Monday, April 20, 2009

Hacking the 2010 Automated Elections or Laying the predicate for Villar's electoral protest when he loses in 2010

I think the name of the game here is to stop Automated Elections in the Philippines, no matter what the cost is.

Then again, we may have an example of a duck that laid, not a golden egg, but a predicate for an electoral protest when his billionaire candidate loses in 2010 -- despite the surveys that say he will win.

In an Inquirer article, Senator Alan Peter Cayetano said at a press conference that he has filed a resolution setting aside P100 million as an incentive to anyone who can convincingly demonstrate the weakness of the automated poll system.

Cayetano, at a press conference Friday, said that if any IT expert can establish that the system to be used in the 2010 polls is not secure from fraud and tampering, “Comelec should cancel the contract, save the P11 billion and sue for damages the contractor in the event of such successful hacking.”

He said he would rather revert to the manual counting of votes if the computerized system would lead to wholesale cheating.



The reporter did not mention if Cayetano's resolution identified the source of funding or if such funds are really available.

I think what Cayetano is really doing is laying the predicate for an electoral protest later, just as is often the case with all the elections we have been through since we had elections. This is the rotten, transactional culture that is HIS legacy and heritage -- for Cayetano, no one wins and no one loses; there are only lawyers saying that someone cheated and someone was cheated.

I think it is short of saying that he knows that with the Automated Election System in place, his favored Billionaire Presidential candidate from Las Pinas will lose in the 2010 elections -- contrary to all the surveys that say he will win.

Another reason why he wants to find out if the Automated Election System has flaws is that he wants to find out how the automated election system can be cheated, so his billionaire buddy from Las Pinas can exploit the vulnerabilities.

But in any case, as I have said, any mere mention of money for hacking is enough to create a friendster among computer geeks.

I can see a situation where hundreds of Filipino geeks with laptops are going to claim that they can hack the Automated Election System and live out their fantasy of being Hugh Jackman's character in Swordfish -- because many of them weren't alive when Robert Redford did Sneakers.

And right on cue, the Computer Professionals' Union (the first time I've heard of them) has surfaced to say that hacking the Automated Election System can be done.

A group of computer experts has warned that the planned automation of national and local elections in May next year will not diminish fraud and cheating and could lead to the rise of a new type of election operator capable of manipulating the results of the automated polls.


Rick Bahague, national coordinator of the Computer Professionals’ Union, said automated large scale cheating could happen with the Commission on Elections’ (COMELEC) plan for automated elections. He said poll automation could give rise to a new "Garci", referring to former Commission on Elections official Virgilio Garcillano who allegedly tampered with the elections results of the 2004 presidential elections.


"Perpetrators of cheating and fraud like Garci will be back in 2010, more manipulative and more systematic than the past elections with the help of [automated elections system] that we have to be ready to preempt their plans," Bahague said in a statement on the CPU website.

Bahague said the proposed automated election system (AES) has several technical vulnerabilities including insider threats, software engineering limitations, network vulnerabilities and lack of required auditing procedures.



In the last paragraph, Bahague's claim of knowledge about technical vulnerabilities in the Automated Election System seems like he really knows something about it. But then again, terms such as "insider threats" or "software engineering limitations" or "network vulnerabilities" are just highfalutin terms which can be attributed even to the most advanced and sophisticated computer systems.

I am sure there are geniuses within the Computer Professionals' Union that can claim to have hacked an ATM network and made away with hundreds of millions of pesos.

I've met a lot of Filipino super geeks in my life and the more respectable ones are still blowhards when it comes to hacking.

Anyway, not one sentence in the article says that the Computer Professionals' Union has actually gotten their hands on the Automated Election System or has actually tried to hack the system successfully.

Just as well, Cayetano and the Computer Professionals' Union are both barking at the wrong time as the ideal time to spot flaws has already passed. They should have tried spotting flaws when the Automated Elections System was tested in the ARMM elections.

