Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
The Courts Government Microsoft News

Microsoft Sued for Defective Software 641

Posted by michael
from the consumer-safety dept.
Door-opening Fascist writes "eWeek is reporting that a South Korean citizen action group, People's Solidarity for Participatory Democracy, is suing Microsoft for putting the SQL Slammer vulnerability into Windows. They are doing so on behalf of the South Korean people and businesses affected by SQL Slammer."
This discussion has been archived. No new comments can be posted.

Microsoft Sued for Defective Software

Comments Filter:
  • Silly lawsuit (Score:3, Insightful)

    by PD (9577) * <slashdotlinux@pdrap.org> on Tuesday May 06, 2003 @05:55PM (#5896065) Homepage Journal
    First, this is not good if he wins, because someone could sue a GPL author for the same kind of deal.

    Second, it seems that it would be like suing Stephen King for causing nightmares.

  • Maybe... (Score:4, Insightful)

    by Bendy Chief (633679) on Tuesday May 06, 2003 @05:56PM (#5896071) Homepage Journal
    Maybe those people and businesses affected by Slammer should have gotten their lazy asses in gear and patched and/or firewalled like all the half-decent sysadmins in the world. Great idea, guys, run a SQL server connected to the net.

    I hope the Judge kicks these people through the goalposts of life.

  • Precedent? (Score:4, Insightful)

    by mrjive (169376) on Tuesday May 06, 2003 @05:57PM (#5896083) Homepage Journal
    Although the zealots will be amused by this story, this could set a dangerous precedent for other similar vulnerabilities (especially unintentional ones). What happens, for example, when some group of people (in this case, a country) decides to sue the openSSL group for a flaw in their encryption that allowed credit card numbers to be stolen?

    I'm glad to see that someone is trying to hold MS liable for their mistakes, but this is the wrong way to go about it.
  • by Zebra_X (13249) on Tuesday May 06, 2003 @05:57PM (#5896087)
    Clearly they haven't read their software agreements. It specifically states that MS is not responsible for damage caused as a result of their products. A better chance to procecute MS would have been during the Code Red incident. One might have argued that not being proactive enough about patching consitituted "negligence" on their part. I guess it can't hurt to try!

  • Shifting blame... (Score:3, Insightful)

    by Mortanius (225192) on Tuesday May 06, 2003 @05:58PM (#5896105) Homepage
    I somehow doubt that Microsoft intentionally put this hole into SQL server, so that should probably steer clear of anything malicious. Negligence, perhaps, but this would open a whole can of worms (at least, if it were to show up in the US courts. Although now that this is happening in SK, I'm sure it'll make its way to our shores soon enough.)

    I feel sorry for the companys who were sent to their knees over this vulnerability, but if there was a patch out months and months beforehand that could've avoided all this, the end-user needs to share some of the blame for this... There's not much more Microsoft could have done for it, if they'd forced the installation of the patch they'd have been even higher on the privacy zealots' shitlists than they already are.

    I do seem to recall in the back of my mind that there was some nasty side-effect of the patch though, although it escapes me at the moment...
  • Duh (Score:3, Insightful)

    by JanusFury (452699) <kevin...gadd@@@gmail...com> on Tuesday May 06, 2003 @05:59PM (#5896117) Homepage Journal
    You buy the software, you choose to use it, YOU DEAL WITH THE CONSEQUENCES.

    True, Slammer was bad, but it's not like MS intentionally added it, and they DID agree to a EULA when they installed it. Of course software companies should be responsible, but it's not like MS isn't trying (though they're not doing a terribly good job.) Idiotic lawsuits like this set a bad precedent.
  • by anotherone (132088) on Tuesday May 06, 2003 @06:01PM (#5896143)
    They're suing MS, because their (South Korea's) tech people suck? Correct me if I'm wrong but I'm pretty sure that MS had a patch out for the slammer months before the outbreak... it's their own fault if they can't keep their servers updated.
  • Re:Silly lawsuit (Score:5, Insightful)

    by Anonymous Coward on Tuesday May 06, 2003 @06:02PM (#5896145)
    First, this is not good if he wins, because someone could sue a GPL author for the same kind of deal.

    How so? Last I checked, people who released software under the GPL didn't spend millions on advertising that claims said software is secure and reliable.

    Plus, GPLed software has the source publicly available, so the argument could be made that reviewing the code before deploying it would comprise 'due diligence' on the part of anyone who wished to use that software, and that if someone didn't do that, it's negligence on their part.

    With Microsoft, you can't take a look at their code, you just have to take them at their word (HAH!) when they say how good it is.
  • Re:Silly lawsuit (Score:5, Insightful)

    by Bill Currie (487) on Tuesday May 06, 2003 @06:02PM (#5896155) Homepage
    Either you're trolling, being sarcastic or just plain haven't noticed the NO WARRANTEE blurb in the MS EULA. The only software I know of that had a warrantee was some telco software I worked on a part of in my previous job and it was done on a contract basis (I'm sure there are other examples).
  • Re:Duh (Score:3, Insightful)

    by blamanj (253811) on Tuesday May 06, 2003 @06:03PM (#5896162)
    So you'd also like to hear "Your Pinto exploded? To bad, you shouldn't have gotten rear-ended."

    No automobile company would get away with selling products as defective as most commercial software. Why should the software industry be immune from product liability?
  • Re:Duh (Score:1, Insightful)

    by Anonymous Coward on Tuesday May 06, 2003 @06:03PM (#5896170)
    Sctually, if it's S Asia, they likely didn't agree to the license agreement. wink wink.
  • by death to hanzosan (669177) on Tuesday May 06, 2003 @06:04PM (#5896180) Homepage Journal
    Google: AARD:

    A Serious Message and the Code That Produced It [ddj.com].

    Microsoft included a bug in the Win 3.1 Beta that caused Dr. DOS users to crash.

    Unsurprisingly the makers of Dr. DOS lost their jobs, like many other victims of malicious code.
  • slammer (Score:5, Insightful)

    by Twillerror (536681) on Tuesday May 06, 2003 @06:04PM (#5896184) Homepage Journal
    Hard sell for the exploit that caused slammer. Maybe other exploits/bugs.

    SQL has a pretty good record for security. The exploit had also been patched before the worm.

    The exploit was not put in on "purpose". I guess it could have been, but that is a pretty hard to believe.

    The virus spread fast, but only because there is not a million SQL servers out there exposed. So it spread across the web fast, big deal.

    Furthermore good administration ( especially for a db server), ie. a good firewall could have blocked it. There is the desktop engine that could have been hit, but most apps that use it are still in the server category.

    The exploit itself is not a defect. Sure it could be used by an attacker, but in itself it didn't make the software defective. This could spawn a big argument. Is an exploit that would never actually impede a program unless someone uses it really a bug?

    Code red was a buffer overrun in an ISAPI .DLL. Even though no one ever used the .DLLs in question ( I think it was .hda, .hdq files ) they could have been. You could argue that someone could have written a program that used to long a URL and crashed IIS. The slammer was using a port in a way it was never intended to be used.

    I agree that companies should be held accountable, but intent and the way a company handles the defect also.

    MS essentially called a recall by issueing the patch. It said, send in the part and we'll fix it, but in a more modern approach. How can you sue a company that found the exploit and offered a free fix?

  • Re:Precedent? (Score:5, Insightful)

    by Realistic_Dragon (655151) on Tuesday May 06, 2003 @06:11PM (#5896262) Homepage
    In case you didn't notice, free software (being free and supplied at no charge) carries no warranty, expressed or implied.

    This is all fine because they made no representation to you about what it could do. They never made any claims that it was fit for purpose.

    Sure - Mandrake, RedHat et al might be in trouble, but open source software and especially the writers are legally in the clear.

    Personally I believe that if someone impliments OpenSSL badly _in a way that I cannot check_ and requires me to trust my data to them then they _should_ be liable for damages. (So this would cover, say, implimentations of SSL where the host was cracked or traffic sniffed at a later point where it was in plain text, or the key was compromised.) However, this is not the fault of the OpenSSL developers, and so they should not be liable.

    In contrast to this Slammer was caused (in part) by Microsoft making it very hard to install a critical security fix, and not properly notifying people of the peoblem (in their usual 'security fix language' it was described as a minor issue), when part of their responsibility in selling you SQL server was making it secure. Thus they should be at least partly responsible for the damages.
  • by Otter (3800) on Tuesday May 06, 2003 @06:16PM (#5896311) Journal
    ...and if they do win, there are two possible outcomes:

    1) It's the end of software sales in South Korea. That means Red Hat and FreeBSD, too.

    2) Lawyers come up with some new way to avoid liability. EULA's become more convoluted and "ownership" of software becomes even more tenuous.

    No idea how a case like this would be tried in the Korean system, but that's a lot of damage a witless or simply anti-American jury could do to a major technology power.
  • Re:Silly lawsuit (Score:2, Insightful)

    by andyh1978 (173377) on Tuesday May 06, 2003 @06:16PM (#5896318) Homepage
    First, this is not good if he wins, because someone could sue a GPL author for the same kind of deal.
    GPL license text [gnu.org] And in capitals, too:
    NO WARRANTY

    11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

    12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
  • Re:Duh (Score:5, Insightful)

    by .com b4 .storm (581701) on Tuesday May 06, 2003 @06:17PM (#5896329)

    So you'd also like to hear "Your Pinto exploded? To bad, you shouldn't have gotten rear-ended."

    No automobile company would get away with selling products as defective as most commercial software. Why should the software industry be immune from product liability?

    Well in this case, "you shouldn't have gotten rear-ended" is not a good analogy. A better analogy would be the front door on your house. If you leave it unlocked, well that's pretty stupid. It's not the lock manufacturer's fault you didn't lock it. Similarly, if you don't patch a server for a vulnerability that's been known for months, it's not the software developer's fault.

    This isn't to say Microsoft software is inherently secure or better or blah blah blah. Don't take it that way. But in this case, it is the fault of the sys admins for not patching their damn systems. Or for that matter, running SQL servers accessible by the public internet. There's a difference between getting rear-ended, and backing out into traffic without looking first. If you don't take adequate precautions, you (at the very least) share the burden of guilt for what happens.

  • Re:Maybe... (Score:4, Insightful)

    by darkov (261309) on Tuesday May 06, 2003 @06:18PM (#5896340)
    That's right, Microsoft's defects are our problem, we should get our lazy arses into gear becuase we haven't got anything better to do than evaluate, install, test and support Microsoft's constant patches. God forbid that we spend anytime on what we actually bought the software for, running our business or whatever. Lets all just be extensions of Microsoft's flawed development strategy: we're all testers!

    It seems life's arelady kicked you or your brain through the goalposts.
  • by Cheffo Jeffo (556675) on Tuesday May 06, 2003 @06:19PM (#5896353)
    But, you're missing the more important point, this suit has NOTHING to do with EULAs, except for a bunch of /.rs trying to hammer home a (valid) point by squinting until they see an opening that fits their needs.

    Consider the reasons why Slammer was such a problem:

    - there was a bug in SS2K
    - exploit used a stateless connection (UDP)
    - the state of Internet border security is "allow everything but ..."
    - admins didn't apply a patch that had been available for 6 MONTHS (more than enough time to test)
    - admins don't properly protect their servers

    Of these, only the first is Microsoft's fault and they are the only ones who fixed their contribution to the problem proactively.

    But, since Microsoft has deep pockets and geeks hate them, let's sue them ...

    Time to grab some perspective -- patch and defend your fucking systems, people !!!

    Cheers,

    JAKD

  • Re:Silly lawsuit (Score:1, Insightful)

    by Anonymous Coward on Tuesday May 06, 2003 @06:29PM (#5896448)
    Have got to disagree,

    A big difference is that source code is available for GPL software -- the bugs aren't a *secret*.

    IMHO, this is one of those cases where an EULA that denies any and all liability is completely valid; With all those tasty rights should come a helping of responsibility.

  • Re:Duh (Score:2, Insightful)

    by Realistic_Dragon (655151) on Tuesday May 06, 2003 @06:30PM (#5896466) Homepage
    "Can you honestly say that in this day and age, the entire country of South Korea is 'forced' to buy and use Microsoft Windows?"

    To an extent, yes.

    * They are locked in by bad document formats.
    * Marketing and lobbying against alternatives is very persistant.
    * Look elesewhere and suddenly you get huge anticompetative discounts thrown your way to make it impossible for the competition to stay profitable, a practice called 'dumping'.
    * Promoting product+1, telling you that 'brighter days are just around the corner, and all your problems will go away'.
    * Using APIs that are only available to other MS divisons to add more features to their products that competitors cannot replicate without serious performance penalties.
    * Using APIs that are closed to further lock in developers (as well as users) to their platform. (Like Direct X.)
    * Using legal measures to prevent the legitimate reverse engineering of APIs.

    Obviously there are alternatives, but as a company Microsoft are especially good at persuading _companies_ that it would be an unsafe business desicion, no matter what evidence actually exists.

    To some extent this is just how business conducts itself, but when you are in a monopoly position the line between promotion (especially crosspromotion) and abuse is very fine indeed.

    "If they were suing Apple or Red Hat, you'd be singing a different tune, I bet."

    I hope not, as if either company were to behave in such a manner I would stop supporting them like a shot. (Not that I will support Apple anyway, untill they will sell me a box without a MacOS license.)
  • Re:Maybe... (Score:2, Insightful)

    by Bendy Chief (633679) on Tuesday May 06, 2003 @06:32PM (#5896488) Homepage Journal
    I take it from your attitude that you're not a programmer, or if you are, you have some sort of access to a magical AI that fixes every miniscule bug for you. Bear in mind that this lawsuit is potentially dangerous for every kind of programmer, not just the noodleheads at MS.

    Why don't you go take a look at how many remote root exploits exist for GNU software before you decide MS is to blame for all the world's ills. Believe it or not, sysadmins are given lots of little green pieces of paper for keeping their wits about them when it comes to patching and firewalling; this is what we call a JOB.

  • SQL SQL Server (Score:3, Insightful)

    by jpetts (208163) on Tuesday May 06, 2003 @06:35PM (#5896527)
    SQL has a pretty good record for security.

    I have noticed a trend recently that people are more and more often referring to SQL Server as SQL. This is wrong! SQL is an ISO standard [jcc.com], and this habit, which I have noticed especially among Microsoft staff, of trying to conflate the standard with the Microsoft product is just another example of the company trying to create a meme that is misleading.
  • by Anonymous Coward on Tuesday May 06, 2003 @06:37PM (#5896561)
    I've read a dozen comments so far from people freaking out because they think this suit will set a precedent that will be used against open source projects. Let me make this very simple for you:

    IT WON'T AFFECT OPEN SOURCE

    When a company sells you a product that company is accepting a certain amount of liability for that product (unless you clearly absolve them of this liability via a legal contract). If the product fails to work as advertised, causes damages that it shouldn't cause, etc then the company is liable.

    This does not describe an open source project however. I as an open source developer am not selling you anything. There is no implied contract between you and I. You are simply taking something that I'm giving to the world at large for free and using it however you wish (within the possible restrictions of a passive license agreement). If you use my product and it borks your filesystem, I am not liable. If you find a flaw in my product that open a security the size of Montana, I am not liable. You haven't bought anything from me. I haven't received a penny from you for my product. There is no contract, not even an implied one. Therefore there is no liability. Simple.

    Saying that I as an open source developer am liable is like saying that I as a freelance author am liable for something I write if you quote me and found the quote to be inaccurate. I am not liable to you (I might be liable for libel if I was writing about a person as fact but I'm not liable to you if you quote me).

    To think that an open source developer is liable is absurd. I can't believe the sheer number of comments thinking this will be the case. One comment was made that OpenSSL might very well be liable for an SSL exploit that was used to gain access to credit card information. That's absurd! That's like saying Anderson Windows is liable for not making a window that a burglar can't break to gain unathorized access to a home. Try to think before you type people.

  • Re:Maybe... (Score:3, Insightful)

    by InsaneGeek (175763) <slashdot@insaneg ... m minus language> on Tuesday May 06, 2003 @06:39PM (#5896591) Homepage
    I take it you haven't looked at the security patches for Linux lately. Remember the root compromises that were out just a couple of weeks ago, or did you not "evaluate, install, test and support" those root compromise patches.
  • Re:Silly lawsuit (Score:5, Insightful)

    by cptgrudge (177113) <cptgrudge&gmail,com> on Tuesday May 06, 2003 @06:40PM (#5896607) Journal
    ...so the argument could be made that reviewing the code before deploying it would comprise 'due diligence' on the part of anyone who wished to use that software, and that if someone didn't do that, it's negligence on their part.

    Just like those admins that didn't patch their boxes didn't exercise "due diligence"? Even though a patch was availible for months before? Negligent like them?

  • by ctve (635102) on Tuesday May 06, 2003 @06:46PM (#5896689)
    One could argue that software can be made perfect because it is based on logic.

    Most physical things cannot because they are mechanical/electromechanical, and so are prone to defects due to decay.

  • by Anonymous Coward on Tuesday May 06, 2003 @06:50PM (#5896730)
    You are so full of shit. There isn't a meaningful piece of software released that doesn't have bugs. The Slammer worm came out 6 months after the vulnerability was patched. This is just some S. Korean lawyers participating in 2 of America's favorite past-times: Claim your mistakes are someone elses fault and get rich quick by suing whoever has the money. It's horseshit like this that gives EULA's validity because corps claim they need to protect themselves from frivolous lawsuits. It will also stifle innovation by independent developers due to fears of being sued when someone discovers a bug in the software that you wrote. Notice I said when, not if.
  • Re:Silly lawsuit (Score:5, Insightful)

    by shaitand (626655) on Tuesday May 06, 2003 @06:53PM (#5896764) Journal
    I disagree with your statement. If someone wants to sell you a commercial product you SHOULD absolutely be able to hold them liable if their product loses you money.

    If someone gives you something for free it's another story. You sell me your $5000 program, that you only produced once and have now sold 100,000 times, then try to explain to me that I WASN'T supposed to be purchasing something that functioned within reasonable tolerance. Yes I know that's exactly what is done now, but that doesn't mean there shouldn't be consumer protection laws to the contrary.

    There should also be laws against the new conditions in MS EULA that state you cannot share your negative experiences with the software.

    If I install office, when I click finish my computer explodes, I think I should not only be able to sue microsoft for being negligent in distributing the software this way, but I believe I should be able to bitch to my neighbors, news stations, tabloids, rant sites, slashdot or to anyone else I care to.
  • Re:Silly lawsuit (Score:5, Insightful)

    by cptgrudge (177113) <cptgrudge&gmail,com> on Tuesday May 06, 2003 @06:56PM (#5896800) Journal
    No -- the source is available BEFORE the program was installed...

    And the MSSQL patch was available BEFORE the slammer worm hit. I don't see the difference.

  • Software Liability (Score:5, Insightful)

    by astro (20275) on Tuesday May 06, 2003 @07:00PM (#5896862) Homepage
    I'll get modded down as redundant, but it needs to be said as many times as possible (and I don't see much of it in this thread [reading @ +1]):

    A legal remedy here would set a really bad precedent - as a software developer who is not unrealistic about my skill level, I am terrified of software liability becoming either law or accepted assumption.

    If MS loses this, I see absolutely no way I could defend myself if, god forbid, a program I wrote or even maintained caused catastrophic dataloss, or in worse cases, physical injury.

    Note: Ironically, just *yesterday* I was bitch-slapped, albeit in an odd way, by Slammer: in certain situations, applying one of the hotfixes to SQL server that closes the Slammer vuln. without having SQL Server SP2 installed *completely* horks up SQL Server. The ISP (Rackspace) of a dedicated rack unit I "manage" on contract (client has almost no $$$) installed said hotfix in the process of physical maintenance, so I got a panicked call from my client in NYC that the "server is down". A couple of hours worth of research later, I was fine, but it sucked my afternoon away.

    I hate the stacks of dependant/conflicting patches and service packs, not to mention the damn bugs, but I'd prefer to take the risks on this end than be open to litigation of software I write contains bugs.

    --astro
  • by Anonymous Coward on Tuesday May 06, 2003 @07:03PM (#5896890)
    Nice try dumb ass... Couple of problems: A.) There is no such place as just "Korea", and B.) This is SOUTH Korea, not NORTH Korea... North Korea being a member of the "Axis of Evil"/rouge state/etc... stupid sarcasim like yours is not all that funny to begin with, but it is even less so when it's INCORRECT.
  • by Anonymous Coward on Tuesday May 06, 2003 @07:13PM (#5896988)
    most EULA state in legalese what I'm about to paraphrase: "If you lose money as a result of using our software, it's your loss and yours alone. You cannot sue us for damages even if the damages resulted from using our software."
    Oh yeah - remember, you never own most commercial software packages - you but the right to use them only.
  • Why ? (Score:2, Insightful)

    by Anonymous Coward on Tuesday May 06, 2003 @07:14PM (#5896996)
    When will people realise that buying software from a large company such as i.e. Microsoft isn't going to get them more "rights" then using free software is going to get them. Both camps have a none liability clause, which means, you can't sue either of them for damages! But at least one camp (which shall remain nameless) has the option of sending them a check and make the software you use more usable/bugfree for them. Also, you have the choice of hiring a third party code-reviewer /directly/ , who /can/ be sued directly if he fsck's up reviewing the code. This model, called free, or OS by others, is based on the knowledge, or merit of this particalular individual. So, why take the risk of challenging a EULA to which you've already agread, when you can sue a freelancer who doesn't come around with what he/she promissed, namely a secure system.
    Free/OSS software is a risky bussiness, that's why only the best of the best apply. Think about that before your next "convenient" purchase!
  • Re:Maybe... (Score:3, Insightful)

    by Overly Critical Guy (663429) on Tuesday May 06, 2003 @07:20PM (#5897047)
    Isn't your job as a sysadmin to "evaluate, install, test, and support" the networks you run?

    Face it. Running unpatched servers connected to the net are the sysadmins' faults. Not Microsoft's. Nobody's forcing them to use Microsoft software.
  • by Mundocani (99058) on Tuesday May 06, 2003 @07:21PM (#5897062)
    Strangely, none of the posts so far have mentioned the author(s) of Slammer as being one of those responsible for this mess. They're certainly harder to find (ok, they'll probably never be found), but shouldn't the culpability be shared with those who exploited the problem? It's not as though the server didn't perform its primary function correctly (storage and retrieval of database records), it's that it had a security vulnerability.

    To borrow the Ford Pinto analogy from previous posts, it seems somewhat like somebody cutting your brake lines and then you suing Ford for making the lines so easily accessible. I think the person who cut the lines is truely responsible.
  • by Bendy Chief (633679) on Tuesday May 06, 2003 @07:29PM (#5897129) Homepage Journal
    I don't see how unplugging your computer is going to be conducive to downloading patches. :)
  • by chrisvdp74656 (448900) on Tuesday May 06, 2003 @07:33PM (#5897157)
    If you leave it unlocked, well that's pretty stupid. It's not the lock manufacturer's fault you didn't lock it.

    Actually, a better analogy would be if you did lock your door - but a vulnerability was discovered in the lock that made it (say) openable by jiggling the handle. Yes, you should get a new lock - but at your own cost, when it was poor lock design to begin with?

    An unlocked door would be like leaving the root (or administrator) password blank, and the account enabled.

  • by el cisne (135112) on Tuesday May 06, 2003 @07:46PM (#5897271) Journal

    The news here is not so much that MS might be held accountable for their product, they won't be, and for about a gazillion reasons.
    The news is that someone actually decided there was some benefit in even bringing up such a hopeless suit. Maybe they are trying to shake down MS ? Dunno. But the news for me is that someone would even bother to bring this suit on in the first place, considering the defendant in it.
  • Re:Silly lawsuit (Score:2, Insightful)

    by Cromac (610264) on Tuesday May 06, 2003 @08:17PM (#5897478)
    If someone wants to sell you a commercial product you SHOULD absolutely be able to hold them liable if their product loses you money.

    Even if you lost money because your IT department didn't install a security patch 6 months earlier that fixed the problem?

    If I buy the Redhat Advanced Server, which is a commercial product for them, and lose money 6 months later because I didn't run a patch to close a security hole should I be able to sue Redhat?

  • by Colonel Panic (15235) on Tuesday May 06, 2003 @08:31PM (#5897560)
    Truely, if any one (or any company) deserved to be sued for putting out shitty software, its Micro$oft. ...But, I think that this is a really bad idea and sets a very bad precedent that could ruin the software industry as we know it (and I'm including Open Source here - especially open source).

    If people start flinging lawsuits at software producers then it'll kill open source pretty quick (OK, maybe kill is too strong; how about 'chill' or 'drastically reduce').
    Micro$oft at least has $40Billion in the bank to fight such suits, but your average open source programmer doesn't have enough cash to even hire a lawyer for a couple of hours. These sorts of lawsuits could quickly have a chilling effect on OSS creation. ...Not that OSS would die altogether, but we would have to start releasing code anonymously.
  • Re:Silly lawsuit (Score:3, Insightful)

    by Colonel Panic (15235) on Tuesday May 06, 2003 @08:36PM (#5897593)
    Plus, GPLed software has the source publicly available, so the argument could be made that reviewing the code before deploying it would comprise 'due diligence' on the part of anyone who wished to use that software, and that if someone didn't do that, it's negligence on their part.

    Sure, but you're thinking logically, not legally. Besides, how much would it cost you by the time you proved this in court? It would probably cost as much or more than a mortgage on a house. How many OSS developers could afford that kind of defense?
  • Re:Silly lawsuit (Score:1, Insightful)

    by Anonymous Coward on Tuesday May 06, 2003 @08:39PM (#5897616)
    You forget that www.microsoft.com was caught by slammer (and Nimda and Code Red) because the MS "patches" so often do more damage than good. It is therefore essential that sys admins very thoroughly test and debug the patch prior to installation. Without the source code this is extremely time consuming.

    Otherwise they end up like all those poor sods who have recently had their XP boxes converted to a 286 by the latest auto-update.

    More importantly the 3 month old MS patch was useless and had caused many complaints which is why MS released a new patch just hours before Slammer struck.

    To summarise in simple words:
    1 Irresponsible software vendors rush out half finished patches so they can say "its just another lazy sysadmins problem - we put out a patch months ago".
    2 Lazy sysadmins install the MS patches and dont give a * what happens.
    3 Responsible sysadmins test the patches before installation.
    4 The stupid believe the sloppy vendor.
  • BAD Korlas (Score:3, Insightful)

    by Unregistered (584479) on Tuesday May 06, 2003 @08:52PM (#5897693)
    They can't sue m$ for this.
    1) A patch exists.
    2) Software has bugs. It's a fact of life. If you dont' like bugs, don't use software. (Or hardware for that matter).
    3) M$ never claimed their products are perfectly secure. "Secure" is relative. M$ platforms are secure to an extent. Weather that's goo enough is up to the individual.

    Once again another case of M$ being in the right. I hate these, but it's stupid to say they're bad JUST because they're M$. They do enough bad stuff to satisfy anyone's faming needs. I'm glad that a fair number of perople do oppose this, though.
  • Re:Silly lawsuit (Score:4, Insightful)

    by Anonymous Coward on Tuesday May 06, 2003 @09:09PM (#5897785)
    You forget that www.microsoft.com was caught by slammer (and Nimda and Code Red) because the MS "patches" so often do more damage than good.

    Wrong. MS was caught by the Slammer worm because some developers had installed SQL Server on their workstations and neglected to keep them patched. Seems your memory is the one at fault.

    More importantly the 3 month old MS patch was useless and had caused many complaints which is why MS released a new patch just hours before Slammer struck.

    Wrong. The original patch worked perfectly. Where I work, my department runs two SQL 2000 servers which were patched properly before the virus hit. When we came into work that Monday we were one of the few departments that hadn't been affected by the virus. What MS released right before the virus hit was SP3 for SQL Server 2000 which *contained* the Slammer patch along with several other updates.

    To summarise in simple words:

    To summarise in simpler words:

    1. Bullshit
    2. Bullshit
    3. More bullshit
    4. You are so full of shit
  • Re:Silly lawsuit (Score:2, Insightful)

    by AlternateSyndicate (644818) on Tuesday May 06, 2003 @10:12PM (#5898165)
    Last I checked, people who released software under the GPL didn't spend millions on advertising that claims said software is secure and reliable.

    Luckily they don't have to spend millions of dollars to claim their software is secure and reliable... they've trained most users of Linux to tell this to everyone they know.

    This lawsuit is retarded anyway, as is the wording of the story. People don't intentionally insert bugs into code, and anyone that uses software should know that there's no guarantee that it is secure. New vulnerabilities are coming up all the time; every software product has bugs.

    Even if they did somehow manage to convince some dimwitted judge that this is Microsoft's fault, the fact that they had 6 months to apply the patch is not going to work in their favor. This lawsuit is completely ridiculous, and I certainly hope it's thrown out of court.

  • Re:Silly lawsuit (Score:2, Insightful)

    by drsmithy (35869) <drsmithy@gmailSLACKWARE.com minus distro> on Tuesday May 06, 2003 @10:20PM (#5898212)
    Not analyzing the source of software before using, or using software for which the source is not freely viewable and modifiable (at least for your own internal use, and viewable for all) is just fscking stupid ;)

    So, have you personally audited every line of code running on your machines, or are you "just fscking stupid" ?

  • by drsmithy (35869) <drsmithy@gmailSLACKWARE.com minus distro> on Tuesday May 06, 2003 @10:31PM (#5898274)
    My bad - perhaps a better example would be the Outlook bourne viruses that were the craze a few years ago.

    Not really, since the vast majority of Outlook viruses relied on the end user to activate them (it would be a bit like suing RedHat because Linux lets you alias "rm" to "ls" command and a user inadvertently deleted all their data with it).

    There was a period - briefly - while a buffer overflow was present in Outlook that could be used to run attachments automatically, but it was patched quickly. Do we really want to get into the situation at this point in time where developers can be sued for having buffer overflow bugs in their code ?

    If people _really_ want software that can be "guaranteed", then they need to kiis goodbye the idea of cheap, general purpose bits code and be prepared to pay for heavily audited application-specific code.

  • Re:Call me naive (Score:2, Insightful)

    by PetWolverine (638111) on Tuesday May 06, 2003 @10:48PM (#5898372) Journal
    This is the best argument in this direction I've seen on this thread. Though my first reaction when I read the article was the complete opposite, I think you have a very good point. However, I still think this suit has the potential to go too far, too fast.

    If this lawsuit is successful, it will set a precedent that EULAs are legally untenable, no matter what. The patch was out there for six months, and Microsoft is still responsible? That will be interpreted to mean that all software vendors are responsible for all problems with their products, always.

    What needs to happen is to start with a bug that's undocumented, and show that the software company is accountable for that. Once the courts have some experience dealing with these cases, then we can start to get into subtleties like the fact that the patch required taking down the server, the patch introduced other vulnerabilities, etc., that would hold the company liable in this case without the bug being undocumented, but also without them being liable in all cases.
  • Re:Silly lawsuit (Score:2, Insightful)

    by gandy909 (222251) <gandy909&gmail,com> on Tuesday May 06, 2003 @10:56PM (#5898407) Homepage Journal
    Surely you jest. The 'other party' in any decent lawsuit is always 'negligent'. Since it is so common to be negligent that thousands of suits claiming it are filed every day, it can hardly be classified as 'extreme'.
  • by ogre2112 (134836) on Wednesday May 07, 2003 @12:19AM (#5898726)
    I buy a car. It has defective seatbelts. Ford recalls the car, but I don't take mine in to get it fixed.

    6 months later, can I sue them if the seatbelt fails?

    Interesting how the lawyers will field this one. It will probably come down to how accessable Microsoft makes it's patches.
  • by Capsaicin (412918) on Wednesday May 07, 2003 @12:20AM (#5898730)
    When a Korean buys Microsoft software, he is subjected to the same disclaimer to which an American is subjected. Namely, the disclaimer is that the software comes with no warranty or guarantee of performance. The disclaimer is printed boldly an almost every software package produced in the Western world. The disclaimer also appears on non-Microsoft products. Why is a Korean incapable of reading a simple disclaimer?

    Do you really believe everything you read printed on the side of boxes? The mere fact that MS prints such a disclaimer, nor even that bold type-face is used, does NOT mean that it is so. I would presume that, like in most in most of the Western world, products for sale in Korea are subject to a statutory warrantee for fitness of use, despite what the packet says. But since neither I, nor I assume you, are experts in South Korean sale of goods law, we should probably leave it to a South Korean court to determine how (in)effective this disclaimer is under South Korean law.

  • by zerocool^ (112121) on Wednesday May 07, 2003 @02:44AM (#5899217) Homepage Journal
    Truely, if any one (or any company) deserved to be sued for putting out shitty software, its Micro$oft. ...But, I think that this is a really bad idea and sets a very bad precedent that could ruin the software industry as we know it (and I'm including Open Source here - especially open source).

    Commence conspiracy theory:

    Bill gates to South Korea: Hey, you know, you've been pissed off about our software not working? Well, here's 2 billion dollars. Sue us, and don't put up much of a fight.
    S. Korea: Why would you want us to sue you?
    Bill: Well, because when we win (which we will), it will set a precident for future lawsuits regarding bad software. This one is over a silly issue, but mabey the next one will really be serious. If that's the case, then we can point to this one and say "it's already been tried", and we have a leg to stand on.

    ~Wx
  • Re:Silly lawsuit (Score:3, Insightful)

    by BlackHawk-666 (560896) <ivan.hawkes@gmail.com> on Wednesday May 07, 2003 @04:53AM (#5899625) Homepage
    So, am I to understand that you have read every line of source code for your OS, browser, email client, comnmand shell or are you just fscking stupid too?

    Unless you have read the code, then it's no more visible to you than the closed source equivalent. Sure, you can *assume* someone else has read it and thinks it's great, but you have still not taken personal responsiblity.

  • Re:I disagree! (Score:2, Insightful)

    by Eristone (146133) * <slashdot@casaichiban.com> on Wednesday May 07, 2003 @09:08AM (#5900680) Homepage
    Well, probably not. On the other hand, there is this full database of every single Ford on the road and who owns it and where they live. And you are required by law to provide that information if you want to drive your Ford... and hey, you have to renew every year too... hmm.
  • by forii (49445) on Wednesday May 07, 2003 @10:13AM (#5901193)
    >>>Bush won the election, fair and square.


    that's not entirely true. at least not in terms of popular vote.


    "Not entirely true"? You're dead wrong. Bush won the election fair and square. According to the constitution, he won. End of story. There is no special rules for winning the popular vote. There's no half-winning or half-losing. He won. Complaining otherwise just demonstrates a non-understanding of the US Constitution. Get over it.


    And no, I didn't vote for Bush. I voted for Gore. And who do I blame for his loss? Gore himself, for running an awful, pandering, uninspired campaign. I also blame the Nader-ites, who, in their quest to make a political statement, managed to cut off their noses to spite their face.

Money is the root of all wealth.

Working...