James Jimenez Reacts to CenPEG’s list of Vulnerabilities of AES 2010

In the article of July 7, 2009, where James Jimenez (JJ), Comelec spokesman, comments on the 30-point list of vulnerabilities of the 2010 computerized elections published by CenPEG, Jimenez mentions a few items that indicate his lack of knowledge of the computerized system that Comelec is buying or leasing. Below, PManalastas of CenPEG gives his reactions to Jimenez’s comments.

JJ: We do not have the system yet so it’s curious how they already have this list of vulnerabilities.

CenPEG: The Smartmatic website gives a few details on the SAES 1800 PCOS machine and the REIS v2.0 canvassing program, so computer-literate people have an idea of the capabilities and vulnerabilities of these Linux-based systems. Also, during the SBAC testing on May 28, 2009, a CenPEG observer who is a Linux programmer was able to ascertain that the canvassing program is a web application running under Apache, and uses Java for receiving transmitted precinct election returns. It is not true that Smartmatic/Comelec does not have the system yet. The system exists, and has been partly tested by SBAC on May 28, 2009 and subsequent days. Data from the Smartmatic website, observation data during the SBAC testing, and historical data from Comelec on the ARMM elections and previous Comelec activities provided CenPEG with enough basis for its list of vulnerabilities. It is just that CenPEG is quicker at doing the job of studying the PCOS/REIS systems, a job that Comelec is supposed to be doing, not CenPEG.

JJ: “Comelec is assuring the public that we will implement safeguards to ensure that the whole process, from preparation until Election Day is secured…”

CenPEG: Comelec should not make assurances like this, since it is technically not qualified to implement such security precautions. Comelec depends on Smartmatic for all technical-related issues regarding AES 2010. Even the CAC does not have enough technical expertise to advise Comelec on the Linux systems that Smartmatic will use for AES 2010. Comelec will be better advised by members of the Philippine Linux Users’ Group, or by the Bayanihan Linux team of the DOST-ASTI at the U.P. campus.

JJ: “It will be futile to review a code not yet customized for Philippine elections months before the customization process. We tell CenPEG and other groups repeatedly we will release the schedule of the source code review and other activities once the contract is signed”

CenPEG: The AES Law, RA-9369 Sec 14 states: “Once an AES technology is selected for implementation, the Commission shall promptly make the source code of that technology available and open to any interested political party or groups which may conduct their own review thereof”. So the law is clear on when Comelec shall make the source code of the election programs (technology) available to CenPEG, an interested group which wants to do its own review, and which has requested Comelec many weeks ago, and has repeatedly asked for a reply from Comelec. CenPEG does not want the schedule of the source code review, but instead CenPEG wants Comelec to make the source code of the election program available for its review, as is CenPEG’s right under the law.

JJ: Posting the code on the Internet “will not be likely”, given that the Comelec is mandated by law to guard the intellectual and proprietary right of the bidder’s source code during the review period.

CenPEG: The SAES 1800 runs embedded uClinux, and an election program added on to uClinux, also embedded (here “embedded” means written to non-volatile memory). Now uClinux is copyrighted under the GPL open source license, which requires that add-on improvements (like the election program) must also be covered by the same GPL open source license. Following this argument, Smartmatic is required to GPL-open-source the election program. If the intention is to write the election application program as commercial closed source software, then Smartmatic should have used FreeBSD instead. The fact that it used Linux is a clear indication that Smartmatic intends to GPL-open-source its election application. Therefore, if Comelec provides CenPEG the source code of SAES and REIS programs or posts the programs in or in, such provision or posting does not violate the IPR of Smartmatic.

JJ: “.. we will install smart anti-virus programs that will detect, prevent and stop tampering on machines brought out by malwares or viruses aimed to destroy the system ..”

CenPEG: Both the PCOS computer and the canvassing computer run on Linux. Malicious parties will try to destroy a Linux system by SYN flooding and similar steps that take advantage of buffer overflow problems of improperly written Linux applications. Windows viruses do not have any effect on Linux systems. So using smart anti-virus programs on the PCOS and canvassing computers will have no effect on these machines and will not prevent tampering.

JJ: “.. the team who will handle the project implementation part will be composed of IT veterans with long history of experience in the technology space including some who had big IT projects in IBM and HP.”

CenPEG: The Comelec needs IT veterans who know Linux, which is a specialized niche within the IT industry. If Comelec gets 1970s-era IBM mainframers, these guys will not know what to do. As originally suggested, CenPEG recommends getting people from the Bayanihan Linux team of the DOST-ASTI and the members of the Philippine Linux Users’ Group.
Last Updated ( Tuesday, 15 December 2009 18:02 )