Georgia Scrambles To Patch Massive Vulnerabilities In Its Voter Registration System After Insisting It Was Totally Secure

from the so-about-that-voting-system... dept

Yesterday we had a rather incredible story about Georgia's Secretary of State, Brian Kemp, who, despite the conflict of interest, is both running for Governor and in charge of making sure Georgia's elections are fair. Over the weekend, Kemp had made a highly questionable claim that his opponents in the Democratic Party of Georgia had attempted to hack the voter registration system, and he was opening an investigation. As we noted, what appears to have actually happened was that an independent security researcher had discovered massive, stunning, gaping security flaws in Georgia's voter registration system, that would potentially allow anyone to access anyone else's information and even modify it. That's an especially big deal in Georgia, where the very same Secretary of State Brian Kemp had pushed for laws that meant that if any of your ID information was different from what was in the voter system, you didn't get to vote.

Incredibly, despite multiple security experts pointing out some fairly basic flaws, Kemp's office insisted the site was secure. According to press secretary Candice Broce:

“We can also confirm that no personal data was breached and our system remains secure.”

Elsewhere the Secretary of State's Office insisted there were no problems with the site. However, as ProPublica is now reporting, late Sunday night, after it had insisted there was nothing wrong, it appeared that someone behind the scenes was scrambling to patch the vulnerabilities:

ProPublica’s review of the state’s voter system followed a detailed recipe created by the tipster, who was described as having IT experience and alerted Democrats to the possible security problems. Using the name of a valid Georgia voter who gave ProPublica permission to access his voter file, reporters attempted to trace the security lapses that were identified.

ProPublica found the website was returning information in such a way that it revealed hidden locations on the file system. Computer security experts had said that revelation could give an intruder access to a range of information, including personal data about other voters and sensitive operating system details.

ProPublica’s attempt to take the next step — to poke around the concealed files and the innards of the operating system — was blocked by software fixes made that evening.

The same Candice Broce who had insisted that there was absolutely nothing wrong with the site then told ProPublica two obviously bullshit claims. First, that the setup that allowed users to see exactly where files were stored was standard practice, and so was making last minute changes to a voter registration website two days before an election:

Broce said the ability to see where files were stored was “common” across many websites, and she said it was not an inherent vulnerability. She did not deny that the website’s code was rewritten and would not say whether changes were made as a result of the possible security holes.

“We make changes to our website all the time,” Broce said. “We always move our My Voter Page to a static page before Election Day to manage volume and capacity. It is standard practice.” By Monday afternoon, the page did not appear to be static in the way Broce described, and she did not respond to a request to provide evidence of the change.

Of course, as anyone who has done any serious website building in, let's say, the last 10 to 15 years, knows well, that is not at all standard practice. But, let's see the quote from an expert anyway:

Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., disputed that visibility into file storage was common. “It’s definitely not best practice,” he said. He said it appeared the state had made the change in response to being notified of the problem and could see no reason why officials would otherwise make such a change ahead of Election Day.

Security experts frown on making such seemingly ad hoc changes close to major events, such as an election, because they can create unforeseen problems when made so quickly.

Basically, it appears that Kemp and the Secretary of State's office are betting on voters in Georgia being totally ignorant. Meanwhile, this is the same office that just a couple months ago made the following bold statement:

“There has never been a breach in the Secretary of State’s office. We have never been hacked, and according to President Trump and the Department Of Homeland Security, we have never been targeted. Georgia has secure, accessible, and fair elections because Kemp has leveraged private sector solutions for robust cyber security, well before any of those options were offered by the federal government.”

I don't care what side of the partisan divide you fall on, but Kemp's actions in failing to protect the system, overseeing the voting in his own election, then attacking the messenger for pointing out his own vulnerability, denying the vulnerability, and then scrambling to fix the vulnerability at the last minute without telling anyone, should disqualify him from running a Burger King, let alone being Governor of the state of Georgia.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: brian kemp, computer security, election, georgia, voter registration, vulnerability


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    That One Guy (profile), 6 Nov 2018 @ 6:24am

    'We're not incompetent, just extremely suspicious.'

    They really did not think that excuse out very well. If that sort of setup is normal and nothing to be concerned about then why are they patching it this close to the election? Their own argument shoots itself in the foot.

    If it is a bad setup(and it is), then patching it makes perfect sense, even if that patch is well overdue.

    (Also well overdue: a public apology for blaming the opposition for trying to inform those running the election of a major security flaw, and an admission that the original claim of them 'hacking' the system was wrong.)

    If it's not a bad setup, then they should have no reason to be making changes to it, and doing so raises the question as to why one of those running in the election is fiddling with the voting system just prior to it.

    Even taking them at their word and assuming they were right they still come out looking bad/suspect.

    link to this | view in thread ]

  2. icon
    DannyB (profile), 6 Nov 2018 @ 6:41am

    Voting systems hopelessly insecure

    Eeyore is my role model. Ever the realist.

