This is more of a technical question than an invitation to a political argument. :) But with all the talk over the last couple of days about the government FORCING their tracking app onto everyone's phone (since recanted) I was wondering how they would accomplish such a feat. Could they technically install an app on our phones without us knowing about it or will they force us to do it ourselves by using threats?
Cheers
m u r d o c h
No shit they'll say it's non mandatory to begin with. For once I'm hoping the ignorant (such as yourself) are correct.
thanks ignoramus
Ignoramus means in Latin “we are ignorant”. Agreed
Using force would just make a market for phones without these capabilities. Not all phones have the capabilities to install apps, and certainly not all phone manufacturers would be subservient to the Australian government demands for such capabilities to be put onto phones.
Ya, Windows Phone nuked their app store in December. :)
Its possible to do the same thing for your iPhone and Android devices. I personally use an iPhone 6s that is jailbroken and only uses the Cydia store.
@capslock janitor: They not forcing. Its voluntary.
But they should make it that if you want that 1.5k per fortnite jobseeker then you need to participate.
@Bryanalves: So those that still have jobs get a free $1500 if they download the app? Great, where do we sign up?
@whooah1979: No. I think @Bryanalves is saying only people on jobseeker can spread coronavirus. No need for the rest of the population.
@mooney: Im saying that the government cant force us to get the app. But they can tie incentives to it. Since they doing the job seeker scheme anyway. Its free for them to tie the condition of installing the app to it.
@Bryanalves: Yeah, gotta keep track on those bloody dole bludging scum! God forbid one of them comes near me!!!!!!!
/s
Cydia store, that takes me back to 2010
they didn't allow carriers to install their own apps anyway
It's voluntary use, and the source code will be made public:
https://www.theguardian.com/world/live/2020/apr/18/australia…
Minister's statement:
"Nobody will be forced to use it. It is absolutely voluntary. There is no question I will be the first one to download it, probably after the prime minister, and we will be encouraging everybody to download it. I will be encouraging corporate Australia, not-for-profits, to actually download it. It is a big moment for Australia."
PM said if we dont get 40% uptake it will be forced.
He changed his mind this morning about the forcing part…for now.
Lets see.. hope so :/
Funnily enough, Turnbull's memoirs out today specifically accuse Morrison of leaking policies to media to see how people will react before finalising anything.
I think it could be done via existing apps, like mygov, centrelink etc.
Only about 20% of ozbargainers are willing to download the app.
If the app came with a $10 menulog/ubereats voucher, we could easily increase that figure to 60%. Problem solved!
Or a free Eneloop when you use it.
@AdosHouse: A lamb kebab with extra garlic sauce is $10 pickup at my local Kebab place. Order on menulog, use the voucher, walk the 400m to collect it and eat on the way back. Yummo! Don't even have to share with the fam.😁
Maybe the app usually costs $20, but they have a special ozbargin deal for $5 with $5 cashback
@Tonyh87: I won't install the app until it comes with some kind of free vouchers.
you know, because it's usually a better deal for new users.
A free app! That's got to be a bargain! 😂
I wonder if there will be ads or IAP…pay to win… I mean stay secure
No he didn’t. He just didn’t rule it out. I don’t think it will come to that.
They could do it like health data opt-out and then save the people that didnt opt out.
I can spoof my Bluetooth address regardless of the source being open, it has no relevance. Care to elaborate?
OK, what is the foreign ID that is stored, if you claim to know already? Are you claiming it's encrypted BT MAC address before the source is released? Singapore requests your phone number: "a random anonymised User ID that is linked to your mobile number. The security level of this server is as high as those servers that store other official information." They claim decentralised local storage but elsewhere say "This is the only personal data that MOH will hold about you, and it is stored in a highly secured server together with a random anonymised User ID that is linked to your mobile number. The security level of this server is as high as those servers that store other official information."
"Mobile numbers are not revealed to other TraceTogether users. Only temporary IDs, generated by encrypting the User ID with a private key that is held by MOH, are exchanged between phones."
For you to know already what is exchanged is remarkable. :) Amazing. Do tell. What are the Australian server TCP addresses/URLs, if you claim to know already?
PS What's the connection logging memory size limit, given you claim to know these things in advance. How will the client security check the incoming foreign hashed phone number? What is the supported OS and handset list? Thanks in advance.
@[Deactivated]: You went off on a tangent that has nothing to do with the other persons comment. Spoofing a BT mac address is not particularly difficult and has zero to do with your attempt at confusing the other person with your "iamsosmart" jargon.
@sheepdog: Who said address? Why are you only including headers? That's right, it was tren's presumption. What's your beef with OSI?
You only got involved as moral support, knowing tren can't answer.
@[Deactivated]: "if you claim to know already"
"Given that I claim to know these things".
Please show me where I've claimed to know these things.
Talk about having a huge intellectual ego. You're so full of yourself you viewed my question as an attack on your intellect. Calm down champ.
@[Deactivated]: You decided what is and isn't relevant without knowing things. :p Take your participation ribbon. Elaborate away!
What have you got against payloads? Payload would be my Top Gun callsign, and no, you couldn't be my wingman, any time.
@[Deactivated]: Okay, I have an idea regarding the negs limitation… what if all the upvotes in correspondence with those begging for a neg can be reduced from their tally? Thus a + for someone else translates to a - for the other??
Just a thought coz I'm out of negs again.
@SlickMick: During the 2000 dotcom boom there was quite a lot of creative accountancy in the +/- department. We called them validation quotients. If you want to artificially boost page traffic, give the users a spurious feedback mechanism.
They tried to introduce the growth factor on Channel 2 for Covid. It died because the feedback loop was too long. It couldn't hold the attention of suckers.
https://www.abc.net.au/news/2020-04-10/coronavirus-data-aust…
Maybe we should all have a live growth factor widget on our phones.
This is correct. The source code being made public has no bearing on how difficult it is to spoof BT. It can easily be done with or without access to the source code.
@DarkTurtle: OK, what encryption is being used for the ID? Why the payload denialism? You can even quote the Singaporean system, if you like.
Which full 5.1 and 5.2 devices or chipsets have you tested the ease factor on?
@[Deactivated]: Listening to you I'm wavering between 'he's got some expert level knowledge' and 'he's somewhat schizophrenic'. I can't decide.
@bmerigan: At least there is wavering. Say, with user morebunnings, it's pretty clear.
morebunnings - "Making sure the app is running in the background while the phone is in your pocket"
TraceTogether (ios) - "If it is in the background, even if Bluetooth is on, TraceTogether is unable to scan for other TraceTogether phones."
Might be nice. Trust this guy!
@bmerigan: It’s definitely not expert level knowledge. It’s jargon bingo with an aggressive attitude to beat people into submission. Having it open source is generally good for security. Aus government may make modifications but Singapore you authenticate to Google Firebase with your phone number and OTP. They provide a public key, and store the private key server side. The exchanges use a temp ID which is derived from your account ID and then encrypted with the public key. Only the server has the private keys to make the association from encrypted temp ID to phone number.
I’m personally more than happy to install, and I hope most people do.
@[Deactivated]: Nah, it's more an OzBargain tall poppy meme theory test and you passed with flying colours.
What stops someone filling your contact tracing ID list with whatever they want?
Nothing -> I win.
Have to check the source -> I win
@[Deactivated]: Hey guys, let's all make wild suppositions and assertions about the technical implementation of code we haven't read (and are criticising the publication of), and when people call us on our bulls**t let's just disregard it out of hand and spout more, claiming victory on the way!
@phyaran: I've been taking a straw poll of how many bother to read the OpenTrace/BlueTace code that has been available for weeks now, versus people who comment blindly trying to cold read a forum. You clearly bandwagoned without ever even looking at OpenTrace, trying to bluff. What were you hoping for? Farming 3 lynchmob upvotes despite the fact that you weren't even interested enough to have looked at what source is already available? It's also p#ss funny drawing lurkers like you out from the bushes. Ever notice the extraordinary ratio of wallflowers and shrinking violets I attract? People whose single, only comment is technically bereft tall poppying? You aren't interested enough to have read OpenTrace. You aren't committed enough to comment technically or constructively, but you just can't resist an opportunistic snipe. Well, here is your chance to put up. Don't get stage fright, now.
