Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Tuesday June 16 2020, @10:23AM   Printer-friendly
from the defeats-the-purpose dept.

Locked iPhones rendered almost useless in Australia's COVIDSafe tracking efforts:

Software engineer Richard Nelson, who was part of a team of researchers that found other bugs in COVIDSafe, has detailed a bug affecting iPhone users, rendering their device basically useless when it comes to tracking efforts.

A locked iPhone with an expired ID cannot generate a new ID. Without an ID, Nelson said the device will record other devices around it, but cannot be recorded by others.

"A device in this state will record other people around it, but will not be recorded by others. If all relevant devices are in this state, no encounters are logged," he wrote.

"One could imagine Alice packing her bag, putting her iPhone in and going out for the day to a football game. With her device in this state, nobody else will record her presence, and if anyone around her tested positive she would not be contacted."

[...] Nelson told ZDNet that if the iPhone user was to unlock their phone, but not necessarily open the COVIDSafe app, a new ID would be fetched.

"If Alice's device was locked and had an expired token, and Alice then unlocks her device to check email, for example, and if Bob's device then scans and picks up Alice's device, Bob will be able to read Alice's ID," Nelson added.

But if the device is locked again first, it won't be read.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Interesting) by lentilla on Tuesday June 16 2020, @01:56PM (7 children)

    by lentilla (1770) on Tuesday June 16 2020, @01:56PM (#1008623)

    I am impressed that the source code has been published. On the other hand, I am not impressed that they have chosen to roll-their-own [github.com] license. Clauses 2, 4, 5, 6 and 7 are objectionable. Clause 2 prohibits me from actually building the application, clause 4 is childish, clause 5 is limiting, clause 6 is unfair and clause 7 leaves one open to malicious claims.

    For the good of humanity, they could have simply released this under GPL, BSD, or; heavens forbid; public domain.

    Starting Score:    1  point
    Moderation   +3  
       Interesting=3, Total=3
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 2) by FatPhil on Tuesday June 16 2020, @02:02PM (2 children)

    by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday June 16 2020, @02:02PM (#1008629) Homepage
    I agree, that's a terrible licence. Egregiously terrible. Pluck my own eyes out while reading it terrible.

    However, there's nothing intrinsically wrong with the public domain.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 2) by All Your Lawn Are Belong To Us on Tuesday June 16 2020, @02:21PM (1 child)

      by All Your Lawn Are Belong To Us (6553) on Tuesday June 16 2020, @02:21PM (#1008641) Journal

      Wow. I thought surely y'all were exaggerating until I opened and read the license. Why would anyone, anywhere agree to these terms? It has unconscionable clauses IMO, though IANAL. And not even a, "if a court finds any part of this unenforceable the rest of the license remains in force," so if any provision is unlawful the entirety of the agreement fails.

      I applaud a sense of trying to make a license not worded in legalese, a worthy goal. But this definitely reads like they were their own lawyer on this, so that certainly colors how I feel about their client.

      --
      This sig for rent.
      • (Score: 0) by Anonymous Coward on Tuesday June 16 2020, @06:40PM

        by Anonymous Coward on Tuesday June 16 2020, @06:40PM (#1008792)

        And not even a, "if a court finds any part of this unenforceable the rest of the license remains in force," so if any provision is unlawful the entirety of the agreement fails.

        Such a clause is basically never needed because it is pretty much the default position worldwide. While details will depend somewhat on jurisdiction the general principle is that courts will try to uphold agreements made in good faith and if a valid contract remains after removing any problematic parts, then what remains can certainly still be enforced.

        Things can become unenforceable if removing the problematic parts means one of the elements of a contract is now missing (for example, if the consideration itself turns out to be illegal then after removing it there is no consideration and thus no contract). Adding such a clause still is pointless because it doesn't do anything to re-add the missing element of the contract.

  • (Score: 2) by c0lo on Tuesday June 16 2020, @02:28PM (3 children)

    by c0lo (156) Subscriber Badge on Tuesday June 16 2020, @02:28PM (#1008645) Journal

    I am impressed that the source code has been published.

    They did it to gain credibility that the application doesn't spy on you more than they promised, not for open source software purposes.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by lentilla on Tuesday June 16 2020, @02:38PM (2 children)

      by lentilla (1770) on Tuesday June 16 2020, @02:38PM (#1008652)

      Amen to that - simply being able to read the code does inspire trust.

      This is probably the most benign application a smartphone will ever run. If I understand correctly, there is no network access. The app simply collects IDs of the other apps that have been in range. If a person falls sick, the phone is accessed manually (upon request) and contact tracing proceeds. All-in-all, an admirably light touch.

      I still think it is an idiot license, but your point is entirely valid.

      • (Score: 2) by Bot on Tuesday June 16 2020, @04:46PM (1 child)

        by Bot (3902) on Tuesday June 16 2020, @04:46PM (#1008722) Journal

        It doesn't matter how secure and well coded this app is, the system is open to abuse.
        People infected others for profit and malevolence during pandemies, here you need the cellphone of a declared positive and you can quarantine the coworker, the ex, the political adversaries before elections, take out enemies oppa fascist (and allied) squads style.

        --
        Account abandoned.
        • (Score: 3, Insightful) by lentilla on Tuesday June 16 2020, @06:45PM

          by lentilla (1770) on Tuesday June 16 2020, @06:45PM (#1008796)

          the system is open to abuse

          Well, yes, I suppose so. Any system - any thing - is open to abuse. Your sequence of events does seem pretty far-fetched and it's not even particularly evil - get flagged and you get to spend a single fortnight at home. That's no more inconvenient than the last few months. I am curious as to why you feel it important enough to bring up?

          About the most evil thing you could possibly do with this tool is "digitally infect" a bride a week before the Big Day. Now that would be pretty awesome catty evil! All the other suggestions? Inconvenient, but only slightly. Any election candidate worth their salt could spin this positive in the week prior to voting day.

          If there is any small probability that I am infectious I'd prefer to know and stay out of circulation. Two weeks sitting at home seems such a small price to pay.

          What would you suggest as a better alternative?