and actually, the fundamentals of security say that you should follow the principal of least privilege. Only allow any person to have exactly the amount of authority that is necessary to do his or her job. That also has little or nothing to do with the Oracle situation at hand, but it does speak to having (or allowing) physical access to boxes. My dad told me that it doesn't matter how big or how good you lock is, it is only designed to be sure to keep out an honest person. Anyone determined to not be honest will get in. April Wells Oracle DBA/Oracle Apps DBA Corporate Systems Amarillo Texas @>-->-->-- "Few people really enjoy the simple pleasure of flying a kite" Adam Wells age 11 "Imagination is the highest kite one can fly." Lauren Bacall -----Original Message----- From: Igor Neyman [mailto:ineyman@xxxxxxxxxxxxxx] Sent: Wednesday, March 10, 2004 8:51 AM To: oracle-l@xxxxxxxxxxxxx Subject: RE: Funny sort of question re sys password All this has nothing to do with Oracle security - it's OS security. Igor Neyman, OCP DBA ineyman@xxxxxxxxxxxxxx -----Original Message----- From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Juan Cachito Reyes Pacheco Sent: Wednesday, March 10, 2004 9:32 AM To: oracle-l@xxxxxxxxxxxxx Subject: Re: Funny sort of question re sys password The principle of security says if you have access to the server (the physical computer) you have access to its data. For example in Oracle in NT, you drop the service and recreate it, this is the time it takes to recreate the service and restart the server. In NT, to bypass NTFS there is a floppy disk (cia software) used to restart with it you can change server password, fix regedit, copy files, etc. Other chance is install another nt installation that gives you acces to everything. ----- Original Message ----- From: "Nuno Souto" <dbvision@xxxxxxxxxxxxxxx> To: "Oracle L" <oracle-l@xxxxxxxxxxxxx> Sent: Wednesday, March 10, 2004 6:07 AM Subject: Funny sort of question re sys password > Someone at work maintains that it takes them 10 minutes to > break the Oracle SYS password security. > > And the Sun boof-head (a different person and I use the > term loosely...) assures me he's capable of doing so any time > he wants. > > Now, I've been away from this security stuff for a year or so and > I may well be wrong here, but breaking the password security > means cracking the Oracle encryption. While this may be possible, > I can't believe it only takes 10 minutes? > > Wouldn't it rather be a case of social engineering at work? > Or just a plain vanilla "change_on_install" case? > > <says he who used to change it to "changed", > with the obvious funny consequences> > Cheers > Nuno Souto > nsouto@xxxxxxxxxxxxxxx > ---------------------------------------------------------------- > Please see the official ORACLE-L FAQ: http://www.orafaq.com > ---------------------------------------------------------------- > To unsubscribe send email to: oracle-l-request@xxxxxxxxxxxxx > put 'unsubscribe' in the subject line. > -- > Archives are at //www.freelists.org/archives/oracle-l/ > FAQ is at //www.freelists.org/help/fom-serve/cache/1.html > ----------------------------------------------------------------- > ---------------------------------------------------------------- Please see the official ORACLE-L FAQ: http://www.orafaq.com ---------------------------------------------------------------- To unsubscribe send email to: oracle-l-request@xxxxxxxxxxxxx put 'unsubscribe' in the subject line. -- Archives are at //www.freelists.org/archives/oracle-l/ FAQ is at //www.freelists.org/help/fom-serve/cache/1.html ----------------------------------------------------------------- ---------------------------------------------------------------- Please see the official ORACLE-L FAQ: http://www.orafaq.com ---------------------------------------------------------------- To unsubscribe send email to: oracle-l-request@xxxxxxxxxxxxx put 'unsubscribe' in the subject line. -- Archives are at //www.freelists.org/archives/oracle-l/ FAQ is at //www.freelists.org/help/fom-serve/cache/1.html ----------------------------------------------------------------- The information contained in this communication, including attachments, is strictly confidential and for the intended use of the addressee only; it may also contain proprietary, price sensitive, or legally privileged information. Notice is hereby given that any disclosure, distribution, dissemination, use, or copying of the information by anyone other than the intended recipient is strictly prohibited and may be illegal. If you have received this communication in error, please notify the sender immediately by reply e-mail, delete this communication, and destroy all copies. Corporate Systems, Inc. has taken reasonable precautions to ensure that any attachment to this e-mail has been swept for viruses. We specifically disclaim all liability and will accept no responsibility for damage sustained as a result of software viruses and advise you to carry out your own virus checks before opening any attachment.