Speaker 0
0:10 – 0:13
Welcome to Tech Talk. Bye. CT.
Speaker 1
0:13 – 0:14
Tea.
Speaker 2
0:18 – 1:34
Welcome to CDT's tech talk where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives. I'm Brian Wasilowski and it's time to talk tech. Because we know you can't get enough of it, we're talking about election security again. This time, we get a report out from Defcon's voting village where hackers yet again expose some glaring vulnerabilities in America's voting infrastructure. And then we talked to the head of the Center for Technology and Civic Life about how they are working to make the Internet improve the democratic process. And yes, that includes elections. Defcon, the world's largest hacking convention, recently took place in Las Vegas. Again, one of the highlights was the voting village where hackers looked for vulnerabilities in voting machines. Surprise, surprise, they were able to hack into most voting machines, some in under two minutes. CDT senior technologist, Maurice Turner, was among the techies at Defcon, and he's here to talk about his experience. Welcome, Maurice. Thank you for having me. You're now our most regular guest. You must love being on Tech Talk. Oh, I do. I can tell. So tell me about Defcon. Was this your first time there? What was it like?
Speaker 1
1:34 – 2:03
So this is actually my second time at Defcon. Okay. Last year was the first year that I attended. I've been wanting to attend, for quite a while now. So, to say it's a dream come true is probably stretching a little bit too much, but I did have a really good time and actually, learned a lot more than I expected. Did you get hacked? Thankfully, no. I was well prepared. I I turned off my phone when appropriate, took the security measures that everyone should take, which is, making sure they have strong passwords and not picking up any abandoned USB devices.
Speaker 2
2:05 – 2:23
I bet those were all over the place. Well, I'm glad you did not get hacked. We had a couple other folks there, and they also did not. So, I guess CDT, you know, our technologists are training as well. So let's talk about the voting village. You were there with, Joe Hall, our chief technologist. What exactly is the voting village aspect of DEF CON?
Speaker 1
2:23 – 2:49
Well, the village aspect of DEF CON is really more of a a hands on approach to showing folks, what can happen in different industries. So other villages would include, like, a cryptography village, a car hacking village, a biomedical village is also very interesting. But I spent most of my time in the voting machine village, where they actually had voting machines, from several jurisdictions set up in realistic scenarios.
Speaker 2
2:50 – 3:00
So scary. Right? I'm like, okay. The voting machines and people are hacking into them. What happened? Like, what was kind of the jaw dropping, oh my goodness moments that happened?
Speaker 1
3:00 – 3:29
Well, it started off with a bang. There were hundreds of people waiting in in line for the village to open. So folks definitely heard about the village and wanted to get their hands on these machines, which is actually pretty unusual. If you're thinking about the other villages that I talked about, like the car village or the medical device village, those are machines that people can actually have experience with on a daily basis. But when it comes to voting machines, typically, it's only gonna be the election officials who have regular access to these devices. And a regular person would only see them maybe for a few minutes, every couple of years.
Speaker 2
3:30 – 3:48
So what what was kind of the crazy that you saw? What was, like, when people started hacking in, so there was interest in it, what actually were the outcomes of this? What were the things that people were like, wow? People literally dug into them. I mean, it it looked like corpses of voting machines by the time the weekend was done. They were all torn apart.
Speaker 1
3:49 – 4:04
Folks are really examining them down to to the chip level. What I found was really interesting, was the fact that there were so many people of all different ages and backgrounds interested in getting their hands on these machines, and they were really focused on finding these vulnerabilities.
Speaker 2
4:05 – 4:15
And did they find a lot of vulnerabilities? Yes. They did. What were some of the the vulnerabilities that were either surprising or, what what were the ones that were surprising?
Speaker 1
4:16 – 4:22
I'd say the the biggest surprise was a tabulation machine, which was a new addition to the village compared to what was available last year.
Speaker 2
4:23 – 4:34
And there was a buffer overflow that was found on the very first day. And there are I have no idea what that means, Maurice. You're gonna have to help me out there. Tabulation, miss Jean, I assume, counts votes. Yes. Buffer overflow. What?
Speaker 1
4:35 – 5:01
Well, buffer overflow is a little bit more of a a technical exploit, but it's pretty simple. It's where, commands are sent, with in such a volume that they actually overflow, and so folks can gain some access you'd wouldn't normally expect them to gain. So that was, like, the found vulnerabilities in that one then. Correct. And this was a machine that, despite being over 30 years old, is still in use in elections today.
Speaker 2
5:01 – 5:05
Wow. So that is one that actually could count votes wrong then. Certainly.
Speaker 1
5:06 – 5:31
That's bad. So if you were, were there election officials there? Did they kind of come and see their their voting machines and technology broken apart? Sure. There were some election officials who were there that I recognize, and there are some who were there a little bit more undercover, which is not unusual for DEF CON. There are quite a few folks from different industries who come not in their normal attire and and definitely don't wanna be identified. And they usually come from three letter agencies. So it's definitely
Speaker 2
5:32 – 5:43
a typical occurrence at DEF CON. There we go. What do you think if you were an election official or, you know, someone who works with election officials as you are, what election officials as you are, what would you hope that they took away from kind of this experience at Defcon?
Speaker 1
5:44 – 5:48
Well, I hope they had two takeaways. The first being that there are certainly vulnerabilities in all these machines,
Speaker 2
5:49 – 6:15
and the second being that there's a legitimate interest from researchers to find these vulnerabilities and report them back to the election officials or to the vendors to make sure that they actually get patched. So hackers as allies. Exactly. It can actually be the case. Right? And what about policymakers? I mean, obviously, the voting village generated a ton of headlines. I'm sure policymakers were reading this and thinking, well, what should what should we be doing to support election officials? What would your recommendations be there?
Speaker 1
6:15 – 6:41
Well, it certainly calls out the need for additional funding to make sure that these systems are kept up to date. But more importantly, it calls out the need for there to be some legitimacy, between the researchers and the election officials. So things like, vulnerability disclosure policy would be very important for states to have so that these vulnerabilities can be reported in a responsible way. Cool. So, actually, that's the next topic I wanted to ask about vulnerability disclosures.
Speaker 2
6:41 – 6:57
You mentioned, you know, you didn't just stay in the voting village. You did venture out a little bit, and there was talk around, around, like, legal safe harbors for bugs bug bounties. What is that? Kind of what's new and novel and interesting here? Well, the big announcement was Tesla coming out with their updated policy
Speaker 1
6:57 – 7:19
on not only how they receive vulnerabilities, from researchers, but also that owners of the vehicles can do research on their vehicles, without actually voiding the warranty, which is massive. You know, there is no other large manufacturer that I'm aware of that actually specifically states that a person's warranty of their device would not be voided,
Speaker 2
7:19 – 7:46
if they were to do research on them. That's interesting and especially, you know, all of us have cars and we're all driving, not all, but most are kind of driving computers these days and the fact that you can't actually research that, but I can think of few things that well, I can think of a lot of things that would be terrifying if they were hacked. But a car is pretty scary, you know, if that gets hacked and suddenly my brakes don't work or, you know, I'm accelerating because someone has taken over control of the car because I'm an excellent driver. So this would be, problematic.
Speaker 1
7:47 – 8:00
That's scary. So this is a really big deal. It really is. There there needs to be more of these legal safe harbors and vulnerability disclosure policies published and made available so that researchers know that there is actually an avenue for them to do legitimate research,
Speaker 2
8:01 – 8:14
and bring that information back to the manufacturer so they can be updated, and those vulnerabilities can be patched. Very, very cool. Alright. So last question for you. The swag. What is the swag like at Defcon? What did you bring back with you? What was your favorite piece?
Speaker 1
8:15 – 9:16
There's a little bit of everything at Defcon. Obviously, you have the the t shirts and the stickers. So I do have a couple more empty spaces on my my laptop. They're probably gonna get filled this week once I narrow down my selection. As long as the CDT one is still on there. Yes. It is very prominently displayed. Good. You had your typical camera covers for laptops, because there are more pool themed, parties that were happening. I did pick up a squirt gun and also a a branded beach towel. Alright. There we go. But I I think the, the swag that I am most proud of bringing back are the badges. So every attendee gets a a fun badge that gets them, into the conference. But then there are also, other groups that make their own badges for sale. And so I picked up, one of those and a couple of add ons to go with it. They're very blinky and flashy when it comes to, the lights and the screens. And some of them are even, hacker tools themselves. So, they can become, Wi Fi servers and also turn off TVs and do other
Speaker 2
9:17 – 10:03
nefarious things that are sometimes a little a little bit too much fun. I I was gonna ask why you weren't wearing them around the office, but now I think I don't want you to wear them around the office. Alright, Maurice. Sounds like you had a great time. Thanks for the readout from Defcon, and always a pleasure to have you. Alright. Thank you. Is technology good for democracy? Right now, that's rather debatable. But the team at the Center for Technology and Civic Life or CTCL is doing their best to make the Internet improve the democratic process. Today, we're joined by Tianna Epps Johnson, the founder and executive director of CTCL. Welcome, Tianna. Hi. Thanks for having me. Oh, it is such our pleasure. So tell us about the Center for Technology and Civic Life and why you started it.