I call your bluff. Show that you actually are interested and not simply trying a cold read. What noobish URL was left in the early OpenTrace sourcecode?
@[Deactivated]: Agreed. From what i've heard they aren't tracking location, so when installing as long as it doesn't ask or require that permission i'll be fine with it. Also, shouldn't ask me for access to my contacts/sms's like every other torch app seems to want (no I don't use/install them).
@[Deactivated]: LOL.
"ABC News can also reveal the Government has plans to store the decryption keys for the data in the same cloud as the data itself [Amazon]— a practice frowned upon within the industry for such a sensitive cache of public information."
https://www.abc.net.au/news/2020-04-24/amazon-to-provide-clo…
Christoffal: "Only the server has the private keys to make the association from encrypted temp ID to phone number."
Yeah, only the Amazon server will have the private keys and it's even legally unclear which countries can access the data.
"Issuing the contract to Amazon may also mean the Australian data is obtainable by US law enforcement under a 2018 law that allows them to obtain information held by US-registered data companies no matter where in the world that information is held."
“ What guarantees this client is only used by the government and not someone else faking?”
Doesn’t this just fall under downloading apps from reputable app stores and app developers? E.g. Apple App Store, Google Play, and ensure that the app published is from a government related account? This same issue happens with fake banking apps to steal your credentials.
Also, if you want to ensure that the app published on app stores matches the public source code, you could use code signing to accomplish this.
Downloading apps uses SSL TCP/IP, which is more secure than this. Bluetooth can make your local connections on this app relatively safe, but there is no security as to who or what you are connecting to. This app is designed to share your encrypted ID promiscuously. Could this this be brute forced to retrieve your phone number? Probably. Could anyone else, not the government, use your app to track you using their own hardware. Probably. Could someone fill your phone list with junk for giggles? I think so!
@[Deactivated]: Maybe I have misunderstood what you have said.
From my understanding, I thought you were talking about someone taking the source code, making some changes to track you instead of the government, and publish the app posing as the offical one by the government?
Could this this be brute forced to retrieve your phone number? Probably
Not probably, it’s absolutely possible. However the algorithm to encrypt IDs should be strong enough so that it is technically not feasible for someone to do this.
Could anyone else, not the government use your app to track you using their own hardware. Probably.
This is why the source code needs to be published to be reviewed by independent parties not related to the Australian government.
@DarkTurtle: 'This client' and BT seems to have the correct context. I didn't mention a phishing client. The only dispute (with others) is pointing out to the payload deniers that packets are more than just headers. Spoofing can apply to the whole packet, not just the header. Plenty of devices barely make the distinction at the hardware level, Espressif ESP32 and Nordic springing to mind.
I don't understand how open sourcing the code would make any difference. Making the apps source code available would allow developers to confirm it is doing what the gov says it is, and nothing else. How would that make spoofing Bluetooth signals any different, or able for anyone to track you?
The app will just log Bluetooth devices near itself, but not actually connect to the Bluetooth devices it sees. The govt. can then correlate who was in contact with what devices.
You fall into the brigade that thinks just a simple BT MAC is being logged, having not even looked into it.
Why do you think your own phone number is entered at the start? How do you think contact tracing occurs? By everyone else polling? The people who will be sick running the app? I'm going to bet it will be push.
You fall into the brigade that thinks just a simple BT MAC is being logged, having not even looked into it.
Why do you think your own phone number is entered at the start? How do you think contact tracing occurs? By everyone else polling? The people who will be sick running the app? I'm going to bet it will be push.
This has nothing to do with your assertion that the app being open source makes it "easier for anyone to spoof the BT and track you too".
@morebunnings: Is there an application level CRC or checksum?
People seem to have bunched their shorts over the definition of spoofing despite RFID spoofing having been around for years, and the definition expanded years ago. TCP/IP spoofing and RFID spoofing are not the same thing.
@[Deactivated]: CRC/Checksum of the application? I'm unsure how this would affect spoofing data.
The assumption is that every so often, the App will use your phones Bluetooth to scan and see Bluetooth RFIDs that are in the close vicinity (not connecting to them, only recording visible devices), and then send those RFIDs + Your phones App ID to a gov owned DB using a standard internet connection (TCP/IP), which will be encrypted with SSL.
