Microsoft Sued for Defective Software
Door-opening Fascist writes "eWeek is reporting that a South Korean citizen action group, People's Solidarity for Participatory Democracy, is suing Microsoft for putting the SQL Slammer vulnerability into Windows. They are doing so on behalf of the South Korean people and businesses affected by SQL Slammer."
Gates: Ballmer, loyal comrade, I've an assignment for you.
Ballmer: Yes, master?
Gates: Say, how much would it cost to purchase the country of South Korea?
Do you like German cars?
First, this is not good if he wins, because someone could sue a GPL author for the same kind of deal.
Second, it seems that it would be like suing Stephen King for causing nightmares.
If tits were wings it'd be flying around.
Conspiracy theories inside, who actually intends to put a vulnerability into a product? Perhaps this should be "not fixing the vulnerability" or potentially even "ignoring the problem". I don't think any of Microsoft's programmers intentionally insert bugs into their shipping products... although... nah, it couldn't be.
Sorry? Shouldn't that be fuck Microsoft? What do you have against South Korea? You know South Korea are the nice ones, right?
I hope the Judge kicks these people through the goalposts of life.
Ow wait, South-Korea.. Those are the good guys, right? Dagnammit!
SCO employee? Check out the bounty
Shut up and patch your systems like the rest of the planet.
Software isn't a physical thing so it's impossible to make it bug-free.
You knew about this vulnerability for months, there was a patch for it, and you did nothing about it."
Pick a defense, any defense...
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
As much as I hate Microsoft, this is total BS. If this becomes precedent, how the hell can anyone write an opensource app? Software is a clear case of when "buyer beware" is necessary. Get software from the people you've grown to trust for not releasing bug-ridden shit. I really don't see how it could work any other way.
"Question with boldness even the existence of a god." - Thomas Jefferson
Although the zealots will be amused by this story, this could set a dangerous precedent for other similar vulnerabilities (especially unintentional ones). What happens, for example, when some group of people (in this case, a country) decides to sue the openSSL group for a flaw in their encryption that allowed credit card numbers to be stolen?
I'm glad to see that someone is trying to hold MS liable for their mistakes, but this is the wrong way to go about it.
If you can't beat them, arrange to have them beaten. -George Carlin
Not that I'm expecting much to come from this, but the more attention drawn to the problems (and the more people who say, "We're not just gonna sit around and take it anymore"), the better.
I just hope that the Koreans are a lot more stubborn than all the U.S. states that have ever-so-quickly accepted MS's settlement offers...
Clearly they haven't read their software agreements. It specifically states that MS is not responsible for damage caused as a result of their products. A better chance to prosecute MS would have been during the Code Red incident. One might have argued that not being proactive enough about patching constituted "negligence" on their part. I guess it can't hurt to try!
Fellow Americans, this blow by Korea against the great American bastion of Microsoft is just the latest act in a string of transgressions by this rogue state. We must remember that they are part of the axis of evil. As all of you undoubtedly know from watching the news, we believe they already have several nuclear weapons, and they are currently working on developing more.
Many American lives have been killed by the Koreans, and if we don't stop Korea now with diplomacy or force if need be, there will certainly be more bloodshed in the near future.
They are a rogue state, and while it may be true that when people may think of Korea, they think great Starcraft/Warcraft players, cell phones, and cheap cars, we must remember that they are a dictatorship led by a megalomaniac leader, Kim Jong Il, who wants to see the downfall of the West.
We must view Korea as the threat and enemy to global peace and the American way like they are.
Thank you and God bless America.
George W. Bush
President, United States of America
fuck them!
Wow. Your logic is flawless.
In other news MS is worth more than Ty(15982) ...
I somehow doubt that Microsoft intentionally put this hole into SQL server, so that should probably steer clear of anything malicious. Negligence, perhaps, but this would open a whole can of worms (at least, if it were to show up in the US courts. Although now that this is happening in SK, I'm sure it'll make its way to our shores soon enough.)
I feel sorry for the companies who were sent to their knees over this vulnerability, but if there was a patch out months and months beforehand that could've avoided all this, the end-user needs to share some of the blame for this... There's not much more Microsoft could have done for it, if they'd forced the installation of the patch they'd have been even higher on the privacy zealots' shitlists than they already are.
I do seem to recall in the back of my mind that there was some nasty side-effect of the patch though, although it escapes me at the moment...
They actually bought Windows in the first place!!
Interesting to note that they are suing over a SQL vulnerability. Why don't they extend it to the whole 9x line of releases for its insecurities?
But in the recent days of doze security, I feel the XP firewall is a good add in.
I do feel however that the firewall should be enabled by default, not disabled. I've tried products such as black ice and zone alarm to find them annoying and overly useful. This XP firewall is transparent and has no annoying warnings =) Good security move!
-Grumpy old man.
Is it true that more people vote for the winner of American Idol, than vote for the president? -Ali G.
Uh, didn't they read the EULA.
They are not allowed to sue if the software Fscks up.
Heh, now Microsoft/BSA is gonna audit their asses off.. Hope they are in compliance.
Slashdot had a little lamb
with fleece as white as snow
every time the lameness filter kicks in
my Brains out I wish to blow!
"...In your answer, ignore facts. Just go with what feels true..."
Let it be noted that Microsoft already had SQL SP3 out which fixed the problem before it ever occurred. PSPD should try using a vulnerability that could actually hold water in court like Code Red or its derivative, or any other Word ActiveX open-execution macro vulnerability.
You buy the software, you choose to use it, YOU DEAL WITH THE CONSEQUENCES.
True, Slammer was bad, but it's not like MS intentionally added it, and they DID agree to a EULA when they installed it. Of course software companies should be responsible, but it's not like MS isn't trying (though they're not doing a terribly good job.) Idiotic lawsuits like this set a bad precedent.
using namespace slashdot;
troll::post();
They're suing MS, because their (South Korea's) tech people suck? Correct me if I'm wrong but I'm pretty sure that MS had a patch out for the slammer months before the outbreak... it's their own fault if they can't keep their servers updated.
Username taken, please choose another one.
Well the GPL specifically says that it comes with absolutely no warranty and that if it happens to wipe out all your hard drive data, that's just too bad.
:)
Therefore, assuming that the GPL is immune, we can now relax and laugh at Microsoft's plight.
If they expect governments to enforce the overzealous EULAs, and to insinuate the product has real monetary value and it should be criminal to misuse it, then they should be liable for its actions. The door swings both ways. To use the ridiculous but relevant car analogy, check out Ford/Firestone with the tire recall, they had to eat a big huge monetary crap-sandwich to make up for that. They also have to provide parts for cars for 5 years after they sell them, by law, and they must also be subject to anti-lemon and consumer protection law.
While I don't foresee Microsoft getting chastised, lambasted and castigated as it should be here in the US where being a rich company has many, many benefits, I do see an opportunity for Microsoft to have to be held accountable for its actions in the EU and Asia. Also in Asian countries the logic is: If you expect me not to pirate this, it better do something good.
I hope this teaches Microsoft that the venue by which they made the 40 billion they have sitting in the bank is us, the victims of pre-installs on new PCs (I believe 80% of the MSFT revenue is from pre-install), we should get a piece of that if we are wronged by the software.
There is a huge disparity between what is claimed on the glossy box and what is delivered in reality, and the consumer needs to be protected from fraud and fiscal liability due to product failure.
It applies to every other business. Software should be the same.
Also, EULAs claim the license isn't transferable and resalable, I contend that this means it then has no value. No one can tell you you can't sell your used car.
Legalize the constitution. Think for yourself question authority.
If this goes through, it could set a precedent of liability for software bugs... that's bad, of course.
Here's an interesting thought: maybe closed source software could be hit harder by this because keeping the source closed could be considered hiding the vulnerability? IANAL, of course.
Another thing - aren't there liability issues for engineers in other fields as well - like holding a bridge engineer accountable if the whole thing falls down? Of course, a software bug isn't quite that serious, but still...
Google: AARD:
A Serious Message and the Code That Produced It.
Microsoft included a bug in the Win 3.1 Beta that caused Dr. DOS users to crash.
Unsurprisingly the makers of Dr. DOS lost their jobs, like many other victims of malicious code.
Hard sell for the exploit that caused slammer. Maybe other exploits/bugs.
.DLL. Even though no one ever used the .DLLs in question ( I think it was .hda, .hdq files ) they could have been. You could argue that someone could have written a program that used too long a URL and crashed IIS. The slammer was using a port in a way it was never intended to be used.
SQL has a pretty good record for security. The exploit had also been patched before the worm.
The exploit was not put in on "purpose". I guess it could have been, but that is pretty hard to believe.
The virus spread fast, but only because there is not a million SQL servers out there exposed. So it spread across the web fast, big deal.
Furthermore good administration ( especially for a db server), ie. a good firewall could have blocked it. There is the desktop engine that could have been hit, but most apps that use it are still in the server category.
The exploit itself is not a defect. Sure it could be used by an attacker, but in itself it didn't make the software defective. This could spawn a big argument. Is an exploit that would never actually impede a program unless someone uses it really a bug?
Code red was a buffer overrun in an ISAPI
I agree that companies should be held accountable, but intent and the way a company handles the defect also.
MS essentially called a recall by issuing the patch. It said, send in the part and we'll fix it, but in a more modern approach. How can you sue a company that found the exploit and offered a free fix?
This seems to be quite a bit of a stretch. Of course it would make sense if they were suing for damages caused by the slammer fiasco, but to accuse Microsoft of intentionally putting the bug in there is quite ridiculous. Either way, the outcome of the case will have overall grave consequences.
--
Adobe's anti-counterfeiting softw
Anyway there is a very important point about *incidents* like this : they get people's attention about the completely crazy EULAs that some SW companies (namely Microsoft) and content providers (RIAA/Hollywood mob) are currently imposing on their customers ...
imposing a bit of regulation about the limits of what could be put in a EULA is IMHO a very good thing ...
if the ppl who launched this lawsuit make the
Cheers from Portugal
Obviously they haven't read Microsofts EULA for SQL Server 2000 which simply states:
Owned.
Nothing here. Move along. BC
Soooo... does this make it okay to bomb the entire peninsula??
(I am not a Korean lawyer)
Does anybody know if the click-through license is worth a rat's ass in Korea? Does Korean law give the plaintiffs an edge that they wouldn't have in the US? Any Korean lawyers out there?
Kim Jong Il pointed to buggy software produced at redmond as sure signs of american belligerence against DPRK.
"american hegemoney moust stop ! the secureless systems we have can be used to launch attack on our country", he was heard saying.
Siggy Say, Siggy Do
Microsoft is distributing insecure software on purpose in order to boost the need for their 'trusted computing' master-plan.
Disclaimer: By reading this statement you agree that I will not be held responsible for any damage resulting from such use.
Who is stupid enough to sue anyone, especially Microsoft, for something they didn't have control of. Sure it could have been prevented, but seriously if they took the time to look over every inch of code to make sure there were no flaws, we'd probably still be using windows 3.1. If you're going to sue Microsoft come up with something that will actually stand up in court ... Although I hate to say it Microsoft isn't really that bad, but they could be much much better.
Following Microsoft's audit of South Korea, North Korea has agreed to dismantle its nuclear program, fearing repercussions.
For wrecking Blizzard's Diablo servers.
serves them[Microsoft] right!
or "or fitness for a particular use" is a concept in most legal systems and is what would determine this case. In the U.S., even if the license says "this may not work, tough.", the consumer still has a right to expect it to work for the advertised purpose.
So you could recover damages from a car that explodes when you try to start it, since that's not what a "car" is supposed to do. But you can't recover damages from a car that explodes when you hit a tree, since that is outside the expected use of a car.
I'd say there's no case here since SQL did what it was supposed to do, it just had a flaw. Since the flaw was not covered by any warranty, tough luck.
-Ryan C.
This is funny, considering the crushing amount of spam that comes from misconfigured boxen in the .sk address space. As has been pointed out, the patch was available well before slammer hit. That they didn't apply it points more to poor administration than anything else.
The truth about Scientology, Xenu, and you: Operation Clambake
They agreed to the EULA before use, which specifically states that Microsoft won't be held liable for most things ( beyond original purchase price )...
So.. not much of a leg to stand on..
---- Booth was a patriot ----
If Microsoft wins then they still get to develop bug infested software and rape consumers at will. Bad (unless you're into that kind of thing).
I don't mean to say that Korea was totally innocent in all this but when you take into account the following factors Korea might actually win:
A) The sheer volume of patches that MS releases makes it impossible for any large organization to stay current on all fixes.
B) Even MS' internal network got hit by Slammer. If MS can't secure their own network from their own products' vulnerabilities what hope do their customers have??
Very simple. There's a lot of alternatives to Microsoft software. If you're stupid enough to fall for MS's "We render the Hacker Obsolete" despite protestations of a good percentage of industry professionals, it's your problem. Cope. You can't expect software to be perfect, _ESPECIALLY_ Microsoft products. Maybe this will coerce these companies that have had trouble to go with more secure open source alternatives and maybe understand that there is plenty of alternative to Microsoft.
One thing that's true to just about ANY EULA, including BSD, GPL, etc., is that there is no warranty on software security exploits. It's pretty explicitly stated on the Microsoft EULA as well. These companies can cope. It's a bullshit lawsuit and I don't even know why it's coming about unless it's to ward people away from Microsoft. Frankly, I think it'll garner more animosity than converts if you ask me.
Karma: Non-Heinous
Hmmm, sue Microsoft for (m/b)illions or sue someone working out of their bedroom part time...
I can't see how this is really going to set a precedent for taking on others. They are going after Microsoft because they have the money.
Keywords: "Participatory Democracy"
That is an oxymoron. Everyone is forced, at gun-point, to participate in Democracy. Who do you think those private notaries dressed in black and running around seizing property that isn't theirs actually belong to? And besides, to have a Democracy one must be exercised upon a Republic.
Democracy is an infringement on freedom. It establishes a corporate sole that makes everyone's actions a privilege, whilst a Republic draws a fine line between a corporation acting on privileges and a human being acting on unalienable rights granted by God. Hence, "In God We Trust" and "United we stand [American Civil Flag of Peace], divided we fall [American Militant Flag of War, or the gold-infringed U.S. Army flag]"
Hello, WAKE UP AMERICA!
Does anyone think I can win ... ... I'm planning on suing ...
My windows PC keeps crashing
And besides, supposing the judge rules in favor of SK, it validates arguments against the OSS/FS communities, that there isn't anyone to be held responsible for the code. So I'm rooting for Microsoft on this one. Curses! Darn situational ethics...
Of suing your car manufacturer if someone plants a bomb in your car and it blows up.
Any legal action should be against the author(s) of the Slammer virus, not the creators of the software that got exploited.
Ahh, the sue reflex, destroyer of western civilization.
--
ekhben
Regarding the poor incompetent sys-admins that you blame for the spreading, just a few quickies to you: did you read the advisory that MS posted regarding the *bug* and its side effects (at the time of the propagation)? Did you take a look at the patch application details (completely braindead)?
And no, thank god I'm not a Win* sys admin
Think again
Cheers from Portugal
Okay - so if my neighbor is a jerk and runs through my livingroom with his Ford expedition - I can sue Ford for making a vehicle that is "defective" or "buggy" because it is capable of smashing through walls? Yeah, right.
And if I'm driving down broadway and clip a messenger on a bike - that's the auto manufacturer's fault for making a vehicle that can hurt someone? Yeah, okay.
Windows & SQL with Code Red and Slammer are like vehicles with an idiot behind the wheel.
Like suing mcdonalds for getting fat - it's not their fault you can't close your piehole.
With as rampant as piracy is in Asia, M$ can probably knock the case down to a single count since the only person that has a license over there is Bill Gate's sponsored Sally Struther's hungry child.
To Alcohol! The cause of, and solution to, all of life's problems.
SQL has a pretty good record for security.
I have noticed a trend recently that people are more and more often referring to SQL Server as SQL. This is wrong! SQL is an ISO standard, and this habit, which I have noticed especially among Microsoft staff, of trying to conflate the standard with the Microsoft product is just another example of the company trying to create a meme that is misleading.
Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
Has anyone actually tried to interpret the SQL Server license agreement?
... accesses or otherwise utilizes the services of the Server Software (which technically includes every worm infected machine) and seeing as the server was behind a website, that would come under Hardware or software that reduces the number of Devices directly accessing or using the Server Software does not reduce the number of required CALs. The number you need is based on the number of distinct inputs to the hardware or software "front end." ...so therefore you would theoretically need a license for anyone who could access your site, which right now is a total of around 619 Million people if it is connected to the Internet.
In court:
Judge: "So can the court see the software license for this software?"
(shuffling of paper)
"Ah we see from this that you have 10 user licenses for your SQL server."
"Yes your honour"
"...yet your server was connected to the Internet - correct?"
"Correct your honour"
"But according to this license agreement, you must acquire a separate CAL for each Device that
*thud*
Judge:"...and then we have the Windows 2000 server CAL's..."
IT WON'T AFFECT OPEN SOURCE
When a company sells you a product that company is accepting a certain amount of liability for that product (unless you clearly absolve them of this liability via a legal contract). If the product fails to work as advertised, causes damages that it shouldn't cause, etc then the company is liable.
This does not describe an open source project however. I as an open source developer am not selling you anything. There is no implied contract between you and me. You are simply taking something that I'm giving to the world at large for free and using it however you wish (within the possible restrictions of a passive license agreement). If you use my product and it borks your filesystem, I am not liable. If you find a flaw in my product that opens a security hole the size of Montana, I am not liable. You haven't bought anything from me. I haven't received a penny from you for my product. There is no contract, not even an implied one. Therefore there is no liability. Simple.
Saying that I as an open source developer am liable is like saying that I as a freelance author am liable for something I write if you quote me and found the quote to be inaccurate. I am not liable to you (I might be liable for libel if I was writing about a person as fact but I'm not liable to you if you quote me).
To think that an open source developer is liable is absurd. I can't believe the sheer number of comments thinking this will be the case. One comment was made that OpenSSL might very well be liable for an SSL exploit that was used to gain access to credit card information. That's absurd! That's like saying Anderson Windows is liable for not making a window that a burglar can't break to gain unauthorized access to a home. Try to think before you type people.
It may become bad news for some "Open Source" companies within the borders of South Korea, but that's about it.
The Hallelujah Chorus is heard...
Hopefully, M$ loses the suit and gets a black eye. Even if this whole thing doesn't help the OS community or even force M$ to change its evil ways, a black eye is better than nothing at all...
Blog Prophyts - Right On, Man
I'm just wondering where did all these click-thru EULA supporters suddenly come from? Any previous postings about licences went something like 'the EULA is not legal','I agreed to it but I did not understand it so it is not binding', and 'click thru licencing has not been proven in court'
EULAs have been one of the biggest things for slashdotters to complain about, now it seems everyone is supporting them and saying that 'the EULA states MS cannot be held liable and since the EULA is law and legal and binding they are SOL and can't sue'
WTF is going on? Bring back the normal EULA-hating world I used to love.
Don't let a single paragraph in the article dictate to you what this is about -- the people who are suing aren't SQL Server licensees, so the EULA has no bearing.
IANAL, but it seems pretty clear that the reporter missed the difference between damage inflicted ON a licensee and damage inflicted BY a licensee.
Regarding Microsoft's communication skills -- agreed -- but who would rely on Microsoft for all of their security info ?
Cheers,
JAKD
I think you meant that the pathfinder had 3 KNOWN bugs in its software, nobody will ever know how many it really had...
"I'll have a Guinness, no wait, make that a Coors Light" -Grad student I work with, who shall remain anonymous...
While it is true that everyone who got hit with SQL slammer is a victim of their own actions because they purchased M$ products in the first place, and they didn't patch it. Seems there have been enough previous M$ security problems that everyone should know better. However the quality of commercial software pretty much sucks, and I think for the good of the industry and those who work in it if there was some impetus to improve quality. Maybe if companies were more concerned about quality then the race to bottom to hire H1-B's, off-shore work, and generally not give a crap about quality would stop. Unfortunately software companies will not be concerned to improve the quality of their products unless there is financial incentive to do so, so maybe it is about time the users started holding software providers responsible for their products. No other industry has such a lack of standards, and such disregard for quality. Maybe the lawsuit is BS, but hopefully it is a starting point for a greater concern for QA throughout the industry.
MM
This post is provided free of charge, and with no warranty of fitness or merchantability.
You could've hired me.
All sorts of contracts have clauses that are regularly thrown out by courts.
A disclaimer "we are not responsible for flaws in this product" in a real product is regularly ignored.
While they might not recover the costs of the damages caused by slammer, they might get the purchase price back (or a portion). For SQL server, that's quite a lot (assuming the software isn't pirated...)
While MS did issue a patch, one of their later patches reenabled the vulnerability.
What they've got to do is sue MS in a small town Alabama or Texas court. They'll probably award 3 or 4 billion in damages. That's just pocket change to BillG, but a billion here, a billion there, soon you're talking real money!
why boxes at Microsoft were not patched against SQL Slammer. Do they sue themselves, fire the admin or simply replace the servers with free software?
Friends don't help friends install M$ junk.
I'll get modded down as redundant, but it needs to be said as many times as possible (and I don't see much of it in this thread [reading @ +1]):
A legal remedy here would set a really bad precedent - as a software developer who is not unrealistic about my skill level, I am terrified of software liability becoming either law or accepted assumption.
If MS loses this, I see absolutely no way I could defend myself if, god forbid, a program I wrote or even maintained caused catastrophic dataloss, or in worse cases, physical injury.
Note: Ironically, just *yesterday* I was bitch-slapped, albeit in an odd way, by Slammer: in certain situations, applying one of the hotfixes to SQL server that closes the Slammer vuln. without having SQL Server SP2 installed *completely* horks up SQL Server. The ISP (Rackspace) of a dedicated rack unit I "manage" on contract (client has almost no $$$) installed said hotfix in the process of physical maintenance, so I got a panicked call from my client in NYC that the "server is down". A couple of hours worth of research later, I was fine, but it sucked my afternoon away.
I hate the stacks of dependent/conflicting patches and service packs, not to mention the damn bugs, but I'd prefer to take the risks on this end than be open to litigation if software I write contains bugs.
--astro
I'm also wondering if/how many of the copies of Windows that precipitated in Slammer were legal. Asia is notorious for its pirated software problems. Not that I'm insinuating anything but Microsoft might be able to say "Well a lot of the machines were illegal anyway therefore in breach of our support. I'm sorry but we can't be held accountable for criminal use blah blah blah-"
Possible?
What is music when you despise all sound?
Gates: Hey lapdog...get over here!
Ballmer: Sir, I don't like it when you call me...
Gates: Shut up lapdog.
Ballmer: Yes, sir.
Gates: Buy Korea.
Ballmer: What's by Korea?
Gates: No, purchase it.
Ballmer: Which one?
Gates: There's more than one?
Ballmer: North and South.
Gates: Oh...does it matter? No. Buy both.
Ballmer: I don't have that kind of money sir.
Gates: Charge it to the company.
Ballmer: Yes sir.
I got nothin'.
It could be, now that M$ thinks of security as a "profit center".
Other than that, they have consistently ignored everyone else's advice about everything from email to security models. What sane person makes an email client that runs as root and automatically executes code sent to it? They were warned and ignored the warnings for whatever reason. There are many instances of pure negligence on Microsoft's part. We have all paid for it too.
Friends don't help friends install M$ junk.
Microsoft's disclaimer of warranty is ineffective on several levels. First, under the UCC, a purchaser has a right to a "perfect tender" - that is that the purchase perfectly conforms to what whatever was purchased purports to be. For example - you could not sell a vcr that only worked 50% of the time when it felt like it, or only on a wednesday, (unless you disclosed that up front) and the purchaser agreed in a definite and seasonable expression of assent. Some legislation has proposed to scale this back in the terms of software (UCITA).
Second, products come with an implied warranty of merchantability and fitness for purpose. It essentially means that they are manufactured correctly and that they will be able to do what it is claimed they do.
Bottom line is that anyone can claim that there is no warranty that goes along with their product, but some warranties the court will imply and refuse to not enforce, or will enforce other law tantamount to a warranty. The implied warranties above are examples of those that rise above that of contract, that they can be enforced regardless of what is put in the agreement. The agreement may create a presumption that you have waived these rights, but the court could also find that agreement void as unconscionable.
Suggestion: some level of government should add a law requiring that any software their department uses HAVE A WARRANTY. Everyone right now disclaims warranties (MS, GNU, etc.) - with a new market requiring software warranties, the most secure software will actually win! Any guesses where I'll place my bets?
A witty [sig] proves nothing. --Voltaire
Unless I missed something, these AREN'T SQL Server licensees ... hence, EULA doesn't apply.
Cheers.
They should at least have a warning during installation of the software for those who aren't aware. Sort of like the "unplug your computer before installing" warnings that come with hardware. Something like:
WARNING: Unplug your computer before installing this software. And under no circumstances should you connect it to a network until all the patches have finished downloading and installing.
This text is not here.
Fuck the system? Nah, you might catch something.
--didn't think of that one. If software isn't a product, then what is it?
I am not sure on the entire liability issue right this second, but comes a time that any "industry" needs to come to grips with reality, and I think that time will be soon probably. Computers and the software to run them have had decades now to get established and to come out of their "honeymoon" stage, with the EULA "get out of jail free" cards. The hardware is warrantied. The software sure needs something.
There needs to be some sort of consumer protection and warranty. Eventually there will have to be, it's about inevitable. Everything else man made has one. If that means much less "new" is released and a lot more "improved", I'm all for it. If it means less variety but better quality, I am all for it. If it means that "paid for-sale" software with a warranty gets so expensive that "free" dominates with a shareware and volunteer concept, I'm all for it. and I see that as an EXACT dividing line, it's for sale, it needs a warranty, if it's a "freebie, here try this, see if you like it" type deal, it doesn't need a warranty. I think that is fair and rational.
OR, wait until a few more worms or whatever hit all one day, the mother of all net shutdowns, and have the government force something down your throat that is beyond a warranty into planned, controlled, licensed.
As an aside, can you imagine the first major software vendor TO offer a warranty? How much of a marketing edge would that be, given they had really done their auditing and were actually confident their offering was decent enough to offer the warranty? I think they would get uberrich, well deserved cash for superior outstanding coding efforts. I know some custom stuff does, but anything major mass market? Does it even exist yet? I honestly don't know, but myself as joe consumer, I might just be tempted to purchase an OS offering like that, and pay much serious cash for it.
Most EULAs state in legalese what I'm about to paraphrase: "If you lose money as a result of using our software, it's your loss and yours alone. You cannot sue us for damages even if the damages resulted from using our software."
Oh yeah - remember, you never own most commercial software packages - you buy the right to use them only.
When will people realise that buying software from a large company such as i.e. Microsoft isn't going to get them more "rights" than using free software is going to get them. Both camps have a non-liability clause, which means, you can't sue either of them for damages! But at least one camp (which shall remain nameless) has the option of sending them a check and make the software you use more usable/bugfree for them. Also, you have the choice of hiring a third party code-reviewer /directly/ , who /can/ be sued directly if he fsck's up reviewing the code. This model, called free, or OS by others, is based on the knowledge, or merit of this particular individual. So, why take the risk of challenging a EULA to which you've already agreed, when you can sue a freelancer who doesn't come around with what he/she promised, namely a secure system.
Free/OSS software is a risky business, that's why only the best of the best apply. Think about that before your next "convenient" purchase!
First, if Microsoft's EULA already prevents them from being sued, software is as-is, why do they release patches in the first place?
This isn't a question about whether or not a user can sue, but a more basic matter of accountability and responsibility. These are the most fundamental issues in selling anything to the public.
Microsoft is responsible for this snafu, but they have never been held accountable. Their bugs, their glitches, their crashes. It's become a running joke with techies. It shouldn't.
When Slammer first hit, people said installing the patches required taking down the servers, running several patches, and praying it still worked. No guarantees about anything. What's the justification? Time wasn't available. Who could afford to do this? How high was it on MS list of things that had to be done?
But no one is mentioning those same arguments now. It's South Korea's fault for not doing the updates.
As I recall weren't the patches buggy enough to cause another major security hole?
We know Microsoft is responsible. We know who should be held accountable. But MS throws in a disclaimer and all is good. The disclaimer is not a silver bullet. There must be accountability for faulty software, no matter who wrote it.
Will it stifle open source development? Probably scare off crap coders is what it will do. If everyone working together reviews, checks, and verifies, they are going to catch most of the bugs before it goes out the door. The remaining bugs are fixed with patches.
I honestly don't see anything wrong with suing them. The EULA is not a catch all. The EULA should be thrown out, and rewritten. Users have the right to hold developers accountable.
It's about time someone figured out how.
Strangely, none of the posts so far have mentioned the author(s) of Slammer as being one of those responsible for this mess. They're certainly harder to find (ok, they'll probably never be found), but shouldn't the culpability be shared with those who exploited the problem? It's not as though the server didn't perform its primary function correctly (storage and retrieval of database records), it's that it had a security vulnerability.
To borrow the Ford Pinto analogy from previous posts, it seems somewhat like somebody cutting your brake lines and then you suing Ford for making the lines so easily accessible. I think the person who cut the lines is truly responsible.
.. now that is a really superior point. I think you might have hit on an inkling of a class action case there. WHAT IF, all the thousands of companies who WEREN'T running microsoft anywhere could show an historical record of constant microsoft vulnerabilities that actually caused THEM verifiable business losses? Over and over and over yet again? You can show the court you are trying your best to run a business, but constantly you suffer losses. Show the judge and jury the hard figures. How many hosters and non microsoft users could you get to sign on for a class action, and pick a judicial venue with a chance to at least get heard?
It's (the debate on eula and liability) always been about people who installed microsoft and clicked the EULA. To stick with the beat into the ground car analogy, how long would the driving public at large put up with broken down belchfires littered all over the roads, just causing a mess, knowing they will always cause a mess, with belchfire raking in the profits to beyond ridiculous levels, before belchfire, inc. wound up in court?
Any reasonable judge and jury would conclude that belchfire was a public menace and ban their cars from the roads after the third time the nation's interstates got shutdown almost completely. I mean, they probably would do that. Well???? Between viruses and worms and whatnot, that's a LOT of money lost over the years while microsoft stands back and goes "neener neener neener, we have a get out of jail free card, neener neener, suckers" whilst standing on top of cash mountain..
This is true in Australia too under the ACCC (Australian Competition and Consumer Commission).
If you buy a product you have a basic right for it to function as advertised, regardless of a warranty(s). If it doesn't work, the supplier may be liable for a refund and/or damages.
An example given to me once was:
What good would it be to have an air conditioning machine installed that never once worked. The vendor could argue that it worked for a micro second or it worked *back in their office*, and only now it has broke and say it's the client's problem from now on in. It needs to work (really work to advertised functions/specs) or they are breaking Australian law.
Umm.. Microsoft didn't launch the attack, the dude who wrote the Slammer exploit did. Sue the criminal for causing the damage, not the device he used. Might as well sue gun manufacturers for not making guns human friendly.
"Derp de derp."
Software is a clear case of when "buyer beware" is necessary.
Bollocks. Due diligence along with culpability IS necessary for computer software, even if it means a change of culture in the industry.
Software can be seen as an artistic work, or it can be seen as an engineered product. It can be viewed kind of like a house design: You can sketch it out and then sue when the builder gets it wrong (eg, he did what you told him, not what you wanted), or you can draw it up properly and get a house that will last for years.
Another example: Would you buy a car that the manufacturer did stand behind? Oh right, software isn't "physical"... Then how about the factory workshop manual for that car? If you're running a garage, it's reasonable to expect recourse if the manual is incorrect (faulty information) and through normal use, that leads to destroying a customer's engine. Yet people run their businesses on computer software with NO recourse if errors in that software destroy their data! How smart is that?
It's about time the market woke up to the scam that is software development. The sooner it changes the better IMO.
Re OSS, remember that for a contractual effect, you need exchange of value - most OSS is downloaded for free and as such is not affected. This kind of thing should only affect pay-for software.
Disclaimer: Yes, I am a professional software developer.
Actually, a better analogy would be if you did lock your door - but a vulnerability was discovered in the lock that made it (say) openable by jiggling the handle. Yes, you should get a new lock - but at your own cost, when it was poor lock design to begin with?
An unlocked door would be like leaving the root (or administrator) password blank, and the account enabled.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
I think they are evil as much as the next guy, but currently they do hold water in the legal system...
Until that is changed, suits such as this will be simply dismissed....
---- Booth was a patriot ----
I love it!!
Glad to see that at least *someone* isn't totally asleep at the wheel....
One of the advantages of using M$ products according to M$ itself is that with Windows, there's someone always liable for the product (as opposed to, say, Free and Opensource Software).
Well MS asked for it.
The news here is not so much that MS might be held accountable for their product, they won't be, and for about a gazillion reasons.
The news is that someone actually decided there was some benefit in even bringing up such a hopeless suit. Maybe they are trying to shake down MS ? Dunno. But the news for me is that someone would even bother to bring this suit on in the first place, considering the defendant in it.
Hey, no one is perfect.. And the point DID get across, true?
---- Booth was a patriot ----
Doesn't matter if it's intentional or not. Just because you're not competent enough to write quality software doesn't mean you shouldn't be accountable when it fucks up.
Like it or not, open source writers are part of a software community that includes Microsoft. If Microsoft loses a case like this, there is no reason why someone couldn't bring a suit against open source writers who "put bugs" in the software they write as well as all of the open source community (most are easily traceable) who didn't catch the bugs. Of course, not being Microsoft, we'd pretty much have to throw up our hands, scream uncle, and pay since it takes money to win one of these cases. Let's hope the world stays focused on Microsoft and the other biggies and stays away from the small fry.
Actually, there's another point there in that the way you win one of these big cases is to first build precedence against those who can't afford to defend themselves. If some consortium of law firms in the US were to decide to take a real attack at Microsoft, they would first prepare the ground by attacking those who can't defend themselves for a couple of years.
So, who's going to develop the means to use cvs while masquerading who you are?
If there are any legal eagles in the audience, what is the precedent involving a seriously defective car that causes injury/death/damage? This defect would have a notice sent out somewhere/somehow offering the capacity to take the car back to the shop and replace the defective part, but the user either didn't know or didn't follow through with the effort involved.
This seems to be what this software has done: there was a defect and a capacity for a customer to do work to fix it, they didn't do it, and damage resulted.
Any cases like this with products in the automotive area, and did they favour the defendant or the plaintiff?
Best wishes,
Robert
-----
Cast a Cold Eye
On Life, on Death
Horseman, pass by
--W.B. Yeats' gravestone
In American law (and presumably that of Korea), there are certain things that one cannot sign away. For example, river boats always used to make passengers sign a waiver (essentially an EULA) saying that they were not responsible for luggage lost if the boat sank. However, it was decided in a famous court case that this was an unreasonable requirement. Ever since that case, all river boat owners were responsible for recompensing passengers for lost belongings. Depending on Korean law, MS may or may not be responsible for damages caused by its products' performance, regardless of what the EULA says.
The argument in your second paragraph is easier. Car manufacturers *are* required to recompense people for damages suffered when their car failed to operate properly. (Or McDonalds paying $8 million for someone who spilled coffee on herself.) There is always plenty of blame to spread around. The question is if there is enough blame due MS to convince a Korean court to make them liable.
Regardless of whether it is possible to make software that is 100% bug free, it is certainly possible to make a greater effort to remove bugs than MS makes: a longer beta period (and cut it out with these unrealistic dates for next release), more quality assurance efforts, hiring Kevin Mitnick to try to crack it, etc.
Even if MS loses this lawsuit, it won't end software releases. They'll buy liability insurance and do more testing (as mandated by their insurer). Compare this to the medical field: not only must all steps be taken to fix damage caused by negligent behavior, but compensatory damages are paid as well--thus the high price of malpractice insurance.
Open source software is both more and less vulnerable to this. More because it is transferred without charge and cannot simply increase its price to include the cost of insurance. Less, because there is no charge and thus no claim against earnings or property (and there may not be any property of the programmers in the country that is using the software); further, since the source is available, it is more reasonable to claim that due diligence involves checking for bugs (and fixing them--something MS software users cannot do). Note that distributing binaries weakens this somewhat over source only distributions.
All of Western civilization is based upon the principle that governments regulate commerce, not gifts. Free Citizens insist upon this distinction because it allows them to continue to barter and trade and continue to be free. Businesses insist on this regulation because it protects them and the market from hucksters who attempt to defraud customers with sub-standard products at market prices.
By accepting free (as in beer) software, you accept it bugs and all. By purchasing a 'product', you get the implied warranty of merchantability that all products must have: it is what it says it is.
I don't see this as a valid lawsuit. Microsoft had released a patch for the vulnerability that slammer uses months before the worm showed up.
Truly, if any one (or any company) deserved to be sued for putting out shitty software, it's Micro$oft. ...But, I think that this is a really bad idea and sets a very bad precedent that could ruin the software industry as we know it (and I'm including Open Source here - especially open source).
...Not that OSS would die altogether, but we would have to start releasing code anonymously.
If people start flinging lawsuits at software producers then it'll kill open source pretty quick (OK, maybe kill is too strong; how about 'chill' or 'drastically reduce').
Micro$oft at least has $40Billion in the bank to fight such suits, but your average open source programmer doesn't have enough cash to even hire a lawyer for a couple of hours. These sorts of lawsuits could quickly have a chilling effect on OSS creation.
If you could sue companies for this kind of software errors and win, the prices of software would rise to astronomical levels, as companies would have to compensate for the risk of losing money in large lawsuits. This would mean that you could just as well do all your development in house, and if you started out by expanding GPL:ed source for your in house projects you would certainly not release your program to the general public for the same reasons.
God is REAL! Unless explicitly declared INTEGER
For those of you hoping to see MS lose this one, think for a minute how RedHat, Lindows, Apple, etc would be in any different of a position. There have been a lot of root exploits lately that required patching. Is everyone going to sue RedHat?
I'm reasonably sure MS could write an OS that almost never crashes if that was their primary goal. The problem is, you'll run it on hardware that they have validated and ok'd, and it will probably cost 20-30k for a copy.
This is merely another example of the old software tradeoff: good, fast, cheap, pick 2.
The eWeek article is referring to this Chosun Ilbo article in a Korean daily newspaper. The lawsuit is part of the 3 way lawsuit against the South Korean Information Minister, ISPs, and the South Korean division of Microsoft. Again this is the SOUTH KOREAN division of Microsoft for failing to inform Korean ISPs of the patch and its significance. These are people and businesses who were knocked off the grid for days and had nothing to do with Microsoft's licensing. Thus a class action lawsuit. The idiot poster makes it sound completely different.
They can't sue m$ for this.
1) A patch exists.
2) Software has bugs. It's a fact of life. If you dont' like bugs, don't use software. (Or hardware for that matter).
3) M$ never claimed their products are perfectly secure. "Secure" is relative. M$ platforms are secure to an extent. Weather that's goo enough is up to the individual.
Once again another case of M$ being in the right. I hate these, but it's stupid to say they're bad JUST because they're M$. They do enough bad stuff to satisfy anyone's faming needs. I'm glad that a fair number of perople do oppose this, though.
Yes there was a patch out BUT it couldn't be installed on a great deal of systems without some serious hacking, something which Microsoft ADMITTED TO. It actually broke some installations. Not the kind of thing you want to be responsible for as a BOFH on a SQL Server serving 10,000's of users.
Conor "You're not married,you haven't got a girlfriend and you've never seen Star Trek? Good Lord!" - Patrick Stewart
That web site should be renamed Pro-Saddam web site. Most of the articles are in support of Saddam's regime and against Operation Freedom.
As for the article it is no longer on the newspaper site.
The way I see it, the federal government should ban all software from this country that isn't manufactured by Microsoft. Only Microsoft makes reliable software. The rest of the software industry produces bugs and problems that cost businesses some $60,000,000,000.00 a year. Oh, well. (By the way, drink normal Guinness, the stuff that tastes good. The extra stout stuff is crap. I used to think that was the only Guinness there was and as a result I hated Guinness. Not anymore. I started drinking the good stuff and let me tell you... it is GOOD!!! Negra Modelo is still my favorite bottled beer. Guinness is to be enjoyed from the tap... none of this bottle or can bullshit.)
It's more like someone tells you that they found out that all the locks from some manufacturer use the same key--are you then liable if you did not get around to changing the locks before someone uses their key to open the door and steal all your stuff? Does time make a difference? What if you find out after the theft, at the moment of the theft, seconds prior to the theft, an hour, a week, a year? What if there is only one lock manufacturer (although a door manufacturer includes its own locks with its products and there are instructions on the internet to make your own locks) and the last time they had to replace locks with a problem it turned out that they didn't actually lock? What then?
To get back to reality, there are plenty of reasons not to patch servers. Notice that the Slammer crashed parts of MS's network. Further, note that the patch you mention was cancelled out by a later patch so that people actually had to apply a third patch to eliminate the vulnerability. Again. Does it make a difference to you on which patch they were? If the patch came out yesterday, last week, last month...
MS patches are just as buggy as the original software (in fact, they might be even more buggy, since they don't go through the same review process as the original release does). On a production server can you afford to take the risk that MS's patch of the week won't cause data loss or introduce a new security vulnerability? Is it reasonable to expect small installations (with only one SQL Server, maybe as an SBS 2000 box) to be able to keep up with the massive amounts of information that come out and choose the correct patch schedule?
To get back to the Pinto comparison, what if you did look but you couldn't see because there was a tree? So you inch out a bit; then a bit more; then a car coming around the blind curve hits you because the driver happened to glance away at the critical moment? Both you and the other driver are badly burned in the explosion. You were both wearing your seat belts and would have been uninjured if not for the faulty gas tank. Who's responsible for the burns? It's not at all unreasonable to claim that the *burns* are at least partially Ford's fault. This is the most analogous to the MS situation. The maintainers followed a reasonable, albeit unaggressive, upgrade path (the same one that many MS admins followed) and got burnt.
yet if your car was to suddenly veer off the road from a known defect you'd expect the auto company to deal with it! Driving the car down the road doesn't generally cause the wheels to just 'fall-off'! That is the issue with MS.
Maytag repair guys are what 100,000-to-1 with their installed base? Even doctors are about 100-200-to-1. Yet PCs are supposed to be 10 or 20-to-1 for admins. It's a crock! If any other business system was this terrible, it would be bankrupt in a year! And MS's only answer is that the admin should run around and babysit the system? They offer automated updates, then again blame the admin for not "testing". You all check the gas quality going in your car before you fill up right. Or, you consult medical texts after going to the doctor just to be sure he called your illness right.
