<div dir="ltr"><div dir="ltr"><div>I'm starting to see interesting questions pop up and even statements like every technology is not perfect but ....</div><div><br></div><div>1. Can we ascertain & inventory versions & dependencies in the software used in the #KIEMS kits and IEBC's front & back-end servers? Were these pieces of software current/up-to-date? Vulnerable? Have publicly assigned #CVEs and/or exploits in the wild?<br></div><div>2. Are there security features for the configs/databases loaded onto the #KIEMS kits? If yes, have there been analyses for both hardware + software risks?</div><div>3. A #KIEMS kit for a polling station is the only device that can transmit(images of the Form34A) and there are limited chances to do so ...Are there tests and security analyses to substantiate authentication(verification) + authorization of these devices?</div><div> 3.1 What's the process/flow of replacing a failed #KIEMS kit for a polling station ...</div><div>4. On transmission ...It is well known that IMSI catchers aka "Fake Cell Towers" are readily and aren't exorbitantly expensive. Considering many polling stations are clustered in a small geographical area this is even more feasible. There is even a 5G version of the device. Were #KIEMS kits' modems and/or cell towers hardened to mitigate well known issues like root-kits/backdoors can be injected into the SIM modules, access storage on a device, read messages and even intercept connections on a VPN!? ...sometimes the modem is given free reign to access the entire system! Read -> <span style="color:rgb(0,0,255)"><u><a href="https://replicant.us/freedom-privacy-security-issues.php">https://replicant.us/freedom-privacy-security-issues.php</a></u><font color="#000000"> </font></span>and Watch -><span style="color:rgb(0,0,255)"><u> <a href="https://www.youtube.com/watch?v=31D94QOo2gY">https://www.youtube.com/watch?v=31D94QOo2gY</a></u></span></div><div><br></div><div><br></div><div>There are too many of these types of questions and rabbit holes to go over ...<br></div><div><br></div><div><br></div><div>IEBC kindly open source your entire codebase, infrastructure provisioning + configurations etc. Have days where hobbyists and "hackers"/tinkerers can play & take apart the hardware to be used in the next elections. Start this process now! Yes this will limit companies you can contract with in the future but for the sake of transparency, accountability and potentially identifying, quantifying & thwarting risks do this! <br></div><div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><br></div><div><br></div><div><span style="font-family:arial,sans-serif">Regards,</span></div><div><span style="font-family:arial,sans-serif">Adrian Teri</span><br></div></div></div></div><br></div></div></div><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">---------- Forwarded message ----------<br>From: Benson Muite <<a href="mailto:benson_muite@emailplus.org" target="_blank">benson_muite@emailplus.org</a>><br>To: <a href="mailto:kictanet@lists.kictanet.or.ke" target="_blank">kictanet@lists.kictanet.or.ke</a><br>Cc: <br>Bcc: <br>Date: Sun, 14 Aug 2022 22:18:43 +0300<br>Subject: Re: [kictanet] Invitation to Participate in ' Talk to IEBC'<br>On 7/14/22 13:30, A Mutheu via KICTANet wrote:<br>
> *SERVERS*:<br>
> Our servers are more than 3 years old and so would need an upgrade as a <br>
> norm. Has such an upgrade been effected? The voter numbers have <br>
> increased and so will the current servers have adequate capacity? If <br>
> they lack capacity then at this eleventh hour when it is too late to <br>
> order in others, then perhaps we need to look for other solutions as a <br>
> matter of urgency for example, taking into account Data Protection <br>
> considerations, IEBC can look into borrowing capacity from other major <br>
> government servers that hold sensitive information as a norm, assuming <br>
