Hatemail 2020-10-22: No, the 4chan Ballot ‘Hack’ Doesn't Work (We Tested it On Ourselves)
Newsletter and intel from the LaBac Hacker Collective
Last Sunday, a 4chan user claimed to have exploited a “major bug” in Oregon’s and Washington state’s online voter registration systems that allegedly allowed hackers to change registrations and cancel ballots with only the voter’s name and date of birth.
The 4chan posts quickly spread to Twitter, and right-wing fringe media sources (such as Gateway Pundit) quickly picked up the story. The claim, of course, was false — voter registration could not be changed without a state ID number, though it appears that PII and other voting information was easily accessible.
Naturally, 4chan users chose Washington state resident Jeff Bezos as their example of how to “exploit” the state’s voting system (for Oregon they chose the mayor of Portland, Ted Wheeler). Using only Bezos’ name and birthdate, 4chan users were able to obtain Bezos’ current address, create a generic Bezos ballot, and learn that Bezos did not request to vote by mail this year. (A collective member investigated further and, using this same method, was able to learn which elections Bezos has voted in and the last four digits of his phone number).
Notably, the original 4chan claim was that fraudsters could easily invalidate or change election ballots in Washington, Oregon, and other states using the same voter registration system (including Alaska and Broward County, Fla.). Though voter.votewa.gov cautions that if you view a printable ballot online, “a ballot previously mailed to you will be cancelled,” this appears not to be true.
We had a collective member test this claim on their own registration, specifically the claim that a message would appear cautioning that a registerer’s mailed ballot would be cancelled if the ‘continue’ button was hit. Turns out doing so also leads to another generic voter lookup page.
Our member then called Washington state and King County, Wash., reps for clarification about the caution message, and to see if they really cancelled their mail ballot. They received mixed messages: One person said that clicking the ‘continue’ button would suspend the ballot previously mailed to them, another said they would have to download the pdf ballot, and a third said the pdf ballot would have to be printed and cast to invalidate the original ballot, which turned out to be the real answer. Interestingly, since the series of calls made by our member, the caution message was changed to read “a ballot previously mailed to you will be placed on hold.”
In the case of Bezos, in order for voter fraud to actually occur, the 4chan wannabe fraudster would likely have to submit the printable Bezos ballot and sign it with Bezos’ signature. Every ballot in Washington is checked against the signature on the voter’s state ID by an election official trained in voter verification by the Washington State Patrol, though as one 4chan user pointed out, a version of Bezos’ signature is available online.
While the 4chan users did not actually expose voter fraud, their exploits did raise a few questions. First, how accurate is signature verification? If twenty 4chan users send in Bezos’ ballot, it would likely be difficult for an election official to verify the legitimate one. An election official would then have to contact Bezos and confirm with him which ballot was his.
Second, though voter fraud is unlikely via this online voting portal, could an entity overburden a Washington county’s election board with generic ballots, even if those ballots don’t have a shot at being counted?
It would be difficult, and any potential nefarious entity would have to work to cover their tracks. (Plus the entity would have to physically mail generic ballots, which itself leaves a trail). A King County, Wash., election official did tell our member that they reach out to voters if they receive multiple ballots under their identity. So maybe this ‘exploit’ is a moot point and (Mr. Bezos aside) is unlikely to be tried at scale.
Third: Though name, address, voter precinct, and which elections you voted in are considered public information under Washington state law, maybe the voter registration portal could add a bit of additional security to login. And fourth, even if the 4chan users were completely wrong, which they mostly were, their posts were used as misinformation on Twitter and caused quite a bit of excitement among the far-right. It’s concerning to ask this in the context of our election infrastructure, but does the truth matter once the lie is spread?
Thursday, October 29 (1pm ET) - Webinar, “Social Media’s Role in the US Election” featuring Dipayan Ghosh, co-director of the Digital Platforms & Democracy Project at the Harvard Kennedy School and former public policy advisor at Facebook, and Vera Zakem, Senior Policy and Technology Advisor for the Institute for Security and Technology and former strategy and research at Twitter. [All Tech Is Human]
Security and Disinformation Threats Ahead of Election
[Vice] [The Washington Post] On Tuesday, Democratic voters in Florida and Alaska received threatening emails urging them to change their party affiliation to Republican and vote for Trump “or else.” The emails were spoofed to look like they came from the far-right group the Proud Boys (though the Proud Boys have denied any involvement). On Wednesday evening, a top intelligence official accused Iran of having sent the emails in an effort to intimidate U.S. voters. At least one recipient of the emails was also sent a video which contained the personal information of some voters.
[ABC News] On Monday, the Justice Department announced charges against six Russian GRU military officers allegedly involved in a series of hacking and malware operations targeting election infrastructures in other countries. The DOJ described the operations as “the most destructive and costly cyber-attacks in history” during the announcement.
[The Verge] A story published by the New York Post about Hunter Biden came under scrutiny last week, as well as the following decisions by Facebook and Twitter to curb the spread of the story on their platforms. Adi Robertson (@thedextriarchy) for the Verge writes on what the reaction around the Hunter Biden story says about the changing landscape of political discourse and information on social media.
[First Draft] This new dashboard by First Draft, a nonprofit coalition fighting disinformation, offers daily insights and creates a snapshot of what their investigative research team is looking at.
Closer Look: Disinformation Targeting Latinx communities
[FiveThirtyEight] Kaleigh Rogers (@KaleighRogers) and Jaime Longoria (@jailongo) take a deep dive into a network of disinformation sites first reported on by Politico that was created by YouTuber and gamer Sean Reynolds to target Latinx Americans.
[New York Times] Misinformation first gains traction online and then spreads to networks and chats on WhatsApp, which is particularly popular among Latinx immigrants.
[Politico] Online, magazolanos (Venezuelan Trump supports) paint a picture of impending doom if Trump loses — and they sometimes promote conspiracies to further that narrative.
[NBC News] Experts warn of election disinformation aimed at Black and Latinx voters. NBC News talked with voters about their experiences with election disinformation.
White Supremacy and Police
[The Intercept] Dataminr markets itself as a tech-run public safety tool, but those familiar with the company’s work claim that its surveillance services are “nothing more than garden-variety racial profiling” powered by teams of “experts” that primarily rely on their own judgements when assessing threats.
[New York Times] A recent report released by the nonprofit Upturn found that at least 2,000 law enforcement agencies have access to tools that can unlock encrypted smartphones. And, the report also found that police are breaking into phones way more regularly than previously thought.
[Bloomberg] Geographer and professor Alexander Reid Ross has documented and mapped over 800 incidents of right-wing violence — and has found that incidents are declining in frequency but growing in to be more violent.
[New York Times] Activists from all over the world are developing tools and facial recognition software that can be used to identify members of law enforcement if they try to hide their identity while on the job.
On Our Radar…
[Forbes] Unfortunately, LaBac followers may find familiarity in this story: A popular bot on Telegram is using a commonly-known machine learning model to unclothe photos of women without their knowledge. So far, the bot has generated fake nudes of over 100,000 women.
[Southern Poverty Law Center] SPLC announced that they are collapsing their “Black Separatist” listing. While they will continue to monitor these groups, their classification will be transferred to hate ideologies (such as anti-semitism, for example) that “better describe the harm their rhetoric inflicts.”
[New York Times] While small local newsrooms shut down all over the country, Republican groups and corporate P.R. firms have grown an operation of 1,000 “local” media outlets that publish coverage in their favor.
Hate speech website: Rapeable[.]com
Who hosts: Cogent, Endurance International Group
Today’s site is rapeable[.]com. The site hosts memes and media pertaining to far-right views, racism, and sexual exploitation. Rapeable uses known shady datacenters Cogent Communications and Endurance International Group to protect and host their infrastructure. While their site seems to be under attack as of this moment, we have previously observed the website to be hosted on IP 66.96.149[.]20.