Technical details can be found here (in Hebrew) [0]
The gist is that, amazingly, the url "/get-admin-users" would return a list of all admin users with their plaintext passwords... And that this url appeared in the html source of the site's landing page.
Hanlon fails due to second order effects. For instance, I have a "really secure" voting app to make, I hire 3 interns and give them 4 months to do it. Of course they're trying their hardest to make the app, and they'll likely fail. But hey, I'm non the wiser.
This. I have started to think of this rejoinder to Hanlon after the Iowa app fiasco.
Stupidity may be a great cover for uncoordinated malice leading to widespread negligence. A bit like “chaos monkey” but by those who’d like to rearrange the pieces.
I'd describe it as a vicious cycle of incompetence and misunderstanding risk. They exacerbate each other. It all begins with someone trying to get something done as cheaply as possible in an area about which they are ignorant.
Whether they are a "corrupt cowboy" or "cost-efficient genius" mostly depends on whether the project is a success, and that depends on luck.
We don't have the exact details here yet but I'm willing to bet that a rather fat contract was given to someone affiliated with a Likud center member (equivalent to a US party boss) who then sought the cheapest provider while pocketing the difference or maybe handed it to their relative.
Except in this case the decisions were probably made by an underqualified codeling at the bottom who possibly could not even been expected to know better and not take the assignment, that's the immediate stupidity part - the malice is what led to this situation in the first place and saw the result rolled to production.
Absolutely. Malice is almost always the cause. That's why Hanlon's razor is absurd. It supposes a version of human nature that doesn't exist. Surely humans are generally stupid, but they are also scheming, lying, manipulating, violent, and definitely malicious way more than they are stupid. History shows us this over and over again.
A few years back, a Ha'aretz journalist had to flee the country for a few years to avoid being targeted by the Israeli Security Service (Shabak or Shin-Bet) for having received leaked documents from a whistle-blower in the military. This was the Anat Qam - Uri Blau case. It's actually a bit more complex than that, you can look up the details.
Remember, "journalists" have the rights of ordinary people. They aren't an elite class. Anyone who speaks about the world to another person is a journalist.
That's like saying "anyone who learns about the world is a scientist". Journalism is not only made of information or opinions, at least it shouldn't be.
Although all you need to be a scientist is to use the scientific method properly, most people believe that you also need to have a PhD or a job that requires a lab coat
I've always wondered if israel tech wasn't half genius half crook. They come up with fantastic technologies sometimes, but i feel like a lot of people there are just using this image of the "tech nation" to build scam or just lousy products.
As an example, i was extremely surprised when an israeli airline company sent me my existing password in clear text via mail. For a country that's at the forefront of fighting terrorism and always assessing airplanes security, it seemed like an incredible mistake.
"Israeli tech" is tens of thousands of engineering+IT people, and thousands of managers and entrepreneurs. They don't do anything altogether. So they're not half-X-and-half-Y, they're a relatively typical distribution of people and organizations.
I believe this can even be generalized to all relatively large sample of X'ish Y. Forgetting this is one of the main reason of systemic bias on many topics, including the usual suspects.
Living in israel feel exactly like this. Like el al planes have last gen missile detector embedded, but theirs websites have been only IE compatible until recently.
It's very similar to the US: extremely high tech in some respects and low tech in other respects. Both countries lagged heavily in Chip and Pin which would the most obvious thing to a visitor.
There's a real phenomenon where the top talent works mostly for FAANG / other big tech's local r&d centers / top local start-ups - or are founders; The second tier mostly work for smaller start-ups; And the third tier work for companies and outsourcing shops targeting the local market, which is very small and thus these companies pay less.
This leads to a situation where apps and websites facing the local market are usually sub par, apart from the rare case where a good start-up uses it as a dogfood playground for new tech.
Does it mean we get to extrapolate the competence of US tech from a certain app that recently disrupted election results, or one of the countless breaches eg. equifax ?
Israeli tech is generally good. The problem is only a very small subset of companies or state institutions use this tech. Political parties are not part of this subset, and more likely than not the application developer that got this "project" is somehow connected to the party. This is not a jab at Israeli democracy which I believe to be quite strong, just the way politics work (See the democratic primaries in Iowa for example).
I don't see how that's even relevant here. Most countries have a highly competent and knowledgeable nucleus of tech people but that's not really relevant to tech security in the public sector.
Sounds like a common theme when it comes to relatively young tech industries. You could easily say the same thing about Chinese tech companies. Their software/security due diligence on the part of investors just hasn't caught up yet.
This is not true for many products and services. For some, even a single-digit number of users is enough - if the product is critical for public utilities and infrastructure. For others, a potential base of a couple of Million of computer-users, or just consumers in general, is sufficiently large.
Outside the IDF, which is merely incompetent and overstaffed, this is mostly on purpose. The reigning Israeli government for the past ~10 years have been corrupt neoliberals of the most stereotypical kind.
They are at the forefront of occupation and colonization, not at "fighting terrorism". People fighting for their freedom and human rights are not terrorists.
Here is my experiment: ask any Israeli company you have the pleasure of performing due diligence on to send you the patent numbers of the patents they claim they have. (Any patent number, forget localised patent claims).
This is classic israeli tech. If you're not aware, some people like to say that the israeli tech industry is divided into two - There's a lot of good talent working for the big multinational companies/startups that are targeting US/EU/Asia, and the local market gets the scraps that remain.
This is how we end up with really shitty local apps and services, but export really good product to everyone else.
It sucks - the local market is too small to have real competition, so shitty apps gain a monopoly easily and never budge from their spot.
This is just another example of the talent working for local stuff being bad, it's not new and it's not surprising, although this time it's much bigger obviously.
I am pretty disgusted by this. First of all they basically leaked every single citizens who is of voting age PII. It sounds like the admin username and password was visible for all to see inside the HTML source.
Although I should be, I am not actually surprised by the lack of security in a political parties application.
What I don't understand is why the interior ministry is providing political parties with the entire voter registry, which includes PII.
I never gave my consent for this. It probably explains why I am getting spam SMS's from different parties on a daily basis(which is extremely annoying), but worse than that, soon we will all be forced to join the biometric database and I have zero confidence in the ability of the interior ministry to protect that.
Personally I am no fan of GDPR, but I am starting to see why it's necessary.
Israel may have a similar law but I don't speak Hebrew and I suspect any searches I do for this will get buried by the news of the leak, so I don't think I'll be successful in finding it.
Apparently, the parties voted themselves the right to that data when the election cycle starts (6 months or so before the actual elections, or something like that), under the promise that "they will keep it safe, and delete it afterwards, and only use it themselves". Needless to say, it has leaked out to marketers/private-investigators/bittorrent in basically every election cycle so far.
These are most of the details that you get asked on the phone when you are asked to verify yourself in a lot of contexts (not banking, but say getting medical records from your health provided over the phone, etc).
"Never gave my consent for this" - You do realize that the state does not govern by consent of the governed, right? ...
More specifically - did you ever give your consent for everybody's biometric data to start being collected as well? They went ahead with this despite the pilot having established there are security concerns and despite public outcry against it.
I should inform other readers about the icing on the cake as well: The Minister of the Interior is a convicted criminal - Arye Der'i - who served time for corruption in this exact position. He is also currently under criminal investigation for corrupt dealings involving embezzlement of charitable organization funds in favor of some real-estate purchases. He was also implicated in the "Bar'-On-Hebron" affair during his last trial, where he was trying to get a convenient attorney general appointed in exchange for agreeing on the army withdrawing from occupied Palestinian city Al-Khaleel/Hebron. He wasn't indicted on that one because he had supposedly "quit politics" and was in jail when the investigation concluded.
Even at the state level I should have to give my consent before they release my data to any third party. At a minimum I would expect all of those third parties to be audited regularly.
Don't get me started on Der'i..
This is the same in the UK. Pay a £5,000 registration free [as a political party] and you get a full and un-redacted copy of the electoral roll [for the ward you're standing in]. I only realised after trying to find out how UKIP were addressing marketing with my name on it.
edit: made it clear it was only on a per-ward basis.
