🧵A lot of people here on X, in the media, in courtrooms, etc., don't seem to know what the fuck they're talking about, so let me help:
1. Griswold's CO voting system BIOS password breach was SERIOUS, and it is unmitigated.
2. It went on for four months without them noticing.
1. Griswold's CO voting system BIOS password breach was SERIOUS, and it is unmitigated.
2. It went on for four months without them noticing.
3. The public posting isn't the only problem:
- They maintained unencrypted passwords in an unencrypted Excel spreadsheet
- Stored (apparently) on their network drives
- The passwords violated CISA (gov lead for election system security) password guidance known since 2009
- They maintained unencrypted passwords in an unencrypted Excel spreadsheet
- Stored (apparently) on their network drives
- The passwords violated CISA (gov lead for election system security) password guidance known since 2009
4. Contrary to all their initial bullshit, DepSecState Beall admitted it affected more than half the counties in CO.
5. If you compromise BIOS passwords on a critical infrastructure computer for 24hrs, you MUST assume that system has been exploited unless you can prove otherwise.
5. If you compromise BIOS passwords on a critical infrastructure computer for 24hrs, you MUST assume that system has been exploited unless you can prove otherwise.
6. When you compromise the integrity of a voting system component, you must also assume that any component connected to it (by LAN cable, e.g., or HDMI cable, or by bridge of "airgap" w/removable media) is compromised.
7. Again, CISA is gov lead for election infrastructure sec., including standards/proc./reporting (Hence, Griswold's "Well I reported it!!!" (not to CO election officials or citizens, though...)). See Page 6, Fig 1 ()for an appropriate incident response. tinyurl.com/Grizfail
8. Griftwold's process:
Day 1:
- Find out (vendor?).🚨
- Pull .xlsx file from web after 4 MONTHS.📅
- Report to CISA.🏆
- Tell ZERO election officials/citizens about 🏴☠️voting sys.💩
Day 6:
- Shit. COGOP knows. 🚨🚨
- Tell MEDIA, still don't tell election officials.
Day 7:...
Day 1:
- Find out (vendor?).🚨
- Pull .xlsx file from web after 4 MONTHS.📅
- Report to CISA.🏆
- Tell ZERO election officials/citizens about 🏴☠️voting sys.💩
Day 6:
- Shit. COGOP knows. 🚨🚨
- Tell MEDIA, still don't tell election officials.
Day 7:...
Day 7:
- Don't admit how many counties affected.
- Still letting citizens use potentially compromised voting systems - let ~citizens? vote on them.
- Send a couple people out to change a couple passwords.
- Get absolutely justifiably wrecked in media/social media
Day 8:...
- Don't admit how many counties affected.
- Still letting citizens use potentially compromised voting systems - let ~citizens? vote on them.
- Send a couple people out to change a couple passwords.
- Get absolutely justifiably wrecked in media/social media
Day 8:...
Day 9:
- Media/social media wreckage makes yesterdays seem gentle. Lost Kyle Clark, FFS...
- Get upstaged by Polis, who insisted on much broader "blitzkrieg" of also completely ineffective, inadequate response, ensuring password change in affected counties, but with helicopters.
- Media/social media wreckage makes yesterdays seem gentle. Lost Kyle Clark, FFS...
- Get upstaged by Polis, who insisted on much broader "blitzkrieg" of also completely ineffective, inadequate response, ensuring password change in affected counties, but with helicopters.
Day 9, continued:
- STILL letting citizens? use machines, and letting election officials tabulate w/affected systems.
- STILL no deployment of actual competent cyber forensic examiners or incident response teams to do anything even remotely approaching adequacy, e.g.:
- STILL letting citizens? use machines, and letting election officials tabulate w/affected systems.
- STILL no deployment of actual competent cyber forensic examiners or incident response teams to do anything even remotely approaching adequacy, e.g.:
The FIRST thing that should have happened:
- STOP using a machine/system with unknown security/integrity/functionality
The SECOND thing that should have happened:
- Image all affected machines and the components in their systems to collect/preserve data to enable tech analysis
- STOP using a machine/system with unknown security/integrity/functionality
The SECOND thing that should have happened:
- Image all affected machines and the components in their systems to collect/preserve data to enable tech analysis
The THIRD thing that should have happened:
- Tech analysis by qualified cyber forensic examiners to determine WHETHER compromise occurred, and EXTENT, TIMING, and IMPACT of compromise
- Tech analysis by qualified cyber forensic examiners to determine WHETHER compromise occurred, and EXTENT, TIMING, and IMPACT of compromise
(TIMING/IMPACT is REALLY IMPORTANT, b/c the breach was active DURING the CO Primary Election - could have affected Primary results)
- If you cannot RULE OUT impact to current election project, ballots, scanning, database, configs, etc., then you START OVER w/the paper ballots
- If you cannot RULE OUT impact to current election project, ballots, scanning, database, configs, etc., then you START OVER w/the paper ballots
And even THAT may not be enough, b/c less than 10% of voters on Ballot Marking Devices actually check their printed ballots, and BMD compromises due to EMS compromises could affect all those BMD ballots.
The FOURTH thing that should have happened:
- Removal/Containment of any compromise, IF YOU CAN (may not be possible, and it sure as hell isn't just changing passwords - you have to verify unaltered configuration of BIOS, iDRAC, MINIX OS (on Intel chipset), ALL memory/storage...
- Removal/Containment of any compromise, IF YOU CAN (may not be possible, and it sure as hell isn't just changing passwords - you have to verify unaltered configuration of BIOS, iDRAC, MINIX OS (on Intel chipset), ALL memory/storage...
And FIFTH, ONLY IF you can confirm containment/removal of any compromise, restore/recover system and resume use.
None of that shit happened. CO basically did:
a. Detect, lie.
b. Delay, lie.
c. Pretend password changes are good enough.
d. Lie.
All without interrupting use.
None of that shit happened. CO basically did:
a. Detect, lie.
b. Delay, lie.
c. Pretend password changes are good enough.
d. Lie.
All without interrupting use.
So, to be clear:
Anyone telling you CO voting systems are "secure" and Coloradans' votes can be or were "counted fairly and accurately" because of Griswold's/Polis' "swift action" is either obliteratingly stupid or humping a false narrative.
Hope that helps.
Anyone telling you CO voting systems are "secure" and Coloradans' votes can be or were "counted fairly and accurately" because of Griswold's/Polis' "swift action" is either obliteratingly stupid or humping a false narrative.
Hope that helps.
* I forgot; Day 12:
- Send COAG, who knows FUCK-ALL re: cyber/voting systems, to court to argue @ParikhClay, who tested voting systems for 9 YRS, isn't an expert b/c he "doesn't know 'CO voting systems' "
It's like arguing that a banana expert "isn't an expert in 'CO' bananas."
- Send COAG, who knows FUCK-ALL re: cyber/voting systems, to court to argue @ParikhClay, who tested voting systems for 9 YRS, isn't an expert b/c he "doesn't know 'CO voting systems' "
It's like arguing that a banana expert "isn't an expert in 'CO' bananas."
• • •
Missing some Tweet in this thread? You can try to
force a refresh
