Category Archives: Sailing

#HeavyD and the Evil Hostess Principle

At this year’s ISACA-SF conference I will present how to stop malicious attacks against data mining and machine learning.

First, the title of the talk uses the tag #HeavyD. Let me explain why I think this is more than just a reference to the hiphop artist or nuclear physics.

The Late Great Heavy D

Credit for the term goes to @RSnake and @joshcorman. It came up as we were standing on a boat and bantering about the need for better terms than “Big Data”. At first it was a joke and then I realized we had come upon a more fun way to describe the weight of big data security.

What is weight?

Way back in 2006 Gill gave me a very tiny and light racing life-jacket. I noted it was not USCG Type III certified (65+ newtons). It seemed odd to get race equipment that wasn’t certified, since USCG certification is required to race in US Sailing events. Then I found out the Europeans believe survival of sailors requires about 5 fewer newtons than the US authorities.

Gill buoyancy aid: awesome race equipment, but not USCG approved

That’s a tangent, but perhaps it helps frame a new discussion. We think often about controls to protect data sets of a certain size, which implies a measure at rest. Collecting every DB we can and putting it in a central Hadoop, that’s large.

If we think about protecting large amounts of data relative to movement then newton units come to mind. Think of measuring “large” in terms of a control or countermeasure — the force required to make one kilogram of mass go faster at a rate of one meter per second:

Newtons

Hold onto that thought for a minute.

Second, I will present on areas of security research related to improving data quality. I hinted at this on Jul 15 when I tweeted about a quote I saw in darkreading.

argh! no, no, no. GIGO… security researcher claims “the more data that you throw at [data security], the better”.

After a brief discussion with that researcher, @alexcpsec, he suggested instead of calling it a “Twinkies flaw” (my first reaction) we could call it the Hostess Principle. Great idea! I updated it to the Evil Hostess Principle — the more bad ingredients you throw at your stomach, the worse. You are prone to “bad failure” if you don’t watch what you eat.

I said “bad failure” because failure is not always bad. It is vital to understand the difference between a plain “more” approach and a “healthy” approach to ingestion. Most “secrets of success” stories mention that reaction speed to failure is what differentiates winners from losers. That means our failures can actually have very positive results.

Professional athletes, for example, are said to be the quickest at recovery. They learn and react far faster to failure than average. This Honda video interviews people about failure, and they say things like: “I like to see the improvement and with racing it is very obvious…you can fail 100 times if you can succeed 1”

So (a) it is important to know the acceptable measure of failure. How much bad data are we able to ingest before we aren’t learning anymore — when do we stop floating? Why is 100:1 the right number?

And (b) an important consideration is how we define “improvement” versus just change. Adding ever more bad data (more weight), as we try to go faster and be lighter, could just be a recipe for disaster.

Given these two, #HeavyD is a presentation meant to explain and explore the many ways attackers are able to defeat highly-scalable systems that were designed to improve. It is a technical look at how we might set up positive failure paths (fail-safe countermeasures) if we intend to dig meaning out of data with untrusted origin.

Who do you trust?

Fast analysis of data could be hampered by slow processes to prepare the data. Using bad data could render analysis useless. Projects I’ve seen lately have added weeks to get source material ready for ingestion: decrease duplication, increase completeness and work towards some ground rule of accurate and present value. Already I’m seeing entire practices and consulting built around data normalization and cleaning.

Not only is this a losing proposition (e.g. we learned this already with SIEM), the very definition of big data makes this type of cleaning effort a curious goal. Access to unbounded volumes with unknown variety at increasing velocity…do you want to budget to “clean” it? Big data and the promise of ingesting raw source material seems antithetical to someone charging for complicated ground-rule routines and large cleaning projects.

So we are searching for a new approach. Better risk management perhaps should be based on finding a measure of data linked to improvement, like Newtons required for a life-jacket or healthy ingredients required from Hostess.

Look forward to seeing you there.

Sailing Safely after the America’s Cup Death

I would like to write about the America’s Cup as I have not yet found a good source of information on recent events.

I am by no means an insider although I admit I’ve been racing high-performance catamarans for over a decade that are similar to AC boat designs and I work in risk management.

Perhaps there’s someone out there who can provide a more authoritative perspective, but in the meantime here’s my amateur and unqualified opinion on what recent accidents may mean for sailing in America.

It is too easy to say loss of life is a reality in high-risk events. Likewise it is too easy to say precautions are the obvious answer. The difficult question is whether the America’s Cup authority, known for bias and gerrymandering for self-serving victories, should be trusted with assessment and decisions on risk.

Are multi-hulls dangerous?

