Biz & IT

claude-ai-to-process-secret-government-data-through-new-palantir-deal

Claude AI to process secret government data through new Palantir deal

AI, AI ethics, Amazon, Anthropic, Biz & IT, chatgpt, chatgtp, Claude, Claude 3, Claude 3.5, confabulation, ethical ai, futurism, government contracts, large language models, LLaMA, machine learning, Meta, military AI, openai, palantir, US Defense Department, US intelligence agencies, Victor Tangermann / /

An ethical minefield

Since its founders started Anthropic in 2021, the company has marketed itself as one that takes an ethics- and safety-focused approach to AI development. The company differentiates itself from competitors like OpenAI by adopting what it calls responsible development practices and self-imposed ethical constraints on its models, such as its “Constitutional AI” system.

As Futurism points out, this new defense partnership appears to conflict with Anthropic’s public “good guy” persona, and pro-AI pundits on social media are noticing. Frequent AI commentator Nabeel S. Qureshi wrote on X, “Imagine telling the safety-concerned, effective altruist founders of Anthropic in 2021 that a mere three years after founding the company, they’d be signing partnerships to deploy their ~AGI model straight to the military frontlines.

Anthropic's

Anthropic’s “Constitutional AI” logo.

Credit: Anthropic / Benj Edwards

Anthropic’s “Constitutional AI” logo. Credit: Anthropic / Benj Edwards

Aside from the implications of working with defense and intelligence agencies, the deal connects Anthropic with Palantir, a controversial company which recently won a $480 million contract to develop an AI-powered target identification system called Maven Smart System for the US Army. Project Maven has sparked criticism within the tech sector over military applications of AI technology.

It’s worth noting that Anthropic’s terms of service do outline specific rules and limitations for government use. These terms permit activities like foreign intelligence analysis and identifying covert influence campaigns, while prohibiting uses such as disinformation, weapons development, censorship, and domestic surveillance. Government agencies that maintain regular communication with Anthropic about their use of Claude may receive broader permissions to use the AI models.

Even if Claude is never used to target a human or as part of a weapons system, other issues remain. While its Claude models are highly regarded in the AI community, they (like all LLMs) have the tendency to confabulate, potentially generating incorrect information in a way that is difficult to detect.

That’s a huge potential problem that could impact Claude’s effectiveness with secret government data, and that fact, along with the other associations, has Futurism’s Victor Tangermann worried. As he puts it, “It’s a disconcerting partnership that sets up the AI industry’s growing ties with the US military-industrial complex, a worrying trend that should raise all kinds of alarm bells given the tech’s many inherent flaws—and even more so when lives could be at stake.”

Claude AI to process secret government data through new Palantir deal Read More »

new-smb-friendly-subscription-tier-may-be-too-late-to-stop-vmware-migrations

New SMB-friendly subscription tier may be too late to stop VMware migrations

Biz & IT, Broadcom, vmware / /

Broadcom has a new subscription tier for VMware virtualization software that may appease some disgruntled VMware customers, especially small to medium-sized businesses. The new VMware vSphere Enterprise Plus subscription tier creates a more digestible bundle that’s more appropriate for smaller customers. But it may be too late to convince some SMBs not to abandon VMware.

Soon after Broadcom bought VMware, it stopped the sale of VMware perpetual licenses and started requiring subscriptions. Broadcom also bundled VMware’s products into a smaller number of SKUs, resulting in higher costs and frustration for customers that felt like they were being forced to pay for products that they didn’t want. All that, combined with Broadcom ditching some smaller VMware channel partners (and reportedly taking the biggest clients direct), have raised doubts that Broadcom’s VMware would be a good fit for smaller customers.

“The challenge with much of the VMware by Broadcom changes to date and before the announcement [of the vSphere Enterprise Plus subscription tier] is that it also forced many organizations to a much higher offering and much more components to a stack that they were previously uninterested in deploying,” Rick Vanover, Veeam’s product strategy VP, told Ars.

On October 31, Broadcom announced the vSphere Enterprise Plus subscription tier. From smallest to largest, the available tiers are vSphere Standard, vSphere Enterprise Plus, vSphere Foundation, and the flagship VMware Cloud Foundation. The introduction of vSphere Enterprise Plus means that customers who only want vSphere virtualization can now pick from two bundles instead of one.

“[T]o round out the portfolio, for customers who are focused on compute virtualization, we will now have two options, VMware vSphere Enterprise Plus and VMware vSphere Standard,” Prashanth Shenoy, vice president of product marketing in the VMware Cloud Foundation division of Broadcom, explained in a blog post.

New SMB-friendly subscription tier may be too late to stop VMware migrations Read More »

matter-1.4-has-some-solid-ideas-for-the-future-home—now-let’s-see-the-support

Matter 1.4 has some solid ideas for the future home—now let’s see the support

alexa, apple home, Biz & IT, connectivity standards alliance, csa, EVSE, Google Home, home automation, matter, matter 1.4, Smart Home, Tech, Thread / /

With Matter 1.4 and improved Thread support, you shouldn’t need to blanket your home in HomePod Minis to have adequate Thread coverage. Then again, they do brighten up the place. Credit: Apple

Routers are joining the Thread/Matter melee

A whole bunch of networking gear, known as Home Routers and Access Points (HRAP), can now support Matter, while also extending Thread networks with Matter 1.4.

“Matter-certified HRAP devices provide the foundational infrastructure of smart homes by combining both a Wi-Fi access point and a Thread Border Router, ensuring these ubiquitous devices have the necessary infrastructure for Matter products using either of these technologies,” the CSA writes in its announcement.

Prior to wireless networking gear officially getting in on the game, the devices that have served as Thread Border Routers, accepting and re-transmitting traffic for endpoint devices, has been a hodgepodge of gear. Maybe you had HomePod Minis, newer Nest Hub or Echo devices from Google or Amazon, or Nanoleaf lights around your home, but probably not. Routers, and particularly mesh networking gear, should already be set up to reach most corners of your home with wireless signal, so it makes a lot more sense to have that gear do Matter authentication and Thread broadcasting.

Freeing home energy gear from vendor lock-in

Matter 1.4 adds some big, expensive gear to its list of device types and control powers, and not a moment too soon. Solar inverters and arrays, battery storage systems, heat pumps, and water heaters join the list. Thermostats and Electric Vehicle Supply Equipment (EVSE), i.e. EV charging devices, also get some enhancements. For that last category, it’s not a moment too soon, as chargers that support Matter can keep up their scheduled charging without cloud support from manufacturers.

More broadly, Matter 1.4 bakes a lot of timing, energy cost, and other automation triggers into the spec, which—again, when supported by device manufacturers, at some future date—should allow for better home energy savings and customization, without tying it all to one particular app or platform.

CSA says that, with “nearly two years of real-world deployment in millions of households,” the companies and trade groups and developers tending to Matter are “refining software development kits, streamlining certification processes, and optimizing individual device implementations.” Everything they’ve got lined up seems neat, but it has to end up inside more boxes to be truly impressive.

Matter 1.4 has some solid ideas for the future home—now let’s see the support Read More »

law-enforcement-operation-takes-down-22,000-malicious-ip-addresses-worldwide

Law enforcement operation takes down 22,000 malicious IP addresses worldwide

Biz & IT, cybercrime, Interpol, police, Security / /

An international coalition of police agencies has taken a major whack at criminals accused of running a host of online scams, including phishing, the stealing of account credentials and other sensitive data, and the spreading of ransomware, Interpol said recently.

The operation, which ran from the beginning of April through the end of August, resulted in the arrest of 41 people and the takedown of 1,037 servers and other infrastructure running on 22,000 IP addresses. Synergia II, as the operation was named, was the work of multiple law enforcement agencies across the world, as well as three cybersecurity organizations.

A global response

“The global nature of cybercrime requires a global response which is evident by the support member countries provided to Operation Synergia II,” Neal Jetton, director of the Cybercrime Directorate at INTERPOL, said. “Together, we’ve not only dismantled malicious infrastructure but also prevented hundreds of thousands of potential victims from falling prey to cybercrime. INTERPOL is proud to bring together a diverse team of member countries to fight this ever-evolving threat and make our world a safer place.”

Among the highlights of Operation Synergia II were:

Hong Kong (China): Police supported the operation by taking offline more than 1,037 servers linked to malicious services.

Mongolia: Investigations included 21 house searches, the seizure of a server and the identification of 93 individuals with links to illegal cyber activities.

Macau (China): Police took 291 servers offline.

Madagascar: Authorities identified 11 individuals with links to malicious servers and seized 11 electronic devices for further investigation.

Estonia: Police seized more than 80GB of server data, and authorities are now working with INTERPOL to conduct further analysis of data linked to phishing and banking malware.

The three private cybersecurity organizations that were part of Operation Synergia II were Group-IB, Kaspersky, and Team Cymru. All three used the telemetry intelligence in their possession to identify malicious servers and made it available to participating law enforcement agencies. The law enforcement agencies conducted investigations that resulted in house searches, the disruption of malicious cyber activities, the lawful seizures of servers and other electronic devices, and arrests.

Law enforcement operation takes down 22,000 malicious IP addresses worldwide Read More »

trump-plans-to-dismantle-biden-ai-safeguards-after-victory

Trump plans to dismantle Biden AI safeguards after victory

AI, AI regulation, Biden, Biz & IT, Donald Trump, Joe Biden, large language models, machine learning, Policy, US government, White House / /

That’s not the only uncertainty at play. Just last week, House Speaker Mike Johnson—a staunch Trump supporter—said that Republicans “probably will” repeal the bipartisan CHIPS and Science Act, which is a Biden initiative to spur domestic semiconductor chip production, among other aims. Trump has previously spoken out against the bill. After getting some pushback on his comments from Democrats, Johnson said he would like to “streamline” the CHIPS Act instead, according to The Associated Press.

Then there’s the Elon Musk factor. The tech billionaire spent tens of millions through a political action committee supporting Trump’s campaign and has been angling for regulatory influence in the new administration. His AI company, xAI, which makes the Grok-2 language model, stands alongside his other ventures—Tesla, SpaceX, Starlink, Neuralink, and X (formerly Twitter)—as businesses that could see regulatory changes in his favor under a new administration.

What might take its place

If Trump strips away federal regulation of AI, state governments may step in to fill any federal regulatory gaps. For example, in March, Tennessee enacted protections against AI voice cloning, and in May, Colorado created a tiered system for AI deployment oversight. In September, California passed multiple AI safety bills, one requiring companies to publish details about their AI training methods and a contentious anti-deepfake bill aimed at protecting the likenesses of actors.

So far, it’s unclear what Trump’s policies on AI might represent besides “deregulate whenever possible.” During his campaign, Trump promised to support AI development centered on “free speech and human flourishing,” though he provided few specifics. He has called AI “very dangerous” and spoken about its high energy requirements.

Trump allies at the America First Policy Institute have previously stated they want to “Make America First in AI” with a new Trump executive order, which still only exists as a speculative draft, to reduce regulations on AI and promote a series of “Manhattan Projects” to advance military AI capabilities.

During his previous administration, Trump signed AI executive orders that focused on research institutes and directing federal agencies to prioritize AI development while mandating that federal agencies “protect civil liberties, privacy, and American values.”

But with a different AI environment these days in the wake of ChatGPT and media-reality-warping image synthesis models, those earlier orders don’t likely point the way to future positions on the topic. For more details, we’ll have to wait and see what unfolds.

Trump plans to dismantle Biden AI safeguards after victory Read More »

corning-faces-antitrust-actions-for-its-gorilla-glass-dominance

Corning faces antitrust actions for its Gorilla Glass dominance

antitrust, Apple, Biz & IT, Corning, European Commission, Gorilla Glass, IPhone, Tech / /

The European Commission (EC) has opened an antitrust investigation into US-based glass-maker Corning, claiming that its Gorilla Glass has dominated the mobile phone screen market due to restrictive deals and licensing.

Corning’s shatter-resistant alkali-aluminosilicate glass keeps its place atop the market, according to the EC’s announcement, because it both demands, and rewards with rebates, device makers that agree to “source all or nearly all of their (Gorilla Glass) demand from Corning.” Corning also allegedly required device makers to report competitive offers to the glass maker. The company is accused of exerting a similar pressure on “finishers,” or those firms that turn raw glass into finished phone screen protectors, as well as demanding finishers not pursue patent challenges against Corning.

“[T]he agreements that Corning put in place with OEMs and finishers may have excluded rival glass producers from large segments of the market, thereby reducing customer choice, increasing prices, and stifling innovation to the detriment of consumers worldwide,” the Commission wrote.

Ars has reached out to Corning for comment and will update this post with response.

Gorilla Glass does approach Xerox or Kleenex levels of brand name association with its function. New iterations of its thin, durable glass reach a bit further than the last and routinely pick up press coverage. Gorilla Glass 4 was pitched as being “up to two times stronger” than any “competitive” alternative. Gorilla Glass 5 could survive a 1.6-meter drop 80 percent of the time, and 6 built in more repetitive damage resistance.

Apple considers Corning’s glass products so essential to its products, like the ceramic shield on the iPhone 12, as to have invested $45 million into the company to expand its US manufacturing. The first iPhone was changed very shortly before launch to use Gorilla Glass instead of a plastic screen, per Steve Jobs’ insistence.

Corning faces antitrust actions for its Gorilla Glass dominance Read More »

anthropic’s-haiku-3.5-surprises-experts-with-an-“intelligence”-price-increase

Anthropic’s Haiku 3.5 surprises experts with an “intelligence” price increase

AI, AI pricing, Anthropic, Anthropic Claude, API, Biz & IT, chatbots, chatgpt, chatgtp, Claude, Claude 3.5, Claude 3.5 Haiku, Claude Haiku, large language models, machine learning / /

Speaking of Opus, Claude 3.5 Opus is nowhere to be seen, as AI researcher Simon Willison noted to Ars Technica in an interview. “All references to 3.5 Opus have vanished without a trace, and the price of 3.5 Haiku was increased the day it was released,” he said. “Claude 3.5 Haiku is significantly more expensive than both Gemini 1.5 Flash and GPT-4o mini—the excellent low-cost models from Anthropic’s competitors.”

Cheaper over time?

So far in the AI industry, newer versions of AI language models typically maintain similar or cheaper pricing to their predecessors. The company had initially indicated Claude 3.5 Haiku would cost the same as the previous version before announcing the higher rates.

“I was expecting this to be a complete replacement for their existing Claude 3 Haiku model, in the same way that Claude 3.5 Sonnet eclipsed the existing Claude 3 Sonnet while maintaining the same pricing,” Willison wrote on his blog. “Given that Anthropic claim that their new Haiku out-performs their older Claude 3 Opus, this price isn’t disappointing, but it’s a small surprise nonetheless.”

Claude 3.5 Haiku arrives with some trade-offs. While the model produces longer text outputs and contains more recent training data, it cannot analyze images like its predecessor. Alex Albert, who leads developer relations at Anthropic, wrote on X that the earlier version, Claude 3 Haiku, will remain available for users who need image processing capabilities and lower costs.

The new model is not yet available in the Claude.ai web interface or app. Instead, it runs on Anthropic’s API and third-party platforms, including AWS Bedrock. Anthropic markets the model for tasks like coding suggestions, data extraction and labeling, and content moderation, though, like any LLM, it can easily make stuff up confidently.

“Is it good enough to justify the extra spend? It’s going to be difficult to figure that out,” Willison told Ars. “Teams with robust automated evals against their use-cases will be in a good place to answer that question, but those remain rare.”

Anthropic’s Haiku 3.5 surprises experts with an “intelligence” price increase Read More »

suspect-arrested-in-snowflake-data-theft-attacks-affecting-millions

Suspect arrested in Snowflake data-theft attacks affecting millions

Biz & IT, Data breaches, infostealers, Security / /

Attack Path UNC5537 has used in attacks against as many as 165 Snowflake customers.

Credit: Mandiant

Attack Path UNC5537 has used in attacks against as many as 165 Snowflake customers. Credit: Mandiant

None of the affected accounts used multifactor authentication, which requires users to provide a one-time password or additional means of authentication besides a password. After that revelation, Snowflake enforced mandatory MFA for accounts and required that passwords be at least 14 characters long.

Mandiant had identified the threat group behind the breaches as UNC5537. The group has referred to itself ShinyHunters. Snowflake offers its services under a model known as SaaS (software as a service).

“UNC5537 aka Alexander ‘Connor’ Moucka has proven to be one of the most consequential threat actors of 2024,” Mandiant wrote in an emailed statement. “In April 2024, UNC5537 launched a campaign, systematically compromising misconfigured SaaS instances across over a hundred organizations. The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm an individual can cause using off-the-shelf tools.”

Mandiant said a co-conspirator, John Binns, was arrested in June. The status of that case wasn’t immediately known.

Besides Ticketmaster, other customers known to have been breached include AT&T and Spain-based bank Santander. In July, AT&T said that personal information and phone and text message records for roughly 110 million customers were stolen. WIRED later reported that AT&T paid $370,000 in return for a promise the data would be deleted.

Other Snowflake customers reported by various news outlets as breached are Pure Storage, Advance Auto Parts, Los Angeles Unified School District, QuoteWizard/LendingTree, Neiman Marcus, Anheuser-Busch, Allstate, Mitsubishi, and State Farm.

KrebsOnSecurity reported Tuesday that Moucka has been named in multiple charging documents filed by US federal prosecutors. Reporter Brian Krebs said specific charges and allegations are unknown because the cases remain sealed.

Suspect arrested in Snowflake data-theft attacks affecting millions Read More »

new-zemeckis-film-used-ai-to-de-age-tom-hanks-and-robin-wright

New Zemeckis film used AI to de-age Tom Hanks and Robin Wright

AI, AI image generator, Biz & IT, de-aging, Deepfakes, face replacement, films, generative ai, Here film, image synthesis, machine learning, Metaphysic, Robert Zemeckis, Robin Wright, Runway, Special Effects, Tom Hanks, video synthesis / /

On Friday, TriStar Pictures released Here, a $50 million Robert Zemeckis-directed film that used real time generative AI face transformation techniques to portray actors Tom Hanks and Robin Wright across a 60-year span, marking one of Hollywood’s first full-length features built around AI-powered visual effects.

The film adapts a 2014 graphic novel set primarily in a New Jersey living room across multiple time periods. Rather than cast different actors for various ages, the production used AI to modify Hanks’ and Wright’s appearances throughout.

The de-aging technology comes from Metaphysic, a visual effects company that creates real time face swapping and aging effects. During filming, the crew watched two monitors simultaneously: one showing the actors’ actual appearances and another displaying them at whatever age the scene required.

Here – Official Trailer (HD)

Metaphysic developed the facial modification system by training custom machine-learning models on frames of Hanks’ and Wright’s previous films. This included a large dataset of facial movements, skin textures, and appearances under varied lighting conditions and camera angles. The resulting models can generate instant face transformations without the months of manual post-production work traditional CGI requires.

Unlike previous aging effects that relied on frame-by-frame manipulation, Metaphysic’s approach generates transformations instantly by analyzing facial landmarks and mapping them to trained age variations.

“You couldn’t have made this movie three years ago,” Zemeckis told The New York Times in a detailed feature about the film. Traditional visual effects for this level of face modification would reportedly require hundreds of artists and a substantially larger budget closer to standard Marvel movie costs.

This isn’t the first film that has used AI techniques to de-age actors. ILM’s approach to de-aging Harrison Ford in 2023’s Indiana Jones and the Dial of Destiny used a proprietary system called Flux with infrared cameras to capture facial data during filming, then old images of Ford to de-age him in post-production. By contrast, Metaphysic’s AI models process transformations without additional hardware and show results during filming.

New Zemeckis film used AI to de-age Tom Hanks and Robin Wright Read More »

nvidia-ousts-intel-from-dow-jones-index-after-25-year-run

Nvidia ousts Intel from Dow Jones Index after 25-year run

AI, Biz & IT, machine learning / /

Changing winds in the tech industry

The Dow Jones Industrial Average serves as a benchmark of the US stock market by tracking 30 large, publicly owned companies that represent major sectors of the US economy, and being a member of the Index has long been considered a sign of prestige among American companies.

However, S&P regularly makes changes to the index to better reflect current realities and trends in the marketplace, so deletion from the Index likely marks a new symbolic low point for Intel.

While the rise of AI has caused a surge in several tech stocks, it has delivered tough times for chipmaker Intel, which is perhaps best known for manufacturing CPUs that power Windows-based PCs.

Intel recently withdrew its forecast to sell over $500 million worth of AI-focused Gaudi chips in 2024, a target CEO Pat Gelsinger had promoted after initially pushing his team to project $1 billion in sales. The setback follows Intel’s pattern of missed opportunities in AI, with Reuters reporting that Bank of America analyst Vivek Arya questioned the company’s AI strategy during a recent earnings call.

In addition, Intel has faced challenges as device manufacturers increasingly use Arm-based alternatives that power billions of smartphone devices and from symbolic blows like Apple’s transition away from Intel processors for Macs to its own custom-designed chips based on the Arm architecture.

Whether the historic tech company will rebound is yet to be seen, but investors will undoubtedly keep a close watch on Intel as it attempts to reorient itself in the face of changing trends in the tech industry.

Nvidia ousts Intel from Dow Jones Index after 25-year run Read More »

thousands-of-hacked-tp-link-routers-used-in-years-long-account-takeover-attacks

Thousands of hacked TP-Link routers used in years-long account takeover attacks

Biz & IT, botnets, microsoft, password spraying, Security, tp-link / /

Hackers working on behalf of the Chinese government are using a botnet of thousands of routers, cameras, and other Internet-connected devices to perform highly evasive password spray attacks against users of Microsoft’s Azure cloud service, the company warned Thursday.

The malicious network, made up almost entirely of TP-Link routers, was first documented in October 2023 by a researcher who named it Botnet-7777. The geographically dispersed collection of more than 16,000 compromised devices at its peak got its name because it exposes its malicious malware on port 7777.

Account compromise at scale

In July and again in August of this year, security researchers from Serbia and Team Cymru reported the botnet was still operational. All three reports said that Botnet-7777 was being used to skillfully perform password spraying, a form of attack that sends large numbers of login attempts from many different IP addresses. Because each individual device limits the login attempts, the carefully coordinated account-takeover campaign is hard to detect by the targeted service.

On Thursday, Microsoft reported that CovertNetwork-1658—the name Microsoft uses to track the botnet—is being used by multiple Chinese threat actors in an attempt to compromise targeted Azure accounts. The company said the attacks are “highly evasive” because the botnet—now estimated at about 8,000 strong on average—takes pains to conceal the malicious activity.

“Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time,” Microsoft officials wrote. “This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions.

Some of the characteristics that make detection difficult are:

  • The use of compromised SOHO IP addresses
  • The use of a rotating set of IP addresses at any given time. The threat actors had thousands of available IP addresses at their disposal. The average uptime for a CovertNetwork-1658 node is approximately 90 days.
  • The low-volume password spray process; for example, monitoring for multiple failed sign-in attempts from one IP address or to one account will not detect this activity.

Thousands of hacked TP-Link routers used in years-long account takeover attacks Read More »

colorado-scrambles-to-change-voting-system-passwords-after-accidental-leak

Colorado scrambles to change voting-system passwords after accidental leak

Biz & IT, colorado elections, Policy, voting system passwords / /

BIOS passwords on website

“The goal is to complete the password updates by this evening,” government says.

Colorado Secretary of State Jena Griswold holds press conference with Matt Crane, Executive Director of the Colorado County Clerks Association, at her office in Denver on Thursday, October 24, 2024. Credit: Getty Images | Hyoung Chang

The Colorado Department of State said it accidentally posted a spreadsheet containing “partial passwords” for voting systems. The department said there is no “immediate security threat” because two passwords are needed for each component, but it is trying to complete password changes by the end of today. There were reportedly hundreds of BIOS passwords accessible on the website for over two months before being removed last week.

A government statement issued Tuesday said the agency “is aware that a spreadsheet located on the Department’s website improperly included a hidden tab including partial passwords to certain components of Colorado voting systems. This does not pose an immediate security threat to Colorado’s elections, nor will it impact how ballots are counted.”

Secretary of State Jena Griswold told Colorado Public Radio that “we do not think there is an immediate security threat to Colorado elections, in part because partial passwords don’t get you anywhere. Two unique passwords are needed for every election equipment component. Physical access is needed. And under Colorado law, voting equipment is stored in secure rooms that require secure ID badges. There’s 24/7 video cameras. There’s restricted access to the secure ballot areas, strict chain of custody, and it’s a felony to access voting equipment without authorization.”

Griswold said her office learned about the spreadsheet upload at the end of last week and “immediately contacted federal partners and then we began our investigation.”

The department’s statement said the two passwords for each component “are kept in separate places and held by different parties” and that the “passwords can only be used with physical in-person access to a voting system.” Additionally, “clerks are required to maintain restricted access to secure ballot areas, and may only share access information with background-checked individuals. No person may be present in a secure area unless they are authorized to do so or are supervised by an authorized and background-checked employee.”

