18 Apr 2009 (UTC +8)

On Fri, Apr 17, 2009 at 23:35, Pablo Manalastas <[email protected]> wrote:
> I am more interested in checking that the Comelec computers
> will do the job correctly (that the PCOS machines will actually
> count our votes) than in ensuring that the PCOS machines can not
> be hacked.
I agree with you on this. Verification of the trustworthiness of the AES, and of the conduct of the entire electoral system as a whole, is what we Filipinos really want. As for the AES itself, the AES must work as expected --no more, no less. Security features should be built in, just like seatbelts in a car, or side-protection beams in the doors, or airbags or anti-lock braking systems --and not as opportunistic options from the IT product vendor.

Therefore IMHO, this "hacking" invitation will not give Filipinos the best value for the money. At best, the PhP 100M bounty for the hacking challenge is both costly and inefficient. At worst, the criminal hackers just get to learn about the weaknesses of the AES and not share it with anyone, and then later exploit it for their own profit. (I vaguely remember the words of a senator saying that one needs at least PhP 1B for a national campaign, yet has no guaranteed results. Thus PhP 100M for an assured position is therefore a much cheaper and less risky alternative... but I digress).

"Hacking", or what the information security professionals and IT auditors call "penetration testing", is just a subset of a proper source code review. Source code review includes (very briefly):

Review of vendor / developer documentation and claims > Review of vendor / developer SDLC > Analysis of hardware & software functions (Static code analysis, and source code audit as per generally-accepted standards) > Testing and documentation of findings (Dynamic code testing, Penetration testing, etc.) > Vendor / developer fixes > Celebration of end-of-project.

(The amount of "work units" included for a typical source code review (i.e. evaluation and assurance) project depends on the level of assurance required. Simply put, the higher the assurance requirements, the more effort is put in the source code review project.)

Other disadvantages, other than those above, of a "hacking"-only approach to testing the AES include:

1. No guarantee that the penetration tester won't be later charged with "illegal access" or other charges. Can anybody here compare to other laws, that the punishment for "electoral sabotage" in R.A. 9369 is one of the harshest?

2. "Hacking" contests can only go after the hardware & software interfaces, so that's a very limited approach. "Black box" testing is much less conclusive than "white box" testing.

3. 100 testers spending 100 hours each is not equivalent to 10,000 man-hours of testing. All those "hackers" are doing just the same tests.

4. A typical "hacking" approach is ad hoc and random. Many times there are no verifiable methodologies used, nor adequate risk assessments.

5. "Hacking" contests are unfair to the testers. The testers are outsiders trying to get in. It does not cover the situation where you have malicious or incompetent insiders. And as everybody knows, it's the insiders who can do the most damage in the least amount of time.

6. If the "hackers" don't find or report any problems, it does not necessarily mean there are no problems. It may only mean that the penetration testers could not exploit, or even just recognize, the problems. (This point is so unfortunately TRUE and prevalent !!!) Even worse, the "hackers" may choose not to report all or some of the problems because it may not be in their best interests :(

7. "Hacking" contests promote the vicious cycle of "Deploy > Get exploited and panic > Patch". What we should instead encourage is the use of proper engineering techniques in the SDLC.

So for PhP 100M, we Filipinos already ought to have more than "hacking" services!

As a side note, here's a well-known story of what happened in a hacking contest: http://www.securityfocus.com/news/1717

[...]
>> From: Jerome Macaranas <[email protected]>
>> Subject: [plug] OT: 100M rewards for breaking the automated poll system
>> To: [email protected]
>> Date: Friday, April 17, 2009, 8:45 PM
>>
>> http://www.gmanews.tv/story/157488/P100-M-reward-sought-for-automated-poll-system-hacking-challenge

Drexx Laggui
--
CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
http://www.laggui.com ( Singapore / Manila / California )
Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4 8363 FFEC 3976 FF31 8A4E

_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph

