brian kemp – Techdirt (original) (raw)
DNC Sues Georgia Governor Over His Bullshit Claims Democrats Hacked The State's Voter Registration System
from the hope-you've-got-a-20-on-you,-Kempster dept
The never-ending amount of election related litigation keeps on coming. The Trump campaign is still heavily invested in lawsuits — a practice it started before the election and it hasn’t scaled back now that its boy has been handed an L.
Georgia remains a hotly contested state, thanks in part to pressure applied by the outbound President and his many minions. It will recount all five million votes, which Trump appears to believe will reverse Biden’s 14,000-vote lead.
Georgia has long been a victim of its Governor, dating back to his days as the Secretary of State. During Brian Kemp’s tenure as an elected official, voting in Georgia has been little more than his political plaything. Issues with the state’s voting tech were ignored in favor of Kemp’s indulgence in wild speculation, culminating with his baseless claims the Democratic National Committee had hacked the state’s voter registration system. A Georgia Bureau of Investigation investigation found no evidence supporting Kemp’s ridiculous assertions.
Now, as Courthouse News reports, the DNC is suing Kemp over his election related bullshit. This isn’t a defamation suit, even though it’s possible to see that claim being raised. Instead, the DNC alleges the then Secretary of State violated federal election laws with his claims of DNC hacking and his decision to air his speculation hours before the polls opened in 2018.
The lawsuit [PDF] opens with this stinging sentence, which highlights one the many problems with allowing Brian Kemp to oversee the 2018 election.
Kemp was also a candidate in the governor’s election that year. He claimed, however, that he could fairly manage an election at the same time as was running in it.
And how did he “manage” it? Like this:
Two days before the election, Kemp worked with others to release a statement on the Secretary of State’s website that said in all capital letters: “AFTER FAILED HACKING ATTEMPT, SOS LAUNCHES INVESTIGATION INTO GEORGIA DEMOCRATIC PARTY.”
The statement further claimed to “confirm that the Democratic Party of Georgia is under investigation for possible cyber crimes,” and noted that the FBI and Department of Homeland Security had been alerted.
The DNC never hacked the voter registration system. Instead, a private citizen reported security flaws in the Secretary of State’s website to a DC election lawyer. This report later made its way to the DNC local branch in Georgia. Eventually, news made its way back to Brian Kemp — via the DNC, FBI, and the DC election lawyer. It was this information Kemp spun into a fantastic tale of DNC hackery.
The lawsuit recounts Brian Kemp’s ineffectual run as Secretary of State, an era marked by multiple reports of serious flaws in the voting system he was supposed to be overseeing. Then, as he was running for a new post, he decided to broadcast unsupported claims about Democratic Party interference in the very election he was interfering with. This included Kemp’s bizarre anger over DHS penetration testing — testing he had apparently asked the DHS to perform.
He converted both of his fantasies into last-minute electioneering for his governor run, sending out emails to supporters claiming he had “intercepted” the Democrats’ “fourth quarter Hail Mary pass” and would be holding these “power-hungry radicals” accountable for their “criminal behavior.”
The lawsuit says many people and entities were informed about security flaws in the voting system, but Kemp chose a single target to attack with baseless claims of criminal behavior.
The DNC accuses Kemp of violating federal law by falsely targeting it with these accusations. It alleges this was done in retaliation for its efforts to unseat Kemp and support its own candidates.
Here, Defendant Kemp has shown a pattern of falsely accusing Democratic administrations and Democratic parties of “hacking.” In 2016, he accused President Obama’s Department of Homeland Security of a “large attack on our system.” Unsatisfied with the DHS explanation for why there was no attack, Defendant Kemp asked the incoming Trump administration to investigate further. Later, he conceded that there had never been any hacking.
[…]
Defendants accused the Democratic Party of Georgia even though the Democratic Party of Georgia’s only involvement was to (1) receive information from Richard Wright on a voter security hotline; (2) forward that information to two experts at Georgia Tech; and (3) inform the Secretary of State’s office.
[…]
Defendants conspired to accuse the Democratic Party of Georgia of cyber crimes without any basis.
[…]
Defendants’ choice to maintain the public statements on the Secretary of State website even after they found out that the Democratic Party of Georgia was not the source of the vulnerability information was and is an ongoing substantial step in furtherance of the conspiracy.
Defendants’ choice not to remove the public statements on the Secretary of State website even after they found out that the supposed “intrusion” was the Department of Homeland Security acting at the request of the Secretary of State was and is an ongoing substantial step in furtherance of the conspiracy.
That’s one potential federal law violation. There’s another one listed in the lawsuit. Section 11(b) of the Voting Rights Act forbids anyone from intimidating voters or coercing votes. The DNC alleges Kemp’s actions and statements were meant to intimidate the DNC and divert its resources towards responding to baseless accusations during the final days of the state election.
