P100M Reward For Hacking of Automation System

Here’s another case of government officials engaging in a funny exchange of soundbytes.

Commission on Elections spokesperson James Jimenez has reportedly said the proposed P100 million reward for anyone who can successfully hack the poll automation system dishonors the whole project. He, however, clarified that the Comelec is open to having the system challenged by ethical (white hat) hackers.

Mr. Jimenez ought to know that the danger of having the system hacked is a possibility that could very well happen during the actual elections. He should also know that if and when that happens the distinction between white hat and black hat hacking will hardly matter. What then is the logic behind keeping the hacking of the system open only to white hat hackers?

Mr. Jimenez also reportedly said that offering such a reward would only turn the pursuit of exposing weaknesses in the system into a hacking competition driven by money. So what? Is Mr. Jimenez certain that such a scenario will not occur if there were no P100M reward? Last time I checked, hackers would crack source code for fun or the challenge. This is funny stuff.

But what really made me laugh was his statement that the proposed reward dishonors the poll automation project. I can’t see how that is. What I can see clearly is how one incompetent agency can dishonor not only the project itself but the Filipino people’s decades-long fight for clean and honest elections.

I normally don’t use this kind of tone when I criticize but this whole issue over the P100 million reward is just so funny on so many levels. The biggest joke in all this is the fact that Mr. Jimenez even bothered to dignify Senator Alan Peter Cayetano’s proposal with a response.

Pinoy Buzz has already criticized the honorable senator’s statement. He speculates that Mr. Cayetano probably issued the statement in an attempt to derail the automation project for the benefit of a duck. Pinoy Buzz could be right. I have a different take on the matter but my analysis of the senator’s motives is nowhere near the juiciness of Pinoy Buzz’s theory so I will beg your indulgence.

I think the good senator came out with that statement for the simple reason that he wants some attention. Just consider his proposed reward amount, P100,000,000. That’s too many zeros just for hacking in my opinion. It’s clearly a ridiculous amount, one that could lead anyone to suspect that Mr. Cayetano may not even be serious about his proposal. Sure, he may file a resolution to back it up but that won’t prove that he is serious at all. It would however prove how ridiculous he is. But, then again, the senator may actually believe that his proposal stands a chance of getting approved. We can never be sure considering how our lawmakers think and operate.

I can already see the headline “Lawmakers Approve P100M Reward For Hacking of Automation System.” Now that would be truly ridiculous.

4 Responses to “P100M Reward For Hacking of Automation System”

  1. paul says:

    Perhaps Comelec Spokesperson James Jimenez could have pointed out that the only testing required by the law RA 9369 or the Amended Automated Election Law is the pilot testing of the Automated Election System and this was already done in ARMM.

    Further assurances could have been gotten by the groups and personalities now advocating for further “testing” if they attended the hearings or deliberations on the technical aspects of the automated election system.

    And also, the more you open the Automated Election System to attempts at hacking, the more vulnerable it becomes. If you open it up right now, especially if people get access to the source code, you’ll be able to map out exactly how you can manipulate the system. It’ll take time to rework the flaws plus to reinstall new security features and in the end, Comelec may not implement it.

    That’s the real danger and if we don’t get to have automated elections in 2010, we will never have automated elections ever.

    This is what is really getting to me, BP.

    lpgd Reply:

    i see your point. that’s the problem with software. you can never be sure it is 100% secure. i agree completely with your point that exposing the system to more testing may ultimately result in the scrapping of automation altogether. however, i am of the opinion that if no further testing will be done the risk of it being manipulated later on — God forbid on election day itself — will remain a big concern.

    you mentioned that the system was subjected to testing during the armm elections. i have a few questions. what exactly was tested then? what was it tested for? was it tested for vulnerabilities or just to see if it works? don’t get me wrong these are not rhetorical questions i’m really asking because i’m a little confused with the whole set up. if the system was tested before then it means the system — hardware and software — is already in place. if that’s the case then what the heck is being bidded out now? i’m thinking if we’re just about to procure new or additional hardware and/or software for this then it would be prudent to conduct further testing. just my thoughts.

    if only the government handled this whole automation business more seriously right from the beginning. the way it has turned out the government didn’t even have a clear timetable for it. i mean had the government set a definite timetable, which should have also covered vulnerability tests, and stuck to it then this whole automation business would have been conducted more smoothly.

    i’m not sure if i’m making sense here and i blame the government particularly the comelec for it. all their dillydallying and non-transparency have made a mess of everything.

    btw, i heard from the grapevine that a local group once presented their own automated system to the comelec a couple of years back. (btw, this group isn’t the computer professionals’ union you talked about in your previous post.) the system they presented is purely software, one that can be installed and run effectively on ordinary computers. the group explained that this feature alone would cut down the cost of automating the system significantly. of course, the group also highlighted the fact that their system is proudly philippine made. the group even offered to have the system tested/hacked by anyone. to cut the story short, the comelec as a whole was apparently impressed with the system. but then, after the presentation, a ranking comelec official asked the group, “do you have foreign partners?” hmm. why ask the question when the group was quite clear on their being all filipino right from the start? does the comelec have a fascination for foreign entities? if so, why?

    to this day this group continues to wait for the comelec to give their system another look but to no avail.

  2. paul says:

    “i have a few questions. what exactly was tested then? what was it tested for? was it tested for vulnerabilities or just to see if it works?”

    RA 9369 mandates pilot testing of automated election system in at least one real election. Originally, it was supposed to have happened during the 2007 elections in 6 cities and 6 provinces. 1 city and 1 province in Luzon, 1 city and 1 province in Visayas, and 1 city and 1 province in Mindanao.

    This was later revised to make it applicable to the ARMM elections and thereby comply with RA 9369.

    Before pilot testing could begin, the Comelec through the technical advisory committee had to scrutinize the system that would be employed in the ARMM. This is a thorough check, meaning all software and hardware used had to pass muster and all requirements for an automated election machine. This includes security features — features that would prevent hacking and other means of tampering with the votes and the voting results.

    Using the automated election machines themselves in ARMM was the real live test.

    This happened on Aug. 11, in which around 1.5 million ARMM residents voted.

    The results were that cheating still happened but this was on the level of the users (vote buying, flying voters, etcetera) and was hardly significant on the regional level.

    But as to wholesale vote manipulation or cheating the actual result on the provincial/regional level by manipulating the system itself to produce favorable results for a candidate in particular, this did not happen.

    If the system could have been hacked, it should have been hacked then. It wasn’t.

  3. jovy says:

    As long as it was online through the internet, it would be vulnerable to any kind of attack such as SQL (Structured Query Language) injection, brute-force method attacks, sniffing, remote access, Remote Administrative Tool (RAT), or I’d rather say etc., coz there are a lot of ways to access computers. White hat or black hat hacker is not necessary; the important thing is the result. Nothing is secure on the internet, and I would like to tell you all, the most secure computer is the one which is not connected to the Internet and is turned off, with lots of security guards around it, inside a concrete barrier sealed with iron with high voltage. And by the way, why are we speaking English when we are here in our own country and we are Filipinos…
