Kata Saya

I had received some questions about President @realDonaldTrump's recent posts, and here are my thoughts: I do not believe President Trump would knowingly depict himself as Jesus Christ—that would certainly be inappropriate. I’m thankful the President has made it very clear that this was not at all what he thought the AI-generated image was representing—he thought it was a doctor helping someone, and when he learned of the concerns, he immediately removed the post. When I looked at the illustration, I didn’t jump to the same conclusion as some. There were no spiritual references—no halo, there were no crosses, no angels. It was a flag, soldiers, a nurse, fighter planes, eagles, the Statue of Liberty, and I think this is a lot to do about nothing. There is so much ill-intended speculation. I think his enemies are always foaming at the mouth at any possible opportunity to make him look bad. And the illustration from someone else he reposted on Truth Social yesterday, I must say that I like the fact that this is a picture of Jesus whispering in his ear, or at least His hand on his shoulder, guiding him. We all need that—we all need to be listening to Jesus. Again, I think there is an attempt to spin this into something that it isn’t. Remember, President Trump didn’t draw this, he didn’t create it, he reposted it on his social media because he thought it was nice—I would have to agree. I’m not a Catholic, I’m an evangelical, but I appreciate how President Trump has defended religious freedom for people of all faiths, including millions of evangelicals and Catholics in the U.S. and around the world. He is the most pro-Christian, pro-life president in my lifetime, and he doesn’t shy away from it. I would hope that the President and Pope Leo can meet at some point, and that the Pope would have the opportunity to thank the President for his efforts to protect religious liberty for Catholics and people of all faiths.

We've tested more than 40 antivirus utilities to help you pick the best protection. pcmag.com/picks/the-best…

Bypassing #EU #AgeVerification using their own infrastructure. I've ported the Android app logic to a Chrome extension - stripping out the pesky step of handing over biometric data which they can leak... and pass verification instantly. Step 1: Install the extension Step 2: Register an identity (just once) Step 3: Continue using the web as normal The extension detects the QR code, generates a cryptographically identical payload and tells the verifier I'm over 18, which it "fully trusts". This isn't a bug... it's a fundamental design flaw they can't solve without irrevocably tying a key to you personally; which then allows tracking/monitoring. Of course, I could skip the enrolment process entirely and hard-code the credentials into the extension... and the verifier would never know.

.@POTUS: "I have nothing against the Pope... If the Pope looked at the 42,000 people that were killed over the last two or three months, as [protesters] with no weapons, no nothing... I have a right to disagree with the Pope."

Hacking the #EU #AgeVerification app in under 2 minutes. During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory. 1. It shouldn't be encrypted at all - that's a really poor design. 2. It's not cryptographically tied to the vault which contains the identity data. So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app. After choosing a different PIN, the app presents credentials created under the old profile and let's the attacker present them as valid. Other issues: 1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying. 2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step. Seriously @vonderleyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time.

.@vonderleyen "The European #AgeVerification app is technically ready. It respects the highest privacy standards in the world. It's open-source, so anyone can check the code..." I did. It didn't take long to find what looks like a serious #privacy issue. The app goes to great lengths to protect the AV data AFTER collection (is_over_18: true is AES-GCM'd); it does so pretty well. But, the source image used to collect that data is written to disk without encryption and not deleted correctly. For NFC biometric data: It pulls DG2 and writes a lossless PNG to the filesystem. It's only deleted on success. If it fails for any reason (user clicks back, scan fails & retries, app crashes etc), the full biometric image remains on the device in cache. This is protected with CE keys at the Android level, but the app makes no attempt to encrypt/protect them. For selfie pictures: Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them. This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary. From a #GDPR standpoint: Biometric data collected is special category data. If there's no lawful basis to retain it after processing, that's potentially a material breach. youtube.com/watch?v=4VRRri…