Thanks to KO and his investigation skills we have come across yet another fiasco that will haunt the government of Pakistan in the lead up to the elections.
In the past few weeks the Election Commission of Pakistan had hired the services of a certain Mr. Hayee Bokhari of Cronomagic Canada Inc, a data warehouse, to electronically host Pakistan’s election lists in safe custody under hacker proof conditions, on the face of it, it sounds honest enough, but probing a little further armed with the interview published by Canada.com of the company reveals some interesting and eye-opening flaws.
It must be mentioned that the list containing the 80 Million names of all Pakistanis eligible to vote generally does carry all our sensitive and personal information, ranging from our names, ages, home addresses, parental information and most importantly our ID Card number, if not anything else, simply said enough information to be a security risk. Paranoid as I might be all such information must be protected by the Government of Pakistan and ensured that it must never fall into the wrong hands, let alone transfer the data across the world via the Internet to a software house located in Montreal, try as much as you might, the Internet is considered highly insecure regardless of any number of security levels one might use, it is all crackable at many points along the route and definitely prone to data monitoring & mining. We all know that NSA does not hide the fact that it does data mining of all traffic going in and out of North America despite the attempt to block them in 2003 but I am certain that due to the sensitive nature of Pakistan practically all information coming out of Pakistan will definitely get ‘mined’ to help collect information for their efforts on the War on Terror in this region
I am quite sure that our local IT industry is not ‘that’ inept that we cannot host this information locally within our own secure premises which could be under the full control of the Government, heck it just requires a few good servers and a good firewall to keep hackers out and does not requires a braniac in Canada to figure this out. In all honesty I feel this is sensitive country information which should be housed and protected within the confines of our own territory, not handed over to some company housed in a foreign land in god knows where.
If the ECP was promised a hacker-proof environment then sadly even Bokhari himself admitted to Canada.com that “There is no 100 per cent solution, but in tests that we have run we did all right. Hackers that we deal with it tried to get in and couldn’t.” hence we are back to square one, the list is still prone to hackers and if a leak does accidentally happen then we can all sit here twirl our fingers, curse the living day lights at a company located 4000 miles away, damages and court proceedings will do little to heal the repercussion we will face if it were to ever happen.
The other problem is that the ECP plans to host this information online allowing all Pakistani voters to check their registration information at the touch of a mouse-click, brilliant idea. But herein also lies another problem, as this critical data is now going to travel across the Internet across the globe on each click, had it been stored locally in Pakistan then a web browser request would have simply been routed locally on a Pakistan wide fiber optic cable never needing to every jump on the Trans-world or the Flag Internet backbones (the only two Internet access points leading out of Pakistan)
The comedy of errors does not stop here as KO went further and dug up some really interesting information about Hayee Bokhari, a Pakistani by origin based in Canada also happens to be the founding member of a Pakistani match making website called Mehndi.com. A match-making portal geared towards the Pakistani market… I hope you all see the apparent business edge he were to have if he accidentally uses it there, he now has access to the 80 million eligible bachelors and bachelorettes with their entire biodata which includes their names, ages, addresses and parental information, there could easily be a good side to all this, since not a single Pakistanis will ever die without having found the right match on Mehndi.com, the complete solution to all our match-making issues for the next many years. Mehndi.com will always have the right match for you, heck if you don’t like the first set of choices they offer, don’t worry their database of 80 Million will definitely land you suitable option so extensive will be the search that you can locate your significant-other by address location (hence posh localities will always be in higher demand) – a brilliant business plan which is bound to be a definite success, the new motto at Mehndi.com could now be, Pakistanis will find the perfect match made
in heaven at mehndi.com – Money Back Guarantee
Shaji in an interesting comment on KO’s Blog points out that the domain of the Election Commission of Pakistan ecp.org.pk was registered by Hayee Bokhari back in 2002, so its apparent why ECP thoroughly relies on Hayee Bukari for his advise on such information. While KO does the mathematics ’80 million records – a simple calculation, say each record takes up 16kb – which is enough to store a whole lot of info then: 16 kilobits * 80 million = 152 gigabytes’ heck that much data can easily fit on one simple 500 GB Hard Disk already available in the market for roughly $150.
