This week on The Communicators, our guest is Jeff Moss, the founder of Black Hat and DEF CON. Mr. Moss, remind us again, what are Black Hat and DEF CON, and how did they come about?

It is the largest hacking conference in the world. Black Hat is one of the largest security conferences, also in Las Vegas. One is a university, and one is a party. One is focused on your professional career advancement, and the other is concerned about the soul of hackers and inspiring.

When did you found these?

It was about 1993, and about three or four years later Black Hat started. They just grew organically.

What is your background, that you were able to do this?

Originally I thought I was going to be an FBI agent. Instead I turned into a hacker. It was a hobby that turned into a career. It was a party for some of my friends who were going away. Then [indiscernible] I knew back online. The internet was brand new. Everybody started showing up. That was the first one to invite everybody publicly.

Let's get Joseph involved in our conversation. One of the neatest components is the Voting Village, where hackers try to break into voting machines. How did that go this year, virtually, and what is your sense of the security of voting as we head toward the election?

Originally it was perceived as attacking voting machines. We knew that what was being published about them was wrong. Those were big red flags. The year before the Voting Village started, the [indiscernible], allowing you to attack and research voting technology without violating copyright laws. It was finally legal for us to look at this stuff. The next question is, how do you get your hands on it if it is only sold directly to municipalities? We found a vendor who had bought a bunch that were damaged when a ceiling collapsed in a county voting warehouse. Now we have the machines. Now we are allowed to tear them apart, and that is what we did.
In 2018, there was a civil war inside the voting machine industry, the big four: some of them were supportive of what you guys were doing, and some of them were fearful and hostile. Is that still going on, and who is winning?

It is still going on. The manufacturers are all pretty friendly with each other. If you try to figure out who owns shares in some of these companies, they are offshore companies. It is impossible to determine who owns these voting machine manufacturers. It is similar to saying they are publicly traded or U.S.-owned; nobody knows.

There was a development at Black Hat: they will allow hackers to report vulnerabilities. Where are we on that now?

I just dismissed it because of the history of the companies involved. There is a long history of this. Companies want to prove to the public, as a marketing gimmick, that they have a secure product. They create very strict parameters around the test. They go to another conference, and for two or three days people look at the technology. They fail because they have only had the machines for two or three days. The marketing department says, look how secure we are. I am very skeptical of these programs that are not transparent and open and available to any security researcher. I do not trust it. The criticism from the voting vendors historically is that at DEF CON you have old equipment, stuff was put in by people, you are not doing this in a realistic voting situation. But they do not release the updates or provide the realistic testing environment, so they just complain about everything but do not do a single thing to fix the situation.

How long were news cycles consumed by this argument that voting technology is not connected to the internet?

It is connected to the internet, a lot of it. [indiscernible] a built-in 3G or GSM modem. Last year, there was a controversy where they had simulated election sites. People said that is not possible, that is unrealistic.
When they released how election sites were hacked, it was with the exact same techniques the kids used: vulnerable county web servers. It was exactly what the kids simulated. Every time there is an objection, about six months or one year later it turns out we were accurate.

The way that these rules are written, the machines get certified safe. They get deployed and they are in use. Let's say the manufacturer finds a bug. There is not a process to update the machines. You have machines full of known vulnerabilities, and they are not recalled and updated. To do so would require recertification, which can be costly, so manufacturers tend to not want to recertify. There is also criticism that this is such a laborious process. It does not work at the speed of [indiscernible]. We have known about this problem for years and we have not engineered a solution.

Maybe I am so skeptical because of how poorly I have seen manufacturers behave, the threats they have made against researchers. That is not a partnership. This makes me think back to the day Microsoft was hostile to researchers, until security got to be such a severe problem that customers were threatening to stop buying their operating systems. Bill Gates had the security moment where he announced there was going to be a big stop. They would rearchitect their software. They did a 180-degree turn. They took five years to do it, and now it is one of the safest operating systems. Unless you have that kind of leadership from the top, it is not going to happen. Unless the decision comes from the top, I do not believe these companies will improve. They are full of Chinese chips manufactured in China from an integrator in Taiwan. Go ahead.

Just to be clear, who does the certification?

Different counties have different requirements. Different states have different requirements. There is not a generally agreed-upon set of rules. Software should not be reprogrammable once it is written.
It is not the commission, right? It is decades old. There is no requirement for audit. The manufacturers will say there is no evidence these machines have been compromised. Right, there is no way to gather evidence, because the machines have not gathered evidence. Of course you will not find a problem. They are very frustrating.

[indiscernible] older equipment, and then the next year we got better equipment. We looked at individual machines, because that is all we could get our hands on. Then we tried to get our hands on the back-end software, the equipment used to program e-poll books or tabulators. What we are really trying to get our hands on, I cannot remember the name of it. It is like the DS200. It is what all counties report into. It is very hard to get your hands on because it is very licensed. A lot of this progression from one site to maybe a whole state, what we found is that nobody has ever performed an audit on the complete system. The whole system has never been tested, because there are so many components and every county is different. There is not a one-size-fits-all.

How confident or anxious should we be about the security of the 2020 vote against hackers from Russia or elsewhere?

I am going to vote and I am going to trust the results. What is different in this election is the awareness is much higher. The people that have been talking about these issues, they are not terribly new, but now people are going to actually use them, where before people would [indiscernible] expensive. Hand-marked, human-readable ballots. For a long time manufacturers have said it is human readable because a machine marked it, but the gold standard is hand marked. It is not a barcode. A lot of these machines will print out an audit report of what you voted, but it is a barcode you cannot read. You just have to trust a barcode. There are so many people sensitized that at the first whiff of an issue, it will be 1,000 eyes. That was not the case a few years ago.

Mr. Moss, in simplified terms, were you able to alter a vote count at this year's Black Hat?

I do not know about DEF CON. I have not gotten all the results back. I do not know. Sorry.

Previous years you have?

Yeah, and there are multiple ways to do this. Let's say you have these machines sitting in a warehouse unused. They sit for a year, hoping nobody comes and tampers with them in that year. When it is time to program the machines, there is usually a memory card. You plug that memory card into every machine, and that teaches the machine what is on the ballot, or maybe a stack of cards, and you will program them all. If you were a smart attacker, you would not attack each machine. You would attack the master machine programming that card, and that is what we saw Russia trying to do: go after the election office to get that machine and corrupt the master copy, so that when it is used, they only had to hack it once, not 1,000 times. The thing that drives that concern is there are really only four manufacturers. Even though we have 1,000 different styles of voting, it comes down to four types of technology that are similar.

Changing the topic: in the opening address at this year's Black Hat, you talked about the danger of Chinese components, and you suggested there should be a national industrial policy. Can you talk about what that would look like, and the danger of Chinese components?

That is a proxy for it; it could be anybody, untrusted components. The difference is, 20 years ago society was not necessarily depending so heavily on these components, where it does now, so the consequences are much larger. We need to update the way in which we allow such critical components to come into our economy. It is interesting, because I gave that talk, and that day the State Department released their document on the supply chain and clean telco. It was suspicious timing.
It led me to believe the United States was moving toward, or is going to move toward, [indiscernible]. Pretty much every country in the world has an industrial policy except the United States. That may be because we were the world leader and everyone bought our stuff, but we are not the world leader in a lot of areas, and people stopped buying our stuff. We first saw this with the battles a couple of years ago, and then it got formalized in the White House's 5G strategy. It is starting to form a line leading to an industrial policy. That will create a lot of clarity.

Another thing that we did not think through properly: look at the State Department. There is [indiscernible] about the loss of foreign telco operators. We never fully thought that through. Is that a good thing or a bad thing? For years, you use your cell phone, you call long distance. There are a billion records. The telcos outsource that billing record collection to a company that aggregates it all and returns it, because T-Mobile or whoever does not want to be in the business of running these billing systems. They outsource them. Who do you think was the cheapest bidder on all the telco billing? All of the billing in the United States ended up in Israeli companies. They have been there for a decade. Do you think Israel knows about every single phone call every American has ever made? That is what happens when you do not have an industrial policy. At best it goes to the lowest common denominator.

Is the proposed ban on TikTok a component of this?

I do not know if it is, but when there was the skirmish on the Chinese and Indian border and Indian soldiers were killed by the Chinese, India responded very quickly and banned TikTok. They announced that in a 6 billion consequence to their revenue. India had a plan right away to hit China where it hurts, at least commercially. This is the beginning of this kind of war. The United States is getting in on it now.
The White House is getting in on it now, because you are not going to engage in a military conflict over any of this, so that leaves other venues. The economic venue is so large that if you do not have a policy on this, you are going to have the issue that India had when Facebook made a move into India and India did not know how to respond. Now that is the dominant platform.

Is the benefit more that you are protecting national security, because you are not creating the possibility of the Chinese government getting access to all the messages, [indiscernible], TikTok, or is it that you are hurting the Chinese economy?

I do not think you are hurting the economy. It is more about, hey, China, you do not let Facebook in. You do not let Google in. You do not let Twitter in. You do not let these platforms in, but your foreign minister is on Twitter all the time. Your operatives are on Facebook engaging in conversation, yet we cannot do the same in your country. And then you come up with the state-subsidized social media app, and you will get all of this demographic and trend analysis on our youngest generation, yet we cannot come into your market? That does not seem fair, so we are going to stop it. You can be in our app market if we can be in yours. It is completely one-sided right now, and I think some negotiations have probably failed, so it has turned into this gross negotiation.

Have you been a TikTok user in the past, and what kind of social media do you use?

We have done DEF CON in China now, so I use the Chinese version. ByteDance produces multiple versions, one for Chinese consumers and WeChat for foreign. When we talk to people in China, we use WeChat. WeChat is such a walled garden. The state has said this is the preferred messaging platform. It is so dominant, no competitors can get close to it, whereas in the States there is still a lot of churn. I am a big Twitter user. I gave up Facebook about three, four years ago.
Facebook is a little too toxic and stressful, because you always feel like you are behind and you have to show off your latest gadget and feel guilty you have not told your friends what you were doing, where Twitter is much more emotionally stable for me.

There is a concern, with Huawei and the apps and other things, that we are hurtling toward this world with a Chinese sphere of technology that includes China and parts of Asia and parts of Africa, and a U.S. sphere of technology that includes North America, Europe, Japan. Is that a concern, and what do we lose?

It is a concern, and that ship sailed a couple of years ago. I was chief security officer at [indiscernible] for a number of years, and we were very concerned about the fact that [indiscernible] owned the internet. They referred to it as the splintering of the internet. Once you lose global interoperability, it gets more expensive. You saw this when Europe and other countries started demanding data localization. Facebook or Google cannot keep the data in the most efficient spot. They have to build a data center in Germany and France and in China and all over the world to keep that country's data in that location. The cost of doing business increased everywhere just for data localization. You will see the same thing happening with this fragmenting internet. Apple had to build extra data centers and give control to [indiscernible] to house iCloud data for Chinese citizens. That is just the tip of the iceberg. It will get more complicated with regulatory requirements that will have severe consequences. You are creating a more fragile global network. You are concentrating power, so if you look at it now, if I want to create a blog or have a social media platform, there are a few left that are large. What is happening now, it is either Google or Microsoft. That is very convenient for regulators. Now they only have to go to Facebook or Twitter, where 10 years ago they would have had to go to 50 or 60 or 100 companies.
By concentrating the power, you are getting greater market efficiency, but you are getting the uptake of more regulation. The internet is at such a point where we are moving to a more fragile, more political, less resilient internet, and it is generally because of market efficiencies, these great powers aggregating, like Amazon aggregating. [indiscernible] There is going to be a sphere of countries that are rule-of-law countries, the democracies. They do not have to be the same, but they will be countries that respect the rule of law. They respect each other's traditions and democracies. And then there will be a group of countries that are more authoritarian, like Iran, North Korea. They have a different system. They view the world differently. There will be these two spheres, with [indiscernible] in between. I would not be surprised if five or 10 years from now there is the rule-of-law, data-protection, appeal-the-ruling internet world and the we-do-not-know-why-we-are-being-taken-down world. Two different visions of the world: the [indiscernible] road vision of the world and the WTO vision of the world. I would not be surprised if in another five years there is an organization, not called NATO, that is the digital equivalent of that, surrounding China. In the last couple of months, I think there have been countries angered by China: Japan and Thailand, South Korea, Malaysia, once you get out of the predatory loans. Indonesia is unhappy. Anybody that is touching the Chinese border right now has a consequence. Russia just pulled out of selling air defense missiles because they claimed the Chinese were spying on Russian technology. Countries have an issue. It happened a lot like what happened with Russia in the Cold War.

What do you think about the new Cyber Command that is being developed?

The Cyber Command, I think you have to have the capability to defend yourself and the capability to project force. What is happening, and I hope it evolves, is that the types of conflicts we will be engaged in are what some people refer to as cognitive warfare.
Disinformation, misinformation, these are all tools or elements of cognitive warfare, trying to get your opponent to behave differently and never having to engage in any physical conflict. Would it not be great if they decided on their own just to [indiscernible]? I would love it if Cyber Command had a large component of cognitive command. That is what we will be facing in the future with technology.

And in this sphere of influence, the first DEF CON and Black Hat in 2013, right after the Snowden disclosures. Has that gotten better? Because this year at DEF CON you had DHS, Cyber Command, the NSA. Is there trust?

I would think it is not like it used to be. It was all around how those agencies are going to protect the election, so people can get behind that message. There is a lot of fear in the administration right now with the way things have been politicized. Until that fear goes away, I think everybody will try to keep these agencies at a distance.

What are you doing in Singapore?

[indiscernible] is from Singapore, and we come here every year for Chinese New Year. This year I came expecting to be here for just a couple of weeks. It has been four months or five months. I came in February. I am stuck here.

Is there an Asian Black Hat, DEF CON happening as well?

There will be a Singapore Black Hat happening. The DEF CON was canceled. The conference world is being turned on its head right now.

Jeff Moss, founder of Black Hat and DEF CON. Thank you both for being on The Communicators.

Thank you. Thank you.

You are watching C-SPAN, your unfiltered view of government, created by America's cable television companies as a public service and brought to you today by your television provider.