Hacker News: paralelogram's comments

Why are almost all official documents about Russian government-sponsored hackers "secret" or "top secret"?


Counter question: why wouldn't they be?

Either their methods work, and of course they should be secret, or their methods don't work, and it's unproductive to help them shorten the list of attack methods they try.


In this case, my guess would be fear that people would start distrusting these voting machines and, eventually, the election as a whole. Elections only work when everyone agrees the results are fair.

That said, I think that's an important story here. The infrastructure around these machines seems sloppy. The fact that there's no source code to read means they are black boxes we have to trust.


In 2003-2004 I had a non-SSL IRC server in a German datacenter and found that something between my server and large British ISPs was rewriting all "ISON <nickname>" strings in TCP streams to "PRIVMSG <nickname> :!kapa". I moved the IRC server to another IP address and never had this problem again.

I think that GCHQ was monitoring the network traffic and had a bug in their IRC protocol implementation.



Some FTP servers support compression: http://www.proftpd.org/docs/contrib/mod_deflate.html


There are edge cases for nearly all of FTP's failings, but none of them are employed as part of the default standard protocol, which means nearly everyone ends up falling back to the lowest common denominator.


How does issuing certificates for test1.com, test2.com, test3.com etc. "threaten the integrity of the encrypted Web"?


These domains belong to someone. Someone who likely hasn't agreed. It's deeply troubling when a CA says: "We'll just issue some test certs for domains that sound like we could use them for testing - no matter whom they belong to and if they agree to that." It's quite simple: Don't issue certs unless the owner of that domain has asked you for it.

But if you look closer at Andrew's mail: There were a bunch of other certs for all kinds of domains.


Especially when we have TLDs for this purpose (.test and .invalid), it's just plain sloppy.


CAs would not be allowed to use those TLDs under the current rules. They have two options for testing:

1. Use domains they own.

2. Use a testing environment that doesn't issue publicly-trusted certificates.


> *it's just plain sloppy*

Sloppy is an oopsy. This is negligence.


It's not about these particular certificates, it's about the fact that Symantec issued obviously bogus certificates at all, and then that they either didn't catch it or they caught it and decided to try not to tell us about it.

Even at best this is further evidence of incompetence, and incompetence certainly does threaten the integrity of the encrypted Web.

Ask yourself, if Symantec's "security" systems can issue for example.com without getting consent from the owner of example.com and Symantec don't notice, why not for your domain, or mine, or a big bank?


How does it not threaten the integrity of the encrypted Web?





It's possible to use Twitter via SMS: https://support.twitter.com/articles/14014


It would be pretty weird if SMS were available but not data.


No it wouldn't. SMS is actually a control message on the voice stream (my words might not be precise). You can send SMS with no data connectivity.


I meant in this particular case it would be weird, because it would mean that the perpetrators are somehow blocking mobile data but neglected to block SMS.


Right, and there are ways you can consider the validity of either method, but to block SMS would mean blocking voice.

Perhaps a temporary data hiccup might be a more realistic solution (or simulation, if malicious) versus "Call cannot be connected".


I think a state actor could filter at will, since they could MITM the connection and pass stuff through selectively. Not that I can see why they would bother. Although I can't see why they would take this action at all, which is why I don't believe the story in the first place.


Pretty much, agreed.


RSS, Usenet newsgroups, netbooks, 4:3 CRT monitors, GNOME 2.x, non-BitTorrent file sharing networks.


Regarding that last one, there's still Usenet, eMule, and DC++ to consider. Many anime fansubbing groups use XDCC to distribute releases.


There's also Soulseek for music sharing, but let's not promote it too heavily, I don't want a repeat of what happened to Napster.


I still use RSS much.

