Message-ID: <41B1FD84D49E05448A4233378E6BF475163C0F@entmsgnt03.fm.frd.fmlh.edu>
From: jheidtke at fmlh.edu (Jerry Heidtke)
Subject: EULA

This is a dead issue, and has been for at least a year. Microsoft has
issued statements clarifying the intent of the EULA, which they admit
was "poorly worded". 

All you need to do is turn off automatic updates, which is wise policy
in any corporate environment.

http://searchwin2000.techtarget.com/originalContent/0,289142,sid1_gci853127,00.html

I work in a hospital. I'm heavily involved in HIPAA compliance, and very
familiar with both the privacy and security regulations. There are NO
regulations on software change control. Anyone who believes there are
should cite the specific regulation that they think covers this area.

There is a lot of confusion and misinformation about what the HIPAA
regulations require, even in the health care industry. BS like this
doesn't help.

Don't get me wrong, I'm not defending MS or saying their products are
appropriate choices, but this issue is pure FUD.

-----Original Message-----
From: Gregory A. Gilliss [mailto:ggilliss@...publishing.com] 
Sent: Tuesday, September 09, 2003 5:13 PM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] EULA


Okay, this is from my girlfriend, so flame her if it's wrong :-)

Basically, a HIPAA compliant hospital/practice/etc. that is found to be
in violation of, say, the regs on software change control, can be fined
up to US$ 10,000 per violation. I would guess that that *could* be construed
as "per personal computer" if they wanted to be dicks about it...

But, it gets better...if the hospital/practice/etc. that has been
inspected and cited doesn't comply with the violated HIPAA regs,
they can be closed down.  BAM!  In practice I do not think that this has
happened (yet) because the whole HIPAA thing is so new. However if you
look at it from the security perspective, I expect that M$ legal will be
amending their existing EULA for health care providers as soon as they read
about this...

G

On or about 2003.09.09 14:08:04 +0000, David Hayes (david.hayes@....com)
said:

> So, if a HIPAA site uses Windows and accepts the SP3 EULA, they're
> screwed.  If a HIPAA site uses Windows and does not accept the SP3
> EULA, they're screwed.
> 
> Logical conclusion, if a HIPAA site uses Windows, they're screwed.
> Thus they should use a different OS?
> 
> -- 
> David Hayes    Network Security Operations Center     MCI Network Svcs
> email: david.hayes@....com      vnet: 777-7236     voice: 972-729-7236
> 
> 
> On Mon, Sep 08, 2003 at 01:13:21PM -0400, Valdis.Kletnieks@...edu wrote:
> > On Mon, 08 Sep 2003 08:43:14 PDT, D B <geggam692000@...oo.com> said:
> > 
> > > does the EULA of Microsoft violate lawyer client
> > > privilege ..... as in  if my lawyer is using windows
> > > is he violating my rights 
> > 
> > I can't speak for the legal profession, but the SP3 EULA (the one where you agree to
> > allow Microsoft to install, without warning or notification, anything labeled a "security
> > patch", even if it breaks 3rd party software), is known to be very bad mojo for sites
> > covered by HIPAA, because it cedes software change control.
> > 
> > Of course, if you fail to agree to the EULA and you're a HIPAA site, you're still screwed
> > because then you can't install post-SP3 patches.
> > 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
Gregory A. Gilliss                  Telephone: 1 650 872 2420
Computer Engineering                E-mail: greg@...liss.com
Computer Security                   ICQ: 123710561
Software Development                WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3


Confidentiality Notice: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information.  Any unauthorized review, use,
disclosure or distribution is prohibited.  If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.

