Hacker News new | past | comments | ask | show | jobs | submit login

It's like gov system don't even have test cases. They should, and they should be public. Why aren't these softwares for the public open source?

See also: employment security sites, cannabis track and trace, driving license, etc.

Some of these bugs cause direct financial harm to citizens and this one is much worse!

Show me the test cases! Show me the code!!




If my tax $ goes to it, it should have source available (excepting natsec). it would be nice to get some value out of it. If it's well written, I could learn how a large scale project works. If not, I can have something to petition and voice my concerns about, inform about vulns, etc.


You exempt national security, and suddenly everything is national security. Look at the FISA “courts”.

Not arguing against it. State secrets are needed in some instances. Just pointing out that if you exempt something, there’ll be people who’ll construe as much as they can under than exemption. Is there any solution to that?


I suppose a congressional committee separate from the intelligence community that can (hopefully) objectively decide whether something will directly damage our national security.

I agree though, it's a tough problem I haven't fully thought through. I can see an argument saying "well if a vulnerability was found and a violent felon/terrorist was released early, that would be _bad!_". Hell, a DMV appointment software could have a vulnerability allowing a drivers license to someone who then commits a terrorist act. I wouldn't put that past a politician to claim under "national security". Of course, as mentioned below, these vulnerabilities would probably be limited in scope if the devices are airgapped (which it better be!). But something tells me they likely aren't all airgapped.

But I genuinely hope that if such a thing were to happen, there would be more good eyes on it than bad ones. Personally I'd look at whatever was in my preferred language. Granted, it would be to learn from it, not to find vulnerabilities, but something tells me there are vulnerabilities in gov't systems even I know are bad.


At some point you need to hold people accountable when they defy the intent of the law.

That something must be kept secret does not mean the rationale for why it must be kept secret must also be. For example you don't need to tell me any secrets about how nuclear weapons are designed to convince me that nuclear weapon design software should not be open source. Even in cases where the devil is in the details and the discussion of whether something should be secret requires an understanding of those secrets, independent auditors with the proper qualifications and clearances can be appointed to validate the need for secrecy, and either they or the officials who appointed them can be publicly scrutinized.

Every system complicated enough to require decision making is open to potential abuse by the decision makers. The entire purpose of democratically elected leaders is to make sure those who would commit such abuses don't have the opportunity to do so for very long. If no one suffers any consequences for skirting a law, why even have laws to begin with?


Well, I can't show you the test cases and code, but the available requirements are pretty tough to go through:

https://www.azleg.gov/ARStitle/


I think there is still a genuine concern that open-source software allows bad people to find loopholes before the good people do. The last thing you want is someone finding a bug that allows a murderer to get released because the computer said-so.

I think it can be managed but it is a genuine concern nonetheless.


Restrict access. Why does a prison management system need to be connected to a public network and be accessible to more than 20 or so authorized users? I worked on plenty of government systems using insecure software galore but it didn't really matter because we were air gapped and you needed to get through Fort Knox level physical security to get physical access to a terminal.

Granted, that doesn't make attack impossible, but it does make it very hard, especially when you disable all the USB ports and optical drives and socialize extreme consequences to any employees not following ITSEC rules.


I would much rather error on the side of releasing someone early, instead of holding people longer.


In best cases, the test cases are good and pass... and yet such errors will still abound.

Why? Because the spec for which the tests where written didn't include some contingency, for example with software that rigidly require certain steps to happen and doesn't provide a human-controlled override.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: