Evan A. Sultanik, Ph.D.

Evan's First Name @ Sultanik .com

Computer Security Researcher
Trail of Bits

Adjunct Instructor
Drexel University College of Computing and Information Technology
Department of Computer Science

Recent Content:

On the Economics of Higher Education

In which I apply flimsy math and hand-waving to justify the time I’ve wasted in school.

There has been much “messaging on twitter” [sic] and “posting to blogs” [sic] of late regarding the economic benefit of pursuing a graduate degree in Computer Science. For example, there are claims, among other things, that a master’s degree will require 10 years to earn back the income lost during study. A Ph.D. will require a staggering 50 years. Most everything I’ve read cites this article based upon Dr. Norman Matloff’s testimony to the U.S. House Judiciary Committee Subcommittee on Immigration. Curiously, the article everyone seems to cite does not itself have a bibliography. It does, however, credit “a highly biased pro-industry National Research Council committee” for calculating these numbers. Five to ten minutes of “searching on Google” [sic] and I was unable to find a report from the National Research Council corroborating such a claim. Can anyone point me to a link?

I do not dispute that these numbers may be correct; the purpose of this blog entry is to point out that, at least in the case of most with whom I’ve matriculated, it is flat out false.

Here is my (admittedly simple) mathematical model:

$n=\frac{t ( E[s_w] + c )}{E[s_a]-E[s_w]},$
  • $t$ is the number of years spent in school;
  • $E[s_w]$ is the expected salary one would have earned if one did not attend school;
  • $c$ is the net monetary cost of attending school per year, such as tuition paid, books purchased, &c. This value should also take into account any income earned during a school year (e.g., one’s stipend) and in many cases will be a negative number;
  • $E[s_a]$ is one’s expected salary after graduating school; and
  • $n$ is the number of years one would have to work after graduating to make up for lost income.

Note that this model does not take attrition into account.

As an example, let’s say John is a Ph.D. student who, through a research assistantship, receives tuition remission and a stipend of $20,000 a year. This is quite reasonable (and actually a bit conservative according to this study). If John had not chosen to pursue a Ph.D. he would have been hired in a $65k entry level position, which is slightly on the high end. Once he has graduated (in the quite average term of five years), he expects to receive a salary of $85k which, according to this survey is on the low end. We also, however, have to account for taxes! From my own experience and from consulting virtually every graduate student I know, John will receive a refund for practically all of the money taxed from his income. Without going to school, John would be in the 25% tax bracket, with a normalized income of about $52k (taking the tiered bracketing system into account). After earning his Ph.D. John would have a normalized income of about $67k. Plugging these values into the model we get:

$n=\frac{5 \times ( 52 + (-20) )}{67-52} \approx 11.$
Therefore, John will require about 11 years to recoup the income lost during school.

I think I was relatively conservative with my income estimates, and that’s still a lot less time than 50 years! I plugged in my own stats/estimates into the model and I project that I will need fewer than five years (and I don’t even make as much as some other students I know)! Furthermore, with a Ph.D., John has theoretically more potential for advancement/promotion. Once the 11 years are over, he will have much more earning potential than a degreeless John (assuming the market for Ph.D.s remains strong, which I don’t think is a huge assumption given the lack of domestic technical/science Ph.D.s in the US right now).

Computer Science

An Introduction

People often ask me what I do or about what I am studying. Many have certain misconceptions and stereotypes that render the simple answer of “Computer Science” insufficient. For example, the vast majority of non-technical people with whom I’ve talked seem to think that learning new programming languages and writing programs are the primary areas of study for computer-related university majors. That’s like believing literature majors go to university to learn the intricacies of using pens and typewriters. In the ~7 years—and counting (gasp!)—in which I’ve been in higher education, I haven’t been taught a single programming language.

The following is an attempt on my part to answer these questions, in the hopes that I can hereafter simply refer people to this page instead of having to explain this for the thousandth time.

Hacking the Law

Thought Experiments Testing the Limits of the Law


First of all, I am neither a lawyer nor a trained ethicist. The following is a list of thought experiments related to “hacking” (i.e., testing the limits of) the law. Unless otherwise noted, I have not done any research to confirm whether or not the questions posted herein are either novel or have already been answered. Although the following contains some material related to computers, I have tried my best to write it in such a way as to be accessible to the widest audience.

Copyrighting a Number

Is it legal?

It is obviously legal to copyright an artistic work, like a digital photo. A digital photo, however, is really stored on a computer’s hard drive as a sequence of numbers, each representing the color of a dot in the picture. This sequence of numbers could be summed such that it amounts to a single, unique number. Would it be legal for one to give that number—which uniquely represents the copyrighted image—to a friend? The friend could then divide that number back into its sequence on the hard drive, thus reconstructing the original copyrighted picture. If copyrighting numbers is not legal, then I do not see why what I just described would not be legal.

The issue is actually a bit more complicated than it seems.

It is entirely possible that the method used to convert the digital picture to a single number could be slightly modified (e.g., by adding 1 to the resulting number). If the recipient of the number does not know that this was done then the resulting reconstructed picture will look like noise. If the recipient knows to subtract 1 from the number before reconstructing the picture, however, the picture will be exactly the same as the copyrighted picture.

To add even more complication, it is entirely possible that, by adding 1 to the number, the improperly decoded picture might in fact become a completely different copyrighted picture.


  1. Person X has a copyrighted picture, called picture A, that he/she legally owns.
  2. X converts the picture to a number, $n$.
  3. X sends the number $n+1$ to person Y.

Case 1:

  • Y converts the number $n-1$ back to a picture, resulting in picture A.

Case 2:

  • Y converts the number $n$ to a picture, resulting in a completely different picture B.
  • Picture B turns out to be copyrighted by person Z.
  • Neither person X nor person Y has ever even seen picture B before.

At what point is copyright lost?

Related to copyrighting a number is the following.

When the picture is represented as a sequence of numbers (representing the colors of the individual dots in the picture), it is possible to increment each of the colors of the individual dots. For example, let’s say the dot in the upper left corner of picture A is currently black. We could iteratively increment the color of that dot so that it eventually becomes white (going through a sequence of lightening grays in the process). We could even increment all of the dots in the picture at the same time.

Now, let’s say picture A is a photo of the Mona Lisa of which we do not own the copyright. Picture B is a photo of the Empire State Building that you took and of which you therefore own the copyright. Both of the pictures have the same dimensions; therefore each dot in picture A has a corresponding dot in picture B.

Now, we iteratively increment the dots in A such that they all move toward the color of their corresponding dot in picture B. Let’s call the result of this picture C. At the beginning, C will look exactly like picture A. At the end, C will look exactly like picture B. In the middle of the process, C will look like a linear combination of A and B.

Question 1

At what point during the “morph” from A to B will the “copyright” of picture C transition from that of picture A to picture B?

Question 2

Is there any point during the process that picture C might not be protected by either picture A or picture B’s copyrights?

Celebrating 200 Poetic Years

In which Rob and I embark on yet another crazy trip.

Rob Lass and I have shared many an adventure. We have embarked on a number of multi-day cycling trips. He accompanied me on a crazy U-Haul road trip to the Canadian border to retrieve a 1.5 tonne pallet of IBM servers I had acquired. We have masqueraded as lawyerly fat-cats at whiskey festivals. We both share an unnatural fascination with the life and works of Leslie Lamport. We were once collectively mooned and subsequently chided by Jello Biafra. Yet another time, we shared drinks in the hotel bar of a Holiday Inn in Monmouth, NJ, sitting next to Ron Jeremy. We have also shared a number of moments in close proximity to RMS (an activity which, incidentally, I recommend only in moderation).

I was not in the least surprised, then, when Rob approached me about going down to Baltimore for the bicentennial anniversary of Edgar Allan Poe’s birth, followed by a stakeout of Poe’s grave to catch the Poe Toaster. The intervening hours were to be filled at The Horse You Came In On Saloon, which was supposedly one of Poe’s favorite hangouts, and is said to be the last place he was seen before his death. I heartily endorsed this plan.

The first matter of business was to make our two hour road trip as pleasant as possible. This obviously entailed gratuitous electronics.

How We Roll

Upon our arrival at Westminster Hall (the location of the bicentennial ceremony), we first set out to examine Poe’s grave in what remained of the daylight.

Rob and Evan at Poe's Grave
Please ignore the two fops and focus your attention on the fence in the background: this is the one over which we suspect the toaster makes his entrance. The building behind the fence is the Law Library of the University of Maryland. The courtyard between the fence and the building is secured and only accessible from either the interior of the library or by scaling two consecutive fences in an adjacent alley (more on this below).

Charm City Cakes (of Ace of Cakes fame) created a cake for the event.

Charm City Poe Cake
The cake was raffled off to the guests, and I am sorry to report that neither of us won.

I’d also like to report that many Poe fans are certified weirdos. Some also have extreme dedication.

Extreme Dedication
In this particular case, however, to what the dedication is I am not sure (the ceremony overlapped with the Baltimore Ravens’ unsuccessful bid at the Super Bowl).

The celebration as a whole, however, was quite fun, including a number of very good performances. Rob and I also got to get to know John Astin, which turned out to be somewhat of a letdown. But he’s ancient, so it’s okay.

The View from Inside Westminster Hall

Afterward we got a bite to eat and caught the tail end of said Ravens game at The Horse You Came In On.

The Horse You Came In On
I learned four things from this experience:
  1. Yuengling seems to be as popular in Baltimore as it is in Philly;
  2. in Baltimore, Yuengling is not pronounced “lager;”
  3. despite the fact that Baltimore lost to the Pittsburgh Steelers and my car has a PA license plate, no one mistook my car for that of a Steelers fan and flipped it over in a riot (as would undoubtedly have been the case if Baltimore were populated by Philadelphia sports fans); and
  4. the “frat” scene seems to descend on The Horse You Came In On immediately after the completion of sports games.

The gate closest to the monument.

We got back to the graveyard around 00:30 on the 19th to find a crowd of about 60 people. We really didn’t know what to expect; apparently neither did anyone else, as wild rumors started to fly. One rumor claimed that the toaster often made rounds to the fences surrounding the graveyard to say hi (and undoubtedly sign countless autographs and pose for pictures). Another rumor claimed that the toaster was none other than Poe House curator Jeff Jerome himself. This is all complicated by the fact that Poe actually has two graves (he was exhumed in the late 19th century to make way for his monument and re-buried in the back of the graveyard—a location not visible from the sidewalk/gates). The grave in the back is the one in which Rob and I were photoed above. Some people thought the toaster visited the monument (which is visible from the street), while others thought that he visited the grave in the back. There were therefore two groups of people each clustered around the gate closest to one of the graves. The “monument” group seemed to be a mix of the aforementioned weirdos with a healthy dose of hipsters. They spent their time reading poetry. The group at the other gate (closest to the back grave) was decidedly more hardcore; spirits flowed from many a hip flask.

The gate closest to the rear grave (where the toaster usually goes).

At this latter gate, Rob and I met up with a guy who had actually attended this thing before; in fact, he claimed to have attended every year since 1983. He and his son (a teenager) come every year to try and get a picture of the toaster, most likely to sell to a magazine (there is only one known photo of the toaster from a 1990 issue of Life magazine reproduced here). He said that the toaster almost always goes to the back grave. The toaster gets no cooperation from any authorities; neither the Westminster Burial Grounds nor the UMD Law Library provide him with any assistance. Jeff Jerome camps out in the church every year to simply confirm that the toaster is the same person as the year before (i.e., there is not an impostor) and also to ensure the identity of the toaster remains secret (because if his identity were ever revealed the magic of the tradition might be lost). Jerome does not know who exactly the toaster is, however, and he does not want to know. Once the toaster arrives, does his toast, and makes his exit, Jerome goes into the graveyard, collects the bottle of liquor, flowers, and any notes the toaster may have left, puts them in the church, and leaves. It is Jerome’s exit that cues the hordes of weirdos, hipsters, alcoholics, and amateur journalists that the toaster has come and done his deed.

The alley next to the graveyard.

At around 01:30, the man’s teenage son came up to his father saying that he had been surveilling the alley adjacent to the graveyard that I mentioned above. Three guys had gone in, but he only saw two of them come out. Rob immediately walked down to the alley and I followed close behind. Rob got there first and apparently saw two guys on the other side of the two fences (one fence of which was about 10 feet tall). One fellow jumped over the brick wall to the graveyard. The other hid behind a small half wall, peeked his head out to look at Rob, and then sprinted over the wall to follow his companion. About five minutes later, camera flashes could be seen reflecting off of the walls of the law library, seeming to emanate from the area of the back grave. We assumed this was the Poe Toaster having pictures taken for his own record. We waited for another hour or so but nothing happened. It was cold, and the toaster had likely already come and gone, so we drove home.

All in all, it was an awesome adventure.

You can read Rob’s account of it here.

Walking to the Horizon

or, A Mathematical Argument for a Gastronomical Visit to Stockholm

I am subscribed to David Horvitz’s new project entitled IDEA SUBSCRIPTION in which he posts almost-daily simple instructions. Yesterday’s instructions read as follows:

I do not profess to have spent much time researching this in the past, but I had never heard of this approximation before. The approximation is so concise that I was curious as to its error. The approximation is obviously incorrect for very tall heights since it is unbounded:
$\lim_{h \rightarrow \infty} \sqrt{1.5 h} = \infty,$
viz., in actuality an enormously tall person (whose eyes were almost an infinite distance away from the surface of the Earth) would only be able to see a quarter of the Earth’s circumference in front!

I therefore spent the last 5 minutes formalizing a bound on the error of this approximation. The results, which follow, were quite surprising.

Cycle Junkie Shirt

An esoteric shirt inspired by a slightly less esoteric conference.

In late July of 2006, Rob Lass and I decided to attend the HOPE conference in New York City. We were both living in Philadelphia at the time, being conveniently a little over 100 miles (~160km) from NYC. Earlier that year we had successfully piloted our bicycles from Philadelphia to Reston, Virginia, averaging over 100 miles each day. Therefore, we set out to ride up to New York in one day.

The HOPE conference is attended, in large part, by geeks, mostly of the computer variety. From our interactions with the then burgeoning bicycle subculture in Philadelphia, we had noticed a large overlap with the computer geek subculture. An idea was thus born: We were to design and print a t-shirt—de facto uniform of bike- and computer-geeks alike—that would marry the two subcultures. We would then sell the t-shirts at HOPE to help fund our expedition.

Here is the design up with which I came:

There are three “cycles” referenced in the design:

  1. a bicycle (obviously);
  2. a CPU cycle; and
  3. a graph cycle.

The term “cycle junkie” was coined by Bill Gosper.

Although I am almost sold out of the first printing, if there is enough interest I might organize a second printing of the shirts. Contact me if you’re interested.

Sultanik’s Law of Wikipedia Authors

Result: Trolls always prevail.

$$\lim_{t \rightarrow \infty}P(a = \mbox{Expert} \vee a = \mbox{Troll}) = 1.0,$$

where $t$ is time and $a$ is the author of a new article on Wikipedia.

Another way of saying it: as time progresses, it becomes more and more of a fact that the authors of new articles on Wikipedia will be either experts or trolls.

Only π more hours to go…

In which I am trolled by a software utility.

This evening I finally got around to doing some forensic data recovery from a broken (i.e., horribly clicking) hard drive. Most of the data I had backed up, but there are a couple of non-vital files that it would be nice to recover. That, and I've never done something like this before and it's quite fun. It's especially fun that the partition I'd like to recover was formatted in ReiserFS, for which no free and few commercial recovery tools exist.

The first step to data recovery is making an image of the faulty disk on a healthy hard drive. The disk image can then be repaired and diagnosed without having to worry about hardware failures (i.e., the dreaded clicking). The tool of choice for this is ddrescue. For those that are familiar with the *NIX command dd, ddrescue works similarly except it skips over bad sectors. Once all of the good sectors are copied, it then goes back to all of the bad sectors and tries to read them again (in case the hardware malfunction is stochastic).

ddrescue prints out a handy list of statistics, including the average transfer rate. My rate is currently at 7120 kB/s (it's so slow because I am copying the image to my network file server over 100BaseT to a Pentium-III box running software raid). The hard drive I am recovering is 76.8 GB in size. I did some quick calculations to figure out how long I'd have to wait before this thing finishes.

$\frac{76.8\ \mbox{GB}}{7120\ \mbox{kB/s}} \approx 3.141\ \mbox{hours} \approx \pi.$
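The copy strategy described above (one sweep that skips unreadable sectors, then retries of only those sectors) as an added Python example; it is not ddrescue's code or the author's. `FlakyDisk`, `rescue` and the eight-sector sample are constructed for illustration, and the 512-byte sector size and the retry limit are assumptions.

```python
"""Two-phase imaging of a failing disk (added illustration, not ddrescue itself)."""

SECTOR = 512  # assumed sector size in bytes


class FlakyDisk:
    """Constructed stand-in for a failing drive.

    fail_counts maps a sector index to the number of reads that fail before
    one succeeds; None means the sector never reads (permanent damage).
    """

    def __init__(self, sectors, fail_counts):
        self.sectors = sectors
        self.remaining = dict(fail_counts)

    def read(self, index):
        left = self.remaining.get(index, 0)
        if left is None:
            raise OSError(f"sector {index}: unrecoverable read error")
        if left > 0:
            self.remaining[index] = left - 1
            raise OSError(f"sector {index}: transient read error")
        return self.sectors[index]


def _copy_sector(disk, image, index):
    """Copy one sector into the image; return False if the read failed."""
    try:
        image[index * SECTOR:(index + 1) * SECTOR] = disk.read(index)
        return True
    except OSError:
        return False


def rescue(disk, retry_passes=3):
    """Return (image, bad_sectors) after a skip-then-retry copy.

    The image is pre-sized and zero-filled, so an unreadable sector leaves a
    hole of zeros and every other sector keeps its original offset. That is
    what lets a filesystem repair tool work on the image afterwards.
    """
    count = len(disk.sectors)
    image = bytearray(count * SECTOR)

    # Phase 1: a single sweep that never lingers on an error, so the healthy
    # data is off the dying hardware as early as possible.
    bad = [i for i in range(count) if not _copy_sector(disk, image, i)]

    # Phase 2: revisit only the recorded bad sectors, because a fault that is
    # stochastic may clear on a later attempt.
    for _ in range(retry_passes):
        if not bad:
            break
        bad = [i for i in bad if not _copy_sector(disk, image, i)]

    return bytes(image), bad


def make_sample_disk():
    """Constructed sample: 8 sectors, sector i filled with the byte i + 1."""
    sectors = [bytes([i + 1]) * SECTOR for i in range(8)]
    # Sector 2 fails once, sector 5 fails three times, sector 6 is dead.
    return FlakyDisk(sectors, {2: 1, 5: 3, 6: None})


if __name__ == "__main__":
    image, bad = rescue(make_sample_disk())
    print(f"imaged {len(image)} bytes, unrecovered sectors: {bad}")
```

The list of sectors still bad after the last pass is the part of the image that any later filesystem repair has to treat as missing data.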


In which I blatantly offend yet another group of people.

I’d like to begin with a simple analogy that expresses my feelings on the subject at hand:

aborted llama fœti : Perestroika :: Flexitarianism : this analogy.

In other words, flexitarianism makes as much sense as grooming one’s pubic hair with a rusty vegetable peeler. I fail to see how flexitarianism is any different than, oh, say, being an omnivore. “I am a vegetarian… except for when consumption of animal products is required socially, nutritionally, culturally, or pragmatically.” STFU. In other words, you’re a normal omnivore who cannot always stomach eating meat for some reason, most likely due to moral dissonance. I have no problem with vegetarianism—or any other diet, for that matter—as long as its practitioners do not proselytize. I don’t care if you deprive yourself of certain foods on moral, religious, or nutritional grounds. What does offend me is the addition of a new word to our vernacular that adds little or nothing semantically. Also, it is concerning that those in moral conflict about eating meat are given a new term to legitimize their ethical limbo, thus postponing their decision about whether or not to give up being an omnivore.

I only drink to excess when it is socially acceptable.

The flexoholic.

I only cheat on my spouse pragmatically.

The flexadulterer.

Dictionary and Thesaurus Lookup in Emacs

Or, adding a feature to a piece of software that already has too many features.

Emacs is my preferred tool for editing LaTeX documents. A few years ago I got tired of switching back and forth to a terminal or web browser every time I wanted to look up a word in the dictionary or thesaurus. To remedy this, I wrote a simple, 100-line Emacs Lisp plugin to look up words using the DICT protocol.

One can simply cut/paste this into their .emacs file or make it a separate file in their elisp directory.

; -*-Emacs-Lisp-*-
; File:         dict.el
; Description:  Dict access functions
; Author:       Evan Sultanik
; Created:      Sun Aug 14 15:44:57 2005
; Modified:     Thu Nov 15 08:45:48 2007
; Language:     Emacs-Lisp
; Package:      N/A
;; *******************************************************
;; ***** THIS IS AN ALPHA TEST VERSION (Version 0.2) *****
;; *******************************************************
;; dict.el
;; Copyright (C) 2005 Evan Sultanik (http://www.sultanik.com/)
;; This program is free software; you can redistribute it and/or modify
;; it under the terms of the GNU General Public License as published by
;; the Free Software Foundation; either version 1, or (at your option)
;; any later version.
;; This program is distributed in the hope that it will be useful,
;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;; GNU General Public License for more details.
;; You should have received a copy of the GNU General Public License
;; along with this program; if not, write to the Free Software
;; Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

(defvar dict-protocol-client "dict"
  "This is the name and/or path to the local copy of the DICT protocol client.")

(defconst dict-scratch-buffer-name "*dict*"
  "This is the name of the buffer in which the dict output is displayed.")

(defun dict-extract-word ()
  "From the current buffer, extract and return the word under the cursor."
  (let (start)
    ;; save-excursion puts point back where it was once the word is read
    (save-excursion
      (forward-char 1)
      (backward-word 1)
      (setq start (point))
      (forward-char 1)
      (if (not (re-search-forward "\\b"))
          (error "Can't find end of word"))
      (buffer-substring start (point)))))

(defun dict-lookup-word (word dict)
  "Look up the word WORD using the client, given by
`dict-protocol-client'.  The results will be displayed in the buffer
given by `dict-scratch-buffer-name'.  If DICT is nil, WORD is looked
up from a thesaurus only."
  (interactive "sWord to lookup? \nP")
  (let ((dict-buffer (get-buffer-create dict-scratch-buffer-name)))
    ;; save-excursion restores the caller's buffer and point afterwards
    (save-excursion
      (buffer-disable-undo (set-buffer dict-buffer))
      (setq buffer-read-only nil)
      (setq disable-point-adjustment t)
      (display-buffer dict-buffer)
      ;; call-process hands WORD to the client as one argv entry;
      ;; no shell ever parses it
      (if (null dict)
          (call-process dict-protocol-client
                        nil ;; no infile
                        t   ;; put output in the current buffer
                        t   ;; re-display as we get more output
                        "-P" "-" "-d" "moby-thes" word)
        (call-process dict-protocol-client
                      nil ;; no infile
                      t   ;; put output in the current buffer
                      t   ;; re-display as we get more output
                      "-P" "-" word))
      (setq buffer-read-only t)
      (goto-char (point-min)))))

(defun thesaurus-lookup-word (word)
  "Look up WORD in the thesaurus only."
  (dict-lookup-word word nil))

(defun dictionary-lookup-word (word)
  "Look up WORD in the dictionary."
  (dict-lookup-word word t))

(defun thesaurus-lookup-word-in-text (exact)
  "Like `dict-lookup-word', but uses the word under the cursor."
  (interactive "P")
  (thesaurus-lookup-word (dict-extract-word)))

(defun dictionary-lookup-word-in-text (exact)
  "Like `dict-lookup-word', but uses the word under the cursor."
  (interactive "P")
  (dictionary-lookup-word (dict-extract-word)))

This code assumes that you have the command dict available.

You can set a keyboard shortcut as follows:

(global-set-key (quote [f7]) 'thesaurus-lookup-word-in-text)
(global-set-key (quote [f8]) 'dictionary-lookup-word-in-text)

Pressing the F7 and F8 keys will then look up the word under the cursor in the thesaurus or dictionary, respectively.