July ITAM SAM Licensing Update from Certero

Microsoft License Update

Universal License Terms

Clarity provided regarding training content limitations within Service Terms of Azure Generative AI

• Microsoft have confirmed that Microsoft Generative AI Services do not use either input or output content to train, retrain or improve Azure OpenAI Service foundation models.

• Customers may generate output content to tweak exclusively to the extent permitted within the Azure OpenAI Limited Access registration form (https://aka.ms/oai/access)

Privacy and Security Terms

• Microsoft Sentinel added to the Core Online Service table.
• Microsoft Sentinel has also been added to the Security Practices and Policies table.
• A new clause has been added within the ‘Location of Customer Data at Rest for Core Online Services’ specifically within Office 365 Services regarding data residency.
• Within the Azure Core Services there have been two additions, Azure DDOS Protection designed to prevent against a Denial-of-Service attack, and Azure Bastion a service that provides RDP and SSH access for VMs.

Microsoft Azure Terms

• A new clause has been added regarding Microsoft Defender for Identity and automatic updated. It states that Microsoft Defender for Identity may automatically download and install updates for you, and that without any additional or prior notice you agree to receive these automatic updates.
• There have been some updates to the Azure Maps terms in order to align to them with the merger of Bing Maps functionality.
• Navigation Restrictions
• Database Restriction
• API Results
• Map Content
• Imagery Content
• User Region Parameters
• No Warranty for Accuracy
• Copyright
• Print Rights

Microsoft Defender for Endpoint terms

• There is new product availability with Microsoft Defender for Endpoint F1 and F2, Plan 1 and Plan 2, along with a Plan 2 step up from Plan 1 commercial subscription option and Plan 2 for Student subscription.
• A prerequisite table has been added with links to the Universal License Terms for all Online Services.
• The Microsoft Defender for Endpoint has been added to the Student Use Benefit Entitlements by Qualifying Program.

Risk of installing dodgy extensions from Chrome store way worse than Google's letting on, study suggests

Browser extensions have always been of concern because they have access to sensitive information on the device. They may be able to see the data going into or out of your web browser, depending upon the permissions granted. They've been used by miscreants to spread malware, to track and spy on users, and to steal data.? This is why browser extensions cannot be ignored. But since most extensions are free, there's never been much of a revenue stream that browser store operators can use to fund security.

This week Google have offered reassurance that its vetting of Chrome extensions catches most malicious code. One of the reasons Google undertook its effort to redefine its browser extension architecture several years ago, an initiative known as Manifest v3 and was to limit the abusive potential of extensions.

Researchers affiliated with Stanford University in the US and the CISPA Helmholtz Center for Information Security in Germany just published a paper about recent Chrome Web Store data that suggest the risk posed by browser extensions is far greater than Google admits to. The paper, "What is in the Chrome Web Store? Investigating Security-Noteworthy Browser Extensions," is scheduled to be presented at the ACM Asia Conference on Computer and Communications Security (ASIA CCS ’24) in July. A Security-Noteworthy Extension (SNE) is defined as an extension that contains malware, violates Chrome Web Store policy, or contains vulnerable code. It's thus a more expansive category than simply a set of malicious extensions.

"We find that these SNE are a significant problem: over 346 million users installed a SNE in the last three years (280 million malware, 63 million policy violation, and three million vulnerable)," the authors claim. "In addition, these extensions are staying in the [Chrome Web Store] for years, making thorough vetting of extensions and notification of impacted users all the more critical."

But malicious extensions can also be durable. SNEs remain in the Chrome Web Store for an average of 380 days, if they contain malware, and 1,248 days if they simply contain vulnerable code, according to the paper. The longest surviving malicious extension was available in the store for 8.5 years.

The lack of maintenance means extensions may remain in the store for years after vulnerabilities get disclosed. "At least 78/184 extensions (42%) are still in the CWS and still vulnerable two years after disclosure," the researchers state. "This shows that, while detecting vulnerable extensions is critical, we also need better incentives to encourage and support developers to fix vulnerabilities after disclosure."

And many extensions incorporate vulnerable JavaScript libraries. The team found that a third of extensions (~40,000) use a JavaScript library with a known vulnerability. "We detect over 80,000 uses of vulnerable libraries, impacting almost 500 million extension users," they claim.

Quarterly ILMT Updates and IBM scheduled removing items from the list of sub capacity eligible technologies

IBM released the June 2024 ILMT update – ILMT 9.2.36, details are listed here:?

https://www.ibm.com/docs/en/license-metric-tool?topic=tool-whats-new?

Highlights Include:?

1. Support for installation of the License Metric Tool server on Red Hat Enterprise Linux 9.0?
2. Ability to use your own licensed DB2 instance in support of ILMT when deploying on Linux and not just the DB2 runtime license included in ILMT.
3. More detailed information in the Disconnected scanner return codes – This is to allow greater understanding of issues without the need to contact IBM support.

As a reminder there are several criteria that must be fulfilled for software to be eligible for sub capacity licensing:

• The program is eligible – IPAA & IPAEA https://www.ibm.com/software/passportadvantage/pa_agreements.html?/ https://www.ibm.com/software/passportadvantage/pae_agreements.html

• The processor type is eligible https://public.dhe.ibm.com/software/passportadvantage/SubCapacity/Eligible_Processor_Technology.pdf?
• The virtualization and Operating system are eligible https://public.dhe.ibm.com/software/passportadvantage/SubCapacity/Eligible_Virtualization_Technology.pdf?
• The reporting tool is eligible https://www.ibm.com/software/passportadvantage/ibmlicensemetrictool.html?
• IBM ask that the tool is kept up to date, e.g. ILMT should be updated once per quarter. https://www.ibm.com/docs/en/license-metric-tool?topic=tool-upgrading-latest-version?

The impact of losing sub capacity licensing rights in the event of an audit would likely be several orders of magnitude in terms of cost for the associated software. As such it’s important to keep ahead of the removals from the list of sub capacity eligible technology, this month Red Hat Enterprise Linux 6 and IBM I 7.2 were taken off the list.

https://www.ibm.com/support/pages/node/1079427

EU charges Microsoft with antitrust violations over Teams

The European Commission, the EU’s anti-trust governing body, have accused Microsoft of anti-competitive conduct and of breaching the EU anti-trust rules by bundling together its communication and collaboration product Teams with its productivity applications included in its suites for business, their flagship Microsoft 365 and Office 365 subscription packages. The charge sheet submitted to Microsoft highlighted concerns of an “undue advantage” which presents potential harm to competitors such as Slack and Zoom, with the European Commission’s press release being published on Tuesday 25th June 2024, and the investigations having begun on 27th July 2023 following an initial complaint by Slack Technologies, Inc, which is now owned by Salesforce, Inc. The Commission went on to receive a second complaint regarding Teams by Alfaview GmbH, who raised similar concerns regarding the distribution of Teams.

When Teams was launched Microsoft took the decision to bundle it within its productivity suites for business customers within their Office 365 and Microsoft 365 packages. The European Commission’s preliminary findings are that Microsoft is “dominant worldwide” within the marketplace for “SaaS productive applications for professional use”. As such the Commissions concerns are that since April 2019 due to the manner in which Microsoft bundle the Teams software with their SaaS productivity applications using a suite-centric bundling model, this has restricted competition within in the market for communication and collaboration products, and in allowing competitors to supply individual software applications.

The infringement in question which has triggered the actions by the Commission in Article 102 of the Treaty on the Functioning of the European Union (TFEU) which prohibits the abuse of a dominant market position. In line with this, the practices that would fall foul of Article 102, and that are of concern to the Commission is that Microsoft may have granted ‘Teams’ a “distribution advantage” with the action of bundling as this did not allow customers the choice of whether or not to purchase the software when procuring their SaaS subscriptions. Furthermore, there were issues with interoperability with similar competitor software products and Microsoft software, which subsequently may have prevented competitors from competing and innovating to the detriment of the customers in the European Economic Area.

A statement was given by Margrethe Vestager?, the EU’s executive vice-president in charge of competition policy who stated that “We are concerned that Microsoft may be giving its own communication product Teams an undue advantage over competitors by tying it to its popular productivity suites for business”. Ms Vestager went on to say that “If confirmed, Microsoft’s conduct would be illegal under our competition rules. Microsoft now has the opportunity to reply to our concerns.”

It is important to note that Microsoft have already taken steps in a bid to appease the Commission and avert regulatory action when in April they further expanded their plans to uncouple Teams from Office beyond Europe. However, the Commission’s preliminary finding is that these steps do not go far enough and are not sufficient to address the concerns stated with further changes to ‘Microsoft’s conduct’ required to restore competition.

In response to the charges, Brad Smith, Microsoft president has said: “Having unbundled Teams and taken initial interoperability steps, we appreciate the additional clarity provided today and will work to find solutions to address the commission’s remaining concerns.”

On the other side of the table Sabastian V. Niles?, president at?Salesforce?the now owner of Slack, the instigator of the investigation having lodged the original complaint against Microsoft, stated that the charges against Microsoft were “a win for customer choice and an affirmation that Microsoft’s practices with Teams have harmed competition”.?

There are three potential outcomes to this case, Microsoft win, Microsoft lose, or both parties come to a settlement. This could mean as an end user and an organization there could be a resulting change in software prices should Microsoft be forced to change their license offerings. There could also potentially be more options on the market with more collaboration offerings from new players entering the market with new innovation, either way it is not likely to be a quick battle.

Should Microsoft lose however, it could be extremely costly for them, as any infringement proven following an inadequate defence, with sufficient evidence of infringement, can allow the Commission to impose a fine of up to 10% of the company’s annual worldwide turnover. This is a battle far from over.

Oracle Java license teams to begin targeting users who don’t think they use Oracle?

Oracle have a team based in India that are contracting organizations worldwide about their Java use. Oracle track product downloads and IP addresses that can be traced back to an organization.

Oracle first introduced two new licensing models which began charging license fees for its commercial Java platform and Standard Edition (Java SE) back in April 2019. Oracle has been phasing-in it’s Java SE Universal Subscription since January 2024 as a replacement for it’s per user/processor model. Organization adapting to the new licensing terms can expect the per-employee model to be vastly more expensive than the legacy model.

Most Oracle and Java users are aware of these recent licensing changes. However, there are still organizations who are using Java but haven’t had exposure to Oracle’s other applications, such as Database or Middleware. So they don’t have a relationship with Oracle and might not understand it’s approach to commercial negotiations.

Organizations have been uninstalling Oracle Java in favor of open-source alternatives for their runtime and development environments. However, as Oracle track the Java SE downloads, they are well aware of non-compliant Java SE usage. Even though the Universal pricing arrangement was introduced in January 2023, Oracle is entitled to ask for backdated payments to charge for people already using Java within the last three years. Oracle will usually overlook unlicensed software if you agree to sign up to the new subscription model. But be cautious, as this may not be cost-effective if you already have legacy Oracle agreements.

https://www.theregister.com/2024/06/20/oracle_java_licence_teams/

Concern on both sides of the Atlantic increases following cyberattacks on hospitals?

As ransomware attacks on the global health sector continue to grow, the UK and the US are seeing much-needed defence initiatives appear.?

The ongoing attack on the NHS is proving it again, hospitals are an ideal prey for ransomware attacks. In fact, the risks healthcare providers encounter when their services aren’t operative are potentially vital for patients, meaning they rarely have time to resort to alternative options (such as ransomware decryptors) and must pay the ransom asked by attackers to retrieve access to their IT services quickly.?

Not only is healthcare data powerful material for ransomware gangs, but it is also valuable on the black market. In 2019, Ernst & Young reported that NHS data held in 55 million patients’ records was worth ￡9.6bn a year, making it a coveted target for hackers.?

With such attacks increasingly targeting the global health sector, Microsoft announced on Monday that it would launch a cybersecurity program to help rural US hospitals defend themselves from such threats.?

As part of this initiative, the tech giant will provide its products and solutions to rural health facilities for reduced prices (up to 75% discount) or at no cost for one year. “Cyber-attacks against the U.S. healthcare systems rose 130% in 2023, forcing hospitals to cancel procedures and impacting Americans’ access to critical care” said Anne Neuberger, Deputy National Security Advisory for Cyber and Emerging Technologies.?

Adobe is Sued by the U.S. Department of Justice?

The Department of Justice have accused Adobe of withholding important T's & C's that left people with hefty bills if they wanted to cancel their subscription and subsequently filed a lawsuit against the company.

DOJ wrote that “Adobe has harmed consumers by enrolling them in its default, most lucrative subscription plan without clearly disclosing important plan terms.” And that Adobe pushed consumers toward the “annual paid monthly” subscription without informing them that cancelling the plan in the first year would cost hundreds of dollars. Also “During enrolment, Adobe hides material terms of its APM plan in fine print and behind option textboxes and hyperlinks, proving disclosures that are designed to go unnoticed and that most consumers never see,” according to the complaint. “Adobe then deters cancellations by employing an onerous and complicated cancellation process.”

The DOJ’s complaint says Adobe has violated federal laws designed to protect consumers. The government is seeking “injunctive relief, civil penalties, equitable monetary relief, as well as other relief.”

Adobe shifted to a subscription model in 2012 and started requiring consumers to pay for access to the company’s software on a recurring basis. In the past, users could access the company’s software after paying a one-time fee.

“Subscription services are convenient, flexible and cost effective to allow users to choose the plan that best fits their needs, timeline and budget,” said Adobe’s General Counsel and Chief Trust Officer Dana Rao, in a statement. “Our priority is to always ensure our customers have a positive experience. We are transparent with the terms and conditions of our subscription agreements and have a simple cancellation process.”

Adobe says it plans to refute the claims in court.

Subscriptions account for most of the adobe’s revenue, according to the Federal Trade Commission, which launched a similar lawsuit against Amazon last year, saying it “knowingly” complicates the ability of customers of its Prime service to cancel their subscriptions.