1 00:00:00,000 --> 00:00:04,970 buna ziua bucharest buna ziua romania 2 00:00:10,219 --> 00:00:20,250 she buna ziua mama ok everybody 3 00:00:15,839 --> 00:00:24,710 so let's get started my talk is the 4 00:00:20,250 --> 00:00:27,448 election system can we fix it yes we can 5 00:00:24,710 --> 00:00:33,719 solutions to improve the election system 6 00:00:27,449 --> 00:00:37,500 with yours truly be a scilab so Who am I 7 00:00:33,719 --> 00:00:40,290 I'm a 12 year old girl I was a younger 8 00:00:37,500 --> 00:00:41,969 speaker at Hope hackers on planet earth 9 00:00:40,290 --> 00:00:44,610 which is one of the oldest hacker 10 00:00:41,969 --> 00:00:46,800 conferences I am now a three times 11 00:00:44,610 --> 00:00:49,230 speaker at Def Con I spoke at the voting 12 00:00:46,800 --> 00:00:53,129 village the bio hacking village and the 13 00:00:49,230 --> 00:00:56,760 Ruth asylum I am a maker and a hacker 14 00:00:53,129 --> 00:00:58,858 and my election hacking from the roots 15 00:00:56,760 --> 00:01:00,930 asylum was highlighted at a 16 00:00:58,859 --> 00:01:03,059 congressional hearing on election 17 00:01:00,930 --> 00:01:09,270 security here is me with the witness 18 00:01:03,059 --> 00:01:12,179 panel while this talk will be focused on 19 00:01:09,270 --> 00:01:14,460 the u.s. election system the lessons 20 00:01:12,180 --> 00:01:19,619 learned here can apply to any election 21 00:01:14,460 --> 00:01:22,530 system worldwide so what did the roots 22 00:01:19,619 --> 00:01:25,439 Asylum do they held a mock election 23 00:01:22,530 --> 00:01:28,350 reporting system and us kids got to 24 00:01:25,439 --> 00:01:31,350 perform sequel injection to change the 25 00:01:28,350 --> 00:01:33,780 results what is sequel injection you may 26 00:01:31,350 --> 00:01:36,169 ask here is part of my girls who hacked 27 00:01:33,780 --> 00:01:42,570 course on sequel injection 28 00:01:36,170 --> 00:01:44,579 dun-da-da-da the application in this 29 00:01:42,570 --> 00:01:46,740 case a webform that talks to the 30 00:01:44,579 --> 00:01:49,798 database is tricked into sending an 31 00:01:46,740 --> 00:01:54,720 attack query so here is the classic 32 00:01:49,799 --> 00:01:57,000 username and password field now here is 33 00:01:54,720 --> 00:02:03,600 a simple attack or one equals one is 34 00:01:57,000 --> 00:02:05,640 true so this is the code sequel equals 35 00:02:03,600 --> 00:02:07,589 select from users where name equals you 36 00:02:05,640 --> 00:02:09,330 name and pass equals you pass 37 00:02:07,590 --> 00:02:11,670 so it's requesting a username and a 38 00:02:09,330 --> 00:02:12,740 password and let's say Alice wants to 39 00:02:11,670 --> 00:02:16,250 attack the 40 00:02:12,740 --> 00:02:19,310 website because I mean why not so she 41 00:02:16,250 --> 00:02:19,910 puts in Alice double-quote or one equals 42 00:02:19,310 --> 00:02:23,090 one 43 00:02:19,910 --> 00:02:27,109 they user name field and then Alice pass 44 00:02:23,090 --> 00:02:30,170 or double quote or one equals one in the 45 00:02:27,110 --> 00:02:33,680 past field so then this command in 46 00:02:30,170 --> 00:02:37,030 orange gets sent to the database select 47 00:02:33,680 --> 00:02:40,580 from users where name equals you name 48 00:02:37,030 --> 00:02:43,280 where you name equals Alice or one 49 00:02:40,580 --> 00:02:47,690 equals one and pass equals Alice pass or 50 00:02:43,280 --> 00:02:49,630 one equals one does one equal one yes 51 00:02:47,690 --> 00:02:51,800 okay good 52 00:02:49,630 --> 00:02:54,920 you passed the test 53 00:02:51,800 --> 00:02:56,390 you all greet graduated from preschool 54 00:02:54,920 --> 00:02:59,660 yay 55 00:02:56,390 --> 00:03:02,119 goldstar stickers for everyone and then 56 00:02:59,660 --> 00:03:04,670 the sequel above is valid and will turn 57 00:03:02,120 --> 00:03:08,680 all rows from the user and past table 58 00:03:04,670 --> 00:03:14,540 since or one equals one is always true 59 00:03:08,680 --> 00:03:17,090 back to my talk sequel injection like I 60 00:03:14,540 --> 00:03:19,700 said the kids and I and the roots column 61 00:03:17,090 --> 00:03:23,240 did this attack last year and this year 62 00:03:19,700 --> 00:03:27,619 you're thinking big deal it was rigged 63 00:03:23,240 --> 00:03:30,200 for the kids but Russia use the same 64 00:03:27,620 --> 00:03:32,150 sequel injection attack and successfully 65 00:03:30,200 --> 00:03:35,480 broke into a State Board of Elections 66 00:03:32,150 --> 00:03:39,170 website where they gained access to the 67 00:03:35,480 --> 00:03:41,480 voter records and exfiltrated them they 68 00:03:39,170 --> 00:03:44,079 were then able to pivot into the network 69 00:03:41,480 --> 00:03:47,840 and who knows what happened after that 70 00:03:44,080 --> 00:03:50,330 this is outlined in Volume one on pages 71 00:03:47,840 --> 00:03:55,550 50 and 51 of the Mueller report if you 72 00:03:50,330 --> 00:03:58,880 don't believe me now let's start what 73 00:03:55,550 --> 00:04:03,380 the election system the election system 74 00:03:58,880 --> 00:04:06,200 has a huge attack surface over 10,000 75 00:04:03,380 --> 00:04:08,660 voting precincts voter registration 76 00:04:06,200 --> 00:04:11,060 databases voting machines reporting 77 00:04:08,660 --> 00:04:14,150 systems and of course election officials 78 00:04:11,060 --> 00:04:15,640 as dr. Latanya Sweeney said at the 79 00:04:14,150 --> 00:04:19,760 hearing on voting technology 80 00:04:15,640 --> 00:04:24,460 vulnerabilities every step introduces a 81 00:04:19,760 --> 00:04:24,460 vulnerability and I agree with you 82 00:04:24,830 --> 00:04:31,818 and let me just say they're problems 83 00:04:28,210 --> 00:04:34,219 everywhere most states lack the 84 00:04:31,819 --> 00:04:36,440 resources and technical expertise and 85 00:04:34,220 --> 00:04:39,289 let's face it they are election 86 00:04:36,440 --> 00:04:41,990 officials not computer security experts 87 00:04:39,289 --> 00:04:46,490 if not we wouldn't be in this situation 88 00:04:41,990 --> 00:04:48,289 they have aging equipment many of the 89 00:04:46,490 --> 00:04:50,960 voting machines that have been pawned at 90 00:04:48,289 --> 00:04:55,280 the voting village at DEFCON are still 91 00:04:50,960 --> 00:04:57,919 in use in many districts they have a 92 00:04:55,280 --> 00:05:00,559 lack of consistent funding for security 93 00:04:57,919 --> 00:05:02,060 a lot of the voting security money comes 94 00:05:00,560 --> 00:05:05,240 in a lump sum 95 00:05:02,060 --> 00:05:07,909 this is fixes problems now but not in 96 00:05:05,240 --> 00:05:11,780 the future states need consistent voting 97 00:05:07,909 --> 00:05:15,550 security budgets attacked by foreign 98 00:05:11,780 --> 00:05:18,440 adversaries with endless time and money 99 00:05:15,550 --> 00:05:21,800 versus the underfunded state and local 100 00:05:18,440 --> 00:05:24,560 election websites or Stephen Frank have 101 00:05:21,800 --> 00:05:27,440 to secure them along with all the other 102 00:05:24,560 --> 00:05:29,569 sites and help Bob print out his emails 103 00:05:27,440 --> 00:05:34,490 who do you think will win in that 104 00:05:29,569 --> 00:05:37,759 situation then NIST's election security 105 00:05:34,490 --> 00:05:41,779 research team consists of one full-time 106 00:05:37,759 --> 00:05:43,430 for part-time and four contractors there 107 00:05:41,779 --> 00:05:45,259 are more people working at a single 108 00:05:43,430 --> 00:05:50,569 McDonald's and they are working on 109 00:05:45,259 --> 00:05:53,599 election security people like really so 110 00:05:50,569 --> 00:05:55,639 let's jump into more problems and how to 111 00:05:53,599 --> 00:05:58,009 solve them this is me at the 112 00:05:55,639 --> 00:05:59,629 Pennsylvania voting machine review where 113 00:05:58,009 --> 00:06:02,870 we are allowed to examine the machines 114 00:05:59,629 --> 00:06:05,629 all we wanted either of them crazy this 115 00:06:02,870 --> 00:06:07,759 simple to pick lock covers the USB ports 116 00:06:05,629 --> 00:06:15,550 that contain the votes and the software 117 00:06:07,759 --> 00:06:15,550 update port so wow I mean look at that 118 00:06:15,669 --> 00:06:21,198 now for all of you wondering how the 119 00:06:18,860 --> 00:06:25,099 u.s. election system works here is a 120 00:06:21,199 --> 00:06:27,979 brief overview SEP number one voters 121 00:06:25,099 --> 00:06:29,599 must register to vote it's not automatic 122 00:06:27,979 --> 00:06:31,430 because that would actually make sense 123 00:06:29,599 --> 00:06:36,800 we want to make the election system as 124 00:06:31,430 --> 00:06:38,129 complicated as we can right then you 125 00:06:36,800 --> 00:06:40,379 cast your vote 126 00:06:38,129 --> 00:06:43,559 it's done at your local voting precinct 127 00:06:40,379 --> 00:06:45,449 not the one by your work it has to be by 128 00:06:43,559 --> 00:06:48,269 your house so you've got to wake up 129 00:06:45,449 --> 00:06:50,819 early go vote and then go to work and 130 00:06:48,269 --> 00:06:53,789 yes it is not a national holiday it's 131 00:06:50,819 --> 00:06:56,219 still a work day then the voter is 132 00:06:53,789 --> 00:06:59,580 identity is verified and then your vote 133 00:06:56,219 --> 00:07:05,489 is cast the voting machines differ from 134 00:06:59,580 --> 00:07:08,519 precinct to precinct then the votes are 135 00:07:05,489 --> 00:07:11,549 tabulated at a local ven state level in 136 00:07:08,519 --> 00:07:14,369 the presidential election the Electoral 137 00:07:11,550 --> 00:07:16,499 College decides the president this keeps 138 00:07:14,369 --> 00:07:20,129 the larger states from having too much 139 00:07:16,499 --> 00:07:24,629 power and as January generally based on 140 00:07:20,129 --> 00:07:26,729 the state's popular vote the Electoral 141 00:07:24,629 --> 00:07:31,559 College can be talking itself but I'm 142 00:07:26,729 --> 00:07:34,169 just keeping it short for you guys okay 143 00:07:31,559 --> 00:07:36,929 so here are some voting a sack of voting 144 00:07:34,169 --> 00:07:39,448 machines at the vote waiting village duh 145 00:07:36,929 --> 00:07:41,399 a DEFCON I'm pretty sure this was 146 00:07:39,449 --> 00:07:45,800 actually the first of first voting 147 00:07:41,399 --> 00:07:48,839 village at DEFCON two now voter 148 00:07:45,800 --> 00:07:51,209 registration systems they differ from 149 00:07:48,839 --> 00:07:53,579 state to state some have standalone 150 00:07:51,209 --> 00:07:55,889 systems while other tie in with their 151 00:07:53,579 --> 00:08:00,509 Department of Motor Vehicles driver's 152 00:07:55,889 --> 00:08:03,269 registration system everyone including 153 00:08:00,509 --> 00:08:05,759 bad guys nation states and groups trying 154 00:08:03,269 --> 00:08:08,309 to upset democracy is trying to hack 155 00:08:05,759 --> 00:08:10,409 these systems all the time if you 156 00:08:08,309 --> 00:08:12,719 monitor an intrusion detection system 157 00:08:10,409 --> 00:08:15,748 which is a machine that examines all the 158 00:08:12,719 --> 00:08:17,490 network traffic you will see constant 159 00:08:15,749 --> 00:08:20,219 attacks like sequel