The topic of this thread is the policy of banning political comments for one week. I stated that the experiment should not be conducted at this time, due to the forthcoming appointment of a government official, which HN should discuss given yesterday's events. It was certainly relevant on this thread.
As my parting words from this site, I would ask that you please pay close attention to what is happening politically with regard to the laws which shape technology: the First Amendment, Fourth Amendment, Criminal Rule of Procedure 41, PATRIOT Act 215, FISA 702, and Executive Order 12333, but just as importantly, the individuals in the NSC, DNI, DCIA, DNSA and DIA/DCS leadership positions.
Community members, remember it is crucial for engineers, scientists, and entrepreneurs to have a voice in the forthcoming discussions of digital privacy, the extent of state power, and the policies that will be chosen. If you wish to conduct this experiment, perhaps a different time period would be better, as these officials are being chosen now, and the policies will be decided very soon.
Moderators, I ask you to use your power judiciously, and allow the maximum free discourse that you feel appropriate. Remember that you yourselves are not immune to the cognitive defects inherent in human nature. If you do adopt a more narrow curation policy, please guard against those passions carefully. Protect well this place you have built. It is more special than you realize.
Founders, design your technologies with an eye to how they shape public discourse, promote fact, and expose deception. Be better than my generation. Pursue ideals more noble than mere monetary profit. Don't just make something people want. Make something that matters.
Build the change you wish to see in the world. You did not risk everything to sell digital sugar water.
Others of greater tact than I will shape these discussions as they evolve here. But I myself will not abet censorship without objection, particularly at this moment in time. The time has come to vote with my feet. It has been a pleasure to know you all.
The community was asked whether there were specific concerns regarding the timing of the experiment. I expressed a particular, relevant, and time sensitive issue, which yes, happened to deal with a particular individual.
These issues can't be discussed in a vacuum. This is the person who is openly promoting a Muslim registry, and intends to use the technology we have built to do it. There is no ground to be apolitical in that context, particularly when you have just seen first hand evidence of the violence it portends.
I submit that, if people were firing assault rifles into pizza places in your neighborhood because of "politics," you might feel differently.
The controls on the usage of national security programs, as we know, are today largely governed by the discretion of the people in charge, much like your discretion governs comments here.
It's fine if you don't consider that acceptable discourse anymore. It's your sandbox. But if that's the case, I'm taking taking my toys and going home. I know what censorship looks like when I see it.
Worst of all dang, I though I could trust you guys to be better than this...
1. This experiment is directly harmful in that it is using living subjects, without ethics review.
2. The person who shot the gun was informed by Reddit, a company that had it's genesis here. The Y Combinator is a function that makes other functions.
The Internet is not like a blank canvas. The decisions we make about a platform, about news optimization, and about community structure affect our public discourse. If Twitter had set it's character limit at 280 characters, that would have had a profound effect on the marketplace of ideas in the public sphere.
3. The issue is that the particular forms of communication which enabled these thought-bubbles to exist were created by a handful of decisions by software developers.
4. HN is where I get my news about technology. Technology is a crucial area of political discussion, and right now the very basic freedoms of the internet are under direct threat from political forces.
Finally, how could anything be more crucial to technologists than discussion of those who will hold the reigns of the national security sector?
1. Any views expressed here or elsewhere on HN are purely my own and not representative of the United States government or any other entity.
2. This is not about one individual act of violence. It is symptomatic of a culture created by the types of technology we discuss and implement. I happen to know many people within various spheres that do read HN, and are influenced by it.
3. This comment was flagged, which seems contrary to the purpose of inviting a public discussion, particularly on the thread regarding the appropriateness of such discussions on this site.
If we can't even express dissent that we can't express dissent, that is a problem.
I live in Northwest Washington, D.C. I am a technologist, a government contractor, and an HN member for many years under various accounts since 2008.
I respectfully disagree.
Yesterday someone motivated by the "Pizzagate" story, spread and enabled by the social media systems we designed, fired multiple shots from a semi-automatic weapon into a crowded restaurant near my home.
My partner and I passed the crime scene shortly thereafter on our way back to our apartment.
The new National Security Advisor, Lt. Gen. Michael Flynn, endorsed the totally false rumors that led to this shooting. He will soon be empowered by the full force of the nation's intelligence agencies.
