Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

Old 10-19-2021, 10:37 AM   #381
Bring_Back_Shantz

Quote:
Originally Posted by tvp2003 View Post
In case anyone was wondering, they had scanners at the game last night and were able to scan the provincial QR codes (despite earlier information stating they would not be doing so, at least right away). Had no issues; did have to show photo ID though.

I also note that the Flames website no longer appears to make any reference to PortPass. https://www.nhl.com/flames/fans/vaccination-policy
Yeah I tried using my QR code last night (had just the QR code).
The kid who did the scanning told me I need to show him the card with the dates of my vaccinations, because "The QR only tells me if it's valid".
I decided not to go full Karen and just showed him my paper copy (I did tell him, "No, the whole point of the QR is that I only need to show it, when it scans as valid, that's my proof of vaccination.")
I know it wasn't his fault, he was just some kid, but come on CSEC, get your **** together on this and give these folks the information they need to succeed here.
__________________
THE SHANTZ WILL RISE AGAIN.
<-----Check the Badge bitches. You want some Awesome, you come to me!
The Following User Says Thank You to Bring_Back_Shantz For This Useful Post:
Old 10-19-2021, 12:16 PM   #382
Northendzone

so out of curiosity, how did getting into the dome go? was it much slower than the good old days
__________________
If I do not come back avenge my death
Old 10-19-2021, 12:20 PM   #383
CSharp

Quote:
Originally Posted by Bring_Back_Shantz View Post
Yeah I tried using my QR code last night (had just the QR code).
The kid who did the scanning told me I need to show him the card with the dates of my vaccinations, because "The QR only tells me if it's valid".
I decided not to go full Karen and just showed him my paper copy (I did tell him, "No, the whole point of the QR is that I only need to show it, when it scans as valid, that's my proof of vaccination.")
I know it wasn't his fault, he was just some kid, but come on CSEC, get your **** together on this and give these folks the information they need to succeed here.
It's good that the kid is actually doing his job. He should get a raise!
Old 10-19-2021, 12:24 PM   #384
CSharp

Quote:
Originally Posted by Pellanor View Post
Okay, let's see if I can explain this better.

Here is a token
It contains your vaccine info
along with some other technical info, and finally a signature that can be used to verify that the information is correct. It's stored in this format, rather than the easier to read format, so you can easily stick it in a link for an app on your phone to open.


On the government servers, they have your vaccine information, along with a Private Key. This key is what they use to generate signatures, and involves a bunch of complex math. Basically Data + Private Key = Signature. Though it's important to note that you can't use the data + signature to calculate the private key.
When you got your QR code from the government site, they use your data, sign it with the private key, and encode the whole token into the QR code.

On the app used by whoever is verifying your vaccine information is a Public Key. This key was generated by the government based on their private key and can be used to verify signatures. Given Data + Public Key + Signature and some complex math you can calculate if the data is valid. The public key is never enough to sign something, it's only ever able to verify a signature. For this reason it's safe for the government to give out.

So somebody scans your QR code with their fancy app, they get the token, and the app uses their public key to verify that the data matches the signature. If the data was altered, but not the signature, they get an error because the signature doesn't match the data. If somebody alters the data and signs it with their own private key, then you still get an error because the public key can't verify signatures made with different private keys.



The website I linked, jwt.io, is basically a sandbox for playing with and testing these types of tokens. It's how I was able to generate the example so easily. Since this is an open standard that a lot of the web runs on, there are a lot of libraries out there that do all the heavy lifting and complex math for you. I can go get whatever library that Google or Facebook uses, give it my user data and private key, and it will create the token for me. On my app I can use the same library and my public key to verify the data. There's more to it than just that for a proper and secure implementation, for example you need a good way to store your private keys so not everybody at your organization has access to them, but the government is likely to have most of that infrastructure in place already. So just generating some signed QR codes would be pretty straightforward.

Of course this is just one way that the data could be signed and verified. It's the one I'm most familiar with, and quite popular, but there are plenty of other formats as well.
Oh FFS! this can be decoded with Base64 decryption. You don't even need a key to see most of the content! What a joke!

Last edited by CSharp; 10-19-2021 at 12:28 PM.
Old 10-19-2021, 01:15 PM   #385
Weitz

Quote:
Originally Posted by Northendzone View Post
so out of curiosity, how did getting into the dome go? was it much slower than the good old days
Was real quick and easy. In fact the ticket scanners were so lackadaisical that we went in without our tickets getting scanned...
Old 10-19-2021, 01:32 PM   #386
Bring_Back_Shantz

Quote:
Originally Posted by CSharp View Post
It's good that the kid is actually doing his job. He should get a raise!
I mean, he told me that my secure/valid proof of vaccine was no good and insisted I show him an insecure piece of paper, while I was specifically in the line to use the QR code.

So sure, he was doing his job, but he wasn't doing it properly.
I'm not mad at him. I think it's been pretty clear through all of this that CSEC has done a terrible job managing the proof of vaccination requirement (see Portpass), and equipping their staff with the tools/information to deal with it (Not training the kid on what the QR Code is for, and the form responses to season ticket holders about Portpass).

CSEC hasn't done a lot to give me confidence that they are doing a good job with the whole proof of vaccination policy.
__________________
THE SHANTZ WILL RISE AGAIN.
<-----Check the Badge bitches. You want some Awesome, you come to me!
Old 10-19-2021, 02:08 PM   #387
GioforPM

The kids at the movie theatre just looked at my QR code. Didn’t scan it. Just looked. LOLOL
Old 10-19-2021, 02:12 PM   #388
chedder

Quote:
Originally Posted by GioforPM View Post
The kids at the movie theatre just looked at my QR code. Didn’t scan it. Just looked. LOLOL
This whole thing is grinding down. Look in the Saddledome. Barely any mask compliance. I was in two stores and a post office this morning where several people had no masks on. The only thing that's going to end this is keeping the uptick in vaccinations going and, dare I say it, herd immunity from the morons (and hope for no worse variants).
Old 10-19-2021, 03:11 PM   #389
tvp2003

Quote:
Originally Posted by Northendzone View Post
so out of curiosity, how did getting into the dome go? was it much slower than the good old days
Been to a Stamps game (no scanner, just visual verification) and now a Flames game (scanned QR code) and both times it was quite easy (you do the vaccine verification separate from the person scanning your ticket so it doesn't really add much additional time since people still have to go through the metal scanners, etc).
Old 10-19-2021, 04:36 PM   #390
ZedMan

Quote:
Originally Posted by CSharp View Post
Oh FFS! this can be decoded with Base64 decryption. You don't even need a key to see most of the content! What a joke!

Technically that's decoding, not decrypting. It's not encrypted. It contains the same information as the paper record. If you wanted to encrypt it you would either have to distribute the encryption key in the app (rendering the encryption useless) or set up an external validation service, making the app require an internet connection at all times and introducing a single point of failure to the whole verification system.
The Following 4 Users Say Thank You to ZedMan For This Useful Post:
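
The sign-and-verify flow Pellanor describes, together with ZedMan's point that the payload is only encoded, as an added example that is not part of any post in this thread and not the code of any real verifier app. It assumes a JWT-style token signed with ES256; the function names, key pairs and sample record are constructed for illustration, and the real QR code format is not shown on this page.

```javascript
const crypto = require("crypto");

const b64u = (v) => Buffer.from(v).toString("base64url");
const SIG_OPTS = { dsaEncoding: "ieee-p1363" }; // raw r||s form used by ES256

// Issuer: data + private key -> signature, all packed into one token string.
function issueToken(payload, privateKey) {
  const header = { alg: "ES256", typ: "JWT" };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const sig = crypto.sign("sha256", Buffer.from(input), { key: privateKey, ...SIG_OPTS });
  return `${input}.${sig.toString("base64url")}`;
}

// Anyone can read the payload: base64url is an encoding, no key is involved.
function decodePayload(token) {
  return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));
}

// Verifier: data + public key + signature -> payload if valid, else null.
function verifyToken(token, publicKey) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header;
  try { header = JSON.parse(Buffer.from(h, "base64url").toString("utf8")); } catch { return null; }
  // Pin the algorithm; never let the token pick it (e.g. "none").
  if (!header || header.alg !== "ES256") return null;
  const ok = crypto.verify("sha256", Buffer.from(`${h}.${p}`),
    { key: publicKey, ...SIG_OPTS }, Buffer.from(s, "base64url"));
  return ok ? decodePayload(token) : null;
}

// Replace the payload but keep the old signature (what an edited QR would carry).
function alterPayload(token, newPayload) {
  const [h, , s] = token.split(".");
  return `${h}.${b64u(JSON.stringify(newPayload))}.${s}`;
}

function demo() {
  // Constructed key pairs: "gov" is the trusted issuer, "other" is anyone else.
  const gov = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const other = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const record = { name: "Sample Person", doses: 2 }; // constructed sample record
  const token = issueToken(record, gov.privateKey);
  return {
    readableWithoutKey: decodePayload(token).doses,
    genuine: verifyToken(token, gov.publicKey),
    altered: verifyToken(alterPayload(token, { ...record, doses: 3 }), gov.publicKey),
    wrongKey: verifyToken(issueToken(record, other.privateKey), gov.publicKey),
  };
}
console.log(demo());
```

Being able to read the payload without a key is expected and does not weaken the scheme: what the scanner trusts is the signature check against the issuer's public key, which is why both the altered token and the token signed by a different key come back as `null`.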
Old 10-28-2021, 03:49 PM   #391
Inglewood Jack

hey guys remember PortPass? new and improved updates to Blockchain and AI released this week!

https://www.cbc.ca/news/canada/calga...date-1.6229034

Quote:
CBC News contacted Portpass CEO Zak Hussein on Monday about the unsecured data. He agreed to an interview on Tuesday evening, in which he said he had no idea the users' records were still accessible.

"I was unaware of that," Hussein said. "That's crazy."

At that point, Hussein said he was considering pulling the plug on Portpass, especially considering that provincial governments in Alberta and Ontario have since launched their own proof-of-vaccination apps.

"Maybe we need to just take down this app, because there's just all this going on and it's not worth it," he said. "I mean, I haven't even made a dollar on this."

Hussein said he needed to talk to his software developer about next steps.

"I'm just going to tell them to turn off the app," he said.

CBC News agreed to give Hussein a day to sort that out, and not publish anything about the ongoing data exposure in the meantime, in order to limit potential risk to users whose personal information remained unsecured.

Hussein did not take the app down, however, and instead updated the software.

The iOS version of Portpass shows an update was released on Wednesday, with the note: "Improved security of the app."

As of Thursday afternoon, however, user data remained available online, albeit through a different method than before.

"This update essentially does nothing," said Rida F'kih, a Calgary-based software developer who noticed the vulnerabilities in the Portpass app.

"The user data is still completely accessible."
The Following 6 Users Say Thank You to Inglewood Jack For This Useful Post:
Old 10-28-2021, 04:31 PM   #392
Fuzz

CSEC should sue them out of existence. Though they would then have to admit they got hoodwinked by this guy, and did zero due diligence before flogging it to their customers as a necessary thing.
Old 10-29-2021, 07:24 AM   #393
GordonBlue

Quote:
Originally Posted by Fuzz View Post
CSEC should sue them out of existence. Though they would then have to admit they got hoodwinked by this guy, and did zero due diligence before flogging it to their customers as a necessary thing.
hopefully this exposed him enough that it's much harder for him on his next grift.
Old 10-29-2021, 08:40 AM   #394
Fire

Quote:
Originally Posted by Fuzz View Post
CSEC should sue them out of existence. Though they would then have to admit they got hoodwinked by this guy, and did zero due diligence before flogging it to their customers as a necessary thing.
CSEC should feel lucky they haven't been sued yet.
__________________

The Following User Says Thank You to Fire For This Useful Post:
Old 10-29-2021, 09:55 AM   #395
rohara66

My ticket rep responded to me the other day regarding their 'investigation'.


Quote:
I spoke with my manager and the update is that the independent audits did not find any breaches within PORTPass. Their company will be releasing more information in the coming weeks, we are not sure what day that will be coming out though.

Due to the new Alberta Health QR Code that has been released we are moving towards that form of authentication for attending games and events at the Saddledome, and moving away from PORTPass.

If you have any other questions please let me know.

Kind regards,

And yes, they're lucky they haven't been sued yet.
Old 10-29-2021, 04:26 PM   #396
klikitiklik

So it was noted in another thread, by several posters, that the Flames are a class act when it comes to dealing with issues the right way. Remember Bill Peters? That's how you do it.

So why have they not handled this issue? I'm still pissed about this and am wondering what happened to the data that was compromised? Where is that data? What happened to another public comment? What did your investigation reveal? Why were customers directed to these crooks?

Who has been fired and how have you made the situation right?

Flames won't answer.

We can't let this be forgotten because we've won some games.
__________________
Old 10-29-2021, 05:19 PM   #397
tvp2003

I’m wondering if the guys that can apparently access this data can go ahead and hack the site in order to shut it down. Or at the very least delete the information that they have stored.

Because it’s clear that the CEO here is either too stubborn or too dense (perhaps both?) to do it himself.
Old 10-29-2021, 05:25 PM   #398
Inglewood Jack

Quote:
Originally Posted by rohara66 View Post
My ticket rep responded to me the other day regarding their 'investigation'.





And yes, they're lucky they haven't been sued yet.
oh are they referring to PortPass's own press release this week?

https://portpass.ca/press-releases/l...tober-25-2021/

it's hilarious that this was posted while CBC has been gleefully hacking away at the site and continuing to download sample data for their article the next day.
Old 10-29-2021, 07:48 PM   #399
OmegaV4

So...just to clarify...


If I'm heading to the game in the near future...do I still need this unsecure PortPass app, or can I just show my Alberta QR code and my ID?
Old 10-29-2021, 07:53 PM   #400
TorqueDog

Use your Alberta Health QR code. In the meanwhile, e-mail support@portpass.ca and demand they delete your data and your account from their service at once.

Quote:
Per the PORTPass Privacy Policy, “5. Choices and Rights over your Personal Data”, I am formally notifying PORTPass of the following:

1. All my ([your name], youraccount@email.address) personal data is to be deleted from the Service immediately.
2. I immediately withdraw consent for all of my personal data that was previously granted to PORTPass. Consider this the written request per the Privacy Policy needed to revoke such permissions previously granted.
3. Upon deletion of all personal information stored on the Service and in care of PORTPass, my PORTPass account is to be closed and deleted.
Please notify immediately once the above has been acknowledged and completed.
__________________
-James
GO
FLAMES GO.
The Following 4 Users Say Thank You to TorqueDog For This Useful Post: