foo_bar Donating Member (1000+ posts) Wed Aug-06-08 07:32 AM
Response to Reply #35
36. that's "no thanks, I don't open .xls files from shady pseudonyms with a geocities page"
Given the whole trojan horse thing, the subject of half my post that you somehow overlooked. For instance:
A new Microsoft Excel virus is targeting fantasy football league fans, luring them with an offer of worksheets to track the performance of their team.

The XF97/Yagnuul.A virus can infect users' dot-xls spreadsheets once the attachment is opened. The virus deploys an infected fantasy league file on the computer's hard drive and may also modify a user's data, according to an alert on Monday from security company Sophos.,3800003100,391587...

The post suggests an Open Source system developed by professional programmers for use in all state precincts not a set of individual spreadsheets written by non-professionals. A robust Excel VBA application could be developed in a matter of weeks.

"Open Source system" ... "Excel VBA application"; again with the one track resume. "Open" VB source is little better than closed source, since it can only be "compiled" through a proprietary Microsoft API on a huge Windows bullseye, leaving it open to numerous routes of attack:

What can VBA do to me?
Bad VBA code has been talked about in several previous articles. For example, the VBA.Interaction.Shell command which executes a command on the local system is a quick and dirty payload, especially when coupled to the "regedit /s" command which would allow an attacker to create a .reg file, and import it into the registry.

A cleaner way uses the API functions Reg*Ex in advapi32.dll to perform direct registry IO without taking the time to upload a .reg file. These functions can simply be defined along with the hideous necessary constants inside the VBA code.

In addition, an attacker can follow in the footsteps of Melissa et al and use the VBA.Interaction.CreateObject call to create an MS Outlook instance which sends trojan email to every address in the addressbook.

VBA Password Bypasser's main advantage is the capability to bypass VBA code password protection of any Visual Basic project whatever the main software is: MS Office (Access, Excel, Word, etc), Corel Office, AutoCAD, etc.
VBA Password Bypasser Features:

OK, and now on Excel:

So, let's look now to a simple decryption method for an excel vba module.

Dim Shared H$(7)
Sub Auto_Open()
H$(0) = "¥"
H$(1) = "ꮳ"
H$(2) = ""
H$(3) = "ӧ"
H$(4) = "¥"
H$(5) = ""
H$(6) = "꿥ꧮ"
H$(7) = "¥"
Open "\H.txt" For Output As #1
For X = 0 To 7
j$ = encrypt(H$(X))
Print #1, j$
Next X
Close #1
ActiveSheet.InsertFile Filename:="\H.txt"
End Sub

Function encrypt(k$)
For i = 1 To Len(k$)
b = Asc(Mid$(k$, i, 1))
c = b - 1
d$ = d$ + Chr$(c)
Next i
decrypt = d$
End Function

The first 10 lines are again the Arrays and the code for it.

Note: The encrypted code within the Arrays is only a example!
I say that, because there are sure again some people, who think
they must use this encrypted example code in their own virus. ;)

At line 11 begins the main decryption routine. The virus opens
there a normal ascii file (H.txt).

Name: LineZero Macro Engine
Creator/Origin: jack twoflower / Austria
Type: Virus Creation Tool

Known versions:

LiME 1.0 - May 1999
LiME 1.2 - May 1999


Macro virus creation kit capable of creating viruses for Word, Excel and Access. Many user selectable features (infection techniques, payloads, stealth techniques) are available. The kit creates .BAS VBA source codes that need to be imported into one of the three applications to make the final virus. By the author of W97MVCK. In version 1.2 the language used is user selectable (German or English) and the viruses for Word and Excel are produced in both the .BAS source code as the "compiled" product. There are 18 payloads for Word, 12 for Excel and 6 for Access.

Every programming language requires that the programmer step through the code. Excel is no different.

Except it's *proprietary*, opaque, easily exploited, and entails a retarded "Visual" programming language intended for non-programmers/manager types (no offense).

Have critics ever written a commercial Excel-based application?

Yeah dude, I built a trading confirmation system for State Street Bank's capital market floor using Excel 4.0 and a ball of string. Then I learned grownup languages so I wouldn't have to wear a suit.

He has no clue about Excel's powerful facilities and is obviously unaware of these relevant features (see Excel Help for examples and documentation)


Virtually all banking institutions use Excel in conjunction with securities databases for data retrieval, input and analysis.

Indeed, that's what most end users use to mock up data; the databases themselves are subject to stricter audit/backup/transaction/revision controls, hence they're not klugey Microsoft front-ends.

Critics fail to suggest a new system design to help eliminate election fraud. What hardware would they use? What software?

For the specifications of your parallel e-voting project, I'd recommend GNU gcc on an AMD platform running Linux, so you can at least compile everything from scratch from the kernel up, without fearing the proprietary operating system, proprietary pseudo compiler and proprietary spreadsheet app you seem to rely upon.

They appear to have an agenda to retain voting machines which can be rigged internally and/or by humans after the fact.

All machines, all systems can be rigged internally and/or by humans after the fact*; the only question is how difficult you make it for a would-be disruptor. Your method is about as secure as Accuvote memory card P-code, which is to say it doesn't add much to the present discussion, especially one billed as "Open Source".

He developed and marketed spreadsheet based corporate financial models to some of the largest U.S. consumer product manufacturers and foreign banks.

If this is a "reply from TIA", why is TIA in the third person? Nobody doubts TIA's ability to power-use Excel, nor his ability to produce an M$ Excel solution that conforms to any client's desire no matter how removed from reality. Hey, it's great work if you can't learn new tools or concepts in general.

This statement shows the writer's ignorance, inverted logic and misplaced sarcasm

Back in the real world:

Excellent early work on Spreadsheet Error Research was conducted by Ray Panko of the University of Hawaii. If you have not visited his site to review his spreadsheet research - now is the time to do so. His career history has some interesting surprises, some are an integral part of our day-to-day computing. He is Professor of Information Technology Management in the College of Business Administration at the University of Hawaii. It was at this same university that he conducted his groundbreaking research into human error rates and spreadsheets.

Recently, Ray won the Dennis Ching Award for Academic Excellence for Senior Faculty in 2003-2004.

Ray did his doctoral dissertation while under contract to the Office of the President of the United States. However, before doing his PhD he was a research physicist for the Boeing Company where he flew on the 747 prototype.

As a project manager working at the Stanford Research Institute he did research on a variety of communication technologies. He also worked under Doug Engelbart, who invented the mouse and built the world's first hypertext system.

* I'm frequently amazed how easy it is to break some pretty big-name security systems. There are a lot of reasons for this, but the big one is that it's impossible to prove that something is secure. All you can do is try to break it; if you fail, you know that it's secure enough to keep you out, but what about someone who's smarter than you? Anyone can design a security system so strong he himself can't break it.

Think about that for a second, because it's not obvious. No one is qualified to analyze their own security designs, because the designer and the analyzer will be the same person, with the same limits. Someone else has to analyze the security, because it has to be secure against things the designers didn't think of.
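Added example, not part of the original post or of any source it quotes: a small static triage pass that flags, in exported VBA module text, the behaviours the quoted passages name (auto-run entry points, Shell, "regedit /s", Reg*Ex declares from advapi32.dll, an Outlook CreateObject, and files written and then inserted). It assumes the macro source is already available as plain text such as a .BAS export; the rule names and the sample module are constructed for illustration.

```python
import re

# Rule names are illustrative; the patterns are the behaviours quoted in the post.
RULES = [
    ("auto-exec", re.compile(r'\bSub\s+(Auto_?Open|Workbook_Open|Document_Open)\b', re.I)),
    ("shell-exec", re.compile(r'\b(?:VBA\.)?(?:Interaction\.)?Shell\b', re.I)),
    ("reg-import", re.compile(r'regedit(?:\.exe)?\s+/s', re.I)),
    ("registry-api", re.compile(r'\bDeclare\b.*\bLib\s+"advapi32(?:\.dll)?"', re.I)),
    ("outlook-object", re.compile(r'\bCreateObject\s*\(\s*"Outlook\.Application"', re.I)),
    ("file-drop", re.compile(r'\bOpen\b.+\bFor\s+Output\b', re.I)),
    ("insert-file", re.compile(r'\.InsertFile\b', re.I)),
]

def logical_lines(source):
    """Yield (first_line_no, text), joining VBA ' _' line continuations."""
    buf, start = "", 0
    for no, raw in enumerate(source.splitlines(), 1):
        if not buf:
            start = no
        line = raw.rstrip()
        if line.endswith(" _"):
            buf += line[:-1]          # drop the underscore, keep the space
            continue
        yield start, buf + line
        buf = ""
    if buf:
        yield start, buf

def strip_comment(line):
    """Cut a trailing ' comment, ignoring apostrophes inside string literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line

def scan(source):
    """Return [(line_no, rule_name), ...] for every rule hit outside comments."""
    return [(no, name)
            for no, text in logical_lines(source)
            for name, rx in RULES
            if rx.search(strip_comment(text))]

# Constructed sample module, not taken from any real file.
SAMPLE = """\
' Shell is mentioned here only in a comment
Declare Function RegSetValueExA Lib "advapi32.dll" (ByVal h As Long) As Long
Sub Auto_Open()
    Open "h.txt" For Output As #1
    Print #1, "it's data"
    Close #1
    VBA.Interaction.Shell _
        "regedit /s sample.reg"
    Set o = CreateObject("Outlook.Application")
End Sub
"""
```

A hit is a reason to read the module before enabling macros, not a verdict; legitimate workbooks use some of these calls too.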