The RISKS Digest
Volume 31 Issue 90

Thursday, 28th May 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Let's fix 'em before they break—or are broken
Lali-Larrauri via PGN
Sorry, media: You're not victims no matter how much abuse you take— Did you know that?
Concerns as rise of connected cars coincides with sharp increase in cyber-attacks
Auto Express
How Automated Background Checks Freeze Out Renters
Riding the State Unemployment Fraud Wave
Election Integrity in RISKS
We Don’t Even Have a COVID-19 Vaccine, and Yet the Conspiracies Are Here
The Atlantic
Re: The Pandemic Is Exposing the Limits of Science
Bob Wilson
Risk of Polarisation
Anthony Thorn
Re: Ioannidis
Martin Ward
Re: misinformation
Dmitri Maziuk, Henry Baker
More on the Tweeter and the Tweetee
PGN-pruned from LW and retitled
Re: Vitamin C
David Broadbeck
Info on RISKS (comp.risks)

Let's fix 'em before they break—or are broken

“Peter G. Neumann” <>
Thu, 28 May 2020 14:22:08 PDT

An op-ed in The New York Times by Upmanu Lali and Paulina Concha Larrauri, 28 May 2020, is titled “Dam Failures Are a Warning”. RISKS for years might have more generally written “Damn Failures are a Warning.”

After two recent dam failures, this article notes that “about 25,000 dams are considered high or significant hazards if they failed.” The final paragraph is pithy, and very relevant here:

“We need a real plan and real money, and we need them soon. The coronavirus pandemic, which we are spending billions to battle, should at least remind us that a little bit of prevention can avert an enormous amount of anguish.”

This is pervasive advice, and should also apply to aging bridges, buildings, roads, manufacturing plants, and even computer software and networks.

Sorry, media: You're not victims no matter how much abuse you take—Did you know that?

geoff goodfellow <>
Thu, 28 May 2020 05:53:00 -1000

President John Adams signed a law making it a crime to criticize the government; 20 newspaper editors were imprisoned. Andrew Jackson not only had his own paper, edited by a member of his cabinet, but it got government subsidies. […]

Concerns as rise of connected cars coincides with sharp increase in cyber-attacks (Auto Express)

geoff goodfellow <>
Thu, 28 May 2020 05:54:00 -1000

Cyber-attacks on connected cars rose by 700 per cent between 2010 and 2019, according to new analysis, prompting experts to warn that drivers should clear all personal data from their cars before selling them.

Some 67 per cent of new cars registered in the UK are ‘connected’, meaning they transmit data to their manufacturer via the Internet. By 2026, it's thought that every single new car will be connected, according to research by energy comparison site Uswitch.

The 700 per cent rise in cyber attacks on connected cars is shown by data from security firm Upstream. In its most recent report on the subject, the company analysed 367 global data-breach incidents between 2010 and 2019 involving cars, 155 of which took place in 2019 alone - a growth of 99 per cent over the previous year.

One incident in October 2019 saw a mobile phone app that Mercedes drivers could use to locate and unlock their cars sometimes showing other people's accounts and vehicle information. The previous month, thieves were caught on camera stealing a Tesla in under 30 seconds using a keyless entry hack. July 2019 saw an exposed database at Honda allowing anyone to see which of its systems had security vulnerabilities, risking 134 million rows of employee data.

Earlier in the year, Toyota suffered two separate cyber attacks in the space of five weeks, with the offenders accessing servers that held sales information related to 3.1 million customers. […]

How automated background checks freeze out renters (NYTimes)

Monty Solomon <>
Thu, 28 May 2020 14:44:24 -0400

Algorithms that scan everything from terror watch lists to eviction records spit out flawed tenant screening reports. And almost nobody is watching.

Riding the State Unemployment Fraud Wave (Krebs)

geoff goodfellow <>
Thu, 28 May 2020 05:51:00 -1000

When a reliable method of scamming money out of people, companies or governments becomes widely known, underground forums and chat networks tend to light up with activity as more fraudsters pile on to claim their share. And that's exactly what appears to be going on right now as multiple U.S. states struggle to combat a tsunami of phony Pandemic Unemployment Assistance (PUA) claims. Meanwhile, a number of U.S. states are possibly making it easier for crooks by leaking their citizens' personal data from the very websites the unemployment scammers are using to file bogus claims.

Last week, the U.S. Secret Service warned of massive fraud against state unemployment insurance programs, noting that false filings from a well-organized Nigerian crime ring could end up costing the states and federal government hundreds of millions of dollars in losses.

Since then, various online crime forums and Telegram chat channels focused on financial fraud have been littered with posts from people selling tutorials on how to siphon unemployment insurance funds from different states. […]

Election Integrity in RISKS

“Peter G. Neumann” <>
Thu, 28 May 2020 14:22:08 PDT

I finally decided to update a subsection of my very out-of-date summary of RISKS issues, and have now created a version that summarizes all of the RISKS items relating to Election Integrity. It is 16 pages two-columned in fine print, which should give you an idea of how relevant this topic has been in past issues of RISKS:

We Don’t Even Have a COVID-19 Vaccine, and Yet the Conspiracies Are Here (The Atlantic)

Monty Solomon <>
Thu, 28 May 2020 17:45:16 -0400

Even as vaccines for the disease are being held up as the last hope for a return to normalcy, misinformation about them is spreading.

Re: The Pandemic Is Exposing the Limits of Science (Bloomberg)

Bob Wilson <>
Thu, 28 May 2020 13:37:03 -0500

In recent decades people seem to have adopted a terribly simplified, rather lazy, version of science. Consider the word's Latin roots, meaning just “knowledge”, not something miraculous. One good read is /Failure/, by Stuart Firestein, subtitled “Why Science is so Successful”.

The scientific method hopes to approach truth, but not usually in a continuous way or by sudden understanding of everything that really matters. As a discrete process, it can't quite be described as asymptotic. But laymen (or women, we need a new word!) have come to expect that scientists have perfect knowledge: The workers themselves generally see many things in their results that need to be improved. Think of Newton's theory of gravity, and his /Principia/, which were and still are marvelous accomplishments: By the late 19th century it was widely recognized that his version of gravity was not quite right, and Einstein in both special relativity and then (another step forward) general relativity, took care of much of what had been worried about. We certainly accept Newton as accurately describing what happens if we drop a rock from our hands, but NASA needs Einstein's improvements if calculating orbits, engine burn data, etc. And nowadays there are discussions about how Einstein's world is still not quite right.

In our current crisis we have tried to collapse the time scale to zero. The amount of work and the knowledge gained have both been amazing. But it is unreasonable to expect that complete and accurate results would be found by now! The population at large has been led to believe that any technology that requires you to think is thereby shown to be flawed. I would hope that /Risks/ participants would understand how this works and how we need to think and learn rather than to expect impossible payoffs! We can pray/hope/wish/… for results quickly, but those don't come with guarantees, and the answers probably won't be simple!

My own field is mathematics, where it might be easier to decide that a result is really right than in some of the messier parts of our world that have to deal with outside facts. But it is really sad to see people who should know better seeming to misunderstand the whole way science works.

Risk of Polarisation (Re: Maziuk and Ladkin)

Anthony Thorn <>
Thu, 28 May 2020 09:33:12 +0200

Regarding the contributions from Messrs Maziuk and Ladkin; I do hope that the polarisation and associated symptoms which we are seeing in U.S. and UK politics will not infect RISKS!

I do not think Prof. Ferguson needs defending, but I was under the impression that the “250'000 deaths” estimate was based on the assumption that NO lockdown measures were introduced.

“Coronavirus: UK changes course amid death toll fears”

If this forecast contributed to the decision to implement the lockdown it certainly saved many lives.

Re: Ioannidis (re: Baker)

Martin Ward <>
Thu, 28 May 2020 11:44:44 +0100

Back on 17th March John P.A. Ioannidis wrote:

> In the absence of data, prepare-for-the-worst reasoning leads to extreme
> measures of social distancing and lockdowns. Unfortunately, we do not know
> if these measures work.

I don't know why this ten week old piece was included in comp.risks: as if it contained current and up-to-date information.

The current situation is that we do know which measures work to contain the virus! Currently, 45 countries from around the world are winning: with the number of new cases per day dropping towards zero. 27 countries are “nearly there”, while 52 countries (including the UK and the USA) need to take action.

The data is here:

Back in November 2019 the USA and the UK were determined to be the two countries best prepared for a pandemic. Both countries knew that the pandemic was coming in mid February, both decided to take little or no action. As a result, these two countries now have the highest death tolls of all.

The USA and South Korea recorded their first cases on the same day: South Korea immediately introduced a range of effective measures including lockdown, extensive testing, contact tracing and isolation. As a result the virus was contained with a total number of deaths, as of today, of just 269.

By contrast, the USA has just passed over 100,000 deaths in the same time period, and is planning to ease the lockdown while in 20 states the number of new cases per day is still increasing.

It is estimated that over 30,000 deaths in the UK could have been avoided by starting the lockdown a week earlier: such is the power of unconstrained exponential growth.

(In searching for the above article I also discovered that more than 130,000 deaths in the UK since 2012 could have been prevented if improvements in public health policy had not stalled as a direct result of austerity cuts. Life is cheap in the UK:

Re: misinformation (RISKS-31.89)

dmaziuk <>
Thu, 28 May 2020 11:59:03 -0500

“I cry wolf because I have an overly sophisticated pile of computer code that sometimes indicate a wolf may come”

Perhaps we the experts should wake up and stop calling a spade a small-scale manual earth-moving implement before the sentiment becomes universal and the mob reaches for torches and pitchforks.

Re: Misinformation (Ladkin, RISKS-31.84-89)

Henry Baker <>
Thu, 28 May 2020 10:41:19 -0700

I think that most experts are all in violent agreement that these epidemiological models are ‘ill-conditioned’, hence any noise in the input can be dramatically amplified in such a way that it can often overwhelm any ‘answer’. Analogy: those screeching noises that are often heard from audio public address systems that have positive feedback; the screeches often overwhelm the person speaking.

Re: network-simulation Monte Carlo models, e.g., the Imperial model:

Monte Carlo models require enough iterations/runs in order to average out the sampling noise (so that the ‘result’ is independent of the particular random samples used), which requires fully “exploring” the nether/tail regions of the particular probability density function.

The most trivial Monte Carlo model is that of estimating the mean of a distribution by computing statistics from N samples. How many samples are required in order to assure a reasonable estimate of the mean, where by ‘reasonable’ I mean an answer good to the first digit or so, irrespective of the random choices made (one of the most substantial criticisms of the Imperial model) ? Answer: N ~ O(distribution variance).

OK. Let's take an oversimplified ‘superspreader’ model for R0: 99% of the time, R0=2, and 1% of the time, R0=98. The mathematical mean of this bimodal distribution is 2.96, and the mathematical variance of this distribution is ~91. But I just ran this Monte Carlo model and it takes at least 15,000 random samples of this distribution just to get a reasonable approximation to just one number—its mean!

The reason why so many samples are required is that the relatively rare event where R0=98 has to occur often enough to average out against the vastly more probable R0=2 events.

But we're only getting started. R0 appears as the base of an exponential in various epidemic models—e.g., (R0)^(a*t), for some constant a.

But what if we have to sample, e.g., (R0)^10, i.e., a*t=10—to compute its mean? How many samples will we need to get a decent approximation ? (Note that this is the 10-fold product of independently chosen R0's, so we can't simply average numbers like sample^(1/10).)

So I ran another Monte Carlo experiment to compute the mean of the product of 10 samples from our bimodal distribution from above. Even after sampling 1 billion such products, I still could not converge to even one decimal digit of the mean, and the population variance was trending to O(10^15). (Note that the worst case product has value 98^10 ~ 10^20, but also probability (1/100)^10 = 10^(-20).)

How can we better to understand the probabilities of exponentials? Often elementary statistics classes don't deal with products of random variables, much less exponentials of random variables. One simple way to understand such products and exponentials utilizes lognormal distributions, which are not bimodal, and have heavy but not fat tails, and are tractable. If X=L(m,v) is a lognormal distribution with parameters m,v, then the distribution for the exponential X^n is L(n*m,n*v).

The mean of L(n*m,n*v) is exp(m+v/2)^n; the variance of L(n*m,n*v) is exp(2*m+v)^n*(exp(v)^n-1). If we choose m,v to match the mean and variance of our bimodal distribution above, then m~-0.1322 and v~2.4348, so the mean of X^n is (2.96)^n and the variance of X^n is (2.96)^(2n)*(11.414^n-1) ~ 100^n.

Since the variance of our lognormal (R0)^10 is ~100^10 = 10 billion, it could take O(10 billion) random samples to get a reasonable approximation to the mean of (R0)^10. I'd be willing to bet that the Imperial model was not run 10 billion times, much less 10^15 times (for our bimodal distribution).

But this is merely one positive feedback loop in such a Monte Carlo network simulation. What happens when there are multiple positive feedback loops ? How many runs might then be required ?

The problem here is that our samples have to explore an incredibly wide and incredibly shallow distribution, and then accumulate enough weight for each sample to guarantee some reasonable accuracy for our result. But even if we performed such a computation, what would it mean when the variance of the distribution is so wide—hence the weight of any particular value is so tiny—of what practical use is any particular value—e.g., the “mean”?

This is the reason why “R0” models make no sense in the presence of superspreaders—there is no single ‘R0’ that captures any useful aspect of the behavior of the epidemic.
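As an added illustration of the moment calculations in the preceding post (this is not code from the original contributor), the following Python script computes the exact mean and variance of the two-point R0 model, fits the lognormal L(m,v) described above by matching those two moments, compares the closed-form mean and variance of the 10-fold product from both, and runs a seeded plain Monte Carlo estimate of the mean at a few sample sizes. The distribution values are the post's own; the seed and sample sizes are chosen here.

```python
"""Moments of a superspreader R0 model and the lognormal used to approximate it."""
import math
import random

# Constructed two-point ("bimodal") R0 distribution from the post:
# R0 = 2 with probability 0.99, R0 = 98 with probability 0.01.
R0_DIST = ((2.0, 0.99), (98.0, 0.01))


def exact_moments(dist):
    """Return (mean, variance, second moment) of a discrete distribution."""
    mean = sum(x * p for x, p in dist)
    m2 = sum(x * x * p for x, p in dist)
    return mean, m2 - mean * mean, m2


def product_moments(dist, n):
    """Mean and variance of the product of n independent draws:
    E[X]^n and E[X^2]^n - E[X]^(2n)."""
    mean, _, m2 = exact_moments(dist)
    return mean ** n, m2 ** n - mean ** (2 * n)


def lognormal_match(mean, var):
    """Parameters (m, v) of a lognormal L(m, v) with the given mean and variance."""
    v = math.log(1.0 + var / mean ** 2)
    m = math.log(mean) - v / 2.0
    return m, v


def lognormal_power_moments(m, v, n):
    """Mean and variance of X^n when X = L(m, v), using that X^n is L(n*m, n*v)."""
    mean = math.exp(m + v / 2.0) ** n
    var = math.exp(2.0 * m + v) ** n * (math.exp(v) ** n - 1.0)
    return mean, var


def mc_mean(dist, n_samples, seed=1):
    """Plain Monte Carlo estimate of the mean from n_samples draws (seeded so runs repeat)."""
    rng = random.Random(seed)
    values, weights = zip(*dist)
    draws = rng.choices(values, weights=weights, k=n_samples)
    return sum(draws) / n_samples


if __name__ == "__main__":
    mean, var, _ = exact_moments(R0_DIST)
    print(f"exact mean={mean:.4f} variance={var:.4f}")
    m, v = lognormal_match(mean, var)
    print(f"lognormal match m={m:.4f} v={v:.4f}")
    print("R0^10 mean, variance (two-point):", product_moments(R0_DIST, 10))
    print("R0^10 mean, variance (lognormal):", lognormal_power_moments(m, v, 10))
    for n in (100, 1_000, 15_000):
        print(f"MC mean from {n:>6} samples: {mc_mean(R0_DIST, n):.3f}")
```

Because the lognormal is fitted to the first two moments, E[X^2] is 100 in both models, so the variance of the 10-fold product is 100^10 minus 2.96^20 in both, which is why the two closed forms agree.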

More on the Tweeter and the Tweetee [PGN-pruned and retitled]

Lauren Weinstein <>
Wed, 27 May 2020 20:21:22 -0700

On FOX News, Zuckerberg Criticizes Twitter For Fact-Checking Trump Tweets (Forbes)

A CNN item:

An excellent analysis of this text is online from Daphne Keller of Stanford CIS (Center for Internet and Society), at:

Defying Trump, Twitter Doubles Down on Labeling Tweets

Trump's Proposed Order on Social Media Could Harm One Person in Particular: Trump (The NYTimes)

Re: Vitamin C

David Broadbeck <>
Thu, 28 May 2020 15:22:52 -0700

The idea that megadoses of Vitamin C can prevent or cure disease is one of those zombie ideas that just keeps popping up, in spite of being refuted over and over. Maybe this is because it was originally pushed by Linus Pauling, or maybe it's because Vitamin C generally doesn't do any harm. Still, it's disappointing to see RISKS pushing this myth.

While there aren't many studies yet of Vitamin C and COVID-19, for obvious reasons, there are lots testing its effect on the common cold. This is a pretty representative one: No statistical difference was found, with the placebo group actually showing slightly better outcomes than the one that got the C megadoses.

The FDA has repeatedly warned companies against making outlandish claims about Vitamin C's abilities to cure tuberculosis, cancer, Ebola, etc.:

Just because it's “natural” doesn't mean it's better.
