d10j...@us.ibm.com (Jim Mulder) writes:
> It may depend on which types of risks are being considered. For
> example, would you consider it risky to run a stable but unsupported
> version of Windows on a machine which is connected to the internet,
> since no new security fixes are being provided for that version?
re:
http://www.garlic.com/~lynn/2017d.html#90 Old hardware

we were doing HA/CMP ... some past posts
http://www.garlic.com/~lynn/subtopic.html#hacmp
more recent IBM
https://www.ibm.com/developerworks/aix/library/au-hacmpcheatsheet/
https://www.ibm.com/developerworks/aix/library/au-powerhaintro/

I'm out marketing and coin the terms "disaster survivability" and "geographic survivability" and I get asked to do a section for the corporate continuous availability strategic document ... but the section gets pulled when both Rochester (as/400) and POK (mainframe) complain that they can't meet the objectives. some past posts
http://www.garlic.com/~lynn/submain.html#available

we are doing both technical scaleup ... recent post & ref email end Jan1992
http://www.garlic.com/~lynn/2017d.html#73 US NII
and post about earlier Jan 1992 meeting in Ellison's conference room on commercial scaleup
http://www.garlic.com/~lynn/95.html#13

by the end of Jan1992, cluster scaleup is transferred, announced as IBM supercomputer ("technical/scientific *ONLY*") and we are told we can't work on anything with more than four processors ... we leave a few months later.
IBM press 17Feb1992
http://www.garlic.com/~lynn/2001n.html#6000clusters1
IBM press 11May1992
http://www.garlic.com/~lynn/2001n.html#6000clusters2

two of the oracle people (in the ellison meeting) leave and show up at a small client/server startup responsible for something called "commerce server" and we are brought in as consultants because they want to do payment transactions on their server. The startup had also invented this technology called "SSL" that they want to use; the result is now frequently called "electronic commerce". I have absolute authority over the servers to internet gateway to payment networks, but can only make recommendations about the client<->server interface ... some of which are almost immediately violated, accounting for some number of exploits that continue to this day.
some past posts touching on some client<->server issues
http://www.garlic.com/~lynn/subpubkey.html#sslcerts

A couple yrs later at 1996 Moscone MDC, all the banners say "Internet", but the constant refrain in the sessions is "preserve your investment". The scenario was a paradigm that adds automatically executed scripts to application datafiles in the days of small, safe, business LANs ... but then extended to the wild anarchy of the Internet w/o any additional countermeasures (eventually they add checkers for specific exploit script signatures, while leaving the underlying paradigm unchanged; however the exploit scripts evolve/mutate much faster than the checkers).

At financial conferences later that year, start seeing presentations by dialup online banking operations explaining why they are moving to the internet (savings on enormous customer support costs associated with proprietary dialup infrastructures). However in the same conferences, the dialup commercial, cash-management operations say they will never move to the internet because of a long list of vulnerabilities.

In this period the Internet standards (RFC) author lets me help him with periodically updated/released STD1. He then asks me to do a talk on electronic commerce for USC/ISI and USC computer security graduate department ... which I call "Why the Internet isn't Business Critical Dataprocessing".
http://www.postel.org/postel.html
some stuff I still do
http://www.garlic.com/~lynn/rfcietff.htm

Later the dialup commercial, cash-management operations also start moving to the Internet. Because of exploits the Feds release guidelines that businesses have a dedicated PC for (internet) online banking ... that is *NEVER* used for any other purpose.

past posts mentioning the internet
http://www.garlic.com/~lynn/subnetwork.html#internet

past email mentioning original objective interconnecting the NSF supercomputer centers ...
as the regional networks connect into the centers, it evolves into the NSFNET backbone, precursor to modern internet.
http://www.garlic.com/~lynn/lhwemail.html#nsfnet

in part because of having been involved in "electronic commerce", I'm asked to participate in the (US Financial Standards) X9 organization and the X9A10 financial standard working group that had been given the requirement to preserve the integrity of the financial infrastructure for *ALL* retail payments (not just internet). The resulting standard eliminates nearly all existing exploits (breaches, skimming, eavesdropping, etc) by eliminating the ability of criminals to use previous transaction information for fraudulent transactions (a major use of SSL in the world today is blocking eavesdropping on "electronic commerce" financial transactions, which also would no longer be needed). The problem now is it would be extremely disruptive to existing electronic payment stakeholders.

The current solution seems to be adding ever increasing layers of encryption to hide the information ... we periodically comment that even if the world was buried under miles of information hiding encryption, it still wouldn't stop leaks ... because there are dozens of business processes at millions of locations around the world that require previous transaction information (currently, the data has to be simultaneously readily available at all times and also kept absolutely confidential and never divulged, a dual-use conflict; aka the standard eliminated the dual-use conflict).
old NACHA RFI response (on our behalf by NACHA member)
http://www.garlic.com/~lynn/nacharfi.htm
old reference (gone 404 but lives on at wayback machine) where NACHA (successfully) pilots (for debit) but then no follow-on; 23July2001 item
http://web.archive.org/web/20070706004855/http://internetcouncil.nacha.org/News/news.html
current nacha
https://www.nacha.org/

The TD for the information assurance directorate is doing an assurance session in the trusted computing track at 2001 intel developer's forum and asks me to do a talk on the security chip I've designed; gone 404 but lives on at the wayback machine
http://web.archive.org/web/20011109072807/http://www.intel94.com/idf/spr2001/sessiondescription.asp?id=stp+s13

The guy running TPM-chip is sitting in the front row and I quip that it is nice to see that TPM is starting to look more and more like my chip; he quips back that I don't have 200 people helping me with design. I was planning on getting EAL5 or EAL6 evaluation for the chip ... but then (I believe the agency is behind the) pull of the crypto evaluation test cases from NIST ... and since I have crypto built into the silicon, the best I can do is EAL4-high evaluation (comparable chips are getting EAL6 on silicon and then loading crypto and other software after evaluation).

--
virtualization experience starting Jan1968, online at home since Mar1970

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
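The post's central point, that fraud collapses once a captured copy of a previous transaction is no longer sufficient to make a new one, is easy to show with a toy model. The following is an added example and not part of the post above nor the X9A10 standard's actual design; the post does not describe the standard's mechanism, so this toy assumes a per-account secret held in a cardholder device, an HMAC over the transaction fields, and a strictly increasing counter checked by the issuer. It contrasts that with a static account number that authorises payment by itself, and runs the same three attacker moves (replay, tamper, fresh fraudulent transaction built only from captured data) against both. Account numbers and amounts are constructed sample values.

```python
"""Added example: why eliminating reuse of previous transaction data removes
a whole class of fraud. Constructed toy model, not X9A10's actual mechanism."""
import hashlib
import hmac
import json
import secrets


def canonical(fields: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class StaticCardIssuer:
    """Today's model (simplified): knowing the account number authorises a payment.
    Anyone holding a previous transaction record holds everything needed."""

    def __init__(self):
        self.accounts = set()

    def verify(self, txn: dict) -> str:
        return "ok" if txn["account"] in self.accounts else "unknown account"


class PaymentDevice:
    """Cardholder-side device. The secret never leaves the device; only a
    per-transaction MAC does. (Hypothetical design for this example.)"""

    def __init__(self, account: str):
        self.account = account
        self.key = secrets.token_bytes(32)
        self.counter = 0

    def authorize(self, merchant: str, amount_cents: int) -> dict:
        self.counter += 1
        fields = {"account": self.account, "merchant": merchant,
                  "amount": amount_cents, "counter": self.counter}
        mac = hmac.new(self.key, canonical(fields), hashlib.sha256).hexdigest()
        return {**fields, "mac": mac}


class AuthenticatedIssuer:
    """Issuer that checks a per-transaction MAC and a strictly increasing counter."""

    def __init__(self):
        self.keys = {}
        self.last_counter = {}

    def enroll(self, device: PaymentDevice) -> None:
        # Key provisioning happens once, out of band (assumption of the toy model).
        self.keys[device.account] = device.key

    def verify(self, txn: dict) -> str:
        key = self.keys.get(txn["account"])
        if key is None:
            return "unknown account"
        fields = {k: v for k, v in txn.items() if k != "mac"}
        expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, txn["mac"]):
            return "bad mac"      # tampered or forged without the key
        if txn["counter"] <= self.last_counter.get(txn["account"], 0):
            return "replay"       # a previous transaction presented again
        self.last_counter[txn["account"]] = txn["counter"]
        return "ok"


def run_demo() -> dict:
    """Run the same attacker moves against both models. The attacker's only
    input is a captured copy of one legitimate transaction record."""
    results = {}

    # --- static credential model ---
    static = StaticCardIssuer()
    static.accounts.add("4111-0000-0000-0002")          # constructed sample account
    captured = {"account": "4111-0000-0000-0002", "merchant": "shop-a", "amount": 1999}
    results["static_legit"] = static.verify(captured)
    results["static_replay"] = static.verify(dict(captured))
    results["static_new_fraud"] = static.verify({**captured, "merchant": "shop-b", "amount": 99900})

    # --- authenticated transaction model ---
    device = PaymentDevice("4111-0000-0000-0002")
    issuer = AuthenticatedIssuer()
    issuer.enroll(device)
    captured = device.authorize("shop-a", 1999)
    results["auth_legit"] = issuer.verify(captured)
    results["auth_replay"] = issuer.verify(dict(captured))
    results["auth_tampered"] = issuer.verify({**captured, "amount": 99900})
    # A fresh fraudulent transaction built only from captured data: without the
    # key the best the attacker can do is reuse the old MAC with a bumped counter.
    forged = {**captured, "merchant": "shop-b", "amount": 99900,
              "counter": captured["counter"] + 1}
    results["auth_new_fraud"] = issuer.verify(forged)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:16s} -> {outcome}")
```

In the static model all three attacker moves succeed, which is why the captured record has to be both widely available (refunds, disputes, reconciliation) and absolutely secret, the dual-use conflict the post describes. In the authenticated model the captured record can sit in as many merchant databases as the business processes need, because holding it gives an attacker nothing: the replay is rejected by the counter and the altered or fresh transaction is rejected by the MAC.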