© 2024 University of Missouri - KBIA

S3E4 - Hacking Elections with BiaSciLab

In this episode, hosts Brianna Lennon and Eric Fey speak with BiaSciLab, a teenage white hat hacker who has been working in the elections cybersecurity space since she was 11 years old. They discuss the role of DEF CON’s Voting Village and ethical hackers in testing and identifying cybersecurity vulnerabilities in the American election system.

To learn more about DEF CON’s Voting Village, visit their YouTube page.

High Turnout, Wide Margins Credits:
Managing Editor: Rebecca Smith
Managing Producer: Aaron Hay

Transcription of the episode is as follows:

BiaSciLab: DEF CON was like screaming out to the public like, “Hey, our system is not secure, our system is not secure,” and no one really paid attention until it became a bigger deal and more people knew about it, and then all these election officials and things are like, “This is not realistic” [or] whatever because they're kind of turning a blind eye, and the system has never truly been secure and never can be 100% secure. But I mean – we can try.

[High Turnout Wide Margins Introduction]

Eric Fey: Hey, it’s another exciting episode of High Turnout Wide Margins. I’m Eric Fey, Director of Elections in St. Louis County, along with my co-host –

Brianna Lennon: Brianna Lennon, County Clerk in Boone County, Missouri.

Eric Fey: And today we’re speaking with –

BiaSciLab: Hello, everybody. My name is Bianca, but you can call me by my hacker name, BiaSciLab. Bia Science Lab – that's what it stands for. I've worked in the hackerspace, cybersecurity field for a while now. Since I was like 11ish, I would say. I've spoken internationally on all sorts of topics when it comes to cybersecurity. I also run a nonprofit called Girls who Hack where I teach girls the skills of hacking so that they can change the future. I provide online and in-person classes – all things intro level cybersecurity.

Brianna Lennon: Today, we’re going to be talking about DEF CON, which is a hacking event that’s held in Las Vegas every year, and for the last five, ten years they have done a big focus on elections cybersecurity and created a Voting Village, and BiaSciLab, which we’re talking to today is an almost 16-year-old white hat hacker who has been going to the Voting Village for quite some time. She is an ethical hacker and so she does a lot of this work to try and bring attention to some of the security vulnerabilities – but in a way that allows people to help fix them, improve the process, make things better, and that is what she has done on the election side, as well.

So, we’re really excited to be talking to her because she has a lot of really great wisdom that she has gained over the years of doing a lot of this hacking side of things with voting machines, and especially with voting result pages.

And I think you were one of the original hackers at DEF CON that kind of broke into that world of being able to hack into voting machines and playing around with them, and that really started a lot of the conversation about security in the election world and voting equipment. How did you find your way into that election community at 11 years old?

BiaSciLab: It was very wild. I mean, as an 11-year-old or middle school, elementary, high school level student – you don't really think too much about elections. I mean, sometimes you're curious about the big level presidential election and who's going to win, but you don't really know how the system works and you don't really care to know. It's more of one of those “at the dinner table at Thanksgiving only adults can talk about it and fight about it kind of things.”

So, of course, I wasn't interested in it until I got to hack a mock election reporting system at the røøtz Asylum, DEF CON 26? 26, yeah? I just did the mental math here, and they held this mock election reporting system that was a copy of the one used in Illinois, where us kids got to try different hacking techniques to change the vote count.

And I'm like, “Whoa, I can barely use a keyboard and a mouse, but I was able to change the vote count. How is this even like a thing? Why haven't people fixed this? Why is our system not more secure?”

So, I started researching election security as a topic, as a whole, and while I was researching, Congresswoman Mikie Sherrill of New Jersey invited me to go to a congressional hearing on election security, where I got to talk to all the Congressmen and women. Asked like, “What do you know about election security? What are your questions and concerns?”

That's around the same time that I started building my own end-to-end election system called Secure Open Vote, and I brought that into DEF CON, as well, to get hacked and tested. No one was able to change the vote count, which is really cool. Going off of more research topics and such, I'm like, “Okay, I can put a talk together about this.” So, I brought that talk to the DEF CON Voting Village and I also brought it internationally to Romania to talk on election security.

Brianna Lennon: So, I think one of the things that has come out of that – from the election administrators’ point of view – has been a great deal of fear. It freaks a lot of people out, I think it freaks a lot of the voting machine equipment companies out, as well. And now that you've been going to DEF CON for so many years, have you seen the relationship between that change? Because I feel like I remember that story coming out, and I remember working in elections, and everybody trying to ostracize DEF CON as “This is not realistic. This is not something that's really ever going to happen,” and so, as a result, they really like pulled back and didn't want to engage with what was happening, and it seems to have been shifting, but maybe that's just my own optimism? So, I'm curious what you've seen.

BiaSciLab: It definitely has been shifting. I mean, DEF CON since the start of the Voting Village, itself – I mean, that one year, in 90 minutes, they got root on all of the machines at DEF CON, and DEF CON was like screaming out to the public, like, “Hey, our system is not secure, our system is not secure,” and no one really paid attention until it became a bigger deal and more people knew about it. And then all these election officials and things are like, “This is not realistic,” whatever, because they're kind of turning a blind eye, and this, the system has never truly been secure and never can be 100% secure, but I mean – we can try or at least try to make it better. But I don't think people taking that approach as “Let's turn that blind eye, let's not think about it, let's not worry too much about it. This is like not really a real problem” is not going to actually fix the real problems.

Brianna Lennon: So, what have, what’s been the focus, I think, on trying to pull out and address what some of those problems have been? Like, what are the problems, I guess?

BiaSciLab: Some of the biggest problems are definitely the use of older machines that have not been updated, that have not been tested or fixed in years. I mean, every single DEF CON, I see the same exact machines for years now that are being hacked, broken into easily, but they're still being used around the US. I don't know, I find it kind of silly that – like you can see the problems, but no one is really taking any initiative to fix it, and I think that's one of the biggest problems. And another problem that I'm sure we're gonna get deeper into, as well, is people thinking online voting or like voting on your phone is a better option, and I'm like, “That's a little too forward thinking,” especially with all the flaws in that idea for that system.

Eric Fey: I don't know how to ask this question. I think the thing that I struggle with most about DEF CON, and full disclosure – I have not been in person, so perhaps this is not a fair question having not been there – but I feel like most of the attention DEF CON receives is footage of somebody busting open a physical voting machine, and that, you know, is not used hardly anywhere in the country anymore, you know, some old machine, and they've like hooked it up to something and they're playing Frogger on it or whatever. And that's where it gets all the headlines, you know, generally speaking, people don't have physical access to voting machines to do things like that. So does that kind of splashy headline about DEF CON – I think and that's the thing I think most election officials would know about DEF CON – does that do a disservice in your opinion to DEF CON because you're talking about a lot of other things that you know, are very informational, beneficial –

BiaSciLab: I think the title that's given to it is the unrealistic part of it. I mean, I don't think anyone – not even a hacker themselves truly believes that they can go to this polling place, pull the little curtain, get their screwdriver and their drill out and open it and spend an hour sitting there opening the machine – that's not how it's hacked. How it's hacked is basically just by a computer, sometimes a USB into a physical machine – but usually remote from your own home. You wouldn't even need to go to a place to do these attacks.

When it comes to those like classic photos of people going into machines and putting different funny things on it and memes and playing like Doom on it, whatever – those are people opening machines, so they can see how it works physically – out of curiosity. I mean, hardware hacking is a big part of cybersecurity, and a lot of – well, all voting machines are not open source at all. So, you don't know how the hardware works. You don't know how they're set up. These people who are opening machines and messing around with them, just want to know, okay, “How do the insides work? What are the components of this?”

