You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@openoffice.apache.org by NoOp <gl...@sbcglobal.net> on 2012/05/01 01:41:22 UTC
Re: Draft blog post: Avoiding OpenOffice Download Scams
On 04/30/2012 11:10 AM, Rob Weir wrote:
> https://blogs.apache.org/preview/OOo/?previewEntry=draft_avoiding_openoffice_download_scams
>
> I know Louis and others have dealt with these things for longer.
> Anything else I should mention?
>
> I considered adding a discussion of the importance of MD5 hashes,
> etc., but that is not really the skill level of the end user who
> downloads OpenOffice.
>
> I'm also cc'ing trademarks@ since it may be of interest to them and/or
> they might have feedback.
A few questions & a few comments:
1. I am confused regarding the use of "trademarks": 'OpenOffice' and/or
'Apache OpenOffice'. A USTPO search shows only:
Serial Number Reg. Number Word Mark Check Status Live/Dead
1 85298190 OPENOFFICE TARR DEAD
2 79041234 3458383 HIPATH OPENOFFICE TARR LIVE
3 78581289 3063339 OPENOFFICE.ORG TARR LIVE
4 77021413 3287409 OPENOFFICE.ORG TARR LIVE
5 76087516 OPENOFFICE.ORG TARR DEAD
The 'OPENOFFICE' (85298190) mark was the one that Tightrope Interactive
filed and later abandoned. Have Apache applied for 'OpenOffice' and
'Apache OpenOffice' as trademarks? Further:
<http://www.openoffice.org/about/> states:
"Because of trademark issues, OpenOffice.org must insist that all public
communications refer to the project and software as "OpenOffice.org" or
"OpenOffice.org 3.x," and not "OpenOffice" or "Open Office."
Given that, should you not modify your blog from 'OpenOffice' to
OpenOffice.org (or Apache Openoffice if indeed Apache have the trademark
aproval)?
2. I'd recommend caution when generalizing statements about sites
offering support and/or 3rd party installations with the downloads.
While I detest a true scammer, I think it wise to look at sites like
www.openoffice.us.com (Tightrope Interactive) whereby they provide full
disclosure[1]. Further, it is quite likely that the 'user' did indeed
download a 'genuine' copy of AO/OO.o - and only the 3rd party
'add-on'(s) were of issue. I suspect that this is what your 'user' ran
into. Lack of proof that the 3rd party add-ons are actually "spyware" or
"malware" could also lead to trouble.
3. I'd recommend against stating:
o "Remember this simple rule: www.openoffice.org is the official
website for OpenOffice. That is the only official download site for
OpenOffice.".
That puts valid redistributors and applications providers like
PortableApps (http://sourceforge.net/projects/portableoo/) in the 'scam'
area. You may also run into 'user' issues when they go to
www.openoffice.org, begin their download, and then see that the download
is actually coming from a mirror/redirector site ala:
<http://sourceforge.net/projects/openofficeorg.mirror/files/stable/3.3.0/OOo_3.3.0_Linux_x86_install-rpm-wJRE_en-US.tar.gz/download>
Yes, you and I know how the mirror/redirectors work, but you've just
told these 'users' that the only official website for downloading is
www.openoffice.org. Remember, these are likely to be the same 'users'
that neglected to read the T's & C's when they downloaded AO/OOo from
another website.
o "However, what no one has permission to do is modify OpenOffice and
then confuse consumers into believing that it is actually still the
OpenOffice product. ". That is likely to put Apache on the defensive to
prove that the 'consumer' didn't receive a proper copy of AO/OOo. IANAL
so check with your legal folks regarding such statements.
[1] Note: I'm not defending and/or advocating www.openoffice.us.com and
am only using them as a sample. I think they have pretty much covered
all of the disclosure bases:
1. Front web page:
http://www.openoffice.us.com/
They state: "OpenOffice is an open source product licensed under GNU
LGPL v3. Source code for OpenOffice can be found here." and provide a
link to openoffice.org.
2. Download Terms:
<http://www.openoffice.us.com/openoffice/download-terms.php>
Pretty well spell out what the terms are.
3. Terms of Service:
<http://www.openoffice.us.com/openoffice/terms-of-service.php>
4. Privacy:
<http://www.openoffice.us.com/openoffice/privacy.php>
5. Support:
<http://www.openoffice.us.com/openoffice/openoffice-support.php>
They provide links to OOo support. However they do not charge for this
"support" & state in their other pages that they make their money off of
advertising (see 6 below)
6. Disclaimer:
<http://www.openoffice.us.com/openoffice/disclaimer.php>
Pretty clear IMO that Pricegong and Weatherbug are their advertisers.
Does Apache really want to get into a legal cat fight with Earth
Networks (WeatherBug is a brand of Earth Networks).
Point being is that while you want to head off 'scammers', you also have
to be careful
Re: Draft blog post: Avoiding OpenOffice Download Scams
Posted by Rob Weir <ro...@apache.org>.
On Mon, Apr 30, 2012 at 10:01 PM, NoOp <gl...@sbcglobal.net> wrote:
> On 04/30/2012 06:12 PM, Rob Weir wrote:
>> On Mon, Apr 30, 2012 at 7:41 PM, NoOp <...> wrote:
> ...
>>> o "However, what no one has permission to do is modify OpenOffice and
>>> then confuse consumers into believing that it is actually still the
>>> OpenOffice product. ". That is likely to put Apache on the defensive to
>>> prove that the 'consumer' didn't receive a proper copy of AO/OOo. IANAL
>>> so check with your legal folks regarding such statements.
>>>
>>
>> Absurd.
>
> And why would you feel that this is absurd? The entire blog is in
> reference to "Avoiding OpenOffice Download Scams". In the second
> paragraph you state:
>
Thanks for taking the time to send feedback on the draft blog post.
This is greatly appreciated.
Regards,
-Rob
Re: Draft blog post: Avoiding OpenOffice Download Scams
Posted by NoOp <gl...@sbcglobal.net>.
On 04/30/2012 06:12 PM, Rob Weir wrote:
> On Mon, Apr 30, 2012 at 7:41 PM, NoOp <...> wrote:
...
>> o "However, what no one has permission to do is modify OpenOffice and
>> then confuse consumers into believing that it is actually still the
>> OpenOffice product. ". That is likely to put Apache on the defensive to
>> prove that the 'consumer' didn't receive a proper copy of AO/OOo. IANAL
>> so check with your legal folks regarding such statements.
>>
>
> Absurd.
And why would you feel that this is absurd? The entire blog is in
reference to "Avoiding OpenOffice Download Scams". In the second
paragraph you state:
"the first thing I ask is, "Where did you download OpenOffice from?"
In today's case, when the user checked his browser's history he found
what I suspected, that it was not a genuine copy of OpenOffice,
downloaded from www.openoffice.org, but a modified version that was
installing applications that are variously known as "adware", "spyware"
or "malware". "
My point is that I think you may be setting Apache up for having to
prove that this claim is true. The user goes back to the website, claims
that Apache informed him/her that this was not a "genuine copy" of
OpenOffice(sic).
User then goes to the BBB or media and claims the same. Website
operator turns around and sues Apache; Apache are required to prove that
it was not a "genuine copy".
Sorry, but many of these 'scammers' in the past have simply pointed
their downloader to an OOo mirror - so the binary is an
md5sum/bit-for-bit "genuine copy". Even if someone (scammer or
otherwise) were copy to their server & supply the download from there,
it very likely may actually be a bit-for-bit "genuine copy". Here is a
good example:
<http://download.cnet.com/OpenOffice-org/3000-18483_4-10263109.html>
Keep in mind (from your draft): "Note that OpenOffice, with its open
source software license, permits you and anyone else to redistribute it.
You can make copies, give them away, sell them, put them on your
website, etc. These are all permissions you have under the license."
What is "absurd" is the FUD leading 'users' to believe that the only
valid/genuine place a copy of OOo can be obtained is from
www.openoffice.org. Certainly it is best practice to do so, but that is
not the ony place they can obtain a "genuine copy".
Gary Lee
>
>> [1] Note: I'm not defending and/or advocating www.openoffice.us.com and
>> am only using them as a sample. I think they have pretty much covered
>> all of the disclosure bases:
>
> Not necessarily. Putting a disclaimer does not mean you can do
> whatever you want. How far do you think you would get with a domain
> name called Microsoft.us.com, offering modified versions of products
> and using Microsoft logos, but then putting a small disclaimer on the
> page? 24 hours? 36 hours?
>
>> 1. Front web page:
>> http://www.openoffice.us.com/
>> They state: "OpenOffice is an open source product licensed under GNU
>> LGPL v3. Source code for OpenOffice can be found here." and provide a
>> link to openoffice.org.
>> 2. Download Terms:
>> <http://www.openoffice.us.com/openoffice/download-terms.php>
>> Pretty well spell out what the terms are.
>> 3. Terms of Service:
>> <http://www.openoffice.us.com/openoffice/terms-of-service.php>
>> 4. Privacy:
>> <http://www.openoffice.us.com/openoffice/privacy.php>
>> 5. Support:
>> <http://www.openoffice.us.com/openoffice/openoffice-support.php>
>> They provide links to OOo support. However they do not charge for this
>> "support" & state in their other pages that they make their money off of
>> advertising (see 6 below)
>> 6. Disclaimer:
>> <http://www.openoffice.us.com/openoffice/disclaimer.php>
>> Pretty clear IMO that Pricegong and Weatherbug are their advertisers.
>> Does Apache really want to get into a legal cat fight with Earth
>> Networks (WeatherBug is a brand of Earth Networks).
>>
>> Point being is that while you want to head off 'scammers', you also have
>> to be careful
>>
>
Re: Draft blog post: Avoiding OpenOffice Download Scams
Posted by Rob Weir <ro...@apache.org>.
On Mon, Apr 30, 2012 at 7:41 PM, NoOp <gl...@sbcglobal.net> wrote:
> On 04/30/2012 11:10 AM, Rob Weir wrote:
>> https://blogs.apache.org/preview/OOo/?previewEntry=draft_avoiding_openoffice_download_scams
>>
>> I know Louis and others have dealt with these things for longer.
>> Anything else I should mention?
>>
>> I considered adding a discussion of the importance of MD5 hashes,
>> etc., but that is not really the skill level of the end user who
>> downloads OpenOffice.
>>
>> I'm also cc'ing trademarks@ since it may be of interest to them and/or
>> they might have feedback.
>
> A few questions & a few comments:
>
> 1. I am confused regarding the use of "trademarks": 'OpenOffice' and/or
> 'Apache OpenOffice'. A USTPO search shows only:
> Serial Number Reg. Number Word Mark Check Status Live/Dead
> 1 85298190 OPENOFFICE TARR DEAD
> 2 79041234 3458383 HIPATH OPENOFFICE TARR LIVE
> 3 78581289 3063339 OPENOFFICE.ORG TARR LIVE
> 4 77021413 3287409 OPENOFFICE.ORG TARR LIVE
> 5 76087516 OPENOFFICE.ORG TARR DEAD
>
> The 'OPENOFFICE' (85298190) mark was the one that Tightrope Interactive
> filed and later abandoned. Have Apache applied for 'OpenOffice' and
> 'Apache OpenOffice' as trademarks? Further:
> <http://www.openoffice.org/about/> states:
> "Because of trademark issues, OpenOffice.org must insist that all public
> communications refer to the project and software as "OpenOffice.org" or
> "OpenOffice.org 3.x," and not "OpenOffice" or "Open Office."
> Given that, should you not modify your blog from 'OpenOffice' to
> OpenOffice.org (or Apache Openoffice if indeed Apache have the trademark
> aproval)?
>
I'm not sure how familiar you are with US trademark law, but there are
registered trademarks, denoted with (R) or an R-in-circle, as well as
unregistered trademarks, denoted by a "TM". In the US unregistered
trademarks offer quite a bit of protection.
I agree that we should update the page that you linked to.
> 2. I'd recommend caution when generalizing statements about sites
> offering support and/or 3rd party installations with the downloads.
> While I detest a true scammer, I think it wise to look at sites like
> www.openoffice.us.com (Tightrope Interactive) whereby they provide full
> disclosure[1]. Further, it is quite likely that the 'user' did indeed
> download a 'genuine' copy of AO/OO.o - and only the 3rd party
> 'add-on'(s) were of issue. I suspect that this is what your 'user' ran
> into. Lack of proof that the 3rd party add-ons are actually "spyware" or
> "malware" could also lead to trouble.
>
My blog post does not refer to any website or distributor.
> 3. I'd recommend against stating:
>
> o "Remember this simple rule: www.openoffice.org is the official
> website for OpenOffice. That is the only official download site for
> OpenOffice.".
>
> That puts valid redistributors and applications providers like
> PortableApps (http://sourceforge.net/projects/portableoo/) in the 'scam'
> area. You may also run into 'user' issues when they go to
> www.openoffice.org, begin their download, and then see that the download
> is actually coming from a mirror/redirector site ala:
> <http://sourceforge.net/projects/openofficeorg.mirror/files/stable/3.3.0/OOo_3.3.0_Linux_x86_install-rpm-wJRE_en-US.tar.gz/download>
There is only one official download site. There may be other sites
that offer legitimate copies of OpenOffice as well, and are not scams.
But that does not make them official download sites.
But point taken about not confusing users when they face redirects to
mirror sites, etc. I think I can clarify that.
> Yes, you and I know how the mirror/redirectors work, but you've just
> told these 'users' that the only official website for downloading is
> www.openoffice.org. Remember, these are likely to be the same 'users'
> that neglected to read the T's & C's when they downloaded AO/OOo from
> another website.
>
Right. So we can talk about "links to downloads" being on
download.openoffice.org.
> o "However, what no one has permission to do is modify OpenOffice and
> then confuse consumers into believing that it is actually still the
> OpenOffice product. ". That is likely to put Apache on the defensive to
> prove that the 'consumer' didn't receive a proper copy of AO/OOo. IANAL
> so check with your legal folks regarding such statements.
>
Absurd.
> [1] Note: I'm not defending and/or advocating www.openoffice.us.com and
> am only using them as a sample. I think they have pretty much covered
> all of the disclosure bases:
Not necessarily. Putting a disclaimer does not mean you can do
whatever you want. How far do you think you would get with a domain
name called Microsoft.us.com, offering modified versions of products
and using Microsoft logos, but then putting a small disclaimer on the
page? 24 hours? 36 hours?
> 1. Front web page:
> http://www.openoffice.us.com/
> They state: "OpenOffice is an open source product licensed under GNU
> LGPL v3. Source code for OpenOffice can be found here." and provide a
> link to openoffice.org.
> 2. Download Terms:
> <http://www.openoffice.us.com/openoffice/download-terms.php>
> Pretty well spell out what the terms are.
> 3. Terms of Service:
> <http://www.openoffice.us.com/openoffice/terms-of-service.php>
> 4. Privacy:
> <http://www.openoffice.us.com/openoffice/privacy.php>
> 5. Support:
> <http://www.openoffice.us.com/openoffice/openoffice-support.php>
> They provide links to OOo support. However they do not charge for this
> "support" & state in their other pages that they make their money off of
> advertising (see 6 below)
> 6. Disclaimer:
> <http://www.openoffice.us.com/openoffice/disclaimer.php>
> Pretty clear IMO that Pricegong and Weatherbug are their advertisers.
> Does Apache really want to get into a legal cat fight with Earth
> Networks (WeatherBug is a brand of Earth Networks).
>
> Point being is that while you want to head off 'scammers', you also have
> to be careful
>