The department also cited “strict chain of custody requirements that track when a voting systems component has been accessed and by whom,” and it said that each “Colorado voter votes on a paper ballot, which is then audited during the Risk Limiting Audit to verify that ballots were counted according to voter intent.”

Goal is to change all passwords by this evening

Griswold described the upload as an accident and said the mistake was made by a civil servant who no longer works for the department. “Out of an abundance of caution, we have people in the field working to reset passwords and review access logs for affected counties,” she said.

Gov. Jared Polis and Griswold, who are both Democrats, issued a joint update about the password changes today. The Polis administration is providing support “to complete changes to all the impacted passwords and review logs to ensure that no tampering occurred.”

“The Secretary of State will deputize certain state employees, who have cybersecurity and technology expertise and have undergone appropriate background checks and training,” the statement said. “In addition to the Department of State Employees and in coordination with county clerks, these employees will only enter badged areas in pairs to update the passwords for election equipment in counties and will be directly observed by local elections officials from the county clerk’s office. The goal is to complete the password updates by this evening and verify the security of the voting components, which are secured behind locked doors by county clerks.”

Griswold said she is “thankful to the Governor for his support to quickly resolve this unfortunate mistake.” Griswold told Colorado Public Radio that her department has no reason to believe the passwords were posted with malicious intent, but said that “a personnel investigation will be conducted by an outside party to look into the particulars of how this occurred.”

GOP slams Griswold

The Colorado Republican Party criticized Griswold this week after receiving an affidavit from someone who said they accessed the BIOS passwords on the publicly available spreadsheet three times between August 8 and October 23. The file “contained over 600 BIOS passwords for voting system components in 63 of the state’s 64 counties” before being removed on October 24, the state GOP said.

The affidavit described how to reveal the passwords in the VotingSystemInventory.xlsx file. It said that right-clicking a worksheet tab and selecting “unhide” would reveal “a dialog box where the application user can select from one, several, or all four listed hidden worksheets contained in the file.” Three of these worksheets “appear to list Basic Input Output System (BIOS) passwords” for hundreds of individual voting system components, the affidavit said.

The state GOP accused Griswold of downplaying the security risk, saying that only one password is needed for BIOS access. “BIOS passwords are highly confidential, allowing broad access for knowledgeable users to fundamentally manipulate systems and data and to remove any trace of doing so,” the GOP said. The “passwords were not encrypted or otherwise protected,” the GOP said.

State GOP Chairman Dave Williams said the incident “represents significant incompetence and negligence, and it raises huge questions about password management and other basic security protocols at the highest levels within Griswold’s office.” He also claimed the breach could put “the entire Colorado election results for the vast majority of races, including the tabulation for the Presidential race in Colorado, in jeopardy unless all of the machines can meet the standards of a ‘Trusted Build’ before next Tuesday.”

US Rep. Lauren Boebert (R-Colo.) and other Republicans called on Griswold to resign. Griswold said she would stay on the job.

Griswold: “I’m going to keep doing my job”

Republicans in the state House “and Congresswoman Lauren Boebert are the same folks who have spread conspiracies and lies about our election systems over and over and over again,” Griswold told Colorado Public Radio. “Ultimately, a civil servant made a serious mistake and we’re actively working to address it.” Griswold added, “I have faced conspiracy theories from elected Republicans in this state, and I have not been stopped by any of their efforts and I’m going to keep on doing my job.”

Colorado previously had a voting-system breach orchestrated by former county clerk Tina Peters of Mesa County, who was sentenced to nine years in prison in early October. Peters, who promoted former President Donald Trump’s election conspiracy theories, oversaw a leak of voting-system BIOS passwords. Griswold said after the Peters conviction that “Tina Peters willfully compromised her own election equipment trying to prove Trump’s big lie.”

Testimony from the Peters case was cited in the GOP’s criticism of Griswold this week. “In the Tina Peters trial, a senior State official even testified that release of these passwords in a single county represented a grave threat. Here, they have been released for the whole state,” the state GOP said.

The Trump campaign called on Griswold to halt the processing of mail ballots and re-scan all mailed ballots that were already scanned.

Photo of Jon Brodkin

Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry.

Colorado scrambles to change voting-system passwords after accidental leak Read More »