This week there has been news of problems with high-profile mobile apps in politics and aviation.
Iowa has already won the worst IT rollout award of 2020: Rap for crap caucus app chaps in vote zap flap
Untested tech, no training, last-minute rollout, buggy code – sound familiar?
https://www.theregister.co.uk/2020/02/04/iowa_caucus_software/
‘We Feel Really Terrible,’ Says CEO Whose App Roiled Iowa Caucus
https://www.bloomberg.com/news/articles/2020-02-05/-we-feel-really-terrible-says-ceo-whose-app-roiled-iowa-caucus
The chief executive of the technology company whose app threw the Iowa caucuses into disarray Monday night defended his company but apologized for a technological glitch that angered candidates, left voters baffled and upended the opening act of the 2020 Democratic presidential primary.
After reading those articles, it looks like the usual story in the IT industry: incompetent programmers and management, bugs in the app, and insufficient training and testing of the users for the login process. Test our code? Why, it works… Due to the always tight deadline, we’re going straight to production.
Maybe they should have used DevSecOps or another process that slightly reduces the possibility of complete failure on launch day.
Also, most airports seem to have many potentially serious problems with their mobile apps and web sites. But fortunately Finland was one of the few that did OK.
“100 percent of the mobile apps contain at least two vulnerabilities.”
Only three of the Top 100 international airports pass basic (cyber) security checks
https://www.zdnet.com/article/only-three-of-the-top-100-international-airports-pass-basic-security-checks/
The three are the Amsterdam Schiphol Airport in the Netherlands, the Helsinki Vantaa Airport in Finland, and the Dublin International Airport in Ireland.
Tests involved scanning public websites, mobile apps, and exposures of sensitive airport data on public code repositories and the dark web.
According to ImmuniWeb, these three “may serve a laudable example not just to the aviation industry but to all other industries as well.”
Cybersecurity lacking at most of the world’s major airports
https://www.scmagazine.com/home/security-news/cybersecurity-lacking-at-most-of-the-worlds-major-airports/
When it comes to cybersecurity, Amsterdam, Helsinki and Dublin were ranked the three safest airports by ImmuniWeb, but overall these facilities fared poorly when it came to protecting their websites, mobile platforms and systems. The study found 97 of the world’s 100 largest airports have security risks related to vulnerable web and mobile applications, misconfigured public cloud, dark web exposure or code repository leaks.
17 Comments
Tomi Engdahl says:
Iowa:
I keep hearing they were using free versions of platforms to run their shit. Sounds more like incompetence and/or inexperience to me.
Tomi Engdahl says:
Someone making fun of this at
https://www.facebook.com/groups/2600net/permalink/2639078039648638/
and
https://www.facebook.com/groups/majordomo/permalink/10158419303069522/
Tomi Engdahl says:
Motherboard Publishes ‘Shadow’ App That Blew Up the Iowa Caucus
https://tech.slashdot.org/story/20/02/05/2332208/motherboard-publishes-shadow-app-that-blew-up-the-iowa-caucus?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Motherboard has chosen to publish the app used to tabulate early voting results in Iowa’s Democratic Presidential primary. According to editor-in-chief Jason Koebler, “Trust and transparency are core to the U.S. electoral process,” and “that’s why Motherboard is publishing the app that malfunctioned in Iowa.”
Here Is a Link to the App that Blew Up the Iowa Caucus
Trust and transparency are core to the U.S. electoral process. That’s why Motherboard is publishing the app that malfunctioned in Iowa.
https://www.vice.com/en_us/article/z3b3g9/here-is-a-link-to-the-shadow-inc-app-that-blew-up-the-iowa-caucus
In the run-up to the primary, the Iowa Democratic Party (IDP) declined to name Shadow as the company that developed the app. The IDP reportedly declined an offer by the Department of Homeland Security to test the app in advance.
Tomi Engdahl says:
DHS chief says offer to vet Iowa caucus app was declined
https://thehill.com/policy/cybersecurity/481409-dhs-chief-says-offer-to-vet-iowa-caucus-app-was-declined
An ‘Off-the-Shelf, Skeleton Project’: Experts Analyze the App That Broke Iowa
Multiple experts analyzed Shadow Inc.’s Iowa caucus app. They found all kinds of problems.
https://www.vice.com/en_us/article/3a8ajj/an-off-the-shelf-skeleton-project-experts-analyze-the-app-that-broke-iowa
Tomi Engdahl says:
How a Bad App Plunged Iowa Into Chaos
https://politics.slashdot.org/story/20/02/05/1343254/how-a-bad-app-plunged-iowa-into-chaos
The morning after caucus-goers filed into high-school gyms across Iowa, the state’s Democratic Party is still unable to produce results. The app it developed for precisely this purpose seems to have crashed. The party was questioned before by experts about the wisdom of using a secretive app that would be deployed at a crucial juncture, but the concerns were brushed away. Troy Price, the state party’s chairman, claimed that if anything went wrong with the app, staffers would be ready “with a backup and a backup to that backup and a backup to the backup to the backup.” And yet, more than 12 hours after the end of the caucus, they are unable to produce results. Last night, some precinct officials even waited on hold for an hour to report the results — and got hung up on. It appears that the Iowa Democrats nixed the plan to have precincts call in their results, and instead hired a for-profit tech firm, aptly named Shadow, to tally the caucus results. The party paid Shadow $60,000 to develop an app that would tally the results, but gave the company only two months to do it. Worried about Russian hacking, the party addressed security in all the wrong ways: It did not open up the app to outside testing or challenge by independent security experts.
This method is sometimes dubbed “security through obscurity,” and while there are instances for which it might be appropriate, it is a fragile method, especially unsuited to anything public on the internet that might invite an attack.
Iowa Caucus Debacle is One of the Most Stunning Tech Failures Ever
https://politics.slashdot.org/story/20/02/04/1835228/iowa-caucus-debacle-is-one-of-the-most-stunning-tech-failures-ever
Tomi Engdahl says:
Who Needs the Russians?
Don’t blame shadowy foreign hackers for the chaos in Iowa. Blame Shadow’s caucus app.
https://www.theatlantic.com/technology/archive/2020/02/bad-app-not-russians-plunged-iowa-into-chaos/606052/
You may be wondering if the Iowa caucus chaos is a hit job by election-meddling Russians. The morning after caucus-goers filed into high-school gyms across Iowa, the state’s Democratic Party is still unable to produce results. The app it developed for precisely this purpose seems to have crashed. The party was questioned before by experts about the wisdom of using a secretive app that would be deployed at a crucial juncture, but the concerns were brushed away. Troy Price, the state party’s chairman, claimed that if anything went wrong with the app, staffers would be ready “with a backup and a backup to that backup and a backup to the backup to the backup.” And yet, more than 12 hours after the end of the caucus, they are unable to produce results. Last night, some precinct officials even waited on hold for an hour to report the results—and got hung up on.
If the Russians were responsible for this confusion and disarray, that might be a relatively easy problem to fix. This is worse.
Iowa caucus official on hold for over an hour to report results. They hung up on him on live TV.
https://eu.usatoday.com/story/news/politics/2020/02/04/2020-iowa-democratic-caucus-official-hung-up-while-live-cnn/4653203002
Tomi Engdahl says:
Here Is a Link to the App that Blew Up the Iowa Caucus
Trust and transparency are core to the U.S. electoral process. That’s why Motherboard is publishing the app that malfunctioned in Iowa.
https://www.vice.com/en_us/article/z3b3g9/here-is-a-link-to-the-shadow-inc-app-that-blew-up-the-iowa-caucus
Motherboard is publishing the app used to tabulate early voting results in Iowa’s Democratic Presidential primary.
The app, called IowaReporter, ultimately won’t affect the vote totals of the Iowa caucuses, which are being recounted with paper ballots and other hard documentation. But the app’s failure—and the widespread attention this failure has received—spurred chaos on election night, followed by speculation, conspiracy theories, and political jockeying.
