When I Did Social Engineering without Recognizing It

I planned to read something about history this summer.

Then I picked the history of hacking. My favorite was Kevin Mitnick’s autobiography – the very definition of a page-turner.

The book is free of hardcore technical jargon and written for geeks and a lay audience alike. Readers are introduced to the spirit of a hacker in the older sense of the word: Mitnick’s hacks were motivated by the thrill of exploring systems, but he never gained financially.

Kevin Mitnick successfully obtained the latest source code of cell phones, reports on security vulnerabilities in operating systems, and legitimate-looking birth certificates of deceased children to set up new identities – thanks to his combination of technical skills and mastery of social engineering. He got people to reveal corporate information they should not have. Each piece of information is seemingly innocuous in its own right – the name of a server, a corporate directory of employees – but it helps the social engineer to learn the lingo and pose as a trusted insider.


I adhere to the conventions re hackneyed images (Wikimedia).

I have often been called way too honest – and thus not getting anywhere in life, professionally. So I was asking myself:

Could I con people into breaking rules? The intuitive answer was of course No.

But then the following anecdote emerged from a dark corner of my mind.

A long time ago I had worked as an IT Infrastructure Manager – responsible for quite a colorful IT environment run partly by subversive non-official admins. I actually transitioned into that role from supporting some of the latter. One of the less delightful duties was to keep those subversive elements from building rogue websites and circumventing the bureaucratic corporate content management system – by purchasing internet domains like super-fancy-product-name.com and hosting these services where they figured I would not find them.

I also had to clean up legacy mess.

One time we had to migrate an internet domain hosted on behalf of Another Very Important Organization to one of their servers. Routine stuff, had the domain been under our control. But it was tied to a subversive website a department had once set up, working with an external marketing consultancy. The consulting company was – as per the whois records – the official owner of the domain.

Actually the owner listed was not even that company but a person once employed by that company who was not working for them anymore. I consulted the corporate lawyers: it would have been a legal knot hard to disentangle.

However, I had to transfer the stuff right now. Internet domains have a legal owner (the registrant), an administrative contact, and a technical contact. The person able to do the transfer is the latter, but he or she must not do it unless instructed to do so.

I tracked down the technical contact and called him up. The tech-c’s phone number was public information, very easy to find back then – nowadays you might need a tiny bit of social engineering to obtain it.

I explained the whole case to him – the whole truth in all details. He was a helpful network administrator working for a small internet provider. Having to deal with a typical network admin’s predicament immediately built a kind of bond. This is one of the things that makes working in IT infrastructure management enjoyable – in a job where you are only noticed if something goes wrong. (The rest of the time you are scolded for needing too much money and employing too much personnel.)

The result was that the domain was technically transferred to the intended target organization’s server immediately. But: If somebody asks you how this has been done – it wasn’t me!

This is the same concluding remark uttered by an admin at another telco later – whom I had convinced to hand over a company’s password. That inquiry of mine, too, and the reasons I gave were true and legitimate, as I was doing it on behalf of a client – the password owner.

In both cases there was a third party, a client or colleague or employer, who was quite happy with the results.

But there weren’t any formal checks involved – people did not ask me for a verifiable phone number to call me back, or want to talk to my boss or to the client. If I had just fabricated the stories I would have managed to get a domain transferred and to obtain a hosting customer’s password.

The psychologically interesting part of my job was that I didn’t have real power to tell departments what they must or must not do. I could just persuade them.

I think this is an aspect very common to many corporate jobs today – jobs with grand titles but just a bunch of feeble dotted lines to the rest of the corporate universe and its peripheral contractors’ satellites – some of which you never meet face-to-face.

Combine that with an intricate tangle of corporate guidelines and rules – many of them set up to enforce security and compliance. In some environments people hardly get their jobs done without breaking or bending a subset of those rules.

Social engineering, in some sense, is probably what keeps companies functioning at all.

I Picked the Right Blogging Platform! (Book Review: The Year without Pants)

Before starting this blog I compared blogging tools in 2011. These two facts about WordPress and Automattic won me over:

Now I have read the book on Automattic’s corporate culture:

The Year without Pants: WordPress.com and the Future of Work by Scott Berkun

Scott is a former Microsoft manager and long-term author and speaker. He was hired by Automattic’s founder Matt Mullenweg to help introduce the first tier of middle managers ever into Automattic’s so-far flat hierarchy. Scott accepted, provided he could write a book about his experience. For him it was a test: would he still be able to do the work of management and not only write and speak about it?

The book is a blend of personal essay, reflection on work and management in the tech world, and palpable anecdotes from a very peculiar workplace.

He did his duty in the trenches as a Happiness Engineer:

You get access to real tools and work on real things. If you do well, you’re offered a job. If you don’t, you’re not. The many phony parts of hiring, from inflated résumés to trying to say what you think the other party wants to hear, disappear.

At the end of this stint in support Scott admits how much easier the work of a writer is – in contrast to the relentless, never-ending flow of clients’ tickets:

This pressure made me feel like a wimp for complaining about writing deadlines or tough lecture audiences.

I guess skeptics would say a venture such as WordPress can hardly work – had they not been successful for years now:

The business is firmly grounded in Open Source software. In 2002 18-year-old Matt Mullenweg forked the copylefted software used for his own photoblog, as its lead developer had left. In August 2003 there were over 10,000 blogs running on WordPress. For an extensive account of WP’s history see this.

The central values of the organically growing WP culture were: Transparency of discussions, meritocracy of authority earned – not granted, and the longevity of the project – which should live forever even if Matt himself would once give it up.

There is free WordPress.org for self-hosters, the service WordPress.com and other products by Automattic – according to Scott the business model was difficult to explain at times.

Even based on my own anecdotal experience of using WordPress.com I can say that it works – I pay for the Custom Design Upgrade for two blogs and think it is a fair deal.

Employees are fiercely independent, curious, and funny individuals, working at locations all over the world.

Many of them are former independent WordPress designers and developers – so probably people who don’t like to be (micro-)managed, who are fine with being paid for results and not for office face time or hours put in.

They do meet in person occasionally, and the costs of meetings in real life offset the savings from not having offices.

Matt Mullenweg – whom Scott describes as a renaissance mind with an epicurean desire to understand basically anything – has written down a creed:

I will never stop learning. I won’t just work on things that are assigned to me. I know there’s no such thing as a status quo. I will build our business sustainably through passionate and loyal customers. I will never pass up an opportunity to help out a colleague, and I’ll remember the days before I knew everything. I am more motivated by impact than money, and I know that Open Source is one of the most powerful ideas of our generation. I will communicate as much as possible, because it’s the oxygen of a distributed company. I am in a marathon, not a sprint, and no matter how far away the goal is, the only way to get there is by putting one foot in front of another every day. Given time, there is no problem that’s insurmountable.

Using colorful anecdotes and funny screenshots of WP-internal communications Scott demonstrates which key factors are important to make this work:

Mastery of asynchronous, written communication

Chat-like message exchange is preferred over audio or video calls, and tracking and discussion of work items is done using a blog called P2 (named after the theme used).

The reason for the first is probably surprising – and it might even sound discomforting to those who are stressed out by the constant stream of popups brought up by corporate instant communication tools: WP employees’ communications are based on the assumption that anybody else is working on some items in parallel or has several windows open. It is not expected that people respond instantly to chat requests, and some lag is allowed for – in contrast to the all-encompassing nature of calls.

Everyone understands it’s just a window on the screen and that you may be focusing on other things.

You could discuss the pros and cons of online meetings endlessly, but I think Scott perfectly nails it:

Most people doubt online meetings can work, but they somehow overlook that most in-person meetings don’t work either.

P2 communications are reminiscent of those legendary nested e-mail threads – I answer inline in red / I answer in green / I answer again in blue… I praise collaborators to the skies who are capable of following and processing such nested communications – you can literally do whole projects by asynchronous e-mails.

Everybody at Automattic can in principle read every P2 conversation. This, I guess, provides for self-regulation, and it limits the tactical use of communication tools, such as subtle hints by picking CC recipients etc.

WordPress people compensate for the lack of face-to-face cues by letting personality shine through written communications. Scott says that WP internal communications are refreshingly free of corporate-world jargon:

No “deprioritized action items” or “catalyzing of cross functional objectives.” People wrote plainly, without pretense and with great charm.

From my few but pleasant encounters with WP’s support team I can attest to that.

WordPress’ culture seems to be positively self-selecting for people who fit in.

Insider humor

Sharing a common sense of humor is in my opinion the single best indicator of how well you will get along – and work! – with somebody. It is even more indispensable in this distant working environment.

Laughter leads to running jokes, and running jokes lead to a shared history, and a shared history is culture. What is a friend, a brother or sister, or a partner but someone you share important stories with?

Also the title of the book is a running joke. For a reason no one could explain later, the prompt above the comment box on Scott’s team’s P2 site turned from What’s on your mind? into

Do you know where your pants are?

No incentives

It has long been my conviction that any sort of company-internal competition and incentives for individuals or teams will do overall goals no good. The dissipation of energy invested in facing competition will outweigh the benefits of challenging individuals to go for stretch goals.

So I was delighted to read this:

How do you know if you’re doing a good job? They all shrugged simultaneously and I laughed. Unlike most corporations that emphasize performance evaluations, none of them were particularly concerned. … It seemed to them like an odd question to even ask. … It was not a promotion-oriented culture. Instead they cared mostly about how much value they were getting out of the work.

Frequent shipping of features

Against mantras of quality control and change management, new features are rolled out all the time. I believe the reason this has worked great so far is that risk management best practices are applied in an intuitive way: features to be shipped are small, or their dependence on other features can be cut down. The overall risk of breaking anything major is negligible – and glitches are fixed quickly based on feedback from the production environment.

I think that all those controls in larger organizations rather prevent people from taking personal accountability – and Scott confirms this:

A major reason it works at Automattic is belief in a counterintuitive philosophy: safeguards don’t make you safe; they make you lazy. People drive faster, not more slowly, in cars with antilock brakes. American football players take more risks, not fewer, because of their padding.

Geeky, but end-user-centric

Probably my impression is due to the fact that Scott led Team Social, which dealt with building features like Jetpack, which adds WP.com features on top of the self-hosted version. The team used some funny ‘socialist’ hammer-and-sickle symbols for their internal site.

His team put in many hours trying to understand the experience of the normal users WordPress wanted to serve – and I think this spirit and the idea of democratizing internet publishing can be felt when working with WP. They tried to feel what a user feels who struggles with getting his or her first posting done – since, astonishingly:

50 percent of all blogs never publish a single post.

One trick that helps is writing an internal launch announcement for a feature long before it is launched – forcing you to focus on the value of this feature.

Tame the bureaucrats and policy enforcers

Another pet peeve of mine – I remember myself in a job role that theoretically demanded of me to chide entrepreneurial small departments for not adhering to corporate standard IT hardware procurement guidelines, or because their website didn’t comply with ‘CI rules’.

The volunteer culture Automattic inherited from WordPress, where contributors were under no obligation to participate, defined a landscape that granted wide autonomy to employees. Schneider and Mullenweg went to great lengths to keep support roles, like legal, human resources, and even IT, from infringing on the autonomy of creative roles like engineering and design. The most striking expression of this is that management is seen as a support role.

T-shaped employees

This means having some very deep skills in a specific area but, in addition, the ability to quickly become fairly knowledgeable in other fields – and to apply those skills hands-on as needed, just as in any sort of start-up environment.

This runs counter to the culture (in ‘mature’ corporations) of refusing to do X because you are not qualified, it is beneath you, it has not been included in your job description, or nobody commanded you to do it.


The book provides a much-needed real-life positive example of a company that has ‘got it’ – amid cheerful analyses of a New World of Work and gloomy critiques of debatable implementations (the documentary Work Hard – Play Hard being one of the finest).

But Scott warns against trying to copy WP’s culture and tack it onto an existing one – e.g. by scheduling company meetings in open-space style without an agenda, hoping that employees will simply start working together spontaneously – as they did in Seaside, the artificial settlement that served as the set of one of my favorite movies, The Truman Show. It was a company meeting that

looked more like a party at a very nice but geeky college dorm.

Chances are that in a different culture such experiments would be loathed just like other team morale events, or the casual Friday, or any socializing event moderated by external, psychologically trained moderators with a questionable agenda.


It is not only possible but beneficial to work on serious and sensitive stuff in remotely dispersed teams of self-motivated individuals. Scott’s account is convincing – he often emphasizes that he had been skeptical: he had considered his earlier success as a manager critically dependent on being in the same room with people and looking them in the eye.

The importance of a common culture and humor cannot be overstated. The most daunting crisis soon morphs into legends to be told by the fireside, if you are still able to throw in some Douglas Adams or Monty Python quotes or give your test servers funny names such as panic.com.

I don’t think this is an IT / geek thing only – geekiness might help, as there is this globally available template of a culture (42!) that fosters common humor. But I don’t see a reason why it cannot be applied to other work that is in essence based on shuffling data – and already communicating in an asynchronous way:

The very idea of working remotely seems strange to most people until they consider how much time at traditional workplaces is spent working purely through computers. If 50 percent of your interaction with coworkers is online, perhaps through e-mail and web browsers, you’re not far from what WordPress.com does.

Many stories about famous start-ups are written when they have grown up – when they have scaled.

I am a small business owner by choice, and I often ask myself – probably based on bias – does anything good have to scale? Scott answers this question confidently with No:

…greatness rarely scales, and that’s part of what made it great in the first place.

So in summary I consider it a great book, highly recommended if you use Automattic’s products or are just curious, or if you are an ‘office worker’ or a manager of those and thinking about the best way to work as a team.

It is an honest and entertaining manifesto:

The most dangerous tradition we hold about work is that it must be serious and meaningless. We believe that we’re paid money to compensate us for work not worthwhile on its own.

Honoring ‘Team Social’ (Wikimedia)

Career Advice – Borrowing Wise Words from a Sailing Hacker

While researching SSL-related hacks, I stumbled upon the website of the notable security researcher Moxie Marlinspike.

Marlinspike is also a sailor and works on diverse projects, such as Audio Anarchy – a project for transcribing anarchist books into audio format. On his About page he says:

I like computer security and software development, particularly in the areas of secure protocols, cryptography, privacy, and anonymity. But I also secretly hate technology, am partially horrified with the direction “geek” culture has gone.


In general, I hope to contribute to a world where we value skills and relationships over careers and money, where we know better than to trust cops or politicians, and where we’re passionate about building and creating things in a self-motivated and self-directed way.

I call myself Subversive El(k)ement, Security Consultant, Search Term Poet, and Luddite in Disguise … how could I not relate?

So it was not a surprise that I found myself in total agreement with his career advice.

Moxie’s post starts with

What I want to say, more often than not, is something along the lines of don’t do it;

This is reminiscent of Via Negativa, which I learned about from Nassim Taleb’s writings. I have also found it more helpful to state what I don’t like instead of phrasing so-called SMART goals. When planning positively you try to target a small point in the vast space of options – likely to be missed – in contrast to the negative approach of avoiding a subset of options and keeping a considerable part of them within reach.

From the famous Stanford Prison Experiment Moxie draws a simpler lesson for the individual – and it seems more palpable to me than the grand discussions about morals and free will:

… just be careful what job you take, because your job will change you.

You should look at the people working in a certain environment or industry sector and think twice about whether you want to become like them. This is not self-evident: at times I was dead set on breaking into a world whose representatives were anti-role-models – but of course I wanted to revolutionize the whole sector. Finally I found out that it is more rewarding to go where the people are to whom you can relate.

Moxie talks about choices we all make, and how the first of those, early in our careers, are defined by supporting structures like family, school, or university:

When we arrive at the ends of these funnels, it’s possible that the direction we’re facing is more a reflection of those structures than it is a reflection of ourselves. Self-determination in a moment like that can’t simply be about making a choice, it has to start with transforming the conditions that constitute our choices. It requires challenging the “self” in “self-determination” by stepping as far outside of those supporting structures as possible, for as long as possible.

It is silly to try to rush through our lives, making conscious decisions as early as possible and trying to cast our perfect CV in stone, as

There’s no rush to get started early on a never-ending task.

Moxie concludes that in relation to the inquiries about career advice, he is:

… likely to respond with something like “if I were you, I’d hitchhike to Alaska this summer instead.”

He advocates

… doing the absolute minimum amount of work necessary to prevent starvation, and then doing something that’s not about money, completely outside of supporting structures, and not simply a matter of “consuming experience”

I can anticipate objections, and you can also find them in the comments on Moxie’s post. How to pay the bills? How to feed the kids?

Actually I have re-written this post several times because of this – but, alas, I will not be able to avoid all ambiguity. All I want to say is that Moxie’s post struck a chord with me. Though targeted at students, it is the classic advice to one’s younger self that exactly that self might not like. It took me ~20 years to come to that conclusion and act accordingly.

I think the primary target group of articles like this are people who arguably have choices but don’t use them – people who err on the side of caution. I don’t want to downplay the predicament of the single mum working two jobs but rather speak to the unhappy Head Chief Architect Officer of Something Sounding Really Impressive But Actually Doing Unnerving Grunt Work That Just Happens To Be Extremely Well Paid.

I am also not at all trying to evangelize among those who wholeheartedly enjoy their stressful jobs. There is this subtle dance of intriguing yet stressful work and inspiration that makes it enjoyable nonetheless. The big caveat here is that you need to find out on your own what exactly stresses you out in a fatal way – and this is not necessarily straightforward. It is to be experienced, not determined by theorizing.

Based on my experience, anecdotal as it is, I dare hypothesize that there is an impressive percentage of respected middle-class corporate employees who do ponder an alternative life as that iconic free sailor. My job role had been that of a technical consultant ever since, but I had become more of a project psychologist at times. I was to hear surprising confessions – after we had left the formalities of the professional negotiations behind and people started philosophizing over coffee.

Generally speaking, I believe that most of us living in stable democracies are freer than we think. I am saying this as the inhabitant of a country whose primary mentality is not exactly shaped by entrepreneurial spirit and daring. I know how the collective submission to alleged obligations works.

As for using kids as the main counter-argument to a ‘free’ lifestyle, I was reminded of that most recent controversy about adventurous parents living on boats and raising their kids there – an impossible life for most people. Considering their lifestyles too risky shows how warped our sense of risks and probabilities is, and how over-valued the spectacular risks of The Uncommon are in comparison to the dull, but near-certain health risks of the accepted, sedentary living in a modern civilization.

We do make choices all the way, be it just choosing the life expected from us by those supporting structures. Once we are grown up we don’t have many excuses for not taking accountability – and this does not at all mean a perfectly streamlined career plan.

Quoting Moxie again:

Be careful not to discover a career before you’ve discovered yourself.

The best advice is not to follow any advice (incl. this one), question everything, and decide for yourself.

From a documentary about Kon-Tiki (Wikimedia) – not sure if it is the new movie.

This post will be filed under Life – a collection that recently struck me as much too serious and solemn.

In any case – if that happened again, I would just like everybody to know that I have never been happier; and I am weighing my words carefully.

Diffusion of iTechnology in Corporations (or: Certificates for iPhones)


Some clichés are true. One I found confirmed often is about how technologies are adopted within organizations: one manager meets another manager at a conference / business meeting / CIO event. Manager X shows off the latest gadget and/or brags about (er, presents) a case study of the successful implementation of Y.

Another manager becomes jealous (er, inspired), and after returning home he immediately calls upon his poor subordinates and has them implement Y – absolutely, positively, ASAP.

I suspect that this is the preferred diffusion mechanism for implementing SAP at any kind of organization or for the outsourcing hype (probably also the insourcing-again movement that followed it).

And I definitely know this works that way for iSomething such as iPhones and iPads. Even if iSomething might not be the officially supported standard. But no matter how standardized IT and processes are – there is always something like VIP support. I do remember vividly how I was once told that we (the IT guys) should not be so overly obliging when helping users – unless I (the top manager) need something.

So trying to help those managers is the root cause of having to solve a nice puzzle: iThings need to have access to the network and thus often need digital certificates. Don’t tell me that certificates might not be the perfect solution – I know that. But working in some sort of corporate setting you are often not in the position to bring up these deep philosophical questions again and again, so let’s focus on solving the puzzle:

[Technical stuff – I am trying a new format to serve different audiences here]

Certificates for Apple iPhone 802.1x / EAP-TLS WLAN Logon

The following is an environment you would encounter rather frequently: computer and user accounts are managed in Microsoft Active Directory – providing both the Kerberos authentication infrastructure and an LDAP directory. Access to the Wireless LAN is handled by RADIUS authentication using Microsoft’s Network Policy Server (NPS), and client certificates are mandatory as per the RADIUS policies.

You could require 802.1X to be done by either user accounts and/or machine accounts (though it is a common misunderstanding that in this way you can enforce a logon by 1) the computer account and then 2) the user account at the same machine). I am now assuming that computers (only) are authenticated. Thus the iDevice needs to present itself as a computer to the logon servers.

Certificates contain lots of fields, and standards either don’t enforce clearly what should go into those fields and/or applications interpret the standards in weird ways. Thus the pragmatic approach is to tinker and test.

This is the certificate design that works for iPhones according to my experience:

  • We need a ‘shadow account’ in Active Directory whose properties will match fields in the certificates. Two LDAP attributes need to be set
    1. dnsHostName: machine.domain.com
      This is going to be mapped onto the DNS name in the Subject Alternative Name of the certificate.
    2. servicePrincipalNames: HOST/machine.domain.com
      This makes the shadow account a happy member of the Kerberos realm.

    According to my tests, the creation of an additional name mapping – as recommended here – is not required. We are using Active Directory’s default mapping here – DNS machine names work just like users’ UPNs (User Principal Name – the logon name in user@domain syntax; see e.g. Figure 21 – Certificate Processing Logic – in this white paper for details).

  • Extensions and fields in the certificate
    1. Subject Alternative Name: machine.domain.com (mapped to the DNS name dnsHostName in AD)
    2. Subject CN: host/machine.domain.com. This is different from Windows computers – as far as I understood what’s going on from the RADIUS logging, the Apple 802.1X client sends the string just as it appears in the CN. Windows clients would add the prefix host/ automatically.
    3. If this is a Windows Enterprise PKI: copy the default template Workstation Authentication, and configure the Subject Name to be supplied in the request. The CA needs to accept custom SANs – via enabling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. Keys need to be configured as exportable to carry them over to the iDevice.
  • Create the key, request, and certificate on a dedicated enrollment machine. Note that this should be done in the context of the user rather than the local machine. Certificates/keys can be transported to other machines as PKCS#12 (PFX files).
  • Import the key and certificate to the iPhone using the iPhone Configuration Utility – this tool allows for exporting directly from the current user’s store. So if the user does not enroll for those certificates himself (which makes sense, as the enrollment procedure is somewhat special, given the custom names), the PFX files would first be imported into the user’s store and then exported from there to the iPhone.
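Putting the steps above together as an added example – this is not the post’s own script, and every concrete name in it is an assumption: the copied template is assumed to be published as iPhoneWorkstationAuth, the issuing CA’s config string is assumed to be ca01.domain.com\Corp Issuing CA, and the enrollment box is assumed to have the RSAT ActiveDirectory module, the PKI module and certreq.exe. Run it as the enrolling user; the key is created in that user’s store, exactly as the post requires. The SAN is placed in the CSR’s own extension here, which a template set to ‘Supply in the request’ honors on its own; the CA-wide EDITF_ATTRIBUTESUBJECTALTNAME2 flag is only needed when the SAN is passed as a request attribute (certreq -attrib "san:…"), and the script deliberately avoids that path.

```powershell
# Added example, not the post's own script. Hypothetical names: template
# 'iPhoneWorkstationAuth', CA config 'ca01.domain.com\Corp Issuing CA'.
# Requires: RSAT ActiveDirectory module, certreq.exe, PKI module (Export-PfxCertificate).
param(
    [string]$Fqdn     = 'machine.domain.com',
    [string]$Template = 'iPhoneWorkstationAuth',
    [string]$CaConfig = 'ca01.domain.com\Corp Issuing CA',
    [string]$OutDir   = "$env:USERPROFILE\iphone-enroll"
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Invoke-CertReq {
    # certreq is a native exe; PowerShell does not throw on its exit code, so check it.
    param([string[]]$Arguments)
    & certreq.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certreq $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

# 1. Shadow computer account. dNSHostName is what the SAN DNS name is mapped
#    onto; the HOST/ SPN makes the object a regular Kerberos principal.
$name = ($Fqdn -split '\.')[0]
if (-not (Get-ADComputer -Filter "Name -eq '$name'")) {
    New-ADComputer -Name $name -DNSHostName $Fqdn `
        -ServicePrincipalNames @("HOST/$Fqdn") -Enabled $true
}
$acct = Get-ADComputer -Identity $name -Properties dNSHostName

# 2. certreq INF. CN is the literal 'host/<fqdn>' the Apple supplicant sends;
#    the SAN extension (OID 2.5.29.17) carries the DNS name. MachineKeySet=FALSE
#    puts the key in the user's store; Exportable=TRUE allows the later PFX export.
$inf = @"
[NewRequest]
Subject = "CN=host/$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
[RequestAttributes]
CertificateTemplate = $Template
"@
$infPath = Join-Path $OutDir "$name.inf"
$csrPath = Join-Path $OutDir "$name.req"
$cerPath = Join-Path $OutDir "$name.cer"
$pfxPath = Join-Path $OutDir "$name.pfx"
Set-Content -Path $infPath -Value $inf -Encoding Ascii

# 3. Generate key + CSR, submit to the enterprise CA, install the issued certificate.
Invoke-CertReq -Arguments '-new', $infPath, $csrPath
Invoke-CertReq -Arguments '-submit', '-config', $CaConfig, $csrPath, $cerPath
Invoke-CertReq -Arguments '-accept', $cerPath

# 4. Before exporting, verify that what the CA issued is what AD will match on:
#    the SAN DNS name must equal the shadow account's dNSHostName, string for string.
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq "CN=host/$Fqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "issued certificate for CN=host/$Fqdn not found in CurrentUser\My" }
$sanText = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
if ($sanText -notmatch "DNS Name=$([regex]::Escape($acct.dNSHostName))(,|$)") {
    throw "SAN '$sanText' does not match dNSHostName '$($acct.dNSHostName)'"
}

# 5. Export as PKCS#12 for import via the iPhone Configuration Utility.
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pw | Out-Null
Write-Host "Enrolled $($cert.Thumbprint) for $Fqdn -> $pfxPath"
```

Step 4 is the part worth keeping even if the rest is done by hand: the RADIUS side will only ever compare the SAN string against dNSHostName, so a typo there produces a certificate that chains perfectly and still fails every logon.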

The point I like to stress in relation to certificates is that logon against AD is based on matching strings – containing the DNS names – not on a binary comparison of a file presented by the client against a certificate file in the directory.

I have encountered that misconception often, as there is an attribute in AD – userCertificate – that is actually designed for holding users’ (or machines’) certificates. But this is more of an Alice-tries-to-get-Bob’s-public-key, phonebook-style attribute, and it is not intended to be used for authentication but rather for encryption – Outlook searches for S/MIME e-mail recipients’ public keys there. Disclaimer: I cannot vouch for any custom application that may exist.

Authentication is secure nonetheless, as the issuing CA’s certificate needs to be present in a special LDAP object, the so-called NTAuth object in Active Directory’s Configuration container, and per default it can only be edited by Enterprise Admins – the ‘root admins’ of AD. In addition you have to configure the CA for accepting arbitrary SANs in requests. That second point is exactly where this design needs care: EDITF_ATTRIBUTESUBJECTALTNAME2 is a CA-wide setting, and once it is on, anybody who can enroll for any template carrying the Client Authentication EKU can pass a SAN of their choosing as a request attribute – including the UPN of a Domain Admin – and the resulting certificate will be mapped to that account. So restrict enrollment permissions on the custom template to the dedicated enrollment account, prefer carrying the SAN inside the CSR’s own extension with the template’s ‘Supply in the request’ setting (which does not need the CA-wide flag), and audit issued certificates for SANs that don’t correspond to a shadow account. Note also that Microsoft has since deprecated these implicit name mappings in favor of strong mappings (KB5014754), so on current domain controllers the shadow-account approach may need an explicit altSecurityIdentities mapping or the SID extension in the certificate.
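The two pillars of that argument can be checked rather than assumed. The following script is an added example, not the post’s own code: it takes an issued certificate, resolves which AD object it maps to (SAN DNS name against dNSHostName, the string match described above), verifies that the issuing CA’s certificate is actually in the NTAuthCertificates object, and reads the CA’s policy EditFlags to see whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set. The certificate path and the CA config string ca01.domain.com\Corp Issuing CA are assumptions; the RSAT ActiveDirectory module and certutil.exe are assumed to be present.

```powershell
# Added example, not the post's own script. Hypothetical: CA config
# 'ca01.domain.com\Corp Issuing CA' and the certificate path.
# Requires RSAT ActiveDirectory module and certutil.exe.
param(
    [string]$CertPath = "$env:USERPROFILE\iphone-enroll\machine.cer",
    [string]$CaConfig = 'ca01.domain.com\Corp Issuing CA'
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
$X509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$X509.X509Certificate2" -ArgumentList $CertPath

# (1) Is the *issuing* CA in NTAuthCertificates? Compare the thumbprint of the
#     chain's next element against the cACertificate values on the NTAuth object.
$configNc = (Get-ADRootDSE).configurationNamingContext
$ntAuthDn = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
$ntAuth   = Get-ADObject -Identity $ntAuthDn -Properties cACertificate
$trusted  = @(foreach ($raw in $ntAuth.cACertificate) {
    (New-Object "$X509.X509Certificate2" -ArgumentList (,[byte[]]$raw)).Thumbprint
})
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline-friendly; NPS checks revocation at logon
$null = $chain.Build($cert)
$issuer = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate } else { $null }
$issuerInNtAuth = [bool]($issuer -and ($trusted -contains $issuer.Thumbprint))

# (2) Which AD object will this certificate be mapped to? The implicit mapping
#     for computers is SAN DNS name -> dNSHostName, a plain string comparison.
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
$dns = [regex]::Match($san, 'DNS Name=([^,\s]+)').Groups[1].Value
$mapped = if ($dns) { Get-ADComputer -Filter "dNSHostName -eq '$dns'" -Properties dNSHostName } else { $null }

# (3) CA-wide policy flag. If EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) is set, any
#     enrollee can supply an arbitrary SAN as a request attribute on any template,
#     i.e. request a client-auth certificate for a Domain Admin's UPN. certutil only
#     lists flags that are set, so a plain substring match is enough.
$editFlags = (& certutil.exe -config $CaConfig -getreg policy\EditFlags) -join "`n"
$sanFlagOn = if ($LASTEXITCODE -eq 0) { $editFlags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2' } else { $null }

[pscustomobject]@{
    Subject        = $cert.Subject
    SanDnsName     = $dns
    MappedAccount  = if ($mapped) { $mapped.DistinguishedName } else { '<none>' }
    Issuer         = if ($issuer) { $issuer.Subject } else { '<self-signed>' }
    IssuerInNtAuth = $issuerInNtAuth
    CaSanFlagOn    = $sanFlagOn
}
```

Read the output as a checklist: MappedAccount must be the shadow account and nothing else, IssuerInNtAuth must be True, and CaSanFlagOn should be False; if it is True, every template on that CA that allows enrollment by ordinary users is a path to impersonating any principal in the forest.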

Happy iPhone users with their iPhones, when the product was released in 2007. I have never owned any iThing so I need to borrow an image from Wikimedia (user 1DmkIIN).

In Praise of Textbooks with Tons of Formulas (or: The Joy of Firefighting)

I know. I am repeating myself.

Maurice Barry has not only recommended Kahneman’s Thinking, Fast and Slow to me, but he also runs an interesting series of posts on his eLearning blog.

These got mixed and entangled in my mind, and I cannot help returning to that pet topic of mine. First, some statistically irrelevant facts from my personal observations – probably an example of narrative fallacy or of mistaking correlation for causation:

As you know I had planned to reconnect to my roots as a physicist for a long time despite working crazy schedules as a so-called corporate knowledge worker. Besides making the domain subversiv.at mine and populating it with content similar to the weirdest in this blog I invented my personal therapy to deflect menacing burn-out: I started reading or better working with my old physics textbooks. Due to time constraints I sometimes had to do this very early in the morning – and I am not a lark. I have read three books on sleep research recently – I know that both my sleep duration as well as my midsleep are above average and I lived in a severely sleep-deprived state most of my adult life.

Anyway, the point was: Physics textbooks gave me some rehash of things I had forgotten and prepared me to e.g. work with the heat transfer equation again. But what was more important was: These books transformed my mind in unexpected ways. Neither entertaining science-is-cool pop-sci books nor philosophical / psychological books about life, the universe and everything could do this for me at that level. (For the record: I tried these too, and I am not shy to admit I picked some self-help books as well. Dale Carnegie, no less.)

There were at least two positive effects – I try to describe them in my armchair psychologist’s language. Better interpretations welcome!

Concentrating and abstract reasoning seem to be effective in stopping or overruling the internal over-thinking machine that runs in circles if you feel trapped in your life or career. Probably people like me try to over-analyze what has to be decided intuitively anyway. Keeping the thinking engine busy lets the intuitive part do its work. Whatever it was – it was pleasant, and despite the additional strain on sleep and schedule it left me more energetic, more optimistic, and above all more motivated and passionate about that non-physics work.

I also found that my work-related results – the deliverables, as we say – improved. I have been the utmost perfectionist ever since, and my ability to create extensive documentation in parallel to doing the equivalent of cardiac surgery on IT systems is legendary (so she says in her modest manner). Nevertheless, plowing through tensor calculus and field equations helps to hone these skills even more. For those who aren’t familiar with that biotope: The mantra of other Clint-Eastwood-like firefighters is rather: Real experts don’t provide documentation!

I would be lying if I described troubleshooting issues with digital certificates as closely related to theoretical physics. You can make some remote connections between skills that are sort of related – cryptography is math after all – but I am not operating at that deep mathematical level most of the time. I rather believe that anything rigorous and mathy puts your mind – or better its analytical subsystem – in an advanced state. Advanced refers to being better prepared to tackle a specific class of problems. The caveat is that you lose this ability if you stop reading textbooks at 4:00 AM.

Using Kahneman’s terminology (mentioned briefly in my previous post) I consider mathy science the ultimate training for system 2 – your typically slow, rational decision-making engine. It takes hard work and dedication at the beginning to make system 2 work effortlessly in some domains. In my very first lecture at university, the math professor stated that mathematics will purge and accelerate your brain – and right he was.

Hence I am so skeptical about joyful learning and using that science-is-cool-look-at-that-great-geeky-video-of-blackholes-and-curved-space approach. There is no simple and easy shortcut and you absolutely, positively have to love the so-called tedious work you need to put in. You are rewarded later with that grand view from the top of the mountain. The ‘trick’ is that you don’t consider it tedious work.

Kahneman is critical of so-called intuition – effortless intuitive system 1 at work – and he gives convincing accounts of cold-hearted algorithms beating humans, e.g. in picking the best candidate for a job. However, he describes his struggles with another school of thought of psychologists who are wary of algorithms. I have scathed dumb HR-acronym-checking bots on this blog, too. But Kahneman finally reached an agreement with the algorithm haters as he acknowledged that there is a specific type of expert intuition that appears like magic to outsiders. His examples: Firefighters and nurses who feel what is wrong – and act accordingly – before they can articulate it. He still believes that picking stocks or picking job applicants is not a skill and that positive results don’t correlate at all with skill but are completely random.

I absolutely love the example of firefighters as I can literally relate to it. Kahneman demystifies their magic abilities though as he states that this is basically pattern recognition – you have gathered similar experience, and after many years of exposure system 1 can draw from that wealth of patterns unconsciously.

Returning to my statistically irrelevant narrative, this still does not completely explain why exposure to theoretical physics should make me better at analyzing faulty security protocols. Physics textbooks make you an expert in solving physics textbook problems, that is: in recognizing patterns, and they provide you with the type of out-of-the-box idea you sometimes need to find a clever mathematical proof. You might get better at solving those physics puzzles people enjoy sharing on social media.

But probably the relation to troubleshooting tech problems is very simple and boils down to the fact that you love to tackle formal, technical problems again and again even if many attempts are in vain. The motivation and the challenge is in looking at the problem as a black box and trying to find a clever way to get in. Every time you fail you learn something nonetheless, and that learning is a pleasure in its own right.

DOD mobile aircraft firefighting training device

Using Social Media in Bursts. Is. Just. Normal.

I have seen lots of turkey pictures last week, and this has reminded me of an anniversary: When I saw those last time I had just started using Twitter, Google+ and Facebook.

So a review is overdue, and I also owe an update to my Time-Out from social networks this summer. (If you don’t have time to read further – the headline says it all.)

I am not at all an internet denier. Actually, I had crafted my first website in 1997 and had pseudo-blogged since 2002. I made these pages – not blogs in the technical sense, but content-wise – the subject of last year’s Website Resurrection Project.

There have been two reasons for my denial of modern interactive platforms, both are weird:

  1. Territory Anxiety: It made me uncomfortable to have my own site entangled with somebody else’s via comments, reshares and the like. I prefer platforms that allow me to make them mine. Facebook and Google+ require you to ‘fill in form’ and put you at the mercy of their designers.
  2. Always-On and Traceability: For many years my job was concerned with firefighting – an inherent feature of working with digital certificates that have their end of validity embedded cryptographically. I considered it odd if panicking clients would see me sharing geeky memes while they are waiting for my more substantial responses. Notifications by corporate online communication tools conditioned me to loathe any piece of technology that tried to start a conversation via flashing pop-ups.

These two reasons haven’t been invalidated completely – I think I just care less. Social media is an ongoing experiment in communications.

I am using social media in the following way: (This is not at all advice for using social media properly, but an observation.)

  • If I use a network, I want to use it actively. I don’t use anything as a sole channel for announcements, such as tweeting all new blog postings (only), and I don’t use automation. I don’t replicate all content on different networks or at least there should be enough non-overlap. Each network has its own culture, target group, style of conversation.

A detailed analysis of the unique culture of each network may remain the subject of a future post. But I cannot resist sharing my recently started collection of articles on the characteristics of the most hated and most analyzed network:

How to overcome facebook status anxiety
7 Ways to Be Insufferable on Facebook
Does Facebook CAUSE narcissism?

I became a Google+ fan, actually.

  • The only ‘strategic tool’ I use is a simple text file I paste interesting URLs to – in case I stumble upon too many interesting things, which would result in quite a spammy tsunami of posts or tweets. This is in line with my life-long denial of sophisticated time-management tools and methodologies such as Getting Things Done (which is less down-to-earth than it sounds). I don’t believe in the idea of getting mundane things out of your head to free up capacity for the real thing. I want to keep appointments, tasks, the really important items on the to-do list, and things to be posted in my mind.
  • Using social networks must not feel like work – like having to submit your entries to the time-tracking tool. I have often said that my so-called business blog, Facebook site and Google+ site can hardly be recognized as such. (Remember, I said this is not perfect marketing advice.)
  • I don’t care about the alleged ideal time for posting and about posting regularly. It is all about game theory: What if everybody adhered to that grand advice that you should, say, tweet funny stuff in the afternoon or business stuff on Tuesday morning? My social media engagement is burst-like, and I think this is natural. This is maybe the most important result of my time-out experiment:
  • Irregularity is key. It is human and normal. I don’t plan to take every summer off from social media. I will rather allow for breaks of arbitrary length when I feel like it.

And I have found scientific confirmation through this scientific paper: The origin of bursts and heavy tails in human dynamics by renowned researcher on network dynamics, Albert-László Barabási.

The abstract reads (highlights mine):

The dynamics of many social, technological and economic phenomena are driven by individual human actions, turning the quantitative understanding of human behaviour into a central question of modern science. Current models of human dynamics, used from risk assessment to communications, assume that human actions are randomly distributed in time and thus well approximated by Poisson processes. In contrast, there is increasing evidence that the timing of many human activities, ranging from communication to entertainment and work patterns, follow non-Poisson statistics, characterized by bursts of rapidly occurring events separated by long periods of inactivity. Here I show that the bursty nature of human behaviour is a consequence of a decision-based queuing process: when individuals execute tasks based on some perceived priority, the timing of the tasks will be heavy tailed, with most tasks being rapidly executed, whereas a few experience very long waiting times. In contrast, random or priority blind execution is well approximated by uniform inter-event statistics.

Poisson statistics is used to describe, for example, radioactive decay. I learned now that it can also be applied to traffic flow or queues of calls in a call center – basically queues handled by unbiased recipients. The probability of measuring a certain time between two consecutive decays or phone calls taken decreases exponentially with the time elapsed. Thus very long waiting times are extremely unlikely.

The exponential dependence is another way to view the probably familiar exponential law of decay – by finding the probability of no decay in a certain time via the percentage of not yet decayed atoms. Richard Feynman gives the derivation here for collisions of molecules in a gas.


Radioactive decay – the number of non-decayed nuclei over time for different decay rates (half-lives). This could also be read as the probability for a specific nucleus not to decay for a certain time (Wikimedia)

Thus plotting probability over measured inter-e-mail time should give you a straight line in a log-linear plot.

However, the distribution of the time interval between e-mails has empirically been determined to follow a power law which can quickly be identified by a straight line in a log-log-plot: In this case probability for a certain time interval goes approximately with 1 over the time elapsed (power of minus 1).

Power-law distribution, showing the yellow heavy or fat tail. This function goes to zero much slower than the exponential function.

A power function allows for much higher probabilities for very long waiting times (‘Fat tails’).

Such patterns were also found…

…in the timing of job submissions on a supercomputer directory listing and file transfers (FTP request) initiated by individual users, or the timing of printing jobs submitted by users were also reported to display non-Poisson features. Similar patterns emerge in economic transactions, describing the time interval distributions between individual trades in currency futures. Finally, heavy-tailed distributions characterize entertainment-related events, such as the time intervals between consecutive online games played by the same user.

We so-called knowledge workers process our task lists, e-mails, or other kinds of queued-up input neither in First-In-First-Out style (FIFO) nor randomly, but we assign priorities in this way:

…high-priority tasks will be executed soon after their addition to the list, whereas low-priority items will have to wait until all higher-priority tasks are cleared, forcing them to stay on the list for considerable time intervals. Below, I show that this selection mechanism, practiced by humans on a daily basis, is the probable source of the fat tails observed in human-initiated processes.

Barabási’s model is perfectly in line with what I had observed in deadline-driven environments all the time. When your manager pings you – you will jump through any hoop presented to you, provided it has been tagged as super-urgent:

This simple model ignores the possibility that the agent occasionally selects a low-priority item for execution before all higher-priority items are done – common, for example, for tasks with deadlines.

It gets even better, as this model is even more suited to dealing with competing tasks – such as your manager pinging you while you also have to respond to that urgent Facebook post:

Although I have illustrated the queuing process for e-mails, in general the model is better suited to capture the competition between different kinds of activities an individual is engaged in; that is, the switching between various work, entertainment and communication events. Indeed, most data sets displaying heavy-tailed inter-event times in a specific activity reflect the outcome of the competition between tasks of different nature.

Poisson processes and the resulting exponential distribution are due to the fact that events occur truly at random: The number of particles emitted due to radioactive decays or the number of requests served by a web server is proportional to the time interval multiplied by a constant. This constant is characteristic of the system: an average rate of decay or the average number of customers calling. Call center agents just process calls in FIFO mode.

Power-law behavior, on the other hand, is the result of assigning different priorities to tasks using a distribution function. Agents are biased.
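To see the difference between an unbiased queue and a biased one in numbers, here is a small simulation of the priority-list model described in the quoted passages above: a list of L tasks, one executed per step and replaced by a fresh task with a random priority, where with probability p the highest-priority task is chosen and otherwise a random one. This is an added example of mine, not code from Barabási’s paper or from the post; the list length, the value of p, the number of steps and the random seed are constructed choices. Running it shows the exponential-like waiting times of the priority-blind case (p = 0, a median near 1/L steps and no extreme waits) against the fat tail of the priority case (p = 0.99), where most tasks wait a single step while a small share waits thousands.

```python
"""
Added example (not from the post or Barabási's paper): simulate the
priority-list model.  Each step one task is executed and replaced by a new
one with a uniformly random priority.  With probability p the highest-priority
task is chosen, otherwise a random one (p = 0: priority blind; p near 1: strict
priority).  L, p, the step count and the seed are this example's own choices.
"""
import random
from statistics import median


def simulate_queue(p: float, list_length: int = 100, steps: int = 10000, seed: int = 7):
    """Return the waiting times (steps between arrival and execution) of all executed tasks."""
    rng = random.Random(seed)
    tasks = [(rng.random(), 0) for _ in range(list_length)]  # (priority, arrival step)
    waits = []
    for step in range(1, steps + 1):
        if rng.random() < p:
            # biased agent: pick the task with the highest priority
            idx = max(range(list_length), key=lambda i: tasks[i][0])
        else:
            # unbiased agent: pick any task with equal probability
            idx = rng.randrange(list_length)
        waits.append(step - tasks[idx][1])
        tasks[idx] = (rng.random(), step)  # the freed slot receives a fresh task
    return waits


def summarize(waits):
    """Median, maximum, and the share of tasks that waited longer than 1000 steps."""
    n = len(waits)
    return {
        "median": median(waits),
        "max": max(waits),
        "share_over_1000": sum(1 for w in waits if w > 1000) / n,
    }


def compare(steps: int = 10000):
    """Priority-blind (p = 0) versus strongly biased (p = 0.99) selection on the same queue size."""
    return {
        "random": summarize(simulate_queue(0.0, steps=steps)),
        "priority": summarize(simulate_queue(0.99, steps=steps)),
    }


if __name__ == "__main__":
    for mode, stats in compare().items():
        print(mode, stats)
```

In the unbiased run the waiting time of any given task is geometric (the discrete cousin of the exponential law above), so the longest wait among ten thousand tasks stays around a few hundred to a thousand steps. In the biased run the list silts up with low-priority tasks that are only ever reached by the occasional random pick, and those picks produce waits of the order of the whole simulation length: the fat tail the post describes.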

Barabási is very cautious in stating the universal validity of the power law. He also discusses refinements of the model, such as taking into account the size of an e-mail message and the required processing time, and he emphasizes the dependence of the calculated probability on the details of the priorities of tasks. Yet the so-called fat tails in the probabilities of task execution seem to be a universal feature, irrespective of the details of the distribution function.

He has also shown that these bursty patterns are not tied to modern technology and e-mail clients: Darwin and Einstein prioritized their replies to letters in the same way that people rate their e-mails today.

Considering a normal (typically crazy) working day you may have wondered why you could model that without taking into account other things that need to be done in addition to responding to e-mail. And indeed Barabási stresses the role of different competing tasks:

Finally, heavy tails have been observed in the foraging patterns of birds as well, raising the intriguing possibility that animals also use some evolutionarily encoded priority-based queuing mechanisms to decide between competing tasks, such as caring for offspring, gathering food, or fighting off predators.

Thus we might even be evolutionarily hard-wired to process challenging tasks in this way.

I am asking myself: Is this the reason why automated posts on social media feel staged to me? Why I find very regular blogging / posting intervals artificial? Why I don’t like the advice (by social media professionals) that you need to prepare posts in advance for the time you will be on vacation? What happens next – program the automation to act in a bursty fashion?

I planned to connect my Time-Out experience with Barabási’s Bursts for a long time. But now this burst of my writing it down may finally have been triggered by this conversation on an earlier post of mine.

I enjoyed Barabási’s popular-science book Linked: How Everything Is Connected to Everything Else and What It Means for Business, Science, and Everyday Life on the dynamics of scale-free networks.

There is also a popular version related to his research on bursts: Bursts: The Hidden Patterns Behind Everything We Do, from Your E-mail to Bloody Crusades. Bursts is a fascinating book as well, and Barabási illustrates the underlying theories using very diverse examples. But you had better be interested in history in its own right, and not read the book for the science/modelling part only. Reading Bursts for the first time, I came to similar conclusions as this reviewer. It is probably one of the books you should read more than once, re-calibrating your expectations.

Further reading: Website of Barabási’s research lab.


So-called scale-free networks. The distribution of the number of connections per node also follows a power-law. Scale-free networks are characterized by ongoing growth and ‘winner-take-all’ behavior (Wikimedia, user Keiichiro Ono)

What Entrepreneurs Need to Have

Chances are that many readers had to do one of those things as corporate employees or as members of any large organization that asks management consultants for help: brainstorm on a vision, formulate a mission statement, create a business plan. As an aspiring start-up business owner you cannot escape trainers who tell you that you need to have a logo designed by professionals, hire MBAs as CFOs, hire more professionals to dream up a great marketing strategy, and execute That Great Plan based on Your Sincere Belief in That Great Singular Idea.

This does not resonate with my experiences as an entrepreneur though. You might expect correctly that I would rather go for antifragile ‘dilettante’ tinkering – and all those buzz words make me remember that eerie documentary of brave new corporate world.

It is refreshing to find confirmation by a very successful founder of start-ups. I have linked Frank Levinson’s Top 10 Things You Must Have to Start a Business so often – it deserves a dedicated post. As usual I cannot resist pointing out some resemblance with Nassim Taleb’s ideas.

Note to readers who might miss the physics in this post: Frank Levinson is a physics PhD and self-educated programmer. He has given an extensive interview about his career to the Center for History of Physics of the American Institute of Physics – the transcript can be found here. I was most impressed by his ability to deal with failure – he founded his successful venture Finisar after he had been fired as a CEO of a company he had founded himself. Levinson called it Finisar as he hadn’t finished anything before.

You Need Comfortable, Cheap Furniture – It doesn’t matter how you look but what you do.

This is in contrast to all that advice about branding and (online) reputation. Customers should not be jealous of your Porsche company car or suspect that those high rates they are charged for go into hiring designers that tweak your corporate identity every month.

Remember the coconuts!

The German title of Monty Python and the Holy Grail is: Knights of the Coconut. Horses were replaced by coconuts for budget reasons, and this joke has gone viral. Monty Python were creative and innovative because of constraints and necessities.

Levinson therefore believes that entrepreneurs need ‘not enough money’. In addition, the best money you can use is the customer’s money – found the company on an existing revenue stream – or literally use your own money.

After all, it is about what Nassim Taleb would call Skin in the Game.

Pride of a Fat Baby and 1000 Ideas

Which pride does a fat baby have? Exactly: None. In contrast to Focus on Your Core Business and Go for that Great Idea (probably accompanied by Follow Your Passion), Levinson advocates accepting project requests that appear tangential to your aspired core business. His company did contract engineering for some years, then delivered bad products we considered good ones, and finally manufactured really good products.

This is Taleb’s Optionality. Those seemingly odd projects allow for interaction with real customers, collection of feedback from the real world. Levinson also advises to love your tough customers – those who complain about the product – because they are really interested.

Non-core-business projects might give you new ideas and change your so-called business plan. Actually, you should be generous with ideas and give away 1000s of ideas (for money), e.g. in contract engineering, rather than believing you have stumbled upon that singular idea – knowing exactly what the world really needs, based on your impeccable market studies.

“Common Sense”: You Need Customers

Sounds trivial, but isn’t. Frank Levinson’s key message is that customers are people who place an order and pay for services or product received. Customers are not: People who like your idea, would love to get free samples, and do co-development.

It is so simple, yet it cannot be overstated when you read ten times a day, in tweeted articles, how important it is to grow your network, exchange ideas, find partners.

It resonates with my experience: The most enjoyable business relationships start with a client really in need of what I offer – I do it – the client is happy and pays in due time. Actually, it always was those business relationships that naturally morph into friendships. But the alleged friendships with people who want to discuss market potential over a coffee hardly ever turn into business.

Sure, customers need to know you exist. But like Levinson, I feel that advice for start-ups over-emphasizes the importance of marketing to the point of replacing the requirement of having a very good product with sophisticated marketing! Professional marketing, business plans, Vice Presidents (suits) should materialize very late in the company’s growth process – before an IPO, thus probably never if you decide to remain a small privately owned business.

Social media can help to connect with potential clients – your mileage may vary depending on the very nature of your business. Yet I believe Levinson is still right in being wary about the significance of a website as engineers are shy and hope to replace face-to-face customer contact by virtual online communications.

But watch the video yourself – 19 minutes well spent: