CI Kim Zetter Final.mp3 transcript powered by Sonix—the best audio to text transcription service
CI Kim Zetter Final.mp3 was automatically transcribed by Sonix with the latest audio-to-text algorithms. This transcript may contain errors. Sonix is the best way to convert your audio to text in 2019.
Eric Levai:
Welcome to counterintelligence. This is Eric Levai.. Today, we're joined by national security journalist Kim ZETTER, whose explosive reporting for Vice has revealed new details about American election security forensic news. Thanks. Our patrons Andre Danka, Angela Jackson, Zacharias Zee Score, Kaminsky, Sasha Millstone, Craig Pierce, Jim Rice and Greg Snider support forensic news and counterintelligence unpatriotic. Without further ado, here's the show.
Eric Levai:
Kim ZETTER, welcome to counterintelligence.
Kim Zetter:
Thank you.
Eric Levai:
Kim, it is so great to have you here. You're your piece for Vice's motherboard is called A Critical U.S. Elections. Systems have been left exposed online despite denials. First of all, I just want to congratulate you like this. And to our audience, like this is a must read piece. And I'm not I don't you know. So those are you listening right now? You have got to read this. And you know, just before we get into it, I just wanted to kind of summarize this piece in my own words and then, well, I'll leave it to you. But you tell me if this is correct him according to your reporting, basically American elections systems are are online. They've been online for a long time. And even as this reporting, they continue to be online. Do I have that correct?
Kim Zetter:
Yes. I mean, the researchers have are watching them pop off line after the story is published, but there are still problems around that. There's a caveat around that popping off line and also caveat around the number that they actually found connected to the Internet, because we don't know if it's them. It's a complete.
You know, I just want to say maybe as a kind of editorializing for a second. This is the exact reason that we need to support like especially long form investigative journalism, because this is just not something that was pretty clear reading your piece that I don't think any of these companies were necessarily. It's not really in their interests to. This will not be known if not for you and other other journalists. So just again, we have to support our journalism.
Well, I appreciate that. But I mean, the the credit really goes to the researchers who uncovered this. I mean, they brought the information to me and I pulled it all together and worked with them to make sense of it. But they did the hard legwork.
You're out. I mean, I appreciate Adagio for journalism, though.
No. Yeah. And to those researchers as well. Amazing work. I know. I summarized in kind of the my own words. But could you maybe just take a second, summarize your piece for for our audience.
Yes. So, I mean, for years, election officials and voting machine vendors have been assuring the public asserting to the public in news articles and in congressional hearings, et cetera, that the voting machines are not and are never connected to the Internet. And not only the voting machines, but the back and critical election management systems that programmed voting machines that tabulate official results, they say are never connected the Internet. And, you know, those words were repeated over and over again, particularly after the 2016 election when there was, you know, this alarming revelation that Russian hackers had been targeting online election systems like voter registration databases. So everyone rushed to assure the public that these systems weren't connect to the Internet, therefore, they couldn't be hacked. Therefore, no votes could ever be changed. And what the researchers found is that that really is not true at all. And the voting machine vendors have known this for years. They have hidden that information from election officials. They have couched it in really passing their language to election officials and to the public. And so, yeah, I don't think that the blame completely falls on election officials because they believed what the vendors were telling them in many cases. But the fact of the matter is, these systems have been connected to the Internet in some cases for years, and that made them potentially open to manipulation and hacking.
I mean, if I recall correctly, your piece said some of them could have been connected since modems started. I mean, are we going? Are we talking like 20, 30 years here?
It's hard. It's hard to say what what we have. The only evidence that we have right now is the configuration for a specific model of system made by election systems and software. And these are called the D's 200 optical scan machines. These machines sit in precincts and optical scan machines use full size paper ballots that the voter marks by filling in a bubble or marking a line. And then they're scanned through this optical reader. And those machines are the newer version of systems that if this makes optical scan machines and those machines can have embedded modems in them if a county wants to transmit results on election night. But he also has had an earlier version of optical scan machine called M 100 that also had modem capabilities. But all we know is what the architecture is specifically for this GSM 200. And so what I write in this story, that it's unclear if those in one hundreds had the same architecture. I'll explain what was problematic about the architecture. So if you've got a machine sitting in a precinct that has a modem in it, it's transmitting these votes on election night over a cellular network. Now, election officials and voting machine vendors will tell you that's not over the Internet. We said what they say publicly, cellular network.