The DNC isn’t asking for much. The damage request is limited to $20.00. But it does want an injunction in place requiring the removal of Kemp’s disproven accusations from the state’s Secretary of State website.
This lawsuit is one of what will likely be several postscripts appended to the 2020 elections. Claims of hacking, fraud, and other voting related misconduct have been delivered by a number of Republicans over the past several weeks. But baseless claims of election malfeasance aren’t a recent development.
They’ve been a permanent fixture of the Republican party since Trump took office — urged on by a president who lost the popular vote in 2016 but ended up with the most Electoral College votes. Ever since then, the Republican Party has waged war on the democratic process, having realized allowing the voting process to go unfucked could possibly result in fewer Republicans being elected.
Filed Under: brian kemp, elections, georgia, voting, voting machines
Companies: dnc
Georgia Governor Passes Law Granting Cops Protected Status For 'Bias-Based' Crimes
from the saving-the-protectors-from-the-protected dept
Georgia governor Brian Kemp — last seen here trying to turn his own election security problems into a Democrat-lead conspiracy — has just proven he’s unable to read the room. The governor can’t read the room in his own state, much less the current state of the nation. Less than a month after the killing of George Floyd in Minneapolis triggered nationwide protests against police violence, officers in Atlanta were involved in a controversial killing of a Black man in a fast food restaurant parking lot.
The state of the nation is pretty much the same as it is in Georgia. Now is not the time to be offering police officers even more legal protections, considering how much they’ve abused the ones they already have. Idiotic bills touted by legislators saying stupid things like “blue lives matter” come and go. Mostly they go, since they’re either redundant or unworkable. These laws try to turn a person’s career choice into an immutable characteristic, converting some of the most powerful people in the nation into a class that deserves protection from the public these officers are sworn to serve.
It’s now possible to commit a hate crime against a cop in Georgia, thanks to Kemp and his party-line voters.
Gov. Brian Kemp signed a proposal into law Wednesday that Republicans pushed to grant police new protections despite stiff opposition from critics who said it creates a messy tangle of legal problems. […]
_In a statement, Kemp said he took action because he has attended the funerals of too many law enforcement officers killed in the line of duty, and he called the measure a “step forward as we work to protect those who are risking their lives to protect us._”
“While some vilify, target and attack our men and women in uniform for personal or political gain, this legislation is a clear reminder that Georgia is a state that unapologetically backs the blue,” Kemp said.
The standalone bill was a concession to state Republicans, who refused to help pass an actual hate crime bill without being able to give more protections to already-very well-protected police officers. Not only does the law make it a crime to engage in “bias motivated intimidation” of police officers and first responders, it gives them a way to exact revenge on anyone they believe has wronged them. From the bill [PDF]:
A peace officer shall have the right to bring a civil suit against any person, group of persons, organization, or corporation, or the head of an organization or corporation, for damages, either pecuniary or otherwise, suffered during the officer’s performance of official duties, for abridgment of the officer’s civil rights arising out of the officer’s performance of official duties, or for filing a complaint against the officer which the person knew was false when it was filed.
Critics of the bill believe this addition to state law would give officers a way to sue anti-police protesters for whatever harms officers feel they’ve suffered while policing demonstrations. And it would affect more than protesters. Anyone interacting with a police officer runs the risk of being sued because “damages suffered” is limited only by the officer’s imagination and the court’s tolerance. Even if the suit is baseless, the defendant still has to show up and defend themselves, using their own money while officers play litigation roulette with the taxpayers’ bankroll.
Then there’s the heart of the law, which makes certain acts hate crimes:
A person commits the offense of bias motivated intimidation when such person maliciously and with the specific intent to intimidate, harass, or terrorize another person because of that person’s actual or perceived employment as a first responder:
(1) Causes death or serious bodily harm to another person; or
(2) Causes damage to or destroys any real or personal property of a person because of actual or perceived employment as a first responder without permission and the amount of the damage exceeds 500.00orthevalueofthepropertydestroyedexceeds500.00 or the value of the property destroyed exceeds 500.00orthevalueofthepropertydestroyedexceeds500.00.
Those acts are punishable by five years and/or a $5,000 fine. And the acts described are already crimes. Doubling down on crimes to make cops feel special may actually make things more ridiculous, as the ACLU has explained.
According to the bill, anyone found guilty of the death, serious bodily harm or destruction of more than 500worthofpropertyofafirstresponder,specificallybecauseofhisorheroccupation,wouldfacebetweenoneandfiveyearsinprisonand/orafineupto500 worth of property of a first responder, specifically because of his or her occupation, would face between one and five years in prison and/or a fine up to 500worthofpropertyofafirstresponder,specificallybecauseofhisorheroccupation,wouldfacebetweenoneandfiveyearsinprisonand/orafineupto5,000.
Currently, the punishment for murder includes death, life in prison without the possibility of parole or life in prison.
Since the targeted killing of a police officer could be considered “bias motivated intimidation” of a first responder, the ACLU says a legal argument called the “rule of lenity” requires courts to pursue the charge that is the most favorable to a defendant.
And the most lenient charge is the new law, which calls for only a five-year sentence (maximum) for killing a cop if the crime appears to have been motivated by anti-cop bias. Prosecutors who want to do the most damage to cop-killers won’t be pursuing bias charges. They’ll ignore the new law completely. Legislators were apparently made aware of this conflict prior to the bill’s passage but apparently figured it would sort itself out once it became law.
Senate Judiciary Committee Chairman Jesse Stone, a Waynesboro Republican and attorney, said he was made aware of a potential problem with the legislation late Friday.
_“I think if they were charged with bias motivated (intimidation), that might be a concern,” said Stone, who voted for HB 838 and is retiring this year. “I haven’t studied it, but I think it’s something that should be looked into._”
Yes, the best time to look into potential problems with legislative proposals is after they’ve become law. Everything about this new law is terrible, including its path to the governor’s desk. It passed with one vote, divided entirely along party lines. And it shows one party is far more concerned with pandering to its powerful law enforcement voter base than protecting citizens from their public servants.
Filed Under: 1st amendment, blue lives matter, brian kemp, georgia, hate crime, police, police rights
Investigation Shows Governor's Claims That Democrats Tried To Hack The Georgia Election Were Bullshit
from the another-unforced-error-by-Brian-Kemp dept
Georgia Governor Brian Kemp is very involved with the electorate. Well, perhaps not that involved with the residents of the state, but he does seem to keep a very close — and very partisan — eye on election security. Election security is important, especially as more states move to electronic ballots, but Kemp has spent most of the last four years using election security as a political football to score points with.
When President Obama was still leading the nation, Kemp (while still Georgia’s Secretary of State) claimed the DHS had breached his office’s firewall during its security testing — something he had directly asked it not to do. Kemp claimed his state had already implemented the DHS’s recommendations and had asked to be left out of this nationwide testing. The DHS apparently ignored that, resulting in Kemp making lots of noise about an overreaching federal agency.
Kemp’s tune changed once Trump was elected. While running for the job of governor against Democrat Stacey Abrams, Kemp — a Republican — generated a lot of bad press for himself by allegedly engaging in voter suppression efforts. He capped this off with a bad judgment two-fer.
First, he insisted the Democratic Party was trying to hack the voter registration system. The only evidence Kemp had for this is that a hacking attempt had been made. He responded to this by opening an investigation into the Democratic Party based on apparently nothing more than his animosity towards it. This was capped off a few days later when Kemp released a ton of absentee voting info, including names, addresses, and the reason they voted absentee.
Two years later, ProPublica — using documents obtained from the Georgia Bureau of Investigation (GBI) — has published the investigation’s findings. No surprise, GBI’s conclusions don’t agree with Kemp’s baseless and partisan assertions.
“The investigation by the GBI revealed no evidence of damage to (the secretary of state’s office’s) network or computers, and no evidence of theft, damage, or loss of data,” according to a March 2 memo from a senior assistant attorney general recommending that the case be closed.
Unlike Kemp’s 2016 assertion about DHS meddling (which was later shown to be routine checks of the state’s firearm database by law enforcement) where it wasn’t asked to, the alleged “failed hacking attempt” seen by Brian Kemp’s office was actually the DHS doing something the state had asked it to do.
The internet activity that Kemp’s staff described as hacking attempts was actually scans by the U.S. Department of Homeland Security that the secretary of state’s office had agreed to, according to the GBI. Kemp’s chief information officer signed off on the DHS scans three months beforehand.
Kemp continues to be wrong about election security — something that only seems to concern him when it can be leveraged to (incorrectly in every case) target political opponents. The state’s election system still has security issues. The article points out the site where voters can check their information still contains a “significant vulnerability” that Kemp has been notified of, but refused to acknowledge.
All the bluster worked, though. Kemp was elected governor in 2018 and now has an even bigger platform to be wrong about election security issues. And he — and his former office — were completely wrong about this one. The other alleged hacking his office thought it was witnessing — other than the DHS’s pentest traffic — was nothing more than someone doing what anyone could do: altering site URLs to view other voters’ data.
That’s not hacking. That’s what anyone who knows how websites work can do at any time with zero skill or additional tools. And from that, an entire conspiracy theory was erected by Kemp’s office, resulting in thousands of tax dollars being wasted to pursue Kemp’s politically motivated accusations. There’s some hackery going on here, but it’s only of the partisan variety.
Filed Under: brian kemp, dhs, e-voting, georgia, hacking, politics, voting machines, voting security
Revolving Doors And Regulatory Capture Are Ensuring E-Voting Remains An Insecure Mess
from the we're-from-the-government-and-we're-here-to-secure-corporate-boardroom-p dept
Despite the long list of bad news generated by electronic voting machines, their market share only continues to grow. Rather than consider them the attack vectors they are, state and county legislators have decided to toss caution and paper ballots to the wind. The future is now. And it’s riddled with vulnerabilities.
Maybe there shouldn’t be a rush to digitize the democratic process, at least not while manufacturers are still shipping machines pre-loaded with security flaws and inadequate software. The push for e-voting machine deployment isn’t organic, of course. It’s an organized push that starts with the machines’ manufacturers and ends in regulatory capture.
Sue Halpern has exposed the paper trail connect voting machine manufacturers to ill-advised rollouts in her article for the New Yorker. The heaviest pushes target legislatures that make purchasing calls for the entire state. Most states allow the decision to be made at the county level, which decreases the chance the entire state will be affected by voting machine hacking or malfunctions. But in states like Georgia and Delaware, a successful pitch to the state legislature can mean hundreds of millions of dollars in sales.
The pay-for-play begins in the usual way: paid junkets that take state advisory boards to major cities for the usual wine/dine/schmooze-fests with all expenses paid. An investigation by McClatchy showed the Governor Brian Kemp’s chief of staff, David Dove, attended an event held by voting machine manufacturer ES&S (Election Systems & Software) — timed impeccably to capture the state’s $100 million voting machine market. To the surprise of no one, the state’s election commission decided to award ES&S this contract. But it had to do so over the voices of non-purchased stakeholders who saw nothing good in replacing one faulty e-voting machine with a similarly faulty product.
In doing so, the panel rejected the advice of computer scientists and election-integrity advocates, who consider hand-marked ballots to be the “most reliable record of voter intent,” and also the National Academies of Sciences, Engineering, and Medicine, which recommended that all states adopt paper ballots and conduct post-election audits.
This continued the proud Georgia tradition of voting machine vendor cross-pollination in the state legislature, which kicked off almost a two decades ago. In 2002, Diebold secured a $54 million contract to provide the state with voting machines. Diebold’s lobbyist was a former Georgia state official. When problems developed, ES&S stepped in, killing off legislation addressing election integrity issues and capturing a very key demographic.
In 2006, a bill requiring a verifiable paper record of each ballot, introduced in the Georgia legislature at the urging of election-integrity advocates, failed after the state’s elections director, Kathy Rogers, opposed it. Rogers, of course, later went to work for E.S. & S.
Another legislator took an extended trip through the lawmaker/lobbyist revolving door. Charles Harper went from sod farmer to state rep to lobbyist for ES&S before ending up as the deputy chief of staff in Governor Brian Kemp’s office. Brian Kemp, of course, spent the last election hastily patching voting machine vulnerabilities following the exposure of flaws, blaming the Democratic Party for the alleged hack, doxxing absentee voters, and, finally, overseeing voting integrity operations of an election he participated in.
Congress has tried to fix this problem… multiple times. It opened this year’s session with a 571-page bill full of reforms and paper ballot mandates. The problem is previous attempts to install these reforms have failed after receiving pushback from state officials. Voting machine vendors are focusing on states and counties, where the decisions (and purchases) are made. And it’s working.
Last year, the Democratic congressman Bennie Thompson, of Mississippi, proposed the Election Security Act; a year before, the Republican Mark Meadows, the chair of the right-wing House Freedom Caucus, introduced the Paper Act, which was endorsed by the former Department of Homeland Security Secretary Michael Chertoff and by Grover Norquist, the president of the conservative organization Americans for Tax Reform. The Senate’s attempt to reform election practices, last year’s Secure Elections Act, had bipartisan support, too, but was killed by the White House before it got out of committee.
You can’t remove money from politics and you can’t banish lobbyists from petitioning on the behalf of the causes and corporations they represent. But you can oust politicians who prefer corporations to constituents. Changes can be made and it all starts with those who serve their own interests rather than the public’s. Shining a light on regulatory capture is the first step.
Filed Under: brian kemp, e-voting, georgia, lobbying, regulatory capture
Georgia's Brian Kemp Decides To Dox Absentee Voters, Revealing Why They All Voted Absentee
from the voting-irregularities dept
Kind of a key part of the American election setup is the concept of a secret ballot for hopefully obvious reasons. We haven’t gone quite so far as eliminating that, but down in Georgia, Secretary of State Brian Kemp (who was running for governor at the same time as he was overseeing the integrity of the election and also putting in place a bunch of attempts at voter suppression) has doxxed hundreds of thousands (291,164 to be exact) of absentee voters by posting an Excel file on the state’s website listing out the names, addresses and reasons why they voted absentee.
In typical spokesperson Candice Broce fashion (see her previous nonsensical quotes defending her boss), Broce/Kemp denied that there’s anything wrong with this at all. The systems, they are all working perfectly:
When reached, Georgia secretary of state?s press secretary Candice Broce told TechCrunch that all of the data ?is clearly designated as public information under state law,? and denied that the data was ?confidential or sensitive.?
?State law requires the public availability of voter lists, including names and address of registered voters,? she said in an email.
While it is true that voter name and address info is required to be made available, it is usually not made available in aggregate for anyone to just download without restrictions. And, it’s especially concerning that they released the reasons for voting absentee just a day or so after the election — as people pointed out that this could be quite useful info for criminals looking for who might be away from their homes.
More concerning, of course, is the idea that this could scare off future voters as well who don’t want such info being released in such a manner.
Either way, the idea that the Secretary of State, who kept insisting how wonderful his electronic voting systems were, would then release a giant Excel spreadsheet should again raise questions about the technological skills of whoever set up the system, let alone Kemp for overseeing such a system.
Filed Under: absentee voters, brian kemp, doxxing, elections, georgia, voter suppression
Georgia Scrambles To Patch Massive Vulnerabilities In Its Voter Registration System After Insisting It Was Totally Secure
from the so-about-that-voting-system... dept
Yesterday we had a rather incredible story about Georgia’s Secretary of State, Brian Kemp, who, despite the conflict of interest, is both running for Governor and in charge of making sure Georgia’s elections are fair. Over the weekend, Kemp had made a highly questionable claim that his opponents in the Democratic Party of Georgia had attempted to hack the voter registration system, and he was opening an investigation. As we noted, what appears to have actually happened was that an independent security researcher had discovered massive, stunning, gaping security flaws in Georgia’s voter registration system, that would potentially allow anyone to access anyone else’s information and even modify it. That’s an especially big deal in Georgia, where the very same Secretary of State Brian Kemp had pushed for laws that meant that if any of your ID information was different from what was in the voter system, you didn’t get to vote.
Incredibly, despite multiple security experts pointing out some fairly basic flaws, Kemp’s office insisted the site was secure. According to press secretary Candice Broce:
?We can also confirm that no personal data was breached and our system remains secure.?
Elsewhere the Secretary of State’s Office insisted there were no problems with the site. However, as ProPublica is now reporting, late Sunday night, after it had insisted there was nothing wrong, it appeared that someone behind the scenes was scrambling to patch the vulnerabilities:
ProPublica?s review of the state?s voter system followed a detailed recipe created by the tipster, who was described as having IT experience and alerted Democrats to the possible security problems. Using the name of a valid Georgia voter who gave ProPublica permission to access his voter file, reporters attempted to trace the security lapses that were identified.
ProPublica found the website was returning information in such a way that it revealed hidden locations on the file system. Computer security experts had said that revelation could give an intruder access to a range of information, including personal data about other voters and sensitive operating system details.
ProPublica?s attempt to take the next step ? to poke around the concealed files and the innards of the operating system ? was blocked by software fixes made that evening.
The same Candice Broce who had insisted that there was absolutely nothing wrong with the site then told ProPublica two obviously bullshit claims. First, that the setup that allowed users to see exactly where files were stored was standard practice, and so was making last minute changes to a voter registration website two days before an election:
Broce said the ability to see where files were stored was ?common? across many websites, and she said it was not an inherent vulnerability. She did not deny that the website?s code was rewritten and would not say whether changes were made as a result of the possible security holes.
?We make changes to our website all the time,? Broce said. ?We always move our My Voter Page to a static page before Election Day to manage volume and capacity. It is standard practice.? By Monday afternoon, the page did not appear to be static in the way Broce described, and she did not respond to a request to provide evidence of the change.
Of course, as anyone who has done any serious website building in, let’s say, the last 10 to 15 years, knows well, that is not at all standard practice. But, let’s see the quote from an expert anyway:
Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., disputed that visibility into file storage was common. ?It?s definitely not best practice,? he said. He said it appeared the state had made the change in response to being notified of the problem and could see no reason why officials would otherwise make such a change ahead of Election Day.
Security experts frown on making such seemingly ad hoc changes close to major events, such as an election, because they can create unforeseen problems when made so quickly.
Basically, it appears that Kemp and the Secretary of State’s office are betting on voters in Georgia being totally ignorant. Meanwhile, this is the same office that just a couple months ago made the following bold statement:
?There has never been a breach in the Secretary of State?s office. We have never been hacked, and according to President Trump and the Department Of Homeland Security, we have never been targeted. Georgia has secure, accessible, and fair elections because Kemp has leveraged private sector solutions for robust cyber security, well before any of those options were offered by the federal government.?
I don’t care what side of the partisan divide you fall on, but Kemp’s actions in failing to protect the system, overseeing the voting in his own election, then attacking the messenger for pointing out his own vulnerability, denying the vulnerability, and then scrambling to fix the vulnerability at the last minute without telling anyone, should disqualify him from running a Burger King, let alone being Governor of the state of Georgia.
Filed Under: brian kemp, computer security, election, georgia, voter registration, vulnerability
Georgia's Brian Kemp And The No Good, Very Bad Claim That Democrats Were Hacking Voter Registration System
from the can-we-not? dept
Okay, let’s start with this. Can we all agree — no matter what your party, ideological, or candidate preference — that in any election where you are up for one of the offices, that you shouldn’t be the one in charge of safeguarding the integrity of the election? This seems like a fairly basic point concerning democracy, that if you’re a candidate for office, you should recuse yourself from anything involving election integrity. However, that’s not the way things work around here, apparently. In at least three key elections this year, current secretaries of state, who are in charge of election integrity, are running for higher office while being in charge of counting their own votes. It just so happens that this year all three of those cases involve Republicans (and all three of those Republicans have a long and fairly detailed history of voter suppression tactics), but the issue applies equally to Democrats who might be in the same position. No one who is in charge of election integrity should ever be in the position of running for office at the same time.
But let’s focus in on just one of the three individuals in that situation this year: Republican Brian Kemp, Georgia’s Secretary of State, who is in a very heated campaign to be Governor of Georgia, campaigning against Democrat Stacey Abrams. As you may know, our stated policy on Techdirt is that we tend not to name the party affiliation of any politician, unless it truly matters to the story. That’s because in this age of red team/blue team insanity, many people determine what they agree or disagree with depending on the color of the uniform. However, in this story, the party affiliations matter, not for which one is which (we could have posted an identical story with the party’s changed), but because the dispute here clearly involves partisan politics.
As you may have heard, on Sunday, just two days before the election, Kemp (who’s been getting hit with a bunch of bad headlines around his failed attempts at voter suppression in that state) announced that he had opened an investigation into an alleged “failed attempt to hack the state’s voter registration system” by the Democratic Party of Georgia. Most of the headlines about this correctly noted that Kemp’s office provided basically zero details to support this claim. Indeed, the entire announcement was two very short paragraphs long:
After a failed attempt to hack the state’s voter registration system, the Secretary of State’s office opened an investigation into the Democratic Party of Georgia on the evening of Saturday, November 3, 2018. Federal partners, including the Department of Homeland Security and Federal Bureau of Investigation, were immediately alerted.
“While we cannot comment on the specifics of an ongoing investigation, I can confirm that the Democratic Party of Georgia is under investigation for possible cyber crimes,” said Candice Broce, Press Secretary. “We can also confirm that no personal data was breached and our system remains secure.”
Before we dig into what appears to have happened, it’s time to take a little jump back in time. You see, back in 2016, Georgia Secretary of State Kemp also raised the alarm about what he claimed was an attempt by the US Department of Homeland Security to “breach” his office’s firewall. Kemp sent an angry letter to then DHS boss Jeh Johnson, insisting that this was a sneaky attempt by DHS to do penetration testing and test the security of Georgia’s election systems without permission.
Except… none of that was accurate. Six months later, the investigation revealed that Kemp misinterpreted someone from DHS checking an openly accessible database on the Secretary of State’s site to check firearms licenses.
An earlier, internal DHS investigation into the reported incident showed that the “attempt to penetrate the Georgia Secretary of State’s firewall” was actually residual traffic from a Federal Law Enforcement Training Center employee checking the Georgia firearms license database. That employee said he was doing due diligence on private security contractors for the facility.
That traffic, the first report determined, was caused by the employee cutting and pasting data from the database to Microsoft Excel, which sent light traffic to the Georgia server while parsing the data. That traffic would have been in no way abnormal.
The DHS inspector general, which operates independently from the DHS chain of command, conducted a second investigation. It validated the first report’s results
That report further noted that “the DHS internet addresses that contacted the Georgia systems could not be used to attack those systems in the way Kemp described.”
And, as you’ll see, this article is already so long that we won’t bother with more other than a link to another story about how Kemp has been credibly accused of destroying evidence in a still ongoing lawsuit about whether or not Georgia’s voting system was hacked.
