Dominion Machine Statistical Problems

This whole Twitter thread. It’s another, completely-independent way of looking at the voting data, like The 2020 Election, Benford’s Law, and Twitter, and it’s another smoking gun that indicates that the voting machines — in precisely the places that needed help — have been tampered with. Again — and I can’t stress this enough — the courts need a protagonist. You can’t just prove this by math. You have to show that some person hacked the machines, and you will never be able to do that. There’s too much obfuscation and redirection. So I’m more and more convinced that the election was stolen, but that Biden got away with it clean. This has been done so well, that I’m convinced “dissidents” in one of the three-letter agencies — with experience in this sort of thing in other countries — had to have been involved.

If the election was really, truly hacked, then Republicans in Congress have to do something about it, lest they lose another election because of it. The real question — the only question, at this point — is what they will do about it. The real story will get around, whispered in the back rooms of Washington office buildings. The people who could do something about this will eventually know what really happened here. The thing to watch is what happens to voting machines before the next election. That will be the last piece of this puzzle.

 

Some Video Gaming Company Got Hacked

Yesterday evening, I got over a dozen notifications that my Apple Credit Card got hit with fraudulent charges, and their automated detection missed a few. Except for a couple of pizza places, several hundred miles from where I live, the charges were all from video gaming-related sites. So I’m guessing that one of the gaming companies got hacked. I can only think of 2 that have this card: Steam and Sony. I’m going to be watching for an announcement from Brian Krebs. It’s sorely tempting to reactivate my Twitter account to check the traffic on this…

How 4 Chinese Hackers Allegedly Took Down Equifax | WIRED

While the operation had a certain degree of complexity, Equifax itself made their job much easier than it should have. It should have patched that initial Apache Struts vulnerability, for starters. And an FTC complaint from last summer also found that the company stored administrative credentials in an unsecured file in plaintext. It kept 145 million Social Security numbers and other consumer data in plaintext as well, rather than encrypting them. It failed to segment the databases, which would have limited the fallout. It lacked appropriate file integrity monitoring and used long-expired security certificates. The list goes on. Equifax didn’t just let the alleged Chinese hackers into the vault; it left the skeleton key for every safe deposit box in plain sight.

Source: How 4 Chinese Hackers Allegedly Took Down Equifax | WIRED

This whole incident deeply offends me. I don’t like that our capitalistic society has given these credit-reporting companies so much control over our lives. I don’t like that they seem to be completely unaccountable for being so integral to so much of our economy. I don’t like that they hold all the information you would need to ruin someone’s life by impersonating them online. I don’t like that they are not being prosecuted for being so flippant with personally-identifying data.

I don’t like the fact that a sovereign foreign power committed industrial espionage on a critical part of our economy. I don’t like that they already did basically the same thing to a government personnel database the year before. I don’t like that China’s government exists to begin with, given their treatment of their own people, Hong Kong, and the Uighers. I also don’t like that China has been committing wholesale intellectual property theft for many decades. I don’t like the fact that we all know it, and nothing seems to be getting done to stop it.

The initial vulnerability the attackers leveraged was a problem in Apache Struts, which implies that Equifax’s web application uses Java. Using Java for a web application in 2017 is like driving a Model T in 1950. Sure, it was a reliable means of transportation, and revolutionary when it was introduced, but it’s 20 years out of date. It requires an inordinate amount of maintenance, spare parts are more difficult to find. Mechanics can be lazy, because they know they have the owner of the car over a barrel, and they can charge a premium for service, and take their time. There are many better options available, which start quicker, go faster, have safety features built in, and are far more comfortable.

Not all applications require encrypted this, and sharded that, and intrusion detection systems, and real-time monitoring, and everything else, but if any application needed these sorts of treatments, it would have been this one. Also, if any application needed its owners to stay on top of CVE disclosure reports, and fix affected layers of their stack, as appropriate, it would have been this one.

In sort, there’s literally no good news here. Nothing will happen to China, its government, or the actual individuals named in the indictment. The punishment to Equifax is a slap on the wrist. Everyone jumped on the settlement, and now no one will get anything. Everything about this is wrong, and nothing good will come of it.