It sounds right. It sounds right. Going to the cellular network, that doesn't sound like the Internet. But I read this story last February in The New York Times explaining that the cell unit network traffic does indeed go through the Internet. And what? Published with the story this week is actually a diagram that he s and has provided. Rhode Island election officials. And on that type scan, it shows the modem transmission. And yes, and has marked Internet on that diagram. So, yes, this is knowing that their cellular transmission is an Internet transmission. I wrote in this story last year. But election officials continue to deny or are ignorant of the fact that cellular networks do go over the Internet. So they even if they acknowledge that, they will say, well, that connection is so brief at the end of an election that it doesn't really matter. No one can get into it. Yes. Yes. We'll talk about all these kinds of security mechanisms that would prevent anyone from getting into those voting machines, because if you're connecting that voting machine to the Internet through their cellular modem, you're opening a pathway to get back into that voting machine. But they'll tell you that it's only connected for a brief period.
And your piece makes clear that the researchers that it doesn't it's it's irrelevant, because even if it's connected for I think it's said two minutes, an election could be compromised. Is that correct?
Yes, but that's not that. But that's that's sort of like the the the least case scenario. And what we've actually discovered is that their worst case scenario exists. So the researchers knew after the story published last year, they knew that obviously these modems are connecting over the Internet and transmitting. But they had to be transmitting to something. Right. There has to be something on the receiving end to collect these results. These election results that are being transmitted by the modem. So they wanted to see if they could actually discover these systems connected to the Internet that are receiving the transmission through the cellular networks.
And that's what last week story was about. They actually were able to find these systems online. And they're they're sort of two parts to this, because if all you have is sort of a box on the Internet that's receiving transmitted results. That is a problem in itself because that box can be compromised. So a couple of ways you can track you can intercept the votes that are going to that box server online.
You can intercept the votes that are going there and replace them with your own votes. Now, if this will say, well, the votes are encrypted and they're signed and so there's all this authentication and you can't do that. But we don't really know how. Yes, this does that securely. So no one can independently agree with. Yes. That they do it securely. But those votes that are transmitted over the modem are unofficial results. So the official results that are taken actually from the voting machines would not match.
In that case, what the other problem with that?
But the other problem with that box set that collects those votes is that you can use that as what we call a watering hole attack, a watering hole attack plants, malware on a system that other systems connect to. And when other systems connect to that, then that malware can be transmitted down to them. So if you've got this box sitting on the Internet, the server and all these voting machines are connecting to it on election night to transmit results. An attacker can compromise that box and use it in such a way that when those voting machines connect to it, they can transfer malware back back to them. And then you're setting up an attack for a future, an election.
But that's not the worst of what they found. You're going to continue.
Oh, yes. I'm feeling much better at least. Please continue.
So if that was all that was connected to the Internet, that would be bad enough. But in talking with easiness and looking at diagram of that back our back end architecture, it turns out that, yes, this doesn't just have this empty box sitting there to receive the result. Also connected to that system that's receiving results is the critical back end election system, a system that's not only tabulate those unofficial results that come over the modem, but also tabulated the official results that are taken from the memory cards at the end each election. And there's a system called election management system that also is used to do all the other critical functions of elections. They produce the printed ballots, they program the voting machines before elections. All this critical stuff that we've been told is not accessible to hackers because they're completely air gap that if they're not connected to the Internet and not connected to any system, that's going to mean it. And yet it turns out that they are remarkably, even if actually shows this on diagrams that it has provided election officials over the years, it shows these systems connected to a firewall that's connected to the Internet. But yes, and I maintain that because this firewall sits in front of these systems. The systems themselves are not connected the Internet. And that's just the net, that definition of Internet connectivity that no one else in the security community has. Deafness has developed its own definition of what it means for us to be connected to the Internet. And it just contradicts what any of us want it what anyone else uses to describe a connected system.
This is just. I was waiting for it to get worse there for a second. Not much. If there's any delay, if I cut you off there, if there's any stage five of depression, let me know. Oh, wait, there is a safe Sy. OK. You know. Jim, go ahead. This is this is great. Please go ahead.
A phase five and there's a stage six. Oh, spades.
Stage five is that the election officials will tell you and they insist that even after the story published, that even those even if those back end connected, even if this back end systems are connected, which they insisted for years aren't connected. But even if they are connected, all of that infrastructure only gets connected to the Internet for those a few seconds on election night and maybe a minute or so before an election to test the transmission. They say that they only get connected to the Internet for this really, really, really brief period of time. And therefore, no one would be able to find them and no one would be able to hack them. But what the researchers found was that these systems were sitting on the Internet months at a time, and in some case, at least a year. They only they only searched for these systems for years. So we don't know how long they were connected prior to July 2018 when they first started doing the research. But if they were connected for a year, there's a good chance that they were connected much longer than the last year and likely they were connected during the 2016 election, some of them.
So that's the stage five. If these systems were connected for months and four years, just barely able to grow.
Whiskey? Oh, no, I think so.
Yes. And I will say, OK, maybe these systems are connected, that they're connected to this firewall. And this firewall is configured in such a secure manner that no unauthorized user can get into these back end systems. And no one authorized user can communicate and get data through or through either way, sending or receiving through this firewall. Well, that may be the case if the firewall is configured securely, but I'm mis configured firewalls are one of the member one ways that hackers get into systems. The recent Capital One hack that a hacker was able to get millions and millions of data from Capital One was because of the mis configured firewall.
And this configured firewalls are really common on the Internet. But even if if it had done everything right and configured these firewall securely, if there is any software vulnerability in that firewall, the configuration doesn't matter. A software vulnerability would allow an attacker to completely bypass any of that configuration. Any of those security restrictions on that firewall and get into those backend systems. And it turns out that the firewall that you, Ethan, it uses for this critical infrastructure. It's called the Cisco RSA Series Fire 500 series firewall. This firewall had a critical vulnerability in it, software vulnerability. Cisco announced this vulnerability in January 2000 in 18 and provided a patch for it. And that's when Cisco learned about it. But we don't know how much longer. How, how? How long? How long before that attackers may have already known about this vulnerability and may have used it to compromise these systems. But we do know that even though Cisco released a patch for it in January in Wisconsin, for example, which was in a critical swing state in the 2016 election, didn't patch their firewalls for six months after the patch was released. So for six months, that vulnerability was publicly known. Let's put aside the fact that maybe other attackers had already known about it privately. But let's just address what it was publicly known in January 2002, May 18. And hackers jump. They pounce on these vulnerability announcements when they become public and they very quickly try and exploit systems that aren't yet patched. And so for that six month period between January 2008, 18 and June 2018, when Wisconsin finally patched those firewalls, those systems were open to an attack that would have allowed a hacker to completely bypass any protections that were on that firewall. And this is in the run up to the 2018 midterms.
Oh, my gosh. Yeah, I'm going to start drinking now, but I'll I'll be done by this. This is unbelievable. I just that was that was stage six, right? That was it.
I we say.
I don't have anywhere to further the the you know, and these researchers, you know, I'm not I can't say I'm the biggest tech guy, but I do know that if a researcher can find it or as they call it, or I guess a white hat hacker, the the the the bad guys can find it.
I mean, that's generally true. Right.
