Date: 2016-07-03
"The security firm, Recorded Future, was monitoring underground electronic markets where hackers buy and sell wares and discovered someone offering log-on credentials for access to computers at the U.S. Election Assistance Commission, company executives said.
Posing as a potential buyer, the researchers engaged in a conversation with the hacker..."
Sounds like somebody found a vuln in what is probably a creaky lowest-bid government contractor website and wanted to monetize it.
I've never heard of this "Election Assistance Commission" agency before, but it sounds like they exist to help US states implement a law from 2002 called the Help America Vote Act (HAVA).
I'm not at all comfortable with all these infiltrations, but this "American Election Commission" has done a pretty awful job, hacked or not.
The fact that voter fraud/suppression shenanigans exist, or that there's any ambiguity about how votes get counted, indicates to me they're assisting a pretty screwball election system.
As we all know, electronic voting machines aren't so hot, and in my personal opinion the EAC hasn't done much very effectively and has been under fairly regular attack in Congress and under (maybe toothless) threat of being shut down.
I don't think they have any actual power over much of anything in elections, because that power is distributed to the state-level secretaries of state, so their role is advisory at best and also disjoint from the more powerful FEC.
How are SQL vulnerabilities like this still happening to systems that need to be secure?
They don't think of it as "executable code" because of the limited and monotonous nature of CRUD operations typically associated with data persistence.
They just think of it as yet another inconvenient form of declarative data already at rest. Perhaps akin to mark-up. Raw data, like XML.
With JSON, some developers innately clue themselves in, because JavaScript, but they don't honestly understand the root of the hazard. They're just thinking FIRE BAD! Then they hack some JSONP into place because it's fun to do that sort of thing.
Most novice developers (my younger self included, tsk tsk) strongly resist protections against even HTML injection, until they see a massacre play itself out in the real world when someone drops the ball.
I find it akin to hiring a librarian who cannot read. Either because they're cheap, or they have the right friends.
People would start to confuse "your" and "you're" or "its" and "it's".
Quite a scary thought.
I am genuinely trying to determine if this is a joke. :) People already do confuse those! I have unfortunately seen many arguments on Facebook over the correct usage.
1. Incompetent contractors
2. Well-meaning non-technical hiring managers with slim budgets
3. Talent that's not lining up to work for the gov't because it's most definitely awful compared to the opportunities available
The story of the US gov't's dismal IT infrastructure. In 2017, the IT budget is projected to be $90 billion.
https://www.whitehouse.gov/sites/default/files/omb/budget/fy...
How much of that do you estimate is wasteful?
It'd sure be nice to register to vote/get healthcare/etc on my phone.
- Outsourcing offshore to lower costs through a 3PP
- Junior developers with inadequate training
- Sheer incompetence
Incompetence can be extended to management - i.e. a lack of policies and auditing to undertake due diligence.
Sometimes SQLi isn't obvious, even when the developer is aware of the attack vector, if they are not thinking defensively. For example, inputs from a cookie or from HTTP headers such as the HTTP Referer.
Pretty simple: 100% of the time use prepared statements, NEVER build an SQL query yourself.
Tada, 0% SQLi.
The problem isn't that some people are idiots. The problem is that we, as an industry, don't have great security solutions.
Processes that could help mitigate these bugs:
- Security / safe coding training
- Code audits
- Testing - static and dynamic
- Policies that are communicated such as "Always use prepared statements" or "use X framework"
[1] https://www.schneier.com/crypto-gram/archives/2000/0515.html
If something "needs to be secure" then IT is likely up to its ears in reams of policies and reports, Cisco firewalls, VLANs, Group Policies, Symantec antivirus products, Websense, and password complexity regimes. It seems only elite tech companies and the military/intelligence community are making serious steps towards "How can I choose and commission software that is not so likely to contain serious vulnerabilities?" Even obvious ones.
Mainstream IT security practices can, at best, put up a perimeter around the steaming pile of garbage fresh from the lowest bidder so that it can't infect anything else, and only insiders can exploit it, and maybe there will even be a record of them doing things that look like exploit attempts.
Aside from that? It should just be expected that any system that uses a structured query language and can receive user input is vulnerable to injection.
One is that mysql (as opposed to Oracle or pgsql) is kind of unusual in allowing quotes indiscriminately for all column types, so in order to do this right you have to only do it for string-type columns and prevent injection on different types some other way.
Another is that most of the APIs around the more sprintf-style quoting (eg: `query("SELECT * FROM table WHERE x = %", someStr);`) are tied into prepared statements, which carry their own problems that also differ per engine.
It's actually not as simple as you might think. On top of that, php used to have the whole automatic quoting thing that just made a hash out of things.
https://youtu.be/w3_0x6oaDmI
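The prepared-statement advice given above, the earlier point about cookie and header inputs, and the per-column-type quoting problem just discussed, as one added example that is not part of the original thread: a string-built login query beside its parameterised form, the same bug with the Referer header as the input source, and an integer-column lookup that validates the type before binding rather than relying on engine-specific quoting. It uses Python's standard sqlite3 module; the table names, column names and sample rows are constructed for the demo and are not from the article or the thread.

```python
import sqlite3

# Constructed sample data for this demo; none of it comes from the original thread.
USERS = [(1, "alice", "hunter2"), (2, "bob", "correct horse")]
VISITS = ["https://example.org/", "https://example.org/", "https://example.net/"]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("CREATE TABLE visits (referer TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO visits VALUES (?)", [(r,) for r in VISITS])
    return conn


def login_vulnerable(conn, name, password):
    """String-built query: attacker-controlled text becomes part of the SQL."""
    sql = (
        "SELECT id FROM users WHERE name = '%s' AND password = '%s' ORDER BY id"
        % (name, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Parameterised query: values are bound by the driver, never parsed as SQL."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ? ORDER BY id"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def count_visits_vulnerable(conn, referer):
    """Same bug, less obvious source: the Referer header lands in a WHERE clause."""
    sql = "SELECT COUNT(*) FROM visits WHERE referer = '%s'" % referer
    return conn.execute(sql).fetchone()[0]


def count_visits_safe(conn, referer):
    """Header value bound as a parameter; a quote inside it is just data."""
    sql = "SELECT COUNT(*) FROM visits WHERE referer = ?"
    return conn.execute(sql, (referer,)).fetchone()[0]


def lookup_name_by_id(conn, raw_id):
    """Numeric column: convert to the expected type first, then still bind it.

    Quoting rules for non-string columns differ between engines, so do not
    rely on quoting at all: reject anything that is not an integer, then pass
    the integer as a bound parameter.
    """
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"
    print("vulnerable login as nobody:", login_vulnerable(db, "nobody", bypass))
    print("safe login as nobody:      ", login_safe(db, "nobody", bypass))
    print("vulnerable visit count:    ", count_visits_vulnerable(db, bypass))
    print("safe visit count:          ", count_visits_safe(db, bypass))
    print("lookup '1 OR 1=1':         ", lookup_name_by_id(db, "1 OR 1=1"))
```

With the classic `' OR '1'='1` payload the string-built login returns the first user without a password, and the string-built visit counter returns every row; the bound versions return nothing. The vulnerable visit counter also throws a syntax error on a perfectly legitimate Referer containing an apostrophe, which is often how these bugs first surface in production logs. Note that binding parameters protects values only; table and column names still cannot be parameterised and must come from an allow-list.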
I think most people here would have a difficult time saying our voting system is secure from tampering.
Because even if there are hand-counted votes, if humans use computers to tally, communicate, or check the vote then that will certainly be open to vectors of attack that use personal credentials (the easiest to lose).
There is no escape from a desperate need for competent electronic voting and comprehensive government security in every department.
I am appalled at how candidates from the same party - e.g. Hillary and Sanders, Hillary and Obama, Trump and who-ever - first criticise each other a lot, raking muck, raising FUD, casting aspersions, indulge in a lot of rabble-rousing - just to win some popularity contest. If the candidates stoop so low for their own party, then how much lower they must stoop to "defeat" the candidates of the opposing parties.
The world has been seeing regular evidence of how easy it is to tamper with the voting machines, with the votes, and what-not. Does this call for a special situation where the elections are held again but with such concerns addressed?
Otherwise, this farce of elections would simply continue, and the world would continue to be in a worse situation.
> Does this call for a special situation where the elections are held again but with such concerns addressed?
No.
https://www.youtube.com/watch?v=LBvK-Rb681I at 48:30 President Obama says "I can assure the public that there was not the kind of tampering with the voting process that was a concern. The votes that were cast were counted and they were counted appropriately, we have not seen evidence of machines being tampered with. That assurance I can provide. "
A lot of news outlets from ABC to BBC News show "Russians hack election" in their articles' titles to get more clicks, then further down in their articles state that the DNC was hacked. "DNC emails stolen" does NOT equal "USA presidential election hacked". Revealing damaging information on a candidate is interfering with an election but not "hacking the election", which makes it sound like the Russians cast fraudulent votes using hacked machines. Plus the recount in Detroit revealed this: http://www.detroitnews.com/story/news/politics/2016/12/05/re...
Plus, didn't democratic candidate Hillary Clinton win the popular vote anyway?
https://www.crowdstrike.com/blog/bears-midst-intrusion-democ...
http://arstechnica.com/security/2016/12/the-public-evidence-...
Do you demand the same level of proof that the emails are genuine?
Obama telling Putin to "cut it out" isn't enough. No matter what is happening behind the scenes. Our next president might not even go that far.
1. The DNC coordinating with the Clinton campaign to ensure victory over Bernie in the primary.
2. Collusion between the media and the Clinton campaign (giving questions ahead of debates) to favor Clinton over Bernie
3. Signs of pay for play or general corruption of the Clinton foundation through foreign government donations.
To the hackers, I say: Thank you very much! Thank you for releasing information on the Democratic party that we would never have been told otherwise (certainly not by the mainstream media).
And you want to fight a nuclear war over this? Ridiculous. Utterly ridiculous.
It strikes me as profoundly foolish to not react here just because you happen to be happy that this particular set of information was released. (As well as, by the way, reams of email with no value to the public whatsoever.)
And of course nobody is suggesting we fight a nuclear war. There's clearly plenty of space between GP's suggestion that we do more than tell them to 'cut it out' and nuclear warfare.
I don't know what country you're from, but our laws in America are supposed to protect whistleblowers, not prosecute them.
Not to mention that the emails they kept might be used for blackmail in the future.
Publications like the Washington Post have made some ridiculous claims (clickbait headlines) with zero evidence, and it's been cited heavily for more Fake News.
It doesn't help that the new NDAA bill includes the "Countering Foreign Propaganda and Disinformation Act", which allows the US government to propagandize the American people. https://noagendaplayer.com/listen/885/1-30-59
The American population is absolutely ignorant.
https://amp.theguardian.com/us-news/2016/dec/10/cia-conclude...
>"A secret CIA assessment...the Washington Post reported, citing officials briefed on the matter."
If it's a secret assessment, how did WaPo get a hold of it? How does the CIA not disclose this information to US Congress, who has oversight over the CIA, when they're asked to testify re: this new information?
Please see the first link in my previous post.
Nearly every single one of these "Russia did it!" stories cites the Washington Post article[1]. Interestingly, the article itself says:
>a senior U.S. official said there were minor disagreements among intelligence officials about the agency’s assessment, in part because some questions remain unanswered.
and
>For example, intelligence agencies do not have specific intelligence showing officials in the Kremlin “directing” the identified individuals to pass the Democratic emails to WikiLeaks, a second senior U.S. official said.
As mentioned elsewhere, there is zero coverage of the contents of the leaked emails and the blatant corruption that should make people mad. CNN even said it was illegal for anyone other than CNN to look at the Clinton email leaks.
Why is the media so afraid?
The CIA and mainstream news is clearly lying to American people to trigger war.
They seem to have no control over PEOTUS, who is shutting down Military contracts via Twitter -- how can the military industrial complex survive without endless war!?
https://www.washingtonpost.com/world/national-security/obama...
And unsurprisingly, almost everyone who wants to dismiss any thought of retaliation or of even investigating the matter seems to be either a Republican or Trump supporter.
You can view it as not that big of a deal, or unavoidable by the nature of employing biased pundits at a news organization that carries out the debates. Whatever. But it happened.
My larger view is that none of these things were overall that significant of factors to a huge portion of the electorate.
More significant were the economic uncertainties of midwest states who viewed Trump's ideas as appealing... while the Democratic candidate failed to campaign in many of these states (Minnesota (she barely won it), Michigan, Wisconsin, Pennsylvania). Hillary Clinton was a terrible candidate. She almost won, and should have. But I don't think she can blame Russia for her failures.
Not blaming Russia for Hillary's failures, of course, just pointing out that even intelligent people are super confused by the disinformation that happened this year.
She was employed at CNN. If she acted alone, then maybe you can argue it wasn't "the media" but one person. But how was she able to view the questions ahead of time? She was a known Clinton supporter, no?
https://www.washingtonpost.com/lifestyle/style/cnn-drops-don...
"From time to time, I get the questions in advance."
"I'll send a few more."
- Donna Brazile to John Podesta
Wikileaks references:
https://wikileaks.org/podesta-emails/emailid/38478
https://wikileaks.org/podesta-emails/emailid/39807
No, that's part of the problem. She was a mover and shaker behind the scenes but had not formally and publicly declared an allegiance (of course, it was obvious from the way she talked on CNN). She was an ostensibly unaffiliated commentator who had a secret allegiance.
It's an excellent case study of why news agencies and networks should not have paid political operators (hacks) on their payroll and the fact that it went wrong is entirely predictable.
We should have an open government, but it doesn't work properly if only one party's dirty laundry is aired.
While I'm also interested in an open government, I think it's reasonable for both of those groups to expect to operate with some degree of privacy and autonomy.
More details here: http://www.nytimes.com/2016/12/09/us/obama-russia-election-h...
Hopefully something informative comes out of the investigation Obama ordered to be delivered before he leaves office.
So for anyone who wants third party options, start pushing for their states to allow for ranked-choice voting in state wide elections.
As far as I know, that isn't the plan, and retaliation is planned. Do you know otherwise?
People instinctively want a strong, immediate response in kind. From what I understand, that's actually the wrong way to respond. Here are a couple of points to consider, based on reading a lot of experts (I'm not one myself):
* 'The task of international relations is to prevent C level problems from becoming A level problems.' (I forget where I read that.) Escalation rarely is desirable. That doesn't mean that you don't respond, but that you need to respond in a way that doesn't escalate and put your adversary in a political position where they must re-escalate (e.g., because their populations are angry and demand it). That's how wars begin, often despite the intentions of leaders. Threading that needle is difficult, but that's what the situation demands. For example, after some bad behavior by North Korea, the U.S. responded by flying one or two nuclear capable bombers in an exercise over S. Korea; the point was made but not in a way that required re-escalation by the North.
* "the threat of asymmetric punishment - striking wherever, whenever, and with flexible means rather than retaliation-in-kind in a theater of operations chosen by an adversary - can be an effective instrument of deterrence". [0] If you respond immediately and in the same way your opponent attacked you, you are letting them manipulate you and the situation: They decide when, where, and how you act and the battle takes place (assuredly they will chose situations to their advantage).
Based on the above, a good response has to be smartly chosen to effectively send a message but not invite escalation, and should be at a time, place, and manner of your choosing.
----
[0] Toward a New Offset Strategy: Exploiting U.S. Long-term Advantages To Restore U.S. Global Power Projection Capability by Robert Martinage, Center for Strategic and Budgetary Assessments [a leading defense think tank]
http://csbaonline.org/research/publications/toward-a-new-off...
Source?
https://www.google.com/amp/s/amp.theguardian.com/us-news/201...
US has a LOOOOONG history of meddling with other countries with some heavy-handed manner (like sending a carrier group to Brazil in 1964 to ensure a coup, bombing Chile to install Pinochet, attempt to assassinate Castro 60+ times or so, and so on...)
If US even HINTS in considering a minor hack of sorts as an act of war and attacks Russia over it, it could very well spark the entire world to attack US back.
US can be the most powerful country on earth, but I am very sure US vs all the other countries the US meddled with would mean US destruction (and maybe the other countries wouldn't survive it either...)
People shouldn't even joke about going to war over the "election hack", what should be done is fix your own security and redo the elections if the hack was proven.
What's fair is fair.
so we should do it [hack other countries' elections] and then be pissed when it happens to us ?
I'm incredibly tired of hearing false dichotomies here. It is imperative to maintaining a democracy that it not be hindered. We've done a disservice to democracy by tampering in elections, as have the hackers here.
"The World" would not. I don't know what people think they gain by using the term "the world".
Notice how you don't hear too much about "Chinese hackers" anymore? There's all sorts of brinksmanship and politics involved here.
The US have even publicly acknowledged this stuff. In 1982 pirated software (I think IBM mainframe stuff iirc) was modified, stuxnet-style to cause one of the largest non-nuclear explosions of some sort of gas refinery ever. God knows what's been done since then.
Probably didn't happen though. There was definitely a big pipeline explosion at the time, though Reed's fact checking misses the location, and somewhat more importantly, the fact that Russian control systems weren't software-based at the time.
Although it was a fun legend, it probably started as a game of telephone (a/o paranoia).
https://en.wikipedia.org/wiki/At_the_Abyss
https://en.wikipedia.org/wiki/Paranoia_(role-playing_game)
Now, with the internet, we're at the beginning of another such monumental shift in information access. The cynic in me finds it likely that shit gets worse before we, as a species, find a new balance point. I mean, either we learn to live with all varieties of each other in peace (which is what I think you're saying), or we end up blasting ourselves into extinction. No?
I don't think it's really possible without a major change to cognitive capabilities. The human biological system and the resultant communities aren't built to handle truth.
Which is to say, the brain equates beliefs to truths, which is an extremely difficult-to-overcome fallacy. (And, I suspect, therein lies the solution, if there is one.) Paradoxically, of course, life also wouldn't really be all that practical to live out if our brains didn't make such an overly simplistic jump.
So, yea, not really disagreeing with you on the cognitive capabilities part. But I'm also not convinced there's no such belief structure out there that isn't capable of solving this pickle. Implementing and spreading said system of beliefs - if it exists and without starting a bunch of wars in the process, of course - is the harder part.
In fact this construct is the basis for the illusion of the self - so it's inextricably linked to the human experience. The idea of an unbroken consciousness relies on a forward projection of a "future self" that is consistent with past experience. Practically, this construct is incompatible with objective experience because of our limitations for recall and "objective" evaluation of experience.
But I'm also not convinced there's no such belief structure out there that isn't capable of solving this pickle.
I don't think it's a belief structure that is needed - it's deeper than we can manifest so we need something to augment our limited capability.
[edit] On your first point: we can't ever really know The Truth (about any big meta issues)
I think that's true from an epistemic perspective, but I think we can reduce the uncertainty of variability around truth with enough inputs about causal factors in whatever event/issue is being evaluated.
If legal or other changes were made to do what you suggest, most of the juicy stuff would be destroyed... more to cover the asses of the people involved than anything else.
I feel I've been pretty consistent about this as opposed to being partisan; I had a minor spat with Assange over his choices about his approach to editorial framing back when WL was first revealing helicopter footage from Iraq. Wl is a new kind of publishing outlet, but no more neutral or disinterested than the more traditional kind.
Regardless, there is a non-zero chance that the result of unknown secrets being exposed could be anarchy instead of a better-functioning democracy.
Remember this is 2016, not 1916. Revelation and escalation don't lead to a mere slaughter of soldiers, but potentially destruction of civilization as we know it.
Hackers try to breach everyone and everything. Every state does it, criminals do it, researchers do it.
Suggesting Obama start shit without solid evidence that it was the Russian state is reckless.
As if no state actor could possibly be crafty enough to act like they're trying to sell the data to misdirect from their true intentions.
> Suggesting Obama start shit without solid evidence that it was the Russian state is reckless.
You don't have any idea what evidence Obama is privy to.
While I agree with you, I'm also reminded of how all the war triggered by "discoveries of weapons of mass destruction" started. That war only resulted in lots of casualties across the Middle East and of a lot of American soldiers, while Bush and others have got away having to answer to nobody about their lies.
As has been shown, it's a lot easier to hack voters themselves with targeted information, misinformation and outright fantasy. We've also learned something amazing this cycle: a key tactic anyone will replicate in the future:
When you run negative political ads, don't let anyone outside of the laser focused target demo you want to reach see it until it's too late. The "super predator" ads were crazy damaging to HRC in swing states, but even to this day most people haven't seen them. There's no way to respond to political attacks you aren't even aware of.
Heh. We call those elections, and this is nothing new.
In Hillary's case it's even more absurd to claim that they could have known nothing -- many of the voters targeted and flip flopping were union guys and easy to get intel out of. End of the day, the campaign fucked up.
I come from New York, where we had easily manipulatable, gear-driven mechanical machines for decades. (It was pretty trivial to jam them up, and the historical over representation of the number 9 in results validated that) The major parties understood the margin of error and used absentee balloting to cover that risk.
The only solution we have is to depend on systems that are more secure. As far as voting is concerned that means paper ballots.
If in the end we can't secure vital computer systems, well, I remember reading an article about the FSB buying a bunch of electric typewriters to create sensitive documents. It's not because they don't have sendmail figured out.
The article states, "Eventually they discovered that the Russian-speaking hacker..." I'd like to see more than a Russian-speaking hacker before attributing this to the Russian government.
I'll trust the CIA over the FSB/GRU any day of the week.
Perhaps, but that's irrelevant to the issue of attribution at this point.
https://4thgenwar.wordpress.com/2016/07/03/trump-meets-man-w...
We know now that nothing will come of it unless Trump does an about-face come January 21st.
Should we honestly hold the head of state responsible for the actions of its private citizens?
“We don’t think he actually works for any government or is super sophisticated,” Barysevich said.
Trying to get to the bottom of that one where we know who was affected and the IP addresses trace back to another government agency is even more maddening, why won't the Feds cooperate?
And I imagine I am not remotely the first one to realize this.
(Edit) My goodness but this is earning a lot of down votes. How very odd.
The Democrats were unhappy embarrassing information they hid from voters was leaked to voters. They have no one to blame but themselves. If they didn't do the things talked about in the emails, there would be nothing to leak. How many people even viewed the emails, anyways?
I think both: [0] the info in the emails was bad and
[1] not that many people knew about it, or needed the Wikileaks info to not want to vote for Hillary Clinton.
I think she just lost.
This didn't just damage Hillary, although the media you so deprecate made it into just that. The hack also serves to delegitimize Trump. It is also causing Trump to fight with and denounce all the intelligence agencies critical to US functioning. Besides refusing their intelligence, the demoralization effect alone is huge (who will risk their life for a president who calls them a liar?). It has also thrown the whole electoral process into doubt. etc.
And they hacked the RNC too. You can bet that will be used to maximum damage at some point.
It is no doubt the most damaging and successful attack on the US in decades.
But even more shocking is that it is condoned because it furthers certain parties political ends. What happens if both political parties start using acts by hostile nations to help them win elections?
Yes the article doesn't say this (of course the hacker is Russian, which isn't out of the ordinary). But your average person won't read that far or even past the headline and when it gets republished those parts will disappear.
That's my read.