To try to combat that misinformation, it’s necessary to offer complete transparency on what the app is, what it can and cannot do, and why it failed.
Election tech companies and the media are pushing for faster ways of reporting vote totals using apps like IowaReporter, which was developed by a company called Shadow Inc. But experts still agree that the most reliable, secure method of tallying votes is by using an offline solution that has a paper backup. In Iowa, the app was only intended for early vote reporting, which is used to disseminate results to the media. Once the app began failing on Monday night, Iowa abandoned it. The DNC confirmed to Motherboard that the app won’t be used again in any subsequent primary election, and Shadow Inc. told Motherboard that the app’s back-end servers have been completely disconnected.
Companies like Facebook, Google, and Apple use bug bounty programs to secure software by having a wide range of security experts test for vulnerabilities that are then patched. Tech companies also increasingly use open source software, and penetration testing is now one of the cybersecurity world’s largest sectors.
In the run-up to the primary, the Iowa Democratic Party (IDP) declined to name Shadow as the company that developed the app. The IDP reportedly declined an offer by the Department of Homeland Security to test the app in advance.
“The app was sound, the data that came out of the app was sound, the math that was done on the app was sound,” Gerard Niemira, CEO of Shadow Inc., told Motherboard. “All the results we collected on the app were sound and have been verified as such,” but he did acknowledge that, when caucus data was being moved to an IDP validation server for verification, a data formatting problem resulted in an error that caused some of Monday’s problems.
Motherboard obtained a copy of the app. By decompiling and analyzing it, it’s possible to learn more about how the app was built and what might have gone wrong during the Iowa caucus. We reached out to several security researchers and asked them to analyze it for us, and have published an article about their findings.
Motherboard waited to publish the app until Shadow, which controls the app’s back-end servers and accounts, confirmed that it had been taken offline.
What we are publishing is an inert app that is no longer being used for an election, that the DNC has stated will not be used in future elections, and that is no longer connected to backend servers or services.
We are publishing the Android .apk file on our website.
https://vice-sundry-assets-cdn.vice.com/sites/iowa-caucus-app/iowa-caucus-app.apk
Tomi Engdahl says:
An ‘Off-the-Shelf, Skeleton Project’: Experts Analyze the App That Broke Iowa
Multiple experts analyzed Shadow Inc.’s Iowa caucus app. They found all kinds of problems.
https://www.vice.com/en_us/article/3a8ajj/an-off-the-shelf-skeleton-project-experts-analyze-the-app-that-broke-iowa
The app, called IowaReporterApp and developed by a company called Shadow Inc., malfunctioned during the caucus, causing mass chaos and delaying the public reporting of results until Tuesday evening. The app was designed to rapidly report early results, not tabulate final vote counts. That means its failure will not result in the election result being altered.
“Honestly, the biggest thing is—I don’t want to throw it under the bus—but the app was clearly done by someone following a tutorial. It’s similar to projects I do with my mentees who are learning how to code,” Rahjerdi said. “They started with a starter package and they just added things on top of it. I get deja vu from my classes because the code looks like someone Googled things like ‘how to add authentication to React Native App’ and followed the instructions,” Rahjerdi said.
“The mobile app looks hastily thrown together,” Dan Guido, CEO of cybersecurity consulting firm Trail of Bits, told Motherboard.
IowaReporterApp had a few basic functions, according to the experts who analyzed it:
Once a precinct chair logged in using a precinct identifier number, PIN code, and two-factor authentication, they were run through some basic information about how to run a caucus.
Precinct chairs were asked to enter the total number of attendees at a caucus.
Precinct chairs were then asked to enter vote totals for the first round of the caucus and the second round of the caucus. The app was then supposed to calculate how many delegates each candidate was supposed to be awarded.
The app was supposed to then send these results to a Google Cloud Functions backend. That backend was controlled by Shadow.
In an interview with Motherboard, Shadow CEO Gerard Niemira said that the app was simple by design.
