>Just get your shots. Stop being pricks about it, it's not a big deal.
Since fucking when do we need to build mass surveillance systems to encourage people to vaccinate?
Why does it need to be a big deal? I don’t give a shit about vaccines (had my 2 shots as soon as they were available), but I genuinely believe that people pushing for pervasive vaccine passes do not deserve to live. Fucking develop technology to test if I actually had the vaccine, don’t try to use this as an excuse to check my documents.
You need a passport to leave your country. You need a drivers license to drive a car.
It's illegal to employ people without a work visa.
Relax. Don't pretend this is something new or the end of the world. This is how civilization works, through society making decisions on whats acceptable and what isn't.
There's all sorts of sensible restrictions already and this is another one that makes sense.
There's no point in reasoning with you, if you believe that someone's private health information is a blanket reason to completely ruin their livelihood.
Would be lovely if you were put in a position where it's something you don't want to (or can't) do, or your own government takes away your entire livelihood. But it would be fine, because that's how civilisation works, through society making decisions on whats acceptable and what isn't. There's all sorts of sensible.
I would have a sweet, sweet "I told you so" moment, but I would still stand up for your rights.
That "private health information" is them attempting to ruin other people's livelihoods. This isn't some personal issue like high blood pressure, this is a highly infectious disease.
Stop pretending this is some kind of principled stand, it's just people wanting to be inconsiderate assholes and other people not wanting them to be.
Unvaccinated people aren't runing anyone's livelihood, except for taking a bigger risk on themselves.
It is a principled stand. I'm all for vaccination and I'm vaccinated myself, I don't care who's vaccinated and who's not. Making it illegal to employ unvaccinated people is inexcuseable.
This would be true if vaccines offered perfect 100% protection. Since they don't, individual protection is the product of the protection of everyone you interact with.
As such, unvaccinated people are a health risk to the vaccinated individual.
We don't allow all sorts of other health risks in the workplace, you can't be a drunk crane operator for example, so this is not some special new thing.
* you can easily get a non-covid passport to leave the country
* you need a driver's license to prove skill
* it's illegal to enter a country illegally. Working without a visa isn't an issue because you're not allowed there to begin with.
But with covid, we've removed fundamental rights. Driving is not a right. Leaving your country and working (in your country) are rights... but not if you're a skeptic.
But about your examples, these things are now illegal but have never been:
* Australia doesn't allow you to leave the country even if you have a passport.
* In Romania you're not allowed to go outside without a mask and you're not allowed to go outside at night AT ALL if you're not vaccinated.
Even worse:
* France debated removing voting rights for non vaccinated people.
> Ceausescu declared a national curfew on December 20 1989.
And then 5 days later the Ceausescus were sentenced to death and executed by a firing squad, the same fate that the proponents of covid passports deserve. I suppose that was your point.
I have no problem with the vaccines, I just don’t think it’s a reasonable excuse for anyone to ask my ID.
Don't know if this is whst the OP has in mind, but the first thing that comes to my mind is the backdoor that many states want to impose on all encrypted communications. That would create a single point of attack, so even assuming competence, it makes the system significantly weaker. And this episode if confirmed makes competence a strong assumption.
78 governments have ICAO private keys, and most have done so for >10 years now. If what "we all know" is true, then you should be able to find a leaked key easily. Try googling.
Or you might fall back to claiming that while governments evidently can hold on to ICAO private keys, they can't hold on to this other kind of private key, because...
Might be a matter of issuing bodies per country. Most countries have 1 passport issuing authority that’s used to thinking about security 1st, while they can have many covid certificate issuers. And many clinical authorities are not security 1st.
That's one option. The other is to regard the initial statement (that "We all know the government can’t hold on to keys") is false. Pick a test you believe to distinguish between the two. Say, whether the access keys for at least one database in a country that has >100 has leaked. Then google to see whether you can find such a leak.
The system's designers did, which is why key revocation is built into the system. The practical effects of this leak will be the people who refused the app and don't read the news will be surprised when their paper certificates are rejected.
As far as I'm aware there was no technical solution for key revocation when the EU Covid Certificate was first launched in July. The only possibility I saw for revocation was to revoke the whole CA, instead of e.g CRL check.
Can you elaborate what makes you think that key revocation is built into the system?
My understanding was that each node in a certificate tree/list consists of a key pair (public/private), and the entity metadata which needs to be verified. eg. the root CA has a private key that it uses to sign CAs, and those CAs have their own private key that it used to sign individual leaf node certificates.
Meanwhile, revocations are distributed as a separate CRL - certificate revocation list - which contains a list of certificates whose signees are no longer to be trusted. I'm not very clear on how this process works, but in any case I don't think keys can be revoked.
Nobody verified my code so far, they just eyeball the app. So the practical impact of such a leak is probably small, since people will fall for dumb forgeries already.
I had it verified constantly, both in airports and (on a trip to Italy) on pretty much every restaurant or bar I went to. I think it was only once that they were fine with showing it, all the others had scanners.
Same here. Only when entering a non-EU country after flying there, they checked with a scanner. Nowhere else. Not that I do a lot of risky activities at the moment, though, so perhaps I've just gotten unlucky with the places where it should have been checked.
Some places have no checks at all; other places you need to show one of {show the QR code, use the Luca contact tracking site, fill out a paper form}; at least one needs the QR code and a valid ID card (not sure what, but excluding the health insurance cards despite those being photo ID).
They didn’t scan the QR codes in the places I’ve been to, they just looked at them. This isn’t the first time I’ve seen cargo-cult attitudes to how the content of mobile or tablet screens relates to security.
I don’t go out a lot, but I’ve had no verification in 2 restaurants and one bar so far. Just a check that it’s scrollable in one case, otherwise just that the name sounds like it could be mine. No scanning of the QR code, no ID check.
And I’m not even using the official app for Germany, but the "Corona Tracing" fork.
My experience was very mixed with my (limited) travel I did this year. In Austria they just eyeball your certificate. In Italy everyone used an app to verify the qr code (although I've still only gotten my ID checked once).
Honestly feels completely back to normal here, streets and bars are full of people again, definitely only about 30% still wearing masks.
Not endorsing it either way, just surprised how quickly everyone gave up on it here when places in Europe are still implementing passports and requiring scans to enter stores/restaurants.
There continues to be a dominant mainstream view that whatever Europe does, "we" have to do the opposite because "we" know better. The results are very clear in the infection numbers, with transmission ratio back to 1 and above.
No there isn't. England has been mostly doing the same as neighbouring countries so far.
It hasn't implemented COVID passes yet because they're pointless. As BoJo pointed out just a few days ago, the pass is meaningless. Vaccinated people get infected and pass it on, and do so at the same rate as unvaccinated people (actually a higher rate in the UK at the moment).
> England has been mostly doing the same as neighbouring countries
Except it hasn't - on the mainland masks are still compulsory in loads of places, just to start. Look at the infection rates and tell me there is no obvious discrepancy with a straight face.
> COVID passes yet because they're pointless
They are not a medical instrument, they are a policy instrument. They are effectively a push to force the obtuse and obstinate novax constituency, which is still over 15%-20% all over, to get the jab, by forcing them to choose between daily invasive tests and a one-off vaccination. It's basically compulsory vaccination by the backdoor, so that they can hit 90%-95% vax rates.
> Vaccinated people get infected and pass it on,
Not if they keep using masks and hanging around with other vaxed people only. That's why the transmission rates on the continent are where we would expect them to be, and here they are out of control. If you give up all efforts like we've done, of course the virus spreads with or without passes.
Your beliefs about infection and transmission rates are wrong. The UK does vastly more testing than most European countries. Normalize by testing rate and the UK is no different to anywhere else. Here's an example query for you:
At any rate, I'm curious why you still believe infection rates are linked to policy. There are so many counter-examples by now: for the UK specifically, after it had it's "Freedom Day" and removed masking requirements and other measures cases fell significantly and immediately. Florida got rid of all measures and now has one of the lowest rates in the USA. Studies have been done to measure the correlation between various types of policies and outcomes, always with a null result. Infection rates and policy just don't seem to be linked at all, sad though it is to say.
"They are not a medical instrument, they are a policy instrument"
And the UK already has very high vaccination rates. Well above the levels originally claimed to be needed, especially over 90% amongst the vulnerable, meaning they're pointless both on their face and if you treat them as a form of extra-judicial punishment.
I agree with you that they're actually the latter, but they're presented as a medical instrument by governments. Hence why testing and recovery gets you a certificate. If you view them as in reality being mandates that circumvent the judicial system then Europe - a continent that spent much of the 20th century as a basket case overrun with dictators and fascists - is once again lying to its people in the name of totalitarian control. Why on earth should England follow them down that road? It's one that's been walked before, always with horrific ends.
"Not if they keep using masks and hanging around with other vaxed people only"
I think you're just making things up now. No data indicates this that I'm aware of, transmission rates aren't "out of control" once you correct for testing rates and if vaccinated people only stop being infectious when wearing masks (lol) then it's not the vaccines stopping transmission, is it?
And what if it was a screenshot? What's wrong with a screenshot?
I'm alway taking screenshot of my qr code for boarding pass and things like that so I don't have to keep the airline app open and it works without network.
I've had mine scanned a few times now, only when eating in. I'm in Ottawa FWIW, people seem to be doing it mostly right here.
Kind of annoying that I have to show my ID too, but luckily they accept an OHIP card as ID, saves having to find my passport.
The only place that really checks with the app in my world is a sweaty dance club in Prague. This is actually very appropriate. They even match with my ID.
Exactly my experience. Not a fan of a vaccine pass, but I did show it at a restaurant they didn't even know what to do with it. Looked at it a bit confused, said 'yes, yes' and that was it. No check whatsoever. I don't mind that at all to be honest.
The alternate seems to be actually more popular (22 pts vs 6 pts), but I suppose that the HN algorithm seems to rate it down due to pointing to GitHub?
Apparently the leaked keys have already been blacklisted. So all certificates signed with the leaked keys will need to be reissued. FWIW, it wasn't the Italian key that was leaked.
Very anecdotally I spent three weeks in Italy this summer and my (UK) covid pass wasn't checked even once (In fact I also had to spend 5 days or something in isolation and nobody ever bothered to check or followup). I understand that compliance is very location specific.
They got strict in the last month; now if you can't present a pass you might even be refused your salary. There have been demonstrations about this, as you might expect.
I agree that the tracing this summer was less than perfunctory, my brother had your same experience (his girlfriend wasn't even "declared", and nobody checked), and there was no Green Pass at all. Everyone wanted the tourists back so badly that the overall approach was to basically tick checkboxes and leave it at that. They got serious when it became clear the virus would be around all winter because of the Delta variant.
(Italian here) AFAIK Italy implemented the logic to be valid for 9 months, which wasn't ideal and it shows its limit in situations like this since we don't have a short expiry date.
Dunno if in the end they also put in place some kind of blacklisting for leaked certificates
Similar here. I use the app since it doesn't do anything invasive, but I also have a paper backup (I don't always carry it) because it's a bit too important to be dependent on a phone only. I bet I'd first find out about my certificate being revoked at some check point where my phone isn't working and I can't easily get a new one...
It tells the difference by looking up the test results in a database. At least that's how it works in Portugal. You can also use the app to look up other health related information.
It's definitely a solution when you have an app (assuming you have a 3rd party source of identification of users), but since it's a French key, a sizeable portion of people, mostly elderly, are not using the "official" app but a paper printed QR code that was given to them at the time of the second injection (or a picture of said code).
Since the French app is pretty terrible (it used to be the barely functional contact tracing app that didn't want to use Google/Apple's API, so there's a pretty strong popular stigma against it), even a sizeable portion of smartphone users use an alternative too (I personally have my QR code in Apple's Wallet, but there are other 3rd party solutions).
Depending on when that key was in use, this may be an epic bureaucratic mess to solve here in France if they have to reissue many.
Edit : I'll quickly add that while there's a database of vaccinated people handled by CNAM (the single payer social security administration), it doesn't seem extremely accurate : my best friend and one of his collegues were vaccinated, issued a QR code, but they weren't added to said database and had a terrible time getting the situation fixed. In the end, a pharmacist reissued a "vaccination" for them to "get them in the system". So that database is probably at best incomplete (for the process of reissuing).
Does carrying just a QR code work fine for you? My experience from Germany is that nobody scans the code, they just scroll to details to see there's two vaccinations recorded. This far my QR code has only actually been scanned at the airport.
So I haven't had an issue yet and having the QR code is definitely sufficient in France (and always attempted to check when appropriate in my personal experience, no ID check though as that was deemed illegal).
There is however a prevalent issue with QR code scanning that I noticed twice personally (and friends reported the same experiences at other places), which is that most restaurants use a super cheap phone/tablet with a terrible camera that usually is unable to focus on a smartphone screen correctly.
Once, the person was honest about it and explained they kept having issues with it, and I tried to help him focus correctly his device (QR code size + luminosity seems to be the issue from what I saw).
The second one tried a couple of time, didn't manage to focus and told me "all ok" despite it's device not having scanned me (I could see the screen).
If I had to travel though, I'd definitely take the paper certificate on top of it, as, at least here in France, that's considered for better of for worse the source of truth.
My experience in Italy is evenly split between these two cases:
1. Scan the code with the app every time.
2. Ask if I have the pass, maybe look at it once, hopefully remember me the next times.
There is also a small percentage of cases of no questions asked, ever.
By the way, I'm using a printed copy of the pass. It never runs out of battery, I don't mind if it falls on the floor when I'm using it, it works even if I'm using the phone for something else. Cons: it needs to be replaced if its key gets revoked.
In France it was scanned a lot when I was there in August.
In Ireland it’s hit and miss. About 60% of the time had to produce it, but very few places want to see ID as well, which is needed to prevent people just using someone else’s pass.
I’m all for it so I’d love to see better enforcement.
> Since the French app is pretty terrible (it used to be the barely functional contact tracing app that didn't want to use Google/Apple's API, so there's a pretty strong popular stigma against it)
Yeah the UK very wisely put the passports and the contract tracing in separate apps (helps that the NHS already had an app pre-pandemic). Not sure if it was intentional, but it certainly sidesteps this issue!
It is also wrong for one other funny reason. I have been a security officer for a credit card acquiring business and have been designing cryptographic infrastructure for credit card payment systems. I have also implemented a complete credit card terminal application with magstripe, chip&pin and contactless. I know (or at least known at some point in time) pretty much everything practical there is to know about certificates and I have even been able to parse TLV of X.509 by looking at the hex dump of it.
I'm not aware of how the COVID certs work, but the way that's solved in TLS certificates (used for https) is that when signing, you have to use an approved timestamping authority. A timestamping authority will basically say "Yes, this action was taken at exactly this time". See [0].
Timestamping does exist but it isn't used in the Web PKI (what you're calling "TLS certificates")
Both backdating and forward dating have been done in the Web PKI for various reasons, both legitimate (e.g. historically if you couldn't randomise serial numbers enough it was acceptable to randomise the notBefore time parameters slightly, this is no longer allowed) and illegitimate (we have pretty good circumstantial evidence that StartCom issued SHA-1 certificates long after such issuance was forbidden, probably for $$$ from companies that realised they should have bought one before the cut-off) but there is no inclination to insist upon timestamping to try to prevent that.
The most likely place you'll see timestamping in arguably publicly trusted certificates is code signing.
Something that is currently being used (sort of widely) is X509 OCSP. As the Cert gets signed, the CA also embeds an OCSP URL which clients can later use on the fly to determine if a cert is revoked.
In case of a leaked private key where the actual PKI wasn't breached, they still have authority over the CA itself and can therefore determine which certs are valid and which are fake.
This retains validity of the known issued certificates, but invalidates fraudulently issued certificates. The downside is that its an optional check and that every client needs an online connection in order to validate the cert.
Anyway, the COVID certificates don't seem to be actual X.509 certificates and are rather just a signed message, so this isn't something that could be utilized right now.
> In case of a leaked private key where the actual PKI wasn't breached, they still have authority over the CA itself and can therefore determine which certs are valid and which are fake.
In a very important sense the private key is the CA.
The OCSP responses are not encrypted (you'll notice that URL you mentioned is HTTP, you can't use HTTPS for this) but they are signed documents. They're signed by the issuer using its Private Key.
So, somebody who has the Private Key can mint bogus OCSP responses signed with that key too.
The recovery from losing a signing key is to revoke the entire tree under that key. This will usually involve pushing out software changes e.g. a Firefox or Chrome gets fresh data from the vendor saying "This CA is no longer trustworthy, disregard it".
This disaster scenario is why the root keys aren't (must not be) online. If you break into the computer systems of a famous but competent CA and seize total control of everything, you could perhaps (it should be difficult because they're using HSMs but if you've really got control of everything it may be possible) steal the private keys for the online intermediates. But their root is physically locked in somebody's safe, so, you can't steal that by this route for the same reason you can't steal gold bars from Fort Knox by hacking the Pentagon's web site.
I checked the Hitler code with apps from Latvia, Switzerland, Luxembourg, Iceland and France.
The apps for Latvia, Luxembourg and Switzerland say OK, the one for France says "OK but fraudulent", the one for Iceland says no. From the article it looks like the Italian app also says no.
Not revoked everywhere it seems. Also, the French app seems to check against a blacklist, so it is possible that only the Hitler code is considered invalid and not the signing key.
It has the green check mark, like a valid certificate because the vaccination scheme is right. But under it is a warning that the pass is fraudulent (blacklisted).
It is a weird UI choice but making the distinction between an invalid pass (ex: partial vaccination) and a fraudulent one is useful.
Nobody on this forum provided any kind of verification that they own the private key. It is way more likely that a rogue doctor sells certificates to unvaccinated people (which we know happens) than that the private key leaked, so let's not jump into conclusions here.
