Friday, July 23, 2021

The obvious and predictable failure of QR code vaccin evidence

 I haven't written in a long time, and it is Friday with plenty of subjects to explore!


I have given a few interviews about the QR code idea that the government was floating and that has now become reality.  I called it from the start, the government was going to mess it up to the max.

PREUVE VACCINALE ET CODE QR (FRENCH)



Well, guess what folks, the government didn't just deliver the Hindenburg, some are actually surprised that people are faking the QR codes !

Holy shit folks, the children running the country are surprised that the system they delivered with ZERO security and ZERO controls to prevent abuse is being abused !

https://globalnews.ca/news/8039873/winnipeg-restaurant-phony-vaccine-qr-code/




CONCLUSION: The entire process that they put in place is irresponsible and foolish.


A QR code that actually has confidential information imbedded in the code was a bad idea from the start.

A QR code that will basically allow a business owner to scan and display the persons name and other "pertinent information" without a means of validating the information was building on a terrible foundation.


This means that the business owner would have to ask you for government issued ID to attempt to match the QR code data to the person that stands in front of them.   

What could go wrong with deputizing the business owner, entrusting them with sensitive information and imposing that they start asking for ID at the door!


The solution was actually so much easier, at least in Quebec.  Not sur about all the other provinces, but in Quebec the QR system is based on your medicare card number.  Which miraculously is attached to a photo they have on file!  

How simple would it have been to generate a fully random QR code with no sensitive data, and when this code is scanned using the government approved application.... the central system pops your photo up on the screen.   The business owner looks at your ugly face and looks at the photo... if both are as repulsive... it must be a match and all is good.  Simple.


But there is no money in simple... and more money in complexe and pointless systems.  Where is version 2.0 ! 


I know some critics will whine and cry that not everyone has a medicare card or not everyone has a photo on file (such as young children).   And you my friend are part of the problem that imposes terrible systems because of exceptions.  There are concrete ways to manage exceptions that would work.  But instead, the gouvernement spent our tax dollars on a system that was doomed right from the start.  A system that has no security, and that actually exposes sensitive information for no valid or functional reason.


Any descent first year security student would have assembled a more robust and worthy ecosystem.


As seems to always be the case with IT and government projects.... a big bravo is in order.


Other positive news this week:


KASEYA FINDS DECRYPTION KEY UNDER A REDISH ROCK IN THE NEVADA DESERT

https://www.databreachtoday.com/kaseya-obtains-decryption-tool-after-revil-ransomware-hit-a-17129

Check out the guys face, he hasn't slept in a while ;-)

Their press release stipulates that they cannot deny or confirm if they paid the ransom.  Either way.... a key is now miraculously available!   Great news!


INTERNET GOES DARK FOR 2 HOURS

Banks, airlines, cloud services, all went dark for a few hours due to a minor issue at Akamai. Seems someone used their thumb instead the their fingers and made a small mistake.

https://www.cbc.ca/news/business/akamai-internet-outage-1.6112954

How is this good news you ask?  Simple, if this had an impact on your operations, it identified key systems that you have in place that should not have been placed in the cloud on services that call the issue minor if it was critical to you.  Great news again!


I'm off to the restaurant with my newly printed QR code.


Have a great weekend !


_______________________________________________

Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He occasionally teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies




www.eva-technologies.com

No comments:

Post a Comment

Are we even trying over at BRP

This will be a short blog entry.  Essentially, a general observation. If your enterprise was breached and screenshots of user account passwo...