Over the past few weeks, I've received a ton of email and comments in response to my argument that those who produce slipshod code should be held legally accountable when damage results. Although I generally don't like to feed the trolls, many of the responses I received fit a certain pattern, so I thought I'd take this opportunity to clear the air -- and offer a challenge to readers.
One of the most common reactions to my appeal for accountability is that any type of government regulation is a horrible, terrible thing. I was called a "liberal" in some comments and far worse in email. First, why do some people seem to think that "liberal" is an epithet? Second, I hate the "nanny state" concept and generally lean toward the Republican side of things. (Well, I did before the Republican party turned into a clown car. I'm an Eisenhower Republican.)
Regular readers of this blog know how much time I've spent railing that the law and legislatures just don't get technology and how detrimental that fact is to IT. Read anything I wrote about the Terry Childs case for umpteen examples. If anyone out there understands just how much the law needs to catch up to technology, it's Terry. Nonetheless, I don't think that companies can continue to store sensitive personal information in the digital equivalent of a wet paper bag without penalty.
I'll put it to you this way: While the government can definitely do the wrong thing (you need look no further than the debt ceiling circus), it can also do things very right. Personally, I like the fact that I don't have to take my life in my hands when I buy a steak from the store. Thanks, USDA!
So while I'm no fan of government interference and stifling regulation, something must be done. It's clear this isn't going to take care of itself.
And that segues to my second point. Many people commented on how storing hashed strings is barely more secure than plain text. Many even pooh-poohed using several levels of hashing. To them, and to anyone, I hereby issue a challenge.
Observe this string:
It's a hash generated by MySQL using one of any number of hashing methods. The challenge is not to crack it -- heck, the original string is accountablecode. No, the challenge is to tell me how it was hashed. MD5? SHA1? Multiple passes? Is there a salt? Go for it. I've even given you clues in the past few columns if you know where to look. If you manage to figure it out, post the method in the comments, along with how long it took you to work it out.
The whole idea of this exercise is to show how painfully simple it is to wrap security around sensitive information in modern programming languages. No developers worth their salt (pun intended) should think otherwise. That we're even having this discussion illustrates the sad fact that there are many people now in software development who should really find other work.
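To make the puzzle concrete, here is an added example (not code from the column) of how a reader would actually go about answering "how was it hashed?" in Python: it mimics MySQL's MD5(), SHA1(), SHA2() and PASSWORD() functions, enumerates a handful of plausible constructions (single pass, nested passes, salt before or after the plaintext), and checks which one reproduces a given digest for the known plaintext. The plaintext is the one given above; the list of constructions, the salt positions and the four-digit numeric salt in the demonstration are assumptions made for this illustration, not clues from the column.

```python
"""Added example: which MySQL hash construction reproduces a digest for a
known plaintext?  Not code from the original column.  The plaintext is the
one the column gives; the constructions and salt guesses are assumptions."""
import hashlib
import itertools
import string

PLAINTEXT = "accountablecode"  # the known input, stated in the column


# --- Mimics of MySQL's built-in hash functions -----------------------------
def md5hex(text: str) -> str:
    """MySQL MD5(): 32 lowercase hex characters."""
    return hashlib.md5(text.encode()).hexdigest()


def sha1hex(text: str) -> str:
    """MySQL SHA1(): 40 lowercase hex characters."""
    return hashlib.sha1(text.encode()).hexdigest()


def sha2hex(text: str, bits: int = 256) -> str:
    """MySQL SHA2(str, bits): 56/64/96/128 hex characters for 224/256/384/512."""
    algo = {224: "sha224", 256: "sha256", 384: "sha384", 512: "sha512"}[bits]
    return hashlib.new(algo, text.encode()).hexdigest()


def mysql_password(text: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + UPPER(SHA1(UNHEX(SHA1(str))))."""
    inner = hashlib.sha1(text.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# --- Constructions a developer might plausibly have used (assumed list) ----
# Each label maps to a function of (plaintext, salt); unsalted ones ignore salt.
CONSTRUCTIONS = {
    "MD5(x)": lambda x, s: md5hex(x),
    "SHA1(x)": lambda x, s: sha1hex(x),
    "SHA2(x,256)": lambda x, s: sha2hex(x, 256),
    "MD5(MD5(x))": lambda x, s: md5hex(md5hex(x)),
    "MD5(SHA1(x))": lambda x, s: md5hex(sha1hex(x)),
    "SHA1(MD5(x))": lambda x, s: sha1hex(md5hex(x)),
    "PASSWORD(x)": lambda x, s: mysql_password(x),
    "MD5(CONCAT(salt,x))": lambda x, s: md5hex(s + x),
    "SHA1(CONCAT(x,salt))": lambda x, s: sha1hex(x + s),
    "MD5(SHA1(CONCAT(salt,x)))": lambda x, s: md5hex(sha1hex(s + x)),
}


def fingerprint(digest: str) -> list:
    """What the output alone tells you: only the family of the OUTER hash."""
    if digest.startswith("*") and len(digest) == 41:
        return ["PASSWORD() (MySQL 4.1+)"]
    if not all(c in string.hexdigits for c in digest):
        return ["not a plain hex digest"]
    return {32: ["MD5 family"], 40: ["SHA1 family"], 64: ["SHA2-256"],
            96: ["SHA2-384"], 128: ["SHA2-512"]}.get(len(digest), ["unknown length"])


def identify(digest: str, plaintext: str, salts=("",)) -> list:
    """Return every (label, salt) pair whose output equals the digest.

    With the plaintext known, "how was it hashed?" is just a search over
    constructions x salt guesses; an unknown, long salt is what makes it hard."""
    hits = []
    for salt in salts:
        for label, fn in CONSTRUCTIONS.items():
            if fn(plaintext, salt) == digest:
                hits.append((label, salt))
    return hits


def numeric_salts(digits: int):
    """Constructed salt guesses: every numeric string of the given length."""
    return ("".join(t) for t in itertools.product(string.digits, repeat=digits))


if __name__ == "__main__":
    # Constructed target: salted, double-hashed, with an assumed 4-digit salt.
    target = CONSTRUCTIONS["MD5(SHA1(CONCAT(salt,x)))"](PLAINTEXT, "4711")
    print(target, fingerprint(target))                     # length says only "MD5 family"
    print(identify(target, PLAINTEXT))                     # no hit without the salt
    print(identify(target, PLAINTEXT, numeric_salts(4)))   # found after <= 10,000 salts
```

The output by itself gives away only the outer function's family (digest length, or the leading `*` of PASSWORD()). Nested passes and a salt are recovered only by guessing them, so with a known plaintext the work is roughly constructions times salt guesses, each a fast hash: a four-digit numeric salt falls in a fraction of a second on a laptop, and an empty salt is indistinguishable from no salt at all. That is the caveat behind the commenters' objection, and it is why purpose-built password hashes (bcrypt, scrypt, PBKDF2, Argon2), which make every guess expensive and store a long random salt per record, are what practitioners recommend over nesting MD5 and SHA1 by hand.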
That said, no matter how necessary, I highly doubt that this type of regulation will be enacted in the next decade. The antiregulatory fervor is too pervasive.
I hereby step off the soapbox and return to our regularly scheduled blogging. And when you figure out this week's puzzler, let me know.
This story, "The last word on app dev accountability -- and a reader challenge," was originally published at InfoWorld.com. Read more of Paul Venezia's The Deep End blog at InfoWorld.com.