Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

[P]
Government to Force Microsoft to Clean Up Security Holes?

By Dragomire in Technology
Thu Jun 27, 2002 at 04:22:44 PM EST
Tags: Security (all tags)
Security

Reuters is reporting in this article that new proposed legislation would put software developers at the same liability risks of other types of manufacturers. The legislation, which has yet to be written and brought forth for voting, would make software companies liable for security holes within their software.

The first company on the list, should this legislation be created and approved? Microsoft.


Software developers have had it easy, comparatively speaking, than the manufacturers of hardware, or other more tangible items. Car manufacturers are held liable for defects in their automobiles; tire manufacturers are held liable for defects in their tires; toy manufacturers are held liable if they don't place warning labels about choking hazards, or if they make a toy that is actually harmful; etc. Yet software developers have lived behind a shield of no-liability that has protected them from any financial retribution, even if their software is faulty, damages computers it is installed on, or has such blatant security holes that a 12 year old with some HTML knowledge can effectively wipe out someone's hard drive.

Recently, however, a growing number of people both in the software industry, and the judicial system, are beginning to voice opinions that software companies should be just as liable as Firestone, Ford, or Kenner. Many people who use products on their PCs know of things like patches, updates, and security fixes. If you use Windows, it can seem to be a daily occurrence to download the newest security patches for Internet Explorer, Outlook/Outlook Express, Windows itself, etc. And many of us, myself included, simply click the update button and hope that it won't mess our computer up when it "fixes" the problems.

Why now?

It would seem that some people are beginning to get the hint that software developers have become lazy in some respects. Nowhere can this seem more true than in PC gaming, where patches are sometimes required to be downloaded the day a game hits store shelves...patches which should have been in the game to begin with, or fix problems that should have been found in quality assurance and testing. But it also seems that people have begun to grow unhappy with the fact that software developers can release software without it being ready for use.

Why Microsoft?

Microsoft is seen as the deep pocket target of this legislation. But, it isn't exactly unfounded, nor is it unfair to target the monopolistic software giant in this legislation.

Security...

Up until recently, Microsoft has pretty much not done anything about the gigantic security holes in its Windows operating system (OS), it's Internet browser, or it's e-mail programs. It seems the company waits for a security hole to be discovered, and then releases a patch to "fix" the problem, and takes no responsibility if someone's entire computer is compromised. If some reports are to be believed, the company already knows about many of these problems before they release the programs into the marketplace. Supposedly Windows 2000 was released with 20,000 bugs and security holes already known to Microsoft, and yet the software giant released the OS to the market anyway.

Or Lack Thereof.

Some industry people think that Microsoft uses a litmus test of sorts to see where things should be worked on. These people say that security in Microsoft programs is the part of the test that gets the least attention. The odd thing is, the litmus test isn't for the good of the public and commercial users, but for profitability. Security, it seems, is simply not profitable to Microsoft.

Take, for example that 99% of the computer viruses in the world only attack one OS: Windows. These same viruses really only spread to and from, and attack one e-mail program: Microsoft Outlook/Outlook Express. Some people would say that the large amount of viruses attacking Windows is because of its dominance in the computer OS market. It's more accurate to say that they attack Windows because it lacks even the most basic of security in the OS, and in any and all Microsoft suites and programs.

Outlook, for example, can run a virus without you even opening the e-mail, or any attachments it may have, in many cases simply downloading the infected email from your mail server allows the virus to go to work. If the virus is encoded in HTML, Outlook lets the HTML through without any filter, and lets malicious code run directly from the e-mail to your computer by even just clicking on the e-mail to delete it because it automatically opens the email when clicked. Internet Explorer also allows HTML codes to automatically run, unless you specifically tell it not to (something most normal users don't know how to do), which means viruses can be encoded into web pages as well. The OS allows for important files to be overwritten by any program that wants to do so, without letting the user know. And many of the files and file extensions that programs like Outlook use, are also used by Word, Excel, and other applications published by Microsoft, which means if a virus infects one of the programs, it can, and normally does, infect them all.

There have been so many Microsoft Outlook viruses that many of them are not even considered news worthy anymore. And yes, they are all Microsoft Outlook viruses, not generic computer viruses, like Microsoft would like you to believe, since they all affect, run through, and use only Outlook and Outlook Express as their spreading techniques. You have to hand it to Microsoft in deflecting that bit of bad PR by having the media call them computer viruses instead of Microsoft Outlook viruses, imagine what people would think of Microsoft products if these viruses were labeled as they should be?

When these viruses deliver their payload, it can sometimes be as annoying as pop-up windows, or as damaging as the complete formatting, and subsequent loss of data, of the hard disk drive of the computer. When this happens, the receiver of the payload currently has no recourse to get any sort of compensation from Microsoft about it. It doesn't matter if the virus was disguised in an MS Word file, sent to and received by a MS Outlook e-mail program, and used Windows to destroy itself; right now, this isn't Microsoft's fault. Or, at least, Microsoft isn't liable for any damages caused by their lack of security features in their programs.

The Possible Future

If this new legislation is made, then companies like Microsoft are in for a very large eye opener. Of course Microsoft, and other companies, will lobby and throw money around to try and ensure legislation that makes them liable for damages done by security holes never gets past the planning stages, but they can't be sure that that will work.

Analysts say putting a dollar amount on the liability that Microsoft could face is hard to do, but since Microsoft is expected to have around $50 billion in cash reserves and short term investments by June 30, 2001, they would be one of the biggest targets of class action lawsuits. Even if Microsoft was found liable under the new legislation, and forced to pay out just $100 to every person who has been hit with a Microsoft Outlook virus, the money paid out could get into the billions. And that doesn't account for companies that end up losing actual money because of malicious code running through the truck sized holes in Microsoft products, that would be even more money.

So could this new legislation destroy Microsoft? Doubtful. But it could force Microsoft, and other companies, to actually look at the security features they do have, and the holes that they also have, and try to fix them before they become a problem for end users. It's not like hackers and people who write viruses create the security holes, they simply exploit them when they find them. And in Microsoft's case, they have lots of security holes to exploit. Perhaps Microsoft Windows XP Version 26 OSR 37, will actually be more secure than the current versions of the Windows operating systems. If this legislation is made, Microsoft had better hope so.

This legislation won't make programs like Norton's Anti-Virus or MacAfee Anti-Virus obsolete, or unusable; after all there are some security holes that are probably honestly not seen. But if Windows 2000 was released with 20,000 known bugs and security holes, then Microsoft is the one to blame, and should be held liable for any damages doen from the exploitation of those security holes.

Sponsors

Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure

Login

Poll
Should software companies be held liable for security holes?
o Yes, especially if known about before release. 28%
o Depedning on the circumstances yes or no. 49%
o No, people will find ways to exploit things no matter how hard companies try and stop them. 22%

Votes: 89
Results | Other Polls

Related Links
o article
o Microsoft
o Also by Dragomire


Display: Sort:
Government to Force Microsoft to Clean Up Security Holes? | 102 comments (81 topical, 21 editorial, 0 hidden)
I love stories like this (4.82 / 28) (#1)
by psychologist on Thu Jun 27, 2002 at 04:20:54 AM EST

You are like samson - you kill yourself while trying to destroy your enemy.

Don' you see what this legislation will do? It will completely destroy the small software developer. At the moment, everybody can simply code some shareware application, and release it to the public. Often, there is no money to test rigolously.

If this legislation is passed, and you make this developer liable, then just 2 bugs, and his company is sued out of business.

I hope you will be happy then. Because after this legislation has been around for a while, the only entities still making money from software will be huge companies with huge cash reserves. Like Microsoft.

Not only that (4.81 / 16) (#4)
by paine in the ass on Thu Jun 27, 2002 at 04:39:37 AM EST

It'll be deadly for Free Software in general. The "No warranty" clause of the GPL is a beautiful thing...and if anyone thinks that no open-source/Free Software developers would get hit by liability claims, they need to think again.

But then, that's one reason why the FSF is so dead-set against UCITA, isn't it? How odd that Stallman and Gates might have to get on the same side of an issue if software liability gains any serious headway.


I will dress in bright and cheery colors, and so throw my enemies into confusion.
[ Parent ]

if Gates is smart (3.75 / 4) (#54)
by speek on Thu Jun 27, 2002 at 04:40:57 PM EST

He'll put every ounce of weight he can into getting this passed.

--
He who can copy, can do - Da Vinci
[ Parent ]

No. (4.50 / 2) (#65)
by paine in the ass on Thu Jun 27, 2002 at 08:07:50 PM EST

Bill won't do much of anything; he doesn't wield that kind of power, he's mostly a figurehead and a mouthpiece these days. Ballmer/MS, however, should fight for UCITA with everything they've got; it implements a wonderful system tthat lets them off scot-free and cripples Free Software.


I will dress in bright and cheery colors, and so throw my enemies into confusion.
[ Parent ]

I think it'd be suicidal (3.66 / 3) (#79)
by ishark on Fri Jun 28, 2002 at 04:08:08 AM EST

Honestly, I think this would be suicidal for Microsoft or any other big corp. I mean, suing out of existence the author of some utility may be nice for a big company which wants to get rid of a "competitor", but lawsuits tend to be aimed at people with money. A company looking for damages has more interest in suing Microsoft than an obscure free software programmer.

What is true is that it would integrate very well with Palladium in becoming a MS killer. I mean, you have a machine which can ONLY run certified software. If it goes bang then it can't be the fault of the user.... And MS has $10^n+1 in the bank :)

[ Parent ]

I don't agree (4.00 / 2) (#35)
by ishark on Thu Jun 27, 2002 at 11:32:03 AM EST

I think that you are overestimating the problem. If a big guy wants to kill the small developer they can already do it: just the cost of the lawsuit will sink a small company.

Also, I've some trouble understanding how free software would be affected (shareware, I don't know). If I offer a brick as a present to a friend and he lets it fall on his foot, it's not like I'll be liable for giving him a brick.... For free software it's even worse: if I put it on my website, it's not even like I'm giving it to someone, but it's THEM taking it without me even knowing. I really have some trouble understanding how I could be held responsible for that.

I mean, this would open up the possibility of me being liable for something you do: you take my car stereo (legally or not) without me knowing about it, you plug it in your car and it blows the entire electrical system. It's me being liable in this case? I put a recipe in a book, while cooking it you destroy your oven (maybe the scale of the temperature is different) and it's my fault? You borrow my notes for the physics course, fail the exam and it's my fault?

What should happen is that software for critical operations requires a certification. In that case you have liability of the developer (and the certification agency). If you use uncertified software you're on your own.

[ Parent ]

are you going to document? (4.00 / 1) (#55)
by speek on Thu Jun 27, 2002 at 04:44:23 PM EST

Is your app documented? Does your website say "get my latest release of XXXX here"? And, will your website describe what your software does? Will the download come with documentation explaining how to use your software?

If yes, you've probably done enough to convince a judge and jury that you intended it for use by others, and then it failed them in unexpected ways, causing damages, etc.

If no, then it's essentially invisible and no one will use it, hence you won't be sued. It's possible in this way that open-source would still exist as a sort of underground movement.

--
He who can copy, can do - Da Vinci
[ Parent ]

Good points (none / 0) (#78)
by ishark on Fri Jun 28, 2002 at 04:02:35 AM EST

Well, usually my apps are barely documented, but I get your point and I fear you may be right.

At the same time I think it would be possible to word thing in order to provide a "misled" impression. Going over your list, if I wanted to give the idea that I'm using the website just "for backup purposes" of my application, I'd probably document with a reference and not a HOWTO (reference I wrote for myself to remember the commands), not writing "get the latest version!" but just giving a list with archive names which include the date, and describing what I do with the application instead of suggesting what other people may do.

I don't know, I get the feeling that if someone really wants to sue me out of existence he'll probably be able anyway (my app will certainly infringe on someone's patent or on some law of some country). Sometime I'm happy that anything I write is so obscure or incomplete that I'll neve have to worry about this :)

[ Parent ]

yes (none / 0) (#82)
by speek on Fri Jun 28, 2002 at 08:50:19 AM EST

Writing software is so much more fun when there are no users.

--
what would be cool, is if there was like a bat signal for tombuck - [ Parent ]

Liabaility (3.50 / 2) (#71)
by X3nocide on Thu Jun 27, 2002 at 09:54:47 PM EST

Has liability cut out the small doctor? I've been told before that software is the only field you can make six figures in and not have to pay for malpractice or liability insurance. It seems that might be changing, and I don't see it as a problem.

I know of many small engineering firms that haven't been killed off by the introduction of liscencure. Obviously there are issues that are not the same and need to be ironed out, like GPL software and such, but I personally welcome a bug liability. Rememeber that Microsoft has the most to lose from this. Nobody wants to sue their vendor out of business, unless you've fucked up so bad that they've decided to cut their losses and switch. Which is part of the motivation behind these sorts of bills...

pwnguin.net
[ Parent ]

Spurious assumption (4.00 / 1) (#86)
by Rogerborg on Fri Jun 28, 2002 at 10:30:49 AM EST

    this legislation will [...] completely destroy the small software developer.

Not so, and I'll tell you why. It could not possibly work if it simply opened up developers to liability based on lost revenue. The whole point of software is that it increases productivity, i.e. the product produced with software is always going to be worth more than the cost of the software. On that basis, the first unlimited lawsuit against any software company for lost productivity would put them out of business. And software companies can't argue it any other way, otherwise they'd be effectively claiming that software is a waste of time and money.

Instead, we'd need a law that assigns reasonable and limited punitive fines for producing bad software. It would have to punish without destroying, to motivate better future behaviour without putting the vendor out of business. And so it would have to take vendor revenue into account.

I've posted this elsewhere, but I'll just recap that this means that a $10 billion fine on Microsoft would equate to a $100 fine on openBSD, given their respective revenues and record of bugs. And if you don't have any revenues, then there's simply no point in fining you. Giving away software means that you're not motivated by money, and so money can't be used as leverage against you. In other words, there's no valid reason or social benefit to punish philanthropy.

I do acknowledge that this presupposes a reasonble law that offers a stick to regulators rather than a carrot to litigators, but our elected representatives are actually fairly good at drawing these up (what with 50% of both Congress and Senate being members of the American Bar Association) given half a chance. Clangers like the DMCA and PATRIOT are the exception, not the rule. When they're drawing up a law that's not handed to them by a lobbyist (along with a fat "campaign contribution"), they do tend to get it right.


"Exterminate all rational thought." - W.S. Burroughs
[ Parent ]

The problem (none / 0) (#102)
by Cro Magnon on Tue Jul 02, 2002 at 05:35:42 PM EST

Is that Microsoft could probably handle a 10 billion dollar fine. Mandrake might go broke from a 20,000 dollar fine! I'm using Mandrake as an example because it's clearly a business (not sure about OBSD), and it's nowhere near as secure (but better than MS).
Information wants to be beer.
[ Parent ]
Software liability is nonsense (2.33 / 9) (#5)
by qpt on Thu Jun 27, 2002 at 05:15:54 AM EST

You will recall that every computer program can be expressed as a unique integer. Moreover, an integer is an abstract object. It is neither created nor destroyed, existing as it does outside of time and space.

Consequently, it is a bit odd to say that a computer program is designed Certainly, one may write a program, just as one might write out any integer, but the program (integer) is hardly one's creation, even if no one has ever happened to write out that integer before. The intellectual effort of computer programming is thus not directed at the creation of anything at all, but at the selection of a particular integer for a particular purpose.

Often, perhaps almost always, the incorrect integer is chosen. Such integers are termed "buggy programs," although this is a bit of a misnomer, since there is nothing wrong with the integer itself. It just happens to be the wrong one for a specific application. Software developers should not be responsible for so-called "buggy programs," though, since they do not even create them. Instead, software developers simply suggest an integer for a certain purpose, all the while emphasizing that they very well might be wrong.

Since the programmer functions as a consultant on the usage of integers rather than a manufacturer of an actual product, he should not be liable for perceived failures in an integer that he did not even create.

Domine Deus, creator coeli et terrae respice humilitatem nostram.

Wrong (3.50 / 2) (#8)
by Kasreyn on Thu Jun 27, 2002 at 05:47:58 AM EST

First off, I find it odd that you think that just because something can be expressed as a number, that makes its developer (or, ok, to use terminology to fit your metaphor, its "chooser") blameless for the results of his choice.

Instead, software developers simply suggest an integer for a certain purpose, all the while emphasizing that they very well might be wrong.

Sadly, this is not the case. Most software developers firmly state that they have selected the exactly correct integer for the solution, and if it comes to their attention that they have not, they usually attempt to hide this fact from the public for as long as possible.

Furthermore, other things can be expressed as numbers. You can express a Ford Explorer as nothing but numbers - quantities and proportions and compositions of materials, number of welds, cpu speed of onboard processor, diameter of steering wheel. The reason why so many people accepted the possibility of a future like "The Matrix" is that we are aware that the physical world can be entirely represented by mathematics.

So why not hold Ford blameless for rollovers in SUV's, or Firestone for faulty tires? Clearly, they merely selected the wrong car-describing or tire-describing integer.

I can just imagine them standing up in court and blaming integer 123873450692845760982674560298672347623498756947856786x10^25th. Please. Software developers' protected status is overdue to end. We'll see a lot less buggy software, that's for damn sure. A lot less software, period, also, but that's the price.


-Kasreyn
"Extenuating circumstance to be mentioned on Judgement Day:
We never asked to be born in the first place."

R.I.P. Kurt. You will be missed.
[ Parent ]
You will see no software period. (4.33 / 3) (#12)
by i on Thu Jun 27, 2002 at 06:16:07 AM EST

You will see no free software, that's for sure.

Please bear in mind that a lot of free (along with some non-free) software originates in universities and colleges. This is no coincidence. Writing and releasing software is part and parcel of CS education and research. You will see these activities seriously hindered.

So you will see a lot less CS education and research. Without these, chances to release a bug-free piece of code approach zero real fast.

And another thing. Many American companies will find that not selling their products in the USA (and perhaps packing and moving up north) is somewhat more profitable than facing endless court battles they have no chance to win. Sure, USA may be a bigger market than the rest of the world combined, but the rest of the world is still large enough to operate at a profit.

and we have a contradicton according to our assumptions and the factor theorem

[ Parent ]

Hm. (4.00 / 1) (#43)
by Kasreyn on Thu Jun 27, 2002 at 02:28:21 PM EST

"Writing and releasing software is part and parcel of CS education and research. You will see these activities seriously hindered."

Why? Why must one's "student days" programs be applications of the kind where a flaw in their security will bring on serious liability? Is it impossible to practise in a non-harmful way? Are we incapable of having an isolated university network to deploy student-developed applications on as a test bed to avoid external liability?

Perhaps I'm wrong, perhaps things are better as they are. I don't claim to have the vision to know, I guess. All I was trying to do was disput qpt's ridiculous assertion that designing a piece of software is in any way different from designing any other tool, like, say, a vacuum cleaner.


-Kasreyn
"Extenuating circumstance to be mentioned on Judgement Day:
We never asked to be born in the first place."

R.I.P. Kurt. You will be missed.
[ Parent ]
Some thougts. (none / 0) (#101)
by i on Sun Jun 30, 2002 at 02:11:43 AM EST

Can you conduct a course in operating systems without your students writing actual operating systems? I guess not.

Now, students are not the only people who develop software in universities. Students are the education part, but there's also the research part, and this part benefits even more greatly from external exposure. Of course research and education are intimately coupled: better research usually means better education.

Testing things on an isolated network just never will bring sufficient feedback to the designers. Just imagine what kind of world we would be living in if the original BSD were restricted to an isolated network. We wouldn't have BSD, but what's more important, we also wouldn't have people capable to write one.

Commercially-sponsored research would also die out. Why on earth, say, Microsoft would fund research on Haskell if it's likely to bring in liability?

and we have a contradicton according to our assumptions and the factor theorem

[ Parent ]

Haha! (2.00 / 1) (#15)
by qpt on Thu Jun 27, 2002 at 06:21:21 AM EST

You can express a Ford Explorer as nothing but numbers
That is the silliest thing I have ever heard. Sure, one can describe aspects of a Ford Explorer using number, but only a absolute lunatic would think one could express a Ford Explorer as a number.

See, no matter what number you write down, or what you do with it, you do not have a Ford Explorer in a different form. You have a number. Try it! Start writing numbers and see if you ever get a Ford Explorer, or any other automobile in any form. (Hint: you will not.)

Anyway, 123873450692845760982674560298672347623498756947856786x10^25th only has what, seventy-five significant figures? Mighty short program you have there, pal, if you plan on compiling it on any platform I am familiar with.

Domine Deus, creator coeli et terrae respice humilitatem nostram.
[ Parent ]

You're missing the point... (none / 0) (#76)
by thebabelfish on Thu Jun 27, 2002 at 11:52:35 PM EST

Mighty short program you have there, pal, if you plan on compiling it on any platform I am familiar with.
You've missed the point of his sentence by a mile. He only used 123873450692845760982674560298672347623498756947856786x10^25th as an example to show just how ridiculous your idea is, not as an actual "program" expressed as a number.

"I don't trust goats," --To Catch a Spy
[ Parent ]
What point? (none / 0) (#77)
by qpt on Fri Jun 28, 2002 at 12:14:00 AM EST

All programs are numbers. This fact is not contested by educated people.

Also, numbers exist apart from human action or discovery. This fact is also not contested by educated people.

Domine Deus, creator coeli et terrae respice humilitatem nostram.
[ Parent ]

This is absolutely true. (4.50 / 2) (#29)
by pb on Thu Jun 27, 2002 at 10:01:28 AM EST

And any digital intellectual property can also be expressed as a number as well; books, movies, you name it.  They're just big numbers.

Unfortunately, some of those numbers are copyrighted too, at least insofar as they express copyrighted works.

Therefore, you should be able to play with your big numbers all you want, provided you're just multiplying War & Peace by The Matrix or something.  But don't try to read or watch them...
---
"See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
-- pwhysall
[ Parent ]

Question of liability (4.69 / 13) (#6)
by Irobot on Thu Jun 27, 2002 at 05:32:27 AM EST

First off, Outlook and its ilk are insecure *by design*. MS deserves to catch heat for it.

However, this article made me actually think - it seems to me that there is one important difference between software and the other examples given. I've always heard it phrased as "Faulty software doesn't kill people, faulty [cars|toys|etc] do". Yes, yes...I've heard the "air traffic control software" argument. Let's face it, *most* software is definitely not used in life-threatening situations. But truly fail-safe software (if there is such a thing) should be developed under contract that specifies both the capabilities and the penalties for defect. I won't even go into how easy it is to shoot down the examples in the linked article.

It's not that I think software is fine and dandy in its present state - lots of it sucks. I've worked with enough other people's code to say that definitively. But software is a general, off-the-shelf commodity. I can't think of another product with similar characteristics. One that is so cheap but that has liability potentials of the magnitude called for. Can anyone supply any?

Irobot

"Life is so unlike theory." -- Anthony Trollope
Irobot

The one important thing I have learned over the years is the difference between taking one's work seriously and taking one's self seriously. The first is imperative and the second is disastrous. -- Margot Fonteyn

right on (4.00 / 6) (#23)
by tps12 on Thu Jun 27, 2002 at 09:41:39 AM EST

That is the real problem with this kind of legislation: it fixes a problem that doesn't exist, and significantly raises the cost of developing software. It would have no positive effect (since mission-critical software is already warrantied and guaranteed by contract) and many negative effects (less software, more expensive software, fewer jobs, less tax revenue...I could go on).

Please, if you don't like buggy software, don't purchase software from companies with bad track records. If you vote with your wallet, developers will listen.

[ Parent ]

Software Ecosystems (none / 0) (#69)
by greenrd on Thu Jun 27, 2002 at 09:24:58 PM EST

But as Microsoft is so fond of pointing out, software exists in an ecosystem. If you're using the most secure product available, that's no use at all if you can't interoperate with other organisations using a less secure (M$) product, or if you release confidential info to someone else and they get compromised.


"Capitalism is the absurd belief that the worst of men, for the worst of reasons, will somehow work for the benefit of us all." -- John Maynard Keynes
[ Parent ]

well of course (none / 0) (#70)
by tps12 on Thu Jun 27, 2002 at 09:35:13 PM EST

As a rational person, you need to estimate the costs and risks of interoperating, sharing data, and so forth, and decide what to do based on these estimates.

[ Parent ]
Anti-MS Bullshit (3.80 / 5) (#11)
by DarkZero on Thu Jun 27, 2002 at 06:15:44 AM EST

I have yet to see a new virus/worm announcement that doesn't include "If you've patched Internet Explorer/Outlook/Windows/whatever-MS-product, you don't have to worry about this at all". In fact, many of the announcements for the most prevalent worms tell you that if you've patched Outlook or IE in the last year, then you're fine.

Microsoft has fixed the majority of its security problems, but they're still blamed for the mistakes they made a year ago because no one downloads the patches. Your article does not tackle this issue at all, despite the fact that it is really one of the most important aspects of this law. Since software can't be recalled like a normal faulty product, where does the liability lie for a user whose system is harmed because they were using a version of IE from over a year ago, if not much more? Should software companies have a much, much larger burden put upon them than conventional businesses because they cannot issue recalls or fix their products in any way beyond patches and public announcements that the software is faulty?

Adding Microsoft into one of these debates always produces interesting results. If this were an article about copy protection circumvention legislation including harsh penalties against offenders, everyone would be saying that the internet should not necessarily be held to much stricter standards than the real world just because it is different than what "those stupid politicians" are used to. But when you take the same types of ridiculous penalties and expectations and apply it to Microsoft instead of some little P2P company, suddenly everyone wants law breakers to be castrated and burned at the stake for not meeting ridiculous legal expectations.

Scenerio: (3.33 / 3) (#20)
by Dragomire on Thu Jun 27, 2002 at 08:28:02 AM EST

You run a buisness and have just completed work for what could amount to a huge monetary contract with someone/some business. You have a network at your office that runs X networking suite/software from Compnay Y.

You come into work the next morning, and find none of the computers are working, and your tape backup only has info up until the night before you finished the proposal/ad/whatever that is hopefully going to bring you the nice contract. You find that all of the computers in the building are empty, completely formatted.

Because you have to spend the time getting the computers back online, as well as trying to re-complete the proposal/ad/whatever from what you had the day before it was finished, you miss your deadline, and lose the contract.

Soon afterwards it is found that there is a huge security hole in Company Y's networking solution, and that Company Y knew about it before release. But they figured it was only a potential threat, not easily exploited, and thus not worth fixing before release. You also find out that this security hole is how a malicious attacker got into your network and essentially caused you to lose your potential contract.

Who's liable in this case? You've potentially lost money because the software developer did not see the security hole as a big deal. You've also really lost time, and money in getting all of your computers back up and running.

Shouldn't the software vendor/developer be liable for your real loss of time and money? Can't it be argued that had they actually fixed the security hole before release, that you would not have missed your deadline, and thus they should be liable for your potenatial loss as well? They should definitely be liable for your real time and loss of money, the question of whether they should be liable for your potential loss is iffy, because you may or may not have gotten the contract based on your proposal/ad/whatever in the first place.

Do you think the software developer should be able to just walk away without any sort of liability for a security problem they already knew existed?

[ Parent ]

suck it up (4.50 / 4) (#25)
by tps12 on Thu Jun 27, 2002 at 09:47:08 AM EST

Well, you probably won't buy from company Y again, will you?

Seriously, unless they've signed a contract that guarantees that they will patch or notify you of any security holes as soon as they know about them, then I don't see from where you think these rights of yours derive.

If you require such a guarantee, then limit yourself to doing business with companies that will give you one. Trying to force them with a law will just result in higher prices and less choice in vendors.

[ Parent ]

Accident vs. Design (4.66 / 3) (#34)
by ebonkyre on Thu Jun 27, 2002 at 10:33:57 AM EST

Have you, by chance, looked at Windows XP Home Edition - the one that most new computers sold at retail are required to carry (in order to keep their OEM licensing)?  The one targeted at non-computer-literate users?  The one that does not even allow you to password-protect your network shares or set file permissions (beyond whether or not other local accounts can access them)?

While MS does get bashed unfairly whenever a virus come along that exploits a hole they fixed a year ago, most of the remaining security flaws are there by design.

The truth hurts sometimes... Nothing beats a nice fat cock. ShiftyStoner
[ Parent ]

When should one be liable?? (4.66 / 6) (#16)
by Stereo on Thu Jun 27, 2002 at 06:50:03 AM EST

One of the things I like about free software is that it allows people to tinker, have good ideas but write bad code, have others work with them on projects and put out a truly quality product that they can take pride in. Such a law would harm free software.

Being liable is clearly a problem if you release your software for free (both meanings here). I think software companies should be liable only if their software is not free. Only when you agree to give up money or "freedom" in exchange of software is it my opinion that you should get a certain quality of service granted in exchange. It's hard to see anyone holding Linux people financially responsible for their product when they give it away.

I think that any stinker laws should have a clause to deal with software that is intended for public good and not personal enrichment. After all, if a hobbyist releases a tool he wrote for his own use that others may find useful, yet doesn't charge for it, he should not be liable for his free tool causing problems with something someone used it for.

However, if he packages it and/or charges for it, he should be responsible for its correct and accurate operation, within reason. If, for example, the software requires certain hardware, he should not be made responsible if his customer doesn't meet said requirements.

It's a really tough question; while we would all like to see large corporations made responsible for lack of code quality, someone who gives away the fruits of their labor in an effort to be helpful must not be harmed. Is this the right way to go?

Quality should usually be handled by the invisible hand of competition, but huge companies, from Mercedes to Microsoft, are so well-established that they can afford to give up on quality. I think that such a measure would protect the consumer from such abuses.

This is just an idea, it's certainly flawed and incomplete. Does anyone care to contribute?


kuro5hin - Artes technicae et humaniores, a fossis


Re: When should one be liable?? (4.50 / 4) (#21)
by Toojays on Thu Jun 27, 2002 at 08:31:22 AM EST

I think the liability should come when a piece of software is marketed and packaged as a consumer product.

I'm not 100% sure about this, but I suspect that if I were to give away plans on how to build a car, or a recipe for some food, I would not be liable if someone took that information and used it to build a defective product. Compiling a computer program from source is fairly analagous with cooking a meal by following a recipe, so the same should apply.

Consumer electronics is probably the most relevant area to look at with this kind of thing in mind. Suppose I buy a stereo system from Sony. If the power supply turns out to be faulty, and it starts a fire which burns my house down, I would expect that Sony would have some liability. Now suppose that instead of buying that stereo, I built it myself based on a schematic from an electronics machine. Could I hold the publisher of the magazine liable?

The people who might know are the insurance litigators. In both the scenarios I described, my insurance company would (hopefully) give me a payout. In the first, they would most likely go after Sony. What would happen in the second case isn't so clear to me, but something like this may have come up in the past somewhere, and would serve as a precendent.



[ Parent ]
flawed analogy (4.40 / 5) (#27)
by tps12 on Thu Jun 27, 2002 at 09:55:48 AM EST

Compiling a computer program from source is more like microwaving a bagel dog.

Writing a program based on a description of an algorithm in a published paper is more like following a recipe.

Also, I question your idea of consumer electronics liability. According to your Sony power supply scenario, the amount of money Sony owes you for their mistake is dependent on the value of your house. What if you use the stereo, not in your house, but in your warehouse of back issues of electronics magazines, valued at $50 million?

For that to make any sense, Sony would need to price its products based on where you would use them. So the stereo is $500 if I'm putting it in my house, $350 if it's going in my summer home, and $10000 if I want it in my warehouse. Otherwise, those who want stereos for their tiny apartments end up subsidizing stereos for other people's warehouses. Obviously, these outcomes are crazy.

The maker of any product, free or not, tangible or not, should only be liable to the extent agreed upon in whatever contract is made at the time of the sale. If Sony wants to offer you home insurance along with their DVD player, that's up to them.

[ Parent ]

I don't know . . . (4.00 / 2) (#66)
by Toojays on Thu Jun 27, 2002 at 08:22:08 PM EST

I found this page on product liability law in Wisconsin.

Under section III, it lists the five key elements of proof in liability cases:

  1. that the product was in defective condition when it left the possession or control of the seller,
  2. that it was unreasonably dangerous to the user or consumer,
  3. that the defect was a cause ( a substantial factor) of the plaintiff's injuries or damages,
  4. that the seller engaged in the business of selling such product or, put negatively, that this is not an isolated or infrequent transaction not related to the principal business of the seller, and
  5. that the product was one which the seller expected to and did reach the user or consumer without substantial change in the condition is was when he sold it.
So Sony could very well be held liable for damage done by a faulty DVD player, however, the plaintiff would have to show that Sony violated "the applicable design and manufacturing safety standards".(second paragraph of linked article)

What's interesting in the free software context is that liability falls on the entity engaged in the business of selling the product. Supposedly this would mean that you couldn't sue Linus for bugs in the Linux kernel, since he doesn't sell it. However, if you paid for your distrubution of Debian/Slackware/Redhat/whatever, you could sue whoever accepted money for it.

Of course this is always sidestepped by the vendor saying that they are selling you the media and a license to use the software, and that the software itself always belongs to the copyright owner.



[ Parent ]
In-sewer-ants (none / 0) (#83)
by bloat on Fri Jun 28, 2002 at 08:52:59 AM EST

For that to make any sense, Sony would need to price its products based on where you would use them. So the stereo is $500 if I'm putting it in my house, $350 if it's going in my summer home, and $10000 if I want it in my warehouse.

It's called insurance. It does cost different amounts depending on where the insured item gets used. For instance it costs me more to insure my car here in London than it would do if I lived in Norfolk for instance.

CheersAndrewC.
--
There are no PanAsian supermarkets down in Hell, so you can't buy Golden Boy peanuts there.
[ Parent ]

exactly (none / 0) (#84)
by tps12 on Fri Jun 28, 2002 at 08:55:27 AM EST

And insurance is normally not an essential part of a stereo. Nor should it be. Sony is already going to spend a lot of time trying to make a safe product, since they have a reputation to maintain. Leave insurance to insurance companies.

[ Parent ]
Warranty (5.00 / 1) (#89)
by wierdo on Fri Jun 28, 2002 at 04:57:27 PM EST

Physical products have an implied warranty. In many states, an implied warranty cannot be disclaimed. If Sony sells a stereo, they warranty that it will be useful in some manner for amplifying audio. Legally, if a manufacturer sells you a defective product that causes you harm, they are liable, despite your opinions on insurance. That is how Firestone has been sued so much. That is how Ford has paid out millions in product liability settlements. I consider this a good thing, although it has been very abused as of late.

Unfortunately, an extreme free market just does not work. Consumers get fucked. Witness Standard Oil, or any other of the big trust busts of the 1800s. Most people are too stupid to realize when they are being screwed, so we as a society must protect them, and ourselves, those who are cognizant of the problem. Without product liability, manufacturers would make defective products all the time. They still do, just not usually on the scale that has historically been the case.

FWIW, I wish the world was different. If people weren't so stupid, we could dispense with most regulations on the books, because people would protect themselves. However, as the saying goes, "If ifs and buts were candy and nuts, we'd all have a merry Christmas." Unfortunately, they are not, so we live in the imperfect society we do today. Perhaps Worldcom's cooking the books hasn't opened your eyes to the problem yet.

-Nathan

P.S. The problem is that corporations are largely unaccountable for their actions. Removing accountability has been proven to be a bad thing lately. They obviously need more regulation, not less. I truly wish it could be different.

[ Parent ]

Thanks for the link (3.55 / 9) (#17)
by Rasman on Thu Jun 27, 2002 at 07:41:16 AM EST

Thanks for the hyperlink to Microsoft. I had never heard of those guys...are they new?

---
Brave. Daring. Fearless. Clippy - The Clothes Pin Stuntman
Liability and Security (3.33 / 3) (#24)
by wiredog on Thu Jun 27, 2002 at 09:46:54 AM EST

Bruce Schneier's essay, the responses, the slashdot discussion.

There will probably be nothing in this discussion that isn't in the ones referenced above.

Can't sleep. The clowns will get me.

Game companies (3.50 / 2) (#33)
by godix on Thu Jun 27, 2002 at 10:22:30 AM EST

Forget Microsoft, I'd rather see the various game companies nailed to the wall. They are much worse than Microsoft about patches. For example, Neverwinter Nights had a patch within a few days of it's release. Not only did they patch the game, but they also had to patch their patching software. I've had games that claimed to be multiplayer, but their tech support pages tell you to download a hundred meg patch because multiplayer doesn't work. I've seen games release patches because without it you can't beat the game. Compared to this Microsoft is the epitome of quality software.

Oh, as a side note, if you ever get software like this do what I do. Go to the store and say 'Yes, I know the software is opened. I also know the penalties for false advertising.' It's astounding how quickly they quit argueing once you mention false advertising.....

Not game companies (4.00 / 1) (#37)
by AmberEyes on Thu Jun 27, 2002 at 12:28:51 PM EST

Game publishers. Trust me, game developers would like nothing else but to have an extra month or two to hammer everything out. You want the guys in the suits who value numbers over consumer satisfaction. :)

-AmberEyes


"But you [AmberEyes] have never admitted defeat your entire life, so why should you start now. It seems the only perfect human being since Jesus Christ himself is in our presence." -my Uncle Dean
[ Parent ]
Oh sure (3.00 / 1) (#52)
by PresJPolk on Thu Jun 27, 2002 at 04:31:03 PM EST

You'd have us believe that the ame companies are just these helpless little slaves who'd just love to produce a decent product, but the big mean publisher won't let them?

I say they know what you're getting into, and they voluntarily do it anyway, so they're responsible, too.  They are profiting off of it, anyway.

[ Parent ]

Why do you hate America so much? [n/t] (none / 0) (#63)
by AmberEyes on Thu Jun 27, 2002 at 06:45:51 PM EST

-AmberEyes


"But you [AmberEyes] have never admitted defeat your entire life, so why should you start now. It seems the only perfect human being since Jesus Christ himself is in our presence." -my Uncle Dean
[ Parent ]
Allow me to illustrate things (none / 0) (#72)
by X3nocide on Thu Jun 27, 2002 at 10:14:09 PM EST

Delays happen. Daikatana was delayed for quite some time. q3a was made with like a year's worth of "crunch time." Game developers are typically the lowest salaried and most worked of salaried programmers. If you really want to find out who's crap and who's fault it is, you should probably read FatBabies">http://www.fatbabies.com/index.html">FatBabies sometime. The long and short of it is that its neigh impossible to accurately gauge how long it takes to make software, and publishers hold companies to schedules that shouldn't be. GoD games aimed to be different, and look how that turned out...

pwnguin.net
[ Parent ]
Blaming the programmers (none / 0) (#81)
by PresJPolk on Fri Jun 28, 2002 at 07:55:48 AM EST

I didn't say blame the programmers, I said blame the programming *companies*, that is, those companies that are also responsible for underpaying and overworking the programmers. :-)

And yes, I know that software development can have unpredictable delays just like any other new and relatively unexplored form of engineering.  But again, the companies involved *know* this, but they keep doing it again and again anyway!

And it won't stop until it isn't profitable to do so anymore.  I can still blame them though, the same way I can blame crack dealers even though their business is profitable.

[ Parent ]

Limits of liability (4.71 / 7) (#38)
by mech9t8 on Thu Jun 27, 2002 at 12:43:14 PM EST

A car manufacturer isn't liable for the damage if someone smashes the window with a crowbar, if someone disconnected the brakes, if someone smashes into it with an 18-wheeler.  There are only certain things that manufacturers are liable for, and for the most part, they don't include deliberate attacks - which is what makes up the majority of software security problems.

You can sue the company if there are deadly design flaws for normal use - ie. the car flips over when you're turning.  That's the equivalent of you typing away at Word and then it suddenly reformats you hard drive.  So perhaps there could be protection against that.

The government also prescribes safety standards - a certain amount of force the car should take before blowing up, etc.  

That's the equivalent of laws saying it must protect against certain specific, easily-tested types of attacks.  So, maybe, there could be some tests for that - making sure a box can survive specific types of DOS attacks. Maybe even go so far as to say that it's illegal to release a product with a certain type of easily-defined and tested vulnerability - for instance, buffer overflows.

But most software security problems are new - that's why they're hard to protect against; there's protection for most known flaws within a few days if not weeks of their detection.  By saying software developers are liable, you're saying that they must perfectly protect against every single possible deliberate attack, and that's pretty much impossible for anyone in any line of work.  

Cars don't have to be perfect, they just have to meet certain easily-measured standards for safety.  The problem is that it's hard, if not impossible, to set easily-measured standards for software safety.

--
IMHO

more like.. (3.33 / 3) (#44)
by loteck on Thu Jun 27, 2002 at 02:28:37 PM EST

you typing a letter in word, and your monitor explodes in your face causing instant death.

government tends to get involved when human life is at risk. in this case, it isnt. capitalism should be taking care of this problem. a product doesn't work or is defective, you dont buy that product anymore (or at the very most you start a class action lawsuit, which has already been tried against MS).

I guess since MS has a monopoly on the desktop OS market, and it appears to be using that monopoly illegaly, capitalism has failed in this case. So much money involved here, im not suprised.
--
"You're in tune to the musical sound of loteck hi-fi, the musical sound that moves right round. Keep on moving ya'll." -Mylakovich
"WHAT AN ETERNAL MOBIUS STRIP OF FELLATIATIC BANALITY THIS IS." -Harry B Otch

[ Parent ]

limited liability is enough, I think (5.00 / 3) (#61)
by janra on Thu Jun 27, 2002 at 06:21:38 PM EST

Most warranties specify that flaws in construction and failure under normal use are covered. I think that this is quite enough for software - no need to make them warranty failure under abuse.

If you buy a new car, and the engine falls out while you're driving down the road one day (before the warranty expires), you're covered. If you buy a new house and the front steps collapse after a month, you're covered. Hell, if you buy a printer and the ink cartridge explodes, gumming up the guts and making it completely unusable, you're covered.

But if you're typing away in MS Word and you randomly get a BSOD, causing you to lose work, shouldn't that be covered? In cost, it's not much smaller than the printer example, especially with the $30 printers available nowadays. If you come in one morning to find that your MS Exchange server barfed and died for no apparent reason, causing you to lose a day's worth of possibly critical and time-sensitive email, shouldn't that be covered?

And that's not even getting into the laughable security designed into XP (see the comment about XP not allowing you to set passwords on shares) or the hole designed into Outlook that causes Outlook to automatically open a program, regardless of what it does, regardless of whether you want it to or not.

You don't even have to make software companies liable for an intruder deliberately breaking your computer to make them a lot more accountable.


--
Discuss the art and craft of writing
That's the problem with world domination... Nobody is willing to wait for it anymore, work slowly towards it, drink more and enjoy the ride more.
[ Parent ]
Gee, that's great (4.62 / 8) (#41)
by trhurler on Thu Jun 27, 2002 at 01:19:56 PM EST

So what's going to happen is, Microsoft is going to pay out money in lawsuits(they CAN'T fix the bugs, and even if they could it would cost more than the lawsuits,) and anyone who DOESN'T have gobs of cash will be driven out of business. Free software? Hah. Nobody will be able to release it for fear of being sued into bankruptcy.

"Microsoft is a monopoly. We're here to introduce legislation that will ELIMINATE their competition in order to improve quality."

Thanks, g-man. You're a real fucking help. Fucking morons.

--
'God dammit, your posts make me hard.' --LilDebbie

Alternatively... (4.00 / 1) (#48)
by dipierro on Thu Jun 27, 2002 at 03:24:15 PM EST

if the law is written to only to apply to software which is sold, then the entire software industry collapses, and Free Software inherits the Earth...

Which is really just an argument as to why this legislation isn't going to be enacted in the first place.



[ Parent ]
Free Software (4.00 / 1) (#49)
by PresJPolk on Thu Jun 27, 2002 at 03:36:23 PM EST

I really doubt free software developers themselves are going to enter into contracts with the US government, so they won't have ny problems here.

The companies that *will* enter into agreements inherit some source code, and can pay programmers to meet whatever requirements they have to meet in order to get money from the government.  It's the same situation Microsoft is in.  Of course, it'll take a lot less work to verify software that is already decent to begin with.

[ Parent ]

Au contraire (none / 0) (#91)
by Alfie on Fri Jun 28, 2002 at 10:13:22 PM EST

It's my understanding that government contracts are currently where Free Software stands the best chance of being profitable for the developers. The money to be made if government were to exclusively use free software is enough to keep quite a few developers busy and fed.

As for the reasons why government might consider free software, they have been discussed here and enumerated in a response by Peruvian Congressman Dr. Edgar David Villanueva Nuñez.



[ Parent ]
glad you said it (3.50 / 2) (#53)
by speek on Thu Jun 27, 2002 at 04:39:28 PM EST

I was going to make a similar comment. My take is slightly different - being that Microsoft will be the only company big and brave enough to continue to make software in such a world, and they will simply put massive effort into CYA policies and getting their code "certified" (ie CYA'ified), and yes, keep massive amounts of cash to pay off the inevitable dicey lawsuits. But, hell, having no competition, they won't mind a bit.

And this won't help free software one bit. If you think the legislation will somehow "miss" software under Open-Source licenses, you're really deluded.

--
He who can copy, can do - Da Vinci
[ Parent ]

Why? (4.00 / 1) (#59)
by epepke on Thu Jun 27, 2002 at 05:47:35 PM EST

Why do you think that Microsoft is going to have to pay out money in lawsuits? The've been conviced of abusing their monopoly power and essentially nothing has happened to them. What's going to happen? Is the Department of Justice going to spend millions of dollars and another half decade trying to get them to pay? Oooh, I bet they're just quaking in their boots about this one.

Of course, if we were living in a parallel universe where they actually did have to pay, they'd be able to afford it. But what exactly is to prevent them from respecting any of these rulings exactly as much as they've respected any other ruling?


The truth may be out there, but lies are inside your head.--Terry Pratchett


[ Parent ]
Heh (5.00 / 1) (#60)
by trhurler on Thu Jun 27, 2002 at 06:08:01 PM EST

Ignoring a DoJ settlement(or more accurately, interpreting it in odd ways,) is entirely different from failure to comply with contractual obligations, especially with the DoD. If you suspect for even a moment that they would get away with this, go ask IBM what happens when you yank the DoD around. IBM could buy a Microsoft every few months and still be profitable, but NOBODY fucks with the DoD, size be damned. They've flat out occupied buildings with soldiers to get their way in the past - and found legal justification for doing it.

--
'God dammit, your posts make me hard.' --LilDebbie

[ Parent ]
Maybe (4.00 / 1) (#62)
by epepke on Thu Jun 27, 2002 at 06:24:56 PM EST

Maybe it will turn out like the South Park movie. The DoD was powerful enough even to stop Joe McCarthy.

But I find it hard to believe that the DoD needs a law like this one. They have contracts. However, Microsoft has fucked with the DoD before and gotten away with it.


The truth may be out there, but lies are inside your head.--Terry Pratchett


[ Parent ]
I thought it was neat that... (4.00 / 2) (#47)
by mingofmongo on Thu Jun 27, 2002 at 03:03:05 PM EST

there was one place left where the government hadn't dug its regulatory tallons into yet. It was too good to last. Soon the only thing you'll be able to create without looking over your shoulder, will be editorials.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion

Incredibly Vague article (3.33 / 3) (#50)
by PresJPolk on Thu Jun 27, 2002 at 03:44:15 PM EST

That article provides almost no actual information.  Look at who it does quotes:

- A *former* government lawyer
- A Microsoft executive
- A Microsoft customer
- A computer security consultant

Is *one* of these people drafting, sponsoring, or otherwise in any position to talk about some change in law or policy? No.  It's just generic talk about software quality and security.

A US Air Force officer is also quoted, but he doesn't even hint at a change in policy.  He just whines about bad software quality.  (One wonders why he doesn't just try an alternative to MS if he finds MS products so bad.)

I'm left to conclude that nothing actually is happening.  There is no news here.

The Rights of a Creator (3.66 / 3) (#51)
by kurtmweber on Thu Jun 27, 2002 at 03:51:15 PM EST

Microsoft has every right to write buggy, perforated software for whatever reason they choose, as long as no fraud or physical force is used. Users have every right to choose to use or not use Microsoft's products, and they are responsible for the consequences of their choices.

Kurt Weber
Any field of study can be considered 'complex' when it starts using Hebrew letters for symbols.--me
I'd agree (4.00 / 1) (#73)
by Humuhumunukunukuapuaa on Thu Jun 27, 2002 at 10:29:30 PM EST

But in that case I demand the right to sue the ass of all the morons, all hundred thousand of them, whose servers tried to infect my server with Code Red, Simba and all the rest.  Someone needs to be held responsible.  Either it's the provider of the software or Microsoft.  And don't say it's completely the fault of the virus writer.  It's not the virus writer who actually spread the damn things.

[ Parent ]
For most users its a Hobson's Choice (none / 0) (#92)
by MuglyWumple on Sat Jun 29, 2002 at 12:28:15 PM EST

I wish I had a choice other than Microsoft. Unfortunately the applications that I need are available in only one flavor - MSWindows. The computer that I bought already had MSWindows on it. I had no choice in the matter. I visit websites that only render properly in IE.

Sure I could opt for Linux or MacOS and be like the lone voice yelling "Injustice!" into the wilderness. Unfortunately, I need to get work done.


[ Parent ]

Then you have a choice to make (none / 0) (#93)
by kurtmweber on Sat Jun 29, 2002 at 02:22:44 PM EST

You have to decide whether or not the benefits of getting your work done are worth the price of using the products necessary to get that work done.

The computer that I bought alread had MSWindows on it. I had no choice in the matter.
Hrm...so you were FORCED to buy that particular computer? So you were FORCED to buy a computer period?

Kurt Weber
Any field of study can be considered 'complex' when it starts using Hebrew letters for symbols.--me
[ Parent ]
Yes, you're right (none / 0) (#94)
by MuglyWumple on Sat Jun 29, 2002 at 03:46:22 PM EST

Yes, you're right. My options have been dictated by the choices I've made to be a part of society, to have a career, to participate in the computer world. So, should these choices be forcing me to use Microsoft products? They do now.

The issue is not whether I have the final, ultimate decision or not, but rather how one decision forces another.

[ Parent ]

That's beside the point (none / 0) (#95)
by kurtmweber on Sat Jun 29, 2002 at 03:54:02 PM EST

The issue in fact IS whether you have a decision. One decision may lead to requiring you to make other decisions, but was the first decision not ultimately your decision in the first place?

Kurt Weber
Any field of study can be considered 'complex' when it starts using Hebrew letters for symbols.--me
[ Parent ]
B&W (none / 0) (#96)
by MuglyWumple on Sat Jun 29, 2002 at 04:12:06 PM EST

It is easy to argue the black/white of it. Of course I make choices. I am no automaton. I'd argue  instead the costs of those decisions, for there lies  control and manipulation.  I'd gladly say F-off to Microsoft and never touch it again. However I'm not willing to risk career, nor put those who depend on me for the privilege of escaping from Planet Bill.

[ Parent ]
Aha! (none / 0) (#97)
by kurtmweber on Sat Jun 29, 2002 at 04:40:24 PM EST

So you decided what was more important to you and acted based on that decision.

Kurt Weber
Any field of study can be considered 'complex' when it starts using Hebrew letters for symbols.--me
[ Parent ]
Aha! (none / 0) (#98)
by MuglyWumple on Sat Jun 29, 2002 at 05:10:19 PM EST

So you won't complain when "Where do you want to go today," means what part of Microsoft would you like? After all, its your choice.

[ Parent ]
Pretty much (none / 0) (#100)
by kurtmweber on Sat Jun 29, 2002 at 09:28:16 PM EST

Pretty much...I may not like the choices I'm given, but I have a choice. And at any rate, I'm free to not use computers at all if it gets to be too bad.

Kurt Weber
Any field of study can be considered 'complex' when it starts using Hebrew letters for symbols.--me
[ Parent ]
open software (4.00 / 1) (#56)
by speek on Thu Jun 27, 2002 at 04:46:53 PM EST

So, what happens when open-source software developers start releasing their software anonymously? One could, right now, use Freenet to release one's open-source software, and no one would know who made it or released. The developer(s) could still even discuss bugs and technical problems with their users without revealing themselves.

They'd have to do this law one better and make non-certified software illegal to use, and that would be a big step.

--
He who can copy, can do - Da Vinci

Hyperbole much? (1.50 / 2) (#57)
by Fon2d2 on Thu Jun 27, 2002 at 04:59:32 PM EST

As pointed out by an earlier post, there are certain things the software manufacturer should not be held liable for. After all, the real estate agent isn't liable if your house is burglarized. The funny thing is, none of this would really be an issue if Microsoft weren't a monopoly, but that's really only the case in the desktop market since I don't see what prevents a business from using a different OS on a system-wide level. And of course I wouldn't expect security to be as high a priority for the home desktop. None of this, however, means that Microsoft doesn't take security into serious consideration. A lot of security holes come about due to the nature of the C programming langauge, something C# fixes. But I'm sure you'll lambast Microsoft for that effort as well. The funniest part about all of this is how open source enthusiasts will still get away scott free. Would Stallman ever be liable if a malicious hacker accessed my computer through an emacs security hole. I seriously doubt it.

C#? Mmm....no. (4.00 / 1) (#58)
by countzro on Thu Jun 27, 2002 at 05:35:52 PM EST

It's entirely possible, and not at all difficult to write unsafe, dangerous code in C#.

And on a related note, C# is not meant to fix C. C#'s closest language relative is Java. Basically, the way I see it, C# *is* Java, but with some nifty syntactic sugar thrown in.

[ Parent ]
Way around the problem? (none / 0) (#80)
by hollo on Fri Jun 28, 2002 at 07:39:35 AM EST

As pointed out by an earlier post, there are certain things the software manufacturer should not be held liable for. After all, the real estate agent isn't liable if your house is burglarized.

The estate agent claimed to sell you a house though. If the description in the estate agent's window had talked about the burglar alarm system though, and the burglar got in because it didn't work, then you might have more luck.

Isn't the way to get round this to carefully taylor the descriptions of your programs. For example instead of saying "Foo is a secure, stable, and robust http server" you could say "Foo is a program with unpredictable behaviour. It may or may not serve web pages. It also may or may not provide unauthenticated users with the ability to execute arbitrary code, and/or execute arbitrary code unrelated to the process of serving web pages itself. On the author's machine it most frequent behaviour is to serve web pages." Maybe not the marketing department's dream, but I could see it being difficult to compain in court that a program specifically advertised as potentially giving remote root access had done so. Otherwise you could sue the telnetd authors because, as advertised, it gives remote access to passwordless accounts.



[ Parent ]
Wrong problem (2.00 / 1) (#64)
by gidds on Thu Jun 27, 2002 at 07:37:24 PM EST

The problem isn't M$'s poor security.  The problem is their stranglehold on the industry that prevents people choosing alternatives.  Change that, and the commercial pressure will force everyone to take security seriously.

Andy/
Wrong (none / 0) (#68)
by greenrd on Thu Jun 27, 2002 at 09:14:35 PM EST

IIS doesn't have a monopoly. Yet its security record is still apalling, and still potentially a danger to national security.

Market forces don't always work. The trouble with market theory is people just aren't that rational.


"Capitalism is the absurd belief that the worst of men, for the worst of reasons, will somehow work for the benefit of us all." -- John Maynard Keynes
[ Parent ]

Microsoft would *support* such laws (5.00 / 3) (#67)
by duncan bayne on Thu Jun 27, 2002 at 09:05:09 PM EST

Of course Microsoft, and other companies, will lobby and throw money around to try and ensure legislation that makes them liable for damages done by security holes never gets past the planning stages, but they can't be sure that that will work.

Yes, they'll squash any attempt to make them financially liable. But it's in their best interests to have the government lean on them to produce secure software, because it'd be very easy for them to respond by forcing adoption of Palladium, with government backing.

One evil empire helping another. No surprises there.



The Possibility of a Secure OS (5.00 / 2) (#74)
by Kryptonik on Thu Jun 27, 2002 at 10:44:13 PM EST

OpenBSD, widely regarded as the most secure (and usable) operating system recently had a remote root hole. This is an open sourced system made by security zealots whose sole purpose is to create a secure OS, and yet a bug got through them.

Code isn't like tires or most manufactured goods. It is incredibly complex and maintained sometimes by hundreds of different people. Even with the most strict security standards a company or organization cannot hope to create a 100% secure OS.

IMHO the market should punish Microsoft by shifting to more secure OS's, which is has been doing over the last year. This switch would be facilitated if more people made an effort to explain to the general public that viruses exist mostly because of Microsoft's lax security.

Basically, there is no such thing as a perfect system, so, even though I cannot stand Microsoft's products, they shouldn't be punished for them.

Careful with the oranges and apples comparisons (none / 0) (#85)
by Rogerborg on Fri Jun 28, 2002 at 10:17:05 AM EST

    OpenBSD, widely regarded as the most secure (and usable) operating system recently had a remote root hole.

That's right. One remote root hole in the default install in six years, against "revenues" (i.e. donations) of tens or low hundreds of thousands of dollars. Contrast with Microsoft over the same period. Hundreds of flaws against tens or low hundreds of billions of dollars of revenue.

On any reasonable system of punative penalties, a fine of $1,000 for openBSD would translate into something like a fine of $100 billion for Microsoft. Realistically, we'd be talking more like $100 for openBSD and $10 billion for Microsoft. Heck, if it came to that, I'd contribute that $100 to openBSD on the spot, and (interestingly) I suspect a lot of other people would too.

In fact, I suggest that fining openBSD would be the best thing that could happen to it. The sympathy and support that it would generate would probably bring in more money in a week that it typically gets in a year in donations.

Further, it would amount to an official government line on just how secure various flavours of software actually are. You could discount vendor hype and FUD, and just have to look at the FTC/DoJ figures to see that openBSD has one flaw against Microsoft's hundreds.

If we really believe that open source software is inherently more robust and secure than proprietary, we should have no qualms about putting our money where our mouth is. I for one would welcome such a law, because it would quantify the debate once and for all.


"Exterminate all rational thought." - W.S. Burroughs
[ Parent ]

First, a lower bar. (none / 0) (#75)
by Apuleius on Thu Jun 27, 2002 at 11:28:11 PM EST

Before making apiece of software secure comes making it reliable, that is, making it DTRT (FRVO) without hostile interference. Making it DTRT with a hostile actor is a great deal harder. First, companies should be made liable for unreliable programs. That just might cause the culture in these paces to change, and then make it easier to make companies responsible for insecure programs.


There is a time and a place for everything, and it's called college. (The South Park chef)
what happened to the free market? (none / 0) (#87)
by startled on Fri Jun 28, 2002 at 02:16:59 PM EST

This is disgusting. People know what they're buying, and they still do it-- yet you blame it on the software companies?

Let's take the games example. You, I, and every other gamer knows that a game bought on release day will likely be buggy-- and gamers are the only ones who buy games on release day. If you buy it, and it's buggy, why do you act surprised? Why do you act like this needs government intervention? Wait a week, read some reviews, talk to people. If you think it's worth your money, buy it. If it sounds too buggy, DON'T. Or was someone forcing you to buy it on release day?

The same thing goes for MS software. Every couple of weeks we hear about another massive security hole. Hey, there's another hole in IE that allows someone to root your box. There's a shock. Look, Windows Media Player somehow allows someone to wipe your drive, go figure. I know their products are full of security holes, you know it, and above all, corporate IT managers know it. But they still buy their products, so obviously they don't care enough to change their buying habits.

To go back to your car analogy. If a car was sold with a big sign saying, "this will explode in flames", no one would buy it. But people buy the latest copies of Windows knowing full well the latest IIS or Windows Media Player or Outlook Express hole hasn't been patched.

Take responsibility for the way you spend your money, nay, the way you live your life. Just because you can't control yourself doesn't mean the government has to step in and do it for you.

Actual results of this legislation? (none / 0) (#88)
by adh on Fri Jun 28, 2002 at 02:53:37 PM EST

On one hand, making software companies financially liable for bugs might make them somewhat more focused on finding and eliminating problems in their code. However, I don't think you'll ever see a bug-free release. It's extremely difficult to eliminate *all* these defects you're talking about, and, really, it's not completely a question of decision-making errors in a company like Microsoft's upper echelons of management. In other words, Microsoft isn't conspiring to create buggy code (as opposed to the very real way they seem to be conspiring to monopolize segments of the software market). I would go as far as to say that software producers, Microsoft included, are trying hard to reduce the number of defects in their code.

Given this, that it *isn't* a situation where software producers can just snap their fingers and produce bug-free code (and it's just that they haven't been properly motivated to up until this point), this type of financial liability will do one or both of two things:

  1. Push back release dates and increase the cost of producing software by increasing the need for testing and stricter coding methods.
  2. Cause the de facto cost of each software project produced using the old, bug-prone methods by creating the threat of costly litigation.
So we have, overall, an increase in the cost of producing software, which isn't really a surprise. Now, what happens when we increase the cost of producing a good? If I recall my Economics 101 lessons correctly, this extra finiancial burden is carried more by the producers the more elastic the demand, and more by the consumers the more inelastic the demand. (For those jargon-challenged out there, [in]elastic demand means pretty much what you'd expect it to, i.e. [in]flexibility in whether you will buy something depending on its cost.) Now, considering that people will still need to use PCs with a functioning OS and still want email, and that Microsoft essentially has a monopoly on that market, we'd expect most of the extra burden to fall on consumers. In other words, when it comes to many Microsoft products, the cost of this new litigation will be spread out among the consumers of the products, rather than Microsoft itself.

Alright, maybe that foray into freshman year economics was ill-advised, but overall the process makes sense: increasing the cost of producing software will increase the price (of all software); for a few consumers the new price will be too high, and they won't purchase the software, but the rest of us will just eat the added cost.

As some other comments have alluded to, I think the real solution here is a move towards more accurate information in the marketplace. It seems to me that producing software is a zero-sum game in the sense that we're not going to force software producers to make their code less buggy without taking away from another area (slowing production, adding cost, reducing functionality, etc.). I think it makes sense to let the consumer decide what their priorities are rather than forcing the issue with legislation and litigation. E.g. if I want a high functionality / buggier piece of software rather than a low functionality / less buggy piece of software, I want to be able to make that choice. The problem seems to be that because software is very complex, it's not always clear to the consumer (myself included) exactly what they're getting, and so I applaud your article in that it's raising awareness on the issue and adding information to the marketplace.

<pipe dream> If the government is going to do something, I would prefer that they allocate some money to create a body that would be able to objectively evaluate software so that consumers are well-informed enough to make efficient decisions. </pipe dream>

Yes! I agree whole-heartedly! (none / 0) (#90)
by Desco on Fri Jun 28, 2002 at 05:37:30 PM EST

I am a software engineer, first off. I work for a company that is one of the biggest names in drivetrain development, and our software is considered the "de facto" standard in the industry. I also develop on my own. That being said, I totally agree with this legislation! Now one thing about this article's approach-- the reason companies like Ford, Firestone, and Kenner are subject to strict quality controls is if they have a defect, people die. The same cannot be said for most software, though theoreticaly, a bug in my company's software could cause deaths... Therefore, I consider this a faulty argument. A better example would be phone, credit, and real estate companies where a defect in their services won't directly cause death, but will cause the victim a load of problems. I don't have to tell you this, but increasingly comptuers, software, and the internet contain, process, and transmit information vital to the country and its companies. They should be held to the same standards and expectations as these companies who's defects are non-lethel. (Though then again, given the reputations of the phone and credit card companies, maybe my example is totally useless... ^__^) Either way, I think vital-software manufacturers (Operating systems, antivirus, firewall, networking, office productivity, etc) should be accountable for defects. Not so much emphasis should be placed on non-vital software such as games, though they should definately still be held accountable for viruses and other damaging defects in their software.
-Desco-
Retardedity (none / 0) (#99)
by Graymalkin on Sat Jun 29, 2002 at 08:23:58 PM EST

It seems to me every commercial software license I've ever read has contained a CYA clause. If their software slashes my tires and impregnates my sister they are not responsible because I agreed to the license saying they weren't. If I agreed to those terms I ought to be more pissed off at myself than them. What this amounts to is people whining about a descision they made. Whether it is the IT director or some dude sitting in his basement, they agreed to the vendor's licensing terms.

The key to the commercial software business isn't selling jewel cases and CD-ROM, it is selling lucrative service contracts. The net profits from selling copies of Office are going to be much smaller than the net profits from people buying a support contract for Office. The money made from support contracts far outweighs the cost of maintaining a development support group to fix problems with the software. This is especially true if you're Microsoft where you make money off nearly every PC sold anywhere. All of the big boys in the industry work in this fashion. They also specifically state they aren't liable for damages caused by their software and you have agreed to that.

Why do they produce shitty software? It is cheaper. With a hundred person dev team, each working on a small section of the overall project with some engineers directing the overall effort; the process moves along fairly quickly and people can be used in the most efficient way. A video codec expert is not trying to understand the intricacies of database driver development. To have a ultra-thurough and competent bug hunting staff you need to at the very least double your dev team. Even then every bug squashed introduces more. Software would go from just at the level of affordability to the level of ridiculousness. No company is going to go to their shareholders and say "we have to drop the margins to virtually nothing so we could make an extra bug free release". They'd be hung out the office window by their toes. Ergo the price of the products would skyrocket. For Microsoft this might not be terribly damaging do to their size. For smaller developers there would be a very bleak future in store.

If you begin to analyze that mindset you realize Open Source developers would be totally fucked out of existance. With the CYA clauses being meaningless it would not be economically viable to release a program for free ever. The first OpenSSH or BIND hole that got a box rooted would mean lawsuits up the wazoo for the OS developers. The ONLY reason the GPL works is because of the CYA clause. Not having to provide a warranty means you can release some shitball code and it is the risk of the user accepting the licensing terms to use said code. Oddly enough this is the thing people don't seem to get when calling for this. The little guy would end up fucked while the big boys would be the only ones capable of publishing software. It would be stupid to even think of forming an incorporated entity to release any OS code because any bug or hole in it would result in a legal and financial bitchslapping. Even the open nature of the code wouldn't prevent the buck stopping somewhere and someone having a supoena delivered to them.

Anything designed to punish Microsoft can too easily come back and bite in the ass all of the little developers trying to take pot shots at MS. No Microsoft specific law would be created, it would be a blanket under which all software developers would be smothered under. The commercial software industry would be destroyed. With it a good portion of our economy would suffer. While much privately developed software exists there is a definite reliance on commercial software solutions. Laws requiring stricter QA would mean a higher barrier of entry and higher prices driving everyone but Microsoft and some other big boys out of business. You'd go from having ahandful of options to a single option with a Microsoft logo on it. Said logo would cost four times as much as it costs now. Software would rarely be upgraded because of the high price. The whole sector will stagnate forcing more companies out of business. In the end Microsoft will still win and be even more of a monopoly.

Government to Force Microsoft to Clean Up Security Holes? | 102 comments (81 topical, 21 editorial, 0 hidden)
Display: Sort:

kuro5hin.org

[XML]
All trademarks and copyrights on this page are owned by their respective companies. The Rest © 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!