
Re: capture oracle pwd change in 3rd party application. help needed

From: Daniel Morgan <damorgan_at_x.washington.edu>
Date: Sat, 08 Nov 2003 09:46:44 -0800
Message-ID: <1068313626.69563@yasure>


Anurag Varma wrote:

> Daniel,
>
> I think I did reply to you offline .. but not sure if the mail reached you.
>
> Anyway, I realized that the email I was using to mail from this location
> was wrong.
>
> My email is: avdbi_at_hotmail.com
>
> Anurag
>
> "Daniel Morgan" <damorgan_at_x.washington.edu> wrote in message
> news:1068311431.525724_at_yasure...
> Anurag Varma wrote:
>
>>
>>
>> "Daniel Morgan" <damorgan_at_x.washington.edu> wrote in message
>> news:1068245466.11957_at_yasure...
>> Pete Finnigan wrote:
>>
>>>> My objection is that it would take me a matter of minutes to
>>>> make myself an account on another
>>>> machine on which I had no permissions. It is a hacker's delight.
>>>
>>>Hi Daniel,
>>>
>>>I think another point to make here is that we are not
>>>implementing this but just discussing possible solutions without knowing
>>>the application or architecture, tools, requirements etc. I would say
>>>that a script to synchronise password hash values should be run in a
>>>secure manner and also would not add new accounts, just synchronise old
>>>ones. I would also reiterate that this isn't the way to fix an issue like
>>>this. Why does this application need to have synchronised access to two
>>>databases, and why isn't the manufacturer involved?
>>>
>>>kind regards
>>>
>>>Pete
>>>
>>>
>> My personal opinion? The person asking the question is trying
>> to crack a database.
>> I've never seen an application with this architecture in 34
>> years in the business.
>>
>> I'd really like to be wrong.
>>
>>--
>>Daniel Morgan
>>http://www.outreach.washington.edu/ext/certificates/oad/oad_crs.asp
>>http://www.outreach.washington.edu/ext/certificates/aoa/aoa_crs.asp
>>damorgan_at_x.washington.edu
>>(replace 'x' with a 'u' to reply)
>>
>>--------------
>>
>>Actually one of the databases I manage runs on an application which does
>>something similar (Not the synchronization .. but the way it creates application accounts ...
>>by creating an Oracle account). The application being Bladerunner.
>>
>>If you ever get a chance .. run (really fast) away from it.
>>
>>:0)
>>
>>Anurag
>>
>>
>>
> I'll do that.
>
> BTW: I've tried to email you off-line and failed. Please send me
> your actual email address off-line. Thanks.
>
>--
>Daniel Morgan
>http://www.outreach.washington.edu/ext/certificates/oad/oad_crs.asp
>http://www.outreach.washington.edu/ext/certificates/aoa/aoa_crs.asp
>damorgan_at_x.washington.edu
>(replace 'x' with a 'u' to reply)
>

Thanks. I'll get back to you off-line.

-- 
Daniel Morgan
http://www.outreach.washington.edu/ext/certificates/oad/oad_crs.asp
http://www.outreach.washington.edu/ext/certificates/aoa/aoa_crs.asp
damorgan_at_x.washington.edu
(replace 'x' with a 'u' to reply)
Received on Sat Nov 08 2003 - 11:46:44 CST
