List of Archived Posts

2009 Newsgroup Postings (08/23 - 09/13)

Lawsuit seeks to pry information from banks on account breaches
Does this count as 'computer' folklore?
Does this count as 'computer' folklore?
Does this count as 'computer' folklore?
Hacker charges also an indictment on PCI, expert says
Need new 3270 emulator: SSH, inexpensive, reliable
FBI arrests programmer for stolen software
Need new 3270 emulator: SSH, inexpensive, reliable
Need new 3270 emulator: SSH, inexpensive, reliable
Cyber crooks increasingly target small business accounts
Does this count as 'computer' folklore?
Does this count as 'computer' folklore?
Need new 3270 emulator: SSH, inexpensive, reliable
PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
The Art of Creating Strong Passwords
Need new 3270 emulator: SSH, inexpensive, reliable
comp.arch has made itself a sitting duck for spam
August 7, 1944: today is the 65th Anniversary of the Birth of the Computer
Does this count as 'computer' folklore?
Big, beautiful boxes from computer history
Does this count as 'computer' folklore?
The Art of Creating Strong Passwords
PCI SSC Seeks standard for End to End Encryption?
Need new 3270 emulator: SSH, inexpensive, reliable
Does this count as 'computer' folklore?
IBM 2741 - may be nostalgic for some
comp.arch has made itself a sitting duck for spam
Origin of "fork"
PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
Where Have You Gone, Bell Labs?
As Internet turns 40, barriers threaten its growth
comp.arch has made itself a sitting duck for spam
comp.arch has made itself a sitting duck for spam
Does this count as 'computer' folklore?
IBM Poughkeepsie?
IBM Poughkeepsie?
comp.arch has made itself a sitting duck for spam
comp.arch has made itself a sitting duck for spam
33 Years In IT/Security/Audit
ACP, One of the Oldest Open Source Apps
PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
August 7, 1944: today is the 65th Anniversary of the Birth of the Computer
PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
Convert DB2 on z/OS to UDB on z/Linux
August 7, 1944: today is the 65th Anniversary of the Birth of the Computer
PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
August 7, 1944: today is the 65th Anniversary of the Birth of the Computer
PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
Hacker charges also an indictment on PCI, expert says
Hacker charges also an indictment on PCI, expert says
August 7, 1944: today is the 65th Anniversary of the Birth of the Computer
Chip with PIN or Chip with signature
Online banking: Which bank is the most secure?
August 7, 1944: today is the 65th Anniversary of the Birth of the Computer
August 7, 1944: today is the 65th Anniversary of the Birth of the Computer
Tell me something about how you use signature files!
Declare War on SQL Injection Attacks
Ikea type font change
Ikea type font change
Definition of a computer?
Ikea type font change
August 7, 1944: today is the 65th Anniversary of the Birth of the Computer
August 7, 1944: today is the 65th Anniversary of the Birth of the Computer
What happened to computer architecture (and comp.arch?)
August 7, 1944: today is the 65th Anniversary of the Birth of the Computer
European Banks Warned: Brace for Rise in Cash Machine Fraud
What happened to computer architecture (and comp.arch?)
European Banks Warned: Brace for Rise in Cash Machine Fraud
Definition of a computer?
U.S. students behind in math, science, analysis says
Client Certificate UI for Chrome?
Definition of a computer?
August 7, 1944: today is the 65th Anniversary of the Birth of the Computer
Definition of a computer?
ATMs by the Numbers
Continous Systems Modelling Package
Definition of a computer?
Definition of a computer?
ATMs by the Numbers
Existence of early 360 software ( was Re: Continous Systems Modelling Package)
A Faster Way to the Cloud
A Faster Way to the Cloud
ATMs by the Numbers
A Faster Way to the Cloud
A Faster Way to the Cloud
ATMs by the Numbers
Voltage SecureData Now Provides Distributed End-to-End Encryption of Sensitive Data
Continous Systems Modelling Package
Continous Systems Modelling Package
Audits V: Why did this happen to us ;-(
A Faster Way to the Cloud

Lawsuit seeks to pry information from banks on account breaches

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Lawsuit seeks to pry information from banks on account breaches
Date: 23 Aug, 2009
Blog: Financial Crime Risk, Fraud and Security
Lawsuit seeks to pry information from banks on account breaches
http://www.computerworld.com/s/article/9136969/Lawsuit_seeks_to_pry_information_from_banks_on_account_breaches_

from above:
Anti-spam company Unspam Technologies filed a lawsuit on Wednesday aimed, in a somewhat roundabout way, at forcing banks to divulge any information they might have about hacking activities affecting their customer accounts.

... snip ...

related to the above:

Real-Time Keyloggers
http://it.slashdot.org/story/09/08/23/2015208/Real-Time-Keyloggers

from above:
The case was filed in order to compel the banks -- which are almost as secretive as the cyber-crooks -- to reveal information such as IP addresses that could lead back to the miscreants ... The technique menaces the 2-factor authentication that some banks have instituted:

... snip ...

Two-factor banking security systems threatened by Trojan
http://www.computerweekly.com/Articles/2008/01/31/229191/two-factor-banking-security-systems-threatened-by-trojan.htm

Part of EU FINREAD from decade ago was targeted at such vulnerability ... some recent posts mentioning EU FINREAD
https://www.garlic.com/~lynn/2009d.html#38 Internet threat: Hackers swarm bank accounts
https://www.garlic.com/~lynn/2009d.html#2 Cyber attackers empty business accounts in minutes

other misc. past posts mentioning EU FINREAD
https://www.garlic.com/~lynn/subintegrity.html#finread

EU FINREAD activity seemed to evaporate with the rapidly spreading opinion that chipcards weren't practical in the consumer market ... a couple recent posts discussing some of the circumstances:
https://www.garlic.com/~lynn/2009l.html#61
https://www.garlic.com/~lynn/2009l.html#64

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Does this count as 'computer' folklore?

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Does this count as 'computer' folklore?
Newsgroups: alt.folklore.computers
Date: Mon, 24 Aug 2009 17:26:25 -0400
"Charlie Gibbs" <cgibbs@kltpzyxm.invalid> writes:
Our crowning achievement was the "Great Wall of Computer Paper" caper. The cards and paper were stored in an office near the student terminal. During the day it was also staffed by teaching assistants who would help out newbies with their programming problems.

during some period of gov. litigation there was a document retention decree for all paper ... which included computer stuff. at one point, at one lab, they were clearing office areas and filling something like three offices/week, wall-to-wall, floor-to-ceiling with paper (mostly green-bar computer output). it had begun to be a bldg. floor loading problem.

i have some vague recollection about gov. finally qualifying the requirement ... so the retention requirement was not quite so onerous ... after they asked for some subset to be delivered ... and the subset delivered was measured in large number of boxcars.

a completely different story was the password rules printed on corporate letterhead and posted to corporate bulletin boards. after that ... all corporate letterhead paper was put under lock & key. old posts with copy of the password rules corporate directive:
https://www.garlic.com/~lynn/2001d.html#52 OT Re: A beautiful morning in AFM.
https://www.garlic.com/~lynn/2001d.html#53 April Fools Day
https://www.garlic.com/~lynn/2008p.html#42 Password Rules

part of the problem ... was some number of people, even after reading in on bldg. bulletin boards, didn't recognize it's April 1st date (even with April 1st having been on Sunday that year).

slightly related 6670 story (having been deployed in departmental supply areas around the bldg ... which somebody over the weekend had used to print the Sunday, April 1st, Corporate Directive and distribute to bldg. building boards) ... was incident involving periodic corporate security audit ... part of which was after-hrs sweep looking for classified information being left out (including classified documents being printed on departmental 6670s and being left out) ... recent post on the subject:
https://www.garlic.com/~lynn/2009l.html#19 Disksize history question

as mentioned corporate security auditors took exception with finding 6670 output with definition of auditors on the separator page (believing that it had been done on purpose) ... it was just one of the random selections from the 6670 file that was printed on 6670 separator page:

[Business Maxims:] Signs, real and imagined, which belong on the walls of the nation's offices:
1) Never Try to Teach a Pig to Sing; It Wastes Your Time and It Annoys the Pig.
2) Sometimes the Crowd IS Right.
3) Auditors Are the People Who Go in After the War Is Lost and Bayonet the Wounded.
4) To Err Is Human -- To Forgive Is Not Company Policy.


... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Does this count as 'computer' folklore?

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Does this count as 'computer' folklore?
Newsgroups: alt.folklore.computers
Date: Tue, 25 Aug 2009 10:22:05 -0400
jmfbahciv <jmfbahciv@aol> writes:
I had an experience the other day which gave me the impression that those bar codes include an item number. I bought the wrong size of sweat pants and had already paid for it. To get the correct size, I had to go through the returns register line. She had to wait until the data, which contained my purchase transaction, had been written out before the code would allow her to enter it as returned. I paid cash so this was not a credit card data base problem.

SKU ... frequently two parts ... vendor and item type. It can go directly into retailers central computer for things like restocking. sometimes you go into a local store looking for an item (say in particular size) ... and if they don't have it ... they can check "the computer" for other stores in the area that might have it (or other stores in the country that might be able to overnight it).

UPC (bar-code, product-level data)
https://en.wikipedia.org/wiki/Universal_Product_Code
https://en.wikipedia.org/wiki/Barcode

above as story of invention of UPC barcode at IBM

EPC (rfid chip, item-level data) wiki pages:
https://en.wikipedia.org/wiki/Electronic_Product_Code
https://en.wikipedia.org/wiki/EPCglobal

in the mid-90s, there were quite a few comments that inhibitor to chip-security in payment cards ... was cost of the chips. we made some statements we would take $500 milspec item and aggresively cost reduct by 2-3 orders of magnitude while improving the integrity. basically, in volume ... chips are cost of wafer and the number of chips that can be gotten from wafer.

we ran into problem that EPC also ran into ... the number of chips from a wafer was starting to be limited by the size of the cut in wafer slicing & dicing (i.e. reducing circuit size and the resulting smaller chips were getting to chip area that was smaller than the area of the cuts).

For EPC, new cutting technology was developed that involved much smaller wafer area (allowing further significant increase in chips per wafer and corresponding significant cost per chip reduction). Other kinds of chips (like common PC processor chips) were avoiding the problem by keeping the size of the chip relatively constant, as circuit size decreased, by increasing circuits per chip.

The patent portfolio for UPC & barcodes is possibly also "famous". This came up when working on claims for related (assigned, i.e. no rights) patents ... mentioned in this recent post
https://www.garlic.com/~lynn/2009h.html#8

at a point when the claims looked like they were around >60 patent applications and would possible be 100+ patent applications before finished ... the patent attorneys were starting to make reference to the "barcode patent portfolio". As mentioned in the above ... at that point somebody looked at cost of filing so many patents around the world and directed that the claims be repackaged as nine patent applications.

A couple references to some unfortunate (other) deployments of "secure" hardware token products in the period resulted in rapid spreading opinion that chipcards weren't practical in the consumer market place (and big pullback in deployments of secure hardware tokens):
https://www.garlic.com/~lynn/2009l.html#61 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#64 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009m.html#0 Lawsuit seeks to pry information from banks on account breaches

One possible objective for EPC was to position track (say plactic tube at back of shelves). An RFID sensor could travel down the track at end of shift and do item-level inventory ... being able to correlate what is in the computer and what is on the shelves ... possibly indication of employee theft.

Barcode and SKU codes also show up with regard to "level-III" data for payment card transactions. Payment card issuers started marketing "commercial cards" to companies ... which could be issued to employees for purchases. The backend issuing systems were enhanced with additional approval rules (in addition to things like current credit limit and zip-code). Company could specify rules that limited card use to specific kind of stores (merchant MCC-code, provided in transaction as part of the infrastructure) or to specific merchant or to specific store (doesn't involve level-III data). Appropriately enabled merchants could also include (barcode-scanned), SKU-level data in the electronic transactions (as "level-III" data) ... allowing business rules to control purchases down to the SKU-level.

a couple descriptions of level I, level II, and level III data:
http://www.mymerchantaccountblog.com/2007/04/level-i,-level-ii,-level-iii-data
http://www.gotmerchant.com/level3_credit_card_processing.php

past posts mentioning making (semi-facetious) comments about taking $500 milspec part and aggresively cost reduction at same time improving integrity
https://www.garlic.com/~lynn/aadsm13.htm#18 A challenge
https://www.garlic.com/~lynn/aadsm15.htm#6 x9.59
https://www.garlic.com/~lynn/aadsm21.htm#11 Payment Tokens
https://www.garlic.com/~lynn/aadsm21.htm#26 X.509 / PKI, PGP, and IBE Secure Email Technologies
https://www.garlic.com/~lynn/aadsm22.htm#40 FraudWatch - Chip&Pin, a new tenner (USD10)
https://www.garlic.com/~lynn/aadsm24.htm#23 Use of TPM chip for RNG?
https://www.garlic.com/~lynn/aadsm24.htm#52 Crypto to defend chip IP: snake oil or good idea?
https://www.garlic.com/~lynn/aadsm27.htm#37 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#50 If your CSO lacks an MBA, fire one of you
https://www.garlic.com/~lynn/aadsm28.htm#16 Dutch Transport Card Broken
https://www.garlic.com/~lynn/aadsm28.htm#49 Price point
https://www.garlic.com/~lynn/2002n.html#18 Help! Good protocol for national ID card?
https://www.garlic.com/~lynn/2005u.html#26 RSA SecurID product
https://www.garlic.com/~lynn/2005u.html#32 AMD to leave x86 behind?
https://www.garlic.com/~lynn/2007i.html#5 John W. Backus, 82, Fortran developer, dies
https://www.garlic.com/~lynn/2007i.html#66 John W. Backus, 82, Fortran developer, dies
https://www.garlic.com/~lynn/2007k.html#53 My Dream PC -- Chip-Based
https://www.garlic.com/~lynn/2007l.html#8 John W. Backus, 82, Fortran developer, dies
https://www.garlic.com/~lynn/2007l.html#12 My Dream PC -- Chip-Based
https://www.garlic.com/~lynn/2007l.html#35 My Dream PC -- Chip-Based
https://www.garlic.com/~lynn/2007s.html#59 Translation of IBM Basic Assembler to C?
https://www.garlic.com/~lynn/2007u.html#5 Public Computers
https://www.garlic.com/~lynn/2007u.html#11 Public Computers
https://www.garlic.com/~lynn/2007u.html#70 folklore indeed
https://www.garlic.com/~lynn/2008j.html#33 What is "timesharing" (Re: OS X Finder windows vs terminal window weirdness)
https://www.garlic.com/~lynn/2008j.html#44 What is "timesharing" (Re: OS X Finder windows vs terminal window weirdness)
https://www.garlic.com/~lynn/2008l.html#61 Osama bin Laden gets a cosmetic makevover in his British Vanity Passport
https://www.garlic.com/~lynn/2008n.html#48 In your experience which is a superior debit card scheme - PIN based debit or signature debit?
https://www.garlic.com/~lynn/2008o.html#40 Signposts on the US Government's Trail of IT Failures
https://www.garlic.com/~lynn/2008p.html#11 Can Smart Cards Reduce Payments Fraud and Identity Theft?
https://www.garlic.com/~lynn/2008p.html#46 Would you say high tech authentication gizmo's are a waste of time/money/effort?
https://www.garlic.com/~lynn/2009b.html#28 Online-Banking Authentication
https://www.garlic.com/~lynn/2009d.html#26 Return of the Smart Card?
https://www.garlic.com/~lynn/2009e.html#21 ATMs At Risk
https://www.garlic.com/~lynn/2009g.html#62 Solving password problems one at a time, Re: The password-reset paradox
https://www.garlic.com/~lynn/2009h.html#54 64 Cores -- IBM is showing a prototype already

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Does this count as 'computer' folklore?

Refed: **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Does this count as 'computer' folklore?
Newsgroups: alt.folklore.computers
Date: Tue, 25 Aug 2009 13:07:54 -0400
jmfbahciv <jmfbahciv@aol> writes:
I had an experience the other day which gave me the impression that those bar codes include an item number. I bought the wrong size of sweat pants and had already paid for it. To get the correct size, I had to go through the returns register line. She had to wait until the data, which contained my purchase transaction, had been written out before the code would allow her to enter it as returned. I paid cash so this was not a credit card data base problem.

re:
https://www.garlic.com/~lynn/2009m.html#2 Does this count as 'computer' folklore?

stock control, anti-fraud, and/or point-of-sale fraud insurance may require matching returns to purchases

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Hacker charges also an indictment on PCI, expert says

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Hacker charges also an indictment on PCI, expert says
Date: 25 Aug, 2009
Blog: Financial Crime Risk, Fraud and Security
re:
https://www.garlic.com/~lynn/2009l.html#50 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#53 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#61 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#64 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#68 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009m.html#0 Lawsuit seeks to pry information from banks on account breaches

a few more related news items ...

U.S. payment-card industry grapples with security
http://www.msnbc.msn.com/id/32541650/ns/technology_and_science-security/
U.S. payment-card industry grapples with security
http://www.reuters.com/article/smallBusinessNews/idUSTRE57N4LQ20090824
U.S. payment-card industry grapples with security
http://ph.news.yahoo.com/rtrs/20090825/tbs-business-us-hackers-7318940.html

Identity theft: Miami hacker cyberthief of the century?
http://www.palmbeachpost.com/localnews/content/state/epaper/2009/08/23/0823hacker.html
Hacker Ring Tied To Major Breaches Just Tip Of The Iceberg
http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=219401263

another news item

Electronic Theft Occurring Despite Security Measures
http://www.redorbit.com/news/technology/1742429/electronic_theft_occurring_despite_security_measures/index.html

for slight drift, recent post in a.f.c. newsgroup regarding getting aads chip strawman on same price curve as EPC RFID chips (looking for cents per chip after improving integrity over $500 milspec chip)
https://www.garlic.com/~lynn/2009m.html#2 Does this count as 'computer' folklore

What is wierd is a AADS patent application long after we are gone (my position was eliminated nearly 4yrs ago)
https://www.garlic.com/~lynn/aadssummary.htm

For other trivia ... at the time ECC was invented ... one of the people credited with inventing ECC was in the YKT math department ... which I was working with on various crypto things ... some old crypto symmetric and asymmetric email from the 80s
https://www.garlic.com/~lynn/lhwemail.html#crypto

including old email discussing proposal for PGP-like (public key) email
https://www.garlic.com/~lynn/2007d.html#email810506
https://www.garlic.com/~lynn/2006w.html#email810515

a decade before PGP (and coming up on nearly three decades ago now).

Note that, as per previous posts, a decade ago, EU FINREAD included countermeasure to keylogging PINs ... and at POS we repeatedly stated (back to original/early x9.59 standard work in the mid-90s) that cellphone/PDAs with personal key-entry, was countermeasure to large number of different kinds of POS terminal compromises (effectively attempting to achieve similar purposes as the EU FINREAD objectives ... but at POS).

misc. posts mentioning X9.59 work
https://www.garlic.com/~lynn/subpubkey.html#x959

misc. posts mentioning EU FINREAD
https://www.garlic.com/~lynn/subintegrity.html#finread

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Need new 3270 emulator: SSH, inexpensive, reliable

Refed: **, - **, - **, - **
From: lynn@GARLIC.COM (Anne & Lynn Wheeler)
Subject: Re: Need new 3270 emulator: SSH, inexpensive, reliable
Newsgroups: bit.listserv.ibm-main
Date: 25 Aug 2009 12:13:52 -0700
mpost@NOVELL.COM (Mark Post) writes:
SSH depends on SSL to do its encryption.

SSH & SSL both do public key operations

SSL(/TLS) has bunch of stuff in the protocol with (public key) digital certificates.

SSH protocol doesn't require digital certificates for its public key operations.

some "open" ssh references:
http://www.openssh.com/
https://en.wikipedia.org/wiki/OpenSSH

"features"
http://www.openssh.com/features.html

the above describes that OpenSSH supports the following symmetric cryptography (after exchanging symmetric cryptography key using public key operation): 3DES, Blowfish, AES, Arcfour.

It does mention that some code for licensed or patented components may be from external libraries (like OpenSSL) ... although not 3DES, Blowfish, AES, or Arcfour.

I guess that wouldn't preclude a totally different SSH implementation from borrowing something like AES (or Blowfish) encryption implementation from a SSL library (and depending how packaged ... possibly dependent on SSL package to work ... as opposed to including the code in SSH package).

reference to OpenSSH Public Key Authentication
http://sial.org/howto/openssh/publickey-auth/

some "open" SSL references:
http://www.openssl.org/
https://en.wikipedia.org/wiki/OpenSSL

the above mentions that OpenSSL supports the following symmetric cryptography (after exchanging symmetric cryptography key using public key operation): Blowfish, Camellia, DES, RC2, RC4, RC5, IDEA, AES.

also (symmetric cryptography) DES wiki page
https://en.wikipedia.org/wiki/Data_Encryption_Standard
AES wiki page
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Blowfish wiki page
https://en.wikipedia.org/wiki/Blowfish_%28cipher%29

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

FBI arrests programmer for stolen software

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: FBI arrests programmer for stolen software
Newsgroups: alt.folklore.computers
Date: Tue, 25 Aug 2009 15:41:26 -0400
greymausg writes:
I read that article. Russian, wasn't he?. I thought that 'instant' stock gambling was banned back in the 1980's.

i think he was employee/programmer and then possibly walked away with some of it.

Programmer charged with stealing Wall Street-ware
http://www.theregister.co.uk/2009/07/06/goldman_sachs_trading_code/
NJ man charged with stealing Goldman Sachs data
http://www.forbes.com/feeds/ap/2009/07/06/ap6622080.html
Computer programmer arrested for Goldman Sachs theft
http://www.computerweekly.com/Articles/2009/07/07/236790/computer-programmer-arrested-for-goldman-sachs-theft.htm
Ex-Goldman programer out on bail in theft case
http://news.yahoo.com/s/nm/20090706/ts_nm/us_goldman_arrest_13
Ex-Goldman Worker Is Arrested
http://online.wsj.com/article/SB124688855704700671.html
Goldman's Alleged Code Thief Makes Bail
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=227900228
Goldman Trading-Code Investment Put at Risk by Theft
http://www.bloomberg.com/apps/news?pid=20601087
http://www.bloomberg.com/apps/news?pid=20601087&sid=ajIMch.ErnD4
Programmer charged with stealing Goldman code freed on bail Cybercrime
http://www.securecomputing.net.au/News/149551,programmer-charged-with-stealing-goldman-code-freed-on-bail.aspx
Ex-Goldman Sachs exec arrested for stealing code
http://www.fiercecio.com/story/ex-goldman-sachs-exec-arrested-stealing-code/2009-07-07
Ex-Goldman Programmer Detailed His Code Downloads to FBI Agent
http://www.bloomberg.com/apps/news?pid=20601087
http://www.bloomberg.com/apps/news?pid=20601087&sid=aSDxSdMlPTXU
Ex-Goldman Programmer Described Code Downloads to FBI
http://www.bloomberg.com/apps/news?pid=newsarchive
http://www.bloomberg.com/apps/news?pid=newsarchive&sid=a2GvteRoihQE
Goldman grabs hi-tech hacker
http://www.guardian.co.uk/business/2009/jul/12/goldman-sachs-sergey-aleynikov

and then there is:

Where Goldman Really Makes Its Money
http://www.forbes.com/2009/07/24/goldman-sachs-high-frequency-intelligent-investing-new-york-times.html

and from this description:

Goldman Sachs caught with their pants down?
http://financialcryptography.com/mt/archives/001175.html

from above:
The unbacked, unevidenced allegation in the popular blogs is this: the code that was stolen might be been the code that drove a system that "saw" others' trades before they could be executed. More technically, it is claimed:

The big ticket, the magic wand for a rogue quant shop is technology to grab off FIX PROTOCOL, OCX, or SWIFT messages that precede every transaction_commit at the Exchanges.


... snip ...

the above then goes into some more discussion of how to take financial advantage of such a capability.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Need new 3270 emulator: SSH, inexpensive, reliable

Refed: **, - **, - **
From: lynn@GARLIC.COM (Anne & Lynn Wheeler)
Subject: Re: Need new 3270 emulator: SSH, inexpensive, reliable
Newsgroups: bit.listserv.ibm-main
Date: 25 Aug 2009 13:18:56 -0700
gibney@WSU.EDU (Gibney, Dave) writes:
You are not correct. You can make SSL optional and therefore clear if it is not used, if the connection is secure, all data (including Userid/password) is encrypted.

re:
https://www.garlic.com/~lynn/2009m.html#5 Need new 3270 emulator: SSH, inexpensive, reliable

most SSL implementations just has the client validating the server's digital certificate and then validating whether or not the domain name claimed in the digital certificate corresponds to the domain name in the URL used to contact the server (countermeasure to ip-address hijacking). then the server's public key is used to exchange a symmetric key ... for encryption of the actual session (des, aes, blowfish, whatever). then, once the encrypted session is established, client typically presents userid/password for authentication.

we had been called in to consult with a small client/server startup that wanted to do payment transactions on their server ... and the startup had invented this technology called SSL that they wanted to use. As part of that deployment ... now frequently called "electronic commerce" ... we had to investigate some number of these new operations called "Certification Authorities" that were issuing things called "digital certificates".

Also as part of deploying a payment gateway ... requiring SSL for payment transactions between the webserver and the payment network ... we mandated "mutual authentication" ... which hadn't yet been implemented at the time (aka client does public key authentication of the server ... and the server does public key authnetication of the client ... no passwords). By the time we were done ... the payment gateway operation looked much more like SSH ... since both the payment gateway and the webservers had preregistered information about each other (the things called "digital certificates" became purely artificial side-effect of the SSL code library being used). misc. past posts mentioning original payment gateway deployment
https://www.garlic.com/~lynn/subnetwork.html#gateway

SSH has the advantage (compared to typical SSL use) that both parties does "mutual" public key authentication of the other party w/o requiring digital certificates and w/o requiring passwords.

some number of generic past posts mentioning public key operations w/o using (redundant and superfluous) digital certificates.
https://www.garlic.com/~lynn/subpubkey.html#certless

the other issue with SSL ... was that there were some number of requirements about how it was implemented and deployed in order to satisfy security requirements ... many of which were almost immediately violated ... and have subsequently, over the past 15 yrs or so ... have led to a whole lot of exploits and compromises. part of it involves the complexity and indirection introduced by these things called "digital certificates". some number of past posts mentioning SSL (domain name) digital certificates
https://www.garlic.com/~lynn/subpubkey.html#sslcerts

and from long ago and far away ... nearly three decade old email discussing for a PGP-like (certificate-less) public key implementation on the internal network:
https://www.garlic.com/~lynn/2007d.html#email810506
https://www.garlic.com/~lynn/2006w.html#email810515

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Need new 3270 emulator: SSH, inexpensive, reliable

From: lynn@GARLIC.COM (Anne & Lynn Wheeler)
Subject: Re: Need new 3270 emulator: SSH, inexpensive, reliable
Newsgroups: bit.listserv.ibm-main
Date: 25 Aug 2009 13:54:12 -0700
lynn@GARLIC.COM (Anne & Lynn Wheeler) writes:
we had been called in to consult with a small client/server startup that wanted to do payment transactions on their server ... and the startup had invented this technology called SSL that they wanted to use. As part of that deployment ... now frequently called "electronic commerce" ... we had to investigate some number of these new operations called "Certification Authorities" that were issuing things called "digital certificates".

re:
https://www.garlic.com/~lynn/2009m.html#5 Need new 3270 emulator: SSH, inexpensive, reliable
https://www.garlic.com/~lynn/2009m.html#7 Need new 3270 emulator: SSH, inexpensive, reliable

for a little x-over from this recent thread:
https://www.garlic.com/~lynn/2009l.html#66 ACP, One of the Oldest Open Source Apps

two of the people mentioned in this reference to Jan92 meeting
https://www.garlic.com/~lynn/95.html#13

later left and show up at the small client/server startup responsible for something called "commerce server" ... and wanting to do payment transactions on their server (by that time we had also left) ... now frequently referred to as "electronic commerce".

the resultig "payment gateway" gateway ... I periodically refer to as the original SOA
https://www.garlic.com/~lynn/subnetwork.html#gateway

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Cyber crooks increasingly target small business accounts

Refed: **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Cyber crooks increasingly target small business accounts
Date: 25 Aug, 2009
Blog: Financial Crime Risk, Fraud and Security
Cyber crooks increasingly target small business accounts
http://www.networkworld.com/news/2009/090709-european-banks-warned-brace-for.html

from above:
The NACHA electronic payments association is warning its 15,000 member of increasing attacks by cyber criminals on small businesses using electronic payment networks.

... snip ...

related articles:

Banks Urge Businesses To Lock Down Online Banking
http://it.slashdot.org/story/09/08/25/2033206/Banks-Urge-Businesses-To-Lock-Down-Online-Banking
Tighter Security Urged for Businesses Banking Online
http://voices.washingtonpost.com/securityfix/2009/08/tighter_security_measures_urge.html
European Cyber-Gangs Target Small U.S. Firms, Group Says
http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html
Businesses Reluctant to Report Online Banking Fraud
http://voices.washingtonpost.com/securityfix/2009/08/businesses_reluctant_to_report.html

from above:
A confidential alert sent on Friday by a banking industry association to its members warns that Eastern European cyber gangs are stealing millions of dollars from small to mid-sizes businesses through online banking fraud. Unfortunately, many victimized companies are reluctant to come forward out of fear of retribution by their bank.

... snip ...

slightly related discussion about presentations in the early-to-mid 90s from online home banking (dial-up modems) talking about moving to the internet .... but most of the online cash management/business operations claiming that they would never move to the internet because of security concerns in related thread (news article) "Cyber attackers empty business accounts in minutes":
https://www.garlic.com/~lynn/2009k.html#77
https://www.garlic.com/~lynn/2009l.html#0
https://www.garlic.com/~lynn/2009l.html#2
https://www.garlic.com/~lynn/2009l.html#6
https://www.garlic.com/~lynn/2009l.html#20

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Does this count as 'computer' folklore?

Refed: **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Does this count as 'computer' folklore?
Newsgroups: alt.folklore.computers
Date: Wed, 26 Aug 2009 08:43:37 -0400
jmfbahciv <jmfbahciv@aol> writes:
sure. I figured that's why the delay. However, there wasn't any way to correlate what I bought (which was a cash transaction) with the piece of clothing other than a serial number (I should have used that term rather than item number) of the item I bought. If each item does have a serial number encoded in the bar code, that's a lot of numbers to keep track of in a grocery store.

re:
https://www.garlic.com/~lynn/2009m.html#2 Does this count as 'computer' folklore?
https://www.garlic.com/~lynn/2009m.html#3 Does this count as 'computer' folklore?

UPC/barcode has been product number ... and inventory control will know how many has been delivered ... and decrement as that particular product has been sold.
https://en.wikipedia.org/wiki/Universal_Product_Code
https://en.wikipedia.org/wiki/Barcode

"UPC encodes 12 decimal digits", first digit is prefix and last digit is error correcting digit.

above has some description of prefix use; exp: "5": Coupons; "LLLLL" manufacturer code, 1st "RRR" family code, 2nd "RR" coupon code (determines amount of the discount).

EPC (with rfid chips) can have enuf digits to have individual item serial number.
https://en.wikipedia.org/wiki/Electronic_Product_Code
https://en.wikipedia.org/wiki/EPCglobal

... from above ...
All EPC numbers contain a header identifying the encoding scheme that has been used. This in turn dictates the length, type and structure of the EPC. EPC encoding schemes frequently contain a serial number which can be used to uniquely identify one object.

... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Does this count as 'computer' folklore?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Does this count as 'computer' folklore?
Newsgroups: alt.folklore.computers
Date: Wed, 26 Aug 2009 08:59:05 -0400
jmfbahciv <jmfbahciv@aol> writes:
Kewl. But how did the computer know that the sweat pants I had just purchased was the sweat pants I was returning? another person could have been returning the same item. I concluded that the bar code had to have some kind of serial number that was unique over all items of that kind.

If the number is unique, when do these things get tagged? And where are the tags printed out? I'd have to examine the tags more closely, but ISTR that the tags are the manufacturer's tags, not the grocery store's.


re:
https://www.garlic.com/~lynn/2009m.html#2 Does this count as 'computer' folklore?
https://www.garlic.com/~lynn/2009m.html#3 Does this count as 'computer' folklore?
https://www.garlic.com/~lynn/2009m.html#10 Does this count as 'computer' folklore?

kind of fraud ... isn't the serial number of the pants ... it is things like how much did you pay. there have been scams with discount coupons and fraudulent receipts ... where return is claiming that full price was paid when actually a discounted price was paid. they weren't waiting for the transaction to verify the serial number of the pants (it being the item kind of pants was sufficient).

as a countermeasure it may be that the return process has been implemented only using the account record generated by the original transaction. if the account record for the original transaction doesn't exist ... the return process doesn't have an account record in order to execute (possibly analogous trying to do a credit card transaction for an account that doesn't exist).

return process may not actually create its own record ... it may only update a record that has been created by the original transaction.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Need new 3270 emulator: SSH, inexpensive, reliable

Refed: **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Need new 3270 emulator: SSH, inexpensive, reliable
Newsgroups: bit.listserv.ibm-main
Date: Wed, 26 Aug 2009 15:40:06 -0400
steve.finch@EDS.COM (Finch, Steve) writes:
Most VPNs do not encrypt the connection from endpoint to endpoint, which is what is PCI requires. The VPN would need to start on the mainframe and go all the way to the PC. Most VPN run on a appliance (server), a hop away from the mainframe. The "last hop" blows' the PCI

original VPN introduced in gateway committee meeting at Fall '94 IETF (internet standards) meeting was gateway-to-gateway (or at least router-to-router) encryption; basically support for something like branch office to tunnel (encrypted) "intranet" connection through the internet (eliminating requiring dedicated line).

Later VPN technology was introduced for individual PCs ... to tunnel (encrypted) remote (home, travelling, road warrier, etc) corporate work through the internet. This eliminated corporations requiring their own private dial-up modem pools (caveat, some corporations opened up remote internet access ... w/o actually requiring encrypted traffic through the internet).

One of the early versions of PC VPN was in the mid-90s regarding online (dialup) home banking moving to the internet ... a big justification was eliminating large racks of dialup modems at the financial institutions supporting proprietary dial-up operations (also eliminating lots of trouble calls from clients regarding the mechanics of PC operating system and drivers supporting serial port modems).

Some of these "PC" implementations were not quite end-to-end ... encryption originating at the PC through the internet to some network box at the institutional end, which handles decryption ... before forwarding to destination mainframe/server.

A well known attack vector, even by the late 90s, for remote PC VPNs (even when encrypted end-to-end) ... were PC zombies ... since they had to have a valid internet connection in order to create the VPN (encrypted) "tunnel" ... a zombie infection on the PC could act as gateway ... forwarding attack traffic coming in via the internet connection and back out through the VPN tunnel, into the corporate intranet.

Some number of VPN software products (for remote PCs) tend to also be packaged with software that attempts to counter such exploits (especially those PC VPN products targeted at the corporate business market).

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

PCI Council Releases Recommendations For Preventing Card-Skimming Attacks

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
Date: 27 Aug, 2009
Blog: Payment Systems Nework
PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
http://www.darkreading.com/security/government/showArticle.jhtml?articleID=219401468

from above:
New best practices are aimed at helping retailers -- especially small merchants -- but security experts say skimming risk runs deeper

... snip ...

archived posts ... in related breach/PCI news thread:
https://www.garlic.com/~lynn/2009l.html#50
https://www.garlic.com/~lynn/2009l.html#53
https://www.garlic.com/~lynn/2009l.html#61
https://www.garlic.com/~lynn/2009l.html#64
https://www.garlic.com/~lynn/2009l.html#68
https://www.garlic.com/~lynn/2009m.html#4

There are (possibly hundreds of) millions of places around the world where account numbers exist ... and in the current paradigm ... are required to never be exposed/divulged (even presenting card at POS exposes the account number) ... is one of the reasons in the mid-90s that the X9A10 financial standard working group slightly tweaked the paradigm (in the x9.59 financial standard) and eliminated exposing the account number as threat/vulnerability. The X9A10 financial standard working group had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments.

Since then we've used a few metaphors to characterize the existing paradigm

security proportional to risk vulnerability; in the current paradigm, the value of the information to the merchant is the profit on the transaction (possibly a couple dollars) and the value of the information to the processor can be a few cents per transaction ... while the value of the information to the crooks can be the credit limit and/or account balance (the crooks attacking the infrastructure may be able to outspend the merchant & processor defenders by a factor of one hundred times)

dual-use vulnerability; in the current paradigm, the knowledge of the account number may be sufficient to perform a fraudulent transaction (effectively authentication, as such it needs to be kept confidential and never divulged anywhere) ... while at the same time the account number needs to be readily available for a large number of business processes. The conflicting requirements (never divulged and at the same time readily available) has led to comments that even if the planet was buried under miles of information hiding encryption, it still couldn't prevent information leakage.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

The Art of Creating Strong Passwords

Refed: **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: The Art of Creating Strong Passwords
Date: 27 Aug, 2009
Blog: Information Security Network
The Art of Creating Strong Passwords
http://www.computerworld.com/s/article/9137038/The_Art_of_Creating_Strong_Passwords?taxonomyId=17
The Art of Creating Strong Passwords
http://www.pcworld.com/businesscenter/article/170662/the_art_of_creating_strong_passwords.html
The Art of Creating Strong Passwords
http://www.networkworld.com/news/2009/082509-cyber-crooks-increasingly-target-small.html

from above:
While security has never been more important than it is today, the fastest way for an IT professional to become the most despised person in the company is to start enforcing a strong password policy. A policy perceived as overbearing may cause people to..

... snip ...

40 yrs ago, people need one or two (or no) passwords.

rules were written to make them impossible to guess (and nearly impossible to remember) ... as well as requiring them to be change frequently

since passwords are shared-secrets ... passwords in different security domains have to be unique (as countermeasure to x-domain attacks).

the impossible to remember password rules from 40yrs ago haven't changed a lot ... except passwords have greatly proliferated ... no an individual might have large scores of shared-secrets ... all required to be unique, frequently changed and impossible to remember.

the password rules are still written from institutional-centric standpoint as if individuals have one & only one password to manage. however the human factors of those rules scale horribly ... where humans may have scores of such shared-secrets to manage.

article mentioning users violating rule about requiring unique password for every (possibly hundreds) security domain

4chan pwns Christians on Facebook
http://www.theregister.co.uk/2009/08/24/4chan_pwns_christians/

i.e. human factor issues with being forced to remember large scores (or possibly hundreds) of unique hard to guess (and hard to remember) different passwords.

25 yr old April 1st "strong password" corporate directive ... that had been posted to some number of corporate bulletin boards:
https://www.garlic.com/~lynn/2001d.html#52

It created quite a bit of stir because some number of people didn't recognize it as a April 1st memo (an additional hint was that April 1st was a sunday)

The majority of passwords typically are a shared-secret something you know authentication from 3-factor authentication paradigm ... misc. posts
https://www.garlic.com/~lynn/subintegrity.html#3factor

something you have
something you know
something you are

... although there are "password" something you know authentication that aren't shared-secrets ... misc. posts
https://www.garlic.com/~lynn/subintegrity.html#secrets

vast majority of password/pin/secret deployments are of the shared form. Because shared-secrets tend to be known at both ends, is one of the reasons for requiring a unique secret for every unique secret domain (including countermeasure to x-domain attacks) ... leading to proliferation of the number of shared-secrets required ... and human factors of shared-secrets (to large scores or hundreds) scales very poorly (it is major reason given for studies finding 1/3rd of pin-debit cards have the PIN written on card).

There is some difference between the threats & vulnerabilities between "secrets" and shared-secrets. A shared-secret are things like passwords and PINs where the same value is used at both ends (both by person to prove who they are and at the other end to validate that the person has proved who they area). That is one of the reasons that unique shared-secrets are required for different/unique security domains (as countermeasure to x-domain attacks ... say local garage ISP or social networking website and online banking). They are also "static" data and may have (possibly hundreds of) millions of different places where they might harvested, evesdropped, skimmed, etc.

Multi-factor authentication is thot to be more secure because of assumptions about independent threats & vulnerabilities ... for instance something you know PIN is assumed to be countermeasure to lost/stolen something you have token. However, "PIN-debit" cards have been vulnerable to common skimming where both the PIN and the magstripe are havested at the same time (PIN as shared-secret and magstripe information to create counterfeit card).

The proliferation of shared-secrets has terrible human factors scaling ... faced with dealing with large scores of impossible to remember shared-secrets ... people have to resort to recording them. That is major reason given for 1/3rd of PIN-debit cards having PIN written on them.

There are some number of two-factor hardware tokens ... where a PIN is used to activate "personal" hardware token ... since such a PIN is a something you know (personal) secret ... it doesn't have the same threats & vulnerabilities as a shared-secret PIN. These tokens have countermeasures to trivial counterfeiting and frequently aren't "static data" and aren't subject to trivial replay attacks.

Such a token could be person-centric and used for authentication in large number of different security domains. PIN would be countermeasure to simple lost/stolen (and can eliminate possibly 90-95% of the current vulnerabilities). There is trade-off between a single token (or very small number) and unique token per security domain. However, since a major vulnerability for such tokens is lost/stolen ... the most frequent is purse/wallet carrying all such tokens (whether there is only one or multiple ... so having large number re-introduces human factors problems with little security benefit).

We did a lot of work in this area in the mid-90s in conjunction with the X9A10 financial standard working group. One of the claimed inhibitors was the cost of chips for the tokens ...so we facetiously commented that we would take a $500 milspec part ... aggressive cost reduce by 2-3 orders of magnitude while improving the security ... recent posts getting the chip on EPC/RFID cost curve (i.e. the chips they want to replace barcodes on grocery store items)
https://www.garlic.com/~lynn/2009m.html#2

basically (in quantity) chips are the cost of the wafers and the number of chips per wafers. In the late 90s, the chips area was becoming smaller than the area of the cuts used to separate chips in wafers. Next big step was new cutting technology that significantly reduced the cut area ... allowing further significant increases in chips/wafer.

related post in linkedin financial fraud discussion
https://www.garlic.com/~lynn/2009m.html#4

... another part of the effort was that there were lots of institutional resistance to switching from an institutional-centric paradigm (one token per institution or security domain) and a person-centric paradigm ... where the institutions would accept a person provide token. so there some of infrastructure issues addressed on how an institution could accept a person-provided token (we actually could show sucking out additional infrastructure costs in the process)

a semi-custom chip was still several hundred thousand circuits ... a rough cut at fully custom chip design indicated between 20k-40k circuits ... some current "common" processor chips are several hundred million circuits ... so (modulo wafer area for slicing & dicing) a factor of 10000:1 (four orders of magnitude).

then packaging and provisioning starts to dominate token costs ... and so it is necessary to do paradigm changes for further cost reduction (like switching from institutional-centric to person-centric paradigm ... and/or including the few tens of thousand circuits as part of every other chip).

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Need new 3270 emulator: SSH, inexpensive, reliable

From: lynn@GARLIC.COM (Anne & Lynn Wheeler)
Subject: Re: Need new 3270 emulator: SSH, inexpensive, reliable
Newsgroups: bit.listserv.ibm-main
Date: 27 Aug 2009 09:58:45 -0700
wfarrell@US.IBM.COM (Walt Farrell) writes:
So use the VPN technology that's built-in to z/OS (IPSec), and forego using an external appliance.

re:
https://www.garlic.com/~lynn/2009m.html#5 Need new 3270 emulator: SSH, inexpensive, reliable
https://www.garlic.com/~lynn/2009m.html#7 Need new 3270 emulator: SSH, inexpensive, reliable
https://www.garlic.com/~lynn/2009m.html#8 Need new 3270 emulator: SSH, inexpensive, reliable
https://www.garlic.com/~lynn/2009m.html#12 Need new 3270 emulator: SSH, inexpensive, reliable

my view was that at the fall '94 IETF meeting where VPN was introduced in gateway committee ... the ipsec forces got upset ... until they started referring to VPN as "light-weight ipsec" ... which then allowed others to refer to ipsec as "heavy-weight ipsec".

In that era, ipsec required changes to kernel protocol stacks ... which required upgrading kernels. at the time that was a very expensive undertaking (current kernel/system provisioning technologies have somewhat reduced such costs) and represented barrier to uptake.

Both VPN (deployed in router/gateway boxes) and SSL (deployed as part of browsers/applications) side-stepped the delays and inhibitor/barriers to uptake ... that ipsec was having at the time (which then resulted explosion in market penetration & deployments for VPN & SSL).

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

comp.arch has made itself a sitting duck for spam

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: comp.arch has made itself a sitting duck for spam
Newsgroups: comp.arch
Date: Thu, 27 Aug 2009 17:43:11 -0400
Robert Myers <rbmyersusa@gmail.com> writes:
bet-the-company propositions. To be fair, OS/360 was a bet- the-company proposition for IBM, but that was a long time ago.

so was future system (which was going to completely replace 360) ... but was canceled without ever being announced ... some past posts mentioning future system
https://www.garlic.com/~lynn/submain.html#futuresys

fergus/morris book make some claims that it took more than 20 yrs to recover ... recent reference
https://www.garlic.com/~lynn/2009g.html#0

there were also claims that if it had been any company, they wouldn't have survived.

in the 80s, I had sponsored Boyd's briefings at IBM ... he had been head of lightweight fighter plane design at the pentagon ... claimed credit for cutting weight of f15 in half (and significant improvement in f18) ... and responsible for much of f16 design. f20/tigershark also showed a lot of his influence/philosophy ... being significantly cheaper and less complicated than f16, much lower skill level to maintain and much higher ratio of flt hrs to maintenance hrs. There were claims that f20/tigershark fell to heavy lobbying and political influence (from more profitable programs).

boyd had done a 1970 tour in command.of.spook base ... there was some reference to it having been a $2.5B windfall for IBM ... which would have contributed to IBM being able to survive future system. misc. past posts mentioning Boyd
https://www.garlic.com/~lynn/subboyd.html#boyd

boyd has also been credited with battle plan for desert storm and there have been comments that a major problem going into current conflicts was that boyd had died in 1997.

this is something more recent that Boyd would have been in the middle of (if he was still around) regarding drones ...
http://www.theregister.co.uk/2009/04/29/young_usaf_predator_pilot_officer_slam/

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

August 7, 1944: today is the 65th Anniversary of the Birth of the Computer

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the  Computer
Newsgroups: alt.folklore.computers
Date: Thu, 27 Aug 2009 19:08:03 -0400
greymausg writes:
Most of George W. Bush's people were hippieesque years ago. Thats why they call their ideas 'Neo-Liberal' (The Man Himself had a good following among the 'WanderVogel').

there was folklore that security background checks for executive branch in '93 was cut in half from 14yrs to 7yrs because of the problems with going back into their college and early twenty-something days (there were implcations that they might have been less reliable ... but another possible explanation was that they were younger and therefor 14yrs was more likely to include their college yrs).

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Does this count as 'computer' folklore?

Refed: **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Does this count as 'computer' folklore?
Newsgroups: alt.folklore.computers
Date: Thu, 27 Aug 2009 19:12:49 -0400
re:
https://www.garlic.com/~lynn/2009m.html#2 Does this count as 'computer' folklore?
https://www.garlic.com/~lynn/2009m.html#10 Does this count as 'computer' folklore?

New Study Shows RFID Significantly Improves Item-Level Inventory Accuracy
http://www.physorg.com/news170606806.html

from above:
A new study on the use of radio-frequency identification tags on individual retail items shows that inventory accuracy decreases or diminishes over time with conventional systems that rely on barcodes and/or human counting to track inventory.

... snip ...

above mentions a study involving two Bloomingdale's stores (one with & one w/o RFID inventory).

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Big, beautiful boxes from computer history

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Big, beautiful boxes from computer history
Newsgroups: alt.folklore.computers
Date: Thu, 27 Aug 2009 23:17:56 -0400
slashdot ...

Big, beautiful boxes from computer history
http://slashdot.org/submission/1062693/Big-beautiful-boxes-from-computer-history

Computer History Museum Photo Gallery: weird, fascinating photos including a giant Cray, and a 60Kg hard drive
http://www.pcauthority.com.au/Gallery/153867,computer-history-museum-photo-gallery-weird-fascinating-photos-including-a-giant-cray-and-a-60kg-hard-drive.aspx/1

CHM web pages
http://www.computerhistory.org/collections/search/
http://www.computerhistory.org/collections/findingaids/
http://www.computerhistory.org/core/explorethecollection/ and ...
http://www.computerhistory.org/core/curators/

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Does this count as 'computer' folklore?

