Books

Tuesday, March 02, 2010

Monday at the RSA Conference - Miranda?

The exhibit hall of the RSA Conference was open for a couple of hours last night, so I got a chance to walk around and see what vendors were talking about this year. I have to say that I was not impressed in lots of cases - some vendors seemed to actually be moving backwards instead of forwards. It almost reminded me of the horror novella Miranda by John R. Little that won the 2008 Bram Stoker Award for Best Long Fiction. (No - this book has nothing to do with the planet Miranda from the movie Serenity.)

The protagonist of Miranda is a man who moves backwards through time instead of forwards. The book opens with him returning to life in a hospital at age 65 and ends, well, I'd hate to ruin a truly excellent book, so I'll just let you use your imagination. 

The entire book reinforces this backward-through-time theme. It starts with chapter 15 and counts down to chapter 1, for example, and the pages are also numbered in the reverse order. For me, this produced a particularly chilling effect because you could tell exactly how many pages were left of the protagonist's life. You can easily look at the last page of a book to see how many pages are left before the story is going to end, but that doesn't seem to provide the same effect that the reverse page numbering in Miranda does.

In any event, the parallel between a man moving backwards through time and the vendors who seemed to be moving backwards instead of forwards definitely struck me when I made my first circuit through the expo hall of the RSA Conference this year. I doubt that the vendors that I saw yesterday will suffer the same horrific end that the protagonist of Miranda did, but I doubt that things are going to work out well for them in the long run.

Monday, January 18, 2010

2009 reading

Last year I decided to keep track of the books that I read using a Google documents spreadsheet. Looking at this list, it looks like a plurality of the books were actually mysteries, and all of these were actually from the small specialty publisher Crippen and Landru. It looks like I read a total of 37 of their books last year. It was definitely time well spent.

Crippen and Landru specializes in printing or reprinting classic detective stories. They seem to emphasize the type of story in which the reader is shown all of the relevant clues before the story's protagonist solves the puzzle. I prefer that type of detective story over the stuff that's popular these days that I'd say is better classified as crime fiction instead of detective fiction.

In any event, Crippen and Landru publish two lines of limited edition books: Lost Classics and their regular line. The Lost Classics line reprints material that's fairly good, but not widely known. Examples of this are detective stories by Rafael Sabatini, who's better known for writing Captain Blood, or detective stories by western pulp writer Max Brand.

The regular line collects short stories from contemporary writers and its books include all sorts of interesting extra stuff. Some of the books include a page from the original typescripts for one of the stories in the book. Others include a short pamphlet that contains a story written by the author just for inclusion with the Crippen and Landru limited edition. All of them are signed by the author, and they'll probably be fairly valuable one day. Every one of these has been extremely good.

I still have quite a few Crippen and Landru books that are unread. But since they're easily outnumbered by the stacks of unread books that don't contain any mysteries at all, there's no guarantee that my list of books read in 2010 will have the same bias.

Friday, December 18, 2009

Was he really talking about PKI?

It's a vestige of the old superstitious Dark Ages when nobody knew anything and the whole world was sinking deeper and deeper into filth and disease and poverty and ignorance. It is one of those delusions that isn't called insane only because there are so many people involved.

Robert Pirsig, Lila

Wednesday, December 09, 2009

A trend in education?

There seems to be a trend in education where material that's cutting-edge research first gets taught in graduate-level classes and then, several years later, in undergraduate classes. Some even makes it into high-school classes. When my father went to college, for example, quantum mechanics hadn't made it into undergraduate classes yet, but by the time I was in high school it had worked its way into the chemistry class that I had. I may have come across an even more extreme example of this last week.

I noticed that the book Special Relativity, part of the MIT Introductory Physics Series, is listed on Amazon.com as being written at a level suitable for "young adults." That's the same audience that The Hobbit is apparently suitable for. Or Brian Jacques' Redwall series.

If special relativity is now suitable for young adults, I'd hate to guess where they're teaching quantum mechanics these days. Or cryptography.

Thursday, December 03, 2009

Blog to book software

A few people have asked me about creating a hardcopy book from the contents of this blog. Trying to find things to do other than look for errors in a math-heavy standards document, I recently tried out a couple of the available services that let you do this to see how hard it is and what's involved in doing it. I was stunned by how bad the available options were.

In one case, the first few posts were loaded into the book-making software with no problems, but the rest after that ended up badly garbled. That made that particular offering totally useless.

The next one I tried couldn't handle subscripts and superscripts, among other things, so it ended up being useless also.

I doubt that I'm the only person who does things like indenting text or using superscripts. Why can't the current versions of blog-to-book software handle the use of these things?

Friday, October 30, 2009

Ghosts, vampires and zombies

I recently came across "Cinema Fiction vs Physics Reality: Ghosts, Vampires and Zombies," by Costas Efthimiou and Sohang Gandhi. This paper discusses how ghosts, vampires and zombies are portrayed in books and movies and looks at what's actually possible and what's not.

Ghosts have lots of problems with physics at a very basic level. They can't both be incorporeal and do the things that they are shown to do in books and movies. That should be fairly obvious.

Vampires have problems with the exponential growth of the vampire population that they would cause. I hadn't thought of that before, but when you hear it, it's fairly obvious. Suppose that a vampire needs a single victim each year and that this victim then turns into a vampire. After one year, you have two vampires. These two create two more the next year. These four then create four more the next year, etc. This growth quickly gets out of control and leaves the entire world populated by vampires. So the fact that people exist is proof that vampires don't exist, at least not vampires as they're portrayed in books and movies. (This analysis might not be quite accurate because it doesn't account for the ability of people like Kristy Swanson to keep the vampire population in check, but it's probably close enough.)

It turns out that there's actually a factual basis for zombies. Maybe this is why Brian Keene's zombie books are so popular. I'm personally more fond of zombie stories like Robert Bloch's "Maternal Instinct," but I seem to be in the minority in this particular case. Much like people who think that reading papers about the physics of ghosts, vampires and zombies is interesting.

And it's apparently not just physicists who worry about zombies. Lucy Snyder, the wife of Gary Braunbeck, one of the best horror writers in the world, has written a book Installing Linux on a Dead Badger and Other Oddities that tells why people in the corporate IT world should worry about them.

Here's what this fine book has to offer:

  • "Installing Linux on a Dead Badger"
  • "Authorities Concerned Over Rise of Teen Linux Gangs"
  • "Your Corporate Network And The Forces Of Darkness"
  • "Faery Cats: The Cutest Killers"
  • "Graveyard Shift"
  • "Dead Men Don't Need Coffee Breaks"
  • "Business Insourcing Offers Life After Death"
  • "Corporate Vampires Sink Teeth Into Business World"
  • "Unemployed Playing Dead To Find Work"
  • "Trolls Gone Wild"
  • "The Great Vüdü Linux Teen Zombie Massacree"
  • "Wake Up Naked Monkey You're Going To Die"
  • "In The Shadow of the Fryolator"

There's also a book coming out soon that tells how Dante Alighieri was inspired to write the Divine Comedy, at least the Inferno part of it, by seeing the results of a zombie infestation. My copy should be arriving next week.

I'm sure that there's some way to make this relevant to information security, but I don't see it right now.

Monday, August 24, 2009

The National Cyber Leap Year Summit

The government’s current approach to cyber-security isn’t working. The government has apparently acknowledged this, and last week held the National Cyber Leap Year Summit, a meeting that was sponsored by the White House Office of Science and Technology Policy (OSTP) and the Federal Networking and Information Technology Research and Development Program (NITRD).

This event was designed to bring together experts from academia, industry and government to find “game-changing” ideas and ways to implement them. I was one of the people from industry who were invited to participate in this event, so I spent last week at the Crystal Gateway Marriott in Arlington, Virginia, talking about how to change the government’s approach to cyber-security.

I was one of very few representatives from security vendors at the meeting, and I’m not sure how to interpret this. There were industry representatives, like people from the big government contractors, but including people like that isn’t really the same thing as including security vendors.

From one point of view, it’s good to see that Voltage is being recognized as being a thought leader in the area of cyber-security. We’ve certainly created our share of innovations and continue to do so. On the other hand, it was also a bit puzzling that more security vendors weren’t invited. Even vendors that aren’t known for lots of innovation have a solid understanding of the security market, what the current threats are and how their customers are dealing with them, and we definitely could have used more of this point of view at the meeting to balance the views of academics and government people.

We talked about five main areas at this meeting:

  • Cyber-economics, or how to create the right incentives and disincentives that we need for cyber-security to succeed
  • Digital provenance, or how to base trust decisions on verified assertions
  • Health-inspired network defense, or how to move from forensics to real-time diagnosis of security problems
  • Moving-target defense, or how to ensure that attacks work only once, if at all
  • Hardware-enabled trust, or how to leverage hardware security to create a more secure computing environment

I’m not a big fan of management fads, so for me, the biggest downside to the meeting was the fact that the organizers tried to use the “colored hats” framework that Edward de Bono describes in his book Six Thinking Hats. Even this didn’t work out too badly, however.

The biggest problem was that even though the meetings went from roughly 8 am to 10 pm each day, that still wasn’t enough time to discuss any ideas in much detail. Because of this, many good ideas didn’t really get the attention that they deserve, and I hope that the organizers of the event will find a way to deal with this.

Over the next few days, I’ll be talking about some of the things that I learned at this meeting.

Monday, August 03, 2009

No bucks, no Buck Rogers

The Buck Rogers comic that ran in American newspapers from 1929 to 1965 is probably responsible for creating, or at least popularizing, many ideas that are taken for granted in today's science-fiction. Things like rocket ships, anti-gravity technology, traveling to other planets, and dealing with their non-human inhabitants that find human women irresistible. I was recently reading a collection of these classic comics when I noticed another element of advanced technology that appeared in the Buck Rogers comics, and that's paying by credit.

In comic number 694 from 1931, Buck Rogers and Wilma Deering have made it to the legendary undersea world of Atlantis. When they're shown the technological marvels that make it such an advanced place, universal payment by credit is one of these. Apparently, in 1931, paying by credit was one of those things that seemed an advanced idea that might become true at some point in the future, and had enough of a "wow factor" to justify its mention in the comic.

I don't know if people in 1931 read Buck Rogers and marveled at what it would be like if you could buy anything that you need using credit, but it seems that that's one of the few things from Buck Rogers that has actually come to be. We don't have flying belts or rocket ships, and we haven't met any aliens who have an unexplained attraction to Earth women, but we certainly have credit cards that are accepted more places than they're not. Maybe we'll have the others some day, too.

Tuesday, July 28, 2009

One fallacy down, several more to go

The Internet is good for some things. It certainly makes some types of research much easier than they once were. You once had to look up reference materials in a card catalog, find the material on your library's shelves, and then read through it to see if it contained the information you were looking for. This often took quite a while. It certainly took more time than just typing a few words into Google and clicking on "Google Search."

The Internet is also very useful when you start teaching your kids about logical fallacies. Pick almost any blog that discusses politics and you'll see more examples of logical fallacies than you used to see in your entire life in the pre-Internet days. When I stumble across examples of these fallacies, I often feel the urge to post things like "This is a good example of what's often called a 'false dilemma' or 'bifurcation fallacy.' Please refer to your college textbook on logic for more information, or click on this link to learn why your argument makes no sense whatsoever."

Maybe I'll actually do it some day.

One of the common logical fallacies is the so-called genetic fallacy, which says that an idea shouldn't be accepted or rejected based on its origin instead of on its merit. I suspect that a careful analysis of this particular fallacy would show that it's not really a fallacy, and this is because of the connection to Bayesian reasoning.

As I've mentioned before, Bayesian reasoning leads us to weighing people's opinions based on what we know (or think that we know) about them. Liberals are likely to misrepresent and distort the facts when talking about conservatives and their points of view, and conservatives are likely to misrepresent and distort the facts when talking about liberals and their points of view, for example. Because of this, we know that we can't trust what we hear, so the reasonable thing to do is use Bayesian reasoning that evaluates the chances of what we hear being true given everything else that we know (or think that we know). This means that the genetic fallacy is really nothing more than Bayesian reasoning at work.

Now it seems that Bayesian reasoning is a generalization of the usual Aristotelian logic that reduces to it in the special case that the hypotheses are either true or false. There's even an interesting book by E. T. Jaynes, Probability Theory: The Logic of Science, that describes exactly how this works. So if Bayesian reasoning is consistent with logic and the genetic fallacy is consistent with Bayesian reasoning, I'm inclined to believe that the genetic fallacy isn't really a fallacy after all. A logical fallacy, after all, is an error in reasoning, and it looks to me like the genetic fallacy really isn't an error. Instead, it's just taking advantage of all the available information to put new information into a useful context.

That just means that I won't feel compelled to point out a small fraction of the logical fallacies that I see on the Internet. Luckily, there are still enough others out there to keep me entertained for the foreseeable future.

Monday, July 06, 2009

Why do people work on open-source software?

As every individual, therefore, endeavours as much as he can both to employ his capital in the support of domestic industry, and so to direct that industry that its produce may be of the greatest value; every individual necessarily labours to render the annual revenue of the society as great as he can. He generally, indeed, neither intends to promote the public interest, nor knows how much he is promoting it. By preferring the support of domestic to that of foreign industry, he intends only his own security; and by directing that industry in such a manner as its produce may be of the greatest value, he intends only his own gain, and he is in this, as in many other cases, led by an invisible hand to promote an end which was no part of his intention.

Adam Smith, An Inquiry into the Nature and Causes of the Wealth of Nations

It's not hard to create a plausible economic model that explains why open-source software exists. One argument is that enterprise software has a minimum cost associated with developing and marketing it. These costs include the engineers that write the software, the people that test it, the sales engineers that install it at customer sites, the sales people who help customers through the sales cycle, the marketing people who let customers know what's available to solve their problems, etc. The total cost of all of these isn't cheap, so if a particular application isn't worth more than that fixed cost, it can't be the basis for a profitable business.

But if there's a demand for something at a lower cost, someone will probably find a way to make it happen. It's much like minimum-wage laws. There are some jobs that just aren't worth the minimum wage, and when this is the case, people find ways to get those low-value jobs done, even if it involves breaking the law. They might hire illegal immigrants for less than the minimum wage. Or they might agree to pay someone cash to avoid the taxes that, from the point of view of the employer, are also part of their cost of labor.

On the other hand, an argument like this only describes market forces, Adam Smith's invisible hand that makes things happen. It might explain why open-source software exists, but it doesn't really tell us why any particular person would make a decision to work on open-source software. That may require a different explanation. Here's one, and it's based on modeling contributing to open-source software as a tournament. It's much like the model that Steven Levitt and Stephen J. Dubner used in their book Freakonomics to explain why so many drug dealers earn roughly the equivalent of the minimum wage.

It turns out that almost all drug dealers don't make very much money. These are the ones that actually sell the drugs on the streets. The real money is in managing an organization of drug dealers, and Levitt and Dubner describe how the entry-level drug dealers tolerate the low pay because they hope to eventually become one of the managers. In this sense, drug dealing can be modeled as a tournament that selects the most fit drug dealers and promotes the winners into the more lucrative jobs.

Maybe this model also applies to open-source software. After all, being a recognized contributor to a big, successful open-source project is also a good way to get a high-paying programming job. So it might be the case that the programmers who donate their time to open-source projects do this in the hope of becoming an open-source superstar one day. This doesn't sound obviously false, and it does give you a good way to start a conversation: "Did you know that open-source programmers are like drug dealers?"

Wednesday, July 01, 2009

The Virginian goes to the RSA Conference

Owen Wister's 1902 novel The Virginian was one of the first books that might be called a "western." It essentially defined the western genre and established many of what are now its clichés. One of my favorite parts of this book is when the Virginian ends an uprising by disgruntled cowboys by beating their leader in a tall tales contest. I'm often reminded of this showdown when I hear claims made by the marketing departments of security vendors, and it's entertaining to think of how a similar epic battle might take place today.

Imagine we're at next year's RSA Conference, drinking the free beer that some generous vendor has provided. A CISO from a big company is here. He's never been to the show before and doesn't realize that he'll be swarmed by vendors if he attends an event like this one. To get his attention, the sales and marketing people from lots of security vendors make more and more outlandish claims about their technology.

There's someone there from a vendor that makes products that are designed to counter the insider threat. After a beer or two, the people at the party have forgotten that there's absolutely no basis for the claims that most attacks come from insiders, so they listen to him. He quotes some statistics from analyst reports that nobody has heard of and ends up with the estimate that over 150 percent of attacks come from insiders.

People are impressed, but take a quick break to get another beer. Surely someone can do better than that.

Next is someone from a tokenization vendor who claims that tokenization is actually more secure than encryption. Encryption is hard to understand when you've had a good night's sleep and a couple cups of coffee, and the free beer has made sure that nobody at the party is able to even come close to understanding it now. The lone cryptographer who's at the party is impressed by the daring that it took to make that claim, even to a room full of people drinking free beer, so he doesn't challenge it.

Unable to think of a way to one-up this, the other vendors gradually walk away, leaving the tokenization vendor alone with the CISO.

Friday, May 15, 2009

Free shipping

It turns out that you can now get this blog on your Kindle e-book reader for only $1.99 a month. Other items that Amazon.com sells aren't quite as cheap. I stumbled across a textbook today that actually sells for $7,790. This is Nuclear Energy, by many contributors.

Here's the product description:

The three volumes VIII/3A, B, C of Energy Technologies should primarily serve scientists, engineers, and students to gain information on physical, chemical, and technical properties of all technologies to provide, convert, distribute, store, and finally use energy. They are supplemented with economic background information and with specific concepts, to allow the reader a proper comparison of different energy technologies. In this way these volumes on energy technologies should help human society pave the way towards sufficient and environmentally safe provision and use of energy. The various contributions have been written by experts from all around the globe working in universities, public research institutions, and private industrial companies.

One of the targets is students, but how many students can afford a book that costs $7,790?

On the bright side, you definitely qualify for free shipping if you buy this book. Or you could save 20%, or $1558, if you decide to read Nuclear Energy on your Kindle instead of getting a printed copy. At least it's not as bad as Mrs. Skagg's Husbands, which you can't get for anything less than $7.6 million. That's not available for the Kindle yet, though.

Friday, March 27, 2009

Ping

Back on March 7, 1999, "A reader from Upper Volta, Uzbekistan" posted the following review of the book The Story of Ping on Amazon.com. The Story of Ping is a children's book about the adventures of a duck named Ping who lives in China. Here's what the reader from Uzbekistan said about this book. This was even mentioned on the web page of Mike Muuss, the person who wrote the first version of the UNIX utility ping.

Excellent, heart-warming tale of exploration and discovery. Using deft allegory, the authors have provided an insightful and intuitive explanation of one of Unix's most venerable networking utilities. Even more stunning is that they were clearly working with a very early beta of the program, as their book first appeared in 1933, years (decades!) before the operating system and network infrastructure were finalized.

The book describes networking in terms even a child could understand, choosing to anthropomorphize the underlying packet structure. The ping packet is described as a duck, who, with other packets (more ducks), spends a certain period of time on the host machine (the wise-eyed boat). At the same time each day (I suspect this is scheduled under cron), the little packets (ducks) exit the host (boat) by way of a bridge (a bridge). From the bridge, the packets travel onto the internet (here embodied by the Yangtze River).

The title character -- er, packet, is called Ping. Ping meanders around the river before being received by another host (another boat). He spends a brief time on the other boat, but eventually returns to his original host machine (the wise-eyed boat) somewhat the worse for wear.

The book avoids many of the cliches one might expect. For example, with a story set on a river, the authors might have sunk to using that tired old plot device: the flood ping. The authors deftly avoid this.

Who Should Buy This Book

If you need a good, high-level overview of the ping utility, this is the book. I can't recommend it for most managers, as the technical aspects may be too overwhelming and the basic concepts too daunting.

Problems With This Book

As good as it is, The Story About Ping is not without its faults. There is no index, and though the ping(8) man pages cover the command line options well enough, some review of them seems to be in order. Likewise, in a book solely about Ping, I would have expected a more detailed overview of the ICMP packet structure.

But even with these problems, The Story About Ping has earned a place on my bookshelf, right between Stevens' Advanced Programming in the Unix Environment, and my dog-eared copy of Dante's seminal work on MS Windows, Inferno. Who can read that passage on the Windows API ("Obscure, profound it was, and nebulous, So that by fixing on its depths my sight -- Nothing whatever I discerned therein."), without shaking their head with deep understanding. But I digress.

Someone at Amazon.com, probably one of those managers who were overwhelmed by the technical aspects of the book, apparently decided that this review wasn't serious enough and removed it. Fortunately, this review is back, although under the name of a different reviewer. It's now actually rated as the most helpful review.

Wednesday, March 18, 2009

Going Postal

The Post Office lost yet another package of mine. This happens at least once per year and it's always for the same reason. The letter carrier scans the delivery confirmation bar code of a package while sitting in the truck but forgets to actually carry the package to my house. The package then gets returned to the Post Office, where it sits in limbo until I can convince the Post Office to track it down. They usually don't want to do this because the package shows as being delivered in their system even though it wasn't actually delivered.

I finally realized why this happens. It's easier to tell the story of how this came to be instead of giving the precise details, so here's "Going Postal."

Come to think of it, this might actually explain more than my missing packages.

Going Postal

When the doorbell for Shocker Books rang at precisely 10 am, Larry Schwartz knew that it had to be the mailman. Other visitors to his store were very rare these days. Although he still had a brick-and-mortar store that housed his inventory of rare and expensive horror books, almost all of his sales were now orders that he took over the Internet and shipped to his customers.

This made the Post Office an important part of his business, but because the Post Office was one of the most efficient and well-run organizations in the world, he had complete confidence in the white-uniformed mailmen that called twice a day to make deliveries from publishers and to pick up his shipments to his customers. Larry’s business was booming, and the Post Office was an important part of its success.

When the doorbell rang again about an hour later, Larry was surprised to see Mike Campbell at the door. Mike was an old friend from college whom he hadn’t seen for quite a while. While Larry had followed his dream of opening a bookstore, Mike had gone into the army and had fought in the Gulf War back in 1991. After catching up on the events of the past few years, Mike showed Larry the antique, leather-bound book written in Arabic script that he was carrying and explained how he was interested in selling it.

“I’ve had it in storage in a safe deposit box at my bank for the past few years,” said Mike. “I picked this up in Iraq and held onto it, hoping to sell it one day. You’re the expert on this stuff, and I was hoping that you could take a look at it and tell me if it’s worth anything.”

They agreed to meet again in a few days after Larry had had time to look at the book and assess its value, and Mike left Larry to process the huge backlog of orders that he had.

Later that day Larry started to get paranoid. It might just have been his imagination getting the better of him, but he was sure that he had seen suspicious figures lurking outside his store ever since Mike left. Following the example of Sam Spade in The Maltese Falcon, Larry decided to mail Mike’s book to himself to avoid the possibility of it being stolen that night. There was still time to get it into the 5 pm mail pickup, so he carefully packaged the book in bubble wrap, put it in a box addressed to himself, and gave it to the mailman when he came later that day.

That night, Larry received a panicked phone call from his friend.

“Be careful with that book,” said Mike. “I’ve learned that it’s a copy of the Al Azif by an Arab named Abdul Alhazred. It’s related to the occult in some way and it’s evil. Very evil. It’ll corrupt everything that it comes in contact with, so keep it away from your expensive books. Don't worry - I’ll come by tomorrow to pick it up.”

Larry made his living dealing in books that told stories with supernatural elements, but didn’t actually believe in the supernatural himself. This made it easy to write off his friend’s concerns, but he would still be glad to be rid of the book and the irrational fears that it seemed to cause.

The next morning was fairly leisurely. Few orders had come in overnight, so Larry actually had time to enjoy his morning coffee and read one of the books in his inventory. Time passed so quickly that Larry didn’t even notice that it was afternoon before the mailman came. The sound of the damaged box being thrown to the ground outside his door caught his attention, as did the blue uniform that he saw on the mailman as he walked away.

Mike was right.

Tuesday, March 10, 2009

Mehrabian's rule

Albert Mehrabian’s 7-38-55 rule is almost always misinterpreted. These misinterpretations probably aren’t too far from the truth, however, and they can probably explain why the Internet is such an obstacle to communicating effectively. Mehrabian’s 7-38-55 rule actually says that when we communicate face-to-face, how well we like the person that we’re communicating with depends on three factors: the words used, the tone of voice used, and the body language used. He first described this in his 1971 book Silent Messages, where he estimated that 7 percent of the overall level is due to the words used, 38 percent is due to the tone of voice used, and 55 percent due to the body language used.

This is often generalized to saying that in any face-to-face communication 7 percent of the information that we send is verbal, 38 percent is sent in our tone of voice and 55 percent is sent through body language. Mehrabian’s research doesn’t actually support this generalized result, but that hasn’t stopped people from calling this conjecture “Mehrabian’s rule,” or inaccurately attributing the generalized result to Mehrabian.

It’s probably the case that most communication is non-verbal, even if it doesn’t follow the 7-38-55 rule, and that’s why the Internet causes so many problems. Even if the exact fraction of the information that’s lost when we communicate on-line isn’t exactly 93 percent, it’s probably a significant part of it, and this causes many more misunderstandings than you would ever get face to face. Here’s an example of how this recently affected me.

There are now three IETF RFCs that describe identity-based encryption and how to use it in secure email. While getting one of these standards through the IETF bureaucracy I had to get three new media types defined for the types of data that get transported over HTTP when IBE is used: IBE public parameters, an IBE private key request and the IBE key that a key server returns to a user.

