From Chairman Dave Williams <[email protected]>
Subject Stop the Cover-up - Leaked CO Election Passwords
Date October 30, 2024 3:17 PM
  Links have been removed from this email. Learn more in the FAQ.
The Colorado GOP will seek accountability...

A Message from the Colorado Republican Party
Colorado Republicans demand assurances that our systems are not compromised a week before a major election.
DONATE TO HOLD GRISWOLD ACCOUNTABLE & TO MAKE OUR ELECTIONS FAIR ([link removed])

FOR IMMEDIATE RELEASE

THE SECRETARY WANTS A DOUBLE STANDARD BUT THE CO GOP WILL SEEK ACCOUNTABILITY FOR HER LEAK & SCANDAL COVER-UP.

(Greenwood Village, CO) – As disclosed yesterday, the Colorado Secretary of State posted highly confidential election system passwords online for months. The passwords were viewable by anyone, including county clerks, employees, and third-party vendors with physical access to election systems who are prohibited from having BIOS passwords.

Her response, however, raises even more concerns than it answers. She calls the passwords partial passwords and claims two passwords are necessary for system access. This is not true for the BIOS, and at best, shows a serious lack of understanding of how the systems themselves even work by her and her most senior team members, including Matt Crane, the head of the Colorado Clerk Association.

The BIOS passwords access the Basic Input/Output System (BIOS), which runs “underneath” the operating system. Its vulnerabilities present such a grave threat that way back in 2015, WIRED said that “anyone with moderately sophisticated hacking skills” could “compromise and control a system surreptitiously.” Since then, many other articles have been written about the threat.

For this reason, Griswold’s own election rules forbid their disclosure to all but a few trusted State employees. In the Tina Peters trial, a senior State official even testified that release of these passwords in a single county represented a grave threat. Here, they have been released for the whole state.

Here is what we do know at this point. There is no gold standard. What we hope, however, is that there is at least not a double standard.

Griswold and her team released a statement yesterday on this mess. What was most telling is what was not included:
* She doesn’t deny that the passwords were current. She said some were no longer current in an interview, but how many of the hundreds released were current?
* She did not say who posted the confidential passwords or how it happened.
* She did not say whether an investigation had been commenced or completed to determine why the file was posted (accidental or intentional). She just claims it was an accident. How does she know that?
* She does not say when it was posted. Were they posted before the primaries? Are those results now also in jeopardy?
* She talks about physical access controls, but there are numerous individuals with access to the systems; the protection is that they are not to have the BIOS passwords too; the individuals include:
  + county employees
  + county clerks
  + third party vendors
  + other State employees in her office that are forbidden BIOS password access for security reasons
* How is she able to assure the public that none of these hundreds or thousands of individuals accessed the BIOS over that large amount of time?
* She failed to address the findings of the 2022 Douglas County review that demonstrated the ability to remotely access election systems.


Our letter to her and the release yesterday were not worded to score political points. We were fair, and our requests, which are still unanswered, were reasonable. This is not a partisan issue.

This is a serious incident, and her response is not a serious response. Matthew 7:1 states: “For in the same way you judge others, you will be judged, and with the measure you use, it will be measured to you.” The Secretary and her office should be held to the same high standard as everyone else. The integrity of our elections is too important.

The Colorado Republican Party will seek legal relief in the courts as long as the Secretary refuses to provide sufficient reassurances as outlined in our previous letter to her. Additionally, we are calling on the legislature, especially Republican lawmakers, to convene an emergency audit committee hearing to uncover what the Secretary has been hiding from the public. She admitted to the press that she refused to disclose this password leak until our State Party exposed it. This is a cover-up.

Finally, to the counties, you have obligations now under the Colorado Election Rules. The Secretary has violated Election Rule 20.5.2(c)(11) [8 CCR 1505-1]. She admits it. You have a requirement under Rule 20.5.8(a)(1) to file an incident report for any violation of Rule 20. The Secretary must then determine under Rule 20.12/2(b), in good faith, whether the machines should be decertified.

Confidential passwords were leaked to individuals with physical access. That is all anyone needs to know. It demands more than a press release.

###


------------------------------------------------------------
Colorado Election Rule 20.5.2(c)(11)

You can review the previous press release and letter that exposed this scandal below.

FOR IMMEDIATE RELEASE
COLORADO ELECTION PASSWORDS LEAKED AND SYSTEM MAY BE COMPROMISED
(Greenwood Village, CO) – According to an affidavit sent to the Republican Party of Colorado, Colorado Secretary of State, Jena Griswold, shared a file on her website that contained over 600 BIOS passwords for voting system components in 63 of the state’s 64 counties. On Thursday, October 24, 2024, those BIOS passwords were discreetly removed by an unnamed official. A letter from the Colorado GOP has been sent to the Colorado Secretary of State's Office and can be reviewed below.

The passwords were not encrypted or otherwise protected – this means they were available for public consumption. The file appears to have been posted at least since August; the amended version of the file was reposted last Thursday.

BIOS passwords are highly confidential, allowing broad access for knowledgeable users to fundamentally manipulate systems and data and to remove any trace of doing so. Due to the sensitivity surrounding BIOS passwords, Colorado election regulation (8 CCR 1505-1), Rule 20.5.2(c)(11), requires limited access to a select few at the Colorado Department of State; neither county clerks nor commissioners have access to these files.

