
BSidesCharm 2022 Closing Keynote - Secure the Era - Mick Baccio

BSides Charm · 48:22 · 281 views · Published 2022-07

About this talk

From local to state to federal, all political campaigns continue to be targeted by bad actors and face growing cybersecurity risks. Drawing from experiences from the South Lawn to South Bend, Mick will discuss the unique challenges, lessons learned as the first CISO of any presidential campaign, and the potential for campaign cybersecurity in 2020 and beyond.

Mick Baccio (@nohackme)

Mick Baccio fell in love with the idea of cyberspace at nine years old after reading Neuromancer, which led him to pursue a career in computer operations with a focus on information security. He most recently held the title of Chief Information Security Officer at Pete for America, holding the honor of being the first CISO in the history of presidential campaigns. Mick was also the White House Threat Intelligence Branch Chief in both the Obama and Trump administrations and helped create a threat intelligence program during the rollout of the Affordable Care Act at the Department of Health and Human Services. Mick has also served in cybersecurity and technical roles at the Department of Defense and Centers for Disease Control and is a US Navy veteran. Mick is currently a Security Advisor at Splunk, leveraging his background and expertise to help customers solve complex security problems. In his spare time, when not posting pictures of food, cats, or sneakers to social media, Mick is the Vice President of The Open Organisation of Lockpickers in Washington DC, and a Goon at DefCon.

Transcript [en]

Make sure I got all these things. Good morning, everyone. Thanks for coming. I know it's super early. I'm gonna move away from this. So let's get started. The title is Secure the Era. There was a guy I used to work for named Pete Buttigieg; his campaign slogan was Win the Era. This would have made more sense two years ago. That's going to be an ongoing theme, just bear with me this morning. All right, so before we get started: it's 2022, this is not 2020. The campaign's over with. You know, like a lot of things, this is kind of dated information, we're kind of a time capsule, but I think it's relevant now. It's relevant more so in two years, so like me, like many things, it's so much cooler two years ago.

Also, fun facts, some more housekeeping: I'm super colorblind, like really. I see a 12. And that's really it. So there's like some real primary colors going on. All right, fun fact: I joined the Navy and I was supposed to be a nuclear engineer, and this lady walks in and she's like, hey, no, it's not gonna happen. Your file says you're good at computers. And I was like, we're gonna go with that, and here we are.

So I figured I'd break this down into four parts, make it pretty easy, pretty digestible. First we'll start off with, like, why am I here, who am I; what it's like to be a campaign CISO in a presidential campaign; talk about 2020 a little bit, and I might be a downer; and then finish off with dana ma. So, oops. All right. Oh no, the formatting is gone. Oh well.

All right, so that's me, Mick Baccio, @nohackme on Twitter and the internets. Random stuff: been doing this for a super long time, spent most of my career in the federal government. Last fed job was at the White House running a threat intelligence team. I run a conference called Thruntcon. Blue Team Village, if you're not a part of it, you should go find a part of it. I think muteki is here this weekend somewhere, find her. Co-host a show called Coffee Talk with SURGe. Blue check mark on Twitter, for whatever reason. And I super dig Air Jordans. Not work stuff: like, I really, really dig lock picking. You can find me in Lockpick Village when I'm not doing stuff like this. Thing one, thing two, all the stuff we did. Scuba certification. I'm a Goon at DEF CON. And that one time I was a monk in northeast Thailand.

Career-wise, like I said, most of my time in the federal government. Got to hang out at the Pentagon. I ended up at the White House. Then I went to work for Pete for America, and now I work for a company called Splunk, some of you might have heard of, on a research group called SURGe. So yeah, that's a lot of work, a lot of government stuff, mostly in the threat intelligence wheelhouse, but cyber's taken me all over the world, and, you know, hopefully it will take you there too. So we're gonna focus mostly on this area. Like, when I was at the White House, I kind of got there in October of 2015. Everything leading up to the 2016 election, the inauguration, the transition, and a year and a half in the Trump administration, and then my time with the Buttigieg campaign, and then 2020, where, like, all the elections happened and there were no problems, and here we are now.

So yeah, side note: I did work at the White House, and remember this, when Secretary Sean Spicer tweeted out what looked like his password at the time. So I get to work and I get called over to the West Wing, and the person tells me, hey Mick, this intel's an hour old. I'm like, all right. Oh, I'm sorry, it's an hour and 15 minutes old because it took you 15 minutes to get over here. And I'm like, oh, it's one of those conversations. I'm tracking, I got it. I need you to call Air Force One. And I'm like, I what?

Dial nine first, or like, how do you do that? So, you know, this happens. When you find out what's going on, you need to get to the bottom of this. And I'm like, that's not really threat intelligence, right? Threat intelligence is tracking actors. This is somebody doing something stupid, more than likely. And so, you know, end up calling Air Force One: hey, I need to speak to Mr. Spicer. He's with the media right now, do you want me to interrupt? I'm like, what? No. The branch chief of a threat intelligence team does not need to interrupt the press secretary while he's on Air Force One talking to the media. Please don't do that. So, long day, plans in Atlanta. We get to the bottom of it, and all that to say, you dial nine first. All right.

