Re: Oracle and Postgresql - Mailing list pgsql-general

From Greg Smith
Subject Re: Oracle and Postgresql
Msg-id Pine.GSO.4.64.0809151818430.26261@westnet.com
In response to Re: Oracle and Postgresql  ("Jonathan Bond-Caron" <jbondc@openmv.com>)
Responses Re: Oracle and Postgresql  ("Scott Marlowe" <scott.marlowe@gmail.com>)
Obfuscated stored procedures (was Re: Oracle and Postgresql)  (Bill Moran <wmoran@collaborativefusion.com>)
List pgsql-general
On Mon, 15 Sep 2008, Jonathan Bond-Caron wrote:

> For me, "Oracle stored procedures can be encrypted." is a very real and
> valuable argument.

Let's just hope none of your rogue customers find
http://www.petefinnigan.com/orasec.htm or learn that "unwrap" is the magic
word to find utilities to do that.

To answer one of the questions that keeps popping up in this thread (the
details are in the "How to unwrap Oracle PL/SQL" presentation there):
the short answer is that in earlier revs the "encrypted" Oracle PL/SQL is
just the code transformed (reversibly!) into the intermediate language
actually used to execute it.  In 10g the "encryption" is hardened with
some 31337 base 64 tricks.  I hear the next version will include such
cutting-edge encryption technologies as rot13.

> It would certainly be a valuable feature in pgsql (in the enterprise space).

The problem here is that the PostgreSQL community is fully aware how bogus
any encryption method is and doesn't even bother, while Oracle is
perfectly happy selling a solution that is easily bypassed.  Don't get me
wrong--the work involved is just difficult enough that I'm sure most
PL/SQL procedures are quite safe from being reversed, and what you get
back again will be kind of crummy code, so that's good enough for your
typical ISV.  But the security doesn't stand up to simple scrutiny, and a
highly visible open-source project doing the same quality of
implementation would receive seriously bad press for releasing something
so shoddy.  PostgreSQL would be compelled to name it something like
"half-assed obfuscation" in order to make it clear just how limited the
protection actually is, and then you've kind of lost the sales pitch that
motivated the feature in the first place.

I feel like I should have been wearing a DeCSS t-shirt while typing the
above.

--
* Greg Smith gsmith@gregsmith.com http://www.gregsmith.com Baltimore, MD
