The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 81

Friday 8 May 2020


U.S. government plans to urge states to resist ‘high-risk’ Internet voting
Kim Zetter
Trading computer can't handle negative numbers
Henry Baker
Nearly 20,000 Georgia Teens Are Issued Driver's Licenses Without a Road Test
Risk of Misinterpreting Hydrogen Peroxide Indicator Colors for Vapor Sterilization: Letter to Health Care Providers
GitHub Takes Aim at Open Source Software Vulnerabilities
Snake ransomware targeting healthcare now claims to steal unencrypted files before encrypting computers on a network (BleepingComputer]
China's Military Is Tied to Debilitating New Cyberattack Tool
Coronavirus Proves Only Structural Changes Can Avert Climate Apocalypse
Which COVID-19 models should we use to make policy decisions?
COVID SW model is a steaming pile …
Whistleblower via Henry Baker
German contact-tracing app to be rolled out in mid-June
Digital immunity passport is ‘the lesser of two evils’
Flu vs. COVID-19
geoff goodfellow
Re: Visualization shows droplets from one cough on an airplane
Amos Shapir
Re: What the Coronavirus Crisis Reveals…
Chris Drewe
Info on RISKS (comp.risks)

U.S. government plans to urge states to resist ‘high-risk’ Internet voting (Kim Zetter)

“Peter G. Neumann” <>
Fri, 8 May 2020 10:55:09 PDT

(Kim Zetter in The Guardian [always an incisive reporter. PGN]

Added note: The Guardian has published the entire DHS document. PGN]

Trading computer can't handle negative numbers

Henry Baker <>
Fri, 08 May 2020 15:16:59 -0700

I know it's hard to believe after all of the Y2K hoopla, but here we are again.

Trading computer software can't handle negative oil prices; it costs firm at least $100 million.

Next up: I would imagine that negative interest rates would blow U.S. financial customer accounts sky high (EU customers have already seen negative interest rates).

BTW, square roots crop up in some trading calculations—e.g., option pricing. How long until we read about trading computers blowing up with complex numbers?

Matthew Leising Updated 8 May 2020, 12:16 PM EDT Oil Crash Busted Broker's Computers and Inflicted Big Losses

Interactive Brokers users couldn't trade when oil broke zero Incident will cost firm more than $100 million, chairman says

Syed Shah usually buys and sells stocks and currencies through his Interactive Brokers account, but he couldn't resist trying his hand at some oil trading on April 20, the day prices plunged below zero for the first time ever. The day trader, working from his house in a Toronto suburb, figured he couldn't lose as he spent $2,400 snapping up crude at $3.30 a barrel, and then 50 cents. Then came what looked like the deal of a lifetime: buying 212 futures contracts on West Texas Intermediate for an astonishing penny each.

What he didn't know was oil's first trip into negative pricing had broken Interactive Brokers Group Inc. Its software couldn't cope with that pesky minus sign, even though it was always technically possible—though this was an outlandish idea before the pandemic—for the crude market to go upside down. Crude was actually around negative $3.70 a barrel when Shah's screen had it at 1 cent. Interactive Brokers never displayed a subzero price to him as oil kept diving to end the day at minus $37.63 a barrel.

At midnight, Shah got the devastating news: he owed Interactive Brokers $9 million. He'd started the day with $77,000 in his account.

“I was in shock,” the 30-year-old said in a phone interview. “I felt like everything was going to be taken from me, all my assets.”

To be clear, investors who were long those oil contracts had a brutal day, regardless of what brokerage they had their account in. What set Interactive Brokers apart, though, is that its customers were flying blind, unable to see that prices had turned negative, or in other cases locked into their investments and blocked from trading. Compounding the problem, and a big reason why Shah lost an unbelievable amount in a few hours, is that the negative numbers also blew up the model Interactive Brokers used to calculate the amount of margin—aka collateral—that customers needed to secure their accounts.

Thomas Peterffy, the chairman and founder of Interactive Brokers, says the journey into negative territory exposed bugs in the company's software. “It's a $113 million mistake on our part,” the 75-year-old billionaire said in an interview Wednesday. Since then, his firm revised its maximum loss estimate to $109.3 million. It's been a moving target from the start; on April 21, Interactive Brokers figured it was down $88 million from the incident.

Customers will be made whole, Peterffy said. “We will rebate from our own funds to our customers who were locked in with a long position during the time the price was negative any losses they suffered below zero.”

That could help Shah. The day trader in Mississauga, Canada, bought his first five contracts for $3.30 each at 1:19 p.m. that historic Monday. Over the next 40 minutes or so he bought 21 more, the last for 50 cents. He tried to put an order in for a negative price, but the Interactive Brokers system rejected it, so he became more convinced that it wasn't possible for oil to go below zero. At 2:11 p.m., he placed that dream-turned-nightmare trade at a penny.

It was only later that night that he saw on the news that oil had plunged to the never-before-seen price of negative $37.63 per barrel. What did that mean for the hundreds of contracts he'd bought? He frantically tried to contact support at the firm, but no one could help him. Then that late-night statement arrived with a loss so big it was expressed with an exponent.

The problem wasn't confined to North America. Thousands of miles away, Interactive Brokers customer Manfred Koller ran into trouble similar to what Shah faced. Koller, who lives near Frankfurt and trades from his home computer on behalf of two friends, also didn't realize oil prices could go negative.

He'd bought contracts for his friends on Interactive Brokers that day at $11 and between $4 and $5. Just after 2 p.m. New York time, his trading screen froze. “The price feed went black, there were no bids or offers anymore,” he said in an interview. Yet as far as he knew at this point, according to his Interactive Brokers account, he didn't have anything to worry about as trading closed for the day.

Following the carnage, Interactive Brokers sent him notice that he owed $110,000. His friends were completely wiped out. “This is definitely not what you want to do, lose all your money in 20 minutes,” Koller said.

Besides locking up because of negative prices, a second issue concerned the amount of money Interactive Brokers required its customers to have on hand in order to trade. Known as margin, it's a vital risk measure to ensure traders don't lose more than they can afford. For the 212 oil contracts Shah bought for 1 cent each, the broker only required his account to have $30 of margin per contract. It was as if Interactive Brokers thought the potential loss of buying at one cent was one cent, rather than the almost unlimited downside that negative prices imply, he said.

“It seems like they didn't know it could happen,” Shah said.

But it was known industry-wide that CME Group Inc.'s benchmark oil contracts could go negative. Five days before the mayhem, the owner of the New York Mercantile Exchange, where the trading took place, sent a notice to all its clearing-member firms advising them that they could test their systems using negative prices. “Effective immediately, firms wishing to test such negative futures and/or strike prices in their systems may utilize CME's ‘New Release’ testing environments” for crude oil, the exchange said.

Interactive Brokers got that notice, Peterffy said. But he doesn't feel five days was enough time to upgrade his company's trading platform.

“Five days, including the weekend, with the coronavirus going on and a complex system where we have to make many changes, was not a sufficient amount of time,” he said. “The idea we could have bugs is not, in my mind, a surprise.” He also acknowledged the error in the margin model Interactive Brokers used that day.

According to Peterffy, its customers were long 563 oil contracts on Nymex, as well as 2,448 related contracts listed at another company, Intercontinental Exchange Inc. Interactive Brokers foresees refunding $18,815 for the Nymex ones and $37,630 for ICE's, according to a spokesman.

To give a sense of how far off the Interactive Brokers margin model was that day, similar trades to what Shah placed would have required $6,930 per trade in margin if he placed them at Intercontinental Exchange. That's 231 times the $30 Interactive Brokers charged.

“I realized after the fact the margin for those contracts is very high and these trades should never have been processed,” he said. He didn't sleep for three nights after getting the $9 million margin call, he said.

Peterffy accepted blame, but said there was little market liquidity after prices went negative, which could've prevented customers from exiting their trades anyway. He also laid responsibility on the exchanges and said the company had been in touch with the industry's regulator, the U.S. Commodity Futures Trading Commission.

“We have called the CFTC and complained bitterly,” Peterffy said. “It appears the exchanges are going scot-free.”

Representatives of CME and Intercontinental Exchange declined to comment. A CFTC spokesman didn't immediately return a request for comment.

Peterffy said there's a problem with how exchanges design their contracts because the trading dries up as they near expiration. The May oil futures contract—the one that went negative—expired the day after the historic plunge, so most of the market had moved to trading the June contract, which expires May 19 and currently trades around $24 a barrel.

“That's how it's possible for these contracts to go absolutely crazy and close at a price that has no economic justification,” Peterffy said. “The issue is whose responsibility is this?”

— With assistance by Melinda Grenier

(Adds details of June contract in penultimate paragraph. A previous version of this story was corrected because Interactive Brokers gave the wrong estimated refund for the Nymex contracts in the 18th paragraph.)

Nearly 20,000 Georgia Teens Are Issued Driver's Licenses Without a Road Test (NYTimes)

Monty Solomon <>
Fri, 8 May 2020 11:56:54 -0400

Gov. Brian Kemp suspended the requirement that most Georgians pass a behind-the-wheel test when applying for licenses last month.

Risk of Misinterpreting Hydrogen Peroxide Indicator Colors for Vapor Sterilization: Letter to Health Care Providers (FDA)

Monty Solomon <>
Thu, 7 May 2020 15:21:20 -0400

The U.S. Food and Drug Administration (FDA) has become aware of the potential for health-care facility staff that reprocess and sterilize medical devices to misinterpret the indicators used to validate the sterilization of medical devices because there is no standard indicator color to indicate a sterilized device. […]

GitHub Takes Aim at Open Source Software Vulnerabilities (WiReD)

Gabe Goldberg <>
Thu, 7 May 2020 23:58:07 -0400

GitHub Advanced Security will help automatically spot potential security problems in the world's biggest open source platform.

