The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 27

Friday 31 May 2019

Contents

Russia hacked us: We made it far too easy—and still do
Jeremy Epstein
On a Pacific island, a nuclear dome left behind by the US begins to crack
The Times of Israel
Passengers stranded as Air Canada technical outage stymies airport operations, check-ins
CBC
GM Gives All Its Vehicles a New Soul
WiReD
NSA's EternalBlue: Mustard Gas for the 21st Century
NYTimes
Fake cryptocurrency apps on Google Play try to profit on bitcoin price surge
Ars Technica
Huawei Ban Threatens Wireless Service in Rural Areas
NYTimes
False assumptions by programmers
John Harper
Your smartphone is not listening to you, but your 'free' apps are definitely spying on you
????
'Dr. Frankenstein Of Teslas' Aims To Fill Electric Car Giant's Repair Void
Here and Now
Apple vs. Apple
WashPost
"Employees not the target of encryption laws: Home Affairs"
ZDNet
New York tenants fight as landlords embrace facial recognition cameras
The Guardian
Snapchat internal tools abused to spy on users and pillage data
ZDNet
737 MAX: Boeing dodges responsibility, with help from the FAA
Chuck Karish
Re: "It's time to press delete on Europe's failed data protection
Chris Drew
Re: OECD AI Principles
Amos Shapir
Re: Martin Ward's post in RISKS-31.25
Martin Ward
Re: Facebook to create new cryptocurrency
Matthew Kruk
Re: RBC customer out of pocket after fraud
Keith Medcalf
Gabe Goldberg
Jose Maria Mateos
I have no sympathy *at all* ...
Rob Slade
Info on RISKS (comp.risks)

Russia hacked us: We made it far too easy—and still do (Jeremy Epstein)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 29 May 2019 20:30:59 PDT
https://thehill.com/opinion/cybersecurity/445746-russia-hacked-us-we-made-it-far-too-easy-and-still-do


On a Pacific island, a nuclear dome left behind by the US begins to crack (The Times of Israel)

Gabe Goldberg <gabe@gabegold.com>
Mon, 27 May 2019 13:43:15 -0400
The coffin is leaking its poison into the surrounding environment,' warns
local official, amid growing fears of radioactive disaster.

https://www.timesofisrael.com/on-a-pacific-island-a-nuclear-dome-left-behind-by-the-us-begins-to-crack/

Infrastructure? What's that?


Passengers stranded as Air Canada technical outage stymies airport operations, check-ins (CBC)

Monty Solomon <monty@roscom.com>
Tue, 28 May 2019 23:46:03 -0400
https://www.cbc.ca/news/canada/toronto/passengers-stranded-as-air-canada-technical-outage-stymies-airport-operations-check-ins-1.5153669


GM Gives All Its Vehicles a New Soul (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Mon, 27 May 2019 13:36:48 -0400
In terms of both bandwidth and compute power, the new setup is five times
more capable than the system underpinning GM's current cars, the rough
equivalent of going from the original iPhone to the iPhone 7. And so more
cars will get Cadillac's Super Cruise semiautonomous driving system and
other active safety features. GM will now be able to issue over-the-air
software updates, improving how its engines run or how its suspensions
handle bumpy roads, even years after a car has been sold.  (This idea is old
hat for smartphone users and Tesla drivers, but still new to most
automakers.) More processing power allows for better resolution on
screens. Smarter battery management systems can squeeze more miles out of
electric cars' batteries.

https://www.wired.com/story/gm-gives-vehicles-new-soul/

Over-the-air software updates. Minimal discussion of security. What could go
wrong?


NSA's EternalBlue: Mustard Gas for the 21st Century (NYTimes)

Henry Baker <hbaker1@pipeline.com>
Sun, 26 May 2019 17:15:12 -0700
The ancient Lydian king Croesus—yes, THAT rich king Croesus—"turned to
the Delphic oracle and the oracle of Amphiaraus to inquire whether he should
pursue this campaign [against Persia] and whether he should also seek an
alliance.  The oracles answered, with typical ambiguity, that if Croesus
attacked the Persians, he would destroy a great empire—this would become
one of the most famous oracular statements from Delphi [after Croesus was
defeated."[1]

[1] https://en.wikipedia.org/wiki/Croesus

Mustard gas and other poisonous gasses were used to devastating effect in
WWI, although outlawed by multiple conventions both before and since.  The
subsequent use of poisonous gasses has since been vastly reduced—not due
so much to the effectiveness of these international treaties, but to the
fact that the gasses are indiscriminate, and have a tendency to "blow back"
on those using them as weapons.

[2] https://en.wikipedia.org/wiki/Chemical_weapons_in_World_War_I

Computer scientists have been warning for quite a while about "blowback"
("CIA internal coinage denoting the unintended, harmful consequences—to
friendly populations and military forces—when a given weapon is used
beyond its purpose as intended by the party supplying it" [3]) from
cyberweapons such as STUXNET.  Unlike most "kinetic" weapons, which leave
little trace after their use, the core problem with cyberweapons is that in
the overwhelming percentage of uses, the digital pieces of the cyberweapon
continue to exist after the attack, and can be repurposed for
counter-attacks.  In this way, cyberweapons are like poison gas, which isn't
instantly neutered after achieving its killing purpose, but remains toxic to
non-combatants as well as to the original users.

[3] https://en.wikipedia.org/wiki/Blowback_(intelligence)

The billion-dollar blowback from EternalBlue continues [3] without any
apologies from the NSA, which developed it ("Adm. Michael S. Rogers, who was
director of the NSA during the Shadow Brokers leak [including EternalBlue],
suggested in unusually candid remarks that the agency should not be blamed
for the long trail of damage." [4]).  Yet the FBI and the Five Eyes around
the world continue their push for "back doors" in encryption, completely
clueless about the even greater repercussions possible in the form of
blowback from the compromise of such encryption backdoors.

Dona NOBUS Pacem, indeed!

[4] https://www.nytimes.com/2019/05/25/us/nsa-hacking-tool-baltimore.html

In Baltimore and Beyond, a Stolen NSA Tool Wreaks Havoc

Nicole Perlroth and Scott Shane, The New York Times, 25 May 2019
https://www.nytimes.com/2019/05/25/us/nsa-hacking-tool-baltimore.html

For nearly three weeks, Baltimore has struggled with a cyberattack by
digital extortionists that has frozen thousands of computers, shut down
email and disrupted real estate sales, water bills, health alerts and many
other services.

But here is what frustrated city employees and residents do not know:
A key component of the malware that cybercriminals used in the attack
was developed at taxpayer expense a short drive down the Baltimore-
Washington Parkway at the National Security Agency, according to
security experts briefed on the case.

Since 2017, when the NSA lost control of the tool, EternalBlue, it has been
picked up by state hackers in North Korea, Russia and, more recently, China,
to cut a path of destruction around the world, leaving billions of dollars
in damage.  But over the past year, the cyberweapon has boomeranged back and
is now showing up in the NSA's own backyard.

It is not just in Baltimore.  Security experts say EternalBlue attacks have
reached a high, and cybercriminals are zeroing in on vulnerable American
towns and cities, from Pennsylvania to Texas, paralyzing local governments
and driving up costs.

The NSA connection to the attacks on American cities has not been previously
reported, in part because the agency has refused to discuss or even
acknowledge the loss of its cyberweapon, dumped online in April 2017 by a
still-unidentified group calling itself the Shadow Brokers.  Years later,
the agency and the Federal Bureau of Investigation still do not know whether
the Shadow Brokers are foreign spies or disgruntled insiders.

Thomas Rid, a cybersecurity expert at Johns Hopkins University, called the
Shadow Brokers episode "the most destructive and costly NSA breach in
history," more damaging than the better-known leak in 2013 from Edward
Snowden, the former NSA contractor.

"The government has refused to take responsibility, or even to answer
the most basic questions," Mr. Rid said.  "Congressional oversight
appears to be failing.  The American people deserve an answer."

The NSA and FBI declined to comment.

Since that leak, foreign intelligence agencies and rogue actors have used
EternalBlue to spread malware that has paralyzed hospitals, airports, rail
and shipping operators, ATM's and factories that produce critical vaccines.
Now the tool is hitting the United States where it is most vulnerable, in
local governments with aging digital infrastructure and fewer resources to
defend themselves.

Before it leaked, EternalBlue was one of the most useful exploits in the
NSA's cyberarsenal.  According to three former NSA operators who spoke on
the condition of anonymity, analysts spent almost a year finding a flaw in
Microsoft's software and writing the code to target it.  Initially, they
referred to it as EternalBluescreen because it often crashed computers—a
risk that could tip off their targets.  But it went on to become a reliable
tool used in countless intelligence-gathering and counterterrorism missions.

