Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
The Courts Government Microsoft News

Microsoft Sued for Defective Software 641

Door-opening Fascist writes "eWeek is reporting that a South Korean citizen action group, People's Solidarity for Participatory Democracy, is suing Microsoft for putting the SQL Slammer vulnerability into Windows. They are doing so on behalf of the South Korean people and businesses affected by SQL Slammer."
This discussion has been archived. No new comments can be posted.

Microsoft Sued for Defective Software

Comments Filter:
  • by Scoria ( 264473 ) * <slashmail AT initialized DOT org> on Tuesday May 06, 2003 @05:54PM (#5896060) Homepage
    Gates: Ballmer, loyal comrade, I've an assignment for you.
    Ballmer: Yes, master?
    Gates: Say, how much would it cost to purchase the country of South Korea?
  • Silly lawsuit (Score:3, Insightful)

    by PD ( 9577 ) * <slashdotlinux@pdrap.org> on Tuesday May 06, 2003 @05:55PM (#5896065) Homepage Journal
    First, this is not good if he wins, because someone could sue a GPL author for the same kind of deal.

    Second, it seems that it would be like suing Stephen King for causing nightmares.

    • Re:Silly lawsuit (Score:5, Insightful)

      by Anonymous Coward on Tuesday May 06, 2003 @06:02PM (#5896145)
      First, this is not good if he wins, because someone could sue a GPL author for the same kind of deal.

      How so? Last I checked, people who released software under the GPL didn't spend millions on advertising that claims said software is secure and reliable.

      Plus, GPLed software has the source publicly available, so the argument could be made that reviewing the code before deploying it would comprise 'due diligence' on the part of anyone who wished to use that software, and that if someone didn't do that, it's negligence on their part.

      With Microsoft, you can't take a look at their code, you just have to take them at their word (HAH!) when they say how good it is.
      • Re:Silly lawsuit (Score:5, Insightful)

        by cptgrudge ( 177113 ) on Tuesday May 06, 2003 @06:40PM (#5896607) Journal
        ...so the argument could be made that reviewing the code before deploying it would comprise 'due diligence' on the part of anyone who wished to use that software, and that if someone didn't do that, it's negligence on their part.

        Just like those admins that didn't patch their boxes didn't exercise "due diligence"? Even though a patch was availible for months before? Negligent like them?

        • ask Bill ... (Score:3, Interesting)

          by twitter ( 104583 )
          why boxes at Microsoft were not patched against SQL Slammer. Do they sue themselves, fire the admin or simply replace the servers with free software?
      • Re:Silly lawsuit (Score:3, Insightful)

        Plus, GPLed software has the source publicly available, so the argument could be made that reviewing the code before deploying it would comprise 'due diligence' on the part of anyone who wished to use that software, and that if someone didn't do that, it's negligence on their part.

        Sure, but you're thinking logically, not legally. Besides, how much would it cost you by the time you proved this in court? It would probably cost as much or more than a mortgage on a house. How many OSS developers could affo
    • Well the GPL specifically says that it comes with absolutely no warranty and that if it happens to wipe out all your hard drive data, that's just too bad.

      Therefore, assuming that the GPL is immune, we can now relax and laugh at Microsoft's plight. :)
    • Totally agree. I'm (chokes) with MS on this one (gah that hurts to say). However, it brings about an important fallacy in many IT manager's trains of though, you can't hold a software maker libel for their crap product, open source or not. Sorry to say this, but tough banana's PSPD, you made your bed, you sleep in it, and for god's sake try to learn from it.
      • Re:Silly lawsuit (Score:5, Insightful)

        by shaitand ( 626655 ) on Tuesday May 06, 2003 @06:53PM (#5896764) Journal
        I disagree with your statement. If someone wants to sell you a commercial product you SHOULD absolutely be able to hold them liable if their product loses you money.

        If someone gives you something for free it's another story. You sell me your $5000 program, that you only produced once and have now sold 100,000 times, then try to explain to me that I WASN'T supposed to be purchasing something that functioned within reasonable tolerance. Yes I know that's exactly what is done now, but that doesn't mean there shouldn't be consumer protection laws to the contrary.

        There should also be laws against the new conditions in MS EULA that state you cannot share your negative experiences with the software.

        If I install office, when I click finish my computer explodes, I think I should not only be able to sue microsoft for being negligent in distributing the software this way, but I believe I should be able to bitch to my neighbors, news stations, tabloids, rant sites, slashdot or to anyone else I care to.
    • Didn't slammer start in Korea?

      That'd be more like suing Mattel if Stephen King wrote a story that gave you nightmares of barbie dolls.
    • Re:Silly lawsuit (Score:2, Insightful)

      by andyh1978 ( 173377 )

      First, this is not good if he wins, because someone could sue a GPL author for the same kind of deal.

      GPL license text [gnu.org] And in capitals, too:

      NO WARRANTY

      11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

  • by mrseigen ( 518390 ) on Tuesday May 06, 2003 @05:55PM (#5896067) Homepage Journal
    is suing Microsoft
    for putting the SQL Slammer vulnerability into Windows

    Conspiracy theories inside, who actually intends to put a vulnerability into a product? Perhaps this should be "not fixing the vulnerability" or potentially even "ignoring the problem". I don't think any of Microsoft's programmers intentionally insert bugs into their shipping products... although... nah, it couldn't be.
  • Maybe... (Score:4, Insightful)

    by Bendy Chief ( 633679 ) on Tuesday May 06, 2003 @05:56PM (#5896071) Homepage Journal
    Maybe those people and businesses affected by Slammer should have gotten their lazy asses in gear and patched and/or firewalled like all the half-decent sysadmins in the world. Great idea, guys, run a SQL server connected to the net.

    I hope the Judge kicks these people through the goalposts of life.

    • Re:Maybe... (Score:4, Insightful)

      by darkov ( 261309 ) on Tuesday May 06, 2003 @06:18PM (#5896340)
      That's right, Microsoft's defects are our problem, we should get our lazy arses into gear becuase we haven't got anything better to do than evaluate, install, test and support Microsoft's constant patches. God forbid that we spend anytime on what we actually bought the software for, running our business or whatever. Lets all just be extensions of Microsoft's flawed development strategy: we're all testers!

      It seems life's arelady kicked you or your brain through the goalposts.
      • Re:Maybe... (Score:3, Insightful)

        by InsaneGeek ( 175763 )
        I take it you haven't looked at the security patches for Linux lately. Remember the root compromises that were out just a couple of weeks ago, or did you not "evaluate, install, test and support" those root compromise patches.
      • Isn't your job as a sysadmin to "evaluate, install, test, and support" the networks you run?

        Face it. Running unpatched servers connected to the net are the sysadmins' faults. Not Microsoft's. Nobody's forcing them to use Microsoft software.
      • I disagree! (Score:5, Interesting)

        by mabhatter654 ( 561290 ) on Tuesday May 06, 2003 @09:27PM (#5897876)
        How many of you are up-to-date on your recall notices for other stuff? Cars, toasters, appiances, tvs, child car seats, etc...


        yet if your car was to suddenly veer off the road from a known defect you'd expect the auto company to deal with it! Driving the car down the road doesn't generally cause the wheels to just 'fall-off'! That is the issue with MS.


        Maytag repair guys are what 100,000-to-1 with their insalled base? even doctors are about 100-200-to-1. yet PCs are supposed to be 10 or 20-to-1 for admins. It's a crock! If any other business system was this terrible, it would be bankrupt in a year! And MS only answer is that the admin should run around and babysit the system? They offer automated updates, then again blame the admin for not "testing". You all check the gas quality going in your car before you fill up right. Or, you consult medical texts after going to the doctor just to be sure he called your illness right.


        I'm sorry, this stuff should just work. Compaies have invested 10 years and billions of dollars into windows and it still doesn't just work! Billy designed the system so that MS had 'plausable deniability' After all, they don't make hardware [not their fault], or drivers [not their fault], or systems [oems didn't test, not our fault], or software [sure we have Secret APIs but not their fault], they pretend to train admins [but not their fault if admin shamans don't dance right], and of course users because they make the computer do "stuff" MS might not have planned! [if MS did plan it, they'd charge more!] They have no techincal support without outrageous fees [Linux cost is mostly support--and you can afford to use it!] Well, it's basicly like OSS only costs more. They offer the same package of benifits!


        That said, I don't think a lawsuit is the way to go either. We're trying to get rid of stupid IP laws, not tie ourselves to them more! If the liability cost of software goes up, then free software will die a horrible death. We're not sophisticated enough to have software "building codes" yet and license "Software Accountants" to set them up. Even then without 100% control of a system, you just can't have that kind of liability...Then again, maybe that's what MS wants [OK we know they want it] total control of the systems and your wallets!

    • by G27 Radio ( 78394 ) on Tuesday May 06, 2003 @07:10PM (#5896958)
      They should at least have a warning during installation of the software for those who aren't aware. Sort of like the "unplug your computer before installing" warnings that come with hardware. Something like:

      WARNING: Unplug your computer before installing this software. And under no circumstances should you connect it to a network until all the patches have finished downloading and installing.


  • by wfberg ( 24378 ) on Tuesday May 06, 2003 @05:56PM (#5896077)
    Ow wait, South-Korea.. Those are the good guys, right? Dagnammit!
  • by Wakko Warner ( 324 ) * on Tuesday May 06, 2003 @05:56PM (#5896078) Homepage Journal

    Shut up and patch your systems like the rest of the planet.

    Software isn't a physical thing so it's impossible to make it bug-free.

    You knew about this vulnerability for months, there was a patch for it, and you did nothing about it."

    Pick a defense, any defense...

    - A.P.

    • by Mr Bill ( 21249 ) on Tuesday May 06, 2003 @06:01PM (#5896141)
      I don't think they are complaining about their own systems being compromized, but the network effects of thousands of other computers grinding parts of the internet to a halt.

      My mail server runs on Linux, but it was unavailable for at least 30 minutes because of the Slammer worm. Not because it was vulnerable, but because of all the idiots dumb enough to put SQL server on an open network...
    • by Otter ( 3800 ) on Tuesday May 06, 2003 @06:16PM (#5896311) Journal
      ...and if they do win, there are two possible outcomes:

      1) It's the end of software sales in South Korea. That means Red Hat and FreeBSD, too.

      2) Lawyers come up with some new way to avoid liability. EULA's become more convoluted and "ownership" of software becomes even more tenuous.

      No idea how a case like this would be tried in the Korean system, but that's a lot of damage a witless or simply anti-American jury could do to a major technology power.
  • As much as I hate Microsoft, this is total BS. If this becomes precedent, how the hell can anyone write an opensource app? Software is a clear case of when "buyer beware" is neccesary. Get software from the people you've grown to trust for not releasing bug-ridden shit. I really don't see how it could work any other way.
    • by Malcontent ( 40834 ) on Tuesday May 06, 2003 @06:00PM (#5896130)
      Opponents of open source frequently argue that proprietary products are better then open source because "you can sue somebody".

      Here somebody is suing MS. Let's see how that works out.
  • Precedent? (Score:4, Insightful)

    by mrjive ( 169376 ) on Tuesday May 06, 2003 @05:57PM (#5896083) Homepage Journal
    Although the zealots will be amused by this story, this could set a dangerous precedent for other similar vulnerabilities (especially unintentional ones). What happens, for example, when some group of people (in this case, a country) decides to sue the openSSL group for a flaw in their encryption that allowed credit card numbers to be stolen?

    I'm glad to see that someone is trying to hold MS liable for their mistakes, but this is the wrong way to go about it.
    • What happens, for example, when some group of people (in this case, a country) decides to sue the openSSL group for a flaw in their encryption that allowed credit card numbers to be stolen?

      Your group of people would get laughed at, pointed at, and ridiculed while they are being told to have audited all code they were going to use before using it on production systems. If I wanted, I could read through the entire Apache source code to look for any bugs before compiling it. I can also choose not to do t

      • Ok, so perhaps openSSL was a bad example, but perhaps a for-profit OSS outfit like RedHat could suffer a similar fate.

        I doubt that this case will get very far though, MS's lawyers, armed with the EULA will put the smack down I'm sure.
    • Re:Precedent? (Score:5, Insightful)

      by Realistic_Dragon ( 655151 ) on Tuesday May 06, 2003 @06:11PM (#5896262) Homepage
      In case you didn't notice, free software (being free and supplied at no charge) carries no warranty, expressed or implied.

      This is all fine because they made no representation to you about what it could do. They never made any claims that it was fit for purpose.

      Sure - Mandrake, RedHat et al might be in trouble, but open source software and especially the writers are legally in the clear.

      Personally I believe that if someone impliments OpenSSL badly _in a way that I cannot check_ and requires me to trust my data to them then they _should_ be liable for damages. (So this would cover, say, implimentations of SSL where the host was cracked or traffic sniffed at a later point where it was in plain text, or the key was compromised.) However, this is not the fault of the OpenSSL developers, and so they should not be liable.

      In contrast to this Slammer was caused (in part) by Microsoft making it very hard to install a critical security fix, and not properly notifying people of the peoblem (in their usual 'security fix language' it was described as a minor issue), when part of their responsibility in selling you SQL server was making it secure. Thus they should be at least partly responsible for the damages.
  • by Zebra_X ( 13249 ) on Tuesday May 06, 2003 @05:57PM (#5896087)
    Clearly they haven't read their software agreements. It specifically states that MS is not responsible for damage caused as a result of their products. A better chance to procecute MS would have been during the Code Red incident. One might have argued that not being proactive enough about patching consitituted "negligence" on their part. I guess it can't hurt to try!

    • IANAKL (Score:4, Interesting)

      by Biff Stu ( 654099 ) on Tuesday May 06, 2003 @06:08PM (#5896237)
      (I am not a Korean laywer)

      Does anybody know if the click-through license is worth a rat's ass in Korea? Does Korean law give the plantifs an edge that they wouldn't have in the US? Any Korean laywers out there?
    • A better chance to procecute MS would have been during the Code Red incident.
      Not really. The patch for that was out for about half a year before the worm struck... definitely negligence.
    • by Skater ( 41976 ) on Tuesday May 06, 2003 @06:47PM (#5896694) Homepage Journal
      Ever go to a hospital? They make you sign something that says you won't sue them if they mess up. So why are there plenty of medical malpractice lawsuits?

      Because clauses like that are "exculpatory" (if I remember the term from my "legal environment" class correctly). They have no meaning, other than to scare the uninformed. As our instructor put it (a lawyer, mind you): "If things like that worked, I'd have a big sign on my car that said, 'Not responsible if I hit you.'"

      --RJ
  • Fellow Americans, this blow by Korea against the great American bastion of Microsoft is just the latest act in a string of transgressions by this rogue state. Te must remember that they are part of the axis of evil. As all of you undoubtedly know from watching the news, we believe they already have several nuclear weapons, and they are currently working on developing more.

    Many American lives have been killed by the Koreans, and if we don't stop Korea now with diplomacy or force if need be, there will cert
  • by default luser ( 529332 ) on Tuesday May 06, 2003 @05:58PM (#5896104) Journal
    I work for a major defense contractor, and our WAN got hit by Slammer today. Brought down all the remote sites for hours.

    Silly how little explots like this can cost millions of dollars.
  • Shifting blame... (Score:3, Insightful)

    by Mortanius ( 225192 ) on Tuesday May 06, 2003 @05:58PM (#5896105) Homepage
    I somehow doubt that Microsoft intentionally put this hole into SQL server, so that should probably steer clear of anything malicious. Negligence, perhaps, but this would open a whole can of worms (at least, if it were to show up in the US courts. Although now that this is happening in SK, I'm sure it'll make its way to our shores soon enough.)

    I feel sorry for the companys who were sent to their knees over this vulnerability, but if there was a patch out months and months beforehand that could've avoided all this, the end-user needs to share some of the blame for this... There's not much more Microsoft could have done for it, if they'd forced the installation of the patch they'd have been even higher on the privacy zealots' shitlists than they already are.

    I do seem to recall in the back of my mind that there was some nasty side-effect of the patch though, although it escapes me at the moment...
  • Like (Score:5, Funny)

    by NetMasta10bt ( 468001 ) on Tuesday May 06, 2003 @05:58PM (#5896106)
    They actually bought Windows in the first place!!
  • by Dishwasha ( 125561 ) on Tuesday May 06, 2003 @05:59PM (#5896115)
    Let it be noted that Microsoft already had SQL SP3 out which fixed the problem before it ever occurred. PSPD should try using a vulnerability that could actually hold water in court like Code Red or it's dirivative, or any other Word ActiveX open-execution macro vulernability.
  • Duh (Score:3, Insightful)

    by JanusFury ( 452699 ) <.moc.liamg. .ta. .ddag.nivek.> on Tuesday May 06, 2003 @05:59PM (#5896117) Homepage Journal
    You buy the software, you choose to use it, YOU DEAL WITH THE CONSEQUENCES.

    True, Slammer was bad, but it's not like MS intentionally added it, and they DID agree to a EULA when they installed it. Of course software companies should be responsible, but it's not like MS isn't trying (though they're not doing a terribly good job.) Idiotic lawsuits like this set a bad precedent.
    • Re:Duh (Score:3, Insightful)

      by blamanj ( 253811 )
      So you'd also like to hear "Your Pinto exploded? To bad, you shouldn't have gotten rear-ended."

      No automobile company would get away with selling products as defective as most commercial software. Why should the software industry be immune from product liability?
      • In this case at the very least, there are two major differences:
        1. Everyone knows Windows is buggy. Everyone knows software is buggy; especially Microsoft software.
        2. You essentially agree not to hold a company liable for bugs when you install their software and agree to the click-through EULA. (This is not true of all software; but is definitely true of MS software.) IANAL, but technically, this lawsuit is a violation of the EULA, which makes it even more preposterous.
        • Your point 2 is not necessarily true. The EULA claims to disclaim certain types of liability, but that is necessarily subject to applicable law. If the law says that you can't give up your implied warrant of merchantability, you haven't given it up even if you sign a document purporting to do so. I don't know what Korean law says on this point, but it's entirely possible that some of the disclaimers in the Microsoft EULA are not legally valid there, in which case Microsoft could be liable. Companies con

      • Re:Duh (Score:5, Insightful)

        by .com b4 .storm ( 581701 ) on Tuesday May 06, 2003 @06:17PM (#5896329)

        So you'd also like to hear "Your Pinto exploded? To bad, you shouldn't have gotten rear-ended."

        No automobile company would get away with selling products as defective as most commercial software. Why should the software industry be immune from product liability?

        Well in this case, "you shouldn't have gotten rear-ended" is not a good analogy. A better analogy would be the front door on your house. If you leave it unlocked, well that's pretty stupid. It's not the lock manufacturer's fault you didn't lock it. Similarly, if you don't patch a server for a vulnerability that's been known for months, it's not the software developer's fault.

        This isn't to say Microsoft software is inherently secure or better or blah blah blah. Don't take it that way. But in this case, it is the fault of the sys admins for not patching their damn systems. Or for that matter, running SQL servers accessible by the public internet. There's a difference between getting rear-ended, and backing out into traffic without looking first. If you don't take adequate precautions, you (at the very least) share the burden of guilt for what happens.

        • Re:Duh (Score:3, Interesting)

          by rgmoore ( 133276 ) *

          A better analogy would be the front door on your house. If you leave it unlocked, well that's pretty stupid. It's not the lock manufacturer's fault you didn't lock it.

          But that's a bad analogy, too. Failing to lock a lock is not the same thing as failing to patch a server. Failing to lock your lock (or, to use an automotive equivalent to keep things consistent, leaving your keys in the ignition) is like failing to change the default password on a server- a basic thing that's an inherent part of the job.

      • Auto companies avoid this problem by doing a recall to fix the problem. Software companies avoid this by releasing patches (which MS did do in this case, a LONG time before the worm hit).

        If your Pinto explodes because you ignored the recall, that's your fault, not Ford's.
    • Re:Duh (Score:2, Informative)

      "You buy the software, you choose to use it, YOU DEAL WITH THE CONSEQUENCES."

      For the less well educated we esentially lie in a software monoculture. If you are an average small business owner, what choice do you have _but_ Microsoft products? (Lack of information rather than lack of choice here, not helped by constant FUD from a certain company.)

      Hence, they did not choose to use the product - they were, to a greater or lesser extent, forced.
      • Can you honestly say that in this day and age, the entire country of South Korea is 'forced' to buy and use Microsoft Windows? Hardly. This isn't fair, or reasonable. This is a bunch of south korean businesses that were hit hard by their stupidity/negligence (not patching), trying to recoup their losses by ripping off a company in court. If they were suing Apple or Red Hat, you'd be singing a different tune, I bet.
  • by anotherone ( 132088 ) on Tuesday May 06, 2003 @06:01PM (#5896143)
    They're suing MS, because their (South Korea's) tech people suck? Correct me if I'm wrong but I'm pretty sure that MS had a patch out for the slammer months before the outbreak... it's their own fault if they can't keep their servers updated.
  • by Zeio ( 325157 )
    If they expect governments to enforce the overzealous EULAs, and to insinuate the product has real monetary value and it should be criminal to misuse it, then they should be liable for its actions. The door swings both ways. To use the ridiculous but relevant car analogy, check out Ford/Firestone with the tire recall, they hat to eat a big huge monetary crap-sandwich to make up for that. They also have to provide parts for cars for 5 years after they sell them, by law, and they must also be subject to anti-
  • If this goes through, it could set a precedent of liability for software bugs... that's bad, of course.

    Here's an interesting thought: maybe closed source software could be hit harder by this because keeping the source closed could be considered hiding the vulnerability? IANAL, of course.

    Another thing - aren't there liability issues for engineers in other fields as well - like holding a bridge engineer accountable if the whole thing falls down? Of course, a software bug isn't quite that serious, but st
  • slammer (Score:5, Insightful)

    by Twillerror ( 536681 ) on Tuesday May 06, 2003 @06:04PM (#5896184) Homepage Journal
    Hard sell for the exploit that caused slammer. Maybe other exploits/bugs.

    SQL has a pretty good record for security. The exploit had also been patched before the worm.

    The exploit was not put in on "purpose". I guess it could have been, but that is a pretty hard to believe.

    The virus spread fast, but only because there is not a million SQL servers out there exposed. So it spread across the web fast, big deal.

    Furthermore good administration ( especially for a db server), ie. a good firewall could have blocked it. There is the desktop engine that could have been hit, but most apps that use it are still in the server category.

    The exploit itself is not a defect. Sure it could be used by an attacker, but in itself it didn't make the software defective. This could spawn a big argument. Is an exploit that would never actually impede a program unless someone uses it really a bug?

    Code red was a buffer overrun in an ISAPI .DLL. Even though no one ever used the .DLLs in question ( I think it was .hda, .hdq files ) they could have been. You could argue that someone could have written a program that used to long a URL and crashed IIS. The slammer was using a port in a way it was never intended to be used.

    I agree that companies should be held accountable, but intent and the way a company handles the defect also.

    MS essentially called a recall by issueing the patch. It said, send in the part and we'll fix it, but in a more modern approach. How can you sue a company that found the exploit and offered a free fix?

    • SQL SQL Server (Score:3, Insightful)

      by jpetts ( 208163 )
      SQL has a pretty good record for security.

      I have noticed a trend recently that people are more and more often referring to SQL Server as SQL. This is wrong! SQL is an ISO standard [jcc.com], and this habit, which I have noticed especially among Microsoft staff, of trying to conflate the standard with the Microsoft product is just another example of the company trying to create a meme that is misleading.
  • by DataShark ( 25965 ) on Tuesday May 06, 2003 @06:05PM (#5896191) Homepage
    if we see this in a *absolut* way then it is a bad, bad, thing because it increases greatly the cost of putting a product in the market (be it open source or not).

    Anyway there is a very important point about *incidents* like this : they get people's attention about the completly crazy EULAs that some SW companies (namely Micosoft) and content providers (RIAA/Hollywood mob) are currently imposing to they 're costumers ...

    imposing a bit of regulation about the limits of what could be put in a EULA is IMHO a very good think ...


    if the ppl who launched this lawsuit make the /. cummunity, and the online community in general, think a bit about this issues then they made already a very good thing ... (ah, and btw i 'm yet to see MS loose in court ... :-( )


    Cheers from Portugal

    • by Cheffo Jeffo ( 556675 ) on Tuesday May 06, 2003 @06:19PM (#5896353)
      But, you're missing the more important point, this suit has NOTHING to do with EULAs, except for a bunch of /.rs trying to hammer home a (valid) point by squinting until they see an opening that fits their needs.

      Consider the reasons why Slammer was such a problem:

      - there was a bug in SS2K
      - exploit used a stateless connection (UDP)
      - the state of Internet border security is "allow everything but ..."
      - admins didn't apply a patch that had been available for 6 MONTHS (more than enough time to test)
      - admins don't properly protect their servers

      Of these, only the first is Microsoft's fault and they are the only ones who fixed their contribution to the problem proactively.

      But, since Microsoft has deep pockets and geeks hate them, let's sue them ...

      Time to grab some perspective -- patch and defend your fucking systems, people !!!

      Cheers,

      JAKD

  • by WndrBr3d ( 219963 ) * on Tuesday May 06, 2003 @06:05PM (#5896194) Homepage Journal
    Obviously they haven't read Microsofts EULA for SQL Server 2000 which simply states:

    Owned.
  • Kim Jong Il [markfiore.com] pointed to buggy software produced at redmond as sure signs of american belligerence against DPRK.

    "american hegemoney moust stop ! the secureless systems we have can be used to launch attack on our country", he was heard saying.
  • by JackMonkey ( 631985 ) on Tuesday May 06, 2003 @06:12PM (#5896276)
    Following Microsoft's audit of South Korea, North Korea has agreed to dismantle its nuclear program, fearing repercussions.
  • by Anonymous Coward
    For wrecking Blizzard's Diablo servers.
  • by Ryan C. ( 159039 ) on Tuesday May 06, 2003 @06:18PM (#5896338)
    or "or fitness for a particular use" is a concept in most legal systems and is what would determine this case. In the U.S., even if the license says "this may not work, tough.", the consumer still has a right expect it to work for the advertised purpose.

    So you could recover damages from a car that explodes when you try to start it, since that's not what a "car" is supposed to do. But you can't recover damages froma car that explodes when you hit a tree, since that is outside the expected use of a car.

    I'd say there's no case here since SQL did what it was supposed to do, it just had a flaw. Since the flaw was not covered by any warranty, tough luck.

    -Ryan C.
  • by camusflage ( 65105 ) on Tuesday May 06, 2003 @06:19PM (#5896354)
    This is funny, considering the crushing amount of spam that comes from misconfigured boxen in the .sk address space. As has been pointed out, the patch was available well before slammer hit. That they didn't apply it points more to poor administration than anything else.
  • by skinfitz ( 564041 ) on Tuesday May 06, 2003 @06:36PM (#5896543) Journal
    Has anyone actually tried to interpret the SQL Server license agreement?

    In court:

    Judge: "So can the court see the software license for this software?"

    (shuffling of paper)

    "Ah we see from this that you have 10 user licenses for your SQL server."

    "Yes your honour"

    "...yet your server was connected to the Internet - correct?"

    "Correct your honour"

    "But according to this license agreement, you must acquire a separate CAL for each Device that ... accesses or otherwise utilizes the services of the Server Software [microsoft.com] (which techically includes every worm infected machine) and seeing as the server was behind a website, that would come under Hardware or software that reduces the number of Devices directly accessing or using the Server Software does not reduce the number of required CALs. The number you need is based on the number of distinct inputs to the hardware or software "front end." ...so therefore you would theoretically need a license for anyone who could access your site, which right now is a total of around 619 Million people [glreach.com] if it is connected to the Internet.

    *thud*

    Judge:"...and then we have the Windows 2000 server CAL's..."
  • Software Liability (Score:5, Insightful)

    by astro ( 20275 ) on Tuesday May 06, 2003 @07:00PM (#5896862) Homepage
    I'll get modded down as redundant, but it needs to be said as many times as possible (and I don't see much of it in this thread [reading @ +1]):

    A legal remedy here would set a really bad precedent - as a software developer who is not unrealistic about my skill level, I am terrified of software liability becoming either law or accepted assumption.

    If MS loses this, I see absolutely no way I could defend myself if, god forbid, a program I wrote or even maintained caused catastrophic dataloss, or in worse cases, physical injury.

    Note: Ironically, just *yesterday* I was bitch-slapped, albeit in an odd way, by Slammer: in certain situations, applying one of the hotfixes to SQL server that closes the Slammer vuln. without having SQL Server SP2 installed *completely* horks up SQL Server. The ISP (Rackspace) of a dedicated rack unit I "manage" on contract (client has almost no $$$) installed said hotfix in the process of physical maintenance, so I got a panicked call from my client in NYC that the "server is down". A couple of hours worth of research later, I was fine, but it sucked my afternoon away.

    I hate the stacks of dependant/conflicting patches and service packs, not to mention the damn bugs, but I'd prefer to take the risks on this end than be open to litigation of software I write contains bugs.

    --astro
  • by sielwolf ( 246764 ) on Tuesday May 06, 2003 @07:01PM (#5896872) Homepage Journal
    I'm also wondering if/how many of the copies of Windows that precipitated in Slammer were legal. Asia is notorious for its pirated software problems. Not that I'm insinuating anything but Microsoft might be able to say "Well a lot of the machines were illegal anyway therefore in breach of our support. I'm sorry but we can't be held accountable for criminal use blah blah blah-"

    Possible?
  • by Ballresin ( 398599 ) on Tuesday May 06, 2003 @07:03PM (#5896896) Homepage Journal
    Gates: Hey lapdog...get over here!
    Ballmer: Sir, I don't like it when you call me...
    Gates: Shut up lapdog.
    Ballmer: Yes, sir.
    Gates: Buy Korea.
    Ballmer: What's by Korea?
    Gates: No, purchase it.
    Ballmer: Which one?
    Gates: There's more than one?
    Ballmer: North and South.
    Gates: Oh...does it matter? No. Buy both.
    Ballmer: I don't have that kind of money sir.
    Gates: Charge it to the company.
    Ballmer: Yes sir.
  • Call me naive (Score:3, Interesting)

    by pkinetics ( 549289 ) on Tuesday May 06, 2003 @07:16PM (#5897019)
    but I see something a little different about this.

    First, if Microsoft's EULA already prevents them from being sued, software is as-is, why do they release patches in the first place?

    This isn't a question about whether or not a user can sue, but a more basic matter of accountability and responsibility. These are the most fundamental issues in selling anything to the public.

    Microsoft is responsible for this snafu, but they have never been held accountable. Their bugs, their glitches, their crashes. Its become a running joke with techies. It shouldn't.

    When Slammer first hit, people said installing the patches required taking down the servers, running several patches, and praying it still worked. No garunatees about anything. What's the justification? Time wasn't available. Who could afford to do this? How high was it on MS list of things that had to be done?

    But no one is mentioning those same arguments now. Its South Korea's fault for not doing the updates.

    As I recall weren't the patches buggy enough to cause another major security hole?

    We know Microsoft is responsible. We know who should be held accountable. But MS throws in a disclaimer and all is good. The disclaimer is not a silver bullet. There must be accountability for faulty software, no matter who wrote it.

    Will it stifle open source development? Probably scare off crap coders is what it will do. If everyone working together reviews, checks, and verifies, they are going to catch most of the bugs before it goes out the door. The remaining bugs are fixed with patches.

    I honestly don't see anything wrong with suing them. The EULA is not a catch all. The EULA should be thrown out, and rewritten. Users have the right to hold developers accountable.

    Its about time someone figure out how.

