Slashdot Mirror
Lawsuit Against Microsoft Over Insecure Software
Cinematique writes "Reuters reports that a California-based lawsuit alleges the Redmond software giant produces software with little concern for security and that their products are highly susceptible to, "massive, cascading failures." Should Microsoft's software be treated any differently than, say, automobiles?"
...no one gets killed when Dr. Watson pops up and you have to restart Word. When your tire explodes and you flip and burn, well...let's just say it seems more severe.
(Besides, I think almost no one here would enjoy being held accountable for all the bugs they've written over the years...)
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
Perhaps an "incentive" could be established for commercial software manufacturers to not throw in that horrid clause in their EULAs disclaiming all liability.
Hopefully the decision will be intelligent enough to exclude free, take-it-as-it-is software.
Use ISO 8601 dates [YYYY-MM-DD]
Besides, every time I see an exploit, it's after Microsoft has already issued a patch. This would seem to suggest that they aren't as responsible for the problems as many seem to think they are; as soon as they're aware of an issue, they fix it. Maybe they could design the stuff secure out of the box, but they'd be the first manufacturer to accomplish such a feat.
Stop using it if it's a problem. There are alternatives now.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
...someone finally grew enough testicles to stand up and bring this problem to the courts. I sadly predict it will be swiftly quashed, however.
What are the costs to the user when software vendors are held to the same reliability standards as auto makers?
Should there be differentiation between operating system stability and application stability?
What responsibility does the user have for securing their own property?
How will different countries answer these questions, and what is the implication for US software vendors if there are 80 separate standards of culpability for an operating system?
And since I should have at least one answer, the speed of light is slower in materials with a higher index of refraction.
Should Microsoft's software be treated any differently than, say, automobiles?
Que all the "If your car was designed by Microsoft" jokes. It would crash every day, you wouldn't be able to open the hood, blah blah blah, shut up people.
Seriously though, I think that not just Microsoft, but all "critical" level systems should be held accountable. Obviously machinery for hospitals are held accountable - if an XRay machine overdoses a patient with radiation and kills them you better believe the manufacturer is in deep shit.
Obviously games/etc don't have much at steak, but any product that is intended to have people depend on it (an Operating System, or a rendering package used in Hollywood, etc) should be aware of the dependency its costomers have on it, and yes - it should be held accountable if infact it causes the customers conciderable financial (or health, or whatever) damage.
no comment
If you wish for them to be held liable, remember it's only fair that Apple, or even Linus be held liable as well when Linux or OSX get's hacked (and don't even mention that it could never happen - it already has, many times). Anything else would be hyposcrisy.
With the horrible network congestion and system compromisation that has come with the recent rash of massive MS worms, you do not have to have agreed to a EULA in order to be harmed by Microsoft's poor design and blatant disregard for security.
In other words: it has reached the point where even people who are not Microsoft product users are harmed by Microsoft's irresponsibility. The messes created by the holes in MS products make EVERYONE a possible target for collateral damage.
Car manufacturers must make their cars safe because there are already laws in place that apply to everyone. You can't all of a sudden decide to pick on one companies' product. They are not breaking any existing regulations, and so they shouldn't be held liable. Moreover, they could certainly claim that they did not intend for their product to be insecure, so they had no malicious intent. Lastly, they can always play the end-user license card.
No matter what the EULA, or any warranty, expressed or implied states, the only proof needed to hold sofware makers responsible for their creations is to prove that the software was vulnerable due to negligence on the manufacturers part. There are many states and possibly even US law that dictates that you cannot disclaim responsibility due to negligence...
Oh yeah.. AIANAL...
Fire in the hands of the village idiot is no tool, but a weapon of mass destruction
If you get food-poisoned in restaurant, you may go ahead and demand compensation.
If you eat, what you cooked, whose fault is it, when you get upset stomach?
Here in Australia we take things into account like the price of the goods and the purpose for which they were intended. You're not, for example, going to have much luck suing someone over those $2 scissors you were using to conduct major surgery, but you may succeed with the $200 surgical variety.
Now if MS were happy charging a reasonable (given the price of hardware, say, $100 - 10% of a machine's value rather than $1500 and 150%!) price for their software, and weren't running around trying to force their way into everything with a processor then they'd probably be safer from such claims than they are now.
"The problem is : if Microsoft is judged responsible, what would happen to others in the same situation ? Especially to free software ?"
I'm glad somebody else finally said this.
There are a few simple things to consider:
- Software is written by error-prone humans.
- Software is maliciously used by people who concoct creative ideas.
- Linux may be more secure by default, but it's still a human error away from having the same type of problem hit it.
I'll tell you all something, if I'd be scared shitless about releasing an app on the web if it turned out I could be responsible for somebody else being a bastard with it.
"Derp de derp."
It'd be interesting to know whether that was a buffer overflow in Outlook that was patched, or if it's a new problem. I remember a couple of patches addressing issues with the preview pane, but Valve are the kind of smart guys who could probably identify new problems.
Anyway, that said, regarding suing Microsoft for security issues; it all comes down to user negligence at the end of the day. If a car company issues a recall for a fuel pump issue, and your car explodes due to a faulty fuel pump, that's your fault.
Same with Windows; if you don't patch the holes, then that's user negligence too and people can't say they weren't told. You could argue that you didn't know I guess - the units of cars shifed and the dealer networks mean that car recalls can be done pretty much 100% of the time, but software is a nascent industry and you can't catch all copies of Windows shipped and remind all users.
From the article: "Microsoft's eclipsing dominance in desktop software has created a global security risk," the lawsuit filed in Los Angeles said. "As a result of Microsoft's concerted effort to strengthen and expand its monopolies by tightly integrating applications with its operating system ... the world's computer networks are now susceptible to massive, cascading failure."
I think the above statement is pretty interesting. What it says (to me) is that the issue isn't that there are bugs or security problems with Microsoft products, nor is the issue that Microsoft dominates (or weighs heavily in) many software markets. The issue seems to be that Microsoft does both of these things, which results in a ubiquitous and totally insecure majority around the world.
This reminds me of the general pattern where Microsoft is busted for doing something that another company did first or is also guilty of. The non-Microsoft instance (could be a small company, or a large company with a small component) can usually can get away with it because of scale, whereas Microsoft cannot since it's on such a large scale that everyone notices and cannot ignore it. One of many examples is the "OS integrated with the browser" war. Nobody gave a shit when IBM shipped OS/2 warp with built-in browser support even though in principle it was the same thing Microsoft did with Internet Explorer. IBM's reach was minimal with OS/2, so it was rather irrelevant what they did. Not so with Microsoft.
So is this class-action suit setting a precedent that bugs in your software will lead to lawsuits? I don't think so. I also don't think it claims that being a gigantic, far-reaching company is bad. Just don't mix the two, or the wolves will come after you.
Should anyone's software be treated differently from the auto industry?
I figure when MS can start charging $20,000 per OS license, then maybe we can expect bullet proof software safety. The kind of engineering required to give some kind of guarantee or waranty against "bad things" that these people are expecting would cause the cost of software to be prohibitive. Heck it may not even be possible if the software is complex enough. At some point you have to say well we've gotten it as hardened as is feasible, but there will always be some risk.
Sure MS stuff could be better engineered, but there's a point of diminishing returns for everyone involved. If YOU want guarantees, YOU pay to develop your own unbreakable system and use that. Otherwise the old "buyer beware" caveat still holds - especially in the case where the licensing agreement TELLS YOU they are not liable. If you don't like that by all means don't use the software. But don't sue the manufacturer of the car when they warn you in advance that the car could get stolen, that they're not liable if it gets stolen, you don't do what's required to prevent it getting stolen and then by gum it gets stolen!
This whole shuffling of responsibility through litigation is sinking this country faster than any liberal welfare policy or conservative defense budget.
I don't think cases like this are good for the industry in general, MS or no MS.
I hate to say this but I agree...
HOWEVER, if it could be proved that Microsoft was aware of the problem but did nothing (their famous security through obscurity) then they should be held accountable. There have been many instances where Microsoft was informed of a problem but did nothing. In this case I think they should be held accountable.
I don't really see this going anywhere because you really have no rights when you buy software.
I realize it's very amusing to most everybody here to see MS drawn into court for anything at all, but this is actually much worse for the free software community than it is for MS. Think about the following very carefully:
If the lawsuit is succesful then software authors can be held responsible for damages caused by flaws in their programs.
