Microsoft Uses Trademark Law to Disrupt Trickbot Botnet (krebsonsecurity.com)
140 points by todsacerdoti on Oct 12, 2020 | hide | past | favorite | 72 comments



This could set a potentially dangerous legal precedent. Microsoft are arguing that the malware operation damages Microsoft's brand, instead of putting the fault onto themselves for making vulnerable software.

The malware operation should absolutely be shut down, but other laws (that we have - the CFAA would apply) should be used to do so.

Otherwise any other manufacturer of defective products can argue that someone else (potentially unintentionally) is damaging their brand by triggering a flaw in the product instead of fixing their product. Imagine a car manufacturer whose cars fall apart due to minor irregularities in the road suing the city for not making the roads smooth enough instead of producing better cars that are immune to this problem.


Trademark law says you can't mislead consumers into thinking your thing is the trademark owner's thing. Malware fits this perfectly. There's no new precedent here, dangerous or otherwise.

The car manufacturer / road irregularity analogy does not fit.


> Trademark law says you can't mislead consumers into thinking your thing is the trademark owner's thing.

So, where did you get that these infected machines became a "your thing" and no longer are just Windows (albeit infected/altered)? I don't see the (legal) basis for calling these infected systems no longer Windows systems. If they're still Windows systems, this whole Trademark trick goes pretty much straight out of the window (no pun intended) for that reason alone.

> There's no new precedent here

Unless I'm reading it wrong, Microsoft essentially got itself a verdict that says that something that harms the reputation of their OS actually violates the trademark of that OS. As if their OS getting infected (rather easily) in the first place isn't enough of a valid reason for a bad reputation.

Just forget for now about how this also totally ignores that Microsoft probably deserved to have been sued out of existence a long time ago, for (deliberately!) not doing what it could to keep their OS more safe/secure.

Instead, now they pretty much can claim that basically anything that (in their perception) harms their good name and reputation, can be banned from running on their OS (or at least being seized and put under their control). That's the same (il)legal lunacy as currently exists with Apple dictating what can run on their iPhones. I would definitely call that a precedent (I've never heard of such a bonkers trademark case/verdict), and one with an extremely tricky potential for abuse by Microsoft.

It's a good thing that Microsoft has never been caught abusing anything, right.


> Unless I'm reading it wrong

The quote in the article from the civil complaint makes it sound like the malware itself used MSFT trademarks. If there's another "it" you're reading besides the article, where said quote is shown to be taken out of context, please link.


Yeah, TBH I'm more surprised that there hasn't been more prosecution of adware that misrepresents itself with Apple/MS/etc logos.


Is there any evidence that this malware misrepresents itself as Microsoft? The spam emails which seem to be the primary infection vector do not appear to have any Microsoft-related branding.


Yes. Find "civil complaint" in the article.


What are you talking about? The malware poses as Microsoft / Windows products, which is a clear-cut trademark violation.

In the car case, this would be analogous to a 3rd party selling defective parts under the brand name of a car manufacturer.


Which is a problem; I recall a BBC program about fake brake pads years ago.


> Otherwise any other manufacturer of defective products can argue that someone else (potentially unintentionally) is damaging their brand by triggering a flaw in the product instead of fixing their product. Imagine a car manufacturer whose cars fall apart due to minor irregularities in the road suing the city for not making the roads smooth enough instead of producing better cars that are immune to this problem.

I think you're hitting the dead end you get to when you only conceive of the law as considering physical actions, but that's not how it actually works. IANAL, but there's a legal concept called mens rea that's very applicable here. Basically, what's going on in someone's mind is legally relevant, so cases where someone performed an identical physical action for different reasons can be treated differently. So there'd be a difference between:

1. Triggering a bug maliciously for personal gain.

2. Triggering a bug accidentally.

3. Triggering a bug benevolently as part of an effort to fix it.


Mens rea generally only applies to criminal law. Lack of mens rea doesn't insulate you from civil liability, even if it might affect it.

See the first paragraph at https://en.wikipedia.org/wiki/Mens_rea


That distinction would only be relevant if the statute specifically drew it. The ordinary mens rea distinction is between (1) triggering the bug, intending to trigger the bug; and (2) triggering the bug, not intending to trigger the bug.


Trademark infringement seems to be a strict liability tort: https://www.tilleke.com/resources/application-strict-liabili...


> This could set a potentially dangerous legal precedent. Microsoft are arguing that the malware operation damages Microsoft's brand, instead of putting the fault onto themselves for making vulnerable software.

I think both can be true. Even if you think Microsoft should be held legally culpable for making vulnerable software, I don't think that should be a "get out of jail free" card for someone exploiting it.

I therefore don't see how agreeing that Microsoft is being harmed by malware authors could possibly result in a legal precedent exonerating them from legal liability over vulnerable software. Courts consider what is presented to them and their rulings tend to be narrow.


To be clear, I am absolutely not arguing that malware authors should get impunity - we have other laws such as the CFAA that should be used to punish this activity.

I am also not saying that software developers should automatically be liable for bugs or security vulnerabilities in their products.

My concern is that such a precedent would then allow software developers to sue on brand damage grounds even in non-malicious cases such as merely documenting an exploit or publishing a proof of concept (designed to test the vulnerability on your own infrastructure), in which case even "mens rea" would not apply since technically documentation/PoC code is intended to let others know about the vulnerability (so they can protect themselves, but that does technically damage the brand, although rightfully in this case).


I'd expect this to be narrowly interpreted. I don't think any precedent would extend the ways you suggest.


You're implying that makers and manufacturers could release perfect products with zero defects if they wanted to. No automobiles would ever need recall. No software would ever have a security bug. You do realize that's an impossibly high standard don't you?


A few things to counter here:

1. Considering the sloppy bullshit that is the root cause of 95%+ security vulnerabilities today, I think talking about "0 security" bugs is a distorting strawman.

2. No one said no recalls. The issue here is Microsoft is going after the exploiter rather than the bug, taking the law into their own hands over dubious pretenses.

  That's somewhere in between taking the drivers licenses of Corvair owners and recalling the Corvairs themselves. (We could make a better analogy if a black hat actor triggered the car defect.)
3. This could easily be precedent for scenario:

  1. Security researcher finds bug and discloses it
  2. Big corp declines to pay up / doesn't fix in timely manner, etc.
  3. Security researcher goes public
  4. Malware is made with exploit
  5. Big corp goes vigilante on malware like this *and* sues security researcher, using this trademark justification in *both* cases.


In what sense is Microsoft "taking the law into their own hands"? They filed a lawsuit and convinced the judge to agree with their legal theory. That's how the legal system works.

There is no vigilantism here.


They mention in the article how it spreads via emails not via exploits (in which it would be called a worm, not malware).


Isn't a worm just a type of malware? Wikipedia describes malware as "any software intentionally designed to cause damage to a computer, server, client, or computer network".


Seconded, I've always understood malware to be a broad categorization and not a specific type of attack.


I'd always assumed that malware was malicious software disguised as something else; the layman term for trojan. TIL that it's much more generic than that.


No, just that they need to be willing to accept the consequences of their mistakes rather than blame third parties. If software development is inherently risky then that's still the responsibility of software developers. If that makes some businesses unviable then the system is working as intended because they were unviable anyway, just profiting by passing costs to other people.

There's a separate sentiment floating around (and that _was_ the tone I caught from the parent comment, though I could be mistaken) that portions of Microsoft produce software with major design flaws that create a horde of other security and performance problems and that they should do better, but actually making better software isn't a necessary step in holding software creators accountable.


It seems like, if Microsoft were trying to absolve themselves of responsibility for defects in their products, the thing to do would be to claim that malware is developed by third parties outside of their control, against the terms of the EULA. What Microsoft is actually doing seems a lot more like taking responsibility. They're cleaning up the mess and helping people when they don't really have a legal requirement to do so.


Every time, a few months before product release, downstream teams start filing bugs on us that boil down to the statement: "please continue to add features, but stop adding bugs".

Oh, sweet summer child: features are bugs.


> This could set a potentially dangerous legal precedent. Microsoft are arguing that the malware operation damages Microsoft's brand, instead of putting the fault onto themselves for making vulnerable software.

I don't think this sets a precedent. Think about it in terms of physical security: a thief's ability to circumvent poor or no security doesn't preclude them from liability for their crimes.

The court has seized their assets and given them to Microsoft so that Microsoft can repair the damage they've done both to Microsoft and to its customers.


Then Microsoft will use a fraction of those assets to pay bug bounties.


Well, let the operators of the botnet complain to the courts about Microsoft's actions in court.

The defendants aren't going to show, so it's an easy win for Microsoft.


The software is no more vulnerable than any other software (unless automatic updates are disabled). The problem is that Microsoft users are vulnerable, they will do anything that you tell them to.

Furthermore, Microsoft is legally obligated to protect its trademarks, else it loses them, and there is real precedent for that.


> Microsoft are arguing that the malware operation damages Microsoft's brand, instead of putting the fault onto themselves for making vulnerable software.

Isn’t that blaming the victim? If you leave your house unlocked and someone steals stuff, it’s still theft.


Even more interesting (to me anyway), wouldn't the same reasoning also apply to jailbreaking and reverse-engineering devices ?

In those cases as well the behavior of the system is being altered while retaining the original branding.


This is not a new precedent, it is exactly what trademark law was intended to do. Trademark law is ultimately a consumer protection, designed to protect the public from fraudulent misrepresentation.


It's not going to set any sort of legal precedent. If you don't defend yourself in civil court and the plaintiff doesn't make blatantly unreasonable demands, the court will issue a default judgement and wash their hands of it until you do go to court. If you're blatantly flouting the law, you're entitled to much better legal protections than this case seems to imply.


"Microsoft are arguing that the malware operation damages Microsoft's brand, instead of putting the fault onto themselves for making vulnerable software."

The entire "desktop" software industry championed by Bill Gates has always relied on this belief. Namely, that Windows exploits are the fault of the people who dare to point out the flaws (before they are fixed, if ever), instead of the "engineers" and management who dared to skip quality control and market software that they knew could be exploited.

The Complaint:

http://noticeofpleadings.com/trickbot/files/Complaint%20and%...

In para. 49 MS are also arguing that the botnet is causing damage to MS because MS has to expend resources to investigate and clean it up.

Can we consider the courts' time being wasted because of MS failure to perform quality control? Can we consider the losses of the MS software users? Users are not the ones seeking a TRO and damages, though surely they are suffering more harm than MS from the botnet. Does MS actually own the infected computers?

Anyway, MS arguments are not limited to trademark. They argue the botnet operators' use of Windows function declarations is copyright infringement (para. 59). They argue the botnet operators violated the CFAA by accessing MS computers without authorization and caused "a loss to MS" of greater than $5K in the aggregate in one year (para. 67). They argue the botnet operators violated the ECPA by intercepting communications between MS and financial institutions (para. 74). They argue the botnet operators have committed trespass to chattels, i.e., MS computers and networks (para. 99). They argue the botnet operators have been unjustly enriched through the use of MS software and online account infrastructure (para. 105). They even argue conversion, as if the software still belongs to MS, not its users (para. 112). Not all of these claims are going to stick, obviously.

Software warranties still haven't changed much over the past three decades in terms of product liability under US law. Unless the software causes physical damage to property or physical injury to persons, software companies can successfully disclaim liability for defects. Sadly, Windows users, who always accept MS's licensing terms, generally have no claims against MS for the losses they suffer as a result of Windows' vulnerabilities.

Perhaps the only way to force quality controls into software "engineering" is to allocate more products liability risk to those multi-billion dollar companies who produce mass market software. If you hate the sound of that, don't worry. I doubt it is ever going to happen.

To me, the "Microsoft brand" is synonymous with vulnerabilities, botnets and malware. This is only because I know the full history of the software. In the complaint MS argues users might associate degradation of performance with Windows instead of the botnet (para. 48). In theory, MS could make this argument against any author of third party software running on Windows that hides itself from the user's awareness and, for whatever reason, degrades performance.

Today's MS Windows, with its "software subscription" model, IMO is functionally tantamount to a so-called botnet, the only differences being "authorisation" (driven by use of dark patterns) and the definition of "malicious" (intent). Please forgive the provocative nature of that statement. What I mean is MS, like a "botnet", has centralised "command and control" of users' computers through centralised or decentralised communication to install software (updates), it can intercept users' electronic communications through telemetry and it does "exfiltrate" user data to MS. What makes the botnet "bad" and MS "good" is not the means by which each operates (they each exercise considerable remote control over Windows users) but the ends they seek to achieve. Controlling users' computers remotely, under a very thin veil of "authorisation", has become accepted behaviour.


The dangerous precedent I see is Microsoft making justice for itself (with authorization from a judge, but still, when did Microsoft become law-enforcement?). Blaming Microsoft for building "vulnerable software" because someone is targeting their OS with their malware is like blaming Boeing because their planes were used for the 9/11 attacks.