> they have extra capacity, like KRA or CBK?<br>
><br>
It appears that <a href="http://forms.iebc.or.ke" rel="noreferrer" target="_blank">forms.iebc.or.ke</a> is on Amazon S3. Making this data <br>
available increases transparency. The information on these forms seems <br>
to be public, though publishing a hash of the files to confirm integrity <br>
would be useful. Some of the forms have returning officer id numbers. <br>
My expectation would have been that the name, and possibly a telephone <br>
number for the returning officer would be publicly visible, but not the <br>
id number. My hope is that servers holding confidential information are <br>
not in the public cloud.<br>
<br>
> <br>
> *OCR (OPTICAL CHARACTER RECOGNITION) TECHNOLOGY*:<br>
> As far as I am aware IEBC does not have OCR technology or do they? If <br>
> they do not then for aggregation purposes this will have to be done <br>
> manually and human error can arise (both accidental or intentional), as <br>
> this is always a risk where the human factor is a component. If this is <br>
> the status quo then what measures has IEBC put in place to secure this <br>
> process?<br>
This is something that IEBC should invest in more. A paper audit trail <br>
is important, but OCR would allow speed up in tabulation.<br>
<a href="https://electionlab.mit.edu/research/voting-technology" rel="noreferrer" target="_blank">https://electionlab.mit.edu/research/voting-technology</a><br>
Tools such as:<br>
<a href="https://github.com/PaddlePaddle/PaddleOCR" rel="noreferrer" target="_blank">https://github.com/PaddlePaddle/PaddleOCR</a><br>
<a href="https://github.com/tesseract-ocr/tesseract" rel="noreferrer" target="_blank">https://github.com/tesseract-ocr/tesseract</a><br>
can help in processing A forms, and non machine readable uploads of B <br>
forms. Those with technical skills and interest in the election process <br>
will have already automated the processing of 34A forms. Nevertheless, <br>
the dataset should prove useful for those interested in computer vision:<br>
<a href="http://cs230.stanford.edu/projects_spring_2020/reports/38792124.pdf" rel="noreferrer" target="_blank">http://cs230.stanford.edu/projects_spring_2020/reports/38792124.pdf</a><br>
> <br>
<br>
> <br>
> *CIVIC EDUCATION AND REGULAR UPDATES EVEN ON THE IEBC WEBSITES*:<br>
> IEBC has not been aggressive in much needed civic education to sensitize <br>
> and update the public on the GE and even their website can be better <br>
> utilized. In all of this accessibility of information to the differently <br>
> abled is an important factor and their democratic right. How has IEBC <br>
> addressed this? Even on election day what steps have been put in place <br>
> to protect the privacy of the differently abled but enable them to <br>
> exercise their democratic right fairly?<br>
The updates for forms other than 34 are slow/non-existent. Media <br>
coverage is incomplete. By making forms 34 available, this has allowed <br>
the general public to do their own tallying, with the understanding that <br>
verification is still needed. This seems to have increased confidence <br>
in the process. Hopefully, the numbers on the other forms will also be <br>
made available.<br>
> <br>
><br>
> <br>
> IEBC needs to realize that with great power like they have, comes great <br>
> responsibility to uphold the democratic rights of Kenyans to fair and <br>
> free elections, and not allow technological issues that are resolvable <br>
> to curtail this right again.<br>
> <br>
> Stay happy,<br>
> <br>
> *Mutheu Khimulu*<br>
> *LLM. Cybersecurity, Counter Terrorism & Crisis Management*<br>
> *<a href="https://www.linkedin.com/in/mutheu-khimulu-law/" rel="noreferrer" target="_blank">https://www.linkedin.com/in/mutheu-khimulu-law/</a> <br>
> <<a href="https://www.linkedin.com/in/mutheu-khimulu-law/" rel="noreferrer" target="_blank">https://www.linkedin.com/in/mutheu-khimulu-law/</a>> *<br>
> <br>
> <br>
<br>
<br>
<br><br><br>---------- Forwarded message ----------<br>From: A Mutheu <<a href="mailto:mutheu@khimulu.com" target="_blank">mutheu@khimulu.com</a>><br>To: "Kenya's premier ICT Policy engagement platform" <<a href="mailto:kictanet@lists.kictanet.or.ke" target="_blank">kictanet@lists.kictanet.or.ke</a>><br>Cc: <br>Bcc: <br>Date: Mon, 15 Aug 2022 10:10:10 +0300<br>Subject: Re: [kictanet] Invitation to Participate in ' Talk to IEBC'<br><div dir="ltr"><div style="font-family:tahoma,sans-serif;font-size:large">Dear Benson,</div><div style="font-family:tahoma,sans-serif;font-size:large"><br></div><div style="font-family:tahoma,sans-serif;font-size:large">Your insights are noted with appreciation.</div><div style="font-family:tahoma,sans-serif;font-size:large"><br></div><div style="font-family:tahoma,sans-serif;font-size:large">Stay happy,</div><div style="font-family:tahoma,sans-serif;font-size:large"><br></div><div style="font-family:tahoma,sans-serif;font-size:large"><b>Mutheu Khimulu.</b></div><div style="font-family:tahoma,sans-serif;font-size:large"><b><font color="#0000ff">LLM. Cybersecurity, Counter Terrorism & Crisis Management</font></b></div><div style="font-family:tahoma,sans-serif;font-size:large"><b><font color="#0000ff"><a href="https://www.linkedin.com/in/mutheu-khimulu-law/" target="_blank">https://www.linkedin.com/in/mutheu-khimulu-law/</a></font></b><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Aug 14, 2022 at 10:19 PM Benson Muite via KICTANet <<a href="mailto:kictanet@lists.kictanet.or.ke" target="_blank">kictanet@lists.kictanet.or.ke</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 7/14/22 13:30, A Mutheu via KICTANet wrote:<br>
> *SERVERS*:<br>
> Our servers are more than 3 years old and so would need an upgrade as a <br>
> norm. Has such an upgrade been effected? The voter numbers have <br>
> increased and so will the current servers have adequate capacity? If <br>
> they lack capacity then at this eleventh hour when it is too late to <br>
> order in others, then perhaps we need to look for other solutions as a <br>
> matter of urgency for example, taking into account Data Protection <br>
> considerations, IEBC can look into borrowing capacity from other major <br>
> government servers that hold sensitive information as a norm, assuming <br>
> they have extra capacity, like KRA or CBK?<br>
><br>
It appears that <a href="http://forms.iebc.or.ke" rel="noreferrer" target="_blank">forms.iebc.or.ke</a> is on Amazon S3. Making this data <br>
available increases transparency. The information on these forms seems <br>
to be public, though publishing a hash of the files to confirm integrity <br>
would be useful. Some of the forms have returning officer id numbers. <br>
My expectation would have been that the name, and possibly a telephone <br>
number for the returning officer would be publicly visible, but not the <br>
id number. My hope is that servers holding confidential information are <br>
not in the public cloud.<br>
<br>
> <br>
> *OCR (OPTICAL CHARACTER RECOGNITION) TECHNOLOGY*:<br>
> As far as I am aware IEBC does not have OCR technology or do they? If <br>
> they do not then for aggregation purposes this will have to be done <br>
> manually and human error can arise (both accidental or intentional), as <br>
> this is always a risk where the human factor is a component. If this is <br>
> the status quo then what measures has IEBC put in place to secure this <br>
> process?<br>
This is something that IEBC should invest in more. A paper audit trail <br>
is important, but OCR would allow speed up in tabulation.<br>
<a href="https://electionlab.mit.edu/research/voting-technology" rel="noreferrer" target="_blank">https://electionlab.mit.edu/research/voting-technology</a><br>
Tools such as:<br>
