We were discussing this [1] a bit here at the office when a coworker (a non-IT guy) who was part of the conversation was listening in and dropped in the question: if an end user's computer is compromised, who would be legally liable for any harm and financial loss that might be caused by.
Which got us a bit baffled since we don't speak legalese, so it would be good if this gets cleared up for us.
The argument he was making was that if an end user's computer gets compromised due to a default configuration, not an exploited bug in software, and it can be proven without a shadow of doubt that it was the cause for the harm and any financial loss that the...
The novice end user has absolutely no idea what ssh is and what it's used for.
The end user has not agreed to have read any documentation that may or may not mention this being enabled. (I'm not sure if we mention that it is enabled on the DVD.)
There is no mention of it being enabled during or immediately after install or after a user logged in for the first time.
There is no apparent option for the end user to disable it either during or after install or after a user logged in for the first time.
If the above holds true then the project in question would be liable for any harm/financial loss caused by .
So who's liable in this scenario?
Is it the end user? Is it the network provider? Is it the entity that is responsible for the network the end user is connected to? Is it Red Hat/Fedora?
Did FESCO contact the legal team when it revisited [2] and sanctioned which services were permitted to be enabled by default as specific exceptions?
Thanks JBG
1. http://lists.fedoraproject.org/pipermail/security/2011-May/001483.html
2. https://fedoraproject.org/wiki/Starting_services_by_default
On Thu, May 19, 2011 at 12:08:05PM +0000, "Jóhann B. Guðmundsson" wrote:
> We were discussing this [1] a bit here at the office when a coworker (a non-IT guy) who was part of the conversation was listening in and dropped in the question: if an end user's computer is compromised, who would be legally liable for any harm and financial loss that might be caused by.
> Which got us a bit baffled since we don't speak legalese, so it would be good if this gets cleared up for us.
> The argument he was making was that if an end user's computer gets compromised due to a default configuration, not an exploited bug in software, and it can be proven without a shadow of doubt that it was the cause for the harm and any financial loss that the...
> The novice end user has absolutely no idea what ssh is and what it's used for.
> The end user has not agreed to have read any documentation that may or may not mention this being enabled. (I'm not sure if we mention that it is enabled on the DVD.)
> There is no mention of it being enabled during or immediately after install or after a user logged in for the first time.
> There is no apparent option for the end user to disable it either during or after install or after a user logged in for the first time.
> If the above holds true then the project in question would be liable for any harm/financial loss caused by .
> So who's liable in this scenario?
> Is it the end user? Is it the network provider? Is it the entity that is responsible for the network the end user is connected to? Is it Red Hat/Fedora?
> Did FESCO contact the legal team when it revisited [2] and sanctioned which services were permitted to be enabled by default as specific exceptions?
The Fedora distribution itself is wrapped with GPLv2, which includes a "no warranty" statement. To what extent does that not apply?
On Thursday 19 May 2011 17:17:56 Paul W. Frields wrote:
> The Fedora distribution itself is wrapped with GPLv2, which includes a "no warranty" statement. To what extent does that not apply?
It seems that he is basing his analysis on a negligence claim rather than on a contract claim. The real issue would therefore be whether the distributor owes a duty to the user - which in turn draws in issues of foreseeability.
Ciaran
On 05/19/2011 11:27 AM, Ciaran Farrell wrote:
> It seems that he is basing his analysis on a negligence claim rather than on a contract claim. The real issue would therefore be whether the distributor owes a duty to the user - which in turn draws in issues of foreseeability.
You have to imagine that if there was a solid basis for suit in such matters that Microsoft would have long since been bankrupted. ;)
~tom
== Fedora Project
On Thu, May 19, 2011 at 10:27 AM, Ciaran Farrell cfarrell@suse.de wrote:
> On Thursday 19 May 2011 17:17:56 Paul W. Frields wrote:
>> The Fedora distribution itself is wrapped with GPLv2, which includes a
>> "no warranty" statement. To what extent does that not apply?
> It seems that he is basing his analysis on a negligence claim rather than on a contract claim. The real issue would therefore be whether the distributor owes a duty to the user - which in turn draws in issues of foreseeability.
I hate to mention "that other company," but I think it's pretty clear that Microsoft has proven there's no legal threat from end users having their machines compromised by leaving vulnerable services open by default without informing that user.
On Thursday 19 May 2011 17:30:46 Christofer C. Bell wrote:
> On Thu, May 19, 2011 at 10:27 AM, Ciaran Farrell cfarrell@suse.de wrote:
>> On Thursday 19 May 2011 17:17:56 Paul W. Frields wrote:
>>> The Fedora distribution itself is wrapped with GPLv2, which includes a
>>> "no warranty" statement. To what extent does that not apply?
>> It seems that he is basing his analysis on a negligence claim rather than on a contract claim. The real issue would therefore be whether the distributor owes a duty to the user - which in turn draws in issues of foreseeability.
> I hate to mention "that other company," but I think it's pretty clear that Microsoft has proven there's no legal threat from end users having their machines compromised by leaving vulnerable services open by default without informing that user.
I agree. I was just pointing out that the warranty based claim was not the only one conceivable :-)
On 05/19/2011 03:17 PM, Paul W. Frields wrote:
> The Fedora distribution itself is wrapped with GPLv2, which includes a "no warranty" statement. To what extent does that not apply?
That is a good question.
This is a deliberate decision to make it like this; this is not a software flaw, and I'm not sure GPLv2 covers bad decision making on our behalf.
Another example: we have ambassadors around the world that hand out the DVD to people with various IT skill levels ranging from none to experts.
Now a novice end user takes home and installs the Fedora DVD which he got handed at some event by our representative.
At install time he sets the root password "tinkerbell"; a month later he finds himself in some legal/financial jam because some cracker rented himself a cloud or simply built himself one, cracked that novice end user's box in 0.1s and did his evil doing.
Is our end user left out in the outhouse scratching their head for simply not knowing any better, holding a subpoena in one hand and a $50K fine in the other?
Is the project liable and/or those that made that bad decision (FESCO in this case)?
Are our ambassadors themselves liable for handing out that DVD at that event?
JBG
On Thu, 2011-05-19 at 15:41 +0000, "Jóhann B. Guðmundsson" wrote:
> On 05/19/2011 03:17 PM, Paul W. Frields wrote:
> Are our ambassadors themselves liable for handing out that DVD at that event?
On that specific question, and with my ambassador hat on, I have always felt responsible for what happened to the people I had installed Fedora for.
Not legally liable, but ethically responsible. If they had a problem, they could send me an email, and I would have helped them fix it.
I know it doesn't answer your question about any legal liability, but in practice, if you are nice to people and offer your help, they will rarely sue you anyway. :)
On 05/19/2011 03:55 PM, Mathieu Bridon wrote:
> On Thu, 2011-05-19 at 15:41 +0000, "Jóhann B. Guðmundsson" wrote:
>> On 05/19/2011 03:17 PM, Paul W. Frields wrote:
>> Are our ambassadors themselves liable for handing out that DVD at that event?
> On that specific question, and with my ambassador hat on, I have always felt responsible for what happened to the people I had installed Fedora for.
> Not legally liable, but ethically responsible. If they had a problem, they could send me an email, and I would have helped them fix it.
> I know it doesn't answer your question about any legal liability, but in practice, if you are nice to people and offer your help, they will rarely sue you anyway. :)
I think someone facing jail time and a substantial fine for doing absolutely nothing wrong will think everything but nice about those that put him in that jam in the first place.
But it begs the question how well the project is protected in this regard and how well its members are protected should they be sued individually.
For example, would Red Hat/Fedora provide legal support for that end user, or would Red Hat/Fedora provide legal support if in that hypothetical scenario the end user decides to sue the Ambassador or FESCO members individually, those that vote yes to the idea of doing this?
And so forth and so on.
Perhaps we need a wiki page that clarifies what legal rights Fedora users/representatives have.
JBG
On 05/19/2011 12:09 PM, "Jóhann B. Guðmundsson" wrote:
> Perhaps we need a wiki page that clarifies what legal rights Fedora users/representatives have.
It wouldn't mean anything, to be blunt. If you're worried about that, consult your own counsel.
I'd rather not have people believe me (IANAL) or Red Hat (They Are Not Your Lawyers), then have something happen in their jurisdiction and feel like we misled them.
In my ever so humble, non-lawyer opinion, I think a Fedora ambassador has a much better chance of getting hit by a comet while on a date with Angelina Jolie.
~tom
== Fedora Project
On 05/19/2011 06:07 PM, Tom Callaway wrote:
> On 05/19/2011 12:09 PM, "Jóhann B. Guðmundsson" wrote:
>> Perhaps we need a wiki page that clarifies what legal rights Fedora users/representatives have.
> It wouldn't mean anything, to be blunt. If you're worried about that, consult your own counsel.
I'm not worried, I was just curious. Since this just spurred into discussion here @work it was best just to ask the expert(s) if there were any, and as you have bluntly stated there aren't any.
> I'd rather not have people believe me (IANAL) or Red Hat (They Are Not Your Lawyers), then have something happen in their jurisdiction and feel like we mislead them.
Of course they only cover Red Hat employees, so only Red Hat employees on the Board, FESCO, Ambassadors etc. are covered, and yup, different countries, different laws.
> In my ever so humble, non-lawyer opinion, I think a Fedora ambassador has a much better chance of getting hit by a comet while on a date with Angelina Jolie.
Agreed, the chance of this ever happening is very low.
JBG