Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)

From: "Gregory Williamson" <Gregory(dot)Williamson(at)digitalglobe(dot)com>
To: "David Fetter" <david(at)fetter(dot)org>, "Bill Moran" <wmoran(at)collaborativefusion(dot)com>
Cc: "Greg Smith" <gsmith(at)gregsmith(dot)com>, "Jonathan Bond-Caron" <jbondc(at)openmv(dot)com>, "Postgres General List" <pgsql-general(at)postgresql(dot)org>
Subject: Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)
Date: 2008-09-16 01:17:35
Message-ID: 8B319E5A30FF4A48BE7EEAAF609DB233021F338B@COMAIL01.digitalglobe.com
Lists: pgsql-general pgsql-www

David Fetter shaped the electron traffic to say:
<...snip...>
>
> First, make a case for implementing PL obfuscation under any
> circumstances.
>
> While you are making your case, please bear in mind that security by
> obscurity is in effect an attack launched from that nastiest of places
> to have an attacker, the inside of your trust boundaries.

Devil's advocate since I don't like any form of security by obscurity [or most any other o-word].

We can set permissions to prevent a user from seeing the data in a table (REVOKE SELECT FROM ...) but if they have access to the database it is hard (impossible? I have never tried...) to prevent them from seeing the _existence_ of the table and even the structure.

Isn't this analogous to not allowing users to see a procedure's innards, but allowing them to see the name, parameters and return type?

Ditto for trust ... let me be root and I will be able to get around any security you have. Roles and users notwithstanding.

Greg Williamson
Senior DBA
DigitalGlobe

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information and must be protected in accordance with those provisions. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

(My corporate masters made me say this.)
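
Added example, not part of the original message: a psql script showing what a role with no privileges on a table or function can still read from the system catalogs. It assumes a stock PostgreSQL install with default catalog permissions, run as a superuser in a scratch database; `demo_reader`, `demo_secret` and `demo_pricing` are hypothetical names.

```sql
-- Setup (as superuser): a role, a table and a function it gets no rights on.
CREATE ROLE demo_reader NOLOGIN;
CREATE TABLE demo_secret (id int PRIMARY KEY, payload text);
CREATE FUNCTION demo_pricing(int) RETURNS numeric
    LANGUAGE sql AS $$ SELECT $1 * 1.07 $$;
REVOKE ALL ON demo_secret FROM PUBLIC, demo_reader;
REVOKE ALL ON FUNCTION demo_pricing(int) FROM PUBLIC, demo_reader;

SET ROLE demo_reader;

-- The data and the call are closed off: both checks return false.
SELECT has_table_privilege('demo_secret', 'SELECT')             AS can_read_rows,
       has_function_privilege('demo_pricing(int)', 'EXECUTE')   AS can_call;

-- The table's existence and structure are still visible, because
-- pg_class and pg_attribute are readable by every role by default.
SELECT c.relname, a.attname, format_type(a.atttypid, a.atttypmod) AS coltype
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_attribute a ON a.attrelid = c.oid
WHERE c.relname = 'demo_secret'
  AND a.attnum > 0
  AND NOT a.attisdropped
ORDER BY a.attnum;

-- Same for the function: name, parameters and return type are visible,
-- and by default so is the body (pg_proc.prosrc), which is the part the
-- obfuscation discussion is about.
SELECT p.proname,
       pg_get_function_arguments(p.oid) AS args,
       pg_get_function_result(p.oid)    AS returns,
       p.prosrc                         AS body
FROM pg_catalog.pg_proc p
WHERE p.proname = 'demo_pricing';

-- Cleanup.
RESET ROLE;
DROP FUNCTION demo_pricing(int);
DROP TABLE demo_secret;
DROP ROLE demo_reader;
```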
