Slashdot Mirror
Lawsuit Against Microsoft Over Insecure Software
Cinematique writes "Reuters reports that a California-based lawsuit alleges the Redmond software giant produces software with little concern for security and that their products are highly susceptible to, "massive, cascading failures." Should Microsoft's software be treated any differently than, say, automobiles?"
Besides, every time I see an exploit, it's after Microsoft has already issued a patch. This would seem to suggest that they aren't as responsible for the problems as many seem to think they are; as soon as they're aware of an issue, they fix it. Maybe they could design the stuff secure out of the box, but they'd be the first manufacturer to accomplish such a feat.
Stop using it if it's a problem. There are alternatives now.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
What are the costs to the user when software vendors are held to the same reliability standards as auto makers?
Should there be differentiation between operating system stability and application stability?
What responsibility does the user have for securing their own property?
How will different countries answer these questions, and what is the implication for US software vendors if there are 80 separate standards of culpability for an operating system?
And since I should have at least one answer, the speed of light is slower in materials with a higher index of refraction.
With the horrible network congestion and system compromisation that has come with the recent rash of massive MS worms, you do not have to have agreed to a EULA in order to be harmed by Microsoft's poor design and blatant disregard for security.
In other words: it has reached the point where even people who are not Microsoft product users are harmed by Microsoft's irresponsibility. The messes created by the holes in MS products make EVERYONE a possible target for collateral damage.
Severity isn't the only issue. If your automobile was faulty in a way that caused it to safely pull over to the side of the road but it wouldn't restart for half an hour, you'd still see recalls for lost time and money.
The danger here isn't just that it feeds a lot of lawyers, and isn't making software manufacturer produce less buggy code -- that's something that's been needed for a long time.
The danger is that someone like MS says "OK, we'll accept liability, but only if it's our software, running on our operating system, with no additional code on the system that we didn't install, and only on hardware we approve of, and we end up with even more of a monopoly.
Here in Australia we take things into account like the price of the goods and the purpose for which they were intended. You're not, for example, going to have much luck suing someone over those $2 scissors you were using to conduct major surgery, but you may succeed with the $200 surgical variety.
Now if MS were happy charging a reasonable (given the price of hardware, say, $100 - 10% of a machine's value rather than $1500 and 150%!) price for their software, and weren't running around trying to force their way into everything with a processor then they'd probably be safer from such claims than they are now.
"The problem is : if Microsoft is judged responsible, what would happen to others in the same situation ? Especially to free software ?"
I'm glad somebody else finally said this.
There are a few simple things to consider:
- Software is written by error-prone humans.
- Software is maliciously used by people who concoct creative ideas.
- Linux may be more secure by default, but it's still a human error away from having the same type of problem hit it.
I'll tell you all something, if I'd be scared shitless about releasing an app on the web if it turned out I could be responsible for somebody else being a bastard with it.
"Derp de derp."
Notably, lawsuits can be filed for things that just cost tremendous amounts of money. Case in point, the supposition that the Halflife 2 beta may have been leaked through an Outlook preview pane exploit, as other
Of course, this all begs the question "why the hell were the nuclear power plant, train system, and half-life build system connected to the internet in the first place?" Folks, here's a gigantic hint: software is insecure. If you want something to be secure, take it off of the fucking intarweb. The nuclear power plant just doesn't need Fark that badly. Let them read it on their PDAs.
Like the people maintaining those systems don't know better.
StoneCypher is Full of BS
I suspect that when you PURCHASE software, there are reasons that the developer is more 'legally' accountable for their products then when you use open-source and/or free software.
Generally, there seem to be more protections against poor products when a transaction is involved-->it is much easier to release your product 'as-is' then it is to sell it.
Microsoft may also be a unique case----I suspect that the sheer complexity and audacity that is the MS EULA might be easier to challenge in court then a simple, "You can have my software if you like, it might blow up your computer, but its not my problem, and don't say I didn't warn you".
Additionally, MS claiming that they are developing trustworth products, advertising claims that you can rely on their software, and the overwhelming monopoly position they have on the desktop may place a greater, if not unique, burden upon them.
You don't often see MS claiming that Window's security faults are your problem, do you? Except in the fine print of a legal document which probably wouldn't stand up in court.
The question is, what sort of general consumer protection laws would apply if the EULA is declared invalid?
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
well, for the joke that sprang to mind immediatly:
It goes;
A Mechanical Engineer, Marketer and Programmer were driving in the mountains, when the car's brakes failed and they crashed into one of the breakdown barriers (big mounds of gravel to stop trucks).
The Mechanical Engineers says, "I will look under the car and determine why the brakes failed, and how to fix it so it does not happen again".
The Marketers says, "I've got to tell the car company, so that word can get out if this needs to be a recall notice".
The Engineer and Markerter look at the Programmer who says, "I think we should push it back up the hill and see if we can get it to crash again".
Think about it... this seems very close to Microsoft's Mentality: all windows users are crash test dummies.
Case(s) in point: The remote code execution in Windows Media Player that allowed content to be executed (similar to the MIDI flaw in dx9.0a and below) was fixed in 6.x versions and re-opened in subsequent versions, not once, but at least 3 times!
The RPC vulnerability wasn't fixed until the second time, hence the need for *another* patch because Microsoft had not FIXED the vulnerability, just enough to protect against the first exploit.
(little dutch boy story ring a bell, mr pavalov?)
And their strategy for integrating everything into the OS is actually driving XP users back to 98se.
Yes, 98se where the IM client, browser, outlook express, media player, passport and another half dozen things aren't integrated into the OS (as proven by 98lite).
Why?
It *annoys* the piss out of people.
Wonder why?
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
It shouldn't be held to the same liabilities as an automobile. An automobile has the potential to hurt or kill people in it if it has defects. It is the responsibility of the auto company to make sure their cars will not hurt people due to their engineering flaws. In the case of Windows, no one is stopping you from using another operating system if theirs is not stable enough for your use. I think you should be able to get a refund if their software doesn't do what it says it can and then move to Linux, OS X or whatever else you would like to use. Suing MS for bad software is like saying you cannot use something else. I use something else so why can't California?
Yet automobile manufacturers are also sued for nonhazardous situations. I think Toyota was sued for premature engine failure due to sludge build-up. I think suing Microsoft is more in line with this thinking.
Using your logic, there is no expectation of fitness for use for software at all. You can have all the features in the world. Just don't expect to use them.
'Use something else,' you say. How would you like your car "Microsoft" dealer to tell you that after you discover your car is a lemon? Oh, by the way, all the other manufacturers cars don't work on Microsoft Roads. And there is no refund.
" why should software be treated differently than other products? And I have yet to see a lucid argument that it should."
It's very simple: Software is in a unique environment where just about anything can happen. Afterall, computers are very generalized in what they do. The nature of this generalized environment is that somebody can be malicious in so many different ways that it's ridiculous to believe that anybody can every make anything totally secure. Once somebody is *in*, then that's it. They can destroy the data on the computer, they can lock it up so nobody can use it, or they can infect another machine.
As for physical products, there's an entirely different environment happens. There are controlled ways to use this product. It's reasonable that your car is on the road driving a certain speed. It's reasonable that if the tire explodes for whatever reason, it does so in such a way that it doesn't get tangled up int he car and lock it up, causing rollover. So what happens when it turns out that the tires are defective, they get recalled. Software can be patched, but not recalled.
So let's talk about a computer on the net here. You've got a Windows computer using Outlook Express. It's on the net 24/7 thanks to broadband. (Spare me the usual uptime jokes about Windows, they were funny back in 99.) Somebody sends you an email, and it causes something to happen in Outlook Express. The exploit was use of a feature in Outlook. Let's say that the hacker didn't use a buffer overflow or anything like that, they just used the default features and found a way to cause mischief with them.
Okay, so somebody went with Microsoft's defaults and they ended up sending a virus to everybody in their contact list. Is Microsoft responsible?
Well, that's the funny thing about computers, the answer is not black and white. First, when the feature was originally developed, was Microsoft negligent for allowing that sort of exploit? that's a toughie. In some ways, yes, in some ways, no. Should Microsoft have anticipated somebody'd be an ass with it? Hindsight is 20/20. Did one programmer put in the activex feature and another programmer put in the 'email everybody on your contact list' feature? Was there a disconnect that prevented the foresight that somebody did that? If so, what about the user? Were they being responsible? Did they take the proper security precautions?
Even back in 1995, there was talk about internet security. Watch out for malicious files. Careful what you open! Should the user have at least looked at the security settings? Some would say, yes. Computers are not simple devices. Nor are they assembly line machines, almost all of them are unique in some form or another. It's sort of like depending on TV to have your values in mind when it blasts programming to your children.
What about patches? Microsoft can't 'recall' the product reasonably. (look at all the pirated copies of Windows out there) So what do they do? They release a patch. Should users stay on top of patching? Of course! MS puts all this effort into fixing stuff, at some point they just cannot be blamed for the damage caused by a virus or worm.
Anyway, I've babbled too much here. You asked why software is different. The short and very simple answer is that responsibility is shared between both the software maker and the user to a larger degree than most products. Worse, the exploits that are often used don't really apply in a negligence case in the real world. Buffer underruns come to mind. Somebody has to be fairly slick to figure that one out. It's sort of like figuring out the exact sonic frequency it'd take to make a car's tires explode, and then figuring out a way to broadcast it in such a way that it affects cars all over the place. Is Firestone responsible for negligence for not protecting thier tires against this type of attack? Afterall, materials resonate at certainn frequencies. Are they negligent for leaving that vulnerability o
"Derp de derp."
If your code isn't properly split into many small, specific tasks, then you're doing something wrong.
If you make statements like this, you obviously don't have a clue about programming anything more than little helper utilities.
All code is split into small, specific tasks. They're call functions.
The interation between the small specific tasks is where you have problems. You get even more problems when parts of the system have to maintain some sort of "state" about what's going on.
Mix 1000 of these things together, and it's hard to keep working right. Now mix 10,000 of them. Now deal with 100,000 of them.
Next, throw a few extra simple things like threads into the mix and tell me that you will know the implication of the interaction of all of those pieces at any given moment in time.