Georgia Election Server Mysteriously Wiped Clean After Lawsuit Highlights Major Vulnerabilities

from the yeah-whoops-a-daisy dept

For as long as Techdirt has existed, we've highlighted how most implementations of electronic voting simply aren't safe or secure. The Diebold disaster in 2006, Sequoia's security scandal in 2008, and a rotating flood of similar stories since, have driven this point home time, and time, and time again. And despite these warnings neither the companies that make these machines, nor the election commissions or local governments tasked with overseeing them, have done enough (or, in many cases, much of anything) to ensure that our Democratic process is secure.

The latest example of just how not under control this problem is comes out of Georgia, where reports indicate that somebody managed to completely wipe a server integral to a lawsuit against Georgia election officials. The lawsuit, filed by a coalition of election reform advocates, is attempting to force Georgia to retire antiquated and heavily-criticized election technology that has been under fire in the media since June, after security researchers indicated that the touch-screen machines could be easily tampered with without leaving much of a trace:

A misconfigured server, Logan Lamb discovered last August, had left Georgia’s 6.7 million voter records and other sensitive files exposed to hackers. And it may have been left unfixed for seven months. The vulnerability might have allowed attackers to plant malware and possibly rig votes or wreak chaos with voter rolls by deleting or altering records — a major concern amid heightened sensitivity to state-sponsored Russian election hacking.

Shortly after the lawsuit was filed, the servers of interest in the case were mysteriously wiped by technicians at the Center for Elections Systems at Kennesaw State University, which oversees the state’s election system. The Associated Press only discovered the wipe after obtaining an email from an assistant state attorney general to plaintiffs in the case. Efforts to determine who requested that the server be wiped clean have so far gone nowhere:

The Kennesaw election center answers to Georgia’s secretary of state, Brian Kemp, a Republican who is running for governor in 2018 and is the main defendant in the suit. A spokeswoman for the secretary of state’s office said Wednesday that “we did not have anything to do with this decision,” adding that the office also had no advance warning of the move. The center’s director, Michael Barnes, referred questions to the university’s press office, which declined comment.

Plaintiffs in the case have argued that data from last November’s election and a special June 20th congressional runoff cannot be trusted due to the unresolved flaws in the machines. And while the election server would have gone a long way toward answering that concern, it was wiped clean on July 7 -- just four days after the lawsuit was filed. Two backup servers were subsequently wiped clean on August 9, just as the case was moving to federal court.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 26 Oct 2017 @ 12:04pm

    Yes, so mysterious

    What could have happened, I wonder? Perhaps the neighbor's dog ate the server?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 Oct 2017 @ 12:06pm

    But, but Russians

    reply to this | link to this | view in chronology ]

  • icon
    TechDescartes (profile), 26 Oct 2017 @ 12:08pm

    So all of Georgia's politicians weren't elected and have to go home?

    That's the best news I've heard all day.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 Oct 2017 @ 12:14pm

    What about the backups? Why are there never backups?

    reply to this | link to this | view in chronology ]

    • identicon
      Chris Brand, 26 Oct 2017 @ 12:18pm

      Re:

      Try reading all the way to the end of the article - the final sentence answers your question.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 26 Oct 2017 @ 12:39pm

        Re: Re:

        Try reading all the way to the end of the article - the final sentence answers your question.

        Except it doesn't. The final sentence says "Two backup servers were subsequently wiped clean". To me, a backup server is an alternate that could be used instead of the primary, whether for hot failover, quick disaster recovery, etc. Grandparent is asking about backups, in particular off-site backup archives, which are not whole servers on their own, but could reasonably be used for forensics if the master server from which the backup was created was unavailable. Organizations should have backup archives for everything they might need to replace, and should have backup servers for things that need to be replaced quickly. Backup servers provide quick recovery; backup archives for slower, cheaper, and deeper recovery. Storing a spare backup server once a week, with backups going back a year (or more) becomes expensive quickly. Storing backup archives once a week is comparatively cheap - it's just disk space, not all the incidental computer components. It gets cheaper still with some basic use of incrementals, such that each backup is just a delta recording changes since the last full backup.

        reply to this | link to this | view in chronology ]

  • identicon
    Personanongrata, 26 Oct 2017 @ 12:17pm

    Paper Ballots

    Georgia Election Server Mysteriously Wiped Clean After Lawsuit Highlights Major Vulnerabilities

    A two part paper ballot system can provide an auditable paper trail for every vote cast that can not be wiped clean. Each voter would keep the 1st part of the ballot in their personal possession with the second part of the ballot stored by the local election commission.

    Ensuring the sanctity of the democratic process is worth the added time and inconvenience of using paper ballots.

    reply to this | link to this | view in chronology ]

    • icon
      Anonymous Anonymous Coward (profile), 26 Oct 2017 @ 12:33pm

      Re: Paper Ballots

      At least until the warehouse they are stored in gets up close and personal with a lit match. Maybe even both warehouses if they are smart and store them separately.

      So, who stands to gain from this? Hmm... Are they about to be charged with destruction of evidence? Hmm...

      reply to this | link to this | view in chronology ]

      • identicon
        Personanongrata, 26 Oct 2017 @ 1:24pm

        Re: Re: Paper Ballots

        Re: Paper Ballots At least until the warehouse they are stored in gets up close and personal with a lit match. Maybe even both warehouses if they are smart and store them separately.

        The beauty of a two part paper ballot is the voter gets to retain the first part of the ballot as a receipt for their vote while the local election commission retains the second part of the ballot.

        There is no chance of both ballots burning up in a warehouse as the ballots are kept separately.

        reply to this | link to this | view in chronology ]

        • icon
          Hugo S Cunningham (profile), 26 Oct 2017 @ 7:29pm

          Re: Re: Re: Paper Ballots

          > The beauty of a two part paper ballot is the voter gets to retain the first part of the ballot as a receipt for their vote while the local election commission retains the second part of the ballot.

          Allowing the voter to take a copy of his ballot outside would make vote-buying (and vote-coercing) enforceable.

          reply to this | link to this | view in chronology ]

    • icon
      ECA (profile), 26 Oct 2017 @ 1:27pm

      Re: Paper Ballots

      cAN i ?
      cAN i, cAN i cAN i ASK????

      HOW do you verify a 2 part when I have 1/2 of it, and NEVER USE IT???
      WHEN in HELL do they ever ASK for that second part???

      HAVE you ever seen them CALL IN the second parts to verify, and WHO would be independent to EVALUATE IT..

      reply to this | link to this | view in chronology ]

      • identicon
        Personanongrata, 26 Oct 2017 @ 1:47pm

        Re: Re: Paper Ballots

        cAN i ? cAN i, cAN i cAN i ASK????

        You can, you can, you can.

        HOW do you verify a 2 part when I have 1/2 of it, and NEVER USE IT???

        Have you ever voted?

        In my local home town there is a voter registration log all voters sign into before casting their vote.

        Each voters two part paper ballot would have a identification number that ties the voter to the ballot and the ballot to the election at hand.

        WHEN in HELL do they ever ASK for that second part???

        The second part of the paper ballot could be used if the first part of the paper ballot were destroyed or to confirm the results of a tightly contested election.

        HAVE you ever seen them CALL IN the second parts to verify, and WHO would be independent to EVALUATE IT..

        Yes. Do the terms hanging and dimpled chads ring a bell?

        https://cseweb.ucsd.edu/~goguen/courses/275f00/abc-chads.html

        There are no fool-proof silver bullet solutions but a two part paper ballot that can be audited beats bits and bytes that can be easily exploited/erased.

        reply to this | link to this | view in chronology ]

      • icon
        ECA (profile), 26 Oct 2017 @ 4:06pm

        Re: Re: Paper Ballots

        THERE IS A WAY,,,
        Submit BOTH PARTS
        1 tot he election bureau..
        1 to an INDEPENDENT group..Even your church..