For as long as I can remember sailors in the Bay have discussed that multi-hulls capsize ungracefully and permanently. Trimarans and catamarans were banned in some of the large coastal races I’ve done (Monterey Bay) specifically because event sponsors and support wanted to minimize risk. Believe me, I would have sailed a multi-hull if the option were allowed; we would have cut our race time in half, and less time on the water is arguably safer. Subsequently, over the past three years at least, there has been discussion of whether someone will die when a 72ft carbon platform flips over.

Don’t get too worked up about multi-hulls, however. Speed is an essential ingredient in survival (boats can run from danger) and amateurs on multis in heavy weather have proven they can fare better than monohulls. We also have to admit boats with one hull are statistically more deadly. There are many, many years of data on monohulls involved in tragic and fatal accidents; not least of all was the recent and local Farallones Tragedy.

Mining the data on events like the 1979 Fastnet disaster (15 deaths, 69 monohulls retired) and the 1998 Sydney-Hobart disaster (5 boats sank, 66 boats retired from the race, 6 sailors died, and 55 sailors were taken off their yachts, most by helicopter) has taught us a lot about risk.

One lesson is that chances of survival in difficult weather are significantly higher for boats over 35 feet long. This is related to the engineering. Larger boats are typically made to handle off-shore conditions and more continuous use than day-sailors.

If we dig a little deeper into lesson one, we find lesson two: pushing boats into heavy weather conditions creates unfair or at least unintended competition. Survival conditions impose a completely new set of criteria for success. Sailors of any experience know this well. I can think of at least a dozen hair-raising experiences I have had on boats and even some near-death moments. Here are a few relevant examples:

In 2003 a storm blew through Louisiana that decimated the A-Class Catamaran North American Championships. It was my first major race on a new boat and suddenly I found myself sitting among the top ten competitors in America. Why? I had grown up sailing so it was natural for me to drop into survival mode — get my boat across the line and to shore in one piece. It was sad for me to watch far better sailors, even Olympic medalists, crash and burn. They pushed on with their prior competition as I pulled back, sailing through an asteroid field of broken boats. Only 11 of us finished among more than 40 boats. It was a victory I didn’t want.

Similarly, I found myself crossing the finish line in 17th place at the 2005 A-Class Catamaran World Championships after the wind disappeared. Nearly 100 boats drifted. Again I switched into survival mode, pegged a line of breeze and swooped to a bitter-sweet victory over sailors usually far better than me. Although very exciting to be just seconds from top 15 in the world, it still was not a wanted victory.

First place at SCYC: me sailing an International A-Class Catamaran in light wind

I have many more examples, but in 2012 I took a different role. I rode a rescue jet ski at the A-Class Catamaran North American Championships. I could barely operate the jet ski, the sea state was so rough. Within just a few hours I had rescued one of the best sailors in the world, who had become separated from his boat, as well as towed four capsized, dismasted and exhausted top-tier international competitors to shore. From this experience I wrote a detailed explanation on how to use tow lines and a power-boat to carefully rescue turtled (upside-down) high-performance catamarans.

Perhaps you can see why I want to articulate my thoughts on what is happening after the Artemis catamaran disaster. I’ve been thinking about multihull risk management for a long time.

Why does baseball stop when it rains?

Sailing has weather guidelines. Don’t sail when it’s too windy, don’t sail when it’s not windy. It should be as simple as canceling a tennis match or a baseball game. Instead it’s a complicated debate about who can “handle” risky conditions.

People talk about the Artemis accident in terms of boat sea-worthiness yet that’s not the correct focus of inquiry.

Here’s what I believe to be the real story on the America’s Cup accident. Team Artemis made a critical risk calculation error early in their campaign related to structural design. The boat was compromised when they tried to work around the rules. This led to an eventual critical failure and death.

What was the error? AC rules specify a limited number of days sailing on the water for the first 72 foot platform. This could in theory reduce research and design costs. Instead it created control evasion as teams wanted to source design data.

To get around the “sailing” rule Artemis put their AC72 “big red” on the water without a wing attached. They set out to accumulate data on hulls. Although this avoided using up precious days “on water” it required a different power source. Powerboats were attached by line to pull the platform at speed.

Preparation and study of load is where things went awry; the design of the boat was for wing strain, not arbitrary tow lines. As some might have expected the introduction of intense power loads damaged big red’s structure — the main beam that was designed to sit beneath a wing was cracked. The ultimate failure of “big red” on its last day on the water was related to the main beam failing…again.

Thus I think the Artemis accident should be seen as an unfortunate design failure, but not directly related to sailing. It was a failure to anticipate tow line strain coupled with continuing to sail on a damaged structure. It had nothing to do with abilities of any sailor on board (unlike the Oracle capsize, which was the result of pilot error during extremely difficult weather).

In fact it is easy to see how a wing, due to stiffness and subsequent efficiencies, actually puts less load on the structure than the cloth sails we used to use. So I hope people see why it is important to see that beam damage from being under tow should not be misrepresented as wing load risk or even foiling risk.

