Risks Digest 31.97

risks logo
mailing list archives

Risks Digest 31.97

From: RISKS List Owner

Date: Tue, 9 Jun 2020 13: 08: 59 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 9 June 2020  Volume 31 : Issue 97

Peter G. Neumann, founder and still moderator

See last item for further information, disclaimers, caveats, etc. This issue is archived at <http://www.risks.org> as
The current issue can also be found at

Democracy Live Internet voting: unsurprisingly insecure, and surprisingly
  insecure (Specter and Halderman, with Andrew Appel's comments via PGN)
More on Internet e-voting: Swiss Post purchases Scytl (SwissInfo)
Report Details New Cyber Threats to Elections From Covid-19 (Maggie Miller)
IBM ends all facial recognition business as CEO calls out bias and
  inequality (TechCrunch)
Cox slows an entire neighborhood's Internet after one person's'excessive
  use' (Engadget)
Environmentalists Targeted Exxon Mobil. Then Hackers Targeted Them. (NYTimes)
Big brands bring the fight to Big Tech (Politico)
System Security Integration Through Hardware and Firmware (DARPA via
  Richard Stein))
2018 War Game Scenario has Gen Z Revolting (Skullcap SaVant via goodfellow)
A Million-Mile Battery From China Could Power Your Electric Car (Bloomberg)
I wrote this law to protect free speech.   Now Trump wants to revoke it.
  (Ron Wyden via CNN)
Programming 'language': Brain scans reveal coding uses same regions as
  speech (Medical Express)
Cisco's Warning: Critical Flaw in IOS Routers Allows 'Complete System
  Compromise' (Liam Tung)
False Negative Tests for SARS-CoV-2 Infection -- Challenges and Implications
Re: Just Stop the Superspreading (Atilla, Wol, Amos Shapir, Rob Slade)
Abridged info on RISKS (comp.risks)


Date: Tue, 9 Jun 2020 10: 29: 39 PDT
From: "Peter G. Neumann" 
Subject: Democracy Live Internet voting: unsurprisingly insecure, and
  surprisingly insecure (Specter and Halderman, with Andrew Appel's
  comments via PGN)

A new report by Michael Specter (MIT) and Alex Halderman (U. of Michigan)
demonstrates that the OmniBallot Internet voting system from Democracy Live
<https://democracylive.com/> is fatally insecure. That by itself is not
surprising, as *no known technologycould make it secure. What is
surprising is all the /unexpected/ insecurities that Democracy Live crammed
into OmniBallot -- and the way that Democracy Live skims so much of the
voter's private information.


Andrew Appel  has posted an extremely relevant article
in Freedom-to-Tinker: https://freedom-to-tinker.com/author/appel/

  The OmniBallot Internet voting system from Democracy Live finds surprising
  new ways to be insecure, in addition to the usual (severe, fatal)
  insecurities common to all Internet voting systems.

  There's a very clear scientific consensus that ``the Internet should not
  be used for the return of marked ballots'' because ``no known technology
  guarantees the secrecy, security, and verifiability of a marked ballot
  transmitted over the Internet.''  That's from the National Academies 2018
  consensus study report <https://doi.org/10.17226/25120>, consistent with
  the May 2020 recommendations from the U.S. EAC/NIST/FBI/CISA.

  [Please read the entire paper and Andrew's commentary.  They are very
  revealing, and devastating for those persons who believe that Internet
  voting can be made secure.  Every known attempt seems to have been easily
  defeated: Washington DC 2010, Estonia 2014, Australia 2015, Scytl in
  Switzerland 2019, Voatz in West Virginia 2020, OmniBallot now.  Insiders
  at any of four private companies (Democracy Live, Google, Amazon,
  Cloudflare), or any hackers who manage to hack into these companies, can
  steal votes: Democracy Live doesn't run its own servers.  PGN-excerpted]


Date: Tue, 9 Jun 2020 10: 11: 57 PDT
From: "Peter G. Neumann" 
Subject: More on Internet e-voting: Swiss Post purchases Scytl (SwissInfo)

Swiss Post set to relaunch its e-voting system | Sonia Fenazzi/SwissInfo
The controversial issue of e-voting is back: Swiss Post, which had halted
the development of a project in July 2019, has bought a Spanish-owned system
and plans to propose a platform ready for testing by 2021.

