When an Investment Dealer’s Digest article (“The Technology Behind the Scam”) lumped some of the blame for Bernie Madoff’s scam onto the AS/400, IBM’s venerable business system, and Madoff’s “antiquated systems,” the iSeries developer community was quick to defend its fabled friend. After all, technologies don’t scam people, people scam people.
John Dodge does dig up some juicy details on the Ponzi scheme’s execution based on forensic reports:
“[House 17] was a closed system, separate and distinct from any computer system utilized by the other BLMIS business units; consistent with one designed to mass produce fictitious customer statements,” according to Looby’s declaration. House 17’s expressed purpose was to maintain phony records and crank out millions of phony IRS 1099s on capital gains and dividends, trade confirmations, management reports and customer statements.
The AS/400 was like a giant Selectric — indeed, the Application System/400 is a multipurpose server that’s very good at printing. IBM publishes several technical overviews for IT professionals known as “RedBooks” on the AS/400’s extensive printing capabilities and also offers printing and forms design software for it.
But does the AS/400 actually make it any easier to perpetrate an $18 billion scam? Or is it simply a reliable Wall Street standard, a poor technology caught up in the wrong place at the wrong time with the wrong crowd? Vernon Hamberg, a software architect and regular on the Midrange technical discussion list, wrote a spirited defense of the platform, which he kindly offered to let me publish here:
I read with interest the article by John Dodge about technology behind the Madoff scam. It appears, from a quick read, to put much of the blame squarely on the AS/400 – the technology in question. I strongly object to this – it is, in my opinion, completely wrong-headed. I learned long ago that computers are stupid – they do exactly what you tell them, not what you want. If things were done on these systems that allowed Madoff to carry out his Ponzi scheme, it is not the system’s fault. It is some programmer, some auditor, some whatever human being behind it all.
I am a computer professional who works on these so-called legacy systems – a false categorization, unless you lump Unix systems in along with it. (Unix came out over 40 years ago – shall we talk legacy?) The IBM midrange systems have a tremendous feature, backward-compatibility – anything you wrote 20 years ago can be compiled on current systems without any change in source code. Talk to us about VB.net – about API calls in Windows that don’t work in the next release.
This strength of the system was exploited by a human – the extreme segregation of computing resources that let Madoff get away with his scheme. Mr Dodge’s report of the printing characteristics – well, it is a very narrow presentation of the system’s capabilities. That seems completely beside the point. And this is not unique to these systems. At all!! A distinction without a difference.
I appreciate you taking the time to read this. I ask you to publish a retraction or clarification – e.g., that the technology behind it was NOT to blame. Perhaps something about the true strengths of the platform and how human beings were able to take those strengths and fleece other people in such a way. THAT would be an interesting study in human nature – not the veiled suggestion of culpability of any technology as against that of those who use it.
Vernon M. Hamberg
RJS Software Systems
What are your thoughts? Does complex, custom legacy software make it easier to quietly caper, or are villains just villains, no matter how shiny the software and technology? I’d love to hear your thoughts in the comments or at Michael@ITKnowledgeExchange.com.
Security guru Bruce Schneier recently noted some Columbia University research on “Laissez-Faire File Sharing,” which advocates allowing users to set their own sharing permissions, with a focus on access auditing rather than access control (administrator policies don’t stop users from receiving or sharing a file, but all the viewers and editors of that file are then logged for later review and flagging).
Schneier simplifies it as a Wikipedian ideal (“Everybody has access to everything, but there are audit mechanisms in place to prevent abuse”), but that shortchanges the idea. Not all users can access files, for example: they must be granted access by a current user. The paper’s authors argue that this is already happening in an underground IT economy through e-mail attachments, USB thumb drives and other workarounds, and that by working with the system, rather than against it, the new paradigm has the “potential to increase both productivity and security.”
The paper outlines five cornerstones of Laissez-Faire File Sharing.
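To make the audit-over-control idea concrete, here is a toy model of it in Python. This is an added example, not code from the paper or from Schneier’s post: the single hard rule is that only a current holder of a file can pass it on, every grant and read is logged, and the two audit rules (flagging access that has been re-shared through more than two hands, and users who read more than three times) are assumptions chosen for illustration. The users and file name are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed toy model of audit-first ("laissez-faire") sharing.
# The only access-control rule: a user may grant a file only if they
# currently hold it. Everything else is left to after-the-fact audit.

@dataclass
class Event:
    kind: str     # "create", "grant" or "read"
    actor: str    # who performed the action
    target: str   # grantee for grants; the reader for reads
    doc: str


@dataclass
class LaissezFaireShare:
    holders: dict = field(default_factory=lambda: defaultdict(set))  # doc -> users
    granted_by: dict = field(default_factory=dict)                   # (doc, user) -> granter
    log: list = field(default_factory=list)

    def create(self, owner, doc):
        self.holders[doc].add(owner)
        self.granted_by[(doc, owner)] = None
        self.log.append(Event("create", owner, owner, doc))

    def grant(self, granter, grantee, doc):
        # No administrator policy is consulted: holding the file is enough.
        if granter not in self.holders[doc]:
            raise PermissionError(f"{granter} does not hold {doc}")
        if grantee not in self.holders[doc]:
            self.holders[doc].add(grantee)
            self.granted_by[(doc, grantee)] = granter
        self.log.append(Event("grant", granter, grantee, doc))

    def read(self, user, doc):
        if user not in self.holders[doc]:
            raise PermissionError(f"{user} does not hold {doc}")
        self.log.append(Event("read", user, user, doc))
        return True

    def chain(self, doc, user):
        """Provenance of one user's access, from that user back to the owner."""
        path = [user]
        while self.granted_by.get((doc, path[-1])) is not None:
            path.append(self.granted_by[(doc, path[-1])])
        return path

    def audit(self, max_depth=2, max_reads=3):
        """Review the log and flag what a reviewer would look at first.
        Both rules are assumptions chosen for this example: access re-shared
        through more than max_depth hands, and users reading more than
        max_reads times."""
        flags = []
        for (doc, user) in self.granted_by:
            depth = len(self.chain(doc, user)) - 1
            if depth > max_depth:
                flags.append(("deep-chain", doc, user, depth))
        reads = defaultdict(int)
        for e in self.log:
            if e.kind == "read":
                reads[e.actor] += 1
        for user, n in sorted(reads.items()):
            if n > max_reads:
                flags.append(("bulk-read", None, user, n))
        return flags


def demo():
    """Constructed scenario: a forecast re-shared down a chain of colleagues."""
    share = LaissezFaireShare()
    doc = "q3-forecast.xlsx"
    share.create("alice", doc)
    share.grant("alice", "bob", doc)
    share.grant("bob", "carol", doc)
    share.grant("carol", "dave", doc)        # three hands away from the owner
    for _ in range(4):
        share.read("dave", doc)              # more reads than the audit threshold
    try:
        share.read("eve", doc)               # never granted: the one hard stop
        outsider_denied = False
    except PermissionError:
        outsider_denied = True
    return share.audit(), share.chain(doc, "dave"), outsider_denied


if __name__ == "__main__":
    flags, chain, denied = demo()
    print("audit flags:", flags)
    print("provenance for dave:", " <- ".join(chain))
    print("outsider denied:", denied)
```

The point of the model is the `chain` and `audit` methods: because nothing stops Bob from re-sharing, the value lies in being able to reconstruct afterwards who gave Dave the file and in surfacing the unusual pattern for a human reviewer, which is exactly the trade the paper proposes.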
A newly disclosed SSL security hole allows savvy attackers to inject data into supposedly secure streams of the encryption standard, but while standards bodies and major vendors are quickly working to plug the vulnerability, it seems the attack avenues are currently relatively minimal.
As The Register reported on the SSL bug:
Indeed, Moxie Marlinspike, a security researcher who has repeatedly exposed serious shortcomings in SSL, said the attacks were hard to pull off in the real world, in large part because they appeared to target a rarely used technology known as client certificate authentication.
“It’s clever, but to my knowledge the common cases in which the majority of people use SSL (webmail, online banking, etc.) are currently unaffected,” he wrote in an email. “I haven’t found these attacks to be very useful in practice.”
The security hole has been known since August in some circles, with ICASI (Industry Consortium for Advancement of Security on the Internet) heading up “Project Mogul,” an attempt to roll out an industry-wide set of security patches in a coordinated manner.
Harvard Business has an interesting post by Michael Schrage on how to deal with BlackBerry junkies and other techno abusers, pointing the finger at two pilots who allegedly lost track of their current flight while scheduling future flights via their laptops.
IT is supposed to be about enabling the business, but what happens when it has users hell bent on using good technology to their own or corporate detriment? It’s not a new question: Enabling Internet browsing alone has caused innumerable productivity drains, from hours lost to cat videos and Facebook to more serious corporate threats like making data leakage as simple as sending an e-mail to a personal account.
How much of policing this double-edged sword is IT’s job, and how much is it up to management, HR and other departments? Have you ever had a case where you pushed back? I’d love to hear your thoughts at Michael@ITknowledgeExchange.com.
This is a guest post by Claude Roeltgen, author of the book IT’s Hidden Face. His book tackles the communications gulf between IT … and the rest of the world. Interested in being a guest blogger on the IT Watch Blog? E-mail Michael@ITKnowledgeExchange.com. -MM
“Why?” is the most frequently asked question by people when something goes wrong in real life. Not so in IT – Users never ask this question when something happens. They say “Fix it” and “I don’t want to know what happened.”
Business users like to reproach us IT guys with sitting in an ivory tower using strange gobbledygook. But, let’s face it, they are happy enclosing us there and do nothing to understand the hidden world of IT in a company. “IT” and “problem” are synonyms, and for the vast majority of users, that’s as far as it goes. The public knows more about the biology of deep sea fish than about the internal mechanics of an IT department.
Even the best CIOs get into a defensive position all the time. “Be faster”, “be cheaper”, “reduce complexity”, “you need to understand the business better”, “why doesn’t this work for us?”, “why are we over budget and time?” are heard all the time, but are generally poorly answered. Users tell us “I install software in 10 minutes on my PC at home, why do you need so long?” Defensive fights all the time.
What should we do then to make things better? Well, there are a lot of things we can do. We have to tell the realities of our world in words that every business user will understand, and, no doubt, there’s a lot we can talk about. Like the fact that there are no two identical IT-biotopes and therefore they all have their own specific set of problems. Or that we have to deal with an incredibly immature software industry that delivers new software containing thousands of errors. Let’s tell them that software providers have outsourced quality assurance to their customers. Or that systems presented by providers can sometimes be called more accurately “cheatware” than “software”. We can write newsletters to our users giving them background information in their words about what is happening – we need to have a constant dialogue with our users and we need to be patient with them. We need to explain why we say “no” sometimes. We must become good in marketing ourselves. Today, we leave marketing IT to consultants. And this is not good for us!
Not enough ghosts and goblins running around for you? Just wait: News that Time Warner Cable has deployed a dual Wi-Fi router/cable modem with a gaping security hole should send chills up the most hardened IT professional’s spine.
David Chen exposed the hole, which allows an attacker to remotely log in to a router’s administrative interface and possibly intercept traffic. Since being exposed by Chen, the story has been picked up by Wired’s Threat Level, CNET’s InSecurity Complex, and ITKnowledgeExchange’s own Sister CISA CISSP. The latter noted another particularly spooky aspect of the tale in a follow-up post on the Time Warner security hole:
Lo and behold, I am visited and left a comment by “Adam Wood” defending SMC, and telling me/us what a wonderful job SMC is doing about this issue.
(That’s got to be a really crappy job for a lowly PR flack; surfing the Internet for comments on the SMC modem, and uploading a canned positive comment wherever he can.)
Despite “Mr. Wood’s” comments about how SMC is fixing the problem in an absolutely wonderful way, I admit to some slight cynicism. Especially after reading more from David Chen, the guy who found it in the first place.
It seems that a fix from Time-Warner or SMC seems to consist almost entirely of PR.
Boo! And while it would be easy to respond that users have a responsibility to change their default passwords (they do!), the story goes a little deeper: This is putting sensitive corporate data at risk.
With more and more companies pushing for remote working both as a Swine Flu precaution and a way to cut office costs, an insecure router being pushed out could easily expose data that isn’t properly secured to all sorts of attackers, even those just trolling for random open vulnerabilities, like Chen did.
Fortunately, he also provided some quick fixes as Time Warner Cable works on a fix to push out (or not). Modify slightly and pass on to your users if your employees are working in a Time Warner Cable subscription area:
- Change the default configuration of the routers to use WPA2 instead of WEP for wifi encryption. It’s ok if you don’t want the customers to change their wifi settings, but at least use a key that’s not derived from the router’s MAC address (which is broadcasted over wifi).
- Disable access to the router’s web admin page from outside IPs. The options are in the router (see below), a simple config change would block access to the router from the internet.
- Block traffic to port 8080, 8181, 23 (those are the ports that are open on the SMC8014 routers) at the ISP level. This of course should be a temporary fix until the hardware can be replaced with something more secure.
- Of course the best idea would be to immediately recall those routers and issue your [users] real cable modems and decent wifi routers with good security.
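As an added example (not from Chen, Time Warner or SMC), here is a small Python audit that checks a router configuration against the four fixes above and emits the upstream port block from the third one. The flat-dict configuration format, its field names, the MAC-derivation heuristic and the two sample configurations are all assumptions constructed for illustration; they are not the SMC8014’s real settings or any captured device data.

```python
# Added example: audit a constructed router configuration against the
# four quick fixes above. Field names and the flat-dict format are
# assumptions; they are not the SMC8014's real configuration schema.

# Ports the post says are open on the affected routers.
RISKY_WAN_PORTS = {8080, 8181, 23}


def key_derived_from_mac(passphrase, mac):
    """Heuristic (assumption): treat a key as MAC-derived if it contains any
    run of six or more consecutive hex digits of the MAC, which is broadcast
    in the clear over wifi and therefore gives the key no secrecy."""
    digits = mac.replace(":", "").replace("-", "").lower()
    key = passphrase.replace(":", "").replace("-", "").lower()
    return any(digits[i:i + 6] in key for i in range(len(digits) - 5))


def audit_router(cfg):
    """Return a list of findings; an empty list means all four fixes are in place."""
    findings = []
    if cfg["wifi_security"].upper() != "WPA2":
        findings.append(f"wifi uses {cfg['wifi_security']}; switch to WPA2")
    if key_derived_from_mac(cfg["wifi_key"], cfg["mac"]):
        findings.append("wifi key appears derived from the broadcast MAC address")
    if cfg["remote_admin"]:
        findings.append("web admin reachable from the WAN; disable remote management")
    exposed = sorted(RISKY_WAN_PORTS & set(cfg["wan_open_ports"]))
    if exposed:
        findings.append(f"WAN ports {exposed} open; block upstream until hardware is replaced")
    return findings


def upstream_block_rules(wan_if="eth0", ports=RISKY_WAN_PORTS):
    """iptables rules an ISP or edge firewall could apply as the temporary
    port block from the third fix. The interface name is a placeholder."""
    return [f"iptables -A INPUT -i {wan_if} -p tcp --dport {p} -j DROP"
            for p in sorted(ports)]


# Constructed sample configurations (not captured from any real device).
SHIPPED_CONFIG = {
    "mac": "00:1A:A1:B2:C3:D4",
    "wifi_security": "WEP",
    "wifi_key": "A1B2C3D4E5",          # visibly built from the MAC
    "remote_admin": True,
    "wan_open_ports": [23, 443, 8080, 8181],
}

HARDENED_CONFIG = {
    "mac": "00:1A:A1:B2:C3:D4",
    "wifi_security": "WPA2",
    "wifi_key": "correct-horse-battery-staple-7",
    "remote_admin": False,
    "wan_open_ports": [],
}

if __name__ == "__main__":
    for name, cfg in (("shipped", SHIPPED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_router(cfg) or ["no findings"])
    print("\n".join(upstream_block_rules()))
```

Run as-is it reports four findings for the shipped-style configuration and none for the hardened one; the MAC heuristic is deliberately loose, so treat a hit as a prompt to rotate the key rather than as proof of how the vendor generated it.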
Have a happy Halloween!
Caroline Bender has a wonderful post on the somewhat snarkily titled Business Women’s Finishing School & Social Club about “Youthful Management.” Really, it’s about bridging the generation gap, particularly for those who find themselves employed by younger, perhaps less tactful if more energetic, bosses:
The young must lead because their skills are current, and the mature must advise them based on their experience, because their training is no longer applicable.
This can be unsettling for both parties, who are in such different stages of human development, much less career development, that the gap widens. It can be difficult to report to someone your daughter’s age; it can be even harder to motivate a staffer who has clocked 25 years already.
Ouch, but often too applicable in the often fast-moving world of IT (the COBOL Y2K Renaissance aside). Bender offers some great advice for how older workers can mesh with younger executives, ranging from knowing when to stop trying too hard to fit in, to toeing the line on corporate outings.
Have you found your own job role transitioning due to generational differences, either as a Boomer or a Gen Xer or even a Gen Yer? I’d love to hear what you’ve seen in the workplace, either in the comments or at Michael@ITKnowledgeExchange.com, or @Morisy on Twitter.
Juniper’s currently unveiling their ‘New Network Initiative,’ and there’s no lack of interest. As the normally staid Tom Nolle blogs at Uncommon Wisdom:
We can’t apologize for the characterization here; Juniper announced a radical combination of an extensive service-layer software system and a new semiconductor architecture, taking the most profound step the company has taken since it was founded.
The new chip is a family, the first member of which is Trio. It is based on a “Network Instruction Set Processor” model that builds software on the device using instructions customized for network behavior control rather than general-purpose instructions, as NPs do. In this respect, the chip is almost like an ASIC, but unlike an ASIC it’s programmable at the primitive NISP-instruction level, so new features can be added right down to the instruction level.
That’s the tech speak, but Juniper Networks is using the launch as a chance to re-brand, with a new logo, a flashy advertising campaign and a jettisoning of the “high performance” slogan for a focus on being “the new network”:
(Embedded video: http://www.youtube.com/v/pb48EBFXjys)
And it’s certainly earned the company its share of buzz, including some strong Twitter chatter and the chance to ring the NYSE opening bell. If you’re quick, you can still catch some of the announcement which is being broadcast here. Let me know what you think, either in the comments or at Michael@ITKnowledgeExchange.com. Is this truly a networking revolution?
The latest and greatest Google Android device, the Motorola Droid from Verizon, is coming, and Verizon hasn’t made any bones about what it’s targeting with the high-profile launch: Apple and AT&T’s market share, which has skyrocketed to 30% in the past few years. If they’re successful, it will be one more device IT must learn to manage, along with BlackBerry, Windows Mobile, the iPhone …
No wonder the Droid promotional images look so menacing.
Just in time for Halloween, it looks like Nokia Siemens Networks is trying to re-animate the vision of Microsoft’s decrepit Passport single sign-on system, but this time in the hands of telecom companies. The times sure have changed, but will users be spooked by having their data in the hands of Verizon, AT&T and other service providers?
Out at SuperComm, Nokia Siemens Networks invited me over to hear the latest about its One-NDS subscriber data management platform. One-NDS is in version 8.0, and as the NSN representatives explained it, it has ambitious plans for when it finally grows up: Provide a single sign-on service, managed and maintained by telecoms.
The Nokia Siemens representatives told me the service could allow a user to access the same services, with a single sign-on, from, for example, a home computer, their cell phone and a TV, and pointed to services like Google Apps, Amazon and Yahoo! as potential tie-ins. Eventually, Nokia Siemens hopes, carriers will hold and control all aspects of the “digital self,” giving users a central, secure way to control how their information is being used online, and who’s allowed to use it.
When I asked them why NSN and telecoms would succeed here when Microsoft struggled so mightily, they pointed to a recent global survey they took: 82% of the 9,200 respondents said privacy is an important topic, while 45% responded that they felt like they lack control over their personal data.
But why telecoms? Nokia Siemens had a survey for that, too: They didn’t say that telecoms were trusted or loved by users, but that they were at least more trusted than other industries, including insurance companies, loyalty card providers and the government.
While it’s certainly no small feat to rank better in a survey than an industry satirized for Mafioso shake-downs, I have to wonder if users will really trust an industry that considers nickel-and-diming them standard operating procedure with their most sensitive data in what will likely be a proprietary platform.
Even Microsoft Passport’s descendant, Microsoft Live ID, seems to have learned a lesson in the intervening years: It’s announced support for OpenID, which drops the centralized control in favor of a more open, diverse ecosystem of authenticators and which lately seems to have actually gained some traction as more major online destinations announce their own support for the protocol.