<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Information Security and Politics in Industry News</title>
    <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40786#M5060</link>
    <description>&lt;P&gt;&lt;SPAN&gt;Thank you for keeping this conversation civil and focused on the ethical implications for cybersecurity professionals (note our Monday keynote at Security Congress will be Bruce Schneier discussing the topic of Public Interest Technologist). &lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;While our community guidelines generally discourage political discussions, we thank you for the respectful exchange so far. We will keep an eye on this discussion, and will not lock or remove it while it remains professional and constructive.&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Fri, 13 Nov 2020 20:58:45 GMT</pubDate>
    <dc:creator>AndreaMoore</dc:creator>
    <dc:date>2020-11-13T20:58:45Z</dc:date>
    <item>
      <title>Information Security and Politics</title>
      <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40769#M5052</link>
      <description>&lt;P&gt;There is a tendency in our industry to remain "professional" by divorcing ourselves from politics. Well, looks like it is becoming more difficult to keep doing that in light of current developments. Today, US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency unequivocally took a stand against disinformation:&amp;nbsp;&lt;A href="https://arstechnica.com/tech-policy/2020/11/report-white-house-pressuring-cisa-to-stop-debunking-election-nonsense/" target="_blank"&gt;https://arstechnica.com/tech-policy/2020/11/report-white-house-pressuring-cisa-to-stop-debunking-election-nonsense/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;"White House officials have asked for content to be edited or removed which pushed back against numerous false claims about the election, including that Democrats are behind a mass election fraud scheme. CISA officials have chosen not to delete accurate information."&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Since we are bound to protect society, I find CISA's decision commendable (they treat disinformation generated by either side equally).&lt;/P&gt;&lt;P&gt;The scope of the Information Systems should probably be expanded to include the information provenance and accuracy before we can talk about preservation of its confidentiality, integrity and availability.&lt;/P&gt;</description>
      <pubDate>Fri, 13 Nov 2020 04:40:23 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40769#M5052</guid>
      <dc:creator>vt100</dc:creator>
      <dc:date>2020-11-13T04:40:23Z</dc:date>
    </item>
    <item>
      <title>Re: Information Security and Politics</title>
      <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40777#M5053</link>
      <description>&lt;P&gt;Can they address the other censoring that is going on too? Can they address the one-sidedness of the American media as well? I think not and think that they should stay out of it or truly address both sides. There is a reason people hide what they do in the darkness.&lt;/P&gt;</description>
      <pubDate>Fri, 13 Nov 2020 13:57:22 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40777#M5053</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2020-11-13T13:57:22Z</dc:date>
    </item>
    <item>
      <title>Re: Information Security and Politics</title>
      <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40778#M5054</link>
      <description>&lt;P&gt;We cannot and should not "divorce" ourselves from politics. Politics requires the participation of technology professionals to inform policy decisions. See&amp;nbsp;&lt;A href="https://public-interest-tech.com/" target="_blank"&gt;https://public-interest-tech.com/&lt;/A&gt;.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Mike Smith&lt;/P&gt;</description>
      <pubDate>Fri, 13 Nov 2020 14:07:44 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40778#M5054</guid>
      <dc:creator>jmikesmith</dc:creator>
      <dc:date>2020-11-13T14:07:44Z</dc:date>
    </item>
    <item>
      <title>Re: Information Security and Politics</title>
      <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40779#M5055</link>
      <description>&lt;P&gt;I know we are supposed to keep politics off of the site so let's look at this scenario from an information security point of view and the parallels to cyber security.&lt;/P&gt;&lt;P&gt;So in information security when we see abnormalities it causes us to be suspicious. When we see numerous instances of any of these things it really rises above the normal expected behavior and any good cyber security professional would become suspicious and support a full investigation. If you were asked to perform a security assessment of a company and you saw all of these things below, what would be your assessment?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If we see a spike in activity that rises above the norms, we suspect wrongdoing. So normal would be, let's say a turnout of 50-60%, but in certain areas it is 90-110%. Yes, some areas above 100%. Nothing suspicious there. There might be a valid reason, like same day registration, but why only in certain areas? Wouldn't we expect this behavior to be normalized? If these spikes only occurred in certain areas where one group had control wouldn't that make it more suspicious? Fox guarding the henhouse paradigm?&lt;/P&gt;&lt;P&gt;If we see people minimizing down their computer screens when security walks in, we suspect wrongdoing. Why would you be nervous when security walks into the room? Or why would you prevent someone from watching your activities?&lt;/P&gt;&lt;P&gt;If we see people closing doors and hiding their activities, we suspect wrongdoing. Again, what could you be hiding?&lt;/P&gt;&lt;P&gt;If we see a group of employees going out of their legal authority to help one group, but not another group, we would be suspicious and suspect wrongdoing.&lt;/P&gt;&lt;P&gt;If we see people trying very hard to make it harder for monitors/auditors to perform their job, we suspect wrongdoing. Why would you purposely prejudice the work of the auditors or monitors? 
What could you be hiding?&lt;/P&gt;&lt;P&gt;When you do not require 100% user identification and it is very easy for people to pretend to be other people and succeed at impersonating that user, you would be suspicious and suspect wrongdoing.&lt;/P&gt;&lt;P&gt;If we see a process that is easily manipulated and is hard to be verified afterwards, we suspect potential for wrongdoing. No upfront verification of people being sent ballots, multiple ballots received at the same address, dead people receiving ballots, or worse than that, dead people REQUESTING ballots?&lt;/P&gt;&lt;P&gt;If we see machines that have been rejected by one entity for insecure cyber security configuration THREE times, but then are used by others, we suspect the potential for wrongdoing.&lt;/P&gt;&lt;P&gt;If we know that a process can be manipulated so that verification of fraud can be almost impossible to detect, after a certain event takes place like separating the mailing envelope with the postmark on it, signature required for verification, etc., AND you have that event happening while the auditors/monitors are being excluded, you would become suspicious and suspect wrongdoing is going on. Oh, AND once the unverified for legality votes are mixed in with the "legal" votes it becomes almost impossible to desegregate them later, you understand why an insider threat might want to delay/obstruct monitoring/auditing for a certain amount of time.&lt;/P&gt;&lt;P&gt;When you have a process that allows for anyone to go around and gather votes and potentially change them before submitting them in certain areas, you have a process that is ripe for fraud and abuse. 
You would have a right to be suspicious.&lt;/P&gt;&lt;P&gt;When you have auditors/monitors being told to go home as no more counting would be happening that night, and after they leave, counting resumes, you would be suspicious and suspect wrongdoing.&lt;/P&gt;&lt;P&gt;Then when you have a Public Relations campaign using absolute words like "Widespread" in order to minimize the suspicious behavior and try to say that &lt;U&gt;&lt;STRONG&gt;no&lt;/STRONG&gt; &lt;/U&gt;improper behavior is happening because it is not widespread; you become suspicious and suspect wrongdoing.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If these events were happening during a cybersecurity assessment you would write a very bad report on the company involved, wouldn't you? You would write up failures in policy, in oversight, in auditing, and management. You would start investigations, possibly criminal in nature, on employees. You would recommend such policy changes as address verification before sending out ballots, death notice updates to voter rolls, voter removal for address changes, preventing ballot harvesting, and require 100% identification verification. You would suggest auditing and monitoring changes be made so that auditors/monitors could not be excluded from their oversight responsibilities. You would require that no counting be done without monitors present. You would not allow mysterious shipments of ballots to arrive during the night. You would have secure methods for transporting the ballots and not just have them showing up in boxes, bags, etc. You would even suggest the termination of several of the officials involved for impartial treatment. 
You would recommend that the company come up with national standards that affected all of their corporate locations to eliminate corruption in a few places, even if the corruption was not "widespread".&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It amazes me to see how people can change their view on legality or morality to fit their narrative when they want to win. It gives credence to the adage "Power has the ability to corrupt." It is also amazing to see how certain people in high positions can get away with what would put you and me in jail.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I remember my first encounter with voting fraud was in high school. They had passed out ballots to vote for homecoming King and Queen.&amp;nbsp; A few of the popular kids went around and collected the ballots. On the way to class I saw them in a side hallway erasing votes and checking who they wanted to be King and Queen. And it turned out just how they wanted.&lt;/P&gt;</description>
      <pubDate>Fri, 13 Nov 2020 15:34:27 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40779#M5055</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2020-11-13T15:34:27Z</dc:date>
    </item>
    <item>
      <title>Re: Information Security and Politics</title>
      <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40780#M5056</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/416071361"&gt;@vt100&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;There is a tendency in our industry to remain "professional" by divorcing ourselves from politics.&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;I always found this silly. You can remain professional and still have an opinion on a particular side. The professional part comes into play when trying to see from their perspective and agreeing to disagree if need be. Politics is ingrained into our everyday lives, whether it's office politics or professional. But if people want to waste their time and effort to avoid it, go right ahead.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;Today, US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency unequivocally took a stand against disinformation&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Personally, I think it should be a civic responsibility for everyone to fight against disinformation. I'm glad CISA decided to do this. I'd expect them to do the same thing if a foreign country was the source of the disinformation as well.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 13 Nov 2020 16:09:37 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40780#M5056</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-11-13T16:09:37Z</dc:date>
    </item>
    <item>
      <title>Re: Information Security and Politics</title>
