Polish electoral calculator



  • Basically someone decompiled the byte code of the software used in Polish elections. This is after the system failed yesterday for over a day.

    Background: Poland wanted a fancy electronic system for reporting votes, attendance, etc because killing trees is bad. They put out an RFP in July 2014, selected a winner in August 2014. The winner had 3 months to build it. And it's 3 months later and they tried to use it!

    1. Calculator module for handling electoral district electoral commission in the local elections,
    2. Control module trailing protocols of voting results in the circuit,
    3. Module adoption of electronic data with the protocols of voting results in the circuit sent by the converter module election,
    4. The handler electoral authority (the territorial election commission, election commissioner and the National Electoral Commission) in the properties of the body,
    5. Module determining voting results and election results,
    6. Software for management of the IT service choices based on LDAP database made available by the Employer,
    7. Software service public key infrastructure to issue and share certificates,
    8. Data collection system of electoral committees, lists of candidates and the candidates and districts, counties and warehouses committee of sites made available by the Employer,
    9. Implementation of export data, providing data transfer of election committees, lists of candidates and candidates voting districts, constituencies and voting results, performance division of seats in the archive (implemented as a relational database),
    10. Execution of the handler entry, receive data on the number of voters who took part in the vote during the voting, transfer of supervision, control accuracy,
    11. Conducting training of users of the ordered software,
    12. Administering the IT infrastructure in the premises of the Employer and the external processing center.

    Problems mentioned by others:

    1. PDB files were distributed with the application, so the source code now being accessible is a no duh
    2. It uses plain text to transmit election results, and uses HTTP as a fallback for HTTPS not working (LOL).

    So let's see:
    //https://github.com/wybory2014/Kalkulator1/blob/master/Kalkulator1/Attendance.cs
    [code]
    string xml = "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>";
    xml += "<save>";
    [/code]
    Creates XML by hand.
    [code]
    try
    {
        if (this.attendanceHour.SelectedItem != null)
        {
            hour = (this.attendanceHour.SelectedItem as AttendanceItem).getName();
        }
    }
    catch (System.Exception ex)
    {
    }
    [/code]
    Didn't want the hour anyway.

    [code]
    string xml = "";
    xml = xml + "<jns_kod>" + this.jns.Text + "</jns_kod>";
    if (this.role == "P")
    {
        xml = xml + "<nrObwodu>" + this.obwod.Text + "</nrObwodu>";
    }
    else
    {
        string obw = "";
        if (this.obwodList.SelectedItem != null)
        {
            obw = (this.obwodList.SelectedItem as AttendanceOBWItem).getName().ToString();
        }
        xml = xml + "<nrObwodu>" + obw + "</nrObwodu>";
    }
    [/code]

    Hand-built XML also has no consistency in naming: camel case + underscores, why not!

    [code]
    private void setComboBoxHour(string electoralEampaignSave)
    {
        if (!System.IO.Directory.Exists(this.path + "\\Attendance"))
        {
            try
            {
                System.IO.Directory.CreateDirectory(this.path + "\\Attendance");
            }
            catch (System.ArgumentNullException)
            {
                MessageBox.Show("Nieprawidłowa ścieżka. Nie można utworzyć katalogu \"Attendance\"", "Error");
            }
            catch (System.ArgumentException)
            {
                MessageBox.Show("Nieprawidłowa ścieżka. Nie można utworzyć katalogu \"Attendance\"", "Error");
            }
            catch (System.UnauthorizedAccessException)
            {
                MessageBox.Show("Nie masz uprawnień do tworzenia katalogów. Otwórz aplikacje jako adnimistrator.", "Uwaga");
            }
            catch (System.IO.PathTooLongException)
            {
                MessageBox.Show("Nieprawidłowa ścieżka. Nie można utworzyć katalogu \"Attendance\"", "Error");
            }
            catch (System.IO.DirectoryNotFoundException)
            {
                MessageBox.Show("Nieprawidłowa ścieżka. Nie można utworzyć katalogu \"Attendance\"", "Error");
            }
            catch (System.NotSupportedException)
            {
                MessageBox.Show("Nieprawidłowy format ścieżki. Nie można utworzyć katalogu \"Attendance\"", "Error");
            }
            catch (System.IO.IOException)
            {
                MessageBox.Show("Nieprawidłowa ścieżka. Nie można utworzyć katalogu \"Attendance\"", "Error");
            }
        }
        string uri = "KALK/freq/" + electoralEampaignSave.Replace('_', '/') + "-freq";
        Connection con = new Connection();
        KLKresponse res = con.getRequestKBWKlk(uri, this.path + "\\Attendance\\frekwencja.xml", 0);
        XmlDocument hour = new XmlDocument();
        hour.Load(this.path + "\\Attendance\\frekwencja.xml");
        XmlNode hourRoot = hour.SelectSingleNode("/frekwencja");
        System.Collections.ArrayList AttendanceTime = new System.Collections.ArrayList();
        AttendanceTime.Add(new AttendanceItem("0", ""));
        foreach (XmlNode item in hourRoot)
        {
            XmlNode id = item.Attributes.GetNamedItem("id");
            XmlNode value = item.Attributes.GetNamedItem("value");
            if (id != null && value != null)
            {
                AttendanceTime.Add(new AttendanceItem(id.Value, value.Value));
            }
        }
        this.attendanceHour.DataSource = AttendanceTime;
        this.attendanceHour.DisplayMember = "LongName";
        this.attendanceHour.ValueMember = "ShortName";
    }
    [/code]
    So it bitches and moans about an error but fails to actually exit out of the function, so I can only assume the file writes that occur afterwards (after a file-exists-check exception) == gun in mouth

    That's just one file.
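
Added example, not code from the decompiled Kalkulator1 repository: the `<save>` record above is assembled by string concatenation, so a stray `&` or `<` typed into a form field yields a document no parser accepts, and the swallowed exceptions mean nothing stops it from being sent. The same fields written with XmlWriter come out escaped, and a well-formedness check gates the send. Element names follow the quoted snippets; the input values are constructed.

```csharp
// Added example, not part of the decompiled Kalkulator1 source. Element names
// (<save>, <jns_kod>, <nrObwodu>) follow the snippets quoted above; the values are constructed.
using System;
using System.Text;
using System.Xml;

static class SaveRecord
{
    // Concatenation as in the decompiled code: whatever the operator typed is
    // pasted in verbatim, so '&' or '<' in a field breaks the whole document.
    public static string BuildByConcat(string jnsKod, string nrObwodu)
    {
        string xml = "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>";
        xml += "<save>";
        xml = xml + "<jns_kod>" + jnsKod + "</jns_kod>";
        xml = xml + "<nrObwodu>" + nrObwodu + "</nrObwodu>";
        xml += "</save>";
        return xml;
    }

    // XmlWriter escapes &, <, > and quotes in element text, so the output is
    // well-formed for any input. The declaration is omitted because a
    // StringBuilder target would label it utf-16 anyway.
    public static string BuildWithWriter(string jnsKod, string nrObwodu)
    {
        var sb = new StringBuilder();
        var settings = new XmlWriterSettings { OmitXmlDeclaration = true };
        using (var w = XmlWriter.Create(sb, settings))
        {
            w.WriteStartElement("save");
            w.WriteElementString("jns_kod", jnsKod);
            w.WriteElementString("nrObwodu", nrObwodu);
            w.WriteEndElement();
        }
        return sb.ToString();
    }

    // Gate before sending: a record that does not parse is rejected here,
    // instead of being submitted after the exception has been swallowed.
    public static bool IsWellFormed(string xml)
    {
        try { new XmlDocument().LoadXml(xml); return true; }
        catch (XmlException) { return false; }
    }

    static void Main()
    {
        string typed = "0261&<01";  // constructed: stray characters in a form field
        Console.WriteLine("concat well-formed: " + IsWellFormed(BuildByConcat(typed, "7")));
        Console.WriteLine("writer well-formed: " + IsWellFormed(BuildWithWriter(typed, "7")));
        Console.WriteLine(BuildWithWriter(typed, "7"));
    }
}
```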



  • Ah, had to find the http fallback.

    [code]
    public Connection()
    {
        this.servers = new string[1];
        this.servers[0] = "https://syswyb.kbw.gov.pl/";
        this.servers2 = new string[1];
        this.servers2[0] = "http://klk.kbw.gov.pl/";
        this.timeout = 30000;
    }
    [/code]

    servers2 is used when, as you find out if you dig through, ANY kind of web exception trying to talk to the https server results in it doing http.
    [code]
    catch (System.Net.WebException)
    {
        i++;
        result = this.getRequestKBWKlk(uri, savePath, i);
        return result;
    }
    [/code]

    which calls
    [code]
    public KLKresponse getRequestKBWKlkDocx(string uri, string savePath, int i)
    {
        int bytesProcessed = 0;
        KLKresponse res = new KLKresponse();
        KLKresponse result;
        if (i < this.servers2.Length)
        {
            System.Uri target = new System.Uri(this.servers2[i] + uri);
    [/code]
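
Added example, not code from the decompiled source: a Connection that keeps the retry-on-WebException shape of the snippets above but has no servers2 list, so a failing HTTPS host is followed by the next HTTPS host or by an error the caller sees, never by a repeat of the request over http. The hostnames are the ones in the quoted constructor; the endpoint list and the fetch delegate are constructed stand-ins so it runs offline.

```csharp
// Added example, not part of the decompiled Kalkulator1 source. Hostnames are the
// ones in the quoted constructor; the endpoint list and fetch delegate are stand-ins.
using System;
using System.Net;

public class KlkResponse { public byte[] Body; public Uri Source; }

public class SafeConnection
{
    private readonly Uri[] servers;
    private readonly Func<Uri, byte[]> fetch;

    public SafeConnection(string[] endpoints, Func<Uri, byte[]> fetch)
    {
        this.servers = new Uri[endpoints.Length];
        for (int i = 0; i < endpoints.Length; i++)
        {
            var u = new Uri(endpoints[i]);
            // Plaintext endpoints are refused at construction; there is no servers2.
            if (u.Scheme != Uri.UriSchemeHttps)
                throw new ArgumentException("plaintext endpoint refused: " + u);
            this.servers[i] = u;
        }
        this.fetch = fetch;
    }

    // Same shape as the quoted retry: a WebException moves to the next server.
    // The difference is what happens when the list runs out: the error is
    // raised to the caller instead of the request being repeated over http.
    public KlkResponse GetRequest(string relativeUri)
    {
        Exception last = null;
        foreach (var server in servers)
        {
            var target = new Uri(server, relativeUri);
            try { return new KlkResponse { Body = fetch(target), Source = target }; }
            catch (WebException ex) { last = ex; }
        }
        throw new InvalidOperationException("all HTTPS endpoints failed", last);
    }

    static void Main()
    {
        // Constructed stand-in for the network: the first host is "down", the second answers.
        Func<Uri, byte[]> fakeFetch = u => u.Host == "syswyb.kbw.gov.pl"
            ? throw new WebException("unreachable")
            : new byte[] { 0x3c, 0x66, 0x3e };

        var con = new SafeConnection(
            new[] { "https://syswyb.kbw.gov.pl/", "https://klk.kbw.gov.pl/" }, fakeFetch);
        Console.WriteLine("served by " + con.GetRequest("KALK/freq/2014-freq").Source);

        try { new SafeConnection(new[] { "http://klk.kbw.gov.pl/" }, fakeFetch); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
    }
}
```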



  • More from reddit:
    https://www.reddit.com/r/programming/comments/2ml27h/source_code_of_polish_electoral_calculator_big/

    [code]
    catch (XmlException)
    {
    }
    catch (System.NullReferenceException)
    {
    }
    [/code]

    Because null checking is hard

    [code]
    3283 private void getCalculator()
    3284 {
    ...
    4941 }
    [/code]

    Didn't actually need that calculator

    Guess who won the contract to code this crap?

    [code]
    [assembly: System.Reflection.AssemblyCompany("Hewlett-Packard Company")]
    [/code]



  • bump for great justice. There's tons of WTF in here.



  • We instal applications around here. Brillant!



  • To the Temporary paths thread!!



  • @delfinom said:

    Background: Poland wanted a fancy electronic system for reporting votes, attendance, etc because killing trees is bad.

    Not quite - you still get a piece of paper, it just helps with getting the reports out faster. In principle, that is...

    @delfinom said:

    They put out a RFP in July 2014, selected a winner in August 2014.

    And it was, from what I know, the lowest bidder (standard procedure, by the way). Which explains a lot.

    Of course, given that it's Poland, there's a lot of tinfoil demand lately...

    @delfinom said:

    So it bitches and moans about an error but fails to actually exit out of the function, so I can only assume the file writes that occur afterwards (after a file-exists-check exception) == gun in mouth

    Classic On Error Resume Next.



  • By the way, no surprise the printing module failed...

    The file doesn't even fit on screen in GitHub.

    Also:

    According to the rough analysis of the executable and the application workflow one can only assume that the task of creating the Election Calculator has been given to a single student, probably working for an external contractor. Ms. Agnieszka, we're with you!

    Poland is a country where the fate of thousands of electoral commission members rests with a beginner programmer.



  • @delfinom said:

    this.servers[0] = "https://syswyb.kbw.gov.pl/";

    I see what is the problem. They are using perl

    would not have happened if they used php



  • @Monarch said:

    I see what is the problem. They are using perl

    would not have happened if they used Python

    FTFY



  • @Maciejasjmj said:

    Not quite - you still get a piece of paper, it just helps with getting the reports out faster. In principle, that is...

    Meh, it's what I got from an article, I don't read Polish often, don't blame me! It took me an hour just to read that article >_<



  • And it was, from what I know, the lowest bidder (standard procedure, by the way). Which explains a lot.

    Of course, given that it's Poland, there's a lot of tinfoil demand lately...

    It was the ONLY bidder. No other company was desperate enough to accept such ridiculous requirements (3 months ftw!)



  • @klarki said:

    (3 months ftw!)

    Given the quality of the code, I'm surprised it actually took 3 months.

    Though, granted, manually banging an HTML page from XML via string concatenation is tough...


  • Banned

    The most ridiculous thing is that this project was delivered in time. This doesn't happen often in Poland. Thoroughly bugged software that's rendered unusable - yes. But TBSTRU delivered in time - no.



  • I do hope it's just one module of the system that was made as part of this public tender.



  • @klarki said:

    I do hope it's just one module of the system that was made as part of this public tender.

    As far as I can tell, it's the report printing module. Which, coincidentally, is also the exact module that fucked up.

    @klarki said:

    It was the ONLY bidder. No other company was desperate enough to accept such ridiculous requirements

    Indeed it was; but for the wrong reasons. You see, when the criteria are 49% "price" and 51% "idea", it's an obvious sign that the bid is rigged towards a particular company (since no matter what price you offer, they can still zero your score on the "idea" part).



  • If you are referring to ".pl", it's not the perl extension but Poland's TLD


  • Fake News

    Wooooosh?


  • Banned

    @Gipak said:

    If you are referring to ".pl", it's not the perl extension but Poland's TLD

    Is it appropriate to write *whoosh * here? I'm relatively new over here, still trying to grasp the local culture.

    ...oh, ninja'd. But still gonna post because I had to put 29 spaces in between * and \* above to get italic whoosh surrounded by spaces. And can't get the ending * to italic. @discoursebot ?



  • @Gaska - Days Since Last Discourse Bug: 0


  • FoxDev

    <i>\woosh\</i>

    ?


  • Fake News

    @Gaska said:

    Is it appropriate to write *whoosh * here? I'm relatively new over here, still trying to grasp the local culture.

    It's mandatory.

    @Gaska said:

    ...oh, ninja'd.
    Mostly we refer to that as Hanzo'd over here, named after an (in)famous IT-ninja nobody wants to read about.

    @Gaska said:

    But still gonna post because I had to put 29 spaces in between * and \* above to get italic whoosh surrounded by spaces. And can't get the ending * to italic. @discoursebot ?

    That's Discourse or CommonMark for you. Welcome!


  • Banned

    @JBert said:

    It's called Hanzo'd here, named after an (in)famous IT-ninja nobody wants to read about.

    Last I checked, Hanzo is dead, courtesy of Blizzard's new game.


  • FoxDev

    *ahem*

    Ladies and gentleladies*! I present to you our newest TDWTF hero! He's so badass that not even death could stop him! His trusty katana shall strike down the unworthy and his ravening appetite shall keep him ever vigilant....

    It is my great pleasure to present to you.......

    ZOMBIE HANZO!

    * and the guys too i guess... maybe


  • ♿ (Parody)

    @accalia said:

    ZOMBIE HANZO!

    Sorry, Halloween was last month. We're celebrating Hanzo the Turkey now.


  • Banned

    @boomzilla said:

    Sorry, Halloween was last month. We're celebrating Hanzo the Turkey now.

    I'm pretty sure they don't have Thanksgiving in Deutschland.


  • ♿ (Parody)

    @Gaska said:

    I'm pretty sure they don't have Thanksgiving in Deutschland.

    Sure they do:


  • Winner of the 2016 Presidential Election

    @Gaska said:

    I'm pretty sure they don't have Thanksgiving in Deutschland.

    http://de.wikipedia.org/wiki/Erntedankfest (not a national holiday, though)

    BTW: According to that Wikipedia article, Thanksgiving celebrates the first Erntedank celebration of the pilgrims?!



  • Come on now, *Markdown isn't that hard* You have to escape both of the inner asterisks.

    Edit: I say that and then I get a formatting Discobug. Literally WTF how hard can it be to make Markdown work correctly @discoursebot



  • @JazzyJosh - Days Since Last Discourse Bug: 0



  • Well, actually the company that won the contract is called Nabino and has nothing to do with Hewlett-Packard.
    They put HP in assembly information for some reason (maybe copied from OS settings?).



  • @krs said:

    maybe copied from OS settings

    Likely. The assembly company comes from the registered owner of the computer. For OEM installs, this is often set to the computer's manufacturer.


  • Grade A Premium Asshole

    @delfinom said:

    Basically someone decompiled the byte code

    At least one person on the forum thinks that anyone who decompiles code before the heat death of the universe should be strung up by their entrails.

    Not me, but just pointing this out. ;)



  • @Intercourse said:

    At least one person on the forum thinks that anyone who decompiles code before the heat death of the universe should be strung up by their entrails.

    Not me, but just pointing this out. ;)

    Why? They distributed the .pdb files with the dlls, which made decompiling even more reliable.


  • Banned

    @Intercourse said:

    At least one person on the forum thinks that anyone who decompiles code before the heat death of the universe should be strung up by their entrails.

    Interestingly, there are two opposite factions that share this same thought. One is IP protectors, who want to milk the cow named Michael Jackson until the end of the world, etc., and so they consider decompiling source the worst crime ever, worse than serial murder and on par with torrenting. The other is anarchocommunists who think no one should decompile binaries because the original source code should be available free of charge in the first place.



  • Surely they can work in an exception for the compiler writers.


  • Banned

    More news:

    • incredibly high number of invalid votes
    • National Electoral Commission's website and database holding employees' passwords were hacked
    • ETA on complete official results is Monday


    • incredibly high number of invalid votes
    • National Electoral Commission's website and database holding employees' passwords were hacked

    Big surprise there given the quality of this app alone


  • Banned

    @delfinom said:

    Big surprise there given the quality of this app alone

    Such explanation makes sense in case of website getting hacked. But it doesn't explain invalid votes.

    Just to clear it up: invalid vote is when a member of local commission (who gets the votes out of urn, counts them and enters into the system) spots a voting card that has either no candidate marked or more than one candidate marked. In some districts, invalid votes percentage is as high as 10-20%. I seriously doubt 20% of voters are so stupid they can't even mark one and only one candidate.


  • ♿ (Parody)

    @Gaska said:

    I seriously doubt 20% of voters are so stupid they can't even mark one and only one candidate.

    Did anyone from Florida vote?


  • Grade A Premium Asshole

    You think some of our old butterfly ballots got shipped over to Poland? Maybe Karl Rove is doing some international consulting and this is another episode of "hanging chad"?



  • @boomzilla said:

    Did anyone from Florida vote?

    In Newcastle, the inky hand print often covers more than one candidate.


    Filed under: Banned by @PJH in 5, 4, 3...


  • Discourse touched me in a no-no place

    @Keith said:

    In Newcastle, the inky hand print often covers more than one candidate.

    It's usually the webbing between the fingers to blame.

    On other occasions, it's the number of digits..



  • I thought that was mainly a problem in Norfolk...


  • Discourse touched me in a no-no place

    No, it's not a problem in Norfolk - there it's normal.



  • Also _\*whoosh\*_.



  • @Gaska said:

    Such explanation makes sense in case of website getting hacked. But it doesn't explain invalid votes.

    Just to clear it up: invalid vote is when a member of local commission (who gets the votes out of urn, counts them and enters into the system) spots a voting card that has either no candidate marked or more than one candidate marked. In some districts, invalid votes percentage is as high as 10-20%. I seriously doubt 20% of voters are so stupid they can't even mark one and only one candidate.


    Are you sure? Because this app has plenty of places where it will submit blank results. One example I included above as well: when it fails input validation (i.e. an exception occurs), it submits the record anyway to whatever server.


  • Banned

    Actually, I lied. This 10-20% invalids thing was from previous elections where they didn't use this piece of utter shit (or any other, for what I know).


  • Notification Spam Recipient

    Actually, a computer system for elections has been in use for over 10 years (if I remember correctly; I worked with it during every election from the start).
    The current utter shit system is the third one in use. The first one was shit too, but it was used only once or twice.
    The second system, used for some 8 or 9 years, was very good - stable, fast, ergonomic, intuitive, etc. (didn't see its source code though).

    So why did they order a new system from an unknown shitty company if they had a proven solution in use?
    From what I heard (source in the know, but the information is by no means official), the creator of the second system
    wanted 'too much' for its support, someone from the Election Committee got angry and decided 'screw them, we'll get a new one'.

    Long time lurker, first post, yay!



  • @boomzilla said:

    Sorry, Halloween was last month. We're celebrating Hanzo the Turkey now.

    Wasn't our behated(1) Hanzo always a turkey?

    (1) Like beloved, but in a very negative sense, and definitely not "behatted".