        If they are NOT CLOSE, its a reelection..

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 Oct 2017 @ 1:50pm

      Re: Paper Ballots

      How does this improve the war on voting fraud (stipulating this is a real issue)? After an alleged fraud, everybody gonna show up some-damn-where and show their "receipt" to some-damn-body? 'Cuz we know how good people are about showin' up at the polls in the first place. Just imagine how reliable the keeping of "receipts" will be and how faithfully voters will take the extra time to taxi their "receipts" for a second pseudo-polling event and how much more trustworthy the tally of those "receipts" will be than the original "vote"?

      reply to this | link to this | view in chronology ]

      • identicon
        Personanongrata, 26 Oct 2017 @ 2:00pm

        Re: Re: Paper Ballots

        How does this improve the war on voting fraud (stipulating this is a real issue)? After an alleged fraud, everybody gonna show up some-damn-where and show their "receipt" to some-damn-body? 'Cuz we know how good people are about showin' up at the polls in the first place. Just imagine how reliable the keeping of "receipts" will be and how faithfully voters will take the extra time to taxi their "receipts" for a second pseudo-polling event and how much more trustworthy the tally of those "receipts" will be than the original "vote"?

        This is a problem that is inherent to all votes as it really isn't the voter that matters so much as the person(s) counting the votes.

        "As long as I count the votes, what are you going to do about it?" ~ William Magear Boss Tweed (aka Boss Tweed)

        https://en.wikipedia.org/wiki/William_M._Tweed

        reply to this | link to this | view in chronology ]

    • icon
      mhajicek (profile), 26 Oct 2017 @ 3:47pm

      Re: Paper Ballots

      Doesn't need to be paper, and paper would make it untenable. Just use a database, and issue a number that each voter can use to check their vote in the database. Use whatever encryption you like and maybe hash the vote number with the voter's name or something to make it very difficult to check someone else's vote without the issued number and knowing who it was issued to.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 Oct 2017 @ 12:25pm

    is it can be adverse inference tiem pls?

    reply to this | link to this | view in chronology ]

  • icon
    Chris ODonnell (profile), 26 Oct 2017 @ 12:35pm

    But her emails!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 Oct 2017 @ 1:22pm

    Wiped Clean

    Like with a cloth?

    reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 26 Oct 2017 @ 1:40pm

    IM SORRY, but..

    Iv been watching TONS of server violations in the last year...
    Databreaches.net

    ANd I have to say this...
    1. ANY ADMIN/operator in CHARGE of a server WILL UPDATE IT..
    SHOULD HAVE UP DATED IT..
    CHANGED THE SOFTWARE..
    in the last few years..
    2. ANY person responsible for DELICATE/IMPORTANT DATA DOES NOT ALLOW DIRECT ACCESS TO THE DATA...He is responsible for..

    3. ANYONE with a Good amount of Software and Hardware SHOULD be able to make an UNHACKABLE SYSTEM, from hardware..that Would NEED to be taken and HACKED other places then ON SITE..
    4. BACKUPS...require 3 copies, 1 internal, 1 away from system and 1 REMOTE...AND USE CURRENT BACKUP TECH...NOT FLOPPY DRIVES..magnetic data is VERY EASY to damage.. DVD, CD, BR should allow a HARD BACKUP...
    5. HOW IMPORTANT...1 backup per year? per month? PER WEEK?? DAY??

    Im sorry.
    I have to say this, and its relivent..
    1. HOW STUPID ARE WE??
    2. HOW STUPID ARE THEY??
    3. this is as bad as FORGETTING what pollution is, and removing ALL THE LAWS/REGULATIONS..
    4. Something is happening and its TRYING TO COVER ITSELF UP.. Something thats been here ALONG time and its trying to SURVIVE..
    5. HOW corrupt is this system?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 Oct 2017 @ 2:39pm

    Well, it worked for Hillary, so... it's good practice for everyone else too, right? If it's ok for politicians to do it, we can too!

