Lee's Laws

John William Lee

1. Cloud Computing is Dangerous

2. Danger in Cloud Computing
3. The Cloud Isn't Safe?!
4. A Hidden Danger in Cloud Computing
5. Danger in the Clouds – The Dark Side of Cloud Computing

Of course cloud computing is dangerous. It would have been dangerous in a blue sky as well. The
only good thing is you may hide yourself in a cloud and would not be found as easily as last year.

IT-Designs follow Evolutionary Laws

IT-business has always been dangerous to data losses. IT works with electronic devices which have
been unreliable from the very beginning, but in fact any technology will always be designed to
work at the borderline of barely acceptable unreliability. Of course this borderline had to be named
Lee's Limit as defined in Lee's Law #1.
In fact nature's evolutionary laws are really simple. If a predator reaches a speed of 100 miles / hour
the healthy prey will have to optimize its muscles and legs to make at least 5% more than that. This
principle will also be applied to design IT-equipment or nuclear plants, which may be documented
in Lee's Law #5:
In a test-environment engineers are used to design turn-off switches to allow operators to
quickly override control signals. Basically these ideas to turn-off the safety control systems
may even have been originated from a rudimentary safety management.
If tsunamis have been registered to generate altitudes of 29 meters the engineers will be
allowed to protect the plant up to 30 meter waves.
At Chernobyl the operators switched off the security shut-down of the system. Why had the shut-
down been designed with a turn-off switch anyway? A removable security must be considered as
more dangerous than an absent security system.
The nuclear Fukushima plants had not been designed to cope tsunamis at all. The designers merely
copied the American drawings, which guaranteed functionality, but did not cover the safety
precautions for tsunamis.
This essay describes Lee's Laws and their impact on IT-systems and technology.

Cloud computing
Cloud computing has not been designed for security, but for functionality. Designers will always
optimize visible functionality first and invisible security just as far as it is needed. Who cares about
crashes, data recovery and security? Well, preventive measures costs money and no customer is
paying for invisible options.
By no means these basic predetermined breaking points of security have been restricted to IT-
systems. IT-systems however will be found in all modern equipment, in organizations and
companies. The overwhelming use of vulnerable electronics will inflict all security systems and
organisations.
Of course the quality of electronic devices increases by improvements and technological progress.
Improved quality however cannot compensate the growing risks by increased complexity and the
growing numbers of installed systems. Each year the sum of potential hazards is growing by the
sheer number of installed devices.

Careless Users need Careless Designers & Operators

Users do not want to back up their data. Instead they expect an automatic backup system 1. They do
no need a backup system until something goes wrong.
A clever IT-user will never store his genuine sources in a cloud's data-storage. Only copies and
derived data are to be transferred to insecure media.
Especially if your financial position depends on IT-data a crash may ruin your lifestyle. It would be
absurd to use insecure media to manage the fundamental data for your lifestyle2.

Careless IT-operators
Hazards will especially hit the newest, fast growing technologies such as cloud computing. Today
most of the errors are not caused by hackers or criminals but by careless IT-operators of services 3. I
don't wonder about that practice. Especially in cloud computing it's cheaper to leave the testing to
the customers.

Password protection
Most of the password protection systems are unprotected, obsolete fossils from archaic software,
which should have been shredded ages ago4. Someone forgot to replace them by a modern with
longer keys, which provide much more protection.

Encryption
Virtual machines need genuine random numbers to properly encrypt data, but virtual machines don't
provide real random roots to generate security keys. I remember these generators used some
physical environment parameters, but virtual machines do not provide us with true physical objects.
"The security of these cloud-based infrastructure services is like Windows in 1999. It's
being widely used and nothing tremendously bad has happened yet. But it's just in early
stages of getting exposed to the Internet, and you know bad things are coming.5"

Backup Systems
Backup systems for large data volumes are expensive. Growing data volumes may quickly
outperform the backup systems and make it obsolete. An obsolete backup system may be neglected
or even switched off without notice to the owner or system's manager. At regular intervals backups
and other security systems need to be tested like a fire alarm. These tests will only be planned if the
customer will ask and pay for these services, but normally the customer does not even think of these
matters.
1 Cloud Computing is Dangerous
2 Danger in Cloud Computing
3 A Hidden Danger in Cloud Computing
4 The Cloud Isn't Safe?!
5 Quotation by John Pescatore of Gartner in the Financial Times.
 Intro Cloud

A cloud is a cloud -
it may start wikileaking rain
and some day it may simply disappear.
Who expects a cloud to be waterproof?
Leaking rain will bring fertility
to grow a few crops
and tons of bad weeds...

Cloud-computing is reported
to be unreliable and unsafe?
I beg you pardon.
What is safety and what is reliability?
Life is safe and reliable – it always ends deadly...
That's what I call
a predictable system.

Cloud computing follows Lee's Laws,

in which the number of severe errors
remains constant at a rate of
once a year...

Cloud computing
is just another
of these global designs
in which security costs
have been restricted
to maximal 10%
of the profits...
 Lee's Laws
Lee's Law #1
Technology will always be designed
to work at the borderline of barely acceptable unreliability.
This borderline is named Lee's Limit.
In commercial business the bulk profit will be made
at the expense of safety, and
in military business the bulk profit will be made
at the expense of XXX6.

