Dailydave mailing list archives

Re: Voting Village at Defcon

From: Chris Eng <ceng () Veracode com>
Date: Thu, 23 Aug 2018 18:12:15 +0000

What even is the point of setting up “replica websites” that are only replicas in the sense that they ostensibly 
perform the same function as the real sites, but otherwise do not share common code/technology and are essentially 
known sacrificial sites with security bugs intentionally placed in them?

We know how much of the media operates.  Did this coverage surprise anybody?  Especially with quotes like this:

“These websites are so easy to hack we couldn’t give them to adult hackers — they’d be laughed off the stage,” said 
Jake Braun, a former White House liaison for the Department of Homeland Security.

Is he talking about the replicas and got quoted out of context?  Or is he playing up the insecurity of the actual sites 
– without evidence – for a good sound bite?  I know my guess.

Again why put these “replica websites” in the village to begin with when the reporting is inevitably going to be 
alarmist and needs to be walked back?

Last year we saw similar headlines about voting machines, wherein “hacked” turned out to mean someone ran a Nessus scan 
and they weren’t fully patched.



From: Dailydave <dailydave-bounces () lists immunityinc com> On Behalf Of Kevin T. Neely
Sent: Thursday, August 16, 2018 12:48 PM
To: dave.aitel () gmail com
Cc: dailydave () lists immunityinc com
Subject: Re: [Dailydave] Voting Village at Defcon

Sure, it's SQLi, but I'm not sure why you'd minimize her effort.  According to the village's Twitter account, she 
changed the vote tallys from a replica of the site.  
https://twitter.com/VotingVillageDC<https://twitter.com/VotingVillageDC>  It would be nice if the media reported on the 
recommendations that come from the findings, but we all know that's not how the media operates.

K

On Mon, Aug 13, 2018 at 12:34 PM Dave Aitel <dave.aitel () gmail com<mailto:dave.aitel () gmail com>> wrote:
https://www.usatoday.com/story/tech/nation-now/2018/08/13/11-year-old-hacks-replica-florida-election-site-changes-results/975121002/<https://www.usatoday.com/story/tech/nation-now/2018/08/13/11-year-old-hacks-replica-florida-election-site-changes-results/975121002/>

So I don't know a ton about the details of voting machines, but I'm pretty sure what happened at the DEFCON voting 
village is not being represented at all accurately in the media, and I'm curious why nobody in the community is pushing 
back on it, specifically I think we have a duty not to be used as a bludgeon in various uncouth political wars.

I don't think an 11yo hacked into anything close to a replica of the Florida Election site. I think they followed a 
script to hit up a sample vulnerable web page with SQLi.

Does anyone have more information on what exactly went down?
-dave



_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com<mailto:Dailydave () lists immunityinc com>
https://lists.immunityinc.com/mailman/listinfo/dailydave<https://lists.immunityinc.com/mailman/listinfo/dailydave>


--
In Vino Veritas

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

Current thread:

Voting Village at Defcon Dave Aitel (Aug 13)
- Re: Voting Village at Defcon Kevin T. Neely (Aug 23)
  - Re: Voting Village at Defcon Chris Eng (Aug 23)
    - Re: Voting Village at Defcon Dave Aitel (Aug 25)