Tomi Engdahl says:
Cyber experts weigh in on the app that crashed the Iowa caucus
https://m.youtube.com/watch?feature=share&v=YbZ8zLH6T1A
Published 5.2.2020
Glitches with a newly-designed app caused a major delay in the release of the Iowa caucus results. CNET senior producer Dan Patterson spoke with cyber experts about why the launch backfired, as he takes a look inside the latest vote-tallying technology.
Tomi Engdahl says:
How Did Iowa Get So Thoroughly Caucus Blocked?
https://m.youtube.com/watch?v=tQgohRj5tOs
Published 5.2.2020
On the first day of official voting in the 2020 Democratic primary, new reporting procedures failed and paralyzed the counting of votes in the Iowa caucus. #Colbert #Comedy #IowaCaucus
Tomi Engdahl says:
“According to numerous reports since the app malfunctioned on the night of the Iowa Caucuses, the software was hastily put together by people lacking adequate technical experience and rushed out the door in less than two months time…numerous perspectives and analysis from tech and security professionals… said the software looks basically like an app built by a student learning how to program and following online tutorials”
https://www.vice.com/en_us/article/3a8ajj/an-off-the-shelf-skeleton-project-experts-analyze-the-app-that-broke-iowa
Tomi Engdahl says:
Joe Biden flopped in Iowa. And so did the Democratic party’s reputation
https://www.theguardian.com/commentisfree/2020/feb/04/joe-biden-flopped-badly-iowa
Tomi Engdahl says:
The Iowa caucuses just died forever
https://www.cnn.com/2020/02/04/politics/future-of-iowa-caucuses/index.html
An hours-long delay in reporting results from the Iowa caucuses raised serious questions about the process.
It was not immediately clear exactly why Iowa Democrats were slow to report the results — they said in a statement they were checking for accuracy after finding inconsistencies
Tomi Engdahl says:
Nevada Democrats Will No Longer Use App That Failed During The Iowa Caucuses
https://www.forbes.com/sites/rachelsandler/2020/02/04/nevada-democrats-will-no-longer-use-app-that-failed-during-iowa-caucuses/
Tomi Engdahl says:
Iowa’s caucus app was a disaster waiting to happen
https://techcrunch.com/2020/02/04/iowa-caucus-app-disaster/
A smartphone app designed to help announce the results of the Iowa caucus ended up crapping out and causing a massive delay by almost an entire day.
The Iowa caucus traditionally uses gatherings of people in counties across the state to determine which candidates they want to back for the presidential nomination. They use a paper trail as a way of auditing the results. While Iowa may have only 41 delegates needed out of 1,990 to nominate a Democratic candidate, the results are nevertheless seen as a nationwide barometer for who might be named to the ticket.
Tomi Engdahl says:
VOTE WATCH
‘Clog the lines’: Internet trolls deliberately disrupted the Iowa caucuses hotline for reporting results
https://www.nbcnews.com/tech/security/clog-lines-iowa-caucus-hotline-posted-online-encouragement-disrupt-results-n1131521
Several officials at caucuses attended by NBC News reporters struggled with lengthy hold times that made it impossible for them to report results over the phone.
The phone number to report Iowa caucus results was posted on a fringe internet message board on Monday night along with encouragement to “clog the lines,” an indication that jammed phone lines that left some caucus managers on hold for hours may have in part been due to prank calls.
Tomi Engdahl says:
New Details Show How Deeply Iowa Caucus App Developer Was Embedded in Democratic Establishment
https://theintercept.com/2020/02/04/iowa-caucus-app-shadow-acronym/
DEMOCRATIC OPERATIVE Tara McGowan is denying that her high-profile liberal firm ACRONYM played a role in the Monday evening caucus debacle, claiming that her firm was merely an investor in the company Shadow Inc., which developed the app at the center of the controversy. But internal company documents, a source close to the firms, and public records show a close and intertwined relationship between Acronym and Shadow.
In addition, ahead of the caucuses, questions swirled inside Shadow over the company’s ability to deliver a quality product, and there was concern from at least one staff member that senior leaders of Shadow and Acronym — both of which were launched as a new Democratic bulwark against President Donald Trump — have been far from neutral in the Democratic primary.