Robert Graham
Created (BlackICE,IPS,sidejacking,masscan). Doing (blog,code,cyber-rights,Internet-scanning). @erratarob@infosec.exchange

Sep 23, 2021, 53 tweets

1/n In two days, they'll present the Maricopa audit live at 4pm Eastern. I plan on live tweeting it, as responses to this tweet, so you can bookmark this and check back Friday.

I'm certain there will be no value to my tweets, so you probably shouldn't.

2/n The report leaked early, so naturally I read it and wrote up a response discussing the cybersecurity bits.
blog.erratasec.com/2021/09/check-…

3/n Most of the news about the Cyber Ninjas is concerned with whether the results come out right (Biden vs. Trump). This is probably the most important part.

But my expertise is in the cybersecurity parts.
azcentral.com/story/news/pol…

4/n Can I just tell you jerks who leaked the draft how much I hate you forcing me to stay up until 4am? Couldn't you have waited until the morning??

5/ Current status. Don't watch. It'll be a waste of time and just get your blood pressure roiling.
player.invintus.com/?clientID=6361…

6/ Yes, polls say voters don't trust elections.

But it's because politicians are fanning the flames of doubt. They are obviously dishonest in saying they are merely responding to voter desires -- they are the ones creating them.

7/ Dr. Shiva, the fraud who continues to claim to have "invented email" despite clear evidence that email predated his "invention" by many years. One easy proof is early Internet (Arpanet) standards.
datatracker.ietf.org/doc/html/rfc561

8/ Anybody can see that this looks like an email from years before his "invention". It's not just email where he is a fraud, but all sorts of other things, like alternative medicine.

9/ Shameless: "Inventor of Email" among his qualifications.

10/ Dr. Shiva is going through a list of "anomalies". It's important to distinguish that these anomalies are ones he can't explain (because he's not competent or didn't look enough).

These are not things he does understand and knows indicate something bad happened.

11/ Here's an example of how there are explanations for things Dr. Shiva doesn't understand. He sees "duplicates" happen in a spike after an election. But there are reasons for this.

12/ Here's another example of the "anomalies" pointed out by Dr. Shiva being debunked in real time.

13/ After Dr. Shiva's presentation they gave him a chance to verbally list all his qualifications. He said "I invented email in 1978".

Note: the Queen of England sent her first email in 1976.

14/ Now we have Doug Logan. He's a CISSP!!

15/ The reason CISSP is problematic is situations like this. It shows you know enough to find the "router" configuration in Windows, but not enough to know that just because they configured a router doesn't mean the router exists -- that it's not used for purely local Ethernet.

16/ Logan is currently on the Section 6 ballot issues, I'm just hanging around until the Section 7 cybersecurity issues. In this section I pay attention to people like @HarriHursti, who knows an impressive amount about ballots.

17/ Now for the parts I do understand, Ben Cotton's testimony. He also has a CISSP. He also has various certifications from his own company.

18/ Note that unlike Dr. Shiva, both Logan and Cotton are somewhat competent. What we see is a partisan-driven effort to search for dirt on the 2020 election, which leads to overstretch and making mistakes. These mistakes don't mean they are incompetent.

19/ Ah, yes, he's talking about 192.168.100.1 which according to his expertise existed on the network.

He's confused. A single local segment Ethernet doesn't use the local router. But they still need a router to be configured. So a router that doesn't exist is configured.
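To make the point in tweets 15 and 19 concrete, here is an added example (mine, not code from the thread or from the audit) of what an IP stack actually does with a configured default gateway. The host address, subnet, gateway and ARP cache are all constructed for illustration; the gateway address is deliberately absent from the ARP cache to model "configured but not plugged in".

```python
import ipaddress

# Constructed example configuration (not data from the audit report): one NIC
# on a single Ethernet segment, with a default gateway filled in on the adapter.
HOST_IF = ipaddress.ip_interface("192.168.100.10/24")
DEFAULT_GATEWAY = ipaddress.ip_address("192.168.100.1")

# Constructed ARP cache: the only hosts that actually answer on the segment.
# There is no entry for the gateway address; nothing is plugged in there.
ARP_CACHE = {
    ipaddress.ip_address("192.168.100.10"): "00-11-22-33-44-10",
    ipaddress.ip_address("192.168.100.20"): "00-11-22-33-44-20",
    ipaddress.ip_address("192.168.100.30"): "00-11-22-33-44-30",
}


def next_hop(destination, host_if=HOST_IF, gateway=DEFAULT_GATEWAY):
    """Decide where the IP stack sends a packet for `destination`.

    If the destination lies inside a directly connected prefix it is delivered
    on-link: the host ARPs for the destination itself. Only a destination
    outside every connected prefix is handed to the configured gateway, so a
    host that talks purely to its own subnet never sends a frame to the
    gateway, and never even ARPs for it.
    Returns ("on-link", dst) or ("via-gateway", gateway).
    """
    dst = ipaddress.ip_address(destination)
    if dst in host_if.network:
        return ("on-link", dst)
    return ("via-gateway", gateway)


def deliverable(destination, arp_cache=ARP_CACHE, **kw):
    """True if a frame for `destination` can actually be put on the wire.

    A route entry is configuration, not evidence: if the next hop never
    answers ARP, the packet is simply dropped. A configured gateway that is
    not in the ARP cache is exactly a "router that doesn't exist".
    """
    _kind, hop = next_hop(destination, **kw)
    return hop in arp_cache


def gateway_needed(destinations, **kw):
    """True if any destination in the list would be routed via the gateway."""
    return any(next_hop(d, **kw)[0] == "via-gateway" for d in destinations)


if __name__ == "__main__":
    for d in ["192.168.100.20", "192.168.100.1", "8.8.8.8"]:
        kind, hop = next_hop(d)
        status = "deliverable" if deliverable(d) else "ARP would time out"
        print(f"{d:16} {kind:12} next hop {hop:16} {status}")
```

On a real Windows host the equivalent evidence is the combination of `route print` (the configured gateway) and `arp -a` (what has actually answered on the wire); a gateway that appears in the first and never in the second has never carried a packet from that machine.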

20/ As I debunk in my blogpost, this entire slide is garbage.
blog.erratasec.com/2021/09/check-…

21/ The fundamental flaw is trying to apply generic, non-specific cybersecurity requirements to air gapped networks. This is inappropriate.

23/ He's now pointing to discovering .exe files after the certification date. As I explained in my blogpost, .exe's get created all the time. Maybe they have an actual issue, but the way they describe the issue doesn't show understanding of these alternate explanations.

24/ He's now claiming the "preservation" laws/regulations mean that the Windows operating-system security logs must be retained. Nobody I know agrees, and they haven't sufficiently made their claim that the law covers this.

25/ They found a system with a second hard-drive and get all excited by the anomalies.

There's actually nothing wrong here.

26/ Files are supposed to be deleted from the C: drive from an "EMS Server".

Everything that's supposed to be preserved is supposed to be copied to the D: drive.

27/ It's the D: drive that's important. He finds deleted files there, too.

But are these files covered by the data preservation laws? He doesn't say.

Moreover, it's common to backup to external drive.

28/ This "file deletion" argument is big among Trumpists, so he creates a very large number of deleted files.

But nowhere does he actually show that any rules/laws were broken or that they weren't properly preserved. Absolute zero evidence.

29/ The next biggest argument among Trumpists is that "Windows operating-system logs" are required to be preserved under that 22 month federal mandate.

Nobody I talk to agrees that system logs are covered by that mandate. It's some new interpretation by the auditors and Trumpists.

30/ He's now trying to argue there's a conspiracy to overflow the logs. This is meaningless.

If the logs were covered by preservation laws, they'd be copied off to the D: drive, and wouldn't be left to rot on the C: drive.

31/ His audience is clapping, as if they believe this unproven allegation of a conspiracy to overflow the logs.

32/ Again, more data missing that they can't explain.

Remember: These audit results are not about what they found. Instead, it's listing all the things they couldn't find -- which Trumpists point to as where their proof is.

33/ "Without access to the router data, network data, I cannot tell if this is a legitimate access or a malicious access".

First, they aren't anomalous, there's no reason to suspect foul play, it's just that he's not enough of an expert to understand them.

....

34/ Second, no, the network data wouldn't do anything to explain them. The issues aren't related. He is lying.

35/ This is actually pretty normal to find ports you can't explain.

36/ It's normal for a computer to reach out to the Internet even if it's on an isolated network.

If these remote connections succeeded, this would be a big thing. But no such finding was made.

37/ He's not clear where this information came from.

Processes attempt communication all the time. He doesn't tell us how he determined it succeeded.

38/ You can't see it, but the last line says "m_nework_wireless.html". He claims this means WiFi existed when it wasn't supposed to.

That's stupid. Computers have WiFi functionality throughout the system in case you want to use it. It's still around even if you don't.

39/ This is the first slide which I'd agree shows Internet connection.

But at the same time, this isn't one of the air gapped systems. There's no claim it shouldn't have been connected.

40/ I'm making a leap here, but it sounds like a "registration" server that's supposed to be exposed to the Internet to accept registration information.

41/ His final summation, expressed in my own words, is that these are woefully behind the sorts of things you'd expect from corporate networks. And he's absolutely right.

But it's exactly what you'd expect from industrial/health networks.

42/ We can certainly debate a lot about how to improve security, but "make it look more like the typical corporate networks I analyze" is very much the WRONG answer.

43/ I can't find this document they are claiming, "CISA Guidelines for Election Systems and Equipment".

It sounds like the document says stupid things like "patch".

44/ This says in their words a point I've been trying to stress here. The auditors keep pointing to their failings to explain things they should be competent to explain as "something suspicious". This is objectively bad.

45/ I agree they weren't given enough information to confidently confirm/refute whether air gapped systems were connected to the network.

But that's primarily their own fault for making demands for this data unreasonable, rather than making reasonable requests.

46/ Logan ends his testimony with recommendations going forward. It's all reasonable sounding stuff, but a lot of it is still based upon misunderstandings, like the paper used in ballots.

47/ There are a bunch of things here I need to look at more, such as the claim that dns.exe (the DNS server) had two listening ports rather than one, the normal port 53 and a high port.

My knee jerk response is THIS IS TOTALLY NORMAL....

48/ DNS servers often act as resolvers. This means they make requests. When they make a request, they open a high numbered port in order to listen for the response. It's ephemeral, it'll go away in a few minutes. But it's normal to see dns.exe listening on many ports.

49/ But I don't know exactly how Dominion uses the DNS server, so I'd have to actually investigate it before I could give a more complete explanation.

I just know it's not as abnormal as Cotton says.
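The following is an added example (mine, not from the thread or the audit) of how a practitioner would triage the "dns.exe has a second listening port" observation in tweets 47 and 48, and the related "ports you can't explain" in tweet 35. It parses a snapshot in the shape of Windows `netstat -ano` output and separates the expected service port from ephemeral ports the DNS process holds while a resolver query is outstanding. The snapshot, the PID 1234 standing in for the DNS service, and the other PIDs are all constructed; nothing here is data from an audited machine.

```python
# Constructed snapshot in the shape of `netstat -ano` on Windows (not output
# from any audited machine). PID 1234 stands in for the DNS service process.
# UDP rows carry no State column, so a socket bound for an outbound query
# looks exactly like a service listener in this view.
NETSTAT_SNAPSHOT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:53             *:*                                    1234
  UDP    192.168.100.10:53      *:*                                    1234
  UDP    0.0.0.0:62213          *:*                                    1234
  UDP    0.0.0.0:5355           *:*                                    1600
"""

# Windows (Vista and later) allocates dynamic ports from this range by default;
# `netsh int ipv4 show dynamicport udp` prints the range actually configured.
EPHEMERAL_RANGE = range(49152, 65536)

# Ports a DNS server is expected to hold open as a service.
DNS_SERVICE_PORTS = {53}


def parse_netstat(text):
    """Turn `netstat -ano` style lines into dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        addr, port = parts[1].rsplit(":", 1)
        rows.append({
            "proto": parts[0],
            "local_addr": addr,
            "local_port": int(port),
            "foreign": parts[2],
            # TCP rows have a State column; UDP rows do not.
            "state": parts[3] if len(parts) == 5 else "",
            "pid": int(parts[-1]),
        })
    return rows


def classify(row, service_ports=DNS_SERVICE_PORTS, dns_pids=(1234,)):
    """Label one socket from the viewpoint "is this second dns.exe port odd?".

    Returns one of:
      'dns-service'    the expected port 53 socket
      'dns-ephemeral'  an ephemeral port held by the DNS process: the normal
                       footprint of a recursive query awaiting its reply
      'dns-unexpected' the DNS process bound a fixed, non-53 port; that one
                       does deserve a closer look
      'other'          not the DNS process at all
    """
    if row["pid"] not in dns_pids:
        return "other"
    if row["local_port"] in service_ports:
        return "dns-service"
    if row["local_port"] in EPHEMERAL_RANGE:
        return "dns-ephemeral"
    return "dns-unexpected"


def dns_port_summary(text, **kw):
    """Map each label to the sorted list of local ports carrying it."""
    summary = {}
    for row in parse_netstat(text):
        summary.setdefault(classify(row, **kw), set()).add(row["local_port"])
    return {label: sorted(ports) for label, ports in summary.items()}


if __name__ == "__main__":
    for label, ports in sorted(dns_port_summary(NETSTAT_SNAPSHOT).items()):
        print(f"{label:15} {ports}")
```

A single snapshot cannot prove the high port was ephemeral; the check is to take a second snapshot a few minutes later and confirm the port is gone or has changed, and to use `netstat -anob` so the owning image is recorded alongside the PID. One caveat to the "it will go away" expectation: Windows DNS Server keeps a pool of pre-bound UDP sockets for source-port randomization (configurable via `dnscmd /Config /SocketPoolSize`), so a dns.exe that holds many high UDP ports persistently is also within normal behaviour rather than evidence of a second service.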

50/ Ah! this is the explanation.
The one computer which he could actually show was connected to the Internet wasn't an election system.

51/ Dominion uses "role-based security" with individual accounts, so that's not a problem.

The fact they didn't change the passwords actually is a good finding.

52/ Closing remarks she says all the reports are here:
azsenaterepublicans.com

53/ I can't find them, but maybe her twitter account will post them.
@FannKfann

54/54
We are adjourned!!! This thread is now over! Time to stand up and get some exercise.
