
Guest: Well, DEF CON is the largest tech conference in the world; about 30,000 people attended in Las Vegas pre-COVID. And Black Hat is one of the largest security conferences, also held in Las Vegas. One is the university and one is more like the party. One is focused on professional career advancement and the other is focused on the soul of hackers and inspiring them.

Host: When did you found these?

Guest: DEF CON is pretty old, before the .com bubble, before 1993, in about... three, four years later Black Hat started, in 1997, I believe. The secret was we did no advertising or marketing, and they just grew organically.

Host: What is your background that you were able to do this?

Guest: Well, originally I thought I would be an FBI agent, but instead I turned into a hacker, and it was a hobby like everything, a hobby that turned into a career. And they started throwing a party for some of my friends that were going away on one of the computer networks I belonged to, and instead I ended up inviting everyone I knew back then online, and that was brand new, and pretty soon everybody started showing up. Everything back then was invite only for hackers, and that was the first to invite everybody publicly.

Host: Let's get Joseph Marks of the Washington Post involved in our conversation. Jeff, one of the biggest proponents of DEF CON is recently the Voting Village, where hackers try to break into voting machines. How did that go this year virtually, and what is your sense of the security of voting as we head toward the election?
Guest: That's a pretty broad topic, but originally we conceived attacking voting machines because nobody knew... everybody knew that what was being published about them was wrong, and everybody knew that manufacturers were very litigious and would go after anybody that tried to host them, so those are some big red flags. So the year before the Voting Village started, the DMCA, Digital [inaudible], had a carve-out allowing you to attack and research voting technology without violating copyright laws. So all of a sudden, finally, it was legal for us to look at the stuff, and then the next question is how to get your hands on it if it is only sold to municipalities. And we found a reclaimed repeat offender who had bought a bunch that were damaged when the ceiling collapsed in the county voting warehouse, so now we have the machines, and now it allows us to tear them apart, and that's what we do. Thank you, eBay.

In 2018 you said there was a civil war inside the voting machine vendors. It's a pretty small... four big ones, where it was portable and you are doing, and some of them were fearful of hostiles. Was that still going on?

Guest: Yeah, it is still going on. If you look at it, the manufacturers are friendly with each other, and if you try to figure out who owns shares in some of these companies, there are offshore shell companies outside of the United States; it is impossible to determine who owns the voting machine manufacturers. So it's not as simple as just saying it's publicly traded or 100% U.S. owned, and nobody knows.

There's a little bit of development at Black Hat where Election Systems and Software, the biggest of the voting machine manufacturers, announces it will do a full disclosure project, essentially, of how hackers do reports, vulnerabilities in certain... to them. Where are we on that?

Guest: I dismiss it, sort of, because of the history of the companies involved, and so there is a long history of this.
Guest: A company wants to prove to the public, as a marketing gimmick, they have a secure product, so they create very strict parameters around tests, and then they come to DEF CON or go to another conference, and for two, three days people try to hack into their technology, and if they've only had the machines two to three days, then they fail, and they say look how secure we are. I'm very skeptical of any of these programs that aren't fully transparent and open and available to any security researcher, because as soon as you sign NDAs I don't trust it.

The criticism that the voting vendors historically have had of DEF CON is you've got old equipment that was coded easily by the people that owned it, and you don't know the vulnerabilities, and you're not doing this in a realistic voting situation. What do you think of that?

Guest: Yes, they won't release the updates and they won't provide the realistic testing environment, so they get to complain about everything, but they don't do a single thing to improve the situation. For example, how long were the news cycles consumed by this argument of "our voting technologies are not connected to the internet"? Only later did it come out, bit by bit, that it is connected to the internet, a lot of it. Not every manufacturer, but a lot of it was, and these machines were not technically supposed to be on the internet but have a built-in 3G or DSL modem. Last year we had a kids' village that hacks simulated election sites, and people were mad and said that's not possible and unrealistic, and then when the FBI released how some election sites were hacked, it was with the exact same techniques that the kids used. So it's exactly... in reality, that's exactly what the kids simulated, so every time there's an objection, about six months later or a year later it turns out that no, we were pretty accurate. You have to remember the way these rules are written: the machines get quote unquote certified, certified safe or whatever, and they get deployed and they are used.
Now we take a manufacturer bug, and there is not a process to update the machines, so you have machines that are ten years old now being used with ten-year-old vulnerabilities. Full of known vulnerabilities, and they are not recalled or updated, and to do so would require recertification, which can be costly, so manufacturers tend to not want to recertify.