But, you know, a job like that. You know, Layla talked about what a campaign was like, that high-pressure, high-intensity environment, be ready for anything. That's what working at the White House was like. So when I quit, I know that's not really a linear transition, and, you know, I didn't quit because of that, I quit like a much longer time later, but there's a lot of stuff I really can't talk about, so we're just not going to talk about it. Sorry.

So, I want to be a campaign CISO. Sure, why not, right? Well, real quick, show of hands, or applause: who has worked on a political campaign? Anybody? Awesome. Austin, you're the man. All right, so there's this guy, Pete Buttigieg, and I had to Google how to pronounce his name because I just did not know. But when you go to his campaign headquarters, like, "boot edge edge" is written on the wall pretty big, so it's pretty easy. So before I took the job, I'll be honest with you, like, I don't know how campaigns work, I don't know how elections work. A caucus, like, I knew it was this thing in Iowa where there's tape on the floor, and, like, where you stand on the tape is who you put your vote for, and I'm like, that's how we choose our president in America? Election Day is on a Tuesday because you can't have it on Sunday, I gotta travel on Monday, but not too late in the season because the crops come in. That's right, crops. That's our system. So really, I learned so much about it in that time, but I kind of walked in, and, hey, I know all these other things. You know, I've done VIP executive protection, you know, like making sure principal ops, you know, they're kind of secure.

You know, and then I thought about it, I was like, this is such a unique job. A campaign is so unique. I got a call one day: hey Mick, we got your name from someone, do you want to come work on this campaign? And I was like, no. You heard all the things yesterday, right? Campaigns don't pay well at all. It's a very, very temporal job. Either you win or you don't, and anywhere along the line you can get fired or you can just quit, you cannot have a job anymore. So I was like, no, I don't want to do it. But then I had some friends, like, hey look, this is a really big thing, like, you're the first person ever to do this. This job might not come around in four years. You know, I guess I'll do it then.

So I accepted, spent a long weekend, Fourth of July, out in Colorado with some friends, and then flew to South Bend, Indiana, which I had never been to. If you've never been to South Bend, like, there's Notre Dame, we all know Notre Dame, right? And then there's the rest of South Bend. Did not know that. So this is a great, great place. So joining was non-stop since the entire time, like Leo's 100% right. It is super busy on a campaign, you're always working. So I was working there in July, went to DEF CON in August, and

this article came out. So like, most of my career has been on the classified side of things, right? I just do secret squirrel stuff. It's kind of my background. I've been real big on my privacy, right? And then this, hey, this Mick is this guy, coming out. Oops, let me go back. When this just came out, and there was privacy, it was super awesome. But you know, and then on Reddit, Fat Cat in Tight Places endorsed me, so like, I can't get any better than that.

So let's talk a bit about that campaign. A political campaign at, you know, a presidential level, even lower level, it's a for-profit company. It's incorporated. All right, it has its own tax code; the FEC is a separate tax law for it. It sells items of no value for donations, so it's funded entirely by donation, and its sole purpose is to elect its mascot president. And I say mascot because, and it's not in a negative way for the most part, it's not a CEO, right? Your candidate is not the CEO of this campaign. It's completely detached. And it's not like a board of directors either, where, you know, it has some kind of involvement in day-to-day operations. That's not what a candidate does. A candidate does exactly what you see a candidate do on TV: run for president.

So, and the other thing: this job might end tomorrow. Anything can go wrong. You don't raise money, you're out of a job. You say something stupid on TV, you're out of a job. Perfect example, anyone remember this? It was a long time ago, 2004. Howard Dean gave a speech to a lot of people. He's going to the White House, we're going to D.C., yeah! And then, like, I had friends who worked on that campaign, were in the room when he said it, and they're like, well, done here. [Laughter] Fun fact about that: so some of you have seen the clip, heard the audio. The initial recording of it, his voice was not that scream. Someone took the audio, lowered the rest of it and raised just the end, and that's the part that went viral. That video went viral. So sorry, bro. We gonna do right.

So let's talk about campaigns in general. All right, so you have election infrastructure, your voting machines, your voting systems, everything like that. That's covered under the EAC. Influence operations, you see a lot about that now because, you know, it's the new hotness. So those are things that are covered under the Election Assistance Commission. Those are things that are covered under CISA's definition of election security. Campaigns aren't. There's no oversight. So, you know, the distinction between these, I don't think is made enough. Okay, there's no oversight in a campaign. So all of you that work in the field now, who's ever been audited? Like, who knows what FISMA is, or Security Scorecard? I know I made all of you sad just saying that. All right, I work on a campaign, I don't have to do that. I don't have to follow anything. And the problem becomes, because this is such a temporal job, is the juice worth the squeeze? And that's what you're going to run into. Chip had a good point yesterday where it was, hey, you want to be secure, we all want things to be secure, but when you impact operations, it's not going to let you do it. This can't happen. So, you know, that's a very, very big thing. So the other two I don't know as well. I know cybersecurity, been doing it for so long.

So all right, let's do this. Let's put this in a campaign. What's that look like? Campaigns, generally, there is no security culture, right? 2016, we saw the things that happened with Hillary for America, with John Podesta, with the DNC, the D-trip, everything like that. You think there's more security inside of it, but security is a cost center, just like your job. So if I'm trying to, every vote, every dollar I spend on you is a dollar

I don't spend on votes in Iowa. That's just the way it goes. So creating security on a real budget, on a real temporal thing, is super hard to do. So you're creating a culture, like, heavy on the cult part, right? Think of who this staffer is, and I'm trying really hard not to be scary. Most of your campaign staffers are either first job out of college or second job out of college, and the first job was on a campaign. All right, so I've been doing super threat intelligence type stuff for the past decade of my life, and I'm sitting down with some 20-year-old, like, hey, Russia's going to get you. And I really felt bad. There was one time I gave a speech, my training, the whole team, because when you're on a campaign you can't do one-to-one. You try to, as much as you can, do one-to-one with principals, but with the entire teams, the entire campaigns, you're doing an entire broad message, right? The training we all go through, it's kind of like that. So I'm doing it, and there was this cat named Ian Mellul who was in a leak, DC Leaks, back in 2016. Talked about him a bit, and, "oh, that's my friend Ian." And I'm like, oh no, I'm sorry, I don't mean to rag on your friend, but has he heard of multi-factor? Spoiler: he did not.

So when you talk about a campaign, all right, so a political campaign is a lot like a lot of businesses you work with now, but it's entirely different because each has its own fund and pillar. So you have principal ops. Principal ops is your candidate, candidate's family, immediate staff. So for me, you know, I think Pete Buttigieg, think his husband, his mom, the immediate close members. You want to lock them down. Those are the folks that have the tightest level of security. Think of when you do a crown jewels assessment now, like your ring zero stuff you need to protect. That's what you need to look at first. After that, your policy folks. Policy folks are going to get targeted, because if I want to know what your candidate is thinking, I'm going to steal their work. All right, that's just how it goes. Finance is the money. Media control the message. Investment: campaigns are really, really, money is so fast all the time. Think about how much money, when you've seen this on the news, when a candidate raises 30 million dollars in a month. All right, cool, we got 30 million dollars. Well, no, actually you don't. The problem with that becomes when you go out in the vendor space, you're like, hey, I need to do this solution. Oh, we saw you have 30 million dollars. You're like, oh, that's adorable. You think that goes to me? No, it's to Iowa votes. Data, and data is a very, very big problem, I think, in all the campaigns we deal with every time. Data is a very, very nebulous ecosystem behind everything, we'll get into. And again, they don't pay well, so you're not getting, like, the sharpest and brightest. You just get who wants to believe in this candidate and help them win. So each of these departments inside of a campaign has a security story, and your job, just like it is now, is to tell that story.

So, supply chain. We can't have a cyber talk without talking about supply chain, right? It's kind of our thing the past two years. So when you're on a campaign, and I was on a Democratic campaign, so I can't really speak to what a GOP side is like, I imagine it's exactly the same. So you have everything pretty much in the cloud. Then you rely on an ecosystem, things like Civis, ActBlue, NGP VAN. These are kind of back-end databases that are hosted by third parties you log into for information. There was a thing that happened back in 2016, which, I get it, where Senator Sanders' campaign accessed the voter data of then-Secretary Clinton. And if any of that, you know, oh, you can't use this data for two weeks. So that was the

penalty for it. But the problem becomes, you know, this information, when you download it from these vendors, if that gets out, it's kind of on you. If that data is manipulated, it's kind of on you. If one of these vendors gets compromised, that's a downstream effect. So I'm sure we've all seen things like that in our day jobs. So, canvassing data, you know, that's also a really, really big thing. That's your door knockers trying to get folks to vote, through real targeted demographics that you're going for every day.

And another aspect to consider when you're doing security is the gamesmanship. So someone registered petebuttigieg.org, and when you went to that, it redirected you to donaldjtrump.com, which redirected you to his campaign website. Like, what are you going to do, right? This is how it goes, right? If you remember the debates, when President Biden said, hey, text Joe 30 30, and he misspoke, someone registered that domain and pointed it to Pete for America, which, that's just part of the game. Like, if you didn't do it fast enough. We see it all the time. So that's not really malicious, right? I mean, I care, but I don't really care that much, unless you're having to go to, like, some really foul website, and I'm like, oh, I gotta do something about that. And then it becomes important, your relationships with those cloud providers, with those registrars, because we've all tried to take down a domain. How long does that take? Is it an hour? Is it a day? Like, we don't have that kind of time on the campaign.

