Microsoft Sued for Defective Software 641
Door-opening Fascist writes "eWeek is reporting that a South Korean citizen action group, People's Solidarity for Participatory Democracy, is suing Microsoft for putting the SQL Slammer vulnerability into Windows. They are doing so on behalf of the South Korean people and businesses affected by SQL Slammer."
What they'll be told: (Score:5, Interesting)
Shut up and patch your systems like the rest of the planet.
Software isn't a physical thing so it's impossible to make it bug-free.
You knew about this vulnerability for months, there was a patch for it, and you did nothing about it."
Pick a defense, any defense...
- A.P.
Funny this came up today... (Score:3, Interesting)
Silly how little explots like this can cost millions of dollars.
Microsoft fixed the problem before it happened (Score:4, Interesting)
Re:bad news for opensource (Score:5, Interesting)
Here somebody is suing MS. Let's see how that works out.
Re:What they'll be told: (Score:5, Interesting)
My mail server runs on Linux, but it was unavailable for at least 30 minutes because of the Slammer worm. Not because it was vulnerable, but because of all the idiots dumb enough to put SQL server on an open network...
This is what's needed (Score:2, Interesting)
While I don't foresee Microsoft getting chastised, lambasted and castigated as it should be here in the US where being a rich company has many, many benefits, I do see an opportunity for Microsoft to have to be held accountable for its actions in the EU and Asia. Also in Asian countries the logic is: If you expect me not to pirate this, it better do something good.
I hope this teaches Microsoft that the venue by which they made the 40 billion they have sitting in the bank is us, the victims of pre-installs on new PCs (I believe 80% of the MSFT revenue is from pre-install), we should get a piece of that if we are wronged by the software.
There is a huge disparity between what is claimed on the glossy box and what is delivered in reality, and the consumer needs to be protected from fraud and fiscal liability due to product failure.
It applies to every other business. Software should be the same.
Also, EULAs claim the license isn't transferable and resalable, I content that this means it then has no value. No one can tell you you can't sell your used car.
Setting precedents, and liability (Score:2, Interesting)
Here's an interesting thought: maybe closed source software could be hit harder by this because keeping the source closed could be considered hiding the vulnerability? IANAL, of course.
Another thing - aren't there liability issues for engineers in other fields as well - like holding a bridge engineer accountable if the whole thing falls down? Of course, a software bug isn't quite that serious, but still...
let 's put things in perspective ... (Score:3, Interesting)
Anyway there is a very important point about *incidents* like this : they get people's attention about the completly crazy EULAs that some SW companies (namely Micosoft) and content providers (RIAA/Hollywood mob) are currently imposing to they 're costumers ...
imposing a bit of regulation about the limits of what could be put in a EULA is IMHO a very good think ...
if the ppl who launched this lawsuit make the
Cheers from Portugal
Re:GPL = no warranty (Score:5, Interesting)
IANAKL (Score:4, Interesting)
Does anybody know if the click-through license is worth a rat's ass in Korea? Does Korean law give the plantifs an edge that they wouldn't have in the US? Any Korean laywers out there?
Re:lemme get this straight... (Score:5, Interesting)
Re:"Putting" the vuln in? (Score:5, Interesting)
You want to sue someone, sue the sysadmins who
A) Didn't patch
B) Left MS SQL right out on the open internet
C) In short didn't do their jobs.
If you're running MS products it might not be by choice, but there is no excuse for not being aware of patches and the state of your firewall. They were all probably too busy rebooting Windows desktops to have time, but still.
Xenophobic Bigotry by Koreans Against Americans (Score:2, Interesting)
Case in point is the attempt by Micron to buy Hynix. Please read "Micron/Hynix Deal Dead [bizjournals.com]".
Indeed, the current president of South Korea was elected on a wave of anti-American protests. Please read "S.Korea Opens Talks with U.S. on Troop Deployment [reuters.com]".
Now, we have the Korean lawsuit against Microsoft. When a Korean buys Microsoft software, he is subjected to the same disclaimer to which an American is subjected. Namely, the disclaimer is that the software comes with no warranty or guarantee of performance. The disclaimer is printed boldly an almost every software package produced in the Western world. The disclaimer also appears on non-Microsoft products. Why is a Korean incapable of reading a simple disclaimer?
This lawsuit is rubbish and is nothing more than anti-American xenophobic bigotry.
In the face of all this anti-American xenophobic bigotry by the Koreans, how do we treat the Koreans? Please read "An Adopted Way of Life [asianweek.com]" and "Adopting a Culture: One Woman's Struggle for a Korean Identity [columbia.edu]". We Americans have adopted more than 100,000 South Korean orphans. The Koreans do not care about orphans. By contrast, we Americans have given them a home. The website for the "State Department [state.gov]", notes that Americans adopt about 2000 South Korean orphans per year.
ask Bill ... (Score:3, Interesting)
Illegal copies of Windows (Score:3, Interesting)
Possible?
product? (Score:2, Interesting)
I am not sure on the entire liability issue right this second, but comes a time that any "industry" needs to come to grips with reality, and I think that time will be soon probably. Computers and the software to run them have had decades now to get established and to come out of thier "honeymoon" stage, with the EULA "get out of jail free" cards. the hardware is warrantied. The software sure needs something.
There needs to be some sort of consumer protection and warranty. Eventually there will have to be, it's about inevitable. Everything else man made has one. If that means much less "new" is released and a lot more "improved", I'm all for it. If it means less variety but better quality, I am all for it. If it means that "paid for-sale" software with a warranty gets so expensive that "free" dominates with a shareware and volunteer concept, I'm all for it. and I see that as an EXACT dividing line, it's for sale, it needs a warranty, if it's a "freebie, here try this, see if you like it" type deal, it doesn't need a warranty. I think that is fair and rational.
OR, wait until a few more worms or whatever hit all one day, the mother of all net shutdowns, and have the government force something down your throat that is beyond a warranty into planned, controlled, licensed.
As an aside, can you imagine the first major software vendor TO offer a warranty? How much of a marketing edge would that be, given they had really done their auditing and were actually confident their offering was decent enough to offer the warranty? I think they would get uberrich, well deserved cash for superior outstanding coding efforts. I know some custom stuff does, but anything major mass market? Does it even exist yet? I honestly don't know, but myself as joe consumer, I might just be tempted to purchase an OS offering like that, and pay much serious cash for it.
Call me naive (Score:3, Interesting)
First, if Microsoft's EULA already prevents them from being sued, software is as-is, why do they release patches in the first place?
This isn't a question about whether or not a user can sue, but a more basic matter of accountability and responsibility. These are the most fundamental issues in selling anything to the public.
Microsoft is responsible for this snafu, but they have never been held accountable. Their bugs, their glitches, their crashes. Its become a running joke with techies. It shouldn't.
When Slammer first hit, people said installing the patches required taking down the servers, running several patches, and praying it still worked. No garunatees about anything. What's the justification? Time wasn't available. Who could afford to do this? How high was it on MS list of things that had to be done?
But no one is mentioning those same arguments now. Its South Korea's fault for not doing the updates.
As I recall weren't the patches buggy enough to cause another major security hole?
We know Microsoft is responsible. We know who should be held accountable. But MS throws in a disclaimer and all is good. The disclaimer is not a silver bullet. There must be accountability for faulty software, no matter who wrote it.
Will it stifle open source development? Probably scare off crap coders is what it will do. If everyone working together reviews, checks, and verifies, they are going to catch most of the bugs before it goes out the door. The remaining bugs are fixed with patches.
I honestly don't see anything wrong with suing them. The EULA is not a catch all. The EULA should be thrown out, and rewritten. Users have the right to hold developers accountable.
Its about time someone figure out how.
Re:Duh (Score:3, Interesting)
But that's a bad analogy, too. Failing to lock a lock is not the same thing as failing to patch a server. Failing to lock your lock (or, to use an automotive equivalent to keep things consistent, leaving your keys in the ignition) is like failing to change the default password on a server- a basic thing that's an inherent part of the job. Patching a server is more like taking your car in as part of a safety recall.
