Re: Diebold Voting Machines - Security Hole

Jay C. James:

Excuse please a top posted intro. Will respond inline below.

I just had a great good laugh (about a security issue) that I would like
to share with you and the group, to kind of set a good tone for this
answer.

But first let me say to you personally that you are not a good or faithful
correspondent. You have had a couple of days to respond to my relatively
mild query (did you really think your message was positive?) and you
haven't responded to that. So let's go through this bit by bit so there
will not be misunderstandings later.

But here's the funny story that made me laugh. First, this link goes to
ISC - diary. This is a blog style page and changes, so if you come back a
day or two later you won't see what I am looking at. But you can always
go to the "previous" links to get backwards in time (kind of mind-bending
right there :>). Anyway, if you don't know ISC already, think they might
harm your systems, doubt they have anything new to tell, ... hey - don't
go there. I'm trying to tell a funny story and if you want to join me
then please do.

http://isc.sans.org/diary.php

The story I am looking at is:

Word 0-day, recommended defenses. (NEW) Published: 2006-05-19, Last
Updated: 2006-05-19 22:04:19 UTC by Johannes Ullrich (Version: 1)

A bit down, there is this link:

The Windows Live Safety Center is located at the following website:
http://safety.live.com [NOTE: link might not work for gecko based browsers
such as FireFox]

Ha, haha. What a surprise! (Not) It would be way off topic to have any
full explanation, and the sheer volume of written data already available
would choke a horse (no offense to horse lovers, and we don't want to
choke any horses, anyway. It's just an old expression.) Micro$oft has
been hauled into federal courts here in the US, and into courts in the EU
and elsewhere, for predatory and anti-competitive practices. Their "war"
against Netscape, Mozilla and Firefox is longstanding and well known, even
among the uninitiated. But this is all still preface.

As it turns out, the link works just fine in Firefox. And it takes you
(me?) to a Micro$oft page full of wonderful free helpful security stuff.
there's this link, (big yellow button) Find and fix safety and health
issues on your PC now. Launch full service scan, that takes me
here:http://safety.live.com/site/en-US/scanner/unsupportedclient.htm

That says:

Whoops. The scanner doesn't work with your Web browser or operating
system.

You need Windows XP Home Edition, Windows XP Professional, Windows 2000
Professional, Windows Server 2003, or Windows 2000 Server to use the
scanner. You also need either Microsoft Internet Explorer 6.0, or MSN®
9.0.



What can you do?

· Get the latest version of Internet Explorer (free download)

· Upgrade your operating system

· Get PC help in the Community

· Browse our service centers for tips and advice


There it is, guys and gals:

· Upgrade your operating system

Please remember that this whole chain of links is because of another "new"
0-day exploit of M$ software. Anyone seriously concerned with security
should upgrade to Linux, ... _any_ Linux.

I could keep laughing for a long time. And I can also stop anytime by
remembering that 80% -90% of the world's computers are running this crap,
and 80% -90% of the good people whom I personally am depending on for
essential goods and services are also that vulnerable. Very sad, really.
.... And scary, too. But that one line in particular really made me laugh
out loud. I hope it brings a smile to your face and a bit of happiness
into y'all's day when you read.

=============================================================

Please note that the NNTP software, yours, mine, and ours have completely
screwed up the formatting of the following text. I regret that, but will
not obsess about it. WYSIWYG. Sorry.

=============================================================

Jay C. James wrote:

Date: Wed, 17 May 2006 13:52:19 -0700 From: "Jay C. James"
<x0040973@xxxxxx> Lines: 169 Message-ID:
<e4g2e3$e41$1@xxxxxxxxxxxxxxx> NNTP-Posting-Date: 17 May 2006 20:52:19
GMT NNTP-Posting-Host: sandx0040973b.sand.design.ti.com Newsgroups:
comp.os.linux.security Organization: Texas Instruments Path:

border1.nntp.dca.giganews.com!nntp.giganews.com!newshub.sdsu.edu!logbridge.uoregon.edu!news.smu.edu!news.ti.com!not-for-mail
References: <pan.2006.05.12.13.39.23.788992@xxxxxxxxxxxxx>
<e42pqf$9gs$1@xxxxxxxxxxxxxxx> <c-2dnW3SPchzafnZRVn-hA@xxxxxxx> Subject:
Re: Diebold Voting Machines - Security Hole X-Complaints-To:
usenet@xxxxxxxxxxx X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
X-Newsreader: Microsoft Outlook Express 6.00.2800.1807 X-Priority:
3
X-Trace: home.itg.ti.com 1147899139 14465 146.252.135.29 (17
May 2006 20:52:19 GMT) Xref: number1.nntp.dca.giganews.com
comp.os.linux.security:81014 MIME-Version: 1.0 Content-Type:
text/plain


"responder" <no@xxxxxxxxxxxx> wrote in message
news:c-2dnW3SPchzafnZRVn-hA@xxxxxxxxxx
Jay C. James wrote:


"John" <John@xxxxxxxxxxxxx> wrote in message
news:pan.2006.05.12.13.39.23.788992@xxxxxxxxxxxxxxxx
The following describes a significant security hole in Diebold
voting machines.

http://politics.slashdot.org/politics/06/05/12/1228203.shtml



John seriously, this is USENET, not RSS. Please give more information

Jay C. James, observe please, right here with your very first words you
have clearly implied that OP does not know the difference between RSS and
Usenet, which is obviously not true, and which is obviously offensive. You
owe the man an apology, and you owe every reader here an apology for
making such a *negative* remark, right in your very first words here. You
owe me an apology for having to read that.

And you didn't give any reason for your rudely expressed request. ...

Had you said something like, I choose for my own reasons and preferences
to use an antiquated (though still currently maintained) text based
newsreader that does not make it easy to follow a link, and so I would
prefer to know more before I make that effort, and if you were already a
person who was a demonstrated good and intelligent writer and a good
correspondent, that would have been entirely appropriate and sufficient.

Had you said something like, I read news offline so having more
information about a link in the original post helps me decide which I want
to download when I reconnect, that would have been entirely appropriate
and sufficient.

Had you said something like, I am a complete newbie and such an idiot that
I cannot even be expected to know a slashdot URL when I see it, so I need
more information, well, at least then we could all have had the
opportunity to respect your honesty and request for help.


But you didn't give any reason for your rudely expressed request. ...

with your posts.

Jay C. James seriously, what's the problem here? Oh, I see:

That's what I said. Right up front I asked what the problem was. And why
would I ask, except that you didn't give any reason for your rudely
expressed request.

So I looked, and there you are Jay C. James:


X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
X-Newsreader: Microsoft Outlook Express 6.00.2800.1807

There is no crime or offense in reading or posting here with m$ software.
Read away. The offense was in what you wrote (both times). And since you
didn't give any reason for your rudely expressed request, I looked for
that reason in every single letter of your message.

Pardon for not explaining the jargon. But it has been my unfortunate
experience that "windows wankers" "troll" linux newsgroups and post
disruptive messages. Since you were so rude and inarticulate, it was my
initial asesment that you might indeed be a "windows wanker" "trolling" to
make trouble. Nothing I have seen since substantially alters that
perception. Maybe if you learned some basic polite manners it would take
some of the sharp corners off of that.

For a lot of us on this ng, just clicking on the link brings up the
full story in our browsers. If you object to blindly clicking on links
(a valid objection) we just highlight the link text and paste it with a
middle click into our browser (not IE) URL bar.

Hey Jay C. James, (see how easy I can copy and paste?), he told you
what the story was about. OK (Deep sigh)

==============================
Critical Security Hole Found in Diebold Machines Posted by Zonk on
Friday May 12, @09:13AM from the want-my-money-back dept. United States
Security Software Politics ckswift writes "From security expert Bruce
Schneier's blog, a major security hole has been found in Diebold voting
machines." From the article: "The hole is considered more worrisome
than most security problems discovered on modern voting machines, such
as weak encryption, easily pickable locks and use of the same, weak
password nationwide. Armed with a little basic knowledge of Diebold
voting systems and a standard component available at any computer
store, someone with a minute or two of access to a Diebold touch screen
could load virtually any software into the machine and disable it,
redistribute votes or alter its performance in myriad ways."

Feel better now?

Here's another link, which is to a pdf format paper (redacted version)
that described the vulnerabilities. (Or should they be called security
faults? Maybe threats to our governments?)

You are posting from a Texas Instruments. If you can read NNTP from
work, why can't you just take your IE over to the given URL and read
the story, or not?

Jay C. James seriously, this is USENET, not kindergarten. Get with the
program. Please. If you want to read a Linux ng from work with IE, at
least have the courtesy to not complain about your browser.

This is a serious security issue that affects voting and our our future
(and present?) governing officials may be. I am sure that if you are
serious, you want good elections as much as anyone else does.

If you are really a patriotic US American (or Canadian, I guess) please
take this somewhat seriously and quit complaining. The man did the
right thing and I for one appreciate it. If you can't live with that
kind of thing, then politely and please take your adolescent NNTP
attitude back to the microsoft newsgroups and let us talk about more
serious things without interruption. Please and thank you very much.
Now go away. Please. And Thank You.



*yawn*

(Oh, so sorry that you are so bored that you took the time to write all of
the following. Not.)

First of all, you have no idea what my politics are, and whatever they
may be if I even
have political convictions, they are none of your business -- and what I
replied with has
no bearing on the subject matter and required no input from you
whatsoever. While I do

Jay C. James, I don't particularly care what your politics are. In the
overall scheme of things, of course it matters. But I never made that a
criterion of issue. The linked news article was about voting machines. To
start off by trying to make this a political discussion is a blatant
attempt to sidetrack any serious discussion. It is the kind of thing that
Usenet Trash usually try to do. You are called "trolls".

appreciate your own emotional interest in the subject, your own

You don't know anything about my interests or emotions.

conviction in the matter
does not particularly give you cause for such an outburst and is kinda

That was not an outburst. That was a teaser to get you to come out and
show your true character. (It worked.)

embarassing. In
other words, I wasnt talking to you.

You posted here. You were talking to me and to everyone else who reads
here. Get used to it. "This is Usenet, not Kindergarten."

Your outburst was unnecessary and detracts from both my sentiment, -and-
yours.

I am well capable of telling you what my "sentiment" is, and do not need
you to tell me what my "sentiment" is.

Secondly, calling me adolescent in light of your own quasi-anonymous
posting is ironic.

Many of us chose to post anonymously to avoid spam and trolls. I am
leaving my e-mail sig enabled in this post in the event you might want to
contact me off-group. I doubt you will, but the offer is open to you
should you so choose. Trying to couple anything related to my identity or
choice of posting name is completely inappropriate. I didn't call you
adolescent, I said your behavior was adolescent.

Bear in mind that if you spam, harass or stalk me, I will file appropriate
complaints, and there are (real) penalties. And of course, as always, the
best place to talk is right here on the NG.

Thirdly, some of us while able to use NNTP at our places of employment,
do n ot get
to pick and choose how we do it. That said, regardless of the tools used
for NNTP posting,
I am still a Unix professional and Usenet provides me and my cohorts a
knowledge base
with which to give to and take from. None of that knowledge base, by the
way, resides
within the Microsoft newsgroups.

"a Unix professional" Wow and Ha. Certainly not a very well respected
"Unix professional". If you were respectful of your employer's interests
you would have avoided offensive and snide remarks in your first message,
and you would have taken the time then, in as much as it might have had
any real importance to you, to include a line or two about why your
(rudely expressed) request should have any respect or consideration from
others. Then you would never have needed to have felt the need to write
168 lines of negative material on your employer's time. You owe your
employer an apology. For your benefit, I quote a dictionary definition of
"snide".

"The Collaborative International Dictionary of English v.0.48" Snide
Snide, a.
1. Tricky; deceptive; contemptible; as, a snide lawyer; snide
goods. Slang, archaic
1913 Webster

2. derogatory in an insinuating manner; as, a snide remark.
PJC Snider rifle

Notice I didnt mention anything about On-Topicness of the original post,
but just about the RSS-like
quality of it, hoping to inspire others to shy away from cross
pollinating protocols. Just in case, I shouldnt have to explain RSS to
you, should I? You obviously have demonstrated superior knowledge of
NNTP, so hopefully you understand that as well.

That's a load of crap. Your first message was rude and snide, and there
is no justification for that, particularly in review of your second post.

So, if you are anal enough to pull out a header and show it to me, but

You owe every reader of this group an apology for writing that. And you
have also identified yourself thereby as a standard Usenet troll. Your
apology is required, but does not alter that assessment.

yet assert that an NNTP
posting merely containing a link and the briefest of summaries not even
related to the newsgroup
is fine enough to represent legitimacy regardless of content, then it
reinforces that your presence
will be missed much less than my own would be to Usenet. Dont assume

Don't make any mistake in thinking that I am going away, any time soon. I
have a very tough hide, thank you. And I like to know who I am talking to
and with. This isn't a popularity poll; anyone can post, - you and I
both. But I have little tolerance for rudeness and phony-ness (if that is
a word).

The people I am talking to and with are reading here. When they don't
want to read or write with me, they will make that clear. But you will
not.

that the rest of us can
or will 'click' things we arbitrarily run into on Usenet. You obviously

In this particular case I will say that if you don't know a slashdot URL
when you see it, then surely you should NOT be clicking links.

go the extra mile with following
links and pulling up headers. Good for you, Power User! Check out my
headers for another telling
message.

Post whatever you want to say in clear text. We all have enough real
thing to deal with without jumping into some game world of your making.
Whatever you need to say to me can be said in front of all these other
people.

Feel free to add me to your blocklist of alleged Adolescent Microsoft
Newsgroup Posters, because
as tempting as your invitation to 'go away' is (I appreciate you
thanking me ahead of time, its out of character for you) I will continue
to use the newsgroups in accordance with the way they should be used. I
would probably be in good company in your blocklist anyway, considering
the source. So yea,
add me and dont forget to "*plonk*" me where I can see it and be
suitably offended that you got the
last and most elitest word.

Nope, no easy out for you there. I will be reading whatever you write
here, no matter how adolescent it may be. I can read a lot faster than
you can write. Don't count on a lot of respect, however.

My relatively brief posting history has been nothing but positive, and

Ha.

Ha ha ha haa.

Your history here has been nothing _but_ negative.

If you want to be respected, write something respectable. Trolling
doesn't count.

will continue to be that way.
I feel confident in my employers faith in me by allowing me to

Good. Keep this up and I will query them myself about that.

contribute to and query Usenet on
an ongoing basis where I feel that overall I am a credit to the
community in a very minute way.

Probably a key would lie in being "a credit"

jcj


Additionally, I did read the article... via someplace else, probably
like 99% everyone else who reads this newsgroup.

Responder, feel free to continue to use Usenet for all your Breaking
News. Others like myself will continue to choose to be informed about
world events in real time, via real channels, and save certain Usenet
groups for on-topic technical discussions that oftentimes result in
actual obtainable results, strangely enough without your advanced NNTP
skills getting in the way, despite the distraction you have provided.

I am so looking forward to next snide missive. Since you are not a
faithful correspondent, it may or may not come at any moment, or never. I
vote for the last.

--
colloquy_no_9 {at-sign} spam-mailingaddress.org
eliminate the spam-

.