vt100
Community Champion

Information Security and Politics

There is a tendency in our industry to remain "professional" by divorcing ourselves from politics. Well, looks like it is becoming more difficult to keep doing that in light of current developments. Today, US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency unequivocally took a stand against disinformation: https://arstechnica.com/tech-policy/2020/11/report-white-house-pressuring-cisa-to-stop-debunking-ele...

 

"White House officials have asked for content to be edited or removed which pushed back against numerous false claims about the election, including that Democrats are behind a mass election fraud scheme. CISA officials have chosen not to delete accurate information."

 

Since we are bound to protect society, I find CISA's decision commendable (they treat disinformation generated by either side equally).

The scope of the Information Systems should probably be expanded to include the information provenance and accuracy before we can talk about preservation of its confidentiality, integrity and availability.

16 Replies
CISOScott
Community Champion


@vt100 wrote:

@CISOScott Respectfully, I disagree with that logic: It is akin to say that unless you know everything that is false, you should not flag anything you know for a fact to be false. We all are now living with the unintended consequences of the 1st Amendment that are being misused and abused by the media and social platforms. Unless there are consequences for generation and proliferation of either false or incomplete information, there is no stopping the catastrophic consequences of those actions.

The only way I see that happening is if we stop the real-time social media postings altogether (until verification and clarification is done by moderators) and if the conventional media channels are to be held liable for any incomplete or false data they are disseminating. Barring that we'll reap chaos.


@vt100 Where did I say that unless you know everything that is false, you should not flag anything you know for a fact to be false? I try to stay away from absolute words. In a court that can get your case killed quicker than anything else because all they have to do is prove one instance where it doesn't line up and your argument is done. I do know that the system in question failed 3 cybersecurity audits in one state. I also have heard that the system in question sends the data outside the US to be "tabulated" and then sent back into the US. How hard is it to add up votes in the country they originated in? I know we live in a cloud world but this is simple 2+2=4 stuff. As someone who has been trained to investigate fraud I see lots of policy/procedural failures in the systems I mentioned above. I don't have to know everything before I make a statement that I think an investigation should be started. If that were the case, no court cases could ever go to trial. You will never know everything. Just like in cyber security investigations, you gather enough evidence to make a case, make sure your evidence is the best it can be, and present your case in the best manner and live with the results. In this case one side is trying hard to say since there is no widespread evidence, we shouldn't look for any evidence since it is not widespread. Hint: using absolute words to indicate since it isn't everywhere, it isn't anywhere, is a bad logical argument. It is also usually used by people trying to hide something. That would be akin to saying well since we only have 3 people looking at child pornography in this company of 10,000, there is no widespread child pornography viewing so we should not keep investigating the 3 people we currently have under investigation. We don't have widespread bank robberies in the US so are they saying we don't have any bank robberies in the US? I can easily prove that false.

 

Like in cybersecurity investigations, there are red flags or triggers that would put people on my radar. I would average about 20-30 people a month on the watch list. Once they triggered a flag or trip wire, they were monitored to see if this was a one-off incident, persistent misuse, or borderline activity. Sometimes other people would ask us to investigate someone. We made sure they went through the appropriate channels, i.e., HR and legal, before we started an investigation to ensure that it wasn't being done out of retaliation or other suspicious motivation. If it was more than a one-off incident and was borderline activity we usually give a warning to the user to stop the suspicious activity. If it was a hard rule break, certain automatic investigation starter activities, or continued after the warning (and yes we had a few of those) then we started an investigation. We gathered our evidence, presented our case and went to trial. I have been lucky that my evidence has been successful enough for each trial and I/we got the result we wanted. However, there were plenty of times I started an investigation and never went to trial because either the evidence didn't match the accusation or there just wasn't enough evidence to support the investigation trigger, but we still investigated! It doesn't mean I/we didn't investigate the claims because it wasn't widespread enough. Yes, we even had false accusations that we had to investigate and disprove. When we did this we informed the accuser to please make sure they had good reasons to suspect misuse/abuse and to ensure that they were treating all of their staff with the same investigative eye. Here we did use an absolute word of all to ensure fairness for all. In this case fairness is something that should be afforded to all people, not just a selective few. Usually the people most afraid of the investigatory eye are the ones who had something to hide or lose.
Also another way to lose in court is to have someone be targeted and treated despairingly in relations to other employees in the same unit.

 

In the situation I laid out above in my previous post, I see enough red flags, procedural/policy issues, and other anomalous behavior to believe that a full investigation is warranted until the time that either the evidence does not bear out to continue the investigation or it is found to be of good evidentiary standards. If there are truly no widespread violations, the people being investigated should not have a problem being inspected. If any of the violations/accusations turn out to be true, even if not widespread (and who gets to determine the threshold for widespread?????) then action should be taken to remedy the found violations. However, it may be found that when you start looking for one thing you find others. Yes, I/we had some investigations that were started because of something we found while investigating something else. Also, how do you know it is not widespread if you haven't looked to see if it is happening at all? In order for it to be widespread you have to find the first case, then the next, and the next and start to see a pattern in order for it to be widespread, but you will never know until you investigate.

 

My question to you is "Why are they so afraid of any investigations if they are so sure that there is no widespread fraud?"

vt100
Community Champion

@CISOScott I am not sure if my concerns were accurately voiced or if they were misinterpreted. When you state that "You say moving to Parler will force us into a China-like draconian lockdown by moving to an uncontrolled platform, so people just shouldn't move on from FB/Twitter and just accept the censorship we have, rather than being forced into censorship later. Wouldn't this be the same thing as a China-style draconian lockdown?"

 

You are absolutely correct. This is a Chicken and Egg problem that different societies attempt to address in different fashion. We, in US, attempt to advocate free speech and subsequent "Fact Checking."

China attempts to filter the information at egress and by channeling it into tightly controlled distribution platforms.

 

So either suppress (mis)information and forego free speech or have free speech and be flooded with it until it is indistinguishable from noise.

 

We may argue that our way of dealing with it is better in principle, but not in fact: i.e. we cannot presume that the new communication platforms popping-up due to dissatisfaction with FB/Twitter will become self-balancing entities, equally representing views of the population.

 

In all likelihood, the extreme opinions on either/all sides will find the outlet that reflects their worldview better and will only occasionally venture into forays on other platforms.

 

This, in turn, will amplify an imbalance of information and opinions until no common ground could be reached and no place for constructive dialogue remain.

 

Unless we have a common TRUSTED source of information that is beyond reproach and completely stripped of political opinions, we are lost in the fog. But there is no money in it and thus it is unlikely to happen.

 

Unbiased reporting also necessitates research and verification, which take time and thus cannot be the first to publish, making it even less attractive for financing as well as from consumption point of view. Imagine that you have real-time sources with 90% accuracy vs. delayed sources with 99% accuracy.

 

If I came across as a proponent of the FB/Twitter, it is only from perspective of their technical capabilities of stopping misinformation, incitements to violence or digital abuse, not from their execution. I personally loathe the way they are handling it and am no longer an active user of either platform.

CISOScott
Community Champion

@vt100 In the hearing yesterday Jack Dorsey of Twitter admitted that he is not an expert on voter fraud but yet he allows his organization to "fact check" voter fraud. Is that really what we want? Someone who is not an expert pretending to be just because they have the power to do so? One of the easiest ways to get a case thrown out, cause doubt in the testimony, or win in a jury trial is to  prove that the person making the accusation is not an expert. Then the defense can spend all day attacking the so-called "expert" instead of the actual accusation. He even admitted that their "fact checkers" got it wrong when they censored an American Newspaper from tweeting their own story. But the damage was already done. A true story was suppressed. You want to trust that? They were, and still are, acting as a partisan censor. I don't trust that.

 

Have you seen the video clip of Nancy Pelosi talking about how to run an effective smear campaign? She admits that you make something up, have a newspaper or other media outlet "publish" it, then you go on the media outlets and say "See it was published so it must have some validity to it!". Then, even if the original publisher retracts or corrects the story, the damage has already been done. Then you can continue to make the claim as valid. I know that you will say that this logic supports your argument; however right now FB/Twitter/TikTok are already doing this in a one-sided manner to help a particular section of government that they agree with. And you say that you trust them but not Parler/other media outlets.

 

I don't trust Twitter or Facebook. I don't trust Parler. I see them for what they are. Do you trust TikTok? They delete content, ban users and other things if a user posts pictures or videos that have a gun in them. Not even pointing it at anyone, just present in them. Why would they do that? A Chinese company doesn't want their people to see Americans having guns. It might give the appearance of freedom, which is something they despise and control.

 

I want to commend you, @vt100 for the valid, respectful, and robust dialogue we have had and continue to have. THIS! This, is what free speech is all about. Having two, or more people, engaged in a glorious display of respectful dialogue and presenting points of logic from both sides and letting the readers make their own informed decisions. Or if they are still undecided, to do more research from others having opinions about the same or similar topics. So I am not going to dismiss Parler, or other social media apps that pop up, as echo chambers or dangerous thought areas, until they have been around long enough to have the evidence prove themselves as one. I also will not blindly trust the controllers of FB/Twitter who have admitted they are not experts in the content they are monitoring, are prone to mistakes, and do not have a stellar track record of consistency of keeping their products free of misinformation.

 

Perhaps it is my history of experience with criminals and their psychological needs for control that drive them to take advantage of situations and manipulate "facts" to fit their narrative, that cause me to be cynical and distrustful of people in power. Perhaps it is my knowledge that those who control information can control what is purveyed as "truth". Perhaps I have seen what censorship and book burning leads to, what demonizing one group leads to, what cancel culture is currently doing and has done in the past, and what danger lies in allowing just one or two parties to "control" and "fact check" what is being said. So I say, let Parler and others grow, and be yet another beacon of free speech. To not be shut down before people have had their opinions, whether right or wrong, have had the chance to at least speak them in support of free speech. Which at the end of the day, I think, is something we both can agree on.

tmekelburg1
Community Champion


@CISOScott wrote:

@vt100 In the hearing yesterday Jack Dorsey of Twitter admitted that he is not an expert on voter fraud but yet he allows his organization to "fact check" voter fraud. Is that really what we want?


Can you clarify this statement? If taking this at face value, I read it as Twitter not allowed to fact check Tweets that Jack is not an expert in. I'd expect him to be an expert in business acumen with his current role and for him to hire experts in researching information across different mediums for his fact checkers. I'm not defending him for his lack of knowledge or how his hearing went, just curious on your opinion.

vt100
Community Champion

@CISOScott Thank you for the acknowledgement of my efforts to have a constructive dialog. I am a firm believer in intelligent discourse resulting in solutions acceptable to all participants.

No doubt, our personal experiences influence our biases and that's perfectly normal and as it should be.

 

What I am seeing we are both in agreement of, is that we distrust the communication channels and are forced to form opinions on either false or partial information.

 

You are probably familiar with the saying "Data is new oil." I would expand on that with "Accurate data is new gold."

 

We got used to it being served refined for our consumption for many years. Looks like we are now forced to individually mine our own.

CISOScott
Community Champion


@tmekelburg1 wrote:

@CISOScott wrote:

@vt100 In the hearing yesterday Jack Dorsey of Twitter admitted that he is not an expert on voter fraud but yet he allows his organization to "fact check" voter fraud. Is that really what we want?


Can you clarify this statement? If taking this at face value, I read it as Twitter not allowed to fact check Tweets that Jack is not an expert in. I'd expect him to be an expert in business acumen with his current role and for him to hire experts in researching information across different mediums for his fact checkers. I'm not defending him for his lack of knowledge or how his hearing went, just curious on your opinion.


I agree with you. I would expect the leader to hire the best people to handle parts that they do not know. The problem I have is with one sided "fact-checking". As evidence of this I have seen multiple posts by several individuals that had NOTHING TO DO WITH VOTING, slapped with a "There is no voter fraud" or "US elections are and always have been, fair and legal." type warnings. This tells me that the platform is less inclined to be unbiased and just want to tag every comment from certain individuals with the narrative they want to push. I want it to be clear what happened. If there is fraud, then expose and fix the system. If it is fairly investigated, and no fraud is found, then I can and will accept the results. I also want fair and open free speech. That is my problem with what is going on. I wish the social media platforms spent as much time fixing the spam and fake account problems as they have done with this "fact-checking" they have been doing. 

 

As an information security professional I want to see honest fact checking. I want to see honest procedures. I want to have the cyber security problems identified this cycle taken care of and fixed so that we don't have to go through this again. I want the vulnerabilities identified, remediated, and secured for the future. That should be the big thing that we are all upset about. That there are problems that are not being fixed. There are auditing items that need to be resolved to ensure auditability. There are broken procedural processes. This could be a good use of bit chain technology. Let me explain just one of the process failures. I will do this without getting into one side or the other, let's just look at the process and let me know if you, as an information security professional, would be good with this process at your place of employment.

 

We currently have a problem with absentee ballots. Absentee ballots were designed to be used if you could not make it to a voting place on election day. You are supposed to request it, and then be sent it. This year, these were sent out in a large batch by the millions, unrequested. Some people received ballots for people no longer living at that address. Some people received ballots for dead people who had died, but whose names were still on the voter registration rolls. Some people received ballots for their PETS! Yes somehow the senders of these unrequested ballots had gotten hold of mailing lists where people had registered their pets instead of themselves to avoid receiving junk mail. Some people received ballots and went and voted in person as well. Some places have a process to prevent this, but some places do not. Some people went in to vote in person, but were told that they had already voted through an absentee ballot, even though they never submitted one (so someone else voted for them).

 

A hacker would look for fraud points or places where fraud could be inserted so they can insert their will.

