On Monday 15 September 2008 20:50:25 David Fetter wrote:
> On Mon, Sep 15, 2008 at 08:29:22PM -0400, Bill Moran wrote:
> > Greg Smith <gsmith(at)gregsmith(dot)com> wrote:
> > > The problem here is that the PostgreSQL community is fully aware
> > > how bogus any encryption method is and doesn't even bother, while
> > > Oracle is perfectly happy selling a solution that is easily
> > > bypassed. Don't get me wrong--the work involved is just difficult
> > > enough that I'm sure most PL/SQL procedures are quite safe from
> > > being reversed, and what you get back again will be kind of crummy
> > > code, so that's good enough for your typical ISV. But the
> > > security doesn't stand up to simple scrutiny, and a highly visible
> > > open-source project doing the same quality of implementation would
> > > receive seriously bad press for releasing something so shoddy.
> > > PostgreSQL would be compelled to name it something like
> > > "half-assed obfuscation" in order to make it clear just how
> > > limited the protection actually is, and then you've kind of lost
> > > the sales pitch that motivated the feature in the first place.
> >
> > I don't understand why this is so bloody difficult to implement:
>
> First, make a case for implementing PL obfuscation under any
> circumstances.
>
> While you are making your case, please bear in mind that security by
> obscurity is in effect an attack launched from that nastiest of places
> to have an attacker, the inside of your trust boundaries.
>
> Cheers,
> David.
> --
> David Fetter <david(at)fetter(dot)org> http://fetter.org/
> Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
> Skype: davidfetter XMPP: david(dot)fetter(at)gmail(dot)com
>
> Remember to vote!
> Consider donating to Postgres: http://www.postgresql.org/about/donate