UKIP would be allowed a copy for free, being a registered political party. Those entitled to a copy for money are limited, rather than just "anyone who pays five grand". OTOH, the open, edited register is more widely available, but it has been possible to remove yourself from that and has been for some years. https://ico.org.uk/your-data-matters/electoral-register/
Apologies for the confusion; I've edited my comment to make it more clear. My understanding is that it costs £5k to register as a political party which is then entitled a copy for free.
So no, you can't buy a copy of your local ward, but every few years you can spend a small amount of money and do a little paperwork to get a copy.
... which is not surprising, given that the Israeli law is still "We follow British laws of 1948 unless we've since overridden them; and if nothing in the new ones or British ones cover it, we defer to the Turkish ones of 1917" (which reflects the conqueror/occupier legacy)
> Personally I am no fan of GDPR, but I am starting to see why it's necessary.
Am not a fan either (but likely for different reasons), but would this be solved by Israel adopting GDPR? I'd assume they already have data privacy laws in place, and this still happens. I also don't think that it's a question of increased fines - those just become part of the business plan.
GDPR would have required the app provider to encrypt our personal data and in addition it would have required the government (or who ever is working with them) to make sure either through audit or legal agreement that this is happening. At a minimum it would guarantee legal consequences for those companies that are not protecting PII
The issue is that "requiring best practice" doesn't really help a lot when people/companies/institutions are simply breaking the law. If I understand correctly from the article: Political parties in Israel receive the information of Israeli voters before the elections and have to protect their privacy and cannot copy, erase or transfer the registry.
But they did, because reasons. It would be nice if they committed their extralegal activities with more care so they create less collateral damage, sure, but the issue is that people/companies/institutions who don't care about law ... don't care about the law.
> At a minimum it would guarantee legal consequences for those companies that are not protecting PII
I understand the sentiment, and I wish that was true. Alas, my experience is that it is not.
I don't think that's fair or equatable. Everyone deserves privacy and the protection of their identity, regardless of their government or defense force's questionable ethics.
Not that I'm excusing any of the developers or users of this Elector app...
I find it's sometimes an illuminating point of view, to see these sorts of egregious failures from the point of view that there is a range of possible outcomes of any effort, from complete entropic chaos to a perfect expression of the intent and specifications.
Efforts like these simply fail to approach the ideal closely enough to avoid the costs of the inherent chaos.
I don't think so much about trying to herd people toward the light of perfect code and process. I do think about ways to mitigate the cost of the chaos.
And then occasionally I get this vision of people who fail to consider the effects of breaches getting doxxed themselves, but that also seems vindictive, and as Tim Ferriss rightly pointed out just this week, can involve permanent damage to others.
am i correct in my understanding: in their attempt to intentionally leak voter PII to their canvassers they inadvertently leaked it to the whole internet?
EDIT: "Last week, Prime Minister Benjamin Netanyahu called on Likud supporters to download the application in order to help draft more supporters and voters."
Actually, Netanyahu is _continuing_ to push the use of the "Elector" application to the Likud party activists - even after the publication of how it is effectively a leak of all voters' personal data. So the "inadvertently" part is now in question.
Having said that - we need to differentiate between the intended use of the "Elector" app, which is individual record search, and the ability to obtain all records. The latter is due to a bug, and that's the leak. As for the former, I'm not sure exactly about its legality in the first place; perhaps others can comment on this.
Has the power company "intentionally leaked" PII if they mail their customers bills, and by so doing give their customers' names and addresses to the USPS?
Personally I would have said that is normal, legitimate processing; and any definition of "data leak" that included that would be so broad as to be meaningless.
Of course, the leak of the full register by a negligently designed website is another matter...
except addresses are effectively owned by the postal service. they are the primary users of it. the power company is merely using the postal service's addressing system
The gist is that, amazingly, the url "/get-admin-users" would return a list of all admin users with their plaintext passwords... And that this url appeared in the html source of the site's landing page.
[0] https://internet-israel.com/%d7%97%d7%93%d7%a9%d7%95%d7%aa-%...