Securing a database

kt83313 at gmail.com kt83313 at gmail.com
Fri Jan 23 11:00:03 CET 2009


On Jan 23, 12:38 pm, "Diez B. Roggisch" <de... at nospam.web.de> wrote:
> kt83... at gmail.com schrieb:
>
>
>
> > My company provides some services online, which now they are planning
> > to make it offline and sell to customers who can use it in their
> > networks.
>
> > One of our major moneywinners is some data which is stored in a
> > database. Now, this data inside the database was obtained after paying
> > through the nose - so the company does not want to disclose the data
> > in the DB to the outside world - not to mention the lawsuits which the
> > original providers of data will start which will sink the company if
> > the data goes out.
>
> > Now, the code is in Python - and we have a big problem. How to secure
> > the data in DB? One idea was to encrypt it and store the password in
> > the code. I dont believe security through obscurity - and python code
> > can easily be reverse-engineered too - right?
>
> > Is it even possible to secure a data in this case?
>
> No. And that has nothing to do with python. If the data is valuable, it
> will be decyphered from a compiled piece of code in no time. Believe me,
> I work for a company that sells a C++-software with protective measures
> of various kinds. It gets hacked. Fact of live.
>
> You could try and raise the bar, as e.g. skype does, with an onion-kind
> of code-encryption-scheme. But even *that* is analyzed. And it is
> nothing that is done easily and without major impact on your source, so
> you might need quite a bit of time to get it right. Is that covered by
> the expected revenues?
>
> And even if one doesn't want to hack into the system, if there is an
> interface to the data, who stops your users from exploiting that
> automatically to access all the data in the DB somehow?
>
> Diez

Thank you very much Diez.
This was my fear.
Anyways, if we can make it real hard for them to analyze also, I think
we are in the good - esp since the clients are not extremely rich
enough to go for professional analyzers --
What is the skype method? The code is not huge - less than 20K LOC so,
code encryption looks somewhat OK - would you be able to direct me to
any hints on this?

One another option that I was thinking was to automatically generate
the password for the database - re-encrypt every 1 hr - and store the
password inside the code itself. Is that possible in Python? i.e.
changing the code itself.

KT
--



More information about the Python-list mailing list