On one hand it could be possible that Mr. Bukhari might have the right intentions at heart but I would not trust anyone with this data and remain shocked that the Government of Pakistan has taken this issue so lightly, that they could NOT find a local company and needed to outsource to Canada, brilliant on one hand they talk about economic progress, soaring GDP etc etc while the government cant develop their own products locally even in the IT sector, talk about market confidence
For more information do check out KO’s Blog posts on this issue – Pakistan electoral rigging outsourced to Montreal & Dating service provider to match voters to politicians
Update: ReallyVirtual has an interesting post on the hack-safe ECP website
I am a computer systems engineer with about 10 years of experience under my belt, and to the best of my knowledge the secure data transfer between any two points on the internet is performed using encryption tunnels (more than one tunnels). This whole process is pretty secure and standard and is used by mostly banks everywhere. So the internet transfer can be made fairly secure with equipment easily available in Pakistan.
As to the intentions of Mr. Bokhari, no comments. But realistically speaking having the data of ‘eligible bachelor/bachelorettes’ is still pretty useless for matrimonial or matchmaking purposes considering that the data might be outdated and the business model of a matchmaking site usually requires paid subscription to generate revenue and having the data alone does not guarantee paid membership.
Third point, the data is usually stored in a database since the idea is to index and quickly retrieve only relevant information of a person via random-access. The database may have its own 128-bit (or most probably 256-bit encryption) which would exponentially increase the space required for the data. Then you need to have a multi-disk RAID setup to assure reliability. So a $150 Segate 500GB 16MB cache drive would not be the ideal solution here 🙂
First of all… I highly doubt ECP would have any type of secure transfer in mind, though it should. Even then the most any browser will do is a 128-bit encryption over HTTPS, which in certain cases is breakable, again the possibility of employing such technology to gain access to this data seems highly implausible.
We’re are basing all this conspiracy theory on the assumption that ECP has presumably uploaded ALL the data on the servers. Although it would seem very likely considering the ECP, I think they have uploaded just a small segment of the voter list, presumably the CNIC, Name, Locality, Dates and maybe a few other fields. The fact that voter’s list does not have any Address or contact information or any other sort of personally identifying information should allay the fears of NSA getting their hands on our data (which btw they already have) as does FBI in the case of Immigration Data.
And for quick access, I’m sure anyone would be able to tell you that access from within Pakistan would be a much more simpler and faster alternative for access within Pakistan. I’m sure COMSATS would have figured something out.
If the US govt. wants the personal data of Pakistanis then they already have it. What do you think NADRA CNICs are for?
Shaji: I was referring to VPNs (refer to http://computer.howstuffworks.com/vpn15.htm for a detailed description), not merely a browser based 128-bit SSL access :). They are pretty common in Pakistan in the Banking sector
Abdussamad: Hahahaha!! you are so right!
Mr. Hayee Bokhari is one of the partners of a hositng company called cronomagic (http://www.cronomagic.com/) they are host providers to the likes of secp.gov.pk (having all the records for all the pakistani companies) and also minitry of finance (http://www.finance.gov.pk/) as it says on the main page, the site is hosted by Cronomagic. The mehndi.com is an after-thought for cornomagic, their main area is hosting. Bokhari’s brother is in the military and is based out of Islamabad. Most of these hosting (SECP, Ministry of Finance), etc. are all hosted in Canada, without having gone through any tendering process (belive me – there are none). No transparency, no PPRA regulations followed, etc.
ECP has done a major violation of two regulations that prohibit the exporting of this data to outside of Pakistan.
what do u expect from musshy and the keystone cops anyway. they are incompetent.
Technically, it is possible to do the transfers securely. However, I’d remind everyone of the e-voting debate in the U.S. The technology required to facilitate electronic voting (I’m referring to using an electronic poll station, NOT voting online from your home, etc) is very simple and is not the issue in the debate. The issue is how to establish TRUST in the whole process. In the paper process, the ballots are taken out physically while they are being watched by opposition party workers…..however with an electronic system, how do you ENSURE that the person handling the transfers can be trusted?
I have worked in the medical information systems industry in the U.S. and I can tell you that there are very stringent HIPAA rules that govern who can access what data…there are also very strong reporting and auditing requirements…to me your post highlights the fact that NADRA, etc has all of this information on ID cards, passports, etc and any idiot who is able to curry favour with them will be able to access all of this information and can use it to ill-effect.
Similarly anybody in Mobilink/Ufone has access to your calls and can eavesdrop if necessary, or maybe somebody in WAPDA can do a little check on electricity usage and see if you are out of town or not, and then maybe arrange a little theft.
Stop bashing and realize that there already is a lot of information that is accessible to anyone with enough contacts.
The point being our nation’s asset is now in the possession of a foreign nation. How dare the @#$@# khaki’s go around acquiring land and doing other stuff in the name of national security when they cant even manage the simple stuff. Someone’s ass needs to be kicked, and it better not be anyone below that of a maj-general, be it retired or serving! Incompetent bloody khaki’s!
Newsflash. The U.S government and their secret services already have a huge database of our countries registered citizens. What do u think happens when u step upto an immigration counter and yr pic is taken and yr passport entered. Which database do u think is used to check if u are on “The list”. They do not need to data mine anything. They have the whole original database with them.
Technically, the ‘List’ comes from FIA and is fed into their servers at the airports. It just that the equipment was provided by FBI and they come every month to replace hard drives and we don’t get to keep ANY data. The system is called PISCES btw.
I am a Canadian journalist.I am working on this story for my paper. Please give me more details about his brother in Islamabad.
( Please text me I will call back right away)
i want to mention this that why election commision postponed elections,this is completly a irreesponsbilty showen by them they r not a indepndant , but election commision just follow the orders of president
pleaz hnour urself and do what is right in ur mind
dont obey the ordrs of any person
I am looking to interview , if you available the tech side of this issue.
Doc.. with all due respect… what the HELL are you going on about?!
“heck it just requires a few good servers and a good firewall to keep hackers out”
are you serious!?!?!?!?!?!?! information security is one of the BIGGEST HAZARDS in the corporate world! if it was just a matter of a few servers,what? you think the corporate world cant figure that out? Why are there still info sec incidents happening so frequently everywhere in the world? Visit “http://etiolated.org/” to find out more about breaches happening in the world! its not just a matter as simple as that! what you are proposing is putting up a lock to keep the contents of a bank safe! im incredulous at the height of stupidity presented here!
secondly, the data on the internet, ESPECIALLY SENSITIVE DATA travels though a SECURE PIPE! which means its encrypted to very high levels and sent through a variety of paths before reconstituted at the destination and decrypted. If anyone really is interested in knowing what data is passing through, all they’ll get is CIPHER TEXT (or garbage!). Cipher text means nothing without its key! Also, Pakistan is *NOT ALLOWED* read again *NOT ALLOWED* to have encryption above 128bits~! and anything even remotely resembling a 1024bit encryption key can get you jailed! why? go ask them, they made the laws! However, CANADA DOES NOT HAVE THAT RESTRICTION, so ‘technically’ the data is much safer there, encrypted at 1028bits.
Now, coming to the fact that any tom dick or harry can intercept transmissions and retrieve plaintext personal information, im pretty certain such a system would not be developed by a 14 year old B.Com masqurading as a software engineer, sitting in a one room software house above fish market! Have you even heard of SSL transmissions? HTTPS protocol? If you come out of the freaking stone age, youd realize there are ways for servers and clients (no matter where they are placed in the world) to share data without anyone else reading it. How do you think Ecommerce works man? You think credit card information can be read by any tom/dick or fricking harry with a laptop and an internet connection?
Its almost a post on its own, and i haven’t even gone half way!!!! Doc, i seriously expected more from you. More to follow in the next comment! need to take a breather here!!!
no computer system is completely secure, the statement which you ripped to shreds, or tried to, is a sad fact of life. Nothing is safe from anyone determined to get to it, because each security system is designed by a human, hence another human is able to break it. Not even the most extensive information security system (at FBI) involving more than 512 firewalls was compromised at one point. its a continuous battle between the good and evil and is as old as time unmemorable.
still moving on, data protection laws and the criminal justice system in canada is much better than it is in pakistan, and if anything were to happen to the data, mr. hayee would be better prosecuted there. if such an incident were to happen here, it would be hung up in our courts for years expending even more tax payers money.
now, for your jab at mehndi.com utilizing data for its own uses, my dear doc, you have very low opinions of professionals belonging to this country (which leads me to consider just how good a dentist people are at your firm). Such data warehouses, have a big contract list, not to mention a huge system of checks and balances to ensure organization’s data, stored with them, is not misused! its called a process and it does work my dear doc, otherwise the whole data protection industry would not exist.
granted there are ways to utilize that data for malicious purposes, but you forget there are much more severe breaches of information security at home (from banks and other credit institutions) which do not have a system of checks and balances in place and which is why you get calls from 6 odd banks if you as much as inquire it from one bank. a business, such as for mehndi.com, would be almost ruined as far as credibility is concerned if it did involve itself in such a activity, and im pretty sure the founder knows that!
damn doc! what the hell were you *thinking*!!! i know you have a thing to be a watchdog and a pioneer of whatever your projecting, but please! for god sakes, have your facts straight before maliging everything you see the government doing!
looks like having better servers and better hosting solutions “IS” after all a big deal.
I have been trying to access reports at ECP’s website for past 10 hours in different intervals
and still 500 error. And I wouldn’t explain what a 500 error means to you obviously.
Also, just because a canadian firm is involved in an application like this DOES NOT mean Coronomagic is also using more than 128bit encryption. Firefox didn’t warn me of any data security-change even when I could see the search page is non-encrypted. http://search.ecp.gov.pk/
Then, your rhetoric regarding corporate world’s dilemmas over security and other such issues were quite ill-timed, I might add. What we (I am sure KO and Dr. others wd gree) are trying to express our bewilderment is over the fact that if Pakistan REALLY is incapable of hosting 150gb’s sensitive data in Pakistan and then serve it to “few thousands” (how’s that now) users, then there’s something very terrible going on inside the Army House which has been claiming everything otherwise.
Mansoor, there’s good reasons why people in Pakistan (leave likes of KO and Dr Awab) are skeptical about anything that’s happening officially. For example, taking this case as an example, there’re TWO official Elections Commissions’ websites in Pakistan. Seriously.
ecp.gov.pk registered somewhere in 2002 hosted at Cronomagic
elections.gov.pk registered somewhere in 2006 hosted partly at Cronomagic and partly at NTC’s servers
both sites claim to be official sites. From Elections.gov.pk you could browse same pages from elections.gov.pk’s directory structure until you want to search for your list which is when you’re taken to ecp.gov.pk
Since Elections.gov.pk was registered much later than ecp.gov.pk we have a reason to believe it would have been BETTER OFFICIAL site and since it’s partly hosted at NTC’s servers which host over 200 government websites including FIA, PAF, Senate and other sites.
Don’t you just get frustrated at the lack of transparency and height of ambiguity here? Of course, ours is a country popular in its lack of access to information and other civil liberties but where do we go then?
sir most respectfully i have to say that i am from pakist province sindh and district larkan i want to see pakistani voters list with adresses there fore please guide me about this thanks
sir most respectfully i have to say that i am from pakist province sindh and district larkan i want to see pakistani voters list with adresses there fore please guide me about this thanks
sir iam living in province blochstan.my distrct is soob.plese send me voter list of district soob. thanks
I want Voter List Of Punjab, Please send it ASAP