Risks Digest 31.81

[RISKS List Owner <risko () csl sri com>]

RISKS-LIST: Risks-Forum Digest  Friday 8 May 2020  Volume 31 : Issue 81

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.81>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
U.S. government plans to urge states to resist 'high-risk' Internet voting
  (Kim Zetter)
Trading computer can't handle negative numbers (Henry Baker)
Nearly 20,000 Georgia Teens Are Issued Driver's Licenses Without a Road Test
  (NYTimes)
Risk of Misinterpreting Hydrogen Peroxide Indicator Colors for Vapor
  Sterilization: Letter to Health Care Providers (FDA)
GitHub Takes Aim at Open Source Software Vulnerabilities (WiReD)
Snake ransomware targeting healthcare now claims to steal unencrypted files
  before encrypting computers on a network (BleepingComputer]
China's Military Is Tied to Debilitating New Cyberattack Tool (NYTimes)
Coronavirus Proves Only Structural Changes Can Avert Climate Apocalypse
  (IEA)
Which COVID-19 models should we use to make policy decisions? (MedixlXpress)
COVID SW model is a steaming pile ... (Whistleblower via Henry Baker)
German contact-tracing app to be rolled out in mid-June (Politico)
Digital immunity passport is `the lesser of two evils' (Politico)
Flu vs. COVID-19 (geoff goodfellow)
Re: Visualization shows droplets from one cough on an airplane (Amos Shapir)
Re: What the Coronavirus Crisis Reveals... (Chris Drewe)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 8 May 2020 10:55:09 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: U.S. government plans to urge states to resist 'high-risk' Internet
  voting (Kim Zetter)

 (Kim Zetter in *The Guardian* [always an incisive reporter.  PGN]

https://www.theguardian.com/us-news/2020/may/08/us-government-internet-voting-department-of-homeland-security

Added note: *The Guardian has published the entire DHS document.  PGN]
https://www.scribd.com/document/460491458/CISA-Guidelines-on-Internet-Voting

------------------------------

Date: Fri, 08 May 2020 15:16:59 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Trading computer can't handle negative numbers

I know it's hard to believe after all of the Y2K hoopla, but here we are
again.

Trading computer software can't handle negative oil prices; it costs firm at
least $100 million.

Next up: I would imagine that negative interest rates would blow
U.S. financial customer accounts sky high (EU customers have already seen
negative interest rates).

BTW, square roots crop up in some trading calculations -- e.g., option
pricing.  How long until we read about trading computers blowing up with
complex numbers?

https://www.bloomberg.com/news/articles/2020-05-08/oil-crash-busted-a-broker-s-computers-and-inflicted-huge-losses?srnd=premium

Matthew Leising  Updated 8 May 2020, 12:16 PM EDT
Oil Crash Busted Broker's Computers and Inflicted Big Losses

  Interactive Brokers users couldn't trade when oil broke zero Incident will
  cost firm more than $100 million, chairman says

Syed Shah usually buys and sells stocks and currencies through his
Interactive Brokers account, but he couldn't resist trying his hand at some
oil trading on April 20, the day prices plunged below zero for the first
time ever. The day trader, working from his house in a Toronto suburb,
figured he couldn't lose as he spent $2,400 snapping up crude at $3.30 a
barrel, and then 50 cents. Then came what looked like the deal of a
lifetime: buying 212 futures contracts on West Texas Intermediate for an
astonishing penny each.

What he didn't know was oil's first trip into negative pricing had broken
Interactive Brokers Group Inc. Its software couldn't cope with that pesky
minus sign, even though it was always technically possible -- though this
was an outlandish idea before the pandemic -- for the crude market to go
upside down. Crude was actually around negative $3.70 a barrel when Shah's
screen had it at 1 cent. Interactive Brokers never displayed a subzero price
to him as oil kept diving to end the day at minus $37.63 a barrel.

At midnight, Shah got the devastating news: he owed Interactive Brokers $9
million. He'd started the day with $77,000 in his account.

"I was in shock," the 30-year-old said in a phone interview. "I felt like
everything was going to be taken from me, all my assets."

To be clear, investors who were long those oil contracts had a brutal day,
regardless of what brokerage they had their account in. What set Interactive
Brokers apart, though, is that its customers were flying blind, unable to
see that prices had turned negative, or in other cases locked into their
investments and blocked from trading.  Compounding the problem, and a big
reason why Shah lost an unbelievable amount in a few hours, is that the
negative numbers also blew up the model Interactive Brokers used to
calculate the amount of margin -- aka collateral -- that customers needed to
secure their accounts.

Thomas Peterffy, the chairman and founder of Interactive Brokers, says the
journey into negative territory exposed bugs in the company's
software. "It's a $113 million mistake on our part," the 75-year-old
billionaire said in an interview Wednesday. Since then, his firm revised its
maximum loss estimate to $109.3 million. It's been a moving target from the
start; on April 21, Interactive Brokers figured it was down $88 million from
the incident.

Customers will be made whole, Peterffy said. "We will rebate from our own
funds to our customers who were locked in with a long position during the
time the price was negative any losses they suffered below zero."

That could help Shah. The day trader in Mississauga, Canada, bought his
first five contracts for $3.30 each at 1:19 p.m. that historic Monday. Over
the next 40 minutes or so he bought 21 more, the last for 50 cents. He tried
to put an order in for a negative price, but the Interactive Brokers system
rejected it, so he became more convinced that it wasn't possible for oil to
go below zero. At 2:11 p.m., he placed that dream-turned-nightmare trade at
a penny.

It was only later that night that he saw on the news that oil had plunged to
the never-before-seen price of negative $37.63 per barrel.  What did that
mean for the hundreds of contracts he'd bought?  He frantically tried to
contact support at the firm, but no one could help him. Then that late-night
statement arrived with a loss so big it was expressed with an exponent.

The problem wasn't confined to North America. Thousands of miles away,
Interactive Brokers customer Manfred Koller ran into trouble similar to what
Shah faced. Koller, who lives near Frankfurt and trades from his home
computer on behalf of two friends, also didn't realize oil prices could go
negative.

He'd bought contracts for his friends on Interactive Brokers that day at $11
and between $4 and $5. Just after 2 p.m. New York time, his trading screen
froze. "The price feed went black, there were no bids or offers anymore," he
said in an interview. Yet as far as he knew at this point, according to his
Interactive Brokers account, he didn't have anything to worry about as
trading closed for the day.

Following the carnage, Interactive Brokers sent him notice that he owed
$110,000. His friends were completely wiped out. "This is definitely not
what you want to do, lose all your money in 20 minutes," Koller said.

Besides locking up because of negative prices, a second issue concerned the
amount of money Interactive Brokers required its customers to have on hand
in order to trade. Known as margin, it's a vital risk measure to ensure
traders don't lose more than they can afford. For the 212 oil contracts Shah
bought for 1 cent each, the broker only required his account to have $30 of
margin per contract.  It was as if Interactive Brokers thought the potential
loss of buying at one cent was one cent, rather than the almost unlimited
downside that negative prices imply, he said.

"It seems like they didn't know it could happen," Shah said.

But it was known industry-wide that CME Group Inc.'s benchmark oil contracts
could go negative. Five days before the mayhem, the owner of the New York
Mercantile Exchange, where the trading took place, sent a notice to all its
clearing-member firms advising them that they could test their systems using
negative prices. "Effective immediately, firms wishing to test such negative
futures and/or strike prices in their systems may utilize CME's ‘New
Release' testing environments" for crude oil, the exchange said.

Interactive Brokers got that notice, Peterffy said. But he doesn't feel five
days was enough time to upgrade his company's trading platform.

"Five days, including the weekend, with the coronavirus going on and a
complex system where we have to make many changes, was not a sufficient
amount of time," he said. "The idea we could have bugs is not, in my mind, a
surprise." He also acknowledged the error in the margin model Interactive
Brokers used that day.

According to Peterffy, its customers were long 563 oil contracts on Nymex,
as well as 2,448 related contracts listed at another company,
Intercontinental Exchange Inc. Interactive Brokers foresees refunding
$18,815 for the Nymex ones and $37,630 for ICE's, according to a spokesman.

To give a sense of how far off the Interactive Brokers margin model was that
day, similar trades to what Shah placed would have required $6,930 per trade
in margin if he placed them at Intercontinental Exchange. That's 231 times
the $30 Interactive Brokers charged.

"I realized after the fact the margin for those contracts is very high and
these trades should never have been processed," he said. He didn't sleep for
three nights after getting the $9 million margin call, he said.

Peterffy accepted blame, but said there was little market liquidity after
prices went negative, which could've prevented customers from exiting their
trades anyway. He also laid responsibility on the exchanges and said the
company had been in touch with the industry's regulator, the U.S. Commodity
Futures Trading Commission.

"We have called the CFTC and complained bitterly," Peterffy said. "It
appears the exchanges are going scot-free."

Representatives of CME and Intercontinental Exchange declined to comment. A
CFTC spokesman didn't immediately return a request for comment.

Peterffy said there's a problem with how exchanges design their contracts
because the trading dries up as they near expiration. The May oil futures
contract -- the one that went negative -- expired the day after the historic
plunge, so most of the market had moved to trading the June contract, which
expires May 19 and currently trades around $24 a barrel.

"That's how it's possible for these contracts to go absolutely crazy and
close at a price that has no economic justification," Peterffy said. "The
issue is whose responsibility is this?"

-- With assistance by Melinda Grenier

(Adds details of June contract in penultimate paragraph. A previous version
of this story was corrected because Interactive Brokers gave the wrong
estimated refund for the Nymex contracts in the 18th paragraph.)

------------------------------

Date: Fri, 8 May 2020 11:56:54 -0400
From: Monty Solomon <monty () roscom com>
Subject: Nearly 20,000 Georgia Teens Are Issued Driver's Licenses Without a
  Road Test (NYTimes)

Gov. Brian Kemp suspended the requirement that most Georgians pass a
behind-the-wheel test when applying for licenses last month.

https://www.nytimes.com/2020/05/07/us/georgia-teen-driving-test-coronavirus.html

------------------------------

Date: Thu, 7 May 2020 15:21:20 -0400
From: Monty Solomon <monty () roscom com>
Subject: Risk of Misinterpreting Hydrogen Peroxide Indicator Colors for
   Vapor Sterilization: Letter to Health Care Providers (FDA)

The U.S. Food and Drug Administration (FDA) has become aware of the
potential for health-care facility staff that reprocess and sterilize
medical devices to misinterpret the indicators used to validate the
sterilization of medical devices because there is no standard indicator
color to indicate a sterilized device.  [...]

https://www.fda.gov/medical-devices/letters-health-care-providers/risk-misinterpreting-hydrogen-peroxide-indicator-colors-vapor-sterilization-letter-health-care

------------------------------

Date: Thu, 7 May 2020 23:58:07 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: GitHub Takes Aim at Open Source Software Vulnerabilities (WiReD)

GitHub Advanced Security will help automatically spot potential security
problems in the world's biggest open source platform.

https://www.wired.com/story/github-advanced-security-open-source/

------------------------------

Date: Thu, 7 May 2020 13:40:22 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Snake ransomware targeting healthcare now claims to steal
  unencrypted files before encrypting computers on a network
  (BleepingComputer]

The operators of the Snake Ransomware have launched a worldwide campaign of
cyberattacks that have infected numerous businesses and at least one health
care organization over the last few days.

This past January, BleepingComputer reported on the new Snake ransomware
that was targeting enterprise networks.
<https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/>

Since then, the ransomware operators have been relatively quiet, with
little to no new infections being detected in the wild.

This lack of activity all changed on May 4th, when the ransomware operators
conducted a massive campaign that targeted organizations throughout the
world and across all verticals.

Starting on May 4th, ransomware identification site, ID Ransomware, showed a
massive jump in submissions after seeing a few here and there over the last
couple of months.
<https://id-ransomware.malwarehunterteam.com/>

According to security reporter Brian Krebs, one of the victims allegedly hit
by the Snake Ransomware in this campaign is Fresenius Group, Europe's
largest hospital provider.

"Fresenius, Europe's largest private hospital operator and a major provider
of dialysis products and services that are in such high demand thanks to the
COVID-19 pandemic, has been hit in a ransomware cyber attack on its
technology systems. The company said the incident has limited some of its
operations, but that patient care continues," Krebs reported.
<http://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware/>

BleepingComputer has since been able to independently confirm that the Snake
Ransomware attacked Fresenius on May 4th.

This same source told us that numerous other companies were hit, including
an architectural firm in France and a prepaid debit card company.  Snake
claims to now steal files before encrypting

*As has now become routine with ransomware, Snake now claims to steal
unencrypted files before encrypting computers on a network.*

*As noted by MalwareHunterTeam, in the ransom note named
'Decrypt-Your-Files.txt' from this week's attacks, the Snake operators have
added text stating that they will publish stolen databases and document if
not paid within 48 hours*.  [...]
<https://twitter.com/malwrhunterteam/status/1258080951101468673>

https://www.bleepingcomputer.com/news/security/large-scale-snake-ransomware-campaign-targets-healthcare-more/

------------------------------

Date: Thu, 7 May 2020 08:10:04 -0400
From: Monty Solomon <monty () roscom com>
Subject: China's Military Is Tied to Debilitating New Cyberattack Tool
  (NYTimes)

An Israeli security company said the hacking software, called Aria-body, had
been deployed against governments and state-owned companies in Australia and
Southeast Asia.

https://www.nytimes.com/2020/05/07/world/asia/china-hacking-military-aria.html

------------------------------

Date: Wed, 6 May 2020 15:01:33 -1000
From: the keyboard of geoff goodfellow <geoff () iconia com>
Subject: Coronavirus Proves Only Structural Changes Can Avert Climate
  Apocalypse (IEA)

We are still screwed if we do not permanently alter how we produce and
consume energy as a civilization

A new International Energy Agency report warns that while 2020 may see the
largest CO2 emissions drop on record because of the coronavirus pandemic,
there is still cause for concern.
<https://www.iea.org/reports/global-energy-review-2020>

The IEA anticipates carbon emissions will drop almost 8 percent -- six times
larger than the previous record caused by the 2008 global financial crisis
and twice as large as the sum total of every reduction since the end of
World War II. Global energy demand will fall 6 percent, which is seven
times larger than the decline from the 2008 global financial crisis and
equivalent to losing the entire energy demand of India. Renewables are the
only energy source expected to see any growth in use (1.5 percent) or
generation (3 percent), while oil demand will drop by 9 percent, coal by 8
percent, and natural gas by 5 percent.

All these numbers are staggering, but they are also inadequate. Despite the
70 year lows for each of these carbon energy sources and the IEA's
estimation that 50 percent of all global energy use is exposed to these
global containment measures, we're far from the reductions needed to avert
climate catastrophe. Moreover, these reductions are inequitable and have
come at a tragic personal cost to many. Structural changes
<https://lareviewofbooks.org/article/climate-commonwealth-and-the-green-new-deal-a-conversation-with-alyssa-battistoni-and-jedediah-britton-purdy/>
(e.g., an internationalist Green New Deal that favors the working class) are
necessary if we are to have any hope.

As Vox's David Roberts writes, limiting climate change to 1.5 degrees
Celsius -- our only shot at avoiding hundreds of millions of deaths and
widespread ecological collapse -- means "emissions would need to fall off a
cliff, falling by 15% a year every year, starting in 2020, until they hit
zero." In fact, the emissions reduction we are on track to experience may
yield no durable environmental benefits that last beyond the lockdowns as
urban pollution, for example, will quickly return.
<https://www.vox.com/energy-and-environment/2020/1/3/21045263/climate-change-1-5-degrees-celsius-target-ipcc>
<https://www.vice.com/en_ca/article/7kzqja/coronavirus-emissions-climate-science>

