پن کیا گیا ٹویٹ
The Collective Sensemaking Project
3.3K posts
The Collective Sensemaking Project
@csmproject
Firm believer that society needs better solutions to process the ever increasing flood of information. YouTube: https://t.co/U0O3Wmnwnq
شامل ہوئے Temmuz 2023
441 فالونگ334 فالوورز
@Aufdecker Worin bestand dieser vermeintliche Fall des Missbrauchs?
Deutsch
Eben habe ich von einer Stimme aus dem
Inneren der Landesärztekammer Hessen herausgekitzelt, wer dafür verantwortlich ist, dass das Video von der Veranstaltung der Bad Nauheimer Gespräche „Warum
haben wir uns das angetan?“ über die Coronazeit: Der Präsident der Landesärztekammer Hessen Edgar Pinkowski hat die Sperrung des Videos „wegen Mißbrauchspotentials“ veranlasst und dies sei „in einem Fall auch schon passiert“, sagte mir mein Kontakt.
Christian Haffner@Aufdecker
Jetzt ist es eindeutig: die Aufzeichnung von der Veranstaltung der Bad Nauheimer Gespräche über die Corona-Zeit: „warum haben wir uns das angetan?“ , wurde von der Landesärztekammer Hessen zensiert. Das Video, das nach langem Vorlauf von sechs Wochen kurz vor Weihnachten dann doch online ging, wurde bereits Anfang Januar wieder auf privat gestellt und kann seitdem nicht mehr angesehen werden, weil, so hörte ich, Beifall von der falschen Seite kam. Ich bin ein absoluter Freund der Meinungsfreiheit und verlinke dieses Video hier zum Download als einen weiteren Beitrag von mir zur Aufarbeitung der Coronazeit und gegen Zensur: my.hidrive.com/lnk/W6d6OPKQP
Deutsch
@csmproject @Paul_Reviews Unfortunately that's correct.
The kind of intellectual lazyness which comes from prosperity. Untill it's all lost, which is when the excuse will be "Wir haben es nicht gewusst."
Correct. They didn't know, because they didn't WANT to know. But they could have known. Infuriating.
English
I'm genuinely stunned by how many people push back on the #EU #ageVerification issues with "it's a demo, it's not a production app... don't you understand?!"
When the President of the EC publicly states it's "technically ready, reaches the highest standard of privacy and go check the code"... it shouldn't come as a surprise when someone does just that.
There's a growing number of people screaming "it's protected by Android, this is a non-issue".
I don't know about you... but I'd rather have a few layers of substantial security to protect my biometric data than rely on a 3rd-party layer which may fail or have bugs/flaws of its own. This app was supposed to set a standard, not fall back to one.
GIF
English
@r_hartman @Paul_Reviews What do they have to gain from questioning their own behaviour? Easier just to believe everything was fine and move on.
English
@csmproject @Paul_Reviews Apparently that didn't make a change for a lot of people. Go figure.
English
@UlrichVosgerau Ich fasse das mal so zusammen: Fakten sind irrelevant wenn die erwünschte Wirkung erzielt wird.
Deutsch
Die Radiosendung ist jetzt da. Ihr Inhalt ist – mal wieder – Quatsch, aber im Ergebnis beruhigend: denn es wird deutlich, daß "Correctiv" und dessen mediales Unterstützerumfeld sich nunmehr darauf vorbereiten, alle noch laufenden Verfahren vollumfänglich zu verlieren.
Inhalt der Sendung nämlich: Es sei doch ganz egal, was in Potsdam nun besprochen oder nicht besprochen worden ist! Das interessiere "nur Juristen". Relevant sei einzig und allein, ob "die Gesellschaft" (heißt: die Linke Szene in mehrfacher Vergrößerung durch den ÖRR!) sich über "Remigration" aufgeregt habe! Habe "die Gesellschaft" sich aufgeregt, habe "Correctiv" eben Recht gehabt!
Und dann kommt, zuverlässig wie Kai aus der Kiste, auch noch der ewige Kronzeuge Krah und sagt: Ja, die Gesellschaft hat sich aufgeregt! Remigration ist Mist! Correctiv hat Recht!
So einfach ist das alles. Der Rest interessiert eben "nur Juristen". Und dafür zahlen wir Rundfunkbeiträge!
gabor halasz@gaborhalasz1
Wir haben zwei sehr unterschiedliche Urteile gründlich gelesen und mit allen Seiten gesprochen. Ergebnis gibt es morgen online und im Radio.
Deutsch
Three institutions that I know nothing about that get to decide what laws I have to comply with.
