Monday, January 01, 2007

Some observations over the last few weeks

This is a multi-entry post dealing with three points:
a) the Dizwell site. As most of you already know, Howard Rogers decided to shut down his Dizwell site, citing time constraints and also frustration with readers who seem either unable to follow directions or to be demanding that they be spoon-fed knowledge while refusing to learn or experiment on their own. Several posts by other bloggers indicated that HJR had a change of mind and decided to bring back Dizwell (and I sincerely hope he does, as it is a very valuable source of Oracle information for the Oracle community), but when I last looked it was still unavailable, although instead of a "Page not found" error I got the following.


It seems that the error page also displayed the password used (erased in my picture), which I think is a security breach: if the error occurred not because of an invalid password but because of some other misconfiguration, then Drupal has in essence just handed out the keys to whatever is in the MySQL database.

b) Oracle password hashes. David Litchfield has posted an entry to freelist containing C code which demonstrates that it is possible to recover Oracle passwords if you know the hashed passwords (stored in DBA_USERS) and the associated AUTH_SESSKEY and AUTH_PASSWORD obtained by sniffing the packets on the network. Thanks to Paul Wright for pointing out the entry. I have yet to try out Litchfield's code to verify it, but if it holds, the hashed passwords stored within the database have to be protected and access to them restricted. The question is how, and what the impact would be.
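The first step in answering "how" is knowing who can read the hashes at all. The query below is an added example (it is not from the post or from Litchfield's code) that lists every grantee who can read DBA_USERS or the underlying SYS.USER$ table, which is what an attacker with a sniffed AUTH_SESSKEY/AUTH_PASSWORD pair would need. It assumes you run it as a DBA on a 10g-era database where DBA_USERS still exposes the PASSWORD column; the view and role names are standard Oracle ones.

```sql
-- Added audit query: who can read the stored password hashes?
-- DBA_USERS is built on SYS.USER$, so the hashes are visible to anyone holding
-- the DBA role, SELECT_CATALOG_ROLE, the SELECT ANY DICTIONARY system privilege,
-- or a direct SELECT grant on either object.
SELECT grantee, 'ROLE: ' || granted_role            AS access_path
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'SELECT_CATALOG_ROLE')
UNION ALL
SELECT grantee, 'SYSPRIV: ' || privilege
  FROM dba_sys_privs
 WHERE privilege = 'SELECT ANY DICTIONARY'
UNION ALL
SELECT grantee, 'OBJECT: ' || owner || '.' || table_name
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('USER$', 'DBA_USERS')
   AND privilege = 'SELECT'
 ORDER BY 1, 2;

-- If this parameter is TRUE, SELECT ANY TABLE also reaches SYS.USER$;
-- it should be FALSE (the default since 9i) on any database you care about.
SELECT name, value
  FROM v$parameter
 WHERE name = 'o7_dictionary_accessibility';
```

Two caveats when reading the output: roles can be granted to roles, so a grantee that appears only as a role name needs its own members resolved through DBA_ROLE_PRIVS, and the list is a snapshot of grants, not of what has actually been queried. To see who has actually read the hashes you need auditing on SYS.USER$ (AUDIT SELECT ON SYS.USER$ BY ACCESS) and a look at DBA_AUDIT_OBJECT afterwards.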

c) There is a new blog called OracleBrains whose aim is to provide a source of Oracle information. I applaud the intention, but I find it lacking in that it seems to restate material that is already in the Oracle documentation, and a lot of the posts do not explain why but only show how, which is dangerous, as certain things/changes should only be attempted after verification and under certain conditions. For example, their post on Oracle roles did not explain why you would get an error after you have switched role within your session, and I could not be bothered to leave a comment on their blog as it required logging in with a WordPress account (another account to track). I for one am puzzled by their comment setup, as it seems to refer back to the posting instead of showing the comments left by the readers, and the folks at OracleBrains post responses to these comments as another blog entry, which is confusing as anything since you are now trying to follow multiple postings dealing with the same subject/topic. Now this entry is not meant to criticize OracleBrains but to suggest some improvements, as I am for more Oracle resources being available on the Internet.
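Since the "why" is the part that was missing, here is an added walk-through of the error you get after switching roles. This is my own constructed example, not the OracleBrains post or any Oracle documentation script: the user DEMO_USER, the roles RPT_ROLE and HR_ROLE, and the tables APP.SALES and APP.SALARIES are all made up for the demo. The point it shows is that SET ROLE replaces the set of roles enabled in the session rather than adding to it, so privileges that arrived through any role you did not name disappear, and Oracle reports the table as non-existent rather than as not permitted.

```sql
-- Added example: why "switching role" makes a previously working query fail.
-- Setup, run as a DBA (all names constructed for this demo):
CREATE ROLE rpt_role;
CREATE ROLE hr_role;
GRANT SELECT ON app.sales    TO rpt_role;
GRANT SELECT ON app.salaries TO hr_role;
GRANT rpt_role, hr_role TO demo_user;   -- both become default roles, enabled at logon

-- Now connected as DEMO_USER:
SELECT role FROM session_roles;          -- lists RPT_ROLE and HR_ROLE
SELECT COUNT(*) FROM app.sales;          -- works: privilege comes via RPT_ROLE
SELECT COUNT(*) FROM app.salaries;       -- works: privilege comes via HR_ROLE

-- "Switch" to HR_ROLE. This enables ONLY the roles named; RPT_ROLE is disabled.
SET ROLE hr_role;
SELECT role FROM session_roles;          -- now lists HR_ROLE only
SELECT COUNT(*) FROM app.salaries;       -- still works
SELECT COUNT(*) FROM app.sales;          -- ORA-00942: table or view does not exist
                                         -- Oracle hides objects you cannot see at all,
                                         -- and the only path to APP.SALES was the
                                         -- role that SET ROLE just switched off.

-- To keep RPT_ROLE while enabling HR_ROLE, name both, or re-enable everything:
SET ROLE rpt_role, hr_role;
SET ROLE ALL;                            -- every default role granted to the user
SELECT COUNT(*) FROM app.sales;          -- works again
```

The same mechanism is behind the other classic surprise with roles: a definer's-rights stored procedure runs with roles disabled, so a SELECT that works interactively can raise PLS-00201 or ORA-00942 inside PL/SQL until the privilege is granted directly to the owner rather than through a role. That is the "under certain conditions" part that a how-only post leaves out.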

5 comments:

Freek said...

The dizwell site is back again. Probably the error was due to some misconfiguration or something like that.

But I have seen the error page myself and I am wondering if it really showed the password and not only a message that a password was present?

Regards

Freek

Peter K said...

Freek, you could well be right. I've not considered that it might be just an indicator.

Good to know that Howard is bringing Dizwell back.

APC said...

I agree with you about the Oracle Brains blog. I have been tracking it as Raj Singh publicized it on the OTN forums, which showed initiative. Recently they seem to have taken my advice about demonstrating their points with code examples rather than just parroting the documentation. But they do still seem to be skimping on the investigative side of things. That's why I wrote a blog piece on SQL%NOTFOUND.

The need for an account before we can comment is annoying. It isn't even just a WordPress account. I have a WordPress account but I still can't comment on their blog. So I guess an actual Oracle Brains account is required.

Cheers, APC

Don said...

Peter you've disabled comments on your blogroll post, and I just wanted to note that you added an extraneous "d" to Bruce Schneier's last name.

Peter K said...

Thanks Don, I've corrected the typo.

The disabling of comments for the "Blog Roll" entry was deliberate as I didn't think it would need commenting, but wouldn't you know it, typos and misspellings had to go "ruin" it.