This insufficient but historic reduction is thanks to travel restrictions
and economic lockdowns that have caused spikes in unemployment dwarfing
those of the Great Recession and approaching Great Depression levels. In the
United States alone, a country where nearly half of the population lives
paycheck to paycheck, far more than the reported 30 million people have
likely lost their jobs and a perpetual rent strike is developing as a
growing plurality of tenants are simply unable to make ends meet. The full
human cost of this pandemic has yet to emerge -- its immediate death toll
may be underreported, but it has obvious for months that the pandemic would
make plain that our country views its most vulnerable populations as
disposable.  [...]
<https://www.theatlantic.com/magazine/archive/2016/05/my-secret-shame/476415/>
<https://www.businessinsider.com/us-unemployment-likely-higher-than-jobless-claims-show-coronavirus-jobs-2020-5>
<https://newrepublic.com/article/157462/era-endless-rent-strike>
<https://www.nytimes.com/interactive/2020/04/28/us/coronavirus-death-toll-total.html>
<https://www.vox.com/2020/2/7/21126758/coronavirus-xenophobia-racism-china-asians>
<http://bostonreview.net/class-inequality-race-politics/shaun-ossei-owusu-coronavirus-and-politics-disposability>
https://www.vice.com/en_us/article/n7wjwz/coronavirus-proves-only-structural-changes-can-avert-climate-apocalypse

------------------------------

Date: Fri, 8 May 2020 08:53:39 +0900
From: Dave Farber <farber () gmail com>
Subject: Which COVID-19 models should we use to make policy decisions?
  (MedixlXpress)

https://medicalxpress.com/news/2020-05-covid-policy-decisions.html

Which COVID-19 models should we use to make policy decisions?  Pennsylvania
State University <http://www.psu.edu/>

A new process to evaluate multiple disease models will help identify which
intervention measures may be most successful during an outbreak. Shown here,
the entry process for students at Lanzhou University in China involves
scanning a university ID, which is associated with the student's body
temperature history, travel history, and other information, while a machine
detects current body temperature. Credit: Shouli Li, Lanzhou University With
so many COVID-19 models being developed, how do policymakers know which ones
to use? A new process to harness multiple disease models for outbreak
management has been developed by an international team of researchers. The
team describes the process in a paper appearing May 8 in the journal Science
and was awarded a Grant for Rapid Response Research (RAPID) from the
National Science Foundation to immediately implement the process to help
inform policy decisions for the COVID-19 outbreak.

During a disease outbreak <https://medicalxpress.com/tags/outbreak/>, many
research groups independently generate models, for example projecting how
the disease will spread, which groups will be impacted most severely, or how
implementing a particular management action might affect these
dynamics. These models help inform public health policy for managing the
outbreak.

"While most models have strong scientific underpinnings, they often differ
greatly in their projections and policy recommendation," said Katriona Shea,
professor of biology and Alumni Professor in the Biological Sciences, Penn
State. "This means that policymakers are forced to rely on consensus when it
appears, or on a single trusted source of advice, without confidence that
their decisions will be the best possible."

At the onset of an outbreak, particularly for a new disease, a large amount
of information is often unavailable or unknown, and researchers must make
decisions about how to incorporate this uncertainty into their models,
leading to differing projections. For the COVID-19 outbreak, for example,
uncertainty is present in a wide range of areas, from infection rate to
details of transmission to the capacity of health care systems. The
designers of each model <https://medicalxpress.com/tags/model/bring their
own perspective and approach to address these uncertainties.

A new process to evaluate multiple disease outbreak models will help inform
public health policy decisions for managing the outbreak. The process is
currently being applied to the current COVID-19 outbreak. Credit: Will
Probert, University of Oxford "In order to improve modeling and analysis of
epidemic disease, it is essential to develop protocols that deliberately
generate and evaluate valuable individual ideas from across the modeling
community," said Michael Runge, a research ecologist at the U.S. Geological
Survey's Patuxent Wildlife Research Center who specializes in decision
analysis for wildlife management. "We have identified best practices
<https://medicalxpress.com/tags/best+practices/that allow the synthesis and
evaluation of input from multiple modeling groups in an efficient and timely
manner."

In the three-part process, multiple research groups first create models for
specified management scenarios, for example, addressing how caseload would
be affected if social isolation measures were lifted this summer, or how the
duration of the outbreak would change if students return to school in the
fall. The research groups work independently during this step to encourage a
wide range of ideas without prematurely conforming to a certain way of
thinking. Then, the modeling groups formally discuss their models with each
other -- an important addition to previous multiple model methods -- which
allows them to examine why their models might disagree. Finally, the groups
work independently again to refine their models, based on the insights from
the discussion and comparison stage.

After group discussion and individual model refinement, the models are
combined into an overall projection for each management strategy, which can
be used to help guide risk analysis and policy deliberation. At this stage,
methods from the field of decision analysis can allow the decision maker,
for example a public health agency, to understand the merits of different
management options in the face of the existing uncertainty.

Additionally, the combined results can help identify which uncertainty --
what pieces of missing information -- are most critical to learn about in
order to improve models and thus improve decision making, providing a way to
prioritize research directions.

"This process allows us to embrace uncertainty, rather than hastening to a
premature consensus that could derail or deflect management efforts," said
Shea. "The process encourages a healthy conversation between scientists and
decision makers, enabling policy agencies to more effectively achieve their
management goals."

Even after initial decisions are made, the process can continue as new
information about the outbreak and management becomes available. This
"adaptive management" strategy can allow researchers to refine their models
and make new predictions as the outbreak progresses. For COVID-19, this
process might inform how and when isolation and travel bans are lifted, and
if these or other measures might be necessary again in the future.