While the above does not constitute evidence of a breach by itself, it does demonstrate a major lapse in basic systems security and password management.

“We hear all the time in Colorado from Secretary Griswold and Governor Polis that we represent the 'Gold Standard' for election integrity, a model for the nation,” said Dave Williams, Chairman of the Republican Party of Colorado. “One can only hope that by the Secretary of State posting our most sensitive passwords online to the world dispels that myth.”

A bad actor would still need access either physically or remotely to the systems. It is also unclear whether the passwords were in use at any point while publicly available.

“It’s shocking really. At best, even if the passwords were outdated, it represents significant incompetence and negligence, and it raises huge questions about password management and other basic security protocols at the highest levels within Griswold’s office,” said Williams. This type of security breach could have far-reaching implications, putting the entire Colorado election results for the vast majority of races, including the tabulation for the Presidential race in Colorado, in jeopardy unless all of the machines can meet the standards of a “Trusted Build” before next Tuesday.

Vote tabulation in Colorado using the voter systems is already underway with results intended to be inaccessible until the close of polls next week.

###

------------------------------------------------------------
Link: “Voter System Inventory – 2024 (XLSX)”: [link removed]
Heidi Ganahl, the Republican candidate for governor in 2022, recently highlighted concerns regarding remote access to Colorado voting systems. See: [link removed]

October 29, 2024

The Honorable Jena Griswold
Colorado Secretary of State
1700 Broadway
Suite 200
Denver, CO 80290-1201

Re: Your Public Disclosure of the BIOS Passwords for Colorado Election Systems

Dear Secretary Griswold:

It has come to our attention this week that last Thursday, October 24, 2024, your team quietly removed a publicly accessible spreadsheet file from the Colorado Secretary of State’s website that contained BIOS passwords for election systems in 63 of the 64 counties in Colorado.

The passwords were not encrypted or otherwise protected. They were open to the public for anyone with the knowledge or wherewithal to look (located simply on hidden sheets within the spreadsheet, a file that appears to have been posted publicly for months).

As you are well aware, a BIOS password could allow a knowledgeable user to not only gain total control over any system accessed either physically or remotely, including the ability to manipulate those systems and results, but it would allow that user to remove any trace that she was ever there (overwriting even fundamental system logs necessary during a subsequent audit to show whether illicit access or activity had ever occurred).

It goes without saying how significant this is. We realize that a bad actor or actors would still need access to the systems, but this, coupled with the recent discoveries about network access announced by Heidi Ganahl, former Republican Candidate for Governor, just weeks ago, should give every party, every candidate, and every voter serious concerns.

We can only imagine that, since the discovery last week, you and your staff have been working tirelessly to remedy these vulnerabilities. To assure us and the public that the election in a little over a week is indeed secure, we demand you provide the following in writing:
* Confirmation that all passwords disclosed have since been changed or were otherwise not current at any point while made public;
* Confirmation that all new passwords, their storage, and management meet best practices for password strength and encryption, unlike those publicly disclosed;
* Confirmation that all systems are running the current software as necessary for proper certification, as the hidden pages also provided software certification concerns;
* If the passwords were current at any point while public, confirmation that, to the best of your knowledge, the election systems have not been accessed physically or remotely by any unauthorized person or persons, including any individuals otherwise authorized to access the systems but not the system BIOS;
* Understanding that with BIOS access it may be difficult or impossible to identify if a system has been indeed compromised, provide confirmation or a detailed plan as to how all exposed systems still or will meet the certification requirements of a “trusted build” before any votes are counted by those systems in this election; and
* Provide a list of any and all other steps your team has or is taking to address these vulnerabilities, including when any steps still pending will be completed.

While some may attempt to characterize this letter as a fringe or partisan issue, we are confident that you understand the critical nature of having released these “skeleton key” passwords to the world. As such, we fully expect that you will gladly and forthrightly provide us with all that we are asking, using the same standard and diligence you are applying in Mesa County and understanding that best practices would be for you to already have those steps completed or in process. If, however, you fail to provide necessary assurances that our elections are secure, we are prepared to encourage county officials throughout the state to fulfill their duty to decertify any election machines with a password on the released list and to compel you through C.R.S. 1-1-113 to secure the elections, as required by law.

Given that the election is now in a matter of days, kindly provide your response within twenty-four hours.

Sincerely,
Dave Williams
Chairman, Republican Party of Colorado

CC: The Honorable Merrick Garland, United States Attorney General
The Honorable Matt Kirsch, Acting United States Attorney for the District of Colorado
The Honorable Sean Cooksey, Chairman of the Federal Election Commission
The Honorable Jared Polis, Governor of Colorado
The Honorable Phil Weiser, Colorado Attorney General
Boards of County Commissioners for Colorado
Colorado County Clerks and Recorders
CO Political Party Chairs

============================================================



Paid for by Colorado Republican Committee. Not authorized by any candidate or candidate's committee. ** www.cologop.org ([link removed])

Colorado Republican State Party
5950 S. Willow Drive, Suite 210
Greenwood Village, Colorado 80111


This message reflects the opinions and representations of the Colorado Republican Party.



Copyright © 2022 - Colorado Republican Party
All rights reserved.
