July 03, 2009

Practice independence in your community

Here in the US we're observing our Independence Day this weekend, a celebration that echoes my hopes of independence for HP 3000 community members. Those who are homesteading on the system beyond HP's schedule have already chosen an independent path. They depend on new partners for support. Some community members have chosen the independence of Linux and open source, too, to supplement their 3000 computing power.

I also believe that independence is essential to those members staying with HP. Those companies migrating need to speak out freely about their experiences. As a journalist for almost 30 years, I've seen a decline in the independence of speaking on the record. I'd love to start a revolution in that regard and roll back the calendar, but anonymous sources have become a bulwark in reporting. The journalism community represented at the Washington, DC Newseum — a fine stop for any citizen-tourist in that town — has grave doubts about anonymous sources. We reporters trade credibility for trust when we need to use these sources.

I'd use fewer of these with more customers going on the record. Public meetings, open to both users and the press, are becoming rare indeed. It's up to 3000 community members to speak out online, where the speaker has more control of what's being reported.

In fact, the demise of public meetings was one factor in passing up the HP Technology Forum & Expo this year. This is the first year since 1985 that I haven't attended a national-level HP user conference. After 24 annual events in a row, it seemed that things have changed between HP and the press. Last year I complained about the frustration of incomplete press access at HPTF. Things have shifted in HP's press approach, which makes the Internet and blogs the reasonable alternative to hearing community members' voices.

There's been a bit of good change, like hearing HP talk live to the analysts about quarterly reports via the Internet. But when Computerworld is standing outside a meeting door alongside the 3000 NewsWire, then HPTF starts to look like a restricted event. The user forums were ideal for a journalist who wants in-person connections with new sources. Users voicing opinions and telling stories about their customer experience is the meat of a conference. I understand how that won't serve HP as well as it did in the 80s or even the 90s. Sometimes you just have to accept changes.

As a community member you don't have to accept a less independent strategy. HP does operate a few forums online where customers can share opinion and experience. But the filtering is profound these days, probably reflecting the whole spin dance companies do with the media. You control your statements if you can speak out in places like Twitter, LinkedIn and Facebook (all of which have 3000-related followings and groups), as well as the Connect user group's online MPE forum. We'll be hearing more about that group in a while, according to Connect board director Chris Koppe.

Until then and beyond, I hope you'll share your independent statements with your community and me here at the NewsWire. Enjoy and exercise your independence as a citizen, community member, or both.

Posted by Ron Seybold at 12:29 PM in Homesteading, Migration, Newsmakers, Web Resources

July 02, 2009

Pros build a life beyond the 3000

3000 veterans have been facing a job shortfall for some time now, but some are finding enough work to stay busy, even in a down economy. We heard yesterday that Applied Technologies' Brian Edminster is "staying busier than you'd believe, given the current economy," working engagements with companies that need his HP 3000 and open source skills.

That's a combination often cited as a safe path into a future where HP won't even support the 3000. While it seems easy to say "get better trained on Microsoft solutions," Michael Anderson of J3K Solutions says MS is only part of a smart future.

"I honestly would not count on Microsoft owning the majority of the market twenty years from now," says Anderson, who left an HP 3000 job to start his own enterprise. "Don’t put all your eggs in one basket. Learn how virtualization improves the efficiency and availability of IT resources and applications. Run multiple operating systems and learn new concepts, look into cloud computing and open source."

Anderson advised not to put all of your effort into learning any Microsoft technology, but to look into platform-independent technologies. He offered a few links to explore:

Basics of the Unix Philosophy
A Unix Programming Portal 
Virtualization
Cloud computing

In that cloud computing summary, 3000 pros might see a reflection of the system's past, where time-sharing provided computing resources to multiple companies over a network. The similarity underscores the value of IT basics the 3000 pro can call upon. Veterans of this community are making a living blending their still-valued 3000 skills and new tools. One supplier of consulting and resales, who wants to comment anonymously, wrote to share his success working with 3000s and other tools.

This 3000 expert had a one-year contract to move a company off the HP 3000 to Eloquence and AcuCOBOL, but he's retained the client while working to maintain its network, UPS, and telephone switch as well as removing PC viruses.

I finished that migration project on time and under budget four years ago, but the company still won't let me go. I moved seven years ago and put 5 percent down on my house. I started my business six-plus years ago, and I paid off my house over a year ago. I would say 50 percent of my customers are still on the HP 3000 with no plans of moving off. The other income is from SANs and HP-UX.

The HP 3000 has been very, very good to me.

Posted by Ron Seybold at 10:28 AM in Homesteading

June 30, 2009

Proving An Open Future for ERP

Open source software is a good fit for the HP 3000 community member, according to several sources. Applied Technologies founder Brian Edminster plans to open a portal for such solutions next month, aimed at the 3000 site looking to modernize. What's more, complete app suites have emerged and rewritten the rules for software ownership. An expert consulting and support firm for ERP solutions is proving that a full-featured ERP app suite, Openbravo, will work for 3000 customers by 2010.

Launched in the '90s as a software collective by the University of Navarra and since evolved into Openbravo, S.L., Openbravo is used by manufacturing firms around the world. Openbravo is big stuff: so large that it was one of the ten largest projects on the SourceForge.net open source repository, until Openbravo outgrew SourceForge. The software, its partners and users have their own Forge running today. HP 3000 support firm the Support Group, inc. (tSGi) has put its Entsgo spinoff on track to deploy Openbravo. All the pieces should be ready within nine months, said Entsgo's Engagement Manager Sue Kiesel.

Kiesel and Entsgo are part of the tSGi enterprise that grew up aiding customers of MANMAN, the venerable and stable 3000 ERP app. Entsgo is proving the open source ERP concept this year in segments outside the HP 3000 community. “We’re working on a couple of deals right now that are going to be closing relatively soon,” Kiesel said. “We believe that within six to nine months, the solution will be as robust as MANMAN was at its best.”

Open source solutions can span a wide range of organization, from code forges with revisions and little else to the one-stop feel of a vendor, minus the high costs and long waits. Openbravo is in the latter category, operating with 100 employees and having received more than $18 million in funding. If that doesn't sound much like the Apache and Samba open source experience, then welcome to Open Source 2.0, where subscription fees have replaced software purchases and partner firms join alongside users to develop the software.

Openbravo says the model is a "commercial open source business model that eliminates software license fees, providing support, services, and product enhancements via an annual subscription." Entsgo/tSGi business consultant Donnie Poston said the one-stop model makes Openbravo attractive.

“The fact that you have a company that supports it, and you can subscribe to it and verifies it, upgrades it and maintains it — all of that under one company name was enticing to us,” said Poston.

Localization capabilities will be among the last pieces of Openbravo to fall into place, and tSGi president David Floyd says for some HP 3000 owners, the Openbravo solution is ready today. In the meantime, the open source model fits well with HP 3000 strategies.

“In the 3000 community, we’re used to the independence of the open source model,” said Kiesel. “We’re used to tools that are intuitive, and if you look at us, we should be able to embrace open source more than any other community.”

Open source practices turn the enhancement experience upside down for an application. In the traditional model, a single vendor writes software at a significant investment for high profits, then accepts requests for enhancements and repairs. A complex app such as ERP might not even get 10 percent of these requests fulfilled by the average vendor.

The open source community around Openbravo operates like many open source enterprises. Companies create their own enhancements, license them back to the community, and can access bug fixes quickly—all because the ownership is shared and the source code for the app is open.

Entsgo experts such as Kiesel are establishing a trusted advisory resource for Openbravo. Entsgo is a partner to IBM, HP, Oracle, Microsoft, and top-tier ERP vendors, serving small to medium-sized manufacturing and supply chain businesses in Texas and throughout the worldwide manufacturing community.

Posted by Ron Seybold at 04:49 PM in Homesteading, Migration

June 26, 2009

New solutions assist small shop migrations

Birket Foster likes to envision the world of 2012, a future that guarantees more migration experience will be in the community's consciousness. This spring we talked about this time well away from HP’s influence on 3000 ownership and migration. Foster's MB Foster is sharpening its message this year to reflect its business beyond 3000 expertise. In the years to come the company is booked to help manage migrated applications and environments running for customers MB Foster has migrated.

What has emerged—solutions, utilities, apps, IT strategy—to help the smallest 3000 shops step away?

When we look at the marketplace, it’s the small shops that are going to suffer the most. As soon as they move to Windows, there’s a lot more work to be done than what they had to do for their 3000s. HP 3000s are like a magic thing you set and forget. Moving from a 3000 to the Windows environment means you have to pay attention to things. Like putting new patches on, or some virus will break out. Or fixing the database from time to time to make sure it’s performance-tuned. Although the 3000 databases could get out of hand occasionally, it was very rare.

   The good news for these shops is that those of us who have been migrating people since 2002 have refined the processes and introduced new tools. MB Foster built nine parsers in the last seven years. Some help with moving scripts from MPE-land to Linux or Unix or Windows. Some help with changing and fixing data on the fly, like moving integers stored in a Big Endian format to Little Endian. We also have a scheduler system written for Windows, one more like the job scheduler you had on the 3000.

   We built these kinds of power tools to assist us in migrations. We’ve been moving data since 1985, so we know a lot about the context of data. Our team put a tool together for the datamart team that pulls an IMAGE database into Oracle or SQL Server. This saved people from having to write all the scripts to do that. By the time HP decided to phase out the 3000, we had a tool that got tweaked to generate a few new things to help migration to Unix, Linux and Windows.

Three years from now, does the market miss the final level of HP’s 3000 support?

No, those people are already working with companies like Allegro, Beechglen or Gilles Schipper. I’m sure that the only thing that annoys these guys is HP, announcing that it will keep taking money for support. That’s a long support tail, and HP has already removed resources from it. HP won’t stack any new resources behind it.

So more than a year after the announced HP support exit date, you think HP will continue to sell 3000 support?

I don’t think HP is planning on leaving the 3000 support business. As long as there’s enough money coming in, they’ll do it. And some of the companies just look at the support from an appliance point of view. They tell themselves, “As long as I can say the original vendor will support us, it’s the same as an insurance company that will support us, too.” But when the hurricane comes through, does the insurance company declare bankruptcy and go away? Or does it actually deliver?

In the 3000’s community of 2012, do hardware and environments carry the same weight in strategies?

It’s not just the 3000 market that’s changing. Companies have mergers and acquisitions and they want to make changes. You will be encouraged to come along.

Three years from now we’ll be closer to the point where the hardware is totally irrelevant and the operating system is totally irrelevant. Because the skills sets for those elements will be hard to come by, people who are going to manage and update security for systems will be working for the Regional Bell Operating Companies (RBOC) and ISPs. The larger hardware vendors want to do a virtualized farm for an RBOC. The servers you once spent half a million dollars on are being replaced by systems that cost $20,000. The vendors can’t sell the same number of servers, so they have to find a way of consolidating. 

It’s 2012: What business resource is most in demand for 3000 shops making a transition?

It starts with the end-users. Since the HP 3000 is a robust machine, technology is not the issue. But when the end users leave, and the last person who knows how to use MANMAN, you will be in a world of hurt because you don’t have a training plan for how to train the next person in. It’s really going to be a human resource issue. The 3000 will probably run forever, given that you can swap a motherboard if you need to. The issue will be where to find a person to swap that motherboard, and how would we bring the system back up, and what does that mean to the application when it died in the middle of the day-end batch. Those are the kinds of things people are going to have to deal with at some point.

Posted by Ron Seybold at 06:09 AM in Homesteading, Migration, Newsmakers

June 23, 2009

Pages stay open in state of play

NewsWire Editorial

   The story finished with shots of film across the movie screen. Close ups of negative film, getting prepped to make a newspaper, something to offer the world facts and ideals to live up to. Print publishing stands at the heart of State of Play, this spring’s movie about journalism, newspapers’ age, and speaking power to truth. Abby and I sat and watched the printing montage roll over the credits as she said, “The same way we still print the NewsWire.” I squeezed her hand and blinked back a tear, because print journalism remains stamped in my heart.

    I entered journalism in 1980, an era when the only outlet for a deep story was pages of print. Pages created with the same method we use to make this newsletter you hold. Layout images become negatives, the negs become metal plates, the metal carries ink onto paper, the folded paper rolls onto a truck at the back door and into the world. Old school, like HP 3000 computing, built around old ideals.

   But just like printed news, the costs to maintain these old ideals keep rising. This quarter the US Postal Service raised our rates to mail, and last year our ink and paper got a hike. Print journalism has no cost path to follow but upward. Experience with HP 3000 environments follows a similar track, since the resource of experts is becoming more rare. At the same time as old school economics creep up, online reporting and open source computing costs less. You may discover, if you have a wise eye, that you get what you pay for.

    Near the end of State of Play, the print reporter Cal McAffrey shouts out a bit of gospel. People know the difference between journalism and chatter, he tells a politician. The former moves slower but is more certain of facts. The latter appears in legion, built upon opinion and spectacle.

    But as we have learned here at the NewsWire, and you accept in your IT careers, the old and the new both deliver value. MPE/iX is superior in its elegance, reliability and its integration with hardware. Nobody will be tempted to use it to deliver Web-based information or drive applets with Java. There are fundamentals for any environment, however, and right at the bottom is genuine field information: support based on experience of participants in the real world.

    To go forward with the 3000 as your computing heartbeat, you’ll need faith in your fellow man. Support solutions now flow from sources outside of HP. We’re now all working in the first year when the 3000’s creators will deliver no more hope of improvement or repair. This state of play is a risk some business owners cannot tolerate. Others see the risks in choosing the right replacement. For some, that’s a choice they cannot afford to get wrong.

Posted by Ron Seybold at 07:56 AM in Homesteading

June 19, 2009

Ongoing sales suggest panic has slowed

It's a dubious fact you'll hear among community members and partners: Practically just about everyone has migrated from the HP 3000. But 3000 resellers report that their continued sales suggest much less urgency to move this year than in 2005 or earlier.

"I sell 9X9s and e3000 N4000's every month," reports Bay Pointe Technology's Bob Sigworth. "The migration panic has slowed considerably. Are we selling to new MPE users? No. But there are many, I repeat many, large, companies that are adding to their infrastructure and have no plans to migrate. Why? MPE is solid as a rock and the third-party support people are better than ever."

The topic surfaced recently when options beyond the HP 3000 came up in the 3000 newsgroup. "What is OpenMPE fighting for?" said one community volunteer. "Some version of MPE that sits on a Windows or Linux box. What's the point of that?"

The point is the same as the data point of continued sales of 3000s and good third-party support suppliers. There's life beyond HP, and a life beyond the 3000. Companies make a case every day for both kinds of life. Nobody's in a panic by now, more than seven years after HP started its 3000 exit.

And if MPE can sit on a Linux box, that's important for hardware options far into the future. Hewlett-Packard's 3000 hardware, aging all the time, can be taken out of the homesteading formula sometime in the future, perhaps beyond 2012, when the existing hardware has run its course. (You can contact Strobe Data to see how this emulation works to replace hardware for the HP 1000, and Digital Vaxen -- and for whom.)

Many other things are needed to make MPE on Linux a success, like support, marketing, R&D -- the usual list of suspects to make any product succeed. Oh, modifiable source wouldn’t hurt, either. See that pipe to HP, above, to send your requests for real source.

Posted by Ron Seybold at 12:22 PM in Homesteading

June 18, 2009

Support Group partners with Blue Line for solutions

Offerings from the Support Group inc. (tSGi) gained scope and depth recently, when the HP 3000 outsourcing and support company announced a partnership with Blue Line Services. The companies, which are both headquartered in Texas, will share marketing and resources for on-site and support center operations.

"We have partnered our expert services to bring complete end-to-end coverage to the HP 3000 community," said tSGi Account Manager and Business Systems consultant Donnie Poston. "With our combined services you can now have HP 3000 hardware, software and MPE operations support and management under one roof."

Poston said the companies started talks about working together early this year, when engagements with HP 3000 customers gave the firms some common ground. They plan to share customer lists and use each other's support teams to back up one another's client lists. Marketing and sales support are also on the combined efforts list.

The new partners also offer support, system sales and solutions for other HP systems. As an example, Blue Line is putting HP's LeftHand SAN storage solution into the mix of options for enterprise IT customers. LeftHand can be purchased from many PC-based suppliers, but resellers with HP 3000 background are fewer in number.

Even though tSGi is best known for supporting and implementing ERP applications, the company offers independent support outside that sector. "We have HP 3000/MPE accounts that do not use MANMAN," said Poston. "We manage the HP 3000 and OS for them. They either have homegrown apps, or have folks that manage the ERP/MRP type apps onsite."

tSGi announced that it is offering discount support rates for existing and new customers who sign a two-year support contract.

Posted by Ron Seybold at 05:30 AM in Homesteading, Migration, Newsmakers

June 17, 2009

OpenMPE list tracks unresolved challenges

    The OpenMPE advocacy group worked with HP for almost seven years on post-HP support issues. The volunteer work was hamstrung from the start by two conditions dictated by the vendor. First, discussions directly with HP were confidential. Second, the volunteer group had no leverage with a vendor which was leaving a marketplace behind. In leaving the development lab business this year, HP's best effort still left unresolved challenges for homesteaders.

    In source code matters, the vendor has not revealed which parts of MPE/iX code can be licensed for read-only access. It also offered no assistance in license talks with companies that own rights to internal parts of the OS such as the streaming module, Posix interface or basic-level ODBC middleware. (The last piece of software has rights owned by MB Foster Associates, whose chairman Birket Foster sits on the OpenMPE board, so talks should be uncomplicated on that module.)

    Other aspects of creating an emulator — which would extend the lifespan for MPE/iX on newer hardware — haven’t gotten any public response. The HPSUSAN number for HP 3000 systems, wired into stable storage on HP’s gear, will need an equivalent in software for any emulator to use third party applications. HP will sell an emulator license for MPE/iX whenever an emulator hits the market. But such an emulator would provide no mechanism for app vendors to enforce licenses, unless HP opens up technical details.

    OpenMPE requested the HP 3000 test and development machines from HP’s lab, but the vendor answered no, although these 3000 devices have no clear use to a 3000 lab which is so shut down not even HP support can use it. OpenMPE worked closely with the lab during 2007 to review the MPE/iX build process, hoping to ensure the OS could be unpacked later in the 3000’s life for fixes and patches. But HP didn’t finish proposed stages to complete this review, which would ensure outside engineers could decipher the code written in an HP variant language called Modcal.

    The SSH security shell for MPE/iX is also on the OpenMPE issues list. The vendor has provided little assistance in bringing the tool up to industry standards for the Secure Copy Protocol (SCP). The SSH/SCP issue is a good example of lab work that’s been requested by OpenMPE but didn’t get addressed enough by HP to become a tool for 3000 homesteaders.

   While HP did address a request for HP 3000 hardware internals documentation — again, with a ‘no’ — the vendor has reported nothing about making its Response Center’s knowledge base for 3000 problems available to the community in the future.

    OpenMPE chairman Birket Foster says although his group is now facing a closed 3000 lab at HP, the unresolved issues may still benefit from resources elsewhere inside the vendor. “Just because HP’s [3000] division has gone away doesn’t mean there are no more advocacy opportunities for OpenMPE,” he said. The group can petition HP’s support organization, he said, as well as the software license transfer group. SLT will be operating inside HP for the foreseeable future and can address the CPU board issues, Foster said.

  “OpenMPE got a formal recognition from HP that they need to have the ability for someone in the field to change the stable storage on a 3000’s board,” he said, “in the case of an emergency where a machine blows up. These are things that would be of service to a community that paid HP’s [3000 expert] paychecks for years. There are still people inside HP whose checks come from the fact that they know how to spell HP 3000.”

Posted by Ron Seybold at 04:58 AM in Homesteading

June 16, 2009

Retired HP lab leaves issues behind

    HP’s 3000 operations closed out development this year with assurances the vendor had addressed all issues around exiting the community. But while a 3000 issues list logs many HP decisions, some key items remain unresolved.

   The OpenMPE advocacy group worked with HP for almost seven years on post-HP support issues. The list of items, which has grown and shrunk, has been maintained by group director Matt Perdue most recently. The board has signed an official Confidential Disclosure Agreement this year with HP, which curtails the information OpenMPE can share.

   But the list the group could share with the NewsWire shows some missing procedures and unspecified dates for issues such as modernizing security software and receiving OS tapes during 2011. The uncompleted issues present a sizable array of projects and puzzles the community must complete or solve with other resources.

    The issue with the broadest potential impact on homesteading customers appears to be resources for the HP 3000 hardware emulator project. Perdue said the OpenMPE board — which includes Alan Tibbetts of emulator vendor Strobe Data — asked if the 3000 emulator would get the same treatment from HP as Strobe’s HP 1000 deal.

   “There are some things HP’s included that are going to help us, and a couple of things that we wish we had received,” Perdue said. “We’re talking about test suites [HP used on MPE/iX]. Without them, not even Stan [Sieler of Allegro Consultants] feels comfortable about releasing a binary patch that hasn’t been tested [with the suites].”

   Tibbetts told the board that Strobe had to devise its own set of tests to work with the HP 1000’s RTE operating environment in emulation. “Why HP doesn’t want to release those MPE suites, I don’t know,” Perdue said. “I would think, why not?”

   In a strict accounting of questions with HP responses, the test suite request has been addressed with an answer of “no.” HP refused to enable 9x7 servers to run modern versions of MPE/iX, or remove throttling in MPE that slows 3000s. But even discounting these refusals, some items have no details available this year, or even a deadline of when the processes will be revealed.

    The process to unlock HP’s 3000-specific diagnostics has no deadline or details. HP said last year it would free up these tools after HP’s support ends, but not how much longer afterward, or how.

   Per-call charges to restore 3000 CPU boards with HP’s SS_CONFIG and SSUPDATE utilities are not spelled out. These services are available to HP’s support customers, but only until 2011.

Posted by Ron Seybold at 04:55 AM in Homesteading

June 11, 2009

Will PCI standards kick 3000s out of service?

The answer to the question is being researched by HP 3000 customers today. Those who accept credit cards for payments, and process more than 20,000 Visa sales a year, are preparing for new standards from merchant banks to meet the Payment Card Industry (PCI) Data Security Standard (DSS).

All major credit card brands collectively adopted PCI DSS in 2006 as the requirement for organizations that process, store or transmit payment cardholder data. Ecometry's HP 3000 customers know their e-commerce software vendor will not be certifying HP 3000s for the 2010 standard. But it appears that Ecometry's owner Escalate isn't qualified to certify PCI compliance anyway.

The standard is broader than just software design, covering practices and processes as fundamental as whether and how to store cardholder data. (Don't, unless you must; encrypt plenty if you do.) Escalate wants to convert every Ecometry site to the Unix/Windows versions of the app, which Escalate will be glad to assure as PCI DSS compliant.

But security vendor Paul Taffel, who's just rolled out new features in IDent/3000, says Ecometry is far from the only place to have compliant standards implemented. A Qualified Security Assessor (QSA) can perform an audit to verify compliance — so 3000 sites can continue to process credit card transactions. Or so it appears. Merchant banks will decide.

The PCI Web site and associated white papers include a vast, 28-page listing of QSA providers. A PCI council certifies these providers. QSA is conferred by the PCI Security Standards Council to individuals who meet specific information security education requirements and have taken the appropriate training from the PCI Security Standards Council. They must also be employed by an Approved PCI Security and Auditing Firm. These assessors will be performing PCI compliance audits relating to the protection of cardholder data.

Third party solutions are available to get 3000 sites better credit card security. "The combination of Fluent Edge’s credit card encryption with IDent’s other features, and Vesoft’s Logon security, together provide a robust set of features that certainly fulfill the spirit of the PCI requirements," Taffel says.

The simple answer, for the Ecometry sites who rely completely on Escalate services, would be yes: HP 3000s won't pass the PCI DSS. But any Ecometry site which plans to remain on the HP 3000 after 2010 will be using a third-party solution anyway, since the Ecometry app loses support in that year. These Ecometry customers are leaving their vendor behind to continue to use an application which does the job without many problems. That no-fuss model is what made the 3000 an elegant and efficient business choice to begin with.

Posted by Ron Seybold at 01:06 PM in Homesteading, Migration, User Reports

June 10, 2009

New PCI utility adds 3000 compliance tools

HP 3000 software doesn't get much updating these days. I don't mean applications running business on 3000s. Those have to be enhanced and upgraded regularly. But 3000-based off the shelf apps, or vendor utilities, haven't seen much new code since 2005 or even earlier. The exceptions to that situation are starting to work together.

Last week the community got notice of a new feature for IDent/3000, a PCI compliance utility written, sold and supported by Paul Taffel. He's developed numerous solutions for 3000s over the past two decades. At one time he was developing for Orbit Software, and most recently he's been in the development team at Quest Software.

Taffel's IDent/3000 added the ability to detect file changes by means "of a cryptographically-secure state-of-the-art checksum algorithm, Whirlpool. Whirlpool creates a 512-bit message digest for each monitored file; IDent stores these signatures, and uses them to detect new, changed, and deleted files."
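The baseline-and-compare technique described above, as an added example that is not IDent/3000 code and not part of the original post: one 512-bit digest per monitored file, stored, then compared to report new, changed and deleted files. It uses SHA-512 from Python's standard library in place of Whirlpool (which `hashlib` does not guarantee to provide), goes one step beyond the text by sealing the stored signatures with an HMAC so that edits to the baseline itself are caught, and runs on constructed file names and contents.

```python
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 64 * 1024  # read files in blocks so large files do not load into memory


def digest_file(path):
    """Return the SHA-512 hex digest (512 bits) of one file."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative path) to its digest."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = digest_file(full)
    return result


def seal(baseline, key):
    """Serialize the signature store with an HMAC tag over its contents."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha512).hexdigest()
    return json.dumps({"body": body, "tag": tag})


def unseal(blob, key):
    """Return the stored signatures, refusing a store that was altered."""
    doc = json.loads(blob)
    expected = hmac.new(key, doc["body"].encode(), hashlib.sha512).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("signature store has been modified")
    return json.loads(doc["body"])


def compare(baseline, current):
    """Classify paths as new, changed or deleted relative to the baseline."""
    old, now = set(baseline), set(current)
    return {
        "new": sorted(now - old),
        "changed": sorted(p for p in old & now if baseline[p] != current[p]),
        "deleted": sorted(old - now),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed file tree, baseline it, alter it, report changes."""
    key = b"constructed-demo-key"  # assumption: real keys live off the monitored host
    with tempfile.TemporaryDirectory() as root:
        _write(root, "SYS/CATALOG.txt", b"catalog v1\n")
        _write(root, "SYS/LOGON.cfg", b"timeout=30\n")
        _write(root, "PUB/REPORT.job", b"!job report\n")
        stored = seal(snapshot(root), key)

        # Same-size edit: a size or timestamp check alone could miss this.
        _write(root, "SYS/LOGON.cfg", b"timeout=90\n")
        os.remove(os.path.join(root, "PUB", "REPORT.job"))
        _write(root, "PUB/NEWPROG.bin", b"\x00\x01\x02")

        return compare(unseal(stored, key), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```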

3000 sites in the e-commerce community have deployed IDent over the past year. Taffel is looking for more traction for a tool that appears to have many unique security features. He says he created IDent when Adager's CEO Rene Woc put him in touch "with a couple of Ecometry sites who realized that there was no way to meet PCI requirements with existing MPE features. These sites fed me with requirements, and I came up with a collection of solutions to take care of each requirement."

His current duties extend the security of a 3000 server which processes many late-night purchases from Americans watching television.

Taffel developed IDent/3000, then landed a job at Moulton Logistics Management, which runs its own customized e-commerce app. Moulton is a processing clearinghouse for many vendors who sell through infomercials. In a weak economy, Taffel says, infomercials are doing strong business.

The Ecometry sites working with IDent want to remain on their HP 3000s. Taffel counted on advice from IT managers at Ecometry customer sites. Ecometry has reported at its latest user group conference that 75 sites haven't scheduled any migration away from the 3000. Other companies have home-grown e-commerce solutions on a 3000.

"The company makes a lot of use of their 3000s, and needs to become PCI-compliant, too," he says. "IDent covers all parts of the PCI spec with the exception of credit card number encryption (because Ecometry already provides that option). I am also working on credit card encryption for Moulton, but that is not included in IDent."

Taffel outlined the features that IDent offers to companies that need to meet new PCI standards in 2010:

- user keystroke logging (log file timestamps all user input, and includes the current prompt).

- TurboIMAGE rule-based access control.

- Logging read/write access to datasets/files containing critical data (e.g. credit card numbers)

- log files can be automatically FTP’d to remote systems for extra security.

- cryptographically-secure checksums used to detect changes to operating system files.

- ability to protect filesets from tampering. In most cases this means log files. IDent can stop anyone (including SM users) from removing log files using any means.

This last feature, protecting log files, is essential for PCI. Taffel says that it's "key that if you have a breach, which parts of the database have been compromised? You must be auditing the access to know the extent of the compromise." If a hacker gets into data and then erases the log files on the way out, encryption alone isn't going to repair the problem, or satisfy PCI auditors.

Even the Whirlpool algorithm can't secure a system if implemented incompletely. "My main problem with encryption is with its real-world use," Taffel says. "There are a lot of front doors getting bolts added while back doors remain open."

Security software is never a favorite investment for computer owners. "No one invests in security software unless they have to," Taffel says. "Most small companies can self-certify that they’re PCI compliant, but the bigger ones have to use external auditors, so they’re the motivated ones."

PCI is posing plenty of puzzles for IT directors. "The PCI requirements are not 100 percent clear," Taffel says. "Everyone who reads them comes away with a different understanding of what they require. Hence, IDent is highly configurable, basically a collection of tools that can be configured as each site sees fit."

Posted by Ron Seybold at 06:00 PM in Homesteading