
Author Topic: Microsoft's Little Liability Problem  (Read 6350 times)


Offline mikeymike

Re: Microsoft's Little Liability Problem
« Reply #14 from previous page: October 08, 2003, 01:24:11 PM »
Quote
Re-write meaning they change two lines to break it or (more likely) they find some sneaky way around the patent.


Two lines of what?

re: liability case, I think MS won't lose it
Quote
Why do you think this?


Because it would undermine their EULA and engine for their entire business model.  If your business earnt you 11 billion dollars a year, how much would you pay lawyers to keep things that way?  How did the antitrust case go again?
 

Offline mikeymike

Re: Microsoft's Little Liability Problem
« Reply #15 on: October 08, 2003, 01:26:00 PM »
Quote
The problem with the case is that it doesn't just affect ActiveX, but all plug-in technology, including Macromedia's Flash and Sun's Java. Open Source browsers like Mozilla and Konqueror may well be forced to do without any plug-ins whatsoever.

I didn't say it was a good case.  However, it might turn out to be a good case because it might help undermine software IP.
Quote
The risk is that Microsoft, being forced to rewrite a bunch of stuff, are going to introduce new "standards" and we'll end up with more websites that don't work with non-Microsoft browsers.
The loss is obviously bad news for Microsoft, but it may be even worse news for the rest of us.


I think you're over-reacting a touch.  If Microsoft could do that, they would have done it already.  Furthermore, the amount of things this new approach would horrendously break, in MS's own products as well as companies who have written products which use those technologies.  It would be kind of like having to re-lay every stretch of road.

MS's attempt to make the Internet proprietary failed, because people wanted it open.  MSN v1 was the attempt.  Their other attempt was with IE4 and channels, that didn't work either.  Since then IE has become a tiny bit more standards compliant.

Basically, MS would have to re-write way too many things, break functionality for virtually everything Internet-centric, and at the end of the day, the customer has to see a benefit at not too great a cost.
 

Offline mikeymike

Re: Microsoft's Little Liability Problem
« Reply #16 on: October 08, 2003, 01:43:24 PM »
Quote
If they lose the case then "ouch!" indeed, and not just for Microsoft. Open source authors will suddenly become liable for any losses users may suffer as a result of their software having bugs/security flaws. Small commercial developers ditto.


I think the approach that will be taken by MS will go along the following lines - the customer has to be responsible for maintaining the security of the product that they're using.  After all, if a security firm sells a building security system, which requires a 6 month maintenance check, and the customer is aware of that and fails to make the appropriate arrangements, then the customer would be at fault.  If someone doesn't bother using the security features to the best of its abilities, then that is hardly the fault of the product.

However, if the case was that the customer had done everything they could to maintain the security of the product, and MS had failed to notify the public of a horrendous vulnerability (which is currently the case regarding a live attack on IE users, details of which on the NTBugtraq mailing list), then the customer might have a case.

However {2}, say for example with Windows installs, I disable Windows filesharing services.  Then there was a case based on a product I had installed for a customer, and the vuln was to do with IE rather than Windows filesharing services, I'm sure that MS lawyers could make their case on that I had tried to break their product by doing only what any sane sysadmin would do to maintain security.
 

Offline minator

Re: Microsoft's Little Liability Problem
« Reply #17 on: October 08, 2003, 03:03:50 PM »
Quote
Two lines of what?


Code, comment out something and suddenly Active X doesn't work.  I once went to a presentation by someone who had disassembled IIS and it was full of code that was never executed.

Quote
Because it would undermine their EULA and engine for their entire business model.  If your business earnt you 11 billion dollars a year, how much would you pay lawyers to keep things that way?  How did the antitrust case go again?


They lost.
The sanctions were weak because the government changed and decided it couldn't be bothered any more.

However this is very different, this is a civil case being handled by lawyers with previous experience.  Politicians can't help them here.

Quote
However, if the case was that the customer had done everything they could to maintain the security of the product, and MS had failed to notify the public of a horrendous vulnerability (which is currently the case regarding a live attack on IE users, details of which on the NTBugtraq mailing list), then the customer might have a case.


But that assumes all computer users are experts and know how to do this.  Part of this case actually covers this because this is not and never shall be the case. Read the write up on OSNews, it explains it very well.

Quote
Open source authors will suddenly become liable for any losses users may suffer as a result of their software having bugs/security flaws. Small commercial developers ditto.


They already are liable in Germany.
However there is simply no point in trying to sue someone if they have no money and they haven't made anything from the product.  I think Open Source authors while not being immune won't have anywhere near the same problems.  

One way or another software liability is coming and I for one think it's a good thing.  All other industries are liable for their products and software producers shouldn't be any different.
 

Offline bhoggett

Re: Microsoft's Little Liability Problem
« Reply #18 on: October 08, 2003, 03:23:20 PM »
@mikeymike

Quote
I think you're over-reacting a touch. If Microsoft could do that, they would have done it already.

