Brett - A Webmaster would have to be a low-grade moron to run SQLServer on an internet connection with no sa password.

Interesting to know of the problem though, as I have SQLServer running on my servers.

We just recently got a linux firewall running, so at first, I got worried our system was going to need more shots...after reading the end of the article, though, I breathed a little easier. It's almost hard to believe this is happening...

Will Micro$oft ever actually change their ways? I think they'll have to be forced into it, and won't do it voluntarily...

What? Are you kidding? Be responsible for the integrity of their product? No way.

With all respect, Microsofts server problems are not Breaking Search Engine News.
I think it should fall under Web Site Technology Issues.
We should not confuse demand with delivery.

I guess a new MS virus isn't news worthy anymore anyhow.

just got attacked by SirC32.exe at work (slowly destroys 98), luckily enough, only clients are win OS, started formatting them, shall have it completely irradicated next weekend, moving all systems onto w2k.

<rant>I just don't get these people at M$. Don't they care that the products they make are not secure or are they just dumb? I'm not a software programmer but it seems to me with all the people working at M$ they could test the products more before they are released. Why don't they hire some hackers or teach their own people how to hack to test the stuff? The latest bug in Internet Explore was the last straw for me. I mean gee wiz, they are on 6.0 get it right the first time! Glad I did not have to pay for that bug ridden piece of junk. Well I got the patch but from now on the browsers I will use are Opera and Netscape :)</rant>

Son_House said: "<rant>I just don't get these people at M$. Don't they care that the products they make are not secure or are they just dumb?"

<rant>I just don't get these people at United Airlines. Don't they care that the flights they make are not secure or are they just dumb?

The logic of the rant against United Airlines is just as illogical as the rant against Microsoft.

Why are we not mounting the same kind of effort against the cyber-terrorist that we are mounting against the terrorist?

Both United Airlines and Microsoft are victims in my opinion.

Son_House said: "Why don't they hire some hackers"

Why doesn't United Airlines hire Osama bin Laden?

Same logic isn't it?

cyril_kearney > The logic of the rant against United Airlines is just as illogical as the rant against Microsoft.

I think it is plain for everyone to see that there was more that United Airlines could have been doing. Almost every week there is a new security problem with a M$ product. When will they learn? How many more will it take?

cyril_kearney > Why are we not mounting the same kind of effort against the cyber-terrorist that we are mounting against the terrorist?

Ask billon dollar Bill. If he could start making secure products, that would be a big step in the right direction.

cyril_kearney > Both United Airlines and Microsoft are victims in my opinion.

M$ are a bunch of slackers. What ever happened to taking pride in your work and doing it right the first time? How many years of programming does Mr. Gates have under his belt? 20+? Then how come a 13 year old can hack M$ products? Didn't he learn anything about secruity in those 20+ years? He uses people who use his products as human guinea pigs. M$ sells/gives their garbage to the public and waits for the hackers to find the holes. Then they fix what they were to lazy to do in the first place.

cyril_kearney > Why doesn't United Airlines hire Osama bin Laden?

Who knows more about terrorism than a well trained terrorist? The point I was trying to make about M$ hiring some hackers is who knows more about hacking M$ products than a hacker. I'm sure if Mr. Bill waved some $$$ at them, he could get some to sell their soul to the beast (M$). It is amazing what people will do for $$$.

First and foremost, this isn't a Microsoft IIS exploit. This is a SQL Server exploit. Fine. So it sets up a blank sa password. So some of their product design including security isn't flawless. We work around these kinds of challenges everyday. Why couldn't a piece of JavaScript code work similarly across every browser. It's not rocket science, but sh*t happens. I wish people would stop whining about Microsoft. I don't support them more over any other company. But I certainly don't whine about their products, every product has a limitation, a hole, a useless function, get over it and get on with it.

I have only installed Oracle 8i once. To the best of my rememberance it used a default system¦manager password.

It has been a while since I installed the Redhat version of Linux but again I remember it too has a defualt password.

The Microsoft SQL Server install allows a blank password as the default. To accept it you must check a box and view a warning message. I am more sure this is true on 6.0, 6.5 and 7.0 and think I am right on 2000 too.

Now if a manufacturer sells you a pre-hung door with a lock and you choose not to lock that door, who is responsible if a thief enters and steals something?

Yes, the criminal is the one responsible not the door manufacturer. You might be careless for not locking the door but it is the criminal that STOLE. You are not responsible for HIS theft. He goes to jail NOT you.

Now if the District Attorney tried to prosecute the head of the company that manufactured the door, the case would be thrown out.

I think jailing the thief is better advice than hiring him. Now I do accept that making a pact with the devil sometimes works.

However, this time I think a sharp PR person at a security company has turned the industry practice of default passwords into a great way to get free publicity for his product.

Well said cyril/techie.

I read an article over the weekend that talked about the recent comments Gartner made to the effect that we should all ditch Microsoft products (I also remember Brett's posting on this a few weeks ago).

As the author said, what do Gartner/anti-MS zealots recommend that all those computer professionals with 10-15 years working with MS products do? Throw away all their experience?

Sure, MS products could have better security (although as someone already mentioned, in this case the vulnerability will only be present if the db admin is incompetent). Then again, at least MS do something about the issue with security patches, etc.

By contrast, how long have people been campaigning for things like better public transport and aid for third world countries?

Let's get it in perspective.

hi, a few comments if you dont mind ..
First, I find the debate a bit sidetracked. M$ is a business monster and it's only that. How come nobody complains about knowing the release date of W2k almost 10 months before the release ?!?. Every coders around knows it's impossible to be as precise as that. But when the schedule says "it's time" the release is done. And several weeks later we see a SP1 correcting 65000 bugs !!!!.
Now, it's not a novelty form M$. We get to know them since it's more or less been the same since the very earlier versions of Windows.
What's really wrong is that you actually have to _pay_ M$ products !, which, according to the docs, are supposedly safe .. but are not. Next, if you want a safe system? , get OpenBSD. A good http server ?, get Apache, etc. . All these are reported to be working correctly, free, updated frequently and FREELY. Or if the word "free" is not in your vocabulary, go buy yourself SunOS/Solaris. Of course, there's not much fancy windows, but is it the point ?. you're a professional ?, get professional tools and that's it. Stop toying and then, stop complaining. you got what you paid for.

Sylvain Chipaux

(edited by: Marcia at 11:36 pm (gmt) on Nov. 27, 2001)

Ahh yes... now you've brought up a whole different issue. Professionalism. Let me sum it up by saying this: what makes a professional a professional? Either I can sit here and complain about MS being a monster and go find some alternative software that claims to be in "working" order; or I can accept the fact that I have to use them because it's been dictated to me, my company isn't going to invest in anything else, how am I going to deal with the challenges? I believe I can be more of a professional for realizing MS stuff ain't quite perfect, but I overcame that and I can be proud of that.

It is incredible how arrogant M$ is.

In these days there was an interesting article in the Italian newspapers.

A former italian President "Francesco Cossiga" installed in his office the new Windows XP. It didn't work as supposed and he wrote a letter of complaint directly to Bill gates.

The "efficient" M$ technicians needed two days to find how to solve the problem.....

The former President is a VIP.

Think about our common people: did you try to get in touch with their technicians?

First of all they want to collect any information from you, several times; I think that next time they will ask me my if my blood is A+ or AB etc.

After that they want to know if the motherboard and any installed card is Microsoft certified; if anything comply with the MS rules they suggest to format and reinstall the system; finally, if you do not solve the problem, in most of the cases the responsible is the hardware manufacturer....

I have a dream... Linux!!

I don't buy all this "get yourself a real OS" stuff. If *NIX p***es all over Windows AND free, why is it that 90 whatever percent of the world still uses MS server software AND pays for it?!

The fact is, hating MS for being a large corporation is a different issue to the security of their products. The fact is, MS charge for their software because giving it away is not an effective business model.

ANY system, when administered by someone who doesn't know what they are doing, is not going to be secure. A competent administrator who knows what (s)he is doing will get the job done, whatever the OS.

Code Red is a perfect example. The problem was known to MS, the patches were available weeks before the event and still thousands of servers got infected. The only reason for this was incompetence/laziness on the part of the administrators.

>Code Red is a perfect example. The problem was known to MS, the patches were available weeks before the event and still thousands of servers got infected. The only reason for this was incompetence/laziness on the part of the administrators>

Whit a difference: If a car manufacturer discovers a defect in the car, usually it acts to update (to recover) old sold car and NEW car ready for clients.

You can still find in a shop some Windows ME ready to be sold with all the defects.
Not expert people trust in what they buy and do not know how to upgrade patching.

A so big company like M$, considering the prices they ask, should give you the ultimate product: they shouldn't permit to sell products that have to be patched!!!! The price of the CD and packaging is nothing: they should substitute old products in shelves before selling it.

I think there is a misconception. Why is it that everyone thinks MS knows there are bugs in their software? Case and point: I am Web Programmer. I develop products all the time that when it goes through Q/A nothing is wrong at all. Lo and behold 1 or 2 weeks later, someone has figured out a way to break my script. Does that mean I'm a bad programmer? No. Does that mean I did the market an injustice? No. If a product was flawless, think about the implications. Am I suggesting now that people develop crappy products? No. All I'm saying is everyone is so anti-Microsoft that their minds are clouded and any logic disappears.

techie is right again.

I have yet to see a new software product for any system that shipped bug free. The old adage is that "the only good code is old code" and this is true whoever writes it, no matter how much testing it goes through.

I have tried Unix, Linux et al and without exception, every single one has suffered from numerous bugs.

There are generally patches available for *nix straight away, but how is Microsoft any different? Their patches are available promptly and free of charge.

The fact that old versions of Windows are still available in shops is again no different from any other OS. Otherwise, how else could I have picked up RedHat 6.1 a couple of months ago (and - shock horror - paid for it). How can any company that ships millions of product copies worldwide be expected to recall them all when they discover a few minor bugs? Get real. Anyway, there are plenty of cars on sale that are not fit to be on the road. I don't know about you, but I'd much rather have my hard disk die that the brakes on my car.

I develop products all the time that when it goes through Q/A nothing is wrong at all. Lo and behold 1 or 2 weeks later, someone has figured out a way to break my script. Does that mean I'm a bad programmer?

No, it only means that you produce more complexity that you can handle... ;)

This is very often hard to avoid, even though people have sought to develop methods to get the problem under control (incidentally, one of those methods is called "XP programming"!) The smart thing to do in that situation, is to make the software (or its submodules) as simple as possible, given the desired functionality.

On the other hand, Microsoft has a track record of making their software, modules, and protocols much more complicated than functionally necessary. This happens mainly for three reasons:

• They are trying to keep the competition from interacting with their products. This is most obviously the case for the SMB networking protocol vs. the Samba server software, but that's by far not the only example.
  
• Their marketing department demands more "features" that nobody actually uses, but can be bragged about in their selling pitch.
  
• The same marketing department demands that the software be perfectly easy to use for a perfect idiot.
  

The developers confronted with those demands are fighting an uphill battle, but have no choice than to implement them somehow. It is not difficult to show that most of the problems mentioned in this thread and elsewhere are direct consequences of this struggle. It's not that the engineers at MS wouldn't be able to write robust software, they have some extremely brilliant folks there, after all. They're simply not given the chance to do so.