Slashdot Mirror


Microsoft Sued for Defective Software

Door-opening Fascist writes "eWeek is reporting that a South Korean citizen action group, People's Solidarity for Participatory Democracy, is suing Microsoft for putting the SQL Slammer vulnerability into Windows. They are doing so on behalf of the South Korean people and businesses affected by SQL Slammer."

43 of 606 comments

  1. Somewhere in Redmond... by Scoria · Score: 4, Funny

    Gates: Ballmer, loyal comrade, I've an assignment for you.
    Ballmer: Yes, master?
    Gates: Say, how much would it cost to purchase the country of South Korea?

    --
    Do you like German cars?
    1. Re:Somewhere in Redmond... by int2str · Score: 5, Funny

      You mean:

      Gates: Ballmer, loyal comrade, I've an assignment for you.
      Ballmer: Yes, master?
      Gates: Tell GW, South Korea needs to be "liberated", too! ;)

    2. Re:Somewhere in Redmond... by Troll_Kamikaze · Score: 5, Funny

      Ballmer: Well, Bill, looks like it would be more cost effective to just pay North Korea to "get rid of the problem". If you see what I mean...

  2. "Putting" the vuln in? by mrseigen · Score: 4, Funny
    is suing Microsoft for putting the SQL Slammer vulnerability into Windows

    Conspiracy theories inside, who actually intends to put a vulnerability into a product? Perhaps this should be "not fixing the vulnerability" or potentially even "ignoring the problem". I don't think any of Microsoft's programmers intentionally insert bugs into their shipping products... although... nah, it couldn't be.
    1. Re:"Putting" the vuln in? by aliens · Score: 5, Interesting

      I don't believe they ignored the problem or didn't fix it. IIRC they had a patch out 6 months beforehand.

      You want to sue someone, sue the sysadmins who
      A) Didn't patch
      B) Left MS SQL right out on the open internet
      C) In short didn't do their jobs.

      If you're running MS products it might not be by choice, but there is no excuse for not being aware of patches and the state of your firewall. They were all probably too busy rebooting Windows desktops to have time, but still.

      --
      -- taking over the world, we are.
  3. Maybe... by Bendy Chief · Score: 4, Insightful
    Maybe those people and businesses affected by Slammer should have gotten their lazy asses in gear and patched and/or firewalled like all the half-decent sysadmins in the world. Great idea, guys, run a SQL server connected to the net.

    I hope the Judge kicks these people through the goalposts of life.

    1. Re:Maybe... by darkov · Score: 4, Insightful

      That's right, Microsoft's defects are our problem, we should get our lazy arses into gear because we haven't got anything better to do than evaluate, install, test and support Microsoft's constant patches. God forbid that we spend any time on what we actually bought the software for, running our business or whatever. Let's all just be extensions of Microsoft's flawed development strategy: we're all testers!

      It seems life's already kicked you or your brain through the goalposts.

  4. Nuke The B******s! by wfberg · Score: 5, Funny

    Ow wait, South-Korea.. Those are the good guys, right? Dagnammit!

    --
    SCO employee? Check out the bounty
  5. What they'll be told: by Wakko Warner · Score: 5, Interesting

    Shut up and patch your systems like the rest of the planet.

    Software isn't a physical thing so it's impossible to make it bug-free.

    You knew about this vulnerability for months, there was a patch for it, and you did nothing about it.

    Pick a defense, any defense...

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    1. Re:What they'll be told: by Mr Bill · Score: 4, Interesting

      I don't think they are complaining about their own systems being compromised, but the network effects of thousands of other computers grinding parts of the internet to a halt.

      My mail server runs on Linux, but it was unavailable for at least 30 minutes because of the Slammer worm. Not because it was vulnerable, but because of all the idiots dumb enough to put SQL server on an open network...

    2. Re:What they'll be told: by Otter · Score: 4, Insightful

      ...and if they do win, there are two possible outcomes:

      1) It's the end of software sales in South Korea. That means Red Hat and FreeBSD, too.

      2) Lawyers come up with some new way to avoid liability. EULAs become more convoluted and "ownership" of software becomes even more tenuous.

      No idea how a case like this would be tried in the Korean system, but that's a lot of damage a witless or simply anti-American jury could do to a major technology power.

  6. Read before you file by Zebra_X · Score: 5, Insightful

    Clearly they haven't read their software agreements. It specifically states that MS is not responsible for damage caused as a result of their products. A better chance to prosecute MS would have been during the Code Red incident. One might have argued that not being proactive enough about patching constituted "negligence" on their part. I guess it can't hurt to try!

    1. Re:Read before you file by Skater · Score: 4, Informative

      Ever go to a hospital? They make you sign something that says you won't sue them if they mess up. So why are there plenty of medical malpractice lawsuits?

      Because clauses like that are "exculpatory" (if I remember the term from my "legal environment" class correctly). They have no meaning, other than to scare the uninformed. As our instructor put it (a lawyer, mind you): "If things like that worked, I'd have a big sign on my car that said, 'Not responsible if I hit you.'"

      --RJ

  7. Re:BAH by setag · Score: 4, Funny
    MS is worth more than South Korea as a whole

    fuck them!

    Wow. Your logic is flawless.

    In other news MS is worth more than Ty(15982) ...

  8. Like by NetMasta10bt · Score: 5, Funny

    They actually bought Windows in the first place!!

  9. Microsoft fixed the problem before it happened by Dishwasha · Score: 4, Interesting

    Let it be noted that Microsoft already had SQL SP3 out which fixed the problem before it ever occurred. PSPD should try using a vulnerability that could actually hold water in court like Code Red or its derivative, or any other Word ActiveX open-execution macro vulnerability.

  10. Re:bad news for opensource by Malcontent · Score: 5, Interesting

    Opponents of open source frequently argue that proprietary products are better than open source because "you can sue somebody".

    Here somebody is suing MS. Let's see how that works out.

    --

    War is necrophilia.

  11. lemme get this straight... by anotherone · Score: 4, Insightful

    They're suing MS, because their (South Korea's) tech people suck? Correct me if I'm wrong but I'm pretty sure that MS had a patch out for the slammer months before the outbreak... it's their own fault if they can't keep their servers updated.

    --
    Username taken, please choose another one.
    1. Re:lemme get this straight... by kiwikasper · Score: 5, Interesting

      Actually, even though Microsoft had a patch available for the SQL vulnerability months before Slammer hit, a subsequent patch re-opened the vulnerability. Maybe their techs did all the patches when they were released.

  12. Re:Silly lawsuit by Anonymous Coward · Score: 5, Insightful

    First, this is not good if he wins, because someone could sue a GPL author for the same kind of deal.

    How so? Last I checked, people who released software under the GPL didn't spend millions on advertising that claims said software is secure and reliable.

    Plus, GPLed software has the source publicly available, so the argument could be made that reviewing the code before deploying it would comprise 'due diligence' on the part of anyone who wished to use that software, and that if someone didn't do that, it's negligence on their part.

    With Microsoft, you can't take a look at their code, you just have to take them at their word (HAH!) when they say how good it is.

  13. Re:Silly lawsuit by Bill Currie · Score: 4, Insightful

    Either you're trolling, being sarcastic or just plain haven't noticed the NO WARRANTY blurb in the MS EULA. The only software I know of that had a warranty was some telco software I worked on a part of in my previous job and it was done on a contract basis (I'm sure there are other examples).

    --

    Bill - aka taniwha
    --
    Leave others their otherness. -- Aratak

  14. Wouldn't be the first time. by death to hanzosan · Score: 5, Insightful

    Google: AARD:

    A Serious Message and the Code That Produced It.

    Microsoft included a bug in the Win 3.1 Beta that caused Dr. DOS users to crash.

    Unsurprisingly the makers of Dr. DOS lost their jobs, like many other victims of malicious code.

  15. slammer by Twillerror · Score: 5, Insightful

    Hard sell for the exploit that caused slammer. Maybe other exploits/bugs.

    SQL has a pretty good record for security. The exploit had also been patched before the worm.

    The exploit was not put in on "purpose". I guess it could have been, but that is pretty hard to believe.

    The virus spread fast, but only because there are not a million SQL servers out there exposed. So it spread across the web fast, big deal.

    Furthermore good administration (especially for a db server), i.e. a good firewall, could have blocked it. There is the desktop engine that could have been hit, but most apps that use it are still in the server category.

    The exploit itself is not a defect. Sure it could be used by an attacker, but in itself it didn't make the software defective. This could spawn a big argument. Is an exploit that would never actually impede a program unless someone uses it really a bug?

    Code Red was a buffer overrun in an ISAPI .DLL. Even though no one ever used the .DLLs in question (I think it was .hda, .hdq files) they could have been. You could argue that someone could have written a program that used too long a URL and crashed IIS. The slammer was using a port in a way it was never intended to be used.

    I agree that companies should be held accountable, but intent and the way a company handles the defect also.

    MS essentially called a recall by issuing the patch. It said, send in the part and we'll fix it, but in a more modern approach. How can you sue a company that found the exploit and offered a free fix?

  16. The obvious answer by WndrBr3d · Score: 5, Funny

    Obviously they haven't read Microsoft's EULA for SQL Server 2000 which simply states:

    Owned.

  17. Re:GPL = no warranty by The Turd Report · Score: 5, Interesting

    Except MS has the same wording in their license.

  18. IANAKL by Biff Stu · Score: 4, Interesting

    (I am not a Korean lawyer)

    Does anybody know if the click-through license is worth a rat's ass in Korea? Does Korean law give the plaintiffs an edge that they wouldn't have in the US? Any Korean lawyers out there?

  19. Re:Precedent? by Realistic_Dragon · Score: 5, Insightful

    In case you didn't notice, free software (being free and supplied at no charge) carries no warranty, expressed or implied.

    This is all fine because they made no representation to you about what it could do. They never made any claims that it was fit for purpose.

    Sure - Mandrake, RedHat et al might be in trouble, but open source software and especially the writers are legally in the clear.

    Personally I believe that if someone implements OpenSSL badly _in a way that I cannot check_ and requires me to trust my data to them then they _should_ be liable for damages. (So this would cover, say, implementations of SSL where the host was cracked or traffic sniffed at a later point where it was in plain text, or the key was compromised.) However, this is not the fault of the OpenSSL developers, and so they should not be liable.

    In contrast to this Slammer was caused (in part) by Microsoft making it very hard to install a critical security fix, and not properly notifying people of the problem (in their usual 'security fix language' it was described as a minor issue), when part of their responsibility in selling you SQL server was making it secure. Thus they should be at least partly responsible for the damages.

    --
    Beep beep.
  20. In other news... by JackMonkey · Score: 5, Funny

    Following Microsoft's audit of South Korea, North Korea has agreed to dismantle its nuclear program, fearing repercussions.

  21. Re:Duh by .com b4 .storm · Score: 4, Insightful

    So you'd also like to hear "Your Pinto exploded? Too bad, you shouldn't have gotten rear-ended."

    No automobile company would get away with selling products as defective as most commercial software. Why should the software industry be immune from product liability?

    Well in this case, "you shouldn't have gotten rear-ended" is not a good analogy. A better analogy would be the front door on your house. If you leave it unlocked, well that's pretty stupid. It's not the lock manufacturer's fault you didn't lock it. Similarly, if you don't patch a server for a vulnerability that's been known for months, it's not the software developer's fault.

    This isn't to say Microsoft software is inherently secure or better or blah blah blah. Don't take it that way. But in this case, it is the fault of the sys admins for not patching their damn systems. Or for that matter, running SQL servers accessible by the public internet. There's a difference between getting rear-ended, and backing out into traffic without looking first. If you don't take adequate precautions, you (at the very least) share the burden of guilt for what happens.

    --
    "Wow, you're like some kind of superhero able to ward off happiness and success at every turn."
    -- Ryan Stiles
  22. Re:let 's put things in perspective ... by Cheffo Jeffo · Score: 4, Insightful

    But, you're missing the more important point, this suit has NOTHING to do with EULAs, except for a bunch of /.rs trying to hammer home a (valid) point by squinting until they see an opening that fits their needs.

    Consider the reasons why Slammer was such a problem:

    - there was a bug in SS2K
    - exploit used a stateless connection (UDP)
    - the state of Internet border security is "allow everything but ..."
    - admins didn't apply a patch that had been available for 6 MONTHS (more than enough time to test)
    - admins don't properly protect their servers

    Of these, only the first is Microsoft's fault and they are the only ones who fixed their contribution to the problem proactively.

    But, since Microsoft has deep pockets and geeks hate them, let's sue them ...

    Time to grab some perspective -- patch and defend your fucking systems, people !!!

    Cheers,

    JAKD
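
    One defensive reading of the list above (a stateless UDP exploit, an "allow everything but ..." border, and many exposed servers) is that the thing a border device can still catch, even without connection state to track, is a single host fanning out UDP datagrams to many distinct destinations on one port. The detector below is an added example written for this mirror, not code from any post; the log format and all addresses are constructed, and the window and threshold are arbitrary tuning assumptions.

```python
"""Fan-out detector for UDP worm-style propagation (added example).

A worm spreading over a stateless UDP service sends one datagram each to
many random destinations on the same port. A stateful filter has no
handshake to track, so instead we flag a source that reaches an unusual
number of distinct destinations on one UDP port inside a short window.
Log lines are assumed to be sorted by time: "timestamp proto src dst dport".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # assumption: sliding window length
THRESHOLD = 8                    # assumption: distinct destinations that trigger an alert

# Constructed sample log (not real traffic). 10.0.0.5 fans out on UDP/1434,
# the SQL Server resolution port Slammer used; 10.0.0.8 is a normal client
# hammering one server; 10.0.0.9 is a host talking to two DNS resolvers.
SAMPLE_LOG = """\
2003-01-25T05:30:00 UDP 10.0.0.9 192.0.2.53 53
2003-01-25T05:30:00 TCP 10.0.0.8 198.51.100.20 1433
2003-01-25T05:30:01 UDP 10.0.0.8 198.51.100.20 1434
2003-01-25T05:30:01 UDP 10.0.0.8 198.51.100.20 1434
2003-01-25T05:30:01 UDP 10.0.0.8 198.51.100.20 1434
2003-01-25T05:30:02 UDP 10.0.0.5 198.51.100.7 1434
2003-01-25T05:30:02 UDP 10.0.0.5 203.0.113.9 1434
2003-01-25T05:30:02 UDP 10.0.0.5 192.0.2.77 1434
2003-01-25T05:30:02 UDP 10.0.0.5 198.51.100.7 1434
2003-01-25T05:30:03 UDP 10.0.0.5 203.0.113.41 1434
2003-01-25T05:30:03 UDP 10.0.0.5 192.0.2.118 1434
2003-01-25T05:30:03 UDP 10.0.0.9 192.0.2.54 53
2003-01-25T05:30:03 UDP 10.0.0.5 198.51.100.200 1434
2003-01-25T05:30:04 UDP 10.0.0.5 203.0.113.150 1434
2003-01-25T05:30:04 UDP 10.0.0.5 192.0.2.9 1434
2003-01-25T05:30:05 UDP 10.0.0.5 198.51.100.33 1434
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, proto, src, dst, dport)."""
    ts, proto, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), proto, src, dst, int(dport)


def detect_fanout(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (src, dport) whose count of distinct destinations
    within `window` reaches `threshold`. Only UDP is considered; repeated
    datagrams to the same destination count once, so a busy client talking
    to a single server never trips the rule."""
    recent = defaultdict(deque)   # (src, dport) -> deque of (ts, dst), time ordered
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, proto, src, dst, dport = parse_line(line)
        if proto != "UDP":
            continue
        key = (src, dport)
        events = recent[key]
        events.append((ts, dst))
        while events and ts - events[0][0] > window:   # expire old datagrams
            events.popleft()
        distinct = {d for _, d in events}
        if len(distinct) >= threshold and key not in alerts:
            alerts[key] = {"src": src, "dport": dport,
                           "first_seen": events[0][0].isoformat(),
                           "distinct_dst": len(distinct)}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_LOG.splitlines()):
        print("UDP fan-out from %(src)s to %(distinct_dst)d hosts on port %(dport)d "
              "(window starting %(first_seen)s)" % alert)
```

On the constructed sample only 10.0.0.5 is reported; the client sending many datagrams to one server and the host using two resolvers stay below the threshold.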

  23. Re:Silly lawsuit by cptgrudge · Score: 5, Insightful
    ...so the argument could be made that reviewing the code before deploying it would comprise 'due diligence' on the part of anyone who wished to use that software, and that if someone didn't do that, it's negligence on their part.

    Just like those admins that didn't patch their boxes didn't exercise "due diligence"? Even though a patch was available for months before? Negligent like them?

    --
    Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
  24. Re:Silly lawsuit by shaitand · Score: 4, Insightful

    I disagree with your statement. If someone wants to sell you a commercial product you SHOULD absolutely be able to hold them liable if their product loses you money.

    If someone gives you something for free it's another story. You sell me your $5000 program, that you only produced once and have now sold 100,000 times, then try to explain to me that I WASN'T supposed to be purchasing something that functioned within reasonable tolerance. Yes I know that's exactly what is done now, but that doesn't mean there shouldn't be consumer protection laws to the contrary.

    There should also be laws against the new conditions in MS EULA that state you cannot share your negative experiences with the software.

    If I install Office, when I click finish my computer explodes, I think I should not only be able to sue Microsoft for being negligent in distributing the software this way, but I believe I should be able to bitch to my neighbors, news stations, tabloids, rant sites, Slashdot or to anyone else I care to.

  25. Re:Silly lawsuit by cptgrudge · Score: 4, Insightful
    No -- the source is available BEFORE the program was installed...

    And the MSSQL patch was available BEFORE the slammer worm hit. I don't see the difference.

    --
    Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
  26. Software Liability by astro · Score: 5, Insightful

    I'll get modded down as redundant, but it needs to be said as many times as possible (and I don't see much of it in this thread [reading @ +1]):

    A legal remedy here would set a really bad precedent - as a software developer who is not unrealistic about my skill level, I am terrified of software liability becoming either law or accepted assumption.

    If MS loses this, I see absolutely no way I could defend myself if, god forbid, a program I wrote or even maintained caused catastrophic data loss, or in worse cases, physical injury.

    Note: Ironically, just *yesterday* I was bitch-slapped, albeit in an odd way, by Slammer: in certain situations, applying one of the hotfixes to SQL server that closes the Slammer vuln. without having SQL Server SP2 installed *completely* horks up SQL Server. The ISP (Rackspace) of a dedicated rack unit I "manage" on contract (client has almost no $$$) installed said hotfix in the process of physical maintenance, so I got a panicked call from my client in NYC that the "server is down". A couple of hours worth of research later, I was fine, but it sucked my afternoon away.

    I hate the stacks of dependent/conflicting patches and service packs, not to mention the damn bugs, but I'd prefer to take the risks on this end than be open to litigation if software I write contains bugs.

    --astro

  27. Nah, like this: by Ballresin · Score: 5, Funny

    Gates: Hey lapdog...get over here!
    Ballmer: Sir, I don't like it when you call me...
    Gates: Shut up lapdog.
    Ballmer: Yes, sir.
    Gates: Buy Korea.
    Ballmer: What's by Korea?
    Gates: No, purchase it.
    Ballmer: Which one?
    Gates: There's more than one?
    Ballmer: North and South.
    Gates: Oh...does it matter? No. Buy both.
    Ballmer: I don't have that kind of money sir.
    Gates: Charge it to the company.
    Ballmer: Yes sir.

    --
    I got nothin'.
  28. no warranty does not matter by danoatvulaw · Score: 5, Informative

    Microsoft's disclaimer of warranty is ineffective on several levels. First, under the UCC, a purchaser has a right to a "perfect tender" - that is, that the purchase perfectly conforms to whatever was purchased purports to be. For example - you could not sell a VCR that only worked 50% of the time when it felt like it, or only on a Wednesday (unless you disclosed that up front and the purchaser agreed in a definite and seasonable expression of assent). Some legislation has proposed to scale this back in the terms of software (UCITA).

    Second, products come with an implied warranty of merchantability and fitness for purpose. It essentially means that they are manufactured correctly and that they will be able to do what it is claimed they do.

    Bottom line is that anyone can claim that there is no warranty that goes along with their product, but some warranties the court will imply and refuse to not enforce, or will enforce other law tantamount to a warranty. The implied warranties above are examples of those that rise above that of contract, that they can be enforced regardless of what is put in the agreement. The agreement may create a presumption that you have waived these rights, but the court could also find that agreement void as unconscionable.

  29. Pre-Installation warning by G27 Radio · Score: 4, Funny

    They should at least have a warning during installation of the software for those who aren't aware. Sort of like the "unplug your computer before installing" warnings that come with hardware. Something like:

    WARNING: Unplug your computer before installing this software. And under no circumstances should you connect it to a network until all the patches have finished downloading and installing.


  30. One more responsible party by Mundocani · Score: 5, Insightful

    Strangely, none of the posts so far have mentioned the author(s) of Slammer as being one of those responsible for this mess. They're certainly harder to find (ok, they'll probably never be found), but shouldn't the culpability be shared with those who exploited the problem? It's not as though the server didn't perform its primary function correctly (storage and retrieval of database records), it's that it had a security vulnerability.

    To borrow the Ford Pinto analogy from previous posts, it seems somewhat like somebody cutting your brake lines and then you suing Ford for making the lines so easily accessible. I think the person who cut the lines is truly responsible.

  31. Re:THIS WILL NOT AFFECT OPEN SOURCE by drunk_as_in_beer · Score: 4, Interesting

    Ok, fine, that's not what I'm worried about. I'm worried about how this will affect the closed source that I develop. You know, the kind that I get paid to write? You mean a customer can now sue me or the company I work for, even though they insisted on having the software completed in an unreasonable amount of time without testing, and put it into production well before it was ready for that? Wonderful.

    --
    --Drunk as in Beer
  32. Re:Silly lawsuit by Guppy06 · Score: 4, Interesting

    "haven't noticed the NO WARRANTY blurb in the MS EULA."

    On the other hand, Microsoft software is "leased (not sold)," which means any damage done was done by Microsoft property.

  33. Re:Silly lawsuit by Anonymous Coward · Score: 4, Insightful
    You forget that www.microsoft.com was caught by slammer (and Nimda and Code Red) because the MS "patches" so often do more damage than good.

    Wrong. MS was caught by the Slammer worm because some developers had installed SQL Server on their workstations and neglected to keep them patched. Seems your memory is the one at fault.

    More importantly the 3 month old MS patch was useless and had caused many complaints which is why MS released a new patch just hours before Slammer struck.

    Wrong. The original patch worked perfectly. Where I work, my department runs two SQL 2000 servers which were patched properly before the virus hit. When we came into work that Monday we were one of the few departments that hadn't been affected by the virus. What MS released right before the virus hit was SP3 for SQL Server 2000 which *contained* the Slammer patch along with several other updates.

    To summarise in simple words:

    To summarise in simpler words:

    1. Bullshit
    2. Bullshit
    3. More bullshit
    4. You are so full of shit
  34. I disagree! by mabhatter654 · Score: 4, Interesting
    How many of you are up-to-date on your recall notices for other stuff? Cars, toasters, appliances, TVs, child car seats, etc...

    Yet if your car was to suddenly veer off the road from a known defect you'd expect the auto company to deal with it! Driving the car down the road doesn't generally cause the wheels to just 'fall off'! That is the issue with MS.

    Maytag repair guys are what, 100,000-to-1 with their installed base? Even doctors are about 100-200-to-1. Yet PCs are supposed to be 10 or 20-to-1 for admins. It's a crock! If any other business system was this terrible, it would be bankrupt in a year! And MS's only answer is that the admin should run around and babysit the system? They offer automated updates, then again blame the admin for not "testing". You all check the gas quality going in your car before you fill up, right? Or you consult medical texts after going to the doctor just to be sure he called your illness right.

    I'm sorry, this stuff should just work. Companies have invested 10 years and billions of dollars into Windows and it still doesn't just work! Billy designed the system so that MS had 'plausible deniability'. After all, they don't make hardware [not their fault], or drivers [not their fault], or systems [OEMs didn't test, not our fault], or software [sure we have secret APIs but not their fault], they pretend to train admins [but not their fault if admin shamans don't dance right], and of course users because they make the computer do "stuff" MS might not have planned! [if MS did plan it, they'd charge more!] They have no technical support without outrageous fees [Linux cost is mostly support--and you can afford to use it!] Well, it's basically like OSS, only it costs more. They offer the same package of benefits!

    That said, I don't think a lawsuit is the way to go either. We're trying to get rid of stupid IP laws, not tie ourselves to them more! If the liability cost of software goes up, then free software will die a horrible death. We're not sophisticated enough to have software "building codes" yet and license "Software Accountants" to set them up. Even then, without 100% control of a system, you just can't have that kind of liability... Then again, maybe that's what MS wants [OK, we know they want it]: total control of the systems and your wallets!

  35. EWeek article on WHY many didn't patch by Reziac · Score: 4, Interesting

    Sidebar from an article on Slammer in the Feb.3, 2003 issue, page 12:

    "...many IT departments did not install the initial patch because installation could not be scripted. Instead, DBAs were required to manually stop each instance of the software running in their organizations, rename or remove some files, and paste the patch files into each instance ... it's only with Service Pack 3 that it became easy to install".

    --
    ~REZ~ #43301. Who'd fake being me anyway?