Archive for the ‘Technology’ Category

Monty Python Hall: A Monty Hall simulator in Python

March 25th, 2019


Public domain illustration from Wikipedia
 

The infamous Monty Hall problem goes something like this: Monty Hall, the host of TV game show “Let’s Make A Deal” shows a contestant three doors. Behind one door is a new car. If the contestant picks that door, they win the car.

The other two doors have a goat behind them, which are not prizes. I guess this puzzle falls apart if you for some reason find a goat more valuable than a car. Anyway, point is the door with the car behind it is the prize.

Once the contestant picks a door, the host Mr. Hall opens a second door to reveal a goat. Now Mr. Hall asks the contestant to select one of two options:

  1. Stay with the original door they picked
  2. Switch to a different door (the one remaining door that is not open)

Here’s where most of us get tripped up: it shouldn’t matter, right? There are only two remaining doors, one has a car behind it and the other a goat. Why does it matter if you stay or switch doors?
 

What’s going on?

As it turns out the odds in this situation are counterintuitively not 50%. When the contestant initially selected a door the odds they selected the prize door were one out of three. But this changes once Mr. Hall opens a door to reveal a goat using his prior knowledge. We know Mr. Hall will never open a door with a car behind it, and he will never open the same door the contestant initially selected.

The contestant’s initial choice remains fixed in time: one out of three. Now that a door revealing a goat has been opened the initial choice is still one out of three. But if the contestant switches doors, something unexpected happens — their new choice has a two out of three chance of winning.

If this problem sounds familiar you probably heard about it in Parade magazine back in the ’90s when columnist Marilyn vos Savant spent years covering this problem. It’s also been tested on Mythbusters. For a quick explanation check out AsapSCIENCE’s video on YouTube.
 

Another approach

Like many people, I often find probability mathematics baffling — and the Monty Hall problem is no exception.

When I was a kid I remember visiting The Exploratorium here in San Francisco and coming across a simple computer exhibit that simulated dice rolls. I’d never considered before that when you roll one six-sided die the probability of landing on each side is equal, but when you roll two dice and add the numbers together, the probabilities of rolling each number between two and twelve are not equal. There’s only one way to roll a two or a twelve, but plenty of ways of getting, for example, an eight.

The exhibit drew a graph of the number of times it simulated a two-dice roll, with a bar for each possible outcome. After some number of rolls it always looked like a hill with most of the rolls in the middle range and fewer at the higher and lower numbers.

Since I was learning to program at the time, this idea of taking a mathematical problem and breaking it down into a computer simulation really appealed to me. In fact when I got home I wrote my own version of the dice roll simulator in QBasic. In only an hour or two I managed to put together a working dice roll simulator complete with a bar graph, just like the exhibit at The Exploratorium.

A computer simulation isn’t a mathematical proof of course, but it’s a good sanity check to validate a hypothesis.

Thinking about the Monty Hall problem again recently I thought I’d take that approach I’d learned as a kid and write a simple program to simulate it and tally up the results.
 

Monty Hall problem in Python

As a software engineer I mostly work in Python these days. It’s a fairly easy to understand language so I thought it’d be perfect for simulating the Monty Hall problem. That’s how I came up with “Monty Python Hall,” a Monty Hall problem simulator in Python. The idea is to run the Monty Hall three door problem any number of times and tally up the results at the end.

Once you’ve installed a Python interpreter on your system you can try out my Monty Hall simulator from the command line. Clone the repo, open the directory in a console and type “python run.py” and you’ll see an output like this:

Games run: 1000
Games won stayed: 351
Games won switched: 683

If you edit the source you can change the number of games run, but the result always comes out about the same: the contestant wins 2/3 of the time if they switch, and only 1/3 of the time if they stay.

I designed the program to prioritize simplicity over efficiency, so if you run it too many times it may be slower than you expect. For example look at the way the host selects a door:

while host_choice == player_choice or host_choice == car_at:
    host_choice = pick_random_door(num_doors)

This is more complex than it needs to be; the host’s choice is simulated randomly until it meets the required conditions.

Why? I think it’s more interesting to let people play around with the program, and the simpler the logic the easier it is to modify.

For example what if you change the number of doors? It needs to be at least three for the contestant and host’s choice to work. But what if there were ten doors? In my version of the program the host opens one door with a goat behind it no matter how many doors there are. But what if the host opens half the doors with goats behind them? Or all of the doors except the one that may hide a car?
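One way to explore those questions, as an added example that is not the code from the Monty Python Hall repo: the simulation below takes the number of doors and the number of goat doors the host opens, and compares the tally with a closed-form probability. The function names simulate and exact_win_probabilities are assumptions made for this sketch, and unlike the original it scores both strategies on the same game and lets the host pick directly from the doors he is allowed to open.

```python
import random
from fractions import Fraction


def _check(num_doors, doors_opened):
    # The host needs goats to reveal and must leave at least one door to switch to.
    if num_doors < 3 or not 1 <= doors_opened <= num_doors - 2:
        raise ValueError("need num_doors >= 3 and 1 <= doors_opened <= num_doors - 2")


def exact_win_probabilities(num_doors, doors_opened):
    """Closed-form win chances (stay, switch) when the host opens goat doors."""
    _check(num_doors, doors_opened)
    stay = Fraction(1, num_doors)
    # The car is behind one of the other doors with probability (n - 1) / n,
    # and the switcher picks uniformly among the n - 1 - k doors still closed.
    switch = Fraction(num_doors - 1, num_doors * (num_doors - 1 - doors_opened))
    return stay, switch


def simulate(num_doors=3, doors_opened=1, games=100_000, seed=None):
    """Play `games` rounds and return (wins_if_stayed, wins_if_switched)."""
    _check(num_doors, doors_opened)
    rng = random.Random(seed)
    doors = range(num_doors)
    stayed = switched = 0
    for _ in range(games):
        car_at = rng.randrange(num_doors)
        player_choice = rng.randrange(num_doors)
        # Doors the host may open: not the player's door and not the car.
        goats = [d for d in doors if d != player_choice and d != car_at]
        opened = set(rng.sample(goats, doors_opened))
        # The switcher moves to a random door that is closed and not their own.
        closed = [d for d in doors if d != player_choice and d not in opened]
        switch_choice = rng.choice(closed)
        stayed += int(player_choice == car_at)
        switched += int(switch_choice == car_at)
    return stayed, switched


if __name__ == "__main__":
    games = 100_000
    # Classic game, ten doors with one opened, half opened, all but one opened.
    for n, k in [(3, 1), (10, 1), (10, 5), (10, 8)]:
        stay_wins, switch_wins = simulate(n, k, games)
        stay_p, switch_p = exact_win_probabilities(n, k)
        print(f"{n} doors, host opens {k}: "
              f"stay {stay_wins / games:.3f} (exact {float(stay_p):.3f}), "
              f"switch {switch_wins / games:.3f} (exact {float(switch_p):.3f})")
```

With ten doors, switching barely beats staying when the host opens a single door, and wins nine times out of ten when he opens every goat door but one.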

My implementation of the Monty Hall simulator in Python is available under the free, open source MIT license. I encourage you to try it and modify it as you see fit.

If you find this useful in any way feel free to send me an email. I’d love to hear about it!
 

Find this project on Github

I received the laziest ransom email of all time

January 6th, 2019

Every now and then I check my email’s spam folder to see if something slipped through. Most of the time there’s little to see: lots of spam and the occasional newsletter I signed up for but immediately forgot about.

But today I found something that caught my eye immediately: the subject line was “Password” followed by a password I used to use years ago. Out of curiosity I opened and read the email. To be clear I don’t recommend opening unknown email unless you know what you’re doing.

Here’s the email as it appears with some minor redactions:

Subject: Password – [redacted password]
Sender: 196.181.140.173
To: [redacted password]
 

[redacted password] one of your pass word. Lets get directly to point. You don’t know me and you’re most likely wondering why you are getting this e mail? No-one has paid me to check about you.
 

In fact, I installed a software on the 18+ vids (porn material) web site and you know what, you visited this website to experience fun (you know what I mean). When you were viewing videos, your browser started operating as a Remote control Desktop with a key logger which provided me access to your display screen as well as web camera. Right after that, my software gathered your complete contacts from your Messenger, FB, as well as emailaccount. And then I created a double video. 1st part displays the video you were watching (you’ve got a good taste ; )), and 2nd part displays the recording of your cam, yeah it is u.
 

You do have 2 solutions. We will check out the possibilities in aspects:
 

1st choice is to ignore this message. Then, I most certainly will send out your video recording to every single one of your personal contacts and you can easily imagine about the awkwardness you experience. Not to forget in case you are in a committed relationship, exactly how it is going to affect?
 

Other option is to give me $991. I will call it a donation. Consequently, I most certainly will instantly discard your video footage. You can resume your way of life like this never occurred and you will never hear back again from me.
 

You’ll make the payment by Bitcoin (if you don’t know this, search “how to buy bitcoin” in Google).
 

BTC Address: [redacted Bitcoin address]
[CASE SENSITIVE, copy and paste it]
 

If you have been thinking about going to the law, good, this email cannot be traced back to me. I have taken care of my moves. I am not looking to ask you for money so much, I just like to be paid.
 

You have one day to make the payment. I have a special pixel within this mail, and right now I know that you have read this email message. If I do not receive the BitCoins, I will definitely send out your video to all of your contacts including friends and family, co-workers, and so on. Having said that, if I receive the payment, I’ll destroy the video immediately. If you really want proof, reply Yes! then I definitely will send your video to your 10 contacts. It is a nonnegotiable offer that being said don’t waste my time and yours by replying to this email.

So it’s a ransom attempt and Gmail flagged it as spam. Normally I’d think of spam as a Nigerian prince who wants to make me rich rather than extortion. At first glance this looks personal, but diving in there’s less to see here than meets the eye.

 
Breaking it down

Before I get into the technical details let’s go over this email line by line, shall we?

[redacted password] one of your pass word. Lets get directly to point. You don’t know me and you’re most likely wondering why you are getting this e mail? No-one has paid me to check about you.

Yeah, I’m not really wondering. That was my password on a few sites back in the day, including a major one that got hacked. Someone managed to get the email address and password I used on that site — admittedly over a decade later — and is now sending a spam message to everyone in that database.

Given that the password isn’t easily guessable and appears here in plain text, I’m pretty sure I know which database hack it came from.

In fact, I installed a software on the 18+ vids (porn material) web site and you know what, you visited this website to experience fun (you know what I mean). When you were viewing videos, your browser started operating as a Remote control Desktop with a key logger which provided me access to your display screen as well as web camera. Right after that, my software gathered your complete contacts from your Messenger, FB, as well as emailaccount. And then I created a double video. 1st part displays the video you were watching (you’ve got a good taste ; )), and 2nd part displays the recording of your cam, yeah it is u.

These are some pretty wild claims. Based on the email address and password I used a long time ago, this person installed some kind of hack on an unspecified porn video website that allowed them to control not only my computer, but also hack into my Facebook and email accounts. That sounds like something the NSA might be able to do — in a bad movie. The line “yeah it is u” is a little tricky to believe since so far they haven’t used even my first name in this message. How could they possibly identify me from a video?

Some other minor problems: I don’t tend to watch porn videos, or worse — use Facebook.

You do have 2 solutions. We will check out the possibilities in aspects:

The classic sales technique of limiting the options! Oooooh, I can’t wait to find out what the options are.

1st choice is to ignore this message. Then, I most certainly will send out your video recording to every single one of your personal contacts and you can easily imagine about the awkwardness you experience. Not to forget in case you are in a committed relationship, exactly how it is going to affect?

A couple tips:

  • If you’re going to make a threat it should be very specific. Name the target’s personal contacts, and brush up if they’re in a relationship or not in advance.
  • It’s hard to take a threat seriously with such poor grammar. Proofreading is important.

Other option is to give me $991. I will call it a donation. Consequently, I most certainly will instantly discard your video footage. You can resume your way of life like this never occurred and you will never hear back again from me.

A donation? Nice, so not only will this threat go away, but I can write this off on my taxes. And thanks for making it $991, what a bargain. If it were $1,000 I’d have second thoughts about making the payment.

You’ll make the payment by Bitcoin (if you don’t know this, search “how to buy bitcoin” in Google).
 

BTC Address: [redacted Bitcoin address]
[CASE SENSITIVE, copy and paste it]

Bitcoin? We all know that’s a huge pain to use, right? I have better things to do, maybe just send everyone the videos already.

If you have been thinking about going to the law, good, this email cannot be traced back to me. I have taken care of my moves. I am not looking to ask you for money so much, I just like to be paid.

“Hello, Internet Police? I’ve got a half-hearted ransom scam email to report.”

You have one day to make the payment. I have a special pixel within this mail, and right now I know that you have read this email message. If I do not receive the BitCoins, I will definitely send out your video to all of your contacts including friends and family, co-workers, and so on. Having said that, if I receive the payment, I’ll destroy the video immediately. If you really want proof, reply Yes! then I definitely will send your video to your 10 contacts. It is a nonnegotiable offer that being said don’t waste my time and yours by replying to this email.

Sounds like there’s a tracking pixel in the email (a surprisingly common trick/hack for read verification) and asking for proof of anything said here will have negative consequences.

Wonder who those 10 contacts are… can’t even name one of them?

 
Technical details

Gmail flagged this email as spam. It’s unclear why as Google’s spam filter is proprietary, but this email presumably set off some red flags. Namely there’s a lot of common text between this and other emails, the sender is a seemingly fake IP address, and it was sent over an insecure connection.

But it gets worse. The headers show the email allegedly came from the email server at mixedthings.net. This domain is known for sending spam, according to a quick web search. Reports include similar ransom emails going through the same email server.

If there’s a theme here it’s laziness. The email was easily flagged as spam and contained so little personal information I doubt the sender even had a full database dump.

The saddest part though is the tracking pixel. The email was sent as base64 encoded text. Decoding base64 text is trivial — otherwise we wouldn’t be able to even read the email — but the resulting HTML text is the most telling aspect.

A tracking pixel is an image linked from an HTML email (traditionally a 1×1 pixel image, hence the name) containing a secret identifier linking the sender to the individual reading the email. This is used in advertising all the time to determine if someone opened an email. The HTML in this ransom request did not contain a tracking pixel; not even a fake one. Would a lazy scammer bother? Apparently not. Gmail’s web interface blocks all images from loading if an email is marked as spam so it’s a moot point here anyway.
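The check described above can be scripted. This is an added example, not something from the original post: it decodes the base64 HTML part of a raw email with Python’s standard library and lists every image that would be fetched from a remote server. The sample messages, the example.invalid hosts and the function names are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit


class RemoteImageFinder(HTMLParser):
    """Collects <img> tags whose src would be fetched from a remote server."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = {name: (value or "") for name, value in attrs}
        src = attr.get("src", "")
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            return  # cid: and data: images are embedded, nothing is fetched
        tiny = attr.get("width") in ("0", "1") or attr.get("height") in ("0", "1")
        hidden = "display:none" in attr.get("style", "").replace(" ", "").lower()
        self.images.append({
            "src": src,
            "host": parts.hostname,
            "pixel_like": tiny or hidden,          # 1x1 or hidden image
            "has_identifier": bool(parts.query),   # room for a per-recipient id
        })


def find_remote_images(raw_message: bytes):
    """Decode every text/html part of a raw email and list its remote images."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    finder = RemoteImageFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # get_content() undoes the Content-Transfer-Encoding (base64 here).
            finder.feed(part.get_content())
    return finder.images


def build_sample(html: str) -> bytes:
    """Constructed test input: an HTML-only email sent as base64."""
    msg = EmailMessage()
    msg["Subject"] = "Password - [redacted]"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "reader@example.invalid"
    msg.set_content(html, subtype="html", cte="base64")
    return msg.as_bytes()


# Constructed bodies: one that only claims to contain a pixel, one that has one.
CLAIMS_PIXEL = "<html><body><p>I have a special pixel within this mail.</p></body></html>"
HAS_PIXEL = (
    "<html><body><p>Weekly newsletter</p>"
    '<img src="https://tracker.example.invalid/open.gif?id=abc123" width="1" height="1">'
    '<img src="cid:logo"></body></html>'
)

if __name__ == "__main__":
    for label, html in [("claims a pixel", CLAIMS_PIXEL), ("has a pixel", HAS_PIXEL)]:
        print(label, "->", find_remote_images(build_sample(html)))
```

An empty list for a message that claims to track you is the same result described here: the claim is not backed by anything in the HTML.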

Then again, why would a ransom request come through email at all?

Think about it — if someone really hacked your computer to demand a ransom, would they email you or lock you out of the computer until you paid? The latter is called ransomware and it does happen from time to time. Some people unfortunately (though understandably) do pay the ransom to restore access to their computer.

This lazy email is not ransomware; just an empty threat.
 

Summary

As technology gets easier it also becomes easier to abuse. A few takeaways:

  • Email security is important. Even if you reuse other passwords, the password to your email is the key to the kingdom. Whoever controls your email can reset your passwords on other websites.
  • Likewise, your computers/phones/devices should use a different password from your email. This is especially important if you use a cloud account (Google, Microsoft, Apple, etc.) to sign in to your devices.
  • On other websites your best bet is a password manager — and to only use that password manager on trusted devices. NEVER use your password manager on someone else’s computer.

Carl Sagan once said “Extraordinary claims require extraordinary evidence.” Isn’t a ransom claim extraordinary?

This scam is simply so lazy it’s embarrassing. That said, unless people learn their lesson, future ransom emails will only become more sophisticated.

Sandbox VR

October 25th, 2018

 

This week I got to try Sandbox VR, a shared virtual reality experience for a group of people in the same room.

Currently Sandbox VR has only two locations in the United States, a local one in “San Francisco” (actually at the Hillsdale Mall in San Mateo) and the other in Los Angeles. All their VR content is created by the company in Hong Kong so you won’t find it elsewhere.

My team wasn’t totally on board with their horror game option “Deadwood Mansion,” so we went with the zombie pirate themed “The Curse of Davy Jones” instead. The suit up process took about 20 minutes for our group of six. Everyone wears a motion tracker on each wrist and ankle, a haptic feedback vest, a PC backpack, and a Vive Pro virtual reality headset. The room is painted green with tracking cameras on the ceiling as well as fans to simulate wind effects.

Once they switched it on we could see each other in VR as glowing blue apparitions, able to wave to one another and dance around a little. A brief tutorial focuses on the gameplay area, shown in a red outline on the floor, which is important since you can’t actually see the walls of the room with the headsets obstructing your view. If you get too close to a wall, a red grid will appear in front of it.

After selecting our characters and weapons the game started. I don’t want to spoil too much here but it’s mostly a combination of shooting and/or dodging monsters. Due to the limited field of view the dodging part felt more challenging to me than the shooting aspect.

When you “die” in the game your field of view becomes black and white and everyone else sees you in red. There’s of course nothing to stop you from moving when you’re dead, which is a little counterintuitive if you’re used to multiplayer games. Dead players can be revived by a living player touching their shoulder for a second or two.

I wouldn’t describe the gameplay as particularly deep, it’s like cooperative laser tag basically. But it was great trying out a multiplayer VR game in realtime with everyone in the same room, able to walk around freely.

That said it does have a few limitations, both in the bedroom-sized gameplay area and the capability of the motion tracking. We definitely bumped into one another a few times since the character models in the screen can’t accurately represent where everyone’s body parts are really located with the current technology.

From a technical perspective I have a couple minor gripes. The haptic feedback vest felt barely noticeable and didn’t offer enough motion tracking to give me a sense of where a monster who snuck up on me was actually attacking from. I also wasn’t too impressed by the way the microphones on the headsets were used. There was no feedback of how loud I was speaking, and if someone spoke loud enough I didn’t really need to hear their voice through my headset anyway.

In the future I’d like to see more gameplay types offered — stealth, puzzle, and adventure games jump to mind. Sandbox VR says they’re working on new games as well as other types of VR experiences. In the near future I could see shared virtual and/or augmented reality experiences taking over large retail spaces recently vacated by Toys ‘R’ Us, Sears, and K-Mart. For now limited gameplay styles in a small room in a mall will have to suffice.

 
My recommendation: At around $40 per person it’s a solid half hour of fun with high end VR gear. To me it makes more sense than buying your own VR rig at home — it’s like paying to go on a ride at an amusement park with your friends vs. building a roller coaster in your backyard. If you’re interested and know a few others who may be as well, give it a shot.

This cat is fine

September 26th, 2018

Spotted at 2nd and Howard
 

A flyer for an open source account breach alert service from Mozilla parodies a typical “lost pet” flyer you’d expect to see taped to a utility pole like this.

You can sign up for Firefox Monitor here, and they’ll let you know if your email address appears in any new breaches reported in the Have I Been Pwned database. There’s no guarantee that every breach will show up in their database of course.

So while I can’t vouch for the Firefox Monitor service being perfect I can say that the flyer was capturing people’s attention. In the 30 seconds or so I waited for the stoplight to turn green, at least two other people went up and snapped a photo of it.

Robot barista cafe expands to second location

January 24th, 2018

Cafe X at Market and Second

A while back I visited Cafe X in San Francisco’s Metreon only to find its robot barista charged me for health care.

I thought for sure the novelty would wear off quickly, but it seems every time I’m at the Metreon there’s still a bunch of people gawking at the robot arm shuffling cups around. I’ve even ordered a couple more times myself when I was too desperate for coffee to wait in Blue Bottle’s notoriously long line.

But still, I never expected to see another Cafe X robot barista. Well, I was wrong.

Last night as I headed home I noticed something unexpected: a new Cafe X location at a small storefront on Market Street near Second Street. Despite walking by frequently somehow I hadn’t noticed the signs going up. I peered in the window and sure enough, there was the robot, sitting still, waiting for an order to be placed. A paper sign on the window indicated the grand opening was the following day.

Fast forward to this morning and I decided to stop by and grab a coffee on the way to work. The place was busy, but I breezed through the gawking crowds, fired up the Cafe X app on my phone, and ordered a cappuccino. A few moments later the robot arm gave me my coffee and I headed to the office.

Yes, yet again a robot charged me for health care. Perhaps it’s time to embrace our future of robots and spurious surcharges.

Why the new Firefox logo looks wrong, yet oddly familiar

January 14th, 2018

Back in November Mozilla released Firefox 57, aka “Quantum.” It was the first major change to Firefox in many years with a new look, new extension system, and significantly faster performance. While it did break some of my favorite extensions this was a temporary problem, and despite a few bumps the upgrade was ultimately a huge win in my book. Finally, Firefox became as performant as Chrome while retaining most of its customization options.

There was another change though that didn’t seem quite right — the logo.

Sure the new logo isn’t that different than the old one. It’s just a few visual tweaks here and there, and the colors were modified slightly. No big deal, right? Shouldn’t be, but something looked off and I couldn’t quite put my finger on what bugged me about it.

Then in a moment of realization I figured it out: the new Firefox logo bears a stunning resemblance to Trump’s infamously bad hairstyle:


 

Unfortunately once I saw this I couldn’t unsee it. Enjoy!

A robot barista charged me for health care

August 9th, 2017

Robot health insurance
Screenshot of the receipt
 

Robots are handling food everywhere these days. Whether delivering falafel or attempting to scoop ice cream, there’s no escape from food robots in the Bay Area. All of which is fine with me: I, for one, welcome our new robot food service overlords.

What I’m not fine with, however, are spurious surcharges. So imagine my surprise when I paid a visit to Cafe X, the robot coffee machine at the Metreon, and found a small surcharge on my bill for health care.

While it’s not uncommon for San Francisco restaurants to add a surcharge for Healthy SF, a local subsidized medical care program for those without health insurance, this is the first time a machine has charged me such a fee.

Yes, I realize human employees maintain this robot. But if you think about it, Cafe X is nothing more than a fanciful vending machine. You put money in, make a selection, and a product comes out — that’s it. All vending machines require humans to restock them, clean them, etc. but when was the last time you went to buy a Coca-Cola from one only to find that your 99 cent beverage actually cost $1.10 because of a surcharge? Never, that’s when.

It also makes me wonder if the economics of this robot food service industry are really working out. The “robot” part of Cafe X is an off-the-shelf robot arm custom programmed to move cups around; the coffee beverages themselves are prepared by off-the-shelf automatic espresso machines. If Cafe X has to nickel-and-dime customers to the point where the prices are in line with Blue Bottle, why wouldn’t I go to Blue Bottle instead? It’s barely a block away, and to be honest their humans not only make better coffee, but they don’t charge an extra fee for health care.

Mini Strandbeest

August 4th, 2016

 

I received an unexpected gift at work today; a Mini Strandbeest kit. Like a wildly complex Ikea furniture set, there’s dozens of parts to stick together, but it doesn’t take terribly long if you follow the directions.

If you’ve been stuck under a rock for the past few decades and are unfamiliar with Strandbeests, check out the Wikipedia page on the artist who created them.

This particular tiny Strandbeest is powered by wind, with a small windmill and two reduction gears. Like its peers you can also just push it along with your hands, but it’s far more entertaining to blow on the windmill and watch it spring into action.

Want to see it walk? I placed it on the floor and pointed a fan at it. Here’s a short video of the result, complete with silly music to complete the effect:

 

How (not) to think like a product manager

July 27th, 2016

A Medium post titled Clouseau: A Postmortem has been making its rounds on the internet today. While the title isn’t particularly revealing, the subtitle gives you the gist of the story: “How I vetted and dumped a startup idea in ~20 hours and for under $1000.”

For those who haven’t read the article, here’s a quick summary:

  • A product manager from Google went on a vacation in Europe and stayed in some fancy hotels
  • Those fancy hotels did a poor job of providing rooms dark enough to sleep in
  • The product manager spent time and money investigating a business plan around measuring light levels in hotel rooms
  • This data would be offered as a service and would be a “natural monopoly” in the industry
  • Two light meters were purchased and a logo was commissioned for the project
  • This plan failed because hotels don’t let people barge into their rooms to measure light levels without reserving the room, which was cost-prohibitive

What this unintentionally illustrates is classic “product manager thinking:” marching ahead with a pre-conceived solution set in mind despite having given little or no thought to the problem space as a whole. Instead, they limit themselves to areas where they have existing domain knowledge and try to build a solution around that. In this case, that involved coming up with a data-driven approach built around a technological solution.

But just because someone has a pre-existing toolkit for solving problems doesn’t mean that toolkit is always going to be the best method — or even an adequate method — to solve every problem. As the saying goes, to the man with a hammer, everything looks like a nail.

As a software engineer I’ve witnessed this type of thinking in every product manager I’ve ever encountered. No matter what the problem, somehow software was going to be the answer, because that’s what they had to work with. Is the toilet broken? Great! Since the problem is broken toilets, we’ll build an app that lets you hire a plumber. Problem solved… sort of.

So I don’t mean to single out this particular product manager when I point out that his “rapid prototype” was an unnecessary waste of time. If anything that’s the industry norm.

Instead, if he’d only taken a couple minutes to ask someone who travels frequently — or even someone who lives in a neighborhood with a lot of nightlife — he’d know that this was a solved problem. In fact, it was solved so long ago that the solution is offered in thousands of stores from dozens of different companies:

Yup. A humble sleep mask will block out light. And for good measure, buy a couple sets of earplugs. Believe me, if you travel a lot, you’re going to wind up in some loud, bright hotel rooms where you’ll need both.

The message I want to leave you with is to avoid this pitfall. Yes, sometimes gathering data and offering it as a service is a sensible solution to a problem. Or maybe some other type of technology. But unless you’ve fully explored the alternatives, don’t limit yourself with a hammer/nail mentality.

Microsoft Windows Enterprise Edition

June 30th, 2016

The other day I got to thinking: what would happen if the Starship Enterprise from Star Trek: The Next Generation was built with modern software? If it ran on Microsoft Windows, its own operating system might be a bigger danger to the crew than the Borg. Here’s how I suspect it would play out.
 

 
…and roll credits: