Wednesday, October 22, 2008
Documents released by WikiLeaks last week appear to support earlier reports that Germany's federal police plan to use Trojan horse malware to conduct surreptitious searches of targeted computers, including Skype communication and encrypted SSL traffic.
According to one of the documents, which are unverified and were first published by the German political party PiratenPartei (Pirate Party), the Bavarian police appear to have commissioned a German security company to create a Trojan horse for capturing Skype communications and SSL traffic from surveilled computers that would be directly installed on targeted systems or delivered to unsuspecting suspects via an e-mail with a rogue attachment (much as the FBI delivered a Trojan horse to a Washington high school student last year).
One of the two documents appears to be a letter from the Bavarian Ministry of Justice to prosecutors. It discloses that a company named DigiTask was contracted to provide the Trojan horse, or Skype Capture Unit. The document discusses who is responsible - the Bavarian police or prosecutors -- for the cost of surveilling VoIP traffic used in criminal proceedings.
According to this document and the second one dated September 4 of last year -- which appears to be a letter from DigiTask to government authorities outlining how the program would work and its costs -- the police would be required to rent the software at a cost of EURO 3,500 a month, for a minimum of three months. In addition to the rental fee, the letter describes a one-time installation and de-installation fee of EURO 2,500 (the software de-installs itself after a set timeframe but can also be de-installed manually at any time), plus the cost of renting two proxy servers used to route the collected data to police. The document also mentions an additional EURO 2,500 required to rent SSL-decoding.
Of course Skype traffic is encrypted so just collecting the communication as it's in transit isn't enough. Authorities would need a key to decrypt it. German authorities spoke publicly last year about being thwarted by Skype's encryption. The two leaked documents, which have been somewhat poorly translated into English, address the encryption issue:
Encryption of communication via Skype poses a problem for surveillance of telecommunications. All traffic generated by Skype can be captured when surveilling a Dialin- or DSL-link, but it cannot be decrypted. The encryption of Skype works via AES wih a 256-Bit key. The symmetric AES keys are negotiated via RSA keys (1536 to 2048 Bit). The public keys of the users are confirmed by the Skype-Login-Server when logging in. To surveil Skype-communication it thus becomes necessary to realize other approaches than standard telecommunications surveillance.
The concept of DigiTask intends to install a so called Skype-Capture-Unit on the PC of the surveilled person. This Capture-Unit allows recording of the Skype communication, such as Voice and Chat, as well as diverting the data to an anonymous Recoridng-Proxy. The Recording-Proxy (not part of this offer) forwards the data to the final Recording-Server. The data can then be accessed via mobile Evaluation Stations.
The mobile Evaluation Units can, making use of a streaming-capable multimedia player, playback the recorded Skype communication, such as Voice and Chat, also live. To minimize bandwidth usage special codecs for strong compressions are used. The transmission of data to the recording unit is encrypted using the AES algorithm.
Germany's Supreme Court ruled last year that evidence gained from surreptitious searches of a suspect's computers were inadmissible in the absence of surveillance laws regulating police hacking activity. Legislators began drafting such a bill late last year, but as the leaked documents show, police didn't wait for legislators to make their move before they began talking with DigiTask about creating made-to-order Skype malware.
Around the same time that the police were negotiating with DigiTask, Germany passed another hacking bill that now makes it illegal for anyone (other than police presumably) to create, spread or purchase tools that are designed for hacking.
The DigiTask letter leaked online and dated after the new hacking law was passed includes a disclaimer saying that DigiTask will not be held responsible for usage of the software or any damages caused by it -- such as could happen if the rogue software wreaked havoc on a target's machine or if a lucky hacker stumbled across it on a target's machine and commandeered it for his own surveillance purposes. Noticeably, the letter doesn't appear to mention any guarantee by DigiTask that its secret software can bypass standard firewall and anti-virus protection.
Computer keystrokes can be snooped from afar by detecting the slight electromagnetic radiation emitted when a key is pressed, according to new research.
Other security experts have theorised keyboards were vulnerable to such detection, wrote Sylvain Pasini and Martin Vuagnoux, both doctorate students with the Security and Cryptography Laboratory at the Ecole Polytechnique Fédérale de Lausanne in Switzerland.
But Vuagnoux and Pasini believe theirs is the first set of experiments showing such spying is feasible. They blamed cost pressures on keyboard manufacturers for not making keyboards more snoop proof.
Keyboards "are not safe to transmit sensitive information," they wrote in an entry on
the school's website. "No doubt that our attacks can be significantly improved since we used relatively inexpensive equipment."
The researchers tested 11 different wired keyboard models produced between 2001 and 2008, including some with USB connectors and keyboards embedded in laptops. All were vulnerable to one of four surveillance methods.
Two videos posted show two different experiments, both of which accurately picked up the typed text.
The first video shows a white Logitech keyboard with a PS/2 connector that was attached to a laptop for power. It was monitored with a simple 1-metre wire cable about a metre away. After typing "trust no one" on the keyboard, the same phrase is returned on the researchers' monitoring equipment.
A former iMerge partner is accused of installing a backdoor server in the company's hosting center to send proprietary and financial information to his Gmail account.
In a legal battle to document the alleged industrial espionage of its former chief technology officer, iMerge.nl has obtained a court order requiring Google to release information associated with a Gmail "spybox." IMerge is an e-commerce business incubator based in the Netherlands.
"The suspect was, until September 2006, active as CTO, and had designed the [company's] security network," said Martijn Hoogeveen, CEO of iMerge, in an e-mail. "It is always very difficult to protect against the threat from within."
The former CTO, Hoogeveen claims, had installed a "backdoor" server in the company's hosting center. Although the company had changed all the passwords when the suspect left the company, the backdoor server went undetected. It was revealed when a subsequent network audit showed that financial information had been copied to the server. It turned out that the server had been set up to forward information from a corporate director's mailbox to the so-called spybox, a Gmail account used as a document drop.
Hoogeveen said he'd had suspicions about the CTO, a former partner, for some time because the suspect had been harassing people associated with the company with information that he shouldn't have known. This included knowledge of negotiations about the sale of one of its e-retail company, TakeItNow.com, which had been successfully concluded and was being kept quiet through a nondisclosure agreement. The suspect claimed he was providing information about another iMerge company, ICEcat.biz, to one of the company's competitors.
The final straw, said Hoogeveen, "was that he forwarded private (love) mail of one of our directors to his wife. She provided these (14) e-mails to us, which were sent from an anonymous Gmail account. Their marriage was already heading for a divorce, but the disclosed e-mails and dishonorable allegations about the victimized director created an unworkable situation. In the e-mails also the name of the main suspect was mentioned a few times."
According to the Dutch court's ruling, Google resisted iMerge's request for information about the Gmail account in question to protect user privacy, saying that iMerge didn't have a legitimate interest in the data requested and that its request was unlikely to identify the account owner because of the limited information Google requires for Gmail accounts to be opened.
Nonetheless, a Dutch court recently ruled in iMerge's favor and ordered Google to reveal the information associated with the Gmail account "alfaiscool2002@gmail.com" and the IP addresses used to access it.
"We needed user information from the Gmail account to rule out other possible suspects or accomplices," said Hoogeveen. As it turns out, the suspect's new employer's IP address is in the IP list provided by Google, according to Hoogeveen.
"We are waiting now on the last bits and pieces of the Gmail box (the registration data), and are preparing a next case against Dutch Telecom (KPN / xs4all), to prove other allegations," he said.
Mark Meijjer, iMerge's counsel, observed in a statement that it is "surprising how easy it is to harass innocent people with anonymous (Gmail) accounts. The verdict shows that U.S.-based Google Inc. is willing to comply [with] Dutch law, and that the privacy of a victim 'overrules' the privacy of the person who did wrong. As it should be."
The law in the Netherlands prohibits Hoogeveen from naming the suspect, presumably to protect the person's privacy.
According to Hoogeveen, there's a maximum penalty of one year in prison or a fine for accessing someone's e-mail account in the Netherlands without authorization. However, repeated break-ins multiply the possible penalty. He said the damage claim could reach 10 million euros ($13.3 million) if his company can prove that stolen information was provided to a competitor. And the suspect should lose his shares in the company, if convicted.
Google did not immediately respond to a request for comment. As a matter of policy, it does not reveal user information unless required to do so by law. The degree of legal online privacy protection afforded to individuals varies widely from country to country.
Government agencies should weigh up the risks to security and New Zealand's wider economic interests before outsourcing IT systems overseas, says the State Services Commission.
The commission has been developing guidelines for agencies considering "offshoring" information processing for 18 months.
An IT industry executive at one multinational says the upshot is that while departments could send processing overseas, it would probably be easier for them to "pass their datacentres through the eye of a needle".
Commission spokesman Jason Ryan says the advice stresses the dangers of offshoring, but also sets out how they could be managed.
"That was the intention - to make people well aware of what the risks were and how they could think about mitigating them."
The biggest supplier of IT services to the Government, EDS New Zealand, now a division of Hewlett-Packard, says the framework gives agencies a tool to weigh up the risks. "In the business world, it is accepted that sending work offshore can provide an opportunity to improve service delivery and reduce costs."
But the commission says agencies should create a risk report and look at the "worst case scenario". Risks include industrial espionage, "intelligence-gathering by foreign governments" and the difficulty of enforcing privacy and legal rights in overseas jurisdictions.
"Agencies should consider the likely public reaction to a data breach of that information if they have any doubts about its suitability for outsourcing or sending offshore."
Trust in government could be undermined by offshoring, even if data was kept safe, and agencies should take this into account, the commission advises. "Public perception may be a more significant concern than an objective view of risk might suggest."
It recommends seeking ministerial agreement before negotiating with overseas outsourcers.
The commission says agencies should consider the effect on New Zealand's labour force when deciding where to carry out work.
"Moving large-scale operations offshore may also affect unemployment rates, the balance of trade and Crown revenue. Where this risk is identified, advice should be sought from Treasury."
Mr Ryan says the commission has not studied how much processing is already done overseas.
Anecdotal reports suggest that it is very limited. Unisys New Zealand last year confirmed that it was carrying out a small amount of work for ACC, Inland Revenue and the Agriculture and Forestry Ministry in India, where it employs 1500 IT services staff.
The private sector has recently made stronger moves to embrace Indian outsourcing companies, though in most cases by inviting them to carry out work under contract in New Zealand. Fonterra and Telecom recently signed deals worth tens of millions of dollars with Indian outsourcers and ANZ National Bank last month confirmed plans to move up to 500 back office jobs to Bangalore.
State Services Commission deputy commissioner and government chief information officer Laurence Millar has given agencies and businesses till December 15 to give their feedback on the guidelines.
The Web site of the Ohio state agency that handles voter registration and other election information was shut down briefly after it was hacked, an official said on Tuesday, vowing to guard against fraud in the key battleground state in the November 4 presidential contest.
Ohio Secretary of State Jennifer Brunner said the agency temporarily took the Secretary of State Web site at www.sos.state.oh.us down on Monday after "one or more" security breaches were detected.
The site was restored to partial service on Tuesday after technicians worked overnight to ensure that no information could be compromised.
"Our focus is and has always been to protect the vote of every eligible Ohio voter from any kind of fraud, be it voter registration fraud, illegal voting or vote suppression. This action has been taken to detect and prosecute any illegal breach of our voting infrastructure to maintain voter confidence," Brunner said.
Ohio Gov. Ted Strickland, a Democrat, said in a separate statement that Brunner and her family had been subjected to "repeated serious threats."
With 20 of the 270 Electoral College votes needed to win the presidential election, Ohio is a central front in this year's White House campaign between Republican John McCain and Democrat Barack Obama. Ohio was the state that secured Republican President George W. Bush his 2004 re-election victory.
The Ohio State Highway Patrol is assisting with an investigation into the security breach, Brunner said.
There were widespread complaints of voting problems in Ohio in the 2004 presidential election, and Republicans and Democrats in the state have been battling in recent weeks over voting registration rules and early voting procedures.
Brunner, a Democrat, said her office has also been assaulted in recent weeks by a barrage of phone calls and e-mails containing "menacing messages and even threats of harm or death." Last week, a suspicious package covered with threatening messages and containing an unidentified powder was mailed to the office, Brunner said.
Voor de rechtbank in Leeuwarden zijn straffen uitgedeeld voor virtuele diefstal. Het is voor het eerst dat dat gebeurt.
Een 15-jarige jongen kreeg 200 uur werkstraf opgelegd en twee maanden voorwaardelijke cel; zijn 14-jarige vriendje 160 uur werkstraf en één maand voorwaardelijk. In het vonnis zijn ook bedreiging en mishandeling opgenomen.
Geslagen
De twee minderjarige jongens dwongen in september vorig jaar een jongen van 13 met hun mee naar huis te gaan. Daar werd het slachtoffer geslagen, geschopt en met messen bedreigd.
De verdachten wilden met de mishandelingen bewerkstelligen dat de jongen zijn virtuele bezittingen uit het spel RuneScape zou overboeken. Hij stemde uiteindelijk toe.
Spel
RuneScape is een spel in een virtuele wereld op internet. De spelers creëren een personage die vaardigheden kan leren, zoals houthakken, vuur maken of vissen. Ook wordt er in het spel gevochten.
Via missies die de deelnemers moeten uitvoeren, verdienen ze ervaringspunten en virtueel geld. Daarmee kunnen spullen worden gekocht. Net als in Second Life doen de spelers ook alledaagse dingen, zoals naar de film gaan of naar school.
Je kunt het spel gratis spelen, maar ook betaald. In het laatste geval heb je meer mogelijkheden, zo leef je in een grotere wereld en heb je toegang tot meer voorwerpen.
Wereldwijd staan bij RuneScape 135 miljoen mensen geregistreerd. Zo'n tien miljoen daarvan, onder wie de verdachten, loggen iedere maand in en spelen de gratis versie. Eén miljoen mensen maakt gebruik van de betaalde versie.
'Niet tastbaar'
De advocaten van de verdachten vonden dat hun cliënten moesten worden vrijgesproken van het stelen van virtuele bezittingen, omdat die volgens hen geen juridisch goed zijn en dus niet gestolen kunnen worden. "Punten in een spelletje zijn niet tastbaar, want ze bevinden zich in een niet-echte wereld. Hoe kun je nou iets uit een niet-echte wereld stelen?"
Tijdens de behandeling van de zaak, twee weken geleden, verwees het Openbaar Ministerie naar het aftappen van elektriciteit. Ook elektriciteit is niet tastbaar, maar het aftappen ervan is wel strafbaar, aldus het OM.
De advocaten van de verdachten vonden dit geen goede vergelijking, omdat je met elektriciteit in de echte wereld iets kunt doen: een lamp aanzetten bijvoorbeeld. En met virtuele goederen kun je in de echte wereld helemaal niets, luidde hun verdediging.
De rechter was het echter wel eens met de vergelijking van het OM.
Fixing the heart is hard. Certain procedures have to be performed on a stationary organ, so the heart is stopped and the patient put on a cardiopulmonary bypass machine. But stopping the heart increases the risk of brain damage. Now researchers at Harvard University and Children's Hospital Boston are testing a robotic system that could help surgeons perform a common valve repair while the heart beats on. The system uses 3-D ultrasound images to predict and compensate for the motion of the heart so that the surgeon can work on a patient's mitral valve as it moves.
"Some 50,000 people a year, in the U.S. alone, get mitral-valve surgery," says Robert Howe, a professor of engineering at Harvard and a researcher on the project. "It is a pressing clinical concern."
The goal of the procedure is to decrease the size of the valve. Traditionally, this is done by placing a stiff ring around the valve and suturing it in place by hand.
"We know how to repair valves. But what patients and doctors want is a more rapid recovery," says Marc Gillinov, a cardiac surgeon at the Cleveland Clinic who was not involved in the research. It can take two or three months for a patient to recover from an open-heart procedure; if the heart didn't have to be stopped, the recovery time could drop significantly. Performing the surgery on a beating heart would also give the surgeon instant feedback on the effectiveness of the procedure. "You'd know just as you do it whether the valve is working well," Gillinov says.
Howe says that, moreover, a number of studies show that stopping the heart can result in long-term cognitive deficits, and that older or frail people in particular don't always respond well to bypass machines. He hopes that his system will make heart surgery safer.
Unlike traditional mitral-valve repair, Howe's procedure does not involve opening up the heart itself. Instead, a hollow needle is inserted into the organ. The needle is used to introduce small anchors into the heart and affix them to the tissue around the mitral valve. The anchors can then be pulled together by a suture wire to decrease the size of the valve opening. "The challenge here is that [to affix the anchors] we need to keep track of where the heart tissue is, as the heart moves continuously," Howe says. Howe's team opted to use 3-D ultrasound to visualize heart movement because with other imaging techniques, such as video, the internal structures of the organ would have been concealed by circulating blood.
Data from the 3-D ultrasound images is analyzed using special software written by the researchers. The software can predict where heart tissue will be approximately 70 to 100 milliseconds in the future, so the position of the tip of the handheld surgical tool can be adjusted accordingly. Sensors in the tool also detect whether it comes in contact with the tissue. "We can detect very quickly if things deviate greatly from what's predicted and then pull back the [instrument] to get it out of the way," Howe says.
After studying the motion of real hearts, the researchers developed a foam model to test whether their device increased the dexterity of a small group of surgeons asked to affix anchors to the foam in particular positions. Howe says that the surgeons' performance was notably improved when they used the motion-compensation system. "Without it, there was a far higher failure rate, and the forces they applied were much higher as well," he says. In a clinical setting, applying too much force to the valve could damage heart tissue. Howe says that the system allows surgeons to affix the anchors within one to two millimeters of their intended position, which is fine, given the pliancy of heart tissue.
"It is very promising research," says Cenk Cavusoglu, an associate professor of electrical engineering and computer science at Case Western Reserve University. Cavusoglu is working on a similar system to allow surgeons to perform coronary-artery bypass surgery. While the procedure itself is quite different, the need for motion compensation is the same. Cavusoglu says that he is impressed by the simple design of the valve-repair tool and by the researchers' results so far.
Shelten Yuen, a Harvard PhD student who worked on the motion-compensation system, says that preliminary animal trials have already begun. But there is still much work to be done to perfect the tool. "There's a lot of interest on my part in terms of incorporating additional sensors, such as electrocardiograms and force sensors," Yuen says.
Romuald Ginhoux, a medical-software systems analyst at Median Technologies, in France, agrees that additional sensors could make the system more accurate. Ginhoux was also impressed by the small size of the device, which is about as big as a soldering iron. Ginhoux says that back in 2003, he worked on similar robots for heart surgeries, but that they were "the size of a real arm."
Yuen says that he hopes to make the device even smaller and lighter so that it will respond better to slight pressures, giving surgeons a better feel for the heart's tissue.
Click here to see it in action!
The UK'S Home Secretary was "perverse and inhuman" in her rejection of Pentagon hacker Gary McKinnon's plea that his mental health made him unsuitable for detention in the US, the High Court was told on Friday.
Jacqui Smith, the Home Secretary, agreed to consider McKinnon's extradition after he was diagnosed with Asperger's Syndrome, a form of autism, in August. She dismissed his appeal last Monday. But on Friday afternoon, McKinnon's legal team applied to the High Court for a judicial review.
McKinnon's claim for a judicial review raised Asperger's Syndrome again as the grounds to stay his extradition to a face imprisonment under conditions that have been criticised by human rights champions in the United Nations.
"Given the Claimant’s mental disability, the lengthy incarceration he faces and the likelihood that the loss of family contact and the experience of serving a sentence abroad," said the claim, made by renowned human rights lawyer Edward Fitzgerald QC, "It will expose him to a severe deterioration in his condition. It is perverse and inhuman not at least to seek an undertaking that he will not be repatriated," it said.
Smith had said she had no "residual discretion" to consider McKinnon's health. The claim asserted she did have a statutory right to do so, and that she had neglected it.
"Given Mr. McKinnon’s age, physical health and make-up as a person of great vulnerability with overt behavioural and social difficulties, the extreme duration and the degrading detention regime will subject him to intense physical and mental suffering," said the claim.
This would breach his human rights. Smith had rejected this defence because the evidence that McKinnon would serve time in a supermax prison, and that such prisons were operated under inhumane regimes, was flakey. But the claim said Smith's own evidence to the contrary was non-existent.
"Instead of informing herself the [Home Secretary] simply appears to have set out to undermine the evidence presented by the claimant," said the claim. "At the very least... the [Home Secretary] should have sought information and/or assurances from the US as to whether the Claimant will be detained in a Supermax prison rather than simply reaching her own conclusion without seeking any information or clarification from the US," it said.
Similarly, Smith hadn't even bothered to ask the US whether McKinnon could be repatriated to serve his sentence in the UK, when other countries such as Israel and the Netherlands refuse to allow extradition without repatriation at all.
It stands to reason, said the claim, that as the US intends to try McKinnon as a terrorist who used his hacking exploits to bring down military computer systems and "coerce and intimidate" the US into changing government policy, that he will be sent to a supermax prison where the US sends convicted terrorists.
Abu Hamza, the one-eyed, hook-handed Muslim cleric who is also fighting extradition to face terrorism charges in the US, had his extradition held by the European Court of Human Rights in August.
The court wanted to determine whether human rights law would allow him to be sent to a supermax prison. It would be "perverse" and contrary to human rights law for the government to extradite McKinnon before the ECHR had reached a conclusion over supermax prisons, said the claim. Moreover, the UK courts had already asked whether long detention in a supermax might "violate the prohibition on torture and on inhuman and degrading treatment".
The matter had not yet been settled.
Bruce Haggard, an election commissioner in Faulkner County, Arkansas, is baffled by a problem that occurred with two voting machines in this month's state primary elections. The machines allocated votes cast in one race to an entirely different race that wasn't even on the electronic ballot. The problem resulted in the wrong candidate being declared victor in a state House nomination race.
"I don't understand how it could possibly happen," Haggard told Threat Level.
The problem occurred with two touch-screen voting machines made by Election Systems & Software, which were the only machines used in Faulkner County's East Cadron B voting precinct.
Haggard says the night before the election, officials noticed that the electronic ballot on two machines slated to be used at East Cadron B was missing the State House District 45 race. So officials printed up paper ballots to be used just for that race in that precinct.
Voters cast electronic ballots on the voting machines for other races, then cast paper ballots for the District 45 race. At the end of the day, Dr. Terry Fiddler (D) had beat Linda Tyler (D) for nomination to the House seat with 794 votes to Tyler's 770. But a post-election examination revealed that despite the fact that the electronic ballots on the two machines at the East Cadron B precinct didn't display the District 45 race, the machines recorded votes for that race anyway.
After some examination, officials determined that the machines had taken votes that were actually cast in a different race -- the Cadron Township Constable race -- and given them to the non-existent District 45 race instead. Luckily, Haggard says officials were able to determine this is where the votes came from because the touch-screen machines produce a voter-verifiable paper audit trail.
Those paper trails showed correctly that there was no District 45 race on the ballot and, thus, that there were no votes cast on the machines for the District 45 race. But memory cards taken from inside the machines, showed that the machines recorded votes in the District 45 race. Officials were able to determine that those District 45 votes actually belonged to the Cadron Township Constable race because the same number of votes that were allocated to the District 45 race in the memory cards matched the number of votes that voters had cast in the Cadron Township Constable race, which appeared on the voter-verifiable paper audit trail.
"Somehow the recording software had tabulated it into the wrong race," Haggard says. "Thank goodness for the paper trail. We went to the paper trail and could show how people actually voted."
Haggard doesn't have a clue how the switch could have happened but says that it was either a problem with the ballot definition file that election officials created before the election that tells the machines where to allocate votes or in the voting machine software itself.
Once the bogus votes in District 45 were subtracted from the totals, Fiddler lost 51 votes in the race, showing that Tyler had actually won the nomination for the House seat.
ES&S did not respond to a call for comment but Haggard says the company will be expected to come up with an answer about what happened.
He says the two machines in question have been sequestered in the county warehouse, and the county will be requesting help from the secretary of state's office to conduct an examination with ES&S. Haggard says the examination will likely occur next month. Haggard says they have no plans to bring in an independent investigator, though he says he's going to insist that ES&S examine the machines on site in his presence.
This is not the first time that ES&S voting systems have had vote-flipping problems. In Ohio during last November's general election ES&S tabulation software flipped the vote totals for two candidates. Officials noticed the problem when they compared the vote totals produced from the memory cards to the totals that appeared on paper printouts from the machines.
ES&S machines in Ohio also had a separate problem last November when voters, among them the secretary of state, reported that their machine had dropped a candidate's name from the race and displayed a gray bar in his place.
ES&S machines were also at the center of the controversy over the 13th Congressional District race in Florida in 2006 when more than 18,000 ballots cast in Sarasota County showed no vote cast in the CD-13 race after hundreds of voters had complained that the machines failed to respond to their touch. An investigation by the Government Accountability Office indicated that the machines likely weren't to blame in that case, though critics have questioned the thoroughness of that investigation.
CORRECTION: A previous version of this post said the race was for a state House seat. It was actually a primary race for nomination to the state House seat election