Lawsuit Against Microsoft Over Insecure Software
Cinematique writes "Reuters reports that a California-based lawsuit alleges the Redmond software giant produces software with little concern for security and that their products are highly susceptible to "massive, cascading failures." Should Microsoft's software be treated any differently than, say, automobiles?"
Valve might want to take a look at this lawsuit considering their potentially devastating loss reported earlier today. According to Gabe Newell, from whom the source code of their latest was stolen, a hacker gained access to his machine "via a buffer overflow in Outlook's preview pane." Read his entire message here.
"I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
The problem is : if Microsoft is judged responsible, what would happen to others in the same situation ? Especially to free software ?
You agreed to the product being sold AS IS. Yeah, so Microsoft does operate like a used car dealer, but I doubt that Canada has any legal cause here.
Any ruling making Microsoft liable could be used by the legal system as a precedent to make ALL software companies and/or individuals who produce software *personally* liable for damages arising from use. This may look like a "we've got 'em now" scenario, but it might come back to bite us.
Later, GJC
Gregory Casamento
## Chief Maintainer for GNUstep
Can any motivated and talented enough 16-year-old car thief break into your car and steal it? Probably, the answer is yes. Sufficiently motivated people can find ways around security. What do you do if you own a car that you don't want stolen? Buy an alarm system and have it installed. Similarly, you buy a firewall and antivirus and install that on Windows.
Communism was just a red herring.
I'm up for some MS-bashing as much as the next slashdotter, but this isn't the way to beat Microsoft or get them to release secure code.
Capitalism holds the answer - provide a better alternative that takes away their market share forcing them to improve or be left behind. With them being a monopoly, this problem is far greater in difficulty, but progress is always being made. Free software is getting viably close to many of the roles that many people use Windows for.
I'd rather wait for that to happen than have another frivolous lawsuit like this. I'll feel better about the success of better software all around if MS gets to be better because of competition from free software getting better.
-N
I've nothing to say here...
At first I thought that this could be a very interesting case on many points. But its central argument appears to be poorly constructed. They are suing Microsoft because their monopoly makes their insecurity a bigger problem. I'm all in agreement with the "monoculture is bad" argument for many reasons, but you can't sue someone for being a monopoly, or for the bad effects of being a monopoly. Companies can only be held accountable for leveraging a monopoly, and this case has already been heard and decided on. The fact that we know more bad stuff that can happen because of their monopoly does not provide any more evidence that they are indeed leveraging their monopoly, so why do they think bringing them to court again over the same issues will result in a different ruling? Do they really think they have more resources and motivation to pursue this than the US and state governments combined?
The other two claims are the interesting ones. Can software writers be held accountable for damages caused by flaws in their software? Even if they put an "anti-warranty" in their license? (I hope not.) Are click-through license agreements valid in this case? These are all questions that would have to be asked.
Back in the 1980s, a Japanese worker was killed by a robot on an assembly line due to a software failure. And robot control systems are very thoroughly tested before a new model of robot is released. Microsoft is trying to muscle their way into the embedded marketplace; do you want software that has plenty of known defects/security issues running your robot?
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
... this was never really a very big issue for most people until Microsoft started issuing security bulletins.
Now they issue a bulletin, somebody exploits it, somebody else does not bother to read it.
The lawsuit claims that the update process is too complex, yet these are the same people who complain that no software company has the right to make an update process automatic.
So you really think that the government should FORCE consumers to buy a non-MS product? Will we see black-clad shock troopers in the aisles of CompUSA ready to enforce such laws? Bottom line is that at the end of the day, for whatever reason, consumers want Windows and Office. Who are you to say their choice is wrong just because it's not the same as yours?
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
You'll notice the case seems to hinge on Microsoft's monopoly status.
... I don't know. Since I'm not a lawyer, this is where the case falls apart for me.
If they did not have a monopoly on desktop computer systems, this type of lawsuit wouldn't be a problem for them. Since, due to all sorts of vendor lock-in promoted by Microsoft itself, it is difficult for users to pick a different desktop, the lack of security in their software (i.e. buffer overflows everywhere)
But maybe a monopolist which continues to abuse its position _should_ be held to a higher standard than others? Is it not arguable that MS has the resources required to audit all of its code and fix such issues? Maybe not technically true, but arguable in court...
The incentive is that companies can demand a higher price for life-safety grade software. Same reason a marine life vest costs substantially more than an inflatable pool toy.
Should Microsoft's software be treated any differently than, say, automobiles?
No, it shouldn't. This would perhaps slow down software development a bit, but commercial software manufacturers should have similar responsibility for their products as any other industry.
Like our (Finnish) Product Responsibility Law points out (not literally but practically): "Manufacturer must repair manufacturing defects, whether the product still has warranty time left or not, or give a full refund." This should mean: "I just (2003-10-03) found a critical bug in MS-DOS 1.0 - please fix it or give me my money back." (Provided that I still have the invoice or other proof of purchase somewhere.)
“Wait for Hurd if you want something real” –Linus
That's not a coincidence. A good way to find out where software is vulnerable is by examining the patch issued to fix it. It's only a matter of finishing that analysis and making the exploit before most people have patched, which can be months later.
If Microsoft can be held legally liable, then it's extremely likely that in the future patches would be automatic and not optional. It's also likely to be more expensive, to cover the cost of "malpractice" insurance.
Though I am adamantly opposed to shrinkwrap "licenses," the one thing they do that I happen to agree with is the disclaimer of liability.
Writing solid software is hard. Writing solid software to run on cheap, unreliable hardware is even harder. Though we ridicule software vendors, crashing software is a fact of life. One day, new technologies or engineering practices may appear to make writing reliable software easier, or to allow the user to "reverse" the machine back to the last known good state so they can at least save their work. But for now, software is flaky and, undesirable though it may be, users need to plan appropriately.
That said, however, I believe there should be an exemption to the liability shield. Off the top of my head, the following factors should be considered to determine if liability should apply:
The scale of each factor would be weighed to determine whether the software vendor should suffer liability. This standard should be set fairly high. If a company is consistently pro-active in correcting bugs, releasing patches, and informing users; or the failures are comparatively minor; or their products exhibit failures on a comparatively rare basis -- in other words, if they are clearly a good, conscientious citizen of the computing community -- then the vendor should escape liability. OTOH, if a company can be shown to persistently use flawed methodologies and designs, and they regularly ignore bug reports until the excrement hits the rotary impeller, and the bug can cause widespread havoc, then the vendor should be exposed to liability.
Needless to say, Microsoft's 25-year history of releasing junk and not giving a $#!+ about it should be a reasonable foundation for a liability suit.
Schwab
Editor, A1-AAA AmeriCaptions
Unfortunately this isn't the way it actually works.
Microsoft has a database of bugs in its software with, rumour has it, something of the order of a half million or more problems in it. A lot of these are little cosmetic things, menu items missing etc., some of them are really serious, and some of them are in between. Now Microsoft could sit down and try really hard to fix all those problems, but unfortunately it would be several years before you saw any new software out of them if they did - especially bearing in mind that on average for every 10 bugs you fix, you'll create at least one new one.
So Microsoft, and in fact all other software manufacturers, make a call on which bugs have to be fixed, and which bugs can just stay there. Since they're effectively a monopoly, their definition of bugs that the user will just have to live with is not going to be terribly rigorous, unless that particular user is a big corporate customer with some leverage, but even then getting a fix out of them isn't easy.
In the meantime, because coding is also an ongoing process, they keep writing new code on a buggy base, and so things gradually get worse and worse. This is besides all the very basic design mistakes they've made over the years, which have been well documented here and elsewhere. To protect themselves they have a license agreement on their software which would be illegal applied to just about every other consumer product you could name, and which absolves them of all and any responsibility for their product's problems.
There's an old saying, the bad drives out the good - and this is basically what has happened to much of the software industry - it's more than about time they got sued over this, I'm just amazed it hasn't happened sooner.
I realize that the EULA of almost all software says if it doesn't work, it's your problem, but what if I run a totally Unix shop and don't have any Micro$oft products anywhere and don't use any, but my services are rendered useless due to high volumes of spam, SQL queries, MSRPC calls, large virus attachments etc. all aimed at M$ products? Would I then be able to sue them for the poor quality of their product?
Banjo - The more I know about Windoze, the more I love *nix
I'm not sure if Microsoft's license includes anything about liabilities and what not, but the open source licenses do. I imagine that if Microsoft can be successfully sued, then open source can as well. Personally, I think that anyone who is stupid enough to believe Microsoft's hype and never bothered to consider the downside of using overly-user-friendly software gets what's coming to them.
There should be some law or penalty against meaningless lawsuits. There should be some law or penalty against predatory lawyers. There should be some law or regulation to give the profession of law some credibility.
I was going to add this to the end of my submission, but I decided to let someone else bring up this very point. While it is true that Microsoft's software is not to be used in life-critical applications, think on a lower scale.
What about the colleges that need to hire extra support personnel to fix infected Windows computers? What about the networks that are brought to a crawl by worms and Internet related viruses? What about the kids that have their term paper ruined because Word crashed?
Sure, blame these problems on ignorant Windows users for failing to run Windows Update. But as far as I know, Microsoft (and the OEMs) fail to stress the absolute necessity of running update in their printed material. In this case, are consumers to blame for failing to patch, or does the blame rest solely upon Microsoft? (Remember: most of America does not read /. and most struggle to simply install software, let alone run Windows Update.)
Granted, the aforementioned problems listed above may not be life-critical mishaps, but from a company which touts security and stability as their primary strengths, they should be sued for false (deceptive) advertising over those very situations alone. Ask Symantec and Network Associates about the security of Windows software. There's an entire segment of the Windows software industry dedicated to picking up where Microsoft fails.