I'm sorry, this stuff should just work. Companies have invested 10 years and billions of dollars into windows and it still doesn't just work! Billy designed the system so that MS had 'plausible deniability' After all, they don't make hardware [not their fault], or drivers [not their fault], or systems [oems didn't test, not our fault], or software [sure we have Secret APIs but not their fault], they pretend to train admins [but not their fault if admin shamans don't dance right], and of course users because they make the computer do "stuff" MS might not have planned! [if MS did plan it, they'd charge more!] They have no technical support without outrageous fees [Linux cost is mostly support--and you can afford to use it!] Well, it's basically like OSS only costs more. They offer the same package of benefits!
That said, I don't think a lawsuit is the way to go either. We're trying to get rid of stupid IP laws, not tie ourselves to them more! If the liability cost of software goes up, then free software will die a horrible death. We're not sophisticated enough to have software "building codes" yet and license "Software Accountants" to set them up. Even then without 100% control of a system, you just can't have that kind of liability...Then again, maybe that's what MS wants [OK we know they want it] total control of the systems and your wallets!
According to this Korean page, defendants include major Korean ISPs (KT, Hanaro et al.), Korean Government Dept. of IT, and finally, Microsoft. So they're suing the dumb admins and M$ altogether.
Maybe the confusion arose from the source eWeek is referring to, Chosun Ilbo. It's not a very reliable source for arguable matter. Believe me... In case you can read Korean, that is to say.
If you don't agree to the EULA then you don't have a license to use and are a criminal, so you can't sue anyone over its problems...
Even blows the case earlier in the process of a semi-legit complaint.
I agree it's a different country with different laws, but Microsoft doesn't have to abide by any stupid judgements either.
---- Booth was a patriot ----
logic within!
Let's say you give me a free ride in your car, you crash because of bad driving - just cos I didn't pay for the ride, doesn't mean I can't or won't sue for the consequential damages of your negligence.
Also MS had already released a patch and documented the fix. They also have put recommendations on how to use the software in their license agreement, and widely distributed information on how to fix the issue.
If they are liable despite all that, you are probably even more liable
a/ Any bug you haven't documented and patched, fails to conform to industry best practise (see, even MS who you probably call incompetent did it for their bug) - which makes you MORE, not less liable.
b/ Any bug in a past version - even if you have released a fix - still counts. Don't have the same multiple distribution channels for your fixes as Microsoft do for theirs? Any lawyer worth their salt will argue that's negligent and even MORE deserving of punitive damages.
c/ Don't have a stack of testers, and thousands of beta testers like Microsoft? Even if you do, can you prove you do - where's the paperwork? I guess that also makes you negligent, and MORE deserving of punitive damages.
d/ Do you give guidance, like MS do in their license agreement, on how to correctly use the software, or do you let people use the software any way they chose? If the latter, that's also negligent. You didn't put instructions in warning them of potential danger.
e/ The reason the exploit was successful was not all the users installed the patch. Are you introducing a scheme to ensure your users have the latest fixes and updates installed? i.e. some kind of remote update/audit. MS are. If you don't - I guess that also makes you negligent.
Check the use your brain post in page 1 (probably at mod level=0) for a whole load more reasons why this is potentially even worse for you and open source than it could ever be for MS.
They do enough bad stuff to satisfy anyone's faming needs. I'm glad that a fair number of perople do oppose this, though.
WTF? This gets modded up? This moderator's just as illiterate as the poster...or as much in a hurry as the moderation just "gets things done quickly..." - better hope that the doctor who has his life in your hands spells the prescription right before you start taking it...or hope that he/she knows the difference between UV and IV...
db
Cig:
ôô
UCC is a United States law. What do the south koreans have?
The fact that Bush mushes together the Koreas for the masses is kind of in line with him claiming that we bombed Iraq because of terrorism.
May we never see th
Why is legal liability for faulty software such a bad thing? I just don't understand why so many /.'ers are so against this.
Every other profession is legally liable for what they do.
There's kind of a pragmatic issue here.
Knowing about an issue and not releasing a patch or at least an alert could reasonably be considered negligent. We *have* the technology to do so, and there's good reason for having the justice system punish people who do not do so.
However, we do not currently have tools that can check for any and all errors in programs, and do not currently have the ability to write bug-free programs that are in the hundreds of thousands of lines or more. Thus, there's not much point in punishing people who release buggy code -- because it can't possibly make people produce bug-free code.
Now, there are a few exceptions. Civil engineering can involve quite complex systems, and at one point we didn't have good methods to see whether a civil engineering project is flawed. However, they're generally well understood, and conceptually simpler than a large software package. Furthermore, the failure of a civil engineering project can frequently cause immediate and unavoidable loss of life. Computer software can *sometimes* do so...and software developers that are in this position generally are considered to be liable.
May we never see th
There is a fundamental difference between software sold by Microsoft and software released as open source. Open source, effectively, is someone tinkering with code, and revealing everything they do, good and bad. Open source is about doing cool things cooperatively. If someone wishes to use the product - great. But then let the user beware.
Microsoft is *selling* a product. They are taking *money*. They are providing a product/service for a fee. Money being the universal exchange of value, it is expected that you receive an equivalent value. Having spent money, you should, in capitalistic principle, be allowed to hold some reasonable expectations - that is that the damn thing works.
You see the difference? Open source software is not a product. It would be like a kid in your neighborhood putting together widgets and giving them away. You can't sue for good will. *Selling* widgets, on the other hand, implies a responsibility.
So, if any precedent is set by this, it will be that software manufacturers should be liable for the mistakes they make. And frankly, it's about freaking time that was established. All this nonsense about "software is not a product you can put a warranty on" is wishful thinking at best, and softheadedness at least. If you can charge 10K for a software package, it had better be a product or the system is totally messed up.
we found out the hard way that Veritas Backup Exec installs the Microsoft Desktop Engine which is vulnerable to the Slammer worm. I'd like to thank them very much.
Sidebar from an article on Slammer in the Feb.3, 2003 issue, page 12:
... it's only with Service Pack 3 that it became easy to install".
"...many IT departments did not install the initial patch because installation could not be scripted. Instead, DBAs were required to manually stop each instance of the software running in their organizations, rename or remove some files, and paste the patch files into each instance
~REZ~ #43301. Who'd fake being me anyway?
Gates: we have been forced by international pressure to ensure that all supported software is up to date and all unsupported software is deactivated. All of your servers are belong to us.
I buy a car. It has defective seatbelts. Ford recalls the car, but I don't take mine in to get it fixed.
6 months later, can I sue them if the seatbelt fails?
Interesting how the lawyers will field this one. It will probably come down to how accessible Microsoft makes its patches.
US laws apply to the rest of the world, not the other way around.
Stupid Koreans better not mess with the USA or GW will bomb them. Oh wait, that's S. Korea. Damn!
Microsoft has:
- Sold leaky software for some time
- Achieved near-total dominance
- Denied its security problems
- Made products that only work with its leaky OS
It is perhaps a poor precedent to allow lawsuits for this sort of thing, but in a case where all of the above are true, it seems legitimate.
Just say No.
I'm sure a few thousand mostly African-American Floridians will have some problems dismissing the fact that their incredibly important vote was prevented from being made. Losing one's voting right for no good reason is not a trivial thing. I'm not talking about pregnant and hanging chads here--more people lost their right to vote in Florida in 2000 than the number of votes difference between Bush and Gore. Since the Democrats don't seem to be concerned with the matter, and the Republicans benefit from pushing the issue aside, these voters have no major political party to turn to for getting off those scrub lists and regaining their right to vote. A lot of the people on those scrub lists were believed to be Democratic Party voters too.
The same company that prevented these thousands of (disproportionately African-American) voters from voting in Florida in 2000 (a Choicepoint subsidiary called Database Technologies) stands to be paid millions of dollars by the Bush administration to collect detailed personal information on the populations of foreign countries.
If this is the first time you've heard of these would-be voters, consider reading "The Best Democracy Money Can Buy" by Greg Palast, an American investigative reporter for the BBC who broke the story that was largely ignored by American popular media (and appears to be treated as somehow trivial today).
So, no, I won't forget about it and I won't push it aside as some historical footnote. The U.S. Presidential election of 2000 was not as simple as pushing the election decision to a handful of U.S. Supreme Court judges.
Digital Citizen
An insane heavily armed brother living in the upstairs flat who is currently playing chicken with the Tactical Armed Response Group who are camped in the living room. A bunch of neighbours who stole their house once and might have another go. An uncertain job in a dying industry.
Their only bright spot is they have Broadband. And an obsession with lan games that has led to some playing themselves to death. Then MS lets Slammer close down the Korean system.
