Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Microsoft

Security Flaws May Be Microsoft's Undoing 505

tarpitt writes: "According to this article in the LA Times, repeated software flaws in Microsoft products has begun to raise concerns that they 'threaten the stability of a major piece of the world economy and to raise questions about Microsoft's future.' Flawed security is seen as a stumbling block to accepting Microsoft sponsored on-line services. It is also driving discussion about making software manufacturers liable for damages caused by flawed products." This piece in eWeek on troubles with XP's automatic updates is an interesting companion; releasing often doesn't seem to be enough. Update: 01/15 15:00 GMT by J : Bruce Schneier's January Crypto-Gram came out this morning, and is also topical: "Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense..."
This discussion has been archived. No new comments can be posted.

Security Flaws May Be Microsoft's Undoing

Comments Filter:
  • by Zspdude ( 531908 ) on Tuesday January 15, 2002 @02:23AM (#2840631) Homepage
    Just a thought... If they dominate the market... Most software is Microsoft... Microsoft software is buggy and insecure.... Most software is buggy and insecure! They're right on par for the course!
  • by Maserati ( 8679 ) on Tuesday January 15, 2002 @02:26AM (#2840640) Homepage Journal
    Gee, since WU is a big feature of XP (even if MS is still breaking things with new patches) d'you think consumers have an action claim if WU fails to get them a known patch ? Lost data due to a known error could leave MS liable in today's lawsuit-happy world.


    Add in a Gartner analyst casting doubts on MS and raising the trust issue in terms of .NET, and you have some long-term sales issues for Microsoft. The analyst said that if you don't trust Microsoft, you don't use .NET. Then the article reminds us that MS is betting the company on .NET.


    A failure to execute (on security) could get Microsoft executed.

    • Um, have you ever read your Windows license agreements?

      MS is liable for nothing. Your computer could spontaneously blow up and level your house because of the Windows Exploding Computer Feature, and you wouldnt get a dime from them.
      • by Anonymous Coward
        Many countries have consumer protection laws that forbids any such attempt to remove liability for a product you sell. That is, it doesn't matter if you agree to such a thing since the law says it is void. This may not nessecarilly apply to companies (that is not private persons) buying things though since they are not consumers in the aspect of that law. So that case any such license agreement is irelevant since the law says so meaning they ARE liable.
  • Liability. (Score:5, Interesting)

    by Lemmy Caution ( 8378 ) on Tuesday January 15, 2002 @02:27AM (#2840645) Homepage
    The article mentioned a shift in political attitude: lawmakers are considering suspending the protection against liabilty that software makers now enjoy.

    Insofar as it's true that software is flakier and more vulnerable than other products, the questions we might ask are the extent to which liabiliy has motivated other product manufacturers to be a lot more careful in their manufacturing processes, and the extent to which software is "inherently" impossible to get right. Is that perception that software should be exempt from the sort of standards that other goods have accurate, or has that perception been constructed by years of poor software and a lack of accountability?

    • Re:Liability. (Score:5, Insightful)

      by MisterBlister ( 539957 ) on Tuesday January 15, 2002 @02:51AM (#2840704) Homepage
      Software liability also has has consequences for Open Source that must be explored. If Microsoft is liable for bad software, that would also open up Open Source and Free Software programmers to the same liability -- just because you give something away for free doesn't limit your liability if commercial vendors are also held liable. And what OSS/FS companies/vendors/developers can afford to worry about being hit with a liability suit, especially when they are unlikely to derive anywhere near Microsoft-scale profits on their work in the first place?

      Those who yell and scream that Microsoft should be held liable should be careful what they wish for...liability laws would kill off most all of OSS/FS faster than they would kill Microsoft.

      • Maybe it's just me, but with the source, or reasonable access to the source, if there is a problem, I can (or hire someone to do it) find and fix the problem. If I do not have access to the source, then the vendor is the only one in a position to fix any problems.
        • Re:Liability. (Score:2, Insightful)

          Yeah but what if, due to a bug in the software, you lose data worth $50,000? Sure, you're an idiot for not keeping up-to-date backups, but if the types of liability laws being talked about here went into effect, you'd be able to sue the company for this lost data...

          So, having the source is not a panacea..The damage could already be done before you have a chance to fix it, even with an OSS/FS solution.

        • by IronChef ( 164482 ) on Tuesday January 15, 2002 @04:49AM (#2840965)

          Your mistake is wanting to fix the problem rather than litigating a solution. Silly rabbit, you must be some kind of Canadian or something!
      • How would that impact non-US open source developers?

        And what impact does it have for software developped before that change in law? What about old (obsolete) versions? Certainly, you can't be liable for sth you developped before the rules were changed, can you?

      • I dunno... if code is speech then it's kind of like saying to someone "Hey, go jump off a cliff." If they decide to do so as a result are you reliable? MS could get around this too by providing the code (shared-source and whatnot) but as it stands, you have no possible recourse in terms of judging the quality of the product. Closed source software can't really be speech, and as such I would guess that it can't be treated quite the same way as Free Software.

        There is the free price thing too. While I agree with you that if you give something away, you can still be liable, but if you give a friend your old car that you think is fine shape, only to have it blow up his mother, are you liable? I'm not a lawyer so I don't know the answers to these questions, I'm just posing them. There is a distinct difference between what MS does and what Debian does (Redhat may be another matter though).
      • When I read this I didn't think of individual liability suits. If you don't take proper precautions, then you shouldn't have any recourse if you lose all your company's data. That should go for any OS.

        What I think should apply, are Lemon Laws [cars.com], to protect a customer from what is, inherintly, a piece of junk. I'm fairly certain no major version of Linux or BSD falls into that category.

        At any rate, these laws protect buyers, not users.
      • Re:Liability. (Score:2, Interesting)

        There is one fundamental difference between dragging Microsoft into court for security problems that they don't/won't fix and hauling Linus into a similar court:

        Microsoft has artificially created a single point of failure in security.

        That means that Microsoft is a single point of blame - something which cannot exist in the OSS world. This is more fundamental than "many eyes make all bugs shallow" - if there's a hole then you are as responsible for fixing it as the original maintainer. You have the chance to do something about it even if the maintainer isn't interested.

        In that way, an opensource project (even one with just one developer) is, in theory, a collaboration between every user of that system. They have a choice whether to take the good with the bad - they can fix the bad (given time and effort). But Microsoft, through proprietary liscencing of sourcecode has taken all the profit and with it all the risk.
    • Re:Liability. (Score:5, Insightful)

      by Restil ( 31903 ) on Tuesday January 15, 2002 @03:36AM (#2840796) Homepage
      First of all, its not IMPOSSIBLE to get software right. No more difficult than it is to build a car or a housse correctly, and while on occasion they break down, generally speaking they function as they're supposed to with minimal failures.

      You've heard the joke about the first woodpecker destroying civilization if buildings were built the way that software was written. There's a fundamental truth here. Coders, for the most part, are sloppy. Why? Because they CAN be. However, there are examples of cases where software was done correctly the first time. It takes careful planning and controls and peer review, and in most cases the end result is clean code in less time than it would have taken to do it sloppy and spend lots of time cleaning up bugs.

      There SHOULD be accountability here. But people don't hold Microsoft accountable. And I don't blame the monopoly factor either. People have just been brainwashed to believe that its NORMAL that computers crash. Its NORMAL that there are viruses. These things are just a part of life, and there can't be anything done about it. And as long as they believe that, they will keep buying into Microsoft.

      These things generally don't bother the individual. They bother a large corporation as a whole that has to deal with the cleanup after one of the messier outlook viruses goes around. But, the corporation, run by people, simply look past the problem. The sys admins might be screaming bloody murder about it, but everyone else just considers it to be the status quo and goes on with their lives as best they can while the servers are being reloaded.

      In my opinion, Sircam was the first windows virus/worm that had the potential to have a real effect on how people looked at Microsoft. If the virus was somewhat more malicious and made the data that was being sent out easily readable (as well as passing along a virus) and a few big corps had a lot of confidential internal memos sent all over the world.... THEN maybe people would start to reconsider the value of Microsoft
      brand products, as soon as it is made clear to them, that its Microsoft and their software that made all this possible.

      -Restil
      • Re:Liability. (Score:5, Insightful)

        by Goonie ( 8651 ) <robert.merkel@FO ... g minus language> on Tuesday January 15, 2002 @04:26AM (#2840887) Homepage
        First of all, its not IMPOSSIBLE to get software right. No more difficult than it is to build a car or a housse correctly, and while on occasion they break down, generally speaking they function as they're supposed to with minimal failures.

        Hmmm, we've been building permanent dwellings for thousands of years. We've been building software for fifty, and doing so on a large scale for about thirty.

        Not to mention that the complexity and novelty of the average piece of software dwarfs that of all but the most unique and large-scale building projects.

        You've heard the joke about the first woodpecker destroying civilization if buildings were built the way that software was written. There's a fundamental truth here. Coders, for the most part, are sloppy. Why? Because they CAN be. However, there are examples of cases where software was done correctly the first time. It takes careful planning and controls and peer review, and in most cases the end result is clean code in less time than it would have taken to do it sloppy and spend lots of time cleaning up bugs.

        And you think that planning, control, and peer review comes free, and without a lot of pain getting it wrong first?

        Software is still relatively new, and the most complex design task humanity undertakes. It's no wonder we haven't perfected the engineering of it.

        • And you think that planning, control, and peer review comes free, and without a lot of pain getting it wrong first?

          No, he doesn't. The previous poster stated, IMO correctly, that *including* the time it takes to do proper planning, controls and peer review, you get clean code for less time *in total* than it takes to create and subsequently clean up sloppy code. Or do you think cleaning up bugs comes free and involves no pain for the coders? (Nobody's even considering the end users at this point, who are also experiencing pain and cost).

          See Dave Parnas, Software Fundamentals, for some of the classic papers behind this analysis.

          Plan it properly, do it properly, document it properly, and you have saved a whole *load* of wasted time and effort. "An ounce of prevention is worth a pound of cure." And so on.
      • Or build a housse correctly?
        Like the houses in inland Florida when Andrew hit?

        Impossible, maybe not. But highly improbable.
        The key question is how good is good enough? A car at 155 is not the same as a car at 55.

        You're very right about Sircam. Follow the progression since Melissa (Remember Melissa? Melissa was nice!). Now extrapolate ...
    • Re:Liability. (Score:3, Insightful)

      by ukryule ( 186826 )
      Is that perception that software should be exempt from the sort of standards that other goods have accurate, or has that perception been constructed by years of poor software and a lack of accountability?

      This perception is only apparent in the PC industry. There are a whole range of areas where software has to be 'good quality', and the consequences of failure are huge. For example:
      • Embedded software. When was the last time your TV crashed on you? Granted, the software is an order of magniture smaller than for PCs, but the consequence of a big bug in a released piece of consumer electronics is huge (people demand their money back), so it needs to be more rigorously tested.
      • Safety-critical systems. E.g. medical equiment needs to be 'safe', and often has to prove a certain level of testing/reliability before it is legal to sell it. You can be guaranteed that the s/w producers will be liable if an X-Ray machine gives you the wrong dose

      The trouble is, the PC industry has come to accept the usual disclaimers ("No liability for any damage ... we may download virii ...etc.") - and the associated low reliability/safety. One reason for this is that PCs were traditionally the realm of technically savvy people, who value cutting edge features rather than rigoruously tested sw with half the features.

      You would expect increasing reliability as the market moves more to (dumb) consumers - but, of course, everything is slightly screwed by one company having a monopoly ...

      (Just noticed - should the subject of this post be 'Re:Liability' or 'Reliability'?)
      • This is exactly right. To assume that "software is generally of poor quality" insults many, many software developers. For example, the team who developed the avionics for the shuttle took huge and justifiable pride in a process which kept the software correct (see http://www.virtualschool.edu/mon/SocialConstructio n/FeynmanChallengerRpt.html [virtualschool.edu] and scroll down to the section on avionics).

        But much software doesn't have to be written to such a high quality requirement, so it isn't. As, for example, document production isn't safety critical, market forces will decide the level of quality required, and the resulting market profile is a direct result of the care with which purchasing decisions are made.

        Sorry to say this, but we get the software we choose, and the poor state of the market now reflect that we will pay loads of money for something which we buy effectively sight unseen, and where we accept licence agreements which take away our rights to complain.

        Dunstan
    • Re:Liability. (Score:5, Insightful)

      by bockman ( 104837 ) on Tuesday January 15, 2002 @07:31AM (#2841279)
      Software should be sold with a label indicating its quality level, as certified by well-defined and verifiable standards:
      • level-0 is the software provided as-it-is or whith disclaimers that nullify any liability (that is 99% of today commercial and free software)
      • other levels could be defined for software which promises (and therefore is liable for) a well-specified level of accuracy/data integrity/security.
      Companies would price their software accordingly with the quality level they warrant, and people and company could make their own cost/quality/risk trade-off analysis and freely use whathever they want.

      Note that in theory an open-source redistributor could achieve quality level > 0 by submitting the products it distributes to rigorous qualification tests and patching the software accordingly. A problem could be that they should publish their patches, making easier for the competition to do the same. But this is nothing new, being the same dilemma that open-source distributors already face for the works which goes in packaging/integrating the free software.

      • This is an outstanding concept -- it would allow both free and commercial software to pick the standard they intend to adhere to, and be liable in proprotion to the degree that they claim to meet a certain standard of performance (including stability, fitness for purpose, whatever).

        As to whether it actually meets said standard -- yes, it would be good to have an independent testing team, but who's going to fund it? Do you only get to have a rating if you can afford to help support the test process?

        That being the case -- I'd suggest a twofold system: a rating the software author agrees to meet, and a number assigned by independent review when that is available. So if I claim a 3 rating but actually manage a 4, I get a 4/3 rating. Consumers have caught onto similar systems quickly in the past (such as gas mileage ratings on new vehicles).

        To extend the idea another step, the penalties for failing to meet said standard should also be set on the same scale, so there will be no question how heavily any breach of performance standards will be penalized. Frex, if you claim to produce grade 5 software, but it's actually only grade 4, you get one increment worth of penalty. If you claimed grade 4 but it was really grade 1, you get 3 increments worth of penalty. And so on. That way someone who tries but didn't quite get it right doesn't get penalized as much as someone who really screws up and doesn't care.

