Renewed Warnings from CISA regarding Denial of Service attacks set the stage for report that emphasizes Dominion voting machine vulnerabilities to hacking. But is it Russia and election integrity lawsuits that are the enemy, or perhaps the paper registrations and ballots themselves?
New on Cultural Courage
Dar Leaf
Leaf is a self-proclaimed constitutional sheriff who made national news in his efforts to investigate the 2020 election for fraud
The results are a sign that many local voters in more conservative areas of Michigan don’t consider it disqualifying for local elected officials to spread conspiracy theories or interfere with elections to advance the narrative that the 2020 election was stolen from then-President Donald Trump.
Those false claims have now been repeatedly debunked, but when reached Thursday, Randy Bishop — who identified himself as the candidate’s campaign manager — said they weren’t theories at all. He insisted he had evidence that proved deeper wrongdoing in the 2020 election. He declined to share it, instead saying he would offer it to anyone in Antrim County who wanted it.
Are We Baited With Fakes?
Is this a way of directing us to something that then is used later to “demonstrate” a bias towards conspiracy?
Bluecrest and Signature Verification – Accessible Via Internet
I have not confirmed this, but given the confirmation of the lax standards in Georgia and Michigan this warrants investigation. And not by hand selected experts by those in power.
Bluecrest mail ballot sorters are implemented in almost every swing state, to sort mail in ballots. Some of the sorters have Parascript software installed in them to automatically verify signatures ( technology never before researched for voting purposes) Parascript is… pic.twitter.com/REoXmeb5Qo
— Leah Hoopes (@hoopes_leah) August 8, 2024
If the mail-in ballots are sent out automatically based on automatic registrations of paroled prisoners, what signature are they comparing?
https://www.bluecrestinc.com/blog/automatic-signature-verification-for-mail-ballots/
Arizona Paper Chase
And here it is,
— 🇺🇸RealRobert🇺🇸 (@Real_RobN) August 8, 2024
The Arizona Senate AUDIT of the 2020 General Election CONFIRMS,
BEYOND THE SHADOW OF A DOUBT,
DIRTY VOTER ROLLS + MAIL-IN-BALLOTS + ILLEGAL ALIENS = TWO CRIMINALS
Katie Hobbs and Adrian Fontes inserted 74, 243 MAIL-IN-BALLOTS into the Nov 3, 2020 election… pic.twitter.com/R9cWQ1Gz2J
2017 Election Fraud REALLY Important
CISA Report
https://www.usenix.org/system/files/sec22-halderman.pdf
Main Findings
Russia
The ICX BMDs are not sufficiently secured against technical compromise to withstand vote-altering attacks by bad actors who are likely to attack future elections in Georgia. Adversaries with the necessary sophistication and resources to carry out attacks like those I have shown to be possible include hostile foreign governments such as Russia—which has targeted Georgia’s election system in the past [49]—and domestic political actors whose close associates have recently acquired access to the same Dominion equipment that Georgia uses through audits and litigation in other jurisdictions.
The ICX’s vulnerabilities also make it possible for an attacker to compromise the auditability of the ballots, by altering both the QR codes and the human readable text. Such cheating could not be detected by an RLA or a hand count, since all records of the voter’s intent would be wrong. The only practical way to discover such an attack would be if enough voters reviewed their ballots, noticed the errors, and alerted election officials, and election officials identified the problem as a systemic hack or malfunction; but human-factors studies show that most voters do not review their ballots carefully enough, and election officials likely would consider such reports the product of voter error.
The critical vulnerabilities in the ICX—and the wide variety of lesser but still serious security issues—indicate that it was developed without sufficient attention to security during design, software engineering, and testing. The resulting system architecture is brittle; small mistakes can lead to complete exploitation. Likewise, previous security testing efforts as part of federal and state certification processes appear not to have uncovered the critical
problems I found.
My technical findings leave Georgia voters with greatly diminished grounds to be confident that the votes they cast on the ICX BMD are secured, that their votes will be counted correctly, or that any future elections conducted using Georgia’s universal-BMD system will be reasonably secure from attack and produce the correct results. No grand conspiracies would be necessary to commit large-scale fraud, but rather only moderate technical skills of the kind that attackers who are likely to target Georgia’s elections already possess. Unfortunately, even if such an attack never comes, the fact that Georgia’s BMDs are so vulnerable is all but certain to be exploited by partisan actors to suppress voter participation and cast doubt on the legitimacy of election results.
For example, contractors have been given unsupervised access to ICX and
ICP equipment in Maricopa County, Arizona, in the context of a controversial
forensic audit of the November election [14, 43]. The audit is being led by a cybersecurity firm called Cyber Ninjas, whose owner is said to promote baseless conspiracy theories that the 2020 Presidential election was hacked to defeat Donald Trump [26]. The proliferation of access to the equipment by possibly untrustworthy and politically-motivated actors and their associates has greatly increased the risk that information sufficient to attack Georgia’s election system will fall into the wrong hands.
Altering Votes via QR Code
Attackers could cause the BMDs to print QR codes that differ from voters’ selections while leaving the human-readable text of the ballot unchanged. Since voters cannot read QR codes unaided, they would be unable to detect the alterations, but, since the QR code is the only part of the ballot the scanners count, the impact would be a change to the tabulation of those ndividual votes affected and potentially to the election results. The only known safeguard that can rule out such an attack is to compare the human-readable text on every voted ballot to the QR codes, which Georgia has never done in any election and which does not appear to
be required or anticipated for future elections.
Attackers could cause the BMDs to print QR codes that differ from voters’ selections while leaving the human-readable text of the ballot unchanged. Since voters cannot read QR codes unaided, they would be unable to detect the alterations, but, since the QR code is the only part of the ballot the scanners count, the impact would be a change to the tabulation of those individual votes affected and potentially to the election results. The only known safeguard that can rule out such an attack is to compare the human-readable text on every voted ballot to the QR codes, which Georgia has never done in any election and which does not appear to be required or anticipated for future elections.
PG 20
Dominion’s documentation claims that the QR codes are encrypted [19, § 2.6.1.1], and, at least as recently as January 2021, Secretary of State Chief Operating Officer Gabriel Sterling has repeated this claim to the media as a security feature of Georgia’s voting system [91]. In actuality, as I testified last year, no part of the QR codes is encrypted [40, ¶ 37–40]. While voters have no practical way to read or verify the votes encoded in the QR codes, they can be decoded by attackers and can be replaced or manipulated to steal voters’ votes.
Pg 23
Despite this use of a MAC, attackers can manipulate ICX QR codes through several means to alter recorded votes or cast fraudulent votes. The ICX QR code design as used in Georgia has a serious weakness: the codes do not contain a serial number or other unique identifier, so, for a given ballot design, all QR codes that contain identical votes are indistinguishable, including having identical MACs. As a consequence, there is no mechanism for detecting duplicate QR codes. This enables two important attacks:
Figure 4: Demonstration Malicious Hardware. I developed a hardware-based
attack that modifies data sent from the ICX to the printer, altering ballot QR
codes to change recorded votes. The attack device (the two red modules seen in
the right photo) is completely hidden inside the printer’s plastic housing. Similar
malicious hardware could be added in the supply-chain or while in storage.
PG 48 – All Data Definitions Are Contained in One File For
Structure and Encryption
My testing shows that ICX election definition files are Zip archives that are encrypted using the AES (a.k.a. Rijndael) algorithm. The filename can vary, but I will refer to it as “ICX.dat”. The Zip archive contains a SQLite database (electiondata.db3) that defines the ballot designs and election-specific settings. It also contains assorted graphic files, audio files, and language translation files that are used for presenting the ballots to voters.
I analyzed county election data from the November 2020 and January 2021 elections produced by State Defendants. The data shows that, under current Georgia practice, all BMDs within a county are loaded with the same ICX.dat file, which provides every local ballot design used in the county. Moreover, all scanners and BMDs within each county use the same encryption key and initialization vector (IV) during a particular election. Given access to the county EMS or
Election Package, the key and IV can be retrieved from the election project
Pg 56 – Ballot Scanners
Georgia uses special “security” paper stock for official ballots, including those printed by BMDs [32, 35]. However, when I tested the Fulton County ICP using ballots printed on normal copier paper, it accepted and counted them normally. I also tested scanning photocopies of BMD-printed ballots, and the ICP again accepted and counted them normally.
As Section 3.2 explains, the message authentication codes in the QR codes
do not allow the scanners to distinguish between original and duplicate ballots, so, absent a check on the physical paper stock, the scanners cannot detect photocopied ballots.
Use of security paper is potentially valuable during a risk-limiting audit or a hand recount. Assuming access to such paper is carefully controlled, ballots printed on non-official paper could be detected during the auditing process. However, I note once again that Georgia requires risk-limiting audits of only once race in November elections of even numbered years, leaving other contests and elections potentially unprotected.
The ICP stores a complete digital image of every scanned ballot on its removable memory card, and these images are returned to the EMS for possible later review or adjudication. On the Fulton County scanner I tested, the ballot images were not encrypted, and I could easily extract them. Moreover, my testing shows that the unencrypted ballot images are stored in the order in which they were cast, potentially deanonymizing the secret ballots.
Encrypting ballot images appears to be a configuration option that jurisdictions can enable. That option was not enabled in the ICP I tested, which was purportedly configured in the same way as the scanners used during Georgia elections. In any event, even if jurisdictions were to enable this encryption option, the county-wide encryption keys can be be extracted from any ICX Poll Worker Card, given brief access to the card and PIN (see Section 6.1).
Storing the ballots in voted-order raises serious risks to ballot secrecy. A dishonest poll worker could observe voters as they used the scanner and secretly note their names, in order. If, after voting was finished, the poll worker had brief access to the scanner memory card, they could read its contents with an inexpensive and widely available Compact Flash card reader, then use a program like mine to view all the ballots and associate each with the voter’s identity.
Tamper Proof Seal
Installed Tamper-Evident Seal could be Bypassed or Defeated
Issue: The ICP modem port door is incompletely closed when sealed, allowing access to connectors inside.
Issue: The tamper-evident seal on the ICP tested was improperly installed, leaving it easily defeated.
The Fulton County ICP was delivered to Plaintiffs with only one tamper-evident seal installed. On the right side of the ICP, a plunger-style security seal was affixed to a small plastic door that the ICP User Guide refers to as the “Modem Port” [21, p. 11], which covers an RJ45 Ethernet port and a USB Type-A port. The seal, Intab part number 03-1366 [50], consists of a braided wire that passes through a metal loop in the machine’s case, preventing the door from
being full opened. The sealed door, as we received it, is shown in Figure 14a.
One problem with this sealing arrangement is that, by applying tension to the door, it can be opened several millimeters without removing the seal. As shown in the figure, this is sufficient access to see both ports, and an attacker could almost certainly attach electronic equipment to either port by inserting conductive probes through the gap in the door. The problem could have been avoided by using a different kind of seal. Dominion’s manual states that “[a] lock, tamper evident label, or tamper evident tie wrap should be placed on the door lock loop” [21, p. 49], but the seal that was installed is a wire seal, which is thinner and more flexible than a typical tie wrap, allowing more play.
Pg 54 Audit Logs
Issue: ICX audit logs and protective counters are stored in regular files with no protection beyond filesystem permissions, which can be easily bypassed.
Issue: The ICX does not provide any mechanism to verify the integrity of exported audit logs.
PG 50 – BMD Executable Code Can Be Introduced Because Directories are Accessible
Arbitrary Code Execution as Root
The BMD runs code with root privileges from a file that is writable by the ICX App. When combined with the directory-traversal vulnerability, this allows a malicious election definition file to execute arbitrary code as root.
The Android OS employs access control and privilege separation to limit what files an app can modify. These defenses normally prevent an app from accessing another app’s data, changing its own APK, or installing a new app. However, I find that weaknesses in the ICX software allow attackers to circumvent these defenses. A malicious election definition file can cause attacker-supplied code to be executed with “root” privileges—complete control of the device’s software, including the ability to override all file access restrictions and install malware.
Pretending To Know About Rent Control
How Michigan can break down barriers to safe, affordable housing
That could all soon change given that legislation (Senate Bills 205–207 and House Bills 4062 and 4063) is currently in the Michigan Legislature that would make it illegal for landlords to reject tenants who plan to make rent payments using federal Housing Choice Vouchers (HCVs) or other non-wage sources of income, such as social security and veteran’s benefits.
HCVs are a proven tool that have helped more than 65,000 Michigan households afford a safe place to live by offsetting the cost of the rent they pay to private landlords. Nearly two-thirds of these households have incomes under $15,000 a year, 4 in 10 of these households include children and 1 in 4 of these households include a person with a disability.
While the legislation currently being considered by the Michigan Legislature won’t address the HCV program’s funding shortages, it will put a stop to the discrimination that families are facing simply for the way they plan to pay their rent. People think of housing discrimination as a part of our history, but it is very much alive and well when landlords can reject potential tenants based solely on their method of rent payment.