The other functionality of the app would be receiving a notification from the Gov that you have been in contact with someone who is infected (note they would not give you anyone's RFID or app data, just a notification)
The only thing you could achieve with spoofing is:
RFID spoofing: hackers would be spoofing RFIDs around your device so you would be sending fake data to the Gov servers.
TCP/IP spoofing (v1): Sending junk data to the gov servers (DOS attack) with fake RFIDs and App IDs.
None of these attacks seem very useful in the context of this app & spoofing network IDs.
If you are talking about CRC/Checksum data in the context of making a fake app and getting people to download that instead of the real version of this app, then this is a whole different scenario and again has nothing to do with spoofing Network IDs. Having the source code also would not matter (you'd just need to create a similar interface by looking at some screen shots of the app).
If you are saying that there is more data being sent from the app which hackers could get access to (eg. location info), then again the software being open source would help us by showing the government is full of shit.
@morebunnings: Simple question. You claim the source would be no help at all. When the IDs are exchanged between devices, is there a checksum? I would check the source. You would have to dump packets and reverse. Who would find out first? Source will have the encryption method and how the phone number is used to form the ID. To say source is of no use is ridiculous. Anyone who wants can quite easily fill your phone ID list with whatever they want. Do you 100% guarantee no buffer overflow possibility? WhatsApp had a big buffer overflow vulnerability in both IOS and Android last year.
When the IDs are exchanged between devices, is there a checksum? I would check the source.
Unsure what you mean by this. Devices would not be exchanging IDs, as they are not communicating with each other.
This is the same as if you view Wifi networks on your phone. You can see & write down the ID of the wireless networks you see, but there is no exchange of data taking place unless you attempt to login/connect to the wireless networks, that is when a data exchange happens. This does not happen between between devices with the app.
I would check the source. You would have to dump packets and reverse. Who would find out first?
There are no packets being dumped between devices to check, as network scanning does not
Source will have the encryption method and how the phone number is used to form the ID. To say source is of no use is ridiculous. Anyone who wants can quite easily fill your phone ID list with whatever they want.
Do you 100% guarantee no buffer overflow possibility? WhatsApp had a big buffer overflow vulnerability in both IOS and Android last year.
If there is a buffer overflow vulnerability with scanning Bluetooth devices would be an OS level vulnerability. The app will be using a built in OS function to get Bluetooth network IDs. If you are going to take advantage of a buffer overflow vulnerability in Android/IOS, then that is an OS level hack, which would affect any app that runs on the affected OS.
I'm sorry Frugal Rock. I can't see any way the that the app being open source makes it "easier for anyone to spoof the BT and track you too". The app is advertised as not actively communicating with other phones, so there are no data packets to create and spoof. If it is actively communicating with other phones, then as I said before, the software being open source would help us by showing the government is full of shit.
@morebunnings: "Devices would not be exchanging IDs, as they are not communicating with each other."
Sorry, but you have no idea. You haven't even read the Singapore app recommendations and instruct others to run the app in the background and this latest installment of yours is even more ridiculous. I'm quite happy leaving this one here for posterity. Get Christoffal to see if you are on the right track. ;) Go on the record for how many bytes you think the ID is and can be advertised using BT 4.0.
Here's a cartoon to make the understanding easier:
https://ncase.me/contact-tracing/
Basically says that there's no personal info about you.
How does your rabbit cartoon protect you from buffer overruns by someone spamming your ID storage?
They talk about messages as being random, lol. Do you understand basic computer science enough to know that is a lie?
Threat. I.e. you will be fined if caught without app or phone.
They could take it further and make you show it on store entry to woolies etc.
Red/amber/green me thinks.
That would make not having a phone illegal and would be one of the largest over-reaches in Australian government history.
where we currently sit is without a doubt already the largest over-reach in Australian government history. What makes you think they will draw a line?
The same Australian government that used to take away Aboriginal kids from their families by force and send them to religious re-education?
Nah mate, we're just being asked to stay home to stop a virus, nowhere near the same league.
Over time democratic governments become more powerful and totalitarian inclined, and overreach becomes the norm. Governments may start out small, but soon turn into behemoths. They can get away with anyhting they want; they have a monopoly on force and don't hesitate to use police or military against independent minded citizens.
Oh yeah great could you imagine the massive shit storm of a rental security guard stopping someone shopping for food, there would be ‘incidents’
That is pretty much China's system, though their system is using a QR code that you check into to show your location.
Ah yes, following China’s footsteps. Let’s start jailing everyone we disagree with for starters.
The LNP+AFP are way ahead of you on that
Anyone see the minister Stuart Robert giving a press conference today saying that everybody already has 30 background apps using bluetooth? Flat out lie designed to fool the public.
I did see that… but I did find it interesting and positive that they announced it would be open-source. I was in the 'no' app camp until that conference, but if they will truly allow external sources to audit the code and it all comes back clean, I'd probably download it.
What did you think about the 1.5m proximity claim? I have 60-100m BT modules and newer BT specs promote higher output features. His technical information was garbage. It's actually quite interesting that the BT 5.1 spec has some very cool added features but phone manufacturers cut production costs and haven't widely adopted the better bluetooth specs.
What was the 1.5m claim? I must have missed that one.
@ngengerous: His claim was contacts are only logged if within 1.5m for 15 minutes. According to the press conference, a 5 minute elevator ride wouldn't be logged or traceable using the app.
@[Deactivated]: Hmmm, not too sure how they'll be implementing that. From my limited knowledge I would assume it'd be based off signal strength, but then you run into the issue you're describing, if you have higher-output devices mixing with lower-output devices. You'd think this would result in a few false-positives…
@[Deactivated]: Yes, I saw this and thought that it makes the app less useful. We’d certainly learn a lot more about how the virus spreads if the threshold was lower. Irrespective of people’s privacy concerns, if this is the case seems like a missed opportunity to me.
I believe most phones have Class 2 BT, based on its transmission power, it's rated at 10m. Class 1 has a higher transmission power and is 100m. There are a few ways of judging distance, like signal strength, round trip time, I think a few others, these get less accurate when obstacles are in the way. In this application though, this might work, because even if technically you are 1m from someone, if there is a wall between you, it's pretty unlikely you'll catch the virus from them, and the app will judge that you are 2m or something away from them.
My guess on this, with limited knowledge of this stuff (-:
@sacah: Most (high-end?) phones are actually class 1 (100m-ish upper limit), though that might only be for active connections… beacons are likely lower power.
I've tested a couple of Samsung, LG and Sony flagships with a class 1 headset out to 60m.
Signal strength wouldn't work without making too many assumptions about different phones. RTT would be very dependent on the latency of the BT stack on different OSes and phone specs. About the only thing they could do is length of contact; I can't think of any way they could even semi-reliably check distance.
@elusive: That's cool, I've only used Class 1 devices with a PC.
As for signal strength, I've previously researched a library that asked people to calibrate new devices at known distances and then submit the results, they used that table in the library to estimate, I looked up the library to paste a link and noticed they also say "Covid Contact Tracing Beacon Support"
https://altbeacon.github.io/android-beacon-library/
Has a Google/Apple defined white paper about it too, though I haven't looked at it.
They are also saying they are up to 16k apps using the library, including some big names, so that may have helped the device database keep up to date.
Edit:
Just out of interest I popped onto the Samsung support chat and they said all Samsung phones are Class 2, meaning 10m without obstructions.
I remember Stuart Robert - Assistant Treasurer Stuart Robert pays back $38,000 to cover internet bills charged to taxpayers
I also remember him claiming that Services Australia's website was hit by a DDOS attack and not excess demand…
Wouldn't trust as far as I could throw him
Stuart Robert is a terrible MP. Behind robodebt. Tanking the NDIS.
I would recommend not installing this.
I would consider downloading the app if it were on a open source Dapp blockchain.
It's going to be open-source, no word on blockchain though.
just wait while I go buy some more eth
How would data being stored in a Blockchain help in this case?
Users may be able to use the addresses to track other users.
But the users can't access the data. It's encrypted and is handed to the government once you have covid who then unencrypt it and contact the other users.
[Deactivated] on 18/04/2020 - 13:35 Comment score below threshold.
