Re: viewing source code

On Dec 20, 2007 3:52 PM, Andrew Sullivan <ajs@crankycanuck.ca> wrote:
> On Thu, Dec 20, 2007 at 03:35:42PM -0500, Merlin Moncure wrote:
> >
> > Key management is an issue but easily solved.  Uber simple solution is
> > to create a designated table holding the key(s) and use classic
> > permissions to guard it.
>
> Any security expert worth the title would point and laugh at that
> suggestion.  If the idea is that the contents have to be encrypted to
> protect them, then it is just not acceptable to have the encryption keys
> online.  That's the sort of "security" that inevitably causes programs to
> get a reputation for ill-thought-out protections.

right, right, thanks for the lecture.  I am aware of various issues
with key management.

I said 'simple' not 'good'. there are many stronger things, like
forcing the key to be passed in for each invocation, hmac, etc. etc.
I am not making a proposal here and you don't have to denigrate my
broad suggestion on a technical detail which is quite distracting from
the real issue at hand, btw.  I was just suggesting something easy to
stop casual browsing.  If you want to talk specifics, we can talk
specifics...

merlin