So spoof domains, like, this is something we all know way too much about. Run dnstwist on Pete for America and let me know what comes back. When I did this there were 525. I have a staff, minimal, at a campaign. You're gonna do the same thing. We talked about what funding is like, you just don't have that kind of staff, you wear so many hats. So I hope they're not bad. Those 18, are they registered? They send in mail? Like, what are you gonna do? So it's something you keep an eye on, and you try and leverage that ecosystem as much as possible. But like we all know, nothing bad happened from a spoof domain ever, so we're good, we're good.

Supporters and optics is another, you know, big, big area to consider, and this isn't really the information side of it, it's kind of close though. You know, your people that are supporters of your campaign, you don't want to piss them off, right? So let's say that, you know, you're a fan of the campaign, you open up a website, you're selling t-shirts, you know, you're selling bumper stickers, but I didn't make those, those aren't official, like, Pete for America ones. They're not official campaign ones. That's copyright, that's brand, that's, you know. So what do you do? Do you shut it down? Like, do you go tell one of your campaign supporters, hey bro, I can't have you doing that? So that's a really, really big problem. And all those things on the right, like the Buttigieg campaign, yeah, that was his account, or his account. The rest of those are unofficial ones. So you kind of got to play that balancing act. If it gets too loud, you got to do something. If it doesn't get loud enough, you don't really care. It's the same thing we deal with every day.

So has anyone here ever donated money to a political campaign, or to the DNC? All right, are you still on that mailing list? Yeah. All right, sucks. So the problem becomes, on a campaign, I'm trying to reach as many people as possible, right? I'm trying to, you know, get my message out to everyone, let them know who my candidate is, and also it all comes down to money. We need money, so please donate some money. Kind of like spam, kind of like every BEC email you deal with every day. There are campaigns that have gotten caught in things like Spamhaus, and like, you're going there like, we're gonna do, like, hey, no, we're just trying

to ask for money from people. Strangers? No, what I meant was, we're trying to raise funds for a guy. Doesn't matter. So you know, that's gonna be an ongoing thing. And I mentioned, like, who's donated to a campaign before, because once you've donated and you try and unsubscribe from that mailing list, it's just, I've never been able to, and it's been over 12 years. But yeah, I'm not saying campaigns are bad for doing that, but like, [Music] remember this? This is Jeb Bush, 2016. So he gave a speech in Florida. He said, I will not trash talk, I will not be a divider in chief or an agitator in chief, I won't be blowharding, talk a big game without backing it up. I think the next president needs to be a lot quieter, but send a signal we're prepared, and to act in the national security interest of the country to get back in the business of creating a more peaceful world. It's pretty good, right? So Jeb Bush said this to a room full of people, and he thought, hey man, that's pretty good. Nobody clapped. Nope. There's kind of like this, this is good, and then he said, please clap. And I don't know if you've ever talked in front of a crowd or told a joke or anything like that, but if you have to ask people to, it's like explaining a joke. Jason, you're with me, right? Like, you explain a joke, it's not really a joke at that point. You're just, ah. And then shortly after, Jeb dropped out. So again, like, be ready for anything, any job, at any time. Just be ready for anything at any time.

So, be ready for anything at any time. I was in South Bend, Indiana, right? And I said you wear a lot of hats in a campaign. Mick, you worked at the White House, you're doing a lot of technical stuff. Mail screening is a problem, right? Campaign gets mail, and when I first started, you know, oh my God, sir, you wouldn't believe what they are saying about you on the internet. And so mail came in. Like, it was not great mail all the time. So we gotta screen mail, right? Mentioned how a campaign is pretty nebulous, pretty temporal, just don't have a lot of time for things. So I'm calling around South Bend, and, hey, I need a room inside a building. It needs its own ventilation, though. Okay. Because we're gonna do some things and make sure stuff doesn't blow up or poison everything like that. I need more ventilation. I also need a month-to-month lease, so, might not be here in a couple months. So, like, hey, I need a month-to-month lease. And I play it back in my head and I'm like, oh, I sound like a terrorist. Like, I would call the FBI too. I would. That this guy called and he wants to, like, blow stuff up in a room. And I play it back in my head, and yeah, be ready for anything. That's kind of, so yeah, that happened. That happened.

So on a campaign, you know, your job is to, so your job as a security person in general, you're the same thing you're doing anywhere else, right? You want to get people engaged in security, which is really hard to do because we're a super pedantic bunch, and we kind of let the perfect be the enemy of the good a lot. And it's not a bad thing, I guess, but it kind of is a bad thing when you come across like a jerk and people just ignore you. Educate people. Like, we work in a pretty technical field, and my friend Ryan likes to make this analogy of wizards and muggles, and I don't mean it in a mean way, but like, we do something that a lot of people in the world can't do and don't want to do and don't care about. So like, no one cared about the plumbing in Rome till it stopped working. Security is the same way. And encourage people. Like, we all screwed up. I have made so many mistakes in my career, and then just, you know,

it's, teach people that it's nothing bad. What's the worst thing that can happen? Oh, we lost some data, we lost the computer. I get it, right? It's not the end of the world, but let's try and make that not happen. And just how to be secure. Most folks, they're not against it, they just don't know. Again, this is like first job out of college, second job out of college, real, real young. Just, I get all these things, like, why is it a threat for me? And your job is to kind of encourage that and move that ball along. You know, I had, difference between like an EPP and EDR, they don't care. Hey, how come my email is slow? Where'd my email go? You know, culture is everyone. It only works if we're all involved, kind of like security. I think everybody in the infosec field, we're kind of going through that now. We're like, hey, we gotta kind of be more open in what we're doing, or else no one's gonna play ball with us.

So, a few considerations, and I'm sorry the formatting got messed up. I moved to PowerPoint this morning because Google Slides on a full screen, it doesn't happen. Anyway. Vendors are a problem, like I mentioned, right? You're in a campaign, tops, 18 months. So I start running for president today, 2022. Elections November 2024. You know, after that I'm done. I go hang out with Layla, the team at GSA, I go transfer my network over. So I don't have a year contract to give you. And things have gotten better. Michael Kaiser and the DDC group, you know, if vendors, hey, we have services for you, discounted, things like that, are super great. But take advantage of them. You know, a lot of folks just don't know that they're available to them. Kind of like all the stuff we do now.

Competition between campaigns, man, it's just the dumbest, dumbest thing. I don't get it. I had a thing where, hey, I've got, campaigns don't share, right? So I had an email: hey look, we got a phishing email. Should I call someone from the Warren campaign and let them know? Should I call someone from the Biden camp and just say hey? Should I call someone from the Trump camp, say hey guys, we got this email? Like, I know there are 20 guys over there, should I give a call? No, it's a competitive advantage. You heard Mike yesterday. Mike Sager's an awesome dude. He works on the Democratic field, he is a pretty progressive guy, he will never work for a Republican campaign. You know, and that's kind of polarization. It's not against Mike; everyone I know is like that. But would you share information with them, right? Politics is super polarizing. It's competitive advantage. But is it really? Like, what are you helping out? And I think that's the thing that really needs to change more.

Every dollar you spend is a dollar that doesn't go to votes. I heard that so many times, and I get it, and I get it, but security is the cost center and it's always going to be. You got to find that balance. One of the big problems is folks that are running campaigns, like, security is not in your syllabus just yet, right? Security is a cost, we can get by without it. And I'm sure a lot of you do without every day now. Like, why do I need to put this in? It's just a roadblock, it's a hurdle, we don't have a lot of time left. So, you know, what are you gonna do? And like I said, there's no compliance. You don't have to do something if you don't wanna do something, which is crazy. You can set up your environment and not have multi-factor for your accounts, and that's cool, no one's going to say anything about it. You can set up your email, not have SPF checks or something like that. You might get some, like, some horrible article online about, oh, this guy doesn't have SPF checked. That's it. Like, no one's gonna, there's no fine, there's nothing like that at all. Your ATO is not gonna get revoked. So

it's really up to you how good you wanna make it, and therein lies the problem. You can make it really good, you just gotta get involved. And what's your bar? You mentioned yesterday the Belfer playbook that came out of Harvard after 2016. If you haven't read it, go read it. I think it's fantastic. I also think, like, security doesn't have a bigger role in it, as it could, as it should, but I'm a security guy and super biased, right? So what do I know?

And again, security is likely one of the hats you're gonna wear in most campaigns. Like, I was a CISO, the only one. After I left, the Biden camp picked up Chris DeRusha, and kind of went from there, right? Security guy is also usually the IT guy, also usually the data guy. You just know computers, so you do all the things on the back end. That's just your job in a campaign, because, look, we're operating lean here. We're, you know, we're here for a couple months. We're here for a good time, not a long time, I guess the phrase is. Just, you're here to win. And after that, if you know how to do something, I'm gonna take advantage of it. Oh, you speak Spanish? Okay, look what we're doing now. Oh, you speak Russian? Oh, look what we're doing now. Just take advantage of your staff members, which I think is actually really good. It gives you a chance to let people shine in an area they might not normally, because they just didn't know they were able to. But at the same time, you kind of get overworked, you're super stressed, you're just super, super busy all the time.

I'm not, quit is not a theme, I know this thing feels like it. Like, yeah, I quit shortly before the Iowa caucus. Just a bunch of stuff, or like, you can Google it. You know, there was like a New York Times thing, and a Wall Street Journal article, and I quit, right? Like, I can't really talk about it too much, but I guess it's kind of a different conversation for a different day, a different talk. We've all kind of been in this. There's some truisms we have in our career, things that kind of stick with you, right? Nobody takes care of you like you. That'll stick with you the rest of your life. And whatever job you have, whatever place you work at now, it's probably there before you and it's going to be there after you. All right, you are not irreplaceable. Things are not going to shut down just because you left. And it's like an ego smack to say that to a lot of people. Like, I walked away from the White House. As a fed, that's your dream job. So, you know, the White House is still running, shockingly, but the White House is still around, you know. It's just, things are temporal. Just remember that in your career.

So anyway, I quit. Along the way I met a lot of really, really cool people. They didn't work in security, though. Now you heard some folks yesterday talk about professional political operatives. These are folks that work on one campaign, campaign ends, they go to another campaign. It's like contracting, but you don't really make money. I don't. It's a lot of moving, you know. It's like, you're working a campaign, you're working the Buttigieg campaign, hey, let's go to South Bend. Like, you're gonna go get an apartment in South Bend and leave what you're doing here? I don't think there's a lot of folks that can just kind of pick up and do that, and I know I couldn't, and I don't think I'd want to. So, you know, I think more folks that are in security and campaigns would be awesome. I think more campaign folks that were aware of security is where we would come in.

So all right, let's talk about 2020 a little bit. I don't really know what happened. So, like, is everybody a bit comfortable? Like,

it's hard to talk about politics without things getting political and working on a campaign it's super because like hey man i don't i don't care about politics i just work in security um and you try and keep that like you really try like i worked the white house you know first year and a half the trump administration it's the chair you know not who sits in the chair and after a while yeah it's kind of suits in the chair um so you know the next part here it it this is all my aperture and yours might be different and i'm not saying this is the way everything went down it's just hard to really kind of recap everything

um without you know causing a lot of strife and dissent you know i just i'm not trying one side's wronger than the others just you know so 2020 all right um when you look at what happened it kind of there was no hack right there was no dnc d-trip things like that um you know it's normal election for the most part as far as like the election process itself um you know polarization is alive and well i think we learned that a lot in in 2020. you know for some people in america is exactly the outcome we expected um there's a whole lot of like uh well well well it isn't if it isn't the

consequences of my actions. So, you know, it was just a really, really weird election cycle this time, but there wasn't, like, nothing got hacked. There was no technical hack like in 2016. It was a different area this time. 2016: this is me, inauguration day. Wild. Not as wild as this time, but it was on par, I guess. I remember I was at the Capitol and a fight broke out. That's where I was looking, like, a fight broke out at the Capitol on inauguration day. It's like a kegger, and it's just wild. I've just never seen, like, I've been in

the government for a long time and I've never seen something like that. So 2020, I was like, oh yeah, you know, that kind of tracks. Like, you know, this time they brought grain instead of a keg, I got it. So it was just different. You know, it was still screwed up, super screwed up, but in a different way, which I guess is good. 2016, let's look at what we had, right? The D-Trip hack, the DNC, HFA, Guccifer, Anthony. Remember that guy? Remember, like, two days or a week before the election when FBI Director Comey came out and was like, hey, this guy has some emails on his laptop that weren't his,

but it's cool. Like, that was a big deal. And of course the whole email thing that, like, I just, whatever. 2020, it's a lot of technical poking. You saw, like, that weak sauce that Iran did. You know, like, IRGC is not really known for impact operations; it's more of an MLS thing. It's a whole different talk, but like, that's what we saw. We didn't see a campaign get hacked, or at least publicly know about it, and I think that's a really good credit to the folks at Google, folks at Microsoft, because that infrastructure is hosted there. Misinformation, disinformation: you know, you gotta admit it was a pretty big deal, right? There's a lot of

that going around this time, like a whole big bunch. And COVID. Like, COVID changed the way campaigns are. Campaigns are big, like door-to-door knocking, right? Like, hey man, come vote for Pete. If you knock on my door, like, the third week of March, I'm not gonna answer that door. So how does that work for a campaign? We're like, we need to go out and talk to people, we need to go to these primary states and go out and talk to people, hey, get awareness with my guy. How's that work now? A lot of phone banks. A lot of phone banks. And I think that changed forever. And COVID, you know, everything leading up to the

election, everything after, was just wild. The response, the vaccine, you know, that did have an impact on our election this year. I mean, you know, two years ago, it's what happened. So 2024, what's that mean? I don't know. Like, I really don't. It could be awesome, it could be just like a fiddle playing in the background. Well, I'm just... And I know there's a bunch of stuff I'm leaving out, right? Like, I understand. I spent most of my career, especially the 2016 election, at the White House. It's like, I read a lot of classified stuff and I don't want to get arrested for saying something. There's clouds. Oh, that was, oh, huh, turns out.

