In the mid 1970s, while serving as a Radio Shack sales clerk, I studied Architecture at Fresno City College. And I had no clue what cyber security was.
What I really wanted was to study Acoustics. I wanted to combine my talents in music with my technical aptitude and design concert halls, churches, musical instruments, and anything musical. But only three universities in America had acoustics majors, so I was advised to study Architecture.
I had no complaints. I loved everything I learned. Plumbing codes. Material Science. Electrical codes. Drafting. Statics. Calculus, Physics. And Fortran.
A Little Innocent Hacking
While developing my Fortran programming assignments in the computer lab, I became curious about Basic programming and HP Calculator programming.
At this point, I will have to make a confession. I hacked. But not a bad kind of hacking. Nobody got hurt. No grades got changed. My only hack was out of curiosity.
The computer lab had a trove of educational programs all written in the old Dartmouth BASIC that was running on their HP 2000E timesharing minicomputer. Even our Fortran editor was written in BASIC, and we would use this to enter our Fortran programming assignments to be run by the instructor at various times during the week.
The Simplest Hack, What Cyber Security?
In this computer lab were some cards with BASIC programming instructions. So I played.
10 FOR I=1 TO 10
20 PRINT I
30 NEXT I
And it worked. It counted from 1 to 10. I added “STEP 2” to the end of line 10, and it printed odd numbers only. I added a comma to line 20 and it printed on one line with spaces between the numbers.
Ooooh. What if I loaded up one of those “hidden” tutorials and typed 10 GOTO 100? or 200 or 1000? Could I get it to stop asking for a password???
The Feast Begins!
Well, it worked. And that became my secret treasure trove of learning where I could feast on the tutorials. I could master the concepts in physics and other courses that had given me trouble and explore courses I had never taken including chemistry and BASIC programming.
Eventually, I became very comfortable in several variants of BASIC and built complete accounting packages, an auto financing and leasing system, and went on to development in several languages.

Star Trek Playing and On to Fresno State
At that time, college campus terminals swarmed with college kids playing “Star Trek” games on the slow 300 baud terminals. And I would bring my little brother and our next door neighbor kid, Kevin, to the computer lab to play on the computer terminals.
Then in 1977, I had completed Engineering Statics and needed to transfer to Fresno State, or CSU, Fresno to continue on to Engineering Dynamics.
Monsters at Fresno State
Compared to Fresno City College, Fresno State’s computers were monsters. They had Cyber computers, Modcomps, and IBM Mainframes for batch programming, PDP 11/45 or PDP 11/70s, I’m not sure. But they ran RSTS.
Students could run just about any programming language available at the time–BASIC, COBOL, APL, Fortran, Lisp, Prolog, Assembly, PL/1. Computer courses were taught in Math, Engineering, and Business as the Computer Science Department had not been started yet.
Even so, we were beginning to see the importance of cyber security. At first, if we saw a password required, that pretty well told us that we were locked out, until we figured out that we were not in fact locked out.

Star Trek Login Harvesting
Students would come in to play their Star Trek games but at a much faster speed–1200 baud!!! Much faster than the slow 300 baud that was akin to the speed of the old TTY33s.
However, students were frustrated. They would start up their favorite Star Trek game, and it would log them out. They would log back in, and it would pick up from where they left off.
But the login screen was fake. Someone was collecting accounts and passwords. And this practice has continued to this day. I usually shut down the program immediately. But sometimes I would just enter a password like “up your nose” or “in your ear”.

Less Innocent Hacking
Years later, I saw a program that made me freeze as if I had stared directly into the devil’s eyes. I believe it was the Morris Worm in C.
- This program contained a list.
- A list of hacking functions to try.
- A bundle of intrusion methods to be attempted in sequence.
- Only one of them had to work.
- The program would break in and install itself and start itself.
- And it would break into every other machine it could get into.
- And it would continue the process forever.
Nothing about this hack looked in the least bit “innocent”. It looked rather deadly.

SATAN, Security Administrator Tool for Analyzing Networks
For years, I ran a program written by Dan Farmer called Computer Oracle and Password System (COPS) to give me a quick cursory view of major security flaws in the configuration of the Unix systems I worked on. This helped me close the most glaring security holes immediately.
However, around 1994 or 1995, when I was a senior systems administrator for Oracle’s Production Unix team at headquarters, I also served on the Security Response Team. At that time, Dan Farmer released a highly controversial Internet port scanner written in Perl with results displayed in a browser via HTML.

A Devil of a Security Program
This program was named to startle systems administrators out of complacency and cause them to exercise more due diligence in protecting system security. Dan Farmer called it Security Administrator Tool for Analyzing Networks, or SATAN.
I went to hear him live at Stanford University and had been practicing to become adept at using it prior to its formal release. And I received permission from management at Oracle to run this program against our Unix systems and produce reports for each system administrator so they could tighten up security on their systems before a hacker discovered the vulnerabilities.
Sadly, Dan Farmer was fired from his job because of this controversy, and he went on to be a successful security consultant in demand as he should be.
Since that time, many network port scanners have been developed either as standalone programs like nmap, or as part of a network monitoring program. I worked extensively with programs like Compuware’s EcoTools at Oracle writing agents for monitoring databases and operating systems. Nagios is a popular one today, though I only dabbled with it.
Database and Enterprise Software Security
After studying Advanced Systems and Databases at Stanford, and going through professional training in systems and database administration from several companies, Oracle wanted to start a new department called the Enterprise Systems Center, later known as the Large Systems Support Center.
In the ESC, I helped spec out the data center and prided myself in how fast I could take receipt of large enterprise systems from various manufacturers and have them running and available for use with database software, Veritas, RAID sets, and such ready for intense testing in performance, reliability, and scalability.
I evaluated testing software including Mercury Loadrunner, Pure Performix, and Performance Awareness and chose the latter for its ability to capture and parameterize Oracle’s OCI calls and communication between the client and the database server.

Direct Simulation of Clients
This capturing and parameterizing of OCI (Oracle Call Interface) calls helped us obviate having thousands of PCs with simulated users on each, as one powerful computer (for instance, a large DEC Alpha) could parameterize and simulate user activity against a large system from Sun Micro, such as a Sun 6000 system.
We also had large systems from HP, IBM, Sequent, Pyramid and a supercomputer from Silicon Graphics. And my old Mac Pro would likely overpower all of them combined today.
And our job was to break these systems, or at least their software.
A Pace That Could Stop a Clock
I ran load from the DEC to the largest of our Sun systems running Solaris 2.3, and the time of day clock stopped. The machine continued to run, so the realtime clock that triggers process switching must have been functional. But somehow, the kernel caught a hiccup and took the time of day clock update out of the list in the kernel so it was no longer getting updated.
So, Sun went to work on it, fixed it, and handed over Solaris 2.4. And by the time they reached 2.5, it started to appear Solaris might actually become useful, and in a very good way.

Sun Solaris and DEC Unix and Linux
There were so many things to love about it. Unlike many variants of Unix, you did not have to recompile the kernel to reconfigure your shared memory or semaphores or virtual devices, though you might have to change a value in a configuration file and reboot. Maybe.
Of course, Linux seems to have overcome many of these limitations. Yet Linux was not prominent back then. In fact, I started using Linux when it first came out about that time so I could complete my programming assignments with my courses at Stanford without having to drive more than an hour from home to the university.
Cyber Security, Complicated, Frustrating, and Boring
With all the changes to hardware, operating systems, and software, with routers, VPN devices, intrusion detection, firewalls, virtualization, containers, Docker, Kubernetes, web security, and more, security has become anything but simple.
And frankly, I do security out of sheer responsibility–not for the love of that role in general. I cannot honestly say I enjoy security any more than I would enjoy managing email systems and trying to keep spam and serious security violations away. It is often a miserable, thankless job, and those who do it well deserve much support and appreciation. And yet the pain they can inflict on the user community trying to keep security can be excruciating.
Hundreds of Passwords to Forget
People forget their passwords. Or they’re required to change their passwords when they would rather not do so. Sometimes they get royally pissed off and start writing their passwords on yellow sticky notes pasted to their monitors. Or they write them down in password books. Then they make a sequential list of passwords and number them, using those numbers to indicate whether this is for Gmail or YouTube or Facebook or LinkedIn or one of their 400 different websites. And for each problem, there are a zillion knee-jerk solutions that frustrate much more than they help.
One of my friends became a trainer for the CISSP certification. I read a common thick CISSP book and was already familiar with most of it. But it was great to be able to fill in the gaps. Though I strictly avoided getting certified. Why? Because I wanted to avoid being hired to fill a security role. I wanted a role where I could be a little more free to take on interesting projects in math, software engineering, and business.

PeopleSoft
Speaking of interesting, I loved working at Oracle. I loved my coworkers, but then I usually do. And yet, I became curious about PeopleSoft since it was about 5 minutes from my house. So I paid a visit.
A manager there would not let me go until I finally accepted a position there. He reminded me every few days or weeks of how nice it would be to have more time with my family and not to have to deal with a one hour commute each way.
Eventually, I caved. And I loved PeopleSoft about as much as I loved Oracle. I think my coworkers wanted me to admit that the culture at PeopleSoft was much better, less pressured, more people oriented. And it’s true that I probably do hate interpersonal pressure or unreasonable pressure and find that it interferes with my ability to concentrate well. However, situational pressure is different. I actually thrive on really hard challenges, and I feel really good when I overcome them as long as they were not created by foolish decisions. When that happens, I feel more relieved than elated.
So, while many people burned out at Oracle, I did not leave from burnout. I still loved working there.
What About PeopleSoft?
What does PeopleSoft have to do with security? Not much, really, other than that there were many new layers of security required.
Initially, PeopleSoft was a simple client-server, two-tier framework with a bunch of peripheral software like Crystal Reports, and SQR.
The client software lived on the users’ PCs and communicated directly to the database server. And when updates and upgrades came out, technical staff would have to ship around CDs with software for updating each client individually. A royal pain!
User Accounts on Unix or Database?
PeopleSoft 6 came out where a Tuxedo server was introduced to help out with print requests. But PC clients still connected to the database directly. And security was quite convoluted.
For example, Informix differed from the other databases as it depended on Unix security. However, the other databases kept their accounts inside the database entirely separate from the Unix accounts.
So, for Informix, individual users had to have a Unix account on the database server giving them a database login while the other databases only required a database account and password.

PeopleSoft Security Morphs Over the Years.
Let’s expedite this. It is getting long.
Step by step, PeopleSoft security and architecture matured significantly through the change to a Tuxedo server for printing in PeopleTools 6 to a three tier architecture based on Tuxedo in 7 and bug fixes galore up to 7.45, and then to PIA or PeopleSoft Internet Architecture in PeopleSoft 8.
With PeopleSoft 8, you no longer had to update a hundred or a thousand PCs individually. PeopleSoft was now a web application.
And the Finger Bone is Connected to the Trombone
- Now, your web browser would talk to a webserver.
- The web server would communicate with the Tuxedo servers.
- And the Tuxedo servers would talk to the database server.
- Oh, and there were multiple servers and load balancers to keep any server from being overloaded.
Oh, yeah. And to top it off, you also needed to divide the network into a publicly visible network, a DMZ for middleware, and an internal network for the database engines.
There were properly defined sequences to execute when updating the software involving shutting down and updating different servers in a way that would not create a conflict. But you no longer had to update a zillion PC clients.
Which Way Does It Go?
And where was security needed in all of this? Everywhere.
- The database systems at the operating systems.
- The database accounts, and roles, which were greatly limited now to just what was needed for connectivity.
- PeopleSoft security to grant or deny users’ access to the application and data.
- Connectivity between Tuxedo and the database servers.
- Connectivity between the web application and the Tuxedo servers.
- Load balancers.
- Any VPNs, firewalls, and other network devices required.
It’s all so very simple. I actually found it pretty easy when I was working with it all the time as I was also part of the software architecture team that created the automated esupport or automated multi-layer diagnostics software based on Motive for PeopleSoft.
But that was when I was at PeopleSoft, years before I managed PeopleSoft installations on PeopleSoft 8.x for IBM/Coreo on contract in 2005.

So, Why Do I Dislike CyberSecurity?
On my own, I bought service on a Virtual Private System (VPS). It was basically like having a Linux server of my own in a colocation facility. They gave me an IP address, and before I had anything set up in DNS, I saw floods of spambot and hacker traffic flooding my VPS.
I needed an email server, so I tried a couple that had a reputation for being among the most secure. I plugged in SpamAssassin. Later on, after having created a spam detector in an AI course I took, I considered whether I should just use mine.
But I went nuts. I grabbed a program written in Python that would watch the log files for intrusions of any kind and act on those, dropping the IP address into a firewall for a period of time. And it helped. But it was also highly active. Still, it reduced the activity considerably.
Finally, I got tired of this eating up the time I needed to work on the projects I wanted to work on.
Yeah. I got lazy and went back for a cPanel solution–something I thought I would never do. Not only that, but after developing my websites first on NetObjects Fusion twenty years or so ago and moving to different CMS systems, basically trying most all of them, I put away TikiWiki, Drupal, and others and narrowed down to WordPress before switching to Hugo to get back to a fast static setup. And then I switched back to WordPress again, unifying on that.
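The log-watching approach mentioned above (count failed logins per IP, ban the address for a while, then let the ban lapse) looks roughly like this. It is an added example, not the program the author ran; the log format, thresholds, and class name are assumptions, and the firewall call is replaced by a recorded action.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample lines in the style of an sshd auth log (not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[811]: Failed password for root from 203.0.113.7 port 4022 ssh2
2024-05-01T10:00:03 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 4023 ssh2
2024-05-01T10:00:04 sshd[812]: Accepted publickey for alice from 198.51.100.20 port 5100 ssh2
2024-05-01T10:00:06 sshd[811]: Failed password for root from 203.0.113.7 port 4024 ssh2
2024-05-01T10:05:00 sshd[813]: Failed password for bob from 198.51.100.20 port 5101 ssh2
2024-05-01T10:20:00 sshd[814]: Failed password for root from 203.0.113.7 port 4030 ssh2
""".splitlines()

LINE = re.compile(r"^(\S+) sshd\[\d+\]: (.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)")
class LogWatcher:
    """Hypothetical watcher: ban an IP after max_failures failures within window."""
    def __init__(self, max_failures=3, window=timedelta(minutes=1),
                 ban_time=timedelta(minutes=10)):
        self.max_failures, self.window, self.ban_time = max_failures, window, ban_time
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}               # ip -> time the ban expires
        self.actions = []                    # stand-in for real firewall calls

    def _expire(self, now):
        for ip, until in list(self.banned_until.items()):
            if now >= until:
                del self.banned_until[ip]
                self.actions.append(("unban", ip, now.isoformat()))

    def feed(self, line):
        m = LINE.match(line)
        if not m:
            return                            # ignore lines we cannot parse
        now = datetime.fromisoformat(m.group(1))
        self._expire(now)                     # log time drives ban expiry
        hit = FAILED.search(m.group(2))
        if not hit or hit.group(1) in self.banned_until:
            return
        ip, recent = hit.group(1), self.failures[hit.group(1)]
        recent.append(now)
        while now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = now + self.ban_time
            self.actions.append(("ban", ip, now.isoformat()))
            recent.clear()

def run(lines):
    watcher = LogWatcher()
    for line in lines:
        watcher.feed(line)
    return watcher
```

Calling `run(SAMPLE_LOG).actions` lists the ban and the later unban; in a deployment those two entries would be the points where a firewall rule is added and removed.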

Convenience is big. Easy is good.
I feel I have learned more about content development and SEO by getting free from the burden of cybersecurity.
All in all, I am happy to help anyone who I can benefit. So, if I could step in, make substantial improvements to someone’s security environment, and then turn it over to someone else for maintenance, I would be happy.
But to stay in a company managing security and nothing but security every day, I would let someone better take that role.
I can document security. I can automate much of security as I did with Ingres between 1990 and 1994. But to be a full-time cybersecurity administrator would not be something I would like to do.
With the help of AI, I could do my best to set up best practices, calendars, means of submitting requests for adding and removing or disabling users or tracking what needs to change when any individual account or password changes, such as a database password used by an application.
But setting up spam blocking, firewalls, intrusion detection, and making sure the monkeys stay out of the system and don’t plant a virus or ransomware, and to integrate these protections into an excellent disaster recovery plan, I suppose I could do it and probably do it well. But it would be one of those projects I would likely promise only 3 to 6 months of work and end up staying 2 or 3 years to get it perfect and bring in any new projects into the whole integrated mess. Neat mess, but mess, nevertheless.