(Re: “Capers Jones: Too many bugs are still reaching end users,”), the sad truth is that while too many developers and organizations fail to avail themselves of ready-to-hand bug remediation, we have a worse problem that goes unmentioned.

Many developers and organizations include flaws quite consciously to allow government intelligence and law enforcement (as well as other purported stakeholders, usually copyright and software-patent vigilantes) multiple layers of access to end-user systems. In a community propagandized to believe it is incapable in standard cases of producing functional products without potentially catastrophic defects, “bugs” provide ready deniability and misdirection on the uncomfortable subject of backdoors.

A few years back, prompted by repeated attacks on my own systems, I looked into exploits, backdoors, and the huge difficulties involved in defending networks against crime in a world driven around the bend by 9/11, with the thought that I would publish the results. What I found was astonishing. The level of industry and developer complicity in rendering our machines and networks defenseless was completely dispiriting.

Sadly, on a lot of machines, copyright jackals, government spooks, and gangsters from Eastern Europe all visit using the same protocols, the same exploits, and the same general code, give or take some sloppiness and repackaging. (Not to mention double translation to put investigators off the scent: It is common for all of the above to use a surface layer of Japanese, Thai or, above all, Chinese, only to find after reversing and extracting that all the important hidden stuff is in English and once in a while Russian.)

Which ones we call the criminals can be a matter of perspective. For me, they were all criminals—the spies and contractors, the software watchdogs, and the identity thieves and botnet resellers, each up to no good. And the ones who terminated my last machine were the ones you might least expect.

It is important to face these issues. Project leaders need to learn how remote exploits and backdoors work and how developers can introduce them. Organizations need to resist the urge to use them and to tolerate their introduction. The introduction of backdoors never ends well, and they never remain the domain of those who insist upon their presence.

The bad end is not often exposure to the public but rather the uptake of the tool by unintended parties. In particular, the American effort at total surveillance has been a disaster for national network security. But to know that, you need to be looking at “hidden” network traffic, which requires a bit of coding and decoding. Hence the non-news, but the consequences are everywhere, and developers need to look in the mirror.

Robert Callahan

Entity Framework puts SQL Server over MySQL
It’s features like Entity Framework (re: “Entity Framework and the evolution of data access,”) that set SQL Server out as being so feature-rich and worthwhile compared to MySQL. Don’t get me wrong, MySQL can be great, especially with all the internal configuration options available, not to mention the cost. SQL Server also has easily one of the best (if slightly buggy) administration console’s out there: SQL Server Management Studio.

United Kingdom