66: AWS & Azure, 20-year-old Article on Amazon, Fred Liu, Sam Hinkie, Microsoft's Big Stick, 45m Medical Images, OnlyNerds for Semiconductors, and Countermeasure Flares

"everybody in charge of a big company or government agency puts IT security higher on the priority list"

In my lifetime, advanced civilization has gotten ahead faster than any century that existed before. Nothing else was even close. It's utterly without precedent in real terms.

It's unbelievable, I watched the whole damn thing quite literally because I've lived so long. It's been absolutely astounding.

—Charlie Munger a few days ago, via Tren Griffin

As the vaccines are starting to roll out, it’s probably a good time to revisit the impact of sleep on the immune response to vaccines. If you’re going to do something, get the most out of the experience (aka if you’re going to get stuck, you may as well have it stick).

I first heard about this from Matthew Walker. His 3-part interview with Peter Attia is great (I’ve listened to it at least 3 times, it changed my life for the better, and it’s better than his book — Part 1, part 2, part 3, and they did a follow up part 4 last summer).

The idea is that sleep, or lack of it, has an effect on the effectiveness of our immune system. This can mean that lack of sleep can make us more susceptible to all kinds of stuff, from the common cold to — possibly — cancer, but it can also mean that we get less of an immune reaction when we get a vaccine, and get less protection/immune memory out of it.

The book ‘Why We Sleep’ cites a 2002 study:

In the study, healthy young adults were separated into two groups: one had their sleep restricted to four hours a night for six nights, and the other group was allowed seven and a half to eight and a half hours of time in bed each night. At the end of the six days, everyone was given a flu shot. [...]

Those participants who obtained seven to nine hours’ sleep in the week before getting the flu shot generated a powerful antibody reaction, reflecting a robust, healthy immune system. In contrast, those in the sleep-restricted group mustered a paltry response, producing less than 50 percent of the immune reaction their well-slept counterparts were able to mobilize. Similar consequences of too little sleep have since been reported for the hepatitis A and B vaccines.

A quick search on Google Scholar reveals a bunch of studies on the impact of sleep on vaccination. Here are a few:

I’ve found one study that seems to show that the long-term antibody count seems to be similar between the sleep-deprived and the control for one type of shot, but the sample wasn’t big, and in this case, the risk/reward is so asymmetric that the sane thing to do is to make sure to get good sleep before you get vaccinated. And the short-term matters here, since it’s when the risk of infection will be highest.

Worst case, you’ve had refreshing sleep, which is good for you in many other ways anyway, and had fewer hours to scroll Twitter, and best case, the vaccine you receive will be more effective and may save lives (if not yours, maybe some nice elderly person who would’ve been in a chain of transmission in which you’d be a link). No brainer.

❧ Starting yesterday, and until January 10, both my young kids will be home for a 24/7 Holiday Lockdown with no school or daycare. This is a heads up, in case you notice shorter or late editions and/or my progressive descent into madness over the coming weeks…


Investing & Business

Snow White, Her Twin Sister, and the Seven Dwarves

Source. h/t Jerry Capital

AWS Still in Court Over Pentagon’s $10bn JEDI Contract

Amazon Web Services Inc. unit argued Microsoft’s bid must be “invalidated.” It said the award was a “flawed and politically corrupted decision” that resulted from “systematic bias, bad faith and undue influence” it attributes to outgoing U.S. President Donald Trump. [...]

Microsoft is still unable to begin work on JEDI because of a temporary injunction that paused the contract earlier this year. That resulted from Amazon’s complaint that Microsoft’s bid contained a “host of errors” the DOD did not properly take into account. Judge Patricia E. Campbell-Smith wrote in her ruling that AWS “likely is correct” that the Defense Department made an evaluation error when assessing Microsoft’s bid, adding the error was “quite likely” material.

In a statement issued today, AWS took issue with the DoD’s unwillingness to correct the many flaws that were outlined in AWS’s initial protest. “After the Court rejected the flawed initial JEDI evaluation, the DoD spent over four months attempting to revive Microsoft’s non-compliant bid and reaffirm that flawed and politically-biased decision,” an AWS spokesperson said. “As a result of the DoD fixing just one of many errors, the pricing differential swung substantially, with AWS now the lowest-priced bid by tens of millions of dollars.” (Source)

Oracle still sitting at the kids’ table, despite its shenanigans…

Hindsight is 20/20, Especially in 2020

Note that they quote the peak price of Amazon stock as $106 and 11/16th. What an uncivilized era it must’ve been before proper decimals…

Via Michael Mauboussin

Cyberpunk’ed

Sony Corp is pulling CD Projekt’s video game Cyberpunk 2077 from its PlayStation Store and offering full refunds after gamers complained it was rife with bugs (Source)

Reminder that the ideal situation is massive hype *after* your game comes out, not *before*. Managing expectations is an art.

The older gamers reading this may remember the sagas of Daikatana and Duke Nukem Forever.

Interview: Fred Liu, Hayden Capital

Aaron Edelheit recently did a good interview with Fred Liu of Hayden Capital, whom I mentioned in edition #34 after his fund reported being up 164% YTD.

They discuss a bunch of things, including how a lot of investors/funds don’t iterate and change over time and that leads to their doom, inflection points in consumer adoption and winner-take-all types of markets, Sea Limited, AfterPay, and the 80/20 rule for returns:

the power of the 80/20 rule. A handful of companies are going to drive the best performance of your portfolio. So, if you look at our Q4 2019 letter, I did a study of our historical holdings. We had made twenty-nine investments up until that point. But if you look at the top six investments, they are what drove like over one hundred percent of our returns up until that point. So, the other twenty-three investments basically netted out to zero. [...]

we have certain, like signposts for our thesis for what will get them to that point. And we're looking for indicators that our thesis is on track, you know, with typical venture funds that you may invest in a series A, but you're going to reserve some capital on the side for the companies that do work out, that are successful, that do gain traction with their customer base to be able to top it up on, say, on A on a series B on the C around on the ground and continually invest as it works [...]

if you do have arbitrary limits, you will never let a position grow over 15 percent of your portfolio or over twenty five percent, that basically kills that kind of power law dynamic early on. You want your rules to match with the way that your portfolio actually functions. You want to maximize the returns of the ones that are successful.

A promise that Liu makes to his LPs, to set expectations:

I also tell our partners, every single one of them, that I promise you one day your portfolio will be down 50 percent. Peak to trough I guarantee it to you.

Aaron has a newsletter called Mindset Value, check it out.

Interview: Sam Hinkie

I enjoyed this interview of Sam Hinkie by Patrick O’Shaughnessy. Here’s a link to the page for the interview on the new Colossus site (it includes a transcript):

Some highlights:

Hinkie: Thought hard about what other people are trying to accomplish and I tried to shape my language in a way they could hear it. That's half of what I talk to founders about. It's just that, how to build the API to the other person's brain. Doesn't matter what you say. It matters what they hear, and it matters how they feel. That's not a way to manipulate someone. It's a way to deeply understand their set of problems, and to the extent you have edge, and you won't always, to the extent you have edge, define it clearly in a way that aligns their incentives with that solution. That's mostly it.

I think this insight about being able to put yourself in the other’s shoes is very powerful. It applies if you’re writing a book or making a movie (how will the reader/audience perceive this moment, what are they likely to know about this, what associations is it likely to trigger, etc.) or building a product (put yourself in the shoes of a first-time user of your product: what do you expect, what is confusing, how much value are you getting out of it, etc.).

In this case, it means having a good enough model of someone else’s position that you can convey what you want to convey in a way that makes sense to them, and that makes any alignment of interests obvious.

Basically, you could have the same message delivered by two different people, and one would be effective, and the other would bury the lede, mask the important aspects behind filler, etc, and get nowhere.

This is all obvious stuff, but file under “simple but difficult”, like most of the other important stuff in life.

Patrick: [How] to create the right kind of serendipity in someone's trajectory[?]

Hinkie: Write, and put your thoughts out, particularly if you're proud of them, particularly if you want to make them better. This is something I've really only come to understand I think in the last several years, last couple of years, which is the returns to writing well, and the returns to getting better and better at writing.

Patrick: Basically what you're describing is a human making themselves legible to the internet. When you do that, weird, cool stuff just starts to happen.

Hinkie: Your people find you.

👋

Focus Matters, Edition #2,348


Science & Technology

24 Precious Hours — Who Do You Spend Them With?

This is a very important chart.

I recommend that you don’t just scan it in a second, but take the time to decode it and think about what it means, what you want out of life, and how to put yourself on the path to make your own personal version of that chart look the way you want it to.

Source.

Microsoft Pulls Big Daddy Move on SolarWinds Hackers

This week Microsoft took a series of dramatic steps against the recent SolarWinds supply chain attack. In the size, speed and scope of its actions, Microsoft has reminded the world that it can still muster firepower like no one else as a nearly-overwhelming force for good.

That’s a pretty badass paragraph. Always nice to see the white hats flex once in a while.

Through four steps over four days, Microsoft flexed the muscle of its legal team and its control of the Windows operating system to nearly obliterate the actions of some of the most sophisticated offensive hackers out there. In this case, the adversary is believed to be APT29, aka Cozy Bear, the group many believe to be associated with Russian intelligence, and best known for carrying out the 2016 hack against the Democratic National Committee (DNC). [...]

The speed, scope and scale of Microsoft’s response were unprecedented. Specifically, Microsoft did four things over the course of four days that effectively undid the work of the attackers.

  1. On Dec. 13, the day this became public, Microsoft announced that it removed the digital certificates that the Trojaned files used. These digital certificates allowed Microsoft Windows systems to believe that those compromised files were trustworthy. In this single act, Microsoft literally overnight told all Windows systems to stop trusting those compromised files which could stop them from being used.

  2. That same day, Microsoft announced that it was updating Microsoft Windows Defender, the antimalware capability built into Windows, to detect and alert if it found the Trojaned file on the system.

  3. Next, on Tuesday, Dec. 15, Microsoft and others moved to “sinkhole” one of the domains that the malware uses for command and control (C2): avsvmcloud[.]com. [...] In Sinkholing, an organization like Microsoft goes to court to wrest control of a domain being used for malicious purposes away from its current holder, the attacker. [...]

  4. Finally, today, Wednesday, Dec. 16, Microsoft basically changed its phasers from “stun” to “kill” by changing Windows Defender’s default action for Solorigate from “Alert” to “Quarantine,” a drastic action that could cause systems to crash but will effectively kill the malware when it finds it. (Source)

h/t Viet Q Nguyen & Jerry Capital
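A practical follow-up to step 3 above: once a C2 domain like avsvmcloud[.]com has been sinkholed, the malware’s beacons go to defender-controlled infrastructure, but your own DNS logs still tell you which internal hosts tried to resolve it. The snippet below is an added example, not code from the quoted article, from Microsoft, or from the Solorigate response; it assumes a hypothetical BIND-style query-log format and uses constructed sample lines (the subdomain labels are made up, not real Solorigate indicators). The one thing it takes from the page is the domain itself. The detail worth noticing is the label-boundary check: naive suffix matching would also flag an unrelated name such as notavsvmcloud.com.

```python
import re
from typing import Iterable, List, Tuple

# The C2 domain named in the quoted article. Everything else here (log format,
# sample lines, subdomain labels) is constructed for this example.
SINKHOLED_C2_DOMAINS = ("avsvmcloud.com",)

# Assumed (hypothetical) query-log format, resembling BIND's querylog:
#   <date> <time> client <ip>#<port>: query: <qname> IN <qtype>
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def normalize_name(qname: str) -> str:
    """Lower-case and drop the trailing dot, so 'X.Example.COM.' == 'x.example.com'."""
    return qname.rstrip(".").lower()


def matches_domain(qname: str, domain: str) -> bool:
    """True if qname is `domain` itself or any subdomain of it.

    A plain endswith(domain) would also match 'notavsvmcloud.com', so the
    comparison requires either an exact match or a '.' label boundary.
    """
    q = normalize_name(qname)
    d = normalize_name(domain)
    return q == d or q.endswith("." + d)


def find_c2_queries(
    lines: Iterable[str], domains: Tuple[str, ...] = SINKHOLED_C2_DOMAINS
) -> List[Tuple[str, str, str]]:
    """Return (source_ip, normalized_qname, matched_domain) for every hit.

    Lines that do not parse are skipped rather than silently treated as clean;
    in a real pipeline you would count them so a format change does not blind you.
    """
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qname = m.group("qname")
        for d in domains:
            if matches_domain(qname, d):
                hits.append((m.group("src"), normalize_name(qname), d))
                break
    return hits


# Constructed sample log: one benign query, one subdomain hit, one hit that
# differs only by case and trailing dot, one look-alike that must NOT match,
# and one line that is not a query record at all.
SAMPLE_LOG = """\
17-Dec-2020 09:14:02.113 client 10.20.30.40#51234: query: www.example.com IN A
17-Dec-2020 09:14:05.201 client 10.20.30.41#51235: query: abcd1234.avsvmcloud.com IN A
17-Dec-2020 09:14:07.877 client 10.20.30.42#51236: query: AVSVMCLOUD.COM. IN A
17-Dec-2020 09:14:09.004 client 10.20.30.43#51237: query: notavsvmcloud.com IN A
this is not a query record and should be skipped
"""


def demo() -> List[Tuple[str, str, str]]:
    return find_c2_queries(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, qname, domain in demo():
        print(f"{src} resolved {qname} (matches sinkholed {domain})")
```

Run it as-is and it reports the two internal hosts (10.20.30.41 and 10.20.30.42) that queried the sinkholed domain, while the look-alike and the unparseable line are ignored. Point `find_c2_queries` at your resolver’s real query log and extend `SINKHOLED_C2_DOMAINS` with whatever else your IR team has confirmed.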

The more I learn about this series of hacks, the worse they seem. What worries me most is this:

The Energy Department and National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile, have evidence that hackers accessed their networks as part of an extensive espionage operation that has affected at least half a dozen federal agencies [...]

They found suspicious activity in networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE. (Source)

Four years of incompetence and mismanagement from the top probably didn’t help US cyber-security readiness stay ahead of attackers… Hell, remember in 2017 when this administration wanted to have a joint cyber-security unit with Russia?

Meanwhile, Crowdstrike stock is up almost 10%, as everybody in charge of a big company or government agency puts IT security higher on the priority list.

OnlyNerds: ‘What Does RISC and CISC Mean in 2020?’

Like OnlyFans, but for CPU instruction set deep dives.

I thought this post by Erik Engheim was quite well written, and fairly accessible to the merely nerdy. It corrected a misconception that I had been carrying for many years (I fell for Intel’s disinformation, apparently), so I’m grateful for that.

Check it out if you’re interested in CPU design and have seen the acronyms CISC and RISC thrown around, but aren’t quite sure what they mean, and what the backstory is on each (which also helps explain the different trade-offs made by the current x86 and ARM CPU designs).

‘45M medical images found exposed online on unsecured servers’

Security analysts at CybelAngel found a crapload of insecure medical info with personal information that made it possible to identify who it belongs to:

CybelAngel tools scanned approximately 4.3 billion IP addresses and detected more than 45 million unique medical images [including X-rays and CT scans] left exposed on over 2,140 unprotected servers across 67 countries including the US, UK and Germany.

The analysts found that openly available medical images, including up to 200 lines of metadata per record which included PII (personally identifiable information; name, birth date, address, etc.) and PHI (height, weight, diagnosis, etc.), could be accessed without the need for a username or password. In some instances login portals accepted blank usernames and passwords.

“The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files,” says David Sygula, Senior Cybersecurity Analyst at CybelAngel and author of the report. (Source)

🤯

There’s still a lot of investment to be made in security…

Semiconductor Wish

Just throwing it out there, probably won’t happen, but now would be the best time for it:

I wish Apple and Nvidia would bury the hatchet.

They’ve been fighting for too long… I think that now that Nvidia is buying ARM and Apple is moving its computers to ARM, it would be a perfect time to start working together again.

Apple does great silicon work these days, but they can’t do everything and can’t be the best at everything, and there’s plenty of Nvidia IP that would be great in Macs, if only in higher-end models like the iMac Pro and Mac Pro.


The Arts & History

Manhattan, 1931

Just a cool photo. Makes me wonder… You know these “before & after” photos of places like Dubai, where you see an empty desert and then a megalopolis?

What today will look like that in 50 or 75 years?

Where will the biggest changes take place? And I don’t just mean more buildings, but anything else that will totally change a place and its role in the world (e.g. Taiwan’s semiconductor industry changed the place on so many dimensions).

Flares Can be Beautiful

If you’re not familiar, these are infrared countermeasures to try to “counter an infrared homing ("heat-seeking") surface-to-air missile or air-to-air missile.”

If you search Google Images for something like “fighter jet flares”, there are some really cool shots. This is a good one (“Angel flares” from a C-130), and this is a really unusual one showing an F-15 Eagle the moment right after the flares separated while almost vertical (it’s currently my iPhone lock-screen wallpaper — I know, kind of weird). Via Archillect