Author Topic: Microsoft's Little Liability Problem  (Read 6341 times)

Offline mikeymike

  • Hero Member
  • *****
  • Join Date: Nov 2002
  • Posts: 3420
  • Country: 00
Re: Microsoft's Little Liability Problem
« on: October 08, 2003, 10:09:28 AM »
@ bhoggett

Yup, ActiveX would be an appreciated loss to Windows.  I just get the feeling MS are going to wriggle out of it though, particularly as they have stopped developing new standalone versions of IE, as they feel they have permanently won the browser wars.  It's not very profitable developing a free product that has loads of security holes, when there's no chance of any direct revenue.
 

Offline mikeymike

Re: Microsoft's Little Liability Problem
« Reply #1 on: October 08, 2003, 11:25:02 AM »
Quote
No, the liability case has much larger implications than any patent spat.


Except of course that Microsoft lost that "patent spat", which demands that IE be re-written without ActiveX.

MS won't lose the liability case.
 

Offline mikeymike

Re: Microsoft's Little Liability Problem
« Reply #2 on: October 08, 2003, 01:24:11 PM »
Quote
Re-write meaning they change two lines to break it or (more likely) they find some sneaky way around the patent.


Two lines of what?

re: liability case, I think MS won't lose it
Quote
Why do you think this?


Because it would undermine their EULA and engine for their entire business model.  If your business earnt you 11 billion dollars a year, how much would you pay lawyers to keep things that way?  How did the antitrust case go again?
 

Offline mikeymike

Re: Microsoft's Little Liability Problem
« Reply #3 on: October 08, 2003, 01:26:00 PM »
Quote
The problem with the case is that it doesn't just affect ActiveX, but all plug-in technology, including Macromedia's Flash and Sun's Java. Open Source browsers like Mozilla and Konqueror may well be forced to do without any plug-ins whatsoever.

I didn't say it was a good case.  However, it might turn out to be a good case because it might help undermine software IP.
Quote
The risk is that Microsoft, being forced to rewrite a bunch of stuff, are going to introduce new "standards" and we'll end up with more websites that don't work with non-Microsoft browsers.
The loss is obviously bad news for Microsoft, but it may be even worse news for the rest of us.


I think you're over-reacting a touch.  If Microsoft could do that, they would have done it already.  Furthermore, the amount of things this new approach would horrendously break, in MS's own products as well as companies who have written products which use those technologies.  It would be kind of like having to re-lay every stretch of road.

MS's attempt to make the Internet proprietary failed, because people wanted it open.  MSN v1 was the attempt.  Their other attempt was with IE4 and channels, that didn't work either.  Since then IE has become a tiny bit more standards compliant.

Basically, MS would have to re-write way too many things, break functionality for virtually everything Internet-centric, and at the end of the day, the customer has to see a benefit at not too great a cost.
 

Offline mikeymike

Re: Microsoft's Little Liability Problem
« Reply #4 on: October 08, 2003, 01:43:24 PM »
Quote
If they lose the case then "ouch!" indeed, and not just for Microsoft. Open source authors will suddenly become liable for any losses users may suffer as a result of their software having bugs/security flaws. Small commercial developers ditto.


I think the approach that will be taken by MS will go along the following lines - the customer has to be responsible for maintaining the security of the product that they're using.  After all, if a security firm sells a building security system, which requires a 6 month maintenance check, and the customer is aware of that and fails to make the appropriate arrangements, then the customer would be at fault.  If someone doesn't bother using the security features to the best of its abilities, then that is hardly the fault of the product.

However, if the case was that the customer had done everything they could to maintain the security of the product, and MS had failed to notify the public of a horrendous vulnerability (which is currently the case regarding a live attack on IE users, details of which on the NTBugtraq mailing list), then the customer might have a case.

However {2}, say for example with Windows installs, I disable Windows filesharing services.  Then there was a case based on a product I had installed for a customer, and the vuln was to do with IE rather than Windows filesharing services, I'm sure that MS lawyers could make their case on that I had tried to break their product by doing only what any sane sysadmin would do to maintain security.
 

Offline mikeymike

Re: Microsoft's Little Liability Problem
« Reply #5 on: October 08, 2003, 03:59:03 PM »
Quote
Code, comment out something and suddenly Active X doesn't work.


So then Windows Update, every Flash clip, Java clip, embedded movie, audio doesn't work.  I don't think MS are going to hire you at any point soon :-)

Quote

re: antitrust
They lost.
The sanctions were weak because the government changed and decided it couldn't be bothered any more.


No, us.gov were bribed with free MS software.  MS won, it just doesn't say it on paper.  Their EULA wasn't judged as illegal either.

Quote
But that assumes all computer users are experts and know how to do this. Part of this case actually covers this because this is not and never shall be the case. Read the write up on OSNews, it explains it very well.


If something is going to store information I regard as very important, I take the time out to find out whether it is good enough for the job, and anything I can do to ensure its continuing security.  Ignorance is not an excuse in the eyes of the law.  For example, I don't know everything about swipe account/credit cards, but I learn that I'm not supposed to give just anyone my PIN or such details, because that compromises the security of the product.  If I have a security firm add extra locks to all the ways into my house, I should be expected to learn what is required to ensure the level of security they are advertising.  I can't blame the security company because I leave a key to the front door under a flowerpot.

Please note I am semi playing devil's advocate here.  I think it is wrong that MS software by default is so insecure, but this is probably the way the case will be argued.

On the subject of accountability, of course everyone should be held accountable for their actions, whether they code software or whatever.  However, the guidelines for responsible conduct in maintaining software security are still maturing, so cases are more likely than not to fail in this context except for the occasional extreme case.
 

Offline mikeymike

Re: Microsoft's Little Liability Problem
« Reply #6 on: October 08, 2003, 04:06:36 PM »
re: Computer driving tests

My mum successfully completed the european computer 'driving test' recently, she's still as incompetent as ever.  The test is totally Windows-centric, as in it doesn't require the student to learn skills that can be applied to other operating systems.  In short, it is a complete farce.  I learnt more at secondary school on an Acorn than is possible to learn on that stupid euro course.

The problem with learning computers through courses is that they're taught in complete parrot fashion, do this, do that, this'll happen, carry on.  It doesn't teach people to apply skills at all.  The non-computer equivalent would be just learning only the maths questions and answers that will come up in the test.

This is the main reason why my new business also provides private tuition computer courses :-)
 

Offline mikeymike

Re: Microsoft's Little Liability Problem
« Reply #7 on: October 08, 2003, 05:09:17 PM »
@ bhoggett

I agree.

I think it'll be about 10 to 20 years before basic computer do's and don'ts similar to "don't talk to strangers" type lessons for kids (and taken as seriously), become generally used.
 

Offline mikeymike

Re: Microsoft's Little Liability Problem
« Reply #8 on: October 08, 2003, 08:36:54 PM »
Quote
Besides, I had a couple of hundred people buy my software and in 5 years only ever got 2 bug reports


Your software wouldn't happen to be an operating system would it?

Quote
There was a very interesting debate on OSNews a while back where a number of MS admins said they would deliberately not apply patches because they are quite likely to break their systems - that is how bad MS patches are.


I'm a winsysadmin as well.  I've never had an MS patch break something that I've not been able to fix.  That isn't to say they're all perfect and always have been perfect.  Usually the problems come in the shape of unconfiguring things I've configured, which is irritating.  It is a classic excuse in the industry to say that you didn't apply the patch because you were afraid it would break something.  In terms of originality, it ranks about the same as "the dog ate my homework".  It is the job of the sysadmin to test the patch, no matter who wrote it, and to build a test case to make sure it doesn't screw up the production environment.  It is just plain total irresponsibility on the part of the sysadmin if they failed to do this.  No excuse whatsoever.  Except if the dog ate them.

Quote
However, my original point was that MS does not need to rewrite IE to remove some features, it's a relatively simple operation and they've done it already.


If you've written software you should know how irritating it is for others to cast judgement on how easy something is if they've never seen the source code or helped develop the product.  The idea that the workaround is based on is simple yes.  Though I imagine the source code for IE is not a pretty sight.
 

Offline mikeymike

Re: Microsoft's Little Liability Problem
« Reply #9 on: October 08, 2003, 08:49:17 PM »
Quote
If you are a Unix admin I would agree with you but there is NO reason a desktop computer should be any more complex than a DVD player - what do you think a DVD player is anyway?


A DVD player is a computer built for a very specific purpose.  All the logic necessary to do its job can be written on a ROM/firmware/something non-volatile.  The number of different things a user could do to such a product is very small.

A desktop computer is a general purpose tool with an infinite number of different uses.  The operating system has to be designed to manage potentially totally untrustworthy and unstable programs, and for the user to do an infinite number of stupid and dangerous things.

Writing an operating system from scratch is a monumental task.  If it wasn't, there would be hundreds of them around, rather than dozens.  In any monumental task there are a monumental number of things the developer could implement badly.

If you would like to prove me wrong, please start writing an OS from scratch, particularly for the x86 platform.