I think that's absolutely the most likely. And it's not hundreds, it's probably more like tens of thousands (or more). For example, when I got mine issued in Germany, I just went to a pharmacy, gave them my ID and (paper) vaccination record, and the pharmacist came back in a couple of minutes with my QR code.
The interesting thing to watch, over the coming days, is this: will the public policy response do the technically correct thing, and make sure that you need all your original documentation (signed records from the doctor's office, etc.) to get your new covpass issued? Or will they do something incorrect (but easy), like let people come in with their now-invalid pass plus a government ID to get a new one issued?
I am not sure how the key management works, maybe they are just issuing private keys to each pharmacy, and if any pharmacy just went rogue, it should be extremely easy to know which one the certificate is coming from.
Also, it is easy to get a valid vaccination code anyways, for example, I took a friend of mine, who was vaccinated out of EU, to a pharmacy and nicely asked if he can have a certificate for travel. They just glanced at the his vaccination dates and gave us qr codes, no questions asked. The yellow booklet is easy to forge as well.
> maybe they are just issuing private keys to each pharmacy
That seems too complicated for every single pharmacy in Europe. I bet they just punch in some data to a web app and it does the actual cryptographic signing.
> I took a friend of mine, who was vaccinated out of EU, to a pharmacy and nicely asked if he can have a certificate for travel. They just glanced at the his vaccination dates and gave us qr codes, no questions asked.
This seems no different than Joe pharmacist punching in Hitler. It's still a big problem, but it's not nearly as bad as leaking the actual private key.
> That seems too complicated for every single pharmacy in Europe. I bet they just punch in some data to a web app and it does the actual cryptographic signing.
Yeah, but if they provide an web app that can create CSRs and automatically get them signed certificates, which then can be used to create QR codes, it is easy to provide traceable individual private keys for each pharmacy. E.g. when the pharmacy logs in, they just click "Generate Credentials" button, and they are done!
These QR codes are the most obvious things to make, but they're also least useful as proof you've got the keys.
Certainly if you have a private key and you want to prove that you know the key, you can trivially make documents that only somebody with the key could make, that aren't documents any system would give people who don't have the key and yet also aren't useful fictitious documents if you're acting as a whistleblower.
That's what was done when a certificate reseller emailed the private keys of their customers to the CA they were reselling - for some reason that's unclear. The CA minted CSRs that showed they now knew the private key, without revealing what it is, and so we could all see that yup, somebody sent this CA the private keys, game over for those certificates.
[ PSA: They're called private keys, not secret keys or shared keys for a reason. Where possible you should choose your own private keys randomly and never reveal them to anybody ]
Given it is the same "poorly implemented digital identity platform" that has been in use for the last 40 years, and secures basically every form of non in person communication you conduct, I am expecting that to continue for a bit longer.
It's a shame the comment of throwawayfear has been flagged/censored as it is a valid discussion about the oppressive nature of these passports (and apparently the discussion about it).
In the Netherlands: As an unvaccinated individual you have to show a recent negative test before being able to enter a club/restaurant. So very low risk of unvaccinated people spreading Covid19. Yet, vaccinated individuals are allowed in, even when tested positive and feeling ill. There are numerous [0] cases of vaccinated individuals causing major outbreaks, resulting in the temporary closure of clubs and restaurants.
It's hard to believe these passports are about reducing hospital admissions or the public health especially in light of increased breakthrough cases [1].
These tyrants would love to hold on to these these digital “covid passports” because it gives them complete control over who can participate in society. They’d be able to exclude people who don’t comply with increasingly invasive protocols. It’s about power. The pandemic technically should already be considered endemic. For example in the USA the vast majority of the population has antibodies, in a significantly higher number than the 60 to 70 percent threshold that Fauci and other public servants claimed as the target over the last year.
More than 80% of Americans have coronavirus antibodies acquired through infection or vaccination, according to a new study of over 1.4 million blood donations across the U.S.
"Had COVID? You’ll probably make antibodies for a lifetime"
On the exact terms given to us by Fauci and other public servants, there is no more reason for these covid mandates to exist. Should be optional across the board, including in EU countries where the threshold has been reached. Then there’s no more need to secure these keys.
> More than 80% of Americans have coronavirus antibodies acquired through infection or vaccination, according to a new study of over 1.4 million blood donations across the U.S. [0]
Just to add some additional detail: The article explains that 83% had antibodies as of May 2021, and that number should be expected to have increased based on additional vaccinations and delta wave infections. Their research will continue until December 2021.
I agree with you that the response of many governments to this does not appear to be following the science.
Actually getting COVID can cause permanent damage to the heart, lungs and blood vessels of some people, which is thought to be the cause of so-called "long covid" which some people experience.
One of the things I learned during this pandemic was how often viruses cause myocarditis (heart swelling). Apparently it's not uncommon that viruses, which attack various organs, damage the heart, lungs, and brain. This can even occur in mild cases. Usually the damage is temporary, typically lasting days or weeks, but sometimes months, and can be fatal.
I don't know that covid is different than other viruses in this regard. It's new, so nobody has childhood antibodies yet like happens with many other viruses, and a lot of people are being exposed for the first time while older and more vulnerable.
> 60 to 70 percent threshold that Fauci and other public servants claimed as the target over the last year.
That number changed because the delta variant is far more infectious now. It's closer to 90 %. But you already knew that, which is why you mentioned the time frame of those statements. If I know that you're making disingenuous arguments, and you know that you're making disingenuous arguments, the healthy reaction would be to change your position until you know longer have to walk around compartmentalizing schizophrenic beliefs.
As for that meaning the pandemic has ended: it just hasn't. 1,400 people died every day over the last two week (https://www.nytimes.com/interactive/2021/us/covid-cases.html). Now I don't necessarily care about the death of people who themselves don't care, although even idiots don't deserve to die for their stupidity. But the toll on HCWs is something I would rather avoid.
Your response is very emotional. I didn't think that the facts in the arguments you replied to were disingenuous or schizophrenic.
Headlines often are fear-mongering. Politicians are not always following the science. There's a lot of research and data to look at, and not all pointing consistently in the same direction as some might believe. Things like mask effectiveness compared to ventilation and isolation, the fatalities concentrated in obese and aged populations, breakthrough infections, and even the danger that the vaccines are exerting evolutionary pressure towards changes outside the targeted spike portion of the virus, which worst case would mean we get to do this again.
Even the 90% number you mentioned involves quite a bit of uncertainty, given that we are probably already there (based on the study showing 83% in May, before additional vaccinations and all the people exposed during the entire delta wave).
The idea that populations can mask and vaccinate to stop this does not appear to be working out (breakthrough infections). It appears this will end up like the other existing common cold coronaviruses, where children of the future catch it and shake it off no big deal then have antibodies, annoying many and killing a few. The experts predicted just that as a likely outcome at the beginning of the pandemic.
The current U.S. death toll from covid amounts to 1 out of every 492 people, overwhelmingly the old and unhealthy. That doesn't strike me as a lot, certainly not worth the significant and still ongoing disruptions to economies and peoples lives. Worldwide this is comparable to the per-capita 1968 Hong Kong flu death toll. These things happen. We are better than ever at keeping unhealthy and old people alive, until something unusual comes along.
In fact our whole complex modern world - hospitals, factories, shipping, mass media, bureaucracy, many individuals, etc - doesn't seem to cope well with the out of the ordinary. In many ways we have grown complacent. Nature reminds us that she's in charge.
I know that some people feel different about that 1 in 492 number. I understand that opinions vary. In a democracy we should respect each other and work it out, not shout others down as some kind of heretics.
It seems like the Keys of one of the issuers got leaked, not the root keys so it looks like the fallout might be confined the the people who got their cert from that issuer (seems to be a french one). Or am I missing something?
This QR code proves Adolf Hitler has received 2 doses of Pfizer vaccine. At the moment you can still use the Estonian app to verify this (https://kontroll.digilugu.ee). Probably this specific cert will be revoked soon in all the apps.
But the cat is out of the bag. Everyone's grandparents will need to do the certificate retrieval dance again, which is another confusion that we did not need at this critical junction.
Someone out there has a serious problem with ethics. Or someone really screwed up to the point where it was obvious that a responsible disclosure was already a moot point. In my experience, CERT-EU is normally very competent and would have handled it professionally.
One would assume, but unfortunately as another comment in this thread illustrated, there is no bottom when probing the depth of the depravity inspired by ignorant hatred.
Sometimes it doesn't really feel like parents think too hard about their child's well-being when naming them. They actually publish the list of names that were rejected because of Finnish naming laws and while the list doesn't say if it was a parent seeking a name for a child, or an adult for themselves, I imagine there are many that are seeking them for a child. For example, "Decepticon", "Marihuana", "Sukka" (literally means "sock").
And as a famous example from across the pond, Elon Musk comes to mind.
There's no actual written law on this, but the relevant authority (Standesamt) has to take the child's welfare into account when accepting names, and may reject them as a matter of common law.
