Comments by "TJ Marx" (@tjmarx) on "Another State-Run Website Made the Wrong Info Available to the Public" video.

  1. 3:45 "...and outlined in his letter to the newspaper exactly how he was able to access the system intended only for LAW ENFORCEMENT" Might I humbly suggest that what he was accessing is the page Hawaiian police use in the precinct and their cruisers when they're running someone. That would explain why records go back 25 years and include SSN data and DMV information, alongside all offences including parking tickets. I.e. the police offenders database. Assuming that's true, as it sounds it may well be, it doesn't really matter what vulnerability existed in the website that allowed him to access that part of the system. Because ultimately those kinds of systems should not be occupying the same server, let alone be part of the same system. They should be air gapped completely as separate services such that it's impossible for the two systems to ever be accessed from each other. Judiciary data should be transferred one way to the police database by a separate agnostic transport layer. 3:19 "Upon learning of the access to the governor's records, the judiciary shut the system down, fixed the vulnerability and brought the system back online..." 4:38 "Chief staff attorney told the Star Advertiser there is no further vulnerability of the jeffs system like the one described by the attorney..." 4:48 "In a letter to him, the administrator and director of the courts wrote that the process he described to access the confidential information could not be discovered by a regular jeffs user..." These 3 statements do not go together. You can't fix a vulnerability that doesn't exist. If a 75 year old attorney can do these steps there's a very good chance any regular user can do the same. They may mean a regular user, using the system as intended, and this is a SQL injection attack or some such. But even if that is the case, that still doesn't explain why the systems are connected to each other.
Nor does it explain why this whistleblower should be liable for identifying these vulnerabilities. I don't understand why every government department doesn't have a bug bounty program for their online systems. They absolutely should; that's how they flush out vulnerabilities and create secure systems that protect citizen data.