23

I've never called a representative before, and I've never liked calling people in general. But the move that my great state just made pushed me over the line and I decided that I didn't have a choice anymore. I told them that they were allowing the voices of their constituents to be heard and that I greatly support them taking up this lawsuit.

Fellow Texans, I encourage you to do the same—light up their lines. Other states, call your Attorney Generals and ask them to get on board this lawsuit. Let's finish this!

25

A random thought occurred to me regarding the Georgia runoff. Notice that, if the GOP loses both seats, the Senate will have a 50/50 tie for party majority. That means that for any contested legislation, the Vice President breaks that tie, and this includes Supreme Court appointments. Everyone is aware that Joe Biden intends to pack the Supreme Court and has stated as much. Everyone is also aware that the Democrat Party votes in a bloc.

Historically speaking, the Supreme Court's number one fear has always been court packing, and will do everything in their power to avoid it. Because of the runoffs, we're in a situation where SCOTUS has no assurance that the Democrat Party will not completely control the Senate and the White House, meaning that all of their power is at stake, including that of the liberal judges. As a result (assuming they're cognizant of this information), all justices have a personal interest in ensuring a Joe Biden presidency does not occur.

In addition, the runoff isn't until January, meaning we don't actually have to lose the seats to acquire this leverage. I'm curious as to what anyone else thinks about that possibility.

17

As a preface, I'm in the information security (infosec, cyber security, pick your poison) industry, and the affidavit I'm looking at is this one here. This affidavit details foreign interference in the United States election by Iranian and Chinese actors. I'm going to try to go through this from as unbiased a perspective as possible whether it's the smoking gun we wanted or not. I'll also readily admit that my specialty is in threat emulation rather than forensics, but I'm more than familiar with the techniques present in this affidavit, having performed several of them myself.

The first thing our witness points out is that passwords are available for Dominion employees, both in plaintext and in hashed form. Hashes are a tool to permanently scramble a piece of information one way. They cannot be reversed. The only way to figure out the original piece of data is to take a guess (several times) and go through the scrambling process again ("cracking" the password). This is fairly common among companies.

The next thing he points out is a registered subdomain for Belgrade, the capital of Serbia. Subdomains are used to create a distinction between services connected to a domain (www is a subdomain commonly used for web traffic). This indicates that they did something in Serbia, which could range from consulting to election services. This doesn't tell us anything about our election, but it does tell us that the team did something in Serbia.

The Edison Research connection is one I'm torn on. There is a "similar domain" connection between edisonresearch.com and edisonresearch.<iranianText>.ir. It's curious that there's a mix between English text and Iranian text, but domain owners can name subdomains anything they want. I could go out and create an edisonresearch subdomain for a site that I own if I wanted to. So while it may be an artifact of me not being familiar with Robtex's interface, it is not a hard link in and of itself.

The next section is interesting, but it isn't clear. Is the IP address linked to the edisonresearch.com domain, or the edisonresearch.<iranianText>.com domain? I have no good way of looking up Iranian text, so I can't verify either case.

As for the VPS, I don't consider this a meaningful connection. VPSs host several websites at once on the same server (often with the same IP address). If you're familiar with Amazon Web Services (AWS), this is effectively the same idea. While it's curious if this is happening in Iran, I don't think it's immediately a red flag if two services are hosted on the same server. Forensics experts, feel free to clarify on my behalf.

dominionvotingsystems.com did indeed point to dominionvoting.com in 2011 through 2014, (2011 is shown in the affidavit). While anyone can point a domain at any other domain, this would strongly suggest that they owned the domain at this time. However, this redirect is no longer present on the Wayback Machine snapshot taken on October 9th, 2014. This happens to coincide with the domain being dropped on October 3rd, 2014 and re-registered on October 6th. (source and source). With paid records, I could obtain a more extensive look at the domain's ownership history, but for now, this seems to be sufficient.

From that point on, the domain appears to be inactive until the snapshot taken on July 27th, 2018. The site in this state appears to be a spam site and is clearly unrelated to Dominion itself. This registration is dropped again on January 31st, 2019 and is re-registered on March 10th, 2019. On May 8th of the same year, a website for Heshi Guanya Sports Equipment Co., Ltd. goes up on the domain. This registration was dropped on April 9th of this year and was re-registered on May 27th of this year. There is no snapshot of the site since re-registration, but I believe the site has been down since that point. I scanned the server the domain points to myself and it does not respond on any port.

Unfortunately, I believe dominionvotingsystems.com as relates to US foreign adversaries is too many steps removed to be considered a significant, modern link to Dominion Voting.

I'm moving on to item 11 at this point. I'll take for granted right now that the Iranian server is relevant to Dominion, despite some shaky foundation. The IP they searched, 195.20.45.232, does indeed appear to be a server in the Netherlands with a ton of garbage domains pointing to it upon a cursory lookup. I'll also buy that it's connected to Advanced Persistent Threat groups. However, the affidavit doesn't make it clear to me how this server is connected to the Iranian server. Perhaps, again, forensics experts could clarify this for me.

I assume indivisible.org was referenced as a result of some prior knowledge. scorecard.indivisible.org does indeed exist, but it seems to be comparing the positions of Joe Biden and President Donald Trump rather than the implied "Hammer and Scorecard" system. In fact, you can visit it yourself at https://scorecard.indivisible.org/. While anything is possible, there are no non-web services running on any port (i.e. it's just a website), and I highly doubt that there is a nefarious control center hosted on this subdomain.

dvscorp.com is listed as a domain being cohosted from the same server as dominionvoting.com. As previously mentioned, being present at the same server does not guarantee a connection. I also performed a name system lookup and discovered that dvscorp.com does not currently point to the same server as dominionvoting.com. All further analysis will be performed with the assumption that they were once hosted on the same server. I do find the name relation (dvs corp = dominion voting systems corporation) interesting. I do not know what it is referring to when it discusses the auto-discover feature.

The affidavit states that typo derivations (specifically for dvscorp.com) are used to catch failed URLs or as honeypots. While this can be the case, they are often used by malicious actors in attacks known as "typosquatting," in which connection to foreign adversaries is to be expected. I do not find the mistyped domain "dvscopr.com" to be a meaningful connection as-is.

It further goes on to illustrate the connection between other subdomains labeled dvscopr.<domain>.<topLevelDomain> (top level domains are the last bit of a URL including .com, .net, .cn, .ir, .win, .ninja, and so on). As stated previously, anybody can create a subdomain with any name, and this is not a meaningful connection to dvscorp, and subdomains are not useful as typocatchers either. At best, they're useful as a poor-man's typosquatting attack.

It seems that Dominion used their patents as collateral in a loan from China, but I'm not a financial expert or a patent lawyer, so I'll take these at face value. I do agree that it is disturbing that a voting system company might be receiving financial backing from China.

I'll accept the connection to Scytl at face value. The Scytl repository JSeats appears to be an unmodified fork of https://github.com/pau-minoves/jseats, the latter of which has since been updated. This is not software that Scytl has written or publicly modified, but it's possible that they used it.

I don't know why CTCL was relevant to the case or what it proves. It seems factual at first glance.

CONCLUSIONS

I wrote the opening paragraph before diving into this, and I hate to be the person to say it, but I disagree with the opinion that this affidavit is evidence of the claim that China and/or Iran accessed Dominion systems in this election or at any point in the past. Most connections in this vast web are incidental at best, and it is my (unhappy) professional opinion that it does not meaningfully contribute to Powell's case. I recognize that it's not the news that people want to hear, especially for what was intended to be a bombshell affidavit. I've been a diehard supporter for over four years now, and I want a smoking gun as much or more than anyone else. I'm not willing to allow that to blind the truth. That's not to say that China and Iran didn't play a part or that Dominion didn't do anything sketchy. It is also not to say that the witness in this case is lying. All it means is that the evidence provided in this affidavit does not support the conclusions being drawn.

I hope that Sidney Powell reconsiders including this in her case. I have no way of meaningfully reaching out to her, but if she would like any help verifying technological evidence in the future, I would be more than glad to offer my services for free.

18

As a preface, I'm in the information security (infosec, cyber security, pick your poison) industry, and I'm posting this again because I believe that it's important for our case. The reported bombshell affidavit I'm looking at is this one here. This affidavit details foreign interference in the United States election by Iranian and Chinese actors. I'm going to try to go through this from as unbiased a perspective as possible whether it's the smoking gun we wanted or not. I'll also readily admit that my specialty is in threat emulation rather than forensics, but I'm more than familiar with the techniques present in this affidavit, having performed several of them myself.

The first thing our witness points out is that passwords are available for Dominion employees, both in plaintext and in hashed form. Hashes are a tool to permanently scramble a piece of information one way. They cannot be reversed. The only way to figure out the original piece of data is to take a guess (several times) and go through the scrambling process again ("cracking" the password). This is fairly common among companies.

The next thing he points out is a registered subdomain for Belgrade, the capital of Serbia. Subdomains are used to create a distinction between services connected to a domain (www is a subdomain commonly used for web traffic). This indicates that they did something in Serbia, which could range from consulting to election services. This doesn't tell us anything about our election, but it does tell us that the team did something in Serbia.

The Edison Research connection is one I'm torn on. There is a "similar domain" connection between edisonresearch.com and edisonresearch.<iranianText>.ir. It's curious that there's a mix between English text and Iranian text, but domain owners can name subdomains anything they want. I could go out and create an edisonresearch subdomain for a site that I own if I wanted to. So while it may be an artifact of me not being familiar with Robtex's interface, it is not a hard link in and of itself.

The next section is interesting, but it isn't clear. Is the IP address linked to the edisonresearch.com domain, or the edisonresearch.<iranianText>.com domain? I have no good way of looking up Iranian text, so I can't verify either case.

As for the VPS, I don't consider this a meaningful connection. VPSs host several websites at once on the same server (often with the same IP address). If you're familiar with Amazon Web Services (AWS), this is effectively the same idea. While it's curious if this is happening in Iran, I don't think it's immediately a red flag if two services are hosted on the same server. Forensics experts, feel free to clarify on my behalf.

dominionvotingsystems.com did indeed point to dominionvoting.com in 2011 through 2014, (2011 is shown in the affidavit). While anyone can point a domain at any other domain, this would strongly suggest that they owned the domain at this time. However, this redirect is no longer present on the Wayback Machine snapshot taken on October 9th, 2014. This happens to coincide with the domain being dropped on October 3rd, 2014 and re-registered on October 6th. (source and source). With paid records, I could obtain a more extensive look at the domain's ownership history, but for now, this seems to be sufficient.

From that point on, the domain appears to be inactive until the snapshot taken on July 27th, 2018. The site in this state appears to be a spam site and is clearly unrelated to Dominion itself. This registration is dropped again on January 31st, 2019 and is re-registered on March 10th, 2019. On May 8th of the same year, a website for Heshi Guanya Sports Equipment Co., Ltd. goes up on the domain. This registration was dropped on April 9th of this year and was re-registered on May 27th of this year. There is no snapshot of the site since re-registration, but I believe the site has been down since that point. I scanned the server the domain points to myself and it does not respond on any port.

Unfortunately, I believe dominionvotingsystems.com as relates to US foreign adversaries is too many steps removed to be considered a significant, modern link to Dominion Voting.

I'm moving on to item 11 at this point. I'll take for granted right now that the Iranian server is relevant to Dominion, despite some shaky foundation. The IP they searched, 195.20.45.232, does indeed appear to be a server in the Netherlands with a ton of garbage domains pointing to it upon a cursory lookup. I'll also buy that it's connected to Advanced Persistent Threat groups. However, the affidavit doesn't make it clear to me how this server is connected to the Iranian server. Perhaps, again, forensics experts could clarify this for me.

I assume indivisible.org was referenced as a result of some prior knowledge. scorecard.indivisible.org does indeed exist, but it seems to be comparing the positions of Joe Biden and President Donald Trump rather than the implied "Hammer and Scorecard" system. In fact, you can visit it yourself at https://scorecard.indivisible.org/. While anything is possible, there are no non-web services running on any port (i.e. it's just a website), and I highly doubt that there is a nefarious control center hosted on this subdomain.

dvscorp.com is listed as a domain being cohosted from the same server as dominionvoting.com. As previously mentioned, being present at the same server does not guarantee a connection. I also performed a name system lookup and discovered that dvscorp.com does not currently point to the same server as dominionvoting.com. All further analysis will be performed with the assumption that they were once hosted on the same server. I do find the name relation (dvs corp = dominion voting systems corporation) interesting. I do not know what it is referring to when it discusses the auto-discover feature.

The affidavit states that typo derivations (specifically for dvscorp.com) are used to catch failed URLs or as honeypots. While this can be the case, they are often used by malicious actors in attacks known as "typosquatting," in which connection to foreign adversaries is to be expected. I do not find the mistyped domain "dvscopr.com" to be a meaningful connection as-is.

It further goes on to illustrate the connection between other subdomains labeled dvscopr.<domain>.<topLevelDomain> (top level domains are the last bit of a URL including .com, .net, .cn, .ir, .win, .ninja, and so on). As stated previously, anybody can create a subdomain with any name, and this is not a meaningful connection to dvscorp, and subdomains are not useful as typocatchers either. At best, they're useful as a poor-man's typosquatting attack.

It seems that Dominion used their patents as collateral in a loan from China, but I'm not a financial expert or a patent lawyer, so I'll take these at face value. I do agree that it is disturbing that a voting system company might be receiving financial backing from China.

I'll accept the connection to Scytl at face value. The Scytl repository JSeats appears to be an unmodified fork of https://github.com/pau-minoves/jseats, the latter of which has since been updated. This is not software that Scytl has written or publicly modified, but it's possible that they used it.

I don't know why CTCL was relevant to the case or what it proves. It seems factual at first glance.

CONCLUSIONS

I wrote the opening paragraph before diving into this, and I hate to be the person to say it, but I disagree with the opinion that this affidavit is evidence of the claim that China and/or Iran accessed Dominion systems in this election or at any point in the past. Most connections in this vast web are incidental at best, and it is my (unhappy) professional opinion that it does not meaningfully contribute to Powell's case. I recognize that it's not the news that people want to hear, especially for what was intended to be a bombshell affidavit. I've been a diehard supporter for over four years now, and I want a smoking gun as much or more than anyone else. I'm not willing to allow that to blind the truth. That's not to say that China and Iran didn't play a part or that Dominion didn't do anything sketchy. It is also not to say that the witness in this case is lying. All it means is that the evidence provided in this affidavit does not support the conclusions being drawn.

I hope that Sidney Powell reconsiders including this in her case. I have no way of meaningfully reaching out to her, but if she would like any help verifying technological evidence in the future, I would be more than glad to offer my services for free.

41

As a preface, I'm in the information security (infosec, cyber security, pick your poison) industry. And the affidavit I'm looking at is this one here. This affidavit details foreign interference in the United States election by Iranian and Chinese actors. I'm going to try to go through this from as unbiased a perspective as possible whether it's the smoking gun we wanted or not. I'll also readily admit that my specialty is in threat emulation rather than forensics, but I'm more than familiar with the techniques present in this affidavit, having performed several of them myself.

The first thing our witness points out is that passwords are available for Dominion employees, both in plaintext and in hashed form. Hashes are a tool to permanently scramble a piece of information one way. They cannot be reversed. The only way to figure out the original piece of data is to take a guess (several times) and go through the scrambling process again ("cracking" the password). This is fairly common among companies.

The next thing he points out is a registered subdomain for Belgrade, the capital of Serbia. Subdomains are used to create a distinction between services connected to a domain (www is a subdomain commonly used for web traffic). This indicates that they did something in Serbia, which could range from consulting to election services. This doesn't tell us anything about our election, but it does tell us that the team did something in Serbia.

The Edison Research connection is one I'm torn on. There is a "similar domain" connection between edisonresearch.com and edisonresearch.<iranianText>.ir. It's curious that there's a mix between English text and Iranian text, but domain owners can name subdomains anything they want. I could go out and create an edisonresearch subdomain for a site that I own if I wanted to. So while it may be an artifact of me not being familiar with Robtex's interface, it is not a hard link in and of itself.

The next section is interesting, but it isn't clear. Is the IP address linked to the edisonresearch.com domain, or the edisonresearch.<iranianText>.com domain? I have no good way of looking up Iranian text, so I can't verify either case.

As for the VPS, I don't consider this a meaningful connection. VPSs host several websites at once on the same server (often with the same IP address). If you're familiar with Amazon Web Services (AWS), this is effectively the same idea. While it's curious if this is happening in Iran, I don't think it's immediately a red flag if two services are hosted on the same server. Forensics experts, feel free to clarify on my behalf.

dominionvotingsystems.com did indeed point to dominionvoting.com in 2011 through 2014, (2011 is shown in the affidavit). While anyone can point a domain at any other domain, this would strongly suggest that they owned the domain at this time. However, this redirect is no longer present on the Wayback Machine snapshot taken on October 9th, 2014. This happens to coincide with the domain being dropped on October 3rd, 2014 and re-registered on October 6th. (source and source). With paid records, I could obtain a more extensive look at the domain's ownership history, but for now, this seems to be sufficient.

From that point on, the domain appears to be inactive until the snapshot taken on July 27th, 2018. The site in this state appears to be a spam site and is clearly unrelated to Dominion itself. This registration is dropped again on January 31st, 2019 and is re-registered on March 10th, 2019. On May 8th of the same year, a website for Heshi Guanya Sports Equipment Co., Ltd. goes up on the domain. This registration was dropped on April 9th of this year and was re-registered on May 27th of this year. There is no snapshot of the site since re-registration, but I believe the site has been down since that point. I scanned the server the domain points to myself and it does not respond on any port.

Unfortunately, I believe dominionvotingsystems.com as relates to US foreign adversaries is too many steps removed to be considered a significant, modern link to Dominion Voting.

I'm moving on to item 11 at this point. I'll take for granted right now that the Iranian server is relevant to Dominion, despite some shaky foundation. The IP they searched, 195.20.45.232, does indeed appear to be a server in the Netherlands with a ton of garbage domains pointing to it upon a cursory lookup. I'll also buy that it's connected to Advanced Persistent Threat groups. However, the affidavit doesn't make it clear to me how this server is connected to the Iranian server. Perhaps, again, forensics experts could clarify this for me.

I assume indivisible.org was referenced as a result of some prior knowledge. scorecard.indivisible.org does indeed exist, but it seems to be comparing the positions of Joe Biden and President Donald Trump rather than the implied "Hammer and Scorecard" system. In fact, you can visit it yourself at https://scorecard.indivisible.org/. While anything is possible, there are no non-web services running on any port (i.e. it's just a website), and I highly doubt that there is a nefarious control center hosted on this subdomain.

dvscorp.com is listed as a domain being cohosted from the same server as dominionvoting.com. As previously mentioned, being present at the same server does not guarantee a connection. I also performed a name system lookup and discovered that dvscorp.com does not currently point to the same server as dominionvoting.com. All further analysis will be performed with the assumption that they were once hosted on the same server. I do find the name relation (dvs corp = dominion voting systems corporation) interesting. I do not know what it is referring to when it discusses the auto-discover feature.

The affidavit states that typo derivations (specifically for dvscorp.com) are used to catch failed URLs or as honeypots. While this can be the case, they are often used by malicious actors in attacks known as "typosquatting," in which connection to foreign adversaries is to be expected. I do not find the mistyped domain "dvscopr.com" to be a meaningful connection as-is.

It further goes on to illustrate the connection between other subdomains labeled dvscopr.<domain>.<topLevelDomain> (top level domains are the last bit of a URL including .com, .net, .cn, .ir, .win, .ninja, and so on). As stated previously, anybody can create a subdomain with any name, and this is not a meaningful connection to dvscorp, and subdomains are not useful as typocatchers either. At best, they're useful as a poor-man's phishing attack.

It seems that Dominion used their patents as collateral in a loan from China, but I'm not a financial expert or a patent lawyer, so I'll take these at face value. I do agree that it is disturbing that a voting system company might be receiving financial backing from China.

I'll accept the connection to Scytl at face value. The Scytl repository JSeats appears to be an unmodified fork of https://github.com/pau-minoves/jseats, the latter of which has since been updated. This is not software that Scytl has written or publicly modified, but it's possible that they used it.

I don't know why CTCL was relevant to the case or what it proves. It seems factual at first glance.

CONCLUSIONS

I wrote the opening paragraph before diving into this, and I hate to be the person to say it, but I disagree with the opinion that this affidavit is evidence of the claim that China and/or Iran accessed Dominion systems in this election or at any point in the past. Most connections in this vast web are incidental at best, and it is my (unhappy) professional opinion that it does not meaningfully contribute to Powell's case. I recognize that it's not the news that people want to hear, especially for what was intended to be a bombshell affidavit. I've been a diehard supporter for over four years now, and I want a smoking gun as much or more than anyone else. I'm not willing to allow that to blind the truth. That's not to say that China and Iran didn't play a part or that Dominion didn't do anything sketchy. It is also not to say that the witness in this case is lying. All it means is that the evidence provided in this affidavit does not support the conclusions being drawn.

I hope that Sidney Powell reconsiders including this in her case. I have no way of meaningfully reaching out to her, but if she would like any help verifying technological evidence in the future, I would be more than glad to offer my services for free.
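The distinction the post draws between a mistyped domain such as dvscopr.com and hosts of the form dvscopr.<domain>.<topLevelDomain> can be checked mechanically when triaging look-alike hostnames. The sketch below is an added example, not part of the original post or of the affidavit: it separates look-alike registrations from look-alike subdomain labels. The function names, the `.example` hostnames and the "last two labels" rule for finding the registered domain are assumptions made for illustration.

```python
# Added example (not from the original post). Hostnames ending in ".example"
# are constructed; the three .com names are the ones quoted in the post.

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "rp" typed as "pr".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def split_host(host: str):
    """Return (registered domain, subdomain labels).

    ASSUMPTION: the registered domain is the last two labels. Real tooling
    should consult the Public Suffix List (e.g. for names under co.uk).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def classify(host: str, brand_domain: str, max_dist: int = 1):
    """Say where, if anywhere, a look-alike of the brand label appears."""
    brand_domain = brand_domain.lower()
    brand_label = brand_domain.split(".")[0]
    reg, sub_labels = split_host(host)
    if "." not in reg:
        return ("unrelated", reg)
    if reg == brand_domain:
        return ("brand", reg)  # the brand's own domain or a host under it
    if osa_distance(reg.split(".")[0], brand_label) <= max_dist:
        # Someone had to register this name: a typosquat or typo-catcher.
        return ("lookalike-registration", reg)
    if any(osa_distance(lbl, brand_label) <= max_dist for lbl in sub_labels):
        # Only a label under somebody else's domain; its owner can create
        # any label at will, so it ties the host to that owner, not the brand.
        return ("subdomain-label-only", reg)
    return ("unrelated", reg)


SAMPLE_HOSTS = [
    "dvscopr.com",              # mistyped domain quoted in the post
    "mail.dvscorp.com",         # constructed host under the real domain
    "dvscopr.parking.example",  # constructed: typo used as a subdomain label
    "dvscorp.hosting.example",  # constructed: exact label, unrelated owner
    "www.dominionvoting.com",   # different name entirely
]


def triage(hosts, brand_domain="dvscorp.com"):
    """Map each host to (category, domain whose owner controls the name)."""
    return {h: classify(h, brand_domain) for h in hosts}


if __name__ == "__main__":
    for host, (category, owner) in triage(SAMPLE_HOSTS).items():
        print(f"{host:28} {category:24} controlled via {owner}")
```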

38

When it looks like the hero has been defeated, a rallying cry from his friends and loved ones gives him the energy he needs to rise up and defeat the enemy once and for all.

128

Texan checking in. It's time to take this country back!
