Robert Wyatt wrote:
> Simon Hobson wrote:
>> The **ONLY** defence I can think of is that they assumed an implicit
>> permission by virtue of the user running the update process to fetch
>> signature updates. That's a very tenuous thing to infer when pushing an
>> update that is so different in purpose to what would normally be fetched.
>
> Well, it's not the only defense that I can think of. For exactly how
> long had this message appeared before the ClamAV engine actually died?
>
> LibClamAV Warning: ****************************************************
> LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
> LibClamAV Warning: *** DON’T PANIC! Read http://www.clamav.net/support/faq ***
> LibClamAV Warning: *****************************************************
>
> ... they're called "idiot lights" for a reason and are disregarded at
> the user's peril.

I believe that best practice with this sort of thing is to only issue
warnings and not to actually force a potentially harmful change without
*express* consent of the user.
I.e.: NOT passive or implicit consent.
Making potentially harmful changes based only on passive or implicit
consent is... well, 'inconsiderate' is about as mild a phrase as I care to use.
--
Please remember that an email is just like a postcard; it is not
confidential nor private nor secure and can be read by many other people
than the intended recipient. A postcard can be read by anyone at the mail
sorting office and expecting what is written on it to be private and secret
is not realistic. Please hold no higher expectation of email.
If you need to send confidential information in an email you need to use
encryption. PGP is Pretty good for this.