[Tfug] Any SQL gurus out there?
Ronald Sutherland
ronald.sutherland at gmail.com
Thu Oct 25 23:22:43 MST 2007
Jim March wrote:
> * The county admits that the security of the Diebold product line in
> general sucks wind. Among other issues, anybody with a copy of
> MS-Access can walk right past the Diebold security, dickering with the
> database with no password required and no audit log trail of activity
> even created - never mind that the audit log is just another table and
> can be edited like everything else - like, say, vote totals. (In
> other words, they put the security at their own application's level,
> not the OS (even the Win2k they run would be better!) and not at JET.)
>
> * There are FEDERAL rules on how voting systems get certified at the
> Fed level that include bans on "interpreted code" and "self modifying
>
Does the CPU not interpret machine instructions (is that not code)? I'm
thinking the feds just prevented the use of computers with that rule.
But what pisses me off is the line of thought that a binary blob is
somehow safer and more verifiable than a script. The blob was compiled from
something, that can be looked at and studied to figure out its intent,
it's called source. The source can be held in a version management system
to keep an audit trail of any changes, but once it's compiled the blob is
difficult to trace back to the source, you need the exact libraries it
was created with, in other words you're locked out of updates to most
everything. I've more than once compiled the same program and gotten
different blobs, which makes the compiler setup a critical step in the
verification process. If I have a script I can difference it directly
with a version management server and see if it's the same. I can also
look at it directly as source to evaluate intent. If the script is self
modifying I would hope that intent is found (add eyes to make things
clear), this ever present desire to hide all sorts of stuff is a wrong.
The script interpreter could be modified to do tricky stuff to a script
that makes failing things pass but the script itself can run self test
and keep track of the interpreters (md5sum). Scripts can also be provided
on read only media, thus gaining readability and verifiability with the
original source while retaining the ability to self identify known good
interpreters.
> code". So if the database (.mdb file) has "program code" in it, and a
> complete blank database is created with a single "create new election"
> command in GEMS.EXE, wouldn't that stomp all over the "no self
> modifying" part?
>
So our election results will be held in .mdb files made with the MS Jet
DB engine, what a joke. But I see no reason to worry since everyone is
programmed how to vote anyway. Voting is totally a waste of time with mass
media because enough will vote based on the signal that noise is lost
(signal to noise ratio). Unfortunately the media is all about the better
mind virus, and nothing about what is good for humanity, we are truly an
animal with a mind made for the same reason a peacock has a tail. The
election is won with a virus that fits best in the organ we all have
faith is most like god.
> Jim
>
>
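The self-test idea from the reply above (a script checking itself and its interpreter against known-good digests kept on read-only media), as an added example that is not part of the original post. It uses SHA-256 where the post mentions md5sum; the manifest layout, the `script` and `interpreter` labels and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import sys

def file_digest(path, algo="sha256", chunk=65536):
    """Stream a file through a hash so large interpreter binaries are not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def load_manifest(path):
    """Parse sha256sum-style lines ('<hex digest>  <label>') into {label: set of digests}.

    Several lines may share a label, so more than one known-good interpreter can be listed.
    """
    known = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            digest, label = line.split(None, 1)
            known.setdefault(label, set()).add(digest.lower())
    return known

def self_test(manifest_path, script_path, interpreter_path=None):
    """Return a list of failures; an empty list means script and interpreter are known good."""
    interpreter_path = interpreter_path or os.path.realpath(sys.executable)
    known = load_manifest(manifest_path)
    failures = []
    for label, path in (("script", script_path), ("interpreter", interpreter_path)):
        actual = file_digest(path)
        # Fail closed: a label missing from the manifest counts as a mismatch.
        if not any(hmac.compare_digest(actual, d) for d in known.get(label, ())):
            failures.append(f"{label}: {path} digest {actual} not in manifest")
    return failures

if __name__ == "__main__":
    # Hypothetical usage: python selftest.py /path/to/read-only/MANIFEST
    problems = self_test(sys.argv[1], os.path.realpath(__file__))
    for p in problems:
        print("FAIL", p)
    sys.exit(1 if problems else 0)
```

A self-test reported by the interpreter under test is only as trustworthy as that interpreter, so the same manifest should also be checked from a separate, trusted environment.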