PSA: Vaccine certificate QR code contains easily decoded personal information - don't post it on social media

hj007

So how trivial is it to create a fake one then? Aren't they just checking that id from scanning QR code matches your id book?
 

Swa

> Wait. Will we have to produce our ID alongside the vaccine certificate??? (Otherwise how will they know we are who we say we are?)
> I’ve lived in this era before and it did not end well)

That's exactly what nobody is addressing. It may work at places like an airport but nobody is going to bother checking if the person with the certificate is the person whose details are in the certificate. That's if anyone even bothers checking if the certificate is real. Other countries have shown how completely ineffective this is and they have way better technical expertise and policing.

Then there's the potential POPI nightmare as well.
 

shearder

Luckily I won't be needing that shackle. That's only for subjects and slaves not free citizens.
Serves you right, and enjoy the prison it puts you in
 

konfab

> So how trivial is it to create a fake one then? Aren't they just checking that id from scanning QR code matches your id book?

They will need to have a webservice which will allow the scanner to validate it to do that. But like masks and the temperature scanning business, the government just wants the theatre of doing something, so I doubt they would ever set it up.
 

hj007

> They will need to have a webservice which will allow the scanner to validate it to do that. But like masks and the temperature scanning business, the government just wants the theatre of doing something, so I doubt they would ever set it up.

I thought the webservice wasn't happening? That they were just scanning the QR code with no link back to the database itself?
 

konfab

> I thought the webservice wasn't happening? That they were just scanning the QR code with no link back to the database itself?

Well if that is the case, then anyone can generate a fake certificate.
 

hj007

> Well if that is the case, then anyone can generate a fake certificate.

I say that, not because I know, but because .... well have you ever tried getting something from the gov and you get the response "the system is down"?
 

Fulcrum29

Odd that when I brought concerns like this up into discussion here that some peeps wanted to take a swing.

“The QR code will have cryptographic signature linked to public key infrastructure (PKI) to prevent any fraudulent production of vaccination cards,” explained Wolmarans.

yeah...
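
Added example (not part of the thread, and not the EVDS certificate format, which the thread does not show): a generic signed-QR scheme of the kind the quoted statement describes, using a constructed key pair, constructed claims and hypothetical field names. It shows that the payload is readable without any key, that checking the signature needs only the issuer's public key, and that a valid signature does not tie the certificate to the person presenting it.

```javascript
const crypto = require('crypto');

// Constructed issuer key pair (assumption); scanners would hold only publicKey.
const issuer = crypto.generateKeyPairSync('ed25519');

// Constructed sample claims; field names are hypothetical.
const sample = { name: 'Example Person', idNumber: '0000000000000', doses: 2 };

// Issuer side: payload and detached Ed25519 signature, both base64url.
function issueQr(claims, privateKey) {
  const body = Buffer.from(JSON.stringify(claims));
  const sig = crypto.sign(null, body, privateKey);
  return `${body.toString('base64url')}.${sig.toString('base64url')}`;
}

// Anyone who sees the QR can do this: signing is not encryption.
function readClaims(qrText) {
  return JSON.parse(Buffer.from(qrText.split('.')[0], 'base64url').toString());
}

// Scanner side: offline check with the public key, then match the ID shown.
function verifyQr(qrText, publicKey, idShown) {
  const parts = qrText.split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const body = Buffer.from(parts[0], 'base64url');
  const sig = Buffer.from(parts[1], 'base64url');
  if (!crypto.verify(null, body, publicKey, sig)) {
    return { ok: false, reason: 'bad signature' };
  }
  const claims = JSON.parse(body.toString());
  if (claims.idNumber !== idShown) return { ok: false, reason: 'ID mismatch' };
  return { ok: true, claims };
}

const qr = issueQr(sample, issuer.privateKey);
// Same signature over edited claims: rejected without contacting any server.
const edited = Buffer.from(JSON.stringify({ ...sample, name: 'Someone Else' }))
  .toString('base64url') + '.' + qr.split('.')[1];
console.log(readClaims(qr).idNumber);
console.log(verifyQr(qr, issuer.publicKey, sample.idNumber).ok);
console.log(verifyQr(edited, issuer.publicKey, sample.idNumber).reason);
console.log(verifyQr(qr, issuer.publicKey, '1111111111111').reason);
```

The last check is the one that depends on the person at the door: an unmodified certificate shown by someone else passes the signature test and fails only when the ID number is compared with the document presented.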
 

Fulcrum29

> Well if that is the case, then anyone can generate a fake certificate.

There is the odd scenario where, say someone has a good idea about how this is being implemented, can brute their way into 'bricking' the system. I am sure several penetration attacks will be launched at this system, though within a lab environment. Hashes are hashes, computers are computers.
 

hj007

> There is the odd scenario where, say someone has a good idea about how this is being implemented, can brute their way into 'bricking' the system. I am sure several penetration attacks will be launched at this system, though within a lab environment. Hashes are hashes, computers are computers.

Eskom is Eskom.
 

Fulcrum29

> Eskom is Eskom.

Mentioning this, in order to authenticate the user document against the EVDS database, an internet connection will be required...

Because,


> 6. Data transfer
>
> Anonymised data will be transferred to the NDOH database for reporting. No personal data will be transferred from the EVDS, without the required legislative provisions to do so.

so this would also require EVDS to always be available and accessible.

The system is already buckling under multiple queries, think about this being introduced where multiple events are being held, many at the same time, where people are proactively being scanned into the public/private venue.
 

Swa

Incorrect. There's actually nothing stopping you from crossing the road and cars are even expected to stop for you. You can ride a car without a license. You have to pay to use public transport but don't need a pass, passes ended with apartheid. You can enter any private property where the owner gives you permission but the state is trying to dictate against that now. Actually not having restriction wrt private property would go against individual freedoms. Guess what though, universities are not private property unless it's Sol-Tech as they are state funded. The constitution applies and the constitution is against forced medical procedures so I look forward to the :popcorn: regarding the court cases.
 

Swa

> Well if that is the case, then anyone can generate a fake certificate.

You don't need one. Everyone knows someone that's been vaccinated so just use theirs. This is even better as you can keep downloading a new one once you have their details.

But it won't come to that. In order to validate this you'll need a data connection and few places will bother with setting that up. You also won't have your ID checked in everyday life. Just like with temp scanning they will not bother implementing it correctly and instead scan on your arm to get a "correct" temp. The idea is stillborn.