MySQL Criticized in Wake of MySpooler Worm

 
 
By Lisa Vaas  |  Posted 2005-02-04 Email Print this article Print
 
 
 
 
 
 
 

In the wake of the MySpooler worm that spread via weak MySQL passwords on Windows installations, database users criticized the open-source database for lax security lockdown on installation, saying that it should be held to the same high standards as trad

In the wake of the MySpooler worm that spread via weak MySQL passwords on Windows installations last week, database users criticized the open-source database for lax security lockdown on installation, saying that it should be held to the same high standards as traditional security whipping-boy Microsoft Corp. "Even … Windows forces you to create an admin password when you install," one developer wrote in an e-mail. "Poor coding, security or thoughtlessness on the part of open-source developers should not be pooh-poohed. Defending [Microsoft] by blaming the user was laughed at by the arrogant technorati who band together behind open source; neither is it good enough for open source to hide behind it now." MySpooler was a bot attack launched against default Windows installations of MySQL that infected vulnerable systems at the rate of up to 100 per minute. It was halted after DNS (Domain Name System) service authorities shut off access to IRC servers controlling the worm.
One MySQL user, George Michel, a programmer/analyst for the Yale Center for Medical Informatics at Yale University in New Haven, Conn., said MySQL is getting ever more polished in subsequent versions.
But he said MySQL AB—the company that develops and markets the MySQL code under a dual-licensing structure—should lock down installs in order to prevent root account passwords. "I guess now they will have to pay more attention to these harmless installs by making sure the application wizard forces them to change roots passwords," Michel said. Database Topic Center Editor Lisa Vaas says we must educate downloaders of free software who are naive about security. Read more here.
Zack Urlocker, vice president of marketing at MySQL AB, based in Uppsala, Sweden, defended the companys zeal for all things security-related, including the default-password issue, which has actually been addressed in versions 4.1 and later. "We already put some of this in place with 4.1," Urlocker said. "You have to go out of your way not to change the root password. The fixes in 4.1 look at these issues, [but] theyre like seatbelts. "Weve got seatbelts on a car, and we want users to use them. … But [when it comes to] people who dont want them on, should we automatically put them on for them? Thats the balancing issue." Next Page: Some users say MySQL should be locked down by default.



 
 
 
 
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel