Poor show by IEBC: Data Protection in year 2017 and the case of raw voter registration data
Dear Listers,

Today I'm wearing my CISA hat.

IEBC has launched a voter verification tool both through SMS and web query at http://voterstatus.iebc.or.ke/voter

If you are privacy conscious, and a little bit paranoid, you will realize that IEBC is doing badly with how they are exposing raw data of nearly 20 million Kenyans to the world. Anybody with basic programming skills can harvest the raw data through an automated search. If you search any random number with the format of Kenya ID numbers, say hypothetically 12345678, you will realize you can pull up a citizen's details, at least ID number, name, and where they live.

Basic security tips would require the system to have a captcha to prevent automated harvesting of the information, and also to have challenge questions like date of birth to supplement the ID number, and therefore thwart any mischievous individuals from harvesting the rich data.

Can IEBC correct the anomaly?

Attached is a sample demo screenshot. Of course there is the other thing of strange ID numbers finding their way into the voter register.

Voter Details for Id: 12345678
Id / Passport Number: 12345678
Primary Name: KIBET
Secondary Name: KIRUI
Birth Date: 01/01/1994
Gender: M
Polling Station Code: 101
Polling Station: LELACH PRIMARY SCHOOL
County: KERICHO
Contituency: BURETI
Ward: CHEPLANGET

______________________
Mwendwa Kivuva, Nairobi, Kenya
twitter.com/lordmwesh
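The defender's side of the point Mwendwa makes above: automated harvesting of a single-input lookup leaves a recognisable footprint in the web server's own access log, and it can be surfaced with a few lines of Python. This is an added example, not code from the original post or from IEBC; the log lines are constructed, the `/voter?id=` query shape and the thresholds are assumptions, and the two signals it checks (many distinct IDs from one client inside a short window, and IDs queried in consecutive order) are the ones a bulk harvester is most likely to produce.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format); not real traffic.
# One client walks consecutive ID numbers, two others behave like ordinary voters.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jun/2017:09:00:01 +0300] "GET /voter?id=10000001 HTTP/1.1" 200 512
203.0.113.5 - - [30/Jun/2017:09:00:02 +0300] "GET /voter?id=10000002 HTTP/1.1" 200 509
203.0.113.5 - - [30/Jun/2017:09:00:03 +0300] "GET /voter?id=10000003 HTTP/1.1" 200 498
203.0.113.5 - - [30/Jun/2017:09:00:04 +0300] "GET /voter?id=10000004 HTTP/1.1" 200 501
203.0.113.5 - - [30/Jun/2017:09:00:05 +0300] "GET /voter?id=10000005 HTTP/1.1" 200 515
203.0.113.5 - - [30/Jun/2017:09:00:06 +0300] "GET /voter?id=10000006 HTTP/1.1" 200 507
198.51.100.20 - - [30/Jun/2017:09:00:07 +0300] "GET /voter?id=23456789 HTTP/1.1" 200 520
198.51.100.20 - - [30/Jun/2017:09:03:10 +0300] "GET /voter?id=23456789 HTTP/1.1" 200 520
192.0.2.77 - - [30/Jun/2017:09:05:00 +0300] "GET /voter?id=30001234 HTTP/1.1" 200 511
192.0.2.77 - - [30/Jun/2017:09:05:30 +0300] "GET /voter?id=30009876 HTTP/1.1" 200 514
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)
ID_RE = re.compile(r"[?&]id=(\d+)")  # assumption: the lookup takes the ID as a query parameter


def parse_line(line):
    """Return (client_ip, timestamp, queried_id) or None for lines that are not ID lookups."""
    m = LOG_RE.match(line)
    if not m:
        return None
    id_match = ID_RE.search(m.group("path"))
    if not id_match:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(id_match.group(1))


def detect_enumeration(log_text, window=timedelta(seconds=60), max_distinct=3, min_run=4):
    """Map client IP -> list of reasons for every client whose lookups look like harvesting."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ts, voter_id = rec
            events[ip].append((ts, voter_id))

    findings = {}
    for ip, recs in events.items():
        recs.sort()
        # Signal 1: most distinct IDs this client asked about inside any single window.
        start, worst_distinct = 0, 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            worst_distinct = max(worst_distinct, len({v for _, v in recs[start:end + 1]}))
        # Signal 2: longest run of consecutive ID numbers in query order.
        ids = [v for _, v in recs]
        longest = run = 1 if ids else 0
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1
            longest = max(longest, run)

        reasons = []
        if worst_distinct > max_distinct:
            reasons.append(f"{worst_distinct} distinct IDs within {int(window.total_seconds())}s")
        if longest >= min_run:
            reasons.append(f"run of {longest} consecutive ID numbers")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in detect_enumeration(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The thresholds are deliberately low so the constructed sample trips both signals; on real traffic a cyber café's shared IP will legitimately show several distinct IDs per hour, so the consecutive-ID signal is the more reliable of the two and the distinct-ID window should be tuned against observed benign volume before anyone acts on it.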
This is a very serious anomaly that must be addressed as soon as possible. It begs the question: are we safe as data subjects? If a body like IEBC that is expected to be beyond reproach can have such open flaws... then we say that we are ready to go for elections, huh? It's a disappointment.

On 29-Jun-2017 11:47 PM, "Mwendwa Kivuva via kictanet" <kictanet@lists.kictanet.or.ke> wrote:
_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/ronojinx%40gmail.com
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
Greetings,

Thinking out loud here: what are the alternatives to an open system? In my view:

Limiting requests per IP address would obviously lock out many users. Implementing cookies et al. to limit to one query per day would also lock out several legitimate users (e.g. those who share PCs at cybers). Introducing a username/password combo made out of perhaps the birth date would complicate matters for the average voter.

I think the only legitimate option they have to prevent abuse/mass mining of this information is to implement a service like Cloudflare on the subdomain. This would at least stop a repetitive cURL request in its tracks, or at least severely slow it down. Nevertheless, a quick IP ping shows that it appears as though the subdomain voterstatus.iebc.or.ke is running on Google Cloud servers, which offer similar services as Cloudflare these days. I trust the good people at IEBC have explored these services.

Let's brainstorm. Perhaps a legitimate, implementable solution may arise from this discussion that works for the "Kenyan context".

Regards,
EC

On Thu, Jun 29, 2017 at 11:55 PM, Ronald Ojino via kictanet <kictanet@lists.kictanet.or.ke> wrote:
@Chebukati

I like the idea of a legitimate, implementable solution. And I believe we have many of those here--on this list. So Listers, take up Chebukati's challenge and suggest what is pragmatic and would probably help the techies at IEBC move this process forward with fewer glitches.

Best regards
Githaiga, Grace

Co-Convenor, Kenya ICT Action Network (KICTANet)
Twitter: @ggithaiga
Tel: 254722701495
Skype: gracegithaiga
Alternate email: ggithaiga@hotmail.com
Linkedin: https://www.linkedin.com/in/gracegithaiga
www.kictanet.or.ke
"Change only happens when ordinary people get involved, get engaged and come together to demand it. I am asking you to believe. Not in my ability to bring about change – but in yours" --- Barack Obama.

On Friday, 30-06-2017 at 01:29 Emmanuel Chebukati via kictanet wrote:
Do we have someone from IEBC on this list?

This is a serious breach. In the dark web there are vendors of stolen identities. What IEBC has done is basically to leave the bank vaults open and invite every identity theft vendor in the world into this treasure trove.

This whole verification exercise needs to be suspended until this rookie mistake is rectified.

Ali Hussein
Principal
Hussein & Associates
+254 0713 601113
Twitter: @AliHKassim
Skype: abu-jomo
LinkedIn: http://ke.linkedin.com/in/alihkassim
"We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle

Sent from my iPad
On 30 Jun 2017, at 1:05 AM, Grace Githaiga via kictanet <kictanet@lists.kictanet.or.ke> wrote:
I dunno how practical it is now, but I think this is one of the things that would benefit from integration on the eCitizen platform.

Plus, the implementation shows that in the absence of guidelines on how citizens' data is managed, anything is possible. Besides, it wouldn't be so hard to mine this data from IEBC servers for whatever purpose.

Victor

On 30 Jun 2017 6:55 a.m., "Ali Hussein via kictanet" <kictanet@lists.kictanet.or.ke> wrote:
Good morning,

eCitizen integration sounds like a great idea! IEBC could make use of the login credentials, via an API perhaps, and authenticate the user before allowing them to check their status. The challenge I foresee with this is the perception of lack of independence stemming from an independent institution "sharing" IT services with a government entity. In essence, while you and I know that the two databases can sit on separate servers, will the average Kenyan be convinced of this? "Kenyan context".

Using the serial number, which is printed on both the passport and the National ID, as the "password" sounds like a better idea. It is unique, user friendly and addresses the concerns raised by Mwendwa on this thread. While possible to brute force, as it only contains numbers, any competent system should be able to ban that specific user after a number of tries. Question is: does IEBC have access to this data in their database?

Regards,
EC

On Fri, Jun 30, 2017 at 7:07 AM, Victor Kapiyo via kictanet <kictanet@lists.kictanet.or.ke> wrote:
I dunno how practical it is now, but I think this is one of the things that would benefit from integration on the ecitizen platform.
Plus, the implementation shows that in the absence of guidelines on how citizens data is managed, then anything is possible. Besides, it wouldn't be so hard to mine this data from iebc servers for whatever purpose.
Victor
On 30 Jun 2017 6:55 a.m., "Ali Hussein via kictanet" < kictanet@lists.kictanet.or.ke> wrote:
Do we have someone from IEBC on this list?
This is a serious breach. In the dark web there are vendors of stolen identities. What IEBC has done is to basically leave the bank vaults open and invite every identity theft vendor in the world into this treasure trove..
This whole verification exercise needs to be suspended until this rookie mistake is rectified.
*Ali Hussein* *Principal* *Hussein & Associates* +254 0713 601113
Twitter: @AliHKassim
Skype: abu-jomo
LinkedIn: http://ke.linkedin.com/in/alihkassim
"We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle
Sent from my iPad
On 30 Jun 2017, at 1:05 AM, Grace Githaiga via kictanet <kictanet@lists.kictanet.or.ke> wrote:
@Chebukati
I like the idea of a legitimate implementable solution. And I believe we have many of those here--on this list. So Listers, take up Chebukati's challenge and suggest what is pragmatic and would probably help the techies at IEBC move this process forward with fewer glitches.
Best regards
Githaiga, Grace
On Friday, 30-06-2017 at 01:29 Emmanuel Chebukati via kictanet wrote:
Greetings,
Thinking out loud here: what are the alternatives to an open system? In my view: Limiting requests per IP address would obviously lock out many users. Implementing cookies et al to limit to one query per day would also lock out several legitimate users (e.g. those who share PCs at cybers). Introducing a username/password combo made out of perhaps the birth-date would complicate matters for the average voter.
I think the only legitimate option they have to prevent abuse/mass mining of this information is to implement a service like Cloudflare on the subdomain. This would at least stop a repetitive curl request in its tracks or at least severely slow it down. Nevertheless, a quick IP ping shows that it appears as though the subdomain voterstatus.iebc.or.ke is running on Google Cloud servers which offer similar services as Cloudflare these days. I trust the good people at IEBC have explored these services.
Let's brainstorm. Perhaps a legitimate, implementable solution may arise from this discussion that works for the "Kenyan context".
Regards,
EC
On Thu, Jun 29, 2017 at 11:55 PM, Ronald Ojino via kictanet <kictanet@lists.kictanet.or.ke> wrote:
_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/ronojinx%40gmail.com
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
Co-Convenor Kenya ICT Action Network (KICTANet) Twitter: @ggithaiga Tel: 254722701495 Skype: gracegithaiga Alternate email: ggithaiga@hotmail.com Linkedin: https://www.linkedin.com/in/gracegithaiga www.kictanet.or.ke
"Change only happens when ordinary people get involved, get engaged and come together to demand it. I am asking you to believe. Not in my ability to bring about change – but in yours" --- Barack Obama.
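The check EC proposes above (ID number plus the document serial number as the "password", with a ban after a number of failed tries) as an added example; this is not IEBC's code and not code from anyone on this thread. The register, the serial format, the five-try threshold and the 15-minute lockout are all assumed, and the block goes a step beyond the proposal by counting failures per ID number and per client separately and by answering an unknown ID exactly like a wrong serial:

```python
import hmac
import time
from dataclasses import dataclass, field

MAX_FAILURES = 5            # failed tries before a lockout (assumed policy value)
LOCKOUT_SECONDS = 15 * 60   # how long a locked ID number or client stays locked (assumed)

# Constructed sample register: the names, ID numbers and serial numbers are made up.
REGISTER = {
    "12345678": {"serial": "A1B2C3D4", "name": "JANE DOE", "station": "101 SAMPLE PRIMARY"},
    "87654321": {"serial": "Z9Y8X7W6", "name": "JOHN DOE", "station": "202 SAMPLE SECONDARY"},
}


def weak_lookup(id_number):
    """The pattern the thread objects to: the ID number alone returns the record."""
    return REGISTER.get(id_number.strip())


@dataclass
class AttemptTracker:
    """Failed-attempt counter, keyed by ID number or by client address."""
    failures: dict = field(default_factory=dict)  # key -> [count, time of first failure]

    def is_locked(self, key, now):
        entry = self.failures.get(key)
        if entry is None or entry[0] < MAX_FAILURES:
            return False
        if now - entry[1] >= LOCKOUT_SECONDS:
            del self.failures[key]  # fixed window has expired: start counting afresh
            return False
        return True

    def record_failure(self, key, now):
        self.failures.setdefault(key, [0, now])[0] += 1

    def clear(self, key):
        self.failures.pop(key, None)


class VoterLookup:
    """ID number plus document serial number, with lockout after repeated failure."""

    def __init__(self, register, clock=time.time):
        self.register = register
        self.clock = clock                 # injectable so tests can advance time
        self.by_id = AttemptTracker()      # stops guessing the serial of one ID
        self.by_client = AttemptTracker()  # stops one client sweeping many IDs

    def lookup(self, id_number, serial, client):
        """Return (status, record); status is 'ok', 'denied' or 'locked'."""
        id_number = id_number.strip()
        serial = serial.strip().upper()
        now = self.clock()

        if self.by_id.is_locked(id_number, now) or self.by_client.is_locked(client, now):
            return "locked", None

        record = self.register.get(id_number)
        # Compare against a dummy of the same length when the ID is unknown, so an
        # unknown ID and a wrong serial take the same path and get the same answer:
        # the response no longer tells a caller which ID numbers exist.
        expected = record["serial"] if record else "0" * len(serial)
        matched = hmac.compare_digest(expected.encode(), serial.encode()) and record is not None

        if not matched:
            self.by_id.record_failure(id_number, now)
            self.by_client.record_failure(client, now)
            return "denied", None

        self.by_id.clear(id_number)
        # The client counter is deliberately not cleared: one correct pair does not
        # buy a sweeping client more guesses.
        public = {k: v for k, v in record.items() if k != "serial"}
        return "ok", public


if __name__ == "__main__":
    svc = VoterLookup(REGISTER)
    print(weak_lookup("12345678"))                          # full record from the ID alone
    print(svc.lookup("12345678", "wrong", "198.51.100.7"))  # ('denied', None)
    print(svc.lookup("12345678", "a1b2c3d4", "198.51.100.7"))
```

Only failed tries are counted, so voters on a shared PC at a cyber who supply the right pair are not locked out the way a raw per-IP request cap would lock them out.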
I don't think information sharing affects the independence of the institution. IEBC itself benefits from the register of persons & immigration, managed under the Ministry of Interior. Besides, these institutions are public institutions and as such it would benefit the taxpayer if they could provide their services under the same platform, just as they do at Huduma Centre, such that ecitizen is the online huduma. Further, and just as they manage their desks at the Huduma centre, they can maintain control over the general management of their database while allowing citizens to access their information from the online system. I think NTSA started doing that on ecitizen for the Driving Licenses, but then moved MV registration & other services to their TIMS platform.
But then again, who wants a verifiable register?
Victor Kapiyo
Partner | Lawmark Partners LLP
Advocate of the High Court of Kenya & Commissioner for Oaths
Suite No. 8, Centro House, Westlands, Nairobi | Web: www.lawmark.co.ke
“Your attitude, not your aptitude, will determine your altitude” - Zig Ziglar
On 30 June 2017 at 07:59, Emmanuel Chebukati <echebukati@gmail.com> wrote:
Dear All,
A simple 2-Factor Authentication mechanism via SMS would suffice to start with.
Regards,
Denis
On Fri, Jun 30, 2017 at 9:34 AM, Victor Kapiyo via kictanet <kictanet@lists.kictanet.or.ke> wrote:
EC,

This is probably the *only* workable solution given the *time constraints* IEBC faces.

*Username: ID/NO*
*Password: ID/Serial No*

Also, going forward, this could be central to our authentication, where Citizens are made to keep their ID Serial number as their 'private key' for all authentication in GoK platforms.

Regards

P.S. I am inclined to ask, is this Chebukati 'The Chebukati'? :-)

On Fri, Jun 30, 2017 at 7:59 AM, Emmanuel Chebukati via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Good morning,
ECitizen integration sounds like a great idea! IEBC could make use of the login credentials - via an API perhaps - and authenticate the user before allowing them to check their status.
The challenge I foresee with this is the perception of lack of independence stemming from an Independent institution "sharing" I.T services with a government entity. In essence, while you and I know that the two databases can sit on separate servers: will the average Kenyan be convinced of this? *"Kenyan context".*
Using the serial number - which is printed on both the passport and the National ID - as the "password" sounds like a better idea. It is unique, user friendly and addresses the concerns raised by Mwendwa on this thread. While possible to brute force - as it only contains numbers - any competent system should be able to ban that specific user after a number of tries. Question is: Does IEBC have access to this data in their database?
Regards,
EC
On Fri, Jun 30, 2017 at 7:07 AM, Victor Kapiyo via kictanet < kictanet@lists.kictanet.or.ke> wrote:
I dunno how practical it is now, but I think this is one of the things that would benefit from integration on the ecitizen platform.
Plus, the implementation shows that in the absence of guidelines on how citizens data is managed, then anything is possible. Besides, it wouldn't be so hard to mine this data from iebc servers for whatever purpose.
Victor
On 30 Jun 2017 6:55 a.m., "Ali Hussein via kictanet" < kictanet@lists.kictanet.or.ke> wrote:
Do we have someone from IEBC on this list?
This is a serious breach. In the dark web there are vendors of stolen identities. What IEBC has done is to basically leave the bank vaults open and invite every identity theft vendor in the world into this treasure trove.
This whole verification exercise needs to be suspended until this rookie mistake is rectified.
*Ali Hussein* *Principal* *Hussein & Associates* +254 0713 601113
Twitter: @AliHKassim
Skype: abu-jomo
LinkedIn: http://ke.linkedin.com/in/alihkassim
"We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle
Sent from my iPad
On 30 Jun 2017, at 1:05 AM, Grace Githaiga via kictanet < kictanet@lists.kictanet.or.ke> wrote:
@Chebukati
I like the idea of a legitimate implementable solution. And I believe we have many of those here--on this list. So Listers, take up Chebukati's challenge and suggest what is pragmatic and would probably help the techies at IEBC move this process forward with less glitches.
Best regards
Githaiga, Grace
On Friday, 30-06-2017 at 01:29 Emmanuel Chebukati via kictanet wrote:
Greetings,
Thinking out loud here: what are the alternatives to an open system? In my view: Limiting requests per IP address would obviously lock out many users. Implementing cookies et al to limit to one query per day would also lock out several legitimate users (e.g. those who share PCs at cybers). Introducing a username/password combo made out of perhaps the birth-date would complicate matters for the average voter.
I think the only legitimate options they have to prevent abuse/mass mining of this information is to implement a service like Cloudflare on the subdomain. This would at least stop a repetitive CURL request in its tracks or at least severely slow it down. Nevertheless, a quick IP ping shows that it appears as though the subdomain voterstatus.iebc.or.ke is running on Google Cloud servers which offer similar services as Cloudflare these days. I trust the good people at IEBC have explored these services.
Let's brainstorm. Perhaps a legitimate, implementable solution may arise from this discussion that works for the "Kenyan context".
Regards,
EC
On Thu, Jun 29, 2017 at 11:55 PM, Ronald Ojino via kictanet < kictanet@lists.kictanet.or.ke> wrote:
This is a very serious anomaly that must be addressed soonest possible. It begs the question, are we safe as data subjects? If a body like IEBC that is expected to be beyond reproach can have such open flaws... then we say that we are ready to go for elections, huh? It's a disappointment.
On 29-Jun-2017 11:47 PM, "Mwendwa Kivuva via kictanet" < kictanet@lists.kictanet.or.ke> wrote:
Dear Listers,
Today I'm wearing my CISA hat.
IEBC has launched a voter verification tool both through sms, and web query at http://voterstatus.iebc.or.ke/voter
If you are privacy conscious, and a little bit paranoid, you will realize that IEBC is doing badly with how they are exposing raw data of nearly 20 million Kenyans to the world. Anybody with basic programming skills can harvest the raw data through an automated search. If you search any random number with the format of Kenya ID numbers, say hypothetically 12345678, you will realize you can pull up a citizen's details, at least ID number, and name, and where they live.
Basic security tips would require the system to have a captcha to prevent automated harvest of the information, and also have a challenge question like date of birth to supplement the ID number, therefore thwarting any mischievous individuals from harvesting the rich data.
Can IEBC correct the anomaly?
Attached is a sample demo screenshot. Of course there is the other thing of strange ID numbers finding their way into the voter register.
Voter Details for Id: 12345678
Id / Passport Number: 12345678
Primary Name: KIBET
Secondary Name: KIRUI
Birth Date: 01/01/1994
Gender: M
Polling Station Code: 101
Polling Station: LELACH PRIMARY SCHOOL
County: KERICHO
Constituency: BURETI
Ward: CHEPLANGET
______________________ Mwendwa Kivuva, Nairobi, Kenya twitter.com/lordmwesh
Co-Convenor Kenya ICT Action Network (KICTANet) Twitter:@ggithaiga Tel: 254722701495 Skype: gracegithaiga Alternate email: ggithaiga@hotmail.com Linkedin: https://www.linkedin.com/in/gracegithaiga www.kictanet.or.ke
"Change only happens when ordinary people get involved, get engaged and come together to demand it. I am asking you to believe. Not in my ability to bring about change – but in yours"---Barrack Obama.
-- *Regards,* *Waithaka Ngigi* Chief Executive Officer | Alliance Technologies | MCK Nairobi Synod Building T +254 20 525 0750 | Office Mobile: +254 716 201061 | M +254 737 811 000 www.at.co.ke
@Githaiga, I concur with you on the Techies. They are a great resource in many areas we are "short in" and especially here in the Counties as we move to phase 2.0 of devolution - so please rudi nyumbani (come back home) before we make a bad situation worse. I also do not buy into the notion that the Government people are "rookie" - I suspect they went to the same schools and professional bodies (and if not, back to point no 1).

Inasmuch as here I am yet to understand why @Kivuva is on fire, I appreciate what he is trying to say, which is NOT an issue specific to IEBC; haya ni mazoea (this is the norm) and not an IEBC issue. The blame aka responsibility lies right here with the internet community that should have been (and be) the public eye. As a government agency, it is not only IEBC that has this open unlimited public access information. Befriend an Airtel, Orange, Equitel, MPESA or other agent today, ask to photocopy their manual booklet - perhaps try. Even as you transact to sign off, you can take a good picture of the pages they use, with consent or not, from how they handle the booklets. Children should not be screened without parental approval. We have this in mainstream media, even kids taken to court, which is a NO NO??

All in all, it might be a good place to start on this while speaking to the right body. I suspect this goes back to the Ministry of Information - the Acts and Statutes that should govern and how adherence is ensured. I am not sure privacy has a definition any more in respect to where we have allowed ourselves to go. But there is always room for recovery.

Be blessed.

Regards/Wangari

--- Pray God Bless. 2013Wangari circa - "Being of the Light, We are Restored Through Faith in Mind, Body and Spirit; We Manifest The Kingdom of God on Earth".
On Friday, 30 June 2017, 2:08, Grace Githaiga via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Chebukati,

It was easy for IEBC to say send your IDNumber#IDSerialNumber to 70000, match the two in a procedure, strip whichever after the match and return results - just for instance. The inclusion of the SerialNumber is a tight check! Well, we all don't think programmatically, donge (right)?

On 30 June 2017 at 01:29, Emmanuel Chebukati via kictanet <kictanet@lists.kictanet.or.ke> wrote:
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft."
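The designs debated above, as an added example in Python (this is not IEBC's code and nothing here was taken from the voterstatus service). It puts the ID-only lookup that Kivuva says can be harvested beside the ID-plus-serial lookup that Ngigi, Chebukati and Odhiambo propose, with the lock-out "after a number of tries" Chebukati asks for, a per-requester throttle of the kind Chebukati discusses, and a handler for the IDNumber#IDSerialNumber SMS format Odhiambo describes. The register, the ID and serial numbers in it, the field names and the thresholds (5 wrong serials, a 15-minute lock, 20 requests per minute per requester) are all assumptions made for the demonstration; the harvest loop only ever queries the in-memory sample.

```python
"""Added example for the kictanet thread (not IEBC's code): an ID-only voter
lookup beside a lookup that needs the ID serial number, locks an ID after
repeated wrong serials and throttles each requester. Register entries, ID
numbers, serial numbers and thresholds are constructed for the demo."""
import hmac
import time
from collections import defaultdict, deque

# Constructed sample register: ID number -> (serial number, voter fields).
# The numbers are invented and do not belong to real Kenyan IDs.
REGISTER = {
    "90000001": ("10000001", {"name": "A. MWANGI", "polling_station": "101 LELACH PRIMARY SCHOOL"}),
    "90000002": ("10000002", {"name": "B. OTIENO", "polling_station": "102 KAPSOIT PRIMARY SCHOOL"}),
    "90000003": ("10000003", {"name": "C. WANJIRU", "polling_station": "103 CHEBOIN PRIMARY SCHOOL"}),
}

NOT_FOUND = "No record found for the details supplied."
THROTTLED = "Too many requests; try again later."
SMS_USAGE = "Send IDNumber#IDSerialNumber."

MAX_FAILED_PER_ID = 5     # wrong serials before the ID is locked (assumed)
LOCK_SECONDS = 900.0      # how long the lock lasts (assumed)
MAX_REQ_PER_WINDOW = 20   # requests per IP address or phone number (assumed) ...
WINDOW_SECONDS = 60.0     # ... within this window


def open_lookup(id_number):
    """The design the thread objects to: the ID number alone is the key."""
    entry = REGISTER.get(id_number)
    return dict(entry[1]) if entry else None


def harvest(id_numbers):
    """Walk candidate ID numbers through open_lookup and keep every hit.
    This is the automated search Kivuva warns about reduced to a loop; it
    queries only the in-memory REGISTER above."""
    found = {}
    for n in id_numbers:
        rec = open_lookup(str(n))
        if rec:
            found[str(n)] = rec
    return found


class VoterStatusService:
    """ID + serial lookup with per-ID lockout and per-requester throttling."""

    def __init__(self, register=REGISTER, clock=time.monotonic):
        self._register = register
        self._clock = clock                    # injectable so tests control time
        self._failed = defaultdict(int)        # id_number -> wrong serials so far
        self._locked_until = {}                # id_number -> lock expiry time
        self._requests = defaultdict(deque)    # requester -> request timestamps

    def _throttled(self, requester):
        """Sliding-window limit per requester (IP address or MSISDN)."""
        now = self._clock()
        q = self._requests[requester]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= MAX_REQ_PER_WINDOW:
            return True
        q.append(now)
        return False

    def lookup(self, requester, id_number, serial_number):
        if self._throttled(requester):
            return THROTTLED
        if not (id_number.isdigit() and serial_number.isdigit()):
            return NOT_FOUND
        now = self._clock()
        if self._locked_until.get(id_number, 0.0) > now:
            return NOT_FOUND              # a locked ID looks like an unknown one
        self._locked_until.pop(id_number, None)
        entry = self._register.get(id_number)
        # Run the comparison on both the unknown-ID and wrong-serial paths so
        # neither the message nor the work done reveals whether the ID exists.
        expected = entry[0] if entry else "0" * len(serial_number)
        matched = hmac.compare_digest(expected, serial_number) and entry is not None
        if not matched:
            self._failed[id_number] += 1
            if self._failed[id_number] >= MAX_FAILED_PER_ID:
                self._locked_until[id_number] = now + LOCK_SECONDS
                self._failed.pop(id_number, None)
            return NOT_FOUND
        self._failed.pop(id_number, None)
        return dict(entry[1])

    def sms(self, msisdn, text):
        """Handle the IDNumber#IDSerialNumber message format Odhiambo proposes."""
        parts = text.strip().split("#", 1)
        if len(parts) != 2 or not all(p.isdigit() for p in parts):
            return SMS_USAGE
        return self.lookup(msisdn, parts[0], parts[1])
```

The lock is keyed on the ID number rather than on the requester, because, as Chebukati notes, a strict per-IP limit would shut out cybers where many voters share one address; the per-requester window is deliberately generous and exists only to slow a single scraper down. Since the serial number is itself numeric and guessable, the lock is what makes guessing it uneconomic, and returning the same "not found" text for an unknown ID, a wrong serial and a locked ID means the service cannot be used as an oracle for which ID numbers are on the register.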
Hi everyone,

Two concerns we need to factor in:

NTSA motor vehicle transfer service (TIMS) uses serial numbers to verify. It is so much trouble if for any reason you changed your ID and the serial number of the ID you have is different from the one they have in the database.

The second issue is that the purpose of this exercise is for the public to verify the register. Not only for each person to verify their individual details but also for the general public to inspect the whole register. The question then would be, which parts of the information are public and which ones are not.

Regards,

2017-06-30 15:30 GMT+03:00 Odhiambo Washington via kictanet <kictanet@lists.kictanet.or.ke>:
Chebukati,
It was easy for IEBC to say send your IDNumber#IDSerialNumber to 70000, match the two in a procedure, strip whichever after the match and return results - just for instance. The inclusion of the SerialNumber is a tight check! Well, we all don't think programmatically, donge?
On 30 June 2017 at 01:29, Emmanuel Chebukati via kictanet < kictanet@lists.kictanet.or.ke> wrote:
Greetings,
Thinking out loud here: what are the alternatives to an open system? In my view: Limiting requests per IP address would obviously lock out many users. Implementing cookies et al to limit to one query per day would also lock out several legitimate users (e.g. those who share PCs at cybers). Introducing a username/password combo made out of perhaps the birth-date would complicate matters for the average voter.
I think the only legitimate options they have to prevent abuse/mass mining of this information is to implement a service like Cloudflare on the subdomain. This would at least stop a repetitive CURL request in its tracks or at least severely slow it down. Nevertheless, a quick IP ping shows that it appears as though the subdomain voterstatus.iebc.or.ke is running on Google Cloud servers which offer similar services as Cloudflare these days. I trust the good people at IEBC have explored these services.
Let's brainstorm. Perhaps a legitimate, implementable solution may arise from this discussion that works for the "Kenyan context".
Regards,
EC
On Thu, Jun 29, 2017 at 11:55 PM, Ronald Ojino via kictanet < kictanet@lists.kictanet.or.ke> wrote:
This is a very serious anomaly that must be addressed soonest possible. It begs the question, are we safe as data subjects? If a body like IEBC that is expected to be beyond reproach can have such open flaws...then we say that we are ready to go for elections huh?its a disappointment.
On 29-Jun-2017 11:47 PM, "Mwendwa Kivuva via kictanet" < kictanet@lists.kictanet.or.ke> wrote:
_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/
Unsubscribe or change your options at https://lists.kictanet.or.ke/m ailman/options/kictanet/ronojinx%40gmail.com
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
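The thread so far names three controls for a lookup service like this one: throttling repeated requests per client, asking for a second fact only the voter should know (date of birth) alongside the ID number, and not handing back more fields than verification needs. The block below is an added example written for this page, not IEBC's code and not a description of how voterstatus.iebc.or.ke actually works. The register, ID numbers, dates, IP addresses and the 5-per-60-seconds threshold are constructed placeholders. It shows the ID-only lookup the original post objects to next to a hardened version, so the difference is visible in code rather than in prose.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed sample register: placeholder values, not real voter data.
REGISTER = {
    "10000001": {"name": "A. EXAMPLE", "dob": "1990-05-12", "station": "101"},
    "10000002": {"name": "B. EXAMPLE", "dob": "1985-11-30", "station": "102"},
}


def lookup_weak(id_number):
    """The pattern the thread describes: the ID number alone is the key, so
    anyone who iterates the ID space retrieves every record in the register."""
    return REGISTER.get(id_number)


class SlidingWindowLimiter:
    """Allows at most `limit` calls per `window` seconds for each key.

    Keying on the client address is the simplest choice; a CDN or WAF in
    front of the site would do the same job, as the reply above suggests.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        # `now` is injectable so the behaviour can be tested without sleeping.
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class VoterLookup:
    """Hardened lookup: rate-limited per client, requires a second factor the
    voter knows (date of birth), and returns one uniform answer for every
    failure so an unknown ID and a wrong date of birth are indistinguishable."""

    NOT_FOUND = {"status": "not_found"}
    RATE_LIMITED = {"status": "rate_limited"}

    def __init__(self, register, limiter):
        self.register = register
        self.limiter = limiter

    def lookup(self, id_number, dob, client_ip, now=None):
        if not self.limiter.allow(client_ip, now):
            return dict(self.RATE_LIMITED)
        record = self.register.get(id_number)
        # Always run the comparison, against a dummy value when the ID is
        # unknown, so response time does not reveal whether the ID exists.
        expected = record["dob"] if record is not None else "0000-00-00"
        match = hmac.compare_digest(expected.encode(), dob.encode())
        if record is None or not match:
            return dict(self.NOT_FOUND)
        # Return only what a voter needs to confirm registration, not the
        # full record (no date of birth or gender echoed back).
        return {
            "status": "registered",
            "name": record["name"],
            "station": record["station"],
        }


if __name__ == "__main__":
    service = VoterLookup(REGISTER, SlidingWindowLimiter(limit=5, window=60))
    print(service.lookup("10000001", "1990-05-12", "203.0.113.7"))
    print(service.lookup("10000001", "1999-01-01", "203.0.113.7"))
    print(service.lookup("99999999", "1990-05-12", "203.0.113.7"))
```

The date-of-birth check is what actually defeats harvesting: the rate limiter only slows a single client down, and a determined harvester can spread requests across many addresses, but without the second factor each ID guess still yields nothing. The uniform `not_found` response matters for the same reason; a lookup that answered "wrong date of birth" for real IDs and "no such voter" for unused ones would confirm which IDs exist, which is most of what the original post was worried about leaking.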
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft."
-- Grace Mutung'u Skype: gracebomu @Bomu PGP ID : 0x33A3450F
participants (11)
- Ali Hussein
- Denis G. Wahome
- Emmanuel Chebukati
- Grace Githaiga
- Grace Mutung'u
- Mwendwa Kivuva
- Ngigi Waithaka
- Odhiambo Washington
- Ronald Ojino
- Victor Kapiyo
- WANGARI KABIRU