[kictanet] KICTANet Digest, Vol 174, Issue 17

Adrian Teri adriateri at gmail.com
Tue Aug 23 19:20:38 EAT 2022


I'm starting to see interesting questions pop up and even statements like
every technology is not perfect but ....

1. Can we ascertain & inventory versions & dependencies in the software
used in the #KIEMS kits and IEBC's front & back-end servers? Were these
pieces of software current/up-to-date? Vulnerable? Have publicly assigned
#CVEs and/or exploits in the wild?
2. Are there security features for the configs/databases loaded onto the
#KIEMS kits? If yes, have there been analyses for both hardware + software
risks?
3. A #KIEMS kit for a polling station is the only device that can
transmit (images of the Form34A) and there are limited chances to do so
... Are there tests and security analyses to substantiate
authentication (verification) + authorization of these devices?
  3.1 What's the process/flow of replacing a failed #KIEMS kit for a
polling station ...
4. On transmission ... It is well known that IMSI catchers aka "Fake Cell
Towers" are readily available and aren't exorbitantly expensive. Considering many
polling stations are clustered in a small geographical area this is even
more feasible. There is even a 5G version of the device. Were #KIEMS kits'
modems and/or cell towers hardened to mitigate well known issues like
root-kits/backdoors can be injected into the SIM modules, access storage on
a device, read messages and even intercept connections on a VPN!?
...sometimes the modem is given free rein to access the entire system!
Read -> https://replicant.us/freedom-privacy-security-issues.php
and Watch -> https://www.youtube.com/watch?v=31D94QOo2gY


There are too many of these types of questions and rabbit holes to go over
...


IEBC kindly open source your entire codebase, infrastructure provisioning +
configurations etc. Have days where hobbyists and "hackers"/tinkerers can
play & take apart the hardware to be used in the next elections. Start this
process now! Yes this will limit companies you can contract with in the
future but for the sake of transparency, accountability and potentially
identifying, quantifying & thwarting risks do this!


Regards,
Adrian Teri


---------- Forwarded message ----------
> From: Benson Muite <benson_muite at emailplus.org>
> To: kictanet at lists.kictanet.or.ke
> Date: Sun, 14 Aug 2022 22:18:43 +0300
> Subject: Re: [kictanet] Invitation to Participate in ' Talk to IEBC'
> On 7/14/22 13:30, A Mutheu via KICTANet wrote:
> > *SERVERS*:
> > Our servers are more than 3 years old and so would need an upgrade as a
> > norm. Has such an upgrade been effected? The voter numbers have
> > increased and so will the current servers have adequate capacity? If
> > they lack capacity then at this eleventh hour when it is too late to
> > order in others, then perhaps we need to look for other solutions as a
> > matter of urgency for example, taking into account Data Protection
> > considerations, IEBC can look into borrowing capacity from other major
> > government servers that hold sensitive information as a norm, assuming
> > they have extra capacity, like KRA or CBK?
> >
> It appears that forms.iebc.or.ke is on Amazon S3.  Making this data
> available increases transparency.  The information on these forms seems
> to be public, though publishing a hash of the files to confirm integrity
> would be useful.  Some of the forms have returning officer id numbers.
> My expectation would have been that the name, and possibly a telephone
> number for the returning officer would be publicly visible, but not the
> id number.  My hope is that servers holding confidential information are
> not in the public cloud.
>
> >
> > *OCR (OPTICAL CHARACTER RECOGNITION) TECHNOLOGY*:
> > As far as I am aware IEBC does not have OCR technology or do they? If
> > they do not then for aggregation purposes this will have to be done
> > manually and human error can arise (both accidental or intentional), as
> > this is always a risk where the human factor is a component. If this is
> > the status quo then what measures has IEBC put in place to secure this
> > process?
> This is something that IEBC should invest in more. A paper audit trail
> is important, but OCR would allow speed up in tabulation.
> https://electionlab.mit.edu/research/voting-technology
> Tools such as:
> https://github.com/PaddlePaddle/PaddleOCR
> https://github.com/tesseract-ocr/tesseract
> can help in processing A forms, and non machine readable uploads of B
> forms. Those with technical skills and interest in the election process
> will have already automated the processing of 34A forms. Nevertheless,
> the dataset should prove useful for those interested in computer vision:
> http://cs230.stanford.edu/projects_spring_2020/reports/38792124.pdf
> >
>
> >
> > *CIVIC EDUCATION AND REGULAR UPDATES EVEN ON THE IEBC WEBSITES*:
> > IEBC has not been aggressive in much needed civic education to sensitize
> > and update the public on the GE and even their website can be better
> > utilized. In all of this accessibility of information to the differently
> > abled is an important factor and their democratic right. How has IEBC
> > addressed this? Even on election day what steps have been put in place
> > to protect the privacy of the differently abled but enable them to
> > exercise their democratic right fairly?
> The updates for forms other than 34 are slow/non-existent.  Media
> coverage is incomplete.  By making forms 34 available, this has allowed
> the general public to do their own tallying, with the understanding that
> verification is still needed.  This seems to have increased confidence
> in the process. Hopefully, the numbers on the other forms will also be
> made available.
> >
> >
> >
> > IEBC needs to realize that with great power like they have, comes great
> > responsibility to uphold the democratic rights of Kenyans to fair and
> > free elections, and not allow technological issues that are resolvable
> > to curtail this right again.
> >
> > Stay happy,
> >
> > *Mutheu Khimulu*
> > *LLM. Cybersecurity, Counter Terrorism & Crisis Management*
> > https://www.linkedin.com/in/mutheu-khimulu-law/
> >
> >
>
>
>
>
>
> ---------- Forwarded message ----------
> From: A Mutheu <mutheu at khimulu.com>
> To: "Kenya's premier ICT Policy engagement platform" <
> kictanet at lists.kictanet.or.ke>
> Date: Mon, 15 Aug 2022 10:10:10 +0300
> Subject: Re: [kictanet] Invitation to Participate in ' Talk to IEBC'
> Dear Benson,
>
> Your insights are noted with appreciation.
>
> Stay happy,
>
> *Mutheu Khimulu.*
> *LLM. Cybersecurity, Counter Terrorism & Crisis Management*
> https://www.linkedin.com/in/mutheu-khimulu-law/