      <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40782#M5057</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt;&amp;nbsp;There is no question in my mind that we can do with some serious improvements in the voting process, specifically, by implementing country-wide practices and controls.&lt;/P&gt;&lt;P&gt;That being said, I am not a fan of unsubstantiated allegations by either party. If there is proof, I want to see it documented, presented to the courts unsealed, and be able to monitor the proceedings.&lt;/P&gt;&lt;P&gt;In terms of media, I have never seen such a horrible job being perpetrated (not an accidental choice of a word), as it was during the last 8 years. There is no longer news, just opinions with snippets of the information advancing each side's agenda.&lt;/P&gt;&lt;P&gt;Up until recently, I could at least trust WSJ to be unbiased, but the opinions they are lately running are decidedly swinging further from the center.&lt;/P&gt;&lt;P&gt;I am not taking a stab at any one party in particular, but with the birth of unmonitored echo chambers like Parler, we are in danger of exponential proliferation of misinformation. What this will result in is implementation of a China-like draconian clamp-down on communications unless we are willing to let these platforms that, whatever stripes they are, be easily subjected to manipulation by foreign adversaries. Whatever faults Twitter and FB have, at least they have means of countering these threats, even if they have done an awful job of it in the past.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 13 Nov 2020 18:47:54 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40782#M5057</guid>
      <dc:creator>vt100</dc:creator>
      <dc:date>2020-11-13T18:47:54Z</dc:date>
    </item>
    <item>
      <title>Re: Information Security and Politics</title>
      <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40783#M5058</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt;&amp;nbsp;Respectfully, I disagree with that logic: It is akin to saying that unless you know everything that is false, you should not flag anything you know for a fact to be false. We all are now living with the unintended consequences of the 1st Amendment that are being misused and abused by the media and social platforms. Unless there are consequences for generation and proliferation of either false or incomplete information, there is no stopping the catastrophic consequences of those actions.&lt;/P&gt;&lt;P&gt;The only way I see that happening is if we stop the real-time social media postings altogether (until verification and clarification are done by moderators) and if the conventional media channels are to be held liable for any incomplete or false data they are disseminating. Barring that we'll reap chaos.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 13 Nov 2020 17:55:53 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40783#M5058</guid>
      <dc:creator>vt100</dc:creator>
      <dc:date>2020-11-13T17:55:53Z</dc:date>
    </item>
    <item>
      <title>Re: Information Security and Politics</title>
      <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40786#M5060</link>
      <description>&lt;P&gt;&lt;SPAN&gt;Thank you for keeping this conversation civil and focused on the ethical implications for cybersecurity professionals (note our Monday keynote at Security Congress will be Bruce Schneier discussing the topic of Public Interest Technologist). &lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;While our community guidelines generally discourage political discussions, we thank you for the respectful exchange so far. We will keep an eye on this discussion, and will not lock or remove it while it remains professional and constructive.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 13 Nov 2020 20:58:45 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40786#M5060</guid>
      <dc:creator>AndreaMoore</dc:creator>
      <dc:date>2020-11-13T20:58:45Z</dc:date>
    </item>
    <item>
      <title>Re: Information Security and Politics</title>
      <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40787#M5061</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1086253963"&gt;@AndreaMoore&lt;/a&gt;&amp;nbsp;Thank you, Andrea. I am looking forward to the input of the community focused on our responsibilities in these unprecedented times and under current and future circumstances. We tend to focus on cybersecurity vs. information security, but to recognize the difference is to remain relevant. Otherwise, the technical analogy of our efforts is the functionality of IPS without HTTPS/TLS inspection and OCSP.&lt;/P&gt;</description>
      <pubDate>Fri, 13 Nov 2020 23:51:30 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40787#M5061</guid>
      <dc:creator>vt100</dc:creator>
      <dc:date>2020-11-13T23:51:30Z</dc:date>
    </item>
    <item>
      <title>Re: Information Security and Politics</title>
      <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40824#M5067</link>
      <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/416071361"&gt;@vt100&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt;&amp;nbsp;There is no question in my mind that we can do with some serious improvements in the voting process, specifically, by implementing country-wide practices and controls.&lt;/P&gt;&lt;P&gt;That being said, I am not a fan of unsubstantiated allegations by either party. If there is proof, I want to see it documented, presented to the courts unsealed, and be able to monitor the proceedings.&lt;/P&gt;&lt;P&gt;In terms of media, I have never seen such a horrible job being perpetrated (not an accidental choice of a word), as it was during the last 8 years. There is no longer news, just opinions with snippets of the information advancing each side's agenda.&lt;/P&gt;&lt;P&gt;Up until recently, I could at least trust WSJ to be unbiased, but the opinions they are lately running are decidedly swinging further from the center.&lt;/P&gt;&lt;P&gt;I am not taking a stab at any one party in particular, but with the birth of unmonitored echo chambers like Parler, we are in danger of exponential proliferation of misinformation. What this will result in is implementation of a China-like draconian clamp-down on communications unless we are willing to let these platforms that, whatever stripes they are, be easily subjected to manipulation by foreign adversaries. Whatever faults Twitter and FB have, at least they have means of countering these threats, even if they have done an awful job of it in the past.&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/416071361"&gt;@vt100&lt;/a&gt;&amp;nbsp;And I will respectfully disagree with you on your views of Parler and FB/Twitter. 