(I suppose it's possible this would be under the purview of the Verbotsgesetz as well, but it wouldn't get that far due to the name being rejected.)
The law on giving names in Germany is not passed through legislation but is instead the result of customary law and legal precedent/judgements. Exceptions are for example in changing of the given name(s) involving adoption or in the application of §1 TSG ("transsexual law").
After the birth of a child its first name is decided by their parents (or the singular legal guardian) although there are certain guidelines for the naming.
The first name...
- ... has to be recognizable as a first name
- ... can be of neutral gender (had to be obviously male or female until 2008)
- ... must not be damaging to the child, for example inviting ridicule or making a connection to "Evil", e.g. "Judas" or "Kain" ("Cain" in English). The first name Adolf despite its tainting through the dictator could potentially be legal depending on the parents' motives
- ... must not be damaging to the religious feelings of other people in society, for example "Christus", in the past also "Jesus" which has since been declared legal by a court
- ... must not be a well known name for a place/town/city or a trademark
- ... must not be a family name, with some exceptions
- ... must not contain a title like "Lord" or "Princess"
- ... must be given within a month of the birth.
A person can have multiple, but has to have at least one first name. The local can also intervene in the giving of too many first names if that would otherwise come to harm the child (one ruling made it so a mother could not give her child twelve but only a maximum of five first names). When given multiple first names the one most often used to address the person is called the "Rufname" (approximate English equivalent "nickname"). The arrangement of the first names is not a ranking. Following a German supreme court decision (1959) a person is free to choose from their official first names by which they'd like to be addressed, the "nickname" is thus not set permanently.
A child's first names have to differ from their siblings', if there are multiple first names, one can be the same as a sibling's. Three first names must not be connected by dashes (e.g. "Jan-Marius-Severin").
- snip, long paragraph on the history of the requirement for an obvious gender of the first name(s), important part to follow - Following a supreme court decision in 2008, there is no such requirement in the law, the earlier "requirement" came from an official directive given to the registrar's offices ("Standesämter"). Thus the name-giving by the parents continues to only be restricted by the "no harm to the child" or if "there is no possible way for the child to identify their sex/gender [1] from the name".
In Germany, exceptions allow for the later change of one's own first name(s). For example immigrants have the option to "Germanize" their names or, if that's impossible, choose new first names. Furthermore there's the option to change one's first name(s) if the person has always been called by a different name or if they can't deal with their "exotic" first name.
In addition trans people have the option to change their first name to fall in line with their gender identity (for which on German identity documents the options are "male", "female" or "diverse").
[1]: don't know which is meant here, "Geschlecht" is (colloquially) used for both words in German
A friend from Montenegro, living in Germany, gave a name to his son ending in "a". At first it was rejected because in German all names ending in "a" are female. Had to bring an official paper from his embassy to prove that chosen name is in deed a male one. I think it was before 2008, as mentioned above.
"Maria" is a name which is mostly used for girls, but in Germany it can be used as a middle name for boys too. So names ending with an "a" only for girls is not a hard rule.
So yes, there are some hurdles to name your child whatever you want and I think this is good for the child. But usually these hurdles are not unconquerable.
A family in New Jersey USA had their children taken away from them after naming one of their kids that. They attracted attention by ordering a birthday cake with the then 3yo’s name on it.
I have a friend whose older brother is named Adolf, born in Berlin in the early 1940s and still lives there. I’ve always wanted to ask why he didn’t change his name but what an awkward question.
I am surprised Dolf Lundgren didn’t choose a completely different stage name (though he’s Swedish).
>I am surprised Dolf Lundgren didn’t choose a completely different stage name (though he’s Swedish).
Isn't his name Dolph? And I would've never actually thought about "Adolf" when seeing his name, so I don't really see that he would've needed to do that.
Your medical record is private, but if a job has a requirement they can ask for proof of vaccine. It is up to you to provide it, and it is up to them to how to interpret it if you don't provide and how to handle it.
For example even before the pandemic it was a job requirement of you were in a medical field.
That's fine but I didn't have to show my vaccination record to my current employer. I literally sit at home and stare at a computer screen all day. That's different than a nurse at a hospital.
My sister works at Pfizer in clinical trials, her last day is next week. She literally had to submit negative test results every week since around May. She works remotely, doesn't live in the same state as Pfizer headquarters and sits in front of a computer all day. Tell me how that makes sense?
So do the COVID vaccine mandates, frankly. Relatively short lived (~months) protection against infection, which itself comes at the cost of encouraging vaccine escape variants to become the dominant strain.
Furthermore while protection against infection/transmission wanes incredibly quickly compared to natural immunity, the protection against severe disease/hospitalization does much less so. Therefore it is quite silly for a vaccinated person with a functioning immune system to be afraid of catching COVID. (This is usually the point in the discussion where people start saying "what about this one super rare immunocompromised person who the vaccine doesn't work well for"...)
So the whole idea of population-level vaccination to stop the spread is absurd on its face. And the real world data only further underscores that (mass vaccination did not stop the 2021 waves, and if anything it seems like vaccination helped briefly prevent some people from acquiring natural immunity due to briefly protection them against infection, which just made the vaccinated population even better substrate when Delta came roaring).
If someone's concerned about COVID, they need to get vaccinated and stop trying to control everyone around them. It's really quite simple. The collectivist benefit of vaccination is poor at best, and has a lot of theoretical concerns associated with it such as https://journals.plos.org/plosbiology/article?id=10.1371/jou.... Whereas the individual benefit wrt mortality&morbidity is a much stronger argument.
Mass vaccination did not stop the waves in 2021 because vaccination numbers were too low.
Your whole argument is that vaccination wasn't effective on a population level... because the population was not vaccinated enough. With delta we need to reach 90% (https://www.businessinsider.com/delta-variant-herd-immunity-...), but we got nowhere near that thanks to people wanting to treat a collective problem like an individual one.
Reduction of infection/transmission is only one endpoint to consider. We also need to consider the overall effect on the quality of healthcare we can expect to receive in a situation where low vaccination rates causes hospitals to be overrun. This is where the line between personal health decisions on whether to get vaccinated or not and what is fair to society as a whole gets blurry.
People tend to argue "but what about $arbitrary_unhealthy_habit, we don't regulate that!" when someone mentions this, but $arbitrary_unhealthy_habit has been accounted for in terms of resources required to treat people (assuming a working healthcare system), whereas a once-in-a-century-level pandemic hasn't, so it's not a valid comparison.
That's a fine argument, but I've never seen a proper quantitative assessement of the risk of hospital over-run with respect to vaccination rates (or in general, frankly). The vast majority of COVID infections are mild or completely asymptomatic, so something like 90% of the hospitalization burden is being caused by 10% of infections. Mandating that some random 20-something year old get vaccinated does not move the needle (no pun intended) whatsoever.
The at-risk populations can be vaccinated. Let's get them (voluntarily) vaccinated and be done with it. Enough of these mandates which serve more to enrich giant pharmaceutical companies than they do to improve public health.
BTW, while mortality isn't the only outcome of concern, I'd be remiss if I didn't mention that Pfizer's 6 month RCT - the highest quality data we have of this kind, period - showed no improvement in all-cause mortality in the 20,000+ people they vaccinated compared to the control: https://www.medrxiv.org/content/10.1101/2021.07.28.21261159v...
> During the blinded, controlled period, 15 BNT162b2 and 14 placebo recipients died; during the
open-label period, 3 BNT162b2 and 2 original placebo recipients who received BNT162b2 after
unblinding died. None of these deaths were considered related to BNT162b2 by investigators.
So the highest quality evidence indicates that vaccinating a similar population will make no difference in net deaths. (One possible counterargument would be to argue that transmission was unusually low during the study period, but AFAICT that's simply not the case)
--
Back to your comment:
> People tend to argue "but what about $arbitrary_unhealthy_habit, we don't regulate that!" when someone mentions this, but $arbitrary_unhealthy_habit has been accounted for in terms of resources required to treat people (assuming a working healthcare system), whereas a once-in-a-century-level pandemic hasn't, so it's not a valid comparison.
I won't make that argument, but I did want to mention that - while unrelated to mandates per se - we basically scaled down our healthcare capacity across 2020, at least in the US, due to all the furloughs and the like from the missed medical appointments, as well as (in many places) suspension of "elective" surgeries. And more relevant to the vaccines, a small but real number of healthcare workers have been or are in the process of being fired for non-compliance with the mandate, regardless of their prior infection history etc
Parent was not so much asking about mortality as about health care management. Do you imply all the data that shows unvaccinated are much more likely to require hospitalization, is flawed or fake?
A lot of it is statistical fuckery. The set of people hospitalized who are unvaccinated is not the same as the set of unvaccinated people who end up getting hospitalized.
But some of it is certainly true. Vaccination makes a very significant difference in hospitalization among the very at-risk subset of the population. But in the healthier demographics, vaccination status is irrelevant to "net hospitalization" because in those demographics COVID itself is irrelevant to hospitalization when compared to other causes of hospitalization.
