48 comments

[ 3.4 ms ] story [ 102 ms ] thread
I'm curious as to why the assumption is that the keys were compromised rather than that ability to submit false patient data to be signed in the real system? Can anyone who looked at the fake certificates comment on whether anything about format or metadata indicates they weren't from the normal system?
My understanding is that health care professionals do not directly interact with the system generating certificates. Instead, they simply enter patient vaccination records in e-health system (or whatever it is called in each country). And then the certificate systems query patient's records and if appropriate information is found, generates a certificate. Clearly, there is no patient with such a name and date of birth which means that someone has tampered with the certificate generation system directly. Even if the keys are not stolen, someone might have an unauthorized access to the system at high level.
Germany, at least, doesn't have a central database on vaccinations and just relies on pharmacy staff to validate the yellow paper Vaccination Pass and government IDs.
In such a case any pharmacist can generate a factious certificate. I don't expect them to risk their licence with false data entry but given a big country and a sufficient number of disgruntled, nearly retired professionals...
You'd be surprised what people can do. Not in Germany, but in Cyprus which is issuing EU certificates with the same as well there is an active case of a doctor who allegedly was adding people to the system without actually vaccinating them because they were against vaccination but wanted to get a pass issued. He would then throw away the dose after entering the batch number in the system. The case broke out when one of the fake pass holders got sick and had to be intubated, at which point he told the doctors about the scum he was involved in.

https://cyprus-mail.com/2021/08/14/coronavirus-new-remand-fo...

This is really dependent on each country. For The Netherlands, I know there is a system healthcare professionals can use to manually generate DCCs: in case of problems with the link, patients not giving permission to share PHI to a central registry or in exceptional cases like (partly) vaccinated outside of the EU and such. Just the matter of entering all details and it'll spit out a valid DCC.

Source: had to use this procedure myself.

And what enables this is that there are people who will pay for the certificate instead of taking a free vaccine. Dumbest black market I've seen.
It's right up there with auto seatbeat alarm stoppers?
Forgot those were a thing. Can't agree more, since the real seat belt is free too.
To my understanding, the input of the patient data is tied to scanning a vaccine dose after use. That's a bit harder or riskier to do than randomly inputing someone's name in the system.
Manual input certainly exists. My own EU Covid pass is showing "US" as the member state, as I got my vaccines in the US and the data got transcribed by the French foreign affairs into the EU system.
I wonder why the private keys of these signing-certificates don't live exclusisvely in HSMs.

At least if they do, then the range of suspects should be pretty narrow.

(comment deleted)
They probably do, I expect that the keys aren't leaked but that a way to convince the real system into signing fake data was found, or one of the systems feeding data was compromised.
Seems to me like there is way too much effort being put in to covid related software that ends up not being useful before it’s even finished.

Australia spent millions on a contract tracing app that ended up not providing any value at all.

Do we really need digitally signed vaccine certificates when more than enough people have taken the vaccine for it to be widely effective.

> Do we really need digitally signed vaccine certificates when more than enough people have taken the vaccine for it to be widely effective.

No, but you get your answer right there.

With all the uncertainty created by new mutations, I'd say the certificate will be important since we'll likely need to be vaccinated every year.
That is agenda pushed by media. Probably payed by big pharma. They can afford it. It is btw basic pattern for accepting totalitarian system. Create enemy and then offer solution. With price.
> Australia spent millions on a contract tracing app that ended up not providing any value at all.

Who cares? Australia spends more than that amount on COVID tests every few days (possibly every day, actually). It’s a drop in the ocean.

It would be nice if we could ensure that by every cent was placed on a winning bet, but in the real world it’s ok to try and fail sometimes.

I wish Australia had spent a fraction of that money building quarantine facilities instead. :)
It is not drop in the ocean. It is simple business. Most of the tests are from China btw. And from plastic. When enviroalerters start to focus on this issue? There are also masks littering everywhere.
> Do we really need digitally signed vaccine certificates

Probably not. But once they exist and are widely accepted, we can repurpose them to other things. Safety passports, CO2 passports, you name it.

Not sure if we really need that either, I'd prefer to remain anonymous.
You may prefer it, but you are not. If by remaining anonymous you mean keeping the belief that you aren't tracked, that you may, ignorance and passivity received a great promotion recently.
I remember a time when people thought the social credit system was dystopic. Now it's just reality.
Exactly, once something exists in government it never goes away. We still take off our shoes in the airport even though no one will ever hijack a plane again. The only reason it even worked in the first place is because passengers were just following protocol for every hijacking that ever took place.

If someone tries to take over a plane with box cutter again they probably won't walk off.

Signed certificates are the reason why vaccination was eventually successful in my country.
It turns out that you can make people do anything if you destroy their livelihoods if they refuse.
We made obstinate people do a good thing and now society is better for it - good.

We already destroy people's livelihoods for all sorts of transgressions against society, theft, murder, etc etc. Why are you pretending to be shocked by us adding another measure for the common good?

I'm not quite sure what you're referring to. In my country's case, certified vaccination is required for in-doors entertainment (theatres, restaurants, bars). I don't know whose livelihood is being ruined there.

The only case I'm aware of where vaccination is mandatory for a job is that of healthcare workers. I won't waste my time arguing about that.

Can you sit back at the start of a pandemic and wait a year or two, and then slowly start pondering if a few million for a contact tracing app would be worth it? To put the number in context, "The Australian Government has invested over $8 billion in the national COVID-19 vaccine rollout. We have also invested over $350 million in vaccine research and development."
The UK is spending £37billion on "NHS test and trace" over two years. Roughly £700 per inhabitant of the UK.

To put that into perspective, it's about half the total spending on education for 2020, or over 3/4 of the defence budget.

As a species, we are yet to fully understand how viral transmission works. Spend it on schools instead.

So, how do I generate a fake certificate? Any ready to use scripts on GH?
Just get the damn vaccine.
Don't give people medical advice if you're not a doctor and you know their situation.
This was not medical advice. This was just me applying social pressure.
I got it in July, I'm not American
of wich of this i must put private key ?

1. CRED Credentials Private Key

2. EU HC1 Credentials P8 Private Key

3. BBS+ Credentials Private Key

4. EDDSA Credentials Private Key

5. DIVOC Credentials Private Key

6. Public Key

i think is 1."CRED Credentials Private Key" the private key wich must have to generate a valid certtification....right?