 Hi, welcome to the first annual vote hacking village here at Defcon. Yeah. Yeah, all right So my name is Jake Braun. I this ridiculous thing was my idea and so somehow that landed me as the emcee today so I'll be in here all day and introducing people welcome and I Was the White House liaison to the Department of Homeland Security. I run a small National security and cyber security strategy and policy consulting firm called Cambridge Global Advisors And I teach cyber policy at the University of Chicago So just to do some quick table setting on what we're actually trying to achieve here and kind of what we're not trying to achieve here As well before I introduce our first speakers Let me just start by saying anybody who Thinks that they are machines network or database can't be hacked is either a fool or a liar, right? I think that's actually a totally uncontroversal thing to say at a place like this. However, unfortunately It's it's a pretty controversial thing to say in the election space And by the way because of some of the great work that this conference has done over the last 20 years 25 years You've got people in some of the Top industries top countries are top companies in the world Apple Google Lockheed Martin JP Morgan even the NSA Would never say with the straight face. We can't be hacked. We're unhackable and by the way 20 years ago They were all saying the same thing that we hear today in the election issue Oh, our machines don't never touch the internet, you know Our databases are air gapped and backed up all the time all this stuff Well now not only again because of the great work Death kind has done not only would all these industries say that they're hackable They would say we're probably being hacked right now successfully by multiple different actors, right? And so the goal of what we're trying to do here is not to play gotcha and show we can hack into this machine Or that database or or this county clerks, whatever first of all a we already know that we can write the Russians have already done it and And many researchers have already done it. This is they haven't been able to make the research public That's not the point. The point of this is actually much greater The point is to erase the idea of unhackability from the election industry writ large Why is that important? Well, that's important because We are actually now under a direct existential threat to the United States from a foreign adversary who has essentially unlimited resources Russia and Until we can get this industry to to get the whole concept of unhackability out of their mind We won't be able to begin to start Securing our democracy and so What we what we seek to do As as this goes on year after year is help get this industry to come around and again realize that that they are hackable They will be hacked the Russians are going to be back other bad guys are going to be back And they're going to get in and so then what do they need to do as our friends from friends from verified voting are going to talk about They need to actually talk to each other and share threat information they need to take the help of of Hack of the hacker community and securing their networks and they need to work with with our national security apparatus in this country To help secure their networks and by the way, you know, Google Facebook Apple Lockheed Martin JP Morgan None of them wanted to work with the national security apparatus 20 years ago when they were first being hacked and so on but you know They're sitting duck when there's a nation state after them and they've all now realized this in the election industry needs needs to do the same and so On that note by the way one thing I do want to point out before we get started is that if it wasn't for some really amazing local election officials Like a Dean Logan in LA Ricky hatch in Utah Lance golf in Chicago and some other people in the Chicago area that prefer to be remain nameless Helping us with this and really taking Understanding this for what it is which is an opportunity again not for us to play gotcha, but for their staff To get access to some great training and to have some great research done on on their Systems and machines and so on None of this would have been possible. So I do want to give the election officials who helped us with this around of applause before we get started Okay, so without further ado our first speakers David Jefferson is the board chair of verified voting Verified voting has been working on this issue for well over a decade decade David is a visiting computer scientist at Lawrence Livermore National Lab where he works on supercomputing applications, but has also been active in research in this space since Well for for decades In 1994 while a digital equipment corporation He oversaw development of the California election server the first web server anywhere to provide online voting information on candidates and issues In 1995 he helped develop in cooperation with California voter foundation the first online database of campaign finance information ever for the San Francisco Elections that year and Barbara Simons is the president of verified voting same organization Barbara has been on the board of advisors of the US election assistant commission since 2008. She published a book called broken ballots that you should all read and On voting machines that she co-authored with guy named Douglas Jones She also co-authored a report that led to the cancellation of Department of Defense Internet voting service done Oh, and but I can't I have to say that she's also the former president the Association for Computing machinery the largest and oldest international educational scientific society for computing professionals. All right, so Barbara and David please come up All right, so I'm going to speak first and I'm what I'm going to try to talk to you about is the ecosystem of Hardware and software and procedures in a US election There's a lot of concentration in people's minds on the voting machines themselves Those are the gray ones that I have in this diagram But there's a lot more to it than that and I want to introduce you to what it is when you learn the architecture about the information flows in in an election You'll you'll be able to understand the vulnerabilities That are not obvious otherwise. I'm going to probably just get rid of this microphone and speak to the diagram No, I don't mind Okay all right so There are basically Three kinds of information flows in an election the red arrows here talk about the flow of software and firmware through the system The green arrows talk about the election definition Which is data that describes the election what the candidates are what the propositions are where they where you Where the boxes are that you touch or or check and then the blue arrows Are the flow of votes and ballot information and derived information from from them? And then I have dotted lines here for in the case of voter where Systems have what's called a voter verified paper trail now I'm gonna go over this quickly and then I'm gonna Retrace in some with some particular marks about the software So first of all in the top left corner you see the vendor the vendor is the Company that both builds or contracts for the building of the voting machines themselves and also writes all of the software for for the voting machines not just the terminal voting machines where voters Record their vote but also the back. Whoops. Pardon me The back-end canvas computers that aggregate all the votes from the voting machines and and Produce the the final results so Let's look follow the red arrows from the vendor the vendor. They're very few vendors in the country a handful five six Nationally there are thousands of jurisdictions so many vendors or each vendor sells to many jurisdictions The vendor writes the software for both the voting machines and for the canvas computers those are treated as a single product and And a given jurisdiction buys all of its software both front-end and back-end from the same vendor The vendor then sells its Systems and services to the various jurisdictions so the next line there is supposed to represent local election officials government officials Who are legally responsible for the conduct of the election? They get copies of the software from the vendors. They only get binaries. They never see the source That's one of the issues that I'll come back to later They load those binaries prior to an election. They load those binaries onto the voting machines that are going to be distributed out into the into the precincts in the jurisdiction The This diagram is talking about Electronic voting machines such that you have over there in the in the hackers Forum over there You could vary this diagram for jurisdictions that use Optical scan voting systems, but For purposes of today. I'm talking about electronic voting machines. All right So the vendors of sorry the the election officials install software and all of the voting machines and they distribute all of the voting machines to each precinct a Few days before the election the voting machines sit there for a while in the custody of Maybe a nobody's custody they may just be locked in a closet or they may just be sitting in a hall somewhere They may be in the custody of a pole worker, but they find their ways to the pole on the election day Also the election officials install the software in the canvas systems and the so-called election management systems and the Ideally the election officials are the ones who run the canvas and run the election management system however more and more it seems to be the case that Jurisdictions don't actually do that. They also outsource The the running of these applications the back-end applications to the very same vendors So That's the flow of software to the voting machines and to the election management and canvas systems The flow of election definition Data that describes the election also comes from the the vendors To the election officials the election officials load it Load it on to the voting machines and to the canvas systems Oftentimes they outsource the production of that election definition file also to the vendors So the vendors play an absolutely critical central role here oftentimes a much more a much stronger role than even the election officials do The flow of votes of course a voter walks into a precinct Authenticates himself as being allowed to vote in this election being registered in this precinct Walks over to a voting machine Casts his his vote At the end of the day at the end of election day all of the votes are recorded on Memory cards that were inserted somewhere in the in the back of the voting machine Ideally those memory cards are removed at the end of the day and hand transported by poll workers To the back to the county where they are read by the canvas machines and the canvas systems Aggregate all the all the results and determine Who has won the election? Of course they have to deal with absentee ballots as well And there are many other kinds of many kinds of ballots you have to deal with provisional ballots So it's much more complicated than I'm talking about but this is idealized Eventually the canvas report is published and that indicates to the world who's supposed to have won the election Now let me do a time check here Okay Some Electronic voting machines have a feature called the verified voter verified paper audit trail Some of the machines that you will see down the hall have them some do not The voter verified paper audit trail was a late addition to the concept of an electronic voting machine In attempt to deal with the security weaknesses of all electronic voting machines because with the all electronic voting machines You basically have to trust all the software We did not want to be in that position so we tried to shall we say backpatch by adding a a Voter verified paper trail and the way that works is this when the voter is standing at the voting machine and Presses that cast my ballot button of course his ballot is recorded electronically But it is also printed on paper At the side of the voting machine and the voter is supposed to look at that and the voter is supposed to verify What's printed on the paper is the way? I intended to vote and he's supposed to report it if there's any difference as a Matter of fact hardly anybody ever does that which is one of the profound weaknesses of the VVPAT concept But if we assume that voters actually did that Then that printed audit trail from every voting machine Which now the voters have verified contains their true? Intense in principle they could all be aggregated and looked at it's on paper now and the paper copies of the votes are Of course immune to any kind of software attack. That's the beauty of it No matter whether they're bugs or malicious code anywhere in the line the paper trail is immune to To that kind of attack or failure so ideally you could you could it? Okay, you could take a random sample Or or the entire corpus of Voter verified paper records and compare them to the canvas report and if there were differences You could know there's a problem somewhere in the software in the procedures used to to to aggregate or possibly malicious code and if the if the law so supported it you could actually Presumably prefer the results from the hand counted paper audit trail the law doesn't prefer this but I mean principle it could So that's the that's the general flow of software votes and Election data, and I just want to make a few quick comments about the software itself before I turn this over to my colleague Barbara Simons The software written by is written by anonymous programmers Who work for the vendors? We don't really know who they are. We don't know how they're vetted They do not have to have security clearances. We know they're anonymous The software itself is considered proprietary by the vendors it is They are very protective of that proprietary nature So there's a network of law and contract restrictions and NDA's that prevent you or me or anybody else from Really seeing the insides of that software a few of us have under certain Circumstances been able to see that sort the source code But most people are not and that includes election officials election officials all over the country are running software And they do not even have the the source a Lot of the software in both the voting machines and the canvas systems is Cots software commercial off-the-shelf stuff. It's about mostly operating system stuff You will note that when you go down there you will see that some of these systems are so old They're running Windows XP. They're running Windows CE Some of them run Windows 2000 Nothing nowhere in the country are they running act systems newer than these or hardly anywhere if I'm not aware of any I mean that these are old and the reason that they are so old is because once they are certified You can't change a voting system without going through a complete recertification process, which is long slow and expensive The security features of these systems from beginning to end are especially weak The weak points would include the software update and installation process the password and key management cryptography and randomization all generally very weak and even the physical security the ports and And seals on voting machines when they are When when they're in storage and when they're in use It's a mess I Already mentioned that the software has to be certified to meet certain federal standards These are drafted by NIST and the EAC you'll hear more about that in the next panel So I'm not going to go into that now Except to say that the current standards are over a decade old Quite weak in the subject of security and they're only voluntary on the states anyway And they're enforced only by testing protocols not by any kind of deep analysis of of the source code So this I think I'm going to stop there and turn this over to Barbara Simons my colleague Barbara Okay, I guess this this will work I'm not going to bother with having slides up because they're not very exciting I'm going to be exciting, but the slides aren't exciting. So First of all, I want to thank you guys for coming here and for working on this really really important issue I mean, we need to get many more people involved we need to be able to show that there are major problems with these machines and I'm hoping that some of you will actually be able to show that with the work you're doing here. So thank you very much Here before it's been very difficult for independent experts to Examine these machines for some of the reasons that David mentioned the software is proprietary and some of you guys probably know the digital Millennium Copyright Act which makes it very difficult to To examine software if you don't have permission to do so. So There's been an exception made which allows this to go forward this this hacking village to go forward Fortunately that will remain for more than like the next year or two, but we may they may take it away So that's another issue As David said early test the testing is totally inadequate the early testing was even worse a lot of these machines that are in use some of them the ones that you'll see there were certified to early testing Where there was no penetration testing. I mean, can you imagine they had a list of requirements? I mean, can you imagine a major software vendor doing testing by just checking off a list of requirements like single entry single exit Loop without doing penetration testing and yet that's what's what's been done for many of these voting machines The results are sometimes secret So even the testing results are secret and there's a case in California Where the then Secretary of State Kevin Shelley tried to get the test results from debold machines because he was concerned about the debolds That were being used in California and the testing agency said to him These results are owned by debold and you can't get them from us You have to get them from debold and of course debold wouldn't turn them over. So even a very Proactive Election official who wants to know what's happening who wants to know the test results couldn't get them and So I'm gonna talk a little bit about how we got here and and the story kind of begins back with Florida 2000 which of course I'm sure so those of you who aren't old enough to remember what happened have probably heard of it and Some of us are old enough to remember And that but what really happened was forwarded 2002 because they had more problems in the midterm in Florida also as Result to help America vote act was passed in 2002 and it allocated