    Since voting is hopelessly insecure, the president should simply decree (by executive odor?) the outcome of the election. It would save a massive amount of human time spent voting. It would save all of the costs of operating elections.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 6 Nov 2018 @ 6:45am

    We will fix this promptly!

    "In order to patch the security holes and fix any vulnerability, we will need to take offline all democrat leaning and minority-heavy polling locations. The locations should be fixed no earlier than 19:00 tonight.

    Secretary of State Kemp will not be extending voting hours for those locations. Anyone wishing to vote in an affected precinct may do so by requesting an absentee ballot prior to the absentee mail-in deadline."

    link to this | view in thread ]

  4. icon
    Anonymous Anonymous Coward (profile), 6 Nov 2018 @ 6:53am

    Technologist Trump

    “There has never been a breach in the Secretary of State’s office. We have never been hacked, and according to President Trump and the Department Of Homeland Security, we have never been targeted."

    Now there's the most technologically adept reference I've ever heard! /s

    How many phones does Trump have? How much security do they carry? Does Trump's staff feel good about the security of Trump's phones? Do foreign powers appreciate the security of Trump's phones?

    link to this | view in thread ]

  5. identicon
    Dustin, 6 Nov 2018 @ 7:00am

    Dynamic-to-static

    I completely agree with the sentiment of this article, but I just wanted to point out that moving dynamic web sites to a static version ahead of expected high volume actually *is* a pretty common thing to do.

    link to this | view in thread ]

  6. identicon
    bob, 6 Nov 2018 @ 7:11am

    Re: Dynamic-to-static

    True but as stated in the article, the web page is not being static in the way that the office claims.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 6 Nov 2018 @ 7:14am

    Okay, we changed the URL

    There. Fixed.
    /s

    link to this | view in thread ]

  8. identicon
    I.T. Guy, 6 Nov 2018 @ 7:16am

    I worked for a major online and on-air retailer and we froze ALL production changes 3 months before Christmas.

    Dustin... 2 days before the election? No way. That is not common at all. A week...2, maybe. Then you need to QA the changes. They are hiding the fact that they are scrambling to secure the system.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 6 Nov 2018 @ 7:17am

    Re: Technologist Trump

    according to President Trump...

    Then it must be true!
    /s

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 6 Nov 2018 @ 7:23am

    and then scrambling to fix the vulnerability at the last minute without telling anyone, should disqualify him from running a Burger King

    Is he capable of running a bath without flooding the bathroom?

    link to this | view in thread ]

  11. identicon
    David, 6 Nov 2018 @ 7:56am

    Cough cough

    Basically, it appears that Kemp and the Secretary of State's office are betting on voters in Georgia being totally ignorant.

    Don't they all?

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 6 Nov 2018 @ 8:15am

    Re: Voting systems hopelessly insecure

    When you're a celebrity, they let you do that.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 6 Nov 2018 @ 8:20am

    Re:

    He would have to find an old one. Because the government mandated an overflow drain in new tubs, those basturds!

    link to this | view in thread ]

  14. icon
    ShadowNinja (profile), 6 Nov 2018 @ 8:32am

    Re: We will fix this promptly!

    You joke, but there's some states with rules nearly that bad.

    My dad didn't get to vote one year because he had a last minute trip scheduled to visit a client. It was after the deadline to get an absentee ballot, and it was a state with no early voting (even today it still has no early voting).

    Oh and the worst part of that state's rules? It's illegal to vote by absentee ballot if you'll be home that day and able to show up at the polls. You have to sign under penalty of perjury that you'll be out of the state on the election day in order to get an absentee ballot.

    (The state is Pennsylvania)

    link to this | view in thread ]

  15. identicon
    ryuugami, 6 Nov 2018 @ 8:34am

    There has never been a breach in the Secretary of State’s office. We have never been hacked

    IIRC, the previous article mentioned they don't keep any logs, so I'd be very interested to know where they get that confidence from.

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 6 Nov 2018 @ 8:56am

    Re:

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 6 Nov 2018 @ 8:59am

    Re: Re: We will fix this promptly!

    Those are abysmal rules. Hopefulyl one day they will get fixed.

    But sadly the way the GOP run states are going, if they do loose the House today, I expect laws just to get more rediculous.

    - Fewer polling locations
    - Reduced early voting hours
    - Stricter voter exact match ID laws
    - Forced disenfranchisement for debt or tax issues ("can't pay taxes or your debts on time? Can't vote!)

    Anything to stay in power.

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 6 Nov 2018 @ 8:59am

    Re: Re: We will fix this promptly!

    It's illegal to vote by absentee ballot if you'll be home that day and able to show up at the polls.

    That isn't unusual, 20 states have those laws.

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 6 Nov 2018 @ 9:01am

    Re: Re:

    Just fill to the overflow and get in the bath with taps still running, lots of water outside the bath every time you move and cause a wave.

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 6 Nov 2018 @ 9:19am

    Re: Re: Re: We will fix this promptly!

