Lawsuit Against Microsoft Over Insecure Software
Cinematique writes "Reuters reports that a California-based lawsuit alleges the Redmond software giant produces software with little concern for security and that their products are highly susceptible to, "massive, cascading failures." Should Microsoft's software be treated any differently than, say, automobiles?"
Valve might want to take a look at this lawsuit considering their potentially devastating loss reported earlier today. According to Gabe Newell, from whom the source code of their latest was stolen, a hacker gained access to his machine "via a buffer overflow in Outlook's preview pane." Read his entire message here.
"I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
The problem is: if Microsoft is judged responsible, what would happen to others in the same situation? Especially to free software?
More like Firestones...
How long before SCO joins in and sues Microsoft? "Your honor, this code is so crappy, it *clearly* had to come from us!"
...no one gets killed when Dr. Watson pops up and you have to restart Word. When your tire explodes and you flip and burn, well...let's just say it seems more severe.
(Besides, I think almost no one here would enjoy being held accountable for all the bugs they've written over the years...)
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
Perhaps an "incentive" could be established for commercial software manufacturers to not throw in that horrid clause in their EULAs disclaiming all liability.
Hopefully the decision will be intelligent enough to exclude free, take-it-as-it-is software.
Use ISO 8601 dates [YYYY-MM-DD]
Besides, every time I see an exploit, it's after Microsoft has already issued a patch. This would seem to suggest that they aren't as responsible for the problems as many seem to think they are; as soon as they're aware of an issue, they fix it. Maybe they could design the stuff secure out of the box, but they'd be the first manufacturer to accomplish such a feat.
Stop using it if it's a problem. There are alternatives now.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
It specifically says in M$'s TOS that the software is not to be used for any life-critical applications. In fact, QNX is the only company that will license software for life critical stuff. Microsoft also has a non-responsibility clause in their TOS. This is going to be a long, drawn out fight, like the one against tobacco companies.
Statistically, one could probably claim that Microsoft products have killed people in an indirect manner.
Sig (appended to the end of comments you post, 120 chars)
You agreed to the product being sold AS IS. Yeah, so Microsoft does operate like a used car dealer, but I doubt that Canada has any legal cause here.
...someone finally grew enough testicles to stand up and bring this problem to the courts. I sadly predict it will be swiftly quashed, however.
Note all the one line comments above: they want to get the FP but, sadly, also want Karma so prefer to spill a single line comment or something mildly provoking, rather than something meaningful.
--
FreeNET user? Comfortable with the adverse selection?
...the 9th circus of appeals...
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
... focused on Security, a great deal of public information on the subject, influence with a wide array of standards bodies and a published strategy covering the topic I'm guessing that this will be a tough case to win in a court.
Well... think of the world we'd be in if this suit succeeds. No matter what you think of Microsoft, the precedent set would be dangerous to the software industry as a whole and even individual open source developers. Who do I sue if a Linux vulnerability causes damages? Sure Linux developers disclaim responsibility for these kind of problems... but so does Microsoft. I guess I'd have to go after Linus or his equivalents depending on the project at fault. Maybe I should quit technology and just become a lawyer... I'd make more money if this thing goes through.
What are the costs to the user when software vendors are held to the same reliability standards as auto makers?
Should there be differentiation between operating system stability and application stability?
What responsibility does the user have for securing their own property?
How will different countries answer these questions, and what is the implication for US software vendors if there are 80 separate standards of culpability for an operating system?
And since I should have at least one answer, the speed of light is slower in materials with a higher index of refraction.
...Should *all* software be treated any differently than, say, automobiles?
Don't want others to think we're biased, after all... :)
(And yes, I know MicroSoft is the worst culprit.....)
Matt
Should Microsoft's software be treated any differently than, say, automobiles?
Cue all the "If your car was designed by Microsoft" jokes. It would crash every day, you wouldn't be able to open the hood, blah blah blah, shut up people.
Seriously though, I think that not just Microsoft, but all "critical" level systems should be held accountable. Obviously machinery for hospitals are held accountable - if an XRay machine overdoses a patient with radiation and kills them you better believe the manufacturer is in deep shit.
Obviously games/etc don't have much at stake, but any product that is intended to have people depend on it (an Operating System, or a rendering package used in Hollywood, etc) should be aware of the dependency its customers have on it, and yes - it should be held accountable if in fact it causes the customers considerable financial (or health, or whatever) damage.
no comment
Any ruling making Microsoft liable could be used by the legal system as a precedent to make ALL software companies and/or individuals who produce software *personally* liable for damages arising from use. This may look like a "we've got 'em now" scenario, but it might come back to bite us.
Later, GJC
Gregory Casamento
Chief Maintainer for GNUstep
Can any motivated and talented enough 16-year-old car thief break into your car and steal it? Probably, the answer is yes. Sufficiently motivated people can find ways around security. What do you do if you own a car that you don't want stolen? Buy an alarm system and have it installed. Similarly, you buy a firewall and antivirus and install that on Windows.
Communism was just a red herring.
If you wish for them to be held liable, remember it's only fair that Apple, or even Linus be held liable as well when Linux or OSX gets hacked (and don't even mention that it could never happen - it already has, many times). Anything else would be hypocrisy.
as much as i think their products are crap, i don't like lawsuits. it's simply legal lottery. when they violated anti-trust laws, nail 'em to the wall. but this is really asinine. last time i checked, they never marketed windows with security being one of the features. if they purposely left holes in their software, then go after them. go after the people who made the decision. negligence is punishable. incompetence shouldn't be. just don't buy their crap. i realize the option isn't there for desktops, but it is for servers. and i am sure it will be for desktops soon.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
With the horrible network congestion and system compromisation that has come with the recent rash of massive MS worms, you do not have to have agreed to a EULA in order to be harmed by Microsoft's poor design and blatant disregard for security.
In other words: it has reached the point where even people who are not Microsoft product users are harmed by Microsoft's irresponsibility. The messes created by the holes in MS products make EVERYONE a possible target for collateral damage.
Of course it should, they're different things.
Macintoshes would be suspect to "massive, cascading failures" if they accounted for 96% of the personal computers in the world. ;)
Car manufacturers must make their cars safe because there are already laws in place that apply to everyone. You can't all of a sudden decide to pick on one company's product. They are not breaking any existing regulations, and so they shouldn't be held liable. Moreover, they could certainly claim that they did not intend for their product to be insecure, so they had no malicious intent. Lastly, they can always play the end-user license card.
Gabe held a number of positions in the Systems, Applications, and Advanced Technology divisions during his 13 years at Microsoft. His responsibilities included running program management for the first two releases of Windows, starting the company's multimedia division, and, most recently, leading the company's efforts on the Information Highway PC. His most significant contribution to Half-Life was his statement "C'mon, people, you can't show the player a really big bomb and not let them blow it up."
I wonder if he signed a contract that prevents him from joining a lawsuit against MS since it was their software that allowed his next big project to go buh-bye.
...what disclaimers are for?
I'm up for some MS-bashing as much as the next slashdotter, but this isn't the way to beat Microsoft or get them to release secure code.
Capitalism holds the answer - provide a better alternative that takes away their market share forcing them to improve or be left behind. With them being a monopoly, this problem is far greater in difficulty, but progress is always being made. Free software is getting viably close to many of the roles that many people use Windows for.
I'd rather wait for that to happen than have another frivolous lawsuit like this. I'll feel better about the success of better software all around if MS gets to be better because of competition from free software getting better.
-N
I've nothing to say here...
At first I thought that this could be a very interesting case for many points. But its central argument appears to be poorly constructed. They are suing microsoft because their monopoly makes their insecurity a bigger problem. I'm all in agreement with the "monoculture is bad" argument for many reasons, but you can't sue someone for being a monopoly, or for the bad effects being a monopoly. Companies can only be held accountable for leveraging a monopoly, and this case has already been heard and decided on. The fact that we know more bad stuff that can happen because of their monopoly does not provide any more evidence that they are indeed leveraging their monopoly, so why do they think bringing them to court again over the same issues will result in a different ruling. Do they really think they have more resources and motivation to pursue this than the US and state governments combined?
The other two claims are the interesting ones. Can software writers be held accountable for damages caused by flaws in their software? Even if they put an "anti-warrantee" in their license? (I hope not) Are click-through licenses agreements valid in this case? These are all questions that would have to be asked.
follow the link and read the story, the case is built "on the claim that its market-dominant software is vulnerable to viruses". It does not say that the case "alleges the Redmond software giant produces software with little concern for security" as the /. article suggests.
I'm not aware of an OS that isn't vulnerable to viruses. Precedent is a dangerous thing.
No matter what the EULA, or any warranty, expressed or implied states, the only proof needed to hold software makers responsible for their creations is to prove that the software was vulnerable due to negligence on the manufacturer's part. There are many states and possibly even US law that dictates that you cannot disclaim responsibility due to negligence...
Oh yeah.. AIANAL...
Fire in the hands of the village idiot is no tool, but a weapon of mass destruction
..you should ditch what you are using, no matter how convenient it is..
the story on shacknews for example on how valve got trojaned.. why on earth did they keep using software they knew was susceptible to be trojaned? or kept using webmail that was compromised(why did they use webmail, and outlook, in the first place is beyond me too if they really were trying to keep a lid on things, they're quite awful to trust)?
**Shortly afterwards my machine started acting weird (right-clicking on executables would crash explorer). I was unable to find a virus or trojan on my machine, I reformatted my hard drive, and reinstalled.**
do i have to take it as that he felt something fishy was going and yet didn't secure his webmail?
fuck, a company that susceptible for hacking should be really paranoid and read the mail first on some other platform than one that has had a history of buffer overflows exploitable even without opening the attachment..
world was created 5 seconds before this post as it is.
I haven't had the fortune of reading any of Microsoft's licenses, but I would be willing to bet that there is a clause that limits their liability.
-= alphaFlight =-
How complex is it to look at a security warning and click on windows update? As much as I like MS being sued, this is just for the lawyers to get rich.
They're claiming that releasing a security fix is "unfair competition." The people suing don't want Microsoft to release security fixes at all...
What kind of crap is that?
Here in Australia we take things into account like the price of the goods and the purpose for which they were intended. You're not, for example, going to have much luck suing someone over those $2 scissors you were using to conduct major surgery, but you may succeed with the $200 surgical variety.
Now if MS were happy charging a reasonable (given the price of hardware, say, $100 - 10% of a machine's value rather than $1500 and 150%!) price for their software, and weren't running around trying to force their way into everything with a processor then they'd probably be safer from such claims than they are now.
Back in the 1980s, a Japanese worker was killed by a robot on an assembly line due to a software failure. And robot control systems are very thoroughly tested before a new model of robot is released. Microsoft is trying to muscle their way into the embedded marketplace; do you want software that has plenty of known defects/security issues running your robot?
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
were you using X12 Windowmaker again??? DON'T SEASONALLY ADJUST YOUR WINDOWS!!!
lameness filter encountered: Reason: Don't use so many caps. It's like YELLING.
--
FreeNET user? Comfortable with the adverse selection?
It shouldn't be held to the same liabilities as an automobile. An automobile has the potential to hurt or kill people in it if it has defects. It is the responsibility of the auto company to make sure their cars will not hurt people due to their engineering flaws. In the case of Windows, no one is stopping you from using another operating system if theirs is not stable enough for your use. I think you should be able to get a refund if their software doesn't do what it says it can and then move to Linux, OS X or whatever else you would like to use. Suing MS for bad software is like saying you cannot use something else. I use something else so why can't California?
"If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer
If their EULA/T&C says they are not liable then they are not liable. It's the responsibility of whoever buys/installs the software to check, but no-one does, and if they did they would probably find no alternative software that had more liability. When a whole company gets hit with some stupid vb-script email virus it's definitely the equivalent of someone leaving the back door open and a burglar walking in - whose fault is that? (well actually it's the equivalent of the builders not putting the door on and no-one noticing.) If Microsoft forgets to put the door on but says that you agree they are not liable if you click "yes" then are they liable?
It's almost impossible to regulate software like you regulate health and safety for example.
This comment does not represent the views or opinions of the user.
Not Secure? You're kidding me? My Microsoft consultant told me those were features not security exploits!
This is my sig. There are many like it but this one is mine.
From the article: "Microsoft's eclipsing dominance in desktop software has created a global security risk," the lawsuit filed in Los Angeles said. "As a result of Microsoft's concerted effort to strengthen and expand its monopolies by tightly integrating applications with its operating system ... the world's computer networks are now susceptible to massive, cascading failure."
I think the above statement is pretty interesting. What it says (to me) is that the issue isn't that there are bugs or security problems with Microsoft products, nor is the issue that Microsoft dominates (or weighs heavily in) many software markets. The issue seems to be that Microsoft does both of these things, which results in a ubiquitous and totally insecure majority around the world.
This reminds me of the general pattern where Microsoft is busted for doing something that another company did first or is also guilty of. The non-Microsoft instance (could be a small company, or a large company with a small component) can usually get away with it because of scale, whereas Microsoft cannot since it's on such a large scale that everyone notices and cannot ignore it. One of many examples is the "OS integrated with the browser" war. Nobody gave a shit when IBM shipped OS/2 warp with built-in browser support even though in principle it was the same thing Microsoft did with Internet Explorer. IBM's reach was minimal with OS/2, so it was rather irrelevant what they did. Not so with Microsoft.
So is this class-action suit setting a precedent that bugs in your software will lead to lawsuits? I don't think so. I also don't think it claims that being a gigantic, far-reaching company is bad. Just don't mix the two, or the wolves will come after you.
If you experience loss due to Windows' flakiness in 1990, it is Microsoft's fault. If you experience loss due to Windows' flakiness in 2003, it is your fault.
Don't buy something that is infamous for being a piece of crap, and then pretend that you don't know what you're getting into. There simply aren't any rocks big enough in this solar system, for you to have lived under them and not be informed about Microsoft's reputation.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
You know, there is a simple solution to all of this.
M$ files a patent for insecure and buggy software.
It then becomes a "feature".
And just think of the possible income streams to be gained from lawsuits over infringement.
Bill, I would have much kinder words for your company if you would adopt me (or at least put me in your will). I'm such a sellout!
"Kittens give Morbo gas!"
Should anyone's software be treated differently from the auto industry?
I figure when MS can start charging $20,000 per OS license, then maybe we can expect bullet proof software safety. The kind of engineering required to give some kind of guarantee or warranty against "bad things" that these people are expecting would cause the cost of software to be prohibitive. Heck it may not even be possible if the software is complex enough. At some point you have to say well we've gotten it as hardened as is feasible, but there will always be some risk.
Sure MS stuff could be better engineered, but there's a point of diminishing returns for everyone involved. If YOU want guarantees, YOU pay to develop your own unbreakable system and use that. Otherwise the old "buyer beware" caveat still holds - especially in the case where the licensing agreement TELLS YOU they are not liable. If you don't like that by all means don't use the software. But don't sue the manufacturer of the car when they warn you in advance that the car could get stolen, that they're not liable if it gets stolen, you don't do what's required to prevent it getting stolen and then by gum it gets stolen!
This whole shuffling of responsibility through litigation is sinking this country faster than any liberal welfare policy or conservative defense budget.
I don't think cases like this are good for the industry in general, MS or no MS.
What were they thinking?
Probably something along the lines of "Oh, look. A somewhat convenient and visually appealing way of reading email. Surely if there were still a problem with using this, Microsoft would have put out an update that would disable this feature/bug as a security hole."
I had a sucky sig.
is going to change the world of software fundamentally.
Anyone who purchases Microsoft software without a guarantee that it is secure should have no grounds to sue for it not being secure.
Seriously, all of these companies who are bitching about worms and viruses hitting them need to either demand a guarantee from Microsoft or just accept the costs of the damages.
I realize it's very amusing to most everybody here to see MS drawn into court for anything at all, but this is actually much worse for the free software community than it is for MS. Think about the following very carefully:
If the lawsuit is successful then software authors can be held responsible for damages caused by flaws in their programs.
How many of us here are software authors? How many of us want to be sued because our software, which by its very nature isn't 100% secure, was made to malfunction by a malicious third party? How many people will stay way the hell away from contributing to open source software if they can reasonably expect to be litigated upon if the software somehow becomes vulnerable?
If MS loses this case it's not a big deal for them. They pay a fine, they change a practice or two, life goes on. OSS, though, could very likely die.
If I was MS I would be trying to lose this case.
-Bren
... this was never really a very big issue for most people until Microsoft started issuing security bulletins.
Now they issue a bulletin, somebody exploits it, somebody else does not bother to read it.
The law suit claims that the update process is too complex, yet these are the same people who complain that no software company has the right to make an update process automatic.
All software sold today is sold as unsuitable for any purpose. It says that, right in the license. So claiming your software is insecure is moot; you didn't buy secure software. You just bought some crap off the shelf and expected it to meet your needs. It didn't; and nobody's surprised.
But this case is even worse than that -- It involves Microsoft's ware, which is known to be insecure. It's in the news every single day. Trusting your corporate secrets to off-the-shelf software is just stupid, doubly so for MS ware.
Not that this wasn't entirely predictable.
to link their trustworthy computing platform to the security overflow issues...C'mon meatheads, one has very little to do with the other. The trustworthy computing crap will cover locking the user out of their own PC. The security holes almost exclusively derive from their STUPID decision to 'mingle' the code from IE and the local file explorer. The local file handles had years of secure testing while the internet calls were coded by nitwits on the fly after 27 hours of caffeinated creativity. They work usually but had NO security, only convenience in mind...
errr....umm...*whooosh* *whoosh* Is this thing on ?
So you really think that the government should FORCE consumers to buy a non MS product? Will we see black clad shock troopers in the aisles of Comp USA ready to enforce such laws? Bottom line is that at the end of the day, for whatever reason, consumers want Windows and Office. Who are you to say their choice is wrong just because it's not the same as yours?
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Firstly, software is your choice. Your complaints about MS software may be worthy of attention. However, you chose to use MS. And now that this is /., we all know there are alternatives. You can buy them on the Internet and even in some stores.
"The lawsuit, which was filed on Tuesday in Los Angeles Superior Court, also claims that Microsoft's security warnings are too complex to be understood by the general public and serve instead to tip off "fast-moving" hackers on how to exploit flaws in its operating system."
If you cannot interpret the information MS provides you, there are thousands of web pages and forums to help you. These are free as well. There are services which you can contract to do the work for you. Using computers has a cost. Using machines connected to the Internet has a cost. It is not the fault of MS that someone exploited the OS. They were irresponsible for leaving the vulnerabilities there, but unless you want to make the claim that they intentionally attempted to provide you with an insecure OS, then I do not understand the argument. XP does not say on the box "hack-proof: Try It!".
I have a little idea:
Software that directly controls physical devices (automobiles for example) which are themselves regulated should be held accountable to similar standards as the device which the software controls. They should be legally linked.
Software that does word processing, serves web pages, browses the Internet, sends email, etc. would not fall into this trap. We have disclaimers on lots of things saying don't use x with y or p as a q. So mark your software accordingly.
you'll notice the case seems to hinge on Microsoft's monopoly status.
... I don't know. Since I'm not a lawyer, this is where the case falls apart for me.
If they did not have a monopoly on desktop computer systems, this type of lawsuit wouldn't be a problem for them. Since, due to all sorts of vendor lock-in promoted by Microsoft itself, it is difficult for users to pick a different desktop, the lack of security in their software ( i.e. buffer overflows everywhere )
But maybe a monopolist which continues to abuse its position _should_ be held to a higher standard than others? Is it not arguable that MS has the resources required to audit all of its code and fix such issues? Maybe not technically true, but arguable in court...
Flaws in Microsoft software are common knowledge, if any fault needs to be passed out it would be against companies that used Microsoft software in life critical applications without lots and lots of testing.
Not quite, it's more suing Ford because they forgot to install a lock on the car door and made the ignition push button.
In fact, if that happened and someone stole your car and drove it into another car, the car company WOULD be liable. And in this case Microsoft should be liable too.
"Should Microsoft's software be treated any differently than, say, automobiles?"
I've never been physically injured from a PC crash.
well, for the joke that sprang to mind immediately:
It goes;
A Mechanical Engineer, Marketer and Programmer were driving in the mountains, when the car's brakes failed and they crashed into one of the breakdown barriers (big mounds of gravel to stop trucks).
The Mechanical Engineer says, "I will look under the car and determine why the brakes failed, and how to fix it so it does not happen again".
The Marketer says, "I've got to tell the car company, so that word can get out if this needs to be a recall notice".
The Engineer and Marketer look at the Programmer who says, "I think we should push it back up the hill and see if we can get it to crash again".
Think about it... this seems very close to Microsoft's Mentality: all windows users are crash test dummies.
Case(s) in point: The remote code execution in Windows Media Player that allowed content to be executed (similar to the MIDI flaw in dx9.0a and below) was fixed in 6.x versions and re-opened in subsequent versions, not once, but at least 3 times!
The RPC vulnerability wasn't fixed until the second time, hence the need for *another* patch because Microsoft had not FIXED the vulnerability, just enough to protect against the first exploit.
(little dutch boy story ring a bell, mr pavalov?)
And their strategy for integrating everything into the OS is actually driving XP users back to 98se.
Yes, 98se where the IM client, browser, outlook express, media player, passport and another half dozen things aren't integrated into the OS (as proven by 98lite).
Why?
It *annoys* the piss out of people.
Wonder why?
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
Should Microsoft's software be treated any differently than, say, automobiles?
No, it shouldn't. This would perhaps slow down software development a bit, but commercial software manufacturers should have similar responsibility over their products like any other industry.
Like our (Finnish) Product Responsibility Law points out (not literally but practically): "Manufacturer must repair manufacturing defects, whether the product still has warranty time left or not, or give a full refund." This should mean: "I just (2003-10-03) found critical bug from MS-DOS 1.0 - please fix it or give me my money back." (Provided that I still have the invoice or other proof of purchase somewhere.)
“Wait for Hurd if you want something real” –Linus
Though I am adamantly opposed to shrinkwrap "licenses," the one thing they do that I happen to agree with is the disclaimer of liability.
Writing solid software is hard. Writing solid software to run on cheap, unreliable hardware is even harder. Though we ridicule software vendors, crashing software is a fact of life. One day, new technologies or engineering practices may appear to make writing reliable software easier, or to allow the user to "reverse" the machine back to the last known good state so they can at least save their work. But for now, software is flaky and, undesirable though it may be, users need to plan appropriately.
That said, however, I believe there should be an exemption to the liability shield. Off the top of my head, the following factors should be considered to determine if liability should apply:
The scale of each factor would be weighed to determine whether the software vendor should suffer liability. This standard should be set fairly high. If a company is consistently pro-active in correcting bugs, releasing patches, and informing users; or the failures are comparatively minor; or their products exhibit failures on a comparatively rare basis -- in other words, if they are clearly a good, conscientious citizen of the computing community -- then the vendor should escape liability. OTOH, if a company can be shown to persistently use flawed methodologies and designs, and they regularly ignore bug reports until the excrement hits the rotary impeller, and the bug can cause widespread havoc, then the vendor should be exposed to liability.
Needless to say, Microsoft's 25-year history of releasing junk and not giving a $#!+ about it should be a reasonable foundation for a liability suit.
Schwab
Editor, A1-AAA AmeriCaptions
Good undergrad microeconomics textbooks (Pindyck or Varian will do) cover the basics on that. The academic journals have quite a few interesting solutions to such market failures.
Potential market failures are still in less quantity and less gravity than government failures. Three characters: ADA.
Like we're FORCED to not use microsoft?
So the government in its history has never put the screws on Criminal companies that STEAL through monopolies.
Ever heard of the Bells?
I enjoy the irony in your statement " the gov forcing people"
When in fact it's microsoft forcing everything.
I'm assuming this is flamebait, but I'll respond anyway... karma to burn and all...
Read my post again and you'll find you agree with it (also my reply to the other person who replied to me). I didn't say that the monopoly wasn't a problem and wasn't being abused. Capitalism as a system is not responsible for that though - as you pointed out, it's the government's lax attitude toward big business and antitrust issues at the root of that problem.
I already described the ways Microsoft abused this monopoly, which were the same ones you gave. You and I are on the same page...
But capitalism still does work on competition. Microsoft has an advantage, but free software is continually getting better and while the competition is harder because of the Microsoft monopoly, it still can level things. It'll just take longer.
-N
I've nothing to say here...
This is fundamentally different from something sold for its utility but with no attendant literary or educational value.
Lacking <sarcasm> tags,
I put out some free Perl & PHP code, and planned to release some more next week. But I partly rely on the BSD license to protect me from liability. What does this case mean for someone like me? While I think I'm such a good programmer that eventually my code will be super-tight, I know I'm a poor enough programmer that it will take many iterations and bug reports to get there. Should I only release code when I'm certain no security issues exist (which probably means I'd never release stuff)?
My Greasemonkey scripts for Digg &
OpenBSD: Only one remote hole in the default install, in more than 7 years!
Microsoft: Where do you want to go today?
All this time, I thought Microsoft was talking to their customers when they were really talking to the hackers and script kiddies.
A programmer is a machine for converting coffee into code.
Offtopic? Do /. moderators have any sense of humour??
"You lied to me! There is a Swansea!"
I thought that the reason that closed source software was so great was that when you buy it from someone, you've got indemnification? Someone to turn to when it all goes wrong?
So - when it all goes wrong every other day - isn't the point that MS has to indemnify their users, I mean, that's why we bought it, right? If your software goes to shit - then Microsoft will indemnify you if you lose everything important, or if you die when your BMW 740 goes crazy. That's why OSS sucks, right? Cause you get no indemnification?
I like this lawsuit because of this reason, than if no other.. MS is clear in its EULA - MS WILL NOT INDEMNIFY USERS. Not any more than IBM will... or HP will, or any OSS...
other than purchase price - and if that's the case - then wtf don't you start off with free to begin with?
And what's worse - users MAY get indemnification - it's just for a portion of the cost of the product... like $10 for that OEM copy of Windows or $75 OEM copy of Office - since they will be found only partially at fault for the virus/worm problem.
I like this lawsuit because the whole bitchfest about indemnification will be exposed to the light - IT'S TOTAL BULLSHIT.
You get jack-shit indemnification from Open Source software, just like you get it from Microsoft.
guns kill people like spoons make Rosie O'Donnell fat.
...and the businesses that use their software were coastal Alaska, does the sea life have to clean the oil off the shore every time one of Microsoft's products is exploited for its insecurity? Why is a software company treated any differently than an energy company when something happens that involves their product and harms its surrounding environment? It's about time a lawsuit like this came around.
I think the parent is making an insightful analogy. compiled code is to open source as restaurant food is to home cooking..
I would liken oss projects like a microwave dinner (after all you may have added some seasoning for your own benefit but you didn't create it from scratch).. and in that case if you followed the instructions and your tv dinner still made you sick or killed you, who's responsible? you are. because there are governing bodies in place to ensure that tv dinners are approved before you can go to the store and buy one.
perhaps we need the same thing for software. of course compiled code is out of the question (why should code ever be compiled for distribution anyways, just build the compilation step into the OS, the whole compiled code = secure code fallacy needs to be resolved).. anyways I better shut up before I get more flamebait mods today
bite my glorious golden ass.
Yes software should stand up to normal abuse, let's look at cars, ok if you drive it the wheels should not fall off. However should Car manufacturers be responsible for cars being broken into? I left 1000 bucks on the front seat of the car and someone smashed the window, clearly that's Ford's fault for not making the windows stronger. A professional thief can open my car in seconds, I could have a more secure car but it would cost more. So the question is.... has microsoft made a good enough effort to secure their product? Well... probably yes, the problem really is they are the number one target.
James
You mean like how a lot of airplanes are :)
My coworker took me flying the other day, and pointed out that some of the planes have no locks on the doors, and the ignition is a push button... He said that some of the "better" planes actually had locks on the doors and such.
Capitalism does not work with operating systems.
.
Making the BEST os at the best value price means nothing here.
I like that statement you made " Microsoft has an advantage "
Their 'advantage' is that they are criminals that have LOCKED in 99% software makers in this country. So if you're dependent on a certain software then you have to use microsoft
It will NEVER end until the government does what governments were created to do with WHITE COLLAR crime as in ENRON's case . They are created to STOP crime.
And if you say microsoft is not a criminal organization then you're wrong.
Didn't anyone notice the part in the licencing agreement, you know, the one that's been there since the first Bill Gates version of DOS, that says there is no warranty of suitability in any of microsoft's products?
It doesn't get any clearer than that. You use their products at your own risk. They have said this since day one. You may notice that hospitals don't use microsoft products to monitor or run critical machinery, right? That's because... you guessed it... Microsoft has NEVER EVER EVER said that they guarantee their software to do anything correctly or consistently.
People wonder why medical and military equipment seems overpriced. This warranty/guarantee of suitability is one reason. Whenever someone's life is at stake, the software and hardware must undergo a significantly more rigorous testing and validation process to provide the guarantee that it is suitable for a specific task.
Again, check that license from Microsoft, because it's always been there, one of the few parts of the license that never ever changes.
It's kind of like suing a shoelace company if your shoelace breaks and you trip. The shoelace is designed to hold your shoe on, everyone uses shoelaces, and people depend on shoelaces every day. But where does it say that the shoelace is guaranteed to actually DO anything?
Find the part of the Microsoft product licenses that say their products are actually certified to DO ANYTHING AT ALL, and you might have a lawsuit, however you'll find that the license specifically states the opposite.
So the people who actually expected a MS product to work correctly need to quit whining and stop putting all their eggs in one basket. Everyone knew that principle long before the first computer was made and it's no different now. The only people who profit from a frivolous lawsuit like this are the lawyers.
my wife pointed out the other day that the major banks have disclaimers on their safety deposit boxes concerning loss due to fire and/or theft. At first I would've thought that the thing would be more secure in the bank's vaults than at home.
;)
One wonders if you could still sue the bank, since this waiver of liability could be construed as not so different than MS's waiver of liability right?
This man speaks the truth: "if I were on life-support, I'd rather have it run by a Gameboy than a Windows box"
-- Cliff Wells, 2002.03.13, in comp.lang.python (original UseNet article)
This isn't new; many people have had this idea before, including me, but this is the first time I've ever seen a state actually trying to *do* something about it.
California, I admit that I haven't trusted your judgement that much of late, what with your energy scandals, your various boneheaded court decisions, and currently the California recall... but I support and applaud your efforts to hold Microsoft accountable to the consumer again. Who knows, maybe we'll see a Microsoft recall next.
pb Reply or e-mail; don't vaguely moderate.
Personally, I think they (and much of the rest of the industry) should be held liable for pushing all of this technology onto an unsuspecting public that frankly isn't ready for it (or vice versa). The state of the art these days is still such that the grandfathers and housewives and (to a lesser degree) schoolkids of today can't make it work properly.
The automobile began as a toy for tinkerers, then spent a few decades as a luxury for those who could afford to hire those tinkerers, and didn't find its way into the driveway of every home until the technology was actually ready for non-technical users. Computers got rushed into the public's homes much faster, largely by vendors insisting that they were easier to support than they really are. Compounding this has been the strategy of using low-cost components to bring the price - and level of reliability - down.
There's a principle codified in the Uniform Commercial Code that a product that is sold by a merchant (i.e. one whose primary business is involved in selling products of the given type) must be "merchantable," meaning "fit for the ordinary purposes for which such goods are used." UCC sec. 2-314. This is called the implied warranty of merchantability. It may be explicitly disclaimed in a written contract (and every EULA includes a term disclaiming express and implied warranties of merchantability).
Here's the rub: retail software sales are clearly sales. When you go to the store and buy a pc preloaded with MS Windows, or even a boxed copy of windows, you are not presented with a contract at the time of sale. You pay your money and leave with a box - clearly a sale. Only when you boot up your new computer for the first time, or install your new OS do you have these new non-negotiable terms sprung on you without your approval or consent.
First - a "take-it-or-leave-it" contract like a EULA purports to be is called a contract of adhesion. These contracts are enforceable, but courts are generally inclined to take a close look at adhesion contracts where one party has disproportionate power over the other.
Second - In the real world, one party may not unilaterally add to or amend a contract, or impose terms on a sale, without the consent of the other party. (They can try, but the new terms will not be enforceable in court.) "Aha", says Microsoft, "but you agreed! You clicked 'I agree.'" Well, wait a second - what are your alternatives? If you bought a boxed copy of windows, the retailer will not, as a matter of policy, accept a return. So basically Microsoft (and every other commercial software vendor) is saying to you "We already have your money. You're not getting it back. Now agree to these additional terms or get bent." I rather suspect a court, even an extremely conservative one, would take a dim view of this arrangement. (except in Virginia and Maryland, the two UCITA states where click-wrap EULAs are explicitly enforceable.)
And since we're on the topic of adhesion contracts and Microsoft, how about the additional terms they add when you use Windows Update to fix new vulnerabilities? Talk about strongarm tactics - "either accept these new terms or accept that this software which we sold, er, licensed you with network capability (but of course we claimed it was fit for no purpose at all) is no longer suitable for its advertised purpose." Bite me. That's not duress, but it's damn sleazy.
</RANT> Whew. I'm not a lawyer, and none of this is legal advice, of course.
-Isaac
I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
I realize that the EULA of almost all software says if it doesn't work, it's your problem, but what if I run a totally Unix shop and don't have any Micro$oft products anywhere and don't use any, but my services are rendered useless due to high volumes of spam, sql queries, MSRPC calls, large virus attachments etc. all aimed at M$ products. Would I then be able to sue them for the poor quality of their product?
Banjo - The more I know about Windoze, the more I love *nix
If a driver tries to change lanes while another car is in that lane, there is no clippy that jumps up and explains that such an action can cause a crash and perhaps severe injuries.
...
If a tire blows up at high speed, there is a good chance that you end up in the ditch (at best).
A malicious person can hide a bomb inside your car that blows up when the engine starts, killing you outright.
From the article post: "Should Microsoft's software be treated any differently than, say, automobiles?"
Only when software is the cause for either serious bodily injury or death. Using automobiles as an analogy is flawed on so many levels...people need to get a better example.
Software should be treated differently than automobiles. Because it is very different than automobiles! [insert expletive and aggravated shake of head]
Your analogy, sir, is faulty!
~ Aero
I honestly like and use windows everyday (in addition to my mac) and I don't mind their tyranny as much as some people on slashdot, however with the recent trend in really annoying viruses, seriously lousy and slow to respond security patches, not to leave out the fact that windows update got FUX0R3D a while back....I'm coming to the conclusion that I'm fucked unless something changes. But my options are limited by these 2 problems:
1) I can't switch to linux because it does not have the software I run (and no the open source counterparts don't work either)
2) My mac is great, but can only fill about 90% of my daily work activities...there are just "some" things I need a pc for.
With that I'm left to rely on MS to come out with a new version of Xp with some new added feature, but it will still have "SOME" flaw in it. What I would like MS to do is NOT release another version of windows until this one is totally SOLID if that means I have 2-4 more service packs to get in the next year that's fine, I'd rather see that than a new XP-64bit version - SAME DAMN THING AS XP BUT 64bit - lady friggin da
Maybe I'm asking too much....
Ave Molech Setting
My car's manufacturer would be responsible if it was a Were-Car whose headlights turn unsuspecting robots into were-cars that spread the disease exponentially, expanding with each generation.
Microsoft clearly places advertising as a higher priority than security, to the detriment of their subjects^H^H^H^H^H^H^H^Hcustomers.
For a serious analogy, an automaker should be held responsible if their cars could be unlocked and started by tapping the hood a certain way, and the same problem kept recurring in many models despite being absent in competitors' models.
This is not about Winshit breaking down every chance it gets; this is about recurring security issues resulting from vulnerabilities that are never quite fixed.
As for crashes being litigatable, I lost a year's worth of source code when my last Windows machine corrupted its allocation tables. (Then again, seeing as how that got me to switch completely over to unices, I consider it a profit. I guess I can't sue, but I'd love to see M$'s lawyers make the point that I didn't lose anything in the crash because of Linux's superiority...)
You can't judge a book by the way it wears its hair.
It's an all or nothing thing here, can't point fingers and claim immunity..
I agree that gross neglect should be dealt with, but I'm not sure this is the way.
It could ruin the entire software industry, requiring expensive insurance, government licensing, etc...
---- Booth was a patriot ----
I'm not sure if Microsoft's license includes anything about liabilities and what not, but the open source licenses do. I imagine that if Microsoft can be successfully sued, then open source can as well. Personally, I think that anyone who is stupid enough to believe Microsoft's hype and never bothered to consider the downside of using overly-user-friendly software gets what's coming to them.
I want to see them win this suit.
Why?
Because Microsoft winning will completely destroy the "there's no one to sue if it breaks" argument against open source. B-)
And it will rub the PHBs' noses in the fact that Microsoftware is expensively buggy and that risk, which is practically impossible to insure against, comes straight off their bottom line.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
It is my understanding that Class action lawsuits are generally done to the benefit of the lawyers filing the complaint, as they are the ones that usually walk away with most of the $. This is probably a case of some lawyers reading recent security experts' statements to the effect that a homogeneity of computers hurts security, hoping that Microsoft would rather settle for a relatively small sum of cash than a lengthy court battle, and praying that Microsoft's reputation for security would tip the scales in their favor. I do not believe that anything will come of this; Microsoft seems to have its bases covered in respect to liability.
Of course I also thought the SCO v. IBM case would go nowhere too.
Also - IANAL
There is no religion higher than truth.
There should be some law or penalty against meaningless lawsuits. There should be some law or penalty against predatory lawyers. There should be some law or regulation to give the profession of law some credibility.
Liability is a tricky issue. It's really a function of the maturity of our industry.
In 1910 if every single Model-T produced had a defect that caused the brakes to fail what would Ford's liability have been? Probably very little.
In 2003 if a guy is driving drunk at 80 MPH without a seat belt and his tire blows causing him to roll over he can sue the auto maker and win.
At what point did the transition occur?
It's all a matter of professional status. Are the creators of software a professional group (like doctors and auto makers) and therefore liable for the mistakes we make. (Professional status is more than simply getting paid for a job)
It's a tricky question to answer. Has the art of creating software advanced to the point where we can demand that institutions warranty their products for a particular purpose and be exposed to liability if those products fail? Should individuals be held to the same standard?
I personally think we're in a period of transition. Methods exist to create software at a much higher quality standard than is currently commonly available. It's time to start expecting SMALL levels of liability to encourage these methods to be adopted across the industry.
This will encourage individuals to learn new methods. It will encourage corporations to give their developers the tools and (more importantly) the authority to follow practices that produce better software.
If we start down this path maybe someday I won't have to chuckle when someone calls me a "software engineer".
I hope the court grants some degree of liability while at the same time realising that what the industry needs is baby steps, not giant leaps.
There are plenty of other states that will gladly take the companies that you piss off by suing them. Keep it up and you will find yourself both bankrupt AND alienated.
I wonder if the solution to this problem will be crippled software like other consumer goods.
I mean "solutions" like having to step on parking brake before you can put your car in gear or having to press a button on your automotive GPS before you can navigate with it.
Or possibly huge warning labels like you find on ladders or on your car visors.
Who's to say the unintended consequence for this kind of lawsuit could be to have very large popup menus before internet access is enabled each time you use your system or mail is read?
Maybe the outcome will be having Trusted Computing forced upon us?
Should this class action go through the courts and succeed, it sets a hell of a precedent. Specifically, it implies that software should be thoroughly engineered and reasonably defect-free prior to release, with no damaging defects at the point of release. It essentially also says that releasing patches after the fact is not good enough (and that it's not the customer's responsibility to apply them), which causes two minefields I'll try and touch on later.
Trying to enforce defect-free software is a great idea - except that, as we all know, software exhibits weak-link behaviour, and that in turn suggests that you'd need to get rid of 100% of defects to be absolutely certain that no damaging defects exist. You can't over-engineer software in the way you can, say, a building, to protect against potentially damaging structural defects. Oftentimes, over-engineering software makes it more prone to the kind of defect that makes the software useless.
This precedent I perceive in turn means that the open source community - specifically, the people "managing" a given software project - are open to the same kind of litigation as, well, Microsoft are facing. I sure as hell don't want to be sued because my software's not perfect...
As for basically disregarding patches, well, that raises one major issue: it makes the vendor responsible for deploying those, which in turn either requires a "returns" policy on software (unworkable!), or requires that they have the ability to deploy software (privacy issues).
In short, this disquiets me. While I've been waiting for this kind of legal action to happen for a while, and in the long term it'll probably lead to much more reliable, much better software, I don't think the software industry as a whole is really ready for this kind of thing yet. Frankly, we still suck at making reliable software, and that's not just something Microsoft can take the hit for...
"What does this mean for small-time geeks?"
If you write something and it displays font 1 pt bigger than it is supposed to, then probably nothing.
If you are selling software that is supposed to adjust the control rods in a nuclear plant and fails, a lot.
Here is the mandatory automobile analogy:
Your car's tail light goes out just after you take it off the lot, do you sue? Probably not.
They may not be liable to fix it, but probably will. Just like a tiny bug in software.
If you are going home, the electrical system bursts into flame, then explodes, should your widow sue? Yes. I would also say, if it was a known problem that was covered up, executives should go to jail for manslaughter. Possible murder 2, but I have no idea what that is, I just say it on TV.
The Kruger Dunning explains most post on
a) Software is complex, hardware is unreliable, you can never prove that it works correctly.
b) The same is true for hundreds of other markets which do have liability laws.
c) Liability would hurt Free Software a lot (we simply can't afford it, since there's no income to offset any costs).
d) Liability can be limited to gross negligence. It already is in other areas.
e) Liability can be limited by cost, e.g. your maximum liability is sales price times x. No sale, no cost.
f) The EULA clauses are not entirely safe. Depending on local jurisdiction, you can usually not rid yourself of liability completely just by saying so. In most of Europe, for example, liabilities due to intent or gross negligence can not be protected against by contract.
g) Yes, introducing full software liability would put Microsoft out of business within the week. Also most other companies.
h) Not introducing at least limited liability will damage the IT industry in the long run, as it will prevent the move to professionalism and reliability that every mature industry makes. I'm pretty sure the first cars weren't exactly reliable, either.
i) Software isn't the same as automobiles. Differences have to be taken into account.
j) The market place is not a panacea. Especially not when it has been successfully cornered.
k) It may well be one possible solution to decide that since Microsoft enjoys a monopoly position, their responsibilities (e.g. liabilities) are higher than everyone else's.
l) In the end, politicians will decide. In the US that means corporate money decides, in the EU it means party lines decide. Both will turn against software companies and pro liabilities exactly when the other industries have suffered enough from software bugs.
m) Until then, enjoy the show. Write Free Software, especially anonymous distribution systems. When liability becomes law, continue to write Free Software and distribute it through anonymous channels. Crypto signatures and public keys can make two-way communication possible without identifying the author.
Assorted stuff I do sometimes: Lemuria.org
You're preaching to the wrong group. When Standard Oil was broken up, it was split into 20 parts and each part would compete with other parts. When people started talking about breaking up MS, most of the /. crowd thought it would be good to have a MS-OS and MS-application group. That was just stupid. MS should have been broken up into one company that got say excel and NT and a second company that got Word and Flight sim and no OS, and one that got power point and ME/XP or whatever. Too bad none of that ever happened.
As I understand it, with open source software, you own the software when you use it, in the sense that you are allowed to make modifications, and the license does not allow anyone to control what you do with it (modify it for personal use, etc.) With Microsoft's products, you license the program, which may place them at more of a liability for what happens with it. Would that make a difference?
warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.
I'll admit that I am a Microsoft hater. However, unlike most slashdotters who have the "open source good, microsoft bad" slogan as their religion, I am not ignorant (or at least try not to be, heh).
So here's my opinion on this lawsuit. Microsoft creates bad software. It has done a severe amount of harm to the world. However, it only does that harm because people allow it to. Most people know how insecure Windows is, but they insist on using it anyway. I have no sympathy for them when they whine "wheh wheh wheh, i hate viruses".
However, they have committed no crimes. As much as I hate the company, they have all the right in the world to create shitty software. They only continue to do it, because there is demand for it. Supply-and-demand is no crime. As much as I'd love to see Microsoft get sued into the next millennium, let's have it be for an actual crime?
*cough* anti-trust *cough* (Wait, they were sued into the next millennium for anti-trust, literally!)
Hypocrisy is the 8th deadly sin.
Best outcome for the free software guys would be a policy that "If you buy defective software (any SW with any bug), you can return it to your vendor and get your money back.".
I think the oft-seen comparison with the car industry can provide us with some leads:
If your brakes fail for no reason in a new car, clearly the car manufacturer should be held responsible. If they fail because you haven't brought your car in for a checkup in the last ten years, it's your own fault. If you drive into a hydrant at 20mph and the car explodes as a result, sue the manufacturer. If a truck hits you at 100mph, too bad.. it would be a joke to suggest the manufacturer neglected car safety.
To translate such analogies into the language of software and operating systems is of course a huge task. But that's what lawyers are for... let's hope they do a good job for once!
However, the insecurity purposely designed into software (e.g., macros in your documents, automatically running executable email attachments) should be more susceptible to legal action. What is Microsoft thinking allowing any old program to run?
If they can obtain a judgement against M$ for shitty software, then that means that the standard waiver of liability in the EULA is not enforceable, which likely means that the similar waiver of liability in the GPL, etc. is not enforceable, which means that you and I could potentially find ourselves in the same position for something we gave away for free, not to mention the effect it would have on those who run mom-and-pop software shops.
There is a mechanism in place to pressure M$ (and all of us) to ensure product quality: competition.
I think that Windows sucks; but Windows 2000 sucks quite a bit less than 98 did; It seems that M$ has taken notice of the alternatives, and is beginning to come around in terms of security and quality of their software (not saying that they don't have a long way to go, still) presumably due to market pressure.
Besides, look at it this way: I hate Windows because it sucks; If/when M$ improves the quality of their OS (and other software), don't we all win?
I am a Linux fan; but if M$ produces a product that is truly an attractive alternative, from both quality and price standpoints, I am not going to ignore it because of some "religious" viewpoint. (Nor will I bother myself with Windows until they do).
The point is, this is a textbook example of a situation where the govmint should keep out of it, and let capitalism/competition work things out naturally. People are just beginning to be exposed to Linux (and others) as real alternatives; M$ will naturally have to improve, or die.
After thinking about the whole liability issue, and the (poor) comparison to cars, I haven't come up with an answer. With the aforementioned alleged electrical outages caused by worms/viruses (which I give little credence to), it's possible that a voracious worm could shut down a power grid, and someone could die. A couple of people have advocated pulling such vital infrastructure as power stations, hospitals, etc. off of the network, but they NEED to be on the network for monitoring in the case of power plants, insurance record access for hospitals.
The underlying problem is Windows' saturation of the market. Blame whoever you want (Bill Gates, Andrew Boies[sp?], Novell for not developing a real network server), but the reality is Windows is installed on the vast majority of computers, including those in the aforementioned infrastructure.
The solution, whatever that will be, will work itself out in the marketplace. Companies have already started to openly discuss other OSs, and that migration will either make M$ respond by making their software more secure or losing marketshare. It's not going to happen overnight, or even over a couple of years. Windows is so engrained into business, that it's going to take twice as long to get rid of it as it did to get to its position.
I agree that Microsoft has made marketing and growth the one and only priority for their products since the late '80's, to the exclusion of *anything* that would slow their product introduction cycle. The trojan/virus/worm transmission systems named IE and Outlook were brought to market without a thought for the security of their customers. I believe this is inexcusable. I believe the whole experience shows Microsoft's contempt for their customers. (So... If you use Microsoft Windows, everyone owns your computer but you: The crackers get access through Microsoft's endless vulnerabilities, Microsoft gets access because it's their software, and Microsoft-friendly software vendors have their spyware tricks.
It'll be a great day when software companies are held to standards like automobiles by gov't by and for the people.
I for one am tired of this breakneck innovation in this industry. The auto industry has stagnated nicely for the past 50+ years, I think a nice constant is preferred over any sort of change and advancement.
Plus once laws are passed by the US to kill the US tech edge, third world countries or maybe even China or Russia can step in and start making advances in software and run the risk of lawsuits for us!!! Hooray!
If you think lawsuits like this are good hats off to you, you're an idiot. This is a job for the marketplace. Company A makes crappy product, Company B is free to make an uncrappy product, no need to get the gov't involved here people.
-- taking over the world, we are.
Hmmm, I don't know, but in the world I live in, it takes time to fix problems. Especially when you need to test for unintended consequences; it's hardly intelligent to fix one exploit but create a few bugs or exploits in the process. Especially considering these patches need to be installed on mission-critical servers.
Manipulate the moderator system! Mod someone as "overrated" today.
Stupid people like you need to be banned from the internet.
This is ridiculous... if MS Software sucks, STOP USING IT. No one is forcing anyone to use MS software. If it's crappy and full of bugs, use something else. I feel no sympathy for these people.
Confucius say: "Is stuffy inside fortune cookie."
I think that relating automobiles to software is somewhat of a poor relation. For instance, with cars you know that some of them will be in accidents. You can test the cars getting hit from all different directions and make sure that they are safe before they go into production. With software, however, it is nearly impossible to predict what new attacks people will come up with to break your software. Now, I'm not saying that security holes should be tolerated, or that you can't test for them to some extent; I'm just saying that it's not like a car where you can test all the possibilities before it is released.
SIGFAULT
There's a substantive difference between the nature of the failures in software and the car that rolls over - the hacker. The software defect, in and of itself, is not harmful. It is the person who exploits it that is at fault here.
This doesn't excuse incompetence, but as has been mentioned, the market will take care of defects - as long as there is a viable alternative. Who would buy a lock that doesn't keep a door closed, as long as you can get one that can.
It would be a grave error for the software industry in any form to take responsibility for keeping everyone who wants to cause trouble from doing so. No one will win, and software will end up as over regulated and lawsuit scared as airplanes and medical equipment - for the wrong reasons.
Doesn't M$ have a history of penalizing people that report bugs, including pursuing them with legal action ?
No. If they did, the people that find the exploits wouldn't bother reporting them. You'll notice that in a lot of the knowledgebase articles they give credit to the people who discovered the problem and thank them for their help.
...because we all know that that BMW has an undocumented 802.11b device in there somewhere that polls the internet periodically for virii...
I have always said a security exploit is only an exploit when someone takes advantage of it. It is in that moment that the hole becomes a problem.
What is more upsetting to me is simply that computer failure is being compared to automobile failure.
You simply cannot compare the two. They are not only two different ballparks, they are two different games. If a computer fails to be secure because some guy who has a preternatural talent hacks, cracks and compromises the security of a computer system... no one's life is threatened. If an automobile fails to do its task of braking or turning, lives are put at risk. People can and will die in the event a failure occurs because an engineer screwed up. That is inexcusable.
The mere audacity to compare computers, which do not affect the ebb and flow of one's life span, versus an automobile that has to work or people die is just wrong. It shows lack of compassion for life.
For once I am hoping M$ won't get pounded on this one. Someone or something needs to define where the responsibility line is. They would need to categorize software.
Most of the M$ software would probably rank as the most responsible on that scale.....But the line needs to be defined. Otherwise we will have enough lawsuits to go around to keep the bubble growing.
Should Microsoft's software be treated any differently than, say, automobiles?
If software should be protected as free speech, as most everyone around here agrees, then the obvious answer to this question is, Yes.
If Microsoft can be sued for flaws in its software, so can everyone else. And "everyone else" does not have the money to defend themselves. There are many ways to fight Microsoft's monopoly. This is NOT one of them.
Are automakers held responsible when someone breaks into your car using a jimmy or breaks the glass with a hammer? Or pops your tires by throwing nails on the ground? These are security exploits similar to Code Red and SoBig and Slammer and Blaster, etc.
If people didn't try to break into your Operating System, there wouldn't be a problem. Automakers aren't forced to redesign locks or equip cars with shock-proof glass and no-flat tires. Software designers shouldn't be forced to design software to be secure from unauthorized entry. It's a great feature, but it shouldn't be required unless the software is advertised as being secure.
Kinda funny. The title blames Microsoft for "Worm Holes"...
Believing in "marketplace" naturally regulating the quality of products in a market, weeding out the crappy products, is fine and cool. But actually getting off your ass to make sure that "marketplace rules are applied" is quite another business.
In Soviet Russia, our new overlords are belong to all your base.
LOL! When I read your post I spit up my drink.
Gotta love sarcasm.
Can I get an eye poke?
Dog House Forum
The company I work for writes bespoke code to control industrial X-Ray systems (we also build the industrial X-Ray systems). I know that a vast amount of the software we produce is not written securely usually due to time constraints and a certain level of ignorance among our developers about how to write secure code (Book clicky Sun article clicky).
I applaud the exposure that this case will bring to the need for secure code in all applications, but wonder what repercussions it will have if a precedent is set that companies can sue for failures in code security. Will the computing industry become bound by legislated safety (or security) tests that software must pass before it is issued (i.e. as in the automotive industry as everyone is so prone to compare us)?
Not a tirade, just a wondering
Paul Gogarty
Is Ford liable if someone breaks into your car and crashes it into a tree, or steals the briefcase with those confidential corporate documents, or shoots you through the windshield?
Of course not. And Microsoft shouldn't be liable if someone breaks into your computer and crashes your hard drive either.
Ford isn't selling you a bulletproof safe on wheels, and Microsoft isn't selling you a hack-proof OS either. If it's a hack-proof OS you want, there are other (much more expensive) alternatives that will do a much better job of keeping your computer secure.
And inexpensive alternatives, like unplugging the internet connection. If Valve doesn't want people running off with their software, they shouldn't develop their software on a network connected to the outside world.
So yes, Microsoft should be held to the same standard as a car manufacturer, which means that no, they are not liable for failing to protect you from the malicious acts of others.
paintball
Like most I have used windows for years because it was easy, colorful and worked for the most part. About 2 years ago I went away from Windows, using Linux in its variety of flavors. I can without doubt say that these last 2 years have been the most stable my system has known (apart from when it's off).
Microsoft lost their ability to have any impact on my machine & its tasks. For the most part I have worked in IT, being surrounded by computers, or rather operating systems that don't work properly for various reasons. It is true that just about anything is possible in software, but this is no excuse for the millions of windows computers that could fall over any time due to flaws in Microsoft's operating systems or nasty people dedicated to writing viruses/worms that have the same effect.
To use the car analogy, it would seem I would get a more reliable car from Joe down on the corner than the large well known new car yard in the next city. Microsoft has no excuse. They should be held accountable. For example, I have spoken to roughly a dozen people in the last two weeks that have gone and bought themselves a new computer preinstalled with windows XP. All of these people gave me a call because after connecting to the internet for just a few minutes, their PC was either turning off or the connection was unusable.
This is ludicrous. What are these people meant to do with their 'off-the-shelf' copy of windows? Computer retailers are apparently not supposed to patch windows for *known* problems. Has Microsoft ever thought of these people, or are they so busy trying to keep their existing clientele.
I would like for just more people to say that it's not acceptable for wheels to occasionally fall off Microsoft cars regardless of blame, and to go speak to old Joe down on the corner.
"This complaint misses the point. The problems caused by viruses are the result of criminal acts by people who write viruses," said Microsoft spokeswoman Stacy Drake
So MS are saying that it is not their responsibility to write secure software, it's the virus-writer's responsibility not to take advantage of it?
http://blog.nexusuk.org
I'm no fan of MS, but sure, software should be treated differently than automobiles, primarily because people's lives aren't typically at risk from poorly written software (and yes, I can think of instances to the contrary, but this is in general.) However, I see no reason why MS shouldn't be held accountable for financial losses caused by unreasonable security lapses in their software. I'm sure that if MS were looking at footing the bill across the country for all that IS overtime to patch software and fend off viruses, then they might invest a little more time and resources in their products before releasing them.
The problem with that is that, of course, no software is perfectly secure, but there ought to be at least a minimal expectation. After a certain point, one has to wonder what we gain by letting MS off the hook.
--Rick "If it isn't broken, take it apart and find out why."
Tissier made a Citroën CX conversion, with inch-thick windows, armour-plated doors, armour-plated underside, two aircon packs to keep it nice and cool inside, and lots more goodies. Bloody expensive, it was designed for ferrying European diplomats about. It weighed about 3 tonnes, and just looked like a stock CX. It was about as fast as a Porsche 911, too.
Ironically, in the leaked source code for HL2 there are many buffer overflows ready to be exploited.
One such example of this is in net_ws.cpp:
Perhaps, since the game isn't ready for release the buffer overflows were not high on the priority list. But if Valve sued Microsoft for problems in their code, would Valve have several thousand suits coming their way for one of these exploits?
Comparing a software product's price to the hardware it runs on isn't logical. Should we compare the costs of graphics programs to video cards? How about games?
Microsoft's OS is still not nearly as costly as some of the products that run on it. Their Office suite looks expensive, but price all the pieces out separately and see what you have. Don't even go looking at prices on graphics software, web software, and the like, some of it is unbelievable.
Lastly, poor little Apple ain't cheap with their OS either - and you really have less choice on that platform.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
If you give away something knowingly defective ( remember we are discussing negligence here, not simple goof-ups ) you ARE liable for damages...
Free doesn't get you out of legal liability.
---- Booth was a patriot ----
but you won't get hospital staff trying to run the solitaire app when everyone's back is turned.
I really wish the person who modded me as "troll" would post a reply.. I would like to know his reasoning.
-- 'The' Lord and Master Bitman On High, Master Of All
If someone comes and breaks into your car and you try to sue Ford for it, they'll likely get summary judgement against you dismissing the case. Why is this? I mean Ford has to know that the locks on their cars are weak. They could potentially improve them (better locking systems are out there) but at a cost. Well the thing is, a malicious person was attacking your car in an unapproved way. This isn't Ford's fault, it is the burglar's fault.
Or how about if you decide to run your car into a brick wall doing 90 with no seatbelt and die. Is that Ford's fault? Again, no. YOU were the one that were operating the vehicle in an unsafe and approved manner. I'd also notice they know about, and can do something about this, to a degree. An 8 point harness might save your life in that situation.
Well these situations are precisely what happens with computers: Either a malicious person exploits it in an unapproved (and unforeseen) way, or the user does something stupid they shouldn't. Now, since software is something where a fix CAN easily be issued to everyone, it is expected, unlike cars where a fix would cost money on a per car basis (and is therefore only done for faults that occur during normal operation), or sometimes is not possible due to the laws of physics. So, in a way, software has a leg up.
So I'd say the situation is quite similar. People do shit they shouldn't, problems occur. This is NOT the fault of the manufacturer, and nothing they can really prevent. Now, if they neglect to do anything about it, like release a patch, THEN they could potentially be liable, but so long as they fix it, I don't see how anyone can reasonably claim them to be at fault.
Also, for the rest of you, please remember before you start pointing at MS, our law doesn't allow for laws to be made against one specific company. A law like this would apply to ALL software, including the small dev houses and the free software. Please note the recent OpenSSH and SSL exploits and think on if those products could afford to exist if they had civil liability for that.
Why should proprietary software makers be held liable and OSS makers not liable? The answer is simple. OSS is open for examination. There are no "hidden" defects (unknown perhaps, but not hidden). Proprietary software is not open for examination and may contain hidden defects. You have to take the vendor's word that proprietary software does what it is advertised to do and nothing more. You are relying upon the vendor's word, so that should carry some legal responsibility for the vendor. OSS should not carry a warranty because the public is free to find and fix the defects themselves. You don't have to rely upon the distributor's word. You can examine it (or hire somebody to examine it).
I think this case will fail, ultimately, because it is too extreme, it seeks too much, it demands a huge stretch in interpretation of existing case law. But a ruling holding MS liable (and possibly the entire industry) to a REASONABLE standard of quality and care would be a positive change. To use the auto analogy, perhaps something along the lines of lemon laws that force the manufacturer to actually fix problems rather than inconveniencing the consumer with repeated half-assed repairs.
I agree with your main point, however. MS is currently the biggest blip on the radar, but whatever arsenal we develop to take them out will subsequently be used on smaller blips. MS should duck their profit margins long enough to rebuild a more stable base, one of the differences between their OS and others is the others have the luxury of avoiding the mistakes MS has already made. MS is still building on the same buggy platform. The biggest difference, tho, is that MS is the biggest target, the one kriminals are gunning for. Once they're out of the picture, those same miscreants will be focusing on other systems, and they will find holes, and they will exploit them.
-RI1
If you're a monopoly, then the government should be setting some special rules for you to abide by. A sort of guarantee of quality of service, I believe. Utility companies, for example, can't behave in the same manner as shoe manufacturers because you can always buy a different brand of shoes. But the local electric company has to run its business according to some government standards, since consumers have little choice but to use that company's electric service (I'm ignoring the differences between electric suppliers and the company that delivers it, which could be two different companies).
Which takes us to Microsoft. They've been declared a monopoly by the US government, so they really do need to get a different set of rules to follow in the areas where MS is a monopoly (web browser, desktop OS, and perhaps office suite). I know you're probably thinking that there are other choices, but for most people, using an alternate OS is akin to building a windmill for your power supply - not for the average consumer.
The electric company has to maintain a certain quality of service. A city block can't go without power for two weeks, and we can expect to not experience wildly fluctuating power levels coming out of our outlets. Likewise, MS, as a monopoly, needs to supply a product that doesn't put us at higher risk than, say, one of the many competitors the company has illegally muscled out of the industry. Sure, it sounds tough, but MS brought this on itself, and it isn't nearly as tough as the challenges it put forth to all its former competitors.
I really hate signatures, but go to my website.
Because it is open for examination the user is free to examine OSS and find any defects. With closed source, you are forced to rely upon the vendor's representation, so liability should follow.
30s? Business computing is only a decade or two old... It is still very experimental. I think people that incorporate computers into their business systems should expect to take a few arrows.
love is just extroverted narcissism
>Especially to free software ?
1. Free software does not advertise on TV directly to consumers stuff like "the unstoppable NT," "now easier and more secure than ever" etc.
2. Consumers are fighting a convicted monopoly, something free software isn't. This is probably the biggest reason why this class action has legs. MS is a monopoly. They're held to a much different standard.
3. Free software involves no purchasing thus most consumer protection laws don't apply. Fuzzy legal ground here, but things get more serious as money is added to the equation.
4. It's all relative:
All tires in the world will break down at a certain point. If they happen to break after six months of purchase in large amounts that doesn't spell doom for the tire industry it spells doom for the company that made them.
If MS is found to be negligent or below typical security standards with its OS, ActiveX/IE, IIS, protocols, design etc as compared to other vendors then there's an argument to be made that MS is manufacturing a crappy product. If not, if MS is up to par with everyone else then the case should be thrown out on those grounds alone.
I don't think the above is unreasonable, software may be a little different than manufacturing widgets but a junk manufacturer making false promises is still a junk manufacturer.
Software is property (according to IP law)
Software can be a complex system, inviting best practice to be used. That at least is what happens in the automotive sector. Software paranoid process.
Why shouldn't it be treated in all those respects as just the same as any other goods that are sold. Companies under contract law can still disclaim most things except where negligence causes harm or death.
There's better protection for consumers though.
I like OS X. I use it on my home PC every day.
But perhaps you missed the OpenSSH exploit that was "fixed" by the 10.2.8 update that was later pulled for various reasons.
Why wasn't this a big deal? Well, it appears that 3% of the market brings with it only 3% (if that) of the l33+ h4X0rZ, and even if a hacker wrote something, well, there aren't that many OS X boxes server-side with SSH turned on -- not nearly as many as there are Win2k boxes with MS SQL Server!
Rock solid software is nearly oxymoronic. After working for three different companies and even releasing my own trialware, I've yet to see anything past some well written versions of Hello, World! that fits that bill. And if you're not rock solid, well, by defn you're a little flaky. I've been impressed with OS X so far, but be careful not to give out your IP when you post that it's unhackable.
(As an aside, I've heard it said that Windows was initially written without a network in mind (makes sense... how often was your box online when you had 3.1 installed?) and that some security holes -- even more importantly, the whole "insecure mindset" people sometimes get from Windows -- are left over from legacy code that hasn't been refactored. Security is something of a mindset thing. OS X, and this is probably your point, took a server-side OS (*BSD) and rebuilt on top of that. It's by design a better network OS, though a previous poster's ref to Win98 "Lite" is a good counterexample of how "insecurity through incest" can be easy to fix.)
It's all 0s and 1s. Or it's not.
Windows 2000 isn't better than 98 because of anything Microsoft has done for *security*, but because they've replaced the macintosh-inspired kludges between DOS and the Win32 API with NT. Win32, which is where far too much of the security is implemented, is no better than it ever was.
... application-level firewalls composed of restricted environments that do not include an escape mechanism for attackers to exploit ... they will continue to suffer from continuing security failures.
So long as Microsoft refuses to establish hard firewalls between secure and insecure data in Windows
This is an interesting article for debate. I feel that MS should NOT be treated differently because MS sells products based on their "security" for business needs. The problem lies in that no one has really had the balls to take on a corporate giant due to the lack of monetary backing. MS has lawyers out the wahoo, and you think I'm going to go a couple bouts with them? That's nuts. I'd lose, no matter what I did. However, I feel that if MS is going to churn out crap and sell it like it's gold, it had better work right. I won't buy a product where security is its pinnacle marketing ploy and have some 13-year old script kiddie whack my system because Billie-Boy Gates didn't check a buffer on a remote service that was enabled by default. Thanks Bill. Instead, they should disable most services and have them enabled by the end-user JUST LIKE THE WONDERFUL OS, REDHAT. If MS is going to crank out an OS that is NOT dependable, then, the first line of the EULA it should state, "FOR ENTERTAINMENT PURPOSES ONLY".
-- Game Developers: Stop porting badly-textured games from crappy console systems!
Yes it's the driver's fault and it's the car's fault AND it's the car manufacturer's and driver's mother's fault if there's MS involved anywhere near them goddamnit!
Preserve old classics: copy your collection onto all hard drives.
consumers want Windows and Office.
No they don't. They want a computer with a word processor. Microsoft simply manipulated the OEMs such that Windows and Office were the only choices in a certain price range (read: below Apple/Sun/SGI/etc. but above going without). OpenOffice.org/StarOffice is beginning to seriously change this.
Healthcare article at Kuro5hin
This is a great opportunity for MS to promote Palladium and maybe even to get it to be required by law.
-- Cheers!
While I would definitely agree that from an operational (and non-crashing) perspective, 2000 and XP are noticeably improving on previous versions, from a security perspective more recent windows versions have been abysmal. One of the problems is the practice of having internet-accessible server daemons (or whatever MS calls them) as part of the OS, and turned on by default.
This especially comes with what seems to be poor testing before initial releases, and other plagues of problems. We're not debating as to whether 2000/XP are nicer from a usability standpoint, but that usability becomes moot when your system decides that it's going to spontaneously reboot, or clog your network/internet due to the latest virus based on a dumb exploit.
Uhm, although I already commented on how funny your comment was, I must also point out that Microsoft has in the past distributed their software with Virus(es) included, nfo files from warez groups and a few other misc goodies. There have been a great many mixups with what gets distributed from Microsoft.
I would be worried if I knew my car ran Windows. I'd be even more worried when they start selling underground roms that change settings. Remember they do sell car chips that tweak fuel efficiency and power output.
I can see the headlines now
"Rice Rocket Crashes on Rise! Microsoft releases Windows CarOS SP1"
Can I get an eye poke?
Dog House Forum
Dan Bernstein has a $500 guarantee that no security holes will be found in qmail or djbdns:
http://cr.yp.to/djbdns/guarantee.html
http://cr.yp.to/qmail/guarantee.html
WMBC freeform/independent online radio.
How many people go out and buy a retail, separate version of Windows? Very few; most people use it because it's what comes with their computers, and they complain about it constantly. Of course, they associate Windows with PCs, so they complain about "the computer", and the slightly more informed ones complain about Windows but will never switch.
WMBC freeform/independent online radio.
As a perfect example of software not being perfect, slashdot decided to munch part of my last post ... resubmitting ...
// data = char * passed into function
;)
:) I personally think that it is poss
So you think buffer overflows, for example, can never be 100% avoided?
Do you think all buffer overflows are as simple as the following code?
char * foo = new char[255];
while (*data != '\0') *foo++ = *data++;
They're not. The scary thing is that the above code could very well be guaranteed to never overflow if the data * passed in is guaranteed to be less than 255 chars. Someone later on 20 steps removed from this function may change that, suddenly causing a buffer overflow. But this type of overflow is very easy to detect and fix. It gets harder when you have different modules interacting with the same piece of data from multiple threads. There are also buffer overflows caused by integer overflows. And so on, and so on, and so on. There are hundreds of books written on the topic describing how to prevent, detect, and fix buffer overflows. And none of them are the size of a pamphlet. They're usually textbook sized. If it was an easy problem, the books would not be long, and there wouldn't be many of them written.
You're also crazy if you don't think that a company like Microsoft doesn't take measures to fix and correct problems similar to the reported problem. The number of potential exploits fixed during the development of Win2k3 was well in excess of 10k if I remember correctly. When a flaw is discovered, all you can do is learn from it, fix it, and try to make sure it doesn't happen again. The latter involves writing tests to verify that a regression doesn't occur in the future and writing tools to scan for similar problems. Code reviews can be employed, though it's of dubious value after about 4 people who know the code look at it (code reviews are all but useless if they're being performed by someone unfamiliar with the code in question, and studies show that the number of defects found after 4 people look at it fall off sharply -- the studies also correspond with my personal experience in the matter, for what it's worth).
I don't see a level of diligence any where near approaching that
And what level of diligence can you see? All you see are the patches. You don't have any insight about what goes on inside the company, or what they do to catch or prevent these sort of problems.
But I don't think it's acceptable for a manufacturer to simply wash their hands of any responsibility
A manufacturer washing their hands of responsibility wouldn't bother to fix their product at all. There is a difference between responsibility and liability.
we don't accept that in other walks of life and I still don't see a good reason that the same principle shouldn't apply to software
Sure we do. When you buy a new car you have a warranty for x miles or years against defects (analogous to how long a particular piece of software is supported). After that warranty expires, if a part fails due to a problem on the manufacturer's side (ie: not normal wear 'n tear) you still have to pay to get it replaced. Even if the part does fail under warranty, you will have to make arrangements to get your car back to the dealership (usually at your own cost; higher end cars/dealerships will tow your car for you and give you a loaner though). When you buy a cheap radio and one of the knobs fall off, most people don't do anything about it. When you buy a shirt and a button comes off after the 2nd time you wash it, can you take it back to the store and get a replacement? Sure people bitch about it, but they don't DO anything about it. And if they tried they'd get nowhere anyway.
I'll also retract what I said in my first post - your reasoning is lucid, it just isn't convincing (to me, at least
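The comment above gives an unbounded copy loop into a 255-byte buffer and mentions overflows caused by integer overflows. The following is an added C example, not part of the original thread, showing a bounded form of that copy and a checked size calculation. The function names, the 32-bit record-size scenario and the sample inputs are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FOO_SIZE 255 /* same buffer size as the loop in the comment */

/* Bounded form of the copy loop: the callee enforces the limit itself, so a
 * caller "20 steps removed" that starts passing longer data gets an error
 * instead of a write past the end of dst.
 * Returns 0 on success, -1 if src (plus its NUL) does not fit. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t i;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    for (i = 0; i + 1 < dst_size && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    if (src[i] != '\0') {   /* input was longer than the buffer */
        dst[0] = '\0';      /* fail closed: no silently truncated data */
        return -1;
    }
    return 0;
}

/* Integer-overflow variant: a byte count computed in 32 bits wraps, so the
 * size that gets checked is far smaller than the data that follows. */
uint32_t size_wrapping(uint32_t count, uint32_t elem)
{
    return (uint32_t)(count * elem);
}

/* Checked multiplication: returns 0 and stores the product, or -1 on wrap. */
int size_checked(uint32_t count, uint32_t elem, uint32_t *out)
{
    if (elem != 0 && count > UINT32_MAX / elem)
        return -1;
    *out = count * elem;
    return 0;
}

/* Copy `count` records of `elem` bytes; both the multiplication and the
 * destination size are validated before any byte is written. */
int copy_records(unsigned char *dst, uint32_t dst_size,
                 const unsigned char *src, uint32_t count, uint32_t elem)
{
    uint32_t total;

    if (dst == NULL || src == NULL)
        return -1;
    if (size_checked(count, elem, &total) != 0 || total > dst_size)
        return -1;
    memcpy(dst, src, total);
    return 0;
}

int main(void)
{
    char foo[FOO_SIZE];
    char long_input[301];                 /* constructed sample input */
    unsigned char recs[16] = {0}, out[16];

    memset(long_input, 'A', 300);
    long_input[300] = '\0';

    printf("short input: %d\n", copy_bounded(foo, sizeof foo, "hello"));
    printf("300-char input: %d\n", copy_bounded(foo, sizeof foo, long_input));
    printf("65536 * 65536 in 32 bits: %u\n",
           (unsigned)size_wrapping(0x10000u, 0x10000u));
    printf("copy_records, wrapping count: %d\n",
           copy_records(out, sizeof out, recs, 0x10000u, 0x10000u));
    printf("copy_records, 4 x 4 bytes: %d\n",
           copy_records(out, sizeof out, recs, 4, 4));
    return 0;
}
```

With the wrapping multiplication alone, a count of 65536 records of 65536 bytes yields a total of 0, which passes a naive "fits in the buffer" test; the checked version rejects it before anything is copied.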