Yes. I mean, the way that they found it is is also very simple. You know, they looked for they looked for sort of the technical specs of this back end architecture. So there are documents online posted by counties and states that provide the technical specifications of this back. And architecture particularly, there's one in Florida that's published by the Department of State that it shows that the ESF honest reporting system for transmitting votes. The modem uses the Cisco as a firewall. It uses a particular brand of FCP server software on that firewall, on the server, connected the firewall and also use a particular software for VPN virtual private network access. And so with a knowledge of this kind of software, use the model and make of the firewall. With all of this information, the researchers basically decided to do a search of this configuration looking for any system connected to the Internet that matched this footprint of hardware and software combination. And they used a specialized search engine called Sensis that looks for connected devices. And using these search parameters of that hard wall in that software, they were able to uncover these ESF and their systems connect to the Internet. And so any hacker at all of this information is open source. Any hacker who who studies the technical specifications that are posted online could have done the same search to find these systems.
When I was reading your piece, I found myself thinking about I think what for many of us defines the just the problems in this country's election history, which is the 2000 election and. I guess now I'm wondering. I mean, despite even the flaws that we know about, I wonder if they were hooked up to modems and some of this stuff was going on. I don't know.
Yeah, we don't we don't know because no one ever does. Forensic examination of voting machines after elections, even when anomalies come up in elections like what we saw in Florida. We see efforts to prevent investigations. You know, in the Florida 2000 case, of course, that didn't involve specifically the voting machines, but there were definitely anomalies going on there. And the Supreme Court intervenes and stops any investigation. And that happens over and over and over around the country. We talk about being very concerned about election integrity. But when it comes down to actually investigating things that come up that show that that raised questions about the integrity of election, we see over and over again efforts to halt any investigation into anomalies.
You mean your piece made it abundantly clear that. I mean, what what sort of a mate? You know, something else, too, you know, I went on so I went on his Web site and, you know, I see why this is so for the American public would be so hard to know because without your reporting and the researchers who discovered this, you read there's a sense on the Web site that's like this is totally certified by, you know, this stuff, some agency, the federal government. But you made clear that it's the machine maybe. But the the. I'm sure I'm getting this wrong, but it's not. They were using language like a lawyer does the passwords.
Yes. It's not it's really not clear how transparent. Yes. Missives about this. So what you're referring to is that actual back end architecture, the configuration of that server and that fiscal firewall and all that backend system that's connect to the Internet. That configuration. Yes. And it says that it's configured all of its very securely. But no one has actually ever independently looked at that configuration to see if it is securely put together. The Election Assistance Commission, which you referred to, the ICAC, oversees the testing and certification of voting machines. There are testing labs, independent testing labs that look at the voting machines and they follow a certain testing protocol to examine those machines and they certify the machines. I should point out, first of all, that those labs don't do very much security testing of even the voting machines. But when it comes to that back end configuration, they haven't looked at that configuration at all. They've at least looked at the voting machines. But that configuration, the easy testing labs have never looked at and never certified. And so in their communication with state, it's unclear how transparent. Yes. And this is about this. In one document they provided to Rhode Island, what they've done is they've sort of couched this in very foggy language. They have a diagram of their voting machines. And the part that is certified and tested is in blue. And then the diagram that shows the actual transmission of results over a modem and the receiving of those votes by this back end architecture is highlighted in white, not in blue. And it's not marked CAC certified. What it's marked is, quote unquote, extended configuration. So the wording is it seems a little deceptive. It's not clear if. Yes. And if customers are aware even that that configure has not been independently examined by anyone and certified.
And do I have to correct that, according to your reporting? It's actually illegal for research. We can't get behind these firewalls because it's illegal for these independent researchers to do that.
Yes, that would be unauthorized access into the Computer Fraud and Abuse Act. So they can do a search that just goes up to the firewall and sees the firewall, but they can't test the firewall. So there is there's a system that's connected to the firewall where the votes get transmitted.
They get transmitted through what we call FCP software into it, FTB server. And when the researchers pull up this firewall, let's say, at a county in Wisconsin, what they see is a log in page asking for user name and password. And the voting machine, when it transmits votes, will supply that page automatically with that password to get in. While the researchers can't see if that password is, let's say, a default password that's already posted on the Internet somewhere. If it's a secure password, maybe it's just the name of the county. You know, maybe it's just Milwaukee County and that's the user name and password. We don't know yet. The researchers can't test that because actually testing that would put them in violation of the law. So all they can do is go up to the firewall and say it looks like something is connected here that shouldn't be connected, but they can't actually do what we call a penetration test to see if it's vulnerable to him to hacking.
So there really could be like a stage 7 through 15 that we don't even know yet. Yes, yes, yes.
They don't know if, for instance, that Cisco firewall is actually patched. All we know, we know is.
Yes. And if they told me last year that they would be working with customers to make sure that the patch, Cisco patch was applied to the firewall. We know, for instance, in Wisconsin that it took six months to get that patch applied, because I've discovered that in my reporting. But we don't know if you know, we don't know if actually those patches are solidly applied. We don't know if they were applied in other states. We don't know. That's something that the researchers could test.
But they'd be breaking the law if they did. And so there really is no way to independently look at.
These systems, the Department of Homeland Security, they work these with these counties. They can now go in and test the systems and see what fits, you know, what's the situation for them, what's the status for them. But independent research is going on.
Yeah, it's just a. You know, what I keep coming back to here is that there's no. And this is in any in any field. This is always the a a warning sign.
There's no transparency here. Zero. No.
No. And the concerning thing is that it's not in the interest of the vendors to be transparent. And it's not in the interest of the vendors to not only be transparent to the public, but to their customers as well. I mean, if they were to tell their customers that these systems are connected to the Internet, the customers would say, well, hold on. We've you've been telling us for years that they're not going to be doing it. We've been telling the media and the public they're not to to viewing it. So, yes, this has to continue to maintain and insist that they're not connected to the Internet. If someone, you know, pushes them, they would have to re architect this and it's easier for them to connect them to the Internet this way. It's easier for them to receive these votes and do the processing of the vote in a way that is connected than if they had to re architected in a more secure manner. So they've taken the they've taken the lesser secure route of doing this transmission. First of all, I mean, security experts say you shouldn't be transmitting votes at all. You should do it through the sneaker net. You should walk it in on that memory card in a way that other counties do that don't transmit that. You shouldn't be transmitting at all. But vendors have told the counties you want this transmission. Okay. We're gonna charge you extra for that and we'll be happy to take your money. And this is what you have to do for it.
And what they sold them is an insecure transmission model.
And, you know, when I was reading that so it sounded like this some of the reason for the Internet transmission is, as you said, the votes themselves are the official or a memory card. But it sounds like many of these counties, the reason they want this Internet connectivity is for media purposes to get it. Is that correct?
Well, that's what they'll tell you, because they don't want media writing stories that that point out. The problem with this, what they will say to the media and any journalist who calls up about this and says, why are you transmitting results? The vendors and the election officials will say, because you, the journalist, demanded fast results from us. And that's just that sort of passing off responsibility, because, you know, the media will wait like everyone else will wait. I mean, there are plenty of counties that don't transmit these results and they come in over memory cards and we get the results. Yes, there are voters who don't like that. Let's say if there are problems with memory cards, they go to bed at the night of an election. They still don't know who the winner is. Sure. People don't like that. People are impatient in this country. Want. We want instant everything. But if, you know, the election officials basically said a foot down and say this is the most secure manner we can do it, we are going to wait for the results to come in via memory. They can set that, you know, the media and the public don't demand election results coming in. And in this, your manager in a party in an insecure manner, the election officials who are responsible for the security and integrity of those results can set the parameters for how and when we receive those results.
So what? You know, that's that's fascinating. So what? Why haven't they done that? Why? Why are these machines? I think people could easily wait a day.
I mean, I don't know, because the vendors have sold them on a quick solution. I mean, this is this isn't a feature if you want to pay two hundred fifty dollars more for a modem and then we'll install this back end architecture for you and we'll supply you with all of these other add ons. This is these are add ons for the vending machine. That is it's another way to make revenue. The vendors will say we're only supplying what our customers want. Our customers demand this from us. But there are customers, for instance, in California and New York who've actually passed laws that prevent their voting machines from having transmission capability.
