Profile picture
Jake Williams @MalwareJake
, 6 tweets, 2 min read Read on Twitter
After initial claims of the site vulnerability, I looked at this as well and saw the numeric IDs. The presence of a numeric ID in a given URL is not the same as saying changing it provides you access to someone else's data. More work is needed here. 1/n
cbs46.com/news/democrati…
After the SB315 debacle earlier this year (also GA), you'd have to be insane (or sure your legal team could get you out of trouble and willing to deal with the hassle) to actually attempt to download additional data by changing URL parameters. For obvious reasons, I didn't try 2/
It's an interesting legal question to ask whether the guy who might have tried would be in trouble for doing so. You are definitely exceeding your intended access to the system. A prosecutor could argue that disclosing your attempt caused loss of confidence (e.g. damage). 3/n
We clearly need more public debate about how to handle this sort of issue. I don't believe for a minute that GA has adequately tested its election systems. I don't doubt that there are vulnerabilities. But I can't test them (even if I want to for free) without consequences. 4/n
Intent is impossible to quantify and my test looks a lot like a hack. Further, suppose the systems are vulnerable to SQL injection and you CAN update data. What if a well-meaning tester updates all voter records in the state to be his own by accident? 5/n
Suppose the state doesn't have good backups or they don't notice immediately (suppose the tester doesn't know this happened either). This could be a major, major issue. I don't want to advocate for vigilante testing for public resources, and yet we need more transparency. 6/6
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Jake Williams
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @MalwareJake see all

Profile picture
Twas the night before Christmas and all over the ‘net,
Not a creature was stirring except China hacking Tibet.

The IPS were strung by the egress with care,
In hopes that St WannaCry soon would be stopped there.
1/n
The children were nestled all snug in their beds,
While IoT devices mined the dreams from their heads.

Mama with her EDR and I with my IDS
Were ready to tackle an infosec mess.

Down in the SOC there arose such a clatter,
I logged into my dashboard to see what was the matter 2/
This thing had better work, it cost so much cash.
But gosh darnit, I can’t use it until I update Adobe Flash…

Pondering the alarms I thought “Oh heck no!”
That’s because the threshold for alerting was configured so low.
3/n
Read 14 tweets
Profile picture
I certainly don't agree with everything in this thread, but it is very thought provoking nonetheless. I tell clients regularly that cyber security IS warfare if APT is in your threat model. We often fight nation state hackers with nearly infinite resources by deploying a CEH. 1/n
This obviously doesn't work. When you step back and look at resources that APT groups have, it's obvious they can comrpomise almost any organization. My favorite example is the China/Bit9 example. Picture being an attacker who can't get into a top tier target. 2/n
Now imagine that you think "Bit 9 is standing in our way, so we'll 'just' go comrpomise them." Um, that's a moonshot. Ask yourself:
1. What kind of organization dedicates resources to moonshots?
2. How many moonshots do we not know about?
3. How valuable was that target?
3/n
Read 7 tweets
Profile picture
I'm writing a new blog post but I need some help. We have a problem in the tech industry with consent vs. informed consent. Problems with confusing the two are not unique to infosec. Medicine has been practiced for millennia, but informed consent is at best ~50 years old. 1/n
Legalese terms of service can't be comprehended by a large percentage of a user base. Even if you understand what is being collected, do you understand how it will be used? A patient can't give informed consent without a discussion of risk. 2/n
Doctors don't routinely downplay risk in a procedure. This comes from two sources:
1. Liability
2. In most cases (electives are a counter-example), the doctor has a product (the procedure) the patient needs

These do not hold true in the technology field. 3/n
Read 7 tweets

Related threads

Profile picture
Since ginagawa na rin naman natin UP friends HAHAHAHAHA what's the most UP thing you've ever done lol mine was living off of Bread Pan & C2 or, on worse days, monay with cheese and refilling my water bottle sa Lola Lita's sa Shopping Center hahahahuhu ang tagal ng DOST stipend e!
Hoy bakit hindi ko alam 'to HAHAHAHA hindi kayo nagyayaya! :))
Read 101 tweets
Profile picture
True Confessions of a Humper and Humpee #TwitterAfterDark R18+
I stared out the window, as I sipped a cup of black coffee, damn! The coffee was good, if there was one thing my receptionist, aside being the best user of company WiFi and phone, she was good at brewing coffee.

The day was bright, and I had hopes that it would be a good one.
I took my seat behind my desk and checked my agenda for the day, I still had about two hours before the scheduled time for my first clients to show up. As I went through the file of the clients, my mind wandered far away, far far away to my country Nigeria.
Read 77 tweets
Profile picture
@Rachael_Swindon Dear .@EstherMcVey1 speaking as a seriously disabled person killing myself trying to care for my OH who is not only physically disabled but has dementia also, I can confirm that EVERYTHING @UKLabour says about YOU personally and the vile Tory Gvt is not only true but WORSE!
@Rachael_Swindon @EstherMcVey1 @UKLabour 2) You personally are a barefaced blatant liar, you lied when you were an underling to the vile hypocrite Iain Duncan-Smith and you are lying through your back teeth now while doing his old job, a job you were given by the PM a hapless hopeless incompetent liar like yourself. You
@Rachael_Swindon @EstherMcVey1 @UKLabour 3) were not given this job because you are talented or could do the job, you were given it because you were a woman and there was no one else who was desperate enough to take this job as #IDS had left the @DWP in a mess that will take Labour years to sort out. You are a PROVEN
Read 11 tweets
Profile picture
May 23rd – 2018
Part I – The FISA Court Grants The Authority, Not The Ability…
theconservativetreehouse.com/2018/05/23/par…

1) There is a meeting scheduled tomorrow between key congressional oversight committee heads (Nunes, Gowdy etc.) and leadership of the FBI (Director Wray),
2) DOJ (Edward O’Callaghan) and ODNI (Dan Coats). The meeting was set up by White House Chief of Staff John Kelly, and the purpose of the meeting is to come to some agreement on access to documents being withheld by the DOJ, DOJ-NSD and FBI.
3) However, amid the ongoing debate over spies & informants used by the CIA & FBI to conduct political surveillance, there’s an aspect of the ongoing investigation that seems to be entirely overlooked.

On January 7th, 2016 the Inspector General of the National Security Agency,
Read 25 tweets
Profile picture
Merry #sithmas! With luck, we will finish The Last Jedi today. Miscellaneous business first! (Too Many Tweets in These Tweets: A Star Wars Story) #sithmas
hELP #sithmas
A visual comparison of the ROTS Force push vs TLJ tug-of-war via @the_meghatron (I'm so proud that I guessed this back when we were watching the prequels) #sithmas
Read 102 tweets
Profile picture
Nicholas Quinn Rosenkranz, nominated to 2nd Circuit is a Beneficiary of #Cayman Fund
Nicholas Quinn Rosenkranz 2nd Circuit nominee and Billionaire Cayman Trust Fund Beneficiary abovethelaw.com/2017/08/the-ar…
Read 15 tweets

Trending hashtags

#Midterms2018 #Namibian #French #DogsOfTwitter #window #Germany #Beirut #GOP #RareDisease #transparency #cdnpoli #DisclosuresTribual #Damascus #allies #AmericanDream #Chain #MedicaidMatters #HealthCareVoter #siteci #Billionaire #Russian #defeat #FakeWood #ProtectOurCare #DisclosureTribunal

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!