[jrockway]

I approach this from a different angle. If someone broke into my web app by injecting SQL, I'd be mad that I allowed them to do so. If someone broke into my apartment by smashing the window with a brick, I wouldn't be mad at myself for not using thicker glass.

Therefore, I see SQL injections as sloppy programming, but physical break-ins as sloppy ethics. IMHO YMMV IANAL KTHXBYE.

[meowface]

Where do you draw the line?

What if your site uses Wordpress or some CMS, and it has a SQL injection zero day that is then exploited to gain access? Even if you did due diligence, kept your kernel and all your software up to date, and generally secured the server and the application as best you could, you could still be entirely unaware of flaws lurking within.

It'd be more comparable to the lock on your front door being vulnerable to easy lockpicking with a paperclip and 4 seconds. You're still not "allowing them to break in" by being sloppy (it's not like you left the door unlocked), but the manufacturer of the lock was sloppy and as a result, someone is able to break in without any "brute force".

[tekacs]

If you actually cared about your data being taken care of in this instance you should probably be running an IDS-esque or similar to notice and stop that form f attack in a blanket fashion (these certainly exist for SQLi attacks, names escape me in this moment).

When using a proprietary, paid for web service or app you can blame the service provider.

When hosting OSS code on your own server, exactly this is what the NO WARRANTY section in the license is about, thus making it fully your responsibility to go over the code or to accept that bugs and security vulnerabilities happen.

Edit:

To all those talking about the skill level of the individual - if you are using a proprietary service, you can easily point the finger at the service provider. In the case of OSS code, the license is there to remind you that you are taking responsibility for being competent enough to use the code yourself.

If your house was broken into because the lock was shoddily installed by a locksmith, you might have some legal recourse (though, IIRC, you may be required to validate & disclaim the install) but if you were to install the lock yourself, you have nobody to blame.

[meowface]

I work in information security, so don't get me wrong, I agree with you for the most part. People writing their own applications and/or setting up their own server/service are often extremely naive in how they go about securing them.

However, in terms of legal (or ethical) culpability it shouldn't really matter. An intruder is an intruder. Sometimes it's due to utter ignorance and foolishness on the part of the owner, sometimes it's due to a latent flaw in something they're using, sometimes it's a compromise of their hosting company, sometimes they get hit by a complete zero-day.

You should have legal recourse no matter the case, unless you are truly grossly negligent (posting your admin password on your index page, for example).

[jussij]

So does that mean if someone picked the lock on your front door and just had a look around your apartment, without doing any damage; you’d be ok with that and just be mad at yourself for not installing a better lock?

[jrockway]

I guess if I never knew about it, I wouldn't be upset.

[Lewton]

And I imagine the line you draw for where it's "sloppy programming" vs a legitimate break-in coincides exactly with your knowledge and skill level...

[rmc]

If someone broke into my apartment by smashing the window with a brick, I wouldn't be mad at myself for not using thicker glass.

OK, but did they do anything wrong with SQL-injecting/breaking-a-window? I mean, if someone smashes your window can you call the cops and/or sue them for damages? In order to call the cops on the window smasher, you have to acknoledge they did a wrong.

[icambron]

And if you were missing window panes altogether, is it open season on robbing your house?