injection cross-site 160 00:08:17,490 --> 00:08:23,579 scripting and other exploits from all 161 00:08:20,219 --> 00:08:27,990 over the world including Russia China as 162 00:08:23,579 --> 00:08:30,629 well as tor exit notes okay now there's 163 00:08:27,990 --> 00:08:32,579 something really important that I want 164 00:08:30,629 --> 00:08:35,729 you all to listen if you're on your 165 00:08:32,578 --> 00:08:39,448 phones pay attention don't pick your 166 00:08:35,729 --> 00:08:43,110 nose and listen to this the scary thing 167 00:08:39,448 --> 00:08:46,109 is election officials are not required 168 00:08:43,110 --> 00:08:49,380 to report any detected compromises or 169 00:08:46,110 --> 00:08:51,660 vulnerabilities in these systems 170 00:08:49,380 --> 00:08:54,210 if the election was hacked we wouldn't 171 00:08:51,660 --> 00:09:03,180 know maybe they know but there they 172 00:08:54,210 --> 00:09:03,840 don't have to tell us so how do we fix 173 00:09:03,180 --> 00:09:06,719 this 174 00:09:03,840 --> 00:09:09,110 while voter registration systems are 175 00:09:06,720 --> 00:09:11,850 things we actually know how to secure 176 00:09:09,110 --> 00:09:13,590 website and database security is 177 00:09:11,850 --> 00:09:17,070 something we know one have security 178 00:09:13,590 --> 00:09:21,420 standards for so let's use some 179 00:09:17,070 --> 00:09:23,460 guidelines number one there is OS wasp 180 00:09:21,420 --> 00:09:27,569 or the open web application security 181 00:09:23,460 --> 00:09:30,120 project they have tons of resources too 182 00:09:27,570 --> 00:09:32,450 many to list here the NIST cybersecurity 183 00:09:30,120 --> 00:09:37,020 framework provides a way to identify 184 00:09:32,450 --> 00:09:40,140 protect and detect any compromises then 185 00:09:37,020 --> 00:09:42,180 there is open SCAP or security content 186 00:09:40,140 --> 00:09:44,490 automation protocol that supports 187 00:09:42,180 --> 00:09:46,530 automated configuration vulnerability 188 00:09:44,490 --> 00:09:49,860 patch checking and security measurement 189 00:09:46,530 --> 00:09:52,439 then my personal favorite the SAFE Act 190 00:09:49,860 --> 00:09:56,400 which is still currently sitting in 191 00:09:52,440 --> 00:09:57,360 Congress but I hope I really hope it 192 00:09:56,400 --> 00:10:02,100 becomes a thing 193 00:09:57,360 --> 00:10:04,020 so here's more on the safe fact the SAFE 194 00:10:02,100 --> 00:10:07,260 Act requires many important things 195 00:10:04,020 --> 00:10:09,360 including voter verified paper ballots 196 00:10:07,260 --> 00:10:14,550 these are important because the voter 197 00:10:09,360 --> 00:10:17,190 actually verifies their vote and then 198 00:10:14,550 --> 00:10:19,760 there is an analogue paper trail so you 199 00:10:17,190 --> 00:10:22,110 can check with a physical piece of paper 200 00:10:19,760 --> 00:10:24,870 there are risk limiting audits 201 00:10:22,110 --> 00:10:27,480 that's where votes are counted by humans 202 00:10:24,870 --> 00:10:30,930 to make sure the machines are accurate 203 00:10:27,480 --> 00:10:33,420 and using risk limiting audits and voter 204 00:10:30,930 --> 00:10:38,219 verified paper ballots are best defense 205 00:10:33,420 --> 00:10:40,740 against election tampering then you've 206 00:10:38,220 --> 00:10:44,490 built your reporting system now what 207 00:10:40,740 --> 00:10:46,530 test it first make sure it actually 208 00:10:44,490 --> 00:10:49,080 works because that's kind of important 209 00:10:46,530 --> 00:10:51,839 then have your team test it make sure 210 00:10:49,080 --> 00:10:55,260 you cover the basics like the top ten 211 00:10:51,840 --> 00:10:57,570 and fix the bugs don't waste your budget 212 00:10:55,260 --> 00:10:58,950 on having professionals come in just to 213 00:10:57,570 --> 00:11:02,330 tell you what could you could have found 214 00:10:58,950 --> 00:11:05,180 out by yourself next step 215 00:11:02,330 --> 00:11:06,890 test it with hackers make sure it is 216 00:11:05,180 --> 00:11:09,530 fully tested before you bring in an 217 00:11:06,890 --> 00:11:12,319 external pen testing team they will find 218 00:11:09,530 --> 00:11:13,819 things that you never thought of if you 219 00:11:12,320 --> 00:11:18,460 are thinking that the systems out there 220 00:11:13,820 --> 00:11:21,020 secure well let me tell you they are not 221 00:11:18,460 --> 00:11:23,090 hackers have found siegel injection 222 00:11:21,020 --> 00:11:27,140 working on a state site just recently 223 00:11:23,090 --> 00:11:30,110 like two weeks ago states need to have a 224 00:11:27,140 --> 00:11:32,860 bug bounty or at very least a clear 225 00:11:30,110 --> 00:11:35,390 channel for reporting vulnerabilities 226 00:11:32,860 --> 00:11:39,530 if registered to vote 227 00:11:35,390 --> 00:11:42,230 now what hacking the voting machines oh 228 00:11:39,530 --> 00:11:47,000 wait sorry just the voting machines 229 00:11:42,230 --> 00:11:48,560 themselves voting machines you would 230 00:11:47,000 --> 00:11:50,860 think the US would have a thriving 231 00:11:48,560 --> 00:11:53,719 voting machine industry unfortunately 232 00:11:50,860 --> 00:11:55,640 this is not true if you want to make a 233 00:11:53,720 --> 00:11:58,880 voting machine you need to make the 234 00:11:55,640 --> 00:12:01,310 entire system everything from the voter 235 00:11:58,880 --> 00:12:03,860 registration system the voting machine 236 00:12:01,310 --> 00:12:08,000 then the tabulator and reporting system 237 00:12:03,860 --> 00:12:10,090 this is why 80% of the u.s. voting 238 00:12:08,000 --> 00:12:14,750 machines are made by two manufacturers 239 00:12:10,090 --> 00:12:18,670 yes in US and Dominion yes in us by 240 00:12:14,750 --> 00:12:22,760 global election systems which became 241 00:12:18,670 --> 00:12:26,240 Diebold oh they're so insecure as you'll 242 00:12:22,760 --> 00:12:28,490 see soon yes and a senior programmer and 243 00:12:26,240 --> 00:12:33,290 VP was convicted of computer software 244 00:12:28,490 --> 00:12:35,600 tampering and embezzlement in 2004 they 245 00:12:33,290 --> 00:12:38,449 performed an emergency software patch in 246 00:12:35,600 --> 00:12:42,230 37 swing states these are key states 247 00:12:38,450 --> 00:12:44,870 that could swing the election one way or 248 00:12:42,230 --> 00:12:47,570 the other I wonder why they only did it 249 00:12:44,870 --> 00:12:51,110 in the swing states something's fishy 250 00:12:47,570 --> 00:12:52,940 there then Georgia and Tennessee have 251 00:12:51,110 --> 00:12:54,500 reported machines losing votes in 252 00:12:52,940 --> 00:12:57,320 predominantly african-american 253 00:12:54,500 --> 00:13:03,260 neighborhoods now that just doesn't 254 00:12:57,320 --> 00:13:05,540 sound right these manufacturers keep 255 00:13:03,260 --> 00:13:08,780 their source close and will threaten to 256 00:13:05,540 --> 00:13:12,290 sue people if they try to examine their 257 00:13:08,780 --> 00:13:12,650 software the daibul gems tabulator was 258 00:13:12,290 --> 00:13:15,630 found 259 00:13:12,650 --> 00:13:18,930 lowering vote counts it's not 260 00:13:15,630 --> 00:13:22,410 that hard people vote gets vote plus one 261 00:13:18,930 --> 00:13:26,280 or for my C fans out there vote plus 262 00:13:22,410 --> 00:13:29,189 plus many machines and tabulators have 263 00:13:26,280 --> 00:13:34,620 hidden back doors that allow votes to be 264 00:13:29,190 --> 00:13:38,690 manipulated during the election now 265 00:13:34,620 --> 00:13:43,290 let's talk about direct recording 266 00:13:38,690 --> 00:13:45,570 systems direct recording systems are 267 00:13:43,290 --> 00:13:48,209 voting machines that do not produce a 268 00:13:45,570 --> 00:13:51,870 human readable paper trail these 269 00:13:48,210 --> 00:13:54,600 machines cannot not be made secure so 270 00:13:51,870 --> 00:13:59,790 please follow my advice and don't use 271 00:13:54,600 --> 00:14:02,490 them as was proven every year at Def Con 272 00:13:59,790 --> 00:14:06,180 voting village the vote count can be 273 00:14:02,490 --> 00:14:07,800 undetectably manipulated these types of 274 00:14:06,180 --> 00:14:10,949 machines are used in many countries 275 00:14:07,800 --> 00:14:12,540 around the world including Brazil who 276 00:14:10,950 --> 00:14:19,980 wants to guess who made the machines in 277 00:14:12,540 --> 00:14:21,630 Brazil Diebold yay not really you know 278 00:14:19,980 --> 00:14:32,780 what I would trust more than a direct 279 00:14:21,630 --> 00:14:36,120 recording system yeah now paper ballots 280 00:14:32,780 --> 00:14:39,660 another way to collect votes is with 281 00:14:36,120 --> 00:14:43,350 paper ballots there are two types number 282 00:14:39,660 --> 00:14:46,800 one hand marked paper ballots this is 283 00:14:43,350 --> 00:14:49,170 the best most secure option these are 284 00:14:46,800 --> 00:14:51,630 marked by the voter themselves scanned 285 00:14:49,170 --> 00:14:55,620 with an electronic scanner or counted by 286 00:14:51,630 --> 00:14:57,870 hand then ballot marking devices these 287 00:14:55,620 --> 00:15:01,590 were originally made for the handicapped 288 00:14:57,870 --> 00:15:03,750 voters but what demand for public for 289 00:15:01,590 --> 00:15:06,690 paper ballots the voting machine 290 00:15:03,750 --> 00:15:10,640 manufacturers saw an opportunity to sell 291 00:15:06,690 --> 00:15:13,290 more expensive BMDs as paper ballots 292 00:15:10,640 --> 00:15:16,560 there are a few problems with these 293 00:15:13,290 --> 00:15:18,300 machines if the human flips here if the 294 00:15:16,560 --> 00:15:22,130 machine flips your vote what do they do 295 00:15:18,300 --> 00:15:25,380 was a human error or a machine error 296 00:15:22,130 --> 00:15:27,600 some machines print a barcode as a paper 297 00:15:25,380 --> 00:15:29,100 trail how do you know what it says 298 00:15:27,600 --> 00:15:32,840 fat bar skinny 299 00:15:29,100 --> 00:15:36,810 fat bar fat bar skinny bar this just in 300 00:15:32,840 --> 00:15:39,990 BMD suck some new machines take up to 10 301 00:15:36,810 --> 00:15:42,900 minutes to switch screens while voting 302 00:15:39,990 --> 00:15:45,120 10 minutes if there's a long line you 303 00:15:42,900 --> 00:15:48,390 just want to jump right out texas 304 00:15:45,120 --> 00:15:51,600 machines unable to read RFID voter card 305 00:15:48,390 --> 00:15:53,630 causing massive delays again people want 306 00:15:51,600 --> 00:15:57,180 to get out of the line and go to work 307 00:15:53,630 --> 00:16:00,689 brand new SNS machines reporting zero 308 00:15:57,180 --> 00:16:03,170 Democrat votes on printout but then once 309 00:16:00,690 --> 00:16:09,720 they do a hand cow it reveals that 310 00:16:03,170 --> 00:16:14,490 Democrats won hmm this just in do your 311 00:16:09,720 --> 00:16:17,070 ease sock Virginia change to hand marked 312 00:16:14,490 --> 00:16:18,990 paper ballots and the Democrats won for 313 00:16:17,070 --> 00:16:25,840 the first time in twenty years 314 00:16:18,990 --> 00:16:27,530 something's wrong there too so now let's 315 00:16:25,840 --> 00:16:30,600 [Music] 316 00:16:27,530 --> 00:16:33,000 the Accu