So even if this actually has actually had to produce two versions of its voting machine software, it has one version. And I'm not talking about, you know, just removing the modem from the voting machine. They actually have to architect their systems so it has no capability of transmitting and communicating results. That's to prevent someone from attaching an external modem to the system and then connecting it to the Internet. So California and New York require that if and if provide them with a system that has no transmission capability, no connectivity capability. And so, yes, if had that system that it can market to counties that want that extra security. And after I wrote the story in The New York Times last year talking about how these modems do transmit over the Internet, how ISIS does have two separate versions, I know that there are some election officials in some states who contacted the U.S. Senate inquiring about the possibility of getting that version of the system that doesn't have transmitting capability in it.
There was such a. It was just like a I don't know. Parks and recreation aspect that I was thinking about. Like, you know, like you said. Just some it could be just some county election official who doesn't. They're not technical. They. Like you said, I'm sure these usss great. You know, it's like they have great salespeople. Hey, do you want this? You know, extra modem. Sure. And then we end up. It's it's just so absurd. I guess what I'm trying to say.
Yeah. I mean, the election official, as you point out, they they're not tech savvy. How many of them don't have budgets to hire someone on staff who is tech savvy? And even if they have someone who's tech savvy, that tech savvy person is not getting the security savvy. Right. I'm hooking up a system to a network, if not the same as hooking up in that system to the network security, security of a niche part of computer and network operation. And if you're not very specially trained in secure networking, you're going to say, sure, let's get that modem up. Yes, let's get that back end infrastructure. Yes. Yes. And as I understand your doing it security, but you don't have the independent capability to actually verify that it's being done. Security. And so when election officials are told your your voters will be happier, the media will be happy when you get these quick results. You'll be able to close your office early on election night and go home. That all sounds really good to an election official. And that becomes their priority. They're not trained to think about security.
Well, and you really just I guess you have to laugh. Are you crazy? You know, so there's no federal voting. So there's no there's no federal guidelines. There's like basically it's kind of like a free for all out there. And there's no consequences for for this stuff. Am I am I correct? Yes.
I mean. I mean, you know, there's the federal law. It's limited in what it can do. It can. It can set some parameters for federal elections. And then those parameters sort of trickled down to for local elections as well. For instance, the federal election law requires that election officials hold on and maintain retain election materials for 22 months after a federal election. And so, you know, if you have a presidential election and you have reason to suspect as we find that 2016. Right. It takes a while for questions to come up and for challenges to election results to come up. And so that's why this this law exists, that you retain this material for 22 months.
But what we see over and over again is that election officials don't retain things and especially not logs on voting machines. These machines get used again in local elections very quickly.
And so it's it's I don't even know if, you know, if there's any election direct jurisdiction around the country that actually takes a mirror image of their voting machines and their network at the time of an election and preserves that for 22 months. So even if you wanted to go back and look at anomalies in the election to try and find if there was any manipulation or if there was a breach or something like that, in most cases you wouldn't even have the capability of doing that because there is no there's no there's no law that requires them to hold onto the log. It's not clear that even that federal law that requires 22 month retention actually applies to computer logs and not just a ballot. And even when election officials don't follow that law and destroy materials, we're not seeing any kind of repercussions for that.
When I was on when I was looking at ISIS is Web page again that. Yes, NSA, you know, I just found myself thinking that myself, along with most Americans, have literally never heard of this company that apparently is in charge of the voting machines for the largest one for the whole country. I mean, who are these people who work there? I know I wasn't really part of your reporting, but in general, as an open ended question, I mean, who are these executives?
They are. They are. Well, I mean, if this has an interesting background, I mean, we are reporting about this industry since 2004.
And yes, this was started by two brothers, Bob and Teddy Roosevelt. And one of them actually went on to work for a competitor, Diebold. And it's the Internet is based out of Omaha, Nebraska.
And at one time, it was the CEO of the voting machine company. At the time, it was called American Information Systems. Was actually Chuck Hagel, who went on to run for the Senate and had considered running for the president, and Chuck Hagel resigned from his position with the voting machine company just weeks before he decided to run for the Senate.
And in his Senate election, it was his own machines, yes, miss machines that were counting the votes in Nebraska for his election. So, you know, there's been very little oversight.
There was no sort of sunshine and disinfectant applied to this industry. You know, election integrity activists have done all of the work on this of exposing these kinds of ties and things like this. Congress has done absolutely no oversight. States have done a little oversight, but only when they directly discovered that the voting machine vendors lied them to California, for example, in 2004, discovered that DB Old had installed uncertified software. On voting machines used in 19 counties there. And when California discovered this, they immediately decertified all the voting machines. They held hearings with with Diebold and then they passed a law saying that all the voting machines in California had to have a paper trail. So when we see things like that, you know, when something happens and a state gets angry, then we see individual states providing a little more oversight. But even that oversight was sort of a one time thing. California actually has been continuing to do its own testing and certification of voting machines used in that state. But the other states are very lax in this regard. And when it comes the federal government, the federal government created this problem by passing a law in 2002 that gave states money to buy these machines. And then they were they've been hands off ever since.
If you want to work at one of these companies or be an executive, I'm. I was. I'm thinking I've been thinking about the. I understand from a remote hacker perspective how dangerous this is. But I'm just curious, do you need a background check or a security clearance to work at an American voting machine company?
I certainly don't need a security clearance. Presumably, I you know, hopefully they do background checks on their workers. But election integrity activists have found. Yes, meth workers with the with criminal backgrounds, convictions for fraud or kickbacks. A lot of different kinds of activity. And so and there's also an open door, the revolving door between elections offices and the vendors.
We see a lot of people who work for the vending machine. Vendors were one time election officials who purchased machines for their counties. We've seen people who work for the vending machine companies then become election directors, election officials. So there's like I say, it just there's been no oversight. The vendors have operated really with impunity for a long time simply because no one no one has actually been looking at what they've been doing.
And yes. And, you know, is do we have any plausible explanation why specifically the Republicans have no or are actively or blocking election security right now?
I you know, I it's hard to know. I mean, they're very concerned or, you know, their focus is on voter fraud. Right.
So they're very concerned with forcing voters to show an I.D. at the polls. They're much less concerned with the integrity of election results. And so their tactics of showing concern just for the eligibility of voters to vote. I mean, it's an important one, right? You only want eligible voters to cast ballots. That's legitimate. But their requirement that the way to do that is to force voters to show an I.D., of course, has been shown to be prejudicial toward groups of voters that are already often disenfranchised and kept off the voter rolls. The way to intimidate voters that they know may not have I.D.. And so either way, to disenfranchise those kinds of voters. They show no. All right. They show no interest on the other end of actually securing elections, of overseeing the voting machine vendors, of making sure that when anomalies show up in elections, that they actually get investigated. And so this one sided concern about election integrity is kind of remarkable. And it does come down to really a partisan fight between the Democrats who seem interested in the integrity of the result and Republicans who seem primarily concerned with getting voters to produce an I.D. As you yourself said in your piece, three of the sort of the states that I believe is Wisconsin, Michigan and Florida were the biggest vendors are for.
Yes, us. Is that correct?
No. These were the states that the researchers found the most number of systems online. So they found systems online ethnicities into 10 different states. But in most of those states, they only found one or two systems online. But in Wisconsin, they found nine systems, nine counties. In Michigan, they found four.
And in Florida, they found seven, three states that flipped to Trump under some which had voting irregularities that as you pointed out, again, that, you know, trends were not followed. I mean, it is it is interesting.
Yes. I mean, you know, you don't want to connect dots that don't have any business connecting. But, you know, it's those were. I mean, particularly Wisconsin and Michigan, where state that, as you point out, had results that didn't follow the state's past trends. And those were also those states that the Green Party presidential candidate Jill Stein had tried to get recounts in. I'm sorry.
