Lawsuit Against Microsoft Over Insecure Software 537
Cinematique writes "Reuters reports that a California-based lawsuit alleges the Redmond software giant produces software with little concern for security and that their products are highly susceptible to, "massive, cascading failures." Should Microsoft's software be treated any differently than, say, automobiles?"
Following their lead (Score:5, Interesting)
Re:Following their lead (Score:2, Funny)
Insightful indeed.
Re:Following their lead (Score:2, Insightful)
Anyway, that said, regarding suing Microsoft for security issues; it all comes down to user negligence at the end of the day. If a car company issues a recall for a fuel pump issue, and your car explodes due to a faulty fuel pump, that's your
Re:Following their lead (Score:5, Interesting)
to borrow your analogy, it sucks to be one of the few people who's car exploded before the manufacture realized there was a problem and issued a recall.
I know of a current exploit in explorer (mshta) that can be used to download and execute any application on your computer simply by loading a website. I know it works because a friend of mine used it on me to show off (and I'm up to date with current patches for winxp).
The scary truth is that until enough harm is done with this exploit it will go undiscovered and unpatched and in the mean time you and I and everybody else are vulnerable to it (unless you don't use windows).
Re:Following their lead (Score:5, Funny)
Link please. Lets leave the anecdotal evidence arguments back in the 20th century where they belong.
Re:Following their lead (Score:5, Informative)
Re:by the same token (Score:3)
Re:Following their lead (Score:2, Informative)
@Stake, are you listening?
Re:Following their lead (Score:3, Insightful)
Just to play devils advocate here, but this is no different from Linux/OSS/BSD/Apple software. There have been SSH problems surfacing lately, and who knows if there will be say, an exploit to own someone box through apple's mail.app tomorrow.
There's jus
and for OSS software? (Score:5, Interesting)
Exactally... (Score:3, Informative)
Re:and for OSS software? (Score:2, Insightful)
If you get food-poisoned in restaurant, you may go ahead and demand compensation.
If you eat, what you cooked, whose fault is it, when you get upset stomach?
Re:and for OSS software? (Score:3, Funny)
Re:and for OSS software? (Score:5, Insightful)
I'm glad somebody else finally said this.
There are a few simple things to consider:
- Software is written by error-prone humans.
- Software is maliciously used by people who concoct creative ideas.
- Linux may be more secure by default, but it's still a human error away from having the same type of problem hit it.
I'll tell you all something, if I'd be scared shitless about releasing an app on the web if it turned out I could be responsible for somebody else being a bastard with it.
Re:and for OSS software? (Score:5, Insightful)
It's very simple: Software is in a unique environment where just about anything can happen. Afterall, computers are very generalized in what they do. The nature of this generalized environment is that somebody can be malicious in so many different ways that it's ridiculous to believe that anybody can every make anything totally secure. Once somebody is *in*, then that's it. They can destroy the data on the computer, they can lock it up so nobody can use it, or they can infect another machine.
As for physical products, there's an entirely different environment happens. There are controlled ways to use this product. It's reasonable that your car is on the road driving a certain speed. It's reasonable that if the tire explodes for whatever reason, it does so in such a way that it doesn't get tangled up int he car and lock it up, causing rollover. So what happens when it turns out that the tires are defective, they get recalled. Software can be patched, but not recalled.
So let's talk about a computer on the net here. You've got a Windows computer using Outlook Express. It's on the net 24/7 thanks to broadband. (Spare me the usual uptime jokes about Windows, they were funny back in 99.) Somebody sends you an email, and it causes something to happen in Outlook Express. The exploit was use of a feature in Outlook. Let's say that the hacker didn't use a buffer overflow or anything like that, they just used the default features and found a way to cause mischief with them.
Okay, so somebody went with Microsoft's defaults and they ended up sending a virus to everybody in their contact list. Is Microsoft responsible?
Well, that's the funny thing about computers, the answer is not black and white. First, when the feature was originally developed, was Microsoft negligent for allowing that sort of exploit? that's a toughie. In some ways, yes, in some ways, no. Should Microsoft have anticipated somebody'd be an ass with it? Hindsight is 20/20. Did one programmer put in the activex feature and another programmer put in the 'email everybody on your contact list' feature? Was there a disconnect that prevented the foresight that somebody did that? If so, what about the user? Were they being responsible? Did they take the proper security precautions?
