11.19.08

Gemini version available ♊︎

Liability for Software When Life is at Stake

Posted in Europe, Law, Microsoft, Security, UNIX, Windows at 9:48 am by Dr. Roy Schestowitz

A few months ago we used the London Stock Exchange (LSE) as an example of hugely costly Microsoft failures. The stock market crashed in the technical sense and Microsoft, along with those who are informed or responsible, dodged questions about the problem, which recurs once in several months. That was about money, but this time around it’s about people’s welfare, health, and even lives.

With roughly 320,000,000 zombie PCs out there, how can any sane person put Windows in mission-critical settings like a hospital? Well, that’s just what some people do. They apparently learned nothing from a hospital near Microsoft Corporation turning into a massive botnet and it’s happening again, this time in London. Yesterday’s reports indicate that 3 hospitals were shut down due to Windows virus infections:

BBC: Computer virus affects hospitals

Three London hospitals have been forced to shut down their entire computer systems for at least 24 hours after being hit by a virus.

The Register: PC virus forces three London hospitals into computer shutdown

Three London Hospitals shut down their computer systems on Tuesday in response to a computer virus infection.

[...]

The infection at Barts and London Trust was reportedly caused by the Mytob worm, which contains built-in spyware functionality. Mytob spreads by email and has the ability to plant backdoor software on compromised Windows PCs.

Database leaks are only natural to expect. This means that any person’s personal information and health record can make its way into a hot BitTorrent within hours. It’s wonderful, is it not?

“This means that any person’s personal information and health record can make its way into a hot BitTorrent within hours.”We have already produced and provided some evidence to show that Windows is insecure by design and probably irreparable. Unless it’s overhauled radically or reimplemented from scratch, it can never benefit from several decades of UNIX doctrine, mostly trials and errors which made a robust, scientifically-backed model.

With Microsoft whistleblowers crying foul about critical failures and then getting sacked, one can’t help wondering how Microsoft perceives liability. Appended below are several fairly recent articles about liability, bad software, dangers in healthcare, and questionable EULAs.

For information about the NHS and Microsoft, see this page (to avoid needlessly repeating old references).

_____
[1] Experts are calling for product liability for software

“Product liability does not apply to software,” Gerald Spindler of the Faculty of Law of the University of Göttingen complained. “But what if a whole company comes to a standstill due to faulty software?” he mused.

[2] “Microsoft’s 10Q Risk Factors Lists Conceivable Liability for Data Leaks

Improper disclosure of personal data could result in liability and harm our reputation. We store and process significant amounts of personally identifiable information. It is possible that our security controls over personal data, our training of employees and vendors on data security, and other practices we follow may not prevent the improper disclosure of personally identifiable information. Such disclosure could harm our reputation and subject us to liability under laws that protect personal data, resulting in increased costs or loss of revenue. Our software products also enable our customers to store and process personal data. Perceptions that our products do not adequately protect the privacy of personal information could inhibit sales of our products.

[3] Linux guru argues against security liability

Alan Cox, one of the leading Linux kernel developers, has told a House of Lords hearing that neither open- nor closed-source developers should be liable for the security of the code they write.

[4] New banking code cracks down on out-of-date software

The banking industry has re-affirmed a policy that makes online banking customers responsible for losses if they have out of date anti-virus or anti-phishing protection. New Banking Codes for consumers and businesses took effect on Monday.

[5] Secure web browsing through Live Linux distros

Banking isn’t the be-all and end-all: there’s many other reasons you’d want a secure system, separate from what’s on the hard disk, besides Internet banking. Traveller’s can’t necessarily trust the integrity of a computer in an Internet cafe.

[6] Online banking fraud ‘up 8,000%’

The UK has seen an 8,000% increase in fake internet banking scams in the past two years, the government’s financial watchdog has warned.

The Financial Services Authority (FSA) told peers it was “very concerned” about the growth in “phishing”.

[7] Swedish bank hit by ‘biggest ever’ online heist

Haxdoor typically installs keyloggers to record keystrokes, and hides itself using a rootkit. The payload of the .ki variant of the Trojan was activated when users attempted to log in to the Nordea online banking site. According to the bank, users were redirected to a false home page, where they entered important log-in information, including log-in numbers.

[8] Microsoft confirms OneCare zaps Outlook, Outlook Express e-mail

Microsoft Corp. has acknowledged that a bug in its Windows Live OneCare security suite has been causing users’ e-mail to vanish from Outlook and Outlook Express.

[9] In zombies we trust

A little over a year ago, I wrote an editorial where in back-of-the-envelope style (.pdf) I estimated that perhaps 15-30% of all privately owned computers were no longer under the sole control of their owner. In the intervening months, I received a certain amount of hate mail but in those intervening months Vint Cert guessed 20-40%, Microsoft said 2/3rds, and IDC suggested 3/4ths. It is thus a conservative risk position to assume that any random counterparty stands a fair chance of being already compromised.

[10] Your data or your life

As unlikely and alarmist as this sounds, it could really happen. Intracare is the publisher of a popular practice management system called Dr. Notes. When some doctors balked at a drastic increase in their annual software lease, they were cut off from accessing their own patients? information.

This situation is completely unconscionable. There can be no truly open doctor-patient relationship when an unrelated third party is the de facto owner of and gatekeeper to all related data.

[11] Use Health Vault, Lose Your Rights

Microsoft has announced (NY Times Article) Health Vault. What should have followed here is a review of the service by my actually trying it.

[...]

Heard enough? So had I. I’m absolutely going to pass on Health Vault. In addition to looking like the Microsoft Passport debacle redux, this is a very one-sided contract. They can harm you but you cannot harm them. There is no way for any 3rd party to verify that their privacy and security software works.

[12] Microsoft Healthvault Patient Safety in Question

One topic I’ve not seen addressed is the safety and effectiveness of the data within HV – and I don’t mean “safety” as in the data is secure from unauthorized access or misuse. I mean “safety” as in the utilization of data stored in HV by other applications won’t result in an unsatisfactory patient outcome, you know, like death or injury.

[13] HealthVault: No Commitments and a Sleeping Watchdog.

Has Microsoft committed to keeping the promises that it has already made? No, just the opposite. Their privacy policy concludes:“We may occasionally update this privacy statement”

Which means that when the commitments that Microsoft has made regarding HealthVault become inconvenient, they will simply change them.

[14] HealthVault: Failing the seven generations test

…My mother died of ovarian cancer. My grandmother took a drug while my mother was in utero that increase the chances that my mother would get ovarian cancer. Any consideration given to my mothers genetic propensity to get cancer must take into account this environmental influence…My grandmothers medical record will remain relevant for at least five generations…How long should we be keeping our electronic medical records? We should ensure that they are available for the next seven generations…A private, for-profit, corporation is an inappropriate storehouse for records that the next seven generations will need. Corporations do not last long enough. Consider the Dow Jones Industrial Average, of the original 12 companies that made up the index, only one is still listed…

[...]

But this is still Microsoft we are talking about, which all things being equal, is especially bad. Microsoft has a history of abusing standards, and using those abuses to enable and extend its monopolies. In short they have a history of “being evil” in exactly the sort of way that we cannot afford to have impact our healthcare records.

[15] Bill Gates: Vista is so secure it could run life support systems

While on a visit in Romania, where Bill Gates participated in the celebration of 10 years since the Microsoft branch has been running there, and the launch of Vista, Microsoft?s president declared that, with the right ammount of administration, the new Vista could run life support systems in hospitals.

[16] Do Microsoft’s EULAs have any real legal basis?

“Microsoft has no special exemption from the sale of goods act.” Well, no, probably not – but it might still be selling you “services” instead of “goods”. But the real point to remember is that it doesn’t matter a jot what the “logical” position is, it is what the courts decide that matters.

As far as I know, no one has tested Microsoft’s EULAs in a UK court and, until someone does, Microsoft will just go on assuming that they work. And I don’t fancy the risk of taking on Microsoft’s expensive lawyers in court myself…

[17] EULA La Vista, Baby

Well, I’ve taken a good look at the license agreement — I had insomnia — and I’ve discovered some clauses that will freeze your blood, curl your hair, and do your nails.

[18] Vista’s EULA Product Activation Worries

Mark Rasch looks at the license agreement for Windows Vista and how its product activation component, which can disable operation of the computer, may be like walking on thin ice.

[...]

“Does the Microsoft EULA adequately tell you what will happen if you don’t activate the product or if you can’t establish that it is genuine? Well, not exactly. It does tell you that some parts of the product won’t work – but it also ambiguously says that the product itself won’t work. Moreover, it allows Microsoft, through fine print in a generally unread and non negotiable agreement, to create an opportunity for economic extortion.”

[19] MSN Music Debacle Highlights EULA Dangers

MSN Music’s EULA is a case in point. When active, MSN Music’s webpage touted that customers could “choose their device and know its going to work”.

But when customers went to purchase songs, they were shown legalese that stated the download service and the content provided were sold without warrantee. In other words, Microsoft doesn’t promise you that the service or the music will work, or that you will always have access to music you bought. The flashy advertising promised your music, your way, but the fine print said, our way or the highway.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

3 Comments

  1. David Gerard said,

    November 19, 2008 at 9:58 am

    Gravatar

    I was particularly pleased to see in the Daily Telegraph report mention of the fact that this is a Windows virus. Every time there’s a press report of a computer virus outbreak that doesn’t mention this fact, I think there should be many letters written pointing out that there are no Mac or Linux viruses in the wild, despite repeated attempts at scaremongering by insecurity companies.