    I noticed they skipped the use of hammers to insure transparency, but you know, baby steps.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 Oct 2017 @ 4:21pm

      Re:

      Now if only she was on an election commision that might have some relavence.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 27 Oct 2017 @ 12:59am

        Re: Re:

        Wiping servers with potentially incriminating evidence before a legal proceeding not relevant? I mean, really? You don't see any similarities at *all*?

        Or is this an "ok for me but not for thee" kind of thing? Selective enforcement makes a mockery of the rule of law, but you'd have to be stupid not to use the "Clinton defense" nowadays if you can get away with it.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 27 Oct 2017 @ 6:02am

          Re: Re: Re:

          Or is this an "ok for me but not for thee" kind of thing?

          I thought the big orange retard was going to lock her up?

          Yet another unfulfilled promise?

          reply to this | link to this | view in chronology ]

  • identicon
    stine, 26 Oct 2017 @ 2:49pm

    poor story

    How could you miss the fact that Sam Olens is president of KSU (Kennesaw State U)? Go back and contact them again, and this time FOI the emails between the him and the current governor and between him and the Republican party officials.

    I also suggest that the state AG send those machines off to a forensics company to have the disks recovered, since if they didn't prove the accusation, they would have been kept in a lockbox until the trial was over.

    Georgia, its like living in a trying-to-be-3rd-world country.

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 26 Oct 2017 @ 3:49pm

    "I am shocked, shocked I say!"

    Primary server wiped clean four days after the lawsuit is filed.

    Two backup servers wiped clean just over a month later.

    If the judge isn't readying destruction of evidence charges against everyone involved then they might as well resign on the spot and officially get a job working for the ones being sued. At the very least the entire election results should be thrown out as useless, and a new election required, with the contract for running it handed to someone who isn't so 'accident' prone.

    I can't think of a better way to loudly proclaim, 'As bad as you think our actions were, they were so much worse' than to wipe three servers, so I can only imagine how damning the contents of those servers were, and hope the judge assumes the worst and acts accordingly.

    reply to this | link to this | view in chronology ]

    • identicon
      Daydream, 26 Oct 2017 @ 5:13pm

      Re: "I am shocked, shocked I say!"

      Eyup.

      Of course, the people responsible won't be charged with destruction of evidence concerning potential election fraud, oh no.

      What I suspect will happen instead, will be "the wiping of the servers was part of routine maintenance, and we had no reason to suspect that we should retain the information on the servers. Don't worry though, we have a backup backup! Just tell us what signs you use to identify election fraud and give us a couple of months, and we'll have the 'original' data for you, free of any evidence of corruption."

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Professor, 26 Oct 2017 @ 5:14pm

    I teach at Kennesaw State University where this server is housed. A republican DA with no university experience was secretly appointed as president last year. The last president "retired" after extensive fraud was discovered at KSU. The current president ex-DA would have been the one to prosecute this fraud but, of course, he is no longer in the position to do so. Go figure.

    This is not news to us at KSU.

    reply to this | link to this | view in chronology ]

  • icon
    Hugo S Cunningham (profile), 26 Oct 2017 @ 7:23pm

    Hand-recountable OCR cards are best approach

    OCR cards can be machine-read and reported immediately, and then held in case a hand-recount is required. Standard protocols should set secure storage requirements (eg for how long?), and method for hand-recounting.

    Even if no race is close enough for a recount, a small number of randomly generated precincts should be asked to conduct hand recounts, for auditing purposes.

    reply to this | link to this | view in chronology ]

    • icon
      R.H. (profile), 26 Oct 2017 @ 8:08pm

      Re: Hand-recountable OCR cards are best approach

      That's Michigan. We use paper ballots that are read by an optical scanner at the poll and, normally, just the data from the scanner is used. In November 2016 some of the Wayne County (Detroit) precincts had failing scanners so, those votes were hand countable and also, due to how close the Presidential election was, nearly all the votes ended up being hand counted.

      There are better ways to set up a voting system (cryptographic verification methods come to mind here) but, I like my state's voting method.

      reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 27 Oct 2017 @ 1:12am

    hOW BAD..

    How bad does it need to be, to GET THINGS FIXED IN THIS NATION??

    Corps dont care about us, the Gov is WRECKED..and not letting the CHECKS AND BALANCE WORK..
    OVER PAID IDIOTS RUNNING THIS COUNTRY..

    EVERYONE REMEMBER THEY ARE EMPLOYEESS

    And 90% of this stuff is NOT in the newspapers..TV, ANyplace for the public View..

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Oct 2017 @ 5:14am

    So we're going to start paying attention to a problem we've been ignoring since Bush and Afghanistan, because Trump and Russia piss us off more?

    Well, I guess we have to start paying attention to these security problems some time, I just hate what it takes these days to get people to care. Bush went to war under false pretenses. Trump said some mean things on Twitter. Both were elected during and with the use of breakable EVMs.

    Also, why do we have to keep bringing up Russia? Trump won by electoral vote. Russia is accused of hacking the popular vote. You know, the vote Clinton actually won. Why is this always glossed over whenever Russian "election hacking" is brought up? Did I just happen to miss the article where they stand accused of hacking the electoral college?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Oct 2017 @ 6:05am

    Spoilation

    Georgia does in fact have a spoilation statute, so someone should have their toes held to the fire, so too speak, for this action.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Oct 2017 @ 8:16am

    https://www.youtube.com/watch?v=w3_0x6oaDmI

    Electronic voting is a really bad idea.

    reply to this | link to this | view in chronology ]

  • icon
    Padpaw (profile), 27 Oct 2017 @ 1:01pm

    The russians seem to be a scapegoat for everything these days.

    From georgia voting, to trump collusion with russia, to the clintons and obama colluding with the russians.

    We need a new bogeyman to blame stuff on. How about North Korea instead?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Oct 2017 @ 1:40pm

    Technicians and Brian Kemp: "We didn't do it. It was the computer."
    Judge: "M'kay."

    reply to this | link to this | view in chronology ]

  • identicon
    Richard Stallman, 29 Oct 2017 @ 11:35pm

    Misuse of term 'hacker'

    Please don't use the word "hackers" to mean people that maliciously break security. That's insulting to us hackers. For most of us, our hacking has nothing to do with security in any fashion. Please use the term "crackers" for people that break security.

    See https://stallman.org/articles/on-hacking.html.

    reply to this | link to this | view in chronology ]

    • icon
      The Wanderer (profile), 30 Oct 2017 @ 4:45am

      Re: Misuse of term 'hacker'

      While I agree with you, RMS, I'd also like to note that in this case, the term was used only in an excerpt quoted from another article; this article's author did not use the word incorrectly himself.

      IMO editing the quote to correct the usage would be more egregious an offense than the one being fixed thereby. (Although commenting in the article on the incorrect usage could also address the problem without going to that same extreme.)

      reply to this | link to this | view in chronology ]

      • icon
        The Wanderer (profile), 30 Oct 2017 @ 4:47am

        Re: Re: Misuse of term 'hacker'

        ...and after posting, it occurs to me that you may also have been addressing the commenters, some of whom have used related terms in the discussion.

        That's fine; never mind me, carry on.

        reply to this | link to this | view in chronology ]

    • icon
      Tanner Andrews (profile), 30 Oct 2017 @ 4:52am

      Re: Misuse of term 'hacker'

      use the term "crackers" for people that break security

      That's the thing with ignorance. It is of no use if you cannot show it off. So, congratulations on getting full value.

      The term cracker'' typically refers to people from a certain part of the south-eastern US. The term comes from the sounds of the whips used in driving the cattle across the state. Many counties still havecracker day'' festivals celebrating this part of their heritage.

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.