    RISKS-LIST: Risks-Forum Digest Thursday 28 May 2020 Volume 31 : Issue 90

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.90>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Let's fix 'em before they break -- or are broken (Lali-Larrauri via PGN)
    Sorry, media: You're not victims no matter how much abuse you take --
    Did you know that? (NYPost)
    Concerns as rise of connected cars coincides with sharp increase in
    cyber-attacks (Auto Express)
    How Automated Background Checks Freeze Out Renters (NYTimes)
    Riding the State Unemployment Fraud Wave (Krebs)
    Election Integrity in RISKS (PGN)
    We Don’t Even Have a COVID-19 Vaccine, and Yet the Conspiracies Are Here
    (The Atlantic)
    Re: The Pandemic Is Exposing the Limits of Science (Bob Wilson)
    Risk of Polarisation (Anthony Thorn)
    Re: Ioannidis (Martin Ward)
    Re: misinformation (Dmitri Maziuk, Henry Baker)
    More on the Tweeter and the Tweetee (PGN-pruned from LW and retitled)
    Re: Vitamin C (David Broadbeck)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 28 May 2020 14:22:08 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Let's fix 'em before they break -- or are broken

    An op-ed in *The New York Times* by Upmanu Lali and Paulina Concha Larrauri,
    28 May 2020, is titled "Dam Failures Are a Warning". RISKS for years might have more generally written "Damn Failures are a Warning."

    After two recent dam failures, this article notes that "about 25,000 dams
    are considered high or significant hazards if they failed." The final paragraph is pithy, and very relevant here:

    "We need a real plan and real money, and we need them soon. The
    coronavirus pandemic, which we are spending billions to battle, should at
    least remind us that a little bit of prevention can avert an enormous
    amount of anguish."

    This is pervasive advice, and should also apply to aging bridges, buildings, roads, manufacturing plants, and even computer software and networks.

    ------------------------------

    Date: Thu, 28 May 2020 05:53:00 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Sorry, media: You're not victims no matter how much abuse you take
    -- Did you know that?

    President John Adams signed a law making it a crime to criticize the government; 20 newspaper editors were imprisoned. Andrew Jackson not only
    had his own paper, edited by a member of his cabinet, but it got government subsidies. [...]

    https://nypost.com/2020/05/25/sorry-media-youre-not-victims-no-matter-how-much-abuse-you-take/

    ------------------------------

    Date: Thu, 28 May 2020 05:54:00 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Concerns as rise of connected cars coincides with sharp increase in
    cyber-attacks (Auto Express)

    Cyber-attacks on connected cars rose by 700 per cent between 2010 and 2019, according to new analysis, prompting experts to warn that drivers should
    clear all personal data from their cars before selling them.

    Some 67 per cent of new cars registered in the UK are `connected', meaning
    they transmit data to their manufacturer via the Internet. By 2026, it's thought that every single new car will be connected, according to research
    by energy comparison site Uswitch.

    The 700 per cent rise in cyber attacks on connected cars is shown by data
    from security firm Upstream. In its most recent report on the subject, the company analysed 367 global data-breach incidents between 2010 and 2019 involving cars, 155 of which took place in 2019 alone - a growth of 99 per
    cent over the previous year.

    One incident in October 2019 saw a mobile phone app Mercedes drivers could
    use to locate and unlock their cars sometimes showed other people's
    accounts and vehicle information. The previous month, thieves were caught
    on camera stealing a Tesla in under 30 seconds using a keyless entry hack.
    July 2019 saw an exposed database at Honda allowing anyone to see which of
    its systems had security vulnerabilities, risking 134 million rows of
    employee data.

    Earlier in the year, Toyota suffered two separate cyber attacks in the
    space of five weeks, with the offenders accessing servers that held sales information related to 3.1 million customers. [...]

    https://www.autoexpress.co.uk/consumer-news/352378/concerns-rise-connected-cars-coincides-sharp-increase-cyber-attacks

    ------------------------------

    Date: Thu, 28 May 2020 14:44:24 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: How automated background checks freeze out renters (NYTimes)

    Algorithms that scan everything from terror watch lists to eviction records spit out flawed tenant screening reports. And almost nobody is watching.

    https://www.nytimes.com/2020/05/28/business/renters-background-checks.html

    ------------------------------

    Date: Thu, 28 May 2020 05:51:00 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Riding the State Unemployment Fraud Wave (Krebs)

    When a reliable method of scamming money out of people, companies or governments becomes widely known, underground forums and chat networks tend
    to light up with activity as more fraudsters pile on to claim their share.
    And that's exactly what appears to be going on right now as multiple U.S. states struggle to combat a tsunami of phony *Pandemic Unemployment
    Assistance* (PUA) claims. Meanwhile, a number of U.S. states are possibly making it easier for crooks by leaking their citizens' personal data from
    the very websites the unemployment scammers are using to file bogus claims.

    Last week, the U.S. Secret Service warned of *massive fraud* against state unemployment insurance programs <https://krebsonsecurity.com/2020/05/u-s-secret-service-massive-fraud-against-state-unemployment-insurance-programs/>,
    noting that false filings from a well-organized Nigerian crime ring could
    end up costing the states and federal government hundreds of millions of dollars in losses.

    Since then, various online crime forums and Telegram chat channels focused
    on financial fraud have been littered with posts from people selling
    tutorials on how to siphon unemployment insurance funds from different
    states. [...]

    https://krebsonsecurity.com/2020/05/riding-the-state-unemployment-fraud-wave/

    ------------------------------

    Date: Thu, 28 May 2020 14:22:08 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Election Integrity in RISKS

    I finally decided to update a subsection of my very out-of-date http://www.csl.sri.com/neumann/illustrative.pdf summary of RISKS issues, and have now created a version that summarizes all of the RISKS items relating
    to Election Integrity. It is 16 pages two-columned in fine print, which
    should give you an idea of how relevant this topic has been in past issues
    of RISKS:

    http://www.csl.sri.com/neumann/risks-voting.pdf

    ------------------------------

    Date: Thu, 28 May 2020 17:45:16 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: We Don’t Even Have a COVID-19 Vaccine, and Yet the Conspiracies Are
    Here (The Atlantic)

    Even as vaccines for the disease are being held up as the last hope for a return to normalcy, misinformation about them is spreading.

    https://www.theatlantic.com/science/archive/2020/05/covid-19-vaccine-skeptics-conspiracies/611998/

    ------------------------------

    Date: Thu, 28 May 2020 13:37:03 -0500
    From: Bob Wilson <wilson@math.wisc.edu>
    Subject: Re: The Pandemic Is Exposing the Limits of Science (Bloomberg)

    In recent decades people seem to have adopted a terribly simplified, rather lazy, version of science. Consider the word's Latin roots, meaning just "knowledge", not something miraculous. One good read is /Failure/, by Stuart Firestein, subtitled "Why Science is so Successful".

    The scientific method hopes to approach truth, but not usually in a
    continuous way or by sudden understanding of everything that really matters.
    As a discrete process, it can't quite be described as asymptotic. But
    laymen (or women, we need a new word!) have come to expect that scientists
    have perfect knowledge: The workers themselves generally see many things in their results that need to be improved. Think of Newton's theory of
    gravity, and his /Principia/, which were and still are marvelous accomplishments: By the late 19th century it was widely recognized that his version of gravity was not quite right, and Einstein in both special
    relativity and then (another step forward) general relativity, took care of much of what had been worried about. We certainly accept Newton as
    accurately describing what happens if we drop a rock from our hands, but
    NASA needs Einstein's improvements if calculating orbits, engine burn data, etc. And nowadays there are discussions about how Einstein's world is still
    not quite right.

    In our current crisis we have tried to collapse the time scale to zero. The amount of work and the knowledge gained have both been amazing. But it is unreasonable to expect that complete and accurate results would be found by now! The population at large has been led to believe that any technology
    that requires you to think is thereby shown to be flawed. I would hope that /Risks/ participants would understand how this works and how we need to
    think and learn rather than to expect impossible payoffs! We can pray/hope/wish/... for results quickly, but those don't come with
    guarantees, and the answers probably won't be simple!

    My own field is mathematics, where it might be easier to decide that a
    result is really right than in some of the messier parts of our world that
    have to deal with outside facts. But it is really sad to see people who
    should know better seeming to misunderstand the whole way science works.

    ------------------------------

    Date: Thu, 28 May 2020 09:33:12 +0200
    From: Anthony Thorn <anthony.thorn@atss.ch>
    Subject: Risk of Polarisation (Re: Maziuk and Ladkin)

    Regarding the contributions from Messrs Maziuk and Ladkin; I do hope that the polarisation and associated symptoms which we are seeing in U.S. and UK politics will not infect RISKS!

    I do not think Prof. Ferguson needs defending, but I was under the
    impression that the "250'000 deaths" estimate was based on the assumption
    that NO lockdown measures were introduced.

    "Coronavirus: UK changes course amid death toll fears" https://www.bbc.com/news/health-51915302

    If this forecast contributed to the decision to implement the lockdown it certainly saved many lives.

    ------------------------------

    Date: Thu, 28 May 2020 11:44:44 +0100
    From: Martin Ward <martin@gkc.org.uk>
    Subject: Re: Ioannidis (re: Baker)

    Back on 17th March John P.A. Ioannidis wrote:

    In the absence of data, prepare-for-the-worst reasoning leads to extreme measures of social distancing and lockdowns. Unfortunately, we do not know
    if these measures work.

    I don't know why this ten-week-old piece was included in comp.risks: as if
    it contained current and up-to-date information.

    The *current* situation is that we *do* know which measures work to contain
    the virus! Currently, 45 countries from around the world are winning: with
    the number of new cases per day dropping towards zero. 27 countries are
    "nearly there", while 52 countries (including the UK and the USA) need to
    take action.

    The data is here:

    https://www.endcoronavirus.org/countries

    Back in November 2019 the USA and the UK were determined to be the two countries best prepared for a pandemic. https://www.weforum.org/agenda/2019/11/countries-preparedness-pandemics Both countries knew that the pandemic was coming in mid February, both decided to take little or no action. As a result, these two countries now have the highest death tolls of all.

    The USA and South Korea recorded their first cases on the same day:
    South Korea immediately introduced a range of effective measures
    including lockdown, extensive testing, contact tracing and isolation.
    As a result the virus was contained with a total number of deaths,
    as of today, of just 269.

    By contrast, the USA has just passed over 100,000 deaths in the same time period, and is planning to ease the lockdown while in 20 states the number
    of new cases per day is still increasing.

    It is estimated that over 30,000 deaths in the UK could have been avoided by starting the lockdown a week earlier: such is the power of unconstrained exponential growth.

    https://www.telegraph.co.uk/global-health/science-and-disease/earlier-us-lockdown-could-have-saved-tens-thousands-lives/

    (In searching for the above article I also discovered that more than 130,000 deaths in the UK since 2012 could have been prevented if improvements in
    public health policy had not stalled as a direct result of austerity
    cuts. Life is cheap in the UK: https://www.theguardian.com/politics/2019/jun/01/perfect-storm-austerity-behind-130000-deaths-uk-ippr-report)

    ------------------------------

    Date: Thu, 28 May 2020 11:59:03 -0500
    From: dmaziuk <dmitri.maziuk@gmail.com>
    Subject: Re: misinformation (RISKS-31.89)

    "I cry wolf because I have an overly sophisticated pile of computer code
    that sometimes indicate a wolf may come"

    Perhaps we the experts should wake up and stop calling a spade a small-scale manual earth moving implement before the sentiment becomes universal and the mob reaches for torches and pitchforks.

    ------------------------------

    Date: Thu, 28 May 2020 10:41:19 -0700
    From: Henry Baker <hbaker1@pipeline.com>
    Subject: Re: Misinformation (Ladkin, RISKS-31.84-89)

    I think that most experts are all in violent agreement that these epidemiological models are 'ill-conditioned', hence *any* noise in the input can be dramatically *amplified* in such a way that it can often overwhelm
    any 'answer'. Analogy: those screeching noises that are often heard from
    audio public address systems that have positive feedback; the screeches
    often overwhelm the person speaking.

    Re: network-simulation Monte Carlo models, e.g., the Imperial model:

    Monte Carlo models require enough iterations/runs in order to *average out*
    the sampling noise (so that the 'result' is independent of the particular random samples used), *which requires fully "exploring" the nether/tail
    regions of the particular probability density function*.

    The most trivial Monte Carlo model is that of estimating the *mean* of a distribution by computing statistics from N samples. How many samples are required in order to assure a reasonable estimate of the mean, where by 'reasonable' I mean an answer good to the first digit or so, *irrespective
    of the random choices made* (one of the most substantial criticisms of the Imperial model) ? Answer: N ~ O(distribution variance).

    OK. Let's take an oversimplified 'superspreader' model for R0: 99% of the time, R0=2, and 1% of the time, R0=98. The mathematical mean of this
    bimodal distribution is 2.96, and the mathematical variance of this distribution is ~91. But I just ran this Monte Carlo model and it takes at least 15,000 random samples of this distribution just to get a reasonable approximation to just one number -- its mean!

    The reason why so many samples are required is that the relatively rare
    event where R0=98 has to occur often enough to average out against the
    vastly more probable R0=2 events.

    But we're only getting started. R0 appears as the *base* of an exponential
    in various epidemic models -- e.g., (R0)^(a*t), for some constant a.

    But what if we have to sample, e.g., (R0)^10, i.e., a*t=10 -- to compute its mean ? How many samples will we need to get a decent approximation ? (Note that this is the 10-fold product of independently chosen R0's, so we can't simply average numbers like sample^(1/10).)

    So I ran another Monte Carlo experiment to compute the mean of the product
    of 10 samples from our bimodal distribution from above. Even after sampling
    1 billion such products, I still could not converge to even *one* decimal
    digit of the mean, and the population variance was trending to O(10^15).
    (Note that the worst case product has value 98^10 ~ 10^20, but also
    probability (1/100)^10 = 10^(-20).)

    How can we better understand the probabilities of exponentials? Often elementary statistics classes don't deal with *products* of random
    variables, much less *exponentials* of random variables. One simple way to understand such products and exponentials utilizes *lognormal*
    distributions, which are not bimodal, and have heavy but not fat tails, and
    are tractable. If X=L(m,v) is a lognormal distribution with parameters m,v, then the distribution for the exponential X^n is L(n*m,n*v).

    The mean of L(n*m,n*v) is exp(m+v/2)^n; the variance of L(n*m,n*v) is exp(2*m+v)^n*(exp(v)^n-1). If we choose m,v to match the mean and variance
    of our bimodal distribution above, then m~-0.1322 and v~2.4348, so the mean
    of X^n is (2.96)^n and the variance of X^n is (2.96)^(2n)*(11.414^n-1) ~
    100^n.

    Since the variance of our lognormal (R0)^10 is ~100^10 = 10 *billion*, it
    could take O(10 billion) random samples to get a reasonable approximation to the mean of (R0)^10. I'd be willing to bet that the Imperial model was not
    run 10 billion times, much less 10^15 times (for our bimodal distribution).

    But this is merely one positive feedback loop in such a Monte Carlo network simulation. What happens when there are multiple positive feedback loops ?
    How many runs might then be required ?

    The problem here is that our samples have to explore an incredibly wide and incredibly shallow distribution, and then accumulate enough weight for each sample to guarantee some reasonable accuracy for our result. But even if we performed such a computation, what would it mean when the *variance* of the distribution is so wide -- hence the weight of any particular value is so
    tiny -- of what practical use is *any* particular value -- e.g., the "mean"?

    This is the reason why "R0" models make no sense in the presence of superspreaders -- there is no single 'R0' that captures any useful aspect of the behavior of the epidemic.
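
    Baker's sampling argument, carried through in code as an added example (not from the post or from any model it discusses): the exact moments of the two-point R0 distribution, the sample count implied by the "N ~ O(variance)" rule (written here as variance over the squared tolerance), the share of the mean of a 10-fold product carried by outcomes too rare to sample, and the matched lognormal. The seed and tolerances are my own choices.

```python
"""Added example (not from the RISKS post): Monte Carlo convergence for the
two-point 'superspreader' R0 distribution (99%: R0=2, 1%: R0=98)."""
import math
import random

P_RARE, R0_COMMON, R0_RARE = 0.01, 2.0, 98.0


def bimodal_moments():
    """Exact mean and variance of the two-point R0 distribution."""
    mean = (1 - P_RARE) * R0_COMMON + P_RARE * R0_RARE
    second = (1 - P_RARE) * R0_COMMON**2 + P_RARE * R0_RARE**2
    return mean, second - mean**2


def samples_for_tolerance(variance, tol):
    """Draws needed for the standard error sqrt(variance/N) to reach tol.
    This is the 'N ~ O(variance)' rule spelled out: N = variance / tol**2."""
    return math.ceil(variance / tol**2)


def monte_carlo_mean(n, seed=1):
    """Estimate E[R0] from n i.i.d. draws; seeded so the run is repeatable."""
    rng = random.Random(seed)
    return sum(R0_RARE if rng.random() < P_RARE else R0_COMMON for _ in range(n)) / n


def product_mean_by_rare_count(k=10):
    """Exact decomposition of E[R0^k], the mean of a product of k draws.
    Returns (j, probability, product_value, contribution) rows, j being the
    number of R0=98 factors: the mass a sampler must visit to get it right."""
    rows = []
    for j in range(k + 1):
        prob = math.comb(k, j) * P_RARE**j * (1 - P_RARE) ** (k - j)
        value = R0_RARE**j * R0_COMMON ** (k - j)
        rows.append((j, prob, value, prob * value))
    return rows


def tail_share_of_mean(k=10, max_prob=1e-6):
    """Fraction of E[R0^k] carried by outcomes with probability <= max_prob."""
    rows = product_mean_by_rare_count(k)
    total = sum(row[3] for row in rows)
    return sum(row[3] for row in rows if row[1] <= max_prob) / total


def lognormal_match(mean, variance):
    """Lognormal parameters (m, v) with the given mean and variance."""
    v = math.log(1 + variance / mean**2)
    m = math.log(mean) - v / 2
    return m, v


def lognormal_power_moments(m, v, n):
    """Mean and variance of X^n for X = L(m, v), i.e. of L(n*m, n*v)."""
    mean = math.exp(m + v / 2) ** n
    var = math.exp(2 * m + v) ** n * (math.exp(v) ** n - 1)
    return mean, var


if __name__ == "__main__":
    mean, var = bimodal_moments()
    print(f"exact mean {mean:.4f}, variance {var:.4f}")
    print("draws for standard error 0.1:", samples_for_tolerance(var, 0.1))
    print("Monte Carlo mean from 20000 draws:", monte_carlo_mean(20_000))
    for j, p, val, c in product_mean_by_rare_count():
        print(f"{j:2d} rare factors: p={p:.2e} value={val:.3e} adds {c:9.1f}")
    print("share of E[R0^10] in outcomes with p <= 1e-6:", tail_share_of_mean())
    m, v = lognormal_match(mean, var)
    print(f"matched lognormal m={m:.4f} v={v:.4f}")
    print("X^10 mean and variance:", lognormal_power_moments(m, v, 10))
```

    About a fifth of the mean of the 10-fold product sits in outcomes with probability below one in a million, which is what makes a few thousand or even a few million runs insufficient.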

    ------------------------------

    Date: Wed, 27 May 2020 20:21:22 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: More on the Tweeter and the Tweetee [PGN-pruned and retitled]

    On FOX News, Zuckerberg Criticizes Twitter For Fact-Checking Trump Tweets
    (Forbes) https://www.forbes.com/sites/rachelsandler/2020/05/27/zuckerberg-criticizes-twitter-for-fact-checking-trump-tweets/#7ffadc7c6f7a

    A CNN item: https://www.cnn.com/2020/05/28/politics/trump-twitter-social-media-executive-order/index.html

    An excellent analysis of this text is online from Daphne Keller of Stanford
    CIS (Center for Internet and Society), at: https://docs.google.com/document/d/1JnK80wk4Smcu3lt4TCwajQNTk0_v1sNR-FGhnoMZyWM/preview?pru=AAABcn_S8qw*Hz2b7K-CMUUUEnDU7P0tIA#

    Defying Trump, Twitter Doubles Down on Labeling Tweets https://www.nytimes.com/2020/05/28/technology/trump-twitter-fact-check.html

    Trump's Proposed Order on Social Media Could Harm One Person in Particular:
    Trump (The NYTimes) https://www.nytimes.com/2020/05/28/us/politics/trump-social-media-executive-order.html

    ------------------------------

    Date: Thu, 28 May 2020 15:22:52 -0700
    From: David Broadbeck <david.m.brodbeck@gmail.com>
    Subject: Re: Vitamin C

    The idea that megadoses of Vitamin C can prevent or cure disease is one of those zombie ideas that just keeps popping up, in spite of being refuted
    over and over. Maybe this is because it was originally pushed by Linus
    Pauling, or maybe it's because Vitamin C generally doesn't do any harm.
    Still, it's disappointing to see RISKS pushing this myth.

    While there aren't many studies yet of Vitamin C and COVID-19, for obvious reasons, there are lots testing its effect on the common cold. This is a
    pretty representative one: https://pubmed.ncbi.nlm.nih.gov/11700812/?dopt=Abstract No statistical difference was found, with the placebo group actually showing slightly
    better outcomes than the one that got the C megadoses.

    The FDA has repeatedly warned companies against making outlandish claims
    about Vitamin C's abilities to cure tuberculosis, cancer, Ebola, etc.: https://quackwatch.org/cases/fdawarning/prod/fda-warning-letters-about-products-2017/fonorow/

    Just because it's "natural" doesn't mean it's better.

    [There's no point arguing with a total nonbeliever. However, since
    you have goaded me, here are a few thoughts, that border on less relevance:
    1. I have been told that Linus Pauling's notion of *large* doses of
    Vitamin C was 1000 mg. It took 40 grams a day for Dr. Cathcart.
    2. Many supplements are not providing what is on the label, and some
    are laced with excipients that may be iatrogenic (such as
    polyethylene glycol -- read the labels).
    3. Who is claiming C is a CURE? Having a healthy immune system is
    likely to be one of many *preventive* measures, and a good idea here
    because of the next item.
    4. The most serious cases of the novel coronavirus seem to be targeting
    people with already compromised immune systems.
    5. Some in the medical communities are of course likely to be trashing
    or ignoring many things that seem to have documented evidence of being
    helpful, but are not high-priced pharmaceuticals. That is a long-time
    battle. Not too long ago, there were many claims that there was no
    connection between diet and health, no links between smoking and
    health, and of course a former president who believed that ketchup was
    a vegetable. Don't believe everything you hear.
    PGN]

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.90
    ************************
