Smartmatic-TIM running out of time to fix glitches


Posted at May 04 2010 10:22 AM | Updated as of May 04 2010 06:55 PM

MANILA, Philippines - A top official of poll machine supplier Smartmatic-TIM believes time constraints could affect the company's plans to address glitches in its Precinct Count Optical Scan (PCOS) machines before the May 10 elections, a poll watchdog official said Tuesday.

Henrietta de Villa, head of the Parish Pastoral Council for Responsible Voting (PPCRV), said she called up Smartmatic Southeast Asia president Cesar Flores after she received reports from volunteers that PCOS machines in Metro Manila and nearby provinces malfunctioned during the tests. 

"I also called up Cesar Flores. They are also alarmed, not because they cannot fix [the machines], but because of the remaining time they have [to fix the machines]," de Villa told ABS-CBN's Umagang Kay Ganda (UKG).

She said she received reports from PPCRV volunteers that PCOS machines deployed in Pasay City, Las Piñas City, Parañaque City, Makati City and Batangas province failed to read votes cast for local candidates during Monday's tests.

She said PPCRV volunteers went on reporting the same kind of problem until 10 p.m. Monday.

De Villa, meanwhile, said that Flores assured her that even with only 6 days before the first ever nationwide automated elections, they will try to fix the problem.

She said that according to Flores, PCOS machines that have yet to be deployed from the Smartmatic warehouse in Laguna province will be subjected to further tests to identify what caused the problem.

Commission on Elections (Comelec) Commissioner Lucenito Tagle told UKG that the problem seems to have originated from the PCOS machines' memory cards, based on an initial report by Smartmatic.

Tagle said that the Comelec has been assured by the PCOS machine provider that it will be able to fix the problem on time.

The poll official admitted that the new problem might be used by groups that have been critical of the full automation to question the credibility of the May 10 elections.

Problems found in PCOS source code

An independent review conducted by SysTest also noted several problems in the source code used by the PCOS machines, according to the Computer Professionals Union (CPU) and Kontra Daya.

Rick Bahague of CPU and Kontra Daya said erroneous programming on the database can lead to serious problems in data corruption and integrity. "Transmission of data is not always encrypted and this can be exploited to manipulate results," he said.

Some findings in the review were:

  • Source codes for database transactions that include possibilities of being improperly terminated.
  • The pattern of miswritten exception handling and erroneous transaction terminating logic is so widespread that it appears that the system authors used an incorrectly written template for such source code logic.
  • Commands to add, update and delete existing database records lack enclosing transaction logic which may affect database contents and may possibly result in database integrity and other corruption issues.
  • Lack of thorough functional path testing conducted.
  • Source codes are not properly commented. "The Ballot Production source code modules as submitted on 8 Feb 2010 did not have within themselves one single comment or internal documentation."
  • Several of the logging functions in the Smartmatic CCS project appear to omit the inclusion of the time and date from the logged messages. This omission can result to audit log entries.
  • Election Management Software (EMS) is susceptible to SQL injections.
  • Possibility of unencrypted passwords being stored in the EMS database.
  • At least one instance of encryption keys found to be explicitly coded into the source code which can potentially reveal them to anyone.
  • Logs on the PCOS can be overwritten.
  • Election data may not always be properly encrypted before being stored.
  • Certificate of Canvass and Statement of Votes documents are not always encrypted before transmission.
  • The software inventory provided by Smartmatic is inadequate. One software "contains a solicitation for beer" for the software's creators, which brings into question the software's credibility.

Bahague said that the source code also revealed hasty programming with inadequate comments on the source code, test variables that were not deleted, and inaccurate memory management. It also found that audit log entries are not always recorded with a proper timestamp.

“There is also some concern on how the machine will read undervotes. The review cautioned the non-standard treatment of undervotes which can lead to exclusion of such votes during counting,” he said in a statement.

“While the Systest review pointed out "minor" errors, it has strongly recommended operational safeguards which if not properly implemented will seriously affect the accuracy of the results,” he added.
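
The findings listed above on database commands that lack enclosing transaction logic, and on error handling that leaves transactions improperly terminated, describe a failure mode that a small example makes concrete. The Python/SQLite code below is added here for illustration and is not code from the reviewed system or from the SysTest report; the schema, precinct IDs and function names are all constructed.

```python
import sqlite3

# Constructed schema and data, for illustration only.
SCHEMA = """
CREATE TABLE ballots (id INTEGER PRIMARY KEY, precinct TEXT NOT NULL);
CREATE TABLE tally (precinct TEXT PRIMARY KEY, registered INTEGER NOT NULL,
                    counted INTEGER NOT NULL, CHECK (counted <= registered));
INSERT INTO tally VALUES ('P-001', 1, 1), ('P-002', 5, 0);
INSERT INTO ballots (precinct) VALUES ('P-001');
"""
INSERT = "INSERT INTO ballots (precinct) VALUES (?)"
UPDATE = "UPDATE tally SET counted = counted + 1 WHERE precinct = ?"

def new_db():
    # isolation_level=None puts sqlite3 in autocommit mode: no implicit transactions.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    return conn

def record_unsafe(conn, precinct):
    """Two dependent writes with no enclosing transaction; the error is swallowed."""
    try:
        conn.execute(INSERT, (precinct,))   # committed immediately
        conn.execute(UPDATE, (precinct,))   # may fail the CHECK constraint
        return True
    except sqlite3.Error:
        return False                        # the INSERT above stays in the database

def record_atomic(conn, precinct):
    """Same writes in one transaction; any failure rolls both back and is re-raised."""
    conn.execute("BEGIN IMMEDIATE")
    try:
        conn.execute(INSERT, (precinct,))
        conn.execute(UPDATE, (precinct,))
    except Exception:
        conn.execute("ROLLBACK")
        raise
    conn.execute("COMMIT")

def state(conn, precinct):
    """Return (ballot rows stored, counted total) for a precinct; the two must match."""
    rows = conn.execute("SELECT COUNT(*) FROM ballots WHERE precinct = ?", (precinct,)).fetchone()[0]
    counted = conn.execute("SELECT counted FROM tally WHERE precinct = ?", (precinct,)).fetchone()[0]
    return rows, counted

if __name__ == "__main__":
    db = new_db()
    print("unsafe ok:", record_unsafe(db, "P-001"), "state:", state(db, "P-001"))
    db = new_db()
    try:
        record_atomic(db, "P-001")
    except sqlite3.IntegrityError as exc:
        print("atomic refused:", exc, "state:", state(db, "P-001"))
```

In the unsafe path the stored ballot rows and the counted total disagree after the failed update, while the transactional path leaves both tables as they were and surfaces the error to the caller.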