[spam] Re: [E-voting] Third party code

Aengus Lawlor aengusl at eircom.net
Fri Jun 3 03:06:57 IST 2005


David GLAUDE wrote:
> Aengus Lawlor wrote:
>> Brian O'Byrne wrote:
>>> For example: we know the count machines run an operating system and
>>> database application provided by Microsoft.
>>
>> (As I understand it, it's also not correct to refer to a "database
>> application from Microsoft" or to an Access database. As far as I
>> know, the PowerVote application uses the ODBC calls to the default
>> Jet database engine. This happens to be the same engine as Access
>> uses, but I don't think that Access is installed on the Count
>> machines).
>
> If the default Jet database engine is a Microsoft piece of software
> then it is right to say "database application from Microsoft" where
> application is the non tech word to say "driver" or "engine" or
> "module".

No, David, the non-tech word for application is "program". This list is
proof - people here hear "Microsoft Database application" and they assume it
means "Microsoft Access".

> For more definition on the Jet database...
> http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/0353.html

Maybe you should read it yourself, David - it includes a very good
description of what the Jet engine is, and a description of an exploit that
has very little relevance to the situation we're dealing with (why would you
need an exploit if you had physical access to run your own code on the count
system?)

> David GLAUDE
>
>> Off the shelf software is arguably safer than custom code for the
>> situation we are talking about - it's a reasonably safe bet that the
>> developers at Roxio didn't build in a special Nedap hacking module
>> on the off chance that their software might end up counting the
>> results of an Irish Election.
>
> Is leaving a way to do a buffer overflow considered a way to
> participate in a special Nedap hacking module? See above link.

Again, David, why would you need a buffer overflow if you had access to the
system? If you think custom code from PowerVote/Nedap for burning the
results to CD would be immune to buffer overflows, I have a bridge that I'd
like to sell you.

Aengus