Snake ransomware targeting healthcare now claims to steal unencrypted files before encrypting computers on a network

geoff goodfellow <>
Thu, 7 May 2020 13:40:22 -1000

The operators of the Snake Ransomware have launched a worldwide campaign of cyberattacks that have infected numerous businesses and at least one health care organization over the last few days.

This past January, BleepingComputer reported on the new Snake ransomware that was targeting enterprise networks. <>

Since then, the ransomware operators have been relatively quiet, with little to no new infections being detected in the wild.

This lack of activity all changed on May 4th, when the ransomware operators conducted a massive campaign that targeted organizations throughout the world and across all verticals.

Starting on May 4th, ransomware identification site, ID Ransomware, showed a massive jump in submissions after seeing a few here and there over the last couple of months. <>

According to security reporter Brian Krebs, one of the victims allegedly hit by the Snake Ransomware in this campaign is Fresenius Group, Europe's largest hospital provider.

“Fresenius, Europe's largest private hospital operator and a major provider of dialysis products and services that are in such high demand thanks to the COVID-19 pandemic, has been hit in a ransomware cyber attack on its technology systems. The company said the incident has limited some of its operations, but that patient care continues,” Krebs reported. <>

BleepingComputer has since been able to independently confirm that the Snake Ransomware attacked Fresenius on May 4th.

This same source told us that numerous other companies were hit, including an architectural firm in France and a prepaid debit card company. Snake claims to now steal files before encrypting

As has now become routine with ransomware, Snake now claims to steal unencrypted files before encrypting computers on a network.

As noted by MalwareHunterTeam, in the ransom note named ‘Decrypt-Your-Files.txt’ from this week's attacks, the Snake operators have added text stating that they will publish stolen databases and document if not paid within 48 hours. […] <>

China's Military Is Tied to Debilitating New Cyberattack Tool (NYTimes)

Monty Solomon <>
Thu, 7 May 2020 08:10:04 -0400

An Israeli security company said the hacking software, called Aria-body, had been deployed against governments and state-owned companies in Australia and Southeast Asia.

Coronavirus Proves Only Structural Changes Can Avert Climate Apocalypse (IEA)

the keyboard of geoff goodfellow <>
Wed, 6 May 2020 15:01:33 -1000

We are still screwed if we do not permanently alter how we produce and consume energy as a civilization

A new International Energy Agency report warns that while 2020 may see the largest CO2 emissions drop on record because of the coronavirus pandemic, there is still cause for concern. <>

The IEA anticipates carbon emissions will drop almost 8 percent—six times larger than the previous record caused by the 2008 global financial crisis and twice as large as the sum total of every reduction since the end of World War II. Global energy demand will fall 6 percent, which is seven times larger than the decline from the 2008 global financial crisis and equivalent to losing the entire energy demand of India. Renewables are the only energy source expected to see any growth in use (1.5 percent) or generation (3 percent), while oil demand will drop by 9 percent, coal by 8 percent, and natural gas by 5 percent.

All these numbers are staggering, but they are also inadequate. Despite the 70 year lows for each of these carbon energy sources and the IEA's estimation that 50 percent of all global energy use is exposed to these global containment measures, we're far from the reductions needed to avert climate catastrophe. Moreover, these reductions are inequitable and have come at a tragic personal cost to many. Structural changes <> (e.g., an internationalist Green New Deal that favors the working class) are necessary if we are to have any hope.

As Vox's David Roberts writes, limiting climate change to 1.5 degrees Celsius—our only shot at avoiding hundreds of millions of deaths and widespread ecological collapse—means “emissions would need to fall off a cliff, falling by 15% a year every year, starting in 2020, until they hit zero.” In fact, the emissions reduction we are on track to experience may yield no durable environmental benefits that last beyond the lockdowns as urban pollution, for example, will quickly return. <> <>

This insufficient but historic reduction is thanks to travel restrictions and economic lockdowns that have caused spikes in unemployment dwarfing those of the Great Recession and approaching Great Depression levels. In the United States alone, a country where nearly half of the population lives paycheck to paycheck, far more than the reported 30 million people have likely lost their jobs and a perpetual rent strike is developing as a growing plurality of tenants are simply unable to make ends meet. The full human cost of this pandemic has yet to emerge—its immediate death toll may be underreported, but it has obvious for months that the pandemic would make plain that our country views its most vulnerable populations as disposable. […] <> <> <> <> <> <>

Which COVID-19 models should we use to make policy decisions? (MedixlXpress)

Dave Farber <>
Fri, 8 May 2020 08:53:39 +0900

Which COVID-19 models should we use to make policy decisions? Pennsylvania State University <>

A new process to evaluate multiple disease models will help identify which intervention measures may be most successful during an outbreak. Shown here, the entry process for students at Lanzhou University in China involves scanning a university ID, which is associated with the student's body temperature history, travel history, and other information, while a machine detects current body temperature. Credit: Shouli Li, Lanzhou University With so many COVID-19 models being developed, how do policymakers know which ones to use? A new process to harness multiple disease models for outbreak management has been developed by an international team of researchers. The team describes the process in a paper appearing May 8 in the journal Science and was awarded a Grant for Rapid Response Research (RAPID) from the National Science Foundation to immediately implement the process to help inform policy decisions for the COVID-19 outbreak.

During a disease outbreak <>, many research groups independently generate models, for example projecting how the disease will spread, which groups will be impacted most severely, or how implementing a particular management action might affect these dynamics. These models help inform public health policy for managing the outbreak.

“While most models have strong scientific underpinnings, they often differ greatly in their projections and policy recommendation,” said Katriona Shea, professor of biology and Alumni Professor in the Biological Sciences, Penn State. “This means that policymakers are forced to rely on consensus when it appears, or on a single trusted source of advice, without confidence that their decisions will be the best possible.”

At the onset of an outbreak, particularly for a new disease, a large amount of information is often unavailable or unknown, and researchers must make decisions about how to incorporate this uncertainty into their models, leading to differing projections. For the COVID-19 outbreak, for example, uncertainty is present in a wide range of areas, from infection rate to details of transmission to the capacity of health care systems. The designers of each model < their own perspective and approach to address these uncertainties.

A new process to evaluate multiple disease outbreak models will help inform public health policy decisions for managing the outbreak. The process is currently being applied to the current COVID-19 outbreak. Credit: Will Probert, University of Oxford “In order to improve modeling and analysis of epidemic disease, it is essential to develop protocols that deliberately generate and evaluate valuable individual ideas from across the modeling community,” said Michael Runge, a research ecologist at the U.S. Geological Survey's Patuxent Wildlife Research Center who specializes in decision analysis for wildlife management. “We have identified best practices < allow the synthesis and evaluation of input from multiple modeling groups in an efficient and timely manner.”

In the three-part process, multiple research groups first create models for specified management scenarios, for example, addressing how caseload would be affected if social isolation measures were lifted this summer, or how the duration of the outbreak would change if students return to school in the fall. The research groups work independently during this step to encourage a wide range of ideas without prematurely conforming to a certain way of thinking. Then, the modeling groups formally discuss their models with each other—an important addition to previous multiple model methods—which allows them to examine why their models might disagree. Finally, the groups work independently again to refine their models, based on the insights from the discussion and comparison stage.

After group discussion and individual model refinement, the models are combined into an overall projection for each management strategy, which can be used to help guide risk analysis and policy deliberation. At this stage, methods from the field of decision analysis can allow the decision maker, for example a public health agency, to understand the merits of different management options in the face of the existing uncertainty.

Additionally, the combined results can help identify which uncertainty — what pieces of missing information—are most critical to learn about in order to improve models and thus improve decision making, providing a way to prioritize research directions.

“This process allows us to embrace uncertainty, rather than hastening to a premature consensus that could derail or deflect management efforts,” said Shea. “The process encourages a healthy conversation between scientists and decision makers, enabling policy agencies to more effectively achieve their management goals.”

Even after initial decisions are made, the process can continue as new information about the outbreak and management becomes available. This “adaptive management” strategy can allow researchers to refine their models and make new predictions as the outbreak progresses. For COVID-19, this process might inform how and when isolation and travel bans are lifted, and if these or other measures might be necessary again in the future.

The research team plans to implement this process immediately for COVID-19. By taking advantage of the many research groups already producing models for the current outbreak, the strategy should be easy to implement while producing more robust results from the existing process. The team will share results with the U.S. Centers for Disease Control and Prevention as they are generated.

“We hope this process actively feeds into policy for the COVID-19 response in the United States,” said Shea. “It also provides a framework for future outbreak settings, including emerging diseases and agricultural pest species, and management of endemic infectious diseases, including vaccination strategies and disease surveillance.”

Explore further

Models of coronavirus underestimate the epidemic's peak and overestimate its duration <>

More information: K. Shea el al., “Harnessing multiple models for outbreak management,” Science (2020). <> Provided by Pennsylvania State University < <>

COVID SW model is a steaming pile … (Whistleblower)

Henry Baker <>
Fri, 08 May 2020 10:52:17 -0700

Apparently, Ferguson's COVID computer model, on which basis several trillion-dollar quarantining decisions have been made, is a steaming pile of crap software code.

