Wednesday, 15 February 2012

The biggest cost of PKI

PKI is notoriously expensive. The US government alone has spent over $1 billion on the technology and doesn't really seem to have much to show for their investment.

But there are actually even bigger costs from PKI.

Remember the dot-com era?

Baltimore Technologies, a PKI vendor who actually had a fairly good product, at least relative to other PKI offerings, once had a market capitalization of roughly $13 billion. Their revenue never justified this valuation, of course. It actually never even came close. Instead, this was just based on the assumption that PKI was going to be an important enabler of the future Internet.

That never happened, and essentially all of that $13 billion disappeared in a very short time.

That's one of the biggest costs of PKI.

And I'm sure that you could even find several billion of lost value from other companies that was directly due to PKI not working out. And that's the sort of cost that even seems to make the $1 billion that the US government has spent seem relatively small. 

Tuesday, 14 February 2012

An idea for future blog posts

I just realized that today is the day that P. G. Wodehouse, arguably the best writer of humor that the Earth has seen in its several billion years of existence, died in 1975. As a member of The Wodehouse Society, it's probably appropriate that I use Wodehouse's ideas whenever I can, and I seem to recall one that may be particularly appropriate for blogging.

I don't recall exactly which book this was in, but in one of his novels Wodehouse noted how he had cleverly outmaneuvered his critics. They were apparently claiming that many of his books featured essentially the same plot as his previous books, just with different characters in them. To deal with this criticism, Wodehouse decided to blatantly reuse a plot, and to do it with exactly the same characters that he had previously used.

So if doing that sort of thing is good enough for an author the stature of Wodehouse, I might be able to use the same idea and recycle old blog posts, posting the exact same text that I had used previously. If I really felt ambitious, I could even correct any spelling and grammar errors that might have crept into the original posts.

And, as someone pointed out to me today, the news stories that we've seen over the past couple of years that talk in glowing terms about some new academic work that has "broken" AES seem to indicate that people really don't get tired of reading the same thing over and over again.

Is RSA key generation really worse than DH key generation?

There's an interesting paper available on the IACR's eprint server: "Ron was wrong, Whit is right," by Adi Shamir and others. Here's the abstract of this paper:

We performed a sanity check of public keys collected on the web. Our main goal was to test the validity of the assumption that different random choices are made each time keys are generated. We found that the vast majority of public keys work as intended. A more disconcerting finding is that two out of every one thousand RSA moduli that we collected offer no security. Our conclusion is that the validity of the assumption is questionable and that generating keys in the real world for "multiple-secrets" cryptosystems such as RSA is significantly riskier than for "single-secret" ones such as ElGamal or (EC)DSA which are based on Diffie-Hellman.

A closer look at the data in the paper, however, suggests a simple explanation for what was observed: at some point (perhaps even continuing through the present day), some implementation of RSA had a bug in it, and this bug managed to affect the 0.2% of the keys that the paper describes as being weak.

We'll probably find out one day which buggy implementation ended up creating these weak keys, and we'll also almost certainly find out that this implementation of RSA hadn't been validated by a third party.

That's what certifications like FIPS 140-2 give you. They test to make sure that an implementation's cryptographic algorithms work the way they're supposed to, and that was definitely not the case with the weak keys that this paper describes. So maybe that's the best lesson to be learned from this: don't trust that an implementation of ANY security feature is done correctly; rely instead on third-party validation that security features are indeed correct.

But if it turns out that the buggy implementation was indeed validated, well, that's when things could start to get interesting.
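As an added illustration (not code from the post or from the paper), here is the check that the paper's finding implies for anyone holding a collection of RSA public keys: if a key generator ever reused a prime across two moduli, a plain GCD of those two moduli exposes that prime and breaks both keys, while properly generated moduli are always coprime. The primes and the four-key set below are constructed and tiny so the example runs instantly.

```python
import math
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Constructed toy primes standing in for RSA prime factors. Real RSA primes run
# to hundreds of digits; these are small so the example runs instantly.
P1, P2, P3, P4, P5, P6, P7 = 1000003, 1000033, 1000037, 1000039, 1000081, 1000099, 1000117

# Constructed key set. Keys A and C share the prime P1, standing in for the
# failure the paper reports: a generator whose "random" choices were not fresh
# for every key. Keys B and D were generated properly and share nothing.
MODULI: List[int] = [
    P1 * P2,  # key A
    P3 * P4,  # key B
    P1 * P5,  # key C
    P6 * P7,  # key D
]


def find_shared_factors(moduli: List[int]) -> Dict[int, int]:
    """Pairwise GCD sweep: return {modulus: shared prime} for every modulus that
    has a prime in common with some other modulus in the collection.

    Two properly generated RSA moduli are coprime, so gcd == 1 is the healthy
    outcome. A gcd strictly between 1 and the modulus is a prime factor of both
    keys, and N // gcd recovers the other factor, so both keys are broken."""
    weak: Dict[int, int] = {}
    for n1, n2 in combinations(moduli, 2):
        g = math.gcd(n1, n2)
        if 1 < g < min(n1, n2):
            weak[n1] = g
            weak[n2] = g
    return weak


def find_shared_factors_batch(moduli: List[int]) -> Dict[int, int]:
    """Same check done with one gcd per key against the product of all the
    others, the shape of the batch-GCD idea that scales to large collections.
    If a key shared both of its primes with other keys, the gcd would equal the
    key itself; that case needs the pairwise sweep to tell the primes apart."""
    total = math.prod(moduli)
    weak: Dict[int, int] = {}
    for n in moduli:
        g = math.gcd(n, total // n)
        if g > 1:
            weak[n] = g  # g == n would mean both primes are shared elsewhere
    return weak


def factor_from_shared_prime(n: int, g: int) -> Optional[Tuple[int, int]]:
    """Split a modulus once a shared prime is known; None if g is not a
    proper divisor."""
    if g in (1, n) or n % g != 0:
        return None
    return (g, n // g)


def weak_fraction(moduli: List[int]) -> float:
    """Share of the collection that is broken. The paper reports about 0.2%
    for the keys it collected; this constructed set is deliberately much worse."""
    return len(find_shared_factors(moduli)) / len(moduli)


if __name__ == "__main__":
    for n, g in find_shared_factors(MODULI).items():
        print(f"modulus {n} shares prime {g}; factors: {factor_from_shared_prime(n, g)}")
    print(f"weak fraction: {weak_fraction(MODULI):.1%}")
```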

More thoughts on the theory and practice of crypto workshop

After watching more of the presentations from the recent Is Cryptographic Theory Practically Relevant? workshop, I've come to two conclusions. First, there's definitely a serious disconnect between academic and commercial cryptographers. Second, it certainly looks like the commercial guys have a fairly good understanding of what the academic guys do, but the academic guys don't seem to have as much of an understanding of what the commercial guys do.

I'm basing this on some of the comments that the academic guys made at this workshop about the differences between the two environments. I'd say that this misperception may be due to the fact that the people who thought of themselves as being "commercial" instead of "academic" tended to work for very large companies, where the interests of the R&D groups probably aren't that different from the interests of more academic organizations. If this workshop had included people from smaller companies (which it actually didn't seem to do), I'd guess that the discussion would have been a bit different. 

Another example of people not understanding encryption

The big hack at on-line game company Steam last year might not have actually exposed sensitive information, because the data that the hackers ended up with may actually have been encrypted. But according to a report at the 1Up web site,

Just because these hackers didn't break Valve's encryption yet doesn't make it impossible or prevent the criminals from selling the files to those who can.

Eh?

Let's assume that some sort of industry standard like 3DES or AES was used to encrypt this data. Cracking either of those requires so much computational power that it will be impossible anywhere on Earth for the foreseeable future.

The most likely scenario for one of these algorithms being exploited is probably an encounter with aliens who happen to have extremely advanced quantum computers. And even then, cracking any symmetric algorithm is still hard enough to make it not worth the time and effort that it would take hackers to do it. Even if they're extremely advanced aliens.

So even though it's probably technically true that it's not actually impossible for someone to break today's encryption algorithms, it's extremely unlikely. You're much more likely to hear news about aliens landing than you are to hear about the encryption being broken. And that seems roughly as likely as finding accurate reporting on how hard it actually is to crack today's encryption.

Monday, 13 February 2012

An unexpected threat model

I learned something interesting while I was watching the video "Lessons Learned from Four Years of Implementation Attacks against Real-World Targets", one of the talks at the recent crypto theory and practice workshop.

It seems that fraud is a significant contributor to auto theft. I Googled around a bit and found claims that a typical driver in the US pays an additional $300 in premiums annually because of this. It's apparently much worse in Europe, where it's easy to drive a car to a nearby country that's not interested in cooperating with the law enforcement or insurance people of the country of the car's origin. 

So it seems that high-tech keying systems for cars deal with an odd threat model - one in which the legitimate owner of the car may actually be a bigger threat than a car thief. That's something that makes it harder to design good security protocols than it would be otherwise.

Friday, 10 February 2012

Is Cryptographic Theory Relevant?

Videos of most of the talks from the recent Is Cryptographic Theory Relevant? workshop that was held at Cambridge University from January 31 through February 2 are now available here.

I haven't had a chance to watch all of the talks yet, but I've been fairly impressed with the ones that I have watched. The bottom line seems to be that theoretical and practical cryptographers still have lots of work to do. But with events like this workshop, people seem to be realizing what needs to be done. And if even a few of them start doing it, this workshop will definitely have been worth the time and effort that it took to organize it.

Thursday, 09 February 2012

Security Threat Report 2012 from Sophos

[image: Sophos]

I recently mentioned that I had looked at the "Security Threat Report 2012" from Sophos, but I should also mention that this report has all sorts of useful information in it and that you should definitely take the time to download and read it. Of particular interest might be their "What's new in 2012: 10 trends" prediction. Here's their list, which I happen to agree with 100 percent:

1. Social media and the web

We expect cybercriminals to continue their effective mass generation of malware, increasing the number of attacks using new social media platforms and integrated apps.

2. Security means more than Microsoft

Over the past 18 months the bad guys have increased attacks on platforms like Mac OS X and Adobe. We’ll continue to see more targeted attacks on non-Windows platforms in 2012 and 2013.

3. Mobile devices in the spotlight

In 2011 we saw a greater volume of malicious attacks on key platforms such as Android. IT security professionals will need to deal with rapidly evolving mobile platforms, each with a unique set of risks.

4. New web and network technologies force us to learn some lessons

Web technologies are undergoing interesting changes, from HTML5 to IPv6. These new technologies introduce some impressive new capabilities, but they also introduce new attack vectors.

5. Casual consumerization causes backsliding

A casual shift to use of consumer devices without appropriate controls will cause backsliding in security capabilities. IT will once again struggle to deploy reliable security measures for the environment.

6. More hacktivism and targeted attacks

With rising awareness of cybercrime as a means of data theft, intelligence gathering, and political dirty tricks, it’s likely we’ll see more targeted attacks in 2012. These attacks will continue to be a priority issue for certain businesses and organizations.

7. Data regulations proliferate and penalties grow

New regulations and tougher penalties for data breaches will be major concerns for organizations. Proposed laws like the U.S. Stop Online Piracy Act (SOPA), and the European Union’s Data Protection Directive, will have a major impact on data protection and privacy for businesses and private citizens alike.

8. Mobile payment technology may be new target

We’re eagerly waiting for the widespread availability of convenient payment technologies like near field communication (NFC) in mobile devices. We expect cybercriminals are just as eager to target these integrated platforms that hold your life and your money.

9. Cloud services are back in vogue

Some companies were slow to adopt cloud services because of perceived insecurity. But many organizations are now starting to use these services. That means more focus on encrypting data wherever it flows, rather than just protecting the device or the network.

10. The basics still go wrong

Security basics like patching and password management will remain a significant challenge to IT security.

Keeping your devices healthy by identifying missing patches in areas commonly targeted by the bad guys will help significantly. Technologies like file and folder encryption will smooth the adoption of cloud services and new devices.

Wednesday, 08 February 2012

PKI isn't really that bad, is it?

[image: PKI]

Tuesday, 07 February 2012

Loans made by banks

Since lots of Voltage's customers are large banks, we need to understand the business of banking to understand what our customers need. Because of this, I periodically look at the data that the US Federal Reserve has for the banking industry. Here are two graphs of their H8 series of data (Assets and Liabilities of Commercial Banks in the United States) that I found somewhat interesting. These show the growth rate in loans as well as the total amount of loans that commercial banks have outstanding.

[image: Fed H8]


[image: Fed H8-2]

The recent "credit crunch" is much more obvious if you look at the annual growth rate of loans instead of just the total amount of loans.

Monday, 06 February 2012

4 d3c4d3 0f pr0gr3ss

1n 4 r47h3r Ðr4m471( (h4n93 $1n(3 7h3 Ð07-(0m 3r4, µ$1n9 £337 1$ n0w 4 w4¥ 70 937 £4b3££3Ð 4$ 4 n0v1(3 1n$734Ð 0ƒ 4$ 4n 3xp3r7.

Friday, 03 February 2012

Why data breaches have a lognormal distribution

I had an interesting discussion this morning about data breaches, and in this discussion the following idea about the distribution of the size of data breaches came up.

It certainly looks like the size of data breaches follows a lognormal distribution, so that the number of records exposed in breaches doesn't follow a normal distribution, but the logarithm of the number of records exposed does.

Why should we expect this to be true?

One approach to understanding this gets fairly arcane. You might look at axioms for a reasonable metric for either security or vulnerability and then look at a maximum entropy distribution that fits the constraints that that suggests.

But there's probably a simpler approach.

The size of organizations seems to also follow a lognormal distribution. Let's suppose that the amount of sensitive data that an organization has is roughly proportional to the size of the organization. If data breaches are becoming a virtual certainty, we'd then expect to see that lognormal distribution of breach sizes from that alone, wouldn't we?
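The argument above, run as an added simulation that is not part of the post: organization sizes are drawn from a lognormal, each organization is assumed to hold a fixed (constructed) number of sensitive records per employee, and the resulting breach sizes are checked for lognormality. The point the code makes explicit is that multiplying a lognormal variable by a constant c keeps it lognormal and only shifts the log-mean by log c; every parameter value here is made up rather than fitted to real breach data.

```python
import math
import random
import statistics
from typing import List, Tuple


def simulate_breach_sizes(n_orgs: int, mu: float, sigma: float,
                          records_per_employee: float, seed: int = 2012) -> List[float]:
    """Constructed model of the post's argument.

    Organization sizes (in employees) follow LogNormal(mu, sigma); each
    organization holds records_per_employee sensitive records; a breach exposes
    all of them. The returned list is the breach-size distribution that results.
    The parameters are illustrative, not fitted to any real data."""
    rng = random.Random(seed)
    return [records_per_employee * rng.lognormvariate(mu, sigma) for _ in range(n_orgs)]


def log_moments(samples: List[float]) -> Tuple[float, float]:
    """Mean and standard deviation of log(size). For a lognormal sample these
    estimate the (mu, sigma) of the underlying normal distribution."""
    logs = [math.log(s) for s in samples]
    return statistics.fmean(logs), statistics.pstdev(logs)


def predicted_log_moments(mu: float, sigma: float, c: float) -> Tuple[float, float]:
    """If X ~ LogNormal(mu, sigma) then log(c * X) = log(c) + log(X) is
    Normal(mu + log c, sigma): scaling by a constant shifts the log-mean only,
    which is why breach sizes inherit the lognormal shape of organization sizes."""
    return mu + math.log(c), sigma


def skewness(xs: List[float]) -> float:
    """Standardized third moment: about 0 for symmetric (normal) data, large
    and positive for the heavy right tail of a lognormal."""
    m = statistics.fmean(xs)
    s = statistics.pstdev(xs)
    return sum(((x - m) / s) ** 3 for x in xs) / len(xs)


def looks_lognormal(samples: List[float], tol: float = 0.25) -> bool:
    """Cheap diagnostic: raw sizes are strongly right-skewed while their
    logarithms are nearly symmetric."""
    log_skew = skewness([math.log(s) for s in samples])
    return skewness(samples) > 2 and abs(log_skew) < tol


if __name__ == "__main__":
    MU, SIGMA, RECORDS_PER_EMPLOYEE = 4.0, 1.0, 50.0
    sizes = simulate_breach_sizes(20_000, MU, SIGMA, RECORDS_PER_EMPLOYEE)
    print("observed  (mean, sd) of log size:", log_moments(sizes))
    print("predicted (mean, sd) of log size:", predicted_log_moments(MU, SIGMA, RECORDS_PER_EMPLOYEE))
    print("raw skew %.1f, log skew %.3f" % (skewness(sizes), skewness([math.log(s) for s in sizes])))
    print("lognormal-looking:", looks_lognormal(sizes))
```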

Thursday, 02 February 2012

What happened at VeriSign?

VeriSign's latest 10Q report has an interesting paragraph in it. It says this:

We experienced security breaches in the corporate network in 2010 which were not sufficiently reported to Management.

In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System (“DNS”) network. Information stored on the compromised corporate systems was exfiltrated. The Company’s information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future.

The occurrences of the attacks were not sufficiently reported to the Company’s management at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011 and, following the review, the Company’s management concluded that our disclosure controls and procedures are effective. However, the Company has implemented reporting line and escalation organization changes, procedures and processes to strengthen the Company’s disclosure controls and procedures in this area. See Item 4 “Controls and Procedures” in Part I of this report.

Now VeriSign is essentially out of the digital certificate business, so it's unlikely that this is another example of a CA/RA being compromised. Instead, they really just focus on DNS for several of the Internet's top-level domains (.com, .edu, etc.), so if anything was affected, it would probably have been the integrity of DNS. But without further information from VeriSign, it's not clear exactly what happened. Maybe we'll find that out over the next few weeks.

The group law on a hyperbola

As described in the previous post, it's possible to define a group law for points on a circle, and it's easy to generalize the geometric interpretation of this operation to points on other conics. Here's an example of what adding the points (5/4,3/4) and (-5/4,-3/4) to get the point (-17/8,-15/8) on the hyperbola x^2 - y^2 = 1 looks like, using the point O = (1,0) as the additive identity: we find the slope of the line through the two points we want to add, find the second point where the line through O with that slope intersects the curve, and call that point the sum.

[image: Hyperbola2]

Lots of infected PCs in China

The recent "Security Threat Report 2012" from Sophos has all sorts of interesting information in it. I found the data about the fraction of PCs that experienced a malware attack over a three-month period interesting. Here's the data from Sophos' report that describes this:

[image: Sophos]

But if we use the number of on-line users in each country as an estimate of the total number of infected PCs in each country, the graph looks much different:

[image: Sophos2]

China's definitely a big problem, isn't it?

Wednesday, 01 February 2012

The group law on a parabola

As described in the previous post, it's possible to define a group law for points on a circle, and it's easy to generalize the geometric interpretation of this operation to points on other conics. Here's an example of what adding the points (-1,0) and (2,3) to get the point (1,0) on the parabola y = x^2 - 1 looks like, using the point O = (0,-1) as the additive identity:

[image: Parabola2]

(I used this particular curve instead of the simpler y = x2 because the simpler curve is singular because of the repeated root at x = 0 and I wanted to avoid worrying about that.)

Tomorrow: the same thing for points on a hyperbola.

Imperva does it right

I've always been irritated by those vague citations to analyst reports that you see in sales and marketing presentations. Things like "This market is projected to grow by 1,000,000 percent by 2015 (Forrester)."

I always assume that this really means "This market is projected to grow by 1,000,000 percent by 2015 (but we know you really won't check this outlandish claim)." That's why I was so pleased to see that the most recent version of "Imperva's Web Application Attack Report" (PDF) actually included references for the analyst estimates that they cited.

There are lots of other reasons to read this report aside from the fact that Imperva did a good job with their references. There's lots of interesting data about how the hacker threat is continuing to evolve. Here's how they summarize what's contained in this report:

  • Hackers continue to increase the scale of their attacks: In our last report, we explained that websites are probed about once every two minutes, or 27 times per hour. Over the past six months, the number of probes has dropped to 18. Though a drop, this change does not mean hackers are any less persistent. In fact, when applications are attacked, hacker firepower actually saw a 30% increase. In July, we reported that applications experience about 25,000 attacks per hour. In the last six months, this has increased to nearly 38,000 attacks – or ten per second.
  • Hackers exploit five common application vulnerabilities: We have identified and investigated malicious traffic containing the following technical attacks: Remote File Inclusion (RFI), SQL Injection (SQLi), Local File Inclusion (LFI), Cross Site Scripting (XSS) and Directory Traversal (DT). Cross Site Scripting and Directory Traversal are the most prevalent classical attack types.
  • Hackers are relying on business logic attacks due to their ability to evade detection: We also investigated two types of Business Logic attacks: Email Extraction and Comment Spamming (EmExt and ComSpm, respectively, in following Figures and Tables). Comment Spamming injects malicious links into comment fields to defraud consumers and alter search engine results. Email Extraction simply catalogs email addresses for building spam lists. These Business Logic attacks accounted for 14% of the analyzed malicious traffic. Email Extraction traffic was more prevalent than Comment Spamming. A full anatomy of BLAs is described in this report.
  • The geographic origin of Business Logic attacks were:
    • Email extraction was dominated by hosts based in African countries.
    • An unusual portion of the Comment-spamming activity was observed from eastern-European countries.

Tuesday, 31 January 2012

The group law on a circle

It's fairly well known that you can define a way to add points on an elliptic curve - defining a so-called "group law" for the points. It turns out that it's not too hard to do the same thing for a circle. This shouldn't be too surprising: an elliptic curve is roughly the product of two circles, so we should expect the same structure on just a single circle. And as I previously mentioned, all quadratics are really just circles if we define our coordinates correctly, so we should even expect this idea to work on other conics than circles.

With a circle, it's easy to find an appropriate group law: given points P = e^{ia} and Q = e^{ib}, just define P + Q = e^{i(a+b)}. That corresponds to adding the angles of the two points. But if we think a bit more about what this means geometrically, it's easy to apply the same idea to adding points on parabolas or hyperbolas.

The slope of the line through P and Q is just

m = (sin b - sin a) / (cos b - cos a)

Now let's draw a line through (1,0) with a slope of m. This line is given by

y = m (x -1)

Substituting that into the equation of the circle

x^2 + y^2 = 1

we find that

x^2 + m^2 (x - 1)^2 = 1

or

(1 + m^2) x^2 - 2 m^2 x + m^2 - 1 = 0

One solution to this is obvious: x = 1.

Once we see that, we can factor out (x - 1) to get the other root: x = (m^2 - 1) / (m^2 + 1).

And if we then substitute the definition of m in terms of a and b and simplify things a bit, we find that this other root is actually x = cos(a + b), so that the sum of the two points is (cos(a + b), sin(a + b)).

This leads to the following geometric way of thinking about the group law on a circle:

  1. Draw a line through the two points P and Q
  2. Draw the line with the same slope that passes through the point (1,0)
  3. Call the second point where that line intersects the circle the point P + Q.

And just like the point at infinity is the additive identity in an elliptic curve group, the point O = (1,0) is the additive identity in this case. (And just like with elliptic curves, there's nothing special about this point. Any other one would have worked just as well.)

What does this look like?

Here's a picture that shows what adding the points (3/5,4/5) and (-4/5,-3/5) to get (0,-1) looks like:

[image: Circle2]

Tomorrow: a picture of what doing this with points on a parabola looks like.
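The three-step construction above, carried out in exact rational arithmetic, as an added example (not code from these posts): the same routine handles the circle here, the parabola y = x^2 - 1 and the hyperbola x^2 - y^2 = 1 from the two later posts, and for the circle an independent check against the angle-addition formulas confirms the construction really is angle addition. The identity has to lie on the curve, so the parabola uses its vertex (0,-1); the general conic form A x^2 + B y^2 + C y + D = 0 and the function names are my choices.

```python
from fractions import Fraction as F
from typing import NamedTuple, Optional, Tuple

Point = Tuple[F, F]


def pt(x, y) -> Point:
    """Exact rational point; accepts ints, Fractions or strings such as "3/5"."""
    return (F(x), F(y))


class Conic(NamedTuple):
    """Curve A*x^2 + B*y^2 + C*y + D = 0. This covers the circle, the parabola
    and the hyperbola used in these posts (no x*y or linear-x terms needed)."""
    A: F
    B: F
    C: F
    D: F

    def contains(self, P: Point) -> bool:
        x, y = P
        return self.A * x * x + self.B * y * y + self.C * y + self.D == 0

    def tangent_slope(self, P: Point) -> Optional[F]:
        """Implicit differentiation: 2A x + (2B y + C) y' = 0; None means vertical."""
        x, y = P
        denom = 2 * self.B * y + self.C
        return None if denom == 0 else -2 * self.A * x / denom


CIRCLE = Conic(F(1), F(1), F(0), F(-1))      # x^2 + y^2 = 1
PARABOLA = Conic(F(1), F(0), F(-1), F(-1))   # y = x^2 - 1
HYPERBOLA = Conic(F(1), F(-1), F(0), F(-1))  # x^2 - y^2 = 1


def chord_slope(curve: Conic, P: Point, Q: Point) -> Optional[F]:
    """Step 1: slope of the line through P and Q (the tangent when P == Q).
    None stands for a vertical line."""
    if P == Q:
        return curve.tangent_slope(P)
    if P[0] == Q[0]:
        return None
    return (Q[1] - P[1]) / (Q[0] - P[0])


def second_intersection(curve: Conic, O: Point, m: Optional[F]) -> Optional[Point]:
    """Steps 2 and 3: the line through O with slope m meets the curve at O and
    at one more point, found from the quadratic's root sum (Vieta) since O is a
    known root. None when the line meets the curve only once (a line parallel
    to a hyperbola asymptote, or a vertical line on the parabola)."""
    A, B, C, D = curve
    x0, y0 = O
    if m is None:  # vertical line x = x0: B y^2 + C y + (A x0^2 + D) = 0, roots sum to -C/B
        if B == 0:
            return None
        return (x0, -C / B - y0)
    k = y0 - m * x0            # line y = m x + k
    lead = A + B * m * m       # leading coefficient after substituting the line
    if lead == 0:
        return None
    # (A + B m^2) x^2 + (2 B m k + C m) x + (B k^2 + C k + D) = 0 has root x0.
    x1 = -(2 * B * m * k + C * m) / lead - x0
    return (x1, m * x1 + k)


def add(curve: Conic, O: Point, P: Point, Q: Point) -> Optional[Point]:
    """P + Q with identity O, by the chord-and-parallel construction."""
    for R in (O, P, Q):
        if not curve.contains(R):
            raise ValueError(f"{R} is not on the curve")
    return second_intersection(curve, O, chord_slope(curve, P, Q))


def angle_sum(P: Point, Q: Point) -> Point:
    """Independent check for the circle: with P = (cos a, sin a) and
    Q = (cos b, sin b), the addition formulas give (cos(a+b), sin(a+b))."""
    (ca, sa), (cb, sb) = P, Q
    return (ca * cb - sa * sb, sa * cb + ca * sb)


if __name__ == "__main__":
    O = pt(1, 0)
    print("circle   :", add(CIRCLE, O, pt("3/5", "4/5"), pt("-4/5", "-3/5")))      # (0, -1)
    print("parabola :", add(PARABOLA, pt(0, -1), pt(-1, 0), pt(2, 3)))             # (1, 0)
    print("hyperbola:", add(HYPERBOLA, O, pt("5/4", "3/4"), pt("-5/4", "-3/4")))   # (-17/8, -15/8)
```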

Government workers are indeed overpaid

I just came across an interesting study by the Congressional Budget Office. According to the CBO, it looks like most government employees are indeed paid too much. Oddly enough, the amount of being overpaid seems to be inversely related to education - the less education government employees have, the more they're overpaid.

Government employees with no more than a high-school education make about 21 percent more in wages alone than their private-sector counterparts and a full 72 percent more in benefits. On the high end, however, people with professional degrees and PhDs actually make less working for the government than they would in the private sector: 23 percent less in wages alone and roughly the same level of benefits.

Perhaps this explains, at least in part, how recent research (PDF) has shown that the government actually has no problem at all in finding qualified information security workers.

Monday, 30 January 2012

The fundamental theorem of calculus

dF(x) / dx ≈ ΔF(x) / Δx

= (f(x) Δx) / Δx

= f(x)

[image: Slide1]

[image: Slide2]

[image: Slide3]

Obvious, isn't it?

Friday, 27 January 2012

Too Random

I was playing cards (a variant of Gin Rummy) with some people recently. When it was my turn to shuffle, I would try to do a very good job of it. I wanted the cards to be well-randomized.

We all noticed that when I shuffled, it took longer for someone to win the round. We assumed that the more random the cards, the harder it would be to get triplets or straights. You see, after a round, when we collected the cards, they were bunched together (people had laid down triplets and straights, the cards in their hands were collected in partial groups). Before the shuffle, they were not random. So a quick shuffle meant, obviously, that there was less randomizing, the bunches tended to stay together just a bit more for the next round. A card in play was more likely to have a "partner" card in play nearby. And more likely to be only 2 or 3 cards away, which is what was needed for the same person to get both cards on the deal.

OK, there's nothing radical about this analysis. But what was interesting for me was that one of the players started asking me to shuffle less. She won more with fewer shuffles. My guess is that there are two overall strategies, play as if the deck is random and play as if it is not. She had learned (maybe subconsciously) how to play with a strategy of non-random cards and this was successful whenever she played. However, that strategy did not work with more random cards.

Thursday, 26 January 2012

Disappearing domain names

According to the information at dailychanges.com, the number of domain names actually decreased recently. The most recent data shows that although there were over 77,000 new domain names registered on January 23, 2012, there were also over 85,000 domain names deleted. That's something that I hadn't seen before. And I wouldn't be too surprised if this actually changes from day to day and isn't part of a bigger trend.

Wednesday, 25 January 2012

Symbian still number one

According to the data from statcounter.com, the Symbian operating system is still more popular than the ones that we hear about in the news so much: iOS and Android. That might change in a year or so, however.

[image: StatCounter mobile OS share, worldwide, monthly, December 2010 to December 2011 (bar chart)]

That probably explains why most attacks on mobile devices target Symbian, doesn't it?

Tuesday, 24 January 2012

Is there really no innovation in information security?

According to a recent article on the CSO magazine web site, there's not enough innovation in the information security industry to let businesses keep up with the ever-changing threats that they face.

Is this really true?

Voltage has created an innovation or two, and because that's the sort of stuff that I see on a day-to-day basis, my first thought was that this can't possibly be true. After all, if we're doing it, others must be doing it too.

But then I remembered going to last year's RSA Conference and how unimpressed I was by what vendors were offering. I didn't really see much that I thought was innovative. (No, a CEO claiming that the next 12 months are going to be "the year of PKI" doesn't count as the sort of innovation that we're interested in here.)

This year's conference isn't too far off. It starts at the end of next month, and this year I'll be looking at what I see at it in terms of checking whether or not the claim that there's not enough innovation in the industry is true. I hope that I'll see some good counterexamples, but I'm really not expecting to.

Monday, 23 January 2012

An interesting comment in US v. Jones

The recent Supreme Court opinion (PDF) in US v. Jones had an interesting comment that's particularly relevant to how the relationship between privacy and the Internet will develop in the future.

In case you've forgotten, this particular case related to the government's right to place a GPS tracking device on someone's car. The court ruled that this particular use of the technology was indeed an infringement of the person's Fourth Amendment rights, which was an interesting ruling. But here's what Justice Sotomayor said that I found particularly notable:

More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith, 442 U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers.

I'd say that that's a good idea, and one that definitely needs to be considered more carefully by the courts.

Intersections of lines from adding points on an elliptic curve

I was playing with a graphing program this morning and tried graphing an elliptic curve and all of the lines that you'd use to add the points on the curve with integer coordinates using the chord-and-tangent method of addition. Here's what I got for the elliptic curve y^2 = x^3 + 1.

There must be something interesting that you can state and prove about the intersections of those lines.

[image: Graph2]

Friday, 20 January 2012

Weird risk stories from 2011

There's an interesting article at the allbusiness.com web site that talks about some unusual risks that appeared in 2011. Here's one of the incidents that this article describes:

Newspaper Burned by Exploding Donuts

Apparently crazy court decisions are not solely an American invention. A Chilean newspaper, La Tercera, was recently ordered to pay $163,000 US to 13 people who suffered burns after the churros they were cooking exploded. The court agreed that the temperature listed in the paper’s recipe was too hot, which caused the dough to explode.

The plaintiffs won’t be rolling in dough, but this is a very unique legal theory. I wonder if U.S. newspapers will discontinue printing recipes to mitigate their risk.

Thursday, 19 January 2012

President's Challenge hacked

It looks like the President's Challenge web site has been hacked and users' data stolen. Here's what the email to users of the site said:

We are writing to inform you about a security issue involving the President’s Challenge website [www.presidentschallenge.org]. 

Hackers recently accessed our database, which included personal information such as your username, password, security question and answer, email address, date of birth, city and state, and, if you provided it, your name. The hackers were also able to access data such as your logged activities, your nutrition goals, what groups you are in, and messages you had sent and received within the online tracker. 

After we learned about the attack, we quickly took down the President’s Challenge website on January 11 and began the process of determining what information the hackers accessed and how it may affect you. We also contacted law enforcement to alert them to the hackers’ illegal activity.

Please note that we do not keep credit card numbers or Social Security numbers for users of our online tracker and shop. Regardless, we are alerting you so you can change your login information on any website where you might have used the same or similar username and/or password, and so you can generally monitor your personal and financial information.

We are in the process of securing the President’s Challenge website, and we expect to bring it back online within the next few days. Before you log in, you will be prompted to reset your password. You will then be able to log your activities and, for PALA+ users, your nutrition goals for the past three weeks. All of your previously logged activities and nutrition goals are still stored in the database.

We are sincerely sorry for this situation and any inconvenience or concern it causes you. We take your privacy very seriously. Before the attack, our website was routinely reviewed for security flaws. We are currently reviewing our security practices to make them even stronger and to reduce the probability of a future breach.

I haven't heard how many users were affected by this breach. The President's Challenge is somewhat popular with Boy Scouts, who can get some sort of recognition for completing it, so there may actually be lots of people affected by this breach, including lots of children.

XTS in Cryptologia

It looks like the article on the XTS mode of AES finally made its way into Cryptologia. If you don't subscribe to Cryptologia, you can get a copy of the article here, although you'll have to pay either $58 for the entire issue that it's in or $43 for the single article. Either price seems a bit high to me.

Wednesday, 18 January 2012

The Programmer's Analog to Chewing Tobacco

If you've ever watched baseball, you know that many baseball players use chewing tobacco. It gives them no competitive advantage, as steroids or other drugs do, so why do it? Because they're addicted. So why did they start in the first place? Because when they were kids they saw professional baseball players chewing tobacco.

Kids are stupid, sure, but I think there's something else to it. Kids like to get the "Big League" feeling. They see what goes on in the big leagues, then copy it so that while playing in the junior leagues, for a moment they're living a fantasy of being in the majors.

This happens to adults, as well, I think. I used to play in an intramural basketball league. I chose the least competitive league there was. Yet every so often someone would do the little cheating things you see in the NBA. For example, someone might surreptitiously grab the shirt of an opponent during a free throw or foul hard on a breakaway layup to prevent the two points.

People like this know they aren't in the big leagues, but I think this is an opportunity to pretend a little. To live out the fantasy, if only on a very small scale.

I think programmers are susceptible to this as well. It's not quite the same, but it's there. I think one image that young, inexperienced programmers have is that of the master who cranks out a program in just a few seconds or minutes. I think that many programmers see themselves as masters and enjoy writing something in a very short time. I think this image comes from the programming culture and Hollywood.

So some programmers get into the habit of getting a program written and running in just a short amount of time. It's like being in the big leagues. A problem is stated and then after just a few minutes, the solution is done. "Man I'm good!"

Sometimes the quick program is fine, but I think this sort of thinking bleeds into the regular programming tasks. I think this desire to quickly do some programming tasks leads to bad code in general.

Sure, many programming jobs take hours, days, or weeks, but like chewing tobacco, the habit of cranking out something very quickly becomes part of the day-to-day mindset.  

Even though a plan might call for a feature to be added in the next release 4 months away, some of the coding will be done quickly. Not because there is a time limit of minutes or hours, but because the habit is there. No documentation, no comments, single-character variable names, no attention to detail, no attention to aesthetics, no attention to efficiency, no thought of generalizations, no thought to expansion or portability or maintainability. This is what happens when you have no time to get the job done, when the deadline is minutes away.

So if you have time to do it right, why is there code with no documentation, no comments, single-character variable names, and so on? Because programmers get into bad habits from trying to emulate the image of the master who can crank out the code in record time.

Tuesday, 17 January 2012

What is i^i?

What is $i^i$? That's easy enough to figure out. What's slightly more difficult to understand is why I get asked questions like this. Something about giving answers, I suppose.

In any event, for any complex numbers $a$ and $b$ we have that

$$a^b = e^{b \log a}$$

And for any complex $z$ we have that

$$\log z = \ln |z| + i \arg z$$

So that

$$\log i = \ln 1 + i \left(\frac{\pi}{2} + 2n\pi\right) = i \left(\frac{\pi}{2} + 2n\pi\right)$$

So that we have that

$$i^i = e^{\,i \cdot i \left(\frac{\pi}{2} + 2n\pi\right)} = e^{-\pi/2}\, e^{-2n\pi}$$

For the principal branch of the logarithm ($n = 0$), this just reduces to

$$i^i = e^{-\pi/2} \approx 0.20788$$

but even in the cases where $n \neq 0$ we still always have that $i^i$ is a real number. In fact, if we plot the values of $i^i$ for $-2 \le n \le 2$, here's what we get.

[Plot: values of $i^i$ for $-2 \le n \le 2$]

So in addition to having the principal value of $e^{-\pi/2}$, we can also make $i^i$ either as big as we want to (by taking $n \ll 0$) or as close to 0 as we want (by taking $n \gg 0$), but in any case, it's still always a real number.
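As an added example (my code, not part of the original post), here is the derivation above carried out numerically: the complex log is evaluated on an arbitrary branch n, a^b is computed as exp(b log a) on that branch, and i^i is checked against the closed form e^(-π/2) e^(-2nπ). It goes slightly beyond the post by handling any base and exponent, which also shows why Python's own `1j ** 1j` only ever gives the principal value.

```python
import cmath
import math


def log_branch(z: complex, n: int = 0) -> complex:
    """Branch n of the complex logarithm: ln|z| + i(arg z + 2*n*pi).

    n = 0 is the principal branch, which is what cmath.log returns.
    """
    if z == 0:
        raise ValueError("log(0) is undefined")
    return complex(math.log(abs(z)), cmath.phase(z) + 2 * n * math.pi)


def pow_branch(a: complex, b: complex, n: int = 0) -> complex:
    """a**b defined as exp(b * log a), with log a taken on branch n."""
    return cmath.exp(b * log_branch(a, n))


def i_to_the_i(n: int = 0) -> complex:
    """The value of i^i on branch n of the logarithm."""
    return pow_branch(1j, 1j, n)


def closed_form(n: int = 0) -> float:
    """e^(-pi/2) * e^(-2*n*pi), the closed form derived in the post."""
    return math.exp(-math.pi / 2 - 2 * n * math.pi)


def is_real(z: complex, tol: float = 1e-12) -> bool:
    """True when the imaginary part is negligible relative to the real part."""
    return abs(z.imag) <= tol * max(1.0, abs(z.real))


if __name__ == "__main__":
    for n in range(-2, 3):
        v = i_to_the_i(n)
        print(f"n={n:+d}: i^i = {v.real:.6g} (imag {v.imag:.1e}), "
              f"closed form {closed_form(n):.6g}")
    # The ** operator has no branch parameter, so it only gives n = 0.
    print("1j ** 1j =", 1j ** 1j)
    # Same machinery on a different base: (-1)^(1/2) is i on the
    # principal branch and -i on the next one.
    print("(-1)^(1/2):", pow_branch(-1, 0.5, 0), pow_branch(-1, 0.5, 1))
```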
