Bitcoin Needs a Mainframe
The MTGox exchange and Instawallet, which both deal in Bitcoins, are suffering security-related outages. The whole currency declined in value as a result, and the attacks may be a way to manipulate the value of the currency.
by Timothy Sipples | April 5, 2013 in Business Continuity, Security
LinkedIn Needs a Mainframe
Hackers have stolen over 6 million user passwords from LinkedIn, a popular social media site catering to business professionals.
UPDATE: eHarmony needs to marry a mainframe, while Last.fm needs to tune into a mainframe.
by Timothy Sipples | June 6, 2012 in Security
EMC VMware Needs a Mainframe
Somebody stole VMware's source code — the company's most valuable (really only) trade secret — and it showed up on the Internet. I guess that's one way to open source your product.
Oh, the irony!
For the record, I think VMware is a reasonably good product for what it does — although there are plenty of fine X86 virtualization solutions, like KVM — but mainframes are different and special. It's the combination of hardware and software, focused by design on the same goals and outcomes, that matters. (See also: Apple.)
by Timothy Sipples | April 25, 2012 in Security
STASH: A "Skunkworks" Project for Secure Clients?
Joe Clabby reports on a (formerly) secret project to use IBM mainframes for virtual hosting of secure desktop environments. It's a fascinating read.
by Timothy Sipples | April 23, 2012 in Analysts, Future, Innovation, Security
Utah Department of Health Needs a Mainframe
Hackers, perhaps from Eastern Europe, stole the personal details of over 24,000 of Utah's Medicaid beneficiaries from a "server" operated by the Utah Department of Technology Services.
DTS has an "interesting" perspective: "The health department uses 125 of the state’s 520 servers.... 'We pride ourselves on our lean government.'" Those numbers are certainly not "lean" if you have mainframes. Raise your hand if you have 520 or even 125 mainframes. Oh, and I seriously doubt the State of Utah has 520 servers. Those are only the ones DTS knows about, and maybe not even that. For example, I doubt it includes servers at Utah's public universities.
The Utah DTS spokesperson goes on to imply that the solution to secure all those "lean" servers is...to hire more IT staff.
by Timothy Sipples | April 8, 2012 in Security
My Mainframe-Related Pet Peeves
In no particular order:
- "Green screens" are good enough. No, they're not. Do you force your users to submit their input and receive their output via punched cards? User interfaces change and evolve, and appearance often matters. Stanford's IBM mainframe served the world's first interactive Web application. If you haven't provided Web user interfaces on your mainframe to serve users' demands, what on earth are you waiting for?
- Everyone must use Web interfaces. Some users prefer to continue with their familiar, fast, and efficient 3270 terminal user interfaces. Let them coexist. One size does not fit all.
- We haven't implemented encryption yet. Every mainframe has built-in encryption support. Why are sensitive account numbers, Social Security numbers, credit card numbers, financial details, and passwords still flying around your network, internal and/or external, "in the clear"? Turn encryption on. Just do it.
- FTP overuse. FTP is not an application integration solution! Connect two applications using FTP and you've automatically converted two or more business process steps into a "we might get around to it, eventually, if you're lucky" business process. Do you think your customers want that? And why are you copying all that sensitive data anyway? To make it easier for bad guys to get?
- We don't allow TCP/IP connections to our mainframe "for security reasons." Congratulations, that "security" policy inevitably leads to the least possible secure environment you can imagine as the business finds every possible workaround to keep doing business — a true security nightmare. Let the z/OS Security Server and RACF do their jobs, please.
- "Open" platforms and storage. If you connect exactly the same storage unit on your SAN (that you're already using for everything else) to a z/VSE system in exactly the same way, does that suddenly make your storage unit "closed"? If you're one of the people responsible for typing in activation keys to make sure Microsoft Windows can actually function, are you the same person who thinks that z/OS and Linux on z, both of which eschew keys, are "closed"? Words should have consistent meanings. Many IT vendors have thoroughly debased the word "open," and some of us have fallen for that particular word game. It's past time they stop — and that all of us wise up.
- "Mainframes are expensive." You know what's expensive? Not knowing the value of your financial holdings during a financial crisis because you've scattered bits of your portfolio records into little servers — that's expensive. Letting unreleased Michael Jackson records escape before you can monetize them. Billions of dollars of credit card fraud. Building yet another massive data center. Paying for 60 more licenses of Brand O middleware (this week). Adding another 20 staff to your payroll (this week) to support the IT mess you've implemented. You know what's not expensive? Mainframes. Stuff that works well isn't expensive.
- "But that would require us to add MIPS...." So what? Business growth is never free, but it's darn inexpensive if it's a mainframe that's growing. And do you see MIPS listed as a currency, next to the yen, dollar, euro, and pound? It's not. IBM has different prices for different workloads.
- Mainframe chargeback regimes. Everybody does them wrong. It's only a question of how wrong. Just because a mainframe, as a standard feature, lets you count and apportion various technical quantities like CPU-seconds doesn't mean they have much cost accounting significance. You certainly shouldn't be putting prices on those technical quantities while everything else in your data center (and beyond) remains uncounted, nor should those prices be different than true marginal costs (which can often be zero or near-zero).
Do you have any more I should add to the list?
by Timothy Sipples | March 7, 2012 in Economics, Financial, Security
Sony Still Needs a Mainframe
Hackers illegally accessed and downloaded 50,000 music tracks from Sony, including extremely valuable unreleased tracks performed by the late Michael Jackson. Sony has suffered multiple, serious, recurring security breaches.
by Timothy Sipples | March 6, 2012 in Security
Foxconn Needs a Mainframe
Until Foxconn shut down its servers (so that nobody can place manufacturing orders), everybody could place orders.
Foxconn manufactures products on behalf of many well-known companies, including Apple.
by Timothy Sipples | February 9, 2012 in Security
Verisign Needs a Mainframe
Verisign, which Symantec partly acquired in 2010, was hacked. The extent of the data breach is unknown.
Verisign has admitted it was hacked repeatedly in 2010 and could not pin down what data was stolen.
by Timothy Sipples | February 2, 2012 in Security, Web Technology
5 Predictions for the Next 5 Years
In keeping with the season of resolutions and predictions, IBM has gazed into its crystal ball to forecast five innovations that will alter the technology landscape within five years. So let's spend some time considering a couple of these predictions and their impact on mainframe computing.
#2: You will never need a password again. Technically that's no problem whatsoever if you have a mainframe, and it hasn't been for many years. IBM has done a very good job preserving and extending the mainframe's leadership, positioning the mainframe as the definitive Enterprise Security Hub (or ESH if you like). For example, credit and debit card systems are already getting a lot smarter thanks in large part to the mainframe's security innovations. In an ever more interconnected era (see below) when security is becoming ever more important, more businesses and governments are turning to mainframe-based solutions. The only question in my view is whether mainframe professionals will lead or follow this trend. I vote for the former.
#4: The digital divide will cease to exist. Universal mobile access to computing is going to favor the mainframe. First, there's going to be a direct effect on transaction volumes in existing banking systems, to pick an example. I'm hearing lots of reports that's precisely what's happening, even with only a fraction of the world using smartphones at this point. Second, there will be heightened security requirements (see above). Third, the greater the audience depending on mobile access for services, the greater the cost of service interruptions, thus favoring more resilient systems and solutions. Fourth, the greater the demand, the greater the need for massively scalable systems, i.e. mainframes. That's due to the need for bigger central systems of record as well as worsening data center resource problems in procuring enough space, power, and cooling. The world's telcos, for example, are now seriously rethinking their entire infrastructure which is becoming too costly and unsupportable, after a couple decades of largely unrestrained build-out.
#5: Junk mail will become priority mail. I'm not so sure about e-mail, but the central point here is that transactions are becoming more complex, with more and more heavy information analytics associated with core business processes in order to tailor services much more precisely to customers. That's going to drive the need for massively scalable systems with tight integration. Sound familiar? IBM is right at the vanguard of that trend, with the DB2 Analytics Accelerator as a preeminent example. That technology alone is making whole new analysis-heavy applications possible that were simply never possible before.
What's your forecast? My immediate forecast (or at least wish) is for all of our readers to have a safe, healthy, prosperous, and happy new year.
by Timothy Sipples | December 20, 2011 in Future, Innovation, Security
SK Communications Needs a Mainframe
This report, which details the July intrusion into Korea's largest telecommunications company, an intrusion which resulted in unknown hackers collecting the personal details of up to 35 million Korean citizens, is absolutely chilling and horrifying.
by Timothy Sipples | September 27, 2011 in Security
Mitsubishi Needs a Mainframe (Updated)
Mitsubishi Heavy Industries (MHI), Japan's top defense contractor, has discovered targeted viruses on more than 80 of its servers and PCs. Japanese Defense Minister Yasuo Ichikawa is assuring the public that the viruses didn't transmit the weapons plans stored on those computers to another party, but the truth is that nobody knows for sure yet. The Japanese government has ordered MHI to undertake a full investigation, and ministers are quite angry MHI didn't report the incident much earlier. It's an extremely serious security breach.
The Chinese government denies that it was responsible for the viruses. However, most governments spy on other governments. There are other reported attacks targeting defense contractors and Japanese government agencies, but the perpetrator is still unknown.
I know a bit about MHI. MHI is a very big, complex company. Among its many subsidiaries and affiliated companies, MHI has some in-house information technology talent, and some of their people have strong IBM mainframe skills. Unfortunately, as evident in press accounts, MHI did not employ an IBM mainframe as its secure system of record for these weapon designs, which include designs for submarines, missiles, and destroyers. I hope that MHI will leverage its own mainframe-skilled people to support these high security requirements and other mission-critical applications. While the incident is quite bad, the important part now is to learn and to adapt — and to use the right server technology for the mission.
See also Sony Needs a Mainframe and About "(Blank) Needs a Mainframe."
UPDATE #1: DigiNotar, the Dutch certificate authority (which reminds me of CardSystems), is now bankrupt. Hackers penetrated DigiNotar then generated signed SSL certificates which resembled authentic security certificates for Google, Facebook, Yahoo!, and other major Web sites. Hundreds of thousands of people, many in Iran, probably including many democratic movement leaders, then had their formerly secure Web browser sessions intercepted through so-called "man in the middle" attacks. Considering the results of a security audit, DigiNotar needed a mainframe. But it's too late for DigiNotar.
UPDATE #2: Microsoft, which I mentioned last month, still needs a mainframe.
by Timothy Sipples | September 20, 2011 in Security
Travelodge Needs a Mainframe (Updated)
The hotel chain faces fines up to £500,000.
UPDATE #1: The Arizona Department of Public Safety needs more safety: a mainframe.
UPDATE #2: Starbucks Singapore still needs a mainframe. It's Monday in Singapore, and Starbucks Singapore cards aren't working at Starbucks Singapore shops again. That's just ridiculously, embarrassingly bad. It's the payment equivalent of going to Starbucks and discovering they've run out of coffee. Memo to Starbucks Singapore: Call NCS, First Data, and/or IBM, ask them for a mainframe-hosted payment card solution, and fix this problem already. Sincerely, your caffeine-addicted (and now dwindling) customer base.
Meanwhile, over at The Coffee Bean shops in Singapore, there's a buy one get one free promotion if you use your Visa payWave card. Visa has a mainframe and uses it. Last I heard they've had a total of a very few seconds of outage (planned and unplanned combined) over the past decade plus — if you merely swiped (or waved) twice, you wouldn't have noticed.
UPDATE #3: To give you a better idea how serious this problem is, the Starbucks Singapore shop near my office has a corporate-issued (and professionally made) "Our cards aren't working" sign posted atop the counter. In other words, Starbucks cards are so unreliable the corporate office had to issue signs to its shops, similar in quality and appearance to its menu boards.
My dear Starbucks friends: do you make your coffee with portable electric tea kettles? Pick the right tool for the job. That would be a mainframe for payments. Mainframes work, and you can buy or rent one. In the meantime, if you need some help you can find me over at The Coffee Bean.
by Timothy Sipples | June 24, 2011 in Business Continuity, Security
About "(Blank) Needs a Mainframe"
By now Mainframe Blog readers have seen several "...needs a mainframe" posts. We try to set some trends here, and that's the whole point about these posts.
The central premise (if you'll pardon the pun) of mainframe computing is about quality. Sure, you can add, subtract, multiply, divide, and branch on a PC or an iPod. Lots of computers are Turing-complete, including mainframes. But if you have a business or government to run, and if at least some of your business processes are important, then, quite simply, you need a mainframe — and you need to use it. Otherwise, it's going to be much harder to deliver the security, reliability, and other qualities real people increasingly demand.
The information technology industry solved these quality problems a long time ago, and the solutions to those problems involved relying on the highest quality infrastructure (i.e. mainframes) combined with centrally focused, highly disciplined operations and change management (i.e. mainframe-related development and operations), end-to-end. We know that formula works. Yet there are way too many businesses, governments, and their IT organizations that have lost the plot, implementing obscenely complex, Rube Goldberg-esque application architectures to fulfill even the most common and critical business functions. Such architectures are costly, fragile, and vulnerable.
Unfortunately, as we've seen over just the past few weeks, quality is deteriorating. Major businesses are crashing and burning, hard, with security and availability crises causing major disruptions. Public "cloud computing" isn't going very far unless quality improves dramatically and quickly. Only the fit will survive: the organizations that have or adopt mainframes and actually use them for their critical business processes, end-to-end. It's really that simple: "Fit for Quality."
One technology company that distinguishes itself on quality is the world's largest technology company: Apple. Here's a 30 second video example from 1995:
Apple is a remarkable company. Apple has mastered the "it just works" segment of the consumer technology market. As technology (and life) gets ever more complicated, and as the value of time increases, more and more people value technology like Apple's. The same is true in the world's data centers. Businesses and governments want solutions that deliver secure, reliable service. Those qualities are becoming more important every day. And I think IBM ought to press home its advantages and repeat this simple phrase:
by Timothy Sipples | June 14, 2011 in Business Continuity, Security
U.S. Airways (Now United Airlines) Needs a Mainframe
U.S. Airways, which is merging with United Airlines, had to stop flying on Friday when key applications, notably their boarding system, became unavailable. The airline claims that a power outage near their (only?) data center in Phoenix caused the outage, which in turn caused chaos at U.S. Airways counters and boarding gates despite clear skies and good weather.
If U.S. Airways had a pair of IBM mainframes — one in their primary data center, one in a second data center — if they configured them in a remote cluster (using an appropriate flavor of Geographically Dispersed Parallel Sysplex), and if they actually used those mainframes to support their most critical business processes, end-to-end, then it's extremely unlikely they would have had this problem — and certainly not for hours. That particular infrastructure formula should be familiar. Was U.S. Airways following that formula? If not, why not?
UPDATE #1: The International Monetary Fund needs a mainframe.
UPDATE #2: The United States Senate needs a mainframe.
by Timothy Sipples | June 12, 2011 in Business Continuity, Security
EMC/RSA "SecurID" Compromised, Lockheed Martin Hacked
Have you seen those key fobs that display a new pseudo-random series of numeric digits every minute or so? To log onto a network or system you have to enter the current set of digits plus your regular credentials (user ID and password), typically.
Unfortunately a group of unknown hackers, possibly a group sponsored by a government, broke into EMC's RSA division and figured out how to duplicate those key fobs, in effect. Then the same group (perhaps) broke into Lockheed Martin, the leading U.S. defense contractor.
It's not clear what sensitive information was taken, and Lockheed Martin isn't saying. However, it's possible the invaders were able to find details about future weapons systems along with operational information about current military deployments in Afghanistan and Iraq, among other places.
I might have more to say in a subsequent post about mainframes, mainframe security systems, and their important role in "defense in depth" — a role which some businesses and governments are not exploiting to full advantage.
UPDATE: RSA has confirmed that SecurID has been compromised.
by Timothy Sipples | May 28, 2011 in Security
Sony Needs a Mainframe (Update: Starbucks Singapore, Too)
Sony's Playstation Network, Sony Entertainment Japan, Sony Music Greece, and Sony Ericsson Canada have all been hacked.
UPDATE #1: Skype... er, Microsoft... needs a mainframe, too.
UPDATE #2: Starbucks needs a mainframe, at least in Singapore. I tried to use my Starbucks card to pay for my coffee this morning, but the barista informed me that "the servers are down in Singapore." So Starbucks cards don't work reliably at Starbucks.
UPDATE #3: Sony still needs a mainframe. Sony Pictures has also been hacked. Meanwhile, Starbucks Singapore still needs a mainframe, too. Starbucks Singapore is accepting its own cards once again after days offline. But Starbucks won't accept Singapore-issued cards outside Singapore nor even at Singapore Changi Airport Starbucks locations. Anybody know why I should allocate precious wallet space to a Starbucks Singapore card?
by Timothy Sipples | May 25, 2011 in Business Continuity, Security
Maybe It's Time for More Mainframe Solutions
Sony reports a huge data breach involving its PlayStation Network. At this writing, Sony has not been able to bring services back online, leaving millions of gamers (and Sony's coffers) poorer.
South Korea's NH Bank also went offline. Preliminary signs point to a sophisticated employee-mounted attack in that case, which wiped out both primary and disaster recovery resources concurrently. Nobody is sure which employee(s), though.
I hope we can all learn from these experiences and others, which unfortunately seem to be growing in frequency and severity.
UPDATE: South Korean investigators now think that North Korean experts were behind the devastating attack on Nonghyup Bank which wiped out many of the bank's credit card records and disabled the bank's core services for several days. Meanwhile, the Korea Internet Security Agency (KISA) reports that 82.7% of South Korean companies do not have any plan for recovery in the event of a disaster or attack. That includes numerous large South Korean businesses. The lack of any DR plan, even a sub-standard one, would be unthinkable in many countries — and hopefully now unthinkable in Korea. (Photo: Sony executives bow. See the full story at The Australian.)
by Timothy Sipples | April 26, 2011 in Business Continuity, Current Affairs, Games, Security
The postings on this site are our own and don’t necessarily represent the positions, strategies or opinions of our employers.
© Copyright 2005 the respective authors of the Mainframe Weblog.
