| Subject | Re: [ib-support] Re: Database protection |
|---|---|
| Author | Nando Dessena |
| Post date | 2001-11-29T08:05:07Z |
Alexander,
comparable to whatever you can come up with in closed source, simply
because closed source cannot be verified. That's the reason people claim
WinNT is not secure whilst Linux is (be it true or not). All security
standards in use worldwide nowadays are public. A secure implementation
of IB should use such standards, but nothing can be done if the data is
not phisically protected as well.
If you can't get at my data files, there's nothing you can build that
will give you the data.
Otherwise, in general, there's nothing I can do to keep my data secret
if you can get to the files, be them interbase, Oracle or whatever *and*
know the encryption method (if any).
"security" in my view is full security. When I know the method that has
been used to protect some data, and I know I can't break it, that's
security. When I don't know which method has been used, it may be hard
for me to figure out, but it's a matter of time. That's not security,
just obfuscation (which may well be enough for many).
I hope I have made my point clearer.
Ciao
--
____
_/\/ando
> > Open Source is what guarantees you security, security in closedI mean that, in general, proven secure open source algorithms aren't
> source
> > is just obfuscation.
>
> Sorry, I can't understand your thesis. If you mean some employes of
> Oracle corp. can access any stolen database, I think they have enough
> salary to shrink such a deeds.
comparable to whatever you can come up with in closed source, simply
because closed source cannot be verified. That's the reason people claim
WinNT is not secure whilst Linux is (be it true or not). All security
standards in use worldwide nowadays are public. A secure implementation
of IB should use such standards, but nothing can be done if the data is
not phisically protected as well.
> Agreed. Software defence should provide level when cost of hack isAnd this just gives more credit to my "thesis". :-)
> comparable with cost of data, no more. But I have no doubts that I can
> find many C programmers who for $200-300 will build FB server that
> ignore all passwords and privileges. They even can don't know about
> purpose of this order, they can be told "to improve performance".
If you can't get at my data files, there's nothing you can build that
will give you the data.
Otherwise, in general, there's nothing I can do to keep my data secret
if you can get to the files, be them interbase, Oracle or whatever *and*
know the encryption method (if any).
"security" in my view is full security. When I know the method that has
been used to protect some data, and I know I can't break it, that's
security. When I don't know which method has been used, it may be hard
for me to figure out, but it's a matter of time. That's not security,
just obfuscation (which may well be enough for many).
I hope I have made my point clearer.
Ciao
--
____
_/\/ando