Received: (qmail 4258 invoked from network); 5 May 2011 10:09:17 -0500 Received: from freelists-180.iquest.net (HELO turing.freelists.org) (206.53.239.180) by static-ip-85-25-126-90.inaddr.intergenia.de with SMTP; 5 May 2011 10:09:12 -0500 Received: from localhost (localhost [127.0.0.1]) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id F10D0E11B25; Thu, 5 May 2011 11:08:24 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=freelists.org; s=turing; t=1304608105; bh=ggjy+56ljVvdZ/fkCVtQpcGBNyupscsgzfSHEt+a h2c=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID: Subject:To:Cc:Content-Type:Sender:Reply-To:List-help: List-unsubscribe:List-Id:List-subscribe:List-owner:List-post: List-archive; b=f6D90hVG1ZErm2JDg2YMkFGoRQLO2XihrOTVUbN9ZoScmBscBP BQ3MMiioRqcUK1NNmXCOH3EKehzs+cFD2xMJQrrD1Clm8GarShG2C948AwRPZ0aovOo 4IQpg12ELODgGvVB3H96b9qu+BadWtXW5JbtZPWsHitf3xaLhdZPEE= X-Virus-Scanned: Debian amavisd-new at localhost.localdomain Received: from turing.freelists.org ([127.0.0.1]) by localhost (turing.freelists.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3VGW1SXxO8sT; Thu, 5 May 2011 11:08:24 -0400 (EDT) Received: from turing.freelists.org (localhost [127.0.0.1]) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id AE23EE11AD4; Thu, 5 May 2011 11:07:40 -0400 (EDT) Received: with ECARTIS (v1.0.0; list oracle-l); Thu, 05 May 2011 11:06:59 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id AFE69E11B26 for ; Thu, 5 May 2011 11:06:58 -0400 (EDT) Authentication-Results: turing.freelists.org; dkim=pass (1024-bit key) header.i=@gmail.com Received: from turing.freelists.org ([127.0.0.1]) by localhost (turing.freelists.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2hsAwahUFGMo for ; Thu, 5 May 2011 11:06:58 -0400 (EDT) Received: from mail-pv0-f179.google.com (mail-pv0-f179.google.com [74.125.83.179]) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id A685DE11AC8 for ; Thu, 5 May 2011 11:06:52 -0400 (EDT) Received: by pvf33 with SMTP id 33so1000646pvf.10 for ; Thu, 05 May 2011 08:06:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=CB5rq8LYSR9nVC3zsaDAs9PUacZGa4uLvTUI+9UdLMM=; b=xDHfNCqIPXYyZ1AqX2Rn+3V/uZSXTcaXAP1JHWsLaXjLgyTnQRzLg5G5/LMbyKSb7y gzo4rCI1BargEnzEmrvWV677Sfz/IZLvbitfRAYi8tg99IHJA0cazkCOvo1hfLg4Y5h3 D5fNBX2oqukN5TyMmglmmGC3TyIPubg7o3NMM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=ZzK1EmAStET25vxAqKIrenUPPwErWk+zqQy3N4dxvsejgRQfEMyS8IdbVuBFX4U6rv 0igLgFmS0m2D8jJJn9osS5MuhgSPQvGS6UCk9LGF2TB7iICNTgT0or+8DCmfsDymK+yG JmPyen8bM5P8qWppNJuqCufrWlDLkKrLEe8sQ= Received: by 10.142.11.9 with SMTP id 9mr1288777wfk.243.1304608008318; Thu, 05 May 2011 08:06:48 -0700 (PDT) MIME-Version: 1.0 Received: by 10.143.158.7 with HTTP; Thu, 5 May 2011 08:06:28 -0700 (PDT) In-Reply-To: References: From: Jared Still Date: Thu, 5 May 2011 08:06:28 -0700 Message-ID: Subject: Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements To: Michael Wehrle Cc: Oracle-L Freelists Content-Type: multipart/alternative; boundary=000e0cd243d2e82f7104a288b805 X-archive-position: 36120 X-ecartis-version: Ecartis v1.0.0 Sender: oracle-l-bounce@freelists.org Errors-to: oracle-l-bounce@freelists.org X-original-sender: jkstill@gmail.com Precedence: normal Reply-To: jkstill@gmail.com List-help: List-unsubscribe: List-software: Ecartis version 1.0.0 List-Id: oracle-l X-List-ID: oracle-l List-subscribe: List-owner: List-post: List-archive: X-list: oracle-l --000e0cd243d2e82f7104a288b805 Content-Type: text/plain; charset=ISO-8859-1 On Wed, May 4, 2011 at 6:28 PM, Michael Wehrle wrote: > Jared, sorry about the link. It looks like they have since moved the Oracle > By Example series into an Apex site that uses Single Sign On. Go to > www.oracle.com/technetwork/tutorials/index.html, then click on the link at > the bottom to access the "learning library". Once you have logged in, you > can search for "Using Transparent Data Encryption for Database 10g Release > 2". > > Thanks, I will look for that. > As far as the patch, it was a one-off for my previous employer. And it took > lots of support calls, involving VP level and above, finally involving some > backline engineers to fix the problem. I am not sure what they would do if > you asked for the same patch, since its not publicly searchable. It never > hurts to ask about it though, since its truly a security issue for everyone, > that is not easily worked around. > > Have you tried this in 11g? It seems to me that failure to encrypt the data in AWR is a bug. Jared Still Certifiable Oracle DBA and Part Time Perl Evangelist Oracle Blog: http://jkstill.blogspot.com Home Page: http://jaredstill.com --000e0cd243d2e82f7104a288b805 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
On Wed, May 4, 2011 at 6:28 PM, Michael Wehrle <= span dir=3D"ltr"><michaelw436@g= mail.com> wrote:
Jared, sorry about the link. It looks like they have since moved the Oracle= By Example series into an Apex site that uses Single Sign On. Go to www.oracle.com/technetwork/tutorials/index.html, then click on the = link at the bottom to access the "learning library". Once you hav= e logged in, you can search for "Using Transparent= Data Encryption for Database 10g Release 2".


Thanks, I will look for that.
=A0
As far as = the patch, it was a one-off for my previous employer. And it took lots of s= upport calls, involving VP level and above, finally involving some backline= engineers to fix the problem. I am not sure what they would do if you aske= d for the same patch, since its not=A0publicly searchable. It never hurts t= o ask about it though, since its truly a security issue for everyone, that = is not easily worked around.


Have you tried = this in 11g?

It seems to me that failure to encryp= t the data in AWR is a bug.
=A0

Jared= Still
Certifiable Oracle DBA and Part Time Perl Evangelist
Oracle Blog: http://jkstill.blogspot.com
Home P= age: http://jaredstill.com
--000e0cd243d2e82f7104a288b805-- -- http://www.freelists.org/webpage/oracle-l