@lastknight @schiva_questa It should also be said that there are people who can have it... and will have it exclusively because it is contested. It's a beautiful world 😁
Let's talk about AI.
Henri Bergson, 1907, L'Évolution créatrice. There is a wasp, the Sphex, that paralyzes the caterpillar its larva feeds on by striking it with its sting in exactly the right nine nerve ganglia, in sequence, with no margin for error. It has never studied anatomy. It has never studied anything. It just does it, from the very first time, perfectly, every time.
Bergson dwells on that gesture and tries to answer a question that today sounds stupid and is instead the most serious of all: what exactly are we talking about when a creature performs a prodigious act without knowing what it is doing? He calls it instinct, distinguishes it from intelligence, and makes one thing clear: if the wasp does not know, something knows through it.
But we haven't talked about AI.
@Pinperepette I imagine it's a combo; it found vulnerabilities in things that had already been fuzz-tested.
The truth lies in the middle, I imagine: AI that, looking at code, determines more targeted fuzzing.
Let's shift focus and explain why the #EU #AgeVerification concept is fundamentally flawed.
Assume:
1. The production app is released.
2. It's 100% secure, 100% private (fantasy land, but stick with me)
3. It cryptographically challenges every step, including hardware attestation which requires a physical device.
4. Every single other attack vector in the surrounding environment is somehow magically patched.
aka - it's working exactly as intended/designed.
It does not protect against a relay attack.
This is a threat they considered and somewhat addressed here: https://t.co/9sYkz8voCF
With the current design, there's nothing preventing someone running a verification-as-a-service; a remote Android device which returns a valid attestation. Remember, it's not returning "I am over 18", it returns "someone is over 18". Neither the verifier, nor the app has any way to link the session ID to a physical device.
Their own docs state this clearly:
Remote Cross-Device Presentation:
"Note that the Wallet Instance does not see any difference between the cross-device flow and the same-device flow. In both cases, it receives an OpenID4VP-compliant presentation request over the Wallet Instance-platform API described in the previous section."
This is a known & well-understood attack vector in all remote credential presentation models; it's just not mitigated in this one... primarily because they can't. CTAP 2.2 won't work with all app flows, hardware attestation doesn't mitigate relay attacks, on-demand liveness detection would be too intrusive & potentially privacy-invasive & timing calculations don't reveal anything useful... all the available options to resolve this break the core design; completely anonymous age verification.
The Architecture & Reference Framework (ARF) is technically sound in some respects. They considered external threat actors and discussed solutions to mitigate them, including ZKP. However, the EC applied the wrong threat model, thus arriving at the wrong conclusion.
Yes, you need to protect against malicious verifiers, phishing sites, session hijacks, data brokers et al... but that's addressing external threats, it doesn't protect the architecture from the user itself.
In virtually every other scenario, the user and system's interests are aligned; protect my biometric asset at all costs.
Specifically for age verification, most users do not want to present ID simply to access a website, so whilst the system may adequately protect from external threats, if the user wants to bypass the system, they can... and the architecture doesn't consider this.
Every single applied mitigation assumes the user is the protected party, not the threat actor.
To those people claiming "it requires physical access to the device and root, this is BS/hyperbole", you too applied the wrong threat model & completely missed the point. These disclosures demonstrate that you, the user, are the threat actor they haven't considered.
You have your device.
You can root your device.
You can create a chrome extension, just as I did.
Ironically, it's precisely those under 18 who can't pass verification who are motivated to bypass it.
So where does that leave us?
A system which replaces "I am over 18" with "someone is over 18", with absolutely no guarantee that it's true... which is the entire purpose of the app.
‼️🇪🇺 The EU's new Age Verification app was hacked with little to no effort.
When you set it up, the app asks you to create a PIN. But that PIN isn't actually tied to the identity data it's supposed to protect. An attacker can delete a couple of entries from a file on the phone, restart the app, pick a new PIN, and the app happily hands over the original user's verified identity credentials as if nothing happened.
It gets worse. The app's "too many attempts" lockout is just a counter in a text file. Reset it to 0 and keep guessing. The biometric check (face/fingerprint) is a simple on/off switch in the same file. Flip it to off and the app skips it entirely.
Hacking the #EU #AgeVerification app in under 2 minutes.
During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory.
1. It shouldn't be encrypted at all - that's a really poor design.
2. It's not cryptographically tied to the vault which contains the identity data.
So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app.
After choosing a different PIN, the app presents credentials created under the old profile and lets the attacker present them as valid.
Other issues:
1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying.
2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step.
Seriously @vonderleyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time.
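What "cryptographically tied to the vault" could look like, as an added example that is not the app's code and not from the post above: the vault key is wrapped under a key stretched from the PIN, so no PIN is stored and setting up a new PIN after the stored values are removed cannot reopen the old vault. All names are hypothetical, and stdlib PBKDF2 with an XOR wrap stands in for a hardware-backed keystore and an AEAD cipher.

```python
from __future__ import annotations
import hashlib
import hmac
import os

ROUNDS = 100_000  # assumed PBKDF2 work factor for this sketch


def _derive(pin: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the PIN into a 32-byte wrapping key and a separate MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ROUNDS, dklen=64)
    return okm[:32], okm[32:]


def _tag(mac_key: bytes, salt: bytes, wrapped: bytes) -> bytes:
    return hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()


def enroll(pin: str, vault_key: bytes) -> dict:
    """Build the record to persist; it holds no PIN, encrypted or otherwise."""
    if len(vault_key) != 32:
        raise ValueError("vault key must be 32 bytes")
    salt = os.urandom(16)  # fresh per enrollment, so the XOR pad is never reused
    wrap_key, mac_key = _derive(pin, salt)
    wrapped = bytes(a ^ b for a, b in zip(vault_key, wrap_key))
    return {"salt": salt, "wrapped": wrapped, "tag": _tag(mac_key, salt, wrapped)}


def unlock(pin: str, record: dict) -> bytes | None:
    """Return the vault key, or None when the PIN or the record is wrong."""
    wrap_key, mac_key = _derive(pin, record["salt"])
    expected = _tag(mac_key, record["salt"], record["wrapped"])
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(record["wrapped"], wrap_key))


def setup_after_wipe(new_pin: str) -> tuple[dict, bytes]:
    """PIN setup with no stored record: it can only wrap a brand-new random
    key, so credentials sealed under the old vault key stay unreadable."""
    new_key = os.urandom(32)
    return enroll(new_pin, new_key), new_key
```

A short numeric PIN can still be guessed offline from the stored record, which is why the attempt counter and the key material belong in hardware-backed storage rather than in an editable preferences file.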
🛡️ The new #EU app for verifying the age of minors is a sieve: biometric data exposed, system far too easy to bypass.
A project designed to protect young people that cannot even protect itself.
👉 https://t.co/Eh9hoPl9sN
#privacy #techpolicy
@SadlyItsBradley I made a prototype of a desktop viewer, Duplication API in OpenXR Godot that works with AVP with ClearXR.
Thinking about it, I have data and connection, need 'only' a mod to bind game camera
@lastknight They probably have a flag in the DB that distinguishes a big player like Nvidia from a minor one like La7, and a 'first time that' rule doesn't seem absurd to me. Or an AI that classifies odd cases to escalate to a human... anyway, it was just to say that I would put some of the blame on the ContentID system too.
@JShodanVR @WalkaboutMG Because the above was made with a patched version of OpenComposite, a tool that translates old OpenVR to OpenXR (like the old Revive for translating Oculus to OpenVR)