So, Kemp already has some credibility problems with “crying wolf” about supposed hacks of his computer systems before. And those should only increase given what appears to have lead to yesterday’s claim of an “investigation.” The small, but respected investigative journalism site WhoWhatWhy has a fairly detailed look at what happened and it looks really, really bad for Kemp. You see, on Saturday, the Democratic Party of Georgia had discovered massive vulnerabilities in the voter registration system overseen by Kemp, and had passed those details on to security experts… and then someone passed them along to WhoWhatWhy.
Just before noon on Saturday, a third party provided WhoWhatWhy with an email and document, sent from the Democratic Party of Georgia to election security experts, that highlights ?massive? vulnerabilities within the state?s My Voter Page and its online voter registration system.
According to the document, it would not be difficult for almost anyone with minimal computer expertise to access millions of people?s private information and potentially make changes to their voter registration ? including canceling it.
The publication spoke to a bunch of security experts, who all noted (correctly) that actually testing the vulnerabilities would be illegal, but…
…several logged onto the My Voter Page to look at the code used to build the site ? something any Georgian voter could do with a little instruction ? and confirmed the voter registration system?s vulnerabilities.
They all agreed with the assessment that the data of voters could easily be accessed and changed.
?For such an easy and low hanging vulnerability to exist, it gives me zero confidence in the capabilities of the system administrator, software developer, and the data custodian,? Kris Constable, who runs a privacy law and data security consulting firm, told WhoWhatWhy. ?They should not be trusted with personally identifiable information again. They have showed incompetence in proper privacy-protecting data custodian capabilities.?
From the reporting, it appears that the vulnerability is the kind of mistake that was common on the web two decades ago, that once you’ve logged in you can access anyone else’s content just by changing the URL. Basically anyone with any degree of knowledge of online security learned to block such a vulnerability at least a decade or more ago. It is astounding that such a vulnerability might still exist online, let alone on something as vital and key to democracy as a state election system.
It appears that this is the basis of Kemp’s new investigation. The Democratic Party had discovered just how poorly Kemp’s own team had built its online voter registration system, and his response is to blame the messenger. Of course, we see this kind of thing all the time in writing about vulnerabilities reporting, and we’ve always pointed out how ridiculous it is. But here, it’s been taken to a new level, because beyond the usual dynamic, here we have the Republican running for Governor overseeing the insecure voting registration system, and it’s the opposing candidate’s party who discovered the vulnerability. This is beyond “blame the messenger.” It’s “blame the messenger who not only showed my own incompetence, but is also running against me for my shot at the big time.”
A later story on WhoWhatWhy details that it wasn’t the Democratic Party who had discovered the vulnerability in the first place, but rather someone else, who then contacted a lawyer for someone already suing Kemp over weaknesses in Georgia’s election system:
A man who claims to be a Georgia resident said he stumbled upon files in his My Voter Page on the secretary of state?s website. He realized the files were accessible. That man then reached out to one of Cross?s clients, who then put the source and Cross in touch on Friday.
The next morning, Cross called John Salter, a lawyer who represents Kemp and the secretary of state?s office. Cross also notified the FBI.
As noted above, WhoWhatWhy reached out to multiple security experts who all confirmed the vulnerability — and apparently all five of them noted that actually testing the vulnerability would be illegal. But all five of them were able to just look at the code on the site and confirm the vulnerability was real and could be used to alter voter information in the rolls, which is an especially big deal considering that one of Kemp’s voter suppression methods was to insist that if any tiny bit of your information did not match what was in the rollbook, you couldn’t vote.
The report further notes that the security researchers approached by WhoWhatWhy reached out to both US intelligence officials and the Coalition for Good Government, who also reached out to Kemp’s own lawyers to alert him to the problems in the system:
Bruce Brown, a lawyer for the group, then reached out to Kemp?s attorneys to alert them of the problem. At 7:03 PM Saturday night, he emailed John Salter and Roy Barnes, former governor of Georgia, in their capacities as counsel to Secretary of State Kemp, to notify them of the serious potential cyber vulnerability in the registration files that had been discovered without any hacking at all, and that national intelligence officials had already been notified.
[….]
?What is particularly outrageous about this, is that I gave this information in confidence to Kemp?s lawyers so that something could be done about it without exposing the vulnerability to the public,? Brown told WhoWhatWhy. ?Putting his own political agenda over the security of the election, Kemp is ignoring his responsibility to the people of Georgia.?
You really should read the entire WhoWhatWhy article (or, actually, both of the ones I’ve linked to here) because it goes into much more detail than I’ve described here, and all of it is mind-bogglingly stupid. Just to give you a taste, the report details not just one, but multiple vulnerabilities, including this:
In the code of the website ? which anybody can access using their internet browser ? there is a series of numbers that represent voters in a county. By changing a number in the web browser?s interface and then changing the county, it appears that anybody could download every single Georgia voter?s personally identifiable information and possibly modify voter data en masse.
