Corona Warning App – Manufacturers Use Free Software




Questionable practice

Has everything just been stolen? This is how the anti-corona application “Luca” was created

“Of course miracles are not expected”

Smudo of Die Fantastischen Vier co-developed the contact-tracing app “Luca”. Mecklenburg-Western Pomerania is the first federal state to use it. In the WELT conversation, the musician explains how the application can help fight the pandemic.

More and more federal states rely on the “Luca” Corona warning app. Now the creators have revealed how the program came about. Many components were simply copied together. The creators’ hasty apology leaves crucial questions unanswered.

Mecklenburg-Western Pomerania is already using it, and Berlin, Brandenburg, Baden-Württemberg, Hesse, Lower Saxony and Thuringia are planning to introduce it: the Corona contact-tracing app Luca from the Berlin start-up Culture4life has celebrated some sales successes in recent weeks.

All of these federal states rely on the app for their reopening plans. It aims to enable health authorities to trace contacts quickly and securely after infections at events, restaurants and stores, without paper forms.


The app had received a lot of media attention because it was advertised by cultural workers, including German rapper Smudo (real name Michael Schmidt). Smudo co-financed the project and began promoting it.

But at the same time, the app’s creators have received increasing criticism from various sides in recent weeks: until now, it has not been revealed how exactly the Luca app processes user data securely, wrote Anke Domscheit-Berg, member of the Bundestag (Die Linke), on Twitter.


Security experts warned about the implementation of user data encryption in the application. How exactly the server processes user data has not yet been revealed.

The conference of independent data protection authorities of the federal and state governments clearly criticized the app’s underlying concept in a statement: all users’ data would be stored encrypted, but centrally on an operator’s server.

Mockery and ridicule for the developers

All health authorities would also have “the same keys to decipher the contact information” in hand. “This carries the avoidable risk that spying or misuse of these keys could lead to unauthorized access to a large amount of data centrally managed by the system,” warn those responsible for data protection. “Therefore, a successful attack on the systems of Culture4life GmbH can jeopardize the security of the entire system.”

On Tuesday, after Culture4life had closed deals with the federal states in recent weeks, the creators released the application’s source code for review and quickly earned contempt and ridicule. As programmers discovered, Luca’s creators had made use of open source program modules, but in doing so had simply removed the required license and copyright notices from the third-party code in their program, a step considered absolutely unacceptable among developers.

Several experts publicly pointed out the copyright infringement. Hacker group “Zerforschung” revealed in an initial analysis that Luca may have violated the license conditions by unceremoniously publishing the copied code under its own, significantly more restrictive license.

Only after clear criticism was Philipp Berger, CTO of software developer Nexenio, which is behind Luca and Culture4life, quick to apologize. At the same time, Luca’s makers subsequently adjusted the license for their program code on Wednesday morning and switched to a common GPLv3 license. If the creators had continued to violate the license terms of the third-party code they used, the Luca app would have risked being banned from Apple’s App Store, among other things.

No response from the CTO

Luca had also included provisions in its terms of use that do not conform at all to the concept of open source: the creators prohibited, among other things, any form of vulnerability analysis, and analysis of the source code was also to be prohibited.

Anyone who wants to ensure that their own application meets its self-proclaimed high security standards does not prohibit such analyses. On the contrary: it is more common in the industry to invite experts to open tests and reward them for any weaknesses found.

It is still questionable how securely the application is designed on the server side, because Luca’s programmers have not yet released any server code. This must first be “prepared,” says CTO Berger on the Gitlab site. Despite criticism from other developers, Berger did not answer why the code could not simply be released immediately, as required by federal and state data protection authorities.

Schwesig and rapper Smudo explain how to use the Luca app

Mecklenburg-Western Pomerania was the first federal state to acquire a license for the Luca app, which is supported by rapper Smudo, among others. Prime Minister Schwesig and Smudo explain here exactly how contact tracing should work.
