Mailing List Archive

Re: (no subject) [ In reply to ]
Spiro Harvey wrote:

>So for 405 days you've done no kernel patches? Awesome. I bet that
>server's a bunch of remote exploits waiting to happen (if they haven't
>already).
>
>Using massive uptimes to prove how cool your server is actually just
>shows that you're not doing the right maintenance.

Or it could just be that applying a layered approach to security
means that those vulnerabilities that are there, aren't exploitable.
But then just running a fully up to date system is no guarantee - on
a different server we did get caught by a problem, one not fixed by
any kernel version available at the time from Debian. Solution -
turn off the features that exposed the vulnerability.

That's the only problem I've had, in several years of running
multiple public facing servers.

Risk is not black and white. Trying to eliminate risk is about as
fruitful as p***ing into the wind. Managing risk is a different
matter. There are risks in not updating, there are risks in updating
- how you weight those risks is a matter of preference, judgement,
and practicality.

You're entitled to your opinion - it just differs from mine.


>> 2) If it ain't broke - don't fix it. There's no way I'd attempt a
>> major upgrade in-place when it's a live server used 24*7. For various
>> internal reasons (which I'm sure you can guess) I don't have the
>> resources to do anything but an in-place upgrade if I want to upgrade.
>
>Well if they don't want patches on it, and they're not prepared to give
>you money to have a backup server to do upgrades on, then it can't be
>as critical as they're telling you.

Or it could be a reflection of management priorities - the job pays
the bills, it doesn't mean I like all of it.

>> 3) I can accept that software will go out of support - but I never
>> expected a Microsoft-esque remote shutdown.
>
>You should have expected it 6 months ago when the announcement was made.

Well I could have if I'd seen that - but that ground's been covered
to death already.
--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: (no subject) [ In reply to ]
>>> 2) If it ain't broke - don't fix it. There's no way I'd attempt a
>>> major upgrade in-place when it's a live server used 24*7. For
>>> various
>>> internal reasons (which I'm sure you can guess) I don't have the
>>> resources to do anything but an in-place upgrade if I want to
>>> upgrade.
>>
>> Well if they don't want patches on it, and they're not prepared to
>> give
>> you money to have a backup server to do upgrades on, then it can't be
>> as critical as they're telling you.
>
> Or it could be a reflection of management priorities - the job pays
> the bills, it doesn't mean I like all of it.

Yes, and most likely the case, and most likely the managers screaming
that it should not have failed because they did not authorize the
server to fail. And yes, this is a weak attempt at humor on my part and
not in need of retort.

>
>>> 3) I can accept that software will go out of support - but I never
>>> expected a Microsoft-esque remote shutdown.
>>
>> You should have expected it 6 months ago when the announcement was
>> made.
>
> Well I could have if I'd seen that - but that ground's been covered
> to death already.

But on a more serious note, what method would you like to have had
them take to make you aware of the impending failure? I think they did
due diligence although they failed to provide a link to the EOL page
which should have been prominently displayed on the page the ClamAV
log warning links to. If there are more notification methods they
should have used, then that is where improvement should be made not
debating if they should protect users from signature and other
improvements that may break unsupported versions...

> --
> Simon Hobson
>
>

Re: (no subject) [ In reply to ]
>Yes, and most likely the case and most likely the managers screaming
>that it should not have failed because they did not authorize the
>server to fail. And yes this a weak attempt at humor on my part and
>not in need of retort.

Not so weak - but it sounds like you've met some of my past managers !

--
Simon Hobson

Re: (no subject) [ In reply to ]
On 4/19/10 9:22 AM, Jim Preston wrote:

>
> But on a more serious note, what method would you like to have had them
> take to make you aware of the impending failure?

The question wasn't directed to me but I'd like to see them be more selective as
to who should be allowed to use this product. Maybe an IQ test.

dp

Re: (no subject) [ In reply to ]
Dennis Peterson wrote:

>The question wasn't directed to me but I'd like to see them be more
>selective as to who should be allowed to use this product. Maybe an
>IQ test.

Really, that is an insulting statement - and completely uncalled for.
It's exactly the sort of attitude that drives people away from the
FOSS movement - an almost religious zeal in supporting a closed shop
mentality.

On one hand, people see a FOSS world inhabited by these religious
zealots espousing the notion that to use a computer you must be some
sort of uber nerd, fluent in multiple languages, and capable of
programming a bare metal computer by thought transference (OK, so
that's a slight exaggeration !). On the other hand, they see
commercial offerings that appear to be made by people who actually
care about people using their stuff - i.e. making it usable by mere
human beings.

Some people in the FOSS movement understand this - that's why there's
so much work to make things usable by "ordinary people". It's just a
pity there are still the bigots around espousing your view.

Now, if you want a project that employs such restrictions - go and
build one. Being under an open licence, this one is available to all
- either like it or lump it, but either way, keep your insults to
yourself.

--
Simon Hobson

Re: (no subject) [ In reply to ]
On Mon, 2010-04-19 at 17:28 -0700, Dennis Peterson wrote:
[...]
> The question wasn't directed to me but I'd like to see them be more selective as
> to who should be allowed to use this product. Maybe an IQ test.

No. Everyone should be allowed to shoot themselves in the foot - with
free/open source or proprietary software.

Bernd
--
Bernd Petrovitsch Email : bernd@petrovitsch.priv.at
LUGA : http://www.luga.at

Re: (no subject) [ In reply to ]
Spiro Harvey wrote:
>> Shame you haven't talked to others - like havp for example - before
>> doing this.
>
> The announcement to EOL the old releases was made at the start of
> October last year. If people using clam as an integral part of their
> software don't read announcements, what fault is that of the clam
> developers?
>
> They had 6 months to sort it out.

The thing is that there are a few little issues here that, as points of law,
are not clear yet. In what follows words like 'vendor' may not be used
with entire legal precision, IANAL, but I am certain that with a bit of
squinting my meaning will be clear.

I know that in certain jurisdictions, reaching out to someone else's
computer (i.e. not your property) and disabling functionality on it could
constitute a criminal act.

I sincerely hope that someone somewhere under such a jurisdiction goes to
the police and reports the Clamav developers for such an offense.

Why?

Because Clamav is now in the same category as Apple, Amazon and Sony (to
name three that come to mind right away). This is the category of vendors
who have remotely disabled (or removed) software running on computers or
devices belonging to their customers. Not on computers or devices belonging
to the vendor and which are leased to customers, but the *property* of
those customers.

I believe that this is extremely inappropriate behavior for *any* vendor. I
am shocked that an OSS vendor would even consider such an action.

Note the massive amount of negative press that Amazon got for remotely
deleting copies of George Orwell's 1984 from the Kindle. Sony have recently
started remotely disabling Linux functionality on the PS3 iirc. Do we
really want the OSS community to be tarred with the same brush?

This kind of high-handed arrogance NEEDS to be put down and hard.

I imagine that the Clamav team would be hard put to raise a decent legal
defense against this and, so, if they lose such a case a legal precedent
could be set which could conceivably deter this kind of thing from larger
organisations.

I would really love to see that happen even if it destroys the Clamav project.

No hard feelings against them, but if Clamav want to set themselves up as
sacrificial lambs to test a point of law and it ultimately benefits society
at large, great.




--
Please remember that an email is just like a postcard; it is not
confidential nor private nor secure and can be read by many other people
than the intended recipient. A postcard can be read by anyone at the mail
sorting office and expecting what is written on it to be private and secret
is not realistic. Please hold no higher expectation of email.

If you need to send confidential information in an email you need to use
encryption. PGP is Pretty good for this.
Re: (no subject) [ In reply to ]
On 04/21/2010 02:36 PM, Steve Wray wrote:
>
> Because Clamav is now in the same category as Apple, Amazon and Sony
> (to name three that come to mind right away). This is the category of
> vendors who have remotely disabled (or removed) software running on
> computers or devices belonging to their customers. Not on computers or
> devices belonging to the vendor and which are leased to customers, but
> the *property* of those customers.
.......
> I would really love to see that happen even if it destroys the Clamav
> project.

Whoah! Really long brush you've got there... I invoke GODWIN'S LAW on
this thread. If people developing Open Source software took your threats
seriously - THERE WOULD BE NO OPEN SOURCE

ClamAV devs: your response was appropriate. I speak on behalf of the 99%
of sites unaffected by this. You can tell that as only 10 people seem to
be involved in this thread.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: (no subject) [ In reply to ]
Steve Wray wrote:
> Spiro Harvey wrote:
>>> Shame you haven't talked to others - like havp for example - before
>>> doing this.
>>
>> The announcement to EOL the old releases was made at the start of
>> October last year. If people using clam as an integral part of their
>> software don't read announcements, what fault is that of the clam
>> developers?
>>
>> They had 6 months to sort it out.
>
> The thing is that there are a few little issues here that, as points
> of law, are not clear yet. In what follows words like 'vendor' may not
> be used with entire legal precision, IANAL, but I am certain that with
> a bit of squinting my meaning will be clear.
>
> I know that in certain jurisdictions, reaching out to someone else's
> computer (i.e. not your property) and disabling functionality on it
> could constitute a criminal act.
>
> I sincerely hope that someone somewhere under such a jurisdiction goes
> to the police and reports the Clamav developers for such an offense.
>
> Why?
>
> Because Clamav is now in the same category as Apple, Amazon and Sony
> (to name three that come to mind right away). This is the category of
> vendors who have remotely disabled (or removed) software running on
> computers or devices belonging to their customers. Not on computers or
> devices belonging to the vendor and which are leased to customers, but
> the *property* of those customers.
>
> I believe that this is extremely inappropriate behavior for *any*
> vendor. I am shocked that an OSS vendor would even consider such an
> action.
>
> Note the massive amount of negative press that Amazon got for remotely
> deleting copies of George Orwell's 1984 from the Kindle. Sony have
> recently started remotely disabling Linux functionality on the PS3
> iirc. Do we really want the OSS community to be tarred with the same
> brush?
>
> This kind of high-handed arrogance NEEDS to be put down and hard.
>
> I imagine that the Clamav team would be hard put to raise a decent
> legal defense against this and, so, if they lose such a case a legal
> precedent could be set which could conceivably deter this kind of
> thing from larger organisations.
>
> I would really love to see that happen even if it destroys the Clamav
> project.
>
> No hard feelings against them, but if Clamav want to set themselves up
> as sacrificial lambs to test a point of law and it ultimately benefits
> society at large, great.

Well, prosecution would be justified if ClamAV had actually done
something illegal. What they did was modify their signature database to
support new features with advance notice and the fact that any
particular installation of unsupported software failed to handle it
properly is the onus of the owners / sysadmins of the individual
systems. If you happen to fall into that category, then it is time to
upgrade your system.

Jim
Re: (no subject) [ In reply to ]
Jim Preston wrote:
> Steve Wray wrote:
>> Spiro Harvey wrote:
>>>> Shame you haven't talked to others - like havp for example - before
>>>> doing this.
>>>
>>> The announcement to EOL the old releases was made at the start of
>>> October last year. If people using clam as an integral part of their
>>> software don't read announcements, what fault is that of the clam
>>> developers?
>>>
>>> They had 6 months to sort it out.
>>
>> The thing is that there are a few little issues here that, as points
>> of law, are not clear yet. In what follows words like 'vendor' may not
>> be used with entire legal precision, IANAL, but I am certain that with
>> a bit of squinting my meaning will be clear.
>>
>> I know that in certain jurisdictions, reaching out to someone else's
>> computer (i.e. not your property) and disabling functionality on it
>> could constitute a criminal act.
>>
>> I sincerely hope that someone somewhere under such a jurisdiction goes
>> to the police and reports the Clamav developers for such an offense.
>>
>> Why?
>>
>> Because Clamav is now in the same category as Apple, Amazon and Sony
>> (to name three that come to mind right away). This is the category of
>> vendors who have remotely disabled (or removed) software running on
>> computers or devices belonging to their customers. Not on computers or
>> devices belonging to the vendor and which are leased to customers, but
>> the *property* of those customers.
>>
>> I believe that this is extremely inappropriate behavior for *any*
>> vendor. I am shocked that an OSS vendor would even consider such an
>> action.
>>
>> Note the massive amount of negative press that Amazon got for remotely
>> deleting copies of George Orwell's 1984 from the Kindle. Sony have
>> recently started remotely disabling Linux functionality on the PS3
>> iirc. Do we really want the OSS community to be tarred with the same
>> brush?
>>
>> This kind of high-handed arrogance NEEDS to be put down and hard.
>>
>> I imagine that the Clamav team would be hard put to raise a decent
>> legal defense against this and, so, if they lose such a case a legal
>> precedent could be set which could conceivably deter this kind of
>> thing from larger organisations.
>>
>> I would really love to see that happen even if it destroys the Clamav
>> project.
>>
>> No hard feelings against them, but if Clamav want to set themselves up
>> as sacrificial lambs to test a point of law and it ultimately benefits
>> society at large, great.
>
> Well, prosecution would be justified if ClamAV had actually done
> something illegal. What they did was modify their signature database to
> support new features with advance notice and the fact that any
> particular installation of unsupported software failed to handle it
> properly is the onus of the owners / sysadmins of the individual
> systems. If you happen to fall into that category, then it is time to
> upgrade your system.

I am not a lawyer but I do think that this is something that the
authorities might possibly examine.

I do think that pushing out an update which disables functionality without
explicitly requesting permission to make such a change *before* making that
change *should* be criminal.

I.e.: without someone on the server which is about to have a service stopped
having to at least press the 'y' key on their keyboard, for example.

This kind of thing really is extremely arrogant, I can see no other way to
put it. Sorry if that offends.




--
Re: (no subject) [ In reply to ]
Well, prosecution would be justified if ClamAV had actually done
something illegal. What they did was modify their signature database to
support new features with advance notice and the fact that any
particular installation of unsupported software failed to handle it
properly is the onus of the owners / sysadmins of the individual
systems. If you happen to fall into that category, then it is time to
upgrade your system.
>
> I am not a lawyer but I do think that this is something that the
> authorities might possibly examine.
>
> I do think that pushing out an update which disables functionality
> without explicitly requesting permission to make such a change
> *before* making that change *should* be criminal.
>
> I.e.: without someone on the server which is about to have a service
> stopped having to at least press the 'y' key on their keyboard, for
> example.
>
> This kind of thing really is extremely arrogant, I can see no other
> way to put it. Sorry if that offends.

And I am sure that authorities will examine it and I sincerely hope they
waste as much of YOUR tax dollars as possible doing so.

And no offense taken by your posting.

Jim
Re: (no subject) [ In reply to ]
Steve Wray wrote:
> I am not a lawyer but I do think that this is something that the
> authorities might possibly examine.
>
> I do think that pushing out an update which disables functionality
> without explicitly requesting permission to make such a change
> *before* making that change *should* be criminal.
>
> I.e.: without someone on the server which is about to have a service
> stopped having to at least press the 'y' key on their keyboard, for
> example.
>
> This kind of thing really is extremely arrogant, I can see no other
> way to put it. Sorry if that offends.
>
PS: They did explicitly request permission by allowing users to comment
on their proposed changes for 6 months. Where were your objections
during that time?

Jim
Re: (no subject) [ In reply to ]
On 4/21/10 05:38 , Jim Preston wrote:
> Steve Wray wrote:
>> I am not a lawyer but I do think that this is something that the
>> authorities might possibly examine.
>>
>> I do think that pushing out an update which disables functionality
>> without explicitly requesting permission to make such a change
>> *before* making that change *should* be criminal.
>>
>> I.e.: without someone on the server which is about to have a service
>> stopped having to at least press the 'y' key on their keyboard, for
>> example.
>>
>> This kind of thing really is extremely arrogant, I can see no other
>> way to put it. Sorry if that offends.
>>
> PS: They did explicitly request permission by allowing users to
> comment on their proposed changes for 6 months. Where were your
> objections during that time?
>
> Jim
I always chuckle when "aggressors" shoot themselves in the foot like
that... Shows they've not actually READ the threads, and just jump on
their high horses like righteous knights...
I was itching to type that reply, but - more like a just knight than a
righteous knight <G> - first read the rest of the posts... Thank you for
doing it, so I don't "have" to get in to the discussion again...

--FP
Thinking it's always good to realize there's people standing behind you
Re: (no subject) [ In reply to ]
On Tue, 2010-04-20 at 20:34 -0700, Jim Preston wrote:
> Well, prosecution would be justified if ClamAV had actually done
> something illegal.

They did. Releasing 'code' that they knew had a potential to harm or
interfere with the operation of systems. It's a clearly defined CRIMINAL
offence in my part of the world. I suspect that this state of affairs is
also true in the USA if the case of Gary McKinnon is used as a point of
reference. Perhaps, Jim, you would like to offer the name and address of
the person pushing this code out if it does not bother you at all? I'm
sure there are a few pissed people in the UK and Europe who would like
to even the score up on behalf of Gary McKinnon.

It is also clearly a case of blackmail. 'If you don't do this, I will
break that' - again, that is a criminal offence in most parts of the
civilised world. (I do accept that this may have been the work of
*Americans* who may have lower moral and ethical standards than the rest
of the world).

The correct thing to do would be to warn users of older versions that no
update was possible, leaving it running. Not to deliberately and
purposely crash it, and anything that depends on it. The mechanism
clearly exists to do that, no??:

WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.94.2 Recommended version: 0.96

It was notable to see the difficulty people had trying to update. Try
googling this: 'update clamav', first hit:
http://www.clamav.net/lang/en/
Now, from that link, try and find instructions on *how* to upgrade. It's
pretty appalling to find the info needed. It's fair to say you've had a
number of months to make sure that good, easy to find information is
easy to find in order to match the carnage you knew it would create for
some people. Sure, there is an email support list, but when clam has
crashed your mail server, that's about as much use as a chocolate tea
pot.

But in all of this ding dong something else rather amazing strikes me.
In a world of over 6 billion people there was not much noise made about
this in real terms, which may suggest just how insignificant CLAM is as
a project - this rather amuses me given the clear intent of breaking
systems was, in my view, more sinister. I hold the opinion that it was,
in part, an attempt to get people to notice CLAM and how they depend on
it, and in reality only a handful of people in this big wide world even
noticed it. It did not even make news anywhere. In fact, all it has done
is piss off a few people who may well stop using it - after all, it's
mostly only protecting windows machines at the gateway, and it does such
a poor job of it they all tend to rely on local AV anyway. Save the
clock cycles and future hassle and ditch it being plausible advice.


I'm sure the big players like Trend & Barracuda who sell CLAM in their
own products were not hurt by this spiteful, malicious and wicked act.
Nor was I. I guess they are used to issues with CLAM having to make
daily apologies for all the stuff it misses, let alone this little
moment in its history. The people who probably suffered were just a
chunk of small businesses struggling to make ends meet, tiny clinics in
the middle of Africa hanging off a dial-up, or other groups with not
much money or time. I'm sure they really needed the hassle of this on
top of everything else. I do hope your mother would be very proud of
you :-)

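The OUTDATED warning quoted in the post above is the signal a defender can act on before an unsupported release stops working. As an added example (not code from the thread or from the ClamAV project), here is a small Python check that scans freshclam-style log lines for that warning, compares the local version against the recommended one, and flags installs below an EOL cut-off; the sample log lines and the 0.95 cut-off are constructed assumptions, not values taken from the page.

```python
import re
from typing import List, Tuple

# Constructed sample freshclam-style log excerpt (not from the thread); the two
# WARNING lines follow the format quoted in the post above.
SAMPLE_LOG = """\
Mon Apr 19 09:22:01 2010 -> ClamAV update process started at Mon Apr 19 09:22:01 2010
Mon Apr 19 09:22:03 2010 -> WARNING: Your ClamAV installation is OUTDATED!
Mon Apr 19 09:22:03 2010 -> WARNING: Local version: 0.94.2 Recommended version: 0.96
Mon Apr 19 09:22:05 2010 -> main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
"""

# Assumed EOL cut-off: releases below this are treated as unsupported. This is a
# placeholder for the value in the project's own EOL announcement, not a fact
# taken from the thread.
EOL_MIN_VERSION: Tuple[int, ...] = (0, 95)

VERSION_LINE = re.compile(
    r"WARNING: Local version: (?P<local>[0-9.]+)\s+"
    r"Recommended version: (?P<recommended>[0-9.]+)"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.94.2' into (0, 94, 2) so tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def find_version_warnings(log_text: str) -> List[Tuple[str, str]]:
    """Return (local, recommended) pairs for every OUTDATED version line."""
    pairs = []
    for line in log_text.splitlines():
        match = VERSION_LINE.search(line)
        if match:
            pairs.append((match.group("local"), match.group("recommended")))
    return pairs


def classify(local: str, recommended: str,
             eol_min: Tuple[int, ...] = EOL_MIN_VERSION) -> str:
    """Classify an install as 'current', 'outdated' (supported but behind the
    recommended release) or 'eol' (below the assumed cut-off, so signature
    updates may stop working for it)."""
    local_v = parse_version(local)
    if local_v < eol_min:
        return "eol"
    if local_v < parse_version(recommended):
        return "outdated"
    return "current"


def check_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Scan a log excerpt and return (local, recommended, status) triples;
    an empty list means no OUTDATED version warning was seen."""
    return [(loc, rec, classify(loc, rec))
            for loc, rec in find_version_warnings(log_text)]


if __name__ == "__main__":
    for local, recommended, status in check_log(SAMPLE_LOG):
        print(f"local={local} recommended={recommended} status={status}")
```

An "eol" result is the one to page on: the install is below the cut-off, not merely behind the latest release.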
Re: (no subject) [ In reply to ]
> From: clamav-users-bounces@lists.clamav.net [mailto:clamav-users-
> bounces@lists.clamav.net] On Behalf Of Jim Preston
> Steve Wray wrote:
> > Spiro Harvey wrote:
> >>> Shame you haven't talked to others - like havp for example -
> before
> >>> doing this.
> >>
> >> The announcement to EOL the old releases was made at the start of
> >> October last year. If people using clam as an integral part of their
> >> software don't read announcements, what fault is that of the clam
> >> developers?
> >>
> >> They had 6 months to sort it out.
> >
> > The thing is that there are a few little issues here that, as points
> > of law, are not clear yet. In what follows words like 'vendor' may not
> > be used with entire legal precision, IANAL, but I am certain that with
> > a bit of squinting my meaning will be clear.
> >
> > I know that in certain jurisdictions, reaching out to someone else's
> > computer (i.e. not your property) and disabling functionality on it
> > could constitute a criminal act.
> >
> > I sincerely hope that someone somewhere under such a jurisdiction
> goes
> > to the police and reports the Clamav developers for such an offense.
> > ....
> > ....
>
> Well, prosecution would be justified if ClamAV had actually done
> something illegal. What they did was modify their signature database
> to
> support new features with advance notice and the fact that any
> particular installation of unsupported software failed to handle it
> properly is the onus of the owners / sysadmins of the individual
> systems. If you happen to fall into that category, then it is time to
> upgrade your system.
>

If it ain't broke - don't fix it
People, it is broken because YOU didn't want to fix it.
There was a message (not everybody saw the message but it was there) and every deb, rpm, god knows which format developer/owner/maker who cares about his product had 6 months to FIX it so the system wasn't going to break.

If you
- compiled by hand: it's your problem
- installed a deb/rpm and your distro isn't updating because you didn't want to upgrade it: your problem
Who are you going to beat if your system is hacked? Debian/ubuntu/RedHat
- installed a deb/rpm and your distro isn't updating because your distro is EOL: it's your problem
Who are you going to beat if your system is hacked? Debian/ubuntu/RedHat

If your lock of the front door is very easy to break open do you want to change locks?


People please forget stupid child plays like my uptime is bigger than your uptime.

The system broke because of a good reason (more/better signatures) so update.
If you don't want to update your complete server buy a very small new one ($400) and install only clamav on it or install it with vmware/kvm/xen/....


kind regards,
 
Maurice Lucas
 
TAOS-IT
………………………………………………………………....
Paulus Buijsstraat 191
2613 HR  Delft
www.taos-it.nl
KvK Haaglanden nr. 27254410
 
Think of the environment; is printing this e-mail really necessary?


Re: (no subject) [ In reply to ]
In message <4BCE64A1.8040601@cwa.co.nz> Steve Wray
<steve.wray@cwa.co.nz> was claimed to have written:

>The thing is that there are a few little issues here that, as points of law,
>are not clear yet. In what follows words like 'vendor' may not be used
>with entire legal precision, IANAL, but I am certain that with a bit of
>squinting my meaning will be clear.
>
>I know that in certain jurisdictions, reaching out to someone else's
>computer (i.e. not your property) and disabling functionality on it could
>constitute a criminal act.

ClamAV developers didn't reach out to anyone.

Rather, most minimally competent ClamAV administrators configure their
systems to connect to ClamAV's servers on a regular basis and download
updated definition files.

More importantly, administrators configured their systems to stop
flowing mail in the event of a ClamAV failure. This is a configuration
choice, it's fairly trivial to configure mail to flow through unscanned
if you value a false sense of security over the potential of an outage.

Re: (no subject) [ In reply to ]
> -----Original Message-----
> From: clamav-users-bounces@lists.clamav.net [mailto:clamav-users-
> bounces@lists.clamav.net] On Behalf Of lists
> Sent: Wednesday 21 April 2010 8:10
> To: ClamAV users ML
> Subject: Re: [Clamav-users] (no subject)
>
> On Tue, 2010-04-20 at 20:34 -0700, Jim Preston wrote:
> > Well, prosecution would be justified if ClamAV had actually done
> > something illegal.
>
> They did. Releasing 'code' that they knew had a potential to harm or
> interfere with the operation of systems. It's a clearly defined
> CRIMINAL
> offence in my part of the world. I suspect that this state of affairs
> is
> also true in the USA if the case of Gary McKinnon is used as a point of
> reference. Perhaps, Jim, you would like to offer the name and address
> of
> the person pushing this code out if it does not bother you at all? I'm
> sure there are a few pissed people in the UK and Europe who would like
> to even the score up on behalf of Gary McKinnon.
>
> It is also clearly a case of blackmail. 'If you don't do this, I will
> break that' - again, that is a criminal offence in most parts of the
> civilised world. (I do accept that this may have been the work of
> *Americans* who may have lower moral and ethical standards than the
> rest
> of the world).

Please show us some evidence that clamav made you install their free product on your server.
Why didn't you install "some other product"?
Is it your server? Then you have the power to install every product you want onto the machine, but YOU chose Clamav, and they didn't order, pay or beat you to death if you didn't install their product.



Kind regards,
 
Maurice Lucas
 
TAOS-IT
Paulus Buijsstraat 191
2613 HR  Delft
www.taos-it.nl
KvK Haaglanden nr. 27254410
 
  Think of the environment; is printing this e-mail really necessary?


Re: (no subject) [ In reply to ]
On Wed, 2010-04-21 at 08:27 +0200, Maurice Lucas - TAOS-IT wrote:
> > -----Original Message-----
> > From: clamav-users-bounces@lists.clamav.net [mailto:clamav-users-
> > bounces@lists.clamav.net] On Behalf Of lists
> > Sent: Wednesday 21 April 2010 8:10
> > To: ClamAV users ML
> > Subject: Re: [Clamav-users] (no subject)
> >
> > On Tue, 2010-04-20 at 20:34 -0700, Jim Preston wrote:
> > > Well, prosecution would be justified if ClamAV had actually done
> > > something illegal.
> >
> > They did. Releasing 'code' that they knew had a potential to harm or
> > interfere with the operation of systems. It's a clearly defined CRIMINAL
> > offence in my part of the world. I suspect that this state of affairs is
> > also true in the USA if the case of Gary McKinnon is used as a point of
> > reference. Perhaps, Jim, you would like to offer the name and address of
> > the person pushing this code out if it does not bother you at all? I'm
> > sure there are a few pissed people in the UK and Europe who would like
> > to even the score up on behalf of Gary McKinnon.
> >
> > It is also clearly a case of blackmail. 'If you don't do this, I will
> > break that' - again, that is a criminal offence in most parts of the
> > civilised world. (I do accept that this may have been the work of
> > *Americans* who may have lower moral and ethical standards than the rest
> > of the world).
>
> Please show us some evidence that clamav made you install their free product on your server.
> Why didn't you install "some other product"?
> Is it your server? Then you have the power to install every product you want onto the machine, but YOU chose Clamav, and they didn't order, pay or beat you to death if you didn't install their product.
>
Doesn't change a thing. If you threaten me with a course of action, if I
fail to do something that is blackmail. It's nothing else. It does not
matter if the product is free.

For instance, if I go to a shop and they give me a radio free. I take
that radio home and use it. If that shop then calls me up and says 'If
you don't change that radio, I'm going to break it' it is a case of
blackmail.

Have a nice day :-)

Re: (no subject) [ In reply to ]
Steve Wray wrote:

>I know that in certain jurisdictions, reaching out to someone else's
>computer (ie not your property) and disabling functionality on it
>could constitute a criminal act.

I am also of the opinion that it was illegal under UK law.

>I sincerely hope that someone somewhere under such a jurisdiction
>goes to the police and reports the Clamav developers for such an
>offense.
>
>Why?
<snip>

I don't. As already pointed out, there are enough threats to FOSS and
we don't need to be shooting ourselves in the collective foot over
this.


Jason Haar wrote:

>ClamAV devs: your response was appropriate. I speak on behalf of the 99%
>of sites unaffected by this. You can tell that as only 10 people seem to
>be involved in this thread.

Only 10 people who thought it worth while to put their hands up and
say something about it. There will be many who will have seen the
threads and decided they have nothing more to add than "me too", and
probably a fair number that are waiting for their friendly tech to
unbreak their appliance.


Jim Preston wrote:

>Well, prosecution would be justified if ClamAV had actually done
>something illegal. What they did was modify their signature
>database to support new features with advance notice and the fact
>that any particular installation of unsupported software failed to
>handle it properly is the onus of the owners / sysadmins of the
>individual systems. If you happen to fall into that category, then
>it is time to upgrade your system.

So, suppose you live on some lane where there's a problem with people
racing up and down at night on motorcycles with no lights etc. You've
remonstrated with them to be more responsible, but they've not
listened. Eventually, you put a notice up in your garden giving them
6 months to sort themselves out as then you'll be doing something
about it.
Do you really think the police and courts would accept an argument of
"it was their own fault, I warned them, they carried on so it's not
my fault they decapitated themselves with the wire I strung across
the lane" ? There are so many areas where just telling someone you
are going to do something does NOT make it legal - and for good
reason.

You did not tell ME, therefore you did not have permission FROM ME to
make changes to the way MY server operates. Giving notice that you
are going to trespass does not make that trespass legal, even if you
had come directly to my door and told me in person - which of course
no-one did even in computer terms of making any sort of related
message appear on my system.
Describing it as "issuing an update to signatures" is just semantics
- the signature was known to, and described as being solely to, break
the system (or at least the ClamAV element of it). No matter how the
server is configured, that is going to affect operations - either
stop mail from moving, or stop it being scanned.
You also cannot claim that my downloading of updates constitutes an
invite - it constitutes an invite to put AV sig updates on there for
the purpose of detecting new threats. A poison pill update doesn't
fit that description.


Jim Preston wrote:

>PS: They did explicitly request permission by allowing users to
>comment on their proposed changes for 6 months. Where were your
>objections during that time?

See above, that does NOT in any way constitute requesting my
permission. If you got up one morning and found your car gone from
the drive, I'd guess you'd call the police and report it stolen.
Would you accept if the manufacturer had recalled it, and in lieu of
actually asking your personal permission, had placed an ad in a few
trade journals to say that they'd just be lifting them off owners'
drives ? Would you accept that by not responding to one of those ads,
you'd given them permission ? Do you think the police and courts
would ?


Dave Warren wrote:

>ClamAV developers didn't reach out to anyone.
>
>Rather, most minimally competent ClamAV administrators configure their
>systems to connect to ClamAV's servers on a regular basis and download
>updated definition files.

That again is trying to use fine points of language to excuse
trespass. As stated above, the relation between users and the ClamAV
team is based on "by running Freshclam, the user is inviting the team
to supply AV updates for the purposes of detecting new threats" - and
I'm fairly sure that any reasonable person would consider it stopped
there.

By their own admission, the ClamAV team send an update which was not
to detect new threats, it was specifically and solely to make certain
installations stop working properly. No ifs, buts or maybes, that
is the stated intention of the update.

It caused computer systems to stop working correctly, it was
deliberately designed to do so, and it was delivered in a manner that
could not be considered to be covered by the implied consent of
running Freshclam to fetch threat signature updates.

AND, it was not the only option available to them - so there isn't
even any defence of it being absolutely necessary "for the public
good".

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
Re: (no subject) [ In reply to ]
In message <1271831753.5073.28.camel@localhost>, lists writes:
>For instance, if I go to a shop and they give me a radio free. I take
>that radio home and use it. If that shop then calls me up and says 'If
>you don't change that radio, I'm going to break it' it is a case of
>blackmail.

A better analogy would be that the shop calls you up to say "We're
switching to digital, your analog radio will stop working in six
months", and, in six months time, the radio no longer has anything to
listen to...

//Christer

--
| Hagåkersgatan 18C | Phone: Home +46 31 43 52 03 CTH: +46 31 772 5431 |
| S-431 41 Mölndal | Cell: +46 707 53 57 57 |
| Sweden | Mail: mort@chalmers.se |
"An NT server can be run by an idiot, and usually is." -- Tom Holub, a.h.b-o-i


Re: (no subject) [ In reply to ]
On Wed, 21 Apr 2010 08:20:08 +0200
Maurice Lucas - TAOS-IT <mslucas@taos-it.nl> wrote:

> If your lock of the front door is very easy to break open do you want to change locks?

Sorry to jump in.
There is a pretty famous film made by Michael Moore where he tested exactly
this topic (closed doors) in Canada and found out that leaving doors unlocked
right away can indeed make more sense than shooting anybody coming in because
of one's own paranoia.
If one really does not have the moral insight to understand that you never
should harm others' systems only because you feel that it is your right to do
so, well, how would you argue with someone like that?
Isn't the project all about fighting software that tries to harm your computer
_somehow_?
I see no signs that the project team feels it has crossed a line it
shouldn't have. And that is even more sad. Nobody beats you for making a
mistake. People only beat you for not being able to learn from it and simply
say "sorry, we did not foresee the problems we created. This was not our
intention. We try to avoid this in the future."
Instead they only say "Bad luck. Your fault. Expect equivalent for future
releases."
There have already been projects in the past that suffered a lot from such a
point of view. The ones still alive mostly got forked.
Btw, I was not hit by the problem - this time.

> [...]
> Kind regards,
>  
> Maurice Lucas


--
Regards,
Stephan

Re: (no subject) [ In reply to ]
Christer Boräng wrote:
>In message <1271831753.5073.28.camel@localhost>, lists writes:
>>For instance, if I go to a shop and they give me a radio free. I take
>>that radio home and use it. If that shop then calls me up and says 'If
>>you don't change that radio, I'm going to break it' it is a case of
>>blackmail.
>
>A better analogy would be that the shop calls you up to say "We're
>switching to digital, your analog radio will stop working in six
>months", and, in six months time, the radio no longer has anything to
>listen to...

Not a good analogy either.
If you want to use that one, it's more like a
major broadcaster deciding to go digital - and
then coming round to blow up your radio to stop
you listening to the local station you actually
want to listen to that is still on analogue.
--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
Re: (no subject) [ In reply to ]
On Wed, 21 Apr 2010 08:15:35 +0100
Simon Hobson <linux@thehobsons.co.uk> articulated:

[snip]

I had thought by now that this thread would have died a natural death.
Obviously, I was mistaken. It has continued to pollute this forum for
nearly a week.

What has become conspicuously apparent is that if those who are doing
the most complaining had spent even one percent of that time keeping
their systems up-to-date and keeping themselves abreast of current
development and deployment strategies with the software they employ,
this whole discussion would be academic.

In the interest of eliminating any further waste of my time or computer
resources, I am now instigating a kill filter on this thread.

Have a nice day!

--
Jerry
ClamAV.user@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__________________________________________________________________

Re: (no subject) [ In reply to ]
Jerry wrote:

> What has become conspicuously apparent is that if those who are doing
> the most complaining had spend even one percent of that time keeping
> their systems up-to-date and keeping themselves abreast of current
> development and deployment strategies with the software they employ,
> this whole discussion would be academic.
>
> In the interest of eliminating any further waste of my time or computer
> resources, I am now instigating a kill filter on this thread.

+1


--

Q: Because it reverses the logical flow of conversation.
A: Why is putting a reply at the top of the message frowned upon?
Re: (no subject) [ In reply to ]
> > In the interest of eliminating any further waste of my time or
> > computer resources, I am now instigating a kill filter on this
> > thread.
>
> +1

+1