vote is a direct recording 317 00:16:30,600 --> 00:16:34,560 system some of them have a printer so 318 00:16:33,000 --> 00:16:39,780 that the voter can verify their vote 319 00:16:34,560 --> 00:16:42,479 some don't in 2007 one year after I was 320 00:16:39,780 --> 00:16:44,819 born the source code was reviewed by 321 00:16:42,480 --> 00:16:46,950 state of California and they found it 322 00:16:44,820 --> 00:16:49,800 was susceptible to viruses that could 323 00:16:46,950 --> 00:16:53,010 alter the vote count my friends over at 324 00:16:49,800 --> 00:16:55,290 the hacker house were able to load their 325 00:16:53,010 --> 00:17:00,770 own phone firmware into the machine and 326 00:16:55,290 --> 00:17:05,069 could do this hacker house 2020 election 327 00:17:00,770 --> 00:17:10,530 fixing software hack toy injecting new 328 00:17:05,069 --> 00:17:14,550 United States President CDC loading 329 00:17:10,530 --> 00:17:20,399 operating system rigging election they 330 00:17:14,550 --> 00:17:23,609 were also able to do this and what does 331 00:17:20,400 --> 00:17:28,040 every hardware hacker ask can you play 332 00:17:23,609 --> 00:17:28,040 Doom on it yes yes you can 333 00:17:30,520 --> 00:17:34,940 [Applause] 334 00:17:36,050 --> 00:17:42,300 now I have a question for all of you 335 00:17:39,330 --> 00:17:51,330 where are your voting machines stored 336 00:17:42,300 --> 00:17:54,110 right meow well if you live in the US 337 00:17:51,330 --> 00:17:58,710 where are your voting machines right now 338 00:17:54,110 --> 00:18:01,110 say you don't know how I live they are 339 00:17:58,710 --> 00:18:04,500 stored in cold storage so how well are 340 00:18:01,110 --> 00:18:05,280 they secured while in cold storage hey 341 00:18:04,500 --> 00:18:08,220 Bob 342 00:18:05,280 --> 00:18:10,620 where are the spare traffic cones oh you 343 00:18:08,220 --> 00:18:14,610 know by the voting machines where I eat 344 00:18:10,620 --> 00:18:17,750 my lunch and get this they protected it 345 00:18:14,610 --> 00:18:21,030 with one thing no one can get past 346 00:18:17,750 --> 00:18:29,130 caution tape everybody those caution 347 00:18:21,030 --> 00:18:31,680 tape back away back to cold storage bad 348 00:18:29,130 --> 00:18:32,310 actors can purchase machines off the 349 00:18:31,680 --> 00:18:34,230 internet 350 00:18:32,310 --> 00:18:36,450 reverse the software and the firmware 351 00:18:34,230 --> 00:18:38,910 then install the hack software and 352 00:18:36,450 --> 00:18:40,650 firmware on machines and cold storage 353 00:18:38,910 --> 00:18:43,710 while these machines may have 354 00:18:40,650 --> 00:18:47,460 tamper-evident seals they really are not 355 00:18:43,710 --> 00:18:50,760 that tamper evident here is me at DEFCON 356 00:18:47,460 --> 00:18:53,100 25 removing tamper-evident tape with 357 00:18:50,760 --> 00:18:55,440 acetone that's also known as fingernail 358 00:18:53,100 --> 00:18:57,570 polish for all of you out there I was 359 00:18:55,440 --> 00:18:59,670 then able to reapply with no noticeable 360 00:18:57,570 --> 00:19:02,010 difference all you need is a syringe 361 00:18:59,670 --> 00:19:04,920 some nail polish remover get a little in 362 00:19:02,010 --> 00:19:07,440 the syringe and a little at a time on 363 00:19:04,920 --> 00:19:11,040 the seal you squirt a little it comes 364 00:19:07,440 --> 00:19:13,170 out it's still sticky you manipulate the 365 00:19:11,040 --> 00:19:18,830 voting machine in the box then you tape 366 00:19:13,170 --> 00:19:18,830 it back again and you go eat lunch boo 367 00:19:19,160 --> 00:19:25,350 so what can we do to secure voting 368 00:19:22,260 --> 00:19:28,290 machines in cold storage well we can 369 00:19:25,350 --> 00:19:31,110 invest in more secure storage monitored 370 00:19:28,290 --> 00:19:34,970 security systems and cameras complex 371 00:19:31,110 --> 00:19:41,939 locks and booby traps 372 00:19:34,970 --> 00:19:44,310 okay maybe not booby traps wink another 373 00:19:41,940 --> 00:19:46,020 way to help secure voting machines is to 374 00:19:44,310 --> 00:19:48,990 reinstall the software and firmware 375 00:19:46,020 --> 00:19:51,900 before the election making sure to 376 00:19:48,990 --> 00:19:54,240 softer fingerprints and checksums before 377 00:19:51,900 --> 00:19:56,880 installing doing this will not only 378 00:19:54,240 --> 00:19:59,070 ensure the latest patch software is 379 00:19:56,880 --> 00:20:00,660 running it will also wipe out any 380 00:19:59,070 --> 00:20:05,820 malicious code that may have been 381 00:20:00,660 --> 00:20:09,510 installed it's a two-for-one deal so 382 00:20:05,820 --> 00:20:12,110 where does your vote go next different 383 00:20:09,510 --> 00:20:15,420 election systems have different ways to 384 00:20:12,110 --> 00:20:17,790 delivering the final vote count votes 385 00:20:15,420 --> 00:20:20,160 are printed out in triplicate checked 386 00:20:17,790 --> 00:20:22,649 and signed by poll workers these are 387 00:20:20,160 --> 00:20:26,220 then phoned in in sent by car to the 388 00:20:22,650 --> 00:20:29,580 election office USB sticks by car is 389 00:20:26,220 --> 00:20:34,170 that data file encrypted if not it can 390 00:20:29,580 --> 00:20:35,970 be manipulated some machines report 391 00:20:34,170 --> 00:20:39,420 their counts by cellular data 392 00:20:35,970 --> 00:20:42,420 transmission this still goes over the 393 00:20:39,420 --> 00:20:46,800 public Internet but we all know how 394 00:20:42,420 --> 00:20:49,679 secure the Internet is right yeah it is 395 00:20:46,800 --> 00:20:52,530 also worth