by ptyyy 2327 days ago
> Such a test from DHS’ Cybersecurity and Infrastructure Security Agency would have focused on security and not the performance issue that Wolf said was most likely responsible for the failure. Still, Wolf said this was a “concerning event” given the amount of scrutiny around elections security after Russians targeted the 2016 presidential election.

> “We don’t see any malicious cyber activity going on,” Wolf said. “No one hacked into it -- so this is more of a stress or load issue as well as a reporting issue that we’re seeing in Iowa.”

> The Iowa Democratic Party has said there was no evidence of hacking in the much-delayed results, merely human error.

DHS wouldn't be the one to do performance testing. Sure they should have had security scans but the issue at hand is not related.


You'd think that a lot of the allegations of foreign interference in the 2016 election would have been recalled in the past couple of months and the Iowa Democratic Party would have openly welcomed the DHS' security testing of the app to ensure minimal foreign meddling.
I think that the folks handling this software project screwed up plenty, but I also don't know if I'd fault them for not going anywhere near DHS. Given the way the current administration has shamelessly attempted to corrupt pretty much every institution it touches I think the political compromise of DHS is something that opposing parties should be factoring into their threat models.

Architecture, performance, and security reviews? Definitely should've happened. DHS? Ehh.

Recent history has proven out time and time again that all sorts of organizations that should know better about securing their applications and data, absolutely don't. Just look at the Equifax breach or the OPM breach for examples.

For whatever reason, many, many people in positions of leadership have a hard time properly evaluating and mitigating risk when it comes to cybersecurity. Even when it's obvious that risk can absolutely destroy their organization.

It's clearly not an overloading issue. If the outage was a couple of hours sure, maybe it's a load issue. But it's after noon on the following day and the system is still broken.

Plus, it doesn't make sense that it would be overloaded. They should have known exactly how much load to expect based on the number of caucuses held across the state. Also, Iowa isn't a populous state so the total number of datapoints is not going to be all that big. This should not have been a hard problem. The DNC is looking like a bunch of idiots this morning.

Perhaps the statement was referring to the telephone hotline, used as a backup means of reporting results, which was apparently overloaded with calls.
The statement was about people waiting for hours for the app to respond when they tried to upload the results, and some giving up and going to bed after it failed repeatedly.
Yep, the phone line was apparently overloaded, but that still doesn't answer the question of what happened with the app?
Load handling is part of a normal security check.

DoSing can be as dangerous as an RCE bug if your goal is to cause delays and chaos.

Security testing, indeed, would not have helped find a bug but do we actually know it was a performance/load issue?

I haven't seen any reporting stating that clearly. At this point it could've been any sort of bug. My money is on an AWS misconfiguration.

Even the most cursory security review for a "client software communicates with server software over the public internet" type of app should include determining whether or not the app will be easy for a script kiddie who knows the app's endpoint to DOS it. At the very least they would have noted that it ran like crap when they fired up some automated testing tool and promptly bogged down the app.
Is that what happened?
My understanding is that their back end could not handle the traffic volume. That is functionally equivalent to being DOS'd. Regardless of whether or not the people making the requests want them to be served or just want to waste your resources the legitimate requests were not served. Down is down.
A DOS attack isn't exactly a good way of doing a back end stress test. You could survive that by hiding behind cloudflare or something ... still have your back end buckle with legitimate traffic.
A staged DOS is exactly how you perform a back end stress test actually. This is industry standard. It's what testers do every time we want to know when our systems give up and fall over. The key is doing it on a prod like environment before going live.

Your "legitimate traffic" for a finite population of intended users should by definition not be capable of compromising the capacity of your system to operate if you have allocated your resources correctly unless your fundamental implementation is unsound.

Any excess traffic beyond a modest multiple of your expected turnout (i.e. the worst-case scenario where every citizen of Iowa decides to attend the primary) would by definition be either potential tampering via fuzzing by unintended actors trying to inundate servers to drown out or frustrate your expected userbase, or the most accident/mistake-prone gaggle of users ever.

Not saying that happened or that I've seen anything that says it did, I just find your assertion odd that you'd think that a staged DOS in the testing phase against your infrastructure isn't how performance testing works.

>a staged DOS in the testing phase against your infrastructure isn't how performance testing works.

That's exactly what I'm saying... that's not a good test for performance.

It's a good test to see how your DOS mitigation plans work, but it's not a good test for production traffic performance.

True, there are many ways to stop a DOS that can't be used to survive legitimate traffic, but in any case a well-rounded security test for an application that's uptime sensitive will probably determine performance bounds for the application. You kind of need to do that in order to cover your ass when the client inevitably installs it in a different kind of black box than you tested it on.
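The "staged DOS on a prod-like environment" from the earlier comment and the "determine performance bounds" point above, as an added example that is not from this thread and has nothing to do with whatever the Iowa app actually ran: a small load-test harness that ramps client concurrency against a throwaway local HTTP server and reports the first stage at which the failure rate crosses a threshold. The server is a stand-in with assumed numbers (four concurrent workers, 50 ms of work per upload, excess requests shed with a 503); the `/results` path and the `precinct=17&delegates=3` payload are made up for the demo.

```python
"""Staged load test against a toy results-upload backend (added example)."""
import threading
import time
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SERVICE_TIME_S = 0.05   # assumed: backend work per upload
MAX_INFLIGHT = 4        # assumed: backend capacity (concurrent workers)


class ResultsHandler(BaseHTTPRequestHandler):
    """Stand-in backend: at most MAX_INFLIGHT uploads at once, the rest get 503."""
    inflight = threading.Semaphore(MAX_INFLIGHT)

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if not self.inflight.acquire(blocking=False):
            self._reply(503)           # load shedding: fail fast instead of queueing
            return
        try:
            time.sleep(SERVICE_TIME_S)  # simulated work (db write, validation, ...)
            self._reply(200)
        finally:
            self.inflight.release()

    def _reply(self, status):
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):      # keep the demo quiet
        pass


def start_server():
    """Bind the toy backend to a free loopback port and serve in the background."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), ResultsHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def one_request(url, timeout):
    """POST one (constructed) precinct result; return (succeeded, latency_seconds)."""
    req = urllib.request.Request(url, data=b"precinct=17&delegates=3", method="POST")
    t0 = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            ok = resp.status == 200
    except (urllib.error.URLError, OSError):  # HTTPError (503), timeouts, resets
        ok = False
    return ok, time.perf_counter() - t0


def run_stage(url, concurrency, requests_per_worker, timeout=2.0):
    """One load stage: `concurrency` clients each uploading sequentially."""
    def worker(_):
        return [one_request(url, timeout) for _ in range(requests_per_worker)]

    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        results = [r for batch in pool.map(worker, range(concurrency)) for r in batch]
    latencies = sorted(lat for _, lat in results)
    failures = sum(1 for ok, _ in results if not ok)
    return {
        "concurrency": concurrency,
        "requests": len(results),
        "failure_rate": failures / len(results),
        "p95_s": latencies[int(0.95 * (len(latencies) - 1))],
    }


def find_breaking_point(url, stages=(1, 2, 4, 8, 16, 32, 64), max_failure_rate=0.01):
    """Ramp concurrency; return the first stage whose failure rate exceeds the budget."""
    for concurrency in stages:
        stage = run_stage(url, concurrency, requests_per_worker=5)
        if stage["failure_rate"] > max_failure_rate:
            return stage
    return None


if __name__ == "__main__":
    server = start_server()
    endpoint = f"http://127.0.0.1:{server.server_address[1]}/results"
    print(find_breaking_point(endpoint))
    server.shutdown()
```

Run it and the knee shows up right where the assumed capacity predicts (somewhere above four concurrent uploaders); the real lesson is the shape of the harness, not the numbers: fix the expected turnout, ramp past a multiple of it, record failure rate and tail latency per stage, and do it against something that looks like production before the event, because a backend that sheds load with a 503 and one that silently queues until clients give up both read as "down" to the precinct chair holding the phone.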
I'm not really sure DHS was offering anything like that though.