
An Electronic Voting Firm Exposes 1.8M Chicagoans - mcone
https://www.upguard.com/breaches/cloud-leak-chicago-voters
======
danso
Source blog post (and free of CNN's obnoxious autoplay video):
[https://www.upguard.com/breaches/cloud-leak-chicago-
voters](https://www.upguard.com/breaches/cloud-leak-chicago-voters)

As soon as I read the headline, I immediately thought "AWS misconfiguration".
A few recent massive government-data breaches (by contractors) have fallen
into that category:

June 2017: [http://gizmodo.com/gop-data-firm-accidentally-leaks-
personal...](http://gizmodo.com/gop-data-firm-accidentally-leaks-personal-
details-of-ne-1796211612)

May 2017: [http://gizmodo.com/top-defense-contractor-left-sensitive-
pen...](http://gizmodo.com/top-defense-contractor-left-sensitive-pentagon-
files-on-1795669632)

Note that all of these breach reports (including this Chicago one) come from
Upguard, which seems to have a method for scanning/crawling public S3 buckets.

~~~
ckinnan
Amazon just launched a service to help scan, categorize, and protect data
[https://aws.amazon.com/macie/](https://aws.amazon.com/macie/)

~~~
dark_shadow
Don't you have to pay for that?

~~~
lazyant
One click away:
[https://aws.amazon.com/macie/pricing/](https://aws.amazon.com/macie/pricing/)

"No charge for the first 1 GB processed by the content classification engine
After first GB, $5 per GB processed by the content classification engine"

~~~
flyGuyOnTheSly
Wow that seems pricey. $5 just to look over a Gig of data with a fancy
algorithm?

...data that's already on their servers, to boot!

------
SamuelAdams
Isn't this considered public data anyways? Illinois (and I believe every other
US state) requires that certain voter data be publicly accessible. To access
it in bulk, you'll have to pay a small fee, but anyone can get this.

A misconfigured AWS instance is always an issue. I'm not trying to downplay
that. Only that this data being released to the public isn't anything new -
the public already had access to it.

[https://www.elections.il.gov/votinginformation/computerizedv...](https://www.elections.il.gov/votinginformation/computerizedvoterdata.aspx)

~~~
mcone
No. The Chicago Tribune [0] reported on the type of data exposed:

> The files included names, addresses, dates of birth, the last four digits of
> many voters' Social Security numbers, driver's license and state ID numbers
> for the 1.8 million who are registered to vote in Chicago.

[0] [http://www.chicagotribune.com/news/local/politics/ct-
chicago...](http://www.chicagotribune.com/news/local/politics/ct-chicago-
voter-data-cloud-met-0818-20170817-story.html)

~~~
SamuelAdams
So the question becomes - what types of data is available using legal
channels?

~~~
mcone
According to Forbes [0]:

\- Name

\- Street address

\- Party affiliation

\- Elections in which you did (or did not) vote

\- Phone number

\- Email address

[0] [https://www.forbes.com/sites/metabrown/2015/12/28/voter-
data...](https://www.forbes.com/sites/metabrown/2015/12/28/voter-data-whats-
public-whats-private/#76f45d481591)

~~~
GauntletWizard
Last four of social is so abused it shouldn't count, and date of birth is in
nearly every company's loyalty database. That leaves drivers license and state
ID number as the leaked data. I'm honestly not sure how important or secure
those are.

~~~
pgroves
Illinois is one of the states where driver's license numbers are computed from
all the other information:
[http://www.highprogrammer.com/alan/numbers/dl_us_shared.html](http://www.highprogrammer.com/alan/numbers/dl_us_shared.html)

~~~
marpstar
wow. I had no idea about this, but it correctly calculated my DL number.

------
verytrivial
So, what, now somehow a group of people impacted by this potential identity
theft vector will need to rally together under some keen prosecutor to
personally sue? Why aren't the vendors auto-summoned to court by the
government when these breaches occur?</rhetoricalQuestion>

Hooray for the free market .. ?

~~~
chronic6h2
> Hooray for the free market

The free market says they don't care. I've had my identity stolen from a data
breach. Could I have sued? Yes. Could I have led a class action lawsuit? Yes.

Did I? No. Why? I'm fine now and just like billions of other humans, I'm lazy
and simply just don't care enough.

------
kyle-rb
Recently, I got an email from AWS notifying my that one of my S3 buckets was
publicly accessible (intentionally, for a static site). They really try to
make sure that people can't screw this up.

~~~
rayboy1995
Yes not only that, they have changed the UI so much that it explicitly
confirms that you want to make this data public.

------
colinyoung
As both a Chicagoan and (obviously) an Illinois resident, this means my voter
info has been exposed twice this year alone.

Amazon sent out warning emails for owners of misconfigured boxes about 60 days
ago. Why didn't the firm in question take action? I am an engineer and
literally had to do that same task at work at that time. Easy as 2 clicks.

~~~
monksy
The ticket wasn't a high enough priority. Or the PO didn't want to prioritize
it in the sprint.

~~~
komali2
"It was in the backlog!"

~~~
monksy
Tech debt "we'll get to it."

------
shazzy
Slightly off-topic, but a great video on why Electronic Voting could be a bad
idea:
[https://www.youtube.com/watch?v=w3_0x6oaDmI](https://www.youtube.com/watch?v=w3_0x6oaDmI)

I've wondered before why the UK doesn't have e-voting, and after watching it
is sort of seems obvious. With traditional voting, it can easily be changed on
a small scale, but is very hard to do in a meaningful way. Whilst with
e-voting, its almost just as much effort to change on a small scale as a
bigger scale, with much fewer people being involved.

I particularly like the idea that the reason we use pencils is as a protection
against somebody replacing pens with ones with invisible ink. Not sure if this
is true though.

------
sneak
T-Mobile uses the last4 of the account holder's SSN as a phone support
authentication string.

This is a trove.

~~~
ams6110
And they're certainly not the only one. Last 4 of SSN is a _very_ common
authentication question.

~~~
unclebucknasty
Which is inane.

We have to get away from this idea of having "secret" numbers that, if simply
discovered, can cause so much damage.

That includes credit card numbers, SSN, etc.

~~~
Bartweiss
It's worth noting that SSN is _far_ worse than a credit card number.

"Something you know" isn't a great standard as the entirety of auth, but it'll
probably stay common for practical reasons. But "something you know and can
never change if breached" is absolutely idiotic, and there are plenty of good
alternatives already in existence.

~~~
kevin_thibedeau
"Improper use of this card and/or number by the number holder or any other
person is punishable by fine, imprisonment or both."

We could start by exacting real consequences for those who abuse SSNs.

~~~
freeone3000
Currently it's between 48 months and 27 years (see federal sentencing
guidelines) if caught. What sort of real consequences would you like to see? I
don't think making the numbers above bigger would make that much of a
difference.

~~~
Bartweiss
Sorry, could you source that?

I just looked around and only found 42 U.S. Code § 408, which offers a maximum
penalty of five years (higher for Social Security workers or medical
professionals engaged in fraud).

Also, the vast majority of the text concerns misuse of an SSN to defraud of
mislead the government, particularly by claiming benefits. (8) does read
"discloses, uses, or compels the disclosure of the social security number of
any person in violation of the laws of the United States", but at a quick look
I only see prosecutions where that was tied to benefit fraud.

I don't think 5 years is an insufficient sentence, and I think the urge to
raise sentences as a deterred is usually counterproductive. But I do think
there's room for progress here.

Most SSN abuse as identification appears to be prosecuted as simple identity
theft, not SSN fraud. Adding the secondary charge specifically for SSN abuse
might encourage thieves to rely on other, less permanent information like
passwords.

More broadly, I'd rather see the government concede that SSNs have become a
standard form of identification, and make the renewal process less heinous.
Right now you have to show grievous hardship over an extended period, can't
appeal a bad decision, and will still lose your credit history when the new
one is issued. That's simply not a reasonable system for a number people are
expected to give out so often.

------
shostack
How far fetched would it be for this data to make it's way into Cambridge
Analtyica-type targeting for future election advertising?

Putting on my tinfoil hat for a moment, I have this nagging feeling in my guy
that these issues are a little too coincidental.

So how can we make sure all this data isn't used to tamper with voter rolls or
uploaded to FB, etc. to create Custom Audiences based on voting history and
district?

~~~
jdmichal
I can tell you that campaigns have much of this information already, often
provided directly by the state as public information. The idea that campaigns
don't already "create Custom Audiences based on voting history and district"
is laughable at best. Communications are often targeted in exactly this way.

Here's Florida's relevant information:

[http://dos.myflorida.com/elections/for-voters/voter-
registra...](http://dos.myflorida.com/elections/for-voters/voter-
registration/voter-information-as-a-public-record/)

"Voter registration information is public record in Florida with a few
exceptions. Information such as your social security number, driver’s license
number, and the source of your voter registration application cannot be
released or disclosed to the public under any circumstances. Your signature
can be viewed, but not copied. Other information such as your name, address,
date of birth, party affiliation, and when you voted is public information."

~~~
shostack
Most of this info is public, but not who you voted for, or your email address.

~~~
jdmichal
I don't see anything in this article that indicates that the Chicago database
had these pieces of information either.

------
ams6110
Cool, now let's match them up against death records and see how many of the
dead really do vote in Chicago ;)

~~~
neuronexmachina
The data is for registrations, not who actually voted. There's probably quite
a few people who are deceased or moved who are probably still in the
registration db.

------
incongruity
Is there any way for one to know if their info has been exposed? I had been
registered to vote in Chicago ~6+ years ago but have since moved. Knowing
Chicago, I'd bet I was still on the rolls (and probably having ballots cast
for me ;)

~~~
incongruity
Not sure why my original question has been down-voted. I think it's a
legitimate issue – when things like this make the news, there's often an
interest for potential victims to find out if they've been put at risk. Many
companies go out of their way to protect their customers/users with offers of
identity monitoring/credit monitoring, etc – will the city of Chicago do the
same?

------
aanet
Is there any way to find one's (personal) details were in the data that was
exposed??

------
cozzyd
I wonder if Obama's info was leaked (mine almost certainly was was :( )

------
lpa22
This is EXACTLY the reason I don't vote

~~~
knieveltech
Choosing to abdicate your civic responsibility is certainly your right but
this is easily the most bullshit rationale I've heard offered to support the
choice. I'm guessing you also don't shop at Target or Amazon?

