Culture War Roundup for the week of October 28, 2024

This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.

Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.

We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:

  • Shaming.

  • Attempting to 'build consensus' or enforce ideological conformity.

  • Making sweeping generalizations to vilify a group you dislike.

  • Recruiting for a cause.

  • Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.

In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:

  • Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.

  • Be as precise and charitable as you can. Don't paraphrase unflatteringly.

  • Don't imply that someone said something they did not say, even if you think it follows from what they said.

  • Write like everyone is reading and you want them to be included in the discussion.

On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.

Colorado Department of State has put out a press-release on a whoopsie:

The Colorado Department of State is aware that a spreadsheet located on the Department’s website improperly included a hidden tab including partial passwords to certain components of Colorado voting systems.

The Colorado Public Radio elaborates on what kind of passwords these were, and to which machines:

The Colorado Secretary of State’s office says a spreadsheet on the department’s website improperly included a tab with partial passwords to certain components of Colorado voting systems, known as BIOS passwords.

The Colorado Department of State calls these "partial" passwords and says no worries re election integrity:

“This does not pose an immediate security threat to Colorado’s elections, nor will it impact how ballots are counted,” wrote a spokesman for the office, Jack Todd, in a statement Tuesday. ... “There are two unique passwords for every election equipment component, which are kept in separate places and held by different parties. Passwords can only be used with physical in-person access to a voting system,” he wrote.

The BIOS passwords, that were stored unencrypted on an Excel spreadsheet that was up on the department's website (but in a hidden tab!), are "partial" in a sense that one needs another password to access "every election component".

I am not a certified IT geek, so I asked Claude for top three security concerns if a hacker got my computer's BIOS password:

Evil Maid Attack: They could modify boot settings to load malicious software before your operating system starts, potentially bypassing your OS security measures. This could allow them to install rootkits or keyloggers that are very difficult to detect.

Hardware Security Bypass: They could disable security features like Secure Boot or TPM (Trusted Platform Module), making your system more vulnerable to other attacks and potentially compromising disk encryption.

Data Theft: By changing boot order to external devices, they could boot into a different operating system to potentially access your hard drive data, even bypassing some OS-level password protections.

Those sound serious. That's OK, though, because I need my usual password to get into my account, so the BIOS password for my computer is just "partial", right? Claude patiently replies "Nope":

With BIOS access, an attacker can bypass your Windows password in several ways... [gives several examples of what one can do when booting from an external drive]. Think of it this way: Your Windows password is like a lock on your house's front door, but BIOS access is like having keys to all the windows and back doors. No matter how strong your front door lock is, if someone can get in another way, it won't help.

The Colorado Department of State, in their press release, give a paragraph describing why one shouldn't worry that this may compromise the voting equipment:

Colorado elections include many layers of security. There are two unique passwords for every election equipment component, which are kept in separate places and held by different parties. Passwords can only be used with physical in-person access to a voting system. Under Colorado law, voting equipment must be stored in secure rooms that require a secure ID badge to access. That ID badge creates an access log that tracks who enters a secure area and when. There is 24/7 video camera recording on all election equipment. Clerks are required to maintain restricted access to secure ballot areas, and may only share access information with background-checked individuals. No person may be present in a secure area unless they are authorized to do so or are supervised by an authorized and background-checked employee. There are also strict chain of custody requirements that track when a voting systems component has been accessed and by whom. It is a felony to access voting equipment without authorization.

I have highlighted all that impressive-sounding security: secure rooms, secure ID badge, secure area... So with all that carefully thought-out security protocol, how the F*@& did the BIOS passwords get stored unencrypted on a Microsoft Excel spreadsheet in the first place? Let alone how that Excel file got onto the Department of State website? According to the Colorado Secretary of State Jena Griswold:

Griswold said the mistake was made by a “civil servant” in the Secretary of State’s Office, who no longer works there. “Ultimately, a civil servant made a serious mistake and we're actively working to address it,” Griswold said. “Humans make mistakes.”

Which mistake, Secretary Griswold? The act of compiling the unencrypted BIOS passwords onto a Microsoft Excel spreadsheet? The act of hiding that tab and leaving it on a Microsoft Excel document meant for sharing with a broader audience? The act of uploading that document to the Department's website, free to download to anyone on the web? I am far more interested in answers to that first question, because it says quite a lot about the level of professionalism that underlies the security system of Colorado voting equipment.

What is the job of the Colorado Secretary of State?

The basic mission of the Department of State is to collect, secure, and make accessible a wide variety of public records, ensure the integrity of elections, and enhance commerce.

The Colorado GOP, therefore, wants to know if Secretary Griswold will resign. Her response:

"[Republicans in the state House] are the same folks who have spread conspiracies and lies about our election systems over and over and over again," Griswold told Colorado Public Radio. "Ultimately, a civil servant made a serious mistake and we're actively working to address it," Griswold said, adding, "I have faced conspiracy theories from elected Republicans in this state, and I have not been stopped by any of their efforts and I'm going to keep on doing my job."

So that's a no, then. Plus, a nice implication that this whoopsie is also part and parcel of the "conspiracies and lies about our election system".

Is it too late to switch to that system we had the Iraqis use, with the ink-on-the-finger that stains the skin for the following week?

Mods, can we get a moratorium on using chatbots to pad out one's word-count?

This does not seem like "padding out the word count". I use AI in this same way when I need an expert-ish opinion on something. I won't always post the exact text of the AI, but it seems fine to do that, especially if you are just gonna ape the conclusions anyways. This was a responsible use of AI.

I'd much rather people wrote their own inexpert understanding than open the can of worms that is giving people the opportunity to pull an "I didn't say that, Claude did" but it looks like I am in the minority.

If someone says what claude says, they said it. If claude was wrong, they failed to check the claims and they were wrong. If people want to become extensions of their AIs that's fine. But they're still accountable for what they post.

This just seems 1:1 equivalent to a citation.

I find it annoying when people just cite LLM output, but the alternative is they still post LLM blather and lie about it being their own writing, so I will take the minor annoyance instead of the large integrity violation.

I'd still hold people accountable for any rulebreaking that the AI does at their behest. It's certainly not a get out of jail free card. But they aren't going to stop using a useful tool. "I spoke to an AI about security systems" becomes instead "I spoke to a knowledgeable friend about security systems". And then we are just having either less honest conversations, or dumber ones if they don't do the research in the first place.

This isn't padding, though? What's the difference between asking Claude for a technical answer as done here, or summarizing one's own inexpert googling?

I will happily go along with the community norms on the matter, once such become clear. My objective is to be completely upfront where I got the info, and I tried to include only the parts that are relevant to my point. I also put them in block-quote mode, so that they are easy to skip.

It’s already against the rules. Report it if that’s what you suspect.

The OP contains a section explicitly using a chatbot to get a "default answer" to a technical question. That seems like a legitimate use of AI to me, not "padding out the word-count", but apparently @TequilaMockingbird disagrees.

Personally I'm surprised by it not because of any rules about word count or padding, but confusion about why you would trust a chatbot about any information about the real world to begin with. I would never assume that anything an AI tells me about a real world matter is true - not without first checking it myself, or asking a human expert. AIs are just too unreliable.

There has been a lot written about hallucination because some people want chatbots to be worse than they are. With experience you can generally tell when you are asking a question that an LLM will hallucinate about.

The information environment is fraught, and time and effort are not unlimited. It doesn't seem all that different from using wikipedia to me; you're trading hallucination risk for deliberate deceit risk. It's a way of getting a provisional "normie" answer from which to proceed. It looks to me like the information was reasonably accurate, and if it isn't, we can generally rely on Cunningham's Law to secure a correction.

People tend to get banned for that when it's caught / suspected, the problem is that it's hard to detect, and prove objectively. What made you think that this is what happened here?

"I asked Claude" "Claude patiently replies"

Claude is an AI chat bot built by Anthropic.

The OP didn’t hide it, used it to summarise information, which the bot has done correctly as far as I can tell (except maybe the user applied answers about home PC BIOSes to voter machines).

As long as the machines use disk encryption, having the BIOS password doesn’t allow you to log in or tamper with the data. It would allow an attacker to completely blow away the data a little quicker than they could otherwise. No idea if they do use disk encryption. If they don’t that would be a bigger scandal in my book.

Setting a BIOS password would allow an attacker to install a modified version of the loader that performs decryption (which is not, itself, encrypted, because obviously). The attacker would then have to leave the machine, let it be used at least once by the legitimate owner (thus entering the correct password) and then return again to harvest whatever they wanted.

This is a well-studied attack pattern.

Yeah, that’s true, though I think TPMs might be able to prevent that since they will check the boot image and are involved in data decryption. I’m not sure if having the BIOS password allows you to subvert that though. I think the way it works is that the key or part of the key is registered with the TPM and then it asserts about the boot image hash before releasing that key, so it is only possible to use known good boot images to decrypt your data. Maybe having the BIOS password would allow you to reset the TPM, but I think there is no way to do that without clobbering the key it stores.

No idea if these machines have that set up though.

Owning the BIOS/UEFI means you get to feed the CPU the microcode update on boot, it also means you get SMM (Ring -2 access), which is so game over it's not even funny.

That doesn’t matter with a correctly configured TPM though. The decryption process for the disk includes a key stored in the TPM, which is never revealed, and the TPM itself verifies the boot image (which is the thing responsible for decrypting the data).

You can definitely boot whatever you want, and even trick the user into inputting their password, but if that password is only half the decryption key, you can’t actually go in and tamper with any of the data. You could still replace it wholesale or send the password somewhere else for further attacks, so it’s not nothing, but it’s also not as bad as if the TPM was not set up to do boot attestation.

https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/tpm-fundamentals#measured-boot-with-support-for-attestation

the TPM itself verifies the boot image

You don't comprehend the degree of breach UEFI/bios can cause do you? The TPM itself can't verify diddly squat even over DMA if the motherboard MCU, CPU have their microcode compromised. In the worst possible scenario the implanted compromised code will simply wait for the machine to boot then start exfiltrating or altering data. And there's NOTHING you can do about it. The Intel ME is a separate processor with unrestricted access to main memory, all the registers of the processor, dma, the hdd, everything. There isn't an attestation mechanism possible for you to inspect and verify what the hell is going on in that thing if the firmware uploaded to the cpu on boot was compromised. As you'd expect from a nation state tier adversary they would have the keys to sign their own microcode patch for intel/amd.

I was going to write about BitLocker, but I doubt people that store BIOS passwords in Excel sheets think about disk encryption much.

I would really, strongly, urge you not to try to extrapolate how a home computer bios configuration works to voting machines. It's bad whenever there is a leak of any kind of course but this is like if there was a leak of the physical key design to the entrance of the polling location that still has armed guards stationed 24/7. To make use of these you'd need to know which keys correspond to which machine, have prolonged physical access to the machines, plug a keyboard or some peripheral device into them and then maybe you'd be able to do something unclear.

Or you’d need to plug a small microcontroller which can emulate a keyboard into it, then reboot it while you are in the voting booth with it.

Which is an attack that people have been demonstrating at defcon every year for at least 20 years, and is why for 20 years until something mysteriously changed in 2020, liberals were against voting machines, and it was common knowledge among hackers that voting machines were a joke.

I'll add to this that BIOS passwords do not provide much security even in the ordinary context without armed guards. In order to do something with a BIOS password, you need physical access to a machine to type it in. But if you have physical access, you can also easily reset the BIOS password by removing a battery. (This would break a seal on the machine, but those seals can also be replaced.) So I don't think this leak of BIOS passwords meaningfully made the election less secure.

I'm still very much opposed to electronic voting, however, because of all the other ways they make voting insecure.

And the people who install or maintain those machines would have access to all that information. A very small conspiracy could hijack voting machines. Slip in a USB, run a program, and it's done. Machines have to be updated and maintained all the time anyways. And it's totally feasible to write a program that infects other USBs plugged into the device: Infect one machine, and then some third unknowing party who maintains the machines ends up infecting more.

It would be very easy to do! How do we know that this isn't being done? We would need a thorough audit of machine votes and record systems, and that's a right-wing Republican dangerous conspiracy that undermines trust in our sacred democracy.

Sure but like, at that point the bios passwords aren't really necessary right? We're talking about a level of access and familiarity with the system that makes this look like having a partial print of your home's key for a team that is totally capable of just removing your door from its hinges.

Ok, but how does this relate to the OP? This is true whether or not there's a leak of some specific passwords in a publicly accessible excel document. Somebody has to have access to maintain voting machines and by the nature of maintenance would be able to compromise the thing they're maintaining.

In a secure operation, only a few people would have access to important passwords (like bios). Now, everybody has access to those passwords. The list of people who could be suspected of tampering with a ballot machine goes from documented individuals with a need-to-know to... everybody. And there would be lots of people with legitimate reason to handle a ballot machine who would not have legitimate reason to know those passwords. Lots of people handle ballot machines!

We know how to secure systems in this country, we do it all the time. If these passwords belonged to drones being used in Ukraine, the officer in charge wouldn't say, well, mistakes happen, but five day delays are normal, we shouldn't worry about Russia hacking into our systems, etc. etc.

The list of people who could be suspected of tampering with a ballot machine goes from documented individuals with a need-to-know to... everybody. And there would be lots of people with legitimate reason to handle a ballot machine who would not have legitimate reason to know those passwords.

Yes, and in the event one of those "documented individuals" was planning something nefarious, "accidentally" releasing that data to the public would be a clever way to muddy the waters for any future audit or investigation. "I swear, it could've been anyone your honor."

Oops, I've strayed into cynical conspiracy-minded Republican territory again.

I mean, I could turn around and say if you knew that somebody was planning something nefarious but couldn't prove it, "accidentally" releasing the passwords to the public is also a clever way to increase common knowledge of the attack vector, thus making it more likely that people will look in the right place during the investigation.

This could be less serious than it seems. If the voting system is designed right, a BIOS password would be insufficient to cast a fraudulent vote - one possible example is in the vein of Windows' Bitlocker. A modified BIOS would cause the OS to reject the boot attempt, so you'd fail to get anywhere. If you booted something else, like a facsimile of the actual voting system but that swaps 25% of the votes for Trump to Harris or something, then you wouldn't have the credentials to submit the votes gathered and your pack of votes would be tossed.

But you could also use that as the attack, if you deploy machines that look like they're doing the right thing but then have bad/missing credentials and their votes are not counted, you could poke holes in areas that lean heavily Trump. This would be detectable after the fact - there'd be machines that mysteriously "glitched out" but you can't trust the machine so those votes can't come back in.

Either way, that's assuming there's decent security design in place. And of course, if they are right that you need access to the machine to put in the password and there's no remote management gunk somebody forgot to disable and they're under 24-7 guard, then the leak isn't actionable in the first place.

So overall effect - if you trust them to be mostly competent, things are in fact fine (unless/until a bunch of machines' worth of votes are tossed).

Bitlocker has been so thoroughly pwned it's a pure joke.

I'm not endorsing it - I'm just using it as an example more people are likely to know by name. It is the type of protection you want to see - disc encryption that only unlocks under the right conditions.

A modified BIOS would cause the OS to reject the boot attempt

I don't know how the security architecture works in detail, but that really seems like the sort of thing a modified BIOS could work around with a strategic byte write to a known memory address. It's ~impossible to defend yourself against an attacker running on a higher ring than you.

You are, in principle, correct but that's exactly what dedicated cryptography hardware like a TPM is there to resolve. The BIOS stuffs some values not known ahead of time but measured/detected during the boot process (like a hash of the values in a bunch of different registers at point D during an ABCDEFG register sequence) into the hardware gizmo. Then the OS polls the gizmo for its current value and tries to decrypt its main boot volume using that as the key - wrong value, fail to boot. A compromised BIOS will now get different results from the measurements/hashes and can't reproduce that same state. If it had full control over the TPM, it could, but it doesn't - it does not respect ring 0. To be clear, there is still a way to beat this - you just have to monitor the values sent to the gizmo and then replay them in order, rather than trying to do the measurements yourself, but you can't accomplish that without physical access to the internals of the machine and some kind of sensor/probe to watch whichever bus the traffic goes over. You can also try to crack open the gizmo and read back its state, but that's also access-to-internals level.
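
The measure-then-unseal flow described in the comment above, as an added example that is not part of the original thread: a toy Python model of one extend-only PCR gating release of a disk key. `SimTPM`, the component byte strings and the key are constructed for illustration and are assumptions; real TPM banks, policy sessions and anything about the Colorado machines are not modelled.

```python
import hashlib
import hmac


class SimTPM:
    """Toy model of one SHA-256 PCR and one sealed secret (not a real TPM API)."""

    def __init__(self):
        self._pcr = bytes(32)      # PCRs start as all zeros at power-on
        self._sealed = None        # (expected_pcr, secret); survives reboots

    def reset(self):
        """Power cycle: the PCR returns to zeros, the sealed blob is kept."""
        self._pcr = bytes(32)

    def extend(self, component: bytes) -> bytes:
        """PCR_new = SHA256(PCR_old || SHA256(component)). There is no 'set'."""
        digest = hashlib.sha256(component).digest()
        self._pcr = hashlib.sha256(self._pcr + digest).digest()
        return self._pcr

    def read_pcr(self) -> bytes:
        return self._pcr

    def seal(self, secret: bytes, expected_pcr: bytes) -> None:
        """Bind a secret to the PCR value a known-good boot produces."""
        self._sealed = (expected_pcr, secret)

    def unseal(self):
        """Release the secret only if the current PCR matches the sealed value."""
        if self._sealed is None:
            return None
        expected_pcr, secret = self._sealed
        if hmac.compare_digest(self._pcr, expected_pcr):
            return secret
        return None


def pcr_for(chain) -> bytes:
    """Compute the PCR value a given boot chain would produce."""
    scratch = SimTPM()
    for component in chain:
        scratch.extend(component)
    return scratch.read_pcr()


def provision(tpm: SimTPM, chain, secret: bytes) -> None:
    """Done once on a trusted machine: seal the key to the good chain."""
    tpm.seal(secret, pcr_for(chain))


def boot_and_unseal(tpm: SimTPM, chain):
    """Reboot, measure each stage in order, then ask for the key."""
    tpm.reset()
    for component in chain:
        tpm.extend(component)
    return tpm.unseal()


# Constructed sample data (not real firmware images or keys).
VOLUME_KEY = b"constructed-disk-key"
GOOD_CHAIN = [b"firmware+settings v1", b"bootloader v1", b"kernel v1"]
TAMPERED_CHAIN = [b"firmware+settings v1 (boot order changed)",
                  b"bootloader v1", b"kernel v1"]
REORDERED_CHAIN = [b"bootloader v1", b"firmware+settings v1", b"kernel v1"]


def demo() -> dict:
    """Run the three boots against one provisioned TPM and report the outcome."""
    tpm = SimTPM()
    provision(tpm, GOOD_CHAIN, VOLUME_KEY)
    return {
        "good": boot_and_unseal(tpm, GOOD_CHAIN) == VOLUME_KEY,
        "tampered": boot_and_unseal(tpm, TAMPERED_CHAIN) is None,
        "reordered": boot_and_unseal(tpm, REORDERED_CHAIN) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'as expected' if ok else 'UNEXPECTED'}")
```

Because the PCR can only be extended, a boot that measured a changed first stage cannot get back to the sealed value by measuring the good components afterwards; only a fresh boot of the unmodified chain does.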

Ah, that's fair. So for instance the TPM could detect a patched bios by polling the actual eeprom for a checksum? Or just signature check the whole thing. It wouldn't even have to use the BIOS to talk to the hardware in the first place. The BIOS just has to go "okay, you have the hardware, I won't touch the bus for the next x ms."

I guess that's pretty convincing in theory. (Do I trust that it's actually working like that? Is it even on?)

Ehhh, it's not great that these passwords have been disclosed but honestly, it's not the end of the world in this situation, assuming the voting machines are designed intelligently (not a safe thing to assume, I know): if someone has access to enter the BIOS password, they probably already have the kind of access they need to the machine to compromise it in many ways.

Sure. But every time an exploit comes out that chains together like seven distinct vulnerabilities, people ask "how was this possible? they seem to pull out a new security hole at every single layer of security." And the answer is normalization of deviance, ie. "that's bad but we still have more layers of defense".

Of course, it shows a lack of attention from the IT team who made the document, which puts into question how much we can trust them with regards to the security layers that actually matter. I'm just pointing out that this one "security layer" does not matter.

Is it any wonder that republicans have trouble trusting the integrity of our election systems when fair-minded professionals like Griswold are in charge of it?

I can't speak to the exact systems they are using, but my laptop from 15 years ago had two levels of BIOS passwords. You could set one (and I did) to prevent booting without the password, and another to actually make changes to the system. Assuming this is similar, I'd bet it's the password to just turn the thing on, not change it.

We don't actually know: why would you assume it's not serious?

Because if my biggest enemy managed to get the BIOS password to one of my machines (if I even cared to put one; I don't), I would not give a fuck. If you told me my biggest enemy managed to get the BIOS password to my machine AND unsupervised physical access to my machine for a couple of hours, then yeah I'd be worried and wouldn't trust that machine anymore.

But so would I if he just had unsupervised physical access to my machine for a couple of hours.

Hence, the BIOS password is inconsequential.

Considering that this organization is literally publishing their passwords in an Excel document on the open internet, would you think that their physical security is likely to be particularly competent?

Considering that this organization is literally publishing their passwords in an Excel document on the open internet, would you think that their physical security is likely to be particularly competent?

No, I don't think it is. But the BIOS password is not holding back anything if the physical security is lacking.

Who has access to voting machines? Lots of people, presumably. It's not like we have a full list of all election workers who stand near a ballot. I went and voted early this week, there were two ballot machines, in the hullabaloo it would have been easy for someone to stick a USB in. How would you feel about the scenario, "My biggest enemy managed to get the BIOS password to my machine AND dozens of people have unsupervised access to my machine, and one of those people could or could not be my worst enemy."

in the hullabaloo it would have been easy for someone to stick a USB in

If that was possible, then the issue is not a BIOS password, it's unsecured USB ports and no one keeping an eye on them. Someone could stick in a keylogger or rubber ducky and cause all sorts of issues, without any BIOS password.

I'm not making the case that voting machines are secure; from my understanding they're very much not. Just that the situations in which having the BIOS password enables someone to do something nefarious overlap almost perfectly with the situations in which someone could do similar harm without the BIOS password. Replacing the OS with a tampered version is not a drive-by attack even with the BIOS password any worker can do in a couple of minutes with the machine. They need physical access to the machine for a length of time that is in the same ballpark as the time they would need to bypass a BIOS password.

How would you feel about the scenario, "My biggest enemy managed to get the BIOS password to my machine AND dozens of people have unsupervised access to my machine, and one of those people could or could not be my worst enemy."

Pretty much the same as if no one had my BIOS password and dozens of people have unsupervised access to my machine, and one of those people could or could not be my worst enemy. BIOS passwords are a paper thin security feature, they're more to keep nosy kids and clueless employees from creating issues for IT to solve than protect the integrity of the data on the machines.

I don't understand how anyone reasonably intelligent or familiar with IT could be so blase about this.

Lots of people from random officials and polling site volunteers, to the voting public themselves are going to have unsupervised physical access to these machines. Meanwhile the number of people who have legitimate reasons to access the bios, change settings, etc... can't be more than a few dozen. This is, to all appearances, quite bad.

Lots of people from random officials and polling site volunteers, to the voting public themselves are going to have unsupervised physical access to these machines.

Because that's the very point, a BIOS password is hardly any protection against someone who knows what they're doing having unsupervised access to the hardware, AND it requires having unsupervised physical access to the machine to exploit a leaked password anyway. At best it saves them a bit of time. The usefulness of a BIOS password is protecting against people who don't know what they're doing accidentally changing BIOS settings, or very unsophisticated malicious actors (kids, disgruntled employees wanting to break something).

Lots of people are going to have physical access to these machines who shouldn't have access to things like system settings.

Is it really so difficult for you to understand why that presents a problem? Or are you also in the habit of arguing that people should leave their doors unlocked because a determined thief will just pick the lock or break a window to get in anyway?

Lots of people are going to have physical access to these machines who shouldn't have access to things like system settings.

And they all have access to the BIOS settings, with or without the BIOS password. Unsupervised physical access to a machine makes completely irrelevant a BIOS password.

Or are you also in the habit of arguing that people should leave their doors unlocked because a determined thief will just pick the lock or break a window to get in anyway?

I'm not saying they SHOULD give out the BIOS password. I'm saying that for these machines to be trustworthy, the BIOS password does basically nothing if untrusted people have access to them unsupervised for significant amounts of time.

I'm saying it makes no difference if the door is locked or not if someone is given a couple of hours unsupervised access to your house; they have more than enough time to get in with or without a locked door.

I don't understand how anyone reasonably intelligent or familiar with IT could be so blase about this.

Because all is lost anyway. Computer systems are not generally secure things with layers of protection that are sometimes breached. Rather, inside any connected system there's likely malware from the CIA, NSA, a couple of Russian and Chinese groups, and some freelancers. Inside the malware is malware from the other bunch, plus the Mossad. And also the firewalls and such are thoroughly pwned. And this is all just automated, it's just luck whether anyone actually notices whether they've gotten into anything of value.

I have felt for a long time that fatalism is more often than not a coping mechanism for a perceived or imagined lack of agency.

The attitude being that if nothing matters then I can't be held responsible for anything, can I?

There isn't anything most reasonably intelligent people familiar with IT can do about it, since they don't have any power, authority, or influence over the security of these particular machines. If a house is thoroughly infested with termites, worrying about a woodpecker pecking at the facade is pointless.

Again smells like cope to me.

The normalization of deviance and incompetence is not an excuse for it.