GMail, why can’t I regain full control of my account after being hacked?

So my gmail account got hacked. Yes, painful, but also very instructive. Firstly, I still do not know exactly how it got hacked. I don’t use any public computer. In fact, I haven’t used any other machine besides my own laptop (Mac) and my iPhone in a very very long time. I don’t sign up for any offers on the internet, and do not install any crap software. Besides, isn’t the Mac supposed to be very safe?

Anyhow, I got hacked and that’s that. The hacker then started sending emails from my account to everyone I have ever communicated with asking for money. The amazing thing about this story is that all the emails sent are very very impersonal, don’t salute the recipient in any way, and are full of grammatical and spelling errors. Yet, the content matter is so sensational (being robbed at gunpoint in some foreign country), that everyone gets worried about my safety. If I received a similar letter, I wouldn’t sit and analyze this, and would fall for it as well. So far, they have preyed on the emotions of their victims through me as the medium.

During the course of trying to get my account back, I ran into some of the issues and got a sneak peek at exactly how these hackers then try to exploit the system, GMail in particular. I had my Yahoo account set up as the secondary email in case of emergencies, or verification. The hacker was quick to change the secondary account first. Gmail has a system of sending verification to a mobile device. This too got changed quickly to some mobile number in Nigeria. During this time, I tried in vain to gain control by asking Gmail to reset my password and send me the password reset code. Gmail only shows that they sent the reset code to xxxx@yahoo.com, but not the username at the yahoo.com address. So while I was waiting for my password reset code to arrive at my yahoo.com address, the hacker was seeing password reset requests come in to the temporary yahoo address he had set up. I am sure he was laughing at my stupidity and the fact that I sent in multiple requests when the first one failed.

Ok, I was baffled. So I went through the GMail system to report that my account had been compromised. I had to fill in multiple details, including when my account was first started, and the invitation code I used to join (if at all). Obviously, I didn't have any of these, but I made best guesses, and lo and behold, GMail returned my account back to me. I was able to reset my password, and rejoice.

Alas, too soon!

After proclaiming victory, I tried to send a few emails, etc. and it all worked fine. I promptly sent emails to a huge list of people warning them that I had been hacked, and to ignore requests from me for money. There were a few people in the list that I wouldn't have minded getting some money from, but this had to be done.

The hacker, during this time, had very smartly set up a forwarding rule so that he was getting all the emails that I was receiving on my account. This, by itself, is not much. But here comes the most amazing part of how Google engineers missed seeing this as a threat, but these hackers have managed to exploit it. Before I explain what the flaw is, a little diversion into the background.

GMail allows one account to send emails while masquerading as another account. This was designed primarily so that I can have multiple gmail accounts (including Google Apps email accounts; for example, I have a @gmail.com and a @gigzee.com account), and still be able to use one primary account and send emails from it for all the different accounts. Great idea, and I love it. All it takes to set this up is a simple verification email. So, say you have a1@gmail.com and b2@gmail.com. If you want b2@gmail.com to be able to send emails and still show up as a1@gmail.com, you can go to your settings, set up another email address and this will send a verification email to a1@gmail.com. After clicking on the verification link and entering the code, b2@gmail.com can now send as a1@gmail.com. If you delete the verification email from the a1 account, there is NOTHING in the settings or account panel of a1@gmail.com that shows that b2 is still sending emails as a1.

This is exactly what the hacker has done. He has set up another gmail account, and is sending emails on behalf of my gmail account. During this time, he is also receiving the auto-forwarded emails of my account. So even though I have changed my password, and declared victory, he can still receive and send emails just as if he were in full control.

So, step 1, I removed the forwarding rule. Ok, now he cannot get any emails sent to me. Yayyy!
What about his ability to send emails? Turns out that there isn’t any additional verification after the initial verification. What’s more, there is no indication anywhere on my account settings that shows me how many other people can send emails as me. This is terrible. So while I have full control with brand new passwords, the hacker can simply keep sending emails to anyone he likes pretending to be me, ruining my reputation in the process.

GMail – I am not sure how you could have missed this in one of your threat model analyses. But please add an option in account settings where I can control who all can send emails pretending to be me. Meanwhile, the hacker has a field day in sending emails from my account, and can do so as and when he pleases. I am writing a letter to GMail as well so that they can fix this, but if you get any email from me asking for money (personal or not), please don’t wire it to somewhere in Europe. Now, if you want to hand over some cash to me in person, feel free to give me a call!
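The post describes three things the hijacker left behind after the password was reset: a forwarding rule, changed recovery contacts, and a send-as grant on his own account. The following is an added example, not code from the post or from Google: an audit routine that runs over a snapshot of an account's settings and flags the victim-side symptoms. The snapshot layout, the field names (`forwarding`, `filters`, `send_as`, `recovery_email`, `recovery_phone`) and the sample values are all constructed for this example and are not Gmail's real API. As the post points out, the alias the attacker verified from his own account is not visible from the victim's settings, so that direction cannot be checked here.

```ruby
require 'json'

# Added example: audit an account-settings snapshot for hijack persistence.
# Snapshot format and sample values are constructed for this example and are
# not Gmail's API or any real account's data.

# Constructed sample: roughly what the post describes right after the password
# reset, before the forwarding rule was removed.
SAMPLE_SETTINGS = JSON.parse(<<~JSON)
{
  "primary_address": "me@example.com",
  "recovery_email": "recovery-alias@example.net",
  "recovery_phone": "+000 0000 0000",
  "forwarding": ["dropbox@example.org"],
  "filters": [
    {"match": "subject:password", "actions": ["forward:dropbox@example.org", "delete"]},
    {"match": "from:newsletter@example.com", "actions": ["archive"]}
  ],
  "send_as": ["me@example.com", "me@example.org"]
}
JSON

# What the owner expects to see (constructed). Recovery contacts are compared
# exactly; send_as lists the addresses this account is allowed to send as.
KNOWN_GOOD = {
  "recovery_email" => "me@yahoo.example",
  "recovery_phone" => "+1 555 0100",
  "send_as"        => ["me@example.com"]
}

# Returns a list of human-readable findings; an empty list means nothing
# suspicious was found in the snapshot.
def audit_settings(settings, known_good)
  findings = []

  # 1. Auto-forwarding: every incoming mail, including reset codes, is copied out.
  settings.fetch("forwarding", []).each do |addr|
    findings << "forwarding rule to #{addr}: all incoming mail is copied out"
  end

  # 2. Filters that forward or delete: quieter than a global forward, and
  #    a delete action can hide the very notices that would reveal the intrusion.
  settings.fetch("filters", []).each do |f|
    f.fetch("actions", []).each do |action|
      case action
      when /\Aforward:(.+)\z/
        findings << "filter '#{f['match']}' forwards matches to #{Regexp.last_match(1)}"
      when "delete"
        findings << "filter '#{f['match']}' deletes matches: can hide security notices"
      end
    end
  end

  # 3. Recovery contacts: if these point elsewhere, password resets go to
  #    whoever controls them, exactly the loop the post describes.
  %w[recovery_email recovery_phone].each do |key|
    next if settings[key] == known_good[key]
    findings << "#{key} is #{settings[key].inspect}, expected #{known_good[key].inspect}"
  end

  # 4. Send-as aliases on THIS account that the owner does not recognise. The
  #    reverse case (another account allowed to send as this one) is not
  #    visible from here, which is the gap the post complains about.
  (settings.fetch("send_as", []) - known_good.fetch("send_as", [])).each do |addr|
    findings << "unrecognised send-as alias #{addr} on this account"
  end

  findings
end

if $PROGRAM_NAME == __FILE__
  audit_settings(SAMPLE_SETTINGS, KNOWN_GOOD).each { |line| puts "FINDING: #{line}" }
end
```

Running it against the constructed snapshot yields six findings (one forward, two filter actions, two changed recovery contacts, one unexpected alias); a snapshot matching the known-good values yields none. The known-good baseline is the important design choice: a recovery address or phone number can only be judged against what the owner set, so the baseline has to be recorded before the incident, not reconstructed from the compromised account.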

The real price of gold in the USA

So, I have been very interested in buying some gold for investment purposes since the last year. Gold has been rallying like a crazy bull for the past year, with no correction in sight. Partly, this has been because the US dollar has been devaluing, mostly because speculators worldwide are involved in the dollar carry trade, replacing the yen carry trade. However, despite this, the price of gold has been going on up in currencies which are not pegged to the dollar, for example, the euro and the yen. Only the Australian dollar has appreciated in value respective to gold, but this is primarily because the US dollar carry trade is happening with Australian dollars (the Australians are leading the recovery and have had to increase their interest rates).

The chart below shows the price of gold in US dollars. The period before 1967 is not of interest, as the dollar was on the gold standard, thus the price of gold didn’t fluctuate much. In fact, the price of gold remained constant from 1893 to 1918 (World War I).

Price of gold in US dollars

The real question, of course, is whether this is a good time to invest in gold. I am not looking for a short-term play, but my motivation is primarily to protect myself and the family savings from another round of redistribution of wealth that will be brought upon by another round of recession, inflation or devaluation of the currency. So, I decided to compute the buying power of gold, and how that has changed in the last 30 years. For this, I compute the price of 1 lb of flour, needed to make bread. Computing the 1oz gold/1 lb flour ratio, we can see how many lbs of flour would be bought by 1 oz of gold. Luckily, we have this data for the last 30 years, but not much more. Of course, gold had surged in price following the stagflation of the 70s, so 1980 marks the highest point of this ratio, but we seem to be inching our way to those levels now. Thus, the real buying power of gold has gone up significantly, more than anything in the past 3 decades.

gold/flour ratio


Credit: Gold prices from Kitco, and flour prices from FoodTimeline.org

This is a real pickle. On one hand, this signifies that we are going to see inflation, in which case, the price of flour will increase, but so will the price of gold in terms of US dollars. The other side of the coin is that gold is overpriced, as the gold/flour ratio should be relatively constant. However, examining the lows of the ratio in 2001 gives some sense of why gold has appreciated like a raging bull in the past decade. Another fact that is not captured in the graphs is the confidence of the rest of the world in US dollars. As confidence in the dollar increases, people prefer to hold dollars as opposed to gold. A reversal in that sentiment will drive the price of gold higher. This is the reason that we are seeing central banks in India and other emerging countries emptying the gold reserves of the IMF by selling their dollars and hoarding gold instead.

Typical investment strategy says that we should invest at least 10% in gold, to protect from devaluation of the paper currency. What do you think? I would love to know in the comments.

Rails 2.3.4 and acts_as_favorite incompatibility

Usually, I try to write about information problems, and what we can do to better parse the myriad of information. I have been involved in gigzee, which is built in Ruby on Rails, and like everyone else, we upgraded to Rails 2.3 a few weeks ago. We also use a customized version of the acts_as_favorite plugin internally to track which artists, gigs and venues people like. So, it was very disconcerting when, after the upgrade, the acts_as_favorite plugin stopped working for us. Worse, since user favorites are a central theme of our website, it pretty much brought down our entire system.

After a lot of looking around the web, and poking around on our servers, we figured out the problem, and are posting our solution so that other people can find it useful. The problem, as we found, is that acts_as_favorite overloads method_missing to extend the methods of the base class, say the User model. This way, it is able to provide new methods to that class, for example user.favorite_blogs.

Unfortunately, in Rails 2.3.4, the file /Library/Ruby/Gems/1.8/gems/activerecord-2.3.4/lib/active_record/associations/association_proxy.rb got changed to include the respond_to? check shown below (the highlighted lines in the original post). Because a method provided only through method_missing does not make the target respond_to? it, these lines end up raising a NoMethodError before the overloaded method_missing is ever called for the @target.

# AssociationProxy#method_missing as shipped in activerecord-2.3.4.
def method_missing(method, *args)
  if load_target
    # New in 2.3.4: refuse to delegate unless the target claims to respond.
    # A target whose favorite_* methods exist only via method_missing fails here.
    unless @target.respond_to?(method)
      message = "undefined method `#{method.to_s}' for \"#{@target}\":#{@target.class.to_s}"
      raise NoMethodError, message
    end

    # Only reached when respond_to? returned true; delegates to the target,
    # passing the block through if one was given.
    if block_given?
      @target.send(method, *args)  { |*block_args| yield(*block_args) }
    else
      @target.send(method, *args)
    end
  end
end

Instead of messing with the gem itself, and breaking who-knows-what-else, we decided to simply overload the respond_to? method for the User class. Our code (in app/models/user.rb):

# Claim that the plugin's dynamic favorite_* methods exist, so the association
# proxy delegates to method_missing instead of raising NoMethodError.
# Takes the same arguments as Object#respond_to?(sym, include_private = false)
# so callers that pass the second argument still work and still reach super.
def respond_to?(method_sym, include_private = false)
  if method_sym.to_s =~ Regexp.new("^favorite_(\\w+)")
    return true
  elsif method_sym.to_s =~ Regexp.new("^old_favorite_(\\w+)")
    return true
  elsif method_sym.to_s =~ Regexp.new("^has_favorite_(\\w+)\\?")
    return true
  elsif method_sym.to_s =~ Regexp.new("^has_old_favorite_(\\w+)\\?")
    return true
  else
    super   # everything else keeps the normal ActiveRecord behaviour
  end
rescue
  super
end

This essentially goes around the problem by telling ActiveRecord that these methods do exist for the User model, and then the method_missing from the acts_as_favorite plugin is called.
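To make the interaction concrete without needing Rails or the plugin installed, here is an added example (not code from the post, from acts_as_favorite or from Rails): a stand-in target whose favorite_* methods exist only through method_missing, a proxy that performs the same respond_to? check as the 2.3.4 association proxy, and a subclass applying the respond_to? workaround. The class names FavoriteTarget, ProxyLike and FixedFavoriteTarget and the sample favorites data are invented for this demonstration.

```ruby
# Added example modelling the Rails 2.3.4 / acts_as_favorite interaction.
# Class names and sample data are invented; this is not the plugin's code.

# Stand-in for a model whose favorite_* and has_favorite_*? methods are
# synthesised in method_missing, the way acts_as_favorite does it.
class FavoriteTarget
  FAVORITE_PATTERN = /\A(has_)?favorite_(\w+)(\?)?\z/

  def initialize(favorites)
    @favorites = favorites   # e.g. { "blogs" => ["rails-blog"], "gigs" => [] }
  end

  def method_missing(method, *args, &block)
    m = FAVORITE_PATTERN.match(method.to_s)
    return super unless m
    list = @favorites.fetch(m[2], [])
    m[1] ? list.include?(args.first) : list   # has_favorite_x?(item) or favorite_x
  end
end

# Stand-in for AssociationProxy#method_missing in 2.3.4: it refuses to
# delegate anything the target does not respond_to?. Plain Ruby objects do
# not report method_missing-only methods there, so the call never reaches
# the target's method_missing.
class ProxyLike
  def initialize(target)
    @target = target
  end

  def method_missing(method, *args, &block)
    unless @target.respond_to?(method)
      raise NoMethodError, "undefined method `#{method}' for #{@target.class}"
    end
    @target.send(method, *args, &block)
  end
end

# The post's workaround applied to the stand-in: teach respond_to? about the
# dynamic names so the proxy delegates instead of raising.
class FixedFavoriteTarget < FavoriteTarget
  def respond_to?(method_sym, include_private = false)
    return true if FAVORITE_PATTERN.match(method_sym.to_s)
    super
  end
end

# Exercises all three paths and returns the results for inspection.
def demo
  favorites = { "blogs" => ["rails-blog"], "gigs" => [] }

  broken = ProxyLike.new(FavoriteTarget.new(favorites))
  broken_result = begin
    broken.favorite_blogs
  rescue NoMethodError
    :no_method_error
  end

  fixed = ProxyLike.new(FixedFavoriteTarget.new(favorites))
  {
    direct: FavoriteTarget.new(favorites).favorite_blogs, # no proxy: works as before
    broken: broken_result,                                # through the 2.3.4-style proxy
    fixed: fixed.favorite_blogs,                          # proxy + respond_to? override
    fixed_has: fixed.has_favorite_blogs?("rails-blog")
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The direct call succeeds and the proxied call fails on the unmodified target, which is exactly the symptom the post describes; the overridden respond_to? is the only change between the broken and fixed cases. On Ruby 1.9.2 and later the idiomatic counterpart is to define respond_to_missing? alongside method_missing, which respond_to? consults automatically, but the respond_to? override is what the Rails 2.3 / Ruby 1.8 setup in the post supports.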

Simple fix, and I hope it can save other people a lot of headache too.

How many people do you know who have never got a speeding ticket?

When I was in graduate school, one of my roommates asserted that he planned to go through life without getting a speeding ticket. I met him a couple of months ago, and I asked him how he was doing on that plan. He had got one speeding ticket! Amazingly, even though I had never made my intentions public, I also planned to go through life without getting a parking ticket. Yet, despite my best intentions, I too got a ticket a few years ago.

I know what you are thinking. Clearly, both my friend and I should have been more careful sticking to the posted signs on the limits. And for the most part, we do. The trouble is that there is no well-defined boundary about where we are breaking the law. It is more like a gray area. If the posted speed limit is 60 mph, then the boundary lies at 60 mph. If you go faster than 60 mph, you are speeding and must get a speeding ticket. The trouble is that most of the traffic travels at a speed greater than 60 (typically somewhere between 65 and 70 mph – the “accepted” 5-10 mph above the limit), making it an illegal-but-acceptable zone of 5-10 mph.

This zone exists for a variety of reasons. First and foremost is the technicality of the margin of error of speed checking guns or various other devices, the calibration errors, etc. Smart lawyers try to get their clients off based on such technicalities. So, the police try to catch people outside this range of error. But this is not always so. Sometimes, the cops will catch you even if you are going only 4 mph above the posted limit (say 64 in a 60 zone). Why this discrepancy?

One way to deal with this is to always follow the posted speed limit. If the general traffic is going faster, then not only will you be the slowest car on the road, but you might also be holding up some traffic, thereby causing a more potentially dangerous situation. Furthermore, if you were following the posted limit, why should you be the one to be punished by having to spend more time for the same task that everyone else does in a shorter period of time? Law-abiding citizens should be rewarded, and not disadvantaged. If someone is traveling above the posted limit, it is the duty of the police officer in charge to issue a ticket. Every time the police officer neglects to perform his duty, he is abetting a misdoing.

I have been asking all my friends who have been driving for more than 5 years, and so far, every single one has got a speeding ticket. Some people are habitual speeders, but even the more cautious, gentler drivers have managed to be caught speeding at least once.

Do you know anyone who has been driving for a long time without ever getting a speeding ticket? Please add it in the comments, I would love to know.

Writing – original opinions or commentary?

Ever since tools like WordPress and other blogging engines have become popular on the web, a lot of people have started writing. It is phenomenal that people, including myself, have discovered that they really wanted to write and be read. I guess there is some vanity in that, as well as pride when other people ‘follow’ one’s blog. But it seems that the majority of such writings are really not much more than a commentary on what’s going on in the world anyway. I come across a plethora of blogs that started with the intention of the author to examine a particular subject in depth, but somehow lost their focus. Instead, they turned to writing about the current news, and their opinions of the news. What is interesting is that their opinions are still not surfaced. In a majority of the cases, they simply report the news, and link to some other reporter’s original blog. However, there is a mad rush among such blogs to jump on a news item quickly.

What is striking, though, is that this still instills in the authors a sense of achievement, even though they are neither responsible for the news, nor for the opinions, nor even for the breaking of the news itself. But if even 200 people read their blogs, it makes the author of such blogs feel a certain amount of pride. The result is that most blogs turn away from a specific topic, and instead talk more about the various things of interest to the author. This is neither a good, nor a bad thing. The striking point here is that the author assumes that the topics of interest to himself will also be of interest to other people. And it is! As there is more and more power in the hand of the consumer, those consumers tend to go for the things of interest to them. Thus, if the blogger enjoys gardening, Celtic music, and Packers football, there is a great chance that someone else who is interested in gardening, but not in football, will still follow the blog. In doing so, the reader is actually introduced to newer ways of looking at football, as well as a sense of belonging, since someone with similar interests in gardening is also interested in football. In this sense, the blog certainly brings the world closer.

Whether authors write original opinions or commentary, there is a lot of information out there. What was considered news earlier is nothing more than opinions, either structured or unstructured. Current trends suggest that both have a place in the act of dissemination of information. However, the real challenge will be in how we can filter information effectively for a specific purpose.

Why don’t online reviews work as well as they are supposed to?

The internet is primarily designed, and has evolved, to solve information problems. The internet cannot yet deliver experiences, except where the experience itself consists entirely of information. The internet can only deliver information for the senses of hearing and seeing, through pictures, text and video. Thus, any experience that consists wholly of stimuli to these senses can be delivered, such as games. However, the internet cannot deliver information for the senses of touch, taste and smell. Thus, for us to experience stimuli to those senses, we must experience them in the ‘real’ world. All the internet can do is deliver the information about those stimuli through text, and therefore, understanding. What it really means is that we receive an account of what the stimuli will consist of, and in our minds we try to experience it. This is exactly what online reviews are, and why they are becoming increasingly popular.

Every day I come across different websites with a 5-star rating for reviews of something or the other. Even the most popular sites with reviews (yelp, youtube, etc.) do not provide a whole lot of value from the reviews, as more and more people add reviews. I am not saying that reviews are completely meaningless, but only that they do not completely encapsulate the information that they are supposed to.

However, the value of the reviews is measured by how accurately we feel those sensations that we expect to feel, when we actually do go and have that experience. Any time there is a gap between the expectation that we form in our mind versus the experience we have, the value of that information becomes suspect, and the source of that information gets discredited. In this context, the value of information can really be measured by this experience – expectation gap. It is worthwhile to note here that if that gap is positive (meaning that we end up having a better experience than expected), we are pleasantly surprised, while a negative gap induces disappointment.

Of course, this brings us to another problem, which is how to measure this difference between expectation and experience. Theoretically, the experience is captured in the description of the review, thereby contributing to the expectation. However, not all people are the same, and though the expectation from the same piece of information might be different for different people, what is more troubling is that the experience of different people varies a lot as well. An inherent assumption in the review model is that all reviewers are equal and that the set of reviewers is large enough to statistically represent the vagaries of human nature accurately. Thus, each reviewer gets an equal amount of voting power, while votes get averaged over many reviewers.

The upshot of this is that even though the amount of information contained in different reviews is different, it gets averaged over reviews to provide a more or less consistent amount of average information, which is enough to form a sort of personalized average expectation in the mind. For the present state of the internet, this is considered a fair system, mostly because of a lack of a better automated and scalable system. This is the reason, however, why the average expectation for most “average” items (be it restaurants for yelp, or videos for youtube) tends to converge to ~3.5-4. The outliers are the superb (4.5-5) and the horrible (<3 stars). For the express purpose of classifying the item in one of these 3 buckets, the current review system is fine. But there is no real benefit from having the granular system of 5 stars, as the discrepancy between reviews is great. That is the reason we see a lot of websites today switching to the easier and simpler vote up/down system.

However, the truth still remains that the amount of information contained in each review is different, based upon the prior experiences and nature of the person generating the information itself. If we are able to capture this difference in a meaningful way, then the amount of information contained in a single unit of transport mechanism will greatly increase.

Analytical or Analogical?

Like most other engineers, I have prided myself on being super-analytical. We engineers keep throwing words like analytical around as a matter of pride. I have often wondered how exactly analytical I am. As per the definition, analytical means “skilled in or using analysis especially in thinking or reasoning”. Now isn’t that a confusing definition, since it means that an analytical person is skilled in using analysis. However, in general, we all seem to agree that it means ‘having to do with careful examination; good at examining things.’ Analysis then is really our ability to examine things carefully. Usually, it requires us to break a complex issue down into multiple smaller issues, which tend to be much simpler. Whether we are solving a complex problem, or simply examining an argument, the same theory applies. However, how do we actually solve these smaller, simpler problems?

To be completely analytical would mean that we must continue to break down the problem into its smaller, simpler sub-parts, and so on. At some point, however, we must know the answer to solve the smallest unit of our problem. More likely than not, we know this answer either through experience, or through knowledge. Thus, as our own knowledge grows, we can then jump to the correct answers much faster with only a minor break-down of complex problems, trying to attain a goal of zero breakdown. This practice is evident in the game revered as the most analytical of them all – chess. A novice chess player (like myself) needs to break down each move into the exact effect it will have on every possible square on the board, and I need to calculate the various combinations of my and my opponent’s moves. A chess grandmaster, on the other hand, is easily able to recognize patterns and ‘feel’ the position on a board, even though he might never have seen the exact same position ever before. Thus, the grandmaster is reaching into the reserves of his knowledge and drawing a parallel to a situation he has experienced, and applying it to the more complex problem at hand.

This then suggests that as we become more and more knowledgeable or experienced in solving more and more complex problems, we become less and less analytical. In fact, we start becoming more and more analogical. As per the dictionary, ‘analogy’ means ‘Similarity in some respects between things that are otherwise dissimilar’. As an example, I used chess in the above paragraph to illustrate a point which would have been way more laborious for me to get to without the use of the analogy. Personally, I have found that even for small problems, we rely so much on our own knowledge of how things work, that we constantly apply it to other similar (but new) problems all the time, irrespective of their difficulty. Maybe there is more pride in being analogical than analytical.