There’s a mailing list where you propose new media types and other list subscribers get to critique your proposal. In my case, we had a heated debate over my proposal that turned out to be just over a slight misunderstanding in how one particular parameter was defined. If we were sitting down face to face, this misunderstanding would have been obvious almost immediately. But because we were only communicating over email, lots of information was lost. Maybe it wasn’t exactly 93 percent of it, but it was a significant amount. This led to wasting several days in a debate that wouldn’t have taken more than a few minutes to settle face to face.

Lots of communications over the Internet seem to be plagued by the same problem, and because there’s no easy way to indicate tone of voice or body language over the Internet, we’re probably stuck with the imperfect communication that it allows. I suppose that you could write an IETF standard of some sort that might help fill the gaps in communication that the Internet creates, tags like <humor> and </humor> that you could use to indicate where you’re not being serious. But because you’d have to develop this standard over the Internet, it would be much harder to do than it needs to be.

Tuesday, March 03, 2009

The Winchester Horror

I just finished reading The Winchester Horror, by William F. Nolan, the writer who's probably most famous for Logan's Run. The Winchester Horror is a novella that tells the story of a ghost that haunts the Winchester mansion in San Jose, California. If you don't have much time to read, novellas are great. They let you trick yourself into thinking that you're reading more than you really are because they're much shorter than most other books. Between January 1, 2009 and March 1, 2009, I actually managed to read 18 books. This may sound impressive, but when you consider the fact that that time includes part of my Christmas vacation and that most of the 18 books are actually novellas, it actually turns out to be much less impressive.

The Winchester mansion was built by Sara Winchester from 1884 to 1922 at a cost of roughly $5.5 million. Apparently, she was concerned that the ghosts of people killed by Winchester firearms would kill her if she stopped construction of the unusual building. The result of this 38-year project is a 160-room house that's truly bizarre. It has only 17 chimneys for its 47 fireplaces. It has stairs that lead to the ceiling. It has cupboards that open onto brick walls. It even has a door on one of the upper floors that opens onto a drop straight to the ground below. Much of it doesn't make any sense at all. It seems to have been built without much planning, and it was fairly expensive. In other words, it's just like today's computer networks.

Much like the Winchester mansion grew in an unplanned way into what's there today, today's networks have also evolved in a similar way. And just like it's hard to make sense of some parts of the Winchester mansion, it's also hard to understand exactly how some networks could have ever got to the point where they are now. Nobody lives in the Winchester mansion today – it's now a tourist attraction. After Sara Winchester's death, it probably proved to be too annoying to actually live in. Unfortunately, it's not practical to just walk away from the networks that have grown over time into the unwieldy beasts that they are today. And although they may seem to be just as confusing as the Winchester mansion, it's unlikely that we'll be able to turn them into attractions that we can charge admission to, so we're stuck using them.

Because they've grown over time instead of being carefully planned, it's always very difficult to integrate two or more networks. Businesses often try to do this when they acquire other companies or try to work more closely with partners, and it's almost always much harder than you think it's going to be. You may have your version of the Winchester mansion, but the people that you want to integrate with have their own version, and it hasn't evolved in the same way that yours did. Your network may assume that all of your data is handled by the equivalent of the stairs that lead to the ceiling, and the other network may assume that all of its data gets handled by the equivalent of the cupboard that opens onto a brick wall. Getting these two networks to work together can be hard. Sometimes it's even impossible.

It's well known that most acquisitions don't work out very well. Incompatible corporate cultures are one big cause of this, but I have to wonder how many of these failures can be traced to the difficulties in getting different networks to work together.

Wednesday, February 18, 2009

The engineer's tale

A “frame story” is one in which the author uses some sort of meta-story to link together several shorter stories. This trick has been used for at least 3,000 years, going at least as far back as the Mahabharata, which was probably written starting in roughly the 8th century BC. It worked so well that One Thousand and One Nights, also known as Arabian Nights, used it again several hundred years later.

Even later came the Decameron and The Canterbury Tales. In both of these, the meta-story explains why the characters who tell the shorter stories happen to be together. In the case of the Decameron, they’ve fled the city because of the plague. In The Canterbury Tales, they’re on a pilgrimage to Canterbury Cathedral. In both these cases, they tell stories to pass the time.

