Rafael Ruiz wrote:
> I am a lurker (I think), I am an embedded programmer and work at
> Lowrance (a brand of the Navico company), and I don't think I can't
> provide too much to security because embedded software is closed per se.

IMHO, it is very dangerous to assume that "since it is embedded, nobody has the source code". This "security through obscurity" approach was employed by the Bell telephone system in the 70's and 80's, but it turned out that there was no limit to what Phone Phreaks and their kin could dig up of supposedly secret information, including schematics and instruction manuals.

In more recent times, reverse engineering of the DVD Content Scrambling System (CSS) and various RFID electronic fare cards has proven that if someone has physical access to a device, you must also assume that they can access the software.

-Martin

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
