Decrypting : A question of morals, ethics, or both?

I've had a situation of deadlocks within one of my servers. I knew the application doing it, I knew the behaviour that was leading to it and I wanted to pull the code, but didn't.

I went to the vendor and said "hey, your application is causing deadlocks because you are attempting to update every column in a table any time you change one thing and you have an index on each and every one of those 25 columns killing everyone else that's attempting to do anything, can you fix this?".

The vendor comes back with "there's nothing wrong with our code".

I can't prove that their code is bad without pulling it, but if were to pull it where would it lead me from a legal standpoint? Even were I able to show it and the legal aspects to be fine, should I do something to change things and make it work swimmingly what happens when we run into an issue down the road? They take a look, say things have changed and refuse to provide support.

Pretty much a no win situation, so I get to look at 40 deadlocks a day in my logs...

I have to admit that I decrypted some vendor code at early in my career.  There was a procedure that appeared to have a problem so I did some troubleshooting and determined that the procedure had a bug.  I reported that I believed that there was an issue in that procedure.   I actually don't remember if it was fixed or not, but it was definitely a thorny issue.

I don't think vendors should encrypt SQL Code.  I believe any proprietary application code should go in the compiled app, but I also don't think we should be decrypting encrypted code and I was surprised to find the functionality in the new SQLPrompt Pro.  

PingBack from http://topsy.com/tb/bit.ly/6It2y6

Personally, I have indeed decrypted in the past, mainly as a way to learn how certain stuff was done. I'm curious by nature, and I feel if I do not commercially try to exploit the knowledge I gained, I should be alright.

The situation described where the vendor is not responsive is a different issue. I personally do not view EULAs as fully legally binding, as 99% of the time, they are merely meant as paper tigers; try and intimidate people, but if ever be brought in front of a court, deemed one-sided and too oppressive.

A way to sidestep the legal issue altogether though is to publish your findings on blogs and relevant professional sites. Publish your research and taken steps in a neutral way so your peers can see what you did and how you came to your conclusions, and perhaps someone might point out something you overlooked. If your findings are confirmed by others, feed the response back to the vendor, and if the vendor still refuses, name and shame them, and just do not buy their stuff anymore.

My 2 cents.

This is a little OT, but I've been wondering why MS didn't include better encryption for database objects.  SQL 2005 and 2008 have much better encryption capabilities than 2000 did. Simple insecure obfuscation seems to be a backwards-compatibility throwback, and a pretty useless one at that.  With SQL 2008 and EKM you could theoretically create a "dongle" type hardware key to protect your properly encrypted database objects -- assuming the ability to encrypt database objects using cryptographically secure algorithms was even a possibility.

I think that this is always going to be a tricky issue. But I have seen Vendor Stored Procedures in the past that once decrypted (I'm as curious as Peter about anything that is running on my SQL Servers) are using Cursors etc that could have been written out of the Stored Procedure to give better performance. In most cases I have found that when this is discreetly pointed out to the Vendor they are happy to change it, especially when you benchmark your work and show the better performance. I'm not particularly worried if the vendor then uses my work to make their product better as it helps me out.