Subject Re: Database protection
Author Alexander V.Nevsky
Nando,

> Are you saying that the reason Oracle is considered more secure it is
> because it is closed source?

Yes.

> Are you saying that if I can have direct access to Oracle data files I
> cannot get at the data itself?

If a plotter can have direct access to Oracle data files he can damage
them, but without knowing the passwords it is not a simple task to
access data from files stolen and installed on another machine. Of
course, any defence can be broken, but having the server's source it's
much easier.

> Open Source is what guarantees you security, security in closed source
> is just obfuscation.

Sorry, I can't understand your thesis. If you mean some employees of
Oracle corp. can access any stolen database, I think they have enough
salary to shrink from such deeds.

> I'll say it again, a system in which an entity (user, software,
> whatever) has access to the data files can not be considered secure
> against that entity,

Agreed. To be honest, in my personal work for a solid company I take a
little care about SQL security; OS/Net level and organizational order
on physical access to the server machine are much more important and
effective. But what about developers who sell mainly data, not an
application (simply an application and a large amount of valuable
information carefully collected from different sources)? They don't
like that any customer can easily pump this data and include it in
another system. I know, there are laws in the civilized world, but not
all the world is civilized :)

> The discussion then moves to the degree of security you want/are able to
> obtain.

Agreed. Software defence should provide a level where the cost of a hack
is comparable with the cost of the data, no more. But I have no doubts
that I can find many C programmers who for $200-300 will build an FB
server that ignores all passwords and privileges. They may not even know
the purpose of this order; they can be told "to improve performance".

Best regards.