So yeah, November 5th, 2024. Like I said, you know, you're gonna see a lot of folks' campaigns spinning up now. Got about 18 months, got a year and a half. Security's a 24/7 thing. Normally a campaign is like three or four cats in a room, like, hey man, you should run for president, and that's literally how it goes. Spins out from there. Start getting your fundraiser to start. Security guy might come in, you know, eight, nine months down the road, if at all. So I guess what I'm saying is maybe you should run for candidacy, and security is first, right? That's the way to do it. [Applause] So because I'm a nerd, because we're all

nerds, we're going to break this down the way we know: people, process, technology, right? That's what you break things down into, and there's always a wild card on the end. And I think it comes down to these areas here. When you talk about people, you know, you talk about the mis- and disinformation. CISA kind of has something for that, where it's their Rumor Control, you know, election myth versus reality. I get all my news from Twitter and do my own research, so I'm good. I'm kidding, don't do that, don't be a dum-dum. This is, like, point people to this. This is the problem, is, you know, hey,

this is the place where you should get your actual information from. It's gotten a lot better, but the weaponization of information is definitely not new. You know, the ability to rationally discourse is gone, and I think part of the problem is, you know, no one's gonna have a conversation like, oh, you know, I really appreciate it, I've reviewed the notes you sent me, I read and cross-referenced the notes, and I see your point of view now and I'm a better person for it. Nobody says that [ __ ]. Those aren't the conversations. I wish they were; they're just not. So point people to the place where information comes from. If they don't want to go, they don't

want to go. I can drag you to the water, I can't make you drink it. Voter fraud. So I kind of didn't want to put this in, but it's kind of a more and more big thing. I work with a lot of voter lawyers and I'm trying to understand it, but like, the only thing that I can come up with for a rational explanation is, like, I lost. You guys have heard of math, right? Your numbers, you guys know numbers. Like, if I want to swing an election, I'm not going to change three voter rolls in Wisconsin. It's just not how that works. So I'm gonna mess with that,

but the back end where the votes are counted, I'm gonna say that's an integral system and there's nothing wrong with that at all. Like, that's not how you rig an election, how you swing an election. I was lucky enough to hang out in countries in the military where they do swing elections, and they didn't change voter rolls. I'm just saying. Like, I have no doubt that voter fraud exists, okay? I also have no doubt that voter fraud does not exist at the scale it would need to to actually swing an election, okay? It's not how math works. And again, you can't tell folks that, because that rational discourse isn't gone. Hopefully it gets better. But yeah, if you

explain math to people in numbers, it'd be super good. So this was an FBI note that came out: cyber actors, part of an ongoing campaign, attack technology, hacked the things. A couple of, you know, secretaries of state, election officials getting targeted. It's happened, I want to say, yeah, October of last year. Sucks, right? It's midterms, like, but nobody cares about midterms, so I don't get why. So, and it's midterm elections getting targeted, you know, I don't care enough about it. And it's weird, because when you go back to 2018, the same thing happened then: midterm centers targeted, campaigns targeted, election securities targeted, again midterms, nobody cares. So start calling Bruno. So, road to a broken campaign, right? You're a

security guy, your job is keep that campaign secured. I think these are kind of the big things that you're really worried about. Technical compromise, that is your nightmare: one of your systems getting locked up on a campaign. Fun fact, remember that part I mentioned, the egregious lack of oversight or compliance? So I would say 90 to 99.9 percent of your staff is using their own laptop, like, using their own gear. Then it becomes a big problem: you want to install what on my machine? Uh, no. And to be honest, I'm like, no, I'm with you on that one, I get that, that makes sense to me. So, you know, again, goes back to buy-in. But a

technical compromise, that's what your fear is. Proxy interference, we all know what that is and how bad that can be. As a CISO you can't really do much about it, but you better be aware of it. You're a security professional; your staff is not. So a lot of the things that get into your head are gonna just kind of float around and echo back out. The oversight, it's a huge problem. And credibility, like, right, let's see, once you screw something up, and this is internal or external, you're gonna buy that trust back, right? We've all messed something up at work, and like, all right Mick, next time we're just gonna let somebody else talk and you can just sit

back. Branches. But that credibility is super important, because security is so new in the political sphere. You know, let's make it count, let's make it do the right thing. But I think the biggest one is apathy, and I think that's a huge problem, because all the things I mentioned, none of them change if we don't care, if we don't do anything, if we just sit around [ __ ] about it and, like, don't do something about it. And I get it's messed up. It's super messed up. Like, what are you gonna do? Like, we just sit around complaining about it. I'm with you, but we'll get drunk. But like, it has to get better and

we have to make it better. So let's wrap this up. Oh, look at me go. Okay, so which way is momentum swinging? I did, like, a whole bunch of, like, probability formulas, you know, I had like a Bayesian calculation in there and whether things were, anyway. There's a couple things I think are different now, you know. [Music] Jen Easterly over at CISA is doing awesome work. They just picked up Bob Lord. You guys know Bob Lord? If you talk to him for more than, like, three minutes, a hardware token appears. Doing super awesome work. Bob Lord was at the DNC in 2016, 2020 rather, and the work he was doing

there was so amazing. Like, the DNC in 2016, we all know what happened. Bob and the team there are really responsible for kind of restoring that credibility, and you look at what they've done and where they were, it's super awesome. Yeah, free FIDO keys. You know, you mentioned Michael Kaiser here yesterday. DDC, that group: if you're ever thinking of going into a campaign, remember his number, remember his name. Those services that are available through that catalog are incredibly useful. The other one I found useful was DHS has a services catalog. They offer, you know, hey, we'll do some vulnerability scanning, we'll do some phishing tests. Like, we didn't see eye to eye on that,

but like, it's fine. But they'll do it for free, and if you're in a campaign you've got no money. Like, that's what I need: free stuff. I need all the free stuff you're gonna give me. But I think it all comes down to this dumb phrase, right? You ever heard this before? All politics is local. And I know what it meant. Like, everybody on the campaign said it and I was like, oh, thank you for that, that's super helpful. But we've all heard the phrase "the mitochondria is the powerhouse of the cell." It's completely useless, but it's true. And that's what this is: it's a completely useless fact, but it's true. If we don't start locally, nothing

changes widely. So, you know, go vote. Your vote does count. In DC, not you so much, but like, [Laughter] sorry about it. Alexander, maybe. Don't change, not gonna change, but go vote. Real quick, you know, it's having your vote count. DC, sorry about that, but like, true. Show of hands, like, who is registered to vote? Everybody here registered? If you're not, go to this website and it'll tell you, like, where you need to go, what you need to do, who you represent. It's really simple stuff. It's like, just go do it. It's just, tell people to go here. Some of the other considerations: donate money. I know I just kind of [ __ ]

on the part where, like, you're gonna get spam emails all the time, but like, time is money, and if you don't have time, donate money to a campaign. Volunteer. You know, we all live somewhere. There's a candidate running, and I don't mean on a presidential campaign. There's probably a congressman or a senator or even local. They don't have the staff, they don't have the money. Like, I was on a presidential campaign; for a state house election, how much budget do you think he has for security, or she has for security? This is not gonna happen. So volunteer for an organization. There are plenty of groups out there. I want to say it's Defending

[Music] the other DDC. There's Michael Kaiser's DDC and there's another one, and I get them confused. But basically, we talk about donations, like, you can donate to a campaign, right? You can only donate, I want to say, 2600 or so, 26, 28, right around there. That's all you get. So there's some groups out there like, hey, I'm gonna come down to my little checklist, sit down with staff, lock down their devices, things like that I can do. I can give you twenty-six hundred dollars' worth of that service. Anybody here done consulting? Is that like, what, 10 minutes, a cup of coffee maybe? Just like, what are you gonna get out of that? So that's the problem.

Pay attention. Midterms coming up, you guys know that, pretty big one. Yeah, all right, pay attention to it. Go work on a campaign. You know, I've had good experience, bad experience, but it's the wildest ride you will ever go on. It is like a career capped into a couple months. You know, like, either you win or you don't, and that's just how it goes. It's a pretty binary job, unless along the way, yeah, and then you get fired. But you know. And the other part, don't be apathetic. I really, I can't stress, I know it's easier said than done, I know, I know. Again, kids in the bag, iwillvote.com, go

there, go vote. It's just super important. So, you know, I did a thing one time on a pretty big stage, right? I was the first CISO of a U.S. presidential campaign, Baccio, so maybe like a $300 Jeopardy question sometimes. But there's other campaigns that need help. Every campaign out there does. They need more than a CISO; they need security staff, it needs security awareness. You need to be more aware of what security is in the world we live in today. The only way to get better is to get better. My, they're just supposed to be birds. You know, and to close out, like, yeah, it's hard. Of course it's hard. You

work in security, guys, come on. We pushed that rock up the hill every day of our career; we're going to do it in politics now, we're doing campaigns now. So that's how that works. Like, that's it. So thanks to a whole big bunch of people. Thank all of you for coming, and I guess that's really all I have. Any questions? Yes.

How does physical... physical for who? Like, the principal?

No, I'm kidding. So the question was, like, physical, like PERSEC and cybersecurity. So you kind of wear both of those hats, right? And maybe you shouldn't. Like, with my background, I've kind of done that before, so yeah, I kind of know how to do that. Limited staff. So for a candidate, you know, your principal is always going to have that body man, that's going to have that, you know, Service with them. Staff, you know, put some cameras up if they're there. You're normally in a rented building for a few months, so how much can you really do? You have badge access set up, you know, just your generic

stuff, your basic stuff, low level. But you're gonna put in what you have time for, what you have budget for, and kind of what you're allowed to do, right? Because, hey, we're doing numbered pins on every door in the building? Yeah man, that's not gonna happen. We don't have time for that [ __ ]. We gotta... So, you know, kind of pick and choose. But you as a security guy, it's probably going to be under your wheelhouse too. Yes?

Typically they don't, you know. No, I'm kidding, I'm kidding. Not really, but I'm kidding. I got a call randomly from a friend who was like, hey, we got your name from someone, which is, like, never a good phone call. And you know, I want to say I know Ragtag is one of the groups out there, but there are plenty of folks out there. When, you know, the DNC, they don't recruit actively, that's the thing. They're not looking for a cyber person; they're looking for a person to go knock on doors. So go knock on doors and say, I also know computers, and then you'll kind of wear that hat as well. You'll make the same

money, right, but then you'll, which, I'll just do the more work. That's how that works. Good. Awesome. Well, thank you so much, everyone. I really, really appreciate it.

[Applause]