DC Internet voting test

Posted Mar 18, 2012 9:24 UTC (Sun) by khim (subscriber, #9252)
In reply to: DC Internet voting test by giraffedata
Parent article: Security quotes of the week

They say that without source code the system still could have been compromised, but with more work. But they don't elaborate and I wasn't convinced.

No? Why no? Demonstration without published sources http://lwn.net/Articles/485162/ happened just a couple of weeks ago.

Sure, if they build everything from scratch without using any COTS components then yes, it'll be much harder - but a few orders of magnitude more expensive, too.


DC Internet voting test

Posted Mar 19, 2012 18:50 UTC (Mon) by raven667 (subscriber, #5198)

I would also point out that SQL injection is the same kind of vulnerability, passing unsanitized data to an interpreter, and is most often found without any access to source code in web apps. Reading the source code to find the vuln may have been convenient for them but certainly wasn't required and isn't even the most convenient for everyone. Some people prefer writing a test suite to poke for vulns rather than trying to audit all the source.
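
Added example, not part of the comments above and not code from the DC system: a black-box regression check of the kind the last comment describes, which exercises a lookup function only through its interface and flags the one that passes unsanitized input to the SQL interpreter. The table, rows, function names and probe strings are all constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT, role TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return db

def lookup_concat(db, name):
    # Weak form: input is spliced into the SQL text, so the parser treats it as code.
    return db.execute(
        "SELECT role FROM accounts WHERE name = '" + name + "'").fetchall()

def lookup_param(db, name):
    # Hardened form: input is bound as data and never reaches the SQL parser.
    return db.execute(
        "SELECT role FROM accounts WHERE name = ?", (name,)).fetchall()

# Probe strings with interpreter metacharacters; none is the name of a real row.
PROBES = ["x'", "x' OR '1'='1", "x'--", 'x"']

def black_box_check(lookup):
    """Report probes the lookup mishandles, without reading its source.

    A correct lookup returns [] for every probe, because no such name exists.
    A database error or any returned row means the input was parsed as SQL.
    """
    findings = []
    for probe in PROBES:
        db = make_db()
        try:
            rows = lookup(db, probe)
        except sqlite3.Error as exc:
            findings.append((probe, "error: " + type(exc).__name__))
            continue
        if rows:
            findings.append((probe, "returned %d rows" % len(rows)))
    return findings

if __name__ == "__main__":
    for fn in (lookup_concat, lookup_param):
        print(fn.__name__, black_box_check(fn))
```

Two of the four probes produce no finding even against the weak form, which is why such a suite needs several probe shapes rather than one.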

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds