On Tue, May 23, 2006 at 06:26:42AM +0900, Kris Leech wrote:
> Yes two things I am concerned with, I have also looked at Java and .NET 
> and they also have the same problems.

Because this is a general problem, not depending on language.

> > Hiding code is useless because if it can be executed
> > by a computer it can be cracked by a person.

True. You could store it in "safe" hardware, a smartcard for example.

> I would not say useless, if you offer open source then you are asking 
> for trouble. If you take measures to obfuscate/encrypt the code the 
> skill level to get/change it increases. There is no such thing as 
> absolute security but...

Encryption is hard. You will implement a useless scheme privately. Doing
this any other way than open source, under peer review, will lead to a
trivially breakable system. Sorry if this seems harsh.

> > So: must the sensitive data be given to only *some* of the insiders by
> > your program? Or must only *some* of the data be revealed to the insiders?
> > If you are trying to give people encrypted data that is only readable
> > by your program, I think that's a lost cause.

Very true. Except you stuff that data *and* the processing program
into "safe" hardware, and only communicate unclassified results from
that to your rails app.

Lastly, if that data is really "highly sensitive", it is also highly
valuable, and obfuscation won't keep the bad boys away. If it ain't
valuable, don't bother with obfuscation, because your time is of
value too.

Jgen

-- 
 The box said it requires Windows 95 or better so I installed Linux