This case is a perfect example of why we need fully open source computer code for any accepted scientific results.

Briefly, the Ferguson model is a ‘Monte Carlo’ simulation of a complex networked system which is fed by a pseudo-random number generator (“PRNG”) to enable the ‘Monte Carlo’ aspect of the simulation.

Normally, such a PRNG generates a random number sequence determined by its initial “seed”: the sequence is identical if and only if the seed is identical. Since the behavior of the model is determined by the random number sequence, the behavior of the model is identical if and only if the seed is identical.

Ferguson's model does not have this behavior—it has non-deterministic behavior over and above that introduced by the PRNG—some due perhaps to the non-determinism in the parallel scheduling algorithms. Worse, this non-determinism produces dramatically different results (not entirely unexpected due to the exponential behavior of positive feedback loops).

What Ferguson has done isn't science, but witchcraft. Sometimes the witch doctor produces a correct answer by the miracle of coincidence, but science does not progress by standing on the shoulders of witch doctors.

With apologies to Max Planck, “science is here progressing funeral by needless funeral”.

Trillion dollar decisions cannot be based upon software of this poor quality.

Code Review of Ferguson's Model
Sue Denim (not the author's real name)

Imperial finally released a derivative of Ferguson's code. I figured I'd do a review of it and send you some of the things I noticed. I don't know your background so apologies if some of this is pitched at the wrong level.

My background. I wrote software for 30 years. I worked at Google between 2006 and 2014, where I was a senior software engineer working on Maps, Gmail and account security. I spent the last five years at a US/UK firm where I designed the company's database product, amongst other jobs and projects. I was also an independent consultant for a couple of years. Obviously I'm giving only my own professional opinion and not speaking for my current employer.

The code. It isn't the code Ferguson ran to produce his famous Report 9. What's been released on GitHub is a heavily modified derivative of it, after having been upgraded for over a month by a team from Microsoft and others. This revised codebase is split into multiple files for legibility and written in C++, whereas the original program was “a single 15,000 line file that had been worked on for a decade” (this is considered extremely poor practice). A request for the original code was made 8 days ago but ignored, and it will probably take some kind of legal compulsion to make them release it. Clearly, Imperial are too embarrassed by the state of it ever to release it of their own free will, which is unacceptable given that it was paid for by the taxpayer and belongs to them.

The model. What it's doing is best described as “SimCity without the graphics”. It attempts to simulate households, schools, offices, people and their movements, etc. I won't go further into the underlying assumptions, since that's well explored elsewhere.

Non-deterministic outputs. Due to bugs, the code can produce very different results given identical inputs. They routinely act as if this is unimportant.

This problem makes the code unusable for scientific purposes, given that a key part of the scientific method is the ability to replicate results. Without replication, the findings might not be real at all—as the field of psychology has been finding out to its cost. Even if their original code was released, it's apparent that the same numbers as in Report 9 might not come out of it.

Non-deterministic outputs may take some explanation, as it's not something anyone previously floated as a possibility.

The documentation says:

The model is stochastic. Multiple runs with different seeds should be undertaken to see average behaviour.

“Stochastic” is just a scientific-sounding word for “random”. That's not a problem if the randomness is intentional pseudo-randomness, i.e. the randomness is derived from a starting “seed” which is iterated to produce the random numbers. Such randomness is often used in Monte Carlo techniques. It's safe because the seed can be recorded and the same (pseudo-)random numbers produced from it in future. Any kid who's played Minecraft is familiar with pseudo-randomness because Minecraft gives you the seeds it uses to generate the random worlds, so by sharing seeds you can share worlds.

Clearly, the documentation wants us to think that, given a starting seed, the model will always produce the same results.

Investigation reveals the truth: the code produces critically different results, even for identical starting seeds and parameters.

I'll illustrate with a few bugs. In issue 116 a UK “red team” at Edinburgh University reports that they tried to use a mode that stores data tables in a more efficient format for faster loading, and discovered—to their surprise—that the resulting predictions varied by around 80,000 deaths after 80 days:

That mode doesn't change anything about the world being simulated, so this was obviously a bug.

The Imperial team's response is that it doesn't matter: they are “aware of some small non-determinisms”, but “this has historically been considered acceptable because of the general stochastic nature of the model”. Note the phrasing here: Imperial know their code has such bugs, but act as if it's some inherent randomness of the universe, rather than a result of amateur coding. Apparently, in epidemiology, a difference of 80,000 deaths is “a small non-determinism”.

Imperial advised Edinburgh that the problem goes away if you run the model in single-threaded mode, like they do. This means they suggest using only a single CPU core rather than the many cores that any video game would successfully use. For a simulation of a country, using only a single CPU core is obviously a dire problem—as far from supercomputing as you can get. Nonetheless, that's how Imperial use the code: they know it breaks when they try to run it faster. It's clear from reading the code that in 2014 Imperial tried to make the code use multiple CPUs to speed it up, but never made it work reliably. This sort of programming is known to be difficult and usually requires senior, experienced engineers to get good results. Results that randomly change from run to run are a common consequence of thread-safety bugs. More colloquially, these are known as “Heisenbugs”.

But Edinburgh came back and reported that—even in single-threaded mode — they still see the problem. So Imperial's understanding of the issue is wrong. Finally, Imperial admit there's a bug by referencing a code change they've made that fixes it. The explanation given is “It looks like historically the second pair of seeds had been used at this point, to make the runs identical regardless of how the network was made, but that this had been changed when seed-resetting was implemented”. In other words, in the process of changing the model they made it non-replicable and never noticed.

Why didn't they notice? Because their code is so deeply riddled with similar bugs and they struggled so much to fix them that they got into the habit of simply averaging the results of multiple runs to cover it up… and eventually this behaviour became normalised within the team.

In issue #30, someone reports that the model produces different outputs depending on what kind of computer it's run on (regardless of the number of CPUs). Again, the explanation is that although this new problem “will just add to the issues” … “This isn't a problem running the model in full as it is stochastic anyway”.

Although the academic on those threads isn't Neil Ferguson, he is well aware that the code is filled with bugs that create random results. In change #107 he authored he comments: “It includes fixes to InitModel to ensure deterministic runs with holidays enabled”. In change #158 he describes the change only as “A lot of small changes, some critical to determinacy”.

Imperial are trying to have their cake and eat it. Reports of random results are dismissed with responses like “that's not a problem, just run it a lot of times and take the average”, but at the same time, they're fixing such bugs when they find them. They know their code can't withstand scrutiny, so they hid it until professionals had a chance to fix it, but the damage from over a decade of amateur hobby programming is so extensive that even Microsoft were unable to make it run right.

No tests. In the discussion of the fix for the first bug, Imperial state the code used to be deterministic in that place but they broke it without noticing when changing the code.

Regressions like that are common when working on a complex piece of software, which is why industrial software-engineering teams write automated regression tests. These are programs that run the program with varying inputs and then check the outputs are what's expected. Every proposed change is run against every test and if any tests fail, the change may not be made.

The Imperial code doesn't seem to have working regression tests. They tried, but the extent of the random behaviour in their code left them defeated. On 4th April they said: “However, we haven't had the time to work out a scalable and maintainable way of running the regression test in a way that allows a small amount of variation, but doesn't let the figures drift over time.”

Beyond the apparently unsalvageable nature of this specific codebase, testing model predictions faces a fundamental problem, in that the authors don't know what the “correct” answer is until long after the fact, and by then the code has changed again anyway, thus changing the set of bugs in it. So it's unclear what regression tests really mean for models like this — even if they had some that worked.

Undocumented equations. Much of the code consists of formulas for which no purpose is given. John Carmack (a legendary video-game programmer) surmised that some of the code might have been automatically translated from FORTRAN some years ago.

For example, on line 510 of SetupModel.cpp there is a loop over all the “places” the simulation knows about. This code appears to be trying to calculate R0 for “places”. Hotels are excluded during this pass, without explanation.

This bit of code highlights an issue Caswell Bligh has discussed in your site's comments: R0 isn't a real characteristic of the virus. R0 is both an input to and an output of these models, and is routinely adjusted for different environments and situations. Models that consume their own outputs as inputs is problem well known to the private sector—it can lead to rapid divergence and incorrect prediction. There's a discussion of this problem in section 2.2 of the Google paper, “Machine learning: the high interest credit card of technical debt”.

Continuing development. Despite being aware of the severe problems in their code that they “haven't had time” to fix, the Imperial team continue to add new features; for instance, the model attempts to simulate the impact of digital contact tracing apps.

Adding new features to a codebase with this many quality problems will just compound them and make them worse. If I saw this in a company I was consulting for I'd immediately advise them to halt new feature development until thorough regression testing was in place and code quality had been improved.

Conclusions. All papers based on this code should be retracted immediately. Imperial's modeling efforts should be reset with a new team that isn't under Professor Ferguson, and which has a commitment to replicable results with published code from day one.

On a personal level, I'd go further and suggest that all academic epidemiology be defunded. This sort of work is best done by the insurance sector. Insurers employ modelers and data scientists, but also employ managers whose job is to decide whether a model is accurate enough for real world usage and professional software engineers to ensure model software is properly tested, understandable and so on. Academic efforts don't have these people, and the results speak for themselves.