<a href="https://github.com/PaddlePaddle/PaddleOCR" rel="noreferrer" target="_blank">https://github.com/PaddlePaddle/PaddleOCR</a><br>
<a href="https://github.com/tesseract-ocr/tesseract" rel="noreferrer" target="_blank">https://github.com/tesseract-ocr/tesseract</a><br>
can help in processing A forms, and non machine readable uploads of B <br>
forms. Those with technical skills and interest in the election process <br>
will have already automated the processing of 34A forms. Nevertheless, <br>
the dataset should prove useful for those interested in computer vision:<br>
<a href="http://cs230.stanford.edu/projects_spring_2020/reports/38792124.pdf" rel="noreferrer" target="_blank">http://cs230.stanford.edu/projects_spring_2020/reports/38792124.pdf</a><br>
> <br>
<br>
> <br>
> *CIVIC EDUCATION AND REGULAR UPDATES EVEN ON THE IEBC WEBSITES*:<br>
> IEBC has not been aggressive in much needed civic education to sensitize <br>
> and update the public on the GE and even their website can be better <br>
> utilized. In all of this accessibility of information to the differently <br>
> abled is an important factor and their democratic right. How has IEBC <br>
> addressed this? Even on election day what steps have been put in place <br>
> to protect the privacy of the differently abled but enable them to <br>
> exercise their democratic right fairly?<br>
The updates for forms other than 34 are slow/non-existent. Media <br>
coverage is incomplete. By making forms 34 available, this has allowed <br>
the general public to do their own tallying, with the understanding that <br>
verification is still needed. This seems to have increased confidence <br>
in the process. Hopefully, the numbers on the other forms will also be <br>
made available.<br>
> <br>
><br>
> <br>
> IEBC needs to realize that with great power like they have, comes great <br>
> responsibility to uphold the democratic rights of Kenyans to fair and <br>
> free elections, and not allow technological issues that are resolvable <br>
> to curtail this right again.<br>
> <br>
> Stay happy,<br>
> <br>
> *Mutheu Khimulu*<br>
> *LLM. Cybersecurity, Counter Terrorism & Crisis Management*<br>
> *<a href="https://www.linkedin.com/in/mutheu-khimulu-law/" rel="noreferrer" target="_blank">https://www.linkedin.com/in/mutheu-khimulu-law/</a> <br>
> <<a href="https://www.linkedin.com/in/mutheu-khimulu-law/" rel="noreferrer" target="_blank">https://www.linkedin.com/in/mutheu-khimulu-law/</a>> *<br>
> <br>
> <br>
<br>
_______________________________________________<br>
KICTANet mailing list<br>
<a href="mailto:KICTANet@lists.kictanet.or.ke" target="_blank">KICTANet@lists.kictanet.or.ke</a><br>
<a href="https://lists.kictanet.or.ke/mailman/listinfo/kictanet" rel="noreferrer" target="_blank">https://lists.kictanet.or.ke/mailman/listinfo/kictanet</a><br>
Twitter: <a href="http://twitter.com/kictanet" rel="noreferrer" target="_blank">http://twitter.com/kictanet</a><br>
Facebook: <a href="https://www.facebook.com/KICTANet/" rel="noreferrer" target="_blank">https://www.facebook.com/KICTANet/</a><br>
<br>
Unsubscribe or change your options at <a href="https://lists.kictanet.or.ke/mailman/options/kictanet/mutheu%40khimulu.com" rel="noreferrer" target="_blank">https://lists.kictanet.or.ke/mailman/options/kictanet/mutheu%40khimulu.com</a><br>
<br>
<br>
KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.<br>
<br>
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.<br>
<br>
KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.<br>
</blockquote></div>
_______________________________________________<br>
KICTANet mailing list<br>
<a href="mailto:KICTANet@lists.kictanet.or.ke" target="_blank">KICTANet@lists.kictanet.or.ke</a><br>
<a href="https://lists.kictanet.or.ke/mailman/listinfo/kictanet" rel="noreferrer" target="_blank">https://lists.kictanet.or.ke/mailman/listinfo/kictanet</a><br>
</blockquote></div></div>