10 ways to HACK the Automated Elections

[raski]

---

The real danger in all of this is that it seems everyone thinks they are entitled to an opinion against Smartmatic without even the slightest clue about communications security, encryption/decryption keys and the kinds of attacks hackers can or cannot use with these machines. I cannot even say I'm an expert on all these things, though I have actually taken a master's level subject in computer security.

There are full-fledged four-year computer science degrees that focus on internet and computer security but there are very few, if any, truly well-versed security experts in the Philippines, so to say that the breadth and complexity of the subject is staggering is an understatement. Even in advanced countries like the United States, there is such a great shortage of security specialists in this area that these consultants often command six-figure salaries.

What am I trying to get at here? I think we need to be careful about jumping to conclusions and formulating opinions at the great and likely risk of spreading misinformation and damaging our country as a result. I can't even imagine how the Supreme Court will rule on any of these issues, as it's unlikely any of the Justices would know enough about computer security to issue a proper ruling. As I mentioned before, anything is hackable, but people don't seem to realize that a lot of what 'hacking' really is amounts to guesswork or brute force. A 128-key encryption can literally take millions of years to crack given the current speed of our computers. However, if a hacker is extremely lucky (as in luckier than a lotto winner) he can theoretically break an encryption in just one second. It's a balance of probabilities...

Also take note that the encryption/decryption methods to be used in the smartmatic system are likely not that dissimilar from the system used in internet credit card transactions. You may note that internet transactions are growing in number year after year, no doubt due to the increasing confidence that consumers have with a system that has had very few incidents of security breach. As you are reading this message, there have probably been tens of millions of online internet transactions that have been safely encrypted at the buyer's end and decrypted at VISA's servers. Can a single internet transaction be hacked by a dedicated enough individual? Yes of course. But it wouldn't be worth it, and it would take a very, very long time if the credit card information was encrypted with a 128-bit long key.

Next, a lot of people are saying that the system will be hacked because when it comes to cheating Filipinos will find a way. I think you people are overestimating our own intelligence and ingenuity, for certainly we are no better at hacking than the best hackers in America and we have yet to hear of an incident of electoral-based hacking in that country after their long history of election automation.

Lastly, I want everyone here to remember that automated elections, while not solving the massive problems this country faces, is in a lot of ways the holy grail.. the catalyst that may bring about such great changes to our system of electing leaders that we cannot even begin to imagine the potential world-changer that it could be. Think also of the more possible grand possibilities, than the highly unlikely worst-case scenarios... We need to be positive about something this important for once...

[cebu-future]

mas grabe ang tikas if manual counting. electronic counting makes more sense. It's like opening a bank ATM account compare sa ipakupot lang nimo imo kwarta sa imo relatives hehe. At least if it is electronic counting dali ra masubay asa nagsayop pero kung mano mano, dugay pangitaon ang sayop.

[ix-888]

The real danger in all of this is that it seems everyone thinks they are entitled to an opinion against Smartmatic without even the slightest clue about communications security, encryption/decryption keys and the kinds of attacks hackers can or cannot use with these machines. I cannot even say I'm an expert on all these things, though I have actually taken a master's level subject in computer security.

There are full-fledged four-year computer science degrees that focus on internet and computer security but there are very few, if any, truly well-versed security experts in the Philippines, so to say that the breadth and complexity of the subject is staggering is an understatement. Even in advanced countries like the United States, there is such a great shortage of security specialists in this area that these consultants often command six-figure salaries.

What am I trying to get at here? I think we need to be careful about jumping to conclusions and formulating opinions at the great and likely risk of spreading misinformation and damaging our country as a result. I can't even imagine how the Supreme Court will rule on any of these issues, as it's unlikely any of the Justices would know enough about computer security to issue a proper ruling. As I mentioned before, anything is hackable, but people don't seem to realize that a lot of what 'hacking' really is amounts to guesswork or brute force. A 128-key encryption can literally take millions of years to crack given the current speed of our computers. However, if a hacker is extremely lucky (as in luckier than a lotto winner) he can theoretically break an encryption in just one second. It's a balance of probabilities...

Also take note that the encryption/decryption methods to be used in the smartmatic system are likely not that dissimilar from the system used in internet credit card transactions. You may note that internet transactions are growing in number year after year, no doubt due to the increasing confidence that consumers have with a system that has had very few incidents of security breach. As you are reading this message, there have probably been tens of millions of online internet transactions that have been safely encrypted at the buyer's end and decrypted at VISA's servers. Can a single internet transaction be hacked by a dedicated enough individual? Yes of course. But it wouldn't be worth it, and it would take a very, very long time if the credit card information was encrypted with a 128-bit long key.

Next, a lot of people are saying that the system will be hacked because when it comes to cheating Filipinos will find a way. I think you people are overestimating our own intelligence and ingenuity, for certainly we are no better at hacking than the best hackers in America and we have yet to hear of an incident of electoral-based hacking in that country after their long history of election automation.

Lastly, I want everyone here to remember that automated elections, while not solving the massive problems this country faces, is in a lot of ways the holy grail.. the catalyst that may bring about such great changes to our system of electing leaders that we cannot even begin to imagine the potential world-changer that it could be. Think also of the more possible grand possibilities, than the highly unlikely worst-case scenarios... We need to be positive about something this important for once...

Bravo! very well said sir!

I longed to hear a thorough explanation na mkapasabot kanamong wala n4suh1t0 aning security sa wireless and net security... i opened this thread pra mkashare sad ang mga experts like you to make others aware of the risks and the security measures available to prevent hacking the electoral machines... i just would like to ask you sir if kung aside from the 128-bit encryption nga nagprotect sa data upon transmission... is it otherwise possible that the tampering of the number of votes going to a certain candidate pwede himuon by a certain code in their software nga mo-add ug certain amount of votes to a certain candidate (who presumably has set his own sabotage scheme by paying large amounts of money to the original programmers) na murag logical bomb ug style ba? in my own opinion, i think this is logically possible coz during transmission from other provinces, wala bya hard evidence kung pila ka votes ang na-counted pra sa usa ka-candidate from that area, then on the receiving end when the software activates that command upon a certain trigger kay ang votes would go to the sabotaging candidate... or pwede sad that the trasmitting machine maoy naay bomb na mo-activate ata certain trigger and change the number of votes so that the receiving machine reads otherwise... and if all data changes and synced, then murag lisod man i-trace what changes were mades since data writing and retrieval is digital, so walay way of knowing if naay na-tamper coz the software could easily change the data synchronously, in this way, there is no need to pay hackers to intercept the packets on transmission, no brute force needed, all the people who are in power need to do is pay adequately one of the programmers to make such code (although i still believe in the goodness of humanity, and i hope walay programmer na mosugot)... si kinsa gani ang nangusog aning computerization? and pila gani ang government budget pra ani? and ngano gani naay Filipino counterparts sa Smartmaticna dili independent security body?

you're an expert in this field sir, so please shed us some light if this are possible and if the government is taking the appropriate actions for a secure code for all the machines... and kinsa pod mo-evaluate and mo-check sa codes sa software na gamiton sir kung wala bay mga hidden lines of commands that could sabotage the entire process? naa bay independent security body na mo-ensure for a secure and bug-free code? and what about if naay mga power surges or black-outs, then inig siga balik kay lahi na ang figures sa votes, labaw na ang pikas?

i'm sorry for asking too much and for stating mga worst case cenarios... but we all know that absolute power corrupts absolutely so that anyone who wants to be in power and who are already in power will do everything to stay in power.... i am not against this computerization of the electoral process, in fact i am impressed by our people's movement towards change and technology... but i just think that the politicians who approved it should look more into the security issues pra maplantsa daan and masiguro na fair jud ang elections...

xoxox . . .Technology is always a double-edged sword ... May we choose to be in the light . . . xoxox

[ix-888]

@ raski

i tried to research a little on network security and saw these videos in you-tube, they claimed to have cracked the current standard, WPA/WPA2 128-bit encryption keys:

YouTube - Cracking WPA/WPA2 wireless network
YouTube - crack wpa2 easily with crack-wpa.fr
WPA/WPA2 Cracking in Linux No Clients! - Video

i dont know if these are real hacks but you said it yourself that it can be done although for a considerable amount of time, usually half day or a couple of days... my question is, with the right finances and tools, if politicians can pay a million or 3 to a team of hackers to build a powerful multi-8core, multi-12-core or Intel's 80-core CPU running Linux or other preferred OS to crunch all the brute forcing algorithms, is it possible to cut the crunching time to say a couple of minutes? if a politician really wants to win, mas mkasave pa xa to hire these few skilled hackers than buying votes, mka-ginanxa pa xag octa-core na computer nig human. Problema lng sa hackers kung if ma-crack nila ang security key, ma-exploit ba nila ang code....


For those unfamiliar with 8-core and 12-core CPUs' please read here :
http://www.tomshardware.com/news/Opt...core,7616.html

[Luskan]

Even with the doubts of some people

I find the new system way better than that manual one.

[raski]

i just would like to ask you sir if kung aside from the 128-bit encryption nga nagprotect sa data upon transmission... is it otherwise possible that the tampering of the number of votes going to a certain candidate pwede himuon by a certain code in their software nga mo-add ug certain amount of votes to a certain candidate (who presumably has set his own sabotage scheme by paying large amounts of money to the original programmers) na murag logical bomb ug style ba?

xoxox . . .Technology is always a double-edged sword ... May we choose to be in the light . . . xoxox

I just want to clarify that I don't consider myself an expert in this field, although I think I do know more than the average person. As I mentioned before, I've taken a single subject in computer security which includes the study of encryption-based systems, but it really takes an entire degree, even a PhD to really be a master in this subject.

But my opinion on your question is that it is possible but it would be very difficult and it's unlikely that the tampering would remain undetected. Their system no doubt required the work of a large team of programmers, and any tampering and the subsequent cover-up that would be needed would require the collusion of more than a single programmer. There will no doubt also be an audit of the software prior to first use that would compare all code to the original source, so any tampering could easily be discovered.

I would have to say that tampering with the source code and getting away with it is a very, very remote possibility at best. It would require collusion and conspiracy on such a grand scale, I doubt they would be able to implement it without someone knowing and putting a stop to the scheme before it can even be put into motion.

i tried to research a little on network security and saw these videos in you-tube, they claimed to have cracked the current standard, WPA/WPA2 128-bit encryption keys:

YouTube - Cracking WPA/WPA2 wireless network
YouTube - crack wpa2 easily with crack-wpa.fr
WPA/WPA2 Cracking in Linux No Clients! - Video

With the first video at least, several of the comments on the video itself already explain what's wrong with it. The person doing the "hacking" already knew the password, so of course he was able to "break" the code.

Let me try and simplify encryption/decryption. Encryption is merely the garbling of information, so that nobody but the person with the correct "encryption key" can write the data and none but the correct "decryption key" can decode it. If either the encryption key or decryption key are wrong, you get garbage, which would indicate false information.

A very simple explanation is the simple "shift letters" algorithm and encryption. In this, each letter in a message is shifted by X number of letters. X being the encryption key. So given the message:

Hello - original message

And an encyption key of 2, shifting each letter by 2:

Jgnnq - garbled 'secret' message

Now in order to get back to the original message, you need to shift it back -2, so the decryption key is the same as the encryption, this is what they call symmetrical, which is certainly NOT going to be used in the Smartmatic system. Smartmatic is probably going to use an assymetrical key where the encryption and the decryption keys are similar in length but are not actually the same. The algorith is of course going to be much, much more complicated than the above and the keys much longer and assymetrical, but the concept remains the same, the object is to garble information and ungarble so only the official keys can do so.

The 'hack' shown in the video is a hack with knowledge of the password that itself generates the key. Of course knowing the password, you can obtain the key easily. This is why poorly chosen passwords result in easy brute force attacks, the attacker could merely 'guess' the password. It would surprise you to know that most IT admins used the word 'password' as their password, making it easy to hack into computer systems. However, this is beside the point because Smartmatic is not using a password-generated encryption key, but a public-key infrastructure with digital signing/certificates. I have also heard that it is likely Smartmatic will be using a 2048-bit long key to sign its digital certificates, which more than suffices for purposes of security and protection from brute-force attacks.

[rambutan]

lagi lagi lagi, ma hack na lagi.. nya kung di ma hack ? saman ?
kung ganahan jud mog kausaban, kita tanan magbantay ana para di ma hack.
if naay mka hack , so naa jud para counter sa hack. tanan man kaha posible. so posible jud nga di ma hack.
hehe mao lang.

[Tin_Tin]

Ang problema sa uban kay magpa sweto2x lagi dayun... I tell you, don't believe the things you see on movies pareha atong die hard 4 and the likes... If it was that easy hacking then online banking and the likes would be troublesome...

Ang ako lang makita jud nga security threat is DOS attacks sa ilahang servers to hamper the elections...

Is the writer of that article a security expert? If he's just another writer, then I don't think what he wrote is credible. Don't believe too much in the media, specially media here in the Philippines.

[salbahis]

tsk2x.... another crab mentality on-action....

[ix-888]

@ raski
Thank you sir for clearing our minds of the possible security threats on the electoral process and for the information as to what smartmatic will do to ensure that their system is really secure....

@Tin_Tin
mam, i agree that DOS attacks could be a major threat . . . the writer of the article is not a security expert . . . the excerpt was just posted in order to site the common and average Filipino's apprehensions about the new system. . . mao bitaw purpose ani na thread to clarify all those issues, para kamo nga mga expert and daghan nahibaw-an, mka-assure namo nga gamay ra tawn ug nahibaw-an nga secure jud bag-o na system . . . that is why this topic was brought up in the first place to clarify issues in the average Filipino mind . . . Peace mam!
================================================== =======================================
sa tanan mo-post please, dili ta maglalis as to ma-hack ba or dili, kay as mentioned already, there is no perfect system

this is just a tickler thread in order to discuss unsay mga possible ways of hacking the system, and unsa pod ang mga security measures done,.... if kita mismo mga iStoryans makiglalis sa kapwa iStoryans, how much more sa greater Filipino community nu, mao ning wa juy padulngan atong goberno... share your ideas nalang, let's stop pointing our fingers kung kinsay mas maayo nato, or mas sakto nato... it's better to have a dialogue than an argument para mas daghang ideas ang manggawas....