Negligence and Open Source
icing asks: "With the story about the Melissa trial, some people argue that Microsoft is partly to blame. Negligence in making a product safe to use cannot be excused. And again, software is compared to real world things like cars and how car makers could not get away with what Microsoft is doing. Does not the same argument apply to makers and distributors of open software? Could makers or distributors of Open Source be held liable? Under which conditions? Or do we have a double standard here?" Hmmm...a touchy issue. What are your impressions?
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
So no, no one can be held responsible for anything their GPL'ed program does. I don't know how the BSD license works, but I would assume some sort of similar constraint.
Jeremy
Looking for a Python IRC bot?
I think the best analogy to use in this case is something like kit airplanes. If you buy a whole, complete airplane from a manufacturer (closed source) and it blows up in midair, you naturally and rightfully blame the company that made it. However if you buy a kit plane, put it together yourself, and the engine drops out of the plane in midair, you have only yourself to blame.
So, following this analogy, closed source companies should be held liable, because some things are hidden from the consumer, and open source companies should not, because the customer is able to see _exactly_ what they're getting. This would encourage many companies to switch to an open source model, don't you think?
---- The devil is in my pants! Look, look!
By selling the software to an individual, Microsoft should have a responsibility to make "safe" software. Comparing it to auto manufacturers is reasonable. Microsoft should hire "software engineers" who are professionally licensed and insured to sign off product as safe.
Open source on the other hand shouldn't have this responsibility because it is given out for free. The responsibility exists with the individual who implements the systems. If I designed a car and left the drawings open source, I would never be held liable for the car if it proved to be a defective design. If I sold the designs, I would.
If someone else sells my free drawings, maybe they should be liable as well.
News for UW students
As for the issue at hand, I don't think anyone, even Microsoft, should be held responsible for such bugs. C'mon, all programs are going to have problems; just because one of the bugs happens to have more risky consequences doesn't mean that it is any worse than a bug that is relatively harmless. It shouldn't be considered "negligence" - it should be expected by users of the program.
On the other hand, both Microsoft and Open source programmers should be prepared to either a) fix bugs or b) publish them as soon as they are notified of them.
This is not the case with Microsoft's non-disclosed-source-code software - they don't give the customer the power to check or fix their negligence, thus the negligence is all theirs.
True Open Source in general declines warranties because the software is distributed gratis or at very low cost. Of course, you have the option to make a contract with a support provider who might provide you warranties against negligence. I don't think it's likely that a provider of gratis software, Open Source or not, would be found liable for damages he explicitly disclaims. I'd like to hear of any cases where this has happened.
Thanks
Bruce
Bruce Perens.
Comparing a design by Microsoft (or any other desktop/server software company) that has a flaw in it to a design by an automobile company that has a flaw is a poor analogy, in that a flawed automotive design has the potential to cause loss of life or limb. Desktop and server software doesn't put the customer at the same risk.
Christopher A. Bohn
cb
Oooh! What does this button do!?
While both open source and shrink wrap licenses disclaim liability, what about support contracts? When a security hole is known, especially when it is reported to the company providing the support by someone with a support contract, I would think that the courts would be much more likely to find that company liable if they made no attempt to remedy the problem or at least warn their customers of it.
The net will not be what we demand, but what we make it. Build it well.
Let history repeat itself. It took car manufacturers well over 20 years to start incorporating safety features into their vehicles, but until that happened, the only people complaining about how unsafe cars were were the people who cleaned up after the accidents (i.e. doctors, nurses, etc).
This all changed with the Nader report - and the publicity it generated in the media and the public eye.
What needs to be done is to increase people's awareness of how bodgy the Micro$ server code is, and how only the micro$ exchange servers were the ones that were affected adversely by the Melissa virus...
Since the design criteria for Java were published, there is a clear source available warning of the dangers of allowing arbitrary pieces of code to be executed without the knowledge and consent of the user. Setting the security switches that would prevent this to the choice that allows it to happen by default is only slightly better than providing no way to turn it off. In essence, designing a way for arbitrary pieces of code to be sent to a machine and executed automatically is designing in a security flaw. That is an error of commission, not one of omission.
The net will not be what we demand, but what we make it. Build it well.
As it stands with current licenses, I think you can't blame anyone, at least not legally. However, maybe the 'we are not responsible' clause should not be allowed if you sell the software... Dunno the legal implications, but it seems reasonable.
