FTP -- the "file transfer protocol" -- is a long-supplanted Unix tool for transferring files between computers, once standard but now considered to be too insecure to use; so it's alarming that it's running on the voting information systems that will be used in elections in Wisconsin and Kentucky tomorrow.
The FBI has warned that "criminal actors" use FTP in targeting US voting systems. The Wisconsin Elections Commission and DHS have reported hacker attacks on Wisconsin voting machines in the 2016 elections.
Propublica portscanned the voting information systems in Kentucky and Wisconsin, which are connected to the fucking internet, and found FTP services being advertised by servers on the machines.
Kentucky's voting information systems did not require a password to access their FTP servers.
As of late Wednesday, Kentucky’s voter-registration server still allowed users to browse a list of files without a password. Even the names of the files contained clues that could conceivably help an intruder. For example, they indicated that Kentucky may use driver’s licenses on file in its motor vehicle software to verify voters’ identities.
Bradford Queen, a spokesman for Kentucky’s secretary of state, declined to say if running an FTP server was problematic. “We are constantly guarding against foreign and domestic bad actors and have confidence in the security measures deployed to protect our infrastructure,” he said.
“ProPublica’s claims regarding Kentucky’s website lack a complete understanding of the commonwealth’s full approach to security, which is multi-layered. Defenses exist within each layer to determine and block offending traffic.”
File-Sharing Software on State Election Servers Could Expose Them to Intruders [Jack Gillum and Jeff Kao/Propublica]
Investigative tech journalist Joseph Menn's (previously) next book is a history of the Cult of the Dead Cow (previously) the legendary hacker/prankster group that is considered to be "America's oldest hacking group."
Using software-defined radios, researchers from Trend Micro were able to reverse-engineer the commands used to control massive industrial machines, including cranes, excavators and scrapers; most of these commands were unencrypted, but even the encrypted systems were vulnerable to "replay attacks" that allowed the researchers to bypass the encryption.
"Letterlocking" is a term coined by MIT Libraries conservator Jana Dambrogio after she discovered a trove of letters while spelunking in the conservation lab of the Vatican Secret Archives; the letters had been ingeniously folded and sealed so that they couldn't be opened and re-closed without revealing that they had been read. Some even contained […]
Seems like drones are doing a lot of jobs these days, from reconnaissance to delivery. Now, we can add “keeping the Death Star safe” to that list. Whether you’re a drone enthusiast or a Star Wars fan, these Star Wars Propel Drones are undeniably the coolest toy around. Yes, that’s a fully functional drone replica […]
It’s spring clearance time for the Boing Boing Store, when some of the best deals from the holidays return even cheaper than before. From top-rated apps to educational software to the cutest record player of all time, they’re all back with a little extra incentive. Shop your heart out before tax season wraps up! Use […]
Big companies want automation on a big scale. Doing that means diving into the tricky world of machine learning and data science. And no matter what platform you’ll be implementing it on, you can learn how with the Machine Learning & Data Science Certification Training Bundle. In 48 hours and through eight courses, this bundle […]