I want you to very carefully consider the implications of what he could do with access to that power, and the potential result of blocking discussion of such issues, particularly at this moment in time.
Amazon has the money to run the studies to prove whether it increases revenue. I suspect it wouldn't be too hard to both detect shoplifting and differentiate it from legitimate purposes using a modern high-end multisensor fusion machine learning system.
Better make sure to carefully balance the samples in your training set to avoid confounding variables though, or else your AI is going to get quite racist and sexist very quickly.
The deeper you look, the worse it gets. Those php issues are very trivial, first glance type stuff. Some need a bit of a twist to make exploitable, but another will strip the encryption right off the hidden network.
I have others I wish to disclose, but I can't seem to get them to respond to my requests for a PoC. Quite frankly, I'm shocked that I can't seem to get anyone to realize how serious the impact of an RCE vulnerability in a framework fielded that widely truly is.
If you find any of more serious things I'm talking about on your own, wait for the vendors to fix them. Please don't brick the world.
More importantly, where are they having this turkey?
In all seriousness though, if I were one of a handlful of people who understood a rising anonymous currency platform, I wouldn't want to be publicly exposed that way.
I have had four zero-days affecting 5.5 million devices sitting on a public code repository for two months now, for a project maintained by dozens of corporations employing high-end PHP programmers, who do write PHP for a living.
The fixes are code reviewed, but not merged, because the developers don't seem to understand PHP-into-C null string terminator vulnerabilities, or type juggling, or strict comparison, or... I could go on.
PHP is unsafe at any speed, because it almost invites arbitrary code execution through a number of vectors. It isn't inherently bad if used correctly, as most Facebook developers will tell you, but the language structure involves quite a number of insecure practices.
The iVotronics hacking part is very public. The legal aspect may not be as well-known.
The iVotronics vulnerabilities were documented in a lawsuit joined by the Commonwealth's own Deputy Commissioner of Elections. See Banfield v. Cortes [0]
The Election Code specifies that the Secretary of the Commonwealth shall certify electionic voting systems, and issue directives and instructions upon which such approval is conditioned, with which counties are required to comply.
§ 3031.5. Examination and approval of electronic voting systems by the Secretary of the Commonwealth
(a) The Secretary of the Commonwealth may issue directives or instructions for implementation of electronic voting procedures and for the operation of electronic voting systems....
The county board shall comply with the requirements for the use of the electronic voting system as set forth in the report by the Secretary of the Commonwealth...
(c) No electronic voting system not so approved shall be used at any election... [1]
The Secretary alone determines the method of certification.
While the Legislature mandated that an electronic voting system must comply with specific federal testing and performance standards and the requirements set forth in the Election Code, it does not prescribe a particular testing procedure to govern the manner in which the Secretary is to perform the examination, but ultimately left this discretion to the expertise of the Secretary, who is tasked with implementing the Election Code. [0]
However, counties must still comply with the implementation "directives and instructions" issued by the Secretary.
Section 1105-A of the Election Code, 25 P.S. § 3031.5 requires that the Secretary of the Commonwealth examine all electronic voting system used in any election in Pennsylvania and that the Secretary make and file a report stating whether, in her opinion, the electronic voting system can safely be used by voters and meets all of the applicable requirements of the Election Code...
The Secretary of the Commonwealth certifies the iVotronic Voting System in accordance with the conditions detailed in the reports... and the following conditions. [2]
The certification of the iVotronics system implemenation directives and instructions include a the specific provision that counties "must install the locking mechanism over the serial port and compact flash memory in a manner to prevent access to the compact flash card."
3. Pennsylvania counties using the iVotronic Voting System must install the locking mechanism over the serial port and compact flash memory in a manner to prevent access to the compact flash card. [ibid.]
As the construction of the locking mechanism itself renders the compact flash accessible regardless of the physical lock used, as determined by multiple audits in academia as well as other states, the iVotronics system in question was not certified in accordance with the requirements of the statute.
The Secretary put a caveat on the certification of the iVotronics with which the counties did not comply. This is physically analogous to requiring that a tenant "must install a lock on this door which prevents access to the inside of this room," but the door cannot latch no matter which lock is used. If instead of repairing the latching mechanism, the tenant merely replaces the lock, he would not be in compliance with the directive.
Rather than work with the manufacturers to create a locking mechanism that complied with the Secretary's directive (changing the latch), the counties merely changed the locks used. These locks do not prevent access to the compact flash card, and thus Secretary's implementation requirements were not met by the counties which used them. The counties failure to meet these directives was not due to lack of ability, as the requirements of the iVotronics maintenance contracts include modifications necessary to comply with state law, or lack of knowledge, as they were disclosed during Banfield, cited by the certification report itself.
The counties simply failed to ensure that the locking mechanisms were updated subsequent to the Secretary's report. Each county board is required to submit their vote totals to the Commonwealth in accordance with the Election Code. As the Election Code requires counties to comply with the Election Code, a county's failure to meet the Secretary's certification requirements disqualifies its reported vote totals.
It's pretty telling about the seriousness of the recount effort that nobody has even bothered to sue a county that used these machines. The Commonwealth's Election Code is not a mere recommendation to the county. Its provisions regarding DREs are specifically intended to punish counties that do not comply with the Secretary's requirements for certification, which many did not.
But please don't cross post me. You won't accomplish anything, except maybe landing me in DHS lockup for ten days for no reason.
That's silly. It's the same logic that got us criminal sentences in the DMCA for copyright violations, since movies, music, and television are a massive part of the American economy.
Federal sentences for bank robbery are 5-10 years.
The Android device in use is the EA Tablet. The certification tests are listed in "EA TABLET FOR ANDROID WITH JELLYBEAN 4.2.1 ELECTRONIC Test Report," dating from 2013.
To be fair, it's probably the best of the horrible lot in security, but that ain't saying much.
For example, the iVotronic systems contain a readily accessible compact flash card right on the top, which stores the election returns. Demonstration machines are set up in each county, so I went to see one in person. Unsurprisingly, the demo machine's card wasn't even covered with a tamper-evident seal.
The devices, including the compact flash cards and the PEBs, are reused from year to year because the legally required certification for the device is very narrow. As the demo machine compact flash cards and PEBs are re-used in each election, at any time prior to the election, infecting the demo machine can be used as a vector to attack the entire county voting total.
Since the demo machine is not sealed, its compact flash can be accessed. If the compact flash card is compromised, the system can be quickly owned. From there, the malware can spread rather trivially to the PEB unit used as a secure token by the election workers, and from there to the county's Unity system at Election Central, allowing the entire county's vote to be altered. So instead of the 4,500 machine compromises PA is claiming would be necessary to influence a state election, it would probably only take 6-7 people any time in the past ten years planting their malware in a few key counties.
All one would need to do to untraceably change the vote totals would be walk in to the county election commission, swap the compact flash out for your malware, and leave. If you do this at any point prior to the election, the malware can spread from the demo machine, to a live voting machine, and finally, when the compact flash cards are entered into the Unity system for final tally, the malware can compromise the whole lot. Then the malware would self-delete, leaving no reliable paper audit record.
Interestingly, from a legal perspective, the Secretary of the Commonwealth's certification for these machines is contingent upon the locking mechanism preventing access to the compact flash card. The machine that I saw, the most common model in use in the state, physically could not be secured that way. The plastic cover mechanism to which the lock is affixed simply doesn't cover the flash card slot well enough.
Under the PA election code, if a specific requirement of the Secretary's certification is not met, the law would invalidate the votes cast through all the iVotronics as a matter of law. As the machines were not configured as approved, they aren't approved for casting ballots, which would throw the PA recount into chaos. It's probably the only judicial avenue left to sue for a state-wide recount that might actually have a chance of being considered.
Nobody tell Jill Stein. In all liklihood, the PA legislature would just send the current electors anyway, as is their prerogative.
The race for the smart home "IoT" is in full swing, and once again Amazon is ready to sell Levis to the prospectors. They don't even need to win, so long as they can make themselves the most convenient backend solution.
Right now, Google has no credible open competitor to Android, and not for lack of trying. If Android wants to be the Windows to iPhone's Mac, it will have to get serious about security, or be swept away by the competitors which will inevitably emerge.
I also want to say that voting machines run unsupported Android builds. If Google is derelict in that duty... well, that's a much bigger deal than some compromised Google accounts.
Well, yes. If you're saying anything important at all, make sure to say it multiple times from opposing viewpoints. Your best argument will carry the day anyway.
Of course this is a "break glass in case of emergency" type countermeasure, probably most useful in a nominally liberal state that starts to drift away from civil rights.