        If you can't afford the liability, then don't claim the reliability. Simple.

        Occurs to me that liability insurance for software (both individual and corporate products) could quickly become reality under such a scenario, with premiums set apace with the reliability claimed for said software.

        Perhaps it could start as a voluntary system, which develops coercive force on the software industry as consumers become accustomed to the concept and as more funding for independent testing becomes available -- the system would make it in the publishers' best interest to support it, perhaps with some charity testing for free software.

        Anyone else have ideas for how to extend the concept?

  • Ahem... (Score:5, Funny)

    by nurightshu ( 517038 ) <rightshu@cox.net> on Tuesday January 15, 2002 @02:27AM (#2840646) Homepage Journal

    ...begun to raise concerns...

    Begun to raise concerns?! That's like saying, "In other news, repeated appearances of the star Sol on an approximate 24 hour basis have begun to raise concerns that it may do so tomorrow."

    Microsoft never built operating systems with security in mind. The last time I checked, the security testing group at MS consisted of two Norwegian Black rats, a four-year-old, and a blind, deaf, chimpanzee with a drinking habit. It still hasn't occurred to them that improving their security might, in fact, be a good thing.

    There, I feel better.

    • Re:Ahem... (Score:5, Funny)

      by servasius_jr ( 258414 ) on Tuesday January 15, 2002 @02:37AM (#2840669)
      The last time I checked, the security testing group at MS consisted of two Norwegian Black rats, a four-year-old, and a blind, deaf, chimpanzee with a drinking habit.

      This allegation you're making is both hurtful and untrue. That chimpanzee is a friend of mine, and I'll have you know that he only drinks socially, and conducts himself with the utmost professionalism.
    • Re:Ahem... (Score:2, Insightful)

      The problem is more one of diversity. If you place 500 million machines out in the wild all running the same software. Then any exploits found in that software will leave all those machines vulnerable. It doesn't matter if its Windows or Linux.
    • Re:Ahem... (Score:2, Interesting)

      by jtra ( 525331 )
      The last time I checked, the security testing group at MS consisted of ...

      Last time MS security has been interviewed ( Interview With Microsoft's Chief of Security [slashdot.org]) their chief did talk rather about their physical security like locking a door at night and obfucating their product to be protected (hence word security) againts their concurrency.

    • Yeah, so we all know it insecure.. That's a given, however I have come up with a super secure patch. Whenever I step away from the machine I unplug the ethernet cable. When I go away for vacation I usually pull the plug AND apply a little epoxy to the ethernet jack for extra security.

      So if anyone wants to see my website, please send me some email first.. be prepared for a little delay, that epoxy is tough to dig out of that little hole.
    • Re:Ahem... (Score:3, Funny)

      by Rogerborg ( 306625 )
      • The last time I checked, the security testing group at MS consisted of two Norwegian Black rats, a four-year-old, and a blind, deaf, chimpanzee with a drinking habit

      Typical anti-MS FUD. When I asked Microsoft PR to verify this, they assured me that the "rats" are in fact Siberian hamsters [teenink.com]

  • Product liability (Score:5, Interesting)

    by stjobe ( 78285 ) on Tuesday January 15, 2002 @02:28AM (#2840648) Homepage
    A blue-ribbon panel of technology experts assembled by the National Academy of Sciences said lawmakers should consider ending Microsoft's and other software companies' special protection from product liability lawsuits, which have long forced makers of cars, medical devices and just about everything else to pay closer attention to the safety of their wares.

    Interesting, but in the case of free software, what would this mean for the developers? We all want Microsoft to be held responsible in some way for their security holes and such, but would we want to be treated the same way ourselves? What would happen when an author of a piece of free software was dragged to court because the software was buggy? And what would happen if it was Microsoft who did the dragging?
    • by sheldon ( 2322 ) on Tuesday January 15, 2002 @02:38AM (#2840672)
      Such a move will further entrench software development into the hands of a few large companies.

      Is it good? I don't know, I guess it depends on what your priorities are. If what you really want is rock solid quality software, then yes it's good.

      If you want rapid innovation, then probably not.

      It'd definately kill off free software because you'd need to be trained, licensed and bonded in order to write software. Just like engineers who design bridges, etc.

      Perhaps it is the natural progression of the market. If you look at other industries, over time they concentrated their power into the hands of a few large companies. Oil, Automobiles, Televisions, Radio, etc.

      That's why it's always important to see both sides of an issue. The title of this article as posted to /. is pretty anti-Microsoft. But ask yourself, out of all the companies developing software which one has the intelligence and the financial resources to react to such a change?

      The only one I can think of is Microsoft. This wouldn't be their undoing, it'd only make them stronger.

      Microsoft isn't going anywhere, time to get used to that.
      • If the likes of Sheldon is against this, I'm definitely for it ;)

        Seriously- I don't buy most of what he's saying here, I'm just reading the 'nooooooo! i'm meltiinnnngg!' between the lines. The REAL prospect upsetting Sheldon is the prospect of product liability _eviscerating_ Microsoft.

        They're awfully vulnerable around about now, can't continue their geometric progression that props up their stock, and I don't believe in the myth about their piles of cash- I suspect that is a useful lie. Everyone wants to believe that is true, but who has seriously done the accounting work? Microsoft lie, you can't forget that.

      • >Microsoft isn't going anywhere, time to get used to that.
        And Rome will never fall, Martin Luther will get nowhere. and I hear great things about Enron.

        Companies fail. Its a fact. Yes, I agree that MS has the $40billion or so lying around to keep any legal actions in circles for decades, and is smart enough to keep the public and the press off the issues, as well as fix the bugs when they can. But they're a company like any other, companies fail. Deal with it.
      • The only one I can think of is Microsoft. This wouldn't be their undoing, it'd only make them stronger.

        So, it is actually in their best interest to do shitty software, in order to prompt lawmakers for such a change in law. Once the law is passed, they clean up their act, and watch with glee as OSS developers get sued into oblivion by liability lawyers...

        Such law should have a provision that it only applies to commercial software (i.e. software that is sold for a price, or on the base of signed license contracts). Free (as in speech) software should be excluded from such liability. Free (as in beer) software would still be covered, by considering it as promotional material to sell commercial software (i.e. give away Internet Explorter to sell Windows).

        • Such law should have a provision that it only applies to commercial software (i.e. software that is sold for a price, or on the base of signed license contracts).

          I see. So it's OK for people to run around advocating Linux or Apache as a serious alternative to WinXP or IIS, but the former are not to be subject to the same liability and the contributors not subject to the same incentives? Realistically, these two claims are not compatible.

      • Re:Product liability (Score:2, Interesting)

        by Nephrite ( 82592 )
        Oh, I'd like the USA to pass this law. This will move software development to other countries which deserve to have better technology leaving the USA with monopolistic m$ and its bugs.
    • Hard to establish liability for free software. But shareware authors who charge a small fee (and hence make a direct profit) might be easier to target should this liability idea take hold. Shareware would become enough of a liability for small-time authors that they would be forced to either give up and find a publisher with deep pockets, or else give up revenue all together and just give their software away for free. Perhaps a threshold could be established to determine when liability kicks in?
    • The point is that Proprietry software comes without source, and you are expected to live with the quality that is shiped to you.... Even if it takes your company down when your ERP database crashes!! Linux (and other free software) - Is offered with source, and you are invited to examine / amend the source to suit your needs - If your companys database fails under this setup - You only have yourselves to blame!

      Put this another way, You could sue a TV Manufacturer, should a TV blowup your house, but if you opted to put together a TV from parts purchased from Maplins, I doubt if you could take them to court should things not work as expected.

      • The point is that Proprietry software comes without source, and you are expected to live with the quality that is shiped to you....

        Note that some "free" software comes in binary only form too. So you need to distinguish between software where you have the source (which could include various proprietry licences) and software where you don't.
    • Maybe it still works this way. There was a time when you could go to a small-time farmer and get a gallon of fresh, whole, unpasturized milk. The standards were not the same as what was required for the local dairies. Milk from one or two cows. If there is a problem, the spread is severly limited. The local dairy combines milk from thousands of cows. Any problem affects thousands.
      What I'm trying to say is that this should have no effect on authors of free software. Besides, with the source you do have recourse. If all else fails, you can fix it yourself.
    • by AtrN ( 87501 ) on Tuesday January 15, 2002 @04:01AM (#2840846) Homepage
      I think it'll go the way of the car industry with hot rods looked down on. Machines (h/w + OS) will need to be certified before they can be "driven" on the public roads ('net). People who drive (admins) need licenses (MSCE, oh god no!) before hooking the machine to the 'net. Cops look out for drivers (probe open relays etc...) and eat donuts while reading /.
  • by dimator ( 71399 ) on Tuesday January 15, 2002 @02:31AM (#2840652) Homepage Journal
    Has shoddy security caused Microsoft any grief so far? A month after a hole is found, they fix it, and no one seems to care after that. Sure, people that don't like Microsoft remember it and add it to their encyclopedia of Microsoft holes to whine about, but people that like Microsoft fix it and go on with life. Who do they place the blame on? The "evil hacker", not the poor software.

    People are so accepting of insecurity that they are even willing to spend cash money on antivirus suite after antivirus suite every year. It's just become a part of the cost of owning a PC.
  • A surprising sign of how quickly opinion is changing came last week. A blue-ribbon panel of technology experts assembled by the National Academy of Sciences said lawmakers should consider ending Microsoft's and other software companies' special protection from product liability lawsuits, which have long forced makers of cars, medical devices and just about everything else to pay closer attention to the safety of their wares.

    Now THIS is what could really get them; forget about breaking them up, this could obliterate them totally. They could probably beat most lawsuits with enough lawyers, but they'd run up such a huge tab doing so that it could easily threaten the survival of the company. Look at what happened to Dow Corning.
  • Slashdotters may want to hurt Microsoft by breaking it up, but we've seen that the legal process is slow and generally ineffective.

    Nailing them with the FBI, IT professionals, and security experts may actually do real damage to sales.

    The greatest part is, I bet most of the people challenging Microsoft are Slashdotters. Their arguments sound like +5 moderated posts, IMHO.
  • I was talking to some folks, and we mentioned that the world is becoming more dependent on information that is ONLY stored electronically, and not on paper. Perhaps the time is coming where something (like a major filesystem eating bug in XP or the next SuperVirus (TM)) will destroy a large portion of the internet's data. (An example is , who recently lost everything in a major raid update crash. [storagereview.com]

    So what we should do is plan and prepare for this eventuality. If we have the equivalent of backup generators and emergency equipment in the digital arena, we can take over when the main system stumbles. It's not going to be long until someone devises a way to seriously crash a significant portion of the machines in the world - all the recent virii have been relatively harmless - it would not take much at all to program a relatively smart virus that would do serious damage (IE hit network drives first, destroy files that are heavily used, only strike at night, morph code, etc.)

    Ah, well. This is just a bunch of blathering, but we should thing about how to use the "enemy's" weakness against it. We need to make sure that linux is seen as more stable and more secure because it is BY DEFAULT - if people start using it and get burned, they'll go back to Microsoft.
  • by tswinzig ( 210999 ) on Tuesday January 15, 2002 @02:38AM (#2840671) Journal
    ...except instead of 'security' it was 'stability.' Now Win2K/WinXP can stay up and running for weeks and months on end, and you don't hear too much about Windows stability problems for users of the new OS versions.

    Windows has been unstable for years. Did it threaten Microsoft even one iota? Nope.

    Dream on, sorry...
  • Making software developers liable for damage due to blatent, criminal negligence would seem to be a good idea on its surface, but given how money corrupts our political system, any such incipient bill being developed in Congress could be easily be turned on its head. If every software developer is held liable for *any* damage caused by their product, imagine the destruction such a law would wreak on the free source movement. Who would dare donate code, faced with such huge potential liability? Bye-bye gnu cc, bye bye Linux.

    Reasonable diligence should be exercised to protect security, but no large, complex piece of software can be bug-free. Building software ain't the same as building bridges, boy!
  • The more MS screws things up and has major problems the better. The more often they have them, the better.

    Why? Because the more these things happen, the more the people who REALLY need to know about them will find out.

    Mr dot-com who pays others to run his damn site, will think twice about paying people to host his site on such garbage.

    And the end result will be one (or more) less vulnerable sites out there.

    Bring it on, damnit.
  • Effect on GNU GPL (Score:3, Insightful)

    by soundsop ( 228890 ) on Tuesday January 15, 2002 @02:41AM (#2840681) Homepage

    Removing the limits on liability would not only affect Microsoft, but the GNU GPL. Would you want to be personally responsible for any GPL'ed code you wrote? Perhaps the solution would be to form a corporation and assign GPL copyright to it.

    Anyway, at the very least, this sort of law would light a fire under the ass of the software engineering community. Maybe it cause some actual progress!

    • Re:Effect on GNU GPL (Score:2, Interesting)

      by prockcore ( 543967 )
      "Would you want to be personally responsible for any GPL'ed code you wrote?"

      Absolutely... all my GPL'd software comes with a money-back guarrantee.
    • Removing the limits on liability would not only affect Microsoft, but the GNU GPL. Would you want to be personally responsible for any GPL'ed code you wrote? Perhaps the solution would be to form a corporation and assign GPL copyright to it.

      A better solution would be to have a law which distinguished between "you can see and modify the code as much as you like", "You can see the source code, but cannot change it", "all you get is the binary".
  • by lcorc79 ( 549464 ) on Tuesday January 15, 2002 @02:41AM (#2840682) Homepage
    Ok, since when is Microsoft's troubles with security flaws being bad for business news? Anyway ....

    XP users said the updates cause systems to become unstable and some device drivers to stop working. [companion article]

    I'll note that I haven't seen any problems recently on my XP box - in fact thanks to a BIOS update and a new video driver it's running smoother than ever (for what that's worth). Have any /. users [those brave enough to admit they run XP on at least one box] seen these problems?

    Either way, I certainly always like to know what's going on in my system - so I never have it automatically install updates. For those interested in turning off the automatic downloads (highly recommended) - go to Control Panel, System, and the Automatic Updates tab. I have it set on the middle option (to notify, but not download/install automatically). Of course, I have a *legal* version of the OS, you warez kiddies will probably be a little more paranoid about any notifications. *grin*.
    • My friend downloaded new drivers for his USB keyboard and mouse last week (they were working so dont ask why he did that), when he rebooted his mouse and keyboard would not work. He connected his PS2 mouse/kb and got them working, then rolled back the drivers, on reboot, USB still didnt work, and now his PS2 devices didn't work either. He tried getting into safe mode to do a system restore, but even in safe mode they didn't work. He ended up having to format.

