[Tfug] Call for a volunteer or two...

Bexley Hall bexley401 at yahoo.com
Thu Aug 16 16:38:14 MST 2007


--- jblais <joe.blais at pti-instruments.com> wrote:

> > On that last, in this case, this is a Diebold system.  The city has
> > its own central tabulator station...basically a server-grade Dell
> > running Win2k and the Diebold software (really an MS-Access front
> > end).  Key thing that must NOT be anywhere around: MS-Access.  It's
> > usable as a "hack tool" to directly modify the database of votes
> > without needing a password and without leaving an audit trail.  Very
> > bad mojo.  Extra network connections running off to a back room
> > running MS-Access are bad news as well.
> >
> > One important note: support for the worst voting systems possible is
> > coming in HARD from Microsoft lobbyists and megabucks.  They don't
> > want voting systems shifted over to open-source for max transparency,
> > because people would (rightfully) take it as a slam on Windows
> > security and the whole closed-source world.  So getting involved in
> > election integrity is a way to directly attack MS on a new front :).
> >
> 
> Hello -
> 
> Don't just worry about having Access around.  Look for the MS Jets engine
> (and probably a slew more available) for C++, VB, anything that Visual
> Studio will compile.  I use it for some of our machines.  It provides all the
> 'access' to the db file that Access can give you, without ever installing
> Access.  Access is just the GUI, probably going through the same DLLs that
> Diebold, or any other application would.  Look for apps or services using
> anything like OLEACC.DLL.  You could rename it and then see if any apps
> barf.  I don't know the winders equivalent of ldd.

(sigh)  If there was a *real* "conspiracy" here,
there's damn little you can do FROM THE OUTSIDE
to prove/disprove it.  The only way to have true
security in these things is to have truly open
systems that can be inspected at will by *anyone*.
Alternatively, sponsor a "hack the voting machine"
contest where folks are encouraged to find flaws
in its design -- just like alpha and beta tests
are *intended* to do for real products.

If you spend some time looking into industries known
to have adversarial exposure all the time (gaming,
vending machines, telephony, etc.) you'll be amazed
at the number of creative ways there are to hack
"hack proof" devices!  :<

So, you just need a procedure whereby the contents
of the "control store" (i.e. program memory) can be
verified at power up along with the types of things
that are allowed to attach to or be proximate to
the device during operation.

IMO, the more practical risk is devices that
attempt to *count* votes before the official
tally (though this doesn't, by itself, influence
the outcome).


       