• minoscopede@lemmy.world
    1 day ago

    Context: I worked in IAM (computer security) at a past job.

    In computer security, we don’t wait to get proof that a vulnerability was exploited. We have to operate under the assumption that any vulnerability was immediately exploited, and take immediate action to fix it and limit the impact. Doubly so when the stakes are high.

    We need popular support to get real security experts to investigate these claims. If there was even a single path that could have led to a vulnerability of this scale, we need to completely secure these systems and do an immediate recount/re-vote.

    I’ll also say, I was surprised to learn that these voting systems and their specs are not fully public and open source. That alone makes me very uncomfortable. Security through obscurity is not security at all.