INSIDER HACKING
NO HOLDS BARRED (039) November 03, 2009
By Ike Señeres
INSIDER HACKING
It is not in my place to say that electronic cheating in the 2010 elections. What is in my place is to say that the system is vulnerable to cheating, if there are people with evil plans to cheat, in whatever way possible. For the record, COMELEC Chairman Jose Melo has already declared that the system is not hack-able. Technically speaking, he could be wrong, because all systems are potentially hack-able.
When I was head of the computer and communications office of the Department of Foreign Affairs (DFA), I was visited by an American security expert who declared straight to my face that he could hack my systems if he wants to. At first, I felt insulted by what he said, but I eventually realized that he was correct.
The economics of hacking is very simple. All systems are potentially hack-able, but hackers will only challenge a system if it is worth hacking, either for bragging rights, or for financial gain. To the hackers, it is not worth spending time or money to hack a system if the value of the data to be obtained is lesser than what it would cost to crack it. The other factor is time, because it is not worth hacking a system if the data to be obtained is already stale or useless by the time the codes are cracked.
To their credit, many computer experts have told me that the threat in the coming election is really not hacking from the outside. The threat they say is hacking from the inside, which is actually an oxymoron technically speaking. By definition, hacking means any unauthorized manipulation of a system. This is the reason why hacking from the inside is an oxymoron, because if the manipulation is authorized by an insider, it could no longer be considered as hacking.
Referring now to an actual example, we could say that the storage of ballot boxes inside the House of Representatives is highly secure, meaning that it could not be broken into by outside elements. As we have seen it happen, the ballot boxes were stolen, probably because somebody from the outside had the keys to the padlocks. Either that or somebody from the storage room opened the locks from the inside. An inside job that was what happened.
In reality therefore, any locked door is secure, it could be opened by anyone who has the keys. Either that or the doors could be opened from the inside by anyone who could free the locksets, even without the keys. Given this reality, it would still be correct to say that Fort Knox could not be penetrated, not unless the locks are opened by the right keys from the outside, or are opened from the inside.
By definition, source codes are not the same as passwords. Anyone with the passwords could open or access computer systems, even if they do not have a copy of the source codes. Anyone who has a copy of the source codes however could open or access computer systems, because the passwords could be read or extracted from the source codes.
For some reason that is not too smart, the COMELEC has ruled that it is SMARTMATIC who will designate who should control or manage the Certification Authority (CA) of the election canvassing and transmission systems. In technical terms, a CA is the directory of passwords, and the users who are authorized to hold or keep the public and private keys. In effect, we now have a foreign entity that will have full control of a process that is at the heart of our national security.
While it is still being debated whether SMARTMATIC is in a position to give copies of the source codes to the COMELEC, it is already clear that the former has the power and authority from the latter to give the passwords and the keys to anyone, while there are no clear rules as to who should be given these codes and how these could be controlled or accounted for.
In real and practical terms, it is possible for anyone who has the passwords to submit fake election results to the main server that will consolidate and tabulate these results. Since the server is just like a robot, it will accept and record these results, and will have no way of knowing that these are faked. Once the genuine results will come in, the server will simply deny it, sensing the logic that the earlier fake transmission was already processed and was accepted. This is what is called a “denial of service” strategy. With the right passwords, it is also possible to bombard the server, in effect “flooding” it.
Watch my business show 9:00 am to 1:00 pm in Global News Network (GNN), Channel 21 in Destiny Cable. Email iseneres@yahoo.com or text +639293605140 for local cable listings. Visit senseneres@blogspot.com
By Ike Señeres
INSIDER HACKING
It is not in my place to say that electronic cheating in the 2010 elections. What is in my place is to say that the system is vulnerable to cheating, if there are people with evil plans to cheat, in whatever way possible. For the record, COMELEC Chairman Jose Melo has already declared that the system is not hack-able. Technically speaking, he could be wrong, because all systems are potentially hack-able.
When I was head of the computer and communications office of the Department of Foreign Affairs (DFA), I was visited by an American security expert who declared straight to my face that he could hack my systems if he wants to. At first, I felt insulted by what he said, but I eventually realized that he was correct.
The economics of hacking is very simple. All systems are potentially hack-able, but hackers will only challenge a system if it is worth hacking, either for bragging rights, or for financial gain. To the hackers, it is not worth spending time or money to hack a system if the value of the data to be obtained is lesser than what it would cost to crack it. The other factor is time, because it is not worth hacking a system if the data to be obtained is already stale or useless by the time the codes are cracked.
To their credit, many computer experts have told me that the threat in the coming election is really not hacking from the outside. The threat they say is hacking from the inside, which is actually an oxymoron technically speaking. By definition, hacking means any unauthorized manipulation of a system. This is the reason why hacking from the inside is an oxymoron, because if the manipulation is authorized by an insider, it could no longer be considered as hacking.
Referring now to an actual example, we could say that the storage of ballot boxes inside the House of Representatives is highly secure, meaning that it could not be broken into by outside elements. As we have seen it happen, the ballot boxes were stolen, probably because somebody from the outside had the keys to the padlocks. Either that or somebody from the storage room opened the locks from the inside. An inside job that was what happened.
In reality therefore, any locked door is secure, it could be opened by anyone who has the keys. Either that or the doors could be opened from the inside by anyone who could free the locksets, even without the keys. Given this reality, it would still be correct to say that Fort Knox could not be penetrated, not unless the locks are opened by the right keys from the outside, or are opened from the inside.
By definition, source codes are not the same as passwords. Anyone with the passwords could open or access computer systems, even if they do not have a copy of the source codes. Anyone who has a copy of the source codes however could open or access computer systems, because the passwords could be read or extracted from the source codes.
For some reason that is not too smart, the COMELEC has ruled that it is SMARTMATIC who will designate who should control or manage the Certification Authority (CA) of the election canvassing and transmission systems. In technical terms, a CA is the directory of passwords, and the users who are authorized to hold or keep the public and private keys. In effect, we now have a foreign entity that will have full control of a process that is at the heart of our national security.
While it is still being debated whether SMARTMATIC is in a position to give copies of the source codes to the COMELEC, it is already clear that the former has the power and authority from the latter to give the passwords and the keys to anyone, while there are no clear rules as to who should be given these codes and how these could be controlled or accounted for.
In real and practical terms, it is possible for anyone who has the passwords to submit fake election results to the main server that will consolidate and tabulate these results. Since the server is just like a robot, it will accept and record these results, and will have no way of knowing that these are faked. Once the genuine results will come in, the server will simply deny it, sensing the logic that the earlier fake transmission was already processed and was accepted. This is what is called a “denial of service” strategy. With the right passwords, it is also possible to bombard the server, in effect “flooding” it.
Watch my business show 9:00 am to 1:00 pm in Global News Network (GNN), Channel 21 in Destiny Cable. Email iseneres@yahoo.com or text +639293605140 for local cable listings. Visit senseneres@blogspot.com
0 Comments:
Post a Comment
<< Home