If you are only selling the medium, I suppose you aren't liable.
There have been several posts claiming that Open Source software has less necessity for security, or safety. That the GPL somehow exonerates OSS in some way that the MS EULA does not. All of this is bunk.
If OSS software is really a general purpose solution then it must meet as stringent a security requirement as any other such solution. For all of those Linux evangelists out there, we can't claim security as an advantage in one sentence, and then claim less responsibility for it in the next without sounding silly.
What Linux does have is a better testing system, a more heterogeneous and reliable user base, and a significantly better bug response method.
The concerns about safety, be they virus propagation, data integrity problems, or uptime/essential systems issues, are the responsibility of the system's administrator. Any system can be made secure by a careful admin, and any system can be made unsafe by running unknown (read closed) software.
The reality is that computers are so complicated that admins (for that matter developers) cannot go through the code checking all cases in some perverse proof of correctness. Making software engineers sign off just means that someone who really isn't responsible for having a buggy or defective piece of software can be canned for the zealous marketing and management of his company.
If a company claims that a system is secure - e.g. NT according to MS or perhaps OpenBSD - then the company could be considered liable if:
a) It fails to take reasonable measures to make sure that said product is secure.
b) Refuses to respond to security issues as they arrive.
The software you buy is always as is. Beware.
The liability should be on a product sold. With RedHat etc you paid for the packaging, not the development of the software. If something is wrong with the software that RedHat caused by the way they packaged it, or could have prevented by a small change in packaging, then they should be liable; but if the problem is a flaw in the software RedHat did not develop (or developed and gave away) they should not be liable.
If you buy a Compaq computer with Windows preinstalled you still paid Microsoft, not Compaq, for the software. But if a defect in Windows is caused by the way it is installed then Compaq, who installed it, is liable.
The open source developer who codes and gives away his software sold nothing and is liable for nothing unless he makes claims to the fitness of his software.
Basically Microsoft might be liable for selling a defective product or a product with an unreasonable security defect. Since open source developers do not sell any product they can not be held liable for that non-sale.
Giving away a defective product is (at this time) not subject to liability.
This may change over time with businesses selling support instead of product, but for now if Microsoft is found liable for selling a defective product it could boost open source a great deal.
Sell product and be liable for defects, or sell support and let the userbase be responsible for the repairs.
But again, even in open source you're liable for claims, so if you claim a product is bug free you could put yourself in a position of being even more liable than if you had sold the software to start with... Sold product can get away with a few defects so long as it can be shown to be reasonable.
I don't actually exist.
It's important to note the fact that Microsoft is a corporation and most open source developers are individuals, and there aren't many developers that have formed open-source based corporations, relatively speaking.
When you speak of liability I assume you mean money. If Microsoft is held liable for whatever they have done, generally the only penalty would be monetary; at worst they might be broken up.
Since Microsoft (and most corporations) are pretty big, the penalties don't do all that much damage. It is extremely rare for a government body to come out and say "you have been found guilty, your company will cease to exist, your assets will be liquidated."
When we get to individuals, however, monetary damages can seriously impede your ability to do anything, such as programming, and oftentimes people are thrown in jail (fraud, malpractice, whatever). Bill Gates is most certainly not going to do jail time, even if it were proven his company has broken numerous laws with him knowing it. When you have a number of individuals developing a certain product open source style, with no business relationship, who would be held liable anyway? Try to single out who wrote the offending lines of code? It's not that simple and our law system doesn't cover this very well to my knowledge.
Is there much software out there that has a warranty anyway? I haven't seen any...you basically accept it "as is" as far as I know.
Anyway, I think the bottom line is that open source software is much, much more accountable to begin with than Microsoft will ever be for plainly obvious reasons: it's simple to determine what's causing the problem.
You can be held liable for whatever you promise, which is why most open source software has a clause something like:
>> This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
If you read the EULA from Microsoft, I'm pretty sure that they have a similar clause, much to most people's surprise. Then what are you actually paying for, you might ask. Well, that's the good question ;)
The car-makers have a responsibility of making cars *reasonably* safe, according to government regulations. They are not required to stop your kids from driving into brick walls using your car. They are however required to make sure your car doesn't fall apart or stops breaking when you want it to etc.
There are no such rules (yet) for software. The vendors make the rules, and the vast majority of customers/consumers simply neglect this fact and *expect* that there is some sort of reasonable agreement behind it all, just like when they bought their car.
Open source licences are usually very cautious to ``warn'' people of the possible dangers that lie ahead when using the software. And some people may even pay attention because ``there's gotta be a catch with gratis software after all''. I think this is a pretty good way to handle things.
There could be some sort of either regulations or at least some rule that software vendors should state LOUD AND CLEAR what they promise and what they don't. Pretty much like the warning messages on cigarette boxes.
:) This would probably not change the promises or the software, but it would make the general public aware of the lack of promises they actually get from spending huge cash on closed source software.
Mr. Perens has (as usual) an apt comment. Disclaimers:
1) IANAL
2) I am not directly associated with Open Source Software.
The concept of due diligence is hyper important. In fact, a finding of negligence is essentially a finding that due diligence was not performed.
What I have seen of Open Source indicates that the people who work on it are extremely "diligent" where bugs of all kinds, not just security bugs, are concerned. When one is reported, generally someone gets after it right away, to (1) confirm it's there (2) figure out what a fix should be and (3) fix it. This is an historical pattern, I believe, and could be substantiated by lots of testimony.
Note that the Law doesn't require that the bugs actually be fixed, or that the fix be better than the bug was. Due diligence simply means that all reasonable methods were used to conclude what the problem was and how it might be fixed, and to fix it if it seemed warranted.
Note that in the Pinto and GM Truck cases mentioned above, due diligence broke down -- the companies involved concluded that the problem existed, but that it wasn't economically justifiable to fix it, that is, the necessary fix would cost so much that it wasn't worth it. The Court, in general, is hostile to this view, to say the least.
There's also the matter of 'deep pockets' and political correctness. Even with all the malicious hacker stories in the press, you still wouldn't get very many lawyers willing to sue some 26-year-old nerd for negligence in fixing a software bug; defense lawyer starts telling sob stories, and it's likely to turn the whole thing around -- plus, how much are you likely to get? An Open Source programmer isn't likely to have much. Companies like Red Hat theoretically have money, although most of it's virtual, Stock Market valuations that probably couldn't be realized. With BMW payments to make, how many will chance it? Microsoft on the other hand is known to have a pile of real cash, easily converted to your Actual Folding -- just what a plaintiff's lawyer likes to see.
So no, I can't see open source being in much danger from negligence suits for software bugs. It isn't an attractive target for such suits, and a fairly strong defense is on hand. Bill & Steve might should sweat it.
Regards,
Ric
Yes, this is a double standard. Let's examine why.
First, the Melissa virus is possible due to the dominance of one specific piece of software on the average user's desktop. The only open source equivalent to this kind of dominance -- that I know of -- is sendmail. It is not the same for a variety of reasons, but let's continue on for the sake of discussion.
Compare the closest open source equivalent "virus" -- again, that I know of -- that happened with sendmail to the Melissa macro virus. You will notice two interesting things. First, the CERT advisory for Melissa states: "This macro virus is not known to exploit any new vulnerabilities." Second, note the options they give for correction: block the mail, utilize virus scanners, and encourage users to disable Word macros. The free software solution would be to fix the problem at the source -- pun intended. In a free software environment the option to fix the problem is available, whereas in a closed source solution it is not. You have to wait for company X to fix the problem for you, and in the meantime get by with blocking, anti-virus programs and the like. Since this problem is not new and any user that buys Microsoft products has to wait for them to deign to fix it, it would seem that there is a powerful argument for some culpability on Microsoft's part.
There are of course the issues that other people have mentioned here: no warranty, free software is not a "product" sold by a business (let us remember companies like Red Hat make money off the service, not the CD), etc. However, I think this is the central point. They have different standards because they are not analogous. You are not comparing like things.
Or to put it another way: Sure, a "thief" is responsible for his own actions. However, if I entrust the security of my home to some company, it seems quite reasonable to say that if someone steals something because that company left my door open, the company is also at fault.
For free software, you use it with the understanding that you are not entrusting anything to anyone so the same standard does not apply.
Cheers.