stating that there is no 396 00:20:49,679 --> 00:20:58,110 established chain of custody rules for 397 00:20:52,530 --> 00:20:59,850 any of these delivery methods so how do 398 00:20:58,110 --> 00:21:02,969 you secure in transit 399 00:20:59,850 --> 00:21:05,689 well you encrypt the records while being 400 00:21:02,970 --> 00:21:09,179 transmitted and while at rest you 401 00:21:05,690 --> 00:21:11,640 perform with risk limiting audits make 402 00:21:09,179 --> 00:21:15,090 sure the paper ballots match what the 403 00:21:11,640 --> 00:21:17,550 machine recorded and please do not use 404 00:21:15,090 --> 00:21:19,500 the public Internet the machine 405 00:21:17,550 --> 00:21:21,990 manufacturers want you to think that 406 00:21:19,500 --> 00:21:26,640 cellular modems are not connected to the 407 00:21:21,990 --> 00:21:28,710 public Internet guess what they are here 408 00:21:26,640 --> 00:21:33,300 is a diagram the manufacturers could 409 00:21:28,710 --> 00:21:35,910 learn from this is me 410 00:21:33,300 --> 00:21:39,178 that's the voting machine over there on 411 00:21:35,910 --> 00:21:41,040 the Left transmitting over the air with 412 00:21:39,179 --> 00:21:43,980 its cellular modem to the cell tower 413 00:21:41,040 --> 00:21:46,110 that's connected to the public Internet 414 00:21:43,980 --> 00:21:49,650 where my friend Rainbow Dash is taking a 415 00:21:46,110 --> 00:21:52,500 nap then the voting tabulator is 416 00:21:49,650 --> 00:21:55,559 connected to the internet behind a 417 00:21:52,500 --> 00:21:57,950 firewall but firewalls do not stop 418 00:21:55,559 --> 00:21:57,950 hackers 419 00:21:59,789 --> 00:22:06,389 now the next step the next step is the 420 00:22:03,239 --> 00:22:08,759 vote count reporting systems these just 421 00:22:06,389 --> 00:22:11,279 like the voter registration systems are 422 00:22:08,759 --> 00:22:14,489 standard things we know how to secure 423 00:22:11,279 --> 00:22:16,169 and again like registration systems we 424 00:22:14,489 --> 00:22:19,440 should follow industry standards and 425 00:22:16,169 --> 00:22:26,460 guidelines I recycle this slide I'm 426 00:22:19,440 --> 00:22:30,749 going green remember wasp NIST opens gap 427 00:22:26,460 --> 00:22:36,679 safe and remember encrypt data in 428 00:22:30,749 --> 00:22:41,340 transmission and while at rest now 429 00:22:36,679 --> 00:22:43,979 humans they have so many flaws that's 430 00:22:41,340 --> 00:22:47,599 why I like cats better and let's face it 431 00:22:43,979 --> 00:22:50,279 all the security in the world can't stop 432 00:22:47,599 --> 00:22:53,609 Bob from clicking on a link you 433 00:22:50,279 --> 00:22:54,979 shouldn't yeah really Bob come on you 434 00:22:53,609 --> 00:22:58,799 can do better than that 435 00:22:54,979 --> 00:23:00,899 spear phishing campaigns exist and have 436 00:22:58,799 --> 00:23:03,840 been successful against voting machine 437 00:23:00,899 --> 00:23:06,449 manufacturers using fake emails they can 438 00:23:03,840 --> 00:23:10,289 direct to users to fake websites that 439 00:23:06,450 --> 00:23:12,749 compromised their machines mr. Kelly who 440 00:23:10,289 --> 00:23:15,960 is Registrar of Voters at Orange County 441 00:23:12,749 --> 00:23:19,289 California sit at the hearing how well 442 00:23:15,960 --> 00:23:21,929 are my election officials trained not to 443 00:23:19,289 --> 00:23:27,720 click on links they shouldn't chances 444 00:23:21,929 --> 00:23:32,009 are not well enough sorry mr. Kelly now 445 00:23:27,720 --> 00:23:34,529 social engineering election officials 446 00:23:32,009 --> 00:23:38,099 must be regularly trained on how not to 447 00:23:34,529 --> 00:23:41,039 be socially engineered regular training 448 00:23:38,099 --> 00:23:48,059 is very important not just during the 449 00:23:41,039 --> 00:23:50,340 election season now fix the humans stage 450 00:23:48,059 --> 00:23:52,519 should form election working groups with 451 00:23:50,340 --> 00:23:55,320 local federal and state officials 452 00:23:52,519 --> 00:23:58,109 including the Department of Homeland 453 00:23:55,320 --> 00:24:01,019 Security the FBI as well as the state 454 00:23:58,109 --> 00:24:06,899 Cyber Command this knowledge should be 455 00:24:01,019 --> 00:24:09,389 shared across the entire state so you're 456 00:24:06,899 --> 00:24:13,260 like yeah yeah all these problems all 457 00:24:09,389 --> 00:24:15,879 these solutions what's the big fix 458 00:24:13,260 --> 00:24:19,690 well we need to look at the election 459 00:24:15,880 --> 00:24:21,100 system as a very hackable security 460 00:24:19,690 --> 00:24:23,290 problem from the start 461 00:24:21,100 --> 00:24:28,060 security can't be something we just bolt 462 00:24:23,290 --> 00:24:31,030 on on the end the election system is one 463 00:24:28,060 --> 00:24:32,679 big hardware and software system so we 464 00:24:31,030 --> 00:24:35,860 need to train our developers and 465 00:24:32,680 --> 00:24:36,820 engineers teach them secure coding from 466 00:24:35,860 --> 00:24:39,219 the start 467 00:24:36,820 --> 00:24:41,439 teach them how to hack and think like a 468 00:24:39,220 --> 00:24:43,600 hacker so that they can better code 469 00:24:41,440 --> 00:24:48,000 systems that are more difficult to 470 00:24:43,600 --> 00:24:52,840 compromise send them to security 471 00:24:48,000 --> 00:24:54,850 conferences and hire hackers they bring 472 00:24:52,840 --> 00:24:59,399 a different perspective they think 473 00:24:54,850 --> 00:25:01,600 around outside and destroy the box I 474 00:24:59,400 --> 00:25:05,380 hope I woke up any of you who are 475 00:25:01,600 --> 00:25:07,810 sleeping there are security minded 476 00:25:05,380 --> 00:25:10,600 individuals to whom everything is a 477 00:25:07,810 --> 00:25:16,510 secure puzzle just waiting to be solved 478 00:25:10,600 --> 00:25:19,360 it's right there also don't be afraid to 479 00:25:16,510 --> 00:25:22,690 hire hackers without certifications kids 480 00:25:19,360 --> 00:25:24,729 right out of school too they bring they 481 00:25:22,690 --> 00:25:30,040 will bring an excitement and desire to 482 00:25:24,730 --> 00:25:34,570 prove themselves beyond expectations so 483 00:25:30,040 --> 00:25:38,980 what is the best system hand marked 484 00:25:34,570 --> 00:25:41,139 paper ballots I made this really big so 485 00:25:38,980 --> 00:25:44,080 you can take a picture and if you're not 486 00:25:41,140 --> 00:25:46,900 taking a picture you better you better 487 00:25:44,080 --> 00:25:52,689 memorize this okay okay 488 00:25:46,900 --> 00:25:56,880 and with risk limiting audits I'll give 489 00:25:52,690 --> 00:25:56,880 you guys a second to take a picture 490 00:26:06,050 --> 00:26:12,399 [Applause] 491 00:26:07,620 --> 00:26:14,189 okay everyone I have a big announcement 492 00:26:12,400 --> 00:26:19,350 to make 493 00:26:14,190 --> 00:26:29,250 next year at Def Con I will have 494 00:26:19,350 --> 00:26:29,250 drumroll please my own election system 495 00:26:30,670 --> 00:26:33,759 [Applause] 496 00:26:34,470 --> 00:26:41,080 in a quick shout-out to one Dark One for 497 00:26:37,539 --> 00:26:44,320 making this amazing logo my election 498 00:26:41,080 --> 00:26:47,470 system that I'm making myself will be 499 00:26:44,320 --> 00:26:50,889 called secure open vote and this awesome 500 00:26:47,470 --> 00:26:53,470 logo has the SS unlock the circle as the 501 00:26:50,890 --> 00:26:57,340 oh and the checkmark as a V secure open 502 00:26:53,470 --> 00:27:01,779 bow cool right so what will secure open 503 00:26:57,340 --> 00:27:04,389 vote be well secure open vote is an open 504 00:27:01,779 --> 00:27:06,399 source voting system used with hand 505 00:27:04,390 --> 00:27:09,340 marked paper ballots cuz that's the 506 00:27:06,399 --> 00:27:12,370 safest type my goal is to have a 507 00:27:09,340 --> 00:27:14,860 complete end-to-end system I figure I 508 00:27:12,370 --> 00:27:16,418 have the smartest hacker friends we 509 00:27:14,860 --> 00:27:19,840 could probably make a pretty awesome 510 00:27:16,419 --> 00:27:23,559 election system I hope to have parts of 511 00:27:19,840 --> 00:27:27,220 it available at Def Con for the hackers 512 00:27:23,559 --> 00:27:29,549 to try to hack now what are your 513 00:27:27,220 --> 00:27:29,549 questions 514 00:27:39,719 --> 00:27:46,269 that was absolutely awesome we can take 515 00:27:43,749 --> 00:27:49,719 about three to five questions defending 516 00:27:46,269 --> 00:27:52,119 gun just make it you know quick and keep 517 00:27:49,719 --> 00:27:54,219 it short in the suite so we can fit in 518 00:27:52,119 --> 00:27:57,158 more of you please keep your hands up 519 00:27:54,219 --> 00:27:59,169 until Mike gets to you so we can see 520 00:27:57,159 --> 00:28:01,239 where you are put your hand up and it 521 00:27:59,169 --> 00:28:02,859 would also help if you stood up while 522 00:28:01,239 --> 00:28:05,529 you were talking so I can actually see 523 00:28:02,859 --> 00:28:10,239 where you are and so they know who to 524 00:28:05,529 --> 00:28:14,979 give the mic to okay so if you have the 525 00:28:10,239 --> 00:28:17,139 mic stand up stand up whoever has a mic 526 00:28:14,979 --> 00:28:20,859 I hope no one stole it and it's running 527 00:28:17,139 --> 00:28:24,309 off when I did their back oh hello hello 528 00:28:20,859 --> 00:28:26,499 thanks for the presentation BIA my 529 00:28:24,309 --> 00:28:30,879 question is related to Romania because 530 00:28:26,499 --> 00:28:33,669 we have paper ballots here but we also 531 00:28:30,879 --> 00:28:35,408 have a problem where people stand in 532 00:28:33,669 --> 00:28:37,299 line to vote especially people who are 533 00:28:35,409 --> 00:28:40,209 outside of the country and have to vote 534 00:28:37,299 --> 00:28:41,369 in consulates and places like that so 535 00:28:40,209 --> 00:28:44,950 they are considering introducing 536 00:28:41,369 --> 00:28:46,749 electronic voting and obviously I guess 537 00:28:44,950 --> 00:28:50,679 no one here would trust the government 538 00:28:46,749 --> 00:28:52,149 to implement something like that so what 539 00:28:50,679 --> 00:28:53,549 would you tell the Romanian officials 540 00:28:52,149 --> 00:28:55,748 who are considering introducing 541 00:28:53,549 --> 00:28:58,629 electronic voting which you have in the 542 00:28:55,749 --> 00:29:01,779 West for a long time thank you paper 543 00:28:58,629 --> 00:29:04,269 ballots are amazing I think they should 544 00:29:01,779 --> 00:29:06,279 stick with paper ballots please do not 545 00:29:04,269 --> 00:29:08,619 change to our chronic voting machines 546 00:29:06,279 --> 00:29:11,559 those are super hard to secure the 547 00:29:08,619 --> 00:29:15,579 elections can be tampered with so please 548 00:29:11,559 --> 00:29:18,009 say two paper ballots and to solve that 549 00:29:15,579 --> 00:29:20,709 problem I don't I'm not sure if it is 550 00:29:18,009 --> 00:29:22,869 already but if it isn't then make it a 551 00:29:20,709 --> 00:29:25,209 national holiday I think it should be 552 00:29:22,869 --> 00:29:27,488 everywhere yeah and it I don't know how 553 00:29:25,209 --> 00:29:29,820 many days they are allowed to vote Dana 554 00:29:27,489 --> 00:29:32,950 mom because you're Romanian you know 555 00:29:29,820 --> 00:29:36,218 well if you have like three days maybe 556 00:29:32,950 --> 00:29:40,019 it could be more days than that so 557 00:29:36,219 --> 00:29:43,809 people have more time to vote more 558 00:29:40,019 --> 00:29:46,809 places to vote maybe or a bigger space a 559 00:29:43,809 --> 00:29:48,039 bigger precinct a little space to vote 560 00:29:46,809 --> 00:29:50,678 with more 561 00:29:48,039 --> 00:29:54,158 Sheens so yeah I hope that answers your 562 00:29:50,679 --> 00:29:56,729 question awesome let's go to the next 563 00:29:54,159 --> 00:29:59,379 one please stand up make yourselves show 564 00:29:56,729 --> 00:30:00,700 thank you for presentation I'm really 565 00:29:59,379 --> 00:30:03,309 amazed that you are so young and you've 566 00:30:00,700 --> 00:30:05,799 done this and the question that I have 567 00:30:03,309 --> 00:30:07,570 is that what is the most important 568 00:30:05,799 --> 00:30:09,489 advice that you can give to the young 569 00:30:07,570 --> 00:30:13,289 girls out there who want to start the 570 00:30:09,489 --> 00:30:16,479 career in cyber security or hacking I 571 00:30:13,289 --> 00:30:17,799 say just go for it if you don't know 572 00:30:16,479 --> 00:30:20,019 where to start there are a lot of 573 00:30:17,799 --> 00:30:23,408 resources on this amazing thing called 574 00:30:20,019 --> 00:30:27,460 the Internet and if it's a girl wanting 575 00:30:23,409 --> 00:30:29,889 to learn cybersecurity and hacking I a 576 00:30:27,460 --> 00:30:32,590 couple months ago I just started girls 577 00:30:29,889 --> 00:30:36,340 who hack on my t-shirt it says girls who 578 00:30:32,590 --> 00:30:38,109 hack is their motto is teaching girls 579 00:30:36,340 --> 00:30:40,539 the skills of hacking so that they can 580 00:30:38,109 --> 00:30:43,449 change they're the future 581 00:30:40,539 --> 00:30:46,570 it gives free lessons to on my website 582 00:30:43,450 --> 00:30:51,190 girls who hack com2 any girl who wants 583 00:30:46,570 --> 00:30:58,960 to learn cyber security and hacking an 584 00:30:51,190 --> 00:31:01,869 awesome keep that in mind okay two more 585 00:30:58,960 --> 00:31:05,529 questions we have one in the back there 586 00:31:01,869 --> 00:31:07,928 oh we have some one here and then we'll 587 00:31:05,529 --> 00:31:09,849 come to your promise thank you very much 588 00:31:07,929 --> 00:31:13,599 for your talk can you move the mic 589 00:31:09,849 --> 00:31:16,299 closer tear it it's okay thank you very 590 00:31:13,599 --> 00:31:18,489 much for your talk and I'm wondering if 591 00:31:16,299 --> 00:31:20,649 there are any regulations because the 592 00:31:18,489 --> 00:31:23,830 voting system from the yes looks like 593 00:31:20,649 --> 00:31:28,418 inherently insecure and we're icarus 594 00:31:23,830 --> 00:31:29,999 because it's the voting democracy and I 595 00:31:28,419 --> 00:31:34,479 would expect to have really strong 596 00:31:29,999 --> 00:31:36,309 regulations in this area exactly they 597 00:31:34,479 --> 00:31:39,789 actually don't really have any 598 00:31:36,309 --> 00:31:41,918 guidelines pretty much at all so like I 599 00:31:39,789 --> 00:31:44,879 said on two slides guidelines exist 600 00:31:41,919 --> 00:31:47,349 let's use them I hope the SAFE Act 601 00:31:44,879 --> 00:31:49,059 passes in Congress and it becomes a 602 00:31:47,349 --> 00:31:51,249 thing because it sounds super awesome 603 00:31:49,059 --> 00:31:54,399 if we all change to hand marked paper 604 00:31:51,249 --> 00:31:56,649 ballots and have the it be a national 605 00:31:54,399 --> 00:31:59,529 holiday with risk limiting audits I'm 606 00:31:56,649 --> 00:32:01,050 pretty sure we can secure way better 607 00:31:59,529 --> 00:32:05,680 than it is 608 00:32:01,050 --> 00:32:08,050 thank you so one last question I know we 609 00:32:05,680 --> 00:32:10,000 have someone there please give the 610 00:32:08,050 --> 00:32:15,159 gentleman a mic he's been keep your 611 00:32:10,000 --> 00:32:16,410 hands up yes yes we can do it yes that's 612 00:32:15,160 --> 00:32:19,690 teamwork 613 00:32:16,410 --> 00:32:21,730 teamwork makes the dream work very 614 00:32:19,690 --> 00:32:24,610 interesting presentation congrats for 615 00:32:21,730 --> 00:32:28,120 that and very interesting subject 616 00:32:24,610 --> 00:32:33,639 Bianca one very quick question what is 617 00:32:28,120 --> 00:32:36,610 your IQ I've never taken a test but I'm 618 00:32:33,640 --> 00:32:39,250 hoping it's really high but your IQ 619 00:32:36,610 --> 00:32:43,000 isn't what your IQ is it's about how you 620 00:32:39,250 --> 00:32:45,130 feel like you could even be 70 years old 621 00:32:43,000 --> 00:32:47,860 and super smart or five years old and 622 00:32:45,130 --> 00:32:49,480 super smart it's about how you feel and 623 00:32:47,860 --> 00:32:51,969 what you think you know that really 624 00:32:49,480 --> 00:32:54,850 matters same with how young you feel you 625 00:32:51,970 --> 00:32:57,660 can be 80 and still like doing the hula 626 00:32:54,850 --> 00:32:57,659 and what not 627 00:33:03,690 --> 00:33:07,929 thank you so much Viet was so awesome to 628 00:33:06,460 --> 00:33:09,940 have you here on stage with us and I 629 00:33:07,929 --> 00:33:11,559 hope this is only the first time and 630 00:33:09,940 --> 00:33:14,429 definitely not the less so thank you 631 00:33:11,559 --> 00:33:14,428 again thank you 632 00:33:14,470 --> 00:33:17,299 [Applause]