Posts

In early 2024, a team of researchers at the University of Michigan and Auburn University stumbled upon an overlooked flaw in Dominion’s Democracy Suite voting system. The flaw, astonishing in its simplicity, harked back to the 1970s: a rudimentary linear congruential generator for creating random numbers, a method already marked as insecure half a century ago. Yet there it lay, embedded in the heart of America’s election machinery. This flaw, known as DVSorder, allowed the order of ballots to be exposed, violating a voter’s sacred right to secrecy without needing inside access or privileged software.

Dominion Voting Systems responded, as companies often do, with carefully measured words—a single-page advisory noting that “best practices” and “legal advisors” could mitigate the flaw. A software update, Democracy Suite 5.17, was eventually rolled out, claiming to resolve the vulnerability. Yet this patch, touted as a “solution,” seemed only to deepen the questions surrounding Dominion’s response. Was it a fix, or merely a stopgap?

A Bureaucratic Response: The Slow March of Democracy Suite 5.17

The U.S. Election Assistance Commission granted its stamp of approval to Democracy Suite 5.17 in March 2023, seemingly content with its certification. But the rollout that followed revealed the entrenched and fragmented nature of America’s election infrastructure. Election officials, bound by local constraints, cited logistical challenges, costs, and the impending presidential election as reasons to delay. In the absence of federal urgency or clear guidance from the Cybersecurity and Infrastructure Security Agency (CISA), the vulnerability remained in effect, a silent threat from Georgia to California.

Even as researchers watched from the sidelines, Dominion and federal agencies moved cautiously, with state adoption of Democracy Suite 5.17 proceeding at a glacial pace. Some states, like Michigan and Minnesota, made efforts to upgrade, but others deferred, considering the patch a burden best shouldered after the election. Thus, the DVSorder vulnerability persisted, largely unresolved in precincts where patching was deemed too disruptive.

The Patchwork of Democracy Suite 5.17: A System in Pieces

As expected, Democracy Suite 5.17 encountered obstacles in deployment, emblematic of the fractured approach to American election security. States such as Michigan tried to sanitize data to safeguard voter privacy, but the result was incomplete; others attempted to shuffle ballots, a solution whose effectiveness remained dubious. The whole exercise appeared as a microcosm of America’s approach to its electoral machinery: decentralized, hesitant, and all too often compromised by cost and convenience.

A Sobering Reminder for Democracy’s Future

The DVSorder affair serves as a reminder that elections, despite their image of order, depend on fallible human governance and systems. In this case, a mere oversight in programming triggered a vulnerability that risked eroding voter privacy, a cornerstone of democracy itself. Dominion’s response, slow and bureaucratic, reveals the unsettling reality that our reliance on technology in elections opens doors to errors whose repercussions may be profound.

The researchers who exposed this flaw were not saboteurs but, in a sense, stewards of public trust. They brought to light a sobering truth: that in the age of digital democracy, even the smallest vulnerability can ripple outward, potentially undermining the promises of privacy and integrity on which the system stands.

As the dust settles, DVSorder may join the list of vulnerabilities patched and closed, yet a shadow lingers. With each election cycle, new threats and oversights emerge, casting a faint but persistent question over the future of American democracy. One wonders—will we be ready for the next vulnerability that arises? Who knows.

By Skeeter Wesinger

November 4, 2024

 

https://www.linkedin.com/pulse/dominion-voting-systems-dvsorder-affair-saga-american-wesinger-i4qoe

In the first half of 2024, the world witnessed a dramatic escalation in the methods and ambitions of cybercriminals, whose tactics have grown more sophisticated and ruthless with each passing year. No longer content with merely disrupting businesses, these actors turned their attention to critical infrastructure and public services, inflicting damage that rippled through entire economies and societies. The evolution of ransomware, which began as a mere threat of data encryption, now routinely involves what has been termed “double extortion.” In these schemes, criminals not only lock away valuable data but also steal it, holding both the integrity of the files and their potential exposure to the highest bidder, over the heads of their victims.

Whaling

Whaling

The reasons for this relentless onslaught are manifold. In part, it is due to the steady refinement of the tools of cybercrime—particularly the rise of ransomware-as-a-service (RaaS), where the means to carry out attacks are offered, for a price, to anyone with nefarious intent. No longer confined to the realm of expert hackers, these services have democratized cyberattacks, opening the floodgates to both opportunists and ideologues alike. Increasingly, attacks are driven not only by the pursuit of profit but by political or ideological motives, reflecting the charged and fractured state of global affairs.

Data theft has also become a more prominent feature of the digital battlefield. Sensitive personal and corporate information, once stolen, can fetch vast sums on the dark markets, or be used as leverage in extortion schemes that terrify individuals and businesses alike. The impacts of such thefts, already grievous, are compounded by the fear of exposure in an age where privacy has become a luxury few can afford.

A major contributing factor to the unchecked spread of these attacks is the interconnectedness of the modern world. The vulnerability of supply chains, in particular, has been laid bare. A single attack on a supplier can reverberate across industries, causing widespread disruption. Few industries remain untouched as companies rely on third-party providers whose weaknesses are easily exploited by attackers. Thus, an attack on one becomes an attack on all, with consequences magnified by the intricate web of dependencies that define the global economy.

Geopolitical tensions, too, have played a significant role. As states vie for power, the use of cyberattacks as instruments of warfare has increased in frequency and boldness. The world in 2024 is a battlefield, and its most vital infrastructure—financial systems, government agencies, and energy grids—has become the primary target. Particularly dangerous are the state-sponsored campaigns aimed at undermining not only economies but the trust the public places in its institutions. Chaos and disruption, once occasional hazards, have now become central tactics in the arsenal of cyber warfare.

Compounding all of this has been the rapid transformation of the workplace. Since the pandemic, the adoption of remote work and cloud technologies has left organizations exposed. Their hastily constructed digital environments, meant to provide convenience and adaptability, have proven to be fertile ground for cybercriminals. Attackers, seizing on these vulnerabilities, have exploited them with devastating success, leaving no corner of the digital world unscathed.

Whereas in previous years, cyberattacks were often contained and managed without much public notice, 2024 has shattered that illusion. The impacts are now visible and painful, disrupting the very services—healthcare, energy, communication—on which society depends. The scale and visibility of the attacks have eroded the sense of security that once prevailed, leaving the public with the unmistakable feeling that the storm is far from over.

By Skeeter Wesinger

October 14, 2024

https://www.linkedin.com/pulse/cybercrime-rise-skeeter-wesinger-wyl4e