  • by Mundocani ( 99058 ) on Tuesday May 06, 2003 @07:21PM (#5897062)
    Strangely, none of the posts so far have mentioned the author(s) of Slammer as being one of those responsible for this mess. They're certainly harder to find (ok, they'll probably never be found), but shouldn't the culpability be shared with those who exploited the problem? It's not as though the server didn't perform its primary function correctly (storage and retrieval of database records), it's that it had a security vulnerability.

    To borrow the Ford Pinto analogy from previous posts, it seems somewhat like somebody cutting your brake lines and then you suing Ford for making the lines so easily accessible. I think the person who cut the lines is truely responsible.
    • No, it's more like if Ford made a defect in the locking system where there is another hole right below the keyhole, and if you stick a pencil in it, the door pops open. No key needed. Who is more stupid? The company who made a car with such a stupid design flaw, the idiot who bought a car with stupid defects and stupid design flaws, or the idiot who thinks it's fun to abuse the situation and go joyriding in everyone's cars?

    • To borrow the Ford Pinto analogy from previous posts, it seems somewhat like somebody cutting your brake lines and then you suing Ford for making the lines so easily accessible. I think the person who cut the lines is truely responsible.

      No it's not. You are clearly unaware of the facts of the situation. Yes, MS had a patch out before the worm hit, but:
      • The bug was downplayed as minor.
      • The patch was not a service pack, nor was it scriptable, and it required you to shut down the server.
      • Even if you i
  • by afflatus_com ( 121694 ) on Tuesday May 06, 2003 @08:12PM (#5897442) Homepage
    If there is any legal eagles in the audience, what is the precedent involving a seriously defective car that causes injury/death/damage? This defect would have a notice sent out somewhere/somehow offering the capacity to take the car back to the shop and replace the defective part, but the user either didn't know or didn't follow through with the effort involved.

    This seems to be what this software has done: there was a defect and a capacity for a customer to do work to fix it, they didn't do it, and damage resulted.

    Any cases like this with products in the automotive area, and did they favour the defendant or the plantiff?

    Best wishes,
    Robert
  • by Colonel Panic ( 15235 ) on Tuesday May 06, 2003 @08:31PM (#5897560)
    Truely, if any one (or any company) deserved to be sued for putting out shitty software, its Micro$oft. ...But, I think that this is a really bad idea and sets a very bad precedent that could ruin the software industry as we know it (and I'm including Open Source here - especially open source).

    If people start flinging lawsuits at software producers then it'll kill open source pretty quick (OK, maybe kill is too strong; how about 'chill' or 'drastically reduce').
    Micro$oft at least has $40Billion in the bank to fight such suits, but your average open source programmer doesn't have enough cash to even hire a lawyer for a couple of hours. These sorts of lawsuits could quickly have a chilling effect on OSS creation. ...Not that OSS would die altogether, but we would have to start releasing code anonymously.
    • Truely, if any one (or any company) deserved to be sued for putting out shitty software, its Micro$oft. ...But, I think that this is a really bad idea and sets a very bad precedent that could ruin the software industry as we know it (and I'm including Open Source here - especially open source).

      Commence conspiracy theory:

      Bill gates to South Korea: Hey, you know, you've been pissed off about our software not working? Well, here's 2 billion dollars. Sue us, and don't put up much of a fight.
      S. Korea: Why w
  • by nsda's_deviant ( 602648 ) on Tuesday May 06, 2003 @08:51PM (#5897688)
    the eWeek article is refering to this Chosun Ilbo article [chosun.com] in a Korean daily newspaper. The lawsuit is part of the 3 way lawsuit against the South Korean Information Minister, ISPs, and the South Korean division of Microsoft. Again this is the SOUTH KOREAN division of Microsoft for failing to inform Korean ISPs of the patch and its signifigance. These are people and businesses who were knocked off the grid for days and had nothign to do with microsoft's licensing. Thus a class action lawsuit. The idiot poster makes it sound completelly different.
  • BAD Korlas (Score:3, Insightful)

    by Unregistered ( 584479 ) on Tuesday May 06, 2003 @08:52PM (#5897693)
    They can't sue m$ for this.
    1) A patch exists.
    2) Software has bugs. It's a fact of life. If you dont' like bugs, don't use software. (Or hardware for that matter).
    3) M$ never claimed their products are perfectly secure. "Secure" is relative. M$ platforms are secure to an extent. Weather that's goo enough is up to the individual.

    Once again another case of M$ being in the right. I hate these, but it's stupid to say they're bad JUST because they're M$. They do enough bad stuff to satisfy anyone's faming needs. I'm glad that a fair number of perople do oppose this, though.

"Someone's been mean to you! Tell me who it is, so I can punch him tastefully." -- Ralph Bakshi's Mighty Mouse

Working...