From: "Rodney W. Grimes"
Message-Id: <199909280707.AAA14136@gndrsh.dnsmgr.net>
Subject: Re: dump(8) Insecurity/Misconfiguration
In-Reply-To: <199909272154.RAA92701@cc942873-a.ewndsr1.nj.home.com> from "Crist J. Clark" at "Sep 27, 1999 05:54:21 pm"
To: cjclark@home.com
Date: Tue, 28 Sep 1999 00:07:14 -0700 (PDT)
Cc: Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), dillon@apollo.backplane.com (Matthew Dillon), freebsd-security@FreeBSD.ORG

> Rodney W. Grimes wrote,
> > ...
> > > "Companies are permitted to use this program as long as it is not used for
> > > revenue-generating purposes. For example, an Internet service provider is
> > > allowed to install this program on their systems and permit clients to use
> > > SSH to connect; however, actively distributing SSH to clients for the
> > > purpose of providing added value requires separate licensing. Similarly,
> > > a consultant may freely install this software on a client's machine for
> > > his own use, but if he/she sells the client a system that uses SSH as a
> > > component, a separate license is required."
> > >
> > > I'm no lawyer, but it seems like using SSH for helping with dumps
> > > would fall well within this license since backing up files does not
> > > really generate much revenue for us.
> >
> > I'm not a lawyer either, but I'll play the advocate here and show
> > you why you are at risk. First, you used the word ``much'' in the
> > above sentence. _Any_ is _some_ and is _not_ none, henceforth you
> > violate ``not used for ...''.
>
> I forgot the Smiley. I meant 'much' sarcastically, as in, doing
> backups generates no revenue. In fact, it costs us money.

I think you need to examine your business financial/risk model again.
Backup systems have a calculable ROI, if they didn't you wouldn't need
one at all.... if you need someone to show you how to calculate this
ROI contact me off list. A Return On Investment is revenue by
definition, henceforth backup systems are ``revenue generating''
(Note the missing hyphen in that).

> > Second, since backups are a critical
> > piece of keeping your business operating, and your business, hopefully
> > at least, generates revenue you would be in violation of ``revenue-generating
> > purposes'', though it would be indirectly.
>
> But it gives the specific example of an ISP using SSH to _service_
> customers, which is something that does generate revenue. Once you
> consider their example of what is acceptable use, it seems quite clear
> to me that our use is many steps farther away from revenue generating
> and therefore would be permitted.

I am having a hard time reading that into what it says. ``and permit
clients to use SSH to connect'' is probably what you are trying to use
as a basis for this extrapolation. The problem is it is just an
example, a poor thing to do in a ``license agreement''. You really
have to look through a Blacks Legal dictionary and try to find as many
things as you can in the sentence before it and figure out just what is
and is not ``revenue-generating'', unless you are doing exactly what
the example is.

>
> As for the other comment someone made about RSA, their license is
> basically the same. It prohibits commercial use for "revenue
> generating," but otherwise permitted.

Again, you need a good definition of ``revenue generating'' in this
context, a lawyer can write one for you for <$100.00 :-). Or you could
call/email the licensor with a more specific example and see what they
have to say about it.

The second example in the paragraph at the top of this message starting
``a consultant may freely install this software on a client's'' is an
even worse example than the first from a legal perspective. First,
``contractors'' rarely sell ``systems'', they sell consulting, which is
a service, systems are not a service, henceforth the example is poorly
defined. It also fails to address the people who do sell systems,
which are normally businesses in their various forms. So though I can
install SSH and use it freely as a contractor on a client's machine, the
example does not allow us as ``Accurate Automation, Inc.'' to install
it on a _customer's_ machine for our ``own use''.

Is anyone starting to catch the drift here... this is a really badly
written license, open to wide and varied interpretations due to what
appears to be lack of complete contract law knowledge by the author, or
purposefully written in a poor manner to allow wide legal opinion and
interpretation as to just what it says. (From certain sources I have
heard that the GNU GPL was specifically written to be vague, poorly
defined and ambiguous in many areas by very crafty lawyers, making it
hard for people like me who pay lawyers to tell them what it means to
get a real clear answer on certain questions.)

> Thanks to everyone for all of your information and opinions on this.

You're welcome, and as always the non-standard disclaimer, I am not a
lawyer, I am a business man who spends money for real legal advice,
might I suggest you do the same.

--
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net