“Never Trust, Always Verify” - Harri Hursti Hacks a Voting Machine LIVE on PBD Podcast! | PBD Podcast | Ep. 478

2024/9/25
PBD Podcast

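People
Harri Hursti
Patrick Bet-David: An entrepreneurial legend, from refugee to millionaire
Topics
Patrick Bet-David: This episode discusses the American public's concerns about the voting system and election integrity, and doubts about the security of voting machines. Patrick Bet-David has an in-depth conversation with cybersecurity expert Harri Hursti, who shares his experience hacking voting machines and stresses that security vulnerabilities are widespread in current voting machines. The episode also discusses the relevant laws and regulations and the question of public trust in election results, and analyzes the strengths and weaknesses of different vote-counting methods. Patrick Bet-David raises the point that the public lacks trust in the voting system and questions whether votes count and whether manipulation exists. He and Harri Hursti discuss how voting machine vulnerabilities are not accidental but a regulatory and legal problem that requires political will to set and enforce standards. He also talks about the Dominion and Smartmatic lawsuits and the question of public trust in election results. Patrick Bet-David also discusses the voting machine vulnerabilities found at the DEF CON hacker conference and how, because the update process is long and complex, fixes are unlikely, raising concerns about election security. He and Harri Hursti discuss how the evidence Mike Lindell claimed to have of fraud in the 2020 election does not exist, and how to improve the security of voting systems.

Harri Hursti: Harri Hursti is a cybersecurity expert who has bought and hacked hundreds of voting machines and demonstrated voting machine vulnerabilities in an HBO documentary. He believes that all voting machines currently in use have security vulnerabilities and cannot be made completely secure, so a "never trust, always verify" strategy should be adopted. He stresses that hand-counted paper ballots are more reliable and that risk-limiting audits can effectively verify election results. He also points out that most experienced hackers could break into and manipulate modern voting machines, and explains why voting machine vendors seem unwilling to fix these vulnerabilities. Harri Hursti also shares his involvement in the DEF CON hacker conference and his view of Mike Lindell's election-fraud claims. He believes that solving voting machine security requires mandatory security standards and laws and regulations, not technical means alone. He also discusses the strengths and weaknesses of different counting methods and how to improve voting system security. Harri Hursti also explains in detail the voting machine hacking test conducted at Leon High School and how he buys and tests voting machines, and stresses the impact of human error on the security of election equipment. He also discusses the use of blockchain technology in elections and his views on internet voting and cryptocurrency. Finally, he expresses his concern about nuclear power plant security.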

There's a lot of people that are worried, what the hell is going on here? Because it just doesn't make sense. Is my vote going to count? Can you come back and manipulate it? People don't have a lot of trust in the system today.

What is your level of faith in the accuracy of the machines that we currently use? Every single independent study where we have had access to voting machines, 100% of the voting machines have been hacked. Unhackable doesn't exist. Instead of saying trust but verify, you should have a zero trust approach. Never trust and always verify. Fuck the speed!

Hackers can manipulate the system this dramatically? Once you gain access to the system, you can change anything as you want. They can fix it if they really want to, but you're saying every machine has the same vulnerabilities of how to get into it. You think that's accidental? There has to be a political will to create those standards to be mandatory and enforced. This is not a technological problem. This is a regulation and legal problem.

What do we need? This transparency. We don't have it, though. Well, we do, actually. How do we have that? You just said at the beginning of the podcast that, hey, never trust. Always verify. And now you're saying we have to trust because it's bad for democracy. You just validated millions of people's concerns. I'm walking away with enough stories to tell for the next month. Did you ever think you were me?

I feel I'm supposed to take sweet victory. I know this life meant for me. Yeah, why would you bet on Goliath when we got Bet David? Value taming, giving values contagious. This world of entrepreneurs, we get no value to hate it. I be running, homie, look what I become. I'm the one.

All right, so listen, since we're around 40 days away from the elections, I thought it was appropriate to bring somebody who has bought hundreds of voting machines himself and who has hacked into many voting machines himself to see if there's the ability to hack into them to the point where March of 2020, eight months before the elections of 2020, which was a controversial one, he was on an HBO documentary showing that many machines out there are able to be hacked into.

And eventually he was so successful that they called something the Hursti Hack. Hursti is his last name.

It was a successful attempt to alter the vote recorded on a Diebold optical scan voting machine. The hack is named after Harri Hursti, who is here with us, and I'll show you the results. And he decided to take it to a whole different level. Not only is he here in the flesh for us to talk about what's out there, what's possible out there, he brought a voting machine here with him to show us, and he's going to actually hack into it live.

You're going to see it here with our friend who's a guest today, Harri Hursti, to have you on the podcast. Thank you for having me. Yeah, so as a hacker security researcher, I want to start it off with this first, okay? I think it's the first story, Rob, if I'm not mistaken, which, let me go to the story, and I want to get right into this here.

Story comes out August 12th of this year. Politico. OK, you're quoted in it. The nation's best hackers found vulnerabilities in voting machines, but no time to fix them. OK, top hackers at DEF CON. DEF CON is where a lot of these hackers you guys go to expose vulnerabilities in U.S. voting machines. But fixes are unlikely. Rob, if you want to pull up this article, if this is it.

Before November 2024 election, due to the long and complex process of updates, organizers are frustrated. There is so much basic stuff that should be happening and is not happening, said co-founder Harri Hursti. It's not a 90-day fix, and it continues. Security concerns are heightened by past foreign interference like the 2016 Russian hacks and recent threats. Hursti warned, if you don't think this kind of place works, this kind of place is running 24-7 in China, Russia, you're kidding yourself. Adversaries have access to everything. While DEF CON hackers highlight these issues annually, the slow response from manufacturers and election officials raises fears that unpatched vulnerabilities could fuel future allegations of election fraud. So after your experience with all these different machines, what is your level of faith in the accuracy of the machines that we currently use?

So first of all, the quote you said about the room running 24-7 in an adversary country, that actually was a quote made by one of the top spy agencies of a U.S. director in DEF CON. So if it's put to me, it's just repeating what he said. Who was the person that said it? That was Rob Joyce of NSA. Okay, got it. If you want to pull up his name so we can give him credit, please keep going. So my confidence actually in U.S. elections is high.

Right now, we have to improve the systems, but we already know how to get elections done right on this hand-marked paper ballots. And since I started and my colleagues started to expose the problems, more and more of the United States have transitioned to have a hand-marked paper ballots.

And in the U.S., you have to understand the U.S. elections are almost uniquely complex. There are countries which have more complex elections than the U.S., but not very many. In the U.S., there is no alternative in most of the U.S. to use voting machines. You have to use them because voting machines actually are more accurate than humans. The error rate of humans, especially if you think about the stress environment on election night, is higher than margin of victory in a lot of places. So you have to use voting machines to count paper ballots.

Now you have paper ballots, which means that you can always verify the results. And there's a methodology called risk-limiting audit, which is amazing and developed by Professor Philip Stark, one of the main authors of that. It's a very cost effective in labor hours and you can verify that the election have a right outcome. So we already know how to fix it.

At the same time, when we look at voting machines, yes, we have vulnerabilities in machines and we will have vulnerabilities always. Unhackable doesn't exist.

So instead of saying trust but verify, you should have a zero trust approach. Never trust and always verify. So we always have to verify the results. Never trust and always verify is what you say. Correct. Okay. All right. But you went back and you said your confidence in the election and everything is very high. It's going to be good because, you know, it's a lot easier to use the machines versus you're going to do, you know, paper ballots. And you said you're right. But the question isn't if it's left alone to do its job.

The problem that people have, which is why you did the documentary deal with HBO. It's so interesting when you guys did it. You did it March 2020, which was eight months before the elections. And there was not much done on that afterwards from HBO. It was an interest of what happened before that. So I guess my question for you would be the following.

In the area of tampering, when it comes down to things like this, tampering with these machines by hackers, okay? We have a machine here. In a few minutes, you'll hack it and show everybody that you can hack into this machine here, and you'll give the model and all that stuff that we'll talk about. If we line up 50 of your colleagues who are also hackers like yourself, and we gave a million-dollar prize to hack into the most recent machines that we have, all of them, out of 50 people, how many would be able to hack into the machines to manipulate the votes?

I would guess everyone. You would guess everyone? Because these machines are, when we look at the systems, and we had DEF CON this summer, brand new system, which is used in a very limited sense.

I think the number was 42 vulnerabilities found in two and a half days. So these systems have a lot of vulnerabilities. Now the question is how you mitigate. That's why we have to expose the problems so that we can develop a mitigation strategy. Like the hack what I'm going to show here, the mitigation strategy is limiting physical access.

At the same time, it's very bad idea to think that somebody would wake up in an election day morning and say, oh, today I have nothing to do. I will hack election. Obviously, you would have a year some planning or months of planning ahead of that.

I also want to say one thing about this movie where the Kill Chain, the Cyber War in American Elections, that was the second movie. Our first HBO documentary came out of 2006. So this is already a follow up. And we were filming it, give or take five years. The reason that it came out in 2020, March, was just how long the production took. But that was years and years of filming, gathering material, doing the research, doing the investigations.

So I want to do this for the audience to also know who you are and who you're not. More or so for the audience to know who you're not.

Rob, where's the story of, let me find this. I think it's important because this will give a lot of context. You went to the event, if I'm not mistaken, where Mike Lindell, there you go. Mike Lindell was holding a three-day cyber symposium in August of 2021, right? And he had the promise that he would present irrefutable evidence of election fraud in 2020 elections. Okay.

And you attended the event with a journalist, Donie O'Sullivan, if I'm not mistaken. Correct me on any of this if I'm saying that. And then at the end of it, you said there was a pile of nothing and found no proof of election fraud. Do you still stand by that? Absolutely. And actually, even before that, Mike Lindell's claim, what he has, were fundamentally impossible claims.

That kind of data he claimed to have doesn't exist and no government even has a capability of gathering that information. So even before coming there, I knew there will be nothing. Actually, my suspicion was that there would be a synthetic data which would be hard to prove right or wrong. And my shock was there was nothing, absolutely not even this kind of smoke and mirror data.

So that was an absolute nothing. Did he bring a hacker up on stage and say, here's how easy it is to hack into the systems? I don't know what happened on stage because we experts were locked in the back rooms. So we didn't see what is happening on stage. Was it a public event or was it a private event? I think it was a private event because it was invitation only. And like he was he didn't even want to have hackers. Right. He was putting different rules who are involved.

But then he told publicly that media and elected officials can bring their own experts. So I was never invited there by Mike Lindell. I was actually brought in by CNN because they were the media who got me in.

Got it. So CNN was able to get you in, but you were not fully in there to see what was going on. None of the experts. Right. So on one end, you believe the top 50 hackers at DEF CON could...

into any one of the machines that they have, including the latest one. Yet at the same time, you don't believe the Mike Lindell's theories were anything that there was any credibility behind it. So both positions is what you're taking. Okay, correct. And I want to say that's one thing what was so hilariously funny about Mike Lindell's statement, because he was showing that he had claimed the data. He has a data how every single place was hacked.

And one of the list was all 320 jurisdictions of New Hampshire. Well, the problem is out of the 120, 320 jurisdictions, 123 uses no computers whatsoever. It's a pure hand count, no computers. Yet he claimed that he has an evidence how these places were hacked by Chinese. They don't have computers.

There's nothing to be hacked. Right. But the part, again, two things can be right and wrong at the same time. Correct. You're not saying the machines are impossible to hack. You're saying we can hack every one of them. But at the same time, you're saying what he's saying was not accurate. There was not a lot of proof there. Okay. So let's put those out there for the audience to know where we're at with that. Right? Correct. And I have to say one thing. Every single independent study where we have had access to voting machines, 100% of the voting machines have been hacked. And that's going to be the – every computer in the world can be hacked if you have access and no mitigation. Now, when we've hacked the machines, that is for the purpose that we can improve. And if you cannot improve the system, then you have to improve everything around the system, have a mitigation strategy, how you defend the system.

Either by having a tamper evident or preventing the access what hackers need. But there's always a way to try to mitigate. But we really, really have to get this more secure so that the machines, there's less requirement for mitigation. You think there's certain people that almost don't want it to be fixed?

I have to say that I'm very worried for initiatives now when jurisdictions in the U.S. are actually disabling and dismantling their own security for a reason that whatever is their reason. So there are these small rogue places where people are actually destroying their own security on purpose. Destroyed their own security on purpose.

Yes, what I said. And that's what happens here in the States. There are states, there are counties where that's actually happening right now. And all it takes is a couple of good counties to be able to flip the vote, right? So. Well, it's even if those cannot flip the vote, the, the, the reason here is to deny the result or make a false allegation, misinformation, disinformation, malinformation. So a lot of this is very dangerous because it is feeding to the distrust of the public and in democracy itself.

Any distrust is damaging the participation. And democracy is all about participation. Any distrust? Distrust is causing apathy. Apathy is something which is detrimental for functioning democracy. Harri, do you know how you started a podcast? Do you know what you said? Yes. What did you say? I said that I have a trust on the voting and elections. No, no. You said, always verify, never trust. Yes. Yes.

So, but hear me out because you just said at the beginning of the podcast that, hey, never trust, always verify. And now you're saying we have to trust because it's bad for democracy. No, we have to verify. Yeah, but you said never trust. You said we should trust a little bit because democracy needs for us to trust the system. Well, system, it...

So you have to be able to trust that if the system fails, if the voting machine fails, you will be always still being able to verify the result and the outcome. And that's why hand-marked paper ballots allows you to do that. No matter what the voting machines are doing, you can always put humans to look every ballot and make sure that the outcome is right. It's kind of a – I mean it's – And by the way, we have had thousands of years of fraud on paper.

That's why we are so good in mitigating against fraud on paper. So you just have to make certain that those huge piles of paper is protected physically. And at the same time, you hear Elon Musk saying the fact that he's not a fan of electronic voting machines as he wades into sensitive Indian debate. Anything can be hacked. This was just a few months ago. I'm sure you saw that. And he's calling for eliminating electric voting machines ahead of U.S. elections, risk of hacking elections.

This is a story, again, for India. And he's concerned about a lot of people are concerned about that as well, which I'm sure you can understand why. And then at the same time, while we're going through this, we saw what happened with Dominion when Dominion sued Fox and they had to pay whatever, seven hundred and eighty million dollars. Yet. Did you hear about Smartmatic? I know that that company is, you know, when Smartmatic, you know how much money they wanted from Fox News.

Do you remember the article? So Smartmatic, they want to, can you go a little lower so we can show what Smartmatic was asking for, Rob, if you have that number. So Smartmatic, zoom in a little bit, which is, this is, by the way, Harri, I appreciate you doing this. Trust me, a lot of people are interested. Yeah. But there's a lot of people that are worried, what the hell is going on here? Because it just doesn't make sense. If you can pull up what Smartmatic wanted to ask from, if you type in 2.7, Rob, type in 2.7. Okay. Fox denies wrongdoing and finding New York state Smartmatic wants $2.7 billion from Fox and other Trump allies that it named in the lawsuit. Right? So that's this.

Now, Rob, if you can go to the story about Smartmatic's founder, did you see this story about Smartmatic's president, Smartmatic president, two other execs charged with bribing Philippines elections, official DOJ, the voting machine company executives allegedly paid $1 million in bribes. This is a month ago, two months ago. So this is the part where the American voters sitting there saying, wait a minute.

You just asked for $2.7 billion accusing everybody of crime. You're the real criminal doing something like this. And ABC, CBS, NBC, CNN, everybody's writing about it. So that's where people are conflicted. Is my vote going to count? Can you come back and manipulate it? People don't have a lot of trust in the system today. That's very good. Smartmatic is not used in the U.S. Basically, only L.A. County is doing anything to do with the Smartmatic.

The reason why I'm showing you this is because these guys, they jumped on the bandwagon of Dominion. So I'm making the comparison on the fact that all of these guys want to come out there, act like they're...

and they're doing everything the right way and not saying the fact that there's a possibility of somebody tampering with our technology that we have. Okay, so of everything that you've done with your investigation into these systems, if you don't mind kind of sharing the story of what happened with Leon High School, the pre-hack and the post-hack. I don't know if you know the story about the whole series of four tests conducted February, May, and December of 2005.

Sancho invited Black Box Voting to Tallahassee after an invitation to check the Diebold machines. The Black Box Voting engaged the services of Dr. Herbert Hugh Thompson and Harri Hursti. It's a Leon County. Right. I totally get that. No, what I'm trying to say is the fact that a small camp, a small, what do you call it, test to see how much effect it had. Right.

So then the first two projects targeted a computer program that adds up all the voting machine results and produces the final report, right? On February 14th and again on May 2nd, Thompson successfully hacked the Diebold GEMS central tabulator and bypassed all passwords by using a Visual Basic script, right? Mm-hmm.

This, however, will be detected in a vigilant environment if the supervisor of elections checks the poll tapes, voting machine results, against the central tabulator report for purpose of demonstration. An election was ran using this just to kind of test the model out.

And the results of the first hack are shown as right here. Okay. So this is pre-hack. Bud Baker was winning. What is it? 54.79%. And then Thomas was at 16.89%. And Nadia was at 28%. Post-hack, Bud was at 10.71%. And Thomas was at 3.3%. And Nadia was at 85.98%. That means...

hackers can manipulate the system this dramatically? Absolutely. I mean, once you gain access to the system, you can change anything as you want. Change might be unbelievable and a trigger immediately distressed. But yes, once you are in the system, there's no limits what you can do with it. Such as? Can you unpack that for us? Like when you say no limits...

And by the way, can you vote in America? I'm a citizen. You're a citizen, so you can vote. Okay. But you're Finnish, right? I'm a dual citizen. Right. You're a dual citizen. So when you say unlimited what you can do with it, how much can you flip it? So at that...

At DEF CON, we ran a test election, mock election, which was a close race between George Washington and Benedict Arnold. And when after everybody had voted, we printed the results, Dark Tangent, the founder of DEF CON, won. And he wasn't even on a ballot.

Okay, and the people that come to DEF CON, are they all from America or all over the world? All over the world. What country represents the most to DEF CON? US, of course. And who's number two? I don't know. Okay, how many people show up normally? About 30,000. 30,000 show up. And, okay, so when you guys in your community talk about what country produces the best hackers, who has the reputation? Like, you know, in America, like yesterday I'm having lunch at this restaurant and

in Naples, Florida, because I'm coming back from a soccer tournament in Sarasota, Florida. So we go to this restaurant, nice place, we're eating. Guy comes up, hey, I love the content, I love the podcast, can I take a picture? Yes, where are you from? I'm from Dominican Republic. Who's the best player ever from Dominican Republic? Because they produce very good baseball players. Juan Soto, great. When it comes down to hackers, who produces the best hackers generally? Hackers come from all types and stages, everywhere in the world. So there's no... place producing best hackers. Hackers come everywhere from the world and every background. And a lot of the hackers, you know, used to be in the U.S., but right now they are everywhere.

And who typically, are there hackers that are edgy, that they'll flirt in the gray area? Maybe even they'll go to flirting with crime and doing things as long as you pay them well.

They would do certain things that could break the law. I think that could be fair to say that, right? It's fair to say. And at the same time, we are right now in the first phase of statecraft.

So it's increasing amount of hackers who are not in a crime organizations, but are in state sponsored crime, whether it's a crime, a financial crime in neighboring countries, whether it's a disrupting their critical infrastructure. So there are many, many motivations why people go to the dark side.

And the reason why I'm asking this is because there are a lot of people that would be willing to pay unlimited amounts of money to be able to control the elections in the U.S., right? - Absolutely. - Such as countries like China, countries like Russia, countries like Iran, a lot of places would, right? - Absolutely. - So do hackers every once in a while get offered certain amount of money that's tempting to say no?

I mean, there are a number of marketplaces where hackers are being recruited and there are a number of ways to recruit. So absolutely, there's always a different actors and organizations who are trying to hire hackers for a purpose.

Things which are crime somewhere else in the world or crime even in the countries where they're living in. So absolutely, there is a market and there is a recruitment by bad actors and adversaries. Yeah, I think this is a very, very unique set of skill sets that can determine the leader of the free world. That's not a regular skill set. You can have a sniper. Okay.

Good for you for having that skill set, right? You can have the skill set of doing a lot of different things. When you're a hacker, hackers typically think very highly of themselves. And I don't blame them. And I'll say why. Because in hackers' mind, if they wanted to destroy someone's life,

They generally could not physically, but they could do it credit wise, financially, password, business, many different ways. Would you agree? Absolutely. Okay. So, so let's get to this. So for you, I read an article where you once bought a voting machine on eBay and they were freaking out, right? Is there a story of that when you bought one? I don't know what I saw the story.

It says a voting machine ends up on eBay, an official launch urgent probe. This was a couple of years ago. And let me read this because this is very interesting on what happens with this one here. Let me tell you one thing in between. So...

Very notable computer scientists and especially Ron Rivest, who is the R in RSA, coined a term called software independence. It's a principle how elections should be run, which means that no software error, malicious act on software or an honest error should be undetected and allow you to change the outcome of the election. So we already know that we have to make the computers to be never trusted. So that we can always come up with the right result and we can have confidence that the outcome of the election is right. Because the hackers will always be able to hack the elections and machines. The question is, you have to make sure that it doesn't happen without being able to detect and remediate the problem.

But what is the, okay, but let me go back to what I was saying here is here's the one where you, Michigan officials, a hacker bought a voting machine on eBay. Okay. Harri Hursti, cybersecurity expert, bought a Dominion ImageCast X voting machine for $1,200 on eBay. Michigan officials unaware it was missing are now investigating. Hursti said they really had no idea. And this is one of the biggest dangers to election security. This is you saying that. The eBay seller, Ian Hutchinson, found the machine on a Michigan Goodwill website, for $7.99, eight bucks, and listed it on eBay, claiming it had been used in the most recent Michigan elections. And Michigan is investigating whether the machine was stolen. Hursti, featured in documentaries like Hacking Democracy, emphasized that the biggest threat to election devices is often human incompetence. He regularly buys machines to test for vulnerabilities, explaining the reason you pop open the machine is to learn the vulnerabilities to safeguard democracy.

So first of all, when I bought the machine, I didn't know whether it came from Michigan or some other state. Of course, how would you know? Well, there was a conflicting data in the advertising. So I actually personally contacted Michigan and a couple of other states saying, I bought it. It's right in a FedEx. It's not yet in my possession.

Go figure it out what happened. So I self-reported it because I have bought over the years hundreds of voting machines and I have made certain that none of those machines are obtained illegally.

So I always had the receipt. I always make sure that I know exactly where the machine came from and what is the chain of custody of that particular machine. By the way, some of these machines have been directly coming from the counties which have stopped using them. Even when some other counties are using, they are stopping. So some of these are directly from the government, local governments. Some of these are from eBay. Some of those are actually of all the places from Alibaba. So...

Out of all the machines you've bought, you bought hundreds, you said, right? What's the least you paid for one? What's the most you paid for one? So the least is zero dollars because government, sometimes these voting machines are so bulky, especially the high speed scanners. So they just want to get rid of them. So actually I have once needed to pay because I want to have the receipt. So they couldn't write the receipt for the machine they're giving for free. So I had to pay them to write the receipt so they have it, evidence that I have legally obtained this. So the lowest number is zero. And actually that $1,200 is the highest. Oh, really? Yeah. Okay. Because I really wanted to have it. And as I said, I immediately reported it. I had a conversation with the law enforcement authorities until it was clear that everything is fine.

Harri, some kids are interested in baseball cards. Some kids are interested in video games. Some want to grow up and become singers, actors, actors, you know, celebrities, you know, movie stars. Why the interest with voting machines? Actually, I had none.

So why did you buy a few hundred of them? So let me tell the story why I got into this. So I had sold again my businesses. I had retired again. Yeah. Second time. And I was backpacking around the world and I stopped in California and a couple of my friends wanted to have a conversation and talk about the problems in voting machines.

And I told them that what they tell me doesn't make any sense at all. It cannot be that bad. And they must have been, have been misinformed or they have misunderstood. And they were asking, would I be interested? I say, absolutely not. Off to Tahiti. I'm gone.

Then they tried to convince me for the best part of a year. And I said, no, no, no. Until then, they relayed my information to Britain. And then I started getting calls from the UK. And I went to the UK a couple of times. They were trying to get me interested. And I really was like, I don't really, I'm retired. I don't want to do this. Eventually,

Ion Sancho was the person from Leon County. He was the guy who convinced me because after I was there with Hugh Thompson and I looked into the possible ways, then he was the one who told me that he thinks he has a fiduciary duty to investigate. And either if I investigate or find someone for him to investigate what is truth in these vulnerabilities, because he was responsible for Bush versus Gore recount on 2000.

So who's that? Ion Sancho. Ion Sancho. Okay. Yeah. So he was telling me, and that's how he convinced. He said, when Supreme Court stopped my recount, I didn't get my answers. I want to know the truth. And that's why he convinced me to start investigating. And rest is history. It's a, I really didn't have any desire. Actually, I was actively saying no for, I think, a year and a half. Got it. And then, and then when was the tipping point for you where you were obsessed? Yeah.

I don't think I'm still obsessed. You have a few hundred voting machines. You don't think that's obsessed? No. Where do you put these voting machines? They are in multiple storages around the US. Some are in Washington, D.C., some are in Nevada near Las Vegas.

I mean, the reason is that we also do demonstrations. So I'm with the Election Integrity Foundation, which is non-profit. It's a non-profit which is grassroots. All the money comes from donations from common, normal people. And it's all funded up. One thing what we do is we go very often to Capitol Hill to show that the legislators who

What are the vulnerabilities? And try to raise the awareness. What is true and what is not? So how we make this more secure. So that's why there's not a single place where the voting machines live. They live in multiple locations. Got it. Okay. So while you're going through these voting machines that you own and you're personally hacking, do you, in your mind, do you measure it in a way of...

Let me see how long it'll take me to hack into this one. This one took me 38 seconds. Let me see how long it took me to hack in this one. Wow, this one took me two and a half hours. Is that how you measure? Okay, how do you measure it? I don't, I actually, after the fact, I looked at vulnerability and I'm thinking how hard it is to mitigate, how hard it is to stop this to happen and how easy it is to stop this ever happening in real life. That's how I measure it. It's not like how quickly you find the first vulnerability because it's,

Also, very often when you find the first vulnerability, it's not the bad vulnerability. It takes time to figure out what really is the big flaw, if you may. So that's why it's never a process of – Hursti Hack 2, I have to tell the story behind it. That was the hack and the study was done in a courthouse. Was that Hack 2? Yeah.

The Hursti Hack number two. Oh, okay. Yeah, yeah. So that was done in a courtroom. And there was a courtroom which was sealed off. I was looking at the voting machines. And I had been promised access, I think it was three days. But they didn't say three consequent days. So I already found a lot of stuff in the first two days. And then I decided I need to take a break. So I left. That was done in Utah. So I flew from there to Oregon, had beers. And all of a sudden I was like, wait a minute.

It was slower. And I did the crazy stuff like sniffing, like smelling the voting machine, all of that. And all of a sudden I realized it was slower and it smelled. So it heated up. And that's when I came to discover, which then later became the Hursti Hack 2. It was not any of the first ones. It was the last one, which was the really bad vulnerability.

So do you think the Al Gore, President Bush election was accurately counted at the time? So first of all, we have been investigating so many of allegations. And not a single time we have been seeing outcome determining flaw or miscalculation or anything. So I cannot make a determination one way or another.

about Bush versus Gore because I was not investigating that. A lot of good people were investigating that and they make their determinations. What does Ion think? Ion Sancho? Ion Sancho was doing the recount, but I was not involved in Bush versus Gore election. He was doing the recount. And where is he at? Does he think that it was Gore who won? I don't have ever asked that and I really don't want to go into a place saying,

speculating, I've looked the evidence and data and every single time, that's why I'm also saying for 2016 and 2020, every single time there is a credible allegation and there's access. There's me and a lot of other experts who are dying to go there and figure it out what happened. And

When I was doing, so New Hampshire didn't have a law allowing forensic audit. So I helped in that. We did a forensic audit in Rockingham. So it's a Windham County, Rockingham District 7. That was summer 2021. And it was misreported in the news. So let me tell what it was. There was a down-ballot race. Eight candidates vote for four. The four Republicans won.

And the one of the Democrats was so close that she asked for recount. In New Hampshire, when recount is requested, it's always granted. And they do it amazingly. It's a public event. Everybody can see the recount. Everybody from the audience can ask if there's something they can stop. They do the best. It's one of the best things in the whole U.S.,

So when they did the recount, and in New Hampshire, when you do a recount, everybody gets more votes because voters are not following the instructions. So there's always assumption everybody gets more votes. So in the recount, the four Republicans got about 300 votes more. Three of the Democrats got about 30, 40 votes more. And the woman who asked for recount lost 99 votes. So first of all,

Having 300 votes more is the biggest numerical difference there has been. Losing votes is basically impossible in the sense of 99 votes. So it was obvious something is wrong. New Hampshire did the right thing. They wanted to find out what it is. So the special law was passed where they said there will be an audit. It will not change the outcome. But let's try to figure out what went wrong.

When I was appointed by a Democratic secretary of state and jointly with the Republican attorney general as one of the three investigators, my first saying was, we might never know, but we have to take a look and try to figure it out.

So eventually, out of this whole thing, we found out what happened. And it was a paper folding machine. So the paper had a crease so that when a human is bending it, it always bends in a safe zone. Also, the secretaries did the right thing. They had tested if folding it through a vote target would cause a phantom vote. And they determined no, it won't do it.

So what happened was the election office was behind in sending the mail-in ballots. Somebody had remembered, oh, in DMV, there's a paper folding machine. So they brought the paper folding machine. They didn't adjust it. So it folded the paper in the wrong spot. It also was slightly broken so that it didn't fold the paper completely horizontally. It was slightly diagonal. So as a consequence, they folded it through the Democratic candidates' vote targets.

Now, the Secretary of State has tested foldings, but they didn't realize one part, which is whether you fold it up or down makes a difference. So they didn't have a documentation, but the assumption is right now they only folded it the way which doesn't affect and the other way does. So this way, and because the folding machine was broken, it folded through the target without damaging the timing marks, because otherwise the voting machine would have been rejecting it.

So eventually we figured out this is the reason. It's a 14% of the ballots, which were used by the, folded by the folding machine, caused this phantom vote. And when the phantom vote was somebody voted straight party line Republican and the voting

The folding created a phantom vote. It created overvotes, so it tossed the votes for the Republicans. If, again, you didn't vote for her and you didn't have already four votes, it created a phantom vote. So the same folding...

created both anomalies. And then there was an additional part, which was that one of the voting machines, which was not used normally, hadn't been cleaned probably forever. And in the printing process, there is a dust, which is used for making the ink dry so they don't stick. There was a buildup of that dust inside the voting machine, but that didn't create the problem. It just amplified the problem.

So anyway, we eventually found out what happened. And for the good measure, we also audited by the law the governor's race and the senator race. And we also recounted all of that. So we found out that actually only that one target, which was that Democrat candidate target, that was the only one where there was a significant anomaly. So even in that case, it didn't change the outcome. No matter what happened, all those four same Republicans were going to get elected.

But we investigate and found out now why the machine was miscounting those votes. And it was not malicious. It was just a conspiracy of coincidences. So many things needed to go wrong to create that anomaly. Got it. Okay. So let's go back to the machines. Was there any one of the machines that you bought that was the toughest one to break into? They are all unfortunately simple. And it's a question of just finding what is the vulnerability.

We in a voting village, we have been inviting every year the voting system vendors to bring the newest voting machines because always the claim is, oh, you didn't have the newest one. So we have been inviting them to come with the newest machines and let's put them to. So voting village is not a formal test. You want to just show it to us to see how this works?

This one, we can do it in a moment. Let me answer this question. So we have been inviting the newest machines and they haven't brought in. At the same time, a lot of the newest machines, when you look at the certificates documents, have the same features as the previous generations of software and hardware. So while we have the older machine, we already know that the same vulnerability, if it's a certain vulnerability, is in the newest machines. Doesn't that make you question why they don't listen to you guys to improve if you guys have easily...

hack into all of them? Why wouldn't they, while they're designing it, bring it to hackers and say, here, try to break into it? Why don't they do that? So some of the companies claim that they do it in private. And the number one principle is independent research, which means that it's done by researchers who are not paid personally.

by the vendor themselves who are independently doing the study. We have had independent research. Basically, the Everest study for Secretary of State Ohio was one where she commissioned a university and I was part of the university's team to hack independent research in number one. And it also creates a little bit of public pressure to get things fixed. When you read my comment,

One part of the comment is that, for example, one system still today, the newest version, uses a bootloader from 2004, kernel from 2007. So even when the software version is brand new, it uses components which are old and tired and should have been changed a long time ago. And

Personally, self-regulation I don't think works. We need a regulation. We need standards which are requiring the voting system vendors to improve. And I don't have a silver bullet. I don't know how to get this done. Only thing what we can do is try to raise awareness what is the problem and that problem needs to be fixed. I have so many questions, though. I mean, the average, it doesn't take a genius on the other side to say,

If they really want to fix this, fix it. They can fix it if they really want to. But you're saying every machine has the same vulnerabilities of how to get into it. So it doesn't look like they're making any kind of progress. So back in 2005, when I published the Hursti Hack. Right. What happened sequentially was the voting system vendor, which is no longer in business with that name, Diebold, they claimed that they basically told that this was a magic show and it's not true.

Secretary of State California, Deborah Bowen at the time, no, it was not Deborah Bowen. It was before Deborah Bowen, ordered a study where a University of California, Berkeley, conducted a study to verify if my findings were right or wrong. Not only they verified my finding right, but they found, I think there was over a dozen new vulnerabilities, additional vulnerabilities. At that time, me and everybody else thought, OK, job is done. It will get fixed.

We thought we have now done our job. We have shown there's vulnerability. It will get fixed. That same software version is still in use today. The same thing what I showed vulnerable, thank God, is getting phased out. But it's still, it never actually was. Doesn't it make you realize they don't want to fix it?

Well, I don't know. Why don't you, as a very smart guy, much smarter than me, you're a technical guy, you have to sit there, a part of you realize they just don't want to fix it. If they did want to fix it, think about it this way. How much has the phone advanced from this to Nokia 5960, 5690 from 20 years ago? A lot. Absolutely. There's a smartphone now, right? I mean, if you go to how much safer is...

You know, when you're going in and the camera and TSA, what they're doing versus 30 years ago, a lot safer. How much? There's so many things that we've made so much progress. Yet the one that chooses our policies, how much we pay in taxes, our protection, the president, they're moving slow in it. You think that's accidental? Well, I mean, there's another aspect on this. When 2000 happened and it was very embarrassing.

America did what America does, which is to throw $3 billion into the problem. So that created a Help America Vote Act, HAVA Act of 2002. So it created a lot of money to buy and modernize U.S. election infrastructures.

Now, that money was handed out without establishing security standards. That means that the counties went to buy whatever is available and there was no security standards attached. And again, they bought technology which was old 2002.

So it created the problem we are dealing with right now. Now, there has been no subsequent pool of money of that size enabling another leapfrog to the next step. And also, there is still today no mandatory security standards. The certification voting machine is called Voluntary Voting System Guidelines. The number one word is voluntary.

So today we have a VVSG 1.0, 1.1, 2.0, 3.0. But basically all voting machines are still certified against the 2005 1.0 because there is no mandatory requirement to use the newest guidelines on your standard. So what we really need is the standards to be set out. We have National Institute of Standards and Technology. They are amazing writing standards. So US government has the people who can write the standard, but there has to be a political will to create those standards to be mandatory and enforced.

And today, even today's best standards are not, in my opinion, good enough. But the whole thing starts from regulation and laws. So this is not a technological problem. This is a regulation and legal problem. This is not a technological problem. This is a regulation and a legal problem. Well, let me ask you this question. So this is the part where there may be another disconnect.

Have you ever voted in America? Of course. Okay, so that means you have a political leaning, right? So we all do, okay? The moment it gets to the political leaning, the only way this could work is if it's people who are involved in this that are representatives to audit it, 10 people who are Democrats, 10 who are Republicans, right?

and put five that are independents and libertarians to audit the whole... There needs to be auditors of the auditors of the auditors, or else I don't trust you. You're a hacker, because even... And what I mean, I don't mean that I don't trust you as a hacker, right? You vote a certain way you do. You may... Ion Sancho, he's not a Bush guy. He's a Gore guy, so he's a Democrat, right? Now, he may not be happy...

about the fact that some Trumps in 2020 said there was election interference and election fraud. He may say, no, no, no, 2020 was a clean election, right? And 2000 in Bush's side, maybe Bush people will say, no, no, no, it was clean. Bush won Florida. We understand it was so close, right? That's the area where people on both sides don't trust. But if there's one area that I'm convinced that

When somebody doesn't want to address fixing something too quickly, it's because it's working for them.

You made amazingly good point without knowing. And let me tell you, we are filming this in Florida. So in Florida, Ion Sancho was in an office which is a non-partisan office. And in Florida, the county, some of the counties had a partisan office as election supervisor. And some of the counties had that as a non-partisan office. Recently, Florida changed that all election supervisors are partisan offices. Does it make sense to you?

This is a recent change. So actually, Ion Sancho... What do you mean? What do you mean? Recently, Florida just changed everything for it to be partisan offices. Election supervisors. Election supervisor for Republicans, election supervisor for Democrats. So previously, it was nonpartisan office. So there was no...

So the counties could choose whether it's a partisan office or nonpartisan. Well, what is a nonpartisan office? It means that you don't have a primary of Republican, Democrat running, and it's not a... I don't trust that. Well...

So the point here is that even then, if you have an independent office, if the office is independent from partisan, so it's a non-partisan office. Right. It's, in my opinion, better than having that as a partisan office. No, I don't trust that. Here's what I trust. Let me tell you what I trust. You know who's winning right now with you and I going back and forth? Guess who's winning right now? Okay.

I would say that if this is hopefully this is not discouraging people from voting, because I think that's very important. But every single thing, what is distrust and creates confusion is all the adversaries of the United States. You know who's winning right now? The audience that gets to watch and say, I'm with him or I'm with him. But you know what the chances are? The audience is watching. And what are they saying? A part are going to agree with you.

disagree with me, a part are gonna agree with me, disagree with you. And that's how it needs to be. To me, it doesn't need to be partisan or nonpartisan. To me, it needs to be five representative that are Democrats, five representative that are Republicans in a state and put three in the middle. That's how it needs to be to hold each other accountable. It's like Billy Graham once said,

Back in the days, pastors used to go on trips and they would give these preachers would go up there and they would preach. Well, women love pastors from stage that are great speakers. When pastors would go by themselves, a lot of ladies would come back to the hotel room and they would get caught. Then some pastors said, well, let's share rooms with one other person. Well, when you share rooms with one other person, one pastor could convince the other pastor to do something stupid. Billy Graham realized one thing. Whenever he would travel to go give speeches, guess who would

he would do. He would share rooms with three people because when it comes down to three, one person's going to say, no, no, we're not doing that. No, no, we're not doing that. I am not comfortable just putting one Democrat in a room and one Republican in the room and let's trust they're going to do the right thing. Absolutely not.

5-5-3 for each state, depending on what the size of the state's influence is. To do some, some bigger need to be more, some less. There needs to be the fight and everyone needs to watch. It can't be like, no, no, you can't see what I'm doing. No, no, you can't see this. No, there needs to be that protection from both sides if somebody's playing games. That's why we don't trust in America right now, the elections. And by the way, for full count, and maybe I'm wrong with this one and the audience is going to say, no, Pat, you're not right. You're wrong about this.

You didn't help me trust voting even more. You're not helping me trust it more. You just validated millions of people's concerns. Well, actually, what I'm saying here is what we need is transparency. We don't have it, though. Well, we do, actually. How do we have that? So I spent over six months in Georgia in 2020 election, starting from all of the special elections, primaries, and after the presidential election, the special election of the Senate seats,

There is amazing amount of transparency if you are willing to do it, if you are willing to be an observer, if you are willing to go and watch and you can see how it's done and you can see if there's something going wrong. What I really hated in Georgia was, for example, claims of the election saying, oh, this one happened after everybody was thrown out.

I actually took pictures also about the other observers, and I can show the picture saying, oh, the observers were still in the room. Nobody was leaving. This claim that there's no transparency is partly misinformation. So, again, I strongly encourage people to be careful.

watching over this and participate in the process, either as a poll worker, but also as an observer, independent observer, or your political party's observer. And what we really need is more transparency because, again, never trust, always verify. And it's not only that you verify, but you also watch how the process is done. Never trust, always verify. Trust me.

most people are where you are and what you said at the beginning. And then you said later on, because you know how powerful that is, a democracy we have to trust, no one trusts right now. It's the lowest trust in the history of America and the U.S. government and the mainstream media because we don't trust these machines. Okay, if you don't mind, would you mind taking a moment here and sharing with us? Sure. And maybe tell us a little bit about the machine. And then from there, if you can show us how you hack into this thing, it would be great. Absolutely.

So this machine is WinVote. And the reason I'm using this particular machine, it's no longer in use in the United States. So this way, no claim can be made that what we are doing here is helping somebody to realize how voting machines can be hacked. Let's wait for it. So what year is this? Does this have like a model to it or no? Is this like a 1986 CRX? Like, is there names to it or no? This is a WinVote machine. And

For the reasons that we don't want to put a logo, this voting system technology company name is just a fake name because I have been using this particular machine in filming a number of training videos, some of those for the government, just to show vulnerabilities like USB vulnerability, which we are going to be using. This machine actually has many vulnerabilities, and at a time when this was still in use,

This was called the worst voting machine used in the United States. The worst? The worst voting machine used in the United States. And where was this used? That was used in Maryland. It was in Virginia. I don't have the complete list what all places it was used, but it was fairly widely used. When this is used, this box here is closed and locked. And that's why we are not going to be needing this to be open or closed. It's just open because we have a power button.

So what we are going to be exploiting here is a USB vulnerability. The USB vulnerability is amazingly good to identify because it's easy to mitigate. You just stop access to the USB port. I have plugged here an extension cable just so that we can see that the actual USB port is behind there and it's accessible by the voter. I'm using here a commercially available USB computer called Bash Bunny.

It can be many other devices. This is just an example. This particular device is $120. You can buy it from online. And I have pre-programmed it. And if this would be a real attack, the attack will take six, seven seconds. I have slowed it down and make it visible so that the audience can see what is happening. So when I'm plugging it in, this is the Schrödinger's USB stick. It's always the wrong way. So the computer starts.

And once it started, it's doing its magic. The moment you see that the screen is changing, that is when the hack would have been already done and I would be unplugging it. But I'm just showing this number of things. So now it would have been done. It's showing you the program manager. It's showing you now the command prompt. And this is where all the votes live. So I'm just showing that the directory where all the votes would be.

At this point of time, this stick has already complete control over the system. So at this time, anything can be done, anything can be changed. And as the last thing, I'm just showing a fake result, just so that can be done. It's just a show that how the system is controlled.

So this is a good example of a hack and I said only reason why anything is seen on the screen and why it's this slow is because I artificially slowed it down and made it visible so that the audience can see that there's a control over the voting machine. This particular machine has many other vulnerabilities way worse than this one. So that's why it's very good that this machine is no longer in use in the US. And this is also showing how demonstrating the vulnerabilities work because that causes changes.

and, for example, removal of this machine from being used in the U.S. So now what is it doing right now, Harri? Nothing. It's already – the whole hack was done. But if this would have been an election, I could have gone to the database and, for example, changed the votes. That's one possibility. How much of it could you have changed? Anything. You could have gone from 51 to 73. Add a new candidate who was not even on the ballot. It doesn't matter.

Because if you have total control over the system, you can do anything you want. As I say, one example was that we add a new candidate and make that candidate to win. It would be obvious if... The president of DEF CON is the one who won, George Washington. That's the one you're saying. Yeah. I got what you're saying. So is this like to the average hacker, is this machine a joke on how easy it is? It is a joke. And how many years ago was it used? I think this was last time used in 2012. God.

12 years ago. And also, just an example, that when this was brought first time to DEF CON, we had a professor from Denmark, and in less than half an hour, he hacked into this machine wirelessly. He didn't even touch the machine. He took complete control over this machine wirelessly, because this voting machine happens to have a wireless Wi-Fi access.

So, okay, so is it fair for one to speculate and question that any of the election, electronic voting machines we've used previously, possibility that could have been hacked, possibility that the winners were flipped because somebody got into it? So, again, the problem, the fundamental problem with this voting machine is it doesn't have a paper ballot. So if somebody hacked this kind of machine and

would have manipulated it, there is no evidence. That's why we need paper ballots, and especially we need hand-marked paper ballots. Because if the results are called in the question, now you can go and hand count those ballots and verify that the outcome of the election is right.

But in these older type of machines called DREs, direct-recording electronic machines, this is if somebody gets into and changes the outcome, the game is over. So that means anything previously used 2012, if somebody did get into it, one may be sitting here saying 99% of all the people that have won pre-2012, maybe somebody had their hands on it. I don't believe in... So first of all, I would say that if you think about elections as the attacker's point of view,

U.S. elections use many type of machines. And I think the number in 2016 was 52 different types of voting machines were used. The money is on the local elections. It's not in the top of the ballot. It's in the proposal, a few billion dollars for Chris. The question, that's where the motivation is.

The person who gets to come up with policies that's going to protect this country, which the rest of the world relies on what America does.

is in the hands of someone that can tamper with it. So interesting point is that a lot of the voting machines used in the U.S. actually don't have a U.S. technology. They are not made in U.S. technology. Number two machine, for example, is programmed in Serbia. That's where the software comes from. That's where everybody who is controlling that. Which one is that? The Serbia one? What's the model called? That's the new Dominion machines. Do you trust those?

As I said, never trust, always verify. Have you messed with those yet or you don't have access to them? I have one of those machines in the voting village. How new is it? It's how recent? I mean, again, the question is, because we are hardware vulnerabilities, we look, it doesn't matter. And every single time when somebody says, well, you didn't have a newest machine, well, then please submit to independent research the newest machine and let's see what happens. Because again, it's

How secure a company is, is not how easily it's hacked. It's what you do after it has been hacked. Because every single problem can be fixed or mitigated. The first step is to identify the problem so it can be mitigated. And as I said, the software independence as a principle means you go to the hand-marked paper ballots, which means that no matter what happens in the voting machines, you can always get the outcome verified.

Rob, can you do me a favor and pull up what we did exercise earlier? So here's what we did earlier just to test it on. And credit goes to Brandon with this. Shout out to Brandon. Does a great job. Okay. So we first took the different tabulations methods used in 2020. Okay. And Rob, if you want to say this, and then we compared it to 2024 to see what's changed, right? Correct. According to Ballotpedia. According to Ballotpedia. And then we fed it to ChatGBT.

And what did ChatGPT tell us? It gave us a list of, I believe it was 13, 16 states that have changed the way that they count or tabulate the votes for the 2024 election as opposed to 2020. So 2020 went from Alaska, went from hand count and optical scan in 2020 to the DRE with VVPAT now using hand count, optical scan and DRE. Okay. Arizona optical scan, including DREs and VVPAT,

They went to that and now only using hand-marked paper ballots and BMDs. Okay. Delaware optical scan to BMD tabulator. Hawaii optical scan and DRE to now they removed optical scan only, no more DRE. Idaho hand count optical scan and DRE to now hand count and optical scan only, remove DRE. Kansas, you see it, they removed hand count and DRE.

Kentucky, they are using BMDs only in 2024. Mississippi, they reduced the DREs. Missouri, they reduced DREs. Montana, no major change, about the same.

Nevada, no major change, but emphasis on mail ballots, New Hampshire, no major change. And in New Jersey, they went from optical scan to BMD tabulator, optical scan, DRE, accessible interface, expanded use system, system use. And there's a couple more, three more left at the bottom. Ohio went from optical scan, DRE to BMD tabulator, optical scan, DRE. And in Oklahoma, uh,

They added direct recording assistive interface, West Virginia hand count, optical scan, DRE, and now BMD tabulator and optical scan. When you see this, and at the bottom, just to explain what the different things are, additional BMD tabulator systems in states like Delaware, Kansas, and West Virginia, reduction of DRE use, Ohio, Idaho, Mississippi, Missouri, shifting voting system in the House of Representatives.

When you hear this, are you telling yourself, okay, good, they're making progress or no, they're still doing the same thing? So first of all, this is DRE. And DRE is the most insecure way of voting. Most what? Most insecure. Most insecure way of voting. So that's why every reduction of DRE is a move to the right direction.

My joke was that 2020 election was secured by COVID because when in-person voting went down, it means that less DREs were used because DRE is the most insecure way.

So you're saying 2020 election was the most accurate one, according to your assessment. So I'm not agreeing with what Chris was saying when he was running CISA, that this was most insecure, most secure election. I say it's most recent, it's more secure recent elections, because we don't know how secure elections were 50s and 60s and 70s. There's no way of making that measurement. But since HAVA,

That 2020 was most secure election because all of the problems had been flagged, not all of the problems, but the problems have been flagged. And that's why more eyeballs were looking into the election. Most scrutinizing was put in place.

And that is always good. As I said, transparency is very important. And people wanting to scrutinize the election is the good thing. So when I look at this whole thing, I like the fact that DRE is going away because that's a move in the right direction. I'm disagreeing that using a ballot marking device is a good move because ballot marking devices is putting another computer between voter and voters' vote. There's a recent study by University of Michigan

where voters were presented a voting machine. They were told that they are testing a new method of voting, and that was ballot marking device. And the voters were encouraged and advised to study the ballot. What the voters didn't know is that the machine will cheat every single time.

Every ballot printed by the machine was wrong. Really? And at the same time, only a tiny fraction of the voters actually caught it because we humans are very bad in verifying our choices. This was a study where people were told to verify the ballot.

So again, I'm against ballot marking devices. I'm advocate for hand marked paper ballots. And I'm advocating at the same time to use where if a jurisdiction is large, use a ballot optical scans to do the scanning because when it works, it's accurate. But you cannot trust it. You always have to use risk limiting audit or complete recount if you want to verify that the machine got right.

Because the human error rate is too high. And again, you have to think about the way elections are carried out. Rob, check your phone. Go ahead. The average age of poll workers, the joke is average age of poll workers goes up one every year. So...

There's always a shortage of poll workers. The whole idea which some activists are promoting, well, let's make smaller precincts and let's bring another set of people to do a hand count after the election night, it doesn't work because you don't have the manpower. You don't have the people who are willing to do it. And if you use same people who have been up 14 hours before you start counting, you have even increased, you have the pressure, you have the tiredness, all of that.

So hand-marked paper ballots, optical scan, and then mandatory risk-limiting audit. Every race, every ballot, every race, every time, you are doing a mandatory check that the outcome of the election is right. And let me underline one thing. Risk-limiting audit starts from an assumption that the result is wrong.

It never, it's not, it's misrepresented to say it verifies the result. No, it starts from the assumption the result is wrong. And then risk-limited audit is proving that the outcome is correct. So it starts by thinking it's wrong and then it's proving it's right. Or it proves that you have to go and recount everything because it doesn't match. What kind of machines are used in Wisconsin? Do you know?

I don't on top of my head. And remember one thing, there are two kinds of states. There are states where every whole state uses the same machine. Most states don't have that. So you have multiple different kind of machines used across the state. Like Georgia is special in the sense that the whole Georgia is voting with the same machines. Most U.S. is, it's every county is different. So next county over might have a completely different machine than your county. My God, that's,

Do you think that's a good idea? There is a strong belief in the U.S. that elections are state rights. So every state has a right to do the elections whatever way they want. I believe that. So that is, then you have two different kinds. My question isn't that. My question is that they use different ways to calculate in a same state by different counties. I understand if it's state, but is it better to use one way of counting votes in an entire state?

Well, if you think about different size of jurisdictions, like in New Hampshire. New Hampshire has 120 plus voting jurisdictions who don't need voting machines because they are so small. So it would be not good to force them to use voting machines just because the large jurisdictions need to have a voting machine.

So what I'm saying is that we need to federally set basic standards, what all voting machines have to meet. And after that, it doesn't matter if the next county over in the same state uses a different machine, but we need to have a unified set of rules. What are the minimum requirements for voting machines to be accepted to be used in the United States? Yeah, I just, you know, when you're counting...

you know, it's kind of like accrual versus cash basis. When a company is selling and you're calculating your EBITDA, if you, the way you calculate valuations, cash basis, such as say somebody else does accrual,

Those are two different philosophical ways of calculating something. All right. That's why I don't know if it's a good idea to have different methods of counting votes in the same state. I understand you want to do DREs. You want to do BMDs. You want to do paper ballots. But it's the entire state paper ballots, the entire state DRE, the entire state BMD, the

That gives a little bit more credibility than diversifying it too much. I think every state and every county in the U.S. should be paper ballots. I don't think the DRE should be accepted. I mean, that's fundamentally the most insecure. We have been using mail-in ballots during Vietnam War, Korean War, World War II, World War I.

The Revolutionary War. We know how mail-in ballots work. And in mail-in ballots, you get the paper ballot. You have problems like voter coercion, for example. Somebody can be forced, and that's usually happening in close circles next to you. All of those technologies are way better because you have a paper ballot, which you can go back. Instead of DRE, where you don't have, you have just electronic records. The same reason is...

Internet voting, we don't have a technology to do internet voting today. We just fundamentally don't have a way to do it. And people who are promoting internet voting use false analogies, for example, claiming that since we can do online banking, why can't we vote on internet? So first of all, election is a unique security problem in the world because of two requirements, secret ballot and auditability.

Secret ballot means that even if the voter wants to reveal how he or she voted, shouldn't be able to. Because if you can be proving how you vote, it enables vote buying, vote selling and vote coercion, election coercion, voter coercion. So that's the one thing. So if we wouldn't have secret ballot, we will have all of these problems coming back.

And then we need to have the auditability. Of course, additional aspect is now public trust. And there are promising ways of thinking, internet voting, for example, homomorphic encryption. But would you believe if I say that this machine is using the homomorphic encryption correctly? I don't think it's a good idea to use technology which is

Very small handful of people can even verify that it honestly works right. We need public trust. And paper ballot, hand-marked paper ballot is the only way we can bring public trust. Also, people who are promoting internet voting are claiming that it will activate young voters.

Estonia is one of the democracies which have been using internet voting longest, and they publish the age brackets. And when you go to Estonia, you see that the young voters are actually going down as a percentage. And the people over 55 is the growing people of internet voting. So the analogy used and the claim used, we need internet voting and mobile phone voting in order to

That's a valid argument. That's a valid argument. But the evidence doesn't support the argument. I get what you're saying. What do you think about blockchain? A lot of these guys are talking about what if we decide to go to blockchain for, you know, voting. A lot of hackers are fans of blockchain technology, right? Actually, hackers are not. Hackers are not? No. So let me ask you, let me ask you a question. How do you think, what do hackers think about Bitcoin and cryptocurrency? So let me go back to the blockchain.

Blockchain is a solution looking for a problem it can solve. And it really haven't found a problem it can solve. Blockchain is fundamentally energy efficient, inefficient, slow distributed database system, depending what is your consensus algorithm, how you put it. Blockchain, if you look 10 problems in elections,

Blockchain can be a partial solution to one or two of those ten. But blockchain would create then ten more problems. So you will be always net negative. Blockchain has no role in the vote counting part of the elections at all. It just doesn't. And even if you look for other parts like voter registration, then the question becomes a consensus algorithm of all the other technologies.

Furthermore, blockchain voting systems have been proposed. For example, Duma for Moscow. Yeah. And it got immediately hacked. If you look at the US proposals votes, it got hacked and got demonstrated. So the whole idea that blockchain is somehow harder to be hacked, not true.

Can you hack into blockchain? I mean, depends which blockchain, but just before COVID, I was hired to validate three different blockchain systems overseas in Europe, and I hacked all three of them. It's a question of what is the vulnerability. So, okay, so then just answer the second question, if you could. Hackers, are they fans of Bitcoin, Ethereum, cryptocurrency? Are they fans of it or no?

If you look how many hacker conferences have always presentation, what are the vulnerabilities and how Bitcoin, for example, has a fundamental problem with the blockchain. Individually, yes, there's probably one hacker here than there who are a fan of that. But generally speaking, blockchain is not really a favorite thing for hackers. Interesting. Interesting. Hackers are not fans of blockchain. Because I'm looking at this year's Cyber Defense Magazine says, why do hackers love cryptocurrency?

I've had another guy that was a hacker who was a very big fan of blockchain and cryptocurrency, but you're not. I really have to say that if I think my community of hackers and security researchers, if I have one out of 10 who are fans of blockchain, that's about it. One out of 10. One out of 10. Mm-hmm.

Because if you look how blockchain works, first of all, most of the people who claim to be blockchain experts don't even understand how blockchain works. And you can always test it by starting asking questions, for example, how the consensus algorithm works, what is the anchor of trust, how you measure all of that. And you realize whether the person actually understands how blockchain works or not. So, yeah, I mean, there are people who call themselves hackers and hackers.

I would say also that over the years, this has changed. When blockchain was a brand new technology, it was a way different acceptance level than it's now. Okay, Rob, can I read this here? I think you have the same article. Can you go all the way to the top, what it says? It doesn't have a title for some reason. It's not loading, but it is the same article. But in here it says, why do hackers love cryptocurrency? Cyber criminals and hackers love cryptocurrency because it's off the books and

And it's perfect for, I understand, it's at cyber criminals. Yes. You are using here hackers as a synonym of a criminal. Totally get it. That's why I stopped it. It's perfect for moving illegal payments and demanding ransom. Ransomware is a type of malicious software designed to block access to computer system and data, typically by encrypting it using ransomware. Attacker usually demands payment. Okay, so this is criminal activity. We're not talking the same thing. Actually, let me... This is actually a very good conversation. Because...

When you look at the history of ransomware, ransomware was dying. It was going away. In a lot of my presentation, I have the first ransomware because the first ransomware ever asked checks to be mailed to PO box in Panama. Right. That was how the ransom was supposed to be paid. Very slow. And what made ransomware to bloom and the whole criminal ecosystem around ransomware was cryptocurrencies. That was the rocket fuel.

So absolutely, if you are using hacker as a synonym, the criminals, yes, then they love it. But when I'm using hacker, I'm using hacker as the original term. People who are curious, who are thinkers, who are researchers, and they are not criminals. What do you think about Elon Musk? I don't have personal opinion. I have only met the guy once.

Was it at a conference or? That was when he was not that famous yet. Really? How long ago was that? Over 10 years ago. You met him? Yeah, that was a conference in California. That was right at the time when he was starting with the Tesla Roadster. You think he's a net positive to society with what he's doing and what he's questioning? I'm not taking that position one way or another. Okay. Are most hackers similar to you?

There was an amazing study, a PhD study in psychology by a guy who was working for Pentagon a long time. And he made an assumption when he started a PhD study. He had a hypothesis. There's this thing called chameleon hacker hypothesis.

So there's a special breed, an archetype of chameleon hacker. Chameleon hacker? Yes. Okay. So he was defining that as a hacker who have a credibility with enterprises and government and criminals at the same time. So he was searching for an archetype of chameleon hacker. What he came up with... Is this Marc Maiffret? No. The Rhino9? Or no, you're not... No, no, no. Okay. So...

What he found out that there's no one archetype. There's actually two different archetypes who are achieving that. So hackers come with all, as I said, all backgrounds, shapes and sizes. So there is a, it's a wrong assumption to say that there would be, this is all hackers are the same. No, we are not. We are not.

We are very different. We come from different backgrounds. And again, originally hackers were basically non-political. I mean, it was curiosity and tinkering which arrived. Then media started mixing hackers to be a criminal and the word of hacker changed.

became meaning something else than it originally was. I'm always using myself proudly. I'm a hacker because I use the original engineer curiosity, studying and try to make the world better place. And when you go to old school hacker conferences, there is a strong moral compass and strong intention to make the world better place for all. I think you guys are necessary because you can break into things that, okay, so,

You know Ryan Montgomery? I don't. Okay. We had Ryan Montgomery on, and he's another hacker. And he calls himself the ethical hacker, right?

One of the things he was investigating is human trafficking. Okay. Because with, with the ability to be able to hack systems messaging, you can see if somebody is trying to, you know, go and, you know, link up with a 12 year old, 14 year old, 15 year old. And he was catching a lot of people is what he was doing. Right. And it was consistent. And he does, he's done that for a while. It is, is,

If you have access to be able to get the kind of information they wanted to get, if the U.S. government wanted to hire all the hackers to find out, you know, what the communications like right now, Diddy's being accused of all this stuff, Puff Daddy. I don't know if you listen to a lot of Puff Daddy. He's been accused of doing a lot of stuff that he did with,

Kids and all that stuff were Epstein back in the days. If the U.S. government really wanted to know that stuff and they hired 50 of you guys, 100 of you guys, would you guys be able to hack into systems to find out communications, what's been said, what's not been said? Would you be able to get to the bottom of it faster? Different U.S. agencies are hiring hackers in large numbers, especially if you look at the alphabet soup.

So different intelligence agencies. Really, the question is the legal system. Again, what kind of evidence can be archived? What different ways? Also, hackers, generally speaking, respect privacy.

So when you are asking a question, can people hack to certain systems, the first question is, is it legal? But second thing is, even if it would be legal, hackers tend to have a strong respect of privacy of the others for good reason.

And that's really the difference between when you think hackers as criminals and when you think hackers as the way I define hackers. Yeah, but I mean, that's kind of like when, you know, mainstream media, say from the left, there's somebody that's investigating the story. And if they don't like the story because it goes against them, they'll say that's a conspiracy theorist. That's what he's doing. And they'll kind of they want to kind of put them in a box to make fun of them and have them lose credibility. It seems like that's the same thing they do with you guys, with hackers and

And they put you in that, you know, sounds like you guys are offended by that as well when it happens to you. Well, it's a necessary evil, but it's very important to know the difference. So now, again, going back to when you said ethical hacker, that's another thing which is important to understand. I'm very often asked, you are white hat. I say, not necessarily so. I'm ethical hacker.

But white hat hackers are very often trained and certified so that they are smarter than the other people. Well, criminals don't

What do you think about Bill Gates?

What about him? Any opinion on him? Like the work he's done, the things he works on? Do you have an opinion on him? I mean, one of the pioneers, unlike Steve Jobs, which was a marketing guy...

Bill Gates was a true engineer and put a lot of work into building early software and trailblaze how we work, whether we are agreeing or disagreeing about open source and different kernel models and different ways of making things work. Those are part of the corporate world. But nobody can deny his contributions to early computers and how we get to where we are today. Got it. Mark Zuckerberg, what do you think about him?

Again, that's more an application, not trailblazing. Social media is a... So when we talk about cyber war, we have to understand that every domain where we fight wars, air, space, land, sea, undersea, they are natural domains. There's a laws of physics. There is a rules of the road by the laws of physics.

The main domains we fight wars is cyber and information. For a long time, those two things have been put in the same basket because cyber was, information was not understood to be separate. What Mark Zuckerberg and the founder of Twitter, all of them, they created a new space, information space. Information space has been established.

existing since the dawn of the time, but they make new mechanisms to reach the information space. So when I look at Mark Zuckerberg and everybody who created the social media, they created a new space which can be used for good and bad. Right now, when we look at the

The crime and everything bad happening, cybercrime and cyberspace is different than information space and cognitive warfare, information, influence operations, all of that. That's completely different space because that is what happens between your ears and behind your eyes. And one thing what we don't have is a human firewall.

So what Mark Zuckerberg and all of them, when they created this whole new industry and whole new space, information space, what we are right now lacking is the defense mechanisms because these have to be built into humans. Yeah. Last question for you. When it comes down to hacking nuclear plants, is that something that worries you at all? Of course. Is it easy to do?

Russia has a hacker conference which is strongly promoted and basically working for Russian government. It's called Positive Hack Days. It was about 23rd to 26th of May this year. And they had a number of capture the flag competitions, which were targeted in different areas of critical infrastructure. One of those were nuclear. One of those were nuclear.

And one of the award monies which have been reported was to pay for a hack to shut down the cooling system of a nuclear power plant, which was framed as stopping energy production. Well, it will stop the energy production, but it will cause some other problems too. So everything in a critical infrastructure system.

has a long lifespan and it's hard to upgrade. It's hard to secure because they are old and they have a long lifespan. Isolation, air gapping is the only way to keep those systems safe. The only way. And of course, we have the weakest link, which is humans. If you look Stuxnet, you have air gap system and then people were carrying around USB sticks and off you go.

So, of course, I'm worried. I would be stupid if I wouldn't be worried about nuclear power plant security. I don't want to upset you. You seem like you're getting upsetting. I'm just asking an open-ended question. No, no, I'm not upset. I'm just saying that this is one of the many things which, when we look at critical infrastructure, whether it's nuclear, power grid, water treatment. Yeah.

We have to pay more attention. I mean, are you kidding me? Like I'm looking at the website right now, which you're telling me, right? The conference. Yeah. This is, and they, hey, contest. Oh, but it says it's a, this hacker party is ground zero for Russia's cyber spies. Kremlin's intelligent officers, Russian traders, and Moscow's answer to the global dragon tattoos. They all gather at this cyber security conference. That is wild.

That is wild. Now you understand why I got excited about critical infrastructure, because critical infrastructure is everything we need for keeping the society going. And if there's a conference where they are targeting indiscriminately civilian life, indiscriminately finding ways to disrupt civilian life,

That's worrisome.

Yeah, it says, let me see here. So there's also some of the things that they don't like here. Held is your technology complex and event central called Digital October, about a mile away from Kremlin. A 2014 attendees list included two of the GRU officers charged with breaching...

the Democratic National Committee, as well as two other key figures in Russia. Pavel Yavlusky-Yershov was one of the attendees, a GRU officer by the name of his charge, or Robert, now this is getting into very interesting things. Either Russian intelligence officers went there to recruit or they went there to learn. I guess it's a combination of both. Yeah.

So this answers your question. Are people hiring hackers to... Well, no. Listen, if you have to... Anytime you're looking to size your enemy, you have to think like them. Exactly. So if a criminal, if a country hates America, wanted to destroy America, how would you do it? I'm hiring every single hacker...

In the world, I'm hiring 500 of you, paying each of you a million a year. You know what that budget is? 500 million a year. That's nothing. Absolutely. That's nothing. They're printing billions right now. I would hire you. I'd put you in a nice place. I'd bring you in. I would feed you good food if you're an evil leader that wants to put down the greatest country in the world, which is U.S., which is where you live, which is where I live, right? That would be the way to go. That's why I'm wondering how often does your resume get shopped by people from Russia saying, hey,

Harri, come on, kapi sivajitsi. I come from Finland. We have the longest border with Russia. But the other thing is, you made a very good point. A lot of people in the U.S. say, oh, I can think like an enemy. Critical thinking is not human. We humans build societies because we have inherent trust. And a lot of the things which are spin out of hacker culture, like social engineering, are exploiting that trust.

So a lot of people say, I can think like an enemy. No, you are thinking like you wish your enemy would be thinking. But the enemy doesn't agree. It's actually a fiction writer, Robert Ludlum, who coined that phrase.

That is hilarious. So, okay. So what's the plan? Are you planning on keeping this, selling this, auctioning this off? By the way, for the folks that are listening to this, at this point, you know, Harri is on Minnect. You can ask him questions. I am sure you have a ton of questions. Go on Minnect, download the app, ask them the questions. There's a list of questions that people have about this. I'm sure it's coming your way. I really enjoyed this. I'm not going to lie to you. Coming into it, I'm like, I don't know what's going to happen.

I'm walking away with enough stories to tell for the next month where it starts off with, you will not believe who I spoke to the other day. This guy named Harri, let me tell you what he did. But anyways, it's great to have you here. Where would you like the audience to go look for you outside of Minnect?

So I'm in LinkedIn. I'm in X. You want to put your nonprofit? Yeah, nonprofit, which we have election integrity foundation, AF.vote. Please check because we run the voting village and we are educational. So we're

DEF CON Voting Village is not about proving that voting machines can be hacked. Every voting machine can be hacked. We are educational. We want to dismiss the misinformation, disinformation, make sure that people have the right facts. And Voting Village single-handedly have hundred-folded the people who have a first-hand understanding what is true about voting machines, how the voting machines actually work. So our mission is educational.

Purely educational. We want to educate the stakeholders, the government officials, the policymakers, the people who are working for policymakers and the general public about the truth. And truth here is that's why for years we have now been very hard. We have been waiting, fighting against misinformation, disinformation, making sure that people have the facts in their hands.

Just keep your politics out of it. Try to stay as fair as possible. I know you give me the vibes of which way you lean politically. Just keep it out of it. Be fair. We always, in Voting Village, we are nonpartisan or bipartisan. We never want to do anything partisan. I have a feeling, I'm trying to see like 80% of hackers, based on what you're telling me, are liberals. On the left, who...

are fans of probably New York Times, CNN, and MSNBC. That's the vibe you're giving me, which I would prefer it be 50-50, but I don't think you guys sound like because, you know, you were not a fan of Musk, so I'm just trying to see where you would be with it. But anyways, either way...

Very educational. And I'm going to reconsider my vote for 2024. Maybe not even vote this year after talking to you. You have discouraged me from voting this year. No, that's the wrong message. I'm going to sit this one out. Wherever you can vote, please vote. Don't let anything to discourage me. Whoever you vote doesn't matter. This man is discouraging you to not vote.

Never trust, always verify. Obviously, we're having a good time with you. I'm teasing you a little bit, but Harri, thanks for coming. I've been a great sport, truly. Thank you. I appreciate you. Thank you so much. Yes, this was great. Hi, my name is Harri Hursti. I'm a lifelong hacker and security researcher, an engineer with a heart which thinks that impossible is just a state of mind. Connect with me on Minnect.

I'm here to explain anything you might wonder about election security, critical infrastructure security, cyberspace, cyber warfare, information space, information warfare and connected warfare. So please ask me questions. Hope to see you there on Minnect.