Opposition to the plans of Swiss Post remains strong.  The purchase was
reported on May 17 by the SonntagsBlick newspaper, who wrote that the deal
between Swiss Post and Spanish firm Scytl had been settled for an
unspecified amount.

The deal follows the bankruptcy of the Spanish company, with whom Swiss Post
had been working on a system until flaws discovered last year sparked a
political debate, which ended in the government dropping e-voting plans for
the time being.

Swiss Post spokesperson Oliver Fl=C3=BCeler confirmed to swissinfo.ch that
last summer, despite the opposition, his company decided to continue
developing a system on its own, and ``after several months of negotiations''
it secured the rights to the source code from Scytl.

The aim is now to propose an e-vote system by 2021 that ``takes into account
various federal particularities'' and ``responds even better to the high and
specific requirements of a Swiss electronic voting system'', Fl=C3=BCeler

He added that Swiss Post takes public concerns about security and the role
of foreign suppliers very seriously, but insisted that it doesn't plan to go
it completely alone.

``In future, Swiss Post will increasingly cooperate with Swiss universities
of applied sciences, other higher education institutions and encryption
experts,'' he said. And ``to guarantee maximum security at all times, Swiss
Post ``will reissue the new improved source code so that independent
national and international experts can verify any weaknesses''.


E-voting was first introduced in Switzerland on a limited basis in 2003, as
part of ongoing tests. However, political opposition and skepticism over the
safety of such a voting channel has been a constant over the years, and
again with this latest twist, not everyone is happy.

Franz Gr=C3=BCter, a right-wing parliamentarian who also heads a people's
initiative calling for a moratorium on e-voting projects in Switzerland,
criticised the Swiss Post move and called for a parliamentary inquiry.

``There are good reasons to check whether Swiss Post -- a state-controlled
company -- acted correctly and paid a fair price, because the whole thing
seems to lack transparency,'' he said.

The parliamentarian and IT entrepreneur added: ``It's hard to believe that
Swiss Post has paid an undisclosed price for a system which we already know
doesn't work properly. In other countries, too, Scytl systems have
experienced major problems. Perhaps that's precisely why the company went

He said Swiss Post should have started from scratch and developed an
entirely new system, ``which could have restored trust and therefore
considerably reduced opposition to e-voting'' -- an opposition that is
widespread in Swiss political circles.  [PGN truncated for RISKS]


Date: Mon, 8 Jun 2020 12: 04: 29 -0400 (EDT)
From: ACM TechNews 
Subject: Report Details New Cyber Threats to Elections From Covid-19
  (Maggie Miller)

Maggie Miller, *The Hill*, 5 Jun 2020 via ACM TechNews, Monday, June 8, 2020

A report compiled by New York University's Brennan Center for Justice
outlines a wide range of cyber threats stemming from voting changes prompted
by Covid-19. Such threats include attempts to target election officials
working on unsecured networks at home, recovering from voter registration
system outages, and securing online ballot request systems. Report co-author
Lawrence Norden said election officials already dealing with cyber threats
now face additional challenges due to the pandemic. Election-security
upgrades come with funding challenges because of Covid-19 disruptions, and
the Brennan Center calculates $4 billion must be appropriated to make needed
changes. Said Norden, "There is no question that what Congress can do, and
really has to do very soon, is provide more money to states and localities
so they can invest in election security over the next few months."


Date: Mon, 8 Jun 2020 18: 54: 33 -0700
From: Lauren Weinstein 
Subject: IBM ends all facial recognition business as CEO calls out bias and
  inequality (TechCrunch)



Date: Tue, 9 Jun 2020 10: 44: 34 -0700
From: Lauren Weinstein 
Subject: Cox slows an entire neighborhood's Internet after one person's
  'excessive use' (Engadget)



Date: Tue, 9 Jun 2020 09: 53: 48 -0400
From: Monty Solomon 
Subject: Environmentalists Targeted Exxon Mobil. Then Hackers Targeted Them.

