[liberationtech] An ‘Off-the-Shelf, Skeleton Project’: Experts Analyze the App That Broke Iowa
Thomas Delrue
thomas at epistulae.net
Sat Feb 8 22:26:50 CET 2020
Let's also not forget about the systemic issues that lead to the
symptoms as described in the article. The problem is not the symptoms,
the problem is why those symptoms are there in the first place...
I don't remember where I found this, but this is very apt (and while I
do not condone all viewpoints in this blurb, the gist of it, I think is
accurate):
---BEGIN---
And that is the direction programming has taken since Day 1. As the old
saying goes, there's never enough money to do it right, but there's
always money to do it over.
Once upon a time programmers were engineers. With a degree. From a
proper university. Nowadays, programmers are anyone with a keyboard.
That might be good from a diversity point of view, but the downside is
that those who can properly analyze a project and write good code are
drowned in the masses of rent-a-suit shops and shipped-in-from-overseas
keyboard mashers who may or may not have the chops but whose main
quality is being cheap.
Let me put this another way: my wife is fanatical about shoes. She has
upwards of sixty pairs and, every time we stroll the streets of a new
town or city we've never been to before, she can't help but be
magnetically attracted to any store front that has pairs on display.
After 15 years of marriage (that was already a good while back), she
surprised me one day when, out of the blue, she declared that she was
fed up with buying cheap shoes. She stated, and I quote: "I'd rather
have one or two good pairs a year than buy a pair every month that won't
last more than 8 months". I lit a candle that day.
There is a market for cheap shoes, throwaway items that won't last, and
that's fine. There is also a market for quality items that people need,
items that will endure and give pride and pleasure to their owners for a
long time.
DevOps is the cheap throwaway market. Everything is described to make
everyone believe that whatever issues exist will be solved by the next
iteration, so they are not important.
Sorry, but programming is not cheap. Programming is the very lifeblood
of companies today, and there are some unavoidable medical practices and
costs when it comes to dealing with lifeblood. The slew of hacking
issues of last year (2017) demonstrate clearly that security is not
something you just pay lip service to.
I would like the industry to take a step back and realize that nothing
that has ever been made in a rush has ever lasted or performed as expected.
I would also like to win the lottery.
I know which has a better chance of happening.
----END----
On 2/8/20 11:10, Yosem Companys wrote:
> Excerpts:
>
> Rahjerdi said that the app contains default React Native metadata
> and that it comes off as a "very very off the shelf skeleton project
> plus add your own code kind of thing. Honestly, the biggest thing
> is—I don’t want to throw it under the bus—but the app was clearly
> done by someone following a tutorial. It’s similar to projects I do
> with my mentees who are learning how to code," Rahjerdi said. "They
> started with a starter package and they just added things on top of
> it. I get deja vu from my classes because the code looks like
> someone Googled things like 'how to add authentication to React
> Native App' and followed the instructions," Rahjerdi said.
>
> A team of researchers at Stanford University, including former
> Facebook chief security officer Alex Stamos and students Jack Cable,
> Pierce Lowary, and Alex Zaheer, said that while analyzing the app,
> they found potentially concerning code within it, including
> hard-coded API keys. Motherboard decompiled the app and verified the
> presence of an API key. Stamos' concern was that a hacker could
> potentially change or reset data on the servers. Stamos added that
> he was not comfortable probing the company's backend without its
> permission. Shadow insisted that the app was configured correctly.
>
> An ‘Off-the-Shelf, Skeleton Project’: Experts Analyze the App That Broke
> Iowa
> Multiple experts analyzed Shadow Inc.’s Iowa caucus app. They found all
> kinds of problems.
> vice.com
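The hard-coded API key the Stanford team found by decompiling the app is the kind of defect a secret scanner over the built JavaScript bundle catches before release. The following is an added example, not code from the article, the list post, Shadow Inc. or the app: a small scanner that combines well-known vendor key prefixes (AWS, Google, Stripe) with a generic "credential-looking name assigned a string literal" rule, using Shannon entropy to drop placeholders such as YOUR_KEY_HERE. The sample bundle, the key values and the name `scan_bundle` are all constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample of a decompiled React Native JS bundle (hypothetical; not the Iowa app's code).
SAMPLE_BUNDLE = """\
var config={apiBaseUrl:"https://api.example.invalid/v1",apiKey:"AKIAABCDEFGHIJKLMNOP"};
var firebaseConfig={"apiKey":"AIzaSyA0b1c2d3e4f5g6h7i8j9k0l1m2n3o4p5q","projectId":"demo"};
var stripe=require("stripe")("sk_live_a1b2c3d4e5f6g7h8");
var authToken="b7f3e9a1c2d4f6a8e0b1c3d5f7a9e2c4";
var analyticsToken="YOUR_KEY_HERE";
"""

# Vendor key formats with fixed, documented prefixes: AWS access key IDs,
# Google API keys and Stripe live secret keys. A match is a strong signal on its own.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
}

# Generic rule: an identifier that looks like a credential name, assigned a
# quoted literal of 12 or more non-space characters (covers `x = "..."`, `x: "..."`, `"x": "..."`).
GENERIC = re.compile(
    r"""(?P<name>\w*(?:api[_-]?key|secret|token|password)\w*)["']?\s*[:=]\s*["'](?P<value>[^"'\s]{12,})["']""",
    re.IGNORECASE,
)

# Bits per character; placeholders like YOUR_KEY_HERE sit well below real key material.
GENERIC_MIN_ENTROPY = 3.0


def shannon_entropy(s: str) -> float:
    """Entropy per character of s, estimated from its character frequencies."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Redact a secret for the report: keep only the first 4 and last 2 characters."""
    return value[:4] + "..." + value[-2:]


def scan_bundle(text: str) -> list[dict]:
    """Return one finding per distinct hard-coded credential in a JS bundle, in file order."""
    findings = []
    seen = set()  # values already reported, so the generic rule does not duplicate a vendor match
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                if m.group(0) not in seen:
                    seen.add(m.group(0))
                    findings.append({"line": lineno, "kind": kind, "value": mask(m.group(0))})
        for m in GENERIC.finditer(line):
            value = m.group("value")
            if value in seen or shannon_entropy(value) < GENERIC_MIN_ENTROPY:
                continue
            seen.add(value)
            findings.append({"line": lineno, "kind": "generic:" + m.group("name"), "value": mask(value)})
    return findings


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"line {f['line']}: {f['kind']} -> {f['value']}")
```

Run it as a CI step over the bundle a React Native build produces (the same artifact anyone can pull out of the shipped APK or IPA) and fail the build on any finding; the report masks values so the scanner's own log does not become a second copy of the secret. The entropy cut-off is a heuristic, so tune it against your codebase rather than treating a quiet run as proof that nothing is embedded.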