
The Largest Car Forum in the Philippines

  1. Join Date
    Jul 2003
    Posts
    2,267
    #1
    "Koala bear's" accusations made it sound easy.

    For those who have technical knowledge and background, how easy would it be? How difficult?

  2. Join Date
    Oct 2002
    Posts
    40,096
    #2
    Show proof, that simple! He makes himself out to be such a brilliant IT expert and all, but he didn't even use any technology to record what they did... it could have been a cellphone, video cam, etc.

  3. Join Date
    Jul 2003
    Posts
    2,267
    #3
    Originally posted by shadow:
    Show proof, that simple! He makes himself out to be such a brilliant IT expert and all, but he didn't even use any technology to record what they did... it could have been a cellphone, video cam, etc.
    that is what i've been saying in the other thread in relation to Locsin's invectives against Smartmatic.

    This thread is about the technical aspect of the automated election.

  4. Join Date
    Oct 2002
    Posts
    40,096
    #4
    it's very easy to put on a mask and say that you did this and that, but showing proof is another thing.

  5. Join Date
    Jul 2003
    Posts
    2,267
    #5
    Originally posted by shadow:
    it's very easy to put on a mask and say that you did this and that, but showing proof is another thing.
    "that is what i've been saying in the other thread in relation to Locsin's invectives against Smartmatic.

    This thread is about the technical aspect of the automated election.
    "

    I am not saying Koala's statements are true. I am neither saying it is a lie. His accusations are just a backgrounder here.

    What I would like to know is if what he is saying is possible, plausible or impossible from an IT person's point of view. If possible, will it be easy or difficult or somewhat in between.

  6. Join Date
    Dec 2008
    Posts
    421
    #6
    He needs to show solid proof first. Cheating or hacking the PCOS machine is very very difficult. Even if you try to decompile the code (128 bit encryption is way too difficult to crack already) there are hundreds and thousands of codes and you need to still figure out how they work in order to edit them for cheating. Very unlikely. For a code that complex 300 bugs (in beta phase) is quite normal or even low (i.e. resetting of dates in the return) as long as it is not critical and it does not affect the final count.
    I don't think anybody in the Philippines has the capability to decompile, edit, recompile the flash cards enough to affect the results of the national elections.

  7. Join Date
    Nov 2006
    Posts
    832
    #7
    One easy way is to pay off the system administrator.

    Even with all of those encryptions and digital signatures . . . these are still operated by

  8. Join Date
    Jul 2003
    Posts
    2,267
    #8
    Originally posted by lazyfoot:
    He needs to show solid proof first. Cheating or hacking the PCOS machine is very very difficult. Even if you try to decompile the code (128 bit encryption is way too difficult to crack already) there are hundreds and thousands of codes and you need to still figure out how they work in order to edit them for cheating. Very unlikely. For a code that complex 300 bugs (in beta phase) is quite normal or even low (i.e. resetting of dates in the return) as long as it is not critical and it does not affect the final count.
    I don't think anybody in the Philippines has the capability to decompile, edit, recompile the flash cards enough to affect the results of the national elections.

    ok. thanks!

  9. Join Date
    Jan 2010
    Posts
    631
    #9
    As I haven't seen the actual implementation and configuration of the PCOS machines and servers used, it would be very difficult to give an accurate assessment of how easy (or hard) cheating could be done.

    However, there are various avenues of attack for any system that relies on data transmission from remote locations going to central servers.

    The normal process used to protect data is to encrypt for protection and generate checksums to serve as validation. Checksums (or hashes such as MD5) are very important because changing a single character or changing the position of two characters in the same set of strings will result in vastly different checksums. As an example, see the MD5 hashes of the different strings below:

    tsikot: e3f75b618adb2c5fec33305ff55ff27b
    Tsikot: 72dad29a0df6c6765221c1b29c6497e8
    tsokit: f265e69f522ff38ab31180ee169ceef6

    Even an extra space or capitalizing one character can have immense changes in the resulting hash value. The normal procedure is to generate an MD5 hash of the raw data in salted form (raw data appended with some secret value), and this hash is sent over along with the encrypted data. The server will then decrypt the data, compute the MD5 hash and compare the value it received with the value sent by the PCOS. If it is not a match, then something funny happened somewhere.

    Data transmission itself is also protected by using secure sockets, and in the firewalls that receive data from the PCOS, there would either be secure tunnels or secure IP implemented.

    So man-in-the-middle attacks can be easily detected.

    Koala Bear's point shaving claims are therefore quite hard to accept. There are too many safeguards in that front, and tampering in that direction can be relatively easy to detect. I find his claims to be quite unrealistic.

    That said, the implementation of the automated election had a lot of lapses and due to the sheer volume of machines involved -- some in remote locations -- as well as the whole lot of manual interventions/processes done (due to machine failure, transmission failure, etc), the surface area of potential fraud has increased in size significantly.

    How so? First, how sure are we that there are only 76,000 PCOS machines involved? What if there were more, hidden somewhere and used to generate "election returns." Second, how sure are we that all valid returns have been actually transmitted? What if valid returns were simply not sent to the server and replaced with something else (that still computed correctly as far as checksums go). Third, it is not wholly transparent to everyone what the encryption, validation, and data transmission processes are. Were they followed judiciously? Or were questionable data (like data with suspicious checksum values) still accepted by the aggregating servers?

    In a perfect world, there would have been no technology glitches and all transmission would have been done electronically and copies of each PCOS machine's summary results (with checksums) should have been provided to the different party representatives as well as audit groups. This could then be manually tallied and compared with the aggregated result. If we are gonna be strict (as strict as company financial accounting goes), a single voting discrepancy should already be a cause for concern. Note that in financial accounting, a difference of 25 centavos between individual item results as opposed to journal results can be cause for massive re-computation. This I know as I have worked with a lot of financial systems implementation for quite a while. (I wonder what the difference is between the server-aggregated results from manually aggregating the result of each known PCOS machine, hehehe).

    To summarize, if the automated election process was implemented strictly following industry-standard, enterprise-class security and data integrity protocols, cheating as per Koala's claims does not compute. However, if the implementation had a lot of loopholes and human workarounds, then cheating could still be done... not in the manner that Koala narrated, but in an even more sinister form.

    -----

    As a backgrounder, I work in the IT department of a company that does its business online and turns over almost US$1 billion per year in real-time transactions. Security and integrity are our top priority and I'm basing my above comments on a highly-simplified version of some of the things we do to protect our data and customers.
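
The tag-and-verify step described in post #9, together with the per-precinct comparison it proposes, as an added example that is not part of the original thread or of any PCOS software. The secret, the return format and the precinct numbers are constructed; HMAC-SHA256 is shown beside the salted MD5 the post mentions because it is the standard keyed construction for this job.

```python
import hashlib
import hmac

# Constructed secret and election return; not a real PCOS key or record format.
SECRET = b"constructed-demo-secret"
RETURN = b"precinct=0001;candidate_a=120;candidate_b=95"

def salted_md5(data: bytes, secret: bytes) -> str:
    """Scheme described in the post: MD5 over the raw data with a secret appended."""
    return hashlib.md5(data + secret).hexdigest()

def hmac_tag(data: bytes, secret: bytes) -> str:
    """Standard keyed construction for the same job (HMAC-SHA256)."""
    return hmac.new(secret, data, hashlib.sha256).hexdigest()

def server_accepts(data: bytes, tag: str, secret: bytes, scheme=hmac_tag) -> bool:
    """Receiving side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(scheme(data, secret), tag)

def reconcile(precinct_copies: dict, server_totals: dict) -> list:
    """Precincts whose printed copy and server record differ, or exist on one side only."""
    precincts = precinct_copies.keys() | server_totals.keys()
    return sorted(p for p in precincts
                  if precinct_copies.get(p) != server_totals.get(p))

def demo() -> dict:
    tag = hmac_tag(RETURN, SECRET)
    altered = RETURN.replace(b"candidate_a=120", b"candidate_a=150")
    copies = {"0001": (120, 95), "0002": (80, 110)}                     # constructed
    server = {"0001": (120, 95), "0002": (95, 110), "0003": (300, 10)}  # constructed
    return {
        "intact": server_accepts(RETURN, tag, SECRET),
        "salted_md5_intact": server_accepts(
            RETURN, salted_md5(RETURN, SECRET), SECRET, salted_md5),
        # Changed in transit without the secret: the old tag no longer matches.
        "altered_in_transit": server_accepts(altered, tag, SECRET),
        # Re-tagged by a party that holds the secret: the check passes, so the
        # tag alone cannot show which machine or operator produced the return.
        "retagged_by_key_holder": server_accepts(
            altered, hmac_tag(altered, SECRET), SECRET),
        # Comparing distributed precinct copies with server records catches
        # both the changed return (0002) and the unlisted source (0003).
        "mismatched_precincts": reconcile(copies, server),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```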

  10. Join Date
    Oct 2008
    Posts
    267
    #10
    He might be right, he might be wrong. We don't know yet. But I believe that there is always cheating. That will never go away. Even the Pentagon got hit by the Love Bug. Even credit cards get hacked. Even the U.S. stock market supposedly had a glitch? See this video, the wind might change direction:
    http://www.youtube.com/watch?v=ifJw0r0rz_I

Would cheating be that easy in the recent election?