Thu Jul 15 17:04:07 +0000 2021

trapezoid of discovery

[tweet] [link]
Thread on the Maricopa hearing.

Fann starts by saying they thought it would be "quite easy"

which..what?

[tweet] [link]
Logan's touting his CISSP, GWAPT and GCIH certs none of which will qualify you to audit an election.

[tweet] [link]
Logan says that it was "his team" that helped assist DePerno with findings in Antrim.

[tweet] [link]
Logan also claims that because he specializes in application security, that qualifies him to audit voting systems. Again, no. No it doesn't.

Signed, An application security specialist

[tweet] [link]
Cyber Ninjas has put together a video detailing what they've done at the audit. This should be interesting.

[tweet] [link]
Holy shit, the video is not simply detailing what Cyber Ninjas did during the audit, it opens with someone praising how well run the audit was.

Again, the auditors have produced a video praising the audit that they themselves are conducting.

[tweet] [link]
I thought that they were supposed to source volunteers solely from Arizona, but the video dives into the many non-Arizona states that volunteers came in from.

[tweet] [link]
"Buzzwords were often including "Integrity""

...Yeah ok buddy.

[tweet] [link]
Incredible that they've produced this film praising their audit operation without mentioning that they did not invite anyone from the AZ SoS' observation team to report on the many mistakes they observed on the auditing floor https://azsos.gov/about-office/media-center/documents/coliseum-observer-notes-2021

[tweet] [link]
Logan: "I think this [the video] gave a good overview"

Me: It did not.

[tweet] [link]
Logan: 1,500 people were involved in the audit process, many were volunteers. Over 80k man hours.

[tweet] [link]
Logan: Only thing left is the "last bits of aggregation to make sure these numbers are perfect because we totally understand how much focus is on us right now"

[tweet] [link]
Here's the YouTube chat when Fann said this was not about reinstating Trump

[tweet] [link]
Bennet: The ballots were in locked cages that were kept secure 24/7

AZ SoS Observers:

[tweet] [link]
I lost the thread a bit as Bennet's been speaking because I had to step away. @Garrett_Archer's been covering it all very closely, so check out his feed to catch up.

[tweet] [link]
Petersen asking Cotton what digital forensics work has been done so far. Cotton's going to walk through that process.

[tweet] [link]
Cotton: "As part of the imaging process - chain of custody is important - upon receiving each of the digital devices, they filled out an evidence acquisition form that started the chain of custody. They recorded all serial #'s and used a write block device" - https://en.wikipedia.org/wiki/Forensic_disk_controller

[tweet] [link]
Cotton: "We then took a bit-for-bit forensic copy for each of the digital devices. At the end of the copy, they applied an MD5 hash to the acquisition. If any bit of data in the forensic image is changed, the MD5 hash will not match"

[tweet] [link]
Cotton: "We then took the digital copies, and maintained one as primary evidence. It was locked away in a GSA approved safe. They then created exam copies that were used for determination of the 'cyber security status' and other aspects of those systems"

[tweet] [link]
Me: So far that's all standard DFIR operations.

[tweet] [link]
Petersen: "Mr. Cotton, so you're saying with this process that the machines you reviewed were not altered or modified in any way"

Cotton: "This is correct"

[tweet] [link]
Me: We have to take their word for this. There would have been nothing stopping them from being tampered with prior to their imaging of the devices. Not saying they did - but since the process wasn't observed by non-partisan observers, we can't verify they weren't

[tweet] [link]
Me: If Maricopa County had performed their own imaging of the machines prior to handing them over, they would be able to verify whether the machines were tampered with.
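The imaging and hashing process Cotton describes, and the point above about a reference hash taken before handover, as an added illustration that is not from the original thread. The acquisition form, the serial number and the sample "image" bytes are constructed; the second SHA-256 digest is an assumption added alongside the MD5 Cotton mentions, since MD5 alone is not collision resistant.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AcquisitionRecord:
    """Constructed stand-in for the evidence acquisition form: device serial plus digests."""
    serial_number: str
    md5: str
    sha256: str  # assumption: a second digest the page does not mention


def digest_image(image: bytes) -> tuple[str, str]:
    """Hash a bit-for-bit image. Any changed bit changes both digests."""
    return hashlib.md5(image).hexdigest(), hashlib.sha256(image).hexdigest()


def acquire(serial_number: str, image: bytes) -> AcquisitionRecord:
    """Start the chain of custody: record serial number and digests at acquisition time."""
    md5, sha256 = digest_image(image)
    return AcquisitionRecord(serial_number, md5, sha256)


def verify(record: AcquisitionRecord, image: bytes) -> bool:
    """Check an exam copy (or a later re-image) against the recorded digests."""
    md5, sha256 = digest_image(image)
    return md5 == record.md5 and sha256 == record.sha256


def flip_bit(image: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of the image with one bit toggled (simulates any tampering or a timestamp write)."""
    buf = bytearray(image)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


# Constructed 4 KiB "disk image"; the county-side record models a hash taken before handover.
PRIMARY_IMAGE = bytes(range(256)) * 16
COUNTY_RECORD = acquire("SN-EXAMPLE-0001", PRIMARY_IMAGE)  # placeholder serial
EXAM_COPY = bytes(PRIMARY_IMAGE)  # an exam copy made from the primary evidence image

if __name__ == "__main__":
    print("exam copy matches:", verify(COUNTY_RECORD, EXAM_COPY))
    print("one flipped bit matches:", verify(COUNTY_RECORD, flip_bit(PRIMARY_IMAGE, 1000, 3)))
```

The software check only proves the image is unchanged since the recorded digest was taken; whether the device was untouched before that point is exactly what an independent pre-handover hash would establish.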

[tweet] [link]
Cotton: "The position that they must replace all of the voting equipment is at odds with the statements that were made by the Maricopa County officials after the audits were conducted earlier this year"

[tweet] [link]
Me: The big difference is that the prior auditors were EAC certified. CyFir was not.

[tweet] [link]
Cotton: "We received 11 images of various hard drives from the county. Those images were not taken in a forensically safe way, so their imaging process modified timestamps"

Me: The county should have used a write-block device.

[tweet] [link]
Cotton: "We've conducted key word searches across the devices looking for anomalous activity and malware."

[tweet] [link]
Cotton: "We have not received the router configuration files, or the router data. County officials agreed to provide virtual access to this data, as well as Splunk netflow data for 90 days prior to and 60 days after the election."

[tweet] [link]
Cotton: "We have not received that due to the May response by the county that handing it over would compromise law enforcement data and PII"

[tweet] [link]
Petersen: "Why do you need to look at this data? What's the significance?" Cotton: "It's critically important to substantiate some findings we've observed through the keyword searching"

[tweet] [link]
Cotton: "For example, we know that an element of the election system was compromised in November 2020. The registration server that was public facing did have unauthorized access. We know that the county has accepted that as an unauthorized breach, because they notified voters"

[tweet] [link]
Cotton: "The 2nd item: There are severe cybersecurity problems with the way the EMS system and network was maintained. For example: If you walk into an average home computer, you will find that the antivirus definitions have been updated."

[tweet] [link]
Cotton: "You will find that the system is patched and that the AV systems are up to date. We have not observed this with the Maricopa county election system. The last time they were updated was 08/2019"

[tweet] [link]
Me: This same exact thing was called out in Antrim. Halderman addressed this. https://s3.documentcloud.org/documents/20702935/halderman-report-antrim.pdf

[tweet] [link]
Petersen: "Are the county's concerns about the router valid to you?" Cotton: "They're not. Think of a router as a mail carrier. You write a letter, put an address on it, and the mail carrier routes it to the destination. Routers are similar."

[tweet] [link]
Cotton's basically saying that this is fine since they only want netflow data - which shows traffic direction, source and destination IP addresses and ports, as well as the protocol, packet size, and MAC address (on the receiving side of the traffic).

[tweet] [link]
Cotton's accurate in that Netflow data should not present a security concern as far as data leakage or PII.

[tweet] [link]
Fann: "Why are the routers shared between the election system and law enforcement?" Cotton: "What the county told the Republic is drastically different from how they responded to the subpoena. They stated that the election system was closed, and did not touch the internet"

[tweet] [link]
Cotton: "The fact that they've responded back to an official subpoena that traffic was commingled with other networks is an indication that they were maybe not honest in what they told the American public"

[tweet] [link]
Cotton: "Part of the challenge we have, is that with the EMS, the Windows Event Log actually only goes back to the 5th of Feb of 2021. We need this [Splunk data] to help fill in the blanks between the election and Feb."

[tweet] [link]
Cotton: "The security log was configured to retain 20MB of data. This operates on a first-in-first-out basis" (AKA, oldest data is rolled out as new data is rolled in)

[tweet] [link]
Cotton: "When we took a look at this, in March, there were 37k queries for a blank password. On a system that only contained 8 accounts. The script was executed by user EMSAdmin. What we don't have, because of the lack of logs, is where that script came from"

[tweet] [link]
Browser crashed, and I missed a minute or two. Cotton's talking about trying to determine whether the Dominion ICP's have ever communicated with the internet.

[tweet] [link]
Cotton and Petersen are reiterating that Dominion seemed to have more access to the ICP machines than the county.

[tweet] [link]
Cotton: "We have found that all administrative accounts shared the same password. The password was established the same time the Dominion software was installed on the systems in 2019"

Me: Cotton's right - this is poor hygiene.

[tweet] [link]
Cotton: "Because these are shared passwords, we cannot attribute actions to specific individuals" Petersen: "Which password is this?" Cotton: "EMSAdmin [Windows] password, the adjudication password."

[tweet] [link]
Cotton: "When you log in to Windows with the EMSAdmin password, you have access to the EMS" Petersen: "So you have the EMS admin passwords, but not the tabulators?" Cotton: "We have the tabulator admin password too, but we're missing the 2-factor fob"

[tweet] [link]
Cotton: "Another reason we need Splunk logs: Anonymous logins are a common part of Windows activity. When you access an SMB share it shows up in logs first as an anonymous login, then with a username. We're seeing anonymous logins at the system level that do not fit that pattern"

[tweet] [link]
Me: Cotton's correct in his assertion that anonymous logins being present in Event logs is normal, as part of access to things like SMB shares. Sounds like they've seen other anonymous logins in the event logs that aren't due to that type of activity.

[tweet] [link]
Onto Logan talking about ballot counting.

[tweet] [link]
Logan: "We utilized kinematic artifact detection"

DRINK!

[tweet] [link]
It's Jovan's time to shine

[tweet] [link]
It sounds like the kinematic artifact detection is not looking at paper folds, but instead the ballot alignment marks.

[tweet] [link]
It seems to be measuring how far outside the allowable alignment range the actual printed alignment marks are.

[tweet] [link]
Fann: "What would cause the alignment to be so far off?" Logan: "Likely printer calibration." Fann: "Who printed these?" Logan: "The ballots we've seen printed by Runbeck have been pretty much spot on. The majority of alignment issues have been with ballots printed on demand"

[tweet] [link]
Me: Runbeck has been one of Ron Watkins' favorite boogeymen as of late. Logan just poked a hole in that a bit by noting that Runbeck's printing has been accurate.

[tweet] [link]
Fann gets a barb in that the proposed audit canvassing was called out while the Biden administration said they will go door-to-door on the vaccination campaign.

Of course, voting and vaccines are very different.

[tweet] [link]
Logan is "strongly recommending" that they perform canvassing.

[tweet] [link]
Meanwhile, Joe Flynn is pumping out propaganda. Again, he's referring to something that was reported on last December, and did not affect votes. https://www.forbes.com/sites/thomasbrewster/2020/12/04/exclusive-the-fbi-is-investigating-voter-data-theft-in-this-key-2020-election-battleground/?sh=3d9df05c34a4

[tweet] [link]
More falsehoods: The logs were NOT erased. That implies someone intentionally removed them. They were rotated. Log rotation is absolutely normal, and happens automatically once a certain threshold (usually date, file size, or both) is reached.

[tweet] [link]
Nothing of the sort was said during this hearing.

[tweet] [link]
Have to step away for a few minutes. Follow @Garrett_Archer @JMShumway @ben_giles @jeremyduda for updates in the meantime