Steve Kass

I guess it’s easier to write “the Stieltjesness of f” than “the fact that f has the Stieltjes property.” The jury seems to be out about whether to capitalize the word. Of the five instances Google finds, one is at the beginning of a sentence, and two are uncapitalized. Here’s to not resolving the issue.

A lot of people must wonder about the name of this place, and the school’s FAQs page answers the question “What does “Isothermal” mean?”:

In meteorological terms, the word “isotherm” refers to a line drawn on a weather map showing identical or even temperatures.  If something is isothermal, it is of equal or constant temperature with respect to either time or space. Research has shown that it is not uncommon for an isotherm to curve through the area of Rutherford and Polk Counties where Isothermal Community College is located.

When choosing a name for the college, the original Board of Trustees drew from this regional characteristic to create a name that described the area and represented the college in an inventive manner.  So now when someone breaks the ice by asking you about the name Isothermal, you’ll be able to pass on part of the school’s unique history!

Isotherms probably pass through most places most of the time. The isothermally distinctive places are places like Bullhead City, that frequently don’t lie on an isotherm.

DNSstuff.com follows a time-honored sleazy marketing model. They’ll run a free test of your domain and tell you you’ve got problems, but they won’t give you the details unless you sign up for a free trial of their $79/year tools. Their free test even reports critical errors on their own site. What’s the old line about cheating your own mother?

Humans can’t perceive detail and blue at the same time. Our eyes aren’t engineered for it.

We perceive detail at the center of our visual field. The eye’s light- and color-sensitive cells, called cones, are packed most densely at the fovea, the center of the retina. (The retina has more pixels per inch at its center, if you like.) We distinguish shades of blue wherever we have “blue” cones, the one of our three types of cones most selective for blue colors.

To read blue, we need to perceive detail and shades of blue at once. Except we can’t. There are no blue cones in the fovea.

If you can’t read the words below, there’s nothing wrong with you. You’re just human. If only the software and web designers understood.

From “A Glut of One-Bedroom Apartments” in today’s New York Times:

Brokers say that many people who bought their apartments at or near the top of the market and now must sell are often simply trying to avoid losing money on the deal.

In May 2007, John and Wendy Penn bought a one-bedroom on West 72nd Street for $650,000. The couple, whose main residence is on Long Island, wanted an office and a pied-à-terre in Manhattan to expand their insurance business.

They bought the apartment as a long-term investment and quickly completed about $30,000 in renovations, including the restoration of the apartment’s prewar details. But when Mr. Penn became an independent insurance agent, he no longer needed space in Manhattan.

So in February, the couple put the apartment up for sale, pricing it at $769,000. Three price cuts later, the apartment is listed at $725,000 and still has not sold.

It doesn’t sound like the Penns are “simply trying to avoid losing money.” They tried to sell their apartment nine months after they bought it for $119,000 more than they paid. Now they’re only asking $75,000 more, which should cover their renovations, the sales agent’s commission, and the property taxes they paid. Does the Times think a pied-à-terre in Manhattan (or any housing anywhere) is supposed to be free?

Under the headline “Rise in TB Is Linked to Loans From I.M.F.”, Nicholas Bakalar writes for the New York Times today that “The rapid rise in tuberculosis cases in Eastern Europe and the former Soviet Union is strongly associated with the receipt of loans from the International Monetary Fund, a new study has found.”

The study, led by Cambridge University researcher David Stuckler, was published in PLoS Medicine and is online at (URL may wrap):

http://medicine.plosjournals.org/perlserv/?request=get-document&doi=10.1371/journal.pmed.0050143&ct=1.

Cambridge, Schmambridge. First clue: the Times quotes Stuckler: “When you have one correlation, you raise an eyebrow,” Mr. Stuckler said. “But when you have more than 20 correlations pointing in the same direction, you start building a strong case for causality.”