Since I didn't mention it explicitly, I mentioned all-cause mortality because that's going to be very correlated to all-cause hospitalization as well (and the fact that mortality itself is something we should care about).
There are so many half truths in your arguments it would take far too long to refute them all. It’s hard to believe you’re not acting in bad faith, either that or completely indulging your confirmation biases.
Wait what? I mean, seriously either
1) you believe the vaccine works: in that case YOU are safe if you're vaccinated, regardless of others.
2) you believe the vaccine doesn't work: it doesn't matter.
The reality is neither of those. The vaccine works, but not perfectly. As such, the protection is the product of the protections of everyone you come in contact with.
Yes there can be a short-lived infection with covid even when you're vaccinated. It's going to be very short lived and not dangerous, and I believe I once read a study that claims humans face some 50 short-lived infections daily. Mostly not covid, not even a virus at all: mostly bacterial ones.
Lots of people die effectively from pneumonia ("natural causes", but pneumonia is the drop that overflows the bucket). And if you turn out to be one of them, you know where the bacteria that's going to kill you currently is? It's on your skin. Right now. Best to take no chances and burn your skin off, because you're sure as hell not going to get it off with any less serious measures.
If you think a simple shot that in the worst case has you feeling kind of off for a few days is comparable to ... taking off your skin, then frankly you are a lunatic.
It's also not as much about my risk if I were to get infected, but me transmitting it to somebody else.
Like say my grandma. She's vaccinated, but she's also 80. In that age group, vaccines might not be enough. Look at Colin Powell. Vaccinated twice, still dead from Covid.
I'm tired of inconsiderate assholes making up elaborate excuses to continue being a risk to everyone cause they don't want the inconvenience of a needle
The biggest thing you can do is get vaccinated and lose like 50 lbs. My grandpa is 85, he got it and it was nothing. He's also not carrying any extra weight and still works and repairs watches. He got Covid at work. I think there's mental aspect and physical aspect. Obviously an anecdote but I think there's few things to take a way.
Almost no vaccines work that way. They’re not magic shields.
In reality protection is slightly variable depending on a host of factors including age & immune response, but on a _population_ level they work to bring the disease under control.
The polio vaccine ended that disease’s existence in most of the world, but it’s not perfect. If you’re vaccinated with the regular schedule and go to a polio-endemic area you may still get it. That’s why people who may be exposed to it in places where it’s endemic or in labs need additional booster shots according to CDC guidelines.
It's irrelevant whether other people have been vaccinated or not, for a vaccine that works. The claims to the contrary are all extremely weak that look strongly like working backwards from the desired conclusion (collective action) to something that sounds vaguely scientific (the passes).
The system therefore has no legitimacy and opposing it is ethically correct.
You should not trust even paper certs. At least in Russia, too many of them are bought by anti-vaxxers. I.e., some doctors responsible for vaccination, given some extra money, do everything they need to do, except the actual injection.
P.S. My re-vaccination attempt failed on October 22nd. 270 people in the queue before me, some are sneezing, no social distancing at all, so I decided not to risk. I still have a valid certificate from March 18th.
Mostly yes. E.g. in Germany there’s often no speed limits. I also support laws like “you’re responsible for not speeding” so if you crash and hurt someone, you could be guilty, but not if you’re speeding on a completely straight & empty motorway.
I'm not sure I would say often. The no speed limit stretches are much more limited than people outside of the country seem to think, and often are temporarily limited when needed, times of higher traffic, road work, near cities or on/off ramps, weather conditions, etc. It is not as much of a free for all as you make it out to be.
We already have laws that make people responsible if they are speeding and crash and hurt someone, and people still do it. The problem with your logic of "there should be no rule unless someone does something to hurt someone" is that people are not always rational, and once someone is hurt or killed it is too late. It is better to try and discourage the behaviour that hurts someone before it happens, rather than after.
The two are not comparable. You don't need a car to live. But in some countries you're cut off from essential services in the name of politicized science.
Completely agree with you but that opinion is based on understanding that covid was created in a lab, and the vaccines are a power and money grab or worse.
If you are wondering about Vaccine QR codes, see this article that explains how the "shc" (SMART Health Card) protocol is used to generate and decode the QR.
What I read was they were seeing fake certificates - but these could be created by compromising the vax registration application and certificate download process.
It could be done by compromising a vaccine clinic tablet and issuing new records into the main WHO CoVAX record database under arbitrary names, and then collecting the fake passport image from the web interface citizens use.
I don't think you need to compromise the root certificate or signing keys to do this, there are easier ways. (But if I could put in a request for a Josef K., and an A. Solzhenitsyn novelty certificate, it would be a nice to have on my phone.)
Based on the information I've received, the private keys for all European countries have been leaked. There appears to be a centralised EU system where they all are stored.
Just wonder, how any of you vaccine masterminds would explain how vax scanners for PEOPLE are comming and how will they detect if you really had the shot? How would that be possible without some magnetic stuff in you blood?
Now you know why is so "important" to let go on the green pass, cause you ganna be a walking magnet for simple metal detectors, presented as state of the art new science.
Not sure why downvoted. This is a legitimate point. In Romania it's possible to get "sink vaccinated". That is, the doctor squirts the syringe into a sink instead of in you, and you get 100 % valid papers to show your local wannabe Arstotzka agent.
Having a covid passport proves nothing. They'll have to scan your blood like in Gattaca.
For all practical everyday use, this doesn't matter. Nobody has ever even checked my ID card has the same name as in the app, let alone scanned the QR code to verify. They just glance and that gives them though plausible deniability to let me in.
Turns out there's no certificate or keys leaked, but there was an exposed unsecured web service to generate GP from Poland. It has since been fixed, but apparently there's a couple more still around (Vietnam and such it seems).
213 comments
[ 2.8 ms ] story [ 255 ms ] threadJust get your shots. Stop being pricks about it, it's not a big deal.
You said it yourself:
>Just get your shots. Stop being pricks about it, it's not a big deal.
Since fucking when do we need to build mass surveillance systems to encourage people to vaccinate?
Why does it need to be a big deal? I don’t give a shit about vaccines (had my 2 shots as soon as they were available), but I genuinely believe that people pushing for pervasive vaccine passes do not deserve to live. Fucking develop technology to test if I actually had the vaccine, don’t try to use this as an excuse to check my documents.
Leaked private keys are liberation.
They already can't enter supermarkets or access any "non-essential" services.
"simple health measure", you literally need that + a form of ID to leave the home. And I cannot support that.
Relax. Don't pretend this is something new or the end of the world. This is how civilization works, through society making decisions on whats acceptable and what isn't. There's all sorts of sensible restrictions already and this is another one that makes sense.
Would be lovely if you were put in a position where it's something you don't want to (or can't) do, or your own government takes away your entire livelihood. But it would be fine, because that's how civilisation works, through society making decisions on whats acceptable and what isn't. There's all sorts of sensible.
I would have a sweet, sweet "I told you so" moment, but I would still stand up for your rights.
Stop pretending this is some kind of principled stand, it's just people wanting to be inconsiderate assholes and other people not wanting them to be.
It is a principled stand. I'm all for vaccination and I'm vaccinated myself, I don't care who's vaccinated and who's not. Making it illegal to employ unvaccinated people is inexcuseable.
As such, unvaccinated people are a health risk to the vaccinated individual.
We don't allow all sorts of other health risks in the workplace, you can't be a drunk crane operator for example, so this is not some special new thing.
* you can easily get a non-covid passport to leave the country * you need a driver's license to prove skill * it's illegal to enter a country illegally. Working without a visa isn't an issue because you're not allowed there to begin with.
But with covid, we've removed fundamental rights. Driving is not a right. Leaving your country and working (in your country) are rights... but not if you're a skeptic.
But about your examples, these things are now illegal but have never been:
* Australia doesn't allow you to leave the country even if you have a passport.
* In Romania you're not allowed to go outside without a mask and you're not allowed to go outside at night AT ALL if you're not vaccinated.
Even worse:
* France debated removing voting rights for non vaccinated people.
> This is how civilization works
You know which other people invoked civilization?
Just like you need a vaccine certificate to prove vaccination :)
> Leaving your country and working (in your country) are rights
Says who? Who defines those rights?
> these things are now illegal but have never been: [...]
> In Romania you're not allowed to go outside without a mask and you're not allowed to go outside at night AT ALL if you're not vaccinated.
Ceausescu declared a national curfew on December 20 1989.
> Australia doesn't allow you to leave the country even if you have a passport
Australia literally was a prison colony. You know, prisons, the things where people can't leave?
Both of these "unprecedented" things have precedent. You're over-exaggerating in your hysteria.
> You know which other people invoked civilization?
Please, enlighten me.
> Says who? Who defines those rights?
UN Universal Declaration of Human Rights.
> > Australia doesn't allow you to leave the country even if you have a passport
> Australia literally was a prison colony. You know, prisons, the things where people can't leave?
Ok, I'm now fairly confident you're just trolling.
Why would you think I'm trolling? I demonstrated both examples you gave were invalid and all you did was try to derail the conversation.
And then 5 days later the Ceausescus were sentenced to death and executed by a firing squad, the same fate that the proponents of covid passports deserve. I suppose that was your point.
I have no problem with the vaccines, I just don’t think it’s a reasonable excuse for anyone to ask my ID.
I fear this will be used as an excuse to make the passport system even more centralized.
But yeah yeah, you can point to more than a few failures in the massive sample pool of “the government” so “government can’t hold keys.”
Or you might fall back to claiming that while governments evidently can hold on to ICAO private keys, they can't hold on to this other kind of private key, because...
The system's designers did, which is why key revocation is built into the system. The practical effects of this leak will be the people who refused the app and don't read the news will be surprised when their paper certificates are rejected.
Can you elaborate what makes you think that key revocation is built into the system?
My understanding was that each node in a certificate tree/list consists of a key pair (public/private), and the entity metadata which needs to be verified. eg. the root CA has a private key that it uses to sign CAs, and those CAs have their own private key that it used to sign individual leaf node certificates.
Meanwhile, revocations are distributed as a separate CRL - certificate revocation list - which contains a list of certificates whose signees are no longer to be trusted. I'm not very clear on how this process works, but in any case I don't think keys can be revoked.
Some places have no checks at all; other places you need to show one of {show the QR code, use the Luca contact tracking site, fill out a paper form}; at least one needs the QR code and a valid ID card (not sure what, but excluding the health insurance cards despite those being photo ID).
They didn’t scan the QR codes in the places I’ve been to, they just looked at them. This isn’t the first time I’ve seen cargo-cult attitudes to how the content of mobile or tablet screens relates to security.
And I’m not even using the official app for Germany, but the "Corona Tracing" fork.
* Germany: usually quick glance at the QR code
* France: usually properly scanned
* Sweden: not even planned to be used
* Italy: usually properly scanned
Not endorsing it either way, just surprised how quickly everyone gave up on it here when places in Europe are still implementing passports and requiring scans to enter stores/restaurants.
It will be a long winter.
It hasn't implemented COVID passes yet because they're pointless. As BoJo pointed out just a few days ago, the pass is meaningless. Vaccinated people get infected and pass it on, and do so at the same rate as unvaccinated people (actually a higher rate in the UK at the moment).
Except it hasn't - on the mainland masks are still compulsory in loads of places, just to start. Look at the infection rates and tell me there is no obvious discrepancy with a straight face.
> COVID passes yet because they're pointless
They are not a medical instrument, they are a policy instrument. They are effectively a push to force the obtuse and obstinate novax constituency, which is still over 15%-20% all over, to get the jab, by forcing them to choose between daily invasive tests and a one-off vaccination. It's basically compulsory vaccination by the backdoor, so that they can hit 90%-95% vax rates.
> Vaccinated people get infected and pass it on,
Not if they keep using masks and hanging around with other vaxed people only. That's why the transmission rates on the continent are where we would expect them to be, and here they are out of control. If you give up all efforts like we've done, of course the virus spreads with or without passes.
https://ourworldindata.org/explorers/coronavirus-data-explor...
At any rate, I'm curious why you still believe infection rates are linked to policy. There are so many counter-examples by now: for the UK specifically, after it had it's "Freedom Day" and removed masking requirements and other measures cases fell significantly and immediately. Florida got rid of all measures and now has one of the lowest rates in the USA. Studies have been done to measure the correlation between various types of policies and outcomes, always with a null result. Infection rates and policy just don't seem to be linked at all, sad though it is to say.
"They are not a medical instrument, they are a policy instrument"
And the UK already has very high vaccination rates. Well above the levels originally claimed to be needed, especially over 90% amongst the vulnerable, meaning they're pointless both on their face and if you treat them as a form of extra-judicial punishment.
I agree with you that they're actually the latter, but they're presented as a medical instrument by governments. Hence why testing and recovery gets you a certificate. If you view them as in reality being mandates that circumvent the judicial system then Europe - a continent that spent much of the 20th century as a basket case overrun with dictators and fascists - is once again lying to its people in the name of totalitarian control. Why on earth should England follow them down that road? It's one that's been walked before, always with horrific ends.
"Not if they keep using masks and hanging around with other vaxed people only"
I think you're just making things up now. No data indicates this that I'm aware of, transmission rates aren't "out of control" once you correct for testing rates and if vaccinated people only stop being infectious when wearing masks (lol) then it's not the vaccines stopping transmission, is it?
* Switzerland: Usually, but not always, scanned
(Obviously anecdotal.)
I'm alway taking screenshot of my qr code for boarding pass and things like that so I don't have to keep the airline app open and it works without network.
Of course that's trivial to detect by interacting with it or scanning the QR code (which won't match the photoshopped name).
Airports check it, but other than that...
Discussion: https://news.ycombinator.com/item?id=29011537 (1 comment)
The alternate seems to be actually more popular (22 pts vs 6 pts), but I suppose that the HN algorithm seems to rate it down due to pointing to GitHub?
I agree that the tracing this summer was less than perfunctory, my brother had your same experience (his girlfriend wasn't even "declared", and nobody checked), and there was no Green Pass at all. Everyone wanted the tourists back so badly that the overall approach was to basically tick checkboxes and leave it at that. They got serious when it became clear the virus would be around all winter because of the Delta variant.
Dunno if in the end they also put in place some kind of blacklisting for leaked certificates
Actual source seems to be here: https://rfmirror.com/Thread-TRADING-make-EU-green-pass?page=...
The certificate I am using is printed on a piece of paper I carry with me.
Just out of curiosity, is that for privacy reasons or ? Seems rather strange for a smartphone ?
Since the French app is pretty terrible (it used to be the barely functional contact tracing app that didn't want to use Google/Apple's API, so there's a pretty strong popular stigma against it), even a sizeable portion of smartphone users use an alternative too (I personally have my QR code in Apple's Wallet, but there are other 3rd party solutions).
Depending on when that key was in use, this may be an epic bureaucratic mess to solve here in France if they have to reissue many.
Edit : I'll quickly add that while there's a database of vaccinated people handled by CNAM (the single payer social security administration), it doesn't seem extremely accurate : my best friend and one of his collegues were vaccinated, issued a QR code, but they weren't added to said database and had a terrible time getting the situation fixed. In the end, a pharmacist reissued a "vaccination" for them to "get them in the system". So that database is probably at best incomplete (for the process of reissuing).
There is however a prevalent issue with QR code scanning that I noticed twice personally (and friends reported the same experiences at other places), which is that most restaurants use a super cheap phone/tablet with a terrible camera that usually is unable to focus on a smartphone screen correctly.
Once, the person was honest about it and explained they kept having issues with it, and I tried to help him focus correctly his device (QR code size + luminosity seems to be the issue from what I saw).
The second one tried a couple of time, didn't manage to focus and told me "all ok" despite it's device not having scanned me (I could see the screen).
If I had to travel though, I'd definitely take the paper certificate on top of it, as, at least here in France, that's considered for better of for worse the source of truth.
1. Scan the code with the app every time.
2. Ask if I have the pass, maybe look at it once, hopefully remember me the next times.
There is also a small percentage of cases of no questions asked, ever.
By the way, I'm using a printed copy of the pass. It never runs out of battery, I don't mind if it falls on the floor when I'm using it, it works even if I'm using the phone for something else. Cons: it needs to be replaced if its key gets revoked.
In Ireland it’s hit and miss. About 60% of the time had to produce it, but very few places want to see ID as well, which is needed to prevent people just using someone else’s pass.
I’m all for it so I’d love to see better enforcement.
Yeah the UK very wisely put the passports and the contract tracing in separate apps (helps that the NHS already had an app pre-pandemic). Not sure if it was intentional, but it certainly sidesteps this issue!
So that was pretty poor shot at me.
[0]: https://en.wikipedia.org/wiki/Trusted_timestamping
Both backdating and forward dating have been done in the Web PKI for various reasons, both legitimate (e.g. historically if you couldn't randomise serial numbers enough it was acceptable to randomise the notBefore time parameters slightly, this is no longer allowed) and illegitimate (we have pretty good circumstantial evidence that StartCom issued SHA-1 certificates long after such issuance was forbidden, probably for $$$ from companies that realised they should have bought one before the cut-off) but there is no inclination to insist upon timestamping to try to prevent that.
The most likely place you'll see timestamping in arguably publicly trusted certificates is code signing.
In case of a leaked private key where the actual PKI wasn't breached, they still have authority over the CA itself and can therefore determine which certs are valid and which are fake.
This retains validity of the known issued certificates, but invalidates fraudulently issued certificates. The downside is that its an optional check and that every client needs an online connection in order to validate the cert.
Anyway, the COVID certificates don't seem to be actual X.509 certificates and are rather just a signed message, so this isn't something that could be utilized right now.
In a very important sense the private key is the CA.
The OCSP responses are not encrypted (you'll notice that URL you mentioned is HTTP, you can't use HTTPS for this) but they are signed documents. They're signed by the issuer using its Private Key.
