Miscellaneous

Tuesday, 31 January 2012

Government workers are indeed overpaid

I just came across an interesting study by the Congressional Budget Office. According to the CBO, it looks like most government employees are indeed paid too much. Oddly enough, the degree of overpayment seems to be inversely related to education - the less education government employees have, the more they're overpaid.

Government employees with no more than a high-school education make about 21 percent more in wages alone than their private-sector counterparts and a full 72 percent more in benefits. On the high end, however, people with professional degrees and PhDs actually make less working for the government than they would in the private sector: 23 percent less in wages alone and roughly the same level of benefits.

Perhaps this explains, at least in part, how recent research (PDF) has shown that the government actually has no problem at all in finding qualified information security workers.

Wednesday, 11 January 2012

What too much information does

What information consumes is rather obvious: it consumes the attention of its recipients. Hence a wealth of information creates a poverty of attention, and a need to allocate that attention efficiently among the overabundance of information sources that might consume it.

Herbert A. Simon, "Designing Organizations for an Information-Rich World," Computers, Communication and the Public Interest (1971)

Note the date of this. It's well before the rise of the Internet. But it was apparently just as true back then as it is today.

Friday, 30 December 2011

The most useless rankings possible

I was recently talking to someone who had a complaint about my use of the sucks/rocks meter to measure the relative popularity of various things related to information security. He essentially said, "Can't you find less relevant things to look at?"

This seemed like an odd request. But the person who made it works for a company that's a big customer of Voltage's, so here's my attempt at this.

What could be less relevant than the relative popularity of Myers-Briggs personality types?

Note that the type that people in the information security industry tend to have (INTJ) is the most popular of the introverted types and the third most popular type overall.

Blog - sucks-rocks 1 
 

What about the relative popularity of letters of the alphabet?

Why is the letter "I" so unpopular? Could it be that some people just don't feel comfortable with square roots of negative numbers?

Blog - sucks-rocks 2 

And what about the relative popularity of the magic words from the classic interactive fiction game Adventure?

Why do people dislike the word "plugh" so much? If you're trying to get from inside the small brick building to Y2, that's the easiest way to do it.

Blog - adventure 

Thursday, 29 December 2011

Another use for a math joke

In a previous post I described a possible way to use a math joke in interviews to help select high-quality employees. An alert reader suggested that this particular joke could also be used to select high-quality employers. He suggested telling it in an interview and not working for anyone who didn't understand it.

This could lead to an interesting conversation.

"Do you have any questions that you want me to answer?"

"Actually, yes. I know a particular joke. It's proven to be very useful to help screen potential employers."

"But what does that have to do with this particular job?"

"Well, it's just as relevant as some of the things that you've asked me in the past hour or so - like explaining why manhole covers are round. If these questions were designed to give you an idea of how I think and how I solve problems, why shouldn't I evaluate you guys in the same way?"

Friday, 23 December 2011

What color pen to use (again)

A while ago I told of how I had an annoying encounter with a government bureaucrat who tried to insist that I needed to sign some paperwork with a BLACK pen instead of a BLUE pen. An alert reader just pointed me to a government regulation that might explain why this particular person eventually decided to accept my paperwork, even though I had signed it with a BLUE pen.

This regulation is AR 25-50 (PDF), "Preparing and Managing Correspondence." Its Section 1-21 (Ink color) says:

Use black or blue ink to sign correspondence.

This doesn't prove that BLACK ink is allowed on all government paperwork, of course, but it seems to be fairly strong evidence in favor of it.

Wednesday, 07 December 2011

My Progress Bar

As I've mentioned in the past, I'm a big fan of the on-line game Progress Quest, a parody of MMORPGs in which you don't actually have to do anything to get your character to increase in level. If you really want to, you can watch the progress bar for your character slowly move towards 100 percent completion, but since that can actually take a few months at the higher levels, that's probably something that only government employees will be able to find the time for.

It seems that someone has taken the idea of a progress bar and applied it to another situation that many people might find useful: counting down to the end of their working day. The application that does this is My Progress Bar. Here's a screen shot of this fine application in operation.

Progress1

It even has a "Disguise" setting, which labels the application's window as "Critical Patch Installation" instead of the default "Work Day Progress." Here's what that looks like.

Progress2

If your company's security policy allows it, this is definitely the sort of application that you should consider installing and running.

Monday, 28 November 2011

The Journal of Universal Rejection

Anyone who's submitted anything for publication knows how stressful waiting to get feedback on your submission can be. Even after you've been published over 100 times, when you hit "Send" to make a submission, you still feel like a 13-year-old boy asking a girl out on a date for the first time, feeling fairly sure that she's going to laugh at you and then tell all of her friends what an idiot you were.

It turns out that there's a journal that can help eliminate that stress. They don't guarantee acceptance. Instead, they guarantee rejection. Somewhat appropriately, this publication is called the Journal of Universal Rejection. Here's how the publication's web site describes it:

The founding principle of the Journal of Universal Rejection (JofUR) is rejection. Universal rejection. That is to say, all submissions, regardless of quality, will be rejected. Despite that apparent drawback, here are a number of reasons you may choose to submit to the JofUR:

  • You can send your manuscript here without suffering waves of anxiety regarding the eventual fate of your submission. You know with 100% certainty that it will not be accepted for publication.
  • There are no page-fees.
  • You may claim to have submitted to the most prestigious journal (judged by acceptance rate).
  • The JofUR is one-of-a-kind. Merely submitting work to it may be considered a badge of honor.
  • You retain complete rights to your work, and are free to resubmit to other journals even before our review process is complete.
  • Decisions are often (though not always) rendered within hours of submission.

This almost sounds too good to be true.

    Imagine the thousands of product managers who can use this journal to (honestly) tell their VP of Marketing, "Yes, I submitted that extremely biased article on why our technology is the greatest thing since the invention of sliced bread, but I'm afraid that it was rejected."

    And the best part is that they can now do this without having to spend lots of time writing and editing a 3,000-word draft that includes lots of fancy graphics. Instead, a much shorter version is also guaranteed to get rejected.

    And if this idea sounds like the sort of thing worth encouraging, you can even buy JofUR-branded stuff at their CafePress store. When I find myself with $25 and no better use for it, I might even buy one of their t-shirts, but that seems unlikely to happen any time soon.

    Tuesday, 01 November 2011

    Free to Swim Day

    An alert reader pointed out that we might want to call today "Free to Swim Day" because today's the day when it's legal again to go swimming in King County, Washington, without wearing a life jacket. This had been banned through October 31 by King County Ordinance 17124, which required the following:

    All persons who are on or in major rivers in King County shall wear a personal flotation device at all times. A person is on a major river if that person is floating in or upon any type of buoyant device, including but not limited to any boat, raft, log raft, vessel, watercraft, air mattress, inner tube, surfboard, sail board, canoe or kayak, on the waters of any major river as defined in this title. A person is in a major river if that person is swimming or wading more than five feet from shore, or in water more than four feet in depth and that person is not within the boundares [sic] of a designated public swimming area, engaging in skin diving as defined and regulated by this title or is a person over eighteen years of age and is an angler fishing while wading in the river.

    So it's not just in the field of IT security where it's getting harder and harder to comply with all of the laws and regulations that tell you what you can and can't do.

    Friday, 28 October 2011

    More unexpected Google ads

    I got some more unexpected Google ads recently, this time for phlebotomy (drawing blood samples) certification classes. This seemed particularly strange because I got this particular ad while reading a Gmail message about when a particular key management standards group was going to meet next.

    I'm fairly sure that I haven't received any Gmail messages even remotely related to phlebotomy recently, so I had to wonder exactly what words the phlebotomy trainers used to target their ads. Do people who work on key management standards often decide to give up key management and try a career in phlebotomy instead? Or is there a better explanation for this?

    Friday, 21 October 2011

    What I learned from the Internet today

    I learned something interesting on the Internet today - that lots of people worry about "ad homonym" attacks. These are apparently frowned upon by some people, although the term probably doesn't mean what they think it means. To clarify things, here's my definition of it:

    Ad homonym attack: something that sounds like a personal attack but really isn't

    Friday, 07 October 2011

    2600 magazine is popular on the Kindle

    I just noticed that 2600 is now the number 11 best-selling magazine for the Kindle. That's more popular than PC Magazine, Harvard Business Review or National Geographic. I don't know how many readers that actually represents, but it's probably a lot.

    Monday, 03 October 2011

    Google public data explorer

    I just learned that Google provides a way to explore and visualize lots of public data about the state of the world. There's not much information about information security in the data that's available to look at, but there are some things that are closely related. In some cases you need to look carefully at what the data is really telling you.

    Here's a graph that I made using this service that compares the number of Internet users in the US and China. Note that this particular graph doesn't tell you the units for the vertical axis. It turns out that that's the number of Internet users per 100 population, but I had to follow a few links to the original data set to find that.

    Most of the data sets seem to do a better job of displaying what the units of the data are. Here's an example where the units on the data are clear.


    There's lots of other data out there that could benefit from a similar web interface. There's lots of data at the US government's data.gov web site, for example, but data.gov doesn't provide an easy way to visualize the data that it provides.

    Thursday, 29 September 2011

    There's even an app for Fed data

    If you're interested in how the US economy's doing, the best place to get reliable data is probably the US Federal Reserve. It turns out that you can even get the Fed's FRED data on your iPhone now. (I assume that "FRED" stands for "Federal Reserve Economic Data," but I'm too lazy to check right now whether that's right.)

    This won't make me go out and buy an iOS device, but it'll probably get me to download the app to one of the devices that my wife or sons have. And then borrow their devices on a regular basis.

    Monday, 26 September 2011

    Delinquency rates for loans

    More fascinating data from the US Federal Reserve about the state of the financial sector. This time it's the delinquency rate for loans. Here's how things look:

    Delinquency rates

    I found two things in that data that I didn't expect to see. First, the current delinquency rate really isn't dramatically higher than it was back in the late '80s to early '90s. I also didn't expect to see the rate elevated for so long during that same time period.

    Thursday, 22 September 2011

    Security by Otis Redding

    An alert reader pointed out that there's a song by soul music legend Otis Redding called "Security." I'm a bit surprised that I haven't heard this at any information security trade shows.

    Here's the song on YouTube.

    Tuesday, 20 September 2011

    Scientists and social workers of the world unite!

    I just received another of those invitations to contribute a paper to a journal of questionable value. This one seemed even more questionable than usual. This journal's goal is "to provide a forum for scientists and social workers to present and discuss issues in wireless engineering and technology."

    Scientists and social workers?

    Maybe they couldn't get enough contributions for either a scientific journal or one on social work and decided to merge the two together. Or is there a better explanation?

    Monday, 19 September 2011

    Are banks still making loans?

    From what you read or hear in the news, you might think that banks have essentially stopped making loans in the past few years.

    But is this really true?

    Here's data from the US Federal Reserve for the average loan volume of US banks over the past couple of decades.

    Loans 

    So although the amount of loans has indeed decreased recently, it certainly hasn't stopped. There's definitely more volatility recently than we've seen in the past, however.

    Abducted by aliens?

    On a recent trip I got out of a meeting fairly late one night and had to drive another five hours to my hotel. When I woke up the next morning, my left elbow was badly skinned, my left thigh was very sore, and I had no memory of how I got this way. (And no, I was not drinking.)

    Now if I were a character in a movie, here's how things would go. Over the next few weeks I'd start to remember more and more about what really happened. I'd have disturbing dreams about being strapped to a stainless steel table under bright lights and surrounded by tall, thin humanoid beings with oddly triangular heads and abnormally big eyes.

    And then I'd realize that they were coming back for me. There would be a bright light outside my house one night that would somehow make everything inside shake violently. Then the aliens themselves would appear at the door and...

    So if real life is anything at all like Hollywood depicts it, I may not be around much longer.

    Wednesday, 14 September 2011

    T-shirts bad, mugs good

    After seeing the graphs of projective elliptic and hyperelliptic curves in previous posts, some people asked if I could get t-shirts or other things made with those pictures on them.

    Unfortunately, the pictures that POV-Ray creates seem to be too small to be used on t-shirts. On the other hand, they seem just fine for other things like coffee mugs, etc. So if anyone's interested in getting one of those, let me know and I'll get CafePress set to make them.

    Tuesday, 13 September 2011

    Rot13 twice

    When you're working with potential customers of information security products you often come across people who really don't understand the technology. And there's nothing at all wrong with that. Information security is a fairly arcane area, and encryption is probably the most arcane part of this arcane field. But you meet people now and then who don't know what they don't know, and it can be tricky to work with people like that. A former coworker recently told me a story about how he dealt with one of these people.

    At one particular customer, the story went, there was a person who always had to ask questions about something. Many of these were about things that he knew absolutely nothing about. Many of them were also totally irrelevant to the solution that was being discussed. In the middle of a presentation, this person suddenly became interested in how a particular bit of data was encrypted.

    "We just use Rot13 twice," said the annoyed sales engineer.

    "Oh, OK," said the potential customer.

    Apparently some of the other people understood what this meant because they snickered silently behind their coworker's back. But the answer was apparently good enough, because the deal was eventually closed, showing that even Rot13 applied twice can sometimes be good enough.

    Friday, 09 September 2011

    It looks like things are getting better for banks

    Here's how the charge-off rate for US banks changed over the past few years. It looks like the worst is now behind them.

    Banks

    Wednesday, 07 September 2011

    1000

      1111111         000000000           000000000           000000000    
     1::::::1       00:::::::::00       00:::::::::00       00:::::::::00  
    1:::::::1     00:::::::::::::00   00:::::::::::::00   00:::::::::::::00
    111:::::1    0:::::::000:::::::0 0:::::::000:::::::0 0:::::::000:::::::0
       1::::1    0::::::0   0::::::0 0::::::0   0::::::0 0::::::0   0::::::0
       1::::1    0:::::0     0:::::0 0:::::0     0:::::0 0:::::0     0:::::0
       1::::1    0:::::0     0:::::0 0:::::0     0:::::0 0:::::0     0:::::0
       1::::l    0:::::0     0:::::0 0:::::0     0:::::0 0:::::0     0:::::0
       1::::l    0:::::0     0:::::0 0:::::0     0:::::0 0:::::0     0:::::0
       1::::l    0:::::0     0:::::0 0:::::0     0:::::0 0:::::0     0:::::0
       1::::l    0:::::0     0:::::0 0:::::0     0:::::0 0:::::0     0:::::0
       1::::l    0::::::0   0::::::0 0::::::0   0::::::0 0::::::0   0::::::0
    111::::::111 0:::::::000:::::::0 0:::::::000:::::::0 0:::::::000:::::::0
    1::::::::::1  00:::::::::::::00   00:::::::::::::00   00:::::::::::::00
    1::::::::::1    00:::::::::00       00:::::::::00       00:::::::::00  
    111111111111      000000000           000000000           000000000    

    Tuesday, 06 September 2011

    Foreclosure rates and identity theft

    It looks like the states with the highest mortgage foreclosure rates also have some of the highest rates of identity theft. Here are the five states with the highest foreclosure rates along with their corresponding identity theft ranking (with one being the worst out of all 50 states, etc.).

    State         Foreclosure ranking    ID Theft ranking
    Florida       1                      1
    Arizona       2                      5
    Texas         3                      12
    California    4                      10
    Nevada        5                      2

    Friday, 02 September 2011

    A song for Friday

    It's the Friday before a holiday weekend yet again, so it must be time to listen to the song "Crypto" by Bob Rivers today.

    Thursday, 01 September 2011

    Microsoft is amazingly successful

    The recent news about Apple temporarily becoming the world's most valuable company apparently didn't consider Microsoft. Here's part of a screenshot from one of the lead generation tools that one of our sales people was using earlier today. I'm not sure where the information came from, but this seems to indicate that Microsoft has roughly $55,122,000,000,000,000,000,000,000,000 in revenue. Maybe they should just use some of that money to buy Apple. And Exxon. And IBM.

    Microsoft 

    Monday, 22 August 2011

    Not quite a Freudian slip

    This probably doesn't technically count as a Freudian slip, but I've noticed that I've started to misread "privacy" as "piracy" a lot recently. So I've ended up wondering why web sites have piracy statements or why my insurance company is mailing me their new piracy statement. I haven't had to do any government paperwork recently, but if I had, I'd probably have ended up wondering why the government felt compelled to cite the piracy act on every one of their forms.

    Tuesday, 02 August 2011

    A pre-dot-com palm pilot

    An alert reader who came across my picture of my dot-com-era Palm Pilot reminded me that we had an early version of this device in the army back in the Cold War. Here's an example of one of these being used for temporary storage of PII.

    Palm1 

    Monday, 01 August 2011

    Why you should avoid me on LinkedIn

    I just received an interesting email from LinkedIn: apparently over 13 percent of my LinkedIn connections started a new job in the first half of 2011.

    At that rate, I can expect about 25 percent of my connections to start a new job at some point in 2011.

    That's a much higher rate than the typical labor turnover rate, which, according to the Bureau of Labor Statistics, is more like 3 percent per year.

    So even if you don't want to avoid being one of my connections on LinkedIn, that might be something that employers would want to encourage you to do.

    Wednesday, 27 July 2011

    The best statistical analysis ever

    OK, enough of this worrying about what sort of patterns we can find for data breaches. What about more interesting things - like whether there's a correlation between children swallowing coins and the stock market? Well, it turns out that that's already been done. Three doctors at Harvard Medical School collected data for three years on this very topic. Here's the abstract from the article they published that described their findings:

    Objective To examine the relation between coins ingested by children and the Dow Jones Industrial Average.

    Design Observational study.

    Main outcome measures Total value of coins ingested and number of incidents of coins versus other objects swallowed, measured before and after the stock market crash of October 2008.

    Results Eighteen objects, including 11 coins, were ingested (NASDAQ (numismatic and sundry detritus acquired) composite of 18). The total value of the 11 coins swallowed was $1.03 (FTSE 100 (fraction of the US$ or 100 cents) index of 103). The pecuniary extraction ratio (PE ratio) was 0.57 (9/16). Comparing values for a period before and after October 2008, the mean monthly NASDAQ composite (0.41 (SD 0.67) v 0.5 (0.85), P=0.75), FTSE 100 index in cents (2.3 (6.8) v 3.1 (7.8), P=0.77), and PE ratio (0.54 (0.52) v 0.66 (0.29), P=0.50) did not change. The mean end-of-month closing value of the Dow Jones, however, decreased significantly (12 537 (841.4) v 8388 (699.8), P<0.001)

    Conclusion There was no detectable difference in the total value of coins ingested, or ratio of coins to other objects swallowed, before or after a massive stock market crash.

    I'm not sure that's as interesting as what we can learn about data breaches. Not as useful, either.

    Thursday, 07 July 2011

    Estonia good, Iran bad

    According to the Freedom on the Net 2011 report from advocacy group Freedom House, Internet users are the most free in Estonia and the least free in Iran. The US came in at second place, followed by Germany, Australia, the United Kingdom, Italy, South Africa and Brazil. And only those seven countries were actually considered "Free." The rest of the world was either "Partly Free" or "Not Free."

    Monday, 27 June 2011

    What the 320-bit key could have been

    Wheel 

    A while ago I noted how one of the people who works for a security vendor made some puzzling comments on LinkedIn about how one of their products used a 320-bit key. An alert reader sent me the above image and suggested that this might be the patented encryption technology that the vendor will only tell you about if you sign an NDA.

    Encryption devices like the one shown in this picture are apparently available in gumball machines, at least in the state of Texas, where this particular comment came from.

    I suppose that it's possible to get 320 bits of strength from this device, perhaps by using some sort of polyalphabetic substitution like a Vigenère cipher, but I doubt that that's how this particular vendor does their encryption.
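    The "Rot13 twice" story above and the speculation about a Vigenère cipher on a gumball-machine wheel rest on the same arithmetic, so here is one added Python example that covers both. It is not code from the original posts or from any vendor; the function names, the 26-letter alphabet and the sample plaintexts are my own choices. It implements a plain Vigenère shift, shows that ROT13 is the special case with the one-letter key "N" and undoes itself when applied twice, and works out how many key letters a Vigenère key would need before its key space even reaches 320 bits.

```python
import math
import string

ALPHABET = string.ascii_uppercase  # assumption: classic 26-letter Latin alphabet


def vigenere(text, key, decrypt=False):
    """Classic Vigenère: shift each letter by the index of the matching key letter.

    Non-letters pass through unchanged and do not consume a key position.
    Constructed for illustration only; this is a textbook cipher, not a product.
    """
    key = key.upper()
    if not key or any(c not in ALPHABET for c in key):
        raise ValueError("key must consist of one or more letters A-Z")
    out = []
    pos = 0  # position within the key, advanced only on letters
    for ch in text:
        up = ch.upper()
        if up in ALPHABET:
            shift = ALPHABET.index(key[pos % len(key)])
            if decrypt:
                shift = -shift
            new = ALPHABET[(ALPHABET.index(up) + shift) % len(ALPHABET)]
            out.append(new if ch.isupper() else new.lower())
            pos += 1
        else:
            out.append(ch)
    return "".join(out)


def rot13(text):
    """ROT13 is Vigenère with the single-letter key 'N' (index 13).

    Because 13 + 13 = 26, encrypting twice returns the plaintext: the
    'Rot13 twice' answer in the story describes the identity function.
    """
    return vigenere(text, "N")


def key_space_bits(key_length, alphabet_size=len(ALPHABET)):
    """Bits of key space for key_length symbols drawn from alphabet_size:
    log2(alphabet_size ** key_length)."""
    return key_length * math.log2(alphabet_size)


def key_length_for_bits(bits, alphabet_size=len(ALPHABET)):
    """Smallest key length whose key space is at least `bits` bits wide."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    # Constructed sample inputs.
    msg = "Hello, World!"
    once = rot13(msg)
    print(once, "->", rot13(once))        # Uryyb, Jbeyq! -> Hello, World!
    print(vigenere("ATTACKATDAWN", "LEMON"))  # LXFOPVEFRNHR
    print(round(key_space_bits(40), 2), "bits for a 40-letter key")
    print(key_length_for_bits(320), "key letters needed to reach 320 bits")
```

    Two things the numbers make plain. A 40-letter Vigenère key has only about 188 bits of key space, and reaching 320 bits takes a 69-letter key, so a "320-bit key" claim cannot come from a short keyword on a wheel. More importantly, key-space size is not security strength: a Vigenère ciphertext with a repeating key falls to period-finding and per-column frequency analysis no matter how long the key is, which is why counting key bits says nothing useful about a product unless the underlying algorithm is a modern one.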

    Friday, 24 June 2011

    America's Funniest Compliance Officer

    Can regulatory compliance be funny? According to the Wall Street Journal, headhunter Howard-Sloan recently organized a search for America's Funniest Compliance Officer, perhaps to answer this very question.

    Unlike similar contests for accountants, which usually get hundreds of entries, this contest only received a total of 15, six of which were deemed good enough to get a chance to perform. Here are some highlights of the performances of these top six.

    Friday, 17 June 2011

    More visualization of text

    It's Friday, and I had so much fun using Many Eyes yesterday that I spent a few minutes this morning using it to create visualizations of a few works of literature. Some are probably better known than others.

    Here's Animal Farm by George Orwell.

    Animal 

    Here's The Call of Cthulhu by H. P. Lovecraft.

    Cthulhu 

    Here's The Phoenix on the Sword by Robert E. Howard.

    Phoenix 

    Here's The Raven by Edgar Allan Poe.

    Raven

    I suspect that I'll find this to be a very useful tool in the future.

    Thursday, 16 June 2011

    Visualizing text

    It turns out that you can create interesting visualizations of more than numerical data. Here's an example of a "word cloud" that you can get when you put one of my old blog posts into IBM's Many Eyes data visualization tool. You can also get another visualization of this here. That one uses Wordle, which Many Eyes' visualizations of text seem to be based on.

    I'm not sure that that's as useful as the bubble chart of 2010 data breaches, but it does seem to convey some useful information. And I'd also say that seeing a picture like this probably gives you a fairly good idea whether or not you'd be interested in reading the full post, for example.

    Waterloo  

    And here's what Many Eyes gets from a paper that I once wrote. You can probably tell from this picture that the topic was something to do with both economics and information security. A picture like that would actually be a useful replacement for the abstract of a paper, wouldn't it?

    Econ 

    Wednesday, 01 June 2011

    Workplace Training

    Over the years in my career, I have had to attend plenty of training courses. Sometimes they are very relevant and "hard nosed" such as "Advanced Java Programming," or "Intermediate Threading," or even "How to Be a Better Public Speaker." Sometimes, though, they are a bit more "squishy", such as "How to Get Along With Your Coworkers," or "Personality Types: How to Recognize and Interact," or "Maximizing Your Potential." (These are not the real titles.)

    There's nothing inherently wrong with the squishy programs; we can all use improvement. But here are some of the things I've noticed they seem to have in common.

    1. Material that could be covered in 5 or 6 hours is spread out over 2 or 3 days. This is understandable; the companies promoting these classes have to make money. You make more money offering a 2- or 3-day class, rather than three or four presentations.

    2. At the beginning the message is "You have to find your own way, you discover the answers on your own. You make the program fit you." But they never really mean it. In the past, I've found a way or discovered an answer the presenters didn't agree with, and they've told me I'm wrong. Then they tell me the "correct" answer and send me back to work on it some more and come back when I have a new answer. What they really mean is, "We've reached some conclusions. Take this course to reach your own conclusions, so long as your conclusions are the ones we want you to reach."

    3. Dissent or criticism is a shock. I suspect the vast majority of people attending don't really engage and just want to get it over with, so there's no dissent. However, I've always felt that if I have to spend two days in this program, I'm going to try to get as much out of it as I can. So I dive in, I try to really listen and think about what is presented, really do something in the exercises, then try to discuss the issues. Sometimes I ask more-than-superficial questions, other times I point out what seem to me to be inconsistencies or contradictions. I've even offered some dissent and criticism. I try to be decent about it because I believe this is how we can come to better conclusions. But most of the time the presenters are surprised and don't know how to handle it.

    4. Participants are asked to evaluate the program, but the questions are designed to allow only positive feedback. At the end, the feedback questionnaire asks, "What did you learn?" or "How will you take this material and apply it to your job?" or "How did this course help you grow?" There's no place to put the comment, "I liked the part on X, but I just can't get behind all that talk about Y."

    Some of the squishy programs have some valuable information; there really are things I can apply to my job, and I hope I have grown. Some of it is a waste of time. But a program can improve if it accepts negative comments and listens to criticism. If you do something and never listen to the critics, you will never change. Maybe what you're doing is perfect or at least as good as it can be and there's no need to improve. But if you listen to some dissenting comments, maybe you will find that they are valid and you can make your program better.

    Friday, 15 April 2011

    A case of mistaken identity

    On a recent trip, I was apparently mistaken for a salesman. I had just finished a five-hour drive and was being checked into my hotel by a very perky and cheerful young woman. When she asked how I was doing, I said something about being tired from the long drive that I had just finished.

    "Being a traveling salesman can be tough," she said.

    "Yes," I said, "and the worst part is that the seats of rental cars are so NP-hard."

    "What?"

    "Oh, never mind."

    Monday, 28 March 2011

    Read the fine print

    On the postcards from the pug bus web site, there's a fake news story about a college student who was arrested for stealing his own identity. This is clearly labelled as a hoax. Here's what the bottom of the hoax's web page says:

    The fine print: the editorial content on this page is fictional. It is presented for entertainment purposes only. We cannot be held responsible for the actions of anyone who takes this sort of s*** seriously.

    But that didn't stop this incident from being reported as true by other web sites and then copied to even more web sites. So don't believe everything that you read. Unless it's the fine print telling you that what's above isn't really true.

    Monday, 21 March 2011

    Obsolete certifications

    I was discussing industry certifications with a former coworker yesterday when the topic of obsolete certifications came up. This was one area in which I was clearly superior by virtue of having at least four certifications that nobody gets anymore and even fewer people care about. These are:

    Certified Internet Security Engineer, a pre-dot-com era certification offered by NetGuru Technologies, a company that hasn't been around for many years.

    GTE CyberTrust Certified Engineer, a certification on one of the first PKI products to become a casualty of the dot-com crash, although they did manage to win one of the first high-profile national PKI deals - the Hongkong Post PKI.

    VeriSign Certified Engineer, a certification on the venerable OnSite PKI.

    Entrust Certified Consultant, as it sounds, a certification on the Entrust PKI.

    I only got the first of these because my pre-dot-com era employer put me through the training to get it. And I only got the other three because my dot-com-era employer organized the classes for them. But for a while there, maybe 1999 to 2001 or so, I could certainly make it look (at least on paper) like I was an expert on PKI. I actually learned a lot about TCP/IP in the CISE class. The PKI product classes weren't as useful.

    I actually had classes on the Xcert and Baltimore PKI products too, but I can't find anything about certifications on them in the box in my closet where I keep this stuff. That's too bad. Having certifications on FIVE obsolete PKI products would be even more impressive than just having THREE of them, wouldn't it?

    So here's the challenge: can anyone top that list of obsolete and useless certifications?

    Thursday, 10 March 2011

    More suspicious data

    I was reading McAfee's recent report Unsecured Economies: Protecting Vital Information, when I came across a claim that looked extremely suspicious. It seemed so inaccurate that I wanted to say that it was just plain wrong. This wasn't the report's estimate that cyber-crime costs the world about $1 trillion per year. I started reading this report to see how they got that estimate, but I came across something that struck me as being probably wrong well before I got to that.

    Here's what this report says, quoting Tim Shimeall of Carnegie Mellon University, who was talking about how rich the Russian mafia is when he said:

    They have immense resources and proved to be ruthless. It is stated that eight percent of the world's deposits is owned by them. With resources like that, the mafia can build its own communication infrastructure.

    The claim that the Russian mafia owns eight percent of the world's deposits struck me as being obviously false, so I looked around for some reasonably accurate data on how much money is actually in the world's banks. From what I could find, it looks like the money supply of Germany is a bit less than eight percent of the world's money supply. Does the Russian mafia really have more money than the entire country of Germany does? I doubt it. So although I'm sure that the Russian mafia has lots of money, I'm also fairly confident that it's not even close to eight percent of the world's deposits.

    Thursday, 24 February 2011

    A relic of the dot-com era

    Because Voltage recently moved, we all had to pack up the random stuff that's accumulated on our desks so that it could be moved to our new offices. Some of this stuff I hadn't seen in years, like my dot-com era Palm Pilot, which was cutting-edge technology at the time. I don't recall much about using this particular device for anything other than trying to generate a few 1,024-bit RSA keys (it didn't work very well at all), but I do remember thinking that the device seemed to bring out the worst in some people.

    In particular, I remember people walking around the RSA Conference with their Palm Pilots and wanting to beam you their contact information instead of just giving you a business card. If you didn't have a Palm Pilot that they could beam their information to, they'd shake their heads in disgust and walk away.

    I remember thinking to myself that these people were jerks. I didn't actually think that, of course, but that's the version that I can say here.

    In any event, here's what my dot-com-era Palm Pilot looks like, complete with its third-party clear case.

    [Photo: Palm1]
    [Photo: Palm2]

    Wednesday, 23 February 2011

    What's available on-line and what's not

    It's not just air fares that are impossible to understand. It looks like other parts of the airline industry are just as puzzling. I just had to plan a trip to Washington, DC for January, and it's always best to avoid traveling through northern hubs like Chicago that time of year. Going through Houston's a good bet in January, so that's what I tried to find.

    When I checked for possible flights at some of the on-line travel sites they didn't list any such flights, but when I went to the airline's own web site the flights were indeed listed. I found this a bit surprising, and it made me wonder what other information you're not getting when you look for things on-line.

    Tuesday, 22 February 2011

    The origin of the term "internet"

    I may have stumbled upon the first use of the term "internet." This might have been in RFC 871, "Perspective on the ARPANET Reference Model," that was written by M. A. Padlipsky back in 1982. Here's what the introduction to RFC 871 says:

    Despite the fact that "the ARPANET" stands as the proof-of-concept of intercomputer networking and, as discussed in more detail below, introduced such fundamental notions as Layering and Virtualizing to the literature, the wide availability of material which appeals to the International Standards Organization's Reference Model for Open System Interconnection (ISORM) has prompted many newcomers to the field to overlook the fact that, even though it was largely tacit, the designers of the ARPANET protocol suite have had a reference model of their own all the long.  That is, since well before ISO even took an interest in "networking", workers in the ARPA-sponsored research community have been going about their business of doing research and development in intercomputer networking with a particular frame of reference in mind.  They have, unfortunately, either been so busy with their work or were perhaps somehow unsuited temperamentally to do learned papers on abstract topics when there are interesting things to be said on specific topics, that it is only in very recent times that there has been much awareness in the research community of the impact of the ISORM on the lay mind.  When the author is asked to review solemn memoranda comparing such things as the ARPANET treatment of "internetting" with that of CCITT employing the ISORM "as the frame of reference," however, the time has clearly come to attempt to enunciate the ARPANET Reference Model (ARM) publicly--for such comparisons are painfully close to comparing an orange with an apple using redness and smoothness as the dominant criteria, given the philosophical closeness of the CCITT and ISO models and their mutual disparities from the ARPANET model.

    In any event, I had never heard that "internet" was short for "intercomputer networking," but RFC 871 seems to tell us that that's the origin of the term.

    Monday, 21 February 2011

    What ROI could also mean

    Measuring the ROI for information security projects is one of those things that people can argue about forever.

    I wasn't reading the full title of the paper too carefully, so I was interested to see a link to the paper "mVideoCast: Mobile, real time ROI detection and streaming."

    That could be interesting, I thought, real time ROI detection.

    It turns out that "ROI" is also used to abbreviate "region of interest" in addition to "return on investment."

    D'oh!

    Monday, 07 February 2011

    An early attempt to beat spam filters?

    I was recently looking at FIPS 74, the old standard from 1981 that defined how to use the DES encryption algorithm. Section 5 of this document is "USING DES TO MAP A CHARACTER SET ONTO ITSELF," which seems to indicate that the idea of format-preserving encryption has been interesting to people since at least 1981. FIPS 74 may also be one of the first attempts to bypass spam filters.

    In particular, FIPS 74 (at least in the version that's on the NIST web site) section 5 is called "IMPLEMENTATlON OF THE A1GOR1THM," which has the letters "L" and "I" replaced with a "1." The first spam email was actually sent in 1978, so 1981 is definitely within the Age of Spam.

    I don't recall email discussions of encryption algorithms being particularly overwhelming back in 1981, but could the title of section 5 of FIPS 74 have been an early attempt by NIST to sneak their DES standard past spam filters, sort of like people do when they try to sell you "V!@gra" today?

    Thursday, 27 January 2011

    Worse than not being talked about

    I recently got stuck manning our booth at a security trade show. It was the end of the quarter and all of the sales people who would normally do that sort of thing were off selling things and they couldn’t spare the time to man the booth, so I ended up doing it. They actually ended up closing lots of deals, so it was probably for the best that I ended up doing this.

    Now the most important thing to do at trade shows is to collect lots of free stuff and everyone at this show spent the first day of the show doing this very thing. The next day, one of the most common topics of conversation concerned one of the giveaways that people got the first day, but probably not in the way that the marketing people who supplied the giveaways intended.

    It seems that one particular vendor was giving away USB memory sticks. These particular sticks were fairly flashy, having a very distinctive shiny metal cover, etc. But they only had 256 MB of memory. That’s the sort of thing you’d have expected to have picked up for free at a trade show four or five years ago, but you’d probably expect a bigger capacity device today. Perhaps even much bigger. And that was the thing that I heard talked about the most on the second day of the show – “I can’t believe XXXXX gave away such tiny memory sticks. What were they thinking?”

    I believe that Oscar Wilde said something along the lines of the only thing worse than being talked about is not being talked about. I’m not sure that this saying applies to marketing, however, and what I saw at this particular trade show may be a good example of when it doesn’t apply.

    Tuesday, 18 January 2011

    R. Austin Freeman's thoughts on the Internet

    "It is most important," he once remarked to me, "habitually to pursue a definite train of thought, and to pursue it to a finish, instead of flitting indolently from one uncompleted topic to another, as the newspaper reader is so apt to do. Still, there is no harm in a daily paper - so long as you don't read it."

    R. Austin Freeman, John Thorndyke's Cases

    Every now and then I come across quotes that seem to apply to other things just as well as their original topic, and the above quote from R. Austin Freeman seemed to do just that. In particular, it seems to apply fairly well to the way in which many people use the Internet today. Many people seem to spend lots of time randomly following links from web page to web page, much like the newspaper readers that Freeman talked about back in 1909.

    Monday, 27 December 2010

    Merry Christmas to me

    For Christmas this year I got a Klein bottle. Cliff Stoll, the same Cliff Stoll who described tracking down the hacker that had penetrated his system in The Cuckoo's Egg, now runs a business selling Klein bottles. (Cliff doesn't actually sell Klein bottles, of course. Instead he sells immersions of them into a three-dimensional space, but that's probably close enough for most people.) Here's Cliff modelling the Klein bottle that I got this year:

    [Photo: DSCN1931]

    Monday, 13 December 2010

    Social networking - another point of view

    I'm not a big user of social networking web sites, and when I was recently trying to explain to someone why I'm not, they managed to summarize what I was saying in one sentence.

    "So what you're saying is that people are really connecting to the Internet instead of to each other?"

    "Pretty much, yes."

    Wednesday, 24 November 2010

    Benford's law for accounting data

    In a previous post I noted how the sizes of data breaches seem to follow Benford’s law. It’s not too hard to imagine that hackers penetrating one or more layers of security can lead to a multiplication in their success for each layer they penetrate. And because data that’s created by exponential growth or some sort of multiplicative process tends to follow Benford’s law, we shouldn’t be too surprised when we see that the size of data breaches follows it.

    Accountants sometimes use Benford’s law to find fraudulent accounting data. This is based on the observation that lots of real accounting data follows this law while numbers that are fraudulently created often don’t, so that if you’re an auditor and you find accounting data that violates Benford’s law too badly, that might be an indication that you’ve discovered some sort of fraud.

    But why would you expect accounting data to follow Benford’s law?

    I recently asked several accountants who’ve worked in internal audit groups why they think that accounting data should follow this law and none of them could think of any good reason. So when I recently had some time to kill while waiting for a flight from Houston to San Jose, I thought about this for a few minutes and I came to the conclusion that this probably happens because of inflation. Inflation is an example of exponential growth, and that’s the very sort of process that tends to lead to data that follows Benford’s law.

    That seems to be as good as any other explanation that I’ve heard of, but then those have all been along the lines of “well, we really don’t know.”
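    The inflation argument above can be checked numerically. This is an added Python example, not code from the post: it builds a constructed ledger whose amounts grow exponentially year over year, compares the leading-digit proportions with Benford's expected values, and applies the same auditor-style screen to an evenly spread set of invented amounts. The function names, tolerance and sample amounts are assumptions made for the illustration.

```python
import math
from collections import Counter

# Expected leading-digit proportions under Benford's law: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def leading_digit(x):
    """First significant digit of a non-zero number, at any magnitude."""
    return int(f"{abs(x):e}"[0])


def digit_distribution(values):
    """Observed proportion of each leading digit 1..9, ignoring zeros."""
    counts = Counter(leading_digit(v) for v in values if v != 0)
    n = sum(counts.values())
    return {d: counts.get(d, 0) / n for d in range(1, 10)}


def benford_screen(values, tolerance=0.05):
    """Auditor-style check: the largest absolute gap between the observed
    and the Benford proportion for any digit, and whether it exceeds the
    (assumed) tolerance. A large gap is a prompt to look closer, not proof."""
    observed = digit_distribution(values)
    worst = max(abs(observed[d] - BENFORD[d]) for d in range(1, 10))
    return round(worst, 4), worst > tolerance


def inflated_ledger(base_amounts, annual_rate, years):
    """Constructed ledger: the same real-terms amounts booked every year
    while prices grow exponentially (inflation) at annual_rate."""
    return [a * (1 + annual_rate) ** y for y in range(years) for a in base_amounts]


# Constructed sample inputs (not real accounting data).
BASE_AMOUNTS = [12.5, 47.0, 130.0, 299.0, 850.0, 1999.0, 4250.0, 9900.0]
INFLATED = inflated_ledger(BASE_AMOUNTS, annual_rate=0.03, years=234)
# A naive fabrication: invented amounts spread evenly over 1000..9991,
# which makes every leading digit about equally likely (1/9 each).
FABRICATED = [1000 + 9 * i for i in range(1000)]

if __name__ == "__main__":
    for name, data in (("inflated", INFLATED), ("fabricated", FABRICATED)):
        dist = digit_distribution(data)
        worst, flagged = benford_screen(data)
        print(f"{name}: largest gap {worst}, flagged={flagged}")
        for d in range(1, 10):
            print(f"  {d}: observed {dist[d]:.3f}  Benford {BENFORD[d]:.3f}")
```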

    Tuesday, 02 November 2010

    More thoughts on psychology research

    Yesterday I described how some college students go out of their way to get psychology research to produce puzzling results. This sort of behavior probably isn't limited to just college students. I also remember seeing similar behavior when I was in the Army.

    The US Army used to have a facility at Ft. McClellan, the Chemical Decontamination Training Facility, where you could train with live chemical agents. I knew some of the people who were in the first few groups to use the CDTF, and they told me how they went out of their way to affect one of the studies done of it.

    It seems that there was some sort of study done on the first few groups through the CDTF to see how stressful people found training with live nerve agents. As part of this study, some people had to wear some sort of device on their wrist that monitored their vital signs for a few days after they went through the training. The people that I knew went through the CDTF on a Friday and spent the following Saturday and Sunday riding roller coasters, hoping that the roller coaster rides would provide some interesting data for the monitoring devices that they had to wear.

    So there's probably some study out there that claims that training with live nerve agents can cause more stress than either Airborne School or Ranger School, and this claim is probably based on data that was meant to give this bizarre result.
