Olivia
Online
Marcel Körtgen
@mkoertg
Developer. Open Source Enthusiast. Life long learner. Loves Lean, Agile, TTD, XP & Doing t̶h̶i̶n̶g̶s̶ ̶„̶r̶i̶g̶h̶t̶“̶ the "right things". Works at @colen_io
North Rhine-Westphalia
Joined January 2015
1.1K Following
484 Followers
4.1K Posts
Is AI Profitable Yet? https://t.co/bfVlXslCOr
- Red Numbers everywhere (except for NVIDIA)
OWASP Dependency-Track 5.0 Is Now Generally Available https://t.co/9BnR066k57
Red-Hat-Infostealer kommt auf mehr als 100.000 Downloads https://t.co/Bkcwlbmtij
The Engineer Atlassian Laid Off Who Responded with a 38-Minute Documentary: What Every Leader Must Learn https://t.co/ege5UI9T3m
Video: https://t.co/9C5lcgZ6A3
Who to follow
AgileTrailblazers
@agiletbz
Blazing your path to Continuous Business Value Delivery
@mariuskarma
@mariuskarma
Technology improve the world! Use efficiently #ML &DL #BigData #Analytics #AI #BI #Raspberry_PI #Python #ETH #tensorflow #web #api #BTC #Dapps #blockchain
Jamie Phillips
@EagleAgile
agile believer. scrum master. collaboration transparency experimentation . just say no to best practices. #agilemindset
I'm genuinely stunned by how many people push back on the #EU #ageVerification issues with "it's a demo, it's not a production app... don't you understand?!"
When the President of the EC publicly states it's "technically ready, reaches the highest standard of privacy and go check the code"... it shouldn't come as a surprise when someone does just that.
There's a growing number of people screaming "it's protected by Android, this is a non-issue".
I don't know about you... but I'd rather have a few layers of substantial security to protect my biometric data than rely on a 3rd-party layer which may fail or have bugs/flaws of its own. This app was supposed to set a standard, not fall back to one.
Let's shift focus and explain why the #EU #AgeVerification concept is fundamentally flawed.
Assume:
1. The production app is released.
2. It's 100% secure, 100% private (fantasy land, but stick with me)
3. It cryptographically challenges every step, including hardware attestation which requires a physical device.
4. Every single other attack vector in the surrounding environment is somehow magically patched.
aka - it's working exactly as intended/designed.
It does not protect against a relay attack.
This is a threat they considered and somewhat addressed here: https://t.co/9sYkz8voCF
With the current design, there's nothing preventing someone running a verification-as-a-service; a remote Android device which returns a valid attestation. Remember, it's not returning "I am over 18", it returns "someone is over 18". Neither the verifier, nor the app has any way to link the session ID to a physical device.
Their own docs state this clearly:
Remote Cross-Device Presentation:
"Note that the Wallet Instance does not see any difference between the cross-device flow and the same-device flow. In both cases, it receives an OpenID4VP-compliant presentation request over the Wallet Instance-platform API described in the previous section."
This is a known & well-understood attack vector in all remote credential presentation models; it's just not mitigated in this one... primarily because they can't. CTAP 2.2 won't work with all app flows, hardware attestation doesn't mitigate relay attacks, on-demand liveness detection would be too intrusive & potentially privacy-invasive & timing calculations don't reveal anything useful... all the available options to resolve this break the core design; completely anonymous age verification.
The Architecture & Reference Framework (ARF) is technically sound in some respects. They considered external threat actors and discussed solutions to mitigate them, including ZKP. However, the EC applied the wrong threat model, thus arriving at the wrong conclusion.
Yes, you need to protect against malicious verifiers, phishing sites, session hijacks, data brokers et al... but that's addressing external threats, it doesn't protect the architecture from the user itself.
In virtually every other scenario, the user and system's interests are aligned; protect my biometric asset at all costs.
Specifically for age verification, most users do not want to present ID simply to access a website, so whilst the system may adequately protect from external threats, if the user wants to bypass the system, they can... and the architecture doesn't consider this.
Every single applied mitigation assumes the user is the protected party, not the threat actor.
To those people claiming "it requires physical access to the device and root, this is BS/hyperbole", you too applied the wrong threat model & completely missed the point. These disclosures demonstrate that you, the user, are the threat actor they haven't considered.
You have your device.
You can root your device.
You can create a chrome extension, just as I did.
Ironically, it's precisely those under 18 who can't pass verification who are motivated to bypass it.
So where does that leave us?
A system which replaces "I am over 18" with "someone is over 18", with absolutely no guarantee that it's true... which is the entire purpose of the app.
Ingress-nginx End-of-Life: What cert-manager Supports Today and What's Coming https://t.co/rOUlPREx6g
The End of kubernetes/ingress-nginx: Your March 2026 Migration Playbook https://t.co/AlAJuCie2J
If you’re serious about system design this year,
learn these 12 concepts:
1. How JWT Works
↳ https://t.co/Kuv7DAj6B9
2. Idempotency in API Design
↳ https://t.co/2sItwlz1oe
3. ACID vs BASE
↳ https://t.co/a7nOyylUxk
4. How Observability Turns Alerts Into Insight
↳ https://t.co/VjfECfyB9d
5. Rate Limiting Explained
↳ https://t.co/wr0UAh4sJm
6. Message Queues Explained
↳ https://t.co/7Tz5sevNA8
7. Change Data Capture (CDC)
↳ https://t.co/tgwwoTitCA
8. Connection Pooling
↳ https://t.co/39SsEo4kk3
9. How Consistent Hashing Works
↳ https://t.co/8d8o74EsaS
10. SQL vs NoSQL
↳ https://t.co/oDTRpsnQUn
11. Health Checks vs Heartbeats
↳ https://t.co/r5SalP6CCh
12. API Protocols
↳ https://t.co/2CEu4Wnhsv
What other concepts should be on this list?
--
👋 PS: Want my 𝗦𝘆𝘀𝘁𝗲𝗺 𝗗𝗲𝘀𝗶𝗴𝗻 𝗛𝗮𝗻𝗱𝗯𝗼𝗼𝗸 𝗳𝗼𝗿 𝗳𝗿𝗲𝗲?
Want my 𝗔𝗿𝗰𝗵𝗶𝘁𝗲𝗰𝘁𝘂𝗿𝗲 𝗣𝗮𝘁𝘁𝗲𝗿𝗻𝘀 𝗣𝗹𝗮𝘆𝗯𝗼𝗼𝗸 𝗳𝗼𝗿 𝗳𝗿𝗲𝗲?
Join my newsletter with 26,501+ software engineers: https://t.co/OQtXb4zMoe
--
🔖 Save for later.
♻️ Repost to help others learn system design.
➕ Follow Nikki Siapno + turn on notifications.
Supercharge Your Test Coverage with GitHub Copilot Testing for .NET - .NET Blog https://t.co/AVI0fOIqXo
Curly COMrades: Evasion and Persistence via Hidden Hyper-V Virtual Machines https://t.co/M03KEtzLPD
Kritische Infrastruktur: Bundestag verabschiedet NIS2-Gesetz https://t.co/o4xYKFwRIN
Security Advisory: CVE-2025-49844 | Redis https://t.co/plb82nH3xw
New Features in Java 25 | Baeldung https://t.co/VPrvVnJAEv
The History of Core Web Vitals https://t.co/O2aJEoKqmy
Introducing Safe Chain: Stopping Malicious npm Packages Before They Wreck Your Project https://t.co/4hzveVVwcT
make container images smaller and more secure with slimtoolkit
npm debug and chalk packages compromised https://t.co/965bzYmUmD
DocumentDB joins the Linux Foundation - Microsoft Open Source Blog https://t.co/04wJ6WWrOs
Why Data Sovereignty Is Driving Hybrid Cloud Adoption https://t.co/gtP04jgRph
Last Seen Users on Sotwe
Most Popular Users
Elon Musk 
@elonmusk
240.6M followers
Barack Obama
@barackobama
119.2M followers
Donald J. Trump
@realdonaldtrump
111.7M followers
Cristiano Ronaldo
@cristiano
110.5M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.6M followers
NASA
@nasa
92.2M followers
Justin Bieber
@justinbieber
90.9M followers
KATY PERRY
@katyperry
87.6M followers
Taylor Swift
@taylorswift13
81.5M followers
Lady Gaga
@ladygaga
73M followers
Virat Kohli
@imvkohli
69.8M followers
Kim Kardashian
@kimkardashian
69.8M followers
YouTube
@youtube
68.7M followers
Bill Gates
@billgates
63.9M followers
Neymar Jr
@neymarjr
62.6M followers
The Ellen Show
@theellenshow
62.4M followers
CNN
@cnn
61.9M followers
X
@x
60.8M followers
Selena Gomez
@selenagomez
60.7M followers