I disagree that's a valid comparison. If the terrorists were able to remotely override Boeing's autopilot from the ground, and use that to steer the planes into the towers, Boeing would absolutely have been blamed, and rightly so.


Nobody blamed Boeing for not putting locks on their cockpit doors.

The public actually doesn't generally place much blame on manufacturers of hardware for third party manipulation unless the point of the device is security. Nobody expects a car is invulnerable to sabotage.


You could blame Boeing for not taking control of the planes from the ground and prevent the terrorists steering them into the towers.


This isn’t a criminal matter, it’s a civil matter. They filed a lawsuit and convinced a judge their legal position was right, they didn’t do their own vigilante justice.


> This could set a potentially dangerous legal precedent. Microsoft are arguing that the malware operation damages Microsoft's brand, instead of putting the fault onto themselves for making vulnerable software.

I agree with you.

Why on earth would opening a .doc document infect a freaking computer? Imagine opening a freaking json file and getting infected by a crypto virus... The real problem is with Word or whatever software Microsoft has built that allows some code execution VIA a .doc document. They must have so much technical debt nobody's willing to touch some old code anymore or something... IMHO, this and the fact they ditched their own browser engine in favour of Google's because it couldn't compete says a lot about the state of engineering in some Microsoft teams...


This kind of problem is ubiquitous in native software. Any program that takes user input and is not written in a memory safe language is likely to be exploitable in this way.

This is doubly true for programs that execute user scripts. And it is inevitable for programs that support binary file embedding and file manipulation through those scripts - a feature some users of Word actually use.


> Why on earth would opening a .doc document infect a freaking computer?

It’s more like a friend sends you source code and your IDE compiles it in the background only to discover that the act of compiling it had it shove some executable in ~/bin.

For over five years now, the default for Word is not to run code/macros. Some corporate IT has that disabled or they might still be running office 2012/07.


That's fine, you can install Linux or TempleOS or whatever if Windows is bad.

The only thing you can reasonably demand of Microsoft is (a) reasonable disclosure of the risk, and (b) not forcing their product into a separate product like your Dell hardware purchase.

If you want insurance against imperfect security from MS, be prepared to pay more than $179 per PC.




I've been waiting for this story to bubble up with a reasonable amount of traction before commenting so I'm glad it did. I found this quote somewhat Funny, somewhat Sad.

“They are running normally and their ransomware operations are pretty much back in full swing,” Holden said. “They are not slowing down because they still have a great deal of stolen data.”

Holden added that since news of the disruption first broke a week ago, the Russian-speaking cybercriminals behind Trickbot have been discussing how to recoup their losses, and have been toying with the idea of massively increasing the amount of money demanded from future ransomware victims.

“There is a conversation happening in the back channels,” Holden said. “Normally, they will ask for [a ransom amount] that is something like 10 percent of the victim company’s annual revenues. Now, some of the guys involved are talking about increasing that to 100 percent or 150 percent.”

[Edit to Amend Source Link based on https://news.ycombinator.com/item?id=24756681. Please refer to https://krebsonsecurity.com/2020/10/report-u-s-cyber-command...]

[Original Link] Report: U.S. Cyber Command Behind Trickbot Tricks https://nmap.online/news/2020/report-us-cyber-command-behind...


FWIW, your link is just blogspam. From a quick skim, it appears to be a copy/paste of another Krebs article, https://krebsonsecurity.com/2020/10/report-u-s-cyber-command....


Ok wow, I missed that and thanks for reporting it. If the edit window is still open I will amend the url link to reflect the source article. Oh & have an upvote :)


Can someone explain why this legal somersault is even needed to seize botnet servers?


I think this is allowing a civil case to be brought by Microsoft, and therefore the ability for them to bring their significant capital and legal counsel to bear, rather than just waiting for the criminal justice system to get around to doing something about it.


If Microsoft can make a civil suit and gain control of the botnet infra, rather than just get damages, can I get poisoned by a mine/factory and get equity in the factory?

What's weird is that presumably the botnet party, the natural counterparty, didn't show up in court, but MS appeals to a third party (domain registry) to get control of their assets rather than something more neutral for damages.

I'm no lawyer but this seems awfully weird.


The legal basis is that a court awards a remedy[1] for harm done (or being done). Often that's monetary damages, but it doesn't have to be. The court chooses what remedy is appropriate.