So, somebody who has the Private Key can mint bogus OCSP responses signed with that key too.
The recovery from losing a signing key is to revoke the entire tree under that key. This will usually involve pushing out software changes e.g. a Firefox or Chrome gets fresh data from the vendor saying "This CA is no longer trustworthy, disregard it".
This disaster scenario is why the root keys aren't (must not be) online. If you break into the computer systems of a famous but competent CA and seize total control of everything, you could perhaps (it should be difficult because they're using HSMs but if you've really got control of everything it may be possible) steal the private keys for the online intermediates. But their root is physically locked in somebody's safe, so, you can't steal that by this route for the same reason you can't steal gold bars from Fort Knox by hacking the Pentagon's web site.
The apps for Latvia, Luxembourg and Switzerland say OK, the one for France says "OK but fraudulent", the one for Iceland says no. From the article it looks like the Italian app also says no.
Not revoked everywhere it seems. Also, the French app seems to check against a blacklist, so it is possible that only the Hitler code is considered invalid and not the signing key.
What does that even mean?
It is a weird UI choice but making the distinction between an invalid pass (ex: partial vaccination) and a fraudulent one is useful.
I find it more likely there's an option to enter custom data for non-citizens and someone was just messing around.
The interesting thing to watch, over the coming days, is this: will the public policy response do the technically correct thing, and make sure that you need all your original documentation (signed records from the doctor's office, etc.) to get your new covpass issued? Or will they do something incorrect (but easy), like let people come in with their now-invalid pass plus a government ID to get a new one issued?
Also, it is easy to get a valid vaccination code anyways, for example, I took a friend of mine, who was vaccinated out of EU, to a pharmacy and nicely asked if he can have a certificate for travel. They just glanced at the his vaccination dates and gave us qr codes, no questions asked. The yellow booklet is easy to forge as well.
That seems too complicated for every single pharmacy in Europe. I bet they just punch in some data to a web app and it does the actual cryptographic signing.
> I took a friend of mine, who was vaccinated out of EU, to a pharmacy and nicely asked if he can have a certificate for travel. They just glanced at the his vaccination dates and gave us qr codes, no questions asked.
This seems no different than Joe pharmacist punching in Hitler. It's still a big problem, but it's not nearly as bad as leaking the actual private key.
Yeah, but if they provide an web app that can create CSRs and automatically get them signed certificates, which then can be used to create QR codes, it is easy to provide traceable individual private keys for each pharmacy. E.g. when the pharmacy logs in, they just click "Generate Credentials" button, and they are done!
So I expect each country’s national health service has been issued a key. But what mechanism for revocation might be there I’ve no idea.
Certainly if you have a private key and you want to prove that you know the key, you can trivially make documents that only somebody with the key could make, that aren't documents any system would give people who don't have the key and yet also aren't useful fictitious documents if you're acting as a whistleblower.
That's what was done when a certificate reseller emailed the private keys of their customers to the CA they were reselling - for some reason that's unclear. The CA minted CSRs that showed they now knew the private key, without revealing what it is, and so we could all see that yup, somebody sent this CA the private keys, game over for those certificates.
[ PSA: They're called private keys, not secret keys or shared keys for a reason. Where possible you should choose your own private keys randomly and never reveal them to anybody ]
In the Netherlands: As an unvaccinated individual you have to show a recent negative test before being able to enter a club/restaurant. So very low risk of unvaccinated people spreading Covid19. Yet, vaccinated individuals are allowed in, even when tested positive and feeling ill. There are numerous [0] cases of vaccinated individuals causing major outbreaks, resulting in the temporary closure of clubs and restaurants.
It's hard to believe these passports are about reducing hospital admissions or the public health especially in light of increased breakthrough cases [1].
[0] (Dutch) http://www.destentor.nl/zutphen/zutphens-cafe-camelot-weeken... https://www.rtvutrecht.nl/nieuws/3106637/ [1] https://www.nature.com/articles/s41591-021-01413-7
Go ahead.
More than 80% of Americans have coronavirus antibodies acquired through infection or vaccination, according to a new study of over 1.4 million blood donations across the U.S.
https://www.miamiherald.com/news/coronavirus/article25398704...
And as reported on by Bloomberg and other media, the antibodies from past infection confer protection equal to or greater than Pfizer.
https://www.bloomberg.com/news/articles/2021-08-27/previous-...
"Previous Covid Prevents Delta Infection Better Than Pfizer Shot"
And those are slated to last for decades. Source:
https://www.nature.com/ articles/d41586-021-01442-9
"Had COVID? You’ll probably make antibodies for a lifetime"
On the exact terms given to us by Fauci and other public servants, there is no more reason for these covid mandates to exist. Should be optional across the board, including in EU countries where the threshold has been reached. Then there’s no more need to secure these keys.
Just to add some additional detail: The article explains that 83% had antibodies as of May 2021, and that number should be expected to have increased based on additional vaccinations and delta wave infections. Their research will continue until December 2021.
I agree with you that the response of many governments to this does not appear to be following the science.
[0] https://www.miamiherald.com/news/coronavirus/article25398704...
I don't know that covid is different than other viruses in this regard. It's new, so nobody has childhood antibodies yet like happens with many other viruses, and a lot of people are being exposed for the first time while older and more vulnerable.
That number changed because the delta variant is far more infectious now. It's closer to 90 %. But you already knew that, which is why you mentioned the time frame of those statements. If I know that you're making disingenuous arguments, and you know that you're making disingenuous arguments, the healthy reaction would be to change your position until you know longer have to walk around compartmentalizing schizophrenic beliefs.
As for that meaning the pandemic has ended: it just hasn't. 1,400 people died every day over the last two week (https://www.nytimes.com/interactive/2021/us/covid-cases.html). Now I don't necessarily care about the death of people who themselves don't care, although even idiots don't deserve to die for their stupidity. But the toll on HCWs is something I would rather avoid.
Headlines often are fear-mongering. Politicians are not always following the science. There's a lot of research and data to look at, and not all pointing consistently in the same direction as some might believe. Things like mask effectiveness compared to ventilation and isolation, the fatalities concentrated in obese and aged populations, breakthrough infections, and even the danger that the vaccines are exerting evolutionary pressure towards changes outside the targeted spike portion of the virus, which worst case would mean we get to do this again.
Even the 90% number you mentioned involves quite a bit of uncertainty, given that we are probably already there (based on the study showing 83% in May, before additional vaccinations and all the people exposed during the entire delta wave).
The idea that populations can mask and vaccinate to stop this does not appear to be working out (breakthrough infections). It appears this will end up like the other existing common cold coronaviruses, where children of the future catch it and shake it off no big deal then have antibodies, annoying many and killing a few. The experts predicted just that as a likely outcome at the beginning of the pandemic.
The current U.S. death toll from covid amounts to 1 out of every 492 people, overwhelmingly the old and unhealthy. That doesn't strike me as a lot, certainly not worth the significant and still ongoing disruptions to economies and peoples lives. Worldwide this is comparable to the per-capita 1968 Hong Kong flu death toll. These things happen. We are better than ever at keeping unhealthy and old people alive, until something unusual comes along.
In fact our whole complex modern world - hospitals, factories, shipping, mass media, bureaucracy, many individuals, etc - doesn't seem to cope well with the out of the ordinary. In many ways we have grown complacent. Nature reminds us that she's in charge.
I know that some people feel different about that 1 in 492 number. I understand that opinions vary. In a democracy we should respect each other and work it out, not shout others down as some kind of heretics.
This QR code proves Adolf Hitler has received 2 doses of Pfizer vaccine. At the moment you can still use the Estonian app to verify this (https://kontroll.digilugu.ee). Probably this specific cert will be revoked soon in all the apps.
But the cat is out of the bag. Everyone's grandparents will need to do the certificate retrieval dance again, which is another confusion that we did not need at this critical junction.
Someone out there has a serious problem with ethics. Or someone really screwed up to the point where it was obvious that a responsible disclosure was already a moot point. In my experience, CERT-EU is normally very competent and would have handled it professionally.
Is it illegal to name a child Adolf Hitler in Germany? Serious question, not sarcasm.
And as a famous example from across the pond, Elon Musk comes to mind.
(I suppose it's possible this would be under the purview of the Verbotsgesetz as well, but it wouldn't get that far due to the name being rejected.)
Not necessarily (from https://de.wikipedia.org/wiki/Vorname_(Deutschland)#Rechtlic... , roughly translated into English):
The law on giving names in Germany is not passed through legislation but is instead the result of customary law and legal precedent/judgements. Exceptions are for example in changing of the given name(s) involving adoption or in the application of §1 TSG ("transsexual law").
After the birth of a child its first name is decided by their parents (or the singular legal guardian) although there are certain guidelines for the naming.
The first name...
- ... has to be recognizable as a first name
- ... can be of neutral gender (had to be obviously male or female until 2008)
- ... must not be damaging to the child, for example inviting ridicule or making a connection to "Evil", e.g. "Judas" or "Kain" ("Cain" in English). The first name Adolf despite its tainting through the dictator could potentially be legal depending on the parents' motives
- ... must not be damaging to the religious feelings of other people in society, for example "Christus", in the past also "Jesus" which has since been declared legal by a court
- ... must not be a well known name for a place/town/city or a trademark
- ... must not be a family name, with some exceptions
- ... must not contain a title like "Lord" or "Princess"
- ... must be given within a month of the birth.
A person can have multiple, but has to have at least one first name. The local can also intervene in the giving of too many first names if that would otherwise come to harm the child (one ruling made it so a mother could not give her child twelve but only a maximum of five first names). When given multiple first names the one most often used to address the person is called the "Rufname" (approximate English equivalent "nickname"). The arrangement of the first names is not a ranking. Following a German supreme court decision (1959) a person is free to choose from their official first names by which they'd like to be addressed, the "nickname" is thus not set permanently.
A child's first names have to differ from their siblings', if there are multiple first names, one can be the same as a sibling's. Three first names must not be connected by dashes (e.g. "Jan-Marius-Severin").
- snip, long paragraph on the history of the requirement for an obvious gender of the first name(s), important part to follow - Following a supreme court decision in 2008, there is no such requirement in the law, the earlier "requirement" came from an official directive given to the registrar's offices ("Standesämter"). Thus the name-giving by the parents continues to only be restricted by the "no harm to the child" or if "there is no possible way for the child to identify their sex/gender [1] from the name".
In Germany, exceptions allow for the later change of one's own first name(s). For example immigrants have the option to "Germanize" their names or, if that's impossible, choose new first names. Furthermore there's the option to change one's first name(s) if the person has always been called by a different name or if they can't deal with their "exotic" first name.
In addition trans people have the option to change their first name to fall in line with their gender identity (for which on German identity documents the options are "male", "female" or "diverse").
[1]: don't know which is meant here, "Geschlecht" is (colloquially) used for both words in German
So yes, there are some hurdles to name your child whatever you want and I think this is good for the child. But usually these hurdles are not unconquerable.
I have a friend whose older brother is named Adolf, born in Berlin in the early 1940s and still lives there. I’ve always wanted to ask why he didn’t change his name but what an awkward question.
I am surprised Dolf Lundgren didn’t choose a completely different stage name (though he’s Swedish).
The NJ situation: https://en.wikipedia.org/wiki/Heath_Hitler
Isn't his name Dolph? And I would've never actually thought about "Adolf" when seeing his name, so I don't really see that he would've needed to do that.
Or should we fallback to paper cert?
Your medical record is private, but if a job has a requirement they can ask for proof of vaccine. It is up to you to provide it, and it is up to them to how to interpret it if you don't provide and how to handle it.
For example even before the pandemic it was a job requirement of you were in a medical field.
My sister works at Pfizer in clinical trials, her last day is next week. She literally had to submit negative test results every week since around May. She works remotely, doesn't live in the same state as Pfizer headquarters and sits in front of a computer all day. Tell me how that makes sense?
Furthermore while protection against infection/transmission wanes incredibly quickly compared to natural immunity, the protection against severe disease/hospitalization does much less so. Therefore it is quite silly for a vaccinated person with a functioning immune system to be afraid of catching COVID. (This is usually the point in the discussion where people start saying "what about this one super rare immunocompromised person who the vaccine doesn't work well for"...)
So the whole idea of population-level vaccination to stop the spread is absurd on its face. And the real world data only further underscores that (mass vaccination did not stop the 2021 waves, and if anything it seems like vaccination helped briefly prevent some people from acquiring natural immunity due to briefly protection them against infection, which just made the vaccinated population even better substrate when Delta came roaring).
If someone's concerned about COVID, they need to get vaccinated and stop trying to control everyone around them. It's really quite simple. The collectivist benefit of vaccination is poor at best, and has a lot of theoretical concerns associated with it such as https://journals.plos.org/plosbiology/article?id=10.1371/jou.... Whereas the individual benefit wrt mortality&morbidity is a much stronger argument.
Your whole argument is that vaccination wasn't effective on a population level... because the population was not vaccinated enough. With delta we need to reach 90% (https://www.businessinsider.com/delta-variant-herd-immunity-...), but we got nowhere near that thanks to people wanting to treat a collective problem like an individual one.
People tend to argue "but what about $arbitrary_unhealthy_habit, we don't regulate that!" when someone mentions this, but $arbitrary_unhealthy_habit has been accounted for in terms of resources required to treat people (assuming a working healthcare system), whereas a once-in-a-century-level pandemic hasn't, so it's not a valid comparison.
The at-risk populations can be vaccinated. Let's get them (voluntarily) vaccinated and be done with it. Enough of these mandates which serve more to enrich giant pharmaceutical companies than they do to improve public health.
BTW, while mortality isn't the only outcome of concern, I'd be remiss if I didn't mention that Pfizer's 6 month RCT - the highest quality data we have of this kind, period - showed no improvement in all-cause mortality in the 20,000+ people they vaccinated compared to the control: https://www.medrxiv.org/content/10.1101/2021.07.28.21261159v...
> During the blinded, controlled period, 15 BNT162b2 and 14 placebo recipients died; during the open-label period, 3 BNT162b2 and 2 original placebo recipients who received BNT162b2 after unblinding died. None of these deaths were considered related to BNT162b2 by investigators.
So the highest quality evidence indicates that vaccinating a similar population will make no difference in net deaths. (One possible counterargument would be to argue that transmission was unusually low during the study period, but AFAICT that's simply not the case)
--
Back to your comment:
> People tend to argue "but what about $arbitrary_unhealthy_habit, we don't regulate that!" when someone mentions this, but $arbitrary_unhealthy_habit has been accounted for in terms of resources required to treat people (assuming a working healthcare system), whereas a once-in-a-century-level pandemic hasn't, so it's not a valid comparison.
I won't make that argument, but I did want to mention that - while unrelated to mandates per se - we basically scaled down our healthcare capacity across 2020, at least in the US, due to all the furloughs and the like from the missed medical appointments, as well as (in many places) suspension of "elective" surgeries. And more relevant to the vaccines, a small but real number of healthcare workers have been or are in the process of being fired for non-compliance with the mandate, regardless of their prior infection history etc
But some of it is certainly true. Vaccination makes a very significant difference in hospitalization among the very at-risk subset of the population. But in the healthier demographics, vaccination status is irrelevant to "net hospitalization" because in those demographics COVID itself is irrelevant to hospitalization when compared to other causes of hospitalization.
Since I didn't mention it explicitly, I mentioned all-cause mortality because that's going to be very correlated to all-cause hospitalization as well (and the fact that mortality itself is something we should care about).
So ... what? You don't believe either of those?
Lots of people die effectively from pneumonia ("natural causes", but pneumonia is the drop that overflows the bucket). And if you turn out to be one of them, you know where the bacteria that's going to kill you currently is? It's on your skin. Right now. Best to take no chances and burn your skin off, because you're sure as hell not going to get it off with any less serious measures.
It's also not as much about my risk if I were to get infected, but me transmitting it to somebody else.
Like say my grandma. She's vaccinated, but she's also 80. In that age group, vaccines might not be enough. Look at Colin Powell. Vaccinated twice, still dead from Covid.
I'm tired of inconsiderate assholes making up elaborate excuses to continue being a risk to everyone cause they don't want the inconvenience of a needle
In reality protection is slightly variable depending on a host of factors including age & immune response, but on a _population_ level they work to bring the disease under control.
The polio vaccine ended that disease’s existence in most of the world, but it’s not perfect. If you’re vaccinated with the regular schedule and go to a polio-endemic area you may still get it. That’s why people who may be exposed to it in places where it’s endemic or in labs need additional booster shots according to CDC guidelines.
The system therefore has no legitimacy and opposing it is ethically correct.
P.S. My re-vaccination attempt failed on October 22nd. 270 people in the queue before me, some are sneezing, no social distancing at all, so I decided not to risk. I still have a valid certificate from March 18th.
We already have laws that make people responsible if they are speeding and crash and hurt someone, and people still do it. The problem with your logic of "there should be no rule unless someone does something to hurt someone" is that people are not always rational, and once someone is hurt or killed it is too late. It is better to try and discourage the behaviour that hurts someone before it happens, rather than after.
it's very questionable whether this is true. revocation can be done many different ways, reissuing can be made more convenient too
https://greencheck.gv.at/
https://marcan2020.medium.com/reversing-smart-health-cards-e...
[0]: https://smarthealth.cards/ [1]: https://www.hc1.com/
It could be done by compromising a vaccine clinic tablet and issuing new records into the main WHO CoVAX record database under arbitrary names, and then collecting the fake passport image from the web interface citizens use.
I don't think you need to compromise the root certificate or signing keys to do this, there are easier ways. (But if I could put in a request for a Josef K., and an A. Solzhenitsyn novelty certificate, it would be a nice to have on my phone.)
Having a covid passport proves nothing. They'll have to scan your blood like in Gattaca.