Steve Wray wrote:
> I know that in certain jurisdictions, reaching out to someone else's
> computer (i.e. not your property) and disabling functionality on it
> could constitute a criminal act.
> I am also of the opinion that it was illegal under UK law.
> I sincerely hope that someone somewhere under such a jurisdiction
> goes to the police and reports the Clamav developers for such an
> offense.
Why?
<snip>
I don't. As already pointed out, there are enough threats to FOSS and
we don't need to be shooting ourselves in the collective foot over
this.
Jason Haar wrote:
> ClamAV devs: your response was appropriate. I speak on behalf of the 99%
> of sites unaffected by this. You can tell that as only 10 people seem to
> be involved in this thread.
Only 10 people who thought it worthwhile to put their hands up and
say something about it. There will be many who will have seen the
threads and decided they have nothing more to add than "me too", and
probably a fair number that are waiting for their friendly tech to
unbreak their appliance.
Jim Preston wrote:
> Well, prosecution would be justified if ClamAV had actually done
> something illegal. What they did was modify their signature
> database to support new features with advance notice and the fact
> that any particular installation of unsupported software failed to
> handle it properly is the onus of the owners / sysadmins of the
> individual systems. If you happen to fall into that category, then
> it is time to upgrade your system.
So, suppose you live on some lane where there's a problem with people
racing up and down at night on motorcycles with no lights etc. You've
remonstrated with them to be more responsible, but they've not
listened. Eventually, you put a notice up in your garden giving them
6 months to sort themselves out as then you'll be doing something
about it.
Do you really think the police and courts would accept an argument of
"it was their own fault, I warned them, they carried on so it's not
my fault they decapitated themselves with the wire I strung across
the lane"? There are so many areas where just telling someone you
are going to do something does NOT make it legal - and for good
reason.
You did not tell ME, therefore you did not have permission FROM ME to
make changes to the way MY server operates. Giving notice that you
are going to trespass does not make that trespass legal, even if you
had come directly to my door and told me in person - which of course
no-one did, even in computer terms of making any sort of related
message appear on my system.
Describing it as "issuing an update to signatures" is just semantics
- the signature was known to, and described as being solely to, break
the system (or at least the ClamAV element of it). No matter how the
server is configured, that is going to affect operations - either
stop mail from moving, or stop it being scanned.
You also cannot claim that my downloading of updates constitutes an
invite - it constitutes an invite to put AV sig updates on there for
the purpose of detecting new threats. A poison pill update doesn't
fit that description.
Jim Preston wrote:
> PS: They did explicitly request permission by allowing users to
> comment on their proposed changes for 6 months. Where were your
> objections during that time?
See above, that does NOT in any way constitute requesting my
permission. If you got up one morning and found your car gone from
the drive, I'd guess you'd call the police and report it stolen.
Would you accept it if the manufacturer had recalled it, and in lieu of
actually asking your personal permission, had placed an ad in a few
trade journals to say that they'd just be lifting them off owners'
drives? Would you accept that by not responding to one of those ads,
you'd given them permission? Do you think the police and courts
would?
Dave Warren wrote:
> ClamAV developers didn't reach out to anyone.
> Rather, most minimally competent ClamAV administrators configure their
> systems to connect to ClamAV's servers on a regular basis and download
> updated definition files.
That again is trying to use fine points of language to excuse
trespass. As stated above, the relation between users and the ClamAV
team is based on "by running Freshclam, the user is inviting the team
to supply AV updates for the purposes of detecting new threats" - and
I'm fairly sure that any reasonable person would consider it stopped
there.
By their own admission, the ClamAV team sent an update which was not
to detect new threats; it was specifically and solely to make certain
installations stop working properly. No ifs, buts or maybes, that
is the stated intention of the update.
It caused computer systems to stop working correctly, it was
deliberately designed to do so, and it was delivered in a manner that
could not be considered to be covered by the implied consent of
running Freshclam to fetch threat signature updates.
AND, it was not the only option available to them - so there isn't
even any defence of it being absolutely necessary "for the public
good".
--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.