Federal prosecutors in Manhattan are investigating a global hacker-for-hire
operation that sent phishing emails to environmental groups, journalists and



Date: Tue, 9 Jun 2020 17: 28: 19 +0800
From: Richard Stein 
Subject: Big brands bring the fight to Big Tech (Politico)


The EU's Digital Services Act proposes platform rules to suppress and
prevent counterfeit IP sales, such as fraudulent-branded women's accessories
(handbags, shoes, etc.), that appear for sale on Amazon.com, Facebook,

The platforms now practice voluntary fraud prevention efforts: "Amazon said
the company invested 'over $500 million in 2019 and has more than 8,000
employees protecting [their] store from fraud and abuse.'"

"Despite these efforts, "it's still like comparing Chernobyl with [the Three
Mile Island nuclear accident in] Harrisburg,' Pennsylvania, Daniel
Wellington's Sj�strand said."

Policing (inspecting and certifying) platform supplier bona fides, and the
authenticity of brand-name sale items is time-consuming, difficult to
fulfill, slows inventory turnover in warehouses, etc. The platforms have
instituted policing for personnel protective equipment during the COVID-19
Pandemic. Why not continue this practice for less vital goods?

The affected consumer brands (Nike, LVMH, Coach, Kate Spade, etc.)
hemorrhage profits from an escalating sales velocity of highly desirable,
and apparently good enough, knock-offs. One business' profit is another
business' expense.

Counterfeit consumer item sales liability will be challenging to resolve and
enforce internationally.

Counterfeit internet sales is big business for the ethically-challenged and
the criminally-inclined.
https://en.wikipedia.org/wiki/Counterfeit_consumer_goods estimates the tab
at US$ 1.77T in 2015 and growing. Millions of jobs at risk, stock prices
gutted, salaries and bonuses cut, reputations risked, etc.


Date: Tue, 9 Jun 2020 10: 05: 53 +0800
From: Richard Stein 
Subject: System Security Integration Through Hardware and Firmware (DARPA)


"Electronic system security has become an increasingly critical area of
concern for the DoD and more broadly for security of the U.S. as a whole.
Current efforts to provide electronic security largely rely on robust
software development and integration. Present responses to hardware
vulnerability attacks typically consist of developing and deploying patches
to the software firewall without identifying or addressing the underlying
hardware vulnerability. As a result, while a specific attack or
vulnerability instance is defeated, creative programmers can develop new
methods to exploit the remaining hardware vulnerability and a continuous
cycle of exploitation, patching, and subsequent exploitations ensues.

"The System Security Integration Through Hardware and Firmware (SSITH)
program seeks to break this cycle of vulnerability exploitation by
developing hardware security architectures and associated design tools to
protect systems against classes of hardware vulnerabilities exploited
through software, not just vulnerability instances. Areas of exploration
that are targeted by SSITH include anomalous state detection, meta-data
tagging, and churning of the electronic attack surface. The goal of the
program is to develop ideas and design tools that will enable system-on-chip
(SoC) designers to safeguard hardware against all known classes of hardware
vulnerabilities that can be exploited through software, such as exploitation
of permissions and privilege in the system architectures, memory errors,
information leakage, and code injection. To accomplish its goal, SSITH seeks
to encourage collaboration between research teams, commercial teams, and
traditional DoD performers to provide robust and flexible solutions
applicable to both DoD and commercial electronic systems."

  Constructive to subdue microcode-enabled exploits. Formal methods (FM)
  (see https://en.wikipedia.org/wiki/Formal_methods#Applications) have been
  applied in some cases.

  During the 1980s, I seem to recall the INMOS transputer applied FM to
  demonstrate IEEE-754 floating-point verification compliance.

  Once implemented, will the IP comprising the tools and their test cases be
  immunized against unauthorized access or from theft?

    [A paper on formal proofs of security-critical properties of the CHERI
    hardware instruction-set architecture being developed under one of the
    SSITH projects appeared last month in the IEEE Symposium on Security and

      Kyndylan Nienhuis, Alexandre Joannou, Thomas Bauereiss, Anthony Fox,
      Michael Roe, Brian Campbell, Matthew Naylor, Robert M. Norton, Simon
      W. Moore, Peter G. Neumann, Ian Stark, Robert N. M. Watson, Peter
      Sewell, Rigorous Engineering for Hardware Security: Formal Modelling
      and Proof in the CHERI Design and Implementation Process, 2020 IEEE
      Symposium on Security and Privacy, pp. 1007-1024.



Date: Mon, Jun 8, 2020 at 7: 14 AM
From: Skullcap SaVant 
Subject: 2018 War Game Scenario has Gen Z Revolting

  (Sent via geoff goodfellow.  PGN)

This article is a wonderful piece of sleuthing. This news outlet received
(via FOIA request) documents detailing a war game scenario that was
conducted in 2018 which forecasted a future of revolution by 2025, that
would be conducted by GEN Z. The scenario's trigger points are SPOT ON with
the current unrest in the world, but sped up by 5 years because of the
"unknown unknown" of COVID.

The scenario includes GEN Z educating each other on how to use the dark web
and thus teaching them to be a generation of "Cyber Punks" which know how to
hack and cover their tracks. The wargame plays out with corporations being
the most vulnerable, as GEN Z will enact their own form of vigilante justice
by siphoning the digital bank accounts of the largest companies and convert
it to *bitcoin... *only to be redistributed to the masses "Robin Hood"

*Pentagon War Game Includes Scenario for Military Response to Domestic Gen
Z RebellionEXCERPT:

In the face of protests composed largely of young people, the presence of
America's military on the streets of major cities has been a controversial
development. But this isn't the first time that Generation Z -- those born
after 1996 -- has popped up on the Pentagon's radar.

Documents obtained by The Intercept via the Freedom of Information Act
reveal that a Pentagon war game, called the 2018 Joint Land, Air and Sea
Strategic Special Program, or JLASS, offered a scenario in which members of
Generation Z, driven by malaise and discontent, launch a ``Zbellion'' in
America in the mid-2020s.

The Zbellion plot was a small part of JLASS 2018, which also featured
scenarios involving Islamist militants in Africa, anti-capitalist
extremists, and ISIS successors. The war game was conducted by students and
faculty from the U.S. military's war colleges, the training grounds for
prospective generals and admirals. While it is explicitly not a national
intelligence estimate, the war game, which covers the future through early
2028, is ``intended to reflect a plausible depiction of major trends and
influences in the world regions,'' according to the more than 200 pages of

According to the scenario, many members of Gen Z -- psychologically scarred
in their youth by 9/11 and the Great Recession, crushed by college debt,
and disenchanted with their employment options -- have given up on their
hopes for a good life and believe the system is rigged against them. Here's
how the origins of the uprising are described: [...]


Date: Mon, 8 Jun 2020 09: 38: 21 -1000
From: geoff goodfellow 
Subject: A Million-Mile Battery From China Could Power Your Electric Car

CATL ready to sell pack that lasts 16 years, chairman saysMilestone
could bring EV ownership costs down, boost demandThe Chinese behemoth that makes electric-car batteries for Tesla Inc. and
Volkswagen AG developed a power pack that lasts more than a million miles --
an industry landmark and a potential boon for automakers trying to sway
drivers to their EV models.

Contemporary Amperex Technology Co. Ltd. is ready to produce a battery that
lasts 16 years and 2 million kilometers (1.24 million miles), Chairman Zeng
Yuqun said in an interview at company headquarters in Ningde, southeastern
China. Warranties on batteries currently used in electric cars cover about
150,000 miles or eight years, according to BloombergNEF.

Extending that lifespan is viewed as a key advance because the pack could
be reused in a second vehicle. That would lower the expense of owning an
electric vehicle, a positive for an industry that's seeking to recover
sales momentum lost to the coronavirus outbreak and the slumping oil prices
that made gas guzzlers more competitive. [...]


  [This reminds me of The Man in the White Suit, Alec Guiness and the suit
  that never needed washing or ironing, and what it would to the clothing
  industry.  However, I suppose the Chinese battery would be a very
  substantial part of the cost of the car, so that you could throw away the
  car at some point, and reuse the battery in your next car purchase.  PGN]


Date: Tue, 9 Jun 2020 10: 47: 57 -0700
From: Lauren Weinstein 
Subject: Ron Wyden: I wrote this law to protect free speech.   Now Trump
  wants to revoke it.  (CNN)



Date: Mon, 8 Jun 2020 13: 56: 22 +0900
From: Dave Farber 
Subject: Programming 'language': Brain scans reveal coding uses same regions
  as speech (Medical Express)


  [See my book chapter on the need for left-right-brain synergy,
  relationships to music, and more:
    Peter G. Neumann, Psychosocial Implications of Computer Software
    Development and Use: Zen and the Art of Computing,
    Theory and Practice of Software Technology,
    (D. Ferrari, M. Bolognani, and J. Goguen (editors). North-Holland,
    Pages 221--232, 1983.


Date: Mon, 8 Jun 2020 12: 04: 29 -0400 (EDT)
From: ACM TechNews 
Subject: Cisco's Warning: Critical Flaw in IOS Routers Allows 'Complete
  System Compromise' (Liam Tung)

Liam Tung, ZDNet, 4 Jun 2020 via ACM TechNews, Monday, June 8, 2020

Cisco has released information on four security flaws impacting router
equipment that uses its IOS XE and IOS networking software. One flaw
involves the authorization controls for the Cisco IOx application hosting
infrastructure in Cisco IOS XE, which could allow a non-credentialed remote
attacker to execute Cisco IOx application-programming-interface commands
without proper authorization. Another flaw is a command-injection bug in
Cisco's implementation of the inter-virtual machine (VM) channel of Cisco
IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers
and Cisco 1000 Series Connected Grid Routers. The software inadequately
validates signaling packets routed to the Virtual Device Server (VDS), which
could allow attackers to send malware to an affected device, hijack VDS, and
completely compromise the system. The two remaining bugs involve a
vulnerability in Cisco's 800 Series industrial routers, through which
hackers could remotely execute arbitrary code or cause it to crash and
reload. Cisco says it has delivered updates to address the critical flaws
affecting its industrial routers.


Date: June 8, 2020 at 22: 22: 54 GMT+9
From: Dewayne Hendricks 
Subject: False Negative Tests for SARS-CoV-2 Infection -- Challenges and
  Implications (NEJM)

  [Note:  This item comes from friend David Rosenthal.  DLH]

False Negative Tests for SARS-CoV-2 Infection -- Challenges and Implications
By Steven Woloshin, M.D., Neeraj Patel, B.A., and Aaron S. Kesselheim, M.D., J.D., M.P.H.
Jun 5 2020

There is broad consensus that widespread SARS-CoV-2 testing is essential to
safely reopening the United States. A big concern has been test
availability, but test accuracy may prove a larger long-term problem.

While debate has focused on the accuracy of antibody tests, which identify
prior infection, diagnostic testing, which identifies current infection, has
received less attention. But inaccurate diagnostic tests undermine efforts
at containment of the pandemic.

Diagnostic tests (typically involving a nasopharyngeal swab) can be
inaccurate in two ways. A false positive result erroneously labels a person
infected, with consequences including unnecessary quarantine and contact
tracing. False negative results are more consequential, because infected
persons -- who might be asymptomatic -- may not be isolated and can infect

Given the need to know how well diagnostic tests rule out infection, it's
important to review assessment of test accuracy by the Food and Drug
Administration (FDA) and clinical researchers, as well as interpretation of
test results in a pandemic.

The FDA has granted Emergency Use Authorizations (EUAs) to commercial test
manufacturers and issued guidance on test validation.1 The agency requires
measurement of analytic and clinical test performance. Analytic sensitivity
indicates the likelihood that the test will be positive for material
containing any virus strains and the minimum concentration the test can
detect. Analytic specificity indicates the likelihood that the test will be
negative for material containing pathogens other than the target virus.