About three billion that's with the bee dollars to replace voting systems And one of the unfortunate conclusions that a number of people reached from Florida 2000 Was that paper is bad? Paper is bad paper list is good. And in fact, I would go further than that to say that there was also an effort made to I'm not sure if exploit is the right word but to manipulate voters with disabilities Because there was there were people going around saying Paper machines with paper discriminate against voters with disabilities as if all voters with disabilities Had vision problems and as if there weren't alternatives for people who do have vision problems So a lot of people felt that that to support paper was to be against voters with disabilities Which is a really bad place to be put. I mean as a policymaker. So that's something else that happened and of course all This money was suddenly made available election officials wanted to get it and they wanted to get the newest and greatest shiny object and And not only so the vendors would say completely secure Federally certified we already know what that meant and of course You did they could just touch a button at the end of the day and get the results And if you're a hard-working election official that sounds really good You can go home, you know It's some decent hour of the night and you don't have to worry no recount. It's perfect You're done. So it was very appealing plus. There was sort of a gold rush mentality Everybody wanted to get this newest thing and besides they wanted to get have to get the money What was still there? So there was a big rush to buy machines And of course computers had to be introduced if you're going to go paperless you need computers David's already talked a bit about direct recording electronic machines These are the machines where which directly record the vote so the typical one will show the vote on the screen You will touch the screen. They're not all they want to all touch screen but most of them were you would touch the screen for your candidate and Presumably that information would be stored in the memory of the computer and initially most of them were paperless There were of course issues even early on because if the machines were not properly calibrated You could have problems. You would have jumping votes and people, you know, and and we've seen this a lot in recent elections We're say what they said, you know, I voted for Obama and there's other candidates name, you know And then people would say these machines aren't secure because I touched the vote for the button for candidate a and candidate b's Name approach appeared, but in fact, we don't know if that was insecure or not because we don't know what happened inside these machines So it's quite possible. They touched the button for candidate a and a was recorded in the machine Or maybe b was recorded in the memory. We don't know because of course nobody knows So these machines on top of everything else were really badly engineered I mean the technology the touchscreen machine was bad because it had to be constantly recalibrated They were insecure the testing was lousy It was a bad deal all the way around and yet they were used almost throughout the country In response as David said when when the computer scientists and other people election activists started complaining about this These they were there were retrofits with these voter verified paper audit trails Which tended to be continuous roll thermal paper With small font that was hard to read bad human factors one of the major vendors recorded every single step that the Let that the voter did which made it very hard to figure out what your final results were People didn't look at them and then if you did want to recount them It was a continuous roll which is hard to recount the thermal printed like what you get at a gas station which can fade in the heat I mean again, so really badly engineered machines were retrofitted with really bad retrofits I mean they were at least consistent So there were also paper ballot systems Typically, these are what we call upscan systems where you have a paper ballot in California You connect the broken arrow to decide who you're going to you know to signify who your selection is some places There'll be you know You feel in an oval and then these machines are put through scanners, which of course have computers in them So there are again problems with the scanners if they're not calibrated properly They may if they're calibrated to be too sensitive They may pick up stray marks and think that you voted twice Which you're not supposed to do if they're not sensitive enough they may miss So there are calibration problems there too, but the good news is that there are paper ballots So with if there's malware or software bugs Or calibration problems you can find them if you look at the paper ballots another advantage of course is that With paper ballots if the scanner is down people can vote the paper ballots and deposit them in a ballot box for counting later So it's a way to avoid long lines Although ironically we've seen in the past couple of elections that sometimes poor workers don't even know you can do that And so the lines is still they still form because poor workers don't tell voters that they don't have to wait for the scanners There's another problem which is that a Lot of people don't understand that these things have computers in them I mean that might I'm sure this audience finds that hard to believe But in fact people don't understand that the way the scanner works is it's basically a computer So we saw in Wisconsin in the recount in 2016 in Wisconsin That some places did a recount by manually recounting the ballots, which is what a recount is Other parts re-scan them. They put the ballots back into the scanners, which does not check the computer I mean it's sort of a silly exercise, but that's an example of the lack of understanding So I think I'll talk a little bit about debold because debold is the poster child of all that's wrong with these machines And I have to say in debold's defense They I mean they did have really lousy security and they did post their software and open FTP website Just asking for people to download. I