Even back in 1995, there was talk about internet security. Watch out for malicious files. Careful what you open! Should the user have at least looked at the security settings? Some would say, yes. Computers are not simple devices. Nor are they assembly line machines, almost all of them are unique in some form or another. It's sort of like depending on TV to have your values in mind when it blasts programming to your children.
What about patches? Microsoft can't 'recall' the product reasonably. (look at all the pirated copies of Windows out there) So what do they do? They release a patch. Should users stay on top of patching? Of course! MS puts all this effort into fixing stuff, at some point they just cannot be blamed for the damage caused by a virus or worm.
Anyway, I've babbled too much here. You asked why software is different. The short and very simple answer is that responsibility is shared between both the software maker and the user to a larger degree than most products. Worse, the exploits that are often used don't really apply in a negligence case in the real world. Buffer underruns come to mind. Somebody has to be fairly slick to figure that one out. It's sort of like figuring out the exact sonic frequency it'd take to make a car's tires explode, and then figuring out a way to broadcast it in such a way that it affects cars all over the place. Is Firestone responsible for negligence for not protecting thier tires against this type of attack? Afterall, materials resonate at certainn frequencies. Are they negligent for leaving that vulnerability o
Re:and for OSS software? (Score:3, Insightful)
Um, no, you're comparing apples to oranges here. There's a significant difference between software for PCs and software to do a very specific task, such as controlling brakes on a car.
"It is all a matter of how you approach programming."
There's more to it than that. No approach of programmi
Re:and for OSS software? (Score:5, Insightful)
If you make statements like this, you obviously don't have a clue about programming anything more than little helper utilities.
All code is split into small, specific tasks. They're call functions.
The interation between the small specific tasks is where you have problems. You get even more problems when parts of the system have to maintain some sort of "state" about what's going on.
Mix 1000 of these things together, and it's hard to keep working right. Now mix 10,000 of them. Now deal with 100,000 of them.
Next, throw a few extra simple things like threads into the mix and tell me that you will know the implication of the interaction of all of those pieces at any given moment in time.
Re:and for OSS software? (Score:3, Insightful)
HOWEVER, if it could be proved that Microsoft was aware of the problem but did nothing (their famous security through obscurity) then they should be held accountable. There have been many instances where Microsoft was informed of a problem but did nothing. In this case I think they should be held accountable.
I don't really see this going anywhere because you really have no rights when you buy software.
Re:and for OSS software? (Score:5, Insightful)
Generally, there seem to be more protections against poor products when a transaction is involved-->it is much easier to release your product 'as-is' then it is to sell it.
Microsoft may also be a unique case----I suspect that the sheer complexity and audacity that is the MS EULA might be easier to challenge in court then a simple, "You can have my software if you like, it might blow up your computer, but its not my problem, and don't say I didn't warn you".
Additionally, MS claiming that they are developing trustworth products, advertising claims that you can rely on their software, and the overwhelming monopoly position they have on the desktop may place a greater, if not unique, burden upon them.
You don't often see MS claiming that Window's security faults are your problem, do you? Except in the fine print of a legal document which probably wouldn't stand up in court.
The question is, what sort of general consumer protection laws would apply if the EULA is declared invalid?
Re:and for OSS software? (Score:3, Insightful)
What I do know is that while MS may claim its software is secure, they never suggest it cannot be broken into. So they've never lied to you. My house is pretty secure until you break a window. Is it the window manufacturer's fault?
Auto companies only issue recalls because they can be sued for wrongful death if a critical part di
IF you read the article... (Score:5, Interesting)
If they did not have a monopoly on desktop computer systems, this type of lawsuit wouldn't be a problem for them. Since, due to all sorts of vendor lock-in promoted by Microsoft itself, it is difficult for users to pick a different desktop, the lack of security in their software ( i.e. buffer overflows everywhere )
But maybe a monopolist which continues to abuse it's position _should_ be held to a higher standard than others ? Is it not arguable that MS has the resources required to audit all of it's code and fix such issues ? Maybe not technically true, but arguable in court...
One small difference (Score:2)
This is fundamentally different from something sold for its utility but with no attendant literary or educational value.
Re:and for OSS software? (Score:2)
Re:and for OSS software? (Score:2)
Re:and for OSS software? (Score:4, Interesting)
Off the top of my head, I can think of three clauses that are common to all EULAs for proprietary software:
* no reverse engineering
* no copying
* no warranty
If MS can be held liable for defects, then so can all software producers. Speaking as one, I don't like the sound of that.
Re:and for OSS software? (Score:3, Insightful)
Let's say a railroad system goes down (like the one in Maryland that went down because of SoBig) because of a hole in some MS code. I don't think it's MS's sole responsibility, BUT they do play a large part in the failure.
I think of it like this- if someone writes a book or flier that is to be seen by thousands of people, and there is a typo or error
Re:and for OSS software? (Score:2)
And waving your hands and screaming "NO! NO! Never!" declares your agreement with the EULA, and is legally binding
Automobiles? (Score:2)
More like Firestones...
Oh man... (Score:5, Funny)
Except that... (Score:3, Insightful)
(Besides, I think almost no one here would enjoy being held accountable for all the bugs they've written over the years...)
Re:Except that... (Score:5, Insightful)
The danger here isn't just that it feeds a lot of lawyers, and isn't making software manufacturer produce less buggy code -- that's something that's been needed for a long time.
The danger is that someone like MS says "OK, we'll accept liability, but only if it's our software, running on our operating system, with no additional code on the system that we didn't install, and only on hardware we approve of, and we end up with even more of a monopoly.
Re:Except that... (Score:5, Insightful)
Notably, lawsuits can be filed for things that just cost tremendous amounts of money. Case in point, the supposition that the Halflife 2 beta may have been leaked through an Outlook preview pane exploit, as other
Of course, this all begs the question "why the hell were the nuclear power plant, train system, and half-life build system connected to the internet in the first place?" Folks, here's a gigantic hint: software is insecure. If you want something to be secure, take it off of the fucking intarweb. The nuclear power plant just doesn't need Fark that badly. Let them read it on their PDAs.
Like the people maintaining those systems don't know better.
About time (Score:4, Insightful)
Hopefully the decision will be intelligent enough to exclude free, take-it-as-it-is software.
Re:About time (Score:2)
Re:About time (Score:2)
however.. you might never get that car on the road(legally) you built from designs in many countries.
i guess this would be actually something ms would like the software to be at as well(that the binaries used on public 'roads' would have to be certified, by them of course, and running other software on public networks would be illegal).
Re:About time (Score:3, Interesting)
Re:About time (Score:2)
I don't know what people want them to do. (Score:5, Insightful)
Besides, every time I see an exploit, it's after Microsoft has already issued a patch. This would seem to suggest that they aren't as responsible for the problems as many seem to think they are; as soon as they're aware of an issue, they fix it. Maybe they could design the stuff secure out of the box, but they'd be the first manufacturer to accomplish such a feat.
Stop using it if it's a problem. There are alternatives now.
Ironically... (Score:3, Interesting)
Now they issue a bulletin, somebody exploits its, somebody else does not bother to read it.
The law suit claims that the update process is too complex, yet these are the same people who complain that no software company has the right to make an update process automatic.
Re:I don't know what people want them to do. (Score:5, Interesting)
That's not a coincidence. A good way to find out where software are vulnerable is by examining the patch issued to fix it. It's only a matter of finishing that analysis and making the exploit before most people have patched, which can be months later.
If Microsoft can be held legally liable, then it's extremely likely that in the future patches would be automatic and not optional. It's also likely to be more expensive, to cover the cost of "malpractice" insurance.
Problems... (Score:5, Informative)
Statistically, one could probably claim that Microsoft products have killed people in an indirect manner.
Re:Problems... (Score:2)
What about Wind River? At a previous job, we were using VxWorks for avionics control.
Re:Problems... (Score:2)
Re:Problems... (Score:3, Interesting)
What about the colleges that need to hire extra support personnel to fix infected Windows computers? What about the networks that are brought to a crawl by worms and Internet related viruses? What about the kids that have their term paper ruined because Word crashed?
Sure, blame the
Great another case for... (Score:2)
Given that Microsoft has hundreds of people... (Score:2)
More Questions than Answers (Score:4, Insightful)
What are the costs to the user when software vendors are held to the same reliability standards as auto makers?
Should there be differentiation between operating system stability and application stability?
What responsibility does the user have for securing their own property?
How will different countries answer these questions, and what is the implication for US software vendors if there are 80 separate standards of culpability for an operating system?
And since I should have at least one answer, the speed of light is slower in materials with a higher index of refraction.
Oh boy.... (Score:2, Insightful)
Que all the "If your car was designed by Microsoft" jokes. It would crash every day, you wouldn't be able to open the hood, blah blah blah, shut up people.
Seriously though, I think that not just Microsoft, but all "critical" level systems should be held accountable. Obviously machinery for hospitals are held accountable - if an XRay machine overdoses a patient with radiation and kills them you better believe the manufacturer is
Re:Oh boy.... (Score:2)
Only if there's negligence. I could get killed by choking on a Twinkie, but Twinkie wasn't negligent. If MS can show that they do their best to make an exceedingly complicated secure, AND they say "hey, this may not be 100% secure", then they're pretty much covered. Accidents happen. I really doubt that there are people as MS who say, "Hey, I know... let's make this product
WHY THIS IS NOT GOOD... (Score:5, Interesting)
Later, GJC
It's a matter of motivation (Score:2, Interesting)
Beware what you wish happen to MS. (Score:2, Insightful)
i don't like it (Score:2)
Should Microsoft's software be treated any... (Score:2)
No laws already in place (Score:2, Insightful)
Poor Gabe (Score:2, Informative)
Gabe held a number of positions in the Systems, Applications, and Advanced Technology divisions during his 13 years at Microsoft. His responsibilities included running program management for the first two releases of Windows, starting the company's multimedia division, and, most recently, leading the company's efforts on the Information Highway PC. His most significant contribution to Half-Life was his statement "C'mon, people, you can't show the player a really big
Lawsuits aren't the way (Score:5, Interesting)
Capitalism holds the answer - provide a better alternative that takes away their market share forcing them to improve or be left behind. With them being a monopoly, this problem is far greater in difficulty, but progress is always being made. Free software is getting viably close to many of the roles that many people use Windows for.
I'd rather wait for that to happen than have another frivolous lawsuit like this. I'll feel better about the successs of better software all around if MS gets to be better because of competition from free software getting better.
-N
Re:Lawsuits aren't the way (Score:2)
Re:Lawsuits aren't the way (Score:2)
If they didn't abuse their monopoly why proprietary standards (like office suite file formats for example) and didn't pressure manufactures (both hardware and software) to only support Wi
Re:WRONG !!!!!! (Score:3, Insightful)
Read my post again and you'll find you agree with it (also my reply to the other person who replied to me). I didn't say that the monopoly wasn't a problem and wasn't being abused. Capitalism as a system is not responsible for that though - as you pointed out, it's the government's lax attitude toward big business and antitrust issues at the root of that problem.
I already described the ways Microsoft abused this monopoly,
Interesting Case (Score:5, Interesting)
The other two claims are the interesting ones. Can software writers be held accountable for damages caused by flaws in their software? Even if they put an "anti-warrantee" in their license? (I hope not) Are click-through licenses agreements valid in this case? These are all question that would have to be asked.
Negligence (Score:3, Insightful)
Oh yeah.. AIANAL...
sometimes.. (Score:2)
the story on shacknews for example on how valve got trojaned.. why on earth did they keep using software they knew was suspectible to be trojaned? or kept using webmail that was compromised(why did they use webmail, and outlook, in the first place is beyond me too if they really were trying to keep a lid on things, they're quite awful to trust)?
**Shortly afterwards my machine started acting weird (right-clicking on executables would cr
Re:sometimes.. (Score:4, Insightful)
> why on earth did they keep using software they knew was suspectible to be trojaned?
To me, this is the place responsibility needs to lie. It's the people who choose systems that are *known* to be bad for important things. Find the forces that "made" them use Outlook and there is a first line of blame.
If a power plant uses MS Windows or Linux for a critical system and it blows up, it's the person who made that call who should be held mostly responsible due to negligence.
If manufacturers are making claims that their systems are secure, or are useable for critical work, then that's probably a case of false advertising and should be dealt with as such.
Valve should be looking to see if its own staff were negligent first. Who was responsible for choosing a known bad, internet connected, system for storing very important data?
Just the same as if I left a printout of the source code in the local pub by accident. If it was an Outlook exploit, then I don't see this as any different fundamentally.
If you have a multi-million dollar asset, you should put some effort into protecting it. Not blame HP for letting you print it out and leave it in the pub.
If I was working on the source for Doom 4, you can be damned sure I wouldn't keep it on my internet connected debian box.
- Muggins the Mad
Let me get this straight... (Score:2)
What kind of crap is that?
Re:Let me get this straight... (Score:3, Insightful)
Fit for purpose? (Score:5, Insightful)
Now if MS were happy charging a reasonable (given the price of hardware, say, $100 - 10% of a machine's value rather than $1500 and 150%!) price for their software, and weren't running around trying to force their way into everything with a processor [slashdot.org] then they'd probably be safer from such claims than they are now.
Consider this.... (Score:5, Interesting)
Re: Consider this.... (Score:3, Funny)
> Back in the 1980s, a Japanese worker was killed by a robot on an assembly line due to a software failure. And robot control systems are very throughly tested before a new model of robot is released. Microsoft is trying to muscle their way into the embedded marketplace; do you want software that has plenty of known defects/security issues running your robot?
At least with a MS-controlled robot you can hope it BSODs before it crushes you in a beserk rampage.
No (Score:2, Troll)
Re:No (Score:5, Insightful)
Yet automobile manufacturers are also sued for nonhazardous situations. I think Toyota was sued for premature engine failure due to sludge build-up. I think suing Microsoft is more in line with this thinking.
Using your logic, there is no expectation of fitness for use for software at all. You can have all the features in the world. Just don't expect to use them.
'Use something else,' you say. How would you like your car "Microsoft" dealer to tell you that after you discover your car is a lemon? Oh, by the way, all the other manufacturers cars don't work on Microsoft Roads. And there is no refund.
As Secure As A Frogs Butt (Score:2)
important part of the suit (Score:3, Insightful)
I think the above statement is pretty interesting. What it says (to me) is that the issue isn't that there are bugs or security problems with Microsoft products, nor is the issue that Microsoft dominates (or weighs heavily in) many software markets. The issue seems to be that Microsoft does both of these things, which results in a ubiquitous and totally insecure majority around the world.
This reminds me of the general pattern where Microsoft is busted for doing something that another company did first or is also guilty of. The non-Microsoft instance (could be a small company, or a large company with a small component) can usually can get away with it because of scale, whereas Microsoft cannot since it's on such a large scale that everyone notices and cannot ignore it. One of many examples is the "OS integrated with the browser" war. Nobody gave a shit when IBM shipped OS/2 warp with built-in browser support even though in principle it was the same thing Microsoft did with Internet Explorer. IBM's reach was minimal with OS/2, so it was rather irrelevant what they did. Not so with Microsoft.
So is this class-action suit setting a precedent that bugs in your software will lead to lawsuits? I don't think so. I also don't think it claims that being a gigantic, far-reaching company is bad. Just don't mix the two, or the wolves will come after you.
What is a reasonable expectation? (Score:2)
If your 1974 Pinto explodes, then whose fault it is, depends on when the event occurs. If you get blown up in a Pinto in 1974, it's Ford's fault. If you get blown up in a 1974 Pinto in 2003, it is your fault.
If you experience loss due to Windows' flakiness in 1990, it is Microsoft's fault. If you experience loss due to Windows' flakiness in 2003, it is your fault.
Don't buy something that is infamous for being a piece of
Should Microsoft's software be treated different.. (Score:2, Insightful)
I figure when MS can start charging $20,000 per OS license, then maybe we can expect bullet proof software safety. The kind of engineering required to give some kind of guarantee or waranty against "bad things" that these people are expecting would cause the cost of software to be prohibitive. Heck it may not even be possible if the software is complex enough. At some point you have to say well we've gotten it as hardened as is feasi
I have no sympathy for this moron (Score:4, Insightful)
But this case is even worse than that -- It involves Microsoft's ware, which is known to be insecure. It's in the news every single day. Trusting your corporate secrets to of-the-shelf software is just stupid, doubly so for MS ware.
