Sad but true.

Charles
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Woodger
Sent: Saturday, March 18, 2017 8:54 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ComputerWorld Says: Cobol plays major role in U.S. government breaches

My gosh, ho-hum, what a bag of nonsense passing itself off as a contribution to research. And then there's the journalism. Tom Marchant phrased it eloque... well, bluntly.

The researchers who wrote the paper, dated March 7, 2017, used a media article to come up with "It's COBOL wot dun it" for OPM, whereas the report "The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation" by the Committee on Oversight and Government Reform, published September 7, 2016, doesn't even mention COBOL.

Journalists (I'm assuming there are more articles, it's "easy" journalism) quote the report, quoting them. Self-referential, self-defining. Just meaningless.

The report on the OPM breach doesn't even go as far as to say that access was gained to a Mainframe (in terms of a hack). What is clear is that the hackers (at least two) spent years, yes, years, wandering about various Windows servers belonging to OPM. They exfiltrated (my word of the day) documents relating to the Mainframe system. Mmm.... PowerPoint, Visio, XLSX, etc...

Enough on OPM. Now, Research is closely related to Brain Science and Rocket Surgery. If you can do it, you're really cool, and will be recognised above the mundane who only have to deal with known facts. However, Bad Research is related to what? Bad Journalism? Great.

Take "security by antiquity". Anyone ever heard of that? I put that into a search box along with the word computer and got 438 results. I put "security by obscurity", a term that I've heard of, and which includes being unaware of the enormous amount of documentation IBM provides publicly, and computer into the same search box and got 38,000 hits (38,417.83 in Research Terms).
So, build a Straw Man, then set fire to him, to general applause.

Take "legacy system". If you are writing for someone else, and you use jargon, or terminology, or concepts which are not clearly defined and accepted, then you define, exactly, how you use those terms. Because otherwise the use is meaningless. Obviously "legacy" means Mainframe/COBOL. Except they talk of migrating "legacy" to the Cloud. So obviously they don't mean Mainframe/COBOL. Or, perhaps more accurately, they have a version of Lewis Carroll's Humpty Dumpty: "any word or phrase means exactly what I mean it to mean at that moment, even if contradicted shortly thereafter, and contradicted further several times later".

In Bad Research, look for figures with pin-point accuracy: "increased by 1,121 percent". Increased by what? What does that final one percent mean? Or even the final 20%?

Let me define "information about computers ages very quickly" to mean "in situations where the fundamentals of what you are talking about change very rapidly, discussion that is five years old may be useless". Let me be generous and extend that to 10 years, else the main publication they refer to, from 2009, is outside the range. Let's say every computer-related paper they reference which is older than 10 years would have to be seriously questioned for its use in this context. Whoops. That puts a lot of stuff under question.

Surely "criminal behaviour" doesn't change so fast? Oooh. Economic criminal behaviour. Relating to hacking. How much does it cost these days to get a domain, a laptop and some hard disks/sticks? So that has changed, as rapidly.

Oooh. Another problem. The whole OPM thing is supposed to be done by either "hacking groups" who just don't like government/business and material consequences are perhaps an aside, or "hacking groups" specifically backed by a certain foreign government.
Neither of these fit into ordinary "criminal" analysis, and no case is made in the research for why anything should fit into the criminal analysis. So scratch all that junk.

Table 4. I can't make head or tail of it, but, at least Table 2 defines incidents. Of the eight categories, four are nothing to do with "cyber criminals": Improper Usage; Unauthorized Equipment; Policy Violation; Non-Cyber Incidents. Taking out all those does what for 1,121 percent?

If the paper were coherent and internally consistent, I'd go on. But it isn't, so I won't.