I'm having some difficulty understanding the distinction. All I know is, it keeps locking up, crashing, going to sleep and then refusing to wake up, or refusing to let me log off or shut it down. And I've had to reinstall the damn thing more than a dozen times in the three months or so I've had it. You call that working? I don't. It's a crock. It's cost me thousands of pounds in lost productivity. And I don't consider an admonition that I should have bought NT to be a sufficient defence. If they're going to sell Win98SE and charge GBP140.00 for it I think we've a right to expect it to work without significant problems let alone hourly disasters.
Consciousness is not what it thinks it is
Thought exists only as an abstraction
With Open Source software, there is typically no warranty as to the quality or fitness for a particular purpose. But that's OK because the user is not required to pay for the product and is permitted to inspect it and modify it should the quality or suitability be lacking.
The GNU license permits a seller (who is not necessarily the developer) to offer warranty protection. Which means that if you want someone to blame, you just have to find someone who is willing to sell such warranty protection for a given product.
The Microsoft model doesn't permit the user to inspect the software and make improvements. Nor does it create a business model for third party vendors. What I mean is, you could sell warranty protection for Microsoft software but you would be crazy to do so, not having any power to actually resolve an emerging issue.
In other words, there is fairness in the Open Source world. I'm not going to guarantee that this program works, but neither will I twist your arm with a draconian license that doesn't permit copying, withhold the source code from you and charge you good money. If you are going to pay money to me, then, unlike say Microsoft, I'm going to stand behind the software.
To me, the issue isn't that MS is the bad guy and OSS is the good guy, but rather the response to safety and security "issues".
I think that due diligence for software faults lies in a) acknowledging problems when they occur, b) fixing them rapidly, or if not possible, at least suggesting a workaround, and c) releasing the fixes or workarounds to the customer as quickly and publicly as possible.
Open Source Software has a tendency to do all of these reasonably well. More and more, OSS projects are having publicly accessible bug tracking databases, reasonably fast turnaround for security bugs, and a fast enough release cycle (esp. for patches) to fix most security bugs rapidly.
With things like BUGTRAQ, CERT, and other mailinglists and security-advisory sources, most Unix-based systems (Linux, *BSD, Solaris, HP-UX, etc) are fairly good at reacting quickly to a known problem -- the RTM Worm woke them up to the foibles of ignoring security issues -- and they do do a decent job of alerting their customers.
Microsoft isn't entirely negligent -- a quick scan of BUGTRAQ showed a lot of MS-related security bugs, and many of them had MS patches. I think where MS fails is making those patches known to the public.
Another possible pitfall for liability is negligent design -- designing something that should be obvious is a problem. From a "real world" security standpoint, this would be like putting a dimestore lock on a bank vault.
This is where I think that fundamental differences between OSS and MS come to the foreground. A very large percentage of OSS software is designed to run on Unix-like systems, where underlying OS security issues have been considered, studied, and beaten on for nearly 30 years. It's very hard to accidentally code a general system exploit for a program designed to be run as a user. And if an exploit is discovered on purpose, it's a bug in the OS, and is treated as such. Among other things, this creates -some- inherent resistance to viruses. Unix security is generally good, but not perfect. Unix has a reasonably high-quality lock on the bank vault.
On the other hand, MS Win95/98 isn't really designed with security in mind. At a fundamental level, the OS is open to any meddling that any program wants to do. On top of that, MS has added "features" that become reasonably trivial to exploit to create security issues -- MS Word macros, ActiveX controls, etc.
For years, security experts have been telling people that the "Good Times" virus is a hoax -- that you can't get a virus from just reading an email, you have to run a program to do it. MS managed through their "features" and "enhancements" to make "Good Times" possible.
It's like MS, not content with putting a dimestore lock on the bank-vault, decided to put a plate-glass window on the vault so people could see their money from the sidewalk!
I don't think I have a double standard with regard to negligence, but I think that, in general, OSS software tends to meet my standards more than MS does.
As you will be reading in the news in the next few days, Hotmail was down because passport.com went down (passport.com is used to authenticate users). Passport.com went down because (listen carefully) Microsoft was late paying the $35.00 domain registration fee to Network Solutions Inc. and NSI removed the IP from the DNS. Even the big guys have to pay their bills.
We're not ragging on MS. They do a good enough job of tripping on their own feet (read: MS Bob). We're just around to point it out when they do.
It's possible to have a powerful macro language that also has a good security model. Microsoft failed in its due diligence by ignoring security rules that have been observed in computer science for decades when they made the decision to deploy VB into an application it wasn't designed for.
