

Argentinean programmer's house raided after he found a security breach - santiagobasulto
https://twitter.com/_joac/status/617152001504378880

======
santiagobasulto
Some context: He found a security breach in the public voting system of Buenos
Aires city, Argentina (elections are tomorrow). He brought it to awareness
yesterday:
[http://www.lanacion.com.ar/1807352-denuncian-un-agujero-de-s...](http://www.lanacion.com.ar/1807352-denuncian-un-agujero-de-seguridad-en-el-sistema-de-votacion-electronica-que-se-usara-el-proximo-domingo)

The tweet reads:

After finding a vulnerability in the voting system they're raiding my house,
people from computer forensics.

------
r721
Broad summary of what's been going on the last few days in Buenos Aires,
Argentina (by /u/sebadoom):

[https://gist.githubusercontent.com/sebadoom/f0eedcba2f39e3e0...](https://gist.githubusercontent.com/sebadoom/f0eedcba2f39e3e07a1c/raw/c168b48210bf7f85029545743891e7e4f8c95df4/gistfile1.txt)

------
demian
There are several bugs in the system reported by local engineers, like being
able to add multiple votes to a single voter's RFID chip.

This is a scandal and a complete failure at several levels, not only for the
local city government but for respected institutions like the University of
Buenos Aires which got _paid_ to audit the system.

And this is all happening on the same day as the America Cup (Copa America)
Final between Chile and Argentina, so people are numb to most of this news.

------
alvare
He is accused of leaking the private information of 2000 people involved in
the electoral operation.

That's why he was raided. Not because of the alleged vulnerabilities he found.

~~~
wmt
That would sound more reasonable, do you have a source for that or is that
just hearsay?

~~~
alvare
[https://twitter.com/fraudevotar](https://twitter.com/fraudevotar)

[http://justpaste.it/votarleaks6](http://justpaste.it/votarleaks6)

------
embik
What kind of people order such a raid? What's the mindset behind that
decision? Their own team wasn't good enough to catch the breach (hell, the
whole thing sounds like a train wreck) and now they try to silence people who
reveal their incompetence?

~~~
jamra
The same administration that just assassinated a prosecutor that had written
out an arrest warrant against her.

~~~
demian
Wrong.

The federal government is from a different political party, they are NOT the
same people that are running the local city government. The police that raided
this guy's house was the metropolitan police (BA city police), not the federal
police.

~~~
hobarrera
Important correction: the "metropolitan police" is _not_ the city police.
Legally speaking, it's more of a private army that only answers to the
executive branch of the city's government. Yes, it's incredibly amazing that
such a thing exists.

"Police" is just a word in the name of the institution.

~~~
demian
Thanks for the correction, I didn't know.

------
hobarrera
He posted the same on the python argentina mailing list last night.
Unbelievable; he merely published security holes on publicly available code.

Nothing wrong (neither legally nor morally) there. It's not the first hole to get
published recently either.

~~~
threeseed
It IS legally and morally wrong to reveal security holes before there has been
an opportunity for it to be fixed though. Security researchers almost always
do the "right thing" before potentially unleashing mayhem.

Not saying he didn't do this, just that it isn't a black/white issue.

~~~
madaxe_again
If it's less than 24 hours before the election, it's absolutely right to go
public.

Or are you in favour of electoral fraud? Republican, perchance? Work for
diebold?

~~~
DanBC
He should have disclosed it to the regulators before going public.

~~~
NickNameNick
The debate between 'responsible disclosure' and public or 'full disclosure'
has been argued ad nauseam elsewhere, but it really comes down to trust.

If you don't trust the people you are responsibly disclosing to, to actually
fix the problem, or worse to not sue you or attempt to get you charged as a
criminal (the CFAA is particularly abusable), then full, public disclosure may
be your only option to force the vendor to fix their product or service.

Remember, it's already broken, and you may not be the first person to have
noticed.

