Saturday, November 26, 2011

Random Thoughts

Richard Feynman is one of my heroes, as much for his brilliance and creativity as for his sense of humor, his matter-of-fact view of the world, and his unassuming and, well, human personality. Years ago, as I read his autobiography, Surely You're Joking, Mr. Feynman, I couldn't help thinking I would have loved to work with him. Maybe, just maybe, I might have absorbed some of the Feynman genius (or at least some of the Feynman humor) through osmosis. But I also wonder if he'd approve of my curiosity and quirky thoughts, or if he'd just shake his head and wonder if I'd ever get it right. The first chapter of his autobiography is titled "He Fixes Radios by Thinking!" But my version, one of the highlights of my career, might've been called "He Fixed a Critical Product Flaw by Accident."

I was an engineer at a tiny company, building a family of devices that still make me proud. Before most people had even heard of the Internet, our appliances let our customers connect their computers over the telephone or a network to their remote electronic equipment: the PBXes that ran their telephone systems, their network switches and routers, their alarm systems, you name it. If you could talk to it electronically, we'd figure out how to connect you to it. Better still, we could program our devices to monitor that equipment, diagnose any faults, and page a technician if we couldn't fix the problem automatically. Then the technician could access our device with his computer, connect through it to his own equipment, and fix it without leaving home!

Of course, we didn't want to open the proverbial barn door to anyone with a computer, so we built some heavy-duty security into all of our products, many of which are still considered state-of-the-art. The details were too complicated for our average customer, so we tucked them inside a fairly simple, friendly interface. So simple, in fact, that we often taught our computer-savvy customers how to write their own programs to make our devices do almost anything they could want. Seriously: anything that involved communication, monitoring, and alarming. One customer bolted them to cell phone towers. Why? You've seen the flashing red lights on top of those towers, the ones that warn pilots to keep their aircraft a safe distance away? Well, this customer wanted to monitor the lights, start a diesel generator if the power failed, and page a technician any time a light stopped working. We did that.

One particular training was held at our office during the holiday season. I sat in, partly to meet the customers, partly to see how our products were used "for real," and partly because it's an absolute treat to be in one of Mike's classes. One of the company's founders, Mike is among the smartest and most entertaining people on the planet. He's done engineering, programming, training, tech support, tech writing, sales, ... and there are only a handful of people who can do any one of those jobs as well as he did. He also has a wonderful sense of play and humor.

To start the class, Mike showed us how to write a program to turn the lights on the device on and off. First we turned them all on, then all off. Then we lit them in sequence, in pairs, and in reverse order. Since it was close to the holidays (and because we wanted to demonstrate our random number generator), he suggested we flash them randomly, like the lights on a Christmas tree.

That was when I unwittingly started channeling Feynman.

I asked innocently, "What does random mean?" Which sparked a rather animated discussion: one customer suggested that each light should turn on and off the same number of times as every other one. "If we flash the first light 3 times, then the second one 3 times, and so on, is that random?" We agreed there's something more to randomness, but after a few minutes we still hadn't satisfied ourselves with a working definition. Seizing what to this day has still been my only opportunity to use the math I'd learned in graduate school, I explained that a sequence is random if no part of it "looks like" any other part, and that we can actually measure randomness with a function called an autocorrelation. (If you follow the link, don't let the fancy math symbols fool you: it's not nearly that complicated. You just write the sequence, then write it again starting with the second number. Then you multiply the pairs of numbers together and take their average. Repeat the process starting with the third number, and then the fourth, and so on, shifting it by one more number each time. The lower the averages are, the "more random" the sequence.)

That's when Mike told us that our devices actually had two random number generators. The first is your ordinary, run-of-the-mill random number generator. The second starts with an "ordinary" random number and then encrypts it, the idea being that the encryption makes it "more random." But we couldn't verify the theory because no one knew how to test it. Until now. I ran back to my desk during an aptly timed break and returned shortly with two graphs. And, indeed, the encrypted random number generator produced an autocorrelation with averages that were far lower than the "normal" generator. Except for a single point on the graph, which spiked far too high. Hmm.... That can't be right.

"What's that?" Mike asked me.

"I ran it several times," I answered, "and the spike is always there. That's a bug in our code."

"Really? Where?"

"I have no idea. But I'll let you know before the end of the class."

Sure enough, after a bit of digging, I found a variable in one of the encryption routines that hadn't been initialized properly. Instead of starting off at 0, it was left with whatever value happened to be in its particular location in memory when the program ran. Mike asked me what effect the bug would have on the operation of the device. I told him that, since the routine ran only when a user logged in, and the variable could hold 256 possible values, then one time in 256 you'd type the correct password and be denied access.

Mike told me that, over the course of a decade, he was absolutely certain it had happened to him twice.

I promised that it would never happen again.
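The autocorrelation test described in this post, written out as an added example (it is not the device's code or the analysis actually run that day). It centres and normalizes the values, which is an assumption beyond the post's description, and it runs on two constructed byte streams: a clean one and one with a planted, hypothetical repeat defect, unrelated to the actual bug, that shows up as a single spike.

```python
import random

def autocorrelation(seq, max_lag):
    """Average product of the sequence with itself shifted by each lag.

    Assumption added here: values are centred on their mean and divided by
    the variance, so an unrelated shift averages near 0 and an exact repeat
    scores 1.
    """
    n = len(seq)
    mean = sum(seq) / n
    centred = [x - mean for x in seq]
    var = sum(c * c for c in centred) / n
    if var == 0:
        raise ValueError("a constant sequence has no autocorrelation")
    acf = {}
    for lag in range(1, max_lag + 1):
        pairs = n - lag
        total = sum(centred[i] * centred[i + lag] for i in range(pairs))
        acf[lag] = total / pairs / var
    return acf

def spikes(acf, n, sigmas=6.0):
    """Lags whose average is far outside the ~1/sqrt(n) chance level."""
    threshold = sigmas / n ** 0.5
    return [lag for lag, r in sorted(acf.items()) if abs(r) > threshold]

def constructed_streams(n=4096, period=7, seed=2011):
    """Constructed sample data: a clean byte stream, and a copy in which
    every even position repeats the byte `period` places earlier."""
    rng = random.Random(seed)
    clean = [rng.randrange(256) for _ in range(n)]
    flawed = list(clean)
    for i in range(period, n):
        if i % 2 == 0:
            flawed[i] = flawed[i - period]
    return clean, flawed

if __name__ == "__main__":
    clean, flawed = constructed_streams()
    for name, stream in (("clean", clean), ("flawed", flawed)):
        acf = autocorrelation(stream, max_lag=32)
        print(name, "spike lags:", spikes(acf, len(stream)))
```

A flat autocorrelation only rules out this kind of linear repeat; it does not show that a generator is unpredictable.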

Sunday, October 9, 2011

Stealth Education

A post stolen from one of my comments on this discussion from a LinkedIn group called The Math Connection.

My kids and I play games all the time. Not the formal, "official" kind, but little impromptu ones that present themselves throughout the day. We try to make words from the letters on license plates. We make up new lyrics to songs. We may very well be responsible for the Worst. Puns. Ever.

We play "what if" all the time, which leads to fascinating discussions!

  • What if nobody ever died?

We talked about what it might be like to get older and older, and whether our bodies would age. We talked about all the things we could learn if our lives lasted forever. We even wondered if people would ever learn to get along peacefully, knowing they'd have to live with each other forever. And what would we do when the world filled up with people?

  • What if ice were heavier than water?

We talked about lakes freezing from the bottom up, instead of from the top down, and how fish and the other plants and animals would need to adapt to survive freezing. We talked about ice cubes sitting at the bottom of a glass. We talked about carrying ice from place to place if it were much heavier than water, which is already really heavy.

We ask silly questions.

  • How did Mommy and I know your name when you were born? Maybe we were wrong and your name is really Sandy.
  • Aren't we lucky that the family dog understands English? What if he only understood German?

We ask questions about the way the world works.

  • Why do we ask you to clean up your toys?

We talked about safety. We talked about the importance (and convenience!) of being able to find things when you want or need them. We talked a little about inventory, and how it's hard to know what you have if it's disorganized.

  • Why does it cost more money to have a mortgage than to just pay for a house, and why is it worth it?

We talked about how expensive houses are, compared to salaries. We talked about investing, and about the time value of money. We talked about whether they'd pay a little extra for a toy if it meant they could have it sooner.

We play all sorts of math games.

One of us will pick a number and the others will try to guess it. We'll estimate the number of cars that travel on a highway in a day, or the amount of water we drink in a year. We figure out how long it will take to save up for a new toy.

My wife and I share the belief that learning is—and should be—fun, and our kids have never known differently. To them, learning is just another game.

One day I was trying to show them that they can multiply in their heads. 3 × 1 was easy, as was 3 × 5 when they remembered they have 5 fingers on each hand and 5 toes on each foot. But 3 × 100 baffled them. So I asked, "What's 3 times a hot dog?" They answered, "3 hot dogs!" Then I tried, "What's 3 times a giraffe?" Getting the hang of it, they yelled, "3 giraffes!" "Right. What's 3 times your sister?" Silence for a moment, then, "A big pain in the neck."

Saturday, January 22, 2011

Ubarn Leendgs, Selpling, and Why Yuo’ll Bleivee Antyhnig

This has been going around the Internet:

AOCDRNDICG TO RSCHEEARCH AT CMABRIGDE UINERVTISY, IT DSENO'T MTAETR WAHT OERDR THE LTTERES IN A WROD ARE, THE OLNY IPROAMTNT TIHNG IS TAHT THE FRSIT AND LSAT LTTEER BE IN THE RGHIT PCLAE. TIHS IS BCUSEAE THE HUAMN MNID DEOS NOT RAED ERVEY LTETER BY ISTLEF, BUT THE WROD AS A WLOHE. IF YOU CAN RAED TIHS, PSOT IT TO YUOR WLAL.... OLNY 55% OF PLEPOE CAN.

After looking at the words more carefully, it started to dawn on me that something wasn't quite right. Here's my initial response to the person who posted the fascinating tidbit:

Vrey cevelr, but lkie the mairtjoy of uabrn leendgs, tllaoty irconcert. It semes to be ptetry esay wvnheeer the wrods are sroht, or wehn you cosohe the "ionccerrt" oderr of toshe ltreets emertlexy clefaurly. But as you can see, all it teaks is a few leongr wrods, or a lses convirted onderirg, and it bemoecs fartsnurtig and ducliffit to utsandnerd.

Like so many of the "facts" we find on the Internet, this one simply isn't true. Anyone who wants to "prove" an idea can invent studies and statistics, and it's usually not too difficult to create a supporting example or two. The time invested in the hoax pays off when it goes "viral" because people who find it interesting can spread the misinformation immediately and virtually effortlessly. My counter-example took a bit of work, and I'm not completely sure I caught all the typos, but I'm still snickering at fartsnurtig, ducliffit, and utsandnerd.

I won't go into all of the telltale signs of a hoax, but two glaring give-aways are a very vague citation of a reputable authority (Cambridge University, here) and an amazing statistic that makes you feel special or superior but simply doesn't make sense if you think about it:

Wait: if the oerdr of the ltteres doens't mtater, then why can olny 55% of plepoe raed it? Does taht maen the oethr 45% are illeritate? Or is it poorf that 87.6% of all statistics are mdae up on the sopt?

One of my favorite quotations of late is David Comins' observation that "People will accept your idea much more readily if you tell them Benjamin Franklin said it first." It's even more true if you butter them up and they trust you.

This is one of the simplest forms of social engineering: a technique for gaining control of something by cajoling or fooling the people responsible for it. Social engineering is disturbingly effective; it's behind phishing scams, identity thefts, credit card frauds, and corporate information leaks. We're bombarded every day by so much "information" that we can't possibly verify it all... and in most cases there's no reason to do so because it doesn't matter very much. But it's a good habit to "filter" the things you read or hear by asking yourself two questions:

  1. Does this make sense?
  2. What does the "informer" stand to gain if you accept the information as fact?

I almost closed this note by telling you that social engineering costs $3 billion in the US alone, and that 45% of corporate losses are due to some form of social engineering. But that wouldn't have been fair because you might have believed me, and I just made up those statistics. So, pelase, keep yuor eeys and yuor mnid oepn!

And remember: "Don't believe everything you read on the Internet." – Abraham Lincoln