+1 I will repeat what Adam has noted: It sounds like he did the best job possible but a penetration test is just one of many layers needed for security so this really does appear to be a textbook example of a failed implementation of an important technology system. Pentest and securing of a system does NOT in any way stop someone with access privileges from compromising the system in their own special way:) On 9 March 2013 11:58, Adam Nelson <adam@varud.com> wrote:

It doesn't really matter in terms of the election itself because the system was abandoned and was never intended to be the definitive basis of results.

However, saying that attacks were stopped in real time is already bad news. The fact that he was changing passwords and taking the "SQL server" off the network (I presume he means on some sort of public or unsafe network) just days before the election is pretty bad. The system could have been hijacked before he set up the IDS and did that work. It sounds like he did the best job possible but a penetration test is just one of many layers needed for security so this really does appear to be a textbook example of a failed implementation of an important technology system.

However, many best practices and lessons could come out of this. It almost seems like a book-length project.

-Adam

On Sat, Mar 9, 2013 at 11:47 AM, Rebecca Wanjiku < rebeccawanjiku@yahoo.com> wrote:

...

Just in case you were wondering whether it was hacked, the person who did the pen test and monitored the network says no.

Read the views......

http://www.wanjiku.co.ke/2013/03/was-the-iebc-network-compromise-an-insiders...

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/adam%40varud.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/odhiambo%40gmail.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ I can't hear you -- I'm using the scrambler.

Finally a response that indicates that all we had was an implementation issue, this explains why you need clear division of duties when dealing with any size of system. If they had an experienced DBA the issues would have been resolved promptly and the election would have been a trump for IT in Kenya but because one person tried to do everything we now all as an industry have egg on our faces. Regards   Robert Yawe KAY System Technologies Ltd Phoenix House, 6th Floor P O Box 55806 Nairobi, 00200 Kenya Tel: +254722511225, +254202010696 ________________________________ From: Erik Hersman <erik@zungu.com> To: robertyawe@yahoo.co.uk Cc: KICTAnet ICT Policy Discussions <kictanet@lists.kictanet.or.ke> Sent: Saturday, 9 March 2013, 12:55 Subject: Re: [kictanet] Was the IEBC hacked? An insider's view +1 on the fact that this was an add-on system, meant to provide transparency, but was never intended to be the official source for the tally of elections.   We finally have an idea of the system setup and what went wrong: http://iebctechkenya.tumblr.com/post/44928868808/a-clear-definition-of-the-i... Erik Hersman www.ushahidi.com | www.iHub.co.ke www.whiteafrican.com | @whiteafrican On Mar 9, 2013, at 12:21 PM, Odhiambo Washington <odhiambo@gmail.com> wrote: +1

I will repeat what Adam has noted:

It sounds like he did the best job possible but a penetration test is

just one of many layers needed for security so this really does appear to be a textbook example of a failed implementation of an important technology system.

Pentest and securing of a system does NOT in any way stop someone with access privileges from compromising the system in their own special way:)

On 9 March 2013 11:58, Adam Nelson <adam@varud.com> wrote:

It doesn't really matter in terms of the election itself because the system was abandoned and was never intended to be the definitive basis of results.  

...

However, saying that attacks were stopped in real time is already bad news.  The fact that he was changing passwords and taking the "SQL server" off the network (I presume he means on some sort of public or unsafe network) just days before the election is pretty bad.  The system could have been hijacked before he set up the IDS and did that work.  It sounds like he did the best job possible but a penetration test is just one of many layers needed for security so this really does appear to be a textbook example of a failed implementation of an important technology system.

However, many best practices and lessons could come out of this.  It almost seems like a book-length project.

-Adam

On Sat, Mar 9, 2013 at 11:47 AM, Rebecca Wanjiku <rebeccawanjiku@yahoo.com> wrote:

Just in case you were wondering whether it was hacked, the person who did the pen test and monitored the network says no.

...

Read the views......

http://www.wanjiku.co.ke/2013/03/was-the-iebc-network-compromise-an-insiders...

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/adam%40varud.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/odhiambo%40gmail.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ I can't hear you -- I'm using the scrambler. _______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/erik%40zungu.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/robertyawe%40yahoo.co.... The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

Was someones toes stepped on? The initial link does not work... On Sat, Mar 9, 2013 at 12:34 PM, S.M. Muraya <murigi.muraya@gmail.com>wrote:

A KE.xpert says the IEBC multiplication error was caused by a "faulty SQL join".

https://twitter.com/paul_mungai/status/310334406168571904

Something to do with 8 candidates and a multiplication of 8....

On Sat, Mar 9, 2013 at 11:58 AM, Adam Nelson <adam@varud.com> wrote:

...

It doesn't really matter in terms of the election itself because the system was abandoned and was never intended to be the definitive basis of results.

However, saying that attacks were stopped in real time is already bad news. The fact that he was changing passwords and taking the "SQL server" off the network (I presume he means on some sort of public or unsafe network) just days before the election is pretty bad. The system could have been hijacked before he set up the IDS and did that work. It sounds like he did the best job possible but a penetration test is just one of many layers needed for security so this really does appear to be a textbook example of a failed implementation of an important technology system.

However, many best practices and lessons could come out of this. It almost seems like a book-length project.

-Adam

On Sat, Mar 9, 2013 at 11:47 AM, Rebecca Wanjiku < rebeccawanjiku@yahoo.com> wrote:

...

Just in case you were wondering whether it was hacked, the person who did the pen test and monitored the network says no.

Read the views......

http://www.wanjiku.co.ke/2013/03/was-the-iebc-network-compromise-an-insiders...

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/adam%40varud.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/murigi.muraya%40gmail....

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/krsnjo%40gmail.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

-- * If the human brain were so simple that we could understand it, we would be so simple that we couldn't. - Emerson M. Pugh *