Star wars log – Fixing the absent digital signature

Where is the digital signature?

It appears that the Comelec disabled the password requirement before the poll inspectors (the BEI) could transmit the results to a central server.  This was effectively and literally an absent digital signature.

It is submitted that the uniqueness of the so-called I-bot cannot guarantee that the person required to sign the non-electronic election return (ER) was in fact also the one “sending” the results electronically.  The I-bot is attached to the machine, but the machine may not be in the control of the responsible poll inspector when the results are transmitted, particularly as the time-stamp on the machine is known to be not authentic.

What can be done?

Here’s a simple fix.  Each responsible BEI member can send a password-protected secure e-mail to Comelec attesting to the absence of discrepancy between the manually printed and signed ER at the time of transmission, and the data on the public precinct-level Comelec website.  This should not be difficult to set up.  At least one BEI is required to be sufficiently tech-savvy to be able to go to an internet café and send such a message.  The BEI can be instructed to use two different subject headings:  One says “No discrepancy”(for non-problematic ERs) and “There is a discrepancy” for others.  The responsible BEI can be held administratively liable for an incorrect message in the event that a review of the relevant ER indicates an irregularity on his/her part.

Comelec can then sort out the problems relating to messages flagging discrepancies.  It can report to the national canvass on the status of such discrepancies, and on the receipt of the proposed e-mail messages in lieu of the required digital signatures.

While this requires human intervention, it seems a minimum requirement that may solve the problem of the absence of digital signature.

No to “looking the other way”

The alternative of “looking the other way” suggested or hinted at by certain politicians should be ignored.  Too many short cuts have already been made in the automation exercise, which has made the country a de facto giant pilot test of the system sold by Smartmatic-TIM to Comelec.

Advertisements

7 thoughts on “Star wars log – Fixing the absent digital signature

  1. I believe that your interpretation and opinion of the “absent” digital signature is highly flawed probably due to your lack of technical understanding of how the Public Key Infrastructure works and the different technologies involved in digital signatures.

    In the first place there is NO absent digital signature. The i-Button opens up the PKI structure that is unique for each PCOS machine or precinct. The digital signature is generated by the unique PCOS machine. No additional human intervention is necessary to affix an additional and unnecassary digital signature as it is deemed redundant.

    Comelec Resolution No. 8786, sections 34-s,t and 40-a (go to Comelec website to see for yourself) define the processes for the generation of the PCOS machine’s digital signature through the use of a proprietary token known as the i-Button. This contains the private key assigned to the specific voting precinct, and which should always be under the control and custody of the BEI Chairman assigned to that voting precinct. Note that it is these processes as defined in sections 34-s,t and 40-a which give the necessary Public Key Infrastructure-based security features (including a secure digital signature) to the electronic Election Return (ER). The PKI infrastructure gives the ER its integrity, confidentiality and non-repudiation properties, and enabling the encryption of the ER data as needed for secure transmission. The additional digital signatures for the BEI members that were “negated” (i.e. as indicated in section 40-g) were deemed by the COMELEC En Banc to be an unnecessary redundancy as they really do not add significant value to the security/integrity of the electoral process and the cost to activate this option is prohibitively high and deemed to be an unnecassary additional expense. These are the kind of executive decisions the Comelec En Banc make to balance the integrity and costs without sacrificing it effectivity and security.

    Like

    1. Thanks for this comment. It is thoughtful, unlike that from trolls and astroturf. I can understand the logic. It however presumes a high level of “sainthood” within Comelec and Smartmatic, something many have not conceded. After all, the automated system was supposed to fix dagdag-bawas, which is a form of cheating done only “from the inside.”

      Let us grant everything you say on the technicals of the public-private key pairs of a secure system, even though as a normal human I do not understand why the BEI is being cut out from the password requirement as a matter of security. How many seconds before transmission of results does it take for the BEI chairman to key in her password? Certainly, only a few.

      There is then a unique digital signature, unique to the machine, the I-button, and perhaps also the CF card. But what if an insider in Comelec or Smartmatic can take control of the machine, including the program in the Canvassing Center that screens for digital signatures? What if a “ghost” machine (complete with I-buttons, etc.) is good enough to hijack the results from a given precinct? Then you have an easy window for cheating. No?

      If you require the BEI to get an initial password, and then she has to change it to her own unique way of having her own password, that gives one layer of security that is of course now absent from the system.

      I believe the value of that security is high, and the cost is very low (how much training do you need to tell a BEI to generate her own password?), given the possibility of insider cheating. Especially when the time stamp is inaccurate, and the audit logs can be manipulated.

      Like

  2. I guess you have to have a better understanding of the whole system before you isolate certain issues then pound on them to death. What I’m trying to say here is the reason certain security features are turned off is because there other security features that more than compensate for it or make it just an unnecessary cost. As an example, the PCOS stores a digital image of all ballots and summarizes how each ballot was read or not read or rejected. This is a major feature not often discussed in the whole scheme of things. If one is to cheat or rig the PCOS, he has to be able to reproduce the digital image of the ballots. This is very very hard to do.

    Contrary to your belief, the audit logs CANNOT be manipulated without leaving a trace because that particular electronic document is digitally signed. Any change out of the ordinary is red flagged and would render it unprintable. The system has been designed that every electronic transaction with the PCOS is logged then digitally signed to have a solid audit trail.

    The time stamp issue has already been answered by Comelec and Smartmatic.

    With the issue of trust, that’s a judgment call of the all voters not just a few so called “experts”.

    Like

    1. I don’t mean to “pound issues to death.” It seems it is the other way around; the apologists for Comelec/Smartmatic seem to want the issues to die by pure dicta on the rest of the world. The issues will never die until Comelec has become transparent, which is the main beef of those of us not “in the know.”

      You say it is difficult but indeed possible to rig the PCOS if the cheater can reproduce the digital image. I disagree. I think you can do it easily. Get some renegade ballots, a renegade machine, an insider with the passwords (no BEI required since she was cut out), and voila, you have a ghost ER that looks totally legit. It can even freeze out the correct ER, and we will never know until the ballot box is opened in an electoral protest. Incidentally, the rules should have allowed for the machine, CF cards, ballots, I-buttons to be retained within Comelec’s possession in the event of an electoral protest. The evidence should not be “spirited away.” I hope that is not an issue, but I suspect it is or will become just another roadblock to the “sore losers.” No?

      I agree with you, trust (and transparency) are something that have to be earned, and not just the province of “experts,” of which I’m not, though perhaps you are. This means neither you nor I can dictate to the rest that there should or should not be trust in the machine, which after all is a black box (no pun intended).

      On time stamps, they may have answered the issue, but I find the answer defective. They could have allowed the machine to synchronize time with the server on initialization, not a difficult thing to do.

      Like

      1. Wow, are you really serious that it is that easy to rig or reproduce the digital images of the ballots. In the scenario you just laid out, do have any idea how much this will all cost? If the Comelec, spent P7.2 Billion to lease it one time, how much do you think a group of individuals will spend to buy these things? On top of that, they would have to have extra cash to pay off the insiders. This could run up to multibillion pesos. Let’s get really here, please. Yes, it is very easy to come up with scenarios that you think can “outsmart” the system assuming you’ve got sky’s the limit.

        Bottomline, you don’t trust Comelec or Smartmatic for whatever reasons you have and this is why you will continue to find ways to discredit them. Just admit it and I will be fine with that. At least, I won’t waste my time defending them. On the other hand, there are millions of voters that accepted the credibility of this automated elections and as I’ve said before, it’s all that really counts. Not perfect but generally acceptable, as is all things in life. Otherwise, the people will be on the streets protesting.

        Like

        1. I think rigging from the inside is easy. There were 50 million ballots, and only some 40 million were used. Where are the ten million? And the true cost of a PCOS machine is probably around $400 (it is a low-end laptop with a scanner). A CF card is perhaps about $15 or so. And of course, an insider has all the necessary passwords and software to configure a CF card any way he wants. You seem to say that the insider will want a very high price for his “services.” That is possible, and can explain why the election looks clean overall. Most likely, the potential cheaters among the candidates wouldn’t “bite.”

          In a tight local contest, insider rigging may nonetheless be worth a try, especially if a manual recount under an electoral protest might take “forever.” But Smartmatic officials and James Jimenez, to their credit, kept saying a recount should be easy. There are too many copies of the manually printed ERs, and of course there are the audit logs.

          Here’s a possible obstacle. You claim the audit logs can be tampered although there would be an alteration of the so-called machine digital signature. But if the audit logs are tampered, the CF card data may be useless. We are then back to the tedious manual recount to check for any discrepancy between the ER and the ballots actually still in the box.

          My beef is the lack of transparency. It seems hard for an ordinary netizen to “watch” how Comelec and Smartmatic do their thing because they make it difficult. Let us hope things will change, so that the process will be transparent and easy enough for outsiders to be able to satisfy themselves that the system is reasonable and accurate. That many simply think it was okay (pwede na, di ba?) or that they are willing to trust the insiders does not necessarily mean that we should be content.

          Who was it who said that vigilance was the price of liberty?

          Like

  3. Transparency, like all other things have limitations. In the case of Comelec/Smartmatic, they tried to be as transparent as they can but at the same time they needed to protect the sanctity of the election system from rogue “IT experts” and politicians/operators who might take advantage of divulging too much sensitive information.

    Nonetheless, for the life of me, I still don’t get your logic that rigging the elections from the inside is EASY. With the many layers of security embedded in the PCOS machine, some of which are not even known to the public, precisely as another layer of security renders it impossible to penetrate without leaving an audit trail because every electronic transaction is captured by the audit log. The so called “cloning of PCOS” and “ghost ER precincts” are stuff that are only made to tantalize the people’s imagination. Fairy tales.

    Then you ask the elementary question of where the 10 million unused official ballots are? It’s with Comelec, of course, inventoried and accounted for!

    Another amateurish observation of yours, the tampering of the audit log renders the CF card useless. WRONG! The tampering of the audit log can only happen post elections as the CF card that contains the audit log is inside the PCOS machine which is operating offline during the election period.

    This is getting embarassing but I admire your presistence.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s