How many of us here are software authors? How many of us want to be sued because our software, which by it's very nature isn't 100% secure, was made to malfunction by a malicious third party? How many people will stay way the hell away from contributing to open source software if they can reasonable expect to be litigated upon if the software somehow becomes vulnerable?
If MS loses this case it's not a big deal for them. They pay a fine, they change a practice or two, life goes on. OSS, though, could very likely die.
If I was MS I would be trying to lose this case.
-Bren
I suspect that when you PURCHASE software, there are reasons that the developer is more 'legally' accountable for their products then when you use open-source and/or free software.
Generally, there seem to be more protections against poor products when a transaction is involved-->it is much easier to release your product 'as-is' then it is to sell it.
Microsoft may also be a unique case----I suspect that the sheer complexity and audacity that is the MS EULA might be easier to challenge in court then a simple, "You can have my software if you like, it might blow up your computer, but its not my problem, and don't say I didn't warn you".
Additionally, MS claiming that they are developing trustworth products, advertising claims that you can rely on their software, and the overwhelming monopoly position they have on the desktop may place a greater, if not unique, burden upon them.
You don't often see MS claiming that Window's security faults are your problem, do you? Except in the fine print of a legal document which probably wouldn't stand up in court.
The question is, what sort of general consumer protection laws would apply if the EULA is declared invalid?
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
All software sold today is sold as unsuitable for any purpose. It says that, right in the license. So claiming your software is insecure is moot; you didn't buy secure software. You just bought some crap off the shelf and expected it to meet your needs. It didn't; and nobody's surprised.
But this case is even worse than that -- It involves Microsoft's ware, which is known to be insecure. It's in the news every single day. Trusting your corporate secrets to of-the-shelf software is just stupid, doubly so for MS ware.
Not that this wasn't entirely predictable.
Firstly, software is your choice. Your complaints about MS software may be worthy of attention. However, you chose to use MS. And now that this is /., we all know there are alternatives. You can buy them on the Internet and even in some stores.
"The lawsuit, which was filed on Tuesday in Los Angeles Superior Court, also claims that Microsoft's security warnings are too complex to be understood by the general public and serve instead to tip off "fast-moving" hackers on how to exploit flaws in its operating system."
If you cannot interpret the information MS provides you, there are thousands of web pages and forums to help you. These are free as well. There are services which you can contract to do the work for you. Using computers has a cost. Using machines connected to the Internet has a cost. It is not the fault of MS that someone exploited the OS. They were irresponsible for leaving the vulnerabilities there, but unless you want to make the claim that they intentionally attempted to provide you with an insecure OS, then I do not understand the argument. XP does not say on the box "hack-proof: Try It!".
I have a little idea:
Software that directly controls physical devices (automobiles for example) which are themselves regulated should be held accountable to similar standards as the device which the software controls. They should be legally linked.
Software that does word processing, serves web pages, browses the Internet, sends email, etc. would not fall into this trap. We have disclaimers on lots of things saying don't use x with y or p as a q. So mark your software accordingly.
Its the kind of crap I've come to expect from companies that dont want to compete but just want the governemnt to hand them market share. Its the kibs of all those parents who sued the schools becuase they (the kids) where getting bad grades. The've grown up and expect the same kind of treatment from the real world. The sad part is they may get it.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
well, for the joke that sprang to mind immediatly:
It goes;
A Mechanical Engineer, Marketer and Programmer were driving in the mountains, when the car's brakes failed and they crashed into one of the breakdown barriers (big mounds of gravel to stop trucks).
The Mechanical Engineers says, "I will look under the car and determine why the brakes failed, and how to fix it so it does not happen again".
The Marketers says, "I've got to tell the car company, so that word can get out if this needs to be a recall notice".
The Engineer and Markerter look at the Programmer who says, "I think we should push it back up the hill and see if we can get it to crash again".
Think about it... this seems very close to Microsoft's Mentality: all windows users are crash test dummies.
Case(s) in point: The remote code execution in Windows Media Player that allowed content to be executed (similar to the MIDI flaw in dx9.0a and below) was fixed in 6.x versions and re-opened in subsequent versions, not once, but at least 3 times!
The RPC vulnerability wasn't fixed until the second time, hence the need for *another* patch because Microsoft had not FIXED the vulnerability, just enough to protect against the first exploit.
(little dutch boy story ring a bell, mr pavalov?)
And their strategy for integrating everything into the OS is actually driving XP users back to 98se.
Yes, 98se where the IM client, browser, outlook express, media player, passport and another half dozen things aren't integrated into the OS (as proven by 98lite).
Why?
It *annoys* the piss out of people.
Wonder why?
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
I'm assuming this is flamebait, but I'll respond anyway... karma to burn and all...
Read my post again and you'll find you agree with it (also my reply to the other person who replied to me). I didn't say that the monopoly wasn't a problem and wasn't being abused. Capitalism as a system is not responsible for that though - as you pointed out, it's the government's lax attitude toward big business and antitrust issues at the root of that problem.
I already described the ways Microsoft abused this monopoly, which were the same ones you gave. You and I are on the same page...
But capitalism still does work on competition. Microsoft has an advantage, but free software is continually getting better and while the competition is harder because of the Microsoft monopoly, it still can level things. It'll just take longer.
-N
I've nothing to say here...
I put out some free Perl & PHP code, and planned to release some more next week. But I partly rely on the BSD license to protect me from liability. What does this case mean for someone like me? While I think I'm such a good programmer that eventually my code will be super-tight, I know I'm a poor enough programmer that it will take many iterations and bug reports to get there. Should I only release code when I'm certain no security issues exist (which probably means I'd never release stuff)?
My Greasemonkey scripts for Digg &
You get what you pay for.
If you don't pay for it, then the user is responsible.
If you do pay for free software (and many people do) then it depends on what you are paying for.
If you are paying for the CD, or the distribution medium then clearly you are responsible. If you are paying to have the machine kept up2date, then _PERHAPS_ the vendor is responsible, IF their EULA doesn't hold up in court.
The EULAs all say that the vendor is not responsible for these things. The question is whether those EULAs will stand up in court.
I understand where you are coming from, but think about what Microsoft software runs- nuclear power plants, railroad systems, banks and God knows what else.
Let's say a railroad system goes down (like the one in Maryland that went down because of SoBig) because of a hole in some MS code. I don't think it's MS's sole responsibility, BUT they do play a large part in the failure.
I think of it like this- if someone writes a book or flier that is to be seen by thousands of people, and there is a typo or error that causes confusion, it might not be the authors fault, but he or she SHOULD have taken caution to check for typos. The author is not at fault, but should take some responsibility for the mishap.
...and the businesses that use their software were coastal Alaska, does the sea life have to clean the oil off the shore every time one of Microsoft's products is exploited for it's insecurity? Why is a software company treated any differently than an energy company when something happens that involves their product and harms it's surrounding environment? It's about time a law suit like this came around.
Moral questions aside, if you use Microsoft software, you have no way of knowing if you are going to be hacked, you have no way of knowing what new exploits will be discovered, and you have no legal recourse when black hats damage you or your corporation.
Just to play devils advocate here, but this is no different from Linux/OSS/BSD/Apple software. There have been SSH problems surfacing lately, and who knows if there will be say, an exploit to own someone box through apple's mail.app tomorrow.
There's just as little legal recorse with OSS or apple as Micrsoft or ibm or dell or.... whoever. On the other hand, should Dell be held responsible if a terrorist used a dell notebook to say, plan an attack?
I'm all for kicking MS in the gnards if I can, but this is pretty shakey ground.
It shouldn't be held to the same liabilities as an automobile. An automobile has the potential to hurt or kill people in it if it has defects. It is the responsibility of the auto company to make sure their cars will not hurt people due to their engineering flaws. In the case of Windows, no one is stopping you from using another operating system if theirs is not stable enough for your use. I think you should be able to get a refund if their software doesn't do what it says it can and then move to Linux, OS X or whatever else you would like to use. Suing MS for bad software is like saying you cannot use something else. I use something else so why can't California?
Yet automobile manufacturers are also sued for nonhazardous situations. I think Toyota was sued for premature engine failure due to sludge build-up. I think suing Microsoft is more in line with this thinking.
Using your logic, there is no expectation of fitness for use for software at all. You can have all the features in the world. Just don't expect to use them.
'Use something else,' you say. How would you like your car "Microsoft" dealer to tell you that after you discover your car is a lemon? Oh, by the way, all the other manufacturers cars don't work on Microsoft Roads. And there is no refund.