Lee's Law #2
Global systems will always
restrict costs for security
to acceptable levels such as e.g.
one global, nuclear disaster in 25 years,
one global financial breakdown pro decade
one global cloud computing incident pro year
and three airport hassles each year.

Lee's Law #3
The failure rate for solid-state equipment is proportional
to the clock rate, the number of solid-state devices
the number of wired connections
and the software's number of bytes.

Lee's Law #4
Singular solid-state devices can reach
growing safety levels of 99,9999...%,
but used in large, expanding numbers
they will produce error levels
up one severe catastrophe pro year.

Lee's Law #5
If tsunamis have been registered
to generate altitudes of 29 meters
the engineers will be allowed
to protect the plant up to 30 meter waves.

6 Skipped by the censor-department

 The Fifties: 1 Solid-state Device

Computing started with bipolar,

unsolid-state devices.

The first solid-state device was the "cat's whisker" detector.

I've been working with those detectors when I was young.
Those days our cat Ronalda just ran away
as soon as she saw me coming...

But what is so solid in a "cat's whisker"

being scratched for hours over the fool's gold?
Yes the solidity came from the mythical gold,
but I had to scratch the whisker for hours
to hear any kind of artificial sound
and the fool must have been me...

The first solid-state devices I created around 1959

more or less looked like the Corn cob pipe radio
I found in a magazine printed around 1922

Fig. 1: Solid-state corn cob pipe

radio (1922)

Designed by F.E. Wilson, Detroit,

Popular Science, Sept. 1922
public domain
 The Sixties: Solid-state Transistors

The next generation of solid-state devices

was unreliable and unstable as well.
I started working with transistors
carrying funny names
like OC 13, OC14 and OC44.
If they worked at all
they were noisy and sensitive
to temperature changes.

Solid-state electronics are those circuits or devices

built entirely from solid materials.
These materials aren't solid at all.
They are not really conducting, but merely
semi-conducting our bits and bytes...

Conducted bits are one and non-conducted ones are zero,

but the semi-conducted bits behave like Schrödinger's cat
- a whiskered cat - which might be alive or dead,
depending on an earlier random event.

According to Schrödinger,
the cat remains both alive and dead
(to the universe outside the box)
until the box is opened.

As for me nothing has changed

since these days.
In Cloud Computing
your data will remain both alive and dead
(to the users and the data owners)
until someone is opening the window...

Windows themselves however

are in an unsolid-state.
Working randomly
semi-conducting
our bits and your bytes...

One day you will open your windows

and find the box empty
or worse: filled with the garbage
you previously dumped in your dustbin.
 The Sixties: My first Six Transistor Radio
In the early sixties
I bought a six transistor radio,
portable and all that stuff,
but soon I learned
the basic laws
of commerce and technology.

The radio operated on two transistors,

the other four devices
soldered at some extra spare pads
and easily disposed
in a customer's portable device
carried around for years.

And we will have to remember

that in a perfectly working device
merely one third
of the Germanium transistors
were operable.
The rest of these must be considered
as semi-conducting
garbage and waste.

Nothing really changed.

They are still selling
six transistor devices
in which one third is working...
 The Seventies: IT-business
You can't earn a day's living
with Schrödinger's cat
or any of his cat's whiskers.
That's why I went into IT-business.
I've seen lots of breakdowns,
crashes and data-losses.
Of course there are bad IT-systems
and bad IT-people.
There are bad bankers
and bad politicians too.

My first contact to technology

taught me to accept unreliability
as a technological standard
and to accept inaccurate
linguistic as well as
bad technical definitions
as a way of life...

Who expects reliability,

stability, solidity and linguistic accuracy
from technology
especially from IT-technology?

Not me.
I have been checking
my memory
at weekly rates
for hours
with my Checkerboard-program.

The dedicated layout system

to layout printed circuit boards
built around a NOVA-minicomputer
had been designed
to regularly crash
by hardware errors
at a rate of at least
one crash a day.
There was nothing I could do
to prevent these crashes
than to redesign the system...
Fig. 2: Detailed Photograph of singular cores in a core-memory

From an 8kByte RAM-storage for a Data-General's Nova-Computer

at a printed circuit board of 155 x 135 mm
Traveler USB-Mikroskop (60 x)

If my memory serves me well

I remember the four steps
in the boot-loader
for the NOVA-Machine:

• 000376 examine
• 060120 deposit (for a Start from Disk)
• 000377 deposit next
• 000376 examine
• start

Whenever that machine crashed

experienced operators
perfectly knew
what had happened.
(The others started
a core-dump
and started a
one-week long
error-analysis)
 The Eighties: Windows
The first versions
of Windows
had to be considered
as too unreliable
to be tested
for qualified
production processes.

My first text-processor
named Open Access
had no access at all
to external devices.
You might choose to open
a file from 10MB-disk
or from a 360kB-floppy.

I have been running around

undeleting files
for all the innocent
and unknowing
worst-case
dumbest of all users,
who couldn't resist
to confirm “Yes”
after an
“Are you really sure?”
 Today: Cloud Computing

I kept on running I guess

and in my dreams
I still I feel
I'm running
to help others
to install badly supported
and incredibly badly documented software,
to repair crashed disks
from non-existing backup files,
restoring overpaid internet access
for the 80-years old greyhounds
and the 90-years old girls.

I've seen many a cloud

passing by
or vanishing
and I am convinced:

Cloud Computing
is just another evolutionary step
balancing
at the borderline
of barely acceptable
unreliability.