EternalBlue was so valuable, former NSA employees said, that the agency
never seriously considered alerting Microsoft about the vulnerabilities, and
held on to it for more than five years before the breach forced its hand.

The Baltimore attack, on 7 May, was a classic ransomware assault.  City
workers' screens suddenly locked, and a message in flawed English demanded
about $100,000 in Bitcoin to free their files: "We've watching you for
days," said the message, obtained by The Baltimore Sun.  "We won't talk
more, all we know is MONEY! Hurry up!"

Today, Baltimore remains handicapped as city officials refuse to pay,
though workarounds have restored some services.  Without EternalBlue,
the damage would not have been so vast, experts said.  The tool
exploits a vulnerability in unpatched software that allows hackers to
spread their malware faster and farther than they otherwise could.

North Korea was the first nation to co-opt the tool, for an attack in
2017—called WannaCry—that paralyzed the British health care
system, German railroads and some 200,000 organizations around the
world.  Next was Russia, which used the weapon in an attack—called
NotPetya—that was aimed at Ukraine but spread across major
companies doing business in the country.  The assault cost FedEx more
than $400 million and Merck, the pharmaceutical giant, $670 million.

The damage didn't stop there.  In the past year, the same Russian
hackers who targeted the 2016 American presidential election used
EternalBlue to compromise hotel Wi-Fi networks.  Iranian hackers have
used it to spread ransomware and hack airlines in the Middle East,
according to researchers at the security firms Symantec and FireEye.

"It's incredible that a tool which was used by intelligence services
is now publicly available and so widely used," said Vikram Thakur,
Symantec's director of security response.

One month before the Shadow Brokers began dumping the agency's tools
online in 2017, the NSA—aware of the breach—reached out to
Microsoft and other tech companies to inform them of their software
flaws.  Microsoft released a patch, but hundreds of thousands of
computers worldwide remain unprotected.

Hackers seem to have found a sweet spot in Baltimore, Allentown, Pa.,
San Antonio and other local, American governments, where public
employees oversee tangled networks that often use out-of-date
software.  Last July, the Department of Homeland Security issued a
dire warning that state and local governments were getting hit by
particularly destructive malware that now, security researchers say,
has started relying on EternalBlue to spread.

Microsoft, which tracks the use of EternalBlue, would not name the
cities and towns affected, citing customer privacy.  But other experts
briefed on the attacks in Baltimore, Allentown and San Antonio
confirmed the hackers used EternalBlue.  Security responders said they
were seeing EternalBlue pop up in attacks almost every day.

Amit Serper, head of security research at Cybereason, said his firm
had responded to EternalBlue attacks at three different American
universities, and found vulnerable servers in major cities like
Dallas, Los Angeles and New York.

The costs can be hard for local governments to bear.  The Allentown
attack, in February last year, disrupted city services for weeks and
cost about $1 million to remedy—plus another $420,000 a year for
new defenses, said Matthew Leibert, the city's chief information
officer.

He described the package of dangerous computer code that hit Allentown
as "commodity malware," sold on the dark web and used by criminals who
don't have specific targets in mind.  "There are warehouses of kids
overseas firing off phishing emails," Mr. Leibert said, like thugs
shooting military-grade weapons at random targets.

The malware that hit San Antonio last September infected a computer
inside Bexar County sheriff's office and tried to spread across the
network using EternalBlue, according to two people briefed on the
attack.

This past week, researchers at the security firm Palo Alto Networks
discovered that a Chinese state group, Emissary Panda, had hacked into
Middle Eastern governments using EternalBlue.

"You can't hope that once the initial wave of attacks is over, it will
go away," said Jen Miller-Osborn, a deputy director of threat
intelligence at Palo Alto Networks.  "We expect EternalBlue will be
used almost forever, because if attackers find a system that isn't
patched, it is so useful."

Until a decade or so ago, the most powerful cyberweapons belonged
almost exclusively to intelligence agencies—NSA officials used the
term "NOBUS," for "nobody but us," for vulnerabilities only the agency
had the sophistication to exploit.  But that advantage has hugely
eroded, not only because of the leaks, but because anyone can grab a
cyberweapon's code once it's used in the wild.

Some FBI and Homeland Security officials, speaking privately, said
more accountability at the NSA was needed.  A former FBI official
likened the situation to a government failing to lock up a warehouse
of automatic weapons.

