Slashdot Mirror


User: EndlessNameless

EndlessNameless's activity in the archive.

Stories: 0
Comments: 1,340

Comments · 1,340

  1. Trials are supposed to be tried on the basis of actual events. If you start punishing people for potential damages then where does it end?

    No, it's always been this way. Actual harm, degree of negligence, danger to others, and intent are all considered in sentencing.

    Where I live, drunk drivers automatically get their licenses suspended for 3 years on top of fines and jail time. Even if no one was hurt. Even if there was no accident.

    There was no harm and arguably little intent for a particular drunk driver, but the negligence and danger are serious enough.

    In this case, the vandals likely could have done much worse with his credentials. The fact that they only made one headline doesn't change his negligence or deliberate involvement in the crime. He could have gotten up to 25 years for the crime he was convicted of, so the sentence was about as light as it could be.

  2. He threw branches, pine cones, and pieces of metal at people below.

    Technically, that's probably a battery charge of some sort (laws vary by state) for each person he struck.

    Of course he was arrested.

    He was also crazy enough that his grandmother got a restraining order against him, so I'd assume there was other disorderly behavior that drew police attention.

  3. His "crime" was the equivalent of spraying graffiti on a wall

    His crime was worse than that.

    He gave unknown people with nefarious intentions access to the system. He couldn't know with certainty what they were going to do with it.

    Maybe they pinky-promised him that they would only post an article or two. But he actually gave them access to do everything he could do. That's how credentials work. He's lucky they only did one stupid thing.

    His behavior was grossly negligent and intentional. If we can give a drunk driver fines, jail, and a 10-year suspended license without even causing an accident, then this guy can do a year or two for cooperating with known criminals.

    Two years in PITA for a headline that lasted 40 minutes?

    Doubtful.

    Federal crimes mean federal prison, but there are low- and high-security facilities. I doubt this guy is going to a supermax facility. He'll be in the "country club" prison with other low-risk criminals like bankers.

  4. Re:Circular Definition on Obama: The Word 'Classified' Means Whatever We Need It To Mean (techdirt.com) · Score: 1

    Unless, of course there is "super classified," "super-duper classified" and possibly "hyper-uber-super-double-secret-probation-classified." Tautologically speaking, classified is pretty much classified, unless you reclassify it.

    And, what do you know?

    There are: Confidential, Secret, and Top Secret levels, along with SCI/SAP silos.

  5. I wish I had mod points. We make up new terms when we notice a consistent thing they can describe.

    When industrial mass-production started to be guided by branding, we got "design language".

  6. "Going to the restroom" isn't an inherently dangerous situation. Rapists, peepers, and bigots make it that way---women, children, and trans people are not the assholes here.

    Maybe we should just switch to unisex bathrooms and be done with it. It works for other places in the world.

  7. I can't access that site from work, so please pardon me if this question was addressed.

    How are they going to do this in the United States without committing a federal felony?

    Some adware/spyware gets a legal pass because it's bundled with other software and its installation is "authorized" when the user accepts the terms/EULA. Without consent, they cannot legally install anything.

  8. Re:Gaslighting and other cons on The Spread of Ignorance (bbc.com) · Score: 1

    She said the climate policy de facto redistributes wealth. That implies it is a predictable effect rather than an intentional goal.

    It is not a goal of climate policy, but the restrictions on emissions and the development of alternative energy both have drastic economic impacts. No one is pretending otherwise.

    Because of this, the negotiations take place with those economic effects as a significant concern. Everyone knows there is a lot of money at stake. Even the scientists acknowledge the implications.

    The difference is that the politicians need to be reelected after the treaty is signed.

  9. The FBI and city of San Bernardino both have a legal right to access the data, so why is it Apple's choice about if they will help them?

    The city should have backups and recovery keys if they intend to recover data from an encrypted device. Yes, they own the data, and that means they are responsible for ensuring the availability and integrity of their data.

    On iPhone 5 and older, there is no secure enclave and Apple can push iOS updates without the device being unlocked. During development, Apple chose to create versions of iOS that always wiped crypto keys on repeated PIN failures. They have never created a product that can recover or unlock these phones---not for customers, not for testing.

    The government wants Apple to create a product that does not exist. This product, if it were ever leaked, would seriously undermine the privacy and security of all iOS users.

    And what is the chance of government systems being compromised? Given the hacks of OPM (basically, the federal HR department), NMCI (Navy/Marines intranet), and the State Department---I'd say that is a legitimate concern.

  10. Re:Question to fellow Slashdotters on ACLU Shows How the Apple-FBI Fight Was About Much More Than One Phone (theverge.com) · Score: 1

    Americans thought it was a war between two states; the British thought it was a national response to armed insurrection.

    The Revolutionary War is only a war in hindsight. If the USA lost, it would have been nothing more than a colonial insurrection---and certainly not the first in recorded history.

    There are different types of armed conflict, but war as defined by the Geneva Conventions involves nations. As the only legal covenant which is binding on most of the civilized world, its definition is the most sensible to use.

    Thus, the wars on drugs, terrors, etc are merely colloquialisms.

  11. Re:A big improvement... on 'Hack The Pentagon' Bug Bounty Program Opens For Registration (securityweek.com) · Score: 1

    The CFAA centers around unauthorized access. Since this activity is encouraged by the system owner---and even has a registration process---the attempts certainly cannot be unauthorized provided they follow the rules of the program.

    That said, it would be wise to read all of the program rules, as violating them might render the access unauthorized. That would put someone in federal felony territory.

    While I would hope the DoD would be forgiving of anyone who bends a minor rule, there is no guarantee beyond what is written.

  12. Re:seems obvious on Virus Hits MedStar Health Hospital Network (zdnet.com) · Score: 1

    When the imaging system vendor only supplies and supports Windows 2000 or XP workstations in 2016, you're looking at a serious problem.

    The problem is Windows, specifically the obsolete and unsupported versions of Windows that the equipment manufacturers force the hospitals to use.

    And inadequate isolation of these vulnerable hosts.

  13. Re:Airgap on Virus Hits MedStar Health Hospital Network (zdnet.com) · Score: 1

    And what happens in the case of billing issues, which are, by the way, quite frequent? If you have to go back and forth with BC/BS 10 times to get a claim approved for payment, what happens when you can only transfer the necessary files once a day?

    Everyone thinks air gapping is a magic bullet. And it is never practical.

    A hardened gateway device sitting between the two networks might work though. Most importantly, it won't run an obsolete operating system with a plethora of public vulnerabilities nor does it require FDA certification when modified.

    You could imagine something which accepts only well-formed and authorized requests in a standard format, exposes no other service, and then communicates to the medical equipment on the other side in whatever manner those devices require. But then you'd need to actually build that device because it doesn't exist right now.

  14. Re:ah yes, the machine that goes "PING!" on Virus Hits MedStar Health Hospital Network (zdnet.com) · Score: 1

    Already broken? Maybe. But as long as the medical function is not impaired, it will still fulfill its primary purpose. And changing the software can trigger an expensive recertification process.

    Plus, when every choice is broken, what do you do? Just toss all the machines? Diagnose patients without MRIs and ultrasounds? The doctors and medical directors don't really have many options.

    Hospital IT should set up these devices with network ACLs that permit only the barest minimum communication required for the device to work. Figuring that out takes time and effort, so lazy IT might not push management---or management may balk at the cost and tradeoffs.

    With many of the management servers and workstations running severely outdated operating systems, the only secure option is total isolation from internet-connected business systems. Isolating equipment requires effort from other people though---in particular, the users who need to move data to or from that device.

    Between poor vendor support and the requirement to digitally manage and exchange medical records, hospitals are between a rock and a hard place. I would like to see the FDA impose device security requirements, as that is the only way to force the vendors' hands.

