site banner
PaperclipPerfector  6mo ago (text post)   34905 thread views

Culture War Roundup for the week of October 28, 2024

This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.

Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.

We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:

  • Shaming.

  • Attempting to 'build consensus' or enforce ideological conformity.

  • Making sweeping generalizations to vilify a group you dislike.

  • Recruiting for a cause.

  • Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.

In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:

  • Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.

  • Be as precise and charitable as you can. Don't paraphrase unflatteringly.

  • Don't imply that someone said something they did not say, even if you think it follows from what they said.

  • Write like everyone is reading and you want them to be included in the discussion.

On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.

6
Top Bottom Old Controversial Comments
Jump in the discussion.

No email address required.

Colorado Department of State has put out a press-release on a whoopsie:

The Colorado Department of State is aware that a spreadsheet located on the Department’s website improperly included a hidden tab including partial passwords to certain components of Colorado voting systems.

The Colorado Public Radio elaborates on what kind of passwords these were, and to which machines:

The Colorado Secretary of State’s office says a spreadsheet on the department’s website improperly included a tab with partial passwords to certain components of Colorado voting systems, known as BIOS passwords.

The Colorado Department of State calls these "partial" passwords and says no worries re election integrity:

“This does not pose an immediate security threat to Colorado’s elections, nor will it impact how ballots are counted,” wrote a spokesman for the office, Jack Todd, in a statement Tuesday. ... “There are two unique passwords for every election equipment component, which are kept in separate places and held by different parties. Passwords can only be used with physical in-person access to a voting system,” he wrote.

The BIOS passwords, that were stored unencrypted on an Excel spreadsheet that was up on the department's website (but in a hidden tap!), are "partial" in a sense that one needs another password to access "every election component".

I am not a certified IT geek, so I asked Claude for top three security concerns if a hacker got my computer's BIOS password:

Evil Maid Attack: They could modify boot settings to load malicious software before your operating system starts, potentially bypassing your OS security measures. This could allow them to install rootkits or keyloggers that are very difficult to detect.

Hardware Security Bypass: They could disable security features like Secure Boot or TPM (Trusted Platform Module), making your system more vulnerable to other attacks and potentially compromising disk encryption.

Data Theft: By changing boot order to external devices, they could boot into a different operating system to potentially access your hard drive data, even bypassing some OS-level password protections.

Those sound serious. That's OK, though, because I need my usual password to get into my account, so the BIOS password for my computer is just "partial", right? Claude patiently replies "Nope":

With BIOS access, an attacker can bypass your Windows password in several ways... [gives several examples of what one can do when booting from an external drive]. Think of it this way: Your Windows password is like a lock on your house's front door, but BIOS access is like having keys to all the windows and back doors. No matter how strong your front door lock is, if someone can get in another way, it won't help.

The Colorado Department of State, in their press release, give a paragraph describing why one shouldn't worry that this may compromise the voting equipment:

Colorado elections include many layers of security. There are two unique passwords for every election equipment component, which are kept in separate places and held by different parties. Passwords can only be used with physical in-person access to a voting system. Under Colorado law, voting equipment must be stored in secure rooms that require a secure ID badge to access. That ID badge creates an access log that tracks who enters a secure area and when. There is 24/7 video camera recording on all election equipment. Clerks are required to maintain restricted access to secure ballot areas, and may only share access information with background-checked individuals. No person may be present in a secure area unless they are authorized to do so or are supervised by an authorized and background-checked employee. There are also strict chain of custody requirements that track when a voting systems component has been accessed and by whom. It is a felony to access voting equipment without authorization.

I have highlighted all that impressive-sounding security: secure rooms, secure ID badge, secure area... So with all that carefully thought-out security protocol, how the F*@& did the BIOS passwords got stored unencrypted on a Microsoft Excel spreadsheet in the first place? Let alone how that Excel file got onto the Department of state website? According to the Colorado Secretary of State Jena Griswold:

Griswold said the mistake was made by a “civil servant” in the Secretary of State’s Office, who no longer works there. “Ultimately, a civil servant made a serious mistake and we're actively working to address it,” Griswold said. “Humans make mistakes.”

Which mistake, Secretary Griswold? The act of compiling of the unencrypted BIOS passwords onto a Microsoft Excel spreadsheet? The act of hiding that tab and leaving it on a Microsoft Excel document meant for sharing with broader audience? The act of uploading that document to the Department's website, free to download to anyone on the web? I am far more interested in answers to that first question, because it says quite a lot about the level of professionalism that underlies the security system of Colorado voting equipment.

What is the job of the Colorado Secretary of State?

The basic mission of the Department of State is to collect, secure, and make accessible a wide variety of public records, ensure the integrity of elections, and enhance commerce.

The Colorado GOP, therefore, wants to know if Secretary Griswold will resign. Her response:

[Republicans in the state House] are the same folks who have spread conspiracies and lies about our election systems over and over and over again," Griswold told Colorado Public Radio. "Ultimately, a civil servant made a serious mistake and we're actively working to address it," Griswold said, adding, "I have faced conspiracy theories from elected Republicans in this state, and I have not been stopped by any of their efforts and I'm going to keep on doing my job."

So that's a no, then. Plus, a nice implication that this whoopsie is also part and parcel of the "conspiracies and lies about our election system".

Is it too late to switch to that system we had the Iraqis use, with the ink-on-the-finger that stains the skin for the following week?

As long as the machines use disk encryption, having the BIOS password doesn’t allow you to log in or tamper with the data. It would allow an attacker to completely blow away the data a little quicker than they could otherwise. No idea if they do use disk encryption. If they don’t that would be a bigger scandal in my book.

Setting a BIOS password would allow an attacker to install a modified version of the loader that performs decryption (which is not, itself, encrypted, because obviously). The attack would then have to leave the machine, let it be used at least once by the legitimate owner (thus entering the correct password) and then return again to harvest whatever they wanted.

This is a well-studied attack pattern.

Yeah, that’s true, though I think TPMs might be able to prevent that since they will check the boot image and are involved in data decryption. I’m not sure if having the BIOS password allows you to subvert that though. I think the way it works is that the key or part of the key is registered with the TPM and then it asserts about the boot image hash before releasing that key, so it is only possibly to use known good boot images to decrypt your data. Maybe having the BIOS password would allow you to reset the TPM, but I think there is no way to do that without clobbering the key it stores.

No idea if these machines have that set up though.

Owning the BIOS/UEFI means you get to feed the CPU the microcode update on boot, it also means you get SMM (Ring -2 access), which is so game over it's not even funny.

That doesn’t matter with a correctly configured TPM though. The decryption process for the disk includes a key stored in the TPM, which is never revealed, and the TPM itself verifies the boot image (which is the thing responsible for decrypting the data).

You can definitely boot whatever you want, and even trick the user into inputting their password, but if that password is only half the decryption key, you can’t actually go in and tamper with any of the data. You could still replace it wholesale or send the password somewhere else for further attacks, so it’s not nothing, but it’s also not as bad as if the TPM was not set up to do boot attestation.

https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/tpm-fundamentals#measured-boot-with-support-for-attestation

the TPM itself verifies the boot image

You don't comprehend the degree of breach UEFI/bios can cause do you? The TPM itself can't verify diddly squat even over DMA if the motherboard MCU, CPU have their microcode compromised. In the worst possible scenario the implanted compromised code will simply wait for the machine to boot then start exfiltrating or altering data. And there's NOTHING you can do about it. The Intel ME is a separate processor with unrestricted access to main memory, all the registers of the processor, dma, the hdd, everything. There isn't an attestation mechanism possible for you to inspect and verify what the hell is going on in that thing if the firmware uploaded to the cpu on boot was compromised. As you'd expect from a nation state tier adversary they would have the keys to sign their own microcode patch for intel/amd.

What is this place?

This website is a place for people who want to move past shady thinking and test their ideas in a court of people who don't all share the same biases. Our goal is to optimize for light, not heat; this is a group effort, and all commentators are asked to do their part.

The weekly Culture War threads host the most controversial topics and are the most visible aspect of The Motte. However, many other topics are appropriate here. We encourage people to post anything related to science, politics, or philosophy; if in doubt, post!

Check out The Vault for an archive of old quality posts. You are encouraged to crosspost these elsewhere.


Why are you called The Motte?

A motte is a stone keep on a raised earthwork common in early medieval fortifications. More pertinently, it's an element in a rhetorical move called a "Motte-and-Bailey", originally identified by philosopher Nicholas Shackel. It describes the tendency in discourse for people to move from a controversial but high value claim to a defensible but less exciting one upon any resistance to the former. He likens this to the medieval fortification, where a desirable land (the bailey) is abandoned when in danger for the more easily defended motte. In Shackel's words, "The Motte represents the defensible but undesired propositions to which one retreats when hard pressed."

On The Motte, always attempt to remain inside your defensible territory, even if you are not being pressed.


New post guidelines

If you're posting something that isn't related to the culture war, we encourage you to post a thread for it. A submission statement is highly appreciated, but isn't necessary for text posts or links to largely-text posts such as blogs or news articles; if we're unsure of the value of your post, we might remove it until you add a submission statement. A submission statement is required for non-text sources (videos, podcasts, images).

Culture war posts go in the culture war thread; all links must either include a submission statement or significant commentary. Bare links without those will be removed.

If in doubt, please post it!


Rules


Recommended Posts And Communities

Recommended Realtime Chats