Yesterday was Election Day in the US. That means hundreds of millions of citizens braved the elements, long lines, voter suppression attempts, flaky voting machines, and other challenges to exercise our Constitutional right to choose our leaders. After waiting for about 3 hours in 2008, I got smart and voted early this year. It took me about 45 minutes and it was done.

Luckily I don’t live in a swing state, so I think I saw maybe 1 or 2 political ads throughout the cycle when I was traveling. I know folks that have been pummeled by non-stop robocalls, TV ads, radio blitzes, and annoying canvassers knocking on their doors will appreciate the relative silence they’ll hear tomorrow. But that’s all part of the process. US presidential candidates have the most sophisticated targeting and marketing machines in existence. Think about it. Each candidate probably spent $1B on the campaign, funded largely by big donors, and spent largely over the past 3-4 months. That’s a similar spend to what a Fortune 500 consumer products company spends on marketing, if not more.

And all that marketing is to influence the “story” told by the mass media. Trying to manipulate press coverage to portray momentum, define story lines about candidates, and ultimately rile up the base and depress the competition. Amazingly enough, it’s very effective. Talking heads (many on the payrolls of political parties or specific candidates) appear daily to talk about how everything is rosy in their world, how their candidate has the momentum and will win in a landslide. There really is no unbiased view of a campaign.

Then there are the polls. Hundreds of polls. Every day. With different results, all seemingly within the margin of error of each other, and the numbers spun however the spinners want. Let’s be clear about polls. They are biased because each one takes a statistical sample and then applies its own voter turnout assumptions to derive its numbers. That’s why some polls are consistently skewed toward one party or the other. But what happens if you average all the polls, build a big-ass model, and apply defensible algorithms to cancel out each pollster’s bias for a decent estimate of the current state of the race?

You get a predictive model of a likely outcome of the election. Which is exactly what Nate Silver has built. He is a former baseball analyst who built sophisticated models to estimate baseball player performance, and then applied his sabermetric kung fu to politics. His website moved to the NY Times a couple of years ago, and his accuracy has been uncanny. He called 49 out of 50 states in the 2008 presidential election and did well in 2010 as well. Could it be luck? Maybe, but probably not. Not if you believe in math, as opposed to punditry and hope.

Since early spring he has shown the incumbent President as a solid favorite to be re-elected. Turns out he was right. Absolutely, totally right. Of course, throughout the campaign he became a target of folks on the other side of the aisle. Similar to the Salem witch hunts, folks who understand math have had to convince luddites that he isn’t a witch. What these folks don’t understand is that Nate Silver may have a specific ideological bent, but that’s not what his model is about. The data says what it says, and he reports a likelihood of victory. Not a projection. Not a guarantee. A likelihood.
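To make the “average the polls, cancel the bias, report a likelihood” idea concrete, here is an added worked example. It is not from the original post and it is not Nate Silver’s model: it is a toy that estimates each pollster’s house effect as its distance from the median of all pollsters’ averages, subtracts that effect from the pollster’s own numbers, takes a sample-size weighted average, and turns the adjusted margin into a probability of victory. The poll data is constructed, and the 2-point model error is an assumed figure standing in for polling-plus-turnout uncertainty.

```python
"""Toy poll aggregator: house-effect correction, weighted averaging, and a win
likelihood. Added illustration only; the poll data is constructed and the
method is a simplification, not Nate Silver's model."""
import math
import random
from statistics import mean, median

# Constructed sample polls: (pollster, sample_size, incumbent margin in points).
# "LeanRight" is the shop with a consistent house effect against the incumbent.
POLLS = [
    ("PollsterA", 800, 2.0),
    ("PollsterA", 1000, 1.5),
    ("PollsterA", 900, 2.5),
    ("PollsterB", 1200, 1.0),
    ("PollsterB", 1100, 0.5),
    ("LeanRight", 700, -2.0),
    ("LeanRight", 750, -1.5),
    ("LeanRight", 650, -1.0),
]


def pollster_means(polls):
    """Average margin reported by each pollster."""
    by_pollster = {}
    for pollster, _, margin in polls:
        by_pollster.setdefault(pollster, []).append(margin)
    return {p: mean(ms) for p, ms in by_pollster.items()}


def house_effects(polls):
    """A pollster's house effect is how far its average sits from the median of
    all pollsters' averages. The median is the anchor (an assumption of this
    toy) so that one skewed shop cannot drag the center toward itself."""
    means = pollster_means(polls)
    center = median(means.values())
    return {p: m - center for p, m in means.items()}


def adjusted_polls(polls):
    """Subtract each pollster's house effect from its own polls."""
    effects = house_effects(polls)
    return [(p, n, m - effects[p]) for p, n, m in polls]


def weighted_margin(polls):
    """Sample-size weighted average margin (bigger samples count more)."""
    total = sum(n for _, n, _ in polls)
    return sum(n * m for _, n, m in polls) / total


def win_probability(margin, model_error=2.0):
    """Closed-form likelihood that the true margin is positive, treating the
    aggregate as Normal(margin, model_error). model_error=2.0 points is an
    assumed figure, not an estimate from real data."""
    return 0.5 * (1.0 + math.erf(margin / (model_error * math.sqrt(2.0))))


def simulate_win_probability(margin, model_error=2.0, trials=20000, seed=1):
    """Same likelihood by Monte Carlo, the way a bigger model does it when
    there is no closed form (seeded so the run is reproducible)."""
    rng = random.Random(seed)
    wins = sum(1 for _ in range(trials) if rng.gauss(margin, model_error) > 0)
    return wins / trials


def summarize(polls=POLLS):
    """Raw vs. bias-corrected aggregate, plus the resulting likelihood."""
    adjusted = weighted_margin(adjusted_polls(polls))
    return {
        "raw_margin": weighted_margin(polls),
        "adjusted_margin": adjusted,
        "house_effects": house_effects(polls),
        "win_probability": win_probability(adjusted),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
    print("simulated:", simulate_win_probability(summarize()["adjusted_margin"]))
```

On the constructed data the raw weighted margin is about +0.55 points and the corrected one about +0.74, which maps to a win likelihood in the mid 60s percent. That is the whole point of the “likelihood, not a projection” distinction: the same model that says the incumbent is favored also says the other candidate wins roughly one time in three, so a loss would not have proven the math wrong, only that the less likely branch happened.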

Models don’t lend themselves to exact precision. Nate would be the first to say there is a likelihood that his model was wrong and the election could have gone to the other candidate. That would have given his detractors the ability to put him and his models in a box. But it didn’t happen. Math won because math works. Models get better over time. They are never exact – not on complex systems anyway. Silver’s a numbers guy, which means he will continue to refine the model in every subsequent election. But it’s pretty close now, and that’s very impressive.

The baseball pundits hated it when the math guys showed up and proved there is something to quantitative analysis. Now all the other sports are embracing the concepts. And yes, the politicians will pay more attention to quantitative methods over time as well. Anecdote is fine. Qualitative research has a place. But over time math wins. Which scares a lot of people because then pundits and other qualitative windbags have a lot less to talk about.

When math wins, we all are winners… Especially guys like Rob Graham, who understand the models and how to game them for fun and profit.


Photo credits: Math Doesn’t Suck originally uploaded by John Baichtal

Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Building an Early Warning System

Implementing and Managing Patch and Configuration Management

Understanding and Selecting a Key Manager

Understanding and Selecting Identity Management for Cloud Services

Newly Published Papers

Incite 4 U

  1. Taking the path of least resistance: If I were a bad guy (and yes, I’m a bad guy, but I’m not a bad guy), I’d go after small business. Maybe that’s because I know too much. I know how much effort and money is spent by enterprises to protect themselves. They still stink, but they try. PCI guarantees that. But small business tends to spend far less and take security far less seriously. That means they are sitting ducks. And as Krebs shows time and time again, those ducks get slaughtered. This latest story is more of the same about a building security company that got looted via a fraudulent payroll run. Their machines got owned, money mules were miraculously entered into the payroll system, and that day’s run cut paychecks adding up to $180,000. The sad truth is that guys like us tend to deal with very advanced security topics, but those tactics are like quantum physics to most of the world. These folks can hardly wipe their proverbial backsides in terms of security, and it shows. – MR
  2. Bit flipping on software security: A couple of years ago I did a Firestarter (you know, when we used to blog) on the Automation of Secure Software Development. The basis of my angst was Forrester researcher Chenxi Wang’s claim that (I am paraphrasing) coders suck at secure code development, and they will continue to suck at it – forever. Her position was that we need to take security out of the application developer’s hands entirely and build it in with compilers and pre-compilers that take care of bad code automatically. So imagine my surprise to see Chenxi presenting the Forrester Software Security Risk Report (registration required), claiming The Road to Application Security Starts in Development. Ironic? You bet. Color me surprised. And as far as the Forrester report goes, it’s something I would have applauded in this Incite several years ago, but not now. Yes, application security needs to take a ‘holistic’ approach, but the missing ingredient in her report is the fact that security needs to be systemic to the app and application stacks. Cloud and mobile forced me to start thinking differently, but it was Big Data’s architecture and lack of built-in security features that made me realize developers can only do so much with the tools and technologies they have. And some architectures are not conducive to bolting stuff on, and we can’t expect developers to re-invent the wheel for every app – they won’t. Bolt-on technologies need to give way to built-in security capabilities to assist development staff. – AL
  3. Jobs available – only unicorns need apply: Here is a very good, succinct summary on the carnal0wnage blog of one of the biggest issues facing us security folk. It’s staffing. At a recent IANS Forum one of the biggest areas of concern among the CISOs participating in my sessions was finding, training, and retaining talented folks. Consulting firms have a hard enough time getting enough skilled folks to meet demand, and they pay well. Most enterprises have no shot. The answer is two-fold. If you want to compete, you need to pay better. Period. Sure, folks like to feel fulfilled and need a challenge. But offer them 40% of a competing offer and you’ll lose. If you have a decent sized staff, you also need to start building a farm team. That means establishing a training program to take talented n00bs (like sysadmins or network jockeys) and train them to be security folk. Accept that the investment you make will pay off for someone else. Eventually another organization will pay your folks big bucks to do what you taught them to do. But that’s part of the game. – MR
  4. Don’t let the facts ruin a good story: I think it’s become obvious that an interesting story about a hack is just as good as a hack in this day and age. The page view whore mentality (Mike’s term) means the media reports first and fact checks later, maybe. Anonymous has claimed to have hacked PayPal and harvested 28k passwords in the process. PayPal denies the claim. Regardless of the truth, perception = reality, so the damage has already been done. Anonymous once again proves they are masters at PR and marketing. The interesting fallout in the security market is that people are now using this as proof that regular password rotation will be helpful, and that technologies like Password Splitting are now a solution to cover large firms in the event they are hacked. Anonymous has been so successful they can alter security programs with a fake hack. – AL
  5. Application control is a feature: Over the past year I have done a lot of research into endpoint security: why most existing products stink, and why all companies continue to buy them anyway. I have tried to keep my cynicism in check and focus on endpoint security management, as endpoint hygiene (patch/config, etc.) can make a marked difference in security posture. I have always been a fan of application whitelisting in concept – a locked-down machine is much harder to compromise. The problem was that AWL dramatically impacted user experience, and not in a good way, so it was relegated to a niche technology, and niches don’t make markets. So seeing Lumension acquire the assets of CoreTrace was (unfortunately) not a surprise. Lumension had a product, and CoreTrace gives them more of the (small) market and additional technical capabilities. But more importantly, you don’t see Lumension (or any application control vendor) talk about AWL as a standalone solution. It’s part of a bigger endpoint protection suite that includes old-school AV to keep the auditors happy. Mr. Market has spoken and AWL is a feature. – MR