Def Con is the largest hacking conference in the world. Black Hat is one of the largest information security conferences, also held in Las Vegas. One is a university, and one is a party. One is focused on your professional career advancement, and the other is focused on being the soul of hackers and inspiring them. When did you found these?

Def Con is pretty old. It was founded in about 1993, and about three or four years later, Black Hat started. They just grew organically.

What is your background that you were able to do this?

Originally I thought I was going to be an FBI agent. Instead I turned into a hacker. It was a hobby that turned into a career. I started by throwing a party for some of my friends going away on a few networks that belonged to. Back then I knew everyone who was online. The internet was brand new. Everybody started showing up. Everything back then was invite only for hackers, and I was the first to invite everybody publicly.

First, let's get Joseph Marks of the Washington Post involved in our conversation.

One of the biggest components of Def Con is the Voting Village. Hackers try to break into voting machines. How did that go this year virtually, and what is your sense of the security of voting as we head toward the election?

A pretty broad topic. Originally it was conceived as attacking voting machines because everybody knew that what was being published about them was wrong. Everybody knew the manufacturers were very litigious and would go after anybody. Those were big red flags. The year before the Voting Village started, there was the DMCA carve-out allowing you to attack and research voting technology without violating copyright laws. All of a sudden, finally, it was legal for us to look at this stuff. The next question is, how do you get your hands on it if it is only sold directly to municipalities? We found a vendor who had bought a bunch that were damaged when a ceiling collapsed in a county voting warehouse. Now we have the machines.
Now the law allows us to tear them apart. That is what we did. Thank you, eBay.

In 2018, there was a civil war inside the voting machine industry. It's pretty small, four big ones. Some were supportive of what you guys were doing and some of them were fearful and hostile. Is that still going on, and who is winning?

It is still going on. If you look at it, the manufacturers are all pretty friendly with each other. If you try to figure out who owns shares in some of these companies, they are offshore shell companies outside of the United States, and it is impossible to determine who owns these voting machine manufacturers. It is not as simple as saying they are publicly traded or U.S. owned. Nobody knows.

There was a development at Black Hat where Election Systems and Software, the biggest voting machine manufacturer, announced they would be doing vulnerability disclosure to allow hackers to report vulnerabilities to them. Is that a new development? Where are we on that now?

I sort of dismiss it because of the history of the companies involved. There is a long history of this. How it goes is this: companies want to prove to the public, as a marketing gimmick, that they have a secure product. So they create very strict parameters around the test. Then they come to Def Con or they go to another conference, and for two or three days, people look at the technology. They fail because they have only had the machines for two or three days. The marketing department says how secure we are. I am very skeptical of these programs that are not transparent and open and available to any security researcher. As soon as you start signing NDAs, I do not trust it.

The criticism that the voting vendors historically have had of Def Con: you have old equipment. It was coded into people who owned it. You don't know the vulnerabilities, and you are not doing this in a realistic voting situation.
But yet, they will not release the updates or provide the realistic testing environment, so they get to complain about everything but do not do a single thing to improve the situation. For example, how long were news cycles consumed by this argument that voting technology is not connected to the internet? Only for it to be trickled out bit by bit that a lot of it is connected to the internet. Some that were not supposed to be connected to the internet might have a built-in 3G or GSM modem. Last year, there was a controversy where they had simulated election sites. People were very upset, saying that is not possible. That is unrealistic. Then when the FBI released how election sites were hacked, it was with the exact same techniques as the kids used: SQL injection on vulnerable county web servers. It was exactly what the kids simulated. Every time there is an objection, about six months or one year later, it turns out we were pretty accurate.

You have to remember, the way that these rules are written, machines get certified safe. They get deployed and they are in use. Let's say the manufacturer finds a bug. There is not a process to update the machines. Machines 10 years old are being used with 10-year-old vulnerabilities. They are not recalled and updated. To do so would require recertification, which can be costly, so manufacturers tend to not want to recertify.

To be fair, there is also criticism that this is such a laborious process. It does not work at the speed of [indiscernible].

We have only known about this problem for 20 years, but we have not engineered a solution. I think maybe I am so skeptical because of how poorly I have seen manufacturers behave, the threats they have made against researchers. That is not a partnership. This makes me think of back in the day, when Microsoft was very hostile toward researchers until security got to be such a severe problem that their customers, the U.S. government, were threatening to stop buying their operating systems.
Bill Gates had a security moment where he announced there was going to be a big stop. They would re-architect their software. There would be a lifecycle. Microsoft did a 180-degree turn. They took five years to do it, and now they are one of the safest operating systems. Unless you have that kind of leadership from the top, it is not going to happen. You will have fights between engineers in the company, but unless the decision comes from the top, I do not believe these companies will improve. They are full of Chinese chips manufactured in China from an integrator in Taiwan. Go ahead.