  15. Re:Willing to be wrong, maybe... on Torvalds' Secret Sauce For Linux: Willing To Be Wrong (ieee.org) · Score: 1

    So you're taking a stand on less than 1% of the population? If dialup isn't strictly extinct, it's an extremely endangered species.

    Supporting dialup users simply isn't a major concern for a lot of companies anymore.

    With about half of dialup users being poor (unable to afford broadband) or outright luddites (unwilling to change for any reason) according to that report, I can't really blame tech companies for ignoring them.

  16. Re:You can't defer maintenance forever on What's Frying the Electrical Systems On BART Trains? (ieee.org) · Score: 1

    It makes sense to put out a statement like that when you've been warning people for years that the system is overgrown, decaying, and in need of massive investment.

    Intermittent problems are always the most difficult to diagnose, so I'd expect it to take some time.

    But the public will expect an immediate statement, because no one has patience in the face of engineering challenges.

    So I agree in principle with them for making the statement and also with you for stating that it does not belong on Slashdot. There should be a post about this in a month or three when they figure out what the problem is.

  17. Their goal as a publicly-traded corporation is to make money. Why would they ever give up a huge stream of revenue that they "earn" simply by signing a bunch of legal paperwork every few years?

    Unless there is a clear way for "real open-source trust" to turn into American dollars, it will never happen. Even good things like marketing, perception, and outreach have little value compared to cold cash; in fact, those things are pursued solely because they tend to bring in money in the future.

    I agree with the open source philosophy, but American CEOs are expected to care about profits over ideas. Failure to earn dividends leads to replacement; failing to make nice with another group of people generally has no consequences at all.

  18. Re:What i really don't understand here is... on Comcast Failed To Install Internet, Then Demanded $60,000 In Fees (arstechnica.com) · Score: 1

    If Comcast actually spent money on construction and started the permit process, they were materially invested in upholding their end of the bargain. That makes fraud seem rather unlikely.

    It is reasonable to have an option to terminate a contract when delivery is so slow---but slow delivery doesn't constitute fraud unless the contract specified a delivery timeframe and Comcast knew in advance they couldn't fulfill it. Fraud is intentional, so there must be evidence that they knew they couldn't deliver on a contract before they entered it.

    Plus, Comcast claimed that their Business Server Order Agreement is not a legally binding contract. If this is true, then they can't be liable for breaching it.

    The guy with the best lawyers wins, especially if he plans ahead.

  19. There are three tiers of updates: critical, recommended, and optional.

    Turning on automatic updates sets Windows Update to automatically download and install critical updates. It will prompt for a reboot if necessary.

    There is an option to receive recommended updates the same way as critical updates. If this is selected, the same thing happens for recommended updates. Since Microsoft made Windows 10 a recommended update recently, a lot of people recently became eligible for automatic installation of Windows 10. Windows 10 was previously an optional update.

    Windows Update can also be configured to never check for updates, check but prompt before download, or download but prompt before install. In all of these cases, the user is shown a list of updates and can choose individually which ones are installed.

    Most of this whining is from people who don't know how they set up Windows Update or have trouble keeping up with current events.

    I have three Windows 7/8 machines at home, and exactly none of them have installed Windows 10. Why not? Because I set them all to check for updates and ask me before downloading anything.

  20. Re:Outsource to IBM? on Hertz Had Sheriffs On Hand the Day It Cut IT (computerworld.com) · Score: 1

    Both communism and socialism purport to "share" the capital among all citizens. Supposedly, the political or social institutions allow all members of society to have a say in how the capital is used.

    What mechanism does distributism have to enforce this? Historic implementations of socialism and communism have lacked such mechanisms and thus have been plagued by corruption, oligarchy, or outright dictatorship.

    If subsidiarity is supposed to serve this function, then what of the economies of scale that are available to massive corporations? Independent workers and smaller groups often cannot create the same output that is possible through a large-scale coordinated effort. Is the reduced efficiency implied by strict subsidiarity required, or is there another mechanism to ensure that power is not consolidated and subsequently used to control the capital?

  21. Almost Anything Else is Better on Tavis Ormandy Criticizes Meaningless Antivirus Excellence Awards (softpedia.com) · Score: 1

    Antivirus is borderline useless these days.

    Application whitelisting, generally by publisher certificate, is the only way to lock things down meaningfully. Use hash-based exceptions for unsigned apps. Too bad all the tools are priced for enterprise.

    SELinux is good, but it takes a lot of work to get it into shape if you are doing anything that lacks an out-of-the-box config.

    Behavior-based anomaly detection is the next big thing. But the last I checked, it takes forever to establish your baselines, and false positives are the norm. Too many false positives is like crying wolf. People stop checking the alerts, admins create exceptions with little or no justification, or sometimes there are just too many to investigate individually.

    But almost all of these alternatives are better than bloated crapware that only protects you against the oldest and least sophisticated threats. Most malware is spread over half the planet before there is a signature for it.

  22. Re:They should ban MANNED aircraft on Study: Drones Present Minimal Threat To Aircraft (cio.com) · Score: 1

    #2 - Drones have significantly lower weight capacity and range. If you need high-quality or non-visible spectrum video, they won't work. If you need multiple angles or manual adjustment of the camera to get the right image, they won't work. Be real about the limitations.

    #3 - Amateur pilots have a ton of training and safety regulations to deal with. Drone operators basically have nothing. The only thing keeping drones safe is the fact they weigh less than a small book. If and when we develop larger drones, the risk will increase in line with their weight and velocity.

    And, actually, we do allow horses and carriages on the roads. In most states, they are required to have reflective badges indicating they are slow-moving vehicles---just like farm and construction vehicles. There are several states where seeing Amish buggies on the road is not a once-in-a-lifetime experience.

  23. Honestly, most of the posts trashing MS on technical points are crap. Either the understanding of the tech is wrong, or there is total ignorance of supported/recommended solutions.

    I'm not supporting MS in any reasonable sense. I hate W10 telemetry, and forcing it on users is bad.

    I will not install the OS on my personal PCs unless I can shut it off. And I'm not buying a 5-pack of Enterprise licenses to do it (that's the smallest number to qualify as a volume customer, and it's more than I need).

    But people here are complaining about an automatic process that only occurs if you let it. You must set Windows to install updates automatically and also choose to receive recommended updates the same way as critical updates, otherwise it will not happen.

    Windows Update asks you what you want the first time you run it, so this is on the user---if the user is even slightly tech-savvy. I have some sympathy for ignorant users, but the paranoid attitude on Slashdot is completely unfounded. There are at least four different ways to prevent this automatic upgrade from happening.

  24. Talk about doing things the hard way.

    You could just enable the Group Policy option that prohibits OS upgrades through Windows Update. With that set, even administrators cannot run the Windows 10 update.

    Also, those tweaks are something you should probably script if it's time-consuming and the software is that important. This would ensure that all the settings are recorded somewhere and that the redeployment of machines can happen quickly when needed.

  25. Re:Volume license users don't get any option.... on Windows 10 Upgrade Reportedly Starting Automatically On Windows 7 PCs (softpedia.com) · Score: 1

    If you buy Windows under a volume license, you should be getting Software Assurance. Otherwise, this is what happens. That has always been the way it worked.

    Maintaining SA over the life of the system costs about as much as buying upgrades as they come out, but you get access to a lot of good tools in addition to upgrade/downgrade rights. If you also get SA on your server licenses and CALs, you can upgrade anything in the organization whenever you want without waiting for management to approve a new licensing purchase---simpler budgeting, easier migration planning.

    Or you should have checked the terms before changing them over to your volume license. Microsoft was very clear from the beginning---no free upgrades for volume customers no matter what consumer/OEM licensees get.

    Even now, you could reinstall from OEM media, activate with the OEM key, and upgrade to Windows 10.

    If you're managing licensing for them and don't understand the implications of your decisions, you are doing them a disservice.