My team has been tasked with the cleanup of several dozen infected PCs. Because the usual tools do not work 100%, we are being told to supplement them with both Spybot and Malwarebytes. The problem is that neither our company nor the customer have purchased a license for either program. Several members of my team, myself included, have brought this fact to their attention. Their answer is to have us immediately uninstall the applications after they have been used.
Since this is a clear violation of the EULA, what would be the best way to escalate this since both management and the customer are behind this?
Immediately contact your local branch of the FBI. They will dispatch several serious men with earpieces and black sunglasses in nondescript sedans to monitor the situation. Are you amenable to wearing a wire?
At any rate, I wouldn’t expect anything to change at the street level. You see, they don’t want your bosses; they’re small fry. They want the suppliers, man. The cartels. The fat cats, that dine upon human misery, pirating Spyboy Search & Destroy on street corners far and wide. Pirating it to kids, man, schoolkids! Those scum must be made to pay.
Also, you will lose your job for a totally unrelated reason several months later and oddly find it very difficult to get another job in IT. Luckily you have righteous conviction to keep you warm, as it’s almost wintertime and cardboard boxes have excellent ventilation.
I give you props for having the balls to actually stand up for what’s right. I can’t really tell you what to do, but I realize that you’re sticking your neck out in a situation where you don’t really have to, and that’s cool.
Yep. Just remember, you’re too young to really inspire pity or appear disabled, so you’ll want to make your sign funny/clever. Try something like “Time Traveller in tough situation, need $$$ for flux capacitor” or “Betcha can’t hit me with a quarter!” (with a hole in the middle of the sign for a target).
There is a corporate license edition of it available. From my reading of the free version’s license though, I’m not actually sure if corporate users are required to use the corporate license, or if it exists merely to satisfy those companies that won’t use free tools without additional support, management features, legal liability, etc.
Edit: Oh wait, there’s this on the corporate version page:
Contrary to this, companies and institutions need to buy licenses for the commercial versions of our software.
They just don’t make that clear from the free version site.
I lost a job for this very reason in 1997 (refused to help distribute and install several hundred copies of the pay versions of Eudora Email and the Netscape browser to customers at a local dial-up ISP I provided support for). On a financial level it wasn’t worth it to me. On a self confidence level, well it still wasn’t worth it to me, because job hunting sucks and can sap the life out of anyone. On a “would I do it again” level… fuck it, I’ll just steal my boss’s password and use all the illegal shit under his I.D., then I will stay employed, my family will stay fed and clothed, Malware Bytes will probably stay in business, and if the shit comes down I’ll just deny everything and bring cookies to work.
Who am I kidding though, I’m kinda stubborn and self righteous, so I’d probably end up fired again.
Get the instructions in WRITING from your boss. Write out what they want you to do and have your boss sign the piece of paper. Not email, paper. Also take along a piece of paper detailing the costs of doing it the Right Way. Your goal is to get them to cave, but if they won’t your goal is to CYA.
How big is the team? Are you all together on this? How tech savvy is your boss?
One approach is to have the entire team tell the boss “It will only cost us this much to do this legally. The risk from doing it illegally is $xxxx. And we’re the ones who will be taken to court if somehow we get caught. You do realize that this software talks to their home office and can easily report IPs and who is using it, right?”
If he still says I don’t care, just do it, then you just have to decide what it’s worth to you to do the right thing and how big a deal this is to you.
I just checked both the Spybot and Malwarebytes sites. Am I missing something? Both products seem to be free for corporate use. They have some additional products that you can buy, but I didn’t see anywhere that the free versions are not also free for corporate use. So ummm…yeah.
I think the sensible way to go about this is to suggest that a corporate license for those programs is well worth the price to keep the programs installed on those computers and doing regular checks, instead of these massive one-offs of cleaning house.
IIRC, corporate licenses keep the programs up to date automatically, which depending on how big the office is could save IT quite a bit of time when dealing with new threats.
A lot depends on the context and how professionally one handles the situation. A line IT tech is likely not responsible for licensing compliance so if things go bad the tech only has a responsibility to ensure that the issue was raised and the objections were made and recorded. I’ve had this scenario before and won because I made sure that my objections were noted in a polite email. Leaving a paper trail makes some managers nervous.
One way to make sure that you’ve covered your own liability angle and your own ethical responsibilities is to just send something along the lines of “I’m not sure I understand the licensing here, it looks to me at first glance like we might not be compliant, so can you provide me an assurance that steps X and Y with software Z are exactly what I am instructed to do.”
If you get an email directive saying yes, then go ahead and do it and let the matter drop. You’ve fulfilled your ethical responsibility and at the end of the day it’s probably not your job to make licensing decisions for your employer.
Thanks for the insight, everyone. It’s interesting to see the contrast between people in the industry and not. Most people not in the industry tell me to anonymously send the software companies a packet of evidence.
I’m high enough on the totem pole where I won’t be fired for bringing it up, but not high enough that I can put a stop to it without something strong to back it up. I don’t want the people under me doing this, and to make matters worse I learned that the customer had been doing it for years before we took this contract. I like the idea of sending an email so that the response would be in writing, but iirc I couldn’t get corporate pricing without sending an email with details.
One thing I can say is that the process was NOT written by someone tech savvy. It’s a fucking joke, actually. Anyone that knows what the shit they’re doing would have turned this down in a heartbeat.