Please Follow us on Gab, Minds, Telegram, Rumble, Gettr, Truth Social, Twitter
Yesterday morning, the Colorado Free Press reported a security breach in the Colorado Secretary of State’s Office, where the election equipment BIOS passwords were publicly posted on the Secretary’s website, impacting over 600 pieces of election equipment across 63 of 64 Colorado counties.
Yesterday afternoon, the Secretary’s office issued a press release confirming the security breach, while claiming that secure BIOS passwords being publicly available on the internet – for months during election preparation, testing, and voting – poses no threat to Colorado elections.
Last night, Secretary Griswold joined Kyle Clark on 9News, but her appearance may have done more harm than good.
Griswold improperly claimed the compromised passwords were “partial passwords” in her press release, but when Clark pressed her on this point she admitted that the passwords were the complete passwords held by her office. There is a second password held by county IT teams, but the passwords compromised by Griswold’s office are not “partial passwords.” They are complete passwords.
Secretary Griswold is relying on the fact that county-held passwords were not compromised in an attempt to minimize that the passwords held by her office were compromised.
Thankfully, the impact of this breach is easy to understand – we only need to look at the testimony of Jesse Romero, given on August 1, 2024, during Tina Peters’ trial.
Counsel: “When a trusted build is occurring, are there two sets of passwords that are involved in the process?”
Romero: “So the counties are required to maintain the passwords to the actual election software. That is not for us, that is not for the vendor. It's simply for the counties. We at the State during the trusted build set the bios passwords. Bios is kind of the underlying program beneath the operating system of, like, Windows, that kind of instructs the computer what to do when you start it up. We change settings in the bios menu to secure the system. So we set that password and we retain it so the counties don't even know that password.”
Counsel: “You said the counties do not know their particular bios password?”
Romero: “They do not.”
Counsel: “How sensitive or confidential are those bios passwords?”
Romero: “They're very confidential. So, for example, we maintain them in our system in the folder they're kept in. Only my team, the four of us, and my direct manager have access to the actual passwords, the spreadsheet itself.
Counsel: Are they under legitimate lock and key?
Romero: “Yes.”
These are the same passwords, and ostensibly the same spreadsheet, that Secretary Griswold confirms was available, unencrypted and unprotected, online for months. It is likely that this spreadsheet was available while Romero was making these comments; it is confirmed that it was available seven days later on August 8.
Romero goes on to explain what a big deal this is.
Counsel: “So what did you then do next upon confirming that what you saw was the Mesa 2021 most recent bios passwords that are kept under lock and key because they're confidential?
Romero: “I set off the alarms. I notified my management, the administrative team, and basically everyone, you know, who would be involved and just said we have a serious problem.”
Again, this is Jesse Romero, from the Secretary of State’s Office. He was under oath when he made these comments.
Further, Jena’s biggest defense in response to the current breach is “two sets of passwords.” There were also two sets of passwords in 2021 – when the exact same breach caused Romero to “set off the alarms,” because the passwords being online constituted a “serious problem.”
What is the serious problem? Well, let’s ask Jesse Romero, whose answers are under oath.
Counsel: “Do you know if the bios can be used to turn off external ports, like Wi-Fi connectivity?”
Romero: “Yes, it can.”
Counsel: “And the -- whether or not a system is connected to the internet, that's determined by the bios, the basic operating system, correct?”
Romero: “If the component itself has the functionality to connect to the internet, it is disabled in the bios, correct.”
Counsel: “Is it your understanding that these systems do not have the capability?”
Romero: “Some components -- they're just computers. So components do have the capability. If it does, we disable it in the bios.”
Despite this record, she doubled down last night. Watch:
Jena Griswold’s answers about this security breach are contradicted by the sworn testimony of her staff. Yikes.
In light of the seriousness of the BIOS passwords being published online for months, consider this statement from Griswold:
She claims they took immediate action. Anyone with even a cursory understanding of password security knows that “immediate action” – step one – for a password breach is to change the compromised password. Changing the BIOS passwords in voting equipment has to be done via physical access to the equipment – and for that, the clerks would be involved.
Multiple Colorado clerks, who requested to remain anonymous due to fear of retaliation, confirmed to Colorado Free Press that they were never contacted by State before yesterday, Monday, October 29, 2024, after this story broke.
According to these clerks, at 5pm on Monday, there was a 45 minute “Teams call” with Deputy Secretary of State Chris Beall and all Colorado County Clerks. Secretary Griswold did not attend, likely because she was busy with Kyle.
Sources on the call confirm that many clerks “claimed to have heard about the BIOS password leak from their election judges.” The clerks were concerned, and requested an explanation from Deputy Beall.
Deputy Beall allegedly said that a voting system vendor alerted the Secretary's Office of the problem last Thursday, October 24. This is when the file was taken down and a clean file replaced it, as confirmed by Griswold in her interview with Clark. A vendor alerted the Secretary to the breach.
The Secretary’s office changed the passwords on impacted equipment yesterday... hours after the story broke, four days after the breach was identified, at the same time that Colorado voters are voting.
Step one for a password breach is to change the password.
The Colorado State Department is changing election system passwords in the middle of the election.
Think about that for a second.
The Secretary claims that this is not a security issue – “not a breach” – because no unauthorized person had physical access to the machines, and therefore it did not need to be reported to the clerks.
Yet, Colorado voters are voting, people are interacting with the systems all over the state, and this breach impacts 63 of 64 counties. How can they possibly be confident about unauthorized access if they didn’t speak to the clerks?
And, again, “immediate action” for a password breach is to change the passwords. The immediate action by the Secretary’s office appears to have been to engage in a cover up.
Side Note: During my research and discussions for this story, I was reminded of summer 2021 when Jena Griswold used COVID-19 emergency rules to ban independent forensic audits.
Convenient, right?
If State is changing BIOS passwords during an election because of a security breach, and no forensic audit is performed to determine if anyone accessed the system – either in person or remotely – while the BIOS passwords were publicly accessible, how can the system remain certified and in use?
More importantly, how can Colorado voters trust the 2024 election?
My personal opinion is that the entire State Department needs to be shut down and thoroughly investigated by independent forensic investigators. The office is a potential crime scene and, in any other domain of critical infrastructure, the threat landscape would be elevated and independent forensic teams would be running the show.
Public Trust cannot tolerate the State Department investigating itself.
And, yet, she's investigating herself. You just need to take her word on the outcome.
I agree with Jesse Romero. We have a serious problem.
Watch Griswold's full interview below.