Voter Fraud Found

**Winehole23** · 11-05-2018

the investigation Brian Kemp just opened is based on vulnerabilities in the state election system pointed out by Democratic officials, to security experts:

From the reporting, it appears that the vulnerability is the kind of mistake that was common on the web two decades ago, that once you've logged in you can access anyone else's content just by changing the URL. Basically anyone with any degree of knowledge of online security learned to block such a vulnerability at least a decade or more ago. It is astounding that such a vulnerability might still exist online, let alone on something as vital and key to democracy as a state election system.

It appears that this is the basis of Kemp's new investigation.

https://www.techdirt.com/articles/20...n-system.shtml

**Winehole23** · 11-05-2018

A later story on WhoWhatWhy details that it wasn't the Democratic Party who had discovered the vulnerability in the first place, but rather someone else, who then contacted a lawyer for someone already suing Kemp over weaknesses in Georgia's election system:

A man who claims to be a Georgia resident said he stumbled upon files in his My Voter Page on the secretary of state’s website. He realized the files were accessible. That man then reached out to one of Cross’s clients, who then put the source and Cross in touch on Friday.

The next morning, Cross called John Salter, a lawyer who represents Kemp and the secretary of state’s office. Cross also notified the FBI.

As noted above, WhoWhatWhy reached out to multiple security experts who all confirmed the vulnerability -- and apparently all five of them noted that actually testing the vulnerability would be illegal. But all five of them were able to just look at the code on the site and confirm the vulnerability was real and could be used to alter voter information in the rolls, which is an especially big deal considering that one of Kemp's voter suppression methods was to insist that if any tiny bit of your information did not match what was in the rollbook, you couldn't vote.

The report further notes that the security researchers approached by WhoWhatWhy reached out to both US intelligence officials and the Coalition for Good Government, who also reached out to Kemp's own lawyers to alert him to the problems in the system:

Bruce Brown, a lawyer for the group, then reached out to Kemp’s attorneys to alert them of the problem. At 7:03 PM Saturday night, he emailed John Salter and Roy Barnes, former governor of Georgia, in their capacities as counsel to Secretary of State Kemp, to notify them of the serious potential cyber vulnerability in the registration files that had been discovered without any hacking at all, and that national intelligence officials had already been notified.
[....]

“What is particularly outrageous about this, is that I gave this information in confidence to Kemp’s lawyers so that something could be done about it without exposing the vulnerability to the public,” Brown told WhoWhatWhy. “Putting his own political agenda over the security of the election, Kemp is ignoring his responsibility to the people of Georgia.”

**Winehole23** · 11-05-2018

The first vulnerability identified in the email is on the My Voter Page, where voters can check their registration, the status of their mail-in or provisional ballots, or change their voter information. After following a commonly used link, one arrives at a page that is not secure. To view any file on the server that runs the My Voter Page nothing more is needed than typing any file name into the web browser, the experts said.

In addition to do ents, files include things like network configuration files, cryptographic keys, and possibly even code that could be used to break into the server.

Because it would be illegal to explore what is available on the site, the extent of the vulnerability is still not known.

“Holy ,” Duncan Buell told WhoWhatWhy when he logged onto the website. “Presumably, you could just hit the backspace button on the file, put in a new file name, and it would let you download that.”

Even if someone didn’t know the name of the do ent they were trying to access, they could instead find it by writing a code to probe the My Voter Page, said Buell, a computer science professor at the University of South Carolina and elections and voting technology expert.

https://whowhatwhy.org/2018/11/04/ke...curity-crisis/

**Winehole23** · 11-05-2018

The second vulnerability described in the email is found in the state’s online voter registration system.

In the code of the website — which anybody can access using their internet browser — there is a series of numbers that represent voters in a county. By changing a number in the web browser’s interface and then changing the county, it appears that anybody could download every single Georgia voter’s personally identifiable information and possibly modify voter data en masse.

In addition, voter history, absentee voting, and early voting data are all public record on the secretary of state’s website. If a bad actor wanted to target a certain voting group, all of the information needed is available for download.

“It’s so juvenile from an information security perspective that it’s crazy this is part of a live system,” Constable said.

same article

**Winehole23** · 11-05-2018

What’s more, there don’t seem to be any security measures that could detect these changes or trace them back to a source, according to several of the experts.

Worse yet, a bad actor could easily pretend to be someone else, according to Constable. “In theory you could copy and paste that session ID or cookie — that unique string — and put it in your browser to emulate that person,” Constable said. “So not only could you access that person’s information and act as that person, you could then make changes under that person’s iden y.”

**Winehole23** · 11-05-2018

essentially, Brian Kemp is investigating Georgia Democrats for pointing out egregious vulnerabilities in the elections system he oversees.

**boutons_deux** · 11-05-2018

red/slave state Repugs, Dedicated Guardians of the Mythical, Sacred Right To Vote

**Winehole23** · 11-05-2018

pattern of incompetence:

If the assessment of these vulnerabilities is accurate, it would be the fourth time in as many years that the private information of every voter in Georgia, as well as other information related to voting, has been exposed.

In 2015, an employee at the secretary of state’s office sent out personally identifiable information to 12 news media and political party organizations.

In August, 2016, computer researcher Logan Lamb, formerly of Oak Ridge National Laboratory, was able to access Georgia’s entire voter registration database, including all personally identifiable information. The system was not password protected and was vulnerable to being rewritten. He notified the state of the problem.

Then in February, 2017, Christopher Grayson — a Los Angeles-based security engineer — and Lamb found that the problem had not been fixed and that the same information was still unprotected.

**Winehole23** · 11-05-2018

**Winehole23** · 11-05-2018

during the same period, 637 people in the US were killed by lightning strikes

**boutons_deux** · 11-05-2018

Georgia Officials Quietly Patched Security Holes They Said Didn’t Exist

the state was busily fixing problems in its voter registration

hours after the office of Secretary of State Brian Kemp, the Republican candidate for governor,

had insisted the system was secure.

in the evening hours of Sunday, as the political storm raged, ProPublica found state officials quietly rewriting the website’s computer code.

https://talkingpointsmemo.com/news/g...+%28TPMNews%29

**Will Hunting** · 11-08-2018