  2. Roy Schestowitz said,

    November 19, 2008 at 10:03 am

    Gravatar

    The BBC did not mention this. The Register did. It figures. ;-)

    Microsoft BBC

  3. Needs Sunlight said,

    November 20, 2008 at 9:18 am

    Gravatar

    It’s more than just the viruses that M$ is vulnerable to. The products just aren’t stable for mission critical use. When you look at the server and infrastructure products from M$ it’s even worse.

    Nowadays, pretty much every time I have contact with hospital information systems MS problems rear their ugly head. People I know have on multiple occasions not had their medical records available. Mostly this an annoyance and means they don’t get proper treatment. However, in a different situation, that could mean easily life or death. Hospital staff I interview *lose* over 10 hours per week to Windows-specific failures. That’s the functional equivalent of a > 20% downsizing in service…

    Top heads of departments, already with high workloads and high pressure, go without e-mail and rely on phone and fax. This is because instead of using a mail server (like simta, sendmail, postfix, etc) or collaborative software (like Zimbra, Kolab or Citadel) they use MS. Result? Critical messages lost or delayed.

    In worse cases even the phone is not a refuge. When MS products infect voice mail, replacing mature, stable technologies, then even the phone is not reliable. Again, a phone call, call forwarding and voice mail *are* serious matters of life and death in a hospital. Normally, Asterisk, Meridian, Definity or many other proven systems are used.

    When enough people lose kids, grandparents and elderly parents to lost messages, blocked phones, or unavailable or corrupted medical records, the damage will already have been done.

    Eventually Gates, Ballmer, Allichin, and the whole lot can be said to be party to manslaughter or similar. However, the real blame here and now lands on those making, actively or through inaction, the decision to allow M$ in the hospital.

DecorWhat Else is New


  1. Links 16/05/2022: FreeBSD 13.1 and Inkscape 1.2 Released

    Links for the day



  2. Archiving Latest Posts in Geminispace (Like a Dated Web Directory But for Gemini)

    Earlier today we saw several more people crossing over from the World Wide Web to Gemini; we're trying to make a decent aggregator and archive for the rapidly-expanding Geminispace, which will soon have 2,500 capsules that are known to Lupa alone



  3. Microsoft Vidal Does Not Want to Listen (USPTO is Just for Megacorporations)

    Microsoft Vidal knows her real bosses. They’re international corporations (multinationals like Microsoft), not American people.



  4. Links 16/05/2022: China Advances on GNU/Linux and Maui 2.1.2 is Out

    Links for the day



  5. Jim Zemlin: Chief Revenue Officer in 'Linux' Seat-Selling Foundation

    Board seats in the Linux Foundation are basically a product on sale, based internal documents



  6. Reminder: Linux Foundation's Last IRS Filing is Very Old (Same Year the CFO Left)

    People really need to ask the Linux Foundation, directly, why its filings are years behind; this seems like a sensitive subject



  7. Linux Foundation Does Not Speak for GNU/Linux Users

    There's a serious problem in the "Linux" world as the so-called 'Linux' Foundation claims to speak for us (the GNU/Linux community) while in fact speaking against us (on the payroll of those looking to extinguish us)



  8. IBM's Lennart Poettering on Breaking Software for Pseudo Novelty

    Recently-uploaded ELCE 2011 clip shows a panel with Linus Torvalds, Alan Cox, Thomas Gleixner, Paul McKenney, and Lennart Poettering (relevant to novelty or perceived novelty that mostly degrades the experience of longtime users, e.g. Wayland and systemd)



  9. IRC Proceedings: Sunday, May 15, 2022

    IRC logs for Sunday, May 15, 2022



  10. Links 15/05/2022: Linux 5.18 RC7 and Calls for More Mass Surveillance

    Links for the day



  11. Audio: Mark Shuttleworth Marketed to Young Males, With Sexy Pictures

    The Web is rotting away, old links become broken links within months or years, so I’ve decided to encode a 3-minute segment of the whole as Ogg



  12. What a Difference Half a Decade Makes (When Linux Foundation is 'Having Fun')

    Media shaming campaigns may have taken their toll on the founder of Linux, who is now bossed by someone who rejects Linux and is married to a Microsoft booster. Like Richard Stallman under FSF guidance (and conditions for return, mostly for fear of further media assaults and attack dogs), he has become a more publicity-shy and private person. The Linux Foundation has in effect reduced the founder of what it’s called after (Linux) into a weekly release manager and mascot, whose brand it is gradually diluting/cheapening.



  13. Links 15/05/2022: GNU libiconv 1.17

    Links for the day



  14. [Meme] Unitary Patent and Unified Patent Court (UPC) Cannot Be Reconciled With the Law

    Unitary Patent and Unified Patent Court (UPC)? Impossible. But Team UPC counts on an endless torrent of fake news managing to convince you (and more importantly politicians) otherwise.



  15. Even Team Battistelli is Sometimes Admitting -- Out in Public! -- That Unified Patent Court (UPC) is Neither Legal Nor Desirable

    Daniel X. Thomas and other people who are “too old to punish” (consequences to their career profoundly minimised owing to seniority) are among those who push back against the Unitary Patent or Unified Patent Court (UPC); any sane person — not a career-climbing litigation zealot — can identify the pertinent facts and realise that what’s going on here is an injustice of unprecedented proportions in the patent discipline



  16. [Meme] Common Sense at EPO

    The European examiners who deal with patents prefer a system that works for science, for Europe, not for foreign megacorporations that amass millions of low-quality patents and weaponise these to discourage competition



  17. Patent Granting at the EPO Has Collapsed by 24% Owing to Much-Needed Industrial Action

    Seeing that the EPO’s management routinely violates the law and even the very legal basis of the EPO’s existence (it is a monopoly in Europe; no body has the authority to compete against it), the EPO’s examiners have embarked on a ‘Work-to-Rule’ campaign — working in compliance with the rules as defined 49 years ago and revised over the decades — and the European Patent Convention (EPC) takes priority over unlawful demands from middle and upper management; this is proving highly effective so far and it will carry on until demands are met, i.e. until the law is obeyed and staff is treated with respect/dignity



  18. [Meme] Milan is a Suburb in London

    As long as Italy is not the UK and London means London “proper” (not the French town called London) the UPCA is invalid and no matter how much Team UPC (and its puppets in EPO management) may plead, this whole system is bound to implode



  19. The Latest Propaganda Tactics of Team UPC: Pretending Unified Patent Court Already Exists and Unitary Patents Are Default When If Fact None Even Exists

    8 years ago Benoît Battistelli said that the UPC was imminent; now, after 4 years of António Campinos, it’s still not here and Team UPC speculators say it won’t happen this year, either; just like the EPO constantly lies (both to the public and to its very own staff) Team UPC continues to lie to itself (self-delusion) and to us; both also routinely break the law, engage in deliberate violations of longstanding conventions, and scrap constitutions, which in turn becomes a breaking point for the EU’s credibility and the legal profession



  20. Links 15/05/2022: More Azure Shutdowns and Windows Security Blunders Aplenty

    Links for the day



  21. IRC Proceedings: Saturday, May 14, 2022

    IRC logs for Saturday, May 14, 2022



  22. Links 15/05/2022: Pika Backup 0.4

    Links for the day



  23. Changes in the Site and the Capsule

    A 10-minute explanation of what we've been up to lately and what's changing; hopefully I'll have a lot more free time in months to come and we'll be able to produce about a dozen posts per day



  24. Links 14/05/2022: Alt Linux 10.0 Released

    Links for the day



  25. Links 14/05/2022: Builder GTK 4 Porting and Raspberry Pi Matrix Dashboard

    Links for the day



  26. Elon Musk is Right About Twitter Faking Its Importance and Using Doctored, Manipulated 'Stats' (or Bots) to Boost Valuation Based on Lies

    Today’s empirical proof that Twitter is totally faking its relevance and reach/influence, based on “Analytics” of my long-inactive account; the SEC will once again — quite likely as usual — let Musk get away with it, killing a company for personal gain as a temporary shareholder who amassed a ton of free publicity (he paid nothing at all and sent the company into a death spiral, pretty much in the same way Microsoft and Icahn did Yahoo! or Microsoft and Elop did Nokia)



  27. Who Brings Home the Bacon (Revenue), Sheela or James (Jim)?

    Sheela (yes, wife of the nontechnical Linux Foundation chief, who equates Microsoft critics with people who kick puppies) has a history working with several companies that are closely connected to Microsoft (not just Bakkt); can that be reconciled as not a conflict of interest?



  28. The 'Original' Linus Torvalds on Self-Hosting

    The fast-aging founder of Linux spoke as shown above (2005); so much has changed since then…



  29. IRC Proceedings: Friday, May 13, 2022

    IRC logs for Friday, May 13, 2022



  30. Links 13/05/2022: NetworkManager 1.38 and Pseudo-Security

    Links for the day


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts