posted by brainphreeze +99 / -1

So in the following, I'm going to use some basic technical analysis, critique some of Scytl's "fact checks", as well as analyse the likelihood of whether or not Scytl were raided in Germany.

Let's start with some basics:

Taken from their "Election fact checking" page:

We do not have servers or offices in Frankfurt

https://scytl.us/scytls-role-in-2020-us-general-election/

It's clear to anyone here on td.win, that when you see the term "fact check", you're in for lawyer speak and technicalities to feed you misdirection.

Okay, so they may not have their own servers, but they very much were using AWS servers at some point. They also seem to have attempted a hasty shut down of services some time in the past week or so. They definitely did have a presence in Frankfurt as of last week, I know this because some or many of the following hosts were up and resolvable, with live services running:

18.196.162.197

City: Frankfurt am Main
ISP: Amazon.com
Continent: Europe
Country Code: Germany


Let's also confirm that the IP listed above is owned by AWS:

Easy, confirmed (18.196.162.197 falls within the 18.196.0.0/15 subnet)


I'm kicking myself for not documenting these hosts as being active and hosting services at the time, however, I can assure you that before the 13 November, many of these hosts were UP.

The wayback machine confirms this:

Note that both snapshots were taken November 08, 2020.


The Scytl "fact check" also links to an AP news fact check, another shining beacon of freedom and democracy: https://apnews.com/article/fact-checking-9754011363

In the statement Scytl said: “We do not have servers or offices in Frankfurt” and “The US army has not seized anything from Scytl in Barcelona, Frankfurt or anywhere else.” It also says Scytl does not “tabulate, tally or count votes in the US.”

At the time of the statement, it may be correct, as a quick scan shows that the servers are definitely not live anymore. This happened some time between November 08 and November 15.

"Scytl does not tabulate, tally or count votes in the US." Okay sure, this one might be correct, but look at the wording. They may be tabulating, tallying or counting the votes from the US, in another country (Barcelona or Frankfurt). To be honest, in a country that is worried about the security of their election, they SHOULD tabulate, tally or count votes in the US (or whatever country the election is held in).

Another point to make is, sure, Scytl might not be doing this tabulating or whatever themselves or using their own employees, however, their software is almost certainly being used to do this. One irrefutable example:

The second link redirects to SCYTL US - scytl.us

These are results from Georgia, 2020 November.


The next quote, from their president and GM for their US DIVISION:

Jonathan Brill, the president and general manager for Scytl’s U.S. division, told the AP that the company had a temporary connection to Frankfurt last year. “Backup servers in Frankfurt were used for a specific project for the European Parliament in 2019,” Brill said. “These back-up servers were closed in September 2019.”

Now, this is a very important distinction. Anyone familiar with lawyer speak and the left's "fact checking" methodology knows that wording and technicalities are extremely important. Scytl's U.S. division technically can be considered its own entity, depending from which viewpoint you are assessing it. Also note how he claims the back-up servers were closed in September 2019.

WRONG. Now, back-up servers for that particular project may have been closed then, who knows, but they absolutely had an AWS presence in Frankfurt as late as last week.


Now to move on to the raid itself.

"The U.S. military, either good or bad actors, seized Scytl hardware in Germany"

I've seen this a few times now. So this one is much harder to assess with facts, unless we were CNN and given a heads up and were sat outside the AWS Data Centre 15 mins before the raid. So we need to answer two questions, if we assume a raid did take place:

  • What was raided?
  • Who did the raiding?

So from what I can find, Scytl don't have any satellite offices or physical presence in Frankfurt (besides AWS). I could be wrong, and happy for pedes to further investigate or link me to evidence. This is one possibility of what was "raided".

So what else could have been raided? Well obviously, the AWS servers that hosted Scytl's services. Now for those of you who have an understanding of Amazon's AWS, you know that you can either use:

  • virtualised networks and services, using shared hardware (with other AWS customers)
  • hardware dedicated to single tenant customers (dedicated servers+storage for Scytl)

This is where we have to start making assumptions:

  • We have to assume Amazon are not friendly to the Trump government. Take one look at Jeff Bezos to know this to be true (Amazon CEO and Washington Compost owner)
  • Amazon do not freely hand over data or hardware, unless by government/legal mandate. Even then, I'd imagine there would be roadblocks and difficulties. This was also on German soil, further muddying the waters.
  • Confiscation of a single tenant's services that is running on SHARED hardware, in a logical separation model, is extremely difficult. It may be possible with Amazon's assistance, however, remember that we are assuming Amazon are not friendly to the Trump government.
  • Dedicated hardware is most certainly something that Amazon can identify within their data centers. This is an assumption, however, due to regulations and legal requirements, clients want to know where their physical data resides and will audit AWS, to ensure that their data is physically separated from others in the same facility.

Conclusions:

So this leads me to believe that, IF the raids actually did take place, which they very well could have:

  • If it were Scytl's AWS presence, they must have been operating on dedicated hardware
  • It is highly likely that it was either Scytl themselves, or an associate or someone friendly with either Scytl, and/or Amazon

The odds of this being a Trump government led effort to seize assets on foreign soil is highly unlikely, given the roadblocks Amazon would and could put in place, as well as the clear lack of technical and security allies he seems to have (take one look at the DHS cyber division to know it is riddled with TDS, Chris Krebs being a prime example).


TLDR:

  • Scytl's fact checks are typically in line with the same rubbish fact checking practices we've seen for four years - propaganda and lies.
  • They may or may not have been raided, but the likelihood of it being a Trump backed raid is quite low.
  • Scytl did have a presence in Frankfurt, but attempted to close up shop shortly after the election took place.
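
As an added example, not part of the original post: the subnet check the post describes (18.196.162.197 against 18.196.0.0/15) can be reproduced offline against data in the layout of AWS's published ip-ranges.json. The excerpt below is constructed; only the 18.196.0.0/15 prefix comes from the post, and the region and service values, the 192.0.2.x entries and the function names are assumptions for illustration.

```python
import ipaddress
import json

# Constructed excerpt in the layout of AWS's published ip-ranges.json.
# Only 18.196.0.0/15 comes from the post; the region and service values
# and the 192.0.2.x documentation ranges are assumptions for this example.
SAMPLE_RANGES = json.loads("""
{"prefixes": [
  {"ip_prefix": "18.196.0.0/15",  "region": "eu-central-1", "service": "AMAZON"},
  {"ip_prefix": "18.196.0.0/15",  "region": "eu-central-1", "service": "EC2"},
  {"ip_prefix": "192.0.2.0/24",   "region": "example-1",    "service": "AMAZON"},
  {"ip_prefix": "192.0.2.128/25", "region": "example-2",    "service": "AMAZON"}
]}
""")


def find_prefixes(ip, ranges):
    """Return every listed entry whose prefix contains ip, most specific first."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for entry in ranges.get("prefixes", []):
        net = ipaddress.ip_network(entry["ip_prefix"])
        if addr.version == net.version and addr in net:
            hits.append((net.prefixlen, entry))
    hits.sort(key=lambda hit: hit[0], reverse=True)
    return [entry for _, entry in hits]


def summarize(ip, ranges):
    """Report the most specific matching prefix, its region and its service tags."""
    hits = find_prefixes(ip, ranges)
    if not hits:
        return None  # not in any listed range
    best = hits[0]
    services = sorted({h["service"] for h in hits if h["ip_prefix"] == best["ip_prefix"]})
    return {"ip": ip, "prefix": best["ip_prefix"],
            "region": best["region"], "services": services}


if __name__ == "__main__":
    for ip in ("18.196.162.197", "192.0.2.200", "198.51.100.7"):
        print(ip, "->", summarize(ip, SAMPLE_RANGES))
```

A match identifies the network operator and region that publish the address range; it does not show which customer holds the address or whether the underlying hardware is shared or dedicated.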
Zefside 3 points ago +3 / -0

Thanks for the analysis and nice work. I think you have proved in my mind that they did have servers in Frankfurt, but it's hard to say what's happened since then.