Clinical evaluations, assessing performance of a test on patient specimens,
vary among manufacturers. The FDA prefers the use of ``natural clinical
specimens'' but has permitted the use of ``contrived specimens'' produced by
adding viral RNA or inactivated virus to leftover clinical
material. Ordinarily, test-performance studies entail having patients
undergo an index test and a ``reference standard'' test determining their
true state. Clinical sensitivity is the proportion of positive index tests
in patients who in fact have the disease in question. Sensitivity, and its
measurement, may vary with the clinical setting. For a sick person, the
reference-standard test is likely to be a clinical diagnosis, ideally
established by an independent adjudication panel whose members are unaware
of the index-test results. For SARS-CoV-2, it is unclear whether the
sensitivity of any FDA-authorized commercial test has been assessed in this
way. Under the EUAs, the FDA does allow companies to demonstrate clinical
test performance by establishing the new test's agreement with an authorized
reverse-transcriptase-polymerase-chain-reaction (RT-PCR) test in known
positive material from symptomatic people or contrived specimens. Use of
either known positive or contrived samples may lead to overestimates of test
sensitivity, since swabs may miss infected material in practice.1

Designing a reference standard for measuring the sensitivity of SARS-CoV-2
tests in asymptomatic people is an unsolved problem that needs urgent
attention to increase confidence in test results for contact-tracing or
screening purposes. Simply following people for the subsequent development
of symptoms may be inadequate, since they may remain asymptomatic yet be
infectious. Assessment of clinical sensitivity in asymptomatic people had
not been reported for any commercial test as of June 1, 2020.

Two studies from Wuhan Province, China, arouse concern about false negative
RT-PCR tests in patients with apparent Covid-19 illness. In a preprint, Yang
et al. described 213 patients hospitalized with Covid-19, of whom 37 were
critically ill.2 They collected 205 throat swabs, 490 nasal swabs, and 142
sputum samples (median, 3 per patient) and used an RT-PCR test approved by
the Chinese regulator. In days 1 through 7 after onset of illness, 11% of
sputum, 27% of nasal, and 40% of throat samples were deemed falsely
negative. Zhao et al. studied 173 hospitalized patients with acute
respiratory symptoms and a chest CT ``typical'' of Covid-19, or SARS-CoV-2
detected in at least one respiratory specimen. Antibody seroconversion was
observed in 93%.3 RT-PCR testing of respiratory samples taken on days 1
through 7 of hospitalization were SARS-CoV-23 positive in at least one
sample from 67% of patients. Neither study reported using an independent
panel, unaware of index-test results, to establish a final diagnosis of
Covid-19 illness, which may have biased the researchers toward
overestimating sensitivity.

In a preprint systematic review of five studies (not including the Yang and
Zhao studies), involving 957 patients (``under suspicion of Covid-19'' or
with ``confirmed cases''), false negatives ranged from 2 to 29%.4 However,
the certainty of the evidence was considered very low because of the
heterogeneity of sensitivity estimates among the studies, lack of blinding
to index-test results in establishing diagnoses, and failure to report key
RT-PCR characteristics.4Taken as a whole, the evidence, while limited,
raises concern about frequent false negative RT-PCR results.

If SARS-CoV-2 diagnostic tests were perfect, a positive test would mean that
someone carries the virus and a negative test that they do not. With
imperfect tests, a negative result means only that a person is less likely
to be infected. To calculate how likely, one can use Bayes' theorem, which
incorporates information about both the person and the accuracy of the test
(recently reviewed5). For a negative test, there are two key inputs: pretest
probability -- an estimate, before testing, of the person's chance of being
infected -- and test sensitivity. Pretest probability might depend on local
Covid-19 prevalence, SARS-CoV-2 exposure history, and symptoms. Ideally,
clinical sensitivity and specificity of each test would be measured in
various clinically relevant real-life situations (e.g., varied specimen
sources, timing, and illness severity).

Assume that an RT-PCR test was perfectly specific (always negative in people
not infected with SARS-CoV-2) and that the pretest probability for someone
who, say, was feeling sick after close contact with someone with Covid-19
was 20%. If the test sensitivity were 95% (95% of infected people test
positive), the post-test probability of infection with a negative test would
be 1%, which might be low enough to consider someone uninfected and may
provide them assurance in visiting high-risk relatives. The post-test
probability would remain below 5% even if the pretest probability were as
high as 50%, a more reasonable estimate for someone with recent exposure and
early symptoms in a ``hot spot'' area.

But sensitivity for many available tests appears to be substantially lower:
the studies cited above suggest that 70% is probably a reasonable
estimate. At this sensitivity level, with a pretest probability of 50%, the
post-test probability with a negative test would be 23% -- far too high to
safely assume someone is uninfected.


From: Attila the Hun 
Date: Mon, 8 Jun 2020 12: 46: 57 +0100
Subject: Re: Just Stop the Superspreading (Baker, RISKS-31.96)

In Just Stop the Superspreading (Arthur T., RISKS-31.95), Henry
Baker attributes the statement: "If you think education is expensive, try
ignorance", to Derek Bok, a President of Harvard University.

Although, in 1978, Ann Landers credited Bok with saying this, in 1998 she
wrote that Bok had contacted her and disclaimed authorship of the quotation.

A source of the statement might well be a 1902 advertisement for a
Conservatory of Music in Ottumwa, Iowa, which included: ``Education is
expensive but ignorance is more so.''  Who amended it to the form more
commonly known appears to be unknown.


Date: Mon, 8 Jun 2020 17: 50: 08 +0100
From: Wol 
Subject: Re: Just Stop the Superspreading (Baker, RISKS-31.96)

I'll give you that -- the general public -- or rather journalists -- love to
talk about the average (the *mean*) but apply where it doesn't make sense.

And this is where your argument falls apart (and I lose patience with
you). If you're going to slag other people off for poor science, DON'T DO IT

You have just defined all "normal" distributions as the Bell Curve, which
itself is NOT a normal distribution. It's rather rare in nature, which is
why it's a bloody nuisance as being the easiest to understand but at the
same time the least relevant to reality.

For (ab)normal distributions, mean/median/mode can vary widely from one
another, or may not even exist -- e.g., the pathological, but not unusual,
'Cauchy' distribution ("applications of the Cauchy distribution ... can be
found in fields working with exponential growth" [Wikipedia]), which has
neither a*mean/expected value*, nor a*variance*, nor a *standard
deviation*, thus for the Cauchy distribution (and many other commonly
occurring distributions) Arthur's phrase "the size of the standard
deviation" is nonsensical.
I think the rule here is "know your distribution", and don't apply the rules
for one when the numbers are a different one. It's like the chi-squared test
-- it's tempting to use it more than you should because it seems good, but
it's actually totally inappropriate under most circumstances.

Takeaway: when some distribution is not 'normal', then our INTUITION FAILS
Let me rephrase that -- when the distribution is not a Bell Curve, then the
General Public will completely misunderstand it.

The sign on an abnormal distribution should read: "Abandon all
intuition, ye who enter here".  Something is dreadfully wrong when the
variance/standard deviation or even the mean/expected value does not exist.
Even when the mean/'expected value' does exist for such an abnormal
distribution, it is almost always misleading and/or useless.  Perhaps it
would be more appropriate to call such a mean 'the SUSpected value'!:-)
I think you think you are talking about pretty much anything outside of a
Bell Curve. But other distributions are also well understood (by

For example, your beloved (ab)normal SuperSpreader distribution is just a
normal skewed distribution -- the same distribution and maths associated
with salaries, actually -- and I would think that is well understood!

(And while I would not claim to be a statistician, having studied
Statistics, Relativity and Quantum Mechanics at Uni, I can at least spot a
bullshit argument relatively  easily.)


Date: Tue, 9 Jun 2020 11: 24: 37 +0300
From: Amos Shapir 
Subject: Re: Just Stop the Superspreading (Baker, Risks 31.96)

The way I've heard it, when one asks "Why do models use the normal
distribution?", statisticians say "We don't know, the mathematicians tell us
it's easier to calculate that way", and mathematicians say "We don't know,
the statisticians tell us this is what happens in the real world".


Date: Tue, 9 Jun 2020 08: 25: 06 -0700
From: Rob Slade 
Subject: Re: Just Stop the Superspreading (Baker, RISKS-31.96)

and with Avagadro's number of 'independent' variables
Does that mean we have a mole influencing our decisions?


Date: Mon, 1 Jun 2020 11: 11: 11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 31.97

  By Date  
  By Thread  

Current thread:

  • Risks Digest 31.97 RISKS List Owner (Jun 09)

Read More