Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)

From: David Fetter <david(at)fetter(dot)org>
To: Bill Moran <wmoran(at)collaborativefusion(dot)com>
Cc: Greg Smith <gsmith(at)gregsmith(dot)com>, Jonathan Bond-Caron <jbondc(at)openmv(dot)com>, 'Postgres General List' <pgsql-general(at)postgresql(dot)org>
Subject: Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)
Date: 2008-09-16 00:50:25
Message-ID: 20080916005025.GE3666@fetter.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general pgsql-www

On Mon, Sep 15, 2008 at 08:29:22PM -0400, Bill Moran wrote:
> Greg Smith <gsmith(at)gregsmith(dot)com> wrote:
> >
> > The problem here is that the PostgreSQL community is fully aware
> > how bogus any encryption method is and doesn't even bother, while
> > Oracle is perfectly happy selling a solution that is easily
> > bypassed. Don't get me wrong--the work involved is just difficult
> > enough that I'm sure most PL/SQL procedures are quite safe from
> > being reversed, and what you get back again will be kind of crummy
> > code, so that's good enough for your typical ISV. But the
> > security doesn't stand up to simple scrutiny, and a highly visible
> > open-source project doing the same quality of implementation would
> > receive seriously bad press for releasing something so shoddy.
> > PostgreSQL would be compelled to name it something like
> > "half-assed obfuscation" in order to make it clear just how
> > limited the protection actually is, and then you've kind of lost
> > the sales pitch that motivated the feature in the first place.
>
> I don't understand why this is so bloody difficult to implement:

First, make a case for implementing PL obfuscation under any
circumstances.

While you are making your case, please bear in mind that security by
obscurity is in effect an attack launched from that nastiest of places
to have an attacker, the inside of your trust boundaries.

Cheers,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david(dot)fetter(at)gmail(dot)com

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Scott Marlowe 2008-09-16 00:54:21 Re: could not open file "pg_subtrans/0014": Invalid argument
Previous Message David Fetter 2008-09-16 00:30:38 Re: about partitioning

Browse pgsql-www by date

  From Date Subject
Next Message Tarah M. Wheeler 2008-09-16 00:55:04 unsubscribe
Previous Message Bill Moran 2008-09-16 00:29:22 Obfuscated stored procedures (was Re: Oracle and Postgresql)