Why did the Intel Itanium microprocessors fail?

I really hate Quora making me join and follow 10 things I don’t care about just to answer this question. What a truly pathetic business model!

The Intel ITANIUM

You are probably too young to know the entire story. It’s one of bribes, misinformation, and corporate espionage on a scale that makes China look small time today. This is the story as I remember it after having lived through it.

The story starts with the Alpha processor and Digital Equipment Corporation. Microsoft had been bribing everyone they could find trying to kill off VMS because their platform could not compete. This extended to outright buying of writers at PC Magazine, one of whom wrote a “comparison” of graphics libraries to the graphics libraries provided by Microsoft. The following month that same writer released a book covering the either unreleased or just released graphics library from Microsoft. I will leave it to your imagination who won the “comparison.” You could also just wade through the massive number of pages of discovery information generated during the Janet Reno investigation.

Microsoft started a well-funded marketing fraud campaign claiming “proprietary bad, open good.” They got the Gartner Group (known for selling whatever they are paid to sell no matter what crime is behind it) to declare Microsoft (the most proprietary operating system in the world at the time) an “Open System,” and the fraud used to justify this was that it could run on both Intel and AMD processors. They did not extend the same courtesy to IBM’s MVS, which could run on both IBM and AMDAHL hardware.

VMS on Alpha and VAX was everywhere. It had found its way into almost every significant machine room in America and many around the world. In a post-Internet world you cannot begin to understand just how big a selling point DECnet was. It could talk to most everything despite all of the proprietary networking protocols in use.

Microsoft wanted its completely insecure viciously bug riddled OS in that machine room.

The fraud and campaign contributions targeted those controlling military and intelligence spending. It involved dark whispers that “that chip is only single sourced.” Thus began the new round of criminal fraud aimed at taking out DEC and, most importantly, VMS. They totally glossed over the fact that AMD was in Germany, so x86 processors would be single sourced during war time. They also overlooked the fact that a billion dollars is tip money to the DOD.

After much wrangling with elected officials Intel got what it really wanted: to be the second source fabrication company for Alpha processors. You see, Intel and HP had spent a decade trying to develop a new 64-bit processor from scratch. Nobody really knows the exact dollar amount, but it is huge. Everyone in IT called Intel a one trick pony. They hit on dumb luck making the x86. After years of telling the world a 64-bit version could not be created, AMD released one. (That’s why you see Linux distros listed as 64-bit AMD and not just 64-bit. Intel had to use the AMD instructions and play catch up.)

HP considered itself an engineering company and it had made some of the best test equipment ever manufactured during the 1980s and early 1990s. Neither they nor Intel had any concept of how to design a new processor from scratch. Stories say Intel kept trying to slip in x86 stuff and HP wanted something which was actually good. (Research SEGMENT:OFFSET addressing for a hint there.)

Now, in another part of the fab plant, they were making Alpha, the best 64-bit processor on the market. Improvements to be made over the next 5 years had already been written and were churning through the development process at DEC. Everybody involved said it would be around 10 years before they would be scrounging for speed and processing improvements or need a new technical wave.

Very secretly, lots of the Alpha internals started walking out of the fab plant door and into the HP-Intel chip. Some say it was basically a new generation of Alpha that Intel and HP were about to unveil. The reality is they got caught red-handed.

DEC was in a bit of financial trouble at the time. G. Q. Bob was an incredibly poor choice for restructuring. He had the cookie cutter MBA mentality of “restructuring.”

Sell off enough of the crown jewels until someone offers to buy what is left of the company.

You can follow the link if you want to read just thumbnails. Basically, many/most believed DEC had Intel so tightly by the short hairs that they would win the entire company in court. Yeah, it was blatant. Did G.Q. Bob do the right thing? No. He cut a deal. The HP/Intel chip could not return execution results in R0 (Register zero) and a host of other changes leaving behind an incompatible and neutered chip. He also sold chip manufacturing to Intel.

MBA view of restructuring, cut all of the $80K and under workers who generate revenue, keep all of management who generate nothing and get paid well north of $100K. Management will save itself at all costs.

Intel and Microsoft had another debtor they could squeeze, Compaq. After the 1997 “deal” moving chip fabrication to Intel, dirty deeds and back room deals got Compaq to buy DEC. The goal was to quickly shut down DEC and put Compaq servers using Intel chips and Microsoft operating systems in every machine room. That’s when Microsoft and Compaq got a hard lesson from the Intelligence community about shutting down a strategic supplier widely used in both intelligence and defense.

Early Itanium chips started being seen in 2001 with full production in 2002. HP tried to force HP-UX customers onto Itanium and they chose to leave HP for another *nix based platform rather than endure the processor. Stories were abundant about early models turning into crispy critters if you tried to run them at their rated clock speed, filling computer rooms with the scent of Itanium Cologne.

Neither Intel nor HP were willing to admit the chip was a total failure. In 2002 HP bought Compaq and almost immediately put a thumb in the eye of the defense industry. They announced they would cease design, sale, and manufacture of Alpha based DEC computers. All users had to use the Itanium based machines they were going to produce and OpenVMS engineering was going to port VMS to the Itanium. Huge outcry came from the VMS community, some of which was still on VAX hardware which also was not going to be maintained or supported anymore. Used Alpha based machines spiked in value. Reports surfaced on just how many years worth of chip improvements were left in the pipeline and on the drawing boards further stoking hatred.

VMS was basically the only OS using Itanium and that was because they had no choice. RHEL stopped supporting the chip in 2007. Debian 7 was the last Debian release to officially support Itanium. Microsoft continued its efforts to get VMS removed from every data center in the world, getting help from HP who ceased development and got rid of OpenVMS Engineering.

The Itanium was over a decade late to the 64-bit party. Big computers didn’t need yet another 64-bit processor. They really needed 128 or 256-bit processors to make the pain of a port worthwhile. Had the Itanium been allowed to be the next generation Alpha it would have been a great chip requiring no port. DEC had unqualified management and Microsoft continued to be Darth Vader incarnate.

In July of 2021, the Itanium will quietly be taken out to the woods and shot. HP and Intel will refuse to publicly admit they failed spectacularly. A group of former OpenVMS Engineering team members formed VSI (VMS Software Inc.) and are porting OpenVMS to the 64-bit x86. VMS was famous for “Up-times measured in decades” but that pretty much ceased with Itanium. It cannot even be dreamed about with x86.


Theranos – How All AGILE Projects End in a Regulated World

It’s rather fitting that this story breaks shortly after I finished the first draft of “The Phallus of AGILE and Other Ruminations.” The tale of Theranos is the tale of every AGILE project in an environment where things actually matter.

At the heart of the problem is the institutionalized belief that it is okay to sell failure. Hell, why wouldn’t they? Look how rich Bill Gates got committing mail and wire fraud hand over fist, putting “Operating System” on the outside of Windows boxes and in every ad when it was not one. Every version prior to Windows NT 3.x was nothing more than a task switching GUI layered on top of DOS. IBM had Presentation Manager on top of OS/2, but they didn’t offer Presentation Manager as an independent operating system. They had ethics; Microsoft did not. Probably still doesn’t to this day.

In order to use AGILE, you have to firmly believe criminal fraud is not only okay, but the preferred method of doing business around the world. At the heart of this belief is a two word phrase:

For Now

Just take this tiny bucket of user stories, work on them for a sprint, code up some Jenkins test scripts which test absolutely nothing and turn it into product for use by paying customers. This is something which is not allowed in the FDA regulated world and shouldn’t be allowed at any business operating in or selling to America.

I’m willing to bet “For Now” is exactly how Theranos got into this fine pickle. Investors screaming for them to go live and start generating revenue meant going live “for now” using the traditional tests. Those developing this be-all and end-all product were working from a single user story without The Four Holy Documents to guide them, fully believing that if they kept hacking at it, the thing would eventually work.

As a clinician I would like to run a full battery of blood tests in half the time at far less than half the cost using as little as one drop of blood.

While that’s an idea, it isn’t sufficient for a project. Those of you looking to learn more about The Four Holy Documents can wait until “The Phallus of AGILE and Other Ruminations” is printed. It’s not a religion unless you consider doing projects correctly one; then, yes, it is a religion and AGILE is this heretical offshoot which has surfaced time and time again trying to justify hacking on the fly. Look up RAD (Rapid Application Development) during the era of DOS. It was later followed by Extreme Programming and now AGILE. I may even have missed a few labels this heretical cult used to market it over the decades.

As an added marketing incentive Extreme Programming adopted the moniker XP which helped sell it to clueless MBAs who knew their company was running the XP operating system so shouldn’t we use XP development practices? Yes, that is the flaw with abbreviations and monikers, like saying the sea is called the sea because you can’t see across it.

So, here we have a company operating by the guiding principle of AGILE, “for now,” burning through cash without having developed an actual product, just like AGILE. The shell game goes on as those in the know pray to various deities that somehow the boys and girls in the lab would get the thing to work. Just one more sprint and this time things will all be fine.

The goal wasn’t bad. Adopting the AGILE mantra of “for now” and going public was. Hopefully their research wasn’t complete shit. If so, I really hope government funded universities around the world will create The Four Holy Documents, determine which steps have and have not been achieved, and continue the missing pieces based on the strengths of each university. The goal was laudable. Everything which happened afterwards wasn’t. Maybe it can’t be done, but that doesn’t mean it isn’t worth a real try.

Those who don’t believe that last statement should read up on the history of glucose meters. They used to be incredibly expensive, take a rather large quantity of blood (for people testing multiple times per day) and, by some accounts, you had to wait somewhere between 1-15 minutes for a result. Today anyone can walk into a drug store and buy a glucose meter for under $50 which uses test strips that need one small drop of blood and gives you the results in 5 seconds or less.

There was a time when getting polyps removed was major surgery you might not live through. Today they make you drink nasty stuff, shit your brains out, and line you up like cars outside of Jiffy Lube on Saturday morning. Anyone who doesn’t get this reference simply isn’t old enough. Wait until you turn 50 for that wonderful experience which is required every 3 years thereafter.


Walmart to Go Out of Business Soon

I have never been a fan of Walmart (WMT). Its enslavement and exploitation of the most unfortunate in the world I have always found repulsive. There are also those persistent rumors that many of those “Made in China” products are actually “Made in North Korea” and sent across the border to China where the only thing China does is slap “Made in China” on them before putting them in a container bound for Walmart. It’s completely logical this is actually happening. When you are a hermit kingdom who can count their trading partners on one hand with fingers (plural) left over . . . whatever finished products you export must either be directly consumed by that trading partner or exported by it to another country. Hellooooooooooooooo Walmart!

Historically I have not liked Microsoft (MSFT). It has committed heinous crimes pushing its bug riddled software into places it should never have gone. It has back stabbed and undermined every partner company in its history. You young kids didn’t live through that history, I did! This happened so much that I and others branded getting in bed with Microsoft as contracting corporate AIDS. Even the financial markets and analysts now take note of how every company which either partners with Microsoft or allows itself to be purchased by it seems to quickly wither and die.

Now it appears LinkedIn and Walmart will soon be joining their ranks. I love this quote from Berko.

LNKD, with zero earnings prospects in sight, isn’t a bargain at $26 billion; rather, it’s an expensive and seemingly frantic gamble. And MSFT has a really stinky record with takeovers and buyouts. Its purchase of Nokia’s handsets quickly morphed into a $7.5 billion write-off. Microsoft bought Yammer for $1.2 billion, which turned into a black hole, and then put $605 million into Barnes & Noble’s Nook e-reader, which flopped, and its Skype purchase is an embarrassing failure.

MSFT paid $6.3 billion for aQuantive, an online advertising company that’s worthless. MSFT bought Visio for $1.4 billion, Navision for $1.5 billion and Tellme Networks for $800 million, and they’re all worthless. During Steve Ballmer’s tenure, MSFT bought 149 companies, and 121 of them have vaporized into the ether. No wonder Ballmer is bald.

And that’s just the recent history. It gets worse the farther back you go. The pre-Janet Reno days were even worse. Of course, Bill and Hillary Clinton stepped in to keep Bill Gates out of prison, where he really should have gone. They’ll help any arch-criminal who can offer a sufficient bribe.

Hopefully you can read this tongue-in-cheek InfoWorld article. It was brought about by Novell (NOVL) trying to get in bed with Microsoft. They tried so hard they halted all DR DOS development while in negotiations. Microsoft then dragged the negotiations out until they finally shipped another version of much neglected DOS.

The business landscape is littered with the carcasses of companies who contracted Corporate AIDS getting in bed with Microsoft. A token few managed to get some long term treatment which allows them to exist today as a mere shadow of their former selves. If you don’t believe that take a look at Novell and Caldera. Word Perfect ruled the word processing market. At one time it was owned by Novell then spun off to Caldera to improve relations with Microsoft. (That tongue-in-cheek article wasn’t so tongue-in-cheek.)

My Berko quote already gives you some idea of what happened to Nokia and Windows mobile. At one time Nokia was the best known cell phone maker in the American market. Motorola, which created the cell phone, had already fallen on hard times.

You can read about Zune on your own time.

So, now we have Walmart, evil empire of labor exploitation and tax loopholes, getting in bed with Microsoft just like Novell, Barnes & Noble and soooooo many others have. Glad I don’t hold any Walmart stock!

A TCP/IP Software Appliance

In the very near future, every viable business class operating system will incorporate a TCP/IP Software Appliance. This is not a firewall. What we have today serving as firewalls may or may not serve any purpose in the future, but one thing is for certain: we cannot solve our security problems via any hacks to our existing socket and IP libraries, nor can security be improved by any future tweaks to SSL/TLS. I have been hearing for some time now that TLS has been breached at the architectural level. I don’t know people high enough up to share any solid information other than to tell me TLS hasn’t been secure for a very long time.

We have a perfect storm creating this security problem and I have been bringing it up on various Usenet newsgroups: worthless secondary education institutions, even more worthless MBAs being churned out by MBA mills like Keller, a general business mindset focusing entirely on this quarter’s numbers, and a judicial system which doesn’t put corporate arch villains in prison. (Just how many Wall Street CEOs and board members went to prison over the mortgage fraud scandal which pulled north of a trillion dollars from the global economy? Just how many people in Wells Fargo upper management went to prison for opening a couple million fake accounts without customer knowledge [1], in many cases ruining the customer’s credit rating?)

Some of the people arguing with me were at one time college professors who themselves are a large part of the problem. Most colleges have become profit driven businesses willing to put the lowest cost body in a chair in front of students whose parents and/or government are paying the full tuition fee.

Oh come on, you’ve all heard the news reports. In order to generate revenue colleges are handing out grants and scholarships to students whose parents can pay for college, or at least most of it instead of the kids whose parents spent their entire lives working for minimum wage. They’ve learned how to squeeze profits out of scholarship dollars.

If a college has a grant program with $100,000 to give, it can give a full ride to one deserving child of minimum wage parentage generating no revenue for the college or it can give $5,000 to 20 students whose parents could pay for college if they had to. Let’s also assume $100,000 gets you through a 4 year degree covering books, tuition and dorm. If they give it to the highly intelligent and deserving child of minimum wage parents, they generate no revenue. Spreading it out across 20 well off students brings in 20 * $95,000 = $1,900,000. Even non-profit state run colleges are for-profit. They just have to spend that money on executive salaries and football stadiums to remain non-profit.

Grant programs are big business for colleges and universities. You make even more money by putting instructors who are “priced right” in front of students instead of instructors who actually know anything. Think I’m kidding? Lovie Smith’s contract approved by Illinois trustees could pay him up to $29 Million with incentives [2]. Why don’t you research just how much they pay instructors teaching COBOL and relational databases?

Anyone who disbelieves that DeVry and Keller are shit schools needs to consider several facts. Fact 1, I am a DeVry alum. Thankfully I went to a high quality junior college first because I learned basically nothing at DeVry other than the fact DeVry sold my financial aid information to credit card companies before I even started classes. Yes, I took a full time job and had my own place to live. Less than two weeks into my living there a Visa application with my name on it showed up. When I say “place to live” I don’t mean an apartment. I mean I was renting out the in-law’s apartment in the attic of a bungalow, not an apartment in a complex. At that time my parents didn’t even have my mailing address because I had just sent them the letter with all my official contact information the day before. Oh, I also learned about student loan debt and how to work a full time night shift then attend classes during the day.

DeVry changed hands several times to lesser and lesser forms of life. I didn’t follow the sorry history of that “educational institution” but I did read this 2017 article stating the current owners had to inject cash into the schools before they could give them to the new owner [3]. That’s right, they had to pay the next lower life form to take them off their hands after having done such a superfabulous job of running them, squeezing every nickel out rather than building something someone could be proud of.

In case there is one person in the universe reading this who doesn’t believe businesses are hyper focused on short term gains to the point of sacrificing all future revenue, I’ll just refer you to this article in the Atlantic [4]. I can also point you to this article where Warren Buffett, one of the most respected business minds of our time, has called for an end to the quarterly focus [5].

Circling in the wall of this storm were “industry analysts” paid to commit fraud on a regular basis. They were paid to whisper in the ear of upper management saying “open good, proprietary bad.” Since they are marketing shills paid to commit fraud instead of actual industry analysts, not one of them bothered to think about security. All they knew was that Syphilis Willie Clinton was promising at the height of his #MeToo violations to spend our tax dollars to create the Information Super Highway making the world a Global Village without a Global Village Council to manage it and they wanted in.

At the crux of this issue are the Linux socket and IP libraries. Real operating system vendors had been focused on highly secure proprietary networking using proprietary and pricey networking hardware. This “open” thing meant using completely insecure software and cheap hardware. It rankled, to say the least. Then, of course, there was the blatant criminal fraud of “industry analysts” branding Microsoft operating systems, the most proprietary operating systems in the world, as “open.”

Even if you are a non-technical person who can barely operate a flip phone, you’ve heard about data breaches leading to massive identity theft. These breaches happen in large part because there is no way to secure *nix based IP communications. The simple reality is that the complete anarchy of *nix based IP libraries and applications means there is absolutely no way to know for certain all of the IP ports your application uses. After you scour hundreds of directories looking for cryptic text based configuration files, you still can’t be certain that is all the ports your applications use unless you read each and every line of the application and all supporting libraries yourself.

The simple fact is that *nix does it wrong and every platform which copied the *nix libraries in order to be “open” has also done it wrong.

*nix, and in particular Linux, grew without the slightest input from an architect as to its design. Much of the code was/is hacked out by 12 year old boys who wrote something because they thought it would be kewl.

The TCP/IP library, and to some extent the sockets library, grew like mold. No planning and no thought whatsoever to security in an OS developed in complete anarchy.

The bulk of today’s security breaches/mass identity thefts are a direct result of said growth of mold. __ANY__ application can open a port and communicate to the outside world. There is virtually no control and even if you manage to find all of the configuration scripts for package-a, unless you look at the code you cannot be certain that is all the ports it uses.

In a scant few years, platforms which do not totally abandon the *nix sockets and IP libraries will become “non-strategic” in Gartner speak. The financial and criminal penalties are being raised world wide even now. The GDPR is just the beginning [6].

Carrying with it fines of 20 million Euro or 4% of gross income, whichever is greater, it is a great way for broke governments to balance the books without angering taxpayers. Other countries will be following suit in just a few years, if for no other reason than to stand in line to get a check after the EU prosecutes some corporation.

While I disagree with the last bullet on slide 17 of this presentation [7], page 19 makes a good point fingering AT&T. This is where implementation went off the rails.

From what I’ve read both IBM and Unisys have gone down the TCP/IP Software Appliance road: a central point all programs must connect with to communicate on the network. This point is built into the OS in such a way that no application can open its own little IP socket. Not something blocked with a priv which can be gotten around; the capability has been physically removed.

I had occasion to revisit some information in my award winning Service Oriented Architecture book [8]. Around page 150 I had the entry for a service I created as part of the book. You see, DEC (Digital Equipment Corporation) was decades ahead of the curve. They started down the path of a TCP/IP Software Appliance: one central place to configure and provide all IP services. The original intent was that no application would have direct access to the network. All applications would have to connect with services defined within the appliance. They had the inbound side of this almost perfect before the big push for “open” (read that as insecure) standards.

When defining an inbound (receiving) communication service you flagged it as a “listener.” You also set a limit to the number of service instances which could be active at any one time. When a new connection comes in the TCP/IP Software Appliance looks for an active yet idle service to assign the communication to. When it doesn’t find one it checks the current active count against the limit. (This gives you throttle control so one service cannot eat your box.) If you are below the limit it spins up a new service to handle the communication; otherwise that connection request waits until something frees up.

The page in this book isn’t wide enough to provide a good screen shot so here is a screen scrape:

Service: MY_H_SERVICE
                           State:     Enabled
Port:             4445     Protocol:  TCP             Address:  0.0.0.0
Inactivity:          5     User_name: HUGHES          Process:  MY_H_SERVICE
Limit:               5     Active:        0           Peak:         0
 
File:         DEV_DSK:[HUGHES]MY_H_SERVICE.COM
Flags:        Listen
 
Socket Opts:  Rcheck Scheck
 Receive:            0     Send:               0
 
Log Opts:     None
 File:        not defined
 
Security
 Reject msg:  not defined
 Accept host: 0.0.0.0
 Accept netw: 0.0.0.0

You will notice I also highlighted the two Accept lines at the end. Each service can define a list of hosts and networks which can use it. This is a night and day contrast with the hosts file on Linux. Each service chooses what can connect with it and it is all in one simple location with a pretty complete tool to maintain it.
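As an added example (not code from the book or from the TCPIP product), here is a Python model of the admission logic described above: it parses a service listing in the format of the screen scrape for Port, Limit, Flags and the two Accept lines, then routes every connection through the appliance, reusing an idle instance, spawning below the limit, or queueing at it. The listing below is constructed; its narrowed accept-list addresses and the CIDR spelling of the network are assumptions of this example, not TCPIP’s own notation.

```python
import ipaddress
import re
from collections import deque
from dataclasses import dataclass, field

# Constructed listing in the format of the MY_H_SERVICE screen scrape.
# Accept lists are narrowed so filtering is visible (the original used
# 0.0.0.0, which means "any"); CIDR for the network is this example's choice.
SERVICE_LISTING = """\
Service: MY_H_SERVICE
                           State:     Enabled
Port:             4445     Protocol:  TCP             Address:  0.0.0.0
Inactivity:          5     User_name: HUGHES          Process:  MY_H_SERVICE
Limit:               5     Active:        0           Peak:         0
File:         DEV_DSK:[HUGHES]MY_H_SERVICE.COM
Flags:        Listen
Security
 Reject msg:  not defined
 Accept host: 10.1.2.3
 Accept netw: 192.168.0.0/16
"""

ANY = ipaddress.ip_address("0.0.0.0")


@dataclass
class Service:
    name: str
    port: int
    limit: int
    flags: set
    accept_hosts: list
    accept_nets: list
    busy: int = 0                      # instances currently serving a connection
    idle: int = 0                      # instances up and waiting for work
    peak: int = 0
    waiting: deque = field(default_factory=deque)   # requests held at Limit

    @property
    def active(self) -> int:           # the "Active" figure in the listing
        return self.busy + self.idle


def _field(pattern: str, text: str) -> str:
    m = re.search(pattern, text, re.MULTILINE)
    if not m:
        raise ValueError(f"missing field: {pattern}")
    return m.group(1)


def parse_service(listing: str) -> Service:
    """Extract the admission-relevant fields from one service listing."""
    hosts = re.findall(r"^\s*Accept host:\s+(\S+)", listing, re.MULTILINE)
    nets = re.findall(r"^\s*Accept netw:\s+(\S+)", listing, re.MULTILINE)
    return Service(
        name=_field(r"^Service:\s+(\S+)", listing),
        port=int(_field(r"^Port:\s+(\d+)", listing)),
        limit=int(_field(r"^Limit:\s+(\d+)", listing)),
        flags=set(_field(r"^Flags:\s+(.+?)\s*$", listing).split()),
        accept_hosts=[ipaddress.ip_address(h) for h in hosts],
        accept_nets=[ipaddress.ip_network(n, strict=False) for n in nets],
    )


def host_allowed(svc: Service, src: str) -> bool:
    """Per-service accept list: 0.0.0.0 in either list means any host."""
    ip = ipaddress.ip_address(src)
    if ANY in svc.accept_hosts or any(n.network_address == ANY for n in svc.accept_nets):
        return True
    return ip in svc.accept_hosts or any(ip in n for n in svc.accept_nets)


class Appliance:
    """The single point every inbound connection must pass through."""

    def __init__(self, services):
        self.by_port = {s.port: s for s in services}

    def connect(self, port: int, src: str) -> str:
        svc = self.by_port.get(port)
        if svc is None:                      # nothing else may listen on a port
            return "refused: no service on port"
        if "Listen" not in svc.flags:
            return "refused: outbound-only service"
        if not host_allowed(svc, src):
            return "rejected by accept list"
        if svc.idle:                         # prefer an active yet idle instance
            svc.idle -= 1
            svc.busy += 1
            return "assigned to idle instance"
        if svc.active < svc.limit:           # below Limit: spin up a new one
            svc.busy += 1
            svc.peak = max(svc.peak, svc.active)
            return "spawned new instance"
        svc.waiting.append(src)              # at Limit: hold the request
        return "queued until an instance frees up"

    def finished(self, port: int) -> str:
        """An instance completes its connection and frees up."""
        svc = self.by_port[port]
        svc.busy -= 1
        if svc.waiting:                      # hand it straight to a waiter
            svc.waiting.popleft()
            svc.busy += 1
            return "reassigned to waiting connection"
        svc.idle += 1
        return "instance idle"
```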

Admittedly, this was a baby step application near the beginning of the book. If you are interested in the entire application please legally obtain a copy of “The Minimum You Need to Know About Service Oriented Architecture.”

$ type sys$login:my_h_service.com
$ lf[0:7] = 0x0A
$ cr[0:7] = 0x0D
$!
$ open/read/write net sys$net
$ write net "<HTML>"
$ write net "<HEAD>"
$ write net "<TITLE>OpenVMS</TITLE>"
$ write net "<BODY>"
$ write net " "
$ write net "<p style=""font-size:150%"" >"
$ write net "Providing port services before there was SOA</p>"
$ write net "<p><B>How do you like those apples?</B></p>"
$ write net "</BODY>"
$ write net "</HTML>"
$ write net "Just some ordinary text"
$ exit

A bit later in the book on a different service I had a BASIC program which could be spun up and interact with the port. Here are a couple of interesting snippets.

   OPEN "SYS$NET" AS FILE #net_chan%,      &
        MAP PORTINMAP
...

 A930_USER_INPUT:
930 L_TRY_COUNT = 0%
    WHEN ERROR IN
        PRINT "Reading input"
        L_TRY_COUNT = L_TRY_COUNT + 1%
        L_ERR% = 0%
        GET #net_chan%
    USE
        IF L_TRY_COUNT < 1000%
        THEN
            SLEEP 1%
            PRINT "Trying again"
            RETRY
        ELSE
            L_ERR% = ERR
            PRINT "Tried 1000 times to read from internet"
            PRINT "Quiting with error "; L_ERR%
        END IF
    END WHEN

    RETURN

When the program providing the service is launched by the TCP/IP Software Appliance it executes in a process where the logical SYS$NET is defined to be the stream servicing the network communication. You open it just like any other file/stream.

The second snippet just shows the loop which tries up to 1000 times to read from the stream. This is 1000 times per call of the subroutine, not 1000 times total.

You should notice the application has no concept of transport layer security. It has no concept of networks or the Internet. Why? Because all of this must be done by the TCP/IP Software Appliance. No application should ever have any concept it is communicating over the Internet or local network. The only security the application should know about is application level security, be that message encryption, secondary user authentication, or some other thing we have yet to define which has nothing to do with transportation.

Please take a moment to look back at the definition for MY_H_SERVICE. Notice that last major heading: Security.

For connections VMS applications don’t initiate, VMS did it correctly. TCPIP itself just needs a few tweaks. For existing Listener type services it needs:

/SECURITY=NONE, TLS, whatever

/CREDENTIALS=(TYPE=TLS, SOURCE=blah, …)

/whatever_other_supported_transport_security_data_needed

TCPIP itself should be handling all of the transport layer security. The TLS stuff could even be added to the /FLAGS if that made life easier. There is already proxy stuff there.

Additionally, to support outbound only communications it needs

/NOFILE

/FLAGS=(Writer) – which turns off Listener

The combination of these two (plus whatever security) would create a service on a port which refused all inbound connections but could be utilized via either a LIB$ or SYS$ call from descriptor based languages.

LIB$GET_WRITER_SERVICE( SERVICE_NAME by DESC,
                        DEST_HOST_NAME by DESC,
                        DEST_HOST_SERVICE by DESC,
                        DEST_PORT by DESC optional,
                        LOGICAL_NAME by DESC optional)

The port would be needed to support IPv4 services without names. The logical name would be a process level logical to assign the value. If not provided should default to SYS$NET_OUT. Well, I assume SYS$NET is process level, if job level, fine.

Every descriptor based language which needs to initiate outbound communications could just call this, completely oblivious to the transport layer security and upon success,

     OPEN logical_name$ FOR OUTPUT AS FILE # rpt_chan%

In case I lost the PC crowd, most real operating systems pass parameters by descriptor. It’s a pointer to a structure which tells both sides what the data type of the parameter is, its location, size, organization, etc. There is one common base structure which matches the beginning of all larger descriptor structures. The type of the descriptor defines the size of the descriptor. This is why you can write subroutines/functions in C, BASIC, COBOL, FORTRAN, etc. and call them from each other without having to do anything kinky in the code. There is no chance of overrun or missing null terminators or any of the other penetration techniques you hear about on lesser operating systems.

Now, if there are technical reasons GET_WRITER_SERVICE needs to be SYS$ instead of LIB$, that is fine. What matters is that an application should have no knowledge of transport layer security and no ability to create its own connection. If security needs to switch from NONE to TLS to LEFT-HANDED-MONKEY-WRENCHES, so be it. The service definition changes and the application goes merrily on its way.

While much of this conversation has occurred from the VMS operating system point of view, it is what every operating system must do. Now that the EU Global Privacy Law [9] is a reality it won’t take long for the simple wording of the law to be interpreted by the courts as

If you have a breach which wasn’t someone writing a password on a yellow sticky, you didn’t take adequate security measures.

In under three years there will be two classes of operating systems in data centers.

  1. Operating systems with a built in TCP/IP Software Appliance.
  2. Operating systems the business is quickly divesting itself of due to legal liabilities.

I’m not really good with the Dia drawing tool. I wanted to put the programs and appliance in a box but couldn’t make it work. In short, this is how the flow must go in the future once all viable operating systems implement the TCP/IP Software Appliance.

All applications will establish connection with the software appliance utilizing whatever services it has defined. The software appliance will handle all transport layer security which may also include first level user validation. The applications themselves will have no knowledge of the network.

What I mean by first level user validation is that Security heading in the configuration may specify a user database and handshaking method where, upon connection attempt, the outside world will pass in a username and password in some agreed upon encrypted format. The actual service or program on the other side may have additional username and password security which must also succeed before full communication occurs.

Your application simply does what it does. What is on the other side of the software appliance does not matter; that is the responsibility of the TCPIP package. Whether it is no security, the ever insecure TLS, the new security plug-in not yet identified as insecure, or the next one not yet identified as insecure, all of that is the responsibility of the TCPIP.

Application level security is handled by the APP. If it needs a 3-level key exchange, then it does the key exchange reading and writing from that stream. If it needs to perform a multi-layered lossless encryption understood by the receiving app before sending it through the communications channel, so be it.

One should not really mention either REST or JSON when discussing security. Within two years REST will be both a memory and a banned practice [10]. The land of anarchy and 12 year old boys cannot adhere to an enforceable standard.

Even though the perfect OOP exists for networking, and it does in the Qt networking and QIODevice based classes, saddling a non-embedded application with that responsibility is an architectural crime against humanity. It also makes it physically impossible to verify system security. This is the primary reason so many *nix and Windows based systems are constantly breached. Now you don’t have one software appliance through which everything must get, you have 5000 programs, most of which coded by the lowest cost off-shore labor one could find, all with gaping bugs and security holes.

The 12 year old boys all code for their one PC. Even the Windows developers aren’t any better. None of them ever grasped file versioning or what is required to play at the midrange and up level. Exposing customer data to breaches on a program by program basis is the horrific idea put forth by these 12 year old boys. There is no singular point where you can shut it down or control it.

RSYSLOG, currently the most popular Linux system logger, is a great example of this tragedy. The “default” configuration is not to accept messages from remote systems. Your TOTAL control over this is (on Debian based systems) in /etc/rsyslog.conf

#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

That’s it. 2 lines for TCP and 2 other lines for UDP. No “allowed networks”, “allowed hosts” or anything else. Even if they _had_ provided something in the configuration, you would still have a viciously insecure system people were running around calling secure. Someone would have to find each and every config file, no matter what it was called or where it was stored, to determine what is getting in from where. A physical impossibility to maintain.

Ubuntu tried to address this issue with an ill-fated release where they shipped UFW, unannounced and enabled. Nothing worked. The Ubuntu Fire Wall blocked everything. Mass outrage. Only people with another system that could actually reach the Internet found the message about how to disable the firewall.

Midrange and higher class systems need a manageable, fully tested appliance through which all things go.

TCPIP> show service/full syslogtcp
 
Service: SYSLOGTCP
                           State:     Enabled
Port:              601     Protocol:  TCP             Address:  0.0.0.0
Inactivity:          0     User_name: UCX_SYSLOGD     Process:  SYSLOGTCP
Limit:              12     Active:        2           Peak:         4
 
File:         DEV_DSK:[UCX_SYSLOGD]SYSLOGTCP_STARTUP.COM
Flags:        None
 
Socket Opts:  Rcheck Scheck
 Receive:            0     Send:               0
 
Log Opts:     Acpt Actv Dactv Conn Error Exit Logi Logo Mdfy Rjct TimO Addr
 File:        DEV_DSK:[UCX_SYSLOGD]SYSLOGTCP.LOG
 
Security
 Reject msg:  not defined
 Accept host: 0.0.0.0
 Accept netw: 192.168.1.0:255.255.255.0

There is only one place to look to find what network and host can reach what service. There are flags and logging and all kinds of other things to help with security. None of that stuff exists in *nix. I ass-u-me none of that stuff exists in Windows, but wouldn’t know.

Professionals don’t use Microsoft products.

A simple stream/file based API exists between the program on VMS and the TCPIP Software Appliance on VMS.

The systems manager configures whatever he/she needs to configure for services, allowed networks, ports, flags and protocol level security method of the week. They can change protocol security method of the week every other day if they wish. The App doesn’t care. If the service decides to allow insecure TLS methods 1, 2 and current, then they enable all three on the service definition and the TCPIP Software Appliance uses the various plug-ins to communicate accordingly to each connection.

The outside world runs whatever the Hell the outside world runs, security and integrity be damned.

This is far more secure than anything I’ve heard talked about before. Made even more secure by the fact your programs on the back side can run as regular ordinary users without need for the privs of God.

Here’s a really great thing. Go pull down the Freeware SYSLOGD code. The only reason it runs is because it runs with the privs of GOD. It passes hard coded quoted text strings into routines which thump new values into them. An ordinary user gets an access violation extraordinaire. Running under do-anything-you-want you don’t even get a ripple.

Personally I’m used to such software appliances. MQSeries, mqtt, that COOA object message queuing thing whose name I don’t remember and many others. All software appliances. How they do what they do, the APP doesn’t care. We do an OPEN. We do a PUT/Write or a Read if either ReadyRead or ReadyWrite is set. We close when the app has decided to stop talking.

MQSeries has been on VMS for many years now. Mqtt and COOA were all on various *nix flavors. Why? Because people realize that *nix did it wrong and propagating really bad sh*t isn’t going to move an industry forward. Even creators of Web pages and Web services are starting to use mqtt [11].

Why?

Because *nix did it wrong.

Yes, the GDPR, the first of many such laws to come, when fully enforced, will force the Keller MBA mentality (run your company on the cheapest piece of shit off a Walmart shelf, operated by the lowest wage worker found anywhere on the planet) to change and focus, once again, on quality products operated by skilled labor.

In the 1970s and 1980s businesses believed, and rightly so, their software systems provided a competitive advantage in the marketplace. Their custom written systems allowed them to conduct business in ways competitors could not.

Then we had the rise of the worthless cookie cutter (notably Keller) MBAs. They weren’t going to start off in the mail room and learn what a company actually did, THEY WERE MANAGEMENT! This necessitated every company being the same, otherwise these MBAs would be, justifiably, unemployed. Thus came the rise of OTS and totally untested “Turn the Knob” software in an effort to make every company be the same so that the output of the MBA mills could find employment. MBAs from Keller are the management equivalent of H-1B workers for those not from America.

This race to the bottom started in the 1990s and continues to this day: filling data centers with worthless x86 computers running free/low cost operating systems with known 8-lane wide security holes, hoping to avoid prison when the big breach happens.

A firewall couldn’t protect Equifax from the Keller quality MBAs running the company.

The TCP/IP and Socket libraries must be purged from any new OS release. A TCP/IP Software Appliance which provides a stream/file level interface, removing all port creation and transport layer security is the only way forward.

It’s up or out in IT, but many, like WANG Computer of days gone by, are clinging to an obsolete one trick pony.

Expires Faster Than Milk

It’s amazing how quickly things become useless and outdated on the Internet. What is worse is people usually choose one of the first five search results and consider it Gospel no matter how horribly out of date it is. Recently I got a bit nostalgic for some of the DOS work I used to do. Greenleaf libraries were a mainstay in my development tool chest no matter what compiler I was using.

Their CommLib product was awesome. Data Windows provided a rather great ASCII graphics mouse enabled user interface. The Greenleaf Database library was also quite a treasure. I never owned a copy of their Functions or Super Functions products. Part of me wonders if that isn’t what morphed into the Boost library or at least the inspiration behind it.

Kids today don’t understand. They come to C/C++ with quite an arsenal of string, date, and time functions. It wasn’t always so. In the early days we were all rolling our own. Part of it was ego, but the major part was compiler vendors didn’t provide much in the way of support and there was no standard. You also aren’t old enough to remember when Janet Reno, with Hillary Clinton whispering in her ear, committed a crime against the human species by not putting Bill Gates in prison AND allowing Microsoft to trademark Windows in the software world DESPITE numerous DOS based windowing libraries predating the Microsoft claim.

The result of this was Microsoft’s lawyers sending threatening letters to each and every software vendor with “Window” or “Windows” in their product name even when that product existed years before Microsoft shipped Windows. Most of these companies were small so the threat of an 800-pound gorilla was enough to get them to pull the product. I don’t know of one which renamed their product and kept going. I don’t believe this round of Microsoft criminal activity allowed for that option.

These threats went deep. Like Jihadists trying to purge all historical artifacts which disprove their claim, the legal threats and historical destruction ran amok with the blessings of both the Clintons and Janet Reno.

screen shot

I clicked on some of those Dr. Dobb’s links and they don’t work anymore. The Dr. Dobb’s site still exists and is being archived for posterity, but those links don’t work. It appears that only Google’s blatant for profit copyright infringement has thus far escaped the purge of the Microsoft lawyers.

books links

I clicked on some of those books.google.com links and they worked. That EDM2 link worked as well. There they flag all Greenleaf products as “discontinued.” That’s been both true and false over the years. Greenleaf folded up, for a few years, then, some other shop began selling at least the database library and perhaps a few others. Then I lost track of it.

Part of this mental journey came from wondering if any of the Functions or Super Functions would still serve a purpose today as well as very fond memories of CommLib, having exchanged many emails with Mark, Ruby and I believe someone named Billy back in the day. Putting it mildly, I was probably viewed as a support nightmare. I was replacing burnt EPROM embedded systems with cast-off PCs running DOS so I was pushing the libraries. I was also using the much stricter Watcom and they were using the rather lax Borland.

While, technically, CommLib is “discontinued,” I happily found Mark Nelson’s “Dr. Dobb’s” article about “Any Serial Port.” At some point I know I’m going to find myself on an embedded Linux project which isn’t using Qt and I will be more than willing to take a serious look at what the project has to offer.

If submitting stuff to the Qt project wasn’t such a royal pain in the ass, I might even be willing to hack the QSerialPort class to give it the features everyone needs. Features CommLib had back in the days of DOS. A double ring buffer which understands the concept of a record, be it a fixed length record, or one bounded by begin and end characters. Doesn’t matter if you are reading from a truck scale or some other source, everyone needs that.

Hey, while I’m on the topic, I certainly hope vendors of truck scales have finally stopped several bad practices. CommLib, at the time, didn’t recognize multiple character begin and end markers. Scale vendors would do one of two things:

  1. Put the CRC byte in front of the ending byte without restricting the range of CRC values so it could have the same value as the ending marker.
  2. Put the CRC byte after the ending marker so your “record” logic couldn’t retrieve everything it needed to process the read without doing an extra one-byte read.
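As an added example (not CommLib or any scale vendor’s code), here is a C record framer that copes with both vendor practices just listed: when the CRC byte precedes the end marker it only accepts an ETX whose preceding byte checks out as the CRC of everything before it, and when the CRC follows the end marker it waits for that extra byte. The one-byte XOR CRC, the STX/ETX values and the sample streams are assumptions made for the example.

```c
/* Record framer for STX/ETX scale packets in two wire formats (added example).
 * mode 0: STX payload CRC ETX  (CRC byte not range-restricted, may equal ETX)
 * mode 1: STX payload ETX CRC  (record incomplete until the byte after ETX)
 * The CRC is an assumed one-byte XOR over the payload; real scales vary. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
enum { STX = 0x02, ETX = 0x03, MAX_REC = 64 };

typedef struct {
    uint8_t buf[MAX_REC];            /* bytes received after STX */
    size_t  len;
    int     in_frame, crc_after_etx; /* crc_after_etx: 0 = mode 0, 1 = mode 1 */
} framer_t;

static uint8_t xor_crc(const uint8_t *p, size_t n) { uint8_t c = 0; while (n--) c ^= *p++; return c; }

/* Feed one byte as it arrives from the port. Returns the payload length once
 * a complete, CRC-valid record has been copied to out[], otherwise 0. */
size_t framer_feed(framer_t *f, uint8_t b, uint8_t *out) {
    if (!f->in_frame) { if (b == STX) { f->in_frame = 1; f->len = 0; } return 0; }
    if (f->len == MAX_REC) { f->in_frame = 0; return 0; }  /* runaway frame, resync on next STX */
    f->buf[f->len++] = b;
    if (f->len < 2) return 0;
    size_t  plen = f->len - 2;                 /* payload excludes CRC and ETX */
    uint8_t crc  = f->crc_after_etx ? f->buf[plen + 1] : f->buf[plen];
    uint8_t end  = f->crc_after_etx ? f->buf[plen] : b;
    if (end != ETX) return 0;                  /* still mid-record */
    if (xor_crc(f->buf, plen) != crc) {
        /* mode 1: corrupt record, drop it. mode 0: that "ETX" was most likely the CRC byte itself, keep going */
        if (f->crc_after_etx) f->in_frame = 0;
        return 0;
    }
    f->in_frame = 0;
    memcpy(out, f->buf, plen);
    return plen;
}

/* Push a whole byte stream through a fresh framer: returns the number of valid records, last payload in out[] */
size_t framer_run(const uint8_t *s, size_t n, int mode, uint8_t *out, size_t *outlen) {
    framer_t f = { .crc_after_etx = mode }; size_t count = 0, r;
    for (*outlen = 0; n--; s++)
        if ((r = framer_feed(&f, *s, out)) > 0) { count++; *outlen = r; }
    return count;
}

/* Constructed samples (not captured from real hardware). Payload "AB" has XOR CRC 0x03 == ETX. */
const uint8_t STREAM_CRC_BEFORE[] = { STX,'A','B',0x03,ETX, STX,'1','2','3','0',ETX };
const uint8_t STREAM_CRC_AFTER[]  = { STX,'A','B',ETX,0x03, STX,'9',ETX,'9' };
```

A naive framer that stops at the first ETX would return "A" with a failed CRC and lose the "AB" record entirely; the check on the preceding byte is what recovers it.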

For those of you who don’t think it is a problem, try holding, within the limits of 16-bit DOS, the configuration information for 7 different scale brands, each one of which uses a different packet format, baud and frequency rate. Any one of these scales can be on any port.

Damn! I was a geek back then.

I do hope the Greenleaf crew has prospered in their lives after Greenleaf. I have fond memories of all the misspent hours in front of my AST Premium 286 putting their products to work.

Information, like youth, really does expire faster than milk.