![Campaign Security with [REDACTED] Artwork](https://www.buzzsprout.com/rails/active_storage/representations/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBCT1hpL1FJPSIsImV4cCI6bnVsbCwicHVyIjoiYmxvYl9pZCJ9fQ==--fbabc3eb7f2c7b3e9f9ff4385205f2df0ae074b8/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdDVG9MWm05eWJXRjBPZ2hxY0djNkUzSmxjMmw2WlY5MGIxOW1hV3hzV3docEFsZ0NhUUpZQW5zR09nbGpjbTl3T2d0alpXNTBjbVU2Q25OaGRtVnlld1k2REhGMVlXeHBkSGxwUVRvUVkyOXNiM1Z5YzNCaFkyVkpJZ2x6Y21kaUJqb0dSVlE9IiwiZXhwIjpudWxsLCJwdXIiOiJ2YXJpYXRpb24ifX0=--1924d851274c06c8fa0acdfeffb43489fc4a7fcc/security-cryptography-whatever-black.jpg)
Security Cryptography Whatever
Security Cryptography Whatever
Campaign Security with [REDACTED]
With the 2024 United States Presidential Election right around the corner, we talk to an unnamed guest who has worked on cybersecurity for political campaigns in the United States since 2004. We recorded this in late August, 2024.
Transcript: https://securitycryptographywhatever.com/2024/10/13/campaign-security/
Links:
- Active Measures by Thomas Rind: https://us.macmillan.com/books/9780374287269/activemeasures
- Aurora: https://en.wikipedia.org/wiki/Operation\_Aurora
- Google APP announcement, October 2017: https://www.wired.com/story/google-advanced-protection-locks-down-accounts/
- XXD: https://linux.die.net/man/1/xxd
- Adobe Reader October 2016 Security Update: https://helpx.adobe.com/security/products/acrobat/apsb16-33.html
"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Hello, welcome to Security Cryptography, whatever I'm Deirdre.
Speaker 3:I'm David. I'm trying to figure out what this broken YubiKey I'm looking at is for. There's something I can't log into right now and I don't know what it is.
Speaker 1:Okay, that's Thomas, and we have a special guest today. How are you?
Speaker 4:Hello, hello. Thank you very much for having me on the podcast. This is going to be fun.
Speaker 1:Absolutely, this is going to be fun. Absolutely, do you work? On campaign security or election security Wow that is a wacky way to sit down and say it.
Speaker 4:I have done US presidential election campaign security since 2004. Technically I've worked in 2000 for Al Gore's campaign. I was a volunteer. It was easy to volunteer for Al Gore's campaign because I went to college in Nashville, Tennessee, and his headquarters was in Nashville.
Speaker 4:My life is such that I just sort of fall into jobs and it's fine. So I would sit down and say I focus on campaign security Within the election sort of industry. I don't know. It's hard to understand if you don't actually work within the system. So I can probably explain a little bit about how the system works. So there are basically three groups who work in the election space, and those three groups, because of campaign finance laws, irs laws and other laws, they can't talk to each other. So, for lack of a better term, there's what is called the election infrastructure ISAC community. These are the folks who are literally in something called the EI ISAC. These are like secretaries of states. These are voting machine companies. These are entities that have equities within that space and unless you are in that space, very specifically, you cannot play in their pool, which is totally fine, that's great. Then there's the middle tier. These are the campaigns and candidates themselves.
Speaker 1:Why are they the middle tier? Why is ISAC the top?
Speaker 4:Well, I wouldn't sit down. And Well, it's not like a top In my head. The reason why they're the top tier? Because the election infrastructure folks, they truly represent government, they're the folks who are the, they're the judges, they're the folks who are the judges, they're the referees, they're the people who are setting up how elections, the mechanics of the elections, work. And then you have the players who are in the field, you know, doing the election soccer or football thing.
Speaker 4:And so those are the campaigns, those are the committees, those are base, basically them, uh, that, that middle tier. They are under either section 527, which is quite literally the carve out for presidential campaigns, um, and the related committees, whose tax code I do not actually remember, which is a little embarrassing. And then, last but not least, you have this third group, which are non-campaign democracy organizations, who are 501c3 organizations that have stakes in the campaign. These tend to be what kids call super PACs. These are issue-based educational outfits, sometimes they're 501c3s, sometimes they're 501c6s, which are social and they're advocating for a position and not a candidate. And yeah, those are the three, and because of laws, none of these groups can talk with each other.
Speaker 4:But as a sector, because you know, in the security space we like to talk about, like, do bad guys look at you as all the same thing? Yes, the bad guys look at all three of those groups as kind of the same sets of targets. You'll have the same sets of threat actors hitting up those guys. All of those teams kind of at the same time. Guy, uh, all of those teams kind of at the same time. Um, and, because it's an election cycle, you can, you can, you can time it to your watch. It's. It's the end of august, so it's almost september, so cue the russians.
Speaker 1:Um, okay all right can you tell us a little bit about kind of the threat landscape when the calendar ticks over to end of summer and you're just sort of like, oh look, here come your fancy bears and your All the pandas and all the kittens. Yeah, sharks, I don't know what the animal avatars are for things that aren't Chinese or Russian.
Speaker 4:Screaming Eagle.
Speaker 1:Screaming Eagle. Oh, that's a good one. Is that another crowd strike name? Can you tell us a little bit like what signals you campaign and election security sort of minders of the threat actor landscape start to see around? This time you can almost set your watch to it. Like what do you start seeing?
Speaker 4:and you're like, oh yeah, it's that time of the year yeah, so, um it, it's kind of useful to like that's a good question and I'm gonna answer it in sort of a curious way.
Speaker 4:The thing is is that in the beginning, like aka in 2004, when I first started working in campaigns, you could very clearly see the fact that the threat actors were traditional foreign intelligence officers who sit down and say, hmm, I need to know how this works, because we have some outcome that we're trying to go in favor of.
Speaker 4:Let us do our intelligence work the way that we normally do it, which is we're going to go after human intelligence, we're going to go after people, because these people are key decision makers, and what we need to know is what information key decision makers are looking at and seeing to make their decisions, so that we can either, one, understand what their decisions are and how to counter it. Two, to how we can possibly modify those data points to be able to alter the trajectory. And then, three, how do we make a better space for us, the foreign intelligence officer, for where we want to throw, officer for, uh, where we want to throw then into? Like, the way to think about it is it's weird, right, like in the cold war in the united states and this again.
Speaker 4:I'm going way off path in the cold war in the united states we had a defense theory that's called game theory, and game theory is a lot you're saying it's time for some game theory.
Speaker 4:Sure, I mean, obviously you guys know what game theory is, but like that is just one defense sort of hierarchy and thought process. The Chinese use something that they call defensive push or something like that. The idea is the Chinese will alter the new space that you are receiving to be able to tailor the landscape to be more favorable to their operations. The Russian version of this is called a reflexive control.
Speaker 4:It's kind of like judo, basically what you do is you hit an opponent and you cause that opponent to reflexively go into some reaction space and you're trying to control what possible outcomes that they're doing. I am not making up any of this stuff. If you want to read more about it, I suggest reading Active Measures by Thomas Ridd.
Speaker 1:Oh, that's a good book.
Speaker 4:I would recommend going to read a whole bunch of stuff from SAIS about China and their stuff. I just dabble and I read what I have to because of work within that realm of an intelligence officer trying to understand what's going on in the space. They're again trying to gather human intelligence, understanding where decisions are and are not coming, but first and foremost, they go. We're watching a lot of CNN. How do campaigns work? Because if you're an outsider looking in, how about this one? If you're an American and you look at a US election system, it's, it's un-understandable, it's unintelligible, right?
Speaker 1:It's like it's a it's un-understandable.
Speaker 4:It's. It's unintelligible, right it's. It's like it's a it's it's. You said it's like the Olympics every four years. The Olympics happen this this week.
Speaker 4:You know, in the business we call it E-Day, um, and E-Day happens on a cycle. So there's the election year. The year after the election year is actually a very shallow. After the election year is actually a very shallow, fallow year. There's only there's like a governor of California, there's a governor in New Jersey race and there's governor in Virginia. The Virginia governor's race is the last Wild West in the United States that's left. In the Virginia governor's race it's the last state that allows you to do soft money. So if ExxonMobil wants to spend a billion dollars on you, they can just give you a billion dollars and it's totally fine. You find a lot of wackiness happening in the Virginia governor's race, wow.
Speaker 4:And then the year after is midterms, and then the year after is midterms, and midterms mean one third of the Senate is up for election and 100 percent of the House is up for election the year before the show. Well, it's the year before the show and we're tooling up for the show. A presidential campaign is unlike any other company you've ever heard of or worked for. The job is that you have three people decide that we're going to have a mascot and this mascot we're going to get a new job. So we're going to incorporate a for profit company that runs 100 percent on donations, more profit company that runs 100% on donations, and in 18 months, if we're good at our job, we're going to go from three of us to like 6,700 or 7,000 people and then, like, on Wednesday, we're all fired.
Speaker 1:It's like the worst startup you've ever worked for, except it's also the best.
Speaker 4:It's not one startup, it's like eight startups. Startup you've ever worked for except it's also the best. It's not one startup, it's like eight startups.
Speaker 1:Yeah, okay.
Speaker 4:So, like as of, for instance, in 20, let's go ahead and say 2016, the Hillary Clinton campaign there was a medium-sized tech startup, there was a medium-sized boutique communications firm. There was a small publishing firm, there was a travel agency, there was an event planning company. There is a very detailed and rather huge finance department. There's an advanced team team. I don't even know what, what. I don't think there's a business analog to an advanced team logistics.
Speaker 4:Yeah, I don't, yeah, I mean even logistics doesn't quite say that, because like you can do logistics from home, you don't do logistics from iowa but every four years, a bunch of people just go to iowa and to Iowa and New Hampshire and trundle around there and so, like working at the presidential campaign, it's, it's a wild ride, right, like in 2015,. I started, I was, I think I was employee number like, I think I was like 14 on the tech team. Um, by the time we ended, I think we had 80 or 90, um, and some of those folks that we were, we were working with, uh, I thought I had been working with them for like years, because that's another thing that happens on a campaign. It's an effect that I call the campaign time dilation effect. Yeah, every week feels like a year.
Speaker 1:Yeah.
Speaker 4:Towards the end. It gets harrowing how much stuff gets compacted into individual days Especially in October yeah. And so again to where you're asking. If I'm a foreign intelligence officer, I need to understand how these elections work.
Speaker 1:Yeah.
Speaker 4:Watching the news, reading the news, it doesn't seem to make any sense. So let me go ahead and try to get real aggressive and real aggro, to go see what campaigns are up to. And they try and they do, and a lot of the information is public information. That's first and foremost, so they don't have to break in. Please stop breaking in.
Speaker 1:And two the information that people have.
Speaker 4:It tends to be the intelligence part of it is absolutely 100% useless after we're done with it.
Speaker 1:Oh, okay, okay.
Speaker 4:Because it's things like here's a marketing analysis of where we should do television ad buys.
Speaker 1:Yeah, yeah, yeah.
Speaker 4:Once we do those ad buys that morning, we don't care.
Speaker 1:Yeah, it's useless now.
Speaker 4:That info is absolutely useless to well, certainly to opponents. Yeah, and that's the oh. That's the other part of the campaign. I should really explain that one too. In the timing of a campaign there's basically two major phases of a campaign, well I guess three. So there's a primary election, there's a general election. They have different legal meanings because you can raise two different pots of money for the two different elections. The current limit is like $2,750 per election. So combined you can give like 52 or 50, I don't know. Do math like 2750 times two. You can donate that in a year 5480.
Speaker 1:Right, I mean 40. 5440.
Speaker 4:But that 5480 is just like one pool of money that you could give, like the candidates in the committees have like teamed together because they've said well, you can donate $27.50 per election per campaign. $7.50 per election per campaign. So what if we bundled all the elections together, sort of like you know the mortgage crisis? We're just going to take all these campaigns and bundle them all together so you can just donate a whole bunch of money all at once Triple A rated campaigns.
Speaker 4:Yeah, and that's what happens. And that's what happens. You have these things that they called, you know, joint committees, aggregate committees, coordinated campaigns, things like this and it's you know one. It's important because fundraising is important, because the real phases in the election besides the primary and the general is the fundraising part. So the two phases in the campaign in my head is there's a fundraise portion and then there's the tactics portion. The fundraising portion is kind of easy to understand. Hello, please give us money. Hello, it's Barack Obama, I'm in your inbox.
Speaker 1:To ask you for five bucks.
Speaker 4:Use a non-shitty payment processor and PII handler and you're good to go right, yeah, and we're basically raising money hard, like really really hard, up through basically September-ish, like it's not to sit down and say there's not fundraising happening after September. There's absolutely a thousand percent fundraising that's happening after September. But September, august, right around now, is when the money spigot really turns on and all of a sudden the campaign starts going into tactics mode and the tactics mode is get votes, clock votes, talk to voters, communicate with voters, make sure they have a plan to vote. If they have a plan to vote, present them options on how to vote and then make sure they please go out and vote.
Speaker 1:And then early voting starts like within two or three weeks, right, it's like two weeks, yeah, yeah yeah, it's happening.
Speaker 4:Yeah, and these are the Money, money, money, money, yeah, money, money, money. Votes, votes, votes, please, please, please and thank you. And then you have just sort of the sort of atmosphere of the campaign, and what a lot of people see is they see what we call earned media hits and paid media hits. Paid media hits are really easy to understand. These are advertisements that we've paid for and they go on television. Earned media hits are when the campaign is able to get on air for no money. It turns out the 24 hour news cycle is like taylor made for this um in 2016 airing trump rallies, you know, unbroken, for hours upon hours upon hours.
Speaker 4:That's just bajillions of dollars.
Speaker 1:Yeah, like infinite money Free media.
Speaker 4:Free media In earned media hits. Yeah, yeah, and a lot of those earned media hits are to define and shape the candidates in the campaign, to discuss and refine issues. There's some some mudslinging. That happens. You know it varies between campaigns, but the real mudslinging happens in other organizations because folks don't want to be tied, their hands tied to that.
Speaker 1:Are these the third category? We talked about these PACs and advocacy groups and things like that. Some.
Speaker 4:PACs, some advocacy groups. I'm not going to sit down and paint a brush because there are many good democracy groups within these 501c3s. Everyone's just taking advantage of the tax laws as they're written, because there is no comprehensive federal law around elections. All elections are done at the local level and this is the big problem that the EI ISAC folks deal with.
Speaker 1:Yeah, so like, given that kind of calendar, like around this time of you know, t minus three months of E-Day, it sounds like you're seeing signals, like in the wind, in the chatter, so they start messing around. So like what's, what is your radar look like and what kind of things do you see popping up on your radar? They're like yep, okay, that's, it's starting now. Now like batten down the hatches in the past.
Speaker 4:Um, I don't know. I'll tell you what my favorite leading indicator, the best uh ttp that I have, um, for a north korean uh threat actor to go ahead and start doing stuff. Did they launch a nuke? Did they test the nuke in six hours, I guarantee you, and start doing stuff. Did they launch a nuke? Did they test the nuke In six hours?
Speaker 4:I guarantee you they start doing a hardcore phishing test across as many folks as they can, because what they're trying to do is they're trying to pick up any chatter as a reaction to their test. It happens exactly like clockwork. You can set your watch to it. I literally did. I was like, oh, this is happening, oh, we should go deal with that. The threats to the campaigns themselves is you end up having several sets of folks we have in the policy space. You'll have folks who are in the policy team Policy team. It sounds like their job is to sit down and like, come up with policy and, you know, put good words down into paper and do things. While that is a thousand percent true, policy is also tasked with, and probably their most important job that they're tasked with is vetting speeches To make sure that the talking points within the speech that's what we talked about, that's what we're doing. We're cool with it.
Speaker 4:The way that these policy groups work is they tend to work by basically whatsapping each other and signaling each other and, back in the day, emailing each other. Um, it was pretty common for just these huge giant chains of emails going between very important person that you've definitely heard of in the media and other very important person that you've definitely heard of in the media and other very important person that you've definitely heard about in the media and important person whose name you recognize, and they're just just emailing each other just ideas and thoughts and and stuff. Um, if a bad guy can get a toehold into that, that's perfect. Those are all the thought leaders that they want. These are the key decision makers and people who are giving the right sets of inputs to the right sets of people. We would like to go mess with them.
Speaker 4:If that's the type of thing that we would like to mess with, if we're the type of a threat actor that wants to sit down and say, cause a different outcome in an election, maybe what we're going to try to do is do some hack and leak operations. Maybe we're going for some damage. What damage can we do? And they are opportunistic. Whenever they find something, it's almost always like hey, I found a thing. So it's like, ha ha, here's a problem. How do I make it the worst problem you've ever seen?
Speaker 1:Yeah. So besides a hack and leak, what are they able to do if they say they got a toehold on these sort of email conversations, either because, like, a staffer was in the loop and they popped the staffer's account or anything like that? Like, are they able to like blackmail, or are they able to kind of like, send kind of signals elsewhere in a way that's not like a hack and leak sort of thing, like a wiki?
Speaker 4:leak sort of campaign. Uh well, I've only worked for one team and um, so I don't know what's happening on the other side, but the things that you're saying, yes, uh, all of that has definitely happened in the past, going back to like the 1950s, not with, but, um, there have been sort of individual influence operations that have happened where you know we're just trying.
Speaker 4:We're just trying to compromise humans. It turns into just regular human intelligence type of work. The advantage with sort of digital tools and digital communication means is the toolbox that you have is now just much wider. Things that you'll definitely see, though, is that threat actors at the nation state level they tend to they seem to have, uh like different teams, right, like there's a team. These are the kids who can definitely code and they can definitely write like polished code and full chain exploits and amazing, amazing tools, and then, sort of at the bottom, you have like the intern, and they're kind of bad, but their task is like linkedin and whatsapp, and and which is very valuable, to actually just be like just scouring random shit that gets accidentally posted to linkedin and you figure out some random crap.
Speaker 1:Or you know, you hop into a large whats WhatsApp group that you probably weren't supposed to be allowed into, or anything like that. That's valuable, even if you can't code a multi-level zero-day X point.
Speaker 4:Yeah no, like LinkedIn is the strangest thing to me because in the most American of ways, it is a personal account, but it's about work, but it's about work, but it's not work only in america and and so america.
Speaker 1:We love to work. Our lives are work, work is our life so our work-life balance is all messed up.
Speaker 4:on linkedin, yeah, and by mining linkedin you can. You can get pretty far to go find folks and I definitely found threat actors a thousand percent mining LinkedIn trying to set up meetings. Please, here's a PDF, it's fun.
Speaker 2:So that's probably somewhat newer. You mentioned the 2004 campaign, so like what does cybersecurity for campaign in 2004, 2008 look like compared to, say, 2016, 2020? I think you know cybersecurity is a lot more top of mind in the 2016 campaign than it was for campaigns prior to that, at least in the general populace. So how have things kind of changed over the year? What did it even look like in 2004?
Speaker 4:So in 2004, stripe didn't exist, yeah, we had to implement our own payment processor.
Speaker 1:Oh.
Speaker 4:God. It was written in something called Perl. I remember Perl.
Speaker 1:We used Mason as a framework.
Speaker 4:I don't know what that is.
Speaker 4:And we had this little bank called can I name them? We had a small bank. It was a bank of a nation and we asked them because we were worried about the nomination night, because we knew we were going to get a flood of online donations. But like, hey, how many donations, how many payments can this thing process? It doesn't seem to be very stable like this payment processor that we're using at this top bank, and so I asked the question hey, how many transactions can you do per second? And it took them two weeks and they finally get back to us and they go you can do. We guarantee you can do four transactions a minute.
Speaker 1:I was like no.
Speaker 4:And he's like no, no, no, that's what you can do. We guarantee that you can do four transactions per minute. I was like what does Amazon do? He's like oh, are not allowed to batch these trans, these donations, because there's a magic set of words that happens on the nomination night and you can always hear the magic set of words. The magic word is I accept your nomination to be president of the United States. That marks the end of the primary and the beginning of the general election. But donations up to that night count towards the primary. And because all of a sudden there was this deadline, we asked lawyers because I don't do anything that the lawyers don't tell us to do, because I'm smart, because I'm smart. And they said well, you can take donations up to midnight Eastern time, because Cary's giving his talk here, and so midnight here. I was like what if that was midnight Pacific?
Speaker 2:And he's like wait, what that's like three extra hours.
Speaker 4:I was like, exactly Like, what about Guam?
Speaker 1:Yeah, and he's like what? Where is the farthest US territory?
Speaker 4:What about the US? Like Guam Guam, I think, is the farthest out I can get he's like is that on the dateline? I was like I think it's just before. Yeah, I I was like.
Speaker 2:I think it's just before.
Speaker 1:Yeah, I was like I want it to be Guam.
Speaker 4:Can you please make it Guam? And he's like that's a very interesting question.
Speaker 1:No, Fuck, good, yes, very good question.
Speaker 4:I'm very glad that you tried to push it as far as you could get it to go. The boss came back and the boss was like, hey, listen, midnight West Coast. That seems like a pretty good compromise because otherwise you know, guam or not even Guam Hawaii, hawaii's a full-on state. Midnight Hawaii, that's like a thing I tried to look at the Bering Islands to figure out in Alaska. I was like how far in the time zone does that go?
Speaker 1:Is it further west than Hawaii? If it is, then let's do Alaska.
Speaker 4:Anyways, while we were doing all of that stuff, I'll tell you the type of threat actors we saw. I saw $90,000 in 10 cent transactions.
Speaker 1:Trying to flood you, spam you, knock you off.
Speaker 4:And I said, hey boss, do you want me to return these donations? And he looks at me and he goes what do you mean? I was like they're $90,000 worth of 10 cent donations. He's like are you kidding? How many donations is that? It's like you moved a decimal place, two places, and yeah it turns out my batch code works so hooray like we can handle the load.
Speaker 4:We're good, um, but it turns out carter's figured out that this is a great way to go test their pile of credit card numbers that they wanted to go do. Um, we already put in some controls because in the US elections, non-us individuals cannot donate into the campaign. The way that we've technically implemented this because you know we're technologists is we rely on the credit card, the credit card issuer, to give us the data that tells us what's going on, and encoded within the credit card is all this like weird information I didn't realize was there. But it will tell you like what country the credit card was issued in. It will tell you what denomination money the credit card uses by default and like it's got like zip. And then there's some fun crypto math, which is like crayon and rubber band crypto math.
Speaker 4:But like it's fine like it works to do the verifications and so, like I always, we were already turning down non-us cards. But there was a weird outlier which was I think it was Turkey.
Speaker 4:Like in Turkey, you could have a Turkish card that was processing in US dollars that had a US zip code because of mail, so like all the checks would like go through, and I was like, eh, and so like we had to do a couple extra checks. I was like, yeah, I found the cards, I found the donations. I don't have the credit card numbers because I didn't have the credit card numbers.
Speaker 4:I was like I can refund them. He's like do it, do it, do it, do it. And I was like what do you want me to do about this boss? He's like what do you want me to do about this boss? He's like what do you think? I was like I think you're going to tell me to raise the limit. And these are people who have other people's credit cards and they found a great way to not commit mail fraud to test a credit card number and if we raise the limit to $10, they're just going to donate $10. And the problem is going to be way, way, way worse than the FEC report. And he's like, oh, humped, well, raise it to a dollar and keep watching.
Speaker 4:I was like okay. And so like I built a graph to just stare at donations, which turns out that's my entire life staring at a graph of donations coming in. It's a really good leading indicator for me. We can tell if our payment processor is crashed because all of a sudden the donations flatline. Yeah, If there's some sort of funny business, like anytime someone does a chargeback attack, we can tell because the graph should monotonically increase.
Speaker 4:It should never, ever go down.
Speaker 1:Yeah, so this is not per day or per hour or whatever. This is literally. How much money have we processed for the whole thing?
Speaker 4:It's really a lazy graph, I have to tell you.
Speaker 1:I mean it's kind of nice because you can see the history of patterns. It's not just literally like what is my rate of income or whatever processing per minute.
Speaker 4:Obviously, I take derivatives of those curves as well, but, like at the end of the day, it's really easy to see the graph like slightly do a change in inflection, rather than like staring at the positive and negatives of an acceleration graph Because, like when I tried doing that with the acceleration graph, the boss was like that graph hurts my head.
Speaker 2:I don't want to see it and he's just like okay yeah, that makes sense.
Speaker 4:Okay.
Speaker 2:So payment processing, credit card fraud, at some point phishing becomes center of the story, I feel like by 2016. Yeah, and so was that around then, or is that a somewhat new development?
Speaker 4:Phishing had been happening all throughout, like 2008, 2012. There was a lot of ph fishing that was happening then, um, but can I talk about there was? There were some successes that the bad guys had in uh 12 that were very real on both sides of the aisle from the campaign. In the obama campaign got popped by chinese uh threat actors china.
Speaker 1:China was having the ball in, like the 2010s, 2012s era dude, they went hard.
Speaker 4:they went hard, um, but the the difference in the operations was that a lot of the Chinese tooling is automated right, like they're really sort of built for like okay, click this thing and run this Windows executable. Like, do the thing. Here's a Windows executable Like go, go, go. And as campaigns started maturing, different and different, and Apple existed, a lot of the more senior people started just like switching to Apple computers.
Speaker 4:Yeah, especially for like that like sweet window of time between like 2010 to like 2014, there was like a sweet window of time where, like, there were kind of not many apple o days out in the wild it was like it was, like it was like it was calm and nice and like my suggestion was like buy an iphone, have a macbook pro and we're kind of pretty okay pretty okay like your edr isn't doing what you think it's doing yeah so like it's pretty okay, yeah, um, yeah, but in 20, 2016 campaign, fishing with uh buck wild um, I had I had been hired in the campaign, like 2015, september 2015, and I had come up with a plan to protect uh what's coming into the campaign, what's going out from the campaign, and protecting the principles of the campaign.
Speaker 4:Because that's it, that's real. Like you protect the people you protect to stop coming in. Protect the stuff going going out.
Speaker 1:And that's the plan.
Speaker 4:But to that end, I was always, and I continue to, mostly worry about personal accounts. It is the strangest thing to me today. If you work for a company, we can do all kinds of stuff for you, we can do amazing amounts of stuff for you security wise, but if I am just with my gmail account, I'm just at, I guess, my own personal like recognizances, like yeah, like whatever individual responsibilities, individual responsibilities, right. App didn't exist at the time. There was, like there was.
Speaker 4:Uv keys did exist, but the two-factor auctions the ecosystem was pretty bad at the time. The biggest pain in the butt, of course, with the QR TOTP passwords was backing up. It was TOTP passwords because that was a nightmare and so the usability wasn't quite there. But I was very concerned and I was watching through this and I said that we should probably convince all of our principals, all the high level senior officials, 1000% across the board, everyone you need to have at least some sort of multi-factor authentication on your works but also your personals. I went a step further and argued that we should do all this on our banks and just everywhere that I could possibly get us into. Let us do those bits of basics, because this campaign isn't going to exist in 18 months. We're a ghost town in 18 months. The only thing that matters is the people that are here now, and I had made my face known around the campaign because I have a dog and my dog was like the informal mascot around the campaign.
Speaker 4:And then one day it happened, I think it was either February or March the Russians started doing their first sets of phishing emails and they hit high and low and they were very, very, very targeted. Again, these are how you could tell differences between different nation state actors. In this particular case, they would hit senior campaign officials down, like they would go from senior officials to their assistants, like legitimately their assistants, and then down the line, like just like down the reporting line. How would they know how to do this? The FEC report.
Speaker 1:Oh.
Speaker 4:So when the bad guys started doing their thing, I, within 15 minutes of them starting their campaign, I had, uh, campaign team members walk up to me and go. I got a really weird email, can you like?
Speaker 1:check it out.
Speaker 4:I was like yeah, I'm in and I checked it out. It was a garbage uh fishing link and it had a bitly link. I was like cool, give me this bitly link. Let me put a plus sign at the end of the thing. Let me hit the go button and it will tell you meta information about the link. Primary thing that was important was they were using a bitly account, because they were using the API to create these links and so they had to do it from an account, and so then you could take the username of the account and then you could iterate on all of their things.
Speaker 3:And so I wrote this.
Speaker 4:Honestly, this garbage, just potato level Python script, yeah, and she would just scrape Bitly every 10 minutes.
Speaker 1:Hell yeah.
Speaker 4:And just tell me what's going on, because it's Bitly. It would also tell you how often someone clicked and I was like I don't love this, but this is your security team that finally has metrics. Yeah right, I was like hey, this is good, this is good, this is good, and like we would sit and we would watch this account and like they started, because like they were using basically three different Bitly accounts.
Speaker 4:And they were just iterating through them and like I could watch all three of them and at one point in August of 2016, bitley stopped my ability to publicly scrape that VGIN point.
Speaker 1:You're the malicious actor.
Speaker 4:I vaguely never found out why. I vaguely assumed someone in law enforcement was like yo, I want to know more about what's going on here. And they're just like we're shutting this whole thing down, Okay, and like I go oh no, I want to say it's August, but like probably. In actuality it was probably October. Oh, wow.
Speaker 4:Campaign time Dalatian effect. I don't actually remember when anything happened. We were watching things happen. Effect. I don't actually remember when anything happened. We were watching things happen when a high level principal got an email. I walked over to their assistant and said hi, hey, do me a favor, go into bosses email because I know you have access to their account and just delete this email. I really don't want to just delete it. It's cool. And while we're talking, boss is on the phone with IT and he's saying hey, I got this email from Google saying to change my password. What should I do? And IT goes it's from Google. It sounds like a good idea, boss.
Speaker 4:And he clicked the link in the email the bad guys were only in the account for a very short period of time um that is a piece of specific value. I don't think I can share exactly how long, but they weren't there for a long time because, again, we had eyes on, yeah, um, all of that damage was from that very short period of time.
Speaker 1:Oh my.
Speaker 4:God, and that was brutal. And, by the way, in my estimation, as I was saying, nation states have different tiers of teams.
Speaker 1:Yeah.
Speaker 4:This was probably their B team. I mean this was like B team work, because again the Bitly League and all this other stuff Like one level above intern. Yeah, I consider there to be about. There are three distinct, different waves of attacks that hit us in 2016. And they all have sort of like time features and weirdly they're broken up by the Olympics.
Speaker 4:So like the B team hit us before the Olympics, okay, and then they were just doing a bunch of stuff, they're emailing a bunch of things and then all of a sudden, august hits up and it's the Olympics and that, like terrifying moment, happens as a security analyst happens, which is all of a sudden your bad guy stops targeting you yeah like, and you're just like oh no, he's still sending emails, like they're still sending stuff, oh wait.
Speaker 4:But like all of a sudden, no one on our team is the ones on the receiving end and we're just like oh, this is bad, oh what did they get?
Speaker 1:did they succeed?
Speaker 4:they're done with us like it's the worst, like like pit in my heart, feeling, um, I in my head, I feel like I spiraled for like three or four days. My friend and co-worker is like, oh, you were pissed off for like 20 minutes. Uh, it turns out I don't know why this particular threat actor during the like, right before and during the olympics, they started only targeting, uh, olympic committee doping doctors and testing companies. It was the strangest thing it went really hard against these like suddenly they had a reprioritization at work yeah, I would google some of these email addresses like what?
Speaker 4:this is a doctor, this is like in college, like what is this? I don't understand what I'm looking at like this target list is is strange, yeah. And then also I was like like a light bulb, which was olympics dummy. I was like, oh yeah, oh, this is that first sign that the russians had to play under like the roc flag and not like the the actual russian flags. Yeah, because of all, the doping yeah, um, they were mad.
Speaker 1:Yeah, they were super duper mad.
Speaker 4:Then, like after that, there was another wave which was, I think to me, this is their A-team, and their A-team was cute. They never broke into any of our systems, but they worked really. They got really close, they got scary close and so, like, again, heavy knock on wood, they did not break into any of our campaign resource technology.
Speaker 2:Good.
Speaker 4:They did get into the DNC, yeah, and that was. That was pretty rough, that was pretty rough. We had to do IR on that issue and it was pretty long IR. Again, I'm happy to report that today those issues do not exist because all of those problems are gone, because the DNC has taken security extraordinarily seriously. Post and I mean even during, like they were. They were because DC. The only thing we do is overcorrect.
Speaker 4:And like and like thankfully, the folks that they've hired up, they've managed to like steer the ship in like a good direction and like keep the eyes on the prize. And I like that, I really like shout out to Bob bob and steve because like they're good dudes.
Speaker 2:Um then there is what I call s team like s tier, oh super s tier cool, like they were hardcore we're big in the tier lists on this podcast.
Speaker 4:They were super hardcore. S tier was a phishing email.
Speaker 1:Okay, yes.
Speaker 4:Coming from not owned infrastructure, coming from the Google Play Store. Oh God, and it was amazing, it was from the google play store. Oh god, and uh it was. It was amazing, it was from the play store and it said hello, we've deemed that you should install google scanner on your account and it's like it's got it.
Speaker 4:You know rainbow g and all this stuff. You click the thing. It takes you to the app store oh my god. And I was just like whatever the fuck this is is bad. And like I reach out to a couple folks that I know over there and I'm just like take this off right now. And one figure out what it's doing and two, give me a copy and they're like Tim, tim, we can't give you a copy, but it is hazmat, it is, it is it is legitimately bad.
Speaker 4:I was like go on, and they're like I don't know how much is this this? I think google actually released, uh, most of this, um, uh in a report. So like, uh, it would attach to your account and it was an oauth to cred to your account and just tapped into all your stuff and just covered up everything else and shuttled it out to some server on yandex oh, my lord, I'm surprised we don't see more of this, because this is like the universal fishingishing bypass.
Speaker 2:It's terrifying, but, like we say, phishing is solved.
Speaker 4:I go around a lot saying like install YubiKeys.
Speaker 2:But OAuth 2, like this is tough because you are still authenticating to the real identity provider when you do something like this.
Speaker 4:Yeah, and it was like Dave, you're absolutely right. I am shocked I don't hear about these attacks more. I've seen other folks do something like this, trying to tip into OAuth creds, but this was one where it came straight from the app store and I was just like that's bad. I had no idea this is bad in all shapes and forms, Like I immediately recognize that as an OAuth 2, like attack and I was just like I don't know why I never thought of this.
Speaker 3:Like the original. The original phishing mail comes from the app store, right, and then you're in a. You're in an app, like you've installed an app, it's going to mint a cred Like that's where the OAuth 2.0. That used to be a low-quality bug on pen tests was finding a system somewhere that would let you send an email and then be like, okay, that's set info, and it probably is still set info in a lot of places. But if you can find that bug somewhere in the Play Store where you can send an attacker-controlled email, that's obviously pretty rough.
Speaker 4:Yeah know, send an attacker controlled email, that's obviously pretty rough, yeah, and like, by the way, they only sent out the. The target list was like only top tier and I was just like oh, oh so they were keeping it quiet too, um, and then, like the s tier team, they also like when that didn't work, I believe, because, again, you never know Right, that's, that's, that's the worst part about our jobs. It's like you never really know. You have good feelings.
Speaker 1:Yeah.
Speaker 4:But like you never know, but like I feel like at the time we're low chance, maybe, maybe, hopefully. Someone forwarded me an email with this wild pdf and like and they're like hey, tim, this pdf won't open and my computer's acting weird I was like cool give me, your fuck, give me your laptop.
Speaker 4:And I just turned the thing off. Yeah, I was like, go to it and get a new one. And they're like like. But I was like, but nothing, everything you're doing is on the cloud. If it's not, you're not getting it today. Go get a new laptop right now.
Speaker 1:Is there a shredder nearby? I'm going to get this with a baseball bat.
Speaker 4:Yeah, I pop open the malware using my favorite tool, which is XXD, because YOLO Like live off the land, right yeah, and like object dump. And I'm just looking at a fat-packed binary and this was a wild binary Like this was a PDF that had multiple operating system executables. What the fuck For multiple mobile operating systems, multiple desktop operating systems. This was the one that was going to work, and it was all magically encapsulated in that garbage PDF file, because PDFs are garbage.
Speaker 1:Yeah.
Speaker 4:They're just absolute garbage, like hey, here's a memory address that we just go to and then we run an interpreter on it, oh great.
Speaker 1:It's a little computer. It's a little Turing machine.
Speaker 4:It's still a Turing complete machine.
Speaker 4:So like I looked at the thing, I found enough to sit down and be like's an l petter, yeah, okay, I don't know what, because like I've done enough memory dumps to sit down to like, okay, yeah, zero, zero, okay got it there and I was just like, okay, that looks like. Oh, okay, there there's multiple binaries that are in this. I don't have have time for this shit, yeah. And so, like I throw it over the wall to a friend, I was like I know it's bad, I don't have time for this. It's like late October.
Speaker 1:Yeah, yeah, yeah.
Speaker 4:Or mid-October, like it was getting late in the season and we had to like do a thing. And yeah, getting late in the season and we had to like do a thing. Um, and yeah, it turns out, if you look, in october of 2016, adobe has like eight cves on one release two of them are like tens and I'm like, I'm like no joke, like this is as bad as it possibly could be, and like I was legit until I was like that's the one you found and I was like cool, thanks super props.
Speaker 2:Usually when I talk to people about like securing an organization or running a security team or any form of security, I like tell people not to worry about odes.
Speaker 4:I'm like you need to sort out your identity provider and your logins and then, like patch, there's a bunch of other stuff to get through management. Do you know what you're doing?
Speaker 2:like just authorization credential tokens yeah, exactly, but also this undertone of you're just not fucking important enough for an ode most of the time, right, and this is great advice until you suddenly become important enough to have a pdf that's got like privilege escalation binaries embedded for five different operating systems inside of it. Um and so, like, what do you? What do you do about that? Aside, is it just go after the fundamentals again, like because now you're existing in the world that I tell people, most people not to worry about, like today?
Speaker 4:my biggest fear is is mobile devices Like I like laptops and computers, your windows desktops, all this other stuff. This is garbage. No one cares. Again, I always say your EDR is not doing what you think it's doing, it's fine, but your mobile phone is doing everything what you think it's doing, it's fine, but your mobile phone is doing everything that you think it's doing. It is OAuth credited into all of your life.
Speaker 1:Yep.
Speaker 4:And if you want to go from a place, that's the place to go do. Hopefully the jails within the mobile devices like jail correctly, but who knows? Yeah.
Speaker 3:Like I mean. So Pegasus Is what I'm trying to say. You all talked a lot about like 2016 and the experience of you know, the campaign getting fished and all that, and then in 2018, part of the reaction to the experience in 2016 was a bunch of security. People got together and did organized training for a bunch of congressional campaigns.
Speaker 3:I did a little bit of it. I did less than everybody else did and there was a Slack channel with a really big long conversation about recommendations to give all the campaigns and that produced Maché's tech solidarity congressional campaign list. I'm curious what your take is on in in 2024 versus where we were in 2018. So you just brought up mobile devices right like a. Really a core recommendation on the tech solidarity list was get your shit off of laptops or whatever and move it on to your eye and move it on to an iphone I know because the iphone platform, I mean there are.
Speaker 3:There are things where, like you know, we can go back and forth on how campaigns operate for, but from a computer science perspective, the iphone is a safer platform. Oh yeah, your phone, then your, then your laptop is right. So like, yeah, I mean, that's an interesting case there, right where, like now in 2018, we also would have said you need to be everybody on your campaign needs to be running a modern iphone right, like no and no android no android, but like apple six or better at least, or I, yeah, iphone sixes are better right, right.
Speaker 3:And today you'd say you know whatever the lat, you know. A phone within the last I don't know four years or whatever from um you know, runs modern ios right, I'm willing.
Speaker 3:I'm willing to sit down and say any phone that has a security enclave, you're okay ish, one of like one of the things that I feel like we ran into when we did trainings and just like a thing that we learned from talking to people was it's like there's a perennial debate about android versus, you know, ios security and at this, at this point, like I've given up on it right, like it's gotten too complicated for me to have any faith whatsoever in like whether I know what's going on there or not. But the bigger even back then, the bigger issue was um, if you tell people they can run android phones, they're gonna run random ass.
Speaker 3:Best buy you know shitty android phones right timu if you could, just if you could just get people to say, if you just get people on flagship phones, yeah, you'd be fine. But but now you're explaining the concept of a flagship phone and in a campaign security context.
Speaker 4:It's much, it's as much crisper to say, you know, get an iphone or don't, don't plug in um, that is mostly right, because today, an iphone in lockdown mode, an ipad in lockdown mode, you're pretty good things. I add to that is I also sit down and say, hey, uh, we're, we're gonna use iverify, which is a startup coming out of trail of bits, guys and guys, and it is not an MDM. It's way better. It's built to find things like Pegasus. It's great, use it. And the Defending Digital Campaigns folks, michael Kaiser's team. They've really made the ecosystem a lot better. Because the biggest problem with campaign finance in 2004 was that campaigns cannot get a deal on vent from vendors.
Speaker 4:Um, because if we get a deal from a vendor that other campaigns cannot get as an in-kind contribution yeah, and so like I would sit down if we get this vendor and they give us a discount, as long as they offer that discount to the other team, that's kosher right. And he's like that's kosher. I was like, okay, cool, that's not an in-kind contribution.
Speaker 1:But they have to take it right.
Speaker 4:Private company what they do is what they do? I don't know.
Speaker 1:No, no, no. I mean like the other side, like if you got a deal offered to both of you but only one of you took it. I don't know, I'm not a lawyer, anyway, but okay, yeah.
Speaker 3:So I'm like I verify here would be like the one possible exception to the uninstall all your EDR and antivirus stuff to the uninstall all your EDR and antivirus stuff, which would have been a 2018 recommendation of ours. Yeah, you know, for me still probably, but like I could, you know, and iVerify is great, it seems fine to me.
Speaker 2:Yeah, yeah, there haven't been any notable EDR issues in the last month.
Speaker 1:No, not at all yeah no, it's pretty good stuff.
Speaker 4:It's August. Oh wait, it's still August. It's still August, it's still August. The ecosystem has changed. It is different. Everyone is using cloud services. Very few people are doing things exclusively on their laptops, with some notable exceptions, and even then those exceptions are going away.
Speaker 3:Uh, we were like we really generally what one of the things that flummoxed us was like trying to figure out a way to get people not to double click on things like you can take, you can take.
Speaker 3:So first of all, you kind of I'm sure this is still good, right, like you want to get people out of the habit of sending attachments in the first place and instead have them send links to g docs or something like that, right, so they're in. Right, but like, if they're going to, you can do the attachment thing. If you, you know, copy the attachment out and upload it to Google driver or something like that, right, like sure. Or if you do it in Gmail and look at, or if you're doing it on your iPhone or whatever, right, but the thing that's getting normal people to understand not to, like we were to the point where we were talking about, like distributing applications that would be the file handlers for those applications and just redirect them or whatever. I'm still like I don't know that there is a good answer on getting people not to double click things, which seems like a pretty big kind of hole in the whole campaign security apparatus.
Speaker 4:So one of the things I worked on recently was the Office of the National Cyber Directorate has the Cybersecurity Workforce Task Force, and I was brought in to the White House to go read through some of their papers, give them feedback and input onto some of the things. And the biggest problem that I identify is that information security today exists in the same kind of space that sex education existed in the 1950s. Right, it is mostly anecdotal, it is mostly peer kind of learnings from the age of, and this is my favorite thing to do is whenever my friends have kids, I sit down like cool, hey, when did you just give up and like give your kid your phone? When did the kid figure out your password or your unlock code to your phone? When did you give up and give them a tablet? Um, and like when did they first install their their own software on their own tablet? Um, there's like because, like kids are doing this, oh yeah. And like the olds like to sit down and talk about like digital natives and this and another like whatever.
Speaker 4:I just like to say that's 2024 and this is just life and the norms that we have in the sort of tech business world is drive, engagement, drive engagement, drive engagement, drive engagement, drive engagement. And, tom, what you're saying is is like, how do I stop double clicking? How do you stop people from like sharing things on a thing and just randomly clicking on it because they saw, here's a TikTok video or at least a TikTok looking URL, and I'm just going to go?
Speaker 1:Stop engaging, Thomas. It's just about not engaging when the entire internet and the entire software ecosystem of your life is trying to get you to engage and has trained you to engage.
Speaker 4:And so instead we need to focus on those basics to make sure that some adequate system of controls do exist. But none of these controls exist for you and your personal account and it hurts. Well, I mean, I mean not really it's. It's like you can sign. You can choose to sign up for APP you can choose to sign up for. Microsoft has the same thing, except they call it Maps, so it's M-A-P-P. I mostly recommend folks work inside Signal Groups if they can. I know a lot of folks still use Wicker, which is fine. It's fine enough.
Speaker 1:I know some good cryptographers that work for Wicker.
Speaker 4:There's some good work that's been put into Wicker. Things I tell people not to use is things like wire and telegram and fiber, because that was like a thing for half a second I definitely don't use telegram in france no yeah
Speaker 4:don't run telegram and go to france. Um, I don't know what, what to do about the idea of, like, please stop engaging with things, because campaigns move extraordinarily fast. Uh, if you're a low-level staffer, you're getting hammered by all kinds of bosses all the time, and bosses are sending stuff from their personals all the time. I well, less and less, but we, we know that it still happens. Yep, people are people, um, and then bosses are getting emails from everyone, yeah, all the time, because they're bosses and they're fancy. Um and like, how do you take some people who should be treated as, like, a national security asset, who is now a private civilian working with or volunteering with the campaign? How, how, how do we put adequate controls around those people? They need to take a personal interest in doing so, and many folks have.
Speaker 4:And 2024, that's the biggest change. Okay, um, am I saying that we're good across the board? Oh, definitely not. Um, I would sit down and say that even in 2020, we had to explain to, uh, relatives and spouses of candidates. I was like hi, yeah, we're gonna. You know, hello, grandma, we're gonna go through your, we're going to go through your, we're going to put some security controls on Facebook. And they're like you can't mess with Facebook because that's where my grandkids are. I'm like, no, you'll still have it, we're just going to lock down the thing. And then they say, well, I can't see a post because you touched their Facebook account. And all of a sudden, the Facebook algorithm did something, and all right, and so that drives anger. All of a sudden, the Facebook algorithm did something yeah, and all right, and so that drives anger. And any change? Yeah, any change.
Speaker 1:Any change, coincidental or not, is now your fault.
Speaker 4:Yeah, Just because you touched it, so like that's definitely a thing, yeah, and so humans being humans, tom, what people do is they buy two phones.
Speaker 1:Right yeah.
Speaker 4:And then they're like I solved a problem. I have two phones and you know, now you have your campaign and work-related BYOD device and then you have your like personal fun phone for, I guess, clash of Kings or whatever game you want to sit down and like play time on.
Speaker 3:It was always the dream to get people to buy Chromebooks for this, which was a pipe dream.
Speaker 4:I mean, we bought a lot of Chromebooks in 2020, or the DNC bought a lot of Chromebooks in 2020.
Speaker 1:Did they get used?
Speaker 4:Yeah.
Speaker 1:I mean like documents, google Docs, whatever. There's a little thing like boom.
Speaker 4:Like there's a wild market difference between the tooling that the different teams use. Okay, it's weird, right. Like DEMs are typically AWS, Linux, Mac shops. Okay, and the Republican camp tends to be Office 365 with Azure setups and like, yeah, it's like it's a market difference in tech. Now I will say that there are some gem committees that are also on Office 365, but they also have to play with the Google workspaces stuff because everyone else is doing it and they've decided we're still sticking to this.
Speaker 1:And.
Speaker 4:I mean good for them because I will say that if you have the manpower to adequately administer an Office 365 environment, you know Windows Defender is like a really amazingly good tool. That's like remarkably cheap at uh for what it does.
Speaker 4:And if you pay for that e5 license and you get all of your security telemetry and you have some thing that can ingest and digest that and maybe you hire an MSP to create you some alerts, you'll find stuff Like no doubt Cool, but in the individual campaign world, if you're running for a Senate, if you're running for the House, if you're running for even the, for the White House, making sure that those equities to spend the money on security is hard. I know that this cycle there are a lot of folks who are pushing elbows to make sure that that budget is there and doing stuff and kudos to that. You might need to cut that, but the best part is that people are caring and people are noticing. Finding the right balance is hard and, tom, I do not know how you train everyone Because, again, a campaign is young and old. Right, it is digital. Smart in digital. You know less smart it'd be.
Speaker 4:It'd be big if true, if you did know how to solve that problem yeah, no, yeah right, because, because, like I don't know like it it always comes back down to me is like there's some set of liabilities that we've, that that some set of companies have been able to like work around, such that we're in this world that we live prioritizing API backwards compatibility and like feature requests and features and building new features, versus like addressing tech debt and like solving like long-standing security problems. This entire strange ecosystem of like stuff wouldn't have to exist. Um, and the problem is, is a liability right? Like if they made a change to fix the thing, there's a small chance that someone would sue them for fixing the thing, and so if the choice is do nothing, don't get sued, do something, get do nothing always wins, and maybe that's above my pay grade. That's a policy discussion that needs to happen with some very serious thought leaders and suits. I don't know, not me.
Speaker 1:What do you think about pass keys that can be synced?
Speaker 4:Not me. What do you think about passkeys that can be synced? I think that passkeys are. They're a lot better than YubiKeys, like, so here's the reason why they're better than YubiKeys. In 2020, we gave out tons of these YubiKeys to campaigns and I'm holding up, like, like, my key chain of three different multi-factor devices and there's actually five and six over there on my desk. Yeah, the problem with this is that this isn't the only device that you need to connect to that device. You also need a dongle to be able to make sure that it can talk the right uh usb to my device and what happens is I got the key and you know, I lose the dongle. You don't have the key, and in 2020, the nfc stuff didn't work really well. Uh and all that. Pass keys are better because users notice when they don't have their phone anymore. Users take action when their phone breaks. They're very self-motivated in making sure that that device is in their hands and working.
Speaker 3:It feels like the distinction is not meaningful in a campaign setting.
Speaker 3:I know specific people who wildly disagree with me on this point right but it seems like in the context of a campaign where the principle in the campaign is likely is not messaging the rest of the team or receiving messages from random personal accounts using whatever device was most quickly at hand for them right, like just getting them onto some kind of phishing proof. Authentication is the top line thing you're trying to get done right. And then like isolating the key onto bound hardware so they can't be transferred or whatever. That's a fun, like movie plot attack and I'm sure that really that attack happens. But like the, the actual fruit for attackers is so much lower. Hanging in existing campaigns like why wouldn't you just use the phone?
Speaker 4:Yeah, and so the passkey becomes this extra fee factor that I have around the device. And, yeah, all the keys are in the security enclave, right, and you cannot get to them from any of the local non-privileged API requests that you can do on the device to get there. But, like right now, the usability ain't great and the biggest problem with passkeys that I have found is that the path because the usability of the passkeys is sort of like being stuttered, rolled out account recovery becomes the hardest, becomes the easiest way to pop an account.
Speaker 1:Oh yeah.
Speaker 4:And like pass keys. Without advanced protection mode, account recovery is still like hey, I'm sending you a text, right, I'm sending you a plain old SMS text, are you? Did you get it? Cool, great, and I'm going to SIM jack your device and we're off to the races. I don't know if that attack is live, but it's a thing that I've a thousand percent thought about and have been able to pull off on myself and friends accounts to just test that theory and, like google, will nag you if you don't have a recovery phone logged with them.
Speaker 1:Yeah, they, they like you have to go out of your way to avoid the uh account recovery flow as a tax vector thing yeah, and and like it's weird for me to sit down and say this, but like maybe no account recovery and like I completely understand why they're like for a normal, for everyday user like they.
Speaker 1:Like they get locked out for whatever fucking reason, like I've gotten locked out in the distant past, but like I know which of my google accounts is like the roots and like the other accounts because all your google accounts point at each other yes, like and like other things, like what they fail over to fail over to recover, to recover to the one that doesn't have any recovery flow.
Speaker 1:But google, like, even with app, with every bells and whistles, like every signal I can send to google that like, this account is special and you should put me in the highest. You know, blah, blah, blah. They have all these other things that will nag you to be like you don't have this and you don't have that. You don't want to not be able to recover your account, like, no, that's exactly what. This is the one that's not recoverable.
Speaker 4:And explaining that to a regular user sounds scary, right? Yep, Like because it's scary to me. Is it for a baby?
Speaker 1:Oh, yeah, yeah, yeah, yeah. That's why that account has like several Yuba keys, including one that's in like a box that you like bury in the ground, like those 10 backup account recovery passwords.
Speaker 4:Right, those 10 backup account recovery passwords, right, like I had one person go hey, tim, like our AWS or GCP root account, like we did the thing, and now we have these like these 10 passwords and these seem really powerful. I was like, oh yeah, no, they're super, duper powerful. Like, what do I do with them? Do I just print them out and put them in the safe? I was like is the safe, fireproof? He's like maybe I was like trick question no, safe is really fireproof, You'll just make charcoal. He's like what?
Speaker 2:are you going to do?
Speaker 4:I was like, legitimately. I've heard of teams that have taken those recovery account passwords and used a laser cutter in a piece of steel. Yeah and like, cut that into a thing and then throw that into a safe and throw that safe into, I guess, the ocean or whatever. Um, but like, but like. This is not an okay thing for regular users. Um, and I think that at the end of the day, attackers are lazy, like they have, and cheap and cheap, and like in the b team they're given again linkedin and whatsapp and email addresses and maybe, maybe evil engine x and um the s tier teams, they're just doing stuff and like, if you can, and even if you bat away the b tier, the s tier is still going to come back.
Speaker 4:And if you are the target and I've always said this to to my users when I've done my security awareness trainings which is like if you are the target of a nation state attacker like you, your name, you yourself, you, you as a person, you're kind of bumped. There's not there's a lot that we can do to delay them. There's a lot we can do to get signals to see that something else is happening, but at the end of the day, what we're going to rely on is we're going to end up relying on the vendors to do what they can do, and that's the right answer. We can't make every user a security person. Right, we need to make, we need I mean I'm going to sound like Jen Easterly and put my fingers like this but like secure by design is like a thing that is a noble effort that is going to be implemented poorly because, the equities are voluntary, right?
Speaker 4:Yeah, Like there's no mandate to have to do this. And even if you were told you have to do it, the secured by design paradigm is not like I don't know. Like you guys have probably had this same thing happen to you A coder a junior coder comes up to you and goes Tim, tell me how to make code secure, Like just whatever it is. How do I do it? I'll just do whatever it is that you say Delete it I'll write secure code, delete it.
Speaker 2:Yeah, why hadn't we thought of making things secure by default before? I should have just been hitting the insecure button, oh yeah.
Speaker 4:So I don't know. I've been talking a lot, but this industry is a hard industry because, at the end of the day, we don't Us as the security team. We are either a cost center right or we are a pain in the neck to product PMs.
Speaker 1:Yeah.
Speaker 2:Who here would be a product PM, I think. On that note, I just want to go wrap up with one thing that you mentioned in terms of time dilation, which is we're recording this on August 26th. It was less than two months ago that Biden debated Trump.
Speaker 4:Yeah, and then like so two months ago Biden debated Trump, yeah, and then like so that so two months ago Biden debated Trump it, but to me that feels like about three years ago. It also feels about two and a half years ago, when Trump got shot. It feels like it feels like probably definitely two years at this point. When Kamala got, you know they switched up and switched up candidates. It's hard, it's, it's, it's, and we have 70 days to go 70 days to go.
Speaker 2:Well, we appreciate you taking some time to talk to us.
Speaker 1:Thanks, man, thank you so much Godspeed to Election Day and beyond. Keep doing what you're doing. Thanks for the stories.
Speaker 4:Yeah, yeah, yeah, yeah. Yeah, this is fun. I appreciate you guys having me on your podcast.
Speaker 1:Totally Security cryptography whatever is a side project from Deirdre Connolly, thomas Tachek and David Adrian. Our editor is Nettie Smith. You can find the podcast online at SCWPod and the host online at Durham Press Room, at TKBF and at David C Adrian. You can buy merch online at merchsecuritycryptographywhatevercom If you like the pod. You can give us a five-star review wherever you get your podcasts. Thank you for listening.