And on a side note, there's a HUGE difference between shareware/freeware coders and large corporate coding farms like Microsoft. Individual coders have limited resources... working with little capital and minimal manpower. In contrast, Microsoft employs thousands of people and makes millions of dollars every year. Clearly, it is not right to go after the big guy simply because he's the big guy, but in this case, Microsoft has the resources to make a bullet-proof operating system. Instead, recent events have shown that Microsoft prefers to take a "let's plug the holes" approach to security, instead of a top-down redesign of their back-end mechanism(s).
Even if it is ultimately chosen by consumers, a line should be drawn when a product is prone to security breaches and the company producing it makes more money than the entire GDP of several small countries. People may not die when Windows is exploited (or crashes) but the lesser results of Microsoft's negligence should not be ignored.
Liability is a tricky issue. It's really a function of the maturity of our industry.
In 1910 if every single Model-T produced had a defect that caused the brakes to fail what would Ford's liability have been? Probably very little.
In 2003 if a guy is driving drunk at 80 MPH without a seat belt and his tire blows causing him to roll over he can sue the auto maker and win.
At what point did the transition occur?
It's all a matter of professional status. Are the creators of software a professional group (like doctors and auto makers) and therefore liable for the mistakes we make? (Professional status is more than simply getting paid for a job.)
It's a tricky question to answer. Has the art of creating software advanced to the point where we can demand that institutions warranty their products for a particular purpose and be exposed to liability if those products fail? Should individuals be held to the same standard?
I personally think we're in a period of transition. Methods exist to create software at a much higher quality standard than is currently commonly available. It's time to start expecting SMALL levels of liability to encourage these methods to be adopted across the industry.
This will encourage individuals to learn new methods. It will encourage corporations to give their developers the tools and (more importantly) the authority to follow practices that produce better software.
If we start down this path maybe someday I won't have to chuckle when someone calls me a "software engineer".
I hope the court grants some degree of liability while at the same time realising that what the industry needs is baby steps, not giant leaps.
Are you trying to say that a critical failure in a Microsoft operating system couldn't cause death or injury? What about when the government uses it for navigation of a Navy submarine? What would have happened if that was also running the big, red, nuke button?
Do you know who beta tests Microsoft products?
The paying consumer.
Who beta tests automobiles?
Hundreds and hundreds of professional test engineers until the end product is as safe as the government regulates.
Currently, in the US, it is illegal to write or knowingly spread a malicious virus or trojan. Isn't the Microsoft Windows series of operating systems guilty of spreading malicious viruses and trojans?
Why read the article when I can just make up a snap judgement?
I have always said a security exploit is only an exploit when someone takes advantage of it. It is in that moment that the hole becomes a problem.
What is more upsetting to me is simply that computer failure is being compared to automobile failure.
You simply cannot compare the two. They are not only two different ballparks, they are two different games. If a computer fails to be secure because some guy who has a preternatural talent hacks, cracks and compromises the security of a computer system... no one's life is threatened. If an automobile fails to do its task of braking or turning, lives are put at risk. People can and will die in the event a failure occurs because an engineer screwed up. That is inexcusable.
The mere audacity to compare computers, which do not affect the ebb and flow of one's life span, versus an automobile that has to work or people die is just wrong. It shows a lack of compassion for life.
Ironically, in the leaked source code for HL2 there are many buffer overflows ready to be exploited.
One such example of this is in net_ws.cpp:
Perhaps, since the game isn't ready for release, the buffer overflows were not high on the priority list. But if Valve sued Microsoft for problems in their code, would Valve have several thousand suits coming their way for one of these exploits?
No. Actually, some of us aren't ignorant, and know what a microkernel is.
Well, don't sell it then (free distribution should still be okay). Either that, or stick with software that doesn't play a critical role in system security/stability. I'm sure that no number of bugs in grep is ever going to lead to a security problem.
No, patches aren't disregarded... Patches that cause stability problems, and can't reasonably be applied, are disregarded. Lesson: Make decent patches.
You don't have to have bug-proof software... just something to prevent the bugs from causing serious problems. Chrooting helps, systrace does the job quite well, and a microkernel does the job perfectly.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
If you're a monopoly, then the government should be setting some special rules for you to abide by. A sort of guarantee of quality of service, I believe. Utility companies, for example, can't behave in the same manner as shoe manufacturers because you can always buy a different brand of shoes. But the local electric company has to run its business according to some government standards, since consumers have little choice but to use that company's electric service (I'm ignoring the differences between electric suppliers and the company that delivers it, which could be two different companies).
Which takes us to Microsoft. They've been declared a monopoly by the US government, so they really do need to get a different set of rules to follow in the areas where MS is a monopoly (web browser, desktop OS, and perhaps office suite). I know you're probably thinking that there are other choices, but for most people, using an alternate OS is akin to building a windmill for your power supply - not for the average consumer.
The electric company has to maintain a certain quality of service. A city block can't go without power for two weeks, and we can expect to not experience wildly fluctuating power levels coming out of our outlets. Likewise, MS, as a monopoly, needs to supply a product that doesn't put us at higher risk than, say, one of the many competitors the company has illegally muscled out of the industry. Sure, it sounds tough, but MS brought this on itself, and it isn't nearly as tough as the challenges it put forth to all its former competitors.
I really hate signatures, but go to my website.