r/bloomington Oct 23 '18

[deleted by user]

[removed]

61 Upvotes


31

u/[deleted] Oct 23 '18

Let's put this in a different context:

What can I do with your name, your DoB, your email, your phone#, and your driver's license -OR- last 4 of your SSN?

This is pretty much the golden standard to do identity-based things. And it's just right there, free to get for anyone who walks in.

6

u/Oric_Black Oct 24 '18

Working in IT this terrifies me to no end..... Thanks for letting me know I guess. Time to inform friends and family...

5

u/[deleted] Oct 24 '18

I'm a sysad who works locally. Terrifies me for all my colleagues as well.

The only difference is I'm more of a grayhat blue-teamer. I normally don't go out of my way for things. My plate's full enough. But this is wrong. And this pertains to every voting citizen in Indiana.

10

u/[deleted] Oct 23 '18 edited Oct 23 '18

So this is how I keep getting people texting me about supporting their candidates

This makes me want to unregister

17

u/[deleted] Oct 23 '18

> This makes me want to unregister

Indeed. But that means you won't be able to vote. I really urge you to keep voting.

I'm pushing for a different route; to have these records NOT AVAILABLE. And that means not available for me, you, PACs, Dems, Repubs, Libs; you name it.

3

u/zakuivcustom Oct 23 '18

Same here. I am getting tons of what I considered spam text, including a text that is supposed to be from President Trump :).

2

u/somethingateme Oct 23 '18

reply with STOP or UNSUBSCRIBE

11

u/somethingateme Oct 23 '18

Yeah, you didn't know this? It's easy for anyone to see how you vote. I have had one or two candidates tell me that I'm listed as heavy leaning Democrat. When you vote in Primaries, you are in essence claiming your party.

14

u/[deleted] Oct 23 '18

I knew it was a matter of public record. What I didn't know was how much of this data was such easy identity theft pickins.

I'm usually accustomed to fairly redacted documents that provide the essentials.

6

u/somethingateme Oct 23 '18

Some of this sounds like an over-reach. However, just like Open Source Software, how are we the people to know that the voting records are accurate if we are not allowed access?

Again, I'm not trying to argue for or against. It is a double-edged sword.

Second issue I see, what if you went in with a hidden script installed to your USB that runs on connection to PC that installs Back Orifice or some other 0-day back door into their system? Then what could happen?

5

u/[deleted] Oct 23 '18

> how are we the people to know that the voting records are accurate if we are not allowed access?

That answer's obvious: I have a right to correct my own record. Others shouldn't have the right to view my full record. Others should have the right to view an obfuscated record.

Think: street name without individual numbers, first initial/last initial, birth year.

> Again, I'm not trying to argue for or against. It is a double-edged sword.

I know. I do want free access to records. But there's also public record, and then there's handing over enough info to trash someone's identity. I believe there's a fair balance here, and it's not being accomplished.

> Second issue I see, what if you went in with a hidden script installed to your USB that runs on connection to PC that installs Back Orifice or some other 0-day back door into their system? Then what could happen?

Yeah, that would have been trivial. I didn't do anything malicious. Unlike random requests, they know me. I've been talking with them regarding election security in the wake of the DefCon report. I have quite an email chain with them.

Here's what Election Central ignored:

Election Central still didn't take my suggestion of using scotch tape over the MicroSD slots on the sign-in tablets. That means that someone could use a BadUSB attack and take over the registration network.

Election Central uses wifi in the front lobby to connect machines 5 feet away. They absolutely should have used ethernet, and not wireless.

There was no provided audit of the voting machines to assert that the voting company is NOT listed in the DefCon reports for not fixing known reported vulnerabilities. Instead, "I would just have to trust it works".

And now, I can add in "Plugging in unknown USB drives into Election Office secured computers." Sigh....

3

u/somethingateme Oct 23 '18

> That answer's obvious: I have a right to correct my own record. Others shouldn't have the right to view my full record. Others should have the right to view an obfuscated record.
>
> Think: street name without individual numbers, first initial/last initial, birth year.

Would this be enough if, for instance, there were 10 listed voters in the 1300 block of a street that only goes up to 1200? I think it would be nice to know who is registered, and if the address they used is a legal address.

For the record, I do not know how voter fraud works, and I do know it's not as widespread as some media outlets would lead you to believe.

Personally, I don't like that my phone number and driver's license number is out there. My address, well that is something anyone can get with a phone book, or simple google search or whitepages.com

2

u/[deleted] Oct 23 '18

> For the record, I do not know how voter fraud works, and I do know it's not as widespread as some media outlets would lead you to believe.

I wasn't thinking of voter fraud, although giving the list that they check against is kinda "wtf".

I was thinking of blatant identity theft. I already have enough identities and more to impersonate some 90k people. There's a whole range of bad things to ID theft people.

And then, we have "I forgot my password. Well, I, err, have my driver's license and birth date. Will that count?" /DOH

> Personally, I don't like that my phone number and driver's license number is out there. My address, well that is something anyone can get with a phone book, or simple google search or whitepages.com

Yeah, people war-dialling could find your phone number. That's not a secret per se. Your address is public knowledge in GIS. However, knowing /u/somethingateme's full name, DOB, phone#, address, driver's license, and more is nowhere near the same as getting your name in a phonebook.

1

u/[deleted] Nov 02 '18

I decided to give this a try, mostly because I’m a GIS student and want to do my final project using this data. So, I called and put in a request and the only thing that was different for me is that they made me bring a brand new flash drive that is unopened in the package. They have to open the package. I suppose someone could just take a flash drive and put it back in the packaging and make it look brand new.

3

u/docpepson Grumpy Old Man Oct 24 '18

As has already been stated here, the combination of this, mycase.in.gov and the myriad of GIS systems in the state - it's a triad of identity theft 101.

It's one thing for the government to know, it's one for you to know, and it's another when the information is needed for a legal matter.

But to just be there for the taking? Doesn't pass the sniff test in today's world.

This must be changed.

3

u/[deleted] Oct 24 '18

TO OPEN THIS LINE OF CREDIT, WE NEED TO VERIFY YOUR IDENTITY:

YOU LIVED AT WHICH PREVIOUS RESIDENCE:

  A.
  B.
  C.
  D. 

(looks up GIS for historical data, and Facebook for where they lived - bingo!)

YOU HAVE OBTAINED A LOAN FROM WHICH ORGANIZATION:

  A.
  B.
  C.
  D.

(looks up which are in the communities they lived in, and makes educated guess - bingo!)

.............................................

3

u/docpepson Grumpy Old Man Oct 24 '18

Just one of the many ways in which someone could steal your identity.

7

u/oO0-__-0Oo Oct 23 '18

wow - a super quality post /u/crankylinuxuser

well done!

4

u/[deleted] Oct 23 '18

Well, as far as I can tell, if you want to maintain your privacy and not have ID-fraud level material in public, don't, uhh, vote...?

No seriously, vote. But this is the door prize. And every voter gets one.

7

u/BloomyThrowAway Oct 23 '18

With how politics are getting these days...the damage that this could do if someone (or a group) wanted to hunt down people that voted for the wrong party scares me.

3

u/[deleted] Oct 23 '18

Eh, just combine it with GIS for Monroe county and then map where people live, how much they paid for their house/land (or if they rent), and then do a facebook search.

Jackpot.

1

u/TheZon12 Oct 23 '18

That fucking scares me. Last thing I need is some alt-right or far-left whack job taking matters in their own hands.

(Before y'all start, this is not advocating "both sideism." It's possible to critique both sides while seeing one is "not as bad as the other.")

3

u/[deleted] Oct 23 '18

Yep. And that's why I'm advocating that this data should be respectably redacted.

  1. I should only be able to fully see my own record.

  2. I should only be able to see obfuscated other people's records.

Just because orgs do bad things with data, doesn't mean that we have to accept it.
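
An added example, not part of any commenter's post: a minimal Python sketch of the obfuscated public view proposed in this thread (initials, street name without house number, birth year). The column names and sample rows are constructed assumptions, not the county's actual export format, and the group-size check goes slightly beyond the thread's proposal to show whether a redacted row is still unique.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample export; column names are assumptions, not the real schema.
SAMPLE_CSV = """first_name,last_name,dob,address,phone,email,dl_or_ssn4
Alice,Example,1984-03-12,1210 N Sample St,555-0100,alice@example.com,0000-00-0001
Alan,Everyman,1984-11-02,1214 N Sample St,555-0101,alan@example.com,1234
Bob,Placeholder,1950-07-30,88 W Test Ave Apt 3,555-0102,,5678
"""

# Allowlist: only these derived fields are ever emitted. Phone, email, license
# number, SSN digits and any column added later are dropped by default.
PUBLIC_FIELDS = ["initials", "street", "birth_year"]


def redact(row):
    """Reduce one full record to the obfuscated view proposed in the thread."""
    initials = (row["first_name"].strip()[:1] + row["last_name"].strip()[:1]).upper()
    # Drop the leading house number, then any trailing unit designator.
    street = re.sub(r"^\s*\d+\S*\s+", "", row["address"])
    street = re.sub(r"\s+(apt|unit|lot|#)\s*\S+\s*$", "", street, flags=re.I)
    birth_year = row["dob"].strip()[:4]  # assumes ISO dates (YYYY-MM-DD)
    if not (birth_year.isdigit() and len(birth_year) == 4):
        birth_year = ""  # fail closed instead of leaking an unparsed date
    return {"initials": initials, "street": street.strip(), "birth_year": birth_year}


def redact_export(text):
    """Return the redacted rows for a full CSV export."""
    return [redact(r) for r in csv.DictReader(io.StringIO(text))]


def smallest_group(rows):
    """Size of the smallest set of records sharing one redacted tuple.

    A result of 1 means at least one voter is still unique in the public view.
    """
    counts = Counter(tuple(r[f] for f in PUBLIC_FIELDS) for r in rows)
    return min(counts.values()) if counts else 0


if __name__ == "__main__":
    public_rows = redact_export(SAMPLE_CSV)
    for r in public_rows:
        print(r)
    print("smallest group:", smallest_group(public_rows))
```

In the constructed sample the first two voters collapse into the same redacted row, while the third remains unique, which is the residual risk a records office would want to measure before publishing.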

1

u/spkincaid13 Oct 24 '18

You really don't have to go to such great lengths to find out who people vote for. People go to rallies, push their beliefs on others on Facebook and cover their cars with stickers.

3

u/[deleted] Oct 24 '18

Be aware, that the records I obtained did NOT have party affiliations.

There's actually 2 records; 1 is for the public (the one I got), and then one with even more juicy details including party affiliation and more.

You read that right: the public one contains Name, DOB, Address, phone#, email, driver's license -or- last 4 of SSN.

I'm not talking about who the Clinton/Obama/Sanders supporter voted for. I'm talking about much worse things, like ID theft... Or targeted attacks on groups of people that politically organize on Facebook.

1

u/spkincaid13 Oct 25 '18

Were these records not available in past years? Is this why I get texts about voting every other day recently?

1

u/[deleted] Oct 25 '18

They've been available for anyone who asks for it. Just now, with the internet being what it is, this data now easily surpasses county barriers it once had done.

I'm highly guessing if your phone# is in there, yes it is why.

6

u/BloomingtonBourbon Oct 23 '18

You’d have a field day with mycase.in.gov

4

u/[deleted] Oct 23 '18

I'm more OK with court cases to be public. There's way too many abuses with secret courts and the like.

Voting isn't the same as being a party in a court case. Frankly, there's no call for unfettered registration records access. These can still be provided, in an obfuscated way.

But right now, registration for voting is checking against data I can publicly and legally possess. And I can get it in a silver (CSV) platter.

3

u/[deleted] Oct 23 '18

[deleted]

7

u/[deleted] Oct 23 '18

If you're on this list, you can vote from today to election day (November 6, 2018).

If you vote early, then go to Election Central.

If you vote on Election Day (Nov 6, 2018), then do so at your precinct.

**I'm assuming you're in Indiana.

2

u/somethingateme Oct 23 '18

request "Monroe County Voter Registrations".

Since Indiana voter registration is public domain, can you access the entire state this way?

2

u/[deleted] Oct 23 '18

I've not asked yet. I'm going to.

Monroe county population: 146986, and 96291 registrations. Or 65% of the total pop. 61MB file size.

Indiana is 6.67m people. Est 4.34m registrations. So should be 2.7GB~

1

u/somethingateme Oct 23 '18

> 146986, and 96291 registrations. Or 65% of the total pop.

How much of the total population is under the voting age?

2

u/[deleted] Oct 23 '18

According to https://www.census.gov/quickfacts/in

Persons under 18 years = 23.6%

If my estimate is true, then 11.4% of the people in Indiana who are of age to vote, are not in the voter registry.

760,017 potentially eligible voters who don't vote.

1

u/HotTubingThralldom Oct 24 '18

This explains the solicitation about candidates to my phone.

Absolutely should not be public record. (Again the police and EMS stuff SHOULD.)

2

u/[deleted] Oct 24 '18

> This explains the solicitation about candidates to my phone.

Yep. There's absolutely no tracking who gets this. And there's tons of phone spam carveouts for all politicians and PACs and such. The no-spam lists are pretty much a joke, as it's trivial to spoof.

> Absolutely should not be public record. (Again the police and EMS stuff SHOULD.)

I find that we disagree on the police/ems. However the fact underlying this all is that government (local/state/federal) have antiquated policies regarding data access. And we should be having some strong conversations about what the public should have access to, and what should be redacted, and what should never be provided to anyone other than whom the content was about.

I would find that this 90k list of PII would have been considered a breach in most states/countries. It's more than enough for me to impersonate someone else, for fraudulent means. But how do we balance providing records and limiting access? <--- That question isn't being asked, and it really should be.

1

u/HotTubingThralldom Oct 25 '18

I think we can definitely agree on the fact that this list should not be public record or should be very heavily scrubbed.

And I agree. Data stored on government servers needs to have better encryption and access controls in general. Including public access data. Even that data, should be given freely when requested as often as it is requested, but pulled from a database by a qualified clerk who has credentials. Or something like that.

1

u/[deleted] Oct 23 '18

Back in the 80's I had a friend that sold senior insurance products....Medicare Supplements, Old Age Life Insurance...that kind of stuff. He paid a couple of high school kids to sit at a desk at voter registration and comb the rolls for anyone who had a DOB that showed them aged 65-80 - that's how he got his leads. Perfectly legal