The Collective Sensemaking Project

3.3K posts

The Collective Sensemaking Project


@csmproject

Firm believer that society needs better solutions to process the ever increasing flood of information. YouTube: https://t.co/U0O3Wmnwnq

Joined July 2023
439 Following, 333 Followers
Paul Moore - Security Consultant 
I'm genuinely stunned by how many people push back on the #EU #ageVerification issues with "it's a demo, it's not a production app... don't you understand?!" When the President of the EC publicly states it's "technically ready, reaches the highest standard of privacy and go check the code"... it shouldn't come as a surprise when someone does just that. There's a growing number of people screaming "it's protected by Android, this is a non-issue". I don't know about you... but I'd rather have a few layers of substantial security to protect my biometric data than rely on a 3rd-party layer which may fail or have bugs/flaws of its own. This app was supposed to set a standard, not fall back to one.
Ulrich Vosgerau @UlrichVosgerau
The radio programme is out now. Its content is, once again, nonsense, but the upshot is reassuring: it makes clear that "Correctiv" and its supporting media environment are now preparing to lose every still-pending case in full. The content of the programme, namely: it doesn't matter at all what was or wasn't discussed in Potsdam! That is of interest "only to lawyers". The only relevant question is whether "society" (meaning: the left-wing scene, magnified several times over by public broadcasting!) got worked up about "remigration"! If "society" got worked up, then "Correctiv" was right! And then, as reliably as a jack-in-the-box, along comes the eternal star witness Krah and says: Yes, society got worked up! Remigration is rubbish! Correctiv is right! It's all that simple. The rest interests "only lawyers". And that is what we pay broadcasting fees for!
gabor halasz @gaborhalasz1

We have read two very different rulings thoroughly and spoken to all sides. The result will be online and on the radio tomorrow.

Liberty Hannes @LibertyHannes
Either trans women are women or trans women are men. At the moment the legal position is: for the Bundeswehr, trans women are men. For everyone else: if you say a trans woman is a man, the public prosecutor comes knocking.
Thierry Bouree @TitiBoure
@csmproject @Paul_Reviews Anyway it's better than being paranoid, it's worthless to believe that the worst is coming when you know that nothing can stop it too 😉
Joana Cotar @JoanaCotar
@zeitonline There is a difference between a ticket (Fahrschein) and a driver's licence (Führerschein), dear Zeit.
DIE ZEIT @zeitonline
Anyone who rides public transport without a valid driver's licence (Führerschein) is committing a criminal offence under the law. A proposal to change that has failed in the Bundestag. trib.al/YN7lCp4
Aggunak @aggunak
We entered 2020 in the Conditioning Society. The Ruling Class has set up a series of Skinner boxes and locked us inside them to imprint conditioned reflexes on us that suit their purposes. With so-called age-verification apps, we’re moving on to the next stage: coercion. The next stage will involve punishments.
Paul Moore - Security Consultant 
Hacking the #EU #AgeVerification app in under 2 minutes. During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory. 1. It shouldn't be encrypted at all - that's a really poor design. 2. It's not cryptographically tied to the vault which contains the identity data. So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app. After choosing a different PIN, the app presents credentials created under the old profile and lets the attacker present them as valid. Other issues: 1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying. 2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step. Seriously @vonderleyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time.
Paul Moore - Security Consultant @Paul_Reviews

.@vonderleyen "The European #AgeVerification app is technically ready. It respects the highest privacy standards in the world. It's open-source, so anyone can check the code..." I did. It didn't take long to find what looks like a serious #privacy issue. The app goes to great lengths to protect the AV data AFTER collection (is_over_18: true is AES-GCM'd); it does so pretty well. But, the source image used to collect that data is written to disk without encryption and not deleted correctly. For NFC biometric data: It pulls DG2 and writes a lossless PNG to the filesystem. It's only deleted on success. If it fails for any reason (user clicks back, scan fails & retries, app crashes etc), the full biometric image remains on the device in cache. This is protected with CE keys at the Android level, but the app makes no attempt to encrypt/protect them. For selfie pictures: Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them. This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary. From a #GDPR standpoint: Biometric data collected is special category data. If there's no lawful basis to retain it after processing, that's potentially a material breach. youtube.com/watch?v=4VRRri…

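The design point in the post above (a PIN check that lives in its own record, next to a counter and a flag, while the vault is encrypted under an unrelated key) is easiest to see side by side with the bound alternative. The following is an added, stand-alone illustration written for this page; it is not code from the EU age-verification app, and the class names, field names (pin_enc, failed_attempts), PIN values and the toy HMAC-based cipher are all assumptions made so that it runs on the Python standard library alone. WeakStore keeps the PIN record separate from the vault key, so an attacker who can edit the prefs file deletes the record, enrols a new PIN and opens the old vault. BoundStore derives the vault key from the PIN, so there is no PIN record to delete and a wrong PIN simply fails the authentication tag.

```python
"""PIN-to-vault binding, illustrated (hypothetical design, not the app's code)."""
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 100_000  # PBKDF2 cost; assumed value for the demo


def derive_key(pin, salt):
    """Stretch a short PIN into a 32-byte vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, dklen=32)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; toy stand-in for a real AEAD cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key, plaintext):
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag.
    Only here so the example has no third-party dependency; use AES-GCM or
    ChaCha20-Poly1305 in real code."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Return the plaintext, or None when the tag does not verify under this key."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class WeakStore:
    """PIN verified against its own record in a prefs dict; vault key is unrelated."""

    def __init__(self, pin, identity):
        self.device_key = os.urandom(32)  # stands in for a keystore-held key
        self.vault_key = os.urandom(32)   # independent of the PIN: this is the flaw
        self.prefs = {"pin_enc": seal(self.device_key, pin.encode()), "failed_attempts": 0}
        self.vault = seal(self.vault_key, json.dumps(identity).encode())

    def unlock(self, pin):
        if "pin_enc" not in self.prefs:
            # No PIN on record: treated as first run, so whatever PIN is offered is enrolled
            self.prefs["pin_enc"] = seal(self.device_key, pin.encode())
        elif self.prefs["failed_attempts"] >= 5:
            return None  # "rate limit" that lives in the same editable file
        elif unseal(self.device_key, self.prefs["pin_enc"]) != pin.encode():
            self.prefs["failed_attempts"] += 1
            return None
        return json.loads(unseal(self.vault_key, self.vault))


class BoundStore:
    """The vault key is derived from the PIN; nothing PIN-related exists to delete."""

    def __init__(self, pin, identity):
        self.salt = os.urandom(16)  # public; only the PIN is secret
        self.vault = seal(derive_key(pin, self.salt), json.dumps(identity).encode())

    def unlock(self, pin):
        plaintext = unseal(derive_key(pin, self.salt), self.vault)
        return None if plaintext is None else json.loads(plaintext)


def weak_bypass(identity):
    """Attacker with file access: drop the PIN record, zero the counter, pick a new PIN."""
    store = WeakStore("4321", identity)
    del store.prefs["pin_enc"]
    store.prefs["failed_attempts"] = 0
    return store.unlock("0000")  # returns the old identity: bypass succeeds


def bound_bypass(identity):
    """Same attacker against the bound design: a wrong PIN yields the wrong key."""
    return BoundStore("4321", identity).unlock("0000")  # None: tag check fails


def bound_unlock(identity):
    return BoundStore("4321", identity).unlock("4321")


if __name__ == "__main__":
    sample = {"is_over_18": True}  # constructed sample claim
    print("weak design, after editing prefs:", weak_bypass(sample))
    print("bound design, wrong PIN:", bound_bypass(sample))
    print("bound design, right PIN:", bound_unlock(sample))
```

One caveat the bound version does not remove: a four-digit PIN has only 10,000 candidates, so once the file is copied off the device the KDF only slows an offline search, it does not stop it. The PIN-derived key therefore still needs to be wrapped by a hardware-backed key whose use is throttled by the platform (on Android, an auth-bound Keystore key behind Gatekeeper), which is the layer a counter or boolean in the same prefs file cannot substitute for.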
The Collective Sensemaking Project
@olivergorus I'm slowly starting to wonder whether I should look for a job somewhere in the public sector. They seem to have money for every kind of rubbish, and nothing decent necessarily has to come out of it in the end.
The Collective Sensemaking Project
@aggunak @Paul_Reviews "You have to give up a tiny bit of freedom for your and your kid's safety. Barely an inconvenience." "We have to tighten things up a bit. For more safety." "We can't just have people act freely like that. They might do something dangerous." "There is no right to do X"
Aggunak @aggunak
@csmproject @Paul_Reviews Most likely, at its core, this isn't about age verification. It's about authorization, which can be revoked.
The Collective Sensemaking Project
@TitiBoure @Paul_Reviews I was naive then. I thought surely reasonable and responsible people will handle their disagreements reasonably and responsibly and the truth always prevails. Then I learned that the truth always has to fight an uphill battle. Then Covid came.
Thierry Bouree @TitiBoure
@csmproject @Paul_Reviews 😳 Surely I was too pessimistic and paranoid, it seemed to me that we were just running right to his dystopia 😁 And far beyond now
The Collective Sensemaking Project
@Paul_Reviews And create pointless friction for everyone in the process. Kids will figure things out. My parents won't. They might just stop using the internet instead.
Paul Moore - Security Consultant 
Let's shift focus and explain why the #EU #AgeVerification concept is fundamentally flawed. Assume: 1. The production app is released. 2. It's 100% secure, 100% private (fantasy land, but stick with me) 3. It cryptographically challenges every step, including hardware attestation which requires a physical device. 4. Every single other attack vector in the surrounding environment is somehow magically patched. aka - it's working exactly as intended/designed. It does not protect against a relay attack. This is a threat they considered and somewhat addressed here: github.com/eu-digital-ide… With the current design, there's nothing preventing someone running a verification-as-a-service; a remote Android device which returns a valid attestation. Remember, it's not returning "I am over 18", it returns "someone is over 18". Neither the verifier, nor the app has any way to link the session ID to a physical device. Their own docs state this clearly: Remote Cross-Device Presentation: "Note that the Wallet Instance does not see any difference between the cross-device flow and the same-device flow. In both cases, it receives an OpenID4VP-compliant presentation request over the Wallet Instance-platform API described in the previous section." This is a known & well-understood attack vector in all remote credential presentation models; it's just not mitigated in this one... primarily because they can't. CTAP 2.2 won't work with all app flows, hardware attestation doesn't mitigate relay attacks, on-demand liveness detection would be too intrusive & potentially privacy-invasive & timing calculations don't reveal anything useful... all the available options to resolve this break the core design; completely anonymous age verification. The Architecture & Reference Framework (ARF) is technically sound in some respects. They considered external threat actors and discussed solutions to mitigate them, including ZKP. 
However, the EC applied the wrong threat model, thus arriving at the wrong conclusion. Yes, you need to protect against malicious verifiers, phishing sites, session hijacks, data brokers et al... but that's addressing external threats, it doesn't protect the architecture from the user itself. In virtually every other scenario, the user and system's interests are aligned; protect my biometric asset at all costs. Specifically for age verification, most users do not want to present ID simply to access a website, so whilst the system may adequately protect from external threats, if the user wants to bypass the system, they can... and the architecture doesn't consider this. Every single applied mitigation assumes the user is the protected party, not the threat actor. To those people claiming "it requires physical access to the device and root, this is BS/hyperbole", you too applied the wrong threat model & completely missed the point. These disclosures demonstrate that you, the user, are the threat actor they haven't considered. You have your device. You can root your device. You can create a chrome extension, just as I did. Ironically, it's precisely those under 18 who can't pass verification who are motivated to bypass it. So where does that leave us? A system which replaces "I am over 18" with "someone is over 18", with absolutely no guarantee that it's true... which is the entire purpose of the app.
Paul Moore - Security Consultant @Paul_Reviews

Bypassing #EU #AgeVerification using their own infrastructure. I've ported the Android app logic to a Chrome extension - stripping out the pesky step of handing over biometric data which they can leak... and pass verification instantly. Step 1: Install the extension Step 2: Register an identity (just once) Step 3: Continue using the web as normal The extension detects the QR code, generates a cryptographically identical payload and tells the verifier I'm over 18, which it "fully trusts". This isn't a bug... it's a fundamental design flaw they can't solve without irrevocably tying a key to you personally; which then allows tracking/monitoring. Of course, I could skip the enrolment process entirely and hard-code the credentials into the extension... and the verifier would never know.

preben tjemsland @PrebenTjemsland
@csmproject @Paul_Reviews Services are allowed to store the response, i.e. "over_18=true", and never ask again. So most services with a user will likely do that