Harri Hursti (@HarriHursti) is an ethical hacker and researcher, co-founder of Nordic Innovation Labs, and has been featured in the HBO documentaries Hacking Democracy and Kill Chain: The Cyber War on America’s Elections.
What We Discuss with Harri Hursti:
- Who’s trying to hack our elections and why.
- Why all Americans lose if we allow enemies of the state to tamper with our election results — even if our “side” emerges victorious this time around.
- Why electronic voting machines are more vulnerable to fraudulent manipulation than mail-in ballots and other forms of voting that leave an auditable paper trail.
- What we know about hacking strategies that have worked on other countries — because every single NATO country has had Russian interference in their election.
- How fostering the public’s eroding trust in our election system is the ultimate goal of our enemies.
- And much more…
Election years are always a bit stressful on the national psyche. But when that election year happens to also be 2020 — amid a pandemic, civil unrest, widespread consequences of global warming, and two political parties vowing to contest the election if it doesn’t go their way — multiply that stress by a hundred. Add to that what ethical hacker Harri Hursti (as seen on HBO documentaries Hacking Democracy and Kill Chain: The Cyber War on America’s Elections) has to say about how vulnerable our election is to being hacked by enemies of the state, and we should all be concerned — no matter what “team” we’re rooting for.
On this episode, Harri takes us through how secure (or insecure) our voting technology really is, and explains how he found the vulnerability, what’s been fixed so far (and what hasn’t), and what we, as citizens, can do about this to ensure the integrity of our elections, and of our democracy. Listen, learn, and enjoy!
Resources from This Episode:
- Kill Chain: The Cyber War on America’s Elections | Prime Video
- Hacking Democracy | Prime Video
- Nordic Innovation Labs
- Harri Hursti | Twitter
- Harri Hursti | Facebook
Transcript for Harri Hursti | The Cyber War on America’s Elections (Episode 405)
Jordan Harbinger: [00:00:00] Coming up on The Jordan Harbinger Show.
Harri Hursti: [00:00:02] When you are examining any kind of device, whether it's an ATM, whether it's a life support system or voting machine, you will always find vulnerabilities, but how safe you are is how the company reacts. If the company says, "Oh my God, help us. Let us fix this problem." Now, you know, this is in good hands. If the company goes, "We are going to sue you and try to stop this mess." Now, you know, nothing gets fixed and the culture is the one which is causing all the trouble because you are not trying to fix the problem.
Jordan Harbinger: [00:00:37] Welcome to the show. I'm Jordan Harbinger. On The Jordan Harbinger Show, we decode the stories, secrets, and skills of the world's most fascinating people. If you're new to the show, we have in-depth conversations with people at the top of their game, astronauts and entrepreneurs, spies and psychologists, even the occasional four-star general. Each show turns our guests' wisdom into practical advice that you can use to build a deeper understanding of how the world works and become a better critical thinker.
[00:01:02] Today's guest is an amazing hacker that you've probably never heard of. This guy is a genius and we're lucky he's on our side. He memorized all the country flags at age three. And by age 12, he was programming mainframe computers. How many flags do you know? Think about it — that's what I thought. Today, we're talking about election security. Voting is important. We need regular and peaceful transfer of power or we get discontent and revolutions instead. And if we don't use democracy, it goes. It's like a muscle that atrophies with use. So it becomes a big problem if we lose faith in voting or our electoral system for this reason. Today, Harri Hursti takes us through how secure or how insecure our voting technology really is and explains how he found the vulnerabilities, what's been fixed so far and what hasn't, and what we as citizens can do about this to ensure the integrity of our elections and of our democracy.
[00:01:54] If you're wondering how I managed to book all of these great authors, thinkers, hackers, every single week, it's because of my network, I'm teaching you how to build your network for free over at jordanharbinger.com/course. And by the way, most of the guests on the show, they subscribed to the course in the newsletter or they contribute to it or both. So come join us, you'll be in smart company. Now, here's Harri Hursti.
Jordan Harbinger: [00:02:19] Well, thanks for joining us. I know you're on a super long, not necessarily by choice, extended business trip. So thanks for coming in.
Harri Hursti: [00:02:27] Oh, thank you for having me.
Jordan Harbinger: [00:02:28] Are you even able to talk about what you're doing right now? Or is that even kind of under wraps?
Harri Hursti: [00:02:33] Well, we actually going to have — I'm right now in Quantico, Virginia, and we are going to have tomorrow American Cyber League by Cyber Bytes Foundation, mini-conference and webinar about election security, which is going to be having people from DHS and from the State of Virginia chief information security officer. We are going to have a conversation where we are heading. And before that, I have been spending the last almost three weeks down in Atlanta where I have been looking into the election security issues in Georgia.
Jordan Harbinger: [00:03:02] Wow, okay. So election security — it's good that there is election security or election hacking conference of some kind because it sounds like there was and is a lot of problems with that. First, before we get into that though, I do want to go by way of background here. You were 12 and 13 years old and you wrote mainframe computer software. Can you take us through that? That sounds kind of unbelievable, really.
Harri Hursti: [00:03:25] So I wasn't actually interested about computers at all. My love was astronomy. And by that time I was introduced to computers, first the mini-computer, because we didn't really have the home computers back those days — so mini-computers and after that, I got introduced to mainframes. And actually after mainframes, first time to what we today call a PC. But yeah, that's where I ended up on it. It is very interesting how mainframe world has been — it's still around. Today, if you know how mainframe is working, you actually can command a very sizable salary by just virtue of that because people who used to write IBM 370 Assembler or a COBOL, they are either dead or retired. So there's not many, very many people around who still know how that looks. I mean, even the coronavirus era, the governor of New Jersey called for help, called for action, if there are people who know how to program a COBOL so that they can help the coronavirus address.
Jordan Harbinger: [00:04:23] So COBOL is like this older mainframe computer language that like you said, not many people know they're either retired or dead.
Harri Hursti: [00:04:30] Exactly. At one point of time, the enterprise and business software, a COBOL language was developed so that you would have a language, which you can in English read. So it was meant to be easy to understand, but it's not.
Jordan Harbinger: [00:04:43] Yeah, now that makes sense. So you're 12, 13 years old programming mainframe computer software for — was it like some kind of blood analysis? Was that what that was?
Harri Hursti: [00:04:52] Well, that's actually a mini-computer. So I wrote the software for atomic emission plasma spectrometer, where you can take any substance, but it was developed for blood. That you can put it through and see what are the compounds and elements in that sample. I did programming for that. Another system I did programming for is using radioactive isotopes injected to bloodstream and to use that to make an image of a three-dimensional heart when it's pumping.
Jordan Harbinger: [00:05:21] You were doing this at age 12.
Harri Hursti: [00:05:23] Yeah.
Jordan Harbinger: [00:05:23] This might be a dumb question for somebody who is programming mainframe computer software at age 12, but did you understand the blood stuff as well as the computer stuff, or were you mostly focused on the computer stuff, of course?
Harri Hursti: [00:05:34] So I'm not the medical doctor.
Jordan Harbinger: [00:05:36] Right.
Harri Hursti: [00:05:36] So I need to know enough so that I can get the job done, but I didn't understand why these things are interesting and the blood. I need a little bit about the chemical process, how the blood is prepared before it's injected into an argon plasma. I knew a little bit about the physics of argon plasma, but this was really straightforward programming where I didn't know why the data is important to somebody else.
Jordan Harbinger: [00:06:01] Gotcha.
Harri Hursti: [00:06:01] That I learned later.
Jordan Harbinger: [00:06:03] Were you playing Atari or kickball or anything at this time? Or were you just like programming all day? And I'm trying to imagine you at age 12 doing this, it's not a typical 12-year-old kind of hobby.
Harri Hursti: [00:06:15] So most of the devices didn't yet exist really. This is really the so early days of the time. So I actually didn't have anything to play with. I would have, I would have, but I didn't.
Jordan Harbinger: [00:06:27] So how did you learn how to program mainframe computers when you were 12 if you didn't even have an Atari or any kind of computer.
Harri Hursti: [00:06:34] Of course, I had mini-computers, but everything was a size of a room or at least a huge closet but yeah, I mean, it's self-learning, it's reading. It's understanding how it goes and a lot of trial and error. Back in those days, we didn't have so clear concepts for a lot of hacking. It was a lot of trial and error. It's a lot of testing to get this right. And probably I would be very embarrassed if I were to be seeing the code today because the principle was just to get it worked. But yeah, it's trial and error, learning by doing it.
Jordan Harbinger: [00:07:03] I think, yeah, you might be embarrassed. But also you were 12, so it might not be as embarrassing as you might think.
Harri Hursti: [00:07:10] I would probably still be very embarrassed. It's kind of funny, back in my old place in Finland, I still have a punch tape, reader, puncher, old teletypes, all kinds of things which you can see in old movies, but you don't really any more use. I have kept a lot of my old stuff. And it's all stored in New York.
Jordan Harbinger: [00:07:28] Oh, wow. Well, that stuff is probably a collector's item by now, I would imagine. So moving forward to the 2016 election, we talked about interference being on the propaganda side. I'm going to do a whole show about election interference and the kind of things that we're seeing right now. But this has been used before in many countries, including the United States. Let's start with the Hacking Democracy documentary, the older one. Somehow Al Gore had negative 16,000 votes in Florida. Only the totals for the presidential race were affected. So it wasn't just a machine failure. Tell us what's going on here? Like, was this your first foray into election hacking? How did you even become aware that this was a thing?
Harri Hursti: [00:08:08] So I had retired, I sold two businesses in a row. I decided this is it. I was doing in 2004 around-the-world trip backpacking and I stopped in California. And a now-deceased friend of mine, she was asking if I would be interested to take a look at this, and I said, "No." And then I was explained by a group of people what they saw what's going on in the election. And I point blank told, "This is impossible. Nothing — you must have been misunderstanding something. This has been deliberately told the wrong way, but this cannot be true." After that, I was asked if I'm interested to take a look at it. I said, "Still no!" Off to Tahiti, goodbye. It took me probably about half a year. And after that, they relayed my information to England and they kept pestering me. And eventually, I then decided to get rid of them. I will make an impossible set of rules. And I said, "Yes, I would do it. But my terms are something you can never get anyone to do it for free." And it took like six months again. And then I got a call from Ion Sancho from Tallahassee, Florida. He would be inviting me. I spoke with him and he told him he wants to know about the system, which he is using. And it turned out that the system he is using is exactly the same system which created this minus 16,022 votes in Volusia County for Al Gore. So I took a look into the system, figured out a couple of ways to manipulate the central tabulator, but I told, "Well, this is not elegant. You leave an audit trail. You leave evidence, the bread crumbles, you can trace it." And Ion asked me, "Well, what is the elegant ways?" "I don't know if there's one, but if there is a kind of this memory card."
Jordan Harbinger: [00:09:48] So it's a memory card that fits into the voting machine that you found could be the more or less untraceable or hard to trace way to manipulate the results. Whereas they were thinking it was something in the machine you thought this was impossible because you would see a ton of evidence and like you said, breadcrumbs being left by the tampering party.
Harri Hursti: [00:10:06] No, not even that. I was just thinking about the architecture of the system. And with that architecture, it made sense that there's an executable program in the memory card. And I was quickly told that that's impossible because it's against the certified rules but also the vendor was dishonest about the origin of the cards. Well, if they are not honest about one thing, they're probably not honest about the second thing. And I found an executable program on a memory card. I found it's completely unprotected. This memory card is so old, it's older than the floppy drive.
[00:10:38] So actually, I found it because I remember I have seen it before floppy drives existed. So that's how I found who was the original manufacturer of it. The interesting thing about this explanation afterward was the minus 16,000 was a malfunction of the memory card. That's the reason why it happened — not possible. The reason why it's not possible is that memory doesn't know how to make negative numbers. So whatever caused that minus 16,000 votes, which we don't know what caused it. At least the official explanation given at the time not possible, something else happened.
Jordan Harbinger: [00:11:15] So these memory cards are just like ancient discs that had programs on them. And the vendor said, "There are no programs on them. Don't worry. It couldn't be that." And you found that not to be true. And you said they lied about the origin of the memory card. What does that mean? They lied about where it was made or what?
Harri Hursti: [00:11:31] So that means that they have told the election officers in Florida that they have created the memory cards. And I immediately recognized this is not true. I have seen this card manufactured by someone else. And I eventually found a company called Cropscan from Minnesota who is spraying corn with a radioactive isotope and measuring the decay. And they are still using this memory card. And the memory card was made by Epson, a Japanese company. I contacted them because I found from the original padded laptop, that that memory card was the replacement of the floppy drive at the time. So this is really ancient technology. Yeah, they were claiming they developed them but they didn't.
Jordan Harbinger: [00:12:10] So the vendor's lying about this. Why? Just to sort of pass the security inspections so they don't have as many hassles. Like why lie about this?
Harri Hursti: [00:12:19] I have no idea.
Jordan Harbinger: [00:12:19] Okay.
Harri Hursti: [00:12:20] I have no theory. It doesn't make any sense. Maybe just be proud about something they didn't do.
Jordan Harbinger: [00:12:25] Yeah, I guess it's possible. There's a writer in the documentary, this woman, Beverly, she downloads all of the Diebold security manuals, all of the software from the manufacturer, and says, "Okay, well, if this stuff is all available online for me to get," not freely, but like through an FTP site that was unsecured. She finds this PhD engineer who then finds that these files are easily hackable and these machines were covering — what? 80 percent of the electronics market. And this was in 2002. I would imagine the vast majority of voting now is electronic. Correct?
Harri Hursti: [00:12:58] Not anymore. So those machines are DREs. They are direct-recording. There's no paper in that, which means that if you hack what's inside the machine, you have hacked the election. There's no audit trail. We have been since 2006, 2007, 2008, massively going back to the paper ballot, we still use computers to scan the paper ballots and tabulate, but now when the voter has preferably hand-marked paper ballot, you have always a remedy. You can always go to the permanent media paper and see what the voter intent has been. You can audit it, you can recount it. You can always recover from any kind of suspicion of fraud or untrue results.
[00:13:40] And there was even recently a case where a voting machine was reporting — and I believe that was in the last year in North Carolina — voting machine was in the race where they had 50,000 votes cast reporting to one candidate, 164 or something like votes. And when the paper was looped, that person actually gets 26,000 votes and won by 1000 votes.
Jordan Harbinger: [00:14:04] Wow.
Harri Hursti: [00:14:05] So we really need to have that paper ballot. We don't have the technology to do electronic voting. We don't know how to do it.
Jordan Harbinger: [00:14:11] What do you think something like blockchain or is that just a fancy word for something that is basically going to have the same problem?
Harri Hursti: [00:14:18] Blockchain is a solution looking for a problem. It doesn't solve any problem. It was never created to solve any problems. Blockchain really cannot help us. If there are 10 big problems in elections, blockchain can help to solve one of them, but by putting blockchain and you're creating new problems. So blockchain really cannot help us in this area. There's a lot of peer-reviewed documents and studies explaining why the public elections and blockchain are fundamentally incompatible technologies. The reason why in security perspective election is a unique problem. It's that you have a requirement of secret ballot and auditability at the same time. And then you have the requirement that it has to go right every single time, the first time, there are no do-overs. You can correct an error, so to speak.
[00:15:05] The combination of secret ballot and auditability is the hard problem. If I a little bit more go to that direction, there are always small companies who claim, "We have solved this electronic voting problem." Well, the problem is similar almost the same as what would be the mathematics needed to create a true digital cash. Something you can go to the corner at a hotdog stand at one in the morning after the bar and buy your hot dog without telling who I am and the seller not telling who they are. So, if you actually solve this problem, you probably first make your trillion dollars by making a digital cash and, you know, take a couple of Nobel prizes. And only after that, you will start to worry about electronic voting. So that's why there is no small company. There is no someone who has solved this problem and/or will solve it next year because we fundamentally are lacking mathematics. We are fundamentally lacking the building blocks on how to make that to work.
[00:16:04] Also, there's another thing, you think about democracy. Election is the cornerstone of democracy. The promise of democracy is a peaceful transition of power. The winners will always accept the results — always. So it's not about the winners. It's about the losers because the only way the peaceful transition of power is possible is if the losing parties and supporters of losing ideas accept that the election was conducted fair, the results are correct. And well they didn't get it their way this time, but it's got to be fair in next election and they can have a new try. So that's why elections are all about transparency and trust and evidence and proof. And you have to give that proof. If you have something magical, like blockchain, how you will be explaining to normal people on the street, "This is how we verify that the blockchain works."
[00:16:55] A lot of European countries have a constitution, their constitution that the election has to be conducted in such a way that a normal person with no special education and no special tools will understand and be able to verify how the votes are cast. So until we are in Star Trek universe where teenagers are casually talking about quantum mechanics, I'm not going to spend my time trying to explain to a 70-year-old poll worker how something like homomorphic encryption with blockchain works.
Jordan Harbinger: [00:17:23] Yeah. He got me on that one. Yeah. I think that makes a lot of sense. Even trying to explain to somebody who is pretty computer savvy that these blockchain results are legitimate is going to be very hard. I mean, you're still taking a lot on faith, even if you're the most avid Bitcoiner around. Right? I mean, you're still looking at a handful of people that can really look at this and understand what they're saying. So, okay, I got you. So we would think that after that election in the early 2000s, we've really upped our election machines security game. Right? But it sounds like we kind of haven't.
Harri Hursti: [00:17:56] So what happened in year 2000 — by the way, it's kind of funny — I'm co-founder and co-organizer of Voting Machine Hacking Village at Defcon, we actually had the same 2000 voting system, which caused the hanging chad, fragment or shred and whatnot chad problem.
Jordan Harbinger: [00:18:12] So, let me pause you for a second and explain what that means. So you run a — there's a conference for hackers called Defcon in Las Vegas, and you run like a sub-event where you just have hackers, including yourself, hacking voting machines. Right? Just to see what the security looks like.
Harri Hursti: [00:18:29] We are one of the biggest parts of the Defcon, yes. So we have been having a room full of voting machines. And it's an educational effort. We always knew that every single voting machine I can buy and my co-workers can buy from government surplus, eBay, everything on behalf. Really the cool thing was to let other people see, by an experiment, their own eyes and do it themselves. That's the education. One thing that made me so happy the first year when we did — we have done now four years — was to have an election official who came to hack the very voting machine they're using for their daily job. People who for legal reasons and for contractual reasons have not been able to peek into the machine that they have been using to run the election. And when they come back with their eyes wide open, "This cannot be true." I said, "Well, you know, you found it yourself." So yes, definitely, we have educational efforts. While we are not trying to find new vulnerabilities, every year we are publishing a report about new findings, but that's not the goal. The goal is education and helping people to understand why the voting systems are vulnerable. What are the election system — how it really works and to educate, it's not just security research.
Jordan Harbinger: [00:19:42] You're listening to The Jordan Harbinger Show with our guest Harri Hursti. We'll be right back.
Jordan Harbinger: [00:22:01] And now back to Harri Hursti on The Jordan Harbinger Show.
[00:22:07] So you're hacking these voting machines using a regular computer. And this is in part of the documentary, which we'll link in the show notes. And it looks like the manufacturers tried to stop you from distributing the documentary where you showed how easy this was because it was bad business, which is like a classic case of shooting the messenger, especially since this same machine is going to be used in 20 states in this year's 2020 election.
Harri Hursti: [00:22:30] Yeah. That's another thing when I and others, in 2005, 2006, got involved and down to 2008, we all thought now when the problem has been exposed, it will be fixed very quickly. It was completely, always incomprehensible for me and other security researchers. Then now 2020, we are talking about this topic and also we have in 2020 using the same machines with the same software. You wouldn't be using a 30-year-old PC with no security patches but that's exactly how the elections are conducted.
Jordan Harbinger: [00:23:02] The chief vulnerability here, is it that there's removable media on every machine? So the cards, USB drives, ports. What's the chief vulnerability here?
Harri Hursti: [00:23:11] The chief vulnerability is that nobody thought about security. When the Help America Vote Act in 2002, create a three billion dollar, over three billion dollar funding to go buy voting machines, there were no security standards at all. So everybody just went to the future shop and bought whatever is sold. And of course, what was sold back then was created in the '90s and '80s. So they were created at the time when cyber warfare was science fiction. Nobody would have ever thought about cyber warfare to be real. There was never a consideration of security and now the same systems are around, but even more importantly, the culture hasn't changed.
[00:23:51] I always say that when you are examining any kind of device, whether it's an ATM, whether it's a life support system or a voting machine, you always find vulnerabilities, but how safe you are is not the vulnerability, but how the company reacts. If the company says, "Oh, my God, help us. Let us fix this problem." Now, you know, this is in good hands. That's the way we are going to fix this problem. If the company goes, "We are going to sue you and try to stop this mess." Now, you know, nothing gets fixed and the culture is wrong and the culture is the poison pill. The culture is the one which is causing all the trouble because you are not trying to fix the problem.
Jordan Harbinger: [00:24:30] I know that a foreign power had penetrated one of the vendors that supplies the voter registration databases. Is it always Russia or is that something that happens from other countries too? Because, you know, we really only hear about Russia in the news meddling with elections.
Harri Hursti: [00:24:44] So this year at Defcon, we had a number of speeches about who are the foreign players, and historically, who are around. One of the speakers who really went through the last — was it 16 years of government hacking and it really showed that there are certain big countries, Russia, China, Iran, which are the big three. And after that North Korea, [indiscernible] underneath, but it's never only one country. And in 2016, the widely published things, which is in every single intelligence report of what the Russian activities are. Since the last four years, every other nation has to be very busy to duplicate their capabilities. They are not alone.
Jordan Harbinger: [00:25:25] So we might see or we will see election interference from China, Iran, North Korea, and Russia all at the same time essentially?
Harri Hursti: [00:25:34] Well, there has been already in the news almost a year ago when a huge American public trading company took Iranian activity down, which was at the time after I reviewed it whether it's true or not as a preparation for possibly the election activities. My personal opinion and my professional opinion, this is going to be a number of different countries who have now the capabilities. The question is how they are going to use it. You know, some countries might have developed a capability but decided not to attack. Some nations might build a difference.
[00:26:05] And that's really important that in America, the [indiscernible] on election has been wrong until very recently. [indiscernible] was a dishonest candidate or support group of a dishonest candidate who tries to win. That is not what nation-states are doing. Nation-states have multiple different objectives and primary and secondary — and if you look, the Cold War was an ideological war between capitalism and communism. If you look that path, the goal is to destroy the trust in democracy. It is to undermine your government and people's belief in the society. So if you then can gain something else also, that's fun. But you have to think about who are the threat actors? What are the motivations? What are the tools? What are the primary and secondary targets? And only after you have done that homework, you can start to think about how I'm going to defend the fort.
[00:26:58] And the most crazy thing here is that since 2002, massive amount of technology has to be pouring in the election. We have an idea and thinking that there's an election office. The election office has an IT department and the IT department has a security practice. Nothing could be further from the truth. Most of the election offices have no security protection at all. They don't even necessarily have their own IP full-time staff. They have a couple of volunteers. Everything is outsourced. So there is no practice in that side. At the same time, if a foreign nation would be coming with the ships and putting a couple of tanks on the US soil and started rolling over, you wouldn't be expecting the local sheriff to fend off the foreign nation military. But in asymmetric warfare, that's what is happening.
[00:27:41] The local election officials who are underfunded, under-resourced, and try to do the best, they are fending off a foreign nation in this attack. And a lot of people don't think in the terms, but every other war we fight — land, sea, underwater, space — all of these are natural domains where the laws of physics and the laws of nature work. The only place where we fight a war — which is a man-made domain — is cyber. We don't have distances. We can actually cheat the clock. There are no similar rules. The rules are what we make them to be. And that's why this is completely different in every single way on how you look the [indiscernible] and how you look for — what you need to do in order to keep safe.
[00:28:27] And voting is a canary in the coal mine. Because all the problems we see in voting are repeated in critical infrastructure. And that's why the Department of Homeland Security has designated elections as part of critical infrastructure. Governments can be changed by bullets or ballots. We choose ballots instead of bullets, which some other countries have chosen. So this is really that important. It really requires to be studied and secured but also you need to look at the other part, sewer system, drinking water, electricity, and look at all of the other things which we need to fix in order to secure our society.
Jordan Harbinger: [00:29:04] I know you'd said that every single NATO country has had Russian interference in their election, every single one of them. And I want to separate this from collusion or whatever. That's not what we're talking about. We're talking about election hacking, regardless of your politics. The facts are all information points to this as an ongoing threat to free elections, free and fair elections in the United States. I'm going to do an entire show on election interference, especially from Russia and the history of that and how that goes. But for now, I'm more interested in the vulnerability of the machines themselves. It sounds like — and you mentioned this in one of your talks — Russia knows it can't compete with the US military when it comes to planes, tanks, boats, bombs. China knows this. Iran knows this. But they can and do compete with disinformation and cyber capabilities because of the reasons you just mentioned. So is this something that you think we've ignored because we have more aircraft carriers and satellites, basically.
Harri Hursti: [00:29:53] I would say that the US has a very good intelligence community. There has been a lot of attention. It has the political side. We might have not been taking this as serious as it should be. And at the same time, this is a complex topic. As in the later movie Kill Chain: The Cyber War in America's Elections, ex-White House officials are pointing out that there has been a wrong focus. It doesn't matter how much money you spend to have the best military if the war is fought in cyberspace and in election hacking because that's the way you can influence the government. And that's the way you can influence the minds of the people.
[00:30:29] If you think about the misinformation, disinformation as an idea, we are using too many words as interchangeable when they are not. Propaganda is for me to convince you something I want to convince you to do. Misinformation is I'm going to be sending out another information, which is undermining your trust. Mal-information is the same as a malicious act. But the most dangerous is disinformation because disinformation — all the ones are tactical. They are for a single purpose in a very short period of time. Disinformation is a mental virus. The whole idea there is to destroy our capability as humans to have a frame of reference, which we need in order to learn and get new information and build our worldview. So with that, you cannot use it in a few years, but you can poison the minds of a society by undermining your capability of learning and building a framework of mind. It's a long game.
Jordan Harbinger: [00:31:33] We see this now when we talk about things that are settled science in a lot of ways, or that just very clearly have been fact-checked by multiple parties. And then you get a huge number of people that are like, "No, Bill Gates wants to put microchips in your blood." And it's like, "Where are you getting this?" "Oh, I saw this on the Internet and on Facebook and on YouTube." And then you bust out, you know, a scientific journal article that has 10 different studies in it. And people go, "Oh, well, that's a bunch of crap. Watch this documentary made by some yahtz in his garage," and they'd put equal weight on those sources. That's one result of disinformation, right?
Harri Hursti: [00:32:07] That's one result of that. And also I have to say that if you look how disinformation — because in disinformation, the beauty of that is that you are actually designing contradicting messages where you contradict your own message. So disinformation provider is not trying to drive one point. It's driving multiple points, which are contradicting inside of you because you are trying to create as much chaos in the mind of the receiver as possible. When you look at the production — if you look today, there are still pieces in YouTube and social media, they are professionally produced. They're very beautiful. And they are in such a quality that if you look at the production value, you can easily think this is real. Now, you have to have critical thinking and you have to stop.
[00:32:52] Where we are here is that we don't have a human firewall. We have a firewall for the computers, but we have not been educating our generations in school and our young to have a human firewall, to have a capability of critical thinking and questioning when I'm presenting disinformation. How do I know this is true? Even if I like it, because that's the one thing about we humans, we really like things which agree with us.
Jordan Harbinger: [00:33:18] Right. Things that agree with us. Yeah. The ideas that we agree with. Yeah.
Harri Hursti: [00:33:22] And that is not necessarily true.
Jordan Harbinger: [00:33:24] Right. This goes into the Russian disinformation that we've uncovered. And again, I'll be doing more of a show about this as well, but why they have different Facebook groups that are actually against one another and they're run by the same group of the same party. Going back to election hacking. Ukraine actually discovered some software in their machines that had specific outcomes programmed into it. So it wasn't just let's skew the votes this way or let's get the votes that way. It was, we're going to put a far-right candidate in the office with 37 percent of the vote, even though he only got one percent of the vote. So they had programmed the result into these machines. Can you discuss that a little bit? Can you speak to that?
Harri Hursti: [00:33:58] So not specifically about Ukraine, but let's talk about everything and about how this works.
Jordan Harbinger: [00:34:03] Okay.
Harri Hursti: [00:34:03] So you have a voting machine and voting terminals, that's how you cast your ballot, either electronically or paper ballot, this goes scan. And after that, these machines are reporting those results, very often over communication lines, through the central tabulator. Now, in both the county level or state level where the votes are accumulated in the database and along the path, there are a number of data storage systems, databases. And if you manipulate those, you can create an illusion of different results and you can even do it in the electronic reporting system. So instead of even hacking anything in the tabulator system, you are just creating wrong reporting. So there are a number of ways how you can through this whole path influence the results.
[00:34:53] And we have to actually step even further back because if we look at the election as a whole, it's a myriad of systems. We have voter registration system. We have electronic poll book systems. We have election management. We have the ballot casting. We have the tabulation and we have the reporting. Any of these, if you hack one of these, you can always hack the result. You can disenfranchise voters so they can't cast their ballot. You can change the outcome. You can change the report. Each of these needs to be secured. And none of these is less important than the others. And that's why we have been — I think in the public mind, we have been focusing in a very narrow area which is you cast a ballot and how the ballot is counted, but not missing the whole big picture. How many other systems from an adversary, from the attacker's point of view, where the attacker can go and achieve the same goal.
Jordan Harbinger: [00:35:49] This is The Jordan Harbinger Show with our guest Harri Hursti. We'll be right back.
[00:39:31] This is interesting so each segment of — it's not just voting, it's voting and then the results being counted, and then the results being sent over communication lines to a central area where they then have to be audited and stored. Each of those areas has a vulnerability to it. In the case of Ukraine with these specific outcomes programmed into the software, the machine, they somehow caught this and removed it before the election. And this blew my mind, Harri, that Russian media still reported the exact percentages of the fake outcomes. So it was like this sort of negligent/they just don't give a crap at all about getting caught if they're going to sit there and have given the fake results to the media already. It's like, they just didn't even care if they got caught doing that, clearly.
Harri Hursti: [00:40:14] Or they counted on being caught. That's also a power play saying, "See what I can do. See, I don't care." That's also communication and message. We always are too easily jumping into conclusions. There are a lot of people who say, "I can think like the enemy thinks." No, you are thinking like you wishfully think that your enemy would think.
Jordan Harbinger: [00:40:35] Right.
Harri Hursti: [00:40:35] Your enemy doesn't necessarily agree with your idea. It's very dangerous to say, "Oh, this is obviously what the enemy was thinking." No, it might be that they've accessed the counting. "Let's get ourselves caught. Let's go chaos. Let's be on your face saying we can do this." It all is possible. You don't know what the enemy is thinking. And the other thing, which is also in the case of any cyber-attack in any area, one of the most difficult areas is attribution. How do you know who is the actual attacker? Because there are a number of ways to disguise. There's a number of ways to have a false flag. You need to have a credible intelligence community, credible company. You have to have — nobody can call it. It's always that. You have to put a lot of research. So you can say, "I'm almost certain, I'm certain to a certain extent that this is the actual attacker." It's really difficult.
Jordan Harbinger: [00:41:30] We're not worried about getting caught. I mean, how do we know it's not just random criminals, but it's actually the government doing this. You know, that's a common counter-argument that we hear.
Harri Hursti: [00:41:37] Well, I mean, if you look from the Kill Chain, my good friend, Mikko Hypponen says it very well — if it's a public entity, it's a government, they don't care. They don't worry about the cops showing up there. No, because they are the cops. If it's a private enterprise, if it's a criminal group, they will change because they would be afraid that the government will show up. You know, some government will show up, cops will show up. It's really that kind of thing which is very tale-telling what kind of entity is driving attack. How to react when they are being caught?
Jordan Harbinger: [00:42:09] Right. And if they're not worried about it, it's just because they're protected at the state level. Right?
Harri Hursti: [00:42:13] Exactly.
Jordan Harbinger: [00:42:13] So, Diebold and other vendors say, "Look, these machines are unhackable." Maybe you can get it, but you've got a machine in your office and you've got a memory card in your office and you're sitting there all day messing with it. The bad guys are not going to have access to the machines. And then in Kill Chain, you go out to a recycling center. And what? You pick one up for like 75 bucks.
Harri Hursti: [00:42:33] So yes, first of all, as a representative NSA said in Defcon, he said, "If you are not understanding that there's this kind of room which we have here for two and a half days — if you don't understand, there's this kind of room in every other nation running 24/7 and the massive resources, you have to be kidding me." The voting machine vendors are selling this internationally. US second-largest voting machine company, their pilot customer was the state of Mongolia between Russia and China.
Jordan Harbinger: [00:43:04] Seems legit.
Harri Hursti: [00:43:05] I'm absolutely certain the good people there are honoring US copyright laws, but the whole thing is these machines are sold internationally. Even if they wouldn't be on eBay, you are already selling them internationally. They are available. And also from a security perspective. Security by obscurity doesn't work. No such thing exists. So in the security research, assuming that your adversary has complete access, not only to the machines, not only to the code but also everything that development documents and everything. Your security cannot be based on the idea the attackers don't have access to this information on this machine.
Jordan Harbinger: [00:43:45] Because they'll find it.
Harri Hursti: [00:43:46] They will find it.
Jordan Harbinger: [00:43:47] Between election cycles, everyone's guard is down. They can put malware in the machines, they can tamper with them while they're sitting in a warehouse. The other common defense we hear is — well, look, the machines are never connected to the Internet, so you'd have to tamper with each individual machine and that's just not scalable. It's not possible but you busted that bubble too.
Harri Hursti: [00:44:05] Well, everything is connected to the Internet — but before that, I also wanted to talk about the other thing, which is yes, the common rebuttal for Defcon Voting Village has to be — okay, if somebody would be popping the voting machine open in polling place, they would be noticed. Well, first of all, you don't wake up in a hangover on Tuesday mornings, "Oh, today, hangover, I will go to hack the election." No, there's a little bit more preparation. So security research is all about finding the vulnerability, not weaponizing. Whether you are developing the way on how you can actually distribute, that's weaponization. And generally speaking, security researchers don't go there. That's not the goal. So the goal is only defined where it is.
[00:44:46] But also the argument, voting machine is under lock and key. One of the things which we didn't get to the movie because of too many people and too much things to tell. I mean, the Kill Chain movie, we filmed almost four years of that.
Jordan Harbinger: [00:44:59] Wow.
Harri Hursti: [00:45:00] But we were in a real election, very nice people. We were in a polling place. The polling place chief was going around and I noticed that the voting machine had the seals were broken and the most critical parts — a little door where the most critical part was a little bit open. So I went and we went to speak in front of the voting machine. I was trying to guide the — because there was an election judge, there was a poll worker, there's the polling place chief because we're doing it in a quiet hour and I was pointing to the voting machine. And nobody seems to notice that the seals are broken. So eventually I said, "Well, hey, the seals are broken and the door is open." "Oh, don't worry about it. We stopped putting the seals 10 years ago. It's from the previous election. The seals were always broken in and people were worried, so we stopped putting the seals that were placed 10 years ago. We just actually cleaned the seals because other people don't think they are broken because we don't seal them anymore." Now, I had a conversation. I said, "Well, do you understand that the most critical part of this machine is underneath?" They said, "No, no voting machine vendor has said that is completely safe. We have been saving money." And so, basically, when I explained to them, what is the reason, they were, "Oh my God, we have to seal this. By the way, the only reason we stopped it was because the vendor lied to us and told us this is completely safe. This is completely secure." At the same time, the same vendors are telling, "Oh, in real world, nothing can happen because they are all sealed and locked." First of all, the keys are the simplest minibar keys, but those are the sealing and all of that doesn't happen in the real world.
[00:46:29] About the Internet, everything is connected to the Internet, either directly or indirectly. And the more modern voting machines, they actually have mobile phone connectivity to county headquarters. They are sending the results. Wireless is coming back to the voting machine in the newer generations. Nice marketing material trying to tell, it's not but it is. A journalist, a year ago, found 200 voting machines in the Internet. Voting machine vendors say, "Well, they are not in the Internet because they are not pingable." My answer to that is, "Are you from the past?" Because since 15 years ago, nothing is really any more pingable and they are still connected to the Internet. That argument has a meaning something 15 years ago. It doesn't mean anything today.
[00:47:16] I just came from Atlanta and they have new voting machines because the judge ordered the old ones to be scrapped. And part of the things in the judge's ruling, the finding was that the voting machines were programmed by basically three guys from their homes and who sent all the programming of the voting machine for the next election over the Internet to be distributed to old machines.
Jordan Harbinger: [00:47:37] So these guys had programmed the machines from home, and then they pushed the code update to the voting machines via the Internet.
Harri Hursti: [00:47:44] They pushed it through the state, and then the state pushed it to the counties. And actually, this whole thing about critical election specific programming going on the Internet is very common because a lot of this programming is done by private companies, third-party companies, election management companies. It has been shocking in the last two years when I've been working for a number of secretaries of state and looking how the security is done in their state, just to find that email, FTP with no security. These are the common methods to send the most mission-critical programming from the private company, which might be out of state to the local county who is putting it into the machine. And it is whoever controls that data controls the election.
Jordan Harbinger: [00:48:26] And these machines, like you said, they have network cards. You show in Kill Chain — again, the documentary that we'll link in the show notes — that they have USB ports, they have memory card slots. They have modems and phone jacks sometimes. So these things were built for connectivity. They're not immune to connectivity. Seemingly, we don't have to hack hundreds of machines. These are networks. You can just make software that infects one and then dozens of others or just changes the data. Is it possible? I guess that's a dumb question, but I'm going to say it anyway. So do you think it's possible that we could create a worm that we get on one machine in a voting center and it just connects to the other machines covertly and infects them without the bad actor, so much as laying a hand on the machine themselves?