The Automated Election System was already tested and passed successfully during the ARMM elections. The ARMM is among the most difficult areas in which to ensure honest, clean and accurate elections. It was an acid test for the Automated Elections System and if any so-called technical vulnerabilities were present, they should have shown up during the ARMM polls and would have been exploited -- but no one was able to breach the security features of the AES.

The Computer Professionals' Union, lest it be suspected of wanting or planning to sabotage the electoral process, should have volunteered to do ethical hacking when Automated Elections were being held in ARMM. For real hackers to earn their keep, they should try hacking on a real live system and not a simulation -- that would have been available during the ARMM elections.

I wonder who's funding the Computer Professionals' Union? See if the bank is from Pateros or Las Pinas, you'll have your answer -- unless, of course, they got their money in cash.

13 comments:

Tek for the Pipol said...

Google Alerts happened to capture your reference to our group, the Computer Professionals' Union (CPU). Below are some of my comments:

"And right on cue, the Computer Professionals' Union (the first time I've heard of them) has surfaced to say that hacking the Automated Election System can be done."

CPU has been active in the Philippine open source since 2004. You can visit our website at www.cp-union.com and read many positions and articles on technology and impacts to the Filipino people.

In our positions and writings, we always try to use simple words and language such that we are easily understood. The following terms are self-explanatory: insider threats - similar to inside jobs in crimes; software engineering limitations - software bugs etc; network vulnerabilities: remote access and manipulation.

Unfortunately, no member of the group has hacked an ATM network. CPU's technical capabilities are to "advance ICT for the people". You can visit our website again to know more on this.

One main problem on Automated Election System is the lack of proper testing. One test (ARMM) is not enough to point out its flaws and errors. In our recent posting, we are advocating for a full review of any system that will be selected. Only through a rigorous scientific test of the said system can we discover most of its shortcomings.

Who are our funders? We are a volunteer group and most activities are done with members volunteering their free time. We usually ask for sponsors during our events. If you can refer us to anyone, we will appreciate it.

Admin said...

Oh, and if your friend Senator Alan Peter Cayetano or Senator Manny Villar wants the cheat code for the Automated Election System, all you have to do is type in "itik-itik sa manila zoo" in your status update.

Guaranteed, 1 million votes will be added to the latest tally.

Enjoy!

better said...

that does sound a little dangerous making the source code available to the public.

Admin said...

Eric,

I mistakenly deleted your comment on this post. If you are out there somewhere, please put in that comment again. What you said is really good.

Tek for the Pipol said...

In the case of AES, while there are public consultations on how the AES, in general, should look or work, the actual implementation and guidelines are defined by the agency, in this case COMELEC. The COMELEC did a technical review of possible systems last year. Even the technical committee (with one technical person knowledgeable on AES, a representative from DOST), advised that the COMELEC is not capable of implementing AES for 2010. The main reason is its lack of competence and not enough time for tests. Would you believe that even the technical reports are not released in public? We were fortunate to get a copy from another concerned group. I guess this answers paragraphs 1-9.

If you are not familiar with open source and free software, you can visit Wikipedia. This movement created Firefox, OpenOffice, Linux and much other high quality software. Source codes are open such that other volunteers can improve the particular project. Open source developers value contributions of everyone. We properly credit any relevant submission to any particular open source project.

There is still this mistaken notion that to secure a system one has to hide its technical implementation (source codes, designs, etc.) from everyone else except an elite group. Security by obscurity. The aim of releasing the source code to the public is to enable developers to fix bugs. This practice has already been perfected by open source communities.

AES testing cannot be only during the last ARMM elections. Critical systems are not tested once. Even Windows 7 is going through many tests – developer-only tests, release candidates until most bugs are fixed. But even with rigorous tests, Microsoft issues fixes and service packs during the life of the software. You can only make a robust system by testing, testing, and testing. Of course you have to fix whatever errors arise during those tests.

