This is a dead issue, and has been for at least a year. Microsoft has issued statements clarifying the intent of the EULA, which they admit was "poorly worded".
All you need to do is turn off automatic updates, which is wise policy in any corporate environment.

http://searchwin2000.techtarget.com/originalContent/0,289142,sid1_gci853127,00.html

I work in a hospital. I'm heavily involved in HIPAA compliance, and very familiar with both the privacy and security regulations. There are NO regulations on software change control. Anyone who believes there are should cite the specific regulation that they think covers this area.

There is a lot of confusion and misinformation about what the HIPAA regulations require, even in the health care industry. BS like this doesn't help.

Don't get me wrong, I'm not defending MS or saying their products are appropriate choices, but this issue is pure FUD.

-----Original Message-----
From: Gregory A. Gilliss [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 09, 2003 5:13 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] EULA

Okay, this is from my girlfriend, so flame her if it's wrong :-)

Basically, a HIPAA compliant hospital/practice/etc. that is found to be in violation of, say, the regs on software change control, can be fined up to US$ 10,000 per violation. I would guess that that *could* be construed as "per personal computer" if they wanted to be dicks about it...

But, it gets better...if the hospital/practice/etc that has been inspected and cited doesn't comply with the violated HIPAA regs, they can be closed down. BAM!

In practice I do not think that this has happened (yet) because the whole HIPAA thing is so new. However if you look at it from the security perspective, I expect that M$ legal will be amending their existing EULA for health care providers as soon as they read about this...

G

On or about 2003.09.09 14:08:04 +0000, David Hayes ([EMAIL PROTECTED]) said:

> So, if a HIPAA site uses Windows and accepts the SP3 EULA, they're
> screwed. If a HIPAA site uses Windows and does not accept the SP3
> EULA, they're screwed.
>
> Logical conclusion, if a HIPAA site uses Windows, they're screwed.
> Thus they should use a different OS?
>
> --
> David Hayes Network Security Operations Center MCI Network Svcs
> email: [EMAIL PROTECTED] vnet: 777-7236 voice: 972-729-7236
>
>
> On Mon, Sep 08, 2003 at 01:13:21PM -0400, [EMAIL PROTECTED] wrote:
> > On Mon, 08 Sep 2003 08:43:14 PDT, D B <[EMAIL PROTECTED]> said:
> >
> > > does the EULA of Microsoft violate lawyer client
> > > privilege ..... as in if my lawyer is using windows
> > > is he violating my rights
> >
> > I can't speak for the legal profession, but the SP3 EULA (the one where you agree to
> > allow Microsoft to install, without warning or notification, anything labeled a "security
> > patch", even if it breaks 3rd party software), is known to be very bad mojo for sites
> > covered by HIPAA, because it cedes software change control.
> >
> > Of course, if you fail to agree to the EULA and you're a HIPAA site, you're still screwed
> > because then you can't install post-SP3 patches.
> >
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
Gregory A. Gilliss                  Telephone: 1 650 872 2420
Computer Engineering                E-mail: [EMAIL PROTECTED]
Computer Security                   ICQ: 123710561
Software Development                WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
