My proposal for reforms in General Election / Election Commission

Regarding your question about stealing a POS machine, you don't need to. You just need to have access to it (read about Kaptoxa, JackPOS, Backoff, Nemanja etc.). Banks become victims of fraud all the time (read about Zeus malware, SpyEye, amongst others). Going by their sheer volumes in sales a few millions are nothing, however a few millions can turn the tide here.

Wow, you turned out to be technical, but unfortunately you forgot the complete gist of the system. All these malwares are used to steal card data, not to get into the system; it's like your merchant gets into the machine and installs this malware on the machine to get the card data, or in your absence someone gets on the machine and installs it. On top of that, in a PKI environment, data can't be stolen in communication or at the end node. Almost all card fraud happens if someone has access to the database as well as gets the flat files for embossing (I am still not sure why they even generate flat files, it's stupidity).

Now let's bring in a system which works to take votes. On the morning of the election NADRA generates a new key, which gets distributed automatically to all merchants (in this case banks, Union Councils, or maybe mobile phones). Now when voting starts, people who are going to the bank to pay a bill also put their fingerprint for their favorite candidate. Internally, this system encrypts the data with a 2048-bit public key and sends the data over the normal internet to the NADRA office, where there are firewalls and a system working only to receive such requests, which goes to the HSM and puts this information in the database. At the end of voting, NADRA again sends a command which wipes out the old public keys. (I am skipping lots of security checks which will ensure more security, but just giving a small overview of a new system which isn't built yet.)

Now you have a system which is secure, portable and can do a lot better; for more security you can even introduce one-time-use PINs by soft RSAs.

It's a perfectly secure system for voting and doesn't require too many resources to manage.

Sir, what you are suggesting is possible in Oman or the Western world, wherever you live. But it is simply not possible in Pakistan due to simple reasons and I see no point in explaining it once again.
Oman has a sultan, and the voting system is just a formality. And there is only a small difference between not possible and can be done.
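
Editor's added example, not part of the thread and not any poster's code: the post above encrypts each ballot to a public key and mentions skipping further checks; this sketch shows three checks a receiving service could run before a ballot reaches the HSM, since public-key encryption alone does not say which terminal sent a record or whether it was sent twice. The per-terminal HMAC keys, the epoch labels and the `voter_token` field are assumptions, and the ballot ciphertext is treated as opaque.

```python
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not from the thread).
EPOCH = "epoch-A"                          # label of today's election key
TERMINAL_KEYS = {"bank-0042": b"k" * 32}   # hypothetical per-terminal MAC keys


def make_submission(terminal_id, key, epoch, voter_token, ciphertext_hex):
    """Terminal side: wrap an already-encrypted ballot and authenticate it."""
    body = {"terminal": terminal_id, "epoch": epoch,
            "voter_token": voter_token, "ballot": ciphertext_hex}
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, raw, hashlib.sha256).hexdigest()}


class Receiver:
    """Receiving side: checks run before a ballot is queued for decryption."""

    def __init__(self, epoch, terminal_keys):
        self.epoch = epoch
        self.terminal_keys = terminal_keys
        self.seen_tokens = set()
        self.accepted = []   # opaque ciphertexts only; nothing is decrypted here

    def accept(self, msg):
        body = msg.get("body", {})
        key = self.terminal_keys.get(body.get("terminal"))
        if key is None:
            return "reject: unknown terminal"
        raw = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison of the authentication tag.
        if not hmac.compare_digest(expected, str(msg.get("tag", "")).encode()):
            return "reject: bad tag"
        if body.get("epoch") != self.epoch:
            return "reject: wrong key epoch"       # record made under another day's key
        token = body.get("voter_token")
        if token in self.seen_tokens:
            return "reject: duplicate voter token"  # replayed or repeated record
        self.seen_tokens.add(token)
        self.accepted.append(body["ballot"])
        return "accept"
```
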
 

I will explain better tomorrow. Going to sleep now.
 
Completely wrong. They were spread remotely via hacking into the systems. All of the POS malwares I mentioned.

PKI is mostly to establish trust. Now if the root certificate is compromised, the whole system is. Read about the Comodo or DigiNotar breach.

OTOH there is no point in communication security (RSA and stuff) if the bank system is compromised. In the Kaptoxa POS breach the card data was being secured, but to do that it was being read into memory, and it was from there that the malware was hooking into the data.

Mobile devices open a whole other can of worms regarding security. These issues are primarily the reason even the US has not implemented it.
 
With new POS devices you can't install anything which is not trusted. Everything has to go back to the original manufacturer and gets installed through the trusted manufacturer. Even with old devices I am not convinced that you can do it, since a POS is a client-based device which doesn't accept any packets from you; even if you spoof the IP, you need SSL from the NCC box, which is in the company. So with physical access, it's not possible to install anything, unless you installed an open POS which isn't following the standard.

Now for the root certificate (data encryption), read more about HSM devices and please tell me how exactly you are planning to steal that, since still almost all ATM skimmers rely on a camera to capture the PIN, because of the fact that the HSM is unbreakable.
 
@Chak Bamu

What do you have to say about post number 1? Any additions you can make?
 

Dude, all those were new POS devices. Just read a couple of detailed reports before you make assumptions. You need to first understand how they infect and spread before we take this forward. Also physical access is not required and IP spoofing has nothing to do with it.

Also RC and ATM skimming have no relation. Read more about how the Comodo RC compromise affected the whole web of trust thing.
 
Bhai, I work there so I know, and don't need to read anything for it. "All coming from my head" ;) Just let me give you some pretty small basics: a POS device doesn't have a standard Windows OS, the OS is built into firmware, and to install you need a different device and the application, which gets authorized by your POS distributor. Once this POS is installed, you can only redistribute stuff by calling those devices back to the originator. Only small kinds of stuff like your public key (generated by the HSM) and new merchant details can be sent through the PMS deployed at the bank.

btw what is Comodo RC? Some RC truck? ;) I didn't get anything about it.
 
Windows Embedded comes with its own share of troubles which get it hacked.

Here you go, advisory from Visa regarding "dexter": https://usa.visa.com/download/merchants/alert-dexter-122012.pdf I can share multiple research papers and technical analyses on POS malware if you are interested. Just because they are using a slightly different version of Windows (the embedded one) does not make it safe from all the security bugs Windows suffers from.
 
Bhai, only a limited number of POS companies use Embedded Windows. Major players come with DOS and Linux; some also use Mac. And I also disagree that Embedded Windows is as vulnerable as normal Windows, since Embedded Windows (which is a pretty small number) drills the normal OS down to only the required clients. Most problems related to RPC, SMB and NetBIOS become null and void after you use the default firewall on Embedded XP.
 
The only difference of opinion between us is that you see things from the point of view of implementation and I see them the way malware compromises them. 40 million credit cards were stolen in the Target breach during late last year and early this year. This shows the usage is not any less. Also this was one of the greatest credit card breaches of all time.
 
I am talking from a practical point of view. I don't have stats, but I am 100% sure almost all of the 40 million credit cards which were compromised at POS level will belong to "magnetic strips", not chip & PIN based systems. EMV is pretty secure so far. And I can challenge you that if thumb impression and soft RSA get used for voting then they will be secure for at least the next 8-10 years. Things will change when quantum computers come to the public or AI becomes normal.

Anyway, I know it will be pretty secure, and fully portable, with less chance of rigging in elections, which is what this thread is about.
 
Bollywood mujra should be played in the polling stations. Most of the 2 numbers will be busy watching it.
 
@Chak Bamu

What do you have to say about post number 1? Any additions you can make?

Bro, I have a couple of disagreements.

1. Elections should be held on the same day like it is done now. Otherwise the voter choice would be said to be influenced, even if the voting result is not announced. I can anticipate your answer, but believe me this is important.

2. We must have a paper trail. I do not trust e-voting as a standalone system. An inbuilt printer can spit out a slip confirming the voting choice and should have some sort of identification (thumb print?) mechanism. This would be a fall-back option; plus storing slips should not be difficult at all for a few months at least.

One successful hacking incident can create chaos, otherwise.

3. All representatives of political parties must not have any access whatsoever to the polling area. There should however be security cameras in the premises. Not expensive these days.

4. E-voting should be introduced first in the cities and then in the rural areas over two election cycles. This is controversial and debatable, and I am open to suggestions.

5. E-voting machines must be protected with sufficient security.

I can not think of anything else on the fly. May come up with something in addition to these later.
 
I am talking from a practical point of view. I don't have stats, but I am 100% sure almost all of the 40 million credit cards which were compromised at POS level will belong to "magnetic strips", not chip & PIN based systems. EMV is pretty secure so far. And I can challenge you that if thumb impression and soft RSA get used for voting then they will be secure for at least the next 8-10 years. Things will change when quantum computers come to the public or AI becomes normal.

Anyway, I know it will be pretty secure, and fully portable, with less chance of rigging in elections, which is what this thread is about.


Chip and PIN is as insecure as magnetic strip, maybe more. Check the presentation "Chip & PIN is Definitely Broken - CanSecWest". Nonetheless I won't hijack this thread anymore.
 