 

So one problem. Voter rolls not updated or verified (Fraud Point 1). This becomes magnified when the process becomes abused. There is supposed to be a signature match from the signature on the ballot against the voter registration card that was submitted when the person registered to vote. Some places did this and some did not (Fraud Point 2). Some relied on AI and machine matching but then set the threshold for mismatch to a low threshold as to minimize the rejection ratios (Fraud Point 3). Some voting places have voter identification and some do not (Fraud Point 4). So anyone could walk in off the street, claim a name and address, and get to vote, unverified. Can you start to see the problems with the current process? Would you allow a person to logon to your network if their password was only 40% correct? Some people are fortunate enough to own properties in several states and can therefore, although illegal, register to vote in multiple states. There is no state to state verification of voter registrations so this part of the process can be manipulated (Fraud Point 5). In some states ballot harvesting is allowed. Ballot harvesting is where one individual can go around and collect these absentee ballots and "assist" the person in filling them out (Fraud Point 6), watch the person fill them out (thus knowing who the person voted for and possibly spoil or destroy the ballot) (Fraud Point 7), or just gather them up that have not been filled out yet (and potentially fill them out for their chosen candidates) (Fraud Point 8). Then, in some states absentee ballots have to be received by election day. Some can arrive up to 12 days AFTER election day. (Fraud Point 9) The date the ballot is received by the post office is supposed to be stamped on the outer envelope. However, this can be done by machine OR by hand. It is possible for someone to backdate the date received (Fraud Point 10).
The ballot is supposed to be sealed in a security envelope and then placed in the outside mailer. The outside mailer is what is date stamped. When the outside mailer is opened and the inside "security" envelope is removed, they are not linked (Fraud Point 11). Separating them at this point removes when the ballot was received. Then the "security" envelope is opened and the ballot removed (Fraud Point 12). The person opening the envelope stamps that the ballot was received in time and is therefore valid, or they can reject it, AFTER seeing who the ballot was cast for (Fraud Point 13).  If it has not been filled out they can alter the ballot (Fraud Point 14). They are also supposed to perform a signature verification at this point and make sure that all of the required info has been filled out, by the submitter, not the envelope opener (Fraud Point 15). Then the ballot is forever separated from both envelopes (Fraud Point 16). So it is impossible to separate this ballot from another ballot if audited. If this ballot was illegal, it would be impossible to invalidate it once mixed in with legal votes. There are voter watchers that are allowed various degrees of success to view this process and challenge any perceived errors. It is not applied universally across states so in some places these observers were close enough to see if the ballot was potentially invalid, in other places they were over 100 feet away and told to use binoculars to view the action. Even if they saw an impropriety they would not be able to alert an official to remedy it before the ballot was mixed in with the legal pile (Fraud Point 17). Some observers were asked to leave (Fraud Point 18). Some absentee ballots arrived in an unsecure manner (in boxes, in bags, in large groups, etc. ) (Fraud Point 19). Some ballots had only a mark for one candidate, and while technically possible, it is highly unlikely. So you can see, there are multiple places for fraud to exist and be inserted into the system.

 

As INFOSEC professionals we look for hackers who attempt to break in or break the process. One of the easiest hacks is to attack the weak points in the system. So if you came across a business where

1) user authentication was flawed in multiple places (no ID match, only required 20-40% password match, login location not restricted, some locations had stronger or weaker protections than others, the login servers (or IT staff) could use their own biases to allow or deny access, in some cases the password doesn't matter and isn't even checked and just is accepted)

2) user accounts could be manipulated (intercepted like MITM, deleted, reviving old accounts, etc.)

3) user activity was not monitored centrally (could log in multiple times from multiple locations, one person or group could control multiple user accounts and the activity of those accounts)

4) user accounts were not maintained or even checked for existence (ex-employees could still log in, accounts who were not even legal employees of the company or didn't exist could log in)

5) user activity could be destroyed or spoiled

6) The audit process was severely flawed and varied from location to location. No centralized standards for auditing. Auditors were not allowed to watch the key places where fraud COULD be detected. Actions were taken to actively obstruct auditors. Irregularities were observed. Auditors were sent home after being told the activity was being stopped, but then the activity continued in secret, out of the eyes of the auditors,

7) The security around delivery of user activity is non-existent in several places, user activity is found on thumb drives, CD's, DVD's, floppy disks, hard copy, email accounts, network storage, etc. and there is no way to verify if this activity is legitimate, duplicated, or fabricated.

8) Anomalous activity was detected that was outside of norms and could not be explained or was even audited to see why it was anomalous.

AND there were at least 19 points where fraud could be inserted in a very key process, would you be comfortable certifying that everything was OK and secure at that company and with that process? Would you say that no fraud existed or was even possible? I think not.....

tmekelburg1
Community Champion

We're just going to have to wait and see when States conduct their own investigations. I'm sure they'll find some incidents of fraud in each State but not wide sweeping enough to change the results. I'd chalk most of it up to mistakes rather than intentional fraud.

 

As far as fact checking goes, it's a Tech company located in California. Right leaning posts/articles will always be under more scrutiny when looking for mis/disinformation. I'd expect Parler to do the same for left leaning posts.