And heck, why go to all that trouble. Just take screen snapshots of
displayed data. Nowadays the camera phones are so small you could stand
there and snap pictures and no one would notice.
I have never thought of that! Thank you.
Sometimes the most obvious things are those that you ignore.
-Vassilis
P.S: In my next application if I really want to protect my precious data I
will make my data records invisible!!! -:)
----- Original Message -----
From: "Charlie Coleman" <[EMAIL PROTECTED]>
To: "ProFox Email List" <[email protected]>
Sent: Tuesday, September 05, 2006 8:42 PM
Subject: Re: [NF] Open Source Rookie + Database Servers
At 06:59 PM 9/5/2006 +0300, Vassilis Aggelakos wrote:
Charlie,
All true and I totally agree with you.
Try walking in my shoes,
I develop and deploy a vertical market app and I send my CDs to
approximately 1000 companies all over the country. Many of my clients are
totally unknown to me. One of the
...
My *valuable* database is an open book if a user of mine (just because he
is the pc owner and has admin rights) modifies the source code of the
server. My ExtraLongAndDifficult password is useless.
...
I think others have explained things better (and briefer) than I on the
technical issues. But I'll add one more thing before shutting up.
I think you may be expecting too much with respect to security. For one,
what you describe above would not be quite so simple. To 'break into' your
SQL DB, you'd have to do something like:
- get the source of MySQL
- modify the source, compile it
- take the new server software to the server machine (physically)
- stop/remove the previous MySQL Server and replace with the hacked
version
As others have pointed out, being able to get onto the server and
write/delete/modify files is already a security breach way beyond your
control.
And heck, why go to all that trouble. Just take screen snapshots of
displayed data. Nowadays the camera phones are so small you could stand
there and snap pictures and no one would notice. Get fancier, set up a
very small camera in an unseen corner, and you could watch/record
everything they bring up - and probably even find out their password, etc.
You cannot guarantee security of your software if the system/network it's
installed on is compromised. About all you can do is let your customers
know what the system will do in regard to security. The stuff I've put
out uses VFP DBs all the time. I simply let the customers know what the
system capabilities/limitations are, and what they can do if they're
concerned about security.
The whole world of security is pretty odd when you think about it. You'll
get IT shops that absolutely refuse to allow FTP because they're afraid it
may be insecure. But those same shops 'standardize' on Internet Explorer
which is (IMO) the most insecure piece of software ever released in the
history of computers (if you count the number of compromises).
For my systems, after I've provided the details on how to secure the VFP
database, clients rarely have any issues and use the software with no
problems. There were one or two cases where they requested an enhancement
so that they could set up a 'public' area to completely hide the real DB.
With a few triggers, a separate directory, and very little code they were
completely satisfied and happy.
-Charlie