[LINK] Let's Sue Microsoft [Was: Code Red puts Microsoft in hot
Mon, 06 Aug 2001 21:28:42 +1000

I don't think it is reasonable to sue Microsoft on grounds of
unconscionable conduct because there was a bug in their IIS web server.
Complex software has all sorts of potential problems. As far as I know,
Microsoft responded quickly to the problem with a patch - and it is up
to people who use the software to keep an eye on security updates.
Microsoft has free mailing lists, web pages etc. for this purpose.

This is not an unreasonable arrangement in the case of IIS, since it is
sold to network administrators and other people who run computers
connected permanently to the Net, and any such person should take their
security responsibilities seriously.

Since many people who know almost nothing about computers have heard
about Code Red now, and the thing is still proliferating, this means
that there are a large number of people connecting computers to the net
and running servers who have not a single clue about computer security.
While perhaps Microsoft could and should do more to clue these people up
or make it harder for them to deploy every bit of software by default
without thinking about it, I don't think this cluelessness is

I may not know the whole story - what is it about Microsoft's actions
which are supposedly unconscionable regarding IIS and Code Red?

What I think *could* be regarded as unconscionable conduct is the
default setting of Windows to hide the extension of filenames for types
it recognises, and to do this when Outlook Express presents an emailed
attachment to the user. This *actively* works against the ability of
the user to understand the security implications of clicking the
attachment. SirCam and other worms/viruses replicate a *lot* faster
because of this dumb (I believe culpably wrong) default behaviour of the
operating system, because they name an attachment "PrettyGirl.JPG.exe"
and the Microsoft software - by default and without any security
cautions - presents this to the user as: "PrettyGirl.JPG".
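
The hidden-extension behaviour described in the message above can be checked for at a mail gateway. The following is an added example, not part of the original post: it parses a constructed MIME message, computes the name a user would see when extensions of recognised types are hidden, and flags attachments whose real extension is executable while the visible part ends in a harmless-looking one. The extension lists, function names and sample message are assumptions made for illustration.

```python
import os
from email import message_from_string

# Assumption: short illustrative lists, not a complete filtering policy.
EXECUTABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".lnk"}
DECOY = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".zip"}

def shown_name(filename):
    """Name a user sees when extensions of recognised types are hidden."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in EXECUTABLE | DECOY else filename

def verdict(filename):
    """Return 'deceptive', 'executable' or 'ok' for one attachment name."""
    name = filename.strip().rstrip(". ")  # Windows drops trailing dots/spaces
    stem, ext = os.path.splitext(name)
    if ext.lower() not in EXECUTABLE:
        return "ok"
    # Look at the extension that remains visible once the real one is hidden.
    inner = os.path.splitext(stem.rstrip(". "))[1].lower()
    return "deceptive" if inner in DECOY else "executable"

def scan(raw_message):
    """List (filename, shown_name, verdict) for every named MIME part."""
    results = []
    for part in message_from_string(raw_message).walk():
        fn = part.get_filename()
        if fn:
            results.append((fn, shown_name(fn), verdict(fn)))
    return results

# Constructed sample message (not captured traffic).
SAMPLE = """\
From: a@example.com
To: b@example.com
Subject: photo
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="PrettyGirl.JPG.exe"

AAAA
--BOUND
Content-Type: image/jpeg
Content-Disposition: attachment; filename="holiday.jpg"

AAAA
--BOUND--
"""

if __name__ == "__main__":
    for row in scan(SAMPLE):
        print(row)
```

A gateway would typically quarantine "deceptive" parts outright and apply its normal executable policy to the rest.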