If we want to avoid a structural failure risk in future we must consider the Artemis disaster in terms of load edge-cases. Whether it is a tow line or a force 10 gale, applying unanticipated amounts of stress on untested structure is a recipe for surprise. You could say the same for airplanes or any structure. A massive storm, a line tied to the end of a wing…these are dangers to face outside normal operating conditions.

Tragedy and leverage

This leads me to the most controversial aspect of what has happened since the incident. There is a conflict of interest with a competition authority that is paid by the defending competitor. When they rule on design changes we have to ask if they are making decisions based on competitive advantage.

Plus we know that Oracle has been playing catch-up with their design. Their boat clearly was not designed to foil above the water. That is my guess as to why every time you see Oracle 17 in pictures they’re flying a hull, yet the other AC boats are flying level. If you’re foiling you don’t need to sail at any angle, right? You already have your hulls out of the water.

Oracle Hulls Unbalanced

ETNZ Hulls Balanced

This is not to say the Oracle design team is entirely off target. I see some design innovation advantages (i.e. the giant pod beneath the mast assists with flow, effectively extending the force of the wing). The fact remains, however, that a defender playing catch-up to challengers is going to be under pressure to eliminate the gaps. Oracle already has demonstrated they are not above cheating to catch up.

It appears to me at first look that findings, supposedly related to safety, are aimed at eliminating challenger technology that Oracle sees as a threat to their victory. Safety is in danger of being used as an excuse to help the defender win instead of directly addressing real risks.

If Oracle plays a corruption card to win they deserve not only to lose the cup, they should be ashamed for doing exactly what they promised would end with their leadership. The cup has been steeped in a history of cheating and spying for advantage. Using the Artemis tragedy and safety for competitive leverage will take us to a new low.

The burden therefore is upon the defender and their race authority to transparently and clearly explain any required changes in terms of real risk. This is a critical moment of big data analysis of risk for Oracle; it can help or seriously hurt American sailing. I hope they use it wisely.

It’s the Googles! North Korea Edition

Sophie Google’s new blog post, ahem, whoops I mean to say Sophie Schmidt’s new blog post on her trip to North Korea is a fantastic study in culture clash. What a great opportunity she had to travel into a country few Americans get to see.

“In the land of the blind, close one eye” — my Mother

As an aside, I don’t understand why it’s ok for everyone to refer to Sophie as Eric Schmidt’s daughter. Must we put her in that shadow?

In comparison, have you noticed that NO ONE ever mentions that Audax Health’s CEO (Grant Verstandig), a 23 yr old given $21 million to socialize healthcare, is the well-heeled son of Republican politician (Lee Verstandig)?

Served in the Administration of President Ronald Reagan as Assistant Secretary for Government Affairs at the Dept. of Transportation; Acting Administrator of the Environment Protection Agency; Assistant to the President for Intergovernmental Affairs; Under Secretary at the Dept. of Housing and Urban Development; and Chief of Staff to the First Lady.

That Verstandig power and money connection seems more than just a little bit relevant, yet NO ONE ever mentions it. However, EVERYONE qualifies poor Sophie as the daughter of Eric.

The only Verstandig reference I have seen is this: “the son of two government employees”.

Why the vague “son of two gov’t employees” statement? I don’t unverstandig.

Does the family have some reason to hide or downplay the rather obvious father-son link related to US national policy? You probably know where I’m going with this…

Kim Jong-un, the “son of a government employee”

But back to the Googles…Sophie’s perspective is totally fascinating to me. She starts off boldly telling us she is sorry that we may have problems and that she’s not doing anything about it:

…blame Google Sites (and this two-column structure idea of mine) for limited functionality…Apologies to folks with f’d up layouts

I could just end my blog post right here. You probably know where I’m going with this…

Kim Jong-un says “…blame my father…Apologies to folks with f’d up experiences”

That’s the short version. But I can’t just leave it there.

When Sophie apologizes for Google I feel better about the “limited functionality” delivered to me. In fact, I feel downright lucky to have anything at all, so I guess I will just put up with whatever I can get from them. Hey, after all it’s cloud, right? You don’t get to be picky…

And here really begins our journey together with her into North Korea.

While top information security professionals in the US rant about how unsafe it is to take anything into China, Sophie says she was advised to not only take her technology to China but to leave it there to keep it safe:

We left our phones and laptops behind in China, since we were warned they’d be confiscated in NK, and probably infected with lord knows what malware.

North Korea gets bashed for being so far behind, back in the dark ages, that Google is worrying about “lord knows what malware” being placed on the most advanced mobile devices? Nah, no way. More like the US would WANT the North Koreans to put some malware on a device so we can bring it home and study it.

There is little you can really do with a mobile device in North Korea, right? No connectivity means it probably wouldn’t get pulled out of its bag. Hopefully it doesn’t have anything sensitive on it anyway. Other than writing a blog post about how much you hate it there…what would you use it for? So it’s not really a risk of infection that leads one to leave behind mobile devices in this scenario. Confiscation and/or loss of IP are the true risk. Don’t bring anything you do not want to be forced to leave behind in North Korea or expose to them.

On the flip side do not leave behind in China anything you do not want read by various spies from the Americas, Europe, Middle East, and Asia who float around. After all, China does not exactly protect you from being spied on by agents of foreign countries when you are in China.

I find few people realize the ironic reality-twist that US citizens in foreign countries are spied on by US agents because protection from surveillance is reduced compared to back home; it’s something to seriously consider when you’re a US citizen out for a non-sanctioned and very public jaunt into North Korea.

Those devices you left in China? Potentially bugged by agents of the US, for your own good of course.

Back to the story, Sophie gives us a quick summary of how things felt…well, inauthentic:

Our trip was a mixture of highly staged encounters, tightly-orchestrated viewings and what seemed like genuine human moments.

This, in a nutshell, is the ultimate insult by American standards. To be real, to be authentic, is to achieve maximum value in our culture; an inauthentic experience is the opposite of what many of us want. That’s why it’s so easy to bash the hipster. How can you trust someone walking today in downtown Mountain View who dresses like an 1890s steam train engineer?

New hires at orientation, Google 2013

When I read Sophie’s summary of her trip I see a giant warning shot fired across our bow:

Prepare for fake. Prepare to be disappointed. North Korea trips are full of stuff that is not real. The horror.

It was only due to the instruction/vision/guidance of Our Marshall/the Respected Leader/ Awesome-O wunderkid Kim Jong Un that we were able to successfully __________ (insert achievement here: launch a ballistic rocket, build complicated computer software, negotiate around US sanctions, etc.). Reminded me of the “We’re Not Worthy” bit from Wayne’s World. Just another example of the reality distortion field we routinely encountered in North Korea, just frequently enough to remind us how irrational the whole system really is.

In other words, you have to suspend belief if you are going to follow the story you’re supposed to be watching. You want rational? Come to America.

After all we have the Kardashian phenomenon, Disneyland, and the fact that the US leads the world in total cosmetic procedures performed. Yeah! Take that you North Korean distortion fielders.

Although we Americans are quick to look at others from the outside and criticise their foolish lack of authenticity, we also love to show off with our fake and highly staged encounters, tightly-orchestrated viewings…

American reality show: nothing unusual here. Nothing staged or tightly-orchestrated. Not at all.

The difference in who can be most inauthentic and get away with it, of course, is relative to power.

Kim Jong-un, like Lance Armstrong, makes use of extraordinary power and direct influence to keep an inauthentic story running even after people stop believing and want to talk openly and express their doubts or challenge his story.

Power to shut down naysayers and disbelievers is a very real problem in political science, which I don’t want to minimize here. My point is that if you realize America also has a lot of problems from inauthenticity relative to power, you are one step closer to finding the authenticity even in places that try hard to keep you from seeing it. It’s a problem very, very familiar to auditors, let alone anthropologists.

Anthropologists!

Perhaps I’m being too indirect and this could go on forever, given the material Sophie provides, so let me cut to the chase.

Sophie displays a very strong cultural bias in her perspective but no awareness or caution of that bias.

Why do we need an alarm clock to wake up? Why do we need soft beds and rugs? Why do we need to heat every room of every building? What is wrong with empty spaces? Why do we need street lights? Seriously, street lights are stupid abominations of sailing codes (starboard and port, green and red) never meant for roads that give engines a wasteful and unfair advantage over other forms of transportation. We need a better system. Now tell me again how strange it is to see streets without signals for sailboats.

Here’s an example of how things were said in Sophie’s perspective:

My father’s reaction to staying in a bugged luxury socialist guesthouse was to simply leave his door open.

And here is how they might be said if she had looked at it from a more North Korean view:

No need to lock your door. Simply leave it open. There’s no crime risk.

Incidentally (pun not intended) if you’ve ever been to the Google campus headquarters you may know that they spent many years and a lot of money to cover the outside and inside with surveillance, and yet they STILL do not leave their doors open. Eric apparently feels safer in North Korea than within his own castle. (Full disclosure: I’ve been inside the Google SOC several times and it’s very impressive. North Korea probably would be jealous.)

If we play her blog post from an outsider’s view, in other words, it could be read like this:

America is great because it is crowded, polluted, wasteful, unhealthy, unsafe and people look stressed/busy all the time.

Doesn’t it sound strange when you use an inverse of her criticism of North Korea to describe America? With this different perspective in mind take another look at what she presents us with:

North Korea is empty, clean, efficient and people are fit, safe and have idle time.

Perhaps somewhere in between is a truly authentic experience and a hint as to why closing one eye in the land of the blind is sound advice.