Random thought of the day
The title of the article says it all: "The generation of random numbers is too important to be left to chance," (Robert R. Coveyou, Studies in Applied Mathematics, Vol. 3, 1969, pp. 70-111).
Before I came to Voltage I did mergers and acquisitions consulting. This can be very frustrating work because you put in lots of hard work and most M&A deals end up not closing. You typically have 90 days to do all of your due diligence for a deal, but you lose a week or two up front when you're getting organized and you lose a week or two at the end when you have to write reports and give presentations on what you learned. This means that you really have more like 60 days to learn everything, and that can mean lots of 20-hour days.
Fortunately, the work's interesting enough and the pay's high enough that you tend to not really mind that. On the other hand, it's very frustrating to see all of that work be for nothing when deals don't work out, and most of them don't.
I was having lunch with a former co-worker recently and was reminiscing about this particular frustration when it was pointed out to me that big IT projects have the same problem: most of them fail. The Standish Group has been tracking the success of IT projects for quite a while, at least since 1995, and here's what they had to say about how things are going now:
"This year's results show a marked decrease in project success rates, with 32% of all projects succeeding which are delivered on time, on budget, with required features and functions," says Jim Johnson, chairman of The Standish Group, "44% were challenged which are late, over budget, and/or with less than the required features and functions and 24% failed which are cancelled prior to completion or delivered and never used."
"These numbers represent a downtick in the success rates from the previous study, as well as a significant increase in the number of failures," says Jim Crear, Standish Group CIO, "They are a low point in the last five study periods. This year's results represent the highest failure rate in over a decade."
So IT projects, which have always been challenging in the past, have apparently gotten worse recently. I don't follow the Standish Group's CHAOS reports, their annual reports on the state of IT project management, like I used to, but I seem to recall that the trend was moving in the right direction in the past. Maybe cutting project management and risk management overhead due to the recent recession is responsible for this trend.
A reader recently commented that he'd heard that the charge-off rates (the fraction that banks write off as bad debt) for credit card loans are typically around 4 percent, but hadn't seen a reference to that fact. Here’s a graph of the data from the Federal Reserve that shows the charge-off rates on credit card loans since 1985. Until recently, the rate hovered around 4 percent. It’s jumped to roughly 10 percent in the past year or two, but I’d expect it to go back down to about 4 percent again in the next year or two.
I know lots of people who are big fans of horror fiction. Many of them tell me that they read horror fiction because they like the way it makes them feel. Many of them apparently like the uneasy feeling that they get from reading it, even the really over-the-top stuff that does its best to make you feel the desperate need to take a shower after you finish it.
It seems to me that information security is also a bit like this - it also deals with lots of bad things happening, many of which are really out of your control. Having an exploitable buffer overflow vulnerability discovered in your web server probably isn't as bad as the end of the world in which some sort of out-of-control secret government experiment leads to us all being eaten by zombies, for example, but it's not the sort of thing that you can really do much about, and neither one of these possibilities is really very appealing.
There probably aren't many people who stay awake at night worrying about being eaten by zombies, while there are people who stay awake at night worrying about the possibility of their web server having an exploitable vulnerability, so that's probably not the best example. But if there are people who like the feeling that they get from reading horror novels, I wouldn't be too surprised if there are also people who like thinking about information security for very similar reasons. If I remember to, I'll have to ask people about this at one of the vendor-sponsored parties at next year's RSA Conference.
I've been writing articles for various magazines for a while, and one trend that I've noticed is that the length of articles that editors ask for has dropped dramatically in the past few years. About five years ago, it seems that the most commonly requested length for magazine articles was between 2,000 and 2,500 words. More recently, this average has dropped to a much shorter length. Now it's more like 750 to 1,000 words.
It's no coincidence that that's roughly how much will fit on a single magazine page. Editors that I've talked to recently tell me that the typical reader doesn't read past the first page of an article, so it may be the case that editors are shortening the articles in their publications to deal with that reality.
I recently had another credit card compromised. I only use this particular card at two on-line bookstores, so I'm fairly sure how it was compromised.
In any event, someone got my card information and charged a few months of membership at Skype India. When I pointed out these charges to my bank they immediately took care of the fraudulent charges, but I was still left with $0.36 in foreign transaction fees that I was charged because the fraudulent charges were made outside the US. The fraud people explained that I would have to talk to a different division to take care of those fees and gave me the number to call to take care of the problem.
After calling the second number, I was transferred around a bit and then put on hold. After being on hold for a couple of minutes I just gave up and decided to pay the $0.36 in fees instead of waiting on hold even longer.
After thinking about this for a while, I realized that I just provided a way to estimate how much my time is worth. If I'm willing to pay a $0.36 fee after 3 minutes, that seems to say that my time is worth about $0.12/min or about $7.20/hr, which is slightly less than the minimum wage in California.
Over the recent holiday I had time to catch up on some reading that I've meant to do for a while, and I noticed a pattern that's probably obvious to people in touch with literary trends. In particular, it seems to me that a big motivator for lots of the science fiction of the '50s and '60s was the Cold War mindset that started in the '40s and that a big motivator for the horror fiction of the '70s and '80s were the social and political trends of the '60s.
The terrorism that we're dealing with today seems to be something that we might see in future genre fiction. Maybe identity theft is also. Data breaches are certainly big news these days and the losses due to identity theft seem to be growing at an alarming rate. Maybe we'll see identity theft featured prominently in genre fiction of the next decade or two.
The cyberpunk sub-genre of science fiction, which I really don't know much about, seems to be where this might first appear, although there may be enough material there to create an entire new sub-genre.
In a previous post I described how the USPS might have been corrupted by transporting a copy of the Necronomicon, a fictional book of ancient and forbidden knowledge that appears in some of H. P. Lovecraft's stories. In this I suggested that the Necronomicon had been brought to the US by a soldier who somehow came across it in the Gulf War.
Several people have asked me to tell the story of exactly how this happened, so I started working on this last week when a short layover in the Atlanta airport turned into an unplanned overnight stay there. The working title for this was "War Story."
More than one person who later saw that title thought that I was writing something about what goes on at standards meetings.
Next year will mark the five-year anniversary of Waterfall 2006, the premiere conference on the benefits of sequential development processes. Maybe it's time to organize the next one. I'm sure that we've learned lots of interesting things about how to manage software development since then.
I recently read "Social Media and FINRA: Twitter and LinkedIn Considerations," a report from the Burton Group that talks about the regulatory issues that businesses may run into when their employees use either Twitter or LinkedIn. These issues are all related to FINRA's Regulatory Notice 10-06, "Guidance on Blogs and Social Networking Web Sites."
I'm certainly not an expert on the details of FINRA's guidance, but some of the conclusions of this report made me question whether or not some of the ways in which securities firms are regulated really make sense.
According to this report, for example, a securities firm may get into trouble with regulators if one of their employees has selected "Business deals" as one of the things that they're open to receiving messages about through LinkedIn. Providing recommendations for other people on LinkedIn can also apparently get you in trouble with regulators. The report lists several other examples, none of which made any sense to me at all.
So if I assume that the Burton Group's analysis is correct, which seems like a reasonable assumption, it certainly seems to me that the way in which the securities industry is regulated doesn't make much sense. And because it looks like we'll probably see more regulation of that industry in the future, I'd expect things to get much worse before they get any better.
When you go to buy enterprise software, you never really expect to pay the list price. Businesses are now fairly good at manipulating software vendors: waiting until right before the end of the vendors' fiscal quarter or year, always waiting until they're ready to buy to get the "what if I commit to buy right now?" discount, etc. But for things where there's really no way to negotiate prices, you expect prices to be set at what the business thinks that they can get for something. This is why I don't understand the prices of books that I see at various on-line stores.
When I went to Amazon.com just now to get some examples, I was surprised to find that prices advertised for the first book that I randomly picked ranged from a low of $16.47 to a high of almost $1,000. And that's for the same condition, etc. The next few books didn't have as dramatic a range, but the range was still surprisingly high: from $14.45 to $24.95 (a factor of 1.7 from low to high), from $18.95 to $87.56 (a factor of 4.6) and from $55 to $129.64 (a factor of 2.6).
Some people tell me that on-line book stores will often put a very high price on a particularly notable book just to advertise the fact that they have a copy, never expecting to actually sell it at that price. Apparently they think that this is an effective type of advertising. But with a book that lists for less than $20, I can't believe that that model works very well.
And if you're an on-line business who wants to set the prices for your books, wouldn't you check to see what the normal range of prices is for your books before setting your own prices? After all, if you set your prices higher than others have it's probably reasonable to assume that you are not going to sell your copy until all of the lower-priced alternatives have sold.
There's almost always a reasonable explanation for businesses' behavior, but it's not always obvious what that explanation is, and that's one of the big reasons that economists get paid to do what they do. Maybe this is the sort of thing that some economics graduate student can explain and write up in his dissertation.
After you've been involved in software development for a while you get fairly good at estimating how long it will take to do various things - adding features, correcting bugs, etc. You tend to get better at this with practice. Curiously, I didn't have quite the same experience when it came to writing.
When you write things, you're often given an approximate number of words that the editor is looking for on a particular topic. Sometimes this can be fairly vague, like between 2,000 and 3,000 words. Sometimes you're given more precise requirements. One editor once asked for between 720 and 730 words on a particular topic, for example.
After a while you get a rough idea of how much detail you can fit into 500 words, 1,000 words, etc. But while you tend to get better at scoping software development projects after not too long, I'm still sometimes way off from what I think needs to be written. I'll agree to write something like 2,000 words on a particular topic, for example, but after I think about the topic for a while I find that there's really not that much to say about it. (I'm actually trying to figure out how to stretch 500 words to 1,200 words right now...)
Maybe I just don't think the right way about writing yet.
The first time that you get something published, it’s great. You walk around thinking to yourself I’m a published author now. That’s incredibly cool. That feeling definitely makes it worth the time and effort that it takes. The next time, however, the coolness drops to roughly 70 percent of the first time, and this trend seems to continue for quite a while, so that each time you get something published is about 70 percent as cool as the previous time.
Here’s a graph of what 0.7^x looks like:
So after the 15th time or so that you get something published, essentially all of the coolness is gone – you’re down to less than one-half of one percent of the original level of coolness. At that point it’s just work.
So I’d guess the bottom line is that everyone should take the time and effort to get something published at least once, but don’t be surprised if your perspective on it changes after you’ve been doing it for a while. If this model's accurate, you might actually get tired of it fairly quickly.
There’s apparently a doctor out there with the same name as me. I say this because I often get requests for permission to reprint various medical articles as well as spam from biomedical companies. One of these recent spams advertised a product that identifies proteins by using mass spectrometry.
That made me wonder if it would be possible to invent a device that could automate the identification of the books on my desk. Maybe this machine would burn one of these books and determine from the ash whether the content of the book was number theory, algebraic geometry, elliptic curves, etc. Such a machine, of course, would be called a "math spectrometer."
At the recent Key Management Summit I was talking with some of the people who had really come for the IEEE Symposium on Massive Storage Systems and Technology about some of the more spectacular security incidents that have affected the Internet. These included things like the Morris worm, the SQL Slammer, and other high-profile incidents. One of the people that I talked to works for CERN, and he told me about a type of incident that they apparently deal with on a routine basis that's a bit more spectacular than any of these security incidents.
In big particle accelerators you apparently get an event called a "magnet quench" now and then. These start when one of the superconducting magnets that controls the accelerator's particle beam develops a glitch. Maybe one of the magnet's superconducting coils gets hit by stray high-energy particles, for example. This can heat the coil to the point where it loses its superconductivity.
These coils can have tens of thousands of Amps running through them. This is OK when they're superconducting, but causes problems when they're not. When the coils lose their superconductivity, resistive heating from the huge amount of current flowing through them makes them even hotter. All of this heat then boils the liquid helium that's cooling the coils, which then vents through the equipment's pressure relief valves in a spectacular way.
Those superconducting coils probably aren't cheap, but I'd guess that the economic damage caused by any of the high-profile security incidents is greater than the cost of repairing the damage from a magnet quench in a big particle accelerator. I'll bet that the magnet quench is more impressive to watch, though.
I came across an interesting old (1964) computer recently - an analog device (slide rule) designed to help reliability engineers calculate the cumulative binomial distribution. Here's what the package for this computer and its manual looks like:
Here are its instructions:
It looks like I'm not alone in thinking that elliptic curves are interesting. The collective wisdom of the Internet seems to feel the same way. Here's proof: a perfect 10 out of 10 on the sucks/rocks meter. Who ever would have thought?
The next time that I hear people who tend to adopt new technologies before others do as "early adapters" instead of "early adopters," I may have to do some sort of Internet version of screaming loudly. This seems to be one of those hideous marketing-isms that have been created recently, much like "flushing" things out instead of "fleshing" them out.
Ack!
As I've noted before, it certainly seems like it's only native speakers of English that make blunders like these. Odd.
Some people out there seem to be extremely desperate for LinkedIn connections. I say this because lots of the Voltage email addresses that don't actually correspond to a real person (sales@voltage.com, etc.) are now getting requests to connect on LinkedIn. But because Sales (maybe it's actually Mr. Sales) doesn't actually know any of these people, Sales isn't accepting their requests to connect.
Maybe that's not such a good idea. If we had Sales sign up to LinkedIn, maybe they could leave annoying recommendations for people there. That might be fun.
According to a web site traffic ranking web site that I came across today, the most common upstream web site for Voltage's corporate web site is actually an on-line dating site. That made me wonder exactly who is coming to Voltage's web site and why. (It also made me question the accuracy of the rankings, of course.) I would have thought that people would come to our site to learn about either Voltage's technologies or products, but I appear to be wrong in this particular case.
An alternative explanation is that there are lots of single, attractive men and women who work at Voltage, and people who view their on-line dating profiles want to learn more about who their employer is. If that's the case, our marketing people might be able to use this slogan as the basis for a campaign of some sort:
Voltage: it's not just our technology that's hot.
After the spam message that invited me to submit a paper to The 14th World Multi-Conference on Systemics, Cybernetics and Informatics, the conference that's probably most famous for accepting a computer-generated paper, I received another similar message. This one was from the same people who organize WMCSI 14, and it turns out that they're also organizing the 2nd International Conference on Peer Reviewing. Here's an interesting blurb from the ICPR web site:
Empirical studies have shown that assessments made by independent reviewers of papers submitted to journals and abstracts submitted to conferences are no [sic] reproducible, i.e. agreement between reviewers is about what is expected by chance alone. Rothwell and Martyn (2000), for example, analyzed the statistical correlations among reviewers' recommendations (made to two journals and two conferences) by analysis of variance and found out that for one journal "was not significantly greater than that expected by chance" and, in general, agreement between reviewers "was little greater than would be expected by chance alone."
The Rothwell and Martyn (2000) reference is available here, and the ICPR blurb seems to be an accurate summary of its findings. It looks like your ability to flip a coin and have it come up "heads" is just as good a predictor of whether or not a reviewer will like your paper as any other indicator is. That's not entirely encouraging, is it?
I recently came across an interesting blog post that talked about teaching writing. Here's what its author, Art Scheck, had to say about this:
Here's my biggest problem with teaching composition: I have no idea where good sentences come from. Most of the time, strings of words just appear in my noggin. When I'm stuck for a word, phrase, or clause, I wait awhile, and what I need floats up from my subconscious. I don't know what's happening while I wait for words. Somewhere, scads of neurons are working hard, but I can't see that work going on. The genesis of sentences remains a perfect mystery to me.
