Rafael Ruiz wrote:
I am a lurker (I think), I am an embedded programmer and work at
Lowrance (a brand of the Navico company), and I don't think I can't
provide too much to security because embedded software is closed per se.
IMHO, it is very dangerous to assume that "since it is embedded, nobody has the source code". This "security through obscurity" approach was employed by the Bell telephone system in th 70's and 80's, but it turned out that there was no limit to what Phone Phreaks and their kin could dig up of supposedly secret information, including schematics and instruction manuals.

In more recent times, reverse engineering of the DVD Content Scrambling System (CSS) and various RFID electronic fare cards has proven that if someone has physical access to a device, you must also assume that they can access the software.


Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to