20+ years in IT, including network engineering. I still don’t know what the routers will prove unless they’re intact with their configurations which might include what they’re connecting to like China, Germany, etc.
And as another poster said, it’s Splunk, not spunk.
This makes a shitton more sense than the PDW post.
They wanted the routers to find out where the netflow and syslogs were being sent so they could grab the SIEM, which would have had records of the through-the-box dataflows and admin access logs.
Since they got the Splunk (SIEM) data, then IDGAF about the routers.
Now this here makes tons of sense provided they haven’t fucked with the configs.
Splunk's logs are not enough for one very simple reason: authenticity. Anyone can say that a very compromised Splunk log is fake.
If the white hats are really in control and know what they are doing, they were using syslog with mutual TLS.
This way, with routers in hand, you can prove that that log actually came from that router.
Mutual TLS is only going to protect the syslog data in flight, not at rest in the Splunk DB.
I contend that going after the netflow is the way: if the syslog were tampered with, the netflow would prove or refute those admin connections noted by syslog. Flows coming from the machines can be uniquely fingerprinted, router or not, to prove their origin.
If the netflow were tampered with, there would either be obvious gaps, or anomalies pointed out by what they already know from the machines.
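The cross-check argued above, as an added illustration that is not from any poster in this thread: each admin login reported by router syslog is matched against NetFlow records for an SSH flow from the same source to the router's management address within a short window, and the flow export sequence counter is scanned for gaps. The syslog lines, flow records, management IP (10.20.0.1) and hostname are constructed sample values, not data from the case.

```python
"""Corroborate router syslog admin logins against NetFlow records (constructed data)."""
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines: admin SSH logins reported by the router.
SYSLOG = [
    "2020-11-03T22:05:10 rtr-edge1 SSH: login succeeded for admin from 10.20.0.5",
    "2020-11-03T23:40:02 rtr-edge1 SSH: login succeeded for admin from 203.0.113.9",
]

# Constructed NetFlow-style records: (export_sequence, start_time, src, dst, dst_port).
FLOWS = [
    (101, "2020-11-03T22:05:08", "10.20.0.5", "10.20.0.1", 22),
    (102, "2020-11-03T22:06:30", "10.20.0.7", "10.20.0.1", 443),
    (105, "2020-11-03T23:10:00", "10.20.0.9", "10.20.0.1", 22),
]

ROUTER_MGMT_IP = "10.20.0.1"   # assumption: management address of rtr-edge1
WINDOW = timedelta(seconds=60)  # tolerance between flow start and syslog timestamp

LOGIN_RE = re.compile(r"^(\S+) (\S+) SSH: login succeeded for (\S+) from (\S+)$")


def parse_logins(lines):
    """Extract (time, host, user, src) from syslog login lines; skip non-matching lines."""
    logins = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            logins.append({"time": datetime.fromisoformat(m.group(1)),
                           "host": m.group(2), "user": m.group(3), "src": m.group(4)})
    return logins


def flow_sequence_gaps(flows):
    """Return (prev_seq, next_seq) pairs where the exporter's counter skipped records."""
    seqs = sorted(f[0] for f in flows)
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]


def corroborate(logins, flows, mgmt_ip, window=WINDOW):
    """For each syslog login, say whether an SSH flow to the router backs it up."""
    results = []
    for lg in logins:
        hit = any(f[2] == lg["src"] and f[3] == mgmt_ip and f[4] == 22
                  and abs(datetime.fromisoformat(f[1]) - lg["time"]) <= window
                  for f in flows)
        results.append((lg["src"], lg["time"].isoformat(),
                        "corroborated" if hit else "NO MATCHING FLOW"))
    return results
```

A login with no matching flow, or a jump in the export sequence, is exactly the kind of discrepancy the poster expects tampering to leave behind.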
Agreed, routers don't have enough storage to retain enough useful information dating back to the elections. If the routers retained the full security logs and configuration changes dating back, they could show configuration changes to open ACLs to IP ranges that may include source IPs in other countries. That doesn't really mean much as a hacker could run everything in VMs hosted in AWS and source IPs from US-West.
I have some experience with Splunk and it's a very powerful tool, tracks everything with rules and such. Basically a software version of a router but with logs.
My experience is somewhat limited but I know it's really powerful and if Cyber Ninjas have the logs that can prove wrongdoings, then yeah we've won.
No. Splunk is not a router. It is a logger. With Splunk Enterprise Security or writing your own rules it can be a SIEM. We have two implementations of Splunk. I manage our security engineering team.
I know that. Guess I probably said it wrong but when I was doing Splunk, it felt like I was configuring a router. I'm not saying it's a router of any kind, I'm just saying it felt like the same as setting up a router like Cisco with IOS, because of rules, exceptions and more.
Like I said, my experience with Splunk is limited because I make do with what I can at home and obviously not at the enterprise level. Been trying to find a job but apparently no one is interested in hiring a deaf person like myself with experience working with computers, who has an I.T. degree with a couple of certs, concentrating in Sys admin, networking and cyber security.
Router MAC addresses to coincide with the traffic data? Just throwing it out there.
Trying to understand this one. MAC addresses are only locally significant, although they are unique. Re-framing packets is how a router moves packets from one router interface to another router interface in order to forward packets. (The MAC address is in the frames.)
Still, the MAC addresses act as a “fingerprint” of sorts as they are unique and if they can be correlated with other traffic data as you say they might mean something. I’m still scratching my head.
I think she meant "Splunk" not "Spunk".
Uh huh. Suuuure....
The AZ Senate statement is being spun by both sides I think. Former Congressman John Shadegg will act as a Special Master to work with tech experts to get answers to the questions the Senate has about the routers and logs.
Here's the statement.
https://twitter.com/AZSenateGOP/status/1439035033428185089?s=20
Hey guys, I'm confused. Multiple conflicting reports flying around. https://patriots.win/new?from=13zMipNghh Gonna go do some digging.
Yep Maricopa co is saying it ensured they'll never get them. I'm so confused. Definitely conflicting reports
Two more weeks
That means they probably bleached and hammered every last chip and processor they could.
WHAT IN THE FUCK..................i'M SO SICK OF THIS FUCKING SHIT
FUCK THE GOP
FUCK VOTING
and if I read this wrong.....eat me......I'm drunk
You read it wrong.
Plus he's marinated already, that's why he drank. So he can be more tender.
The best that can come out of this is that the routers were tampered with. After all this time, there's going to be nothing there. Even if there was, regular people aren't going to understand any of it. The fact that they withheld the routers in defiance of a subpoena for months is enough. The fact that a Maricopa county official had a fire at his farm where ballots were found is enough. The fact that there are hundreds of thousands of ballots missing is enough. There's always been enough.
spunk logs? A Freudian slip, methinks.
Why is a John McCain RINO in charge of the routers?
https://twitter.com/real_pronoun/status/1439067208106323972