    Everybody is doing it

    link to this | view in thread ]

  21. identicon
    Anonymous Coward, 6 Nov 2018 @ 9:19am

    Re: Re: Technologist Trump

    He would never lie

    link to this | view in thread ]

  22. identicon
    Anonymous Coward, 6 Nov 2018 @ 9:27am

    Re: Re: Re: Re: We will fix this promptly!

    Well not everybody. There are 29 other states that don't.

    link to this | view in thread ]

  23. identicon
    bob, 6 Nov 2018 @ 9:57am

    Re: Re: Re:

    Or just plug the overflow drain. Protection only works if people use it, doesn't matter if government mandated.

    link to this | view in thread ]

  24. identicon
    Billy Bob, 6 Nov 2018 @ 10:57am

    Re: Re: Re: Re:

    And them gubmint regulaterz figur'd they outsmarted us stable geniuses.

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 6 Nov 2018 @ 11:00am

    Re:

    If a hacker gains root in a server farm and no one is around to log it, liars can claim it didn't happen.

    link to this | view in thread ]

  26. identicon
    Citizen, 6 Nov 2018 @ 11:07am

    There has to be a body of impartial observers supervising this election. This guy's arrogant sense of self entitlement, including his insistence on presiding as the secretary of state during his own candidacy, let alone his effort to purge legitimate voters, indicates he has every intention of cheating if he can get away with it.

    link to this | view in thread ]

  27. icon
    discordian_eris (profile), 6 Nov 2018 @ 11:17am

    One word describes voting in GA, and has for the last several decades. Diebold. And amazingly, all of the fuckups with Diebold equipment benefited one party. The same one doing everything they can to screw over everyone now. Again.

    link to this | view in thread ]

  28. identicon
    Anonymous Coward, 6 Nov 2018 @ 11:19am

    Re: Re: Re: Re: Re: We will fix this promptly!

    I'd be interested to see the breakdown of R:D majorities in the states that do vs the states that don't....

    link to this | view in thread ]

  29. icon
    got_runs? (profile), 6 Nov 2018 @ 11:23am

    Need to go back to paper ballots.

    link to this | view in thread ]

  30. icon
    R.H. (profile), 6 Nov 2018 @ 12:09pm

    Re: Re: We will fix this promptly!

    Yeah, that's the law here in Michigan too. Fortunately, there's a proposition on the ballot today to change that. Hopefully, it'll pass.

    link to this | view in thread ]

  31. icon
    R.H. (profile), 6 Nov 2018 @ 12:13pm

    Re:

    Don't forget, the largest ballot failure in recent American history was using paper ballots (hanging chads anyone?) They may be better but, they aren't a panacea.

    link to this | view in thread ]

  32. identicon
    Anonymous Coward, 6 Nov 2018 @ 12:26pm

    Re: Re:

    afaik, there are more than one type of paper ballot.
    Some of them so not have punch out "chads".

    link to this | view in thread ]

  33. identicon
    Anonymous Coward, 6 Nov 2018 @ 12:33pm

    Re: Re: Re:

    Correct. Even in the same state. The ballots in my district were not the chad type but the "connect these two lines to make an arrow" type.

    link to this | view in thread ]

  34. icon
    Get off my cyber-lawn! (profile), 6 Nov 2018 @ 1:25pm

    We have never been hacked...

    and just as soon as I'm elected, my people will show you the proof that we weren't hacked....unless I'm not elected and then we were definitely hacked and I'll get to the bottom of that too!

    link to this | view in thread ]

  35. icon
    Get off my cyber-lawn! (profile), 6 Nov 2018 @ 1:48pm

    Re: Re: Dynamic-to-static

    "You keep using that word. I do not think it means what you think it means." - Inigo Montoya

    link to this | view in thread ]

  36. icon
    Get off my cyber-lawn! (profile), 6 Nov 2018 @ 1:51pm

    Re:

    There is! I just read that Russia is sending observers! How helpful of them.

    link to this | view in thread ]

  37. icon
    Thad (profile), 6 Nov 2018 @ 1:59pm

    Re: Re:

    If only there existed some other way to put a mark on a piece of paper besides punching a hole in it.

    link to this | view in thread ]

  38. identicon
    Anonymous Coward, 6 Nov 2018 @ 6:11pm

    Re: Re: Re: Re: Re: Re: We will fix this promptly!

    From the 2014 Presidential election (considering 20 states which require an excuse for absentee voting, 27 states which do not, and ignoring 3 states which only vote by mail):

    The average R:D for all 47 states was 51.2 to 43.2

    For the 20 states in which absentee voting required an excuse, the average R:D was 52.9 to 42.7

    For the 27 states in which absentee voting did not require an excuse, the average R:D was 48.2 to 42.0

    Make of that what you will

    link to this | view in thread ]

  39. icon
    The Wanderer (profile), 7 Nov 2018 @ 4:42am

    Re: Re: Re: Re: Re: Re: Re: We will fix this promptly!

    Er, 2014 wasn't a Presidential election year. Did you mean 2012, 2016, or the 2014 midterm?

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.