Wed Apr 14 19:32:56 +0000 2021

 · trapezoid of discovery

[tweet] [link]
Stumbled upon yet another connection between the Antrim election audit and Maricopa...looks like CyFir, one of the firms working with Doug Logan/Cyber Ninjas submitted an affidavit in Antrim (exh 8) - https://www.depernolaw.com/uploads/2/7/0/2/27029178/ex_5-10.pdf cc @Garrett_Archer @jeremyduda

[tweet] [link]
I'm actually really confused by that specific affidavit. The IP addresses and domains displayed in the screenshot line up very nicely with strings contained in a sample of Windows malware...but the Dominion ICX are Linux machines. (https://www.hybrid-analysis.com/sample/15eab49696a47d646429662cff0e28b4495c6eca41bc8596e27fc463ccbb87ff?environmentId=120)

[tweet] [link]
In fact, there are enough neighboring strings in that screenshot that indicate that what we're looking at is not evidence of communication to those IPs, but an actual compiled Windows binary - very similar to the one analyzed by hybrid-analysis.

[tweet] [link]
This is good in that it means it's unlikely the ICX communicated with those servers.

But it's also weird as hell that the binary ended up in the forensics. It could be that the ICX at one time was running Windows (bootstrapping?). Could also be a re-used hard drive.

[tweet] [link]
But bottom line is that a Windows executable - even if it's malware - can't run on a Linux system.

[tweet] [link]
To elaborate on this: @cyfir cannot responsibly say that what is shown in the screenshot is definitive proof of network comms. What is shown in the screenshot is a string table of a binary that matches a Windows malware sample that cannot run on Linux.

[tweet] [link]
In the below screenshots, you'll see that most of the strings visible in the CyFir report are visible in this malware sample, which - again - was compiled for Windows.

It is weird that it showed up in the forensics.

It is not definitive proof of network activity.

[tweet] [link]
The CyFir report makes another (intentional?) mischaracterization: it points out that security updates haven't been applied since 2016, and even points to @jhalderm's report that states the same. However, it leaves out Halderman's explanation that updates have to be certified.

[tweet] [link]
Did Antrim have real security issues that need to be addressed? Yes.

Are the documents produced in support of Bill Bailey's case in Antrim accurately representing those issues? No.
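The distinction the thread draws, between a string table embedded in a Windows binary and evidence of actual network communication, can be checked mechanically. The following is an added example (not the author's code, and not taken from the CyFir report or any real sample): it identifies the executable container, pulls host-like strings the way a report screenshot would show them, and labels the result as static artefact evidence rather than connection evidence. The sample PE blob, the placeholder hosts and the `classify` function are constructed for illustration.

```python
import re
import struct

# Constructed sample for illustration: a blob shaped like a Windows PE (MZ stub, e_lfanew
# pointing at the "PE\0\0" signature) with a few embedded host-like strings. It is not a
# real or executable binary, and the hosts are documentation placeholders, not indicators.
def build_sample_pe() -> bytes:
    header = bytearray(b"MZ" + b"\x00" * 0x3E)           # 64-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)           # e_lfanew -> offset 0x40
    body = b"PE\x00\x00" + b"\x00" * 20                  # PE signature, truncated headers
    strings = b"\x00".join([b"203.0.113.7", b"example.invalid",
                            b"Mozilla/4.0", b"POST /gate.php"])
    return bytes(header) + body + strings + b"\x00"

def file_format(data: bytes) -> str:
    """Identify the executable container: ELF (Linux), PE (Windows) or unknown."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
    return "unknown"

def ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Plain `strings`-style extraction of printable ASCII runs."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_HOST = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)

def host_like_strings(data: bytes) -> list[str]:
    """Strings that look like IPs or hostnames: what a string-table screenshot shows."""
    return [s for s in ascii_strings(data) if _IPV4.match(s) or _HOST.match(s)]

def classify(data: bytes, host_os: str) -> dict:
    """Static string hits mean 'this file contains these strings'. They are not a record
    of a connection; only network telemetry (pcap, flow logs, socket logs) could show that.
    A PE recovered from a Linux host also cannot have executed there natively."""
    fmt = file_format(data)
    hosts = host_like_strings(data)
    native = (fmt == "ELF" and host_os == "linux") or (fmt == "PE" and host_os == "windows")
    return {
        "format": fmt,
        "host_like_strings": hosts,
        "natively_executable_on_host": native,
        "evidence_kind": "static-strings-in-binary" if hosts else "none",
        "proves_network_comms": False,
    }
```

Run `classify(build_sample_pe(), "linux")` to see the verdict for the situation described in the thread: a PE whose strings match a known sample, recovered from a Linux image.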