I'm not sure that's relevant though. This might just be a preliminary injunction[2] rather than a final decision, whereas your "get equity in the factory" seems to be thinking about a final remedy rather than a preliminary injunction sought to minimize ongoing damage.

[1] https://en.wikipedia.org/wiki/Legal_remedy [2] https://en.wikipedia.org/wiki/Injunction#Preliminary_injunct...


I sure hope it's a preliminary injunction! That would be like me taking temporary control of the factory smoke stack or discharge pipe. Great precedent in that case.


To cover their ass while they absolutely wreck Trickbot's network.


Because Microsoft is a vigilante looking for legal cover.


Don't vigilantes, by definition, work outside the law?


It's complicated. If I put up spikes to prevent people entering my garage, is that vigilantism?

Is it vigilantism to exterminate a beehive that a vandal drops on my customer's property?


If the spikes somehow lock the garage closed, that's security. If they're instead designed to impale people who force it open that's going to be illegal in most places even if trespassing is also a criminal offence there. Not least because the law may authorise people to force that garage open, and it doesn't want authorised people getting hurt, regardless of how you feel about that.


> Users subject to the negative effects of these malicious applications incorrectly believe that Microsoft and Windows are the source of their computing device problems. There is great risk that users may attribute this problem to Microsoft and associate these problems with Microsoft’s Windows products, thereby diluting and tarnishing the value of the Microsoft and Windows trademarks and brands.

So does this mean that anybody who made software for Windows 7 can sue Microsoft for the Windows 10 forced "optional" upgrade if it broke their software?

Could they seize Windows Update servers as part of their trademark suit?


I can’t tell what actually happened from this article. Were physical servers seized? I’m not sure I understand how trademark law would enable that versus just criminal prosecution.


My understanding is that Microsoft only attacked and seized their domains. I don't think they actually have remote control over the servers, and even if they have, the owners could simply just wipe and reinstall. And since these servers are physically located in countries like Russia or China I doubt Microsoft has the capability to do a physical seizing even if they wanted to.

That being said, and given the power corporations are gaining year by year, it will not be long before Microsoft will file to have their own SWAT team to physically seize or destroy computers and/or crackers.


Only the DNS root operators can seize domains. They did so pursuant to a US court order.


DNS root, TLD operators, and registers.


Registries and registrars.

The registry is a single entity that decides which names exist under a particular domain hierarchy; providing this capability might be contracted out to somebody else to do on behalf of the "real" owners of that domain. For example, the COM domain registry is operated by Verisign under contract.

One or more Registrars provide (mostly sell) the service of managing entries in that registry. For all the popular commercial TLDs there are multiple commercial registrars. The registrars have to abide by rules set by the registry (since if they did not the registry can just stop them providing any services) even if they are not under the same legal jurisdiction as the registry.

For the gTLDs the rules for this playing field are set by ICANN. It would like these rules to apply everywhere, but the ccTLDs are assigned to sovereign entities, and like a two year old, sovereign entities do not take kindly to being told what to do.


DNS root operators can only seize TLDs, not regular domain names.


"A court in Virginia granted Microsoft control over many Internet servers"

I'm waiting to hear the answer too. This sentence seems to be missing context in the rest of the article.


> A court in Virginia granted Microsoft control over many Internet servers Trickbot uses to plunder infected systems, based on novel claims that the crime machine abused the software giant’s trademarks.

> “Users subject to the negative effects of these malicious applications incorrectly believe that Microsoft and Windows are the source of their computing device problems. There is great risk that users may attribute this problem to Microsoft and associate these problems with Microsoft’s Windows products, thereby diluting and tarnishing the value of the Microsoft and Windows trademarks and brands.”

> Microsoft said it will leverage the seized Trickbot servers to identify and assist Windows users impacted by the Trickbot malware in cleaning the malware off of their systems.

> But so far it’s not clear whether Microsoft succeeded in commandeering all of Trickbot’s control servers, or when exactly the coordinated seizure of those servers occurred.


Yes, I read the article. Your quotes do not answer my question.


The article says it's not clear if it's happened or how.

Just because a court rules in one party's favor doesn't necessarily mean it applies outside of the jurisdiction of the court.

That being said if they were working in coordination with law enforcement then the servers could have at least been secured in a relatively short period of time.


I think not servers but IPs are seized (basically blocked).


“Trickbot, a global menace that has infected millions of [microsoft windows] computers and is used to spread ransomware.”

There, corrected for accuracy.



