"Nathan" <nathan_970365_at_yahoo.com> wrote in message
news:989d0dbe.0306031051.63579101_at_posting.google.com...
> Dear Vladimir,
>
> Thanks for your response...Basically, the database is an intellectual
> property of mine and I wish not to provide read/write access to
> certain objects when my database is transferred to my client's server.
> Is there any legal way of providing partial access to my client's
> staff (including thier DBA).
As others suggested, you probably need to use packaged interfaces
for data access, and encryption so that direct access won't give away
your data. But keep in mind that since SYSDBA is really omnipowerful,
there are ways to get through your protection. The most complex
thing for an attacker will be getting the encryption keys if he wants
to just decrypt your data offline - and I believe it can be done with
Probe (the debugging tool built into the Oracle.) Also he can always
impersonate legitimate application user (since there *is* some way
to access the data, there are ways to figure out the necessary environment
for this to happen) and then iteratively retrieve the data of interest
through your packaged APIs. Anything can be hacked/cracked, it only
depends on how much effort it takes and what benefits the hacker gets
by accessing the data. If the protection is stong enough for hacking
effort to outweight potential benefits, chances are that nobody will
bother hacking your app unless they will discover a backdoor to it
(not necessarily intended.)
Ultimately though this is more of legal rather than technical issue.
--
Vladimir Zakharychev (bob@dpsp-yes.com) http://www.dpsp-yes.com
Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
All opinions are mine and do not necessarily go in line with those of my employer.
Received on Wed Jun 04 2003 - 00:16:42 CDT