What I love is how M$ tries (Score:2)
Automobiles and Software (Score:3, Insightful)
"The lawsuit, which was filed on Tuesday in Los Angeles Superior Court, also claims that Microsoft's security warnings are too complex to be understood by the general public and serve instead to tip off "fast-moving" hackers on how to exploit flaws in its operating system."
If you cannot interpret the information MS provides you, there are thousands of web pages and forums to help you. These are free as well. There are services which you can contract to do the work for you. Using computers has a cost. Using machines connected to the Internet has a cost. It is not the fault of MS that someone exploited the OS. They were irresponsible for leaving the vulnerabilities there, but unless you want to make the claim that they intentionally attempted to provide you with an insecure OS, then I do not understand the argument. XP does not say on the box "hack-proof: Try It!".
I have a little idea:
Software that directly controls physical devices (automobiles for example) which are themselves regulated should be held accountable to similar standards as the device which the software controls. They should be legally linked.
Software that does word processing, serves web pages, browses the Internet, sends email, etc. would not fall into this trap. We have disclaimers on lots of things saying don't use x with y or p as a q. So mark your software accordingly.
software vs automobiles (Score:2, Funny)
I've never been physically injured from a PC crash.
The auto analogy is quite close.. (Score:5, Insightful)
It goes;
A Mechanical Engineer, Marketer and Programmer were driving in the mountains, when the car's brakes failed and they crashed into one of the breakdown barriers (big mounds of gravel to stop trucks).
The Mechanical Engineers says, "I will look under the car and determine why the brakes failed, and how to fix it so it does not happen again".
The Marketers says, "I've got to tell the car company, so that word can get out if this needs to be a recall notice".
The Engineer and Markerter look at the Programmer who says, "I think we should push it back up the hill and see if we can get it to crash again".
Think about it... this seems very close to Microsoft's Mentality: all windows users are crash test dummies.
Case(s) in point: The remote code execution in Windows Media Player that allowed content to be executed (similar to the MIDI flaw in dx9.0a and below) was fixed in 6.x versions and re-opened in subsequent versions, not once, but at least 3 times!
The RPC vulnerability wasn't fixed until the second time, hence the need for *another* patch because Microsoft had not FIXED the vulnerability, just enough to protect against the first exploit.
(little dutch boy story ring a bell, mr pavalov?)
And their strategy for integrating everything into the OS is actually driving XP users back to 98se.
Yes, 98se where the IM client, browser, outlook express, media player, passport and another half dozen things aren't integrated into the OS (as proven by 98lite).
Why?
It *annoys* the piss out of people.
Wonder why?
No (Score:2, Interesting)
No, it shouldn't. This would perhaps slow down software development a bit, but commercial software manufacturers should have similar responsibility over their products like any other industry.
Like our (Finnish) Product Responsibility Law points out (not literally but practically): "Manufacturer must repair manufacturing defects, whether the product still has warranty time left or not, or give a full refund." This should mean: "
Microsoft is a Special Case, and should Eat It (Score:5, Interesting)
Though I am adamantly opposed to shrinkwrap "licenses," the one thing they do that I happen to agree with is the disclaimer of liability.
Writing solid software is hard. Writing solid software to run on cheap, unreliable hardware is even harder. Though we ridicule software vendors, crashing software is a fact of life. One day, new technologies or engineering practices may appear to make writing reliable software easier, or to allow the user to "reverse" the machine back to the last known good state so they can at least save their work. But for now, software is flaky and, undesireable though it may be, users need to plan appropriately.
That said, however, I believe there should be an exemption to the liability shield. Off the top of my head, the following factors should be considered to determine if liability should apply:
The scale of each factor would be weighed to determine whether the software vendor should suffer liability. This standard should be set fairly high. If a company is consistently pro-active in correcting bugs, releasing patches, and informing users; or the failures are comparatively minor; or their products exhibit failures on a comparatively rare basis -- in other words, if they are clearly a good, conscientious citizen of the computing community -- then the vendor should escape liability. OTOH, if a company can be shown to persistently use flawed methodologies and designs, and they regularly ignore bug reports until the excrement hits the rotary impeller, and the bug can cause widespread havoc, then the vendor should be exposed to liability.
Needless to say, Microsoft's 25-year history of releasing junk and not giving a $#!+ about it should be a reasonable foundation for a liability suit.
Schwab
What does this mean for small-time geeks? (Score:3, Insightful)
I put out some free Perl & PHP code [outshine.com], and planned to release some more next week. But I partly rely on the BSD license to protect me from liability. What does this case mean for someone like me? While I think I'm such a good programmer that eventually my code will be super-tight, I know I'm a poor enough programmer that it will take many iterations and bug reports to get there. Should I only release code when I'm certain no security issues exist (which probably means I'd never release stuff)?
Truth in advertizing... (Score:2)
Microsoft: Where do you want to go today?
All this time, I thought Microsoft was talking to their customers when they were really talking to the hackers and script kiddies.
If Microsoft Were Exxxon... (Score:3, Insightful)
Microsoft and life-critical systems (Score:5, Funny)
-- Cliff Wells, 2002.03.13, in comp.lang.python (original UseNet article [google.ca])
It's called "merchantibility" (Score:3)
There's a principle codified in the Uniform Commercial Code that a product that is sold by a merchant (i.e. one whose primary business is involved in selling products of the given type) must be "merchantible," meaning "fit for the ordinary purposes for which such goods are used." UCC sec. 2-314. This is called the implied warranty of merchantibility. It may be explicitly disclaimed in a written contract (and every EULA includes a term disclaiming express and implied warranties of merchantibility).
Here's the rub: retail software sales are clearly sales. When you go to the store and buy a pc preloaded with MS Windows,or even a boxed copy of windows, you are not presented with a contract at the time of sale. You pay your money and leave with a box - clearly a sale. Only when you boot up your new computer for the first time, or install your new OS do you have these new non-negotiable terms sprung on you without your approval or consent.
First - a "take-it-or-leave-it" contract like a EULA purports to be is called a contract of adhesion. These contracts are enforceable, but courts are generally inclined to take a close look at adhesion contracts where one party has disproportionate power over the other.
Second - In the real world, one party may not unilaterally add to or amend a contract, or impose terms on a sale, without the consent of the other party. (They can try, but the new terms will not be enforceable in court.) "Aha", says Microsoft, "but you agreed! You clicked 'I agree.'" Well, wait a second - what are your alternatives? If you bought a boxed copy of windows, the retailer will not, as a matter of policy, accept a return. So basically Microsoft (and every other commercial software vendor) is saying to you "We already have your money. You're not getting it back. Now agree to these additional terms or get bent." I rather suspect a court, even an extremely conservative one, would take a dim view of this arrangement. (except in Virginia and Maryland, the two UCITA states where click-wrap EULAs are explicitly enforceable.)
And since we're on the topic of adhesion contracts and Microsoft, how about the additional terms they add when you use Windows Update to fix new vulnerabilities? Talk about strongarm tactics - "either accept these new terms or accept that this software which we sold,er,licensed you with network capability (but of course we claimed it was fit for no purpose at all) is no longer suitable for its advertised purpose." Bite me. That's not duress, but it's it's damn sleazy.
</RANT> Whew. I'm not a lawyer, and none of this is legal advice, of course.
-Isaac
This is a terrible thing, in a way. (Score:4, Insightful)
Should this class action go through the courts and succeed, it sets a hell of a precedent. Specifically, it implies that software should be thoroughly engineered and reasonably defect-free prior to release, with no damaging defects at the point of release. It essentially also says that releasing patches after the fact is not good enough (and that it's not the customer's responsibility to apply them), which causes two minefields I'll try and touch on later.
Trying to enforce defect-free software is a great idea - except that, as we all know, software exhibits weak-link behaviour, and that in turn suggests that you'd need to get rid of 100% of defects to be absolutely certain that no damaging defects exist. You can't over-engineer software in the way you can, say, a building, to protect against potentially damaging structural defects. Oftentimes, over-engineering software makes it more prone to the kind of defect that makes the software useless.
