• Risks Digest 31.27 (1/2)

    From RISKS List Owner@21:1/5 to All on Fri May 31 20:05:05 2019
    RISKS-LIST: Risks-Forum Digest Friday 31 May 2019 Volume 31 : Issue 27

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.27>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Russia hacked us: We made it far too easy -- and still do (Jeremy Epstein)
    On a Pacific island, a nuclear dome left behind by the US begins to crack
    (The Times of Israel)
    Passengers stranded as Air Canada technical outage stymies airport
    operations, check-ins (CBC)
    GM Gives All Its Vehicles a New Soul (WiReD)
    NSA's EternalBlue: Mustard Gas for the 21st Century (NYTimes)
    Fake cryptocurrency apps on Google Play try to profit on bitcoin price surge
    (Ars Technica)
    Huawei Ban Threatens Wireless Service in Rural Areas (NYTimes)
    False assumptions by programmers (John Harper)
    Your smartphone is not listening to you, but your 'free' apps are
    definitely spying on you
    'Dr. Frankenstein Of Teslas' Aims To Fill Electric Car Giant's
    Repair Void (Here and Now)
    Apple vs. Apple (WashPost)
    "Employees not the target of encryption laws: Home Affairs" (ZDNet)
    New York tenants fight as landlords embrace facial recognition
    cameras (The Guardian)
    Snapchat internal tools abused to spy on users and pillage data (ZDNet)
    737 MAX: Boeing dodges responsibility, with help from the FAA
    (Chuck Karish)
Re: "It's time to press delete on Europe's failed data protection rules"
(Chris Drewe)
    Re: OECD AI Principles (Amos Shapir)
    Re: Martin Ward's post in RISKS-31.25 (Martin Ward)
    Re: Facebook to create new cryptocurrency (Matthew Kruk)
    Re: RBC customer out of pocket after fraud (Keith Medcalf, Gabe Goldberg,
    Jose Maria Mateos)
    I have no sympathy *at all* ... (Rob Slade)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 29 May 2019 20:30:59 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Russia hacked us: We made it far too easy -- and still do
    (Jeremy Epstein)

    https://thehill.com/opinion/cybersecurity/445746-russia-hacked-us-we-made-it-far-too-easy-and-still-do

    ------------------------------

    Date: Mon, 27 May 2019 13:43:15 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: On a Pacific island, a nuclear dome left behind by the US begins to
    crack (The Times of Israel)

'The coffin is leaking its poison into the surrounding environment,' warns local official, amid growing fears of radioactive disaster.

    https://www.timesofisrael.com/on-a-pacific-island-a-nuclear-dome-left-behind-by-the-us-begins-to-crack/

    Infrastructure? What's that?

    ------------------------------

    Date: Tue, 28 May 2019 23:46:03 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Passengers stranded as Air Canada technical outage stymies airport
    operations, check-ins (CBC)

    https://www.cbc.ca/news/canada/toronto/passengers-stranded-as-air-canada-technical-outage-stymies-airport-operations-check-ins-1.5153669

    ------------------------------

    Date: Mon, 27 May 2019 13:36:48 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: GM Gives All Its Vehicles a New Soul (WiReD)

In terms of both bandwidth and compute power, the new setup is five times
more capable than the system underpinning GM's current cars, the rough
equivalent of going from the original iPhone to the iPhone 7. And so more
cars will get Cadillac's Super Cruise semiautonomous driving system and
other active safety features. GM will now be able to issue over-the-air
software updates, improving how its engines run or how its suspensions
handle bumpy roads, even years after a car has been sold. (This idea is old
hat for smartphone users and Tesla drivers, but still new to most
automakers.) More processing power allows for better resolution on
screens. Smarter battery management systems can squeeze more miles out of
electric cars' batteries.

    https://www.wired.com/story/gm-gives-vehicles-new-soul/

    Over-the-air software updates. Minimal discussion of security. What could go wrong?

    ------------------------------

    Date: Sun, 26 May 2019 17:15:12 -0700
    From: Henry Baker <hbaker1@pipeline.com>
    Subject: NSA's EternalBlue: Mustard Gas for the 21st Century (NYTimes)

The ancient Lydian king Croesus -- yes, THAT rich king Croesus -- "turned to
the Delphic oracle and the oracle of Amphiaraus to inquire whether he should
pursue this campaign [against Persia] and whether he should also seek an
alliance. The oracles answered, with typical ambiguity, that if Croesus
attacked the Persians, he would destroy a great empire -- this would become
one of the most famous oracular statements from Delphi [after Croesus was
defeated]." [1]

    [1] https://en.wikipedia.org/wiki/Croesus

Mustard gas and other poisonous gases were used to devastating effect in
WWI, although outlawed by multiple conventions both before and since. The
subsequent use of poisonous gases has since been vastly reduced -- not due
so much to the effectiveness of these international treaties, but to the
fact that the gases are indiscriminate, and have a tendency to "blow back"
on those using them as weapons.

    [2] https://en.wikipedia.org/wiki/Chemical_weapons_in_World_War_I

    Computer scientists have been warning for quite a while about "blowback"
    ("CIA internal coinage denoting the unintended, harmful consequences -- to friendly populations and military forces -- when a given weapon is used
    beyond its purpose as intended by the party supplying it" [3]) from cyberweapons such as STUXNET. Unlike most "kinetic" weapons, which leave little trace after their use, the core problem with cyberweapons is that in
    the overwhelming percentage of uses, the digital pieces of the cyberweapon continue to exist after the attack, and can be repurposed for
    counter-attacks. In this way, cyberweapons are like poison gas, which isn't instantly neutered after achieving its killing purpose, but remains toxic to non-combatants as well as to the original users.

[3] https://en.wikipedia.org/wiki/Blowback_(intelligence)

The billion-dollar blowback from EternalBlue continues [4] without any
apologies from the NSA, which developed it ("Adm. Michael S. Rogers, who was
director of the NSA during the Shadow Brokers leak [including EternalBlue],
suggested in unusually candid remarks that the agency should not be blamed
for the long trail of damage." [4]). Yet the FBI and the Five Eyes around
the world continue their push for "back doors" in encryption, completely
clueless about the even greater repercussions possible in the form of
blowback from the compromise of such encryption backdoors.

    Dona NOBUS Pacem, indeed!

    [4] https://www.nytimes.com/2019/05/25/us/nsa-hacking-tool-baltimore.html

In Baltimore and Beyond, a Stolen NSA Tool Wreaks Havoc
Nicole Perlroth and Scott Shane, The New York Times, 25 May 2019
https://www.nytimes.com/2019/05/25/us/nsa-hacking-tool-baltimore.html

    For nearly three weeks, Baltimore has struggled with a cyberattack by
    digital extortionists that has frozen thousands of computers, shut down
    email and disrupted real estate sales, water bills, health alerts and many other services.

    But here is what frustrated city employees and residents do not know:
    A key component of the malware that cybercriminals used in the attack
    was developed at taxpayer expense a short drive down the Baltimore-
    Washington Parkway at the National Security Agency, according to
    security experts briefed on the case.

    Since 2017, when the NSA lost control of the tool, EternalBlue, it has been picked up by state hackers in North Korea, Russia and, more recently, China,
    to cut a path of destruction around the world, leaving billions of dollars
    in damage. But over the past year, the cyberweapon has boomeranged back and
    is now showing up in the NSA's own backyard.

    It is not just in Baltimore. Security experts say EternalBlue attacks have reached a high, and cybercriminals are zeroing in on vulnerable American
    towns and cities, from Pennsylvania to Texas, paralyzing local governments
    and driving up costs.

    The NSA connection to the attacks on American cities has not been previously reported, in part because the agency has refused to discuss or even
    acknowledge the loss of its cyberweapon, dumped online in April 2017 by a still-unidentified group calling itself the Shadow Brokers. Years later,
    the agency and the Federal Bureau of Investigation still do not know whether the Shadow Brokers are foreign spies or disgruntled insiders.

    Thomas Rid, a cybersecurity expert at Johns Hopkins University, called the Shadow Brokers episode "the most destructive and costly NSA breach in
    history," more damaging than the better-known leak in 2013 from Edward
    Snowden, the former NSA contractor.

    "The government has refused to take responsibility, or even to answer
    the most basic questions," Mr. Rid said. "Congressional oversight
    appears to be failing. The American people deserve an answer."

    The NSA and FBI declined to comment.

    Since that leak, foreign intelligence agencies and rogue actors have used EternalBlue to spread malware that has paralyzed hospitals, airports, rail
    and shipping operators, ATM's and factories that produce critical vaccines.
    Now the tool is hitting the United States where it is most vulnerable, in
    local governments with aging digital infrastructure and fewer resources to defend themselves.

    Before it leaked, EternalBlue was one of the most useful exploits in the
    NSA's cyberarsenal. According to three former NSA operators who spoke on
    the condition of anonymity, analysts spent almost a year finding a flaw in Microsoft's software and writing the code to target it. Initially, they referred to it as EternalBluescreen because it often crashed computers -- a risk that could tip off their targets. But it went on to become a reliable tool used in countless intelligence-gathering and counterterrorism missions.

    EternalBlue was so valuable, former NSA employees said, that the agency
    never seriously considered alerting Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand.

    The Baltimore attack, on 7 May, was a classic ransomware assault. City workers' screens suddenly locked, and a message in flawed English demanded about $100,000 in Bitcoin to free their files: "We've watching you for
    days," said the message, obtained by The Baltimore Sun. "We won't talk
    more, all we know is MONEY! Hurry up!"

    Today, Baltimore remains handicapped as city officials refuse to pay,
    though workarounds have restored some services. Without EternalBlue,
    the damage would not have been so vast, experts said. The tool
    exploits a vulnerability in unpatched software that allows hackers to
    spread their malware faster and farther than they otherwise could.

    North Korea was the first nation to co-opt the tool, for an attack in
    2017 -- called WannaCry -- that paralyzed the British health care
    system, German railroads and some 200,000 organizations around the
    world. Next was Russia, which used the weapon in an attack -- called
    NotPetya -- that was aimed at Ukraine but spread across major
    companies doing business in the country. The assault cost FedEx more
    than $400 million and Merck, the pharmaceutical giant, $670 million.

    The damage didn't stop there. In the past year, the same Russian
    hackers who targeted the 2016 American presidential election used
    EternalBlue to compromise hotel Wi-Fi networks. Iranian hackers have
    used it to spread ransomware and hack airlines in the Middle East,
    according to researchers at the security firms Symantec and FireEye.

    "It's incredible that a tool which was used by intelligence services
    is now publicly available and so widely used," said Vikram Thakur,
    Symantec's director of security response.

    One month before the Shadow Brokers began dumping the agency's tools
    online in 2017, the NSA -- aware of the breach -- reached out to
    Microsoft and other tech companies to inform them of their software
    flaws. Microsoft released a patch, but hundreds of thousands of
    computers worldwide remain unprotected.

    Hackers seem to have found a sweet spot in Baltimore, Allentown, Pa.,
    San Antonio and other local, American governments, where public
    employees oversee tangled networks that often use out-of-date
    software. Last July, the Department of Homeland Security issued a
    dire warning that state and local governments were getting hit by
    particularly destructive malware that now, security researchers say,
    has started relying on EternalBlue to spread.

    Microsoft, which tracks the use of EternalBlue, would not name the
    cities and towns affected, citing customer privacy. But other experts
    briefed on the attacks in Baltimore, Allentown and San Antonio
    confirmed the hackers used EternalBlue. Security responders said they
    were seeing EternalBlue pop up in attacks almost every day.

    Amit Serper, head of security research at Cybereason, said his firm
    had responded to EternalBlue attacks at three different American
    universities, and found vulnerable servers in major cities like
    Dallas, Los Angeles and New York.

    The costs can be hard for local governments to bear. The Allentown
    attack, in February last year, disrupted city services for weeks and
    cost about $1 million to remedy -- plus another $420,000 a year for
    new defenses, said Matthew Leibert, the city's chief information
    officer.

    He described the package of dangerous computer code that hit Allentown
    as "commodity malware," sold on the dark web and used by criminals who
    don't have specific targets in mind. "There are warehouses of kids
    overseas firing off phishing emails," Mr. Leibert said, like thugs
    shooting military-grade weapons at random targets.

    The malware that hit San Antonio last September infected a computer
    inside Bexar County sheriff's office and tried to spread across the
    network using EternalBlue, according to two people briefed on the
    attack.

    This past week, researchers at the security firm Palo Alto Networks
    discovered that a Chinese state group, Emissary Panda, had hacked into
    Middle Eastern governments using EternalBlue.

    "You can't hope that once the initial wave of attacks is over, it will
    go away," said Jen Miller-Osborn, a deputy director of threat
    intelligence at Palo Alto Networks. "We expect EternalBlue will be
    used almost forever, because if attackers find a system that isn't
    patched, it is so useful."

    Until a decade or so ago, the most powerful cyberweapons belonged
    almost exclusively to intelligence agencies -- NSA officials used the
    term "NOBUS," for "nobody but us," for vulnerabilities only the agency
    had the sophistication to exploit. But that advantage has hugely
    eroded, not only because of the leaks, but because anyone can grab a cyberweapon's code once it's used in the wild.

    Some FBI and Homeland Security officials, speaking privately, said
    more accountability at the NSA was needed. A former FBI official
    likened the situation to a government failing to lock up a warehouse
    of automatic weapons.

    In an interview in March, Adm. Michael S. Rogers, who was director of
    the NSA during the Shadow Brokers leak, suggested in unusually candid
    remarks that the agency should not be blamed for the long trail of
    damage.

    "If Toyota makes pickup trucks and someone takes a pickup truck, welds
    an explosive device onto the front, crashes it through a perimeter and
    into a crowd of people, is that Toyota's responsibility?" he asked.
    "The NSA wrote an exploit that was never designed to do what was
    done."

    At Microsoft's headquarters in Redmond, Wash., where thousands of
    security engineers have found themselves on the front lines of these
    attacks, executives reject that analogy.

    "I disagree completely," said Tom Burt, the corporate vice president
    of consumer trust, insisting that cyberweapons could not be compared
    to pickup trucks. "These exploits are developed and kept secret by
    governments for the express purpose of using them as weapons or
    espionage tools. They're inherently dangerous. When someone takes
    that, they're not strapping a bomb to it. It's already a bomb."

    Brad Smith, Microsoft's president, has called for a "Digital Geneva
    Convention" to govern cyberspace, including a pledge by governments to
    report vulnerabilities to vendors, rather than keeping them secret to
    exploit for espionage or attacks.

    Last year, Microsoft, along with Google and Facebook, joined 50
    countries in signing on to a similar call by French President Emmanuel
    Macron -- the Paris Call for Trust and Security in Cyberspace -- to
    end "malicious cyber-activities in peacetime."

    Notably absent from the signatories were the world's most aggressive cyberactors: China, Iran, Israel, North Korea, Russia -- and the
    United States.

    A version of this article appears in print on Page A1 of the New
    York edition with the headline: Cities Hijacked By Tool Stolen From
    the NSA.

    ------------------------------

    Date: Fri, 24 May 2019 19:45:04 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Fake cryptocurrency apps on Google Play try to profit on bitcoin
    price surge (Ars Technica)

    https://arstechnica.com/information-technology/2019/05/fake-cryptocurrency-apps-on-google-play-try-to-profit-on-bitcoin-price-surge/

    ------------------------------

    Date: Sat, 25 May 2019 12:42:31 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Huawei Ban Threatens Wireless Service in Rural Areas (NYTimes)

    https://www.nytimes.com/2019/05/25/technology/huawei-rural-wireless-service.html

    Many small carriers depend on inexpensive equipment from the Chinese
    company. Now they must rethink expansion plans, and perhaps replace existing gear.

    ------------------------------

    Date: Mon, 27 May 2019 12:06:40 +1200
    From: John Harper <harper@msor.vuw.ac.nz>
    Subject: False assumptions by programmers

    One false assumption that some programmers make is that zip codes everywhere are like American ones. Years ago my American bank's web site insisted on
    being given my 5-digit zip code. But NZ "zip codes", called postcodes here, have only 4 digits. So do Australian ones. That made the web site unusable,
    and was my first proof that the bank didn't care about its foreign
    customers.

    School of Mathematics and Statistics, Victoria Univ. of Wellington, PO Box
    600, Wellington 6140, New Zealand.
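
[The following is an added example from the editor, not part of Harper's
message or of any bank's code. It shows the assumption he describes, a
validator that accepts only a 5-digit US ZIP, beside a country-keyed
validator that does not make it. The rule table is constructed for the
example and the patterns are simplified; the country codes, the helper
names and the "no postcode" set are the editor's own choices, not taken
from any address library. PGN]

```python
import re

# Constructed, simplified postcode rules keyed by ISO country code. The
# table is deliberately short; its shape is the point: the country selects
# the rule, and the rule is never "5 digits" by default.
POSTCODE_RULES = {
    "US": r"\d{5}(?:-\d{4})?",                  # ZIP or ZIP+4: 02134, 02134-1234
    "NZ": r"\d{4}",                             # 6140 (Wellington), 0600 (Northland)
    "AU": r"\d{4}",                             # 2000 (Sydney), 0800 (Darwin)
    "DE": r"\d{5}",                             # 10115 (Berlin)
    "CA": r"[A-Z]\d[A-Z] ?\d[A-Z]\d",           # K1A 0B1
    "GB": r"[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}",  # SW1A 1AA
}
_COMPILED = {cc: re.compile(p, re.IGNORECASE) for cc, p in POSTCODE_RULES.items()}

# Territories that use no postcode at all (assumption for this example);
# for them the only correct value is an empty one.
NO_POSTCODE = {"HK", "MO"}


def naive_zip_ok(value: str) -> bool:
    """The assumption Harper ran into: every postcode is a 5-digit US ZIP.
    Rejects every New Zealand and Australian customer."""
    return value.isdigit() and len(value) == 5


def normalize_postcode(value: str) -> str:
    """Trim, upper-case and collapse internal whitespace. The value stays a
    string on purpose: int("0600") == 600 silently drops the leading zero
    that NZ, AU and US codes can legitimately begin with."""
    return " ".join(value.strip().upper().split())


def validate_postcode(country: str, value: str) -> tuple[bool, str]:
    """Return (accepted, normalized_value).

    Unknown countries are accepted as-is: a code we cannot check is still
    worth storing, whereas rejecting it makes the site unusable, which is
    exactly the failure Harper describes."""
    cc = country.strip().upper()
    code = normalize_postcode(value)
    if cc in NO_POSTCODE:
        return (code == "", code)
    rule = _COMPILED.get(cc)
    if rule is None:
        return (True, code)
    return (rule.fullmatch(code) is not None, code)


if __name__ == "__main__":
    for cc, code in [("US", "02134"), ("NZ", "6140"), ("NZ", "0600"),
                     ("AU", "2000"), ("CA", " k1a  0b1 "), ("HK", ""),
                     ("XX", "ABC-123")]:
        print(cc, repr(code), "naive:", naive_zip_ok(code.strip()),
              "country-aware:", validate_postcode(cc, code))
```

The naive check passes "02134" and fails "6140"; the country-aware check
passes both for their own countries and still rejects "6140" for the US,
so the rule has not simply been loosened to "any digits".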

    ------------------------------

    Date: Wed, 29 May 2019 17:34:17 -0700
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: Your smartphone is not listening to you, but your 'free' apps are
    definitely spying on you

If you own a smart phone, this has probably happened to you: you're talking
to someone about a product or activity -- and ads for it start popping up on
your social media.

    You may think it's a coincidence -- or you're paranoid -- but experts say
    it's neither.

    If you have a smartphone, it's hard to hide. There is a privacy feature
    that lets you turn off certain apps that are tracking your location. But
    that doesn't keep them from seeing other information.

    ``You get apps, and they're free, and there has to be a cost because the app developer has to make money,'' Special Agent Steven Foster with the GBI Cyber-Unit said.

    The cost? Your privacy...

    https://www.wrdw.com/nbc26/content/news/No-your-smartphone-is-not-listening-to-you-but-the-free-apps-youre-downloading-are-tracking-your-every-move-510559571.html

    ------------------------------

    Date: Thu, 30 May 2019 13:52:12 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: 'Dr. Frankenstein Of Teslas' Aims To Fill Electric Car Giant's
    Repair Void (Here and Now)

The electric car company Tesla admits it has been lacking in servicing its
vehicles. One man in Massachusetts has taken to restoring and fixing Teslas
<https://www.wbur.org/bostonomix/2019/04/08/with-blowtorches-and-spare-parts-massachusetts-man-fills-teslas-repair-void>
But getting parts -- and Tesla's support -- has not been easy. WBUR's Quincy
Walters: https://www.wbur.org/hereandnow/2019/05/28/tesla-repair-service

    ------------------------------

    Date: Wed, 29 May 2019 14:31:15 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Apple vs. Apple (WashPost)

    It’s the middle of the night. Do you know who your iPhone is talking to?

Apple says, "What happens on your iPhone stays on your iPhone." Our privacy experiment showed 5,400 hidden app trackers guzzled our data -- in a single week.

    https://www.washingtonpost.com/technology/2019/05/28/its-middle-night-do-you-know-who-your-iphone-is-talking/

    And (way too long and WAY too cheery):

    Inside Apple's top secret testing facilities where iPhone defences are
    forged in temperatures of -40C

    https://www.independent.co.uk/life-style/gadgets-and-tech/features/apple-iphone-privacy-security-park-interview-federighi-a8925291.html

    ------------------------------

    Date: Fri, 31 May 2019 10:35:58 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: "Employees not the target of encryption laws: Home Affairs" (ZDNet)

Stilgherrian for The Full Tilt | 30 May 2019
https://www.zdnet.com/article/employees-not-the-target-of-encryption-laws-home-affairs/
    Australian developers really do need to relax. Cops and spooks are being
    told very clearly that the Assistance and Access Act isn't for dragooning
    you into deceiving your bosses.

    [Relax? With security?]

    [selected text]

    This reinforces expert views that the laws are "highly unlikely" to force employees to deceive their bosses, while also stating the intention of the
    DHA staffer who drafted the laws.

    ["highly unlikely" is not terribly reassuring.]

    "It is important to note outright that these new measures cannot be used in
    a manner that would jeopardise the cybersecurity of innocent parties for the sake of facilitating greater government access to communications content and data."

    [I smell a confusion between "cannot" and "should not".]

    Much of the controversy has been triggered by the Act's vague definitions,
    and not just that "designated communications provider" is a three-page list
    of everyone from a major telco down to the operator of a personal website.

    The guide says that it's an "interim step while more comprehensive guidance"
    is developed.

    ------------------------------

    Date: Fri, 31 May 2019 15:13:46 -0400
From: José María Mateos <chema@rinzewind.org>
    Subject: New York tenants fight as landlords embrace facial recognition
    cameras (The Guardian)

    https://www.theguardian.com/cities/2019/may/29/new-york-facial-recognition-cameras-apartment-complex

    Tenants in a New York City apartment complex are fighting their landlord's effort to install a facial recognition system to access parts of the
    buildings, calling it an affront to their privacy rights.

    [...] At Atlantic Plaza Towers in the Brownsville neighborhood of Brooklyn,
    the landlord, Nelson Management Group, is moving to install a new system to control entry into the buildings. It would use facial recognition to open
    the front door for recognized tenants rather than traditional keys or electronic key fobs.

    More than 130 tenants have, however, filed a formal complaint with the state seeking to block the application.

    “We do not want to be tagged like animals,” said Icemae Downes, who has lived at Atlantic Plaza Towers since it opened 51 years ago. “We are not animals. We should be able to freely come in and out of our development
    without you tracking every movement.”

    ------------------------------

    Date: Fri, 31 May 2019 10:25:45 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: Snapchat internal tools abused to spy on users and pillage data
    (ZDNet)

Charlie Osborne for Zero Day | 24 May 2019
Staff members have allegedly abused their positions to spy on Snapchat users.
https://www.zdnet.com/article/snapchat-internal-tools-used-to-spy-on-users-pillage-their-data/

    Snapchat has internal tools dedicated to accessing consumer data and these
    same tools have been subject to abuse by employees.

    According to a report published by Motherboard, "multiple" members of staff have abused their positions and used their privileges to access these tools
    and spy on users.

    ------------------------------

    Date: Wed, 29 May 2019 10:48:53 -0700
    From: Chuck Karish <chuck.karish@gmail.com>
    Subject: 737 MAX: Boeing dodges responsibility, with help from the FAA

    On May 5 Boeing issued a press release about the significance of the AOA Disagree alert on 737 MAX airplanes.

https://boeing.mediaroom.com/news-releases-statements?item=130431

    It says:

    "Neither the angle of attack indicator nor the AOA Disagree alert are
    necessary for the safe operation of the airplane."

    This misrepresents the situation. Once the MCAS takes control of the
    airplane away from the pilots, the single AOA sensor that the MCAS chooses
    to use must function correctly for the airplane to function safely. Since
    MCAS doesn't use the airplane's two AOA sensors in a redundant mode, the AOA Disagree alert is a vital indication to the pilots that MCAS is
    malfunctioning and that corrective action is needed.

When the acting head of the FAA testified before the House Transportation
Committee a week and a half later, he said he thought Boeing should have
explained MCAS more completely; he implicitly supported Boeing's claim that
MCAS is not a safety-critical system; then he blamed the flight crews for
the crashes.

    https://www.nytimes.com/2019/05/15/us/politics/boeing-faa-congress.html

    Self certification is especially troublesome when it's linked with
    regulatory capture.

    ------------------------------

    Date: Sun, 26 May 2019 22:16:19 +0100
    From: Chris Drewe <e767pmk@yahoo.co.uk>
    Subject: Re: "It's time to press delete on Europe's failed data protection
    rules" (The Telegraph)

    Probably not news to RISKS readers, but there was a critique of the EU's General Data Protection Regulation in this weekend's newspaper -- web
    article behind a paywall, summary follows:

    https://www.telegraph.co.uk/business/2019/05/24/time-press-delete-europes-failed-data-protection-rules/

    It's time to press delete on Europe's failed data protection rules
    *The Telegraph*, 24 May 2019

    One year on from the introduction of the massively expensive GDPR
    legislation across Europe presumably we have far better control over the Internet and technology is serving society rather than the other way around. After all, it has cost somewhere between $10bn (8bn pounds) and $20bn to implement, so it should have achieved something.

    Except, it doesn't quite look like that. Instead, venture capital
    investment has been crippled, the existing web giants are more dominant...

    As ever, it appears that lawmakers' attempts to legislate for an ideal world have tiny or negative benefits at great expense.


    ------------------------------

    Date: Sun, 26 May 2019 18:27:03 +0300
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: OECD AI Principles (RISKS-31.26)

    "those developing or deploying AI should be held accountable for their
    actions"

    But what if an AI system is developed and/or deployed by another AI system?

    For example, an AI system which analyses security needs for an organization
    or a government, and recommends which one to deploy, may decide to deploy a face recognition system and connect it to a database of criminals -- or dissidents.

    It is already possible by current technology that deployment, and even part
    of the design, might be carried out without human intervention; and soon,
    even without human awareness.

    ------------------------------

    Date: Wed, 29 May 2019 13:58:35 +0100
    From: Martin Ward <martin@gkc.org.uk>
    Subject: Re: Martin Ward's post in RISKS-31.25

    PGN, I rather wish that you hadn't run the message :-(

I think what happened is that I stashed the post away as something
interesting to be followed up later, then found it again later and assumed
that I had already checked out the references! I will take care to
double-check references in future posts.

    I apologise to everyone concerned.

    Fortunately, the self-correcting element in comp.risks has done its job.

    Unfortunately, this part of the story has detracted from my main point: that for-profit healthcare is generally less efficient and less effective than universal healthcare.

    International comparison of health systems (using OECD data):

https://en.wikipedia.org/wiki/Health_system#International_comparisons
https://upload.wikimedia.org/wikipedia/commons/f/f8/HC-Graph.jpg

    The Commonwealth Fund, in its annual survey, "Mirror, Mirror on the Wall", compares the performance of the health systems in Australia, New Zealand,
    the United Kingdom, Germany, Canada and the United States. Its 2007 study found that, although the United States system is the most expensive, it consistently underperforms compared to the other countries. A major
    difference between the United States and the other countries in the study is that the United States is the only country without universal health care.

    Comparing the average values for Australia, Canada, France, Germany, Italy, Japan, Norway, Sweden and the UK against the USA:

    Life Expectancy: 82.4 vs 78.7
    Infant Mortality: 3.6 vs 5.9
    Preventable deaths: 66 vs 96
    Spending: $4,885 vs $7,437

(See the Wikipedia page above for detailed figures.)

    A survey in 2013 found that only 4% of people in the UK experienced cost-related barriers to accessing health care, compared to 37% in the USA. (Commonwealth Fund International Health Policy Survey 2013).

[I have had other messages on this subject, but I think it is far enough
out of the RISKS mainstream(s) that I am closing the thread. I also think
it would have been better had I rejected Martin's original post. PGN]

    ------------------------------

    Date: Sun, 26 May 2019 13:00:25 -0600
    From: "Matthew Kruk" <mkrukg@gmail.com>
    Subject: RE: Facebook to create new cryptocurrency (BBC)

    GlobalCoin? Nah, call it Facebuck.

    ------------------------------

    Date: Sat, 25 May 2019 21:48:12 -0600
    From: "Keith Medcalf" <kmedcalf@dessus.com>
    Subject: Re: RBC customer out of pocket after fraud (R-31.26)

So let me get this straight. This Fearnley woman withdrew money from the
bank (as in cash from an ATM) and put it in an envelope and mailed it to her
buddy. Someone took the envelope containing the cash from her buddy's
mailbox.

    How does this have anything whatsoever to do with RBC or Interac? Obviously the problem is sending cash through the mail. The fact that it was
    electronic cash sent via electronic mail is irrelevant -- it was still cash
    in the mail.

    The Risks are obvious but I guess people are just dumb.

    ------------------------------

    Date: Sun, 19 May 2019 13:31:40 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Re: RBC customer out of pocket after fraud (R-31.26)

    The bank blamed the theft on Fearnley's email security.

    Hoover's security question to her friend was: "Who is my favourite Beatle?"

The fraudster would have had a one in four chance of getting it right -- John,
Paul, George or Ringo. In a test of RBC's Interac system, Go Public
was given four chances to answer the security question correctly.

    https://www.cbc.ca/news/business/rbc-customer-out-of-pocket-after-e-transfer-fraud-1.5128114

    ------------------------------

    Date: Sun, 26 May 2019 10:36:53 -0400
From: José María Mateos <chema@rinzewind.org>
    Subject: Re: RBC customer out of pocket after fraud (R-31.26)

    Coming from Europe (Spain), I am amazed at the really convoluted way people transfer money here in Canada.

Back at home: give me your account number, I'll do the transfer from my bank
for free.

Here: give me your e-mail address, I'll add it to my bank's Interac system,
then I will send you N dollars as we agreed on, so you will receive an

    [continued in next message]
