Usenet, c.d.o.server
Re: Exciting Oracle News :: Oracle DB Worm Code Published :: Oracle Passwords Crack in Mere Minutes

I must disrespectfully disagree!

The only worm you ever wrote is the one that crept up your ASS! Pardon my ........

Replace default accounts in the code with a real call to Oracle's own zecurity code like lmpxe; give it a key schedule with the decrypt options and your prized env is a NEW ORLEANS waiting to be KATRINIZED!

Don't you get it? Oracle has a password transform with very few possibilities (well less than 275 billion) and those are with predictable rainbow endpoints.

That's actually not the real story though: Oracle encryption and decryption use the same damn routine; only a flag determines which one to do; no check for any kind of environment; no security check of any kind. So if you have an Oracle library; you have pretty much everything you need to wack that crack in their red slack. At least last time I checked. NOT GOOD for assholes like you either.

I say it is time to wIP Oracle OFF the map!

DA Morgan wrote:
> hpuxrac wrote:
> > # HansF wrote:
> > #>
> > #> Further apologies for feeding the troll.
> > #>
> >
> > Sorry Hans, don't understand your last remark. Both of the URLs cited
> > pose dangers for the Oracle database community.
> >
> > How long until variants of the worm appear that actually cause damage?
> >
> > How many Oracle databases are there out there that are at risk? How
> > many times do developers or consultants or contractors unskilled or too
> > "busy" install things and leave them at default settings? Way too
> > often.
> >
> > It's bad news for all of us.
>
> I must respectfully disagree. There is nothing in the announcements
> that indicates a vulnerability in Oracle. The fact that stupid people
> can do stupid things is not a product vulnerability. And any language
> worthy of calling itself a language can be used to write a worm. Heck
> I did it with Lotus 123 Macros back in the early '80s.
>
> The current utlpwdmg.sql goes back to 1996/7 and any competent DBA has
> had more than a decade to figure out how to drop, lock, or otherwise
> protect accounts. If a DBA has an elementary school level vulnerability
> left in their database they should be learning to say "Do you want fries
> with that."
> --
> Daniel A. Morgan
> http://www.psoug.org
> damorgan_at_x.washington.edu
> (replace x with u to respond)
Received on Tue Nov 08 2005 - 02:21:53 CST