Of course, it remains to be seen if this software uses them. And, you would need access to the key pair used to sign the XML or JSON to determine if the file had been modified (otherwise, someone could just regenerate the signature).
I mean, the software itself, if it has the ability to produce those signatures, may have an import feature for files that don't include those signatures, or an override to import them, or a feature to sign unsigned versions.
I spent a lot of years doing statistical analysis using Excel and other tools. I could alter thousands of lines of data in seconds to completely change the outcome.
That ACTUALLY makes perfect since! CSV = Comma Separated Value. Not entering a comma for a field that is numeric, that might be followed by a field that is text or has a character limitation would cause a SQL error when uploaded. There is a video of the election officials going over the video evidence from the hearing, and he described the server crash as an error with the SQL server.
These guys are morons for doing things manually. I could automate the process with just a little Python. I need to modify csv, json, and xml files so often in the code that I write that I have a collection of stock classes to call on that I have written over the years.
Pro tip: Base your code on libraries of generic base classes that are light on dependencies and easily testable. Specialize at the highest level possible. Those generic base classes can be reused. Chances are, if you need to solve a problem once, you need to solve it again.
I work with XML daily publishing research papers in JSON. You can't even fucking imagine what people do to my poor files as soon as they get their hands on them. Trying to parse them back to anything resembling XML when they come back is a fucking horrorshow. So no, not any hands, but anyone with basic knowledge sure thing. I mean there's way more security to a pornhub password than US elections, which seems kind of weird to me.
It really depends on the controls in place. Is the file itself encrypted at rest? Is the SHA256 checksum of the file stored in a tamper proof section of hardware with an audit trail? Is the file cryptographically signed using a secure PK?
While the controls in place almost certainly are not adequite that doesn't mean human readable formats are inherently unable to be secured. Most of the internet traffic has json bodies and it's encrypted via SSL.
Kneejerk techlets don't need to REEE when people rightly point out that security controls can and do exist for sensitive data. We need more information.
I would wager that it's not encrypted. based on the video of that douche pulling the data onto his thumb drive, opening it on his laptop in Excel, filtering it and bouncing? no way.
csv, xml, and json are all plain ASCII formats and can be human-edited with ease in any plain text editor. (And anyone who suggests MS Notepad as an example, should be taken out with Bill Gates and shot.)
Plenty of ways a text file can be checksummed, but if the checsum is in the file too, then it was intended only for detecting transmission errors, and is worthless for preventing deliberate alteration. Anyone altering the file can just generate a new checksum.
I'd bet anything there are no more secure checks, like origin authetication certificates implemented for Dominion voting machine input or output files.
In order to do this properly, each machine must have it's own public/private key pair. Then, when the XML/JSON is exported, the machine signs the exported file with its private key.
When importing the file elsewhere, the receiving machine would need all the public keys. When importing it, it would use the machine identifier (in the file, and therefore protected by the signature) to select the correct public key, then use that to confirm the file came from the specified machine, and that it had not been modified.
In order to protect the integrity of the process, a key management process must be created to segregate the private keys from the public keys, so that no one can circumvent the digital chain of custody.
It's not rocket science. This is all well-established technology. Open source software already exists to do it.
meanwhile customers are asking for options such as ballot weights for elections.
NO ONE should ever have that feature. If you want to skew votes so that there is a 1.3 weight for one candidate over the other, you can do that after the votes have been totaled and do it on the final results.
Instead this nonsense is baked in and then we have no idea if its enabled or not.
It should never have existed.
And don't get me started on how logs are proprietary info and the state agreed we shouldn't have access to it.
In order to do that, they have to disable certificate verification by the clients. An SSL cert is tied to the domain name of the server, and the only way you can use the same cert for multiple servers: a load-balancer precedes them.
Fact: could teach my 2 year old to alter any of those.
Im no programmer but even I know these can be changed in notepad 🙄
They can, but the specs for both XML and JSON include provisions for a digital signature. I posted links here:
https://thedonald.win/p/11QlFgNFTh/x/c/4DpMxRUuNxG
Of course, it remains to be seen if this software uses them. And, you would need access to the key pair used to sign the XML or JSON to determine if the file had been modified (otherwise, someone could just regenerate the signature).
I mean, the software itself, if it has the ability to produce those signatures, may have an import feature for files that don't include those signatures, or an override to import them, or a feature to sign unsigned versions.
I spent a lot of years doing statistical analysis using Excel and other tools. I could alter thousands of lines of data in seconds to completely change the outcome.
That ACTUALLY makes perfect since! CSV = Comma Separated Value. Not entering a comma for a field that is numeric, that might be followed by a field that is text or has a character limitation would cause a SQL error when uploaded. There is a video of the election officials going over the video evidence from the hearing, and he described the server crash as an error with the SQL server.
These guys are morons for doing things manually. I could automate the process with just a little Python. I need to modify csv, json, and xml files so often in the code that I write that I have a collection of stock classes to call on that I have written over the years.
Pro tip: Base your code on libraries of generic base classes that are light on dependencies and easily testable. Specialize at the highest level possible. Those generic base classes can be reused. Chances are, if you need to solve a problem once, you need to solve it again.
sanddance extension for VSCode plots out csv files with real easy gui
comma? A monkey could change this in Excel.
Copy Safe Version is totally legit. Xtreme Multi Layer is uncompromizable. and Just Say Omni Nothing is the epitome of secure.
In the right hands, very easy.
I work with XML daily publishing research papers in JSON. You can't even fucking imagine what people do to my poor files as soon as they get their hands on them. Trying to parse them back to anything resembling XML when they come back is a fucking horrorshow. So no, not any hands, but anyone with basic knowledge sure thing. I mean there's way more security to a pornhub password than US elections, which seems kind of weird to me.
I am a JSON guy myself. I see the same issues even with dealing with programmatic APIs...
That could be why there were so many "crashes"...bad comma, bad bracket, bad quote. I screw it up myself on a daily basis.
Yeah if you can click things in Excel and hit the save button.
On any computer from the last 35 years, by anyone, in seconds
It really depends on the controls in place. Is the file itself encrypted at rest? Is the SHA256 checksum of the file stored in a tamper proof section of hardware with an audit trail? Is the file cryptographically signed using a secure PK?
you forgot the s/
While the controls in place almost certainly are not adequite that doesn't mean human readable formats are inherently unable to be secured. Most of the internet traffic has json bodies and it's encrypted via SSL.
Kneejerk techlets don't need to REEE when people rightly point out that security controls can and do exist for sensitive data. We need more information.
I would wager that it's not encrypted. based on the video of that douche pulling the data onto his thumb drive, opening it on his laptop in Excel, filtering it and bouncing? no way.
Dominions million dollar systems are sounding more and more like the basic bitch version of windows pc.
csv, xml, and json are all plain ASCII formats and can be human-edited with ease in any plain text editor. (And anyone who suggests MS Notepad as an example, should be taken out with Bill Gates and shot.)
Plenty of ways a text file can be checksummed, but if the checsum is in the file too, then it was intended only for detecting transmission errors, and is worthless for preventing deliberate alteration. Anyone altering the file can just generate a new checksum.
I'd bet anything there are no more secure checks, like origin authetication certificates implemented for Dominion voting machine input or output files.
The XML spec supports a digital signature:
https://www.w3.org/TR/xmldsig-core/
There's also a spec for a JSON digital signature:
https://tools.ietf.org/html/rfc7515
CodeMonkey should know about these.
But, it remains to be seen if these signatures were used in the files generated by the voting machine.
Given everything else we have seen, I would seriously doubt security in any form was done for systems that literally have over a dozen exploits
Yup, I doubt it, too.
In order to do this properly, each machine must have it's own public/private key pair. Then, when the XML/JSON is exported, the machine signs the exported file with its private key.
When importing the file elsewhere, the receiving machine would need all the public keys. When importing it, it would use the machine identifier (in the file, and therefore protected by the signature) to select the correct public key, then use that to confirm the file came from the specified machine, and that it had not been modified.
In order to protect the integrity of the process, a key management process must be created to segregate the private keys from the public keys, so that no one can circumvent the digital chain of custody.
It's not rocket science. This is all well-established technology. Open source software already exists to do it.
meanwhile customers are asking for options such as ballot weights for elections.
NO ONE should ever have that feature. If you want to skew votes so that there is a 1.3 weight for one candidate over the other, you can do that after the votes have been totaled and do it on the final results.
Instead this nonsense is baked in and then we have no idea if its enabled or not.
It should never have existed.
And don't get me started on how logs are proprietary info and the state agreed we shouldn't have access to it.
Here is a little factoid. Most of the Dominion servers share the same SSL cert.
In order to do that, they have to disable certificate verification by the clients. An SSL cert is tied to the domain name of the server, and the only way you can use the same cert for multiple servers: a load-balancer precedes them.
Yes.
lol 2015 and 2013 zero chance this got implemented on these shit machines
Impossible to alter, that has been debunked weeks ago. Most secure file formats in US history.
Lol
no human could ever decode and alter CSV! It's more heavily encrypted than Bitcoin! Deboonked!
They are all text files. Easy to alter. They could have at least zipped them and encrypted them by default.
CVS can be pulled directly into excel changed and resaved in the same format.
WTF
Muh NOTEPAD.exe!
Of course they probably aren't saved a hash. Which is fucking rediculous. I can't believe we have to deal with this shit this year. My god
CNTRL SHIFT END. And it's all gone
CTL+A, CTL+C, CTL+V, CTL+V, CTL+V, CTL+V, CTL+V.
What's with all the special 2 key presses? No one is supposed to know about those.. Are you secretly the infamous hacker 4Chan?
shhhhhh! it's the konami code of the DNC
AND DELETE of course
Oh no, not Completely Secure Versions. That's what CSV stands for. I know because Wikipedia will tell me that.
all three can be altered ... Senior Security Engineer
CSV 👍👍
good thing that election hardware doesn't run windows OS!
that will be enough of your shell talk mister