
It seems almost a given that these election software companies will have an access configuration snafu that leaves them compromised in a way similar to Capital One or Equifax. But the article makes the case that the software makers and county officials are confused as to the basic definition of "air gap" (among other things):

> “There’s nothing connected to the firewall that is exposed to the internet,” Gary Weber, vice president of software development and engineering for ES&S, told Motherboard. “Our [election-management system] is not pingable or addressable from the public internet.” This makes them invisible to bad actors or unauthorized users, he said.

> But Skoglund said this “misrepresents the facts.” Anyone who finds the firewall online also finds the election-management system connected to it.

> “It is not air-gapped. The EMS is connected to the internet but is behind a firewall,” Skoglund said. “The firewall configuration [that determines what can go in and out of the firewall]… is the only thing that segments the EMS from the internet.”

I mean, it may very well be that the firewall setup is secure (at least in theory). But to insist that it represents an air-gapped system, as if "air-gapped" was just a marketing buzzword with no actual meaning, is a whole other level of incompetence.

(Of course, the quoted VP may actually be maliciously deceptive, but I'd argue that for all intents and purposes, the difference between malice and gross ignorance is relatively negligible when it comes down to the county official end user.)

For context, Kevin Skoglund is “an independent security consultant who conducted the research with nine others, all of them long-time security professionals and academics with expertise in election security.”

The VP is speaking in layman’s terms to bolster the image of his company.

Even though the researchers are not allowed to probe beyond the firewall, others will not be subject to these constraints.

The federal government needs to step in to protect these systems as a matter of national security. Require the vendor to undergo third-party security audits and not allow its use unless vulnerabilities are mitigated.
