How to Get Started in Cybersecurity - Part III – It’s 5 O’clock Already?
IBM was a wonderland. Not at first glance, though. The buildings were monolithic remnants of the 70s and the 80s. Never learning the true history of the IBM Essex Junction campus, each time I arrived to work I felt like I had traveled back to where I started in the 70s and 80s – a handful of System/360s, and a larger population of System/370s were in use at the time. All of them were being slowly replaced by System/390 and RS/6000s depending on the workload.
They were still using punch cards for some systems – something about US Federal compliance. To put this in perspective, this was the mid-1990s. Every week, I’d be introduced to token ring and their famous MAUs, stockrooms full of IBM 5250 terminals, IBM Selectric Typewriters, IBM PC, PS/2, and even PC Junior! Earlier, I mentioned RS/6000, well, they had a bunch of IBM RT PCs that we supported.
Some of the stranger things I witnessed at IBM were Microsoft and IBM still collaborating on OS/2, a PowerPC Laptop with a butterfly keyboard that allowed the owner to choose an OS upon first boot – RISC-based Windows NT 3.5, OS/2 2.X, or AIX! I don’t believe these ever saw the light of day outside of IBM.
Our job in Burlington Vermont (BTV) Decision Support Services (DCS) was to support individual business units’ office productivity and engineering hardware and software if that software was running OS/2 or AIX. To do this, we needed to understand how to:
1. Connect to one or more mainframes or “get to my VM interface” (part of the CMS/VM OS that the System/3x0 hosted), or “connect to my PROFS OfficeVision (OV/MVS) account.” The CMS/VM back-end could have been anything IBM made between 1972 and 1995.
Before you ask me if I dabbled in this or that model IBM, yes, I have experience with everything IBM made during those years; System/360, System/370, System/390, RS/6000, System/36, System/34, System/38, System/88, CMS/VM, and the applications that ran on them. You might say, “That’s impossible! IBM got rid of those systems years earlier.” To which, I’d reply, “Apparently you never worked at IBM Burlington, VT.” It was a veritable computer museum, and if something worked, it was kept around – either running or for parts.
2. Connect to the Internet. Now that was interesting because IBM had just started connecting their systems to the Internet and just started supporting TCP/IP. OS/2 needed an application called CM/2 to create a Winsock of sorts to the TCP/IP backend systems that supported connections out to the Internet. CM/2 was also required for 5250 or any other kind of terminal emulation. This required you to know the Internet; understand the OSI Model, DNS, routing, packet filtering, protocols, scripting, etc.
3. Use Microsoft DOS and Windows for Workgroups 3.11. Yes, native Windows was banned at IBM in those days. Employees were not supposed to install DOS/Windows directly on hardware, but OS/2 emulated Windows for Workgroups no problem - it was built-in for crying out loud! Did IBM employees take advantage of it? Well, not until IBM bought Lotus in the 90s, and the OS/2 version of Notes, well, stunk, so there were employees connecting their OfficeVision accounts to Windows for Workgroups emulation running Lotus Notes for Windows. Try and wrap your head around that.
What made IBM such a learning wonderland for me?
I taught myself to be a system administrator, a network administrator, a hardware engineer, a software engineer, a firewall administrator, an AIX guru, an interoperability expert. System integration is key, ask Oracle. That's how they became the mainstay of the Fortune 500 for the last three decades. Then ask Microsoft CEO, Satya Nadella, who, for lack of a better term, "gets integration" and has brought Microsoft into the 21st century when it comes to integration, privacy, and security.
What were some of the activities that drove me to become a master at all things IBM and 1980s – 1990s operating systems and hardware, and through that, what was to become known later as cybersecurity?
· To support our departments and business units, we would take parts from systems that didn’t work to put them into other systems that didn’t work to make a working system. Why? Because IBMers were the very last to receive any hardware orders they placed, and once those internal system orders arrived, usually several months later, they were typically wrong or broken, damaged during shipping. Hopefully I'm not talking out of school here. Anyone who worked up at BTV those days knows what I'm talking about.
· I had access to IBMers’ office libraries, which contained dozens of IBM Redbooks, and OS architecture, hardware and programming language books from the likes of Peter Norton, Evi Nemeth, and Kenneth H. Rosen, to name a few. I taught myself how modern operating systems worked, how Assembly language and memory/processor hardware came together, how to code in Pascal, COBOL, Fortran, Delphi, Basic, and command shells of all shapes and sizes.
· Friendly IBMers would show you stuff, like how the IBM firewall worked, how the IBM supporting mainframes worked, how to assemble an RS/6000 out of the box, how to get SAP R/3 working on OS/2, how to request an email account, how to emulate Mosaic for AIX on OS/2, and how HTTP worked.
· I became trained in esoteric but groundbreaking technologies like IBM Netdoor and IBM LAN Manager. A year or two later, I became absolutely obsessed with the cryptanalysis of LAN Manager password hashes.
There was one essential problem working for IBM Burlington, especially because I was hired in Burlington and didn’t rise through the ranks or get transferred there from Armonk, Austin, Fishkill, or Endicott. I didn’t make enough money to pay the rent and feed myself. I barely made more money than what I’d take home from my high school jobs. After a while, I looked for another job just to make ends meet.
Thankfully, I was offered full-time jobs at the UVM Microcomputer Services Department, and the Vermont Federal Bank, respectively, while I continued to contract for IBM nights and weekends. I didn’t want to lose access to all I was learning at IBM and management allowed me to stay on as a contractor and gave me full autonomy.
So where does the Cybersecurity come in? You’ve got to be a jack of all trades to understand the first thing about Cybersecurity. That’s what I became at IBM. You should have an understanding of as much as possible to know what can be taken advantage of, and what can be protected.
At IBM I learned everything there was to know about supporting network protocols and access controls. The Cybersecurity market at that time was all but nonexistent. Organizations claimed ignorance, didn’t think they were ‘vulnerable’ because they weren’t connected to the big bad Internet, or they were connected, and they did not care or think they would be exploited. "No one can break through our firewall" and "We're not a bank or the Government, so we don't have anything anybody wants on our network" were the justifications to do nothing back then. Sound familiar?
The theme of my history in Cybersecurity is, learn as much as you can about absolutely everything you can. I was fortunate enough to learn when the tech world was a little less complex than it is today. That allowed me to go slow and take side roads if and when I had time. The title of this installment reflects that when I was in my tech tunnel vision at IBM, I wouldn’t realize it was 5 o’clock. Sometimes I would work for hours into the evening to fix something, get something to work, or set something up that I *thought* wouldn’t work and was blown away when it did.
In my next installment, I’ll recount my time at UVM Microcomputer Services, Vermont Federal Bank, and my ultimate move to Massachusetts to take advantage of a livable salary and the opportunity afforded to technical folks between 1996 and the 2000 dot com crash.
@sys$system:shutdown Now push that RK-07 over here and grab that box of SI cables...
Former Lead Infrastructure Security Solutions Engineer at MITRE - MS, CISSP, CCNP, GIACx7, currently on hiatus, finishing up Masters degree in CyberSecurity
3 years ago: I started my career with SNA mainframes, but have touched pretty much every network methodology out there with the exception of token ring. 3Com, Novell, thick net, thin net, DECnet, Frame Relay, OS/2, LANMAN, Banyan Vines, and TCP/IP, most flavors of wireless, it’s all in there.
Master Principal Technologist - Cybersecurity at Oracle | Professor | Photographer
3 years ago: I started my career with OS/2
Executive leader focused on building customer outcomes that drive growth, customer satisfaction and innovation!
5 years ago: Lock down your endpoint step #1, PREVENT ALL EXPLOITS! Then work on closing down all vulnerabilities knowing your endpoint is secure! Operate with confidence. #AppGuard