On Mon, Sep 14, 2009 at 12:17:55PM -0400, Tom Lane wrote:
> Sam Mason <sam@samason.me.uk> writes:
> > On Mon, Sep 14, 2009 at 05:45:14PM +0200, Saleem EDAH-TALLY wrote:
> >> How can a user extract data from a container, by whatever
> >> name we call it, if he does not have the key to open it ?
>
> > Exactly the same way that libpq does--debuggers are powerful tools!
>
> Or even easier, modify the source code of libpq to print out the data
> after it's extracted it.
Yup, I suppose you could even modify libpq to rewrite the "good" SQL
into whatever the attackers wants--bypassing any secret based scheme
completely.
> Security in an open-source world requires
> a different set of tools than security in a closed-source world.
Strictly speaking, a debugger is the universal mallet :)
Also, it shouldn't change much. Security through obscurity is never
good, it is employed far too often though thankfully (a bit) less in
open-source programs.
--
Sam http://samason.me.uk/