A good first step in cyber self defense

The recent data breach at Equifax makes it clear that it is critical to use strong passwords for all online accounts. According to Equifax, the data breach happened between mid-May and July. The hack was discovered on July 29, but Equifax did not inform the public until September 7. Sensitive personal information such as Social Security numbers, dates of birth and addresses was stolen from Equifax, affecting one in two adults in the United States (see here).

How do you create strong passwords? Obviously the longer a password, the stronger it is. The issue is that of laziness. There may be a long list of accounts, e.g. financial accounts (banks and credit cards), social media accounts and other accounts. There may be ten or more such accounts to manage. Some people get lazy and use the same password. Using different passwords that are long enough and random enough across many accounts would indeed pose a huge management challenge – how to remember, store and update the passwords.

It turns out that it is not difficult to create strong passwords that are easy to remember. The idea is to come up with a phrase that is memorable only to you. For example, a college student may come up with the following phrase.

    My weakest subject is Chemistry. I will go to Tutoring Center 5 days a week this semester to get Help!

The resulting password would be “MwsiC.IwgtTC5dawtstgH!”. This is a 22-character password that includes upper case letters, lower case letters, numeric characters and special characters. Another plus is that it contains no dictionary words. If the information about the chemistry subject is important and meaningful to the creator of the password, then it is easy to remember.

The string MwsiC.IwgtTC5dawtstgH! appears random. Yet there is a high level piece of information behind it that is known to no one except the creator of the password.

The college student in question can change the password by using another memorable phrase after the semester is over. So this idea is flexible and the possible pool of passwords is limitless.

For each account, create a memorable phrase associated with that account. Managing these passwords still requires effort. However the information to remember is at a high level (and memorable and personally meaningful). It is not about memorizing a random string of characters. In light of the Equifax data breach, the effort is the least we can do to help defend ourselves.

Any discussion of safe and strong passwords is a good pivot to talking about large numbers. Having an appreciation of large numbers helps us appreciate passwords such as MwsiC.IwgtTC5dawtstgH!.

For example, how many possible 22-character strings are there? To get a sense of how big this number is, let’s assume that the 22-character string consists of only lower case English letters. Then there would be 26^{22} possible strings. How big is this number? It is 1.3474 \times 10^{31}. To simplify, let’s say it is 1 \times 10^{31}, the number 1 followed by 31 zeros. Note that a billion is one followed by 9 zeros. A trillion is one followed by 12 zeros.

The number 1 \times 10^{24} only includes lower case letters. If we include upper case letters as well as numeric characters and special characters ($, ?, ! etc), then the universe of potential passwords is greatly expanded.

To appreciate how big 1 \times 10^{24} is, let’s compare it with the age of the universe, which is about 13.8 \times 10^{9} years (13.8 billion years). Converted to seconds, the age of the universe is approximately 4.35 \times 10^{17} seconds, which is less than 1 \times 10^{24}. Guessing at the password at the rate of one per second, the entire age of the universe is not enough time to cover the possible choices within the number 1 \times 10^{24}. This is assuming upper case letters and numeric and special characters are not in the mix!

It is believed that the sun can burn for another 5 billion years. So guessing at the password at a fast rate would mean that there is not enough time to cover all the possible choices.
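The derivation and the counting argument above can be reproduced in a few lines. This is an added example, not code from the original post; the function names and the assumed guessing rate of 10^10 per second are illustrative assumptions, while the phrase and the age of the universe in seconds are the article's own figures.

```python
import string

# Phrase and age-of-universe figure are taken from the article.
PHRASE = ("My weakest subject is Chemistry. I will go to Tutoring Center "
          "5 days a week this semester to get Help!")
AGE_OF_UNIVERSE_SECONDS = 4.35e17

# Assumption (not from the article): a far faster guessing rate than the
# article's one guess per second, used to stress the estimate.
ASSUMED_FAST_RATE = 1e10


def phrase_to_password(phrase):
    """First character of each word, keeping any punctuation that ends it."""
    parts = []
    for word in phrase.split():
        core = word.rstrip(string.punctuation)  # "Chemistry." -> "Chemistry"
        tail = word[len(core):]                 # "."
        parts.append(core[:1] + tail)           # "C."
    return "".join(parts)


def alphabet_size(password):
    """Size of the smallest standard character pool covering the password."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    return sum(len(pool) for pool in pools
               if any(ch in pool for ch in password))


def search_space(length, alphabet):
    """Number of strings of the given length over the given alphabet."""
    return alphabet ** length


def universe_ages_to_exhaust(space, guesses_per_second):
    """How many ages of the universe it takes to try every candidate."""
    return space / guesses_per_second / AGE_OF_UNIVERSE_SECONDS


if __name__ == "__main__":
    pw = phrase_to_password(PHRASE)
    print(pw, len(pw))
    for label, alphabet in (("lower case only", 26),
                            ("pool used by this password", alphabet_size(pw))):
        space = search_space(len(pw), alphabet)
        print(f"{label}: {alphabet}^{len(pw)} = {space:.3e} strings")
        for rate in (1, ASSUMED_FAST_RATE):
            ages = universe_ages_to_exhaust(space, rate)
            print(f"  at {rate:.0e} guesses/s: {ages:.3e} ages of the universe")
```

These counts treat every 22-character string as equally likely. A password derived from a natural-language sentence is not uniformly random, so the figures are an upper bound on the guessing effort rather than a measurement of it.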

Using the “memorable phrase” approach for password management is a good first step in cyber self defense. This approach can help keep your bank accounts safe. So it is a good first step in financial self defense as well.

Here’s a peculiar way to find strong passwords. This scheme is to produce 26-letter passwords such that every letter is known and is fixed! In fact, the first letter of the password is the first letter in the English alphabet, the second letter of the password is the second letter of the English alphabet and so on. The length of the password is long but every letter is fixed. This scheme is discussed in this blog post. This universe of passwords is not as big as the one for the 22-character passwords discussed above. But it is a big enough collection of possibilities that it is all but impossible to hack without computer help. There are 67,108,864 different possibilities (over 67 million). How does this scheme work? Why is it that every letter is known but the passwords can be strong?

Curious? Think about it or go to this blog post. This particular scheme is a way to learn the concept of the binomial distribution. Anyone who understands this scheme understands the binomial distribution.

© 2017 – Dan Ma


Siege of Leningrad

A picture can tell a thousand words. Sometimes a number can give a good picture. In the example discussed here, a picture and a number can be combined to make history come alive.

I recently watched a World War II newsreel on YouTube called FRONTLINE WWII: Germans Advance into Russia (720p). The video describes the operation called Operation Barbarossa, which was the code name for Nazi Germany’s invasion of the Soviet Union during World War II and was launched on Sunday 22 June 1941. One of the three strategic objectives for the operation was to capture the city of Leningrad, now called Saint Petersburg. The Germans laid siege to the city for 872 days from September 8, 1941 to January 27, 1944.

Early on in the war, the Germans believed that Leningrad would be taken easily. In fact, it has been reported that Adolf Hitler was so confident of capturing Leningrad that he had invitations printed with the victory celebration party to be held in the city’s Hotel Astoria. Later Hitler made the strategic decision to divert resources to other fronts. The plan for Leningrad was changed from direct attack and capture to a siege with the goal of starving the city into submission.

The siege of Leningrad was one of the longest and most destructive sieges in world history. The destructive impact on the city is detailed in the Wikipedia entry on the siege of Leningrad and in countless other sources. When I watched the YouTube video, one number stood out. During the siege, each soldier or worker doing critical work received 8 ounces of bread a day (and nothing else). The other residents of the city received a daily ration of 4 ounces of bread. It did not matter if a resident was young or old, healthy or sick. If the person was not fighting, he or she only had 4 ounces of bread per day for sustenance.

To get an idea of how much food an 8-ounce piece of bread is, the following is a picture of a loaf of bread that is found in any grocery store in the United States.


The loaf pictured is a 24-ounce loaf. That means that a Soviet soldier defending Leningrad received about one third of a loaf of bread for an entire day. Here’s the math: 24 oz x 1/3 = 8 oz. But that is only in terms of weight. The quality of the bread that a soldier received could not be compared with the loaf pictured above. The bread during the siege was made up of sawdust and other inedible ingredients (50 to 60%).

The loaf pictured above has 18 slices (you can actually count the slices). The daily ration is then 6 slices of bread for a soldier and 3 slices for everyone else (children and the elderly). Here’s the math: 18 x 1/3 = 6 slices. So a child or an old person subsisted on 3 thin slices of bread that was half sawdust!

The picture was indeed grim. The deaths in Leningrad peaked at 100,000 a month in early 1942, mostly from starvation. Due to the lack of fuel, the trolley service ceased to work for most of the siege. Just to get the meager 4-ounce ration of bread, people would need to walk to a distribution kiosk. In a typical winter in Leningrad, the temperature can drop to minus 30 Celsius (minus 22 Fahrenheit). For many people, the walk to a distribution kiosk would be an insurmountable obstacle.

The Nazi siege of Leningrad that began in 1941 and ended in 1944 was one of the most gruesome episodes of World War II. Nearly three million people endured it. Altogether, the siege lasted nearly 900 days and resulted in the deaths of more than 1 million civilians. The siege of Leningrad was an epic story of suffering and destruction and ultimately triumph. If the daily ration of bread piques your interest, there are many places to read more. Here are some links.


Why Write about Numbers

This is a blog about making sense of numbers. The loaf of bread example shows that sometimes it is the other way round – finding just the right numerical examples to help us understand a complex story or a complex phenomenon. Please feel free to browse the articles in this blog. Here are some articles that may be of interest.

Here are two posts on number sense. The first one is on stealth price increases. Some manufacturers do not raise prices but give you less. For example, a pack of peanuts may have weighed 16 ounces before and now weighs 14 ounces but is charged the same price as a 16-oz pack. This post shows how to calculate the price increase. This post is a plug on quantitative literacy after an encounter with a store clerk.

I have written on the lottery, especially how small the odds are. Buying lottery tickets as entertainment is one thing. Anyone buying them as an investment or as a quick way to get rich should know that it will take buying thousands of tickets each week since the time of Christ to have a realistic chance of winning the Powerball lottery. The following are some of the most popular posts in this blog.

A Periodic Look at the California Lottery

What are the odds of winning the California Lottery? I am talking about the winning of $1 million or more (the kind of winning that is a game changer in one’s personal life). How often are these million-dollar tickets won? Ten months ago I estimated that the odds of winning $1 million or more in the California Lottery were one in 36 million (see Taking another look at the California Lottery). The estimate was based on data from the California Lottery that I obtained in November 2010 (see Shining a light on the California Lottery). Nothing that happened in the last ten months indicates that the odds of winning have fundamentally changed.

Just to confirm, I counted the number of million-dollar winning tickets as of today (August 30, 2011). This is done at the website of the California Lottery. The data are not readily available. I have to search at this site. I count the tickets by searching one county at a time (there are 58 counties in the state). The result: since the inception of the California Lottery in 1985, there are only 257 tickets that paid out $1 million or more (an increase of 10 winning tickets over 10 months ago). So in its 26-year history, there are only about 260 winning tickets, about 10 per year. The increase of 10 tickets in the last 10 months also confirms the average of 10 winning tickets per year.

With the increase of 10 more winning tickets, the odds are actually a little higher, about one in 36.7 million, but still not fundamentally different from 1 in 36 million.

The mantra of many lotto players is that you have to buy a ticket in order to win. That is so true. You have to get in the game to have a chance to win, even though the chance of winning is infinitesimally small. On average it takes the purchase of about 36 million tickets to support one winning ticket. Still dreaming of winning big?

Wrong Side of the Road, Wrong Side of the Law

Jessica Lynn Shekell was a 21-year old and a sociology major at California State University at Fullerton in 2009. In the wee hours of October 26th of that year, she was driving in the wrong direction on a stretch of the 91 freeway in Anaheim. Shekell’s Toyota pick-up truck crashed head-on into a Chevy’s pick-up truck. The results: Sally Miguel and Patricia Miguel (two sisters in the front of the Chevy’s pickup truck) were dead and their two young nieces (Mary Miguel and Sara Miguel) suffered permanent internal injuries. The lessons? Avoid being on the wrong side of the road and being on the wrong side of the law. With drinking and driving, only do one of them. Some actions in life have grave consequences. Alcohol impaired driving is one of them.

Approximately 45 minutes after the crash, Shekell’s blood alcohol content (BAC) was 0.26 percent, three times over the legal limit (0.08 percent in all 50 states). This meant that the BAC at the time of crash would be higher. According to the BAC calculator of the Police Department of the University of Oklahoma, for someone weighing 120 pounds, two hours after drinking eight 8-oz beers, the estimated BAC is only 0.21 percent (Shekell’s weight was 115 pounds at the time of the crash). The same calculator estimates that drinking eight margaritas will result in a BAC of 0.24 percent. Shekell likely had many more drinks than eight. On the night of the DUI crash, Shekell and her friends were drinking at two bars in Placentia, California for several hours.

Shekell was sentenced on Wednesday March 9 to six years for the DUI crash. The prosecution asked for 13 years. The defense asked for probation (nice try). Orange County Superior Court Judge Robert Fitzgerald picked the middle point. Is justice served? In my view, a stiffer sentence is called for.

Interestingly, on the night of the crash, Shekell was not yet 21 years of age (less than two months away from her 21st birthday on December 12). So she was not of legal drinking age. According to the prosecutor Susan Price, Shekell was also cited for underage drinking in 2009.

Prior to sentencing, Judge Robert Fitzgerald sent Shekell to a 90-day diagnostic program operated by the state Department of Corrections and Rehabilitation, during which she denied being an alcoholic. When the program was over, officials recommended she be sent to prison. Was it that Shekell was not showing remorse to the satisfaction of the officials in the diagnostic program? It seems clear that she denied she had an alcohol problem.

Two lives were snuffed out by someone who denied having an alcohol problem. Six years do not seem fair to the victims’ family. Both nieces of the victims suffered permanent injuries in their bodies, having to deal with gaping physical and emotional wounds for the rest of their lives.

Another lesson from this crash is that wearing seatbelt can save lives. The victims in this crash did not wear seatbelts. In my view, this does not lessen the gravity of the crime committed by Shekell. On the other hand, even with wearing seatbelts, the victims would still sustain serious and likely debilitating injuries. With or without seatbelts, it is a no win situation for the victims.

If Shekell has any shred of decency in her bones, she will have to deal with the weight of this tragedy for the rest of her life. At least she will be out of prison before her 30th birthday. Sally and Patricia Miguel are gone forever. In comparison, Shekell’s prospect seems quite good.

Justice aside, it is also not a good situation for Shekell. She was hospitalized for facial trauma and fractures to both arms. Any normal person will have to grapple with the enormous guilt from murdering two people. Though she got a light sentence, she still has to spend six years in a state prison, which could be put to other productive uses. She could finish school and start a career. Any plans she had before the crash will have to wait until she turns 30. Shekell surely had put her family through much anguish. Think of the legal costs her family had to shell out.

For all those who drink and drive, think about this. If you do not care about the victims, you ought to at least care about your future and your family. I sure do hope that the drinking buddies of Shekell on the night of October 26, 2009 had learned this lesson too.

It is really simple. If you get plastered, do not get behind the wheel.

How many lottery winners are there in a year?

I have been wanting to answer the question in the title. I found that statistics on lottery winnings are hard to come by. Even when the state lottery commissions are required by law to make the information public, they tend to bury the information and you have to do work to dig it up. I have strong indication that on an annual basis, winning tickets that pay out one million dollars or more only number in the hundreds. In contrast, there were 37,261 people killed in motor vehicle crashes in 2008 in the United States (see the report from the National Highway Traffic Safety Administration). So if you are passionate about winning various state lotteries, it makes sense to be passionate about not winning the negative lottery of fatality in a motor vehicle crash too.

As of November 2010, there were only 247 winning tickets paying one million dollars or more (see the previous post with this discussion). To get this information, I had to look up the winning tickets in each of the 58 California counties in the official site of CalLottery. So about 10 people are made millionaires by CalLottery each year (since its inception 25 years ago).

The state of Iowa is more forthcoming. The official site of the Iowa Lottery actually had a press release listing out the stats. The number of Iowa Lottery tickets that have won prizes of $1 million or more (through August 2010) is 110. Once again in the 25-year history of the Iowa Lottery, only 110 people were made millionaires, on average 4.4 per year. For the Iowa Lottery, the odds for winning $100,000 or more are better for sure (1089 winnings so far in 25 years) but the odds are still small.

The state lotteries are in the business of selling dreams. I suspect that they do not want to provide a picture reflecting the true odds of winning big. With all the state lottery commissions across the United States combined, I cannot see how the number of winning tickets ($1 million or more in each one) in one year can be in the thousands. If someone is forking over hard earned cash each week to play the lottery in the hope of winning big, it also makes sense to pay attention to traffic safety in the hope of not winning the negative lottery of death in a car crash.

Governor Brown wants to take your cell phone

No, this is not a government seizure of private cell phones. Jerry Brown wants your cell phone only if it was issued by the California state government. Even then, the chance of having to turn it in is only 50%. The newly installed Governor Brown is only proposing to take away government paid cell phones from certain California state employees in an effort to save money. The potential saving is to the tune of $20 million. Trying to close a budget gap in the California state government that is expected to be about $28 billion, the governor needs to find money anywhere he can.

On the way to work this morning, I heard a report on the radio about the proposal from Governor Brown (here’s one link). The gist of the report is:

  1. Governor Brown does not want all the cell phones back. He just wants half of them back. The total number of phones to be turned in by June 1: about 48,000.
  2. The state government currently foots the cell phone bills for about 40% of its workforce. The total number of state employees with free cell phones: about 90,000.
  3. The state government is currently paying on average $36 a month per cell phone.
  4. Governor Brown’s proposed cell phone reduction order should save the state $20 million.
  5. Even with the proposed saving, one fifth of the state workers will still use state-funded cell phones.

After I heard this report on the radio, I jotted down the numbers and I found that these numbers are internally consistent and for the most part accurate. The numbers seem to hang together quite well. Definitely there are no glaring errors. In this one instance of budget cutting at least, Governor Brown and his staff got the numbers right.

Here’s how I looked at these numbers. I am going to discuss each of the points listed above.

  1. Currently there are about 96,000 state-funded cell phones in the hands of California state government employees. Half of these phones are to be turned in by June 1. That leaves 48,000 cell phones still being in the hands of state employees.
  2. About 90,000 state employees have government cell phones. The count of 90,000 is about 40% of the total state workforce. This means there are currently about 225,000 state employees (see note 1 below).
  3. The average monthly bill per cell phone is $36, making the average annual bill per cell phone $432.
  4. The total annual expense for the 48,000 cell phones being cut would be $20,736,000 (see note 2). This amount is slightly over $20 million and is thus in line with the $20 million being reported.
  5. Even with the proposed saving, one fifth of the state workers will still use state-funded cell phones. One fifth of 225,000 (from point 2) is 45,000. From point 1, about 48,000 government paid cell phones will still be used by state employees. Though the 45,000 is less than 48,000 by 3,000, the difference is not large.

The only external number that I had to find is the total number of state employees in California. The number I obtained from the California State Controller’s Office is 237,576 (as of October 2010). The estimate obtained from the radio report is 225,000 (point 2 above). Overall, the numbers hang together well.

The proposed cut makes sense. According to Governor Brown, some agency heads and managers need to be in touch with employees 24/7. But most state employees do not. However, not the entire amount of proposed saving will be realized this year since some of the cell phones may be under contract with cell carriers. I hope the savings will work out as planned.

Note 1
To find 40% of 225,000, we multiply 225,000 by 0.40.

225000 \times 0.40=90000

But in the radio report, the number 90,000 is given instead. To derive 225,000, we need to do the opposite, i.e. divide 90,000 by 0.40.

\displaystyle \frac{90000}{0.40}=225,000

Note 2

432 \times 48000=20,736,000.

Hope there will be no lottery winners this New Year’s Eve

According to a report in npr.org called Road Fatalities Dip Thanks To Safer Cars, Economy, an array of factors are making the road safer. According to a study by the Department of Transportation, the overall number of fatalities on American roads has dropped dramatically, falling by over 20% in the last few years. Two likely reasons for this dramatic drop are safer cars and a slower economy. However, even with the over 20% drop in fatalities on the road, there is still one death every 15 minutes on the road.

I always think of dying from a crash involving a drunk driver as a lottery. It is a negative lottery for sure since no one would want to win it. In a previous post (The lottery of drunk driving fatality), I discussed the statistic of one drunk driving fatality every 45 minutes. By comparison, the number of deaths on the roads due to all causes is three times higher than just deaths from drunk driving (in the lottery analogy it is three times more likely to win)! I hope in this holiday season, no one will win this negative lottery.

Be safe on the road. Between drinking and driving, only do one of them!

Now the quantitative stuff. As reported in Road Fatalities Dip Thanks To Safer Cars, Economy, there were almost 44,000 road-related deaths in 2005. In 2009, there were about 34,000 deaths. This is a 22% decrease. There are two ways to see this.

One is to calculate the number of reduction in deaths, which is 44000-34000=10000. Then divide 10000 by 44000. We have:

\displaystyle \frac{10000}{44000}=0.2273, which is 22.73%.

Another way to derive the 22.73% is to calculate the following ratio:

\displaystyle \frac{34000}{44000}=0.7727

Then subtract one from this ratio and obtain 0.7727-1=-0.2273, which indicates a 22.73% decrease in road-related deaths.

The 2009 figure for the number of road-related deaths is 34,000. This comes out to be one death every 15 minutes. To derive this rate, we need to calculate the total number of minutes in a year. There are 365 x 24 x 60 = 525,600 minutes in a year. Then divide 525,600 by 44,000 to obtain 15.46 minutes. Then round the answer to 15 minutes.

We can get a perspective of this calculation by looking at an example of taking an exam. For example, if you have two hours (120 minutes) to take an exam and the exam has 10 problems, then on average you have 12 minutes to work one problem. Thus if you can work one problem per 12 minutes, you can expect to finish the exam in the allotted time.

Back to the calculation at hand, there are 525,600 minutes in a year and there are 34,000 events. Thus on average there are 15 minutes allotted for each event.

\displaystyle \frac{365 \times 24 \times 60}{34000}=15.46=15

The hope is that the denominator in the above ratio will keep getting smaller in the years to come. From 2005 to 2009, the denominator shrank from 44,000 to 34,000. I have a thought. Suppose that in the next 5 years (2009 to 2013), there will be the same percent decrease in the road-related deaths as in the 5-year period from 2005 to 2009. What will be the value of the denominator? In other words, according to the same trend line, what will be the number of road-related deaths in 2013?

The answer to the above question is obtained by reducing the 34,000 deaths in 2009 by 22.73%. Try the following:

\displaystyle 34000 \times (1-0.2273) = 34000 \times 0.7727=26271.8

If the same trend that played out between 2005 and 2009 holds, the projection for 2013 would be about 26,000. Whether this is a realistic projection or not, I do not know. I will leave this to the experts who study traffic fatality. Let’s hope that the improvement will be at least no worse than this projection.