And I'm not going to generalize all DEF CON hackers, but I'd like to believe that at least – at least 85% of DEF CON hackers are good hackers with good intentions, if not more. But most of the hackers who go to the DEF CON Voting Village are just interested in voting security, seeing how the system works, seeing its flaws, and then being able to share better information on how we can fix this system, what the flaws are and how we can watch out for them, how we can change them, or what's a better system.

And, of course, different news outlets want to paint DEF CON “the hacking,” which always gets a bad rep in general, the “hacking conference” to look like the bad guys. Meanwhile, we're just there with an interest in cybersecurity to gain information on these systems that have not been disclosed by the people themselves because they know their system sucks. And to be able to tell the public, “This is what's wrong with our system. Here are ways we can fix it. Somebody hear us. Somebody do something about it.” Instead of just staying there and being oblivious.

[High Turnout Wide Margins Mid-break]

Brianna Lennon: I would love to talk about the electronic voting though. I know that you brought that up earlier.

BiaSciLab: Oh, I'd love to talk about that, too. I have some opinions.

Brianna Lennon: People bring that up. There's definitely, I think, a core group of people – especially people that want to see voter turnout increase and want to, you know, get completely away from machines, and want to go completely electronic, and you hear people talking about how secure it could be, but we're not testing it out enough. What are your thoughts on that? Because I know, it's very controversial right now.

BiaSciLab: Definitely, definitely, and I think there's a lot of misinformation surrounding it, as well, and though, in theory, it does seem convenient and fast and easy and accessible, it's really not for a lot of reasons. I mean, I saw a panel at DEF CON this year – that they also recorded and put it on the official DEF CON Voting Village YouTube channel, which you can find online – and it's called “If I can shop online, why can't I vote online?” It's like an hour long, but I'm going to summarize some of the important parts of it and some other things I've heard. But I definitely encourage anyone listening to go and see that too, as well as Amanda Glazer's risk limiting audit presentation. Anything else from this year is really good. We had a great, some great presenters.

So, for the convenience of it – people think that voting should be done online, like on your phone or on your computer, but one of the biggest problems is – is that phone or is that computer secure? Or what if that computer itself or phone has a virus? Or has some kind of tracker on it? Or if it's old, etc.?

But let's say in a perfect world where all phones and computers are secure, how do those votes get into a database? They go over the public internet. Who has access to this public internet? I wonder who – everybody. So, those votes can also be tracked and even if they're encrypted, those can also be broken into, as well.

That's why people are screaming like, “What about Blockchain with voting?” What about not. What about not doing that – that can be tracked and tampered with, as well. And then once they get to the database itself, that can be attacked. So going down that whole line – there's so many points where these votes can be messed with or tampered with.

There's also the whole fact of voter verification, and some people are saying like, “Oh, what about having the face ID or the fingerprint ID on your phone or your computer, give you permission to vote” or use that as a form of identification? Some people were saying that's a good idea. It's definitely not. I mean, one of the things is – what if you're asleep and I bring your thumb to your phone and then vote for you, fill in your information, use your face? Or there's also the accessibility issue with that. Not everyone has access to a phone or a computer, and even if they went and used a library computer, that's in front of people, and then you're not as able to keep your privacy.

And so, down the whole line, there's a lot of problems. And when it comes to in-person voting and doing it that way, there's less middlemen, and if you have that hand marked paper ballot, and you go in in-person to see exactly what you're doing, then there's like human tracking on it and not just all over machine, which can be more easily tampered with.

Eric Fey: So, you know there's – especially in the disability advocacy community – there's concern about the insistence on hand marked paper ballots. And, you know, if you just have one machine in the polling place for disabled voters, then, you know, quite often the poll workers won't remember how to use it, or it won't get set up very well. And if you have more ballot marking devices that almost all the voters are using, that it's a better situation for disabled voters and I wonder what you thought about that argument.

BiaSciLab: I mean, there are two approaches when it comes to like disabled voters in general, if they do switch to online, maybe making online voting an option for disabled people only and having them be able to use that rather than everyone. Or another option – better yet – is to provide better education, better funding and better machines for these people, so that they're also able to have an equal vote and an equal say in the election, and that's less of a cybersecurity problem and that goes more to a funding problem and that's just a whole nother ballpark in and of itself and just one of the many problems of our amazing system.

Brianna Lennon: One of the ways that it can be helpful to kind of bridge the gap between what local election officials don't know and what cybersecurity experts, attendees of DEF CON do know – are what kind of questions should we be asking our voting machine vendors? Our IT departments? Because we're expected to be – especially after 2016 – our own cybersecurity experts, and in a lot of places, there's only one or two staff in a County Clerk or an Election office. What should we be expecting from, what would be a good relationship with vendors or a good way to be able to improve our own cybersecurity posture?

BiaSciLab: When it comes to talking to vendors for machines and such – a big thing to ask is like, how new is this machine? When was it last updated? What problems were fixed? What problems were there to learn more about the machine itself? And what's going on on that side?

And also asking – I'm a big advocate for hand marked paper ballots and more hands-on voting – to ask about that, and see if there is a paper trail and ask what happens to those votes after they go to the database? Like how can my voters feel secure in the sense that their vote is actually cast correctly? And what they want is given there.

I mean, they have those machines that print out like a receipt, a piece of paper, and you can read through it and double check and be like, “Okay, okay, okay, this all looks right.” So, even if you type something into the machine wrong, you can redo it. Or if you type something into the machine and it didn't have that paper trail, you didn't know if it got tampered with further on. So, having your voters be able to see their vote – in a physical sense – can help them have more trust in the system, as well. So, asking those kinds of questions, and also asking like – let's say there was a problem or a breach or something during the election, what would you do to fix the machines? To fix the problem? Like what would I have to do to make my voters feel secure?

Brianna Lennon: You mentioned earlier about the YouTube channel that's available. Can you talk a little bit about – two things:

One is when I went, I was kind of intimidated because I am not, I do not have a background in computers, and the whole kind of like lay of the land, it’s not like a conference that I have been to before. So can you talk a little bit about ways to not be intimidated by it?

And then also, if you can't go – can you talk about how DEF CON has been working to make the information that comes out there more accessible to people that don't have the resources?

BiaSciLab: Definitely. So, when it comes to being intimidated by DEF CON, there's no way to not be intimidated. I've been going for years, and I've spoken there, and I'm still like, “Woah, this is crazy.” I mean, it's a big conference in and of itself, and the Voting Village is also pretty huge. But DEF CON has an official schedule, which gets changed around a bit, but for the most part, you can look over the schedule before DEF CON even starts and see, “Okay, these are the presentations, the workshops and things being held in the Voting Village, these are the topics that are going to be covered, this is who's speaking on it. I want to see that because I have questions on that and I'm curious about that.”

This year most of the talks focused on the people-side of elections, which I think is a good topic that doesn't get very technical, necessarily. So, if you are going to go on the official DEF CON Voting Village YouTube channel, which it's titled exactly that – they have talks on the human-side of elections and less just about the computers. So, when it comes to things like misinformation and being scared of the system itself and not really knowing what's going on, you can see that or talk on that subject, as well as like the danger of online voting and getting those sort of questions answered.

And DEF CON has a lot of their resources and things – like I said, the videos online for you – they have an official page and different blogs when it comes to voting security, as well, that you can check out. I'm pretty sure the DEF CON Voting Village also has an official social media, and by looking at these talks that have been recorded, or that you're going to go see, you can email or message or even see these people in person who work in this field. So, you can be like, “Hey, I watched your talk. It was all too technical. Can you explain this better?” And you can email that to them or ask them in person and ask them any other questions that they may not have covered or get to be able to see some of their work because you might not know who even works in election security, but by seeing this, you can be like, “Oh, that person works there, that person works there. I can see more of their content and maybe get more of my questions answered.”

Brianna Lennon: Have you delved into any of the – I think a lot of counties that have low resources have just said like, “Well, I'll just throw up a Facebook page. We'll create a social media page and that'll take the place of our official page and that's where we'll put everything.” Have you delved into that at all to see – because that whole world is, I mean, the whole world of social media has its own issues, but I don't think that I've even really considered the security of like, “Well, what if somebody spoofs my social media page and then puts out election results and says these are the official election results?”

BiaSciLab: Yeah, messing with and hacking with social media accounts or creating a fake social media account is easier than creating a fake website or messing with and hacking with a website – especially since there's so many different names, and I'm sure already taken names for, “blah blah blah official reporting site” or “official site,” etc. when it comes to like Facebook or Instagram or anything like that. Anyone could make that domain easily – people hack into social media accounts regularly. It's not as secure as people would imagine it to be.

I'd say if you're able to – post your election results on an official site, if you're able to get a site, manage it on there – even though it takes more time and a bit more effort – it's definitely more secure, and then on your social media, which like you should just have a social media to remind people to vote and say things like, “This is where the polling places are, etc.” Have a link to your site there so that people can be like, “Okay, this is where I go see my results. This is where I can get all my questions answered on the official site.” And that way people can be like, “Okay, that's the official site” instead of just Googling “blah, blah official site,” you have the exact link from the official social media account, which I would say try to get verified. But now, on a Twitter aka X, you could just pay 15 bucks for verification. So, that's a bit of a mess too. But I'd say an official site is the better way to go than posting this important information on something that's even more hackable and even more easy to mess around with.

Brianna Lennon: I guess my only other question is, do you think that any of the – I mean, with next year being an election year, do you think that DEF CON is going to change its approach to the Voting Village or do anything particularly focused on whatever challenges 2024 starts to bring for us?

BiaSciLab: Oh, most definitely. I mean, with election year coming up – like adversaries and people in general are going to be just attacking the system, trying to tamper with it more than ever – especially from a psychological warfare, social media approach. And like more misinformation than ever – you don't really know who to trust or what to trust – this is going to be one interesting science experiment of an election. So, I think the Voting Village is definitely going to be even bigger than it's been next year, with the hot topic of the election. And I'm sure that there's gonna be a lot of amazing speakers this year. So, if you're thinking, “Should I go to DEF CON one year for the voting stuff?” This would be the year to do it. This is when they're going to talk about what they think they're going to do for the 2024 system and problems that are going to happen with it. They're probably going to predict who the adversaries are going to be, what attacks they're going to use, and make a lot of educated predictions on what's going to happen so that you can be better prepared towards fighting against it.

And if you can't make it to the actual conference, definitely check out the YouTube channel and the official page to be able to see the information they talked about and what the hot topics are from cybersecurity professional individuals.

Brianna Lennon: I think that's a great thing to end on.

BiaSciLab: Of course, it's exciting. I can't wait to see what happens. I'm like on the edge of my seat already.

Eric Fey: You've been listening to High Turnout Wide Margins, a podcast that explores local election administration. I'm your host, Eric Fey, alongside Brianna Lennon. Thanks to KBIA for making this podcast possible. Our Managing Editor is Rebecca Smith. Our Managing Producer is Aaron Hay. This has been High Turnout Wide Margins. Thanks for listening.

High Turnout Wide Margins Season 3
After serving as Assistant Attorney General in the Missouri attorney general's office and as Deputy Director of Elections in the Missouri secretary of state's office, Brianna Lennon made the decision to pursue election administration at the local level. She was elected county clerk in Boone, Missouri, in 2018, making her responsible for conducting elections for more than 120,000 registered voters.
Eric Fey is a lifelong resident of St. Louis County, Missouri, who fell in love with election administration as a teenage poll worker. He has worked in the field for a decade, and became director of elections in 2015. He’s on the executive board of the Missouri Association of County Clerks and Election Authorities, and has observed elections in twelve countries, including Ukraine, Sri Lanka, and Uzbekistan.