When I read that I thought That's exactly right! Where do the words come from? I don't know either.
It's probably fair to say that I've done a fair amount of writing - maybe not be as much as the real pros write, but definitely more than the average guy on the street does. Despite this, I still don't know where the words come from, and there's nothing more frustrating than having a deadline approaching and for those strings of words to not mysteriously appear in your head.
Scheck went on to say this:
None of that means that writing is easy for me. I write slowly, I revise a lot, and my brain is tuckered out when I stop.
Another case of That's exactly right! My rule of thumb is that for each hour I spend writing I spend at least five hours editing, and it's definitely hard work. It's good to see that it's not just me who feels this way.
My recent attempt to create a good spin-themed song (as briefly mentioned here) reminded me of a crypto-themed song by Bob Rivers. Oddly enough, I don't recall ever hearing this song being blasted from a crypto vendor's booth at any trade show.
There's a theorem from mathematical physics that may have an application in the workplace. This is the virial theorem, and its workplace analogy may explain why every job has its annoying parts.
One version of the virial theorem roughly says that for a finite collection of point particles interacting gravitationally, the time average of the kinetic energy is half the time average of the potential energy, or
<K> = - <U> / 2
The virial theorem is useful to astronomers because you can use it get a good idea of masses of distant objects, which you can't really observe, from their kinetic energy, which you can observe. The reason that we think that dark matter exists is basically from observations like those plus the virial theorem.
Driving in to work today, I had the thought that an appropriate analogy for the virial theorem in the workplace might be that the bad parts of a job are always proportional to the good parts of a job. In my experience, this seems to have always been true. You probably have some relationship like this, for example:
<Bad> = - <Good> / 2
When I was an officer in the US Army, there were lots of good aspects of the job. There's nothing in the world as rewarding as working with soldiers, for example, and getting paid to work with explosives and fire guns is also lots of fun. To make up for this, however, there's also the fact that the military is really part of the government, so you're really part of a large, mind-numbingly bureaucratic organization.
Or when I used to do what's probably best called applied physics research, it was great fun working with things like lasers and electron microscopes. To make up for this, however, there's the never-ending battle that you have to fight to get funding for those expensive gadgets.
Or when I did mergers and acquisitions consulting, it was great fun getting a look inside lots of different companies in lots of different industries and seeing how they worked. The pay wasn't bad, either. To make up for this, however, there were the 20-hour days and the backstabbing from other consultants (particularly the lawyers) involved in the M&A projects that you had to keep a constant eye out for.
So although I'm not sure that you can write down a set of assumptions that lets you rigorously prove an analogy for the virial theorem for the workplace, it certainly seems to be true. If there's a job out there for which it doesn't hold, I'd definitely like to hear about it.
If the number or size of the parties put on by vendors at this year's RSA Conference is any indication, the information security industry has fully recovered from any effects of the recent recession. Luckily, I recently saw an episode of Mythbusters that made surviving these parties much easier than it was in previous years.
The Mythbusters episode that I saw compared the hangover caused by drinking beer to the hangover caused by drinking liquor. Somewhat surprisingly, they found that beer causes much worse hangovers.
Armed with this research, I developed a strategy to deal with the numerous parties at this year's RSA Conference: stick to martinis and drink no beer. Drinking martinis also helps in another way. Martinis taste terrible so you're much less likely to drink too many of them. After a single sip from a martini, you're usually more than happy to wait a long time before taking another sip. Beer, on the other hand, doesn't have this built-in rate-limiting feature, so you're more likely to drink too much of it.
This strategy worked perfectly. By sticking to martinis I was easily able to keep my blood alcohol content well within the limits allowed for driving, and the next morning I felt no obvious effects from the parties at the RSA Conference the previous night.
When I recently logged in to the ISSA web site, I was surprised to see that the web site apparently thinks that I'm in rural Libya somewhere. Here's what its map showed for my location:
Based on this, the 10 closest ISSA chapters to me are Italy, Abuja, Egypt, Spain, Switzerland, Istanbul, France, Romania, Israel and Lagos. Voltage often supplies speakers for ISSA meetings, but I don't think that we've sent anyone to any of these locations yet, even though they're apparently fairly close to us.
I didn't know that there are actually two chapters in Nigeria (Abuja and Lagos). Maybe keeping one step ahead of all of the spammers requires lots of security professionals. Maybe there's a different reason. The population of Nigeria is roughly 150 million, or about half the size of the US, so there must be lots of businesses there that need information security people.
I recently came across "Cinema Fiction vs Physics Reality: Ghosts, Vampires and Zombies," by Costas Efthimiou and Sohang Gandhi. This paper discusses how ghosts, vampires and zombies are portrayed in books and movies and looks at what's actually possible and what's not.
Ghosts have lots of problems with physics at a very basic level. They can't both be incorporeal and do the things that they are shown to do in books and movies. That should be fairly obvious.
Vampires have problems with the exponential growth of the vampire population that they would cause. I hadn't thought of that before, but when you hear it, it's fairly obvious. Suppose that a vampire needs a single victim each year and that this victim then turns into a vampire. After one year, you have two vampires. Each of these two creates two more the next year. Each of these four then creates four more the next year, etc. This growth quickly gets out of control and leaves the entire world populated by vampires. So the fact that people exist is proof that vampires don't exist, at least not vampires as they're portrayed in books and movies. (This analysis might not be quite accurate because it doesn't account for the ability of people like Kristy Swanson to keep the vampire population in check, but it's probably close enough.)
It turns out that there's actually a factual basis for zombies. Maybe this is why Brian Keene's zombie books are so popular. I'm personally more fond of zombie stories like Robert Bloch's "Maternal Instinct," but I seem to be in the minority in this particular case, much like people who think that reading papers about the physics of ghosts, vampires and zombies is interesting.
And it's apparently not just physicists who worry about zombies. Lucy Snyder, the wife of Gary Braunbeck, one of the best horror writers in the world, has written a book Installing Linux on a Dead Badger and Other Oddities that tells why people in the corporate IT world should worry about them.
Here's what this fine book has to offer:
There's also a book coming out soon that tells how Dante Alighieri was inspired to write the Divine Comedy, at least the Inferno part of it, by seeing the results of a zombie infestation. My copy should be arriving next week.
I'm sure that there's some way to make this relevant to information security, but I don't see it right now.
While editing a standards document this morning, I was reminded of an e-mail exchange that I had a few years ago on the mailing list for an entirely different standard. On this particular list, someone was discussing what bad things an administrator of a certificate authority could do if they abused their administrator rights. They called this a "rouge CA," and really didn't seem to understand why that particular term didn't mean what they thought it meant.
Apparently, people have been confusing the words "rogue" and "rouge" for quite a while. Some people tell me that this confusion became the most obvious in 1987, when people were discussing the game Rogue Trader, inadvertently turning it into a game in which players tried to make a killing trading in either cosmetics or other red-colored commodities.
In any event, after some discussion of the dangers of "rouge CAs," I had to add a comment or two to the discussion that didn't really relate to the security issues that were being discussed. I said that I hadn't heard of a "rouge CA," and asked if these were discussed in a standards document that I hadn't "red." I also made some comment about how I was skeptical about the very idea of "rouge CAs," and speculated that it really wasn't the kind of idea that a reasonable person would "make up."
This may not actually have been as funny as I think it was.
The replies to my less-than-helpful comments showed that many people on this particular list really didn't understand the difference between "rouge" and "rogue." Based on the additional comments that tried to connect cosmetics and certificate authorities in some clever way, it seemed that one or two other people did, but most didn't.
Oddly enough, the people who were confusing "rogue" and "rouge" all seemed to be native speakers of English. People who had learned English as a second language didn't seem to confuse these two words at all. I wouldn't be surprised if similar mistakes, like marketing people talking about "flushing out" details instead of "fleshing out" details are also generally limited to native speakers of English, but that's a rant for another post.