European Parliament@Europarl_EN
How are EU laws made? Three key players work together to come up with a plan, discuss, tweak and finally pass a law ✅ Find out how ↓
English
@irisma8 Vorratsdatenspeicherung. Yay... 🥳
Deutsch
Keine Klarnamenpflicht, aber…
Legal Tribune Online (LTO)@lto_de
Neue Details zum zivilrechtlichen Teil des Gesetzes gegen "digitale Gewalt": Gerichte sollen die Anonymität im Internet aufheben lassen können und auch die Vorratsdatenspeicherung soll eine Rolle spielen. Von @markus_sehl. buff.ly/om4TA5z
Deutsch
The cost of the "Babyglück" that German media are currently congratulating a certain politician over. He bought a baby abroad, because doing so in Germany is illegal.
Billboard Chris 🌎@BillboardChris
A woman was legally required to kill her baby in the third trimester because the “commissioning parents” for the surrogacy demanded it, and threatened a lawsuit. The baby was missing two fingers, so the people purchasing this precious child demanded it be aborted, per their contract. This is eugenics. It’s murder. It’s a baby trade, and it needs to be criminalized.
English
The replies to this are worth reading. Mixed in their verdict, but certain in their viewpoint.
Keep in mind each person has come to their own conclusion through their own means.
PeterSweden@PeterSweden7
Jag har en fråga till dig. Om du hade vetat allt om covid vaccinet som vi gör idag, hade du fortfarande tagit det?
English
@LibertyHannes In Düsseldrof scheint man aber auch nicht sonerlich tolerant zu sein. Wer sich da im mittleren Alter endlich selbst entdeckt und als Frau identifiziert, der wird gleich verdächtigt, sich bessere Karrierechancen aneignen zu wollen.
apollo-news.net/verwaltungsger…
Deutsch
Entweder Transfrauen sind Frauen oder Transfrauen sind Männer.
Im Moment ist die Rechtslage: für die Bundeswehr sind Transfrauen Männer.
Für alle anderen gilt: wenn Du sagst eine Transfrau ist ein Mann, dann kommt der Staatsanwalt.
Deutsch
@TitiBoure @Paul_Reviews Now there's a motivational boost!
English
@csmproject @Paul_Reviews Anyway it's better than beeing paranoïd, it's worthless to believe that the worst is coming when you know that nothing can stop it too 😉
English
@JoanaCotar @zeitonline Looks like their intern got into the booze cabinet again...
English
@zeitonline Zwischen Fahrschein und Führerschein gibt es einen Unterschied, werte Zeit.
Deutsch
Wer ohne gültigen Führerschein in öffentlichen Verkehrsmitteln fährt, begeht gesetzlich eine Straftat. Ein Vorstoß, das zu ändern, ist im Bundestag gescheitert. trib.al/YN7lCp4
Deutsch
We entered 2020 in the Conditioning Society. The Ruling Class has set up a series of Skinner boxes and locked us inside them to imprint conditioned reflexes on us that suit their purposes. With so-called age-verification apps, we’re moving on to the next stage: coercion. The next stage will involve punishments.
English
Hacking the #EU #AgeVerification app in under 2 minutes.
During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory.
1. It shouldn't be encrypted at all - that's a really poor design.
2. It's not cryptographically tied to the vault which contains the identity data.
So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app.
After choosing a different PIN, the app presents credentials created under the old profile and let's the attacker present them as valid.
Other issues:
1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying.
2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step.
Seriously @vonderleyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time.
Paul Moore - Security Consultant @Paul_Reviews
.@vonderleyen "The European #AgeVerification app is technically ready. It respects the highest privacy standards in the world. It's open-source, so anyone can check the code..." I did. It didn't take long to find what looks like a serious #privacy issue. The app goes to great lengths to protect the AV data AFTER collection (is_over_18: true is AES-GCM'd); it does so pretty well. But, the source image used to collect that data is written to disk without encryption and not deleted correctly. For NFC biometric data: It pulls DG2 and writes a lossless PNG to the filesystem. It's only deleted on success. If it fails for any reason (user clicks back, scan fails & retries, app crashes etc), the full biometric image remains on the device in cache. This is protected with CE keys at the Android level, but the app makes no attempt to encrypt/protect them. For selfie pictures: Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them. This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary. From a #GDPR standpoint: Biometric data collected is special category data. If there's no lawful basis to retain it after processing, that's potentially a material breach. youtube.com/watch?v=4VRRri…
English
@olivergorus Ich überlege langsam, ob ich mir eine Stelle irgendwo beim Staat suchen soll. Man scheint ja Geld für allen möglichen Mist zu haben, und was Ordentliches muss am Ende auch nicht unbedingt bei rauskommen.
Deutsch
Der Staat hat‘s echt drauf. Und der Superstaat erst!
Ceterum censeo Unionem Europaeam esse delendam@PeterPilz3
Die gesamte Hackerszene ist wie ein Schwarm Piranhas über die neue Altersverifizierungs-App der EU hergefallen und hat sie bereits vollkommen zerlegt. Ich frage mich wie viele hundert Millionen hier verblasen wurden.
Deutsch
@aggunak @Paul_Reviews "You have to give up a tiny bit of freedom for your and your kid's safety. Barely an inconvenience."
"We have to tighten things up a bit. For more safety."
"We can't just have people act freely like that. They might do something dangerous."
"There is no right to do X"
English
@csmproject @Paul_Reviews Most likely, at its core, this isn't about age verification. It's about authorization, which can be revoked.
English
@TitiBoure @Paul_Reviews I was naive then. I thought surely reasonable and responsible people will handle their disagreements reasonably and responsible and the truth always prevails.
Then I learned that the truth always has to fight an uphill battle.
Then Covid came.
English
@csmproject @Paul_Reviews 😳
Surely I was too pessimistic and paranoïd, it seemed to me that we were just running right to his dystopia 😁
And far beyond now
English
@Paul_Reviews And create pointless friction for everyone in the process.
Kids will figure things out. My parents won't. They might just stop using the internet instead.
English
@csmproject In a nutshell, yes... though an adult could bypass it to.
Essentially, it does nothing meaningful but expose everyone to mass identity theft.
English
Let's shift focus and explain why the #EU #AgeVerification concept is fundamentally flawed.
Assume:
1. The production app is released.
2. It's 100% secure, 100% private (fantasy land, but stick with me)
3. It cryptographically challenges every step, including hardware attestation which requires a physical device.
4. Every single other attack vector in the surrounding environment is somehow magically patched.
aka - it's working exactly as intended/designed.
It does not protect against a relay attack.
This is a threat they considered and somewhat addressed here: github.com/eu-digital-ide…
With the current design, there's nothing preventing someone running a verification-as-a-service; a remote Android device which returns a valid attestation. Remember, it's not returning "I am over 18", it returns "someone is over 18". Neither the verifier, nor the app has any way to link the session ID to a physical device.
Their own docs state this clearly:
Remote Cross-Device Presentation:
"Note that the Wallet Instance does not see any difference between the cross-device flow and the same-device flow. In both cases, it receives an OpenID4VP-compliant presentation request over the Wallet Instance-platform API described in the previous section."
This is a known & well-understood attack vector in all remote credential presentation models; it's just not mitigated in this one... primarily because they can't. CTAP 2.2 won't work with all app flows, hardware attestation doesn't mitigate relay attacks, on-demand liveness detection would be too intrusive & potentially privacy-invasive & timing calculations don't reveal anything useful... all the available options to resolve this break the core design; completely anonymous age verification.
The Architecture & Reference Framework (ARF) is technically sound in some respects. They considered external threat actors and discussed solutions to mitigate them, including ZKP. However, the EC applied the wrong threat model, thus arriving at the wrong conclusion.
Yes, you need to protect against malicious verifiers, phishing sites, session hijacks, data brokers et al... but that's addressing external threats, it doesn't protect the architecture from the user itself.
In virtually every other scenario, the user and system's interests are aligned; protect my biometric asset at all costs.
Specifically for age verification, most users do not want to present ID simply to access a website, so whilst the system may adequately protect from external threats, if the user wants to bypass the system, they can... and the architecture doesn't consider this.
Every single applied mitigation assumes the user is the protected party, not the threat actor.
To those people claiming "it requires physical access to the device and root, this is BS/hyperbole", you too applied the wrong threat model & completely missed the point. These disclosures demonstrate that you, the user, are the threat actor they haven't considered.
You have your device.
You can root your device.
You can create a chrome extension, just as I did.
Ironically, it's precisely those under 18 who can't pass verification who are motivated to bypass it.
So where does that leave us?
A system which replaces "I am over 18" with "someone is over 18", with absolutely no guarantee that it's true... which is the entire purpose of the app.
Paul Moore - Security Consultant @Paul_Reviews
Bypassing #EU #AgeVerification using their own infrastructure. I've ported the Android app logic to a Chrome extension - stripping out the pesky step of handing over biometric data which they can leak... and pass verification instantly. Step 1: Install the extension Step 2: Register an identity (just once) Step 3: Continue using the web as normal The extension detects the QR code, generates a cryptographically identical payload and tells the verifier I'm over 18, which it "fully trusts". This isn't a bug... it's a fundamental design flaw they can't solve without irrevocably tying a key to you personally; which then allows tracking/monitoring. Of course, I could skip the enrolment process entirely and hard-code the credentials into the extension... and the verifier would never know.
English
@TitiBoure @Paul_Reviews You know I've been fascinated with that book ever since reading it some 30 years ago. Still, I grew up believing that society was somehow past the dangers and mechanisms described in that book.
English
@csmproject @Paul_Reviews 1984 hasn't been written yesterday 😉
And Orwell was far to imagine the numeric tools they have today 😒
English
English
@PrebenTjemsland @Paul_Reviews I'm not sure I find the word "likely" entirely sufficient.
Also, services can easily be required to recheck verification with a later amendment of whatever rule they come up to begin with.
English
@csmproject @Paul_Reviews Services are allowed to store the response ei. "over_18=true" and never ask again. So most services with a user will likely do that
English