The research team plans to implement this process immediately for
COVID-19. By taking advantage of the many research groups already producing
models for the current outbreak, the strategy should be easy to implement
while producing more robust results from the existing process. The team will
share results with the U.S. Centers for Disease Control and Prevention as
they are generated.

"We hope this process actively feeds into policy for the COVID-19 response
in the United States," said Shea. "It also provides a framework for future
outbreak settings, including emerging diseases and agricultural pest
species, and management of endemic infectious diseases, including
vaccination strategies and disease surveillance."

Explore further

Models of coronavirus underestimate the epidemic's peak and overestimate its
duration
<https://medicalxpress.com/news/2020-04-coronavirus-underestimate-epidemic-peak-overestimate.html>

More information: K. Shea el al., "Harnessing multiple models for outbreak
management," Science (2020).
<https://science.sciencemag.org/cgi/doi/10.1126/science.abb9934>
Provided by Pennsylvania State University
<https://medicalxpress.com/partners/pennsylvania-state-university/
<http://www.psu.edu/>

------------------------------

Date: Fri, 08 May 2020 10:52:17 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: COVID SW model is a steaming pile ... (Whistleblower)

  [lockdown item also noted by Steven J. Greenwald.  PGN]

Apparently, Ferguson's COVID computer model, on which basis several
trillion-dollar quarantining decisions have been made, is a steaming pile of
crap software code.

This case is a perfect example of why we need fully *open source* computer
code for any accepted scientific results.

Briefly, the Ferguson model is a 'Monte Carlo' simulation of a complex
networked system which is fed by a pseudo-random number generator ("PRNG")
to enable the 'Monte Carlo' aspect of the simulation.

Normally, such a PRNG generates a random number sequence determined by its
initial "seed": the sequence is identical if and only if the seed is
identical.  Since the behavior of the model is determined by the random
number sequence, the behavior of the model is identical if and only if the
seed is identical.

Ferguson's model does *not* have this behavior -- it has non-deterministic
behavior over and above that introduced by the PRNG -- some due perhaps to
the non-determinism in the parallel scheduling algorithms.  Worse, this
non-determinism produces dramatically different results (not entirely
unexpected due to the exponential behavior of positive feedback loops).

What Ferguson has done isn't science, but *witchcraft*.  Sometimes the witch
doctor produces a correct answer by the miracle of coincidence, but science
does not progress by standing on the shoulders of witch doctors.

With apologies to Max Planck, "science is here progressing funeral by
needless funeral".

Trillion dollar decisions cannot be based upon software of this poor
quality.

https://lockdownsceptics.org/code-review-of-fergusons-model/

Code Review of Ferguson's Model
Sue Denim (not the author's real name)

Imperial finally released a derivative of Ferguson's code. I figured I'd do
a review of it and send you some of the things I noticed. I don't know your
background so apologies if some of this is pitched at the wrong level.

My background. I wrote software for 30 years. I worked at Google between
2006 and 2014, where I was a senior software engineer working on Maps, Gmail
and account security. I spent the last five years at a US/UK firm where I
designed the company's database product, amongst other jobs and projects. I
was also an independent consultant for a couple of years. Obviously I'm
giving only my own professional opinion and not speaking for my current
employer.

The code. It isn't the code Ferguson ran to produce his famous Report
9. What's been released on GitHub is a heavily modified derivative of it,
after having been upgraded for over a month by a team from Microsoft and
others. This revised codebase is split into multiple files for legibility
and written in C++, whereas the original program was "a single 15,000 line
file that had been worked on for a decade" (this is considered extremely
poor practice). A request for the original code was made 8 days ago but
ignored, and it will probably take some kind of legal compulsion to make
them release it.  Clearly, Imperial are too embarrassed by the state of it
ever to release it of their own free will, which is unacceptable given that
it was paid for by the taxpayer and belongs to them.

https://github.com/mrc-ide/covid-sim

https://github.com/mrc-ide/covid-sim/issues/144

The model.  What it's doing is best described as "SimCity without the
graphics". It attempts to simulate households, schools, offices, people and
their movements, etc. I won't go further into the underlying assumptions,
since that's well explored elsewhere.

Non-deterministic outputs. Due to bugs, the code can produce very different
results given identical inputs. They routinely act as if this is
unimportant.

This problem makes the code unusable for scientific purposes, given that a
key part of the scientific method is the ability to replicate
results. Without replication, the findings might not be real at all -- as
the field of psychology has been finding out to its cost. Even if their
original code was released, it's apparent that the same numbers as in Report
9 might not come out of it.

Non-deterministic outputs may take some explanation, as it's not something
anyone previously floated as a possibility.

The documentation says:

    The model is stochastic. Multiple runs with different seeds should
    be undertaken to see average behaviour.

"Stochastic" is just a scientific-sounding word for "random". That's not a
problem if the randomness is intentional pseudo-randomness, i.e. the
randomness is derived from a starting "seed" which is iterated to produce
the random numbers. Such randomness is often used in Monte Carlo
techniques. It's safe because the seed can be recorded and the same
(pseudo-)random numbers produced from it in future. Any kid who's played
Minecraft is familiar with pseudo-randomness because Minecraft gives you the
seeds it uses to generate the random worlds, so by sharing seeds you can
share worlds.

Clearly, the documentation wants us to think that, given a starting seed,
the model will always produce the same results.

Investigation reveals the truth: the code produces critically different
results, even for identical starting seeds and parameters.

I'll illustrate with a few bugs. In issue 116 a UK "red team" at Edinburgh
University reports that they tried to use a mode that stores data tables in
a more efficient format for faster loading, and discovered -- to their
surprise -- that the resulting predictions varied by around 80,000 deaths
after 80 days:

https://lockdownsceptics.org/wp-content/uploads/2020/05/image.png

That mode doesn't change anything about the world being simulated, so this
was obviously a bug.

The Imperial team's response is that it doesn't matter: they are "aware of
some small non-determinisms", but "this has historically been considered
acceptable because of the general stochastic nature of the model". Note the
phrasing here: Imperial know their code has such bugs, but act as if it's
some inherent randomness of the universe, rather than a result of amateur
coding. Apparently, in epidemiology, a difference of 80,000 deaths is "a
small non-determinism".

https://github.com/mrc-ide/covid-sim/issues/116#issuecomment-617304550

Imperial advised Edinburgh that the problem goes away if you run the model
in single-threaded mode, like they do. This means they suggest using only a
single CPU core rather than the many cores that any video game would
successfully use. For a simulation of a country, using only a single CPU
core is obviously a dire problem -- as far from supercomputing as you can
get. Nonetheless, that's how Imperial use the code: they know it breaks when
they try to run it faster. It's clear from reading the code that in 2014
Imperial tried to make the code use multiple CPUs to speed it up, but never
made it work reliably. This sort of programming is known to be difficult and
usually requires senior, experienced engineers to get good results.  Results
that randomly change from run to run are a common consequence of
thread-safety bugs. More colloquially, these are known as "Heisenbugs".

But Edinburgh came back and reported that -- even in single-threaded mode --
they still see the problem. So Imperial's understanding of the issue is
wrong.  Finally, Imperial admit there's a bug by referencing a code change
they've made that fixes it. The explanation given is "It looks like
historically the second pair of seeds had been used at this point, to make
the runs identical regardless of how the network was made, but that this had
been changed when seed-resetting was implemented".  In other words, in the
process of changing the model they made it non-replicable and never noticed.

Why didn't they notice? Because their code is so deeply riddled with similar
bugs and they struggled so much to fix them that they got into the habit of
simply averaging the results of multiple runs to cover it up... and
eventually this behaviour became normalised within the team.

In issue #30, someone reports that the model produces different outputs
depending on what kind of computer it's run on (regardless of the number of
CPUs). Again, the explanation is that although this new problem "will just
add to the issues" ...  "This isn't a problem running the model in full as
it is stochastic anyway".

Although the academic on those threads isn't Neil Ferguson, he is well aware
that the code is filled with bugs that create random results. In change #107
he authored he comments: "It includes fixes to InitModel to ensure
deterministic runs with holidays enabled".  In change #158 he describes the
change only as "A lot of small changes, some critical to determinacy".

Imperial are trying to have their cake and eat it.  Reports of random
results are dismissed with responses like "that's not a problem, just run it
a lot of times and take the average", but at the same time, they're fixing
such bugs when they find them. They know their code can't withstand
scrutiny, so they hid it until professionals had a chance to fix it, but the
damage from over a decade of amateur hobby programming is so extensive that
even Microsoft were unable to make it run right.

No tests. In the discussion of the fix for the first bug, Imperial state the
code used to be deterministic in that place but they broke it without
noticing when changing the code.

Regressions like that are common when working on a complex piece of
software, which is why industrial software-engineering teams write automated
regression tests. These are programs that run the program with varying
inputs and then check the outputs are what's expected. Every proposed change
is run against every test and if any tests fail, the change may not be made.

The Imperial code doesn't seem to have working regression tests. They tried,
but the extent of the random behaviour in their code left them defeated. On
4th April they said: "However, we haven't had the time to work out a
scalable and maintainable way of running the regression test in a way that
allows a small amount of variation, but doesn't let the figures drift over
time."

Beyond the apparently unsalvageable nature of this specific codebase,
testing model predictions faces a fundamental problem, in that the authors
don't know what the "correct" answer is until long after the fact, and by
then the code has changed again anyway, thus changing the set of bugs in
it. So it's unclear what regression tests really mean for models like this
-- even if they had some that worked.

Undocumented equations. Much of the code consists of formulas for which no
purpose is given. John Carmack (a legendary video-game programmer) surmised
that some of the code might have been automatically translated from FORTRAN
some years ago.

For example, on line 510 of SetupModel.cpp there is a loop over all the
"places" the simulation knows about. This code appears to be trying to
calculate R0 for "places". Hotels are excluded during this pass, without
explanation.

This bit of code highlights an issue Caswell Bligh has discussed in your
site's comments: R0 isn't a real characteristic of the virus. R0 is both an
input to and an output of these models, and is routinely adjusted for
different environments and situations. Models that consume their own outputs
as inputs is problem well known to the private sector -- it can lead to
rapid divergence and incorrect prediction. There's a discussion of this
problem in section 2.2 of the Google paper, "Machine learning: the high
interest credit card of technical debt".

Continuing development. Despite being aware of the severe problems in their
code that they "haven't had time" to fix, the Imperial team continue to add
new features; for instance, the model attempts to simulate the impact of
digital contact tracing apps.

Adding new features to a codebase with this many quality problems will just
compound them and make them worse. If I saw this in a company I was
consulting for I'd immediately advise them to halt new feature development
until thorough regression testing was in place and code quality had been
improved.

