Thursday, March 24, 2011

Shocking

Three events that almost equally shock the world these days:


-- Birgit

Sunday, March 20, 2011

Nuclear Roulette


I don't give a damn about the average risk of nuclear power as long as you don't tell me the variability.

-- Birgit

Friday, March 11, 2011

Bad hack

Reading your old code comments -- always a source of fun:

// Bad hack, n.: A piece of code that arguably
// fulfills its purpose, but does so in a very
// crude, inefficient and/or instable way, usually
// due to having been written with great haste or
// little care.
// An example of a bad hack:

Wednesday, March 9, 2011

Women and/or technical skills




Many people believe that women are on average less skilled in technical matters than men. Let me tell you a secret about that prejudice:

It's true!

Why yes! It totally is!

The only problem is that people frequently get the interpretation wrong of what that means.

Because you know, it's all about that nasty conditional probability thing once again. Bayes' theorem. Why "the safest way to fly is to take a bomb with you, because it's damn unlikely that there are two bombs on the same plane" doesn't work. Something closely related to and even less understood than the Monty Hall problem, which is why it deserves to be demonstrated with three doors as well.

Well, let me try to enlighten you with some very basic mathematical insights.

Starting directly with that problem would make the discussion rather abstract and theoretical and you would end up not believing me. Let's therefore stick with the lipstick example for starters. Or, since wearing lipstick is a rather binary decision -- you do or you don't --, let's generalize it to wearing make-up. Also, let's restrict it to typical western countries.

Have a look at the following diagram:


(The x-axis gives the amount of make-up usage, and the y-axis gives the number of people for each position on the x-axis.)

There is a small but not insignificant number of women who would rather die than wear make-up. There is a small but not insignificant number of men who plaster their faces with make-up as if they could fall apart without it. But on average, women still do wear more make-up than men.

So given two random persons about whom we have no information other than one being female and the other male, which person is more likely to be wearing make-up? Answer: Quite clearly the female one.

Let's further assume that the more make-up people wear, the more they know about make-up. Which of the two persons above is therefore more likely to know a lot about make-up? Answer: Again the female one.

Let's take a third person into consideration now. We have no information about that new person other than that he or she likes wearing tons of make-up. Which of the three persons is most likely to know a lot about make-up now? Answer: Obviously the third one. Independently of whether he or she is male or female. Why? Because while we assume that the male person is probably in the lower half of the range and the female person is probably in the upper half, we know the third person to be in the very top few percent and thus, on average, better than either of the other two.

Now that we are already busy introducing new persons, let's introduce two more of them. Person D is female and wears tons of make-up. Person E is male and wears tons of make-up. Who is more likely to have a lot of knowledge about make-up now, person D or person E? Answer: Well, at this point it's pretty much 50:50.

Why is that?

Let's have another look at that diagram. We know that both persons wear [too] much make-up, which means we are now only considering persons in the far right part of the diagram:


What can we tell about that small subset of the population?

  • They all know a lot about make-up. (Keep in mind that make-up usage and thus (by our assumption) knowledge is measured by the position on the left-right axis. All persons in question are on the very right edge of that graph.)
  • There are more females than males in that range. (I.e., there are more females than males who really know a lot about make-up.)
  • A male and a female person being both within that range are pretty much equally likely to win a make-up knowledge quiz against each other. In this particular graph, it's even slightly more likely for the male, i.e. person E, to know more about make-up. Why? We know about person D that she is female and within the highlighted range. Amongst the females in that range, there are more towards the lower end (at the left) than at the upper end, so the average female from within this range is slightly below the center of the range. Amongst the few males in that range on the other hand, all positions are pretty much equally (un)likely, so the average male from within this range is quite exactly at the center of this range. Therefore, in this graph person E is actually an itsy bitsy tiny bit more likely to know a lot than person D. It's a damn close call though, so with sufficient approximation we can say that they are equally likely to be more knowledgeable about make-up.

(Bonus question: Remember person three from above? We only know that this person wears a lot of make-up. Is person three more likely to be male or female?)
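The five-person argument above, worked through numerically as an added example (not part of the original post). It assumes both groups follow normal curves with constructed means and spread on a 0-100 make-up scale, equal group sizes, and that "tons of make-up" means a score between 85 and 95. Which side keeps the small remaining edge inside the band depends on the exact shape of the curves, so only its size is meaningful here.

```python
import math

SQRT2 = math.sqrt(2.0)

def cdf(x, mu, sigma):
    """Normal cumulative distribution function."""
    return 0.5 * (1.0 + math.erf((x - mu) / (sigma * SQRT2)))

def pdf(x, mu, sigma):
    """Normal density."""
    z = (x - mu) / sigma
    return math.exp(-0.5 * z * z) / (sigma * math.sqrt(2.0 * math.pi))

def mass(mu, sigma, lo, hi):
    """Fraction of a group whose score lies in [lo, hi]."""
    return cdf(hi, mu, sigma) - cdf(lo, mu, sigma)

def p_beats(mu_a, mu_b, sigma):
    """P(random A scores above random B) when only the group is known."""
    return cdf(mu_a - mu_b, 0.0, sigma * SQRT2)

def p_beats_in_band(mu_a, mu_b, sigma, lo, hi, steps=2000):
    """P(A above B | both known to lie in [lo, hi]), midpoint integration."""
    dx = (hi - lo) / steps
    total = 0.0
    for i in range(steps):
        x = lo + (i + 0.5) * dx
        # density of A at x times the mass of B between lo and x
        total += pdf(x, mu_a, sigma) * mass(mu_b, sigma, lo, x) * dx
    return total / (mass(mu_a, sigma, lo, hi) * mass(mu_b, sigma, lo, hi))

def share_in_band(mu_a, mu_b, sigma, lo, hi):
    """P(person belongs to group A | score in [lo, hi]), equal group sizes."""
    a, b = mass(mu_a, sigma, lo, hi), mass(mu_b, sigma, lo, hi)
    return a / (a + b)

# Constructed parameters (assumptions, not data from the post).
WOMEN, MEN, SIGMA = 60.0, 40.0, 15.0
BAND = (85.0, 95.0)

if __name__ == "__main__":
    # Persons A and B: only gender known.
    print("random woman beats random man:", round(p_beats(WOMEN, MEN, SIGMA), 3))
    # Persons D and E: both known to wear tons of make-up.
    print("woman beats man, both in band:",
          round(p_beats_in_band(WOMEN, MEN, SIGMA, *BAND), 3))
    # Person three (bonus question): only the make-up level is known.
    print("P(female | in band):",
          round(share_in_band(WOMEN, MEN, SIGMA, *BAND), 3))
```

Narrowing `BAND` pulls the second number further towards 0.5, while the third number shows how lopsided the band's membership still is.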

Now let me just re-label and re-colour that graph and we'll transfer our findings to the original problem in no time.

I know that it's extremely unpopular these days to claim that women have on average less technical competence than men, but for the sake of argument, let's assume it's true:


Now let's only look at those people who are successful in technical careers. With few exceptions, people in technical careers are people with high technical skills, and vice versa. (There might be the occasional technically skilled person who still chooses to study medicine, or the occasional person who has no clue about technical matters but got hired into daddy's company anyways, but for simplicity we ignore those for now.) People with technical careers therefore mostly correspond to the right-most part of the diagram:


And now, the same conclusions apply:
  • All persons who are successful in technical careers have high technical competence.
  • There are more males than females who have high technical skills.
  • Males and females from within the shown range are pretty much evenly matched, i.e., given two persons of whom one is a female technician and the other a male technician, it's hard to tell which one probably knows more about technical matters.

In short: It's less likely for women to go for a technical career, but those who do are quite evenly matched with their male colleagues.


What do we learn from that?

Given an entirely random male person and an entirely random female person, it's absolutely fair to assume that the male person has more technical competence. Let's assume you are at a quiz show, are given a question about the inner workings of a car engine, have no idea about the correct answer, and are allowed to use a phone joker. You can only choose whether the person to be called is female or male, and the quiz team will then pick a random (male or female) name from a phone book and call that person. Then it's very reasonable to go for a male helper.

Let's, in contrast, assume that your car broke down with a flat tyre and you don't know how to change a tyre yourself. A second car stops, a young woman gets out and offers to change the tyre for you. Here, "You can't do that, you're a girl." is a wrong answer. (Not to mention that it's impolite.) Why? Because she already indicated to you that she can. She gave you some extra information about herself, which means that all conclusions you drew before that aren't valid any more. Your conclusions were made at a point where you had to take the entire range into consideration. Now, however, this new information has significantly restricted the range. Therefore, take the new information and re-evaluate.

There's a very similar scenario, and it seems to happen so frequently that I'm willing to dedicate another diagram to it:


So, assume you call the tech hotline of whatever company to get help with a technical problem. A woman picks up. Again, "No, I want to speak to a man." is the wrong reaction. The person works at the tech hotline, so you can assume that she went through job interviews and technical training. It's also very likely that most employees at that tech hotline are roughly within the same skill range. In short, whether male or female, you will get to speak with an averagely skilled technician. (Good technicians usually get better jobs than working at tech hotlines, just for your information.)

This can be generalized to any job, by the way: While on average over the entire population women might be less technically skilled than men, there is virtually no difference between men and women working in the same job.


The moral of the story? There's nothing bad about prejudices. Just remain open to trashing them as soon as you get additional information about a person.

After all, while it's true that only around 20% of all people own a dog, there's no point in insisting that someone most likely doesn't have one once you've seen them taking it for a walk.

-- Birgit


P.S.: I admit to having shamelessly simplified away a lot of potentially important facts and factors.

Monday, February 21, 2011

Proudly Presenting: Serene Logician

Over the last years, I've spent quite some time thinking about security and, in particular, social engineering. It's something that fascinates me for the same reasons that I like mathematics and stage magic: All those things are about finding missing links in an alleged chain of evidence.

In mathematics, a missing link in a chain of evidence simply means that a proof is incomplete.

In stage magic, a missing link is what allows a magician to produce an illusion of actual magic, by demonstrating to the audience in 20 ways how he has no chance of manipulating something -- while he manipulates it in the 21st way. Indeed, stage magic is often just about providing so much proof that the audience doesn't notice any more that the chain of proof still didn't go from one end to the other. (Rest assured that whenever a stage magician says "Now I put this here so that you can make sure that I don't exchange it", he has already exchanged it long ago. And then proceeds to demonstrate in spectacular ways how he really does not exchange it again.)

What a social engineer does is not much different, and again, the crux is that somewhere in the chain of evidence there must be a missing link. Just think of a fake plumber in front of your door who can show you an ID with his photo and the name of "his" company. You can verify that the photo and his face match. You can verify that the name and his name tag match. You can verify that the hologram on the ID card is real. You can verify that the company exists. You can verify that the phone number on the ID card matches the real phone number of the company. You can phone the company and verify that they have an employee of that name. Maybe they can even confirm that he is supposed to come to you today. And still that man in front of your door has never ever worked for that company. Where's the missing link?

Anyways, I have a thing for finding such missing links, and obviously also a certain skill for it. And given that I'm planning to write about those more frequently now, I've decided to dedicate a blog to them.

Proudly presenting:

You can expect some presenting of basic principles, and a lot of ranting about the daily security lunacies. Posting frequency will vary and I'm not committing myself to any schedule, but there are some postings already in planning, and from experience I run across a post-worthy example every few weeks.

I'd also like to express my sincere apologies to those of you who are already reading my other blogs (plural) for adding another one to the list. On the upside, it's a public one so you can just add it to Google Reader and don't have to open yet another tab for it.

-- Birgit

P.S.: The missing link is the ID card. There's no way to prove that it's genuine, since you most probably have no idea what an ID card of that company is supposed to look like.

The company's confirmation that this employee is really scheduled to visit you can be achieved by calling the company beforehand, pretending to be you (i.e., the visited person) and really requesting the real employee of that name to come to you. When this appointment is then canceled last-minute, chances are high that the secretary at the company isn't notified about the cancellation yet when you call her, and will confirm the appointment.

Friday, February 18, 2011

A cheer to freeware


Every time I re-setup my computer I realize that more and more freeware is running on it. In former times, setting up a computer meant inserting 20 CD-ROMs one after another -- MS Windows, MS Word, MS Office, Paint Shop Pro, ... --, today setting up means to me: First installing Windows, then downloading the most recent versions of all other programs.

Therefore, a cheer to freeware -- which by the way is according to certain sources in the USA a very communist construct ;) --, thanks to which I by now use hardly any proprietary software any more except for Windows.

Here's a list of great freeware programs (or in some cases shareware or demo versions) that are usually installed on my computers:



Basics:
Acrobat Reader / Foxit Reader
Reading .pdf files

GhostView / GhostScript
Reading .ps files

PDF24 Creator
Creating and editing of .pdf files

pdf995
Creating .pdf files by a printer driver

TortoiseSVN
Version control with SVN

CDBurnerXP
Burning CDs and DVDs

7-Zip
File compression program for (almost) all formats

cygwin
Linux emulator

DOSBox
DOS emulator



Creating and editing of documents:
Notepad++
Text editor and source code editor

LibreOffice
Office programs: Text editing, spreadsheet processing, presentations, ...

MikTeX
Compilation of LaTeX documents

WinShell
LaTeX editor

Asymptote
Programming language and compiler for creation of vector graphics

GeoGebra / Euklid DynaGeo
Creation and editing of interactive geometry sketches



Programming:
eclipse
Development environment

Java JDK
Java (development kit and Virtual Machine)

Visual C++ Express
C++ (development environment and compiler)

Python
Python

SWI Prolog
Prolog (development environment and compiler)



Graphics:
IrfanView
Display of image files

Gimp
Image editing

Paint.net
Image editing

Inkscape
Editor for vector graphics

autostitch
Assembling large images from multiple photos (image stitching)



Music and multimedia:
iTunes
Music playback, download and playback of podcasts, managing of files on an iPod

VLC Media Player
Playback of videos and DVDs

Winamp
Music playback

Amarok
Music playback

VirtualDub
Video recording and editing

NoteWorthy Composer (Demo)
Creation of sheets of music



Internet:
Firefox
Browser

Chrome
Browser

Thunderbird
Email and newsgroup client

IMAPSize
Backup of IMAP email accounts

PuTTY
SSH and Telnet client

WinSCP
FTP and SFTP client with GUI

pidgin / qip
Instant messenger (for ICQ, AIM, ...)

ChatZilla
IRC client

Skype
Skype client (for internet telephony)

Apache
Webserver (for local testing of homepages)

Vuze
Client for peer-to-peer filesharing



Antivirus:
Avira AntiVir
Anti-virus software

Spybot
Anti-spyware program



Databases:
MySQL
MySQL database system

NaviCat Lite
GUI for MySQL



Best regards, Birgit


Edit (2011-02-18): Add Foxit Reader and PDF24 Creator.

Edit (2011-02-24): Update OpenOffice.org to LibreOffice.

Sunday, February 13, 2011

Personenschaden

Ages ago I announced how much I love to rant about euphemisms, and today there is finally a fitting occasion for it. And because it's such fun, I'll start right away with one from my personal top 10 list of the most beautiful euphemisms.

The word of the day is: "Personenschaden" (literally "damage to persons").

"Personenschaden" is a word that involuntarily reminds one of "Wildschaden" (damage caused by wild animals), and it is used in exactly the same way: namely when a person has walked in front of a moving train. Mostly deliberately.

"Der Zug hat Verspätung wegen Personenschaden" ("The train is delayed due to Personenschaden") therefore usually means as much as: "The train is delayed because someone jumped in front of the train and we are currently busy spraying their remains out of the undercarriage with a pressure washer."

Closely related, by the way: "Sie ist vor den Zug gegangen" ("She walked in front of the train"). Which is a far more harmless description than "She decided to put an end to her life and, while at it, to traumatize an innocent train driver by jumping in front of his train at full speed."

On the notable facts and figures: In Germany alone, an average of 15 railway suicides take place every week, with a slight clustering in April and September as well as on Mondays and Tuesdays. Over the course of his career, an average German train driver experiences 2 to 3 suicides. About one in eleven train drivers goes through a severe post-traumatic stress disorder once in their life; a third of those remain permanently unable to work. Deutsche Bahn maintains its own sanatorium for train drivers who have been traumatized by railway suicides.

The euphemism exists, by the way, for the same reason that one so rarely hears about such cases despite their frighteningly high number: because they are deliberately not reported on for fear of imitation -- see Werther effect.

Not that the euphemism treadmill hadn't struck long ago anyway. The new term is therefore now "Notarzteinsatz am Gleis" ("emergency doctor operation at the track"). And it still means "scraping together body parts".