Re: Proposal to have NDAs for sysadmins
On Mon, Nov 10, 2014 at 01:11:44PM +0100, Andrea Veri wrote:
> 2014-11-10 2:07 GMT+01:00 Olav Vitters <olav vitters nl>:
>
>> In case of weird stuff happening, I have posted IP addresses and ranges
>> in #sysadmin. Non-sysadmins are in that channel. This NDA is too black
>> and white. Sharing a few IP addresses during investigation is totally
>> different from sharing the entire access log.
>
> Honestly that's a very bad habit, you should not post any IP address
> on a public channel with or without an NDA in place. The idea is to
> communicate that information privately to the user having difficulties
> accessing the service itself. What I generally do is:

I was talking about strange behaviour. Meaning: a DDoS or potential
spammer. Then *I POSSIBLY WILL* (and have) mention that IP address in
e.g. the sysadmin channel. That is completely normal behaviour. NDA means
I can be sued as a result.

This NDA exercise seems so far like a checkbox to have, without actually
considering what the intention is. I guess the idea is "GNOME should
have a privacy policy". Cool, but that doesn't require GNOME to have the
option to sue a sysadmin.

Helping out shouldn't lead to myself being exposed to legal risk. In
the Netherlands, my employer is responsible for my actions. Here you're
doing something for free and then get legal responsibility with it.

> 1. check the user experiencing difficulties is really the one it claims to be
> 2. ask for the IP to be sent privately to start diagnosing
> 3. keep chatting privately or switch to the public channel for other
> debugging comments

Does not apply.

>> Another example is for instance the access that has been granted to
>> someone logging into webapps or e.g. bugzilla. They'll have access to
>> the apache logs as well. Did a sysadmin now disclose things to a
>> non-sysadmin? Is that person limited by an NDA?
>
> Well, this is very limited now that logs aren't stored on
> /var/log/httpd anymore. All logs are now sent to a main logging host
> (log01-back) which is only accessible by sysadmins. Just one or two
> services (l10n, ego, bugzilla) have their logs exposed to one or two
> people I trust for debugging purposes. (or for scripts requiring the
> file to be located on the same machine as the script itself for
> obvious reasons)

You're ignoring my point. If you grant bugzilla permissions, will or
won't I possibly expose myself to being sued? Instead of e.g. apache
logs, it can be the Bugzilla database or anything else. The NDA is very
broad, giving answers on specific cases won't ease my mind at all.

>> In the time I was only a bugmaster (not a sysadmin), I regularly
>> downloaded the entire Bugzilla database. Including passwords, IP
>> addresses and all.
>
> Yes, and that's legit as long as you don't disclose the private
> contents of the database itself, which is the point of the NDA.

Not my point. As a bugmaster, it seems you don't need to sign the NDA.
Thus totally ok to share the information. Thus bad if as a sysadmin I'd
grant bugzilla shell to anyone. Sharing any IP address with a bugmaster:
could be sued. I think I am a good judge when something should be kept
private and when not. I have shared IP addresses to just bugmasters.
That's a breach of this NDA!

>>> all reasonable steps to protect the secrecy of and avoid disclosure or
>>> use any of this confidential information. I will notify the board in
>>
>> This is too vague. IP addresses aren't confidential, they can
>> affect someone's privacy. I understand the reasoning behind the text, but
>> it is written in a way where I could pretend that I can disclose
>> confidential information. The text refers to "this confidential
>> information" with IP addresses.
>
> No, please read the relevant text once again:
>
> """ I agree and confirm that I will not publish, sell, transfer or
> otherwise share any information gained in the scope of my sysadmin
> work for the GNOME Foundation with anyone outside the sysadmin team
> and the Foundation board without prior written approval from the
> board. Amongst other things, this includes user passwords for GNOME
> services and IP addresses of visitors to GNOME websites. """
>
> IP addresses are part of the items you should not publish, sell or
> transfer to anyone.

No, it doesn't state that. It states "any information". That is very
broad. Learning e.g. something new about e.g. Python as part of sysadmin
work *will* be part of this NDA. Then if what I learned is public, then
I am not going to be sued.

>> Instead it should start with confidential and privacy related information
>> and say that these things should not be disclosed if learned during
>> sysadmin work.
>
> This is exactly what the text I quoted above says. Any information you
> could gather during your sysadmin work should never be disclosed to
> third parties, *including* IP addresses and user passwords.

The text is legal text. The way I read it, it doesn't state the above. There
is a big uncertainty

-- 
Regards,
Olav