Date: Thu, 5 May 2011 15:00:19 -0400
Message-ID: <BANLkTikoB50bj4+S2NXjNL6rHOZ3q=6wDg@mail.gmail.com>
Subject: Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements
From: Michael Wehrle <michaelw436@gmail.com>
To: Jared Still <jkstill@gmail.com>
Cc: Oracle-L Freelists <oracle-l@freelists.org>

Jared, I have not tested this issue in 11g. I agree that it should have
been identified as a bug once Oracle decided to give us a one-off patch.
It's possible that it was quietly fixed in the latest versions.

On Thu, May 5, 2011 at 11:06 AM, Jared Still <jkstill@gmail.com> wrote:

> On Wed, May 4, 2011 at 6:28 PM, Michael Wehrle <michaelw436@gmail.com> wrote:
>
>> Jared, sorry about the link. It looks like they have since moved the
>> Oracle By Example series into an Apex site that uses Single Sign On. Go to
>> www.oracle.com/technetwork/tutorials/index.html, then click on the link
>> at the bottom to access the "learning library". Once you have logged in, you
>> can search for "Using Transparent Data Encryption for Database 10g
>> Release 2".
>>
>>
> Thanks, I will look for that.
>
>
>> As far as the patch, it was a one-off for my previous employer. And it
>> took lots of support calls, involving VP level and above, finally involving
>> some backline engineers to fix the problem. I am not sure what they would do
>> if you asked for the same patch, since it's not publicly searchable. It never
>> hurts to ask about it though, since it's truly a security issue for everyone,
>> that is not easily worked around.
>>
>>
> Have you tried this in 11g?
>
> It seems to me that failure to encrypt the data in AWR is a bug.
>
>
> Jared Still
> Certifiable Oracle DBA and Part Time Perl Evangelist
> Oracle Blog: http://jkstill.blogspot.com
> Home Page: http://jaredstill.com
>

--
http://www.freelists.org/webpage/oracle-l