This precedent I percieve in turn means that the open source community - specifically, the people "managing" a given software project - are open to the same kind of litigation as, well, Microsoft are facing. I sure as hell don't want to be sued because my software's not perfect...
As for basically disregarding patches, well, that raises one major issue: it makes the vendor responsible for deploying those, which in turn either requires a "returns" policy on software (unworkable!), or requires that they have the ability to deploy software (privacy issues).
In short, this disquiets me. While I've been waiting for this kind of legal action to happen for a while, and in the long term it'll probably lead to much more reliable, much better software, I don't think the software industry as a whole is really ready for this kind of thing yet. Frankly, we still suck at making reliable software, and that's not just something Microsoft can take the hit for...
Re:This is a terrible thing, in a way. (Score:3, Interesting)
No. Actually, some of us aren't ignorant, and know what a microkernel is.
This could cut both ways (Score:4, Insightful)
There is a mechanism in place to pressure M$ (and all of us) to ensure product quality: competition.
I think that Windows sucks; but Windows 2000 sucks quite a bit less than 98 did; It seems that M$ has taken notice of the alternatives, and is beginning to come around in terms of security and quality of their software (not saying that they don't have a long way to go, still) presumably due to market pressure.
Besides, look at it this way: I hate Windows because it sucks; If/when M$ improves the quality of their OS (and other software), don't we all win?
I am a Linux fan; but if M$ produces a product that is truly an attractive alternative, from both quality and price standpoints, I am not going to ignore it because of some "religious" viewpoint. (Nor will I bother myself with Windows until they do).
The point is, this is a textbook example of a situation where the govmint should keep out of it, and let capitalism/competition work things out naturally. People are just beginning to be exposed to Linux (and others) as real alternatives; M$ will naturally have to improve, or die.
Monopolies are supposed to play by different rules (Score:3, Interesting)
Which takes us to Microsoft. They've been declared a monopoly by the US government, so they really do need to get a different set of rules to follow in the areas where MS is a monopoly (web browser, desktop OS, and perhaps office suite). I know you're probably thinking that there are other choices, but for most people, using an alternate OS is akin to building a windmill for your power supply - not for the average consumer.
The electric company has to maintain a certain quality of service. A city block can't go without power for two weeks, and we can expect to not experience wildly fluctuating power levels coming out of our outlets. Likewise, MS, as a monopoly, needs to supply a product that doesn't put us at higher risk than, say, one of the many competitors the company has illegally muscled out of the industry. Sure, it sounds tough, but MS brought this on itself, and it isn't nearly as tough as the challenges it put forth to all its former competitors.
How many lawsuits against car manufacturers in the (Score:3, Insightful)
Except. (Score:5, Insightful)
In other words: it has reached the point where even people who are not Microsoft product users are harmed by Microsoft's irresponsibility. The messes created by the holes in MS products make EVERYONE a possible target for collateral damage.
Re:When you clicked on EULA (Score:2)
Ehh..
There is some common sense ground here. I don't think it's as black and white as you're saying.
I'm not sure if I think they have a legal case or not. I certainly hope they don't, though. I'm worried about the ripples that could be caused by this case. Remember when sexual harassment was a big deal? Remember all those stupid lawsuits that stemmed from that? Could this turn into one of those things?
Re:Valve might have something to say about that (Score:2)
Probably something along the lines of "Oh, look. A somewhat convenient and visually appealing way of reading email. Surely if there were still a problem with using this, Microsoft would have put out an update that would disable this feature/bug as a security hole."
Re:too complex? (Score:2)
You don't even do that. I think that at least on XP, Windows Update defaults to 100% automatic.
Re:Microsoft needs to be stopped at 50% marketshar (Score:3, Interesting)
Re:Great time to be a lawyer (Score:2)
Open source, on the other hand, says you ne
Re:This is stupid (Score:2)
In fact, if that happened and someone store your car and drove it into another car, the car company WOULD be liable. And in this case Microsoft should be liable too.
Re:nope (Score:3, Interesting)
Do you know who beta tests Microsoft products?
The paying consumer.
Who beta tests automobiles?
Hundreds and hundreds of professional test engineers until the end product is as safe as the government regulates.
Currently, in the US, it is illegal to write