Thursday, March 19, 2009

Comelec dares hackers to crack software

I first read this article two days ago in the Philippine Daily Inquirer.

Let's just say I was appalled and amused by what I read.

Here are some excerpts:

The Commission on Elections (Comelec) is challenging computer hackers to take a crack at the software that will be used in the 2010 elections to prove that the system is secure from fraud and tampering.

The system isn't even in place with the bidding still in its early stages, yet the COMELEC is already arrogant enough to claim that their system is "hack-proof". I've got news for them. There is no system that is "hack-proof".

The list of high-profile institutions which have been hacked in the past include the CIA, the FBI, NASA, the FAA, and various other foreign utilities, even a travel site used by U.S. government agencies. Indian government sites have been subject to cyber-vandalism as well. It probably goes without saying that these entities are in all likelihood light-years ahead of our own COMELEC in using and securing information technology, and yet they have been victimized by hackers.

Is the COMELEC really that IT-savvy that it is cocky enough to think that its system (that's not even in place yet) is really impervious to intrusions? I don't think so. And yet they are goading hackers to try and break into it. If it were a private system I really wouldn't care, but it's a system for what amounts to be the entire electoral system of the country. It is not far fetched to think that some unscrupulous hacker, possibly someone from somewhere outside this country, will take up the challenge "just for kicks" and for the right to brag in cyberspace that he or she has brought down the electoral system of some third world country. Hell I would. Of course, I have scruples.

“By the time a hacker gets into our system, the election is over,” Comelec Executive Director Jose Tolentino boldly declared Monday in a press briefing.

Manipulating election results is not the only reason to hack into the COMELEC's election system. It's possible you can obtain confidential voter information, identify the candidates a voter voted for, or get election results ahead of everyone else. This information could conceivably be valuable for some. And even if the elections were over, manipulating the election results, even if detected, could erode whatever confidence the public may have in their system, thus lowering the credibility of the electoral process as a whole, assuming of course, that there's at least some credibility to begin with.

Programmers and the general public can also scrutinize the source code of the company that will bag the P11.3-billion automation contract for the 2010 national elections.

The source code refers to the set of programs that carries the system’s instructions.

“The winning bidder’s software, the source code, will be open to inspection by the public,” Tolentino told reporters.

“They can look at it line by line to ensure that there is no malicious program inside,” he said.

If I were a hacker dead-set on breaking in the COMELEC's election system, viewing the source code would actually be a bonanza because it will give me an opportunity of identifying weaknesses and vulnerabilities in the system. Frankly, I think it's a bad idea to open the source code to the general public. If they want to prove that the program doesn't have any malicious code, they should just have it examined and certified by a reputable third-party software firm, a non-governmental agency, or an international body. A non-disclosure agreement should be standard, regardless of whichever entity examines the program.

The Comelec will also open the system and the machines to “ethical hackers” or IT experts who would be allowed by the agency to test the system.

“Then there are those who might try to hack the system without telling us. That’s OK. We are open to that,” he said.

It seems to me that they want the automated election system to fail this early on. Hardly any effort seems to be exerted in maintaining the security and confidentiality of the system. If you want the system tested for weaknesses and vulnerabilities, give the job to firms qualified to do so and make them sign non-disclosure agreements as well.

Doubting the Comelec’s readiness to fully automate by May 2010, former Comelec Chair Christian Monsod earlier warned that “software specialists” would now take on the dirty job previously carried out manually by unscrupulous poll personnel and political operatives.

I agree. The COMELEC is even giving these "software specialists" the heads up by showing them the in and outs of the system this early in the game.

For added security, the source code of the chosen system will be stored “in escrow” at the Bangko Sentral ng Pilipinas (BSP), he added.

Frankly, what would be the point, after you have disclosed the source code line-by-line to the public? Well, at least no one gets to tamper with it. Then again, you really don't have to have physical access to the source code to tamper with the system if you're really bent on modifying it.

The Comelec will release the TOR documents, priced at $20,000 per set, on March 18.

It's amusing that the COMELEC is 100% confident with success of the election system, when basically all they have to show for is a set of specifications (the TOR, or Terms of Reference) and not the finished product.

I don't know about you, but I'm not exactly brimming with confidence with the way the COMELEC is handling the automation of the 2010 elections. While I would like to think that they are indeed sincere in their objective of keeping the elections honest, at the back of my mind I still can't help but think that they are in over the heads, considering that none of them seem to really understand the technology or even how to properly use it.

Well, let's see what happens.

Post a violent reaction

Links to this post:

Create a Link

<< Home