
Vietnam's contact tracing app broadcasting a fixed ID - cryptbe
https://vnhacker.blogspot.com/2020/04/vietnams-contact-tracing-app_26.html
======
lihop
The app is open source now:
[https://github.com/BluezoneGlobal/bluezone-app](https://github.com/BluezoneGlobal/bluezone-app).
The ID generation code is in this library:
[https://github.com/BluezoneGlobal/react-native-bluetooth-scan](https://github.com/BluezoneGlobal/react-native-bluetooth-scan)

------
meotimdihia
Vietnamese here, no one in Vietnam cares about this app. Hence the creator
also doesn't care about app security.

~~~
cryptbe
In less than a week, 77K people have installed the app, according to the
official tally published by the developer.

The growth rate is 2x-3x every day, faster than COVID-19.

------
serf
deleted in the interest of a fellow hacker.

~~~
cryptbe
I wrote the article. I agreed. It's a bad joke. I have no intention of causing
harm to this system.

~~~
serf
> I have no intention of causing harm to this system.

I took that intent from the article, but 'professionals' aren't always as kind
in their reading of things like that.

Interesting article.

~~~
cryptbe
Thanks.

I have no strong evidence, but it seems that Force 47 is actively monitoring
my blog [1]. I've never got so many personal attacks and smear comments as I
have since I published my findings. I bet one of them will cite your comment as
evidence of my "immaturity".

[1]
[https://en.wikipedia.org/wiki/Public_opinion_brigades](https://en.wikipedia.org/wiki/Public_opinion_brigades)

~~~
serf
> I bet one of them will cite your comment as evidence of my "immaturity".

I have no clue whether or not your hunch is valid, but in the interest of good
will I edited the comment; too late for a delete from me.

Good luck, I hope your voice gets heard.

~~~
cryptbe
Thanks, appreciate it! Check out this comment:
[https://news.ycombinator.com/item?id=22991028](https://news.ycombinator.com/item?id=22991028).

------
dkdk8283
Contact tracing is a disaster. I've secured a forensic RF shielding bag for
my phone. I refuse to participate.

~~~
jariel
That's fine, then stay at home. You're a liability to the rest of us. It's
fair if you don't want to use it, but then you cannot go anywhere near any
other person, because you're putting everyone at risk.

~~~
Avamander
By going out you're already putting people at risk, tracker or no tracker
attached. You and people like you, thinking this is a perfect solution, are
actually a bigger liability to public health.

~~~
jariel
"By going out you're already putting people at risk, tracker or no tracker
attached"

This is completely false because, with contact tracing, we can
probabilistically determine who is likely to have had contact and therefore
be infected, which is a proven technique for the suppression of COVID.

Korea has implemented this solution, it works, and their economy is open.

By venturing outside _without_ contact-tracing - we know the results: Italy,
Spain, etc.

Just the opposite ... it's the 'privacy fanatics' who are having difficulty
grasping a situation that hits at their preconceived sensitivities.

'Just go outside' will kill us quickly.

'Shelter in place' will kill us slowly.

'Contact tracing' policy (follow-up, quarantine for those affected) means we
can go about our business roughly as normal with only the slight inconvenience
of having an 'app' on our phones and possibly wearing masks.

I'm sorry but it's the anti-contact tracing people that are the tip of the
anti-science community right now.

Anti contact tracing people are the new 'anti-vaxxers'.

~~~
Avamander
> suppression of COVID.

Exactly _suppression_, not prevention. If you're immunocompromised, old or
in a risk group, which most Americans are, you're s* out of luck, even with
the app, you can't really go outside.

People thinking contact tracing is the silver bullet are just delusional or
outright dangerous. Especially if those people also think contact tracing
can't be done privacy-friendly.

~~~
jariel
"People thinking contact tracing is the silver bullet are just delusional or
outright dangerous."

Your ad-hominems are inappropriate, especially since you are misreading the
point and inventing your own interpretation.

Nobody is indicating that 'contact tracing' is a 'silver bullet' and nobody is
indicating that 'people won't' die - obviously, dangers exist.

However, the results of the 'contact tracing' policy here [1] are
extremely effective.

There are fewer than 250 deaths in South Korea, a population of 24 million - and
they do _not_ have 'shelter in place' orders.

This is very clear scientific evidence of an outstandingly effective solution
against COVID, by far the best approach for those nations that cannot hope to
eradicate it / keep it out like Taiwan.

America has tens of thousands dead and an economy that is hurtling towards
death with millions unemployed, trillions in bailouts, the worst existential
calamity since WW2, and everyone is locked in their homes.

The Koreans have very effectively dealt with the problem, kept harm way down,
and their economy is mostly functional.

Privacy is obviously a concern but it's nowhere near the threshold for
contemplating existential collapse.

Given the choice between 'stay at home' and 'contact tracing' - over 99% of
people would choose 'contact tracing'.

[1] [https://www.worldometers.info/coronavirus/country/south-korea/](https://www.worldometers.info/coronavirus/country/south-korea/)

------
moneysake
Very interesting

------
cryptbe
Author here. One interesting aspect that I've learned is the tactics,
techniques, and procedures (TTPs) of public opinion brigades, aka Force 47.

They tried hard to discredit me. My initial report had an error, that is, I
didn't know that Bluetooth on Android needs ACCESS_FINE_LOCATION permission. A
person pointed this out in a comment -- he posted and rewrote it three times.
I said thank you and thought that's that, but then he and a bunch of new
people commented that since I made that basic mistake I'm immature and
inexperienced, therefore the rest of my findings have no merit.

Someone then posted a super long comment, raising a lot of questions about my
credibility and intention. The interesting thing is they claimed that they're
a student, haven't installed the app, have no intention to do so, but care a
lot about privacy. Essentially they want to show that they're merely an
underdog bystander standing up against my wrongdoings. I thought this is a
very subtle psychological trick, aiming to amplify their attacks.

Other attacks are more direct. For example, a person pointed out that since I
don't have many followers on Twitter, I'm not a good engineer. They said I
didn't really contribute anything to my public research, but I just took
credit from my coauthors. That I am only cleaning toilets at Google, there's
nothing proud about that.

After I posted a rebuttal to the developers' rebuttal, a guy [2] dropped this
one-line comment:

> cái vụ này bắt đầu thấy nhảm rồi. Lập luận của anh Thái cũng không còn chặt chẽ như trước nữa.

Which translates to "This is getting nonsense. Thai's argument is not as
strict as before".

The title of the guy's blog [3] is, I kid you not, "There's always only one
truth: Communist Party of Vietnam."

[1]
[https://en.wikipedia.org/wiki/Public_opinion_brigades](https://en.wikipedia.org/wiki/Public_opinion_brigades)

[2]
[https://www.blogger.com/profile/17567201928186857755](https://www.blogger.com/profile/17567201928186857755)

[3] [http://phichnuocnong.blogspot.com/](http://phichnuocnong.blogspot.com/)

~~~
makomk
If I remember rightly, requiring ACCESS_FINE_LOCATION for certain uses of
Bluetooth on Android is a relatively new thing and the two used to be
completely independent of each other, so it's not even that surprising a
mistake to make.

