[Tfug] Any SQL gurus out there?

Jim March 1.jim.march at gmail.com
Thu Oct 25 20:47:52 MST 2007


Guys, sorry for not keeping up with this thread after starting it.  A
friend had surgery today (nothing too major) but helping her past that
took priority.

Let's please try and keep this in the group, no cross-posting, m'kay?

Here's what the question is about:

The Pima County Democratic Party is doing a public records request for
the main databases that run elections in Pima County, post-election of
course.

They're really MS-Access/JET (laid out by Diebold) but contain SQL elements.

The county is claiming that there's "program code" inside the database
and cite a warped view of a state law to claim that "election
programs" cannot be released under public records, even to a political
party (which has special oversight rights under AZ election law).

Facts:

* Diebold is NOT claiming proprietary trade secret rights to the
database.  They are for their own "Global Election Management System"
(GEMS.EXE and related).

* The county admits that the security of the Diebold product line in
general sucks wind.  Among other issues, anybody with a copy of
MS-Access can walk right past the Diebold security, dickering with the
database with no password required and no audit log trail of activity
even created - never mind that the audit log is just another table and
can be edited like everything else - like, say, vote totals.  (In
other words, they put the security at their own application's level,
not the OS (even the Win2k they run would be better!) and not at JET.)

* There are FEDERAL rules on how voting systems get certified at the
Fed level that include bans on "interpreted code" and "self modifying
code".  So if the database (.mdb file) has "program code" in it, and a
complete blank database is created with a single "create new election"
command in GEMS.EXE, wouldn't that stomp all over the "no self
modifying" part?

* In the management and programming team that devised all this crap,
there's been five convicted felons.  The guy that managed the project
for at least a couple of years when some of the screwiest features
appeared (2002 - 2004 era) embezzled $425,000 from a Seattle law firm
in the late 1980s.  Sigh.  I wish I was making this up.

-----

What I'm trying to get at is, under these circumstances, isn't burying
"program code" in the relational MS-Access (Jet) database a peculiar
practice degrading the MS-Access security even further and opening up
last-minute code mods with just a copy of MS-Access?  (Which might be
describable as "interpreted code"?)

Can this list take .PDF attachments?  You guys will die if you see the
"requested stipulations of fact" by the county.

Jim



