And DEF CON. Our guest reporter from the Washington Post is Joseph Marks.

Host: Mr. Moss, remind us again what is Black Hat and DEF CON, and how did they come about?

Guest: Well, so DEF CON is the largest hacking conference in the world, about 30,000 attended in Las Vegas pre-COVID, and Black Hat is one of the largest security conferences, also held in Las Vegas. One is the university and one is more like a party. One is focused on your professional career advancement and the other one is feeding the soul of hackers and aspiring hackers.

Host: When did you found these?

Guest: DEF CON is pretty old. It was about 1993, and about three or four years later Black Hat started, 1997 I believe. The secret was we did no advertising or marketing; it just grew organically.

Host: What is your background that you are able to do this?

Guest: Well, originally I thought I was going to be an FBI agent. Instead I turned into a hacker, and it was a hobby, like every hobby that turned into a career. I started throwing a party for some of our friends who were going away on a computer network I belonged to, and I ended up inviting everybody I knew back then online. The internet was brand new; pretty soon everybody started showing up. Everything back then was invite only for hackers and that was the first to invite everybody publicly.

Host: Let's get Joseph Marks of the Washington Post involved in our conversation.

Jeff, one of the biggest components of DEF CON recently is the voting village, where hackers try to break into voting machines. How did that go this year virtually, and what is your sense of the security of voting as we head toward the election?

Guest: That's a pretty broad topic. Originally it was conceived of as attacking voting machines because nobody knew, everybody knew what was being published about them was wrong, and the manufacturers were very litigious, going after anybody that tried to. Those are some big red flags.
Before the voting village started, the DMCA, the Digital Millennium Copyright Act, had a carve-out allowing you to attack and research voting technology without violating copyright law. All of a sudden, finally, it was legal for us to look at this stuff. The next question is how to get your hands on it if it's only sold directly to the municipalities? We found a vendor, a reclaimed vendor, who bought a bunch that were damaged when a ceiling collapsed in a county voting warehouse. So now we have the machines. Now the law allows us to take them apart, and that's exactly what we did. Thank you, eBay.

In 2010 you said there was a civil war inside the voting machine vendors, where it was a personal committee, about four big ones, where some were supportive of what you guys are doing and some of them were really fearful and hostile. Is that still going on, and who is winning?

Guest: It's still going on. If you look at it, the manufacturers are all pretty further with each other, and if you try to figure out who actually owns shares in some of these companies, there are offshore shell companies outside of the United States and it's impossible to determine who owns these voting machine manufacturers. It's not a simple thing, they are publicly traded or it's 100% U.S. owned. Nobody knows.

There's a little bit of development this year at Black Hat where Election Systems and Software, the biggest of the voting machine manufacturers, announced it will do a disclosure project, essentially allowing hackers to report vulnerabilities to them. Is that a development? Where are we on that now?

Guest: I dismiss it because of the history of the companies involved. There's a long history of this. How it goes is this. A company wants to prove to the public, as a marketing gimmick, that it has a secure product. They create very strict parameters around the test and then they come to DEF CON, or the coaching of the conference, and for two or three days people try to look at the technologies.
Of course they fail, because they've only had the machine for two or three days, and then the marketing department says look how secure we are. I'm very skeptical of any of these programs that are not fully transparent and open and available to any security researcher. As soon as you start finding NDAs, I don't trust it.

The criticism that the voting vendors historically had of DEF CON is, hey, you're using old equipment, you don't know the vulnerabilities, or you're not doing this in a realistic voting situation. What do you say about that?

Guest: [inaudible] You won't release the updates, nor will you provide a realistic testing environment. They get to complain about everything, but they don't do a single thing to improve the situation. So, for example, how long were the news cycles consumed by this argument that our voting technology is not connected to the internet? It only trickled out bit by bit, but it is connected to the net, a lot of it. Not every manufacturer, but a lot of it was. Technically they're on the net; they have built-in 3G or GSM modems. So then last year there was controversy because we had a village with hacked simulated election sites. People were very mad, saying that's not possible, that's unrealistic. And then when the FBI released that some election sites were hacked, it was with the exact same techniques the kids used. Vulnerable county web servers. In reality it was exactly what the kids simulated. Every time there's an objection, about six months later or a year later it turns out that no, we were pretty accurate. You have to remember the way these rules are written, the machines get quote-unquote certified, certified safe or whatever. They get deployed and they are in use. Let's say the manufacturer finds a bug. There's not a process to update the machines. So you have machines that are ten years old now being used with ten-year-old vulnerabilities.
They are not recalled and they are not updated, and to do so would require recertification, which can be costly, so manufacturers tend to not want to recertify.

To be fair, there's also the criticism that this is such a laborious process, it doesn't work at the speed of...

Guest: We've only known about this for 20 years, but we haven't engineered a solution. I'm not terribly... I think maybe I'm so skeptical because of how poorly I've seen the manufacturers behave, the threats they made against researchers. That's not a partnership. This makes me think of back in the day, Microsoft was very hostile toward researchers, until security got to be such a severe problem with the customers, specifically the U.S. government was threatening to stop buying their operating systems. Bill Gates had this Microsoft Trustworthy Computing security moment where he announced there would be a big stop, they would rearchitect their software, invented this concept called the security development lifecycle, and Microsoft did a 180-degree turn. They took about five years to do it, and now have one of the safest operating systems. Unless you have that kind of leadership from the top, it's not going to happen. You will have these fights between engineers inside the companies, but unless the decision comes from the top I don't think these companies will improve. They are full of Chinese chips manufactured in China and integrated in Taiwan.

Host: Just to be clear, who does the certification?

Guest: So different counties have different requirements and different states have different requirements. So there's a generally agreed-upon set of rules. Sort of like software should not be reprogrammable once it is written. These kind of baseline things.

But it's from the election commission, right?

Guest: But it is decades old. For example, there's no requirement for audit. These machines don't really have any ability for you to test if they've been tampered with. The manufacturer will say there's no evidence these machines have been compromised.
That's right, there is no way to gather evidence because the machines did not gather evidence. Of course you will not find a problem. So anyway, they are very frustrating. We did this with old equipment, and the next year we got better equipment, and now what we're looking at, we looked at the individual machines because that's all we could get our hands on, and now we're trying to get our hands on more of the back-end software. Like the equipment used to program tabulators, and then what we really try to get our hands on is the software that controls, I can't remember the name of it, it's like ES 200. It's what all the counties report into. That software is very hard to get your hands on because it's very licensed. And so anyway, along this progression of on-site, to a county, to maybe a whole state, what we found is that nobody has ever performed an audit on the complete system. They perform an audit of a machine, or maybe of the process, but the whole process has never been tested because there are so many different components and every county is slightly different. There's not a one-size-fits-all.

Should we be confident, or how confident or anxious should we be, about the security of the 2020 vote against hackers from Russia or elsewhere?

Guest: I'm going to vote and I'm going to trust the result, but I think what's different in this election from the previous election is the awareness is much higher. The people that get up and talk about these issues, they are not terribly new, but now people are going to use them, where before they would say it's too expensive or that's... now they've turned this into a spotlight. Thinking with hand-marked, human-readable ballots. For a long time manufacturers said it's human readable because the machine marks it, and the gold standard is hand-marked. That tells you the intention of the voter, human readable; it's not a machine, not a barcode. A lot of these machines will print out an audit report of what you voted, but it's in a barcode you can't read. You just have to trust what the barcode reads.
There are so many more people sensitized that at the first whiff of an issue there would be 1,000 eyes, and that wasn't the case a few years ago.

Host: In simple terms, were you able to alter a vote count in this year's Black Hat?

Guest: So I don't know about the DEF CON voting village this year. I haven't gotten all the results back, so I don't know, sorry.

In previous years you have?

Guest: Yeah, there's a small twist to this. When, let's say, you've got these machines and they are sitting in a warehouse, every other year in use, so they sit for a year hoping nobody comes in and tampers with them during that year. But when it comes time to program the machine, so you know how to vote, there's usually a memory card, and you place the memory card into the machine and that teaches the machine who is on the ballot. Or maybe a stack of the cards and you pick each one. If you are a smart attacker you would not attack each machine. You would attack the master machine that is programming that card, and that's what we saw Russia trying to do. They skipped going after all of the machines and were trying to go after the election office to get to that machine and corrupt the master copy. So when it is used to program 1,000 machines, they only had to hack it once, not a thousand times. So the one thing that drives the concern is, as we mentioned earlier, there are only four manufacturers. Even though we have 1,000 different styles of voting, it really comes down to four flavors of technology that are very similar and outdated.

On a separate topic, in the opening address at this year's Black Hat you talked about the danger of Chinese components getting into critical U.S. industries, and you suggested there should be a U.S. national industrial policy. Could you talk about what that would look like and what the danger is of Chinese components?

