micaksica commented on Voting system to be used in West Virginia elections is vulnerable   twitter.com/GossiTheDog/s... · Posted by u/grey-area
jlarocco · 7 years ago
> If there is one thing I fail to understand it is the impulse to electronic-ify our elections.

Not that I'm disagreeing with you, but why would you expect anything different? As a layperson, why would I treat computerized voting any differently than online shopping or ordering an Uber or something like that?

The software engineering community deserves more blame for this type of thing. It's unreasonable to expect laypeople to be experts on every technology they use, and this crappy voting system didn't exactly write itself.

micaksica · 7 years ago
> This crappy voting system didn't write itself.

One of the downsides of programming being easily accessible and easy to get a job in is that there is no required standards body to write code. There's no way to fix this. The best you can do is refuse to hire people that worked on these or similar systems, and I'm sure they will find jobs somewhere within the government-contractor software engineering space.

micaksica commented on Voting system to be used in West Virginia elections is vulnerable   twitter.com/GossiTheDog/s... · Posted by u/grey-area
wnevets · 7 years ago
It's almost as if there is a group of folks who want elections to be easily hacked and manipulated.
micaksica · 7 years ago
IMO Occam's razor ends up here. Electronic voting systems do two things very well: obfuscate the system in a way that is relatively incomprehensible to a layman, and provide plausible deniability in the case of manipulation. Even if manipulation is discovered, you can chalk it up to a "bug" and re-run the manipulated election again. People are stupid, and most ordinary people only want to believe there's malice involved when they've run out of more pleasing cognitive options.

I believe that if this site enumerated all the ways that you can maliciously use computerized vs. paper voting systems, we would show a hell of a lot more benefits to a manipulator than a voter.

micaksica commented on Health Insurers Are Vacuuming Up Details About Customers   propublica.org/article/he... · Posted by u/marchenko
ryandrake · 7 years ago
The major problem with that is there is no price transparency. If I go see a doctor, I have no idea if I will end up with a $40, $400, $4000, or $40,000 bill until the bill comes months later and I have to pay it.

I’m relying on insurance because going to the doctor is such a financially risky gamble.

micaksica · 7 years ago
> If I go see a doctor, I have no idea if I will end up with a $40, $400, $4000, or $40,000 bill until the bill comes months later and I have to pay it. NO IDEA.

This is what's really strange about the American healthcare system. For everything else in America you can either get a price up front or an estimate of total costs up front. Why should going to the doctor be any different than going to a mechanic? Pay advertised flat rates for issue diagnosis, and get estimates for the problem.

Yes, in cases of emergency you can't really shop around too much, but the majority of the time you're going to a doctor, you could at least call and get estimates of how much things will cost. It's not even possible to do this with most healthcare organizations. If you call your doctor's reception and ask "how much will it cost for this visit?" they'll tell you they don't do billing and they won't know until it's processed by insurance.

Price transparency in the healthcare market - or at least some decent estimate of it - would be a great thing to see. American healthcare is ridiculously inefficient because it appears wholly designed to be byzantine.

micaksica commented on Timehop Security Incident, July 4th, 2018   timehop.com/security... · Posted by u/robbiet480
Yhippa · 7 years ago
> The breach occurred because an access credential to our cloud computing environment was compromised. That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.

Wow. Unbelievable that these companies take security for their prized assets way less seriously than I do. And I have much less at stake comparatively.

micaksica · 7 years ago
> Unbelievable that these companies take security for their prized assets way less seriously than I do.

A lot of engineering teams unfortunately see strong security as a hurdle to fast development, and/or security is given a lower priority than feature development or other deadlines. A lot of business units see security as a cost sink and have the "there's only so much we can do to protect ourselves, if they want it they can get it" or "it won't happen to us" mentality.

On the other hand, some companies have security built deeply into their lifecycle, and really care.


micaksica commented on A tool that lets you hear both Yanny and Laurel   nytimes.com/interactive/2... · Posted by u/collinmanderson
dogruck · 7 years ago
Am I alone in being able to hear both Yanny and Laurel in the sound?
micaksica · 7 years ago
No. I hear both simultaneously as well.


micaksica commented on Robinhood replaced “call” and “put” with “up” and “down”   twitter.com/AustenAllred/... · Posted by u/tejasmanohar
hn_throwaway_99 · 7 years ago
Honestly, this doesn't surprise me at all. The interface in Robinhood makes me think it can only be useful for people that have 0 idea what they are doing. Case in point: their graphs (at least on Android) have no labeled Y axis! Seriously, WTF.
micaksica · 7 years ago
> their graphs (at least on Android) have no labeled Y axis!

It's the same on iOS.

I can't say I'm happy with Robinhood. It's dumbing down something that can get you into a world of financial pain if you don't know what you're doing.

If they want to target people that don't understand what they are playing with, they shouldn't be giving away options/crypto access/margin buying to people that don't understand those concepts. Expect a lot of people to lose a lot of money. /r/stupidfinance has some pretty great posts in which people were left in the cold after playing with fire in RH.

micaksica commented on Kottke.org is 20 years old today   kottke.org/18/03/twenty... · Posted by u/artsandsci
dualogy · 7 years ago
> I was 24 years old and dumb as a brick. Oh sure, I’d had lots of book learning and was quick with ideas, but I knew shockingly little

Take note, fledglings! That was him, me, and with any luck, future you speaking.

micaksica · 7 years ago
So far, that's been me at every n+5 years or so.
micaksica commented on Npm operational incident, 6 Jan 2018   blog.npmjs.org/post/16943... · Posted by u/bradleyboy
tedivm · 8 years ago
> Unfortunately, the process was complicated by well-meaning members of the npm community who believed that a malicious actor or security breach was to blame and independently attempted to publish their own replacements for these packages. Ensuring the integrity of the affected packages required additional steps and time.

That is such a bad response to this.

The problem isn't that "well-meaning members of the community" decided to upload packages. The problem is that when their system decides that a package shouldn't be up it completely removes the package, as if it never existed, and allows the namespace to be reused immediately. Those "well-meaning members" should not even be able to hijack packages this way, as it means the people who aren't "well-meaning" can also do it.

What should happen is that they block downloads of the package while they investigate. That way people who attempt to download the packages get a meaningful error and people are unable to hijack the package name.

micaksica · 8 years ago
It's been literally years since node-forward got its talk about signing packages [1] with a lot of pushback from the npm team. Every time a new typosquatting article shows up, there's some more waffling by npm. left-pad happened to much consternation. Now this.

I used to really care about trying to harden the Node ecosystem, and last year it was one of my main goals. I tried to send multiple vulnerability reports, do mass static analysis of npm packages, and wanted to contribute more to the ecosystem, but the consistent ambivalent reactions of much of the community that I talked to turned me off of the project entirely. If npm wants to continue to be a security dumpster fire, let it burn. Node is a waste of security researchers' time and an honest goldmine for black hats looking to compromise relatively powerful novice webdev hardware.

I don't see it changing anytime soon. npm is a business that isn't focused on security. These things keep coming up, and yet npm install metrics I'm sure aren't decreasing. Until they face meaningful competition and/or the rest of the Node community begins to give even half a care to security outside of this forum, there will be no incentive for anyone to do anything about it. It's easier to play PR, give a little lip service to it and dodge the problem than it is to add any friction to their potential growth.

[1] https://github.com/node-forward/discussions/issues/29

u/micaksica

Karma: 1719 · Cake day: January 26, 2016
About
i work on web application security.

american west coast / singapore / 東京

the opinions expressed here are my own and not the opinions of my employer. they might not even be my own professional opinions. they are also subject to a lot of change, as they have through the years.
