Discussion:
[Dailydave] Voting Village at Defcon
Dave Aitel
2018-08-13 19:32:49 UTC
Permalink
https://www.usatoday.com/story/tech/nation-now/2018/08/13/11-year-old-hacks-replica-florida-election-site-changes-results/975121002/

So I don't know a ton about the details of voting machines, but I'm pretty
sure what happened at the DEFCON voting village is not being represented at
all accurately in the media, and I'm curious why nobody in the community is
pushing back on it, specifically I think we have a duty not to be used as a
bludgeon in various uncouth political wars.

I don't think an 11yo hacked into anything close to a replica of the
Florida Election site. I think they followed a script to hit up a sample
vulnerable web page with SQLi.

Does anyone have more information on what exactly went down?
-dave
Kevin T. Neely
2018-08-16 16:47:53 UTC
Permalink
Sure, it's SQLi, but I'm not sure why you'd minimize her effort. According
to the village's Twitter account, she changed the vote tallys from a
replica of the site. https://twitter.com/VotingVillageDC It would be nice
if the media reported on the recommendations that come from the findings,
but we all know that's not how the media operates.

K
Post by Dave Aitel
https://www.usatoday.com/story/tech/nation-now/2018/08/13/11-year-old-hacks-replica-florida-election-site-changes-results/975121002/
So I don't know a ton about the details of voting machines, but I'm pretty
sure what happened at the DEFCON voting village is not being represented at
all accurately in the media, and I'm curious why nobody in the community is
pushing back on it, specifically I think we have a duty not to be used as a
bludgeon in various uncouth political wars.
I don't think an 11yo hacked into anything close to a replica of the
Florida Election site. I think they followed a script to hit up a sample
vulnerable web page with SQLi.
Does anyone have more information on what exactly went down?
-dave
_______________________________________________
Dailydave mailing list
https://lists.immunityinc.com/mailman/listinfo/dailydave
--
In Vino Veritas
Chris Eng
2018-08-23 18:12:15 UTC
Permalink
What even is the point of setting up “replica websites” that are only replicas in the sense that they ostensibly perform the same function as the real sites, but otherwise do not share common code/technology and are essentially known sacrificial sites with security bugs intentionally placed in them?

We know how much of the media operates. Did this coverage surprise anybody? Especially with quotes like this:

“These websites are so easy to hack we couldn’t give them to adult hackers — they’d be laughed off the stage,” said Jake Braun, a former White House liaison for the Department of Homeland Security.

Is he talking about the replicas and got quoted out of context? Or is he playing up the insecurity of the actual sites – without evidence – for a good sound bite? I know my guess.

Again why put these “replica websites” in the village to begin with when the reporting is inevitably going to be alarmist and needs to be walked back?

Last year we saw similar headlines about voting machines, wherein “hacked” turned out to mean someone ran a Nessus scan and they weren’t fully patched.



From: Dailydave <dailydave-***@lists.immunityinc.com> On Behalf Of Kevin T. Neely
Sent: Thursday, August 16, 2018 12:48 PM
To: ***@gmail.com
Cc: ***@lists.immunityinc.com
Subject: Re: [Dailydave] Voting Village at Defcon

Sure, it's SQLi, but I'm not sure why you'd minimize her effort. According to the village's Twitter account, she changed the vote tallys from a replica of the site. https://twitter.com/VotingVillageDC<https://twitter.com/VotingVillageDC> It would be nice if the media reported on the recommendations that come from the findings, but we all know that's not how the media operates.

K

On Mon, Aug 13, 2018 at 12:34 PM Dave Aitel <***@gmail.com<mailto:***@gmail.com>> wrote:
https://www.usatoday.com/story/tech/nation-now/2018/08/13/11-year-old-hacks-replica-florida-election-site-changes-results/975121002/<https://www.usatoday.com/story/tech/nation-now/2018/08/13/11-year-old-hacks-replica-florida-election-site-changes-results/975121002/>

So I don't know a ton about the details of voting machines, but I'm pretty sure what happened at the DEFCON voting village is not being represented at all accurately in the media, and I'm curious why nobody in the community is pushing back on it, specifically I think we have a duty not to be used as a bludgeon in various uncouth political wars.

I don't think an 11yo hacked into anything close to a replica of the Florida Election site. I think they followed a script to hit up a sample vulnerable web page with SQLi.

Does anyone have more information on what exactly went down?
-dave



_______________________________________________
Dailydave mailing list
***@lists.immunityinc.com<mailto:***@lists.immunityinc.com>
https://lists.immunityinc.com/mailman/listinfo/dailydave<https://lists.immunityinc.com/mailman/listinfo/dailydave>
--
In Vino Veritas
Dave Aitel
2018-08-25 11:41:03 UTC
Permalink
https://www.propublica.org/article/defcon-teen-did-not-hack-a-state-election

The whole thing was a sham. I know darktangent is on this list. Something
to think about for next year ...

-dave
Post by Chris Eng
What even is the point of setting up “replica websites” that are only
replicas in the sense that they ostensibly perform the same function as the
real sites, but otherwise do not share common code/technology and are
essentially known sacrificial sites with security bugs intentionally placed
in them?
We know how much of the media operates. Did this coverage surprise
“These websites are so easy to hack we couldn’t give them to adult hackers
— they’d be laughed off the stage,” said Jake Braun, a former White House
liaison for the Department of Homeland Security.
Is he talking about the replicas and got quoted out of context? Or is he
playing up the insecurity of the actual sites – without evidence – for a
good sound bite? I know my guess.
Again why put these “replica websites” in the village to begin with when
the reporting is inevitably going to be alarmist and needs to be walked
back?
Last year we saw similar headlines about voting machines, wherein “hacked”
turned out to mean someone ran a Nessus scan and they weren’t fully patched.
*Kevin T. Neely
*Sent:* Thursday, August 16, 2018 12:48 PM
*Subject:* Re: [Dailydave] Voting Village at Defcon
Sure, it's SQLi, but I'm not sure why you'd minimize her effort.
According to the village's Twitter account, she changed the vote tallys
from a replica of the site. https://twitter.com/VotingVillageDC It
would be nice if the media reported on the recommendations that come from
the findings, but we all know that's not how the media operates.
K
https://www.usatoday.com/story/tech/nation-now/2018/08/13/11-year-old-hacks-replica-florida-election-site-changes-results/975121002/
So I don't know a ton about the details of voting machines, but I'm pretty
sure what happened at the DEFCON voting village is not being represented at
all accurately in the media, and I'm curious why nobody in the community is
pushing back on it, specifically I think we have a duty not to be used as a
bludgeon in various uncouth political wars.
I don't think an 11yo hacked into anything close to a replica of the
Florida Election site. I think they followed a script to hit up a sample
vulnerable web page with SQLi.
Does anyone have more information on what exactly went down?
-dave
_______________________________________________
Dailydave mailing list
https://lists.immunityinc.com/mailman/listinfo/dailydave
--
In Vino Veritas
Loading...