Stompy: the Future of Rescue?

In just over 10 days Project Hexapod on Kickstarter was able to raise $65,000. Their goal?

An open-source, 18ft wide, 4,000 pound, 6-legged hydraulic robot that you can ride.


When they say open source, they mean it. They are willing to build and then give away all the details of the project to help encourage others to build the same or better.

Once we finish this robot, we’re releasing our plans, our CAD, our diagrams, the presentations from all the lectures we gave in class, our lists of materials and parts, everything. The construction and control techniques we’re using will drop the cost of controlled hydraulics by an order of magnitude or two from where they are now, and will make giant robots affordable to small groups of enthusiasts everywhere.

Today they are a little over $80,000 and headed towards the next phase of funding before the September 2nd deadline.

At $95,000, we’ll drop in what we call the “Performance Upgrade”. We’ll integrate a number of new sensors that will let us more accurately detect and respond to rough terrain, allowing for a smooth ride over a much greater variety of terrain. We’ll upgrade our hydraulic powerplant to allow for a higher ground speed. We’ll also add sensors that will allow for some amount of autonomy, for future robot development.

The project owners provide a nice video about the passion and curiosity behind their project.

They talk a little about utility but here is the part of the project proposal that really caught my attention:

Stompy (and the technology it represents) could easily reach people who can’t be reached by any other means in a natural disaster.

Bingo! This fits perfectly with big news of recent emergency operations in Colorado. As you may have noticed there is a growing “14er” trend in Colorado where people try to walk to the top of mountains that have peaks above 14,000 ft. The popularity of the mountains combined with some incredibly rough terrain means it is inevitable that authorities will get a call for rescue.

Here’s just one example: On August 5th a dog was brought by its owner up a 14er rated as Class 3 (e.g. “steepness and extreme terrain” too difficult for dogs) on a day with storms (e.g. high danger for human ascent). The dog became incapacitated at 13,000 ft from injuries, as should have been predicted, but then the owner made the unbelievable decision to abandon it. A 100 lb German shepherd lay bleeding near the rocky summit of the mountain, hungry and alone.

Seven days later, around August 11th, other hikers discovered the abandoned dog and immediately set about planning a rescue attempt. The authorities were contacted and assistance was requested; those requests were turned down.

“We can’t specifically send a rescue effort for a dog,” [Clear Creek County Sheriff’s Sgt. Rick] Safe said. “We have a designated rescue team. In the last two weeks we have had six rescues, one a day on the weekends, for people. It is tough terrain out there.”

Sgt. Safe is obviously resource constrained in his current setup. I am certain he would have helped if he could afford to add dogs to the list of rescue operations (never mind the fact that he could have taken the initiative to use social network technology to organize a community rescue effort). This is where Stompy comes in.


Reducing cost and time for rescue operations has a clear benefit. Current technology such as automobiles and aircraft are often unable to assist in rough terrain and unstable weather. Even the most expensive options are limited. Rescue teams with an inexpensive/commodity robot in comparison could scale the 14er faster and handle far more load than humans. And then a hybrid effort (e.g. use a helicopter or vehicle to place the robot at 11,000 ft) would be even faster and still reduce overall cost of operation. Save money, save time and save lives…Stompy makes a lot of sense.

The project owners mention giant natural disasters as a use-case as I pointed out above, but my amendment to this point is that they don’t have to wait for another hurricane or earthquake to test their robot and work on improvements. Stompy every week could be used to make a difference between life and death in many parts of the world. The state of Colorado may want to consider sponsorship and taking a robot on trial-runs ASAP.

Alas, back to the story, there is not yet a Stompy option. The hikers who found the dog gave up on authorities and turned to social networking (the 14ers site). They posted a notice to summon a community rescue team. Moving on their own initiative a group of seven strangers then teamed up and risked their lives to ascend the mountain and save the dog. The seven spent nine hours, including hiking through blizzard conditions, to climb up and carry her down from 13,000ft.

Missy Rescue
Source: Getty Image from Examiner

The dog survived and the owner now has been charged by officials with a class 1 misdemeanor (6-18 months in county jail and/or $500-5,000 fine) under Colorado’s cruelty to animals statutes.

18-9-202(1)(b) Any person who intentionally abandons a dog or cat commits the offense of cruelty to animals.

A volunteer rescue operation is an awesome testament to humans but think about the cost and complexity to notify, assemble, debrief and plan, equip and deploy six people…versus firing up a robot with two people (from notify to deploy in one step). If you want to find out more and help fund Stompy, go to their Kickstarter page.

Updated to add (8/21): “New role for drones — wildlife, eco conservation”

Paul Ryan and the Great Irish Potato Famine

John Kelly, author of “The Graves Are Walking: The Great Famine and the Saga of the Irish People“, has posted a fascinating look at VP candidate Paul Ryan’s policy on public welfare by looking back at the Irish Famine.

It started in 1845 and before it was over more than one million men, women, and children would die and another two million would flee the country. Measured in terms of mortality, the Great Irish Potato Famine was the worst disasters in the nineteenth century—it claimed twice as many lives as the American Civil War.

Kelly points out that Ryan claims a direct Irish heritage, yet the VP candidate’s views are diametrically opposed to his own family’s story of survival. Ryan is compared with the British who wanted to decimate the poor during the famine.

…between 1845 and 1850, repeated crop failures reduced the population of Ireland by a third. But crop failure wasn’t what caused the worst of it: a government economic philosophy called “Moralism” and speeches made in Parliament that are almost word-for-word like Ryan’s own speeches about his Republican budget are what made the famine catastrophic, causing needless deaths.

Kelly later manages to drive the comparison home by bringing up widely and easily discredited Ayn Rand, Ryan’s choice of favorite author.

Back in mid-19th century Parliament, [Charles Trevelyan, the British official who oversaw famine relief] wasn’t alone, just as Ryan and Romney aren’t now. Sir Randolph Routh, the head of the Irish Relief Commission, was such a fervent crusader for the free market that not even mass starvation and mass death failed to shake his belief. When a starving delegation from famine-struck County Mayo visited Routh’s office, he presented his guests not with food— but instead with a copy of Edmund Burke’s pamphlet Details on Scarcity, in which Burke explains how market forces deliver food more efficiently than the government. In Routh’s enthusiastic gifting of Burke’s book are shades of Ryan’s fervent profferings, for years, of the works of Ayn Rand. (To be fair, Ryan didn’t give copies of Atlas Shrugged to any starving peasants.)

Just as well that Ryan didn’t hand out Ayn Rand’s work since it turns out her views actually contradict his stated religious beliefs.

Memorial in Dublin, Ireland to victims of the Famine:

Famine Memorial
Photo Source: Society of Environmental Journalists, 3rd Place, Outstanding Photography — National Geographic, Jim Richardson

AC45 World Series Comes to SF

Recently the NYT described some of the reasons the America’s Cup has changed.

Two years ago the officials who run the America’s Cup made an important decision: they were going to change professional sailing into a sport that was actually fun to watch.

That has meant bringing Big Data, surveillance and real-time analysis into the picture.

Honey’s team has to measure the position of every boat to within an inch at all times, while also measuring the position and angle of every helicopter-mounted television camera. The team is also collecting data on wind and water conditions, which play heavily into sailing strategy, and looking for ways to incorporate that into the television display.

By collecting this data, Honey’s team has ended up changing how the races operate. Race officials now watch the sailing on monitors from a control room on the shore, and any decision that relies on the objective knowledge of a boat’s position is made using the same positional data used to create the graphics.


The America’s Cup is designing an augmented reality smartphone app, which will allow spectators on shore to hold their phones up to the water and get the type of information available on television.

Obviously another change to the sport has been to bring the thrill of racing within view of people on shore. The big boats used to disappear and sail in light wind and steady seas, where only a few could see, but now everyone can enjoy watching in city-front weather conditions.

We’ve had some windy days recently and the forecast is starting to look like 10-20 mph through next week. Inside Bay Area gives an exciting prediction of the event.

“Hold on for dear life!”

That’s the warning from sailors aboard the 45-foot racing catamarans that you’ll see slicing through whitecaps next week, when the America’s Cup World Series brings the thrills and spills of the world’s most exciting racing to San Francisco Bay.

Imagine a white-knuckle drag race on the back of a bucking bronco — with winds whipping up at nearly 20 mph and a fire hose of salt water battering over the bow. The signature America’s Cup races are still a year away, but 11 catamarans from eight countries will be on the bay next week offering a taste of the drama that’s to come.


Four Olympic medalists fresh from London will compete next week, including four-time gold medalist Ben Ainslie, who carried the British flag into closing ceremonies. His credentials are impressive, but his experience on the temperamental AC45 is limited.

“I think he’ll be a little bit scared,” said Kimball Livingston, an editor-at-large for Sail Magazine. “I think all these guys as they get into it are a little bit scared — and for good reason. You can hurt yourself.”

They’re not just scared of being hurt, they’re scared of losing control. Ainslie won his gold medals by sailing a 1949 design called the Finn that plods along at about 7 mph. The AC45 will give him a state-of-the-art racing machine that tops out around 30 mph.

It’s like the difference between driving a 1950s Studebaker at 50 mph versus racing a 2012 LeMans race car at 200 mph. You can get hurt in either. Doing everything four times faster than ever before is the real issue, which is why they’re scared. After racing for a while at higher speed they become used to it and stop feeling scared, despite the risk of being hurt.

Does 30 mph sound slow to you? It actually is about the fastest a sailboat can go using current technology. The AC72, which will be far more powerful than the AC45, is expected to go only about 40 mph. For reference, driving a car over 30 mph usually requires a very smooth surface. These boats are bigger than a bus, navigating a very rough and unpredictable surface (waves), with no brakes and balancing one hull up in the air. Personally, I think it’s the best feeling in the world.

Photo:(c)2011 Gilles Martin-Raget,

With only a few days before things start there have been numerous helicopters flying overhead, presumably to help prepare the races and to take photos like those found on SF Gate.

As you can see the races will be held in front of the Marina Green, giving land spectators an easy and free view of everything. The America’s Cup Village opens Tuesday the 21st at 10am.

Another Misrepresentation of new DoE Cybersecurity Model

Earlier I pointed out some misrepresentations of the new DoE Model.

I read the DoE report, called “Electricity Subsector Cybersecurity Capability Maturity Model, Version 1.0,” and I did not find very strong language about a senior executive. In fact, the term CISO (or CSO) does not appear anywhere in the document. […] Likewise the term vice president is only mentioned as a side-bar within the 92 page document.

I can imagine why someone might try to treat the side-bar example as a call for executive leadership in security but that’s not really a fair representation of the document. It’s a minor and passive point compared with everything else put forward in nearly 100 pages.

But I just found the misrepresentation happening again, this time in “Cybersecurity Becoming No. 1 Concern for GCs and Directors”

…the Department of Energy is encouraging electric-power companies to adopt a separate board altogether that’s just devoted to cyber-risk governance, as Network World reports. Under the recommendation, outlined in new guidance [PDF], a “cybersecurity governance board” would “develop a cybersecurity strategy for the utility and recruit a new vice president of cybersecurity to implement a program based on the strategy.”

The quote used is from a side-bar to the document clearly labelled “example”. While it may illustrate a model, it is neither a requirement, a recommendation nor an encouragement. The actual statement of the model is this:

A cybersecurity program may be implemented at either the organization or the function level, but a higher-level implementation and enterprise viewpoint may benefit the organization by integrating activities and leveraging resource investments across the entire enterprise.

I rank the phrase “may benefit” somewhere below encouragement and definitely below recommendation.

The DoE obviously has left open the possibility that implementation of the program with an enterprise viewpoint also may not benefit the organization…

I don’t necessarily agree with the DoE’s language, but I also don’t want to misrepresent it and overshadow the rest of the document.

This Day in History: 1863 Quantrill Raid on Lawrence

Quantrill's raid on Lawrence
Painting of William Clarke Quantrill’s 1863 “offensive defense” raid from Missouri on Lawrence, Kansas that targeted civilians. Some say it was in retaliation to anti-slavery/abolitionist Jayhawkers

General Thomas Ewing, commander of the District of the Border, issued General Order No. 11 after Quantrill’s raid, which sent soldiers into four counties of western Missouri to impose order on the population and destroy the “bushwhacker” network (support for militant rebels, either for or against slavery).

Quantrill was known for surprise attacks, fraud, disregard for authority and targeting civilians. He led men like Jesse James on ruthless campaigns in Texas and “Bleeding” Kansas until Confederate forces had no choice but to try and detain him. He escaped arrest through corruption and sympathy. Eventually he was shot by Union special forces in 1865 while threatening to kill the President and died in hospital. I’ll post more details later this year.

Android is Winning (Still)

First, in terms of disclosure, let me just get out of the way that I don’t prefer Android or iOS. They’re both too centrally managed for my taste. Call me a deviant hacking anti-communist if you must but I’m a fan of Linux on my handset, which is why I keep buying the awesome Nokia N9 and building/flashing it on my own.

Going to South Korea? Well pop a local South Korean telcom firmware on your N9 and look like a native with all those cool feature “defaults”. When you get home replace it with a Northern European vanilla firmware that’s as clean and clear as the icy waters of Trondheim. That’s the N9. Unlocked as unlocked can be, by default.

The closest thing on Android is Cyanogenmod. A while ago I made a small business out of buying and reselling Android phones that I wiped, replaced the firmware on and opened up. It wasn’t for the money but rather for the liberation of the phones and their users (for comparison I also used to pull bicycles out of dumpsters, refurbish them and then leave them on the street to get more people riding). The Motorola Defy was my favorite to set free but even Cyanogenmod didn’t feel big and open enough compared to straight Linux.

At least Cyanogenmod exists. Liberating an Apple phone has been a sordid and messy game that has little upside other than showmanship and to refute Jobs. The Apple icon shifted from admitting to being a fan of stealing ideas to viciously threatening anyone who tried to “steal” his. It’s odd, especially when you consider that his highly-successful OSX is a BSD variant.

That being said, it wasn’t hard for me to predict that Android would eat Apple in the market. Earlier this year I mentioned “iOS struggles against Linux phones” but here’s what I said in October of 2010 when it looked clear that Google would rocket past Apple:

iPhone losing OS fight

Today, here’s what TC says the real experts think.

The latest numbers are in: Android is on top, followed by iOS in a distant second.

This word comes from Gartner, a top research firm for these sorts of things. Overall, within the last quarter, Android outsold iOS devices nearly three to one while capturing 64% of the worldwide market share. Samsung was the top dog accounting for 90M handset sales.

There is no denying Android’s dominance anymore. There is no way even the most rabid Apple fanboy can deny that iOS is in second place now. Android is winning.

While so many others were talking about how iOS made them “feel” special the platform was just too proprietary to be a long-term bet. People may as well have been telling me that the iSeries and OS400 were going to take over the world. Microsoft Windows and all that. Battle impact? Yes, of course. QSECOFR was a great thing. Long-term war victory? No.

The fact is that economics and politics in history indicate the majority of people eventually choose freedom over specific functionality. As much as some apologize for and say this or that “brilliant” dictatorship could have kept going (e.g. Mussolini made the trains run on time)…information likes to be free and Android at least allows for commodity hardware, which is far more free than iOS. And yes, RIP RIM.

Kirby Ferguson explains better than I ever have (or probably ever will) some of the dynamics behind why Android is winning…

Updated to add Aug 15, 2012: Even though Apple’s iOS lags in the market behind Android, Imperva reports that it is far more discussed by attackers (as reported in The Reg).

Hacker Growth

Updated to add Oct 25, 2015: Current phone Unix install base by version shows this blog wasn’t far off in its prediction of Android dominance.

Mobile Phone Unix Install Base

A side consideration here is that China committed to a universal accessory standard for phones to tamp down landfill growth (e.g. charger upgrade because different connector). That would obviously sway them towards open because better for the environment. Now ask me why Tesla opened all their patents when China was looking for electric vehicle platforms (e.g. chargers) for the world’s largest fleets.

IBM Opens African “Smart City” Research Center

This description is found in the IBM press release, on PR Newswire:

The single biggest challenge facing African cities is improving access to and quality of city services such as water and transportation. IBM, in collaboration with government, industry and academia, plans to develop Intelligent Operation Centers for African cities — integrated command centers — that can encompass social and mobile computing, geo-spatial and visual analytics, and information models to enable smarter ways of managing city services. The initial focus will be on smarter water systems and traffic management solutions for the region.

It sounds like a bold statement and move by IBM. Usually the top challenges in Africa are said to be internecine conflict, corruption and bureaucracy, which tend to keep businesses away.

If infrastructure development now has manageable risks then the stage could finally be set for explosive growth by business investment in areas without legacy systems to get in the way. That seems somewhat optimistic, though, given Kenya’s ongoing corruption problems.

Another possible explanation for IBM’s confidence in this venture is related to rising U.S. State Department interest in strategic influence over communication and information systems of Africa (Kenya ranks 3rd on the Net Index).

It will be interesting to see how Kenya handles the risks and liabilities that come from a foreign entity building big data repositories for them and a “smarter” critical infrastructure. The U.S. military has made it pretty clear they tend to want to predict movements of certain people on the Horn of Africa, especially when FBI are on the ground in Somalia. Military, intel and business objectives have an obvious overlap in the IBM proposal to build “command centers” and “traffic management solutions for the region”.

Human Predictability Paper Wins Nokia Mobile Data Challenge

“Interdependence and Predictability of Human Mobility and Social Interactions” by Manlio De Domenico, Antonio Lima, and Mirco Musolesi of the University of Birmingham, UK has been awarded the best entry in the Open category of the Mobile Data Challenge.

In brief, the paper shows how analysis of your mobile phone data correlated with social connections can predict your movements into the next day to a high degree of accuracy.

…we have shown that it is possible to exploit the correlation between movement data and social interactions in order to improve the accuracy of forecasting of the future geographic position of a user. In particular, mobility correlation, measured by means of mutual information, and the presence of social ties can be used to improve movement forecasting by exploiting mobility data of friends. Moreover, this correlation can be used as an indicator of potential existence of physical or distant social interactions and vice versa.

Predictability from mobile data should come as little surprise given that since 2008 a physics research team has suggested they can generate a very high accuracy rate.

Human behavior is 93 percent predictable, a group of leading Northeastern University network scientists recently found. Distinguished Professor of Physics Albert-László Barabási and his team studied the mobility patterns of anonymous cell-phone users and concluded that, despite the common perception that our actions are random and unpredictable, human mobility follows surprisingly regular patterns.

The new study, however, suggests that by watching the movements of mobile phones that are related by social network to the target mobile phone, the accuracy of prediction can be even higher. In other words, it can even predict the rare variance to a pattern by monitoring relationship influences.

Forbes points out that the new study results were based only on monitoring 25 volunteers in Switzerland but will now be applied to “larger data sets that he will soon be getting from Nokia.”

Malte Spitz: Your phone company is watching

Attack Source Location in Large Networks

Three researchers at the École polytechnique fédérale de Lausanne (EPFL) — Pedro C. Pinto, Patrick Thiran, and Martin Vetterli — have published a paper called “Locating the Source of Diffusion in Large-Scale Networks” that echoes the principle I presented six months ago at RSA USA 2012:

How can we localize the source of diffusion in a complex network? Due to the tremendous size of many real networks — such as the Internet or the human social graph — it is usually infeasible to observe the state of all nodes in a network. We show that it is fundamentally possible to estimate the location of the source from measurements collected by sparsely-placed observers. We present a strategy that is optimal for arbitrary trees, achieving maximum probability of correct localization.

Following a common model in nature and science, with a nod to epidemiology as I suggested in my presentation, the authors propose an algorithm for using a highly reduced set of nodes in order to calculate source. In other words we don’t need to wait for data from every single end-point (100% infection) to find the source of an attack.

Here is the slide from my presentation at RSA Conference USA 2012, “Message in a Bottle – Finding Hope in a Sea of Security Breach Data”:

As I explained at RSA we can easily leverage the insight of Dr. John Snow’s map-based spatial analysis and algorithm (Voronoi diagram) to find the source of attackers.

Measuring relationships (and the lack of relationships) creates clarity in finding sources. Steven Johnson, author of The Ghost Map, tells a colorful story of how it happened in the 1843 epidemic.

Back to the map itself and some fun math, Plus Magazine offers the following explanation of how a Voronoi Diagram/Thiessen Polygon can be used to find the influence of a specific point.

[Dr. Snow’s] next ingenious step was to represent the time it took to travel to the Broad Street pump on his map and to calculate who was most likely to use each water pump in the area. Snow drew a curve on the map that marked the points where the Broad Street pump was at equal walking distance from neighbouring water pumps. If you live inside this curve the Broad Street pump is your nearest source of water. Almost all the deaths marked on the map lay inside this curve and anecdotal evidence explained the few cases that did not.

Snow's Voronoi Map

Michael Friendly offers this animated version of the map, which ends with the bright blue lines of a Voronoi Diagram.

Snow Animation

Of course Snow’s work is a major and well-known influence in all areas of science. However, in my extensive research from 2008-2011 on breach data and source location, I did not find any prior presentation or publication that suggested using Snow’s approach to solve attack source location in network security. That was exactly my point in presenting it in early 2012 and trying to draw attention in the RSA audience to solutions we can build based on a study of risk characteristics, causes and influences (epidemiology).

For comparison, here is a figure from the CLEP paper that was just released, which shows an estimated attack source location based on nearby yet “sparse” observations:

You could read that map as red for the water pump and green for each person infected by contaminated water. They say they are focused on “inferring the original source of diffusion, given the infection data gathered at some of the nodes in the network”. That sounds like Dr. Snow.

Moreover, their paper actually references a modern cholera outbreak to illustrate their theory; a figure in the paper is of “infected nodes” among “associated water reservoirs” almost exactly like the methods pioneered by Dr. Snow.

With all the obvious similarities, however, they make no mention of my RSA presentation regarding investigation of security breaches and even more shocking is an absence of any reference to the legacy of Dr. Snow.
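An added example (not code from the EPFL paper or from the RSA presentation) that works both ideas above on a constructed 12-node tree: Snow-style Voronoi cells measured by path distance around three candidate entry points, then a simplified least-squares estimate of an unknown source from three observers' first-seen times. The topology, node names, timestamps and scoring rule are assumptions made for illustration; the paper's estimator, which its abstract describes as optimal for arbitrary trees, is not reproduced here.

```python
import heapq
from collections import Counter

# Constructed sample topology (not from the paper or the talk): an undirected
# tree whose edge weights are mean propagation delays in arbitrary time units.
EDGES = [
    ("gw1", "r1", 2), ("r1", "h1", 1), ("r1", "h2", 1), ("r1", "r2", 3),
    ("r2", "h3", 1), ("r2", "h4", 1), ("r2", "gw2", 2), ("r2", "r3", 4),
    ("r3", "h5", 1), ("r3", "h6", 1), ("r3", "gw3", 2),
]


def build_graph(edges):
    """Return an adjacency map {node: [(neighbour, weight), ...]}."""
    adj = {}
    for a, b, w in edges:
        adj.setdefault(a, []).append((b, w))
        adj.setdefault(b, []).append((a, w))
    return adj


def nearest_site(adj, sites):
    """Multi-source Dijkstra: map every node to (distance, closest site).

    The nodes that share a site form that site's Voronoi cell, measured along
    the graph (Snow's "walking distance") rather than as the crow flies.
    """
    best = {}
    heap = [(0, site, site) for site in sites]
    heapq.heapify(heap)
    while heap:
        dist, node, site = heapq.heappop(heap)
        if node in best:
            continue  # already claimed by a closer site
        best[node] = (dist, site)
        for nxt, w in adj[node]:
            if nxt not in best:
                heapq.heappush(heap, (dist + w, nxt, site))
    return best


def cases_per_cell(adj, sites, cases):
    """Count observed cases inside each candidate site's Voronoi cell."""
    owner = nearest_site(adj, sites)
    return Counter(owner[c][1] for c in cases)


def locate_source(adj, first_seen):
    """Rank every node as a possible origin from sparse observer timestamps.

    first_seen maps observer node -> time it first saw the infection.
    For a candidate s the residual t_i - d(s, o_i) should equal the same
    unknown start time at every observer, so the score is the spread of the
    residuals (n * sum of squared deviations, kept in integers so that ties
    are exact). Returns (nodes tied for the lowest score, all scores).
    """
    observers = sorted(first_seen)
    scores = {}
    for cand in adj:
        dist = nearest_site(adj, [cand])  # single-source distances from cand
        res = [first_seen[o] - dist[o][0] for o in observers]
        scores[cand] = len(res) * sum(r * r for r in res) - sum(res) ** 2
    low = min(scores.values())
    return sorted(n for n, s in scores.items() if s == low), scores


GRAPH = build_graph(EDGES)

# Constructed data, part 1: three candidate entry points and five known cases.
CELLS = cases_per_cell(GRAPH, ["gw1", "gw2", "gw3"],
                       ["h3", "h4", "r2", "h2", "h5"])

# Constructed data, part 2: the outbreak really began at r2 at t=100, but only
# three observers report, and gw3's timestamp carries one unit of jitter.
SUSPECTS, SCORES = locate_source(GRAPH, {"h1": 104, "gw2": 102, "gw3": 107})

if __name__ == "__main__":
    print("cases per Voronoi cell:", dict(CELLS))
    print("suspect set from 3 of 12 nodes:", SUSPECTS)
```

With no observer behind h3 or h4, those leaves cannot be separated from r2, so the result is a three-node suspect set rather than a single host.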

Please note I will give an updated version of my presentation at the end of this month at RSA China 2012. Here’s a highly abridged version of my presentation produced by the RSA Conference last February:

Do US Power Companies Need a CISO?

IT World reports that the Department of Energy has released a new document that advocates for a senior security executive in power companies.

It calls for electric-power companies to appoint a senior executive for cybersecurity that will report to the company’s board.

The IT World report also provides the following analysis.

Senior management doesn’t have a very good understanding of their security posture, says Andy Bochman, whose job as IBM’s Energy Sector Leader in the IBM Security Systems Division grants him insight into how the whole U.S. power grid works.

Unlike other types of enterprises, many utilities today –whether it’s their enterprise business side or their industrial-controls systems side–do not have a chief information security officer (CISO) or a chief security officer (CSO) at all, says Bochman. But the evolution of the electric grid, especially as the so-called smart grid takes shape with more interactive information collection and management with consumers, means they need a CISO or CSO more than ever. He says they need an individual acting as a vice president of security who can report directly to the company CEO or board of directors. He adds it’s better here not to report directly to the CIO but go directly to the top of the company.

That sounds very strongly worded. I read the DoE report, called “Electricity Subsector Cybersecurity Capability Maturity Model, Version 1.0,” and I did not find very strong language about a senior executive. In fact, the term CISO (or CSO) does not appear anywhere in the document. This sentence on page 43, for example, is about the closest thing to advocating for a senior role.

A cybersecurity program may be implemented at either the organization or the function level, but a higher-level implementation and enterprise viewpoint may benefit the organization by integrating activities and leveraging resource investments across the entire enterprise.

“…enterprise viewpoint may benefit the organization…”

Likewise the term vice president is only mentioned as a side-bar within the 92 page document. You will find it in the “Example: Cybersecurity Program Management” section on page 44.

Anywhere Power decided to establish an enterprise cybersecurity program. To begin, it has formed a board with representation from each of the functional areas. This cybersecurity governance board will develop a cybersecurity strategy for the utility and recruit a new vice president of cybersecurity to implement a program based on the strategy. The vice president will also report to the board of directors and will work across the enterprise to engage business and technical management and personnel to address cybersecurity.

It’s a nice example, but only an example and not a requirement or even recommendation.
And then we have other examples like Google that keep security at the Director level (no VP, CISO or CSO) and do not even mention security on their Management team page.
