The Blogg

September 24, 2007

The Earth Should Rotate Slower

Filed under: Personal — chadhogg @ 12:13 pm

Amazing, xkcd just wrote about something I’ve intended to do for some time: the longer than 24-hour day. (For those unaware, xkcd is by far the greatest webcomic ever devised.) In fact, I first wrote about it more than a year ago.

My intention has been a 26-hour day rather than 28, but the idea is basically the same. I have a terrible time falling asleep at night and waking up in the morning; my body always wants to remain awake longer than it should and remain asleep longer than it should. I presume there must be a limit to this, however. Even without any external pressure, I will eventually become tired when awake or wake up when asleep. If I could reschedule my days and nights to correspond to this schedule, I might actually feel rested. My intention for some time has been to, when I have few temporal commitments (can you tell I’m writing this during a lunch break at ICAPS?) and my wife is away for an extended period of time, try this out. I would start with simply falling asleep and waking up both when I feel like it, but I suspected that within a few weeks it would reach an equilibrium of about 17 hours awake followed by 9 hours asleep. If I ever get the chance to test this hypothesis, I will be sure to report on it.

September 20, 2007

Security By Annoyingness

Filed under: Personal — chadhogg @ 10:45 pm

Worse Than Failure, aka The Daily WTF, is a humorous and occasionally educational look at stupidity manifested in the Information Technology field. Today they ran an article on one of my biggest online pet peeves — “secret questions”. For those unfamiliar, these are questions posed by a website when you are creating an account. The purpose is that the answer will be stored and the user required to provide it at a later time to prove their identity. Most typically, the answers are required when a user has forgotten his password and needs to have it reset (reasonable) or given to him (very stupid). In other cases, the answer will be required in addition to the password at each login.

I absolutely despise this practice, for a number of reasons:

  • If used to gain access to a password, this reduces the strength of the password to the strength of the secret question.
  • Most provided questions could be answered by anyone who knows the user well or has access to public records, such as place of birth, mother’s maiden name, high school mascot, etc.
  • Even when the answer is not known, answers are typically quite weak against dictionary attacks.
  • The correct answer to a question might not be long enough or might be equally expressible in many ways, making it impossible to remember exactly what you wrote.

Thus, I typically answer these questions with a random string of characters. The chance that I will forget my password is low enough that I am willing to risk needing to go through a more significant hassle if it happens. (It hasn’t yet.)

While I am on the subject of stupid security measures that are actually counterproductive and certainly annoying, I also strongly dislike the password policies of many organizations, including my university. Forcing people to change their passwords on a regular basis has two potential benefits that I can think of. First, it decreases the length of time during which a compromised password is useful. Second, it somewhat limits the effectiveness of long-running brute-force attacks. Neither of these is particularly significant. It also has the major drawback that, to prevent forgetting them, users will either choose very insecure passwords or commit other vulnerabilities such as writing their passwords on the proverbial post-it note on the monitor or under the keyboard. In my opinion, the drawback significantly outweighs the benefits.

The varying requirements for passwords used by different organizations are also a major source of frustration. Requiring a minimum number of characters that do not spell a common word is reasonable and wise, given that most users are ignorant of good security practices. The problem comes with those sites that have an unreasonably low maximum number of characters, and those that disallow certain characters. I have some passwords that must consist of exactly 4 digits, others that may consist of up to 8 alphanumeric characters, others that allow plenty of characters but no non-alphanumeric characters, some that allow numbers but not punctuation, ones that allow different punctuation marks, and of course some that require various combinations of these. A reasonable password hashing and storage mechanism should allow at least 32 characters and be able to accept nearly any printable ASCII character. The result is that any person who uses a variety of sites has dozens of different passwords with no good way to remember which ones go where or even what the requirements were that a given site imposed on them at account creation.
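As an added example (not code from the post), here is what the two kinds of policy described above look like side by side in Python, together with a salted PBKDF2 storage back end that has no reason to cap length or character set: the stored record is the same size whether the password is 4 characters or 64. The "exactly 4 digits" rule, the minimum length, the 128-character ceiling and the tiny common-word list are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import string

# Constructed, deliberately tiny "common word" list for the demonstration;
# a real deployment would use a large breached-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "football", "qwerty"}

# Every printable ASCII character, including space, is acceptable input.
PRINTABLE_ASCII = set(string.printable) - set("\t\n\r\x0b\x0c")


def restrictive_policy_ok(pw: str) -> bool:
    """The kind of rule the post complains about: exactly 4 digits, nothing else."""
    return len(pw) == 4 and pw.isdigit()


def reasonable_policy_ok(pw: str, min_len: int = 8, max_len: int = 128) -> bool:
    """Minimum length, not a common word, any printable ASCII character.

    The generous ceiling exists only to bound hashing work per request,
    not because storage needs it (see stored_length_is_fixed below).
    """
    if not (min_len <= len(pw) <= max_len):
        return False
    if pw.lower() in COMMON_WORDS:
        return False
    return all(c in PRINTABLE_ASCII for c in pw)


def hash_password(pw: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; the record carries everything needed to verify."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pw.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_length_is_fixed(passwords) -> bool:
    """True if every stored record has the same length regardless of input length.

    A fixed salt and low iteration count are used here only to keep the
    check fast; the point is that a hashing back end gains nothing from an
    8-character cap or a ban on punctuation.
    """
    records = {hash_password(p, salt=b"\x00" * 16, iterations=1_000) for p in passwords}
    return len({len(r) for r in records}) == 1


if __name__ == "__main__":
    long_pw = "correct horse!battery#staple 2007"
    print("restrictive accepts 1234:", restrictive_policy_ok("1234"))
    print("restrictive accepts passphrase:", restrictive_policy_ok(long_pw))
    print("reasonable accepts passphrase:", reasonable_policy_ok(long_pw))
    record = hash_password(long_pw)
    print("verify:", verify_password(long_pw, record))
    print("stored length independent of input:", stored_length_is_fixed(["1234", "x" * 64]))
```

The `verify_password` step reads the salt and iteration count back out of the record, so the cost parameter can be raised later without invalidating existing accounts; `hmac.compare_digest` avoids leaking where the comparison diverged.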

My work-around for this problem is a highly encrypted file containing a database of websites, usernames, and descriptions of which of my base passwords is used for each, as well as the modifications necessary for that particular site. The file doesn’t explicitly say what any of the passwords are, so I feel reasonably secure that even if my master file were compromised, the attacker would only know how to convert a known password for one site into one for another. Whenever I access a site that I don’t use frequently, I need to look up my password in this file because there is no way I will remember.

Of course I have no great security solution to propose, but I think everyone’s life would be a bit easier and perhaps even a bit more secure if these three practices were abandoned. Let us hope.

September 3, 2007

Probability Lessons From Carnies

Filed under: Personal — chadhogg @ 1:52 am

I spent 4 days last week working for Vince’s Cheesesteaks at The Great Allentown Fair. During my dinner break on my last working day, I was watching a nearby carnival stand where players could choose a digit and, if a wheel split into 10 even slices landed on the selected number, win candy. I first started paying attention because I thought it interesting that this business is condoned by the city, but I highly doubt someone would be allowed to set up a roulette table without getting shut down.

I then tried to calculate how bad of a deal the game was. Obviously, if you select 1 digit, you have a .1 chance of winning. The section of the wheel for each digit, however, is further subdivided to determine how significant of a prize is won. I believe there were 16 chances to win 2 candy bars, 2 chances to win 4 candy bars, and 1 chance to win an entire box, for each winner. Thus, the probability of winning 2 candy bars (retail value roughly $1) is .1 * 16/19 = .0842, the probability of winning 4 candy bars (retail value roughly $2) is .1 * 2/19 = .0105, and the probability of winning a box (retail value roughly $25) is .1 * 1/19 = .0053. The expected value of a play is then .0842 * $1 + .0105 * $2 + .0053 * $25 = .0842 + .0210 + .1325 = $0.16. Since each play costs one quarter, the payout is pretty close to 60% of invested money. The payout on the presumably banned roulette game is much fairer at 94.7% (for an even-money bet; others are reasonably close).

After thinking about this for a time, I found myself very much desiring some candy. Because I could not buy any, I thought I might wager the $2 in my pocket in this game. At this point, I briefly fell into a fallacy that I believe is quite common. Essentially, I thought “I just need to play 10 times to win.” The implication is that the probability of at least one win after playing 10 times is essentially 1. When expressed mathematically this is obviously false, but it seems plausible initially. (Note that it would be true in the case of selection without replacement, where each number wins exactly once each 10 plays.) Because each play is an independent event, we can calculate the probability that none of 10 consecutive plays wins as .9^10 = 0.349. Thus, the probability that at least 1 of the 10 plays wins is 1 – 0.349 = 0.651, just under 2/3.

How many times would we need to play to have a 90% probability of at least one win? We can calculate this as 1 – 0.9 = .9^x. Unfortunately, I don’t know of an analytical method to solve this equation. A bit of numerical analysis suggests that x, the number of plays required, should be between 22 and 23 times. To achieve 95% probability of at least one win would require around 28 plays.

Of course, the odds go up if you play more than one number at a time. If, for example, you chose 4 numbers at a time, you would have a .4 probability of winning on each play. To achieve a 90% probability of at least one win using this method, only between 4 and 5 plays would be necessary, for 16 or 20 quarters used.

I could only reach about 4 numbers, so I tried those numbers twice. I had a 0.4 probability of winning with each spin, and 0.64 probability of winning with at least one of them. Sadly, mathematics betrayed me, and I returned to my shift with an empty wallet and an unsatisfied sweet tooth.
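The arithmetic in this post, carried through in Python as an added example (not the post's own code). The sub-slice counts, the rough retail values and the 25-cent cost are the post's figures; the at-least-one-win question is solved in closed form with logarithms, n >= log(1 - target) / log(1 - p), and the example also generalizes to choosing k of the 10 numbers per spin, as the post does for k = 4.

```python
import math

# The post's game: one digit out of 10 wins; each winning slice is subdivided
# into 19 sub-slices (16 pay 2 bars, 2 pay 4 bars, 1 pays a box). Prize values
# are the post's rough retail estimates in dollars.
PRIZES = [(16, 1.00), (2, 2.00), (1, 25.00)]  # (sub-slices, prize value)
COST_PER_NUMBER = 0.25                         # one quarter per number played


def expected_value(p_win=0.1, prizes=PRIZES):
    """Expected payout in dollars for one number on one spin."""
    total_slices = sum(n for n, _ in prizes)
    return sum(p_win * n / total_slices * value for n, value in prizes)


def payout_fraction(p_win=0.1, prizes=PRIZES, cost=COST_PER_NUMBER):
    """Fraction of the stake returned to the player on average."""
    return expected_value(p_win, prizes) / cost


def prob_at_least_one_win(p_win, plays):
    """Independent spins: P(at least one win) = 1 - (1 - p)^n."""
    return 1 - (1 - p_win) ** plays


def min_plays_for(p_win, target):
    """Smallest integer n with 1 - (1-p)^n >= target.

    Closed form: n >= log(1 - target) / log(1 - p). The two loops only guard
    against floating-point rounding at the boundary.
    """
    n = max(1, math.ceil(math.log(1 - target) / math.log(1 - p_win)))
    while prob_at_least_one_win(p_win, n) < target:
        n += 1
    while n > 1 and prob_at_least_one_win(p_win, n - 1) >= target:
        n -= 1
    return n


def plays_and_cost(numbers, target, cost=COST_PER_NUMBER):
    """Choosing `numbers` of the 10 digits per spin: win probability numbers/10,
    stake numbers * cost per spin. Returns (spins needed, total stake)."""
    plays = min_plays_for(numbers / 10, target)
    return plays, plays * numbers * cost


if __name__ == "__main__":
    print(f"expected value per quarter: ${expected_value():.4f}")
    print(f"payout fraction: {payout_fraction():.3f}")
    print(f"P(win in 10 spins, one number): {prob_at_least_one_win(0.1, 10):.3f}")
    for target in (0.90, 0.95):
        print(f"spins for {target:.0%} with one number: {min_plays_for(0.1, target)}")
    spins, stake = plays_and_cost(4, 0.90)
    print(f"spins for 90% with four numbers: {spins}, stake ${stake:.2f}")
    print(f"P(win in 2 spins, four numbers): {prob_at_least_one_win(0.4, 2):.2f}")
```

Two things worth noting from the output. First, summing the three per-outcome terms the post lists (.0842 + .0210 + .1325) gives about $0.237 per quarter, a payout near 94.7%, so the post's $0.16 total is an addition slip rather than a problem with the per-outcome figures. Second, the real-valued solution of .9^x = .1 is x ≈ 21.85, so 22 spins is the first count that reaches 90% (22 spins give about 90.2%), and 29 spins is the first that reaches 95%.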

Fantasy Football Draft 07-02

Filed under: Personal — chadhogg @ 12:55 am

My second draft this year was on Saturday. This one utilized the traditional “snake”-style selection process, rather than an auction. Unfortunately, the randomly-drawn draft order put me at 12 of 12, the weakest position. I had some difficulty determining the best draft strategy to take. With my high pick, I had no chance at one of the best running backs. I would probably have a crack at getting a top-tier quarterback or wide receiver, but it would put me in the nearly untenable position of having a terrible second running back. Thus, I resolved to start by taking the best two running backs available, then continuing to fill my roster, taking needed players from positions where good ones were becoming scarcest. When possible, I hoped to take players with a strong upside, since I should need a bit of luck to have a shot at the championship.

The first 11 picks before me were mostly predictable: LaDainian Tomlinson, Steven Jackson, Willis McGahee, Larry Johnson, Shaun Alexander, Frank Gore, Joseph Addai, Brian Westbrook, Laurence Maroney, Rudi Johnson, and Willie Parker. I would have chosen them in a bit of a different order, but the only unexplainable choice was McGahee. These 11 selections included the 8 running backs predicted to score the most points by our league settings. The predicted 9th highest scoring back was Edgerrin James, but I just don’t trust him after a fairly awful season last year with the Cardinals. Thus, I took the predicted 10th (Brandon Jacobs) and 11th (Reggie Bush) players. I would have preferred any of those selected before them (other than McGahee), but I feel pretty good about these selections. As a backup last year, Jacobs was phenomenal. If he can perform as well in the role of every-down back, he will definitely be top-10 this year. Reggie Bush was good in his rookie year, and conventional wisdom would expect him to be even better this year. Also, the way the Saints use him is especially congruent with the points-per-reception scoring used by our league.

I now had to wait an agonizing 22 selections before my next pick. In that time, 9 more of the best running backs disappeared, as well as 8 of the best wide receivers, 4 of the best quarterbacks, and the best tight end. The best tight end, Antonio Gates, went on the very last of these picks, dashing my hopes of pulling in the best player at some position. There was only one top-tier quarterback left, so I selected Donovan McNabb with my third selection. I then took who I considered the best wide receiver left on the board, T. J. Houshmandzadeh.

The next 22 selections included 6 running backs, 12 wide receivers, 3 quarterbacks, and another tight end. The pool of receivers was rapidly receding, so I took Laveranues Coles, who should have a good year if Chad Pennington can manage a good year. For my 6th pick, I was feeling pretty good. I had my starting running backs, wide receivers, and quarterback selected. I still needed a tight end, running back or wide receiver as my flex spot, kicker, team defense, defensive player, and backups. By now there was not a great deal of difference between the best remaining backs and receivers and the 20th best ones. I was considering a tight end, but felt I would be able to get a fairly good one later. Thus, I decided to reach for a team defense. Fantasy football experts would generally argue that taking a defense at the beginning of the 6th round is foolish, but there is some serious separation between the Ravens’ predicted point total and the other teams. Based on this, I selected them.

I took a tight end, Heath Miller, in the 7th round. To start the 8th, I wanted to fill my flex spot. There were no good choices remaining at running back, so I took Julius Jones. There seems to be consensus among football experts everywhere that he is inferior to the other Dallas running back, Marion Barber III, but he should be getting roughly half of the carries and is only one injury away from being a featured back.

The rest of my picks were wide receiver Devery Henderson, running back Vernand Morency, wide receiver Marty Booker, running back Sammy Morris, running back Ron Dayne, kicker Stephen Gostkowski, middle linebacker Brian Urlacher, and quarterback Alex Smith. Hopefully, none of those other than the kicker and defensive player will ever need to actually count. (Actually, they will have to fill in during bye weeks.)

It’s going to be quite difficult to compete with the likes of Ettore, the lucky first drafter, who has a quarterback who equals mine, better wide receivers, a much better first running back, a somewhat worse second running back, and a better tight end. Then again, they say it’s better to be lucky than good, and with injuries and whimsical coaches, luck can have a very significant impact in this game.