In addition, voter history, absentee voting, and early voting data are all public record on the secretary of state?s website. If a bad actor wanted to target a certain voting group, all of the information needed is available for download.
?It?s so juvenile from an information security perspective that it?s crazy this is part of a live system,? Constable said.
Oh, and then there’s this: while Kemp’s office insist what they are misleadingly calling a hack from the Democratic Party “failed,” according to the various security experts WhoWhatWhy spoke to, there didn’t appear to be any logging, meaning there wouldn’t necessarily be a way to see if anyone had actually changed the information. It goes on and on like this.
And, rather than admitting a fuck up of colossal proportions for a voting system, Kemp is claiming the Democratic Party of Georgia hacked the election system. Again, no matter who you support as a candidate, can we at least all agree that something is rotten in the state of Georgia when it comes to how they manage their election systems?
Filed Under: brian kemp, democratic party, election systems, georgia, hacking, politics, stacey abrams, voter suppression, vulnerabilities
Georgia Secretary Of State Accuses DHS Of Breaching His Office's Firewall
from the we-meant-to-knock-but-we-were-already-inside dept
The DHS finally got serious about protecting election infrastructure from hackers by appointing a bunch of career politicians to its “working group.” With all this tech expertise on board, there could be little doubt the 2016 election would be the securest of all.
Following in the wake of Donald Trump’s surprise electoral college victory came the news that President Obama wanted a full-scale investigation into alleged Russian hacking that may have affected the outcome of the election. Voting machines remained as insecure as ever though, and no one really seemed to have a problem with that.
The DHS — caretakers of the non-hacked election — did whatever the hell it was doing with a handful of Secretaries of State in charge. Presumably, this was limited to making a mockery of the term “paperless office.” However, it appears it did actually do some sort of cybersecurity stuff. And, as it is prone to do, the federal government angered others by doing it. (via Slashdot)
Georgia’s secretary of state has claimed the Department of Homeland Security tried to breach his office’s firewall and has issued a letter to Homeland Security Secretary Jeh Johnson asking for an explanation.
Brian Kemp issued a letter to Johnson on Thursday after the state’s third-party cybersecurity provider detected an IP address from the agency’s Southwest D.C. office trying to penetrate the state’s firewall. According to the letter, the attempt was unsuccessful.
Kemp is a member of the DHS’s election security working group. He has also spent a fair amount of time issuing combative statements about the federal government’s meddling in states’ election processes.
Kemp reminds the DHS of his position on the task force in his letter [PDF] demanding answers for the unwanted intrusion.
At no time has my office agreed to or permitted DHS to conduct penetration testing or security scans of our network. Moreover, your Department has not contacted my office since this unsuccessful incident to alert us of any security event that would require testing or scanning of our network. This is especially odd and concerning since I serve on the Election Cyber Security Working Group that your office created.
[…]
Georgia was one of the only few states that did not seek DHS assistance with cyber hygiene scans or penetration testing before this year’s election. We declined this assistance due to having already implemented the security measures suggested by DHS.
What more could one ask for? Kemp specifically told the DHS “no” and yet the federal agency apparently decided to push up against his office’s protections without notification or permission.
Then again, Kemp has already made several comments expressing his displeasure with perceived federal government intrusions, so it’s quite possible this is him making grandstands out of mole hills. The DHS, meanwhile, has promised to look into Kemp’s allegations and get back to him.
If the DHS did ignore the wishes of two states which expressly told it to back off, that is a problem. A federal government can’t ask states to partner up with it if it’s just going to ignore those who decline the offer. It’s the sort of “team building” exercise that’s bound to fail, because while you’re falling over backward on the office cafeteria floor, your federal partner is back inside the office trying to guess the admin account password.
Kemp may be right, but that doesn’t make him much less of a blowhard. His objections to federal government intrusion have been mostly partisan attacks, rather than more neutral complaints.
It may be discovered at the end of the DHS’s “looking into it” that it was just one of those things that happens when 48 states agree to have the election systems tested and only two don’t. It could be the DHS’s contractor ran down the list in alphabetical order, looking for state orifices to insert the fed’s penetration tester into and simply failed to bypass Georgia.
Whatever the truth is, it’s not a good look for the DHS or the federal government. Unfortunately, even if Georgia’s direct request was ignored by the DHS, the most that will come out of this will be a rug to sweep everything under, embroidered with the words “issuing new guidelines.”
Filed Under: brian kemp, cybersecurity, dhs, georgia