Harri Hursti: [00:49:03] The real proof of concept of viruses demonstrated over 10 years ago. So that already has been demonstrated publicly that voting machine virus, which can propagate from one voting machine to another, that's a reality which we have shown it's possible. And that's one of the things why that was created. Because again, when you say it's possible by showing the vulnerability, people said, "Well, I don't believe until you show it." So it's one of the real things where a team of researchers developed and the actual virus, just to show the logical outcome of the vulnerability. Yes, there can be a voting-machine virus, full stop. Here, it is. It goes from one voting machine to another.
Jordan Harbinger: [00:49:42] Wow. So essentially then nobody ever knows there's no trace. There's no physical access. I mean, if you can get this onto the machine remotely, you could just sit in the parking lot. We're not even going to see a sketchy guy in a leather jacket and track pants walk into the voting center. He's just going to sit out in his truck.
Harri Hursti: [00:49:56] So a voting machine, which shouldn't be in use in the US anymore. But when we had that machine in Defcon, that machine was hacked wirelessly in 20 minutes by a researcher from Denmark. The voting machine has Wi-Fi. And it has unpatched operating system but literally, you can have that machine from a parking lot without knowing it's a voting machine because you're going to use Metasploit. There's a gazillion Metasploit for that machine. So you don't even need to know it's a voting machine. You can just hack to anyone using XP computer ROM.
Jordan Harbinger: [00:50:27] And what's Metasploit for people who aren't really up on that?
Harri Hursti: [00:50:31] Metasploit is a framework which is open source, free of charge has thousands of different vulnerabilities and payloads, which you can use as a tool of security testing to quickly build a prototype and deploy against any targets. So I would say it's a framework of vulnerability, exploitation framework.
Jordan Harbinger: [00:50:50] Something anybody can get, doesn't cost any money. It's everywhere. It's not under lock and key. And it's for security testing, but if you're a bad guy, you can also grab it. And you don't even need to be specialized to this voting machine. It's already in Metasploit. So you can sort of like cookie-cutter — off the shelf, I guess, is what I'm looking for — grab this Metasploit and you can hack a voting machine.
Harri Hursti: [00:51:10] The Metasploit, I guess, is not related to voting machine. This is actually a very important point. The tools, which are the best tools, they are free. They are available everywhere in the world. Anyone in the whole world can get the tools for free. If we look for specific hardware, which you can use, for example, adaptable USBs, most of the hardware is under a hundred dollars and they're made in the US. So you can just get it with the credit card, FedEx it to you or not. The tools are not expensive and flexible.
[00:51:43] For example, I just laughed when I saw the pictures of the Russian military intelligence, who were hacking chemical weapons, a laboratory in the Netherlands when their trunk was opened and they show what the equipment there is. The key element was a $200 piece of equipment made in California and sold to everyone. I have four of those. So again, they don't use that $200 piece because of possible deniability. We are not military intelligence. It's because it's good. It works.
Jordan Harbinger: [00:52:16] Wow. It seems like we can't really do anything about this. I mean, is there sort of a bright side to any of this? Are we working on making these things more secure or is it just like, "Look, we got to go back to paper, full stop"?
Harri Hursti: [00:52:29] So first we have to make everything we can to make it more secure, but we also have to go back to hand-marked paper ballots. We don't have any other technology. Ballot marking devices which are like touch-screen, computer printing the paper for you. University made a recent study where they told the test voters, "We are going to test the new method of voting. Please check your ballot." But they were not told that the machine will cheat every single time. And only under seven percent of the voters catch that the paper they got out of the machine was not fully represented of what they were chosen — so hand-marked paper ballot.
[00:53:06] Now, American elections are uniquely complex in the world. So you cannot really unless it's a small county, there are small counties, but it's a very small county, you need to use computers to process the paper. As a European originating person, I say it's incomprehensible for me that in the US the losing party has to ask for a recount or audit. Why not have a mandatory audit for every race every single time, because once you have a paper ballot as a method called risk-limiting audit, which is a very quick and very nice public way where you can invite everybody who is wanting to see how the result is proven to be correct to witness and understand how to do stuff. So hand-marked paper ballots and risk-limiting audits and you use the computers in between to create the results because there is no alternative because they also are so complex. But unlike what in the Russians saying, which was quoted by Reagan when he said trust, but verify. It's an old Russian saying. Actually, in this case, don't trust and verify, because you cannot trust the voting machine. Everything we have today, everything we have in the foreseeable future can be hacked. So let's understand that and verify the results.
Jordan Harbinger: [00:54:18] You've mentioned this a little bit before, but in closing, I'd love to sort of put a nice bow on this — the reason that people are hacking elections, it's not necessarily like in Ukraine where they want to put in a right-wing candidate or a left-wing candidate somewhere. This is not just to get a specific outcome in that election it's to chip away at democracy itself. Correct?
Harri Hursti: [00:54:38] There are a number of different disruptors and certainly, nation-state ideology — I mean, it can be a nation-state who wants to undermine democracy, but it can be a religious group. It can be all kinds of disruptors who just want to create tales. So that's another thing. What I would like to point out, even when we are talking about nation-state, they are using the same tools, which are available to you and me. So when nation-states are dangerous and they have different motivations by individuals, but also these tools are available for individuals and crime organizations. You don't need to have that much money to buy the tools and learn how to use it. So we have to not assume it's a nation-state, which needs to have massive resources. It can be a smaller group. We have to defend our democracy against all enemies, domestic and foreign.
Jordan Harbinger: [00:55:27] You know I actually thought about becoming a poll worker this year. It's hard because there's a coronavirus and I have a one-year-old baby and I'm worried about that. But you're right, when you walk in those places to vote, man, everybody is 73 years old. And I'm thinking, "How are you going to troubleshoot the machine? You can't even turn on your laptop. You're going to troubleshoot this voting machine. It's going to take you half an hour." So they don't do that. They just put a sign over it that says out of order. And then they have two voting machines for, you know, 800 people in a line that's been going for five and a half hours in the heat or the rain or whatever, snow.
Harri Hursti: [00:55:58] Yeah.
Jordan Harbinger: [00:55:59] It's just a mess.
Harri Hursti: [00:56:00] And it's actually sad news last weekend. So I wasn't down in Atlanta. Chattanooga is, you know, across the border of the next state. The election director of Chattanooga died in coronavirus last weekend.
Jordan Harbinger: [00:56:13] Oh my God.
Harri Hursti: [00:56:13] So we actually are seeing the older poll workers are vulnerable population to be at risk. Mailing ballots are the way we have to go. And it's just insanity to put people at risk. I mean the whole public claims that voting is a privilege. No, it is a right. It's a fundamental right as part of this nation and being a citizen of the United States. The same in Western democracies. It is not a privilege. It's a right. And you shouldn't be choosing your health if you can vote.
Jordan Harbinger: [00:56:46] Yeah, you're absolutely right. I mean, you're correct. Well, Harri, is there anything I haven't asked you or brought up that you think we should put into this episode?
Harri Hursti: [00:56:54] So, first of all, most important, if you are eligible to vote, please vote. There's nothing I said which should discourage you to vote. Please vote every race in a ballot. Because apathy is as dangerous to democracy as somebody hacking. And more people voting the harder it is to hack. So if you can vote, please go to vote, take your neighbor, take your friends, give a ride to your friend to get to the vote.
[00:57:20] The second thing is if you seem to really care, become a poll worker. The average age of poll workers is going up all the time. More people who are computer savvy, more people who are security-minded in polling places. Help to keep the line shorter. Help to find if there are problems there, become a poll worker. And this is everywhere. I want to underline, hacking elections and election security are not in the US only. It's all of our Western democracy, not even Western but all of our democracy. Every single country, wherever you are, please go to vote. Please try to guard your own country system.
Jordan Harbinger: [00:57:56] Harri Hursti, thank you so much. This is fascinating.
Harri Hursti: [00:57:59] Thank you for having me.
Jordan Harbinger: [00:58:02] You know, I've got some thoughts on this episode, but before I get into that, here's what you should check out next on The Jordan Harbinger Show.
[00:58:10] A lot of people hear the name Pussy Riot and they think, "All right, what is this? You're just trying to get shock value." Can you tell us the beginning a little bit of what Pussy Riot is? When I was reading the book and you said you just made it up for a lecture, I was like, "There's got to be more to it than that."
Nadya Tolokonnikova: [00:58:23] No seriously.
Jordan Harbinger: [00:58:24] Not really.
Nadya Tolokonnikova: [00:58:26] They decided to punish us. They opened a criminal case and in two weeks after the performance, we were arrested. We knew how to hide from the cops. And for a week, dozens of cops were looking for us. And when they caught us, finally, they were so happy.
Jordan Harbinger: [00:58:43] You're making them look like fools.
Nadya Tolokonnikova: [00:58:44] It's our profession.
Jordan Harbinger: [00:58:45] How does it feel to have these world leaders or in these private chambers with their tea and their bodyguards. And you're sitting in a Russian prison and they're like, "These 22-year-old women, they're screwing my world up, man. I got to do something about this. Look at how bad they are."
Nadya Tolokonnikova: [00:59:01] I was really happy that Putin is in trouble because of us. Because they definitely didn't expect anything like that. My mother thinks that I need to immigrate, run immediately.
Jordan Harbinger: [00:59:12] Yeah, you still live in Russia. I can't even believe it. You wrote, "The future has never seemed so full of enriching wonderful possibilities as to when I was in a labor camp and literally had nothing but dreams." What gives you the strength to go forward when you're worried about, "Are they going to try to blind me? Are they going to try to beat me up?" I mean, they were highly abusive to you while you were behind bars.
Nadya Tolokonnikova: [00:59:33] I just prefer not to think about it.
Jordan Harbinger: [00:59:35] For more from Pussy Riot and world-renowned artist Nadya Tolokonnikova, and her time in the Russian prison and, of course, their crusade against Vladimir Putin's regime, check out episode 118 on The Jordan Harbinger Show.
[00:59:49] This episode freaked me out a little bit. I mean, when you click someone's name on an electronic screen, you don't really know if you actually selected the right person in the computer. What's happening between your finger and the ballot, right? The computer can kind of do whatever it wants, the black box. How do we know if the computer counts the votes properly? It's so weird to hear myself saying this because it's like crazy Uncle Frank, who always complains at Thanksgiving about how you can't trust those pesky computers. It's like he was right all along. Scientists and computer hackers broke into the voting machines within 10 seconds — 10 seconds. And system security in these machines was not penetration tested whatsoever. I know a lot of you listening are info security types, but pen testing, it's like taking up a computer system or any system and seeing if someone can break it or break into it. They just didn't even try to test our voting machines with this method or these methods at all.
[01:00:38] The independent authorities that verify voting systems, they simply didn't do that again. This was 2002. I hope they're doing more of this now. Harri's on the forefront of this. But Harri's been able to hack voting machines remotely in minutes from the parking lot. Remember that. And editing election results on those older Diebold voting machines, that was as simple as editing a spreadsheet located on the same machine, on the same computer. And as recently as the past couple of years, we've seen the election assistance committee get hacked and Rasputin, the hacker who's selling access to these machines, in this data online. They had buyers from Iran, Russia, and other places. So this is bad news and desperately, desperately needs to be fixed. And I thought this is very apropos given the November 2020 elections right around the corner here.
[01:01:22] Big thank you to Harri Hursti. We'll link to some of his resources and the documentaries I watched in preparation for this in the show notes. Links to everything are always in the show notes. The worksheets are in the show notes. The transcripts are in the show notes. There's a video of this interview on our YouTube channel. That's at jordanharbinger.com/youtube. And I'm at @JordanHarbinger on both Twitter and Instagram. Or you can just add me right on LinkedIn.
[01:01:44] I'm teaching you how to connect with great people and manage relationships, using systems and tiny habits over at our Six-Minute Networking course, which is free. That's at jordanharbinger.com/course. Dig that well before you get thirsty. Most of the guests that you're hearing on the show, they subscribe to the course. They contribute to the course. Come join us, you'll be in smart company.
[01:02:04] This show is created in association with PodcastOne and, of course, my amazing team that includes Jen Harbinger, Jase Sanderson, Robert Fogarty, Ian Baird, Millie Ocampo, Josh Ballard, and Gabriel Mizrahi. Remember, we rise by lifting others. The fee for the show is that you share it with friends when you find something useful or interesting. If you know somebody who's into hacking or elections or security or InfoSec, share this episode with him. Hopefully, you find something great in every episode. So please do share the show with those you care about. In the meantime, do your best to apply what you hear on this show, so you can live what you listen, and we'll see you next time.