On Wed, Apr 15, 2009 at 3:50 PM, Ryan Rix <
phrkonaleash@gmail.com> wrote:
> physical access -> data owned.
That's mostly true - as somebody else pointed out, with a hex editor
if necessary.
BUT, when you use MS-Access's front end to dicker with a Diebold
database, the "ease of use" of tampering is just off-scale. Basically
you open the door to literally anybody doing it, including the janitor
or an office clerk.
How easy are we talking about?
Well we managed to teach a chimp to do it. Yeah. I mean a real live
furry tailless monkey.
http://www.bbvforums.org/forums/messages/2197/2368.html
In case anybody is wondering how we got a Chimpanzee to do minimal
MS-Access editing: the dang thing was a fiend for Menthos[tm]. Swear
to God. Peppermint flavor. Couldn't get enough :).
OK, yeah, it was a PR stunt. Bev knew somebody who trained movie
animals. Still, when things are this ugly, desperation is called
for...
---
On a more serious note: banks have procedures to prevent insiders from
hacking accounts. You can't absolutely block people from doing it,
but you can block people from tampering with the discovery/oversight
mechanism. Serious computer accounting takes the term "audit log"
seriously.
Diebold put the audit log into the MS-Access database as just another table.
In other words, they weren't even trying.
Jim
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
(text/plain)