[Dfey-nw-discuss] Fwd: Software freedom (problems at the University)

[Tim Dobson]

Another unsurprising instance of braindead bureaucracy and EULAs you
have to work miracles to avoid breaking...

-------- Original Message --------
Subject: [Liverpool] Software freedom (problems at the University)
Date: Wed, 16 Dec 2009 17:06:01 +0000
From: Vladimir <address@hidden>
Reply-To: Liverpool Linux User Group <address@hidden>
To: Liverpool Linux User Group <address@hidden>

Hello, everyone!

Once again I am shocked by the University's practices regarding the
software and standards. So will forward my email that I just sent to
them, looking for any comments and suggestions (as I expect, this is
going to go far this time). The email is pretty much self-explanatory:


----------------------------------
To whom it may concern:

I am writing to report a problem which is preventing me from connecting
to a University wireless encrypted network, so called "SuperRoamNet".

I do not use Microsoft software neither do I run their OS on any of my
machines.
I have a macbook, running either latest OS X v 10.5.8 or Linux (kernel
2.6.x) which I was trying to connect to SuperRoamNet.

The University computing services require students to download Sophos
anti-virus software to be able to pass the "security check" of some
sort, to "prove" that their machine is not infected by malicious
software that could be potentially detected by Sophos anti-virus
application (or should I say *could not be detected* - will come back to
this later).
Without coming back to the discussion I had at the computer helpdesk
with the people working there, about the mathematical possibility for a
Mac OS X or indeed any other BSD based or *nix system, there are
reasons that prevent me from installing your proprietary Sophos
anti-virus application.

The reasons are hidden in EULA of Sophos. While 90+% or the general
public are not concerned with what is being inside those licence
agreements, I am one of those people, who is very careful with software
licences.
I want you to read this letter carefully, as I have put a substantial
amount of my personal time to compose it.

So I can not agree to the following parts of the Sophos EULA:


*12.1.1 You expressly give Sophos permission to include and publish Your
name and logo on lists of Sophos’s customers for the Licensed Products*

No, I do not wish that my name/logo was published on the lists of
Sophos's customers, as I do not wish to be a customer of this company.


*13.4 You shall permit Sophos or an independent certified accountant
appointed by Sophos access on written notice to Your premises and Your
books of account and records at any time during normal business hours
for the purpose of inspecting, auditing, verifying or monitoring the
manner and performance of Your obligations under this End-User Licence
Agreement *

This is ridiculous. No comments.

*13.5 Sophos may at its sole discretion subcontract any of its rights or
obligations hereunder to any of its subsidiaries, resellers,
distributors or dealers, as applicable.*


Meaning that at "its sole discretion" they can drop their
responsibilities any time. What kind of a contract is this?

*3.1** **Evaluation. You may use the Software for evaluation purposes
only in a test environment without payment of a fee for a maximum of 30
days or such other duration as is specified by Sophos at its sole
discretion.  *

Although I was assured by the staff at the support desk that the
application is 'free' (as in free beer), this seems not to be the case.
It seems that all the students at the University are using the software
illegaly [after 30 days of evaluation period].

*3.4 Restrictions. You are not permitted to:*
*[...]*
*3.4.7 use the Licensed Products in or in association with safety
critical applications such as, without limitation, medical systems,
transport management systems, vehicle and power generation applications
including but not limited to nuclear power applications;*


I do run critical applications on my computer. That is ssh logins to
remote servers for example. Or transferring valuable and sensitive
personal data across the backup servers. And yes, I am a performing
musician and a sound-engineer. I do run critical applications at the
concerts and festivals. Sometimes it is a EQ/limiter/compressor
application through which the main signal to the FOH is routed. These
are critical applications, which to my view fall under the definition of
 "not limited to..." in chapter 3.4.7

But even if I wasn't running these applications (rendering my portable
computer useless), agreeing to the EULA, I would still not be able to
install it, as the licence agreement simply doesn't allow me to sign it
on the basis of the following paragraph:

*3.4.8 use the Licensed Products for the purposes of competing with
Sophos, including without limitation competitive intelligence.*


You see: GNU/Linux operating systems are bullet-proof from the viruses
that might be invented in the future, by design. At the moment such
malicious software, that would require a GNU/Linux system to add an
extra layer of security (i.e. anti-virus application), simply doesn't
exist. So GNU/Linux system may be considered a product that is competing
with Sophos, by the means of developing a different kind of environment
that doesn't need the type of commercial products of proprietary nature
that Sophos provides.
Being an active Open Source society member, I do contribute to the
developing community on a regular basis, and my constant efforts include
improving the environment of GNU/Linux operating systems. Therefore by
using the Sophos software I would
gain the *competitive intelligence, *which is forbidden by the chapter
above.

*5.4 You shall at Your own expense hold harmless, defend and fully and
effectively indemnify Sophos against any claims, proceedings, damages,
costs, expenses or other liability whatsoever arising out of, resulting
from or relating to Your use of the Licensed Products (including without
limitation breach of Your warranty in Clause 5.3) and/or any Suggestions.*

I don't know any person in a clear state of mind who could sign this
after reading this paragraph.


------------------------------------------------------------


I think there's enough of the evidence, that I can't sign this EULA. But
that wouldn't be the whole picture if we didn't look at the paragraph 6.1
which says:

*6.1 [...] SOPHOS DOES NOT WARRANT THAT THE LICENSED PRODUCTS WILL
DETECT AND/OR CORRECTLY IDENTIFY AND/OR DISINFECT ALL THREATS,
APPLICATIONS (WHETHER MALICIOUS OR OTHERWISE) OR OTHER COMPONENTS.*


Yes, in BIG CAPITAL LETTERS, they say, that even after you agree to
"defend and fully and effectively indemnify" them against any damages,
claims, costs, proceedings "whatsoever" and allow them to publish your
name and logo somewhere publicly, and even after you allow them into
your home as described in paragraph 13.4, even after all that they do
not guarantee that their software will do what it is intended to do.

So coming back to the first lines of this email; it seems that the model
that the University computer services employ to "check" the machines
running Unix family operating systems (and in fact MS Windows machines
too) is useless. What is the point of requiring the protection for a
very very very theoretical threat (virtually non-existent) by the means
of the tool that "doesn't warrant" any protection whatsoever?


I do ask you to register the hardware mac address of the my machine to
my MWS services username bypassing your normal procedures which are
useless, as I just showed you in this email.
Requiring the signing of this draconian licence agreement can be
considered as a discrimination on the grounds of my operating system
choice, my personal beliefs and political views.

Looking forward to hear back from you as soon as possible,

Sincerely,


Vladimir J.
-------------------------------------