No, no, no, fucking no. IT person here. Man this site is going to shit.
No password does NOT mean that anyone can alter the data. No password simply means that the voting machines can get on the Internet without providing a password to connect to Wi-Fi. These are two completely different things; first being access to the Internet and the second being access to the information system in order to alter votes.
Should the voting machines have access to the Internet? Questionable.
Can the voting machines have their own encryption methods and access control methods, YES!
If you don’t know, please ask when it comes to IT as this is flat out stupid.
These Machines were being managed by a Win10 system certified in March 2020 using an image deployed in February. Not a single asset was updated past August 2020.
Wifi access is not the same as Direct Access unless you’re claiming a vulnerability enables an attacker access that they would not otherwise have remotely.
IT (over three decades). You are Flat Out Wrong about “unless you have physical access” and you should know once you get into a system via the internet, you can control it. That means “manipulate and/or delete data”. This is not brain surgery - it’s SOP. I hope you just misunderstood the context, because otherwise ....
Access to the information system exactly how? It doesn’t matter if you can see the traffic flowing across the network if the traffic is encrypted at the application/session layer. You have no access to it. It doesn’t matter if your network access to the voting machine means that the voting machine refuses to accept admin connections from your IP address. Access control of management ports is STANDARD practice.
Please describe EXACTLY how you intend to gain access to a voting machine over the Internet that refuses to answer from your source IP address.
No password means no encryption over WiFi. So the question that remains is how any data, if at all, was transferred over said WiFi; and what kind of services/ports were open on the systems.
If the transfer of data was encrypted using VPN/HTTPS/TLS or anything, and also using decent set of standards, only then your argument (and you did mention that part) is fully correct. But that question goes rather conveniently unanswered.
My POV: The issue here isn't about WiFi being secure or not. But you should immediately start asking why WiFi was even allowed in this case. Go to any security event such as DefCon and you'll know why visitors disable their WiFi.
Edit: I'm also wondering right now if they were using channel isolation. Ever connected to WiFi in a hotel and seen someone else's Chromecast? I have, and that basically means you can view what someone else is watching. (And so much more)
I'm not sure of the validity of this e-mail, but if the machines were connected to the internet that is a crime in itself. I am pretty sure of that. And if it isn't it should be.
Sensitive information passes across the Internet ALL the time. The question is the degree of cryptography and testing of the cryptographic module (such as FIPS 140-2) that is used. I honestly don’t know if Internet connectivity of voting systems is allowed or not. I’m just pissed off at how reckless this post is.
I'm looking at this from a simpler point of view. Just the fact that it was even connected to the internet is the problem. All they need is a backdoor to log into to do anything they want. No need to try and sniff or alter anything when it's designed to give shitheads around the world intentional access.
I agree with that. I was simply trying to say that the mere fact that it could connect to the Internet without a password to get on Wi-Fi does not necessarily mean mean that the voting machine is wide open to manipulation.
I see no good reason whatsoever for a voting machine to be connected to the Internet. The mere connection is enough to call into question the veracity of votes collected by the machine.
Why can’t people hold more than one thought in their heads at the same time?
I'm pretty sure it isn't but I'll have to look it up later. I'm too busy looking at this obviously staged Boulder shooting and just trying to play some videogames to distract myself from the non-sense. Keep in mind, we had foreign countries hacking our entire government UNDETECTED for many months, revealed in the solarwinds hack information. If it's not illegal for voting machines to be connected to the internet, it's only because Democrat/crooked Republican politicians allowed this kind of filth to be passed because they intend to cheat elections. That's facts.
So, the defense computers that control our nuclear deterrence aren't connected to the internet in any way because .gov knows it could be hacked into, but the same couldn't happen to a voting machine connected to a wifi network without a password even? Seems dubious
No, no, no, fucking no. IT person here. Man this site is going to shit.
No password does NOT mean that anyone can alter the data. No password simply means that the voting machines can get on the Internet without providing a password to connect to Wi-Fi. These are two completely different things; first being access to the Internet and the second being access to the information system in order to alter votes.
Should the voting machines have access to the Internet? Questionable.
Can the voting machines have their own encryption methods and access control methods, YES!
If you don’t know, please ask when it comes to IT as this is flat out stupid.
Actual IT guy here.
Physical Access is all access.
If this Machine was left on an unsecured network I would have direct access.
Less than two hours worth of YouTube videos could teach the average adult all they need to be able to quickly compromise these Machines.
You would have nothing unless you have physical access to the voting machines themselves. That is NOT what this post was declaring.
Is physical access “game over”. I agree for the most part. (unless the target is encrypted, etc.). But that is NOT was this post was declaring.
I have 20 years of IT experience. Don’t claim to be an “Actual IT guy”.
Wifi Access is the same as Direct Access.
These Machines were being managed by a Win10 system certified in March 2020 using an image deployed in February. Not a single asset was updated past August 2020.
That took me 2 minutes.
Wifi access is not the same as Direct Access unless you’re claiming a vulnerability enables an attacker access that they would not otherwise have remotely.
IT (over three decades). You are Flat Out Wrong about “unless you have physical access” and you should know once you get into a system via the internet, you can control it. That means “manipulate and/or delete data”. This is not brain surgery - it’s SOP. I hope you just misunderstood the context, because otherwise ....
Access to the information system exactly how? It doesn’t matter if you can see the traffic flowing across the network if the traffic is encrypted at the application/session layer. You have no access to it. It doesn’t matter if your network access to the voting machine means that the voting machine refuses to accept admin connections from your IP address. Access control of management ports is STANDARD practice.
Please describe EXACTLY how you intend to gain access to a voting machine over the Internet that refuses to answer from your source IP address.
No password means no encryption over WiFi. So the question that remains is how any data, if at all, was transferred over said WiFi; and what kind of services/ports were open on the systems. If the transfer of data was encrypted using VPN/HTTPS/TLS or anything, and also using decent set of standards, only then your argument (and you did mention that part) is fully correct. But that question goes rather conveniently unanswered.
My POV: The issue here isn't about WiFi being secure or not. But you should immediately start asking why WiFi was even allowed in this case. Go to any security event such as DefCon and you'll know why visitors disable their WiFi.
Edit: I'm also wondering right now if they were using channel isolation. Ever connected to WiFi in a hotel and seen someone else's Chromecast? I have, and that basically means you can view what someone else is watching. (And so much more)
I'm not sure of the validity of this e-mail, but if the machines were connected to the internet that is a crime in itself. I am pretty sure of that. And if it isn't it should be.
Sensitive information passes across the Internet ALL the time. The question is the degree of cryptography and testing of the cryptographic module (such as FIPS 140-2) that is used. I honestly don’t know if Internet connectivity of voting systems is allowed or not. I’m just pissed off at how reckless this post is.
I'm looking at this from a simpler point of view. Just the fact that it was even connected to the internet is the problem. All they need is a backdoor to log into to do anything they want. No need to try and sniff or alter anything when it's designed to give shitheads around the world intentional access.
I agree with that. I was simply trying to say that the mere fact that it could connect to the Internet without a password to get on Wi-Fi does not necessarily mean mean that the voting machine is wide open to manipulation.
I see no good reason whatsoever for a voting machine to be connected to the Internet. The mere connection is enough to call into question the veracity of votes collected by the machine.
Why can’t people hold more than one thought in their heads at the same time?
I'm pretty sure it isn't but I'll have to look it up later. I'm too busy looking at this obviously staged Boulder shooting and just trying to play some videogames to distract myself from the non-sense. Keep in mind, we had foreign countries hacking our entire government UNDETECTED for many months, revealed in the solarwinds hack information. If it's not illegal for voting machines to be connected to the internet, it's only because Democrat/crooked Republican politicians allowed this kind of filth to be passed because they intend to cheat elections. That's facts.
So, the defense computers that control our nuclear deterrence aren't connected to the internet in any way because .gov knows it could be hacked into, but the same couldn't happen to a voting machine connected to a wifi network without a password even? Seems dubious
Agreed. I’m not here to crap on voting methods. I’m here to say that the premise of the post is dead wrong.