AndreasChris's recent activity

  1. Comment on I am looking for 100% ad-free apps for older adults with dementia. Things like jigsaw puzzles, coloring and the like. Paid is fine. in ~life

    AndreasChris

    There are actually 9 different apps by Cracking the Cryptic. The content is paid for, but it's great content. The Sudokus are hand picked and created by actual human setters, not simply autogenerated like many of the ones in daily newspapers. Simon and Mark just have an eye for beautiful logic.
    Personally I'd prefer it if they had just kept all variants in one App with newly released sudoku packs becoming available via in-app purchases, but installing many apps instead of one is just a minor inconvenience.
    Note that the more advanced puzzles do require some complex logical thinking to solve properly. I'm not sure if those are a particularly good fit for cognitively impaired elderly people.

    4 votes
  2. Comment on James Webb Space Telescope finds stunning evidence for alternate theory of gravity in ~space

    AndreasChris

    Fun Fact: 'Mond' is the German word for 'moon'. So I was very confused for a second when I did a quick scroll through the comments before reading the article. :D
    The acronym is disambiguated in the first paragraph of the article (Modified Newtonian Dynamics), but I agree that adding the acronym would only be useful to a very small subset of people.

    1 vote
  3. Comment on German government coalition collapses as Olaf Scholz sacks Finance Minister Christian Lindner in ~society

    AndreasChris

    Also the CDU moving even further to the right into AfD territory in order to win back voters is a questionable trend/strategy I'm afraid we'll see more of in the upcoming months.

    5 votes
  4. Comment on German government coalition collapses as Olaf Scholz sacks Finance Minister Christian Lindner in ~society

    AndreasChris

    It won't automatically trigger an election though and it'll be some time until it actually takes place. For now Olaf Scholz remains chancellor until he asks the parliament to vote on their trust in him. Only if the result is that they don't (which is to be expected in this scenario) he will suggest to the president to dissolve the parliament within 21 days, which will in turn trigger an election within 60 days.

    As things stand right now, the remaining members of the government (who remain in their positions for now) plan to let the parliament vote on some legislation they consider absolutely necessary throughout December. We'll see how that pans out. Only in the week of January 15 will Olaf Scholz have them vote on their trust in him, which will trigger the abovementioned events.

    There are some other alternatives (such as forming a government with a different constellation of parties that have a majority in parliament), but they are rather unlikely.

    This means the election will only take place in March 2025, which is quite some time for majorities to shift. But if an election were to be held today, polls suggest the conservative center-right CDU would be the strongest party with 34% of votes. Unfortunately the far-right AfD is also polling at around 17% at the moment. The center-left SPD (of which Olaf Scholz is a member) currently holds at around 16%, the Green party (their coalition party) at 11%, and the FDP (of which Christian Lindner is a member) at only 4% - which would mean FDP would actually drop out of parliament with this result, which may be one of the reasons they lately refused almost everything the other two wanted to do in a not overly constructive manner.

    All in all I'm not overly optimistic (- for the record, I'm no fan of CDU and FDP, but the comparatively strong AfD is the most concerning thing about the current polls), but as I said above, history has shown that 4 months can change quite a bit with regards to polls, especially if party leadership changes in the meantime.

    Edit: initially got the date in January slightly wrong. It's 15, not 6.

    10 votes
  5. Comment on Can/should Tildes pull out of search engine results? in ~tildes

    AndreasChris

    No. I don't think search engines should be blocked in any way. What good does it do if people voice constructive arguments with regards to a variety of topics, but no one randomly researching that topic outside of tildes can find them. Tildes is already invite only and maintains an invite tree to regulate spam. I believe that's enough. The platform itself is and should be public by design. Private/Restricted information that should not be accessible to everyone should not be posted here in the first place.

    Reddit just recently struck a deal with Google, resulting in all other search engines effectively no longer being able/allowed to scrape the platform. I remember the good old days when you could google on a search engine of your choice, append inurl:reddit.com to it, and find active solution-oriented threads for most issues. It's sad those days are over, and reddit has become an arbitrarily restricted mess full of fluffy content without substance.

    Let's not go down the path of creating an isolated tildes filter bubble that can't even be found from the outside world without insider knowledge. I for one want public posts to be as easily accessible for everyone. If all constructive discussions were hidden in some manner, how would anyone find anything anymore. That's not how freedom of information works.

    14 votes
  6. Comment on Valorant is winning the war against PC gaming cheaters in ~games

    AndreasChris

    > My friend, I just downloaded System Informer (portable), opened it with no admin access, and told it to dump the strings from my Firefox process. I can clear as day see the browsing history of various pages I had open.

    You are partially correct. I still stand by my claim that virtual address spaces of different user space processes cannot be directly accessed by another user level process (without requesting help from the OS). However, Windows does provide a ReadProcessMemory and WriteProcessMemory debug API. With this API another process can access the memory of a different process of the same privilege level AND the same user, as long as security features such as PPL are not enabled for the process at hand. Arguably it would be nicer to have strict process isolation enabled by default and have the user explicitly confirm usage of the abovementioned API for a given process.

    The important difference between using the API and directly accessing the memory as a kernel space application is that the API has well-defined behaviour controlled by the operating system and can be subject to a number of security restrictions (although some aspects of the default security model of Windows may need to be rethought), whereas an application in kernel space can circumvent any OS imposed restriction whatsoever.

    Maybe the question why game companies want to use kernel level access in the first place is a good question to ask. They want to be able to scan the memory and monitor the behaviour of arbitrary applications. Why would they need kernel level access in the first place if this were possible in an unrestricted manner for userspace applications?

    > But your comment about Wayland is the future I’d desire.

    Note that my comment regarding Wayland may be a bit misleading. Wayland does consider any application untrusted, and thus isolates them against each other on the level it is operating at. Wayland is however just a communication protocol for UIs and does not consider the lower OS levels. The default security model of Linux systems is user-based. So any process with the same UID is in principle considered trusted. There are additional isolation mechanisms (namespaces, cgroups, ACLs), but those may need to be explicitly configured to model a more restrictive security model all the way down to the lowest level.

    > Better isolation, no kernel-level access for anyone.

    Yes, I agree, better isolation is absolutely desirable, and kernel access is something that should not be used lightly.
    But personally I do also believe in user agency in so far that a system administrator should be able to make an informed decision to have something run at an arbitrarily high privilege level, but it should never happen implicitly, unnecessarily, or by default. The reason I say this is that I've seen the other extreme way too often as well: Companies using security as an excuse to enforce policies that create a monopoly for them in some area by hindering competition or directly extorting money. Things like 'you have to use my store to install any software at all, and by the way if you sell something via an application installed via my store you have to give me 30% even if the sold thing is completely unrelated to the software and the user may as well subscribe to your service or buy your product via your website without any additional fees at all.'
    I guess what I'm saying is don't give kernel level access to software if not absolutely necessary, but don't make the operating system vendor enforce that policy - just make the admin jump through reasonably many hurdles before arriving there.

    3 votes
  7. Comment on Valorant is winning the war against PC gaming cheaters in ~games

    AndreasChris

    > As mentioned elsewhere, it is true that password managers decrypt into encrypted memory

    And where do you store the memory encryption key for that encrypted memory? I highly doubt that most password managers manage that key via a TPM or use some kind of secure enclave such as Intel SGX (which is deprecated anyway).
    As for keyloggers - yes, there are better solutions than how Windows handles it. Wayland is for example much better at isolating keystrokes so that only the current window can access them.

    > Cookies are stored in AppData on Windows.

    Sure, accessing AppData can be done without running in kernel space, but there are file permissions under Windows that are managed via access control lists. So some degree of isolation is still possible in user space, which doesn't hold true for kernel space software. Furthermore browsers under Windows usually use the Windows Data Protection API to encrypt the cookies they store on disk with the current user's credentials. It is however true that a process running as the same user could access those files with the default settings unchanged.

    > I don't believe Chrome decrypts everything into protected memory, so I'd be very surprised if you needed kernel-level elevation to steal memory from it.

    There's a difference between accessing files (as in stuff on your hard drive) created by a different process, and accessing an active process's memory (as in RAM content). It would be highly questionable if one userspace application could read/write from a different userspace application's address space without some kind of exploit. A kernel space application can easily do that. There's not just application data but also other stuff (e.g. various encryption keys) in memory that is never written to any file. The only way to protect your memory against passive introspection with complete read access to a machine's physical RAM would be some kind of secure enclave that is implemented in hardware, encrypts the relevant memory regions, handles the encryption keys internally, and only runs authenticated code/commands.

    Also one huge point that you're disregarding is the case of significantly increased attack surface. Each bug in a kernel module comes with an increased risk of enabling RCE in kernel space allowing for a complete remote takeover of your machine by a third party without a malicious software author. And as the focus of Anticheat developers is a lot different than that of OS developers, negligence with regards to security is much more likely to occur. And it's not like there've been no instances of kernel space anticheat solutions being buggy in the recent past.

    And finally a kernel module rolled out across billions of devices due to every casual player having it makes it a VERY attractive target for malicious actors. It's just unnecessary risk imo.

    15 votes
  8. Comment on Valorant is winning the war against PC gaming cheaters in ~games

    AndreasChris

    > I do not believe that the kernel-level access significantly changes the level of risk presented to my personal data. The risk is already significant by installing their user-mode game client.

    Oh yes it does. A piece of software that runs in kernel mode has the highest privileges any software on your system can have. This means if it wants to it can literally extract anything from other programs' memory it wants to, intercept and record any communication with any device, (in theory) hide any piece of software in your system in a way that cannot even be detected by the operating system, or even modify your operating system in any way it pleases. Ever heard of rootkits?

    Any software based sandboxing simply becomes impossible when you're dealing with kernel mode software. A normal piece of software could for example never look into your active browser sessions. A software running in kernel mode can easily extract anything from your browser's memory - for example any data of any website you visit (even if the communication is encrypted) including stuff like session cookies that allow for easy account takeover if forwarded to someone else. Or have your password manager unlocked? Congratulations - your anticheat can now read your password.

    So any malicious piece of code introduced into a software with kernel level access voluntarily (e.g. for data collection), forced (e.g. by a state actor), or without the knowledge of the software's author (e.g. supply chain attack à la xzutils) is a much bigger problem than it would be in usermode.

    And that's only the perspective of malicious-by-design code. There's also the accidental perspective:
    Even your operating system doesn't run most stuff in kernel mode. Because every little bug in a kernel level piece of code allows for easy takeover of your entire os. Suddenly running stuff for a f'ing game in kernel mode greatly increases your attack surface. And given recent incidents of some script kiddies abusing little bugs in kernel mode anti cheat we've seen recently, I don't have great confidence in the quality of those systems. The level of security auditing and public scrutiny is nowhere near that of your usual os kernel, and the focus of gaming companies is simply to get as much control over your system as possible to ensure you're doing nothing to interfere with their game. Security is not something they focus on during the development of such engines, only preventing you from doing things that could lead to them making less money from their game at all cost.

    On another note:
    One of the simplest solutions to escape cheaters ruining the fun for casual gamers would be to host private servers for your friends or some otherwise restricted group. I really miss games that easily allowed for that. Unfortunately game companies don't do that anymore to keep control and extort additional money via subscription/cosmetics/microtransactions. :(
    I'm sure kernel mode anticheat systems have their place in a competitive e-sports setting, but for casual gamers it's just overkill.

    Also the way I've seen compliance rules set up in many places a lot of people could lose their job due to negligence if they were to log into some work related account on a computer with kernel mode anticheat installed. I don't think most people actively realize that.

    35 votes
  9. Comment on Millions of people are using abusive AI ‘Nudify’ bots on Telegram in ~tech

    AndreasChris

    Ah yes, classic.
    On a related note I present to you:

    https://www.youtube.com/watch?v=fuCK-q03KWo
    https://www.youtube.com/watch?v=fUCK-3oliyo
    https://www.youtube.com/watch?v=FUCK-8D3Mhw

    (Video content is irrelevant)

    It's a fun little game to look for random words in these sometimes.
    As for the odds of a randomly selected youtube URL beginning with 4 specific non-case-sensitive letters: If I didn't miscalculate it's 1 in 1048576.

    7 votes
  10. Comment on Passwords have problems, but passkeys have more in ~tech

    AndreasChris

    That's what I meant by requiring a trusted client application. Your browser is responsible for attaching origin information in order to prevent simple forwarding attacks. But this only works as long as the browser can be trusted to attach the correct information about the website it's interacting with. So yes, you're correct that the application facilitating the communication needs to be compromised, but if that's the case it's sufficient to get you to attempt to log in to some random low security account to gain access to other more important ones. At least that's how I remember the CTAP2 protocol.

    Consider the following scenario: You have a low security zoom account and a high security bank account. You get an invitation to an important meeting on zoom.scam. When you click the link it doesn't work in the browser, so you click on the button to download the new fancy zoom client. When you open the client it prompts you to sign into your zoom account. You connect your YubiKey and tap the button. Unfortunately the 'zoom client' connects to attackerserver.evil in the background, which in turn connects to your bank. Your bank sends a challenge to attackerserver.evil which forwards the challenge together with the bank's TLS certificate to the 'zoom client'. The malicious client forwards the request together with the bank's TLS certificate to the YubiKey. (A legit browser would attach the wrong certificate here, since it's talking to attackerserver.evil.) The YubiKey gladly answers the challenge and communicates it back to attackerserver.evil, which forwards it to the bank. Now the attacker has access to your bank account. Had you used your low-security zoom password instead the attacker would now have access to your Zoom account, but your bank account would still be safe.

    Or consider a malicious, overcontrolling employer that wants to spy on your private email account. They could access it using the same idea without you ever logging in to your private mail account on your work computer. It always boils down to the YubiKey being incapable of telling you what authentication request you're authorizing. Of course it requires a different setup than simply phishing passwords, but it's a reasonable attack vector nonetheless.

    Note that your zoom account and your bank account in the scenario above use two completely different sets of keys behind the scenes, but the method authorizing their use is the same from the user's perspective. Also note that completely sandboxing the malicious application to prevent keylogging or similar spying activities, and running the application with fine granular rights management and minimal privileges doesn't help here either, as the app doesn't actually interact with any local resource it shouldn't interact with.

    2 votes
  11. Comment on Passwords have problems, but passkeys have more in ~tech

    AndreasChris

    > Can complicatedly/interactively be phished
    > Hardware token - No

    Are you sure about that? I would argue that getting people to tap a blinking YubiKey is easier than getting them to enter an application specific password. I do realize that CTAP2 allows for access to a specific private key to be tied to some origin information (e.g. a TLS certificate), but that requires a trusted client application (e.g. Browser) to accurately provide such information to the hardware token. The issue here is that the YubiKey just blinks. It doesn't tell you what it's authorizing, it just tells you that some operation needs to be authorized by tapping it. Whether that operation is an authentication request for the service you think you're interacting with, an authentication request for some other site, an enrollment request, or some other thing entirely - you don't know from the blinking alone.

    > Can be stolen from third party and reused
    > Hardware token - No

    Well, true. All you could do with the keys stolen from the service side is emulate the service and get signed challenges from a hardware token you're actively interacting with. (Although the service side is arguably the second party, so I'm not quite sure what you mean by third party with regards to password stealing. Stealing from someone that's already stolen it? An authentication service that gives a third party access to your password hashes in a legit scenario is kinda problematic by design.)

    What's missing from your table is 'Can be stolen from first party'. It's much easier to steal your hardware token, than it is to steal your passwords, if you have physical access. And setting a PIN for FIDO2 operations is actually optional and up to the service provider to require. I wouldn't want anyone who finds my YubiKey on my desk to be able to login to many of my accounts without any additional knowledge. Hence your hardware token is a great second factor, but should not be your only factor in my opinion.

    4 votes
  12. Comment on Passwords have problems, but passkeys have more in ~tech

    AndreasChris

    Authentication via FIDO tokens simply opens up a different class of attack vectors. You exchange the factor knowledge for ownership.

    Left your YubiKey on your desk somewhere? Anyone who finds it may now be able to sign into your accounts, if the service provider doesn't mandate a pin being set on the key. (Turns out FIDO2 can be used without mandatory PIN requirements.)
    Have a PIN set on your key? While CTAP2 sets up a new public-private key pair for each service, the PIN to authorize its usage is still the same for every service. Your plugged-in YubiKey is blinking and you tap it out of habit? Well you just authorized an authentication - there's no indicator what exactly you just authorized.
    Using passkeys on my phone? Don't want anyone with access to my phone to be able to log into arbitrary accounts of mine I'm not already logged in to.

    Sure, with CTAP2 or similar protocols you ensure that the actual authentication is based on a non-bruteforcable, randomly generated public-private key pair. On the upside you hence don't have any issues with bad, user-selected passwords that may be easily bruteforcable. On the downside you still need some non-circumventable way of authorizing the use of your private keys - an attractive attack surface. This method may simply be the physical ownership of the device that manages the private keys for you, it may require a button press, or you may even need to enter a PIN code. But in the end this only shifts the type of hurdle an attacker needs to overcome from obtaining a password to obtaining control over a specific device (or the keys therein). And with regards to social engineering it may arguably be easier to get a user to press an application-independent button than to enter an application-specific password.

    In the end different authentication factors protect against different types of attackers. Requiring both factors (knowledge and ownership) will always be more secure than requiring one or the other. Suddenly teaching people that passwords are bad, but that that fancy new authentication method is much better, may even be counterproductive, as a false sense of security settles in and new attack vectors get overlooked. People are already used to passwords. If you truly want logins to become more secure, our collective energy should be put into getting people to use passkeys as a >second< factor in addition to passwords, not as a replacement for them.

    5 votes
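
An added example, not part of the comments above or of any project's code: the checks a relying party can run on a WebAuthn assertion, covering the origin binding from the relay scenario and the optional-PIN (user verification) point in the comments above. The sample assertions are constructed, `bank.example` and `zoom.example` are placeholder names, and signature verification is left out; the `origin` field is written by the client software, which is the trust assumption those comments describe.

```python
import base64
import hashlib
import json
import struct

FLAG_UP = 0x01  # user present: the button was tapped
FLAG_UV = 0x04  # user verified: PIN or biometric was checked


def b64url(data):
    """base64url without padding, as used for the challenge in client data."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_authenticator_data(auth_data):
    """Split the fixed 37-byte header: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion(auth_data, client_data_json, rp_id, allowed_origins,
                    expected_challenge, require_uv=True):
    """Return the names of the failed checks; an empty list means all passed.

    Signature verification over auth_data || SHA-256(client_data_json) is a
    separate step and is not done here.
    """
    ad = parse_authenticator_data(auth_data)
    cd = json.loads(client_data_json)
    failed = []
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if cd.get("challenge") != b64url(expected_challenge):
        failed.append("challenge")
    # Origin as reported by the client (browser or other application).
    if cd.get("origin") not in allowed_origins:
        failed.append("origin")
    # RP ID hash sits inside the data the authenticator signs.
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        failed.append("rp_id_hash")
    if not ad["user_present"]:
        failed.append("user_present")
    # A bare tap sets UP only; requiring UV is the service's decision.
    if require_uv and not ad["user_verified"]:
        failed.append("user_verified")
    return failed


def constructed_assertion(rp_id, origin, challenge, flags, sign_count=1):
    """Build sample (constructed) authenticator data and client data JSON."""
    auth_data = (hashlib.sha256(rp_id.encode("utf-8")).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
    }).encode("utf-8")
    return auth_data, client_data


CHALLENGE = bytes(range(32))  # constructed; a real server uses fresh random bytes
BANK = {
    "rp_id": "bank.example",
    "allowed_origins": {"https://bank.example"},
    "expected_challenge": CHALLENGE,
}


def demo():
    """Run the bank's checks over three constructed assertions."""
    honest = constructed_assertion("bank.example", "https://bank.example",
                                   CHALLENGE, FLAG_UP | FLAG_UV)
    other_site = constructed_assertion("zoom.example", "https://zoom.example",
                                       CHALLENGE, FLAG_UP | FLAG_UV)
    tap_only = constructed_assertion("bank.example", "https://bank.example",
                                     CHALLENGE, FLAG_UP)
    return {
        "honest": check_assertion(*honest, **BANK),
        "other_site": check_assertion(*other_site, **BANK),
        "tap_only": check_assertion(*tap_only, **BANK),
        "tap_only_uv_optional": check_assertion(*tap_only, **BANK,
                                                require_uv=False),
    }


if __name__ == "__main__":
    for name, failed in demo().items():
        print(name, failed or "all checks passed")
```
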
  13. Comment on Passwords have problems, but passkeys have more in ~tech

    AndreasChris

    Honestly, I'm all for people using hardware FIDO tokens or similar (i.e. passkeys on their phones) as a second factor. I just don't think it's a good idea to use them as the only factor. Why replace passwords and not just supplement them?

    I for one use a hardware security token as a second factor wherever possible, but I'm very reluctant to use it to sign in without any password whatsoever.

    6 votes
  14. Comment on You're running for office on a somewhat petty, yet universally-understood single issue. What is it? in ~talk

    AndreasChris

    Meh, I'm not sure I agree. As long as it's clearly communicated as an efficiency measure and not a preferential treatment thing that shouldn't be an issue. The problem only arises once people perceive it as the latter. Even letting people enter the airplane randomly is on average more efficient than back-to-front entry. The random method would also lead to some people walking past others, but why would anyone get mad if they knew it was just a matter of chance?

    The real problem is airlines actively presenting boarding groups as some great benefit that premium customers receive in order to be able to charge money for it. In the end boarding group membership is a rather arbitrary metric anyway, since the plane isn't leaving without everyone on board anyway. I could as well imagine a world where 'privileged' customers could pay for being let onto the airplane last in order to spend as little time as possible in there. ¯\_(ツ)_/¯

    4 votes
  15. Comment on You're running for office on a somewhat petty, yet universally-understood single issue. What is it? in ~talk

    AndreasChris

    That's a symptom of Aldi being a German supermarket chain I suppose. They simply took their whole concept, from how they manage their supply chain to how they design their stores, and exported it to the US. I've been to the US east coast for a few weeks a few years ago, and I was very surprised how familiar everything seemed when I stumbled across an Aldi store.

    (On a related note it was also the only US supermarket I visited with reasonably priced, high quality cheese. Besides dark bread and unchlorinated tap water, good cheese was one of the major things I missed during my stay in the US.)

    3 votes
  16. Comment on You're running for office on a somewhat petty, yet universally-understood single issue. What is it? in ~talk

    AndreasChris

    Back-to-front isn't the best one though. May I point you to this CGP Grey classic for reference: https://www.youtube.com/watch?v=oAHbLRjF0vo

    10 votes
  17. Comment on You're running for office on a somewhat petty, yet universally-understood single issue. What is it? in ~talk

    AndreasChris

    In many european supermarkets you have to insert a coin into the shopping cart to release a chain tying it to the cart in front of it. Once you return the cart and reinsert the chain the coin pops out again. It's a pretty good incentive for returning the cart for most people, and for the rest there's still the social pressure of everyone else returning their cart.

    7 votes
  18. Comment on Disney seeking dismissal of Raglan Road death lawsuit because victim was Disney+ subscriber in ~misc

    AndreasChris

    I am not a lawyer, but I believe there are laws that regulate the scope of what can be specified in Terms of Service. Of course over here in Europe we have more rigid consumer protection regulations than our capitalistic friends across the pond, but as far as I know some limitations still exist. Basically a contract that's negotiated on an individual basis can be much more extensive than a contract that's a boilerplate agreement for a large number of people. As for the specific regional laws for this specific case I would have to look it up, but in Germany, Austria, and most other European countries a claim like that would almost certainly be out of scope.

    17 votes
  19. Comment on Taylor Swift cancels Eras Tour concerts in Vienna after terrorist plot thwarted and arrests made in ~music

    AndreasChris

    Can you clarify a bit on this?

    The chemicals have initially been reported as 'Vorläuferstoffe von Wasserstoffperoxid' which translates to 'precursors of hydrogen peroxide'. Not every detail has been made public yet, but I've since read something about 12% concentration. They also found fuses, instructions on how to build a bomb, and other related stuff.

    4 votes
  20. Comment on Taylor Swift cancels Eras Tour concerts in Vienna after terrorist plot thwarted and arrests made in ~music

    AndreasChris
    (edited )
    Link Parent
    • Exemplary

    No, the statement that it was local authorities who cancelled the event is incorrect. The local authorities did not cancel the event. They did communicate information regarding the concerts being the target of a planned attack to the organizers (Barracuda Music) and Taylor Swift's Management, who then decided to cancel the concert, despite assurances that the risk had been minimized.

    I have been following this rather closely (and have actually watched the live press conferences by local authorities), as (1) my brother had tickets for one of the concerts, (2) I am from around here, and (3) there are federal elections in Austria this fall, so all official communication in this matter should be considered with this context.

    So what happened is that yesterday morning a few hundred people were evacuated in a small Austrian city called Ternitz, and an arrest was made following a tip from a foreign intelligence service. Initially everyone was kept in the dark about what had actually happened for 12 hours or so. Media only reported that something was going on, but police didn't clarify why exactly everyone was asked to leave. So it was already a pretty big story around here before it was revealed what exactly had happened.

    In the late afternoon police held a press conference, where they revealed that two people (19 and 17 years old) had been arrested and another person (15 years old) had been detained, because they were planning an islamistically motivated terrorist attack at big events in or around Vienna, specifically the Taylor Swift concerts. They also found several knives and chemicals to create hydrogen peroxide to build bombs. They also stated that they do not believe further unknown perpetrators were on the loose, and that the risk had been minimized. When specifically asked whether they would order or recommend to cancel the concerts, they stated that they would not give any recommendations, but increase security measures and provide information. A cancellation would be up to the organizers.

    Investigators further found out that at least one of the perpetrators had secured a job with a facility management company hired for the concert. Police hence conducted a search of the stadium grounds where the concert was to be held while the information embargo was still in place, in case something had been deposited there, but nothing of interest was found. This information and several additional details that were only disclosed publicly today were already communicated to the concert organizers yesterday. Swift's management considered these infos and decided to cancel the concert.

    Of course especially parties on the right of the political spectrum are doing their best to carefully craft the communication in the aftermath of this incident in order to convert fear of terrorists into political gains, as the Austrian federal election is only a few months away. Unfortunately it looks like the decision to cancel the concerts will greatly help the extremely right (currently opposition) party FPÖ in the upcoming election, as a lot of people were directly affected by this and keeping the attention on fear of terrorist attacks and redirecting that fear to ethnic and religious minorities has just become a lot easier. Simultaneously the conservative party ÖVP (which is part of the current government) is also trying to use the situation for their advantage, by communicating how an attack has successfully been prevented, and lobbying for more surveillance powers for law enforcement. Ironically I've also already read several comments from sources close to FPÖ, complaining about how it is a disgrace that a hint from a foreign intelligence agency was needed to make the arrests, which completely disregards that just a few years ago, when FPÖ was briefly part of the Austrian government, their officials were the ones to initiate a politically motivated raid of an Austrian intelligence agency, effectively dismantling them and greatly damaging their international relationships with other agencies.

    Edit: I just realized that it's around midnight already (local time that is). So just to clarify - when I said 'yesterday' I meant Wednesday 7 Aug.

    24 votes