Computer Security: The Ultimate Inside Trader

I went to a talk on computer security. A few interesting case studies were brought up by the lead engineer of the server access and virtualization group at Cisco. Two case studies stuck out to me.

Someone suspected that there was an issue between two electronic trading centers between Asia and the USA, he wouldn’t say exactly where in the US and Asia, or who their client was. Anyway, they did some research in fact they called in their physicists to calculate the curvature of the Earth between the two continents to figure out how fast the data transfer rate should be, then they had their EEs look at the transmission line characteristics. Initially the IT engineer for the trading company told them, that the transfer rate should be 1.5 * the speed of light.

Cisco Engineer: What do you mean that the transfer rate is 1.5 * the speed of light, that’s physically impossible, it defies the laws of physics.
IT engineer: Well, I guess we must have a very robust router.
CE: Your are an idiot.

Eventually, they found that the transactions between one of the servers was being delayed by milliseconds, the packets sent were being slowed down. So, they did some more research, turns out that data connection between the two continents were over a undersea cable (there are a lot of undersea data cables between continent to continent that’s how we transfer data usually, please see attachment). Sidenote: Investment advice buy land in Africa, where the cable interconnect is routed from Asia.

They did more research, and discovered a man-in-the-middle attack, someone actually got access to the undersea cable as it was routed through French Polyonesia in the Pacific Ocean. As a result, the person could intercept the data being transmitted, see what types of trades were being placed (all he needed was those millisecond delays) and have an algorithm to decide whether to buy or sell shares based on what types of trades were being executed. All I have to say for the criminals brilliant, but illegal.

Second thing, power supplies. We often think of computer security in terms of protecting the data inputs and outputs of the computer/system, but what about the power inputs? What happens when Vcc(the input voltage) is not equal to what it’s suppose to be weird stuff starts happening at the logic level. The system might spit out a incorrect calculation, or spill out too much info with over or under voltage. Basically, he said it was very hard to design power supplies that are intolerant to slight signal variations.

In high school physics and basic college electromagnetics, we learn that AC signals are sinusoidal, with some constant amplitude, and when you convert from AC to DC with the use of a transformer and bridge diode rectifier (I’ve attached an oversimplified circuit found on google), you get a constant DC output. As a power professor I had once pointed out, what a fairy tale. For one in real life power is outputted in three phases (not just 1 sinusoidal signal), and two as shown in the plot from wikipedia, you superposition all the waves, then rectify it, no way are you going to get a perfectly constant DC output. You get close, but not close enough. So in short he argued that any input voltage signal variation should be logged no matter how small.

Problems as Solutions

Technology moves at such a rapid pace as Gordon Moore postulated back in 1965 in his now famous paper, “Cramming more components onto integrated circuits,” the number of components in integrated circuits double roughly every 18 months. This pattern continues to drive the growth and diversification of the electronics industry. One of the primary questions on every technologists mind (including mine) is how can we continue to be innovative in such an environment that moves so rapidly. The question prompted me to read, “Where do Good Ideas come from,” by Steve Johnson.

Johnson does a good job explaining that most innovative ideas do not come from Eureka moments but rather are slow hunches that build up into substantive ideas over time. He also talks about how the Internet has also changed the pace of innovation where the traditional development of a product took 10 years and adoption took another 10 years. With the rise of APIs (Application Programming Interface) web development now only takes about 1 year and about 1 year for adoption due to the widespread available of an application almost immediately. When we examine websites that have seemingly pop-up overnight such as twitter and facebook both are using tools from a platform that already exist.

So the question is how do we technologists keep up? The short answer is to be innovative, well-read and make problems opportunities. What do I mean by making problems opportunities? At work I’m faced with new electrical and material science related problems arising from the unique integration of different polymers, metals, and films that are used to synthesize complex integrated circuits (or chips). Immediately, our first concern is of course figure how we fix the problem that is compromising the expected performance. In parallel, while trying to fix the problem at hand we might think about how this problem might actually be ideal in another scenario. This lateral thinking helps us generate new ideas and solutions that might be used in future applications.

The Limits of Memory

Like many people I attend a lot of meetings, events, and I still attend lecture for classes I’m currently enrolled in at the University of Vermont. In these environments a large volume of information is presented and retaining that information is sometime hard. Scientific research has a good explanation why retaining information is so difficult. A psychological phenomenon known as change blindness dictates that humans can hold onto visual information for about a fractional of a second. For sounds, humans can remember about three seconds worth of information using their auditory loop, a type of memory. [1]

In his book, “Smarter Thinking” Art Markman introduces a concept known as the Role of Three which stipulates that we remember about three distinct and independent pieces of information about an event. He uses a baseball game as an example, when we go to a baseball came (which I coincidental did a few weeks ago) we remember about three things from the game. In my case I remembered the two rain delays, people being excited when the camera panned on them, and the organ player.

Markman gave three tips for making effective presentations, so people remember what you want them to:

  1. Start all presentations with an outline and try to limit the outline to three main items, if you can’t group similar items
  2. During the presentation try and stay focused on the three main items, so people remember the message you are trying to convey
  3. At the end of the presentation, summarize your three key points

[1] Smarter Thinking, Art Markman, Penguin Group 2012

Statistical Misinterpretations

Often in literature summary statistics are used to support the author’s claims, with numbers to quantify the arguments made, the reader feels more confident in accepting the conclusion the author is attempting to draw. However, due to the author’s misinterpretation of statistical data the reader can be lead into believing facts that are grossly incorrect.

Here is an example: In a research study performed, it estimated the probability a subject would be referred for cardiac catheterization was 0.906 for whites and 0.847 for blacks. An Associated Press story describing the study stated, “Doctors were only 60% as likely to order cardiac catheterization for blacks as for whites.”

At first glance the reader might seem to believe that this procedure was overwhelming recommended for White patients. Applying some statistical interpretation to this it is apparent the paper has described the odds ratio rather than the relative risk.The odds ratio is the ratio of the odds of an event occurring in one group to the odds of it occurring in another group. The relative risk (RR) is defined as the ratio of the probability of the event occurring in the exposed group versus a non-exposed group.

Calculating the Odds Ratio

odds1 = π2/(1-π2) = 5.53
odds2 = π1/(1-π1) = 9.63

θ = odds1/odds2 = 0.5742, which was rounded up and multiplied by 100 to get to 60% incorrectly. This should be interpreted as the odds of success in row 1 are 0.5742 times the odds of success in row2, or equivalently 1/0.5742 = 1.74 times as high in row 2 as row 1.

Lets calculate the relative risk instead:

Let p1=π1=0.906, and p1=π2=0.847

RR  = p1/p2 = 0.906/0.847, leading us to the conclusion that Doctors are 6.9% more likely to order cardiac catheterization for White patients than Black patients, this is substantially
smaller than the 60% previously stated. In general when stating results to the general public it is better to use the relatively risk than the odds ratio.

Ref: An Introduction to Categorical Data Analysis, Second Edition, Alan Agresti