On Wed, Apr 15, 2009 at 3:50 PM, Ryan Rix <phrkonaleash@gmail.com> wrote:
> physical access -> data owned.

That's mostly true - as somebody else pointed out, with a hex editor
if necessary.

BUT, when you use MS-Access's front end to dicker with a Diebold
database, the "ease of use" of tampering is just off-scale.  Basically
you open the door to literally anybody doing it, including the janitor
or an office clerk.

How easy are we talking about?

Well we managed to teach a chimp to do it.  Yeah.  I mean a real live
furry tailless monkey.

http://www.bbvforums.org/forums/messages/2197/2368.html

In case anybody is wondering how we got a Chimpanzee to do minimal
MS-Access editing: the dang thing was a fiend for Menthos[tm].  Swear
to God.  Peppermint flavor.  Couldn't get enough :).

OK, yeah, it was a PR stunt.  Bev knew somebody who trained movie
animals.  Still, when things are this ugly, desperation is called
for...

---

On a more serious note: banks have procedures to prevent insiders from
hacking accounts.  You can't absolutely block people from doing it,
but you can block people from tampering with the discovery/oversight
mechanism.  Serious computer accounting takes the term "audit log"
seriously.

Diebold put the audit log into the MS-Access database as just another table.

In other words, they weren't even trying.

Jim
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss