Going to throw this out here again. Dear DTA. We want to help you. We have been saying this from day 0. Those findings that we privately disclosed may soon be public by people not part of our community. In the "pending-disclosure" room there's a semi-consensus to wait 1 sprint /1 pic.twitter.com/ZmJGwZFdi5
— geoffrey huntley (@GeoffreyHuntley) May 3, 2020
I'm [still] in shock that a serious invasion of privacy and a violation of the privacy policy was de-prioritised in the software development sprint over shipping a new coat of paint. pic.twitter.com/ppxgwhG0lW
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
In private I tried numerous times contacting the DTA, the minister of Services Australia and the media/privacy departments and the Australian Signals Directorate to pick up the phone.
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
I was not the only researcher who experienced these problems. pic.twitter.com/jHNZcFGWAG
In fact, I even recorded this personal video and sent it to all of them. pic.twitter.com/6c9acrETE3
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
I tried support@covidsafe.gov.au and have yet to get a reply back. https://t.co/EWys2wF5Mn
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
So what does any researcher that's being ignored do? Reach out to @isobelroe and invite her to dump your brains/feelings and concerns. https://t.co/JoAHDtJ3WO
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
This went to air at 7am this morning on @RNBreakfast.
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
The other software engineers mentioned in this recording are
- Richard is @wabzqem
- Jim is @jim_mussared
Follow them https://t.co/3j2Sz804kM
As a result of @RNBreakfast's broadcast and @isobelroe's help the DTA finally picked up the phone and called us. We have a mobile phone number, email address and name of a public servant that we can speak directly with if we need to escalate (eg security research that's wormable)
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
We have found four privacy issues.
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
"But one of the things we've found in there will require every country that has used the Bluetooth implementation from Singapore to update their privacy policies and release new versions of the application." pic.twitter.com/H2YY65u0pd
And by we, I mean Jim Mussared @jim_mussared. This guy is an absolute legend. I have loved working with you every moment Jim. Let's grab a six-pack when Iso is over eh? pic.twitter.com/KFblKjUUdh
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
Here is @jim_mussared's work.
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
Again, there is no responsible disclosure program, nor industry best practices like @bugcrowd. If the code had been open sourced, there would be a clear mechanism for how the community could raise (and even fix) the bugs. https://t.co/frnlUU1aAE pic.twitter.com/24g0SpVFER
Again, some of these problems are quite serious from a privacy perspective. If your country's government used the Singapore code in their contact tracing apps then you will need to bring it to their attention. We won't be doing it. We are all volunteers here giving up $$$ to help pic.twitter.com/WOw2XiPPDr
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
Here's a demonstration of Issue #4 in action. The notification is injected into the app, but the data is not. Both the Z2 and this device are on the latest versions of COVIDSafe. pic.twitter.com/17nszAoHNr
— Richard Nelson (@wabzqem) May 5, 2020
https://www.theregister.co.uk/2020/05/07/covidsafe_australia_contact_tracing_app_issues/