Out of all the orgs involved in the Maricopa audit, I had assumed CyFir would be the most competent. The report that was just released by the county today blows that assertion into smithereens.
CyFir's conclusions demonstrate anything but competence.
See the screenshot for the CyFir finding (https://c692f527-da75-4c86-b5d1-8b3d5d4d5b43.filesusr.com/ugd/2f3470_d36cb5eaca56435d84171b4fe7ee6919.pdf).
Luckily for us, the county report includes screenshots.
Basically, Windows Event logs are noisy. And event names that sound suspicious typically have a reasonable explanation. This was obviously the case with the "ZOMG BLANK PASSWORD QUERYING HAX0R SCRIPT".
The cause, according to the county, was that the Dominion software utilized the "Microsoft Message Queue" service, which tends to generate these log messages as part of its normal course of business.
For laypeople, MS event codes and subcodes may as well be hieroglyphics. That's why sites like this exist: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4797
And that site very clearly says that the event is not indicative of anything bad.
- They weren't acting in good faith
- They have no fucking clue what they're doing