Currently: @WhiteHouse OMB, with the Federal CIO. Formerly: @18F, Chrome Security, @congressfellows in the Senate, and @SunFoundation. Personal account. he/him.
Aug 7, 2021 • 5 tweets • 1 min read
In any system that attempts to balance surveillance of bad stuff against fundamental security and privacy guarantees, the most important attribute it needs to have is public auditability. 1/
Many of the things that might seem broken to you about the world — whether it's online data brokers, or unchecked surveillance, or organizations sweeping data breaches under the rug — all grew in a petri dish of unaccountability, until too much depended on them to just stop. 2/
Dec 19, 2020 • 11 tweets • 2 min read
1/ Unless the USG dramatically changes its approach to reviewing software, just doing more "vetting" of vendors will be 100% useless in catching issues like SolarWinds.
Currently, it's all designed to raise the "floor" and avoid table-stakes stuff.
2/ Agencies and FedRAMP review vendor-supplied documentation, scan results from generic tools, and attestations to various "best practices".
It's done using a maximalist, mindless checklist that NIST (and OMB, through FISMA metrics) inflicts upon federal agencies.
Nov 3, 2020 • 7 tweets • 2 min read
I spent 2019 immersed in election security work in the Senate, and have stayed involved in my personal capacity in 2020.
Here are a few things I learned, if they're helpful to you on this bright, sunny day:
1) The act of voting is getting more secure every cycle. We now have paper ballots across the vast majority of the United States, and post-election audits of those paper trails are becoming more routine.
Today, the NYT covered research by @mspecter, @jimmykoppel, and @djweitzner into the security of Voatz, a mobile app that's been used for online voting in US elections:
This found serious issues, but they're just some of the many problems with @Voatz. 1/
The researchers here reported these issues to @CISAgov, rather than @Voatz directly, out of concern for potential retaliation.
Their fear is well justified. In October, Voatz reported a student at U of Michigan to authorities for analyzing their app: 2/
