David Fetter <da...@fetter.org> wrote:

> One of the things the security community has learned is that the
> only way it's even possible to get an information leak rate of zero
> is to have a system which does nothing at all. It's a fact we need
> to bear in mind when addressing this or any other issue of access
> control.

And to get all old-school about it, I tend to go with the position put forward by Admiral Grace Hopper[1] when I heard her speak at an ACM meeting here. She said that *any* security could be broken, and that the goal should be to put the cost of creating the breach higher for the perpetrators than the benefits which would accrue to them. That informs my perspective, anyway.

So, one of the first questions I ask about an information leak is "what good would it do someone to know that?" So I don't worry too much about someone knowing the size of my database or the number of rows in a table, or for that matter whether county 12 has a 2009GN000317 case or how many party records have a Social Security Number stored. I care very much that the SSN associated with a person or a document flagged as confidential doesn't leak to unauthorized viewers, because that information could benefit someone who obtains it and harm others.

Perspective is more important than purity here.

-Kevin

[1] http://en.wikipedia.org/wiki/Grace_Hopper
-- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers