Securing a database
kt83313 at gmail.com
Fri Jan 23 11:00:03 CET 2009
On Jan 23, 12:38 pm, "Diez B. Roggisch" <de... at nospam.web.de> wrote:
> kt83... at gmail.com wrote:
> > My company provides some services online, which now they are planning
> > to make it offline and sell to customers who can use it in their
> > networks.
> > One of our major moneywinners is some data which is stored in a
> > database. Now, this data inside the database was obtained after paying
> > through the nose - so the company does not want to disclose the data
> > in the DB to the outside world - not to mention the lawsuits which the
> > original providers of data will start which will sink the company if
> > the data goes out.
> > Now, the code is in Python - and we have a big problem. How to secure
> > the data in DB? One idea was to encrypt it and store the password in
> > the code. I don't believe in security through obscurity - and Python code
> > can easily be reverse-engineered too - right?
> > Is it even possible to secure a data in this case?
> No. And that has nothing to do with Python. If the data is valuable, it
> will be deciphered from a compiled piece of code in no time. Believe me,
> I work for a company that sells C++ software with protective measures
> of various kinds. It gets hacked. Fact of life.
> You could try and raise the bar, as e.g. Skype does, with an onion-kind
> of code-encryption scheme. But even *that* is analyzed. And it is
> nothing that is done easily and without major impact on your source, so
> you might need quite a bit of time to get it right. Is that covered by
> the expected revenues?
> And even if one doesn't want to hack into the system, if there is an
> interface to the data, who stops your users from exploiting that
> automatically to access all the data in the DB somehow?
Thank you very much Diez.
This was my fear.
Anyway, if we can make it really hard for them to analyze as well, I think
we are good - especially since the clients are not rich enough to go
for professional analyzers.
What is the Skype method? The code is not huge - less than 20K LOC - so
code encryption looks somewhat OK. Would you be able to direct me to
any hints on this?
Another option I was thinking of was to automatically generate
the password for the database - re-encrypt every hour - and store the
password inside the code itself. Is that possible in Python? i.e.
changing the code itself.
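An added illustration, not from either poster, of why the "store the password in the code" idea cannot protect the data: a shipped .pyc is just a marshalled code object, and every string literal in it (including a nested function's) can be read back as plain data without ever running the module. The module source and the password string below are constructed for the demonstration.

```python
import marshal
import types

# Constructed sample module in the pattern the thread describes:
# a DB password hard-coded in the shipped code (not a real credential).
SHIPPED_SOURCE = '''
import hashlib

DB_PASSWORD = "example-hardcoded-db-secret"

def open_db(path):
    key = hashlib.sha256(DB_PASSWORD.encode()).digest()
    return ("connection", path, key)
'''


def compile_like_pyc(source: str) -> bytes:
    """Compile source and marshal the code object, which is exactly the
    payload a .pyc file carries after its 16-byte header."""
    code = compile(source, "<shipped_module>", "exec")
    return marshal.dumps(code)


def string_constants(code: types.CodeType) -> set:
    """Recursively collect every string constant, descending into the
    code objects of nested functions, classes and comprehensions."""
    found = set()
    for const in code.co_consts:
        if isinstance(const, str):
            found.add(const)
        elif isinstance(const, types.CodeType):
            found |= string_constants(const)
    return found


def secrets_visible_in_pyc(pyc_payload: bytes) -> set:
    """What any holder of the shipped file can read back: the literals
    are stored verbatim, so no execution or debugger is needed."""
    return string_constants(marshal.loads(pyc_payload))


def literal_in_raw_bytes(pyc_payload: bytes, literal: str) -> bool:
    """Even simpler: short ASCII literals appear verbatim in the bytes,
    so a plain substring search over the file already finds them."""
    return literal.encode() in pyc_payload


if __name__ == "__main__":
    payload = compile_like_pyc(SHIPPED_SOURCE)
    print(sorted(secrets_visible_in_pyc(payload)))
```

The same holds for any hourly "re-encryption" scheme that rewrites the key into the code: whoever has the file has the current key, so the data is exactly as secret as the shipped artifact.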