The Jordan Harbinger Show - 405: Harri Hursti | The Cyber War on America's Elections
Episode Date: September 17, 2020
Harri Hursti (@HarriHursti) is an ethical hacker and researcher, co-founder of Nordic Innovation Labs, and has been featured in the HBO documentaries Hacking Democracy and Kill Chain: The Cyber War on America's Elections.
What We Discuss with Harri Hursti:
Who's trying to hack our elections and why.
Why all Americans lose if we allow enemies of the state to tamper with our election results -- even if our "side" emerges victorious this time around.
Why electronic voting machines are more vulnerable to fraudulent manipulation than mail-in ballots and other forms of voting that leave an auditable paper trail.
What we know about hacking strategies that have worked on other countries -- because every single NATO country has had Russian interference in their election.
How fostering the public's eroding trust in our election system is the ultimate goal of our enemies.
And much more...
Full show notes and resources can be found here: jordanharbinger.com/405
Transcript
Coming up on the Jordan Harbinger show.
When you are examining any kind of device, whether it's an ATM, whether it's a life support system or voting machine, you always find vulnerabilities.
But how safe you are is how the company reacts.
If the company says, oh my God, help us.
Let us fix this problem.
Now you know this is in a good hands.
If the company goes, we are going to sue you and try to stop this message.
Now you know nothing gets fixed and the culture is the one which is causing all the trouble
because you are not trying to fix the problem.
Welcome to the show. I'm Jordan Harbinger.
On the Jordan Harbinger show, we decode the stories, secrets, and skills of the world's
most fascinating people.
If you're new to the show, we have in-depth conversations with people at the top of their game.
Astronauts and entrepreneurs, spies and psychologists, even the occasional four-star general,
each show turns our guest's wisdom into practical advice that you can use to build deeper
understanding of how the world works and become a better critical thinker.
Today's guest is an amazing hacker that you've probably never heard of.
This guy's a genius and we're lucky he's on our side.
He memorized all the country flags at age three and by age 12 he was programming mainframe computers.
How many flags do you know? Think about it. That's what I thought.
Today we're talking about election security.
Voting is important. We need regular and peaceful transfer of power or we get discontent and revolutions instead.
And if we don't use democracy, it goes away. It's like a muscle that atrophies with use.
So it becomes a big problem if we lose faith in voting or our electoral system for this reason.
Today, Harri Hursti takes us through how secure or how insecure our voting technology really is
and explains how he found the vulnerabilities, what's been fixed so far and what hasn't,
and what we as citizens can do about this to ensure the integrity of our elections and of our democracy.
If you're wondering how I managed to book all these great authors, thinkers, hackers every single week,
it's because of my network.
I'm teaching you how to build your network for free over at jordanharbinger.com/course.
And by the way, most of the guests on the show, they subscribe to the course in the newsletter
or they contribute to it or both.
So come join us.
You'll be in smart company.
Now, here's Harri Hursti.
Well, thanks for joining us.
I know you're on a super long, not necessarily by choice extended business trip.
So thanks for coming in.
Thank you for having me.
Are you even able to talk about what you're doing right now, or is that even kind of
under wraps?
Well, we're actually going to have, I'm right now in Quantico, Virginia, and we are going
to have tomorrow American Cyber League and Election Integrity Foundation, mini-conference, a webinar
about election security, which is going to be having people from DHS and from a state of Virginia,
Chief Information Security Officer. We are going to have a conversation where we are heading,
and before that I have been spending the last almost three weeks down in Atlanta, where I have
been looking into the election security issues in Georgia.
Wow. Okay. So election security, it's good that there is an election security or election hacking conference of some kind because it sounds like there was and is a lot of problems with that. First, before we get into that, though, I do want to go by way of background here. You were 12 and 13 years old and you wrote mainframe computer software. Can you take us through that? That sounds kind of unbelievable, really.
So I wasn't actually interested about computers at all. My love was astronomy. And by that, I was introduced
to computers. First, the mini-computer, because we didn't really have a home computers back
those days. So mini-computers, and after that, I got introduced to mainframes. And actually, after
mainframes, first time to what we today call a PC. But yeah, that's where I ended up. And it is
very interesting how mainframe world has been. It's still around. And today, if you know how
mainframe is working, you actually can command a very sizable salary by just virtue of that,
because people who used to write an IBM 370 assembler or COBOL, they are either dead or retired.
So there are not many, very many people around who still know how that works.
I mean, even a coronavirus era, the governor of New Jersey called for help, called for action,
if there are people who know how to program COBOL so that they can help their coronavirus address.
So COBOL is like this older mainframe computer language that, like you said, not many people know they're either retired or dead.
Exactly.
At one point of time, the enterprise and business software, a global language was developed
so that you would have a language which you can in English read. So it was meant to be easy
to understand, but it's not.
Yeah, now that makes sense. So you're 12, 13 years old,
programming mainframe computer software for, was it like some kind of blood analysis? Was that
what that was?
Well, that's actually a mini computer. So I did, I wrote the software for
atomic emulsion plasma spectrometer, where you can take any substance, but
it was developed for blood.
You can put it through and see what are the compounds and elements in that sample.
I did programming for that.
Other system I did programming for is using a radioactive isotopes injected to bloodstream
and use that to imagine, making an image of three-dimensional image of heart when it's pumping.
You were doing this at age 12?
Yeah.
This might be a dumb question for somebody who is programming mainframe computer software at age 12.
But did you understand the blood stuff as well as the computer stuff, or were you mostly focused
on the computer stuff, of course?
So I'm not the medical doctor.
So I need to know enough so that I can get the job done.
But I didn't understand why these things are interesting in the blood.
I knew a little bit about the chemical process, how the blood is prepared before it's injected
into argon plasma.
I knew a little bit about the physics of argon plasma.
But this was really straightforward programming where I didn't
know why the data is important to somebody else.
Gotcha.
That's I learned later.
And were you playing Atari or kickball or anything at this time, or were you just like programming
all day?
And I'm trying to imagine you at age 12 doing this.
It's not a typical 12-year-old kind of hobby.
So most of the devices you take didn't exist really.
This is really the so early days of the time.
So I actually didn't have anything to play with.
I would have.
I would have, but I didn't.
So how did you learn how to program mainframe computers when you were 12 if you didn't even have an Atari or any kind of computer?
I mean, of course, I had mini computers, but, you know, everything was size of a room or at least a huge closet.
But yeah, I mean, it's self-learning, it's reading, it's understanding how it does, and a lot of trial and error.
Back those days, we didn't have so clear concepts.
So it was a lot of hacking.
There was a lot of trial and error.
It's a lot of testing to get this right.
And probably I would be very embarrassed if I would be seeing the code
today because principle was just to get it worked. But yeah, it's trial and error learning by
doing.
I think, yeah, you might be embarrassed, but also you were 12, so it might not be as
embarrassing as you might think.
Yeah. I will probably still be very embarrassed. It's kind of funny.
Back in my old place in Finland, I still have a punch tape reader and puncher, old teletypes,
all kind of things, which you can see in old movies, but you don't really anymore use.
But I have kept a lot of my old stuff and it's all stored in New York.
Oh, wow.
Well, that stuff's probably a collector's item by now, I would imagine.
So moving forward to the 2016 election, we talked about interference being on the
propaganda side.
I'm going to do a whole show about election interference and the kind of things that we're
seeing right now.
But this has been used before in many countries, including the United States.
Let's start with the Hacking Democracy documentary, the older one.
Somehow Al Gore had negative 16,000 votes in Florida.
Only the totals for the presidential race were affected, so it wasn't just a machine failure.
Tell us what's going on here.
Was this your first foray into election hacking?
How did you even become aware that this was a thing?
So I had retired.
I sold two businesses in a row.
I decided this is it.
I was doing 2004 around the world trip backpacking.
And I stopped in California, and now this is a friend of mine.
And she was asking if I would be interested to take a look into that.
And I said, no.
And then I was explained by a group of people how what they thought is going on in election.
And I point blank told this is impossible.
Nothing.
You must have been a misunderstanding.
Something this has been deliberately told the wrong way, but this cannot be true.
After that, if I'm interested to take a look, I said, still no, off to Tahiti, goodbye.
It took me, was personally about half a year.
And after that, they relayed my information to
England and they keep pestering me and eventually I then decided to get rid of them I will make
an impossible set of rules and I say yes I would do it but my terms are something you can never
get anyone to agree and it took like six months again and then I got a call that Ion Sancho
from Tallahassee, Florida, he would be inviting me and I spoke with him and he told it he wants to know
about the system which he is using and it turned out that the system he is using is
exactly the same system, which created this minus 16,022 votes in Volusia County for Al Gore.
So I took a look into the system, figured out a couple of ways to manipulate the central tabulator,
but I told, well, this is not elegant.
You leave an audit trail.
You leave an evidence, the breadcrumbs.
You can trace it.
And I was asking, well, what is the elegant way?
So I don't know if there's one, but if there is, it got to be this memory card.
So it's a memory card that fits into the voting machine that you found could be the more or less untraceable or hard to trace way to manipulate the results, whereas they were thinking it was something in the machine.
You thought this was impossible because you would see a ton of evidence and, like you said, breadcrumbs being left by the tampering party.
No, not even that.
I was just thinking about the architecture of the system.
And with that architecture, it made sense that there's executable program in the memory card.
And I was quickly told that that's impossible because it's against the certified rules.
But also, the vendor was dishonest about the origin of the cards.
Well, if they're not honest about one thing, they're probably not honest about the second thing.
And I found an executable program on a memory card.
I found it's completely unprotected.
This memory card is so old.
It's older than floppy drive.
So actually I found it because I remember that I have seen it before floppy drives existed.
So that's why I found who was the original manufacturer of it.
Interesting thing about this explanation afterwards was that the minus 16,000 was malfunction
of the memory card.
That's the reason why it happened.
Not possible.
That reason why it's not possible is that that memory card doesn't know how to make negative
numbers.
So whatever caused that minus 16,000 votes, which we don't know what caused it, at least the
official explanation given at the time, not possible.
Something else happened.
So these memory cards are just like
ancient disks that had programs on them. And the vendor said there's no programs on them.
Don't worry. It couldn't be that. And you found that not to be true. And you said they lied about
the origin of the memory card. What does that mean? They lied about where it was made or what?
So that means that they had told the election officials in Florida that they have created the
memory card. And I immediately recognized this is not true. I have seen this card
manufactured by someone else.
And I eventually found a company called Cropscan from Minnesota who are spraying a corn
with a radioactive isotope and measuring the decay and they are still using this memory card.
And the memory card was made by Epson, a Japanese company.
I contacted them because I found from the original pattern of laptop that that memory card
was the replacement of floppy drive at the time.
So this is really ancient technology.
And yeah, they were claiming they developed it and they didn't.
So the vendors lying about this, why, just to sort of pass the security inspection so they don't have as many hassles? Like, why lie about this?
I have no idea. Okay. I have no theory. It doesn't make any sense. Maybe it just be proud about something they didn't do.
Yeah, I guess that's possible. There's a writer in the documentary, this woman, Beverly,
she downloads all of the Diebold security manuals, all of the software from the manufacturer,
and says, okay, well, if this stuff is all available online for me to get, not freely,
but like through a FTP site that was insecure, she finds this PhD engineer who then finds
that these files are easily hackable. And these machines were covering, what, 80% of the electronic
voting market. And this is in 2002. I would imagine the
vast majority of voting now is electronic, correct?
Not anymore.
So those machines are DREs.
They are direct recording.
There's no paper in that, which means that if you hack the, what is inside of the machine,
you have hacked the election.
There's no audit trail.
We have been since then, since 2006, 2007, 2008, massively been going back to the paper ballot.
We still use computers to scan the paper ballots and tabulate.
But now when the voter has, and preferably handmarked,
paper ballot. Now you have always a remedy. You can always go to the permanent media paper and
see what the voter intent has been. You can audit it. You can recount it. You can always recover
from any kind of suspicion of a fraud or untrue results. And there was even recently a case where
a voting machine was reporting, and I believe that was in the last year in North Carolina,
voting machine was in the race where they had 50,000 votes cast,
was reporting to one candidate, 164 or something like that votes.
And when the paper was looked, that person actually got 26,000 votes and won by 1,000 votes.
Wow.
So we really need to have that paper ballot.
We don't have a technology to do electronic voting.
We don't know how to do it.
What do you think of something like blockchain, or is that just a fancy word for something
that is basically going to have the same problems?
Blockchain is a solution looking for a problem. It doesn't solve any problem. It was never created to solve any problem.
Blockchain really cannot help us. If there's 10 big problems in elections,
blockchain can help to solve one of them, but by putting blockchain, you created three new problems.
So blockchain really cannot help us in this area. There's a lot of peer-reviewed documents and studies
explaining why the public elections and blockchain are fundamentally incompatible technology.
The reason why in security perspective, election is a unique problem is that you have a requirement of secret ballot and auditability at the same time.
And then you have the requirement that it has to go right every single time the first time.
There's no do-overs.
There's no, you cannot correct an error, so to speak.
The combination of secret ballot and auditability is the hard problem.
If I a little bit more go to that direction, there's always a small company who claim we have solved this electronic voting
problem. Well, the problem is similar and almost the same as what would be the mathematics needed
to create a true digital cash. Something you can go to the corner hot dog stand at one in the
morning after bar and buy your hot dog without telling who I am and the seller not telling
who they are. So if you actually solve this problem, you probably first make your trillion dollars by
making a digital cash and, you know, take a couple of Nobel prizes. And only after that you will
start to worry about the electronic voting.
So that's why there is no small company.
There is no someone who has solved this problem and or will solve it next year.
Because we fundamentally are lacking mathematics.
We are fundamentally lacking the building blocks, how to make that to work.
Also, there's another thing, if you think about democracy,
election is the cornerstone of democracy.
The promise of democracy is a peaceful transition of power.
The winners will always accept the results, always.
So it's not about the winners.
It's about the losers.
Because the only way the peaceful transition of power is possible
is if the losing parties and support or losing ideas
accept that the election was conducted fair,
the results are correct.
And, well, they didn't get it their way this time,
but it's going to be fair in next election
and they have a new try.
So that's why elections are all about transparency
and trust and evidence and proof.
And you have to give
that proof. If you have something magical like blockchain, how you will be explaining to normal
people on the street, this is how we verified that the blockchain worked. A lot of European
countries have a constitution, their constitution, that the election has to be conducted in such a way
that normal person with no special education and no special tools will understand and be able to
verify how the votes are cast. So until we are in a Star Trek universe where teenagers are
casually talking about quantum mechanics, I'm not going to spend my time to try to explain
70-year-old power worker how something like homomorphic encryption with the blockchain works.
Yeah, you got me on that one. Yeah, I think that makes a lot of sense.
Even trying to explain to somebody who is pretty computer savvy that these blockchain
results are legitimate is going to be very hard. I mean, you're still taking a lot on faith,
even if you're the most avid Bitcoiner around, right? I mean, you're still looking at a handful of
people that can really look at this and understand what they're seeing. So, okay, I gotcha.
So we would think that after that election in the early 2000s, we've really upped our election
machine security game, right? But it sounds like we kind of haven't.
So what happened year 2000,
by the way, it's kind of funny. I'm co-founder and co-organizer of voting machine hacking
village at the DefCon. We actually had the same 2000 voting system, which caused the hanging
chad and pregnant chad and whatnot chad problem.
So let me pause you for a second and explain what that means. So you run a, there's a conference for hackers called DefCon in Las Vegas. And you run like a little, like a sub event where you just have hackers, including yourself, hacking voting machines, right, just to see what the security looks like.
We are one of the biggest parts of the DefCon. Yes. And so we have been having a room full of voting machines. And it's an educational effort. We always knew that every single voting machines I can buy and my co-workers can buy from government surplus,
eBay, everything can be hacked.
Really, the thing was to let
other people to see and
experiment their own eyes and
do it themselves. That's the education.
One thing what made me so happy
the first year when we have done now four
years was to have an election
officials who came to hack the
very voting machine they are using in their
daily job. People who, for
legal reasons and for contractual reasons,
have not been able to peek
into the machine they have been using
to run the election. And when they come
back with their eyes wide. This cannot be true. Well, you know, you found it yourself. So, yes,
that's really, we are educational effort. While we are not trying to find new vulnerabilities,
we every year are publishing a report about new findings. But that's not the goal. The goal is
education and helping people to understand why the voting systems are vulnerable. What are the
election system, you know, how it really works and educate. It's not a security research.
You're listening to the Jordan Harbinger Show with our guest, Harri Hursti.
We'll be right back.
And now back to Harri Hursti on the Jordan Harbinger Show.
So you're hacking these voting machines using a regular computer.
And this is in part of the documentary, which we'll link in the show notes.
And it looks like the manufacturers tried to stop you from distributing the documentary
where you showed how easy this was because it was bad business,
which is like a classic case of shooting the messenger, especially since this same machine
is going to be used in 20 states in this year's 2020 election.
Yeah, that's another thing when I and others, when we 2005, 2006 got involved in time
until 2008, we all thought now when the problem has been exposed, it will be fixed very quickly.
It was completely always incomprehensible for me and other security researchers.
Now 2020, we are talking about this topic.
And also we are 2020 using the same machines with the same software.
It's just you wouldn't be using a 30-year-old
PC with no security patches, but that's exactly how the elections are conducted.
What's the chief vulnerability here? Is it that there's removable media on every machine,
so the cards, USB drives, ports? What's the chief vulnerability here?
The chief vulnerability is nobody thought about security. When Help America Vote Act in 2002
created a $3 billion over $3 billion funding to go and buy voting machines, there were no
security standards at all. So everybody just went to the future shop and bought whatever
is sold. And of course, what was sold back then was created in 90s and 80s. So they were
created at a time when cyber warfare was science fiction. Nobody would have ever thought about
cyber warfare to be real. There was never a consideration of security. And now these same systems
are around. But even more importantly, the culture hasn't changed. And I have always said that when
you're examining any kind of device, whether it's an ATM, whether it's a life support system
or voting machine, you always find vulnerabilities. But how safe you are is not how you find a
vulnerability, but how the company reacts. If the company says, oh my God, help us. Let us fix this
problem. Now you know this is in a good hands. That's the way we are going to fix this problem.
If the company goes, we are going to sue you and try to stop this message. Now you know
nothing gets fixed and the culture is wrong. And the culture is wrong. And the culture
is the poison pill. The culture is the one which is causing all the trouble because you are not
trying to fix the problem.
I know that a foreign power had penetrated one of the vendors that
supplies the voter registration databases. Is it always Russia or is that something that happens
from other countries too? Because you really only hear about Russia and the news meddling with
elections. So this year, DefCon, we had a number of speeches about who are the foreign players
in historically, who are around. One of the speeches really went through
the last, was it, 16 years of hacking, government hacking, and it really showed that there are
certain big countries, Russia, China, Iran, which are the big three, and after that, North Korea
and the usual suspects underneath. But it's never only one country. And in 2016, the widely
published things, which is in every single intelligence report, what the Russian activities are,
since the last four years, every other nation has been very busy to duplicate their capabilities.
They are not alone.
So we might see, or we will see, election interference from China, Iran, North Korea, and Russia all at the same time, essentially?
Well, there has been already in the news almost a year ago when a huge American public trade company took an Iranian activity down, which was at the time attributed, whether it's true or not, as a preparation for possibly election activities.
My personal opinion and my professional opinion,
this is going to be a number of different countries
who have now the capabilities,
a question is how they are going to use it.
Some countries might have just developed a capability,
but decide to not act.
Some nations might be doing the difference.
And that's really important that in America,
the threat model election has been wrong until very recently.
Threat model was a dishonest candidate
or support group of dishonest candidate
who tries to win.
That is not what
nation states are doing. Nation states have a multiple different objectives and primary and secondary.
And if you look, Cold War, Cold War was ideological war between capitalism and communism.
If you look that path, the goal is to this show the trust in democracy that is to undermine your
government and people's believe in the society. So if you then can gain something else also,
that's fun. But you have to think about who are the threat actors. What are the motivations? What are the
tools, what are the primary and secondary
targets? And only after you have
done that homework, you can start
to think about how I'm going to defend
the fort. And the most
crazy thing here is that
since you've done to massive amount of technology
have been pouring in the elections. We have
an idea and thinking that there's an election
office, the election office has an IT
department, and the IT department has a security
practice. Nothing could be further
from the truth. Most of the election
offices have no security protection
at all. They don't even necessarily have
their own IT full-time staff. They have a couple of volunteers, everything is outsourced.
So there is no practice in that side. At the same time, if a foreign nation would be coming
with the ships and putting a couple of tanks on the US soil and started rolling over,
you wouldn't be expecting the local sheriff to fend off the foreign nation military.
But in asymmetric warfare, that's what is happening. The local election officials who are
underfunded, under-resourced and try to do the best, they are fending off a foreign
nation in this attack. And a lot of people don't think it in the terms, but every other war we fight,
land, sea, underwater, space, all of these are natural domains where laws of physics and
laws of nature work. The only place where we fight a war, which is man-made domain, is cyber.
We don't have distances. We can actually cheat the clock. There are no similar rules.
The rules are what we make them to be.
And that's why this is completely different in every single way how you look to a strategy
and how you look for what you need to do in order to keep safe.
And voting is a canary in the coal mine because all the problems we see in a voting
are repeated in critical infrastructure.
And that's why Department of Homeland Security has designated elections as part of critical infrastructure.
Governments can be changed by bullets or ballots.
We choose ballots instead of bullets, which some of the
other countries have chosen. So we really, this is really that important. It really requires to be
studied and secure, but also you need to look the other part, civil system, drinking water,
electricity, and look all of the other things which we need to fix in order to secure our
society. I know you'd said that every single NATO country has had Russian interference in
their election, every single one of them. And I want to separate this from collusion or whatever.
That's not what we're talking about. We're talking about election
hacking, regardless of your politics, the facts are all information points to this as an ongoing
threat to free elections, free and fair elections in the United States. I'm going to do an entire
show on election interference, especially from Russia and the history of that and how that goes.
But for now, I'm more interested in the vulnerability of the machines themselves.
It sounds like, and you mentioned this in one of your talks, Russia knows it can't compete with
the U.S. military when it comes to planes, tanks, boats, bombs. China knows this, Iran knows this,
but they can and do compete with disinformation and cyber capabilities because of the reasons you just mentioned.
So is this something that you think we've ignored because we have more aircraft carriers and satellites, basically?
I would say that the U.S. has a very good intelligence community.
There has been a lot of attention.
It's just the political side might have not been taking this as serious as it should be.
And at the same time, this is a complex topic.
As in the later movie, Kill Chain, Cyber War and American Elections, ex-White House officials
are pointing out, there has been a wrong focus. It doesn't matter how much money you spend to have
the best military if the war is fought in cyberspace and in election hacking, because that's the
way you can influence the government and that's the way you can influence the minds of the people.
If you think about the misinformation, disinformation, as an idea, we are using too many words
as inter-exchangeable when they are not. Propaganda is for me to convince you something I want to
convince you to do. Misinformation is I'm going to be sending out another information which is
undermining your trust. Malinformation is that same as a malicious act, but the most dangerous is
disinformation. Because disinformation, everything before, all the other ones are tactical.
They are for a single purpose in a very short period of time. Disinformation is a mental
virus. The whole idea there is to destroy our capability as humans
to have a frame of reference which we need in order to learn and get new information and build
our worldview.
So with that, you cannot use it in a few years, but you can poison the minds of a society
by undermining your capability of learning and, you know, building a framework of mind.
It's a long game.
We see this now when we talk about things that are settled science in a lot of ways or
that are just very clearly have been fact-checked by multiple parties and that
you get a huge number of people that are like, no, Bill Gates wants to put microchips in your blood.
And it's like, where are you getting this? Oh, it's, I saw this on the internet and on Facebook and on
YouTube. And then you bust out, you know, a scientific journal article that has 10 different
studies in it. And people go, oh, well, that's a bunch of crap. Watch this documentary made
by some yutz in his garage. And they put equal weight on those sources. That's one result
of disinformation, right? That's one result of that. And also, I have to say that if you look how
the disinformation. Because in disinformation, the beauty of that is that you are actually
deciding contradicting messages where you contradict your own message. So disinformation provider
is not trying to drive one point. It's driving multiple points which are contradicting
inside of because you are trying to create as much chaos in the mind of the receiver as
possible. When you look the production, if you look today's pieces in YouTube and social media,
they are professionally produced. They are very beautiful.
And they are in such a quality that if you look the production value, you can easily think this is real.
Now you have to have the critical thinking and you have to stop.
And where we are here is that we don't have a human firewall.
We have a firewall for the computers.
But we have not been educating our generations in school and our young to have a human firewall,
to have a capability of critical thinking and questioning.
When I'm presenting this information, how I know this is
true, even if I like it, because that's one thing about we humans, we really like things
which are agreeing with us.
Right.
Things that agree with us, yeah.
Ideas that we agree with, yeah.
And that's not necessarily true.
Right.
This goes into the Russian disinformation that we've uncovered.
And again, I'll be doing more of a show about this as well, but why they have different
Facebook groups that are actually against one another and they're run by the same group or the
same party.
Going back to election hacking, Ukraine actually discovered some software in
their machines that had specific outcomes programmed into it. So it wasn't just, let's skew the votes
this way or let's skew the votes that way. It was, we're going to put a far right candidate
in office with 37% of the vote, even though he only got 1% of the vote. So they had programmed
the result into these machines. Can you discuss that a little bit? Can you speak to that?
So not specifically about Ukraine, but let's talk about everything in the world how this works.
So you have a voting machine and voting terminals. That's how you cast your ballot, either
electronically or paper ballot is going scanning.
And after that, these machines are reporting those results
very often over communication lines to the central tabulator.
Now, in both in the county level or state level,
where the votes are accumulated in database and along the path,
there are a number of data storage systems, databases.
And if you manipulate those, you can create an illusion of different results.
And you can even do it in
the election reporting system.
So instead of even hacking anything in the tabulator system,
you are just creating wrong reporting.
So there are a number of ways how you can,
through this whole path, influence the results.
And we have to actually step even further back
because if we look the election as whole,
it's a myriad of system.
We have voter registration system.
We have electronic poll book systems.
We have the election management.
We have the ballot casting.
We have the tabulation.
And we have the reporting.
Any of these, if you hack one of these, you can always have the result.
You can disfranchise voters so they can cast their ballot.
You can change the outcome.
You can change the reporting.
Each of these needs to be secured.
None of these is less important than the others.
And that's why we have been, I think in the public mind, we have been focusing in a very narrow
area, which is you cast a ballot and how the ballot is counted.
But not missing the whole
picture, how many other systems from an adversary, from ethical's point of view, where the
attacker can go and achieve the same goal.
This is the Jordan Harbinger show with our guest, Harri Hursti.
We'll be right back.
I want to thank you for listening and supporting the show.
Your support of our sponsors, our advertisers, that's what pays the bills, keeps the lights on.
To learn more about those sponsors and get discounts, the ones you just heard about here,
go and check out jordanharbinger.com/deals.
We've also got worksheets for today's episode, and that link is
also in the show notes at jordanharbinger.com/podcast.
Now for the conclusion of our episode with Harri Hursti.
This is interesting.
So each segment of, it's not just voting, it's voting and then the results being counted,
and then the results being sent over communication lines to a central area where they then
have to be audited and stored.
Each of those areas has a vulnerability that in the case of Ukraine with these specific
outcomes were programmed into the software of the machine, they somehow caught this
and removed it before the election.
And this blew my mind, Harri, that Russian media still reported the exact percentages of the fake outcome.
So it was like this sort of negligent slash they just don't give a crap at all about getting caught.
If they're going to sit there and have given the fake results to the media already, it's like they just didn't even care if they got caught doing that, clearly.
Or they counted on being caught.
That's also a power play saying, see what I can do. See, I don't care.
That's also a communication and message.
So we always are too easily jumping into conclusion what there are a lot of people who say,
I can think like the enemy thinks.
No, you are thinking like you wishfully think that your enemy would think.
Your enemy doesn't necessarily agree with your idea.
It's very dangerous to say, oh, this is obviously what the enemy was thinking.
No, it might be that they just were counting.
Let's get ourselves caught.
Let's chaos.
Let's be on your face saying we can do this.
it's all is possible. You don't know what the enemy is thinking. And the other thing, which is also
in the case of any cyber attack in any area, one of the most difficult areas is attribution.
How you know who is the actual attacker? Because there are a number of ways to disguise. There's
number of ways to have a false flag. You need to have a credible intelligence community,
credible company. You have to have a, nobody can call it. It's always.
You have to put a lot of research so that you can say, I'm almost certain, I'm certain, to
certain extent that this is the actual attacker.
It's really difficult.
I guess they're not worried about getting caught.
I mean, how do we know it's not just random criminals, but it's actually the government
doing this?
You know, that's a common counter argument that we hear.
Well, I mean, if you look from the Kill Chain, my good friend, Mikko Hyppönen,
says it very well, if it's a public entity, it's a government, they don't care.
They don't worry about the cops showing up their door because they are the cops.
If it's a private enterprise, if it's a criminal troop, they will change because they
would be afraid that government will show up.
You know, some government will show up.
Cops will show up.
It's really that kind of things which are very telling what kind of entity is driving
there, how they react to when they are being caught.
Right.
And if they're not worried about it, it's because they're protected at the state level, right?
Exactly.
So Diebold and other vendors say, look,
these machines are unhackable.
Maybe you can get it, but you've got a machine in your office, and you've got a memory card in your office, and you're sitting there all day messing with it.
The bad guys are not going to have access to the machines.
And then in Kill Chain, you go out to a recycling center and what?
You pick one up for like $75.
So, yes.
First of all, as a representative NSA said in Afghanistan, he said, if you are not understanding that there's this kind of room which we have here for two and a half days,
If you don't understand there's this kind of room in every other nation running 24-7 of the massive resources, you have to be kidding.
The voting machine vendors are selling this internationally.
The U.S. second-largest voting machine company, their pilot customer was state of Mongolia, between Russia and China.
I'm absolutely certain the good people there are honoring U.S. copyright laws.
But the whole thing is these machines are sold internationally.
Even if they wouldn't be on eBay, you are already selling them internationally, and they
are available, and also from a security perspective, security by obscurity doesn't work, that no such
thing exists. So in the security research, you are assuming that your adversary has complete
access, not only to the machines, not only to the code, but also everything, the development
documents and everything, your security cannot be based on the idea the attacker don't have
access to this information on this machine.
Because they'll find it.
They'll find it. Between election cycles, everyone's guard is down.
They can put malware in the machines. They can tamper them while they're sitting in a warehouse.
The other common defense we hear is, well, look, the machines are never connected to the
internet, so you'd have to tamper with each individual machine, and that's just not scalable.
It's not possible. But you busted that bubble, too.
Well, first of all, everything is connected to internet.
But before that, I also want to talk about the other thing, which is, yes, the common
rebuttal for DEF CON Voting Village has been, okay, if somebody would be popping the voting
machine open in the polling place, they would be noticed. Well, first of all, you don't wake
up in a hangover on Tuesday morning and say, oh, today, hangover, I will go to hack the election.
No, there's a little bit more preparation. So security research is all about finding the
vulnerability, not weaponizing. When you are developing the way how you can actually distribute,
that's the weaponization. And generally speaking, security researchers don't go there.
That's not the goal.
So goal is only to find where it is.
But also the argument, voting machines are under lock and key.
One of the things which we didn't get to the movie because too many people and too much
things to tell.
I mean, we filmed the Kill Chain movie.
We filmed almost four years of that.
Wow.
But we were in the real election.
Very nice people.
We were in a polling place.
The polling place chief was going around.
And I noticed that the voting machine had the seals were broken.
And the most critical part is
little door where the most critical part, that was a little bit open. So I went and we went to
speak in the front of the voting machine. I was trying to guide the, because there's the election
judge, there was a poll worker, there's the polling place chief because we're doing it in a quiet
hour. And I was pointing towards the voting machine. And nobody seems to notice that the seals are broken.
So eventually I said, well, hey, the seals are broken and the door is open. Oh, don't worry about it.
We stopped putting the seals 10 years ago. It's from previous election. The seals were always
broken in and people were worried. So we stopped putting the seals to place in 10 years ago.
We should actually clean these seals because so that people don't think they are broken because
we don't seal them anymore. Now I had a conversation and say, well, do you understand that
the most critical part of this machine is underneath? And they're no, no, voting machine vendor
has said that this is completely safe. We have been saving money. And so basically when I
explain them what is the risk, they say, oh my God, we have to seal this. And by the way,
the only reason we stop it, because the vendor lied to us and tell this is completely safe. This
is completely secure. At the same time, the same vendors are telling, oh, in real world,
nothing can happen because they are all sealed and under lock. It's like, first of all,
the keys are the simplest mini-bar keys, but also the sealing and all of that doesn't happen
in the real world. About the internet, really, everything is connected to internet, either directly
or indirectly. And the more modern voting machines, they actually have a mobile phone
connectivity to county headquarters. They are sending the results. Wireless is coming
back to the voting machines in the newer generations. Nice marketing material trying to tell
it's not, but it is. A journalist a year ago, she found 200 voting machines in the internet.
Voting machine vendors say, well, they are not in internet because they are not pingable?
My answer to that is, are you from the past? Because since 15 years ago, nothing is really
any more pingable. And they are still connected to internet. The whole argument is 15, that argument
would have been meaning something 15 years ago. It doesn't mean anything today.
I just came from Atlanta, and they have new voting machines because the judge ordered the
old ones to be scrapped. And part of the things in the judge's ruling, the finding was that
the voting machine were programmed by basically three guys from their homes and who sent all
the programming of the voting machine for an election over internet to be distributed to all the machines.
Oh, so these guys had programmed the machines from home, and then they pushed the code update
to the voting machines via the internet.
But they pushed it to the state, and then the state pushed it to the counties.
And actually, this whole thing about the critical election-specific programming going over
internet is very common, because a lot of this programming is done by private companies,
a third-party company, election management companies.
It has been shocking in the last two years when I've been working for a number of secretaries
of state and looking how the security is done in their state just to find that email,
FTP with no security.
these are the common methods to send the most mission-critical programming
from the private company, which might be out of state,
to the local county who is putting it into the machines.
And it is whoever controls that data controls the election.
And these machines, like you said, they have network cards.
You show in Kill Chain, again, the documentary that we'll link in the show notes,
that they have USB ports, they have memory card slots,
they have modems and phone jacks sometimes.
So these things were built for connectivity.
They're not immune to connectivity.
And seemingly we don't have to hack hundreds of machines. These are networked. You can just make
software that infects one and then dozens of others or just changes the data. Is it possible? I guess that's a
dumb question, but I'm going to say it anyway. So do you think it's possible that we could create a
worm that we get on one machine in a voting center and it just connects to the other machines
covertly and infects them without the bad actor so much as laying a hand on the machine themselves?
The real proof of concept virus was demonstrated over 10 years ago. So that already has been demonstrated
publicly that voting machine virus which can self-propagate from one voting machine to another,
that's a reality which we have shown it's possible. And that's one of the things why that was
created was because again, when you say it's possible by showing the vulnerability, people
said, well, I don't believe until you show it. So it's one of the rare things where a team of
researchers developed in the actual virus just to show the logical outcome of the vulnerability. Yes,
there can be a voting machine virus, full stop.
Here it is.
It goes from voting to another.
Wow.
So essentially, then nobody ever knows.
There's no trace.
There's no physical access.
I mean, if you can get this onto the machine remotely,
you could just sit in the parking lot.
We're not even going to see a sketchy guy in a leather jacket and track pants
walk into the voting center.
He's just going to sit out in his truck.
So a voting machine, which shouldn't be in the US anymore.
But when we had that machine in DEF CON,
that machine was hacked wirelessly in 20 minutes by a researcher
from Denmark. The voting machine has a Wi-Fi and it has unpatched operating system,
but literally you can hack that machine from parking lot without knowing it's a voting machine
because you can use a Metasploit. There's a gazillion Metasploits for that machine,
so you don't even need to know it's a voting machine. You can just hack it to say any Windows
XP computer around. And what's Metasploit for people who aren't really up on that?
Metasploit is a framework which is open source, free of charge, has thousands of different
vulnerabilities and payloads, which you can use as a tool of security testing to quickly build a
prototype and deploy it against any target. So we'd say it's a framework of vulnerability
exploitation framework. And this is something anybody can get, doesn't cost any money, it's everywhere,
it's not under lock and key, and it's for security testing. But you can, if you're a bad guy,
you can also grab it and you don't even need to be specialized to this voting machine.
It's already in Metasploit. So you can sort of like cookie cutter off the
I guess is what I'm looking for, grab this Metasploit and you can hack a voting machine.
The Metasploit is, I guess, any kind of, it's not really limited to voting machine, but this
is actually a very important point. The tools, which are the best tools, they are free.
They are available for everywhere in the world. Anyone in the whole world can get the tools for
free. If we look for a specific hardware, which you can use, for example, an attack USBs,
the most of the hardware is under $100. And they are made in the
U.S. So you can just with a credit card, you know, FedEx it for you overnight. The tools are not expensive.
And for example, when I just laugh when I saw the pictures of Russian military intelligence who were
hacking a chemical weapons laboratory in Netherlands, when their trunk was opened and they showed
what the equipment there is, the key element was a $200 piece of equipment made in California.
And so to everyone, I have four of those.
So again, they don't use that $200 piece because of plausible deniability.
We are not military intelligence.
It's because it's good.
It works.
Wow.
It seems like we can't really do anything about this.
I mean, is there sort of a bright side to any of this?
Are we working on making these things more secure?
Or is it just like, look, we got to go back to paper full stop?
So first, we have to make everything we can to make it more secure,
but we also have to go back to hand-marked paper ballots.
We don't have any other technology.
Ballot marking devices which are like touchscreen computer printing the paper for you.
University made such a recent study where they told the test voters,
we are going to test the new method of voting.
Please check your ballot.
But they were not told that the machine will cheat every single time.
And only under 7% of the voters catch that the paper they got out of the machine
was not fully representing what they were chosen.
So hand-marked paper ballot.
Now, American elections are uniquely complex in the world.
So you cannot really, unless it's a small county, there are small counties, but
unless it's a very exceptional small county, you need to use computers to process the paper.
As a European origin person, it's incomprehensible for me that in the US, the losing party
has to ask for recount or audit.
Why not have a mandatory audit for every race,
every single time? Because once you have a paper ballot,
there's a method called risk-limiting audit,
which is a very quick and very nice public way
where you can invite everybody who is wanting to see
how the result is proven to be correct
to witness and understand how it's done.
So hand-marked paper ballots and risk-limiting audits
and you use the computers in between to create the results
because there's no alternative because they're so complex.
But unlike what the Russian saying,
which was quoted by
Reagan when he says trust but verify. It's old Russian saying, actually in this case, don't trust
and verify because you cannot trust the voting machine. Everything we have today, everything we have
in the future can be hacked. So let's understand that and verify the results.
And you mentioned this a little bit before, but in closing, I'd love to sort of put a nice bow on this.
The reason that people are hacking elections, it's not necessarily like in Ukraine where they want to
put in a right-wing candidate or a left-wing candidate somewhere,
where this is not just to get a specific outcome in that election,
it's to chip away democracy itself, correct?
There are number of different threat actors,
and certainly nation state, ideological.
I mean, it can be a nation state who wants to undermine democracy,
but it can be a religious group.
It can be all kinds of disruptors who just want to create chaos.
So that's another thing what I would like to point out.
Even when we are talking about nation state,
they're using the same tools which are available to you and me.
So nation states are dangerous and they have different motivations by individuals.
But also these tools are available for individuals and crime organizations.
You don't need to have that much money to buy the tools and learn how to use it.
So we have to not assume it's nation state which needs to have a massive resource.
It can be a smaller group.
We have to defend our democracy against all enemies, domestic and foreign.
You know, I actually thought about becoming a poll worker this year.
It's hard because there's coronavirus and I have a one-year-old baby and I'm worried about that.
But you're right.
When you walk in those places to vote, man, everybody's 73 years old.
And I'm thinking, how are you going to troubleshoot the machine?
You can't even turn on your laptop.
You're going to troubleshoot this voting machine.
It's going to take you half an hour so they don't do that.
They just put a sign over it that says out of order.
And then they have two voting machines for, you know, 800 people in a line that's been going for five and a half hours in the heat or the rain or whatever, snow.
It's just a mess.
And it's actually sad news last weekend.
So I wasn't down in Atlanta.
Chattanooga is, you know, across the border next day.
The election director of Chattanooga died in coronavirus last weekend.
Oh my God.
So we actually are seeing the older poll workers, a vulnerable population to be at risk.
Mail-in ballots are the way we have to go.
And it's just insanity to put people at risk.
I mean, the whole public claim that voting is a privilege. No, it is a right. It's a fundamental right as part of this nation and being citizen of United States, the same in Western democracies. It is not a privilege. It's a right. And you shouldn't be choosing your health if you can vote.
Yeah, you're absolutely right. No, I mean, you're correct. Well, Harri, is there anything I haven't asked you or brought up that you think we should put into this episode?
So first of all, most important, if you are eligible to vote, please vote. There's nothing I said, we should discourage you to vote. Please vote every race in a ballot because apathy is as dangerous to democracy as somebody hacking and more people voting, harder it is to have. So if you can vote, please go to vote. Take your neighbor, take your friend, give a ride to your friend to get to the vote. The second thing is, if you really care, become a poll worker. The average
age of poll workers is going up all the time. More people who are computer savvy, more people
who are security-minded in polling places help to keep the line shorter. They help to find if there's
problems there, become a poll worker. And this is everywhere. I want to underline hacking elections
and election security is not U.S. only. It's all of our Western democracies, all of our, not even
Western, but all of our democracy. Every single country, wherever you are, please go to vote
please try to guard your own country's system.
Harri Hursti, thank you so much.
This is fascinating.
Thank you for having me.
You know, I've got some thoughts on this episode,
but before I get into that,
here's what you should check out next
on the Jordan Harbinger show.
A lot of people hear the name Pussy Riot,
and they think, all right, what is this?
You're just trying to get shock value.
Can you tell us the beginning a little bit
of what Pussy Riot is?
When I was reading in the book,
and you said you just made it up for a lecture,
I was like, there's got to be more to it than that.
No, seriously?
Not really.
No, seriously.
They decided to punish us.
They opened a criminal case, and in two weeks after the performance, we were arrested.
We knew how to hide from the cops, and for a week, dozens of cops were looking for us.
And when they caught us, finally, they were so happy.
Making them look like fools.
It's our profession.
How does it feel to have these world leaders who are in these private chambers with their tea and their bodyguards,
and you're sitting in a Russian prison, and they're like, these 22-year-old women, they're, they're screwed.
ruin my world up, man. Gotta do something about this. Look at how bad they are. I was really happy
that Putin is in trouble because of us, because they definitely didn't expect anything like that.
My mother thinks that I need to immigrate, Iran immediately. Yeah, you still live in Russia. I can't
even believe. Yeah. You wrote, the future has never seemed so full of enriched and wonderful
possibilities as when I was in a labor camp and literally had nothing but dreams.
What gives you the strength to go forward when you're worried about, are they going to try to blind me?
Are they going to try to beat me up?
I mean, they were highly abusive to you while you were behind bars.
I just prefer not to think about it.
For more from Pussy Riot and world-renowned artist Nadya Tolokonnikova and her time in Russian prison, and of course their crusade against Vladimir Putin's regime, check out episode 118 on the Jordan Harbinger show.
This episode freaked me out a little bit.
I mean, when you click someone's name on an electronic screen, you don't really know
if you actually selected the right person and the computer, what's happening between your finger
and the ballot, right? The computer can kind of do whatever it wants. It's a black box. How do we know
if the computer counts the votes properly? It's so weird to hear myself saying this because it's like
crazy Uncle Frank who always complains at Thanksgiving about how you can't trust those pesky computers.
It's like he was right all along. Scientists and computer hackers broke into the voting machines
within 10 seconds, 10 seconds. And system security in these machines was not penetration tested
whatsoever. I know a lot of you who listen are info security types, but pen testing, it's like
taking a computer system or any system and seeing if someone can break it or break into it.
They just didn't even try to test our voting machines with this method or these methods at
all. The independent authorities that verify voting systems, they simply didn't do that.
Again, this was 2002. I hope they're doing more of this now. Harri's on the forefront of this,
but Harri's been able to hack voting machines remotely in minutes from the parking lot. Remember that.
And editing election results on those older Diebold voting machines, that was as simple as editing
a spreadsheet located on the same machine, on the same computer. And as recently as the past
couple of years, we've seen the election assistance committee get hacked, and Rasputin,
the hacker was selling access to these machines and this data online. They had buyers from
Iran, Russia, and other places. So this is bad news and desperately, desperately needs to be
fixed. And I thought this is very apropos given the November 2020 elections right around the
corner here. Big thank you to Harri Hursti. We'll link to some of his resources and the documentaries
I watched in preparation for this in the show notes. Links to everything is always in the show notes.
The worksheets are in the show notes. The transcripts are in the show notes. There's a video of this
interview on our YouTube that's at jordanharbinger.com/youtube. And I'm @JordanHarbinger
on both Twitter and Instagram, or you can just add me right on LinkedIn. I'm teaching you how to
connect with great people and manage relationships using systems and tiny habits over at our six-minute
networking course, which is free.
That's at jordanharbinger.com/course.
Dig that well before you get thirsty.
Most of the guests you're hearing on the show, they subscribe to the course, they contribute
to the course.
Come join us.
You'll be in smart company.
This show is created in association with PodcastOne and, of course, my amazing team.
That includes Jen Harbinger, Jase Sanderson, Robert Fogarty, Ian Baird, Millie Ocampo,
Josh Ballard, and Gabriel Mizrahi.
Remember, we rise by lifting others.
The fee for this show is that you share it with friends when you find something useful or interesting.
If you know somebody who's into hacking or elections or security or infosec, share this episode with him.
Hopefully you find something great in every episode, so please do share the show with those you care about.
In the meantime, do your best to apply what you hear on this show so you can live what you listen, and we'll see you next time.
