Drew Springall

Update: 20+ leading experts in cybersecurity and elections just wrote to @MITREcorp CEO Jason Providakes urging him to retract MITRE's dangerously mistaken report. dropbox.com/s/kujr9uqchwcf… Signers include @RonRivest @schneierblog @matthew_d_green @ejsebes @robertgraham @philipbstark

@jhalderm 5/5 If written today, we would include references to later-events (Coffee Co GA, Mesa Co CO, others' public discoveries, etc) plus our further-improved understanding of the vulns/weaknesses/etc. @jhalderm and I will be updating and submitting for peer-review later this summer.

@jhalderm 4/5 the report you see is ~2 years old (filed Jul2021) and reflects understanding/knowledge at that time but everything is still valid and correct. We asked the vendor to point-out any technical inaccuracies or misunderstandings over a year and a half ago and have heard nothing.

1/5 The report @jhalderm and I wrote after discovering/PoC-ing the many exploitable vulnerabilities in the Dominion Voting Systems' ImageCast X system is now public. storage.courtlistener.com/recap/gov.usco…

Great work protecting everyone from "offensive content" there @twitter.

@GabrielSterling @MITREcorp @jhalderm @realMikeLindell @MarilynRMarks1

Court unseals @MITREcorp report that completely debunks Election deniers’ @jhalderm @realmikelindell @MarilynRMarks1 claims of voting machine hacks: “proposed attacks were assessed to be operationally infeasible.” sos.ga.gov/news/raffenspe…

@umbernhard @braden_crimmins I don't see how it could be viewed as an unrealistic threat. There's an open-world of possibilities for obtaining identity. Could be small-scale (counter allows few before/after) or large-scale (all-day surveillance footage allows entire polling place).

Ben’s perspective here is worth addressing. I wanted to take some time to respond to the points he makes.

1/ Colleagues and I have found a serious privacy flaw that affects Dominion ICP and ICE ballot scanners. We've already informed Dominion, CISA, EAC, and state officials, and we've created a site to help officials and the public understand the issue: DVSorder.org

4/4 We'd be excited to work with election officials to see whether other systems have similar vulns and how to best defend. Many people have made many claims about election security and the best way to sort true from false is to perform serious technical analysis.

3/ We only tested two software versions of a single EAC-certified system (as part of a pre-2020 lawsuit in GA). The vendor didn't give us or CISA access to test other versions or their claimed fixes. It also hasn't publicly stated what other versions share these vulns (if any).

1/4 @jhalderm and I investigated the security of the Dominion ImageCast X BMD used in Georgia and our findings aren't pretty. @CISAgov just published an advisory about vulnerabilities we found and I hope the full report we sent them will be available soon. cisa.gov/uscert/ics/adv…

Well that looks...not good. Someone might wanna check on the @hbomax integration testing infrastructure.

Here's my analysis of what happened in Antrim County, Michigan, during the November election: michigan.gov/sos/0,4670,7-1… Full report: michigan.gov/documents/sos/…

@matthew_d_green @jiceman What if it was explicitly and knowingly turned-on for COVID contact tracing via ENS? I can envision Android <11 users not checking whether History was already on (?History-only doesn't report?). support.google.com/android/answer… support.google.com/accounts/answe…

@jiceman I don’t know. If someone tells me this person explicitly and knowingly activated features that caused their phone to record this info I’d be less horrified.

It’s pretty insane that your phone OS not only routinely collects your precise location but sends it up to a server to be persistently logged. I know we’re used to this, but this shouldn’t be happening.

@0xfraq Absolutely. If everything's good, just hit me up here, in the Slack, or at aaspring@auburn.edu.

@_aaspring_ Hey, this may or may not work out. Let me talk with Dr. Green and see if there is any conflict first.

If you know golang or like writing frontends, I've got a small, fun project for you! My DMs open as well