It's time to make poor coding a felony

Are you responsible for horrible code that's allowed millions of user accounts to be compromised? Go directly to jail

1 2 Page 2
Page 2 of 2

I think it's high time that this level of technical absurdity be punishable by law. The company and employees directly responsible for constructing code so poorly that it stores plain-text passwords of millions of users and can apparently be compromised at will should, at the very least, be fined a vast amount, with some portion of that money going to each possibly affected user and the rest used to assist in addressing identity theft problems that will inevitably appear following a breach. If I had my way, there would also be mandatory loss of employment and possible jail time involved for those whose unspeakably poor decisions led to this event. Simply being on the receiving end of a server or network hack isn't what I'm talking about -- it's designing a system that stores such sensitive information so poorly that should be thought of as criminally negligent behavior.

Let's reframe this a bit. Suppose that a developer sneaks a function into a Web portal that snoops a user's name, email address, and plain-text password during the registration process and then stores this information somewhere. Suppose that the portal itself is designed well enough that the password is hashed before being stored, but this little function call also stores it in plain text. Suppose that the site is cracked and the plain-text database downloaded and paraded around the Internet. Odds are that the developer who snuck that function into the site would not only be fired, but he or she would probably be arrested for corporate sabotage or similar crimes and face fines and jail time.

The only difference between this hypothetical situation and what actually happened with Universal Music and a host of other sites is that instead of having a bad actor slip code into a solid design, these developers actually designed their code to function this way. They did it on purpose. That should actually be considered a far worse crime than the developer who snuck in the function. Incompetence is no defense, doubly so in this case.

But I highly doubt we'll see anything of the sort, and definitely not soon. If Anonymous and the various other hacktivist groups continue on their path of exploiting horribly implemented code, all we'll get are more regretful press releases and the occasional person who might fall on their sword and quit. It's not enough. It's not nearly enough.

I say throw the book at the ones who allow these breaches to happen. Maybe then they'll realize exactly how critical these design decisions really are. Maybe then they'll understand that they can't play fast and loose with other people's data without consequences.

But right now, they can -- and that's the real crime.

This story, "It's time to make poor coding a felony," was originally published at InfoWorld.com. Read more of Paul Venezia's The Deep End blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Copyright © 2011 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2