I misunderstood what you meant by "custom embedded tool" and connecting directly to the database. It sounds like you're talking about a custom-built version of Firebird that they load onto the machine (somehow?), do what they need to do, and then unload before they go (presumably wiping up after themselves).
So they need to be sure that the customer isn't logging their keystrokes and copying their files while they are working, all of which is easy these days with off-the-shelf software. In other words, all you've done is move the problem.

I understand that a bit of obscurity is all some of these application developers are looking for - and it can be helpful, like locks on your windows when a thief can just break the glass. My main point is that anything beyond that "bit of obscurity" is a lot of work for not much gain.

--
Geoff Worboys
Telesis Computing Pty Ltd

Dalton Calford wrote:
> Hi Geoff,
>
> You must have missed the part about the developer using a custom embedded tool, i.e., not going through the server but touching the database directly. Using custom embedded tools for such work is quite common and if the developer leaves that tool in the client's control when they are not working on the system, that is their own fault. You can only provide tools assuming a base level of competence. If you don't provide the solution with the understanding that the end user has to be smart enough to use it properly, then you can extend that line of thinking to removing all cars from the roads on the basis that some users may drive impaired.
>
> If you are concerned about security, you would not connect to any element in your software stack that you are not confident of. I take it to the next level and do not run my servers on any form of Microsoft product, but, not everyone maintains databases that contain private customer data.............
>
> As for redsoft, the part of their software stack that I am referring to happens to be the grant visible code. I also know they have encryption implemented, but as I have not performed any security testing with their product, I cannot vouch for how it is implemented or works.
>
> As I have stated in multiple posts - I am not looking for the authentication/authorization/encryption layer to be complete, just a parser change. In the same vein as "COMMENT ON" replaced "UPDATE RDB$.... SET RDB$DESCRIPTION=..." .
>
> best regards

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel