In the wake of the MySpooler worm that spread via weak MySQL passwords on Windows installations, database users criticized the open-source database for lax security lockdown on installation, saying that it should be held to the same high standards as trad
In the wake of the MySpooler worm that spread via weak MySQL passwords on Windows installations last week, database users criticized the open-source database for lax security lockdown on installation, saying that it should be held to the same high standards as traditional security whipping-boy Microsoft Corp.
Windows forces you to create an admin password when you install," one developer wrote in an e-mail. "Poor coding, security or thoughtlessness on the part of open-source developers should not be pooh-poohed. Defending [Microsoft] by blaming the user was laughed at by the arrogant technorati who band together behind open source; neither is it good enough for open source to hide behind it now."
MySpooler was a bot attack
launched against default Windows installations of MySQL that infected vulnerable systems at the rate of up to 100 per minute. It was halted after DNS (Domain Name System) service authorities shut off access
to IRC servers controlling the worm.
One MySQL user, George Michel, a programmer/analyst for the Yale Center for Medical Informatics at Yale University in New Haven, Conn., said MySQL is getting ever more polished in subsequent versions.
But he said MySQL AB
the company that develops and markets the MySQL code under a dual-licensing structure
should lock down installs in order to prevent root account passwords.
"I guess now they will have to pay more attention to these harmless installs by making sure the application wizard forces them to change roots passwords," Michel said.
Database Topic Center Editor Lisa Vaas says we must educate downloaders of free software who are naive about security. Read more here.
Zack Urlocker, vice president of marketing at MySQL AB, based in Uppsala, Sweden, defended the companys zeal for all things security-related, including the default-password issue, which has actually been addressed in versions 4.1 and later.
"We already put some of this in place with 4.1," Urlocker said. "You have to go out of your way not to change the root password. The fixes in 4.1 look at these issues, [but] theyre like seatbelts.
"Weve got seatbelts on a car, and we want users to use them.
But [when it comes to] people who dont want them on, should we automatically put them on for them? Thats the balancing issue."
Next Page: Some users say MySQL should be locked down by default.