
Class Action Over Faulty Software Product


Roy Schestowitz

Jul 16, 2006, 2:25:56 AM
Hi all,

As you may know, Microsoft has ended its support for Windows 98. To quote an
article from yesterday:

---
...when Microsoft released a patch to fix a security bug found in
several versions of Windows, it did not include a fix for 98 or Me,
saying it was "not feasible to make the extensive changes necessary."
The bug could allow an intruder to take control of a computer running
Windows.

[...]

That doesn't mean computers running these versions of Windows are
obsolete, like the Commodore 64 I still have in my basement.

[...]


Source: http://www.cbc.ca/news/background/tech/windows98.html
---

To quote another:

,----[ Quote ]
| The medium of infection or transmission is the Internet itself, while
| the host is the Windows PC, invariably penetrated through one of a
| common class of software vulnerabilities.
|
| [...]
|
| Botnets will always be with us as long as Windows remains in its
| current, insecure state.
`----

http://www.techworld.com/features/index.cfm?RSS&FeatureID=2675

---

This may seem acceptable for some, but these machines are being hijacked and
are joined to form botnets. These botnets account for 80% of all the SPAM
worldwide and the majority of E-mail traffic (yes, the majority originates
from Windows bots). These machines also attack Web sites, including mine.
Given that I spend hours of my time every week combatting SPAM and attacks
launched by Windows machines (I have proof), all of which due to severe
flaws, can a case be made?

Thanking you in advance,

Roy Schestowitz

Colin Wilson

Jul 16, 2006, 6:24:35 AM
> > As you may know, Microsoft has ended its support for Windows 98.
> This may seem acceptable for some, but these machines are being hijacked and
> are joined to form botnets.

Win98 is probably more secure now than XP - it has attained security
through obscurity.

As long as someone with two brain cells configures a firewall and AV
program, it's probably as solid as you're likely to get without a shift
to *nix.

Roy Schestowitz

Jul 16, 2006, 7:16:06 AM
__/ [ Colin Wilson ] on Sunday 16 July 2006 11:24 \__

But this does not quite address the issue. Windows PCs are being hijacked
and cause damage even to those who never set their hands on Microsoft
software. Shouldn't someone be held liable?

Gaz

Jul 16, 2006, 7:29:45 AM
Roy Schestowitz wrote:
> Hi all,
>
> As you may know, Microsoft has ended its support for Windows 98. To quote
> an
> article from yesterday:
>

Considering most users have not downloaded a single windows update to their
win98 system since they bought it, why should we be concerned now?

Win98se is an excellent programme, only bettered on x86 by Microsoft's own
successors. Maybe in another few years linux will have the same level of
compatibility and ease of use as a home operating system, that win98se had.

What would be decent of MS, would be to now release win98se into the public
domain.

Gaz


Gaz

Jul 16, 2006, 7:31:58 AM

Those doing the hijacking?????
MS sold you a product, they very generously provided a free service for
downloadable updates for eight years. Do you still believe some kind of
contractual obligation is owed by MS to you?

Gaz


Roy Schestowitz

Jul 16, 2006, 7:41:43 AM
__/ [ Gaz ] on Sunday 16 July 2006 12:31 \__


I take your point, of which I am well aware. However, many
severe flaws remain and they are often discovered /after/
they get exploited (i.e. after machines are compromised).
Only a few days ago, for example, a PowerPoint flaw was
discovered and already exploited (no patch available yet).
So even a fully-patched system remains vulnerable. This
enables people to carry out attacks on Web sites (mine
included), which costs Webmasters time and money, and
botnets also spam the Web (I get about 400 spam per day).

The ISPs seem hopeless because they cannot disconnect every
Windows machine (even fully-patched systems are
susceptible). Frankly, I think Microsoft should be held
accountable (in one way or another) for designing a system
very poorly. Many experts have commented on the realisation
that Windows is insecure _by design_. Due to lack of
modularity, it was made easy to capture and the impact on
the Web is severe. And it gets worse by the day (a proven
fact). Can no justice be made? As in the case with the EU,
Microsoft rarely cares unless there is pressure. Even after
two years in the courts, they simply refuse to disclose
communication protocols and facilitate interoperability
(fair play). When it comes to patches or redesign of
software, they are slow or apathetic. This is a case of
extrating monopoly power. Many people are unable to secure
their system, let alone migrate away, due to lockin and OEM
deals (no preinstalled alternatives).

I would appreciate your advice/help.

Best wishes,

Roy

Roy Schestowitz

Jul 16, 2006, 7:50:07 AM
__/ [ Gaz ] on Sunday 16 July 2006 12:29 \__

> Roy Schestowitz wrote:
>> Hi all,
>>
>> As you may know, Microsoft has ended its support for Windows 98. To quote
>> an
>> article from yesterday:
>>
>
> Considering most users have not downloaded a single windows update to their
> win98 system since they bought it, why should we be concerned now?
>
> Win98se is an excellent programme, only bettered on x86 by Microsoft's own
> successors. Maybe in another few years linux will have the same level of
> compatibility and ease of use as a home operating system, that win98se had.


I agree. Windows 98 SE was the last Windows system that I
used and most people refuse to patch it. /However/, let's
change the goalposts and speak of the many XP machines out
there, which after 5 years of 'maturity', continue to be
insecure. The flaw /du jour/ is not going to stop even when
Vista is released. An incentive must be put forward in order
for Microsoft to redesign their O/S until it is secure. They
should not release something that can so easily be used to
attack other residents of the shared network.

The project leader of Windows, Jim Allchin, said some time
ago that 60% of the code in Vista needs to be re-written. So
here we have another semi-baked O/S released onto the
public. It will continue to be compromised and attack the
Web. So what gives? I want to see change. Or else, with the
rise in 'rotten' traffic, brute force will beat people's
ability to carry out work.


> What would be decent of MS, would be to now release win98se into the public
> domain.


This was suggested elsewhere. Disclose the source so that
independent developers can patch the system for themselves.
And it /does/ need patching. There is at least one known
(and unpatched) flaw that allows virtually 70 million
computers to be hijacked. There is no remedy and the upgrade
requires new hardware.


> Gaz

Colin Wilson

Jul 16, 2006, 8:25:45 AM
> I would appreciate your advice/help.

Educate the users of these systems on installing a firewall and AV
software, and how to scan - without being duped by one of the many
"fake" scanners.

You can see my attempt here: http://www.coreutilities.co.uk

Colin Wilson

Jul 16, 2006, 8:28:06 AM
In article <8636277.e...@schestowitz.com>,
newsg...@schestowitz.com says...

> An incentive must be put forward in order for Microsoft to
> redesign their O/S until it is secure.

There is - money - the "we can't be bothered to keep fixing this
one, but we're still providing updates for its successor - if you
want updates, you need to buy the newer one."

> So what gives? I want to see change.

Write your own secure OS :-)

Alex Heney

Jul 16, 2006, 2:09:00 PM
On Sun, 16 Jul 2006 07:25:56 +0100, Roy Schestowitz
<newsg...@schestowitz.com> wrote:

<snip>

>---
>
>This may seem acceptable for some, but these machines are being hijacked and
>are joined to form botnets. These botnets account for 80% of all the SPAM
>worldwide and the majority of E-mail traffic (yes, the majority originates
>from Windows bots). These machines also attack Web sites, including mine.
>Given that I spend hours of my time every week combatting SPAM and attacks
>launched by Windows machines (I have proof), all of which due to severe
>flaws, can a case be made?
>

Not a chance. Even if class actions were possible in the UK, which
they aren't.

You would have to show that Microsoft had been negligent in creating
the software with those flaws in.

--
Alex Heney, Global Villager
Kleptomania: take something for it
To reply by email, my address is alexATheneyDOTplusDOTcom

Alex Heney

Jul 16, 2006, 2:11:57 PM

Yes, of course somebody should.

The people who illegally hijack those computers should be held liable.

You can't hold a third party (Microsoft) liable for their actions.

It would be almost impossible to show that a vulnerability found 7
years after the product was released was so obvious that they were
negligent in not spotting it before release.


--
Alex Heney, Global Villager

He who places head in sand, will get kicked in the end!

Roy Schestowitz

Jul 16, 2006, 2:49:51 PM
__/ [ Alex Heney ] on Sunday 16 July 2006 19:09 \__

> On Sun, 16 Jul 2006 07:25:56 +0100, Roy Schestowitz
> <newsg...@schestowitz.com> wrote:
>
> <snip>
>
>>---
>>
>>This may seem acceptable for some, but these machines are being hijacked
>>and are joined to form botnets. These botnets account for 80% of all the
>>SPAM worldwide and the majority of E-mail traffic (yes, the majority
>>originates from Windows bots). These machines also attack Web sites,
>>including mine. Given that I spend hours of my time every week combatting
>>SPAM and attacks launched by Windows machines (I have proof), all of which
>>due to severe flaws, can a case be made?
>>
>
> Not a chance. Even if class actions were possible in the UK, which
> they aren't.
>
> You would have to show that Microsoft had been negligent in creating
> the software with those flaws in.

Negligence is a subjective term because there is negligence
that serves an anterior motive (as in the recent WGA spyware,
which got installed as though it was an important update)
and negligence that is due to innocent ignorance. It is a
known fact that Windows has some back doors and it also
communicates with Microsoft on a daily basis, essentially
delivering some key details such as location. Whether the
design of the O/S was made to accommodate controlled
intrusion (which evidently backfired), I don't know. The
closed-source development model makes it even harder to
back.

And speaking of class action, the incidents I mentioned
above (Windows Genuine 'Advantage') have triggered two such
lawsuits in America.

Best wishes,

Roy

Alex Heney

Jul 16, 2006, 4:27:36 PM
On Sun, 16 Jul 2006 19:49:51 +0100, Roy Schestowitz
<newsg...@schestowitz.com> wrote:

>__/ [ Alex Heney ] on Sunday 16 July 2006 19:09 \__
>
>> On Sun, 16 Jul 2006 07:25:56 +0100, Roy Schestowitz
>> <newsg...@schestowitz.com> wrote:
>>
>> <snip>
>>
>>>---
>>>
>>>This may seem acceptable for some, but these machines are being hijacked
>>>and are joined to form botnets. These botnets account for 80% of all the
>>>SPAM worldwide and the majority of E-mail traffic (yes, the majority
>>>originates from Windows bots). These machines also attack Web sites,
>>>including mine. Given that I spend hours of my time every week combatting
>>>SPAM and attacks launched by Windows machines (I have proof), all of which
>>>due to severe flaws, can a case be made?
>>>
>>
>> Not a chance. Even if class actions were possible in the UK, which
>> they aren't.
>>
>> You would have to show that Microsoft had been negligent in creating
>> the software with those flaws in.
>
>Negligence is a subjective term because there is negligence
>that serves an anterior motive (as in the recent WGA spyware,
>which got installed as though it was an important update)
>and negligence that is due to innocent ignorance.

Nope.

Neither of those are negligence.

Negligence, in law, means more than just simple carelessness. And
"innocent ignorance" is no more than carelessness.

It can only be negligence if the consequences of failure were (or
should have been) known *and* the likelihood of failure was (or
should have been) known.

In this case, the vulnerability was not found by *anyone* for at least
7 years after the product was released. So it is hard to say they
*should have* known about it.


> It is a
>known fact that Windows has some back doors and it also
>communicates with Microsoft on a daily basis, essentially
>delivering some key details such as location.

Rubbish.

That is something that paranoid Microsoft haters have speculated
happens.

There is NO evidence that Windows 98 ever did that.


>Whether the
>design of the O/S was made to accommodate controlled
>intrusion (which evidently backfired), I don't know. The
>closed-source development model makes it even harder to
>back.
>
>And speaking of class action, the incidents I mentioned
>above (Windows Genuine 'Advantage') have triggered two such
>lawsuits in America.
>

But we don't have them in the UK. The nearest we have is where an
organisation can take action on behalf of its members.


--
Alex Heney, Global Villager

Hell, if you understood everything I said, you'd be me!

Roy Schestowitz

Jul 17, 2006, 12:39:02 AM
__/ [ Colin Wilson ] on Sunday 16 July 2006 13:25 \__

I was advised to add the following argument.

" point which appears to have been
missed from beginning to end in that discussion is that Microsoft
Windows has /never/ been fit for purpose, so they absolutely should be
held responsible. The suggestion that just fitting firewalls and av
will make it all okay is so naive as to be bordering on beyond belief."

I am inclined to agree. Third-party solutions (Microsoft even /sells/ one now
-- OneCare) should not be charged for if all they do is fix an
already-broken product. It's as simple as that.

Alex Heney

Jul 17, 2006, 4:20:33 AM
On Mon, 17 Jul 2006 05:39:02 +0100, Roy Schestowitz
<newsg...@schestowitz.com> wrote:

>__/ [ Colin Wilson ] on Sunday 16 July 2006 13:25 \__
>
>>> I would appreciate your advice/help.
>>
>> Educate the users of these systems on installing a firewall and AV
>> software, and how to scan - without being duped by one of the many
>> "fake" scanners.
>>
>> You can see my attempt here: http://www.coreutilities.co.uk
>
>I was advised to add the following argument.
>
>" point which appears to have been
>missed from beginning to end in that discussion is that Microsoft
>Windows has /never/ been fit for purpose, so they absolutely should be
>held responsible.

What a ludicrous statement.

If it was never fit for purpose, then you can bet that many of the
very large companies who have thousands of computers running it would
have taken action.

Given that 90% plus of ALL the companies in the world who use personal
computers at all will be using various versions of Windows very
successfully, I think one has to accept that it is fit for purpose.


> The suggestion that just fitting firewalls and av
>will make it all okay is so naive as to be bordering on beyond belief."
>

Well yes, you do have to know how to use them, and keep them up to
date.


>I am inclined to agree. Third-party solutions (Microsoft even /sells/ one now
>-- OneCare) should not be charged for if all they do is fix an
>already-broken product.

But that isn't what it does.

> It's as simple as that.

I wish you luck, Mr Quixote :-)


--
Alex Heney, Global Villager

Oxymoron: Rap Music.

marvelus

Jul 17, 2006, 6:03:04 AM
On Sun, 16 Jul 2006 21:27:36 +0100, Alex Heney <m...@privacy.net>
wrote:

The class action would be in the US. UK citizens have been part of
class actions in America, e.g. one of those big auction houses (I forget
its name) that fixed prices.

Jethro

Jul 17, 2006, 7:48:32 AM

Alex Heney wrote:
> On Sun, 16 Jul 2006 07:25:56 +0100, Roy Schestowitz
> <newsg...@schestowitz.com> wrote:
>
> <snip>
>
> >---
> >
> >This may seem acceptable for some, but these machines are being hijacked and
> >are joined to form botnets. These botnets account for 80% of all the SPAM
> >worldwide and the majority of E-mail traffic (yes, the majority originates
> >from Windows bots). These machines also attack Web sites, including mine.
> >Given that I spend hours of my time every week combatting SPAM and attacks
> >launched by Windows machines (I have proof), all of which due to severe
> >flaws, can a case be made?
> >
>
> Not a chance. Even if class actions were possible in the UK, which
> they aren't.
>

...and on the front cover of the Times today :
http://www.timesonline.co.uk/article/0,,29390-2273443.html

class actions to be allowed in UK ...

Roy Schestowitz

Jul 17, 2006, 9:30:53 AM
__/ [ Jethro ] on Monday 17 July 2006 12:48 \__

,----[ Quote ]
| BRITISH business is facing a billion-pound assault by consumer groups
| as ministers prepare to allow a version of US-style class actions against
| dodgy retailers and shoddy workmanship for the first time.
`----

Bring some matches; I'll bring the stickman.

Alex Heney

Jul 17, 2006, 10:23:55 AM
On Sun, 16 Jul 2006 21:27:36 +0100, Alex Heney <m...@privacy.net>
wrote:

>On Sun, 16 Jul 2006 19:49:51 +0100, Roy Schestowitz
><newsg...@schestowitz.com> wrote:
>
<snip>

>>
>>And speaking of class action, the incidents I mentioned
>>above (Windows Genuine 'Advantage') have triggered two such
>>lawsuits in America.
>>
>
>But we don't have them in the UK. The nearest we have is where an
>organisation can take action on behalf of its members.

Funnily enough, this morning's Times has an article on a proposal to
allow for that type of class action here :-)

You still wouldn't succeed against Microsoft, of course, but that is
another point.


--
Alex Heney, Global Villager

Skiier: Someone who pays an arm and a leg to break them.

Roy Schestowitz

Jul 17, 2006, 11:19:23 AM
__/ [ Alex Heney ] on Monday 17 July 2006 15:23 \__

> On Sun, 16 Jul 2006 21:27:36 +0100, Alex Heney <m...@privacy.net>
> wrote:
>
>>On Sun, 16 Jul 2006 19:49:51 +0100, Roy Schestowitz
>><newsg...@schestowitz.com> wrote:
>>
> <snip>
>
>>>
>>>And speaking of class action, the incidents I mentioned
>>>above (Windows Genuine 'Advantage') have triggered two such
>>>lawsuits in America.
>>>
>>
>>But we don't have them in the UK. The nearest we have is where an
>>organisation can take action on behalf of its members.
>
> Funnily enough, this morning's Times has an article on a proposal to
> allow for that type of class action here :-)
>
> You still wouldn't succeed against Microsoft, of course, but that is
> another point.

I was enquiring and seeking discussion. Whether this whole
thing is practical or not is an open question. One thing is
for sure: Windows botnets -- the outcome of Windows' sloppy
design and deadline-driven testing -- will be costing me
many hours of work for the rest of my life. SPAM, SPAM, SPAM
and DDOS attacks. Thank you, almighty masters of Redmond.
You have a considerable impact on one who never cared for
your products. And I am not even alluding to the issue of
interoperability (locking out other companies and their
clients) and the reluctance to describe communication
protocols to the EU (either due to revenue in jeopardy, or
because of a gaping hole that needs hiding).