This trick has worked so well over the years that it might be time to make an updated version that reflects what more contemporary people might do to pass the time these days. You could easily have a meta-story in which a group of executives flee their corporate headquarters to an off-site meeting in Las Vegas and tell stories to pass the time until they return to work. That might not be feasible, however. These people talk about things like “leveraging core competencies to execute game-changing paradigm shifts.” It’s hard enough to translate the medieval Italian of the Decameron into modern English. Imagine how difficult it would be to try to translate those sorts of phrases into any modern language at all.

Maybe a better idea would be Silicon Valley Tales: while the executives are in Las Vegas trying to figure out how leverage their core competencies, the workers at a Web 2.0 start-up in Palo Alto pass the time by telling stories instead of working, and these stories make up this collection. You have an engineer, a sysadmin, a product manager, an executive assistant, a tech writer, a sales manager and a consultant. All the others have taken advantage of the executives’ absence and are working from home, leaving only these few in the corporate headquarters building. After a few hours of boredom, they all decide to go to Fry’s for lunch, and tell stories to pass the time as they're stuck in traffic on Highway 101. Maybe that’s not such a good idea. It would be tough to fit all seven people into a single car for this trip, so that particular meta-story might require more suspension of disbelief than most readers are willing to tolerate.

I'll start work on the engineer's tale as soon as I get some free time.

Monday, February 09, 2009

Epithets

Epithets are common in classical Greek and Roman literature. An epithet is a descriptive phrase that's commonly attached to the name of a person, place or thing. For example, in the Iliad, Hector is called "tamer of horses" 410 times. Achilles is often called "swift-footed." He's actually called "shepherd of the people" much more often, but "swift-footed" is the epithet that people seem to most often remember for him.

Epithets were useful in classical literature because it was often memorized instead of being written down, and having a stock phrase that's commonly used makes memorizing things easier. Works like the Iliad are also written in dactylic hexameter, so it was probably easier for the author to have a stock phrase that fit the meter that he could use again and again. Sort of an early version of object reuse.

So you might wonder what epithet would be used for more contemporary people in the unlikely event that an epic poem in classical Greek is written about them. Ronald Reagan might be the "fighter of the Cold War." You can probably think of all sorts of clever epithets for other modern politicians. Most of these will strongly depend on whether or not you are a supporter. For some, it might even be appropriate to reuse the epithet of Thersites. He was a Greek soldier in the Trojan War who was often referred to in the Iliad as "loose tongued," which is sometimes translated as "of the endless speech."

If you really get carried away, you might even start to wonder what a suitable epithet for yourself might be. In my case, it could be based on my experience with getting Voltage's Common Criteria certification. This process involved overwhelming amounts of paperwork, so I might be one day known as the "slayer of trees." That almost sounds heroic, although it's certainly not in the same league as Odysseus, who was known as "sacker of cities," or "mastermind of war."

Wednesday, January 21, 2009

CERT coding standards

Writing software that works correctly is hard enough. Writing software that works securely is even harder, but the CERT Coding Standards at least provide a good checklist of things to do or not do if you’re programming in C, C++ or Java. Following these checklists won’t guarantee that you’ll avoid all security problems that software can have, but you’ll be much less likely to make the really common and obvious mistakes. Following these standards to write secure code isn't easy, however. The book that discusses just the standard for secure coding in C has 720 pages.

Wednesday, January 07, 2009

The future of the Internet

A non-generative information ecosystem advances the regulability of the Internet to a stage that goes beyond addressing discrete regulatory problems, instead allowing regulators to alter basic freedoms that previously needed no theoretical or practical defense.

J. Zittrain, The Future of the Internet and How to Stop It

I recently heard that Jonathan Zittrain's book The Future of the Internet and How To Stop It was worth reading. There are supposed to be interesting insights into information security in this book, along with a discussion of ways that it either will or will not work on the Internet. I started reading this book over my recent Christmas vacation but had to give it up after a while. There may be useful insights in this book, but I couldn't understand exactly what it was trying to say in many places. The quote above is from one of those places.

I can't quite understand stuff that's written this way. That doesn't mean that it's a bad book; it just means that it's written in a way that's not suitable for me. You can even download a free copy of the book here if you want to take a closer look at it. If the style of the quote above doesn't bother you, you'll probably be able to find those useful insights that others have found in this book.

After I put down The Future of the Internet and How to Stop It, I picked up a copy of The Cellar by Richard Laymon, which I managed to finish in a few hours. The Cellar is a horror novel from the '80s in which you learn what's been killing unlucky visitors to a small town in California. It has absolutely nothing to do with information security, but that turns out to be OK every now and then.
