Subject Re: [firebird-support] Re: Undocumented internal encrypt/decrypt in FB
Author Geoff Worboys
>> If you want any chance of security by obscurity you must
>> do it outside the open source - the Firebird developers
>> cannot do it for you.

> Exactly right. Which is why I originally asked about the
> possibility of having a hook of some sort to a .dll that
> *wouldn't* be open source. Then all of this would be up
> to the user.

If the project implements such a hook then within a few days
you will find the bypass hooks available for download.

Given that I have access to your system (the assumption we
have made to be having this conversation) then depending on the
situation I can copy what files I need to my own system or...

if you have implemented something like:
> some bit of custom USB-plug-based hardware (something you
> have) with code in ROM (so it couldn't be hacked)

I simply insert the new break DLL into the existing system and
have it output the decrypted data to a new file that I will
pick up after the next backup has run (all pages will have been
read and so decrypted through the hooks).

[And please don't argue that you can stop users installing a
new DLL onto the computer. If you could do that reliably
then you would simply protect the database file properly to
start with and ignore all this obfuscation nonsense.]

I do not have to do anything difficult like try to steal keys
or break encryption, I just hook in to the spot made so
conveniently ready and identifiable by your request to the
open-source project. There is nothing obscure about it.

I can only repeat myself:

If you want any chance of security by obscurity you must
do it outside the open source - the Firebird developers
cannot do it for you.

--
Geoff Worboys
Telesis Computing