Re: Database Encryption (now required by law in Italy)
From | Silvana Di Martino |
---|---|
Subject | Re: Database Encryption (now required by law in Italy) |
Date | |
Msg-id | 200403060824.40597.silvanadimartino@tin.it |
In response to | Re: Database Encryption (now required by law in Italy) ("scott.marlowe" <scott.marlowe@ihs.com>) |
List | pgsql-admin |

At 20:34 on Friday 5 March 2004, scott.marlowe wrote:

> Sorry, but that's the wrong answer. Once someone has root on a unix box
> he can do ANYTHING he wants, and he can cover his tracks. If the
> encryption takes place on his box, he can attach to the process doing the
> encryption and/or replace it with a trojan copy of his own and get your
> data. The ONLY way to keep the data secure is for it to be encrypted
> elsewhere before it gets to the storage box. If the box that stores it
> encrypts it, the root user on that box can impersonate anyone and any
> process on that box to get to the data in mid stream.

That's right, of course, but I think we have to consider what we actually have to prevent, according to the law.

A "man-in-the-middle" attack on the encryption system or a brute-force/dictionary-based attack on the password/data is a crime "per se", both in Italy and in many other countries. The law does not impose on us the burden to defend the end-user from a well-planned, well-performed criminal act. This is the business of our Police. We just have to do our best to protect our data from human curiosity, human errors and teenage hackers.

The Italian law states exactly this: protect your data to the best of your technological capabilities. Real crime is a police problem.

Anyway, even data encrypted on Mars would be vulnerable to a well-performed brute-force attack. It is just a matter of computing resources and time.

See you

-----------------------------------------
Alessandro Bottoni and Silvana Di Martino
alessandrobottoni@interfree.it
silvanadimartino@tin.it