Hack-tivism is real deep penetration

by Maria Eleanor E. Valeros, #citizenmedia

So I missed the 8th Rootcon? And I’m about to throw fits. It was in a Rootcon thingie that I got surrounded by 99 hackers, and how it felt sooo good, it aches to be left out.

 

What I remember most is meeting lawyer Al Vitangcol III who inspired me to scribble this piece, which saw print first in Cebu’s longest-running community daily, The FREEMAN. Read on:

“The reality is that the government and even the private firms do not have an established and effective security mechanism to protect computer systems and communication networks, including the Automated Elections System, from determined hackers.”

If you find this at the concluding portion of a report on “…Automation and Electoral Fraud,” penned by lawyer Al Vitangcol III, would you trust the PCOS (Precinct Count Optical Scan) machines again?

Vitangcol, a treasure trove when it comes to computer/network security, graced the “Rootcon 5 Hackers Conference” here in Cebu City, Central Philippines as one of the event’s valuable resource speakers. However, he refused to give a categorical answer to the question if there was indeed tampering of election results during the 2010 polls given the premise that “no system is 100-percent hack-proof.”

Instead, the Information Technology specialist and the Philippines’ first (and only lawyer) Electronic Commerce Council-certified computer hacking forensic investigator referred me to a report he presented to the Senate during one of the house’s “investigation in aid of legislation” on the alleged vulnerability of the PCOS machines to vote shaving and vote padding.

Vitangcol’s report which also saw print in national newspaper The PHILIPPINE STAR (StarWeek Magazine) read: “The most common question asked by the voting public is whether or not the election results can be tampered with. The answer is possibly Yes.”

He cited the following major technical issues which the Commission on Elections and Smartmatic-TIM have yet to resolve:

  • Software and subsequent voting date of the PCOS machine. It was said that these will be placed in a separate memory card, distinct from the unit itself. Such opens up opportunities for damage, tampering, data alteration, and even memory card switching.
  • Crypto keys. The cryptographic keys, both private and public, to the machine, are both under the control of Smartmatic-TIM – contrary to internationally established cryptographic standards. Thus, Smartmatic-TIM and its associated parties can make changes to the precinct election results without detection.
  • Data transfer. Transmission to the Comelec-Smartmatic-TIM hubs will be done through public telecommunications network. Transmitted data to designated points nationwide may be lost, erased, or even altered, once the Philippines’ AES comes under attack from computer hackers and crackers.

“With the few identified vulnerabilities of the AES,” Vitangcol wrote, “the final question that begs to be answered is this — Is the AES susceptible to hacking?”

He underlined that the Comelec, through its spokesman, had already admitted that it can be hacked, in this wise, “I am not saying that the system cannot be hacked. No system is 100-percent hack-proof. I am just saying that we have made sure that the system will not be hacked.”

“Even the Supreme Court, in its decision in Roque et. al. vs. Comelec et. al. had failed to look into the big picture of the AES relative to computer hacking,” this was also learned.

“Said decision focused only on the PCOS machine – and not on the whole AES infrastructure.”

Pertinent portion of the said decision reads: “Additionally, with the AES, the possibility of system hacking is very slim. The PCOS machines are only online when they transmit the results, which would only take around one to two minutes. In order to hack the system during this tiny span of vulnerability, a super computer would be required. Noteworthy also is the fact that the memory card to be used during the elections is encrypted and read-only — meaning no illicit program can be executed or introduced into the memory card.”

Vitangcol pointed out that the Supreme Court was correct in saying that the PCOS machines are only online when they transmit the results, which would only take around one to two minutes. “There is no question about this. Nobody would even want to hack the PCOS machines,” he added.

“But how about the municipal, provincial and national hubs that will receive the transmission of election results? Are they online for only two minutes? No, they are not,” he stressed.

“In fact, these hubs will be online for a prolonged period of time – from the time that the first clustered precinct will transmit its results to the time that the last clustered precinct will transmit its results to the same hub – effectively exposed and vulnerable to hacking all throughout that time.”

He added that with all due respect to our revered justices, the Supreme Court, in the same decision, “possibly made a lapse when it stated that the ‘memory card to be used during the elections is encrypted and read-only.’ The memory card is not ‘read-only.’ In fact, the images of all the ballots cast, together with the final count of all the votes of all the candidates, will be stored in the same memory card during elections day. If the memory card is ‘ready-only,’ then the results cannot be written and stored in the same card. For sure, the memory card is ‘read-write’ capable.”

What is the significance of this? “This means that the contents of the memory card can be erased, altered, or even manipulated,” Vitangcol said.

The report comes with a reminder that hackers are motivated by challenges, especially when an event of transcendental proportion takes place, and when the organization responsible for that event raises a challenge. According to him, “it is the adventure that primes these hackers to develop a system that can paralyze, if not totally break down, another system.”

And for huge hacking incidents, the involvement of a Filipino explicitly tells how impressive our engagement with technology is. Only that we seem to lose sense when proper application of such is already required of us. Remember the ILOVEYOU computer worm aka Love Letter authored by Filipino computer programming students and released to the wild in 2000? Even the series of defacements of government websites profess the genius of Pinoy IT specialists.

Collectively called Philkers (Philippine Hackers), these smart alecks claim that their invasion is not meant to destroy protected files. In fact, they have a commanding, rallying, engaging description to justify their act of deep penetration: Hacktivism. This, to show to our leaders – smack on their faces – how much work is still to be done; how much knowledge to imbibe; and methods and strategies to relearn and unlearn, when faced with the current and emerging challenges of securing information.###

Advertisements