Thursday, September 29, 2011

The Other Binomial Expansion

Monday, September 26, 2011

SHA post as SPAM magnet

Sunday, September 25, 2011

Fibonacci Pigeons

Thursday, September 22, 2011

These aren’t the key management systems you are looking for

This is a nice presentation on enterprise key management issues from Anthony Stieber, given at the 2nd IEEE Key Management Summit (KMS 2010). The main message is that key management is tricky, so don't roll your own. By the way, if you are looking for examples of PowerPoint that breaks all the rules for good presentations, you will find them here.


Also, there is a very polished and informative presentation from Chris Kostick of E & Y on an enterprise key management maturity model, and below is a comprehensive diagram of the life-cycle management of keys.


Liability for Risk Decisions

I am currently in between positions, somewhat happily, and am casting my net of interest a bit wider than my traditional roles in IT Security and Risk. One position that caught my eye, from a global reinsurer in town, was the role of Earthquake Expert within their Natural Catastrophe department (or Nat Cat in insurance lingo). I really don't have any specific background in this area, but I sometimes entertain the idea that I can transfer hard-learnt crypto math skills into a numerate role like this one, which calls for extensive modeling and prediction. You might also think that this would be a nice and cozy niche area to ply your trade as a specialist, holding something of a privileged position.

Well, I was disabused of any such notion this week when I read that six Italian scientists and a former government official are being put on trial for the alleged manslaughter of the 309 people who died in the 2009 L'Aquila earthquake in Italy.

The seven defendants were members of a government panel, called the Serious Risks Commission (seriously), who were asked to give an opinion (or risk statement) on the likelihood that L'Aquila would be struck by a major earthquake, based on an analysis of the smaller tremors that the city had been experiencing over the previous few months. The panel verdict delivered in March stated that there was "no reason to believe that a series of low-level tremors was a precursor to a larger event". A week later the city suffered an earthquake of magnitude 6.3 on the Richter Scale, denoting a "strong quake".

The crux of the case against the scientists is that they did not predict the strong quake coming to L'Aquila in time to allow a proper evacuation of its inhabitants. The defense rebuttal is simply that such a prediction is impossible, and that they cannot be held accountable for this unreasonable expectation: scientists cannot be expected to function as a reliable advance warning system. The international scientific community has weighed in to support the defendants with a one-page letter from the American Association for the Advancement of Science, which states that there is no reliable scientific process for earthquake prediction, and that the scientists should not be treated as criminals for adhering to the accepted practices of their field.

Recently people were evacuated from New York City as a precaution against the impact of Hurricane Irene. The hurricane passed by New York causing far less damage than expected, and yet there were still complaints from residents about being asked to leave their homes "unnecessarily". It seems that authorities cannot win in these matters unless they can predict the future accurately.

Wednesday, September 14, 2011

PageRank Increment for No Tricks


Every now and again I run this blog through the free Website Grader tool, which measures your site on a variety of criteria, hoping to lure you into a more thorough paid analysis. The tool used to report a PageRank value, and No Tricks seemed to be stuck at 3 for quite a few years. The site now uses its own page ranking metric, which reported a value higher than 3. I was overjoyed and eagerly confirmed that the "true" PageRank metric had also increased from 3 to 4, representing some form of "exponential" improvement since the scale is logarithmic. I can now claim that the No Tricks site has gone from being of "low importance" to being of "medium importance". Fine, I'll take it.

Incidentally, I wrote a short introduction to the mathematics of PageRank a few years back, with a security spin.

Jesus and spending a trillion dollars

Amit Agarwal at Digital Inspiration has put together some information on just how big the number one trillion actually is, in human-sized terms. We have heard a lot about trillions of dollars in the context of credit crisis and, more recently, in the debate over the US budget deficit. Not to mention that Facebook recently reported that their total number of page views has passed the one trillion mark.

Agarwal started by reporting the following Biblical metaphor:

If you start spending a million dollars every single day since Jesus was born, you still wouldn't have spent a trillion dollars by today.

And in terms of a diagram, Agarwal starts with a single 100 dollar US bill, and represents larger values as


Extending further, a trillion dollars then requires a football field of space, as shown below, with our human-sized man dwarfed in the bottom left corner.


Can you win the lottery too many times?

Last year I posted on The Fabled 25 Sigma Event, referring to a quote from David Viniar, then CFO of Goldman Sachs, who was attempting to describe the magnitude of the movements in the financial markets. Mr. Viniar probably did not fully understand the implications of what he was saying, since a 25 sigma event translates into a phenomenon occurring once every 10^{135} years, a period of time of which we have yet to see even a tiny fraction. Several researchers at the business school of University College Dublin gave another interpretation of how unlikely this event was by stating that it equates to winning the UK lottery more than 20 times in a row.

Winning the lottery 20 times does seem very unlikely. Recently a woman won the Texas lottery for the fourth time in the last 10 years or so, accumulating prize money of just over 20 million USD, and is being scrutinized by the press for potential fraud. There is a lot of suspicion about the luck of Joan Ginther (pictured below) and her winning streak. Googling "4 time lottery winner" produces pages of articles on Ginther's supposed luck.


Nathaniel Rich ran an interesting 4-page story in the August issue of Harper's magazine, where he visits the small Texas town of Bishop to look at the lone town store where three of the winning tickets were purchased. Rich spoke to enough mathematics professors beforehand to determine that the odds of an individual winning four times by pure luck are extremely low indeed, about 10^{-24}, or a practical impossibility (still "far more likely" than a 25 sigma event though). The alternative scenarios are (1) an inside job, potentially amongst the state lotteries and their suppliers, (2) cracking the parameters of the pseudo-random number generator used to select the winners, and (3) dumb luck, or increasing your odds of winning by buying many tickets. The most likely answer seems to be a combination of (2) and (3).

The local townspeople are going with scenario 3, or just ascribing it to pure luck outright, as there is a strong (American) belief that everyone can be a winner. Getting back to those 25 sigma events, it seems then that no one would actually be able to win the UK lottery over 20 times, as they would be suspected of foul play and likely find themselves arrested well before that many wins. Perhaps Mr. Viniar should have been arrested for his remarks.

Tuesday, September 13, 2011

An unexpected business model for Angry Birds

Rovio, the company that developed Angry Birds, recently announced at the TechCrunch Disrupt conference that they are now selling more than one million Angry Birds T-shirts and toys each month. That's after 350 million downloads of the game. What a business model, if they intended it, and a movie deal is apparently in the works as well. Oh yes, and a theme park. So it seems it is possible to use a mobile game as the basis for creating real world profits.

All Eyes on Facebook

A recent social media report from Nielsen shows, amongst other things, that Facebook dominates our attention on the Internet, larger in terms of minutes of face time than the next four most popular social media sites combined. Business Insider produced the following chart based on Nielsen's data


It was recently (and widely) reported that the number of page views on Facebook passed the 1 trillion mark, but that figure has been disputed. In any case, all internet paths seem to lead to Facebook one way or another.

Sunday, September 11, 2011

A short touching remark on 9/11

I am stepping out more of late, meeting new people and doing new things, which has seen me doing far less blogging over the last year. One of the sites I use to find things to do is Meetup in the Zurich locality. I received the following email from the founder today, who relates how the origin of the service was 9/11, and his intention was to "use the internet to get people off the internet",

Fellow Meetuppers,
I don't write to our whole community often, but this week is
special because it's the 10th anniversary of 9/11 and many
people don't know that Meetup is a 9/11 baby.
Let me tell you the Meetup story. I was living a couple miles
from the Twin Towers, and I was the kind of person who thought
local community doesn't matter much if we've got the internet
and tv. The only time I thought about my neighbors was when I
hoped they wouldn't bother me.

When the towers fell, I found myself talking to more neighbors
in the days after 9/11 than ever before. People said hello to
neighbors (next-door and across the city) who they'd normally
ignore. People were looking after each other, helping each
other, and meeting up with each other. You know, being

A lot of people were thinking that maybe 9/11 could bring
people together in a lasting way. So the idea for Meetup was
born: Could we use the internet to get off the internet -- and
grow local communities?

We didn't know if it would work. Most people thought it was a
crazy idea -- especially because terrorism is designed to make
people distrust one another.
A small team came together, and we launched Meetup 9 months
after 9/11.

Today, almost 10 years and 10 million Meetuppers later, it's
working. Every day, thousands of Meetups happen. Moms Meetups,
Small Business Meetups, Fitness Meetups... a wild variety of
100,000 Meetup Groups with not much in common -- except one

Every Meetup starts with people simply saying hello to
neighbors. And what often happens next is still amazing to me.
They grow businesses and bands together, they teach and
motivate each other, they babysit each other's kids and find
other ways to work together. They have fun and find solace
together. They make friends and form powerful community. It's
powerful stuff.

It's a wonderful revolution in local community, and it's thanks
to everyone who shows up.
Meetups aren't about 9/11, but they may not be happening if it
weren't for 9/11.

9/11 didn't make us too scared to go outside or talk to
strangers. 9/11 didn't rip us apart. No, we're building new
community together!!!!

The towers fell, but we rise up. And we're just getting started
with these Meetups.

Scott Heiferman (on behalf of 80 people at Meetup HQ)
Co-Founder & CEO, Meetup
New York City
September 2011

Saturday, September 10, 2011

The “Half-life” of a bitly link is about 3 hours

Hilary Mason, Chief Scientist at bitly, a large link shortening service, has done an analysis on some of their link data to get an idea of how long links remain "alive" or "popular". The method was to take 1,000 links, graph the number of hits each link received over 80,000 seconds (almost a day), and then determine the point in that period by which half of the total number of hits had been received. From the post

So we looked at the half life of 1,000 popular bitly links and the results were surprisingly similar. The mean half life of a link on twitter is 2.8 hours, on facebook it’s 3.2 hours and via ‘direct’ sources (like email or IM clients) it’s 3.4 hours. So you can expect, on average, an extra 24 minutes of attention if you post on facebook than if you post on twitter.

Running the data yielded the following graph, showing a strong power law decay for Facebook, Twitter and direct links (links shared via email and instant messengers), but a delayed curve for YouTube.


What Mason computed would more accurately be called the median rather than the half-life, since she is interested in the first point in time that divides the hits received over the period into two roughly equal sets; a half-life proper assumes an exponential decay, which the power law curves do not follow. More discussion on this point is given in the comments to the post. The conclusion from the post

In general, the half life of a bitly link is about 3 hours, unless you publish your links on youtube, where you can expect about 7 hours worth of attention. Many links last a lot less than 2 hours; other more sticky links last longer than 11 hours over all the referrers. This leads us to believe that the lifespan of your link is connected more to what content it points to than on where you post it: on the social web it’s all about what you share, not where you share it!

A while back I posted on the half-life of patching vulnerabilities being 30 days, and there we probably have the same confusion with the sample median. I also noted the attrition of my own links in the Shark Fin posts.

Friday, September 9, 2011

Two victories for Randomness

I recently came across two smallish examples where randomness was the solution to a perplexing problem. That is, rolling the dice helps you out of a situation where a planned method was not giving you what you wanted.

The first issue is the problem of how to board passengers onto a plane. Finding the best way to board people is actually a well-studied problem, both theoretically and in practice, and you can see some of the work here. At the top of the same page there is a nice simulation program which shows you how different boarding strategies play out, and random boarding (just calling people to board at random) is better than the usual back-to-front boarding that most of us are familiar with.


The reason is that random boarding gives better utilization of the space in the plane, whereas back-to-front boarding piles people into one part of the plane, eventually causing jams in the aisles. The full set of strategies examined is

  • Back-to-front
  • Rotating-zone
  • Random
  • Block
  • Outside-in
  • Reverse-pyramid

On another topic, a Freakonomics blog post describes how researchers in South Africa are using a randomness trick to get truthful answers from farmers who are suspected of illegally killing leopards and hyenas. The method is called randomized response surveying: when a farmer is asked a potentially incriminating question, he first flips a coin, and based on the result answers yes or no to either the incriminating question (if it was heads) or a harmless question such as "do you think the Springboks will win the RWC?" (if it was tails). The farmers actually used a die, taking specific actions depending on which value from 1 to 6 was thrown, but the principle is the same as I have described it.

The trick here is that the person asking the question cannot tell which question the farmer is answering, but the farmer's answer can still be recorded. Since the interviewer knows the probability with which each question was asked, statistical methods can then recover the proportion of positive answers to the incriminating question from the overall proportion of yes answers, even though no individual answer incriminates anyone. This method was devised in the 60's, and by the early 80's it was being taught at my undergraduate university as part of a first year course.
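To make the arithmetic behind the coin-flip concrete, here is a small simulation of the survey and the estimator that recovers the incriminating rate. This is an added example, not code from the original post or from the South African study. It assumes a fair coin (probability p = 0.5 of being asked the sensitive question) and that the probability q of a "yes" to the harmless question is known or has been estimated separately; the respondents and the true poaching rate of 0.3 are constructed for the example. The die variant from the post is just a different value of p.

```python
"""Randomized response survey (the 'unrelated question' variant): each
respondent privately flips a coin and answers either the sensitive question
(heads) or a harmless one (tails). The interviewer sees only yes/no.

Added example; the farmers, the 0.3 poaching rate and q are constructed.
"""
import random


def simulate_survey(n, true_rate, q, p=0.5, seed=1):
    """Return (n_yes, n) for n constructed respondents.

    true_rate is the hidden fraction who really did the sensitive act,
    q the probability of 'yes' to the harmless question, p the probability
    that the private coin selects the sensitive question.
    """
    rng = random.Random(seed)
    n_yes = 0
    for _ in range(n):
        did_it = rng.random() < true_rate          # hidden truth, never recorded
        if rng.random() < p:                        # heads: sensitive question
            answer = did_it                         # assumed answered truthfully
        else:                                       # tails: harmless question
            answer = rng.random() < q
        n_yes += int(answer)                        # only this is observed
    return n_yes, n


def estimate_sensitive_rate(n_yes, n, q, p=0.5):
    """Recover the sensitive-question yes-rate pi from the observed yes-rate.

    Observed rate lam = p*pi + (1-p)*q, so pi_hat = (lam - (1-p)*q) / p.
    Returns (pi_hat, standard_error); the error is 1/p times that of a
    direct survey, which is the price paid for the respondents' privacy.
    """
    lam = n_yes / n
    pi_hat = (lam - (1 - p) * q) / p
    se = (lam * (1 - lam) / n) ** 0.5 / p
    return pi_hat, se


def posterior_given_yes(pi, q, p=0.5):
    """Deniability check: P(respondent was asked the sensitive question and
    did it | interviewer heard 'yes'). With pi=0.3, p=q=0.5 this is 0.375,
    so a recorded 'yes' is weak evidence against any single farmer."""
    lam = p * pi + (1 - p) * q
    return p * pi / lam


if __name__ == "__main__":
    n_yes, n = simulate_survey(20_000, true_rate=0.3, q=0.5)
    pi_hat, se = estimate_sensitive_rate(n_yes, n, q=0.5)
    print(f"estimated rate {pi_hat:.3f} +/- {se:.3f} (constructed truth 0.3)")
    print(f"P(did it | said yes) = {posterior_given_yes(0.3, 0.5):.3f}")
```

Two things worth noticing when running it: on small samples the estimator can come out below zero or above one (it is unbiased but noisy, and the noise grows as p shrinks), and the posterior shows the trade-off the farmers rely on, since lowering p gives each respondent more deniability at the cost of a wider confidence interval for the researchers.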