"Even … Windows forces you to create an admin password when you install," one developer wrote in an e-mail. "Poor coding, security or thoughtlessness on the part of open-source developers should not be pooh-poohed. Defending [Microsoft] by blaming the user was laughed at by the arrogant technorati who band together behind open source; neither is it good enough for open source to hide behind it now."
MySpooler was a bot attack launched against default Windows installations of MySQL that infected vulnerable systems at the rate of up to 100 per minute. It was halted after DNS (Domain Name System) service authorities shut off access to IRC servers controlling the worm.
One MySQL user, George Michel, a programmer/analyst for the Yale Center for Medical Informatics at Yale University in New Haven, Conn., said MySQL is getting ever more polished in subsequent versions.
"I guess now they will have to pay more attention to these harmless installs by making sure the application wizard forces them to change roots passwords," Michel said.
Zack Urlocker, vice president of marketing at MySQL AB, based in Uppsala, Sweden, defended the companys zeal for all things security-related, including the default-password issue, which has actually been addressed in versions 4.1 and later.
"We already put some of this in place with 4.1," Urlocker said. "You have to go out of your way not to change the root password. The fixes in 4.1 look at these issues, [but] theyre like seatbelts.
"Weve got seatbelts on a car, and we want users to use them. … But [when it comes to] people who dont want them on, should we automatically put them on for them? Thats the balancing issue."