mean they weren't asking but you know They set it up so that it could be downloaded and checked So yeah, they deserve a lot of what they got but the fact is the vendors were all bad We know that at this point, but anyway debold in 2002 was used in Georgia in a Georgia major Georgia midterm where both the senator senator Max Cleveland and the governor Were head in the polls and they both lost So we don't know if they truly lost or if there was a problem What we do know is that there were last-minute changes being made to the software with no oversight Now anyone who's worked on a large software project knows That you're always making last-minute changes, you know until the company releases it because you're always finding problems So there could have been very legitimate reasons for these last-minute changes or somebody could have decided who they wanted to win We don't know and nobody examined the software and of course that software is long gone So and and it was paperless. So these machines were used in Georgia 2002 in 2003 as I said somebody actually a journalist found The bold software on an open FTP website and downloaded it handed it off to some security people at Johns Hopkins and Rice and They examined that software and that was the first case where we've had an independent Examination done by people by computer security experts. They found They found gaping holes for example There was a single key a single key to encrypt all the data on every storage device And it was in it was in the program text and that key was F2 654 HD 4 That's all you needed So that was one of the things they found in 2006. There was another study. Well, there have been a lot of studies I'm skipping over a lot of material in the book. I wrote this whole chapter on deep old If you know, it's kind of interesting but in 2006 the Princeton team Showed how to implant a virus on a deep old machine on deep on these deep old machines So that you could basically rig an election. In fact, they testified before Congress on that Ed Felton did They also noted that The slot which contains the memory card has a lock and you could open that lock using a standard hotel bar key and They're pretty standard. So it was also easy to pick but you didn't have to bother you just get this bar key These same machines are in use today in Georgia They were used for the Georgia CD 50 election. Some of you may recall that election $50 million were spent. This is for a house of representative seat. It was the most expensive election ever and actually There were some other problems found in Georgia, which I won't go into one of the people found them Logan Lamb is here And so when I finish he's going to come up and just talk a little bit about Georgia because it's that's also an interesting story But these machines are still there still use in use today and there's no justification whatsoever for their use So there have been some studies. So you guys are not the first ones to try to look at these machines There have been a couple of studies that were sponsored by Secretaries of State and David mentioned how he was able to look at something because he was involved with these studies so in California the secretary of state Bowen did what was called the top-to-bottom review and She required the vendors to produce the machines and the software and all the all the related Material for getting an election setup and she was only able to do that because of a court case that had happened a few Years earlier with an earlier with Kevin Shelley and earlier Secretaries say who actually went to court and won that's the only way she could get these machines I mean you wouldn't believe how hard it is for people to get their hands on them So they she basically went to the University of California And they put together a missive folks put together a team They examined the security the the documentation The accessibility is the only time that that these machines have ever been examined to see how easy they are for voters with disabilities to use They did badly on everything and I should mention a there's some people here like Candace Hocus here Who was one of the people involved with this and Matt blaze was also In fact Matt blaze had an interesting quote We found significant deep-rooted security weaknesses in all three vendors software It should now be clear that the red teams were successful not because they somehow cheated But rather because the built-in security mechanisms. They were up against simply don't work properly There was a pervasive lack of good security engineering across all three systems. So as I said, it's not just debold These were two other systems as well. I believe e s and s and what was the third one was a heart I don't know So the red teams were able to break into all of them That should be inspiration to you guys The California study was validated by a subsequent study done in Ohio called the Everest study Which also again brought together, you know, really good security people They found they they basically found that they validated everything that was discovered in California plus they found more problems this was back in 2006 2007 and Some of these machines are still in use today. They were still used for the 2016 election To my way of thinking this is nothing short of a national scandal in addition. Many of the old machines are falling apart David's already mentioned some of the ancient software that's on them and the fact that it's not even updated frequently But even where there are updates because of the whole certification issue because then they need to be recertified So there's a catch 22 on top of everything else if you want to be conscientious and Update your software then you've got to go through recertification in which can be expensive and time consuming So if you don't want to go through that you don't update The hardware is also failing I mean these machines are just literally falling apart in some cases and some election officials are having to cannibalize other Machines to keep some of the machines going so election officials actually do want to replace these machines I mean, this is not a case where we are fighting against election officials the problem is there isn't money and So that's another issue obviously not directly related to DEF CON but that's something we need to be concerned about Oh, I should just mention that you've all I'm sure heard about the long lines in 2012 and 2016 a Lot of these were caused by the DREs the direct recording electronic machines because unlike paper ballots You must vote on the machine if the machine if there are some machines that are down Or if there are long lines a lot of people want coming to the polls at the same time You have to wait or not vote and go to work because you can't afford to spend an hour waiting in line so The good news, I mean Jake talked about how we are under attack and I agree I lose sleep over this and I hope you will too Because we have to fix the problem but We know how to protect ourselves against hacking we have the solution and it's pretty straightforward We need paper ballots and we need manual post-election ballot audits To check that the computers that count the paper are working correctly If we can get that nationwide We'll be safe from hacking of our voting systems. I mean, I'm not I'm not talking about the voter registration databases That's a different issue. We need to do we need to take significant steps there too to protect those But if you look at the voting technology itself paper ballots manual post-election ballot audits By the way, you have to randomly select the ballots clearly because if you don't use randomness The bad guys will know what you're going to look at and they'll they won't touch They'll just touch the other stuff and incidentally a lot of people don't know what random means Sometimes election officials will announce beforehand what they're going to you know Which precincts or whatever they're going to look at that ain't random so One of the problems we've had historically is Convincing people that this is a problem Not people like you but the press policymakers election officials and I've talked to a lot of reporters where they say to me well give us an example of a of an election that was hacked and The problem is the beauty of these paperless systems both these Touchscreen voting machines and internet voting by the way, which is another which I know there's going to be a whole session on that That's another really dangerous. I mean that's the worst actually But the beauty of these systems that don't have paper ballots that were marked by the voters Is there's no evidence? It's the you know, I mean It's very very very hard to prove that election has been Stolen not only because of the lack of evidence, but because of the resistance to looking we saw that in the 2016 Recount where there was great resistance even to doing recounts of a small number of states And in fact the Michigan recount which Michigan is all paper was halted in by the courts And of course most of the country wasn't really adequately examined at all So in fact, we don't know Whether or not the 2016 machine election was hacked because nobody has done an adequate study to determine whether or not it was hacked So going forward. We just can't allow this to happen. We have to fix these systems And we have to get paper ballots everywhere. So I'll just end with a quote from former FBI director Comey, which I completely support they'll be back in 2020 they may be back in 2018 and one of the lessons they may draw from this is that they were successful because they introduced chaos and division and Discord and so doubt about the nature of this amazing country of ours and our democratic process I think they will be back in 2018. They're a major major midterm elections coming up they're even important elections coming up in 2017 the governors of New Jersey and pencil and I'm sure Virginia are going to be reelect or elected in 2017 and There are a lot of bad machines Pennsylvania 80% of Pennsylvania is paperless buddy machines that are incredibly insecure 80% and this is a major state We've got to fix that. So thank you for the work you're doing and thank you for your support And I would I would like to see if Logan them could come up Talk about Georgia. This is Georgia. I'm a pacer All right, cool. Hey friends. So I'm Logan lamb. I'm a cybersecurity researcher based out of Atlanta. I primarily do wireless cybersecurity research, but Since it was election season and we all like to break things. I really really wanted to get my hands on some voting systems so I ended up going down to the elections office in Fulton County and I was attempting to speak with the election supervisor Richard Baron I think and I was gonna say hey, I'm a you know local cybersecurity researcher I'd like to do some good work and help you guys Well, as you can imagine, I didn't get past the secretary so she ran my card back to Richard Baron and Then they came back to me and let me know that all of the election systems in Georgia are actually handled at Kenesaw State University by the Center for election systems So immediately I thought this was kind of wacky, right? It's like what what is this university doing with all these systems? so Prior to sending an email to the director there. I figured I'd try and get some you know background information on the group And just see like who are these people? What do they do? So I checked out their website and then you know just fired off like the simplest Google dork ever I was just like hey, I'd like to see all of your documents and PDFs you have on this website, okay? Lo and behold There were some really really interesting documents that were already cached by Google, okay? I clicked one of the links and what appeared to be in front of me Was a list of voter names Okay, so at this point I was like is this real life is this happening right now so Yeah, I mean this was just a web server. So I went up a couple of directories Because it had like a directory structure in the route And then I looked at their robots.txt wrote a quick like bash script a curl everything off recursively And then I went to lunch Yeah, so Then I went to lunch and when I came back and I checked to see how much data I had on my computer I had 15 gigs worth of data y'all It's crazy crazy stuff so Yeah amongst this 15 gigabytes worth of data I had all of the voter registration information for everyone in Georgia. Okay, so that includes Names, addresses, birthdays, last four digits of your social Also your full driver's license number which seems relatively innocuous But you can actually use all that information to change people's Registration with the DMV. So that's just a whole nother kind of worms Okay, what else was there? We had PDFs of election day passwords and This seemed to be the same across all counties. Okay, and there were also Some gyms databases and like to this day. I have no clue what those were doing on that server. It's just a web server and From what I could gather it looks like this server was being used to disseminate information to all of the counties and There was like a a bulk update file which had a bunch of voter registration information and a couple windows binaries The center for election systems They would actually tweet out every couple months and be like hey There's a new bulk update file that you all should go download and run on your systems Well, yeah, so it looks like this Hilariously insecure system was being used to disseminate information related to the election systems Well, I mean it keeps getting worse actually So this web server it was vulnerable to Drupal get in okay, and Drupal get in is like the easiest exploit. It's easy mode There are YouTube videos detailing how to pop boxes using Drupal get in and this has been around since 2014 I think and I'm pretty sure it's 2017 now. So that's that's no bueno so an attacker could Trivially get root on this box that is being used to disseminate information and Amongst that information that they are intending to disseminate are windows binaries. I mean come on so I mean an attacker could very trivially implant malware in that and I mean never mind actually getting root on that box and then more than likely being able to pivot in Deeper into the center for election systems networks Oh Okay, so just to reiterate the center for election systems. They handle provisioning Every single DRE in Georgia. Okay, so I mean it makes for a hell of a target and They say that they're testing networks or actually You know, they're partitioned Segregated from whatever network that I happen to get gain access to but given what we've seen so far. I Don't think they have the discipline to really do that All right, so Yeah, I found all this information Immediately questioned if this was real life and then figured out the best way to actually get this resolved because at the end of The day, this is always about building more secure systems so I spent a day or two trying to craft an email to make it sound like I'm not some Rando crazy guy who is getting into their networks. I sent that to the director for the center for election systems and Yeah, I had a weird conversation with him, which I'll get to so I sent him this email and I didn't hear a response I didn't wait 24 hours because I was really really concerned about this So I ended up getting his cell phone number and giving him a call, right? So I was like, hey Merle you You got my email. You're actually fixing this, right? And he oh gotcha gotcha Yeah, so chat with Merle King. He He assured me they were gonna fix this so at that point I dropped it Fast forward to March in March. I was working on the talk I'm gonna be giving tomorrow, which you all should come to cable tap and Over beers working with my buddies I was talking to Chris Grayson and I hadn't told him about this work previously So he went and double-checked what I had accomplished and they had not remediated it correctly So then of course I proceeded to download everything again, right? To see if they had actually made any changes The system was they fixed the Drupalgetten issue But they were still using the server to disseminate information as recently as 2017 so He let an individual at KSU know who could actually get this issue resolved They ended up bringing the FBI into it and then I ended up having the feds come to my apartment unannounced which For the for those of you who haven't experienced that I don't recommend it. It's not fun Yeah, so chat with the feds a bit and Yeah, as far as I know I I'm told they've actually fixed this issue now I haven't really looked into it because the feds are unhappy with me So I don't know if anybody's moderating this but I guess I have the mic Yes Logan Yeah, so the gyms database is that's where all of the votes are actually tallied and I have no clue what those were doing on that server. I don't have a real explanation there Sorry, so the gyms databases are not where the votes are tallied the those votes are tallied on the gyms machine What we think this is if because we're looking at the dates of the files that were when they were uploaded They actually come after the elections, so it's possible that those gyms databases were Tally totals that the counties then sent up to the election center after the elections Any further questions? I can't see who asked the question. Oh a question about open source there There are two jurisdictions in the country Los Angeles and Austin, Texas Travis County in Los Angeles County who are building Open source voting systems and then the elections community is certainly aware of open source as a possibility but Right now there are none as far as I know in use in the United States so obviously open source is preferable to proprietary software These both of these systems are fairly far along but at this point they need money to do the development work So if you know somebody who wants to invest in these in these systems It would really help with replacing these machines if we had the open source systems because they'd be cheaper So this is a this is the last question. We're going to have to we're running over time here So we see this we see this a lot. We see VPNs we see network connections that are not supposed to be there by law or by practice we see VPNs we see all sorts of Terrible operation security practices in various jurisdictions all over the United States. I don't even think Wisconsin is the worst at all I wish we had more time to talk about this But we're gonna have to cut this off now because the next session is gonna have to start So thank you all very much for being here