Stephen Kowalchuk wrote:
Greetings,
As such, I would argue that M$ release of a product with such widely known exploitable vulnerabilities into a the market including customers of any given relay service entity may, indeed, create standing for that service entity to sue M$ on the basis of costs incurred due to M$ negligence and negligent business practices.
Owen
While this is true, license agreements for most software products indicate that the product is expressly sold "as-is", and that you agree explicitly that the manufacturer is not responsible. This would most likely kill any product liability lawsuits, especially because the product performs to specification.
I think you, and several others, are missing one key point. One class of injured party, namely the ISPs who had to deal with servers overloaded by the created spam, never bought the Microsoft software, nor are they (in most cases, I suspect) using ANYTHING written by Microsoft in the course of providing services to clients. With that in mind, the ISPs are not party to the "as-is" license. The ISPs could sue their own customers for using Microsoft software which contains dangerous features and defaults, or they might be able to sue Microsoft for releasing software damaging to the Internet infrastructure.
Trying to sue Microsoft for producing software with varying levels of security (defaulted to the lowest security level) is like trying to sue an automobile manufacturer because their cars are easy to steal. While it may be possible to seek damages under lemon laws, if the car performs as specified there is little one can say except "damn, that's a stupid way to build a car..."
Actually, I think it's a lot like the States suing the tobacco companies for producing a product which creates high medicaid bills. If Microsoft was aware of the potential for damage, and did nothing, and the ISPs suffered as a result they're not unlike the States who had to pick up the tab for someone else's use of a dangerous product.
I think the best way to stop the poor security in MS products is to vote with your wallet. I'll grant that sometimes this is impractical, but it is IMHO the only way to guide any software manufacturer to the features and functionalities that consumers truly need. The only problem with this logic is that Microsoft still has a long list of ill-informed and poorly-educated consumers to chew on before they run out of steam.
The ISPs could, I suppose, block all POP and SMTP traffic from Outlook Express clients, and block all web requests from Internet Explorer. Neither is really practical. How else do you propose ISPs vote with their wallets? -- ----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com