Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Microsoft Government The Almighty Buck The Courts News

Lawsuit Against Microsoft Over Insecure Software 537

Cinematique writes "Reuters reports that a California-based lawsuit alleges the Redmond software giant produces software with little concern for security and that their products are highly susceptible to, "massive, cascading failures." Should Microsoft's software be treated any differently than, say, automobiles?"
This discussion has been archived. No new comments can be posted.

Lawsuit Against Microsoft Over Insecure Software

Comments Filter:
  • Following their lead (Score:5, Interesting)

    by (54)T-Dub ( 642521 ) * <tpaine.gmail@com> on Thursday October 02, 2003 @05:22PM (#7118500) Journal
    Valve [valvesoftware.com] might want to take a look at this lawsuit considering their potentially devestaing loss reported [slashdot.org] earlier today. According to Gabe Newell, from whom the source code of their latest was stolen, a hacker gained access to his machine "via a buffer overflow in Outlook's preview pane." Read his entire message here [shacknews.com].
    • INdeed this is an insightful comment regarding a minor software company [somehat involved in the original half-life, but the programmers have moved on and only the company shell remains] receiving what other minor software companies bear on a daily basis.

      Insightful indeed.

    • by Anonymous Coward
      It'd be interesting to know whether that was a buffer overflow in Outlook that was patched, or if it's a new problem. I remember a couple of patches addressing issues with the preview pane, but Valve are the kind of smart guys who could probably identify new problems.

      Anyway, that said, regarding suing Microsoft for security issues; it all comes down to user negligence at the end of the day. If a car company issues a recall for a fuel pump issue, and your car explodes due to a faulty fuel pump, that's your
      • by gfody ( 514448 ) * on Thursday October 02, 2003 @05:56PM (#7118885)
        there is a turn around time.. that is, how long it takes for an exploit to become known well enough that ms is made aware of it plus the time it takes for ms to develope and release a patch.

        to borrow your analogy, it sucks to be one of the few people who's car exploded before the manufacture realized there was a problem and issued a recall.

        I know of a current exploit in explorer (mshta) that can be used to download and execute any application on your computer simply by loading a website. I know it works because a friend of mine used it on me to show off (and I'm up to date with current patches for winxp).

        The scary truth is that until enough harm is done with this exploit it will go undiscovered and unpatched and in the mean time you and I and everybody else are vulnerable to it (unless you don't use windows).
        • by Talez ( 468021 ) on Thursday October 02, 2003 @06:30PM (#7119197)
          I know of a current exploit in explorer (mshta) that can be used to download and execute any application on your computer simply by loading a website. I know it works because a friend of mine used it on me to show off (and I'm up to date with current patches for winxp).

          Link please. Lets leave the anecdotal evidence arguments back in the 20th century where they belong.
    • "Many of the arguments in the lawsuit and some of its language echoed a report issued by computer security experts in late September, which warned that the ubiquitous reach of Microsoft's software on desktops worldwide had made computer networks a national security risk."
      @Stake, are you listening?
  • by chrysalis ( 50680 ) * on Thursday October 02, 2003 @05:23PM (#7118507) Homepage
    The problem is : if Microsoft is judged responsible, what would happen to others in the same situation ? Especially to free software ?

    • Exactally... (Score:3, Informative)

      by Osrin ( 599427 )
      follow the link and read the story, the case is built "on the claim that its market-dominant software is vulnerable to viruses". It does not say that the case "alleges the Redmond software giant produces software with little concern for security" as the /. article suggests. I'm not aware of an OS that isn't vulnerable to viruses. Precedent is a dangerous thing.
    • by midav ( 63224 )
      Absolutely nothing.

      If you get food-poisoned in restaurant, you may go ahead and demand compensation.

      If you eat, what you cooked, whose fault is it, when you get upset stomach?

    • by NanoGator ( 522640 ) on Thursday October 02, 2003 @05:39PM (#7118715) Homepage Journal
      "The problem is : if Microsoft is judged responsible, what would happen to others in the same situation ? Especially to free software ?"

      I'm glad somebody else finally said this.

      There are a few simple things to consider:

      - Software is written by error-prone humans.
      - Software is maliciously used by people who concoct creative ideas.
      - Linux may be more secure by default, but it's still a human error away from having the same type of problem hit it.

      I'll tell you all something, if I'd be scared shitless about releasing an app on the web if it turned out I could be responsible for somebody else being a bastard with it.
    • I hate to say this but I agree...

      HOWEVER, if it could be proved that Microsoft was aware of the problem but did nothing (their famous security through obscurity) then they should be held accountable. There have been many instances where Microsoft was informed of a problem but did nothing. In this case I think they should be held accountable.

      I don't really see this going anywhere because you really have no rights when you buy software.
    • by WhiteWolf666 ( 145211 ) <[sherwin] [at] [amiran.us]> on Thursday October 02, 2003 @05:50PM (#7118823) Homepage Journal
      I suspect that when you PURCHASE software, there are reasons that the developer is more 'legally' accountable for their products then when you use open-source and/or free software.

      Generally, there seem to be more protections against poor products when a transaction is involved-->it is much easier to release your product 'as-is' then it is to sell it.

      Microsoft may also be a unique case----I suspect that the sheer complexity and audacity that is the MS EULA might be easier to challenge in court then a simple, "You can have my software if you like, it might blow up your computer, but its not my problem, and don't say I didn't warn you".

      Additionally, MS claiming that they are developing trustworth products, advertising claims that you can rely on their software, and the overwhelming monopoly position they have on the desktop may place a greater, if not unique, burden upon them.

      You don't often see MS claiming that Window's security faults are your problem, do you? Except in the fine print of a legal document which probably wouldn't stand up in court.

      The question is, what sort of general consumer protection laws would apply if the EULA is declared invalid?
      • So what's to stop MS from stamping an "As-is" label on Windows? People will still buy it. Shit, for all I know there's an "as-is" clause in the EULA already, I didn't read it.

        What I do know is that while MS may claim its software is secure, they never suggest it cannot be broken into. So they've never lied to you. My house is pretty secure until you break a window. Is it the window manufacturer's fault?

        Auto companies only issue recalls because they can be sued for wrongful death if a critical part di
    • by javaxman ( 705658 ) on Thursday October 02, 2003 @05:55PM (#7118872) Journal
      you'll notice the case seems to hinge on Microsoft's monopoly status.

      If they did not have a monopoly on desktop computer systems, this type of lawsuit wouldn't be a problem for them. Since, due to all sorts of vendor lock-in promoted by Microsoft itself, it is difficult for users to pick a different desktop, the lack of security in their software ( i.e. buffer overflows everywhere ) ... I don't know. Since I'm not a lawyer, this is where the case falls apart for me.

      But maybe a monopolist which continues to abuse it's position _should_ be held to a higher standard than others ? Is it not arguable that MS has the resources required to audit all of it's code and fix such issues ? Maybe not technically true, but arguable in court...
    • Software Libre isn't sold, it's published. The authors of KDE are liable in the same way that the authors of a book are: you might find it useful, you might find it worthless, or you might just find it interesting. All up to you.

      This is fundamentally different from something sold for its utility but with no attendant literary or educational value.

  • Should Microsoft's software be treated any differently than, say, automobiles?"

    More like Firestones...

  • Oh man... (Score:5, Funny)

    by identity0 ( 77976 ) on Thursday October 02, 2003 @05:25PM (#7118531) Journal
    How long before SCO joins in and sues Microsoft? "Your honor, this code is so crappy, it *clearly* had to come from us!"
  • Except that... (Score:3, Insightful)

    by Atario ( 673917 ) on Thursday October 02, 2003 @05:25PM (#7118536) Homepage
    ...no one gets killed when Dr. Watson pops up and you have to restart Word. When your tire explodes and you flip and burn, well...let's just say it seems more severe.

    (Besides, I think almost no one here would enjoy being held accountable for all the bugs they've written over the years...)
    • Re:Except that... (Score:5, Insightful)

      by blamanj ( 253811 ) on Thursday October 02, 2003 @05:36PM (#7118674)
      Severity isn't the only issue. If your automobile was faulty in a way that caused it to safely pull over to the side of the road but it wouldn't restart for half an hour, you'd still see recalls for lost time and money.

      The danger here isn't just that it feeds a lot of lawyers, and isn't making software manufacturer produce less buggy code -- that's something that's been needed for a long time.

      The danger is that someone like MS says "OK, we'll accept liability, but only if it's our software, running on our operating system, with no additional code on the system that we didn't install, and only on hardware we approve of, and we end up with even more of a monopoly.
    • Re:Except that... (Score:5, Insightful)

      by stonecypher ( 118140 ) <stonecypher&gmail,com> on Thursday October 02, 2003 @05:46PM (#7118782) Homepage Journal
      ...no one gets killed when Dr. Watson pops up and you have to restart Word.

      Notably, lawsuits can be filed for things that just cost tremendous amounts of money. Case in point, the supposition that the Halflife 2 beta may have been leaked through an Outlook preview pane exploit, as other /.ers have already pointed out. Also, consider all of the hubbub about viruses shutting down public services, possibly including a transportation service and a nuclear power plant system in recent history.

      Of course, this all begs the question "why the hell were the nuclear power plant, train system, and half-life build system connected to the internet in the first place?" Folks, here's a gigantic hint: software is insecure. If you want something to be secure, take it off of the fucking intarweb. The nuclear power plant just doesn't need Fark that badly. Let them read it on their PDAs.

      Like the people maintaining those systems don't know better.
  • About time (Score:4, Insightful)

    by Compact Dick ( 518888 ) on Thursday October 02, 2003 @05:25PM (#7118540) Homepage
    Perhaps an "incentive" could be established for commercial software manufacturers to not throw in that horrid clause in their EULAs disclaiming all liability.

    Hopefully the decision will be intelligent enough to exclude free, take-it-as-it-is software.
    • If a car is given away for free, does that mean its manufacturer is free from liability if an error on manufacturer's part leads to the death or injury of the car's occupants?
      • if you give out plans to the car for free, i don't think you're responsible for anything somebody does with them.

        however.. you might never get that car on the road(legally) you built from designs in many countries.

        i guess this would be actually something ms would like the software to be at as well(that the binaries used on public 'roads' would have to be certified, by them of course, and running other software on public networks would be illegal).
    • Re:About time (Score:3, Interesting)

      by ibpooks ( 127372 )
      The incentive is that companies can demand a higher price for life-safety grade software. Same reason a marine life vest costs substantially more than an inflatible pool toy.
  • by Sheetrock ( 152993 ) on Thursday October 02, 2003 @05:26PM (#7118542) Homepage Journal
    Lawsuits aren't going to do anything but make lawyers richer.

    Besides, every time I see an exploit, it's after Microsoft has already issued a patch. This would seem to suggest that they aren't as responsible for the problems as many seem to think they are; as soon as they're aware of an issue, they fix it. Maybe they could design the stuff secure out of the box, but they'd be the first manufacturer to accomplish such a feat.

    Stop using it if it's a problem. There are alternatives now.

    • Ironically... (Score:3, Interesting)

      by Osrin ( 599427 )
      ... this was never really a very big issue for most people until Microsoft starting issuing security bulletins.

      Now they issue a bulletin, somebody exploits its, somebody else does not bother to read it.

      The law suit claims that the update process is too complex, yet these are the same people who complain that no software company has the right to make an update process automatic.
    • by GlassHeart ( 579618 ) on Thursday October 02, 2003 @06:00PM (#7118915) Journal
      every time I see an exploit, it's after Microsoft has already issued a patch.

      That's not a coincidence. A good way to find out where software are vulnerable is by examining the patch issued to fix it. It's only a matter of finishing that analysis and making the exploit before most people have patched, which can be months later.

      If Microsoft can be held legally liable, then it's extremely likely that in the future patches would be automatic and not optional. It's also likely to be more expensive, to cover the cost of "malpractice" insurance.

  • Problems... (Score:5, Informative)

    by littlerubberfeet ( 453565 ) on Thursday October 02, 2003 @05:26PM (#7118544)
    It specifically says in M$'s TOS that the software is not to be used for any life-critical applications. In fact, QNX is the only compnay that will license software for life critical stuff. Microsoft also has a non-responsability clause in their TOS. This is going to be a long, drawn out fight, like the one against tobacco companies.

    Statistically, one could probably claim that Microsoft products have killed people in an indirect manner.
    • QNX is the only compnay that will license software for life critical stuff

      What about Wind River? At a previous job, we were using VxWorks for avionics control.
    • There are actually a number of life-critical operating systems in play, a few of which have been certified by the NSA. DEC and IBM make very large zeros on this sort of thing from airports, et cetera.
    • Re:Problems... (Score:3, Interesting)

      by Cinematique ( 167333 ) *
      I was going to add this to the end of my submission, but I decided to let someone else bring up this very point. While it is true that Microsoft's software is not to be used in life-critical applications, think on a lower scale.

      What about the colleges that need to hire extra support personnel to fix infected Windows computers? What about the networks that are brought to a crawl by worms and Internet related viruses? What about the kids that have their term paper ruined because Word crashed?

      Sure, blame the
  • ...the 9th circus of appeals...
  • ... focused on Security, a great deal of public information on the subject, influence with a wide array of standards bodies and a published strategy covering the topic I'm guessing that this will be a tough case to win in a court.
  • by notcreative ( 623238 ) on Thursday October 02, 2003 @05:28PM (#7118574) Journal

    What are the costs to the user when software vendors are held to the same reliability standards as auto makers?

    Should there be differentiation between operating system stability and application stability?

    What responsibility does the user have for securing their own property?

    How will different countries answer these questions, and what is the implication for US software vendors if there are 80 separate standards of culpability for an operating system?

    And since I should have at least one answer, the speed of light is slower in materials with a higher index of refraction.

  • Oh boy.... (Score:2, Insightful)

    by zapp ( 201236 )
    Should Microsoft's software be treated any differently than, say, automobiles?

    Que all the "If your car was designed by Microsoft" jokes. It would crash every day, you wouldn't be able to open the hood, blah blah blah, shut up people.

    Seriously though, I think that not just Microsoft, but all "critical" level systems should be held accountable. Obviously machinery for hospitals are held accountable - if an XRay machine overdoses a patient with radiation and kills them you better believe the manufacturer is
    • and yes - it should be held accountable if infact it causes the customers conciderable financial (or health, or whatever) damage.


      Only if there's negligence. I could get killed by choking on a Twinkie, but Twinkie wasn't negligent. If MS can show that they do their best to make an exceedingly complicated secure, AND they say "hey, this may not be 100% secure", then they're pretty much covered. Accidents happen. I really doubt that there are people as MS who say, "Hey, I know... let's make this product
  • by borgheron ( 172546 ) on Thursday October 02, 2003 @05:28PM (#7118578) Homepage Journal
    Any ruling making Microsoft liable could be used by the legal system as a precendent to make ALL software companies and/or individuals who produce software *personally* liable damages arising from use. This may look like a "we've got 'em now" scenario, but it might come back to bit us.

    Later, GJC
  • Can any motivated and talented enough 16-year-old car theif break into your car and steal it? Probably, the answer is yes. Sufficiently motivated people can find ways around security. What do you do if you own a car that you don't want stolen? Buy an alarm system and have it installed. Similarly, you buy a firewall and antivirus and install that on Windows.

  • by Anonymous Coward
    If you wish for them to be held liable, remember it's only fair that Apple, or even Linus be held liable as well when Linux or OSX get's hacked (and don't even mention that it could never happen - it already has, many times). Anything else would be hyposcrisy.
  • as much as i think their products are crap, i don't like lawsuits. it's simply legal lottery. when they violated anti-trust laws, nail 'em to the wall. but this is really asinine. last time i checked, they never marketed windows with security being one of the features. if they purposely left holes in their software, then go after them. go after the people who made the decision. negligence is punishable. incompetence shouldn't be. just don't buy their crap. i realize the option isn't there for desk
  • Of course it should, they're different things.
  • Car manufacturers must make their cars safe because there are already laws in place that apply to everyone. You can't all of a sudden decide to pick on one companies' product. They are not breaking any existing regulations, and so they shouldn't be held liable. Moreover, they could certainly claim that they did not intend for their product to be insecure, so they had no malicious intent. Lastly, they can always play the end-user license card.
  • Poor Gabe (Score:2, Informative)

    Gabe Newell - Founder/Managing Director

    Gabe held a number of positions in the Systems, Applications, and Advanced Technology divisions during his 13 years at Microsoft. His responsibilities included running program management for the first two releases of Windows, starting the company's multimedia division, and, most recently, leading the company's efforts on the Information Highway PC. His most significant contribution to Half-Life was his statement "C'mon, people, you can't show the player a really big

  • by ThogScully ( 589935 ) <neilsd@neilschelly.com> on Thursday October 02, 2003 @05:31PM (#7118626) Homepage
    I'm up for some MS-bashing as much as the next slashdotter, but this isn't the way to beat Microsoft or get them to release secure code.

    Capitalism holds the answer - provide a better alternative that takes away their market share forcing them to improve or be left behind. With them being a monopoly, this problem is far greater in difficulty, but progress is always being made. Free software is getting viably close to many of the roles that many people use Windows for.

    I'd rather wait for that to happen than have another frivolous lawsuit like this. I'll feel better about the successs of better software all around if MS gets to be better because of competition from free software getting better.
    -N
    • Capitalism is how they got where they are. This is imbecilic.
      • That's true, I admit... but the market is supposed to level itself out. I don't personally believe monopolies are inherently bad until abused. Once they're abused, you're in a position like the software world where Microsoft dominates and can stand in the way of real innovation and anything that would unseat their power.

        If they didn't abuse their monopoly why proprietary standards (like office suite file formats for example) and didn't pressure manufactures (both hardware and software) to only support Wi
  • Interesting Case (Score:5, Interesting)

    by pavon ( 30274 ) on Thursday October 02, 2003 @05:32PM (#7118642)
    At first I though that this could be a very interesting case for many points. But its central argument appears to be poorly constructed. They are suing microsoft because their monopoly makes their insecurity a bigger problem. I'm all in agreement with the "monoculture is bad" argument for many reasons, but you can't sue someone for being a monopoly, or for the bad effects being a monopoly. Companies can only be held accountable for leveraging a monopoly, and this case has already been heard and decided on. The fact that we know more bad stuff that can happen because of their monopoly does not provide any more evidence that they are indeed leveraging their monopoly, so why do they think bringing them to court again over the same issues will result in a different ruling. Do they really think they have more resources and motivation to pursue this than the US and state governments combined?

    The other two claims are the interesting ones. Can software writers be held accountable for damages caused by flaws in their software? Even if they put an "anti-warrantee" in their license? (I hope not) Are click-through licenses agreements valid in this case? These are all question that would have to be asked.
  • Negligence (Score:3, Insightful)

    by Ogrez ( 546269 ) on Thursday October 02, 2003 @05:33PM (#7118645)
    No matter what the EULA, or any warranty, expressed or implied states, the only proof needed to hold sofware makers responsible for their creations is to prove that the software was vulnerable due to negligence on the manufacturers part. There are many states and possibly even US law that dictates that you cannot disclaim responsibility due to negligence...

    Oh yeah.. AIANAL...
  • ..you should ditch what you are using, no matter how convinient it is..

    the story on shacknews for example on how valve got trojaned.. why on earth did they keep using software they knew was suspectible to be trojaned? or kept using webmail that was compromised(why did they use webmail, and outlook, in the first place is beyond me too if they really were trying to keep a lid on things, they're quite awful to trust)?

    **Shortly afterwards my machine started acting weird (right-clicking on executables would cr
    • Re:sometimes.. (Score:4, Insightful)

      by Muggins the Mad ( 27719 ) on Thursday October 02, 2003 @06:32PM (#7119217)
      > the story on shacknews for example on how valve got trojaned..
      > why on earth did they keep using software they knew was suspectible to be trojaned?

      To me, this is the place responsibility needs to lie. It's the people who choose systems that are *known* to be bad for important things. Find the forces that "made" them use Outlook and there is a first line of blame.

      If a power plant uses MS Windows or Linux for a critical system and it blows up, it's the person who made that call who should be held mostly responsible due to negligence.

      If manufacturers are making claims that their systems are secure, or are useable for critical work, then that's probably a case of false advertising and should be dealt with as such.

      Valve should be looking to see if its own staff were negligent first. Who was responsible for choosing a known bad, internet connected, system for storing very important data?

      Just the same as if I left a printout of the source code in the local pub by accident. If it was an Outlook exploit, then I don't see this as any different fundamentally.

      If you have a multi-million dollar asset, you should put some effort into protecting it. Not blame HP for letting you print it out and leave it in the pub.

      If I was working on the source for Doom 4, you can be damned sure I wouldn't keep it on my internet connected debian box.

      - Muggins the Mad
  • They're claiming that releasing a security fix is "unfair competition." The people sueing don't want Microsoft to release security fixes at all...

    What kind of crap is that?

    • Its the kind of crap I've come to expect from companies that dont want to compete but just want the governemnt to hand them market share. Its the kibs of all those parents who sued the schools becuase they (the kids) where getting bad grades. The've grown up and expect the same kind of treatment from the real world. The sad part is they may get it.
  • Fit for purpose? (Score:5, Insightful)

    by samj ( 115984 ) * <samj@samj.net> on Thursday October 02, 2003 @05:38PM (#7118713) Homepage
    Here in Australia we take things into account like the price of the goods and the purpose for which they were intended. You're not, for example, going to have much luck suing someone over those $2 scissors you were using to conduct major surgery, but you may succeed with the $200 surgical variety.

    Now if MS were happy charging a reasonable (given the price of hardware, say, $100 - 10% of a machine's value rather than $1500 and 150%!) price for their software, and weren't running around trying to force their way into everything with a processor [slashdot.org] then they'd probably be safer from such claims than they are now.
  • Consider this.... (Score:5, Interesting)

    by thewiz ( 24994 ) on Thursday October 02, 2003 @05:39PM (#7118720)
    Back in the 1980s, a Japanese worker was killed by a robot on an assembly line due to a software failure. And robot control systems are very throughly tested before a new model of robot is released. Microsoft is trying to muscle their way into the embedded marketplace; do you want software that has plenty of known defects/security issues running your robot?

    • > Back in the 1980s, a Japanese worker was killed by a robot on an assembly line due to a software failure. And robot control systems are very throughly tested before a new model of robot is released. Microsoft is trying to muscle their way into the embedded marketplace; do you want software that has plenty of known defects/security issues running your robot?

      At least with a MS-controlled robot you can hope it BSODs before it crushes you in a beserk rampage.

  • No (Score:2, Troll)

    by nate nice ( 672391 )
    It shouldn't be held to the same liabilities as an automobile. An automobile has the potential to hurt or kill people in it if it has defects. It is the responsibility of the auto company to make sure their cars will not hurt people due to their engineering flaws. In the case of Windows, no one is stopping you from using another operating system if theirs is not stable enough for your use. I think you should be able to get a refund if their software doesn't do what it says it can and then move to Linux,
    • Re:No (Score:5, Insightful)

      by fajoli ( 181454 ) on Thursday October 02, 2003 @06:13PM (#7119040)
      It shouldn't be held to the same liabilities as an automobile. An automobile has the potential to hurt or kill people in it if it has defects. It is the responsibility of the auto company to make sure their cars will not hurt people due to their engineering flaws. In the case of Windows, no one is stopping you from using another operating system if theirs is not stable enough for your use. I think you should be able to get a refund if their software doesn't do what it says it can and then move to Linux, OS X or whatever else you would like to use. Suing MS for bad software is like saying you cannot use something else. I use something else so why can't California?

      Yet automobile manufacturers are also sued for nonhazardous situations. I think Toyota was sued for premature engine failure due to sludge build-up. I think suing Microsoft is more in line with this thinking.

      Using your logic, there is no expectation of fitness for use for software at all. You can have all the features in the world. Just don't expect to use them.

      'Use something else,' you say. How would you like your car "Microsoft" dealer to tell you that after you discover your car is a lemon? Oh, by the way, all the other manufacturers cars don't work on Microsoft Roads. And there is no refund.
  • Not Secure? Your kidding me? My Microsoft consultant told me those were features not security exploits!
  • by kaan ( 88626 ) on Thursday October 02, 2003 @05:42PM (#7118750)
    From the article: "Microsoft's eclipsing dominance in desktop software has created a global security risk," the lawsuit filed in Los Angeles said. "As a result of Microsoft's concerted effort to strengthen and expand its monopolies by tightly integrating applications with its operating system ... the world's computer networks are now susceptible to massive, cascading failure."

    I think the above statement is pretty interesting. What it says (to me) is that the issue isn't that there are bugs or security problems with Microsoft products, nor is the issue that Microsoft dominates (or weighs heavily in) many software markets. The issue seems to be that Microsoft does both of these things, which results in a ubiquitous and totally insecure majority around the world.

    This reminds me of the general pattern where Microsoft is busted for doing something that another company did first or is also guilty of. The non-Microsoft instance (could be a small company, or a large company with a small component) can usually can get away with it because of scale, whereas Microsoft cannot since it's on such a large scale that everyone notices and cannot ignore it. One of many examples is the "OS integrated with the browser" war. Nobody gave a shit when IBM shipped OS/2 warp with built-in browser support even though in principle it was the same thing Microsoft did with Internet Explorer. IBM's reach was minimal with OS/2, so it was rather irrelevant what they did. Not so with Microsoft.

    So is this class-action suit setting a precedent that bugs in your software will lead to lawsuits? I don't think so. I also don't think it claims that being a gigantic, far-reaching company is bad. Just don't mix the two, or the wolves will come after you.
  • Should Microsoft's software be treated any differently than, say, automobiles?"

    If your 1974 Pinto explodes, then whose fault it is, depends on when the event occurs. If you get blown up in a Pinto in 1974, it's Ford's fault. If you get blown up in a 1974 Pinto in 2003, it is your fault.

    If you experience loss due to Windows' flakiness in 1990, it is Microsoft's fault. If you experience loss due to Windows' flakiness in 2003, it is your fault.

    Don't buy something that is infamous for being a piece of

  • Should anyone's software be treated differently from the auto industry?

    I figure when MS can start charging $20,000 per OS license, then maybe we can expect bullet proof software safety. The kind of engineering required to give some kind of guarantee or waranty against "bad things" that these people are expecting would cause the cost of software to be prohibitive. Heck it may not even be possible if the software is complex enough. At some point you have to say well we've gotten it as hardened as is feasi
  • by Bitmanhome ( 254112 ) <bitman@pob[ ]com ['ox.' in gap]> on Thursday October 02, 2003 @05:51PM (#7118835)
    All software sold today is sold as unsuitable for any purpose. It says that, right in the license. So claiming your software is insecure is moot; you didn't buy secure software. You just bought some crap off the shelf and expected it to meet your needs. It didn't; and nobody's surprised.

    But this case is even worse than that -- It involves Microsoft's ware, which is known to be insecure. It's in the news every single day. Trusting your corporate secrets to of-the-shelf software is just stupid, doubly so for MS ware.
  • to link their trustworthy computing platform to the security overflow issues...C'mon meatheads, one has very little to do with the other. The trust wrothy computing crap will cover locking the user out of their own PC. The security holes almost exclusivly derive from their STUPID decision to 'mingle' the code from IE and the local file explorer. The locl file handles had years of secure testing while the internet call were coded by nitwits on the fly after 27 hours of caffienated creativity. They work usual
  • by globalar ( 669767 ) on Thursday October 02, 2003 @05:53PM (#7118857) Homepage
    Firstly, software is your choice. Your complaints about MS software may be worthy of attention. However, you chose to use MS. And now that this is /., we all know there are alternatives. You can buy them on the Internet and even in some stores.

    "The lawsuit, which was filed on Tuesday in Los Angeles Superior Court, also claims that Microsoft's security warnings are too complex to be understood by the general public and serve instead to tip off "fast-moving" hackers on how to exploit flaws in its operating system."

    If you cannot interpret the information MS provides you, there are thousands of web pages and forums to help you. These are free as well. There are services which you can contract to do the work for you. Using computers has a cost. Using machines connected to the Internet has a cost. It is not the fault of MS that someone exploited the OS. They were irresponsible for leaving the vulnerabilities there, but unless you want to make the claim that they intentionally attempted to provide you with an insecure OS, then I do not understand the argument. XP does not say on the box "hack-proof: Try It!".

    I have a little idea:

    Software that directly controls physical devices (automobiles for example) which are themselves regulated should be held accountable to similar standards as the device which the software controls. They should be legally linked.

    Software that does word processing, serves web pages, browses the Internet, sends email, etc. would not fall into this trap. We have disclaimers on lots of things saying don't use x with y or p as a q. So mark your software accordingly.

  • "Should Microsoft's software be treated any differently than, say, automobiles?"

    I've never been physically injured from a PC crash.
  • by A_Non_Moose ( 413034 ) on Thursday October 02, 2003 @05:58PM (#7118904) Homepage Journal
    well, for the joke that sprang to mind immediatly:

    It goes;
    A Mechanical Engineer, Marketer and Programmer were driving in the mountains, when the car's brakes failed and they crashed into one of the breakdown barriers (big mounds of gravel to stop trucks).

    The Mechanical Engineers says, "I will look under the car and determine why the brakes failed, and how to fix it so it does not happen again".

    The Marketers says, "I've got to tell the car company, so that word can get out if this needs to be a recall notice".

    The Engineer and Markerter look at the Programmer who says, "I think we should push it back up the hill and see if we can get it to crash again".

    Think about it... this seems very close to Microsoft's Mentality: all windows users are crash test dummies.

    Case(s) in point: The remote code execution in Windows Media Player that allowed content to be executed (similar to the MIDI flaw in dx9.0a and below) was fixed in 6.x versions and re-opened in subsequent versions, not once, but at least 3 times!

    The RPC vulnerability wasn't fixed until the second time, hence the need for *another* patch because Microsoft had not FIXED the vulnerability, just enough to protect against the first exploit.
    (little dutch boy story ring a bell, mr pavalov?)

    And their strategy for integrating everything into the OS is actually driving XP users back to 98se.
    Yes, 98se where the IM client, browser, outlook express, media player, passport and another half dozen things aren't integrated into the OS (as proven by 98lite).

    Why?

    It *annoys* the piss out of people.

    Wonder why?
  • No (Score:2, Interesting)

    by plj ( 673710 )
    Should Microsoft's software be treated any differently than, say, automobiles?

    No, it shouldn't. This would perhaps slow down software development a bit, but commercial software manufacturers should have similar responsibility over their products like any other industry.

    Like our (Finnish) Product Responsibility Law points out (not literally but practically): "Manufacturer must repair manufacturing defects, whether the product still has warranty time left or not, or give a full refund." This should mean: "
  • by ewhac ( 5844 ) on Thursday October 02, 2003 @06:00PM (#7118917) Homepage Journal

    Though I am adamantly opposed to shrinkwrap "licenses," the one thing they do that I happen to agree with is the disclaimer of liability.

    Writing solid software is hard. Writing solid software to run on cheap, unreliable hardware is even harder. Though we ridicule software vendors, crashing software is a fact of life. One day, new technologies or engineering practices may appear to make writing reliable software easier, or to allow the user to "reverse" the machine back to the last known good state so they can at least save their work. But for now, software is flaky and, undesireable though it may be, users need to plan appropriately.

    That said, however, I believe there should be an exemption to the liability shield. Off the top of my head, the following factors should be considered to determine if liability should apply:

    • The scale of the failure (millions of compromised machines versus one guy's pr0n collection);
    • The vendor's demonstrated history of design/product flaws at first release;
    • The vendor's demonstrated history of correcting design/product flaws after release.

    The scale of each factor would be weighed to determine whether the software vendor should suffer liability. This standard should be set fairly high. If a company is consistently pro-active in correcting bugs, releasing patches, and informing users; or the failures are comparatively minor; or their products exhibit failures on a comparatively rare basis -- in other words, if they are clearly a good, conscientious citizen of the computing community -- then the vendor should escape liability. OTOH, if a company can be shown to persistently use flawed methodologies and designs, and they regularly ignore bug reports until the excrement hits the rotary impeller, and the bug can cause widespread havoc, then the vendor should be exposed to liability.

    Needless to say, Microsoft's 25-year history of releasing junk and not giving a $#!+ about it should be a reasonable foundation for a liability suit.

    Schwab

  • by Anthony Boyd ( 242971 ) on Thursday October 02, 2003 @06:03PM (#7118943) Homepage

    I put out some free Perl & PHP code [outshine.com], and planned to release some more next week. But I partly rely on the BSD license to protect me from liability. What does this case mean for someone like me? While I think I'm such a good programmer that eventually my code will be super-tight, I know I'm a poor enough programmer that it will take many iterations and bug reports to get there. Should I only release code when I'm certain no security issues exist (which probably means I'd never release stuff)?

  • OpenBSD: Only one remote hole in the default install, in more than 7 years!
    Microsoft: Where do you want to go today?

    All this time, I thought Microsoft was talking to their customers when they were really talking to the hackers and script kiddies.
  • by JavaSavant ( 579820 ) on Thursday October 02, 2003 @06:06PM (#7118968) Homepage
    ...and the businesses that use their software were coastal Alaska, does the sea life have to clean the oil off the shore every time one of Microsoft's products is exploited for it's insecurity? Why is a software company treated any differently than an energy company when something happens that involves their product and harms it's surrounding environment? It's about time a law suit like this came around.
  • by dstone ( 191334 ) on Thursday October 02, 2003 @06:22PM (#7119114) Homepage
    This man speaks the truth: "if I were on life-support, I'd rather have it run by a Gameboy than a Windows box"
    -- Cliff Wells, 2002.03.13, in comp.lang.python (original UseNet article [google.ca])
  • by isaac ( 2852 ) on Thursday October 02, 2003 @06:29PM (#7119189)
    Some claims in this lawsuit seem to be predicated on a particular California data-protection statute. However, I think the real elephant in the room is the question of EULA disclaimers of liability, and the enforceability of EULAs in general.

    There's a principle codified in the Uniform Commercial Code that a product that is sold by a merchant (i.e. one whose primary business is involved in selling products of the given type) must be "merchantible," meaning "fit for the ordinary purposes for which such goods are used." UCC sec. 2-314. This is called the implied warranty of merchantibility. It may be explicitly disclaimed in a written contract (and every EULA includes a term disclaiming express and implied warranties of merchantibility).

    Here's the rub: retail software sales are clearly sales. When you go to the store and buy a pc preloaded with MS Windows,or even a boxed copy of windows, you are not presented with a contract at the time of sale. You pay your money and leave with a box - clearly a sale. Only when you boot up your new computer for the first time, or install your new OS do you have these new non-negotiable terms sprung on you without your approval or consent.

    First - a "take-it-or-leave-it" contract like a EULA purports to be is called a contract of adhesion. These contracts are enforceable, but courts are generally inclined to take a close look at adhesion contracts where one party has disproportionate power over the other.

    Second - In the real world, one party may not unilaterally add to or amend a contract, or impose terms on a sale, without the consent of the other party. (They can try, but the new terms will not be enforceable in court.) "Aha", says Microsoft, "but you agreed! You clicked 'I agree.'" Well, wait a second - what are your alternatives? If you bought a boxed copy of windows, the retailer will not, as a matter of policy, accept a return. So basically Microsoft (and every other commercial software vendor) is saying to you "We already have your money. You're not getting it back. Now agree to these additional terms or get bent." I rather suspect a court, even an extremely conservative one, would take a dim view of this arrangement. (except in Virginia and Maryland, the two UCITA states where click-wrap EULAs are explicitly enforceable.)

    And since we're on the topic of adhesion contracts and Microsoft, how about the additional terms they add when you use Windows Update to fix new vulnerabilities? Talk about strongarm tactics - "either accept these new terms or accept that this software which we sold,er,licensed you with network capability (but of course we claimed it was fit for no purpose at all) is no longer suitable for its advertised purpose." Bite me. That's not duress, but it's it's damn sleazy.

    </RANT> Whew. I'm not a lawyer, and none of this is legal advice, of course.

    -Isaac

  • by The Fink ( 300855 ) <slashdot@diffidence.org> on Thursday October 02, 2003 @07:43PM (#7119758) Homepage
    (Disclaimer: I am
    not a Microsoft sympathiser. I'll use whatever's best - most cost effective, reliable, whatever else defines "best" at the specific point in time, often the customer - for a given task. Sometimes, that's Windows, oftentimes not. Also, I'm no lawyer.)
    As much as I'm pissed off at the most recent vulnerabilities and the problems that they've caused, I see this lawsuit as causing massive problems for the entire industry, including the open source crowd.

    Should this class action go through the courts and succeed, it sets a hell of a precedent. Specifically, it implies that software should be thoroughly engineered and reasonably defect-free prior to release, with no damaging defects at the point of release. It essentially also says that releasing patches after the fact is not good enough (and that it's not the customer's responsibility to apply them), which causes two minefields I'll try and touch on later.

    Trying to enforce defect-free software is a great idea - except that, as we all know, software exhibits weak-link behaviour, and that in turn suggests that you'd need to get rid of 100% of defects to be absolutely certain that no damaging defects exist. You can't over-engineer software in the way you can, say, a building, to protect against potentially damaging structural defects. Oftentimes, over-engineering software makes it more prone to the kind of defect that makes the software useless.

    This precedent I percieve in turn means that the open source community - specifically, the people "managing" a given software project - are open to the same kind of litigation as, well, Microsoft are facing. I sure as hell don't want to be sued because my software's not perfect...

    As for basically disregarding patches, well, that raises one major issue: it makes the vendor responsible for deploying those, which in turn either requires a "returns" policy on software (unworkable!), or requires that they have the ability to deploy software (privacy issues).

    In short, this disquiets me. While I've been waiting for this kind of legal action to happen for a while, and in the long term it'll probably lead to much more reliable, much better software, I don't think the software industry as a whole is really ready for this kind of thing yet. Frankly, we still suck at making reliable software, and that's not just something Microsoft can take the hit for...

    • as we all know, software exhibits weak-link behaviour, and that in turn suggests that you'd need to get rid of 100% of defects to be absolutely certain that no damaging defects exist.

      No. Actually, some of us aren't ignorant, and know what a microkernel is.

      This precedent I percieve in turn means that the open source community - specifically, the people "managing" a given software project - are open to the same kind of litigation as, well, Microsoft are facing. I sure as hell don't want to be sued becaus

  • by Breakerofthings ( 321914 ) on Thursday October 02, 2003 @08:46PM (#7120204)
    If they can obtain a judgement against M$ for shitty software, then that means that the standard waiver of liability in the EULA is not enforceable, which likely means that the similar waiver of liability in the GPL, etc. is not enforceable, which means that you and I could potentially find ourselves in the same position for something we gave away for free, not to mention the effect it would have on those who run mom-and-pop software shops.

    There is a mechanism in place to pressure M$ (and all of us) to ensure product quality: competition.

    I think that Windows sucks; but Windows 2000 sucks quite a bit less than 98 did; It seems that M$ has taken notice of the alternatives, and is beginning to come around in terms of security and quality of their software (not saying that they don't have a long way to go, still) presumably due to market pressure.

    Besides, look at it this way: I hate Windows because it sucks; If/when M$ improves the quality of their OS (and other software), don't we all win?

    I am a Linux fan; but if M$ produces a product that is truly an attractive alternative, from both quality and price standpoints, I am not going to ignore it because of some "religious" viewpoint. (Nor will I bother myself with Windows until they do).

    The point is, this is a textbook example of a situation where the govmint should keep out of it, and let capitalism/competition work things out naturally. People are just beginning to be exposed to Linux (and others) as real alternatives; M$ will naturally have to improve, or die.
  • If you're a monopoly, then the government should be setting some special rules for you to abide by. A sort of guarantee of quality of service, I believe. Utility companies, for example, can't behave in the same manner as shoe manufacturers because you can always buy a different brand of shoes. But the local electric company has to run its business according to some government standards, since consumers have little choice but to use that company's electric service (I'm ignoring the differences between electric suppliers and the company that delivers it, which could be two different companies).

    Which takes us to Microsoft. They've been declared a monopoly by the US government, so they really do need to get a different set of rules to follow in the areas where MS is a monopoly (web browser, desktop OS, and perhaps office suite). I know you're probably thinking that there are other choices, but for most people, using an alternate OS is akin to building a windmill for your power supply - not for the average consumer.

    The electric company has to maintain a certain quality of service. A city block can't go without power for two weeks, and we can expect to not experience wildly fluctuating power levels coming out of our outlets. Likewise, MS, as a monopoly, needs to supply a product that doesn't put us at higher risk than, say, one of the many competitors the company has illegally muscled out of the industry. Sure, it sounds tough, but MS brought this on itself, and it isn't nearly as tough as the challenges it put forth to all its former competitors.
  • by avandesande ( 143899 ) on Friday October 03, 2003 @08:12AM (#7122984) Journal
    30s? Business computing is only a decade or two old... It is still very experimental. I think people that incorporate computers into their business systems should expect to take a few arrows.

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...