The AS/400 Made Off with the Money
February 16, 2009 Alex Woodie
The IBM AS/400 is good at a lot of things, including tracking inventory, processing claims, and tallying sales. And now you can add one more accomplishment to the legendary box’s resume: Running Ponzi schemes. In recent weeks, evidence points to the fact that Bernie Madoff used an AS/400 server to help perpetrate his alleged $50 billion fraud. Data contained on the server, recently confiscated by the Justice Department, will likely play a crucial role in helping to unravel the crime of the century.
Fox Business broke the story about Madoff’s use of the AS/400 to run his alleged Ponzi scheme less than two weeks ago. Reporter Adam Shapiro interviewed a former employee of Bernard Madoff Investment Securities, Nader Ibrahim, about the alleged scheme. In particular, Shapiro focused on the activities of a key former Madoff employee, Frank DiPascali, who is thought to have run the fraudulent activities on the 17th floor of the so-called “Lipstick Building” in New York City where Madoff was based.
“His role was to input data into the computer, which was spitting out what we now know were fraudulent statements,” Shapiro said of DiPascali in his broadcast, which can be viewed here. “One thing that you can be sure, the investigators are zeroing in on that computer . . . .an AS/400, it’s called. An old IBM computer.”
The Fox report came a week after The Wall Street Journal (like Fox, a News Corp holding) published a story on the layout and inner-workings of the 17th floor, based on interviews with Ibrahim and others. “Across the hall was another room, where an old International Business Machines computer generated client statements, former employees say,” the WSJ reported on January 29. “The IBM server operated independently from Madoff’s other computer systems but was supported by tech staffers who also did work for the stock-trading group, according to former employees.”
That Madoff used an IBM server to perpetrate his alleged fraud is no knock against IBM or its products. It seems logical that the same elements that make the AS/400 such a popular platform for business computing–rock-solid stability and nearly impenetrable security–would also be in high demand among white collar criminals, as Madoff is alleged to be. In any event, IBM refused to comment to IT Jungle for this story.
However, for members of the AS/400 community and the enterprise IT community at large, the Madoff affair raises interesting questions about security, ethics, and the transparency of business processes. For starters, how did Madoff generate so much false data without raising any red flags? The answer to this question may lie with the outside accounting firm that audited Madoff’s books, and the federal laws that exempt private brokerages such as Madoff’s from greater scrutiny.
Madoff’s accountant was Friehling & Horowitz, a three-person accounting firm based in the same office building as Madoff. Industry experts are aghast that such a tiny accounting firm was allowed to vouch for accuracy of the books for such a large, multi-billion dollar investment house. Such a small firm lacked the manpower and expertise to accurately assess the books of such a large operation, they say.
However, Madoff was entirely within the law in hiring Friehling & Horowitz. Because it did not audit public companies, Friehling & Horowitz was not required to register with the Public Company Accounting Oversight Board (PCAOB), according to Reuters. The PCAOB was created under the Sarbanes-Oxley Act in 2002 to help prevent the type of fraud we saw with Enron and its accountant, Arthur Anderson. While the Securities and Exchange Commission has mandated that privately held brokerages such as Madoff’s be audited by PCAOB-registered accounting firms, it has delayed implementing that rule several times over the years, providing more cover for Madoff to perpetrate his (alleged) Ponzi scheme.
Even if Madoff’s auditor was investment grade, they may have had a hard time spotting the fraud because it was so pervasive. Auditors typically will look at a wide range of data, and then analyze it for items that look out of place. “If everything appeared to look like a genuine transaction, then I guess you’d only spot it at an accounting level,” says Terry Heath, chief operating officer of Safestone, a System i security software developer based in the United Kingdom. “Unfortunately, if your baseline for normal is corrupt in the first place, it’s obviously hard to spot those events that are out of the ordinary.”
It can’t be known what motives Madoff had for choosing the AS/400 to perpetrate his fraud (if it was even him that selected it for this task), and it may be irrelevant in the end analysis. But it’s interesting when you consider the fact that the AS/400 is a notoriously difficult platform for auditors to crack.
Many regulations that affect IT are commonly written from the point of view of more prevalent Unix and Windows operating systems, the Payment Cardholder’s Industry (PCI) Data Security Standard (DSS) being the most recent example. So even if Madoff’s accounting firm had experience auditing large investment houses, they may have not had much experience dealing with the AS/400. This lack of oversight could have provided more shadowy areas for Madoff and his crew to execute their scheme.
Despite some of the red flags that, in hindsight, should have invited more scrutiny, Madoff and his crew appeared to operate in an above board fashion. Madoff’s business even appeared in several AS/400 marketing databases commonly distributed among ISVs. One company that found Madoff associates in its database is Kisco Information Systems, a developer of System i security software in upstate New York. But many more AS/400 ISVs undoubtedly have Madoff in their marketing databases, and some of them likely sold them software to help them run their AS/400.
When a crime the magnitude of Madoff’s alleged crime surfaces, it takes everybody by surprise. Madoff is alleged to have bilked $50 billion from trusting individuals and institutions, and that’s nothing to take lightly. The fact that he used a powerful business machine to perpetrate the crime is interesting, but the human toll is much more important. And this isn’t the first time an organizations use of AS/400 technology has received guffaws. There’s the urban legend about the Columbian drug cartel that used an AS/400 to run its business. And how can you forget the struggles that Microsoft had getting off the box.
New laws will undoubtedly be passed to try and prevent the next Ponzi scheme (start by closing the PCAOB loopholes). And auditors may bone up on the AS/400 so they’re not startled by the “strangeness” of the platform. While it would be nice if AS/400s weren’t used for illegitimate purposes, that’s ultimately impossible.
Kisco president Rich Loeber, who’s also an amateur theologian, has struggled with the moral question of the responsible use of technology. “I don’t see how anyone can control how the hardware is used,” Loeber says. “Over the years, I’ve given this much thought and my final conclusion is that computers are morally neutral. How they are used is where the morals come in, and that is all controlled by people. I would not be surprised that AS/400s are used in all sorts of immoral ways, Madoff’s company just being one such example.”
What is true of AS/400s and their progeny is, of course, also true of IBM mainframes, Hewlett-Packard and Sun Microsystems Unix boxes, clusters of Linux-X64 servers or Windows tower servers from myriad vendors. That assessment also applies to the systems and application software that rides atop all of this iron. A computer is just a tool, and any morality associated with it comes from the user, not the machine.