From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Lawsuit seeks to pry information from banks on account breaches Date: 23 Aug, 2009 Blog: Financial Crime Risk, Fraud and Security
Lawsuit seeks to pry information from banks on account breaches
from above:
Anti-spam company Unspam Technologies filed a lawsuit on Wednesday
aimed, in a somewhat roundabout way, at forcing banks to divulge any
information they might have about hacking activities affecting their
customer accounts.
... snip ...
related to the above:
Real-Time Keyloggers
http://it.slashdot.org/story/09/08/23/2015208/Real-Time-Keyloggers
from above:
The case was filed in order to compel the banks -- which are almost as
secretive as the cyber-crooks -- to reveal information such as IP
addresses that could lead back to the miscreants ... The technique
menaces the 2-factor authentication that some banks have
instituted:
... snip ...
Two-factor banking security systems threatened by Trojan
http://www.computerweekly.com/Articles/2008/01/31/229191/two-factor-banking-security-systems-threatened-by-trojan.htm
Part of EU FINREAD from a decade ago was targeted at such a vulnerability
... some recent posts mentioning EU FINREAD
https://www.garlic.com/~lynn/2009d.html#38 Internet threat: Hackers swarm bank accounts
https://www.garlic.com/~lynn/2009d.html#2 Cyber attackers empty business accounts in minutes
other misc. past posts mentioning EU FINREAD
https://www.garlic.com/~lynn/subintegrity.html#finread
EU FINREAD activity seemed to evaporate with the rapidly spreading
opinion that chipcards weren't practical in the consumer market ... a
couple recent posts discussing some of the circumstances:
https://www.garlic.com/~lynn/2009l.html#61
https://www.garlic.com/~lynn/2009l.html#64
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Does this count as 'computer' folklore? Newsgroups: alt.folklore.computers Date: Mon, 24 Aug 2009 17:26:25 -0400
"Charlie Gibbs" <cgibbs@kltpzyxm.invalid> writes:
i have some vague recollection about gov. finally qualifying the requirement ... so the retention requirement was not quite so onerous ... after they asked for some subset to be delivered ... and the subset delivered was measured in large number of boxcars.
a completely different story was the password rules printed on corporate
letterhead and posted to corporate bulletin boards. after that ... all
corporate letterhead paper was put under lock & key. old posts with
copy of the password rules corporate directive:
https://www.garlic.com/~lynn/2001d.html#52 OT Re: A beautiful morning in AFM.
https://www.garlic.com/~lynn/2001d.html#53 April Fools Day
https://www.garlic.com/~lynn/2008p.html#42 Password Rules
part of the problem ... was some number of people, even after reading it on bldg. bulletin boards, didn't recognize its April 1st date (even with April 1st having been on Sunday that year).
slightly related 6670 story (having been deployed in departmental supply
areas around the bldg ... which somebody over the weekend had used to
print the Sunday, April 1st, Corporate Directive and distribute to
bldg. bulletin boards) ... was incident involving periodic corporate
security audit ... part of which was after-hrs sweep looking for
classified information being left out (including classified documents
being printed on departmental 6670s and being left out) ... recent post
on the subject:
https://www.garlic.com/~lynn/2009l.html#19 Disksize history question
as mentioned corporate security auditors took exception with finding
6670 output with definition of auditors on the separator page (believing
that it had been done on purpose) ... it was just one of the random
selections from the 6670 file that was printed on 6670 separator page:
[Business Maxims:] Signs, real and imagined, which belong on the walls of the nation's offices:
1) Never Try to Teach a Pig to Sing; It Wastes Your Time and It Annoys the Pig.
2) Sometimes the Crowd IS Right.
3) Auditors Are the People Who Go in After the War Is Lost and Bayonet the Wounded.
4) To Err Is Human -- To Forgive Is Not Company Policy.
... snip ...
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Does this count as 'computer' folklore? Newsgroups: alt.folklore.computers Date: Tue, 25 Aug 2009 10:22:05 -0400
jmfbahciv <jmfbahciv@aol> writes:
UPC (bar-code, product-level data)
https://en.wikipedia.org/wiki/Universal_Product_Code
https://en.wikipedia.org/wiki/Barcode
above as story of invention of UPC barcode at IBM
EPC (rfid chip, item-level data) wiki pages:
https://en.wikipedia.org/wiki/Electronic_Product_Code
https://en.wikipedia.org/wiki/EPCglobal
in the mid-90s, there were quite a few comments that the inhibitor to chip-security in payment cards ... was the cost of the chips. we made some statements that we would take a $500 milspec item and aggressively cost reduce it by 2-3 orders of magnitude while improving the integrity. basically, in volume ... chips are the cost of the wafer and the number of chips that can be gotten from the wafer.
we ran into problem that EPC also ran into ... the number of chips from a wafer was starting to be limited by the size of the cut in wafer slicing & dicing (i.e. reducing circuit size and the resulting smaller chips were getting to chip area that was smaller than the area of the cuts).
For EPC, new cutting technology was developed that involved much smaller wafer area (allowing further significant increase in chips per wafer and corresponding significant cost per chip reduction). Other kinds of chips (like common PC processor chips) were avoiding the problem by keeping the size of the chip relatively constant, as circuit size decreased, by increasing circuits per chip.
The patent portfolio for UPC & barcodes is possibly also "famous". This
came up when working on claims for related (assigned, i.e. no rights)
patents ... mentioned in this recent post
https://www.garlic.com/~lynn/2009h.html#8
at a point when the claims looked like they were around >60 patent applications and would possibly be 100+ patent applications before finished ... the patent attorneys were starting to make reference to the "barcode patent portfolio". As mentioned in the above ... at that point somebody looked at the cost of filing so many patents around the world and directed that the claims be repackaged as nine patent applications.
A couple references to some unfortunate (other) deployments of "secure"
hardware token products in the period resulted in rapid spreading
opinion that chipcards weren't practical in the consumer market place
(and big pullback in deployments of secure hardware tokens):
https://www.garlic.com/~lynn/2009l.html#61 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#64 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009m.html#0 Lawsuit seeks to pry information from banks on account breaches
One possible objective for EPC was to position a track (say a plastic tube at the back of shelves). An RFID sensor could travel down the track at end of shift and do item-level inventory ... being able to correlate what is in the computer and what is on the shelves ... possibly an indication of employee theft.
Barcode and SKU codes also show up with regard to "level-III" data for payment card transactions. Payment card issuers started marketing "commercial cards" to companies ... which could be issued to employees for purchases. The backend issuing systems were enhanced with additional approval rules (in addition to things like current credit limit and zip-code). Company could specify rules that limited card use to specific kind of stores (merchant MCC-code, provided in transaction as part of the infrastructure) or to specific merchant or to specific store (doesn't involve level-III data). Appropriately enabled merchants could also include (barcode-scanned), SKU-level data in the electronic transactions (as "level-III" data) ... allowing business rules to control purchases down to the SKU-level.
a couple descriptions of level I, level II, and level III data:
http://www.mymerchantaccountblog.com/2007/04/level-i,-level-ii,-level-iii-data
http://www.gotmerchant.com/level3_credit_card_processing.php
past posts mentioning making (semi-facetious) comments about taking a $500
milspec part and aggressively cost reducing it while at the same time improving
integrity
https://www.garlic.com/~lynn/aadsm13.htm#18 A challenge
https://www.garlic.com/~lynn/aadsm15.htm#6 x9.59
https://www.garlic.com/~lynn/aadsm21.htm#11 Payment Tokens
https://www.garlic.com/~lynn/aadsm21.htm#26 X.509 / PKI, PGP, and IBE Secure Email Technologies
https://www.garlic.com/~lynn/aadsm22.htm#40 FraudWatch - Chip&Pin, a new tenner (USD10)
https://www.garlic.com/~lynn/aadsm24.htm#23 Use of TPM chip for RNG?
https://www.garlic.com/~lynn/aadsm24.htm#52 Crypto to defend chip IP: snake oil or good idea?
https://www.garlic.com/~lynn/aadsm27.htm#37 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#50 If your CSO lacks an MBA, fire one of you
https://www.garlic.com/~lynn/aadsm28.htm#16 Dutch Transport Card Broken
https://www.garlic.com/~lynn/aadsm28.htm#49 Price point
https://www.garlic.com/~lynn/2002n.html#18 Help! Good protocol for national ID card?
https://www.garlic.com/~lynn/2005u.html#26 RSA SecurID product
https://www.garlic.com/~lynn/2005u.html#32 AMD to leave x86 behind?
https://www.garlic.com/~lynn/2007i.html#5 John W. Backus, 82, Fortran developer, dies
https://www.garlic.com/~lynn/2007i.html#66 John W. Backus, 82, Fortran developer, dies
https://www.garlic.com/~lynn/2007k.html#53 My Dream PC -- Chip-Based
https://www.garlic.com/~lynn/2007l.html#8 John W. Backus, 82, Fortran developer, dies
https://www.garlic.com/~lynn/2007l.html#12 My Dream PC -- Chip-Based
https://www.garlic.com/~lynn/2007l.html#35 My Dream PC -- Chip-Based
https://www.garlic.com/~lynn/2007s.html#59 Translation of IBM Basic Assembler to C?
https://www.garlic.com/~lynn/2007u.html#5 Public Computers
https://www.garlic.com/~lynn/2007u.html#11 Public Computers
https://www.garlic.com/~lynn/2007u.html#70 folklore indeed
https://www.garlic.com/~lynn/2008j.html#33 What is "timesharing" (Re: OS X Finder windows vs terminal window weirdness)
https://www.garlic.com/~lynn/2008j.html#44 What is "timesharing" (Re: OS X Finder windows vs terminal window weirdness)
https://www.garlic.com/~lynn/2008l.html#61 Osama bin Laden gets a cosmetic makevover in his British Vanity Passport
https://www.garlic.com/~lynn/2008n.html#48 In your experience which is a superior debit card scheme - PIN based debit or signature debit?
https://www.garlic.com/~lynn/2008o.html#40 Signposts on the US Government's Trail of IT Failures
https://www.garlic.com/~lynn/2008p.html#11 Can Smart Cards Reduce Payments Fraud and Identity Theft?
https://www.garlic.com/~lynn/2008p.html#46 Would you say high tech authentication gizmo's are a waste of time/money/effort?
https://www.garlic.com/~lynn/2009b.html#28 Online-Banking Authentication
https://www.garlic.com/~lynn/2009d.html#26 Return of the Smart Card?
https://www.garlic.com/~lynn/2009e.html#21 ATMs At Risk
https://www.garlic.com/~lynn/2009g.html#62 Solving password problems one at a time, Re: The password-reset paradox
https://www.garlic.com/~lynn/2009h.html#54 64 Cores -- IBM is showing a prototype already
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Does this count as 'computer' folklore? Newsgroups: alt.folklore.computers Date: Tue, 25 Aug 2009 13:07:54 -0400
jmfbahciv <jmfbahciv@aol> writes:
stock control, anti-fraud, and/or point-of-sale fraud insurance may require matching returns to purchases
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Hacker charges also an indictment on PCI, expert says Date: 25 Aug, 2009 Blog: Financial Crime Risk, Fraud and Security
re:
a few more related news items ...
U.S. payment-card industry grapples with security
http://www.msnbc.msn.com/id/32541650/ns/technology_and_science-security/
U.S. payment-card industry grapples with security
http://www.reuters.com/article/smallBusinessNews/idUSTRE57N4LQ20090824
U.S. payment-card industry grapples with security
http://ph.news.yahoo.com/rtrs/20090825/tbs-business-us-hackers-7318940.html
Identity theft: Miami hacker cyberthief of the century?
http://www.palmbeachpost.com/localnews/content/state/epaper/2009/08/23/0823hacker.html
Hacker Ring Tied To Major Breaches Just Tip Of The Iceberg
http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=219401263
another news item
Electronic Theft Occurring Despite Security Measures
http://www.redorbit.com/news/technology/1742429/electronic_theft_occurring_despite_security_measures/index.html
for slight drift, recent post in a.f.c. newsgroup regarding getting
aads chip strawman on same price curve as EPC RFID chips (looking for
cents per chip after improving integrity over $500 milspec chip)
https://www.garlic.com/~lynn/2009m.html#2 Does this count as 'computer' folklore
What is weird is an AADS patent application long after we are gone (my
position was eliminated nearly 4yrs ago)
https://www.garlic.com/~lynn/aadssummary.htm
For other trivia ... at the time ECC was invented ... one of the
people credited with inventing ECC was in the YKT math department
... which I was working with on various crypto things ... some old
crypto symmetric and asymmetric email from the 80s
https://www.garlic.com/~lynn/lhwemail.html#crypto
including old email discussing proposal for PGP-like (public key)
email
https://www.garlic.com/~lynn/2007d.html#email810506
https://www.garlic.com/~lynn/2006w.html#email810515
a decade before PGP (and coming up on nearly three decades ago now).
Note that, as per previous posts, a decade ago, EU FINREAD included countermeasure to keylogging PINs ... and at POS we repeatedly stated (back to original/early x9.59 standard work in the mid-90s) that cellphone/PDAs with personal key-entry, was countermeasure to large number of different kinds of POS terminal compromises (effectively attempting to achieve similar purposes as the EU FINREAD objectives ... but at POS).
misc. posts mentioning X9.59 work
https://www.garlic.com/~lynn/subpubkey.html#x959
misc. posts mentioning EU FINREAD
https://www.garlic.com/~lynn/subintegrity.html#finread
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: lynn@GARLIC.COM (Anne & Lynn Wheeler) Subject: Re: Need new 3270 emulator: SSH, inexpensive, reliable Newsgroups: bit.listserv.ibm-main Date: 25 Aug 2009 12:13:52 -0700
mpost@NOVELL.COM (Mark Post) writes:
SSL(/TLS) has a bunch of stuff in the protocol with (public key) digital certificates.
SSH protocol doesn't require digital certificates for its public key operations.
some "open" ssh references:
http://www.openssh.com/
https://en.wikipedia.org/wiki/OpenSSH
"features"
http://www.openssh.com/features.html
the above describes that OpenSSH supports the following symmetric cryptography (after exchanging a symmetric key using a public key operation): 3DES, Blowfish, AES, Arcfour.
It does mention that some code for licensed or patented components may be from external libraries (like OpenSSL) ... although not 3DES, Blowfish, AES, or Arcfour.
I guess that wouldn't preclude a totally different SSH implementation from borrowing something like an AES (or Blowfish) encryption implementation from an SSL library (and depending on how it is packaged ... possibly dependent on the SSL package to work ... as opposed to including the code in the SSH package).
reference to OpenSSH Public Key Authentication
http://sial.org/howto/openssh/publickey-auth/
some "open" SSL references:
http://www.openssl.org/
https://en.wikipedia.org/wiki/OpenSSL
the above mentions that OpenSSL supports the following symmetric cryptography (after exchanging a symmetric key using a public key operation): Blowfish, Camellia, DES, RC2, RC4, RC5, IDEA, AES.
also (symmetric cryptography) DES wiki page
https://en.wikipedia.org/wiki/Data_Encryption_Standard
AES wiki page
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Blowfish wiki page
https://en.wikipedia.org/wiki/Blowfish_%28cipher%29
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: FBI arrests programmer for stolen software Newsgroups: alt.folklore.computers Date: Tue, 25 Aug 2009 15:41:26 -0400
greymausg writes:
Programmer charged with stealing Wall Street-ware
http://www.theregister.co.uk/2009/07/06/goldman_sachs_trading_code/
NJ man charged with stealing Goldman Sachs data
http://www.forbes.com/feeds/ap/2009/07/06/ap6622080.html
Computer programmer arrested for Goldman Sachs theft
http://www.computerweekly.com/Articles/2009/07/07/236790/computer-programmer-arrested-for-goldman-sachs-theft.htm
Ex-Goldman programer out on bail in theft case
http://news.yahoo.com/s/nm/20090706/ts_nm/us_goldman_arrest_13
Ex-Goldman Worker Is Arrested
http://online.wsj.com/article/SB124688855704700671.html
Goldman's Alleged Code Thief Makes Bail
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=227900228
Goldman Trading-Code Investment Put at Risk by Theft
http://www.bloomberg.com/apps/news?pid=20601087
http://www.bloomberg.com/apps/news?pid=20601087&sid=ajIMch.ErnD4
Programmer charged with stealing Goldman code freed on bail Cybercrime
http://www.securecomputing.net.au/News/149551,programmer-charged-with-stealing-goldman-code-freed-on-bail.aspx
Ex-Goldman Sachs exec arrested for stealing code
http://www.fiercecio.com/story/ex-goldman-sachs-exec-arrested-stealing-code/2009-07-07
Ex-Goldman Programmer Detailed His Code Downloads to FBI Agent
http://www.bloomberg.com/apps/news?pid=20601087
http://www.bloomberg.com/apps/news?pid=20601087&sid=aSDxSdMlPTXU
Ex-Goldman Programmer Described Code Downloads to FBI
http://www.bloomberg.com/apps/news?pid=newsarchive
http://www.bloomberg.com/apps/news?pid=newsarchive&sid=a2GvteRoihQE
Goldman grabs hi-tech hacker
http://www.guardian.co.uk/business/2009/jul/12/goldman-sachs-sergey-aleynikov
and then there is:
Where Goldman Really Makes Its Money
http://www.forbes.com/2009/07/24/goldman-sachs-high-frequency-intelligent-investing-new-york-times.html
and from this description:
Goldman Sachs caught with their pants down?
http://financialcryptography.com/mt/archives/001175.html
from above:
The unbacked, unevidenced allegation in the popular blogs is this: the
code that was stolen might be been the code that drove a system that
"saw" others' trades before they could be executed. More technically, it
is claimed:
The big ticket, the magic wand for a rogue quant shop is technology to
grab off FIX PROTOCOL, OCX, or SWIFT messages that precede every
transaction_commit at the Exchanges.
... snip ...
the above then goes into some more discussion of how to take financial advantage of such a capability.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: lynn@GARLIC.COM (Anne & Lynn Wheeler) Subject: Re: Need new 3270 emulator: SSH, inexpensive, reliable Newsgroups: bit.listserv.ibm-main Date: 25 Aug 2009 13:18:56 -0700
gibney@WSU.EDU (Gibney, Dave) writes:
most SSL implementations just have the client validating the server's digital certificate and then validating whether or not the domain name claimed in the digital certificate corresponds to the domain name in the URL used to contact the server (countermeasure to ip-address hijacking). then the server's public key is used to exchange a symmetric key ... for encryption of the actual session (des, aes, blowfish, whatever). then, once the encrypted session is established, the client typically presents userid/password for authentication.
we had been called in to consult with a small client/server startup that wanted to do payment transactions on their server ... and the startup had invented this technology called SSL that they wanted to use. As part of that deployment ... now frequently called "electronic commerce" ... we had to investigate some number of these new operations called "Certification Authorities" that were issuing things called "digital certificates".
Also as part of deploying a payment gateway ... requiring SSL for
payment transactions between the webserver and the payment network
... we mandated "mutual authentication" ... which hadn't yet been
implemented at the time (aka client does public key authentication of
the server ... and the server does public key authentication of the
client ... no passwords). By the time we were done ... the payment
gateway operation looked much more like SSH ... since both the payment
gateway and the webservers had preregistered information about each
other (the things called "digital certificates" became purely artificial
side-effect of the SSL code library being used). misc. past posts
mentioning original payment gateway deployment
https://www.garlic.com/~lynn/subnetwork.html#gateway
SSH has the advantage (compared to typical SSL use) that both parties do "mutual" public key authentication of the other party w/o requiring digital certificates and w/o requiring passwords.
some number of generic past posts mentioning public key operations w/o
using (redundant and superfluous) digital certificates.
https://www.garlic.com/~lynn/subpubkey.html#certless
the other issue with SSL ... was that there were some number of
requirements about how it was implemented and deployed in order to
satisfy security requirements ... many of which were almost immediately
violated ... and have subsequently, over the past 15 yrs or so ...
led to a whole lot of exploits and compromises. part of it involves the
complexity and indirection introduced by these things called "digital
certificates". some number of past posts mentioning SSL (domain name)
digital certificates
https://www.garlic.com/~lynn/subpubkey.html#sslcerts
and from long ago and far away ... nearly three-decade-old email
discussing a PGP-like (certificate-less) public key implementation
on the internal network:
https://www.garlic.com/~lynn/2007d.html#email810506
https://www.garlic.com/~lynn/2006w.html#email810515
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: lynn@GARLIC.COM (Anne & Lynn Wheeler) Subject: Re: Need new 3270 emulator: SSH, inexpensive, reliable Newsgroups: bit.listserv.ibm-main Date: 25 Aug 2009 13:54:12 -0700
lynn@GARLIC.COM (Anne & Lynn Wheeler) writes:
for a little x-over from this recent thread:
https://www.garlic.com/~lynn/2009l.html#66 ACP, One of the Oldest Open Source Apps
two of the people mentioned in this reference to Jan92 meeting
https://www.garlic.com/~lynn/95.html#13
later left and show up at the small client/server startup responsible for something called "commerce server" ... and wanting to do payment transactions on their server (by that time we had also left) ... now frequently referred to as "electronic commerce".
the resulting "payment gateway" ... I periodically refer to as
the original SOA
https://www.garlic.com/~lynn/subnetwork.html#gateway
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Cyber crooks increasingly target small business accounts Date: 25 Aug, 2009 Blog: Financial Crime Risk, Fraud and Security
Cyber crooks increasingly target small business accounts
from above:
The NACHA electronic payments association is warning its 15,000 members
of increasing attacks by cyber criminals on small businesses using
electronic payment networks.
... snip ...
related articles:
Banks Urge Businesses To Lock Down Online Banking
http://it.slashdot.org/story/09/08/25/2033206/Banks-Urge-Businesses-To-Lock-Down-Online-Banking
Tighter Security Urged for Businesses Banking Online
http://voices.washingtonpost.com/securityfix/2009/08/tighter_security_measures_urge.html
European Cyber-Gangs Target Small U.S. Firms, Group Says
http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html
Businesses Reluctant to Report Online Banking Fraud
http://voices.washingtonpost.com/securityfix/2009/08/businesses_reluctant_to_report.html
from above:
A confidential alert sent on Friday by a banking industry association
to its members warns that Eastern European cyber gangs are stealing
millions of dollars from small to mid-sized businesses through online
banking fraud. Unfortunately, many victimized companies are reluctant
to come forward out of fear of retribution by their bank.
... snip ...
slightly related discussion about presentations in the early-to-mid
90s from online home banking (dial-up modems) talking about moving to
the internet .... but most of the online cash management/business
operations claiming that they would never move to the internet because
of security concerns in related thread (news article) "Cyber attackers
empty business accounts in minutes":
https://www.garlic.com/~lynn/2009k.html#77
https://www.garlic.com/~lynn/2009l.html#0
https://www.garlic.com/~lynn/2009l.html#2
https://www.garlic.com/~lynn/2009l.html#6
https://www.garlic.com/~lynn/2009l.html#20
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Does this count as 'computer' folklore? Newsgroups: alt.folklore.computers Date: Wed, 26 Aug 2009 08:43:37 -0400
jmfbahciv <jmfbahciv@aol> writes:
UPC/barcode has been the product number ... and inventory control will know how
many have been delivered ... and decrement as that particular product has
been sold.
https://en.wikipedia.org/wiki/Universal_Product_Code
https://en.wikipedia.org/wiki/Barcode
"UPC encodes 12 decimal digits", first digit is prefix and last digit is error correcting digit.
above has some description of prefix use; e.g. "5": Coupons; "LLLLL" manufacturer code, 1st "RRR" family code, 2nd "RR" coupon code (determines amount of the discount).
EPC (with rfid chips) can have enuf digits to have individual item
serial number.
https://en.wikipedia.org/wiki/Electronic_Product_Code
https://en.wikipedia.org/wiki/EPCglobal
... from above ...
All EPC numbers contain a header identifying the encoding scheme that
has been used. This in turn dictates the length, type and structure of
the EPC. EPC encoding schemes frequently contain a serial number which
can be used to uniquely identify one object.
... snip ...
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
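The UPC-A layout described above (12 decimal digits, a leading prefix, a trailing check digit, and the prefix-5 coupon fields), worked through as an added example that is not part of the original post; the check-digit weighting is the standard UPC-A rule, and all sample numbers are constructed:

```python
"""UPC-A check-digit validation and coupon-prefix parsing.

Added example, not code from the original post. Field layout follows the
post's summary of the Wikipedia UPC article: 12 decimal digits, the first a
prefix and the last a check digit; prefix "5" marks a coupon laid out as a
5-digit manufacturer code, 3-digit family code and 2-digit coupon (value)
code. Sample numbers used in the tests are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


def upc_check_digit(first_eleven: str) -> int:
    """Compute the UPC-A check digit for the first 11 digits.

    Digits in odd positions (1st, 3rd, ..., 11th) carry weight 3 and digits
    in even positions weight 1; the check digit brings the weighted sum up to
    a multiple of 10.
    """
    if len(first_eleven) != 11 or not first_eleven.isdigit():
        raise ValueError("expected exactly 11 decimal digits")
    total = 0
    for index, ch in enumerate(first_eleven):
        weight = 3 if index % 2 == 0 else 1   # index 0 is the 1st digit
        total += weight * int(ch)
    return (10 - total % 10) % 10


def upc_is_valid(upc: str) -> bool:
    """True if upc is 12 digits and its last digit is the correct check digit.

    A single mis-read digit, or a swap of adjacent digits (unless they differ
    by 5), changes the weighted sum and so is caught here.
    """
    if len(upc) != 12 or not upc.isdigit():
        return False
    return upc_check_digit(upc[:11]) == int(upc[11])


@dataclass(frozen=True)
class Coupon:
    manufacturer: str  # "LLLLL"
    family: str        # "RRR"
    value_code: str    # "RR", selects the discount amount


def parse_coupon(upc: str) -> Optional[Coupon]:
    """Return the coupon fields of a prefix-5 UPC-A, or None if it is not one.

    The check digit is verified before any field is trusted, so a mis-scanned
    or hand-typed number is never interpreted as a discount.
    """
    if not upc_is_valid(upc) or upc[0] != "5":
        return None
    return Coupon(manufacturer=upc[1:6], family=upc[6:9], value_code=upc[9:11])
```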
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Does this count as 'computer' folklore? Newsgroups: alt.folklore.computers Date: Wed, 26 Aug 2009 08:59:05 -0400
jmfbahciv <jmfbahciv@aol> writes:
kind of fraud ... isn't the serial number of the pants ... it is things like how much did you pay. there have been scams with discount coupons and fraudulent receipts ... where return is claiming that full price was paid when actually a discounted price was paid. they weren't waiting for the transaction to verify the serial number of the pants (it being the item kind of pants was sufficient).
as a countermeasure it may be that the return process has been implemented only using the account record generated by the original transaction. if the account record for the original transaction doesn't exist ... the return process doesn't have an account record in order to execute (possibly analogous trying to do a credit card transaction for an account that doesn't exist).
return process may not actually create its own record ... it may only update a record that has been created by the original transaction.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
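The countermeasure described above, a return that can only update the record created by the original sale, as an added example that is not part of the original post; the ledger, transaction ids and prices are constructed sample data:

```python
"""Processing a return only against the original sale record.

Added example, not code from the original post. It models the countermeasure
the post describes: a refund can only update the account record created by the
original transaction, so a return that references no existing sale, names a
different item, claims more units than were bought, or would refund more than
was actually paid (e.g. after a coupon) is refused and no record is created.
Transaction ids, SKUs and prices are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass
class SaleRecord:
    txn_id: str
    sku: str
    qty: int
    unit_price_paid: int   # cents actually paid per unit, after any discount
    qty_returned: int = 0
    refunded: int = 0      # cents refunded so far against this sale


class ReturnsLedger:
    """Sales are recorded once; returns only mutate the matching sale."""

    def __init__(self) -> None:
        self._sales: Dict[str, SaleRecord] = {}

    def record_sale(self, txn_id: str, sku: str, qty: int,
                    unit_price_paid: int) -> SaleRecord:
        if txn_id in self._sales:
            raise ValueError("duplicate transaction id")
        if qty <= 0 or unit_price_paid < 0:
            raise ValueError("invalid sale")
        sale = SaleRecord(txn_id, sku, qty, unit_price_paid)
        self._sales[txn_id] = sale
        return sale

    def process_return(self, txn_id: str, sku: str, qty: int) -> int:
        """Refund qty units of sku against the original sale; returns cents refunded.

        Raises ValueError, creating nothing, when the original transaction does
        not exist or the claim exceeds what that transaction supports.
        """
        sale = self._sales.get(txn_id)
        if sale is None:
            raise ValueError("no original transaction record; return refused")
        if sale.sku != sku:
            raise ValueError("item does not match the original transaction")
        if qty <= 0 or sale.qty_returned + qty > sale.qty:
            raise ValueError("return quantity exceeds quantity purchased")
        # Refund is computed from the price actually paid, never from a
        # list price or a figure printed on a presented receipt.
        refund = qty * sale.unit_price_paid
        sale.qty_returned += qty
        sale.refunded += refund
        return refund

    def refunded(self, txn_id: str) -> int:
        """Total cents refunded so far against a sale (0 if unknown)."""
        sale = self._sales.get(txn_id)
        return sale.refunded if sale else 0
```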
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Need new 3270 emulator: SSH, inexpensive, reliable Newsgroups: bit.listserv.ibm-main Date: Wed, 26 Aug 2009 15:40:06 -0400
steve.finch@EDS.COM (Finch, Steve) writes:
Later VPN technology was introduced for individual PCs ... to tunnel (encrypted) remote (home, travelling, road warrior, etc) corporate work through the internet. This eliminated corporations requiring their own private dial-up modem pools (caveat, some corporations opened up remote internet access ... w/o actually requiring encrypted traffic through the internet).
One of the early versions of PC VPN was in the mid-90s regarding online (dialup) home banking moving to the internet ... a big justification was eliminating large racks of dialup modems at the financial institutions supporting proprietary dial-up operations (also eliminating lots of trouble calls from clients regarding the mechanics of PC operating system and drivers supporting serial port modems).
Some of these "PC" implementations were not quite end-to-end ... encryption originating at the PC through the internet to some network box at the institutional end, which handles decryption ... before forwarding to destination mainframe/server.
A well known attack vector, even by the late 90s, for remote PC VPNs (even when encrypted end-to-end) ... were PC zombies ... since they had to have a valid internet connection in order to create the VPN (encrypted) "tunnel" ... a zombie infection on the PC could act as gateway ... forwarding attack traffic coming in via the internet connection and back out through the VPN tunnel, into the corporate intranet.
Some number of VPN software products (for remote PCs) tend to also be packaged with software that attempts to counter such exploits (especially those PC VPN products targeted at the corporate business market).
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: PCI Council Releases Recommendations For Preventing Card-Skimming Attacks Date: 27 Aug, 2009 Blog: Payment Systems Network
PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
from above:
New best practices are aimed at helping retailers -- especially small
merchants -- but security experts say skimming risk runs deeper
... snip ...
archived posts ... in related breach/PCI news thread:
https://www.garlic.com/~lynn/2009l.html#50
https://www.garlic.com/~lynn/2009l.html#53
https://www.garlic.com/~lynn/2009l.html#61
https://www.garlic.com/~lynn/2009l.html#64
https://www.garlic.com/~lynn/2009l.html#68
https://www.garlic.com/~lynn/2009m.html#4
There are (possibly hundreds of) millions of places around the world where account numbers exist ... and in the current paradigm ... are required to never be exposed/divulged (even presenting card at POS exposes the account number) ... is one of the reasons in the mid-90s that the X9A10 financial standard working group slightly tweaked the paradigm (in the x9.59 financial standard) and eliminated exposing the account number as threat/vulnerability. The X9A10 financial standard working group had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments.
Since then we've used a few metaphors to characterize the existing paradigm
• security proportional to risk vulnerability; in the current paradigm, the value of the information to the merchant is the profit on the transaction (possibly a couple dollars) and the value of the information to the processor can be a few cents per transaction ... while the value of the information to the crooks can be the credit limit and/or account balance (the crooks attacking the infrastructure may be able to outspend the merchant & processor defenders by a factor of one hundred times)
• dual-use vulnerability; in the current paradigm, the knowledge of the account number may be sufficient to perform a fraudulent transaction (effectively authentication, as such it needs to be kept confidential and never divulged anywhere) ... while at the same time the account number needs to be readily available for a large number of business processes. The conflicting requirements (never divulged and at the same time readily available) has led to comments that even if the planet was buried under miles of information hiding encryption, it still couldn't prevent information leakage.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: The Art of Creating Strong Passwords Date: 27 Aug, 2009 Blog: Information Security Network
The Art of Creating Strong Passwords
from above:
While security has never been more important than it is today, the
fastest way for an IT professional to become the most despised person
in the company is to start enforcing a strong password policy. A
policy perceived as overbearing may cause people to..
... snip ...
40 yrs ago, people needed one or two (or no) passwords.
rules were written to make them impossible to guess (and nearly impossible to remember) ... as well as requiring them to be changed frequently
since passwords are shared-secrets ... passwords in different security domains have to be unique (as countermeasure to x-domain attacks).
the impossible to remember password rules from 40yrs ago haven't changed a lot ... except passwords have greatly proliferated ... now an individual might have large scores of shared-secrets ... all required to be unique, frequently changed and impossible to remember.
the password rules are still written from institutional-centric standpoint as if individuals have one & only one password to manage. however the human factors of those rules scale horribly ... where humans may have scores of such shared-secrets to manage.
article mentioning users violating the rule requiring a unique password for every (possibly hundreds of) security domains
4chan pwns Christians on Facebook
http://www.theregister.co.uk/2009/08/24/4chan_pwns_christians/
i.e. human factor issues with being forced to remember large scores (or possibly hundreds) of unique hard to guess (and hard to remember) different passwords.
25 yr old April 1st "strong password" corporate directive ... that had
been posted to some number of corporate bulletin boards:
https://www.garlic.com/~lynn/2001d.html#52
It created quite a bit of stir because some number of people didn't recognize it as an April 1st memo (an additional hint was that April 1st was a Sunday)
The majority of passwords typically are a shared-secret something
you know authentication from 3-factor authentication paradigm
... misc. posts
https://www.garlic.com/~lynn/subintegrity.html#3factor
• something you have
• something you know
• something you are
... although there are "password" something you know authentication
that aren't shared-secrets ... misc. posts
https://www.garlic.com/~lynn/subintegrity.html#secrets
vast majority of password/pin/secret deployments are of the shared form. Because shared-secrets tend to be known at both ends, is one of the reasons for requiring a unique secret for every unique secret domain (including countermeasure to x-domain attacks) ... leading to proliferation of the number of shared-secrets required ... and human factors of shared-secrets (to large scores or hundreds) scales very poorly (it is major reason given for studies finding 1/3rd of pin-debit cards have the PIN written on card).
There is some difference between the threats & vulnerabilities between "secrets" and shared-secrets. Shared-secrets are things like passwords and PINs where the same value is used at both ends (both by the person to prove who they are and at the other end to validate that the person has proved who they are). That is one of the reasons that unique shared-secrets are required for different/unique security domains (as countermeasure to x-domain attacks ... say local garage ISP or social networking website and online banking). They are also "static" data and may have (possibly hundreds of) millions of different places where they might be harvested, eavesdropped, skimmed, etc.
Multi-factor authentication is thought to be more secure because of assumptions about independent threats & vulnerabilities ... for instance something you know PIN is assumed to be countermeasure to lost/stolen something you have token. However, "PIN-debit" cards have been vulnerable to common skimming where both the PIN and the magstripe are harvested at the same time (PIN as shared-secret and magstripe information to create counterfeit card).
The proliferation of shared-secrets has terrible human factors scaling ... faced with dealing with large scores of impossible to remember shared-secrets ... people have to resort to recording them. That is major reason given for 1/3rd of PIN-debit cards having PIN written on them.
There are some number of two-factor hardware tokens ... where a PIN is used to activate "personal" hardware token ... since such a PIN is a something you know (personal) secret ... it doesn't have the same threats & vulnerabilities as a shared-secret PIN. These tokens have countermeasures to trivial counterfeiting and frequently aren't "static data" and aren't subject to trivial replay attacks.
Such a token could be person-centric and used for authentication in large number of different security domains. PIN would be countermeasure to simple lost/stolen (and can eliminate possibly 90-95% of the current vulnerabilities). There is trade-off between a single token (or very small number) and unique token per security domain. However, since a major vulnerability for such tokens is lost/stolen ... the most frequent is purse/wallet carrying all such tokens (whether there is only one or multiple ... so having large number re-introduces human factors problems with little security benefit).
We did a lot of work in this area in the mid-90s in conjunction with
the X9A10 financial standard working group. One of the claimed
inhibitors was the cost of chips for the tokens ...so we facetiously
commented that we would take a $500 milspec part ... aggressive cost
reduce by 2-3 orders of magnitude while improving the security
... recent posts getting the chip on EPC/RFID cost curve (i.e. the
chips they want to replace barcodes on grocery store items)
https://www.garlic.com/~lynn/2009m.html#2
basically (in quantity) chips are the cost of the wafers and the number of chips per wafers. In the late 90s, the chips area was becoming smaller than the area of the cuts used to separate chips in wafers. Next big step was new cutting technology that significantly reduced the cut area ... allowing further significant increases in chips/wafer.
related post in linkedin financial fraud discussion
https://www.garlic.com/~lynn/2009m.html#4
... another part of the effort was that there was lots of institutional resistance to switching from an institutional-centric paradigm (one token per institution or security domain) to a person-centric paradigm ... where the institutions would accept a person-provided token. so some infrastructure issues were addressed on how an institution could accept a person-provided token (we actually could show sucking out additional infrastructure costs in the process)
a semi-custom chip was still several hundred thousand circuits ... a rough cut at fully custom chip design indicated between 20k-40k circuits ... some current "common" processor chips are several hundred million circuits ... so (modulo wafer area for slicing & dicing) a factor of 10000:1 (four orders of magnitude).
then packaging and provisioning starts to dominate token costs ... and so it is necessary to do paradigm changes for further cost reduction (like switching from institutional-centric to person-centric paradigm ... and/or including the few tens of thousand circuits as part of every other chip).
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: lynn@GARLIC.COM (Anne & Lynn Wheeler) Subject: Re: Need new 3270 emulator: SSH, inexpensive, reliable Newsgroups: bit.listserv.ibm-main Date: 27 Aug 2009 09:58:45 -0700
wfarrell@US.IBM.COM (Walt Farrell) writes:
my view was that at the fall '94 IETF meeting where VPN was introduced in gateway committee ... the ipsec forces got upset ... until they started referring to VPN as "light-weight ipsec" ... which then allowed others to refer to ipsec as "heavy-weight ipsec".
In that era, ipsec required changes to kernel protocol stacks ... which required upgrading kernels. at the time that was a very expensive undertaking (current kernel/system provisioning technologies have somewhat reduced such costs) and represented a barrier to uptake.
Both VPN (deployed in router/gateway boxes) and SSL (deployed as part of browsers/applications) side-stepped the delays and inhibitor/barriers to uptake ... that ipsec was having at the time (which then resulted in an explosion in market penetration & deployments for VPN & SSL).
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: comp.arch has made itself a sitting duck for spam Newsgroups: comp.arch Date: Thu, 27 Aug 2009 17:43:11 -0400
Robert Myers <rbmyersusa@gmail.com> writes:
fergus/morris book makes some claims that it took more than
20 yrs to recover ... recent reference
https://www.garlic.com/~lynn/2009g.html#0
there were also claims that if it had been any company, they wouldn't have survived.
in the 80s, I had sponsored Boyd's briefings at IBM ... he had been head of lightweight fighter plane design at the pentagon ... claimed credit for cutting weight of f15 in half (and significant improvement in f18) ... and responsible for much of f16 design. f20/tigershark also showed a lot of his influence/philosophy ... being significantly cheaper and less complicated than f16, much lower skill level to maintain and much higher ratio of flt hrs to maintenance hrs. There were claims that f20/tigershark fell to heavy lobbying and political influence (from more profitable programs).
boyd had done a 1970 tour in command.of.spook base ... there was some
reference to it having been a $2.5B windfall for IBM ... which would
have contributed to IBM being able to survive future system. misc.
past posts mentioning Boyd
https://www.garlic.com/~lynn/subboyd.html#boyd
boyd has also been credited with battle plan for desert storm and there have been comments that a major problem going into current conflicts was that boyd had died in 1997.
this is something more recent that Boyd would have been in the middle
of (if he was still around) regarding drones ...
http://www.theregister.co.uk/2009/04/29/young_usaf_predator_pilot_officer_slam/
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the Computer Newsgroups: alt.folklore.computers Date: Thu, 27 Aug 2009 19:08:03 -0400
greymausg writes:
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Does this count as 'computer' folklore? Newsgroups: alt.folklore.computers Date: Thu, 27 Aug 2009 19:12:49 -0400
re:
New Study Shows RFID Significantly Improves Item-Level Inventory
Accuracy
http://www.physorg.com/news170606806.html
from above:
A new study on the use of radio-frequency identification tags on
individual retail items shows that inventory accuracy decreases or
diminishes over time with conventional systems that rely on barcodes
and/or human counting to track inventory.
... snip ...
above mentions a study involving two Bloomingdale's stores (one with & one w/o RFID inventory).
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Big, beautiful boxes from computer history Newsgroups: alt.folklore.computers Date: Thu, 27 Aug 2009 23:17:56 -0400
slashdot ...
Big, beautiful boxes from computer history
http://slashdot.org/submission/1062693/Big-beautiful-boxes-from-computer-history
Computer History Museum Photo Gallery: weird, fascinating photos
including a giant Cray, and a 60Kg hard drive
http://www.pcauthority.com.au/Gallery/153867,computer-history-museum-photo-gallery-weird-fascinating-photos-including-a-giant-cray-and-a-60kg-hard-drive.aspx/1
CHM web pages
http://www.computerhistory.org/collections/search/
http://www.computerhistory.org/collections/findingaids/
http://www.computerhistory.org/core/explorethecollection/
and ...
http://www.computerhistory.org/core/curators/
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Does this count as 'computer' folklore? Newsgroups: alt.folklore.computers Date: Fri, 28 Aug 2009 08:34:36 -0400
jmfbahciv <jmfbahciv@aol> writes:
loading dock &/or other scan puts into the computer what should be in the bldg.
inventory is scanning for what (from the computer) is still on the shelves. the computer will list the individual item serial nos (EPC RFID) that should be on the shelves. the periodic inventory scan will find the individual item serial nos. of what is still on the shelves.
the mismatch between what the periodic inventory scans find and what the computer believes ... missing or shouldn't be there. the inventory scans are more like an audit ... verifying that what is on the shelves corresponds with what is supposed to be there. somebody sneaking something onto the shelves would turn up in the audit ... on par with somebody sneaking something off the shelves.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: The Art of Creating Strong Passwords Date: 28 Aug, 2009 Blog: Information Security Network
Crowbar cracks SD cards and retrieves data without a trace
one of the issues in the above is whether the password protects sensitive data in the device ... or protects use of the device ... aka a "non-shared" secret something you know as part of a two-factor something you have authentication token. In that case ... the "non-shared" secret something you know is a countermeasure to lost/stolen token.
In this reference to yes card vulnerability
https://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html
... it was trivial to skim card information and create a counterfeit card. It was not necessary to skim the pin/password ... since the infrastructure was dependent on asking the card whether or not the correct PIN had been entered ... and a counterfeit yes card would answer YES to all such questions (regardless of what had been entered). Answering YES to the PIN question (and others), was what got it the YES CARD label. The YES answers also prompted somebody to comment that billions of dollars had been spent to prove that chips are less secure than magstripe.
recent posts in (linkedin) Payment Systems Network
https://www.garlic.com/~lynn/2009l.html#61 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#64 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#68 Hacker charges also an indictment on PCI, expert says
there was a somewhat large US pilot deployment of the cards (with the yes card vulnerability) in the earlier part of this decade/century ... which subsequently seemed to disappear w/o a trace.
other past discussion of yes card
https://www.garlic.com/~lynn/subintegrity.html#yescard
One of the questions for the yes card (that it would always answer YES) was whether the transaction should be offline. So even if the account had been disabled at the issuer (countermeasure to compromised, counterfeit, and/or lost/stolen magstripe cards) ... it would have no effect preventing yes card fraudulent transactions.
Then for an offline transaction, the YES CARD would always answer YES to the question about whether the transaction was within the card's credit limit.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: PCI SSC Seeks standard for End to End Encryption? Date: 28 Aug, 2009 Blog: Information Security Network
PCI SSC Seeks standard for End to End Encryption?
from above:
I just read an article in the ETA Currents that stated that the PCI
SSC is seeking a standard for end to end encryption. While this is
certainly a laudable goal, I do have to question that usefulness of
the council defining the standard and vetting the...
... snip ...
We had been asked to consult with a small client/server startup that
wanted to do payment transactions on their server, the startup had
also invented this technology called SSL that they wanted to use. That
work is now frequently called "electronic commerce". SSL was being
used to encrypt/hide the account number while it traveled through the
internet ... from the client to the server ... and then from the
server to something called the payment gateway ... some past posts
mentioning payment gateway
https://www.garlic.com/~lynn/subnetwork.html#gateway
Possibly because of the work on "electronic commerce", in the mid-90s
we were asked to participate in the X9A10 financial standard working
group which had been given the requirement to preserve the integrity
of the financial infrastructure for all retail payments. Part of that
effort, was doing detailed end-to-end threat & vulnerability studies
of the various environments ... which resulted in the x9.59 standard
https://www.garlic.com/~lynn/x959.html#x959
The account number, however, is required to be exposed at dozens & dozens of places as part of standard business processes. There was no way to do end-to-end encryption of the account number (from the client PC or from the POS terminal ... all the way through to the issuing financial institution) ... since the account number was required at dozens of business processes along the way. a trivial such business process is that the account number is effectively used as a kind of "ip-address" for routing the transaction through the payment network to the issuing financial institution; can you imagine the internet working when the network was prevented from having access to the ip-address field in the packet (or mail being delivered when all address fields were inaccessible)?
So what the x9.59 financial transaction standard did was slightly tweak the paradigm, provide end-to-end "integrity" (in lieu of end-to-end encryption) from the consumer to the consumer's financial institution ... and eliminated exposure of the account number as a threat/vulnerability (aka it's no longer necessary to hide the account number as countermeasure to fraudulent transactions). We've periodically commented that in the current paradigm (because of the dozens of business processes that require access to the account number) that even if the planet was buried under miles of (information hiding) encryption, it would still not prevent information leakage.
Now the major use of SSL in the world today is this earlier "electronic commerce" work used for hiding the account number. With x9.59 financial standard, it is no longer necessary to hide the account number ... so the major use of SSL in the world today is also eliminated.
Since then, we've used a few metaphors to characterize the existing (account number hiding) paradigm:
• security proportional to risk vulnerability; in the current paradigm, the value of the information to the merchant is the profit on the transaction (possibly a couple dollars) and the value of the information to the processor can be a few cents per transaction ... while the value of the information to the crooks can be the credit limit and/or account balance (the crooks attacking the infrastructure may be able to outspend the merchant & processor defenders by a factor of one hundred times)
• dual-use vulnerability; in the current paradigm, the knowledge of the account number may be sufficient to perform a fraudulent transaction (effectively authentication, as such it needs to be kept confidential and never divulged anywhere) ... while at the same time the account number needs to be readily available for a large number of business processes. The conflicting requirements (never divulged and at the same time readily available) have led to comments that even if the planet was buried under miles of information hiding encryption, it still couldn't prevent information leakage.
Part of the issues with the existing paradigm are the requirements for the account number to be available for so many business processes ... as a result the security solutions are, at best, piece-meal patchwork.
X9.59 financial standard with true end-to-end strong integrity and strong authentication (from the consumer straight-through to the consumer's financial institution) ... along with eliminating the threats from exposing the account number ... some parts of the current operations may be found to be redundant and superfluous.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
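The paradigm shift described in the x9.59 post above (and the contrast with the static-data "yes card" and magstripe posts earlier) can be shown as a small Go sketch. This is an added example, not code from Lynn's posts or from the x9.59 standard itself; it assumes Ed25519 as a stand-in for whatever signature scheme a real deployment uses, a constructed field layout, and constructed account identifiers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Transaction: the account number travels in the clear (it is the routing
// "address"), so nothing below depends on keeping it secret.
type Transaction struct {
	Account  string // constructed sample identifier, not a real PAN
	Merchant string
	Amount   uint64 // cents
	Seq      uint64 // token's own counter; makes every signed record unique
}

func appendU64(b []byte, v uint64) []byte {
	var tmp [8]byte
	binary.BigEndian.PutUint64(tmp[:], v)
	return append(b, tmp[:]...)
}

// canonical is the exact byte string the token signs and the issuer
// verifies; length prefixes keep the encoding unambiguous.
func (t Transaction) canonical() []byte {
	b := appendU64(nil, t.Amount)
	b = appendU64(b, t.Seq)
	for _, s := range []string{t.Account, t.Merchant} {
		b = appendU64(b, uint64(len(s)))
		b = append(b, s...)
	}
	return b
}

// StaticAuthorize is the account-number-hiding paradigm, for contrast:
// knowing a valid number is enough, so the number is both routing data and
// authenticator (the dual-use vulnerability from the posts).
func StaticAuthorize(known map[string]bool, account string) bool {
	return known[account]
}

// Token stands in for a person-centric hardware token: the private key
// never leaves it, only signatures and the running counter do.
type Token struct {
	priv ed25519.PrivateKey
	seq  uint64
}

func NewToken() (*Token, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Token{priv: priv}, pub
}

// Authorize fills in the next sequence number and signs the transaction.
func (tk *Token) Authorize(t Transaction) (Transaction, []byte) {
	tk.seq++
	t.Seq = tk.seq
	return t, ed25519.Sign(tk.priv, t.canonical())
}

// Issuer keeps the public key registered for each account and the last
// sequence number it accepted; that is all end-to-end verification needs.
type Issuer struct {
	keys    map[string]ed25519.PublicKey
	lastSeq map[string]uint64
}

func NewIssuer() *Issuer { return &Issuer{keys: map[string]ed25519.PublicKey{}, lastSeq: map[string]uint64{}} }

func (is *Issuer) Register(account string, pub ed25519.PublicKey) { is.keys[account] = pub }

// Verify is the integrity check: every hop may have read every field, but a
// harvested number, a tampered amount or a replayed record all fail here.
func (is *Issuer) Verify(t Transaction, sig []byte) error {
	pub, ok := is.keys[t.Account]
	if !ok {
		return fmt.Errorf("unknown account")
	}
	if !ed25519.Verify(pub, t.canonical(), sig) {
		return fmt.Errorf("signature does not verify")
	}
	if t.Seq <= is.lastSeq[t.Account] {
		return fmt.Errorf("replay: seq %d already accepted", t.Seq)
	}
	is.lastSeq[t.Account] = t.Seq
	return nil
}

func main() {
	tok, pub := NewToken()
	iss := NewIssuer()
	iss.Register("ACCT-0001", pub) // constructed sample account
	tx, sig := tok.Authorize(Transaction{Account: "ACCT-0001", Merchant: "shop", Amount: 1999})
	fmt.Println("genuine:", iss.Verify(tx, sig), "| replay:", iss.Verify(tx, sig))
}
```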
From: lynn@GARLIC.COM (Anne & Lynn Wheeler) Subject: Re: Need new 3270 emulator: SSH, inexpensive, reliable Newsgroups: bit.listserv.ibm-main Date: 28 Aug 2009 07:06:42 -0700
steve.finch@EDS.COM (Finch, Steve) writes:
PCI SSC Seeks standard for End to End Encryption?
http://pcianswers.com/2009/08/27/pci-ssc-seeks-standard-for-end-to-end-encryption/
and some of my post in that discussion
https://www.garlic.com/~lynn/2009m.html#22
misc. past posts in this thread:
https://www.garlic.com/~lynn/2009m.html#5 Need new 3270 emulator: SSH, inexpensive, reliable
https://www.garlic.com/~lynn/2009m.html#7 Need new 3270 emulator: SSH, inexpensive, reliable
https://www.garlic.com/~lynn/2009m.html#8 Need new 3270 emulator: SSH, inexpensive, reliable
https://www.garlic.com/~lynn/2009m.html#12 Need new 3270 emulator: SSH, inexpensive, reliable
https://www.garlic.com/~lynn/2009m.html#15 Need new 3270 emulator: SSH, inexpensive, reliable
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Does this count as 'computer' folklore? Newsgroups: alt.folklore.computers Date: Sat, 29 Aug 2009 09:29:37 -0400
jmfbahciv <jmfbahciv@aol> writes:
yep, like somewhere referenced before ... there are also cases of people printing their own barcodes.
for most of these things, crooks are looking on not being detected. if RF is all messed up or stops working ... and/or the inventory is all messed up ... call in the cops. there are lots of things that are supposed to work in a fairly determined manner ... if they deviate too greatly ... call in the cops. Also have lots of video recording.
printed barcodes is only to product level ... RFID is to individual item level ... so rather than RF noise to disable reading ... have to come up with something that looks valid enough to what is in the inventory computer ... but gives the crooks some financial advantage.
gets more complicated ... and then the stores work on countermeasures for what the crooks come up with.
an analogous ... but different scheme involved counterfeiting giftcards.
at one time, giftcards for sale was just left out ... since they had no
value & hadn't been registered yet (stealing them had close to zero
value). however, crooks would record a whole slew of unsold giftcards
... and then wait until they were sold, loaded & registered ... and then
show up with counterfeit giftcards and drain the accounts.
https://www.garlic.com/~lynn/aadsm22.htm#10 thoughts on one time pads
https://www.garlic.com/~lynn/aadsm22.htm#11 thoughts on one time pads
https://www.garlic.com/~lynn/2004j.html#12 US fiscal policy (Was: Bob Bemer, Computer Pioneer,Father of ASCII,Invento
Slightly more sophisticated, simple PDA with magstripe reader/writer & barcode reader ... PDA could be used to record a whole slew of giftcards ... then on return trip could quickly determine some that had been sold (loaded & registered) and counterfeit one in real-time.
Big issue is that magstripe technology is pretty well understood by criminal activity and trivial to counterfeit/duplicate.
Inventory RFID ... being static data ... would be straightforward to counterfeit ... but its use is verifying what is in the computer.
So even if you bring in a counterfeit clothes with counterfeit RFID chips ... for returns ... also need a counterfeit sales return ... and everything has to correspond with exact same information already in the computer. so maybe crooks have to also compromise the computer. turns out if you can compromise the computer ... you are far ahead just having the computer do the direct credit/return w/o having to physically go thru a fake return (so they need pretty strong countermeasures to computer attacks ... because there are a whole laundry list of things that crooks could do ... if they can directly access the computer).
so this talks about doing "security" chip ... and getting it
on EPC RFID price curve
https://www.garlic.com/~lynn/2009m.html#2 Does this count as 'computer' folklore?
that particular chip was also capable of doing contactless transactions using RF. Now there are some payment cards with effectively EPC RFID static data (basically emulates the magstripe static data ... and so likely has similar threats & vulnerabilities as magstripe cards ... because of static data). the discussed chip, basically is able to do asymmetric crypto operation ... and is very close to the number of circuits and power consumption ... required for EPC RFID chip (so while it could return EPC information ... it could also return some unique data that isn't static, changes every time and is extremely difficult to fake).
recent long winded post discussing payment chipcards that used "static
data" ... which could be skimmed/recorded and used to (trivially) create
counterfeit yes card:
https://www.garlic.com/~lynn/2009m.html#21 The Art of Creating Strong Passwords
other recent posts mentioning yes cards
https://www.garlic.com/~lynn/2009.html#10 Swedish police warn of tampered credit card terminals
https://www.garlic.com/~lynn/2009.html#11 Swedish police warn of tampered credit card terminals
https://www.garlic.com/~lynn/2009.html#33 European Payments Council calls for action on counterfeit cards
https://www.garlic.com/~lynn/2009.html#34 Swedish police warn of tampered credit card terminals
https://www.garlic.com/~lynn/2009.html#72 Double authentification for internet payment
https://www.garlic.com/~lynn/2009b.html#21 ICSF and VISA/MasterCard?amex reference list
https://www.garlic.com/~lynn/2009b.html#61 Passport RFIDs cloned wholesale by $250 eBay auction spree
https://www.garlic.com/~lynn/2009c.html#56 Why use RFID in personal documents & cards at all?
https://www.garlic.com/~lynn/2009e.html#75 The Future Shape of Payments Is Anything But Flat
https://www.garlic.com/~lynn/2009f.html#7 An interesting take on Verified by Visa Policy
https://www.garlic.com/~lynn/2009f.html#44 Chip and PIN for ID cards: Not such a sharp idea?; Hackers PINing after your details
https://www.garlic.com/~lynn/2009f.html#61 Halifax faces legal challenge on chip-and-pin security
https://www.garlic.com/~lynn/2009l.html#61 Hacker charges also an indictment on PCI, expert says
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: IBM 2741 - may be nostalgic for some Newsgroups: bit.listserv.ibm-main,alt.folklore.computers Date: Sat, 29 Aug 2009 10:11:34 -0400
mike@CORESTORE.ORG (Mike Ross) writes:
the science center had plywood board ... finished the same as the 2741 cabinet, that fit snugly around the 2741 in the middle and provided something like 18 inches on one side and in the back (board could be flipped ... placing the extra surface on either the right or left).
that allowed a two tray input/output tray for paper at the back (stack of fan-feed input paper on the bottom and output then on the top). could also put a whole box of fan-fold paper on the floor behind the 2741 ... feed the paper thru the bottom of the tray ... and have the output go to the top tray.
it also provided a shelf for paper (or other objects) to the right (or left). could have program listing (or other paper) on the right to work from when typing.
this board wasn't anchored in anyway ... so had to be careful placing a lot of weight ... or it would tip (since it fit under the gray roller knobs on both sides ... those knobs would somewhat arrest the board from completely flying off).
i had the board and tray for my home 2741 (from 1970) ... and even after the 2741 was replaced in 1977 ... the tray and board continued to knock around the garage (until a move in 1999).
I do still have 2741 (apl) typeball ... some pictures
https://www.garlic.com/~lynn/lhwemail.html#oldpicts
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: comp.arch has made itself a sitting duck for spam Newsgroups: comp.arch Date: Sun, 30 Aug 2009 08:23:09 -0400
rpw3@rpw3.org (Rob Warnock) writes:
we had been doing the ha/cmp product ... some old posts
https://www.garlic.com/~lynn/subtopic.html#hacmp
part of it was high-availability and part was cluster
scale-up ... some old email
https://www.garlic.com/~lynn/lhwemail.html#medusa
this post references a jan92 meeting discussing scale-up
https://www.garlic.com/~lynn/95.html#13
and shortly after the jan92 meeting, the scale-up part was transferred and we were told we couldn't work on anything with more than four processors.
two of the people mentioned in the jan92 meeting later left and show up at a small client/server startup responsible for something called a "commerce server".
we also left and were out doing some consulting. we were brought in to consult at the small client/server startup because they wanted to do payment transactions on the server. the startup had also invented some technology they called "SSL" that they wanted to use; in any case, the result is now frequently called "electronic commerce".
Part of the "electronic commerce" is something called a "payment
gateway" some past posts
https://www.garlic.com/~lynn/subnetwork.html#gateway
that handles payment transactions between servers on the internet and the payment network. there had been an "application" first cut ... taking packets from the internet and reformatting them into the specification defined for the payment network. what was missing was a whole lot of industrial strength stuff that wasn't in the message formats. for instance, the trouble desk at the payment network had an objective of 5 minutes elapsed time to do first-level problem determination. An early trial of the gateway "application" had a problem (not working, no transactions) ... and after 3hrs of investigation it was closed as NTF (no trouble found).
We put together a specification for business critical payment gateway operation ... and the subsequent activity was 5-10 times the activity to do the original (well developed, well tested) application code. The result didn't have a significantly different total number of lines of code ... but there was significantly more effort that went into those lines of code.
we also did a JAD with the taligent organization (something of spin-off of the apple object-oriented "pink" operating system effort) ... regarding what it would take to turn taligent into basis for doing business critical dataprocessing ... the net was about 30% change to their existing libraries and 30% new code (with objective of cutting development effort for business critical applications by 50-75 percent).
there is also some overlap/similarity between developing code for business critical applications and developing code for secure applications (and in some core financial processing applications they both apply). "secure" development may also include things like background checks on designers and developers, anybody that is allowed to touch the code or the operation.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Origin of "fork" Newsgroups: alt.folklore.computers Date: Sun, 30 Aug 2009 08:32:53 -0400
jmfbahciv <jmfbahciv@aol> writes:
this claims 33s with paper tape
http://www.columbia.edu/cu/computinghistory/teletype.html
above mentions 33s & 35s were upper-case only ... 37s had upper & lower.
this shows paper tape
https://en.wikipedia.org/wiki/ASR-33_Teletype
mentions that the difference between ASR33 and KSR33 was ASR33 had paper-tape and KSR33 didn't.
this has 35
http://www.nadcomm.com/35asr.htm
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: PCI Council Releases Recommendations For Preventing Card-Skimming Attacks Date: 30 Aug, 2009 Blog: Payment Systems Network
re:
another
Security expert's PCI analysis misguided, says PCI Council GM
http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1366236,00.html
With regard to acquiring hardware & software ... it isn't so much the cost of a successful deployment; it is the possibility of the cost of non-trivial numbers of failed deployments that seems to be an uptake inhibitor. In the last part of the past century and the first part of this century there seemed to be quite an appetite for new deployment. That appetite seems to have significantly gone away after some number of failed deployments. It no longer is the cost of a successful deployment ... it is the prospect of having the cost of some number of unsuccessful deployments.
after some of these earlier failures ... there has been quite a bit of work on somewhat generic boxes at merchants with provisioning support (downloading software, updates, configuration, etc) using the same link to the acquirer that is used for transactions (somewhat similar to modern PC generation of using internet to distribute software updates).
This somewhat mitigates the issue of going thru multiple generations where it possibly wasn't gotten quite correct.
One of the classic scenarios was waiters at a particular NYC restaurant near times sq in the mid-90s, PDA and card swipe reader pinned to their inner label. There was the standard card swipe for the bill ... but an extra swipe that went to the PDA in their inner pocket. At end-of-shift, the information was uploaded to the internet and almost immediately, counterfeit cards were doing transactions on the streets of hong kong (today, the extra card swipe could go immediately to the internet with wireless/cellphone, w/o having to wait for end-of-shift).
Part of the x9.59 financial transaction standard work in the mid-90s was eliminating skimming as a vulnerability ... i.e. it was no longer necessary to hide the account number as a countermeasure to fraudulent transactions. They (external attackers or "insiders"; studies have claimed that 70% of such events involve "insiders") could still do data breaches, skimming, account number harvesting ... but it was no longer possible to use the information for fraudulent transactions (eliminating the financial incentive).
there was some concurrent effort at the time on a POS chipcard specification ... but it involved static data ... so while there was (myopic) focus on countermeasures to lost/stolen cards ... there was nothing done about skimming the static information (for creating counterfeit chipcards). The result was the yes card vulnerability in the later part of the past century and the early part of this century. There was a rather large US deployment of payment chipcards in that timeframe ... that had the yes card vulnerability. There was a presentation about the yes card vulnerability at a payment security conference ... and somebody in the audience made the loud comment that billions of dollars were spent to prove chips were less secure than magstripe. In that time-frame, the US deployment then appeared to evaporate w/o a trace.
In this series of posts in the (linkedin) Information Security Network thread:
https://www.garlic.com/~lynn/2009l.html#50 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#53 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#61 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#64 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#68 Hacker charges also an indictment on PCI, expert says
I mention having early discussions with the people doing the (US) deployment regarding the yes card vulnerability and being told that it was addressed by how valid cards were configured. The (myopic) preoccupation with the chipcard (and countermeasures for lost/stolen cards) ... seemed to create a blind spot: the yes card vulnerability was skimming with the resulting counterfeit cards "attacking" the POS terminal (i.e. it wasn't an attack on valid chipcards, it was an attack on the POS terminal).
old reference to cartes2002 presentation about yes card
vulnerability and it being trivial effort to create counterfeit
chipcards.
https://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html
this is a recent thread in the a.f.c. newsgroup discussing UPC barcodes and
EPC RFID
https://www.garlic.com/~lynn/2009m.html#18 Does this count as 'computer' folklore?
https://www.garlic.com/~lynn/2009m.html#20 Does this count as 'computer' folklore?
https://www.garlic.com/~lynn/2009m.html#24 Does this count as 'computer' folklore?
mentions in the mid-90s making the semi-facetious comment about taking a $500 milspec card and aggressively cost reducing it by 2-3 orders of magnitude while making it more secure ... and eventually getting it on the EPC RFID chip cost curve (i.e. chips being targeted to replace barcodes on grocery store items) ... but with strong integrity, being able to do "dynamic data" (rather than "static data"), being able to do either contact or contactless ... and if contactless, being able to do the "dynamic data" within the power limitations and elapsed time constraints of a transit turnstile.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Where Have You Gone, Bell Labs? Newsgroups: alt.folklore.computers Date: Sun, 30 Aug 2009 19:54:25 -0400
Where Have You Gone, Bell Labs? How basic research can repair the broken U.S. business model
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: As Internet turns 40, barriers threaten its growth Newsgroups: alt.folklore.computers Date: Sun, 30 Aug 2009 19:55:30 -0400
As Internet turns 40, barriers threaten its growth
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: comp.arch has made itself a sitting duck for spam Newsgroups: comp.arch Date: Sun, 30 Aug 2009 21:25:35 -0400
rpw3@rpw3.org (Rob Warnock) writes:
there were some number that considered that some degree of availability could be added. one of the interesting issues we had with some amount of the payment transaction message formats (that had been converted to packet/internet operation) ... was that in the original, there was some amount of implicit assumption ... that the transaction messages operated in a circuit environment. a straight-forward move of the transaction message formats to a packet environment failed to carry some number of the implicit circuit-based characteristics. part of retrofitting availability (for "electronic commerce") was compensating processes for the packet environment.
also part of the "retrofit" was a failure matrix of 30-40 failure conditions that might happen in a half dozen states ... and being able to demonstrate automatic recovery ... and/or at least five minute 1st level problem determination for all cases (not necessarily that the code was bug free).
it is frequently & significantly more apparent that attempting to retrofit security to something (which hasn't been designed from the ground up) doesn't work.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: comp.arch has made itself a sitting duck for spam Newsgroups: comp.arch Date: Mon, 31 Aug 2009 08:41:42 -0400
re:
a relatively trivial "high availability" (but important) thing for the payment gateway was "multiple A-record" support.
The "payment gateway" was no-single-point-of-failure ... including multiple links (circuits) into different parts of the internet backbone. I started out planning on advertising multiple routes ... but in the process of deployment, the internet backbone announced moving to hierarchical routing only.
this eliminated being able to advertise different routes for the same ip-address ... and required defining the "name" of the payment gateway with multiple ip-addresses ("multiple A-record"). webservers that were contacting the payment gateway then needed to have "multiple A-record" support. since we had sign-off authority on operation related to the payment gateway ... we could mandate the implementation.
we had several cases where we felt that the browser needed to do the same thing. one of the early adopters of the commerce server (and payments) was a sports product operation that advertised on national sunday football and expected lots of activity during half-time. their ISP was an operation that regularly did local presence router maintenance on sundays (they had schedules where webservers in particular areas wouldn't have service on particular sundays because their ISP router would be undergoing maintenance). This was before the majority of the internet had any kind of telco-like provisioning.
So we had a meeting with lots of the browser developers where I presented the multiple A-record implementation and the scenarios where it would be beneficial. The initial response was that it was too complicated/advanced and they weren't going to do it (for the browser<->server side ... we could only advise, we didn't have mandated sign-off authority). I then provided them with client (telnet, ftp, etc) source code examples from 4.3 Tahoe; no budge. I somewhat hypothesised the issue was that there were no examples of "multiple A-record" support given in the various TCP/IP class/text books that they had learned from. It took a year to get multiple A-record support into the browser.
as to taligent and "pink" ... there was a period where "object-oriented" was all the rage, Apple was doing the "pink" object-oriented operating system ... and Sun was doing the "spring" object-oriented operating system. At one point we were invited in and given a run-through of "spring" ... and then asked if we would consider heading up the effort to turn it out as a product (speculation, at least partially, because we had earlier turned out the ha/cmp product).
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
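As an added example (not code from the post above, nor from the browsers, webservers or payment gateway it describes), this is the client-side behaviour "multiple A-record" support requires: resolve every address the name has and fall through to the next one when a connect attempt fails, rather than giving up after the first address. The hostname, the 192.0.2.x / 198.51.100.x addresses and the simulated connector are constructed for illustration so the script runs offline.

```python
"""Client-side "multiple A-record" support (added example, not the original code).

A name that resolves to several addresses is tried in order until one
connect() succeeds.  A client that only ever uses the first address is what
the post says early browsers did; when that one address is behind a router
under maintenance the whole service looks down even though others are up.
"""
import socket
from typing import Callable, Iterable, List, Optional, Tuple

Address = Tuple[str, int]
Connector = Callable[[Address, float], object]


def resolve_all(host: str, port: int) -> List[Address]:
    """Return every (ip, port) pair the resolver has for host, in resolver order,
    duplicates removed.  getaddrinfo() exposes all A/AAAA records; the common
    mistake is to use only the first one."""
    found: List[Address] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        addr = (sockaddr[0], sockaddr[1])
        if addr not in found:
            found.append(addr)
    return found


def tcp_connect(addr: Address, timeout: float) -> socket.socket:
    """Real connector: a TCP connection to one address with a bounded timeout,
    so an unreachable address costs `timeout` seconds, not a TCP-level hang."""
    return socket.create_connection(addr, timeout=timeout)


def connect_any(addresses: Iterable[Address],
                connector: Connector = tcp_connect,
                timeout: float = 2.0):
    """Try each address in turn.  Returns (connection, address_used, failures)
    where failures lists (address, reason) for every address that was skipped.
    Raises ConnectionError only when every address failed."""
    failures: List[Tuple[Address, str]] = []
    addresses = list(addresses)
    for addr in addresses:
        try:
            return connector(addr, timeout), addr, failures
        except OSError as exc:        # refused, unreachable, timed out, ...
            failures.append((addr, str(exc)))
    raise ConnectionError(
        "all %d addresses failed: %r" % (len(addresses), failures))


def reachable_address(addresses: Iterable[Address],
                      connector: Connector = tcp_connect,
                      timeout: float = 2.0) -> Optional[Address]:
    """Convenience wrapper: the address connect_any() ended up using, or None
    if none of them answered.  Closes the probe connection if it has close()."""
    try:
        conn, addr, _failures = connect_any(addresses, connector, timeout)
    except ConnectionError:
        return None
    if hasattr(conn, "close"):
        conn.close()
    return addr


def make_simulated_connector(down: Iterable[Address]) -> Connector:
    """Constructed stand-in for tcp_connect so the example runs offline:
    addresses listed in `down` behave like a host behind a router under
    maintenance (connection refused); every other address "connects"."""
    down_set = set(down)

    def connector(addr: Address, timeout: float) -> str:
        if addr in down_set:
            raise ConnectionRefusedError(
                "simulated: %s:%d unreachable (timeout %.1fs)" % (addr + (timeout,)))
        return "connection to %s:%d" % addr
    return connector


# Constructed sample: a "gateway" name with three A-records, first one down.
SAMPLE_ADDRESSES: List[Address] = [
    ("192.0.2.10", 443), ("192.0.2.20", 443), ("198.51.100.5", 443)]
SAMPLE_DOWN: List[Address] = [("192.0.2.10", 443)]


if __name__ == "__main__":
    sim = make_simulated_connector(SAMPLE_DOWN)
    conn, used, skipped = connect_any(SAMPLE_ADDRESSES, sim, timeout=1.0)
    print("used", used, "after skipping", [a for a, _ in skipped])
    print("all down ->", reachable_address(SAMPLE_ADDRESSES,
                                           make_simulated_connector(SAMPLE_ADDRESSES)))
```

Against a live name, `connect_any(resolve_all("example.invalid", 443))` exercises the same fall-through with real TCP connects; only the resolver order changes.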
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Does this count as 'computer' folklore? Newsgroups: alt.folklore.computers Date: Mon, 31 Aug 2009 11:52:05 -0400
Rostyslaw Lewyckyj <urjlew@bellsouth.net> writes:
could be counterfeit items .. analogous to passing counterfeit $100 bills. for low-value items ... returns would be a relatively inefficient mechanism for making money off counterfeit items ... but could be practical for higher value items (say designer something or another).
they still have the real item ... which they may still be able to sell for more than the cost of the counterfeit item. another fraud periodically seen (previously mentioned) was that the original transaction was discounted ... and then going for a full value refund (w/o discount) ... this has been used so much that lots of places have countermeasures for the practice.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: IBM Poughkeepsie? Newsgroups: alt.folklore.computers Date: Mon, 31 Aug 2009 16:31:23 -0400
Eric Chomko <pne.chomko@comcast.net> writes:
"Armonk" corporate hdqtrs dedication (21Oct) 1964:
http://www-03.ibm.com/ibm/history/exhibits/vintage/vintage_4506VV2107.html
besides Armonk, new plants were completed in Huntsville and East Fishkill
http://www-03.ibm.com/ibm/history/history/year_1964.html
1941, IBM in bldg that had been canning factory
http://www-03.ibm.com/ibm/history/exhibits/vintage/vintage_4506VV2041.html
Poughkeepsie ... main plant site constructed in 1948, two
wings added in 1952:
http://www-03.ibm.com/ibm/history/exhibits/vintage/vintage_4506VV2042.html
IBM East Fishkill over the years:
http://www.poughkeepsiejournal.com/article/20090127/BUSINESS01/90127016/1012
vintage views of ibm facilities
http://www-03.ibm.com/ibm/history/exhibits/vintage/vintage_facilities.html
misc.
IBM Somers
https://en.wikipedia.org/wiki/IBM_Somers_Office_Complex
Implementing the Poughkeepsie Green Data Center: Showcasing a Dynamic
Infrastructure
http://www.redbooks.ibm.com/abstracts/redp4534.html
for random drift ... mention of 3270 and ibm kingston (up the river from
Poughkeepsie)
https://en.wikipedia.org/wiki/IBM_3270
from above:
In contrast, IBM's OfficeVision office productivity software enjoyed
great success with 3270 interaction because of its design
understanding. And for many years the PROFS calendar was the most
commonly displayed screen on office terminals around the world.
... snip ...
recent mention of PROFS main menu getting "burned" into screens:
https://www.garlic.com/~lynn/2009l.html#41 another item related to ASCII vs. EBCDIC
also mention that the PROFS group had "borrowed" a lot of stuff from
other organizations
https://www.garlic.com/~lynn/2009.html#8 Is SUN going to become x86'ed ??
https://www.garlic.com/~lynn/2009.html#23 NPR Asks: Will Cloud Computing Work in the White House?
https://www.garlic.com/~lynn/2009k.html#0 Timeline: The evolution of on
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: IBM Poughkeepsie? Newsgroups: alt.folklore.computers Date: Mon, 31 Aug 2009 21:10:37 -0400
re:
Executive Briefing Center (bldg 705) on plant site ... has aerial view
of the site
http://www-03.ibm.com/systems/services/briefingcenter/pbc/location.html
address for the above: Building 705, 2455 South Road, Poughkeepsie, NY 12601
also PDF map of the plant site
http://www-03.ibm.com/systems/resources/systems_services_briefingcenter_pbc_pdf_pok_site.pdf
2455 South Rd (rt 9) satellite photo
http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=2455+south+road+poughkeepsie+ny&sll=37.0625,-95.677068&sspn=65.557733,48.691406&ie=UTF8&ll=41.66004,-73.933192&spn=0.00731,0.005944&t=h&z=17
appears to show that bldgs 918, 965, 966 (from the map) have been leveled???
there used to be a whole lot of IBM stuff in the poughkeepsie area that was off the main plant site ... but possibly it has now all been consolidated back to the main plant site.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: comp.arch has made itself a sitting duck for spam Newsgroups: comp.arch Date: Tue, 01 Sep 2009 10:07:05 -0400
Duane Rettig <duane@franz.com> writes:
3830s disk controller (for 3330s, then 3350) was horizontal microcode. 3880 disk controller follow-on for 3380 ... went to jib-prime a vertical microcode machine and much slower. 3380 had 3mbyte/sec data transfer (about ten times that of 3330s) ... so 3880 had special hardware data-path ... with jib-prime for just control operations.
i got to play disk engineer in bldgs. 14 (engineering) and 15 (product
test lab). misc. past posts
https://www.garlic.com/~lynn/subtopic.html#disk
One of the things was that they were running all mainframe regression tests with stand-alone, scheduled dedicated test time. They had tried doing testing under MVS ... but with a single testcell (for security ... each development device was kept in its heavy-gage "wire" cage inside the bldgs. "secure" machine room, which was inside a secured bldg, etc) and experienced 15min MTBF. So, for the fun of it, i decided to completely rewrite the operating system I/O supervisor ... so it would be bullet proof and never fail ... and they could then do concurrent "on-demand" testing of any number of "testcells".
A side-effect was there were some number of mainframes (that they had for testing new disks against different mainframe models ... as well as early engineering models of mainframes for testing with disks), which could be co-opted for online timesharing use (even the heaviest concurrent testing loads only represented a percent or two of processor utilization).
So one monday morning ... I got a call asking what I had done to their systems over the weekend. The largest engineering test mainframe (3033) at the time was showing 30-60 percent interactive degradation. I hadn't done anything over the weekend ... so started looking at what they had done. Turns out that they had replaced a 3830 controller with 16 3330 disk drives (used for our private interactive service) with a new 3880 controller (that included support for 3330 drives). It was quickly evident that it was the 3880 disk controller that was resulting in significant I/O thruput degradation. A lot of detailed analysis was showing how much (& where) slow-down in "control" operations was resulting in significant overall I/O thruput degradation. Then a crash program to tweak the 3880 (jib-prime) operations, attempting to mask its slower operation ... fortunately we still had six months before first customer ship.
Mainframe disk controllers had multiple channel paths ... either connecting to different processors (for loosely-coupled/cluster operation) or multiple channel paths by the same processor ... for possibly higher thruput. So ... since I was completely rewriting the I/O supervisor ... I decided to redo the "alternate channel path" logic (primary with one or more alternates to the same pool of disks) and turn it into dynamic load-balancing. This then ran into a brick-wall with the tweaks to the 3880 slow-down masking; part of the slow-down masking was special caching in the 3880 with regard to the channel path of the previous operation (on the off-chance the next operation would be on the same channel path). This resulted in a several millisecond difference between consecutive operations on the same channel and consecutive operations with different channels ... totally blowing any attempt to get better thruput with dynamic load-balancing (primary channel path operation ... with only rarely using the alternate path ... had significantly higher thruput than trying to maximize concurrent use of all available channel paths).
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: comp.arch has made itself a sitting duck for spam Newsgroups: comp.arch Date: Tue, 01 Sep 2009 11:25:48 -0400
re:
I had done a lot with dynamic adaptive resource manager as undergraduate
in the 60s; a lot of which was shipped in vendor product. Later in
transition/morph from 360->370 a lot of it was eliminated in
simplification move. Still later I was asked to put it back in. some
past posts about dynamic adaptive resource manager (frequently called
fair share since default resource policy was fair share):
https://www.garlic.com/~lynn/subtopic.html#fairshare
This time was at the science center which had been doing a lot in the area of performance data gathering, benchmarking and performance model (some of which was to turn into capacity planning). There was something like ten yrs of performance monitoring data on some systems and several years on some number of other systems. This was used to help validate some of the performance modeling work ... but also being able to characterize and abstract workloads and configurations.
In any case, I was doing a lot of "automated" benchmarking with
synthetic workloads and lots of different configurations to validate
operation of the dynamic resource management stuff, including looking at
"graceful" degradation under extreme/increasing overload
conditions. some past posts
https://www.garlic.com/~lynn/submain.html#benchmark
Initially, the extreme overload conditions was consistently resulting in system failures ... and on investigation, they were almost all due to random events related to internal kernel serialization mechanism. So before going much further, I had to redesign and rewrite the whole kernel serialization mechanism to eliminate the constant failures under extreme overload conditions (which also eliminated a lot of spurious and random failures in normal operations, was also included with the resource manager when it eventually shipped).
For the final validation run there were 2000 benchmarks that took 3 months elapsed time to run. The initial 1000 benchmarks were specifically selected combinations of kinds of workload and types of configuration. One of the analytical performance models was modified to look at previous benchmarks (initially the 1000 selected) ... and use the previous results to specify the next "interesting" combination of workload & configuration. It would then validate that the predicted results for that combination corresponded with the measured results. Then it would repeat the process for a total of 1000 additional benchmarks.
A lot of the benchmarking was to look at whether the "resource manager" might have "bugs" ... that wouldn't directly affect system availability ... but would not correctly perform resource allocation as per specification (not only analyse actual operations in a large number of different circumstances ... but also x-validate actual operation against predicted operation by the analytical model ... which also helped calibrate the model calculations).
This particular analytical performance model had also been turned into a sales&marketing tool. Sales/marketing could enter the customer's workload and configuration profile and then ask "what-if" questions regarding workload &/or configuration changes (in theory, would help support additional hardware sales to the customer).
The online sales&marketing support system ... was being replicated all over the world. In the mid-70s, the US systems had been consolidated at a single datacenter and lots of enhancements were added for cluster (loosely-coupled) operations ... including simple fall-over availability. A version of the analytical model tool was also modified to track all the system loads and perform load-balancing by doing the system selection for new sessions.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: lynn@GARLIC.COM (Anne & Lynn Wheeler) Subject: Re: 33 Years In IT/Security/Audit Newsgroups: bit.listserv.ibm-main Date: 1 Sep 2009 10:17:21 -0700
DocFarmer9999@YAHOO.CO.UK (Doc Farmer) writes:
i got to design my own monitor, interrupt handlers, device drivers, resource control, etc.
the next year ... i got responsibility for univ. os/360 system maintenance & support. I started playing with the output of stage1 sysgen ... completely reorganizing the stage2 deck so as to carefully place files and PDS members for optimized arm seek operation.
360/67 ran os/360 (as 360/65 w/o DAT or virtual memory) nearly all the time ... since tss/360 wasn't coming along very well.
last week jan '68, three people from science center came out to install
(virtual machine) cp67 ... univ was 2nd (or 3rd depending on how lincoln
labs is counted) install (after science center). ... misc. past posts
mentioning science center
https://www.garlic.com/~lynn/subtopic.html#545tech
I then got to also play with all the cp67 source ... rewriting large
sections ... old post with part of presentation at fall '68 SHARE
meeting describing some amount of cp67 kernel rewrite as well as
optimized MFT/14 operation (both stand-alone and in virtual machine):
https://www.garlic.com/~lynn/94.html#18 CP/67 & OS MFT14
with careful placement for optimized disk arm ... and some other stuff ... I had gotten nearly three times thruput improvement for typical univ. student job workload (mft with hasp ... not virtual machine).
eventually graduated and went off to join science center
recent discussion of other related old stuff in comp.arch thread:
https://www.garlic.com/~lynn/2009m.html#16
https://www.garlic.com/~lynn/2009m.html#26
https://www.garlic.com/~lynn/2009m.html#31
https://www.garlic.com/~lynn/2009m.html#32
https://www.garlic.com/~lynn/2009m.html#36
https://www.garlic.com/~lynn/2009m.html#37
a few more months will mark 40yrs since I got home online access (dialup 2741 terminal)
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: ACP, One of the Oldest Open Source Apps To: <ibm-main@bama.ua.edu> Date: Tue, 01 Sep 2009 18:11:08 -0400
Anne & Lynn Wheeler <lynn@garlic.com> writes:
besides the hardware tricks to maintain processor thruput in large multiprocessor caches ... in this time-frame there was lots of MVS and VM kernel software work for "multiprocessor" sensitivity.
for instance, dynamic kernel storage allocation was reorganized to start on cache-line boundaries and end on cache-line boundaries (be multiples of cache-lines). this eliminated scenarios where one processor was using the front part of a cache-line for one purpose and another processor was concurrently using the end of the same cache-line for some other purpose ... and they get into a lot of cache "thrashing" where one processor tells the others that it is taking the cache-line and all the other processors have to get rid of it ... and then one of the other processors doing the same (for the same cache-line). At the time, the kernel changes for multiprocessor sensitivity claimed overall 4-6% increased system thruput.
later for ha/cmp, I found it interesting that I was emulating a lot of
multiprocessor hardware cache management for ha/cmp's (software)
distributed lock manager (underlying fundamentals are very similar)
... some past ha/cmp posts
https://www.garlic.com/~lynn/subtopic.html#hacmp
especially for ha/cmp cluster scale-up ... mentioned
in this old post
https://www.garlic.com/~lynn/95.html#13
and this old email
https://www.garlic.com/~lynn/lhwemail.html#medusa
at the time, most of the RDBMS implementations were doing their cluster implementation using (effectively) "store-thru" cache ... i.e. RDBMS was using computer real storage as cache ... and record location on disk was the "real" location. If a processor had a changed copy of the record in cache (change "committed" with log record ... but not yet written to disk to DBMS "home" record location), it first had to be written to its home location on disk before another processor could obtain it.
for the HA/CMP distributed locking scale-up ... i worked out details of being able to potentially piggy-back the dbms record with the message granting the corresponding lock ... effectively a direct cache-to-cache transfer ... avoiding the latency of waiting for intermediate disk transfer (out to disk from one processor real storage and back into real storage of another processor). in some sense this was able to treat aggregate real storage of all the processors in the cluster as one large coordinated cache (could implement direct storage-to-storage transfers much more efficiently than out to disk). For large clusters ... there was increasing probability that a particular DBMS record already resided in some processor storage.
the real problems weren't so much with doing the direct processor-to-processor transfers (in a loosely-coupled/cluster environment) ... it was the ha/cmp recovery (after processor/node failure) ... where a record might have multiple different (committed) changes ... done on different processors (and recorded in different logs on different processors) ... which haven't yet been written to the DBMS record "home" location.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: PCI Council Releases Recommendations For Preventing Card-Skimming Attacks Date: 1 Sep, 2009 Blog: Payment Systems Network
re:
We had been called in to consult with a small client/server startup that wanted to do payment transactions on their server ... the startup had also invented this technology they called "SSL" that they wanted to use. We had complete authority on the (SSL) connection between the webserver and something called the "payment gateway" and applied several compensating procedures to "SSL" for that part. We studied the client/server part of the connection and noted that there were several implicit assumptions regarding its use for (really) secure operations. Almost immediately several of those assumptions were violated ... and since we had little authority over that part of the operation ... there was little we could do about it. In any case, the result is now frequently called "electronic commerce".
It was the work on what is now frequently called "electronic commerce"
that in the mid-90s likely got us invited to participate in the X9A10
financial standard working group ... which had been given the
requirement to preserve the integrity of the financial infrastructure
for all retail payments. As previously mentioned that work resulted in
the x9.59 financial transaction standard.
https://www.garlic.com/~lynn/x959.html#x959
Part of the issue is that common SSL primarily just hides the transaction (account number) between the client & server ... it doesn't provide end-to-end integrity all the way from the end-user to the end-user's financial institution.
One of the things done in x9.59 financial transaction standard was to slightly tweak the paradigm and eliminate the requirement to hide the account number (while at the same time providing full end-to-end integrity and strong authentication ... all the way from the end-user to the user's issuing financial institution). Since the primary use of SSL in the world today ... is this earlier thing we did, now frequently called "electronic commerce" ... which primarily used to hide the account number in transmission between the browser and the webserver ... and with x9.59, it is no longer required to hide that information ... it would also eliminate the primary use of "SSL" in the world.
For a little topic drift ... these are recent posts in comp.arch
discussing some of the other stuff we had to do for "electronic
commerce" and the payment gateway
https://www.garlic.com/~lynn/2009m.html#31
https://www.garlic.com/~lynn/2009m.html#32
other past posts mentioning the payment gateway work
https://www.garlic.com/~lynn/subnetwork.html#gateway
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the Computer Newsgroups: alt.folklore.computers Date: Wed, 02 Sep 2009 00:31:27 -0400
Larry Elmore <lelmore@verizon.spam_me_not.net> writes:
the program was highlighting that a lot of the insurance was still going to rebuild in the same place ... sometimes nearly yearly (in violation of the bill/amendment). there were some statements about it actually being a federal subsidy to economic interests in the state ... and/or friends of same.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: PCI Council Releases Recommendations For Preventing Card-Skimming Attacks Date: 2 Sep, 2009 Blog: Payment Systems Network
One reason (in response to an early comment) was the observation about the large chip-based deployment in the US ... in the earlier part of this century/decade.
The consumer & POS experience was identical to magstripe. The problem was that the skimming characteristic of the chip resulted in a much worse threat & vulnerability than the skimming characteristic of magstripe. An assumption is that the much worse fraud characteristic of the chip contributed significantly to the apparent evaporation of that deployment w/o a trace ... and possibly still contributes to the tarnishing of chip deployments in the US.
That was a case of actual usage ... where the chip being deployed resulted in much worse skimming fraud consequences than exist with magstripe skimming (consumer, merchant, etc experience at POS was the same as magstripe ... it was that possible lack of understanding of skimming threats and vulnerabilities ... resulted in deploying a chip that had much worse skimming threat and vulnerability than magstripe). There has been no mention that the failed deployment was because the identical POS experience (for both consumers and merchants) contributed to the failed deployment.
One might make the claim that the failed deployment in the US was precisely because of problems with the lab & academic issues (related to skimming) and had absolutely nothing at all to do with the POS issues.
past posts in this thread
https://www.garlic.com/~lynn/2009m.html#13
https://www.garlic.com/~lynn/2009m.html#28
https://www.garlic.com/~lynn/2009m.html#40
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: lynn@GARLIC.COM (Anne & Lynn Wheeler) Subject: Re: Convert DB2 on z/OS to UDB on z/Linux Newsgroups: bit.listserv.ibm-main Date: 2 Sep 2009 13:06:44 -0700
mpost@NOVELL.COM (Mark Post) writes:
now one of the people mentioned in this old post
https://www.garlic.com/~lynn/95.html#13
mentions that he had been in STL and did most of the technology transfer from Endicott back to STL for DB2.
Later there was C-language RDBMS implementation, originally for OS2 (done at the same lab. that was doing C-language work) ... code name "shelby" (also codenames persist and crosswinds).
one of the early problems with system/r (and descendants) was the PLS
implementation. The PLS (and other 370 related) group had been killed
off during the future system period ... and it took a long time to
reconstitute it.
https://www.garlic.com/~lynn/submain.html#futuresys
old reference to several of the issues ... somewhat involving system/r
... including the PLS issue
https://www.garlic.com/~lynn/2007d.html#email800920
in this post:
https://www.garlic.com/~lynn/2007d.html#17
there is also one that is nearly twice as long, dated four days later,
that can be found here:
https://web.archive.org/web/20081115000000*/http://research.microsoft.com/~gray//papers/CritiqueOfIBM%27sCSResearch.doc
misc. past posts mentioning shelby:
https://www.garlic.com/~lynn/2005b.html#1 Foreign key in Oracle Sql
https://www.garlic.com/~lynn/2005u.html#41 Mainframe Applications and Records Keeping?
https://www.garlic.com/~lynn/2006w.html#13 IBM sues maker of Intel-based Mainframe clones
https://www.garlic.com/~lynn/2007j.html#12 Newbie question on table design
https://www.garlic.com/~lynn/2007s.html#21 Ellison Looks Back As Oracle Turns 30
https://www.garlic.com/~lynn/2008l.html#57 No offense to any one but is DB2/6000 an old technology. Does anybody still use it, if so what type of industries??
https://www.garlic.com/~lynn/2009f.html#58 Opinion: The top 10 operating system stinkers
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the Computer Newsgroups: alt.folklore.computers Date: Wed, 02 Sep 2009 16:07:11 -0400
somebody on health care this morning claimed that canada's health care spending is 9% of GNP and US is 19% of GNP (better than twice the percentage of total country resources) and US is increasing fast (as percentage of GNP).
i've been hearing for the past several weeks that US has the highest percentage of GNP spending on health care ... but one of the lowest levels of care for 1st world countries / industrial nations; however this was first time I heard it quantified.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: PCI Council Releases Recommendations For Preventing Card-Skimming Attacks Date: 2 Sep, 2009 Blog: Payment Systems Network
past posts in this thread
The skimming technology related to yes card was nearly identical to the magstripe skimming technology (end-point POS terminal compromise and record the information being processed by the POS terminal). For organized crime ... the ROI allowing electronics to skim the information, is orders of magnitude better than dealing with visible.
The x9a10 financial standard work that led to x9.59 financial standard
slightly tweaked the paradigm eliminating the PAN as vulnerability.
https://www.garlic.com/~lynn/x959.html#x959
The x9.59 work in the mid-90s avoided the problems that led to the
later yes card vulnerability (as well as a whole slew of other
shortcomings). X9.59 also demonstrated that an x9.59 chipcard could
work in the same POS terminal deployed for the failed chipcard
deployment (related to yes card vulnerability).
https://www.garlic.com/~lynn/subintegrity.html#yescard
The merchant and consumers would distinguish no operational difference ... other than there was no longer a skimming vulnerability and/or any problems with exposing the PAN.
The terminals being deployed for chipcards have had ability for provisioning from merchant acquiring (including software update downloads over same link used for transaction traffic). A trivial change in the POS terminal software (for chipcard capable POS, downloaded from merchant acquiring) allows for transparently differentiating whether a x9.59 transaction was being done or a non-x9.59 transaction was being done.
There is an operational difference, since X9.59 no longer has the skimming vulnerability and no problems with exposing the PAN. Since there is no longer a skimming vulnerability ... X9.59 also works equally well for contact and contactless processing. It also eliminates the necessity of using SSL (in internet environment) to hide the transaction (again since skimming has been eliminated as a vulnerability).
for those on linkedin
Hacker charges also an indictment on PCI, expert says
http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=59707682&gid=50424
PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=61974479&gid=50424
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the Computer Newsgroups: alt.folklore.computers Date: Thu, 03 Sep 2009 16:49:29 -0400
Dave Garland <dave.garland@wizinfo.com> writes:
the 60 minute segment said that the line for not negotiating prices was put in late in the game ... and that there were 12-18 congressman and staffers that prevented an updated GAO report to be distributed ... that reflected cost of the bill (doubled or more after that change was added to the bill).
the 60 minute segment had those 12-18 shepherding the bill thru (including getting the non-negotiating change just before the vote ... and preventing the gao cost update reflecting the change, from being distributed) ... and something like 6-12 months after bill passage ... all had left and were working for drug companies.
past post mentioning the cbs 60 min segment (looking at passage of the
drug bill):
https://www.garlic.com/~lynn/2007q.html#7 what does xp do when system is copying
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: PCI Council Releases Recommendations For Preventing Card-Skimming Attacks Date: 2 Sep, 2009 Blog: Payment Systems Network
past SSL reference in this thread
related to SSL ... DNSSEC can improve the trust in the information in SSL digital certificates ... a couple recent items about DNSSEC:
Educause Announces Plans To Sign .edu TLD With DNSSEC
http://news.slashdot.org/story/09/09/03/1845245/Educause-Announces-Plans-To-Sign-edu-TLD-With-DNSSEC
Security of .edu Internet Domain to Increase EDUCAUSE
http://www.educause.edu/About+EDUCAUSE/PressReleases/SecurityofeduInternetDomaintoI/178963
however, pervasive deployment of DNSSEC can also eliminate the need
for SSL digital certificates ... using public key available from the
DNS infrastructure (instead of needing SSL digital certificate to
obtain the public key) ... misc. past posts that DNSSEC may represent
a catch-22 for the SSL digital certificate industry:
https://www.garlic.com/~lynn/subpubkey.html#catch22
past posts discussing SSL digital certificates
https://www.garlic.com/~lynn/subpubkey.html#sslcert
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
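The mechanism in the post above, as an added example that is not part of the original post: a client takes the server's public key (here, its fingerprint) from a DNSSEC-signed record and compares it with the key the server presents, instead of checking a CA signature on a certificate. Everything in it is constructed for illustration: the zone name, host names, the byte strings standing in for public keys, and the use of HMAC-SHA256 with the zone key in place of a real DNSSEC signature chain are all assumptions, not anything from the page.

```python
import hashlib
import hmac

# Constructed demo. The zone publishes, for each host name, the fingerprint of
# that server's TLS public key, and signs the record. HMAC-SHA256 with the zone
# key stands in for the DNSSEC signature (RRSIG); the resolver's copy of that
# key stands in for a validation chain from a configured trust anchor. Server
# "public keys" are opaque byte strings here.
ZONE_KEY = hashlib.sha256(b"demo example.edu zone signing key").digest()


def fingerprint(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()


def record_sig(key: bytes, name: str, fp: str) -> str:
    return hmac.new(key, f"{name}|{fp}".encode(), hashlib.sha256).hexdigest()


class SignedZone:
    """Authoritative side: each (name -> key fingerprint) record carries a signature."""

    def __init__(self, key):
        self._key, self.records = key, {}

    def publish(self, name, pubkey):
        fp = fingerprint(pubkey)
        self.records[name] = {"fp": fp, "sig": record_sig(self._key, name, fp)}


class ValidatingResolver:
    """Client side: hands back a fingerprint only if its signature validates."""

    def __init__(self, zone, trust_key):
        self.zone, self.trust_key = zone, trust_key

    def key_fingerprint(self, name):
        rr = self.zone.records.get(name)
        if rr is None:
            return None, "no record"
        if not hmac.compare_digest(record_sig(self.trust_key, name, rr["fp"]), rr["sig"]):
            return None, "DNSSEC validation failed"
        return rr["fp"], "validated"


def accept_server_key(resolver, name, presented_pubkey):
    """Replaces 'check the CA signature on the server certificate': the key the
    server presents in the handshake is trusted iff it matches the validated
    DNS-published fingerprint for that name."""
    fp, status = resolver.key_fingerprint(name)
    if fp is None:
        return False, status
    if not hmac.compare_digest(fp, fingerprint(presented_pubkey)):
        return False, "presented key does not match DNS-published key"
    return True, "key matches validated DNS record"


def run_demo():
    zone = SignedZone(ZONE_KEY)
    zone.publish("www.example.edu", b"constructed server public key A")
    resolver = ValidatingResolver(zone, ZONE_KEY)
    r = {}
    r["genuine key"] = accept_server_key(resolver, "www.example.edu", b"constructed server public key A")
    r["attacker key"] = accept_server_key(resolver, "www.example.edu", b"constructed attacker key")
    r["unknown name"] = accept_server_key(resolver, "ftp.example.edu", b"constructed server public key A")
    # An on-path attacker can swap the published fingerprint but cannot re-sign it.
    zone.records["www.example.edu"]["fp"] = fingerprint(b"constructed attacker key")
    r["tampered record"] = accept_server_key(resolver, "www.example.edu", b"constructed attacker key")
    return r
```

The point of the last case is the one the post makes about trust: the record's value is only as good as the signature chain that covers it, so a spoofed or modified answer fails validation rather than being used, and no third-party certificate issuer is involved anywhere in the check.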
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Hacker charges also an indictment on PCI, expert says Date: 4 Sep, 2009 Blog: Payment Systems Network
re:
footnote on TPM ...
in the mid-90s, I had semi-facetious commented that I would take a $500 milspec part, aggressive cost reduce by 2-3 orders of magnitude while increasing the integrity.
part of the requirements that I had for AADS chip strawman design was not only handle high-value secure contact transactions but also be able to perform secure contactless transaction within the power constraints and elapsed-time limitations of transit turnstile (aka very little power executing in very small fraction of a second)
I figured that while I was at it ... I might as well make provisions so that it could also be used as a "TPM" chip. I gave a presentation on it at the trusted computing track at the Intel Developer's Conference. It turns out that the guy running trusted computing was in the front row ... so I took the opportunity to comment that it was nice to see that over the previous two years, the TPM chip was starting to look more & more like my AADS chip strawman. He quipped back that I didn't have the benefit of a committee of 200 people helping me with the design.
Part of the objective of TPM chip (in trusted computing) is to provide extra checks that trusted software is executing and hasn't been compromised. It turns out that this becomes a similar issue in the move to electronic provisioning for POS terminals (and supporting things like downloads from the acquirer). So there has been a fair amount of looking at not only using AADS chip strawman as various format agnostic, personal authentication tokens (or embedded in other things like cellphones) ... but also as a kind of TPM chip in POS terminals (and other similar devices).
old reference to Intel Developer's Conference trusted computing track
https://web.archive.org/web/20011109072807/http://www.intel94.com/idf/spr2001/sessiondescription.asp?id=stp%2bs13
Some AADS chip stuff:
https://www.garlic.com/~lynn/x959.html#aads
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Hacker charges also an indictment on PCI, expert says Date: 4 Sep, 2009 Blog: Payment Systems Network
re:
In the 90s, the EU finread standard ... some past posts
https://www.garlic.com/~lynn/subintegrity.html#finread
moved all that into a tamper-resistant external device (basically part of the card acceptor device) that wasn't vulnerable to the PC compromises and had countermeasures in case the connected PC was compromised.
What happened in the early part of this century/decade was that there was a program for consumer cards ... which distributed "free" serial-port card acceptor devices. The resulting enormous consumer configuration and installation problems resulted in a rapidly spreading opinion that chipcards weren't practical in the consumer environment (even tho the problems weren't in any way ... directly related to the chipcards). In the wake of that failed deployment and rapidly spreading opinion that chipcards weren't practical in the consumer market ... all consumer related chipcard programs were pulled and/or evaporated (including the EU finread work ... which represented real countermeasures to compromised PCs).
Part of the issue was that the financial industry was aware of the enormous consumer support issues with serial-port devices from the online (dialup) banking programs from the 80s & early 90s. Presentations in the early to mid-90s about moving from RYO online banking efforts to the internet ... frequently cited as a major motivation was eliminating the financial involvement in enormous costs related to consumer support issues with online access (especially serial-port devices).
All that institutional experience and knowledge regarding the enormous consumer serial-port support issues appeared to be ephemeral and apparently managed to evaporate in a five yr period between starting to move online banking to the internet (and off the proprietary dialup implementations) ... and the period deploying the "free" serial-port card acceptor devices.
Note in that period ... the awareness of the tremendous customer support problems with serial-port operation was a major motivation for the development of USB. There is possibility that organizations having lost all institutional knowledge regarding enormous consumer serial-port support problems ... were sitting ducks for unloading obsolete serial-port devices ... because of everything moving to USB.
The resulting failed deployment of the serial-port card acceptor devices (because of the enormous consumers support issues with serial-port) ... then resulted in a rapidly spreading opinion in the financial (and other industries) that chipcards weren't practical in the consumer market.
Shortly after that, there were several products with other kinds of solutions for secure PC financial operations. There were some number of pilots with significant satisfaction by both consumers and merchants. However, all of these failed to transition out of pilot.
Most of these encountered a severe cognitive dissonance with online merchants. Merchants have been conditioned for much higher interchange fees regarding online CNP (card not present)/MOTO transactions (justification being the much higher fraud rates). The online merchants had huge appetite for secure products that also represented much lower interchange fees. However, for that generation of secure online products, some into pilot stages, the merchants were then told that interchange fees would actually be higher than for internet CNP/MOTO (not lower). The merchants, having been conditioned that interchange fees were proportional to fraud rate ... appeared to not be able to reconcile online products that lowered fraud rate (compared to online CNP/MOTO) ... but would have even higher interchange fee than online CNP/MOTO (i.e. cognitive dissonance).
In the X9.59 financial transaction standard scenario
https://www.garlic.com/~lynn/x959.html#x959
... it basically provides end-to-end integrity (from the originating end-point thru to the issuing institution; eliminating fraud from skimming, data breaches, etc). The EU finread standard moved the "end-point" into an external secure environment (and out of the PC, the PC just becomes an intermediary point that is potentially restricted to just denial-of-service/DOS attacks).
Somewhat related to X9.59 financial transaction scenario ... was something we called parameterised risk management ... which allowed the issuing financial institution to evaluate a larger variety of factors as part of approving a transaction. One of the factors can be the physical location (if known) and/or end-point security (if known).
The EU finread standard provided for a secure end-point ... but the standard didn't provide for any way of proving a trusted finread end-point was being used. X9.59 provides for consumer authentication mechanism for each transaction ... but also provides for end-point optional authentication (allowing the issuing institution the option of evaluating the integrity of the consumer's authentication as well as the integrity of the end-point transaction environment).
So the previously mentioned chip, that could be in the user's authentication token ... and the same chip can be used as TPM for PCs and POS terminals ... AND the same chip can also be used in a EU finread device (to prove whether a trusted EU finread end-point was being used for the transaction).
The EU finread standard is external card acceptor device including its own pinpad and display ... and the entered PIN went directly from PIN pad to the card ... w/o ever going thru the PC.
The EU finread standard was purposefully countermeasure against all kinds of PIN skimming ... as well as countermeasure that PC trojan couldn't directly execute transactions with the hardware token (supplying the skimmed PIN w/o the owners involvement/ knowledge).
The EU finread standard also had its own display ... so that the transaction being authenticated (in the external EU finread device) could also not be spoofed ... i.e. PIN couldn't be eavesdropped, PINs and transactions couldn't be executed w/o owners participation and trojan software could claim that one transaction was being executed ... while the token was being used to execute a totally different transaction ("is what you see, actually what you are doing").
The EU finread standard specifically specified an external card acceptor device with its own trusted pin-pad and trusted display ... that required human operation and was immune from (and countermeasures for) PC compromises (which were well known and studied by at least the mid-90s)
The issue of parameterised risk management & x9.59 was adding trusted/proof for the issuing financial institution ... not just that EU finread devices were available ... but issuing financial institution could also trust when an EU finread device was actually being used (as end-point for trusted transaction execution environment)
and possibly those with linkedin access:
http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=59707682&gid=50424
As a person-centric exercise ... a demonstration was done that an AADS chip strawman token works for X9.59 financial standard transactions ... but that the same token could work w/o any changes, for both Kerberos and RADIUS.
Kerberos is widely used underlying authentication technology used on
large number of platforms ... including m'soft window
platforms. Kerberos originated out of MIT Project Athena (in previous
life in late 80s and early 90s, one task was periodically go by and
review Project Athena activities). Misc. past posts
discussing person-centric for financial transactions and
Kerberos
https://www.garlic.com/~lynn/subpubkey.html#kerberos
RADIUS is commonly used underlying authentication technology used by
ISPs world-wide. Misc. past posts discussing person-centric
authentication for financial transactions and RADIUS (I did some
number of RADIUS configurations in the early 90s, it originally was
done by vendor for their dial-up modem pools, but then was contributed
to IETF internet standard and became much more widely used):
https://www.garlic.com/~lynn/subpubkey.html#radius
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the Computer Newsgroups: alt.folklore.computers Date: Fri, 04 Sep 2009 12:35:35 -0400
Dave Garland <dave.garland@wizinfo.com> writes:
we looked at some of this a decade ago. one of the benefits was standardization across wide range of different places. A periodically cited reference was DRG for hip-replacement ... outcomes normalized for health, age, etc ... found that hospital on east coast had avg two week hospital stay ... while same for hospital in Santa Cruz had avg. one week hospital stay (again outcomes were normalized for age, health, other areas ... so shorter stay didn't have higher relapses, re-admittance, etc. ... implication was that the avg care at the west coast hospital was superior).
recently there have been some studies that hospitals which have the highest degree of automation avg. 30% better care than others. there may be what is cause and what is effect ... like the best hospitals with best practices everywhere else ... may more likely to have also the best practices for dataprocessing ... as opposed to the best dataprocessing resulting in other best practices.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Chip with PIN or Chip with signature Date: 4 Sep, 2009 Blog: Payment Systems Network
a little discussion x-over from these threads/articles:
PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=61974479&gid=50424
Hacker charges also an indictment on PCI, expert says
http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=59707682&gid=50424
In the x9.59 financial standard and related parameterised risk management
a hardware token fulfils something you have authentication ... from
3-factor authentication model
https://www.garlic.com/~lynn/subintegrity.html#3factor
• something you have (hardware token)
• something you know (pin, password)
• something you are (biometrics, thumbprint iris)
an x9.59 token solution works the same regardless of number of authentication factors ... and the transaction environment and/or issuing institution can mandate degree of authentication (based on risk &/or value of transaction).
and as discussed, the same chip can also be embedded in the transaction execution environment (POS terminal, card acceptor device) and can also become part of the factors considered by issuing financial institutions for parameterised risk management.
The business rules for level/factors for authentication aren't in the token ... but possibly multiple different authentication factors are supported by the token ... and based on the authentication factors involved ... the token just includes that information as part of the authenticated transaction.
Part of this was removing barriers for a person-centric token paradigm ... a person's token could be used across a broad range of different environments w/o constant, expensive, cumbersome and vulnerable chipcard provisioning. The chip works perfectly fine in an institutional-centric environment (one token per institution) ... but barriers are removed for it to operate in a person-centric paradigm (common token for possibly all environments). Related to enabling for person-centric environment is that a broad range of different environments are likely to also have a broad range of risks and authentication requirements (i.e. parameterised risk management) ... and therefor for a common token to be successful ... it can't mandate the same authentication requirements for all the different environments.
As a person-centric exercise ... a demonstration was done that an AADS chip strawman token works for X9.59 financial standard transactions ... but that the same token could work w/o any changes, for both Kerberos and RADIUS.
Kerberos is widely used underlying authentication technology used on
large number of platforms ... including m'soft window
platforms. Kerberos originated out of MIT Project Athena (in previous
life in late 80s and early 90s, one task was periodically go by and
review Project Athena activities). Misc. past posts discussing person-centric
for financial transactions and Kerberos
https://www.garlic.com/~lynn/subpubkey.html#kerberos
RADIUS is commonly used underlying authentication technology used by
ISPs world-wide. Misc. past posts discussing person-centric
authentication for financial transactions and RADIUS (I did some
number of RADIUS configurations in the early 90s, it originally was
done by vendor for their dial-up modem pools, but then was contributed
to IETF internet standard and became much more widely used):
https://www.garlic.com/~lynn/subpubkey.html#radius
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Online banking: Which bank is the most secure? Date: 5 Sep, 2009 Blog: Financial Crime Risk, Fraud and Security
Online banking: Which bank is the most secure?
from above:
Of the 10 banks and building societies surveyed, Barclays' security
was rated the best by Which? Computing, while Abbey and Halifax were
given the wooden spoon for their poor security.
... snip ...
Court Allows Woman to Sue Bank for Lax Security After $26,000 Stolen
by Hacker
http://www.wired.com/threatlevel/2009/09/citizens-financial-sued/
from above:
An Illinois district court has allowed a couple to sue their bank on
the novel grounds that it may have failed to sufficiently secure their
account, after an unidentified hacker obtained a $26,500 loan on the
account using the customers' user name and password.
... snip ...
in shared-secret authentication paradigm ... people are frequently required to divulge their password ... and therefore become conditioned to having to give out some sort of shared-secret (pin, password, ssn#, DOB, etc). then an attacker can impersonate the victim by repeating the shared-secret.
The (static-data) shared-secret paradigm also is at the root of skimming, data-breaches and large variety of other vulnerabilities (attackers obtaining the information and then simply being able to replay the information as part of impersonating the individual).
from 3-factor authentication paradigm ... some number of past posts
https://www.garlic.com/~lynn/subintegrity.html#3factor
• something you have (hardware token, magstripe)
• something you know (pin, password)
• something you are (biometrics, fingerprint, etc)
these can be implemented in various ways ... "static data" vis-a-vis "dynamic data" ... shared-secret vis-a-vis "secret", etc.
It is possible to design authentication such that the end-user is never required to divulge some piece of information ... and as a result, a publicity program can be put in place to remind users that it is never necessary to do something ... just because they are told to ... which could greatly improve public's resistance to common social engineering (and reduce the benefits to attackers for doing social engineering).
somewhat related discussion in payment systems network:
PCI Council Releases Recommendations For Preventing Card-Skimming
Attacks
http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=61974479&gid=50424
Hacker charges also an indictment on PCI, expert says
http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=59707682&gid=50424
for the fun of it ... magstripe invention and then standards managed
out of los gatos lab:
https://en.wikipedia.org/wiki/Magnetic_stripe
and early development of ATM machines at los gatos lab:
https://en.wikipedia.org/wiki/IBM_3624
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
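An added example, not part of the original posts, tying together the X9.59 points made in the "Hacker charges", "Chip with PIN" and "Online banking" posts above: the account number travels in the clear and is not a secret, every transaction carries dynamic data and a signature from the token (so a skimmed copy cannot be replayed or altered), the token reports which authentication factors were used, an end-point can optionally co-sign so the issuer knows a trusted reader was used, and the issuer applies parameterised risk rules to all of that. The static-data magstripe model is included for contrast. Everything here is constructed: the PAN, merchant names, track data, reader id, the risk thresholds and the use of HMAC-SHA256 per device in place of the public-key signatures X9.59 actually uses are assumptions, not anything from the page or from the standard.

```python
import hashlib
import hmac
import json

# Constructed demo keys. In X9.59 the token signs with a private key and the
# issuer verifies with the registered public key; an attesting end-point (an
# EU FINREAD-style reader, or a POS terminal carrying a TPM-like chip) does the
# same. HMAC-SHA256 with a per-device key known only to that device and the
# issuer stands in for those signatures; the shape of the checks is the point.
TOKEN_KEY = hashlib.sha256(b"demo token key").digest()
READER_KEY = hashlib.sha256(b"demo finread reader key").digest()


def canonical(fields):
    """Deterministic encoding of the signed fields."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def mac(key, fields):
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


class Token:
    """Consumer hardware token: signs each transaction, never exports its key."""

    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0

    def sign(self, amount, merchant, factors):
        self.counter += 1  # dynamic data: each signed transaction is usable once
        body = {"pan": self.pan, "amount": amount, "merchant": merchant,
                "counter": self.counter, "factors": sorted(factors)}
        return dict(body, token_sig=mac(self._key, body))


class Reader:
    """Attesting end-point: co-signs the token's already-signed transaction."""

    def __init__(self, reader_id, key):
        self.reader_id, self._key = reader_id, key

    def attest(self, txn):
        attested = dict(txn, reader_id=self.reader_id)
        return dict(attested, reader_sig=mac(self._key, attested))


class Issuer:
    """Issuing institution: verifies signatures, rejects replays, applies risk rules."""

    def __init__(self):
        self.token_keys, self.reader_keys, self.last_counter = {}, {}, {}

    def register_token(self, pan, key):
        self.token_keys[pan] = key

    def register_reader(self, reader_id, key):
        self.reader_keys[reader_id] = key

    def authorize(self, txn):
        txn = dict(txn)
        reader_sig = txn.pop("reader_sig", None)
        reader_id = txn.pop("reader_id", None)
        trusted_endpoint = False
        if reader_sig is not None:  # end-point authentication is optional
            rkey = self.reader_keys.get(reader_id)
            attested = dict(txn, reader_id=reader_id)
            if rkey is None or not hmac.compare_digest(mac(rkey, attested), reader_sig):
                return False, "bad end-point attestation"
            trusted_endpoint = True
        token_sig = txn.pop("token_sig", None)
        tkey = self.token_keys.get(txn.get("pan"))
        if tkey is None or token_sig is None or not hmac.compare_digest(mac(tkey, txn), token_sig):
            return False, "bad token signature"  # e.g. skimmed data with the amount changed
        if txn["counter"] <= self.last_counter.get(txn["pan"], 0):
            return False, "replay"  # a skimmed copy of a valid transaction
        # Parameterised risk management; these thresholds are hypothetical.
        needed = {"have"}
        if txn["amount"] > 50:
            needed.add("know")
        missing = needed - set(txn["factors"])
        if missing:
            return False, "missing factor(s): " + ",".join(sorted(missing))
        if txn["amount"] > 1000 and not trusted_endpoint:
            return False, "high value requires attested end-point"
        self.last_counter[txn["pan"]] = txn["counter"]
        return True, "approved"


class MagstripeIssuer:
    """Static-data model for contrast: whoever holds a copy of the track can spend."""

    def __init__(self):
        self.tracks = set()

    def authorize(self, track):
        return track in self.tracks


def run_demo():
    issuer = Issuer()
    token = Token("4111111111111111", TOKEN_KEY)  # constructed test PAN
    reader = Reader("finread-001", READER_KEY)
    issuer.register_token(token.pan, TOKEN_KEY)
    issuer.register_reader(reader.reader_id, READER_KEY)
    r = {}
    t1 = token.sign(20, "coffee", {"have"})
    r["small, token only"] = issuer.authorize(t1)
    r["skimmed and replayed"] = issuer.authorize(t1)
    r["no pin"] = issuer.authorize(token.sign(200, "shop", {"have"}))
    t3 = token.sign(200, "shop", {"have", "know"})
    r["altered amount"] = issuer.authorize(dict(t3, amount=2000))
    r["with pin"] = issuer.authorize(t3)
    r["high value, plain pos"] = issuer.authorize(token.sign(5000, "jeweller", {"have", "know"}))
    r["high value, finread"] = issuer.authorize(reader.attest(token.sign(5000, "jeweller", {"have", "know"})))
    ms = MagstripeIssuer()
    ms.tracks.add("4111111111111111=0912101")  # constructed track data
    r["magstripe skim replay"] = ms.authorize("4111111111111111=0912101")
    return r
```

Note what the skimmer gets in the X9.59 path: the PAN, the amount, the counter and a signature, all of which are already in the clear, and none of which let the skimmer produce a second accepted transaction. In the magstripe path the skimmed track is the whole credential, which is the static-data shared-secret problem the "Online banking" post describes.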
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the Computer Newsgroups: alt.folklore.computers Date: Sat, 05 Sep 2009 12:27:29 -0400
Stan Barr <plan.b@dsl.pipex.com> writes:
there was a bbc (ww1) blackadder segment that had question about what does an Englishman do when they meet a man in a skirt ... the reply was "run him thru and nick his land" (referring to attempt at Scottish genocide and appropriating all the country). the same segment had some reference to all the military experience the English had going into ww1 ... and the response was shooting pygmies attacking with mangoes didn't do a lot for preparing for ww1.
there was some later reference about why so many scottish young men served in ww1 was that after the english had moved in and took over everything, scottish young men had no other opportunity (but the army).
for slightly other drift, recent references to "A Peace to End All
Peace", original edition 1989 (although they've come out with 20th annv
edition) that was apparently based on a lot of declassified british
documents about ww1 (and discusses much of current circumstances are the
result of activity in the middle east by the allies ending ww1)
https://www.garlic.com/~lynn/2009i.html#40 64 Cores -- IBM is showing a prototype already
https://www.garlic.com/~lynn/2009j.html#47 Specifications
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the Computer Newsgroups: alt.folklore.computers Date: Sat, 05 Sep 2009 12:57:15 -0400
Patrick Scheible <kkt@zipcon.net> writes:
re:
https://en.wikipedia.org/wiki/Indentured_servant
from above:
Indentured servitude was a common part of the landscape in England and
Ireland during the 1600s. During the 1600s, many Irish were also
kidnapped and taken to Barbados. In 1643, there were 37,200 whites in
Barbados (86% of the population).[19] Many indentured servants were
captured by the English during Cromwell's expeditions to Ireland and
Scotland, who were forcibly brought over between 1649 and 1655.
... snip ...
and ...
Many white Irish slaves were taken to Montserrat during the slave trade:
it is the only territory in the world, other than the Republic of
Ireland, to have a public holiday for St Patrick Day.
... snip ...
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Tell me something about how you use signature files! Blog: Web Development Date: Sat, 06 Sep 2009
I got blamed for online computer conferencing on the internal network in the late 70s & early 80s (the internal network was larger than the arpanet/internet from just about the beginning until possibly late '85 or early '86). Signatures grew to be both internal & external phone nos. as well as internal and external email. Was also one of the first to get business cards with email in addition to phone.
At some point, corporation said that business cards were purely external contact and shouldn't carry internal email. The problem was that up until then cards were normal for both internal and external contacts and frequently carried both internal and external phone nos (which implied that they were being somewhat inconsistent regarding internal email address).
Later in the 80s, when I started using emacs for email, I configured to using unix "fortune" to add to the signature line ... which was just "zippy" file at the time. I did add a couple other files that had been kicking around internally and would randomly select from available files.
recent post discussing the subject:
https://www.garlic.com/~lynn/2009l.html#19
in the early 80s, as the corporate executives became aware of the
computer conferencing ... there was a fairly large investigation into
the emerging phenomena. Part of the results was deployment of an
"official" tool and sanctioned activity. With the official "tool",
users could select a number of ways how they interacted ... including
both a "usenet" kind of mode as well as a "listserv" kind of mode
(mailing list, predating listserv by a number of yrs). a recent post
mentioning "TOOLSRUN":
https://www.garlic.com/~lynn/2009j.html#79 Timeline: The evolution of online communities
https://www.garlic.com/~lynn/2009k.html#6 Timeline: The evolution of online communities
for the internal network ... a distribution list driver was developed
... which efficiently transmitted information when there were multiple
recipients
https://www.garlic.com/~lynn/2009k.html#12 Timeline: The evolution of online communities
https://www.garlic.com/~lynn/2009k.html#13 Timeline: The evolution of online communities
bitnet (& earn) was the external university implementation (using the
internal network technology) ... and the distribution list processing
was eventually made available as part of the product. ... misc. past
posts mentioning bitnet (earn in europe)
https://www.garlic.com/~lynn/subnetwork.html#bitnet
misc. past posts mentioning the internal network
https://www.garlic.com/~lynn/subnetwork.html#internalnet
bits & pieces of various email (dating back to 1973)
https://www.garlic.com/~lynn/lhwemail.html
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Declare War on SQL Injection Attacks Blog: Information Security Network Date: Sun, 06 Sep 2009
Declare War on SQL Injection Attacks
from above:
Analysis: Like smallpox or polio, this pest should be eliminated, and
it just takes some attention and some code.
... snip ...
for the fun of it ... misc. past posts about original relational/sql
implementation
https://www.garlic.com/~lynn/submain.html#systemr
We had been called in to consult with small client/server startup that wanted to do payment transactions on their server ... the startup had also invented this technology called SSL that they wanted to use; the result is now frequently called electronic commerce.
In the following period, webservers that had RDBMS were always having much larger number of compromises & exploits than straight flat file implementations. It wasn't any single thing ... but in aggregate, RDBMS environments tend to be significantly more complex than flat file implementations ... and compromises/exploits are frequently proportional to complexity.
Past references to having worked on high availability and cluster
scale-up
https://www.garlic.com/~lynn/subtopic.html#hacmp
this post mentions a Jan92 meeting on the subject:
https://www.garlic.com/~lynn/95.html#13
two of the people from the above referenced, Jan92 meeting then leave and show up at the small client/server startup responsible for something called the "commerce server" (which started out as a multi-store "MALL" implementation built with RDBMS from their previous employer).
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Ikea type font change Newsgroups: alt.folklore.computers Date: Sun, 06 Sep 2009 15:08:25 -0400
Elliott Roper <nospam@yrl.co.uk> writes:
then atex was one of the early ha/cmp adopters (would have been during
its kodak days ... see the wiki reference)
https://www.garlic.com/~lynn/subtopic.html#hacmp
current web page:
http://www.atex.com/
the wiki makes reference to "Atex messaging" being major predecessor of
e-mail and instant messaging ... although atex wasn't founded until
1973, so couldn't have predated the virtual machine based stuff on the
internal network.
https://www.garlic.com/~lynn/subnetwork.html#internalnet
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Ikea type font change Newsgroups: alt.folklore.computers Date: Sun, 06 Sep 2009 15:35:01 -0400
re:
from above:
Last year, Kodak formed an alliance with I.B.M. to help rescue Atex by
replacing its system of Digital Equipment Corporation minicomputers and
terminals with systems based on I.B.M.'s RS/6000 file-server computers
and PS/2 desk-top machines.
... snip ...
above mentions in '88 NYT announced $22m plan for customized version of Atex.
feb 1995 article
http://findarticles.com/p/articles/mi_m3065/is_n2_v24/ai_16328496/
by '95, kodak had sold them off ... and they were moving a lot of the front-end stuff to desktop computers ... mentions rs/6000 (again doesn't call out the ha/cmp configurations).
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Definition of a computer? Newsgroups: alt.folklore.computers Date: Sun, 06 Sep 2009 16:21:25 -0400
greymausg writes:
young cows tended to stay with their mother ... so whatever brand the mother had, was assumed that the calf got the same brand.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Ikea type font change Newsgroups: alt.folklore.computers Date: Sun, 06 Sep 2009 17:25:22 -0400
Elliott Roper <nospam@yrl.co.uk> writes:
it was a "typefont plus dec/vms plus NYT" to atex topic drift (NYT/atex moving to atex rs6000 hacmp)
aka mar '91 article reference:
https://www.garlic.com/~lynn/2009m.html#58 Ikea type font change
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the Computer Newsgroups: alt.folklore.computers Date: Sun, 06 Sep 2009 18:37:26 -0400
Dave Garland <dave.garland@wizinfo.com> writes:
it was relatively easy for everybody to tax the babyboomer generation to pay for the prior generations ... but it gets/becomes much more difficult when the babyboomers are the ones retiring (and the ratio changes by factor of eight times).
it isn't just the following generation making up coverage shortfalls for the retired babyboomer generation ... but also the ratio of health care workers to number of retirees is cut by a factor of eight times (four times as many retirees, only half as many all kinds of workers, including health care workers).
it is possible that society in general (or at least as it has been known for the past couple decades) isn't going to be able to afford that ratio of old people.
past posts mentioning the baby boomer bulge moving into retirement and
significantly changing ratio
https://www.garlic.com/~lynn/2008h.html#26 The Return of Ada
https://www.garlic.com/~lynn/2008i.html#98 dollar coins
https://www.garlic.com/~lynn/2008l.html#37 dollar coins
https://www.garlic.com/~lynn/2008m.html#3 Medical care
https://www.garlic.com/~lynn/2008n.html#13 Michigan industry
https://www.garlic.com/~lynn/2008n.html#20 Michigan industry
https://www.garlic.com/~lynn/2008o.html#8 The end of the baby boomers, US bonds maturing, and then what?
https://www.garlic.com/~lynn/2008o.html#58 Everyone is getting same deal out of life: babyboomers can't retire but they get SS benefits intact
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the Computer Newsgroups: alt.folklore.computers Date: Mon, 07 Sep 2009 10:58:39 -0400
Ahem A Rivet's Shot <steveo@eircom.net> writes:
the conundrum is that upwards of 50% of the bottom line of US financial institutions have been payment transactions fees ... interchange fees (paid by merchants) have been somewhat proportional to the amount of risk/fraud related to the transaction (the more risk, the higher the interchange fees, internet CNP/MOTO ... aka card-not-present, mail-order/telephone-order ... being the highest). There is at least order of magnitude difference in interchange fees between the payments with the lowest risk and the highest risk payments. Reducing overall risk & related interchange fees by order of magnitude might imply nearly 50% cut in consumer financial institution bottom line.
This was lots of the cognitive dissonance between merchants and financial institutions over introduction of more secure payment products ... where there was an effort to somewhat change the whole landscape, preserving the existing interchange fees proportional to risk ... but then for newer, safer products (that could significantly reduce risk & fraud) ... introduce a new paradigm where the fees for those products are even higher than the fees for the highest risk/fraud (and they were unable to sell the new paradigm to the merchants). Merchants have been rallying back with points that interchange fees are the largest expense for some. Just now a TV program on health care costs and the huge burden on corporations (auto companies citing past references when employee benefits exceeded all their other costs). Retail stores have recently been making statements that interchange fees exceed their employee health benefit costs.
Significantly reducing fraud & significantly improved security can be considered a quality issue ... both good security and good quality having to be designed/built in from the ground up .... and poor quality and poor security overlap with high risk and high fraud.
other recent posts on cognitive dissonance with respect to
interchange fees:
https://www.garlic.com/~lynn/2009f.html#60 Cobol hits 50 and keeps counting
https://www.garlic.com/~lynn/2009g.html#62 Solving password problems one at a time, Re: The password-reset paradox
https://www.garlic.com/~lynn/2009g.html#64 What happened to X9.59?
https://www.garlic.com/~lynn/2009i.html#51 64 Cores -- IBM is showing a prototype already
other posts on the above fraud/security issue:
https://www.garlic.com/~lynn/2009l.html#50 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#53 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#61 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#64 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009l.html#68 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009m.html#4 Hacker charges also an indictment on PCI, expert says
https://www.garlic.com/~lynn/2009m.html#13 PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
https://www.garlic.com/~lynn/2009m.html#28 PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
https://www.garlic.com/~lynn/2009m.html#40 PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
https://www.garlic.com/~lynn/2009m.html#42 PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
https://www.garlic.com/~lynn/2009m.html#45 PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
https://www.garlic.com/~lynn/2009m.html#47 PCI Council Releases Recommendations For Preventing Card-Skimming Attacks
https://www.garlic.com/~lynn/2009m.html#48 Hacker charges also an indictment on PCI, expert says
parts of older thread on the subject:
https://www.garlic.com/~lynn/aadsm27.htm#31 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#32 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#33 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#34 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#35 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#37 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#38 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#39 a fraud is a sale, Re: The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#40 a fraud is a sale, Re: The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#41 The bank fraud blame game
https://www.garlic.com/~lynn/aadsm27.htm#42 The bank fraud blame game
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: What happened to computer architecture (and comp.arch?) Newsgroups: comp.arch Date: Mon, 07 Sep 2009 13:38:26 -0400
Mayan Moudgill <mayan@bestweb.net> writes:
one might point out that the number of circuits going into many current processors dwarfs the aggregate number of circuits in all of those chips from the past.
los gatos also did the LSM (los gatos state machine ... renamed the logic simulation machine). it was used for logic verification of some number of chip designs ... not just Los Gatos chips. One of the things that differentiated LSM (from most of the other, similar hardware logic simulators of the period) was that it had a "clock" .. which provided for handling non-synchronous designs and/or digital chips that included analog circuits (possibly what one might find in disk r/w heads).
part of the 801/iliad risc effort in the late 70s & early 80s was converge the large number of different processor chips to 801 (significant numbers were "embedded") ... it wasn't just the chip design ... but each chip tended to have customized software development and programming environment.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the Computer Newsgroups: alt.folklore.computers Date: Mon, 07 Sep 2009 14:09:12 -0400
Anne & Lynn Wheeler <lynn@garlic.com> writes:
with a little x-over from (not just auto industry but steel industry
also):
https://www.garlic.com/~lynn/2009m.html#62 August 7, 1944: today is the 65th Anniversary of the Birth of the Computer
when the baby boomer bubble was at its height ... it represented a significant worker bubble as well as a significant (economic) consumer bubble.
a lot of the companies set up retirement scams that weren't fully-funded ... paying the (much smaller number of) retirees out of operating funds ... pocketing the difference between fully funded retirement plan and what they were paying out.
when the unfunded retirement liability starts to bankrupt the company (... combination of baby boomer bubble moving into retirement as well as some economic downturn since retirees tend to buy less, the following worker/consumer generation only half as large, something about 69% of US economy is consumer purchases)
(... in any case), declare bankruptcy, walk away with the pocketed funds from the previous couple decades of unfunded liabilities (bankruptcy moving the huge unfunded liabilities to the fed books) ... i.e. the scam allowed some number of people to walk away with the money in their pockets (the amount equivalent to the unfunded retirement liabilities). there is some similarity between the unfunded retirement scam and ponzi schemes (taking advantage of the huge baby boomer bubble during the height of their working & consuming years).
the paper IOUs in the social security system are a similar scam.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: European Banks Warned: Brace for Rise in Cash Machine Fraud Date: 7 Sep, 2009 Blog: Financial Crime Risk, Fraud and Security
European Banks Warned: Brace for Rise in Cash Machine Fraud
from above:
Banks are likely to see cash-machine fraud rise unless steps are taken
to improve their cash-machine infrastructure, the European Network and
Information
... snip ...
European banks warned: brace for rise in cash machine fraud
http://www.networkworld.com/news/2009/091409-heartland-ceo-credit-card-encryption.html
EU agency 'alarmed' by rise in cash machine fraud
http://www.finextra.com/fullstory.asp?id=20448
Huge rise in cash-machine crime, watchdog warns Money The Guardian
http://www.guardian.co.uk/uk/2009/sep/07/cash-machine-crime-increase-fraud
EU urges wise-up to combat rampant ATM crime
http://www.theregister.co.uk/2009/09/07/eu_atm_crimebuster_drive/
for historical reference .... invention of magstripe and management of
magstripe standards at Los Gatos lab:
https://en.wikipedia.org/wiki/Magnetic_stripe_card
and early ATM machines also done at Los Gatos lab
https://en.wikipedia.org/wiki/IBM_3624
3624 introduced the PIN-block used for encrypted transmission of the PIN
https://en.wikipedia.org/wiki/Personal_identification_number
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: What happened to computer architecture (and comp.arch?) Newsgroups: comp.arch Date: Mon, 07 Sep 2009 17:54:01 -0400
Robert Myers <rbmyersusa@gmail.com> writes:
in any case, just mapping tab/threads to processors, won't necessarily fix my problems for some time yet (having at least as many physical processors as I have concurrent tabs).
in my undergraduate days ... I did a lot on resource management and scheduling ... and when threads were totally independent I could take advantage of multiple physical processors (and not let hogs, hog resources).
however, one of the premier multi-threaded transaction processing from 60s was CICS (univ. where I was undergraduate was selected to be one of the original cics product betatest locations and I got tasked to support/debug the deployment, 40yrs ago now).
In any case ... it wasn't until a couple yrs ago that CICS
multi-threaded support was upgraded to support multiple processors (up
until then large installations might have 100 or more different
concurrent CICS "images" ... some still have multiple concurrent CICS
images). cics multiprocessor exploitation
http://www.ibmsystemsmag.com/mainframe/septemberoctober05/tipstechniques/10093p1.aspx
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: European Banks Warned: Brace for Rise in Cash Machine Fraud Date: 8 Sep, 2009 Blog: Financial Crime Risk, Fraud and Security
re:
ATM fraud increases
http://www.themoneytimes.com/articles/20080313/carlyle_fails_in_negotiations_banks_may_seize_assets-id-1018813.html
from above:
ATM fraud in Europe is rising fast, with criminals using increasingly
sophisticated methods of attack.
... snip ...
ATM fraud continues to climb as consumers warned over risks and
potential losses
http://www.scmagazineuk.com/ATM-fraud-continues-to-climb-as-consumers-warned-over-risks-and-potential-losses/article/148281/
from above:
annual cash machine losses in Europe is approaching 500 million, with
a total of 10,302 skimming incidents reported in Europe in 2008, a 149
per cent rise in ATM attacks.
... snip ...
Hackers turn attention to ATMs; Experts urge banks to re-examine the
security of their back-end infrastructure
http://www.pcmag.co.uk/v3/news/2249021/hackers-turn-attention-atms
from above:
While the rise in attacks on internet banking systems is well
documented, the ATM Crime (PDF) research points to a 149 per cent rise
in ATM attacks last year, including 10,302 so-called 'skimming'
incidents.
... snip ...
for the fun of it ... Los Gatos lab post/reference in comp.arch
newsgroup yesterday
https://www.garlic.com/~lynn/2009m.html#63 What happened to computer architecture
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Definition of a computer? Newsgroups: alt.folklore.computers Date: Tue, 08 Sep 2009 16:00:33 -0400
Chris Barts <chbarts+usenet@gmail.com> writes:
basically after-market deployments of serial-port devices ... especially dial-up modems was enormous headache.
major motivation given for dial-up online consumer banking moving to the internet was to offload to the ISPs, their enormous customer support costs (related to dial-up serial-port modems) ... although in the early-to-mid 90s presentation ... while online consumer banking was talking about moving to the internet, in large part because of enormous serial-port customer support costs .... online commercial/cash-management banking presentations (from the period) were adamant that they would never move to the internet (because uncontrollable security problems).
in any case, after USB was being deployed ... apparently the loss (in period of 4-5yrs) of ephemeral institutional knowledge (regarding enormous serial-port consumer support costs) ... resulted in major financial deployment of an (obsolete) serial-port device (that was supposed to significantly improve security of internet financial transactions). the enormous customer support problems reappeared ... which they weren't prepared for &/or staffed for ... resulting in the whole thing being terminated and disappearing w/o a trace.
that failed deployment also led to rapidly spreading rumor (in the industry) that authentication hardware tokens weren't practical in the consumer market (it wasn't that the tokens weren't practical ... it was the attempt to use serial-port interface which wasn't practical).
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: U.S. students behind in math, science, analysis says Newsgroups: alt.folklore.computers Date: Tue, 08 Sep 2009 18:40:56 -0400
also has made cnn tv news
U.S. students behind in math, science, analysis says
http://www.cnn.com/2009/US/08/25/students.science.math/
however, this has been going on for a couple decades ... didn't quote study that claimed US would contribute to more robust US economy and GDP.
past threads over past couple yrs:
https://www.garlic.com/~lynn/2007r.html#33 Students mostly not ready for math, science college courses
https://www.garlic.com/~lynn/2007r.html#36 Students mostly not ready for math, science college courses
https://www.garlic.com/~lynn/2007r.html#38 Students mostly not ready for math, science college courses
https://www.garlic.com/~lynn/2007r.html#46 Students mostly not ready for math, science college courses
https://www.garlic.com/~lynn/2007s.html#22 America Competes spreads funds out
https://www.garlic.com/~lynn/2007u.html#78 Education ranking
https://www.garlic.com/~lynn/2008.html#57 Computer Science Education: Where Are the Software Engineers of Tomorrow?
https://www.garlic.com/~lynn/2008.html#62 competitiveness
https://www.garlic.com/~lynn/2008b.html#57 Govt demands password to personal computer
https://www.garlic.com/~lynn/2008e.html#61 Study Finds Sharp Math, Science Skills Help Expand Economy
https://www.garlic.com/~lynn/2008e.html#63 Study Finds Sharp Math, Science Skills Help Expand Economy
https://www.garlic.com/~lynn/2008f.html#22 Study Finds Sharp Math, Science Skills Help Expand Economy
https://www.garlic.com/~lynn/2008f.html#70 Study Finds Sharp Math, Science Skills Help Expand Economy
https://www.garlic.com/~lynn/2008f.html#81 Is IT becoming extinct?
https://www.garlic.com/~lynn/2008n.html#18 VMware Chief Says the OS Is History
https://www.garlic.com/~lynn/2008o.html#58 Everyone is getting same deal out of life: babyboomers can't retire but they get SS benefits intact
https://www.garlic.com/~lynn/2008s.html#20 Five great technological revolutions
https://www.garlic.com/~lynn/2009d.html#21 IBM 'pulls out of US'
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
Subject: Re: Client Certificate UI for Chrome? Date: Tue, 08 Sep 2009 21:30:38 -0400 From: Anne & Lynn Wheeler <lynn@garlic.com> MailingList: cryptography
On 09/06/2009 03:34 AM, Peter Gutmann wrote:
however, at the same time, the dialup online commercial/cash-management banking operations were making presentations, claiming that they would never move to the internet because of the myriad of unsolved (possibly unsolvable) internet security problems. the circumstances hasn't improved a whole lot in the 15yr interim.
The "serial-port" specific issues were major motivation for development of USB. There was a financial hardware authentication token deployment in the early days of USB ... but attempted to use (obsolete) serial-port interface boxes. The financial industry institutional knowledge regarding the enormous difficulty and costs associated with serial port appeared to evaporate in the few years between the migration of dialup online banking to the internet and the time of the secure hardware authentication token. They weren't prepared for the difficulty or staffed to handle the resulting significant customer support problems ... and eventually the deployment floundered and disappeared.
In the aftermath of failed deployment there was rapidly spreading opinion in the industry that hardware tokens weren't practical in the consumer market ... when, in actual fact, serial-port devices weren't practical in the consumer market (which some in the industry already knew).
... long ago and far away ... some number would claim that there weren't hard numbers for (my) scheduler products. For one product I shipped, I did a set of 2000 automated benchmarks that took three months elapsed time to run .. that were strategically designed to validate operation with large variety of workloads, configurations and scheduling policies.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Definition of a computer? Newsgroups: alt.folklore.computers Date: Tue, 08 Sep 2009 22:26:41 -0400
Chris Barts <chbarts+usenet@gmail.com> writes:
most of the time the univ. ran its 360/67 as non-virtual memory os/360 ... in the 68 time-period with os360 version 14 (MFT). I had done a lot of work to speed up thruput with MFT14 by almost factor of 3 times for typical university workload.
the last week of jan68, three people had come out from science center and installed cp67. in the following months ... i also redesigned & rewrote large sections of cp67 code.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: August 7, 1944: today is the 65th Anniversary of the Birth of the Computer Newsgroups: alt.folklore.computers Date: Tue, 08 Sep 2009 22:46:16 -0400
greymausg writes:
the baby boomer bubble moves into retirement and say they cut their spending in half ... they are no longer earning as much and their retirement income is questionable.
one of the problems then
https://www.garlic.com/~lynn/2009m.html#64 August 7, 1944: today is the 65th Anniversary of the Birth of the Computer
is retiring baby boomers not only represents a significant reduction in the work force ... following generation is only half as large (... and a huge increase in the retirement population) ... but also a significant reduction in the consumer economy ... which doesn't bode well for an economy/GDP that is possibly 69% consumer driven.
on one hand parsimonious, aging baby boomer may not require much retirement income ... but then they also aren't helping drive a consumer economy (say possibly 20% reduction in GDP?).
to say nothing of the possibly issue that the following generations may
not have the necessary math & science skills to maintain the society at
a high standard of living
https://www.garlic.com/~lynn/2009m.html#69 U.S. students behind in math, science, analysis says
.. also contributing to big further declines in GDP
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Definition of a computer? Newsgroups: alt.folklore.computers Date: Wed, 09 Sep 2009 09:15:29 -0400
jmfbahciv <jmfbahciv@aol> writes:
this particular set of problems were specific to serial-port (especially customers installing after-market serial-port devices) ... somewhat independent of the dial-up/modem related problems.
One (dial-up) online banking operation claimed to have built up a library of over 60 different device drivers for their customer base ... to try and have one that actually worked for some subset of customers.
in the serial-port device for interfacing to (security/authentication) hardware tokens ... there were all sorts of installation & configuration problems ... interrupt conflicts, BSOD, people having to re-install from scratch. customer call center calls that went on for an hour or more ... w/o any guarantee that the problems would be resolved. Medium sized business operation with a couple thousand PCs figured that it would avg. $500/PC to have a professional do the installation/configuration (correctly) for each PC.
there is a related thread in crypto mailing list about how to "fix
internet security problems" ... recent post
https://www.garlic.com/~lynn/2009m.html#70 Client Certificate UI for Chrome?
consumer dial-up online home banking operations saying that they would move to the internet, in large part motivated by huge consumer support problems related to serial-port ... while commercial/cash-management dial-up online banking operations saying that they would never move to the internet, because of the significant, unaddressed security problems.
In the 14-15 yrs since those presentations ... the internet security problems of the commercial/cash-management online banking operations have hardly changed at all.
a couple other posts in the thread from crypto mailing list:
https://www.garlic.com/~lynn/2009k.html#72 Client Certificate UI for Chrome?
https://www.garlic.com/~lynn/2009l.html#62 Client Certificate UI for Chrome? -- OT anonymous-transaction
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: ATMs by the Numbers Newsgroups: alt.folklore.computers Date: Wed, 09 Sep 2009 09:41:40 -0400
ATMs by the Numbers
from above:
September 9 is the 40th birthday of the automated teller machine in the
US. To celebrate the invention that spews twenties at two in the
morning, we're spitting out some numbers of our own.
... snip ...
for the fun of it ... magstripe invention and then standards managed out
of los gatos lab:
https://en.wikipedia.org/wiki/Magnetic_stripe
and early development of ATM machines at los gatos lab:
https://en.wikipedia.org/wiki/IBM_3624
recent post discussing some other stuff at los gatos lab (has been torn
down)
https://www.garlic.com/~lynn/2009m.html#63 What happened to computer architecture (and comp.arch?)
if internet security has hardly changed in the last 14-15
yrs ...
https://www.garlic.com/~lynn/2009m.html#73 Definition of a computer?
and
https://www.garlic.com/~lynn/2009k.html#72 Client Certificate UI for Chrome?
https://www.garlic.com/~lynn/2009l.html#62 Client Certificate UI for Chrome? -- OT anonymous-transaction
https://www.garlic.com/~lynn/2009m.html#70 Client Certificate UI for Chrome?
neither has ATM machine security
https://www.garlic.com/~lynn/2009m.html#65 European Banks Warned: Brace for Rise in Cash Machine Fraud
https://www.garlic.com/~lynn/2009m.html#67 European Banks Warned: Brace for Rise in Cash Machine Fraud
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Continous Systems Modelling Package Newsgroups: alt.folklore.computers Date: Wed, 09 Sep 2009 11:04:10 -0400
jmfbahciv <jmfbahciv@aol> writes:
... at the cambridge science center, i did do a set of 2000 automated benchmarks that took 3 months elapsed time as part of putting out "resource manager" ... but could be restarted at individual benchmarks. there was years of observation data from lots of internal systems ... that sort-of defined the domain of workloads and configurations. The first (pre-defined) 1000 benchmarks was selected to cover the matrix of possible workloads and configurations.
CSC had done a lot of work in system modeling ... one was an analytical
model implemented in APL. This had been enhanced and made available as a
sales/marketing tool on the world-wide HONE system. Sales people could
characterize their customer workloads & configurations and then ask
what-if questions about what happens with configuration and/or workload
changes. past posts mentioning world-wide sales/marketing HONE system
https://www.garlic.com/~lynn/subtopic.html#hone
This modeling application was modified to select workload/configuration
benchmark (based on past results), predict what the system would do,
kick-off that benchmark ... and then compare the actual results with the
predicted results. It then would calculate another
workload/configuration for the next benchmark ... repeating 1000 times.
misc. past posts mentioning automated benchmarking
https://www.garlic.com/~lynn/submain.html#benchmark
misc. past posts mentioning sjr 370/195 batch service
https://www.garlic.com/~lynn/2001n.html#39 195 was: Computer Typesetting Was: Movies with source code
https://www.garlic.com/~lynn/2002j.html#30 Weird
https://www.garlic.com/~lynn/2002n.html#63 Help me find pics of a UNIVAC please
https://www.garlic.com/~lynn/2003j.html#69 Multics Concepts For the Contemporary Computing World
https://www.garlic.com/~lynn/2004.html#21 40th anniversary of IBM System/360 on 7 Apr 2004
https://www.garlic.com/~lynn/2005.html#8 [Lit.] Buffer overruns
https://www.garlic.com/~lynn/2005f.html#4 System/360; Hardwired vs. Microcoded
https://www.garlic.com/~lynn/2005f.html#5 System/360; Hardwired vs. Microcoded
https://www.garlic.com/~lynn/2005f.html#22 System/360; Hardwired vs. Microcoded
https://www.garlic.com/~lynn/2005o.html#44 Intel engineer discusses their dual-core design
https://www.garlic.com/~lynn/2005u.html#44 POWER6 on zSeries?
https://www.garlic.com/~lynn/2006c.html#6 IBM 610 workstation computer
https://www.garlic.com/~lynn/2006c.html#44 IBM 610 workstation computer
https://www.garlic.com/~lynn/2006l.html#6 Google Architecture
https://www.garlic.com/~lynn/2006t.html#41 The Future of CPUs: What's After Multi-Core?
https://www.garlic.com/~lynn/2006x.html#27 The Future of CPUs: What's After Multi-Core?
https://www.garlic.com/~lynn/2007f.html#10 Beyond multicore
https://www.garlic.com/~lynn/2007f.html#20 Historical curiosity question
https://www.garlic.com/~lynn/2007j.html#13 Interrupts
https://www.garlic.com/~lynn/2007j.html#16 Newbie question on table design
https://www.garlic.com/~lynn/2007l.html#52 Drums: Memory or Peripheral?
https://www.garlic.com/~lynn/2008l.html#60 recent mentions of 40+ yr old technology
https://www.garlic.com/~lynn/2008r.html#32 What if the computers went back to the '70s too?
https://www.garlic.com/~lynn/2008r.html#34 What if the computers went back to the '70s too?
https://www.garlic.com/~lynn/2009k.html#49 A Complete History Of Mainframe Computing
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Definition of a computer? Newsgroups: alt.folklore.computers Date: Wed, 09 Sep 2009 15:35:35 -0400
Paul <pssawyer@comcast.net.INVALID> writes:
we had moved into a new development next to high-tech business park ... it was fully fiber optic ... but at the time the only "residential" high-speed was ADSL (>T1) ... which only ran over copper (say $40/month). the phone company was willing to offer me (business) T1 frame-relay at the low-introductory price of $1200/month.
at earlier time & place ... before being able to get ADSL ... i had ISDN for a few months that had $.04/min (per 56kbit channel) use charges ... use charges bill for those months ran $400-$600 per month.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Definition of a computer? Newsgroups: alt.folklore.computers Date: Wed, 09 Sep 2009 15:44:08 -0400
"Charlie Gibbs" <cgibbs@kltpzyxm.invalid> writes:
os/360 had sort of a dynamic allocated stack convention ... basically (dynamically allocated) "saveareas" that were all threaded together; used for "reentrant" procedures. it was also possible to thread in static allocated "saveareas" ... when "reentrant" wasn't a requirement.
cp/67 originally installed at the univ. (jan68) had a 100 entry pre-allocated savearea ... used for dynamic call/returns (unallocated, available areas were on a push/pop stack ... and when the stack was empty the system crashed). one of the things that i did early on was being able to extend it when the available areas were exhausted (and not crash).
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: ATMs by the Numbers Newsgroups: alt.folklore.computers Date: Thu, 10 Sep 2009 11:46:44 -0400
re:
post from last year somewhat related to ATMs
https://www.garlic.com/~lynn/2008p.html#27 Father Of Financial Dataprocessing
regarding tribute held for jim gray may of 2008
https://web.archive.org/web/20080616153833/http://www.eecs.berkeley.edu/IPRO/JimGrayTribute/pressrelease.html
quote from above:
Gray is known for his groundbreaking work as a programmer, database
expert and Microsoft engineer. Gray's work helped make possible such
technologies as the cash machine, ecommerce, online ticketing, and
deep databases like Google. In 1998, he received the ACM A.M. Turing
Award, the most prestigious honor in computer science. He was
appointed an IEEE Fellow in 1982, and also received IEEE Charles
Babbage Award.
... snip ...
earlier posts mentioning above:
https://www.garlic.com/~lynn/2008i.html#32 A Tribute to Jim Gray: Sometimes Nice Guys Do Finish First
https://www.garlic.com/~lynn/2008i.html#36 A Tribute to Jim Gray: Sometimes Nice Guys Do Finish First
another recent post mentioning cash machines, ecommerce, etc.
https://www.garlic.com/~lynn/2008s.html#25 Web Security hasn't moved since 1995
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Existence of early 360 software ( was Re: Continous Systems Modelling Package) Newsgroups: alt.folklore.computers Date: Thu, 10 Sep 2009 22:50:13 -0400
"Dave Wade" <g8mqw@yahoo.com> writes:
about the only thing really saved ... was shortly before the troubles in the datacenter tape library ... Melinda Varian got me to pull off the original multi-level source update procedures (originally created for cp67/cms). old email (and sent her copies)
https://www.garlic.com/~lynn/2006w.html#email850906
and
https://www.garlic.com/~lynn/2006w.html#email850908
in this post
https://www.garlic.com/~lynn/2006w.html#42 vmshare
In the 8Sep85 email, Melinda was "surprised" that effectively most of the multi-level update function was in existence by summer of 1970.
above post also discusses the troubles in the lab datacenter tape library.
After joining the science center ... I enhanced the (cp67) kernel build process (which placed a copy of the kernel image on tape) ... to append on the tape all the source and executables necessary to recreate the kernel from scratch. I had archived/saved ... and replicated some number of these production build tapes (from which I was able to recover the early multi-level update procedures for Melinda).
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: A Faster Way to the Cloud Newsgroups: alt.folklore.computers Date: Fri, 11 Sep 2009 10:20:11 -0400
A Faster Way to the Cloud
is this a replay of ...
https://www.garlic.com/~lynn/2004k.html#8 FAST TCP makes dialup faster than broadband?
https://www.garlic.com/~lynn/2004k.html#9 FAST TCP makes dialup faster than broadband?
https://www.garlic.com/~lynn/2004k.html#12 FAST TCP makes dialup faster than broadband?
https://www.garlic.com/~lynn/2004k.html#13 FAST TCP makes dialup faster than broadband?
https://www.garlic.com/~lynn/2004k.html#16 FAST TCP makes dialup faster than broadband?
https://www.garlic.com/~lynn/2004k.html#17 FAST TCP makes dialup faster than broadband?
https://www.garlic.com/~lynn/2004k.html#18 FAST TCP makes dialup faster than broadband?
https://www.garlic.com/~lynn/2004k.html#19 FAST TCP makes dialup faster than broadband?
in the early 80s ... HSDT ... misc. past posts
https://www.garlic.com/~lynn/subnetwork.html#hsdt
was dealing with this ... part of the way I addressed it was with rate-based pacing.
in aug88, acm sigcomm had a paper that slow-start was non-stable in a heterogeneous internet ... and the same month there was a paper on (x-country) gbit links at an IETF meeting. I pointed out that the latency*bandwidth product was nearly identical to high-speed satellite links (lower bandwidth but higher latency).
about same time, I was doing rfc1044 support in mainframe TCP support.
at the time, the product was getting about 44kbytes/sec thruput using
nearly all of a 3090 cpu. a little later in testing 1044 support at
cray research, between 4341 and cray ... was getting mbyte/sec (4341
channel media speed) using only a modest amount of 4341 processor
... nearly three orders of magnitude (1000 times) improvement in terms
of bytes moved per instruction executed. misc. past posts
https://www.garlic.com/~lynn/subnetwork.html#1044
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: A Faster Way to the Cloud Newsgroups: alt.folklore.computers Date: Sat, 12 Sep 2009 13:18:34 -0400
Jorgen Grahn <grahn+nntp@snipabacken.se> writes:
there is lots of stuff being done today involving hundreds (or tens of thousands) of processors.
some of this was blades and grids originally done for national labs. and other places doing huge physics data collection and/or simulation.
some of the vendors then started trying to pitch configurations for the commercial market ... some of the early adopters were in the financial market doing various kinds of sophisticated financial modeling. the physics community had been developing distributed resource allocation applications so that multiple applications could be scheduled sequentially and/or concurrently on subsets of the total configuration (this is old-time batch moved to a massive parallel environment). some of the financial early adopters started picking up on such stuff.
the national labs and other environments having these massive
configurations also got involved in gbit+ interconnects between various
of these datacenters. a big thing in the annual "supercomputer"
conference is contests for aggregate effective thruput.
http://www.supercomputing.org/about.php
i've posted before a (failed) financial industry foray into this from the 90s with massive parallel "killer" micros. This was that a lot of the batch financial applications from the 60s ... were (partially) put online in the 70s & 80s ... however, settlement and other bookkeeping tasks continued to be done in (overnight) batch (window). In the 90s, a combination of increasing business load and globalization (decreasing the elapsed time for the overnight batch window) ... drove efforts for implementing straight-through processing (using massive numbers of parallel killer micros). the failure of several billion dollar efforts in the 90s was in large part using off-the-shelf "modern parallelization" technologies. Several programs were well into deployment phase when it was discovered that the overhead of the new parallelization technologies resulted in 100 times increase in overhead (compared to 60s overnight batch), totally swamping any anticipated thruput increases (resulting in projects being aborted and efforts evaporating for at least another decade).
Cloud tends to also have the flavor of old-time commercial time-sharing
service bureaus ... some past posts
https://www.garlic.com/~lynn/submain.html#timeshare
where, rather than having the resources in-house, ... services are coming from external agency. Gbit links are enablers for some of this.
"clouds" as old-time commercial time-sharing service bureaus are being faced with the security, protection, privacy and isolation requirements that were addressed in the 60s & 70s by the antecedents.
misc. past posts mentioning overnight batch window & straight-through
processing
https://www.garlic.com/~lynn/2004.html#51 Mainframe not a good architecture for interactive workloads
https://www.garlic.com/~lynn/2006s.html#40 Ranking of non-IBM mainframe builders?
https://www.garlic.com/~lynn/2007e.html#31 Quote from comp.object
https://www.garlic.com/~lynn/2007l.html#15 John W. Backus, 82, Fortran developer, dies
https://www.garlic.com/~lynn/2007m.html#36 Future of System/360 architecture?
https://www.garlic.com/~lynn/2007u.html#19 Distributed Computing
https://www.garlic.com/~lynn/2007u.html#21 Distributed Computing
https://www.garlic.com/~lynn/2007u.html#37 folklore indeed
https://www.garlic.com/~lynn/2007u.html#44 Distributed Computing
https://www.garlic.com/~lynn/2007u.html#61 folklore indeed
https://www.garlic.com/~lynn/2007v.html#19 Education ranking
https://www.garlic.com/~lynn/2007v.html#27 folklore indeed
https://www.garlic.com/~lynn/2007v.html#64 folklore indeed
https://www.garlic.com/~lynn/2007v.html#69 Controlling COBOL DDs named SYSOUT
https://www.garlic.com/~lynn/2007v.html#72 whats the world going to do when all the baby boomers retire
https://www.garlic.com/~lynn/2007v.html#81 Tap and faucet and spellcheckers
https://www.garlic.com/~lynn/2008b.html#74 Too much change opens up financial fault lines
https://www.garlic.com/~lynn/2008c.html#92 CPU time differences for the same job
https://www.garlic.com/~lynn/2008d.html#30 Toyota Sales for 2007 May Surpass GM
https://www.garlic.com/~lynn/2008d.html#31 Toyota Sales for 2007 May Surpass GM
https://www.garlic.com/~lynn/2008d.html#73 Price of CPU seconds
https://www.garlic.com/~lynn/2008d.html#87 Berkeley researcher describes parallel path
https://www.garlic.com/~lynn/2008d.html#89 Berkeley researcher describes parallel path
https://www.garlic.com/~lynn/2008g.html#55 performance of hardware dynamic scheduling
https://www.garlic.com/~lynn/2008h.html#50 Microsoft versus Digital Equipment Corporation
https://www.garlic.com/~lynn/2008h.html#56 Long running Batch programs keep IMS databases offline
https://www.garlic.com/~lynn/2008p.html#26 What is the biggest IT myth of all time?
https://www.garlic.com/~lynn/2008p.html#30 Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technolgies?
https://www.garlic.com/~lynn/2008r.html#7 If you had a massively parallel computing architecture, what unsolved problem would you set out to solve?
https://www.garlic.com/~lynn/2009.html#87 Cleaning Up Spaghetti Code vs. Getting Rid of It
https://www.garlic.com/~lynn/2009c.html#43 Business process re-engineering
https://www.garlic.com/~lynn/2009d.html#14 Legacy clearing threat to OTC derivatives warns State Street
https://www.garlic.com/~lynn/2009f.html#55 Cobol hits 50 and keeps counting
https://www.garlic.com/~lynn/2009h.html#1 z/Journal Does it Again
https://www.garlic.com/~lynn/2009h.html#2 z/Journal Does it Again
https://www.garlic.com/~lynn/2009i.html#21 Why are z/OS people reluctant to use z/OS UNIX?
https://www.garlic.com/~lynn/2009i.html#23 Why are z/OS people reluctant to use z/OS UNIX? (Are settlements a good argument for overnight batch COBOL ?)
https://www.garlic.com/~lynn/2009i.html#26 Why are z/OS people reluctant to use z/OS UNIX?
https://www.garlic.com/~lynn/2009i.html#30 Why are z/OS people reluctant to use z/OS UNIX?
https://www.garlic.com/~lynn/2009i.html#38 Why are z/OS people reluctant to use z/OS UNIX?
https://www.garlic.com/~lynn/2009i.html#43 Why are z/OS people reluctant to use z/OS UNIX? (Are settlements a good argument for overnight batch COBOL ?)
https://www.garlic.com/~lynn/2009i.html#60 In the USA "financial regulator seeks power to curb excess speculation."
https://www.garlic.com/~lynn/2009l.html#57 IBM halves mainframe Linux engine prices
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: ATMs by the Numbers Newsgroups: alt.folklore.computers Date: Sat, 12 Sep 2009 13:39:33 -0400
D.J. <jollycamper72@cableone.net> writes:
some of these were enormously thick and weighed tons ... in order to maintain exact curvature for image acquisition.
in the early 80s ... i got to participate in some of the berkeley 10m stuff ... which was 36 1.8meter mirrors that were adjusted dynamically to maintain focus ... addressing the ever increasing problem with massive single unit mirrors.
berkeley 10m observatory was going to move to CCD and away from film
... and at the time was dealing with 200x200 CCD prototypes. they wanted to
have provisions for remote observation w/o requiring people to actually
travel to the observatory. we had started HSDT at the time and were one
of the few dealing in higher speed computer links ... which appeared
to be a major motivation in getting us involved ... misc past hsdt posts
https://www.garlic.com/~lynn/subnetwork.html#hsdt
they eventually got >$80m grant from keck foundation ... and it was
renamed keck 10m ... since building original ... they built a second
that can operate in tandem ...
http://www.keckobservatory.org/
somewhat topic drift ... part of HSDT was digital TDMA earth stations that had a custom design ... and two different vendors were building the stations to the spec ... and we were going to operate in parallel to compare effectiveness, etc (there was also a rumor that a large telco had approached them to build a duplicate set to our specs ... a little industrial espionage).
one of the TDMA earth station companies was a spin-off of TIW ... an iron works company ... which turned out had contracts to do some of the really-large (deep-space) antennas (and apparently decided to take a flyer into the electronics part of the business). In any case, TIW won the original contract to do much of the physical construction for Keck.
misc. past posts mentioning berkeley/keck 10m:
https://www.garlic.com/~lynn/2005l.html#9 Jack Kilby dead
https://www.garlic.com/~lynn/2006t.html#12 Ranking of non-IBM mainframe builders?
https://www.garlic.com/~lynn/2007c.html#20 How many 36-bit Unix ports in the old days?
https://www.garlic.com/~lynn/2007c.html#50 How many 36-bit Unix ports in the old days?
https://www.garlic.com/~lynn/2007t.html#30 What do YOU call the # sign?
https://www.garlic.com/~lynn/2008f.html#80 A Super-Efficient Light Bulb
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: A Faster Way to the Cloud Newsgroups: alt.folklore.computers Date: Sat, 12 Sep 2009 14:11:10 -0400
Jorgen Grahn <grahn+nntp@snipabacken.se> writes:
lots of IP implementations use an MTU of 1500 ... one of the things that the supercomputer high-speed efforts try to do is override MTU fragmentation to more like 128k ... increasing MTU by a factor of 100 times.
tcp is a session oriented protocol ... and the minimum packet exchange is 7 packets (setup, data, tear-down ... which is a serialized operation). early assumptions about tcp sessions being long-lived encountered lots of problems when HTTP was using the TCP session protocol for supposedly packet operation. There was a period in the mid-90s for six months or so ... where increasing workload was resulting in major servers spending 90-95% of cpu processing in some of the session setup/tear-down gorp.
we had been brought in to consult with a small client/server startup that wanted to do payment transactions on their server ... and the startup had this technology they had invented called "SSL" (the result is now frequently called "electronic commerce"). as this startup grew ... the load on their download machines was significantly increasing ... and they were duplicating the number of servers nearly constantly (in large part because of the tcp setup/tear-down cpu overhead). eventually they installed a sequent machine ... in part because sequent had addressed the tcp setup/tear-down cpu overhead for some commercial installations that would have 20,000 telnet sessions.
standard tcp is ack packet protocol ... with limit on number of
outstanding, pending-ack packets ... to avoid congestion.
https://en.wikipedia.org/wiki/TCP_congestion_avoidance_algorithm
above references this ... which was source of the "fast tcp" 2004 news
item (mentioned in original post) that had reference to being able to
beat normal tcp on broadband with fast tcp on dial-up:
https://en.wikipedia.org/wiki/FAST_TCP
what i did in the early 80s for rate-based pacing was independent of the number of packets outstanding. a major congestion problem is multiple back-to-back packets arriving at an intermediate router. the packet/ack scenario has the deficiency that returning ACKs can bunch up and multiple ACKs return to the sender in a single block. The sender then has multiple open packet "windows" and transmits all back-to-back ... leading to the exact thing that commonly results in congestion. It then has to back-off and start all over. this was the subject of the '88 acm sigcomm paper about the slow-start (& ack window) paradigm not being stable in a real-world environment. rate-based pacing explicitly controls the transmission frequency of packets ... independent of outstanding and/or arriving ACKs ... explicitly controlling one of the primary characteristics that results in congestion and packet loss (i.e. back-to-back packet transmission and arrival).
I've conjectured that one of the reasons for ACK-paradigm mechanism in the 80s (rather than rate-based pacing solution) for congestion control ... was large number of platforms with extremely inadequate timer facilities (necessary for establishing a rate-based mechanism).
Some of the real-time and streaming protocols for IP ... are tending in the rate-based direction.
my RFC IETF index
https://www.garlic.com/~lynn/rfcietff.htm
select Term (term->RFC#) (in the RFCs listed by section)
rfc's related to congestion:
congestion
see also performance
flow control related RFCs
flow control
see also congestion, traffic engineering
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
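The ACK-bunching burst and the rate-based alternative described in the post above, as an added toy simulation that is not part of the original post and not the HSDT code: a window-driven sender fires every slot that a bunched ACK delivery opens, a rate-paced sender never exceeds one packet per tick, and a bottleneck router with a small queue shows which one drops packets. All parameters (window, batch interval, queue depth, delays) are constructed values.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Stats:
    sent: int = 0
    delivered: int = 0
    dropped: int = 0
    max_burst: int = 0   # most packets put on the wire back-to-back in one tick


def simulate(pacing, window=8, ack_batch=6, queue_cap=3, path_delay=4,
             timeout=20, ticks=300):
    """Discrete-time model of one sender feeding a bottleneck router.

    pacing='window': the sender transmits as soon as the window allows, so a
    bunch of ACKs arriving together opens several slots at once and it sends
    them back-to-back (the congestion trigger described in the post).
    pacing='rate': the sender never puts more than one packet on the wire per
    tick, whatever the ACK arrivals look like.
    The router forwards one packet per tick and holds at most queue_cap;
    anything beyond that is dropped and resent after `timeout` ticks.  ACKs
    are released to the sender only every ack_batch ticks, which models ACK
    compression on the return path.  (Constructed model, not real TCP.)
    """
    if pacing not in ("window", "rate"):
        raise ValueError("pacing must be 'window' or 'rate'")
    stats = Stats()
    queue = deque()          # router queue: send tick of each queued packet
    acks_in_transit = []     # tick at which each ACK reaches the sender side
    acks_held = 0            # ACKs at the sender side waiting for the next bunch
    retransmit_due = []      # tick at which a dropped packet is resent
    credits = 0              # open window slots
    for t in range(ticks):
        # 1. the window opens one slot per tick during startup, so the bursts
        #    measured below come from ACK bunching, not the initial window
        if t < window:
            credits += 1
        # 2. ACKs that have crossed the return path are held and then released
        #    together every ack_batch ticks (ACK compression)
        acks_held += sum(1 for a in acks_in_transit if a <= t)
        acks_in_transit = [a for a in acks_in_transit if a > t]
        if t % ack_batch == 0:
            credits += acks_held
            acks_held = 0
        # 3. dropped packets get their window slot back once the timeout fires
        credits += sum(1 for r in retransmit_due if r <= t)
        retransmit_due = [r for r in retransmit_due if r > t]
        # 4. bottleneck router forwards one packet; its ACK starts back
        if queue:
            queue.popleft()
            stats.delivered += 1
            acks_in_transit.append(t + path_delay)
        # 5. sender transmits according to its pacing discipline
        burst = credits if pacing == "window" else min(credits, 1)
        for _ in range(burst):
            credits -= 1
            stats.sent += 1
            if len(queue) < queue_cap:
                queue.append(t)
            else:                       # queue full: packet lost
                stats.dropped += 1
                retransmit_due.append(t + timeout)
        stats.max_burst = max(stats.max_burst, burst)
    return stats


if __name__ == "__main__":
    for mode in ("window", "rate"):
        print(mode, simulate(mode))
```

With the constructed parameters the window sender bursts six packets into a three-packet queue on every ACK bunch and loses half of them, while the rate-paced sender never bursts and never drops.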
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: A Faster Way to the Cloud Newsgroups: alt.folklore.computers Date: Sat, 12 Sep 2009 14:36:40 -0400
re:
another place that we got into 100mbit & gbit links was in disaster
survivability ... I had coined the terms disaster survivability and
geographic survivability ... misc. past posts mentioning availability
https://www.garlic.com/~lynn/submain.html#available
when I was out doing marketing for our ha/cmp product
https://www.garlic.com/~lynn/subtopic.html#hacmp
cost of dataprocessing and high-speed links were dropping and having replicated "hot" datacenters ... at geographic separation was becoming more and more practical & cost effective for increasing number of applications.
this frequently required being able to replicate the disk traffic over high-speed links to remote locations.
we had been on the xtp technical advisory board ... doing high-speed
protocol, where we spent a lot of time on setup/teardown efficiency,
latency, thruput, flow-control, etc. there were some other parties
involved in xtp that were extremely focused on latency and redundancy
for onboard ship and jet plane operation ... while others on xtp were
working on streaming video and other real-time content. misc. past
posts mentioning xtp &/or high-speed protocol
https://www.garlic.com/~lynn/subnetwork.html#xtphsp
This was concurrent with ha/cmp and there were a few contentious instances in ha/cmp ... where I was constantly trying to adapt ip infrastructure as platform for all operations ... as opposed to taking shortcut by going underneath the ip-layer and implementing ha/cmp function (like distributed lock manager) directly to specific hardware media MAC interfaces.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: ATMs by the Numbers Newsgroups: alt.folklore.computers Date: Sat, 12 Sep 2009 15:09:47 -0400
re:
14.5 ton mirror
http://www.astro.caltech.edu/palomar/aluminization.html
each of the 36 segments for keck/berkeley 10m is still 3in and weighs about
half a ton
http://www.lbl.gov/Science-Articles/Archive/keck-telescope.html
wiki page
https://en.wikipedia.org/wiki/W._M._Keck_Observatory
above references lots of steel for stiffness, about 270 tons per telescope ... for total 300 tons for each keck 10m.
CCD technology has come a long way since the 200x200 (40k) being tested in the early part of the effort. There were rumors at the time that spielberg might have 2048x3072 (6 megapixel).
from 2003
http://keckobservatory.org/index.php/news/keck_observatorys_premier_planet-hunting_machine_is_getting_even_better/
... lists having "mosaic of three 2048x4096 CCD chips with 15-micron pixels arranged in stacked configuration for 6144x4096 pixels."
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Voltage SecureData Now Provides Distributed End-to-End Encryption of Sensitive Data Date: 12 Sep, 2009 Blog: Mainframe Experts Network
Voltage SecureData Now Provides Distributed End-to-End Encryption of Sensitive Data
somewhat related article from Thursday looking at alternatives ...
Alliance proposes new rules for payments in U.S.
http://www.contactlessnews.com/2009/09/10/alliance-proposes-new-rules-for-payments-in-u-s
and some comments (on article) posted to (linkedin) payment systems
combination of x9.59 financial standard and aads chip strawman was able to eliminate any distinction between contact and contactless operation ... or as embedded operation in cellphone and other kinds of wireless operation ... as well as aggressive technology cost reduction ... incremental cost of crypto processing was eliminated ... and remaining compatible with existing payment networks. To some extent it achieves all the benefits of alternatives mentioned in the article.
....
some references to x9.59 financial transaction standard
https://www.garlic.com/~lynn/x959.html#x959
... and other recent long-winded posts on the subject:
https://www.garlic.com/~lynn/2009j.html#13 PCI SSC Seeks Input on Security Standards
https://www.garlic.com/~lynn/2009j.html#26 Price Tag for End-to-End Encryption: $4.8 Billion, Mercator Says
https://www.garlic.com/~lynn/2009j.html#33 IBM touts encryption innovation
https://www.garlic.com/~lynn/2009j.html#57 How can we stop Credit card FRAUD?
https://www.garlic.com/~lynn/2009k.html#28 Network Solutions breach exposed 500k card accounts
https://www.garlic.com/~lynn/2009m.html#22 PCI SSC Seeks standard for End to End Encryption?
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Continous Systems Modelling Package Newsgroups: alt.folklore.computers Date: Sun, 13 Sep 2009 00:33:13 -0400
hancock4 writes:
... including into the back rooms with the old (physical) card catalog
... i think cut-over was sometime in the 80s(?). somebody's picture
http://www.flickr.com/photos/tinfoilraccoon/630521081/
http://www.flickr.com/photos/tinfoilraccoon/630521651/in/photostream/
http://www.flickr.com/photos/tinfoilraccoon/630521651/in/set-72157600497738847/
then there is this:
http://www.flickr.com/photos/mollyali/3114190191/
http://www.flickr.com/photos/mollyali/3114189953/in/photostream/
in the 60s, when i was undergraduate ... the univ. library got an ONR
grant to do online catalog ... part of the money went to getting a 2321
datacell
http://www.columbia.edu/cu/computinghistory/datacell.html
and
http://www-03.ibm.com/ibm/history/exhibits/storage/storage_2321.html
http://www-03.ibm.com/ibm/history/exhibits/storage/storage_PH2321B.html
IBM also selected the project to be one of the original beta testers of
the (first) CICS product. at the univ. i got tasked with support/debug
of CICS. misc. past posts mentioning CICS (&/or bdam)
https://www.garlic.com/~lynn/submain.html#cics
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: Continous Systems Modelling Package Newsgroups: alt.folklore.computers Date: Sun, 13 Sep 2009 01:09:05 -0400
Joe Pfeiffer <pfeiffer@cs.nmsu.edu> writes:
there were a couple of people there that had started on the project
about the same time I was playing with CICS & BDAM for the univ. library
... and started out doing something very similar.
https://www.garlic.com/~lynn/2009m.html#87 Continous Systems Modelling Package
and the mid-90s design/implementation was pretty much what they had started out with in the late 60s.
basically each item got a record in a BDAM file. Then the item was indexed in 80 or so different ways (keywords, authors, title, subject matter, etc.). queries would retrieve the corresponding index record ... which had all the BDAM record numbers of items that matched. boolean "AND" & "OR" was done by the corresponding operation on the corresponding lists of BDAM record numbers (AND was only those BDAM record numbers in both lists, OR was the combination, with duplicates removed, of all BDAM record numbers in both lists).
by the early 80s, the number of items was so large ... that queries out to 5-6 boolean terms tended to be bimodal ... thousands (millions) of matched items ... and adding one more boolean term ... could result in zero matched items. the holy grail was how to find a query that would have greater than zero but fewer than a hundred. at that time the default query response was the number of items ... not the actual items.
in the early 80s a query application was developed, originally for apple, called Grateful Med. it would manage a set of queries and the number of responses ... helping the user search for the magic query that resulted in a manageable number of responses.
this fumbles the reference to grateful med ... as being the database
... as opposed to the personal computer based query application
https://en.wikipedia.org/wiki/Information_science
the above somewhat lumps NLM with Dialog ... but doesn't mention Lexis/Nexis. At least up thru 90s ... both Dialog and Lexis/Nexis also had very similar (ibm) mainframe implementations.
in the late 70s and much of the 80s, I could do a whole day in the Palo Alto area going from SLAC (large virtual machine vm370 based operation ... also where the first webserver outside of europe/cern was done on vm370/cms), HONE (consolidated, internal virtual machine vm370 based online marketing and support system), Tymshare (virtual machine vm370 based online commercial time-sharing service bureau) and Dialog (ibm mainframe but not vm370, eventually Lockheed sold it off).
misc. past posts mentioning hone
https://www.garlic.com/~lynn/subtopic.html#hone
misc. past posts mentioning (virtual machine based) online commercial
time-sharing service bureaus:
https://www.garlic.com/~lynn/submain.html#timeshare
with commercial time-sharing x-over in this recent post:
https://www.garlic.com/~lynn/2009m.html#81 A Faster Way to the Cloud
misc. past posts mentioning grateful med:
https://www.garlic.com/~lynn/2001j.html#1 Off-topic everywhere [was: Re: thee and thou
https://www.garlic.com/~lynn/2001m.html#51 Author seeks help - net in 1981
https://www.garlic.com/~lynn/2002g.html#3 Why are Mainframe Computers really still in use at all?
https://www.garlic.com/~lynn/2004f.html#0 c.d.theory glossary (repost)
https://www.garlic.com/~lynn/2004n.html#47 Shipwrecks
https://www.garlic.com/~lynn/2006l.html#31 Google Architecture
https://www.garlic.com/~lynn/2008l.html#80 Book: "Everyone Else Must Fail" --Larry Ellison and Oracle ???
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
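The index scheme described in the post above (one index record per term holding the list of matching record numbers, AND as the intersection of two lists, OR as their union with duplicates removed, and a count-only response that a front end like Grateful Med could use to hunt for a query with a manageable number of hits) is small enough to show in working code. The following is an added example, not code from the original post or from NLM/Grateful Med; the item set, the term names and the `refine` helper are constructed for illustration, and plain integers stand in for BDAM record numbers.

```python
"""Toy inverted index in the style of the NLM/BDAM scheme described above.

Added example with constructed sample data; not the original system's code.
Each item is a record number (stand-in for a BDAM record number). Each index
term maps to the sorted list of record numbers of items carrying that term.
"""
from typing import Dict, List, Sequence

# Constructed sample data: record number -> set of index terms for that item.
ITEMS: Dict[int, set] = {
    1: {"author:smith", "kw:virus", "kw:enzyme"},
    2: {"author:jones", "kw:virus", "kw:vaccine"},
    3: {"author:smith", "kw:vaccine"},
    4: {"author:lee", "kw:enzyme", "kw:virus"},
    5: {"author:smith", "kw:enzyme"},
}


def build_index(items: Dict[int, set]) -> Dict[str, List[int]]:
    """Invert items into term -> sorted list of matching record numbers."""
    index: Dict[str, List[int]] = {}
    for rec, terms in items.items():
        for term in terms:
            index.setdefault(term, []).append(rec)
    for postings in index.values():
        postings.sort()  # sorted lists make the merges below linear time
    return index


def and_lists(a: List[int], b: List[int]) -> List[int]:
    """AND: only record numbers present in both sorted lists."""
    out, i, j = [], 0, 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            out.append(a[i]); i += 1; j += 1
        elif a[i] < b[j]:
            i += 1
        else:
            j += 1
    return out


def or_lists(a: List[int], b: List[int]) -> List[int]:
    """OR: all record numbers from either sorted list, duplicates removed."""
    out, i, j = [], 0, 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            out.append(a[i]); i += 1; j += 1
        elif a[i] < b[j]:
            out.append(a[i]); i += 1
        else:
            out.append(b[j]); j += 1
    out.extend(a[i:])
    out.extend(b[j:])
    return out


def evaluate(index: Dict[str, List[int]], expr: Sequence[str]) -> List[int]:
    """Evaluate ["term", "AND"|"OR", "term", ...] left to right.

    An unknown term has an empty posting list, so AND with it yields nothing:
    this is the "one more term and zero hits" cliff mentioned in the post.
    """
    result = list(index.get(expr[0], []))
    for op, term in zip(expr[1::2], expr[2::2]):
        postings = index.get(term, [])
        if op == "AND":
            result = and_lists(result, postings)
        elif op == "OR":
            result = or_lists(result, postings)
        else:
            raise ValueError(f"unknown operator {op!r}")
    return result


def count(index: Dict[str, List[int]], expr: Sequence[str]) -> int:
    """The default response of the era: how many items match, not which."""
    return len(evaluate(index, expr))


def refine(index: Dict[str, List[int]], expr: Sequence[str],
           candidates: Sequence[str], lo: int = 1, hi: int = 100) -> Dict[str, int]:
    """Hypothetical Grateful-Med-style step: try ANDing each candidate term
    onto the query and keep the ones whose hit count lands in [lo, hi]."""
    usable = {}
    for term in candidates:
        n = count(index, list(expr) + ["AND", term])
        if lo <= n <= hi:
            usable[term] = n
    return usable


INDEX = build_index(ITEMS)

if __name__ == "__main__":
    print(evaluate(INDEX, ["kw:virus", "AND", "author:smith"]))
    print(count(INDEX, ["kw:virus", "AND", "kw:enzyme", "AND", "kw:vaccine"]))
    print(refine(INDEX, ["kw:virus", "AND", "kw:enzyme"],
                 ["author:smith", "author:lee", "kw:vaccine"], lo=1, hi=1))
```

The two merges are the whole of the retrieval logic; everything else is bookkeeping. With five items the "manageable range" has to be set to a single hit to show the narrowing step, but the shape is the same as the thousands-to-zero behaviour the post describes at NLM scale.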
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Audits V: Why did this happen to us ;-( Date: September 13, 2009 10:41 AM Blog: Financial Cryptography
re: Audits V: Why did this happen to us ;-(
misc. past posts referencing bank modernization act repealing
Glass-Steagall ... which contributed significantly to the current
problem.
https://www.garlic.com/~lynn/2009c.html#65 is it possible that ALL banks will be nationalized?
https://www.garlic.com/~lynn/2009d.html#28 I need insight on the Stock Market
https://www.garlic.com/~lynn/2009d.html#42 Bernard Madoff Is Jailed After Pleading Guilty -- are there more "Madoff's" out there?
https://www.garlic.com/~lynn/2009d.html#73 Should Glass-Steagall be reinstated?
https://www.garlic.com/~lynn/2009i.html#13 64 Cores -- IBM is showing a prototype already
https://www.garlic.com/~lynn/2009i.html#54 64 Cores -- IBM is showing a prototype already
https://www.garlic.com/~lynn/2009i.html#77 Financial Regulatory Reform - elimination of loophole allowing special purpose institutions outside Bank Holding Company (BHC) oversigh
https://www.garlic.com/~lynn/2009l.html#5 Internal fraud isn't new, but it's news
and when there was talk about oversight of unregulated over-the-counter commodities, the same person (and his wife) were involved in the commodities modernization act ... precluding any oversight ... which resulted in Enron. In the wake of Enron, SOX was passed w/o actually addressing the underlying problem, resulting in AIG.
In earlier part of this decade, I was at conference of european financial executives and pontificated about SOX not being able to do anything about serious fraud activity (and it being the auditor full employment act).
In part what was needed were business processes that would preclude types of things that SOX was trying to catch after the fact.
One of the issues with audit was having independent sources of information and being able to compare for inconsistencies ... say looking at the books of a large number of different entities and verifying that entries for various kinds of transactions on one set of books ... matched entries for the same transactions in other books.
I liked the early ISO 9000 audits ... people were asked if what they were doing was documented and whether or not they had read and understood those documents.
Part of the current circumstances also involved entities being able to carry significant percentage "off-books". There currently is lots of hand-wringing about audit rule changes regarding having to bring all those entries back onto the books ... and the possibility that many current financial entities would then have to be declared insolvent.
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970
From: Anne & Lynn Wheeler <lynn@garlic.com> Subject: Re: A Faster Way to the Cloud Newsgroups: alt.folklore.computers Date: Sun, 13 Sep 2009 13:49:44 -0400
Anne & Lynn Wheeler <lynn@garlic.com> writes:
somewhat related recent news item:
First Look At Amazon's Oregon Data Center -- Amazon Data Center
http://www.informationweek.com/news/hardware/processors/232602151
past posts referencing mega data centers on the columbia
https://www.garlic.com/~lynn/2008d.html#72 Price of CPU seconds
https://www.garlic.com/~lynn/2008n.html#68 VMware Chief Says the OS Is History
https://www.garlic.com/~lynn/2008n.html#79 Google Data Centers 'The Most Efficient In The World'
https://www.garlic.com/~lynn/2008r.html#56 IBM drops Power7 drain in 'Blue Waters'
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970