comelec: a question of confidence

Presented at the Kapihan sa Manila Hotel, May 3, 2010 Comelec: A Question of Confidence By Joey de Venecia III Senatorial Candidate & Spokesman on Poll Automation Pwersa ng Masang Pilipino



Page 2: COMELEC: A Question Of Confidence

D Day -- May 10, 2010

• One week from today, 50 million Filipino voters will head for their respective precincts to elect the next president, vice president, 12 senators, party-list representatives, and local government officials. This will be the first time that the Commission on Elections will conduct automated (AKA computerized) elections.

Page 3: COMELEC: A Question Of Confidence

There are serious issues the Comelec needs to address

• The Comelec has not succeeded in winning the trust and confidence of the electorate for a number of reasons:
  1. The PCOS machines have failed or underperformed in a number of instances;
  2. The entire voting system appears to have numerous pitfalls/shortcomings; and
  3. It is not clear if cheating – in the form of digital dagdag bawas – can still take place.

Page 4: COMELEC: A Question Of Confidence

COMELEC & the AES

[Diagram labels: Stakeholders (PUBLIC); Automated Electoral System; RISKS; Systems; Concerns; Countermeasure; Minimize/mitigate risks; CONFIDENCE; Source Code Review; Evaluation; Assurance; THE MISSING LINK]

The COMELEC has been unsuccessful in providing information on the AES to gain voter confidence.

• The release of critical documents was delayed, giving the perception that they are hiding something.

COMELEC has been trying to create this link without any success.

By: Drexx Laggui, Information Security Consultant

Page 5: COMELEC: A Question Of Confidence

Documents

On Monday, April 26, 2010, 5:00 PM, the following documents were requested:

• Systest Labs Report – promised to be provided on April 27
• Technical Evaluation Committee (TEC) certification and report – promised to be provided today April 27
• PCOS Machine Test Results (and the PCOS test procedures that generated these results) – promised to be provided April 27
  • Three (3) test results in particular: mean time between failures (MTBF); average rejection rate of valid ballots; and accuracy rate (given x test ballots, how many were miscounted, if any). If we can have full access to the reports per machine, we can do statistical analysis and have a good idea about the % of failures, ballot rejections, and count accuracy levels to expect on May 10.
• Random Manual Audit (RMA) Procedures – promised to be provided by April 27
• Design Specifications – still to be discussed during en banc on Tuesday, April 27
• Test Protocols – to be discussed during en banc on Tuesday, April 27

On Friday, April 30, 2010, 3:00 PM, the following documents were received:

• TEC Resolution 2010-002.pdf
• Tabular Information 03 03 2010.pdf
• Systest Source Code Review Readiness and Security.pdf
• System Acceptance Test.pdf
• Systest Certification Report Summary.pdf
• RMA Resolution No 8873.pdf
• PCOS Firmware Extract Hash 03 03 2010.pdf
• Other Certifications.pdf
• DOST Discrepancies Reports Analysis.pdf
• Certification on Final Trusted Build.pdf
• ANNEX J - TEC Compensating Controls.pdf
• ANNEX G - Revised Continuity Plan.pdf
• ANNEX F - TEC Validation and Verification Procedures.pdf

Hard copies of the documents were received, then converted to PDF format for proper distribution.

Downloadable through Joey’s website: http://www.joeydevencia.com

The remaining documents were promised to be given on Monday, May 3, 2010.

Page 6: COMELEC: A Question Of Confidence

IMPORTANT NOTE

• Of all the documents provided us by the Comelec, we consider the Certification Test Report for Source Code Review, Readiness and Security Testing the most important. This is also known as the SysTest Lab report.

• The copy of the report provided us had a potentially important page missing.

• The report indicated the extent of the test performed on the system.

• The report showed the strengths and weaknesses of the system.

• A statement in the SysTest Labs website says a comprehensive test was done to the system.

Page 7: COMELEC: A Question Of Confidence

COMELEC MATERIALS & THEIR SIGNIFICANCE

Technical Evaluation Committee (TEC) certification and report

• These certifications and reports are mandated by law.
• Test Results on accuracy, security and quality of the system.
• The Certification released to the public does not satisfy the requirement of the Law.
• RA 9369 states: “SEC. 11. Functions of the Technical Evaluation Committee. - The Committee shall certify, through an established international certification entity to be chosen by the Commission from the recommendations of the Advisory Council, not later than three months before the date of the electoral exercises, categorically stating that the AES, including its hardware and software components, is operating properly, securely, and accurately, in accordance with the provisions of this Act based, among others, on the following documented results:”

PCOS Machine Test Results (and the PCOS test procedures that generated these results)

• The test results show the basis for both COMELEC and Smartmatic’s acceptance of the system.
• Smartmatic received the machines from their Chinese manufacturer.
  • What was the basis for accepting these machines?
• COMELEC received the machines from Smartmatic.
  • What was the basis for accepting these machines?
• There has to be some form of Test Data for both COMELEC and Smartmatic to accept these machines. None were provided.
• The report should also show the strengths and weaknesses of the system.

Page 8: COMELEC: A Question Of Confidence

SYSTEMIC PITFALLS

PCOS Machines

• 82,200 PCOS machines & backup batteries purchased
• 75,471 precinct clusters
• 6,729 spare PCOS machines available (8.9% of the total number of clustered precincts)

Memory Cards

• 180,640 memory cards purchased.
• Two Memory Cards per precinct cluster (one firmware, one data) yields a requirement of 150,942 memory cards.
• 29,698 spare memory cards available (39% of the total number of clustered precincts).
• These cards could either be used for data or firmware.

• Spare PCOS machines can be used to generate multiple ERs and store the corresponding data file to the spare memory cards.
  • Could be used as the basis when a candidate questions the results.
  • Could be used to switch the data card during transport.
  • These Compact Flash cards are small enough to cover with the palm of your hand.
• Spare PCOS machines could be used to connect to the servers.
  • There are more than enough spare data cards to attach to the spare machines.
  • Identity and profile for these spare machines could easily be configured.

Page 9: COMELEC: A Question Of Confidence

SYSTEMIC PITFALLS

• Although it is very clear in RA 9369, the COMELEC decided on its own to disable this function.
• RAs can only be changed by amending the law in Congress.
• Disabling the feature to read UV markings.
• The official COMELEC reason is “alignment problems.”
• Disabling the voter verification feature, which implements the provision of the law allowing the voter to confirm that the machine (PCOS) registered his/her choice.
• Empowering the BEI to control the fate of the ballots.
• To date, voters are unaware of what these UV markings should look like.

Page 10: COMELEC: A Question Of Confidence

SYSTEMIC PITFALLS

• All Digital Signatures were prepared and generated by Smartmatic/COMELEC.
• The Comelec has removed another significant security feature, and its removal makes it possible to transmit data from other PCOS machines without the presence of any BEI member.
• The BEI will no longer be required to digitally sign the ERs.
• The Digital Signature will automatically be embedded by the PCOS machine.
• This contradicts the original General Instruction document released by the COMELEC, although a revised GI was released to reflect this change.

Page 11: COMELEC: A Question Of Confidence

SYSTEMIC PITFALLS (CCS)

• The CCS (Consolidating/Canvassing System) will be the basis for protests, just as the COCs were the basis for electoral protests during the manual voting days.
• With the absence of time and date logs, records & results can be accessed during and after elections without the public knowing the time and date they were accessed.
• Systest Labs even acknowledges this problem, stating “it is however, an impediment to an accurate re-creation of election actions, should the need arise.”

Audit Functionality

Several of the logging functions in the Smartmatic CCS project appear to omit the inclusion of the time and date from the logged messages. These functions are accessed throughout the system as logging functionality is required. This apparent omission may result in audit log entries without complete date and time information being included as part of each individually logged message. (Page 18, Certification Test Report for Source Code Review, Readiness and Security Testing, Rev 1.06, Feb 9 2010, Systest Labs)

Page 12: COMELEC: A Question Of Confidence

SYSTEMIC PITFALLS (CCS)

• This simply states that it is possible to make changes to the database, bypassing the implemented security measures.
• Remote operations on the database are possible.
• These injections are actual database-related instructions that can manipulate data stored in the system.

Security Functionality

SysTest's processing of the Dominion EMS source code through the Parasoft tool application, however, indicated that there are possible susceptibilities to SQL injections within the Dominion EMS…Several instances were found to exist in which user-entered data-related commands may be submitted to the database in such ways that the implemented protective coding may be bypassed. (Page 19, Certification Test Report for Source Code Review, Readiness and Security Testing, Rev 1.06, Feb 9 2010, Systest Labs)
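The finding quoted above, shown as an added example that is not taken from the SysTest report or from the EMS source code: a query built by string concatenation behind a filter, beside the same query with a bound parameter. The table, the `naive_filter` "protective coding" and the sample rows are hypothetical and constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory table of constructed canvass rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tally (precinct TEXT, candidate TEXT, votes INTEGER)")
    conn.executemany(
        "INSERT INTO tally VALUES (?, ?, ?)",
        [("P-001", "Candidate A", 310), ("P-001", "Candidate B", 295),
         ("P-002", "Candidate A", 120), ("P-002", "Candidate B", 480)],
    )
    return conn

def naive_filter(text):
    """Hypothetical protective coding: strips separators and comment markers only."""
    return text.replace(";", "").replace("--", "")

def rows_for_precinct_concat(conn, precinct):
    # Weak: user text is pasted into the SQL string, so a quote character
    # that the filter lets through changes the structure of the query.
    sql = ("SELECT candidate, votes FROM tally WHERE precinct = '"
           + naive_filter(precinct) + "'")
    return conn.execute(sql).fetchall()

def rows_for_precinct_bound(conn, precinct):
    # Corrected: the value travels as a bound parameter and is never parsed as SQL.
    return conn.execute(
        "SELECT candidate, votes FROM tally WHERE precinct = ?", (precinct,)
    ).fetchall()

# Constructed input that the filter accepts unchanged.
CRAFTED = "P-001' OR '1'='1"

def demo():
    """Row counts returned by each version for a normal and a crafted value."""
    conn = make_db()
    return {
        "concat_normal": len(rows_for_precinct_concat(conn, "P-001")),
        "concat_crafted": len(rows_for_precinct_concat(conn, CRAFTED)),
        "bound_normal": len(rows_for_precinct_bound(conn, "P-001")),
        "bound_crafted": len(rows_for_precinct_bound(conn, CRAFTED)),
    }
```

The concatenated query returns every row of the table for the crafted value, while the bound query treats the same text as a precinct name that matches nothing.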

Page 13: COMELEC: A Question Of Confidence

SYSTEMIC PITFALLS (CCS)

• Encryption keys provide added security to the system by turning various data into an unreadable format.
• With keys exposed in the source code, any threat to the system (such as hackers) basically has its work done for it, making it faster to access the system.

Security Functionality

It was also determined that, in at least one instance, encryption keys were found to be explicitly coded into the source code of the system. That encryption keys were discovered within the source code could potentially make them available to anyone that might have access to the executable binary version of the EMS application. (Page 19, Certification Test Report for Source Code Review, Readiness and Security Testing, Rev 1.06, Feb 9 2010, Systest Labs)

Page 14: COMELEC: A Question Of Confidence

SYSTEMIC PITFALLS (CCS)

• Programming languages require you to define the numerical type of every variable that will be processed (e.g. Decimal, Integer, etc.).
• Converting types during program execution could affect the values during the conversion process (round up, round down, etc.).
• This could be a threat especially when dealing with number values in the millions range.

Other Functionality

Mixed mode operations may have risks involved if the value being converted is of a floating type, and it is converted to a decimal type, thereby potentially losing precision, or if the type being converted is assigned to a type implemented as a smaller variable type, in what is known as a narrowing conversion. (Page 20, Certification Test Report for Source Code Review, Readiness and Security Testing, Rev 1.06, Feb 9 2010, Systest Labs)

Type of Variable is Integer

Page 15: COMELEC: A Question Of Confidence

SYSTEMIC PITFALLS (PCOS)

Audit Functionality

It appears that multiple entities may have the possibility of writing to a single log file using class method logFile.LogMsg() without clear controls over ownership of the file handle, or clear comments indicating that that is the single audit logging thread….. It is however, an impediment to an accurate re-creation of election actions, should the need arise. (Page 21, Certification Test Report for Source Code Review, Readiness and Security Testing, Rev 1.06, Feb 9 2010, Systest Labs)

• The PCOS appears to have the same issues as the CCS.
• The log file could be overwritten, thus clearing the previous log records.
• Could be a challenge in re-creating events, as mentioned in the report.
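The two audit-log findings (entries without time and date in the CCS, and several writers sharing one PCOS log file) addressed in one added example, which is not code from the report or from either system. The `AuditLog` class, the entry format and the `review` check are assumptions made for illustration.

```python
import re
import threading
from datetime import datetime, timezone

STAMPED = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3}\+00:00 seq=(\d+) ")

class AuditLog:
    """Sole owner of the file handle; stamps every entry with time, date and sequence."""

    def __init__(self, path):
        self._lock = threading.Lock()
        self._seq = 0
        # Append mode: opening the file again never truncates earlier records.
        self._fh = open(path, "a", encoding="utf-8")

    def log_msg(self, source, message):
        with self._lock:  # one writer at a time, so entries cannot interleave
            self._seq += 1
            stamp = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
            self._fh.write(f"{stamp} seq={self._seq} src={source} {message}\n")
            self._fh.flush()

    def close(self):
        self._fh.close()

def review(lines):
    """Return (entries lacking a timestamp, whether sequence numbers run 1..n with no gap)."""
    unstamped, seqs = [], []
    for line in lines:
        match = STAMPED.match(line)
        if match:
            seqs.append(int(match.group(1)))
        else:
            unstamped.append(line)
    return unstamped, seqs == list(range(1, len(seqs) + 1))

def run_writers(path, writers=4, per_writer=25):
    """Constructed workload: several threads log through one shared AuditLog."""
    log = AuditLog(path)
    def work(name):
        for i in range(per_writer):
            log.log_msg(name, f"event {i}")
    threads = [threading.Thread(target=work, args=(f"module{n}",)) for n in range(writers)]
    for thread in threads:
        thread.start()
    for thread in threads:
        thread.join()
    log.close()
    with open(path, encoding="utf-8") as fh:
        return fh.read().splitlines()
```

A reviewer can run `review` over any log in this format: an entry without a timestamp is listed, and a missing or replaced entry shows up as a gap in the sequence.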

Ballots

A few instances were found where the source code did not include checks for the possibilities of vote count variables being overflowed. Numeric variable overflow is possible if the value assigned to the variable becomes more than the maximum permitted value for the numeric type of the variable. The risk can only become manifest if a large number of votes are processed through a single PCOS. (Page 22, Certification Test Report for Source Code Review, Readiness and Security Testing, Rev 1.06, Feb 9 2010, Systest Labs)

• This states that the PCOS machine can generate more votes than the prescribed amount.
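The numeric findings quoted from pages 20 and 22 of the report (precision loss, narrowing conversion, unchecked counter overflow), worked through as an added example that is not code from the report or the PCOS firmware. The 16-bit and single-precision widths are assumptions chosen for illustration; the page does not state the actual variable types.

```python
import struct

U16_MAX = 0xFFFF  # assumed counter width; the report does not give one

def add_unchecked_u16(count, n=1):
    """A 16-bit unsigned counter with no overflow check: the value wraps around."""
    return (count + n) & U16_MAX

def add_checked_u16(count, n=1):
    """Refuse the update instead of silently wrapping."""
    if n < 0 or count + n > U16_MAX:
        raise OverflowError(f"counter would exceed {U16_MAX}")
    return count + n

def narrow_to_i16_unchecked(value):
    """Narrowing conversion: keep the low 16 bits and reinterpret them as signed."""
    return struct.unpack("<h", struct.pack("<H", value & U16_MAX))[0]

def narrow_to_i16_checked(value):
    """Convert only when the value fits in the smaller type."""
    if not -0x8000 <= value <= 0x7FFF:
        raise OverflowError(f"{value} does not fit in 16 bits")
    return value

def through_float32(total):
    """Store an integer total in a single-precision float and read it back."""
    return int(struct.unpack("<f", struct.pack("<f", total))[0])

def demo():
    """Constructed totals showing each effect."""
    return {
        "wrapped": add_unchecked_u16(65535),              # one more vote after the maximum
        "narrowed": narrow_to_i16_unchecked(40000),       # 40,000 stored in a signed 16-bit type
        "float_16777217": through_float32(16_777_217),    # just above 2**24
        "float_50000001": through_float32(50_000_001),    # a national-scale total
    }
```

Single precision holds every integer exactly only up to 16,777,216, which is why totals in the tens of millions come back changed.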

Page 16: COMELEC: A Question Of Confidence

Digital Dagdag - Bawas

• The majority of the findings in the Systest Labs Report have been tagged as either Major or Minor.
  • Statements like “the implementation of manual processes and procedures will further mitigate any potential issues” are frequently used in the document to downplay the gravity of the findings.
  • Relying on manual processes to address shortcomings of the system contradicts the entire idea of AUTOMATION.
• Issues creating opportunities for Digital Dagdag – Bawas
  • CCS Security issues allow database manipulation.
    • Adding and removing records in the database.
  • Log issues will make it almost impossible to recreate events when needed.
  • The significant number of backup memory cards, in tandem with the spare PCOS machines, can be used to generate ERs.
  • Lack of Test Data for the 48,000 modems makes the transmission of ERs questionable.
    • Could create the scenario to transfer Data Card to a different machine for transmission due to modem failure.
    • Switching of Data Cards is always possible once they are removed from the PCOS machine.
    • Could create the scenario to send the ERs manually.
    • Cannot discount the fact that there are still 5,000 signal jammers at large.

Page 17: COMELEC: A Question Of Confidence

Digital Dagdag - Bawas

• Issues creating opportunities for Digital Dagdag – Bawas (cont’d)
  • Alignment issues (as demonstrated and confirmed in the UV marking controversy) could result in significant ballot rejection.
    • There is no certainty at this point that the alignment issues apply to the names and ovals in the ballot.
  • Digital Signatures of the BEI are no longer required by the PCOS in order to transmit the ER.
    • Allows any PCOS machine to transmit ERs without any BEI officer present.
    • There are 6,726 spare PCOS machines on standby.
    • There are 29,698 spare memory cards readily available.

COMELEC – SMARTMATIC - TIM

Voting Transmission Canvassing

With the COMELEC having absolute control and access to the entire Voting System, it should truly secure this and ensure honest elections.

Page 18: COMELEC: A Question Of Confidence

Notes on Digital Dagdag - Bawas

• Of the 48,000 voting centers nationwide, only 36,000 have been surveyed for signal, power, etc.

• Only 48,000 field technicians were recruited to handle 75,471 machines to be used on election day

• Comelec assigned only 438 trainers to train 260,000 Board of Election Inspectors (1 trainer for every 593 BEIs)

Page 19: COMELEC: A Question Of Confidence

Notes on Digital Dagdag - Bawas

• There are only 48,000 modems for the 75,471 PCOS machines.

• For all the SIM cards to be used in the elections, Smartmatic generates passwords, issues digital certificates, verifies the certificates, and operates the machines. This is like merging in a single person the functions of accountant, cashier, auditor, operator and vendor!

• Data centers are in secret locations which the Comelec refuses to reveal to the public. This is equivalent to conducting a canvass in a secret place only the Comelec and Smartmatic know.

Page 20: COMELEC: A Question Of Confidence

RECOMMENDATION

• To request the COMELEC for full transparency in the steps taken in addressing the findings indicated in the Systest Labs Report.

• To request the COMELEC for full disclosure on how spare PCOS machines and CF cards will be secured against misuse.

• The COMELEC should educate the voters on what the UV markings look like.

• Disclose features of the PCOS machines that can be configured without modifications to the software.

Page 21: COMELEC: A Question Of Confidence

Thank You