Obsidian Wings

At the end, the article notes that the country which is most vulnerable to cyber attacks is the US. A good part of the reason is not that we are so dependent on networked computers. Most advanced countries are, these days. Rather the problem is that we were first.

A lot of our core systems are still running on decades-old code. They don't have modern defenses built in. And retrofitting those kinds of defenses (even once you convince companies to spend money doing so) faces a serious problem: the folks who actually know the programming languages involved are either retired or close to doing so. Worse, in some cases the source code is lost. Which means retrofitting is difficult to impossible -- the only real option is to recreate the application from scratch. And fix all the inevitable bugs which, in the old system, have been gradually cleaned up over the course of years.

It will be neither cheap nor painless. We may get motivated once we have been badly burned a few times. Maybe.

Yeah. But then all those mainframe programmers were around 50. Now, they're more like 70.

I admit I was speaking from first-hand knowledge.

surely one can learn COBOL or FORTRAN or suchlike in a day

You can probably learn to read CoBOL in a day. At least roughly. (FORTRAN not so much.) But learn to write it that fast? No.

Back in the day, my first employer gave a class for programmers. The CoBOL portion was more like 6 weeks. That didn't qualify you to write, or modify, actual programs. It merely got you to the point where, under close supervision**, you could learn on the job, starting with extremely simple tasks. Actually becoming proficient, to the point where you could create the necessary new code, takes years.

** Which supervision assumes available experienced staff -- in numbers substantially greater than the trainees. Which are likewise in short supply.

This is probably something I should know, but I don't.

My COBOL days were back in the mid-80's, before there even was an Internet to speak of. Most of the COBOL-powered systems I worked on had no concept of being connected to a network that offered any path to or from the outside world. There was some concept of networking in the sense of time-sharing connections (from green screens!). But it was kind of a closed system.

I may be working from assumptions that are not accurate, but how vulnerable are COBOL mainframe systems to black-hat hacking? How would a hostile party even get access to the system?

I have written exactly one COBOL program, back in the summer of 1976.

Much the same. Except it was in the aforementioned class in the spring of '74. I can read it, and make tuning recommendations -- done that for years. But write it? No way.

We all have blood on our hands, I suppose, but ISIS are bloodthirsty thugs.

Absent a far better world than appears to be on offer, we are mostly left distinguishing between those (countries, organizations, or just individuals) who do some bad things and those for whom doing bad things is the be all and end all of their existence.

Not to say that we shouldn't work towards that better world. But for the moment, we need to at least be clear on who is worse and who is less bad. Otherwise we end up doing nothing, and the guys who live to hurt others (including Trump, from everything I've seen of him in action) win.

I don't buy wj's argument about the six-week course.

Just to be clear, it wasn't an argument. It was a report of first hand experience.

There’s nothing I like more than a rip-roarin’ coding kerfuffle!

I suggest that new concepts are hard to learn, but new syntax is not.

Languages come with ecosystems. There are transferable concepts, which are expressed using different syntax in different languages. And, if you understand them in one language, it can be fairly straightforward to say, oh, this is how you do [fill in the blank] in this language.

Which will get you about three steps beyond "hello, world" in the new language. You might be able to stand up a toy application, a proof of concept.

Then, in order to become effective in any kind of real-world context in that new language, you have to learn all of the conventions and idioms that people who have been working in that language for 5 or 10 or 30 years are familiar with.

And then, in order to *really* become effective in any kind of real-world industrial context in that new language - in order to deliver shippable product, to demanding real-world timelines, to demanding real-world SLAs - you need to understand all of the common industrial tooling that goes along with that language. Development environments and frameworks, test environments and frameworks, build and deploy pipelines, common deployment architectures, standard development workflows.

And then you're ready to work in that language, for a living. And you get to compete for work with everyone else who works in that language for a living, so best be on top of your game.

It takes more than a day, with a long lunch break.

Conceptually, COBOL doesn't go that deeply into sophisticated computing concepts. No lambdas, no partial evaluations, no recursion if I recall correctly. No direct interaction with memory, no direct interaction with anything close to the machine. Nobody worries about the size of the cache line when they're coding in COBOL, as far as I know. It's a relatively simple language, in those terms.

If you were required to either make sense of a non-trivial system built in COBOL, or for that matter build one from scratch, it would still prove to be a challenge. Even if you're good at this stuff.

My opinion.

Maybe this will resonate more for Pro Bono. You know the law in the UK. So, can you pick up the law in another country in a day or two? To the point that you could represent someone in court? After all, both countries doubtless have laws against stuff like murder and theft -- so how hard could it be?

And that's before we get to questions about stuff that's legal in one place, but criminal in another. Entirely normal husband prerogative in Saudi Arabia is spouse abuse and felony battery in the US, to give just one example.

And btw, we accidentally armed ISIS. We would send weapons illegally to some favored Syrian groups and a few weeks later ISIS has them. Oopsie.

https://www.conflictarm.com/reports/weapons-of-the-islamic-state/

Starts on page 36.

LAMBDA THE ULTIMATE!!!!

Fight me!

Sorry, forgot smileys.

:) :) :)

OK, give me an example of a national government with clean hands.

I don't think the lack of a purely good national government negates Donald's point. He's saying the relative goodness of the US (or whatever country) when compared to the worst nations or quasi-state regimes doesn't excuse our wrongs. Yes, we're better than ISIS. And I'm a better person than Charles Manson. Yay for me!

Oooh, you know what? I could probably cheat on my wife and still be a better person than Charles Manson. I guess that makes it okay. (Not that I think you think that, wj. Just illustrating Donald's point.)

But I suspect (no direct knowledge) that a similar problem is going to be found in mission-critical ADA code.

With exactly that thought in mind, new code for the F-35 is being written in C and C++, with a dash of assembler. The only ADA is legacy code brought over from the F-22. More accurately, subsets of C and C++. Certain language features are disallowed, and there are automated checks to verify that they have not been used.

Imo a lot of official (approved) saints were giant digestive rear exits.
Moderate crooks would probably be a great improvement over both the current state of things and an imaginable rule by saints.

But it is reasonable to beat ourselves up when we do something objectively horrible, which, on occasion, we have

Sure. Just not to act like we do it routinely and enthusiastically, as some others seem to.

@russell: The first system I was involved with (in 1979) was in effect a communications hub that allowed systems that were initially designed as stand-alone systems to talk to each other. Since none of the systems supported networking, the computers communicated with each other by having operators move magnetic tape, or in one case punched paper tape, from one machine to another. It was a really kludgy system, but an improvement over having to type the same information into six different systems.

I wonder how many of stand-alone systems are still truly stand-alone, given all the various reasons one might want a legacy system to communicate with other computer systems. If the narrative around the StuxNet virus is accurate, the Iranians had a data path from the internet to their uranium enrichment centrifuges which involved moving USB sticks from computer to computer. Apparently the temptations of computer networking are hard to resist even if you are conducting a top secret military program.

out of curiosity, I went and looked at a COBOL tutorial. It's been.... 30 years since I wrote any COBOL.

In general I sort of take Pro Bono's point about transferable concepts between languages. That said, COBOL is really an oddball. Logically it is just not overly sophisticated, but it has... baggage.

Maybe I'll brush up and get a side hustle or a retirement part-time thing going!

hsh -- the music analogy is a good one. I played the piano a lot up until I left home for college, then rarely. As a teenager I was the accompanist for school plays and the school choir, and I played the organ at Mass on Sundays. Music, like coding, is something I pick up quickly in my dilettantish way. Then I tend to reach a plateau where I would have to work really hard, and look dumb sometimes, and ... I go on to the next thing.

But I stumbled across an enticement to learn to play the fiddle (folk music) when I was forty, and took to it enthusiastically. The guy who was teaching me informally said I had the steepest learning curve he had ever seen. Well duh. ;-)

But that was a combination of some innate talent – music is one of the things I pick up quickly – and all the music I had played as a kid. Soon I was playing in a contra dance band. But when my little local band broke up, and I was coasting along on the platueau, well, I had kids to raise, work and volunteer work to do.....etc.

I have done a lot of coding in my life based on that model, coupled with being the holder of thirty years of institutional knowledge of the systems at my (former) place of work. But I haven't got a clue what russell and wj and Michael Cain and others are talking about here most of the time when the subject turns technical. I had my niche, and that involved being competent at some baseline level in a number of languages/environments. But besides russell's comment 9:11 pm on 10/2, there’s something else. If you're learning some new (or old, as in Cobol) language in order to do some rewriting or enhancing of old code, learning the application can be an even bigger effort than learning the language. I'd like to see anyone jump into my old workplace and start being effective (in whatever language) writing code having to do with expatriate compensation after a lunch break's worth of study. Yeah, good luck with that.

***

Maybe a better comparison than moving between jurisdictions as a lawyer would be – learning a natural language. Although I do think learning a programming language is easier, there rae similarities in that you can become competent at some baseline level relatively quickly (ordering in a restaurant, asking directions, whatever; and all the quicker if you’re going from Spanish to Italian rather than Chinese to Finnish). But to become fluent in all the nuance and idiom of a natural language takes longer. I take russell’s 9:11 on 10/2 to be an attempt to address some of that, and if that didn’t make pro bono pause I’m not sure why I’m bothering to add anything more. Just procrastinating on today’s chores, I guess.

Music, like coding, is something I pick up quickly in my dilettantish way. Then I tend to reach a plateau where I would have to work really hard, and look dumb sometimes, and ... I go on to the next thing.

Are you sure we're not related? ;^)

(Perhaps I've joked before that the one thing I've been able to master in life is being a dilettante.)

writing code having to do with expatriate compensation

Not only this, but my particular company's particular implementation of expatriate compensation....

somewhere that requires more expertise. Maybe an advisor on somebody's campaign committee

LOL

My son told me that there are consulting firms that hire themselves out to NFL teams to help the teams pick coaches. I'm like WTF? There can't be more than a hundred people on earth who would be viable candidates for NFL head coaching jobs, and there are only what, 32 teams? Surely they all know everything about everyone already...

To come down to earth, I suppose these firms help with picking candidates for other roles on the coaching staff besides top dog, but still.

Okay, and maybe they serve as go-betweens for communications that can't be done directly for "political" reasons....

Wandering off the point here, so I'll stop now.

he knew so little about politics that he didn't even manage to get enough signatures to get on the primary ballot

And he knew so little about life that he didn't even know that being competent as a teacher and coach didn't mean you would automatically be highly competent, with no preparation, at whatever you decided (dilettantishly?) to do next.

This isn't Dunning-Kruger...it's more like the smartest guy in the room effect, but if there's a formal name for it I've forgotten what it is.

Closer to the OP's topic... Back in the mid-1970s, the Bell System got serious about deploying lots of network gear and support systems for configuring/managing that gear remotely. Getting hacked -- or more accurately, avoiding getting hacked -- was a hot topic for discussion inside Bell Labs. The Labs eventually settled on the expensive, but more reliable, approach of building a physically separate data network to run operations over. Having lived through that, I am always perplexed when it comes out that, for example, critical pieces of the US power grid can be manipulated from the public internet. There shouldn't be connections between the public internet and the network for controlling the power grid.

My son told me that there are consulting firms that hire themselves out to NFL teams to help the teams pick coaches

It's like rule 34 - if it exists, there is a consulting firm for it.

I think they're one and the same.

This is true, but I feel like there's another label for a subset of what D-K covers, specifically for people who are in fact unusually competent, even brilliant, in one way, and therefore think they're geniuses in every other way as well. But if there is, I can't think of it. (Mansplaining is a related concept.... ;-)

We all appear to have failed to express delight that liberal japonicus is still alive.
I for one would like to correct that.

In honour of his Korean Odyssey, I’m posting this fun story on their justice system:
http://m.koreatimes.co.kr/pages/article.asp?newsIdx=276661
Prosecutor-General Yoon Seok-youl announced Friday that the prosecution will no longer allow the press the opportunity to photograph suspects or witnesses arriving for questioning by prosecutors.

To date, it has been common practice for the prosecutors' office to alert the media in advance, allowing journalists to photograph such high-profile people on a "press photo line" at the main entrance. This arrangement "updated the public" on ongoing investigations, but also served as a powerful political tool, making targeted suspects look guilty before any allegations were proven...

This is deeply disturbing:
https://www.politico.com/news/2019/10/05/justice-department-russia-probe-028545

Excellent band names - thanks Janie!

...people who are in fact unusually competent, even brilliant, in one way, and therefore think they're geniuses in every other way as well.

There's a tendency for people to forget that the point where they're recognized as brilliant is usually well into a career, not just a job (or equivalents in hobby fields). So they think they can start at that level in a different field without all of the career-laying scut work.

After a tech career where I was very, very good, I went back to grad school, got an MA in public policy, and started in an excellent entry position in my state government. I believe I could have been very, very good in that field as well -- but I discovered that I wasn't willing (and to a certain degree, wasn't able) to put in the time to reach that point.