EVoting software - request for clarification



  • Hi guys,

    I've been a long, long time reader of the site, but this is my first posting (signed up and everything).

    I need a little help checking the implementation of a SecureAppender class written in Java for the log4j framework. The class wasn't written by myself, but rather by Jason Kitcat (homepage) for the now defunct GNU.Free project. I'm currently working in the area of eVoting and eDemocracy and had blogged about this class (linky) as an example of how bad security can creep into OSS projects as well as commercial ones. Mr Kitcat found the site (I think he googles for himself every night, which I've heard can make you go blind) and refutes my claims that the class implementation is borked.

    The class is meant to produce a chain of digests of log messages such that changing a message in the clear text log would require you to reproduce the whole of the digest log. However I believe the implementation is boned and only requires you to change the digest of the message you've altered and the subsequent digest.

    The original post is here along with the comments chain (including my responses).

    Thanks in advance guys. I really hope I'm not wrong.

     



  • Daniel,

    you are completely right. If the digest of a message doesn't become part of the subsequent digest, it's too easy to change the log - just replace one message and two digests. If this code was really "reviewed by smart people in out of universities around the world", it means that WTFU must have a lot of subsidiaries.

     



  • Cheers mate, I passed this one round at work and some pretty smart people there went "No... it's b0rked", good to have someone from the outside see the same problems.
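
The difference the thread describes, as an added example that is not part of the original posts and is not the GNU.Free SecureAppender code: it assumes a model in which each flawed digest covers only the previous and current message, and compares it with a chain in which each digest covers the previous digest. The function names, the `GENESIS` value and the sample log are constructed for illustration.

```python
import hashlib

GENESIS = b"\x00" * 32  # constructed starting value for the chained scheme


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()


def unchained_digests(messages):
    """Assumed model of the flaw: entry i covers message i-1 and message i only."""
    out, prev_msg = [], b""
    for m in messages:
        out.append(h(prev_msg, m))
        prev_msg = m
    return out


def chained_digests(messages):
    """Hash chain: entry i covers digest i-1 and message i."""
    out, prev = [], GENESIS
    for m in messages:
        prev = h(prev, m)
        out.append(prev)
    return out


def entries_to_forge(scheme, messages, index, replacement):
    """Indices of digest-log entries that differ once messages[index] is replaced."""
    tampered = list(messages)
    tampered[index] = replacement
    before, after = scheme(messages), scheme(tampered)
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


# Constructed sample log, not taken from any real system.
LOG = [b"poll opened", b"ballot 1 accepted", b"ballot 2 accepted",
       b"ballot 3 accepted", b"poll closed"]

if __name__ == "__main__":
    edit = (LOG, 1, b"ballot 1 rejected")
    print("unchained:", entries_to_forge(unchained_digests, *edit))  # [1, 2]
    print("chained:  ", entries_to_forge(chained_digests, *edit))    # [1, 2, 3, 4]
```

In the unchained model an edit disturbs a fixed two entries no matter how long the log is; in the chained model every entry from the edit to the end of the log changes.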

