product liability (was 'we should all be uncomfortable with the extent to which luck..')

Your analogy is flawed.

The question is, should Firestone be responsible for someone going around
slashing the tires? No they shouldn't.

Then why should Microsoft or any other software manufacturer be responsible
for the damage done by third parties?

You could make the argument that Microsoft should have designed more
security into their products to prevent security breaches of this nature,
but you could also argue that Firestone should make their tires out of
kevlar to prevent people from slashing them.

We shouldn't hold the software manufacturers responsible, unless they
willingly and knowingly left the security flaw in place. We should hold
the programmers that release malicious code responsible.

                    William Allen
                    Simpson To: nanog@nanog.org
                    <wsimpson@greend cc: caida@caida.org
                    ragon.com> Subject: product liability (was 'we should all be uncomfortable with the extent to which
                    Sent by: luck..')
                    owner-nanog@meri
                    t.edu
                                                                                                                                                 
                    07/25/01 02:42
                    AM
                                                                                                                                                 
Perhaps a different approach is in order -- product liability.

When Firestone made a large number of bad tires, they compensated the
purchasers by PAYING for replacement, including those that had not yet
been injured. That included the upgrade, and the installation cost.

Network operators have been injured by the distribution of buggy software
from M$. We need to be compensated for our time and expenses.

End users need to be compensated for their costs to upgrade.

A check in the mail would be a better incentive to administrators than
"automatic" updates.

"Wayne E. Bouchard" wrote:

Better analogy:

Microsoft is advertising "high security padlocks", but is instead selling
locks that dont work at all.

-Dan

* Dan Hollis sez:

: Microsoft is advertising "high security padlocks", but is instead selling
: locks that dont work at all.

After finding out they were flawed, Microsoft offered everyone a
replacement/bugfix. While there's no proof that these padlocks are
actually high-secure, they are more secure than what came with the
purchase initially.

Microsoft has - and I believe Firestone would do the same - informed all
registered customers as soon as the fix was available. In addition there
was quite some buzz about the .ida vulnerability a while ago.

While one might argue that it's Microsoft's resposibility to communicate
those flaws better, they indeed offered better padlocks and a mechanic
(setup.exe) to install them.

A customer refusing to open his door to the guy walking around and
informing him of flawed tires, not opening his mail and - even if aware
that the padlocks are screwed - neglects to put the new ones on (at no
cost, mind you), should be slapped with the UNIX bible until unconscious
for endangering others and himself in a particularly stupid manner.

Let's just repeat that:

- Microsoft is a known flawed OS

- IIS is a known flawed component of this flawed OS

- There are more than a few sites out there selling or offering security
  advise for free

- The fix has been out for months

- The fix has already been exploited by smaller, less media active worms

- The owners of said Websites in some/most cases offer services to a
  third party, are therefore by no means 'the poor schmock with the
  Firestone tires' but rather 'the owner of Ryder, Inc.'. These servers
  put customer data and confidential information in jeopardy long before
  the worm struck and in quite a few cases still do, even though most of
  the attack points are fixable.

- Few of the infected hosts have learned a damned thing from this
  attack, just look for iisadmpwd at those hosts - a week after the
  attack.

... facts dutyfully ignored by said 'Administrator's of said boxen.

In this case network and system administrators had a bad time with long
hours trying to stop something from happening that did not need to
happen and that would have not happened would 90% of the socalled
Internet Experts out there understand even the basics of their work.

I am not ready to push the blame towards M$, even though I'd love to see
that Monopoly drown in a big bucket full of the tears and sweat shed by
innocent bystanders who got hit by crap like this one, but in this case
the perp sits somewhere else and needs to - at least for once - be made
aware of the mess he created and the costs that resulted from it.

I actually talked to an intellectual property attorney about this today... just in passing, but his remark was

"Microsoft is not responsible for someone else committing criminal acts. If you leave your house unlocked, that doesn't mean it is NOT breaking and entering if someone comes in and steals things."

The analogy is further flawed in that the comparison is between problems in the real world that can cause real injury or death to real people versus a piece of software that operates in a virtual world... even if it is a real pain in the butt. Remember, if this stuff was easy and simple, we'd be a commodity....

[I speak ONLY for myself !]

/back to my rock/

Michael

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

True,
  
  But, as someone mentioned, microsoft is marketing high security
padlocks.

  If someone breaks into your business (your door was unlocked,
despite the fact the security system said that all the doors were
locked (as advertised)) and does damage that causes you to lose 250k,
you could/should go after the security company..

  Leaving your door unlocked doesn't preclude the criminal from being
arrested, but if you purchased a lock under the belief it worked, and
it doesn't, and that caused you damages, then the lockmaker is open
to liability.

  Now, in the real world, you'd have INSURANCE to cover this, and I
have a hunch we'll start to see more people insuring against
hacking/DoS's..

- --
Matt Levine
@Home: matt@deliver3.com
@Work: matt@eldosales.com
ICQ : 17080004
PGP : http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x6C0D04CF

- -----Original Message-----
Of Dave Stewart

So what point *does* microsoft become negligently liable? Never?

Ask your attorney friend if he can think of *ANY* situation where m$ could
be found negligent.

Microsoft is giving a *great* sales pitch about reliability, stability,
security, etc. but simply not delivering what they are advertising. This
game of deceit is costing consumers billions.

How long in the real world before the FTC would come down like a ton of
bricks for false/fraudulent advertising on non-software company doing the
same thing?

-Dan

Dan Hollis wrote:

> Your analogy is flawed.
> The question is, should Firestone be responsible for someone going around
> slashing the tires? No they shouldn't.
> Then why should Microsoft or any other software manufacturer be responsible
> for the damage done by third parties?

Better analogy:

Microsoft is advertising "high security padlocks", but is instead selling
locks that dont work at all.

-Dan

OK... I'll admit this might be a better analogy. However, I don't
believe
that my analogy is "should Firestone be responsible for slashing tires".
My analogy was "Given that road hazards exist, and given that Micro$oft
knew their tires were particularly vunlerable to this obvious road
hazzard,
did Micro$oft have a greater responsibility for recall or should they be
subject to recovery of damages by injured third parties." In my
opinion,
they should, indeed, be in such a situation. If you SELL a product that
you know is defective or later learn is defective in design such that it
is likely to cause or contribute to harm, your failure to recall that
product actively creates a liability for the consequences.

Owen

m$ stuff is being used in flight control systems now, if I remember
correctly. the navy also had a spin using nt in a "smart ship" trial, much
to their detriment.

-Dan

M$'s click/shrinkwrap licenses, as far as I can remember, discliam liability
for any and all security problems. (And a lot of other stuff too.)

--Adam

Not in anything I would pilot or ride in!!!!

Think about the Class 5 switches and IBM mainframes. It took YEARS to get anything done because of the critical nature of their functions. If people are going to put their lives in the balance, then they should spend the time to research their choices. People who just toss up a web server, run their business, and then complain when it crashes obviously didn't take it too seriously. Same with networks. It costs major $ to assure no single point of failure and quit frankly most people won't spend the $.. Or they can't recoup the costs by selling service.. It's not easy, I understand that.

Look at the traffic controller industry. There is a significant amount of work to assure that you NEVER get a double green / crossing traffic situation. The technology in there is 30+ years old. If the 68000 chip croaks, the old tech relays prevent light violations.

Man we are WAY off any operational topic here. My apologies to the group trying to get some work done here..

Michael (Speaking for myself ONLY)

Since software, in theory, can't cause physical danger, I suspect
the shrink wrap license makes Microsoft immune to any liability.

If they advertise false claims then they could punishable under some
states consumer protection laws. Look for the disclaimers.

Now if you claim that you are forced to agree to the shrink wrap
licence because of they are a monopoly and you are forced to use
the product ... an iffy argument ... then you may have a something.

BTW - It looks like Windows 2000 is subject to the BSD telnetd
exploit.

Yo Joseph!

Funny..

I don't remember IBM or EDS being sued on the times when ATC has failed.
Jeppeson hasn't been sued for issuing incorrect maps either. Software
programmers arent sued when monitoring machines in hospitals fail. Oh
that's right, because there are neat things called "Limits of
Liability", "Gross Negligence", and "Malicious Intent".

Look up the work indemnity. There is a reason why it is in most
boilerplate. In the mean time, I would suggest that people who have no
concept of the legal system refrain from comment about any of this. The
concept of this entire thread is nothing more than mental masturbation.

.chance

Software programmers arent sued when monitoring machines in hospitals
fail.

Individual programmers might not be sued, but companies have been sued,
successfully.

In the late 1980s there was a string of radiation machine failures due to
software bugs which ended up killing patients.

IIRC when the families of the victims sued, the software company chose to
settle out of court rather than go to trial.

Look up the work indemnity. There is a reason why it is in most
boilerplate. In the mean time, I would suggest that people who have no
concept of the legal system refrain from comment about any of this. The
concept of this entire thread is nothing more than mental masturbation.

The facts prove you wrong.

-Dan

Yo Chance!

I don't remember IBM or EDS being sued on the times when ATC has failed.
Jeppeson hasn't been sued for issuing incorrect maps either. Software
programmers arent sued when monitoring machines in hospitals fail. Oh
that's right, because there are neat things called "Limits of
Liability", "Gross Negligence", and "Malicious Intent".

Do some research. Just because you have not heard about it does not
mean it did not happen. Jeppeson lost a BIG one after the AA crash in Cali.
Jeppesson still has suits pending about Ron Brown's (US Commerce
Secretary) going down in Kosovo. Technicare (a former client of mine)
lost a BIG one after the runaway software on a CAT scanner fried a patient
to death. Never heard of anyone dieing due to an ATC outage so that
issue is still open.

In any case, the comment I was replying to was about software not
being able to hurt anybody. The US legal system found in two of the
cases above that it can and has.

RGDS
GARY

I don't know about IBM or EDS, but in both of those cases, only a
portion
of ATC has failed, and there were backup plans in place to deal with
such
failures. I do not believe there has been a test case here, as yet.
You
can bet your ass they'd get sued if two planes collided during an outage
and the collision was attributed in part to the failure of their
system(s).

As to Jepessen, you obviously don't remember the lawsuit filed over the
737
crash that took out Commerce Secretary Ron Brown. Jepessen was sued
over
that crash, even though their charts were within specifications and
correct
according to the available definitions of correct.

It is rare that a Jepessen chart error leads to a crash, but it is
almost
uheard of for them to not get sued in the event of a crash that might
possibly be blamed on a chart error.

Owen

Chance Whaley wrote:

My fault for not making a distinction between the ATC issues and
healthcare issues. The developers of ATC software are granted indemnity
in the US. Jeppeson falls under this except for cases of: 'Gross
Negligence', 'Malicious Intent', and a few others. Otherwise no
development house in the world would touch the systems. See any aviation
software boilerplate, and the last paragraph in my email here.

As for healthcare issues - I was making statement to software developed
on MS platforms (and there are quite a few). From the license on _every_
piece of MS software:

High Risk Activities. The Software is not fault-tolerant and is not
designed or intended for use in hazardous environments requiring
fail-safe performance, including without limitation, in the operation of
nuclear facilities, aircraft navigation or communication systems, air
traffic control, weapons systems, direct life-support machines, or any
other application in which the failure of the Software could lead
directly to death, personal injury, or severe physical or property
damage (collectively, "High Risk Activities"). Microsoft expressly
disclaims any express or implied warranty of fitness for High Risk
Activities.

MS encourages all of its developers to use its standard boilerplate.
Specific contracts are made for healthcare software and their buyers -
it typically includes "Limits of Liability". Please don't quote decades
old cases, as they were the impetus for the changes in software
liability law.

First action for any attorney in a tort case is "sue everyone even
remotely connected with anything to do with anything". Courts have a
tendency to throw these things out now. Do we not remember the cases
against Chrysler and AC/Delco for the "software" in their cruise-control
being incorrect a few years ago. People sued Chrysler, Chrysler sued
AC/Delco. Attorneys vs. Chrysler got heard (and settled out of court).
Chrysler vs. AC/Delco got thrown out.

.chance

Yo Chance!

Oh really? Then what about the Avrotec primary flight control system
and the Avidyne nav system? They run NT and they are FAA certified
for their purpose. So maybe _every_ piece, except a few?

Here is an article on WinNT powering the Avrotech in the new Lancair 400.
It is being used as the PRIMARY flight control system on an FAA certified
plane:
  http://www.avweb.com/articles/colum400/

RGDS
GARY

Note that several tire manufacturers have been quite busy designing
tires that are self-sealing for at least minor punctures.

Draw your own software analogies.

        Valdis Kletnieks
        Operating Systems Analyst
        Virginia Tech