Re: (Informal) Databases and RDBMSs

From: Douglas W. Jones <jones_at_cs_dot_uiowa_dot_edu>
Date: Tue May 11 2004 - 12:55:20 CDT

On May 11, 2004, at 11:18 AM, David Mertz wrote:

> We DO NOT need, nor want, a RDBMS at polling places; but
> only at higher canvassing levels (county, state, etc).

We may want to be careful about inclusion of a general purpose
database management tools at higher levels. The Diebold GEMS
story illustrates some of the risks:

Diebold's GEMS system uses a database that is stored in a
format that is compatible with Microsoft Access. A bad choice
of database manager, but let's ignore that for the moment. The
key thing is, the data format is compitable with a widely
available tool. Presumably, GEMS was written using standard
database access modules from a library that is distributed for
use with Access, and so we can hope that Diebold benefitted
from reuse of standard code instead of rolling their own and
from use of standard data representations instead of ad-hocery.

But, if a county happened to load Access on their GEMS election
management system (and in many cases, we've found that their
contract with the county actually required that they install
Access), then all of the auditing constraints imposed by GEMS
are irrelevant because a modestly prepared user can simply run
Access to make arbitrary changes to the database, including
updates to electronic ballot images, audit records and anything
else they may want to fiddle with.

So, unless the database tools are secure and have auditing
mechanisms that can't be turned off or redirected to /dev/null,
we must be extremely careful about installing any general purpose
tools on the system used for canvassing.

                Doug Jones
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Mon May 31 23:17:34 2004

This archive was generated by hypermail 2.1.8 : Mon May 31 2004 - 23:18:16 CDT