HackerTrans
TopNewTrendsCommentsPastAskShowJobs

PossiblyDog

no profile record

comments

PossiblyDog
·5 lat temu·discuss
Why do you think this was too late?

14 days is the the CDC's window for contact tracing and self-isolation, based on how long it takes symptoms to show up after exposure. This seems in line with that.
PossiblyDog
·5 lat temu·discuss
The identifiers are ephemeral.

About 10 minutes for a given RPI (what gets broadcast over Bluetooth), 1 day for a TEK, and 14 days of local TEK history. The generated RPIs aren't retained, and the TEKs - which can be used to re-derive the RPIs - never leave the device unless you choose to report a diagnosis. All of this is destroyed after 14 days. This report doesn't change any of this.

I recommend reading the GAEN cryptography spec: https://blog.google/documents/69/Exposure_Notification_-_Cry...

The issue here is that privileged apps that are bundled with the OS could snoop on the system log to capture new RPIs when they're generated in real-time. Which isn't great... but privileged apps can already do much worse. If one of these apps is malicious, they could just log your GPS position directly (for example).

Heck, an application with root could just read the 14-day TEK history directly off disk. Once we're talking privileged apps and processes running as root, all bets are off. You need to be able to trust the device's firmware.