Remember the Hackers Who Invaded the COMELEC Website?
In March 2016, Anonymous Philippines defaced the COMELEC website with this message: "What happens when the electoral process is so mired with questions and controversies? Can the government still guarantee that the sovereignty of the people is upheld?"
Just in time for the elections two months later, the mysterious hacktivists spoke to Esquire—albeit very cryptically—about the vulnerabilities of our government’s IT systems, the security of our personal information, and the movement they support.
ESQUIRE PHILIPPINES: How did your group begin?
ANONYMOUS PHILIPPINES: The Anonymous collective in the Philippines took up speed back in 2012, during the midst of the controversial enactment of the Cybercrime Bill.
ESQ: How many people are a part of it?
AP: There is no definite number. We cannot be measured by any quantity, because anyone who has the same ideology is already a part of the collective.
ESQ: Do you directly communicate or associate yourselves with the people from the Anonymous Worldwide collective?
AP: For the most part, Anonymous Philippines is still premature. There are some, however, who do not affiliate themselves with the Anonymous collective in the Philippines, but who participate in the worldwide collective.
ESQ: For Anonymous Philippines, your operations have included: successfully hacking around 200 Chinese government and commercial websites in protest of protecting the West Philippine Seas; hacking local government’s websites in protest of the signing of the Cybercrime Prevention Act of 2012; and most recently, hacking the COMELEC website. These are just among many. How do you choose the issues to protest against?
AP: It would depend on the scale of the issue and if the general public is invested [in them].
ESQ: How easy is it to hack?
AP: Not as easy as you think. It takes a lot of time and effort to research possible loopholes in the system. Some may take hours, some days, while others may take months of research to discover peculiar behavior.
ESQ: What kind of loopholes do you usually detect?
AP: The usual loopholes are developer mistakes—for example, they could forget to implement “basic” security features. The most common “loophole” is an SQL injection [Ed’s Note: this is something which allows attackers to tamper or destroy existing data, or become administrators of the database server], but we prefer not to disclose any technicalities.
ESQ: What is the biggest misconception about hacking?
AP: The presumption that it can be “easy”. And how the media and the general public misinterpret “hacking” as “cracking.”
ESQ: What is the difference?
AP: Hacking is more an exploration of curiosity. Cracking has more devious gains. Hacking is accessing a computer system without the owner’s permission. Cracking, on the other hand, is where you edit a program’s source code. Or you could create a program, like a key generator, a patch, orsome sort of application that tricks an application into thinking that a particular process has occurred.
ESQ: What happens when a person who can hack then starts to use it for something other than good?
AP: Far worse than you can ever imagine. They would most likely be offering their services or selling a zero-day attack to the highest bidder. A zero-day attack is an exploit that is currently not known to the developers of the system, an unknown vulnerability to a certain platform. [Ed’s Note: it’s called “zero-day” because once the developer of the system finds out there is flaw, they have zero days to plan action against its exploitation]. Zero-days are sold and bought in underground forums. The bidders can vary, from criminal rings to government spy agencies. The bidding process occurs in underground message boards and IRC channels.
ESQ: Have you ever encountered people like this?
AP: Yes, quite a lot, frankly. To each man his own. It’s an unwritten rule. When someone gets screwed over, you just have to shut up and insist you have nothing to do with them.
ESQ: The upcoming elections will make use of the PCOS machines. What obvious loopholes do you see with this system that the COMELEC should fix immediately?
AP: The COMELEC conducted a code review for the software to be used in the PCOS machines. Anyone with software engineering experience can participate in the code review. The loopholes, however, are still the same—and it’s a human factor. If quality control fails, condescending loopholes will follow suit. The best possible way to combat this is to have a dedicated department for information technology, and encouraging open source so that everyone can freely participate. I know as a matter of fact that the local IT industry is capable enough to help improve and maintain good governance.
ESQ: Do you mean quality control with regards to protection of the ballots?
AP: Quality control in all aspects.
ESQ: When you say open source—do you mean that everyone can see how the machines read the data?
AP: Yes, and being able to modify the source code freely. If the source codes are open to the public, the opensource community can help in maintaining these websites without giving the government too much hassle.
ESQ: What are some of the most important things you have learned through hacking?
AP: To answer personally: another viewpoint in handling and solving complex problems; also knowing how things work, breaking them, and then documenting peculiar behaviors. Hacking isn’t only limited to computers, you can hack people too in real-time.
ESQ: How can a person feel protected online, now that citizens are capable of tapping private data?
AP: It all boils down to how aware a person is in maintaining their Operations Security or OPSEC [Ed’s Note: OPSEC is a U.S. Military term used to determine the protection of information that might be critical once it is obtained by adversaries.] It’s better to be informed and be aware of what’s going on… not only in our country, but in cyberspace as well.
ESQ: Were you personally involved in the defacement of the COMELEC website?
AP: If you are referring to the person who is typing these answers, yes (I am n3far1ous), but I want to address that these were referred to all of the people behind the Anonymous Philippines Facebook page.
ESQ: How many people does it take to deface a website? For example, the COMELEC website?
AP: It only takes one.
ESQ: Where do you meet?
AP: Social Networks like Facebook and in Internet Relay Chat (IRC) rooms.
ESQ: Can you give us an idea of the culture of the collective?
AP: Anonymous is a nascent and small culture, but one with its own aesthetics and values, art and literature, social norms and ways of production, and even its own dialectic language. Anonymous is not a group, but rather a movement.
This article originally appeared in the May 2016 issue of Esquire Philippines. Minor edits have been made by the Esquiremag.ph editors.