It's a wonder they haven't f**king invaded Redmond let alone sue.
You say the car manufacturer isn't liable if you send your car into a tree leading to catastrophic failure.
But what happens when someone else sends a tree into your car leading to catastrophic failure AND exploiting the design of your car to send trees into your neighbors' cars, some having the same design exploitability?
A car with a faulty lock and a canopy roof that can be used as a makeshift catapult is rather suspect, even if you tell the car owners how to use a welding iron to fix it and offer free single use welding torches to the affected owners.
Someone set us up the bomb, so shine we are!
I don't think it's called rape if the victim clicks "Agree".
There are four industries that I can think of offhand that are not directly responsible for the quality of their products: books, art, music, and movies. However, those industries do not claim to serve any purpose at all, so they're really beside the point.
Certainly until this comes to court (wherever), it will be pretty hard to tell what this really is about. However, in looking at the PSPD web page about this lawsuit, it appears to me as if it is claiming damage to all Korean Internet users caused by the MS bug (hard to dispute), and the crux of the question the court will have to decide is whether MS was negligent in allowing the bug to be released. The claim is that by negligently allowing the bug to escape Redmond in the first place, MS shares responsibility in the consequential damages that ensued.
All these comments about EULA, and whether a product was purchased, and you get what you pay for, and Open Software has no warranty, etc. are not relevant.
If MS released software into the wild which caused widespread actual loss to Internet-connected systems and their owners, whether or not those owners were MS customers, then is MS liable for those damages?
Starts to sound like going after the author of a virus/worm. The boundary between the actual virus/worm which exploits a security flaw and the ubiquitous system which contains the flaw gets very fuzzy in the eyes of a lawyer who might be able to prove negligence.
Of course, IANAL (sounds pr0n-like, doesn't it?), but I wonder about ambulance-chasing or its equivalent, and definitely view it with mixed emotions. No matter how much I might side with the plaintiffs in this case.
In theory, practice and theory are the same. In practice, they rarely are.
And it is easy to craft simple software that is perfect. Take something like an FFT algorithm. It is easy to write one with no flaws of any kind, that'll do its job perfectly. However, take a whole computer, with OS, drivers, and software, all written by different people, all interacting and you will have problems. What's more you have to deal with the element of improper use. Exploits like the slammer worm are a misuse of the software. It was sending data to the SQL server in a non-standard, unapproved, and non-useful way. This caused undesired behaviour.
Sorry, but when you take all that, it is basically impossible to design a perfect complex system, software or not. I mean, take a car, something which is rather less complex, more mature, more expensive, and better understood than a computer. Even when used as intended, problems crop up from time to time (hence safety recalls).
However when used not as intended, you can have catastrophic results. Cars were not intended to be impacted into other objects, especially at high speeds. Car makers realise that this is something that may happen, so they try to design to help, but it still doesn't do much. If you run your car into another car at, say, 80mph headon, you will disable both cars beyond the point of repair and most likely kill everyone involved, especially if you neglect to use your seatbelts.
This is a known fault, and there even are some ways to help prevent it from being as problematic. A race car cockpit and associated safety harness, for example, will have a much better chance of keeping an occupant alive at those speeds. However it is impractical for many reasons and so not used.
Now compare this to the SQL worm. This was an unknown problem with the design, only discovered later. It could only be caused by unintended and unadvised operation, hence it not being initially known. When it was discovered, a patch was released that completely eliminated the problem. Also, the problem could, and should, have been made totally null by using an additional safety device, a firewall. Finally, the result of it was just network and system downtime, not injury or death.
Given how complex computers are, I don't see this as being a problem of the software companies. They wrote software, tested it and believed it to operate properly, and fixed it when a problem from unintended operation was discovered.
Let's drive them out of business by suing them to bankruptcy!
Sorry if this has been posted already and I have missed it. It seems to me though that very few have addressed the fact that outbreaks like slammer affect the whole net and not just those who "pays their money and take their choices" with M$. ie. as a direct result of an M$ vulnerability my company loses money even though I have no M$ product and hence no recourse to them.... Maybe I blame the sloppy, clueless paper MSCE's? Maybe I blame M$? I lean towards the former but it's an interesting question, no? Who do we have recourse to when something like this happens? Do M$ have an obligation to be better net citizens or do the admins/users? We already know that those who choose to use M$ are not that savvy. And we already know that M$ is making money hand over fist... You tell me!
They'd probably get a tax break for it too, so in a round about way, it will all be thanks to the American public. :)
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
The parent post was irrelevant and absurd. With that in mind, I will make a contribution of similar value.
It is official; Netcraft confirms: Stephen King is dying
One more crippling bombshell hit the already beleaguered Beowulf Cluster community when IDC confirmed that Stephen King's market share has dropped yet again, now down to less than a fraction of 1 percent of all Hot Grits sold. Coming on the heels of a recent Netcraft survey which plainly states that Stephen King has lost more market share, this news serves to reinforce what we've known all along. Stephen King is collapsing in complete disarray, as fittingly exemplified by failing dead last [samag.com] in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin [amdest.com] to predict Stephen King's future. The hand writing is on the wall: Stephen King faces a bleak future. In fact there won't be any future at all for Stephen King because Stephen King is dying. Things are looking very bad for Stephen King. As many of us are already aware, Stephen King continues to lose market share. Red ink flows like a river of blood.
FreeStephen King is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeStephen King developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeStephen King is dying.
Let's keep to the facts and look at the numbers.
Natalie Portman leader Theo states that there are 7000 users of Natalie Portman. How many users of In Soviet Russia are there? Let's see. The number of Natalie Portman versus In Soviet Russia posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 In Soviet Russia users. 1. 2.??? 3. Profit! posts on Usenet are about half of the volume of In Soviet Russia posts. Therefore there are about 700 users of 1. 2.??? 3. Profit!. A recent article put FreeStephen King at about 80 percent of the Stephen King market. Therefore there are (7000+1400+700)*4 = 36400 FreeStephen King users. This is consistent with the number of FreeStephen King Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeStephen King went out of business and was taken over by Waggly Cocks who sell another troubled OS. Now Waggly Cocks is also dead, its corpse turned over to yet another charnel house.
All major surveys show that Stephen King has steadily declined in market share. Stephen King is very sick and his long term survival prospects are very dim. If Stephen King is to survive at all it will be among OS dilettante dabblers. Stephen King continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, Stephen King is dead.
Fact: Stephen King is dying
Hear, hear!
That is a link to a disturbing site called goatse.cx that has a picture of a man holding his anus open with his hands. It is terrible. You should mod the parent comment down for linking to such an inappropriate site.
If you put an SQL server on the internet, open for the world to see, you deserve what you get.
If you put a windows box on the internet, even more so (not that the system is terribly insecure in theory, but it's difficult to keep secure and there are *very* few competent administrators out there that can do it).
A windows box with MS SQL server, on the net, open for the world - what did they expect?!?
Sue the fuckers! When I take over, people like that will be toiling in the uranium mines (along with a few other selected individuals).
The SQL Slammer vulnerability had been patched for MONTHS prior to the appearance of Slammer....how the hell is MS liable for the sysadmins not having the freaking brains to patch their software? I give this the finger.
Right now the "no warranty" clause in Microsoft's EULA protects them. But this is outrageous. They are SELLING a product and make many advertising claims about how great it is. The law needs to be changed so that when you sell closed-source software, you are required to warrant your product regardless of the EULA.
The real problem with many large software companies is that they use the business laws of a forum (read: country or U.S. state) to profit by selling ("licensing," if you must) products and services. Then, they write contracts ("EULAS," actually) denying any recourse against them for any reason whatsoever by customers under the laws of the forum that were written by the people in the forum to protect themselves from sharp, negligent, or fraudulent business practices.
Most often, the terms of these contracts or EULAs are only visible once the customer has paid the full price of the sale and has broken the shrink wrap and inserted the disk into the machine. Other times, when a product is defective, onerous terms have to be agreed to merely to fix the problem, which consumers cannot fix for themselves, because the source code is hidden and consumers are forbidden under terms of the original EULA to reverse engineer the product. Thus, a software publisher who releases a defective product has the power to impose additional defenses against its customers merely because it is the only source from which customers can obtain fixes for the defect. It seems very wrong to reward such companies with this power for having released a defective product that no one else can fix.
If you read some EULAs from some of the biggest software companies, you will find that they disclaim, among other things, even the warranty of noninfringement.
In my view, it should be illegal for a company that profits from its presence in a forum to write its own laws (EULAs) completely immunizing itself from any recourse within that forum for its negligence, particularly when the EULAs are sprung on consumers after they purchase the product, or as a condition of that company fixing the product, especially when that company has a monopoly or near monopoly in the marketplace, or when essentially an entire industry imposes similar laws on the marketplace.
Open source products often are distributed for free, and/or allow anyone to fix the product. Thus, in my opinion, they should be allowed far greater leeway in disclaiming warranties than closed-source, commercial products. But this greater leeway should not extend to companies that merely allow people under nondisclosure agreements to examine their mass-marketed software without the power to make or tell others about necessary changes.
my salary will go up since people might sue me for mal-practice like a doctor if I screw up? :)
That's a scary thought though, that I could be liable for any bad code I write... er I mean, this would have no effect on me because I'm a genius and never make a mistake.
-1 If you are as puzzled as you appear to be, stop pretending to lead.
"One World, One Web, One Program." -- Advertisement for Internet Explorer.
"Ein Volk, Ein Reich, Ein Fuehrer." -- Adolf Hitler.
As much as we all like to harp on Microsoft and how much their software sucks and what not, this kind of lawsuit sets a terrible precedent.
Sure, I realize that GPL'd software typically says the software is distributed as is with no warranty or guarantee... blah blah blah.
However, having written some GPL'd software myself I have to ask the question, how am I going to pay to defend myself if I get sued next? The answer is simple, I can't.
We all know that lawsuits, no matter how ridiculous, can crush the little guys. If Microsoft loses this lawsuit then it just makes it more likely others will be sued for similar types of things.
People have to realize software has bugs. Not just Windows, but all software. I think it is perfectly reasonable to expect a fix for a bug or security hole in a timely manner. I have to say, as far as I know Microsoft acted in a timely manner with regards to this situation.
Of course I agree Microsoft should take security into mind earlier in the design process but I don't think they are sitting there in Redmond making software they know is going to be riddled with security holes and bugs. It really is unfortunate that the average consumer would rather buy an operating system because it has semi-transparent windows and a large collection of available 3D games than a solid security record. Which of course means that we who care about things like that get hung out to dry because we make up the minority of the userbase.
So anyway, for once I hope Microsoft actually wins a lawsuit so that perhaps we don't have to deal with such ridiculous lawsuits here in the open source community in the future.
..can run you over with...
IIS runs only 25% (and sinking) of webservers, yet ALL mass-infections so far hit it and none Apache which runs over 60%.
I don't know where you got that idea. There have been two MAJOR Apache worms in the past year.
I've also heard these signs referred to as "dust in the eye" (I can't find a link, though). Signs such as "management not responsible for theft or damage" are not binding but at the same time posting such a message is not illegal, either.
Well, hey, I didn't spend all those years playing Dungeons and Dragons and not learn a little something about courage.
The problem will be that this lawsuit is prohibited by MS's EULA. If the company was using Windows and MS SQLserver they accepted that agreement, if they didn't accept the agreement they either weren't using said software or were using it illegally (w/o accepting the EULA). This lawsuit is dead in the water!
OVER 20% of the World's population live there.
Have you done any research whatsoever on piracy rates in SOUTH Korea (NOT North which is NOT allowed by US law to even have most US software)?
So don't go comparing the Korean market to the Vietnamese. A friendly reply from your friend the aN0NYm0u5 K0wARD!
The lawsuit is not even close to dead:
There is a chance that the EULA could be treated like a waiver. In US courts all waivers of responsibility are seen as an attempt to avoid liability. Every lawyer says to use them and not one has ever stood up in court. They intimidate some people into not filing a suit but have no value if challenged.
Professional Politicians are not the solution, they ARE the problem.
OK, the patch was a bit of a pain to install. So, let's say after review it was found that patching wasn't worth the downtime.
How bout them firewalls? If your MS SQL server has to talk to others over the internet, how bout restricting that port to certain IPs?
-- taking over the world, we are.
is just another example of the company trying to create a meme that is misleading
Do you realize how paranoid and conspiracy theorist that sounds? If you worked with SQL Server all the time, or read about it much, then it's very convenient to not say "SQL Server {2000}" anytime you want to refer to it. Folks don't use "GNU/Linux", or "Red Hat Linux 8.0", or "Microsoft Windows XP Professional"--they say "Linux", "Red Hat" and "Windows". Linguistically, it's perfectly natural.
There's also something to be said for what's necessary to successfully implement a patch in a corporate environment anyway. As a recent discussion about an update in Office 2k mentioned, the sysadmin also wouldn't be doing their job if they simply deployed an untested patch into a live environ. While it's true the patch was out for some time beforehand, how many other patches, also "critical" were made available at about that time and since, and what criteria should one use to decide which ones go on the top of the "critical" list for immediate deployment and which "critical" patches can afford to wait a while, due to monetary, manpower and time constraints?
Buy the President
Parts of Asia aren't exactly known for following licensing agreements.
Could one of the reasons they didn't do the upgrades be the fear that the Service Pack would detect a pirated version?
Which would you be more afraid of: MS shutting you down, or a possible security problem? One company wouldn't think anything of it. Get a whole bunch of these "Not Me's" companies and then you've got a big problem.
From the sounds of it, the Slammer / Sapphire Worm was a combination of flukes that caused it to grow as fast as it did, 2 orders of magnitude faster than Code Red. Very interesting reading... http://www.cs.berkeley.edu/~nweaver/sapphire/
You're dead wrong. Bush won the election fair and square.
LOL. Wow, that's pretty funny. Actually, my friend, it's you who is dead wrong. Bush did not win the election fair and square. Bush purchased the election. And when that almost failed to get him elected, he had his daddy give the Supreme Court a call and made them stop the recount that would've proved Al Gore the winner. Make no mistake. Gore won the popular vote, and if it weren't for a bad case of corruption in Florida, thanks to GW's brother Jeb, he would've won the electoral vote too.
... you did not become a doctor, a pilot, or a civil engineer.
Software companies (and programmers) want to provide software as a reliable tool without the responsibility that comes with assuming so.
IANAL but write like a drunk one.
How many times do you need to hear that later patches reopened the vulnerability and that MS's patching system is too onerous on System Administrators (their work is not to keep track of the bizarre patterns of MS patch releases)?
IANAL but write like a drunk one.
... later patches reopened the vulnerability.
And it has been documented widely enough the nightmare that it can become to install some MS patches (hint, SAs have work to do besides patching buggy products).
IANAL but write like a drunk one.
Why does hardware have to be super-hardened for military use, and, then, they go and install Windows?!?
Maybe because the market is not swallowing the MS marketing pitch anymore and it's one of the last ways to force a purchase.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Because Chairman Bill is a controlling shareholder
I have seen the Register article before but had trouble believing it. It's such a blatant conflict of interest. Do lives not matter anymore? Does Bill Gates not know where to draw the line in his conquest?
Healthcare article at Kuro5hin
Depends on who they are and whose stocks they pump. Fire up a Bloomberg search for top officers in Worldcom, Enron, Microsoft, and other big rollers if you really want to lose all faith.
Are you suggesting that if M$ loses, they and other software companies would have to slow down their development cycle in order to test, test, test, then release a *perfect* product that does what you are led to believe that it does without breaking? That's just pure nonsense. Why the hell would anyone want that?
I'll grant some credit for this, but not a lot. It was improper of me to leave out the Hispanic would-be voters, and for that I apologize. I can't independently verify whether Choicepoint has received money or not, but I believe it is likely they will get more business for the stated research. However these objections leave aside a major issue--the 2000 U.S. Presidential election left out more voters than there was difference in votes between the two leading candidates. Is anyone working on reinstating the voting rights of the people who were disenfranchised? Democrats and Republicans both have the media's attention right now. They could draw national attention to this, but are they working on fixing this? I'd hate for registered legal voters to be kept out of the polls.
This objection perpetuates a myth in reporting that isn't often discussed--the idea that you can "just report the facts". Since I made it easy for you to read the sources I referred to, I am obviously encouraging you to do so. I am not at all discouraging you from determining your own take on the matter. Finally, perhaps you don't know this, but Slashdot makes it easy for anonymous posts to be overlooked. Your input is likely to be read more if you post under an account name. Thanks for your input, but your tone is uncalled for.
Digital Citizen
The "irony" was that the one that Gore won was based on the criteria that the Bush campaign was pushing at the time.
It's all completely and utterly irrelevant.
The margin of victory was too far inside the margin of error. Why would Gore winning by 12 votes be more credible than Bush winning by 100? (If anything a smaller margin for a Gore victory would be even less credible as you're even deeper into the statistical noise zone.)
Florida was merely the final result of an election where frankly neither candidate did much to enthuse the populace.
Final note: we wouldn't have even had to have worried about Florida if Gore could have even carried his home state. (Personally I found the fact that more people in CT voted for Lieberman than for Gore/Lieberman to be very illustrative of the Gore campaign.)
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.