My take: we've been repeatedly told no voting machines were connected to the internet. This is one more piece of evidence showing otherwise, and frankly, that should be enough.
Does "sensitive machine" = "voting machine"? Not necessarily... but what else is there that would be considered sensitive? Perhaps the computers with voter role and signature matching info?
If so, that's just as bad, IMO. Registration and signature fraud is as much a part of this as vote count changes, and unlike count changes which could happen just as easily on a remote server post-upload, meaningful manipulation would have to occur onsite during the matching and adjudication.
As for the password-less Wi-Fi, what does that mean? I'm more into the app development side of things rather than system infrastructure, so I have some knowledge gaps here, but...
A wifi network without a password does not encrypt the traffic going between the wifi access point and the machine.
This does not necessarily mean that everything being sent is readable or manipulable, because the voting software itself could be doing its own encryption before it sends info over the network.
It does point to two issues here, though. First, they are using an unbroadcasted wifi name, meaning you would have to know the name and type the name in manually to connect.
This is relying on something called "security through obscurity", which is bad practice. It's essentially like a hide-a-key: you are relying on an attacker NOT knowing that you hid your key under a rock by your front door. Most attackers will know to look under the rock to find the key, and therefore you might as well not have a lock at all.
In this case, the "hide a key" is the name of the network, being shared only to a select group, but this name "2020vote" is very easily guessed.
Second, emails are not a secure way to share information like this. Any security-focused business will have policies in place against sharing passwords via email, because email is not secure and may pass through many servers outside your control once sent.
That's 2 best practices violated.
So what can someone do once connected? Again, depends.
Is the PC running Windows? If so, there are MANY possible remote admin tools, some built in, that an attacker could have access to if not properly locked down.
Even if the PC is running a minimal Linux install, the admins could have installed any number of remote admin management tools that could give full unfettered remote access to the PC to do anything you could do if physically in front of it.
But, the PCs could also be perfectly well configured and locked down, all remote admin tools disabled or properly protected. The voting software itself could have its own access control, could be wide open, or somewhere in between.
Web servers like when you visit Amazon or Google, by design, are designed to be connected to the internet AND allow the public at large to connect to them, but they are tightly controlled to only allow you to access what you are allowed to access (if properly configured and without bugs).
Is that the case here?
We just don't know. But we know several aspects were already done against best practices (i.e. sloppy) and in a court case could likely be used to argue a general trend of insecurity and poor decision making.
FINALLY, it's worth noting that it appears that Hyatt and their IT team is directly involved in setting this up. Are they allowed to be privy to this? Who might they have shared this info with? These are people that are NOT Dominion, NOT election officials, and would have full access to anything on the day of voting.
And, while this is all interesting... none of it matters, IMO.
Why? Because none of us (last I checked) are accusing outside hackers of manipulating the results, but instead are accusing states, election officials, and Dominion of manipulating the results.
Which means even if this thing were locked down like Fort Knox or the Capitol in DC, the people doing the dirty were people who would have been allowed to get in there in the first place! They don't need open networks or misconfigured remote admin tools if they already know all of their own passwords and have added themselves to their own access lists!
Anyhoo, that's my 2 cents, and I guess tldr; "everyone's kind of right about this, but also even if this is a nothingburger it doesn't actually change anything".
It doesn't. As I explained, it calls them "sensitive machines".
So... let's examine and brainstorm a little.
First... what would be considered "sensitive" during vote counting? Well... voting machines are the obvious one.
Another would be signature verification machines. Or registration machines. Or anything else needed for adjudicating ballots.
Finally, it could just mean "a couple of VIPs who want to connect their laptops to a separate network to watch YouTube videos". Possible... but (a) use of the word "machine" feels like it's specifically targeting a limited-purpose computer involved in the official process, not general purpose personal computers, and (b) why would VIPs want an unprotected but unlisted network for their personal PCs? They wouldn't.
Which brings us to... if it's not a voting machine, what else would it be? And if it's one of the "other" things like signature matching, how is that any better?
Unless you're suggesting this email was regarding some unrelated event entirely... which... I mean, on October 30th, a "Nov 3rd event", and email address of "voteathome.org"? C'mon, man!
As a tech person I'm already horrified these systems run Windows in the first place
Windows is only windows, look at SSIDs and "password". Even trained monkey could hack it with ease. I wouldn't advise such things even for electing animal overseer in ZOO. Come on,as Polish I would say "Polish electorial calculator" (https://what.thedailywtf.com/topic/13836/polish-electorial-calculator/2
) from 2014 was probably quite advanced and who knows - maybe even more secure comparing to this shit.
No evidence it was compromised ? Ok,but evidence elections shall be repeated because it was able to be hacked by trained monkey or at best by 8 years old kid for sure.
"The KI Convention Center at Green Bay’s Hyatt Regency was where the election team decided to locate the city’s Central Count and where the absentee ballots were stored":
This does add light to how these were set up.
So what does this mean?
My take: we've been repeatedly told no voting machines were connected to the internet. This is one more piece of evidence showing otherwise, and frankly, that should be enough.
Does "sensitive machine" = "voting machine"? Not necessarily... but what else is there that would be considered sensitive? Perhaps the computers with voter role and signature matching info?
If so, that's just as bad, IMO. Registration and signature fraud is as much a part of this as vote count changes, and unlike count changes which could happen just as easily on a remote server post-upload, meaningful manipulation would have to occur onsite during the matching and adjudication.
As for the password-less Wi-Fi, what does that mean? I'm more into the app development side of things rather than system infrastructure, so I have some knowledge gaps here, but...
A wifi network without a password does not encrypt the traffic going between the wifi access point and the machine.
This does not necessarily mean that everything being sent is readable or manipulable, because the voting software itself could be doing its own encryption before it sends info over the network.
It does point to two issues here, though. First, they are using an unbroadcasted wifi name, meaning you would have to know the name and type the name in manually to connect.
This is relying on something called "security through obscurity", which is bad practice. It's essentially like a hide-a-key: you are relying on an attacker NOT knowing that you hid your key under a rock by your front door. Most attackers will know to look under the rock to find the key, and therefore you might as well not have a lock at all.
In this case, the "hide a key" is the name of the network, being shared only to a select group, but this name "2020vote" is very easily guessed.
Second, emails are not a secure way to share information like this. Any security-focused business will have policies in place against sharing passwords via email, because email is not secure and may pass through many servers outside your control once sent.
That's 2 best practices violated.
So what can someone do once connected? Again, depends.
Is the PC running Windows? If so, there are MANY possible remote admin tools, some built in, that an attacker could have access to if not properly locked down.
Even if the PC is running a minimal Linux install, the admins could have installed any number of remote admin management tools that could give full unfettered remote access to the PC to do anything you could do if physically in front of it.
But, the PCs could also be perfectly well configured and locked down, all remote admin tools disabled or properly protected. The voting software itself could have its own access control, could be wide open, or somewhere in between.
Web servers like when you visit Amazon or Google, by design, are designed to be connected to the internet AND allow the public at large to connect to them, but they are tightly controlled to only allow you to access what you are allowed to access (if properly configured and without bugs).
Is that the case here?
We just don't know. But we know several aspects were already done against best practices (i.e. sloppy) and in a court case could likely be used to argue a general trend of insecurity and poor decision making.
FINALLY, it's worth noting that it appears that Hyatt and their IT team is directly involved in setting this up. Are they allowed to be privy to this? Who might they have shared this info with? These are people that are NOT Dominion, NOT election officials, and would have full access to anything on the day of voting.
And, while this is all interesting... none of it matters, IMO.
Why? Because none of us (last I checked) are accusing outside hackers of manipulating the results, but instead are accusing states, election officials, and Dominion of manipulating the results.
Which means even if this thing were locked down like Fort Knox or the Capitol in DC, the people doing the dirty were people who would have been allowed to get in there in the first place! They don't need open networks or misconfigured remote admin tools if they already know all of their own passwords and have added themselves to their own access lists!
Anyhoo, that's my 2 cents, and I guess tldr; "everyone's kind of right about this, but also even if this is a nothingburger it doesn't actually change anything".
It doesn't. As I explained, it calls them "sensitive machines".
So... let's examine and brainstorm a little.
First... what would be considered "sensitive" during vote counting? Well... voting machines are the obvious one.
Another would be signature verification machines. Or registration machines. Or anything else needed for adjudicating ballots.
Finally, it could just mean "a couple of VIPs who want to connect their laptops to a separate network to watch YouTube videos". Possible... but (a) use of the word "machine" feels like it's specifically targeting a limited-purpose computer involved in the official process, not general purpose personal computers, and (b) why would VIPs want an unprotected but unlisted network for their personal PCs? They wouldn't.
Which brings us to... if it's not a voting machine, what else would it be? And if it's one of the "other" things like signature matching, how is that any better?
Unless you're suggesting this email was regarding some unrelated event entirely... which... I mean, on October 30th, a "Nov 3rd event", and email address of "voteathome.org"? C'mon, man!
Windows is only windows, look at SSIDs and "password". Even trained monkey could hack it with ease. I wouldn't advise such things even for electing animal overseer in ZOO. Come on,as Polish I would say "Polish electorial calculator" (https://what.thedailywtf.com/topic/13836/polish-electorial-calculator/2 ) from 2014 was probably quite advanced and who knows - maybe even more secure comparing to this shit.
No evidence it was compromised ? Ok,but evidence elections shall be repeated because it was able to be hacked by trained monkey or at best by 8 years old kid for sure.
There was no voting or vote counting at the Hyatt Regency in Green Bay, WI look it up yourself.
Numerous references on different sources say otherwise.
Are these wrong? Where were the Green Bay counting centers if not the KI Convention Center?
"That count is being held at KI Convention Center": (Nov 3rd)
https://wtaq.com/2020/11/03/186078/
"Green Bay's central count facility for absentee ballots": (March 11)
https://upnorthnewswi.com/2021/03/11/gop-elections-hearing-held-to-accuse-green-bay-of-what-exactly/
"The KI Convention Center at Green Bay’s Hyatt Regency was where the election team decided to locate the city’s Central Count and where the absentee ballots were stored":
https://thefederalist.com/2021/03/10/how-mark-zuckerbergs-election-money-helped-an-out-of-state-democrat-get-his-hands-on-wisconsins-2020-vote/