Kevin Loney tells the story of making a call to the data center from
the CIO's office and asking them to make a copy of the backup tapes and
leave them at reception. Since the call came from the CIO's office,
they made the copy.
- Pete Finnigan <oracle_list_at_peterfinnigan.demon.co.uk> wrote:
> Hi Peter
>
> Glad to hear that there are controls in Oracle for use of DUL, I was
> thinking of a case where I heard that one guy rang up the backup storage
> company for a large company and requested a set of backup tapes be left
> at reception at the company and he just walked in off the street and
> took them. Mitnick tells similar stories in his book.
>
> Thanks for the internal Oracle insight Peter,
>
> kind regards
>
> Pete
>
> In article <F001.005D0650.20030918100953_at_fatcity.com>, Peter Gram
> <peter.gram_at_miracleas.dk> writes
> >Hi Pete
> >
> >I have used Dul many times at customer sites when I was employed by
> >Oracle Denmark.
> >
> >Every time the customer management had to verify by phone and fax that
> >they understood the full impact of using Dul.
> >
> >Oracle have a disclaimer that explains the problems with missing
> >transaction consistency of the data saved by Dul and the security issues.
> >
> >The customer has to sign and fax the disclaimer back to Oracle before we
> >came on site .-)
> >
> >After I left Oracle several people asked me if I would write a Dul and I
> >declined.
> >
> >I'm of the opinion that Dul should stay behind the Oracle firewall.
> >
> >/peter
> >
> >
> >Pete Finnigan wrote:
> >
> >>Hi Mark
> >>
> >>I agree with you Mark, even if it's supplied by Oracle technicians - it
> >>is as you say possible to by-pass security completely. Does anyone in
> >>Oracle check that the field support personnel dispatched to a site (in
> >>urgency) are dumping data for the owner of it? -
> >>
> >>I covered the issue of DUL with regards to security in the SANS Oracle
> >>security step-by-step book - action 6.5.1
> >>
> >>kind regards
> >>
> >>Pete
> >>
> >>In article <F001.005D0632.20030918083501_at_fatcity.com>, Mark Leith
> >><mark_at_cool-tools.co.uk> writes
> >>
> >>
> >>>One problem I see with giving this away "free" is that you will be supplying
> >>>a tool that allows you to extract data from the database, bypassing all
> >>>inbuilt security. A BIG "no no". I suppose that also applies to this kind of
> >>>tool even under a paid license structure.
> >>>
> >>>
> >>>
> >
>
> --
> Pete Finnigan
> email:pete_at_petefinnigan.com
> Web site: http://www.petefinnigan.com - Oracle security audit specialists
> Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Pete Finnigan
> INET: oracle_list_at_peterfinnigan.demon.co.uk
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Rachel Carmichael
INET: wisernet100_at_yahoo.com
Received on Thu Sep 18 2003 - 20:29:40 CDT