Saturday, January 4, 2020

Interchangeable Words? (Part 2: Honesty vs. Integrity)

This is an extract from an article I wrote for the Marine Corps Gazette about when it's okay to lie. Part 1 of this post addresses data vs. information.

Honesty and integrity are frequently used interchangeably – but these two words have a nuanced, yet important difference.

Honesty deals with the past.
Integrity deals with the future.


Honesty means making your words fit reality. More specifically, it's speaking the objective truth about the past without any intention to deceive.

For example, George Washington's father asks him, "George, did you cut down that cherry tree?"

"Father, I cannot tell a lie. Yes, I cut that cherry tree," replies George Washington.

In this example, at least according to fable, George Washington's words fit reality; therefore, his response was an honest one.


Integrity means making reality fit your words. Simply put, it means that you do what you say you are going to do.

George Washington's father tells George, "George, as part of your chores, today, I want you to cut down that cherry tree."

George replies, "Yes, father, I shall cut down that cherry tree."

At the end of the day if George has cut down the tree then he had the integrity to make it happen. In other words, he got results. Integrity is the ability to do what you say you're going to do. It's about executing on your plan.

Interchangeable Words? (Part 1: Data vs. Information)

Part 2 of this post addresses data vs. information.

Some words are used interchangeably, such as prediction vs. forecast. I like to think of a prediction as when we take historical observations and apply it to the future (winters are cold, summers are hot). But that doesn't tell us the weather for tomorrow. For that, we need a forecast where we apply a system of equations to process data for trend analysis.

Data vs Information

Information is processed data. Recording the average temperature, every day, gives us data. Examining that data (processing it) yields the information that summers are hot and winters are cold. In turn, that information can become data in yet another system. 

Wednesday, January 1, 2020

Happy 2020! It's Good to be Alive!

Sometimes it's good to be "unremarkable."
As I labored through my sunset run, today, I recalled the military axiom, "Pain's a good thing, it means you're not dead.” Which reminded me that 20 years ago I had just finished my final round of chemotherapy for late-stage, widespread cancer (stage 4 Hodgkin’s lymphoma).

My last chemo treatment was in December 1999 and, after five years of checkups, my prognosis was cured --- not remission, but fully cured --- to the point that I went back on active duty in the Marines in 2003 and deployed with them to East Africa in 2005. Today, it’s literally like I was never sick. I am lucky.

Human Being, Not Human Doing

Cancer, and my father's unexpected death in 2007, gave me a deeper insight and perspective on life. At that point, I realized I could take two or three years off from corporate America. But I didn't expect a few years to turn into more than a decade of retirement.

People ask me, "What did you do during all that time off?"

My answer's simple, "Nothing," followed up with, "What do you do on weekends? That's what I did most everyday."

Looking back, from one mile high. 
Looking back on all that time off, I see that I learned how to be a human being instead of a human doing. While I did focus on my own personal projects like learning to fly, creative writing, and volunteering, it was my ability to be fulfilled while not accomplishing a single task, in a day. Some might call that lazy; I call it the simple life. La dolce vita.

While the pursuit of happiness is our unalienable right, it does require more than that to be fulfilled. It requires meaning and here's how to make meaning.

Carpe diem and live the dash.

Update: Something I completely failed to mention was I always knew my retirement wouldn't be permanent. Sooner or later, I'd have to return to full time work which I just did in August, and I'm loving it. 

Sunday, December 29, 2019

Copy & Paste Screen Shot Info

I recently received a screenshot of a USPS tracking number. It was well over 20 digits and I found it extremely burdensome, on my phone, to go back-and-forth to copy the numbers from the screenshot to the website. So, I tried something different and it worked...

I said to my HomePod, "Hey, Siri, remind me to 638373947374..." and then a reminder appeared on my To Do list of only the digits which I could easily copy and paste into the post office tracking website.

VoilĂ !

I'm sure this will work equally well with other smart speakers.    

Friday, December 13, 2019


I tried cryotherapy for the first time, today. It's basically the opposite of a sauna. Instead of extreme heat, it's extreme cold.

How cold? About -225°F. Yup, two hundred twenty-five degrees below zero for three minutes.

If pain's a good thing because it means you're not dead then I felt very alive at the end of my three minutes. The hairs on my legs were frosty brittle. I don't know if it had any health benefits – but what are the health benefits of a sauna or steam room? If heat is relaxing, then cold is invigorating.

Three minutes cost $25 and, without an appointment, I was in and out in less than 15 minutes. I only wore my underwear, gloves, and flip flops with socks (not exactly a fashion statement).

The woman administering my treatment, who coincidentally had the same last name as me, chatted with me throughout my session. Probably to make sure I didn't pass out. It was chilly.

Wednesday, December 11, 2019

Investment Litmus Test

I had a discussion about timeshare vacations properties, today. Timeshare sales seminars are notoriously high pressure. They're pitched as an investment... but, even though they can be real property, they're a liability.

The litmus test for an investment is simple. If you buy something, today then you can sell it tomorrow for the same price, less a small amount of fees or commission then it's an investment. Real estate (fee simple) and stocks can be bought today and sold tomorrow for virtually the same price. Gold also falls into this category as an investment. However, cars, jewelry (i.e. diamonds, rubies), and timeshares most certainly do not.

Thursday, November 7, 2019

USPS Informed Delivery

I just signed up for the US Post Office's Informed Delivery which e-mails you a scan of that day's inbound mail. It's very handy and works as advertised.

The USPS started this service as a pilot in 2014 and a few years later they rolled it out to most of the country with more than 15 million. Give it a try – it's free, a bargain at twice the price.

Tuesday, October 15, 2019

Can't Send E-mail More Than 500 Miles

I do love great storytelling...


From: Trey Harris

Here's a problem that sounded impossible... I almost regret posting the story to a wide audience, because it makes a great tale over drinks at a conference. :-) The story is slightly altered in order to protect the guilty, elide over irrelevant and boring details, and generally make the whole thing more entertaining.

I was working in a job running the campus email system some years ago when I got a call from the chairman of the statistics department.

"We're having a problem sending email out of the department."

"What's the problem?" I asked.

"We can't send mail more than 500 miles," the chairman explained.

I choked on my latte. "Come again?"

"We can't send mail farther than 500 miles from here," he repeated. "A little bit more, actually. Call it 520 miles. But no farther."

"Um... Email really doesn't work that way, generally," I said, trying to keep panic out of my voice. One doesn't display panic when speaking to a department chairman, even of a relatively impoverished department like statistics. "What makes you think you can't send mail more than 500 miles?"

"It's not what I think," the chairman replied testily. "You see, when we first noticed this happening, a few days ago--"

"You waited a few DAYS?" I interrupted, a tremor tinging my voice. "And you couldn't send email this whole time?"

"We could send email. Just not more than--"

"--500 miles, yes," I finished for him, "I got that. But why didn't
you call earlier?"

"Well, we hadn't collected enough data to be sure of what was going on until just now." Right. This is the chairman of statistics. "Anyway, I asked one of the geostatisticians to look into it--"


"--yes, and she's produced a map showing the radius within which we can send email to be slightly more than 500 miles. There are a number of destinations within that radius that we can't reach, either, or reach sporadically, but we can never email farther than this radius."

"I see," I said, and put my head in my hands. "When did this start A few days ago, you said, but did anything change in your systems at that time?"

"Well, the consultant came in and patched our server and rebooted it. But I called him, and he said he didn't touch the mail system."

"Okay, let me take a look, and I'll call you back," I said, scarcely believing that I was playing along. It wasn't April Fool's Day. I
tried to remember if someone owed me a practical joke.

I logged into their department's server, and sent a few test mails. This was in the Research Triangle of North Carolina, and a test mail to my own account was delivered without a hitch. Ditto for one sent to Richmond, and Atlanta, and Washington. Another to Princeton (400 miles) worked.

But then I tried to send an email to Memphis (600 miles). It failed. Boston, failed. Detroit, failed. I got out my address book and started trying to narrow this down. New York (420 miles) worked, but Providence (580 miles) failed.

I was beginning to wonder if I had lost my sanity. I tried emailing a friend who lived in North Carolina, but whose ISP was in Seattle. Thankfully, it failed. If the problem had had to do with the geography of the human recipient and not his mail server, I think I would have broken down in tears.

Having established that -- unbelievably -- the problem as reported was true, and repeatable, I took a look at the file. It looked fairly normal. In fact, it looked familiar.

I diffed it against the in my home directory. It hadn't been altered -- it was a I had written. And I was fairly certain I hadn't enabled the "FAIL_MAIL_OVER_500_MILES" option. At a loss, I telnetted into the SMTP port. The server happily responded with a SunOS sendmail banner.

Wait a minute... a SunOS sendmail banner? At the time, Sun was still shipping Sendmail 5 with its operating system, even though Sendmail 8 was fairly mature. Being a good system administrator, I had standardized on Sendmail 8. And also being a good system administrator, I had written a that used the nice long self-documenting option and variable names available in Sendmail 8 rather than the cryptic punctuation-mark codes that had been used in Sendmail 5.

The pieces fell into place, all at once, and I again choked on the dregs of my now-cold latte. When the consultant had "patched the server," he had apparently upgraded the version of SunOS, and in so doing downgraded Sendmail. The upgrade helpfully left the alone, even though it was now the wrong version.

It so happens that Sendmail 5 -- at least, the version that Sun shipped, which had some tweaks -- could deal with the Sendmail 8, as most of the rules had at that point remained unaltered. But the new long configuration options -- those it saw as junk, and skipped. And the sendmail binary had no defaults compiled in for most of these, so, finding no suitable settings in the file, they were set to zero.

One of the settings that was set to zero was the timeout to connect to the remote SMTP server. Some experimentation established that on this particular machine with its typical load, a zero timeout would abort a connect call in slightly over three milliseconds.

An odd feature of our campus network at the time was that it was 100% switched. An outgoing packet wouldn't incur a router delay until hitting the POP and reaching a router on the far side. So time to connect to a lightly-loaded remote host on a nearby network would actually largely be governed by the speed of light distance to the destination rather than by incidental router delays.

Feeling slightly giddy, I typed into my shell:

$ units
1311 units, 63 prefixes

You have: 3 millilightseconds
You want: miles
    * 558.84719
    / 0.0017893979

"500 miles, or a little bit more."

Saturday, October 5, 2019

Tiny House: The Story Behind the Story

This past Tuesday, I was tickled when a local news TV station asked me to share my thoughts about a 200 sq ft furnish shed which was being offered for rent for more than $1,000/month.

Throughout this week, my interview was syndicated to about 100 news outlets. Friends and colleagues, some of whom I hadn't had contact with for many years, reached out to me to say that they saw it on CNN or San Jose Mercury News to name a few.

The Story Behind the Story

About six years ago, I learned that the story, behind the story, is sometimes as interesting as the story itself. Friends who contacted me wanted to know how I ended up on the news. Unlike last time, I did not contact the news. I was simply walking home from a local bakery, with some fresh bread, when I saw a guy recording himself on a video camera. Initially, since he was standing in front of a house with a "For Sale" post, I thought he was a real estate agent.

As I walked by, he asked me if I knew about the shed that was being offered for rent for more than $1,000/month. I told him that I heard about it, a day earlier, when the posting went viral on Reddit. He then introduced himself and asked if he could interview me for his story. Of course, I said yes. He placed a mic on my shirt, turned on the camera, and stood next to it while we had a casual conversation. And then, viola, I was on the Channel 10 Six O'Clock News.

Monday, September 30, 2019

Security Quotes

My favorite security quotes from Bruce Schneier.

Security, when it is working, is often invisible not only to those being protected, but to those who plan, implement, and monitor security systems.
Every one of us, every day of our lives, makes security trade-offs. Even when we’re not thinking of threats or dangers or attacks, we live almost our entire lives making judgments about security, assessments of security, assumptions regarding security, and choices about security.
Security is both a feeling and a reality. We’re secure when we feel protected from harm, free from dangers, and safe from attack. In this way, security is merely a state of mind. But there’s the reality of security as well, a reality that has nothing to do with how we feel. We’re secure when we actually are protected.
Security is always a trade-off, and to ignore or deny those trade-offs is to risk losing basic freedoms and ways of life we now take for granted.
Perfect security is impractical because the costs are simply too high; we would have to treat the whole world as a threatening place and all the people in it as evildoers, when in fact the real threats are not nearly so pervasive. We’d have to create an extremely oppressive regime. But freedom is security. Openness is security. If you want proof, look around you. The world’s liberal democracies are the safest societies on the planet. Countries like the former Soviet Union, the former East Germany, [former] Iraq, North Korea, and China tried to implement large-scale security systems across their entire populaces. Would anyone willingly trade the dangerous openness of the U.S. or most countries in Europe for the security of a police state or totalitarian government?
All security is, in someway, about prevention.
Security is about preventing adverse consequences from the intentional and unwarranted actions of others.
Protecting assets from unintentional actions is safety, not security.
Technology is generally an enabler, allowing people to do things. Security is the opposite: It tries to prevent something from happening, or prevent people from from doing something, in the face of someone actively trying to defeat it.
Five step process to analyze and evaluate security systems, technologies, and practices.
1. What assets are you trying to protect?
2. What are the risks to these assets?
3. How well does the security solution mitigate those risks?
4. What other risks does the security solution cause?
5. What costs and trade-offs does the security solution impose?
A threat is a potential way an attacker can attack a system.
Risk[: to] take into consideration both the likelihood of the threat and the seriousness of a successful attack.
Risk management is about playing the odds. It’s figuring out which attacks are worth worrying about and which ones can be ignored.
Threats determine the risks, and the risks determine the countermeasures.
Insurance ... allows a store to take its risk and, for a fee, pass it off to someone else. It allows the store to convert a variable-cost risk into a fixed-cost expense.
People underestimate risks they willingly take and overestimate risks in situations they can’t control.
In America, automobiles cause 40,000 deaths every year; that’s the equivalent of a full 727 crashing every day and a half - 225 total in a year. As a society, we effectively say that the risk of dying in a car crash is worth the benefits of driving around town. But, if those same 40,000 people died each year in fiery 727 crashes instead of automobile accidents, you can be sure there would be significant changes in the air passengers systems.
People make security decisions based on perceived risks instead of actual risks.
More people are killed every year by pigs than sharks, which shows you how good we are at evaluating risk.
Security systems are never value-neutral; they move power in varying degrees to one set of players from another.
Sometimes it seems those in charge - of governments, of companies - need to do something in reaction to a security problem. Most people are comforted by action, whether good or bad.
At the most basic level, a system is a collection of simpler components that interact to form a greater whole. A machine is is a simple thing, even though it may have different pieces. A hammer is a machine; a table saw is a system. A pulley is a machine; an elevator is a system. A tomahawk is a machine; a Tomahawk cruise missile is a complex system.
The only reliable way to measure security is to examine how it fails - in the context of the assets and functionality it is protecting.
If you can think about security systems in terms of how individual failures affect the whole, you’ll have gone a long way to understanding how security works.
Security usually fails at the seams - at the points where two systems interact - seams between security systems and other systems, seams between parts of a security system.
Security systems can fail in two completely difference ways. The first way is that they can fail in the face of an attack. The door lock fails to keep the burglar out, the airport face-scanner fails to identify the terrorist, or the car alarm is bypassed by a thief. These are passive failures. The system fails to take action when it should. A security system can also fail by doing what it’s suppose to do, but at the wrong time. The door lock successfully keeps the legitimate homeowner out, the airport face-scanner incorrectly identifies an honest citizen as a terrorist, or the car alarm rings when no one is trying to steal the car. These are active failures: The system fails by taking action when it shouldn’t.
The most common security mistake of all is to expend considerable effort combating outsiders while ignoring the insider threat.
A terrorist is someone who employs physical or psychological violence against noncombatants in an attempt to coerce, control, or simply change a political situation by causing terror in the general populace.
The U.S. government has tried to address it [the 9/11 Attacks] by demanding (and largely receiving) new powers of surveillance and data collection. This completely misses the point. The problem isn’t obtaining data, it’s deciding which data is worth analyzing and then interpreting it. So much data is collected - organizations like the NSA suck up an almost unimaginable quantity of electronic communications, the FBI gets innumerable leads and tips, and U.S. allies pass along all sorts of information - that intelligence organization can’t possibly analyze it all.
Basically, there are three ways to authenticate someone: by something he knows, by something he has, and by something he is. All these ways have been used from prehistory until the present day, and they all have different security properties and trade-offs.
When the city of London began putting up house numbers and street signs in the 1760s, people rioted because they didn’t want strangers to be able to navigate through their neighborhoods.
A security protocol is a series of steps that some trusted person carries out, steps designed to enforce some sort of security rules.
Like protocols, procedures are steps that a trusted person carries out. But in security lingo, procedures are exceptions; they’re the things that people do when a security event occurs.
Protocols are the routines trusted people follow day to day; procedure are what they do in response to an anomaly.
Sensible security does not result from fear. Just because anomalies happen doesn’t mean security has failed. The risk of a terrorist attack before 9/11 wasn’t appreciable smaller than the risk of a terrorist attack after 9/11. Before 9/11, European countries mostly had an accurate assessment of their risks. In the U.S., the risks were largely underestimated; many people thought it couldn’t happen there.
To summarize: Prevention is impossible. Mitigation is important. Intelligence and counterattack are critical. And none of this is as effective as addressing the root causes of terrorism.
Spending more money on intelligence and investigation is far more cost-effective, because it targets the attackers, rather than waiting for the attackers to come to the defensive systems.
When you examine the details, only two effective antiterrorism countermeasures were taken in the wake of 9/11: strengthening cockpit doors and passengers learning they need to fight back. Everything else - let me repeat that:  everything else - was only minimally effective, at best, and not worth the trade-offs.
The color-coded threat alerts issued by the Department of Homeland Security are useless today, but may become useful in the future. The U.S. military has a similar system; DEFCON 1-5 corresponds to the five threat alerts levels: Green, Blue, Yellow, Orange, and Red. The difference is that the DEFCON system is tied to particular procedures; military units have specific actions they need to perform every time the DEFCON level goes up or down. The color-alert system, on the other hand, is not tied to any specific actions. People are left to worry, or are given nonsensical instructions to buy plastic sheeting and duct tape.
There’s no way to prevent all future terrorist attacks.
Ironically, the the two years since 9/11, we’ve got the security level mostly right but the costs wildly wrong. The security we’re getting against terrorism is largely ineffective, although it’s probably commensurate with the minimal level of risk that actually exists.
Pundit after pundit has talked about the balance between privacy and security, discussing whether various increases of security are worth the privacy and civil liberty losses. The discussion seems odd to me, because linking the two is just plain wrong.
Security and privacy, or security and liberty, are not two sides of a teeter-totter.
Arming pilots, reinforcing cockpit doors, and teaching flight attendants karate are all examples of security measures that have no effect on individual privacy or liberties.
Unfortunately, the Department of Homeland Security is far more likely to increase the country’s vulnerability to terrorism. Centralizing security responsibility will create a commonality of approach and a uniformity of thinking; security will become more brittle. Unless the new department distributes security responsibility even as it centralizes coordination, it won’t improve the nation’s security.
The dual requirements that security decisions need to be made as close to the problem as possible, and that security analysis needs to happen as far away from the sources as possible make the problem subtle. Security works better if it is centrally coordinated but implemented in a distributed manner.

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.