Re: Funny sort of question re sys password

  • From: Tim Gorman <tim@xxxxxxxxxxxxx>
  • To: <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 10 Mar 2004 07:04:47 -0700

Good idea, but just be careful that some bonehead on your system isn't
entering "sqlplus sys/<password>" on the OS command-line?  Or that he's not
found a "hidden file" with the password embedded and file-permissions not
set properly?  (Is that what you meant by "social engineering"?)

Otherwise, he'll have that $10 out of your hands, toot sweet!

Either way, it would still be $10 well spent...  :-)



on 3/10/04 6:49 AM, Whittle Jerome Contr NCI at Jerome.Whittle@xxxxxxxxxxxx
wrote:

> Tell them that the proof is in the pudding. Challenge them to a $10 bet; get
> out a stopwatch; and sit them at a computer. If they succeed, it will be $10
> well spent to expose a security weakness. Otherwise enjoy the $10 and watching
> them squirm.
> 
> Jerry Whittle 
> ASIFICS DBA 
> NCI Information Systems Inc.
> jerome.whittle@xxxxxxxxxxxx
> 618-622-4145 
>> -----Original Message-----
>> From:   Nuno Souto [SMTP:dbvision@xxxxxxxxxxxxxxx]
>> 
>> Someone at work maintains that it takes them 10 minutes to
>> break the Oracle SYS password security.
>> 
>> And the Sun boof-head (a different person and I use the
>> term loosely...) assures me he's capable of doing so any time
>> he wants. 
>> 
>> Now, I've been away from this security stuff for a year or so and
>> I may well be wrong here, but breaking the password security
>> means cracking the Oracle encryption.  While this may be possible,
>> I can't believe it only takes 10 minutes?
>> 
>> Wouldn't it rather be a case of social engineering at work?
>> Or just a plain vanilla "change_on_install" case?
>> 
>> <says he who used to change it to "changed",
>> with the obvious funny consequences>
>> Cheers 
>> Nuno Souto 
>> nsouto@xxxxxxxxxxxxxxx
> 
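An audit sketch for the two exposures raised in the reply above (a password typed as a `sqlplus` argument, and a dotfile embedding a connect string with loose permissions). This is an added example, not part of the thread; the `ps -ef` rows, the file names and `EXAMPLE_PW` are constructed, and the function names are hypothetical.

```python
import os
import re
import stat
import tempfile

# user/password after sqlplus or a CONNECT statement. A bare
# "sqlplus / as sysdba" carries no secret and does not match.
CRED = re.compile(r"\b(?:sqlplus|connect|conn)(?:\s+-\S+)*\s+"
                  r"(?P<user>[A-Za-z0-9_$#]+)/[^\s@/]+", re.IGNORECASE)

# Constructed sample of `ps -ef` output (UID PID PPID C STIME TTY TIME CMD).
SAMPLE_PS = """\
oracle    4121  4100  0 07:01 pts/3    00:00:00 sqlplus sys/EXAMPLE_PW@orcl
oracle    4177  4100  0 07:03 pts/5    00:00:00 sqlplus -s / as sysdba
jdoe      4190  4188  0 07:03 pts/6    00:00:00 sqlplus -s scott/EXAMPLE_PW
""".splitlines()

def exposed_on_cmdline(ps_lines):
    """(pid, db_user) for each process whose argv shows user/password."""
    hits = []
    for line in ps_lines:
        fields = line.split(None, 7)  # eighth field is the full command
        if len(fields) == 8 and (m := CRED.search(fields[7])):
            hits.append((int(fields[1]), m.group("user")))
    return hits

def loose_credential_files(root):
    """Files under root (dotfiles too) with a connect string, group/other readable."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & 0o044:
                with open(path, errors="replace") as fh:
                    if CRED.search(fh.read()):
                        found.append(path)
    return sorted(found)

def demo():
    """Build two constructed dotfiles, one 0644 and one 0600, then audit both ways."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in ((".dbconn", 0o644), (".dbconn_ok", 0o600)):
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("connect sys/EXAMPLE_PW as sysdba\n")
            os.chmod(path, mode)
        files = [os.path.basename(p) for p in loose_credential_files(d)]
    return exposed_on_cmdline(SAMPLE_PS), files
```

The functions report only the PID, the database user and the file path, so the audit output does not itself repeat the password.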

