
SoylentNews is people

posted by Fnord666 on Tuesday June 16 2020, @10:23AM
from the defeats-the-purpose dept.

Locked iPhones rendered almost useless in Australia's COVIDSafe tracking efforts:

Software engineer Richard Nelson, who was part of a team of researchers that found other bugs in COVIDSafe, has detailed a bug affecting iPhone users, rendering their device basically useless when it comes to tracking efforts.

A locked iPhone with an expired ID cannot generate a new ID. Without an ID, Nelson said the device will record other devices around it, but cannot be recorded by others.

"A device in this state will record other people around it, but will not be recorded by others. If all relevant devices are in this state, no encounters are logged," he wrote.

"One could imagine Alice packing her bag, putting her iPhone in and going out for the day to a football game. With her device in this state, nobody else will record her presence, and if anyone around her tested positive she would not be contacted."

[...] Nelson told ZDNet that if the iPhone user was to unlock their phone, but not necessarily open the COVIDSafe app, a new ID would be fetched.

"If Alice's device was locked and had an expired token, and Alice then unlocks her device to check email, for example, and if Bob's device then scans and picks up Alice's device, Bob will be able to read Alice's ID," Nelson added.

But if the device is locked again first, it won't be read.



 
This discussion has been archived. No new comments can be posted.
  • (Score: 2) by c0lo on Tuesday June 16 2020, @11:22AM (2 children)

    by c0lo (156) Subscriber Badge on Tuesday June 16 2020, @11:22AM (#1008537) Journal

    Keep all Alice-s who use iPhone in lockdown until the pandemic is over.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by leon_the_cat on Tuesday June 16 2020, @12:14PM (1 child)

      by leon_the_cat (10052) on Tuesday June 16 2020, @12:14PM (#1008555) Journal

      One of these days Bob is just going to ask her out on a date rather than stalk her.

      • (Score: 2) by c0lo on Tuesday June 16 2020, @12:21PM

        by c0lo (156) Subscriber Badge on Tuesday June 16 2020, @12:21PM (#1008561) Journal

        Charlie wouldn't let that happen.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 3, Funny) by SomeGuy on Tuesday June 16 2020, @12:53PM (28 children)

    by SomeGuy (5632) on Tuesday June 16 2020, @12:53PM (#1008581)

    iPhones Rendered Almost Useless

    Uh, iPhones are already useless :P

    I forget which story it was, but there was a story the other day going on about how ONLY 3 states in the US were using cell phone contact tracing. In fact, that is 3 states too many using it.

    This shit is useless, starting with the #1 bad assumption that EVERYONE HAS A FUCKING SMART PHONE! (followed by the assumptions that they have it with them, it is on, yada, yada, yada)

    Not everyone on this planet wants or needs a stupid smart phone. Despite popular belief perpetuated by advertising, it is possible to get along fine without.

    • (Score: 2, Troll) by leon_the_cat on Tuesday June 16 2020, @01:11PM (19 children)

      by leon_the_cat (10052) on Tuesday June 16 2020, @01:11PM (#1008597) Journal

      IMHO the whole contact tracing app scene is a complete scam. Some people will get rich off it. I'm very doubtful about it actually helping.

      • (Score: 2, Flamebait) by c0lo on Tuesday June 16 2020, @01:26PM (17 children)

        by c0lo (156) Subscriber Badge on Tuesday June 16 2020, @01:26PM (#1008604) Journal

        IMHO the whole contact tracing app scene is a complete scam... I'm very doubtful about it actually helping.

        Done correctly, it may help and can't hurt.
        Or, for you, if it's not Nirvana [wikipedia.org] is shit?

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 0) by Anonymous Coward on Tuesday June 16 2020, @01:59PM (8 children)

          by Anonymous Coward on Tuesday June 16 2020, @01:59PM (#1008627)

          >> ...and can't hurt.

          It can't hurt until the government shows up at your door for attending a meeting of the wrong political party. You have three minutes to pack your bags, please leave your valuables in this box on your way out.

          • (Score: 2) by c0lo on Tuesday June 16 2020, @02:10PM

            by c0lo (156) Subscriber Badge on Tuesday June 16 2020, @02:10PM (#1008634) Journal

            It can't hurt until the government shows up at your door for attending a meeting of the wrong political party.

            Then you didn't do the application the correct way.

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 0, Insightful) by Anonymous Coward on Tuesday June 16 2020, @02:11PM (2 children)

            by Anonymous Coward on Tuesday June 16 2020, @02:11PM (#1008635)

            Good. Please let me know when that happens. Until then it may help and you're making shit up. Thanks.

            • (Score: -1, Troll) by Anonymous Coward on Tuesday June 16 2020, @02:26PM (1 child)

              by Anonymous Coward on Tuesday June 16 2020, @02:26PM (#1008644)

              Found the Democrat!

              • (Score: 0) by Anonymous Coward on Tuesday June 16 2020, @02:45PM

                by Anonymous Coward on Tuesday June 16 2020, @02:45PM (#1008657)

                Yeah, that rabid Democrat [vox.com] really fucked us over.

                Idiot.

          • (Score: 0) by Anonymous Coward on Tuesday June 16 2020, @02:14PM

            by Anonymous Coward on Tuesday June 16 2020, @02:14PM (#1008637)

            They're holding you wrong.

          • (Score: -1, Troll) by Anonymous Coward on Tuesday June 16 2020, @02:41PM (2 children)

            by Anonymous Coward on Tuesday June 16 2020, @02:41PM (#1008654)

            If that's a real concern for you*, move out of whatever shithole you live in.

            *Criminal gangs [wikipedia.org] aren't political parties, so if that's what you're referring to, go get some more tattoos on your face, I'm sure you'll feel right at home in prison. I understand there's lots of violent, hate-filled extremists like you there. But hey, it's three hots and a cot, plus free clothes and healthcare. And you don't even need to rob banks or beat/kill darkies, jews and homos. Good times!

            • (Score: 0) by Anonymous Coward on Tuesday June 16 2020, @04:05PM (1 child)

              by Anonymous Coward on Tuesday June 16 2020, @04:05PM (#1008699)

              Adjust your medication.

              • (Score: -1, Troll) by Anonymous Coward on Tuesday June 16 2020, @04:32PM

                by Anonymous Coward on Tuesday June 16 2020, @04:32PM (#1008712)

                Are you suggesting that doing different drugs make me more tolerant of violent hate-filled thugs?

        • (Score: 3, Touché) by leon_the_cat on Tuesday June 16 2020, @02:37PM (7 children)

          by leon_the_cat (10052) on Tuesday June 16 2020, @02:37PM (#1008651) Journal

          "can't hurt" I disagree, I think it adds an extra layer of normality to government tracking.

          • (Score: 2) by c0lo on Tuesday June 16 2020, @03:06PM (6 children)

            by c0lo (156) Subscriber Badge on Tuesday June 16 2020, @03:06PM (#1008668) Journal

            "can't hurt" I disagree, I think it adds an extra layer of normality to government tracking.

            Look on the source code [github.com] and come with arguments based on that.
            Maybe, we'll then talk more about reality and less about paranoia.

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
            • (Score: 0, Troll) by Anonymous Coward on Tuesday June 16 2020, @04:07PM

              by Anonymous Coward on Tuesday June 16 2020, @04:07PM (#1008701)

              Enjoy the ride down the slippery slope, sheep person.

            • (Score: 3, Interesting) by Immerman on Tuesday June 16 2020, @04:35PM

              by Immerman (3985) on Tuesday June 16 2020, @04:35PM (#1008716)

              If they can contact Alice when she's been exposed, rather than Alice having to check in the public "infected lists" to see for herself if she's recorded any contacts with people on it, then it's definitely mass-surveillance infrastructure.

              And from a quick read into the particulars it sounds like that is indeed how it works. There are (supposedly) some institutional limits on who can access the tracking data, and it sounds like the implementation doesn't make it as useful for mass surveillance as it could be, but it absolutely can still be used for the purpose.

            • (Score: -1, Troll) by Anonymous Coward on Tuesday June 16 2020, @06:36PM

              by Anonymous Coward on Tuesday June 16 2020, @06:36PM (#1008789)

              aussies will do anything "the authorities" tell them to. sad state of affairs. i saw a gun review where the aussie reviewer said they have gun storage laws that state that one has to remove the bolt while storing a rifle. fucking pitiful.

            • (Score: 0) by Anonymous Coward on Wednesday June 17 2020, @08:41AM (2 children)

              by Anonymous Coward on Wednesday June 17 2020, @08:41AM (#1009059)

              How about giving an example of government helping me before I wade through some code that is useless to me ...

              • (Score: 3, Touché) by c0lo on Wednesday June 17 2020, @09:07AM

                by c0lo (156) Subscriber Badge on Wednesday June 17 2020, @09:07AM (#1009061) Journal

                How about you don't move the goal posts and stick to a concrete proof that this app contributes to the "oh noes, the govt tracks me"?

                --
                https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
              • (Score: 2) by c0lo on Wednesday June 17 2020, @09:10AM

                by c0lo (156) Subscriber Badge on Wednesday June 17 2020, @09:10AM (#1009062) Journal

                Also, I hope that you are living in Australia, mate, I won't be bothered to search how the A/C's government is helping the A/C.

                --
                https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 1, Touché) by Anonymous Coward on Tuesday June 16 2020, @04:33PM

        by Anonymous Coward on Tuesday June 16 2020, @04:33PM (#1008714)

        Yeah! Like all those billionaire "climate scientists."

    • (Score: 2) by lentilla on Tuesday June 16 2020, @01:34PM (3 children)

      by lentilla (1770) on Tuesday June 16 2020, @01:34PM (#1008607)

      Everyone in Australia has a smartphone.

      Apparently it's only 69% [wikipedia.org] but I don't believe that. You would really have to go out of your way to buy a non-smartphone.

      • (Score: 4, Interesting) by Immerman on Tuesday June 16 2020, @04:46PM (2 children)

        by Immerman (3985) on Tuesday June 16 2020, @04:46PM (#1008723)

        So nobody has land-lines anymore? Meanwhile here in the U.S. I know a whole lot of people who do in fact go out of their way to get non-smartphones, for any of several reasons including:
        They're considerably cheaper both to buy and to operate (smartphone plans can easily cost several times more per month. I paid $4/month for years on my flip phone)
        Their battery life is so much better it's not even funny (charge it every few weeks)
        And they tend to work a LOT better as a phone - with better reception, better sound quality, and a more comfortable form factor.

        • (Score: 4, Interesting) by lentilla on Tuesday June 16 2020, @06:16PM (1 child)

          by lentilla (1770) on Tuesday June 16 2020, @06:16PM (#1008780)

          Yes, landlines exist. Of course, households that have a landline also have a mobile for each adult and teen. As I alluded above, it would be considered highly unusual not to have a mobile, and also highly unusual for it not to be a smartphone.

          The distribution is dependent on the age of householders and their location. Assuming we are talking urban population, the majority of householders over fifty-five will [also] have a landline. Household under the age of forty and it would be unusual to see a landline in use. In rural areas it depends on reception - but don't underestimate the value to a farmer being able to take a call whilst sitting in the tractor.

          You mentioned cost as a factor. The government monopoly telecoms provider (Telstra) was privatised in the 1990s - but since they own most of the copper they effectively set the price for landline access. AUD$40 per month just for access. If you needed ADSL (Internet), that was on top of (or bundled with) landline access. So a large portion of urban Australians started the transition twenty years ago, especially those with access to cable Internet or "Naked DSL" (ADSL running over copper telephone lines without an attached telephone service), and particularly younger adults who moved every so often. Then came the National Broadband Network (NBN) which is in the process of kicking everyone off copper - and people are once again reassessing if the landline has any value.

          I checked the latest Telstra catalogue that arrived in the letterbox this week, and of the twelve phones advertised there was one non-smartphone. For AUD$9. (!! OK, it's locked to the Telstra network, but just wow.) Or you could buy the entry-level smartphone for AUD$39. Unless you buy a flagship model the price of the access/calls quickly outweigh the cost of the handset.

          Another little tidbit of Australiana in passing: "burner" phones don't exist unless you can find a patsy to register the number - when you get a telephone number it has to be tied to some official ID.

          Calling costs were another consideration (remember that Australians only pay for originating the call, not for receiving). If you have an all-you-can-eat mobile plan (which most urban dwellers under the age of fifty-five have) calling landlines or mobiles is essentially "free" (bundled into the monthly cost). On the other hand, calling a mobile from a landline can sting. So we end up with an odd pricing structure where it is cheaper to call a mobile on the other side of the planet (from a mobile) than it was to place a landline-to-landline call next door.

          Unwanted calls to landlines were also a major pest prior to COVID. One could easily get five calls per day. They seem to have abated and the couple a week are now robocalls. "Why don't you check the CallerID?" I hear you ask! The answer: Telstra wanted another $120 per year for that privilege.

          So yes, landlines exist, they just tend to take a back-seat to mobiles. Australians really did take to mobiles like ducks to water. The appearance of smartphones in 2007 happened overnight - at the beginning of the year you'd get on the bus and people would be reading newspapers and books. By the end of the year, every face was bathed in the ethereal glow of screens. Most younger urban Australians (that would be 86% [wikipedia.org] of the population) have had a mobile for the last two decades - and those young adults of the year 2000 aren't exactly that young any longer!

          For what it is worth; single data-point and all; I know not one single person over the age of thirteen who does not have a smartphone. (I was the last hold-out. I stuck to my beloved hand-me-down Nokia 6300 candy bar until they turned the network off.)

          • (Score: 2, Interesting) by Acabatag on Tuesday June 16 2020, @07:19PM

            by Acabatag (2885) on Tuesday June 16 2020, @07:19PM (#1008808)

            I deal with farmers on the phone almost every day using their cell phone. OMG! Take those things away from them. It's common to not be able to make out a word they are saying.

    • (Score: 2, Touché) by c0lo on Tuesday June 16 2020, @01:35PM

      by c0lo (156) Subscriber Badge on Tuesday June 16 2020, @01:35PM (#1008608) Journal

      This shit is useless

      Disagree. If it helps a bit and it doesn't hurt more than it helps then there is some value in using it.

      Not everyone on this planet wants or needs a stupid smart phone.

      Because it can't help each and everyone but only some, does it make it useless?

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 1) by AHuxley on Tuesday June 16 2020, @11:45PM

      by AHuxley (254) on Tuesday June 16 2020, @11:45PM (#1008923)

      That's why normal nations use the telco data sets.
      If the device is connecting to a telco, it's got time and location data.
      No need for apps, OS, no need to code for some US consumer hardware brand's OS.
      Use the access any nation has to its own telco systems.
      Do a Taiwan, South Korea.
      Any device, OS gets location data kept.

    • (Score: 2) by sjames on Wednesday June 17 2020, @01:48AM

      by sjames (2882) on Wednesday June 17 2020, @01:48AM (#1008972) Journal

      Even Amish people have smartphones these days. It's not that uncommon for young children to have smartphones. You make it sound like it's 1 in a thousand.

    • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @05:03PM

      by Anonymous Coward on Saturday June 27 2020, @05:03PM (#1013300)

      Pretty much everyone does. The smart ones disable the sim and use open free wireless with a VPN
      Good luck tracking them.

  • (Score: 2) by FatPhil on Tuesday June 16 2020, @01:16PM (6 children)

    by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday June 16 2020, @01:16PM (#1008600) Homepage
    What is a phone's "ID", and why would something that appears to be an identifier "expire", as that seems like a pretty useless fricken' feature identifier to me.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 2) by FatPhil on Tuesday June 16 2020, @01:18PM

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday June 16 2020, @01:18PM (#1008601) Homepage
      Sorry, I wavered - either remove 'feature', or insert 'for an'.

      To err is human, to waver cosine.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 5, Informative) by c0lo on Tuesday June 16 2020, @01:42PM (4 children)

      by c0lo (156) Subscriber Badge on Tuesday June 16 2020, @01:42PM (#1008612) Journal

      What is a phone's "ID", and why would something that appears to be an identifier "expire", as that seems like a pretty useless fricken' feature identifier to me.

      TFA has some details:

      "When setting a new TempID locally, COVIDSafe uses the default value for the KeychainSwiftAccessOptions parameter, which is AccessibleWhenUnlocked. This means the keychain item cannot be accessed when the device is locked," Nelson said.

      "When a new TempID is needed, GetTempIdAPI tries to extract the JWT from the keychain in order to fetch a new TempID from the API. This fails when the device is locked, and so a TempID is unavailable."

      Nelson told ZDNet that if the iPhone user was to unlock their phone, but not necessarily open the COVIDSafe app, a new ID would be fetched.

      Seems like a bug based on programmer's incomplete knowledge or faulty assumption. Don't be so hasty to judge, nobody has long term immunity to mistakes.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
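
A small Python model of the behaviour described in the article and in the comment above, added here as an illustration; it is not COVIDSafe code and not iOS code. Assumptions: the TempID refresh is attempted lazily when a peer reads it, the 7200-second lifetime is constructed, `Device`, `Keychain` and `run_scenario` are hypothetical names, and `kSecAttrAccessibleAfterFirstUnlock` appears only as a comparison class, not as the project's actual fix.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

TEMPID_LIFETIME = 7200  # seconds; constructed value, the page gives no lifetime


class Access(Enum):
    # Values are the names of Apple's keychain accessibility classes.
    WHEN_UNLOCKED = "kSecAttrAccessibleWhenUnlocked"
    AFTER_FIRST_UNLOCK = "kSecAttrAccessibleAfterFirstUnlock"


class KeychainLocked(Exception):
    """The item's accessibility class forbids reading it in this lock state."""


@dataclass
class Keychain:
    locked: bool = False
    unlocked_since_boot: bool = True
    items: dict = field(default_factory=dict)

    def set(self, key: str, value: str, access: Access) -> None:
        self.items[key] = (value, access)

    def get(self, key: str) -> str:
        value, access = self.items[key]
        if access is Access.WHEN_UNLOCKED and self.locked:
            raise KeychainLocked(key)
        if access is Access.AFTER_FIRST_UNLOCK and not self.unlocked_since_boot:
            raise KeychainLocked(key)
        return value


@dataclass
class Device:
    name: str
    jwt_access: Access
    keychain: Keychain = field(default_factory=Keychain)
    temp_id: Optional[str] = None
    expires_at: int = 0
    seen: list = field(default_factory=list)
    issued: int = 0

    def __post_init__(self) -> None:
        # Registration runs with the phone unlocked, so storing the JWT works.
        self.keychain.set("jwt", f"jwt-{self.name}", self.jwt_access)

    def _refresh(self, now: int) -> None:
        self.keychain.get("jwt")  # needed to authenticate the TempID request
        self.issued += 1
        self.temp_id = f"{self.name}-tempid-{self.issued}"
        self.expires_at = now + TEMPID_LIFETIME

    def advertise(self, now: int) -> Optional[str]:
        """TempID a scanning peer can read, or None if none is available."""
        if self.temp_id is None or now >= self.expires_at:
            try:
                self._refresh(now)
            except KeychainLocked:
                return None  # locked + expired: nothing to hand out
        return self.temp_id

    def scan(self, peer: "Device", now: int) -> bool:
        """Record the peer's TempID if it offers one (works while locked)."""
        temp_id = peer.advertise(now)
        if temp_id is not None:
            self.seen.append(temp_id)
        return temp_id is not None


def encounter(alice: Device, bob: Device, now: int) -> tuple:
    """Return (bob recorded alice, alice recorded bob)."""
    return (bob.scan(alice, now), alice.scan(bob, now))


def run_scenario(access: Access) -> dict:
    """Walk the lock/expiry matrix; this is the test grid the bug slipped past."""
    alice, bob = Device("alice", access), Device("bob", access)
    results, now = {}, 0
    results["both_unlocked"] = encounter(alice, bob, now)
    alice.keychain.locked = True
    results["alice_locked_id_valid"] = encounter(alice, bob, now + 60)
    now += TEMPID_LIFETIME + 1
    results["alice_locked_id_expired"] = encounter(alice, bob, now)
    bob.keychain.locked = True
    now += TEMPID_LIFETIME + 1
    results["both_locked_ids_expired"] = encounter(alice, bob, now)
    alice.keychain.locked = False
    results["alice_unlocked_again"] = encounter(alice, bob, now)
    return results


if __name__ == "__main__":
    for access in Access:
        print(access.value)
        for step, outcome in run_scenario(access).items():
            print(f"  {step:26} bob<-alice={outcome[0]} alice<-bob={outcome[1]}")
```

The failing rows need both conditions at once, a locked device and an expired TempID, which is why a test that only locks the phone does not catch it.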
      • (Score: 2) by FatPhil on Tuesday June 16 2020, @01:58PM (3 children)

        by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday June 16 2020, @01:58PM (#1008624) Homepage
        Ugh, sounds like a programmer's inability to understand programming terminology. You don't get a new ID from an API. That's like saying you get food from a recipe book.

        But yes, it looks like a shittily-written piece of code, I recommend everyone installs it on their derpphones. Everyone but me.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
        • (Score: 3, Insightful) by lentilla on Tuesday June 16 2020, @02:30PM (2 children)

          by lentilla (1770) on Tuesday June 16 2020, @02:30PM (#1008646)

          No, I suspect the programmers were trying to do the right thing - they just came unstuck when the API behaved in an unexpected way. Every smart programmer knows not to roll their own cryptography, so (and this is pure conjecture here) they tried to use a crypto-API to generate a properly salted hash (the TempID). Unfortunately, Apple's version refuses to work when the phone is locked (an easily defensible, smart design decision). Unfortunately for all concerned, the functional tests didn't cover that edge case.

          • (Score: 3, Funny) by FatPhil on Tuesday June 16 2020, @03:42PM (1 child)

            by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday June 16 2020, @03:42PM (#1008688) Homepage
            When "being locked" is an edge case, then these damned youngsters are on their phones too much!
            --
            Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
            • (Score: 1, Insightful) by Anonymous Coward on Tuesday June 16 2020, @07:55PM

              by Anonymous Coward on Tuesday June 16 2020, @07:55PM (#1008821)

              Being pinged, while locked, and having an expired session ID.

              Not saying it shouldn't have been caught by test, but don't pretend it is JUST about being locked.

  • (Score: 5, Interesting) by lentilla on Tuesday June 16 2020, @01:56PM (7 children)

    by lentilla (1770) on Tuesday June 16 2020, @01:56PM (#1008623)

    I am impressed that the source code has been published. On the other hand, I am not impressed that they have chosen to roll-their-own [github.com] license. Clauses 2, 4, 5, 6 and 7 are objectionable. Clause 2 prohibits me from actually building the application, clause 4 is childish, clause 5 is limiting, clause 6 is unfair and clause 7 leaves one open to malicious claims.

    For the good of humanity, they could have simply released this under GPL, BSD, or; heavens forbid; public domain.

    • (Score: 2) by FatPhil on Tuesday June 16 2020, @02:02PM (2 children)

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday June 16 2020, @02:02PM (#1008629) Homepage
      I agree, that's a terrible licence. Egregiously terrible. Pluck my own eyes out while reading it terrible.

      However, there's nothing intrinsically wrong with the public domain.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 2) by All Your Lawn Are Belong To Us on Tuesday June 16 2020, @02:21PM (1 child)

        by All Your Lawn Are Belong To Us (6553) on Tuesday June 16 2020, @02:21PM (#1008641) Journal

        Wow. I thought surely y'all were exaggerating until I opened and read the license. Why would anyone, anywhere agree to these terms? It has unconscionable clauses IMO, though IANAL. And not even a, "if a court finds any part of this unenforceable the rest of the license remains in force," so if any provision is unlawful the entirety of the agreement fails.

        I applaud a sense of trying to make a license not worded in legalese, a worthy goal. But this definitely reads like they were their own lawyer on this, so that certainly colors how I feel about their client.

        --
        This sig for rent.
        • (Score: 0) by Anonymous Coward on Tuesday June 16 2020, @06:40PM

          by Anonymous Coward on Tuesday June 16 2020, @06:40PM (#1008792)

          And not even a, "if a court finds any part of this unenforceable the rest of the license remains in force," so if any provision is unlawful the entirety of the agreement fails.

          Such a clause is basically never needed because it is pretty much the default position worldwide. While details will depend somewhat on jurisdiction the general principle is that courts will try to uphold agreements made in good faith and if a valid contract remains after removing any problematic parts, then what remains can certainly still be enforced.

          Things can become unenforceable if removing the problematic parts means one of the elements of a contract is now missing (for example, if the consideration itself turns out to be illegal then after removing it there is no consideration and thus no contract). Adding such a clause still is pointless because it doesn't do anything to re-add the missing element of the contract.

    • (Score: 2) by c0lo on Tuesday June 16 2020, @02:28PM (3 children)

      by c0lo (156) Subscriber Badge on Tuesday June 16 2020, @02:28PM (#1008645) Journal

      I am impressed that the source code has been published.

      They did it to gain credibility that the application doesn't spy on you more than they promised, not for open source software purposes.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by lentilla on Tuesday June 16 2020, @02:38PM (2 children)

        by lentilla (1770) on Tuesday June 16 2020, @02:38PM (#1008652)

        Amen to that - simply being able to read the code does inspire trust.

        This is probably the most benign application a smartphone will ever run. If I understand correctly, there is no network access. The app simply collects IDs of the other apps that have been in range. If a person falls sick, the phone is accessed manually (upon request) and contact tracing proceeds. All-in-all, an admirably light touch.

        I still think it is an idiot license, but your point is entirely valid.

        • (Score: 2) by Bot on Tuesday June 16 2020, @04:46PM (1 child)

          by Bot (3902) on Tuesday June 16 2020, @04:46PM (#1008722) Journal

          It doesn't matter how secure and well coded this app is, the system is open to abuse.
          People infected others for profit and malevolence during pandemics, here you need the cellphone of a declared positive and you can quarantine the coworker, the ex, the political adversaries before elections, take out enemies oppa fascist (and allied) squads style.

          --
          Account abandoned.
          • (Score: 3, Insightful) by lentilla on Tuesday June 16 2020, @06:45PM

            by lentilla (1770) on Tuesday June 16 2020, @06:45PM (#1008796)

            the system is open to abuse

            Well, yes, I suppose so. Any system - any thing - is open to abuse. Your sequence of events does seem pretty far-fetched and it's not even particularly evil - get flagged and you get to spend a single fortnight at home. That's no more inconvenient than the last few months. I am curious as to why you feel it important enough to bring up?

            About the most evil thing you could possibly do with this tool is "digitally infect" a bride a week before the Big Day. Now that would be pretty awesome catty evil! All the other suggestions? Inconvenient, but only slightly. Any election candidate worth their salt could spin this positive in the week prior to voting day.

            If there is any small probability that I am infectious I'd prefer to know and stay out of circulation. Two weeks sitting at home seems such a small price to pay.

            What would you suggest as a better alternative?

  • (Score: 0) by Anonymous Coward on Tuesday June 16 2020, @01:59PM (7 children)

    by Anonymous Coward on Tuesday June 16 2020, @01:59PM (#1008628)

    and if anyone around her tested positive she would not be contacted."

    That means that you're tracking EVERYPLACE that Alice has been, in great detail. No wonder the app is pushing this shit. This is backward for what any individual would want.

    Instead, make the app record all tokens that it sees, and where. Individuals' tokens change hourly or whenever. The individual's phone keeps track of what tokens have been used, and it doesn't even matter where. Then, later, if another individual tests positive for the virus, it can flag an alert (minus some days) for all of the tokens that it has used in that time period, and in which zip codes. Other users check a list of positive-flagged tokens against their list of seen tokens. Any matches?

    If you're tracking tokens you've seen, no privacy lost. If a central server is tracking all of your tokens, time, and exact location, and notifying you, then it was only ever about marketing anyway.

    No wonder the latest survey said 70% of people won't use these apps because it's only about marketing anyway.

    • (Score: 2) by c0lo on Tuesday June 16 2020, @02:33PM (1 child)

      by c0lo (156) Subscriber Badge on Tuesday June 16 2020, @02:33PM (#1008649) Journal

      and if anyone around her tested positive she would not be contacted.

      That means that you're tracking EVERYPLACE that Alice has been, in great detail.

      No, the application is tracking who was in the proximity of who (for more than 15 mins, in the last 3 weeks), not the place where you've been.
      See the part that you've left out, the "With her device in this state, nobody else will record her presence, "

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 0, Disagree) by Anonymous Coward on Tuesday June 16 2020, @06:39PM

        by Anonymous Coward on Tuesday June 16 2020, @06:39PM (#1008791)

        yeah, so it's way more dangerous.

    • (Score: 0) by Anonymous Coward on Tuesday June 16 2020, @03:22PM (3 children)

      by Anonymous Coward on Tuesday June 16 2020, @03:22PM (#1008677)

      That means that you're tracking EVERYPLACE that Alice has been, in great detail. No wonder the app is pushing this shit. This is backward for what any individual would want.

      At a minimum, your cellular provider is doing so. If you don't turn off GPS/Location services, etc. Google/Apple are doing so too.

      Don't want to be tracked? Don't carry your phone (and I don't mean just smartphones) or, if it's possible, remove the battery and take it with you.

      If you're doing either of those things, you have nothing to worry about WRT apps of this type. If not, why are you complaining about this particular app when others have already been tracking your every move? And if you're in the US, you're subject to the Third-party Doctrine. [wikipedia.org]

      You fucking whingers make me sick. Pissing and moaning about 'muh privacy!' while your cellular provider, ISP, Google and Apple (and to a less pervasive extent, Facebook, et al.) have inserted themselves deeply up your ass. Without even the courtesy of a reach-around [wiktionary.org].

      Stop blaming others for *your* lack of care in protecting *your* privacy.

      • (Score: 0) by Anonymous Coward on Tuesday June 16 2020, @07:05PM

        by Anonymous Coward on Tuesday June 16 2020, @07:05PM (#1008802)

        In an old smartphone with removable battery there was a hidden extra battery. I imagine they've done the same with all new phones.

      • (Score: 2) by lentilla on Tuesday June 16 2020, @07:20PM (1 child)

        by lentilla (1770) on Tuesday June 16 2020, @07:20PM (#1008810)

        I like having a device in my pocket that makes calls and can look up information. I don't want to live behind shuttered windows, and to only do cash-in-hand jobs simply to hide from The Man. It's OK to want freedom, convenience, and an active place in modern society. It's also OK to inform our governments that this is what they will be providing.

        The specific difference between general phone tracking and this app is that this time we got to say "and... we refuse to be tracked". We kind of missed the boat with mobiles because they appeared prior to social understanding of widespread tracking, and the subsequent will to rein it in via legal mechanisms.

        whingers make me sick

        Better to complain than to remain silent - especially at times like these when people are more receptive to arguments.

        • (Score: 0) by Anonymous Coward on Tuesday June 16 2020, @09:43PM

          by Anonymous Coward on Tuesday June 16 2020, @09:43PM (#1008858)

          I like having a device in my pocket that makes calls and can look up information. I don't want to live behind shuttered windows, and to only do cash-in-hand jobs simply to hide from The Man.

          AC you replied to here. I agree. I do carry my phone (a smartphone -- powered on) with me most of the time myself. I even have (*gasp*) bank accounts and credit cards.

          I do so because it makes a big difference in convenience. I will say that I disable GPS and location tracking on my phone, have an email address not directly associated with me configured on my phone, don't *ever* use that email address, and use cash for some purchases as well.

          It's not perfect. Hell, it's not even good. But I am cognizant of the issues and have accepted that there are trade-offs between security and convenience.

          And I do so with the full knowledge that my bank and my cell provider have detailed information about what I buy and where I go. I accept that trade-off, well aware that should the government wish to obtain that information, they can do so [wikipedia.org].

          Better to complain than to remain silent - especially at times like these when people are more receptive to arguments.

          But it's not the government that's doing the tracking I mentioned, even though (at least in the US) they have access to that data with a warrant (Third-party Doctrine, as I mentioned). My point wasn't that people shouldn't complain, my point was that if you wish to have privacy, especially in this day and age, you need to *proactively* protect it yourself.

          A person complaining that others should be responsible for their privacy is pretty dumb IMHO.

          Too many people aren't concerned and don't even think about the fact that they are *already* being tracked.

          And when they install all manner of insecure apps and store boatloads of sensitive information on their device, they think nothing of it.

          So when folks complain about some new shiny (in this case the contact tracing app) and scream bloody murder that someone is tracking them, it makes pretty much *no* sense at all.

          That's what makes me sick. My apologies if I wasn't clearer in my initial post.

    • (Score: 0) by Anonymous Coward on Tuesday June 16 2020, @08:02PM

      by Anonymous Coward on Tuesday June 16 2020, @08:02PM (#1008822)

      You see, the issue was actually in the part of the code that made this invasiveness of tracking harder (I assume intentionally).

      It seems that the system keeps a temporary ID, which it shares with those around it. If a person is found to be COVID-positive, they can see which IDs the person has been around (and when).

      Now I am making assumptions, but I assume this list then is publicly published, and users (or more likely, the program automatically) read this list of IDs and times, check it for any ID that they have had, and check if they had it at that time. If so, the user is alerted that they have been in contact with a COVID-positive person, and should take appropriate steps.

      The temporariness of the ID (which was the key issue causing this bug) is the very feature that keeps this system from being a permanent record of a user.