Speaker 0
10:04 – 11:08
Yeah. So my self and my two co founders founded the center in 2014, and we're working every day to ensure that whether someone is voting in person or by mail or early or on election day that everyone encounters an easy, seamless process and that everyone has the information they need to make decisions at the ballot box. And so we go about that work in sort of two distinct ways. The first is through a strategy, working directly with government. And the second is by, through a strategy that's focused on connecting folks with civic data. Our government team organizes and trains election administrators on how to run more inclusive elections by advancing their digital and data and design skills through direct training. And our civic data team focuses on connecting the public with answers to questions like what's on my ballot and who are my elected officials, so that folks are able to stay engaged with the with government sort of at every level.
Speaker 2
11:09 – 11:29
Cool. So let's dig into those programs a bit more. The first one, we were lucky to partner with you a little bit on at a a couple classes. So I know a little bit about the type of, information that you share with, election officials. But what what does it entail when you say, you want election officials to kind of leverage technology and the Internet more? What do you actually do?
Speaker 0
11:30 – 12:49
Yeah. So that looks like, making sure that election officials, particularly folks at the local level, are able to have the skills to, engage with voters and public in the places that that the modern community expects to engage. So particularly through, online digital channels. So we provide direct training and tools on things like using social media for voter engagement or how to design materials, especially ones that would be distributed through online channels in ways that are clear and compelling and easy to understand and act upon. We also do things like, help election officials understand how you might collect and use data so that you can make decisions around the elections process. For example, how you might use data to make decisions about how to staff, and resource polling locations so we don't see things like hours long lines at a polling place. So, really, using some of the best practices that are, being used in other industries and thinking about how to use them specifically in in election context and then, making it really easy to, for election officials to adopt those skills, and pairing that with tools when,
Speaker 2
12:49 – 13:14
there might be gaps in what's available. Yeah. No. That's incredible. And, you know, through our election work, we you know, I'm always reminded by our our technologist working on the project how understaffed a lot of these offices and the election officials are. So creating these sort of resources are helping them, you know, find ways to leverage technology. It seems like an amazing value add for them. Have you found that election officials are are receptive to your program?
Speaker 0
13:15 – 14:31
Definitely. I think you totally hit the nail on the head, when sort of considering the resource constraints that election officials are under. I think one of the things that's really notable and sometimes, striking is that in most election offices across the country, there's maybe two to four staff people who Wow. Are responsible for everything related to administering elections at the local level. And often, those two to four people aren't only focused on administering elections. They also have other responsibilities within an office. Maybe they do business licenses or they, do the responsibilities of an auditor or registrar. It really depends on the given state. So they're under, a a lot of pressure and have, limited resources to do their work. And so we've found that through our conversations with election officials, listening to them about things that they're really proud of and listening to what their challenges are, that we've been able to develop out programs to really focus on, helping address some of those challenges in election administration that, election officials across the country have been really receptive to. That's really incredible. Have you seen a a change recently?
Speaker 2
14:32 – 14:54
Obviously, elections and voting is very much, you know, kinda more in the headlines now for mostly not great reasons from, you know, actual hacking to, you know, disinformation. Have you seen kind of election officials maybe a little bit more reluctant to use technology, or do you think they're still optimistic despite, you know, potentially taking on state actors in in some cases?
Speaker 0
14:55 – 15:30
Yeah. I think that election officials are still very open to using technology, but are, through our conversations with, folks on the ground in their offices and, through our work that we do with our advisory committee of election officials that represent jurisdictions of different sizes and different geographies, that there's certainly much more of a focus now on, cybersecurity and and making sure that folks are prepared to be on the front lines of defending democracy, and local elected officials are taking it really seriously.
Speaker 2
15:30 – 15:42
Absolutely. So let's let's talk about your second program a little bit more. You know, what what you do with civic data, what kind of data are you kind of talking about? What data do you leverage to achieve your goals? Yes. So we collect, the our core programs about information project. The
Speaker 0
15:45 – 17:19
program, the ballot information project, the answer to what for my ballot. So what that Okay. Concretely looks like is collecting the candidates and contests that are going to be on, a ballot. Also, understanding the political geography, so what districts go on this contest and candidate, and doing the work to make the connection between an individual registered voters address and ultimately the candidates that they will see on their ballot. We collect that information by, talking with election officials, collecting sample ballots, sometimes getting faxes, sometimes getting mail. And we take all of that information and we standardize it into big datasets, that have candidates from the federal level all the way down to hyper local, special districts. And we then partner with civic engagement organizations and technology companies who build tools on top of that data so that someone can really easily put in their address and in advance of an election to find out exactly what they will expect to see when they go to cast their ballot and do research and learn more so that, we're not so we're seeing sort of increased participation, but also so that we're seeing, folks not only voting for what's at the top of the ticket Yep. But also really focusing on the more localized offices where, you know, every day those elected officials are making really important decisions about how our communities,
Speaker 2
17:20 – 17:58
are shaped in our everyday lives. I mean, as as you were telling talking through that, I was thinking about the last time I voted, which was in the the DC primary election not too long ago. And, there was an entire back page to the ballot of names I had never heard of. And I consider myself a fairly informed voter, and I was like, oh my goodness. I don't know who to vote for here. So this would be a wonderful, wonderful resource because I would have done a little bit more research. I could do kind of the mayor level and the, you know, member of congress and, you know, a little bit on a kind of our council member. But beyond that, I'm like, oh my goodness. I didn't even know we voted for these positions. So
Speaker 0
17:59 – 18:06
I can totally relate to that. In Chicago, we had a ballot, I think in the twenty sixteen election where we had 60, judges
Speaker 2
18:07 – 18:08
Oh my goodness. On the ballot,
Speaker 0
18:09 – 18:40
you know, after you get through all of the other other pieces that you might feel really well prepared for and some of that experience of showing up and, like, doing all of the pieces to be ready, like, being registered to vote, getting to the polling place, doing all those parts and them showing up and finding out that there's a bunch of people whose name you never heard of. Yeah. And whose job they're not sure of, like, what they actually do is a really common experience that we're working to solve for. I love that. I would love to be even more informed. It is a kind of
Speaker 2
18:41 – 18:45
surprising moment where you're like, my goodness. I I thought I was ready, but I'm clearly not.
Speaker 0
18:47 – 18:53
So Yeah. Voting shouldn't be like the test. No. Yeah. That's one of the things that we're really working to,
Speaker 2
18:54 – 19:09
change. That's awesome. So, you have some big personal news, obviously, as well. I mean, this year, you were chosen as part of the inaugural class of the Obama Fellows. Congratulations. What does that mean for you? What what what what's comes with all that?
Speaker 0
19:10 – 19:59
Oh my gosh. It has been such an exciting development to be named one of the first, members of, a cohort of Obama fellows. What that really completely means for us is that the Obama Foundation is, doing work to amplify the work that we're doing here at the center, and that they're also, doing work to really help each of us, who are fellows grow professionally. And so, in addition to some of the work that they're doing to amplify what we're doing at the center, they're also really investing in me as a leader. Concretely, one of the things that I'm most excited about with this fellowship is that I get paired. I've been paired with an executive coach who's going to help me figure out, and shape the way that I wanna grow as a leader over the next two years during this fellowship.
Speaker 2
20:00 – 20:01
That's awesome. The commitment
Speaker 0
20:02 – 20:13
to, helping us all, to take our leadership to the next level is something that I am so excited about. Well, you're off to a really great start from what I can see.
Speaker 2
20:13 – 20:22
What's next for CTCL? I mean, maybe that's what these next two years are gonna help you figure out. But do you have any kind of, like, near horizon type things that you're working on?
Speaker 0
20:23 – 21:15
Yeah. So right now, our our big thing that we're focused on in partnership with CBT is, we'll need to make sure that local election officials across the country are really well equipped, with the knowledge that they need, around cybersecurity. So that's a big focus for us right now. We're actually we just wrapped up our first set of cybersecurity training, and we're going to do another set of them in August. They're backed by popular demand. Good. So, very excited about kicking that off. And in addition to that, our our civic data team is really focused on how we can continue to expand the information and the context about who you might, find on your ballot and who your elected officials are, and why we should care in particular about,
Speaker 2
21:16 – 21:28
our representatives at the local level. That's incredible. Tiana, thank you so much for being on Tech Talk. Everyone should take a look at the Center for Technology and Civic Life. It's amazing, and I'm certain we'll see amazing things from you in the future, Tiana.
Speaker 0
21:30 – 21:32
Thanks again for having me. Our pleasure.
Speaker 2
21:37 – 21:50
That's it for this episode of Tech Talk. For the very latest on what CDT is doing on election security, follow us on Twitter, like us on Facebook, or visit cdt.org.org. I'm Brian Wasilowski. Thanks so much for listening.