I'm starting to see interesting questions pop up and even statements like every technology is not perfect but ....

1. Can we ascertain & inventory versions & dependencies in the software used in the #KIEMS kits and IEBC's front & back-end servers? Were these pieces of software current/up-to-date? Vulnerable? Do they have publicly assigned #CVEs and/or exploits in the wild?
2. Are there security features for the configs/databases loaded onto the #KIEMS kits? If yes, have there been analyses for both hardware + software risks?
3. A #KIEMS kit for a polling station is the only device that can transmit (images of the Form 34A) and there are limited chances to do so ... Are there tests and security analyses to substantiate authentication (verification) + authorization of these devices?
  3.1 What's the process/flow of replacing a failed #KIEMS kit for a polling station ...
4. On transmission ... It is well known that IMSI catchers aka "Fake Cell Towers" are readily available and aren't exorbitantly expensive. Considering many polling stations are clustered in a small geographical area, this is even more feasible. There is even a 5G version of the device. Were #KIEMS kits' modems and/or cell towers hardened to mitigate well-known issues like rootkits/backdoors being injected into the SIM modules, accessing storage on a device, reading messages and even intercepting connections over a VPN!? ... sometimes the modem is given free rein to access the entire system! Read -> https://replicant.us/freedom-privacy-security-issues.php and Watch -> https://www.youtube.com/watch?v=31D94QOo2gY


There are too many of these types of questions and rabbit holes to go over ...


IEBC, kindly open-source your entire codebase, infrastructure provisioning + configurations etc. Have days where hobbyists and "hackers"/tinkerers can play & take apart the hardware to be used in the next elections. Start this process now! Yes, this will limit the companies you can contract with in the future, but for the sake of transparency, accountability and potentially identifying, quantifying & thwarting risks, do this!


Regards,
Adrian Teri


---------- Forwarded message ----------
From: Benson Muite <benson_muite@emailplus.org>
To: kictanet@lists.kictanet.or.ke
Cc: 
Bcc: 
Date: Sun, 14 Aug 2022 22:18:43 +0300
Subject: Re: [kictanet] Invitation to Participate in ' Talk to IEBC'
On 7/14/22 13:30, A Mutheu via KICTANet wrote:
> *SERVERS*:
> Our servers are more than 3 years old and so would need an upgrade as a
> norm. Has such an upgrade been effected? The voter numbers have
> increased and so will the current servers have adequate capacity? If
> they lack capacity then at this eleventh hour when it is too late to
> order in others, then perhaps we need to look for other solutions as a
> matter of urgency for example, taking into account Data Protection
> considerations, IEBC can look into borrowing capacity from other major
> government servers that hold sensitive information as a norm, assuming
> they have extra capacity, like KRA or CBK?
>
It appears that forms.iebc.or.ke is on Amazon S3.  Making this data
available increases transparency.  The information on these forms seems
to be public, though publishing a hash of the files to confirm integrity
would be useful.  Some of the forms have returning officer id numbers.
My expectation would have been that the name, and possibly a telephone
number for the returning officer would be publicly visible, but not the
id number.  My hope is that servers holding confidential information are
not in the public cloud.

>
> *OCR (OPTICAL CHARACTER RECOGNITION) TECHNOLOGY*:
> As far as I am aware IEBC does not have OCR technology or do they? If
> they do not then for aggregation purposes this will have to be done
> manually and human error can arise (both accidental or intentional), as
> this is always a risk where the human factor is a component. If this is
> the status quo then what measures has IEBC put in place to secure this
> process?
This is something that IEBC should invest in more. A paper audit trail
is important, but OCR would speed up tabulation.
https://electionlab.mit.edu/research/voting-technology
Tools such as:
https://github.com/PaddlePaddle/PaddleOCR
https://github.com/tesseract-ocr/tesseract
can help in processing A forms, and non-machine-readable uploads of B
forms. Those with technical skills and interest in the election process
will have already automated the processing of 34A forms. Nevertheless,
the dataset should prove useful for those interested in computer vision:
http://cs230.stanford.edu/projects_spring_2020/reports/38792124.pdf
>

>
> *CIVIC EDUCATION AND REGULAR UPDATES EVEN ON THE IEBC WEBSITES*:
> IEBC has not been aggressive in much needed civic education to sensitize
> and update the public on the GE and even their website can be better
> utilized. In all of this accessibility of information to the differently
> abled is an important factor and their democratic right. How has IEBC
> addressed this? Even on election day what steps have been put in place
> to protect the privacy of the differently abled but enable them to
> exercise their democratic right fairly?
The updates for forms other than 34 are slow/non-existent.  Media
coverage is incomplete.  By making forms 34 available, this has allowed
the general public to do their own tallying, with the understanding that
verification is still needed.  This seems to have increased confidence
in the process. Hopefully, the numbers on the other forms will also be
made available.
>
>
>
> IEBC needs to realize that with great power like they have, comes great
> responsibility to uphold the democratic rights of Kenyans to fair and
> free elections, and not allow technological issues that are resolvable
> to curtail this right again.
>
> Stay happy,
>
> *Mutheu Khimulu*
> *LLM. Cybersecurity, Counter Terrorism & Crisis Management*
> *https://www.linkedin.com/in/mutheu-khimulu-law/*
>
>
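The integrity check suggested in the reply above, as an added example that is not part of the thread and not IEBC's own tooling: the publisher builds a SHA-256 manifest of the form files once, and anyone holding a mirrored copy verifies it against that manifest, getting back which files were modified, went missing, or appeared unlisted. File names and contents are constructed sample data.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large scanned PDFs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare a local copy of the files against a published manifest."""
    report = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) == expected:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    # Files present locally but absent from the manifest are flagged too (e.g. a planted form)
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            report["unlisted"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: two fake form files; the mirror later diverges in three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "county-01").mkdir()
        (root / "county-01" / "station-0001-34A.pdf").write_bytes(b"%PDF constructed sample A")
        (root / "county-01" / "station-0002-34A.pdf").write_bytes(b"%PDF constructed sample B")
        published = json.dumps(build_manifest(root), indent=2, sort_keys=True)  # what the publisher posts
        (root / "county-01" / "station-0002-34A.pdf").write_bytes(b"%PDF altered")  # tampered copy
        (root / "county-01" / "station-0001-34A.pdf").unlink()                     # removed file
        (root / "county-01" / "station-0003-34A.pdf").write_bytes(b"%PDF not listed")  # extra file
        return verify_manifest(root, json.loads(published))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```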





---------- Forwarded message ----------
From: A Mutheu <mutheu@khimulu.com>
To: "Kenya's premier ICT Policy engagement platform" <kictanet@lists.kictanet.or.ke>
Cc: 
Bcc: 
Date: Mon, 15 Aug 2022 10:10:10 +0300
Subject: Re: [kictanet] Invitation to Participate in ' Talk to IEBC'
Dear Benson,

Your insights are noted with appreciation.

Stay happy,

Mutheu Khimulu.
LLM. Cybersecurity, Counter Terrorism & Crisis Management
https://www.linkedin.com/in/mutheu-khimulu-law/


_______________________________________________
KICTANet mailing list
KICTANet@lists.kictanet.or.ke
https://lists.kictanet.or.ke/mailman/listinfo/kictanet
Twitter: http://twitter.com/kictanet
Facebook: https://www.facebook.com/KICTANet/
