Good idea, but just be careful that some bonehead on your system isn't entering "sqlplus sys/<password>" on the OS command-line? Or that he's not found a "hidden file" with the password embedded and file-permissions not set properly? (Is that what you meant by "social engineering"?) Otherwise, he'll have that $10 out of your hands, toot sweet!

Either way, it would still be $10 well spent... :-)

on 3/10/04 6:49 AM, Whittle Jerome Contr NCI at Jerome.Whittle@xxxxxxxxxxxx wrote:

> Tell them that the proof is in the pudding. Challenge them to a $10 bet; get
> out a stopwatch; and sit them at a computer. If they succeed, it will be $10
> well spent to expose a security weakness. Otherwise enjoy the $10 and watching
> them squirm.
>
> Jerry Whittle
> ASIFICS DBA
> NCI Information Systems Inc.
> jerome.whittle@xxxxxxxxxxxx
> 618-622-4145
>
>> -----Original Message-----
>> From: Nuno Souto [SMTP:dbvision@xxxxxxxxxxxxxxx]
>>
>> Someone at work maintains that it takes them 10 minutes to
>> break the Oracle SYS password security.
>>
>> And the Sun boof-head (a different person and I use the
>> term loosely...) assures me he's capable of doing so any time
>> he wants.
>>
>> Now, I've been away from this security stuff for a year or so and
>> I may well be wrong here, but breaking the password security
>> means cracking the Oracle encryption. While this may be possible,
>> I can't believe it only takes 10 minutes?
>>
>> Wouldn't it rather be a case of social engineering at work?
>> Or just a plain vanilla "change_on_install" case?
>>
>> <says he who used to change it to "changed",
>> with the obvious funny consequences>
>> Cheers
>> Nuno Souto
>> nsouto@xxxxxxxxxxxxxxx