Re: Public announcements of SQL Security Vulnerabilities

From: BP Margolin (bpmargo@attglobal.net)
Date: 08/02/02


From: "BP Margolin" <bpmargo@attglobal.net>
Date: Fri, 2 Aug 2002 14:15:18 -0400


Neil,

> You mean no-one has tried yet?

I think the EULA pretty much prevents it :-)

> But the worst you could blame the original programmer for is incompetence.
> The hacker is actually trying to cause damage/harm to data/systems/network.

I understand the difficulty of programming without errors ... you should see
some of the code I've put into production ... on second thought, NO, you
shouldn't see some of the code I've put into production ;-)

But re: incompetence ... ever hear of a medical malpractice suit? There are
standards for competence in other fields. I'm not saying that I would
necessarily like to have one put into law for programmers, but
"incompetence" is not really a good excuse, IMHO. If a doctor
"damaged/harmed" a member of your family through incompetence, not via
intent, would it really matter to you? To sorta continue the medical
analogies here ... IMHO, better to treat the root cause ... the original
security holes in MS code ... rather than just try to treat the symptoms
(the hackers).

And I applaud MS for getting to a point of understanding that they have to
do a better job.
I was simply disappointed in Hal that he, as an MS person, seemed to still
be at a point where he was unwilling or unable to accept that the ultimate
responsibility lies with MS to produce code that does not have security
holes. That was the attitude of MS that got them into this "mess" in the
first place. Now that MS has "owned up" to the fact that it is their
responsibility to create secure code, I would have hoped that that attitude
had penetrated the ranks as well :-(

BPM

"Neil Pike" <neilpike@compuserve.com> wrote in message
news:VA.00005d68.005038f3@compuserve.com...
> BP,
>
> > I'm sorry, but I just have to respond to your post ;-(
>
> And I'll come back on yours ;-)
>
> > I wonder how Microsoft would feel if every time that a virus exploits a hole
> > in one of their products, MS customers around the world sued Microsoft.
>
> You mean no-one has tried yet?
>
> > The reason that's it's "not easy" to sue the hackers is because the code
> > with the flaw was written by Microsoft, not by the hacker.
>
> But the worst you could blame the original programmer for is incompetence.
> The hacker is actually trying to cause damage/harm to data/systems/network.
>
> I seriously doubt that most hackers would be able to pay any significant
> damages/costs even if sued - they certainly aren't going to have professional
> insurance!
>
>
> Neil Pike MVP/MCSE. Protech Computing Ltd
> Reply here - no email
> SQL FAQ (484 entries) see
> http://forumsb.compuserve.com/gvforums/UK/default.asp?SRV=MSDevApps
> (faqxxx.zip in lib 7)
> or www.ntfaq.com/Articles/Index.cfm?DepartmentID=800
> or www.sqlserverfaq.com
> or www.mssqlserver.com/faq
>