mailing list archives
Risks Digest 31.97
From: RISKS List Owner
Date: Tue, 9 Jun 2020 13: 08: 59 PDT
RISKS-LIST: Risks-Forum Digest Tuesday 9 June 2020 Volume 31 : Issue 97 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator See last item for further information, disclaimers, caveats, etc. This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/31.97> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Democracy Live Internet voting: unsurprisingly insecure, and surprisingly insecure (Specter and Halderman, with Andrew Appel's comments via PGN) More on Internet e-voting: Swiss Post purchases Scytl (SwissInfo) Report Details New Cyber Threats to Elections From Covid-19 (Maggie Miller) IBM ends all facial recognition business as CEO calls out bias and inequality (TechCrunch) Cox slows an entire neighborhood's Internet after one person's'excessive use' (Engadget) Environmentalists Targeted Exxon Mobil. Then Hackers Targeted Them. (NYTimes) Big brands bring the fight to Big Tech (Politico) System Security Integration Through Hardware and Firmware (DARPA via Richard Stein)) 2018 War Game Scenario has Gen Z Revolting (Skullcap SaVant via goodfellow) A Million-Mile Battery From China Could Power Your Electric Car (Bloomberg) I wrote this law to protect free speech. Now Trump wants to revoke it. (Ron Wyden via CNN) Programming 'language': Brain scans reveal coding uses same regions as speech (Medical Express) Cisco's Warning: Critical Flaw in IOS Routers Allows 'Complete System Compromise' (Liam Tung) False Negative Tests for SARS-CoV-2 Infection -- Challenges and Implications (NEJM) Re: Just Stop the Superspreading (Atilla, Wol, Amos Shapir, Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 9 Jun 2020 10: 29: 39 PDT From: "Peter G. Neumann"
Subject: Democracy Live Internet voting: unsurprisingly insecure, and surprisingly insecure (Specter and Halderman, with Andrew Appel's comments via PGN) A new report by Michael Specter (MIT) and Alex Halderman (U. of Michigan) <https://internetpolicy.mit.edu/wp-content/uploads/2020/06/OmniBallot.pdf> demonstrates that the OmniBallot Internet voting system from Democracy Live <https://democracylive.com/> is fatally insecure. That by itself is not surprising, as *no known technologycould make it secure. What is surprising is all the /unexpected/ insecurities that Democracy Live crammed into OmniBallot -- and the way that Democracy Live skims so much of the voter's private information. https://freedom-to-tinker.com/2020/06/08/democracy-live-internet-voting-unsurprisingly-insecure-and-surprisingly-insecure/ Andrew Appel has posted an extremely relevant article in Freedom-to-Tinker: https://freedom-to-tinker.com/author/appel/ The OmniBallot Internet voting system from Democracy Live finds surprising new ways to be insecure, in addition to the usual (severe, fatal) insecurities common to all Internet voting systems. There's a very clear scientific consensus that ``the Internet should not be used for the return of marked ballots'' because ``no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the Internet.'' That's from the National Academies 2018 consensus study report <https://doi.org/10.17226/25120>, consistent with the May 2020 recommendations from the U.S. EAC/NIST/FBI/CISA. <http://s3.amazonaws.com/ftt-uploads/wp-content/uploads/2020/06/07210015/Final_-Risk_Management_for_Electronic-Ballot_05082020-1.pdf> [Please read the entire paper and Andrew's commentary. They are very revealing, and devastating for those persons who believe that Internet voting can be made secure. Every known attempt seems to have been easily defeated: Washington DC 2010, Estonia 2014, Australia 2015, Scytl in Switzerland 2019, Voatz in West Virginia 2020, OmniBallot now. Insiders at any of four private companies (Democracy Live, Google, Amazon, Cloudflare), or any hackers who manage to hack into these companies, can steal votes: Democracy Live doesn't run its own servers. PGN-excerpted] ------------------------------ Date: Tue, 9 Jun 2020 10: 11: 57 PDT From: "Peter G. Neumann" Subject: More on Internet e-voting: Swiss Post purchases Scytl (SwissInfo) Swiss Post set to relaunch its e-voting system | Sonia Fenazzi/SwissInfo <https://www.swissinfo.ch/eng/swiss-post-set-to-relaunch-its-e-voting-system/45820842> The controversial issue of e-voting is back: Swiss Post, which had halted the development of a project in July 2019, has bought a Spanish-owned system and plans to propose a platform ready for testing by 2021. Opposition to the plans of Swiss Post remains strong. The purchase was reported on May 17 by the SonntagsBlick newspaper, who wrote that the deal between Swiss Post and Spanish firm Scytl had been settled for an unspecified amount. The deal follows the bankruptcy of the Spanish company, with whom Swiss Post had been working on a system until flaws discovered last year sparked a political debate, which ended in the government dropping e-voting plans for the time being. Swiss Post spokesperson Oliver Fl=C3=BCeler confirmed to swissinfo.ch that last summer, despite the opposition, his company decided to continue developing a system on its own, and ``after several months of negotiations'' it secured the rights to the source code from Scytl. The aim is now to propose an e-vote system by 2021 that ``takes into account various federal particularities'' and ``responds even better to the high and specific requirements of a Swiss electronic voting system'', Fl=C3=BCeler said. He added that Swiss Post takes public concerns about security and the role of foreign suppliers very seriously, but insisted that it doesn't plan to go it completely alone. ``In future, Swiss Post will increasingly cooperate with Swiss universities of applied sciences, other higher education institutions and encryption experts,'' he said. And ``to guarantee maximum security at all times, Swiss Post ``will reissue the new improved source code so that independent national and international experts can verify any weaknesses''. Opposition E-voting was first introduced in Switzerland on a limited basis in 2003, as part of ongoing tests. However, political opposition and skepticism over the safety of such a voting channel has been a constant over the years, and again with this latest twist, not everyone is happy. Franz Gr=C3=BCter, a right-wing parliamentarian who also heads a people's initiative calling for a moratorium on e-voting projects in Switzerland, criticised the Swiss Post move and called for a parliamentary inquiry. ``There are good reasons to check whether Swiss Post -- a state-controlled company -- acted correctly and paid a fair price, because the whole thing seems to lack transparency,'' he said. The parliamentarian and IT entrepreneur added: ``It's hard to believe that Swiss Post has paid an undisclosed price for a system which we already know doesn't work properly. In other countries, too, Scytl systems have experienced major problems. Perhaps that's precisely why the company went bankrupt''. He said Swiss Post should have started from scratch and developed an entirely new system, ``which could have restored trust and therefore considerably reduced opposition to e-voting'' -- an opposition that is widespread in Swiss political circles. [PGN truncated for RISKS] ------------------------------ Date: Mon, 8 Jun 2020 12: 04: 29 -0400 (EDT) From: ACM TechNews Subject: Report Details New Cyber Threats to Elections From Covid-19 (Maggie Miller) Maggie Miller, *The Hill*, 5 Jun 2020 via ACM TechNews, Monday, June 8, 2020 A report compiled by New York University's Brennan Center for Justice outlines a wide range of cyber threats stemming from voting changes prompted by Covid-19. Such threats include attempts to target election officials working on unsecured networks at home, recovering from voter registration system outages, and securing online ballot request systems. Report co-author Lawrence Norden said election officials already dealing with cyber threats now face additional challenges due to the pandemic. Election-security upgrades come with funding challenges because of Covid-19 disruptions, and the Brennan Center calculates $4 billion must be appropriated to make needed changes. Said Norden, "There is no question that what Congress can do, and really has to do very soon, is provide more money to states and localities so they can invest in election security over the next few months." https://orange.hosting.lsoft.com/trk/click?ref=3Dznwrbbrs9_6-25818x222c47x066802& ------------------------------ Date: Mon, 8 Jun 2020 18: 54: 33 -0700 From: Lauren Weinstein Subject: IBM ends all facial recognition business as CEO calls out bias and inequality (TechCrunch) https://techcrunch.com/2020/06/08/ibm-ends-all-facial-recognition-work-as-ceo-calls-out-bias-and-inequality/ ------------------------------ Date: Tue, 9 Jun 2020 10: 44: 34 -0700 From: Lauren Weinstein Subject: Cox slows an entire neighborhood's Internet after one person's 'excessive use' (Engadget) https://www.engadget.com/cox-slows-entire-neighborhoods-internet-after-one-persons-excessive-use-165844542.html ------------------------------ Date: Tue, 9 Jun 2020 09: 53: 48 -0400 From: Monty Solomon Subject: Environmentalists Targeted Exxon Mobil. Then Hackers Targeted Them. (NYTimes) Federal prosecutors in Manhattan are investigating a global hacker-for-hire operation that sent phishing emails to environmental groups, journalists and others. https://www.nytimes.com/2020/06/09/nyregion/exxon-mobil-hackers-greenpeace.html ------------------------------ Date: Tue, 9 Jun 2020 17: 28: 19 +0800 From: Richard Stein Subject: Big brands bring the fight to Big Tech (Politico) https://www.politico.eu/article/how-big-brands-chanel-canon-louis-vuitton-nike-are-taking-on-big-tech-silicon-valley-at-last/ The EU's Digital Services Act proposes platform rules to suppress and prevent counterfeit IP sales, such as fraudulent-branded women's accessories (handbags, shoes, etc.), that appear for sale on Amazon.com, Facebook, Alibaba. (https://www.digitaleurope.org/resources/towards-a-more-responsible-and-innovative-internet-digital-services-act-position-paper/) The platforms now practice voluntary fraud prevention efforts: "Amazon said the company invested 'over $500 million in 2019 and has more than 8,000 employees protecting [their] store from fraud and abuse.'" "Despite these efforts, "it's still like comparing Chernobyl with [the Three Mile Island nuclear accident in] Harrisburg,' Pennsylvania, Daniel Wellington's Sj�strand said." Policing (inspecting and certifying) platform supplier bona fides, and the authenticity of brand-name sale items is time-consuming, difficult to fulfill, slows inventory turnover in warehouses, etc. The platforms have instituted policing for personnel protective equipment during the COVID-19 Pandemic. Why not continue this practice for less vital goods? The affected consumer brands (Nike, LVMH, Coach, Kate Spade, etc.) hemorrhage profits from an escalating sales velocity of highly desirable, and apparently good enough, knock-offs. One business' profit is another business' expense. Counterfeit consumer item sales liability will be challenging to resolve and enforce internationally. Counterfeit internet sales is big business for the ethically-challenged and the criminally-inclined. https://en.wikipedia.org/wiki/Counterfeit_consumer_goods estimates the tab at US$ 1.77T in 2015 and growing. Millions of jobs at risk, stock prices gutted, salaries and bonuses cut, reputations risked, etc. ------------------------------ Date: Tue, 9 Jun 2020 10: 05: 53 +0800 From: Richard Stein Subject: System Security Integration Through Hardware and Firmware (DARPA) https://www.darpa.mil/program/ssith "Electronic system security has become an increasingly critical area of concern for the DoD and more broadly for security of the U.S. as a whole. Current efforts to provide electronic security largely rely on robust software development and integration. Present responses to hardware vulnerability attacks typically consist of developing and deploying patches to the software firewall without identifying or addressing the underlying hardware vulnerability. As a result, while a specific attack or vulnerability instance is defeated, creative programmers can develop new methods to exploit the remaining hardware vulnerability and a continuous cycle of exploitation, patching, and subsequent exploitations ensues. "The System Security Integration Through Hardware and Firmware (SSITH) program seeks to break this cycle of vulnerability exploitation by developing hardware security architectures and associated design tools to protect systems against classes of hardware vulnerabilities exploited through software, not just vulnerability instances. Areas of exploration that are targeted by SSITH include anomalous state detection, meta-data tagging, and churning of the electronic attack surface. The goal of the program is to develop ideas and design tools that will enable system-on-chip (SoC) designers to safeguard hardware against all known classes of hardware vulnerabilities that can be exploited through software, such as exploitation of permissions and privilege in the system architectures, memory errors, information leakage, and code injection. To accomplish its goal, SSITH seeks to encourage collaboration between research teams, commercial teams, and traditional DoD performers to provide robust and flexible solutions applicable to both DoD and commercial electronic systems." Constructive to subdue microcode-enabled exploits. Formal methods (FM) (see https://en.wikipedia.org/wiki/Formal_methods#Applications) have been applied in some cases. During the 1980s, I seem to recall the INMOS transputer applied FM to demonstrate IEEE-754 floating-point verification compliance. Once implemented, will the IP comprising the tools and their test cases be immunized against unauthorized access or from theft? [A paper on formal proofs of security-critical properties of the CHERI hardware instruction-set architecture being developed under one of the SSITH projects appeared last month in the IEEE Symposium on Security and Privacy: Kyndylan Nienhuis, Alexandre Joannou, Thomas Bauereiss, Anthony Fox, Michael Roe, Brian Campbell, Matthew Naylor, Robert M. Norton, Simon W. Moore, Peter G. Neumann, Ian Stark, Robert N. M. Watson, Peter Sewell, Rigorous Engineering for Hardware Security: Formal Modelling and Proof in the CHERI Design and Implementation Process, 2020 IEEE Symposium on Security and Privacy, pp. 1007-1024. https://oakland20.seclab.cs.ucsb.edu/hotcrp/paper/344?cap=0344aslGK4u9GrOs PGN] ------------------------------ Date: Mon, Jun 8, 2020 at 7: 14 AM From: Skullcap SaVant Subject: 2018 War Game Scenario has Gen Z Revolting (Sent via geoff goodfellow. PGN) This article is a wonderful piece of sleuthing. This news outlet received (via FOIA request) documents detailing a war game scenario that was conducted in 2018 which forecasted a future of revolution by 2025, that would be conducted by GEN Z. The scenario's trigger points are SPOT ON with the current unrest in the world, but sped up by 5 years because of the "unknown unknown" of COVID. The scenario includes GEN Z educating each other on how to use the dark web and thus teaching them to be a generation of "Cyber Punks" which know how to hack and cover their tracks. The wargame plays out with corporations being the most vulnerable, as GEN Z will enact their own form of vigilante justice by siphoning the digital bank accounts of the largest companies and convert it to *bitcoin... *only to be redistributed to the masses "Robin Hood" style. *Pentagon War Game Includes Scenario for Military Response to Domestic Gen Z RebellionEXCERPT: In the face of protests composed largely of young people, the presence of America's military on the streets of major cities has been a controversial <https://www.newsweek.com/gop-senator-urges-trump-deploy-us-military-against-violent-protests-no-quarter-rioters-1507918> development. But this isn't the first time that Generation Z -- those born after 1996 -- has popped up on the Pentagon's radar. Documents obtained by The Intercept via the Freedom of Information Act reveal that a Pentagon war game, called the 2018 Joint Land, Air and Sea Strategic Special Program, or JLASS, offered a scenario in which members of Generation Z, driven by malaise and discontent, launch a ``Zbellion'' in America in the mid-2020s. The Zbellion plot was a small part of JLASS 2018, which also featured scenarios involving Islamist militants in Africa, anti-capitalist extremists, and ISIS successors. The war game was conducted by students and faculty from the U.S. military's war colleges, the training grounds for prospective generals and admirals. While it is explicitly not a national intelligence estimate, the war game, which covers the future through early 2028, is ``intended to reflect a plausible depiction of major trends and influences in the world regions,'' according to the more than 200 pages of documents. According to the scenario, many members of Gen Z -- psychologically scarred in their youth by 9/11 and the Great Recession, crushed by college debt, and disenchanted with their employment options -- have given up on their hopes for a good life and believe the system is rigged against them. Here's how the origins of the uprising are described: [...] https://theintercept.com/2020/06/05/pentagon-war-game-gen-z/ ------------------------------ Date: Mon, 8 Jun 2020 09: 38: 21 -1000 From: geoff goodfellow Subject: A Million-Mile Battery From China Could Power Your Electric Car (Bloomberg) CATL ready to sell pack that lasts 16 years, chairman saysMilestone could bring EV ownership costs down, boost demandThe Chinese behemoth that makes electric-car batteries for Tesla Inc. and Volkswagen AG developed a power pack that lasts more than a million miles -- an industry landmark and a potential boon for automakers trying to sway drivers to their EV models. Contemporary Amperex Technology Co. Ltd. is ready to produce a battery that lasts 16 years and 2 million kilometers (1.24 million miles), Chairman Zeng Yuqun said in an interview at company headquarters in Ningde, southeastern China. Warranties on batteries currently used in electric cars cover about 150,000 miles or eight years, according to BloombergNEF. Extending that lifespan is viewed as a key advance because the pack could be reused in a second vehicle. That would lower the expense of owning an electric vehicle, a positive for an industry that's seeking to recover sales momentum lost to the coronavirus outbreak and the slumping oil prices that made gas guzzlers more competitive. [...] https://www.bloomberg.com/news/articles/2020-06-07/a-million-mile-battery-from-china-could-power-your-electric-car https://www.msn.com/en-us/finance/companies/a-million-mile-battery-from-china-could-power-your-electric-car/ar-BB15ahq8 [This reminds me of The Man in the White Suit, Alec Guiness and the suit that never needed washing or ironing, and what it would to the clothing industry. However, I suppose the Chinese battery would be a very substantial part of the cost of the car, so that you could throw away the car at some point, and reuse the battery in your next car purchase. PGN] ------------------------------ Date: Tue, 9 Jun 2020 10: 47: 57 -0700 From: Lauren Weinstein Subject: Ron Wyden: I wrote this law to protect free speech. Now Trump wants to revoke it. (CNN) https://www.cnn.com/2020/06/09/perspectives/ron-wyden-section-230/index.html ------------------------------ Date: Mon, 8 Jun 2020 13: 56: 22 +0900 From: Dave Farber Subject: Programming 'language': Brain scans reveal coding uses same regions as speech (Medical Express) https://medicalxpress.com/news/2020-06-language-brain-scans-reveal-coding.html [See my book chapter on the need for left-right-brain synergy, relationships to music, and more: Peter G. Neumann, Psychosocial Implications of Computer Software Development and Use: Zen and the Art of Computing, Theory and Practice of Software Technology, (D. Ferrari, M. Bolognani, and J. Goguen (editors). North-Holland, Pages 221--232, 1983. PGN] ------------------------------ Date: Mon, 8 Jun 2020 12: 04: 29 -0400 (EDT) From: ACM TechNews Subject: Cisco's Warning: Critical Flaw in IOS Routers Allows 'Complete System Compromise' (Liam Tung) Liam Tung, ZDNet, 4 Jun 2020 via ACM TechNews, Monday, June 8, 2020 Cisco has released information on four security flaws impacting router equipment that uses its IOS XE and IOS networking software. One flaw involves the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE, which could allow a non-credentialed remote attacker to execute Cisco IOx application-programming-interface commands without proper authorization. Another flaw is a command-injection bug in Cisco's implementation of the inter-virtual machine (VM) channel of Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers and Cisco 1000 Series Connected Grid Routers. The software inadequately validates signaling packets routed to the Virtual Device Server (VDS), which could allow attackers to send malware to an affected device, hijack VDS, and completely compromise the system. The two remaining bugs involve a vulnerability in Cisco's 800 Series industrial routers, through which hackers could remotely execute arbitrary code or cause it to crash and reload. Cisco says it has delivered updates to address the critical flaws affecting its industrial routers. https://orange.hosting.lsoft.com/trk/click?ref=3Dznwrbbrs9_6-25818x222c4bx066802& ------------------------------ Date: June 8, 2020 at 22: 22: 54 GMT+9 From: Dewayne Hendricks Subject: False Negative Tests for SARS-CoV-2 Infection -- Challenges and Implications (NEJM) [Note: This item comes from friend David Rosenthal. DLH] False Negative Tests for SARS-CoV-2 Infection -- Challenges and Implications By Steven Woloshin, M.D., Neeraj Patel, B.A., and Aaron S. Kesselheim, M.D., J.D., M.P.H. Jun 5 2020 <https://www.nejm.org/doi/full/10.1056/NEJMp2015897> There is broad consensus that widespread SARS-CoV-2 testing is essential to safely reopening the United States. A big concern has been test availability, but test accuracy may prove a larger long-term problem. While debate has focused on the accuracy of antibody tests, which identify prior infection, diagnostic testing, which identifies current infection, has received less attention. But inaccurate diagnostic tests undermine efforts at containment of the pandemic. Diagnostic tests (typically involving a nasopharyngeal swab) can be inaccurate in two ways. A false positive result erroneously labels a person infected, with consequences including unnecessary quarantine and contact tracing. False negative results are more consequential, because infected persons -- who might be asymptomatic -- may not be isolated and can infect others. Given the need to know how well diagnostic tests rule out infection, it's important to review assessment of test accuracy by the Food and Drug Administration (FDA) and clinical researchers, as well as interpretation of test results in a pandemic. The FDA has granted Emergency Use Authorizations (EUAs) to commercial test manufacturers and issued guidance on test validation.1 The agency requires measurement of analytic and clinical test performance. Analytic sensitivity indicates the likelihood that the test will be positive for material containing any virus strains and the minimum concentration the test can detect. Analytic specificity indicates the likelihood that the test will be negative for material containing pathogens other than the target virus. Clinical evaluations, assessing performance of a test on patient specimens, vary among manufacturers. The FDA prefers the use of ``natural clinical specimens'' but has permitted the use of ``contrived specimens'' produced by adding viral RNA or inactivated virus to leftover clinical material. Ordinarily, test-performance studies entail having patients undergo an index test and a ``reference standard'' test determining their true state. Clinical sensitivity is the proportion of positive index tests in patients who in fact have the disease in question. Sensitivity, and its measurement, may vary with the clinical setting. For a sick person, the reference-standard test is likely to be a clinical diagnosis, ideally established by an independent adjudication panel whose members are unaware of the index-test results. For SARS-CoV-2, it is unclear whether the sensitivity of any FDA-authorized commercial test has been assessed in this way. Under the EUAs, the FDA does allow companies to demonstrate clinical test performance by establishing the new test's agreement with an authorized reverse-transcriptase-polymerase-chain-reaction (RT-PCR) test in known positive material from symptomatic people or contrived specimens. Use of either known positive or contrived samples may lead to overestimates of test sensitivity, since swabs may miss infected material in practice.1 Designing a reference standard for measuring the sensitivity of SARS-CoV-2 tests in asymptomatic people is an unsolved problem that needs urgent attention to increase confidence in test results for contact-tracing or screening purposes. Simply following people for the subsequent development of symptoms may be inadequate, since they may remain asymptomatic yet be infectious. Assessment of clinical sensitivity in asymptomatic people had not been reported for any commercial test as of June 1, 2020. Two studies from Wuhan Province, China, arouse concern about false negative RT-PCR tests in patients with apparent Covid-19 illness. In a preprint, Yang et al. described 213 patients hospitalized with Covid-19, of whom 37 were critically ill.2 They collected 205 throat swabs, 490 nasal swabs, and 142 sputum samples (median, 3 per patient) and used an RT-PCR test approved by the Chinese regulator. In days 1 through 7 after onset of illness, 11% of sputum, 27% of nasal, and 40% of throat samples were deemed falsely negative. Zhao et al. studied 173 hospitalized patients with acute respiratory symptoms and a chest CT ``typical'' of Covid-19, or SARS-CoV-2 detected in at least one respiratory specimen. Antibody seroconversion was observed in 93%.3 RT-PCR testing of respiratory samples taken on days 1 through 7 of hospitalization were SARS-CoV-23 positive in at least one sample from 67% of patients. Neither study reported using an independent panel, unaware of index-test results, to establish a final diagnosis of Covid-19 illness, which may have biased the researchers toward overestimating sensitivity. In a preprint systematic review of five studies (not including the Yang and Zhao studies), involving 957 patients (``under suspicion of Covid-19'' or with ``confirmed cases''), false negatives ranged from 2 to 29%.4 However, the certainty of the evidence was considered very low because of the heterogeneity of sensitivity estimates among the studies, lack of blinding to index-test results in establishing diagnoses, and failure to report key RT-PCR characteristics.4Taken as a whole, the evidence, while limited, raises concern about frequent false negative RT-PCR results. If SARS-CoV-2 diagnostic tests were perfect, a positive test would mean that someone carries the virus and a negative test that they do not. With imperfect tests, a negative result means only that a person is less likely to be infected. To calculate how likely, one can use Bayes' theorem, which incorporates information about both the person and the accuracy of the test (recently reviewed5). For a negative test, there are two key inputs: pretest probability -- an estimate, before testing, of the person's chance of being infected -- and test sensitivity. Pretest probability might depend on local Covid-19 prevalence, SARS-CoV-2 exposure history, and symptoms. Ideally, clinical sensitivity and specificity of each test would be measured in various clinically relevant real-life situations (e.g., varied specimen sources, timing, and illness severity). Assume that an RT-PCR test was perfectly specific (always negative in people not infected with SARS-CoV-2) and that the pretest probability for someone who, say, was feeling sick after close contact with someone with Covid-19 was 20%. If the test sensitivity were 95% (95% of infected people test positive), the post-test probability of infection with a negative test would be 1%, which might be low enough to consider someone uninfected and may provide them assurance in visiting high-risk relatives. The post-test probability would remain below 5% even if the pretest probability were as high as 50%, a more reasonable estimate for someone with recent exposure and early symptoms in a ``hot spot'' area. But sensitivity for many available tests appears to be substantially lower: the studies cited above suggest that 70% is probably a reasonable estimate. At this sensitivity level, with a pretest probability of 50%, the post-test probability with a negative test would be 23% -- far too high to safely assume someone is uninfected. ------------------------------ From: Attila the Hun Date: Mon, 8 Jun 2020 12: 46: 57 +0100 Subject: Re: Just Stop the Superspreading (Baker, RISKS-31.96) In Just Stop the Superspreading (Arthur T., RISKS-31.95), Henry Baker attributes the statement: "If you think education is expensive, try ignorance", to Derek Bok, a President of Harvard University. Although, in 1978, Ann Landers credited Bok with saying this, in 1998 she wrote that Bok had contacted her and disclaimed authorship of the quotation. A source of the statement might well be a 1902 advertisement for a Conservatory of Music in Ottumwa, Iowa, which included: ``Education is expensive but ignorance is more so.'' Who amended it to the form more commonly known appears to be unknown. ------------------------------ Date: Mon, 8 Jun 2020 17: 50: 08 +0100 From: Wol Subject: Re: Just Stop the Superspreading (Baker, RISKS-31.96) I'll give you that -- the general public -- or rather journalists -- love to talk about the average (the *mean*) but apply where it doesn't make sense. And this is where your argument falls apart (and I lose patience with you). If you're going to slag other people off for poor science, DON'T DO IT YOURSELF. You have just defined all "normal" distributions as the Bell Curve, which itself is NOT a normal distribution. It's rather rare in nature, which is why it's a bloody nuisance as being the easiest to understand but at the same time the least relevant to reality.
For (ab)normal distributions, mean/median/mode can vary widely from one another, or may not even exist -- e.g., the pathological, but not unusual, 'Cauchy' distribution ("applications of the Cauchy distribution ... can be found in fields working with exponential growth" [Wikipedia]), which has neither a*mean/expected value*, nor a*variance*, nor a *standard deviation*, thus for the Cauchy distribution (and many other commonly occurring distributions) Arthur's phrase "the size of the standard deviation" is nonsensical.
I think the rule here is "know your distribution", and don't apply the rules for one when the numbers are a different one. It's like the chi-squared test -- it's tempting to use it more than you should because it seems good, but it's actually totally inappropriate under most circumstances.
Takeaway: when some distribution is not 'normal', then our INTUITION FAILS US.
Let me rephrase that -- when the distribution is not a Bell Curve, then the General Public will completely misunderstand it.
The sign on an abnormal distribution should read: "Abandon all intuition, ye who enter here". Something is dreadfully wrong when the variance/standard deviation or even the mean/expected value does not exist. Even when the mean/'expected value' does exist for such an abnormal distribution, it is almost always misleading and/or useless. Perhaps it would be more appropriate to call such a mean 'the SUSpected value'!:-)
I think you think you are talking about pretty much anything outside of a Bell Curve. But other distributions are also well understood (by statisticians). For example, your beloved (ab)normal SuperSpreader distribution is just a normal skewed distribution -- the same distribution and maths associated with salaries, actually -- and I would think that is well understood! (And while I would not claim to be a statistician, having studied Statistics, Relativity and Quantum Mechanics at Uni, I can at least spot a bullshit argument relatively
easily.) ------------------------------ Date: Tue, 9 Jun 2020 11: 24: 37 +0300 From: Amos Shapir Subject: Re: Just Stop the Superspreading (Baker, Risks 31.96) The way I've heard it, when one asks "Why do models use the normal distribution?", statisticians say "We don't know, the mathematicians tell us it's easier to calculate that way", and mathematicians say "We don't know, the statisticians tell us this is what happens in the real world". ------------------------------ Date: Tue, 9 Jun 2020 08: 25: 06 -0700 From: Rob Slade Subject: Re: Just Stop the Superspreading (Baker, RISKS-31.96)
and with Avagadro's number of 'independent' variables
Does that mean we have a mole influencing our decisions? ------------------------------ Date: Mon, 1 Jun 2020 11: 11: 11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 31.97
- Risks Digest 31.97 RISKS List Owner (Jun 09)