Open Source and information security mailing list archives
 
Date: Wed, 22 Sep 2004 14:32:12 -0400
From: Gene Cronk <gcronk@...g.net>
To: Polazzo Justin <Justin.Polazzo@...ilities.gatech.edu>
Cc: pressinfo@...bold.com, bugtraq@...urityfocus.com
Subject: Re: Diebold Global Election Management System (GEMS) Backdoor Account Allows Authenticated Users to Modify Votes


Polazzo Justin wrote:

> 
> If we don't have any data, then we are making decisions based on
> propaganda, no matter what side you listen to.
> 
> Of course California suing then does raise questions :) Any state that
> implements voting technology that has not been verified by independent
> means needs to rethink their approach. Any state could use the resources at
> their disposal to evaluate these systems independently at a very low
> cost, if any at all. (preferably by some local Tech school :)
> 
> Either way, without POC, how can we discuss this on bugtraq?
> 
> -JP
> 
> P.s.: 
> 
> Even though MS sux out of box, you can turn off the netlogon process on
> any Windows client, voiding any authentication to the local workstation.
> The only authentication that can take place is server based, which can
> then be further restricted through policies and reghacks to Kerberos
> only. If you then delete the domain accounts as the card is used, fears
> of locally compromising the systems would be a non-issue.
> 
> While I am pretty sure this has not been done, it illustrates why we
> need to evaluate the code.
> 

http://www.why-war.com/features/2003/10/diebold.html

My question is, why would Diebold attempt to enact the DMCA if they 
didn't have something to hide?  I completely agree that propaganda 
should not be listened to from either side, something smells very fishy 
here.

Also agreed on the server authentication, but what happens if I happen 
to get a copy of that Access DB and throw it on another computer?  If an 
electronic trail isn't there, a paper trail should be.

For a more mainstream article on this subject, you can also check out 
the NYT:

http://www.nytimes.com/2004/09/19/politics/campaign/19vote.html?pagewanted=print&position=

As far as a POC and a local tech school auditing the code, I'm all for 
it, but the campaign contributions aren't.

-- 
Gene Cronk - ISSAP,CISSP,NSA-IAM (gcronk@...g.net)
The Robin Shepherd Group -- Systems Administrator
Office: (904)-359-0981 Ext. 36
Cell: (386)-795-3081  Web: http://www.trsg.net

