'Hacking into poll machines like winning lotto 5 times'

It's not impossible to mess with the machines that will be used in the automated elections, but the likelihood of hacking them is the same as winning the lotto five consecutive times. Commission on Elections (Comelec) officials made the statement Tuesday following the hacking of five government websites since December 2009. In an interview on dwIZ radio, Comelec Commissioner Gregorio Larrazabal assured that the Precinct Count Optical Scan (PCOS) machines that will be used in the country's first nationwide automated polls operate independently of each other and utilize 128-bit encryption —the same security strength used in banks around the world. What is 128-bit encryption? Many banks and websites worldwide utilize 128-bit encryption because, for a hacker to access the information, he would need to have the encryption key composed of 2¹²⁸ or about 340,000,000,000,000,000,000,000,000,000,000,000,000 separate digits. Most security experts believe that the chance of guessing all the digits correctly is extremely difficult, if not impossible. Short of acquiring the encryption key directly from administrative personnel, hackers would have little choice but to try each possible number combination. Even with the use of a very fast computer, it would take 11,000 quadrillion years to hack. Attempting to guess the encryption key has similarly slim chances. 'Like winning the lotto five times' Comelec law department head Ferdinand Rafanan likened the possibility of hacking into the PCOS machines to winning the lottery five consecutive times. "You cannot say you can hack into our system after hacking a few websites. A hacker who claims he or she can hack into the automated system we will use is like saying he or she will win the top prize in five straight lotto draws. It is not impossible, but who will believe it?" Rafanan said in Filipino in an interview on dzXL radio. Speculations of cheating in the automated elections arose after hackers defaced at least five government websites: the Departments of Health, Labor and Social Welfare; National Disaster Coordinating Council; and Technical Education and Skills Development Authority. Very limited window of hacking opportunity The near impossibility of being able to hack the 128-bit encryption is further strengthened, according to Larrazabal, by the fact that there is no master code and that each machine is standalone with no connection to any sort of network until after the voting process. Thus, hackers will have very little time to access any given machine. "The window of opportunity for hackers to get into a system is very limited. You have one to two minutes. In the very remote possibility access ka sa one precinct gagawin mo yan sa each precinct, there are 75,000 precincts (In the remote chance you gain access to a counting machine in one precinct you have to alter the data in machines in over 75,000 precincts)," he said. Larrazabal said that the machines are not connected to the Internet or to any mobile network until after the voting, counting and printing of election returns. "After printing copies, that’s the only time the Board of Election Inspectors connects the modem to the machines and transmits the data, so there’s no possibility makapasok sila (hackers can get in) because there’s no connectivity," he said. Once the machines are connected to the modem, they will transmit their data to several servers, including those of the Comelec and the dominant majority and minority parties. The setup of multiple secure servers will make sure the data is redundant, and that there is a backup copy if one of the servers is broken into.

NBI still on alert for hackers National Bureau of Investigation (NBI) Anti-fraud and Computer Crimes division chief Palmer Mallari, however, said law enforcement agencies must still be on alert even though the chances of hacking into the PCOS machines are very slim. "Alam naman po natin ang creativity at mga kakayahan ng mga hackers. Sila po gustong gusto nila na bago yung kanilang gagawin para malaman kung gaano ba sila kagaling (We know the creativity and capability of hackers. They get challenged by the unfamiliar because they want to test their mettle)," Mallari said in an interview over GMA News' Unang Hirit . "I'm not saying it's not possible because it is, so law enforcers should really prepare for these kinds of challenges," he added. Mallari said that the NBI is now looking looking into who is behind the recent defacement of several government websites, but added that insufficient coordination with Internet service providers, telecommunication companies are hindering them from swiftly resolving their probe. He lamented the absence of a law on cyber-crimes that clearly define what information ISPs are required to provide law enforcers investigating crimes made over the Internet. "There is a particular process that we can make use of in tracing the origin of an Internet activity," he said. "We have long been advocating for reforms in the IT industry. Right now the system of coordination with ISPs and telcos are not in place, so we it's hard to get evidence that will be used in our investigation." "This would really require the creativity of law enforcers para makapag-imbestiga ng mga klase ng computer crimes (This would really require the creativity of law enforcers, for them to investigate computer crimes)," added the NBI official. - with reports from Johanna Camille Sisante and TJ Dimacali/RSJ, GMANews.TV