Of course, I'm putting forward the worst possible case. However, bear in mind that the article does say MS have said they will be making changes and the W3C believe that will break a lot of people's web sites. As long as they work with the W3C, there's no problem, but should they go off at their own tangent...
Quote
MS's attempt to make the Internet proprietary failed, because people wanted it open. MSN v1 was the attempt. Their other attempt was with IE4 and channels, that didn't work either. Since then IE has become a tiny bit more standards compliant.

True, and there's a reasonable chance it will stay that way, but MS are powerful enough to take the other route. I'm not at all convinced they have given up on controlling the Internet yet. For instance, Microsoft have recently contacted rival instant messaging client developers to inform them that they are implementing new licensing requirements that require developers to either pay a license fee or be locked out of MSN. The leopard doesn't seem ready to change its spots quite yet.

As for the liability case, I agree with you. I find it highly unlikely that Microsoft will lose it. At the very worst (for them) they'll reach an out of court settlement with the plaintiff that does not involve them admitting any wrongdoing. That way, no precedent gets set, and no culpability is admitted. I doubt we're about to see any major changes in EULA practices.
Bill Hoggett
 

Offline bhoggett

Re: Microsoft's Little Liability Problem
« Reply #19 on: October 08, 2003, 03:41:02 PM »
@minator

Quote
They already are liable in Germany.
However there is simply no point in trying to sue someone if they have no money and they haven't made anything from the product. I think Open Source authors while not being immune won't have anywhere near the same problems.

Rubbish. That's like saying that people can leave their doors open because thieves only steal from rich homes.

There are large companies involved in many open source projects. Open source isn't just about a few bedroom programmers writing software in their spare time, you know. IBM invested 1 billion dollars last year in Linux development, for instance. Litigators would just target people like IBM for their actions, even if IBM were not directly responsible for the security leak.

Will widespread software liability be a good thing? Yes, but only if users are forced to pass a test before being allowed to use computers, the same way you need a driving license to drive a car. Operating a computer is not like operating a DVD player, and users can do a lot of damage, to themselves and to other people, by misusing the technology. It's only reasonable to restrict computer use to those who are qualified, no?

How likely is that to happen, do you think?
Bill Hoggett
 

Offline mikeymike

Re: Microsoft's Little Liability Problem
« Reply #20 on: October 08, 2003, 03:59:03 PM »
Quote
Code, comment out something and suddenly Active X doesn't work.


So then Windows Update, every Flash clip, Java clip, embedded movie, audio doesn't work.  I don't think MS are going to hire you at any point soon :-)

Quote

re: antitrust
They lost.
The sanctions were weak because the government changed and decided it couldn't be bothered any more.


No, us.gov were bribed with free MS software.  MS won, it just doesn't say it on paper.  Their EULA wasn't judged as illegal either.

Quote
But that assumes all computer users are experts and know how to do this. Part of this case actually covers this because this is not and never shall be the case. Read the write up on OSNews, it explains it very well.


If something is going to store information I regard as very important, I take the time out to find out whether it is good enough for the job, and anything I can do to ensure its continuing security.  Ignorance is not an excuse in the eyes of the law.  For example, I don't know everything about swipe account/credit cards, but I learn that I'm not supposed to give just anyone my PIN or such details, because that compromises the security of the product.  If I have a security firm add extra locks to all the ways into my house, I should be expected to learn what is required to ensure the level of security they are advertising.  I can't blame the security company because I leave a key to the front door under a flowerpot.

Please note I am semi playing devil's advocate here.  I think it is wrong that MS software by default is so insecure, but this is probably the way the case will be argued.

On the subject of accountability, of course everyone should be held accountable for their actions, whether they code software or whatever.  However, the guidelines for responsible conduct in maintaining software security are still maturing, so cases are more likely than not to fail in this context except for the occasional extreme case.
 

Offline mikeymike

Re: Microsoft's Little Liability Problem
« Reply #21 on: October 08, 2003, 04:06:36 PM »
re: Computer driving tests

My mum successfully completed the European computer 'driving test' recently, she's still as incompetent as ever.  The test is totally Windows-centric, as in it doesn't require the student to learn skills that can be applied to other operating systems.  In short, it is a complete farce.  I learnt more at secondary school on an Acorn than is possible to learn on that stupid euro course.

The problem with learning computers through courses is that they're taught in complete parrot fashion, do this, do that, this'll happen, carry on.  It doesn't teach people to apply skills at all.  The non-computer equivalent would be just learning only the maths questions and answers that will come up in the test.

This is the main reason why my new business also provides private tuition computer courses :-)
 

Offline bhoggett

Re: Microsoft's Little Liability Problem
« Reply #22 on: October 08, 2003, 04:20:21 PM »
@mikeymike

 :-D

Heh, I agree: relevant computer user "permits" are unlikely to happen because so few people take the complexity of computer use seriously. People are told "buy a computer, it's really easy and you'll be able to do lots of stuff", and so they blame the system rather than their own incompetence when things turn out a little more complicated than they were led to believe.

That's why I think developers should have the right to say "use this at your own risk" if they see fit. It's then up to the user to decide whether he wants to use that software considering the risk, or else use something with a license that covers him in any eventuality. Blanket laws that enforce liability regardless are an absolute nightmare scenario.
Bill Hoggett
 

Offline mikeymike

Re: Microsoft's Little Liability Problem
« Reply #23 on: October 08, 2003, 05:09:17 PM »
@ bhoggett

I agree.

I think it'll be about 10 to 20 years before basic computer do's and don'ts similar to "don't talk to strangers" type lessons for kids (and taken as seriously), become generally used.
 

Offline minator

Re: Microsoft's Little Liability Problem
« Reply #24 on: October 08, 2003, 06:43:16 PM »
Quote
So then Windows Update, every Flash clip, Java clip, embedded movie, audio doesn't work.  I don't think MS are going to hire you at any point soon


Given that Microsoft are famous for doing exactly that with their patches they hardly need to hire me :-D

Besides, I had a couple of hundred people buy my software and in 5 years only ever got 2 bug reports 8-)

There was a very interesting debate on OSNews a while back where a number of MS admins said they would deliberately not apply patches because they are quite likely to break their systems - that is how bad MS patches are.

However, my original point was that MS does not need to rewrite IE to remove some features, it's a relatively simple operation and they've done it already.

Quote
Operating a computer is not like operating a DVD player, and users can do a lot of damage, to themselves and to other people,


If you are a Unix admin I would agree with you but there is NO reason a desktop computer should be any more complex than a DVD player - what do you think a DVD player is anyway?

MS simply don't make systems that good and don't test them enough.  

Contrast that with my Camera, Phone or Camcorder all of which are highly complex real time systems which to date have worked perfectly *every* time.  These things are every bit as complex as a PC if not more so but the only way I'm going to harm anyone with my camcorder is if I smack them around the head with it.

If you consider these bad examples I can of course also show you a complex, secure but very easy to use Mac...

Future security problems with Windows were predicted *years* ago but did they do anything about it?

Quote
That's like saying that people can leave their doors open because thieves only steal from rich homes.


Unless you are acting out of pure spite you don't sue someone who can't afford to pay out - that's the first thing the lawyer will tell you.

Quote
There are large companies involved in many open source projects. Open source isn't just about a few bedroom programmers writing software in their spare time, you know.


I'm quite aware of that but I was talking about bedroom coders.

Quote
Litigators would just target people like IBM for their actions, even if IBM were not directly responsible for the security leak.


They'd be laughed out of court for that exact reason.

Open Source and the law could get interesting because unless you were suing the company who supplied the software you would have to track down the exact cause of the fault and who wrote it before you could even begin a legal action.  You couldn't prove guilt otherwise.

With MS you only sue the company, not the individual programmer.
 

Offline mikeymike

Re: Microsoft's Little Liability Problem
« Reply #25 on: October 08, 2003, 08:36:54 PM »
Quote
Besides, I had a couple of hundred people buy my software and in 5 years only ever got 2 bug reports


Your software wouldn't happen to be an operating system would it?

Quote
There was a very interesting debate on OSNews a while back where a number of MS admins said they would deliberately not apply patches because they are quite likely to break their systems - that is how bad MS patches are.


I'm a winsysadmin as well.  I've never had an MS patch break something that I've not been able to fix.  That isn't to say they're all perfect and always have been perfect.  Usually the problems come in the shape of unconfiguring things I've configured, which is irritating.  It is a classic excuse in the industry to say that you didn't apply the patch because you were afraid it would break something.  In terms of originality, it ranks about the same as "the dog ate my homework".  It is the job of the sysadmin to test the patch, no matter who wrote it, and to build a test case to make sure it doesn't screw up the production environment.  It is just plain total irresponsibility on the part of the sysadmin if they failed to do this.  No excuse whatsoever.  Except if the dog ate them.

Quote
However, my original point was that MS does not need to rewrite IE to remove some features, it's a relatively simple operation and they've done it already.


If you've written software you should know how irritating it is for others to cast judgement on how easy something is if they've never seen the source code or helped develop the product.  The idea that the workaround is based on is simple yes.  Though I imagine the source code for IE is not a pretty sight.
 

Offline mikeymike

Re: Microsoft's Little Liability Problem
« Reply #26 on: October 08, 2003, 08:49:17 PM »
Quote
If you are a Unix admin I would agree with you but there is NO reason a desktop computer should be any more complex than a DVD player - what do you think a DVD player is anyway?


A DVD player is a computer built for a very specific purpose.  All the logic necessary to do its job can be written on a ROM/firmware/something non-volatile.  The number of different things a user could do to such a product is very small.

A desktop computer is a general purpose tool with an infinite number of different uses.  The operating system has to be designed to manage potentially totally untrustworthy and unstable programs, and for the user to do an infinite number of stupid and dangerous things.

Writing an operating system from scratch is a monumental task.  If it wasn't, there would be hundreds of them around, rather than dozens.  In any monumental task there are a monumental number of things the developer could implement badly.

If you would like to prove me wrong, please start writing an OS from scratch, particularly for the x86 platform.