But this is a criticism that the manufacturers have made.

Guest: If it doesn't work on the speed... we've only known about this problem for 20 years, but you have not engineered a solution, and I'm not terribly... I think maybe I'm so skeptical because of how poorly I have seen the manufacturers behave, and the threats they have made against researchers. That is not a partnership, and it makes me think of back in the day, Microsoft was very hostile towards researchers until security got to be such a severe problem that their customers, specifically the U.S. government, were threatening to stop buying their operating systems. The security moment came when Bill Gates announced they would re-architect the software and invented this concept called the Secure Development Lifecycle, and Microsoft did a 180 degree turn, and it took them five years to do it, but now they're one of the safest operating systems. Unless you have that leadership from the top, it's not going to happen. You will have these fights between engineers and comedies, but unless this decision comes from the top, I don't believe these companies will improve. Tiny chips manufactured in China from an integrator in Taiwan.

Host: Mr. Moss, just to be clear, who does the certification?

Guest: Well, different counties have different requirements and different states have different requirements. There's generally an agreed-upon set of rules, sort of like a software should not repair bible belt once it is written in, but it's decades-old thinking, and so, for example, there is no requirement for audit, so these machines don't have any ability for you to test if it's been tampered with.
Guest: The manufacturer will say there's no evidence that it's been compromised, and that's right, there is no way to gather evidence because the machine does not gather evidence. So of course you won't find a problem. So anyway, we did this village with older equipment; the next year we got better equipment, and now we are starting to look at it... we look at the individual machine because that's all we could get our hands on, and then we tried to get our hands on the back end of the software, so these are like equipment that you had to program, or tabulators, and then what we are really trying to get our hands on is the software that controls, I can't remember the name, like a DS200, and it is what it all reports into, so that software is very hard to get your hands on. It's very licensed. And so anyway, the longest progression of on-site to a full county or maybe to a full state, but what we found is no one has performed an audit on the systems, and the whole system has never been tested, because there's so many different components that every county is slightly different. So there's not a one-size-fits-all.

Should we be confident about, or how confident or anxious should we be about, the security of the 2020 vote against hackers from Russia or elsewhere?

Guest: I mean, I will vote and trust the result, but I think what is different in this election to the last election is the awareness is much higher, and the people that have been talking about these issues, risk limiting audits, they are not terribly new, but now people are actually going to use them, where before they would say it's too expensive, and now it's in the spotlight. Same thing with human readable [inaudible].
Guest: For a long time manufacturers said it's human readable because it's machine marked, and the gold standard is if it is hand marked, and that tells you the intention of the voter, and human readable and not a machine or a barcode, because a lot of these machines will print out an audit report of what you voted, but it's in a barcode you can't read, and you just have to trust the barcode works. So I think now there's so many more people sensitized that at the first whiff of an issue there are a thousand eyes, and that wasn't the case four years ago. Very few people were sensitized to this.

Host: Mr. Moss, in simplified terms, were you able to alter a vote count in this year's Black Hat?

Guest: I don't know about DEF CON this year, so yeah, I've not gotten all the results back, so I don't know, but what I can say is...

But in previous years you have.

Guest: And multiple ways to do this. One was, let's see, who got these machines in the warehouse four years unused, or every other year, so they sit for a year hoping that no one comes and tampers with them during that year. But when it comes time to program the machines, you know, how to vote, there is usually a memory card, and you plug that memory card into the machine and that teaches the machine who is on the ballot, or maybe a stack of cards. So if you were a smart hacker you would not attack each machine, but you would attack the master machine programming that card, and that is what we saw Russia try to do: instead of going after the machines, they go after the election office to get that machine and corrupt the master copy, so when it is used to program a thousand machines they only have to hack it once, not 1,000 times. One thing that drives some concern is, we mentioned earlier there are four manufacturers, so even though we have a thousand different styles of voting, it really comes down to four types of technology, and very similar and outdated.
On a separate topic, in the opening address at this year's Black Hat you talked about the danger of Chinese components getting into supply chains of some pretty critical U.S. industries, and suggested there should be a U.S. national industrial policy. Could you talk about what that would look like, and what the danger is of the Chinese components?

Guest: That's a proxy for... it could be anybody, untrusted components, but I think the difference is 20 years ago society did not necessarily depend so heavily on components, and they are much larger, and we need to update the way in which we allow critical components to come into our economy or use in medical devices or industrial programs. And it's interesting, because I gave that talk and then I think the State Department released their documents on clean supply chain, and clean... and I did not know that was coming, but it was suspicious timing, so that led me to believe that the United States was moving towards, or is going to move towards, an industrial policy. Pretty much every other country in the world has an industrial policy except the United States, and that was okay maybe when we were the world leader and everyone bought our stuff, but we are not the world leader in a lot of areas and everyone is not buying our stuff. It's not... we probably need to have... consuming stuff, and so that is an industrial policy. We first saw this with the battle a few years ago, and then it got formalized in the White House 5G strategy, and now we have the street to permit strategy, and these are all thoughts that are starting to form a line leading directly to an industrial policy, and so that will give a lot of clarity. And I think another thing that we didn't think through properly is, for example, in a State Department... they talk about a document and talk about foreign telco operators, but we never fully thought that through.
Is that a good thing or bad thing? And it is like, for years when you use your cell phone and call long distance there's a billing record, so they know if you have gone over your minutes, so the telcos outsource billing records collection to companies, and the hacker gets it all and returns it, because the mobile operator or whoever doesn't want to be in the business of running these billing systems. They outsource it. Who do you think was the cheapest bidder on all the telco billing? All the billing in the United States ended up being an Israeli company, and it has been an Israeli company for decades. So, do you think Israel knows about every single phone call every American has ever made? That is what happens when you don't have an industrial policy. This goes to the lowest common denominator.

And is the proposed ban, or the ban coming in 45 days on TikTok, a component of this? Is that the right move?

Guest: I don't know if it is the right move, but when there was a skirmish on the Indian and Chinese border and Indian soldiers were killed by the Chinese, India responded very quickly and they banned TikTok. TikTok then announced that that had a 6 billion dollar consequence to their projected revenue. 6 billion. So India had a plan right away, because they hit China where it hurts, at least commercially, and I think that was the beginning of this kind of cap war. The United States is getting in on it now, or the White House is getting in on it now, because you can't... you will not engage in a military conflict, so that leaves other venues, and economic venues now are so large that if you don't have a policy on this I think you will have... the issue that India had with Facebook: Facebook had moved into India and India did not know how to respond; that is the dominant platform.
Is the benefit more that you are protecting national security, because you are not creating the possibility of the Chinese government getting access to all of these TikTok and messages and so forth, or that you are hurting the Chinese economy by...

Guest: Yeah, I don't think you are hurting the economy, but it is more about, hey, China, you don't let Facebook in, you don't let Google in, and you don't let Twitter in, and you don't let any of these platforms in, but your minister or foreign minister is on Twitter all the time and your operatives are all over Facebook engaging in conversations, yet we can't do the same in your country. So here you come with this subsidized popular social media app, again, and getting all the demographic and all this analysis on our youngest generation, yet we can't come into your market. That doesn't seem fair, so we will stop it, and maybe use this as a leverage point to say we can be in your market if you are in ours, but it's completely one-sided right now, and subtle negotiation has probably failed and has turned into this gross negotiation.

Host: Jeff Moss, have you been a TikTok user in the past, and what social media do you personally use?

Guest: We have done DEF CON in China twice now, and I use the Chinese version called [inaudible], and so they produce multiple versions. There is a domestic and foreign version of TikTok, just like there is a WeChat for domestic Chinese consumers and WeChat for foreign.
Guest: When we talk to people in China we use WeChat, and so it is pretty interesting that the WeChat app is a special walled garden in which everything is done through it, because essentially the state has said this is the preferred messaging platform, and so it is so dominant no competitors can get close to it, where in the States there is a lot of churn. And I'm a big Twitter user, and I gave up Facebook about three, four years ago, and for me Facebook is a little too toxic and stressful, because you always feel like you are behind and have to show off your latest gadget and feel guilty you've not told all your friends what you are doing, where Twitter is much more emotionally stable for me.

Is there a concern with Huawei, that has largely been banned from the U.S., and the apps and other things, that we are hurtling toward this world where there's a Chinese bureaucrat technology that includes parts of Africa and this U.S. bureaucrat that includes North America, Europe, Japan? And is there a concern, and what do we lose when...

Guest: It is a concern, and that ship sailed a couple of years ago. And so I was a chief officer for a number of years and we were very concerned about the fact of the Asian internet, and now they refer to it as the splintering of the internet, but once you lose global interoperability you get friction on everything and it's more expensive. And you saw this in Europe, where other costs to citizens, so no Facebook or whatever, Google can't keep it in the most efficient spot, but they had to do it in France and in China and all over the world to keep that country's data in that one location, so the cost of doing business increased everywhere. And now you see the same thing happening with the fragmenting internet, and routers, and they had to build extra data centers and control over to China to host iCloud data for the citizens, but that is the tip of the iceberg, and it will get more and more complicated with regulatory requirements that I'm sure will have pretty severe consequences if you violate
them. You are creating a more fragile global network in which you are concentrating power, so if you look at it now, if I want to create a blog or have a social media platform there are a few left, and what is happening now through email is either Google or Microsoft, and that is convenient for regulators. Now they have to only go to Google and Facebook and Twitter, where maybe ten years ago they would have had to have gone to 50, 60 or a hundred, and now by concentrating the power we're getting marketing efficiencies but getting regulation, and so that is why I think the internet is at a point where we're moving to a more fragile, politically less resilient, less distributed internet, and it's generally because of market efficiencies and these great powers aggregated. So, to your original question about China, I think of it more as there will be a sphere of countries, instead of the rule of law countries, that democracies or rule... the laws don't have to be the same, but there will be countries that respect the rule of law, whatever it may be, and respect each other's traditions, and then there will be a group of countries that are more authoritarian, and maybe it will be Iran, North Korea or China, and they have a different system and they view the world differently, and there will ultimately be, I believe, essentially these two spheres with the undecided in between. So I wouldn't be surprised if five, ten years from now there is the rule of law data protection... the ruling internet, and the "we don't know why we are down, but these are the banned words and don't use them online."

[inaudible]

Guest: Yeah, a conflict of two different visions of the world.
Guest: It's the Belt and Road vision of the world or the WTO. And just like it was with NATO, they watched around Russia, I would not be surprised if in five or ten years there is another organization that is the digital equivalent of that surrounding China. And whether... so in the last couple of months I think there have been countries that have been angered by China: Japan and Taiwan, South Korea and Thailand, and Malaysia wants to get out of the predatory loan, and I think they are unhappy, but basically India is angry, and basically anyone touching the Chinese border right now has a conflict, and Russia pulled out and they claim the Chinese were spying on the Russian technology. So if you draw a line completely around China right now, all those countries have an issue, and that starts to visually look like what happened with Russia.

Host: Mr. Moss, what do you think about the new Cyber Command being developed at the Pentagon?

Guest: Yeah, I think you have to have the capability to defend yourself and you have to have the capability to project force, and I think what is happening, though, and I hope it has evolved, is that the types of conflict we will be engaged in are what some people refer to as cognitive warfare. It is not fake news, it is not disinformation, but those are all subcomponents and all elements of cognitive warfare, and trying to get your opponent to behave differently and never have to engage in any physical conflict, but it would be great if on their own they decided to do what you do. So I would love it if Cyber Command had a large component of that, because that is what we will be facing in the future with technology.

Let me close out with this. The first DEF CON I was at was in 2013, when there were the disclosures and lots of tension between the hacking community and the federal government. Has that gotten better? Because this year I think at DEF CON you had Cyber Command and the NSA, DHS, so what is your relationship with them? Are they friends or...

Guest: I wouldn't say it was like it used to be.
Guest: That panel you just mentioned was all around how those agencies will affect the election, so people cannot get behind that message, I think. But there are a lot in this administration... the way things have been politicized, and until that fear goes away I think everyone will try some of these agencies for assistance.

Host: Mr. Moss, what are you doing in Singapore?

Guest: My wife is in Singapore and we come here for Chinese New Year, and this year again... a couple weeks or months, and it has been four months or five; we came in February. I'm kind of stuck here.

Is there an Asian Black Hat, DEF CON happening as well?

Guest: There is a Singapore Black Hat that will be virtual, and we were going to try to do another Chinese DEF CON, which is all but canceled, and I think Black Hat in the UK... the conference world has been turned on its head right now.

Host: Jeff Moss is the founder of DEF CON and Black Hat, and Joseph Marks covers cybersecurity issues for the Washington Post. Thank you both for being on The Communicators.

Thank you.

Guest: Thank you.