Subject | Re: [firebird-support] Re: Undocumented internal encrypt/decrypt in FB |
---|---|
Author | Geoff Worboys |
Post date | 2007-07-19T05:07:49Z |
>> If you want any chance of security by obscurity you must
>> do it outside the open source - the Firebird developers
>> cannot do it for you.

> Exactly right. Which is why I originally asked about the
> possibility of having a hook of some sort to a .dll that
> *wouldn't* be open source. Then all of this would be up
> to the user.

If the project implements such a hook then within a few days
you will find the bypass hooks available for download.
Given that I have access to your system (the assumption we
have made to be having this conversation) then depending on the
situation I can copy what files I need to my own system or...
if you have implemented something like:
> some bit of custom USB-plug-based hardware (something you
> have) with code in ROM (so it couldn't be hacked)

I simply insert the new break DLL into the existing system and
have it output the decrypted data to a new file that I will
pick up after the next backup has run (all pages will have been
read and so decrypted through the hooks).
[And please don't argue that you can stop users installing a
new DLL onto the computer. If you could do that reliably
then you would simply protect the database file properly to
start with and ignore all this obfuscation nonsense.]
I do not have to do anything difficult like try to steal keys
or break encryption, I just hook in to the spot made so
conveniently ready and identifiable by your request to the
open-source project. There is nothing obscure about it.
I can only repeat myself:
If you want any chance of security by obscurity you must
do it outside the open source - the Firebird developers
cannot do it for you.
--
Geoff Worboys
Telesis Computing