At 06:59 PM 9/5/2006 +0300, Vassilis Aggelakos wrote:
Charlie,
All true and I totally agree with you.
Try walking in my shoes,
I develop and deploy a vertical market app and I send my CDs to
approximately 1000 companies all over the country. Many of my clients are
totally unknown to me. One of the
...
My *valuable* database is an open book if a user of mine (just because he
is the pc owner and has admin rights) modifies the source code of the
server. My ExtraLongAndDifficult password is useless.
...
I think others have explained things better (and briefer) than I on the
technical issues. But I'll add one more thing before shutting up.
I think you may be expecting too much in respect to security. For one, what
you describe above would not be quite so simple. To 'break into' your SQL
DB, you'd have to do something like:
- get the source of MySQL
- modify the source, compile it
- take the new server software to the server machine (physically)
- stop/remove the previous MySQL Server and replace with the hacked version
As others have pointed out, being able to get onto the server and
write/delete/modify files is already a security breach way beyond your control.
And heck, why go to all that trouble. Just take screen snapshots of
displayed data. Nowadays the camera phones are so small you could stand
there and snap pictures and no one would notice. Get fancier, set up a very
small camera in an unseen corner, and you could watch/record everything
they bring up - and probably even find out their password, etc.
You cannot guarantee security of your software if the system/network it's
installed on is compromised. About all you can do is let your customers
know what the system will do in regards to security. The stuff I've put out
uses VFP DBs all the time. I simply let the customers know what the system
capabilities/limitations are, and what they can do if they're concerned
about security.
The whole world of security is pretty odd when you think about it. You'll
get IT shops that absolutely refuse to allow FTP because they're afraid it
may be insecure. But those same shops 'standardize' on Internet Explorer
which is (IMO) the most insecure piece of software ever released in the
history of computers (if you count the number of compromises).
For my systems, after I've provided the details on how to secure the VFP
database, clients rarely have any issues and use the software with no
problems. There were one or two cases where they requested an enhancement so
that they could set up a 'public' area to completely hide the real DB. With
a few triggers, a separate directory, and very little code they were
completely satisfied and happy.
-Charlie
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
** All postings, unless explicitly stated otherwise, are the opinions of the
author, and do not constitute legal or medical advice. This statement is added
to the messages for those lawyers who are too stupid to see the obvious.
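An added example, not code from either post and not part of anyone's product: a small Python reader for the .dbf layout that Visual FoxPro free tables use. It builds a sample table in memory (the customer names and balances are made up here) and then reads every row straight back out of the bytes, including a row the application marked deleted but never PACKed. That is what "open book" means once someone has file access: no server process and no application password sits between the file and the reader. The field list, the sample rows and the build_dbf helper are assumptions for the demonstration; the parser follows the documented dBASE III header layout that VFP tables share (VFP's own 0x30 tables add a backlink block after the field list, which the reader skips by honouring the header-length word instead of assuming a size).

```python
"""Read a Visual FoxPro / dBASE .dbf table directly from its bytes.

Added illustration: a .dbf file is a plain fixed-width layout, so anyone
who can read the file can read every row, including rows the application
'deleted' but never PACKed. The table below is constructed here as sample
input; it is not data from the list post.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

FIELD_DESC_SIZE = 32       # one field descriptor in the header
HEADER_TERMINATOR = 0x0D   # byte that ends the field descriptor array
DELETED_FLAG = 0x2A        # '*' in a record's first byte; 0x20 means live


@dataclass
class Field:
    name: str
    ftype: str      # 'C' character, 'N' numeric, 'L' logical, 'D' date
    length: int
    decimals: int


def _encode(f: Field, value) -> bytes:
    """Fixed-width text encoding of one field value (assumed helper)."""
    if f.ftype == "C":
        text = str(value).ljust(f.length)
    elif f.ftype == "N":
        text = f"{value:.{f.decimals}f}".rjust(f.length)
    elif f.ftype == "L":
        text = "T" if value else "F"
    elif f.ftype == "D":
        text = str(value)            # already 'YYYYMMDD'
    else:
        raise ValueError(f"unsupported field type {f.ftype}")
    return text.encode("latin-1")[: f.length]


def _decode(f: Field, raw: bytes):
    """Inverse of _encode: fixed-width bytes back to a Python value."""
    text = raw.decode("latin-1")
    if f.ftype == "C":
        return text.rstrip()
    if f.ftype == "N":
        text = text.strip()
        if not text:
            return None
        return float(text) if f.decimals else int(text)
    if f.ftype == "L":
        return text.upper() in ("T", "Y")
    if f.ftype == "D":
        return text                  # left as 'YYYYMMDD'
    return raw


def build_dbf(fields: List[Field], rows: List[dict],
              deleted: frozenset = frozenset()) -> bytes:
    """Assemble a dBASE III-compatible .dbf (version byte 0x03) in memory.

    Only used to construct sample input. Header: version, YYMMDD, record
    count (uint32), header length (uint16), record length (uint16), then
    20 reserved bytes; one 32-byte descriptor per field; 0x0D terminator.
    """
    record_len = 1 + sum(f.length for f in fields)          # 1 = deletion flag
    header_len = 32 + FIELD_DESC_SIZE * len(fields) + 1     # 1 = terminator
    hdr = struct.pack("<B3BIHH", 0x03, 6, 9, 5, len(rows), header_len, record_len)
    hdr += b"\x00" * 20
    for f in fields:
        hdr += struct.pack("<11sB4xBB14x", f.name.encode("ascii"),
                           ord(f.ftype), f.length, f.decimals)
    hdr += bytes([HEADER_TERMINATOR])
    body = b""
    for i, row in enumerate(rows):
        rec = bytes([DELETED_FLAG if i in deleted else 0x20])
        for f in fields:
            rec += _encode(f, row[f.name])
        body += rec
    return hdr + body + b"\x1a"                             # optional EOF marker


def read_dbf(data: bytes) -> Tuple[List[Field], List[Tuple[bool, Dict[str, object]]]]:
    """Parse the header, the field descriptors and every record, deleted ones included."""
    nrec, header_len, record_len = struct.unpack_from("<IHH", data, 4)
    fields: List[Field] = []
    off = 32
    while data[off] != HEADER_TERMINATOR:
        name, ftype, length, decimals = struct.unpack_from("<11sB4xBB14x", data, off)
        fields.append(Field(name.split(b"\x00")[0].decode("ascii"),
                            chr(ftype), length, decimals))
        off += FIELD_DESC_SIZE
    records = []
    for i in range(nrec):
        start = header_len + i * record_len                 # skips any backlink block
        rec = data[start:start + record_len]
        values, pos = {}, 1
        for f in fields:
            values[f.name] = _decode(f, rec[pos:pos + f.length])
            pos += f.length
        records.append((rec[0] == DELETED_FLAG, values))
    return fields, records


def leaked_rows(data: bytes) -> List[Dict[str, object]]:
    """Every row recoverable from the file bytes, with the deletion flag exposed."""
    _, records = read_dbf(data)
    return [dict(values, _deleted=flag) for flag, values in records]


# Constructed sample table: made-up customers, one row marked deleted.
CUSTOMERS = [Field("NAME", "C", 20, 0), Field("BALANCE", "N", 10, 2), Field("ACTIVE", "L", 1, 0)]
SAMPLE_ROWS = [
    {"NAME": "Acme Ltd", "BALANCE": 1234.5, "ACTIVE": True},
    {"NAME": "Northwind", "BALANCE": -80.0, "ACTIVE": False},
    {"NAME": "Contoso", "BALANCE": 0, "ACTIVE": True},
]
SAMPLE_DBF = build_dbf(CUSTOMERS, SAMPLE_ROWS, deleted=frozenset({1}))

if __name__ == "__main__":
    for row in leaked_rows(SAMPLE_DBF):
        print(row)
```

Nothing in read_dbf asks for a password because the format has nowhere to put one; the only controls that bite are the ones Charlie describes, namely file-system permissions on the directory holding the real tables, and keeping that directory off the path the end user can browse.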