Discover more from Rixstep NSA
Alex, Ed, & Tucker
And the Fox chyron guy.
Just a reminder: if you're one of those sorry souls stuck on an Apple desktop/laptop, you can get out from under a lot of that 'politically correct' BS by getting at least our free Keymaster Solo. We've had occasion recently to review a bit of the weeping and gnashing ot teeth going at least as far back as 2021. It's not pretty to see how clueless some people are. We trust you are not. As we continue our search for a viable alternative, as you do too, Keymaster Solo might be your best solution.
Of course, if you really feel for it, go for the whole package. There are no strings, it's not a subscription, there are no hidden fees, it's for life - including any and all updates we come with, including new software.
Alex, Ed, & Tucker
Frankly, we didn't know what to make of the 2020/22 election scandals in the US, other than noticing quite clearly that something was very wrong. It wasn't until last night, thanks to Jewels Jones, that we finally got to see what the commotion was all about.
Here's the conundrum. Trying to explain puter stuff to outsiders is impossible. More than 99% of everyone in the computer industry is full of shit anyway. Two people who definitely are not full of shit are Alex Halderman and Ed Felten. We've known of them for a long time.
It's been years since we've wandered those paths, but who could ever forget? The copy-protection scheme Sony bought for their CDs for $700,000 that could be defeated by simply holding down a shift key - which simultaneously proved the perfect hiding place for malware? Or the trick of preventing copying which was defeated by simply running a pencil eraser around the edges of the medium?
Alex Halderman came out with a paper on 1 July 2021. It's devastating. Alex is, for starters, a PhD from Princeton, and you may remember other prominent scientists who worked there. Alex has that rare ability to combine the precise mind of an academic with the slanted POV of the hacker - the ability to look just a bit askance at things to see what's really possible.
Back through the mists of time. To my first real programming job ever, years ago. We were all given one month to write and successfully complete a training program. We were to write our own test data and verify that our program actually worked. We were given one month.
I finished the program the first day before lunch.
After lunch, I thought about my future. My immediate future. I wasn't going to have anything to do for an entire month! And the following day was a holiday, so I'd effectively work only one day - and then be off again! (I hate holidays - they always interfered with my work.) So what was I going to do for the rest of the day?
That test data thing for our training program: it bugged me. What were we really testing? Ten posts, written to work, with nothing provided that intentionally did not work? What kind of testing was that?
[See the hacker POV there?]
So I designed and completed another program by the end of that first work day, and it's still part of the archives. A program called 'Juggler'. What Juggler did was take paradigms for correct posts, then fiddle with those paradigms to create posts that were intentionally 'out of bounds' as it's called. And the program spit out as many posts as you liked, not the paltry 10 as recommended.
One of the key parts of this design was randomisation. As you may know, there are two elements to random number generation. One of the elements is assuring you get an 'even spread'. You want the numbers evenly distributed over the spectrum, whatever you'd decided. The other part is called the 'seed'. That's the really random part. You want a number that is truly random, to start it all off.
But the in-house routines there had no provisions for seeding. I called in the two chaps from the so-called 'Methodology Group' to my office. I also had two colleagues sitting with me at the time.
I began by explaining the quandary. That when I generated random numbers with their routines, one always got the same numbers!
The one of them - kid you not - answered:
'But that's the way things work with random numbers!'
'Then WHY', I asked, raising my voice, 'do you call them RANDOM?'
That elicited laughter from my colleagues. It was truly a hysterical moment. And neither of the guys from Methodology had an answer. Honest Injun. They did not know.
That's the difference. No one on the outside has a clue, and few on the inside do either, as most of them - I'd estimate over 99% - are just full of shit, bullshitting to get by, as the pay is good. What they do is pick up on all the buzzwords and learn how to sound erudite when they drop them into conversations. They never know if the other guy is bullshitting either.
We had 150 programmers in that group. Aside from my core group. Of the 150 remaining, all did work primarily on our IBM MVS mainframe. Of those 150, 148.5 were full-time COBOL. 1.5 of them worked in MVS assembler. That '.5' was because one of them was supposed to divide his time equally between COBOL and MVS assembler.
If you've never seen COBOL, here's a clue. Any 4yo could master it. I learned it completely in one afternoon by reading one book at a cafeteria in downtown Stockholm. The whole language. MVS assembler is of course another matter.
Here's the thing. Those 1.5 programmers were responsible for a walloping 1/6 of all routines that ran daily in that mainframe. With millions upon millions of financial transactions. The 148.5 held onto the remaining 5/6.
Guess whose routines ran and whose crashed?
The COBOL routines crashed all the time. So the operator would run it again and again until it made it through. The MVS assembler routines never crashed.
Steve Jobs once said that it's not true that excellent programmers are 2 or 3 times better than average programmers - they're 200 to 300 times better. And he's right. And realising that is a key to better understanding how the computer industry works (and does not work). And things do not have to be as expensive as they are either.
Back to Halderman
OK, keeping all that in mind, let's look at Halderman's paper from 2021. It's available here.
Yes, Scribd totally sucks, but bear with it just this once. Thanks.
Again, that evening driving through Research Triangle Park. And hearing that announcement on the radio that US elections were moving to machines from Diebold running WINDOWS 98. Not 98SE but 98. Un-fucking-believable.
Our quandary today has been that we know they're today running Android, so how are they still insecure? Wonder no longer. Grab a flight bag if you have one handy.
A report by Alex Halderman should be the 'gold standard'. It's not just that he and his teams are so brilliant - this going back many years - but that he makes everyone else look so stupid.
'That Fulton County election workers selected an inappropriate seal and failed to properly install it - on a scanner they knew would be subjected to security testing - suggests that Georgia security seal practices are insufficient to reliably protect the state's election equipment from undetected physical access.'
This is another matter. Check these redactions.
The Cablegate files from WikiLeaks did it right. This does not do it right. Hidden fields must always be of the same length. It's easy for someone to figure out what's hidden. Give any decent hacker a day with this document and he'll have Hunter winning an election in Namibia.
'The BMD runs code with root privileges from a file that is writable by the ICX App. When combined with the directory-traversal vulnerability, this allows a malicious election definition file to execute arbitrary code as root.'
You get into the machine - which is child's play - and then, to escalate to root, you simply tick a box.
'I have described several methods by which attackers can install malware with only brief physical access to an ICX. Although these are severe vulnerabilities, the ICX is also vulnerable to an even more dangerous method of malware installation. By modifying the election definition files that election workers copy to the BMDs before each election, attackers can spread malware to them remotely, with no physical access to the individual machines.'
This is what they did in Arizona.
They discussed this a year earlier. They were having a field day. All those GOP voters, all those 'patriots', hold election day in reverence. Talk about opening for a sucker punch. Then Gates and Richer come out and announce they're going to do a last-minute check of all the equipment just to make sure it's all running right - this is like Brandon telling everyone openly how he's firing a prosecutor in the Ukraine in the name of a fight against corruption. Gates, Richer, and Hobbs must have really enjoyed themselves on election day. We saw it indirectly through the live feed from Charlie Kirk. Total chaos. Anthem. Kari in a panic. She and her family guess right and go voting in a blue district, and it works, then she heads back to red districts with a megaphone to encourage people, to get them to stay in line. Gates, Richer, and Hobbs could have even got a bit tipsy that day. And laughing a lot too.
Alex wields something called a 'Bash Bunny'. It's likely named after 'bash', or 'Bourne Again Shell', which is a mod of Stephen Bourne's original 'sh' for Unix. Common shells other than the original include csh, ksh, tcsh, and the current favourite zsh. The interchangeability of Unix shells is one of the things that sets Unix apart.
Here's a revealing quote.
'The Terminal Emulator user can easily obtain supervisory (“root”) access privileges by simply selecting “Allow” at an on-screen prompt, shown in Figure 11. With root privileges, terminal commands can completely bypass the Android operating system’s access control restrictions and make arbitrary changes to the device’s data and software.'
Thanks, Alex. That's enough. This system was designed by either Bill Gates or a congenital moron who thinks (doesn't think) like him.
8.3 Accessing a Root Shell via the Built-In Terminal App
'The ICX is configured such that the Terminal Emulator user can easily obtain supervisory ("root') access privileges by simply selecting “Allow” at an on-screen prompt, shown in Figure 11.'
'With root privileges, terminal commands can completely bypass the Android operating system's access control restrictions and make arbitrary changes to the device's data and software.'
And that's how you do it.
Alex gives a detailed look at how you manually install malware, how you do this in an actual voting locale so as not to be detected, and how you automate the process.
If you want your country to go first-class to hell in a hand-basket, fine - just make sure the vote count is correct. You can't use electronic machines. End of.
This is an extensive paper and really deserves attention. Unfortunately, as suggested earlier, this not something people will readily understand. And that's a nightmare.
That brings us to our last point this time around.
Tucker on Twitter. #4. Just days/hours after #3.
Tucker can post whenever he wants. He's not limited by formats or schedules, certainly not by even a hint of disapproval or latent censorship. Perhaps you noticed, in that final Fox month, how he went on about how he 'just wasn't going to lie anymore', hinting that alcohol had something to do with DC's cavalier attitude to the truth. Transmitting from what seems to be a pool room, Tucker levels off with his trademark sarcasm as only he can.
And here's the thing. Tucker doesn't have to wait a week. He can get up on his pulpit whenever he likes.
Tucker's the MSG that Fox and the Deep State didn't factor in.
Also in Florida
These two look more as a given than ever.
Here she is with her, as she calls him, 'designated stud muffin' off the coast of Florida, otherwise visiting you-know-who.
That 'you-know-who' just raised another $7 million. Tara Reade, who has now found shelter from Brandon in Moscow, described the Democratic Party as a 'death cult'. Jewels and Catturd, everyone's best friends online, are neither Republican nor Democrat but will instead be voting MAGA. As that's the only path to peace for this planet, perhaps that's the path all US voters should take.
PS. The Fox chyron guy's a hero.