As reported by whowhatwhy.org/…, WaPo and Josh Marshall, the backstory to Brian Kemp’s accusation against the Georgia Democratic party of hacking the state’s voter registration system is quite insidious.
Apparently, a voter found a security vulnerability in the software used by the state’s voter registration system on Saturday
The voter alerted an attorney for the plaintiffs in one of the on-going lawsuits against Kemp’s office.
That lawyer (David Cross) alerted the FBI and attorneys for Kemp’s office.
Separately, someone not affiliated with the Democratic party flagged the security vulnerability to a Democratic party volunteer.
The volunteer forwarded the email to the party’s voter protection director, who shared it with cyber-security experts, who then alerted a national intelligence agency and reached out to the Coalition for Good Governance, an election security advocacy group.
Bruce Brown, a lawyer for the group then alerted Kemp’s office.
Kemp then put out a press release accusing the state Democratic party of trying to hack the state system.
Instead of addressing the security issues, Kemp’s office put out the statement Sunday saying he had opened an investigation that targets Democrats for hacking, without providing any evidence or details. There was no mention of the letters and information sent to the SoS office and to the FBI by Democrats, alerting them of the problem.
The “hack” in this case is really simple — by typing the appropriate URL, any user can access any file on the server, including voter registration records, network configuration files and cryptographic keys. Files can also be modified. The security features of this software are extremely immature. Georgia’s system has not been audited, so who knows how many other security holes are there.
