Brabarian714 6 points ago +7 / -1

In the AZ hearing yesterday, the auditor explained how 32,000 hits/queries on the system will have virtually erased a ton of the info they might have found on the routers. The packet captures will be the only way to prove that the machines were in fact online.

Choctaw 3 points ago +4 / -1

That isn't correct. There is a lot of confusion here and I will try to clarify things, zero insult intended.

There are logs and configuration files here. First, the logs. Most every computer/server has a service or daemon that writes out to a file what happened. There are typically seven levels of information that can be written, and depending on the OS or the application, they are called different things. Using the Cisco syntax, they are:

0 —emergency: System unusable

1 —alert: Immediate action needed

2 —critical: Critical condition—default level

3 —error: Error condition

4 —warning: Warning condition

5 —notification: Normal but significant condition

6 —informational: Informational message only

7 —debugging: Appears during debugging only

All of these logging levels can be turned off and on, depending on what information you need to track. Take #6 for example: it logs mundane things, system events, just everyday normal operation things, and depending on the system usage it can over time produce a good amount of data. Now if you have a busy system, it can produce a metric shit ton of log data, and if you have all the levels turned on you could run yourself out of disk space if not for a certain mechanism, namely log rotation. Log rotation is where a logging file has a set file size, let's say 50 Mb for the sake of conversation. Imagine an open paper roll of quarters; you can only fit so many in there before they start coming out. Now say the quarter roll can only be filled from one direction. Add a quarter, drop a quarter: the first quarter pushed in the roll will be the first pushed out. This is how log rotation works: logs are written with the newest line always at the top with a timestamp, and as your file hits that 50 Mb mark, the older lines are dropped as the new ones are written. Now you can always increase the log size, or make sure the log is saved and compressed to be stored elsewhere, in which case a new file is created and written to.

What happened with the voting machines is that someone knew there was no rotation set up and how big the log file was supposed to be, then from the outside (which shouldn't have been allowed) ran a script that caused whatever was being done during the voting hours to be knocked off the log by having the logging service literally write it off. This way they can always claim there were logs, just not what was supposed to be there.

The second thing that has garnered a bit of confusion is the routers. Most every commercial router stores little to no logs by default. You can however change that so a minimum is stored, but typically that file size is small as most routers do not have a ton of storage space. What can be done is configure the router to send its logging data to a server that does have storage, and typically it will be set up to parse the logs for specified things to trigger an alarm, or you can analyze the traffic with say ELK. In this case, there are probably zero logs stored elsewhere, BUT what is important to obtain is the configuration files of the router itself. In the configuration there are, no doubt to me, a few things of significant value. There is either A) a VPN tunnel set up to someplace that shouldn't be and/or B) static routes set up to someplace that shouldn't be. The combination of the two is more worrisome. B is bad enough; what this means is that data sent to and from the voting machines was intentionally directed to a specific machine/firewall. Having A thrown into the mix means a couple of things: the data was encrypted so no one could watch them cheat, and it also means there is a possibility that some foreign bad guy could theoretically have access to the Maricopa Sheriff's Dept network (think about that for a minute), if said router was configured or compromised to do so. Network packets are like snail mail in a way. You have an address for the sender and the receiver. The mail doesn't always take the most direct route to where you want. You could be in Blackwell, KS sending a letter to Kentucky and it gets thrown in a bag that gets there via St. Louis, Indiana then down to the destination. Whereas a first class envelope is going to be sent almost directly to Kentucky. Static routes send packets to specific routers to reach the endpoint and unless there is a physical reason the packet can't take that route, they ALWAYS take that path.

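As an added illustration of the two mechanisms the comment above describes (a size-capped local log that evicts its oldest lines, and forwarding to a collector that keeps everything), here is a small Python simulation. It is not code from this thread or from any vendor; the log line layout (an ISO timestamp followed by a Cisco-style `%FACILITY-SEVERITY-MNEMONIC: text` message), the sample lines, the 4000-byte cap and the burst threshold are all constructed for the example. It also shows the defender's side: a per-minute message count that flags the flood of routine level-6 messages which pushed the earlier entries out of the local file.

```python
"""Size-capped local logging vs. remote forwarding, plus a simple log-burst detector.
Added example; all line formats, hosts and thresholds below are constructed assumptions."""
import re
from collections import Counter, deque
from datetime import datetime

# Cisco syslog severity levels 0-7, as in the table above
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}

# Assumed line layout: ISO timestamp, then "%FACILITY-SEV-MNEMONIC: text"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)


def parse_line(line):
    """Return a dict (ts, facility, sev as int, mnemonic, text), or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["sev"] = int(rec["sev"])
    return rec


class SizeCappedLog:
    """Local log that never exceeds cap_bytes; the oldest lines are evicted first (the quarter roll)."""
    def __init__(self, cap_bytes):
        self.cap_bytes = cap_bytes
        self.lines = deque()
        self.size = 0

    def write(self, line):
        self.lines.append(line)
        self.size += len(line) + 1  # +1 for the newline
        while self.size > self.cap_bytes:
            self.size -= len(self.lines.popleft()) + 1

    def contains(self, needle):
        return any(needle in l for l in self.lines)


class RemoteCollector:
    """Append-only store standing in for a syslog server or ELK; nothing is ever evicted."""
    def __init__(self):
        self.lines = []

    def write(self, line):
        self.lines.append(line)

    def contains(self, needle):
        return any(needle in l for l in self.lines)


def burst_minutes(lines, threshold):
    """Minutes ('YYYY-MM-DDTHH:MM') whose message count exceeds threshold: a cheap flood detector."""
    per_minute = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_minute[rec["ts"].strftime("%Y-%m-%dT%H:%M")] += 1
    return sorted(m for m, n in per_minute.items() if n > threshold)


def build_sample():
    """Constructed sample: three notable daytime events, then 300 routine level-6 messages late at night."""
    notable = [
        "2020-11-03T09:12:07 %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
        "2020-11-03T11:40:22 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.9]",
        "2020-11-03T14:03:51 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
    ]
    flood = [
        f"2020-11-03T23:{i // 60:02d}:{i % 60:02d} %SYS-6-LOGGINGHOST_STARTSTOP: "
        "Logging to host 10.0.0.200 port 514 started - CLI initiated"
        for i in range(300)
    ]
    return notable + flood


def simulate(cap_bytes=4000, threshold=50):
    """Feed the sample to both stores and report what each still holds, plus flagged minutes."""
    local, remote = SizeCappedLog(cap_bytes), RemoteCollector()
    lines = build_sample()
    for line in lines:
        local.write(line)
        remote.write(line)
    return {
        "local_has_login": local.contains("LOGIN_SUCCESS"),   # evicted by the flood
        "remote_has_login": remote.contains("LOGIN_SUCCESS"),  # still on the collector
        "local_lines": len(local.lines),
        "bursts": burst_minutes(lines, threshold),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(k, v)
```

The point of the two stores side by side is that the eviction is not a gap in the local file; the file is full and looks healthy, and only the copy that was forwarded before the flood shows what is missing. The per-minute counter is the minimum a collector should alarm on: a device that normally writes a handful of lines an hour suddenly writing sixty a minute is worth a look regardless of what the lines say.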
cody17 [S] 2 points ago +2 / -0

I believe that was only to wipe out the 5 MB of cached user login data so that when the fraud is found they won't know who signed on and committed the fraud.