Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States

The nation’s top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them.

The statement [indicates that previous comments they offered on this subject were outright lies. For example] in February …a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. “None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software,” the spokesperson said.

…ES&S is the top voting machine maker in the country, a position it held in the years 2000-2006 when it was installing pcAnywhere on its systems. The company’s machines were used statewide in a number of states, and at least 60 percent of ballots cast in the US in 2006 were tabulated on ES&S election-management systems. 

…Election-management systems are not the voting terminals that voters use to cast their ballots, but are just as critical: they sit in county election offices and contain software that in some counties is used to program all the voting machines used in the county; the systems also tabulate final results aggregated from voting machines.

Software like pcAnywhere is used by system administrators to access and control systems from a remote location to conduct maintenance or upgrade or alter software. But election-management systems and voting machines are supposed to be air-gapped for security reasons—that is, disconnected from the internet and from any other systems that are connected to the internet.

…The presence of such software makes a system more vulnerable to attack from hackers, especially if the remote-access software itself contains security vulnerabilities. If an attacker can gain remote access to an election-management system through the modem and take control of it using the pcAnywhere software installed on it, he can introduce malicious code that gets passed to voting machines to disrupt an election or alter results.

[Sen. Ron] Wyden told Motherboard that installing remote-access software and modems on election equipment “is the worst decision for security short of leaving ballot boxes on a Moscow street corner.”

…Security researchers discovered a critical vulnerability in pcAnywhere that would allow an attacker to seize control of a system that had the software installed on it, without needing to authenticate themselves to the system with a password. And other researchers with the security firm Rapid7 scanned the internet for any computers that were online and had pcAnywhere installed on them and found nearly 150,000 were configured in a way that would allow direct access to them.

Although Wyden’s office asked ES&S to identify which of its customers were sold systems with pcAnywhere installed, the company did not respond.

“ES&S needs to stop stonewalling and provide a full, honest accounting of equipment that could be vulnerable to remote attacks,” [Wyden] told Motherboard. “When a corporation that makes half of America’s voting machines refuses to answer the most basic cyber security questions, you have to ask what it is hiding.”

Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States – Motherboard

Grrrrrrrrrrrrrrrrrrrrrrrrrrrrrr

How Comey intervened to kill WikiLeaks’ immunity deal

“Subject to adequate and binding protections, including but not limited to an acceptable immunity and safe passage agreement, Mr. Assange welcomes the opportunity to discuss with the U.S. government risk mitigation approaches relating to CIA documents in WikiLeaks’ possession or control, such as the redaction of agency personnel in hostile jurisdictions and foreign espionage risks to WikiLeaks staff,” Waldman wrote Laufman on March 28, 2017.

Not included in the written proffer was an additional offer from Assange: He was willing to discuss technical evidence ruling out certain parties in the controversial leak of Democratic Party emails to WikiLeaks during the 2016 election. The U.S. government believes those emails were hacked by Russia; Assange insists they did not come from Moscow.

“Mr. Assange offered to provide technical evidence and discussion regarding who did not engage in the DNC releases,” Waldman told me. “Finally, he offered his technical expertise to the U.S. government to help address what he perceived as clear flaws in security systems that led to the loss of the U.S. cyber weapons program.”

…Waldman couldn’t believe a U.S. senator and the FBI chief were sending a different signal, so he went back to Laufman, who assured him the negotiations were still on. “What Laufman said to me after he heard I was told to ‘stand down’ by Warner and Comey was, ‘That’s bullshit. You are not standing down and neither am I,’” Waldman recalled.

…Multiple sources tell me the FBI’s counterintelligence team was aware and engaged in the Justice Department’s strategy but could not explain what motivated Comey to send a different message around the negotiations through Warner. A lawyer for Comey did not immediately return calls seeking comment.

…Soon, the rare opportunity to engage Assange in a dialogue over redactions, a more responsible way to release information, and how the infamous DNC hacks occurred was lost — likely forever.

How Comey intervened to kill WikiLeaks’ immunity deal | TheHill

More Comey interference in things related to the outcome of the 2016 election. Huh.

Facebook accused of conducting mass surveillance through its apps

Facebook used its apps to gather information about users and their friends, including some who had not signed up to the social network, reading their text messages, tracking their locations and accessing photos on their phones, a court case in California alleges.

The claims of what would amount to mass surveillance are part of a lawsuit brought against the company by the former startup Six4Three, listed in legal documents filed at the superior court in San Mateo as part of a court case that has been ongoing for more than two years.

…Documents filed in the court last week draw upon extensive confidential emails and messages between Facebook senior executives, which are currently sealed.

…The allegations about surveillance appear in a January filing, the fifth amended complaint made by Six4Three. It alleges that Facebook used a range of methods, some adapted to the different phones that users carried, to collect information it could use for commercial purposes.

“Facebook continued to explore and implement ways to track users’ location, to track and read their texts, to access and record their microphones on their phones, to track and monitor their usage of competitive apps on their phones, and to track and monitor their calls,” one court document says.

…It claims the social media company lured developers and investors on to the platform by intentionally misleading them about data controls and privacy settings. As part of the January filing, it claims Facebook tracked users extensively, sometimes without consent.

On Android phones, the company was able to collect metadata and content from text messages, the lawsuit alleges. On iPhones it could access most photos, including those that had not been uploaded to Facebook, Six4Three claims.

Other alleged projects included one to remotely activate Bluetooth, allowing the company to pinpoint a user’s location without them explicitly agreeing to it. Another involved the development of privacy settings with an early end date that was not flagged to users, letting them expire without notice, the court documents claim.

…It also collected information sent by non-subscribers to friends or contacts who had Facebook apps installed on their phones, the court documents claim. Because these people would not have been Facebook users, it would have been impossible for them to have consented to Facebook’s collection of their data.

…Facebook has not fully disclosed the manner in which it pre-processes photos on the iOS camera roll, meaning if a user has any Facebook app installed on their iPhone, then Facebook accesses and analyses the photos the user takes and/or stores on the iPhone, the complainant alleges.

Facebook accused of conducting mass surveillance through its apps | Technology | The Guardian

hmmmm