On Monday 15 September 2008 20:50:25 David Fetter wrote:
> On Mon, Sep 15, 2008 at 08:29:22PM -0400, Bill Moran wrote:
> > Greg Smith <gsmith@xxxxxxxxxxxxx> wrote:
> > > The problem here is that the PostgreSQL community is fully aware
> > > how bogus any encryption method is and doesn't even bother, while
> > > Oracle is perfectly happy selling a solution that is easily
> > > bypassed. Don't get me wrong--the work involved is just difficult
> > > enough that I'm sure most PL/SQL procedures are quite safe from
> > > being reversed, and what you get back again will be kind of crummy
> > > code, so that's good enough for your typical ISV. But the
> > > security doesn't stand up to simple scrutiny, and a highly visible
> > > open-source project doing the same quality of implementation would
> > > receive seriously bad press for releasing something so shoddy.
> > > PostgreSQL would be compelled to name it something like
> > > "half-assed obfuscation" in order to make it clear just how
> > > limited the protection actually is, and then you've kind of lost
> > > the sales pitch that motivated the feature in the first place.
> >
> > I don't understand why this is so bloody difficult to implement:
>
> First, make a case for implementing PL obfuscation under any
> circumstances.
>
> While you are making your case, please bear in mind that security by
> obscurity is in effect an attack launched from that nastiest of places
> to have an attacker, the inside of your trust boundaries.
>
> Cheers,
> David.
> --
> David Fetter <david@xxxxxxxxxx> http://fetter.org/
> Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
> Skype: davidfetter XMPP: david.fetter@xxxxxxxxx
>
> Remember to vote!
> Consider donating to Postgres: http://www.postgresql.org/about/donate