Both cars with safetly defects and servers with vulnerabilities represent errors on the part of the maker that put the user in danger, and you can draw some strong additional analogies about the process of getting the product fixed. In both cases, for instance, the process of getting everything fixed can take some time- time for the problem to come to light, for the maker to figure out a solution, for users to be notified of the problem, and for the fix to be applied. The balance of liability shifts between maker and user as you progress through the process. If a user gets hurt by a previously unknown problem, you have a strong case for the maker's liability for selling a defective product. The longer the fix has been available, though, the more it becomes the user's responsibility to have the problem corrected. If a Pinto was damaged by fire a year after Ford issued a safety recall, or a MS user is burned by a vulnerability six months after the patch was made public, it is the user's fault for failing to have a needed fix applied.
Re:Read before you file (Score:2, Interesting)
Point is, hiding some whishful text, which the consumer can not see, inside a purchased product can not dictate any kind of restriction or other whishful commitment on the customer's part.
- Give me all you money!
- Why?
- You're wearing a shirt which on the inside, just beside the laudry tag states "Any wearer of this shirt agrees to give all their money to whom ever asks for it".
'ts Stupid.
Re:THIS WILL NOT AFFECT OPEN SOURCE (Score:4, Interesting)
Re:Silly lawsuit (Score:5, Interesting)
On the other hand, Microsoft software is "leased (not sold)," which means any damage done was done by Microsoft property.
How did it work with automobile recalls? (Score:4, Interesting)
This seems to be what this software has done: there was a defect and a capacity for a customer to do work to fix it, they didn't do it, and damage resulted.
Any cases like this with products in the automotive area, and did they favour the defendant or the plantiff?
Best wishes,
Robert
Patch was released long before Slammer (Score:2, Interesting)
the poster is an idiot (Score:3, Interesting)
For those with memory problems... (Score:2, Interesting)
Re:What they'll be told: (Score:4, Interesting)
Software companies like to argue that, because code is intangiable (and, to a lesser extent, because development cycles are so darn short these days) it is impossible to spot and fix every bug in it, so no one should realistically expect software to be reliable all the time.
This argument has become more and more valid over time as companies use it more and more often to justify increasingly defective products.
- A.P.
Re:no warranty does not matter (Score:2, Interesting)
I recall from my business law class that workers once sued a company who manufactured a type of machine they used at work. The machine had a steel casing around it to prevent people from accessing the moving parts. I don't recall how exactly, but part of the casing was removed by the workers and replaced with a cardboard box (perhaps for easy access), and one day, someone was walking on top of the huge machine and stepped on the cardboard covering. Their leg went right through it, of course, and they lost their leg in the gears below. They sued -- not their company, but the manufacturer of the machine for not clearly labeling that removing the casing (or replacing it w/ another material) could be a safety hazard & WON!!! Do I agree with the ruling personally? no... but, there is an implied contract that states that the manufacturer has a duty to warn the buyer of potential safety hazards. The metal casing was assumed to be protection enough, but there was no warning to the customer that removing it while in operation might be unsafe, thus... they were liable.
I could forsee a case against Microsoft for not giving advice for proper protection against viruses (such as putting up a firewall, using anti-virus software, not opening e-mail attachments from people you don't know & never opening an executable (bat, exe, com, vbs) without knowing exactly what it is, etc. Of course, you couldn't win any damages for physical pain and suffering, but perhaps monetary compensation for work, money, and/or computers lost due to their negligence in warning a user.
hmm... I'd have to ask a lawyer about that b/c it could be considered "common sense" in the computing age, but... hey... if you can win a few million for spilling hot coffee on yourself from a fast-food place, who knows?!?!? ;-)
Re:Xenophobic Bigotry by Koreans Against Americans (Score:1, Interesting)
When a child is orphaned, s/he is basically in a cultural void. There are no resources apportioned to orphans because 100% is given towards family.
And as a system, it has its' faults, but it insures grandma is never dumped off in a nursing home (unless all of her relatives are dead).
I disagree! (Score:5, Interesting)
yet if your car was to suddenly veer off the road from a known defect you'd expect the auto company to deal with it! Driving the car down the road doesn't generally cause the wheels to just 'fall-off'! That is the issue with MS.
Maytag repair guys are what 100,000-to-1 with their insalled base? even doctors are about 100-200-to-1. yet PCs are supposed to be 10 or 20-to-1 for admins. It's a crock! If any other business system was this terrible, it would be bankrupt in a year! And MS only answer is that the admin should run around and babysit the system? They offer automated updates, then again blame the admin for not "testing". You all check the gas quality going in your car before you fill up right. Or, you consult medical texts after going to the doctor just to be sure he called your illness right.
I'm sorry, this stuff should just work. Compaies have invested 10 years and billions of dollars into windows and it still doesn't just work! Billy designed the system so that MS had 'plausable deniability' After all, they don't make hardware [not their fault], or drivers [not their fault], or systems [oems didn't test, not our fault], or software [sure we have Secret APIs but not their fault], they pretend to train admins [but not their fault if admin shamans don't dance right], and of course users because they make the computer do "stuff" MS might not have planned! [if MS did plan it, they'd charge more!] They have no techincal support without outrageous fees [Linux cost is mostly support--and you can afford to use it!] Well, it's basicly like OSS only costs more. They offer the same package of benifits!
That said, I don't think a lawsuit is the way to go either. We're trying to get rid of stupid IP laws, not tie ourselves to them more! If the liability cost of software goes up, then free software will die a horrible death. We're not sophisticated enough to have software "building codes" yet and license "Software Accountants" to set them up. Even then without 100% control of a system, you just can't have that kind of liability...Then again, maybe that's what MS wants [OK we know they want it] total control of the systems and your wallets!
Re:Silly lawsuit (Score:4, Interesting)
Not bloody likely, though. This lawsuit is being brought in South Korea, so that even if they win, the precedent doesn't really apply over here (here being U.S. in my case).
EWeek article on WHY many didn't patch (Score:5, Interesting)
"...many IT departments did not install the initial patch because installation could not be scripted. Instead, DBAs were required to manually stop each instance of the software running in their organizations, rename or remove some files, and paste the patch files into each instance
Non-MSft customers suing for damage caused by MS? (Score:2, Interesting)
All these comments about EULA, and whether a product was purchased, and you get what you pay for, and Open Software has no warranty, etc. are not relevant.
If MS released software into the wild which caused widespread actual loss to Internet-connected systems and their owners, whether or not those owners were MS customers, then is MS liable for those damages?
Starts to sound like going after the author of a virus/worm. The boundary between the actual virus/worm which exploits a security flaw and the ubiquitous system which contains the flaw gets very fuzzy in the eyes of a lawyer who might be able to prove negligence.
Of course, IANAL (sounds pr0n-like, doesn't it?), but I wonder about ambulance-chasing or its equivalent, and definitely view it with mixed emotions. No matter how much I might side with the plaintiffs in this case.
Re:One more responsible party (Score:3, Interesting)
No, it's more like if Ford made a defect in the locking system where there is another hole right below the keyhole, and if you stick a pencil in it, the door pops open. No key needed. Who is more stupid? The company who made a car with such a stupid design flaw, the idiot who bought a car with stupid defects and stupid design flaws, or the idiot who thinks it's fun to abuse the situation and go joyriding in everyone's cars?
Re:Maybe... (Score:2, Interesting)
I'm so sick of you MS bootlickers (yes, that's exactly what you are).
MS SQL has 11% marketshare (according to MS themselves), yet the only mass-infection hit it and not somebody else. Coincidence?
IIS runs only 25% (and sinking) of webservers, yet ALL mass-infections so far hit it and none Apache which runs over 60%.
It's a fact that MS software comes with a higher risk than anything else. No system is perfectly secure, true, but if you really think that MS software is equally secure as anything else, especially GPL software, then you are living in a dreamworld.