Thread: Advice needed on using postgres in commercial product
Hi all,
We're currently developing some large-scale software with the intention of selling it (online and off-the-shelf). The version in development uses Postgres to store stuff in a number of large databases.
Ignoring potential licensing issues for now, the big issue for us is that the data in the databases has significant intellectual property value. It has taken literally years of work to collect the data. We do not want the users of the commercial product to be able to fire up postgres and type something like: user]% pg_dump their_data > our_product
Additionally, we don't want to have to encrypt every entry in the database, because that will cause significant overhead during processing.
My question is, what options do we have? Can postgres store data as some sort of unreadable binary, much like you would find in a C binary data file?
If not postgres, what other database could possibly do this, if any? I really don't want to have to write our own RDBMS. :)
Thanks in advance for any advice or suggestions on this subject,
Pakt.
We're currently developing some large-scale software with the intention of selling it (online and off-the-shelf). The version in development uses Postgres to store stuff in a number of large databases.
Ignoring potential licensing issues for now, the big issue for us is that the data in the databases has significant intellectual property value. It has taken literally years of work to collect the data. We do not want the users of the commercial product to be able to fire up postgres and type something like: user]% pg_dump their_data > our_product
Additionally, we don't want to have to encrypt every entry in the database, because that will cause significant overhead during processing.
My question is, what options do we have? Can postgres store data as some sort of unreadable binary, much like you would find in a C binary data file?
If not postgres, what other database could possibly do this, if any? I really don't want to have to write our own RDBMS. :)
Thanks in advance for any advice or suggestions on this subject,
Pakt.
pakt sardines wrote: > Hi all, > > We're currently developing some large-scale software with the > intention of selling it (online and off-the-shelf). The version in > development uses Postgres to store stuff in a number of large databases. > > Ignoring potential licensing issues for now, the big issue for us is > that the data in the databases has significant intellectual property > value. It has taken literally years of work to collect the data. We do > not want the users of the commercial product to be able to fire up > postgres and type something like: user]% pg_dump their_data > our_product So you don't trust your customers. Then the honest thing to do then is not give them the raw data. I hate the idea of *buying* sofware and then being told I can't use the software I bought in any fashion I need, rather than what the developer thinks I need. If the data is valuable, then stop acting like its 1994. Do the whole thing as web service. If you really got to have something to install from a CD, just make it a link back to your web server. Invest money in a quality server environment for the customer, rather than locking the data from your customer. If it took you years to collect this information, make the requirement to use it a web enabled device... Do you really want to deal with support questions about postgresql installation/support/upgrades/bugs/versions/OS's/etc... ? -- Walter
pakt sardines wrote: > ...the big issue for us is > that the data in the databases has significant intellectual property > value. It has taken literally years of work to collect the data. We do > not want the users of the commercial product to be able to fire up > postgres and type something like: user]% pg_dump their_data > our_product That seems more like a legal question than a technical one. The first thing that comes to mind is a lawyer to review your license agreements, contracts, and NDAs with your customers. Perhaps a contract giving you rights to audit their facilities in the extreme cases. > Additionally, we don't want to have to encrypt every entry in the > database, because that will cause significant overhead during processing. That's unlikely to work anyway. Organizations protecting valuable data using technical approaches (DVDs, etc) find it gets out anyway. Since you'll ship a client that can decrypt the data anyway, anyone with a debugger could decrypt it (unless you only want it to run on Trusted computing platform / palladium computers). > My question is, what options do we have? I'd say that many of the more successful companies that sell products with valuable data (geospatial data vendors; market research companies) use the legal options rather than the technical ones. > Can postgres store data as > some sort of unreadable binary, much like you would find in a C binary > data file? Huh? > If not postgres, what other database could possibly do this, if any? I > really don't want to have to write our own RDBMS. :) Doesn't seem much like a database question. I'd say ask on some trusted computing (google Trusted Computing) list if you want a technical solution or a lawyer if you want a legal one. > Thanks in advance for any advice or suggestions on this subject,
On Sat, Jan 06, 2007 at 11:14:42AM +1100, pakt sardines wrote: > > Hi all, > We're currently developing some large-scale software with the > intention of selling it (online and off-the-shelf). The version in > development uses Postgres to store stuff in a number of large > databases. Ignoring potential licensing issues for now, There aren't any. PostgreSQL is under the 3-clause BSD license. > the big issue for us is that the data in the databases has > significant intellectual property value. It has taken literally > years of work to collect the data. We do not want the users of the > commercial product to be able to fire up postgres and type something > like: user]% pg_dump their_data > our_product If you don't want your customers to see it, don't ship it to your customers. That's true whether you use PostgreSQL or not. > Additionally, we don't want to have to encrypt every entry in the > database, because that will cause significant overhead during > processing. My question is, what options do we have? Can postgres > store data as some sort of unreadable binary, much like you would > find in a C binary data file? If not postgres, what other database > could possibly do this, if any? None, no matter what they purport, and you won't be able to build one either. You should also consider carefully what it is you're telling your customers by starting off with an adversary relationship. If your data is that secret and that valuable, you should not ship it in the first place. Cheers, D -- David Fetter <david@fetter.org> http://fetter.org/ phone: +1 415 235 3778 AIM: dfetter666 Skype: davidfetter Remember to vote!
pakt sardines wrote: > ...the big issue for us is > that the data in the databases has significant intellectual property > value. It has taken literally years of work to collect the data. We do > not want the users of the commercial product to be able to fire up > postgres and type something like: user]% pg_dump their_data > our_product That seems more like a legal question than a technical one. The first thing that comes to mind is a lawyer to review your license agreements, contracts, and NDAs with your customers. Perhaps a contract giving you rights to audit their facilities in the extreme cases. > Additionally, we don't want to have to encrypt every entry in the > database, because that will cause significant overhead during processing. That's unlikely to work anyway. Organizations protecting valuable data using technical approaches (DVDs, etc) find it gets out anyway. Since you'll ship a client that can decrypt the data anyway, anyone with a debugger could decrypt it (unless you only want it to run on Trusted computing platform / palladium computers). > My question is, what options do we have? I'd say that many of the more successful companies that sell products with valuable data (geospatial data vendors; market research companies) use the legal options rather than the technical ones. > Can postgres store data as > some sort of unreadable binary, much like you would find in a C binary > data file? Huh? > If not postgres, what other database could possibly do this, if any? I > really don't want to have to write our own RDBMS. :) Doesn't seem much like a database question. I'd say ask on some trusted computing (google Trusted Computing) list if you want a technical solution or a lawyer if you want a legal one. > Thanks in advance for any advice or suggestions on this subject,
On Mon, 2007-01-08 at 20:11, Ron Mayer wrote: [snip] > That's unlikely to work anyway. Organizations protecting valuable data > using technical approaches (DVDs, etc) find it gets out anyway. > Since you'll ship a client that can decrypt the data anyway, anyone with > a debugger could decrypt it (unless you only want it to run on Trusted > computing platform / palladium computers). Hmm, I do hope those techniques will never be good enough to stop hackers cracking them. But this is a philosophical and off topic question... the point is, I don't believe there is any kind of software/hardware out there that can't be cracked once it gets in hostile hands. On to the off topic thing, I really think all data should be legally forced to be free... research would have to change and maybe stumble a bit in the beginning, but I'm completely sure all interested parties would be forced to better cooperate and that would boost the advancement of science in the long term. Hiding research results will not work these days, so companies would be forced to do it in cooperation with all other players... of course not convenient for todays big corporations, but maybe they should disappear anyway. Cheers, Csaba.
On Jan 8, 2007, at 2:11 PM, Ron Mayer wrote: >> If not postgres, what other database could possibly do this, if >> any? I >> really don't want to have to write our own RDBMS. :) > > Doesn't seem much like a database question. I'd say ask on some > trusted > computing (google Trusted Computing) list if you want a technical > solution or a lawyer if you want a legal one. Valentina claims to be able to securely encrypt your data for the entire database or individual fields/records. http://www.paradigmasoft.com/en/technology/TECH_SECURITY John DeSoi, Ph.D. http://pgedit.com/ Power Tools for PostgreSQL
On Wed, 2007-01-10 at 00:12, John DeSoi wrote: > On Jan 8, 2007, at 2:11 PM, Ron Mayer wrote: > >> If not postgres, what other database could possibly do this, if > >> any? I > >> really don't want to have to write our own RDBMS. :) > > > > Doesn't seem much like a database question. I'd say ask on some > > trusted > > computing (google Trusted Computing) list if you want a technical > > solution or a lawyer if you want a legal one. > > > > Valentina claims to be able to securely encrypt your data for the > entire database or individual fields/records. > > http://www.paradigmasoft.com/en/technology/TECH_SECURITY But I'm not sure that would keep the customer from getting to the data. If the app you ship can decrypt the data, so can the customer, with enough work. IFF they claim to be able to do what the OP is asking for, it's snake oil.