Polish electoral calculator
-
Basically someone decompiled the bytecode of the software used in Polish elections. This is after the system failed yesterday for over a day.
Background: Poland wanted a fancy electronic system for reporting votes, attendance, etc. because killing trees is bad. They put out an RFP in July 2014 and selected a winner in August 2014. The winner had 3 months to build it. And it's 3 months later and they tried to use it!
1. Calculator module for the district electoral commission in the local elections,
2. Control module for tracking the voting-result protocols in the circuit,
3. Module for receiving electronic data with the circuit's voting-result protocols sent by the election converter module,
4. Handler for the electoral authority (the territorial election commission, the election commissioner and the National Electoral Commission) on the authority's premises,
5. Module for determining voting results and election results,
6. Software for managing the IT election service, based on an LDAP database made available by the Employer,
7. Public key infrastructure software for issuing and sharing certificates,
8. Data collection system for electoral committees, candidate lists and candidates, and for districts, counties and committee sites made available by the Employer,
9. Implementation of data export, providing transfer of data on election committees, candidate lists and candidates, voting districts, constituencies and voting results, and the division of seats, into the archive (implemented as a relational database),
10. Implementation of the input handler: receiving data on the number of voters who took part during the voting, transfer of supervision, accuracy control,
11. Conducting training for users of the ordered software,
12. Administering the IT infrastructure on the Employer's premises and in the external processing centre.
Problems mentioned by others:
- PDB files were distributed with the application, so the source code being recoverable is a no-duh
- It uses plain text to transmit election results, and uses HTTP as a fallback when HTTPS doesn't work (LOL).
So let's see:
//https://github.com/wybory2014/Kalkulator1/blob/master/Kalkulator1/Attendance.cs
[code]
string xml = "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>";
xml += "<save>";
[/code]
Creates XML by hand.
[code]
try
{
    if (this.attendanceHour.SelectedItem != null)
    {
        hour = (this.attendanceHour.SelectedItem as AttendanceItem).getName();
    }
}
catch (System.Exception ex)
{
    // swallowed: if the cast or the lookup throws, hour silently keeps its previous value
}
[/code]
Didn't want the hour anyway.
[code]
string xml = "";
xml = xml + "<jns_kod>" + this.jns.Text + "</jns_kod>";   // raw TextBox text, no escaping
if (this.role == "P")
{
    xml = xml + "<nrObwodu>" + this.obwod.Text + "</nrObwodu>";
}
else
{
    string obw = "";
    if (this.obwodList.SelectedItem != null)
    {
        obw = (this.obwodList.SelectedItem as AttendanceOBWItem).getName().ToString();
    }
    xml = xml + "<nrObwodu>" + obw + "</nrObwodu>";   // empty element when nothing is selected
}
[/code]
Hand-built XML also has no consistency in naming: camelCase plus underscores, why not!
[code]
// UI message strings translated from Polish
private void setComboBoxHour(string electoralEampaignSave)
{
    if (!System.IO.Directory.Exists(this.path + "\\Attendance"))
    {
        try
        {
            System.IO.Directory.CreateDirectory(this.path + "\\Attendance");
        }
        catch (System.ArgumentNullException)
        {
            MessageBox.Show("Invalid path. Cannot create the \"Attendance\" directory", "Error");
        }
        catch (System.ArgumentException)
        {
            MessageBox.Show("Invalid path. Cannot create the \"Attendance\" directory", "Error");
        }
        catch (System.UnauthorizedAccessException)
        {
            MessageBox.Show("You do not have permission to create directories. Run the application as administrator.", "Warning");
        }
        catch (System.IO.PathTooLongException)
        {
            MessageBox.Show("Invalid path. Cannot create the \"Attendance\" directory", "Error");
        }
        catch (System.IO.DirectoryNotFoundException)
        {
            MessageBox.Show("Invalid path. Cannot create the \"Attendance\" directory", "Error");
        }
        catch (System.NotSupportedException)
        {
            MessageBox.Show("Invalid path format. Cannot create the \"Attendance\" directory", "Error");
        }
        catch (System.IO.IOException)
        {
            MessageBox.Show("Invalid path. Cannot create the \"Attendance\" directory", "Error");
        }
        // no return here: execution falls through to the download and Load() below
        // even when the directory could not be created
    }
    string uri = "KALK/freq/" + electoralEampaignSave.Replace('_', '/') + "-freq";
    Connection con = new Connection();
    KLKresponse res = con.getRequestKBWKlk(uri, this.path + "\\Attendance\\frekwencja.xml", 0);
    XmlDocument hour = new XmlDocument();
    hour.Load(this.path + "\\Attendance\\frekwencja.xml");
    XmlNode hourRoot = hour.SelectSingleNode("/frekwencja");
    System.Collections.ArrayList AttendanceTime = new System.Collections.ArrayList();
    AttendanceTime.Add(new AttendanceItem("0", ""));
    foreach (XmlNode item in hourRoot)
    {
        XmlNode id = item.Attributes.GetNamedItem("id");
        XmlNode value = item.Attributes.GetNamedItem("value");
        if (id != null && value != null)
        {
            AttendanceTime.Add(new AttendanceItem(id.Value, value.Value));
        }
    }
    this.attendanceHour.DataSource = AttendanceTime;
    this.attendanceHour.DisplayMember = "LongName";
    this.attendanceHour.ValueMember = "ShortName";
}
[/code]
So it bitches and moans about an error but fails to actually exit the function, so I can only assume the file writes that occur afterwards (after a file-exists-check exception) == gun in mouth.
That's just one file.
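An added example, not from the Kalkulator1 repository and written in Python rather than C# so it runs stand-alone: the string-concatenation pattern above, fed a TextBox value that carries markup, beside a builder that escapes the text and refuses blank required fields instead of emitting an empty element. The element names save, jns_kod, nrObwodu and frekwencja come from the decompiled code; the unit code and the crafted district number are constructed inputs.

```python
# Added example (not from the decompiled Kalkulator1 source): what hand-built XML
# does with form-field text, next to a builder that escapes it and fails closed.
import xml.etree.ElementTree as ET


def build_save_concat(jns_kod: str, nr_obwodu: str) -> str:
    """Same pattern as Attendance.cs: raw TextBox contents glued into the document."""
    xml = '<?xml version="1.0" encoding="UTF-8" ?>'
    xml += "<save>"
    xml += "<jns_kod>" + jns_kod + "</jns_kod>"
    xml += "<nrObwodu>" + nr_obwodu + "</nrObwodu>"
    xml += "</save>"
    return xml


def build_save_safe(jns_kod: str, nr_obwodu: str) -> str:
    """The serialiser escapes markup characters; a blank required field is an error,
    not an empty <nrObwodu></nrObwodu> that the receiver happily stores."""
    for name, value in (("jns_kod", jns_kod), ("nrObwodu", nr_obwodu)):
        if not value.strip():
            raise ValueError(f"required field {name} is empty")
    root = ET.Element("save")
    ET.SubElement(root, "jns_kod").text = jns_kod
    ET.SubElement(root, "nrObwodu").text = nr_obwodu
    return ET.tostring(root, encoding="unicode")


def child_tags(doc: str) -> list:
    """Element names the receiving side sees directly under <save>."""
    return [child.tag for child in ET.fromstring(doc)]


def field_text(doc: str, tag: str) -> str:
    """Text of the first <tag> child, '' if the element is empty."""
    return ET.fromstring(doc).find(tag).text or ""


# Constructed inputs: a plausible unit code, and a district number that closes its own
# element and smuggles in a <frekwencja> element (the name the calculator otherwise
# only reads from the server's attendance file).
JNS_KOD = "020101"
INJECTED_NR_OBWODU = "7</nrObwodu><frekwencja>0</frekwencja><nrObwodu>"

if __name__ == "__main__":
    print("concat :", child_tags(build_save_concat(JNS_KOD, INJECTED_NR_OBWODU)))
    print("escaped:", child_tags(build_save_safe(JNS_KOD, INJECTED_NR_OBWODU)))
    print("blank district via concat:", repr(field_text(build_save_concat(JNS_KOD, ""), "nrObwodu")))
```

With concatenation the crafted value parses as four well-formed children, one of them an element the operator was never meant to write; the ElementTree version keeps it as the literal text of a single nrObwodu, and an empty field raises before anything is sent rather than producing the blank record the swallowed exceptions above would otherwise submit.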
-
Ah, had to find the http fallback.
[code]
public Connection()
{
    this.servers = new string[1];
    this.servers[0] = "https://syswyb.kbw.gov.pl/";   // primary: TLS
    this.servers2 = new string[1];
    this.servers2[0] = "http://klk.kbw.gov.pl/";      // fallback: plaintext
    this.timeout = 30000;
}
[/code]
servers2 is used when, as you find out digging through, ANY kind of web exception while trying to talk to the https server results in it doing http.
[code]
catch (System.Net.WebException)
{
    // any WebException (timeout, DNS failure, certificate error...) bumps the index and retries
    i++;
    result = this.getRequestKBWKlk(uri, savePath, i);
    return result;
}
[/code]
which calls
[code]
public KLKresponse getRequestKBWKlkDocx(string uri, string savePath, int i)
{
    int bytesProcessed = 0;
    KLKresponse res = new KLKresponse();
    KLKresponse result;
    if (i < this.servers2.Length)
    {
        System.Uri target = new System.Uri(this.servers2[i] + uri);
[/code]
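An added example, not from the decompiled Connection class, again in Python with a stub transport so it runs offline: the same shape as getRequestKBWKlk, where any exception on the TLS host moves on to servers2 over plain HTTP, beside a client that retries only transient errors on the TLS host and fails closed on a certificate or handshake error. The hostnames are the ones in the constructor above; the request path and the simulated failures are constructed.

```python
# Added example (not from the decompiled Connection class): silent HTTPS-to-HTTP fallback
# on any error, beside a client that never leaves TLS. Network calls are replaced by a
# stub transport so the comparison runs offline.
import socket
import ssl

SERVERS_TLS = ["https://syswyb.kbw.gov.pl/"]   # servers[] in the decompiled constructor
SERVERS_PLAIN = ["http://klk.kbw.gov.pl/"]    # servers2[]

# Shape of the attendance request built in setComboBoxHour; the middle segment is constructed.
URI = "KALK/freq/sample-freq"


def fetch_with_fallback(uri, transport):
    """Any exception on a TLS host moves on to servers2 over plaintext, like the WebException catch."""
    for base in SERVERS_TLS + SERVERS_PLAIN:
        try:
            return transport(base + uri)
        except Exception:
            continue
    return None


def fetch_fail_closed(uri, transport, attempts=3):
    """Retry the TLS host on timeouts/resets; a TLS error is fatal and nothing is ever sent in the clear."""
    last = None
    for base in SERVERS_TLS:
        for _ in range(attempts):
            try:
                return transport(base + uri)
            except ssl.SSLError:
                raise                       # bad certificate or handshake: no retry, no downgrade
            except (socket.timeout, ConnectionError) as exc:
                last = exc                  # transient: try the same TLS endpoint again
    raise ConnectionError(f"could not reach any TLS server for {uri}") from last


def bad_cert_transport(url):
    """Constructed transport: TLS URLs fail certificate validation, plaintext URLs 'succeed'."""
    if url.startswith("https://"):
        raise ssl.SSLCertVerificationError("simulated: certificate verify failed")
    return ("plaintext", url)


def flaky_transport(failures=1):
    """Constructed transport: the first `failures` requests time out, then everything succeeds."""
    state = {"left": failures}

    def transport(url):
        if state["left"] > 0:
            state["left"] -= 1
            raise socket.timeout("simulated: read timed out")
        return ("tls" if url.startswith("https://") else "plaintext", url)

    return transport


def sends_plaintext(fetch, transport):
    """True if the client ended up on a plaintext host; False if it stayed on TLS or failed closed."""
    try:
        kind, _ = fetch(URI, transport)
    except Exception:
        return False
    return kind == "plaintext"


if __name__ == "__main__":
    print("fallback, bad cert :", sends_plaintext(fetch_with_fallback, bad_cert_transport))
    print("fallback, one timeout:", sends_plaintext(fetch_with_fallback, flaky_transport(1)))
    print("fail-closed, bad cert:", sends_plaintext(fetch_fail_closed, bad_cert_transport))
    print("fail-closed, one timeout:", fetch_fail_closed(URI, flaky_transport(1)))
```

The point the stub makes visible is that the fallback client cannot tell a certificate failure from a dropped packet: a single timeout is enough to move election data onto klk.kbw.gov.pl in the clear, which is exactly what an on-path attacker who can block the TLS connection wants. The fail-closed variant spends its retries on the TLS host and turns a certificate error into a hard failure the operator has to look at.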
-
More from reddit;
https://www.reddit.com/r/programming/comments/2ml27h/source_code_of_polish_electoral_calculator_big/
[code]
catch (XmlException)
{
}
catch (System.NullReferenceException)
{
}
[/code]
Because null checking is hard
[code]
3283 private void getCalculator()
3284 {
...
4941 }
[/code]
Didn't actually need that calculator
Guess who won the contract to code this crap?
[code]
[assembly: System.Reflection.AssemblyCompany("Hewlett-Packard Company")]
[/code]
-
bump for great justice. There's tons of WTF in here.
-
We install applications around here. Brillant!
-
To the Temporary paths thread!!
-
Background: Poland wanted a fancy electronic system for reporting votes, attendance, etc. because killing trees is bad.
Not quite - you still get a piece of paper, it just helps with getting the reports out faster. In principle, that is...
They put out an RFP in July 2014 and selected a winner in August 2014.
And it was, from what I know, the lowest bidder (standard procedure, by the way). Which explains a lot.
Of course, given that it's Poland, there's a lot of tinfoil demand lately...
So it bitches and moans about an error but fails to actually exit the function, so I can only assume the file writes that occur afterwards (after a file-exists-check exception) == gun in mouth
Classic
On Error Resume Next
.
-
By the way, no surprise the printing module failed...
The file doesn't even fit on screen in GitHub.
Also:
According to a rough analysis of the executable and the application workflow, one can only assume that the task of creating the Election Calculator was given to a single student, probably working for an external contractor. Ms. Agnieszka, we're with you!
Poland is a country where the fate of thousands of electoral commission members rests with a beginner programmer.
-
this.servers[0] = "https://syswyb.kbw.gov.pl/";
I see what the problem is. They are using perl
would not have happened if they used php
-
I see what the problem is. They are using perl
would not have happened if they used Python
FTFY
-
Not quite - you still get a piece of paper, it just helps with getting the reports out faster. In principle, that is...
Meh, it's what I got from an article, I don't read Polish often, don't blame me! It took me an hour just to read that article >_<
-
And it was, from what I know, the lowest bidder (standard procedure, by the way). Which explains a lot.
Of course, given that it's Poland, there's a lot of tinfoil demand lately...
It was the ONLY bidder. No other company was desperate enough to accept such ridiculous requirements (3 months ftw!)
-
(3 months ftw!)
Given the quality of the code, I'm surprised it actually took 3 months.
Though, granted, manually banging out an HTML page from XML via string concatenation is tough...
-
The most ridiculous thing is that this project was delivered in time. This doesn't happen often in Poland. Thoroughly bugged software that's rendered unusable - yes. But TBSTRU delivered in time - no.
-
I do hope it's just one module of the system that was made as part of this public tender.
-
I do hope it's just one module of the system that was made as part of this public tender.
As far as I can tell, it's the report printing module. Which, coincidentally, is also the exact module that fucked up.
It was the ONLY bidder. No other company was desperate enough to accept such ridiculous requirements
Indeed it was; but for the wrong reasons. You see, when the criteria are 49% "price" and 51% "idea", it's an obvious sign that the bid is rigged towards a particular company (since no matter what price you offer, they can still zero your score on the "idea" part).
-
If you are referring to ".pl", it's not the perl extension but Poland's TLD
-
Wooooosh?
-
If you are referring to ".pl", it's not the perl extension but Poland's TLD
Is it appropriate to write *whoosh * here? I'm relatively new over here, still trying to grasp the local culture.
...oh, ninja'd. But still gonna post because I had to put 29 spaces in between * and \* above to get an italic whoosh surrounded by spaces. And can't get the ending * to italic. @discoursebot ?
-
@Gaska - Days Since Last Discourse Bug: 0
-
<i>\woosh\</i>
?
-
Is it appropriate to write *whoosh * here? I'm relatively new over here, still trying to grasp the local culture.
It's mandatory.
...oh, ninja'd.
Mostly we refer to that as Hanzo'd over here, named after an (in)famous IT-ninja nobody wants to read about.
But still gonna post because I had to put 29 spaces in between * and \* above to get an italic whoosh surrounded by spaces. And can't get the ending * to italic. @discoursebot ?
That's Discourse or CommonMark for you. Welcome!
-
It's called Hanzo'd here, named after an (in)famous IT-ninja nobody wants to read about.
Last I checked, Hanzo is dead, courtesy of Blizzard's new game.
-
*ahem*
Ladies and gentleladies*! I present to you our newest TDWTF hero! He's so badass that not even death could stop him! His trusty katana shall strike down the unworthy and his ravening appetite shall keep him ever vigilant....
It is my great pleasure to present to you.......
ZOMBIE HANZO!
* and the guys too i guess... maybe
-
ZOMBIE HANZO!
Sorry, Halloween was last month. We're celebrating Hanzo the Turkey now.
-
Sorry, Halloween was last month. We're celebrating Hanzo the Turkey now.
I'm pretty sure they don't have Thanksgiving in Deutschland.
-
-
I'm pretty sure they don't have Thanksgiving in Deutschland.
http://de.wikipedia.org/wiki/Erntedankfest (not a national holiday, though)
BTW: According to that Wikipedia article, Thanksgiving celebrates the first Erntedank celebration of the pilgrims?!
-
Come on now, *Markdown isn't that hard* You have to escape both of the inner asterisks.
Edit: I say that and then I get a formatting Discobug. Literally WTF how hard can it be to make Markdown work correctly @discoursebot
-
@JazzyJosh - Days Since Last Discourse Bug: 0
-
Well, actually the company that won the contract is called Nabino and has nothing to do with Hewlett-Packard.
They put HP in assembly information for some reason (maybe copied from OS settings?).
-
maybe copied from OS settings
Likely. The assembly company comes from the registered owner of the computer. For OEM installs, this is often set to the computer's manufacturer.
-
Basically someone decompiled the byte code
At least one person on the forum thinks that anyone who decompiles code before the heat death of the universe should be strung up by their entrails.
Not me, but just pointing this out. ;)
-
@Intercourse said:
At least one person on the forum thinks that anyone who decompiles code before the heat death of the universe should be strung up by their entrails.
Not me, but just pointing this out. ;)
Why? They distributed the .pdb files with the dlls, which made decompiling even more reliable.
-
@Intercourse said:
At least one person on the forum thinks that anyone who decompiles code before the heat death of the universe should be strung up by their entrails.
Interestingly, there are two opposite factions that share this same thought. One is IP protectors, who want to milk the cow named Michael Jackson until the end of the world, etc., and so they consider decompiling source the worst crime ever, worse than serial murder and on par with torrenting. The other is anarchocommunists who think no one should decompile binaries because the original source code should be available free of charge in the first place.
-
Surely they can work in an exception for the compiler writers.
-
More news:
- an incredibly high number of invalid votes
- the National Electoral Commission's website and a database holding employees' passwords were hacked
- ETA on complete official results is Monday
-
- an incredibly high number of invalid votes
- the National Electoral Commission's website and a database holding employees' passwords were hacked
Big surprise there given the quality of this app alone
-
Big surprise there given the quality of this app alone
Such an explanation makes sense in the case of the website getting hacked. But it doesn't explain invalid votes.
Just to clear it up: an invalid vote is when a member of the local commission (who gets the votes out of the urn, counts them and enters them into the system) spots a ballot that has either no candidate marked or more than one candidate marked. In some districts, the invalid-vote percentage is as high as 10-20%. I seriously doubt 20% of voters are so stupid they can't mark one and only one candidate.
-
I seriously doubt 20% of voters are so stupid they can't even mark one and only one candidate.
Did anyone from Florida vote?
-
You think some of our old butterfly ballots got shipped over to Poland? Maybe Karl Rove is doing some international consulting and this is another episode of "hanging chad"?
-
Did anyone from Florida vote?
In Newcastle, the inky hand print often covers more than one candidate.
Filed under: Banned by @PJH in 5, 4, 3...
-
In Newcastle, the inky hand print often covers more than one candidate.
It's usually the webbing between the fingers to blame.
On other occasions, it's the number of digits..
-
I thought that was mainly a problem in Norfolk...
-
No, it's not a problem in Norfolk - there it's normal.
-
Also
_\*whoosh\*_
.
-
Such an explanation makes sense in the case of the website getting hacked. But it doesn't explain invalid votes.
Just to clear it up: an invalid vote is when a member of the local commission (who gets the votes out of the urn, counts them and enters them into the system) spots a ballot that has either no candidate marked or more than one candidate marked. In some districts, the invalid-vote percentage is as high as 10-20%. I seriously doubt 20% of voters are so stupid they can't mark one and only one candidate.
Are you sure? Because this app has plenty of places where it will submit blank results. One example I included above as well: when it fails input validation (i.e. an exception occurs), it submits the record anyway to whatever server.
-
Actually, I lied. This 10-20% invalids thing was from previous elections where they didn't use this piece of utter shit (or any other, for what I know).
-
Actually, a computer system for elections has been in use for over 10 years (if I remember correctly; I worked with it during every election from the start).
The current utter shit system is the third one in use. The first one was shit too, but it was used only once or twice.
The second system, used for some 8 or 9 years, was very good: stable, fast, ergonomic, intuitive, etc. (didn't see its source code though).
So why did they order a new system from an unknown shitty company if they had a proven solution in use?
From what I heard (source in the know, but the information is by no means official), the creator of the second system wanted 'too much' for its support, someone from the Election Committee got angry and decided 'screw them, we'll get a new one'.
Long time lurker, first post, yay!
-
Sorry, Halloween was last month. We're celebrating Hanzo the Turkey now.
Wasn't our behated(1) Hanzo always a turkey?
(1) Like beloved, but in a very negative sense, and definitely not "behatted".