So what's to stop MS from stamping an "As-is" label on Windows? People will still buy it. Shit, for all I know there's an "as-is" clause in the EULA already, I didn't read it.
What I do know is that while MS may claim its software is secure, they never suggest it cannot be broken into. So they've never lied to you. My house is pretty secure until you break a window. Is it the window manufacturer's fault?
Auto companies only issue recalls because they can be sued for wrongful death if a critical part dies. Non-critical parts go bad all the time, no recall. I suspect Jeep was making shoddy transmissions for years (my dad's had FIVE of them, good thing it's a work car!) but since a bum transmission doesn't cause the car to explode, they've never recalled it. I know subaru has a problem with the bearings on the Impreza, I know its due to shoddy workmanship because the part numebr changed (meaning they fixed the problem), but I don't get free bearings until a few peoples' wheels fly off.
Since MS software has NEVER killed anyone to my knowledge (no FUD about embedded OSs, please, even in automotive applications, CE is only used for mapping software and audio programs), and MS strictly forbids the use of its software in such conditions where peoples' lives would be at stake, I don't see why they have any liability here.
What losses have been sustained? Lost data? Well, people have tried to sue hard drive manufacturers for that and failed. IT costs? Well, nowadays when people get viruses it is because IT was lax and didn't properly apply patches, or didn't install virus software, or left their default settings untouched, or had no firewall...court's not going to reward when it's your own damn fault.
Hey freaks: now you're ju
> the story on shacknews for example on how valve got trojaned..
> why on earth did they keep using software they knew was suspectible to be trojaned?
To me, this is the place responsibility needs to lie. It's the people who choose systems that are *known* to be bad for important things. Find the forces that "made" them use Outlook and there is a first line of blame.
If a power plant uses MS Windows or Linux for a critical system and it blows up, it's the person who made that call who should be held mostly responsible due to negligence.
If manufacturers are making claims that their systems are secure, or are useable for critical work, then that's probably a case of false advertising and should be dealt with as such.
Valve should be looking to see if its own staff were negligent first. Who was responsible for choosing a known bad, internet connected, system for storing very important data?
Just the same as if I left a printout of the source code in the local pub by accident. If it was an Outlook exploit, then I don't see this as any different fundamentally.
If you have a multi-million dollar asset, you should put some effort into protecting it. Not blame HP for letting you print it out and leave it in the pub.
If I was working on the source for Doom 4, you can be damned sure I wouldn't keep it on my internet connected debian box.
- Muggins the Mad
Software should be treated differently than automobiles. Because it is very different than automobiles! [insert expletive and aggrivated shake of head]
Your analogy, sir, is faulty!
~ Aero
Yeah, but the truth is that their software is insecure by _architecture_. They seem to realise this however, and have initiatives to amend this problem. Not the ones you and I are after, I agree, but they do seem to be slightly more on track (.NET).
However, even now they make mistakes. Doing a SOAP call over HTTP port 80 is as stupid as it can get. The whole idea that firewalls are open only to port 80 is to run a (relatively) save web-server behind the port. Doing remote procedure calls over the same port...you could as well open all the ports again.
As long as MS lets functionality and ease of use predominate security, they won't make secure systems. There is always a trade off in the real world. MS Outlook and Outlook express are the ultimate examples of that policy.
Speaking as one, I *do* like the sound of it.
If my company can be held liable for defects in software, I suddenly have a *huge* economic argument to take to my bosses and say "this schedule is unrealistic. We're going to need more time/resources/etc to get this thing done *right* if you intend to distribute it"
What it really means is that the whole attitude the software industry has of "Release early, patch later" will have to undergo a significant shift.
Yeah, it hurts those slapjack coders who can't tell security from UI, but I tend to think that's a good thing as well.
That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze
" why should software be treated differently than other products? And I have yet to see a lucid argument that it should."
It's very simple: Software is in a unique environment where just about anything can happen. Afterall, computers are very generalized in what they do. The nature of this generalized environment is that somebody can be malicious in so many different ways that it's ridiculous to believe that anybody can every make anything totally secure. Once somebody is *in*, then that's it. They can destroy the data on the computer, they can lock it up so nobody can use it, or they can infect another machine.
As for physical products, there's an entirely different environment happens. There are controlled ways to use this product. It's reasonable that your car is on the road driving a certain speed. It's reasonable that if the tire explodes for whatever reason, it does so in such a way that it doesn't get tangled up int he car and lock it up, causing rollover. So what happens when it turns out that the tires are defective, they get recalled. Software can be patched, but not recalled.
So let's talk about a computer on the net here. You've got a Windows computer using Outlook Express. It's on the net 24/7 thanks to broadband. (Spare me the usual uptime jokes about Windows, they were funny back in 99.) Somebody sends you an email, and it causes something to happen in Outlook Express. The exploit was use of a feature in Outlook. Let's say that the hacker didn't use a buffer overflow or anything like that, they just used the default features and found a way to cause mischief with them.
Okay, so somebody went with Microsoft's defaults and they ended up sending a virus to everybody in their contact list. Is Microsoft responsible?
Well, that's the funny thing about computers, the answer is not black and white. First, when the feature was originally developed, was Microsoft negligent for allowing that sort of exploit? that's a toughie. In some ways, yes, in some ways, no. Should Microsoft have anticipated somebody'd be an ass with it? Hindsight is 20/20. Did one programmer put in the activex feature and another programmer put in the 'email everybody on your contact list' feature? Was there a disconnect that prevented the foresight that somebody did that? If so, what about the user? Were they being responsible? Did they take the proper security precautions?
Even back in 1995, there was talk about internet security. Watch out for malicious files. Careful what you open! Should the user have at least looked at the security settings? Some would say, yes. Computers are not simple devices. Nor are they assembly line machines, almost all of them are unique in some form or another. It's sort of like depending on TV to have your values in mind when it blasts programming to your children.
What about patches? Microsoft can't 'recall' the product reasonably. (look at all the pirated copies of Windows out there) So what do they do? They release a patch. Should users stay on top of patching? Of course! MS puts all this effort into fixing stuff, at some point they just cannot be blamed for the damage caused by a virus or worm.
Anyway, I've babbled too much here. You asked why software is different. The short and very simple answer is that responsibility is shared between both the software maker and the user to a larger degree than most products. Worse, the exploits that are often used don't really apply in a negligence case in the real world. Buffer underruns come to mind. Somebody has to be fairly slick to figure that one out. It's sort of like figuring out the exact sonic frequency it'd take to make a car's tires explode, and then figuring out a way to broadcast it in such a way that it affects cars all over the place. Is Firestone responsible for negligence for not protecting thier tires against this type of attack? Afterall, materials resonate at certainn frequencies. Are they negligent for leaving that vulnerability o
"Derp de derp."
Is it the driver's fault for using a car that explodes when rear-ended?
It never ceases to amaze me that people continue to make this ridiculous car/software argument. the correct analogy is:
Is it the driver's fault for using a car that explodes when a rocket-propelled-grenade is launched at it?
Rear ending a car is a normal day-to-day *ACCIDENT* that normal drivers do all the time.
Writing a virus/worm/exploit to specifically attack known holes in a piece of software is not an accident, and it is not something normal users do. Show me a RPG-proof car, and then I'll build you some hacker-proof software.
Face it people: the truth is that today, software products are far more "secure" than the majority of consumer products. You are just having a hard time making the distinction between warranty failures and security attacks. We are talking about security here, not faults. I bet a lot more cars get stolen every day than OS's and email clients that get hacked.
I don't mean to be politcally distasteful here, but instead of comparing a piece of software to a car, perhaps we should be comparing it to something like a building. Both have architects, so this makes sense. An important, highly-populated building should probably be designed to anticipate and withstand a variety of terrorist attacks, such as planes flying into it. Recent events show us that this is not always the case. And that cost us lives, not just dollars! But we don't constantly sit here and hate the architects - we learn to deal with it and try to find ways to get better, knowing that we will never completely eliminate all vulnerabilities the building might have to a terrorist attack. Today I don't think anyone walks into a building assuming the building is 100% invulnerable. Or a plane. Or any other highly complex, highly targeted construction.
Making analogies to cars worked when we were complaining about defaults. But it doesn't make any sense when we are talking about security. Let's try to use some better analogies, and think about whether they are relevant.
Should this class action go through the courts and succeed, it sets a hell of a precedent. Specifically, it implies that software should be thoroughly engineered and reasonably defect-free prior to release, with no damaging defects at the point of release. It essentially also says that releasing patches after the fact is not good enough (and that it's not the customer's responsibility to apply them), which causes two minefields I'll try and touch on later.
Trying to enforce defect-free software is a great idea - except that, as we all know, software exhibits weak-link behaviour, and that in turn suggests that you'd need to get rid of 100% of defects to be absolutely certain that no damaging defects exist. You can't over-engineer software in the way you can, say, a building, to protect against potentially damaging structural defects. Oftentimes, over-engineering software makes it more prone to the kind of defect that makes the software useless.
This precedent I percieve in turn means that the open source community - specifically, the people "managing" a given software project - are open to the same kind of litigation as, well, Microsoft are facing. I sure as hell don't want to be sued because my software's not perfect...
As for basically disregarding patches, well, that raises one major issue: it makes the vendor responsible for deploying those, which in turn either requires a "returns" policy on software (unworkable!), or requires that they have the ability to deploy software (privacy issues).
In short, this disquiets me. While I've been waiting for this kind of legal action to happen for a while, and in the long term it'll probably lead to much more reliable, much better software, I don't think the software industry as a whole is really ready for this kind of thing yet. Frankly, we still suck at making reliable software, and that's not just something Microsoft can take the hit for...
If they can obtain a judgement against M$ for shitty software, then that means that the standard waiver of liability in the EULA is not enforceable, which likely means that the similar waiver of liability in the GPL, etc. is not enforceable, which means that you and I could potentially find ourselves in the same position for something we gave away for free, not to mention the effect it would have on those who run mom-and-pop software shops.
There is a mechanism in place to pressure M$ (and all of us) to ensure product quality: competition.
I think that Windows sucks; but Windows 2000 sucks quite a bit less than 98 did; It seems that M$ has taken notice of the alternatives, and is beginning to come around in terms of security and quality of their software (not saying that they don't have a long way to go, still) presumably due to market pressure.
Besides, look at it this way: I hate Windows because it sucks; If/when M$ improves the quality of their OS (and other software), don't we all win?
I am a Linux fan; but if M$ produces a product that is truly an attractive alternative, from both quality and price standpoints, I am not going to ignore it because of some "religious" viewpoint. (Nor will I bother myself with Windows until they do).
The point is, this is a textbook example of a situation where the govmint should keep out of it, and let capitalism/competition work things out naturally. People are just beginning to be exposed to Linux (and others) as real alternatives; M$ will naturally have to improve, or die.
"No they aren't. You can be damn sure that Ford would be sued if there was a bug in the software that controls a car's breaks. The same applies to software on the space shuttle, elevators, and medical equipment."
Um, no, you're comparing apples to oranges here. There's a significant difference between software for PCs and software to do a very specific task, such as controlling brakes on a car.
"It is all a matter of how you approach programming."
There's more to it than that. No approach of programming is going to 100% secure you from defective software on a general PC'esque evironment. It's one thing to guarantee that brakes work, like in your example. It's another to say "this program will never ever crash, even though it's running alongside other programs."
"Derp de derp."
Actually. It was probably one of the 24 known, and reported, and unpatched/acknowledged holes in IE/Outlook.
If your code isn't properly split into many small, specific tasks, then you're doing something wrong.
If you make statements like this, you obviously don't have a clue about programming anything more than little helper utilities.
All code is split into small, specific tasks. They're call functions.
The interation between the small specific tasks is where you have problems. You get even more problems when parts of the system have to maintain some sort of "state" about what's going on.
Mix 1000 of these things together, and it's hard to keep working right. Now mix 10,000 of them. Now deal with 100,000 of them.
Next, throw a few extra simple things like threads into the mix and tell me that you will know the implication of the interaction of all of those pieces at any given moment in time.
Are automakers held responsible when someone breaks into your car using a jimmy or breaks the glass with a hammer? Or pops your tires by throwing nails on the ground? These are security exploits similar to Code Red and SoBig and Slammer and Blaster, etc.
If people didn't try to break into your Operating System, there wouldn't be a problem. Automakers aren't forced to redeisgn locks or equip cars with shock-proof glass and no-flat tires. Software designers shouldn't be forced to design software to be secure from unauthorized entry. It's a great feature, but it shouldn't be required unless the software is advertised as being secure.
30s? Business computing is only a decade or two old... It is still very experimental. I think people that incorporate computers into their business systems should expect to take a few arrows.
love is just extroverted narcissism