In an interview in March, Adm. Michael S. Rogers, who was director of
the NSA during the Shadow Brokers leak, suggested in unusually candid
remarks that the agency should not be blamed for the long trail of
damage.

"If Toyota makes pickup trucks and someone takes a pickup truck, welds
an explosive device onto the front, crashes it through a perimeter and
into a crowd of people, is that Toyota's responsibility?" he asked.
"The NSA wrote an exploit that was never designed to do what was
done."

At Microsoft's headquarters in Redmond, Wash., where thousands of
security engineers have found themselves on the front lines of these
attacks, executives reject that analogy.

"I disagree completely," said Tom Burt, the corporate vice president
of consumer trust, insisting that cyberweapons could not be compared
to pickup trucks.  "These exploits are developed and kept secret by
governments for the express purpose of using them as weapons or
espionage tools.  They're inherently dangerous.  When someone takes
that, they're not strapping a bomb to it.  It's already a bomb."

Brad Smith, Microsoft's president, has called for a "Digital Geneva
Convention" to govern cyberspace, including a pledge by governments to
report vulnerabilities to vendors, rather than keeping them secret to
exploit for espionage or attacks.

Last year, Microsoft, along with Google and Facebook, joined 50
countries in signing on to a similar call by French President Emmanuel
Macron—the Paris Call for Trust and Security in Cyberspace—to
end "malicious cyber-activities in peacetime."

Notably absent from the signatories were the world's most aggressive
cyberactors: China, Iran, Israel, North Korea, Russia—and the
United States.

A version of this article appears in print on Page A1 of the New
York edition with the headline: Cities Hijacked By Tool Stolen From
the NSA.


Fake cryptocurrency apps on Google Play try to profit on bitcoin price surge (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 24 May 2019 19:45:04 -0400
https://arstechnica.com/information-technology/2019/05/fake-cryptocurrency-apps-on-google-play-try-to-profit-on-bitcoin-price-surge/


Huawei Ban Threatens Wireless Service in Rural Areas (NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 25 May 2019 12:42:31 -0400
https://www.nytimes.com/2019/05/25/technology/huawei-rural-wireless-service.html

Many small carriers depend on inexpensive equipment from the Chinese
company. Now they must rethink expansion plans, and perhaps replace existing
gear.


False assumptions by programmers

John Harper <harper@msor.vuw.ac.nz>
Mon, 27 May 2019 12:06:40 +1200
One false assumption that some programmers make is that zip codes everywhere
are like American ones. Years ago my American bank's web site insisted on
being given my 5-digit zip code. But NZ "zip codes", called postcodes here,
have only 4 digits. So do Australian ones. That made the web site unusable,
and was my first proof that the bank didn't care about its foreign
customers.

School of Mathematics and Statistics, Victoria Univ. of Wellington, PO Box
600, Wellington 6140, New Zealand.


Your smartphone is not listening to you, but your 'free' apps are definitely spying on you

the keyboard of geoff goodfellow <geoff@iconia.com>
Wed, 29 May 2019 17:34:17 -0700
If you own a smart phone, this has probably happened to you: you're talking
to someone about a product or activity-- and ads for it start popping up on
your social media.

You may think it's a coincidence—or you're paranoid—but experts say
it's neither.

If you have a smartphone, it's hard to hide. There is a privacy feature
that lets you turn off certain apps that are tracking your location. But
that doesn't keep them from seeing other information.

“You get apps, and they're free, and there has to be a cost because the app
developer has to make money,'' Special Agent Steven Foster with the GBI
Cyber-Unit said.

The cost? Your privacy...

https://www.wrdw.com/nbc26/content/news/No-your-smartphone-is-not-listening-to-you-but-the-free-apps-youre-downloading-are-tracking-your-every-move-510559571.html


'Dr. Frankenstein Of Teslas' Aims To Fill Electric Car Giant's Repair Void (Here and Now)

Gabe Goldberg <gabe@gabegold.com>
Thu, 30 May 2019 13:52:12 -0400
The electric car company Tesla admits it has been lacking in servicing its
vehicles. One man in Massachusetts has taken to restoring and fixing Teslas
<https://www.wbur.org/bostonomix/2019/04/08/with-blowtorches-and-spare-parts-massachusetts-man-fills-teslas-repair-void
But getting parts ” and Tesla's support ” has not been easy. WBUR's Quincy
Walters https://www.wbur.org/hereandnow/2019/05/28/tesla-repair-service


Apple vs. Apple (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Wed, 29 May 2019 14:31:15 -0400
It's the middle of the night. Do you know who your iPhone is talking to?

Apple says, "What happens on your iPhone stays on your iPhone." Our privacy
experiment showed 5,400 hidden app trackers guzzled our data -” in a single
week.

https://www.washingtonpost.com/technology/2019/05/28/its-middle-night-do-you-know-who-your-iphone-is-talking/

And (way too long and WAY too cheery):

Inside Apple's top secret testing facilities where iPhone defences are
forged in temperatures of -40C

https://www.independent.co.uk/life-style/gadgets-and-tech/features/apple-iphone-privacy-security-park-interview-federighi-a8925291.html


"Employees not the target of encryption laws: Home Affairs" (ZDNet)

Gene Wirchenko <gene@shaw.ca>
Fri, 31 May 2019 10:35:58 -0700
Stilgherrian for The Full Tilt | 30 May 2019
https://www.zdnet.com/article/employees-not-the-target-of-encryption-laws-home-affairs/
Australian developers really do need to relax. Cops and spooks are being
told very clearly that the Assistance and Access Act isn't for dragooning
you into deceiving your bosses.

  [Relax?  With security?]

[selected text]

This reinforces expert views that the laws are "highly unlikely" to force
employees to deceive their bosses, while also stating the intention of the
DHA staffer who drafted the laws.

       ["highly unlikely" is not terribly reassuring.]

"It is important to note outright that these new measures cannot be used in
a manner that would jeopardise the cybersecurity of innocent parties for the
sake of facilitating greater government access to communications content and
data."

      [I smell a confusion between "cannot" and "should not".]

Much of the controversy has been triggered by the Act's vague definitions,
and not just that "designated communications provider" is a three-page list
of everyone from a major telco down to the operator of a personal website.

The guide says that it's an "interim step while more comprehensive guidance"
is developed.


New York tenants fight as landlords embrace facial recognition cameras (The Guardian)

José María Mateos <chema@rinzewind.org>
Fri, 31 May 2019 15:13:46 -0400
https://www.theguardian.com/cities/2019/may/29/new-york-facial-recognition-cameras-apartment-complex

Tenants in a New York City apartment complex are fighting their landlord's
effort to install a facial recognition system to access parts of the
buildings, calling it an affront to their privacy rights.

[...] At Atlantic Plaza Towers in the Brownsville neighborhood of Brooklyn,
the landlord, Nelson Management Group, is moving to install a new system to
control entry into the buildings. It would use facial recognition to open
the front door for recognized tenants rather than traditional keys or
electronic key fobs.

More than 130 tenants have, however, filed a formal complaint with the state
seeking to block the application.

"We do not want to be tagged like animals," said Icemae Downes, who has
lived at Atlantic Plaza Towers since it opened 51 years ago. "We are not
animals. We should be able to freely come in and out of our development
without you tracking every movement."


Snapchat internal tools abused to spy on users and pillage data (ZDNet)

Gene Wirchenko <gene@shaw.ca>
Fri, 31 May 2019 10:25:45 -0700
Charlie Osborne for Zero Day | 24 May 2019
Staff members have allegedly abused their positions to spy on Snapchat users.
https://www.zdnet.com/article/snapchat-internal-tools-used-to-spy-on-users-pillage-their-data/

Snapchat has internal tools dedicated to accessing consumer data and these
same tools have been subject to abuse by employees.

According to a report published by Motherboard, "multiple" members of staff
have abused their positions and used their privileges to access these tools
and spy on users.


737 MAX: Boeing dodges responsibility, with help from the FAA

Chuck Karish <chuck.karish@gmail.com>
Wed, 29 May 2019 10:48:53 -0700
On May 5 Boeing issued a press release about the significance of the AOA
Disagree alert on 737 MAX airplanes.

https://boeing.mediaroom.com/news-releases-statements?item=130431

It says:

"Neither the angle of attack indicator nor the AOA Disagree alert are
necessary for the safe operation of the airplane."

This misrepresents the situation. Once the MCAS takes control of the
airplane away from the pilots, the single AOA sensor that the MCAS chooses
to use must function correctly for the airplane to function safely. Since
MCAS doesn't use the airplane's two AOA sensors in a redundant mode, the AOA
Disagree alert is a vital indication to the pilots that MCAS is
malfunctioning and that corrective action is needed.

When the acting head of the FAA testified before the House Transportation
Committee a week and a half later, he said he thought Boeing should have
explained MCAS more completely, he implicitly supported Boeing's claim that
MCAS is not a safety-critical system, then he blamed the flight crews for
the crashes.

https://www.nytimes.com/2019/05/15/us/politics/boeing-faa-congress.html

Self certification is especially troublesome when it's linked with
regulatory capture.


Re: "It's time to press delete on Europe's failed data protection rules" (The Telegraph)

Chris Drewe <e767pmk@yahoo.co.uk>
Sun, 26 May 2019 22:16:19 +0100
Probably not news to RISKS readers, but there was a critique of the EU's
General Data Protection Regulation in this weekend's newspaper—web
article behind a paywall, summary follows:

https://www.telegraph.co.uk/business/2019/05/24/time-press-delete-europes-failed-data-protection-rules/

> It's time to press delete on Europe's failed data protection rules
> *The Telegraph*, 24 May 2019
>
> One year on from the introduction of the massively expensive GDPR
> legislation across Europe presumably we have far better control over the
> Internet and technology is serving society rather than the other way around.
> After all, it has cost somewhere between $10bn (8bn pounds) and $20bn to
> implement, so it should have achieved something.
>
> Except, it doesn't quite look like that. Instead, venture capital
> investment has been crippled, the existing web giants are more dominant...

As ever, it appears that lawmakers' attempts to legislate for an ideal world
have tiny or negative benefits at great expense.

https://www.avg.com


Re: OECD AI Principles (RISKS-31.26)

Amos Shapir <amos083@gmail.com>
Sun, 26 May 2019 18:27:03 +0300
"those developing or deploying AI should be held accountable for their
actions"

But what if an AI system is developed and/or deployed by another AI system?

For example, an AI system which analyses security needs for an organization
or a government, and recommends which one to deploy, may decide to deploy a
face recognition system and connect it to a database of criminals—or
dissidents.

It is already possible by current technology that deployment, and even part
of the design, might be carried out without human intervention; and soon,
even without human awareness.


Re: Martin Ward's post in RISKS-31.25

Martin Ward <martin@gkc.org.uk>
Wed, 29 May 2019 13:58:35 +0100
PGN, I rather wish that you hadn't run the message :-(

I think what happened is that I stashed to post away as something
interesting to be followed up later, then found it again later and assumed
that I had already checked out the references!  I will take care to
double-check references in future posts.

I apologise to everyone concerned.

Fortunately, the self-correcting element in comp.risks has done its job.

Unfortunately, this part of the story has detracted from my main point: that
for-profit healthcare is generally less efficient and less effective than
universal healthcare.

International comparison of health systems (using OECD data):

https://en.wikipedia.org/wiki/Health_system#International_comparisons
https://upload.wikimedia.org/wikipedia/commons/f/f8/HC-Graph.jpg

The Commonwealth Fund, in its annual survey, "Mirror, Mirror on the Wall",
compares the performance of the health systems in Australia, New Zealand,
the United Kingdom, Germany, Canada and the United States.  Its 2007 study
found that, although the United States system is the most expensive, it
consistently underperforms compared to the other countries. A major
difference between the United States and the other countries in the study is
that the United States is the only country without universal health care.

Comparing the average values for Australia, Canada, France, Germany, Italy,
Japan, Norway, Sweden and the UK against the USA:

Life Expectancy:  82.4 vs 78.7
Infant Mortality:  3.6 vs 5.9
Preventable deaths: 66 vs 96
Spending:       $4,885 vs $7,437

(See the wikipedia page above detailed figures)

A survey in 2013 found that only 4% of people in the UK experienced
cost-related barriers to accessing health care, compared to 37% in the USA.
(Commonwealth Fund International Health Policy Survey 2013).

  [I have had other messages on this subject, but I think it os far enough
  out of the RISKS mainstream(s) that I am closing the thread.  I also think
  it would have been better had I rejected Martin's original post.  PGN]


RE: Facebook to create new cryptocurrency (BBC)

"Matthew Kruk" <mkrukg@gmail.com>
Sun, 26 May 2019 13:00:25 -0600
GlobalCoin? Nah, call it Facebuck.


Re: RBC customer out of pocket after fraud (R-31.26)

"Keith Medcalf" <kmedcalf@dessus.com>
Sat, 25 May 2019 21:48:12 -0600
So let me get this straight.  This Fearnley woman withdrew money from the
bank (as in cash from an ATM) and put in in an envelope and mailed it to her
buddy.  Someone took the envelope containing the cash from her buddies
mailbox.

How does this have anything whatsoever to do with RBC or Interac?  Obviously
the problem is sending cash through the mail.  The fact that it was
electronic cash sent via electronic mail is irrelevant—it was still cash
in the mail.

The Risks are obvious but I guess people are just dumb.


Re: RBC customer out of pocket after fraud (R-31.26)

Gabe Goldberg <gabe@gabegold.com>
Sun, 19 May 2019 13:31:40 -0400
The bank blamed the theft on Fearnley's email security.

Hoover's security question to her friend was: "Who is my favourite Beatle?"

The fraudster would have had a one in four chance of getting it right ”-
John, Paul, George or Ringo. In a test of RBC's Interac system, Go Public
was given four chances to answer the security question correctly.

https://www.cbc.ca/news/business/rbc-customer-out-of-pocket-after-e-transfer-fraud-1.5128114


Re: RBC customer out of pocket after fraud (R-31.26)

José María Mateos <chema@rinzewind.org>
Sun, 26 May 2019 10:36:53 -0400
Coming from Europe (Spain), I am amazed at the really convoluted way people
transfer money here in Canada.

Back at home: give me you account number, I'll do the transfer from my bank
for free.

Here: give me your e-mail address, I'll add it do my bank's Interac system,
then I will send you N dollars as we agreed on, so you will receive an
e-mail with a link you have to click, then you have to log into your bank
and know the answer to the "security question" I have set, which is
something only you and me should know, and the money will be
deposited. Easy!

I used to pay my rent by check (yay 21st Century!) until my bank gave me two
free Interac transfers per month. More than that, and it's $1 each.

Having phishing scams here in Canada using this kind of links is quite
common. See for instance:

https://ottawacitizen.com/news/local-news/fraud-alert-interac-warns-customers-about-fake-e-transfer-emails

https://www.ctvnews.ca/business/canada-revenue-agency-warns-of-text-message-phishing-scam-1.2296220


I have no sympathy *at all* ...

Rob Slade <rmslade@shaw.ca>
Tue, 28 May 2019 09:05:47 -0700
OK, bear with me.  I *will* get to the security part.)  (It may not be worth
it, but ...)

I've been burying my aunt over the weekend.  It was expected, she'd had a
good innings (she was awarded "Citizen of the Century," among other things),
and it was great to swap stories with others who knew and loved her.

Number One Daughter has recently moved fairly close to that area, so we
stayed with her.  Beautiful place, built on a slope, *way* too many stairs
for us to live there.  For complicated reasons they have two dogs: Marley,
who is very old and now has arthritis among other things; and Fera, who is
young, high-strung, somewhat nervous, and *extremely* high energy.  Despite
disparate ages and temperaments "the pack" has a great relationship.

Marley doesn't do stairs any better than we do.  She has developed a weird
front- legs-together-back-legs-together double bounce method of getting
*down* stairs, but can't get back up.  But when she gets to the bottom of
the house, she can get out onto the deck, then down more stairs, then up the
slope (which is steep but at least not stairs) to the front door.

The house came with an alert system for the front door.  A motion sensor
triggers a camera and sends a picture to Number One Daughter's cell phone.

However, most of the time this is unnecessary.  Fera, noting that Marley is
at the front door, will run down through the house, out the back, up the
slope, check with Marley, then race back down the slope, and up through the
house until she finds Number One Daughter.  Aside from the specificity of
this activity, it's easy to tell that this is about Marley, because Fera
gets a very distinct look on her face.  (It's all a very "What Lassie? Timmy
hasn't fallen down the well, but is hiding out from aliens who want to
abduct him, while running away from a dinosaur that Farmer Jones created
from old DNA that was lying around the barn?" type situation.)  Fera's alert
usually comes before the high tech door system.

Thing is, this is one of those cheap "security" systems that have wretched
security themselves, and are probably sending data back to China.  Which
means that, somewhere in some monitoring station in China, someone keeps
getting, and having to pay attention to, alerts about Marley needing to get
in the front door.  And the system behind it has to commit bandwidth,
storage, and processing for it.

I have *absolutely* no sympathy for those people at all ...

Please report problems with the web pages to the maintainer

Top