Surprise! Voting app maker roasted by computer boffins for poor security now begs US courts to limit flaw finding

Re: Voatz meet the Streisand Effect.

Ah, but it's not the discussion that they mind. If people investigate a system to find that it's a hideous mass of holes, they're violating the trust of the organization that put out the hideous mass of holes. It's important that we respect the rights of places that don't bother doing their own security testing and choose to use untrustworthy and unsafe code to store and process our information to make money. More than that, we must protect those who don't want to bother making good products from people who shamelessly figure out whether something will become a safety risk and, these people have no scruples, have the gall to tell the public about it after they tell the company who doesn't fix it. Consider how you would feel if someone researched the safety of cars and told people about the ones that blow up so you couldn't purchase one of those. Consider how you would feel if there was someone with the audacity to check if the claims of other product's advertisements were true and call out the selfless manufacturers when they were found to be lying through their teeth. These people must be stopped today.

Re: Voatz meet the Streisand Effect.

"And the harder you try to bury the truth the more the internet will keep bringing it to the front of searches on what all the fuss is about."

I was thinking along similar lines. If the law stops unauthorised security researchers looking at stuff then the respected security researchers just have to produce regular press releases stating which companies and systems they have been refused authorisation for. If the have nothing to hide, they have nothing to fear :-)

Security of voting machines

Is hardly the biggest problem with voting in the US. If you have a paper trail for every vote then I say who cares if the software running the machines is open source. Just have a requirement to conduct random hand recounts of a statistically significant percentage to verify the totals and you know the machines are counting accurately.

The real problem that needs to be fixed is access to the polls. In Georgia in 2018 the republican secretary of state, who is by law responsible for the election, was running for governor. He used his authority as SOS to order the closing of a bunch of polling places in majority black precincts. As a result, the average wait time to vote in majority white precincts was 6 minutes. The average wait time to vote in majority black precincts was 51 minutes. That is what voter suppression looks like, and is a far greater concern that whether source code for the election machines is publicly available.

Re: Real Life Superheroes

"In my book security researchers/reverse engineers are like real-life modern day Superheroes."

Which is exactly where the problems come from. Superheroes are (usually) vigilantes operating outside the law. Their actions are often overlooked because they help people with problems that can't be addressed by the authorities using normal means. But even then they still frequently have trouble with the law, and often require some forgiving authority figure to look the other way or actively cover up for them, because even though their actions may seem right they are still technically illegal. And of course, it's often difficult to draw a line between a hero is forced into a difficult choice, a hero who regularly breaks the rules a bit more than normal, an anti-hero who doesn't care about the rules, and an outright villain.

All sounds rather like security researchers really. The good ones are usually doing work that is morally right but often legally questionable, and there is often not a clear line between those genuinely acting for good and those who happen to expose bad practices while only doing the hacking for fun, or being otherwise actively malicious. This is why people like Snowden and Assange, for example, aren't exactly universally loved - just because they exposed some bad stuff doesn't mean they're actually good themselves. And similarly the likes of the research groups listed above mostly do seem to be acting for good, but may well be breaking the law in doing so, and since opinions on what is actually good vary they're not universally loved either.

And as with superheroes, the big problem is that they're all dealing with things that the law can't actually handle. Just as superpowers aren't handled very well by the legal system, laws developed decades or centuries ago don't handle computers and the internet very well. Everyone has an opinion on when vigilantism should or shouldn't be allowed, but even agreeing on whether something does or doesn't break the law is difficult enough before you even start asking about should.

So yes, security researchers are very much like superheroes. Without them, the internet would be a much less safe place. But relying on vigilantes operating in legal grey areas is far from the best way to deal with real world issues, especially given how difficult it can be to tell the heroes and villains apart, and when they can swap roles from comic to comic.

Re: Real Life Superhero's

Your words remind of the Grenfell fire

The parallels are uncanny

Replace shitty mobile app developer with shitty company designing flammable building materials

And also replace security researchers with firefighters

Re: 'Cause spys respect EULAs, right?

Better to have real criminals find and exploit the bugs than white hats who simply warn you and don't tell the criminals. Which one provides the most motivation? Clearly when your system is under heavy attack by criminals you are more inclined to fix bugs.

I get that you're trying to be conciliatory, but that approach is extremely unacceptable. They shouldn't just be liable after their travesty causes massive problems. That way would help, but it's a lot like saying that I'm responsible after my non-IAEA approved nuclear reactor spreads radioactive waste over the local area. When things are this important, they need to be responsible before anything happens. That means that, when there are sufficient amounts of consumer information involved, when the government is going to use it, or when a malfunction could cause injury or death, the law should require that they do testing with independent testers and they should either have to implement the fixes to any bugs the testers find or appeal the decision not to. Having researchers who test systems simply helps this process and makes it cheaper. We require it of people making medicines or medical devices. We require it of people making cars and aircraft. We require it of people growing or manufacturing food. We can require it of people using the public's data, too.

On the hook for consequences?

So if the product gets hacked by someone in another country and a president is elected who should not have won based on the true vote count, how would even the most extreme penalty of being able to bankrupt the company with a big fine and execute its management come close to compensating the populace for that?

The only remedy is to have enough checks and balances that it is completely impossible for software bugs or hacks to change the result. There is simply no room AT ALL for trusting ANYONE in something this important to a democracy.