This blog entry is purely my own view.
“That’s one small step for man, one giant leap for mankind”.
Yesterday was one such day for the Chief Election Commission – India, when the CEC announced that they are going to organize a hacking contest for their e-Voting software and the winner takes 10 lacs. More details here.
A few weeks ago I had posted about the Chief Election Officer’s website being hacked, and now this – no wonder it’s a giant step for the Chief Election Commission – India.
I am not interested in taking part in this contest, because this is not about any hacking contest, nor about the EASIEST way to earn 10 lacs, but about the ideology itself.
The ideology of introducing Internet / Computer as a medium to enable users to cast their valuable vote.
CEC goes to great lengths to verify the authenticity of a voter during voting. Though there are exceptions, due to the sheer fact that a voter has to be physically present to cast the vote, many of the wannabe fake voters, for fear of getting apprehended, shy away from such anti-national acts.
The Internet, though a preferred medium for communication, doesn’t provide much help to processes which require stringent identity verification.
According to CEC, they plan to provide an interface which will allow a voter to register himself, and the moment the voter is registered, his name will be struck off from the EVM (physical voting list). What if someone spoofs the identity of an entire locality and gets them registered online? On the day of voting there is going to be mayhem when these voters turn up at their designated polling stations to cast their vote.
From emails to SSL certificates, everything under the sun has been spoofed and can be spoofed, but when it comes to real-world scenarios, the ratio of forgery / spoofing is much lower when compared with the virtual world. If you wonder why, read the summary of this blog.
According to me, the old way is the better way – physically visit the booth, get your finger marked, cast your vote, hear the beep (EVM) and leave the booth with the satisfaction that you have done one good deed for your country.
CEC wants to deploy an eVoting system but at the same time wants ethical hackers to hack into their system. Well – the simplest form of hack is the DDoS attack – no access, no vote. Denying a voter the right to cast their vote is a criminal offense.
To this date, in my 18-year career, I have never come across a fool-proof system which can stop DDoS attacks – CEC, please learn your lesson from Anonymous.
Now comes the Identity Verification part – one thing remains to be seen: how does CEC plan to deploy a FOOL-PROOF Identity Verification system? (Please, no more password logins with Captcha – command-line OCR can be tweaked to automate the captcha – done this ages ago.)
Now for the bombshell – voter information is available online, which CEC gladly provides, containing all the information, e.g. Voter ID number, full name, address, locality, etc., which even a 5-year-old kid can retrieve. Under these circumstances, what other EXTRA unique information do a Voter and CEC have to identify him online?
My only contention is this – if CEC is adamant on an online voting system (which already has tons of cons), then why doesn’t the MEA (Ministry of External Affairs) provide online passports? Only the application forms can be submitted online, and for verification the applicant has to be present IN PERSON for verification and application-form submission; along with this there is police verification, and postal address, residence address and passport delivery address verification, all done physically, i.e. physical visits. Probably because MEA is a part of the government and CEC is an autonomous body?
A passport and the casting of a vote are to be treated on par with each other, as the basic requirement is the same for both, i.e. citizenship of India. If one department is paranoid about identity verification, then why is the other department so very naive?
A few months ago, a few experts fiddled with the EVM systems and in turn were locked up. After this incident, CEC issued a wise guideline – an expert should hack into the EVM without opening it – lulz.
I guess CEC’s guidelines for this hacking contest would be:
1: NO DDoS attacks – cause they are not a hack, it’s just packet overload.
2: NO reverse engineering – cause reverse-engineering is unethical and we have specifically asked for ethical hackers.
3: No port scanning, OS identification scans or DB identification of the server, cause it is illegal.
4: The administrator and the IT team handling the servers / network, the firewall or the database, along with their family members / friends, cannot take part in this contest.
5: No foreign hackers allowed, as India has stringent FEMA laws (how do you transfer INR 10 lacs to a non-Indian outside of India?) and logically non-Indians should not have any interest whatsoever in which government gets elected. (I presume no one has learnt anything from Stuxnet and its effect on a nuclear reactor except the programmers and researchers.)
6: Hop servers for changing the source IP should not be used, cause it would be almost impossible to track down the WINNER of the contest and it is unethical for an ethical hacker to spoof/hide their IP address.
What happens when a hacker logs in from outside India and hacks a server residing in India? CBI has already answered that question:
The CBI had on Dec 4 last year (2010) registered a case against unknown persons …………
According to the CBI, the IP addresses in the US have been linked to Amazon.com Inc. (Amazon Web Services) and Network Operations Center Inc, whereas the third one is traced to DEACDCRIGAHOSTINGNET, Digitalas Ekonomikas Attistibas Centres 24 J. Riga in Latvia…….
Guess no hacker ever goes to the extent of hiding their IP address or launching an attack from a server located in some data center on planet Pluto; it’s way too complicated and unimaginable, right?
PS: Till date there has been no update from the CEC on whether their database or infrastructure was compromised or not during the previous hack by an unethical hacker.
Summary of the Blog:
1: The fear of getting caught while impersonating is very high only when the impersonator is physically interacting with the victim. In the online virtual world, the computer acts as a barrier for the mind/fear and hence facilitates impersonation, e.g. email spoofing. Ask any manager who has fired an employee, or a jilted lover, and they end up finding loads of junk email or flame mails in their inbox, or finding a porn profile of themselves on social networking sites.