Just to be clear, who does the certification?

Different counties have different requirements. Different states have different requirements. There is a generally agreed-upon set of rules. Software should not be reprogrammable once it is written. These kinds of baseline things.

It is not the commission, right?

It is decades old. There is no requirement for audit. These machines don't have any ability to test if they've been tampered with. The manufacturers will say there is no evidence these machines have been compromised. That is right, there is no way to gather evidence because the machines have not gathered evidence. Of course you will not find a problem. They are very frustrating.

We did the Voting Village with older equipment, and the next year we got better equipment. We looked at individual machines, because that is all we could get our hands on. Then we tried to get our hands on the back-end software, the equipment used to program the tabulators. What we are really trying to get our hands on, I cannot remember the name of it. It is like the DS200. It is what all counties report into. That software is very hard to get your hands on because it is very licensed. A lot of this progression from one site to maybe a whole state, what we found is that nobody has ever performed an audit on the complete system. They have performed an audit of a machine or maybe a poll book, but not a whole system.
There are so many components, and every county is different. There is not a one size fits all.

Big picture, how confident or anxious should we be about the security of the 2020 vote against hackers from Russia or elsewhere?

I am going to vote and I am going to trust the results. What is different in this election is the awareness is much higher. The people that have been talking about these issues, they are not terribly new, but now people are going to actually use them, where before people would say it is too expensive. Now these audits are in the spotlight, with hand-marked, human-readable ballots. For a long time, manufacturers said it is human readable because a machine made it, and the gold standard is hand marked. It is not a barcode. A lot of these machines will print out an audit report of what you voted, but it is a barcode you cannot read. You just have to trust a barcode. Now there are so many more people sensitized that at the first whiff of an issue, it will be 1000 eyes. That was not the case a few years ago.

Mr. Moss, in simplified terms, were you able to alter a vote count at this year's Black Hat?

I do not know about Def Con. I have not gotten all the results back. I do not know. Sorry.

In previous years you have?

Yeah, and there are multiple ways to do this. Let's say you have these machines and they are sitting in a warehouse unused. They sit for a year, hoping nobody comes and tampers with them in that year. When it is time to program the machines, there is usually a memory card. You plug that memory card into every machine and that teaches the machine what is on the ballot, or maybe a stack of cards and you will pick them all. If you were a smart attacker, you would not attack each machine. You would attack the master machine programming that card, and that is what we saw Russia trying to do.
They skipped going after the machines and they tried to go after the election office to get that machine and corrupt the master copy, so that when it is used to program the machines, they only had to hack it once, not 1000 times. The one thing that drives concern: there are really only four manufacturers. Even though we have 1000 different styles of voting, it comes down to four types of technology that are similar. And outdated.

On a separate topic, in the opening address at this year's Black Hat, you talked about the danger of Chinese components getting into supply chains of U.S. industries, and you suggested there should be a national industrial policy. Can you talk about what that would look like, and the danger of Chinese components?

That is a proxy for it could be anybody: untrusted components. The difference is 20 years ago, society was not necessarily depending so heavily on these components, where they do now, so consequences are much larger. We need to update the way in which we allow such critical components to come into our economy or be used in medical devices or industrial control systems. It is interesting, because I gave that talk, and that day the State Department released their document on the clean supply chain and clean telco. I did not know that was coming. It was suspicious timing. What led me to believe the United States was moving toward, or is going to move toward, an industrial policy: one, pretty much every country in the world has an industrial policy except the United States. That was OK maybe when we were the world leader and everybody bought our stuff, but we are not the world leader in a lot of areas and not everyone is buying our stuff. So maybe we need to have other policies. We first saw this with the Huawei battles a couple of years ago, and then it got formalized in the White House's 5G strategy. Now we see the State Department strategies. They are starting to form a line leading directly to an industrial policy.
That will give a lot of clarity. Another thing that we did not think through properly, for example: the State Department talks in documents about how there are a lot of foreign telco operators. But we never fully thought that through. Is that a good thing or a bad thing? For years, you use your cell phone and you call long distance. There are a billion records, so they know if you go over your minutes. The telcos outsource that billing record collection to a company that aggregates it all and returns it, because T-Mobile or whoever does not want to be in the business of running these billing systems. They outsource it. Who do you think was the cheapest bidder on all the telco billing? All of the billing in the United States ended up in Israeli companies. They have been there for a decade. Do you think Israel knows about every single phone call every American has ever made? That is what happens when you do not have an industrial policy. Business goes to the lowest common denominator.

Is the proposed ban on TikTok a component of this? Is that the right move?

I do not know if it is the right move. When there was a skirmish on the Chinese and Indian border and Indian soldiers were killed by the Chinese, India responded very quickly and banned TikTok. TikTok announced that had a 6 billion consequence to their projected revenue. 6 billion. India had a plan right away to hit China where it hurts, at least commercially. I think that was the beginning of a kind of app war. The United States is getting in on it now. The White House is getting in on it now. Because you are not going to engage in a military conflict over any of this, so that leaves other venues. The economic venue is so large that if you do not have a policy on this, you are going to have the issue that India had when Facebook made a move into India and India did not know how to respond. Now, that is the dominant platform.
Is the benefit more that you are protecting national security, because you are not creating the possibility of the Chinese government getting access to all of these teens' TikTok messages, or is it that you are hurting the Chinese economy?

I do not think you are hurting the economy. I think it is more about, hey, China, you do not let Facebook in. You do not let Google in. You do not let Twitter in. You do not let these platforms in, but your foreign minister is on Twitter all the time, tweeting away. Your operatives are on Facebook engaging in conversation, yet we cannot do the same in your country. Here you come with a state-subsidized social media app, again, and you will get all of this demographic and trend analysis on our youngest generation, yet we cannot come into your market? That does not seem fair, so we are going to stop it. Maybe you use this as a leverage point to say you can be in our app market if we can be in yours. But it is completely one-sided right now, and I think some negotiations have probably failed, so it has turned into this gross negotiation.

Jeff Moss, have you been a TikTok user in the past, and what kind of social media do you use?

We have done Def Con in China twice now, so I use the Chinese version. ByteDance produces multiple versions. There is a domestic version and a foreign version. When we talk to people in China, we use WeChat. It is interesting, the WeChat app is such a walled garden. Everything is done through it. Essentially the state has said this is the preferred messaging platform. It is so dominant, no competitors can get close to it, whereas in the States there is still a lot of return. I am a big Twitter user. I gave up Facebook about three, four years ago. Probably three years ago.
For me, Facebook is a little too toxic and stressful, because you always feel like you are behind and you have to show off your latest gadget and feel guilty you have not told your friends what you were doing, where Twitter is much more emotionally stable for me.

Is there a concern, with the telecom that has been largely banned from the U.S., and the app and other things, that we have been hurtling toward this world with a Chinese sphere of technology that includes China and parts of Asia and parts of Africa, and the U.S. sphere of technology that includes North America, Europe, Japan? Is that a concern, and what do we lose?

It is a concern, and that ship sailed a couple of years ago. I was a chief security officer for a number of years, and we were very concerned about the fragmentation of the internet. They referred to it as the splintering of the internet. Once you lose global interoperability, it gets more expensive. You saw this when Europe and other countries started demanding data localization. Facebook or Google cannot keep the data in the most efficient spot. They have to build a data center in Germany and France and in China and all over the world to keep that country's data in that one location. The cost of doing business increased everywhere just for data localization. You will see the same thing happening with this fragmenting internet. Apple had to build extra data centers and give control to China Mobile to house iCloud data for Chinese citizens. That is just the tip of the iceberg. It will get more complicated with regulatory requirements that will have severe consequences if you violate them. You are creating a more fragile global network. You are concentrating power, so if you look at it now, if I want to create a blog or have a social media platform, there are few left that are large. It is happening now, either Google or Microsoft. That is very convenient for regulators.
Now they only have to go to Google and Facebook or Twitter, where 10 years ago they would have had to go to 50 or 60 or 100 companies. By concentrating the power, you are getting greater market efficiency, but you are getting the opportunity for more regulation. That's why I think the internet is at an inflection point: we are removing the more fragile, more political, less resilient, distributed internet, and it is generally because of market efficiencies, these great powers aggregating, like Amazon aggregating. In the United States, I think of it as there is going to be a sphere of countries that are rule-of-law countries, the democracies. The laws don't have to be the same, but there will be countries that respect the rule of law, whatever it may be. They respect each other's traditions and democracies. And then there will be a group of countries that are more authoritarian, like Iran, North Korea, China. They have a different system. They view the world differently. There will ultimately be, I believe, essentially these two spheres with the undecided in between. I would not be surprised if five or 10 years from now, there is the rule-of-law, data protection, appeal-the-ruling internet world, and the other, where we don't know why it was taken down, these are the banned words, don't use them online. A conflict of two different vis