Slashdot Mirror
Lawsuit Against Microsoft Over Insecure Software
Cinematique writes "Reuters reports that a California-based lawsuit alleges the Redmond software giant produces software with little concern for security and that their products are highly susceptible to, "massive, cascading failures." Should Microsoft's software be treated any differently than, say, automobiles?"
Valve might want to take a look at this lawsuit considering their potentially devestaing loss reported earlier today. According to Gabe Newell, from whom the source code of their latest was stolen, a hacker gained access to his machine "via a buffer overflow in Outlook's preview pane." Read his entire message here.
"I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
The problem is : if Microsoft is judged responsible, what would happen to others in the same situation ? Especially to free software ?
{{.sig}}
How long before SCO joins in and sues Microsoft? "Your honor, this code is so crappy, it *clearly* had to come from us!"
Perhaps an "incentive" could be established for commercial software manufacturers to not throw in that horrid clause in their EULAs disclaiming all liability.
Hopefully the decision will be intelligent enough to exclude free, take-it-as-it-is software.
Use ISO 8601 dates [YYYY-MM-DD]
Besides, every time I see an exploit, it's after Microsoft has already issued a patch. This would seem to suggest that they aren't as responsible for the problems as many seem to think they are; as soon as they're aware of an issue, they fix it. Maybe they could design the stuff secure out of the box, but they'd be the first manufacturer to accomplish such a feat.
Stop using it if it's a problem. There are alternatives now.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
It specifically says in M$'s TOS that the software is not to be used for any life-critical applications. In fact, QNX is the only compnay that will license software for life critical stuff. Microsoft also has a non-responsability clause in their TOS. This is going to be a long, drawn out fight, like the one against tobacco companies.
Statistically, one could probably claim that Microsoft products have killed people in an indirect manner.
Sig (appended to the end of comments you post, 120 chars)
What are the costs to the user when software vendors are held to the same reliability standards as auto makers?
Should there be differentiation between operating system stability and application stability?
What responsibility does the user have for securing their own property?
How will different countries answer these questions, and what is the implication for US software vendors if there are 80 separate standards of culpability for an operating system?
And since I should have at least one answer, the speed of light is slower in materials with a higher index of refraction.
Any ruling making Microsoft liable could be used by the legal system as a precendent to make ALL software companies and/or individuals who produce software *personally* liable damages arising from use. This may look like a "we've got 'em now" scenario, but it might come back to bit us.
Later, GJC
Gregory Casamento
## Chief Maintainer for GNUstep
With the horrible network congestion and system compromisation that has come with the recent rash of massive MS worms, you do not have to have agreed to a EULA in order to be harmed by Microsoft's poor design and blatant disregard for security.
In other words: it has reached the point where even people who are not Microsoft product users are harmed by Microsoft's irresponsibility. The messes created by the holes in MS products make EVERYONE a possible target for collateral damage.
I'm up for some MS-bashing as much as the next slashdotter, but this isn't the way to beat Microsoft or get them to release secure code.
Capitalism holds the answer - provide a better alternative that takes away their market share forcing them to improve or be left behind. With them being a monopoly, this problem is far greater in difficulty, but progress is always being made. Free software is getting viably close to many of the roles that many people use Windows for.
I'd rather wait for that to happen than have another frivolous lawsuit like this. I'll feel better about the successs of better software all around if MS gets to be better because of competition from free software getting better.
-N
I've nothing to say here...
At first I though that this could be a very interesting case for many points. But its central argument appears to be poorly constructed. They are suing microsoft because their monopoly makes their insecurity a bigger problem. I'm all in agreement with the "monoculture is bad" argument for many reasons, but you can't sue someone for being a monopoly, or for the bad effects being a monopoly. Companies can only be held accountable for leveraging a monopoly, and this case has already been heard and decided on. The fact that we know more bad stuff that can happen because of their monopoly does not provide any more evidence that they are indeed leveraging their monopoly, so why do they think bringing them to court again over the same issues will result in a different ruling. Do they really think they have more resources and motivation to pursue this than the US and state governments combined?
The other two claims are the interesting ones. Can software writers be held accountable for damages caused by flaws in their software? Even if they put an "anti-warrantee" in their license? (I hope not) Are click-through licenses agreements valid in this case? These are all question that would have to be asked.
Severity isn't the only issue. If your automobile was faulty in a way that caused it to safely pull over to the side of the road but it wouldn't restart for half an hour, you'd still see recalls for lost time and money.
The danger here isn't just that it feeds a lot of lawyers, and isn't making software manufacturer produce less buggy code -- that's something that's been needed for a long time.
The danger is that someone like MS says "OK, we'll accept liability, but only if it's our software, running on our operating system, with no additional code on the system that we didn't install, and only on hardware we approve of, and we end up with even more of a monopoly.
Here in Australia we take things into account like the price of the goods and the purpose for which they were intended. You're not, for example, going to have much luck suing someone over those $2 scissors you were using to conduct major surgery, but you may succeed with the $200 surgical variety.
Now if MS were happy charging a reasonable (given the price of hardware, say, $100 - 10% of a machine's value rather than $1500 and 150%!) price for their software, and weren't running around trying to force their way into everything with a processor then they'd probably be safer from such claims than they are now.
Back in the 1980s, a Japanese worker was killed by a robot on an assembly line due to a software failure. And robot control systems are very throughly tested before a new model of robot is released. Microsoft is trying to muscle their way into the embedded marketplace; do you want software that has plenty of known defects/security issues running your robot?
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
Notably, lawsuits can be filed for things that just cost tremendous amounts of money. Case in point, the supposition that the Halflife 2 beta may have been leaked through an Outlook preview pane exploit, as other
Of course, this all begs the question "why the hell were the nuclear power plant, train system, and half-life build system connected to the internet in the first place?" Folks, here's a gigantic hint: software is insecure. If you want something to be secure, take it off of the fucking intarweb. The nuclear power plant just doesn't need Fark that badly. Let them read it on their PDAs.
Like the people maintaining those systems don't know better.
StoneCypher is Full of BS
All software sold today is sold as unsuitable for any purpose. It says that, right in the license. So claiming your software is insecure is moot; you didn't buy secure software. You just bought some crap off the shelf and expected it to meet your needs. It didn't; and nobody's surprised.
But this case is even worse than that -- It involves Microsoft's ware, which is known to be insecure. It's in the news every single day. Trusting your corporate secrets to of-the-shelf software is just stupid, doubly so for MS ware.
Not that this wasn't entirely predictable.
you'll notice the case seems to hinge on Microsoft's monopoly status.
... I don't know. Since I'm not a lawyer, this is where the case falls apart for me.
If they did not have a monopoly on desktop computer systems, this type of lawsuit wouldn't be a problem for them. Since, due to all sorts of vendor lock-in promoted by Microsoft itself, it is difficult for users to pick a different desktop, the lack of security in their software ( i.e. buffer overflows everywhere )
But maybe a monopolist which continues to abuse it's position _should_ be held to a higher standard than others ? Is it not arguable that MS has the resources required to audit all of it's code and fix such issues ? Maybe not technically true, but arguable in court...
well, for the joke that sprang to mind immediatly:
It goes;
A Mechanical Engineer, Marketer and Programmer were driving in the mountains, when the car's brakes failed and they crashed into one of the breakdown barriers (big mounds of gravel to stop trucks).
The Mechanical Engineers says, "I will look under the car and determine why the brakes failed, and how to fix it so it does not happen again".
The Marketers says, "I've got to tell the car company, so that word can get out if this needs to be a recall notice".
The Engineer and Markerter look at the Programmer who says, "I think we should push it back up the hill and see if we can get it to crash again".
Think about it... this seems very close to Microsoft's Mentality: all windows users are crash test dummies.
Case(s) in point: The remote code execution in Windows Media Player that allowed content to be executed (similar to the MIDI flaw in dx9.0a and below) was fixed in 6.x versions and re-opened in subsequent versions, not once, but at least 3 times!
The RPC vulnerability wasn't fixed until the second time, hence the need for *another* patch because Microsoft had not FIXED the vulnerability, just enough to protect against the first exploit.
(little dutch boy story ring a bell, mr pavalov?)
And their strategy for integrating everything into the OS is actually driving XP users back to 98se.
Yes, 98se where the IM client, browser, outlook express, media player, passport and another half dozen things aren't integrated into the OS (as proven by 98lite).
Why?
It *annoys* the piss out of people.
Wonder why?
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
Though I am adamantly opposed to shrinkwrap "licenses," the one thing they do that I happen to agree with is the disclaimer of liability.
Writing solid software is hard. Writing solid software to run on cheap, unreliable hardware is even harder. Though we ridicule software vendors, crashing software is a fact of life. One day, new technologies or engineering practices may appear to make writing reliable software easier, or to allow the user to "reverse" the machine back to the last known good state so they can at least save their work. But for now, software is flaky and, undesireable though it may be, users need to plan appropriately.
That said, however, I believe there should be an exemption to the liability shield. Off the top of my head, the following factors should be considered to determine if liability should apply:
The scale of each factor would be weighed to determine whether the software vendor should suffer liability. This standard should be set fairly high. If a company is consistently pro-active in correcting bugs, releasing patches, and informing users; or the failures are comparatively minor; or their products exhibit failures on a comparatively rare basis -- in other words, if they are clearly a good, conscientious citizen of the computing community -- then the vendor should escape liability. OTOH, if a company can be shown to persistently use flawed methodologies and designs, and they regularly ignore bug reports until the excrement hits the rotary impeller, and the bug can cause widespread havoc, then the vendor should be exposed to liability.
Needless to say, Microsoft's 25-year history of releasing junk and not giving a $#!+ about it should be a reasonable foundation for a liability suit.
Schwab
Editor, A1-AAA AmeriCaptions
...and the businesses that use their software were coastal Alaska, does the sea life have to clean the oil off the shore every time one of Microsoft's products is exploited for it's insecurity? Why is a software company treated any differently than an energy company when something happens that involves their product and harms it's surrounding environment? It's about time a law suit like this came around.
It shouldn't be held to the same liabilities as an automobile. An automobile has the potential to hurt or kill people in it if it has defects. It is the responsibility of the auto company to make sure their cars will not hurt people due to their engineering flaws. In the case of Windows, no one is stopping you from using another operating system if theirs is not stable enough for your use. I think you should be able to get a refund if their software doesn't do what it says it can and then move to Linux, OS X or whatever else you would like to use. Suing MS for bad software is like saying you cannot use something else. I use something else so why can't California?
Yet automobile manufacturers are also sued for nonhazardous situations. I think Toyota was sued for premature engine failure due to sludge build-up. I think suing Microsoft is more in line with this thinking.
Using your logic, there is no expectation of fitness for use for software at all. You can have all the features in the world. Just don't expect to use them.
'Use something else,' you say. How would you like your car "Microsoft" dealer to tell you that after you discover your car is a lemon? Oh, by the way, all the other manufacturers cars don't work on Microsoft Roads. And there is no refund.
This man speaks the truth: "if I were on life-support, I'd rather have it run by a Gameboy than a Windows box"
-- Cliff Wells, 2002.03.13, in comp.lang.python (original UseNet article)
> the story on shacknews for example on how valve got trojaned..
> why on earth did they keep using software they knew was suspectible to be trojaned?
To me, this is the place responsibility needs to lie. It's the people who choose systems that are *known* to be bad for important things. Find the forces that "made" them use Outlook and there is a first line of blame.
If a power plant uses MS Windows or Linux for a critical system and it blows up, it's the person who made that call who should be held mostly responsible due to negligence.
If manufacturers are making claims that their systems are secure, or are useable for critical work, then that's probably a case of false advertising and should be dealt with as such.
Valve should be looking to see if its own staff were negligent first. Who was responsible for choosing a known bad, internet connected, system for storing very important data?
Just the same as if I left a printout of the source code in the local pub by accident. If it was an Outlook exploit, then I don't see this as any different fundamentally.
If you have a multi-million dollar asset, you should put some effort into protecting it. Not blame HP for letting you print it out and leave it in the pub.
If I was working on the source for Doom 4, you can be damned sure I wouldn't keep it on my internet connected debian box.
- Muggins the Mad
Should this class action go through the courts and succeed, it sets a hell of a precedent. Specifically, it implies that software should be thoroughly engineered and reasonably defect-free prior to release, with no damaging defects at the point of release. It essentially also says that releasing patches after the fact is not good enough (and that it's not the customer's responsibility to apply them), which causes two minefields I'll try and touch on later.
Trying to enforce defect-free software is a great idea - except that, as we all know, software exhibits weak-link behaviour, and that in turn suggests that you'd need to get rid of 100% of defects to be absolutely certain that no damaging defects exist. You can't over-engineer software in the way you can, say, a building, to protect against potentially damaging structural defects. Oftentimes, over-engineering software makes it more prone to the kind of defect that makes the software useless.
This precedent I percieve in turn means that the open source community - specifically, the people "managing" a given software project - are open to the same kind of litigation as, well, Microsoft are facing. I sure as hell don't want to be sued because my software's not perfect...
As for basically disregarding patches, well, that raises one major issue: it makes the vendor responsible for deploying those, which in turn either requires a "returns" policy on software (unworkable!), or requires that they have the ability to deploy software (privacy issues).
In short, this disquiets me. While I've been waiting for this kind of legal action to happen for a while, and in the long term it'll probably lead to much more reliable, much better software, I don't think the software industry as a whole is really ready for this kind of thing yet. Frankly, we still suck at making reliable software, and that's not just something Microsoft can take the hit for...
If they can obtain a judgement against M$ for shitty software, then that means that the standard waiver of liability in the EULA is not enforceable, which likely means that the similar waiver of liability in the GPL, etc. is not enforceable, which means that you and I could potentially find ourselves in the same position for something we gave away for free, not to mention the effect it would have on those who run mom-and-pop software shops.
There is a mechanism in place to pressure M$ (and all of us) to ensure product quality: competition.
I think that Windows sucks; but Windows 2000 sucks quite a bit less than 98 did; It seems that M$ has taken notice of the alternatives, and is beginning to come around in terms of security and quality of their software (not saying that they don't have a long way to go, still) presumably due to market pressure.
Besides, look at it this way: I hate Windows because it sucks; If/when M$ improves the quality of their OS (and other software), don't we all win?
I am a Linux fan; but if M$ produces a product that is truly an attractive alternative, from both quality and price standpoints, I am not going to ignore it because of some "religious" viewpoint. (Nor will I bother myself with Windows until they do).
The point is, this is a textbook example of a situation where the govmint should keep out of it, and let capitalism/competition work things out naturally. People are just beginning to be exposed to Linux (and others) as real alternatives; M$ will naturally have to improve, or die.