The routers can reveal how the network in that building was configured. They can also keep a history of commands and changes that were done on the physical router.
It would show if there were VLANs or firewalls that were properly or improperly set up to prevent or allow network traffic from coming in or going out from specific internal subnetworks that all the election stuff was allegedly connected to. I think they know the election stuff was connected to the LAN; they just need proof that stuff on that LAN could potentially access the outside world.
However, log-wise, the physical routers alone probably would not have any usable logs, as too much time has elapsed. Routers don't tend to be set up to store logs (they don't have massive storage space). Logs are usually set up to go to a syslog server, and I am unsure if that was also in the scope of the subpoena.
The other stuff they asked for in the subpoena, like Splunk logs and so on, I can't speak on.
I'm not a techie, but I suspect the Senate made a legal demand for the routers for two reasons:
It would be nice to have them, for the complete picture, but the physical routers are not crucial to proving the crime.
Good chance the county board would refuse to turn them over. Why? Only one reason explains why: withholding evidence of a crime. Withholding evidence of a crime is also a crime.
By making the demand, either they get additional evidence of the crime (even though other evidence already proves it), or they allow the criminal co-conspirators on the board to commit an additional crime.
Either way, the Senate has a no-lose position by making the demand. This agreement also has the county board dropping their bogus lawsuit, which would only waste time and money anyway.
One thing nobody is talking about: The Maricopa County board CAVED when the AG withheld money to their board, and not one second before.
The only question left at this point: Is the appointed Special Master going to provide for a real investigation, or will he also become a criminal co-conspirator?
Great reminder:
The legal angle sounds logical, as this was a forensic audit after all. If the machines were connected to the local network LAN (also maybe mobile WAN, but that's another issue), then if you want to forensically trace all aspects of the election, the network equipment used needs to be inspected: wires, routers, switches, wireless repeaters, firewalls.
Anything and everything to see if there was an intrusion of any kind that would affect that network the machines were connected to.
Specifically, what the routers will show are routing tables, and quite possibly VPN tunnels. Routers typically sit behind the firewall in a network. The default command history on most Cisco routers is 10 commands, so unless configured differently, that wouldn't be much help: you log in and do an enable, then any show command, and you have just burned up 3 history slots.
The routing table will show a few things that are important.
1.) It will show where specific traffic goes, such as possible routes out of the country or to very unusual destinations. For example, why would the MCSO have the need for a router to be connected to anything not government related?
2.) VPN tunnels to places that shouldn't be connected.
3.) If these were connected to a jump box or a central modem for the voting machines, the route to that device will be in there.
There is more but no need to get overly complicated here.
So the router does store some logs? Let’s say that the router was designated specifically for election cycles; it should still have that information unless it was overwritten? I would hope they don’t use the router to watch YouTube after an election. I assume it falls under some umbrella as sensitive material.
Yep, routers can store logs. There are many types of logs and log levels. One type of log is the command log. If anyone is familiar with a command line, it is the same concept (you can press the up arrow to call back issued commands).
In more advanced routers a command can be issued to see that command buffer. That buffer itself usually has a default number of "history" entries and in some cases can be configured to "remember" more or fewer commands. I know with Cisco routers there are a few ways to clear/purge/delete/reset the command history.
Network traffic logs, over time, take up a considerable amount of space - obviously the more traffic there is the more logs are generated. Routers don't typically have a large storage space for logs (they certainly can store network traffic logs if configured to do so). Also having one router handle all logging is bad practice as it is a single point of failure. It is better to configure the router to send all logs to a log server that can easily be mirrored/replicated and backed up on a regular basis.
I doubt that the router was specifically deployed for the election. The router(s) in question I believe are for the local county government. So it is just part of the normal local government network that runs all the day-to-day things county wide, from the tax assessor to the sheriff, etc.
When the election happened, election equipment was allegedly connected to the LAN (Local Area Network) of whatever building they held the election equipment in. That LAN would have been connected to the county-wide network and could potentially have had access to the outside world. Once they have someone look at the router(s), they would be able to see how they were configured and be able to determine if network traffic would have been able to flow from election equipment to the outside world. (If there was mobile data involved, that is a whole 'nother can of worms.)
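The two posts above describe what a reviewer looks for in the router itself: routes or VPN tunnels that leave the county's own address space, a default route that gives the LAN a path out, whether logs are shipped to a syslog server, and the IOS default of keeping only 10 commands of history. The following is an added example (my own code, not from anyone in this thread) that audits a constructed IOS-style config fragment for exactly those points; the trusted address ranges and the sample config are assumptions made for illustration.

```python
import ipaddress

# Constructed sample running-config fragment (not from any real device); addresses are RFC 5737 ranges.
SAMPLE_CONFIG = """\
hostname county-rtr1
interface Tunnel0
 tunnel destination 203.0.113.45
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.20.0.0 255.255.0.0 10.1.1.2
ip route 192.0.2.0 255.255.255.0 203.0.113.45
"""

# Assumed address space the county network is expected to talk to.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_trusted(target, trusted=TRUSTED):
    """True if an address or network lies entirely inside the trusted ranges."""
    net = ipaddress.ip_network(str(target), strict=False)
    return any(net.subnet_of(t) for t in trusted)

def audit(cfg, trusted=TRUSTED):
    """Walk an IOS-style config line by line and return the findings a reviewer would flag."""
    findings, iface, syslog_hosts, history = [], None, [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split()[1]                      # remember which interface block we are in
        elif line.startswith("tunnel destination "):
            dst = line.split()[2]
            if not is_trusted(dst, trusted):
                findings.append(f"{iface} tunnels to {dst}, outside trusted space")
        elif line.startswith("ip route "):
            d, m, nh = line.split()[2:5]                 # static route: destination, mask, next hop
            dest = ipaddress.ip_network(f"{d}/{m}", strict=False)
            nh_ok = not nh[0].isdigit() or is_trusted(nh, trusted)  # next hop may be an interface name
            if dest.prefixlen == 0:
                findings.append(f"default route via {nh}: LAN has a path to the outside world")
            elif not (is_trusted(dest, trusted) and nh_ok):
                findings.append(f"route to {dest} via {nh} leaves trusted space")
        elif line.startswith("logging host "):
            syslog_hosts.append(line.split()[2])         # remote syslog target
        elif line.startswith("history size "):
            history = int(line.split()[2])               # per-line command history depth
    if not syslog_hosts:
        findings.append("no 'logging host': logs exist only in the router's own small buffer")
    if history is None:
        findings.append("no 'history size': IOS default keeps only the last 10 commands")
    return findings
```

Running `audit(SAMPLE_CONFIG)` yields five findings: the tunnel and the 192.0.2.0/24 route leave trusted space, the default route gives the LAN an exit, and neither remote logging nor a larger command history is configured.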
Interesting, thanks for the rundown. Would the configurations for the router be able to be changed without a previous footprint?
Depending on the skill of the person doing the changing and the degree of the operation they would be pulling off, of course it would be possible. Sometimes things don't need to be hacked to get changed, nor does it necessarily need to be malicious in nature. For example, an IT guy could get a work order to change a config or run some commands or upgrade the firmware, heck, even swap a device out.
You can have threat scenarios from in person infiltration all the way up to remote execution, it all depends on the amount of resources you want to throw at one network closet in Arizona.
That's why it's good to have good backups, monitoring and logging (and to understand how to read them) of all network infrastructure, regardless of whether it's a small home business or a large government agency.