by jonathanwallace 1700 days ago
I served in the Georgia legislature during a portion of a similar story. Without a doubt, the calculations throughout the story were political not technical.

In the Georgia version, the technical details of the exposed information in the Secretary of State's office were facepalmingly simple (misconfigured Apache directives), yet the story dragged on politically for years.

Quickly, a hired security researcher for a corporate client found all registered voters' info and instructional PDFs with credentials for the elections system publicly indexed by Google. They responsibly disclosed. The Apache configuration was updated to "use encryption" (moved from HTTP to HTTPS) but still left the info indexed by Google over HTTPS vs. HTTP. Eventually, this information became public.

The state attempted to prosecute the security researcher but found no state statutes they could use. They then used this incident as a base to create a bill to criminalize the security researcher's actions.

As a state rep, I worked very hard to push back on a bad bill spawned by the incident that would've criminalized responsible disclosure.

Only due to bi-partisan efforts from technically versed people were we able to get the Governor at the time to veto the bill.

https://www.snopes.com/ap/2017/06/15/researcher-finds-georgi...

https://www.ajc.com/news/state--regional-govt--politics/comp...
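The comment above says only "misconfigured Apache directives", so the following is an added defender-side illustration, not configuration from the thread or from the Georgia incident record. It assumes the exposure was a directory listing (an `Options Indexes` setting on a tree that also held sensitive files); the hostname, paths, and auth file are hypothetical. It shows why turning on TLS alone did nothing: the listing is served identically over HTTPS.

```apache
# Added example, not from the thread. Assumption: the exposed data sat in a
# web-served directory with listings enabled. All paths are hypothetical.

# --- Weak: every file under /var/www/html/docs is enumerable by anyone,
# including search-engine crawlers. Adding SSLEngine to this vhost only
# changes the transport; the listing (and the files) are still served.
<VirtualHost *:443>
    ServerName example.invalid
    SSLEngine on
    # ... certificate directives omitted ...
    DocumentRoot /var/www/html
    <Directory "/var/www/html/docs">
        Options Indexes FollowSymLinks
        Require all granted
    </Directory>
</VirtualHost>

# --- Corrected: listings off for the whole DocumentRoot, sensitive
# material moved outside it, and the part that must stay web-served put
# behind authentication and marked noindex (X-Robots-Tag needs mod_headers).
<VirtualHost *:443>
    ServerName example.invalid
    SSLEngine on
    # ... certificate directives omitted ...
    DocumentRoot /var/www/html
    <Directory "/var/www/html">
        Options -Indexes +FollowSymLinks
        Require all granted
    </Directory>
    # Internal instructions live outside the DocumentRoot and are reachable
    # only through an authenticated alias.
    Alias /internal-docs /srv/internal-docs
    <Directory "/srv/internal-docs">
        Options -Indexes
        AuthType Basic
        AuthName "Staff only"
        AuthUserFile /etc/apache2/internal.htpasswd
        Require valid-user
        Header set X-Robots-Tag "noindex, nofollow"
    </Directory>
</VirtualHost>
```

After the change, `apachectl configtest` should pass, and a request for a directory with no index file now returns 403 instead of a file list. Two caveats follow from the thread's own timeline: copies that search engines have already crawled stay in their index until they are removed there separately, and credentials that appeared in the exposed PDFs have to be rotated; neither is fixed by the config alone.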

3 comments

That's insane, thank you for your work.

It reminds me of this story in Iowa, where pentesters were arrested and charged with felonies for breaking into a courthouse they were hired to infiltrate:

https://darknetdiaries.com/episode/59/

I'm not an expert in this area, but was interested in that story when it happened. Reading commentary from others in the industry suggested that they were, at best, naive in their handling of that contract. Yes, charging them was a political act to save face, but they put themselves in that position through ignorance. Quite a different situation from a reporter and responsible disclosure, in my opinion.

Thank you for your service.

The other giant thread here made it more directly partisan; this just sounds crazy, though. On what rational grounds do you attempt to prosecute or make such things illegal? Is it simply trying to save immediate expenditure of money in a myopic fashion? Or is it more akin to "they don't believe it's the state's responsibility to put that data online in the first place, so f-it-all-to-hell and everything around it"? "My constituents don't understand this, so I'm just going to oppose my opponent's actions, regardless"?

In your opinion, is there a way to fix this sort of thing? It feels like we're watching it writ large with the January 6 committee.

I'll take your biggest question first.

> In your opinion, is there a way to fix this sort of thing?

Yes, it requires patient, reasonable, intelligent people operating in good faith to sacrifice personal comfort, etc. and get involved in politics.

Politics is literally a zero-sum game when it comes to voting as it is currently structured in most of the United States.*

But when people with the above characteristics get involved, it literally moderates the extremism that we decry. No matter the level (local, state, or federal), whether you decide to run for office, help others run for office, get involved with a party, or find a particular issue, being involved makes a difference. You may not be able to easily quantify it, but it does make an impact. You may also be bringing a critical perspective in short supply to the political process, too.

> On what rational grounds do you attempt to prosecute or make such things illegal?

I heard four reasons for the 2017-2018 SB 315 bill.

1. To ensure that the next time someone shared a vulnerability that made the state look bad, a D.A. would have the choice to bring a criminal case (which would obviously color perception of the story).
2. To bring the law into parity with Federal criminal statutes.
3. To give the Attorney General a "tough on cyber crime" campaign plank.
4. The banks were asking for help prosecuting criminals.

Here's the final text of the bill that passed the legislature: https://www.legis.ga.gov/api/legislation/document/20172018/1.... The most relevant text is lines 12-14 and the subsection carve-outs on lines 16-20.

For further context, voter rolls were already public information and can be acquired via a request to the SoS office.

The larger red flags were the default usernames and passwords in the instructional PDFs for the election systems.

Both of these symptoms (and more) spoke to a woefully underfunded or poorly run office w/r/t IT.

Getting more funds to have proper, well-secured systems takes political capital, and there's not a lot of return on that type of political capital expenditure.

The current SoS has an engineering background and I've been seeing much better public facing systems put in place during their tenure.

* Please, please, please, can we get approval-based voting?

Thank you, and thanks again for your service.

Wow, that is a great story. I am glad there was at least one rep (you) who understood Apache configuration.

Heh, understanding Apache configuration files just made me facepalm harder and wasn't really critical to seeing the impact on the cybersecurity industry if people aren't able to responsibly disclose.

The important thing was to take the time, speak to the bill's author, speak to my colleagues, build a coalition of lobbyists from industry (big companies, startups, etc.), and not stop fighting the bill even after it passed the legislature.