Democrats Find Flaw in GOP Site

The DNC recently found a flaw in the Republican online organizing tool GOP.com (which I wrote about before) that exposed private information about individuals via their “precinct organizer” interface. The National Review published the press release.

I’m bothered a little that this security flaw existed. Whenever a site collects personal information it should take pains to protect that information. The thing that really bothers me, though, is the nature of the DNC response. Judging from the date on the letter to the RNC and the date of the article in the National Review, it appears they gave the RNC less than a day to fix the problem before announcing that the problem existed and giving a basic outline of how to exploit it.

The DNC response flouts accepted security etiquette. In the security community, when a vulnerability is discovered, it is common practice to first notify the affected party and give them time to repair the bug before announcing it to the public. By announcing this vulnerability essentially at the same time as reporting it to the RNC, the DNC appears not to have given them time to patch the bug. This gives other nefarious parties the ability to exploit the bug in the interim, increasing the risk of inappropriate use of that information.

Additionally, the DNC used the opportunity to advertise their own platform and label it as “more secure.” This just comes across as smug and, as anyone who has worked on networked applications knows, you can never guarantee absolute security. The DNC effectively put a big target on their backs for partisan hackers to shoot at … not smart.