I got curious about Botong Pinoy. No wonder you are against opening the source codes and rigorous testing. Are you connected to a vendor?

“Welcome to the Botong Pinoy website. Botong Pinoy is a revolutionary total voting system developed by Mega Data Corporation, specifically for use in Philippine elections. It is composed of three modules which can operate individually by themselves but which can easily be integrated to form one complete TOTAL election solution. It has built-in safeguards against fraud and manipulation, and has specific design features to help even disabled and the illiterates in voting.”

Admin said...

To you Tek, I say "Heghlu'meH QaQ jajvam!" (And don't pretend you don't understand Klingon!)

Levity aside, let me share my contention and it is this: How many times do we have to test the Automated Election System (AES) until we are completely satisfied that it is kosher and it can be used in the 2010 elections?

If it were up to you guys, I'd think any AES would be in a perpetual beta testing phase and eventually, it still wouldn't be ready for the 2010 elections.

No offense to you and your Brainiac sized craniums, but at this point in time, I really doubt you can conduct a thorough review of the system, remedy the bugs, and roll it out in time for the May 2010 elections.

Most especially considering that you guys are VOLUNTEERS HELPING OUT USING THEIR FREE TIME.

Besides all this, let's just talk about what is mandated in RA 9369. Basically, this is that the technology to be used has to be approved by the Comelec; the technology has to have been used in an election; and that the technology has to be pilot tested in the Philippines.

I could cite chapter and verse of the law, but that's just too tedious at this point.

However, the point is, all of these requisites have already been complied with.

I don't know if you'd be smart enough to avoid arguing against this point, so just take my advice: Don't.

Why don't you just admit it guys, you're just raising this issue to stop automated elections in 2010.

If you aren't being paid to mouth off your opposition to the Automated Election by either Senator Manny Villar or his pet Senator Peter Cayetano, perhaps you are being paid by the Mafia in the Comelec (the same ones that had Comelec law department chief Alioden Dalaig and Winnie Asdala killed, gangland style).

As to being connected to a vendor, I am not. I don't have friends, relatives, business associates, or whatever who is even remotely connected to a vendor.

I note your attempt to cast doubt on my motives for taking you to task for your asking for the source code of the systems to be used.

We did work with Botong Pinoy in 2007 before and that was only because they were the only ones willing to help us demonstrate what automated elections could be.

Botong Pinoy was willing to donate the software, which could run on any computer and the technology was DRE based, meaning it was a touch screen system which had a paper trail with what seemed to me to be sophisticated bar code security features. There was also almost zero human interference as votes were directly recorded into the computer, tabulated, and transmitted to the central computer.

In any case, Botong Pinoy is not one of the vendors or suppliers for the 2010 elections. Apparently, Comelec doesn't want free software and as it turns out, they want to buy OMR based machines.

As far as this blog and this blogger is concerned, I render my decision and it is this:

YOU ARE ON THE WRONG SIDE OF HISTORY!

Tek for the Pipol said...

It appears you have to resort to inappropriate language and not reasons to show your point. Sorry if I disagree with you.

History will indeed confirm who is on the right side. We'll wait for that.

However, this is sure to happen. The hasty implementation of AES and no defined safeguard to make the election transparent, will always raise doubts not only from us but the people themselves.


P.S. I could still point out many documented technical errors with DRE-based systems, but I would just refer you again to Wikipedia.

Admin said...

What inappropriate language are you talking about?

Anyway, define your use of 'hasty' in referring to the implementation of the AES.

If this is merely your opinion, then I leave you alone to it.

But the fact is that the system has already undergone scrutiny by competent professionals several times over by now.

Its implementation has already been delayed for over ten years and in that time, numerous automated election systems have already been tested and proven to work accurately -- these are more or less, the same systems that will be used in this country.

If you are going to cite the Miami Recount as an instance where automated elections failed to stop cheating, my rebuttal would be merely to point out that we aren't using those machines and it was the MANUAL recount that was flawed.

Your call may be for transparency but that's just to mask the intent of setting up another road block to automated elections.

Or, if you are at all that sophisticated, your real intent may be to lay the predicate for an electoral protest later.

At the end of the day, it has already been decided that the entire country will go through with automated elections -- unless you succeed in derailing it.

It is a risk, as anything new is a risk, but it is a risk worth taking because it will ensure that massive wholesale cheating will be a thing of the past. (If your contention is that automated elections can be rigged through hacking, I challenge you to show some proof of concept; otherwise, shut up.)

As to your documented technical errors with the DRE, what's the URL of that article in Wikipedia (already largely debunked as a source of information by the academe and professionals)? I don't suppose it was the Computer Professionals' Union who actually wrote that entry?!

Live long and prosper!

kathang said...

This blog (truly a disgrace to all citizen journalists) lost all its credibility when you started bitch-mouthing people who disagreed with you. It won't be long till you start calling anyone on the spectrum opposing yours as "klingons" with "brainiac-sized craniums" (it probably takes one to know one, or at least, know how to appropriate "klingons" as a label, and to know its language, to boot!)


You seem to be hell-bent on pushing through with the AES without it undergoing public, scientific scrutiny. Are you saying we should take COMELEC's word for it? It's like you're asking us to believe that the Garci and Abalos scandals are the best symbols of a working democracy!


And FYI, the voting public is not polarized between pro-Cayetano/Villars and anti-Cayetano/Villars. Just because you're an apologist of the anti camp doesn't mean all other dissenters are on the opposite spectrum. Some people welcome the automation of elections but refuse to be used (directly or indirectly) as pawns of the administration, as they stand to gain from the AES' manipulation (come to think of it, we all know how the mercenary COMELEC is always in the ruling regime's favor.)

Admin said...

I'll ignore your obvious slurs and focus on dissecting your comment to expose its flaws.

"You seem to be hell-bent on pushing through with the AES without it undergoing public, scientific scrutiny."

The law, RA 9369, prescribes the process for public scrutiny and the COMELEC has complied with it. If YOU don't know what that process of scrutiny is and how Comelec complied with it, you ought to do more research.

"Are you saying we should take COMELEC's word for it?"

Would you rather that I take your word for it? Of course you would.

But the law or laws did not designate Kathang as the one who will say go or no go to Automated Elections. Neither did it designate Tek the Pipol or what's his name from Computer Professionals' Union.

It designated the technical advisory committee of the Comelec to undertake scrutiny of the AES. The technical advisory committee is composed of officials from the DOST, other agencies, and private individuals with expertise in IT.

"It's like you're asking us to believe that the Garci and Abalos scandals are the best symbols of a working democracy!"

This is a great flying leap, not just a jump to an irrational conclusion.

Where did you get the idea that just because I support Automated Elections this immediately means that I think Garci and Abalos are the best examples of democracy?

The reason why we have Garci is because we DID NOT have Automated Elections immediately after the first Automated Election Law was enacted. It had to take an amendment to make the 2010 elections automated.

And finally, you ought to consider these before flaming me:

First of all, you guys have to prove that the Automated Election Systems can be hacked or manipulated as you claim. PROOF OF CONCEPT IS NEEDED.

Second, your proposal for a thorough review (granting that it could be allowed) should be done within a period of time short enough so that it can allow the fixing of bugs and security problems, thus avoiding any delays that may jeopardize automated elections in 2010. You have shown no proof at all that you can do this and still have automated elections in 2010.

Who died and made you Chief Computer Rabbi whose blessings would deem the AES kosher or not kosher?

Live long and prosper!

Admin said...

I have a compulsion to publish comments in this blog, just try to be nice and keep a sense of humor when reading it.

We can disagree, but that doesn't mean we can't go out for a beer when hell freezes over.

kathang said...

Speak for yourself. It is ironic how you ask people to be nice when the barbs started from your own horse's mouth.

Are you saying that with the advent of an AES, COMELEC manipulation will become an obsolescence? You can claim to all logic and technical expertise, but you seem to be largely lacking in the social realities department. Note that there still remains a human element in the AES process, one that is largely LIMITED to the elite few (i.e. the COMELEC operators) who have the benefit of access to the AES itself. THAT'S the problem if you don't open the process to election watchdogs. You are willfully ignorant of the fact that the past Garci and Abalos experiences remain a PROBABILITY regardless of whether the process is automated or not.

I would daresay my track record as a citizen would definitely give me more credibility than historically-corrupt COMELEC. But yes, that's my opinion, and your hosanna-to-the-highest praise of COMELEC as an authority is just another, albeit a more deluded one.


We have come to the point where your dogmatic stance and obvious pro-COMELEC, pro-Administration biases are no longer contributive to a healthy debate.

An indicator of this is your rabid assertion that CPU is ANTI-Automation, when in fact all it calls for is more testing, testing, testing, as what any logical IT group would call for (unless you want the system to remain untested for CERTAIN reasons.) Time is not a resource we should be scrimping on when it comes to something as important as the elections, hence just the ARMM elections does not suffice enough.

With that, we leave you to your own little ranthole. After all, the talk is nothing without the walk, so we might as well use our energies to mount our advocacies.

Live long and prosper.

Admin said...

What barbs?

Kathang, why don't you just show PROOF OF CONCEPT or demonstrate that you guys can actually IN REAL LIFE hack an automated election system.

I'll even ask Botong Pinoy or one of the companies that provided AES during the ARMM polls to cooperate with you and provide you with a REAL AES to hack.

I am that confident it can't be hacked, as you allege.

Any takers? Huh!? Wanna walk the walk? Huh?!

My contention is you're all just a bunch of blowhards... You, Tek the Pipol and the four other guys with you who are wearing Klingon masks at this very moment.

If you hate my guts for pointing out that the Comelec is the legally empowered body that finally decides whether or not to go for automation, then so be it.

If you refuse to recognize the law, then what kind of citizen are you?!

At least I am basing my opinion on LEGAL FACT. Your opinion is based on pure conjecture.

And what debate are you talking about?

You have made no arguments except for fallacious ones.

CPU is anti-Automation because it has said that the Automated Election System can be hacked WITHOUT EVEN DEMONSTRATING or SHOWING PROOF THAT IT HAS ACTUALLY HACKED IT.

Anything is possible in the realm of possibilities, until you actually try it in real life. Maybe you guys just watched SWORDFISH too many times and think that Hugh Jackman is a real computer hacker.

WHAT is appalling about YOU is that YOU just expect everyone to believe CPU (who has not even had their hands on a real AES) over those people in the Comelec's technical advisory council, who actually scrutinized the system?

Time is not a resource we should scrimp on... Really? Why don't you think about this line again and perhaps, by some miracle, you'll realize how stupid that sentence is.

We only have a limited amount of time. You, me, Tek the Pipol, and the four guys wearing Klingon masks beside you. Perhaps not the Vulcan, they live for 300 of our earth years.

We've had automated election system technologies around the world since the sixties.

We've had the automated election law for over 15 years and it had to take an amendment in order for automated elections to be finally implemented in 2010.

Now you're asking for further testing as if it were a completely new technology.

What this "advocacy" of yours really is, is a damned if you do and damned if you don't ruse.

If testing by your group is allowed the way you want it to happen, you will inevitably find one flaw or another as no system designed by man is ever perfect or fool proof. Then you'll have some basis to put off automation for, say, 20 more years.

If testing by your group is not done, then you'll say that this is because Comelec is not being transparent and this is a sign that they will be employing sophisticated techniques to rig the polls.

There is no winning position with you; you simply don't want automated elections and that's it.

I think that's the TRUTH.