      But he's an idiot (see http://elitemrp.net/blake/ or my sig for more info about him), but still, he lost everything because he didn't have a chance to backup.

      So yes, I've seen it, sort of, because he did this manually using windows update, not the auto update feature, but i think if he had auto update on it would have happened anyway.


      • your sig! Now I understand the reason for the auto update feature.

      • My boss had something similar. New laptop. Not keyboard/mouse, but couldn't make a network connection. Finally I booted RedHat 7.2 Systems Administrator Survival CD, downloaded NTFS kernal module, and put about 3 gig of stuff where I could later recover. (Hint to RedHat: It'd be easier rescuing broken XP systems if you included the NTFS (READ ONLY) kernel module.) Reinstalled and reloaded. 1000MHz with 512Meg. Pathetic performance. Turned off what eye-candy I could find. Brought it back to somewhat reasonable.
  • by wo1verin3 ( 473094 ) on Tuesday January 15, 2002 @02:43AM (#2840685) Homepage
    There are hundreds of quicker ways to have your windows box become unstable...

    Installing programs --> unsupported
    Installed additional hardware --> unsupported
    System booting --> unsupported
    Using a monitor --> unsupported
    Bypassing a circumvention device --> unsupported
    DVD Playback --> unsupported

    ever try to get help from MS, or esculate a real bug with them for any of the above?

    How much worse could the software be without updates? :)
  • Patches not enough (Score:5, Insightful)

    by smoon ( 16873 ) on Tuesday January 15, 2002 @02:44AM (#2840688) Homepage
    I recently had to rebuild a web server after a machine crashed, and getting NT4, IIS Option pack, etc. up and running with all patches was a _very_ long task.

    It's not enough that Microsoft patches their products -- they are still shipping CDs of NT4 and win2k with the original 'release' of the product, so installing it means the original install plus a dozen or more service packs, hotfixes, etc. This makes it very tempting for internal corporate PC usage to just skip most of the patches to save time, and makes the process of securing Microsoft software that much more difficult.

    They should just release new 'point' versions of the OS with every service pack, and stop selling the out of date CDs! Maybe this would cut down on the useless churn of moving from NT4 to 2K to XP to whatever -- and that would have to be good.
    • Yes, they stopped doing it. I've not seen a Win2000 with SP1 or SP2 come through my MSDN subscription yet.
  • I found it interesting that Microsoft's employees have acknowledged problems and said that they're working to fix them:
    Microsoft acknowledges that it needs to do a better job of making the systems it sells more secure. The Redmond, Wash.-based company has begun offering free virus-related support, intensified its checks for holes and convened an industry working group on how to create a world of "trusted computing."

    "We're going to make our systems more resistant and more resilient," said Microsoft's director of security assurance, Steve Lipner. "We want to be unquestionably, unequivocally the best."

    [snip]

    Microsoft's Lipner agreed that there are trade-offs between features customers want and security. He said the company has changed its approach. New versions of Outlook block incoming mail from spreading through the address book, and the Information Server is now turned off within the network server software.

    "If the question is, 'is there tension between feature-rich, usable products and secure products?' the answer is 'absolutely,'" Lipner said. "We're absolutely moving that line more toward security, and if we have to give up some functionality or ease of use, we're paying that price."

    This is markedly different from the previous Microsoft responses on security. Based on the previous responses, I would have expected them to deny that the problem was with their software, and say that the problem was with rogue hackers (running Linux or something... God only knows what those Linux types get up to ;-)). But here this guy says right out that their software needs to be more secure. Is this really a shift in company-wide policy? Has MS really had a change of heart? Could it be that he's trying to talk up Microsoft's commitment to security without doing anything? Or could he want to improve the influence and size of his little corner of the world? Judging by the spate of dodgy XP patches, something went wrong, and possibly in his department. It would be interesting to read a full interview which really got into the nitty gritty on what happened around some of the recent problems. Of course, the odds of Lipner agreeing to such an interview are pretty slim.
  • I despise XP (Score:2, Flamebait)

    by Dolly_Llama ( 267016 )
    The final straw for me came when XP on boot would demand i send error reports to the mothership without explaining what went wrong AND since these were tied into IE, I'd get a POP-UP AD!!

    I'm buying a powerbook tomorrow, I swear to Bob..

  • YAMBA (Score:4, Troll)

    by MisterBlister ( 539957 ) on Tuesday January 15, 2002 @03:03AM (#2840731) Homepage
    Yet another Microsoft bashing article..

    Yes, Microsoft products have security faults, whose doesn't? Microsoft's get more notice because of the insane amount of marketshare they have, also Microsoft's software is less mature than the UNIX offerings people often compare it to in terms of tight security.

    I remember back in the late 80s and early 90s how much of a joke UNIX security in general was. Back then you could pretty much root any non-.gov UNIX system on the Internet, remotely, at will.. (thanks in large part to SENDMAIL though many other pieces of software had problems as well). People who bitch and moan about how long it takes Microsoft to fix bugs compared to UNIX vendors must not have been around when you could change the IFS under SunOS and easily root the box using any SUID program that did a system() or exec() call (quite a few, at the time)...Even after Sun, etc, fixed that bug it remained unpatched in a huge number of systems for years....

    Unix security is better now, but that's in large part due to maturity...Microsoft software will improve as well..Look at how much they've improved stability already when compared to Win95...It will happen...slowly, perhaps.

    • The security holes in Unix are as old as I am; anyone bitten by them is IMHO too dumb to read a book and some web posts. You still find un-chroot'd BIND, for example, and bizzare Sendmail installations that are rootable. BUT for the most part, the fact that Unix is mature is a big boost. But we're talking Windows here; the security flaws affect my dad, Aunt Millie, and everyone else who thinks they need a computer but is barely technical enough to turn it on. Sendmail holes affect them in esoteric, hard-to-describe ways; maybe a missed email because the affected server was being reinstalled. They'll never really know. But if UPNP is on so they can use their remote to change tracks on the MP3 player, and that turns their box into an attack platform.... That's directly affecting their life.
    • YAMA (Score:3, Interesting)

      by krmt ( 91422 )
      Yet Another Microsoft Apologist

      What about Apple? Are we forgetting the fact that the original Mac was relatively secure for over a decade, despite granting full root access to whoever? Yes, there were virii and trojans and whatnot (can't really be prevented) but the design of the system prevented a lot of problems for the average user. These are the same average users who are going to be affected by the XP problems, not UNIX admins.

      MS-DOS and its descendants were around for even longer than the Mac, and the NT system is very mature. Why can't they match Apple's security?

      I'm sick of MS apologists. Microsoft makes shit. It's shit that's getting better, but it's still shit. Don't whine and say it's unfair. They have the money, the power, and the resources to make what is far and away the best software in the world. And yet we get articles like this, and we get people like you whining about how MS is being treated unfairly. Forget it.

      As the market leaders who the majority of the world depend on for their computing needs they deserve heavy criticism.
      As predatory monopolists they deserve heavy criticism.
      As people who promise security they deserve heavy criticism.
      As people who would like nothing better than to see Windows everywhere, and the GPL and Linux and Apache and SAMBA wiped off the planet they deserve heavy criticism.

      So fuck whining about how MS is treated unfairly. If we complain enough then maybe they'll listen for a change.
    • by _Sprocket_ ( 42527 ) on Tuesday January 15, 2002 @06:28AM (#2841173)


      Yes, Microsoft products have security faults, whose doesn't? Microsoft's get more notice because of the insane amount of marketshare they have, also Microsoft's software is less mature than the UNIX offerings people often compare it to in terms of tight security.


      ...


      I remember back in the late 80s and early 90s how much of a joke UNIX security in general was.


      ...


      Unix security is better now, but that's in large part due to maturity...Microsoft software will improve as well..Look at how much they've improved stability already when compared to Win95...It will happen...slowly, perhaps.


      In a previous comment [slashdot.org] on another article, I noted that Unix has spent its time "in the trenches". Infosec history is full of Unix and its exploits... and its eventual improvement. But it is too easy to look at this history and learn the wrong lesson.


      Unix's history of security flaws is less about Unix and more about infosec awareness. Unix changed as the understanding of infosec and security principles changed. While time has allowed more of these flaws to be discovered and removed from the Unix code base, the process over the years has been more about knowing what to look for (or even to bother looking). And as this understanding of infosec principles, concepts, and procedures has increased entirely new chunks of unix code has materialized - sometimes to fill a void, but often to replace another project's functionality with a new design that has taken security issues in consideration during its inception.


      In short, Unix does benefit from its maturity. But the greater lesson is the infosec mind set. The tao of security, if you will. And these are concepts that can be applied to any project / OS.


      The claims that Microsoft will "get there" with maturity are misleading. Microsoft may indeed improve. But its not maturity of their code base that's at issue. The issue is whether Microsoft will begin to understand Security and design systems based on that understanding.


      Microsoft has shown signs of improvement with a sudden handful of security tool offerings. But unfortunately, these are really superficial afterthoughts to an already flawed environment.


      Microsoft's problem is not technical; its cultural. Microsoft is a technology company that excels at marketing. Articles by Microsoft coders talk about the push from Marketing to add additional features at the cost of bug-hunting and resolution.


      This kind of environment clashes with two infosec concepts. The first is that vulnerabilities are bugs - something malfunctions in an unexpected way, leaving the system vulnerable to intentional manipulation of this bug. The second is that there is an inverse relationship between functionality and security. Increasing the number of features, and the ease of using these features, often threatens a system's security.


      Marketing at Microsoft will first have to care about infosec issues (this may be happening as Microsoft gets more and more negative press). Then Microsoft will have to strive to design secure systems even at the cost of features (and possibly even abandoning or severely restructuring current systems).


      It will take a maturity of a different kind.

  • by squaretorus ( 459130 ) on Tuesday January 15, 2002 @03:07AM (#2840739) Homepage Journal
    That a majority of people do not trust MS is not surprising. I don't trust my government, my bankers, my customers, hell... I doubt the guy at the supermarket.

    I maybe trust my mum and dad, and aunt jemima for her tasty pancakes [auntjemima.com] - but a software company???

    People are cynical enough that they just bumble through life looking over their shoulder bitching about stuff.

    I just bought a new laptop - it came with XP pro - already I'm having problems with it. But I bitch about it over coffee and just get on with things. I had to register the software - something I bitched about. IIS won't work properly - bitch bitch bitch. Norton seems to be checking every file every 2 minutes making the thing unusable for the first hour in a day - bitch bitch bitch.

    Would I buy another the same - probably.

    The trust issue won't hurt MS as much as we'd like to think. And it won't help the alternatives much either.

    The movie industry sucks - but a good percentage of you reading this will run out and give them 30 dollars for Tron someday soon.
  • Liability. (Score:2, Interesting)

    by ImaLamer ( 260199 )
    Why shouldn't they be held liable in certain situations?

    This is supposed to be a huge world economic product - they can get this way without any consequences? No worries?

    The software costs money. They push a license agreement on you when you pick the product up at the store, when you buy a computer with windows pre-loaded, you are making a contract.

    Okay, so in the agreement they sneak in some language that keeps them out of trouble. The problem is before you agreed to that 'contract' you were promised certain things. The product is defective.

    Data problems, in most cases, won't affect someone's well-being. But there is data at stake. Their data costs $99 and up. Is your data worth any less? They promise to provide a secure and somewhat stable operating system.

    This isn't always the case. It's only becoming an issue because they make so much money in the business. Shouldn't we ask more of Microsoft?

    Well, if we can't sue, the gov't does nothing, and products continue to be shipped while 'broken' then something needs to be done.

    Simply say it with your pocket book. Pass up on upgrading to XP. Do what ever you think is necessary. Buy an Apple.

    I know it's not easy; but don't you feel that many other M$ customers - if not yourself - feel as if Windows is needed? It is in certain situations, but does everyone need it? No.

    There are options. Not every option will work for all the people, but let's start to choose something else.

    OR! Hold them liable
  • The Nightmare (Score:5, Insightful)

    by Convergence ( 64135 ) on Tuesday January 15, 2002 @03:19AM (#2840757) Homepage Journal

    The nightmare scenario.. Three hours from when a widespread bug (like the recent XP one) and having millions of windows machines trashing everything they touch.

    That is the future, and it will happen someday.

    • Here's how:

    Use the warhol worm [berkeley.edu] spreading technique. Read it and be frightened. He claims 8 MINUTES from first infection to millions of infections.

    I'm not quite as confident as he is in that number. But I'll definitely agree that 2 hours is more than enough time. (1 million vulnerable hosts, 5 scans/sec. Start with 1000 hosts, each second, 5000 probes, finding one vulnerable host. Thus, after 15 minutes, 2000 hosts, and doubling every 15 minutes.)

    And, the more vulnerable hosts, the faster it spreads.

    Now imagine a truly destructive payload. One which does not delete files, but corrupts them, starting with the fileservers. It restores datestamps to make it impossible to identify what files are corrupted.

    Three hours from exploit to millions of computers corrupting thousands of files. Antivirus won't keep up, hell, warninsgs won't even reach most people until after its demolished their fileserver. With obfuscation techniques, the worm could survive 3 hours without being reverse-engineered.

    It spreads so fast, there's no defense. It spreads so fast, you won't be aware its trashing all files until its already started. The only reason we've survived this long is that nobody really competent has worked on a worm.

    Be afraid. Be very afraid. The only question is when it will occur, and whether you will be running Windows when the time comes. I hope you keep good backups.

    • by Frank Sullivan ( 2391 ) on Tuesday January 15, 2002 @12:05PM (#2842689) Homepage
      On most modern PCs, the BIOS is flashable. The control chips on the IDE drives are flashable. The CPU has flashable instructions. These are all there to deliver upgrades in case of a bug.

      Now, imagine a virus that destroys the IDE control chips on each drive (no accessing the data again, short of mechanically removing the platters), destroys the BIOS (no booting again short of physical replacement of the BIOS chip), and destroys the CPU (instructions are broken, starting with the ability to update the instructions).

      Cross this with Warhol propogation techniques. While you're at it, delay the payload long enough to maximize propogation rates, but not long enough to allow antiviral reaction.

      This could lead to *hardware kill rates* on the order of 10%-50% (or more) of the computers on the Internet. None of those computers would ever work again, and data stored on them could not be easily recovered.

      All of this is doable from publicly documented information, crossed with the Microsoft wormhole-of-the-week.

      Are you frightened? I am.
      • by TFloore ( 27278 ) on Tuesday January 15, 2002 @03:26PM (#2844384)
        Destroying a computer is not the worst you can do.

        Corrupting the data on the computer is MUCH worse.

        Think of a database for an ecommerce server. A virus that understands the database format, and turns every 7 into a 3 in the database. Credit card numbers (I'm sorry, sir, your card has been declined), prices, product IDs, addresses, zip codes, telephone numbers (hope this doesn't happen to your phone company), social security numbers. Everything on that database.

        Then it transmits itself to another host, and removes itself from that machine, attempting to cover its tracks.

        Destroying the computer is *nice* compared to letting it run for the next month with incorrect data. You just corrupted the next 7 million transactions that system processes. And how much does it cost to correct that? Restoring a nuked server is cheap by comparison.

        Which would be worse for a serious ecommerce business? Being down for a day? Or having to check every transaction that was processed for the last 30 days, and dealing with mischarged customers, fraud charges from CC#s billed incorrectly, incorrect products shipped, lost packages that were misaddressed...

        Destroying a system is bad for a home user... corrupting it can be deadly for a business.
      • Fearmongering. (Score:3, Interesting)

        by Kjella ( 173770 )
        Actually most flashable cards have a backup non-flashable ROM, mainly in case the power goes during a BIOS flashing or similar. Also, chips can't turn off write access to themselves so if you just have a valid ROM to boot it, you can overwrite the BIOS again with a working version. When there was this BIOS-overwriting virus some years ago, there were a few laptops that didn't have a backup chip, probably to save space, and they choked permanently. The remaining ones were just to reflash, problem solved. After that, they've learned.

        Kjella
  • ERT Advisory CA-2002-01 Exploitation of Vulnerability in CDE Subprocess Control Service

    Original release date: January 14, 2002 Last revised: -- Source: CERT/CC

    A complete revision history can be found at the end of this file.

    Systems Affected

    * Systems running CDE

    Overview

    The CERT/CC has received credible reports of scanning and exploitation of Solaris systems running the CDE Subprocess Control Service buffer overflow vulnerability identified in CA-2001-31 and discussed in VU#172583.

    Read More... [cert.org]

    Reports from places like cert [cert.org] and bugtraq [securityfocus.com] show that there are just as many exploits out there for *nix based systems.

    Network security of this nature is clearly not working when being applied at the OS or software levels, and a more flexible solution than the standard firewall is needed.

    What would your opinion be of a 'mini-firewall' included as standard on all new network cards. The firewall would have packet filtering rules filtering out 'generic suspicious traffic' (such as bar an IP address for a day if something containing default.ida and a hell of a lot of 'N's comes through). The rules would be held on a flash ROM, which could be updated when necessary with software from a trusted source such as CERT [cert.org] and digitally signed by a non-trusted one such as Verisign [verisign.org].

    Software could also be written to instruct the card to open certain ports and update the rules so that safe traffic for that software can pass through.

    Unfortunately, the extra $20-30(?) would probably sink it dead in the water, not to mention the hassle of having to reprogram all network software to work with it. How does the idea stand in theory, though?

  • Losing the press? (Score:5, Insightful)

    by banky ( 9941 ) <gregg&neurobashing,com> on Tuesday January 15, 2002 @03:34AM (#2840794) Homepage Journal
    In the "Great OSS Boom of '99" the press was all awash with Linux this, Linux that. MS stayed true to its course, kept on with the updates, and got XP out the door.

    Now it seems things have changed: more and more, I am seeing articles that are negative of MS. "XP isn't stable", "too many updates", "XP isn't secure", "W2k was fine, why did they change it?" is what I see more and more of. Red Hat gets decent nods, and now even Apple of all people is selling a Unix operating system, albeit one that is packaged in a lamp.

    Is MS at risk of losing the press?

    Articles like this must drive them absolutely BONKERS. Forget the /. bias, we're nothing. An article a week like this, even as a back-page editorial, is enough to cost them how many customers?

    How many of the system integrators like the guy in the article will just give up and stop dealing with XP, or worse yet, call Big Blue?

    If MS loses the appeal of the popular press - promoting every new release as stable and secure - then they're screwed, even without the class action suits and liability claims. Any more FBI warnings will serve as months of fodder for the rags to hammer on them.
    • Just wait 'till the press starts a feeding frenzy on the Microsoft worm du jour. ;-)
      Once the magic aura is gone and they start looking, .... (chortle, snicker, gufaw, hehe, ...)
  • by tomgilder ( 255203 ) on Tuesday January 15, 2002 @03:37AM (#2840800) Homepage
    Hello! I'm sure everyone will be glad to know that currently IE (even
    a fully patched IE6) can currently...

    * Run any command or program off the hard disk
    * Monitor the users clipboard, and steal the contents
    * Read or steal any file off the local disk
    * Check existence of any local file
    * Access the DOM, cookies, or read the content of any other website
    regardless of domain, protocol or security zones
    * Fake the file name in a download dialog

    ..although most of those only work if active scripting is enabled.

    These security holes are all *proven* to work, and could easily be
    used to create a devastating worm. Some of them are about a month old,
    and still not patched by MS. Delightful.

    The two latest exploits are http://tom.vpwsys.co.uk/clipboard/ (mine!)
    and http://www.osioniusx.com - see http://www.securityfocus.com for
    more.
  • by Dr. Tom ( 23206 ) <tomh@nih.gov> on Tuesday January 15, 2002 @03:38AM (#2840803) Homepage
    Next time you release a software product, delete that "NO WARRANTY" clause from the license. State that you will fix any bugs that are found for one full year from when the user downloaded the program. You may even be confident enough of your code to offer a money-back guarantee (if it's shareware, for example). See how adding lines like that to your tarball affects how you code and debug.

    Dare Microsoft to even think about this. Their worst fear is a world where people choose software based on quality.

    Seriously, we don't need to whine about what some legislators are doing about the big bad wolf's coding practices. What we need to do is start setting the example. Say "I write good code!" and stand behind those words. Somebody who knows how should create a version of the GPL that includes appropriate warrantees for Free Software. The "Quality GPL" (GQL?). You don't have to use it, if you think your code is buggy or is a development version. Right now we just click on "Stable Branch" and that sends a message to those in the know, but how much better if you go visit a software repository and find piles of code that are stamped with a license that guarantees that the product is free from defects in workmanship (modifying the source code voids the original warranty, of course, and people who re-release modified code are under obligation to change the license to reflect that).

    We want people to get the idea that software that claims to be stable yet comes with the phrase "NO WARRANTY" is probably a steaming turd. Especially if they paid good money for it.

    Naturally, you can't predict how some people will use your product. "No, sir, the VCR does not function under water." Your code might not work on an SGI, either, if you developed it under HPUX. Using the product in a manner not intended will void the warranty. Sometimes it's not a bug, it really is a feature (or the lack of one). But if somebody finds a bug, you WILL fix it, won't you? Why not put that in writing? Even offer a monetary reward to the first finder (how about $2.56?) of every bug.

    Note that agreeing to fix bugs, or claiming that your product is bug free, is completely different from assuming liability if the user uses your program to kill himself. That's a completely different story.

    • What we need to do is start setting the example. Say "I write good code!"

      Maybe I do, but is your compiler equally well written? How about the port of glibc to your hardware platform?

      Application software sits on an operating system and depends on OS libraries. Open source software is often compiled from scratch, and you do not have control over which compiler is used or which build of the libraries.

      I would never make a guarantee that my software would operate as I expected 100% of the time, unless I had control of the deployment environment.

      For example, look at the stability of games console software compared to most PC-based games. It is a genuine shock if your console game hangs on you - I can count the number of times its happend to me on the fingers of one hand, going back to my SNES-using days. The reason is that the developer is able to test in the exact environment the software will be used. This is a luxury not available to most, and I believe stability (unavoidably) suffers as a result.

      Cheers,
      Ian

  • by Rinikusu ( 28164 ) on Tuesday January 15, 2002 @04:24AM (#2840882)
    that's the most stupJ00 4r3 0wn3d!id thing I've ever heard! My Windows XP box h45 b33n h4x0rd h4h4h4h4h4! sorry, I don't know what's wrong with my keyboard10wn3dj00 it keeps messing up.. but anyway, Microsoft security is perfectly fine here
  • Software Liability (Score:2, Insightful)

    by astro ( 20275 )
    I will admit readily that I haven't read many of the comments here, but I have to say this:

    Many of you should think twice before hailing Microsoft's downfall should it happen to stem from software fault liability.

    Read the article - part of the major point is that a legal precedent could be set that would allow for far greater liability on the part of software developers that deliver flawed code.

    Think about that for a second - all of the software that *you* have developed for clients that have pushed the boundaries on budgets and timelines is *totally free of bugs*? Even totally free of bugs that might eat their data one day? Myself, I occasionally lose sleep thinking about a bug that I *know* is in code that I delivered to a client that has no more funding to pay me with to clean up the system.

    I personally feel that I have legitimate protection from liability for loss in those situations given that I expose the problem to the client, honestly tell them how much it will cost for me to fix it, and explain that the coverage for corner cases wasn't there given the budget they provided.

    Are you ready to stand in court against precedent that you are liable for the business cost of a bug in your code? I'm not.

    I am not a MS loyalist in the least (yes, I'm posting this from Win2k, my work platform for clients that I do Win work for) - in fact I wish to see serious stipulations on their bundling and BIOS issues mainly - but I don't think this is the right angle to crucify them on because it will come down and affect me.

    From what I understand of the current /. crowd, this may come down on you a hell of a lot more - do you carry terribly expensive Omissions and Errors insurance? I didn't think so.

    -astro
  • Thoughts on liabity (Score:2, Interesting)

    by vadim_t ( 324782 )
    I'm thinking we need a new license, how somebody mentioned above. This is how I think things should work:

    Commercial vendors are responsible for what they produce. After all they sell the work for money. Programs should work as advertised. If Win98 is advertised as faster than 95, then it must be faster. If it's better for playing DOS games, then it should be indeed better. If MS says it's secure (*snort*), then it should be secure. The vendor shall be responsible for serious security bugs, but not user stupidity. Not preventing you from doing an 'rm -rf /' doens't qualify.

    GPL should remain as it is. That's logical, many GPL works are *in progress*. Open Source applications take advantage of the openess, which lets them be released early, in an incomplete state. For example, suppose I am a technician and make my own TV. A friend comes to my house.
    Friend: Whoa, what's that?
    Me: The TV I've been making
    Friend: Can I try it?
    Me: Sure, but it's not finished. Be very careful with it.

    Now, should I be liable for damages if the TV that I already said is experimental catches fire? Of course not! I didn't make it as a professional work, it's just a toy I let somebody try.

    An useful addition would be the QGPL (Quality GPL somebody mentioned). Standard GPL, but with additions. How about:
    The software must be reasonably secure. That is, it won't let people break into computer, and won't delete all the data on your hard disk. The bug that doesn't render correctly HTML for site foo.com doesn't qualify.
    All the reported bugs will be fixed in the next stable release
    Perhaps as some people do, like D. J. Bernstein (the author of djbdns) offer a reward for serious bugs.
    Maybe something else

    Ideas? Comments?

  • Register article (Score:2, Informative)

    by nagora ( 177841 )
    You all need to have a look at this [theregister.co.uk] article at the Reg'.

    TWW

  • Seven years ago viruses came on floppy disks and they traveled slowly. Now a smart virus could infect millions of computers within an hour. This is an enormous threat and it is only through luck that no very malicious internet viruses have been written already.

    While Microsoft has a shocking attitude towards security, the real problem is not their software itself. The problem is that they are a monopoly. If everyone runs the same software, even a small vulnerability can bring the entire network down.

    Microsoft should be more security conscious but that really does not solve the core problem.

    Unfortunately, most people do not see security as enough of a priority to deal with the cost and hassle of changing software. The only solution I can think of is to encourage people to make backups. Backups do not help when a virus destroys hardware but they are better than nothing.

    Eventually, there will be a truly devastating internet virus. We have gotten lucky this far but our luck will not carry us indefinitely.

  • This web page from Fairfield City [fairfield-city.org] should be enough to convince you that Microsoft security is good enough for storing credit cards, your e-money, financial records and anything else.
  • by f00zbll ( 526151 ) on Tuesday January 15, 2002 @07:22AM (#2841268)
    Having dealt with security issues and tried to fight for tighter security vs convienance, management always choose convienance. I'm sure others have seen the same problem, but I'll say it anyways.

    To really implement tight security (the only kind that will prevent 95% of viruses) means a drastic change in microsoft's entire line of products. The fact is most people know better, but when they sit down at a computer their brains turn off and click everything. Only way microsoft can prevent all these email viruses isn't to turn off "launch attachment", because people will turn it on the first time they get an attachment. It's to require users save the file, scan the file and limit user account in windows. That means users have to login as the administrator to install programs and do updates. I'm sure people are saying, "just like unix."

    Will people put up with less convienance after they've had it for 8 years? My guess is probably not. In the best case scenario, people will slowly get used it and take 25 years to replace all the old software. Short of giving away their software, microsoft will have a huge headache of replacing all the outdated version with hacker friendly features.

  • by mcrbids ( 148650 ) on Tuesday January 15, 2002 @11:19AM (#2842380) Journal
    Ok, Quotes of the day;

    First:

    "Microsoft treats security problems as public relations problems," said Bruce Schneier of Counterpane Internet Security in Cupertino, Calif.
    And then:
    "We're going to make our systems more resistant and more resilient," said Microsoft's
    director of security assurance, Steve Lipner. "We want to be unquestionably, unequivocally the best."

    Director of Security Assurance ??!?!

    If you can imagine a more Dilbertified position within a company....

...though his invention worked superbly -- his theory was a crock of sewage from beginning to end. -- Vernor Vinge, "The Peace War"

Working...