantly trying to figure out (repeatedly, what has possibly been established for centuries) the appropriate response. However, things are reversed in a rapidly changing environment ... since the stimulus-response population have no taught/learned behavior to use ... and it is beneficial to have at least some members of the population that try to figure out the appropriate response (for something totally different). In that sense, OODA-loop would tend to be much closer to myers-briggs NTs ... but as pointed out in this article, MBTI has low correlation for other than E-I.
https://en.wikipedia.org/wiki/Myers-Briggs_Type_Indicator

the other approach to rapidly changing environment is large amounts of trial&error (to establish viable learned response(s)).

... in much the same way animals can adapt to ecological niche ... collections of people can adopt behavior to particular niches (codified as cultural responses) ... this has analogy to the observation noted about corporations .... companies won't die because of their false actions. they die because of the continuing of the same actions for too long (which once were right)

one of the postmortems of the S&L crisis had an analogy ... that in rigid regulated environment, natural selection wasn't for innovative practices ... but people that would follow the letter of the regulations ... and such personalities tended to rise to institution president. then, when the regulations were relaxed ... they were at a loss for what to do ... and became easy prey for investment banker predators from wall street (there were also various derogatory references to what S&L presidents might otherwise be qualified for).

subsequent references are that some of the same predators played major roles in the internet IPO bubble and the most recent financial mess.

--
virtualization experience starting Jan1968, online at home since Mar1970

60 Minutes News Report:Unemployed for over 99 weeks!

From: lynn@garlic.com (Lynn Wheeler)
Date: 27 Oct, 2010
Subject: 60 Minutes News Report:Unemployed for over 99 weeks!
Blog: Payment Systems Network
The other reason that auto quota went on was to reduce competition and give the US auto industry breathing space with much higher profits to remake themselves. There was then an article in wash post in the early 80s calling for 100% unearned profit tax on the US auto industry (since they continued with business as usual). In the early 90s (a decade later), the auto industry had C4 task force (nearly 20 yrs ago) that brought in several reps from high tech companies ... looking at completely remaking themselves. During the meetings they presented all the reasons why they weren't competitive with foreign makers and what needed to be changed (as it turned out all the primary stakeholders had enormous vested interest in maintaining the status quo).

About the same time as the C4 meetings, Dept. of Commerce was holding meetings on HDTV ... it seemed basically about keeping the standard in flux, trying to give US hitech some competitive edge. This was before the internet bubble ... and at the time it was felt whichever country(s) became the major player(s) in digital TV, that would enable them to dominate the rest of hitech. Then the internet bubble happened ... which temporarily put off the problem. During the internet bubble there was some study that estimated over half of the skill/staff (making the internet bubble possible) was foreign born and it would only take slight declines in the US economy and/or improvement in their native economies ... things would then reach a tipping point, resulting in hitech migrating out of the US.

There are reports that during the financial mess bubble: 1) financial services industry tripled (as percent of GDP), 2) wall street bonuses spiked by over 400% (from NYS tax report summaries) and 3) there was aggregate of $27T in toxic CDO transactions (i.e. securitized loans and mortgages). The fees and commissions on #3 easily accounts for #1 & #2. One of the issues since the bubble burst is concerted effort to maintain #1 & #2 at peak bubble levels.
Evil Wall Street Exports Boomed With 'Fools' Born to Buy Debt
http://www.bloomberg.com/apps/news?pid=newsarchive&refer=home&sid=a0jln3.CSS6c

Independent of the expansive use of toxic CDOs so a large number of parties could skim pieces ... there is the report that the ratio of executive compensation to employee compensation had exploded to 400:1 after having been 20:1 for a long time and 10:1 in much of the rest of the world.

GAO started doing a number of reports on the increasing problem with fraud and/or errors in financial filings of public companies... apparently because SEC didn't appear to be doing anything, even after sarbanes-oxley. Apparently executive bonuses got a big spike based on the filings ... and even if the filings were later corrected ... there wasn't a corresponding adjustment in the bonuses. So question about SOX: 1) had no effect on fraudulent filings, 2) motivated the increase in fraudulent filings, 3) if it hadn't been for SOX, all financial filings would be fraudulent.

--
virtualization experience starting Jan1968, online at home since Mar1970

Spooky Myths that Trick Merchants When It Comes to Secure Payments Processes

From: lynn@garlic.com (Lynn Wheeler)
Date: 28 Oct, 2010
Subject: Spooky Myths that Trick Merchants When It Comes to Secure Payments Processes
Blog: Payment Systems Network
There was a rather large pilot deployment in the US in the early part of the century ... it was in the period of the yes card exploit ... dating back to the end of the last century. There was a presentation on counterfeit yes cards "being trivial" at Cartes2002 ... there were also presentations at the ATM task force meetings (somebody in the audience making the comment that billions were spent to prove that chips are less secure than magstripe). In the wake of that ... all evidence of the pilot appeared to evaporate w/o a trace.
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

From yesterday there is "Chip-and-PIN crack code released as open source" ... note that recent linkedin behavior appears to nearly strip everything in a comment that contains a URL ... so any followup URL references required a new discussion per URL.
http://www.zdnet.co.uk/news/security/2010/10/25/chip-and-pin-crack-code-released-as-open-source-40090637/?s_cid=938

In any case, since that pilot ... there have been numerous comments that deployments in the US are inhibited by the large projected costs. It may not be the prospect of the cost of a single deployment ... but possibly the requirement for large number of deployments.

We had been called in to consult with a small client/server startup that wanted to do payment transactions on their server; the startup had also invented this technology called SSL they wanted to use ... the result is now sometimes called "electronic commerce". Part of that effort was requirements for various things about SSL deployment ... which were also immediately violated. As a result, I coined the references about it being "merchant comfort" (as opposed to "merchant security").
http://www.garlic.com/~lynn/subpubkey.html#sslcert

Somewhat as a result of the above, in the mid-90s we were asked to participate in the x9a10 financial standard working group which had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments (aka credit, debit, stored value, ACH, POS, face-to-face, unattended, high-value, low-value, internet, contact, contactless, wireless, transit turnstile, etc ... i.e. ALL). The effort required detailed, end-to-end threat and vulnerability analysis of the different environments which resulted in the x9.59 financial transaction standard. The X9.59 standard did nothing about leakage of cardholder data ... x9.59 just eliminated crooks being able to use any leaked data (skimming, data breaches, eavesdropping, etc) for fraudulent financial transactions.
http://www.garlic.com/~lynn/x959.html#x959

Now the major use of SSL in the world today is this earlier thing we worked on called "electronic commerce" ... for hiding transaction/cardholder detail ... x9.59 eliminates the need to hide such information and therefore eliminates the major use of SSL in the world.

--
virtualization experience starting Jan1968, online at home since Mar1970

What Is MERS and What Role Does It Have in the Foreclosure Mess?

From: lynn@garlic.com (Lynn Wheeler)
Date: 29 Oct, 2010
Subject: What Is MERS and What Role Does It Have in the Foreclosure Mess?
Blog: Financial Crime Risk, Fraud and Security
It seemed to be major part of the whole mortgage securitization

toxic CDOs had been used in the S&L crisis to obfuscate underlying value ... but the market was limited. In the most recent round, unregulated loan originators found they could pay rating agencies for triple-A ratings (even when both knew they weren't worth a triple-A rating, from fall2008 congressional hearings). This effectively created an unlimited source of funds for such institutions and eliminated any reason to care about loan quality or borrower qualification (since everything was immediately sold off at a premium price as triple-A rated toxic CDOs). No-documentation, no-down, 1% interest-only payment ARMs became extremely attractive to speculators (possibly 2000% ROI in parts of the country with 20% real estate inflation ... with the speculation further fueling inflation).

Individual compensation related to toxic CDOs transactions (some estimates that there was aggregate of $27T in such transactions during the bubble) were so huge ... that it eliminated any possible concern about consequences to the institution, economy and/or country. I heard there was even humorous musical chairs references on wall street... wondering who would be left holding toxic CDOs when the music stopped (bubble burst) ...
Evil Wall Street Exports Boomed With 'Fools' Born to Buy Debt
http://www.bloomberg.com/apps/news?pid=newsarchive&refer=home&sid=a0jln3.CSS6c

One of the articles mention that when the credit agencies started accepting money to give triple-A ratings to toxic CDOs ... they specified that the holder of the title needed to be completely separate from the owners of the toxic CDOs (aka claiming that it was set up to comply with some condition for getting the triple-A rating ... separate from the other reasons given for setting it up).

(triple-A rated) toxic CDOs were no little thing ...

There are reports that during the financial mess bubble: 1) financial services industry tripled (as percent of GDP), 2) wall street bonuses spiked by over 400% (from NYS tax report summaries) and 3) there was aggregate of $27T in toxic CDO transactions (i.e. securitized loans and mortgages). The fees and commissions on #3 easily accounts for #1 & #2.

One of the issues since the bubble burst is concerted effort to maintain #1 & #2 at peak bubble levels. Also, there were comments about #1 ... about it not only didn't provide any positive benefit to the economy and the country ... it had the opposite effect.

--
virtualization experience starting Jan1968, online at home since Mar1970

bell labs unix publication

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: bell labs unix publication
Newsgroups: alt.folklore.computers
Date: Fri, 29 Oct 2010 19:20:27 -0400
this just showed up on a mailing list
http://bstj.bell-labs.com/

so for those of you that might not have an original copy
http://bstj.bell-labs.com/oldfiles/year.1978/BSTJ.1978.5706-2.html

--
virtualization experience starting Jan1968, online at home since Mar1970

Global Sourcing with Cloud Computing and Virtualization

From: lynn@garlic.com (Lynn Wheeler)
Date: 30 Oct, 2010
Subject: Global Sourcing with Cloud Computing and Virtualization
Blog: Cloud Computing, Virtualization & Global Sourcing
Cloud computing is very similar to the (virtual machine based) online time-sharing services of the 60s & 70s ... which were obsoleted with the shift to (dedicated) personal computers in the 80s. There were loads of internal offerings ... like
http://web.archive.org/web/20090117083033/http://www.nsa.gov/research/selinux/list-archive/0409/8362.shtml

the first two (external) commercial time-sharing services were IDC and NCSS ... then there was TYMSHARE ... and when boeing re-org'ed a lot of its data processing into BCS ... BCS also started offering virtual machine based online time-sharing services.

The original relational/sql implementation was all done on an (internal) virtual machine base.
http://www.garlic.com/~lynn/submain.html#systemr

early 4GL was NOMAD done by NCSS
https://en.wikipedia.org/wiki/Nomad_software
https://en.wikipedia.org/wiki/National_CSS

precursor to nomad at ncss was RAMIS
https://en.wikipedia.org/wiki/Ramis_software

On RDBMS scaling topic drift ... old thread from last year titled "Annals of Release No Software Before Its Time" ... nearly 20 year gap
http://www.garlic.com/~lynn/2009p.html#43 From The Annals of Release No Software Before Its Time
http://www.garlic.com/~lynn/2009p.html#46 From The Annals of Release No Software Before Its Time

and misc. posts on original sql/relational implementation (System/R) done in bldg. 28 (70s) on virtual machine platform
http://www.garlic.com/~lynn/submain.html#systemr

--
virtualization experience starting Jan1968, online at home since Mar1970

60 Minutes News Report:Unemployed for over 99 weeks!

From: lynn@garlic.com (Lynn Wheeler)
Date: 31 Oct, 2010
Subject: 60 Minutes News Report:Unemployed for over 99 weeks!
Blog: Payment Systems Network
re:
http://www.garlic.com/~lynn/2010o.html#22 60 Minutes News Report:Unemployed for over 99 weeks!

Just now on sunday talk/news show ... mentions that US now ranks 52nd in quality of science and math education. It went on to say that new (hi-tech) industry will be knowledge based ... and there isn't the skills in the country to support such hi-tech (high earning for workers) industry. This mantra has been repeated frequently for at least 20yrs (including observations from the 90s about near tipping point for hitech migrating out of the country).

--
virtualization experience starting Jan1968, online at home since Mar1970

Survey Outlines Compliance Challenge Among Small Merchants

From: lynn@garlic.com (Lynn Wheeler)
Date: 02 Nov, 2010
Subject: Survey Outlines Compliance Challenge Among Small Merchants
Blog: Financial Crime Risk, Fraud and Security
Survey Outlines Compliance Challenge Among Small Merchants
http://www.digitaltransactions.net/newsstory.cfm?newsid=2683

from above:
The risk these merchants face can be dire, with the costs of a breach including not just network fines but reimbursement to issuers to reissue cards, litigation expenses, and fees for forensic audits

... snip ...

aka ... security proportional to risk; value of card/account data to merchant is the profit from the transaction, possibly a few dollars (for the processor possibly a few cents) ... while the value of the same data to the crook is the credit-limit/account-balance. As a result ... a crook may be able to afford to outspend merchant (or processor) by a factor of 100 times or more

--
virtualization experience starting Jan1968, online at home since Mar1970

Linux 2.6.37 kills the Big Kernel Lock

From: lynn@garlic.com (Lynn Wheeler)
Date: 03 Nov, 2010
Subject: Linux 2.6.37 kills the Big Kernel Lock
Blog: Vintage Computing & Computers
Linux 2.6.37 kills the Big Kernel Lock
http://blog.internetnews.com/skerner/2010/11/linux-2637-kills-the-big-kerne.html

from above:
The part that I think deserves some extra mention is that we've finally largely gotten rid of the BKL (big kernel lock) in all the core stuff

... snip ...

BKL was commonplace in the 60s & 70s. When Charlie was doing work on fine-grain multiprocessor locking on (virtual machine) cp67 in the 60s, he invented the compare&swap instruction (actually name was chosen since CAS are Charlie's initials)

Trying to get compare&swap added to 370 met with lots of resistance ... favorite son operating system claiming that test&set (from 360) was more than sufficient (effectively for BKL). Challenge to get compare&swap to 370 was to come up with uses that were not (kernel) multiprocessor specific ... thus were more the multiprogramming/multithreaded uses ... description/examples still included in present day principles of operation

rdlk from Burroughs large systems
https://en.wikipedia.org/wiki/Burroughs_large_systems
The Architecture of the Burroughs B5000 -20 Years Later and Still Ahead of the Times?
http://www.ajwm.net/amayer/papers/B5000.html

implies read-lock ... does atomic fetch of previous value from location and then stores new value (with no other operation) ... aka an atomic swap/replace operation (but not an atomic compare and conditional replace)

compare&swap was different kind of atomic operation. Typically, a non-atomic fetch of a value occurred ... that value could be updated (like increment/decrement of counter) or replaced with new value (like push/pop of LIFO list). The atomic compare&swap would fetch the current value, compare current with "old" value (in register) and IFF the value hadn't changed (still equal), would replace it with new value. If compare failed, typically it would loop back to start of sequence to refetch the location and repeat the operation. compare&swap could be used for things like push/pop of LIFO list w/o actually requiring locking semantics.

compare&swap could (also) be used to simulate test&set locking convention by just using a zero value in register for compare and non-zero register value for replace.

Large multithreaded DBMS implementations started using compare&swap in the 80s (whether running on multiprocessor or not) because interruptable, user space code could do a lot of multithreaded operations w/o requiring locking semantics (&/or invoking disabled kernel operation). Several other platforms started implementing instructions with similar semantics to support large multithreaded operation.

--
virtualization experience starting Jan1968, online at home since Mar1970

Linux 2.6.37 kills the Big Kernel Lock

From: lynn@garlic.com (Lynn Wheeler)
Date: 04 Nov, 2010
Subject: Linux 2.6.37 kills the Big Kernel Lock
Blog: Vintage Computing & Computers
re:
http://www.garlic.com/~lynn/2010o.html#29 Linux 2.6.37 kills the Big Kernel Lock

the advantage of compare&swap was not only could it be used for semaphores ... but it could be used for a variety of atomic operations w/o requiring any sort of semaphore. in fact, that was the examples that got it justified for 370 ... since the claim was that test&set was sufficient for semaphore.

recent principles of operation section for multiprogramming and multiprocessing examples ... the first five from the original 370 (PLO is more recent instruction).
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/dz9zr003/A.6?DT=20040504121320

including "bypassing post & wait" and "free-pool manipulation" ... aka being able to perform various operations atomically w/o requiring lock/semaphore semantics.

The issue for highly multithreaded interruptable user-space applications (like large DBMS) ... independent of whether in single processor or multiprocessor environment ... was in the lock/semaphore scenario ... a thread might be interrupted between setting the lock/semaphore and before it was cleared ... and other threads become blocked waiting for the thread holding the lock. compare&swap allowed a lot of operations to be performed atomically w/o lock/semaphore semantics.

lifo list "POP" example (if CS is unsuccessful, the unequal contents replaces the first

       L   R1,anchor       1st element on list
loop   L   R2,0(R1)        next element on threaded list
       CS  R1,R2,anchor    remove 1st element and replace w/2nd
       BNZ loop            retry if anchor changed

lifo list "PUSH" example

       L   R1,anchor       1st element on list
loop   ST  R1,0(R2)        chain old 1st to new 1st
       CS  R1,R2,anchor    add new to top of list
       BNZ loop            retry if anchor changed

initially (370) had two forms of compare&swap ... single word compare&swap and double-word compare&swap. The principles of operation has example of add/remove of element from a double (forward & back) threaded list.

misc. past post mentioning science center (4th flr, 545 tech sq ... i was there in the 70s and worked on cp67 w/charlie)
http://www.garlic.com/~lynn/subtopic.html#545tech

misc. past posts mentioning multiprocessor and/or compare&swap instruction
http://www.garlic.com/~lynn/subtopic.html#smp

for the fun of it ... compare&swap wiki
https://en.wikipedia.org/wiki/compare-and-swap

from above:
CAS is used to implement synchronization primitives like semaphores and mutexes, as well as more sophisticated lock-free and wait-free algorithms. Maurice Herlihy (1991) proved that CAS can implement more of these algorithms than atomic read, write, and fetch-and-add, and that, assuming a fairly large amount of memory, it can implement all of them.

... snip ...

misc other posts about original relational/sql dbms implemented on (virtual machine) vm370 (370 successor to 360 virtual machine cp67)
http://www.garlic.com/~lynn/submain.html#systemr

other cp/cms wiki
https://en.wikipedia.org/wiki/CP/CMS

CP67/cms was done at the science center (4th flr, 545 tech sq) and then also installed at lincoln labs. In jan68, 3 people came out to the univ and installed cp67/cms (for the 3rd location after cambridge and lincoln labs). I got to do a lot of work on cp67 as an undergraduate ... and then after graduation joined the science center.

--
virtualization experience starting Jan1968, online at home since Mar1970
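
The idioms described in the two compare&swap posts above, as an added illustration in C11 atomics (this is not code from the posts, the Principles of Operation or any IBM source; all names are mine and atomic_compare_exchange stands in for CS): a lock-free counter update, the LIFO push/pop from the assembler examples with an empty-list check added, and test&set simulated by comparing against zero.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Element of a singly threaded LIFO list (constructed for this example). */
struct node {
    struct node *next;
    int value;
};

/* Single-word compare&swap on a pointer. Compares *loc with *expected and,
 * IFF equal, replaces it with desired. On failure *expected is refreshed
 * with the current contents, just as CS refreshes R1, so callers can loop. */
static bool cas_ptr(struct node *_Atomic *loc, struct node **expected,
                    struct node *desired)
{
    return atomic_compare_exchange_weak(loc, expected, desired);
}

/* PUSH: chain old first to new first, then CS the anchor; retry if the
 * anchor changed underneath us. No lock is held at any point. */
void lifo_push(struct node *_Atomic *anchor, struct node *n)
{
    struct node *old = atomic_load(anchor);          /* L  R1,anchor       */
    do {
        n->next = old;                               /* ST R1,0(R2)        */
    } while (!cas_ptr(anchor, &old, n));             /* CS R1,R2,anchor    */
}                                                    /* BNZ loop           */

/* POP: remove the first element and make the second the new first.
 * Returns NULL on an empty list (the 370 example assumes non-empty).
 * Caveat: with a single-word CS, a concurrent pop/push/pop of the same
 * element can leave the anchor looking unchanged (the ABA problem); the
 * double-word CS form pairs the anchor with a change counter to catch it. */
struct node *lifo_pop(struct node *_Atomic *anchor)
{
    struct node *first = atomic_load(anchor);        /* L  R1,anchor       */
    struct node *second;
    do {
        if (first == NULL)
            return NULL;
        second = first->next;                        /* L  R2,0(R1)        */
    } while (!cas_ptr(anchor, &first, second));      /* CS R1,R2,anchor    */
    return first;                                    /* BNZ loop           */
}

/* Counter update without a lock: fetch, compute, CS, retry if changed.
 * Returns the value the counter held after this update. */
long counter_add(atomic_long *ctr, long delta)
{
    long old = atomic_load(ctr);
    while (!atomic_compare_exchange_weak(ctr, &old, old + delta))
        ;   /* old now holds the current value; recompute and retry */
    return old + delta;
}

/* test&set simulated with compare&swap: compare against 0 and replace with
 * a non-zero owner token. Returns true only if this caller took the lock. */
bool lock_try_acquire(atomic_int *lock, int owner)
{
    int expected = 0;
    return atomic_compare_exchange_strong(lock, &expected, owner);
}

void lock_release(atomic_int *lock)
{
    atomic_store(lock, 0);
}

/* Self-check on a constructed list: pushes 1,2,3 and expects pops of 3,2,1
 * then empty, then exercises the counter and the lock. Returns 0 on success. */
int cas_self_check(void)
{
    static struct node a = { NULL, 1 }, b = { NULL, 2 }, c = { NULL, 3 };
    struct node *_Atomic anchor = NULL;
    atomic_long ctr = 40;
    atomic_int lock = 0;

    lifo_push(&anchor, &a);
    lifo_push(&anchor, &b);
    lifo_push(&anchor, &c);
    if (lifo_pop(&anchor) != &c || lifo_pop(&anchor) != &b ||
        lifo_pop(&anchor) != &a || lifo_pop(&anchor) != NULL)
        return 1;
    if (counter_add(&ctr, 2) != 42 || atomic_load(&ctr) != 42)
        return 2;
    if (!lock_try_acquire(&lock, 7) || lock_try_acquire(&lock, 8))
        return 3;
    lock_release(&lock);
    if (!lock_try_acquire(&lock, 8))
        return 4;
    return 0;
}
```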

Survey Outlines Compliance Challenge Among Small Merchants

From: lynn@garlic.com (Lynn Wheeler)
Date: 05 Nov, 2010
Subject: Survey Outlines Compliance Challenge Among Small Merchants
Blog: Financial Crime Risk, Fraud and Security
Survey Outlines Compliance Challenge Among Small Merchants
http://www.digitaltransactions.net/newsstory.cfm?newsid=2683

from above:
The risk these merchants face can be dire, with the costs of a breach including not just network fines but reimbursement to issuers to reissue cards, litigation expenses, and fees for forensic audits

... snip ...

aka ... security proportional to risk; value of card/account data to merchant is the profit from the transaction (possibly a few dollars, and to the processor possibly a few cents) ... while the value of the same data to the crook is the credit-limit/account-balance. As a result ... a crook may be able to afford to outspend merchant/processor by a factor of 100 times.

part of the security proportional to risk

Verisign Offers $1 Promo For Its Trust Seals; One-day promotion offered on Nov. 3 to help SMBs promote consumer confidence in their e-commerce sites.
http://www.informationweek.com/news/software/database_apps/showArticle.jhtml?articleID=208403005

as noted, merchants need to have some minimum profit level to afford such items ... and many merchants outsource their payment processing to some 3rd party ... which have their own (/different) SSL/certificate (assuming the merchant is using SSL at all).

related blog entry: VeriSign takes the "Trust" out of "SSL certificates"
https://financialcryptography.com/mt/archives/001292.html

long ago and far away, we had been called in to consult with small client/server startup that wanted to do payment transactions on their server; the startup had also invented this technology called SSL they wanted to use; the result is now frequently called "electronic commerce". Part of the effort was doing detailed end-to-end, threat & vulnerability analysis and establishing some assumptions about how SSL was deployed and used.

This included the assumption that the end user knew the relationship between the website they thought they were talking to and the URL they entered into the browser; the browser would then use SSL to establish the relationship between the webserver actually being talked to and the URL. Both parts were necessary in order to establish that the webserver the user thought they were talking to, was actually the webserver they were talking to.

Almost immediately, the assumption was invalidated when the merchants found that SSL cut their throughput by 90-95% and they dropped back to just using SSL for checkout/paying. Now a user clicks on a button (provided by unvalidated website) for the checkout/paying (URL). In effect, SSL is then reduced to just confirming that the webserver is whatever the webserver claims to be ... aka a criminal organization obtaining a valid SSL certificate for their website (of which there are at least hundreds of thousands). This is part of what prompted me to coin the term merchant comfort certificates (to differentiate that they weren't actually providing security).

misc. past posts mentioning SSL certs
http://www.garlic.com/~lynn/subpubkey.html#sslcert

--
virtualization experience starting Jan1968, online at home since Mar1970

Compared even to the development of the phone or TV; the Web developed very quickly

From: lynn@garlic.com (Lynn Wheeler)
Date: 05 Nov, 2010
Subject: Compared even to the development of the phone or TV; the Web developed very quickly
Blog: Linkedin
NSFNET backbone was the operational precursor to modern internet ... some past email from the period
http://www.garlic.com/~lynn/lhwemail.html#nsfnet

This then is reference of how html evolved from gml/sgml ...
http://infomesh.net/html/history/early/

which was invented at the science center in 1969 ... some past posts mentioning gml/sgml
http://www.garlic.com/~lynn/submain.html#sgml

for other topic drift ... the internal network was larger than the arpanet/internet from just about the beginning until late '85 or early '86 ... misc. past posts about the internal network
http://www.garlic.com/~lynn/subnetwork.html#internalnet

--
virtualization experience starting Jan1968, online at home since Mar1970

Why are TSO IDs limited to 7 characters

From: lynn@GARLIC.COM (Anne & Lynn Wheeler)
Subject: Re: Why are TSO IDs limited to 7 characters
Newsgroups: bit.listserv.ibm-main
Date: 5 Nov 2010 15:13:57 -0700
steve@TRAINERSFRIEND.COM (Steve Comstock) writes:
No. I was working for IBM when TSO was announced. It was then, truly an Option, and supported any kind of terminal, but it took ISPF to provide the front end for full screen 3270 type interface we're used to today.

i had hacked hasp on mvt 15/16 to implement syntax of the cms editor (from scratch) and crje function ... that i thot was better than tso (when it came along) ... with both 2741 and ascii/tty terminal support. I had earlier done the ascii/tty terminal support for cp67.

Part of doing ascii/tty terminal support ... i tried to make the 2702 controller do something that it couldn't quite do ... which was part of motivation for clone controller effort at the univ (four of us got blamed for clone controller business in writeup).

much later the company declared cms as the "strategic online/conversational solution" ... which appeared to prompt the TSO product manager to ask me if i would be interested in redoing mvs scheduler (in attempt to improve TSO human factors characteristics). old email reference ...
http://www.garlic.com/~lynn/2006b.html#email800310

part of this had shown up with the introduction of 3274 controller ... the channel attached 3274 controller (for 3278) had significantly higher processing latency than the channel attached 3272 controller (for 3277) resulting in increase in response; however tso base response was already so bad ... it didn't notice the difference. some numbers from old comparison in this post
http://www.garlic.com/~lynn/2001m.html#19 3270 protocol

one of the issues was that several operations had difficulty adapting to the 23jun69 unbundling announcement and starting to charge for software ... including requirement that revenue had to be at least as much as cost/expenses. there was a little latitude being able to make the calculations at the organization level (aggregate revenue from multiple products against aggregate costs). old posts about ISPF being able to match up with another product to offset its high run rate (not being able to actually charge enuf for ISPF to offset the costs). misc. past posts on the subject
http://www.garlic.com/~lynn/2000d.html#17 Where's all the VMers?
http://www.garlic.com/~lynn/2001m.html#33 XEDIT on MVS
http://www.garlic.com/~lynn/2009s.html#46 DEC-10 SOS Editor Intra-Line Editing
http://www.garlic.com/~lynn/2010g.html#6 Call for XEDIT freaks, submit ISPF requirements
http://www.garlic.com/~lynn/2010g.html#50 Call for XEDIT freaks, submit ISPF requirements
http://www.garlic.com/~lynn/2010m.html#84 Set numbers off permanently

--
virtualization experience starting Jan1968, online at home since Mar1970

origin of 'fields'?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: origin of 'fields'?
Newsgroups: alt.folklore.computers
Date: Sat, 06 Nov 2010 10:27:57 -0400
jmfbahciv <See.above@aol.com> writes:
Which are consistent. It's the humans who drive me crazy because they aren't.

long ago and far away .... univ. ran a business application from the administration dept ... every business day. the application had started on 407 ... been converted to 709 cobol program (that simulated the 407 plug-board application) and then to 360 cobol ... still printed out the 407 sense indicators at the end of the run. one day the sense indicators changed ... and they stopped all data processing and tried to find somebody that might know what it meant. after an hour or so (not being able to find anybody that knew what it meant) ... they finally decided to run it again and see if the results were the same.

--
virtualization experience starting Jan1968, online at home since Mar1970

Tivoli Storage Manager for z/OS (Functionally Stablized & Impending Demise)

From: lynn@GARLIC.COM (Anne & Lynn Wheeler)
Subject: Re: Tivoli Storage Manager for z/OS (Functionally Stablized & Impending Demise)
Newsgroups: bit.listserv.ibm-main
Date: 6 Nov 2010 07:46:59 -0700
edjaffe@PHOENIXSOFTWARE.COM (Edward Jaffe) writes:
I guess we're one of the other four. TSM for z/OS works great for us. It's hooked into our mainframe-based "cron" facilities, uses large DASD EAVs, uses the same tapes and drives that HSM uses--which get moved by RMM to the same off-site locations, etc. I really don't want to try to come up with an alternate PC and zFS file backup strategy...

... random trivia ... started as cmsback that I implemented in the late 70s for internal use. cmsback went thru several internal releases before morphing into workstation datasave for product release. It then morphed into ADSM ... adstar storage manager ... in the period of the early 90s when the disk division was renamed (adstar) as part of anticipation of being spun off as independent business. That decision was reversed after new management was brought in (after the company had gone into the red). However, later the disk business unit was sold off ... and ADSM morphed into TSM

tsm wiki page
https://en.wikipedia.org/wiki/IBM_Tivoli_Storage_Manager

tivoli bought by ibm in 4mar1996
https://en.wikipedia.org/wiki/Tivoli_Software

old cmsback related email
http://www.garlic.com/~lynn/lhwemail.html#cmsback

one of the early cmsback adopters was HONE ... one of my favorite and long-term internal customers for my highly enhanced operating systems.
http://www.garlic.com/~lynn/subtopic.html#hone

somewhat truncated ibm version:
http://ibm-vbc.centers.ihost.com/sme/tpearson/blogpost/66/2010/10/ibm-storwize-product-name-decoder-ring

--
virtualization experience starting Jan1968, online at home since Mar1970

Cookies Are Dead in the Fight Against Fraud

From: lynn@garlic.com (Lynn Wheeler)
Date: 06 Nov, 2010
Subject: Cookies Are Dead in the Fight Against Fraud
Blog: Financial Crime Risk, Fraud and Security
lcamtuf's blog: HTTP cookies, or how not to design protocols
http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html

from earlier this week ... akin to recent reference to security proportional to risk and coining the term merchant comfort certificates ... because security requirements for deployment and use of SSL were almost immediately violated (in "Survey Outlines Compliance Challenge Among Small Merchants" discussion)
http://www.garlic.com/~lynn/2010o.html#28 Survey Outlines Compliance Challenge Among Small Merchants
http://www.garlic.com/~lynn/2010o.html#31 Survey Outlines Compliance Challenge Among Small Merchants

aka ... lots of low hanging fruit is being left around for the crooks ... almost as if there was plot by experts for job security .... one of the x-over references from other discussion in this group (on the theme of security proportional to risk & long ago and far away having coined the term "merchant comfort certificates") misc. past posts on ssl certificate
http://www.garlic.com/~lynn/subpubkey.html#sslcerts

VeriSign takes the "Trust" out of "SSL certificates"
http://financialcryptography.com/mt/archives/001292.html

Some of the problem has been confusing identification and authentication. Somewhat as a result of having worked on what is now commonly called "electronic commerce" (with small client/server startup that had invented SSL), in the mid-90s we were invited to participate in the x9a10 financial standard working group which had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments. The result was x9.59 financial transaction standard which required strong authentication for the transaction (between the individual and the individual's financial institution). x9.59 was agnostic on the question of identification ... although many financial institutions are under mandates regarding "know your customer" when accounts are being opened.
http://www.garlic.com/~lynn/x959.html#x959

Part of x9.59 also eliminated the current retail payment skimming, eavesdropping, data breach, etc exploits ... aka it did nothing regarding hiding the information in transactions ... it just eliminated the usefulness of the information to crooks for performing fraudulent transactions. Since the major use of SSL in the world today is hiding transaction details (as countermeasure to crooks using the information for fraudulent transactions) and x9.59 eliminated the need to hide such information, it also eliminated the major use of SSL in the world today.

There has been some analysis in the past that vastly improved transaction security (like x9.59) would eliminate that low-hanging fruit (sending the crooks elsewhere). Also, a side-effect of vastly improved security would go a long way to commoditizing retail payments and such commoditizing could have enormous impact on the bottom line of many financial institutions (has run 40-60% of the bottom line for some large US financial institutions).

Eliminating such low-hanging fruit is likely to drive crooks to other vulnerabilities ... like (from "account fraud" aka fraudulent transactions against existing accounts to) "new account fraud". One of the issues in retail payment "account fraud" ... financial institutions have been able to charge off the costs against retailers (even making a profit) ... while "new account fraud" ... involving opening new accounts ... is purely a financial institution operation (including involving things like "know your customer" mandates). Some of the "new account" fraud cost gets borne by the "identity theft" victims ... however there are some numbers that 1/3rd (and growing) of such activity involve "synthetic IDs" (where there is no corresponding real person).

I've used "bank vault door" as metaphor for lots of this stuff ... except installed in open field with no walls, floors, ceilings .... the crooks just walk around the door. The other metaphor is "emperor's new clothes" ... despite all the claims ... the crooks know that it doesn't exist.

--
virtualization experience starting Jan1968, online at home since Mar1970

WHAT, WHY AND HOW - FRAUD, IMPACT OF AUDIT

From: lynn@garlic.com (Lynn Wheeler)
Date: 06 Nov, 2010
Subject: WHAT, WHY AND HOW - FRAUD, IMPACT OF AUDIT
Blog: Financial Crime Risk, Fraud and Security
As has been shown there has been a remarkable lack of adult supervision of wall street, financial institutions and public companies during the first part of this century. ENRON did result in SOX ... the audits were supposed to prevent such things from happening again. However, (possibly because it appeared that SEC was doing little or nothing ... also showed up in the Madoff hearings), GAO started doing reports of increase in financial filings by public companies that were fraudulent and/or had accounting errors. One explanation was that the fraudulent financial filings increased executive bonuses and even if the filings were later corrected, the bonuses weren't adjusted. Then, did 1) SOX audits have no effect on fraudulent financial filings, 2) SOX audits motivate increase in fraudulent financial filings, or 3) if it weren't for SOX audits, would all public company financial filings be fraudulent?

In the Madoff hearings, the person that had tried for a decade to get the SEC to do something about Madoff, testified that tips turn up 13 times more fraud than audits (and that SEC didn't have a tip hotline, but had a 1-800 number for companies to complain about audits).

What came out in both the fall2008 credit agency hearings and the Madoff hearings was that "aligning the business processes" ... so individuals are motivated to do the right thing ... is much more effective than regulations (and fraud discovery); when the business processes are "mis-aligned" (and people are motivated to do the wrong thing), then regulations are significantly more difficult. In the credit agency hearings, having the sellers pay for the ratings ... and in the case of toxic CDOs, the credit agencies were being paid for triple-A ratings when both the sellers and the rating agencies knew they weren't worth triple-A.

Medicare/Medicaid is trying to grapple with some of this, fraud discovery, prosecution and financial recovery is extremely difficult and expensive ... as a result there has been some focus on developing business processes that go a long ways towards precluding a lot of the fraud from happening (in-addition to trying to catch it after the fact).

There was economic conference where it mentioned congress as the most corrupt institution on earth. Sarbanes-Oxley was billed as eliminating lots of the problems ... but it seemed unable to turn the tide. SOX even included requirement that SEC look at the rating agencies (which played a critical pivotal role in the recent financial mess) ... in addition to everything else that was in the legislation. A few corrupt executives are likely to set the tone for compromising as many others as possible ... in support of their position. There is the joke about the only persons that should be considered for executive positions are the ones that don't want it ... since so many of the ones that want such positions are in it for the greed and corruption.

--
virtualization experience starting Jan1968, online at home since Mar1970

Google scares Aussie banks

From: lynn@garlic.com (Lynn Wheeler)
Date: 08 Nov, 2010
Subject: Google scares Aussie banks
Blog: Linkedin
Google scares Aussie banks
http://www.zdnet.com.au/google-scares-aussie-banks-339307074.htm

from above:
Google could be the biggest threat to the big four banks because of the trust online users place in it and its ability to engage with customers, according to banking executives.

... snip ...

In the US, something similar happened in the late 90s and fear that WalMart and Microsoft would become banks. GLBA (besides repealing Glass-Steagall) supposedly addressed the issue, rhetoric on the floor of congress was that the main purpose of GLBA was that if you were already a bank, you got to remain a bank and if you weren't already a bank, you didn't get to become a bank. This reared its head a few years later when it looked like Walmart was going to purchase an (existing) ILC. I don't know how such GLBA provisions fit when recently the Federal Reserve gave some large (non-bank) wall street firms (new) bank charters (and access to federal reserve bail-out assistance).

Note that Walmart's publicity about the purchase of ILC was purely to become its own acquirer. Walmart supposedly does something like 25-30 percent of all retail transactions in the US (and corresponding percent of electronic payment transactions). Becoming its own acquiring bank would have significantly affected the revenue of a few large merchant banks. The publicity against the ILC purchase was by community banks that somehow the Walmart purchase would affect their issuing revenue (aka there wouldn't be a lot of public support for the few large merchant banks so it was translated into threat to all the community banks).

some x-over
http://www.garlic.com/~lynn/2010o.html#36 Cookies Are Dead in the Fight Against Fraud

past reference to walmart and ILC
http://www.garlic.com/~lynn/2007i.html#42 John W. Backus, 82, Fortran developer, dies
http://www.garlic.com/~lynn/2007i.html#47 John W. Backus, 82, Fortran developer, dies
http://www.garlic.com/~lynn/2008c.html#7 Toyota Sales for 2007 May Surpass GM
http://www.garlic.com/~lynn/2008c.html#11 Toyota Sales for 2007 May Surpass GM
http://www.garlic.com/~lynn/2008c.html#12 Toyota Sales for 2007 May Surpass GM
http://www.garlic.com/~lynn/2009h.html#19 Does anyone know of merchants who have successfully bypassed interchange costs
http://www.garlic.com/~lynn/2009i.html#77 Financial Regulatory Reform - elimination of loophole allowing special purpose institutions outside Bank Holding Company (BHC) oversigh
http://www.garlic.com/~lynn/2009j.html#1 Is it possible to have an alternative payment system without riding on the Card Network platforms?
http://www.garlic.com/~lynn/2010.html#70 Post Office bank account 'could help 1m poor'
http://www.garlic.com/~lynn/2010h.html#32 In the News: SEC storms the 'Castle'
http://www.garlic.com/~lynn/2010i.html#62 blasts from the past -- old predictions come true
http://www.garlic.com/~lynn/2010i.html#63 Wal-Mart to support smartcard payments
http://www.garlic.com/~lynn/2010j.html#28 The Durbin Amendment Ignites a Lobbying Frenzy on Capitol Hill

--
virtualization experience starting Jan1968, online at home since Mar1970

Compressing the OODA-Loop - Removing the D (and maybe even an O)

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: lynn@garlic.com (Lynn Wheeler)
Date: 08 Nov, 2010
Subject: Compressing the OODA-Loop - Removing the D (and maybe even an O)
Blog: Boyd's Strategy
re:
http://www.garlic.com/~lynn/2010o.html#21 Compressing the OODA-Loop - Removing the D (and maybe even an O)

news item

Force of habit; New study shows that costs and rewards of behavior help the brain form optimal habits.
http://web.mit.edu/newsoffice/2010/habits-1026.html

similar, but different to the article about bees

Tiny brained bees solve a complex mathematical problem
http://www.sciencedaily.com/releases/2010/10/101025090020.htm

Alone, one-on-one with Boyd ... he could play what seemed to be a conversational game ... interleaving two different threads in the conversation ... so there was added task of figuring out which thread his most recent comment was about ... and formulating the appropriate response. Every interaction was an OODA-loop (since there was added orientation requirement placing comment in correct thread).

In another thread, I commented that in the early 90s I had gotten involved in applying some knowledge base technology to NLM's UMLS (how do you think about medical knowledge). Since then, taxonomies have somewhat become a hobby of mine (trying to structure how to think about topic) ... if you do search engine on "security taxonomy glossary" ... the first page tends to be my page and/or other pages that refer to my page (security tends to get hits from all over the world ... including quite a few that appear to be gov. &/or military related).

another take on stimulus-response

Frontal Lobe of the Brain Is Key to Automatic Responses to Various Stimuli, Say Scientists
http://www.sciencedaily.com/releases/2010/10/101020131714.htm

and one for observe (attention)

How Brain is Wired for Attention
http://www.sciencedaily.com/releases/2010/11/101101151724.htm

I've been using cognitive dissonance for several years to describe why we currently have so much payment transaction fraud ... both on the internet as well as at POS and ATM machines. For decades, retailers have been conditioned that their "interchange fees" (deducted from what banks actually give merchants on credit & debit transactions) increase as fraud increases. In the early part of this century, there were several secure/safe payment products floated for POS & internet that would have drastically reduced fraud. These products initially found high approval/acceptance among the major retailers. Then they were informed that the interchange fees for these products would actually be a surcharge on top of the current highest interchange fees (basically reversing decades of conditioning that interchange fees would go up/down proportional to fraud). As a result, none of these products actually made it past the pilot phase.

one of my favorite/frequent metaphors I've used the past couple years is that the lack of adult supervision for wall street, financial institutions and public companies for much of this century is a major factor in the current mess.

Another tangent/facet has been some studies that show people tend to be constrained in interpreting (aka "Orient") their environment by their native language. This complements the reference about the different parts of the brain involved in different kinds of learning. The learning that can be described in words ... will tend to be constrained by the words (& their meanings) available to the participants. This then wanders into taxonomies and glossaries ... the structure of how people think about a subject.

For another tangent ... there is the issue of people learning a new language, and one indication of proficiency is when they "dream" in the new language and/or can do concurrent translation. In the computer area, there are discussions about the (relatively few) people that are really proficient in programming computers ... when they dream in computer language (a significantly different level of proficiency from those that think about computer programming in their native language and then laboriously translate that understanding into some computer language).

There is recent item about blind people adapting the part of the brain normally used for sight to enhancing other senses

People Blind from Birth Use Visual Brain Area to Improve Other Senses: Can Hear and Feel With Greater Acuity
http://www.sciencedaily.com/releases/2010/10/101006131203.htm

Slightly different facet ... while Boyd played a significant role in development of the F16 ... he would point out that he complained bitterly when they first put in the heads-up display ... that the engineers didn't understand how a pilot flew. The initial heads-up display had scrolling numbers ... like a digital read-out ... and pilots had to interpret the numbers ... a delay with translating the numbers into how a pilot flies. It wasn't until they started doing an analog display that it could work directly with the stimulus-response part of the brain w/o the delay of going through the processing in other parts of the brain.

... and metaphors (and other mechanisms) when the language lacks appropriate words to provide the context (long ago & far away I would make computers do things ... and then would be criticized for not being able to translate what was happening into English). Note, some organizations believe their taxonomy among their most valuable assets (crown jewels).

--
virtualization experience starting Jan1968, online at home since Mar1970

The Credit Card Criminals Are Getting Crafty

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: lynn@garlic.com (Lynn Wheeler)
Date: 08 Nov, 2010
Subject: The Credit Card Criminals Are Getting Crafty
Blog: Payment Systems Network
There are a series of issues

• most debit cards these days are enabled for signature-debit ... that is they can be used both for pin-debit and signature-debit. just skimming the magstripe of a debit card allows most to be used for signature-debit (w/o pin)

• skimming technology is getting more advanced ... in some cases being installed during device manufacturing ... including being able to skim both magstripe and pin (if it is used)

• this discusses IBM 3624 "natural pin" (based on PAN) ... basically an encoding of the PAN
https://en.wikipedia.org/wiki/Personal_identification_number

very analogous to card security code (that is encoded on magstripe of credit cards):
https://en.wikipedia.org/wiki/Card_security_code

there is also discussion of IBM 3624 + offset ... basically a technique allowing the user to select their own pin. the offset (difference between natural pin and user pin) can be stored in the issuer database and/or encoded in the magstripe. There is more discussion of vulnerabilities of different methods in the wiki PIN article.

Note that early in credit magstripe use, there was a problem with criminals generating acceptable magstripes purely from a computer generated formula. Card security code (encoded on the magstripe) was introduced as a countermeasure to such activity. However, skimming gets around the problem by copying a complete, valid magstripe (including the correct card security code).

Early in the days of signature-debit ... there was some publicity claiming debit magstripe was worse than credit magstripe. The issue was that until signature-debit, requiring a PIN was also an effective countermeasure to computer generated magstripes (and so the debit industry didn't require a card security code on the magstripe). Simply adding signature-debit capability (i.e. not requiring a PIN) made such cards vulnerable to the computer generated counterfeit magstripes.

disclaimer ... I had several offices & labs where 3624 was designed (los gatos lab)
https://en.wikipedia.org/wiki/IBM_3624

--
virtualization experience starting Jan1968, online at home since Mar1970
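Worked example of the 3624 natural PIN and offset arithmetic the post above points to (via the wiki PIN article). This is an added illustration, not code from the post or from IBM; the PAN, key and decimalization table are constructed, and since the Python standard library has no DES the block cipher is replaced by an HMAC-SHA256 stand-in (labelled in the code), so the digits it produces are not what a real 3624 would produce. The validation-data, decimalization and offset steps are the 3624 structure.

```python
"""IBM 3624 natural PIN and PIN offset (added illustration, not from the post).

Structure follows the 3624 method as described in the Wikipedia PIN article
the post links: derive 16 hex digits of validation data from the PAN,
encrypt them under the issuer's PIN generation key, decimalize the result
with a 16-entry table, and take the leftmost N digits as the natural PIN.
The offset is (customer PIN - natural PIN), digit-wise mod 10.

ASSUMPTION: Python's standard library has no DES, so the encryption step
uses HMAC-SHA256 truncated to 64 bits as a stand-in keyed block function.
The validation-data, decimalization and offset arithmetic are the 3624
structure; only the block cipher is swapped.
"""
import hashlib
import hmac

# Constructed sample values, not a real key or card number.
PIN_GENERATION_KEY = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")
DECIMALIZATION_TABLE = "0123456789012345"   # hex digit value i -> table[i]
PIN_LENGTH = 4


def validation_data(pan: str) -> str:
    """Common 3624 convention: the 12 PAN digits immediately left of the
    check digit, right-padded with 'F' to 16 hex digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return digits[:-1][-12:].ljust(16, "F")


def keyed_block(key: bytes, data16hex: str) -> str:
    """Stand-in for single-DES ECB encryption of one 8-byte block.
    Returns 16 hex digits, the same shape as a DES output block."""
    block = bytes.fromhex(data16hex)
    return hmac.new(key, block, hashlib.sha256).hexdigest()[:16].upper()


def decimalize(hexstr: str, table: str = DECIMALIZATION_TABLE) -> str:
    """Map each hex digit through the decimalization table."""
    return "".join(table[int(h, 16)] for h in hexstr)


def natural_pin(pan: str, key: bytes = PIN_GENERATION_KEY,
                length: int = PIN_LENGTH) -> str:
    """The PIN the card would have if the customer never chose one."""
    return decimalize(keyed_block(key, validation_data(pan)))[:length]


def pin_offset(customer_pin: str, nat: str) -> str:
    """Digit-wise (customer - natural) mod 10. This is the value the issuer
    stores in its database and/or encodes on the magstripe; without the
    PIN generation key it says nothing about the customer PIN."""
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(customer_pin, nat))


def verify_pin(pan: str, entered_pin: str, offset: str,
               key: bytes = PIN_GENERATION_KEY) -> bool:
    """Issuer-side check: recompute the natural PIN, add the offset, compare
    in constant time against what the cardholder entered."""
    nat = natural_pin(pan, key, len(offset))
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))
    return hmac.compare_digest(expected, entered_pin)


if __name__ == "__main__":
    pan = "4000001234567899"          # constructed PAN
    nat = natural_pin(pan)
    off = pin_offset("1234", nat)
    print("natural PIN:", nat, "offset for customer PIN 1234:", off)
    print("verify 1234:", verify_pin(pan, "1234", off),
          "verify 1235:", verify_pin(pan, "1235", off))
```

The practitioner's reading of this: an offset copied off the magstripe is useless to a skimmer without the PIN generation key, which is why the post's concern is the skimmers that also capture the PIN as it is entered; they need neither the key nor the offset.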

60 Minutes News Report:Unemployed for over 99 weeks!

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: lynn@garlic.com (Lynn Wheeler)
Date: 08 Nov, 2010
Subject: 60 Minutes News Report:Unemployed for over 99 weeks!
Blog: Payment Systems Network
re:
http://www.garlic.com/~lynn/2010o.html#22 60 Minutes News Report:Unemployed for over 99 weeks!
http://www.garlic.com/~lynn/2010o.html#27 60 Minutes News Report:Unemployed for over 99 weeks!

same sunday talk/news show ... a week later ... there was some reference that for a couple decades, the US has been using various economic sleight of hand to cover up that an increasing percentage of the population isn't qualified to compete in the modern world.

In several business sectors, a major accelerator of off-shoring was the internet bubble and y2k remediation occurring at the same time. there were all sorts of stories about the internet bubble hiring people at 2-3 times their previous salary (and/or promising them that they would become millionaires with equity). As a result there was an extreme shortage of skills for y2k remediation (besides the fact that it wasn't going to be a career). This forced a lot of bread&butter corporations to go overseas for their y2k remediation work. Later, these same corporations tended to continue with those overseas relationships (regarding their core/legacy business technology). The complaints didn't really start until the internet bubble burst.

There is also the folklore of a large financial institution outsourcing some core financial transaction y2k remediation to the lowest bidder ... which they eventually found out was a front for a criminal organization (later finding some unexpected hidden stealth transactions).

for other topic drift ... there was "CENTURY" discussion group on the internal network in the early 80s about pending Y2K problem ... old reference from 99 about one of the posts in the discussion (from somebody working at NASA)
http://www.garlic.com/~lynn/99.html#email841207
in this post
http://www.garlic.com/~lynn/99.html#24 BA Solves Y2K

--
virtualization experience starting Jan1968, online at home since Mar1970

Facebook and Twitter fail basic security test

From: lynn@garlic.com (Lynn Wheeler)
Date: 08 Nov, 2010
Subject: Facebook and Twitter fail basic security test
Blog: Linkedin
Facebook and Twitter fail basic security test
http://news.yahoo.com/s/digitaltrends/20101108/tc_digitaltrends/facebookandtwitterfailbasicsecuritytest

from above:
Riding off of the coattails of the FireSheep Firefox exploit, Digital Society has studied the basic security functions of 11 popular websites and given them grades. The results are not stellar for most, especially social networking sites Twitter and Facebook, which both received failing grades.

... snip ...

Long ago and far away we were called in to consult with a small client/server startup that wanted to do payment transactions on their server; they had also invented this technology called SSL they wanted to use; the result is now frequently called "electronic commerce". Part of the effort was a study regarding security requirements for SSL deployment and use. Almost immediately the security requirements were violated because webservers found SSL cut their throughput 90-95%, dropping back to just using it for paying/checkout.

recent related/similar comments
http://www.garlic.com/~lynn/2010b.html#12 Korean bank Moves back to Mainframes (...no, not back)
http://www.garlic.com/~lynn/2010b.html#15 security and online banking
http://www.garlic.com/~lynn/2010e.html#45 PCI tokenization push promising but premature, experts say
http://www.garlic.com/~lynn/2010e.html#68 Entry point for a Mainframe?
http://www.garlic.com/~lynn/2010f.html#21 The 2010 Census
http://www.garlic.com/~lynn/2010f.html#25 Should the USA Implement EMV?
http://www.garlic.com/~lynn/2010f.html#92 Why do most websites use HTTPS only while logging you in...and not for the entire session?
http://www.garlic.com/~lynn/2010g.html#16 Far and near pointers on the 80286 and later
http://www.garlic.com/~lynn/2010g.html#60 Far and near pointers on the 80286 and later
http://www.garlic.com/~lynn/2010g.html#66 What is the protocal for GMT offset in SMTP (e-mail) header
http://www.garlic.com/~lynn/2010g.html#79 In SSL We Trust? Not Lately
http://www.garlic.com/~lynn/2010l.html#57 A mighty fortress is our PKI
http://www.garlic.com/~lynn/2010m.html#89 UAE Man-in-the-Middle Attack Against SSL
http://www.garlic.com/~lynn/2010n.html#25 Will new card innovation help interchange and improve retention?
http://www.garlic.com/~lynn/2010n.html#37 Do we really need to care about DNS Security?
http://www.garlic.com/~lynn/2010n.html#44 Who are these people who think cybersecurity experts are crying wolf?
http://www.garlic.com/~lynn/2010n.html#47 ZeuS attacks mobiles in bank SMS bypass scam
http://www.garlic.com/~lynn/2010o.html#23 Spooky Myths that Trick Merchants When It Comes to Secure Payments Processes
http://www.garlic.com/~lynn/2010o.html#31 Survey Outlines Compliance Challenge Among Small Merchants

--
virtualization experience starting Jan1968, online at home since Mar1970

Internet Evolution - Part I: Encryption basics

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: lynn@garlic.com (Lynn Wheeler)
Date: 08 Nov, 2010
Subject: Internet Evolution - Part I: Encryption basics
Blog: Linkedin
The internal network was larger than the arpanet/internet from just about the beginning until possibly late '85/early '86. One of the differences was that all internal network links had to be encrypted ... and the only practical implementation at the time were link encryptors (in the mid-80s, the internal network supposedly had over half of all link encryptors in the world). A big early issue was talking various govs. around the world into allowing inter-plant (intra-company) encryption ... especially when the links crossed national boundaries.
http://www.garlic.com/~lynn/subnetwork.html#internalnet

Some govs. in the far east ... others in europe, not just France. Some hard fought arguments ... using the line that the physical links were purely between (the same corporate) internal locations would eventually prevail. However, when I was doing T1 and faster links in the early to mid-80s ... I found out about the three kinds of crypto (the kind they don't care about, the kind you can't do, and the kind you can only do for them). I got tired of what I was paying for T1 link encryptors (and the difficulty of getting anything faster) and got involved in designing my own. Eventually out the other end ... I was finally told that I could build as many as I wanted ... but couldn't use/keep any.

--
virtualization experience starting Jan1968, online at home since Mar1970

A Wolf In Sheep's Clothing - New Threat

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: A Wolf In Sheep's Clothing - New Threat
Newsgroups: alt.computer.security
Date: Tue, 09 Nov 2010 14:23:23 -0500
Facebook and Twitter fail basic security test
http://news.yahoo.com/s/digitaltrends/20101108/tc_digitaltrends/facebookandtwitterfailbasicsecuritytest

from above:
Riding off of the coattails of the FireSheep Firefox exploit, Digital Society has studied the basic security functions of 11 popular websites and given them grades. The results are not stellar for most, especially social networking sites Twitter and Facebook, which both received failing grades.

... snip ...

Long ago and far away we were called in to consult with a small client/server startup that wanted to do payment transactions on their server; they had also invented this technology called SSL they wanted to use; the result is now frequently called "electronic commerce". Part of the effort was a study regarding security requirements for SSL deployment and use. Almost immediately the security requirements were violated because webservers found SSL cut their throughput 90-95%, dropping back to just using it for paying/checkout.

--
virtualization experience starting Jan1968, online at home since Mar1970

A Wolf In Sheep's Clothing - New Threat

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: A Wolf In Sheep's Clothing - New Threat
Newsgroups: alt.computer.security
Date: Tue, 09 Nov 2010 15:24:04 -0500
"FromTheRafters" <erratic.howard@gmail.com> writes:
Reading around on the net, I see recommendations for transport layer security as having some effect against this attack - I don't see how, if this really is about a cookie *file* on a computer on the unsecured wireless network as indicated in the OP's quote. Getting hold of *cookies* in this sense must not be quite the same as getting hold of *cookie files* stored on a computer on the affected network - or else SSL/TLS wouldn't have any effect on it.

re:
http://www.garlic.com/~lynn/2010o.html#44 A Wolf In Sheep's Clothing - New Threat

cookie capture is eavesdropping on an open communication channel (during cookie transfer) ... followed by a replay attack of the harvested cookie ... then encrypting the communication is a countermeasure to eavesdropping (as opposed to a trojan running on the victim machine that harvests the cookie from a disk file).

there is separate discussion about cookies being a poor solution

lcamtuf's blog: HTTP cookies, or how not to design protocols
http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html

--
virtualization experience starting Jan1968, online at home since Mar1970
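The mechanism described in the reply above and in the Facebook/Twitter post earlier on this page (eavesdrop on an open channel, replay the harvested cookie; SSL used only for login/checkout does not prevent it) as working code. This is an added example, not code from either post or from Digital Society's study; the captured request and the Set-Cookie values are constructed, and the cookie-name heuristics used to pick out session cookies are an assumption.

```python
"""Session cookie exposure: harvest, replay, and the server-side check
(added illustration, not from the posts).

What a passive eavesdropper on an open channel gets from one plaintext
HTTP request is the Cookie header; replaying it on a new request gives the
session without any password. Protecting only login/checkout with SSL does
not stop this: a session cookie issued without the Secure attribute is
sent by the browser on every plain-http request to the site as well.

ASSUMPTION: the captured request below is constructed; the cookie-name
heuristics are a starting point, not a standard.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

# Constructed sample: one plaintext request as seen on an open wireless network.
CAPTURED_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: lang=en; session_id=3f9a1c77e2; _ga=GA1.2.1\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)


def _header_lines(raw_request: bytes) -> List[str]:
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return head.split("\r\n")[1:]          # drop the request line


def harvest_cookies(raw_request: bytes) -> Dict[str, str]:
    """Eavesdropper side: every cookie the client sent in the clear."""
    jar: Dict[str, str] = {}
    for line in _header_lines(raw_request):
        if line.lower().startswith("cookie:"):
            for pair in line.split(":", 1)[1].split(";"):
                if "=" in pair:
                    name, value = pair.strip().split("=", 1)
                    jar[name] = value
    return jar


def build_replay(raw_request: bytes, path: str = "/account") -> bytes:
    """Eavesdropper side: a new request to the same host carrying the
    harvested Cookie header. Nothing here needed the victim's password."""
    host = next(line.split(":", 1)[1].strip()
                for line in _header_lines(raw_request)
                if line.lower().startswith("host:"))
    cookie = "; ".join(f"{k}={v}" for k, v in harvest_cookies(raw_request).items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie}\r\n\r\n").encode("latin-1")


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    looks_like_session: bool

    @property
    def replayable_over_http(self) -> bool:
        # Without Secure the browser will send it over plain http, where it
        # can be harvested as above. HttpOnly does not help against that.
        return self.looks_like_session and not self.secure


def parse_set_cookie(value: str) -> CookieFinding:
    """Server side: inspect one Set-Cookie header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieFinding(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        looks_like_session=any(h in name.lower() for h in SESSION_NAME_HINTS),
    )


def audit_set_cookie(header_values: Iterable[str]) -> List[CookieFinding]:
    """Return the session-looking cookies an eavesdropper could replay."""
    return [f for f in map(parse_set_cookie, header_values) if f.replayable_over_http]


if __name__ == "__main__":
    print(harvest_cookies(CAPTURED_REQUEST))
    print(build_replay(CAPTURED_REQUEST).decode())
    for f in audit_set_cookie([
        "session_id=3f9a1c77e2; Path=/; HttpOnly",            # replayable
        "session_id=3f9a1c77e2; Path=/; Secure; HttpOnly",    # not
        "lang=en; Path=/",
    ]):
        print("exposed:", f.name)
```

The audit half is the check to run against a site that encrypts only its login or checkout page: if the session cookie it issues lacks Secure, the SSL on the login page protected the password and nothing else, which is the point of the reply above.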

The Credit Card Criminals Are Getting Crafty

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: lynn@garlic.com (Lynn Wheeler)
Date: 10 Nov, 2010
Subject: The Credit Card Criminals Are Getting Crafty
Blog: Payment Systems Network
re:
http://www.garlic.com/~lynn/2010o.html#40 The Credit Card Criminals Are Getting Crafty

for other info ... same location (los gatos lab) that did ATM machines also used to manage the magstripe standard
https://en.wikipedia.org/wiki/Magnetic_stripe_card

for a little other drift ... a lot of DBMS backends are due to this work (by Jim):
https://en.wikipedia.org/wiki/ACID
and
http://www.tpc.org/information/about/history.asp

a Nov'08 posting in this group (father of modern financial dataprocessing)
http://www.garlic.com/~lynn/2008p.html#27

note that the x9a10 financial standard working group did something different for the x9.59 financial transaction standard (had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments) ... basically unique dynamic data for every transaction ... and as a result eliminated the requirement to hide/encrypt information.
http://www.garlic.com/~lynn/x959.html#x959

one big issue is compromised end-points (either aftermarket and/or at time of manufacture) and/or counterfeit end-points, that capture the data at time-of-entry. There have been past reports that in one market segment, 1/3rd of POS terminals had been compromised during the manufacturing process.

--
virtualization experience starting Jan1968, online at home since Mar1970
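Added illustration of the design point in the post above (unique dynamic data in every transaction removes the requirement to hide/encrypt the transaction data). It is not x9.59 code and is not from the post or from the x9a10 working group. x9.59 uses a digital signature over the transaction; here an HMAC-SHA256 under a per-account key stands in for that signature so the example runs on the standard library (an assumption, stated in the code), and the PAN, key and amounts are constructed.

```python
"""Per-transaction dynamic data instead of secrecy (added illustration,
not from the post).

The idea the post attributes to x9.59: if every transaction carries unique
dynamic data that the issuer verifies, a transaction captured in transit
(or skimmed at a compromised terminal) is worthless to a replayer, even
though the PAN and amount travel in the clear and nothing is encrypted.

ASSUMPTION: x9.59 uses a digital signature over the transaction; here an
HMAC-SHA256 under a per-account key stands in for that signature so the
example runs on the standard library alone. Replay protection uses a
strictly increasing per-account transaction counter, a simplification of
how a real issuer tolerates out-of-order arrivals.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Transaction:
    pan: str            # in the clear
    merchant: str       # in the clear
    amount_cents: int   # in the clear
    counter: int        # the dynamic data: never repeats for an account

    def canonical(self) -> bytes:
        # Fixed field order and separator so card and issuer authenticate
        # exactly the same bytes.
        return f"{self.pan}|{self.merchant}|{self.amount_cents}|{self.counter}".encode()


def _authenticator(key: bytes, txn: Transaction) -> bytes:
    return hmac.new(key, txn.canonical(), hashlib.sha256).digest()


class Card:
    """Card/device side: holds the per-account key and the counter."""

    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self._counter = pan, key, 0

    def authorize(self, merchant: str, amount_cents: int) -> Tuple[Transaction, bytes]:
        self._counter += 1
        txn = Transaction(self.pan, merchant, amount_cents, self._counter)
        return txn, _authenticator(self._key, txn)


class Issuer:
    """Issuer side: verifies the authenticator, then the freshness."""

    def __init__(self):
        self._keys: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan] = key
        self._last_counter[pan] = 0

    def verify(self, txn: Transaction, auth: bytes) -> str:
        key = self._keys.get(txn.pan)
        if key is None:
            return "unknown account"
        # Any change to PAN, merchant, amount or counter breaks this check.
        if not hmac.compare_digest(_authenticator(key, txn), auth):
            return "bad authentication"
        # A captured transaction replayed verbatim fails here.
        if txn.counter <= self._last_counter[txn.pan]:
            return "replay"
        self._last_counter[txn.pan] = txn.counter
        return "approved"


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899AABBCCDDEEFF")   # constructed
    pan = "4000001234567899"                                  # constructed
    issuer = Issuer()
    issuer.enroll(pan, key)
    card = Card(pan, key)
    txn, auth = card.authorize("grocer", 4275)
    print(issuer.verify(txn, auth))      # approved
    print(issuer.verify(txn, auth))      # replay
    forged = Transaction(pan, "grocer", 999999, txn.counter + 1)
    print(issuer.verify(forged, auth))   # bad authentication
```

Note what a compromised terminal of the kind the post describes gets from this: a PAN, an amount, a counter and an authenticator that has already been spent. The asymmetric signature x9.59 actually specifies goes one step further than this HMAC stand-in, since a signature verification key held by the issuer cannot be used to mint new transactions if the issuer's database leaks.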

origin of 'fields'?

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: origin of 'fields'?
Newsgroups: alt.folklore.computers
Date: Wed, 10 Nov 2010 17:33:13 -0500
Ibmekon writes:
Microsoft sell you a car - with a padlock on the hood. You want service, you pay an MS certified tech. You pick the lock and fix it yourself, the warranty is void, the insurance void, the car illegal on the road.

IBM kept hold of the early mainframe software market by bundling packages - refusing to give any technical details to competitors.

The more things change...


... bundling was a bit different. software & source were free ... the legal actions that resulted in the 23jun69 unbundling announcement ... were to get IBM to start charging (separately) for software. The issue was that software houses couldn't make any money selling software that IBM was giving away for free. ... misc. past posts mentioning 23jun69 unbundling
http://www.garlic.com/~lynn/submain.html#unbundle

IBM was able to make the case that kernel software should still be free.

as an undergraduate ... I had added tty/ascii terminal support to (virtual machine) cp67 (from IBM, it ran on the virtual memory 360/67 mainframe). As part of the effort, I tried to make the 2702 terminal controller do something that it couldn't quite do. That somewhat motivated the univ. to start a clone controller effort: reverse engineer the (internal) channel (i/o) interface in order to build a channel attachment interface that would go into an interdata/3 ... programmed to emulate a 2702 (but do the extra functions). there were writeups that blamed four of us for the clone controller business ... some past posts mentioning clone controllers
http://www.garlic.com/~lynn/subtopic.html#360pcm

there were legal actions to get IBM to publish the internal hardware interfaces ... so that other vendors could more easily build various clone controller hardware boxes for various pieces of IBM mainframes. At the time, mainframes were rented/leased ... they weren't sold. some of this is somewhat analogous to the phone company legal actions in the 80s and customers being able to install/operate phones from other vendors.

one of the side-effects of mainframes being rented/leased was that the monthly charges were based on usage ... mainframes had meters that were read ... somewhat like home utility meters that utility companies read for gas/electricity use. The mainframe meter would run anytime the processor was executing instructions and/or the channels were executing channel (i/o) programs. This turned out to be a challenge to providing 7x24 online timesharing (cp67) service. Most online timesharing services recovered their monthly "costs" with their own usage charges. Initially, offshift usage tended to be extremely light ... usage not covering the operational costs. Two early efforts for cp67 were 1) eliminate the off-shift "operator" requirement (so the machine could operate darkroom/unattended) and 2) not have the "billing" meter run when there was no user activity (as part of minimizing infrastructure costs for operating a 7x24 online timesharing service). misc. past posts mentioning early virtual machine online timesharing services
http://www.garlic.com/~lynn/submain.html#timeshare

the clone controller hardware boxes are cited as motivation for the future system effort in the 70s ... some past posts mentioning FS
http://www.garlic.com/~lynn/submain.html#futuresys

and article by corporate executive involved in FS effort:
http://web.archive.org/web/20110718153549/http://www.ecole.org/Crisis_and_change_1995_1.htm
http://www.ecole.org/en/seances/CM07

quote from above:
IBM tried to react by launching a major project called the 'Future System' (FS) in the early 1970's. The idea was to get so far ahead that the competition would never be able to keep up, and to have such a high level of integration that it would be impossible for competitors to follow a compatible niche strategy. However, the project failed because the objectives were too ambitious for the available technology. Many of the ideas that were developed were nevertheless adapted for later generations. Once IBM had acknowledged this failure, it launched its 'box strategy', which called for competitiveness with all the different types of compatible sub-systems. But this proved to be difficult because of IBM's cost structure and its R&D spending, and the strategy only resulted in a partial narrowing of the price gap between IBM and its rivals.

... snip ...

I was at the science center during this period ... some posts mentioning science center at 545 tech sq
http://www.garlic.com/~lynn/subtopic.html#545tech

and was less than complimentary about FS ... drawing a comparison between it and a cult film that had been playing constantly down in central sq. ... probably wasn't career enhancing ... especially after they killed FS. The distraction of FS (which was going to be as different from 360/370 as 360 had been different from prior generations) also resulted in letting the 370 hardware and software product pipelines go dry (since it was going to be replaced) ... which is credited with allowing clone processors to gain a market foothold. somebody else's quote from the ferguson and morris book on the subject (in this old post)
http://www.garlic.com/~lynn/2001f.html#33

After FS was killed, there was a mad rush to get hardware & software products back into the product pipeline (and since I had continued doing 370 stuff during the period ... a bunch of stuff that I had been doing was picked up and shipped). The clone processors seemed to motivate the decision to finally start charging for kernel software and my resource manager was selected to be the first guinea pig (most of the resource manager I had originally done as an undergraduate in the 60s for cp67 ... but it had been dropped in the morph from cp67 to vm370) and I got to spend some amount of time with business and legal people on policies related to charging for kernel software. misc. past posts related to my resource manager (either cp67 and/or vm370)
http://www.garlic.com/~lynn/subtopic.html#fairshare

misc old email related to migrating code from cp67 to vm370 (and one of my hobbies which was shipping and supporting highly modified operating systems for internal datacenters):
http://www.garlic.com/~lynn/2006v.html#email731212
http://www.garlic.com/~lynn/2006w.html#email750102
http://www.garlic.com/~lynn/2006w.html#email750430

for other drift ... recent mention of getting named to a mainframe "hall of fame"
http://www.mainframezone.com/blog/mainframe-hall-of-fame-four-new-members-added/
full list
http://www.mainframezone.com/static/mainframe-hall-of-fame/

another reference to some of the "mad rush" to get products into 370 product pipeline (after FS was killed):
http://www.jfsowa.com/computer/memo125.htm

over my career I managed to make some number of observations that weren't career enhancing. In my executive departure interview (the year that the company went into the red), one of the departing lines was they could have forgiven me for being wrong, but they were never going to forgive me for being right.

--
virtualization experience starting Jan1968, online at home since Mar1970

origin of 'fields'?

Refed: **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: origin of 'fields'?
Newsgroups: alt.folklore.computers
Date: Thu, 11 Nov 2010 07:42:14 -0500
re:
http://www.garlic.com/~lynn/2010o.html#47 origin of 'fields'

one of the things for cp67 that helped with unattended (off-shift) operations was automatic re-ipl/reboot ... mentioned here in a story about cp67 use (at the mit datacenter in the adjacent bldg. at tech sq) vis-a-vis multics (on the flr above the science center in tech sq):
http://www.multicians.org/thvv/360-67.html

however as more & more function was implemented in service virtual machines (current vernacular is virtual appliances) ... it wasn't sufficient to just reboot the machine and allow users to log in ... it became increasingly necessary to automagically get the service virtual machines up and operating w/o human intervention. one of the things I did that was mentioned in these old emails
http://www.garlic.com/~lynn/2006v.html#email731212
http://www.garlic.com/~lynn/2006w.html#email750102
http://www.garlic.com/~lynn/2006w.html#email750430

... among the stuff picked up and shipped (for vm370; as part of mad rush to get products back into 370 product pipeline after FS was killed) as the autolog facility (even before packaging the stuff for my charged-for "resource manager", guinea pig for the change to start charging for kernel software).

The science center was doing a lot of performance related technology, performance monitoring and reporting, various kinds of system models & simulators, workload & configuration profiling (some of which eventually morphed into capacity planning). one of these efforts eventually morphed into the performance predictor that was made available to sales support on the internal (online virtual machine based, world-wide sales&marketing support) HONE system ... some past posts
http://www.garlic.com/~lynn/subtopic.html#hone

in the mid-70s, the various US HONE datacenters were consolidated in northern cal. ... in fact, the (new) facebook bldg was built next door to that old HONE datacenter. the performance predictor was system analytical model implemented in APL and allowed sales support people to enter customer workload and configuration profiles and then ask "what-if" questions about what would happen if the workload and/or configuration changed (like what would be the effect of adding more memory).

as part of continuing my (dynamic adaptive) resource manager work ... dating back to my undergraduate days in the 60s ... I would do a lot of benchmarking ... validating the resource manager across a wide range of workloads and configurations (using a synthetic workload generator ... and selecting benchmarks based on a lot of the workload profiling work ... including statistics gathered from hundreds of internal datacenters). That evolved into automatic benchmarking procedures ... rebooting between each benchmark ... and is the reason that I originally created the "autolog" command. The "final" benchmark run before release of my (vm370) "resource manager" was 2000 benchmarks that took three months elapsed time to run. some past posts
http://www.garlic.com/~lynn/submain.html#bench

the above referenced "old" email mentions "csc/vm" system ... one of my hobbies was shipping & supporting highly enhanced operating systems to internal datacenters (including the HONE complex ... the primary had been consolidated in northern cal., but there were also HONE clones all over the world).

--
virtualization experience starting Jan1968, online at home since Mar1970

The Credit Card Criminals Are Getting Crafty

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: lynn@garlic.com (Lynn Wheeler)
Date: 11 Nov, 2010
Subject: The Credit Card Criminals Are Getting Crafty
Blog: Payment Systems Network
re:
http://www.garlic.com/~lynn/2010o.html#40 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#46 The Credit Card Criminals Are Getting Crafty

x-over post from Financial Crime Risk, Fraud and Security group

Chip & PIN Needs PCI; PCI Council's European Head Says EMV Alone is Not Enough
http://www.bankinfosecurity.com/articles.php?art_id=3044

while no magstripe eliminates the straight-forward skimming ... the above mentions that the same data is carried in the clear on EMV transactions

and of course ... there is this from earlier last week

Chip-and-PIN crack code released as open source
http://www.zdnet.co.uk/news/security/2010/10/25/chip-and-pin-crack-code-released-as-open-source-40090637/

There was a rather large pilot done in the US in the early part of the century ... but it was in the period of the YES CARD exploit ... and in the aftermath, all evidence of the pilot appeared to disappear w/o a trace. There have been comments about resistance to such a deployment because of costs ... however, it may not be an issue of a single deployment ... but the prospect that there might have to be a whole series of deployments. misc. past YES CARD posts
http://www.garlic.com/~lynn/subintegrity.html#yescard

The YES CARD was an easily counterfeited card ... there was an old reference to a presentation at cartes 2002 that the counterfeiting was trivial ... the URL has gone 404 ... but lives on at the wayback machine
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

disclaimer ... I did the AADS chip strawman in the 90s ... in the mid-90s I semi-facetiously claimed that I would take a $500 milspec item and aggressively cost reduce by 2-3 orders of magnitude while making it more secure. By the late 90s, it was on the technology cost curve with EPC RFID (i.e. chips to replace grocery store bar codes) ... limitation on how chips were separated from the wafer in the manufacturing process. Basically volume costs are wafer manufacturing ... and per chip cost then is number of chips per wafer; increasing chips per wafer was being limited by the technology that sawed the wafer into individual chips. Eventually the EPC RFID industry developed a number of solutions.
http://www.garlic.com/~lynn/x959.html#aads

... and in the mid-90s, I was also co-author of the x9.59 financial transaction standard in the x9a10 financial standard working group ... we had been invited to participate in the x9a10 financial standard working group because we had done this work on what is now frequently called "electronic commerce" (i.e. we had been invited in to consult with small client/server startup that wanted to do payment transactions on their server ... the startup had also invented this technology called SSL they wanted to use).
http://www.garlic.com/~lynn/x959.html#x959

--
virtualization experience starting Jan1968, online at home since Mar1970

The Credit Card Criminals Are Getting Crafty

From: lynn@garlic.com (Lynn Wheeler)
Date: 11 Nov, 2010
Subject: The Credit Card Criminals Are Getting Crafty
Blog: Payment Systems Network
re:
http://www.garlic.com/~lynn/2010o.html#40 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#46 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#49 The Credit Card Criminals Are Getting Crafty

A decade ago we were tangentially involved in the cal. data breach notification legislation. We had been brought in to help wordsmith the cal. electronic signature legislation and many of the parties were also heavily involved in privacy issues. They had done detailed consumer/citizen privacy surveys and the #1 issue was identity theft, namely the form involving "account fraud" with criminals performing fraudulent transactions against existing accounts. There seemed to be little or nothing to be done about such activity and it was apparently believed that the publicity from the notifications might result in corrective actions (in fact, the PCI stuff can be assumed to be prompted by the cal. legislation).

In the same time frame, there was EU work going on ... including the EU FINREAD standard for consumer use ... to address the issue of compromises and vulnerabilities in end-points. We had meetings with some of the FINREAD participants and pointed out that while the standard called for hardened end-points (immune from the current slew of trojans, viruses, etc) ... there were no provisions for the relying party to "know" that such a device had been used.

One of the provisions in the x9.59 financial standard was to allow authentication of both the end-user as well as the environment in which the transaction was taking place ... somewhat comes under a paradigm we called parameterised risk management ... aka a unified environment where it would always be possible to require that "security is proportional to risk" ... aka that the cost to the crook is greater than any expected fraudulent return (being able to dynamically adjust the number and types of authentication factors in view of the environment in which the transaction is taking place, the value of the transaction, and/or the risk as a result of performing the transaction).

as an aside ... with regard to los gatos lab (its involvement in atm machines and managing the magstripe standard) ... it also was the pioneer in the use of scanning electron microscope for analyzing chip operation (originally for debugging chip operation as opposed to reverse engineering and/or use for compromise). for other los gatos trivia, the los gatos lab had also done the LSM for chip logic simulation ... it was somewhat unique, most such simulation simplifies things by assuming synchronous clock ... while LSM had "clock" support ... which can be used for chips with asynchronous clocks and/or digital chips that include analog circuits (like the original thin-film disk R/W heads).

as mentioned previously in the early part of this century ... there were lots of financial institutions paying all sorts of money for deployments of new technology .... which failed for various reasons (like the large chip&pin pilot that had the YES CARD vulnerability). this resulted in an extremely risk averse attitude ... and an extremely conservative wait&see attitude before doing it again (avoid being burned again).

part of the AADS chip strawman was not only driving to sub-cent chip cost ... but also enabling person-centric operation. The x9a10 financial standard working group had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments (debit, credit, stored-value, ACH, high-value, low-value, contact, contactless, transit turnstile, wireless, POS, unattended, internet, etc ... aka ALL). That ALL directive then also drove the AADS chip strawman effort ... not only same chip being able to be used for extremely high-value transactions but also meet the power & elapsed time requirements of contactless transit turnstile ... but in the person-centric operation only a single token is required for all authentication operations.

Issuers complained that chips were costing dollars to add to magstripe ... then complained about cents and even when it went sub-cent. Then came back (with person-centric) that they no longer had to issue anything and all costs were eliminated ... they complained that the current card had acquired marketing attributes ... unrelated to its use for authentication purposes.

Part of generalizing the AADS chip strawman for person-centric and all authentication purposes ... got invited to give talk at TCPA track at intel developer's forum
http://web.archive.org/web/20011109072807/http://www.intel94.com/idf/spr2001/sessiondescription.asp?id=stp+s13

guy running TCPA was sitting in the front row ... and I quipped about it being nice that over the previous year or so the design of the TCPA chip started looking more like the AADS chip strawman (I made some claim that the unmodified AADS chip strawman could also do the functions required of TPM). He quipped back that I didn't have a committee of 200 people helping with the chip design.

--
virtualization experience starting Jan1968, online at home since Mar1970

The Credit Card Criminals Are Getting Crafty

From: lynn@garlic.com (Lynn Wheeler)
Date: 11 Nov, 2010
Subject: The Credit Card Criminals Are Getting Crafty
Blog: Payment Systems Network
re:
http://www.garlic.com/~lynn/2010o.html#40 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#46 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#49 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#50 The Credit Card Criminals Are Getting Crafty

For truly off the wall ... a couple old 1981 emails, part of discussion doing a pgp-like asymmetric cryptography implementation on the internal network (internal network was larger than the arpanet/internet from just about the beginning until late '85 or possibly early '86):
http://www.garlic.com/~lynn/2007d.html#email810506
and
http://www.garlic.com/~lynn/2006w.html#email810515

for whatever reason, I had also been blamed for online computer conferencing on the internal network in the late 70s and early 80s.

we had been approached early by the transit industry about the AADS chip strawman being able to be used at transit gates. one of the issues in the 90s was that the frequently used asymmetric cryptography implementation couldn't meet either the transit gate elapsed time constraints or the transit gate contactless power limitations. We showed how ECC could be used w/o sacrificing security and integrity and be able to meet transit gate requirements (it also had much better resistance to differential power attack).

Turns out that one of the "inventors" of ECC in the mid-80s was in the YKT math department ... and although I lived and worked in silicon valley (offices in various bldgs) ... I was officially part of YKT and had to commute there a couple times a month.

One of the things I did get to do was put in 4.5M satellite dishes at YKT and in the back parking lot at Los Gatos lab ... and used transponder on SBS4 (about 20mbits capacity) ... which went up on the original Discovery flt ... Discovery currently is in the news attempting its last flt.

other tidbits ... one of the differences between the arpanet/internet and the internal network was that all the internal network links had to be encrypted ... so the PGP-like publickey stuff was purely countermeasure to internal threats. In the mid-80s, the claim was that the internal network had over half of all the link encryptors in the world ... and it periodically represented quite a challenge to get operational approval in various parts of the world when links would be crossing various national boundaries.

I also had a different kind of challenge at the time in HSDT with T1 and higher speed links ... I didn't like what I had to pay for T1 link encryptors and it was quite difficult to get encryptors that ran any faster ... I eventually started working on project to design my own (to handle multiple mbyte/sec rates ... not mbit/sec rates).
http://www.garlic.com/~lynn/subnetwork.html#hsdt

--
virtualization experience starting Jan1968, online at home since Mar1970

Payment Card Industry Pursues Profits Over Security

From: lynn@garlic.com (Lynn Wheeler)
Date: 11 Nov, 2010
Subject: Payment Card Industry Pursues Profits Over Security
Blog: Financial Crime Risk, Fraud and Security
There was a report that EU financial institutions had less than 10% of their bottom line from payment transactions while US financial institutions avg. approx. 40% (and for some large institutions 60%). There can be an order of magnitude difference in fees between the highest fraud transactions and lowest fraud transactions. Drastically improving security could effectively commoditize the payment industry and represent a factor of 10 times (or more) reduction in the bottom line coming from payment transactions (which would represent a significantly larger issue for US institutions compared to EU).

In the early part of the century there were a number of safe/secure payment products produced for the internet that got quite high acceptance from the major internet merchants. Merchants had been conditioned for decades that interchange fees were proportional to fraud ... but then came the "cognitive dissonance" when they were told that these products would essentially be a surcharge on top of the highest fee that they were already paying (and the interest evaporated).

There actually are a couple of issues. Part of the excuse for any improvement in the POS technology is that the US is a much larger market (significantly more POS terminals and payment cards) than individual EU countries ... and so deployment would be much more expensive ... and that expense (also) represents a deployment inhibitor.

However, there actually was a rather large deployed chipcard POS pilot in the US in the early part of this century. However, it was in a period when the technology was vulnerable to the YES CARD exploit. There was a presentation that it was trivial to create a counterfeit YES CARD ... the last paragraph discusses the presentation ... the original has gone 404 but it lives on at the wayback machine:
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

There were also presentations on YES CARD at the ATM Integrity task force meetings ... that prompted somebody in the audience to comment that they've managed to spend billions of dollars to prove chipcards are less secure than magstripe cards (spend all that money to find out that it actually made the fraud problem worse).

In the aftermath, evidence of the pilot seemed to disappear w/o a trace ... and the US seemed to have gotten quite a bit more risk averse ... the issue of the deployment costs possibly being that numerous deployments might be required before they got it right (as opposed to simply the cost of a single deployment).

--
virtualization experience starting Jan1968, online at home since Mar1970

The Credit Card Criminals Are Getting Crafty

From: lynn@garlic.com (Lynn Wheeler)
Date: 12 Nov, 2010
Subject: The Credit Card Criminals Are Getting Crafty
Blog: Payment Systems Network
re:
http://www.garlic.com/~lynn/2010o.html#40 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#46 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#49 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#50 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#51 The Credit Card Criminals Are Getting Crafty

Protecting Card Data at the Point of Sale
http://www.pcworld.com/businesscenter/article/210475/protecting_card_data_at_the_point_of_sale.html

nearly all these efforts showed up after the work on the cal. state data breach notification legislation in the late 90s (separate programs by the different products eventually merging on 25dec2004)
https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

as mentioned upthread ... it seemed that the organizations were prompted to do the legislation because 1) it was the #1 consumer concern and 2) at the time, nothing seemed to be being done in the area ... and it was hoped that the publicity from the notifications would motivate action.

Since the cal. state legislation, numerous other states have passed similar legislation. At the federal level, there have been numerous "notification" bills proposed in the past decade that fall into two general categories 1) similar to cal. state legislation and 2) notification bills that would preempt the state legislation and eliminate most notification requirements.

The organizations were also in the middle of doing an "opt-in sharing" privacy legislation when GLBA passed (bank modernization act). The rhetoric on the floor of congress was that the main purpose of GLBA was "if you were already a bank you got to remain a bank, but if you weren't already a bank, you didn't get to become a bank" (specifically calling out walmart and microsoft). GLBA also repealed Glass-Steagall (significant factor in the current financial mess) and had "opt-out sharing" privacy (federal preemption of the cal. state work).

A few yrs ago at annual privacy conference in Wash DC, there was a panel of FTC commissioners. Somebody in the audience got up and asked if they were going to do anything about "opt-out privacy sharing". They claimed to be involved in "call-center" operations utilized by large percentage of financial institutions and claimed that they operated the "1-800" opt-out privacy line w/o recording any information from the calls.

I've frequently made use of a number of metaphors to describe the current paradigm

security proportional to risk metaphor .... the value of the card/transaction data to the merchant is the profit on the transaction (possibly a few dollars, for the processor, possibly a few cents). The value of the same data to the crooks is the account balance/credit limit. As a result, the crooks may be able to outspend the merchants/processors by a factor of 100 to 1000 times (attacking the system) ... something like in a valley with no cover and the enemy holding all the high ground.

misaligned business process metaphor (this phrase was also used repeatedly in fall2008 hearings into the current financial mess regarding other business processes). Normally organizations are motivated to provide security to protect their assets (that are at risk). One of the reasons for the lack of security by merchants & processors was it wasn't their assets (customer card/account/transaction data) at risk.

--
virtualization experience starting Jan1968, online at home since Mar1970

The Credit Card Criminals Are Getting Crafty

From: lynn@garlic.com (Lynn Wheeler)
Date: 12 Nov, 2010
Subject: The Credit Card Criminals Are Getting Crafty
Blog: Payment Systems Network
re:
http://www.garlic.com/~lynn/2010o.html#40 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#46 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#49 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#50 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#51 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#53 The Credit Card Criminals Are Getting Crafty

The cost of the POS terminal replacement is mostly misdirection and obfuscation ... unless you are talking about constantly having to repeatedly redeploy because of never quite getting it right (and/or some of the changes actually worsen the situation like in the case of the YES CARD); replace 10 million terminals even at $100 is only a billion (and its capital not re-occurring expense, avg. capital over 10yrs, it is only $100m/yr).

The cost of quantity one parts in a retail electronics store to build a contact reader is a couple dollars ... volume manufacturing for the basic device was around a dollar. Moving to contactless is even less (using efficient crypto).

A major thing done by the x9.59 financial standard in the mid-90s was to eliminate the card/account transaction information as a risk ... effectively "aligning the business process" (didn't do anything to prevent skimming, eavesdropping, breaches, etc ... just eliminated the motivation for the crooks to perform such operations ... since the information was no longer useful for performing fraudulent financial transactions). Eliminating skimming, eavesdropping and breach risk at POS reduces the cost of nearly every component.

One of the current/big risks in POS is a counterfeit/compromised end-point for skimming information ... where the crook then uses the skimmed information for fraudulent transactions as far away as possible from the compromised unit ... attempting to maximize the ROI on that compromise (obfuscating where the compromise is).

Eliminating skimming as a risk ... then the remaining risk is the crook using a compromised end-point for actually performing the fraudulent transactions. Knowing that fraudulent financial transactions can now only occur at the actual compromised end-point ... results in much more rapid/effective countermeasure shutting down the compromised device (significantly reducing the amount of potential fraud; sort of having high visibility in the operational theater and being able to immediately identify the actual threat point). Such a change can be leveraged to significantly commoditize all the outlying components in the infrastructure (reducing the overall infrastructure costs). Knowing that there may be nearly immediate response also acts as a deterrent.

for another aspect, nearly all new terminals for the past 15 yrs support online provisioning (acquirer being able to download configuration and software changes). one of the exercises the end of the last century was take an AADS token (with possibly both contact and contactless interfaces) and be able to have acquirer download new software into deployed existing terminal (with some sort of chip interface) that enabled the POS terminal to dynamically recognize what kind of chip it was talking to, and if it was an AADS chip, perform a x9.59 transaction.

A problem that has somewhat come along with online provisioning is ISO slamming ... ISO installing POS terminal for free at merchant ... basically recovering cost by tacking on extra transaction charge. Different ISO comes in and reconfigures the terminal to work on different contract. I mentioned upthread claiming that AADS chip could effectively operate as TCPA TPM. The ISO slamming looked at adding AADS chip to POS terminal to perform configuration authentication (similar to TCPA kinds of TPM function) as countermeasure to ISO slamming.

--
virtualization experience starting Jan1968, online at home since Mar1970

Mac Emulator

From: lynn@GARLIC.COM (Anne & Lynn Wheeler)
Subject: Re: Mac Emulator
Newsgroups: bit.listserv.ibm-main
Date: 13 Nov 2010 05:56:39 -0800
when stl was going to move 300 people from the IMS group off-site ... they looked at remote 3270 support but found it terribly unacceptable ... after being used to on-site, channel attached, local 3270 vm370 response.

I did the support for them that used HYPERChannel as channel extender to put 300 "channel-attached" local 3270s at the remote site. Even tho the connection was T1 (running over plant site "campus" T3 microwave), IMS group at the remote site didn't notice any degradation in response (actually system thruput went up 10-15% because the 3274 controllers were removed from direct channel attachment and replaced with the HYPERChannel A22x boxes which had significantly lower channel busy for the same operations)

misc. past posts mentioning various HYPERChannel work (&/or HSDT project)
http://www.garlic.com/~lynn/subnetwork.html#hsdt

The operation was then replicated in Boulder when the IMS field support group was moved to a building across the highway. Instead of having T1 channel on T3 microwave, they had T1 infrared modems between the roofs of the two bldgs. There was concern about loss of signal during heavy storms .... however, the noticeable case was during a white-out snow storm (when nobody could get into work) ... there were sporadic bit-errors recorded. The biggest problem was that the modems were mounted on wooden poles on the roofs of the two (multi-story) bldgs and they (initially) lost alignment during the day (uneven sun heating on the sides of the bldgs ... resulting in bldg alignment changing).

... image of the 3270 logo screen at the offsite IMS location
http://www.garlic.com/~lynn/vmhyper.jpg

3270 logo screen shot

it is from 1980 35mm slide presentation on the effort ... above was 35mm slide of 3270 that was scanned and cropped just to show the logo screen.

another part of the 1980 35mm slide presentation
http://www.garlic.com/~lynn/hyperlink.jpg

HYPERChannel channel extender

--
virtualization experience starting Jan1968, online at home since Mar1970

The Credit Card Criminals Are Getting Crafty

From: lynn@garlic.com (Lynn Wheeler)
Date: 13 Nov, 2010
Subject: The Credit Card Criminals Are Getting Crafty
Blog: Payment Systems Network
re:
http://www.garlic.com/~lynn/2010o.html#40 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#46 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#49 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#50 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#51 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#53 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#54 The Credit Card Criminals Are Getting Crafty

There was a semi-custom AADS chip done ... under million circuits ... evaluated at EAL4+ shipped out the door (there are some chips that have higher evaluation on bare silicon w/o applications) ... and was able to meet the transit gate contactless power & elapsed time limitations (included public key operations). Note that common public key ops are much more compute intensive, taking extended elapsed time and significant power.

There was first pass at a fully custom AADS chip that came out to 40,000 circuits ... shortened the elapsed time as well enormously cutting power requirements (size and power consumption approx. proportional to number of circuits).

For some take on more common public key ops ... the associations published an internet payment transaction specification in '96 using such public key operations. I did a public-key operation profile and a business operation profile for the specification. I then had a friend do a bunch of benchmarks using the public-key profile (with a copy of the BSAFE library that he had improved to run four times faster). When I reported the results back to the members responsible for the specification ... the response was that it was 100 times too slow (instead of four times too fast). Six months later, when there was pilot code operational, the benchmark numbers were within a couple percent of pilot measurements (the four times speedup had been incorporated into standard BSAFE distribution). One conclusion might be that the members responsible for the specification had never actually done any public key operations ... the joke about professor saying that such details are left as exercise for students.

the other part of the public key paradigm chosen by the associations involved "certificates" which had to be appended on every transaction. "Certificates" had originally been created to address an issue with first time communication between strangers with no prior relationship; I was able to trivially demonstrate that certificates were redundant and superfluous on transactions between cardholder and their issuing financial institution (having an existing relationship).

The enormous issue with "certificates" in payment transactions (besides being redundant and superfluous) was that they represented a 100 times payload bloat for typical payment transaction size. This was much more apparent during the design of the association internet payment specification ... and so they had an "internet" gateway do the final public key operations and then generate a standard payment transaction (for the payment network) that simply turned on a flag (no TRUE end-to-end security). Later, there was presentation by interchange business person at an ISO meeting in the EU about the increasing number of transactions coming through with the flag turned on ... and when investigated, there was no public key operations (i.e. merchants & merchant processors were possibly motivated to turn on the flag because it affected the interchange rate).

choice of public key paradigm with 100 times computational bloat and 100 times payload bloat then affected the "secure" solution for POS transactions which continues to this day.
http://www.garlic.com/~lynn/subpubkey.html#bloat

By comparison, in the same time frame, there was enormous optimization work by the X9A10 financial standard working group (for the x9.59 financial transaction standard, besides the work for meeting transit gate power & elapsed time requirements) to eliminate all that bloat, allowing for TRUE, complete, end-to-end transaction security (from cardholder to cardholder's issuing financial institution). A side-effect of TRUE end-to-end transaction security is that whole classes of vulnerabilities stop being a problem (like skimming, eavesdropping, breaches, etc).

for another metaphor ... with TRUE end-to-end transaction security ... the attack surface is radically reduced ... allowing available resources to be concentrated, defending the enormously reduced number of attack points.

w/o TRUE end-to-end transaction security ... there is enormous attack surface that has to be defended

Encryption adoption driven by PCI, fear of cyberattacks; Regulatory compliance pushes more than two thirds of organizations to encrypt
http://www.networkworld.com/news/2010/111610-encryption-adoption.html

--
virtualization experience starting Jan1968, online at home since Mar1970
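
The two points made in this thread (in #54, that x9.59 removes the value of skimmed card/account data by making it useless for fraudulent transactions; and here, that a certificate is redundant when cardholder and issuer already have a relationship) as an added example in Go. This is not code from the posts, from x9.59, or from any AADS implementation; the transaction layout, the account number, the merchant id and the sequence-number replay check are constructed for the example. The issuer keeps the public key registered at enrolment and verifies each signed transaction against it; a self-signed certificate is built for the same key only to measure what appending one per transaction would add to the payload.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Transaction is the data the cardholder's token signs. Constructed, simplified
// layout for this example; the real x9.59 message format is not reproduced here.
type Transaction struct {
	Account  string // account number: known to cardholder and issuer, useless to a skimmer
	Merchant string
	Amount   uint32 // cents
	Seq      uint32 // per-token counter (first transaction uses 1) so a captured transaction cannot be replayed
}

// Bytes serialises the transaction so token and issuer hash identical octets.
func (t Transaction) Bytes() []byte {
	b := []byte(t.Account + "|" + t.Merchant + "|")
	b = binary.BigEndian.AppendUint32(b, t.Amount)
	return binary.BigEndian.AppendUint32(b, t.Seq)
}

// NewToken models personalising a chip: it generates the key pair the token holds.
func NewToken() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign is the token's job; the private key never leaves the chip.
func Sign(priv *ecdsa.PrivateKey, t Transaction) ([]byte, error) {
	digest := sha256.Sum256(t.Bytes())
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Issuer is the relying party. It already holds, per account, the public key
// registered at enrolment, so no certificate has to ride along on the wire.
type Issuer struct {
	keys    map[string]*ecdsa.PublicKey
	lastSeq map[string]uint32
}

func NewIssuer() *Issuer {
	return &Issuer{keys: map[string]*ecdsa.PublicKey{}, lastSeq: map[string]uint32{}}
}

// Enroll records the token's public key for an account (done once, out of band).
func (i *Issuer) Enroll(account string, pub *ecdsa.PublicKey) { i.keys[account] = pub }

// Authorize checks the signature against the key on file and rejects replays.
// Anything a skimmer captured (the account number, or a whole signed transaction)
// fails here, which is what removes the value of that data to a crook.
func (i *Issuer) Authorize(t Transaction, sig []byte) error {
	pub, ok := i.keys[t.Account]
	if !ok {
		return errors.New("unknown account")
	}
	if t.Seq <= i.lastSeq[t.Account] {
		return errors.New("replayed or stale sequence number")
	}
	digest := sha256.Sum256(t.Bytes())
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify under the key on file")
	}
	i.lastSeq[t.Account] = t.Seq // advance only after a good signature
	return nil
}

// CertificateBytes builds a minimal self-signed certificate for the same key, only
// to measure what the certificate-appending paradigm would add to every transaction.
func CertificateBytes(priv *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "cardholder token (constructed example)"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
}

func main() {
	priv, _ := NewToken()
	iss := NewIssuer()
	const acct = "4000-0000-0000-0002" // constructed account number
	iss.Enroll(acct, &priv.PublicKey)
	tx := Transaction{Account: acct, Merchant: "store-17", Amount: 1999, Seq: 1}
	sig, _ := Sign(priv, tx)
	fmt.Println("genuine transaction:", iss.Authorize(tx, sig))
	fmt.Println("replay of captured transaction:", iss.Authorize(tx, sig))
	cert, _ := CertificateBytes(priv)
	fmt.Printf("signature %d bytes; a certificate would add %d bytes per transaction\n", len(sig), len(cert))
}
```

The issuer-side check is the whole point: a skimmer who captures the account number, or even an entire signed transaction, holds nothing that verifies under the key on file for a new transaction, so the only place fraud can still originate is a compromised end-point that has the cardholder's token in hand.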

So why doesn't the mainstream IT press seem to get the IBM mainframe?

From: lynn@garlic.com (Lynn Wheeler)
Date: 14 Nov, 2010
Subject: So why doesn't the mainstream IT press seem to get the IBM mainframe?
Blog: MainframeZone
the 3278/3274 was a big step down from 3277/3272 ... which had much faster response. Battles over "human factors" ... the eventual response was that the 3278 wasn't for interactive computing but "text entry" (basically keypunching paradigm). It was also possible to significantly improve the human factors of the 3277 .... but with the 3278 ... a lot of the electronics were moved back into the shared 3274 controller (significantly slowing down overall operation, increasing channel busy per operation, and eliminating being able to do any hardware hacks in the local terminal).

PC terminal emulation provided for early rapid uptake of PCs (could get a PC for about the same as a 3270 terminal and in a single footprint get host terminal emulation and some local computing; "no-brainer" since the 3270 terminal was already justified). Later the communication group protecting the terminal emulation install base became a major road block. After the disk division had several advanced products blocked by the communication group (communication group had strategic responsibility for anything that crossed the datacenter walls), a senior disk division engineer got a talk scheduled at the communication group world-wide, annual (internal) conference. He opened the talk with the statement that the communication group was going to be responsible for the demise of the disk division. As PCs became more sophisticated, the terminal emulation paradigm was becoming an increasing bottleneck ... and customers were moving data (out of the datacenter) to more distributed computing friendly platforms.

A trivial example was the workstation division that had PC/RT with 16bit AT-bus and did their own 4mbit token/ring card. For the RS/6000 with microchannel, the workstation division was "forced" to use PS2 cards. It turns out that the PS2 microchannel 16mbit T/R card (with design point of 300+ stations sharing same bandwidth for terminal emulation) had lower per-card thruput than the PC/RT 4mbit T/R card. There eventually was joke that if the only thing that RS6000 was allowed to use was PS2 cards, it would run as slow as PS2.

This is recent post (from yesterday) in ibm-main mailing list about special project that I did for the IMS development group ... when 300 people were moved from STL to offsite bldg.
http://www.garlic.com/~lynn/2010o.html#55

this is an older post with some of the old 3272/3274 comparison data
http://www.garlic.com/~lynn/2001m.html#19

About the time the disk division's problems with the communication group started ... one of my (internal) projects was high-speed data transport ... and I was having some hardware built on the other side of the pacific. The Friday before an overseas trip, the communication group sent out an announcement for an advanced communication online discussion ... the announcement included the following definitions:

low-speed: <9.6kbits
medium-speed: 19.2kbits
high-speed: 56kbits
very high-speed: 1.5mbits

The following Monday in a conference room (on the other side of the pacific), there were the following definitions:
low-speed: <20mbits
medium-speed: 100mbits
high-speed: 200-300mbits
very high-speed: >600mbits

--
virtualization experience starting Jan1968, online at home since Mar1970

So why doesn't the mainstream IT press seem to get the IBM mainframe?

From: lynn@garlic.com (Lynn Wheeler)
Date: 15 Nov, 2010
Subject: So why doesn't the mainstream IT press seem to get the IBM mainframe?
Blog: MainframeZone
re:
http://www.garlic.com/~lynn/2010o.html#57 So why doesn't the mainstream IT press seem to get the IBM mainframe?

Note that mainframes would have been the ideal platform of choice for the web ... if it hadn't been for all the problems with the interconnect ... as referenced in the post above.

the original web server outside CERN was on the SLAC VM system
http://www.slac.stanford.edu/history/earlyweb/history.shtml

HTML was an evolutionary process from SGML ... which was the ISO standard of GML that had been invented at the science center in 1969. Original CMS document processing was "runoff" controls from CTSS days ... but then GML processing was added. Waterloo did a clone ... and that shows up in a look at early HTML evolution:
http://infomesh.net/html/history/early/

We had been called in to consult with a small client/server startup that wanted to do payment transactions on their server; the startup had also invented some technology called SSL that they wanted to use; the result is now frequently called "electronic commerce". Lots of these e-commerce operations really wanted darkroom, unattended operations for their servers ... which was difficult to come by on non-mainframe platforms.

We had done some of that in our HA/CMP product before we left ... and some of the work on electronic commerce involved retrofitting some technology to platforms that had never really been used in that way before.

old reference to HA/CMP scaleup for commercial use ... before it was transferred, announced for numerical intensive only, and we were told we couldn't work on anything with more than four processors (we didn't stay around long after that):
http://www.garlic.com/~lynn/95.html#13

total trivia ... two of the people mentioned in the above jan92 meeting in ellison's conference room ... show up at the small client/server startup responsible for something called the "commerce server" ... when we were brought in to consult on doing payment transactions

other archaic trivia ... prior to the transfer of cluster scaleup and telling us that we couldn't work on anything with more than four processors, the responsible organization had been heavily funding Chen Supercomputers. That floundered and later Chen shows up as CTO of Sequent. Before IBM buys Sequent, we do some consulting for Chen, including looking at FLEX (Sequent was the strategic platform for FLEX). In the 70s, Endicott had sucked me into some microcode assists ... and there were numerous similarities between how mainframes used microcode to implement 370s and what FLEX was doing.

--
virtualization experience starting Jan1968, online at home since Mar1970

They always think we don't understand

From: lynn@garlic.com (Lynn Wheeler)
Date: 16 Nov, 2010
Subject: They always think we don't understand
Blog: Greater IBM
I was on a day trip to wall street yesterday and finished reading GRIFTOPIA
http://www.amazon.com/Griftopia-Machines-Vampire-Breaking-America/dp/0385529953

during the flight (on a kindle; I was somewhat surprised by the number of people that had kindles out). It paints a picture that there is little effective difference between the parties ... and the majority of political rhetoric appears to be distraction/entertainment for the populace (a little like roman games). It claims that the effective bailout is now somewhere between $13T and $14T (way above what was appropriated in TARP).

As to the auto bailout, in the very early 90s (20 years ago), the auto industry had a C4 taskforce looking at how to completely remake themselves. Some number of technology companies were invited to participate. During the meetings, they laid out the major issues and everything that needed to be changed; however all the major stakeholders had too much vested interest in the status quo and nothing appeared to change (there have been some recent stories that there still hasn't been much substantive change). At the time, I actually had the opportunity to offline chide some of the mainframe brethren ... some number of the issues raised also applied to them at the time.

I've been following Walker since the days when he was comptroller general (and making statements that nobody in congress is capable of middle school arithmetic). Current budget problems started getting much worse when congress let the fiscal responsibility act expire in 2002. Walker's book is somewhat less inflammatory (than Taibbi's) ... but still presents a very similar story (from a different perspective):

Comeback America: Turning the Country Around and Restoring Fiscal Responsibility
http://www.amazon.com/Comeback-America-Turning-Restoring-Responsibility/dp/1400068606

GRIFTOPIA gives a long list of "business" people that were involved in lots of the critical activities (also Comeback America to a lesser extent since it isn't as focused on the personalities). One of the things pointed out in GRIFTOPIA is that many of the major business players are keeping a lower profile for this administration.

worked out really well for them ... there has been "The 10 Highest-Paid CEOs Who Laid Off The Most Employees" discussion in the "IBM Alumni" (linkedin) group ... item from today:

update from today: Economic Recovery Limps Along While Paychecks for CEOs Soar. Imagine the number of jobs that could be created if these leaders showed some real leadership and took smaller salaries
http://www.consumeraffairs.com/news04/2010/11/economic-recovery-limps-along-while-paychecks-for-ceos-soar.html

goes along with the report that the ratio of executive to worker compensation had exploded to 400:1 after having been 20:1 for a long time and 10:1 in most of the rest of the world.

....

Two years ago there was a (CBS?) news broadcast of a roundtable discussion at an annual economist conference. Part was that congress is the most corrupt institution on the face of the earth ... due largely to heavy lobbying ... frequently involving tax provisions. The current tax code is 65,000 pages and dealing with it involves something like 6% of GDP. Going to a flat-rate tax would result in reducing the tax code to 400-500 pages and gain back nearly all of that 6% in lost productivity (which would more than offset any desirable special provisions lost in the current paradigm --- also going a long way to eliminating a significant amount of graft & corruption from heavy lobbying). The roundtable discussion ended with the semi-humorous observation that Ireland is one of the bodies lobbying against the US changing to a flat-rate tax (apparently the complexity of dealing with the US tax code is one of the reasons companies give for setting up in Ireland).

Note that GRIFTOPIA lists a significant number of US companies with a 1% effective tax collection (actual percent of profits paid in taxes) ... regardless of the actual tax rate. "Comeback America" has stats that the percent of total tax collections coming from corporations has significantly fallen in the past 50 years.

There are some related reports about wall street ... from NY state ... avg. wall street bonuses spiked by over 400% during the recent bubble (and since the bubble burst, lots of activity to try and maintain bonuses at peak level) ... at the same time the size of the financial industry has tripled (as percent of GDP) ... with no benefit to the economy or country (and in fact, just the opposite).

There has been a report that something like $27T in toxic CDO transactions were done during the bubble (effectively unregulated). The fees, commissions, etc ... on those transactions would account for both the spike in bonuses as well as the tripling in size of the financial sector. At the height of the bubble ... I heard references to "musical chairs" and who might be left holding the toxic stuff when the music stopped ... however, the (individual) compensation and bonuses were so huge from the toxic CDO transactions that it seemed to eliminate any concern about what it all might do to their companies, the economy, and/or the country. GRIFTOPIA doesn't actually mention "musical chairs" ... but it has references that come pretty close.

... that is why it might be useful to also read (former comptroller general) Walker's book ... which is much drier and much less of a story read ... but covers much of the same subject matter from a different viewpoint.

For yet a different viewpoint ... I've periodically mentioned that early last year I was asked to HTML'ize the Pecora hearings (had been scanned the previous fall at the Boston public library), adding lots of indexing and HREFs relating what happened then with citations of what happened this time ... in anticipation that the incoming gov. would have an appetite for addressing the subject. After putting a lot of work into the effort ... I was then told that it turned out that there wasn't really that much of an appetite to do anything after all.

One of the results of the Pecora hearings was Glass-Steagall as a countermeasure to prevent the types of things identified by the Pecora hearings. There are numerous items this time (after Glass-Steagall was repealed) that bear lots of resemblance to things identified by the Pecora hearings ... and there has yet to be anything resembling a modern version of Glass-Steagall (as a countermeasure to the events of the last decade).

It would help to read the book ... besides various direct references (some that are easily found in news items/URLs from the period) ... Taibbi tries to represent the positions of various sides ... then what shows up in administrative position/legislation (as an indirect reference as to which parties have major influence). Walker also represents various implications of various legislation.

Taibbi's book does have a couple of pages about instances of FUD raised regarding what he was saying ... FUD that managed to avoid saying that anything was incorrect.

--
virtualization experience starting Jan1968, online at home since Mar1970

Compressing the OODA-Loop - Removing the D (and maybe even an O)

From: lynn@garlic.com (Lynn Wheeler)
Date: 16 Nov, 2010
Subject: Compressing the OODA-Loop - Removing the D (and maybe even an O)
Blog: Boyd's Strategy
re:
http://www.garlic.com/~lynn/2010o.html#21 Compressing the OODA-Loop - Removing the D (and maybe even an O)
http://www.garlic.com/~lynn/2010o.html#39 Compressing the OODA-Loop - Removing the D (and maybe even an O)

metaphors (and other mechanisms) when the language lacks appropriate words to provide the context (long ago & far away I would make computers do things ... and then would be criticized for not being able to translate what was happening into English). Note, some organizations believe their taxonomy is among their most valuable assets (crown jewels).

the inverse of blind people hear & feel better

Deaf Adults See Better Than Hearing People, New Study Finds
http://www.sciencedaily.com/releases/2010/11/101110205051.htm

part of the fluidity would be the learning moving into the stimulus-response part of the brain (upthread reference): Frontal Lobe of the Brain Is Key to Automatic Responses to Various Stimuli, Say Scientists. At 8, I learned to drive on a '38 chevy truck, manual with no synchromesh ... had to double-clutch both on up-shifting and down-shifting. Later, synchromesh would be on all but 1st gear ... however, with the experience as a kid I could down-shift into 1st gear while moving.

not a completely lost art:
https://en.wikipedia.org/wiki/Manual_transmission

from above:
Heavy duty trucks often use unsynchronized transmissions. Military trucks usually have synchronized transmissions, allowing untrained personnel to operate them in emergencies. In the United States, traffic safety rules refer to non-synchronous transmissions in classes of larger commercial motor vehicles. In Europe, heavy duty trucks use synchronized gearboxes as standard.

... snip ...

item (from tomorrow) on language affecting thought processes

Language May Help Create, Not Just Convey, Thoughts and Feelings
http://www.sciencedaily.com/releases/2010/11/101103111206.htm

somewhat related is this thread that Scott pointed at

A Hipbone Approach IV: Polar bears and polar opposites
http://zenpundit.com/?p=3602

which mentions Einstein's comment about thought processes. Some of this may get into people's preference and comfort zone ... how much might they confine themselves to thought processes of a (specific) language.

I've made reference in the past about getting blamed for online computer conferencing in the late 70s and early 80s on the corporate internal network (larger than the arpanet/internet from just about the beginning until possibly late 85 or early 86). Somewhat one of the outcomes was that a researcher was paid to study how I communicated; they sat in the back of my office for nine months taking notes on my conversations (face-to-face, phone, etc), got copies of all my incoming & outgoing email as well as logs of all instant messages. The result was also a Stanford PhD thesis (joint between language and computer AI), as well as material for papers and books. The researcher had previously spent some years as an ESL (English as a 2nd language) teacher ... and observed that English seemed to be my 2nd language (my thought processes don't appear to correspond to English) ... the issue is that leaves me with no primary natural language.

--
virtualization experience starting Jan1968, online at home since Mar1970

They always think we don't understand

From: lynn@garlic.com (Lynn Wheeler)
Date: 17 Nov, 2010
Subject: They always think we don't understand
Blog: Greater IBM
re:
http://www.garlic.com/~lynn/2010o.html#59 They always think we don't understand

A post from last year in financial/payment (linkedin) group discussion titled "The Paradox of Economic Recovery"
http://www.garlic.com/~lynn/2009h.html#25 The Paradox of Economic Recovery

which has some of the original references to items I mentioned upthread. Part of the issue was that the country got itself into such a deep hole (which resulted in all sorts of collateral damage spreading out into numerous sectors of the economy) ... that it is going to take a long time to get out of it ... and is going to totally frustrate the instant gratification generation & doesn't fit into 15min sound-bites.

Off-topic observation ... in the 90s, it was quite common to have incoming freshmen getting their first access to online computing ... discover usenet discussion groups ... and at the start of the fall semester there would be a lot of requests for answers to homework questions as well as "flame-wars" ... wiki reference
https://en.wikipedia.org/wiki/Flaming_%28Internet%29

disclaimer: I was blamed for online computer conferencing on the ibm corporate internal network in the late 70s & early 80s (the internal network was larger than the arpanet/internet from just about the beginning until late '85 or possibly early '86)

posts in (linkedin) Systems Thinking group discussion (with various references):
http://www.garlic.com/~lynn/2009h.html#36 Analysing risk, especially credit risk in Banks, which was a major reason for the current crisis
http://www.garlic.com/~lynn/2009h.html#40 Analysing risk, especially credit risk in Banks, which was a major reason for the current crisis

and then one in Greater IBM group discussion
http://www.garlic.com/~lynn/2009h.html#49 IBM to Build Europe, Aisa 'Smart Infrastructure'

--
virtualization experience starting Jan1968, online at home since Mar1970

They always think we don't understand

From: lynn@garlic.com (Lynn Wheeler)
Date: 17 Nov, 2010
Subject: They always think we don't understand
Blog: Greater IBM
re:
http://www.garlic.com/~lynn/2010o.html#59 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#61 They always think we don't understand

was ... not am ... IBM Systems mag. did an article on me in spring of 2005 ... they even sent a photographer to the house for a photo shoot ... for the paper version ... the pictures aren't in the online version:
http://www.ibmsystemsmag.com/mainframe/stoprun/Stop-Run/Making-History/

more recently added to the mainframe hall-of-fame
http://www.mainframezone.com/blog/mainframe-hall-of-fame-four-new-members-added/

folklore is that when somebody finally got around to telling the executive committee (ceo, pres, etc) about online computer conferencing (and the internal network) in the early 80s, five of six wanted to fire me. Later supposedly it was the sixth that was responsible for funding my HSDT (high speed data transport) project ... some past posts on HSDT
http://www.garlic.com/~lynn/subnetwork.html#hsdt

some past posts mentioning internal network
http://www.garlic.com/~lynn/subnetwork.html#internalnet

my wife used to really offend senior executives when she would remind them that I had never been wrong. Later when we both left, in my executive exit interview ... one of the comments was they could have forgiven me for being wrong, but they would never forgive me for being right.

one of the things done with HSDT was working with some of the entities that would be in the NSFNET backbone (operational precursor to the modern internet), including NSF. Possibly because of past offenses and internal politics, we weren't allowed to bid on the NSFNET backbone RFP when it came out. The Director of NSF even sent a letter to the company ... but that appeared to just aggravate the internal politics. Some past related email from the period
http://www.garlic.com/~lynn/lhwemail.html#nsfnet

for several years I was the only IBM attendee here (invitation only):
https://en.wikipedia.org/wiki/The_Hackers_Conference

--
virtualization experience starting Jan1968, online at home since Mar1970

They always think we don't understand

From: lynn@garlic.com (Lynn Wheeler)
Date: 17 Nov, 2010
Subject: They always think we don't understand
Blog: Greater IBM
re:
http://www.garlic.com/~lynn/2010o.html#59 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#61 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#62 They always think we don't understand

one of my hobbies used to be building and supporting production operating systems for internal datacenters ... including the world-wide sales&marketing support HONE systems .... misc. past posts mentioning HONE
http://www.garlic.com/~lynn/subtopic.html#hone

The hdqtrs data processing division executive position, that HONE reported to, used to be one of the "fast track" positions ... a branch manager "star" would get promoted to that position and then after a year or two start moving up the executive ranks. There would usually be some turbulence when some new executive eventually learned where HONE got its system (it usually also came as a shock that the company was run on a virtual machine operating system ... and not the premier mainframe operating system that the branch offices sold customers).

some old email mentioning when I called it CSC/VM ... when I was at the science center ... before transferring to research:
http://www.garlic.com/~lynn/2006v.html#email731212 731212
http://www.garlic.com/~lynn/2006w.html#email750102 750102
http://www.garlic.com/~lynn/2006w.html#email750430 750430

my work with HONE actually started out with it on a (virtual machine) CP67 system ... predating vm370.

another hobby (after transferring to research) was that they let me play disk engineer in bldgs. 14&15. some past posts
http://www.garlic.com/~lynn/subtopic.html#disk

and working on the original sql/relational database, system/r
http://www.garlic.com/~lynn/submain.html#systemr

misc past posts mentioning SJR/VM (after I had transferred to research):
http://www.garlic.com/~lynn/2006u.html#26 Assembler question
http://www.garlic.com/~lynn/2006y.html#35 The Future of CPUs: What's After Multi-Core?
http://www.garlic.com/~lynn/2007.html#3 The Future of CPUs: What's After Multi-Core?
http://www.garlic.com/~lynn/2007b.html#51 Special characters in passwords was Re: RACF - Password rules
http://www.garlic.com/~lynn/2007c.html#12 Special characters in passwords was Re: RACF - Password rules
http://www.garlic.com/~lynn/2008h.html#46 Whitehouse Emails Were Lost Due to "Upgrade"
http://www.garlic.com/~lynn/2008s.html#39 The Internet's 100 Oldest Dot-Com Domains
http://www.garlic.com/~lynn/2009i.html#35 SEs & History Lessons
http://www.garlic.com/~lynn/2010b.html#100 "The Naked Mainframe" (Forbes Security Article)
http://www.garlic.com/~lynn/2010d.html#70 LPARs: More or Less?
http://www.garlic.com/~lynn/2010f.html#24 Would you fight?
http://www.garlic.com/~lynn/2010l.html#20 Old EMAIL Index
http://www.garlic.com/~lynn/2010n.html#62 When will MVS be able to use cheap dasd

--
virtualization experience starting Jan1968, online at home since Mar1970

They always think we don't understand

From: lynn@garlic.com (Lynn Wheeler)
Date: 17 Nov, 2010
Subject: They always think we don't understand
Blog: Greater IBM
re:
http://www.garlic.com/~lynn/2010o.html#59 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#61 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#62 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#63 They always think we don't understand

left in '92 in the last good buyout with "leave" that bridged me to 30yrs. in the late 70s they started telling me I would never have a career or promotions. first day on leave/bridge (with no chance of coming back), I get a letter at home saying I had been promoted.

this is post about jan92 meeting in Ellison's conference room on cluster scaleup
http://www.garlic.com/~lynn/95.html#13

within a month, the effort was transferred and we were told we couldn't work on anything with more than four processors ... not long afterwards we left. old email mentioning cluster scaleup
http://www.garlic.com/~lynn/lhwemail.html#medusa

last email referenced in above, was possibly only hrs before effort was transferred:
http://www.garlic.com/~lynn/2006x.html#email920129

after being transferred it was announced as a supercomputer for the numerical intensive market place (only, none of the work for commercial or DBMS). past posts mentioning ha/cmp
http://www.garlic.com/~lynn/subtopic.html#hacmp

post last year: From The Annals of Release No Software Before Its Time
http://www.garlic.com/~lynn/2009p.html#43

for complete trivia ... two of the other people mentioned in Jan92 Ellison conference room meeting ... later show up at a small client/server startup responsible for something called the "commerce server". We were called in as consultants because they wanted to do payment transactions on the server; the startup had also invented this technology called SSL they wanted to use; the result is now frequently called "electronic commerce".

--
virtualization experience starting Jan1968, online at home since Mar1970

They always think we don't understand

From: lynn@garlic.com (Lynn Wheeler)
Date: 17 Nov, 2010
Subject: They always think we don't understand
Blog: Greater IBM
re:
http://www.garlic.com/~lynn/2010o.html#59 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#61 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#62 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#63 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#64 They always think we don't understand

Was at a financial services company for a decade. Somewhat as a result of having done what is now called "electronic commerce" ... in the mid-90s I was asked to participate in the x9a10 financial standard working group ... which had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments. The x9a10 work resulted in the x9.59 financial transaction standard ... I was also co-author of the x9.99 financial privacy standard (which involved having to deal with some of GLBA ... other than the part that repealed Glass-Steagall). Some recent posts in the (linkedin) Payment Systems Group
http://www.garlic.com/~lynn/2010o.html#46 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#49 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#50 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#51 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#53 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#54 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#56 The Credit Card Criminals Are Getting Crafty

for the fun of it ... some other corporate/mainframe posts in the (linkedin) mainframezone group
http://www.garlic.com/~lynn/2010o.html#57 So why doesn't the mainstream IT press seem to get the IBM mainframe?
http://www.garlic.com/~lynn/2010o.html#58 So why doesn't the mainstream IT press seem to get the IBM mainframe?

one of the other things I did while at IBM was sponsor John Boyd's briefings ... including OODA-loops and how to prevail in a competitive situation. Lots of past posts mentioning John Boyd
http://www.garlic.com/~lynn/subboyd.html#boyd1
and various URLs from around the web mentioning John and/or OODA-loops
http://www.garlic.com/~lynn/subboyd.html#boyd2

Boyd is credited for having done the battle plan/strategy for Desert Storm ... and there have been quotes that the big problem with the current conflicts in the area is that John died in 1997. While the Air Force pretty much disowned him, he was adopted by the Marines and there is a section of the Marine museum in Quantico for John.

as an undergraduate ... Boeing had me in to help set up online timesharing operations ... sort of part of getting BCS going (I guess I was among the first dozen or so BCS employees, listed as a full-time employee with a middle management badge that got me into good hdqtrs parking at Boeing Field ... even though I was an undergraduate and still going to school). At the time, I thought that Boeing Renton was the largest datacenter. However, about the same time, one of Boyd's biographies lists him as doing a tour in charge of "spook base" ... which they list as a $2.5B windfall for IBM (nearly $20B in today's dollars) ... in dollars, it would make it ten times larger than Boeing Renton.

For the first of John's briefings at IBM, I tried to have it sponsored through the employee education department. Initially they agreed, but when I provided them with a more detailed abstract, they declined and suggested that I restrict those attending to just people in competitive analysis departments. They said that the company spends a lot of money educating managers on how to deal with employees and they felt that letting general employees attend Boyd's briefings could be counterproductive (effectively implying that management/employee relationships are a competitive environment).

Boyd wiki page
https://en.wikipedia.org/wiki/John_Boyd_%28military_strategist%29
OODA-loop wiki page
https://en.wikipedia.org/wiki/OODA_loop

--
virtualization experience starting Jan1968, online at home since Mar1970

They always think we don't understand

From: lynn@garlic.com (Lynn Wheeler)
Date: 18 Nov, 2010
Subject: They always think we don't understand
Blog: Greater IBM
re:
http://www.garlic.com/~lynn/2010o.html#59 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#61 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#62 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#63 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#64 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#65 They always think we don't understand

from a budget reform & fiscal responsibility standpoint (former comptroller general Walker's book goes into this in much more detail) ... see the "military reform" section on Boyd's wiki page
https://en.wikipedia.org/wiki/John_Boyd_%28military_strategist%29

in the early 80s, Chuck was on the cover of Time with an 18pg article that went into lots of details (much of it orchestrated by Boyd) ... reference here:
http://www.phibetaiota.net/2009/08/contributing-editor-franklin-chuck-spinney/

another reference:
http://www.counterpunch.org/spinney12232008.html

something more recent:
http://www.phibetaiota.net/2010/11/journal-chuck-spinney-objects-on-israel-gaza-blocade-and-f-35-lemon/

as Walker points out ... reform of the pentagon is important, but has a decreasing effect since it went from 50% of the budget to 20% (and declining). the enormous exploding parts of the budget are the unfunded mandates in the retirement & medical area (especially starting after congress let the fiscal responsibility act expire in 2002).

60 minutes had a segment on the machinations that slipped a one liner into medicare part-d ... and was careful to make sure nobody noticed ... which accounts for a huge percentage of the unfunded mandates (the sentence eliminated any competitive bidding on drugs). They showed side by side, identical drugs ... VA's price is 1/3rd part-d's price (since VA is allowed competitive bidding). The 60 minutes segment had the 18 core participants (responsible for the one liner) ... having resigned and working for drug companies within six months of bill passage. More recent health care legislation that went to congress also excluded competitive bidding.

Fixing The US Budget -- Straightforward Or The Hardest Problem On Earth?
http://baselinescenario.com/2010/11/18/fixing-the-us-budget/

from somebody at

Peter G. Peterson Institute for International Economics
http://www.iie.com/
and
http://www.iie.com/institute/aboutiie.cfm

after Walker resigned as comptroller general
https://en.wikipedia.org/wiki/David_M._Walker_%28U.S._Comptroller_General%29

he took over as head of

Peter G. Peterson Foundation
http://www.pgpf.org/Issues.aspx

Boyd was core of military reform. When Boyd was head of lightweight fighter design he redid a lot of the F15 & F18 (cutting weight in half, making much more agile). He then was the critical driving force behind the F16. Boyd told a story that the people responsible for the F15 tried to have him thrown in Leavenworth for the rest of his life (viewing his work on the F16 as competitive with the F15). The line was that he was using enormous amounts of unauthorized supercomputer time as part of the F16 effort ... which amounted to theft of tens of millions of gov. property.

Later he ripped the people doing heads-up display on F16 ... since the engineers didn't understand how pilot flew plane (they initially had scrolling digital numbers ... which took a large amount of pilot attention to translate into anything meaningful ... akin to texting while driving).

Later he was a big backer of the F20/Tigershark (over the F16) ... since you could buy a large number of F20s for every F16 ... and the number of flying hrs per hrs of maintenance was significantly higher (the total number of hrs having F20s flying per dollar spent was enormously larger) ... the skill level for F20 maintenance was also much lower. They eventually thought it was the ideal plane for overseas customers (even if the lobby in the US was too strong). Lobbying in congress eventually got a provision in a foreign aid bill that would fully pay for foreign country purchase of F16s (but not if they bought F20s).

Part of Boyd's briefing in the 80s was that US business was starting to come under the effect of US Army organization for WW2. Going into WW2, US had very few skilled resources so they created a very rigid, top-down, command&control infrastructure to manage huge numbers of unskilled resources being thrown into the conflict (and leverage the very few skilled resources that they had). Boyd's briefings had lots of WW2 examples where the US strategic objective was win by overwhelming (relatively unskilled) resources. As those young army officers started to permeate business executive ranks ... they would emulate their early training ... huge organizations with rigid top-down command&control structures ... assuming that the vast number of workers didn't really know what they were doing.

This attitude was used recently to explain report that ratio of executive to employee compensation had exploded to 400:1 (after having been 20:1 for a long time and 10:1 in most of the rest of the world) ... justified because of assumption that only the top executives have any idea about what they are doing.

One of the budget numbers is purely demographics ... somewhat related to walker's periodic comments that members of congress aren't capable of even simple middle school arithmetic. Baby boomer generation is four times larger than the previous generation (a major reason it is called the baby boomer generation) and twice as large as the following generation (basic big population bubble moving through the economy). During baby boomer peak earning years ... it is relatively trivial to siphon off taxes to support the previous (retired) generation. As baby boomers move into retirement, the ratio of workers (in peak earning yrs) to number of retirees declines by factor of eight (number of retirees increase by factor of four, their replacements are only half as many; doesn't even take into account baby boomers are living longer). The ratio of geriatric health care workers will also tend to decline by factor of eight (retiree generation increases by factor of four, their working replacements are cut in half). Those effects spread out throughout the whole economy.

I was tangentially involved in some B2 ... because of the HSDT stuff ... I got on the XTP technical advisory board. Various operations were looking at XTP for naval ship operations and airplane operation ... so there would be members of agencies and their contractors at the meetings. At one point the B2 group brought B2 coffee mugs for the organization (heat sensitive plastic that while cold showed B2 on radar screen image, but pour in hot coffee the B2 would disappear).

Besides the raw demographics of the baby boomer population bubble ... there is also that the following generation is less educated and less skilled (along with better educated foreign competition), resulting in lower (inflation adjusted) per capita taxable income. The 1990 census had 1/3rd of 18 yr olds not graduating from high school ... as well as 1/2 of 18 yr olds (even those that did graduate from high school) being functionally illiterate. Foreign auto manufacturers (setting up operation in the US) claimed they had to require a minimum two year junior college degree ... in order to get workers with a high school level education (also a recent item that the US ranks 52nd in quality of math & science education).

So if (inflation adjusted) per capita taxable income is cut in half ... along with the ratio of the number of peak earning workers to retirees is cut by factor of eight ... that would result in cut by factor of 16 in ratio of tax collections per retiree.

As an aside ... everybody pretty much agrees that while pork is symptomatic of the overall problem ... it only amounts to possibly less than 10% of the actual problem. Lots of what goes on in the press is obfuscation and mis-direction (appearance of "sides" could even be likened to the roman games as distraction for the populace).

Note that towards the end of WW2, combat engineers did get something of a dynamic structure. My wife's father was West Point and then the army sent him to Berkeley for a graduate degree (all before WW2). Nearing the end of WW2, he was put in command of the 1154th engineering combat group. The engineering combat groups were an organizational command structure that would tend to have 3-6 engineering battalions, but they would float between different commands ... as requirements demanded. Towards the end, he was frequently in front of the tanks and ranking officer in enemy territory ... acquiring a number of senior officer daggers in surrenders. I've done some research at the national archives on the 1154th ... was able to find many of their weekly status reports (which had to be declassified).

Possibly as a reward, afterwards they posted him to Nanking as military adviser to the general (he did get to take along his family).

Boyd has a story that it was a deliberate strategic decision that Shermans were so under-gunned and under-armored ... because it made it cheaper to turn out enormous numbers. The observation was that it did result in a morale problem with the crews ... jokes about washing the insides out with a hose (some reference to Shermans cremating lots of their crews) and putting it back in service with a new crew. There were comments that crews were getting so scarce towards the end ... that even the cooks were recruited. My uncle was a tank mechanic in Europe for just about the whole conflict. The thing that possibly saved him was he was really big and wouldn't fit inside.

Boyd had a similar Vietnam story. He reviewed the air force air-to-air missile before the conflict and said that it would hardly ever hit the enemy, even tho all their trial runs showed it hitting every time (some comment about the engineers not really understanding what happens in air-to-air combat). In the middle of Vietnam, Boyd turned out to be correct. The commanding air force general in Vietnam grounds all fighters while the air force missiles are replaced with navy Sidewinders (significantly better hit rate). The general lasted three months before he is called on the carpet in the Pentagon (and replaced). Some of the Pentagon are so far away from the conflict that they measure things based on different criteria, like budget share. It was bad enough that the general was losing fewer planes & pilots and not using air force missiles .... all reducing air force budget share ... but the absolute worst was that he was also increasing navy budget share by using navy missiles.

My impression was that being on the leading edge into Germany and liberating some camps ... possibly resulted in him not staying in Germany after the hostilities ended.

My wife has story about being evacuated in army cargo plane from Nanking on 3hrs notice (when the city was ringed) ... and landing at Tsing Tao airfield after dark (they used truck and car headlights to illuminate the field). The family then lived on the USS Repose for 3months in Tsing Tao harbor before getting transport back to the states.

One of things that doesn't get much play in the US, is about the 3 sisters ... the family married the sisters off to the different sides so it didn't matter who eventually would win.
https://en.wikipedia.org/wiki/Soong_sisters

my wife's mother attended some state dinners in nanking with the youngest sister.

part of one of the 1154th status reports:
On 28 Apr we were put in D/S of the 13th Armd and 80th Inf Divs and G/S Corps Opns. The night of the 28-29 April we cross the DANUBE River and the next day we set-up our OP in SCHLOSS PUCHHOF (vic PUCHOFF); an extensive structure remarkable for the depth of its carpets, the height of its rooms, the profusion of its game, the superiority of its plumbing and the fact that it had been owned by the original financial backer of the NAZIS, Fritz Thyssen. Herr Thyssen was not at home.

Forward from the DANUBE the enemy had been very active, and an intact bridge was never seen except by air reconnaissance. Maintenance of roads and bypasses went on and 29 April we began constructing 835' of M-2 Tdwy Br, plus a plank road approach over the ISAR River at PLATTLING. Construction was completed at 1900 on the 30th. For the month of April we had suffered no casualties of any kind and Die Gotterdamerung was falling, the last days of the once mighty WHERMACHT.


... snip ...

I used digital camera to image each page, national archives gave me a declassification sticker that had to be included in the image of each page.

Long ago and far away, we visited somebody at College Park the first week that they started moving people in (about helping with digitizing lots of their records). It was explained that it was an expensive marble edifice which was directed appropriations using nearly all of the available national archives budget ... supposedly as a gift to the Maryland construction industry (leaving nothing for preserving a lot of records that were rotting in the damp basement of a warehouse in Washington). Directed appropriations are a form of pork (by congress) where agencies are directed how to spend money .... frequently w/o actually allocating any additional funds. --
virtualization experience starting Jan1968, online at home since Mar1970

CARD AUTHENTICATION TECHNOLOGY - Embedded keypad on Card - Is this the future

Refed: **, - **, - **, - **
From: lynn@garlic.com (Lynn Wheeler)
Date: 18 Nov, 2010
Subject: CARD AUTHENTICATION TECHNOLOGY - Embedded keypad on Card - Is this the future
Blog: Payment Systems Network
This came up in the early 90s ... proposing radically increased sophistication for financial chipcards (with scores being carried in everybody's wallet/purse) ... and at what point are you better off just having a single integrated device like a smartphone.

The banks have wrapped a bunch of marketing and branding stuff around institution issued cards ... which eventually comes up anytime there is any discussion of migrating to a (single) user owned device. Individuals with dozens of cards collapse down to their smartphone (which they already have). Unit cost of a smartphone for 1.3B cards is pretty much obfuscation and misdirection. US has had land-line subsidized programs for the poor and with an increasing number of households going w/o land-lines ... the programs are shifting to subsidized cellphones. This is getting down into the 1/3rd or so of the population that are "unbanked" (and therefore tend to not have cards anyway) ... where it is becoming more likely they'll have a cellphone than a bank card.

Cellphone operators attempted entry into the market in the late-90s ... figuring a bunch of optimization by combining the cellphone bill and credit card bill (not just using the cellphone for an authentication device ... but trying to take over the whole payment business). They got badly burned because they didn't have good processes for handling people that didn't pay their bill (and got out of the business). There is a distinction between just using the cell/smart phone as an intelligent (person-centric) something you have authentication device ... as opposed to having the cellphone operator also providing financial services and taking over the whole payment processing industry. The failed attempt at doing everything sort of derailed the activities for the past ten years.

Next Google phone will be mobile wallet: CEO
http://news.yahoo.com/s/afp/20101116/tc_afp/usitinternettelecomgoogle

took decade or so ... but looks like coming back ....

Does iWallet iPhone Mean Apple vs. PayPal?
http://www.pcworld.com/article/210785/does_iwallet_iphone_mean_apple_vs_paypal.html
Verizon, AT&T, T-Mobile form joint digital wallet venture
http://www.computerworld.com/s/article/9196783/Verizon_AT_T_T_Mobile_form_joint_digital_wallet_venture
Mobile Providers Form New Digital Wallet Venture
http://news.yahoo.com/s/pcworld/20101116/tc_pcworld/mobileprovidersformnewdigitalwalletventure
Mobile providers form new digital wallet venture
http://www.networkworld.com/news/2010/111610-mobile-providers-form-new-digital.html
Google Announces Next Generation Smartphone
http://www.redorbit.com/news/technology/1951325/google_announces_next_generation_smartphone/index.html
Google to turn mobiles into payment devices
http://www.networkworld.com/news/2010/111610-google-to-turn-mobiles-into.html
Bump and You Can Pay with Google's New Smartphone
http://news.yahoo.com/s/nf/20101116/bs_nf/76100
Wireless Carriers Unveil Isis, Their Mobile Payments Joint Venture
http://www.digitaltransactions.net/news/story/2803

becoming the latest, greatest (more than 10yr old) thing (even MIT publication doing articles)

When Mobile Phone Payments Go Social; Your cell phone could soon tell your friends what you're buying and where
http://www.technologyreview.com/business/26647/?p1=A6

magstripe has gotten so cheap that fully loaded cost of issuing a (new) magstripe totally swamps the cost of the magstripe by couple orders of magnitude (see damages being claimed when there is breach and issuers have to send out new magstripe).

much of the objections based on economics is obfuscation and misdirection. when pressed a little about new technologies that would eliminate issuing and save really enormous amounts of money (both in fraud and in-house administrative costs of sending out new magstripe ... that makes actual token/card physical costs immaterial) ... the marketing departments step in with comments about current magstripe issuing is really about marketing and branding.

Note that compromises of cellphones are similar to compromises of PCs as well as compromises of ATM machines and POS terminals (some of which have been done during manufacturing).

X9.59 financial transactions eliminated breaches, eavesdropping, and skimming as compromises (i.e. crooks were no longer able to use the harvested information for performing fraudulent transactions ... drastically reducing the attack surface and leaving an enormously reduced number of attack points).

That still left end-point compromises ... where Trojan performs the fraudulent transaction on the compromised end-point (as opposed to harvesting the information for fraudulent transactions performed at some other location). Part of it is that limiting fraudulent transactions to the compromised device significantly simplifies identifying the point of compromise and shutting it down. Also, given that the number and types of compromises have been enormously reduced ... there is possibility that concentrating resources on just those points will result in better/faster solutions.

Gartner: Users of mobile payments to double by 2012; Impact to be felt most in developing world where access to banking is limited
http://www.computerworld.com/s/article/9133633/Gartner_Users_of_mobile_payments_to_double_by_2012

In the past, one of the story lines in the press was that mobile payments would be the province of the more affluent with cellphones and the less well-off would have to make do with magstripe. This implies that it could turn out to actually be the reverse

X9.59 just provided for strong something you have authentication for all payment transactions ... end-to-end TRUE transaction security from the end-user to the end-user's financial institution (the x9a10 financial standard working group had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments; i.e. debit, credit, stored-value, ach, POS, face-to-face, unattended, internet, contact, contactless, high-value, low-value, wireless, transit turnstile, etc; aka ALL). There was lots of work on eliminating the 100*times computational bloat and 100*times payload bloat that were characteristic of some other payment transaction specification from the period (that seriously interfered with being able to provide REAL end-to-end transaction security).

The associations' specification for internet payment transaction from the mid-90s did include things like merchant (and other) certificates ... that contributed significantly to their 100*times computational bloat and 100*times payload bloat (pretty much eliminating any possibility that there could be TRUE end-to-end transaction security). some past posts
http://www.garlic.com/~lynn/subpubkey.html#bloat

The complementary AADS chip strawman work was chip circuits that could support the requirement given to the x9a10 financial standard working group ... be able to support very high REAL, end-to-end transaction security (w/o 100*times computational bloat and 100*times payload bloat) while the circuits could also perform the function within the power limitations and elapsed time limitations of contactless transit gate operation. The AADS chip strawman allowed for format agnostic, person-centric, even allowing an AADS chip to be included in something like a cellphone or even AADS circuits included in the corner of some other chip (a preliminary pass at a pure AADS custom design was 40,000 circuits ... either a very small flake of dedicated silicon or included in existing chips that frequently run to 100s of millions of circuits).

ISO 8583 standard was extended to include carrying extremely lightweight x9.59 authentication field ... the ISO 8583 change was done in such a way that same field could be used by other specifications for carrying enormous 100* payload bloat authentication information.

--
virtualization experience starting Jan1968, online at home since Mar1970
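As an added illustration of the property the post above describes (example code written here; it is not from the original post, from the X9.59 standard text or from the AADS work): a per-transaction authentication field is produced on the user-owned device and checked only at the account holder's financial institution. X9.59 uses a public-key digital signature for that field; this example substitutes an HMAC over the same transaction fields using a per-device key held in the device and at the issuer, which is enough to show why a harvested account number, a captured transaction and an altered amount are all rejected, while a Trojan on the device itself still gets a transaction through but is pinned to that one device's key. The field names, the per-device sequence counter, the `Device`/`Issuer` classes and the sample account number are assumptions for the example and are not the X9.59 or ISO 8583 layout.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import os


def canonical(fields: dict) -> bytes:
    """Deterministic encoding of the fields covered by the authentication value."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class Device:
    """User-owned 'something you have' (chip or phone) holding one key that never leaves it.
    Assumed layout: account, device id, merchant, amount, sequence counter, auth field."""

    def __init__(self, device_id: str, account: str, key: bytes):
        self.device_id, self.account, self.key, self.seq = device_id, account, key, 0

    def sign_transaction(self, merchant: str, amount_cents: int) -> dict:
        self.seq += 1  # per-device counter: a captured transaction cannot be submitted twice
        body = {"account": self.account, "device": self.device_id,
                "merchant": merchant, "amount": amount_cents, "seq": self.seq}
        # Stand-in for the X9.59 digital signature: HMAC with the device key.
        body["auth"] = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        return body


class Issuer:
    """The account holder's institution: the only party that checks the auth field."""

    def __init__(self):
        self.keys, self.revoked, self.last_seq, self.ledger = {}, set(), {}, []

    def enroll(self, device: Device) -> None:
        self.keys[device.device_id] = device.key
        self.last_seq[device.device_id] = 0

    def revoke(self, device_id: str) -> None:
        self.revoked.add(device_id)

    def verify_and_post(self, txn: dict) -> tuple[bool, str]:
        dev = txn.get("device")
        if dev not in self.keys:
            return False, "unknown device"
        if dev in self.revoked:
            return False, "revoked device"
        body = {k: v for k, v in txn.items() if k != "auth"}
        expect = hmac.new(self.keys[dev], canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, txn.get("auth", "")):
            return False, "bad authentication"  # forged, or fields altered after signing
        if txn["seq"] <= self.last_seq[dev]:
            return False, "replay"  # an already-seen (captured) transaction
        self.last_seq[dev] = txn["seq"]
        self.ledger.append(body)
        return True, "accepted"


def run_scenarios() -> dict:
    """Issuer verdict for each of the compromise types the post discusses."""
    issuer = Issuer()
    # Constructed sample device and account number; the key is generated per run.
    phone = Device("dev-42", "4111-0000-0000-0001", os.urandom(32))
    issuer.enroll(phone)
    results = {}

    # 1. Breach / skimming / eavesdropping: attacker has the account number, not the key.
    forged = {"account": phone.account, "device": phone.device_id, "merchant": "mule-shop",
              "amount": 50000, "seq": 99, "auth": "00" * 32}
    results["harvested_account"] = issuer.verify_and_post(forged)

    # 2. Genuine purchase; the captured copy is then replayed and, separately, altered.
    genuine = phone.sign_transaction("coffee-bar", 425)
    results["genuine"] = issuer.verify_and_post(genuine)
    results["replay"] = issuer.verify_and_post(dict(genuine))
    results["tampered_amount"] = issuer.verify_and_post(dict(genuine, amount=42500))

    # 3. End-point compromise: a Trojan on the phone drives the real key. The transaction
    #    verifies, but it is bound to this device, so the point of compromise is visible
    #    and revoking that one key shuts it down.
    results["endpoint_compromise"] = issuer.verify_and_post(
        phone.sign_transaction("mule-shop", 50000))
    issuer.revoke(issuer.ledger[-1]["device"])
    results["after_revocation"] = issuer.verify_and_post(phone.sign_transaction("mule-shop", 1))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22s} -> {verdict}")
```

The point of the third scenario is the one the post makes about end-point compromises: the fraud can only be committed from the compromised device, so the ledger entry itself names the device to revoke, instead of the issuer having to reissue every account whose number leaked.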

Visual tour: 25 years of Windows

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Visual tour: 25 years of Windows
Newsgroups: alt.folklore.computers
Date: Fri, 19 Nov 2010 11:02:43 -0500
Visual tour: 25 years of Windows
http://www.computerworld.com/s/article/9196998/Visual_tour_25_years_of_Windows

--
virtualization experience starting Jan1968, online at home since Mar1970

They always think we don't understand

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: lynn@garlic.com (Lynn Wheeler)
Date: 18 Nov, 2010
Subject: They always think we don't understand
Blog: Greater IBM
re:
http://www.garlic.com/~lynn/2010o.html#59 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#61 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#62 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#63 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#64 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#65 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#66 They always think we don't understand

not exactly trouble shooters ... but in Boyd's briefing Organic Design For Command And Control he has organizational information channels that bypass middle management and "yes man" filtering. Some bits and pieces in old post in 94
http://www.garlic.com/~lynn/94.html#8

taken from Boyd briefing I sponsored at IBM in 1983.
• Napoleon's use of staff officers for personal reconnaissance • British GHQ "phantom" recce regiment in WW II • Patton's "household cavalry" • My use of "legal eagle" and comptroller at NKP

... snip ...

couple URLs with copy of briefing
http://www.ausairpower.net/APA-Boyd-Papers.html
http://www.ausairpower.net/JRB/organic_design.ppt
http://globalguerrillas.typepad.com/JohnBoyd/Organic%20Design%20for%20Command%20and%20Control.pdf

NKP was also known as "spook base". Reference here ... but doesn't mention anything about datacenter that would represent a $2.5B "windfall" to IBM (as mentioned in one of Boyd biographies).
http://aircommandoman.tripod.com/

baby boomer generation is four times previous and nearly twice the following. during baby boomer peak earning years, relatively easy to siphon off money from baby boomers to pay for retirees. baby boomers move into retirement and now the ratio of peak earning worker generation to retirees is cut by factor of eight times (four times as many retirees, half as many workers).

current SS/medicare tax rate is approx. 15% (with employer matching) ... with ratio of workers to retirees cut by a factor of eight times, the taxes per worker will have to be increased by eight times to maintain same level of benefits per retiree ... i.e. SS/medicare taxes increased to 8*15 or 120percent.

simple middle school arithmetic even tho former comptroller general has been claiming for nearly a decade that nobody in congress is capable of middle school arithmetic.

this doesn't take into account baby boomers living longer than previous generation ... requiring further uplift in tax collections by increasing tax rate (to cover having to provide benefits for longer period for the four times as many retirees). also following generation has lower education, lower skill and facing better educated foreign competition ... likely decreasing their (inflation adjusted) taxable income (rather than half total taxable income because of half as many workers, possibly only 1/4th the total taxable income); the shortfall with lower total taxable income would have to be made up by further increase in tax rate. Say combined factors may require SS&medicare tax rate increasing to possibly 300percent (from base 120percent).

misc. old posts doing the above calculation:
http://www.garlic.com/~lynn/2008i.html#98 dollar coins
http://www.garlic.com/~lynn/2008l.html#37 dollar coins
http://www.garlic.com/~lynn/2008n.html#18 VMware Chief Says the OS Is History
http://www.garlic.com/~lynn/2008n.html#29 Blinkylights
http://www.garlic.com/~lynn/2008o.html#58 Everyone is getting same deal out of life: babyboomers can't retire but they get SS benefits intact
http://www.garlic.com/~lynn/2009m.html#61 August 7, 1944: today is the 65th Anniversary of the Birth of the Computer
http://www.garlic.com/~lynn/2009m.html#64 August 7, 1944: today is the 65th Anniversary of the Birth of the Computer
http://www.garlic.com/~lynn/2009o.html#37 Young Developers Get Old Mainframers' Jobs
http://www.garlic.com/~lynn/2009o.html#72 I would like to understand the professional job market in US. Is it shrinking?
http://www.garlic.com/~lynn/2010.html#37 Happy DEC-10 Day
http://www.garlic.com/~lynn/2010.html#38 Happy DEC-10 Day
http://www.garlic.com/~lynn/2010b.html#24 Happy DEC-10 Day
http://www.garlic.com/~lynn/2010b.html#56 Happy DEC-10 Day
http://www.garlic.com/~lynn/2010b.html#59 Happy DEC-10 Day
http://www.garlic.com/~lynn/2010d.html#46 search engine history, was Happy DEC-10 Day
http://www.garlic.com/~lynn/2010f.html#45 not even sort of about The 2010 Census
http://www.garlic.com/~lynn/2010i.html#72 Favourite computer history books?
http://www.garlic.com/~lynn/2010i.html#74 Favourite computer history books?

--
virtualization experience starting Jan1968, online at home since Mar1970

Compressing the OODA-Loop - Removing the D (and maybe even an O)

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: lynn@garlic.com (Lynn Wheeler)
Date: 20 Nov, 2010
Subject: Compressing the OODA-Loop - Removing the D (and maybe even an O)
Blog: Boyd's Strategy
more than a decade ago I looked at copyrighting the term business science ... basically defining the things that are needed to measure/compare (aka orient) business processes.

when the Basel II draft was first circulated, there was new section on qualitative ... executives & boards actually understanding financial institution business process ... up until then Basel accords had been quantitative "risk adjusted capital" (how much capital in reserves based on quantitative judgement of institutional risk). we were ready to go around to the institutions and help them do qualitative understanding of their business. however, during the draft review process, the qualitative section was gutted and quantitative requirements cut back.
https://en.wikipedia.org/wiki/Basel_II

we claimed that original Basel II draft could have significantly helped alleviate the current financial mess (since it would have required both the board and the top executives understand what was going on). now some of the postmortems aren't so clear. Things sort of swing back and forth between they didn't know what was going on ... totally unqualified for their job ... but at the same time qualified for the enormous bonuses that should continue and knew exactly what they were doing ... NYS comptroller had report that wall street bonuses spiked over 400% during the bubble; and they're fighting to keep them from returning to pre-bubble levels.

Now they are fighting over what should be in Basel III and whether it can help return things to a stable situation (some amount of unnatural financial acts should continue in order to prevent the mess from plunging the world into major depression?, one theory essentially the world became addicted to the conditions that caused the mess and going cold turkey would be too traumatic).

For the fun of it a "business science" posting from 1995 ... with a busy graphic that was difficult to render into ASCII ... back when ISPs were frequently "shell accounts" (I've encountered a much simplified version of it by some beltway bandits in the past decade).
http://www.garlic.com/~lynn/95.html#8aa 2nd wave?

A study of successful silicon valley startups (late last century) claimed that the most common characteristic that they shared, was having completely changed their business plan at least once (agile & OODA-loop), somewhat related to fog-of-war. Old post reference
http://www.garlic.com/~lynn/2004k.html#15

with reference to (URL still good):
http://www.newswise.com/articles/view/506559/
Stanford Business School: Studying business successes without also looking at failures tends to create a misleading or entirely wrong picture of what it takes to succeed. A faculty member examines undersampling of failure and finds companies that fail often do the same things as companies that succeed.

a few other past references to business science
http://www.garlic.com/~lynn/2003k.html#41 An Understanding Database Theory
http://www.garlic.com/~lynn/2006w.html#47 'Innovation' and other crimes
http://www.garlic.com/~lynn/2008d.html#38 outsourcing moving up value chain
http://www.garlic.com/~lynn/2008i.html#29 What is your definition of "Information"?
http://www.garlic.com/~lynn/2009.html#54 Business Science
http://www.garlic.com/~lynn/2009.html#59 CROOKS and NANNIES: what would Boyd do?
http://www.garlic.com/~lynn/2009g.html#21 IBM forecasts 'new world order' for financial services

--
virtualization experience starting Jan1968, online at home since Mar1970

They always think we don't understand

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: lynn@garlic.com (Lynn Wheeler)
Date: 21 Nov, 2010
Subject: They always think we don't understand
Blog: Greater IBM
re:
http://www.garlic.com/~lynn/2010o.html#69 They always think we don't understand

with respect to GAO audits of public company financial filings showing increase in number of fraudulent filings (even after Sarbanes-Oxley and SEC apparently not doing anything) ... one motivation was that it increased executive bonuses ... which also contributed to the report that executive to employee compensation exploded to 400:1 (after having been 20:1 for a long time and 10:1 in the rest of the world) ...

in the Madoff hearings, the person that tried (unsuccessfully) for a decade to get the SEC to do something about Madoff, testified that tips turn up 13 times more fraud than audits (and the SEC didn't have a tip hotline, but had a 1-800 number for companies to complain about audits).

archived reference to 400:1 in original thread
http://www.garlic.com/~lynn/2010o.html#59
archived reference in (linkedin) financial crime group mentioning GAO audits (of public company financial filings):
http://www.garlic.com/~lynn/2010o.html#37

other past posts mentioning Madoff:
http://www.garlic.com/~lynn/2009b.html#65 What can agencies such as the SEC do to insure us that something like Madoff's Ponzi scheme will never happen again?
http://www.garlic.com/~lynn/2009b.html#73 What can we learn from the meltdown?
http://www.garlic.com/~lynn/2009b.html#80 How to defeat new telemarketing tactic
http://www.garlic.com/~lynn/2009c.html#0 Audit II: Two more scary words: Sarbanes-Oxley
http://www.garlic.com/~lynn/2009c.html#4 How to defeat new telemarketing tactic
http://www.garlic.com/~lynn/2009c.html#20 Decision Making or Instinctive Steering?
http://www.garlic.com/~lynn/2009c.html#29 How to defeat new telemarketing tactic
http://www.garlic.com/~lynn/2009c.html#39 'WHO IS RESPONSIBLE FOR THE GLOBAL MELTDOWN'
http://www.garlic.com/~lynn/2009c.html#44 How to defeat new telemarketing tactic
http://www.garlic.com/~lynn/2009c.html#51 How to defeat new telemarketing tactic
http://www.garlic.com/~lynn/2009d.html#0 PNC Financial to pay CEO $3 million stock bonus
http://www.garlic.com/~lynn/2009d.html#3 Congress Set to Approve Pay Cap of $500,000
http://www.garlic.com/~lynn/2009d.html#37 NEW SEC (Enforcement) MANUAL, A welcome addition
http://www.garlic.com/~lynn/2009d.html#42 Bernard Madoff Is Jailed After Pleading Guilty -- are there more "Madoff's" out there?
http://www.garlic.com/~lynn/2009d.html#47 Bernard Madoff Is Jailed After Pleading Guilty -- are there more "Madoff's" out there?
http://www.garlic.com/~lynn/2009d.html#57 Lack of bit field instructions in x86 instruction set because of patents ?
http://www.garlic.com/~lynn/2009d.html#61 Quiz: Evaluate your level of Spreadsheet risk
http://www.garlic.com/~lynn/2009d.html#62 Is Wall Street World's Largest Ponzi Scheme where Madoff is Just a Poster Child?
http://www.garlic.com/~lynn/2009d.html#63 Do bonuses foster unethical conduct?
http://www.garlic.com/~lynn/2009d.html#73 Should Glass-Steagall be reinstated?
http://www.garlic.com/~lynn/2009d.html#75 Whistleblowing and reporting fraud
http://www.garlic.com/~lynn/2009e.html#0 What is swap in the financial market?
http://www.garlic.com/~lynn/2009e.html#15 The background reasons of Credit Crunch
http://www.garlic.com/~lynn/2009e.html#35 Architectural Diversity
http://www.garlic.com/~lynn/2009e.html#36 Architectural Diversity
http://www.garlic.com/~lynn/2009e.html#37 How do you see ethics playing a role in your organizations current or past?
http://www.garlic.com/~lynn/2009e.html#40 Architectural Diversity
http://www.garlic.com/~lynn/2009e.html#53 Are the "brightest minds in finance" finally onto something?
http://www.garlic.com/~lynn/2009e.html#70 When did "client server" become part of the language?
http://www.garlic.com/~lynn/2009f.html#2 CEO pay sinks - Wall Street Journal/Hay Group survey results just released
http://www.garlic.com/~lynn/2009f.html#29 What is the real basis for business mess we are facing today?
http://www.garlic.com/~lynn/2009f.html#31 What is the real basis for business mess we are facing today?
http://www.garlic.com/~lynn/2009f.html#38 On whom or what would you place the blame for the sub-prime crisis?
http://www.garlic.com/~lynn/2009f.html#43 On whom or what would you place the blame for the sub-prime crisis?
http://www.garlic.com/~lynn/2009f.html#45 Artificial Intelligence to tackle rogue traders
http://www.garlic.com/~lynn/2009f.html#47 TARP Disbursements Through April 10th
http://www.garlic.com/~lynn/2009f.html#49 Is the current downturn cyclic or systemic?
http://www.garlic.com/~lynn/2009f.html#51 On whom or what would you place the blame for the sub-prime crisis?
http://www.garlic.com/~lynn/2009f.html#65 Just posted third article about toxic assets in a series on the current financial crisis
http://www.garlic.com/~lynn/2009f.html#67 Just posted third article about toxic assets in a series on the current financial crisis
http://www.garlic.com/~lynn/2009g.html#1 Future of Financial Mathematics?
http://www.garlic.com/~lynn/2009g.html#5 Do the current Banking Results in the US hide a grim truth?
http://www.garlic.com/~lynn/2009g.html#7 Just posted third article about toxic assets in a series on the current financial crisis
http://www.garlic.com/~lynn/2009g.html#29 Transparency and Visibility
http://www.garlic.com/~lynn/2009g.html#33 Treating the Web As an Archive
http://www.garlic.com/~lynn/2009g.html#34 Board Visibility Into The Business
http://www.garlic.com/~lynn/2009g.html#76 Undoing 2000 Commodity Futures Modernization Act
http://www.garlic.com/~lynn/2009g.html#77 A new global system is coming into existence
http://www.garlic.com/~lynn/2009h.html#3 Consumer Credit Crunch and Banking Writeoffs
http://www.garlic.com/~lynn/2009h.html#17 REGULATOR ROLE IN THE LIGHT OF RECENT FINANCIAL SCANDALS
http://www.garlic.com/~lynn/2009h.html#22 China's yuan 'set to usurp US dollar' as world's reserve currency
http://www.garlic.com/~lynn/2009i.html#13 64 Cores -- IBM is showing a prototype already
http://www.garlic.com/~lynn/2009i.html#23 Why are z/OS people reluctant to use z/OS UNIX? (Are settlements a good argument for overnight batch COBOL ?)
http://www.garlic.com/~lynn/2009i.html#40 64 Cores -- IBM is showing a prototype already
http://www.garlic.com/~lynn/2009i.html#54 64 Cores -- IBM is showing a prototype already
http://www.garlic.com/~lynn/2009i.html#60 In the USA "financial regulator seeks power to curb excess speculation."
http://www.garlic.com/~lynn/2009j.html#12 IBM identity manager goes big on role control
http://www.garlic.com/~lynn/2009j.html#21 The Big Takeover
http://www.garlic.com/~lynn/2009j.html#30 An Amazing Document On Madoff Said To Have Been Sent To SEC In 2005
http://www.garlic.com/~lynn/2009l.html#5 Internal fraud isn't new, but it's news
http://www.garlic.com/~lynn/2009m.html#89 Audits V: Why did this happen to us ;-(
http://www.garlic.com/~lynn/2009n.html#13 UK issues Turning apology (and about time, too)
http://www.garlic.com/~lynn/2009n.html#49 Opinions on the 'Unix Haters' Handbook'
http://www.garlic.com/~lynn/2009o.html#23 Opinions on the 'Unix Haters' Handbook'
http://www.garlic.com/~lynn/2009o.html#71 "Rat Your Boss" or "Rats to Riches," the New SEC
http://www.garlic.com/~lynn/2009o.html#84 Opinions on the 'Unix Haters' Handbook'
http://www.garlic.com/~lynn/2009p.html#20 U.K. lags in information security management practices
http://www.garlic.com/~lynn/2009p.html#51 Opinions on the 'Unix Haters' Handbook
http://www.garlic.com/~lynn/2009p.html#57 MasPar compiler and simulator
http://www.garlic.com/~lynn/2009r.html#35 70 Years of ATM Innovation
http://www.garlic.com/~lynn/2009r.html#47 70 Years of ATM Innovation
http://www.garlic.com/~lynn/2009r.html#53 70 Years of ATM Innovation
http://www.garlic.com/~lynn/2009r.html#61 70 Years of ATM Innovation
http://www.garlic.com/~lynn/2009s.html#45 Audits VII: the future of the Audit is in your hands
http://www.garlic.com/~lynn/2009s.html#47 Audits VII: the future of the Audit is in your hands
http://www.garlic.com/~lynn/2010.html#37 Happy DEC-10 Day
http://www.garlic.com/~lynn/2010b.html#82 Oldest Instruction Set still in daily use?
http://www.garlic.com/~lynn/2010c.html#34 Happy DEC-10 Day
http://www.garlic.com/~lynn/2010c.html#87 search engine history, was Happy DEC-10 Day
http://www.garlic.com/~lynn/2010d.html#8 search engine history, was Happy DEC-10 Day
http://www.garlic.com/~lynn/2010e.html#77 Madoff Whistleblower Book
http://www.garlic.com/~lynn/2010f.html#4 LPARs: More or Less?
http://www.garlic.com/~lynn/2010f.html#33 The 2010 Census
http://www.garlic.com/~lynn/2010f.html#46 not even sort of about The 2010 Census
http://www.garlic.com/~lynn/2010f.html#54 The 2010 Census
http://www.garlic.com/~lynn/2010f.html#56 Handling multicore CPUs; what the competition is thinking
http://www.garlic.com/~lynn/2010h.html#15 The Revolving Door and S.E.C. Enforcement
http://www.garlic.com/~lynn/2010h.html#16 The Revolving Door and S.E.C. Enforcement
http://www.garlic.com/~lynn/2010h.html#31 In the News: SEC storms the 'Castle'
http://www.garlic.com/~lynn/2010h.html#41 Profiling of fraudsters
http://www.garlic.com/~lynn/2010h.html#43 COBOL - no longer being taught - is a problem
http://www.garlic.com/~lynn/2010h.html#47 COBOL - no longer being taught - is a problem
http://www.garlic.com/~lynn/2010h.html#58 S.E.C. Moves to Tighten Rules on Bonds Backed by Consumer Loans
http://www.garlic.com/~lynn/2010h.html#67 The Python and the Mongoose: it helps if you know the rules of engagement
http://www.garlic.com/~lynn/2010h.html#69 Idiotic programming style edicts
http://www.garlic.com/~lynn/2010i.html#34 Idiotic programming style edicts
http://www.garlic.com/~lynn/2010i.html#41 Idiotic programming style edicts
http://www.garlic.com/~lynn/2010i.html#42 "Fraud & Stupidity Look a Lot Alike"
http://www.garlic.com/~lynn/2010i.html#47 "Fraud & Stupidity Look a Lot Alike"
http://www.garlic.com/~lynn/2010i.html#48 "Fraud & Stupidity Look a Lot Alike"
http://www.garlic.com/~lynn/2010k.html#6 taking down the machine - z9 series
http://www.garlic.com/~lynn/2010k.html#29 Snow White and the Seven Dwarfs
http://www.garlic.com/~lynn/2010l.html#14 Age
http://www.garlic.com/~lynn/2010l.html#38 Who is Really to Blame for the Financial Crisis?
http://www.garlic.com/~lynn/2010m.html#37 A Bright Future for Big Iron?
http://www.garlic.com/~lynn/2010m.html#62 Dodd-Frank Act Makes CEO-Worker Pay Gap Subject to Disclosure
http://www.garlic.com/~lynn/2010n.html#35 Idiotic programming style edicts
http://www.garlic.com/~lynn/2010n.html#36 Idiotic programming style edicts

--
virtualization experience starting Jan1968, online at home since Mar1970

They always think we don't understand

From: lynn@garlic.com (Lynn Wheeler)
Date: 21 Nov, 2010
Subject: They always think we don't understand
Blog: Greater IBM
re:
http://www.garlic.com/~lynn/2010o.html#69 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#71 They always think we don't understand

There are quite a few articles like this ... however they pretty much ignore the simple effects of the baby boomer population bubble moving through the economy. It is much easier to tax the baby boomer generation to pay for the retirement of the previous generation ... but then the baby boomer generation moves into retirement and that ratio of workers (in the following generation) to retirees (in the baby boomer generation) is cut by a factor of eight times. It is not just the total worker taxable income (available for taxation) that becomes an issue ... but things like where do the necessary geriatric health care workers come from (separate from the issue is there enough money to pay for them)?

Baby Boomers: The Greediest Generation; Chairs of deficit panel understate the problem. Deep cuts in Medicare and Social Security are needed to rescue our children's future.
http://www.forbes.com/2010/11/11/greedy-boomers-social-security-medicare-cuts-personal-finance-kotlikoff.html

--
virtualization experience starting Jan1968, online at home since Mar1970

IEFBR14

From: lynn@GARLIC.COM (Anne & Lynn Wheeler)
Subject: Re: IEFBR14
Newsgroups: bit.listserv.ibm-main
Date: 21 Nov 2010 09:19:54 -0800
Allodoxaphobia <knock_yourself_out@example.net> writes:
I believe the eyecatchers evolved over time. First just the module name. Then some pin-head lawyer in Armonk convinced them they needed a copyright statement.

the other justification was the unbundling announcement and starting to charge for software (lots of legal action by the gov. and others) and then copyright law ambiguity ... did both the original source as well as the executable code require copyright statement? (they did manage to make the case that kernel software should still be free). misc. past posts mentioning 23jun69 unbundling
http://www.garlic.com/~lynn/submain.html#unbundle

various copyrighted material makes statements about granting various kinds of rights for "derived works" (aka in the case of software, compiled/executable code) as long as the copyright notice is included.

--
virtualization experience starting Jan1968, online at home since Mar1970

Compressing the OODA-Loop - Removing the D (and maybe even an O)

From: lynn@garlic.com (Lynn Wheeler)
Date: 21 Nov, 2010
Subject: Compressing the OODA-Loop - Removing the D (and maybe even an O)
Blog: Boyd's Strategy
re:
http://www.garlic.com/~lynn/2010o.html#70 Compressing the OODA-Loop - Removing the D (and maybe even an O)

genetic algorithms are typically used with form of simulation/modeling ... there was big uptick in mid to late 90s when chips were becoming too large to perform complete logic verification and "coverage" was dropping below five percent of the possible cases. there was lot of work in silicon valley attempting to improve the selection of what cases were covered. we consulted with one organization that was working with Stanford group investigating genetic algorithms (a lot of patents were being written in real time) ... as well as hired a whole institute (12 time-zones away, after the wall fell, could get one of the foremost institutes in the world for approx. the price of a single person in the US).

I was doing dynamic adaptive computer resource management starting as an undergraduate in the 60s. Later at the science center we had complex verification of the work; basically had huge amount of real data as to large number of different computer configurations and workloads. We built an n-dimensional scatter graph of the observations for large set of parameters (looked very similar to Boyd's profiles of jet fighter operation ... used to compare your fighter against the enemies as part of developing combat strategy).

The "operational sphere" was then used to compose 1000 sample synthetic benchmarks that represented configuration and workloads coverage (pretty much evenly distributed) to validate my ability to do dynamic adaptive computer resource management. Then a sort of genetic algorithm was created that looked at all previous benchmark results to select the next (synthetic) configuration and workload. This was repeated 1000 times (searching for anomalies that weren't found by selecting evenly distributed test points). The whole thing was automated and turned loose ... the full 2000 took three months elapsed time to run (mid-70s).

One of the things that attracted me to Boyd was the similarities between the work we had done to characterize computer operation (some of it eventually morphing into capacity planning) and how he characterized fighter operation.

Some of this has repercussions with lots of financial ... which frequently assume continuous ... and when there is an anomaly or discontinuity ... they run to the gov. for bail-out (this happened in the late 90s with hedge funds).

archeological reference to Boyd (& dynamic adaptive resource manager) post in early 94
http://www.garlic.com/~lynn/94.html#8

wiki reference to Genetic algorithm (mostly from standpoint of finding solution)
https://en.wikipedia.org/wiki/Genetic_algorithm

In the case of chip verification (and my resource manager testing), the objective was selecting large number of cases for testing ... that possibly would have been ignored using other techniques.

... and item about the earlier "bees" reference:
http://www.geekosystem.com/bees-havent-solved-traveling-salesman-problem/

--
virtualization experience starting Jan1968, online at home since Mar1970
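
The two-phase test selection described in the post above (even coverage of the operational sphere, then a genetic-algorithm style search over all previous results for anomalies the even grid missed) as an added illustration; this is not code from the post or from the mid-70s system. The benchmark function, the three normalised configuration axes (memory, cpu share, io rate), the location of the hidden anomaly and the 10-points-per-axis grid are all constructed here for the example; the search itself is a minimal elitist crossover-plus-mutation loop, not whatever the original system used.

```python
import random
from itertools import product

# Constructed stand-in for one synthetic benchmark.  A configuration is
# (mem, cpu, io), each normalised to [0, 1].  The returned "anomaly score"
# is a smooth response peaking near (0.8, 0.3, 0.5) plus a narrow spike
# around mem=0.83, cpu=0.27 that no point of a 10-per-axis grid hits.
def run_benchmark(cfg):
    mem, cpu, io = cfg
    smooth = 1.0 - ((mem - 0.8) ** 2 + (cpu - 0.3) ** 2 + (io - 0.5) ** 2)
    spike = 1.0 if abs(mem - 0.83) < 0.02 and abs(cpu - 0.27) < 0.02 else 0.0
    return smooth + spike


def even_coverage(points_per_axis):
    """Phase 1: evenly distributed sample points over the 3-d 'operational sphere'."""
    steps = [i / (points_per_axis - 1) for i in range(points_per_axis)]
    return [tuple(p) for p in product(steps, repeat=3)]


def mutate(cfg, rng, sigma):
    # Gaussian perturbation, clamped so the child stays inside the sphere.
    return tuple(min(1.0, max(0.0, x + rng.gauss(0.0, sigma))) for x in cfg)


def crossover(a, b, rng):
    # Uniform crossover: each axis taken from either parent.
    return tuple(a[i] if rng.random() < 0.5 else b[i] for i in range(3))


def anomaly_search(results, rounds, rng, elite=10, sigma=0.05):
    """Phase 2: each round looks at ALL previous results (dict cfg -> score),
    breeds the next configuration from the current top scorers, runs it and
    records it.  Nothing is ever discarded, so the best score never drops."""
    for _ in range(rounds):
        ranked = sorted(results, key=results.get, reverse=True)[:elite]
        child = mutate(crossover(rng.choice(ranked), rng.choice(ranked), rng), rng, sigma)
        if child not in results:
            results[child] = run_benchmark(child)
    return results


def campaign(points_per_axis=10, rounds=1000, seed=1):
    """Run phase 1 (1000 grid points) then phase 2 (1000 searched points).
    Returns (best score after phase 1, best score after phase 2,
    best configuration found, number of benchmarks run)."""
    rng = random.Random(seed)
    results = {cfg: run_benchmark(cfg) for cfg in even_coverage(points_per_axis)}
    grid_best = max(results.values())
    anomaly_search(results, rounds, rng)
    best_cfg = max(results, key=results.get)
    return grid_best, results[best_cfg], best_cfg, len(results)


if __name__ == "__main__":
    grid_best, best, best_cfg, n = campaign()
    print(f"grid best {grid_best:.3f}, search best {best:.3f} at {best_cfg} ({n} runs)")
```

The even grid scores at most 1.0 because none of its points lands on the spike; the search phase, seeded from the grid's own top scorers, walks into the spike region and reports a score above 1.5, which is the "anomaly not found by evenly distributed test points" the post describes.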

origin of 'fields'?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: origin of 'fields'?
Newsgroups: alt.folklore.computers
Date: Mon, 22 Nov 2010 09:16:03 -0500
Ibmekon writes:
More is the pity.

Is mental arithmetic generally still taught ?

For a UK citizen a quick analysis of 4.8 trillion UK pounds debt, for a population of 60 million plus, at 3 percent plus annual interest would lead to an average taxpayer knowing more about the economy than most politicians.


I've mentioned this before ... for some time, the former comptroller general has been making the comment that nobody in congress has been capable of simple middle school arithmetic.

simple scenario is that baby boomer generation is four times as large as the previous generation and nearly twice as large as following generation. it was relatively simple for congress to siphon off funds from baby boomer generation (during peak working years) to pay for all sorts of things (including retirement of the previous generation) ... however there is all sorts of issue as the baby boomer population bubble moves through life.

current ss/medicare/etc taxes are approx. 15% (with employee matching). as baby boomer population bubble moves into retirement that ratio of workers to retirees is cut by factor of eight (four times as many retirees, half as many workers paying for those retirees) ... so tax rate needs to be increased by factor of eight, i.e. to 8*15 or 120 percent.

this doesn't even take into account baby boomers living longer, requiring more tax collections. it also doesn't take into account that the following generation has lower education, lower skills, and facing better educated foreign competition (so total, inflation adjusted taxable income rather than half ... because half as many workers, it may only be 1/4th). the combination of factors, may require further uplift of the tax rate to meet required tax collection ... say to 300%.

the cut in ratio of workers to retirees by factor of eight also has various other implications ... like the number of geriatric health care workers (separate from whether there is the money to pay for them).

comptroller general has pointed out that things really started to get bad after congress let the fiscal responsibility act expire in 2002 (by far the worst is something like $40+T in unfunded mandates from medicare part-d done in 2003).

former comptroller general:
https://en.wikipedia.org/wiki/David_M._Walker_%28U.S._Comptroller_General%29

resigned before end of term and became head of

Peter G. Peterson Foundation
http://www.pgpf.org/Issues.aspx

and has book that came out earlier this year:

Comeback America: Turning the Country Around and Restoring Fiscal Responsibility
http://www.amazon.com/Comeback-America-Turning-Restoring-Responsibility/dp/1400068606

related item from last week

Fixing The US Budget -- Straightforward Or The Hardest Problem On Earth?
http://baselinescenario.com/2010/11/18/fixing-the-us-budget/

from somebody at

Peter G. Peterson Institute for International Economics
http://www.iie.com/
and
http://www.iie.com/institute/aboutiie.cfm

misc. past posts mentioning comptroller general
http://www.garlic.com/~lynn/2006f.html#41 The Pankian Metaphor
http://www.garlic.com/~lynn/2006f.html#44 The Pankian Metaphor
http://www.garlic.com/~lynn/2006g.html#9 The Pankian Metaphor
http://www.garlic.com/~lynn/2006g.html#14 The Pankian Metaphor
http://www.garlic.com/~lynn/2006g.html#27 The Pankian Metaphor
http://www.garlic.com/~lynn/2006h.html#2 The Pankian Metaphor
http://www.garlic.com/~lynn/2006h.html#3 The Pankian Metaphor
http://www.garlic.com/~lynn/2006h.html#4 The Pankian Metaphor
http://www.garlic.com/~lynn/2006h.html#17 The Pankian Metaphor
http://www.garlic.com/~lynn/2006h.html#19 The Pankian Metaphor
http://www.garlic.com/~lynn/2006h.html#33 The Pankian Metaphor
http://www.garlic.com/~lynn/2006o.html#61 Health Care
http://www.garlic.com/~lynn/2006p.html#17 Health Care
http://www.garlic.com/~lynn/2006r.html#0 Cray-1 Anniversary Event - September 21st
http://www.garlic.com/~lynn/2006t.html#26 Universal constants
http://www.garlic.com/~lynn/2007j.html#20 IBM Unionization
http://www.garlic.com/~lynn/2007j.html#91 IBM Unionization
http://www.garlic.com/~lynn/2007k.html#19 Another "migration" from the mainframe
http://www.garlic.com/~lynn/2007o.html#74 Horrid thought about Politics, President Bush, and Democrats
http://www.garlic.com/~lynn/2007p.html#22 U.S. Cedes Top Spot in Global IT Competitiveness
http://www.garlic.com/~lynn/2007q.html#7 what does xp do when system is copying
http://www.garlic.com/~lynn/2007s.html#1 Translation of IBM Basic Assembler to C?
http://www.garlic.com/~lynn/2007t.html#13 Newsweek article--baby boomers and computers
http://www.garlic.com/~lynn/2007t.html#14 Newsweek article--baby boomers and computers
http://www.garlic.com/~lynn/2007t.html#15 Newsweek article--baby boomers and computers
http://www.garlic.com/~lynn/2007t.html#24 Translation of IBM Basic Assembler to C?
http://www.garlic.com/~lynn/2007t.html#25 Newsweek article--baby boomers and computers
http://www.garlic.com/~lynn/2007t.html#33 Newsweek article--baby boomers and computers
http://www.garlic.com/~lynn/2007t.html#35 Newsweek article--baby boomers and computers
http://www.garlic.com/~lynn/2007v.html#26 2007 Year in Review on Mainframes - Interesting
http://www.garlic.com/~lynn/2008d.html#40 Computer Science Education: Where Are the Software Engineers of Tomorrow?
http://www.garlic.com/~lynn/2008e.html#50 fraying infrastructure
http://www.garlic.com/~lynn/2008f.html#86 Banks failing to manage IT risk - study
http://www.garlic.com/~lynn/2008g.html#1 The Workplace War for Age and Talent
http://www.garlic.com/~lynn/2008h.html#3 America's Prophet of Fiscal Doom
http://www.garlic.com/~lynn/2008h.html#26 The Return of Ada
http://www.garlic.com/~lynn/2008.html#57 Computer Science Education: Where Are the Software Engineers of Tomorrow?
http://www.garlic.com/~lynn/2008i.html#98 dollar coins
http://www.garlic.com/~lynn/2008n.html#8 Taxcuts
http://www.garlic.com/~lynn/2008n.html#9 Taxcuts
http://www.garlic.com/~lynn/2008n.html#17 Michigan industry
http://www.garlic.com/~lynn/2009f.html#20 What is the real basis for business mess we are facing today?
http://www.garlic.com/~lynn/2009n.html#55 Hexadecimal Kid - articles from Computerworld wanted
http://www.garlic.com/~lynn/2009p.html#86 Opinions on the 'Unix Haters' Handbook
http://www.garlic.com/~lynn/2009p.html#87 IBM driving mainframe systems programmers into the ground
http://www.garlic.com/~lynn/2010b.html#60 Happy DEC-10 Day
http://www.garlic.com/~lynn/2010c.html#3 Oldest Instruction Set still in daily use?
http://www.garlic.com/~lynn/2010c.html#9 Oldest Instruction Set still in daily use?
http://www.garlic.com/~lynn/2010c.html#23 Happy DEC-10 Day
http://www.garlic.com/~lynn/2010f.html#34 The 2010 Census
http://www.garlic.com/~lynn/2010f.html#46 not even sort of about The 2010 Census
http://www.garlic.com/~lynn/2010.html#36 Happy DEC-10 Day
http://www.garlic.com/~lynn/2010.html#37 Happy DEC-10 Day
http://www.garlic.com/~lynn/2010m.html#79 Idiotic take on Bush tax cuts expiring
http://www.garlic.com/~lynn/2010o.html#66 They always think we don't understand
http://www.garlic.com/~lynn/2010o.html#69 They always think we don't understand

--
virtualization experience starting Jan1968, online at home since Mar1970

e-commerce smackdown as PCI standards revised

From: lynn@garlic.com (Lynn Wheeler)
Date: 22 Nov, 2010
Subject: e-commerce smackdown as PCI standards revised
Blog: Payment System Network
e-commerce smackdown as PCI standards revised
http://www.theregister.co.uk/2010/11/01/pci_revisions/

There are several issues ... in the current paradigm

dual-use vulnerability - transaction information used for normal business processes ... is also sufficient information to originate (effectively authenticate) a transaction. As a result the same information has to be kept both 1) totally confidential and never divulged ... even to never using card at POS device and 2) readily available for dozens of business processes at millions of locations around the world. As a result, I've frequently commented that even if the planet was buried under miles of information hiding cryptography, it still wouldn't prevent information leakage.

security proportional to risk - the value of the transaction information to the merchant is the profit on the transaction (possibly only a couple dollars, may be only a few cents for the processor). at the same time, the value of the transaction information to the crooks is the credit limit/account balance. As a result, the crooks may be able to afford to outspend the merchant/processors by a factor of 100 times or more (attacking the system, compared to what is available to defend the system).

I was tangentially involved in the (original) cal. state data breach notification legislation (over a decade ago), when we were brought in to help wordsmith the electronic signature legislation. Some of the parties involved were also heavily involved in privacy issues and had done in-depth, detailed privacy surveys of the public. The #1 issue was identity theft, namely the form of "account fraud" ... involving fraudulent financial transactions against existing accounts. There appeared to be little or nothing being done in this area ... and so apparently they hoped that the publicity from notification might prompt some corrective action. Nearly all of the current measures (in the years since) appeared to have been motivated by that legislation. A big issue is normally security is by entities to protect their own assets. In the case of account fraud, the compromised information didn't put the entities holding the information at risk ... but the threat was to other entities (the account owners).

aka paradigm broken as designed and/or (used numerous times in congressional hearings into the financial mess as well as Madoff) mis-aligned business processes, trying to motivate merchants & processors to provide information security that is all out of proportion to the value of the information to them.

At the same time that cal. state parties were working on (original) data breach notification legislation, they were also working on an "opt-in" personal information sharing legislation (i.e. person has to explicitly authorize sharing of personal information). That work was headed off when GLBA included "opt-out" personal information sharing (i.e. person had to explicitly specify no information sharing, basically "federal pre-emption" of the cal. state work). The rhetoric on the floor of congress was that the primary purpose of GLBA was that banks that were already banks, got to remain banks, but those that weren't already banks couldn't become banks (specifically calling out walmart and m'soft). However, GLBA also included other provisions like repeal of Glass-Steagall and (federal preemption) PII sharing "opt-out".

At an annual privacy conference a few years ago, there was panel of FTC commissioners and somebody in the room got up and asked the FTC if they were going to do anything about GLBA "opt-out", they said that they were associated with call centers that were used by the majority of financial institutions and claimed that the "opt-out" lines had no provisions for recording/logging information (i.e. no evidence of any "opt-out").

With respect to notification, in the years since the cal. state legislation, there have been numerous bills introduced at the federal level ... which have fallen into general categories, bills similar to the cal. legislation and "notification" bills that would essentially eliminate most notification requirements.

disclaimer: i was co-author of the financial industry privacy standard (x9.99 which has gone on to be international ISO standard) ... which had to follow GLBA ... as well as to take into account some HIPAA issues (and tried to take into account EU-DPD in anticipation of moving to ISO).

--
virtualization experience starting Jan1968, online at home since Mar1970

The Credit Card Criminals Are Getting Crafty

From: lynn@garlic.com (Lynn Wheeler)
Date: 13 Nov, 2010
Subject: The Credit Card Criminals Are Getting Crafty
Blog: Payment Systems Network
re:
http://www.garlic.com/~lynn/2010o.html#40 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#46 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#49 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#50 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#51 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#53 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#54 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#56 The Credit Card Criminals Are Getting Crafty

There are several issues. The current paradigm has crooks harvesting information from some compromised point ... and then frequently performing fraudulent financial transactions as far away from the compromise as possible .... sometimes using very sophisticated obfuscation and misdirection (preserving the investment in the original compromise). In the case of harvesting compromises ... there have been cases where the compromise has been installed at manufacturing.

In the mid-90s the x9a10 financial standards working group eliminated that form of vulnerability (i.e. harvesting standard transaction information as vulnerability/threat) with the x9.59 financial transaction standard. One of the provisions in the X9.59 standard was also that it (sufficiently super lightweight & strong security) allowed for both the account holder and the transaction environment (aka POS terminal or other device) to be authenticated on every transaction.

One of the issues is that eliminating harvesting, skimming, and breaches as a threat/vulnerability ... leaves compromised end-points which actually perform fraudulent transactions. Having the fraudulent transaction only at the point of compromise, significantly improves being able to identify the compromise and take countermeasures.

--
virtualization experience starting Jan1968, online at home since Mar1970

origin of 'fields'?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: origin of 'fields'?
Newsgroups: alt.folklore.computers
Date: Mon, 22 Nov 2010 15:22:18 -0500
"Charlie Gibbs" <cgibbs@kltpzyxm.invalid> writes:
Their "solution" is to maintain the population explosion by encouraging immigration and high birth rates. The fact that "sustainable growth" is a cruel oxymoron is conveniently ignored; by the time the consequences are really felt, today's politicians will have retired with pensions sufficiently lavish to isolate themselves from the rest of the world.

re:
http://www.garlic.com/~lynn/2010o.html#75 origin of 'fields'?

or resigned and gone to work for the special interests. past posts reference to the 60mins segment on orchestrating the one liner in part-d precluding competitive bidding (side-by-side comparison of identical drugs that were 1/3rd the cost to the VA, which allows competitive bidding) & within six months ... 18 individuals had resigned and were working for their special interests
http://www.garlic.com/~lynn/2010c.html#0 Oldest Instruction Set still in daily use?
http://www.garlic.com/~lynn/2010f.html#34 The 2010 Census
http://www.garlic.com/~lynn/2010f.html#46 not even sort of about The 2010 Census
http://www.garlic.com/~lynn/2010o.html#66 They always think we don't understand

--
virtualization experience starting Jan1968, online at home since Mar1970

I actually miss working at IBM

From: lynn@garlic.com (Lynn Wheeler)
Date: 22 Nov, 2010
Subject: I actually miss working at IBM
Blog: Greater IBM
I remember going by Somers periodically as the company was heading into the red and having discussions like the effects that hardware commoditization was having on the industry ... and what was needed to respond to the changing landscape. Then go back a month later, six months later, year later, etc ... and nothing had changed. One explanation was that a significant number in Somers were being paid large premium for their past experience given static, status quo environment; while they appeared to demonstrate that they understood the issues in detail (and what was needed), they (also) appeared to be trying to stave off any major changes until after retirement (disruptive changes threatening their position).

--
virtualization experience starting Jan1968, online at home since Mar1970

origin of 'fields'?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: origin of 'fields'?
Newsgroups: alt.folklore.computers
Date: Mon, 22 Nov 2010 17:35:24 -0500
"Charlie Gibbs" <cgibbs@kltpzyxm.invalid> writes:
That happens all too often. I once wrote a system to replace a bunch of slips in a shoebox. In the process of "automating the shoebox", I had to look at it and then proceed based on a series of educated guesses; only when the users saw what I had written were they able to tell me what they really wanted. In effect, I wrote the programs and then got the specs.

there once was a large retailer that considered just eliminating the slips ... since the slips were only needed in customer dispute ... and the total of all customer disputes was less than the cost of keeping the slips ... that is until somebody asked what might happen if the public found out that all disputes were being settled automatically.

--
virtualization experience starting Jan1968, online at home since Mar1970

The Credit Card Criminals Are Getting Crafty

From: lynn@garlic.com (Lynn Wheeler)
Date: 23 Nov, 2010
Subject: The Credit Card Criminals Are Getting Crafty
Blog: Greater IBM
re:
http://www.garlic.com/~lynn/2010o.html#40 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#46 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#49 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#50 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#51 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#53 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#54 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#56 The Credit Card Criminals Are Getting Crafty
http://www.garlic.com/~lynn/2010o.html#77 The Credit Card Criminals Are Getting Crafty

There was a large (regional) pilot in the US the early part of this century ... during the YES CARD period ("trivial" to clone a card); there were presentations at Cartes 2002 and at the ATM Integrity Taskforce meetings (where somebody observed that billions were spent to prove that chips were less secure than magstripe). In the wake of the YES CARD, all evidence of the pilot appeared to disappear w/o a trace. My impression was that it would be sometime before it would be tried again (possibly letting others make sure that it is thoroughly vetted). misc. past YES CARD posts
http://www.garlic.com/~lynn/subintegrity.html#yescard

there is a reference to the Cartes 2002 presentation here (at the bottom); the original has gone 404, but it lives on at the Wayback Machine.
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

The funny thing was that those doing the regional pilot were informed of the YES CARD exploit and their response was to modify the configuration in valid issued cards ... which had no effect on the fraud. The basic exploit was replacing valid terminals with counterfeit terminals in order to skim the necessary information for (trivially) creating a counterfeit YES CARD ... which is then used with other terminals. Whatever configuration options used in valid, issued cards were totally orthogonal to the YES CARD.

Part of the issue is that there is little or no external way of differentiating a counterfeit end-point. This came up with the EU FINREAD standard during the 90s ... which was a countermeasure to lots of the well-known end-user PC vulnerabilities ... basically a hardened device that moved the transaction end-point out of the PC, with its own unspoofable PIN-pad and display. While the EU FINREAD standard provided all the specifications for a trusted device ... there was no assurance process that easily demonstrated that any specific device was actually an EU FINREAD device. That was one of the reasons that the X9.59 financial transaction standard provided an option for the transaction to also carry transaction environment/device authentication information. misc. past posts mentioning EU FINREAD:
http://www.garlic.com/~lynn/subintegrity.html#finread

--
virtualization experience starting Jan1968, online at home since Mar1970

CARD AUTHENTICATION TECHNOLOGY - Embedded keypad on Card - Is this the future

From: lynn@garlic.com (Lynn Wheeler)
Date: 24 Nov, 2010
Subject: CARD AUTHENTICATION TECHNOLOGY - Embedded keypad on Card - Is this the future
Blog: Payment Systems Network
re:
http://www.garlic.com/~lynn/2010o.html#67 CARD AUTHENTICATION TECHNOLOGY - Embedded keypad on Card - Is this the future

How Mobile Phones Jump-Start Developing Economies; Ubiquitous handsets introduce mobile payments to those who lack bank accounts.
http://www.technologyreview.com/business/26650/

Indian Banks Introducing Instant Mobile Retail Payments
http://www.pcworld.com/article/211451/indian_banks_introducing_instant_mobile_retail_payments.html

Europe had big chip based deployments in the 90s with private operators ... but the chips were slow and the protocol was power hungry (aka contact), extremely complex and time-consuming (security tends to be inversely proportional to complexity ... aka proportional to KISS). They were extremely oriented towards offline because of the high expense &/or lack of connectivity left over from the 80s.

We had been asked to design and cost backend data processing for one of the main products' deployment in the States ... but quickly discovered that the main business justification was the float on the balance to the operators. When the EU central banks made an announcement that the operators would start having to pay interest on the card balances ... the products quickly disappeared.

The transit community had approached some of the operators ... and in an industry transit meeting, they came back with a solution ... a sleeve that provided the necessary power to the card (since standard RFID power wasn't even marginally adequate) and also handled the conversion of the protocol chatter to "contactless". However, there was still a significant elapsed time issue for the protocol ... so they solved that problem by proposing a long electro-magnetic tunnel that people would walk slowly through as they approached the transit turnstile (so the protocol chatter had completed by the time they had reached the turnstile).

In the 90s, the transit industry had made a request that x9.59 financial transaction standard could be done by a chip within the power & elapsed time constraints of transit turnstile (w/o battery substitute ... just using the power available from the RFID signal to drive the chip) ... and do w/o any loss of security ... be able to use the same chip & transaction for high-value transactions as well as low-value (& transit) transactions (maintaining both high security and the tight power & elapsed time constraints of transit, drove a lot of KISS in the x9.59 standard)

Back to my original response ... the current generation of chipcards can be viewed as an advance in the 80s with compact chip computing ... but w/o a corresponding advance in human interface technology. So there is an ISO standard to allow people to carry around the computing capability with a standard specification that would connect with stationary devices that contained the human interface.

The change in the 90s was the evolution of portable human interfaces in approx. the same physical size. Much of the issue since then is that much of the financial industry has a lot of vested interest in institutional issued ... transition to some other kinds of device has much more to do with things like losing business control of the payment infrastructure.

--
virtualization experience starting Jan1968, online at home since Mar1970

The IETF is probably the single element in the global equation of technology competition than has resulted in the INTERNET

From: lynn@garlic.com (Lynn Wheeler)
Date: 24 Nov, 2010
Subject: The IETF is probably the single element in the global equation of technology competition than has resulted in the INTERNET
Blog: IETF - The Internet Engineering Task Force
The TCP/IP protocol was the technology basis for the INTERNET ... while the NSFNET backbone could be considered the operational basis for the modern INTERNET and CIX was the business basis for the modern INTERNET.
http://www.garlic.com/~lynn/subnetwork.html#nsfnet

IETF (& tcp/ip) has been contrasted with ISO (& OSI) ... with IETF requiring interoperable implementations before standards progressed ... while ISO allowed standards to be passed that had never been implemented. In that sense, Interop meetings provided one of the venues for interoperable testing. misc. past posts mentioning interop '88
http://www.garlic.com/~lynn/subnetwork.html#interop88

There have been some number of changes over the years ... with increasing commercial influence ... including the change in the RFC copyright provisions (from granting IETF/ISOC unlimited rights ... to RFC authors retaining all rights).

With respect to ISO/OSI ... I was involved in taking "high-speed protocol" to X3S3.3 (ANSI ISO chartered body for OSI level 3&4 related protocols). X3S3.3 turned it down ... supposedly ISO also had requirement that (networking) standardization could only be done for OSI "conforming" protocols. "high-speed protocol" lack of conformance with OSI included supporting "internetworking" ... which doesn't exist in OSI. misc. past posts mentioning HSP & OSI
http://www.garlic.com/~lynn/subnetwork.html#xtphsp

trivia question ... what was part of the specification in RFC1122 that came from experience with setting up floor nets at Interop '88?

--
virtualization experience starting Jan1968, online at home since Mar1970

CARD AUTHENTICATION TECHNOLOGY - Embedded keypad on Card - Is this the future

From: lynn@garlic.com (Lynn Wheeler)
Date: 24 Nov, 2010
Subject: CARD AUTHENTICATION TECHNOLOGY - Embedded keypad on Card - Is this the future
Blog: Payment Systems Network
re:
http://www.garlic.com/~lynn/2010o.html#67 CARD AUTHENTICATION TECHNOLOGY - Embedded keypad on Card - Is this the future
http://www.garlic.com/~lynn/2010o.html#82 CARD AUTHENTICATION TECHNOLOGY - Embedded keypad on Card - Is this the future

Back to my original response ... the current generation of chipcards can be viewed as an advance in the 80s with compact chip computing ... but w/o a corresponding advance in human interface technology. So there is an ISO standard to allow people to carry around the computing capability with a standard specification that would connect with stationary devices that contained the human interface.

The change in the 90s was the evolution of portable human interfaces in approx. the same physical size. Much of the issue since then is that much of the financial industry has a lot of vested interest in institutional issued ... transition to some other kinds of device has much more to do with things like losing business control of the payment infrastructure.

I wasn't talking about financial institution operations when I mentioned "private operators" (in the previous post) ... basically "stored-value" for offline.

this is old reference to mondex, cybercash, etc
http://www.cse.tkk.fi/fi/opinnot/T-110.5290/1996_Tik-110.501/seminars/works/koju/bitmoney.html

there were some pilot mondex (and others) efforts in the US and the global mondex operator was a major sponsor of IETF (internet) standard activity that had a number of meetings (rfc2801 IOTP). some number of these were looking at full US rollout ... that all appeared to be interrupted by the announcement that they would lose the float in the cards.

X9a10 was requested by transit industry to be able to do highly secure x9.59 transaction with secure (EAL4+) chip in the 90s with "dynamic data" ... well under the transit industry turnstile power and elapsed time requirement. part of the issue was that different public key (but at least as secure) technology was used for the implementation (late 90s chip technology required significantly more attention to detail to meet power & elapsed time requirement).

I gave presentation on the chip at the Intel Developer's Forum in the trusted computing track in 2001. There was somebody from gov. agency there and I claimed that the chip was at least as secure as anything they did in their in-house fab at possibly 1/100th to 1/1000th the cost.

disclaimer ... I reported to YKT in the 80s when one of the people in the math department invented ECC.

(internet standard) rfc2801 abstract mentions at least Mondex, CyberCoin, GeldKarte (attempted to be carried in the rfc2801 IOTP specification) ... disclaimer, I participated in some of the early internet/IETF IOTP meetings.

for more internet/ietf standards information see my RFC INDEX
http://www.garlic.com/~lynn/rfcietff.htm

My reference to deployments with the YES CARD vulnerabilities was to the early part of this decade (not to the 90s). There were some pilots before that, like the IBM & Safeway UK pilot in 1997. The presentation at cartes2002 mentions counterfeit YES CARDs started appearing in 1999.
http://www.garlic.com/~lynn/subintegrity.html#yescard

--
virtualization experience starting Jan1968, online at home since Mar1970

REXX "address" environments

From: lynn@GARLIC.COM (Anne & Lynn Wheeler)
Subject: Re: REXX "address" environments
Newsgroups: bit.listserv.ibm-main
Date: 24 Nov 2010 15:51:48 -0800
shmuel+ibm-main@PATRIOT.NET (Shmuel Metz , Seymour J.) writes:
I generally preferred XEDIT but I missed having two kinds of shift. But I'm a tool-building guy and XEDIT had better facilities for building edit macros than ISPF/PDF EDIT has.

there were several internally developed 3270/fullscreen editors prior to & more mature than xedit (internal development heavily ran on the virtual machine based platform regardless of the platform that the development was for).

when xedit was selected for the product release ... there was some clamor that there were much better alternatives. In one "truth is stranger than fiction" moment there was a response that effectively said that one of the other editors being better & more mature than xedit ... was the fault of the author of the other editor ... and therefore it was his responsibility to improve xedit to fix the deficiencies (almost totally orthogonal to selecting one of the alternatives for product release, in place of xedit).

--
virtualization experience starting Jan1968, online at home since Mar1970
