EULAs (was Re: [unisog] Security Issues with Skype
Jim.Dillon at cusys.edu
Mon May 2 17:52:23 GMT 2005
My take is that Universities are too decentralized to do this well.
In my previous corporate lifetime, at a Fortune 100 manufacturer, our legal staff told us not to be concerned with "shrink wrap" licensing; it wasn't defensible. Of course this company had 180+ corporate lawyers that were constantly making or breaking the year's financials on intellectual property suits. Enough to intimidate even a Microsoft. But that was the legal opinion there. I doubt Higher Ed can get away with that "opinion" as easily.
A problem, Valdis, no doubt, but I'm not sure, given the number of years we've lived with it, that it is a primary concern. My annual risk assessment is more concerned with privacy, Web security (a la MarketScore and illegitimate nasty copiers of such techniques) and compliance (PCI DSS, HIPAA Security, etc.). It seems there is a higher chance of significant loss in these areas to me. This doesn't invalidate your concern; I just push it lower on the risk assessment stack. I certainly hope it is high on someone else's, as I'd like to see the problem go away; it is a non-productive mess at present.
Jim Dillon, CISA
IT Audit Manager
University of Colorado Internal Audit
jim.dillon at cusys.edu
Dept. Phone: 303-492-9730
"We trained hard...but it seemed that every time we
were beginning to form up to teams, we would be
reorganized. I was to learn later in life that we
tend to meet any new situation by reorganizing; and
what a wonderful method it can be for creating the
illusion of progress while producing confusion,
inefficiency, and demoralization."
- Petronios Arbiter, 210 B.C.
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org]On Behalf Of
Valdis.Kletnieks at vt.edu
Sent: Monday, May 02, 2005 10:33 AM
To: UNIversity Security Operations Group
Subject: EULAs (was Re: [unisog] Security Issues with Skype
On Tue, 03 May 2005 03:48:24 +1200, Russell Fulton said:
> On the EULA issues some people pointed out that the Skype EULA is not
> much different to the MS one for XP (both allow the vendor to install
> whatever they like) and if we bar Skype on those grounds we should also
> ban XP.
Out of curiosity, how have other sites dealt with the following 2 issues:
1) The XP EULA granting permission for MS to install anything on machines that
you need to have change control over (I'm told HIPAA has such a requirement, and
there are probably other legal requirements for some sites as well). (Yes, I
know that you can firewall the box - but the point is that you've still given
the *permission* for MS to do it, whether or not they actually can or do...)
2) The legal status of having an employee who does *not* have authority to sign
binding contracts for your organization (in most cases, essentially all the
worker drones in the cubicles) doing essentially that by clicking through the
EULA (for any product in this case)?