Refed: **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Does this count as 'computer' folklore?
Newsgroups: alt.folklore.computers
Date: Fri, 28 Aug 2009 08:34:36 -0400
jmfbahciv <jmfbahciv@aol> writes:
Can't somebody mess up the data when they take the stuff they've bought elsewhere into a new store?

re:
https://www.garlic.com/~lynn/2009m.html#2 Does this count as 'computer' folklore?
https://www.garlic.com/~lynn/2009m.html#10 Does this count as 'computer' folklore?
https://www.garlic.com/~lynn/2009m.html#18 Does this count as 'computer' folklore?

loading dock &/or other scan puts into the computer what should be in the bldg.

inventory is scanning for what (from the computer) is still on the shelves. the computer will list the individual item serial nos (EPC RFID) that should be on the shelves. the periodic inventory scan will find the individual item serial nos. of what is still on the shelves.

the mismatch between what the periodic inventory scans find and what the computer believes ... missing or shouldn't be there. the inventory scans are more like an audit ... verifying that what is on the shelves corresponds with what is suppose to be there. somebody sneaking something onto the shelves would be turn up in the audit ... on par with somebody sneaking something off the shelves.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

The Art of Creating Strong Passwords

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: The Art of Creating Strong Passwords
Date: 28 Aug, 2009
Blog: Information Security Network
Crowbar cracks SD cards and retrieves data without a trace
http://gcn.com/articles/2009/08/24/gcn-lab-review-mantech-crowbar.aspx

one of the issues in the above does the password protect sensitive data in the device ... or does it protect use of device ... aka a "non-shared" secret something you know as part of two-factor something you have authentication token. In that case ... the "non-shared" secret something you know is a countermeasure to lost/stolen token.

In this reference to yes card vulnerability
https://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

... it was trivial to skim card information and create a counterfeit card. It was not necessary to skim the pin/password ... since the infrastructure was dependent on asking the card whether or not the correct PIN had been entered ... and a counterfeit yes card would answer YES to all such questions (regardless of what had been entered). Answering YES to the PIN question (and others), was what got it the YES CARD label. The YES answers also prompted somebody to comment that billions of dollars had been spent to prove that chips are less secure than magstripe.

recent posts in (linkedin) Payment Systems Network
https://www.garlic.com/~lynn/2009l.html#61 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#64 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#68 Hacker charges also an indictment on PCI, expert says

there was somewhat large US pilot deployment of the cards (with the yes card vulnerability) in the earlier part of this decade/century ... which subsequently seem to disappear w/o a trace.

other past discussion of yes card
https://www.garlic.com/~lynn/subintegrity.html#yescard

One of the questions for the yes card (that it would always answer YES) was whether the transaction should be offline. So even if the account had been disabled at the issuer (countermeasure to compromised, counterfeit, and/or lost/stolen magstripe cards) ... it would have no effect preventing yes card fraudulent transactions.

Then for an offline transaction, the YES CARD would always answer YES to the question about whether the transaction was within the card's credit limit.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

PCI SSC Seeks standard for End to End Encryption?

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: PCI SSC Seeks standard for End to End Encryption?
Date: 28 Aug, 2009
Blog: Information Security Network
PCI SSC Seeks standard for End to End Encryption?
http://pcianswers.com/2009/08/27/pci-ssc-seeks-standard-for-end-to-end-encryption/

from above:
I just read an article in the ETA Currents that stated that the PCI SSC is seeking a standard for end to end encryption. While this is certainly a laudable goal, I do have to question that usefulness of the council defining the standard and vetting the...

... snip ...

We had been asked to consult with a small client/server startup that wanted to do payment transactions on their server, the startup had also invented this technology called SSL that they wanted to use. That work is now frequently called "electronic commerce". SSL was being used to encrypt/hide the account number while it traveled through the internet ... from the client to the server ... and then from the server to something called the payment gateway ... some past posts mentioning payment gateway
https://www.garlic.com/~lynn/subnetwork.html#gateway

Possibly because of the work on "electronic commerce", in the mid-90s we were asked to participate in the X9A10 financial standard working group which had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments. Part of that effort, was doing detailed end-to-end threat & vulnerability studies of the various environments ... which resulted in the x9.59 standard
https://www.garlic.com/~lynn/x959.html#x959

The account number, however is required to be exposed at dozens & dozens of places as part of standard business processes. There was no way to do end-to-end encryption of the account number (from the client PC or from the POS terminal ... all the way through to the issuing financial institution) ... since the account number was required at dozens of business processes along the way. a trivial such business process is that the account number is effectively used as a kind of "ip-address" for routing the transaction through the payment network to the issuing financial institution, can you imagine the internet working when the network was prevented from having access to the ip-address field in the packet (or mail being delivered when all address fields were inaccessible)?.

So what the x9.59 financial transaction standard did was slightly tweak the paradigm, provide end-to-end "integrity" (in lieu of end-to-end encryption) from the consumer to the consumer's financial institution ... and eliminated exposure of the account number as a threat/vulnerability (aka its no longer necessary to hide the account number as countermeasure to fraudulent transactions). We've periodically commented that in the current paradigm (because of the dozens of business processes that require access to the account number) that even if the planet was buried under miles of (information hiding) encryption, it would still not prevent information leakage.

Now the major use of SSL in the world today is this earlier "electronic commerce" work used for hiding the account number. With x9.59 financial standard, it is no longer necessary to hide the account number ... so the major use of SSL in the world today is also eliminated.

Since then, we've used a few metaphors to characterize the existing (account number hiding) paradigm:

security proportional to risk vulnerability; in the current paradigm, the value of the information to the merchant is the profit on the transaction (possibly a couple dollars) and the value of the information to the processor can be a few cents per transaction ... while the value of the information to the crooks can be the credit limit and/or account balance (the crooks attacking the infrastructure may be able to outspend the merchant & processor defenders by a factor of one hundred times)

dual-use vulnerability; in the current paradigm, the knowledge of the account number may be sufficient to perform a fraudulent transaction (effectively authentication, as such it needs to be kept confidential and never divulged anywhere) ... while at the same time the account number needs to be readily available for a large number of business processes. The conflicting requirements (never divulged and at the same time readily available) has led to comments that even if the planet was buried under miles of information hiding encryption, it still couldn't prevent information leakage.

Part of the issues with the existing paradigm are the requirements for the account number to be available for so many business processes ... as a result the security solutions are, at best, piece-meal patchwork.

X9.59 financial standard with true end-to-end strong integrity and strong authentication (from the consumer straight-through to the consumer's financial institution) ... along with eliminating the threats from exposing the account number ... some parts of the current operations may be found to be redundant and superfluous.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Need new 3270 emulator: SSH, inexpensive, reliable

From: lynn@GARLIC.COM (Anne & Lynn Wheeler)
Subject: Re: Need new 3270 emulator: SSH, inexpensive, reliable
Newsgroups: bit.listserv.ibm-main
Date: 28 Aug 2009 07:06:42 -0700
steve.finch@EDS.COM (Finch, Steve) writes:
Most VPNs do not encrypt the connection from endpoint to endpoint, which is what is PCI requires. The VPN would need to start on the mainframe and go all the way to the PC. Most VPN run on a appliance (server), a hop away from the mainframe. The "last hop' blows" the PCI

There is discussion of this article in (linkedin) Information Security Network

PCI SSC Seeks standard for End to End Encryption?
http://pcianswers.com/2009/08/27/pci-ssc-seeks-standard-for-end-to-end-encryption/

and some of my post in that discussion
https://www.garlic.com/~lynn/2009m.html#22

misc. past posts in this thread:
https://www.garlic.com/~lynn/2009m.html#5 Need new 3270 emulator: SSH, inexpensive, reliable
https://www.garlic.com/~lynn/2009m.html#7 Need new 3270 emulator: SSH, inexpensive, reliable
https://www.garlic.com/~lynn/2009m.html#8 Need new 3270 emulator: SSH, inexpensive, reliable
https://www.garlic.com/~lynn/2009m.html#12 Need new 3270 emulator: SSH, inexpensive, reliable
https://www.garlic.com/~lynn/2009m.html#15 Need new 3270 emulator: SSH, inexpensive, reliable

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Does this count as 'computer' folklore?

Refed: **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Does this count as 'computer' folklore?
Newsgroups: alt.folklore.computers
Date: Sat, 29 Aug 2009 09:29:37 -0400
jmfbahciv <jmfbahciv@aol> writes:
Yep. But couldn't somebody bring in a device that would emit RFs to really screw up the data base?

re:
https://www.garlic.com/~lynn/2009m.html#3 Does this count as 'computer' folklore?
https://www.garlic.com/~lynn/2009m.html#10 Does this count as 'computer' folklore?
https://www.garlic.com/~lynn/2009m.html#11 Does this count as 'computer' folklore?
https://www.garlic.com/~lynn/2009m.html#18 Does this count as 'computer' folklore?
https://www.garlic.com/~lynn/2009m.html#20 Does this count as 'computer' folklore?

yep, like somewhere referenced before ... there are also cases of people printing their own barcodes.

for most of these things, crooks are looking on not being detected. if RF is all messed up or stops working ... and/or the inventory is all messed up ... call in the cops. there are lots of things that are supposed to work in a fairly determined manner ... if they deviate too greatly ... call in the cops. Also have lots of video recording.

printed barcodes is only to product level ... RFID is to individual item level ... so rather than RF noise to disable reading ... have to come up with something that looks valid enuf to what is in the inventory computer ... but gives the crooks some financial advantage.

gets more complicated ... and then the stores work on countermeasures for what the crooks come up with.

an analogous ... but different scheme involved counterfeiting giftcards. at one time, giftcards for sale was just left out ... since they had no value & hadn't been registered yet (stealing them had close to zero value). however, crooks would record a whole slew of unsold giftcards ... and then wait until they were sold, loaded & registered ... and then show up with counterfeit giftcards and drain the accounts.
https://www.garlic.com/~lynn/aadsm22.htm#10 thoughts on one time pads
https://www.garlic.com/~lynn/aadsm22.htm#11 thoughts on one time pads
https://www.garlic.com/~lynn/2004j.html#12 US fiscal policy (Was: Bob Bemer, Computer Pioneer,Father of ASCII,Invento

Slightly more sophisticated, simple PDA with magstripe reader/writer & barcode reader ... PDA could be used to record a whole slew of giftcards ... then on return trip could quickly determine some that had been sold (loaded & registered) and counterfeit one in real-time.

Big issue is that magstripe technology is pretty well understood by criminal activity and trivial to counterfeit/duplicate.

Inventory RFID ... being static data ... would be straightforward to counterfeit ... but its use is verifying what is in the computer.

So even if you bring in a counterfeit clothes with counterfeit RFID chips ... for returns ... also need a counterfeit sales return ... and everything has to correspond with exact same information already in the computer. so maybe crooks have to also compromise the computer. turns out if you can compromise the computer ... you are far ahead just having the computer do the direct credit/return w/o having to physically go thru a fake return (so they need pretty strong countermeasures to computer attacks ... because there are a whole laundry list of things that crooks could do ... if they can directly access the computer).

so this talks about doing "security" chip ... and getting it on EPC RFID price curve
https://www.garlic.com/~lynn/2009m.html#2 Does this count as 'computer' folklore?

that particular chip was also capability of doing contactless transaction using RF. Now there are some payment cards with effectively EPC RFID static data (basically emulates the magstripe static data ... and so likely has similar threats & vulnerabilities as magstripe cards ... because of static data). the discussed chip, basically is able to do asymmetric crypto operation ... and is very close to the number of circuits and power consumption ... required for EPC RFID chip (so while it could return EPC information ... it could also return some unique data that isn't static, changes every time and is extremely difficult to fake).

recent long winded post discussing payment chipcards that used "static data" ... which could be skimmed/recorded and used to (trivially) create counterfeit yes card:
https://www.garlic.com/~lynn/2009m.html#21 The Art of Creating Strong Passwords

other recent posts mentioning yes cards
https://www.garlic.com/~lynn/2009.html#10 Swedish police warn of tampered credit card terminals
https://www.garlic.com/~lynn/2009.html#11 Swedish police warn of tampered credit card terminals
https://www.garlic.com/~lynn/2009.html#33 European Payments Council calls for action on counterfeit cards
https://www.garlic.com/~lynn/2009.html#34 Swedish police warn of tampered credit card terminals
https://www.garlic.com/~lynn/2009.html#72 Double authentification for internet payment
https://www.garlic.com/~lynn/2009b.html#21 ICSF and VISA/MasterCard?amex reference list
https://www.garlic.com/~lynn/2009b.html#61 Passport RFIDs cloned wholesale by $250 eBay auction spree
https://www.garlic.com/~lynn/2009c.html#56 Why use RFID in personal documents & cards at all?
https://www.garlic.com/~lynn/2009e.html#75 The Future Shape of Payments Is Anything But Flat
https://www.garlic.com/~lynn/2009f.html#7 An interesting take on Verified by Visa Policy
https://www.garlic.com/~lynn/2009f.html#44 Chip and PIN for ID cards: Not such a sharp idea?; Hackers PINing after your details
https://www.garlic.com/~lynn/2009f.html#61 Halifax faces legal challenge on chip-and-pin security
https://www.garlic.com/~lynn/2009l.html#61 Hacker charges also an indictment on PCI, expert says

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

IBM 2741 - may be nostalgic for some

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: IBM 2741 - may be nostalgic for some
Newsgroups: bit.listserv.ibm-main,alt.folklore.computers
Date: Sat, 29 Aug 2009 10:11:34 -0400
mike@CORESTORE.ORG (Mike Ross) writes:
Enjoy:

http://www.youtube.com/watch?v=MRsLCF4KNzg


in the above ... the cabinet housing the 2741 only has a couple inches on the side and back ... not enough to place anything.

the science center had plywood board ... finished the same as the 2741 cabinet, that fit snugly around the 2741 in the middle and provided something like 18 inches on one side and in the back (board could be flipped ... placing the extra surface on either the right or left).

that allowed a two tray input/output tray for paper at the back (stack of fan-feed input paper on the bottom and output then on the top). could also put a whole box of fan-fold paper on the floor behind the 2741 ... feed the paper thru the bottom of the tray ... and have the output go to the top tray.

it also provided a shelf for paper (or other objects) to the right (or left). could have program listing (or other paper) on the right to work from when typing.

this board wasn't anchored in anyway ... so had to be careful placing a lot of weight ... or it would tip (since it fit under the gray roller knobs on both sides ... those knobs would somewhat arrest the board from completely flying off).

i had the board and tray for my home 2741 (from 1970) ... and even after the 2741 was replaced in 1977 ... the tray and board continued to knock around the garage (until a move in 1999).

I do still have 2741 (apl) typeball ... some pictures
https://www.garlic.com/~lynn/lhwemail.html#oldpicts

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

comp.arch has made itself a sitting duck for spam

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: comp.arch has made itself a sitting duck for spam
Newsgroups: comp.arch
Date: Sun, 30 Aug 2009 08:23:09 -0400
rpw3@rpw3.org (Rob Warnock) writes:
But my "3-5 times" swag [which, by the way, was just a rough estimate based on my recollection of events from ~35 years ago, not any kind of formal academic study] was meant to speak just to initial development/coding costs of code that "just had to work". You are correct that some of that premium could be discounted by lessened maintenance costs, but I wasn't addressing that per se.

I've used "4-10" times to take a "well tested" application and turn it into a (industrial/business strength) service.

we had been doing the ha/cmp product ... some old posts
https://www.garlic.com/~lynn/subtopic.html#hacmp
part of it was high-availabiilty and part was cluster scale-up ... some old email
https://www.garlic.com/~lynn/lhwemail.html#medusa

this post references a jan92 meeting discussing scale-up
https://www.garlic.com/~lynn/95.html#13

and shortly after the jan92 meeting, the scale-up part was transferred and we were told we couldn't work on anything with more than four processors.

two of the people mentioned in the jan92 meeting later left and show up at a small client/server startup responsible for something called a "commerce server".

we also left and were out doing some consulting. we were brought in to consult at the small client/server startup because they wanted to do payment transactions on the server. the startup had also invented some technology they called "SSL" that they wanted to use; in any case, the result is now frequently called "electronic commerce".

Part of the "electronic commerce" is something called a "payment gateway" some past posts
https://www.garlic.com/~lynn/subnetwork.html#gateway

that handles payment transactions from servers on the internet and the payment network. there had been an "application" first cut ... taking packets from the internet and reformating them into specification defined for the payment network. what was missing was a whole lot of industrial strength stuff that wasn't in the message formats. for instance, the trouble desk at the part of the payment network had objective of 5minutes elapsed time to do first-level problem determination. An early trial of the gateway "application" had a problem (not working, no transactions) ... and after 3hrs of investigation it was closed as NTF (no trouble found).

We put together specification for business critical payment gateway operation ... and the subsequent activity was 5-10 times the activity to do the original (well developed, well tested) application code. The result didn't have a significant different total lines of code ... but there was significant more effort that went into those lines of code.

we also did a JAD with the taligent organization (something of spin-off of the apple object-oriented "pink" operating system effort) ... regarding what it would take to turn taligent into basis for doing business critical dataprocessing ... the net was about 30% change to their existing libraries and 30% new code (with objective of cutting development effort for business critical applications by 50-75 percent).

there is also some overlap/similarity between developing code for business critical applications and developing code for secure applications (and in some core financial processing applications they both apply). "secure" development may also include things like background checks on designers and developers, anybody that is allowed to touch the code or the operation.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Origin of "fork"

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Origin of "fork"
Newsgroups: alt.folklore.computers
Date: Sun, 30 Aug 2009 08:32:53 -0400
jmfbahciv <jmfbahciv@aol> writes:
Nope. Definitely not 33s. I keep forgetting the number of the grey TTYs...they're either 36 or 37...36es. I never heard of a KSR-33. Was there such a beastie?

when i was doing tty/ascii support for cp67 at the university, i didn't think the 33s had paper-tape but the 35s did.

this claims 33s with paper tape
http://www.columbia.edu/cu/computinghistory/teletype.html

above mentions 33s & 35s were upper-case only ... 37s had upper & lower.

this shows paper tape
https://en.wikipedia.org/wiki/ASR-33_Teletype

mentions that the difference between ASR33 and KSR33 was ASR33 had paper-tape and KSR33 didn't.

this has 35
http://www.nadcomm.com/35asr.htm

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

PCI Council Releases Recommendations For Preventing Card-Skimming Attacks

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
Date: 30 Aug, 2009
Blog: Payment Systems Nework
re:
https://www.garlic.com/~lynn/2009m.html#13 PCI Council Releases Recommendations For Preventing Card-Skimming Attacks

another

Security expert's PCI analysis misguided, says PCI Council GM
http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1366236,00.html

With regard to acquiring hardware & software ... it isn't so much the cost of a successful deployment; it is the possibility of the cost of non-trivial numbers of failed deployments that seems to be an uptake inhibitor. The last part of the past century and the first part of this century there seemed to be quite an appetite for new deployment. That appetite seemed to have been significantly gone away after some number of failed deployments. It no longer is the cost of a successful deployment ... it is the prospect of having the cost of some number of unsuccessful deployments.

after some of these earlier failures ... there has been quite a bit of work on somewhat generic boxes at merchants with provisioning support (downloading software, updates, configuration, etc) using the same link to the acquirer that is used for transactions (somewhat similar to modern PC generation of using internet to distribute software updates).

This somewhat mitigates the issue of going thru multiple generations where it possibly wasn't gotten quite correct.

One of the classic scenarios was waiters at particular NYC restaurant near times sq in the mid-90s, PDA and card swipe reader pined to their inner label. There was standard card swipe for bill ... but an extra swipe that went to their PDA in inner pocket. At end-of-shift, information was uploading to internet and almost immediately, counterfeit cards were doing transactions on streets of hong kong (today, the extra card swipe could go immediately to internet with wireless/cellphone, w/o having to wait for end-of-shift).

Part of x9.59 financial transaction standard work in the mid-90s, was eliminating skimming as vulnerability ... i.e. it was no longer necessary to hide account number as countermeasure to fraudulent transactions. They (external attackers or "insiders", studies have claimed that 70% of such events involve "insiders") could still do data breaches, skimming, account number harvesting ... could still be done ... but was no longer possible to use the information for fraudulent transactions (eliminating the financial incentive).

there was some concurrent effort at the time on POS chipcard specification ... but involved static data ... so while there was (myopic) focus on countermeasures to lost/stolen card ... there was nothing done for skimming the static information (for creating counterfeit chipcard). The result was the yes card vulnerability in the later part of the past century and the early part of this century. There was such a rather large US deployment of payment chipcard in that timeframe ... that had the yes card vulnerability. There was a presentation about the yes card vulnerability at payment security conference ... and somebody in the audience made the loud comment that billions of dollars were spent to prove chips were less secure than magstripe. In that time-frame, then the US deployment appeared to evaporate w/o a trace.

In this serious of posts in (linkedin) Information Security Network thread:
https://www.garlic.com/~lynn/2009l.html#50 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#53 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#61 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#64 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#68 Hacker charges also an indictment on PCI, expert says

I mention having early discussions with the people doing the (US) deployment regarding the yes card vulnerability and being told that it was addressed by how valid cards were configured. The (myopic) preoccupation with the chipcard (and countermeasures for lost/stolen card) ... seemed to create blind spot that the yes card vulnerability was skimming with resulting counterfeit cards "attacking" the POS terminal (i.e. it wasn't a attack on valid chipcards, it was an attack on the POS terminal).

old reference to cartes2002 presentation about yes card vulnerability and it being trivial effort to create counterfeit chipcards.
https://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

this a recent thread in a.f.c. newsgroup discussing UPC barcodes and EPC RFID
https://www.garlic.com/~lynn/2009m.html#18 Does this count as 'computer' folklore?
https://www.garlic.com/~lynn/2009m.html#20 Does this count as 'computer' folklore?
https://www.garlic.com/~lynn/2009m.html#24 Does this count as 'computer' folklore?

mentions in the mid-90s making the semi-facetious comment about taking a $500 milspec card and aggressively cost reducing by 2-3 orders of magnitude while making it more secure ... and eventually getting it on the EPC RFID chip cost curve (i.e. chips being targeted to replace barcodes on grocery store items) ... but with strong integrity, being able to do "dynamic data" (rather than "static data"), being able to do either contact or contactless ... and if contactless, being able to do the "dynamic data" within the power limitations and elapsed time constraints of transit turnstyle.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Where Have You Gone, Bell Labs?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Where Have You Gone, Bell Labs?
Newsgroups: alt.folklore.computers
Date: Sun, 30 Aug 2009 19:54:25 -0400
Where Have You Gone, Bell Labs? How basic research can repair the broken U.S. business model
http://www.businessweek.com/technology/content/apr2011/tc2011047_864635.htm

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

As Internet turns 40, barriers threaten its growth

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: As Internet turns 40, barriers threaten its growth
Newsgroups: alt.folklore.computers
Date: Sun, 30 Aug 2009 19:55:30 -0400
As Internet turns 40, barriers threaten its growth
http://tech.yahoo.com/news/ap/20090830/ap_on_hi_te/us_tec_internet_at40

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

comp.arch has made itself a sitting duck for spam

Refed: **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: comp.arch has made itself a sitting duck for spam
Newsgroups: comp.arch
Date: Sun, 30 Aug 2009 21:25:35 -0400
rpw3@rpw3.org (Rob Warnock) writes:
For one thing, once you already have a "well tested application" it is far too late to apply the techniques I was talking about -- they can really only be done as the code is being initially written. As the old saw says, "testing can prove the presence of bugs but never their absence".

re:
https://www.garlic.com/~lynn/2009m.html#26 comp.arch has made itself a sitting duck for spam

there were some number that considered that some degree of availability could be added. one of the interesting issues we had with some some amount of the payment transactions message formats (that had been converted to packet/internet operation) ... was that in the original, there was some amount of impliciit assumption ... that the transaction messages operated in a circuit enviornment. a straight-forward move of the transaction message formats, to packet environment, failed to carry some number of the implicit circuit-based characteristics. part of retrofitting availability (for "electronic commerce") was compensating processes for the packet enviornment.

also part of the "retrofit" was failure matrix of 30-40 failure conditions that might happen in half dozen states ... and being able to demonstrate automatic recovery ... and/or at least five minute 1st level problem determination for all cases (not necessarily that the code was bug free).

it is frequently & significantly more apparent, that attempting to retrofit security to something (which hasn't been designed from the groundup), doesn't work.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

comp.arch has made itself a sitting duck for spam

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: comp.arch has made itself a sitting duck for spam
Newsgroups: comp.arch
Date: Mon, 31 Aug 2009 08:41:42 -0400
re:
https://www.garlic.com/~lynn/2009m.html#26 comp.arch has made itself a sitting duck for spam
https://www.garlic.com/~lynn/2009m.html#31 comp.arch has made itself a sitting duck for spam

a relatively trivial "high availabiilty" (but important) thing for the payment gateway was "multiple A-record" support.