I am going to disagree with you and try to use my logic but will not attack you personally. There is a huge bias campaign going on and in the US, 6 companies control 90% of the media and there is HUGE groupthink going on. Even the so-called "fact checkers" are biased. I am surprised anyone would be against free speech and Parler. So what if people spread misinformation on it? I see tons of misinformation on FB/Twitter that goes unchallenged because it either doesn't directly go against its narrative or it increases traffic that it can use to claim their awesomeness in size. Lots of fake accounts using clever misspellings to link to malware sites that Twitter/FB can't seem to or just won't clean up. Tons of scams that FB/Twitter let spread rampantly, but if someone even speaks about voting issues, whether for or against, they get slapped with one-sided "fact checking".&amp;nbsp; I even got put into Twitter jail for 3 days just for liking some posts that I agreed with that were against the WHO current opinion at the time (back in February 2020). I DIDN'T post anything, I was just liking posts that shared my same sentiments. None of the posts I liked expressed any hate or things you would expect that violate "community standards". Wouldn't journalistic integrity WANT to know how many people were feeling the same way about an issue so if there was enough interest they could actually investigate instead of being fed talking points of conformity?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So, I also recognize that FB/Twitter own their platforms and can censor/"inform"/misinform who and what they like. They have that right, but don't tell me that if folks get tired of being censored and wish to move to another platform that they are not being censored on, that they don't have that right and label it an "echo chamber". That is dishonest if someone truly believes in free speech. 
You say moving to Parler will force us into a China-like draconian lockdown by moving to an uncontrolled platform, so people just shouldn't move on from FB/Twitter and just accept the censorship we have, rather than being forced into censorship later. Wouldn't this be the same thing as a China-style draconian lockdown?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Isn't free speech supposed to allow people to speak freely? Look, every society has its share of idiots and "wackos". Having studied psychology I also know that there are people with serious mental health issues (and I wish we could remove the stigma of going to mental health professionals as being weak or crazy). We should monitor and take appropriate action if they go too far with their thoughts and they start advocating violence. Having worked for a US major law enforcement agency I have seen the "tin foil brigade" and conspiracy people as well. But don't they have a right to have their views? Now I am not saying their views may be 100% right and even wrong people are entitled to their views, but to force them to be shut down because they do not agree with your views (or whoever is the thought police at the moment) is wrong. If we force people to hide their views or not report activity that is harmful to others for fear of being either not believed or labeled as wackos, then we risk losing the &lt;STRONG&gt;ability to audit ourselves as human beings.&lt;/STRONG&gt; I have seen plenty of stuff that goes unpunished because someone had money, fame, knew how to play the system against itself or were in control of the system of justice. If their behavior is allowed to be hidden because information is controlled then again we lose the ability for justice.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am against white supremacy and other hate groups as I see their views as hate filled and wrong. 
And really, if they would go for some psychological help they could resolve the issues that are causing them to be filled with hate, but I digress. But I still allow them to have them, I just counter them with logic. When they turn violent or suggest violence then I feel law enforcement should monitor them and step in and break them up/prosecute them as needed. Again I would like to see them forced to go seek mental counseling to see if they can understand the reason why they are filled with hate or have a need to belong to a group filled with other like-minded individuals. And I am not talking about a Clockwork Orange style forced re-education style program.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It is amazing to see how one rather large group of people is upset about the rapid emergence of Parler and their constant barrage of how it is "dangerous"&amp;nbsp; to allow people to congregate and share ideas in an app/platform that is not controlled by the 6 companies that currently dominate the information market. That to me seems like a draconian style of control.&lt;/P&gt;</description>
      <pubDate>Mon, 16 Nov 2020 15:10:12 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40824#M5067</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2020-11-16T15:10:12Z</dc:date>
    </item>
    <item>
      <title>Re: Information Security and Politics</title>
      <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40828#M5068</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/416071361"&gt;@vt100&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt;&amp;nbsp;Respectfully, I disagree with that logic: It is akin to saying that unless you know everything that is false, you should not flag anything you know for a fact to be false. We all are now living with the unintended consequences of the 1st Amendment that are being misused and abused by the media and social platforms. Unless there are consequences for generation and proliferation of either false or incomplete information, there is no stopping the catastrophic consequences of those actions.&lt;/P&gt;&lt;P&gt;The only way I see that happening is if we stop the real-time social media postings altogether (until verification and clarification are done by moderators) and if the conventional media channels are to be held liable for any incomplete or false data they are disseminating. Barring that we'll reap chaos.&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/416071361"&gt;@vt100&lt;/a&gt;&amp;nbsp;Where did I say that unless you know everything that is false, you should not flag anything you know for a fact to be false? I try to stay away from absolute words. In a court that can get your case killed quicker than anything else because all they have to do is prove one instance where it doesn't line up and your argument is done. I do know that the system in question failed 3 cybersecurity audits in one state. I also have heard that the system in question sends the data outside the US to be "tabulated" and then sent back into the US. How hard is it to add up votes in the country they originated in? I know we live in a cloud world but this is simple 2+2=4 stuff. 
As someone who has been trained to investigate fraud I see lots of policy/procedural failures in the systems I mentioned above. I don't have to know everything before I make a statement that I think an investigation should be started. If that were the case, no court cases could ever go to trial. You will never know everything. Just like in cyber security investigations, you gather enough evidence to make a case, make sure your evidence is the best it can be, and present your case in the best manner and live with the results. In this case one side is trying hard to say since there is no &lt;STRONG&gt;widespread&lt;/STRONG&gt; evidence, we shouldn't look for any evidence since it is not widespread. Hint: using absolute words to indicate since it isn't everywhere, it isn't anywhere, is a bad logical argument. It is also usually used by people trying to hide something. That would be akin to saying well since we only have 3 people looking at child pornography in this company of 10,000, there is no &lt;STRONG&gt;widespread&lt;/STRONG&gt; child pornography viewing so we should not keep investigating the 3 people we currently have under investigation. We don't have widespread bank robberies in the US so are they saying we don't have any bank robberies in the US? I can easily prove that false.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Like in cybersecurity investigations, there are red flags or triggers that would put people on my radar. I would average about 20-30 people a month on the watch list. Once they triggered a flag or trip wire, they were monitored to see if this was a one-off incident, persistent misuse, or borderline activity. Sometimes other people would ask us to investigate someone. 
We made sure they went through the appropriate channels, i.e. HR and legal, before we started an investigation to ensure that it wasn't being done out of retaliation or other suspicious motivation.&amp;nbsp; If it was more than a one-off incident and was borderline activity we usually give a warning to the user to stop the suspicious activity. If it was a hard rule break, certain automatic investigation starter activities, or continued after the warning (and yes we had a few of those) then we started an investigation. We gathered our evidence, presented our case and went to trial. I have been lucky that my evidence has been successful enough for each trial and I/we got the result we wanted. However, there were plenty of times I started an investigation and never went to trial because either the evidence didn't match the accusation or there just wasn't enough evidence to support the investigation trigger, &lt;STRONG&gt;but we still investigated!&lt;/STRONG&gt;&amp;nbsp;It doesn't mean I/we didn't investigate the claims because it wasn't widespread enough. Yes, we even had false accusations that we had to investigate and disprove. When we did this we informed the accuser to please make sure they had good reasons to suspect misuse/abuse and to ensure that they were treating all of their staff with the same investigative eye. Here we did use an absolute word of all to ensure fairness for all. In this case fairness is something that should be afforded to all people, not just a selective few. Usually the people most afraid of the investigatory eye are the ones who had something to hide or lose. 
Also another way to lose in court is to have someone be targeted and treated despairingly in relations to other employees in the same unit.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In the situation I laid out above in my previous post, I see enough red flags, procedural/policy issues, and other anomalous behavior to believe that a full investigation is warranted until the time that either the evidence does not bear out to continue the investigation or it is found to be of good evidentiary standards. If there are truly no widespread violations, the people being investigated should not have a problem being inspected. If any of the violations/accusations turn out to be true, even if not widespread (and who gets to determine the threshold for widespread?????) then action should be taken to remedy the found violations. However, it may be found that when you start looking for one thing you find others. Yes, I/we had some investigations that were started because of something we found while investigating something else. Also, how do you know it is not widespread if you haven't looked to see if it is happening at all? In order for it to be widespread you have to find the first case, then the next, and the next and start to see a pattern in order for it to be widespread, but you will never know until you investigate.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My question to you is "Why are they so afraid of any investigations if they are so sure that there is no widespread fraud?"&lt;/P&gt;</description>
      <pubDate>Mon, 16 Nov 2020 15:51:38 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40828#M5068</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2020-11-16T15:51:38Z</dc:date>
    </item>
    <item>
      <title>Re: Information Security and Politics</title>
      <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40888#M5071</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt; I am not sure if my concerns were accurately voiced or if they were misinterpreted. When you state that "&amp;nbsp;You say moving to Parler will force us into a China-like draconian lockdown by moving to an uncontrolled platform, so people just shouldn't move on from FB/Twitter and just accept the censorship we have, rather than being forced into censorship later. Wouldn't this be the same thing as a China-style draconian lockdown?"&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You are absolutely correct. This is a Chicken and Egg problem that different societies attempt to address in different fashion. We, in the US, attempt to advocate free speech and subsequent "Fact Checking."&lt;/P&gt;&lt;P&gt;China attempts to filter the information at egress and by channeling it into tightly controlled distribution platforms.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So either suppress (mis)information and forego free speech or have free speech and be flooded with it until it is indistinguishable from noise.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We may argue that our way of dealing with it is better in principle, but not in fact: i.e. 
we cannot presume that the new communication platforms popping up due to dissatisfaction with FB/Twitter will become self-balancing entities, equally representing views of the population.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In all likelihood, the extreme opinions on either/all sides will find the outlet that reflects their worldview better and will only occasionally venture into forays on other platforms.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This, in turn, will amplify an imbalance of information and opinions until no common ground could be reached and no place for constructive dialogue remains.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Unless we have a common TRUSTED source of information that is beyond reproach and completely stripped of political opinions, we are lost in the fog. But there is no money in it and thus it is unlikely to happen.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Unbiased reporting also necessitates research and verification, which take time and thus cannot be the first to publish, making it even less attractive for financing as well as from consumption point of view. Imagine that you have real-time sources with 90% accuracy vs. delayed sources with 99% accuracy.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If I came across as a proponent of the FB/Twitter, it is only from the perspective of their technical capabilities of stopping misinformation, incitements to violence or digital abuse, not from their execution. I personally loathe the way they are handling it and am no longer an active user of either platform.&lt;/P&gt;</description>
      <pubDate>Tue, 17 Nov 2020 20:20:41 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40888#M5071</guid>
      <dc:creator>vt100</dc:creator>
      <dc:date>2020-11-17T20:20:41Z</dc:date>
    </item>
    <item>
      <title>Re: Information Security and Politics</title>
      <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40902#M5072</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/416071361"&gt;@vt100&lt;/a&gt;&amp;nbsp;In the hearing yesterday Jack Dorsey of Twitter admitted that he is not an expert on voter fraud but yet he allows his organization to "fact check" voter fraud. Is that really what we want? Someone who is not an expert pretending to be just because they have the power to do so? One of the easiest ways to get a case thrown out, cause doubt in the testimony, or win in a jury trial is to prove that the person making the accusation is not an expert. Then the defense can spend all day attacking the so-called "expert" instead of the actual accusation. He even admitted that their "fact checkers" got it wrong when they censored an American Newspaper from tweeting their own story. But the damage was already done. A true story was suppressed. You want to trust that? They were, and still are, acting as a partisan censor. I don't trust that.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Have you seen the video clip of Nancy Pelosi talking about how to run an effective smear campaign? She admits that you make something up, have a newspaper or other media outlet "publish" it, then you go on the media outlets and say "See it was published so it must have some validity to it!". Then, even if the original publisher retracts or corrects the story, the damage has already been done. Then you can continue to make the claim as valid. I know that you will say that this logic supports your argument; however right now FB/Twitter/TikTok are already doing this in a one-sided manner to help a particular section of government that they agree with. And you say that you trust them but not Parler/other media outlets.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I don't trust Twitter or Facebook. I don't trust Parler. I see them for what they are. Do you trust TikTok? 
They delete content, ban users and other things if a user posts pictures or videos that have a gun in them. Not even pointing it at anyone, just present in them. Why would they do that? A Chinese company doesn't want their people to see Americans having guns. It might give the appearance of freedom, which is something they despise and control.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I want to commend you,&amp;nbsp;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/416071361"&gt;@vt100&lt;/a&gt;&amp;nbsp;for the valid, respectful, and robust dialogue we have had and continue to have. THIS! This, is what free speech is all about. Having two, or more people, engaged in a glorious display of respectful dialogue and presenting points of logic from both sides and letting the readers make their own informed decisions. Or if they are still undecided, to do more research from others having opinions about the same or similar topics. So I am not going to dismiss Parler, or other social media apps that pop up, as echo chambers or dangerous thought areas, until they have been around long enough to have the evidence prove themselves as one. I also will not blindly trust the controllers of FB/Twitter who have admitted they are not experts in the content they are monitoring, are prone to mistakes, and do not have a stellar track record of consistency of keeping their products free of misinformation.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Perhaps it is my history of experience with criminals and their psychological needs for control that drive them to take advantage of situations and manipulate "facts" to fit their narrative, that cause me to be cynical and distrustful of people in power. Perhaps it is my knowledge that those who control information can control what is purveyed as "truth". 
Perhaps I have seen what censorship and book burning leads to, what demonizing one group leads to, what cancel culture is currently doing and has done in the past, and what danger lies in allowing just one or two parties to "control" and "fact check" what is being said. So I say, let Parler and others grow, and be yet another beacon of free speech. To not be shut down before people have had their opinions, whether right or wrong, have had the chance to at least speak them in support of free speech. Which at the end of the day, I think, is something we both can agree on.&lt;/P&gt;</description>
      <pubDate>Wed, 18 Nov 2020 13:23:36 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40902#M5072</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2020-11-18T13:23:36Z</dc:date>
    </item>
    <item>
      <title>Re: Information Security and Politics</title>
      <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40912#M5073</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/416071361"&gt;@vt100&lt;/a&gt;&amp;nbsp;In the hearing yesterday Jack Dorsey of Twitter admitted that he is not an expert on voter fraud but yet he allows his organization to "fact check" voter fraud. Is that really what we want?&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Can you clarify this statement? If taking this at face value, I read it as Twitter not allowed to fact check Tweets that Jack is not an expert in. I'd expect him to be an expert in business acumen with his current role and for him to hire experts in researching information across different mediums for his fact checkers. I'm not defending him for his lack of knowledge or how his hearing went, just curious on your opinion.&lt;/P&gt;</description>
      <pubDate>Wed, 18 Nov 2020 18:00:14 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40912#M5073</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-11-18T18:00:14Z</dc:date>
    </item>
    <item>
      <title>Re: Information Security and Politics</title>
      <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40918#M5074</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt; Thank you for the acknowledgement of my efforts to have a constructive dialog. I am a firm believer in intelligent discourse resulting in solutions acceptable to all participants.&lt;/P&gt;&lt;P&gt;&amp;nbsp;No doubt, our personal experiences are influencing our biases and that's perfectly normal and as it should be.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What I am seeing we are both in agreement of, is that we distrust the communication channels and are forced to form opinions on either false or partial information.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You are probably familiar with the saying "Data is new oil." I would expand on that with "Accurate data is new gold."&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We got used to it being served refined for our consumption for many years. Looks like we are now forced to individually mine our own.&lt;/P&gt;</description>
      <pubDate>Wed, 18 Nov 2020 22:22:06 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/40918#M5074</guid>
      <dc:creator>vt100</dc:creator>
      <dc:date>2020-11-18T22:22:06Z</dc:date>
    </item>
    <item>
      <title>Re: Information Security and Politics</title>
      <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/41020#M5081</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/690706113"&gt;@tmekelburg1&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/416071361"&gt;@vt100&lt;/a&gt;&amp;nbsp;In the hearing yesterday Jack Dorsey of Twitter admitted that he is not an expert on voter fraud but yet he allows his organization to "fact check" voter fraud. Is that really what we want?&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Can you clarify this statement? If taking this at face value, I read it as Twitter not allowed to fact check Tweets that Jack is not an expert in. I'd expect him to be an expert in business acumen with his current role and for him to hire experts in researching information across different mediums for his fact checkers. I'm not defending him for his lack of knowledge or how his hearing went, just curious on your opinion.&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;I agree with you. I would expect the leader to hire the best people to handle parts that they do not know. The problem I have is with one sided "fact-checking". As evidence of this I have seen multiple posts by several individuals that had NOTHING TO DO WITH VOTING, slapped with a "There is no voter fraud" or "US elections are and always have been, fair and legal." type warnings. This tells me that the platform is less inclined to be unbiased and just wants to tag every comment from certain individuals with the narrative they want to push. I want it to be clear what happened. If there is fraud, then expose and fix the system. If it is fairly investigated, and no fraud is found, then I can and will accept the results. I also want fair and open free speech. That is my problem with what is going on. 
I wish the social media platforms spent as much time fixing the spam and fake account problems as they have done with this "fact-checking" they have been doing.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As an information security professional I want to see honest fact checking. I want to see honest procedures. I want to have the cyber security problems identified this cycle taken care of and fixed so that we don't have to go through this again. I want the vulnerabilities identified, remediated, and secured for the future. That should be the big thing that we are all upset about. That there are problems that are not being fixed. There are auditing items that need to be resolved to ensure auditability. There are broken procedural processes. This could be a good use of bit chain technology. Let me explain just one of the process failures. I will do this without getting into one side or the other, let's just look at the process and let me know if you, as an information security professional, would be good with this process at your place of employment.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We currently have a problem with absentee ballots. Absentee ballots were designed to be used if you could not make it to a voting place on election day. You are supposed to request it, and then be sent it. This year, these were sent out in a large batch by the millions, unrequested. Some people received ballots for people no longer living at that address. Some people received ballots for dead people who had died, but whose names were still on the voter registration rolls. Some people received ballots for their PETS! Yes, somehow the senders of these unrequested ballots had gotten hold of mailing lists where people had registered their pets instead of themselves to avoid receiving junk mail. Some people received ballots and went and voted in person as well. Some places have a process to prevent this, but some places do not. 
Some people went in to vote in person, but were told that they had already voted through an absentee ballot, even though they never submitted one (so someone else voted for them).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;A hacker would look for fraud points or places where fraud could be inserted so they can insert their will.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So, one problem. Voter rolls not updated or verified (Fraud Point 1). This becomes magnified when the process becomes abused. There is supposed to be a signature match from the signature on the ballot against the voter registration card that was submitted when the person registered to vote. Some places did this and some did not (Fraud Point 2). Some relied on AI and machine matching but then set the threshold for mismatch to a low threshold as to minimize the rejection ratios (Fraud Point 3). Some voting places have voter identification and some do not (Fraud Point 4). So anyone could walk in off the street, claim a name and address, and get to vote, unverified. Can you start to see the problems with the current process? Would you allow a person to log on to your network if their password was only 40% correct? Some people are fortunate enough to own properties in several states and can therefore, although illegal, register to vote in multiple states. There is no state to state verification of voter registrations so this part of the process can be manipulated (Fraud Point 5). In some states ballot harvesting is allowed. Ballot harvesting is where one individual can go around and collect these absentee ballots and "assist" the person in filling them out (Fraud Point 6), watch the person fill them out (thus knowing who the person voted for and possibly spoil or destroy the ballot) (Fraud Point 7), or just gather them up that have not been filled out yet (and potentially fill them out for their chosen candidates) (Fraud Point 8). 
Then, in some states absentee ballots have to be received by election day. Some can arrive up to 12 days AFTER election day (Fraud Point 9). The date the ballot is received by the post office is supposed to be stamped on the outer envelope. However, this can be done by machine OR by hand. It is possible for someone to backdate the date received (Fraud Point 10). The ballot is supposed to be sealed in a security envelope and then placed in the outside mailer. The outside mailer is what is date stamped. When the outside mailer is opened and the inside "security" envelope is removed, they are not linked (Fraud Point 11). Separating them at this point removes when the ballot was received. Then the "security" envelope is opened and the ballot removed (Fraud Point 12). The person opening the envelope stamps that the ballot was received in time and is therefore valid, or they can reject it, AFTER seeing who the ballot was cast for (Fraud Point 13). If it has not been filled out they can alter the ballot (Fraud Point 14). They are also supposed to perform a signature verification at this point and make sure that all of the required info has been filled out, by the submitter, not the envelope opener (Fraud Point 15). Then the ballot is forever separated from both envelopes (Fraud Point 16). So it is impossible to separate this ballot from another ballot if audited. If this ballot was illegal, it would be impossible to invalidate it once mixed in with legal votes. There are voter watchers that are allowed various degrees of success to view this process and challenge any perceived errors. It is not applied universally across states so in some places these observers were close enough to see if the ballot was potentially invalid, in other places they were over 100 feet away and told to use binoculars to view the action. 
Even if they saw an impropriety they would not be able to alert an official to remedy it before the ballot was mixed in with the legal pile (Fraud Point 17). Some observers were asked to leave (Fraud Point 18). Some absentee ballots arrived in an unsecure manner (in boxes, in bags, in large groups, etc.) (Fraud Point 19). Some ballots had only a mark for one candidate, and while technically possible, it is highly unlikely. So you can see, there are multiple places for fraud to exist and be inserted into the system.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As INFOSEC professionals we look for hackers who attempt to break in or break the process. One of the easiest hacks is to attack the weak points in the system. So if you came across a business where&lt;/P&gt;&lt;P&gt;1) user authentication was flawed in multiple places (no ID match, only required 20-40% password match, login location not restricted, some locations had stronger or weaker protections than others, the login servers (or IT staff) could use their own biases to allow or deny access, in some cases the password doesn't matter and isn't even checked and just is accepted)&lt;/P&gt;&lt;P&gt;2) user accounts could be manipulated (intercepted like MITM, deleted, reviving old accounts, etc.)&lt;/P&gt;&lt;P&gt;3) user activity was not monitored centrally (could log in multiple times from multiple locations, one person or group could control multiple user accounts and the activity of those accounts)&lt;/P&gt;&lt;P&gt;4) user accounts were not maintained or even checked for existence (ex-employees could still log in, accounts who were not even legal employees of the company or didn't exist could log in)&lt;/P&gt;&lt;P&gt;5) user activity could be destroyed or spoiled&lt;/P&gt;&lt;P&gt;6) The audit process was severely flawed and varied from location to location. No centralized standards for auditing. Auditors were not allowed to watch the key places where fraud COULD be detected. 
Actions were taken to actively obstruct auditors. Irregularities were observed. Auditors were sent home after being told the activity was being stopped, but then the activity continued in secret, out of the eyes of the auditors.&lt;/P&gt;&lt;P&gt;7) The security around delivery of user activity is non-existent in several places, user activity is found on thumb drives, CDs, DVDs, floppy disks, hard copy, email accounts, network storage, etc. and there is no way to verify if this activity is legitimate, duplicated, or fabricated.&lt;/P&gt;&lt;P&gt;8) Anomalous activity was detected that was outside of norms and could not be explained or was even audited to see why it was anomalous.&amp;nbsp;&lt;/P&gt;&lt;P&gt;AND there were at least 19 points where fraud could be inserted in a very key process, would you be comfortable certifying that everything was OK and secure at that company and with that process? Would you say that no fraud existed or was even possible? I think not.....&lt;/P&gt;</description>
      <pubDate>Tue, 24 Nov 2020 14:52:20 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/41020#M5081</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2020-11-24T14:52:20Z</dc:date>
    </item>
    <item>
      <title>Re: Information Security and Politics</title>
      <link>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/41062#M5084</link>
      <description>&lt;P&gt;We're just going to have to wait and see when States conduct their own investigations. I'm sure they'll find some incidents of fraud in each State but not wide sweeping enough to change the results. I'd chalk most of it up to mistakes rather than intentional fraud.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As far as fact checking goes, it's a Tech company located in California. Right leaning posts/articles will always be under more scrutiny when looking for mis/disinformation. I'd expect Parler to do the same for left leaning posts.&amp;nbsp; &amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 25 Nov 2020 17:24:03 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Information-Security-and-Politics/m-p/41062#M5084</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-11-25T17:24:03Z</dc:date>
    </item>
  </channel>
</rss>

