Securing a database

Diez B. Roggisch deets at nospam.web.de
Fri Jan 23 02:38:12 EST 2009


kt83313 at gmail.com wrote:
> My company provides some services online, which now they are planning
> to make it offline and sell to customers who can use it in their
> networks.
> 
> One of our major moneywinners is some data which is stored in a
> database. Now, this data inside the database was obtained after paying
> through the nose - so the company does not want to disclose the data
> in the DB to the outside world - not to mention the lawsuits which the
> original providers of data will start which will sink the company if
> the data goes out.
> 
> Now, the code is in Python - and we have a big problem. How to secure
> the data in DB? One idea was to encrypt it and store the password in
> the code. I don't believe in security through obscurity - and Python code
> can easily be reverse-engineered too - right?
> 
> Is it even possible to secure data in this case?

No. And that has nothing to do with Python. If the data is valuable, it
will be deciphered from a compiled piece of code in no time. Believe me,
I work for a company that sells a C++ software with protective measures
of various kinds. It gets hacked. Fact of life.

You could try and raise the bar, as e.g. Skype does, with an onion-kind
of code-encryption-scheme. But even *that* is analyzed. And it is 
nothing that is done easily and without major impact on your source, so 
you might need quite a bit of time to get it right. Is that covered by 
the expected revenues?

And even if one doesn't want to hack into the system, if there is an 
interface to the data, who stops your users from exploiting that 
automatically to access all the data in the DB somehow?

Diez
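
An added example, not part of the original post: the question's concern that a password stored in Python code can be recovered, shown as a pre-release check that lists every string literal held in compiled bytecode without needing the source. The sample module, its key values and all function names are constructed for illustration.

```python
import marshal
import types

# Constructed sample: a module that "hides" the database key in its source.
SAMPLE_SOURCE = '''
DB_KEY = "s3cr3t-constructed-key"

def open_db(path):
    passphrase = "inner-constructed"
    return (path, DB_KEY, passphrase)
'''


def compile_to_pyc_payload(source, name="shipped_module"):
    """Compile source and serialise the code object the way a .pyc body stores it."""
    return marshal.dumps(compile(source, name, "exec"))


def string_constants(code):
    """Recursively collect every str/bytes constant from a code object."""
    found = []
    for const in code.co_consts:
        if isinstance(const, (str, bytes)):
            found.append(const)
        elif isinstance(const, types.CodeType):
            # Functions and classes are nested code objects; descend into them.
            found.extend(string_constants(const))
        elif isinstance(const, (tuple, frozenset)):
            found.extend(c for c in const if isinstance(c, (str, bytes)))
    return found


def audit_payload(payload):
    """Load a marshalled code object (source not required) and list its literals."""
    return string_constants(marshal.loads(payload))


if __name__ == "__main__":
    # Anything printed here ships to the customer in readable form.
    for literal in audit_payload(compile_to_pyc_payload(SAMPLE_SOURCE)):
        print(repr(literal))
```

Any key that shows up in this listing is stored in the clear in what the customer receives, whether or not the .py files are shipped.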


