Books

Wednesday, 04 January 2012

The Navigator from Computer Parables

I was just looking through my old copy of Computer Parables. Even though this book was published in 1989, well before the dot-com era, it seemed to understand what the Internet would one day become:

"A programmer once built a vast database containing all the literature, facts, figures, and data in the world. Then he built an advanced querying system that linked that knowledge together, allowing him to wander through the database at will. Satisfied and pleased, he sat down before his computer to enjoy the fruits of his labor.

After three minutes, the programmer had a headache. After three hours, the programmer felt ill. After three days, the programmer destroyed his database. When asked why, he replied: “That system put the world at my fingertips. I could go anywhere, see anything. Because I was no longer limited by external conditions, I had no excuse for not knowing everything there is to know. I could neither sleep nor eat. All I could do was wander through the database. Now I can rest.”

Looking back at the dot-com era, it might be no coincidence that this parable was called "The Navigator."

Monday, 21 November 2011

The Cthulhu Encryption

It looks like there's a book out called The Cthulhu Encryption. Here's the publisher's description of it:

The Shoggoths attack: "They had been so horrible before that I dare not say that they were any MORE horrible when they came again.... They were still unspeakable, still unthinkable--but whether I could speak or think of them or not, they were HERE." Auguste Dupin is one of the few persons who can identify the rare Cthulhu Encryption etched in the flesh of a dying woman. The Comte de Saint-Germain owns a companion cryptogram that he believes is the key to finding a fabulous treasure buried by the pirate Levasseur. Harassed by Shoggoths and tracked by Saint-Germain, Dupin must find the key to the complex puzzle. Can the might of Cthulhu be held at bay? And even if he finds an answer, can he and his friends escape with their lives? A riveting horror novel.

The author, Brian Stableford, is apparently an established science-fiction author, but I have to say that I'm very skeptical of anything related to H. P. Lovecraft's Cthulhu mythos. When it comes to that particular sub-genre, Sturgeon was an optimist: it seems to attract the worst writing that people are capable of. So unless I find someone who's actually read this book who can vouch for its quality, this is one that I probably won't be reading. Even if it does contain both supernatural elements and encryption.

Monday, 07 November 2011

The OB-PRNG?

In a previous post, I described how to use the ever-changing structure of large organizations to create a good source of random numbers. One obvious abbreviation for this approach is "OB-PRNG," for "organization-based pseudo-random number generation."

If you're a fan of Brian Keene's zombie stories, you might find the reference to Ob particularly appropriate in the context of working for large organizations. If you're not a fan, Ob is the powerful supernatural being that's behind the world being destroyed by zombies in The Rising.

Monday, 31 October 2011

Recent zombie research

[Image: Zombies]

The fact that "When Zombies Attack!: Mathematical Modelling of an Outbreak of a Zombie Infection" was recently published in Infectious Disease Modelling Progress seems to tell us that zombies are good for more than just entertainment. Here's the abstract of this paper, which should give you a good idea whether or not you'd be interested in reading the full version:

Zombies are a popular figure in pop culture/entertainment and they are usually portrayed as being brought about through an outbreak or epidemic. Consequently, we model a zombie attack, using biological assumptions based on popular zombie movies. We introduce a basic model for zombie infection, determine equilibria and their stability, and illustrate the outcome with numerical solutions. We then refine the model to introduce a latent period of zombification, whereby humans are infected, but not infectious, before becoming undead. We then modify the model to include the effects of possible quarantine or a cure. Finally, we examine the impact of regular, impulsive reductions in the number of zombies and derive conditions under which eradication can occur. We show that only quick, aggressive attacks can stave off the doomsday scenario: the collapse of society as zombies overtake us all.

This paper even includes MATLAB code that finds solutions to the system of ODEs that the paper proposes for modelling zombie outbreaks, so you can try different parameters and see how they affect the chances of the human race surviving.

And it turns out that this particular model has been cited elsewhere. It's an example used in Numerical Methods for Ordinary Differential Equations and it was also referenced in Theories of International Politics and Zombies and What's So Austrian about Austrian Economics? as well as in The Proper Care and Feeding of Zombies: A Completely Scientific Guide to the Undead, The Open Laboratory 2009 and the Proceedings of the 5th International 2010 Fun with Algorithms Conference.

That's a lot of exposure for a paper about zombies.

Monday, 24 October 2011

The distribution of letters in Neverwhere

Suppose that you're a cryptanalyst. To do your job of cracking encryption, it's very useful to know what the underlying plaintext looks like. In English, for example, the letter "e" occurs more often than any other letter, and you can often make good use of that fact if you're trying to crack some encryption schemes. There are estimates for how frequently the letters of the alphabet appear in English words, but do those estimates hold in just a few cases, or are they fairly good in most cases?

I recently came across my electronic copy of Neil Gaiman's Neverwhere, which, if my shell script worked correctly, has the following distribution of letters in it:

[Chart: Neverwhere1]

That's not too far from what you'd expect from English words, which is something like this:

[Chart: Distribution]

And here's what the two distributions look like side by side. There doesn't seem to be much difference between them. The extra occurrences of the letters "d" and "h" in Neverwhere are probably from the frequent uses of the name of the protagonist (Richard).

[Chart: Comparison]

I'll have to try a few more examples some day to see how much the source of the words affects the distribution. I seem to recall that the "usual" distribution for English letters is based on text from some newspaper (perhaps the New York Times?), and it's actually a bit surprising that we see roughly the same distribution in a work of fiction like Neverwhere. (OK, newspapers can also be works of fiction, but most people don't think of them as being that way.)
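The count the post describes, as an added example in Python rather than the post's own shell script (which is not on the page). The reference table is the commonly quoted set of approximate English letter frequencies, an assumption rather than the figures behind the post's charts, and the sample text is constructed for the example, not taken from Neverwhere. It also carries the cryptanalyst's use of the count one step further: the same comparison against the reference distribution picks out the shift of a simple Caesar-style substitution.

```python
"""Letter-frequency analysis of the kind the post describes, plus the classic
use of a reference English distribution to recover a simple shift cipher."""
from collections import Counter
import string

# Commonly quoted approximate letter frequencies (percent) for English prose.
# Assumed reference values; not the figures from the post's charts.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}

# Constructed sample text (not from Neverwhere), long enough to show the pattern.
SAMPLE = (
    "Every reader of science fiction remembers the feeling of seeing a new idea "
    "for the very first time. We expect these stories to be clever, and we are "
    "seldom disappointed. Even when the plot seems thin, the characters keep us "
    "reading, and the best writers leave us wondering where the genre will go "
    "next. Some readers prefer mysteries, where every clue is a piece of "
    "evidence and every detail matters."
)


def letter_counts(text):
    """Count a-z in text, folding case and ignoring everything else."""
    return Counter(ch for ch in text.lower() if ch in string.ascii_lowercase)


def letter_distribution(text):
    """Fraction of each letter a-z in text (all zeros for text with no letters)."""
    counts = letter_counts(text)
    total = sum(counts.values())
    return {c: (counts[c] / total if total else 0.0) for c in string.ascii_lowercase}


def reference_distribution(ref=ENGLISH_FREQ):
    """Normalise the percent table so it sums to 1 like letter_distribution()."""
    total = sum(ref.values())
    return {c: ref[c] / total for c in string.ascii_lowercase}


def total_variation(p, q):
    """Distance between two letter distributions: 0 identical, 1 disjoint."""
    return 0.5 * sum(abs(p[c] - q[c]) for c in string.ascii_lowercase)


def ranked_letters(dist, n=5):
    """The n most frequent letters, most frequent first (ties broken alphabetically)."""
    return [c for c, _ in sorted(dist.items(), key=lambda kv: (-kv[1], kv[0]))[:n]]


def shift_text(text, k):
    """Caesar-shift ASCII letters by k positions, preserving case and non-letters."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text, ref=None):
    """How badly the letter counts of text fit the reference; lower is more English-like.
    Mass landing on rare letters (j, q, x, z) is penalised heavily, which is what
    makes this statistic robust for telling shifts apart."""
    ref = ref or reference_distribution()
    counts = letter_counts(text)
    n = sum(counts.values())
    if n == 0:
        return float("inf")
    return sum((counts[c] - n * ref[c]) ** 2 / (n * ref[c]) for c in string.ascii_lowercase)


def recover_shift(ciphertext):
    """Pick the shift whose undoing gives the most English-looking letter counts."""
    return min(range(26), key=lambda k: chi_squared(shift_text(ciphertext, -k)))


if __name__ == "__main__":
    dist = letter_distribution(SAMPLE)
    print("top letters:", ranked_letters(dist))
    print("distance from reference English: %.3f"
          % total_variation(dist, reference_distribution()))
    print("recovered shift:", recover_shift(shift_text(SAMPLE, 7)))
```

The total-variation distance is the single number behind the post's "not too far from what you'd expect" judgement; the chi-squared score is what you would actually use to compare candidate keys, because it punishes a shift that dumps common letters onto the rare ones far more than a plain sum of differences does.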

Tuesday, 18 October 2011

Engineering Security

[Image: Gutmann]

Peter Gutmann's book Engineering Security (PDF) is one of the best single books that I've found on the topic of information security. It collects all sorts of information that's both useful and interesting, and it seems to be the only place where this type of information is collected. If you read a chapter of this book, you're able to amaze and astound people with the fascinating information security knowledge that you have.

My memory's not as good as it used to be, so for me, this effect wears off after a couple of weeks. But for those couple of weeks, I look much smarter than I really am.

I don't know if this book has found a publisher yet, but it's definitely the sort of book that deserves to be printed.

Friday, 08 July 2011

Visual group theory

Nathan Carter's book Visual Group Theory tries to help you understand group theory through a set of pictures. Some of these made sense to me while others didn't. Here's the illustration of the structure of dihedral groups from a presentation that Carter gave before the book was available. That seems to show their structure in a very useful way.

[Image: Dihedral]

Carter's book runs 297 pages, many of which are illustrations like this one. It's a book that I would have found very useful back when I was taking classes in group theory. It would have definitely helped to make some concepts clearer. If you're interested in group theory, this is probably a book that you'll want to have a copy of.

Carter has also developed software that lets you create visualizations of groups. This is Group Explorer, and it's something that I wish I had time to actually try. Maybe I'll do that on Voltage's next Jack Bauer Day.

Friday, 17 June 2011

More visualization of text

It's Friday, and I had so much fun using Many Eyes yesterday that I spent a few minutes this morning using it to create visualizations of a few works of literature. Some are probably better known than others.

Here's Animal Farm by George Orwell.

[Image: Animal]

Here's The Call of Cthulhu by H. P. Lovecraft.

[Image: Cthulhu]

Here's The Phoenix on the Sword by Robert E. Howard.

[Image: Phoenix]

Here's The Raven by Edgar Allan Poe.

[Image: Raven]

I suspect that I'll find this to be a very useful tool in the future.

Tuesday, 31 May 2011

Crypto in Literature

Crypto appears in literature every so often; it's not a rare occurrence. Recently I ran into an instance in a book I can recommend. It's "Fatal Lies" by Frank Tallis.

This book is the third in a series of murder mysteries that take place in Vienna, Austria at the turn of the 20th century. The heroes are Dr. Max Liebermann, a psychiatrist with the General Hospital of Vienna, and Detective Oskar Reinhardt of the Austrian Security Office. In "Fatal Lies" a boy is found dead at a military school. In the investigation, Reinhardt examines the boy's lesson books (books in which the student writes assignments), and finds an odd series of numbers in the margins of the math book. The numbers appear to have been written by the teacher.

Reinhardt thinks this might be a code, so he hands the number list to a couple of people who try to crack it. They have no luck. Eventually, Dr. Liebermann figures it out.

If you have experience in crypto, you'll probably recognize immediately what the cipher is. I have left out the important detail that makes it easy to see. I won't divulge it here in case you want to read it. As you read more, it becomes obvious how to crack it. If you don't have experience in crypto, the solution is probably not so obvious. The numbers themselves are never given, so the reader has no way of actually breaking the code.

So if you want to test your crypto knowledge, or just want to see if you have the mind of a cryptanalyst, try this book.

I liked that the crypto was real, yet was believable given the characters. My only quibble is that a particular character (another member of the Security Office) didn't figure out the cipher. Yes, it was 1900, so he would not have had the same amount of crypto research available today, but he would certainly have had the knowledge to break the given code (even in 1900 it was not exactly a new cipher).

But one great thing about the book's use of the cipher was that the plot did not hinge on breaking the code. The protagonists were able to solve the mystery without knowing what the coded messages were. In fact, they guessed (correctly, as it turned out) what the contents would be in general before cracking it. What was great, I thought, was that the mere fact that the math teacher was communicating with the boy in code was significant evidence. When they did crack it, it was confirmation.

Why do I like that? Because it makes for a more well-rounded murder mystery when there is not one single thing that is the overwhelming key to the solution. I also like that the author represented the idea that if criminals use crypto to do bad things, it's not necessary for law enforcement to break the code to put them away. There will be other evidence. I think there are misconceptions about crypto and its power to aid the lawbreakers. So this is one more cultural nudge towards the notion that encryption won't be a foolproof way to protect the criminals.

Thursday, 19 May 2011

The end of books is coming

Earlier today, Amazon announced that ebooks for their Kindle are now outselling printed books by about 105 to 100. The end of printed books is coming even faster than I had anticipated.

Friday, 11 February 2011

The demise of books

[Photo: IMG00001-20101123-1555]

Last year we saw two milestones in e-publishing. In July, Amazon announced that e-books were outselling hardback books. Three months later, in October, they announced that e-books were outselling all printed books. Before too long, the number of printed books will probably drop dramatically, essentially disappearing for good as consumers lose interest in them. This has already happened to small presses, many of which have lowered print runs of books from the 500 that they could sell a few years ago down to 100 or less today.

I find this a bit distressing, mainly because I collect books. But it also seems that the disappearance of printed books could be the first step towards the dystopian future that George Orwell described in 1984.

In particular, once information is digital instead of physical, it's much easier for a real-world equivalent of the Ministry of Truth to change history, or even the record of other facts, to fit their political needs. It would probably be difficult to change all electronic records, but in the Internet age you probably wouldn't need to change them all. Create a few faked references that look authentic, link to them on Wikipedia, and you're probably well on the way to altering the truth.

I can't find the exact quote, but I believe it was Cyril Connolly who once said (roughly) that our libraries were not only our self-portraits, but also memorials to the person we would like to be. So if our libraries are becoming digital, that might tell us something about both how we see ourselves and what we'd like to become in the future, and I'm not sure that I like what that may tell us.

Monday, 27 December 2010

Merry Christmas to me

For Christmas this year I got a Klein bottle. Cliff Stoll, the same Cliff Stoll who described tracking down the hacker that had penetrated his system in The Cuckoo's Egg, now runs a business selling Klein bottles. (Cliff doesn't actually sell Klein bottles, of course. Instead he sells immersions of them into three-dimensional space, but that's probably close enough for most people.) Here's Cliff modelling the Klein bottle that I got this year:

[Photo: DSCN1931]

Tuesday, 21 December 2010

The benefits of giving things away

Unless Christmas is approaching (like it is now), whenever you see something being given away, you should always ask yourself why it's being done. The free stuff that you get at trade shows, for example, is meant to make you feel good about the company whose name is on the free stuff. It's also meant to increase brand awareness. That can happen when your coworkers stop by your desk to try out the Yoyodyne Propulsion Systems-branded stress reducing toy that you brought back with you from that trade show in Las Vegas and end up noticing the Yoyodyne Propulsion Systems logo on it.

That's a cool toy, they might think, I'd better go buy a few million dollars of software from those guys, not realizing that Yoyodyne is really just a front for a group of Red Lectroids who all have "John" for their first name. Free t-shirts do the same thing.

So why does Baen Books give away so many free ebooks? They're certainly not doing it to reduce their sales, are they? They've been doing it for quite a while, so they must think that they're getting a good return on giving ebooks away.

It turns out that most books that are sold are sold in the first 90 days or so that a book is in print. After that, the sales taper off quickly. But Baen has found that by giving away free ebooks of the first book in a series, people who find that they like the book often go out and buy a printed copy of it. And then they often buy printed copies of the other books in the same series too, thereby increasing the sales of books that have been out a while from next to nothing to a significant level. The result has been a significant increase in their sales.

But Baen also puts CDs in some of their hardback books that contain freely-distributable, DRM-free copies of lots of their books. You can find copies of these CDs here, for example, and it's not easy to count how many books they've given away like that because they've given away so many of them. So why would they give away an entire series? Do they expect people to go out and buy printed copies of the whole series? Or is there another reason?

There are way too many books published these days for any one person to keep track of. Because of this, you need to find an easy way to reduce the number of books that you look at from the hundreds of thousands that are published down to a few that you might actually be interested in. Finding an author whose style you tend to like is a good way to do this, and I suspect that's why Baen gives away entire CDs of free ebooks: if you find that you like the work of a particular author, you're more likely to buy printed copies of that author's books the next time you're in a bookstore.

And by giving away free ebooks, Baen has definitely made lots of friends who would have only been customers otherwise. When I recently bought a Kindle I started looking at what sort of ebooks are available and soon came across the CDs of free ebooks that Baen gives away. I don't know how Baen accounts for the good will that giving those CDs away creates, but just based on my single data point (me), I'd guess that the good will that they gain is well worth the lost sales that the CDs cause.

Tuesday, 14 December 2010

On Cyber War

In his recent talk "Cyber Warfare: Addressing the Challenge," Nick Harvey, the UK's Minister of State for the Armed Forces, was referring to Carl von Clausewitz's classic book On War when he said the following:

We must apply the same kind of logic Clausewitz applied to the conditions of his age, when looking to formulate approaches to the conditions of our age.

As Clausewitz showed, while the essential nature of conflict is unchanging, its character moves with the times.

Harvey seemed to say that the existing framework that we have for waging wars and deterring wars will also work for future cyber wars, and he used a quote from Clausewitz to support this. I'm not sure that I agree with this, but Harvey's quoting of Clausewitz made me think for a minute or two about the nature of cyber wars and how they'll be either similar to or different from more traditional ones.

In any case, there seems to be an interesting contrast between what led Clausewitz to write On War and today's cyber-warfare. In particular, one of the things that seemed to motivate Clausewitz to understand war was seeing how Napoleon's innovations were fairly unconnected with the technology and tactics used to wage war. Instead, they were more around the intangibles like morale and motivation.

On the other hand, it seems that cyber-warfare doesn't quite follow this same pattern: when it comes to cyber wars, innovative technologies may actually be more important than the motivations of the people using the technologies. So maybe we need a more modern book, On Cyber War, that will try to find fundamental principles that explain cyber war. There certainly seem to be enough differences to fill an entire book.

Thursday, 18 November 2010

No, here's a better one

Not long after I noted what I thought was an unnecessary amount of hype in an article about a hacker using cloud computing to do a dictionary attack against short passwords, an alert reader pointed me to what he claimed was an even worse headline in a different news story. This one's about the work at CERN that just produced 38 atoms of anti-hydrogen that lasted for about 100 milliseconds.

This is very impressive work, but the headline "Antimatter Breakthrough Could Lead to Starships, Says Scientist" doesn't seem to really reflect the importance of CERN's success, or even give you an idea of what CERN actually did. It's almost like covering the story about scientists creating gold by bombarding mercury with neutrons, like they did back in 1941, and using the headline "Scientists Create Gold in Laboratory - Gold-based Currencies May Collapse and Cause the End of the World As We Know It."

It might be rambling too far off-topic, but these attempts to make things sound more important than they really are remind me of the part of Moby Dick where Ishmael talks about how his plan to sign on as a sailor on a whaling ship might be recorded along with the bigger stories of the day:

And, doubtless, my going on this whaling voyage, formed part of the grand programme of Providence that was drawn up a long time ago. It came in as a sort of brief interlude and solo between more extensive performances. I take it that this part of the bill must have run something like this:

"GRAND CONTESTED ELECTION FOR THE PRESIDENCY OF THE UNITED STATES."

"WHALING VOYAGE BY ONE ISHMAEL."

"BLOODY BATTLE IN AFGHANISTAN."

(OK, maybe it's definitely too much off topic, but I suffered through all of those terribly inaccurate chapters about the natural history of whales in Moby Dick and I need some way to make sure that all of that time wasn't totally wasted. Understanding quotes from Moby Dick in Star Trek II: The Wrath of Khan wasn't enough to make reading those chapters worth the effort. Maybe it's paid off now.)

In any event, the headline for CERN's press release, "Antimatter atoms produced and trapped at CERN" seems to be perfectly adequate. I'd even say that it's better than the one that you can tell isn't really going to be an accurate reflection of the story that follows.

Tuesday, 09 November 2010

Ebooks meet social networking

I ended up buying a Kindle recently because of a particularly long trip to the east coast of the US. I started printing out books for airplane reading a while ago and found that it worked fairly well. You can get all sorts of classic books for free at places like Project Gutenberg or Munseys, and what I'd do was print a book and then tear off and throw away the pages as I read them. For a trip from California to New York and back this works just fine, but if you're on a much longer trip then the pile of books that you're going to eventually throw away gets annoyingly big, and because of this I picked up a Kindle.

Once I had a Kindle I downloaded a few ebooks for it. I first tried the free ones that you can get from Amazon.com, but it turns out that those try to combine books with social networking. In particular, these ebooks show passages that others have marked as being notable, sort of a version of highlighter for an ebook. I found the combination extremely annoying and quickly moved on to other sources for free ebooks.

I found ebooks to be very useful and found the Kindle to be well worth its price, but the combination with social networking just didn't work for me.

Friday, 22 October 2010

A very specialized book

Cryptography is a very specialized field, which means that there probably aren't very many people who will buy and read books that cover advanced topics in the field. Apparently the market for some types of textiles doesn't suffer from the same limitation. I just noticed that the book The 2007 Report on Finished Weft Knit Fabrics Made of Broad Fabrics Measuring at Least 12 Inches Wide That Have Been Knit and Finished in the Same Establishment Excluding Hosiery: World Market Segmentation by City is available from Amazon.com.

Its price of $795 does seem to be a bit high, even if it does give you free shipping, but if you're really interested in the market for finished weft knit fabrics made of broad fabrics measuring at least 12 inches wide that have been knit and finished in the same establishment and aren't too interested in hosiery, there's probably no other book out there for you.

Thursday, 14 October 2010

Innovation in publishing

It looks like the fine people at Despair.com have come up with a truly innovative idea for a book: the Lose Your Own Adventure series. It's loosely based on the Choose Your Own Adventure books, a series of 185 paperbacks that were originally published by Bantam Books from 1979 to 1998 in which you decided the outcome of the story by choosing the protagonist's actions at critical decision points.

The Despair.com twist on this is apparently that you never end up solving the puzzle no matter what you do. The first book in this series, Who Killed John F. Kennedy? involves investigating Kennedy's assassination, for example, and no matter what you do, you end up not learning who actually killed Kennedy.

I'm not sure what they'll do for the second book in this series, but I'm certainly looking forward to seeing it.

Friday, 24 September 2010

Unicorn Pegasus Kitten

What do you get when you ask fantasy and science-fiction writers to tell a story based on a picture of someone who looks suspiciously like Wil Wheaton wearing a clown sweater and wielding a spear atop a unicorn-pegasus-kitten and attacking a green orc that looks suspiciously like John Scalzi? You get Clash of the Geeks, of course, a book that's actually free, although it's meant to get you to donate a few dollars to help the Lupus Alliance of America.

This book is actually absolutely hilarious. The last time that I laughed so loudly was when I recently reread some of P. G. Wodehouse's Jeeves stories. Or maybe it was Poetry for Cats. I'm not sure which one.

I can't really think of a connection to cryptography for this, but since it's Friday, maybe that's OK.

Friday, 17 September 2010

More popular than cryptography

I was recently talking to some coworkers about how arcane cryptography is and how it's inaccessible to non-specialists. In this discussion, someone made a comment something like, "It's not that small a niche, is it? It's not like it's something as specialized as romance novels that only feature NASCAR drivers."

A few hours later I received an email containing a link to Harlequin's NASCAR series, a series of romance novels that only feature NASCAR drivers.

Hmm.

There's already a series of comics that features cryptographers. Maybe it's time for a series of romance novels that do too.

Wednesday, 15 September 2010

The effects of e-books

It took the US Postal Service quite a while to admit that email was affecting their First Class Mail business. It looks like publishers are admitting that e-books are affecting their business much faster.

If you walk into any of the big bookstores these days you'll see a fair number of horror books, but that won't be the case for long. The Leisure Books imprint of Dorchester Publishing, the only line of horror books from a US publisher, is officially moving to an e-book model. They'll no longer be publishing mass-market paperbacks. That particular niche of the publishing market is essentially gone and it's unlikely to return any time soon.

It's hard enough to make a living by being a fiction writer. It looks like it's going to get even harder in the future.

Monday, 13 September 2010

The origin of future flame wars

In one of the standards groups that we participate in there's now a big flame war going on over the meaning of the definition of "encryption." This is a particularly frustrating flame war because it's essentially over a mathematical definition and the people who don't quite understand this particular definition seem to think that if they just state their totally incorrect position loudly enough or often enough that it will somehow become true. I don't quite understand how people can argue about math like this, but the more I see of my high-school-aged son's textbooks, the more I understand how things like this can happen.

His state-of-California-approved writing textbook, for example, has a list of things that you should keep in mind as you read the book. One of these is essentially "How does reading this book make you feel?" When I pointed this out to my son he said, "I guess that this book makes me feel that this class is going to be a complete waste of time." In this particular case, I can't say that I disagree with him.

But there are even similar things in his other textbooks. Even the math book. I didn't ask my son how that particular book makes him feel, but it certainly makes me feel that there will be more flame wars in the future that are caused by people who didn't manage to actually learn much in their math classes.

Wednesday, 01 September 2010

A novel idea in PKI

It looks like back in 2006 the determined people at Izenpe tried to get their root certificate added to the Mozilla browser. It took them four years to do this, and you can find the story of their adventure here.

At a bit over 14,000 words, this story should probably be called a novelette instead of a full novel, but that's probably not much of a consolation to the people at Izenpe.

Thursday, 26 August 2010

It's not just software

Software is notoriously behind schedule, but my experience with book publishers tells me that it's not just software that has this problem. Starting in 1999, for example, F. Paul Wilson wrote a series of five novellas about a future in which almost-human genetically-engineered beings called "Sims" exist and cause the usual moral complications and intrigue that you'd expect in a work of science-fiction. He eventually consolidated these novellas into a single novel which came out in 2003. The fifth of these novellas ended up being delayed for some reason and was actually just published this year, at least seven years after it was completed.

Just like there's usually a good reason why software is delayed, I'm sure that there's a perfectly good reason why the fifth Sims novella was delayed that long. I can't think of what it could possibly be, but it's sort of reassuring to see that big, unexpected delays aren't just something that you see with software.

Wednesday, 04 August 2010

What do digital certificates really mean?

What do digital certificates really mean? The best discussion of this may be the one that I recently read in Peter Gutmann's book Engineering Security. Here's how Peter describes this:

As a pure speech act, what a certificate is saying is that at some point some entity who may or may not be the one named in the certificate probably requested that another entity who may or may not be the one named elsewhere in the certificate took the public components of a private key that the first entity may or may not control and asked the second entity to sign it using a private key that they may or may not control. However once it’s gone through many, many layers of software this has changed to (for example) a statement that the user has definitely connected to a web site controlled by the named entity, and by the time it gets to the user it’s jumped even further to become an assurance that it’s safe to enter sensitive personal and financial information on the web site!

Tuesday, 03 August 2010

More wisdom from the CIA

There's another bit of information in the CIA's book Psychology of Intelligence Analysis that seems particularly relevant to information security. This concerns how much information people need to make good decisions. Here's what Chapter 5, "Do You Really Need More Information?" says about this:

Key findings from this research are:

  • Once an experienced analyst has the minimum information necessary to make an informed judgment, obtaining additional information generally does not improve the accuracy of his or her estimates. Additional information does, however, lead the analyst to become more confident in the judgment, to the point of overconfidence.
  • Experienced analysts have an imperfect understanding of what information they actually use in making judgments. They are unaware of the extent to which their judgments are determined by a few dominant factors, rather than by the systematic integration of all available information. Analysts actually use much less of the available information than they think they do.

So maybe it's the case that information security professionals don't need as much information as we might think they do to make informed decisions and that too much information can actually be harmful instead of beneficial when it comes to this. And if security professionals are really using only some of the available information to help them make these decisions, I'd be very interested to learn exactly what information they do use. Hundreds of marketing people probably would also.

Monday, 02 August 2010

Biases in estimating probabilities

Understanding how often security breaches happen is important to understanding how many resources to allocate to preventing them. This can be tricky because there's not much reliable data about how often security breaches happen. People also don't estimate probabilities very well, so in the absence of good data we're likely to make mistakes that can lead to either too much or too little being spent. This problem isn't limited to just information security, of course. It also complicates things any time we don't have good estimates of probabilities.

I recently came across an interesting discussion of this in a book by the CIA: Psychology of Intelligence Analysis. Here's the book's summary of its Chapter 12, "Biases in Estimating Probabilities," and these comments seem to apply to information security just as well as they apply to intelligence analysis:

In making rough probability judgments, people commonly depend upon one of several simplified rules of thumb that greatly ease the burden of decision. Using the "availability" rule, people judge the probability of an event by the ease with which they can imagine relevant instances of similar events or the number of such events that they can easily remember. With the "anchoring" strategy, people pick some natural starting point for a first approximation and then adjust this figure based on the results of additional information or analysis. Typically, they do not adjust the initial judgment enough.

Expressions of probability, such as possible and probable, are a common source of ambiguity that make it easier for a reader to interpret a report as consistent with the reader's own preconceptions. The probability of a scenario is often miscalculated. Data on "prior probabilities" are commonly ignored unless they illuminate causal relationships.

So if you're interested in how people mis-estimate probabilities and ways to deal with this, this CIA book actually seems to have a fairly good discussion of it. And the price (free) is certainly right.

Tuesday, 29 June 2010

Variations in on-line prices

When you go to buy enterprise software, you never really expect to pay the list price. Businesses are now fairly good at manipulating software vendors, waiting until right before the end of the vendors' fiscal quarter or year, always waiting until they're ready to buy to get the "what if I commit to buy right now?" discount, etc. But for things where there's really no way to negotiate prices, you expect prices to be set at what the business thinks it can get for them. This is why I don't understand the prices of books that I see at various on-line stores.

When I went to Amazon.com just now to get some examples, I was surprised to find that prices advertised for the first book that I randomly picked ranged from a low of $16.47 to a high of almost $1,000. And that's for the same condition, etc. The next few books didn't have as dramatic a range, but the range was still surprisingly high: from $14.45 to $24.95 (a factor of 1.7 from low to high), from $18.95 to $87.56 (a factor of 4.6) and from $55 to $129.64 (a factor of 2.6).

Some people tell me that on-line book stores will often put a very high price on a particularly notable book just to advertise the fact that they have a copy, never expecting to actually sell it at that price. Apparently they think that this is an effective type of advertising. But with a book that lists for less than $20, I can't believe that that model works very well.

And if you're an on-line business who wants to set the prices for your books, wouldn't you check to see what the normal range of prices is for your books before setting your own prices? After all, if you set your prices higher than others have it's probably reasonable to assume that you are not going to sell your copy until all of the lower-priced alternatives have sold.

There's almost always a reasonable explanation for businesses' behavior, but it's not always obvious what that explanation is, and that's one of the big reasons that economists get paid to do what they do. Maybe this is the sort of thing that some economics graduate student can explain and write up in his dissertation.

Friday, 25 June 2010

RIVYERA from SciEngines

The clever engineers at SciEngines now have an off-the-shelf computer, the RIVYERA S3-5000, that will crack DES in roughly one day. In the unlikely event that you're a hacker who needs to recover DES keys, this is definitely how you'll want to do it. A RIVYERA is roughly 20 times more cost-effective than the EFF's dot-com era DES Cracker.

These RIVYERA machines use 128 Xilinx XC3S5000 FPGAs to get the ability to test 292 billion DES keys per second. That's very impressive. I haven't been involved in building computers for a while, but unless things have changed a lot, it's probably still pretty much like Tracy Kidder describes in The Soul of a New Machine, although I have to wonder if engineers still quit their jobs from the stress of making faster computers, leaving behind only a note that says "I'm going to a commune in Vermont and will deal with no unit of time shorter than a season."

In any case, I'd love to hear the engineers at SciEngines tell the story of how the RIVYERA came to be.

To put things in perspective, however, even at the rate that a RIVYERA S3-5000 can crack DES, cracking a 3DES key will take essentially forever - roughly 200 trillion years. So I doubt that we'll see anything capable of cracking a 3DES key any time soon.
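Here is the arithmetic behind those figures, as an added example that is mine rather than anything from SciEngines. The only number taken from the post is the 292 billion keys per second; the key sizes are the standard ones (56 bits for DES, 168 bits for three-key 3DES), and the 3DES line assumes the usual meet-in-the-middle reduction to an effective 112 bits, which lands in the same range as the "200 trillion years" above. The example generalizes to any key size and test rate, and the last function shows why each additional key bit doubles the hardware needed to hold a fixed deadline.

```python
"""Expected exhaustive-search time at a fixed key-test rate.

Added example, not from the post or from SciEngines. The rate of 292 billion
keys per second is the RIVYERA S3-5000 figure quoted above. Key sizes are
the standard ones; the 3DES figure assumes the meet-in-the-middle attack
reduces three-key 3DES from 168 to an effective 112 bits.
"""

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
RIVYERA_KEYS_PER_SECOND = 292e9  # from the post


def search_seconds(key_bits: int, keys_per_second: float, average: bool = True) -> float:
    """Seconds to recover a key by trying candidates at the given rate.

    An exhaustive search tries at most 2**key_bits keys; the expected number
    of trials before hitting the right one is half of that.
    """
    keyspace = 2 ** key_bits
    trials = keyspace / 2 if average else keyspace
    return trials / keys_per_second


def des_days(keys_per_second: float = RIVYERA_KEYS_PER_SECOND, average: bool = True) -> float:
    """Days to recover a 56-bit DES key."""
    return search_seconds(56, keys_per_second, average) / SECONDS_PER_DAY


def tdes_years(keys_per_second: float = RIVYERA_KEYS_PER_SECOND,
               effective_bits: int = 112) -> float:
    """Expected years to recover a 3DES key at its effective strength."""
    return search_seconds(effective_bits, keys_per_second) / SECONDS_PER_YEAR


def machines_needed(key_bits: int, keys_per_second: float, deadline_seconds: float) -> float:
    """Machines at this rate needed to expect success within the deadline.

    Each extra key bit doubles this number, which is what turns 'about a day'
    at 56 bits into 'essentially forever' at 112 effective bits.
    """
    return search_seconds(key_bits, keys_per_second) / deadline_seconds


if __name__ == "__main__":
    print(f"DES, expected:   {des_days():.2f} days")
    print(f"DES, worst case: {des_days(average=False):.2f} days")
    print(f"3DES (112-bit effective), expected: {tdes_years():.3g} years")
    print(f"3DES (168-bit, no shortcut), expected: "
          f"{search_seconds(168, RIVYERA_KEYS_PER_SECOND) / SECONDS_PER_YEAR:.3g} years")
    print(f"Machines to expect a 3DES key within one year: "
          f"{machines_needed(112, RIVYERA_KEYS_PER_SECOND, SECONDS_PER_YEAR):.3g}")
```

The "roughly one day" in the post is the expected case (half the keyspace); the worst case at the same rate is just under three days.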

Thursday, 24 June 2010

Stand on Zanzibar

I just finished an interesting book, Stand on Zanzibar, by John Brunner. It's about a dystopian future in which the Earth's population grows to the point that governments take all sorts of extremely draconian measures to keep it in check. It was published in 1968 but is set in the year 2010, and it's interesting to see how accurate Brunner's predictions of the future were. Like in any other work of speculative fiction, he managed to get a few things right but he also got others totally wrong. In general, Brunner's vision of the year 2010 is very different from the real 2010. It may not be as different as George Orwell's vision of the year 1984 was from the real 1984, but it really didn't seem very close.

I also read this book because I managed to get a copy that was published in 2009 yet autographed by Brunner, who died in 1995. It seems that before he died he signed some signature pages for a book that never got published, and that the most recent publisher managed to get ahold of these and use them in their edition of Stand on Zanzibar.

It looked to me like Brunner totally missed the effects of IT on society. Or maybe he didn't. Brunner wrote Stand on Zanzibar to point out how overpopulation could end up being a problem. It wasn't meant to point out how the rise of IT could cause a dramatic decrease in privacy. I actually don't know of any books that focus on that particular angle, but I'd probably read one if someone wrote it.

I'm sure that it wouldn't be too hard to extrapolate from the dramatic loss of privacy that we've seen happen in the past decade to the point that it would make the basis for an interesting story. It's not clear to me, however, whether such a story would be better classified as science-fiction or as horror.

Friday, 21 May 2010

Codebreakers - the comic

It looks like there's now a comic being published that stars cryptanalysts. It's Codebreakers from BOOM! Studios, the same people that are famous for, well, I've actually never heard of them before, but they're probably known for something.

Here's the summary of what happens in the first issue of this comic:

Busting foreign spies on domestic soil. Cracking the code on drug and human trafficking. Shutting down the mob. They are the elite Cryptanalysis Unit of the Federal Bureau of Investigation, examining manually encrypted documents and records of illegal enterprises, providing expert testimony, forensic assistance, and identification of terrorism, foreign intelligence, and criminal activities in support of federal, state, local, and international law enforcement investigations and prosecutions... Ciphers. Codes. Encryption. Passwords. Meet the best of the best at puzzling out the truth and protecting all of us from those that would steal information in ways that can shatter the global community and kill. But what happens to the Cryptanalysis unit when one of their own goes missing? Is it a puzzle the puzzle-solvers can't solve? And will this cipher reveal things about... themselves? In the mode of previous BOOM! series like POTTER'S FIELD, UNTHINKABLE, blockbusters like NATIONAL TREASURE and DAVINCI CODE, and espionage comics from our esteemed competition QUEEN AND COUNTRY and WHITEOUT!

I don't know how good this comic is, but I'd guess that my favorite depiction of cryptographers will still be The Amateur, the 1981 movie in which a mild-mannered CIA cryptographer blackmails the CIA into training him to hunt down and kill the terrorists that killed his girlfriend. Don't mess with cryptographers.

Monday, 19 April 2010

Secret Message

It turns out that encryption can turn up in places where you really don't expect it. The text of the story "Secret Message" in Jeff Strand's Gleefully Macabre Tales is actually printed encrypted, for example. Here's how this story begins:

Gzqudx eqnvmdc zr gd nodmdc sgd kdssdq. Otqd fhaadqhrg. Vgzs vzr sghr, z bncd?

Gd zkvzxr dminxdc rnkuhmf sgd czhkx bqxosnfqzl hm sgd mdvrozodq, ats gd'c mdudq gzc nmd lzhkdc sn ghl adenqd. Sgdqd vzr mn qdstqm zccqdrr nm sgd dmudknod, itrs z knbzk onrslzqj. Hs vzr oqnazakx nmd ne ghr atcchdr okzxhmf z injd.

If you want to read the rest of the story, you'll have to pick a copy of Gleefully Macabre Tales. The limited edition from Delirium Books is out of print and fairly expensive, but the paperback version from Dark Regions Press isn't.

According to Jeff, the cryptography team at Voltage actually provided the first known decryption of "Secret Message." Yet another first for us.

(I was actually planning to do a post about The Jack Kerouac School of Disembodied Poetics. It’s part of Naropa University, one of the few places where you can get a BA in Contemplative Psychology, an MA in Transpersonal Counseling Psychology or do hands-on work in a Consciousness Laboratory. I was going to do this in the style of Jack Kerouac, but it got way too ugly so I stuck to "Secret Message" instead.)

Thursday, 01 April 2010

Altering memories

Dali - The Persistence of Memory

I recently read an interesting article in the Wall Street Journal about altering memories, and I don't mean the DRAM that your desktop computer uses. Apparently it's possible to permanently change your memories. This sounds like something that Philip K. Dick might have used in one of his science-fiction stories like "We Can Remember It For You Wholesale," the story that the movie Total Recall was based upon. Or maybe it's more like something from Richard Condon's The Manchurian Candidate, the basis for the movie with the same name.

And although researchers claim that their work is only meant to replace traumatic memories, like those that combat veterans or crime victims might have, with less troubling ones, the possibility for other uses seems to be even more attractive. Imagine how intelligence agencies could use the ability to selectively alter memories, for example.

The ethical implications of that use alone make me wonder whether this research is really something that we ought to be doing. Like Douglas Quail in "We Can Remember It For You Wholesale," we might end up not knowing exactly what's real and what's not.

Tuesday, 23 March 2010

The Story of Spin

Over the past few weeks, I've been reading The Story of Spin, by Sin-itiro Tomonaga. This book tells the story of how physicists developed early versions of quantum mechanics, and it includes lots of interesting stories about how various physicists were working on ideas that turned out to be dead ends, which ideas ended up working, etc. When I learned physics, I just learned about the ideas that worked out and learned absolutely nothing about the ideas that didn't, so I found this to be fascinating.

I also found it interesting to see Tomonaga obviously in awe of the abilities of people like Dirac, Heisenberg and Pauli. Tomonaga shared the 1965 Nobel Prize in Physics with Richard Feynman and Julian Schwinger for his role in the invention of quantum electrodynamics, so he was definitely an extremely smart guy. This might give you an idea of how clever the early inventors of quantum mechanics really were.

Reading The Story of Spin got me to spend a few minutes trying to work out the lyrics to a song about spinors set to the music from the "Toreador Song" from Carmen, much like Gilligan's Island did with Hamlet in episode 4 of season 3. (It sort of went downhill after "Neither a vector nor a tensor be, ...") It also made me wonder when someone is going to write a similar book about the history of cryptography.

It seems that most of the key people from the early years of cryptography are still around, so there's still a chance for one of them to write such a book. There have been lots of papers published about cryptography in the past 30 years or so, but these just tell you about the ideas that worked, at least to some degree. I'm sure that the original inventors of the technology still remember the mis-steps that they made as clearly as their successes, and it would be very interesting to hear the stories of these. If someone took the time to write down all of those stories, that would make a book that I'd definitely buy a copy of.

Tuesday, 02 March 2010

Monday at the RSA Conference - Miranda?

The exhibit hall of the RSA Conference was open for a couple of hours last night, so I got a chance to walk around and see what vendors were talking about this year. I have to say that I was not impressed in lots of cases - some vendors seemed to actually be moving backwards instead of forwards. It almost reminded me of the horror novella Miranda by John R. Little that won the 2008 Bram Stoker Award for Best Long Fiction. (No - this book has nothing to do with the planet Miranda from the movie Serenity.)

The protagonist of Miranda is a man who moves backwards through time instead of forwards. The book opens with him returning to life in a hospital at age 65 and ends, well, I'd hate to ruin a truly excellent book, so I'll just let you use your imagination. 

The entire book reinforces this backward-through-time theme. It starts with chapter 15 and counts down to chapter 1, for example, and the pages are also numbered in the reverse order. For me, this produced a particularly chilling effect because you could tell exactly how many pages were left of the protagonist's life. You can easily look at the last page of a book to see how many pages are left before the story is going to end, but that doesn't seem to provide the same effect that the reverse page numbering in Miranda does.

In any event, the parallel between a man moving backwards through time and the vendors who seemed to be moving backwards instead of forwards definitely struck me when I made my first circuit through the expo hall of the RSA Conference this year. I doubt that the vendors that I saw yesterday will suffer the same horrific end that the protagonist of Miranda did, but I doubt that things are going to work out well for them in the long run.

Monday, 18 January 2010

2009 reading

Last year I decided to keep track of the books that I read using a Google documents spreadsheet. Looking at this list, it looks like a plurality of the books were actually mysteries, and all of these were actually from small specialty publisher Crippen and Landru. It looks like I read a total of 37 of their books last year. It was definitely time well spent.

Crippen and Landru specializes in printing or reprinting classic detective stories. They seem to emphasize the type of story in which the reader is shown all of the relevant clues before the story's protagonist solves the puzzle. I prefer that type of detective story over the stuff that's popular these days that I'd say is better classified as crime fiction instead of detective fiction.

In any event, Crippen and Landru publish two lines of limited edition books: Lost Classics and their regular line. The Lost Classics line reprints material that's fairly good, but not widely known. Examples of this are detective stories by Rafael Sabatini, who's better known for writing Captain Blood, or detective stories by western pulp writer Max Brand.

The regular line collects short stories from contemporary writers and its books include all sorts of interesting extra stuff. Some of the books include a page from the original typescripts for one of the stories in the book. Others include a short pamphlet that contains a story written by the author just for inclusion with the Crippen and Landru limited edition. All of them are signed by the author, and they'll probably be fairly valuable one day. Every one of these has been extremely good.

I still have quite a few Crippen and Landru books that are still unread. But since they're easily outnumbered by the stacks of unread books that don't contain any mysteries at all, there's no guarantee that my list of books read in 2010 will have the same bias.

Friday, 18 December 2009

Was he really talking about PKI?

It's a vestige of the old superstitious Dark Ages when nobody knew anything and the whole world was sinking deeper and deeper into filth and disease and poverty and ignorance. It is one of those delusions that isn't called insane only because there are so many people involved.

Robert Pirsig, Lila

Wednesday, 09 December 2009

A trend in education?

There seems to be a trend in education where material that's cutting-edge research first gets taught in graduate-level classes and then, several years later, in undergraduate classes. Some even makes it into high-school classes. When my father went to college, for example, quantum mechanics hadn't made it into undergraduate classes yet, but by the time I was in high school it had worked its way into the chemistry class that I had. I may have come across an even more extreme example of this last week.

I noticed that the book Special Relativity, part of the MIT Introductory Physics Series, is listed on Amazon.com as being written at a level suitable for "young adults." That's the same audience that The Hobbit is apparently suitable for. Or Brian Jacques' Redwall series.

If special relativity is now suitable for young adults, I'd hate to guess where they're teaching quantum mechanics these days. Or cryptography.

Thursday, 03 December 2009

Blog to book software

A few people have asked me about me creating a hardcopy book from the contents of this blog. Trying to find things to do other than look for errors in a math-heavy standards document, I recently tried out a couple of the available services that let you do this to see how hard it is and what's involved in doing it. I was stunned by how bad the available options were.

In one case, the first few posts were loaded into the book-making software with no problems, but the rest after that ended up badly garbled. That made that particular offering totally useless.

The next one I tried couldn't handle subscripts and superscripts, among other things, so it ended up being useless also.

I doubt that I'm the only person who does things like indenting text or using superscripts. Why can't the current versions of blog-to-book software handle the use of these things?

Friday, 30 October 2009

Ghosts, vampires and zombies


I recently came across "Cinema Fiction vs Physics Reality: Ghosts, Vampires and Zombies," by Costas Efthimiou and Sohang Gandhi. This paper discusses how ghosts, vampires and zombies are portrayed in books and movies and looks at what's actually possible and what's not.

Ghosts have lots of problems with physics at a very basic level. They can't both be incorporeal and do the things that they are shown to do in books and movies. That should be fairly obvious.

Vampires have problems with the exponential growth of the vampire population that they would cause. I hadn't thought of that before, but when you hear it, it's fairly obvious. Suppose that a vampire needs a single victim each year and that this victim then turns into a vampire. After one year, you have two vampires. Each of these two creates two more the next year. Each of these four then creates four more the next year, etc. This growth quickly gets out of control and leaves the entire world populated by vampires. So the fact that people exist is proof that vampires don't exist, at least not vampires as they're portrayed in books and movies. (This analysis might not be quite accurate because it doesn't account for the ability of people like Kristy Swanson to keep the vampire population in check, but it's probably close enough.)

It turns out that there's actually a factual basis for zombies. Maybe this is why Brian Keene's zombie books are so popular. I'm personally more fond of zombie stories like Robert Bloch's "Maternal Instinct," but I seem to be in the minority in this particular case. Much like people who think that reading papers about the physics of ghosts, vampires and zombies is interesting.

And it's apparently not just physicists who worry about zombies. Lucy Snyder, the wife of Gary Braunbeck, one of the best horror writers in the world, has written a book Installing Linux on a Dead Badger and Other Oddities that tells why people in the corporate IT world should worry about them.

Here's what this fine book has to offer:

  • "Installing Linux on a Dead Badger"
  • "Authorities Concerned Over Rise of Teen Linux Gangs"
  • "Your Corporate Network And The Forces Of Darkness"
  • "Faery Cats: The Cutest Killers"
  • "Graveyard Shift"
  • "Dead Men Don't Need Coffee Breaks"
  • "Business Insourcing Offers Life After Death"
  • "Corporate Vampires Sink Teeth Into Business World"
  • "Unemployed Playing Dead To Find Work"
  • "Trolls Gone Wild"
  • "The Great Vüdü Linux Teen Zombie Massacree"
  • "Wake Up Naked Monkey You're Going To Die"
  • "In The Shadow of the Fryolator"

There's also a book coming out soon that tells how Dante Alighieri was inspired to write the Divine Comedy, at least the Inferno part of it, by seeing the results of a zombie infestation. My copy should be arriving next week.

I'm sure that there's some way to make this relevant to information security, but I don't see it right now.

Monday, 24 August 2009

The National Cyber Leap Year Summit

The government’s current approach to cyber-security isn’t working. The government has apparently acknowledged this, and last week, held the National Cyber Leap Year Summit, a meeting that was sponsored by the White House Office of Science and Technology Policy (OSTP) and the Federal Networking and Information Technology Research and Development Program (NITRD).

This event was designed to bring together experts from academia, industry and government to find “game-changing” ideas and ways to implement them. I was one of the people from industry who were invited to participate in this event, so I spent last week at the Crystal Gateway Marriott in Arlington, Virginia, talking about how to change the government’s approach to cyber-security.

I was one of very few representatives from security vendors at the meeting, and I’m not sure how to interpret this. There were industry representatives, like people from the big government contractors, but including people like that isn’t really the same thing as including security vendors.

From one point of view, it’s good to see that Voltage is being recognized as being a thought leader in the area of cyber-security. We’ve certainly created our share of innovations and continue to do so. On the other hand, it was also a bit puzzling that more security vendors weren’t invited. Even vendors that aren’t known for lots of innovation have a solid understanding of the security market, what the current threats are and how their customers are dealing with them, and we definitely could have used more of this point of view at the meeting to balance the views of academics and government people.

We talked about five main areas at this meeting:

  • Cyber-economics, or how to create the right incentives and disincentives that we need for cyber-security to succeed
  • Digital provenance, or how to base trust decisions on verified assertions
  • Health-inspired network defense, or how to move from forensics to real-time diagnosis of security problems
  • Moving-target defense, or how to ensure that attacks work only once, if at all
  • Hardware-enabled trust, or how to leverage hardware security to create a more secure computing environment

I’m not a big fan of management fads, so for me, the biggest downside to the meeting was the fact that the organizers tried to use the “colored hats” framework that Edward de Bono describes in his book Six Thinking Hats. Even this didn’t work out too badly, however.

The biggest problem was that even though the meetings went from roughly 8 am to 10 pm each day, that still wasn’t enough time to discuss any ideas in much detail. Because of this, many good ideas didn’t really get the attention that they deserve, and I hope that the organizers of the event will find a way to deal with this.

Over the next few days, I’ll be talking about some of the things that I learned at this meeting.

Monday, 03 August 2009

No bucks, no Buck Rogers


The Buck Rogers comic that ran in American newspapers from 1929 to 1965 is probably responsible for creating, or at least popularizing, many ideas that are taken for granted in today's science-fiction. Things like rocket ships, anti-gravity technology, traveling to other planets, and dealing with their non-human inhabitants that find human women irresistible. I was recently reading a collection of these classic comics when I noticed another element of advanced technology that appeared in the Buck Rogers comics, and that's paying by credit.

In comic number 694 from 1931, Buck Rogers and Wilma Deering have made it to the legendary undersea world of Atlantis. When they're shown the technological marvels that make it such an advanced place, universal payment by credit is one of these. Apparently, in 1931, paying by credit was one of those things that seemed an advanced idea that might become true at some point in the future, and had enough of a "wow factor" to justify its mention in the comic.

I don't know if people in 1931 read Buck Rogers and marveled at what it would be like if you could buy anything that you need using credit, but it seems that that's one of the few things from Buck Rogers that has actually come to be. We don't have flying belts or rocket ships, and we haven't met any aliens who have an unexplained attraction to Earth women, but we certainly have credit cards that are accepted more places than they're not. Maybe we'll have the others some day, too.

Tuesday, 28 July 2009

One fallacy down, several more to go

The Internet is good for some things. It certainly makes some types of research much easier than they once were. You once had to look up reference materials in a card catalog, find the material on your library's shelves, and then read through it to see if it contained the information you were looking for. This often took quite a while. It certainly took more time than just typing a few words into Google and clicking on "Google Search."

The Internet is also very useful when you start teaching your kids about logical fallacies. Pick almost any blog that discusses politics and you'll see more examples of logical fallacies than you used to see in your entire life in the pre-Internet days. When I stumble across examples of these fallacies, I often feel the urge to post things like "This is a good example of what's often called a 'false dilemma' or 'bifurcation fallacy.' Please refer to your college textbook on logic for more information, or click on this link to learn why your argument makes no sense whatsoever."

Maybe I'll actually do it some day.

One of the common logical fallacies is the so-called genetic fallacy, which says that an idea shouldn't be accepted or rejected based on its origin instead of on its merit. I suspect that a careful analysis of this particular fallacy would show that it's not really a fallacy, and this is because of the connection to Bayesian reasoning.

As I've mentioned before, Bayesian reasoning leads us to weighing peoples' opinions based on what we know (or think that we know) about them. Liberals are likely to misrepresent and distort the facts when talking about conservatives and their points of view and conservatives are likely to misrepresent and distort the facts when talking about liberals and their points of view, for example. Because of this, we know that we can't trust what we hear, so the reasonable thing to do is use Bayesian reasoning that evaluates the chances of what we hear being true given everything else that we know (or think that we know). This means that the genetic fallacy is really nothing more than Bayesian reasoning at work.

Now it seems that Bayesian reasoning is a generalization of the usual Aristotelian logic that reduces to it in the special case that the hypotheses are either true or false. There's even an interesting book by E. T. Jaynes, Probability Theory: The Logic of Science, that describes exactly how this works. So if Bayesian reasoning is consistent with logic and the genetic fallacy is consistent with Bayesian reasoning, I'm inclined to believe that the genetic fallacy isn't really a fallacy after all. A logical fallacy, after all, is an error in reasoning, and it looks to me like the genetic fallacy really isn't an error. Instead, it's just taking advantage of all the available information to put new information into a useful context.
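The argument above is easier to see with the numbers written out, so here is an added example (mine, not from the post or from Jaynes' book) of Bayes' rule applied to a report from a source of known reliability. The sources, priors and reliability figures are constructed for illustration. Two things fall out of it: a source whose reports don't depend on whether the claim is true moves the estimate not at all, and a source that never makes the claim unless it is true forces the posterior to 1, which is exactly the ordinary logical inference that Bayesian reasoning reduces to in the limit.

```python
"""Weighting a report by the reliability of its source, using Bayes' rule.

Added example, not from the post or from Jaynes' book. Sources, priors and
reliability figures are constructed for illustration.
"""


def update(prior: float, p_report_if_true: float, p_report_if_false: float) -> float:
    """Posterior P(claim is true | this source reported it).

    p_report_if_true / p_report_if_false is the source's likelihood ratio:
    the whole of what its origin contributes to the judgment.
    """
    joint_true = prior * p_report_if_true
    joint_false = (1 - prior) * p_report_if_false
    return joint_true / (joint_true + joint_false)


def posterior_after(prior: float, reports: list) -> float:
    """Fold in several independent reports, each given as (p_if_true, p_if_false)."""
    for p_true, p_false in reports:
        prior = update(prior, p_true, p_false)
    return prior


# Constructed sources: how often each would make the claim if it were true / false.
RELIABLE = (0.90, 0.10)     # rarely wrong in either direction
UNRELIABLE = (0.60, 0.40)   # only slightly better than a coin flip
PARTISAN = (0.80, 0.80)     # says it regardless of the truth: carries no information
INFALLIBLE = (1.00, 0.00)   # never makes the claim unless it is true


def compare_sources(prior: float = 0.5) -> dict:
    """Posterior after hearing the same claim once from each kind of source."""
    return {name: update(prior, *src) for name, src in
            [("reliable", RELIABLE), ("unreliable", UNRELIABLE),
             ("partisan", PARTISAN), ("infallible", INFALLIBLE)]}


if __name__ == "__main__":
    for name, posterior in compare_sources().items():
        print(f"{name:>10}: {posterior:.3f}")
    print("three unreliable reports:", round(posterior_after(0.5, [UNRELIABLE] * 3), 3))
```

Note that three agreeing reports from the unreliable source together end up carrying more weight than one, but only because the model treats them as independent; reports that all trace back to the same origin don't multiply up this way, which is the other half of why origin matters.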

That just means that I won't feel compelled to point out a small fraction of the logical fallacies that I see on the Internet. Luckily, there are still enough others out there to keep me entertained for the foreseeable future.

Monday, 06 July 2009

Why do people work on open-source software?

As every individual, therefore, endeavours as much as he can both to employ his capital in the support of domestic industry, and so to direct that industry that its produce may be of the greatest value; every individual necessarily labours to render the annual revenue of the society as great as he can. He generally, indeed, neither intends to promote the public interest, nor knows how much he is promoting it. By preferring the support of domestic to that of foreign industry, he intends only his own security; and by directing that industry in such a manner as its produce may be of the greatest value, he intends only his own gain, and he is in this, as in many other cases, led by an invisible hand to promote an end which was no part of his intention.

Adam Smith, An Inquiry into the Nature and Causes of the Wealth of Nations

It's not hard to create a plausible economic model that explains why open-source software exists. One argument is that enterprise software has a minimum cost associated with developing and marketing it. These costs include the engineers that write the software, the people that test it, the sales engineers that install it at customer sites, the sales people who help customers through the sales cycle, the marketing people who let customers know what's available to solve their problems, etc. The total cost of all of these isn't cheap, so if a particular application isn't worth more than that fixed cost, it can't be the basis for a profitable business.

But if there's a demand for something at a lower cost, someone will probably find a way to make it happen. It's much like minimum-wage laws. There are some jobs that just aren't worth the minimum wage, and when this is the case, people find ways to get those low-value jobs done, even if it involves breaking the law. They might hire illegal immigrants for less than the minimum wage. Or they might agree to pay someone cash to avoid the taxes that, from the point of view of the employer, are also part of their cost of labor.

On the other hand, an argument like this only describes market forces, Adam Smith's invisible hand that makes things happen. It might explain why open-source software exists, but it doesn't really tell us why any particular person would decide to work on open-source software. That may require a different explanation. Here's one, and it's based on modeling contributing to open-source software as a tournament. It's much like the model that Steven Levitt and Stephen J. Dubner used in their book Freakonomics to explain why so many drug dealers earn roughly the equivalent of the minimum wage.

It turns out that almost all drug dealers don't make very much money. These are the ones that actually sell the drugs on the streets. The real money is in managing an organization of drug dealers, and Levitt and Dubner describe how the entry-level drug dealers tolerate the low pay because they hope to eventually become one of the managers. In this sense, drug dealing can be modeled as a tournament that selects the most fit drug dealers and promotes the winners into the more lucrative jobs.

Maybe this model also applies to open-source software. After all, being a recognized contributor to a big, successful open-source project is also a good way to get a high-paying programming job. So it might be the case that the programmers who donate their time to open-source projects do this in the hope of becoming an open-source superstar one day. This doesn't sound obviously false, and it does give you a good way to start a conversation: "Did you know that open-source programmers are like drug dealers?"

Wednesday, 01 July 2009

The Virginian goes to the RSA Conference

Owen Wister's 1902 novel The Virginian was one of the first books that might be called a "western." It essentially defined the western genre and established many of what are now its clichés. One of my favorite parts of this book is when the Virginian ends an uprising by disgruntled cowboys by beating their leader in a tall tales contest. I'm often reminded of this showdown when I hear claims made by the marketing departments of security vendors, and it's entertaining to think of how a similar epic battle might take place today.

Imagine we're at next year's RSA Conference, drinking the free beer that some generous vendor has provided. A CISO from a big company is here. He's never been to the show before and doesn't realize that he'll be swarmed by vendors if he attends an event like this one. To get his attention, the sales and marketing people from lots of security vendors make more and more outlandish claims about their technology.

There's someone there from a vendor that makes products that are designed to counter the insider threat. After a beer or two, the people at the party have forgotten that there's absolutely no basis for the claims that most attacks come from insiders, so they listen to him. He quotes some statistics from analyst reports that nobody has heard of and ends up with the estimate that over 150 percent of attacks come from insiders.

People are impressed, but take a quick break to get another beer. Surely someone can do better than that.

Next is someone from a tokenization vendor who claims that tokenization is actually more secure than encryption. Encryption is hard to understand when you've had a good night's sleep and a couple of cups of coffee, and the free beer has made sure that nobody at the party is able to even come close to understanding it now. The lone cryptographer who's at the party is impressed by the daring that it took to make that claim, even to a room full of people drinking free beer, so he doesn't challenge it.

Unable to think of a way to one-up this, the other vendors gradually walk away, leaving the tokenization vendor alone with the CISO.

Friday, 15 May 2009

Free shipping

It turns out that you can now get this blog on your Kindle e-book for only $1.99 a month. Other items that Amazon.com sells aren't quite as cheap. I stumbled across a textbook today that actually sells for $7,790. This is Nuclear Energy, by many contributors.

Here's the product description:

The three volumes VIII/3A, B, C of Energy Technologies should primarily serve scientists, engineers, and students to gain information on physical, chemical, and technical properties of all technologies to provide, convert, distribute, store, and finally use energy. They are supplemented with economic background information and with specific concepts, to allow the reader a proper comparison of different energy technologies. In this way these volumes on energy technologies should help human society pave the way towards sufficient and environmentally safe provision and use of energy. The various contributions have been written by experts from all around the globe working in universities, public research institutions, and private industrial companies.

One of the targets is students, but how many students can afford a book that costs $7,790?

On the bright side, you definitely qualify for free shipping if you buy this book. Or you could save 20%, or $1558, if you decide to read Nuclear Energy on your Kindle instead of getting a printed copy. At least it's not as bad as Mrs. Skagg's Husbands, which you can't get for anything less than $7.6 million. That's not available for the Kindle yet, though.

Friday, 27 March 2009

Ping

Back on March 7, 1999, "A reader from Upper Volta, Uzbekistan" posted the following review of the book The Story of Ping on Amazon.com. The Story of Ping is a children's book about the adventures of a duck named Ping who lives in China. Here's what the reader from Uzbekistan said about this book. This was even mentioned on the web page of Mike Muuss, the person who wrote the first version of the UNIX utility ping.

Excellent, heart-warming tale of exploration and discovery. Using deft allegory, the authors have provided an insightful and intuitive explanation of one of Unix's most venerable networking utilities. Even more stunning is that they were clearly working with a very early beta of the program, as their book first appeared in 1933, years (decades!) before the operating system and network infrastructure were finalized.

The book describes networking in terms even a child could understand, choosing to anthropomorphize the underlying packet structure. The ping packet is described as a duck, who, with other packets (more ducks), spends a certain period of time on the host machine (the wise-eyed boat). At the same time each day (I suspect this is scheduled under cron), the little packets (ducks) exit the host (boat) by way of a bridge (a bridge). From the bridge, the packets travel onto the internet (here embodied by the Yangtze River).

The title character -- er, packet, is called Ping. Ping meanders around the river before being received by another host (another boat). He spends a brief time on the other boat, but eventually returns to his original host machine (the wise-eyed boat) somewhat the worse for wear.

The book avoids many of the cliches one might expect. For example, with a story set on a river, the authors might have sunk to using that tired old plot device: the flood ping. The authors deftly avoid this.

Who Should Buy This Book

If you need a good, high-level overview of the ping utility, this is the book. I can't recommend it for most managers, as the technical aspects may be too overwhelming and the basic concepts too daunting.

Problems With This Book

As good as it is, The Story About Ping is not without its faults. There is no index, and though the ping(8) man pages cover the command line options well enough, some review of them seems to be in order. Likewise, in a book solely about Ping, I would have expected a more detailed overview of the ICMP packet structure.

But even with these problems, The Story About Ping has earned a place on my bookshelf, right between Stevens' Advanced Programming in the Unix Environment, and my dog-eared copy of Dante's seminal work on MS Windows, Inferno. Who can read that passage on the Windows API ("Obscure, profound it was, and nebulous, So that by fixing on its depths my sight -- Nothing whatever I discerned therein."), without shaking their head with deep understanding. But I digress.

Someone at Amazon.com, probably one of those managers who were overwhelmed by the technical aspects of the book, apparently decided that this review wasn't serious enough and removed it. Fortunately, this review is back, although under the name of a different reviewer. It's now actually rated as the most helpful review.

Wednesday, 18 March 2009

Going Postal

Necronomicon

The Post Office lost yet another package of mine. This happens at least once per year and it's always for the same reason. The letter carrier scans the delivery confirmation bar code of a package while they are sitting in their truck but forget to actually carry the package to my house. The package then gets returned to the Post Office, where it sits in limbo until I can convince the Post Office to track it down. They usually don't want to do this because the package shows as being delivered in their system even though it wasn't actually delivered.

I finally realized why this happens. It's easier to tell the story of how this came to be instead of giving the precise details, so here's "Going Postal."

Come to think of it, this might actually explain more than my missing packages.

Going Postal

When the doorbell for Shocker Books rang at precisely 10 am, Larry Schwartz knew that it had to be the mailman. Other visitors to his store were very rare these days. Although he still had a brick-and-mortar store that housed his inventory of rare and expensive horror books, almost all of his sales were now orders that he took over the Internet and shipped to his customers.

This made the Post Office an important part of his business, but because the Post Office was one of the most efficient and well-run organizations in the world, he had complete confidence in the white-uniformed mailmen that called twice a day to make deliveries from publishers and to pick up his shipments to his customers. Larry’s business was booming, and the Post Office was an important part of its success.

When the doorbell rang again about an hour later, Larry was surprised to see Mike Campbell at the door. Mike was an old friend from college whom he hadn’t seen for quite a while. While Larry had followed his dream of opening a bookstore, Mike had gone into the army and had fought in the Gulf War back in 1991. After catching up on the events of the past few years, Mike showed Larry the antique, leather-bound book written in Arabic script that he was carrying and explained that he was interested in selling it.

“I’ve had it in storage in a safe deposit box at my bank for the past few years,” said Mike. “I picked this up in Iraq and held onto it, hoping to sell it one day. You’re the expert on this stuff, and I was hoping that you could take a look at it and tell me if it’s worth anything.”

They agreed to meet again in a few days, after Larry had had time to look at the book and assess its value, and Mike left Larry to process the huge backlog of orders that he had.

Later that day Larry started to get paranoid. It might just have been his imagination getting the better of him, but he was sure that he had seen suspicious figures lurking outside his store ever since Mike left. Following the example of Sam Spade in The Maltese Falcon, Larry decided to mail Mike’s book to himself to avoid the possibility of it being stolen that night. There was still time to get it into the 5 pm mail pickup, so he carefully packaged the book in bubble wrap, put it in a box addressed to himself, and gave it to the mailman when he came later that day.

That night, Larry received a panicked phone call from his friend.

“Be careful with that book,” said Mike. “I’ve learned that it’s a copy of the Al Azif by an Arab named Abdul Alhazred. It’s related to the occult in some way and it’s evil. Very evil. It’ll corrupt everything that it comes in contact with, so keep it away from your expensive books. Don't worry - I’ll come by tomorrow to pick it up.”

Larry made his living dealing in books that told stories with supernatural elements, but didn’t actually believe in the supernatural himself. This made it easy to write off his friend’s concerns, but he would still be glad to be rid of the book and the irrational fears that it seemed to cause.

Next morning was fairly leisurely. Few orders had come overnight, so Larry actually had time to enjoy his morning coffee and read one of the books in his inventory. Time passed so quickly that Larry didn’t even notice that it was afternoon before the mailman came. The sound of the damaged box being thrown to the ground outside his door caught his attention, as did the blue uniform that he saw on the mailman as he walked away.

Mike was right.

Tuesday, 10 March 2009

Mehrabian's rule

Albert Mehrabian’s 7-38-55 rule is almost always misinterpreted. These misinterpretations probably aren’t too far from the truth, however, and they can probably explain why the Internet is such an obstacle to communicating effectively. Mehrabian’s 7-38-55 rule actually says that when we communicate face-to-face, how well we like the person that we’re communicating with depends on three factors: the words used, the tone of voice used, and the body language used. He first described this in his 1971 book Silent Messages, where he estimated that 7 percent of the overall level is due to the words used, 38 percent is due to the tone of voice used, and 55 percent due to the body language used. 

This is often generalized to saying that in any face-to-face communication that 7 percent of the information that we send is verbal, 38 percent is sent in our tone of voice and 55 percent is sent through body language. Mehrabian’s research doesn’t actually support this generalized result, but that hasn’t stopped people from calling this conjecture “Mehrabian’s rule,” or inaccurately attributing the generalized result to Mehrabian.

It’s probably the case that most communication is non-verbal, even if it doesn’t follow the 7-38-55 rule, and that’s why the Internet causes so many problems. Even if the exact fraction of the information that’s lost when we communicate on-line isn’t exactly 93 percent, it’s probably a significant part of it, and this causes many more misunderstandings than you would ever get face to face. Here’s an example of how this recently affected me.

There are now three IETF RFCs that describe identity-based encryption and how to use it in secure email. While getting one of these standards through the IETF bureaucracy I had to get three new media types defined for the types of data that get transported over HTTP when IBE is used: IBE public parameters, an IBE private key request and the IBE key that a key server returns to a user.

There’s a mailing list where you propose new media types and other list subscribers get to critique your proposal. In my case, we had a heated debate over my proposal that turned out to be just over a slight misunderstanding in how one particular parameter was defined. If we had been sitting down face to face, this misunderstanding would have been obvious almost immediately. But because we were only communicating over email, lots of information was lost. Maybe it wasn’t exactly 93 percent of it, but it was a significant amount. This led to wasting several days in a debate that wouldn’t have taken more than a few minutes to settle face to face.

Lots of communications over the Internet seem to be plagued by the same problem, and because there’s no easy way to indicate tone of voice or body language over the Internet, we’re probably stuck with the imperfect communication that it allows. I suppose that you could write an IETF standard of some sort that might help fill the gaps in communication that the Internet creates, tags like <humor> and </humor> that you could use to indicate where you’re not being serious. But because you’d have to develop this standard over the Internet, it would be much harder to do than it needs to be.

Tuesday, 03 March 2009

The Winchester Horror

Winchester

I just finished reading The Winchester Horror, by William F. Nolan, the writer who's probably most famous for Logan's Run. The Winchester Horror is a novella that tells the story of a ghost that haunts the Winchester mansion in San Jose, California. If you don't have much time to read, novellas are great. They let you trick yourself into thinking that you're reading more than you really are because they're much shorter than most other books. Between January 1, 2009 and March 1, 2009, I actually managed to read 18 books. This may sound impressive, but when you consider the fact that that time includes part of my Christmas vacation and that most of the 18 books are actually novellas, it actually turns out to be much less impressive.

The Winchester mansion was built by Sarah Winchester from 1884 to 1922 at a cost of roughly $5.5 million. Apparently, she was concerned that the ghosts of people killed by Winchester firearms would kill her if she stopped construction of the unusual building. The result of this 38-year project is a 160-room house that's truly bizarre. It has only 17 chimneys for its 47 fireplaces. It has stairs that lead to the ceiling. It has cupboards that open onto brick walls. It even has a door on one of the upper floors that opens onto a drop straight to the ground below. Much of it doesn't make any sense at all. It seems to have been built without much planning, and it was fairly expensive. In other words, it's just like today's computer networks.

Much like the Winchester mansion grew in an unplanned way into what's there today, today's networks have also evolved in a similar way. And just like it's hard to make sense of some parts of the Winchester mansion, it's also hard to understand exactly how some networks could have ever got to the point where they are now. Nobody lives in the Winchester mansion today – it's now a tourist attraction. After Sarah Winchester's death, it probably proved to be too annoying to actually live in. Unfortunately, it's not practical to just walk away from the networks that have grown over time into the unwieldy beasts that they are today. And although they may seem to be just as confusing as the Winchester mansion, it's unlikely that we'll be able to turn them into attractions that we can charge admission to, so we're stuck using them.

Because they've grown over time instead of being carefully planned, it's always very difficult to integrate two or more networks. Businesses often try to do this when they acquire other companies or try to work more closely with partners, and it's almost always much harder than you think it's going to be. You may have your version of the Winchester mansion, but the people that you want to integrate with have their own version, and it hasn't evolved in the same way that yours did. Your network may assume that all of your data is handled by the equivalent of the stairs that lead to the ceiling, and the other network may assume that all of its data gets handled by the equivalent of the cupboard that opens onto a brick wall. Getting these two networks to work together can be hard. Sometimes it's even impossible.

It's well known that most acquisitions don't work out very well. Incompatible corporate cultures are one big cause of this, but I have to wonder how many of these failures can be traced to the difficulties in getting different networks to work together.