Conclusions. All papers based on this code should be retracted immediately.
Imperial's modeling efforts should be reset with a new team that isn't under
Professor Ferguson, and which has a commitment to replicable results with
published code from day one.

On a personal level, I'd go further and suggest that all academic
epidemiology be defunded. This sort of work is best done by the insurance
sector. Insurers employ modelers and data scientists, but also employ
managers whose job is to decide whether a model is accurate enough for real
world usage and professional software engineers to ensure model software is
properly tested, understandable and so on. Academic efforts don't have these
people, and the results speak for themselves.

My identity. Sue Denim isn't a real person (read it out). I've chosen to
remain anonymous partly because of the intense fighting that surrounds
lockdown, but there's also a deeper reason. This situation has come about
due to rampant credentialism and I'm tired of it. As the widespread dismay
by programmers demonstrates, if anyone in SAGE or the Government had shown
the code to a working software engineer they happened to know, alarm bells
would have been rung immediately.  Instead, the Government is dominated by
academics who apparently felt unable to question anything done by a fellow
professor. Meanwhile, average citizens like myself are told we should never
question "expertise". Although I've proven my Google employment to Toby,
this mentality is damaging and needs to end: please, evaluate the claims
I've made for yourself, or ask a programmer you know and trust to evaluate
them for you.

------------------------------

Date: Thu, 7 May 2019 19:18:07 -0800
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: German contact-tracing app to be rolled out in mid-June (Politico)

Janosch Delcker, Politico, 7 May 2020
German contact-tracing app to be rolled out in mid-June

BERLIN -- Germany will roll out its national smartphone application tracing
potential coronavirus infections in mid-June, according to high-ranking
officials involved in developing it. The launch will be flanked by a broad
advertising campaign aimed at convincing as many Germans as possible to use
the voluntary app, the officials said.

The underlying software, which is built by German technology companies SAP
and Deutsche Telekom, analyzes Bluetooth signals between mobile phones to
alert people who have been close enough to infect each other. It is based on
what's known as a decentralized software architecture, with information
about interactions saved only on users' phones for up to three weeks -- an
approach championed by both privacy advocates and U.S. tech giants Apple and
Google.

After initially favouring a different architecture where information would
have been stored on a central server, German Chancellor Angela Merkel's
government changed course in late April and said it would adopt such a
decentralized approach, following an announcement by Apple and Google to
unlock their smartphones' Bluetooth capabilities to allow outside
developers to build interoperable apps.

The first version of the German app expected for mid-June, which will be
available for both iOS and Android operating systems, will trace
interactions even while running in the background of other applications,
according to the officials.

An updated version, set to be launched later this year, will also offer a
voluntary option of donating the information that is collected to
Germany's national disease control center for research purposes.

------------------------------

Date: Thu, 7 May 2019 18:12:21 -0800
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Digital immunity passport is `the lesser of two evils' (Politico)

Vincent Manancourt, Politico, 7 May, 2020

Millennial founder of tech firm Onfido is in talks with the UK government
about system that could help ease lockdown restrictions -- but admits the
idea is controversial.

As the U.K. rolls out a coronavirus contact-tracing app, its government is
already considering another technological tool to help loosen lockdown
restrictions -- the immunity passport.

The idea behind so-called digital passports is that they would allow people
who have recovered from the coronavirus to signal their immunity and thus
move around freely, enabling economies to open up.

But there are fears such a system, which is at a preliminary stage of
discussion with the developer, could lead to discrimination, create perverse
incentives to get infected, and violate privacy.

The scheme also relies on reliable antibody testing and enough kits for
large-scale testing -- neither of which exist, yet. Not to mention the fact
that health experts don't know whether immunity to the coronavirus even
exists and, if it does, how long it lasts. In late April, the World Health
Organisation (WHO) warned against a passport scheme on the basis that
``there is currently no evidence that people who have recovered from
Covid-19 and have antibodies are protected from a second infection.''

But governments are facing pressure to unshackle their economies, and any
ideas that allow them to do so without endangering public health are up for
discussion. Immunity passports -- however pie in the sky at this stage --
fit the bill.

One firm that is proffering its expertise to help the U.K. government design
such a scheme is British start-up Onfido, which last month secured $100
million in funding in part to help it develop its health certificate
offering.

The company usually helps businesses like banks and car rental firms verify
identity digitally, but is now turning its tech to the fight against the
virus.

``Our approach is to bind your digital identity to your test results at the
outset, and help you prove it on an ongoing basis,'' says the start-up's
millennial founder Husayn Kassai on a video call with Politico.

Onfido submitted proposals to the U.K. parliament just over a week ago, and
is now in the brainstorming stage with the government, according to Kassai.

``The first area of focus for everyone is very much test kits, that comes
first, and then there are a range of options that the governments and other
governments want to have. So this health or immunity passport is just one of
them that's being explored,'' Kassai said.

A U.K. government official told Politico that though there is interest in
the idea of introducing some form of immunity verification, there is no
formal plan yet due to the ongoing uncertainty around immunity.

Onfido's technology would work by first verifying someone's identity -- by
comparing a picture or video of their face against a picture of their
identity card -- and then linking that to a coronavirus test result. People
would then be able to bring up a QR code on an app or a browser signaling
their immunity status just by taking a picture of their face.

The advantage of a digital system, says Kassai, is that it is continuous and
live, and can be adjusted as new evidence over immunity comes to light.

``The problem with a physical health pass is, if after six months it
transpires that [immunity] may only last for six months it's hard to go back
and recall those passes. Whereas if it's digital, if in January I'm tested
[and] I've proven that I've recovered from the virus and in March, it
suddenly transpires that immunity was only for three months, then every time
the test result is called upon the results can suddenly be switched from
green to an amber for instance.''

If the scheme ever does see the light of day, Kassai envisages that it is
most likely that it will first be used in the workplace.

`Extremely high risks'

While the technology promises reprieve for economies hard hit by the
lockdown, it does not come without controversy.

A report last month by the AI research body the Ada Lovelace Institute said
immunity passports would ``pose extremely high risks in terms of social
cohesion, discrimination, exclusion and vulnerability.''

Speaking to Politico at the time, the institute's director Carly Kind said
that using such a scheme would raise difficult questions about how it is
used to allow access to spaces.

``In some way, we can imagine a world in which immunity becomes a protected
characteristic like ethnicity or race, and we need to think about how to put
in place a structure to ensure that discrimination on the basis of that
characteristic isn't enabled,'' Kind said.

There are also fears an immunity passport scheme could create incentives to
become infected, and that it poses risks to privacy and data protection.

The European Data Protection Supervisor Wojciech Wiewi=F3rowski called the
idea extreme, and he has repeatedly expressed alarm at the idea during
online webinars. ``Even the name disgusts me a little bit,'' he said at one.

For Onfido's San Francisco-based founder, mitigating concerns is a matter of
``proceeding with caution.''

``The fact of the matter is, there's no two-tier system that would be
different to what we have already. We already have two categories of people
Category A and Category B. Category A have had the virus and have recovered,
Category B have not had the virus yet. So the question becomes, how are they
able to signal it?'' Kassai says.

The fact that immunity passports may encourage people to become infected to
get back to work is ``very much a risk.  So you're weighing two risks. And
this is a lesser of two evils, not to want to call it that. Group A and
Group B exists and that is just a fact. Some have now recovered and others
have never had the virus -- Group A are able to effectively signal that they
have a period of immunity and Group B are not yet immune, is there an
incentive or risk for Group B to want to become Group A,'' he says.

As to privacy, Kassai says data in Onfido's system would be stored on ``a
private server for an individual,'' [which] can only be accessed with the
user's face.

``No private business, no government should really be, there's no need for
them to hold your personal data. You as a consumer should,'' he says.

Janosch Delcker and Jack Blanchard contributed reporting.

------------------------------

Date: Thu, 7 May 2020 13:41:19 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Flu vs. COVID-19

"34,157 Americans died from influenza last year.
35,361 Americans died from COVID-19 in the last 18 days.

61,000 Americans died from the worst influenza in the last 50 years.
60,939 Americans died from COVID-19 in the last 30 days."

https://twitter.com/numbers_truth/status/1258525261672284160

------------------------------

Date: Thu, 7 May 2020 12:04:03 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Visualization shows droplets from one cough on an airplane
  infecting large number of passengers (RISKS-31.80)

The visualisation provided by Fox News was made for a study by Purdue
University of the 2003 SARS virus.  The caption says "The model is based on
the assumption that the 2003 SARS virus was airborne."

But recent studies of the current COVID-19 corona virus shows that it is not
so airborne.  The WHO site states about its transmission by cough drops:
"These droplets are relatively heavy, do not travel far and quickly sink to
the ground".

https://www.who.int/emergencies/diseases/novel-coronavirus-2019/question-and-answers-hub/q-a-detail/q-a-coronaviruses

IOW, the Purdue model does not fit what is known about the newer virus.

------------------------------

Date: Thu, 07 May 2020 22:10:42 +0100
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Re: What the Coronavirus Crisis Reveals... (RISKS-31.79)

This reminded me of a similar example -- this may have been mentioned
before.  A few winters ago in Britain, there were worries about the threat
of an outbreak of severe influenza.  This was just the regular winter type,
nothing like Covid-19; as I understand it, this is only a health threat to
the very young, the very old, or those with existing health problems,
otherwise it leaves people feeling terrible for a week or two but is no big
deal apart from them being temporarily incapacitated.  The main threat was
not streets full of dead bodies, but lots of "Tesco's truck drivers"
suddenly being off sick (Tesco being the country's major supermarket chain,
though many industries would be affected).

Like many businesses, the grocery trade runs on a just-in-time basis like
the vehicle parts supplies mentioned in the RISKS article.  Obviously the
trucking industry has resources for normal sickness and vacation absences,
but suddenly having many drivers out of action would cause major supply
problems, especially severe for groceries where many food items have short
shelf lives (few days) so little opportunity for building stockpiles; not
only would supermarkets quickly run out of stock for the shelves, but food
suppliers may have problems in dealing with items ready for despatching to
stores.  (In Europe we also have the complication of foods having 'best by',
'use before', 'sell by', etc. date markings.)

In the UK, gaining a Heavy Goods Vehicle driver's licence requires a
rigorous training and testing session (no idea what exactly it entails, but
as far as I know not a quick process, and trainers and test examiners have
to be available too), and then rookie drivers would need to familiarise
themselves with the individual supermarkets' transport systems so would not
be fully effective straight away.  By the time that this has happened, the
original influenza outbreak would probably be over anyway.

In the end, the dreaded influenza outbreak never happened and pharmacies
were left with huge stocks of unused vaccine, but obviously something
similar could happen again.  Not sure what lessons to learn; as ever, it's a
balancing act between efficiency and having costly back-up resources lying
idle in reserve.

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.81
************************