Guest: That's a proxy for, it could be anybody, untrusted components.
The difference is 20 years ago society didn't necessarily depend so heavily on these components the way it does now. The consequences are much larger. We need to update the way in which we allow such critical commodities to come into our economy or be used. It's interesting because I gave that talk and then I think that day the State Department released their document on the clean supply chain and clean telco. I didn't know that was coming, but it was suspicious timing. What led me to believe that the United States was moving toward, or is going to move toward, an industrial policy: number one, pretty much every other country in the world has an industrial policy except the United States. That was okay maybe when we were the world leader and everybody bought our stuff, but we are not the world leader in a lot of areas and everybody stopped buying our stuff. Now we probably need policies like anybody else that is consuming stuff. That's an industrial policy. We first saw this a couple years ago, and then it got formalized in the White House's 5G strategy. Then we see the State Department strategy, and these are all dots that are starting to form a line leading directly to an industrial policy. That will create a lot of clarity. And I think another thing we didn't think through properly is, so, for example, in the State Department they talk about how there's a lot of foreign telco operators. But we never fully thought it through. Is that a good thing or a bad thing? It's like four years ago when you, let's say you use your cell phone and call somebody long-distance. There's a billing record so they know if you've gone over your minutes. That telco outsourced that billing and record collection to a company that aggregates it all and returns it, because T-Mobile or whoever doesn't want to be in the business of running these billing systems. They outsource them. So who do you think was the cheapest bidder on all the telco billing?
All the billing in the United States ended up in Israeli companies, and they've been in Israeli companies for like a decade. Do you think Israel knows about every single phone call every American has ever made? That's what happens when you don't have an industrial policy: business goes to the lowest common denominator.

Is the proposed ban, the ban that is coming in 45 days on TikTok, a component of this?

Guest: I don't know if it's the right move, but when there was a skirmish on the Indian and Chinese border and Indian soldiers were killed by the Chinese, India responded very quickly and they banned TikTok. TikTok then announced that had a 6 billion consequence to their projected revenue. 6 billion. And so India had a plan right away to hit China where it hurt, at least commercially. That was the beginning of this kind of app war. The United States is getting in on it now, or this White House is getting in on it now, because you can't hurt, you're not going to engage in a military conflict over any of this. So that leaves other venues, and the economic venue now is so large that if you don't have a policy on this, I think you're going to have the issue that India had when Facebook moved into India and India did not respond, and now that is the dominant platform.

So is the benefit more that you're protecting national security, because you're not creating the possibility of the Chinese government getting access to all of these teens, TikTok and messages and so forth, or is it that you are hurting the Chinese economy?

Guest: I don't think you're hurting the economy. I think it's more about, hey, China, you don't let Facebook in. You don't let Google in. You don't let Twitter in. You don't let any of these platforms in, but your foreign minister is on Twitter all the time tweeting away. Your operatives are all over Facebook engaging in conversations, yet we can't do the same in your country.
So here you come with the state-subsidized popular social media, again, and you're going to get all this demographic and all this trend analysis on our youngest generation, yet we can't come into your market? That doesn't seem fair, so we're going to stop it. Maybe use this as leverage to say you can be in our app market if we can be in yours. It's completely one-sided right now, and I think subtle negotiations, public negotiations, probably turned into this gross negotiation.

Host: Jeff Moss, have you been a TikTok user in the past, and what kind of social media do you personally use?

Guest: So we have done DEF CONs in China twice now, and so I use the Chinese version, and ByteDance produces multiple versions, domestic and foreign. Just like there's a WeChat for domestic Chinese consumers and a WeChat for foreign. When we talk to people in China we use WeChat, and so it's pretty interesting, the WeChat app is such a walled garden. Everything is done through it because essentially the state has said this is the preferred messaging platform, and so it is dominant; no competitors can really get close to it. Where in the States there's a lot of them, still a lot of churn. I'm a big Twitter user. I gave up Facebook about three, four years ago. For me Facebook is a little too toxic and a little stressful, because you always feel like you are behind and you have to show off your latest gadget and feel guilty you haven't told all your friends what you are doing, where Twitter is much more emotionally stable for me.

Is there a concern with Huawei, a telecom that has been largely banned from the U.S., and the apps and other things that are hurtling towards this world that includes China and parts of Asia and parts of Africa, and this U.S. sphere of technology that includes North America, Europe, Japan? Is that a concern, and what do we lose?

Guest: Yes, it's a concern, and that ship sailed a couple years ago.
I was a chief security officer for a number of years and we were very concerned about the fragmentation of the internet. Now I think they refer to it as the splintering of the internet. Once you lose global interoperability, you get friction on everything. It's more expensive. You saw this when European countries started demanding data localization. Now Facebook or whoever, Google, can't just keep the data in the most efficient spot. They have to build a data center in Germany and in France and in China and all over the world to keep that country's data in that one location. So the cost of doing business increased everywhere just for data localization. Now you'll see the same thi