Friday, October 7, 2011

Crypto from Tesco

You can now order the new Block Cipher Companion book from Tesco’s, just published this month. I have seen an earlier draft and the text is very detailed and comprehensive, as you would expect from authors of this caliber.

Tuesday, October 4, 2011

Xobni becomes Smartr

I recently posted about the reads on my Scribd collection, and one of the most frequently read is the master’s thesis by the founder of Xobni (inbox spelt backwards) called How to Organize Email. There is a new version of this software called Smartr for Gmail and you can watch a video on its features.

Sunday, October 2, 2011

Yoda Pie Chart - there is no Try

Love it, from Flowing Data.


150,000 reads of my Scribd documents

I have uploaded about 200 documents to Scribd over the last few years and the number of reads has just passed 150,000. You can see the categories here. The top 5 documents, each with over 3000 reads, are

Thursday, September 29, 2011

The Other Binomial Expansion

From this collection of creative exam answers.


Monday, September 26, 2011

SHA post as SPAM magnet

Don’t ask me why but a lot of SPAM has accrued, and keeps accruing, at this May 2009 post on SHA-1. Apart from the common penis enlargement references, some of the other SPAM is quite long and seems to be playing on some quirk of SEO. Fine.

Sunday, September 25, 2011

Fibonacci Pigeons

This just made me laugh.


Thursday, September 22, 2011

These aren’t the key management systems you are looking for

This is a nice presentation on enterprise key management issues from Anthony Stieber given at the 2nd IEEE Key Management Summit (KMS 2010). The main message is that KMS is tricky and don’t roll your own. By the way if you are looking for examples of PowerPoint that break all the rules for good presentations, then you will find them here.


Also there is a very polished and informative presentation from Chris Kostick of E & Y on an enterprise key management maturity model, and below is a comprehensive diagram on the life-cycle management of keys.


Liability for Risk Decisions

I am currently in-between positions, somewhat happily, and am casting my net of interest a bit wider than my traditional roles in IT Security and Risk. One position that caught my eye from a global reinsurer in town was the role of Earthquake Expert within their Natural Catastrophe department (or Nat Cat in insurance lingo). I really don’t have any specific background in this area but I sometimes entertain the idea that I can transfer hard-learnt crypto math skills into a numerate role like this one which calls for extensive modeling and prediction. You also think that this might be a nice and cozy niche area to ply your trade as a specialist, holding something of a privileged position.

Well I was disabused of any such notion this week when I read that six Italian scientists and a former government official are being put on trial for the alleged manslaughter of the 309 people who died in the 2009 L'Aquila earthquake in Italy.

The seven defendants were members of a government panel, called the Serious Risks Commission (seriously), who were asked to give an opinion (or risk statement) on the likelihood that L'Aquila would be struck by a major earthquake, based on an analysis of the smaller tremors that the city was experiencing over the previous few months. The panel verdict delivered in March stated that there was "no reason to believe that a series of low-level tremors was a precursor to a larger event". A week later the city suffered an earthquake of magnitude 6.3 on the Richter Scale, denoting a “strong quake”.

The crux of the case against the scientists is that they did not predict the strong quake coming to L'Aquila to allow a proper evacuation of its inhabitants. The defense rebuttal is simply that such a prediction is impossible, and they cannot be held accountable for this unreasonable expectation. The scientists cannot be expected to function as a reliable advanced warning system. The international scientific community has weighed in to support the defendants with a one-page letter from the American Association for the Advancement of Science, which supported the scientists by saying that there is no reliable scientific process for earthquake prediction, and they should not be treated as criminals for adhering to the accepted practices of their field.

Recently people were evacuated from New York City as a precaution against the impact of Hurricane Irene. The hurricane passed by New York causing far less extensive damage than expected, and yet there were still complaints from residents about being asked to leave their homes “unnecessarily”. It seems that authorities cannot win in these matters unless they can predict the future accurately.

Wednesday, September 14, 2011

PageRank Increment for No Tricks


Every now and again I run this blog through the free Website Grader tool which measures your site on a variety of criteria, hoping to lure you for a more thorough paid analysis. The tool used to report a PageRank value, and No Tricks seemed to be stuck at 3 for quite a few years. The site now uses their own page ranking metric, which reported a value higher than 3. I was overjoyed and eagerly confirmed that the “true” PageRank metric had also increased from 3 to 4, representing some form of “exponential” improvement since the scale is logarithmic. I can now claim that the No Tricks site has gone from being of “low importance” to being of “medium importance”. Fine, I’ll take it.

Incidentally, I wrote a short introduction to the mathematics of PageRank a few years back, with a security spin.

Jesus and spending a trillion dollars

Amit Agarwal at Digital Inspiration has put together some information on just how big the number one trillion actually is, in human-sized terms. We have heard a lot about trillions of dollars in the context of the credit crisis and, more recently, in the debate over the US budget deficit. Not to mention that Facebook recently reported that their total number of page views has passed the one trillion mark.

Agarwal started by reporting the following Biblical metaphor

If you start spending a million dollars every single day since Jesus was born, you still wouldn't have spent a trillion dollars by today.

And in terms of a diagram, Agarwal takes a single 100 dollar US bill, and represents larger values as


Extending further, a trillion dollars then requires a football field of space, as shown below, with our human-sized man dwarfed in the bottom left corner.


Can you win the lottery too many times?

Last year I posted on The Fabled 25 Sigma Event, referring to a quote from David Viniar, then CFO of Goldman Sachs, who was attempting to describe the magnitude of the movements in the financial markets. Mr. Viniar probably did not fully understand the implications of what he was saying, since a 25 sigma event translates into a phenomenon occurring once every 10^{135} years - a period of time that we have yet to see even a fraction of. Several researchers at the business school of the University College Dublin gave another interpretation of how unlikely this event was by stating that it equates to winning the UK lottery more than 20 times in a row.

Winning the lottery 20 times does seem very unlikely. Recently a woman won the Texas lottery for the fourth time in the last 10 years or so, accumulating prize money of just over 20 million USD, and is being scrutinized by the press for potential fraud. There is a lot of suspicion about the luck of Joan Ginther (pictured below) and her winning streak. Googling on “4 time lottery winner” produces pages of articles on Ginther’s supposed luck.


Nathaniel Rich ran an interesting 4-page story in the August issue of Harper’s magazine, where he visits the small Texas town of Bishop to look at the lone town store where three of the winning tickets were purchased. Rich spoke to enough mathematics professors beforehand to determine that the odds of an individual winning four times by pure luck are extremely low indeed, about 10^{-24}, or a practical impossibility (still “far more likely” than a 25 sigma event though). The alternate scenarios are (1) an inside job potentially amongst the state lotteries and their suppliers, (2) cracking the parameters of the pseudo-random number generator for selecting the winners, and (3) dumb luck, or increasing your odds of winning by buying many tickets. The most likely answer seems to be a combination of (2) and (3).

The local town people are going with scenario 3 or just ascribing it to pure luck outright, as there is a strong (American) belief that everyone can be a winner. Getting back to those 25 sigma events, it seems then that no one would actually be able to win the UK lottery over 20 times as they would be suspected of foul play, and likely to find themselves arrested way before that many wins. Perhaps Mr. Viniar should have been arrested for his remarks.

Tuesday, September 13, 2011

An unexpected business model for Angry Birds

Rovio, the company that developed Angry Birds, recently announced at the Techcrunch Disrupt conference that they are now selling more than one million Angry Birds T-shirts and toys each month. That’s after 350 million downloads of the game. What a business model, if they were intending it, and a movie deal is apparently in the works as well. Oh yes, and a theme park. So it seems it is possible to use a mobile game as the basis to leverage the creation of real world profits.

All Eyes on Facebook

A recent social media report from Nielsen’s shows, amongst other things, that Facebook dominates our attention on the Internet, larger in terms of minutes of face time than the four next most popular social media sites. Business Insider produced the following chart based on Nielsen’s data


It was recently (and widely) reported that the number of page views on Facebook passed the 1 trillion mark, but that figure has been disputed. In any case, all internet paths seem to lead to Facebook one way or the other.

Sunday, September 11, 2011

A short touching remark on 9/11

I am stepping out more of late, meeting new people and doing new things, which has seen me doing far less blogging over the last year. One of the sites I use to find things to do is Meetup in the Zurich locality. I received the following email from the founder today who relates how the origin of the service was 9/11, and his intention was to “use the internet to get people off the internet”,

Fellow Meetuppers,
I don't write to our whole community often, but this week is
special because it's the 10th anniversary of 9/11 and many
people don't know that Meetup is a 9/11 baby.
Let me tell you the Meetup story. I was living a couple miles
from the Twin Towers, and I was the kind of person who thought
local community doesn't matter much if we've got the internet
and tv. The only time I thought about my neighbors was when I
hoped they wouldn't bother me.

When the towers fell, I found myself talking to more neighbors
in the days after 9/11 than ever before. People said hello to
neighbors (next-door and across the city) who they'd normally
ignore. People were looking after each other, helping each
other, and meeting up with each other. You know, being

A lot of people were thinking that maybe 9/11 could bring
people together in a lasting way. So the idea for Meetup was
born: Could we use the internet to get off the internet -- and
grow local communities?

We didn't know if it would work. Most people thought it was a
crazy idea -- especially because terrorism is designed to make
people distrust one another.
A small team came together, and we launched Meetup 9 months
after 9/11.

Today, almost 10 years and 10 million Meetuppers later, it's
working. Every day, thousands of Meetups happen. Moms Meetups,
Small Business Meetups, Fitness Meetups... a wild variety of
100,000 Meetup Groups with not much in common -- except one

Every Meetup starts with people simply saying hello to
neighbors. And what often happens next is still amazing to me.
They grow businesses and bands together, they teach and
motivate each other, they babysit each other's kids and find
other ways to work together. They have fun and find solace
together. They make friends and form powerful community. It's
powerful stuff.

It's a wonderful revolution in local community, and it's thanks
to everyone who shows up.
Meetups aren't about 9/11, but they may not be happening if it
weren't for 9/11.

9/11 didn't make us too scared to go outside or talk to
strangers. 9/11 didn't rip us apart. No, we're building new
community together!!!!

The towers fell, but we rise up. And we're just getting started
with these Meetups.

Scott Heiferman (on behalf of 80 people at Meetup HQ)
Co-Founder & CEO, Meetup
New York City
September 2011

Saturday, September 10, 2011

The “Half-life” of a bitly link is about 3 hours

Hilary Mason, Chief Scientist at bitly, a large link shortening service, has done an analysis on some of their link data to get an idea of how long links remain “alive” or “popular”. The measure was to look at 1,000 links and graph the number of hits that a link receives over 80,000 seconds (almost a day), and then determine the point over that period where half of the total number of hits were received. From the post

So we looked at the half life of 1,000 popular bitly links and the results were surprisingly similar. The mean half life of a link on twitter is 2.8 hours, on facebook it’s 3.2 hours and via ‘direct’ sources (like email or IM clients) it’s 3.4 hours. So you can expect, on average, an extra 24 minutes of attention if you post on facebook than if you post on twitter.

Running the data yielded the following graph, showing a strong power law for Facebook, Twitter and direct links (links shared via email, and instant messengers), but a delayed curve for YouTube.


What Mason computed would more accurately be called the median rather than the half-life, since she is interested in the first point in time that divides the total number of hits for the period into two roughly equal sets. More discussion on this point is given in the comments to the post. The conclusion from the post

In general, the half life of a bitly link is about 3 hours, unless you publish your links on youtube, where you can expect about 7 hours worth of attention. Many links last a lot less than 2 hours; other more sticky links last longer than 11 hours over all the referrers. This leads us to believe that the lifespan of your link is connected more to what content it points to than on where you post it: on the social web it’s all about what you share, not where you share it!

A while back I posted on the half-life of patching vulnerabilities being 30 days and there we probably have confusion with the sample median as well. I also noted the attrition for my own links in Shark Fin posts.

Friday, September 9, 2011

Two victories for Randomness

I recently came across two smallish examples of where randomness was the solution to two perplexing problems. That is, rolling the dice seems to help you out of a situation where a planned method was not giving you what you wanted.

The first issue is the problem of how to board passengers on a plane. Finding the best way to board people is actually a well-studied problem, both theoretically and in practice, and you can see some of the work here. At the top of the same page there is a nice simulation program which shows you how different boarding strategies play out, and random boarding (just calling out people to board at random) is better than the usual front-to-back boarding that most of us are familiar with.


The reason is that random boarding gives a better utilization of the space in the plane whereas front-to-back boarding piles people into one part of the plane, eventually causing jams in the aisles. The full set of strategies examined are

  • Back-to-front
  • Rotating-zone
  • Random
  • Block
  • Outside-in
  • Reverse-pyramid

On another topic, a Freakonomics blog post describes how researchers in South Africa are using a randomness trick to get truthful answers from farmers who are suspected of illegally killing leopards and hyenas. The method is called randomized response surveying, where when the farmers are asked potentially incriminating questions they first flip a coin, and based on the result give a yes or no answer to either the incriminating question if it was heads, or a harmless question (do you think the Springboks will win the RWC?) if it was tails. The farmers actually used a die, taking specific actions on which value from 1 to 6 was thrown, but the principle is the same as I have described it.

The trick here is that the person asking the question cannot tell which question the farmer is answering, but the farmer’s answer can be recorded. Statistical methods can then be used to determine the distribution of answers for the two questions, and actually make inferences about the proportion of positive answers to the incriminating question. This method was devised in the 60’s, and by the early 80’s it was being taught at my undergraduate university as part of a first year course.
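The coin-flip version of randomized response described above, as an added Python example (not code from the original post or from the study). It assumes a fair coin and that the yes-rate of the harmless question is known in advance; the function names and sample rates are hypothetical, and the survey data is simulated.

```python
import math
import random


def survey(true_rate, harmless_rate, n, rng, p_heads=0.5):
    """Simulate n respondents and return only what the interviewer records.

    true_rate     -- real fraction who would answer yes to the sensitive question
    harmless_rate -- fraction who answer yes to the harmless question (assumed known)
    """
    answers = []
    for _ in range(n):
        if rng.random() < p_heads:
            # Heads: answer the sensitive question truthfully.
            answers.append(rng.random() < true_rate)
        else:
            # Tails: answer the harmless question instead.
            answers.append(rng.random() < harmless_rate)
    return answers


def estimate_sensitive_rate(answers, harmless_rate, p_heads=0.5):
    """Recover the sensitive yes-rate from the pooled answers.

    P(yes) = p_heads * pi + (1 - p_heads) * q, so
    pi = (P(yes) - (1 - p_heads) * q) / p_heads.
    Returns (estimate clamped to [0, 1], standard error).
    """
    n = len(answers)
    yes = sum(answers) / n
    pi_hat = (yes - (1 - p_heads) * harmless_rate) / p_heads
    # The coin halves the information per answer, so the error is
    # inflated by 1 / p_heads compared with asking everyone directly.
    se = math.sqrt(yes * (1 - yes) / n) / p_heads
    return max(0.0, min(1.0, pi_hat)), se


def posterior_given_yes(true_rate, harmless_rate, p_heads=0.5):
    """P(respondent has the sensitive trait | recorded answer is yes).

    This is what a single recorded yes reveals about one individual,
    assuming the two questions are answered independently.
    """
    p_yes_given_trait = p_heads + (1 - p_heads) * harmless_rate
    p_yes = p_heads * true_rate + (1 - p_heads) * harmless_rate
    return true_rate * p_yes_given_trait / p_yes


def demo(seed=2011):
    rng = random.Random(seed)
    # Constructed sample: 20% true rate, harmless question is a 50/50 split.
    answers = survey(true_rate=0.2, harmless_rate=0.5, n=20000, rng=rng)
    estimate, se = estimate_sensitive_rate(answers, harmless_rate=0.5)
    return estimate, se, posterior_given_yes(0.2, 0.5)


if __name__ == "__main__":
    est, se, post = demo()
    print(f"estimated sensitive rate: {est:.3f} +/- {1.96 * se:.3f}")
    print(f"P(trait | a single yes):  {post:.3f}")
```

The aggregate rate is recovered to within about a percentage point, while a single recorded yes only raises the probability for that individual from 20% to roughly 43%, which is the deniability that makes truthful answers safe to give.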

Sunday, August 7, 2011

Green IT Swiss Data Center presentation

Here is a short presentation on a relatively new data center in the west of Zurich that is designed to be green and secure.  More information at, and the language can be changed to English in the upper right corner.

US Grade Inflation Study

A recent study has examined the prevalence of grade inflation at US universities over the last 100 years or so, and has found some identifiable patterns. The chart below shows the increase in grades between various types of schools in the primary colors, with the grey representing unnamed individual schools.


What is clear is that there was a huge increase in grades in the 60’s and then a steady increase over the last 30 years or so. From the study

The rise in grades in the 1960s correlates with the social upheavals of the Vietnam War. It was followed by a decade period of static to falling grades. The cause of the renewal of grade inflation, which began in the 1980s and has yet to end, is subject to debate, but it is difficult to ascribe this rise in grades to increases in student achievement. Students’ entrance test scores have not increased (College Board, 2007), students are increasingly disengaged from their studies (Saenz et al., 2007), and the literacy of graduates has declined (Kutner et al., 2006). A likely influence is the emergence of the now common practice of requiring student-based evaluations of college teachers. Whatever the cause, colleges and universities are on average grading easier than ever before.

Further, science and engineering students are graded more harshly than their fellow students in liberal arts degrees.

A 10% Tipping Point Threshold

Scientists at Rensselaer Polytechnic Institute have recently published research into social networks which indicates that when just 10 percent of a network steadfastly holds a given belief, then that belief will eventually be adopted by the majority of the society. This group of 10% “believers” is referred to as a committed minority.

Even though the research has produced quite a bit of press (see here and here for example) it is a little difficult to say how the result was arrived at. The abstract of the paper states that

We show how the prevailing majority opinion in a population can be rapidly reversed by a small fraction p of randomly distributed committed agents who consistently proselytize the opposing opinion and are immune to influence. Specifically, we show that when the committed fraction grows beyond a critical value p_c ≈ 10%, there is a dramatic decrease in the time T_c taken for the entire population to adopt the committed opinion. In particular, for complete graphs we show that when p < p_c, T_c ~ exp[α(p)N], whereas for p > p_c, T_c ~ ln N. We conclude with simulation results for Erdős-Rényi random graphs and scale-free networks which show qualitatively similar behavior.

It seems that they are using a model for the spread of opinion overlaid on various network topologies, starting with the complete graph (everyone knows everyone), then scale free, and a simulation of a random graph process. The results are strengthened by finding the 10% threshold present in each topology. Even so, the following graph was not that informative for me.


I think I will have to wait to get a copy of the paper to make full sense of the result. Reported in Freakonomics.

Friday, August 5, 2011

iPhone Passcode Bias

An informal study, based on collecting just over 204,000 iPhone passcodes, produced the graphic below on the top ten most common passcodes


The author concludes that

Formulaic passwords are never a good idea, yet 15% of all passcode sets were represented by only 10 different passcodes (out of a possible 10,000). The implication? A thief (or just a prankster) could safely try 10 different passcodes on your iPhone without initiating the data wipe. With a 15% success rate, about 1 in 7 iPhones would easily unlock--even more if the intruder knows the users’ years of birth, relationship status, etc.

DIPK Graphic

From Flowing Data

Mark Johnstone uses a cake metaphor to represent data, presentation, and what you gain.

Don’t like the last shot for knowledge. Perhaps lots of smaller cakes?


Monday, June 6, 2011

Block Cipher Bible coming

There is a new and authoritative block cipher book soon to be published, by my good friend Lars Knudsen and my respected colleague Matt Robshaw. These are two of the top experts in the field – both veterans of the AES selection process and long time contributors to understanding why and what makes a good - or simply not a bad - block cipher. The book will be available this year and you can pre-order from Amazon right now.


A Loch Ness Month

The graph below from Google Analytics shows the reading “humps” of my blog with unusual clarity. Typically readership tapers off on the weekend and picks up as the work week commences. You can see the peaks and valleys for the weekends quite clearly below, and it reminded me of those famous Loch Ness humps. Thanks to the 2000+ visitors in May, even when I am struggling to find the time for meaningful posts.


Monday, May 2, 2011

ISACA Risk Assessment Guidelines

I uploaded a 15 page guideline from ISACA for audit risk assessments to my Scribd collections. The document gives a reasonable overview of how a standard IT audit assessment can be enhanced from a risk perspective, taking into account additional factors beyond controls and their gaps.

Thursday, April 14, 2011

No Tricks recently passed 50,000 visitors

Just a short note to say that the number of visitors to the No Tricks blog recently passed the 50,000 mark, which was very satisfying for me. The blog has been running since September 2008, starting out with just a few posts but then building up slowly to around 250 now. You can see the monthly increase in visitors below, and some other statistics from Google Analytics.


Tuesday, April 5, 2011

How many users does Twitter have?

A nice power law looking graph from Business Insider on the properties of Twitter users, and about 175 million Twitter accounts have been registered to date. But how many of those accounts are actually active and being used? Hard to say it seems. The article reports on digging into the Twitter API and finding that

Using data that is now just one month old, he found out that…

  • There were 119 million Twitter accounts following one or more other accounts.
  • There were 85 million accounts with one or more followers.

With these figures, and Twitter's claim of 175 million accounts, a little subtraction shows us that there are 56 million Twitter accounts following zero other accounts, and 90 million Twitter accounts with zero followers.


Saturday, March 26, 2011

Freehaven papers on Anonymity

I have not looked at the Freehaven site for some time, but just a reminder that there is a huge collection of research papers sourced, tracing the history of anonymity systems, MIXES and other PETs. The collection was well-attended to up till the end of last year but is missing updates for 2011 so far. I am sure that they will come. BibTeX references for the papers as well.

Trust and security in the cloud

The Register has published a new 16-page whitepaper on trust and security in cloud computing, with the key findings being

  • Many companies could do much better when it comes to in-house security
  • SaaS adoption is limited currently, but there is increasing interest from the business
  • The biggest impediment to SaaS adoption is a perception of security issues
  • Companies with experience of SaaS are positive about provider security
  • SaaS is likely to help with shortcomings of on-premise security capabilities

The whitepaper was written from data gathered in an online survey with over 500 participants. Amongst the many tabulated responses to the survey there is an interesting list of the ways data can exit from corporate boundaries.


Saturday, March 12, 2011

iPad Competition is Toast

Business Insider recently reported that the iPad is outselling the competition about 4-to-1. So for security professionals, the iPad is the platform to focus on for risk assessments.


An example of redundancy in English

After I apologized too often for my bad typing, my sister-in-law sent me the following text to demonstrate that our brain can understand words even if only the first and last letters are correct
Yet aoccdrnig to a sudty at Cmabrigde Uinervtisy, it deosn’t mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a ttoal mses and you can sitll raed it wouthit a porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe.
Apparently this text is well-known to language people!

Saturday, January 29, 2011

24 minutes with Bill Gates on career choices

In April last year Bill Gates addressed a collection of students at Harvard for 24 minutes on the topic of where to devote your talents. It is well-known that Gates dropped out of Harvard in the mid 70’s to develop his fledgling software company. He was returning as a philanthropist on this occasion, armed with the following question “Are the brightest minds working on the most important problems?”. And clearly he does not think so, as it appears many of the top minds in the US are going into sports, entertainment or finance. In fact, “The allocation of IQ to Wall Street is higher than it should be.” You can find the video of the talk here.