snailspace
Loves Spam
- Joined
- Jul 27, 2022
- Posts
- 2,332
Tom Fitton
@TomFitton
Subscribe
ALERT: A federal court in Northern District of Georgia (Atlanta Division) will allow plaintiffs to proceed to trial after they presented expert evidence which found 7 core vulnerabilities in the Dominion voting system:"
1. Attackers can alter the QR codes on printed ballots to modify voters’ selections;
2. Anyone with brief physical access to the BMD (ballot marking device) machines can install malware onto the machines;
3. Attackers can forge or manipulate the smart cards that a BMD uses to authenticate technicians, poll workers, and voters, which could then be used by anyone with physical access to the machines toinstall malware onto the BMDs;
4. Attackers can execute arbitrary code with supervisory privileges and then exploit it to spread malware to all BMDs across a countyor state;
5. Attackers can alter the BMD’s audit logs;6. Attackers with brief access to a single BMD or a single Poll Worker Card and PIN can obtain the county-wide cryptographic keys, which are used for authentication and to protect election results onscanner memory cards; and
7. A dishonest election worker with just brief access to the ICP scanner’s memory card could determine how individual voters voted."The main conclusions of the expert analysis of the Georgia computerized Dominion voting systems, as described by the Court:"•
The ICX BMDs [Dominion's ballot marking devices] are not sufficiently secured against technical compromise to withstand vote-altering attacks by bad actors who are likely to attack future elections in Georgia. . . • The ICX BMDs can be compromised to the same extent and as or more easily than the AccuVote TS and TS-X DREs they replaced. . . .• Despite the addition of a paper trail, ICX malware can still change individual votes and most election outcomes without detection . . . Although outcome-changing fraud conducted in this manner could be detected by a risk-limiting audit, Georgia requires a risk-limiting audit of only one contest every two years,27 so the vast majority of elections and contests have no such assurance. And even the most robust risk-limiting audit can only assess an election outcome; it cannot evaluate whether individual votes counted as intended. . . .• The ICX’s vulnerabilities also make it possible for anattacker to compromise the auditability of the ballots,by altering both the QR codes and the human readable text. Such cheating could not be detected by an [risk-limiting audit] or a hand count, since all records of the voter’s intent would be wrong. . . .• Using vulnerable ICX BMDs for all in-person voters, as Georgia does, greatly magnifies the security riskscompared to jurisdictions that use hand-marked paper ballots but provide BMDs to voter upon request. . . .• The critical vulnerabilities in the ICX — and the wide variety of lesser but still serious security issues — indicate that it was developed without sufficient attention to security during design, software engineering, and testing. . . . t would be extremely difficult to retrofit security into a system that was not initially produced with such a process."What can the court do if the plaintiffs succeed in trial?"Plaintiffs carry a heavy burden to establish a constitutional violation connected to Georgia’s BMD electronic voting system, whether in the manner inwhich the State Defendants have implemented the voting system — i.e., that it imposes serious security voting risks and burdens impacting Plaintiffs’ votingrights — or otherwise. If Plaintiffs prevail at trial on one or more of their claims, there are pragmatic, sound remedial policy measures that could be ordered or agreed upon by the parties, such as (1) providing for the use of printed ballots for vote counting without the use of QR codes, (2) administering a broader scope and number of election audits to address vote count accuracy and other related issues, and (3) implementing other essential cybersecurity measures and policies
recommended by the nation’s leading cybersecurity experts and firms, including the Department of Homeland Security’s CISA."
@TomFitton
Subscribe
ALERT: A federal court in Northern District of Georgia (Atlanta Division) will allow plaintiffs to proceed to trial after they presented expert evidence which found 7 core vulnerabilities in the Dominion voting system:"
1. Attackers can alter the QR codes on printed ballots to modify voters’ selections;
2. Anyone with brief physical access to the BMD (ballot marking device) machines can install malware onto the machines;
3. Attackers can forge or manipulate the smart cards that a BMD uses to authenticate technicians, poll workers, and voters, which could then be used by anyone with physical access to the machines toinstall malware onto the BMDs;
4. Attackers can execute arbitrary code with supervisory privileges and then exploit it to spread malware to all BMDs across a countyor state;
5. Attackers can alter the BMD’s audit logs;6. Attackers with brief access to a single BMD or a single Poll Worker Card and PIN can obtain the county-wide cryptographic keys, which are used for authentication and to protect election results onscanner memory cards; and
7. A dishonest election worker with just brief access to the ICP scanner’s memory card could determine how individual voters voted."The main conclusions of the expert analysis of the Georgia computerized Dominion voting systems, as described by the Court:"•
The ICX BMDs [Dominion's ballot marking devices] are not sufficiently secured against technical compromise to withstand vote-altering attacks by bad actors who are likely to attack future elections in Georgia. . . • The ICX BMDs can be compromised to the same extent and as or more easily than the AccuVote TS and TS-X DREs they replaced. . . .• Despite the addition of a paper trail, ICX malware can still change individual votes and most election outcomes without detection . . . Although outcome-changing fraud conducted in this manner could be detected by a risk-limiting audit, Georgia requires a risk-limiting audit of only one contest every two years,27 so the vast majority of elections and contests have no such assurance. And even the most robust risk-limiting audit can only assess an election outcome; it cannot evaluate whether individual votes counted as intended. . . .• The ICX’s vulnerabilities also make it possible for anattacker to compromise the auditability of the ballots,by altering both the QR codes and the human readable text. Such cheating could not be detected by an [risk-limiting audit] or a hand count, since all records of the voter’s intent would be wrong. . . .• Using vulnerable ICX BMDs for all in-person voters, as Georgia does, greatly magnifies the security riskscompared to jurisdictions that use hand-marked paper ballots but provide BMDs to voter upon request. . . .• The critical vulnerabilities in the ICX — and the wide variety of lesser but still serious security issues — indicate that it was developed without sufficient attention to security during design, software engineering, and testing. . . . t would be extremely difficult to retrofit security into a system that was not initially produced with such a process."What can the court do if the plaintiffs succeed in trial?"Plaintiffs carry a heavy burden to establish a constitutional violation connected to Georgia’s BMD electronic voting system, whether in the manner inwhich the State Defendants have implemented the voting system — i.e., that it imposes serious security voting risks and burdens impacting Plaintiffs’ votingrights — or otherwise. If Plaintiffs prevail at trial on one or more of their claims, there are pragmatic, sound remedial policy measures that could be ordered or agreed upon by the parties, such as (1) providing for the use of printed ballots for vote counting without the use of QR codes, (2) administering a broader scope and number of election audits to address vote count accuracy and other related issues, and (3) implementing other essential cybersecurity measures and policies
recommended by the nation’s leading cybersecurity experts and firms, including the Department of Homeland Security’s CISA."
Last edited:
