Category Archives: Others

2014 in review

The stats helper monkeys prepared a 2014 annual report for this blog.

Here’s an excerpt:

A San Francisco cable car holds 60 people. This blog was viewed about 2,400 times in 2014. If it were a cable car, it would take about 40 trips to carry that many people.



How should a 22-year-old invest his/her money?

Answer by Ching Ho:

For the 22-year-old, this is a boring yet tried-and-true investment method that will make you rich over time, richer than most rappers who'll blow their money on cocaine and other stupid shit. Allow me to start with a simple Excel illustration, entitled “How to Make $10 Million Dollars”:

*For illustration purposes only, and like every other method of wealth creation, is subject to tax and inflation. Simply stated (and assuming a decent job), 20% savings smartly invested at a 10% interest rate will get you to the $10MM mark.

My recommendation: 60% stocks 20% bonds 20% real estate.  Bonds & real estate provide necessary diversification, limited downside risk and a continuous stream of dividends. For example, I know that my two-family real estate investments (purchased at a discount, fixed up & rented out) will yield a stable 12% year after year and will probably outperform the stock market.

Some may believe 10% to be an unreasonable rate of return, but 10% is the average return over the entire history of the US stock market – a market that has weathered world war, depression, and hyperinflation.  There is no reason to expect otherwise over a long-term 40-year period (for reference, the most recent 40-year period 1973-2013 yielded 11.43%). Although I may just be lucky, here are four examples of my own personal investments that have more than doubled the S&P-500 benchmark over the past five years (ticker SPY 5% over 5-years).
Some insight into how I chose these investments:

RSP Rydex Equal Weight S&P 500 (7% five-year return): the neglected issue with traditional S&P index funds is that large companies like Apple & Exxon take up 8% of the fund. With an equal 0.2% weight given to each of the 500 companies, you’ll get true diversification & outperformance.

HSCSX Homestead Small Company Stock (13%): I inherently favor small companies and this contrarian fund concentrates on out of favor firms ready to turn around.

FNMIX Fidelity New Markets Income (11% with a 4% yield): as international stocks often don't outperform those from the USA, I focus my international exposure on high-yielding dollar-denominated emerging market bonds.

FBIOX Fidelity Select Biotechnology (19%): I often invest in sectors I believe to be promising.  Billions of overpopulation? Fat Westerners prone to diabetes? Possible bird flu pandemic?  Genetic sequencing & new drug therapies?  This fund is my #1 performer but possibly overvalued now.

The single most important thing is to invest in yourself.  Be financially literate and learn new skills such as the Excel modeling and asset allocation strategies detailed herein. Be the very best at whatever you do. Continuous education & aggressive professional diligence. (And by education, I don’t mean going $150,000 into debt for an art history degree. Let me be one of few to emphasize that the education industry is quickly turning into a fool's scam and unless you’re attending a top-20 school, skip it – you’re better off working or going to a decent state subsidized college where you'll get the same education at 1/4 the price.)
Now assuming you ain’t no scrub – you’re investing in yourself, saving 20% of your professional income, working hard, and learning to be an astute investor, I now revise my Excel and entitle it – “How to Make $20 Million Dollars”:

* Want an extra $5,000,000?  Save 25% instead of 20%!

Finally, DON’T LOSE MONEY.  Wealthy investors understand this concept better than most which is why you sometimes see sharp overcorrections in the market from options & algorithms that automatically trigger a "sell" – they would rather liquidate in advance of a truly scary situation than risk losing a large percentage of their capital:

1) Market crash & asset bubbles, roughly every 10 years:  If an asset class inflated by credit does not generate enough cash to service the debt, divest. Even I had good enough sense to recognize the pig that was the housing bubble and liquidated every single stock investment a year before that crash. I constantly listen to CNBC and Bloomberg when driving (it annoys my girlfriend, she loves the Kesha).
2) Dumb ass investments – wanna build a restaurant to “entertain your friends?”  Did you hide your money in Cyprus or some equally bad socialist European nation? As soon as you made some money, did you buy a yacht or Porsche  to show others you've "made it?” 
3) A bad marriage or catastrophic illness – divorce or bad partnerships will wipe out half your net worth. Doing such a thing twice will decimate even a $10 million fortune. Choose wisely, and stay healthy. Don’t race trains and avoid all AIDS situations.

I'm really tempted to model another Excel illustrating how riding market bubbles (bitcoin, anyone?), a fun night in Bangkok and a 50% shave from a bad divorce will affect your net worth. But in this scenario, AIDS will strike you down before I reach line 65… so my advice, which took me 90 minutes to formulate, would be wasted. Anyways, I hope I have been of assistance – thank you for listening and please comment!

View Answer on Quora

What exactly is the coding error that is responsible for the Heartbleed bug in OpenSSL?

Answer by Samuel Jones:

I am not an expert (by any means) in network security, but it looks like the actual bug here is pretty easy to understand.

The Heartbleed bug is in OpenSSL's TLS heartbeat implementation. Generally, the goal of this heartbeat is to be able to verify that a connection is still open by sending some sort of arbitrary message and expecting a response to it.

When a TLS heartbeat is sent, it comes with a couple notable pieces of information:

  • some arbitrary payload data. This is intended to be repeated back to the sender so the sender can verify the connection is still alive and the right data is being transmitted through the communication channel.
  • the length of that data, in bytes (16 bit unsigned int). We'll call it len_payload.

The OpenSSL implementation used to do the following in a nutshell, best as I can tell (leaving out non-relevant steps):

  • Allocate a heartbeat response, using len_payload as the intended payload size
  • memcpy() len_payload bytes from the payload into the response.
  • Send the heartbeat response (with all len_payload bytes) happily back to the original sender.

The problem is that the OpenSSL implementation never bothered to check that len_payload is actually correct, and that the request actually has that many bytes of payload. So, a malicious person could send a heartbeat request indicating a payload length of up to 2^16 (65536), but actually send a shorter payload. What happens in this case is that memcpy ends up copying beyond the bounds of the payload into the response, giving up to 64k of OpenSSL's memory contents to an attacker.

It appears that this never actually segfaults because, for whatever reason, OpenSSL has a custom implementation of malloc that is enabled by default. So, the next memory addresses out of bounds of the received request are likely part of a big chunk of memory that the custom memory allocator is managing and thus would never be caught by the OS as a segmentation violation. (I could be a bit off here, as I haven't looked at SSL's memory allocator.)

What's in this extra 64k memory? It depends. You could get nothing useful on any one faked heartbeat. However, nothing stops you from sending as many fake heartbeats as your (fake) heart desires. People have demonstrated that you can get unencrypted network traffic (including passwords), private security keys, and other things that people depend upon for security.

The fix (Git – openssl.git/commitdiff) as linked in Jelle's answer implements checking on the length of the payload, and silently fails (sends no response) if len_payload is incorrect or out-of-spec. This makes sense, as if a valid heartbeat was sent and an invalid one was received, you should assume that some data was corrupted/lost along the way, that the connection is no good, and thus not send a heartbeat response.

View Answer on Quora
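The unchecked copy and the length check described in the answer above, as an added example (not part of the original answer and not OpenSSL's code). All names are hypothetical, the "secret" is constructed sample data, and a fixed arena stands in for the heap so the over-read stays inside memory the program owns; the 16-byte minimum padding comes from RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HB_HDR 3   /* 1-byte type + 2-byte payload length */
#define HB_PAD 16  /* minimum padding per RFC 6520 */
#define ARENA  128 /* stand-in for the heap around the request */
static const char SECRET[] = "CONSTRUCTED-SECRET"; /* made-up sample data */

/* Vulnerable shape: the length field is trusted, rec_len is never consulted. */
size_t echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;
    size_t len_payload = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + HB_HDR, len_payload); /* may run past the request */
    return len_payload;
}

/* Hardened shape: drop the request (return 0, send nothing) unless the
 * claimed payload plus padding fits in the bytes that actually arrived. */
size_t echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < HB_HDR + HB_PAD) return 0;
    size_t len_payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + len_payload + HB_PAD > rec_len) return 0;
    memcpy(out, rec + HB_HDR, len_payload);
    return len_payload;
}

/* Lay out a request carrying 4 payload bytes that claims `claimed` bytes
 * (keep claimed <= ARENA - HB_HDR), followed by unrelated data. */
size_t build_arena(uint8_t arena[ARENA], uint16_t claimed)
{
    size_t rec_len = HB_HDR + 4 + HB_PAD;   /* bytes really received */
    memset(arena, 0, ARENA);
    arena[0] = 1;                           /* heartbeat_request */
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + HB_HDR, "ping", 4);
    memcpy(arena + rec_len, SECRET, sizeof SECRET - 1);
    return rec_len;
}

/* 1 if the secret marker appears in the first n bytes of buf. */
int leaks_secret(const uint8_t *buf, size_t n)
{
    size_t m = sizeof SECRET - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, SECRET, m) == 0) return 1;
    return 0;
}

int main(void)
{
    uint8_t arena[ARENA], out[ARENA];
    size_t rec_len = build_arena(arena, 64);  /* claims 64, carries 4 */
    size_t n = echo_unchecked(arena, rec_len, out);
    printf("unchecked: %zu bytes echoed, leak=%d\n", n, leaks_secret(out, n));
    printf("checked:   %zu bytes echoed\n", echo_checked(arena, rec_len, out));
}
```

A request whose length field matches its real payload (`build_arena(arena, 4)`) passes the check and is echoed unchanged.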

Is the engineering field a dead-end career in Singapore? Why?

Answer by Anonymous:

I, too, will answer this in the capacity of software engineering (and maybe even to the extent of electrical and computer engineering) as that's what I'm most familiar with. Also, I am making the assumption that you are referring to software engineering as well since the other engineering fields like civil and environmental engineering, mechanical engineering, etc, are generally not perceived to be as dead-end as software engineering is in Singapore.

I would argue that software engineering in Singapore, at this point in time, is a dead-end career.

Singaporeans' Perception Of Software Engineering

Derrick Ko at Kicksend wrote a great blog post (…) about the state of engineering in Singapore. In that blog post, there was a quote from a post made by Member of Parliament Sim Ann and a reference to said post. The comments in that post were rather interesting. I quote Chen Chee Keong:

Programming is largely a tradeable job. It is almost impossible to protect the Singaporean programmers against competition from other programmers from lower cost countries. So we have to be realistic how much the company can offer.

The thing is, programming is not. The fact that this comment was made merely reiterates the backward mentality and perception Singaporeans still have towards software engineering. Never before has software been so pervasive in our lives. So what makes or breaks a company is the product itself and that is made by engineers, not managers, business people in suits who spout buzzwords, etc. A good product is engineer driven, with everyone else in support. Silicon Valley companies value that and it works for many companies (I might be generalizing a bit too much). If software engineering is still seen as something that can be outsourced, it implies that it is still a blue-collar job. That means that salaries will be comparable to that of blue-collar workers. Hardly prestigious as that in the Valley. With ever increasing year-on-year inflation and suppressed wages, it's no wonder people would rather enter management, finance or move out of Singapore to pursue software engineering. This brings me to my next point.


This is an interesting situation. Singapore does have the talent to build a vibrant startup environment. As stated by this recent TechCrunch article (…), we're very well poised in terms of regulations for startups but are rated poorly in the talent aspect. I would argue that we do have the talent but our talent pool is very poorly managed.

I'm currently a scholar studying Computer Science in America and I have to return to serve a bond in administrative work. That is something I loathe doing. I'm a builder, a creator, I want to help people by building software, not writing proposals and having unproductive meetings. Some of the brilliant engineers I know who are Olympiad champions and obtained scholarships to study abroad end up in the same situation as me, some even more so. After 5-6 years of serving our bond, we potentially get too settled into our careers and our career in software engineering ended the moment we left college. That is sad. The government has to realize that we do have the talent and that scholars can and should serve their bonds in other ways that are more relevant to their skill sets. A friend of mine, after learning CS and ECE at a prestigious technical university, and winning a few competitive programming prizes at ACM-ICPC, ends up in DSTA writing shell script. Such a waste of immense talent.

As for our homegrown talent in our local universities, I'm proud to say that we produce some of the best, and creative engineers I've ever seen. The most recent example is when a Singaporean team won first place at the 2012 hackathon (…). The team, mostly made up of NUS graduates, impressed Silicon Valley moguls with their app OMGHelp. While I'm extremely happy for them in their successful engineering careers, it saddens me to see that none of them are working in Singapore. They do not have the bond which scholars have and so are free to pursue their careers at greener pastures. I don't blame them as the Valley pays engineers a lot better than in Singapore (I've alluded to this point earlier in the post).

So where does this leave us? The government's scholarship system kills off engineering careers for many scholars whereas those that are not bonded leave the country in search of better career prospects. If we want engineering to not be a dead-end career, there have to be some success stories. Singapore needs its own Mark Zuckerberg. Someone has to step up and spark a revolution and get every child who spends hours on their computer hacking instead of wasting their youth playing MapleStory. There has to be an ecosystem of some sorts that grows organically, by engineers, for engineers. I can now pirouette elegantly into my last point.

Ecosystem? What ecosystem?

Singapore is constantly chasing trends. We did that in manufacturing, then biotech, and now we're doing the same in tech. We're investing in startups in the Valley, enticing them to come over and set up offices in Singapore. You might argue, "But there is a Google office, Microsoft office, etc, in Singapore!" Yes, there is, but they are mostly sales and operations headquarters for Asia Pacific. Development is purely restricted to America. Nothing for engineers here, please come back another time.

Where are the engineering jobs? What about us? What about our people? If Singapore is serious about engineering or the tech industry, pursuing the FDI strategy is too short-sighted. We have to stop chasing the next big thing but leverage our talents and grow organically from there. It might not be startups, or biotech, or whatever, but maybe we should focus on what makes us Singapore and pursue that as a drive of economic growth. Korea and Japan did that with science and technology, Germany did that with engineering. I recall from my secondary school days (social studies, hurrah!) that Singapore adopted a diversification strategy when it came to the economy. It all seems like a "spray and pray" strategy to me right now. All the aforementioned countries played to their cultural strengths and succeeded in a particular area, I think we should hold up, take a look around, stop playing with economic indicators, and fix the economy in a practical way.

But, I digress.

A lot of us engineers want to pursue exciting careers in engineering in Singapore, start up great companies, be the next big IPO, change the world. We can create our own jobs for our own people. We don't have to rely constantly on Foreign Direct Investment, something which is detrimental to our economy in the long run. So, going back to software engineering (it can apply in any field, really), we should have an organic ecosystem, growing our homegrown talent, encouraging our engineering scholars to actually have some influence rather than have them do things that they are overqualified or uninterested in doing. We do have a small and growing group of tech entrepreneurs and hacker groups sprouting up but they need more support from the government, not just the occasional mention in The Straits Times. I can only see the country benefiting from this because we are utilizing our most precious resource, our people, in the best possible way.

Unfortunately, at the moment, we are not. We don't have best practices in place. A well known defense and aerospace engineering company has its engineers zip source code, and email it to the next engineer who is working on that code. Only one person can work on that code at any one time. Yes, that is how source control happens in Singapore. It's not even SVN (the horror!). My friend, during his internship there, suggested to his supervisor to set up a git server (duh, right?). You can guess what happened next. The supervisor rejected his proposal because he would have to obtain clearance from the higher ups to set up a server and that it would be too troublesome. D'oh. Stopped at the first level of bureaucracy.

Marc Andreessen said, software is eating the world, but Singapore would eat it first with all this red tape and silly backwards thinking. How can an ecosystem grow like this? I have no easy answer and I don't see this changing anytime soon.

I believe I have rambled enough. At this point in time, software engineering is a dead-end because of the same perceptions, mindsets and policies we have had since 20 years ago. Nothing's changed. We can still outsource programming, no biggie. Without a solid, organic ecosystem, no jobs are created, our talent leaves, and the way people perceive engineering remains unchanged. It's a vicious cycle. I strongly believe software engineering and the tech industry can improve the lives of Singaporeans, create new jobs and potentially solve some of our economic problems, just as how the tech industry is keeping the American economy afloat, and it pains me to see Singapore miss this boat.

TL;DR: Yes. Because Singapore.

View Answer on Quora

How do top students study?

Answer by Jessica Su:

I am an above-average student at Caltech.  I don't think I study particularly hard, but I do

  1. Get 8-9 hours of sleep a night.  This allows me to go to class well-rested and do my problem sets with greater efficiency.
  2. Always go to class.  Even if the lectures are not useful, they serve to structure my day.  Having lots of free time creates diminishing returns for me – three hours isn't too different from four hours, but having one block of three hours and one block of one hour is significantly better.
  3. Spend a lot of time working on my problem sets before I ask others for help.  I like to think that all my time spent getting nowhere on problem sets gives me a deeper understanding of the material.  And I don't know about you, but I find it way easier to concentrate when there's no one else in the room.
  4. Start my sets the day they come out (at least for the first few weeks!).  You'll probably spend more time on them, but being ahead will boost your morale.  Plus you'll have time to go to office hours and you won't feel pressured to pull an all-nighter on the last day.
  5. For some classes, I read the book before going to lecture.  Try and have a schedule for reading the book so you don't slack off.  Also, you won't have time to read the book for all your classes, so choose wisely.
  6. Use the Mac app SelfControl to block Quora, Facebook, and other distractions during the day.  I promise I'll turn it on after this answer!

Oh, and for math classes, you really have to read the proofs.  Don't be one of those students who skips over them because they have no relevance to the problem sets.  Reading the proofs will build up your mathematical maturity, just like lifting weights builds your muscles.

View Answer on Quora
