Kevin Loney tells the story of making a call to the data center from the CIO's office and asking them to make a copy of the backup tapes and leave them at reception. Since the call came from the CIO's office, they made the copy.

--- Pete Finnigan <[EMAIL PROTECTED]> wrote:
> Hi Peter
>
> Glad to hear that there are controls in Oracle for use of DUL, I was
> thinking of a case where I heard that one guy rang up the backup storage
> company for a large company and requested a set of backup tapes be left
> at reception at the company and he just walked in off the street and
> took them. Mitnick tells similar stories in his book.
>
> Thanks for the internal Oracle insight Peter,
>
> kind regards
>
> Pete
>
> In article <[EMAIL PROTECTED]>, Peter Gram
> <[EMAIL PROTECTED]> writes
> >Hi Pete
> >
> >I have used Dul many times at customer sites when I was employed by
> >Oracle Denmark.
> >
> >Every time the customer management had to verify by phone and fax that
> >they understood the full impact of using Dul.
> >
> >Oracle have a disclaimer that explains the problems with missing
> >transaction consistency of the data saved by Dul and the security issues.
> >
> >The customer has to sign and fax the disclaimer back to Oracle before we
> >came on site .-)
> >
> >After I left Oracle several people asked me if I would write a Dul and I
> >declined.
> >
> >I'm of the opinion that Dul should stay behind the Oracle firewall.
> >
> >/peter
> >
> >
> >Pete Finnigan wrote:
> >
> >>Hi Mark
> >>
> >>I agree with you Mark, even if it's supplied by Oracle technicians - it
> >>is as you say possible to by-pass security completely. Does anyone in
> >>Oracle check that the field support personnel dispatched to a site (in
> >>urgency) are dumping data for the owner of it?
> >>
> >>I covered the issue of DUL with regards to security in the SANS Oracle
> >>security step-by-step book - action 6.5.1
> >>
> >>kind regards
> >>
> >>Pete
> >>
> >>In article <[EMAIL PROTECTED]>, Mark Leith
> >><[EMAIL PROTECTED]> writes
> >>
> >>>One problem I see with giving this away "free" is that you will be supplying
> >>>a tool that allows you to extract data from the database, bypassing all
> >>>inbuilt security. A BIG "no no". I suppose that also applies to this kind of
> >>>tool even under a paid license structure.
> >>>
> >
>
> --
> Pete Finnigan
> email:[EMAIL PROTECTED]
> Web site: http://www.petefinnigan.com - Oracle security audit specialists
> Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Pete Finnigan
> INET: [EMAIL PROTECTED]
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).

--
Author: Rachel Carmichael
INET: [EMAIL PROTECTED]