(C) Daily Kos
This story was originally published by Daily Kos and is unaltered.
Questions Unasked [1]
This content is not subject to review by Daily Kos staff prior to publication.
Date: 2023-08-19
It's hard for me to even think about Donald Trump, and his various craptastic election fraud maneuvers. But, when I do, my world rapidly turns into a throbbing sea of anger. Sure, I am most angry at Trump and his inane clown posse, but there's enough to go around.
My anger gets so profound, sometimes, that I simply cannot bear to think about certain things, because I'll just go around in a funk, muttering curses at the obviousness and stupidity of everything. I've had to stop listening entirely to some of my former favorite podcasts, because my anger and contempt at the stupidity of the media also leaves me breathlessly sitting in my chair, twitching my fingers at thin air as if typing on a nonexistent keyboard.
Some background may be necessary. I was, once, one of the world's top computer security consultants. I'm not going to bother with false modesty. I solved interesting problems, sometimes under intense time pressure, for a variety of clients. It's a safe bet that you've heard about at least two of the incident responses I was involved in, or used a product based on one of my designs from the 90s, or used a system I consulted on regarding how to improve its overall security. For example, TASER was one of my clients; I helped design and reviewed the design of a tamperproof back-haul system that would ensure cop-cam data got safely from the camera to a cloud server without any cop having a chance to see it, or alter it. Surprisingly, many of my recommendations did not make the major police departments happy and I don't know if they were implemented. I did data and security audits for Intuit, looking at their process whereby users were re-authenticated if they dropped offline for a while or changed an email address and a residence address at the same time. A lot of those recommendations evolved into the many mechanisms you are doubtless familiar with, for re-establishing identity or changing a password. I taught system audit process for years, at a small company called Arthur Andersen, before losing that client to its own hubris. One of my most interesting cases involved the website of the US' largest retailer, which went down at Christmas time - the IT department claimed it was a denial of service attack by hackers, but I did some creative (and if I may say, fascinating) data analysis on the log files, and demonstrated conclusively that the crashes were a result of peak system load causing an unexpected interaction that would have been caught and corrected had the IT department invested some time in system performance analysis.
As a psych major, and a former UNIX system performance tuner at Digital 1985-1987, I was uniquely positioned for this problem thanks to several semesters of statistics and years of digging through kernel performance profiles. My report was read at a board of directors meeting, and everyone on the systems side of the IT department got let go, and I was contracted to interview their replacements. I also served as a non-testifying expert in a number of patent cases, in which I was responsible for digging out the meat of the situation (infringing, or not...?) and aligning it with a claim-chart, explaining it to lawyers, and teaching the lawyers how to explain it to a judge. This is not a minor feat, teaching a lawyer how to explain to a jury what a translation lookaside buffer is, and why it's important - well, it's a job. Anyhow, in retrospect, I suppose I was having the time of my life, though often it seemed painful and exacting because basically everything I did had to be perfect because if I recommended the wrong thing, and my client took my advice and it blew up on them, well, it would have ended my career. Someone like me would have written a memo to the CEO and board of directors recommending that I be blacklisted, and then I'd have been free of my career, able to pursue the life of a starving artist. I was a consultant from 1995 until 2018, and I don't think you could find anyone who'd ever say I fucked up a project.
The reason all of that is relevant is because I learned a couple of things:
1) Question things relentlessly. You want to understand how all the stuff works, and why it works and for whom at all times.
2) Do your research. Asking someone to explain stuff to you is all well and good, but you don't learn much that way. The way to learn is to have someone explain it to you, then read the design documents, then the code, and then go back and have them explain the gaps. When I was working a project, I lived in data centers - literally - during one incident response I slept for 3 days on a pile of closed-cell foam from workstation boxes, because I could not stop staring at the log data I was rummaging through. In the course of those sorts of projects, it seemed that obsessively digging into things always paid off in the end, so I did that. Besides, doing your research is absolutely crucial if/when someone tries to bullshit you, and you open your notebook and start quoting actual measurements from actual results that contradict their theory. And that is relevant to this posting.
3) There is no such thing as useless knowledge. There is only knowledge you have not used, yet. I don't believe in an afterlife, naturally, but if I did, I'd have an eternity in hell to lecture people about 4.2BSD kernel internals and filesystem design, the history of the Napoleonic wars, and how to make blades.
So, imagine my surprise when someone made a few comments over at Daily Kos about election machine interference, and I did something I have not done for ages: I thought about election system security. Well, I was a consultant for Diebold, one year, regarding automatic teller machines, while my old friend Avi Rubin was working for them on the voting machines, and smeared egg all over their faces. [The ATMs are pretty good, except for one major flaw, which was considered a design choice] [I still do not agree with that choice, 20 years later, because they are still paying for it] I've also stood by and poured tequila shots and coca-cola chasers while watching the hackers at DEFCON tear apart voting machines. That always frustrated me, because the flaws that were found were usually the result of poor design choices forced upon the manufacturer by customers with unrealistic requirements. I.e.: "we don't want it on a network, but we want the data to move over a network" nyuk, nyuk, nyuk. Having any system connected to a network means a) it is much more useful b) it is much more vulnerable, and now we are arguing about how to mitigate risks that have been taken on in the system as a consequence of the design choice. What if the network is isolated, encrypted, firewalled, and uses a value-added network instead of the public internet? Good question! Now we are into the weeds of details. This is an example of system analysis - arguing details about VANs and VPNs and SSL is risk mitigation, the tactics of computer security, whereas security by design is the strategy of how to mitigate whole categories of risks by not running them in the first place.
Now, I'd actually already thought through how to do secure transactions over untrusted networks [I taught a class on how to do this, at USENIX, for 2 years in the 90s] and as the internet began seeing a welter of malware, I got involved in detecting, then breaking and spoofing, malware command and control. Building a stealthy command/control channel is a seriously difficult technical trick and mostly entails figuring out how to hide communications within other communications. But, once you know the communication is happening, it's relatively easy to pick it out - after all, it's got to be predictable because that's how command/control works. I'd developed tools for detecting this sort of stuff and concluded that making it hard is easy, but making it undetectable may be impossible. [ranum, dilley]
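As an added illustration of the "it's got to be predictable" point above (example code written for this edit, not the author's tooling from that era): in a flow log of (time, source, destination) records, traffic to a command/control server tends to recur at a fixed interval with only small jitter, so the gaps between connections to that destination have a low coefficient of variation (standard deviation over mean) while ordinary interactive traffic does not. The flow records below are constructed, the addresses are TEST-NET documentation ranges, and the `min_events` and `max_cv` thresholds are assumptions to tune per environment.

```python
"""Flag periodic ("beaconing") connections in a constructed flow log.

Added example, not from the original post. It assumes a flow log of
(unix_time, src, dst) tuples; the addresses are TEST-NET documentation
ranges and the timings are generated here, not captured traffic.
"""
import random
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_flows(seed: int = 7):
    """Constructed data: one destination is contacted every ~60 s with a
    little jitter (beacon-like); the other at irregular, human-like times."""
    rng = random.Random(seed)
    flows = []
    t = 1_700_000_000.0
    for _ in range(40):
        t += 60 + rng.uniform(-3, 3)          # periodic, lightly jittered
        flows.append((t, "10.0.0.23", "203.0.113.5"))
    t = 1_700_000_000.0
    for _ in range(40):
        t += rng.uniform(1, 600)              # irregular browsing-style gaps
        flows.append((t, "10.0.0.23", "198.51.100.7"))
    return sorted(flows)


def interval_stats(times):
    """Mean gap, coefficient of variation of the gaps, and gap count."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    mu = mean(gaps)
    cv = pstdev(gaps) / mu if mu > 0 else float("inf")
    return mu, cv, len(gaps)


def find_beacons(flows, min_events: int = 20, max_cv: float = 0.15):
    """Return {(src, dst): (mean_gap_seconds, cv)} for pairs whose
    inter-connection gaps are nearly constant."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_events + 1:       # not enough gaps to judge
            continue
        times.sort()
        mu, cv, _ = interval_stats(times)
        if cv <= max_cv:
            hits[pair] = (round(mu, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for (src, dst), (mu, cv) in find_beacons(build_sample_flows()).items():
        print(f"{src} -> {dst}: every ~{mu}s, cv={cv}")
```

The limitation the author alludes to with "making it hard is easy" applies here: heavier randomization of the interval pushes the coefficient of variation up, so in practice this is one signal to combine with others (rarity of the destination, regularity of payload sizes, time-of-day pattern) rather than a verdict on its own.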
That is why I immediately ignored Sidney Powell as a mere crank, because there was all this nonsensical talk about Hugo Chavez and Dominion and Italy and I basically ignored it all because nobody was talking about command and control. "Call me when you've got something." Also, I ignored it all as crankery because nobody credible was even being asked to look at something something that might indicate something. If Powell had said, "Bruce Schneier and Avi Rubin are leading a team of consultants who are reverse-engineering the command/control of a mysterious undocumented process that is running on Dominion voting machines..." I would have, well, I'd have waited - because calling Bruce would just get me "you know I can't discuss any of this." The kind of analysis I'd expect to eventually get would be something akin to Kaspersky Labs' excellent dissection of Equation Group's malware. [kaspersky] Equation Group is the NSA's Tailored Access Operations (TAO). [Yes, I taught at NSA, too] Anyhow, if someone was remote controlling voting machines, where was the evidence? There would be evidence. Even NSA gets caught. Besides, if Hugo Chavez had hired someone to put mojo backdoors in voting machines, they would have hired ... who? Building cyberweapons is kind of a niche skill, like disassembling cyberweapons is. But the fingerprints of a cyberweapon are absolutely clear, once you know it is there and can find its command/control, and demonstrate its function. I would be prepared to believe that there was an NSA-built command/control stack in a voting machine - since Dominion machines use Commercial Off The Shelf (COTS) hardware, I assume that means there are Intel processors in there, therefore if the CPU was made after 2012 it has a backdoor in it - called "Intel Management Engine" (IME) [intel] - unmistakeable fingerprints, like I said - it's on the silicon. [hardware backdoors in X86 silicon] None of that stuff is Venezuelan.
If you're a US taxpayer, you helped fund it, not Hugo Chavez.
As soon as the republicans started talking about the vote machines being rigged, I knew I was listening to crankery for the simple reason that not all voting machines are created equal. In fact, it's down to the state, and then down to the jurisdiction. When I vote at my polling place (Morrisdale Grange) we're pretty low-throughput and use a system that has a touch interface which spits out a printed card of your choices, which are logged electronically and the printed cards are saved in case there is an audit. Sure, there are some cities where there are networked voting machines that are managed locally, but in some districts it's one machine, in another it's another, and there are paper trails on all of them - that's how the recounts/audits are done. I also talked to some of the locals, including our postmistress at our zip code (who believed the election was fraudulent) and asked, "would you not notice if you started having lots of vote by mail registrations sent through here to people who are dead?" See what I mean about questions unasked? It's an obvious, simple question that anyone who was asserting ballot stuffing would have to be able to answer because it's a prerequisite for ballot stuffing. Nobody appears to fucking think about this stuff at all, which is why it angers me so much - the questions ought to practically ask themselves:
"Excuse me, Mr Giuliani, if there were votes being injected into the voting machines electronically, why did they not register as a large discrepancy when there was a bi-partisan manual recount? If I added 10,000 votes electronically, there would be 10,000 missing paper cards. And, the voter rolls would be audited and the 10,000 additional votes would stick out like a sore thumb. There are probably 3,000 voters in my district and it'd be a huge discrepancy if one year my district cast 3,000 votes and suddenly the next year cast 13,000"
This is why I am pissed off at the whole US, right now: the media also failed horribly by not asking those rather obvious questions.
"Do you have any packet captures of the command/control that this alleged backdoor was using? Can you give us a description of how it functioned? Who do you have looking at it?"
Again, Bruce Schneier exists. All of us in security know of Bruce. If you google "computer security expert" it is more likely to pop up Bruce than anyone else (including me!) - did all the journalists in the USA get so dim-witted that they never thought to call Bruce or Avi on background? Now, I'm tempted to pick up a phone, myself, "Hey Avi, did any journalists call you about the whole Chavez thing?" but, I just emailed instead. I'll update in the comments if I have any feedback from Bruce or Avi, I am genuinely curious.
But those are complicated technical questions that one cannot expect a former prosecutor, or a high-paid lawyer to be able to answer, or to have done the slightest bit of thinking about before starting their press conference. Here's a simpler one: Rudy Giuliani made some manifestly false statements about Ruby Freeman and Shay Moss, and nobody cross-checked him about the obvious stuff:
Rudy: Freeman and Moss were “passing around USB ports like they were vials of heroin or cocaine.”
No Journalist Ever: "Mr Giuliani, a USB port is a fixed interface screwed into the back or motherboard of a computer - one does not 'pass around' a USB port. Did you perhaps mean a USB thumb drive?"
That's the sound of the trap being cocked. This is what it sounds like being triggered:
No Journalist Ever: "Because, the voting machines in use in that jurisdiction are Dominion's product, and the system architecture of the Dominion machines is published [here] and the Dominion systems run either Linux or Android/Linux. Ruby Freeman and Shay Moss would have had to be expert hackers, and they would have had to be using some kind of a live hack, or rebooting the system after reconfiguring the BIOS boot sequence, which - according to Dominion - is controlled and boot-locked. Can you tell us anything about Ruby Freeman and Shay Moss' status among the international elite of hackers?"
There are other things that the journalists, mighty truth-seeking homing missiles they, forgot to ask about - voting machines go through a pretty impressive certification process including extremely careful configuration management. Stuff like system reboots are all logged. So, by the way, are USB drive insertions. All operating systems worth their salt record that kind of stuff. Here's a screenie I borrowed from [techrepublic]
Even Windows manages to not fail at this truly basic stuff. Linux and BSD variants do it, too: [ubuntu]
May 25 07:31:25 tardis-w520 kernel: [ 161.469096] usb 1-1.5.5: new high-speed USB device number 8 using ehci_hcd
May 25 07:31:25 tardis-w520 mtp-probe: checking bus 1, device 8: "/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.5/1-1.5.5"
May 25 07:31:25 tardis-w520 kernel: [ 161.658587] scsi6 : usb-storage 1-1.5.5:1.0
May 25 07:31:25 tardis-w520 kernel: [ 161.658685] usbcore: registered new interface driver usb-storage
May 25 07:31:25 tardis-w520 kernel: [ 161.795563] usbcore: registered new interface driver uas
"New high speed USB device" isn't super clear, but you can also see it's manifesting as a SCSI pseudo-device, i.e.: a hard drive. Again, no journalist appears to have asked, "did anyone do a forensic analysis on those machines?"
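To show what a forensic pass over those lines actually pulls out, here is an added example (written for this edit, not from the post or from any vendor): it scans syslog-style kernel lines, records each "new ... USB device" event by its bus-port path, and marks the event as mass storage when a later usb-storage line binds to the same path. The sample input is the post's own Ubuntu excerpt plus three constructed lines (a low-speed device with no storage binding, and a second stick) so both branches are exercised; syslog timestamps carry no year, so the timestamp is kept as the text the log wrote.

```python
"""Extract USB insertion events from syslog-style kernel lines and flag the
ones that attach as mass storage (usb-storage -> SCSI disk).

Added example, not from the original post. The first five sample lines are
the post's Ubuntu excerpt; the remaining three are constructed here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LINES = [
    # lines quoted in the post
    "May 25 07:31:25 tardis-w520 kernel: [ 161.469096] usb 1-1.5.5: new high-speed USB device number 8 using ehci_hcd",
    'May 25 07:31:25 tardis-w520 mtp-probe: checking bus 1, device 8: "/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.5/1-1.5.5"',
    "May 25 07:31:25 tardis-w520 kernel: [ 161.658587] scsi6 : usb-storage 1-1.5.5:1.0",
    "May 25 07:31:25 tardis-w520 kernel: [ 161.658685] usbcore: registered new interface driver usb-storage",
    "May 25 07:31:25 tardis-w520 kernel: [ 161.795563] usbcore: registered new interface driver uas",
    # constructed lines: a device that never binds usb-storage, then a second stick
    "May 25 07:40:02 tardis-w520 kernel: [ 678.120004] usb 1-1.2: new low-speed USB device number 9 using ehci_hcd",
    "May 25 08:02:11 tardis-w520 kernel: [ 2007.001122] usb 1-1.5.6: new high-speed USB device number 10 using ehci_hcd",
    "May 25 08:02:12 tardis-w520 kernel: [ 2007.220000] scsi7 : usb-storage 1-1.5.6:1.0",
]

NEW_DEVICE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: \[\s*[\d.]+\] "
    r"usb (?P<path>[\d.-]+): new (?P<speed>\S+) USB device number (?P<num>\d+)"
)
USB_STORAGE = re.compile(
    r"kernel: \[\s*[\d.]+\] (?P<scsi>scsi\d+) : usb-storage (?P<path>[\d.-]+):\d+\.\d+"
)


@dataclass
class UsbEvent:
    ts: str                      # syslog timestamp text, no year in the log
    host: str
    path: str                    # bus-port path such as "1-1.5.5"
    number: int                  # USB device number on that bus
    speed: str
    storage: bool = False        # True once usb-storage binds to this path
    scsi_host: Optional[str] = None


def parse_usb_events(lines) -> List[UsbEvent]:
    """Return UsbEvent objects in log order, correlating a later
    usb-storage binding back to the insertion event for the same path."""
    events: Dict[str, UsbEvent] = {}
    order: List[str] = []
    for line in lines:
        m = NEW_DEVICE.search(line)
        if m:
            ev = UsbEvent(m["ts"], m["host"], m["path"], int(m["num"]), m["speed"])
            events[ev.path] = ev
            order.append(ev.path)
            continue
        m = USB_STORAGE.search(line)
        if m and m["path"] in events:
            events[m["path"]].storage = True
            events[m["path"]].scsi_host = m["scsi"]
    return [events[p] for p in order]


def storage_insertions(lines) -> List[UsbEvent]:
    """Only the insertions that showed up as a disk."""
    return [e for e in parse_usb_events(lines) if e.storage]


if __name__ == "__main__":
    for e in parse_usb_events(SAMPLE_LINES):
        kind = f"storage via {e.scsi_host}" if e.storage else "not storage"
        print(f"{e.ts} {e.host} usb {e.path} dev#{e.number}: {kind}")
```

On a real box the same correlation needs the journal or `/var/log/kern.log` plus the year from the file's context, and the point of the exercise is exactly the one the post makes: an insertion leaves a timestamped record that either matches the custody story or does not.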
I'm going to guess that no journalist appears to have asked that because journalists appear to generally be lazy, ignorant hacks who don't do their basic research. A little more basic research would show that there's a pretty well thought-out process for validating the integrity of election machines. Who'd'a thunk!? Sure, this is Canadian, but the US has similar processes (we tend not to put such details on the web, since it could become a roadmap for attempting to compromise the system or process) [ca]
Oh, look! Someone photoshopped some highlights onto this screenshot from the compliance review:
Can you imagine the "burning Hindenburg performance" that Giuliani or Powell would have made if some awake and aware clued-in journalist had started bulldogging questions like, "how do you hypothesize they defeated the configuration controls documented in the device?"
Here's some system architecture stuff from Dominion [dominion]
I'm just including that pro forma - any security analyst worth a pinch of sand would have been looking at the audit capabilities of the system, and wouldn't it have been a fine thing indeed if some journalist had said:
Journalist: "Mr Giuliani, the voting machines you are talking about - all the vendors are required to meet certain audit trail capabilities, as part of the jurisdiction's purchasing decision to use a particular voting machine for federal offices. Are you claiming that a couple of election workers were able to tamper undetectably with an audit trail that is, by definition, designed to make tampering detectable?"
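To make concrete what "designed to make tampering detectable" means, here is an added example (my own illustration for this edit, not Dominion's code or any certified vendor design): an append-only log in which every record carries a keyed hash over the previous record's tag, its own sequence number and its contents. The key is assumed to be held off the device (a fixed constructed key here), so editing, deleting or reordering an entry breaks the chain, and truncation is caught by comparing against a length recorded in an external anchor.

```python
"""Tamper-evident audit trail as a keyed hash chain.

Added example, not from the original post and not any vendor's design.
Each record's tag = HMAC-SHA256(key, [previous_tag, seq, record]); the key
is assumed to live outside the device being audited.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64                      # tag "before" the first record


def _tag(key: bytes, prev: str, seq: int, record: dict) -> str:
    # canonical JSON so the same logical record always hashes the same way
    payload = json.dumps([prev, seq, record], sort_keys=True, separators=(",", ":"))
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def append(log: List[Dict], key: bytes, record: dict) -> Dict:
    """Append a record, chaining it to whatever is currently last."""
    prev = log[-1]["tag"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "record": record, "tag": _tag(key, prev, seq, record)}
    log.append(entry)
    return entry


def verify(log: List[Dict], key: bytes,
           expected_len: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, index_of_first_bad_entry). Every entry must sit at its
    own sequence number and carry the tag recomputed from its predecessor;
    expected_len, when supplied from an external anchor, catches truncation."""
    prev = GENESIS
    for i, entry in enumerate(log):
        want = _tag(key, prev, i, entry["record"])
        if entry["seq"] != i or not hmac.compare_digest(entry["tag"], want):
            return False, i
        prev = entry["tag"]
    if expected_len is not None and len(log) != expected_len:
        return False, len(log)
    return True, None


def build_demo_log(key: bytes) -> List[Dict]:
    """Constructed sequence of the kinds of events such a trail records."""
    log: List[Dict] = []
    for rec in [
        {"event": "boot", "config": "cfg-v1"},
        {"event": "usb_attach", "path": "1-1.5.5", "class": "usb-storage"},
        {"event": "poll_open"},
        {"event": "ballot_cast", "ballot_id": 1},
        {"event": "poll_close", "ballots": 1},
    ]:
        append(log, key, rec)
    return log


if __name__ == "__main__":
    k = b"constructed-test-key"           # stands in for a key held off-device
    trail = build_demo_log(k)
    print("clean:", verify(trail, k))
    trail[1]["record"]["class"] = "hid"   # rewrite history
    print("edited:", verify(trail, k))
```

The caveat a practitioner will want: a chain only proves anything if the key, or at least the final tag and record count, is anchored somewhere the person with write access to the log cannot also rewrite, otherwise the whole chain can be recomputed end to end. That is why the paper cards the post describes matter as an independent anchor: an electronic trail and a physical trail have to be altered consistently, by the same person, to tell the same false story.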
I am aware that I am flogging a dead horse, here. Giuliani has since admitted that he outright made up that stuff about USB ports being passed around, and Powell has since admitted more or less to being a complete wackaloon - or, at least, meeting or exceeding the minimal amount of wackaloonery to be considered a wackaloon. Giuliani and Powell are going to wind up broke and derelict, given the huge amount of damage their knowing lies inflicted on voting volunteers, voting machine vendors, and the cost of many re-counts that they knew would not find anything.
What bothers me more than that a couple of loose nut has-beens have sunk themselves, is that the media couldn't be arsed to do some basic research and shut that shit down. If you think back to the reporting about all the election chicanery, most of what we got was: "another Trump lawsuit was dismissed by ${Judge}" and that's ... it? What questions did the judge ask? What expertise did the judge bring to the table? Who did the research for the judge? If I can get a bee in my bonnet and dig up the Dominion system architecture in less than 10 minutes, and understand it in under 45 minutes, why couldn't one of the media darlings' assistants be arsed to do likewise? If I were a "journalist" I'd ask a rhetorical question like, "can it be possible that today's journalists are a bunch of ignoramuses who think that reading and copy/pasting from Twitter is the whole of 'journalism'?" The whole thing is a shameful shit-show and that's why I haven't been able to think about it. A plague on all their houses.
[This is cross-posted from my regular blog over at freethoughtblogs where we don’t have “rules of the road” that require us to pretend to be nice.]
Also: I built a custom sled for my table saw and bolted the Dell computer to it, then sawed through both sides (power supply, hard drives, everything!) at the precise, desired, angle. Wow, was that loud! Even wearing hearing protection and a face-shield, it was quite a process. Then, the pieces were carefully hung on very thin stainless steel threads, from the ceiling of my studio. The rest was just setting up lights and a motion trigger, then doing a few cuts through where the PC used to be.
[1] URL: https://www.dailykos.com/stories/2023/8/19/2188367/-Questions-Unasked
Content appears here under this condition or license: Site content may be used for any purpose without permission unless otherwise specified.