 Howdy, everyone. Democracy is a little rough in the morning here. Oh, that was a shot. Okay. Freedom burns. I love it. Yeah, so, you know, I'm Josh Franklin. And I'm Kevin Franklin. You know, and we're going to talk about some of the like, like online election hijinks that we've been seeing since 2012 and then basically talk about our efforts to protect the 2018 midterm elections. We'll basically be seeing some some typosquadding on like, you know, large, well known political figures, political parties also take a look at malware inside of campaigns and state state election websites. So this is a real important disclaimer. This this work really does not represent the opinions of our employers. This is personal work. We do this on personal time. I'm working out of the basement. He's working out of the basement. It is intended to be party agnostic, despite my goon like colors. Am I blue one? So not a goon. Yeah. Yeah. So this you know, this is your typical voting machine. It is something that folks have been, you know, spending a lot of really good time looking at in investigating since the year 2000, 2002, we are not talking about these. We are, you know, going to be talking about the stuff that actually has been tapped. We're going to be taking a look at all the things surrounding like these systems to make these things function. Here's the agenda that we'll cover today. We're going to talk about the history of our project. It's been a labor of love for us. We'll talk about the methodology of how we do what we do. We're going to spend some time trying to educate you and inform you about the elections infrastructure. We'll look at some results of some campaign analysis that we've done. We'll look at some state results. We'll look at results of scanning vendors. We'll have some recommendations and we'll have some conclusions at the very end. Okay, so on this slide, I got to hold the sword. It was a big deal for me. So I wanted to have a white hat, a white top hat. But so I'm Kevin Franklin. Yeah, and I'm Josh Franklin. And so I've been in the game since 04. Since I started in college, I've been working with, you know, election systems in some form or fashion ever since. I helped set up and, you know, run and repair voting machines in the state of Georgia for about six years, five years while I was in college. And then I moved to the US Election Assistance Commission, where I basically did testing and certification of voting systems. And then I moved to the National Institute of Standards and Technology, where I've been basically leading some of the cybersecurity aspects of the voting project there. I have recently worked there and I'm not speaking for any of those folks. Yeah, and my background is IT. I've been in IT for about 30 years. My my history really is in performance and optimization of code transactions per second. Think of it that way. Early on I did some work with with Lockheed and with NASA. I've been in big data for about the last 20 years. And I worked for a financial institution. Word, word. Yeah, this one's this one's yours, man. Yeah. So what is election buster? Getting getting terminology right is is often a very difficult thing. We tend to overuse the word election buster. It is a Python application that we've written. We call that election buster. It is also a software suite that we've written. That's called election buster and it's the project itself. But everything that we do is is all about protecting the US election ecosystem. The scope this scope is very large. There are lots of candidates. There are tons of election officials, many different voting system manufacturers, service providers. The initial thrust of this effort started with trying to find fake presidential sites. And currently we're assessing different campaign infrastructure and the online state and local infrastructure. And we are identifying fake sites for candidates, PACs and states. Yeah, so this all started in 2012 as a as a George Mason project. Go Patriot Hackers. You know, this was just something that I needed a semester project for. And I thought it would be interesting to take a look at, you know, who was basically typosquadding on Mitt Romney and, you know, and Obama. We were basically just hunt and peck typing, trying to find various, you know, fake sites. Shout out to, you know, Robert and Matt, who basically were, you know, really end on the on the ground floor. And we actually presented our initial results at Schmucon in 2014. After that, we we released the first version of our code at besides DC in 2015. Since then, we've been basically collecting huge amounts of data, looking at all the infrastructure that we can find. And we were really focusing on basically having a, you know, measurable impact for 2018. And I think that you'll see that we basically got there. All right, this is this is how we do our election buster work. This is this is the way we do it. Let's say we're interested in a specific office and analyzing that. We'll obtain a list of candidates for that are buying for that office. And we'll also get state election websites that we may be interested in as well. We process all of that through our election buster tool. And we have other assessment tools and a grading rubric rubric that we use at the end. We do a lot of manual analysis. We've automated a lot of that. We've thrown a lot out, but there's still a ton to do. There have been several nights where I sit in the basement and I page through a thousand different results or web pages that we went and found. Once we find issues, we do attempt to practice responsible disclosure. And then we, since we're in Vegas, we party like rock stars like you guys did last night. Yeah, so, you know, to basically bring it down another level in the top left, we basically get candidate names, which is basically first name, last name, party office year and state that the candidate's from. We then put that into election buster, which then outputs results files. And then those results files go into some phantom JS scripts. Those phantom JS scripts basically take pictures of those websites in memory and then we just have a crap ton of screenshots. Those screenshots then need either manual analysis. But we are also implementing some fairly simple neural networks to basically take out some of the obvious things that we don't really need to look at things like parked domains. At the same time, we are getting tons of candidate websites alongside voter registration and state websites. There are no lists for those out there. So it's basically me watching 13 Marvel movies making those, you know, giant lists. We then basically do who is lookups and then send them through basically online security assessment tools. And then we take those results files and do manual re-view there. And if like basically something's fun, we're going to be talking about it here if not throw it on the pile. And it's a giant pile. Yeah, so what systems are actually out there? I like to think about it as basically being in three separate groups. Those controlled by some sort of election officials, someone from the government. You know, these are just various examples. You know, you have Opscan, touch screen systems, ballot marking devices. You have ePoll books for basically checking in voters. You have state election websites. And then you have voter registration systems with online interfaces. You also have systems that are owned and controlled by candidates. And those are basically going to be, you know, candidate and party websites and also all of the large databases where they're taking in information from a whole heck of a lot of different sources. And then finally, you have basically third party sites, stuff like PAC and stuff from nonprofits, you know, rock the vote, that sort of stuff. This, you know, infographic, what it's, you know, trying to really show here is basically how information flows from a voter into various parts of the election system. There's, you know, three main ways that I would really say that, you know, information leaves a voter here. Voters voluntarily give information to candidate websites and parties. So, you know, that's going to be like first name, party, affiliation, money. And that's, you know, a, you know, that's a voluntary transfer of information and that's what blue represents here. And then candidate websites, you know, put that information into the campaign voter information databases in the bottom left-hand corner. In order to vote, you, you, like, must give information to your state or loc, or locality. And then that information is then pro-vided to the statewide voter registration systems. It is at, like, that point, there is something a little bit interesting there. And that's, like, basically campaigns can basically ask for information from the, from the statewide voter registration system. And then also, they may have to pay for it. But it's like a, you know, in order to vote, you, like, essentially have to give your personal information to these, you know, large candidates and parties. On the right-hand side, you basically have a whole different type of information transaction. And that's basically going to be voter selections, the stuff you put on ballots, put into voting systems. Which, you know, ultimately get aggregated and tabulated and, you know, make their way to basically, like, state election websites. And for me, it came as a surprise that, that we gather all this information and then we offer it for sale. They gathered it for free or they gathered it to register you. But then, then it's offered for sale. Yeah. As someone who works in big data, he was, he was very interested in that. Yeah. So what sort of tax happened in the 2016 elections? You know, this, you know, really helps to frame how we approached this effort, especially in the past two, two, two years. We have a lot more detail in the back of our slides. And so you can, like, catch that later. But, you know, what we really saw, like, I think, summed up into one slide is basically phishing of campaigns, voting service and pro-viders and manufacturers alongside election officials. We also saw typosquadding on campaign fundraising sites, and then party contractor controlled domains. And so, like, basically, you know, whatever IT company is basically helping some party. We also saw social media manipulation and disinformation. We didn't do anything with that. There's actually data breaches at the federal, state and local levels of, you know, of, you know, private data, essentially. And then we also saw data breaches in candidate and campaign systems. And so basically, you know, if there was data to be breached over the past couple, couple years, it has at least happened once. And one of them was here at DEF CON inside of the, you know, voter hacking village. You know, big, big shout out to the, to the voter hacking village, right? Really, really cool if you haven't stopped by, you should. So they basically found a, you know, county voter information database, essentially, like on an ePoll book. And it was just part of the voting machines that they got a hold of. And then there was, like, basically direct tax on online voter registration systems and campaign infrastructure. And here's my campaigns one-on-one slide. So for, for this midterm election cycle, there are thousands of candidates that are running. We've scanned a lot of them. We've scanned most of them. But I'm sure that we've not scanned all of them. We've, we've got, we've got a ton of information. And, you know, as you might expect, most of these campaigns are, are pretty small. And these guys have little or no IT experience. And then you have just the opposite of that, the larger campaigns, which might have a sophisticated staff and a huge IT staff. We, we did observe campaigns that are being run purely from Facebook or Twitter, Instagram and Snapchat. And maybe that's what the future holds is. Our small campaigns like that are, are cheap and they're secure. Maybe so. I like it. Yeah. Back in 2012, here's some of our, you know, fairly early 2012 findings. You know, the really big thing that we, that we found was like a fake DNC and fake RNC accepting donations. And then, you know, we also found a couple in, in infected political action committee sites. What you can see here at the, at the bottom is a screenshot from a Google search result called Our Country Deserves Better Pack. And I'm not sure if they really want to be selling Viagra. I don't know what they're trying to say. Our, you know, country needs to get better at. But, you know, so basically they have been compromised and they are basically actively hawking pharma, pharma pseudocals. This is, you know, this is the fake DNC site that we, that we found at this point in time in 2012. The DNC did not own Democratic National Committee.org. Someone else did. There was also a, you know, like an RNC corollary as well. And this is a, it's an okay site. I mean, it doesn't super look fishy or odd. But there is a nice big make a donation button there. And those, you know, I mean, from what we could tell, they were actively taking contributions and not passing them along to the DNC. We reported this to the FBI. And they were, you know, subsequently taken down. In 2014, that's really when I was brought into the project by Josh. He brought me in to look at some of the code or to give him a hand with some analysis. And it was really our first iteration of election busters. We did find some in our, in our CC sites that could potentially confuse voters. So you might be thinking that you're donating to a certain candidate, but you're really given to the other guys. We found that some of the candidate sites were, were actively distributing malware. We also found some leakage of sensitive who is information. And it did, it did highlight the need to focus on, on our analysis. Yeah, yeah, I mean, so, so this looks to to be a pro anchor Patrick website. It's got great web design. It's got a, you know, very nice picture, a very large donate button, right? And that's like one eighth of the whole page is that one donate button. And, but, you know, what you don't realize is if you don't read that small black text, you're actually voting for her opponent. And we saw 12 other sites like, like these. And there was a, you know, little box at the very, very bottom of all these sites that said owned and operated by the National Republican Congressional Committee. Yeah. And those were really interesting. We have, we found another one here. This is Phil Gingry, I think is his first name. He was running for Senate in Georgia. His site was just basically distributing malware to anyone who happened to stop by. Probably not the best way to get campaign contributions is to, you know, have a nice dropper there. Yeah, we tried to actually contact them over Twitter to no avail. This is where we first ran into, you know, responsible disclosure being a big, big problem and saying, hey, actually, it's kind of difficult to contact these folks and let them know that they need to sort their stuff out. And this is the output from our election buster application. It's a directed graph is the representation here. Perhaps the text is very difficult for you to read out in the audience. But at the center here, you can see it's Hillary's main site, Hillary for president dot com. This is data that we gathered on election day of 2016. I took that data and put it into R. There's an iGraph package in R. That's good for network diagrams. Some of the some of the nodes around it are the job for president. Rubio 2018. Let's see Walker dot vote and crew sucks. Okay. Yeah, I got that in the mic really well. But what you can see is you can see how she is. I saw examples on both sides, but how she is squatting on the domain names of several of her competitors, which is a common practice, certainly not illegal. And here's one for Donald Trump in the 2016 election. He did the same thing or or someone did the same thing. I don't know if it was if he did this, but Jeb Bush is being redirected to Donald J. Trump. We have president Cruz and we have Jeb for president. Ted 2016 is going there as well. These are the fun graphs the draw. And this one's really tiny. So this is 2018. This is middle of July of this past month. Let's see what we have. Gillibrand for president. Rock 2020. Dwayne the Rock Jots. Dwayne. Yeah. Jim Mungie. And I don't know. Trump for Trump for Prez, friends of friends of Trump. Yeah, it's not not as exciting. Yeah, here we go. So here's where, you know, we've been doing this for a little while and we saw one of our biggest failures in our in our project. And I think that's okay. It's, you know, you know, good to take lessons learned. But it was unfortunate. This was such a big lessons learned moment. So we took election buster and made a version of it made for PACs and like other NGO type organizations. And we actually pointed it at Act Blue, which is the primary funding platform for the for the Democratic Party. And what you would, you know, like what you would do is if you're a candidate, you basically take Act Blue and, you know, embed their widget into your site and you can take money. You know, recent indictments, though, from Mueller show that when the foreign adversaries got into the DNC and the CCC systems, they actually redirected the main, you know, URL on their website for Act Blue to act blues dot com. We actually a month ago, we found out that we had found Act blues.com in our searches back in 2016. So while it was going on, we actually looked at that site in the face. We said this site looks reasonable. It seems to have good web design. There's nothing immediately odd the, you know, who is information is normal. And it seems to be hosted in a different spot, but no big deal cloud flare, you know. And so we basically stared the stuff straight in the face in 2016 and did not realize it goes to show how hard detection actually is. So far this year in 2018, we took the Python code that we had and I think it was Python 2.5 and 2.7. Okay. And put it into Python 3. The threading model that we were using in the previous version is different than the process model that we're using now in Python 3. So we also had some new variants of templates for packs. We included election websites and manufacturers websites. We started correlating election buster data with open source thread intelligence information. And we started writing a version of evil URL and DNS twist and then realized there's something there already. And we decided not to continue that development, just take advantage of the good work that folks have already done and utilize those tools. And we did start looking for some homographic attacks. Yeah, you do Linda. Linda. What's up, Linda? Yeah, so Linda Coleman is a, you know, is someone running for state office in North Carolina. So since she was a state, she was generally a little bit under our radar. She had previously ran for lieutenant governor. Her old lieutenant governor domain had its code stripped from way back machine. Her old domain was actually purchased and someone named Yvonne Goosev or, you know, even Goosev, I'm saying it wrong. Sorry. Ivan. Ivan. I keep saying it wrong. Ivan Goosev, you know, left his name in the who is information there. We did a little bit of research. This is assumed to be a fake name, not necessarily politically motivated. But you can see this is, you know, Linda's old, you know, Lou, Lou, lieutenant governor page, sorry, domain and page. This was Linda for NC.com in yellow there. You can see something in French talking about purchasing pharmaceuticals. If you click donate, you are not going to be offered an opportunity to donate to her campaign. You're going to be buying Viagra. That's the thread through this talk. Yeah. So it's really, really weird though. In some who is interfaces, you know, it actually said Ivan Goosev. And you know, this one, it just shows that basically a Russian national, you know, owns this domain. We don't necessarily think this is politically motivated. I just think that this person purchased this and was just trying to cast a wide net in selling their pharmaceuticals. But we're not sure. You saw the results of the election buster output that I showed you before with the graphs. And and I think some of the some of the intent was to say, you need to be proactive and you need to protect your domain name space. And you need to be you need to buy some domain names that are associated with you or could be associated with you. This guy carried it to the nth. He went a little nuts and he bought all of these names all around his his name space. And I think it's great. But but maybe it's a little bit overkill. I think there's 37 websites there. But that's cool. Go Pete. Go Pete. Pete for Congress. Comrade? Yeah, so this is so this is a site that is, you know, electdevinnunez.com. Someone wasn't happy with him and made a nice tribute, you know, basically coded in the, you know, sickle and hammer and all that. So if you scroll down here you would see a bunch of Russian oriented, you know, pictures with Devin, some really decent photo shops. I think the site is still active. If you wanted to visit it yourself there didn't seem to be anything wrong with it. But this is sort of an example of, you know, like a free speech issue. This isn't necessarily illegal or, you know, by any means. We saw this time and time again, folks really just wanted to, you know, throw up these sorts of domains. Another one that we saw was Gillibrandsucks or Gillibrandsucks.com. I think she's a Democrat from New York and she had this domain purchased against her and it was read die record to the Democratic Socialists of America page. You know, we want to show some funny stuff from both sides there. Here is Carly Fiorina's current page. You know, really nice. It looks awesome. Nothing fishy here. But then we found her old site from 2000. It's still going. I don't know what kind of campaign money you get to purchase like a domain for 20 years and hosting for 20 years. But it's kind of, you know, it's kind of interesting. We saw tons of this. Candidates just leave their old campaign websites up forever. I don't understand why, yeah, it's just kind of odd. So I'll talk a little bit about the congressional site statistics. The stats that we're going to show include everyone running for Senate that we could identify. All House incumbents are included in these stats. We included some of the races that we deemed important. There were too many candidates for us to include in some of this information. And likely there's some skewing towards incumbents. And a majority of these cans we took in June of this year. We did rely on ballot to pedia for pulling some of the candidate information. Thank you, ballot pedia. You're awesome. So I'm going to let Josh talk a little bit about some of these, but I want to say that there's in this grading scheme, there's an A plus. And there's a there's a B and a is good all the way down to T and F. And then there's no grade. I wanted to put an F minus on the no grade. But Josh wouldn't let me put an F minus there. But this is the output from our, you know, you know, online scanners that we aren't allowed to mention because of licensing issues. But we're looking at TLS implementations and there's grades involved. You figure it out. Yeah. So what's really great to mention here is that like, you know, over 50% of the, you know, folks in the house, you know, over 60% have a score of B or better. There's about 30% of the folks out there running for house have either no TLS or SSL, or they have a major cert issue. And so we wanted to try and contact all these folks, but it got really time consuming really quickly to go to each of their pages and look at the information there and find an email address. Yeah, they got to be really, really difficult. If you look at the Senate, though, you know, tops house, bottoms Senate, the Senate fairs so much better about 80% of folks just have an A. And then, you know, 4% had some sort of issue. We think that's because, you know, Senate campaigns are generally better funded. And they, yeah, I mean, I think that's just probably the answer that they're just better funded and around for six, for six years. If you look at some of the con congressional TLS implementations, you know, from left to right, we have, you know, TLS 1.0, 1.1, 1.2, 1.3. And then what you see is that on the giant bar is the, you know, total folks in the house who supported that that version of TLS in the tiny bar is the total number of people in the Senate who support that, you know, that version. What you see is very small usage of TLS 1.3, which just came out TLS 1.3. That's awesome. But, you know, most folks had TLS 1.2, fewer had 1.0 and even fewer had 1.0 and no one had SSL, which is kind of interesting. Really wasn't expecting that. Let's look to the states. The states and local jurisdictions, they also have websites. They, they host election websites as well. Those election websites, they provide information, results and they help register voters. The sites could be hosted by the Secretary of State, the State Board of Elections or some other third-party group like Cloudflare or Google. The overwhelming majority use a .gov top-level domain. Others use .us or .org TLD and about half of the voter registration systems, they, they move from .gov to .us or .org. Just not sure why. It's, it's a little, little chaotic there. He's going everywhere, man. You just, yeah, so this is what one of those voter registration systems look like. Honestly, they're just a web app. I mean, they, you know, you basically put in information about who you are. There's basically knowledge-based authentication going on. And this is how you register to vote in 37 out of 56 states and territories. Speaking of the 56 states and territories, Americans MOA is an, like, unincorporated U.S. territory. You know, they actually run separate .gov and .org sites, which is fairly common. We don't know why. Maybe the older .org site gets, you know, kept alive. I'm just, I'm just, I'm really unclear as to why that happens. They were using Drupal and they were basically affected by a Drupal vulnerability as you do. And they actually were distributing malware to all of the folks who came to their site. It was something that we, you know, contact them about. There's a big time difference there, obviously. We actually called them up. They were a one-person IT operation. And they tried to fix it. And then it kept coming back. And then it ended up being that you could only get the malware version of their site if it came from an IP outside of the U.S., which is really strange. I don't quite understand what's going on there. Maybe they knew about us and or something. I have no idea something weird was going on there. This is what the, you know, affected website looked like. You can see the, you know, Chrome address bar on the top, you know, on the top left saying this is, this is dangerous. And so this was, you know, Americansmoaelectionoffice.org is the website here. And then stuff started to get weird when we were re-viewing everything for this talk. We sort of realized that Americans SamoaElectionOffice.org was mentioned in the leaked NSA reality winner memo. And that memo talked about foreign adversaries sending malware to affect the American SamoaElectionOffice systems. It was really weird. And they were the only election office that we found that was, you know, actively hosting malware. Although strange, we do believe this to be coincidental, partially because it just seems to be a random Drupal vuln that was, like, exploited. And the fact that you have to come from outside of the U.S. in order to get the page. But we're not quite sure. Okay. So remember there are voter registration systems. And then there are state board of election websites. And we put those into two different buckets. They host two different types of information. Very, very different sensitivity of the information there. So the voter registration site grades. You know, everyone's heard about these systems being under attack over the past two years. You know, what's really great news is that an overwhelming majority got over a score of B or better. That's awesome. You know, it gets really, really sweet. We did have two F's there. And we had a C as well. We think this is really cool information to have because it's sort of like a measurable thing that folks can be, you know, graded against in the future to see if we're getting better, worse, what have you. When we contacted the first F state board there, they fixed it immediately. They were extremely happy to get that information. They're like, you know, cyber security is really important to us. And they fixed it ASAP. The other C and the other F, it was a little more complicated. We are two guys coming from, you know, Gmail addresses. So that doesn't look awesome. It's probably a good thing that they were really worried and, you know, on guard against people fishing them. But it took over a month to get a response. And the only way that we were able to get a response was to go through back end channels. And we'll sort of talk about how to improve that later. All these are all fixed now, which is dope. Yeah, so HSTS use inside of voter registration systems. So we saw that not a lot of folks, only about 25% of the VR systems had HSTS. This is HTTP strict transport security. And this basically can help stop a man in the middle attacks when you're, you know, initially requesting the HTTP version of a page versus an HTTPS version of the page. No one was on the HTT, sorry, was on the HSTS preload list. And we think that would be a really great thing for voter registration systems to basically sign up for 10 minutes till the show starts. Okay. So that was an all that reference. Voter registration, vulnerable vulnerabilities, there was no heartbleed, there were no poodle, we did see some robot, we had difficulty parsing those results for some reason, so they're not displayed here. Beast was a fairly common occurrence there. There are a number of states still have that in there, not the biggest issue, but definitely want to see if we can get that sorted and cleaned up. You want to do this one? No? Okay, okay. Mow through. So the election sites, typically states have a, you know, like a department of state site or a secretary of state site, they might also have a state board of election site, they might just have a voter registration site to tell you where to go register to vote and to lead you to their voter registration system, and they might also have a results site, so you can imagine results.penceltucky.gov. About 20% of the folks, you know, of the sites that we took a look at had some critical issue, typically just not using TLS or having a cert shared with a couple hundred sites, which is a little bit weird. That was sort of like a cloud misconfiguration issue we think, still haven't got that come completely sorted. I think the only way, you know, initially we were sort of being told by states that they don't need to have TLS on their websites. It wasn't until that we said this doesn't just protect you, this actually protects your voters as well, that we started to see that that argument seemed to have some weight with them. And all these aren't quite sorted yet, but we're working to get these sorted. These sites were a little bit older. They were a little bit worse off. A robot was also in about half probably. Beast was in half and was also poodle. No one had heart bleed again, which is awesome. That's a great news. People should be saying good things when we have good news, right? Everything's not on fire. So it turns out that vendors have websites too, so these are the people who might produce some of the software or some of the hardware. It might be some voting system resellers, and it could be voter registration vendors or voting service providers. We saw some failures here as well. We did contact the vendors. Good news here is we did contact the vendors and they were able to address everything pretty quickly. Except for one. Except for one. Kind of got crappy with me. It sort of turned into this is not a vulnerability. Don't call this a vulnerability. You're a vulnerability type issue. I was like listen, I don't care. Fix it. Fix it. They were like don't ever talk about this to anyone. So we're not saying anything. And I think we are at the recommendations. Okay. We got seven minutes left. We got this. Okay. So recommendations, two cam pains. Be aware what you click. Everyone already knows this. Two factor off even on personal accounts. I think the campaigns definitely know this now. But here's a big one that still isn't really addressed. If you're going to run a website, you need to basically defensively typo squat on your own name. You just definitely need to. We have basically a giant list of ones that you should purchase in the back that we saw as being most common. If you want these slides, you can go to donaldjtrump.vote. And so, seriously. So basically use a trusted digital search please, you know, TLS 1.2 or better strong cyber suites. Use HSTS especially if you're a long-term incumbent. Get on that preload list. Consider EV certs. Work with ISPs and FBI for domain takedowns. And run free, you know, assessment tools on your own domain. For states, again, two factor off, you know, especially with your, you know, personal devices, password, hygiene, all that. Like purchase common domains, like register penciltucky.com because folks are out there and they're going to be doing that, you know, that sort of stuff. Maintain a trusted cert. This was a big issue. States just didn't have trusted certs. Use TLS. That's a really reasonable baseline web thing. Get on the HSTS preload list. It is free. It is one sheet of paper online. You have to fill out. If you don't have a dot gov site, please get a dot gov site because that was a big issue. Does anyone know the domain to get a dot gov site? Dot gov dot gov. Yeah. Well played. Yeah. So, you know, the EISAC and DHS are out there to basically help with threat intel and remediation. Run open source tools against your own domain. Don't just trust other folks. But, you know, do get outside assessments. Vet them first. Make it easy to contact you. It was extremely difficult for someone in this room to contact an election official about some sort of volume in their site. Also, there's like a big new international standard out there. And you can, you know, it basically talks about the best ways to make yourself available. I think States should definitely take a look at that standard. You know, use something like security at penciltucky.gov or alert at penciltucky.gov. You know, the aftermath, zero sites with SSL, zero homographs, which was very interesting. We expected those. A lot of HTTP. We had two big VR systems with a, you know, with the grade of F, one with the grade of C, basically contacted campaigns and vendors about all sorts of issues. We contacted all and worked with some states affected by, you know, likely typosquats, suspicious domains, poor, you know, TLS implementation, known volns, untrusted certs, and then malware actively on their site. A little bit of, you know, some thoughts on the U.S. cybersecurity posture in the next two minutes. The situation is improving, yet there's still some common sense ways to, you know, make things better. States are getting some monetary assistance from Congress. But yeah, you know, we need more of that. The whole community is responding. You know, the the Center for Internet Security released an, you know, election focused handbook on cybersecurity and elections. The Center for Democracy and Technology in the Center for Technology and Civic Life basically worked together to make, you know, classes for election officials to learn cybersecurity basics. And then the Defending Digital Democracy Effort is, you know, focusing on campaign cyber out of Belfer Center in Harvard. Last slide, you know, we need to continue defending our elections. We need to, you know, do more, better at larger scale and faster. So we assess the bare minimum of web security. What was legal? We honestly think we shouldn't have found what we, you know, what we found. It is difficult to talk with election officials about some of this stuff. But that doesn't mean that it's not worth it. Responsible disclosure is very important in the field of elections, especially when folks are actively using these systems to run elections. Listen, if you don't vote, you're helping the attackers, you know, you're ultimately, you know, making the system worse. In my opinion, all this can be done by ordinary citizens. All, you know, all of you can actually help here, right? And if you want to help get involved, work the polls. Folks really, really need you. I like the woo. I like the woo. Yeehaw! That's what we'll do, okay? So for a copy of everything, you can also go to Please Go Vote. Thank you so much, everyone. Thanks, guys. Cool.