EULAs (was Re: [unisog] Security Issues with Skype

Jim Dillon Jim.Dillon at cusys.edu
Mon May 2 17:52:23 GMT 2005


My take is that Universities are too decentralized to do this well.

In my previous corporate lifetime, at a Fortune 100 manufacturer, our legal staff told us not to be concerned with "shrink wrap" licensing; it wasn't defendable.  Of course this company had 180+ corporate lawyers that were constantly making or breaking the year's financials on intellectual property suits.  Enough to intimidate even a Microsoft.  But that was the legal opinion there.  I doubt Higher Ed can get away with that "opinion" as easily.

A problem, Valdis, no doubt, but I'm not sure given the number of years we've lived with it that it is a primary concern.  My annual risk assessment is more concerned with privacy, Web security (à la MarketScore and illegitimate nasty copiers of such techniques) and compliance (PCI DSS, HIPAA Security, etc.).  Seems there is a higher chance of significant loss in these areas to me.  This doesn't invalidate your concern; I just push it lower on the risk assessment stack.  I certainly hope it is high on someone else's as I'd like to see the problem go away; it is a non-productive mess at present.

Best regards,

Jim

============================================
Jim Dillon, CISA
IT Audit Manager
University of Colorado Internal Audit
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737

"We trained hard...but it seemed that every time we 
were beginning to form up to teams, we would be 
reorganized.  I was to learn later in life that we 
tend to meet any new situation by reorganizing; and
what a wonderful method it can be for creating the 
illusion of progress while producing confusion, 
inefficiency, and demoralization." 
- Petronios Arbiter, 210 B.C.
============================================

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org]On Behalf Of
Valdis.Kletnieks at vt.edu
Sent: Monday, May 02, 2005 10:33 AM
To: UNIversity Security Operations Group
Subject: EULAs (was Re: [unisog] Security Issues with Skype 


On Tue, 03 May 2005 03:48:24 +1200, Russell Fulton said:
> On the EULA issues some people pointed out that the skype eula is not
> much different to the MS one for XP (both allow the vendor to install
> whatever they like) and if we bar Skype on that grounds we should also
> ban XP.

Out of curiosity, how have other sites dealt with the following 2 issues:

1) The XP EULA granting permission for MS to install anything on machines that
you need to have change control over (I'm told HIPAA has such a requirement, and
there are probably other legal requirements for some sites as well).  (Yes, I
know that you can firewall the box - but the point is that you've still given
the *permission* for MS to do it, whether or not they actually can or do...)

2) The legal status of having an employee who does *not* have authority to sign
binding contracts for your organization (in most cases, essentially all the
worker drones in the cubicles) doing essentially that by clicking through the
EULA (for any product in this case)?



