a Better Bubble™

“A Terrible Vulnerability”: Cybersecurity Researcher Discovers Yet Another Flaw in Georgia’s Voter Cancellation Portal

1 year 3 months ago

Until Monday, a new online portal run by the Georgia Secretary of State’s Office contained what experts describe as a serious security vulnerability that would have allowed anyone to submit a voter cancellation request for any Georgian. All that was required was a name, date of birth and county of residence — information easily discoverable for many people online.

The flaw was brought to the attention of ProPublica and Atlanta News First over the weekend by a cybersecurity researcher, Jason Parker. Parker, who uses they/them pronouns, said that after discovering it, they attempted to contact the Georgia Secretary of State’s Office. The office said it had no records of Parker’s attempts to reach out.

“It’s a terrible vulnerability to leave open, and it’s essential to be fixed,” Parker said.

The issue Parker exposed was “as bad as any voter cancellation bug could be” and “incredibly sloppy coding,” said Zach Edwards, a senior threat researcher at the cybersecurity firm Silent Push, who reviewed the flaw at the request of ProPublica. “It’s shocking to have one of these bugs occur on a serious website.” Edwards said that even a basic penetration test, in which outside experts vet the security of a website before its launch, “should have picked this up.”

ProPublica and Atlanta News First jointly alerted the Secretary of State’s Office to the vulnerability and held the publication of their articles until it was fixed.

“We have updated the process to include an error message letting the individual know their submission is incomplete and will not be processed,” Blake Evans, Georgia’s elections director, said in a statement from the Secretary of State’s Office.

In the days after the portal launched last Monday, The Associated Press and The Current each reported the existence of separate security vulnerabilities that exposed voters’ sensitive personal information, including the last four digits of their Social Security number and their full driver’s license number. The Secretary of State’s Office told the news organizations that it quickly fixed the portal. Democrats warned that the system could be abused, as right-wing activists have been challenging tens of thousands of voter registrations in a different process that a 2021 state law expanded. Over the weekend, ProPublica reported that users of the portal had unsuccessfully attempted to cancel the voter registrations of two prominent Republican officials, Secretary of State Brad Raffensperger and Rep. Marjorie Taylor Greene.

The flaw found by Parker was different from the two previously reported ones. This one would allow any user of the portal to bypass the screen that requires a driver’s license number and submit the cancellation request without it.

The Secretary of State “needs to consider this an all-hands-on-deck” moment “and hire multiple testing and security firms and stop relying on the public’s goodwill and pro bono security researchers to test the quality of their website,” Edwards said. “At this point, we should assume there are other subtle bugs that could have potentially serious impact.” Edwards said that it would have been easy for a malicious actor to automate cancellation requests to get around security measures built into the website and submit thousands of them.

In a video shared with ProPublica, Parker, who is moving from Georgia to another state, demonstrated how the registration cancellation tool could be exploited in roughly a minute. First, they entered their name, date of birth and county of residence to get past the website’s initial screening page. When the portal asked them for a driver’s license number, Parker right-clicked to inspect the browser’s HTML code — a basic option available to anyone — and deleted a few lines of code requiring them to submit their driver’s license number. Parker then hit submit. A window popped up stating that “Your cancellation request has been successfully submitted” and that county election workers would process the request within a week.

Parker said it took them less than two hours of poking around the website to find the vulnerability.

“Incomplete paper and online applications will not be accepted,” Evans said in the statement. (Parker’s cancellation request would have lacked a driver’s license number.) The Secretary of State’s Office did not respond to individual questions about what testing the portal underwent before launch, the system’s security procedures, what happened to Parker’s cancellation request and how the public could be sure of the portal’s security given the recent disclosures of security flaws.

Cybersecurity Researcher Shows Flaw With Georgia’s Voter Registration Cancellation Website

“The Secretary of State’s Office needs to do better,” said Marisa Pyle, the senior democracy defense manager for Georgia with All Voting is Local, a voting rights advocacy organization. “The state needs to be really intentional about how it rolls out these things. It needs to make sure they’re secure and provide their rationale for making them.”

Jake Braun, the author of a book on cybersecurity flaws in election systems and lecturer at the University of Chicago, said that there is a long history of elections-related websites suffering from easily exploitable security failures, including Russians hacking election infrastructure during the 2016 election and public-interest competitions in which participants breached replicas of state election websites in minutes. Online elections infrastructure, he said, “needs more standards and better standards.”

Edwards said that the portal’s vulnerability-plagued rollout showed the necessity of improving the vetting process.

“Georgia should step up and pass a law saying all new websites in which the public interacts with government documents should have an outside review,” Edwards said. The public “should expect” officials “did some due diligence.”

by Doug Bock Clark

Dismissed cases show university should not have arrested journalists

1 year 3 months ago

New Mexico State Police and University of New Mexico police arrest pro-Palestinian protesters at the University of New Mexico in Albuquerque on April 30, 2024.

Chancey Bush/The Albuquerque Journal via Associated Press

Charges have been dismissed against two Albuquerque journalists who were arrested at the University of New Mexico during a police sweep of a pro-Palestinian encampment in May. Although they no longer face trial, the journalists’ arrests and subsequent prosecution were violations of their constitutional rights and should have never occurred in the first place.

“By dropping the prosecutions, the UNM Police Department sent a message, albeit belatedly, that journalists can report freely,” Freedom of the Press Foundation (FPF) advocacy intern Jimena Pinzon wrote for the Albuquerque Journal. “While they deserve some credit for eventually coming to their senses, next time they need to avoid heading down this path in the first place.”

Pinzon also discussed a problematic legal quirk that allows police in New Mexico to prosecute misdemeanor cases without involving actual prosecutors. That allowed police to cut out the local district attorney, whose office had vowed not to prosecute First Amendment activity at protests.

Freedom of the Press Foundation

Chicago police must respect journalists’ rights at convention protests

1 year 3 months ago

The brutal Chicago police response to protests during the 1968 Democratic National Convention was disastrous. As the city hosts another convention, during another unpopular war, police have a chance to get it right.

AP Photo/RHS

As journalists flock to Chicago to cover the Democratic National Convention Aug. 19-22, local police must allow the press to report on what’s happening inside and outside the event — even if tensions escalate.

In a highly politicized election cycle, characterized by the ongoing war in Gaza, protests are likely to be widespread and newsworthy. In an op-ed for the Chicago Sun-Times, Freedom of the Press Foundation (FPF) urged Chicago authorities to uphold the First and Fourth amendments and allow journalists to do their jobs.

As we explained, “The issue isn’t about putting journalists on a pedestal … When journalists aren’t watching, abuses of peaceful protesters are more likely. The public suffers by being uninformed. The only beneficiaries are officials looking to avoid accountability.”

Freedom of the Press Foundation

Trial set for suspect in deadly Illinois bowling alley mass shooting

1 year 3 months ago
ROCKFORD, Ill. (WTVO) - Duke Webb, the man accused of killing three people at Don Carter Lanes in Rockford nearly four years ago, is heading to trial. The jury trial is scheduled to begin at 9 a.m., Monday, Dec. 2, in Courtroom A inside the Winnebago County Justice Center with Judge John Gibbons presiding. Webb, [...]
Jim Hagerty

Kyoto Steakhouse Manager Indicted For Tax Evasion

1 year 3 months ago
EDWARDSVILLE - The manager of Kyoto Steakhouse Edwardsville Inc. was indicted by a Madison County grand jury on several charges including sales tax evasion, theft of government funds, and more. He allegedly used false sales figures for more than three years to avoid paying over $100,000 in taxes to the state. Lin Hua, 41, of Edwardsville, was charged with one count of Theft of Government Funds (a Class X felony), one count of Sales Tax Evasion (a Class 1 felony), and three counts of Filing a Fraudulent Sales & Use Tax Return (each Class 3 felonies). The indictment, filed on Aug. 1, 2024, concerns a series of crimes Hua reportedly committed from Oct. 20, 2018 to March 21, 2022. During that time, he “utilized false sales figures to prepare and file monthly sales and use tax returns on behalf of Kyoto,” exceeding $100,000 in taxes owed, according to the indictment. The three Class 3 felonies filed against Hua stem from fraudulent sales and use tax returns filed on Jan.

Man pleads guilty to federal carjacking charge

1 year 3 months ago
ST. LOUIS - A St. Louis County man appeared in federal court on Monday and admitted carjacking and robbing two people in downtown St. Louis last summer. Prosecutors with the U.S. Attorney’s Office for the Eastern District of Missouri said Bradley McKinney, 35, carjacked a 2015 Chevy Cruze on July 29, 2023. The indictment further [...]
Kevin S. Held

Turnkey Computer Systems Offers Local IT Support

1 year 3 months ago
EFFINGHAM/ST. LOUIS - No matter what industry you’re in, Turnkey Computer Systems offers IT support that’s tailored to fit your needs. Based out of Effingham, Illinois, Turnkey Computer Systems has over 100 clients in different industries across Missouri, Illinois and Indiana. They specialize in dentistry but can offer outsourced IT support to nonprofits, school districts and countless other organizations and industries. Aaron Geisen, one of the newest members of the 10-person team, explained the importance of Turnkey’s work. “We’re providing a Turnkey service of being the boots on the ground, the first point of contact for all these systems that we don’t own, we don’t manage, but we do support,” Geisen said. “Being able to have the independence so we’re able to do the troubleshooting we need to do to take care of our customers while also being able to partner with those vendors is amazing.” Turnkey started

Walt Disney dreamed of a St. Louis park. Then the deal went bust

1 year 3 months ago
In the 1960s, St. Louis nearly became one of the most magical places on earth. A planned Disneyland, called the Riverfront Square, captured imaginations as local leaders sought to strike a deal with Walt Disney himself — until that deal went bibbidi, bobbidi, bust. In this encore episode from May 2024, writer Devin Thomas O'Shea reminds us of what the canceled Disney attraction might have been, the disputed reasons why the plan fell apart (no, it wasn't just over beer), and the problematic characters and mythologized storytelling that the park would have been designed around.

U.S. Supreme Court rejects Missouri AG push to delay Trump sentencing in hush money case

1 year 3 months ago
Missouri Attorney General Andrew Bailey’s efforts to delay sentencing in former President Donald Trump’s hush money case in New York were rejected Monday by the U.S. Supreme Court. The decision comes a day before Bailey will face off in the Aug. 6 primary election against Will Scharf, a member of Trump’s legal team. In a one-page order, the court refused to intervene in the case, meaning a gag order against Trump will remain in place and sentencing on his 34 felony convictions will move…
Jason Hancock