Jill, did I get any lighter skinned black?
And so and so, you know, effort like it's like it's like again, like I point out is that election officials say over and over again that, you know, voters have to have confidence in election or they won't show up to vote. But as someone pointed out at a recent security conference, that that confidence has to be earned and that confidence gets earned when you actually follow through on anomalies. And, you know, if someone is calling for a recount, because there are possibly reasons, potentially reasons to question results than going to court to fight that. Doesn't doesn't actually support that idea of integrity. It supports the opposite that there's something to hide, potentially something to hide.
So is there a country that does get voting. Right. That we could use as a model, in your opinion?
I don't know. Foreign voting systems well enough. I really focused most of my attention on the U.S. courts. So I it's hard for me to hold up anyone. I know Estonia likes to hold up its complete Internet voting system, but I don't know anyone who thinks that Internet voting in the U.S. is a good idea.
And I don't know that the Estonian idea actually is secure. I know that there are people who looked at it a few years ago and found security problems with it. Switzerland has looked at also doing Internet voting and security researchers sort of eviscerated that system by pointing out critical flaws in it. So I don't you know, the the best solution that we can have for the U.S. is a voter marks paper ballot that is used with an optical scan machine. Now, the optical scanners, sheen is still using software to count those ballots. Look at those ballots. But if you have those paper ballots, in addition to mandatory risk limiting audits and audit that forces election officials to hand manually compare a certain percentage of those voter marked paper ballots against the digital tallies. That's our best hope for catching anomaly.
So even you're never going to have a secure voting system as long as there is software in the voting system. There's potential not just for hacking, but there's a potential for glitches. Right. We don't want to focus just on intentional malicious behavior, but software has glitches all the time and we see elections where the machines dropped votes, delete them. And so you want some way to recover from that in the same way with your banking. Right. You get a receipt from the A.T.M. that you can compare to your bank statement at the end of the month. And if there's anomaly there, you've got that receipt to back up effort we want in elections. We want something that is that backup that we can actually compare and see if there's a problem with those results.
And so the best solution and the only solution we have right now is that paper ballot that's marked by the voter and a risk limiting audit.
It's so true. I mean, as you know and I'll just maybe I'll just close on this. I as an American, I always assume, as we all did, that my candidate may or may not win. And that's that's part of voting. That's that's what's beautiful about our system. But I never thought so recently that my candidate might win.
And loose or somebody might hack the results, Yes or not just hack it at the voting machine. It produced bad results and no one caught it or no one bothered to look.
Well, Kim ZETTER, I want to thank you so much for this reporting. And again, just it's just invaluable. And the other researchers, too. Who are they? So our audience knows.
Well, there was a group of about 10 researchers. They they were they had varying degrees of participation in the research.
The lead researcher on this with Kevin Scotland, who is he's an independent computer security consultant. But he is also on the advisory board for producing voting machines, security standards for the National Institute of Standards and Technology. So he's not he's not sort of this outsider who doesn't know anything. Elections coming in and finding that he's been working in the election space and like some security space for quite a while. He's the lead researcher. The rest of the researchers really wanted to stay in the background and remain anonymous.
That I can understand that. Well, you know, again, thank you so much. And I'd love to talk to you again soon. Next time. You know, anytime.
Sure.
We'd be happy to thank you for listening. Follow forensic news on Twitter at forensic NEWSNIGHT. Counterintelligence is an intel pod. My personal account is Eric Levai. support forensic news on Patriot subscribed to counterintelligence. Everywhere you listen to podcasts, this is Eric Levai.. And this is counterintelligence.
Quickly and accurately convert audio to text with Sonix.
Sonix uses cutting-edge artificial intelligence to convert your mp3 files to text.
Thousands of researchers and podcasters use Sonix to automatically transcribe their audio files (*.mp3). Easily convert your mp3 file to text or docx to make your media content more accessible to listeners.
Sonix is the best online audio transcription software in 2019—it’s fast, easy, and affordable.
If you are looking for a great way to convert your mp3 to text, try Sonix today.