If I sell you a bill of goods but don't misrepresent it - and give you opportunity to validate my claims - well buyer beware.
That is counted as your stupidity.
If I sell you a bill of goods but I did misrepresent it and you really had no chance to validate my claims - you have me to rights.
That is counted as my taking advantage of you.
OSS is no different than selling used cars. I can sell a used car without telling you about some problems and it is your problem if you buy it from me. What? You are not competent to identify those problems? Sorry - that is why you have the right to get the car inspected by an independent mechanic or to bring in a friend. If you didn't do that, that is your problem.
So whether or not you have the skills to evaluate software, you can hire someone with said skills, so failure to do so is your problem, not mine.
Cheers,
Ben
You gain the right to redistribute my software.
I gain the guarantee that my wishes are respected regarding the distribution of my works.
Read the GPL closely, you don't need to agree to it to use the software, only to distribute it. In other words it isn't the act of downloading that is the point of agreement, it is the point of putting it on your ftp site.
Cheers,
Ben
What is this word "consumer" you use... the whole point of GPL and other such licenses is freeness. If software is free you're not buying it. And 99.9% of computer usage is not quite as important as a life, which could be put at stake by this loose seatbelt. The other 0.1% generally writes their own software. The writers of those pieces of software are always held accountable, they lose their jobs if their software fails.
Restating the obvious since nineteen aught five.
Don't you ever get the urge to tell the license lawyers to stop shouting? ;)
Damn straight! When someone buys Microsoft products, they know what they are getting into. All this whining about Microsoft products executing arbitrary code sent to them has been going on for years. When these products first came out, it was Microsoft's fault. But it's old news now. If you buy a known defective product with the expectation that when (not if, but when) it blows up, you can just sue the maker, then you are the negligent one. These products all come with a warning label in huge letters: the Microsoft trademark. How can a person possibly pretend they were ignorant of the danger?
I bet more people know about Microsoft these days than even the Ford Pinto.
The best way to improve software quality is for people to start taking responsibility for their decisions. If you buy an Internet product for your company from Microsoft -- a company with an established reputation and a known and consistent track record of repeatedly making horribly defective product after horribly defective product -- then you should get fired. It's as simple as that.
For people to keep blaming their problems on Microsoft is immoral. It's 1999 and if you're still using Microsoft products, then you deserve what's coming to you.
It's like you buy a '74 Ford Pinto, and it blows up and kills your son. That's bad, and it shouldn't have happened. You go to the pub to drown your sorrows in beer, and everyone else is also talking about how their Pintos also blew up and killed a loved one. Then you buy another Pinto. It blows up and kills your daughter. You buy another one, and it blows up and kills your wife. Who is your wife's ghost going to haunt: Ford, or you?
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I think it should all come down to whether the software was guaranteed or not. If software is sold as "Super-Secure Server" and there's a thing in it that says "May not actually be secure and probably isn't" then I dunno, it gets confusing and these things should be decided on a case-by-case deal. Let's say software says it will do something and there's a line in the license that says "Not guaranteed to serve a particular purpose"; then that line isn't really valid, is it, because there's somewhere else (whether it's in the license or not) that says it does such and such. Of course if it doesn't do such and such, you should be able to sue for the price of the software. Back to case-by-case, that's how it should be. I could see a situation where someone is learning to program and puts a program up that says "OK I'm trying to get it to do such and such and it works for me and you can try it if you want"; then that's not a guarantee. A license shouldn't be able to contradict itself. That's that. Whoa, you read my rant! :-)
Restating the obvious since nineteen aught five.
Disclosed source-code, however, sounds so ugly. Open is such a pretty, pleasing pair of syllables, so fitting to name a company with....
Not being Mr. Perens, I can't say for sure, but it seems to me that he used "Disclosed source-code" rather than "Open Source code" purposely, since there is a difference between the two. His arguments apply to any situation in which the source code has been disclosed. This source code, however, is not necessarily "Open Source." For example, code licensed under the SCSL (Sun's not-quite-Free license) is disclosed to the user, but not Open.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Sometimes it makes sense to talk about that without licensing coming in to the picture.
You are correct that all cases of non-disclosed source code are probably proprietary. But my argument didn't rest on the license being compliant with the Open Source Definition, so there was no point in bringing Free/Proprietary into it.
I hope that makes it easier to understand.
Thanks
Bruce
Bruce Perens.
Difference: A combination lock claims security. Microsoft win98 doesn't.
Restating the obvious since nineteen aught five.
In the U.S. I think negligence gets you triple damages in a lawsuit, while simple liability gets you just damages, but IANAL and it's no doubt more complicated than that.
Thanks
Bruce
Bruce Perens.
Wait: here's another analogy :-). I create software that makes my toaster work better. My friends all say "Great, can I have a copy" and I decide to GPL it and put it on my public ftp server. I no longer use my new toaster software, when I discover a proprietary product that I like better. I take it off of my ftp server, but it's still on other people's ftp servers because it was GPL'd. People continue to use my toaster software because it's nifty and they don't want to have to pay extra on their toasters. It turns out there's a bug in my toaster software that makes one out of every 1,000,000 toasters explode. There is no way I could've known about the bug beforehand, as I stopped development. There is now no way I could patch it, as I'm no longer the source for my popular toaster software... it's all over and no one looks at my ftp site anymore now that it doesn't have the toaster software. Even if I released a patched version, which I wouldn't because I'm no longer the developer, no one would use it... all the ftp sites have the buggy version. So toasters keep exploding, but I can't be liable. Someone point out any flaws in my logic please.
Restating the obvious since nineteen aught five.
Bruce
Bruce Perens.
The main differences between open source and commercial software on this matter are cost and claims. Let's look at a few points:
It's akin to claiming to make an impenetrable door. Selling the customer a version with a doggie-door and plastic hinges instead. Then strong-arming the contractor into installing it with built-in plate-glass Windows. Then charging the customer for shutters, metal hinges and, oh yeah, a lock.
Linux is the alternative. It's free, and everyone knows (and keeps repeating) that it's written by the community. The quality disclaimer is implicit - it's written for fun, in spare time, by people who know (and love) what they're doing. You can look inside the door jambs and see how reinforced it is. You can put in a steel plate if you want - and there's plenty of people willing to tell you, and help you, get it done. For free.
Not only are you able to do this, but you are encouraged to do this. And, if security matters to you, you are given the means to take responsibility for the security of your system. This way, the responsibility is divided. You can check that the developer did his job, and if not, or if your needs differ enough to make it a special case, then you can remedy the situation.
With closed software, you are not given the choice of taking responsibility. Logically then, the full responsibility rests squarely on the shoulders of the people who made the product.
If you don't like Linux, you can go out back, drag home one of the reinforced BSD doors, and hoist it into place yourself. The cost? Your time.
The cost of securing an OS, be it from a big closed-source shop or from some freak in a Bazaar, is time. In the case of the former it's also money. And you don't get to see why it needs securing in the first place so you end up guessing or taking a priest at his word.
In the case of the latter, you can pore over the code to find the flaw, fix it and take it back to the freak. He won't give you money for your efforts, but he'll give your suggestion to his freaky friends for review - and you might get a free beer out of it.
-- Did anyone notice that the latest security innovation in NT2k is Kerberos security?
-- What you do today will cost you a day of your life.
In addition to Bruce's comment about the code being open, I think it's important that the process is (usually) open too.
A typical closed source product gets developed behind closed doors and then unleashed on the public - we don't really know how decisions were made about what problems to fix. It's easy to imagine (even if it's not true) that people behind closed doors might conspire to conceal problems rather than fixing them.
An Open Source project typically has a public mailing list where problems are reported and discussed. Somebody might still make a decision to release the product with known problems - but there's no question of it being a secret.
I make it a practice to subscribe to development lists for products that are important to me. It allows me to get a great sense of how the product is doing - even if I have no intention of modifying the code. I would think that any company large enough to have a few million dollars worth of damages should be able to have somebody follow the development of essential software.
It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
And you, of course, are a Microsoft user. Nope, all of these posts are made from Slackware 7. If you read my userinfo you would know that (but who reads userinfo anyway... I know I don't.) I wasn't advocating microsoft, I was pointing out that they know they aren't secure.
Restating the obvious since nineteen aught five.
Scoff, viruses can occur almost as easily in Linux... they just don't occur quite as often because usually the first people to use a new piece of software are the guys who will read the code and if they find a virus they will scream loudly. An OSS app with a virus in it will not exist for long.