The "payment gateway" was no-single-point-of-failure ... including multiple links (circuits) into different parts of the internet backbone. I started out planning on advertising multiple routes ... but in the process of deployment, the internet backbone announced moving to hierachical routing only.

this eliminated being able to advertise different routes for the same ip-address ... and required defining the "name" of the payment gateway with multiple ip-addresses ("multiple A-record"). webservers that were contacting the payment gateway, then needed to have "multiple-A record" support. since we had sign-off authority on operation related to payment gateway ... we could mandate the implementation.

we had several cases we felt that the browser needed to do the same thing. one of the early adopters of the commerce server (and payments) was sports product operation that advertised on national sunday football and expected lots of activity during half-time. their ISP was operation that regularly did local presence router maintenance on sundays (they had schedules where webservers in particular areas wouldn't have service on particular sundays because their ISP router would be undergoing maintenance). This was before majority of the internet had any kind of telco-like provisioning.

So we had meeting with lots of the browser developers where I presented multiple A-record implementation and the scenarios where it would be beneficial. The initial response was that it was too complicated/advanced and they weren't going to do it (for the browser<->server side ... we could only advise, we didn't have mandated sign-off authority). I then provided them with client (telnet, ftp, etc) source code examples from 4.3 Tahoe; no budge. I somewhat hypothesised the issues was that there were no examples of "multiple A-record" support given in the various TCP/IP class/text books that they had learned from. It took a year to get mulitple A-record support into the browser.

as to taligent and "pink" ... there was a period where "object-oriented" was all the rage, Apple was doing "pink" object-oriented operating system ... and Sun was doing "spring" object-oriented operating system. At one point we were invited in and given a run-through of "spring" ... and then asked if we would consider heading up effort to turn it out as product (speculation, at least partially, because we had earlier turned out ha/cmp product).

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Does this count as 'computer' folklore?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Does this count as 'computer' folklore?
Newsgroups: alt.folklore.computers
Date: Mon, 31 Aug 2009 11:52:05 -0400
Rostyslaw Lewyckyj <urjlew@bellsouth.net> writes:
Why would the store care? It is getting a piece of merchanise in exchange for the refund.

re:
https://www.garlic.com/~lynn/2009m.html#18 Does this count as 'computer' folklore?
https://www.garlic.com/~lynn/2009m.html#20 Does this count as 'computer' folklore?
https://www.garlic.com/~lynn/2009m.html#24 Does this count as 'computer' folklore?

could be counterfeit items .. analogous to passing counterfeit $100 bills. for low-value items ... returns would be relatively inefficient mechanism for making money off counterfeit itmes ... but could be practical for higher value items (say designer something or another).

they still have the real item ... which they still may be able to sell for more than the cost of the counterfeit item. another fraud periodically seen (previously mentioned) was that the original transaction was discount ... and then going for full value refund (w/o discount) ... this has been used so much that lots of places have countermeasures for the practice.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

IBM Poughkeepsie?

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: IBM Poughkeepsie?
Newsgroups: alt.folklore.computers
Date: Mon, 31 Aug 2009 16:31:23 -0400
Eric Chomko <pne.chomko@comcast.net> writes:
Wasn't the old site in Armonk, NY, south and to the east of Poughkeepsie?

here is blurb that claims in 1948 they attempted to locate UN where ibm is now located:
http://www.armonk.com/the-home-of-ibm.html

"Armonk" corporate hdqtrs dedication (21Oct) 1964:
http://www-03.ibm.com/ibm/history/exhibits/vintage/vintage_4506VV2107.html

besides Armonk, news plants were completed in Hunstville and East Fishkill
http://www-03.ibm.com/ibm/history/history/year_1964.html

1941, IBM in bldg that had been canning factory
http://www-03.ibm.com/ibm/history/exhibits/vintage/vintage_4506VV2041.html

Poughkeepsie ... main plant site constructed in 1948, two wings added in 1952:
http://www-03.ibm.com/ibm/history/exhibits/vintage/vintage_4506VV2042.html

IBM East Fishkill over the years:
http://www.poughkeepsiejournal.com/article/20090127/BUSINESS01/90127016/1012

vintage views of ibm facilities
http://www-03.ibm.com/ibm/history/exhibits/vintage/vintage_facilities.html

misc.

IBM Somers
https://en.wikipedia.org/wiki/IBM_Somers_Office_Complex

Implementing the Poughkeepsie Green Data Center: Showcasing a Dynamic Infrastructure
http://www.redbooks.ibm.com/abstracts/redp4534.html

for random drift ... mention of 3270 and ibm kingston (up the river from Poughkeepsie)
https://en.wikipedia.org/wiki/IBM_3270

from above:
In contrast, IBM's OfficeVision office productivity software enjoyed great success with 3270 interaction because of its design understanding. And for many years the PROFS calendar was the most commonly displayed screen on office terminals around the world.

... snip ...

recent mention of PROFS main menu getting "burned" into screens:
https://www.garlic.com/~lynn/2009l.html#41 another item related to ASCII vs. EBCDIC

also mention that the PROFS group had "borrowed" a lot of stuff from other organizations
https://www.garlic.com/~lynn/2009.html#8 Is SUN going to become x86'ed ??
https://www.garlic.com/~lynn/2009.html#23 NPR Asks: Will Cloud Computing Work in the White House?
https://www.garlic.com/~lynn/2009k.html#0 Timeline: The evolution of on

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

IBM Poughkeepsie?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: IBM Poughkeepsie?
Newsgroups: alt.folklore.computers
Date: Mon, 31 Aug 2009 21:10:37 -0400
re:
https://www.garlic.com/~lynn/2009m.html#34 IBM Poughkeepsie?

Executive Briefing Center (bldg 705) on plant site ... has aerial view of the site
http://www-03.ibm.com/systems/services/briefingcenter/pbc/location.html

address for the above: Building 705, 2455 South Road, Poughkeepsie, NY 12601

also PDF map of the plant site
http://www-03.ibm.com/systems/resources/systems_services_briefingcenter_pbc_pdf_pok_site.pdf

2455 South Rd (rt 9) satellite photo
http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=2455+south+road+poughkeepsie+ny&sll=37.0625,-95.677068&sspn=65.557733,48.691406&ie=UTF8&ll=41.66004,-73.933192&spn=0.00731,0.005944&t=h&z=17

appears to show that bldgs 918, 965, 966 (from the map) have been leveled???

there use to be whole lot of IBM stuff in poughkeepsie area that were off the main plant site ... but possibly has now been all consolidated back to the main plant site.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

comp.arch has made itself a sitting duck for spam

Refed: **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: comp.arch has made itself a sitting duck for spam
Newsgroups: comp.arch
Date: Tue, 01 Sep 2009 10:07:05 -0400
Duane Rettig <duane@franz.com> writes:
I had similar experiences in a couple of IBM-compatible disk drive companies in the 70's, as well. Our microcontrollers (all SSI based) had 40-bit words, and the trick was not to recode whole instructions (so as to require replacing a whole bank of E-PROMS), but to instead maniplulate the program in such a way that the fewest E-PROMS had to be replaced. It wasn't a question of being strapped for money; it was a question of having such a huge expense for an update, and the trick was to minimize the size of a field change request.

re:
https://www.garlic.com/~lynn/2009m.html#16 comp.arch has made itself a sitting duck for spam
https://www.garlic.com/~lynn/2009m.html#26 comp.arch has made itself a sitting duck for spam
https://www.garlic.com/~lynn/2009m.html#31 comp.arch has made itself a sitting duck for spam
https://www.garlic.com/~lynn/2009m.html#32 comp.arch has made itself a sitting duck for spam

3830s disk controller (for 3330s, then 3350) was horizontal microcode. 3880 disk controller follow-on for 3380 ... went to jib-prime a vertical microcode machine and much slower. 3380 had 3mbyte/sec data transfer (about ten times that of 3330s) ... so 3880 had special hardware data-path ... with jib-prime for just control operations.

i got to play disk engineer in bldgs. 14 (engineering) and 15 (product test lab). misc. past posts
https://www.garlic.com/~lynn/subtopic.html#disk

One of the things was that they were running all mainframe regression tests with stand-alone, scheduled dedicated test time. They had tried doing tesitng under MVS ... but with single testcell (for security ... each development device was kept in its heavy-gage "wire" cage inside the bldgs. "secure" machine room, which was inside a secured bldg, etc) and experienced 15min MTBF. So, for the fun of it, i decided to completely rewrite the operating system I/O supervisor ... so it would be bullet proof and never fail ... and they could then do concurrent "on-demand" testing of any number of "testcells".

Side-effect was there were some number of mainframes (that they had for testing new disks against different mainframe models ... as well as early engineering models of mainframes for testing with disks), which could be co-opt for online timesharing use (even heaviest concurrent testing loads only represented a percent or two of processor utilization).

So one monday morning ... I got a call asking what had done to their systems over the weekends. The largest engineering test mainframe (3033) at the time was showing 30-60 percent interactive degradation. I hadn't done anything over the weekend ... so started looking at what they had done. Turns out that they had replaced a 3830 controller with 16 3330 disk drives (used for our private interactive service) with a new 3880 controller (that included support for 3330 drives). It was quickly evident that it was the 3880 disk controller that was resulting in significant I/O thruput degradation. A lot of detailed analysis was showing how much (& where) slow-down in "control" operations was resulting in significant overall I/O thruput degradation. Then crash program to tweak the 3880 (jib-prime) operations, attempting to mask its slower operation ... fortunately we still had six months before first customer ship.

Mainframe disk controllers had multiple channel paths ... either connecting to different processors (for loosely-coupled/cluster operation) or multiple channel paths by the same processor ... for possibly higher thruput. So ... since I was completely rewriting the I/O supervisor ... I decided to redo the "alternate channel path" logic (primary with one or more alternates to same pool of disks) and turn it into dynamic load-balancing. This then ran into brick-wall with the tweaks to the 3880 slow-down masking; part of the slow-down masking was special caching in 3880 with regard to channel path of the previous operation (on the off-chance the next operation would be on the same channel path). This resulted in a several millisecond difference between consecutive operations on the same channel and consecutive operation with different channels ... totally blowing any attempt to get better thruput with dynamic load-balancing (primary channel path operation ... with only rarely using alternate path ... had significantly higher thrput than trying to maximize concurrent use of all available channel paths).

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

comp.arch has made itself a sitting duck for spam

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: comp.arch has made itself a sitting duck for spam
Newsgroups: comp.arch
Date: Tue, 01 Sep 2009 11:25:48 -0400
re:
https://www.garlic.com/~lynn/2009m.html#16 comp.arch has made itself a sitting duck for spam
https://www.garlic.com/~lynn/2009m.html#26 comp.arch has made itself a sitting duck for spam
https://www.garlic.com/~lynn/2009m.html#31 comp.arch has made itself a sitting duck for spam
https://www.garlic.com/~lynn/2009m.html#32 comp.arch has made itself a sitting duck for spam

I had done a lot with dynamic adaptive resource manager as undergraduate in the 60s; a lot of which was shipped in vendor product. Later in transition/morph from 360->370 a lot of it was eliminated in simplification moved. Still later I was asked to put it back in. some past posts about dynamic adaptive resource manager (frequently called fair share since default resource policy was fair share):
https://www.garlic.com/~lynn/subtopic.html#fairshare

This time was at the science center which had been doing a lot in the area of performance data gathering, benchmarking and performance model (some of which was to turn into capacity planning). There was something like ten yrs of performance monitoring data on some systems and several years on some number of other systems. This was used to help validate some of the performance modeling work ... but also being able to characterize and abstract workloads and configurations.

In any case, I was doing a lot of "automated" benchmarking with synthetic workloads and lots of different configurations to validate operation of the dynamic resource management stuff, including looking at "graceful" degradation under extreme/increasing overload conditions. some past posts
https://www.garlic.com/~lynn/submain.html#benchmark

Initially, the extreme overload conditions was consistently resulting in system failures ... and on investigation, they were almost all due to random events related to internal kernel serialization mechanism. So before going much further, I had to redesign and rewrite the whole kernel serialization mechanism to eliminate the constant failures under extreme overload conditions (which also eliminated a lot of spurious and random failures in normal operations, was also included with the resource manager when it eventually shipped).

For the final validation run there was 2000 benchmarks that took 3 months elapsed time to run. The intial 1000 benchmarks were specifically selected combinations of kinds of workload and types of configuration. One of the analytical performance models was modified to look at previous benchmarks (initially the 1000 selected) ... and use the previous results to specify the next "interesting" combination of workload & configuration. It would then validate that the predicted results for that combination corresponded with the measured results. Then it would repeat the process for a total of 1000 additional benchmarks.

A lot of the benchmarking was to look at if thee "resource manager" might have "bugs" ... that wouldn't directly affect system availability ... but not correctly perform resource allocation as per specification (not only analyse actual operations in large number of different circumstances ... but also x-validate actual operation against predicted operation by analytical model ... which also helped calibrate the model calculations).

This particular analytical performance model had also been turned into a sales&marketing tool. Sales/marketing could enter the customer's workload and configuration profile and then ask "what-if" questions regarding worload &/or configuration changes (in theory, would help support additional hardware sales to the customer).

The online sales&marketing support system ... was being replicated all over the world, In the mid-70s, the US systems had been consolidated at a single datacenter and lots of enhancements were added for cluster (loosely-coupled) operations ... including simple fall-over availability. A version of the analytical model tool was also modified to track all the system loads and perform load-balancing by doing the system selection for new sessions.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

33 Years In IT/Security/Audit

Refed: **, - **, - **, - **, - **
From: lynn@GARLIC.COM (Anne & Lynn Wheeler)
Subject: Re: 33 Years In IT/Security/Audit
Newsgroups: bit.listserv.ibm-main
Date: 1 Sep 2009 10:17:21 -0700
DocFarmer9999@YAHOO.CO.UK (Doc Farmer) writes:
Today marks when I started my first job in IT. Well, my first PAYING job - I built my first PC for a guy when I was 15, but I'm talking the BIG IRON. I started as a keypunch operator on night-shift (while going to high school during the day for my senior year), I actually ENJOYED reading IBM manuals (still do - doctors have yet to find a cure), and have spent the next third of a century either running, auditing or securing the Armonk Giants.

i got a (undergraduate) student programming job in '66 ... was re-implementing 1401 MPIO (unit record<->tape) front-end for 709 ... on 360/30. possibly just a learning exercise starting to have people getting familiar with 360 and getting ready for the 360/67 that was coming in (to replace the 709/1401 combo).

i got to design my own monitor, interrupt handlers, device drivers, resource control, etc.

the next year ... i got responsibility for univ. os/360 system maintenance & support. I started playing with output stage1 sysgen ... completely reoganizing stage2 deck so as to carefully place files and PDS members for optimized arm seek operation.

360/67 ran os/360 (as 360/65 w/o DAT or virtual memory) nearly all the time ... since tss/360 wasn't coming along very well.

last week jan '68, three people from science center came out to install (virtual machine) cp67 ... univ was 2nd (or 3rd depending on how lincoln labs is counted) install (after science center). ... misc. past posts mentioning science center
https://www.garlic.com/~lynn/subtopic.html#545tech

I then got to also play with all the cp67 source ... rewriting large sections ... old post with part of presentation at fall '68 SHARE meeting describing some amount of cp67 kernel rewrite as well as optimized MFT/14 operation (both stand-alone and in virtual machine):
https://www.garlic.com/~lynn/94.html#18 CP/67 & OS MFT14

with careful placement for optimized disk arm ... and some other stuff ... I had gotten nearly three times thruput improvement for typical univ. student job workload (mft with hasp ... not virtual machine).

eventually graduated and went off to join science center

recent discussion of other related old stuff in comp.arch thread:
https://www.garlic.com/~lynn/2009m.html#16
https://www.garlic.com/~lynn/2009m.html#26
https://www.garlic.com/~lynn/2009m.html#31
https://www.garlic.com/~lynn/2009m.html#32
https://www.garlic.com/~lynn/2009m.html#36
https://www.garlic.com/~lynn/2009m.html#37

a few more months will mark 40yrs since I got home online access (dialup 2741 terminal)

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

ACP, One of the Oldest Open Source Apps

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: ACP, One of the Oldest Open Source Apps
To: <ibm-main@bama.ua.edu>
Date: Tue, 01 Sep 2009 18:11:08 -0400
Anne & Lynn Wheeler <lynn@garlic.com> writes:
some old email indicates that even 9083 hand-picked only came in marginally faster than 3083 (not even on the order of 8.6 that would have been indicated with 3081kx2). 9083 did have a different I/O microcode load to bias for the typical higher channel loads.

Now to get to 3084 (a pair of 3081s for four processors) there were real tricks ... since each processor cache had to take constant signals from three other processor caches instead of only one other processor cache.


re:
https://www.garlic.com/~lynn/2009l.html#58 ACP, One of the Oldest Open Source Apps
https://www.garlic.com/~lynn/2009l.html#65 ACP, One of the Oldest Open Source Apps
https://www.garlic.com/~lynn/2009l.html#66 ACP, One of the Oldest Open Source Apps
https://www.garlic.com/~lynn/2009l.html#67 ACP, One of the Oldest Open Source Apps

besides the hardware tricks to maintain processor thruput in large multiprocessor caches ... in this time-frame there was lots of MVS and VM kernel software work for "multiprocessor" sensitivity.

for instance, dynamic kernel storage allocation was reorgnized to start on cache-line boundaries and end on cache-line boundaries (be multiples of cache-lines). this eliminated scenarios where one processor was using the front part of a cache-line for one puprose and another processor was concurrently using the end of the same cache-line for some other purpose ... and they get into a lot of cache "thrashing" where one processor tells the others that it is taking the cache-line and all the other processors have to get rid of it ... and then one of the other processors doing the same (for the same cache-line). At the time, the kernel changes for multiprocessor sensitivity claimed overall 4-6% increased system thruput.

later for ha/cmp, I found it interesting that I was emulating a lot of multiprocessor hardware cache management for ha/cmp's (software) distributed lock manager (underlying fundamentals are very similar) ... some past ha/cmp posts
https://www.garlic.com/~lynn/subtopic.html#hacmp

especially for ha/cmp cluster scale-up ... mentioned in this old post
https://www.garlic.com/~lynn/95.html#13
and this old email
https://www.garlic.com/~lynn/lhwemail.html#medusa

at the time, most of the RDBMS implementations were doing their cluster implementation using (effectively) "store-thru" cache ... i.e. RDBMS was using computer real storage as cache ... and record location on disk was the "real" location. If a processor had a changed copy of the record in cache (change "committed" with log record ... but not yet written to disk to DBMS "home" record location), it first had to be written to its home location on disk before another processor could obtain it.

for the HA/CMP distributed locking scale-up ... i worked out details of being able to potentially piggy-back the dbms record with the message granting the corresponding lock ... effectively a direct cache-to-cache transfer ... avoiding the latency of waiting for intermediate disk transfer (out to disk from one processor real storage and back into real storage of another processor). in some sense this was able to treat aggregate real storage of all the processors in the cluster as one large coordinated cache (could implement direct storage-to-storage transfers much more efficiently than out to disk). For large clusters ... there was increasing probability that a particular DBMS record already resided in some processor storage.

the real problems weren't so much with doing the direct processor-to-processor transfers (in loosely-coupled/cluster environment) ... it was the ha/cmp recovery (after processor/node failure) ... where a record might have multiple different (commuted) changes ... done on different processors (and recorded in different logs on different processors) ... which haven't yet been written to the DBMS record "home" location.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

PCI Council Releases Recommendations For Preventing Card-Skimming Attacks

Refed: **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
Date: 1 Sep, 2009
Blog: Payment Systems Nework
re:
https://www.garlic.com/~lynn/2009m.html#13 PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
https://www.garlic.com/~lynn/2009m.html#28 PCI Council Releases Recommendations For Preventing Card-Skimming Attacks

We had been called in to consult with small client/server startup that wanted to payment transactions on their server ... the startup had also invented this technology they called "SSL" that they wanted to use. We had complete authority on the (SSL) connection between the webserver and something called the "payment gateway" and applied several compensating procedures to "SSL" for that part. We studied the client/server part of the connection and noted that there were several implicit assumptions regarding its use for (really) secure operations. Almost immediately several of those assumptions were violated ... and since we had little authority over that part of the operation ... there was little we could do about. In any case, the result is now frequently called "electronic commerce".

In was the work on what is now frequently called "electronic commerce" that in the mid-90s likely got us invited to participate in the X9A10 financial standard working group ... which had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments. As previously mentioned that work resulted in the x9.59 financial transaction standard.
https://www.garlic.com/~lynn/x959.html#x959

Part issue is that common SSL primarily just hides the transaction (account number) between the client & server ... it doesn't provide end-to-end integrity all the way from the end-user to the end-user's financial institution.

One of the things done in x9.59 financial transaction standard was to slightly tweak the paradigm and eliminate the requirement to hide the account number (while at the same time providing full end-to-end integrity and strong authentication ... all the way from the end-user to the user's issuing financial institution). Since the primary use of SSL in the world today ... is this earlier thing we did, now frequently called "electronic commerce" ... which primarily used to hide the account number in transmission between the browser and the webserver ... and with x9.59, it is no longer required to hide that information ... it would also eliminate the primary use of "SSL" in the world.

For little topic drift ... this is recent posts in comp.arch discussing some of the other stuff we had to do for "electronic commerce" and the payment gateway
https://www.garlic.com/~lynn/2009m.html#31
https://www.garlic.com/~lynn/2009m.html#32

other past posts mentioning the payment gateway work
https://www.garlic.com/~lynn/subnetwork.html#gateway

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

August 7, 1944: today is the 65th Anniversary of the Birth of the Computer

Refed: **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the  Computer
Newsgroups: alt.folklore.computers
Date: Wed, 02 Sep 2009 00:31:27 -0400
Larry Elmore <lelmore@verizon.spam_me_not.net> writes:
Well, I'll be damned. Upon checking, you're right. Because some areas were so flood-prone that private insurance was effectively unavailable, Congress stepped in where angels fear to tread, and subsidized this nonsense. It's not even based upon risk or history, fer cryin' out loud. Government idiocy in action is something to behold.

there was program (pbs?) on federal flood insurance ... something about half of it going to the same state year after year. supposedly somebody in congress got a bill/admendment thru that flood insurance would no longer go to rebuild in the same place.

the program was highlighting that a lot of the insurance was still going to rebuild in the same place ... sometimes nearly yearly (in violation of the bill/admendment). there was some statements about it actually being a federal subsidy to economic interests in the state ... and/or friends of same.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

PCI Council Releases Recommendations For Preventing Card-Skimming Attacks

Refed: **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
Date: 2 Sep, 2009
Blog: Payment Systems Nework
For one reason (in response to an early comment) was the observation about large chip-based deployment in the US ... in the earlier part of this century/decade.

The consumer & POS experience was identical to magstripe. The problem was that the skimming characteristic of the chip resulted in much worse threat & vulnerability than the skimming characteristic of magstripe. An assumption is that the much worse fraud characteristic of the chip contributed significantly to the apparent evaporation of that deployment w/o a trace ... and possibly still contributes to tarnished of chip deployments in the US.

That was a case of actual usage ... where the chip being deployed resulted in much worse skimming fraud consequences than exist with magstripe skimming (consumer, merchant, etc experience at POS was the same as magstripe ... it was that possible lack of understanding of skimming threats and vulnerabilities ... resulted in deploying a chip that had much worse skimming threat and vulnerability than magstripe). There has been no mention that the failed deployment was because the identical POS experience (for both consumers and merchants) contributed to the failed deployment.

One might make the claim that the failed deployment in the US was precisely because of problems with the lab & academic issues (related to skimming) and had absolutely nothing at all to do with the POS issues.

past posts in this thread
https://www.garlic.com/~lynn/2009m.html#13
https://www.garlic.com/~lynn/2009m.html#28
https://www.garlic.com/~lynn/2009m.html#40

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Convert DB2 on z/OS to UDB on z/Linux

From: lynn@GARLIC.COM (Anne & Lynn Wheeler)
Subject: Re: Convert DB2 on z/OS to UDB on z/Linux
Newsgroups: bit.listserv.ibm-main
Date: 2 Sep 2009 13:06:44 -0700
mpost@NOVELL.COM (Mark Post) writes:
Correct, although as is IBM's wont, it's now called DB2 LUW (Linux/UNIX/Windows). A completely different code base from DB2 on z/OS, with some differences in available features, but as close as you're going to get to the DB2 you might be used to on z/OS.

original SQL/RDBMS was system/r in bldg. 28. there was then system/r technology transfer from bldg. 28 to endicott for sql/ds. misc. past posts
https://www.garlic.com/~lynn/submain.html#systemr

now one of the people mentioned in this old post
https://www.garlic.com/~lynn/95.html#13

mentions that he had been in STL and did most of the technology transfer from Endicott back to STL for DB2.

Later there was C-language RDBMS implementation, originally for OS2 (done at the same lab. that was doing C-language work) ... code name "shelby" (also codenames persist and crosswinds).

one of the early problems with system/r (and descendants) was the PLS implementation. The PLS (and other 370 related) group had been killed off during the future system period ... and it took a long time to reconsititute it.
https://www.garlic.com/~lynn/submain.html#futuresys

old reference to several of the issues ... somewhat involving system/r ... including the PLS issue
https://www.garlic.com/~lynn/2007d.html#email800920
in this post:
https://www.garlic.com/~lynn/2007d.html#17

there is also one that is nearly twice as long, dated four days later, that can be found here:
https://web.archive.org/web/20081115000000*/http://research.microsoft.com/~gray//papers/CritiqueOfIBM%27sCSResearch.doc

misc. past posts mentioning shelby:
https://www.garlic.com/~lynn/2005b.html#1 Foreign key in Oracle Sql
https://www.garlic.com/~lynn/2005u.html#41 Mainframe Applications and Records Keeping?
https://www.garlic.com/~lynn/2006w.html#13 IBM sues maker of Intel-based Mainframe clones
https://www.garlic.com/~lynn/2007j.html#12 Newbie question on table design
https://www.garlic.com/~lynn/2007s.html#21 Ellison Looks Back As Oracle Turns 30
https://www.garlic.com/~lynn/2008l.html#57 No offense to any one but is DB2/6000 an old technology. Does anybody still use it, if so what type of industries??
https://www.garlic.com/~lynn/2009f.html#58 Opinion: The top 10 operating system stinkers

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

August 7, 1944: today is the 65th Anniversary of the Birth of the Computer

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the  Computer
Newsgroups: alt.folklore.computers
Date: Wed, 02 Sep 2009 16:07:11 -0400
somebody on health care this morning claimed that canada's health care spending is 9% of GNP and US is 19% of GNP (better than twice the percentage of total country resources) and US is increasing fast (as percentage of GNP).

i've been hearing for the past several weeks that US has the highest percentage of GNP spending on health care ... but one of the lowest levels of care for 1st world countries / industrial nations; however this was first time I heard it quantified.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

PCI Council Releases Recommendations For Preventing Card-Skimming Attacks

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
Date: 2 Sep, 2009
Blog: Payment Systems Nework
past posts in this thread
https://www.garlic.com/~lynn/2009m.html#13
https://www.garlic.com/~lynn/2009m.html#28
https://www.garlic.com/~lynn/2009m.html#40
https://www.garlic.com/~lynn/2009m.html#42

The skimming technology related to yes card was nearly identical to the magstripe skimming technology (end-point POS terminal compromise and record the information being processed by the POS terminal). For organized crime ... the ROI allowing electronics to skim the information, is orders of magnitude better than dealing with visible.

The x9a10 financial standard work that led to x9.59 financial standard slightly tweaked the paradigm eliminating the PAN as vulnerability.
https://www.garlic.com/~lynn/x959.html#x959

The x9.59 work in the mid-90s avoided the problems that led to the later yes card vulnerability (as well as a whole slew of other shortcomings). X9.59 also demonstrated that an x9.59 chipcard could work in the same POS terminal deployed for the failed chipcard deployment (related to yes card vulnerability).
https://www.garlic.com/~lynn/subintegrity.html#yescard

The merchant and consumers would distinguish no operational difference ... other than there was no longer a skimming vulnerability and/or any problems with exposing the PAN.

The terminals being deployed for chipcards have had ability for provisioning from merchant acquiring (including software update downloads over same link used for transaction traffic). A trivial change in the POS terminal software (for chipcard capable POS, downloaded from merchant acquiring) allows for transparently differentiating whether a x9.59 transaction was being done or a non-x9.59 transaction was being done.

There is an operational difference, since X9.59 no longer has the skimming vulnerability and no problems with exposing the PAN. Since there is no longer a skimming vulnerability ... X9.59 also works equally well for contact and contactless processing. It also eliminates the necessity of using SSL (in internet environment) to hide the transaction (again since skimming has been eliminated as a vulnerability).

for those on linkedin

Hacker charges also an indictment on PCI, expert says
http://www.linkedin.com/newsArticle?viewDiscussion=
http://www.linkedin.com/newsArticle?viewDiscussion=
http://www.linkedin.com/newsArticle?viewDiscussion=http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=59707682&gid=50424articleID=59707682http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=59707682&gid=50424gid=50424articleID=59707682http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=59707682&gid=50424gid=50424articleID=59707682http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=59707682&gid=50424gid=50424

PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
http://www.linkedin.com/newsArticle?viewDiscussion=
http://www.linkedin.com/newsArticle?viewDiscussion=
http://www.linkedin.com/newsArticle?viewDiscussion=http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=61974479&gid=50424articleID=61974479http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=61974479&gid=50424gid=50424articleID=61974479http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=61974479&gid=50424gid=50424articleID=61974479http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=61974479&gid=50424gid=50424

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

August 7, 1944: today is the 65th Anniversary of the Birth of the Computer

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the  Computer
Newsgroups: alt.folklore.computers
Date: Thu, 03 Sep 2009 16:49:29 -0400
Dave Garland <dave.garland@wizinfo.com> writes:
It's got problems. The reimbursement rates are screwed up. Politicians left a big gap in drug coverage. (OTOH, drug coverage might work better if the politicians hadn't forbidden medicare negotiating with the drug companies to get a better deal.)

60 minutes had a segment on the process. compared costs for several identical drugs at VA (which is allowed to negotiate) being approx. 1/3rd that of option where not allowed to negotiate.

the 60 minute segment said that the line for not negotiating prices was put in late in the game ... and that there were 12-18 congressman and staffers that prevented an updated GAO report to be distributed ... that reflected cost of the bill (doubled or more after that change was added to the bill).

the 60 minute segment had those 12-18 shepherding the bill thru (including getting the non-negotiating change just before the vote ... and preventing the gao cost update reflecting the change, from being distributed) ... and something like 6-12 months after bill passage ... all had left and were working for drug companies.

past post mentioning the cbs 60 min segment (looking at passage of the drug bill):
https://www.garlic.com/~lynn/2007q.html#7 what does xp do when system is copying

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

PCI Council Releases Recommendations For Preventing Card-Skimming Attacks

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
Date: 2 Sep, 2009
Blog: Payment Systems Nework
past SSL reference in this thread
https://www.garlic.com/~lynn/2009m.html#40

related to SSL ... DNSSEC can improve the trust in theinformation in SSL digital certificates ... a couple recent items about DNSSEC:

Educause Announces Plans To Sign .edu TLD With DNSSEC
http://news.slashdot.org/story/09/09/03/1845245/Educause-Announces-Plans-To-Sign-edu-TLD-With-DNSSEC
Security of .edu Internet Domain to Increase EDUCAUSE
http://www.educause.edu/About+EDUCAUSE/PressReleases/SecurityofeduInternetDomaintoI/178963

however, pervasive deployment of DNSSEC can also eliminate the need for SSL digital certificates ... using public key available from the DNS infrastructure (instead of needing SSL digital certificate to obtain the public key) ... misc. past posts that DNSSEC may represent a catch-22 for the SSL digital certificate industry:
https://www.garlic.com/~lynn/subpubkey.html#catch22

past posts discussing SSL digital certificates
https://www.garlic.com/~lynn/subpubkey.html#sslcert

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Hacker charges also an indictment on PCI, expert says

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Hacker charges also an indictment on PCI, expert says
Date: 4 Sep, 2009
Blog: Payment Systems Nework
re:
https://www.garlic.com/~lynn/2009l.html#50 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#53 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#61 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#64 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#68 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009m.html#4 Hacker charges also an indictment on PCI, expert says

footnote on TPM ...

in the mid-90s, I had semi-facetious commented that I would take a $500 milspec part, aggressive cost reduce by 2-3 orders of magnitude while increasing the integrity.

part of the requirements that I had for AADS chip strawman design was not only handle high-value secure contact transactions but also be able to perform secure contactless transaction within the power constraints and elapsed-time limitations of transit turnstyle (aka very little power executing in very small fraction of a section)

I figured that while I was at it ... I might as well make provisions so that it could also be used as a "TPM" chip. I gave a presentation on it at the trusted computing track at the Intel Developer's Conference. It turns out that the guy running trusted computing was in the front row ... so I took the opportunity to comment that it was nice to see that over the previous two years, the TPM chip was starting to look more & more like my AADS chip strawman. He quipped back that I didn't have the benefit of a committee of 200 people helping me with the design.

Part of the objective of TPM chip (in trusted computing) is to provide extra checks that trusted software is executing and hasn't been compromised. It turns out that this becomes a similar issue in the move to electronic provisioning for POS terminals (and supporting things like downloads from the acquirer). So there has been a fair amount of looking at not only using AADS chip strawman as various format agnostic, personal authentication tokens (or embedded in other things like cellphones) ... but also as a kind of TPM chip in POS terminals (and other similar devices).

old reference to Intel Developer's Conference trusted computing track
https://web.archive.org/web/20011109072807/http://www.intel94.com/idf/spr2001/sessiondescription.asp?id=stp%2bs13

Some AADS chip stuff:
https://www.garlic.com/~lynn/x959.html#aads

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Hacker charges also an indictment on PCI, expert says

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Hacker charges also an indictment on PCI, expert says
Date: 4 Sep, 2009
Blog: Payment Systems Nework
re:
https://www.garlic.com/~lynn/2009m.html#48 Hacker charges also an indictment on PCI, expert says

In the 90s, the EU finread standard ... some past posts
https://www.garlic.com/~lynn/subintegrity.html#finread

moved all that into a tamper-resistant external device (basically part of the card acceptor device) that wasn't vulnerable to the PC compromises and had countermeasures in case the connected PC was compromised.

What happened in the early part of this century/decade was that there was a program for consumer cards ... which distributed "free" serial-port card acceptor device. The resulting enormous consumer configuration and installation problems resulting in rapid spreading opinion that chipcards weren't practical in the consumer environment (even tho the problems weren't in any way ... directly related to the chipcards). In the wake of that failed deployment and rapid spreading opinion that chipcards weren't practical in the consumer market ... all consumer related chipcard programs were pulled and/or evaporated (including the EU finread work ... which represented real countermeasures to compromised PCs).

Part of the issue was that the financial industry was aware of the enormous consumer support issues with serial-port devices from the online (dialup) banking programs from the 80s & early 90s. Presentations in the early to mid-90s about moving from RYO online banking efforts to the internet ... frequently cited as a major motivation was eliminating the financial involvement in enormous costs related to consumer support issues with online access (especially serial-port devices).

All that institutional experience and knowledge regarding the enormous consumer serial-port support issues appeared to be ephemeral and apparently managed to evaporate in a five yr period between starting to move online banking to the internet (and off the proprietary dialup implementations) ... and the period deploying the "free" serial-port card acceptor devices.

Note in that period ... the awareness of the tremendous customer support problems with serial-port operation was a major motivation for the development of USB. There is possibility that organizations having lost all institutional knowledge regarding enormous consumer serial-port support problems ... were sitting ducks for unloading obsolete serial-port devices ... because of everything moving to USB.

The resulting failed deployment of the serial-port card acceptor devices (because of the enormous consumers support issues with serial-port) ... then resulted in a rapidly spreading opinion in the financial (and other industries) that chipcards weren't practical in the consumer market.

Shortly after that, there was several products with other kinds of solutions for secure PC financial operations. There were some number of pilots with significant satisfaction by both consumers and merchants. However, all of these failed to transition out of pilot.

Most of these encountered a severe cognitive dissonance with online merchants. Merchants have been conditioned for much higher interchange fees regarding online CNP (card not present)/MOTO transactions (justification being the much higher fraud rates). The online merchants had huge appetite for secure products that also represented much lower interchange fees. However, for that generation of secure online products, some into pilot stages, the merchants were then told that interchange fees would actually be higher than for internet CNP/MOTO (not lower). The merchants, having been conditioned that interchange fees were proportional to fraud rate ... appeared to not be able to reconcile online products that lowered fraud rate (compared to online CNP/MOTO) ... but would have even higher interchange fee than online CNP/MOTO (i.e. cognitive dissonance).

In the X9.59 financial transaction standard scenario
https://www.garlic.com/~lynn/x959.html#x959

... it basically provides end-to-end integrity (from the originating end-point thru to the issuing institution; eliminating fraud from skimming, data breaches, etc). The EU finread standard moved the "end-point" into an external secure environment (and out of the PC, the PC just becomes an intermediary point that is potentially restricted to just denial-of-service/DOS attacks).

Somewhat related to X9.59 financial transaction scenario ... was something we called parameterised risk management ... which allowed the issuing financial institution to evaluate a larger variety of factors as part of approving a transaction. One of the factors can be the physical location (if known) and/or end-point security (if known).

The EU finread standard provided for a secure end-point ... but the standard didn't provide for any way of proving a trusted finread end-point was being used. X9.59 provides for consumer authentication mechanism for each transaction ... but also provides for end-point optional authentication (allowing the issuing institution the option of evaluating the integrity of the consumer's authentication as well as the integrity of the end-point transaction environment).

So the previously mentioned chip, that could be in the user's authentication token ... and the same chip can be used as TPM for PCs and POS terminals ... AND the same chip can also be used in a EU finread device (to prove whether a trusted EU finread end-point was being used for the transaction).

The EU finread standard is external card acceptor device including its own pinpad and display ... and the entered PIN went directly from PIN pad to the card ... w/o ever going thru the PC.

The EU finread standard was purposefully countermeasure against all kinds of PIN skimming ... as well as countermeasure that PC trojan couldn't directly execute transactions with the hardware token (supplying the skimmed PIN w/o the owners involvement/ knowledge).

The EU finread standard also had its own display ... so that the transaction being authenticated (in the external EU finread device ) could also not be spoofed ... i.e. PIN couldn't be evesdropped, PINs and transactions couldn't be executed w/o owners participation and trojan software could claim that one transaction was being executed ... while the token was being used to execute a totally different transaction ("is what you see, actually what you are doing").

The EU finread standard specifically specified an external card acceptor device with its own trusted pin-pad and trusted display ... that required human operation and was immune from (and countermeasures for) PC compromises (which were well known and studied by at least the mid-90s)

The issue of parameterised risk management & x9.59 was adding trusted/proof for the issuing financial institution ... not just that EU finread devices were available ... but issuing financial institution could also trust when an EU finread device was actually being used (as end-point for trusted transaction execution evnironment)

and possibly those with linkedin access:
http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=59707682&gid=50424

As a person-centric exercise ... a demonstration was done that a AADS chip strawman token works for X9.59 financial standard transactions ... but that the same token could work w/o any changes, for both Kerberos and RADIUS.

Kerberos is widely used underlying authentication technology used on large number of platforms ... including m'soft window platforms. Kerberos originated out of MIT Project Athena (in previous life in late 80s and early 90s, one task was periodically go by and review Project Athena activities). Misc. past posts discussing person-centric for financial transactions and Kerberos
https://www.garlic.com/~lynn/subpubkey.html#kerberos

RADIUS is commingly used underlying authentication technology used by ISPs world-wide. Misc. past posts discussing person-centric authentication for financial transactions and RADIUS (I did some number of RADIUS configurations in the early 90s, it originally was done by vendor for their dail-up modem pools, but then was contributed to IETF internet standard and became much more widely used):
https://www.garlic.com/~lynn/subpubkey.html#radius

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

August 7, 1944: today is the 65th Anniversary of the Birth of the Computer

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the  Computer
Newsgroups: alt.folklore.computers
Date: Fri, 04 Sep 2009 12:35:35 -0400
Dave Garland <dave.garland@wizinfo.com> writes:
That stuff gets written into the chart anyhow. A clerical specialist (back when I worked in a hospital office, they were called "coders", but of insurance codes rather than computer instructions) takes the info and does the insurance paperwork (which is, or was, different for every insurance company, as was the details of what they'd cover and not cover) and tries to find some way to charge the company for whatever was done. The government paperwork is pretty minor in comparison to the private insurance paperwork.

medicare instituted standardized DRGs ... which were standardized codes/descriptors ... which resulted in high uptake everywhere else.

we looked at some of this a decade ago. one of the benefits was standardization across wide range of different places. A periodically cited reference was DRG for hip-replacement ... outcomes normalized for health, age, etc ... found that hospital on east coast had avg two week hospital stay ... while same for hospital in Santa Cruz had avg. one week hospital stay (again outcomes were normalized for age, health, other areas ... so shorter stay didn't have higher relapses, re-admittance, etc. ... implication was that the avg care at the west coast hospital was superior).

recently there have been some studies that hospitals which have the highest degree of automation avg. 30% better care than others. there may be what is cause and what is effect ... like the best hospitals with best practices everywhere else ... may more likely to have also the best practices for dataprocessing ... as opposed to the best dataprocessing resulting in other best practices.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Chip with PIN or Chip with signature

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Chip with PIN or Chip with signature
Date: 4 Sep, 2009
Blog: Payment Systems Nework
a little discussion x-over from this threads/articles:

PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=61974479&gid=50424
Hacker charges also an indictment on PCI, expert says
http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=59707682&gid=50424

In the x9.59 financial standard and related parameterised risk management

a hardware token fullfils something you have authentication ... from 3-factor authentication model
https://www.garlic.com/~lynn/subintegrity.html#3factor

something you have (hardware token)
something you know (pin, password)
something you are (biometrics, thumbprint iris)

an x9.59 token solution works the same regardless of number of authentication factors ... and the transaction environment and/or issuing institution can mandate degree of authentication (based on risk &/or value of transaction).

and as discussed, the same chip can also be embedded in the transaction execution environment (POS terminal, card acceptor device) and can also become part of the factors considered by issuing financial institutions for parameterised risk management.

The business rules for level/factors for authentication aren't in the token ... but possibly multiple different authentication factors are supported by the token ... and based on the authentication factors involved ... the token just includes that information as part of the authenticated transaction.

Part of this was removing barriers for a person-centric token paradigm ... a person's token could be used across a broad range of different environments w/o constant, expensive, cumbersome and vulnerable chipcard provisioning. The chip works perfectly fine in an institutional-centric environment (one token per institution) ... but barriers are removed for it to operate in a person-centric paradigm (common token for possibly all environments). Related to enabling for person-centric environment is that a broad range of different environments are likely to also have a broad range of risks and authentication requirements (i.e. parameterised risk management) ... and therefor for a common token to be successful ... it can't mandate the same authentication requirements for all the different environments.

As a person-centric exercise ... a demonstration was done that a AADS chip strawman token works for X9.59 financial standard transactions ... but that the same token could work w/o any changes, for both Kerboeros and RADIUS.

Kerberos is widely used underlying authentication technology used on large number of platforms ... including m'soft window platforms. Kerberos originated out of MIT Project Athena (in previous life in late 80s and early 90s, one task was periodically go by and Project Athena activities). Misc. past posts discussing person-centric for financial transactions and Kerberos
https://www.garlic.com/~lynn/subpubkey.html#kerberos

RADIUS is commingly used underlying authentication technology used by ISPs world-wide. Misc. past posts discussing person-centric authentication for financial transactions and RADIUS (I did some number of RADIUS configurations in the early 90s, it originally was done by vendor for their dail-up modem pools, but then was contributed to IETF internet standard and became much more widely used):
https://www.garlic.com/~lynn/subpubkey.html#radius

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Online banking: Which bank is the most secure?

Refed: **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Online banking: Which bank is the most secure?
Date: 5 Sep, 2009
Blog: Financial Crime Risk, Fraud and Security
Online banking: Which bank is the most secure?
http://software.silicon.com/security/0%2C39024655%2C39501469%2C00.htm

from above:
Of the 10 banks and building societies surveyed, Barclays' security was rated the best by Which? Computing, while Abbey and Halifax were given the wooden spoon for their poor security.

... snip ...

Court Allows Woman to Sue Bank for Lax Security After $26,000 Stolen by Hacker
http://www.wired.com/threatlevel/2009/09/citizens-financial-sued/

from above:
An Illinois district court has allowed a couple to sue their bank on the novel grounds that it may have failed to sufficiently secure their account, after an unidentified hacker obtained a $26,500 loan on the account using the customers' user name and password.

... snip ...

in shared-secret authentication paradigm ... people are frequently required to divulge their password ... and therefor become conditioned to having to give out some sort of shared-secret (pin, password, ssn#, DOB, etc). then an attacker can impersonate the victim by repeating the shared-secret.

The (static-data) shared-secret paradigm also is at the root of skimming, data-breaches and large variety of other vulnerabilities (attackers obtaining the information and then simply being able to replay the information as part of impersonating the individual).

from 3-factor authentication paradigm ... some number of past posts
https://www.garlic.com/~lynn/subintegrity.html#3factor

something you have (hardware token, magstripe)
something you are (pin, password)
something you are (biometrics, fingerprint, etc)

these can be implemented in various ways ... "static data" vis-a-vis "dynamic data" ... shared-secret vis-a-vis "secret", etc.

It is possible to design authentication such that the end-user is never required to divulge some piece of information ... and as a result, a publicity program can be put in place to remind users that it is never necessary to do something ... just because they are told to ... which could greatly improve public's resistance to common social engineering (and reduce the benefits to attackers for doing social engineering).

somewhat related discussion in payment systems network:

PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=61974479&gid=50424
Hacker charges also an indictment on PCI, expert says
http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=59707682&gid=50424

for the fun of it ... magstripe invention and then standards managed out of los gatos lab:
https://en.wikipedia.org/wiki/Magnetic_stripe

and early development of ATM machines at los gatos lab:
https://en.wikipedia.org/wiki/IBM_3624

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

August 7, 1944: today is the 65th Anniversary of the Birth of the Computer

Refed: **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of   the  Computer
Newsgroups: alt.folklore.computers
Date: Sat, 05 Sep 2009 12:27:29 -0400
Stan Barr <plan.b@dsl.pipex.com> writes:
As many American gentlemen found out when bringing their "servants" to England. As soon as the slave's feet touched English soil (usually Liverpool) he was free. At least one man went to court to recover his "property" and, of course, lost.

(Not just England, btw. Mustn't upset the Scots, Welsh and Irish by leaving them out!)


my wife's dad had gotten a set of history books for some sort of distinction at west point (they were 1880 history lectures by some professor including discussing formation of the country). one of the points was that if it hadn't been for the influence of the scots in the mid-atlantic states ... the influence of the english from ny & new england states would have resulted in significantly different form of government (much less individual freedom).

there was a bbc (ww1) blackadder segment that had question about what does a englishman do when they meet a man in a skirt ... the reply was "run him thru and nick his land" (referring to attempt at scottish genocide and appropriating all the country). the same segment had some reference to all the military experience the english had going into ww1 ... and the response was shooting pygmies attacking with mangoes didn't do a lot for preparing for ww1.

there was some later reference about why so many scottish young men served in ww1 was that after the english had moved in and took over everything, scottish young men had no other opportunity (but the army).

for slightly other drift, recent references to "A Peace to End All Peace", original edition 1989 (although they've come out with 20th annv edition) that was apparently based on a lot of declassified british documents about ww1 (and discusses much of current circumstances are the result of activity in the middle east by the allies ending ww1)
https://www.garlic.com/~lynn/2009i.html#40 64 Cores -- IBM is showing a prototype already
https://www.garlic.com/~lynn/2009j.html#47 Specifications

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

August 7, 1944: today is the 65th Anniversary of the Birth of the Computer

Refed: **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of   the  Computer
Newsgroups: alt.folklore.computers
Date: Sat, 05 Sep 2009 12:57:15 -0400
Patrick Scheible <kkt@zipcon.net> writes:
I left the Scots and Irish out deliberately because the situation there was less clear-cut. They had no slavery, but there may have been indentured servitude still. I think Welsh law on that subject was like English, but I didn't want to commit myself.

it seemed like the english imposed it on others ... including exporting them to various colonies

re:
https://en.wikipedia.org/wiki/Indentured_servant

from above:
Indentured servitude was a common part of the landscape in England and Ireland during the 1600s. During the 1600s, many Irish were also kidnapped and taken to Barbados. In 1643, there were 37,200 whites in Barbados (86% of the population).[19] Many indentured servants were captured by the English during Cromwell's expeditions to Ireland and Scotland, who were forcibly brought over between 1649 and 1655.

... snip ...

and ...
Many white Irish slaves were taken to Montserrat during the slave trade: it is the only territory in the world, other than the Republic of Ireland, to have a public holiday for St Patrick Day.

... snip ...

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Tell me something about how you use signature files!

Refed: **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Tell me something about how you use signature files!
Blog: Web Development
Date: Sat, 06 Sep 2009
I got blamed for online computer conferencing on the internal network in the late 70s & early 80s (the internal network was larger than the arpanet/internet from just about the beginning until possibly late '85 or early '86). Signatures grew to be both internal & external phone nos. as well as internal and external email. Was also one of the first to get business cards with email in addition to phone.

At some point, corporation said that business cards were purely external contact and shouldn't carry internal email. The problem was that up until then cards were normal for both internal and external contacts and frequently carried both internal and external phone nos (which implied that they were being somewhat inconsistent regarding internal email address).

Later in the 80s, when I started using emacs for email, I configured to using unix "fortune" to add to the signature line ... which was just "zippy" file at the time. I did add a couple other files that had been kicking around internally and would randomly select from available files.

recent post discussing the subject:
https://www.garlic.com/~lynn/2009l.html#19

in the early 80s, as the corporate executives became aware of the computer conferencing ... there was a fairly large investigation into the emerging phenomena. Part of the results was deployment of an "official" tool and sanctioned activity. With the official "tool", users could select a number of ways how they interacted ... including both a "usenet" kind of mode as well as a "listserv" kind of mode (mailing list, predating listserv by a number of yrs). a recent post mentioning "TOOLSRUN":
https://www.garlic.com/~lynn/2009j.html#79 Timeline: The evolution of online communities
https://www.garlic.com/~lynn/2009k.html#6 Timeline: The evolution of online communities

for the internal network ... a distribution list driver was developed ... which efficiently transmitted information when there was multiple recipients
https://www.garlic.com/~lynn/2009k.html#12 Timeline: The evolution of online communities
https://www.garlic.com/~lynn/2009k.html#13 Timeline: The evolution of online communities

bitnet (& earn) was the external university implementation (using the internal network technology) ... and the distribution list processing was eventually made available as part of the product. ... misc. past posts mentioning bitnet (earn in europe)
https://www.garlic.com/~lynn/subnetwork.html#bitnet

misc. past posts mentioning the internal network
https://www.garlic.com/~lynn/subnetwork.html#internalnet

bits & pieces of various email (dating back to 1973)
https://www.garlic.com/~lynn/lhwemail.html

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Declare War on SQL Injection Attacks

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Declare War on SQL Injection Attacks
Blog: Information Security Network
Date: Sun, 06 Sep 2009
Declare War on SQL Injection Attacks
http://www.pcworld.com/businesscenter/article/171514/declare_war_on_sql_injection_attacks.html

from above:
Analysis: Like smallpox or polio, this pest should be eliminated, and it just takes some attention and some code.

... snip ...

for the fun of it ... misc. past posts about original relational/sql implementation
https://www.garlic.com/~lynn/submain.html#systemr

We had been called in to consult with small client/server startup that wanted to do payment transactions on their server ... the startup had also invented this technology called SSL that they wanted to use; the result is now frequently called electronic commerce.

In the following period, webservers that had RDBMS were always having much larger number of compromises & exploits than straight flat file implementations. It wasn't any single thing ... but in aggregate, RDBMS environments tend to be significantly more complex than flat file implementations ... and compromises/exploits are frequently proportional to complexity.

Past references to having worked on high availability and cluster scale-up
https://www.garlic.com/~lynn/subtopic.html#hacmp

this post mentions a Jan92 meeting on the subject:
https://www.garlic.com/~lynn/95.html#13

two of the people from the above referenced, Jan92 meeting then leave and show up at the small client/server startup responsible for something called the "commerce server" (which started out as a multi-store "MALL" implementation built with RDBMS from their previous employer).

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Ikea type font change

Refed: **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Ikea type font change
Newsgroups: alt.folklore.computers
Date: Sun, 06 Sep 2009 15:08:25 -0400
Elliott Roper <nospam@yrl.co.uk> writes:
Well! They have gone for another lap round the plughole. Remember all the VT220's hanging off VMS wherever you went in their shops?

They used to know what classy meant.


atex (was on vax cluster) ... following lists history and some of the customers (including times):
https://en.wikipedia.org/wiki/Atex_%28software%29

then atex was one of the early ha/cmp adopters (would have been during its kodak days ... see the wiki reference)
https://www.garlic.com/~lynn/subtopic.html#hacmp

current web page:
http://www.atex.com/

the wiki makes reference to "Atex messaging" being major predecessor of e-mail and instant messaging ... although atex wasn't founded until 1973, so couldn't have predated the virtual machine based sutff on the internal network.
https://www.garlic.com/~lynn/subnetwork.html#internalnet

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Ikea type font change

Refed: **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Ikea type font change
Newsgroups: alt.folklore.computers
Date: Sun, 06 Sep 2009 15:35:01 -0400
re:
https://www.garlic.com/~lynn/2009m.html#57 Ikea type font change

mar '91
http://www.nytimes.com/1991/03/17/business/can-atex-keep-its-proprietary-place-in-the-newsroom.html?pagewanted=2

from above:
Last year, Kodak formed an alliance with I.B.M. to help rescue Atex by replacing its system of Digital Equipment Corporation minicomputers and terminals with systems based on I.B.M.'s RS/6000 file-server computers and PS/2 desk-top machines.

... snip ...

above mentions in '88 NYT announced $22m plan for customized version of Atex.

feb '1995 article
http://findarticles.com/p/articles/mi_m3065/is_n2_v24/ai_16328496/

by '95 , kodak had sold them off ... and they were moving a lot of the front-end stuff to desktop computers ... mentions rs/6000 (again doesn't call out the ha/cmp configurations).

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Definition of a computer?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Definition of a computer?
Newsgroups: alt.folklore.computers
Date: Sun, 06 Sep 2009 16:21:25 -0400
greymausg writes:
I remember a mountain commonage in the Roundwood, Co Wicklow area, must be almost 50 years ago. (A commonage is an area where all livestock are allowed mix, no fences, but in fact the various flocks would tend to stay together). In the Autumn, all the sheep would be gathered in one field where there was a penning area, and one of these pens was a long one with smaller pens along each side, the sheep would be pushed down the long pen, actually, after the first one going, the rest would mostly follow, and each owner would open a gate as his sheep would pass by, and let them into his pen. Sorta

... open range ... roundup in the fall ... when I was really young, I got a large tincan of disinfect with spout ... and my job was to squeeze a stream of disinfectant on the head where the horns had just been snipped (there was also branding & snipping going on at the other end).

young cows tended to stay with their mother ... so whatever brand the mother had, was assumed that the calf got the same brand.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Ikea type font change

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Ikea type font change
Newsgroups: alt.folklore.computers
Date: Sun, 06 Sep 2009 17:25:22 -0400
Elliott Roper <nospam@yrl.co.uk> writes:
I think you might have shot off at an understandable tangent. Possibly because of the Verdana drama, I was, however, referring to the in-house point of sale system in IKEA. It had nothing to do with Atex typesetting systems.

It seems that "Sweden" is the sole member of the intersecting sets.

As an earlier step in cred losing at IKEA, they stopped Macs posing in their furniture layouts in the catalogues and started using some mediocre ugliness from hp. Only a short step from there to Verdana. We are *doomed*.

By the way that wiki article was malarkey. I was one of the pioneers of computer typesetting in Australia and Atex were nowhere in the days of VT220's. Cybergraphics was a one hit wonder in the mid 1990's. They seem to have disappeared after some kind of merger with Geac which also went bust. Not sure who owns it now. Besides it was a horrid pc based thing. How could they possibly understand good typography <wan grin>


re:
https://www.garlic.com/~lynn/2009m.html#57 Ikea type font change

it was a "typefont plus dec/vms plus NYT" to atex topic drift (NYT/atex moving to atex rs6000 hacmp)

aka mar '91 article reference:
https://www.garlic.com/~lynn/2009m.html#58 Ikea type font change

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

August 7, 1944: today is the 65th Anniversary of the Birth of the Computer

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the  Computer
Newsgroups: alt.folklore.computers
Date: Sun, 06 Sep 2009 18:37:26 -0400
Dave Garland <dave.garland@wizinfo.com> writes:
You got that right. And insurance companies don't want old people, because they're more likely to develop health problems, and it's hard to charge them enough to maintain high profits. That's why I'm hoping that we get the system reformed.

there was statistics that the "baby boomers" moving into retirement increases the size (over the previous retired generation) by a factor of four times ... and the following generation is only half as large (i.e. the reason that the generation is called the baby boomers) ... that results in increase in ratio of eight times (ratio of number in retiring generation to number in following generation).

it was relatively easy for everybody to tax the babyboomer generation to pay for the prior generations ... but it gets/becomes much more difficult when the babyboomers are the ones retiring (and the ratio changes by factor of eight times).

it isn't just the following generation making up coverage shortfalls for the retired babyboomer generation ... but also the ratio of health care works to number of retirees is cut by a factor of eight times (four times as many retirees, only half as many all kinds of workers, including health care workers).

it is possible that society in general (or at least as it has been known for the past couple decades) isn't going to be able to afford that ratio of old people.

past posts mentioning the baby boomer bulge moving into retirement and significantly changing ratio
https://www.garlic.com/~lynn/2008h.html#26 The Return of Ada
https://www.garlic.com/~lynn/2008i.html#98 dollar coins
https://www.garlic.com/~lynn/2008l.html#37 dollar coins
https://www.garlic.com/~lynn/2008m.html#3 Medical care
https://www.garlic.com/~lynn/2008n.html#13 Michigan industry
https://www.garlic.com/~lynn/2008n.html#20 Michigan industry
https://www.garlic.com/~lynn/2008o.html#8 The end of the baby boomers, US bonds maturing, and then what?
https://www.garlic.com/~lynn/2008o.html#58 Everyone is getting same deal out of life: babyboomers can't retire but they get SS benefits intact

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

August 7, 1944: today is the 65th Anniversary of the Birth of the Computer

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of  the  Computer
Newsgroups: alt.folklore.computers
Date: Mon, 07 Sep 2009 10:58:39 -0400
Ahem A Rivet's Shot <steveo@eircom.net> writes:
It is not the profits that are the issue, it's the short attention span produced by the quarterly cycle.

Just for fun and to drag it back to computing - a similar issue arises in software development where a tight focus on quarterly (or monthly) feature production interferes with the desire to spend some time getting the core structure good, clean, stable and reliable without necessarily producing any visible improvement until afterwards when people have more time to build new stuff because they're not constantly chasing bugs in the old stuff.


recent post alluding to quality (in this case good security) would affect profits
https://www.garlic.com/~lynn/2009m.html#49 Hacker charges also an indictment on PCI, expert says

the conundrum is that upwards of 50% of the bottom line of US financial institutions have been payment transactions fees ... interchange fees (paid by merchants) have been somewhat proportional to the amount of risk/fraud related to the transaction (the more risk, the higher the interchange fees, internet CNP/MOTO ... aka card-not-present, mail-order/telephone-order ... being the highest). There is at least order of magnitude difference in interchange fees between the payments with the lowest risk and the highest risk payments. Reducing overall risk & related interchange fees by order of magnitude might imply nearly 50% cut in consumer financial institution bottom line.

This was lots of the cognitive dissonance between merchants and financial institutions over introduction of more secure payment products ... where there was an effort to somewhat change the whole landscape, preseving the existing interchange fees proportional to risk ... but then for newer, safer products (that could significantly reduce risk & fraud) ... introduce a new paraidgm where the fees for those products are even higher than the fees for the highest risk/fraud (and they were unable to sell the new paradigm to the merchants). Merchants have rallying back with points that interchange fees are the largest expense for some. Just now a TV program on health care costs and the huge burden on corporations (auto companies citing past references when employee benefits exceeded all their other costs). Retail stores have recently been making statements that interchange fees exceed their employee health benefit costs.

Significantly reducing fraud & significantly improved security can be considered a quality issue ... both good security and good quality having to be designed/built in from the ground up .... and poor quality and poor security overlap with high risk and high fraud.

other recent posts on cognitive dissonance with respect to interchange fees:
https://www.garlic.com/~lynn/2009f.html#60 Cobol hits 50 and keeps counting
https://www.garlic.com/~lynn/2009g.html#62 Solving password problems one at a time, Re: The password-reset paradox
https://www.garlic.com/~lynn/2009g.html#64 What happened to X9.59?
https://www.garlic.com/~lynn/2009i.html#51 64 Cores -- IBM is showing a prototype already

other posts on the above fraud/security issue:
https://www.garlic.com/~lynn/2009l.html#50 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#53 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#61 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#64 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#68 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009m.html#4 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009m.html#13 PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
https://www.garlic.com/~lynn/2009m.html#28 PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
https://www.garlic.com/~lynn/2009m.html#40 PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
https://www.garlic.com/~lynn/2009m.html#42 PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
https://www.garlic.com/~lynn/2009m.html#45 PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
https://www.garlic.com/~lynn/2009m.html#47 PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
https://www.garlic.com/~lynn/2009m.html#48 Hacker charges also an indictment on PCI, expert says

parts of older thread on the subject:
https://www.garlic.com/~lynn/aadsm27.htm#31 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#32 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#33 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#34 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#35 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#37 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#38 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#39 a fraud is a sale, Re: The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#40 a fraud is a sale, Re: The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#41 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#42 The bank fraud blame game

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

What happened to computer architecture (and comp.arch?)

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: What happened to computer architecture (and comp.arch?)
Newsgroups: comp.arch
Date: Mon, 07 Sep 2009 13:38:26 -0400
Mayan Moudgill <mayan@bestweb.net> writes:
Consider this: at one time, IBM had at least 7 teams developing different processors: Rochester, Endicott, Poughkeepsie/Fishkill, Burlington, Raliegh, Austin & Yorktown Heights (R&D).

don't forget los gatos vlsi lab ... did chips for various disk division products (like jib prime for 3880 disk controller) . also put in lots of work on blue iliad (1st 32bit 801 ... never completed). then there was stuff going outside the US.

one might point out that the number of circuits going into many current processors drawfs the aggregate number of circuits in all of those chips from the past.

los gatos also did the LSM (los gatos state machine ... renamed the logic simulation machine). it was used for logic verification of some number of chip designs ... not just Los Gatos chips. One of the things that differentiated LSM (from most of the other, similar hardware logic simulators of the period) was that it had a "clock" .. which provided for handling non-synchronous designs and/or digital chips that included analog circuits (possibly what one might find in disk r/w heads).

part of the 801/iliad risc effort in the late 70s & early 80s was converge the large number of different processor chips to 801 (significant numbers were "embedded") ... it wasn't just the chip design ... but each chip tended to have customized software development and programming environment.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

August 7, 1944: today is the 65th Anniversary of the Birth of the Computer

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the  Computer
Newsgroups: alt.folklore.computers
Date: Mon, 07 Sep 2009 14:09:12 -0400
Anne & Lynn Wheeler <lynn@garlic.com> writes:
there was statistics that the "baby boomers" moving into retirement increases the size (over the previous retired generation) by a factor of four times ... and the following generation is only half as large (i.e. the reason that the generation is called the baby boomers) ... that results in increase in ratio of eight times (ratio of number in retiring generation to number in following generation).

re:
https://www.garlic.com/~lynn/2009m.html#61 August 7, 1944: today is the 65th Anniversary of the Birth of the Computer

with a little x-over from (not just auto industry but steel industry also):
https://www.garlic.com/~lynn/2009m.html#62 August 7, 1944: today is the 65th Anniversary of the Birth of the Computer

when the baby boomer bubble was at its height ... it represented a significant worker bubble as well as a significant (economic) consumer bubble.

a lot of the companies set up retirement scams that weren't fully-funded ... paying the (much smaller number of) retirees out of operating funds ... pocketing the difference between fully funded retirement plan and what they were paying out.

when the unfunded retirement liability starts to bankrupt the company (... combination of baby boomer bubble moving into retirement as well as some economic downturn since retirees tend to buy less, the following worker/consummer generation only half as large, something about 69% of US economy is consumer purchases)

(... in any case), declare bankrupty, walk away with the pocketed funds from the previous couple decades of unfunded liabiilties (bankruptcy moving the huge unfunded liabilities to the fed books) ... i.e. the scam allowed some number of people to walk away the money in their pockets (the amount equivalent to the unfunded retirement liabilities). there is some similarity between the unfunded retirement scam and ponzi schemes (taking advantage of the huge baby boomer bubble during the height of their working & consuming years).

the paper IOUs in the social security system are a similar scam.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

European Banks Warned: Brace for Rise in Cash Machine Fraud

Refed: **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: European Banks Warned: Brace for Rise in Cash Machine Fraud
Date: 7 Sep, 2009
Blog: Financial Crime Risk, Fraud and Security
European Banks Warned: Brace for Rise in Cash Machine Fraud
http://www.pcworld.com/businesscenter/article/171542/european_banks_warned_brace_for_rise_in_cash_machine_fraud.html

from above:
Banks are likely to see cash-machine fraud rise unless steps are taken to improve their cash-machine infrastructure, the European Network and Information

... snip ...

European banks warned: brace for rise in cash machine fraud
http://www.networkworld.com/news/2009/091409-heartland-ceo-credit-card-encryption.html
EU agency 'alarmed' by rise in cash machine fraud
http://www.finextra.com/fullstory.asp?id=20448
Huge rise in cash-machine crime, watchdog warns Money The Guardian
http://www.guardian.co.uk/uk/2009/sep/07/cash-machine-crime-increase-fraud
EU urges wise-up to combat rampant ATM crime
http://www.theregister.co.uk/2009/09/07/eu_atm_crimebuster_drive/

for historical reference .... invention of magstripe and management of magstripe standards at Los Gatos lab:
https://en.wikipedia.org/wiki/Magnetic_stripe_card
and early ATM machines also done at Los Gatos lab
https://en.wikipedia.org/wiki/IBM_3624
3624 introduce PIN-block used for encrypted transmission of PIN
https://en.wikipedia.org/wiki/Personal_identification_number

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

What happened to computer architecture (and comp.arch?)

Refed: **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: What happened to computer architecture (and comp.arch?)
Newsgroups: comp.arch
Date: Mon, 07 Sep 2009 17:54:01 -0400
Robert Myers <rbmyersusa@gmail.com> writes:
You've such a way with words. Nick. Browsers, which are probably the OS of the future, are already multi-threaded or soon to be. No longer does the browser freeze because of some java script in an open tab. Browsers that don't seize that advantage will fall by the wayside. The same will happen all over software, and at increasing levels of fineness of division of labor.

i frequently have couple hundred concurrent tabs ... since tabs originally introduced. lots of improvements over the past 4-5 yrs on handling multiple hundred concurrent tabs ... they all along did some amount of internal multi-threading ... but not necessarily mapping concurrent threads to different processors.

in any case, just mapping tab/threads to processors, won't necessarily fix my problems for some time yet (having at least as many physical processors as I have concurrent tabs).

in my undergraduate days ... I did a lot on resource management and scheduling ... and when threads were totally independent I could take advantage of multiple physical processors (and not let hogs, hog resources).

however, one of the premier multi-threaded transaction processing from 60s was CICS (univ. where I was undergraduate was selected to be one of the original cics product betatest locations and I got tasked to support/debug the deployment, 40yrs ago now).

In any case ... it wasn't until a couple yrs ago that CICS multi-threaded support was upgraded to support multiple processors (up until then large installations might have 100 or more different concurrent CICS "images" ... some still have multiple concurrent CICS images). cics multiprocessor exploitation
http://www.ibmsystemsmag.com/mainframe/septemberoctober05/tipstechniques/10093p1.aspx

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

European Banks Warned: Brace for Rise in Cash Machine Fraud

Refed: **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: European Banks Warned: Brace for Rise in Cash Machine Fraud
Date: 8 Sep, 2009
Blog: Financial Crime Risk, Fraud and Security
re:
https://www.garlic.com/~lynn/2009m.html#65 European Banks Warned: Brace for Rise in Cash Machine Fraud

ATM fraud increases
http://www.themoneytimes.com/articles/20080313/carlyle_fails_in_negotiations_banks_may_seize_assets-id-1018813.html

from above:
ATM fraud in Europe is rising fast, with criminals using increasingly sophisticated methods of attack.

... snip ...

ATM fraud continues to climb as consumers warned over risks and potential losses
http://www.scmagazineuk.com/ATM-fraud-continues-to-climb-as-consumers-warned-over-risks-and-potential-losses/article/148281/

from above:
annual cash machine losses in Europe is approaching 500 million, with a total of 10,302 skimming incidents reported in Europe in 2008, a 149 per cent rise in ATM attacks.

... snip ...

Hackers turn attention to ATMs; Experts urge banks to re-examine the security of their back-end infrastructure
http://www.pcmag.co.uk/v3/news/2249021/hackers-turn-attention-atms

from above:
While the rise in attacks on internet banking systems is well documented, the ATM Crime (PDF) research points to a 149 per cent rise in ATM attacks last year, including 10,302 so-called 'skimming' incidents.

... snip ...

for the fun of it ... Los Gatos lab post/reference in comp.arch newsgroup yesterday
https://www.garlic.com/~lynn/2009m.html#63 What happened to computer architecture

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Definition of a computer?

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Definition of a computer?
Newsgroups: alt.folklore.computers
Date: Tue, 08 Sep 2009 16:00:33 -0400
Chris Barts <chbarts+usenet@gmail.com> writes:
True in spades. USB alone has saved so much headache its creator should be declared a saint and given a week of feast days.

a few recent posts discussing the major motivation for creation and deployment of USB:
https://www.garlic.com/~lynn/2009l.html#2 Cyber attackers empty business accounts in minutes
https://www.garlic.com/~lynn/2009l.html#61 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#64 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009m.html#12 Need new 3270 emulator: SSH, inexpensive, reliable
https://www.garlic.com/~lynn/2009m.html#49 Hacker charges also an indictment on PCI, expert says

basically after-market deployments of serial-port devices ... especially dial-up modems was enormous headache.

major motivation given for dial-up online consumer banking moving to the internet was to offload to the ISPs, their enormous customer support costs (related to dial-up serial-port modems) ... although in the early-to-mid 90s presentation ... while online consumer banking was talking about moving to the internet, in large part because of enormous serial-port customer support costs .... online commerical/cash-management banking presentations (from the period) were adamant that they would never move to the internet (because uncontrollable security problems).

in any case, after USB was being deployed ... apparently the loss (in period of 4-5yrs) of ephmeral institutional knowledge (regarding enormous serial-port consumer support costs) ... resulted in major financial deployment of an (obsolete) serial-port device (that was suppose to significantly improved security of internet financial transactions). the enormous customer support problems reappeared ... which they weren't prepared for &/or staffed for ... resulting in the whole thing being terminated and disappearing w/o a trace.

that failed deployment also led to rapidly spreading rumor (in the industry) that authentication hardware tokens weren't practical in the consumer market (it wasn't that the tokens weren't practical ... it was the attempt to use serial-port interface which wasn't practical).

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

U.S. students behind in math, science, analysis says

Refed: **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: U.S. students behind in math, science, analysis says
Newsgroups: alt.folklore.computers
Date: Tue, 08 Sep 2009 18:40:56 -0400
also has made cnn tv news

U.S. students behind in math, science, analysis says
http://www.cnn.com/2009/US/08/25/students.science.math/

however, this has been going on for a couple decades ... didn't quote study that claimed US would contribute to more robust US economy and GDP. past threads

past threads over past couple yrs:
https://www.garlic.com/~lynn/2007r.html#33 Students mostly not ready for math, science college courses
https://www.garlic.com/~lynn/2007r.html#36 Students mostly not ready for math, science college courses
https://www.garlic.com/~lynn/2007r.html#38 Students mostly not ready for math, science college courses
https://www.garlic.com/~lynn/2007r.html#46 Students mostly not ready for math, science college courses
https://www.garlic.com/~lynn/2007s.html#22 America Competes spreads funds out
https://www.garlic.com/~lynn/2007u.html#78 Education ranking
https://www.garlic.com/~lynn/2008.html#57 Computer Science Education: Where Are the Software Engineers of Tomorrow?
https://www.garlic.com/~lynn/2008.html#62 competitiveness
https://www.garlic.com/~lynn/2008b.html#57 Govt demands password to personal computer
https://www.garlic.com/~lynn/2008e.html#61 Study Finds Sharp Math, Science Skills Help Expand Economy
https://www.garlic.com/~lynn/2008e.html#63 Study Finds Sharp Math, Science Skills Help Expand Economy
https://www.garlic.com/~lynn/2008f.html#22 Study Finds Sharp Math, Science Skills Help Expand Economy
https://www.garlic.com/~lynn/2008f.html#70 Study Finds Sharp Math, Science Skills Help Expand Economy
https://www.garlic.com/~lynn/2008f.html#81 Is IT becoming extinct?
https://www.garlic.com/~lynn/2008n.html#18 VMware Chief Says the OS Is History
https://www.garlic.com/~lynn/2008o.html#58 Everyone is getting same deal out of life: babyboomers can't retire but they get SS benefits intact
https://www.garlic.com/~lynn/2008s.html#20 Five great technological revolutions
https://www.garlic.com/~lynn/2009d.html#21 IBM 'pulls out of US'

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Client Certificate UI for Chrome?

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **
Subject: Re: Client Certificate UI for Chrome?
Date: Tue, 08 Sep 2009 21:30:38 -0400
From: Anne & Lynn Wheeler <lynn@garlic.com>
MailingList: cryptograpy
On 09/06/2009 03:34 AM, Peter Gutmann wrote:
There's a variant of this, the site-specific browser (SSB), that takes you to (for example) your bank in a strongly sandboxed, hardened environment. This reduces the cognitive load on the user from a more or less impossible-to- follow set of instructions to "only ever do your banking by clicking on this desktop icon". This isn't by any means a general solution, but by solving for the most common cases (your bank, Paypal, eBay, Amazon) you'd address a fairly large chunk of the problem. See "Breaking out of the Browser to Defend Against Phishing Attacks" by Smetters and Stewart for more details on this.

in the early to mid-90s ... dialup online consumer banking operations were talking about migration to internet ... a major motivation was that they had enormous consumer support for (serial-port) modems ... which they could offload on to the ISPs (which would be able to amortize all the serial port modem gorp across all the online activity). one such dialup online banking presentation in the period claimed to have well over 60 different software modem drivers (and significant customer call center support operation).

however, at the same time, the dialup online commercial/cash-management banking operations were making presentations, claiming that they would never move to the internet because of the myriad of unsolved (possibly unsolvable) internet security problems. the circumstances hasn't improved a whole lot in the 15yr interim.

The "serial-port" specific issues were major motivation for development of USB. There was a financial hardware authentication token deployment in the early days of USB ... but attempted to use (obsolete) serial-port interface boxes. The financial industry institutional knowledge regarding the enormous difficulty and costs associated with serial port appeared to evaporate in the few years between the migration of dialup online banking to the internet and the time of the secure hardware authentication token. They weren't prepared for the difficulty or staffed to handle the resulting significant customer support problems ... and eventually the deployment floundered and disappeared.

In the aftermath of failed deployment there was rapidly spreading opinion in the industry that hardware tokens weren't practical in the consumer market ... when, in actual fact, serial-port devices weren't practical in the consumer market (which some in the industry already knew).

... long ago and far away ... some number would claim that there weren't hard numbers for (my) scheduler products. For one product I shipped, I did a set of 2000 automated benchmarks that took three months elapsed time to run .. that were strategically designed to validate operation with large variety of workloads, configurations and scheduling policies.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Definition of a computer?

Refed: **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Definition of a computer?
Newsgroups: alt.folklore.computers
Date: Tue, 08 Sep 2009 22:26:41 -0400
Chris Barts <chbarts+usenet@gmail.com> writes:
(IIRC, IBM once had an OS called MFT, or Multiprogramming with a Fixed number of Tasks. I'm guessing it was a lot more complex than my toy above, but it seems to capture some of the idea.)

part of presentation I made at fall68 (ibm user group) SHARE meeting in Atlantic City and some work I had been doing on MFT and cp67.
https://www.garlic.com/~lynn/94.html#18 CP/67 & OS MFT14

most of the time the univ. ran its 360/67 as non-virtual memory os/360 ... in the 68 time-period with os360 version 14 (MFT). I had done a lot of work to speed up thruput with MFT14 by almost factor of 3 times for typical university workload.

the last week of jan68, three people had come out from science center and installed cp67. in the following months ... i also redesigned & rewrote large sections of cp67 code.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

August 7, 1944: today is the 65th Anniversary of the Birth of the Computer

Refed: **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the  Computer
Newsgroups: alt.folklore.computers
Date: Tue, 08 Sep 2009 22:46:16 -0400
greymausg writes:
We should watch what the Japanese do, they have a larger, so far, problem. There were reports of them establishing nursing homes in Gambia so the old could be managed more cheaply..

From my personal experience, old people can live far more modestly than younger ones, the problem is medical costs, which is why pensioners here went ballistic when reductions were proposed in that area. An elderly friend of mine managed on food costs of about 15 dollars equivelent per week, because that was what he was used to. Think of the old people who have cars years old, and use them sparingly.


re:
https://www.garlic.com/~lynn/2009m.html#61 August 7, 1944: today is the 65th Anniversary of the Birth of the Computer

the baby boomer bubble moves into retirement and say they cut their spending in half ... they are no longer earning as much and their retirement income is questionable.

one of the problems then
https://www.garlic.com/~lynn/2009m.html#64 August 7, 1944: today is the 65th Anniversary of the Birth of the Computer

is retiring baby boomers not only represents a significant reduction in the work force ... following generation is only half as large (... and a huge increase in the retirement population) ... but also a significant reduction in the consumer economy ... which doesn't bode well for an economy/GDP that is possibly 69% consumer driven.

on one hand parsimonious, aging baby boomer may not require much retirement income ... but then they also aren't helping drive a consumer economy (say possibly 20% reduction in GDP?).

to say nothing of the possibly issue that the following generations may not have the necessary math & science skills to maintain the society at a high standard of living
https://www.garlic.com/~lynn/2009m.html#69 U.S. students behind in math, science, analysis says

.. also contributing to big further declines in GDP

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Definition of a computer?

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Definition of a computer?
Newsgroups: alt.folklore.computers
Date: Wed, 09 Sep 2009 09:15:29 -0400
jmfbahciv <jmfbahciv@aol> writes:
You are young. Operators often "interrupted" the connection because they thought the circuit was broken. We often had to call the telephone operator that we were going to call a computer and ask for the connection not to be interrupted.

re:
https://www.garlic.com/~lynn/2009m.html#68 Definition of a computer?

this particular set of problems were specific to serial-port (especially customers installing after-market serial-port devices) ... somewhat independent of the dial-up/modem related problems.

One (dial-up) online banking operation claimed to have over built up library of 60 different device drivers for their cusotmer base ... to try and have one that actually worked for some subset of customers.

in the serial-port device for interfacing to (security/authentication) hardware tokens ... there were all sorts of installation & configuration problems ... interrupt conflicts, BSOD, people having to re-install from scratch. customer call center calls that went on for an hour or more ... w/o any guarantee that the problems would be resolved. Medium sized business operation with a couple thousands PCs figured that it would avg. $500/PC to have a professional do the installation/configuration (correctly) for each PC.

there is a related thread in crypto mailing list about how to "fix internet security problems" ... recent post
https://www.garlic.com/~lynn/2009m.html#70 Client Certificate UI for Chrome?

consumer dial-up online home banking operations saying that they would move to the internet, in large part motivated by huge consumer support problems related to serial-port ... while commercial/cash-management dial-up online banking operations saying that the would never move to the internet, because of the significant, unaddressed security problems.

In the 14-15 yrs since those presentations ... the internet security problems of the commercial/cash-management online banking operations have hardly changed at all.

a couple other posts in the thread from crypto mailing list:
https://www.garlic.com/~lynn/2009k.html#72 Client Certificate UI for Chrome?
https://www.garlic.com/~lynn/2009l.html#62 Client Certificate UI for Chrome? -- OT anonymous-transaction

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

ATMs by the Numbers

Refed: **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: ATMs by the Numbers
Newsgroups: alt.folklore.computers
Date: Wed, 09 Sep 2009 09:41:40 -0400
ATMs by the Numbers
http://www.wired.com/culture/culturereviews/magazine/17-09/st_atms

from above:
September 9 is the 40th birthday of the automated teller machine in the US. To celebrate the invention that spews twenties at two in the morning, we're spitting out some numbers of our own.

... snip ...

for the fun of it ... magstripe invention and then standards managed out of los gatos lab:
https://en.wikipedia.org/wiki/Magnetic_stripe

and early development of ATM machines at los gatos lab:
https://en.wikipedia.org/wiki/IBM_3624

recent post discussing some other stuff at los gatos lab (has been torn down)
https://www.garlic.com/~lynn/2009m.html#63 What happened to computer architecture (and comp.arch?)

if internet security hasn't hardly changed in the last 14-15 yrs ...
https://www.garlic.com/~lynn/2009m.html#73 Definition of a computer?
and
https://www.garlic.com/~lynn/2009k.html#72 Client Certificate UI for Chrome?
https://www.garlic.com/~lynn/2009l.html#62 Client Certificate UI for Chrome? -- OT anonymous-transaction
https://www.garlic.com/~lynn/2009m.html#70 Client Certificate UI for Chrome?

neither has ATM machine security
https://www.garlic.com/~lynn/2009m.html#65 European Banks Warned: Brace for Rise in Cash Machine Fraud
https://www.garlic.com/~lynn/2009m.html#67 European Banks Warned: Brace for Rise in Cash Machine Fraud

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Continous Systems Modelling Package

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Continous Systems Modelling Package
Newsgroups: alt.folklore.computers
Date: Wed, 09 Sep 2009 11:04:10 -0400
jmfbahciv <jmfbahciv@aol> writes:
A physicist I know told me that one of the chemists was running a job that would take 3 months. They had a bodacious thunder storm and the area lost power...and the guy only had one more month to go.

old posts about Palo Alto Science Center application that they would run on san jose research 370/195 ... it was something like an hour or so but queue/turn-around on 370/195 could be several weeks. they setup to run it on PASC vm system 370/145 in the background (soaking up whatever spare cycles ... typically mostly offshift and weekends). the 370/145 was about 1/30th the processing of 370/195 ... so a couple hr run on 370/195 might take a couple weeks (getting necessary spare cycles) on 370/145 ... that was still more frequent than the queue/turn-around on the 195. They did have to add checkpointing.

... at the cambridge science center, i did do a set of 2000 automated benchmarks that took 3 months elapsed time as part of putting out "resource manager" ... but could be restarted at individual benchmarks. there was years of observation data from lots of internal systems ... that sort-of defined the domain of workloads and configurations. The first (pre-defined) 1000 benchmarks was selected to cover the matrix of possible workloads and configurations.

CSC had done a lot of work in system modeling ... one was an analytical model implemented in APL. This had been enhanced and made available as a sales/marketing tool on the world-wide HONE system. Sales people could characterize their customer workloads & configurations and then ask what-if questions about what happens with configuration and/or workload changes. past posts mentioning world-wide sales/marketing HONE system
https://www.garlic.com/~lynn/subtopic.html#hone

This modeling application was modified to select workload/conguration benchmark (based on past results), predict what the system would do, kick-off that benchmark ... and then compare the actual results with the predicted results. It then would calculate another workload/configuration for the next benchmark ... repeating 1000 times. misc. past posts mentioning automated benchmarking
https://www.garlic.com/~lynn/submain.html#benchmark

misc. past posts mentioning sjr 370/195 batch service
https://www.garlic.com/~lynn/2001n.html#39 195 was: Computer Typesetting Was: Movies with source code
https://www.garlic.com/~lynn/2002j.html#30 Weird
https://www.garlic.com/~lynn/2002n.html#63 Help me find pics of a UNIVAC please
https://www.garlic.com/~lynn/2003j.html#69 Multics Concepts For the Contemporary Computing World
https://www.garlic.com/~lynn/2004.html#21 40th anniversary of IBM System/360 on 7 Apr 2004
https://www.garlic.com/~lynn/2005.html#8 [Lit.] Buffer overruns
https://www.garlic.com/~lynn/2005f.html#4 System/360; Hardwired vs. Microcoded
https://www.garlic.com/~lynn/2005f.html#5 System/360; Hardwired vs. Microcoded
https://www.garlic.com/~lynn/2005f.html#22 System/360; Hardwired vs. Microcoded
https://www.garlic.com/~lynn/2005o.html#44 Intel engineer discusses their dual-core design
https://www.garlic.com/~lynn/2005u.html#44 POWER6 on zSeries?
https://www.garlic.com/~lynn/2006c.html#6 IBM 610 workstation computer
https://www.garlic.com/~lynn/2006c.html#44 IBM 610 workstation computer
https://www.garlic.com/~lynn/2006l.html#6 Google Architecture
https://www.garlic.com/~lynn/2006t.html#41 The Future of CPUs: What's After Multi-Core?
https://www.garlic.com/~lynn/2006x.html#27 The Future of CPUs: What's After Multi-Core?
https://www.garlic.com/~lynn/2007f.html#10 Beyond multicore
https://www.garlic.com/~lynn/2007f.html#20 Historical curiosity question
https://www.garlic.com/~lynn/2007j.html#13 Interrupts
https://www.garlic.com/~lynn/2007j.html#16 Newbie question on table design
https://www.garlic.com/~lynn/2007l.html#52 Drums: Memory or Peripheral?
https://www.garlic.com/~lynn/2008l.html#60 recent mentions of 40+ yr old technology
https://www.garlic.com/~lynn/2008r.html#32 What if the computers went back to the '70s too?
https://www.garlic.com/~lynn/2008r.html#34 What if the computers went back to the '70s too?
https://www.garlic.com/~lynn/2009k.html#49 A Complete History Of Mainframe Computing

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Definition of a computer?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Definition of a computer?
Newsgroups: alt.folklore.computers
Date: Wed, 09 Sep 2009 15:35:35 -0400
Paul <pssawyer@comcast.net.INVALID> writes:
And in some places. The Phone Co. would tell you that you could not use a residential line for data, that you had to order and pay for a business line.

re:
https://www.garlic.com/~lynn/2009m.html#68 Definition of a computer?
https://www.garlic.com/~lynn/2009m.html#73 Definition of a computer?

we had moved into a new development next to high-tech business park ... it was fully fiber optic ... but at the time the only "residential" high-speed was ADSL (>T1) ... which only ran over copper (say $40/month). the phone company was willing to offer me (business) T1 frame-relay at the low-introductory price of $1200/month.

at earlier time & place ... before being able to get ADSL ... i had ISDN for a few months that had $.04/min (per 56kbit channel) use charges ... use charges bill for those months ran $400-$600 per month.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Definition of a computer?

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Definition of a computer?
Newsgroups: alt.folklore.computers
Date: Wed, 09 Sep 2009 15:44:08 -0400
"Charlie Gibbs" <cgibbs@kltpzyxm.invalid> writes:
The IBM 360 line managed quite nicely...

re:
https://www.garlic.com/~lynn/2009m.html#71 Definition of a computer?

os/360 had sort of a dynamic allocated stack convention ... basically (dynamically allocated) "saveareas" that were all threaded together; used for "reentrant" procedures. it was also possible to thread in static allocated "saveareas" ... when "reentrant" wasn't a requirement.

cp/67 originally installed at the univ. (jan68) had a 100 entry pre-allocated savearea ... used for dynamic call/returns (unallocated, available areas were on push/pop stack ... and when the stack was empty the system crashed). one of the things that i did early on, was be able to extend when the available were exhausted (and not crash).

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

ATMs by the Numbers

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: ATMs by the Numbers
Newsgroups: alt.folklore.computers
Date: Thu, 10 Sep 2009 11:46:44 -0400
re:
https://www.garlic.com/~lynn/2009m.html#74 ATMs by the Numbers

post from last year somewhat related to ATMs
https://www.garlic.com/~lynn/2008p.html#27 Father Of Financial Dataprocessing

regarding tribute held for jim gray may of 2008
https://web.archive.org/web/20080616153833/http://www.eecs.berkeley.edu/IPRO/JimGrayTribute/pressrelease.html

quote from above:
Gray is known for his groundbreaking work as a programmer, database expert and Microsoft engineer. Gray's work helped make possible such technologies as the cash machine, ecommerce, online ticketing, and deep databases like Google. In 1998, he received the ACM A.M. Turing Award, the most prestigious honor in computer science. He was appointed an IEEE Fellow in 1982, and also received IEEE Charles Babbage Award.

... snip ...

earlier posts mentioning above:
https://www.garlic.com/~lynn/2008i.html#32 A Tribute to Jim Gray: Sometimes Nice Guys Do Finish First
https://www.garlic.com/~lynn/2008i.html#36 A Tribute to Jim Gray: Sometimes Nice Guys Do Finish First

another recent post mentioning cash machines, ecommerce, etc.
https://www.garlic.com/~lynn/2008s.html#25 Web Security hasn't moved since 1995

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Existence of early 360 software ( was Re: Continous Systems Modelling Package)

Refed: **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Existence of early 360 software ( was Re: Continous Systems Modelling Package)
Newsgroups: alt.folklore.computers
Date: Thu, 10 Sep 2009 22:50:13 -0400
"Dave Wade" <g8mqw@yahoo.com> writes:
I wasn't going to use a current operating system. I use a copy of VM/370 R6 which I guess dates from around 1980. Its not really Y2K compliment either.

i had a bunch of stuff from late 60s (from univ. before I graduated) and early 70s ... mostly cp67 and early vm370 ... but also some os360 stuff ... I had carefully copied to newer tape media over the years ... and replicated on several tapes. however, at some point in the mid-80s, the lab datacenter had some operational issues and allocates tapes were being mounted as scratch (& getting overwritten).

about the only thing really saved ... was shortly before the troubles in the datacenter tape library ... Melinda Varian got me to pull off the original multi-level source update procedures (originally created for cp67/cms). old email (and send her copies)

https://www.garlic.com/~lynn/2006w.html#email850906 and
https://www.garlic.com/~lynn/2006w.html#email850908
in this post
https://www.garlic.com/~lynn/2006w.html#42 vmshare

In the 8Sep85 email, Melinda was "surprised" that effectively most of the multi-level update function was in existance by summer of 1970.

above post also discusses the troubles in the lab datacenter tape library.

After joining the science center ... I enhanced the (cp67) kernel build process (which placed a copy of the kernel image on tape) ... to append on the tape all the source and executables necessary to recreate the kernel from scratch. I had archived/saved ... and replicated some number of these production build tapes (from which was able to recover the early multi-level update procedures for Melinda).

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

A Faster Way to the Cloud

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: A Faster Way to the Cloud
Newsgroups: alt.folklore.computers
Date: Fri, 11 Sep 2009 10:20:11 -0400
A Faster Way to the Cloud
http://www.technologyreview.com/computing/23451/?a=f

is this a replay of ...
https://www.garlic.com/~lynn/2004k.html#8 FAST TCP makes dialup faster than broadband?
https://www.garlic.com/~lynn/2004k.html#9 FAST TCP makes dialup faster than broadband?
https://www.garlic.com/~lynn/2004k.html#12 FAST TCP makes dialup faster than broadband?
https://www.garlic.com/~lynn/2004k.html#13 FAST TCP makes dialup faster than broadband?
https://www.garlic.com/~lynn/2004k.html#16 FAST TCP makes dialup faster than broadband?
https://www.garlic.com/~lynn/2004k.html#17 FAST TCP makes dialup faster than broadband?
https://www.garlic.com/~lynn/2004k.html#18 FAST TCP makes dialup faster than broadband?
https://www.garlic.com/~lynn/2004k.html#19 FAST TCP makes dialup faster than broadband?

in the early 80s ... HSDT ... misc. past posts
https://www.garlic.com/~lynn/subnetwork.html#hsdt

was dealing with this ... part of the way I addressed it was with rate-based pacing.

in aug88, acm sigcomm had paper that slow-start was non-stable in heterogeneous internet ... and same month there was paper on (x-country) gbit links at IETF meeting. I pointed out that the latency*bandwidth product was nearly identical to high-speed satellite links (lower bandwidth but higher latency).

about same time, I was doing rfc1044 support in mainframe TCP support. at the time, the product was getting about 44kbytes/sec thruput using nearly all of a 3090 cpu. a little later in testing 1044 support at cray research, between 4341 and cray ... was getting mbyte/sec (4341 channel media speed) using only modest amount of 4341 processor ... nearlly three orders (1000 times) magnitude improvement in terms of bytes moved per instruction executed. misc. past posts
https://www.garlic.com/~lynn/subnetwork.html#1044

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

A Faster Way to the Cloud

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: A Faster Way to the Cloud
Newsgroups: alt.folklore.computers
Date: Sat, 12 Sep 2009 13:18:34 -0400
Jorgen Grahn <grahn+nntp@snipabacken.se> writes:
Is *this* what cloud computing is about? I would have thought that most computations done today

(a) can be done in seconds on an old Pentium box, or (b) are important enough to need local, dedicated hardware, or (c) read or write so large datasets that doing it remote is impractical or would cost as much as the hardware in (b)


re:

there are lots of stuff being done today involving hundreds (or tens of thousands) of processors.

some of this was blades and grids originally done for national labs. and other places doing huge physics data collection and/or simulation.

some of the vendors then started trying to pitch configurations for the commercial market ... some of the early adopters were in the financial market doing various kinds of sophisticated financial modeling. physics community had been developing distributing resource allocation applications so that multiple applications could be sequentially scheduled and/or concurrent scheduling on subsets of the total configuration (this is old-time batch moved to massive parallel environment). some of the financial early adopters started picking up on such stuff.

the national labs and other environments having these massive configurations also got involved in gbit+ interconnects between various of these datacenters. a big thing in the annual "supercomputer" conference is contests for aggregate effective thruput.
http://www.supercomputing.org/about.php

i've posted before a (failed) financial industry forey into this from the 90s with massive parallel "killer" micros. This was that a lot of the batch financial applications from the 60s ... were (partially) put online in the 70s & 80s ... however, settlement and other bookkeeping tasks continued to be done in (overnight) batch (window). In the 90s, a combination of increasing business load and globalization (decreasing the elpased time for the overnight batch window) ... drove efforts for implementing straight-through processing (using massive numbers of parallel killer micros). the failure of several billion dollar efforts in the 90s was in large part using off-the-shelf "modern parallelization" technologies. Several programs were well into deployment phase when it was discovered that the overhead of the new paralleization technologies resulted in 100 times increase in overhead (compared to 60s overnight batch), totally swamping any anticipated thruput increases (resulting in projects being aborted and efforts evaporting for at least another decade).

Cloud tends to also have the flavor of old-time commercial time-sharing service bureaus ... some past posts
https://www.garlic.com/~lynn/submain.html#timeshare

where, rather than having the resources in-house, ... services are coming from external agency. Gbit links are enablers for some of this.

"clouds" as old-time commerical time-sharing service bureaus are being faced with the security, protection, privacy and isolation requirements that were addressed in the 60s & 70s by the antecedents.

misc. past posts mentioning overnight batch window & straight-through processing
https://www.garlic.com/~lynn/2004.html#51 Mainframe not a good architecture for interactive workloads
https://www.garlic.com/~lynn/2006s.html#40 Ranking of non-IBM mainframe builders?
https://www.garlic.com/~lynn/2007e.html#31 Quote from comp.object
https://www.garlic.com/~lynn/2007l.html#15 John W. Backus, 82, Fortran developer, dies
https://www.garlic.com/~lynn/2007m.html#36 Future of System/360 architecture?
https://www.garlic.com/~lynn/2007u.html#19 Distributed Computing
https://www.garlic.com/~lynn/2007u.html#21 Distributed Computing
https://www.garlic.com/~lynn/2007u.html#37 folklore indeed
https://www.garlic.com/~lynn/2007u.html#44 Distributed Computing
https://www.garlic.com/~lynn/2007u.html#61 folklore indeed
https://www.garlic.com/~lynn/2007v.html#19 Education ranking
https://www.garlic.com/~lynn/2007v.html#27 folklore indeed
https://www.garlic.com/~lynn/2007v.html#64 folklore indeed
https://www.garlic.com/~lynn/2007v.html#69 Controlling COBOL DDs named SYSOUT
https://www.garlic.com/~lynn/2007v.html#72 whats the world going to do when all the baby boomers retire
https://www.garlic.com/~lynn/2007v.html#81 Tap and faucet and spellcheckers
https://www.garlic.com/~lynn/2008b.html#74 Too much change opens up financial fault lines
https://www.garlic.com/~lynn/2008c.html#92 CPU time differences for the same job
https://www.garlic.com/~lynn/2008d.html#30 Toyota Sales for 2007 May Surpass GM
https://www.garlic.com/~lynn/2008d.html#31 Toyota Sales for 2007 May Surpass GM
https://www.garlic.com/~lynn/2008d.html#73 Price of CPU seconds
https://www.garlic.com/~lynn/2008d.html#87 Berkeley researcher describes parallel path
https://www.garlic.com/~lynn/2008d.html#89 Berkeley researcher describes parallel path
https://www.garlic.com/~lynn/2008g.html#55 performance of hardware dynamic scheduling
https://www.garlic.com/~lynn/2008h.html#50 Microsoft versus Digital Equipment Corporation
https://www.garlic.com/~lynn/2008h.html#56 Long running Batch programs keep IMS databases offline
https://www.garlic.com/~lynn/2008p.html#26 What is the biggest IT myth of all time?
https://www.garlic.com/~lynn/2008p.html#30 Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technolgies?
https://www.garlic.com/~lynn/2008r.html#7 If you had a massively parallel computing architecture, what unsolved problem would you set out to solve?
https://www.garlic.com/~lynn/2009.html#87 Cleaning Up Spaghetti Code vs. Getting Rid of It
https://www.garlic.com/~lynn/2009c.html#43 Business process re-engineering
https://www.garlic.com/~lynn/2009d.html#14 Legacy clearing threat to OTC derivatives warns State Street
https://www.garlic.com/~lynn/2009f.html#55 Cobol hits 50 and keeps counting
https://www.garlic.com/~lynn/2009h.html#1 z/Journal Does it Again
https://www.garlic.com/~lynn/2009h.html#2 z/Journal Does it Again
https://www.garlic.com/~lynn/2009i.html#21 Why are z/OS people reluctant to use z/OS UNIX?
https://www.garlic.com/~lynn/2009i.html#23 Why are z/OS people reluctant to use z/OS UNIX? (Are settlements a good argument for overnight batch COBOL ?)
https://www.garlic.com/~lynn/2009i.html#26 Why are z/OS people reluctant to use z/OS UNIX?
https://www.garlic.com/~lynn/2009i.html#30 Why are z/OS people reluctant to use z/OS UNIX?
https://www.garlic.com/~lynn/2009i.html#38 Why are z/OS people reluctant to use z/OS UNIX?
https://www.garlic.com/~lynn/2009i.html#43 Why are z/OS people reluctant to use z/OS UNIX? (Are settlements a good argument for overnight batch COBOL ?)
https://www.garlic.com/~lynn/2009i.html#60 In the USA "financial regulator seeks power to curb excess speculation."
https://www.garlic.com/~lynn/2009l.html#57 IBM halves mainframe Linux engine prices

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

ATMs by the Numbers

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: ATMs by the Numbers
Newsgroups: alt.folklore.computers
Date: Sat, 12 Sep 2009 13:39:33 -0400
D.J. <jollycamper72@cableone.net> writes:
Interesting. I read several years ago of an astronomer who shot the main mirror in a telescope because the telescope wasn't working to his expectations. I remember it as a 36 inch mirror, the telescope was used for sky surveys. Ah, it was the McDonald Observatory in Texas. The bullets became imbedded in the mirror, but it didn't shatter.

re:
https://www.garlic.com/~lynn/2009m.html#74 ATMs by the Numbers
https://www.garlic.com/~lynn/2009m.html#78 ATMs by the Numbers

some of these were enormously thick and weighed tons ... in order to maintain exact curvature for image acquisition.

in the early 80s ... i got to participate in some of the berkeley 10m stuff ... which was 36 1.8meter mirrors that were adjusted dynamically to maintain focus ... addressing the ever increasing problem with massive single unit mirros.

berkeley 10m observatory was going to move to CCD and away from film ... and at the time dealing with 200x200 CCD prototypes. there wanted to have provisions for remote observation w/o requiring people to actually travel to the observatory. we had started HSDT at the time and was one of the few dealing in higher speed computer links ... which appeared to major motivation in getting us involved ... misc past hsdt posts
https://www.garlic.com/~lynn/subnetwork.html#hsdt

they eventually got >$80m grant from keck foundation ... and it was renamed keck 10m ... since building original ... they built a second that can operate in tandem ...
http://www.keckobservatory.org/

somewhat topic drift ... was part of HSDT was digital TDMA earth stations that had custom design ... and two different vendors were building the stations to the spec ... and we were going to operate in parallel to compare effectiveness, etc (there was also a rumor that large telco had approached them to build duplicate set to our specs ... little industrial espionage).

one of the TDMA earth station companies was a spin-off of TIW ... an iron works company ... which turned out had contracts to do some of the really-large (deep-space) antennas (and apparently decided to take a flyer into the electronics part of the business). In any case, TIW won the original contract to do much of the physical construction for Keck.

misc. past posts mentioning berkeley/keck 10m:
https://www.garlic.com/~lynn/2005l.html#9 Jack Kilby dead
https://www.garlic.com/~lynn/2006t.html#12 Ranking of non-IBM mainframe builders?
https://www.garlic.com/~lynn/2007c.html#20 How many 36-bit Unix ports in the old days?
https://www.garlic.com/~lynn/2007c.html#50 How many 36-bit Unix ports in the old days?
https://www.garlic.com/~lynn/2007t.html#30 What do YOU call the # sign?
https://www.garlic.com/~lynn/2008f.html#80 A Super-Efficient Light Bulb

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

A Faster Way to the Cloud

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: A Faster Way to the Cloud
Newsgroups: alt.folklore.computers
Date: Sat, 12 Sep 2009 14:11:10 -0400
Jorgen Grahn <grahn+nntp@snipabacken.se> writes:
Which is, of course, incorrect. Latency would punish such a protocol mercilessly.

re:
https://www.garlic.com/~lynn/2009m.html#80 A Faster Way to the Cloud
https://www.garlic.com/~lynn/2009m.html#81 A Faster Way to the Cloud

lots of IP implementations use MTU of 1500 ... of the things that the supercomputer high-speed efforts is try and override MTU fragmentation to more like 128k ... increase MTU by factor of 100 times.

tcp is session oriented protocol ... and minium packet exchange is 7 packets (setup, data, tear-down ... which is serialized operation). early assumptions about tcp sessions being long-lived encountered lots of problems when HTTP was using TCP session protocl for supposedly packet operation. There was period in the mid-90s for six month period or so ... where increasing workload was resulting in major servers spending 90-95% of cpu processing in some of the session setup/tear-down gorp.

we had been brought in to consult with small client/server startup that wanted to do payment transactions on their server ... and the startup had this technology they had invented called "SSL" they had invented (the result is now frequently called "electronic commerce"). as this startup grew ... the load on their download machines were significantly increasing ... and they were duplicating the number of servers nearly constantly (in large part because of the tcp setup/tear-down cpu overhead). eventually they installed a sequent machine ... in part because sequent had addressed the tcp setup/tear-down cpu overhead for some commercial installations that would have 20,000 telnet session.

standard tcp is ack packet protocol ... with limit on number of outstanding, pending-ack packets ... to avoid congestion.
https://en.wikipedia.org/wiki/TCP_congestion_avoidance_algorithm

above references this ... which was source of the "fast tcp" 2004 news item (mentioned in original post) that had reference to being able to beat normal tcp on broadband with fast tcp on dial-up:
https://en.wikipedia.org/wiki/FAST_TCP

what i did in the early 80s for rate-based pacing was independent of the number of packets outstanding. a major congestion problem is multiple back-to-back packets arriving at intermediate router. packet/ack scenario has deficiency that returning ACKs can bunch up and multiple ACKs return to the sender in single block. The sender then has multiple open packet "windows" and transmits all back-to-back ... leading to exact thing that commonly results in congestion. It then has to back-off and start all over. this was subject of '88 acm sigcomm paper about slow-start (& ack window) paradigm not being stable in real-world environment. rate-based pacing explicitly controls the transmission frequency of packets ... independent of outstanding and/or arriving ACKs ... explicitly ocntrolling one of the primary characteristics that results in congestion and packet loss (i.e. back-to-back packet transmission and arrival).

I've conjectured that one of the reasons for ACK-paradigm mechanism in the 80s (rather than rate-based pacing solution) for congestion control ... was large number of platforms with extremely inadequate timer facilities (necessary for establishing a rate-based mechanism).

Some of the real-time and streaming protocls for IP ... are tending in the rate-based direction.

my RFC IETF index
https://www.garlic.com/~lynn/rfcietff.htm

select Term (term->RFC#) (in the RFCs listed by section)

rfc's related to congestion:
congestion
see also performance
5681 5634 5622 5594 5562 5559 5553 5520 5495 5467 5420 5405 5348 5290 5284 5238 5166 5151 5150 5129 5127 5097 5063 5062 5061 5033 4974 4960 4923 4920 4898 4895 4888 4875 4874 4873 4872 4860 4859 4828 4820 4804 4783 4782 4774 4736 4654 4653 4594 4558 4542 4495 4460 4420 4411 4410 4342 4341 4340 4336 4230 4222 4208 4124 4090 4015 3940 3936 3828 3782 3758 3742 3738 3726 3714 3708 3649 3540 3522 3520 3517 3496 3477 3476 3474 3473 3468 3465 3451 3450 3448 3436 3390 3309 3210 3209 3182 3181 3175 3168 3159 3124 3097 3042 2997 2996 2988 2961 2960 2914 2889 2884 2872 2861 2816 2814 2753 2752 2751 2750 2749 2747 2746 2745 2582 2581 2556 2490 2481 2414 2382 2380 2379 2309 2210 2209 2208 2207 2206 2205 2140 2098 2001 1859 1372 1254 1110 1106 1080 1018 1016 896 813 449 442 210 59 19


flow control related RFCs
flow control
see also congestion , traffic engineering
5553 5520 5495 5467 5420 5284 5151 5150 5063 4974 4920 4875 4874 4873 4872 4860 4859 4804 4783 4736 4558 4495 4420 4411 4230 4208 4124 4090 3936 3726 3520 3496 3477 3476 3474 3473 3468 3210 3209 3182 3181 3175 3159 3097 2997 2996 2961 2872 2816 2814 2753 2752 2751 2750 2749 2747 2746 2745 2490 2382 2380 2379 2210 2209 2208 2207 2206 2205 2098 1859 1372 1080 449 442 210 59


--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

A Faster Way to the Cloud

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: A Faster Way to the Cloud
Newsgroups: alt.folklore.computers
Date: Sat, 12 Sep 2009 14:36:40 -0400
re:
https://www.garlic.com/~lynn/2009m.html#80 A Faster Way to the Cloud
https://www.garlic.com/~lynn/2009m.html#81 A Faster Way to the Cloud
https://www.garlic.com/~lynn/2009m.html#83 A Faster Way to the Cloud

another place that we got into 100mbit & gbit links was in disaster survivability ... I had coined the terms disaster survivability and geographic survivability ... misc. past posts mentioning availability
https://www.garlic.com/~lynn/submain.html#available

when I was out doing marketing for our ha/cmp product
https://www.garlic.com/~lynn/subtopic.html#hacmp

cost of dataprocessing and high-speed links were dropping and having replicated "hot" datacenters ... at geographic separation was becoming more and more practical & cost effective for increasing number of applications.

this frequently required being able to replicate the disk traffic over high-speed links to remote locations.

we had been on the xtp technical advisery board ... doing high-speed protocol, where spent a lot of time on setup/teardown efficiency, latency, thruput, flow-control, etc. there was some other parties involved in xtp that were extremely focused on latency and redundancy for onboard ship and jet plane operation ... while others on xtp were working on streaming video and other real-time content. misc. past posts mentioning xtp &/or high-speed protocol
https://www.garlic.com/~lynn/subnetwork.html#xtphsp

This was concurrent with ha/cmp and there were a few contentious instances in ha/cmp ... where I was constantly trying to adapt ip infrastructure as platform for all operations ... as opposed to taking shortcut by going underneath the ip-layer and implementing ha/cmp function (like distributed lock manager) directly to specific hardware media MAC interfaces.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

ATMs by the Numbers

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: ATMs by the Numbers
Newsgroups: alt.folklore.computers
Date: Sat, 12 Sep 2009 15:09:47 -0400
re:
https://www.garlic.com/~lynn/2009m.html#74 ATMs by the Numbers
https://www.garlic.com/~lynn/2009m.html#78 ATMs by the Numbers
https://www.garlic.com/~lynn/2009m.html#82 ATMs by the Numbers

14.5 ton mirror
http://www.astro.caltech.edu/palomar/aluminization.html

each 36 segment for keck/berkeley 10m is still 3in and weighs about half a ton
http://www.lbl.gov/Science-Articles/Archive/keck-telescope.html

wiki page
https://en.wikipedia.org/wiki/W._M._Keck_Observatory

above references lots of steel for stiffness, about 270 tons per telescope ... for total 300 tons for each keck 10m.

CCD technology has come along way since the 200x200 (40k) being tested in early part of the effort. There were rumors at the time that spielberg might have 2048x3072 (6megapixal).

from 2003
http://keckobservatory.org/index.php/news/keck_observatorys_premier_planet-hunting_machine_is_getting_even_better/

... lists having "mosaic of three 2048x4096 CCD chips with 15-micron pixels arranged in stacked configuration for 6144x4096 pixels."

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Voltage SecureData Now Provides Distributed End-to-End Encryption of Sensitive Data

Refed: **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Voltage SecureData Now Provides Distributed End-to-End Encryption of Sensitive Data
Date: 12 Sep, 2009
Blog: Mainframe Experts Network
Voltage SecureData Now Provides Distributed End-to-End Encryption of Sensitive Data
http://www.reuters.com/article/pressRelease/idUS154375+09-Oct-2008+MW20081009

somewhat related article from Thursday looking at alternatives ...

Alliance proposes new rules for payments in U.S.
http://www.contactlessnews.com/2009/09/10/alliance-proposes-new-rules-for-payments-in-u-s

and some comments (on article) posted to (linkedin) payment systems

combination of x9.59 financial standard and aads chip strawman was able to eliminate any distinction between contact and contactless operation ... or as embedded operation in cellphone and other kinds of wireless operation ... as well as aggressive technology cost reduction ... incremental cost of crypto processing was eliminated ... and remaining compatible with existing payment networks. To some extent it achieves all the benefits of alternatives mentioned in the article.

....

some references to x9.59 financial transaction standard
https://www.garlic.com/~lynn/x959.html#x959

... and other recent long-winded posts on the subject:
https://www.garlic.com/~lynn/2009j.html#13 PCI SSC Seeks Input on Security Standards
https://www.garlic.com/~lynn/2009j.html#26 Price Tag for End-to-End Encryption: $4.8 Billion, Mercator Says
https://www.garlic.com/~lynn/2009j.html#33 IBM touts encryption innovation
https://www.garlic.com/~lynn/2009j.html#57 How can we stop Credit card FRAUD?
https://www.garlic.com/~lynn/2009k.html#28 Network Solutions breach exposed 500k card accounts
https://www.garlic.com/~lynn/2009m.html#22 PCI SSC Seeks standard for End to End Encryption?

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Continous Systems Modelling Package

From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Continous Systems Modelling Package
Newsgroups: alt.folklore.computers
Date: Sun, 13 Sep 2009 00:33:13 -0400
hancock4 writes:
Just a comment... in past days the Internet interface was via Telnet or direct dial-up to the library or college. Most catalogs didn't require a sign on for general use.

Books could be searched for and then requested by Inter-Library Loan. (Today the ILL has a centralized catalog).

I will say that some of the earlier on-line catalogs weren't that good and response time was slow. Some had only new works, old works were cataloged on cards.


we got a tour of LOC a few months back
http://www.loc.gov/rr/main/inforeas/card.html

... including into the back rooms with the old (physical) card catalog ... i think cut-over was sometime in the 80s(?). somebody's picture
http://www.flickr.com/photos/tinfoilraccoon/630521081/
http://www.flickr.com/photos/tinfoilraccoon/630521651/in/photostream/
http://www.flickr.com/photos/tinfoilraccoon/630521651/in/set-72157600497738847/

then there is this:
http://www.flickr.com/photos/mollyali/3114190191/
http://www.flickr.com/photos/mollyali/3114189953/in/photostream/

in the 60s, when i was undergraduate ... the univ. library got an ONR grant to do online catalog ... part of the money went to getting a 2321 datacell
http://www.columbia.edu/cu/computinghistory/datacell.html
and
http://www-03.ibm.com/ibm/history/exhibits/storage/storage_2321.html
http://www-03.ibm.com/ibm/history/exhibits/storage/storage_PH2321B.html

IBM also selected the project to be one of the original beta testers of the (first) CICS product. at the univ. i got tasked with support/debug of CICS. misc. past posts mentioning CICS (&/or bdam)
https://www.garlic.com/~lynn/submain.html#cics

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Continous Systems Modelling Package

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: Continous Systems Modelling Package
Newsgroups: alt.folklore.computers
Date: Sun, 13 Sep 2009 01:09:05 -0400
Joe Pfeiffer <pfeiffer@cs.nmsu.edu> writes:
Don't get me wrong, I recognize that in almost every way a modern online catalog is superior. I was just thinking of the one advantage of the old way, and since I've been playing with some AJAX in doing a web interface to some light switches in my house I started wondering about improvements to the interface.

I really don't understand how many on-line databases can be so criminally slow. NMSU's library has under two million volumes, there can't conceivably be more than a few hundred people doing lookups on a Saturday night (an extremely generous estimate, and when I did an author search on "Asimov" that turned up about 130 records it took over ten seconds. How is this possible?


mid-90s ... we spent some time at the national library of medicine. (online catalog/index).
http://www.nlm.nih.gov/

there were a couple of people there that had started on the project about the same time I was playing with CICS & BDAM for the univ. library ... and started out doing something very similar.
https://www.garlic.com/~lynn/2009m.html#87 Continous Systems Modelling Package

and the mid-90s design/implementation was pretty much what they had started out with in the late 60s.

basically each item got a record in BDAM file. Then the item was indexed in 80 or so different ways (keywords, authors, title, subject matter, etc. queries would retrieve the correspodning index record ... which had all the BDAM record numbers of items that matched. boolean "AND" & "OR" was done by corresponding operation on the corresponding list of BDAM record numbers (AND was those only BDAM record numbers in both lists, OR was combination with duplicates removed of all BDAM record numbers in both lists).

by the early 80s, the number of items was so large ... that queries out to 5-6 boolean terms tended to be bimodel ... thousands (millions) of matched items ... and adding one more boolean term ... could result in zero matched items. holy grail was how to find query that would have greater than zero but fewer than hundred. at that time the default query response was the number of items ... not the actual items.

in the early 80s a query application was developed, originally for apple called Grateful Med. it would managed set of queries and the number of responses ... helping the user search for the magic query that resulted in a manageable number of responses.

this fumbles the reference to grateful med ... as being the database ... as opposed to the personal computer based query application
https://en.wikipedia.org/wiki/Information_science

the above somewhat lumps NLM with Dialog ... but doesn't mention Lexis/Nexis. At least up thru 90s ... both Dialog and Lexis/Nexis also had very similar (ibm) mainframe implementations.

in late 70s and much of 80s, I could do a whole day in Palo Alto area going from SLAC (large virtual machine vm370 based operation ... also where the first webserver outside of europe/cern was done on vm370/cms), HONE (consolidated, internal virtual machine vm370 based online marketing and support support system), Tymshare (virtual machine vm370 based online commercial time-sharing service bureaus) and Dialog (ibm mainframe but not vm370, eventually Lockheed sold it off).

misc. past posts mentioning hone
https://www.garlic.com/~lynn/subtopic.html#hone

misc. past posts mentioning (virtual machine based) online commercial time-sharing service bureaus:
https://www.garlic.com/~lynn/submain.html#timeshare
with commercial time-sharing x-over in this recent post:
https://www.garlic.com/~lynn/2009m.html#81 A Faster Way to the Cloud

misc. past posts mentioning grateful med:
https://www.garlic.com/~lynn/2001j.html#1 Off-topic everywhere [was: Re: thee and thou
https://www.garlic.com/~lynn/2001m.html#51 Author seeks help - net in 1981
https://www.garlic.com/~lynn/2002g.html#3 Why are Mainframe Computers really still in use at all?
https://www.garlic.com/~lynn/2004f.html#0 c.d.theory glossary (repost)
https://www.garlic.com/~lynn/2004n.html#47 Shipwrecks
https://www.garlic.com/~lynn/2006l.html#31 Google Architecture
https://www.garlic.com/~lynn/2008l.html#80 Book: "Everyone Else Must Fail" --Larry Ellison and Oracle ???

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Audits V: Why did this happen to us ;-(

Refed: **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Audits V: Why did this happen to us ;-(
Date: September 13, 2009 10:41 AM
Blog: Financial Cryptography
re: Audits V: Why did this happen to us ;-(
https://financialcryptography.com/mt/archives/001144.html

misc. past posts referencing bank modernization act repealing Glass-Steagall ... which contributed significantly to the current problem.
https://www.garlic.com/~lynn/2009c.html#65 is it possible that ALL banks will be nationalized?
https://www.garlic.com/~lynn/2009d.html#28 I need insight on the Stock Market
https://www.garlic.com/~lynn/2009d.html#42 Bernard Madoff Is Jailed After Pleading Guilty -- are there more "Madoff's" out there?
https://www.garlic.com/~lynn/2009d.html#73 Should Glass-Steagall be reinstated?
https://www.garlic.com/~lynn/2009i.html#13 64 Cores -- IBM is showing a prototype already
https://www.garlic.com/~lynn/2009i.html#54 64 Cores -- IBM is showing a prototype already
https://www.garlic.com/~lynn/2009i.html#77 Financial Regulatory Reform - elimination of loophole allowing special purpose institutions outside Bank Holding Company (BHC) oversigh
https://www.garlic.com/~lynn/2009l.html#5 Internal fraud isn't new, but it's news

and when there was talk about oversight of unregulated over-the-counter commodities, the same person (and his wife) were involved in the commodities modernization act ... precluding any oversight ... which resulted in Enron. In the wake of Enron, SOX was passed w/o actually addressing the underlying problem, resulting in AIG.

In earlier part of this decade, I was at conference of european financial executives and pontificated about SOX not being able to do anything about serious fraud activity (and it being the auditor full employment act).

In part what was needed were business processes that would preclude types of things that SOX was trying to catch after the fact.

One of the issues with audit was having independent sources of information and being able to compare for inconsistencies ... say looking at the books of a large number of different entities and verifying that entries for various kinds of transactions on one set of books ... matched entries for the same transactions in other books.

I liked the early ISO 9000 audits ... people were asked if what they were doing was documented and whether or not they had read and understood those documents.

Part of the current circumstances also involved entities being able to carry significant percentage "off-books". There currently is lots of hand-wringing about audit rule changes regarding having to bring all those entries back onto the books ... and the possibility that many current financial entities would then have to be declared insolvent.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

A Faster Way to the Cloud

Refed: **, - **, - **, - **
From: Anne & Lynn Wheeler <lynn@garlic.com>
Subject: Re: A Faster Way to the Cloud
Newsgroups: alt.folklore.computers
Date: Sun, 13 Sep 2009 13:49:44 -0400
Anne & Lynn Wheeler <lynn@garlic.com> writes:
Cloud tends to also have the flavor of old-time commercial time-sharing service bureaus ... some past posts
https://www.garlic.com/~lynn/submain.html#timeshare

where, rather than having the resources in-house, ... services are coming from external agency. Gbit links are enablers for some of this.

"clouds" as old-time commerical time-sharing service bureaus are being faced with the security, protection, privacy and isolation requirements that were addressed in the 60s & 70s by the antecedents.


re:
https://www.garlic.com/~lynn/2009m.html#80 A Faster Way to the Cloud
https://www.garlic.com/~lynn/2009m.html#81 A Faster Way to the Cloud
https://www.garlic.com/~lynn/2009m.html#83 A Faster Way to the Cloud
https://www.garlic.com/~lynn/2009m.html#84 A Faster Way to the Cloud

somewhat related recent news item:

First Look At Amazon's Oregon Data Center -- Amazon Data Center
http://www.informationweek.com/news/hardware/processors/232602151

past posts referencing mega data centers on the columbia
https://www.garlic.com/~lynn/2008d.html#72 Price of CPU seconds
https://www.garlic.com/~lynn/2008n.html#68 VMware Chief Says the OS Is History
https://www.garlic.com/~lynn/2008n.html#79 Google Data Centers 'The Most Efficient In The World'
https://www.garlic.com/~lynn/2008r.html#56 IBM drops Power7 drain in 'Blue Waters'

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970




previous, next, index - home