Cheers mate, I passed this one round at work and some pretty smart people there went "No... it's b0rked", good to have someone from the outside see the same problems.
Posts made by DanielGray
-
RE: EVoting software - request for clarification
-
EVoting software - request for clarification
Hi guys,
I've been a long, long time reader of the site, but this is my first posting (signed up and everything).
I need a little help checking the implementation of a SecureAppender class written in Java for the log4j framework. The class wasn't written by myself, but rather by Jason Kitcat (homepage) for the now defunct GNU.Free project. I'm currently working in the area of eVoting and eDemocracy and had blogged about this class (linky) as an example of how bad security can creep into OSS projects as well as commercial ones, Mr Kitcat found the site (I think he googles for himself every night, which I've heard can make you go blind) and refutes my claims that the class implementation is borked.
The class is meant to produce a chain of digests of log messages such that changing a message in the clear text log would require you to reproduce the whole of the digest log. However I believe the implementation is boned and only requires you to change the digest of the message you've altered and the subsequent digest.
The original post is here along with the comments chain (including my responses).
Thanks in advance guys. I really hope I'm not wrong.