I've got another analogy for us that proves why virus writers can't be held responsible because they wrote the virus...
I have 2 old and decrepit computers, and I decide I want to end their lives in a bang. I write a program that could be considered a virus that's designed to attack several computers on a network. My friend likes it. He asks if he can have a copy. He stupidly runs it on his computer that is attached to a T1 and it starts infecting not only his computer, but also some other computers on the internet. Can he be held accountable? NO, he didn't realize he was releasing it. Can I be held accountable? No, I didn't release it.
OK there was another rant.
Restating the obvious since nineteen aught five.
In response to the responses to my original post, I propose an alternative analogy. A refrigerator. If the refrigerator has a flaw such that, if abused, the door would fail to seal, then the manufacturer would really tick off a lot of people and could cause a lot of companies to lose money (especially in the food service industry). Yet, we could come up with a scenario in which this could threaten life or limb, such as if the refrigerator is used as temporary storage of blood in a surgical ward. Or if someone failed to notice that the refrigerator was no longer cold and then failed to properly cook the food inside. Or when someone opened the freezer, all the melted ice spilled out and that someone slipped on the floor. Or someone who cannot travel outside the home and must rely on someone else to bring the groceries, and the new groceries aren't due for another week.
But by its nature, by its obvious intended purpose, such a flaw is an inconvenience and a cause of lost money, but is not a direct threat to life or limb (unlike a 1000kg collection of steel, aluminum, and plastic travelling at 100kph).
And that last bit really is the crux of this discussion -- the suitability for any particular purpose. And that's been discussed sufficiently elsewhere in this article.
And, yes, I realize a different flaw in a refrigerator could cause it to topple over, but that isn't my point ... I chose a refrigerator because it was easier to come up with a flaw with similar results to a flaw in Microsoft's OLE than if I were to suggest a flaw in a book (besides something so obvious as misprinting) that could, in certain scenarios, threaten life or limb.
Christopher A. Bohn
cb
Oooh! What does this button do!?
The sad fact is, unreliable software -does- cost lives, every year. The difference is, you can -see- the cause and effect from a motor accident, it's usually a lot messier, and it's usually a lot more direct. This isn't true for deaths or injuries relating to computer software errors.
However, that's almost by the by. Software companies claim that the Turing Halting Problem gives them exemption. As they cannot prove fitness for use, they argue that they should be exempt from any and all quality legislation.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Let's take a look at the typical EULA.
The fact is, software companies have got it made. The EULAs are getting legal protection in the USA, which gives software houses total immunity from prosecution for any reason, whatsoever, for anything and everything.
That's not the only scary thing. You think it'll stop there? Car manufacturers are -big-! If the software companies get immunity from prosecution and immunity from consumer protection laws, do you think the larger manufacturers are going to just say "oh, well, that's them"? Or are they going to say "hey! Give us immunity too!"
How long before no consumer protection exists in the US, and you are literally taking your life in your hands every time you use the microwave or toaster?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
After seeing this I want to expound a bit on what someone else said in response.
> I disagree... having the ability to look deep into the product to check for possible problems is not the job of the consumer.
This is exactly why I think Free Software programmers should not be held liable.
Free Software does not follow the standard Capitalist model. The standard model is, Party 1 makes the product, Party 2 pays money to Party 1 for the product.
Free software is "Party 1 makes the product. Anyone is free to take the product". Rather than "Hey here it is, the one thing you need" it's "Here's what I did, use it if it fits your needs, don't use it if it doesn't".
It's about being open and sharing. The whole purpose of negligence and similar things came about because capitalism inherently rewards cutting corners and making products as cheaply as possible, whether it's safe or not. It is because of this that negligence laws and similar responsibilities of product-producing companies exist.
In Free Software, there is no incentive to cut corners. A person working on a piece of software is usually writing it first and foremost because he needs it. As such the incentive is in getting it to work and fill his need.
As such, there is no "Consumer". A person who needs the same need filled can take his code and use it if they like. They are the ones that seek it out, and they are the ones who put it in place. Ultimately they should be responsible for making sure it meets their need before they put it in place.
> Software engineers are simply unethical engineers.
I disagree emphatically. What is so unethical about disclaiming any warranty? Other engineers generally work for hire or for a company. This means they are getting money to design something for someone else; as such they are liable to the person who is paying them.
However, if an electrical engineer designs his own TV remote control from parts he can buy at Radio Shack, completely at home and on his own, then he releases the plans on how to build it... should he be liable if someone builds it and it doesn't work for them?
He didn't charge them for the plans. He just said "Here is how I did it, this works for me". Should he suddenly be liable if it doesn't work or causes harm to someone else's TV?
If that is to be the case, then free exchange of information may as well be a dead idea. It would make it much too costly.
"I opened my eyes, and everything went dark again"
> Windows, any version, is not as defective as you make it out to be
I was a PC tech on Desktop machines in a HUGE Win95 environment. I can make Windows out to be pretty damned defective from what I have seen it do.
> Windows 98 works just fine for the vast majority of people who use it.
Well... the "vast majority of people" are morons. They have just gotten used to rebooting several times a day when the system crashes. They have gotten used to phrases like "You have to expect it will crash occasionally".
I have even heard a salesman on TV saying that computers run so FAST these days that they occasionally make mistakes and get themselves screwed up. I kid you not, he was actually saying in no uncertain terms that "crashes" and lockups were the fault of the hardware going real fast and losing track of what it was doing.
I have seen too many Windows machines with too many different problems for too many users to say that Windows is not extremely defective. It IS defective.
Which is exactly why I no longer run it on any of my machines.
"I opened my eyes, and everything went dark again"
> I think you are either lying...
> ...or have truly defective hardware.
> ...
> ...does not mean it's a defective product.
I neither lied nor exaggerated. Why should I? I don't have any hidden agenda. My only animosity towards Microsoft is precisely because of my negative experiences with Windows.
I have had the same or similar problems with a range of hardware including three different CPUs, two different chipsets and four different motherboards, three different sound cards, three different graphics cards. And four different hard disks, three different sets of SIMMs, three different CD-ROM drives.
It's therefore a fact that there is a great deal of hardware out there upon which Win95 OSR2 and Win98SE simply will not run reliably. I'm giving you the benefit of the doubt here because I don't directly know of any hardware configurations upon which it will run reliably.
> Windows, any version, is not as defective as you make it out to be. Windows 98 works just fine for the vast majority of people who use it.
The only remotely stable Windows 95 configurations I have ever seen was the original (pre-OSR2) Win95 release on integrated motherboards from Intel. From what I've heard, Win98SE is not stable on any configuration and the problems I've been having are widespread.
> Just because YOU can't figure something out or because it doesn't work for YOU
I can figure out plenty. I've had to learn because Windows 95 OSR/2 and Windows 98 are so temperamental. I've spent hundreds of hours studying Microsoft Knowledge Base articles and following their useless recommendations. The fact is Microsoft are extremely reluctant to admit to faults that can't be fixed which are down to inadequacies in their software, so many of the problems I've faced are simply not acknowledged.
It doesn't work as advertised. Microsoft cannot or will not fix it. It is, by any meaningful definition, a defective product.
In attempting to refute facts which are well known to correspond to most technical users' experience, you clumsily expose yourself as a Microsoft employee. No surprise then that you post as an AC. Listen up drone; denying that the problem exists will not make it go away. At least, not here it won't.
Consciousness is not what it thinks it is
Thought exists only as an abstraction
IANAL, but I think it might have something to do with the intended use of the 'product', what it is sold for.
If you buy a car, the intended use is to drive it on roads. Thus you have cause to sue if the brakes stop working or the wheels fall off. If you decided instead to use it as a foodstuff, you couldn't sue claiming injury because of indigestion. It's your own fault for using it for a purpose it wasn't designed for.
You can apply this to software too. If you bought a web browser and found that it wouldn't display web pages (and you could prove that this was the browser's fault, and not a badly-behaved site, broken networking or whatever else), you would have a legitimate grievance. (Although IMHO the most you should be entitled to is a refund of what you paid, unless you have agreed different warranty terms in advance.)
However, if you used the browser for a mission-critical information display, in a hospital or whatever, you wouldn't have a legitimate complaint if memory leaks caused it to crash after two weeks of use. A browser is not designed to give that kind of reliability, and it doesn't claim to. (Some things such as Java explicitly say that 'X is not designed for use in safety critical applications'.)
So I think that you have to ask: is the user just being stupid by trying to use the software for something inappropriate?
-- Ed Avis ed@membled.com