In twenty post-communist countries, the variable “participated in an IMF loan program in year Y” was significantly negatively associated with “TB rate per 100000 people,” whether using rate of cases, of deaths, or of new cases.

After reading the paper and looking at much of the source data, I agree with William Murray, an IMF spokesman also quoted in the article: “This is just phony science.”

Why do I agree with Murray?

Take the supporting table below, for example. It shows all the TB mortality data from “did not participate in an IMF loan program” years: year-to-year percentage changes in TB mortality rates (based on Logs) [sic]. Among the 45 values are 31 0.00s and nothing else close to zero. Almost half the nonzero values are from Poland and Hungary, but—oddly—the change is nonzero in odd-numbered years and zero in even-numbered years. There are four -22.31s, two -18.23s, a 15.42 and a -15.42, a 13.35 and a -13.35, and four stray values, one of which is -69.31. Now I know -0.6931 from calculus (the natural log of ½), and I googled 0.2231: it’s the natural log of 0.8. (There were about four times as many “did participate” country-years, for a total of 200+ data points.)

If you haven’t guessed, the data here, which mostly express stable or declining TB mortality, and which found the entire study, and which the authors attribute significantly to non-participation in IMF loan programs, are 4-significant-digit percentage changes between logs of adjacent very small positive integers. The small integers are from the Global Tuberculosis Database, queryable here: http://www.who.int/globalatlas/dataQuery/default.asp. This WHO data is rounded to whole numbers and for the countries and years studied, ranged between 1 and 20.

While this data is crude, I don’t doubt the study’s main finding: among post-communist countries, “participated in an IMF loan program in year Y” was significantly negatively associated with “TB rate per 100000 people.” What I doubt is that the relationship has anything to do with the IMF loan program.

The timeframe studied was 1989 to 2003, and a quick look at the data reveals a pattern to which are the “in an IMF loan program” years for the countries studied. Most countries began participating in 1991, 1992, or 1993, and most countries continued their participation through 2003, the end of the study timeframe. During this time, TB was on the rise, and there’s no question the mid nineties were not a typical period.

While the authors mention many correction strategies and tests to avoid one or another kind of bias, they didn’t mention the way in which “in program” years were distributed as one potential confounder. I can’t see how they ruled it out. There data isn’t there. From 1994 to 1997, there are only 10 “not participating” data points, mostly from Czech Republic, Slovenia, and Poland, which countries were anomolous in having shown no increase in TB during their IMF years. Some countries, Bosnia for example, seem to have been omitted from this part of the analysis, despite having participated in an IMF loan program and data being available from WHO.

The countries studied included Russia, with 140,000,000 people, as well as Estonia, Latvia, Macedonia, Slovenia, Albania, Armenia, Bosnia, Lithuania, counted together having less than 20% of Russia’s population. The authors acknowledge the possibility of ecological fallacy with little investigation. Summary statistics, such as the mean and standard deviation of TB rate among the countries, are unweighted by population, and fail to reflect the real situation. Over one time period quoted, the number resulting from taking the average of each countries TB rate, unweighted for population, went up 30%, but the TB rate among the population under study in fact doubled. Whether this changes any interpretation, I can’t say, but it does make a difference.

Not only am I not a statistician, I’m not an economist, and I have no idea whether the IMF did great things or not in mid-nineties eastern europe and former Soviet Union. But Stuckler and colleagues haven’t convinced me of anything.

If you manage, write, visit, or otherwise have anything to do with a web app that connects to a SQL Server database, good guy and Microsoft Program Manager Buck Woody wants you to read this:

[copied with permission from here]

You might have read recently that there have been ongoing SQL injection attacks against vulnerable web applications occurring over the last few months.  These attacks have received recurring attention in the press as they pop up in various geographies around the world. These attacks do not leverage any SQL Server vulnerabilities or any un-patched vulnerabilities in any Microsoft product – the attack vector is vulnerable custom applications. In fact, SQL Injection is a coding issue that can attack any database system, so it’s a good idea to learn how to defend against them.

In order to help you respond to and defend yourself from these attacks, Microsoft has an authoritative blog including talking points and guidance.  You can find this at this Technet location. (Retype the underlying URL if you like. I only linked it this way because it wrapped.)

Ok, if you didn’t visit the Technet link, visit it before reading on.

Thanks. Now I’ll add another bit of advice:

There’s a non-SQL injection issue here as well. The risk in question starts when a web application incorporates part of the URL into SQL and executes it blindly (SQL injection), but the risk to end users only occurs because the web app commits “HTML
injection.” The web app unwittingly delivers a malicious bit of HTML that says “Hey browser, please run a script from this other web site.” That malicious bit of HTML won’t be sent to my browser if the web application doesn’t blindly incorporate table data (especially table data containing HTML tags) into the HTML pages it delivers.

Here’s an analogy. When you fill a prescription, you get instructions like “Take one pill twice a day for seven days.” Those instructions probably get printed out of some database. If the instructions say “Chew up all the pills and wash them down with a cup of bleach,” something’s wrong with the pharmacy’s database. Something’s also wrong with the pharmacy for not catching the bogus instructions before dispensing the prescription. And if you follow the instructions, something’s wrong with you.

The risk Buck is drawing our attention to is like this, and the Technet blog tells us to secure our database. Just as importantly, we should pay attention to what we dispense, and not just assume that if we’re dispensing our data, it’s good data. Browsers often render (and in the case of scripts, execute) whatever a trusted site sends them, and if trusted sites send HTML out without vetting it, well, they shouldn’t be trusted. If you’re a web developer and you want your site to be trusted, then vet what you deliver.

I don’t do web apps, but I don’t think a responsible web app should send me script tags that refer to third-party sites. In fact, the web app probably shouldn’t send me any table data without scrubbing it for tags, non-printing ASCII characters, etc.

Many years ago, we thought it was funny to email people BEL characters, and then someone figured out email shouldn’t be allowed to contain BEL. Years ago bulletin boards figured out they shouldn’t allow users to put any old HTML into their posts.
The threat then was still minor – jokers figured out they could mess up some bulletin board formatting by posting opening tags without closing them. Apparently this was only half fixed. Web apps typically scrub what comes in through the expected channels, but a lot of web apps (most?) apparently don’t scrub the HTML they send out. They should. In fact, they must, now that the bad guys have figured out how to exploit sloppy web apps to modify table data bypassing the expected route. The bad guys may soon find some more sloppy code and exploit it to mess with your data.

Just as it’s possible to scrub outgoing email for viruses, it should be possible (and routine) to scrub outgoing HTML for malicious content. While I don’t trust email attachments that have a “no viruses” sticker on them, and I wouldn’t trust a random site that tells me “this web page is safe,” I would trust Microsoft or another trustworthy source if they told me their web servers scrub all outgoing web pages for unexpected script tags.

http://finance.yahoo.com/q?s=VMMXX:

Strange. The HTML source for this page shows a yield of 2.39%, not 92,318.20%. In both IE7 and Firefox, 2.39% shows up as the yield when the page is first rendered, but changes immediately to 92,318.20%. The yield is getting its significant digits from the Assets value, but why is a mystery to me.

Andrew Gelman dreams of the day when a journalist (like Ezra Klein) asks “Why?” the items on a list (like Rob Goodspeed’s) are in alphabetical order.

This drew my attention to the items on Barack Obama’s issues page, which as of today are not in alphabetical order (despite first appearance and various journalists’ reports that they are).

“Why?” is always a good question. So is “Why not?” If “Why not?” is the right question, something interesting might explain why [not]. Translation from another language, for example. A friend name Winternitz was listed as the first author of many joint papers, even after the citations were translated from Russian to English.

Why aren’t the items on Barack Obama’s issues page in alphabetical order? I don’t have an answer, but I wonder: Was the “Seniors & Social Security” issue once the “Social Security” issue?