Calling bullshit

By 0x7df, Sat 20 May 2017, modified Sat 20 May 2017, in category Misc

I've been watching the really great online lecture series Calling Bullshit in the Age of Big Data from the University of Washington Information School:

So when I saw this tweet:

If you're worried / surprised by the NHS still running Windows XP, the good news is our nuclear submarines are all on XP too #nhscyberattack

— ben goldacre (@bengoldacre) 13 May 2017

in the aftermath of the WCry attack which badly hit the NHS, it struck me as: 'too bad to be true'. We're often wary of things that are too good to be true (although surely still not often enough), but the course authors point out that the opposite case should also invite our scepticism. We first need to eschew the possibility that the large numbers of people involved in developing, procuring, maintaining and protecting IT systems for nuclear deterrent submarines are all inherently evil, and don't care if the world accidentally ends in a conflagration, because that would be an example of the fundamental attribution error . Then what remains, the proposition that there's such a gaping whole in the security infrastructure of a nation state's nuclear arsenal, should strike us as unlikely enough to want to dig in a bit.

Before we do, we should note that within hours there was a follow-up tweet that provided some balance:

I can believe there are safe ways to still run Windows XP given resources effort and attentiveness

— ben goldacre (@bengoldacre) 13 May 2017

but comparing these two tweets gives us a nice illustration of one of the most important properties of bullshit pointed out by the course authors. It's become known as Brandolino's Law or Brandolino's Asymmetry Principle:

The bullshit asimmetry: the amount of energy needed to refute bullshit is an order of magnitude bigger than to produce it.

— Alberto Brandolini (@ziobrando) 11 January 2013

To evidence that, the original tweet was retweeted and liked 1.1K and 668 times respectively, versus 12 retweets and 27 likes on the follow-up tweet.

I call bullshit

So let's look closer.


First, the tweet is a retweet of one that links to an article in Popular Mechanics, which itself is pretty much just a rehash of a slightly earlier Guardian article.

Now, another well-respected debunker of bullshit, Ben Goldacre (the name should be familiar), wrote in his book I think you'll find it's a bit more complicated than that:

Why Don't Journalists Link to Primary Sources?

Whether it's a press release, an academic journal article, a formal report, or even the full transcript of an interview, the primary source contains more information for interested readers: it shows your working, and it allows people to check whether what you wrote is true.

Now I appreciate that the tweet, even though made by a journalist, isn't journalism - it's just a tweet - but a well-known journalist has an 'institutional credibility' that gives his output weight, so perhaps linking to primary sources still matters in this case too. More importantly:

... There is a bigger fish here: if we had a culture of linking to primary sources - if they were always just a click away - then shame alone would probably have stopped it going online. [My italics.]

That culture, if we're to protect against bullshit when we get much of our news from Twitter and Facebook, needs to be ubiquitous and not just the purview of professional journalists when doing their day jobs.

So now we know the 'original' source of the story, we might slightly update our Bayesian priors for the story being true, because we know the Guardian has political leanings that could mean it's more inclined to be against nuclear weapons. In fact the Guardian article is largely about how Trident is obsolete ('Trident is old technology': the brave new world of cyber warfare). We might reasonably expect a platform called Popular Mechanics to be more neutral, so by referring us to this, we're not only one unecessary step removed from the 'original', but also deprived of some important information about the possible interests and agenda of the originator. Calling Bullshit's guide to spotting bullshit urges us always to ask: Who is telling me this? and What's in it for them?. We need the primary source to do this.

Spotting bullshit

Weasel words

In any case, I refer to the Guardian article as the 'primary source' or 'original' in only the loosest sense. In fact it simply says:

Critics point in particular to the Royal Navy’s decision to install a variant of Windows XP as the operating system on its missile-carrying Vanguard-class submarines. It was cheaper than the alternatives, but Windows for Submarines, as it is called, is also more vulnerable to malware as it comes off-the- shelf. This also means there are more bugs in circulation that could affect it, and every time a submarine comes to port and gets a software patch, it is newly vulnerable.

Over and above the apparent technical solecism of suggesting that patching an operating system is what makes it vulnerable, the article uses weasel words, citing anonynous 'critics' without giving any indication of how credible they might be, or how to verify them.

Missing information

On further Googling, the story seems to originate with a Register article , which says:

Initial reports as the programme developed suggested that the OS in question would be Windows 2000, but those who have worked on it have since informed the Reg that in fact it is mostly based on XP.

This is slightly better than the Guardian's weasel words because at least the assertion that XP is being used is attributed to people who have worked on the installation of the system. However it's still pretty weak.

The Register article though, isn't actually critical of the system:

Many in the software community have viewed the Royal Navy's wholesale move to Windows-based command systems with concern [and note here that it's actally the use of Windows-based systems overall that is criticised, not the use of XP specifically]... we'd go relatively easy on submarine worries - even the Trident boats - as sub command LANs are by their nature very isolated and physically secure, and submarines almost never need to give their command systems autonomous firing authority.

Not only this, but this article is from 2008, six years before support for XP ended, and there is no information about what might have happened since then - it's perfectly plausible that the systems were upgraded, or a support contract was negotiated like the one the US Navy is reported to have (by Popular Mechanics again), which involves:

paying for extra security and updates while it transitions to more modern operating systems. A $9 million dollar tech support deal it cut with Microsoft is good until July 2016, with an option to extend for another year for $31 million.

So the news article is really reporting, not that we know Trident submarines run an obsolete operating system, but that back in 2008, there was a hint that Trident ran an operating system, which didn't become obsolete for a further six years.


Add comment