My identity. Sue Denim isn't a real person (read it out). I've chosen to remain anonymous partly because of the intense fighting that surrounds lockdown, but there's also a deeper reason. This situation has come about due to rampant credentialism and I'm tired of it. As the widespread dismay by programmers demonstrates, if anyone in SAGE or the Government had shown the code to a working software engineer they happened to know, alarm bells would have been rung immediately. Instead, the Government is dominated by academics who apparently felt unable to question anything done by a fellow professor. Meanwhile, average citizens like myself are told we should never question “expertise”. Although I've proven my Google employment to Toby, this mentality is damaging and needs to end: please, evaluate the claims I've made for yourself, or ask a programmer you know and trust to evaluate them for you.

German contact-tracing app to be rolled out in mid-June (Politico)

“Peter G. Neumann” <>
Thu, 7 May 2019 19:18:07 -0800

Janosch Delcker, Politico, 7 May 2020 German contact-tracing app to be rolled out in mid-June

BERLIN—Germany will roll out its national smartphone application tracing potential coronavirus infections in mid-June, according to high-ranking officials involved in developing it. The launch will be flanked by a broad advertising campaign aimed at convincing as many Germans as possible to use the voluntary app, the officials said.

The underlying software, which is built by German technology companies SAP and Deutsche Telekom, analyzes Bluetooth signals between mobile phones to alert people who have been close enough to infect each other. It is based on what's known as a decentralized software architecture, with information about interactions saved only on users' phones for up to three weeks—an approach championed by both privacy advocates and U.S. tech giants Apple and Google.

After initially favouring a different architecture where information would have been stored on a central server, German Chancellor Angela Merkel's government changed course in late April and said it would adopt such a decentralized approach, following an announcement by Apple and Google to unlock their smartphones' Bluetooth capabilities to allow outside developers to build interoperable apps.

The first version of the German app expected for mid-June, which will be available for both iOS and Android operating systems, will trace interactions even while running in the background of other applications, according to the officials.

An updated version, set to be launched later this year, will also offer a voluntary option of donating the information that is collected to Germany's national disease control center for research purposes.

Digital immunity passport is ‘the lesser of two evils’ (Politico)

“Peter G. Neumann” <>
Thu, 7 May 2019 18:12:21 -0800

Vincent Manancourt, Politico, 7 May, 2020

Millennial founder of tech firm Onfido is in talks with the UK government about system that could help ease lockdown restrictions—but admits the idea is controversial.

As the U.K. rolls out a coronavirus contact-tracing app, its government is already considering another technological tool to help loosen lockdown restrictions—the immunity passport.

The idea behind so-called digital passports is that they would allow people who have recovered from the coronavirus to signal their immunity and thus move around freely, enabling economies to open up.

But there are fears such a system, which is at a preliminary stage of discussion with the developer, could lead to discrimination, create perverse incentives to get infected, and violate privacy.

The scheme also relies on reliable antibody testing and enough kits for large-scale testing—neither of which exist, yet. Not to mention the fact that health experts don't know whether immunity to the coronavirus even exists and, if it does, how long it lasts. In late April, the World Health Organisation (WHO) warned against a passport scheme on the basis that “there is currently no evidence that people who have recovered from Covid-19 and have antibodies are protected from a second infection.”

But governments are facing pressure to unshackle their economies, and any ideas that allow them to do so without endangering public health are up for discussion. Immunity passports—however pie in the sky at this stage — fit the bill.

One firm that is proffering its expertise to help the U.K. government design such a scheme is British start-up Onfido, which last month secured $100 million in funding in part to help it develop its health certificate offering.

The company usually helps businesses like banks and car rental firms verify identity digitally, but is now turning its tech to the fight against the virus.

“Our approach is to bind your digital identity to your test results at the outset, and help you prove it on an ongoing basis,” says the start-up's millennial founder Husayn Kassai on a video call with Politico.

Onfido submitted proposals to the U.K. parliament just over a week ago, and is now in the brainstorming stage with the government, according to Kassai.

“The first area of focus for everyone is very much test kits, that comes first, and then there are a range of options that the governments and other governments want to have. So this health or immunity passport is just one of them that's being explored,” Kassai said.

A U.K. government official told Politico that though there is interest in the idea of introducing some form of immunity verification, there is no formal plan yet due to the ongoing uncertainty around immunity.

Onfido's technology would work by first verifying someone's identity—by comparing a picture or video of their face against a picture of their identity card—and then linking that to a coronavirus test result. People would then be able to bring up a QR code on an app or a browser signaling their immunity status just by taking a picture of their face.

The advantage of a digital system, says Kassai, is that it is continuous and live, and can be adjusted as new evidence over immunity comes to light.

“The problem with a physical health pass is, if after six months it transpires that [immunity] may only last for six months it's hard to go back and recall those passes. Whereas if it's digital, if in January I'm tested [and] I've proven that I've recovered from the virus and in March, it suddenly transpires that immunity was only for three months, then every time the test result is called upon the results can suddenly be switched from green to an amber for instance.”

If the scheme ever does see the light of day, Kassai envisages that it is most likely that it will first be used in the workplace.

‘Extremely high risks’

While the technology promises reprieve for economies hard hit by the lockdown, it does not come without controversy.

A report last month by the AI research body the Ada Lovelace Institute said immunity passports would “pose extremely high risks in terms of social cohesion, discrimination, exclusion and vulnerability.”

Speaking to Politico at the time, the institute's director Carly Kind said that using such a scheme would raise difficult questions about how it is used to allow access to spaces.

“In some way, we can imagine a world in which immunity becomes a protected characteristic like ethnicity or race, and we need to think about how to put in place a structure to ensure that discrimination on the basis of that characteristic isn't enabled,” Kind said.

There are also fears an immunity passport scheme could create incentives to become infected, and that it poses risks to privacy and data protection.

The European Data Protection Supervisor Wojciech Wiewi=F3rowski called the idea extreme, and he has repeatedly expressed alarm at the idea during online webinars. “Even the name disgusts me a little bit,” he said at one.

For Onfido's San Francisco-based founder, mitigating concerns is a matter of “proceeding with caution.”

“The fact of the matter is, there's no two-tier system that would be different to what we have already. We already have two categories of people Category A and Category B. Category A have had the virus and have recovered, Category B have not had the virus yet. So the question becomes, how are they able to signal it?” Kassai says.

The fact that immunity passports may encourage people to become infected to get back to work is “very much a risk. So you're weighing two risks. And this is a lesser of two evils, not to want to call it that. Group A and Group B exists and that is just a fact. Some have now recovered and others have never had the virus—Group A are able to effectively signal that they have a period of immunity and Group B are not yet immune, is there an incentive or risk for Group B to want to become Group A,” he says.

As to privacy, Kassai says data in Onfido's system would be stored on “a private server for an individual,” [which] can only be accessed with the user's face.

“No private business, no government should really be, there's no need for them to hold your personal data. You as a consumer should,” he says.

Janosch Delcker and Jack Blanchard contributed reporting.

Flu vs. COVID-19

geoff goodfellow <>
Thu, 7 May 2020 13:41:19 -1000

“34,157 Americans died from influenza last year. 35,361 Americans died from COVID-19 in the last 18 days.

61,000 Americans died from the worst influenza in the last 50 years. 60,939 Americans died from COVID-19 in the last 30 days.”

Re: Visualization shows droplets from one cough on an airplane infecting large number of passengers (RISKS-31.80)

Amos Shapir <>
Thu, 7 May 2020 12:04:03 +0300

The visualisation provided by Fox News was made for a study by Purdue University of the 2003 SARS virus. The caption says “The model is based on the assumption that the 2003 SARS virus was airborne.”

But recent studies of the current COVID-19 corona virus shows that it is not so airborne. The WHO site states about its transmission by cough drops: “These droplets are relatively heavy, do not travel far and quickly sink to the ground”.

IOW, the Purdue model does not fit what is known about the newer virus.

Re: What the Coronavirus Crisis Reveals… (RISKS-31.79)

Chris Drewe <>
Thu, 07 May 2020 22:10:42 +0100

This reminded me of a similar example—this may have been mentioned before. A few winters ago in Britain, there were worries about the threat of an outbreak of severe influenza. This was just the regular winter type, nothing like Covid-19; as I understand it, this is only a health threat to the very young, the very old, or those with existing health problems, otherwise it leaves people feeling terrible for a week or two but is no big deal apart from them being temporarily incapacitated. The main threat was not streets full of dead bodies, but lots of “Tesco's truck drivers” suddenly being off sick (Tesco being the country's major supermarket chain, though many industries would be affected).

Like many businesses, the grocery trade runs on a just-in-time basis like the vehicle parts supplies mentioned in the RISKS article. Obviously the trucking industry has resources for normal sickness and vacation absences, but suddenly having many drivers out of action would cause major supply problems, especially severe for groceries where many food items have short shelf lives (few days) so little opportunity for building stockpiles; not only would supermarkets quickly run out of stock for the shelves, but food suppliers may have problems in dealing with items ready for despatching to stores. (In Europe we also have the complication of foods having ‘best by’, ‘use before’, ‘sell by’, etc. date markings.)

In the UK, gaining a Heavy Goods Vehicle driver's licence requires a rigorous training and testing session (no idea what exactly it entails, but as far as I know not a quick process, and trainers and test examiners have to be available too), and then rookie drivers would need to familiarise themselves with the individual supermarkets' transport systems so would not be fully effective straight away. By the time that this has happened, the original influenza outbreak would probably be over anyway.

In the end, the dreaded influenza outbreak never happened and pharmacies were left with huge stocks of unused vaccine, but obviously something similar could happen again. Not sure what lessons to learn; as ever, it's a balancing act between efficiency and having costly back-up resources lying idle in reserve.

Please report problems with the web pages to the maintainer