Slashdot Mirror


Creative Zens Ship with Worms

An anonymous reader writes "Engadget reports about 3700 Creative Zen "Neeons" shipped with a virus. The virus in question was the W32.Wullik.B@mm worm. Creative released a statement today to help consumers pinpoint the possibly affected devices."

16 of 354 comments

  1. Product Liability by Monte · · Score: 5, Interesting

    Ouch - that's going to be a black eye. It isn't the first case of software shipping with malware, though; IIRC there was some kids' game on CD that included a Bonus Virus inside.

    Now a comment and a question for the peanut gallery - it's always been a pet peeve of mine that software companies aren't held to any real sort of accountability for shipping product that is clearly flawed. They hide behind the "shrink wrap" license, and (at least IMHO) get away with murder. Imagine if GM or Ford or Daimler-Chrysler put such a waiver of liability on a sticker on the doors of their new cars. The courts would tear them a new one so fast it'd be like lightning.

    The question - what sort of liability does Creative have in this case, and what's fair recompense for shipping a clearly flawed product where said flaw has the possibility of harming the user's computer, data integrity and / or privacy?

    How much is enough? Should Creative be given a hard enough pranging to get the attention of other software manufacturers?

    Personally, I say "Yes". GM spends a hell of a lot of time and energy making sure their brakes work, I'd like to see software companies (and you all know exactly who I've got my sights on here) make sure they ship product that isn't horribly broken right out of the box.

    1. Re:Product Liability by GauteL · · Score: 2, Interesting

      People dying is only the most extreme form of defective product for which manufacturers are liable, not the only one.

      You can be sued for compensation if some stupid design flaw in your washing machine causes it to burst and spill water all over your apartment.

      You can be sued for compensation when some daft design flaw causes your vacuum cleaner to explode, ruining your carpet and possibly causing some minor injury to yourself.

      Likewise, requiring some license that excludes you from any compensation AFTER the product has been purchased is a despicable business tactic that should never be allowed.

      Requiring a license BEFORE you purchase or download is different, but this should still be very limited if you are actually paying for the product.

      Because of the sheer prevalence of people with the intent to mess with your computer when connected to the internet, some limitations to your responsibility are in order, but real, stupid flaws that really should have been discovered before sale should require compensation for loss of productivity, limited loss of files, etc.

      Backups of important stuff should be expected from the user, but purchased DRM content that does not allow backups certainly should be compensated for.

      In particular decent terms should be required from companies having a monopoly on some product or service, requiring you to purchase from them even if you don't like their license.

      Software is highly complicated, but so are many other types of engineering. The worst and most blatant flaws should make the software producer accountable.

      When giving away some product however, you should be able to totally remove your accountability except for intentional breakage (malware for instance), as long as the user is made aware of this properly.

    2. Re:Product Liability by Rayaru · · Score: 2, Interesting

      Clearly, death is worse. However, when a virus/worm/whatever brings down a business's whole network by exploiting some unknown flaw in the operating system, that business stops working if they rely on computers for communication, sales, customer service, etc. This can impact not only the economic well-being of the company in question, but also the livelihoods of each of the employees of the company. Again, it's not death, but it's still something significant that deserves attention.

    3. Re:Product Liability by TheViewFromTheGround · · Score: 3, Interesting

      Though very rarely, strange shit like this happens. I had a friend who brought home his clothes from the laundromat compressed together in big bags. The clothes (particularly the metal pieces) were hot enough from the drying that they set fire to the bags, which should have burned out but set fire to some paper, which resulted in his apartment slowly catching fire. The resultant fire and (mainly) smoke damage, his lack of insurance, and his slum-lord landlord meant his family almost wound up homeless. Shit happens, but weird shit happens, too.

      --
      Online citizen journalism from the inner city: The View From The Ground

    4. Re:Product Liability by firewrought · · Score: 2, Interesting

      It's always been a pet peeve of mine that software companies aren't held to any real sort of accountability for shipping product that is clearly flawed.

      What makes you say that Creative's product was clearly flawed? Perhaps the virus was introduced by the CD manufacturer right before it went golden master. Perhaps they ran antivirus scans but--due to a subtle interaction between a bug in the antivirus product and a temporary network glitch--the latest virus definitions were not used. Perhaps Creative did due diligence at every step of the way, only to have their product intentionally compromised by a disgruntled employee with a bump key.

      That said, let me approach this from another angle. The average commercial software ships with ~3000 bugs in it. Most of them don't matter, but you will occasionally encounter some that do. Pain, frustration, and potential monetary loss will result. We could avert this with extensive over-engineering (like we do for the space shuttle), but as a result we would not have all the great functionality that's readily available on today's computers. Imagine: the web might not exist within your lifetime. Militarily, industrially, and socially, we'd still be stuck in the 70's or 80's. With no economies of scale, computers would still be rare and expensive.

      Fortunately, the market is smarter than you (not you specifically, but people who advocate software liability for non-critical systems)... the market has rewarded vendors who produce more functionality at lower quality. That's not to say that the market has got it perfect, but there are reasons why things are balanced the way they are. (As an aside, I would argue that open source software--not being so strictly subject to traditional market pressures--can occupy a wider range of the quality curve. That's probably a part of why it's so successful in the server market.)

      I think the ideal solution to this would be to have a set of methodology standards which software vendors could claim their software adheres to. E.g., the consumer could determine for themselves if they want to buy a grade-B word processor or a cheaper grade-C word processor. The vendor would only be liable for not following the methodology they claimed. It would be difficult to set up such a system without locking developers into specific methodologies though, and there's no guarantee that methodologies produce software of uniform quality across different software markets. (E.g., the methodology you would use to design a high-quality automotive subsystem probably doesn't have the amount of user-interface testing you would want if trying to design a high-quality video game.)

      --
      -1, Too Many Layers Of Abstraction

    5. Re:Product Liability by sjames · · Score: 2, Interesting

      Software product liability tends to get much more complicated than for most products. Some of that is due to the complex interactions between different software and user environments, and some of it is simply because users, judges, and juries have no understanding of the issues involved.

      In part this is because everything in a computer can potentially interact. Hanging a pair of fuzzy dice on your rearview cannot result in a brake failure, but installing a funky screensaver CAN be the reason your spreadsheets all went corrupt. It can even be part of the event chain that causes the HR department at your best friend's employer to lose employee records (or it might have been that weird Chinese-looking email Joe in sales got last Tuesday). Next thing you know, everyone is playing "Who to Sue" and "The Blame Game". So now we have thousands of apps with only a degree or two of separation over the network and everyone has at least three conflicting opinions of where the problem started. It was probably the freakish porn the PHB downloaded, but nobody but him knows about that.

      It doesn't help that in any given situation, many lawyers will start with a reasonable enough response, then embellish and overreach until it becomes a monument to outrageousness.

      In this case, there's plenty of blame to go around. Creative should have kept much tighter control over the software load, users shouldn't be doing everything as 'admin', MS should make that a more reasonable proposition, when you're running Windows, you should be using anti-virus software, etc.

  2. That's why Win32 in a factory is a bad idea by SysKoll · · Score: 4, Interesting

    This is exactly why having Windows machines in a production process is a bad idea. You never know when a worm, virus, trojan or other beast is going to interfere with your fabrication, the files or the hard disk imaging.

    IBM is running its new 90-nm microelectronics fab (in Fishkill, NY) entirely on Linux. So if it's feasible for a plant of that complexity, it should be feasible for a small assembly plant such as Zen Creative's.

    --
    Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/

    1. Re:That's why Win32 in a factory is a bad idea by ajs318 · · Score: 2, Interesting

      We hear this all the time from the Windows apologists {and if it were true in the general case, there should be more attempted attacks against the web server with twice the market share of its next competitor, but there quite clearly aren't}; but the fact remains that Unix-like systems -- and that includes Linux -- are by design more secure than Windows, and Open Source systems in general are by design more secure than closed-source systems. Linux supports privilege separation and hardware abstraction by default, and it forces you to use them.

      Also, the only applications which could be a viable vector for virus propagation are closed-source ones. The open source ones are being looked at by the good guys as well as the bad guys, and the former outnumber the latter.

      --
      I smoke. You smoke. We were!

  3. I guess Zen doesn't run Linux by AndroidCat · · Score: 5, Interesting

    Come to think of it, how does this worm manifest itself on a player device?

    "W32.Wullik.B@mm is a mass-mailing worm that attempts to send itself to all the contacts in the Outlook address book. The worm makes numerous copies of itself in random locations, and moves to a new location when Windows Explorer browses to the folder from which it runs. It can spread to floppy disks and shared network drives under some conditions."

    I doubt it executes on the player itself. Can it infect the PCs that you connect the player to for syncing?

    --
    One line blog. I hear that they're called Twitters now.

  4. oopsies by theheff · · Score: 3, Interesting

    It'll be interesting to see how both the consumer and the company react to this situation and to see how public this could get. If damage is actually done here from the defect, who would be liable? Oh the joys of transitioning into the digital age...

  5. Where was their QA? by flajann · · Score: 2, Interesting

    I thought QA was supposed to catch this type of thing, I mean really.

    I can't imagine how something like this got into the production image unless there were a lot with their thumbs up their anal orifices that day...

  6. Re:Not the first, won't be the last by aed · · Score: 2, Interesting

    I have NEVER had a virus, trojan, spyware, etc.

    How can you tell, if you don't run an up-to-date virus scanner?

  7. Not just Windows by RAMMS+EIN · · Score: 4, Interesting

    ``This is exactly why having windows machines in a production process is a bad idea.''

    Although Windows has a deserved reputation for being susceptible to viruses and break-ins, this problem is not unique to Windows. Any software written in unsafe languages (like C and C++) is bound to contain exploitable vulnerabilities. Any system that allows the user to run software that they bring to it is susceptible to trojans.

    AFAIK, no current operating system is both usable and provides adequate protection mechanisms against viruses. A fine-grained permission system might help, though. Allow the MP3 player's software access to your music directory, but nothing else. Allow the word processor access to your documents directory, but nothing else.

    I wrote a utility called chrootexec that allows you to run a program in a chroot jail (it cannot access files outside that directory). It's basically the same as the chroot command, except that you don't need to be root to use it (but it does have to be installed suid root to work).

    However, some programs (file managers come to mind) need access to many directories to be useful. These will still be exploitable.

    --
    Please correct me if I got my facts wrong.
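
    The chrootexec utility mentioned above is not on the page. As an added illustration of the same idea (this is example code, not RAMMS+EIN's chrootexec), the following C program is a minimal setuid-root wrapper that confines a program to a directory with chroot(2) and gives up root before the exec. The function names, the ownership check on the jail directory and the usage are all assumptions of this example.

```c
/* Added example, not the poster's chrootexec: a minimal setuid-root
 * wrapper in the same spirit. Installed as root:root mode 4755 it lets an
 * unprivileged user run PROGRAM with JAILDIR as its root directory, then
 * drops back to the caller's own uid/gid before exec. All names here are
 * assumptions of this example. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The jail root must be a directory that the calling user cannot modify:
 * owned by root and not writable by group or others. Otherwise the user
 * controls what the confined program sees as its filesystem, which is
 * the classic way a setuid chroot helper is misused. Returns 0 if the
 * directory is acceptable, -1 otherwise. */
int check_jail_dir(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != 0)
        return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -1;
    return 0;
}

/* Permanently give up root: clear supplementary groups and set the gid
 * first (both still need root), then set the uid last. Finally confirm
 * root cannot be regained. Returns 0 on success, -1 on failure. */
int drop_to_real_user(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* If we were not root to begin with, setuid(0) must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* chdir into the jail before chroot, and chdir("/") afterwards, so the
 * working directory never points outside the new root. Needs root, so
 * this fails with EPERM when the binary is not installed setuid. */
int enter_jail(const char *dir)
{
    if (check_jail_dir(dir) != 0) {
        errno = EACCES;
        return -1;
    }
    if (chdir(dir) != 0)
        return -1;
    if (chroot(dir) != 0)
        return -1;
    if (chdir("/") != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s JAILDIR PROGRAM [ARGS...]\n", argv[0]);
        return 2;
    }
    if (enter_jail(argv[1]) != 0) {
        perror("enter_jail");
        return 1;
    }
    if (drop_to_real_user() != 0) {
        perror("drop_to_real_user");
        return 1;
    }
    /* PROGRAM is resolved inside the jail, so the binary and the
     * libraries it needs must already exist under JAILDIR. */
    execv(argv[2], &argv[2]);
    perror("execv");
    return 1;
}
```

    Two points a practitioner would check before deploying anything like this: the order in `drop_to_real_user` matters (uid last, then verify), and the ownership check in `check_jail_dir` is what keeps a setuid chroot helper from being turned into a privilege problem of its own. As the comment above notes, chroot only limits the filesystem view; a program that legitimately needs many directories, like a file manager, gains little from it.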
    1. Re:Not just Windows by RAMMS+EIN · · Score: 2, Interesting

      I can't speak for the others, but OpenBSD and QNX definitely don't protect you against trojans. If you choose to run some software, it can delete any files you can delete. If you run someone's Makefile or post-install script as root, it can delete any file on the system.

      Also, although the software in the OpenBSD base install has been audited, this (1) doesn't mean there aren't any vulnerabilities in it, and (2) doesn't protect you against any additional software you install. Someone could still exploit a vulnerability in a CGI script or interpreter and delete all files on all websites on your system.

      --
      Please correct me if I got my facts wrong.

  8. Death vs. Back Door. by Chaotic+Spyder · · Score: 2, Interesting

    While I totally agree with the concept I don't think your argument holds up.

    If brakes fail on a car a person dies, while if an OS has a hole privacy is breached, and data is corrupted. This is not quite the same level of damage (although I'm sure there are cases which go both ways.. I'm speaking in general here).

    The problem is, if a new Honda Civic were to wait in storage for 2 years it would still be allowed on the road, and would be in better condition than the greater population of the cars out there. While if you wait 2 years for an OS, things change so rapidly that the OS needs to be patched right out of the box.

    Beyond that there are a lot of people (or very few very good people) who aim to destroy software and find vulnerabilities. Correct me if I'm wrong, but unless murder is your goal, not too many people target cars so they become a hazard to the owner.

    With that said, I do believe that something like shipping a product with a virus, which brings us back to TFA, is something that really needs to be followed up on. Creative got caught with their pants down here and I am curious to see what the final result will be.

    --
    Losers whine about their best, Winners go home to fuck the prom queen

  9. Actually happened to a former employer of mine. by Nick+Driver · · Score: 2, Interesting

    I once worked for a software developer in the Dallas, TX area who had a mainframe development side, and a PC development side. I worked on the mainframe side of the house, and thus didn't have to concern myself with the PC stuff, which was relatively new at the time. One of the PC developers shipped a software update to one of our customers, a big law firm, which also had a large Novell PC network in their offices. The PC software was infected with a virus, because the PC programmer was habitually visiting BBS's to download pr0n and games while at work. This was in the days before even dialup Internet was widely available. Well, the virus spread all over the law firm's network, and they simply hired an outside network security contractor to come in and clean everything up. They handed a $30,000 bill to my employer for the contractor's fees, plus another bill for $100,000 in lost work due to unavailability of their network. My employer at first refused to pay either, but after consulting with their own attorneys (at an additional expense of probably a couple $K) paid both bills since they were told there was about a 75% chance that they'd lose and the court would award triple damages. The programmer whose fault this was, was fired... not for the virus, but because they (allegedly) caught him sleeping at his desk in the middle of the afternoon.