Confidentiality on Virus Sent Docs?

Sulka writes: "The latest Sircam outbreak has sent me a lot of documents from total strangers I've never heard of before. This led me to wonder what would happen if a trade secret doc from company X was leaked like this to me -- I guess the secret wouldn't be a secret anymore. But what's the legal standing of this? Is a virus sending a document the same as someone sending email accidentally to a wrong address? Could I send a M$ Halloween memo that popped to my address to the press?" I have now recieved 1.1 gigabytes of sircam virus email attachments. I'm just glad I don't pay for my bandwidth per k.

Ethis vs. Legal

If something is mailed to you that you didn't request, at least in the state of California, then you are not under any legal obligation to return it. But there are higher laws of human
behavior.

It all depends on how high of a standard you want to live by.

If you received something that is part of an obvious ploy to get you to buy it, the ethics of that situation are different than if you received something that didn't belong to you by accident.

A professor at UC Berkeley has an email address that differs from mine by only a single character. When she started teaching there someone put my email address in place of hers and I've been receiving her emails for the last two years. Apparently once the data entry people at UCB have spoken it is writtten in stone.

At first I deleted her emails until I recognized that it was not accidental. I replied back to the sender and found the correct email address and sent an email to the professor in the Sociology Dept. letting her know of the error. And I've been forwarding her email ever since.

The error occurred because we share the same last name, and we have become friends and exchanged emails over that time. Fortunately, I have not received any intimate or compromising emails.

But in two years, she has not been able to correct the error.

This is not the only time this mix up has occurred. I also recently was included in some high finance emails involving transactions of large sums of money. I contacted the agent at the bank who was making the error and let him know that he was sending the email to the wrong person. It was the right thing to do.

I expect that as the number of ISPs dwindle and users are crowded onto the same ISPs that more of this will occur in the future.

This is a slightly tangent issue, but I was thinking today, on the way to work, that it may eventually become necessary to issue email address, not by an ISP, with their name as part of the email address, but by a federal agency (hopefully not a new one) that would be issued at birth (like SSNs now) and would be used your entire life regardless of your ISP.

The Next Big Thing

Next thing you know, they'll be using that new AT&T text-to-anybody's speech software to deliver viruses by voice mail...

"*ring* Hello?"

"Dude, I opened your attachment and it dialed a 1-900 number! WTF?"

"*My* attachment?"

Re:How about an mp3-spreading virus?

That's really not such a bad idea. If the worm could reliably find mp3's on the infected PC and send them to people in your address book, it's wouldn't take long to have a kind of "unrequested Napster," with surprise songs arriving in your inbox every day. The only downside would be the bandwidth issues with up/downloading files of that size.

And the RIIA couldn't do a thing about it.

Re:1.1 gigabytes?

> Growl! I only received one lousy SirCam-mail. (Spanish version) I can't but feel extremely unpopular, especially when I read things like 1.1 Gig!

I feel totally unloved too, so I'm posting my email addy all over the place:

president@whitehouse.gov
president@whitehouse.gov
president@whitehouse.gov
president@whitehouse.gov
president@whitehouse.gov
president@whitehouse.gov
president@whitehouse.gov
president@whitehouse.gov

love, George Dubya

Re:So what have you guys gotten?

I've gotten lots of drivel, several resumes, payroll records, some dull term papers, a few personal letters, and two recipes (cookies and homemade bread). I posted the recipes (rather tasty-looking, actually) and trashed everything else.

A friend of mine got the text to the secret initiation ceremony of the Dekes fraternity, which is one of the silliest things I've ever read. Faux-occult rituals, robes, secret handshakes and consuming the "sacred goat entrails". Sheesh. Can anybody really make it all the way through such a ceremony without laughing?

Re:All your advice...

grammer Cute! :-)

Re:Hotmail deleted all my mail because of this vir

[mce]

If this is true, you should talk to Hotmail about them having a major security problem, because in that case all Hotmail users clearly are open to all sorts of very nasty denial-of-service attacks.

If your e-mail quota are filling up, they should simply refuse to accept more mail, not delete old stuff. This scheme too is prone to denial of service, but at least your correspondents will know that their message to you was lost and that they should try again later.

--

Re:C. Keep old messages and BOUNCE new ones.

[shogun]

Think of what filesystems would be like if they deleted old files because you were creating new ones: you might delete your kernel

Not if you're one of the up to date bleeding edge people who recompiles with a new kernel every couple of days.

Re:IANAL either

[shogun]

google yourself

If you had said that anywhere but here it could of been taken in a bad way. :)

Re:How does one extract the attached file?

[shaldannon]

Ever heard of something called StarOffice? WordPerfect? AbiWord? strings? :)


if ($user =~ m/shaldannon/i) {
print "\n-- $user :)\n"
}

As in...FBI....

[shaldannon]

...laptops? ;)


if ($user =~ m/shaldannon/i) {
print "\n-- $user :)\n"
}

nice....

[shaldannon]

Can we say "identity theft"? Who needs those $19.95 programs for Windows 3.11 that get sent from hotmail accounts that promise to let you snoop on anyone and everyone? :)


if ($user =~ m/shaldannon/i) {
print "\n-- $user :)\n"
}

Similar situation, no email

[shaldannon]

I work for Nando Media. My name isn't altogether uncommon, but more on that in a bit. Another gentleman, of the same first and last name, works for The News and Observer. The two companies are sister companies (in point of fact, they created us once upon a time).

I work as a programmer. He is an associate editor, or something like that. I'm white. He's not (he's president of the NABJ). We work in different buildings with different office numbers. One of these days I need to go introduce myself to him. In the six months I've been here, he's gotten a package meant for me, I've gotten a package meant for him, and I've gotten probably 10 phone calls for him (two at home around 11 pm, from someone on the west coast).

This isn't just the company mail messing up, or the company switchboard. The regional phone company blew it too. Fortunately, we're both aware of each other's presence, and politely refer the caller/package/etc to the other individual.

What's most frustrating about all this is that that first package was a Valntine's gift sent 2-day mail, with my full name emblazoned, complete with roman numeral (I'm the IVth, ladies and gentlemen), and it still got mis-routed. *SIGH*

It sure seems like it would be fun to compromise someone's secrets, or post everyone's inane family letters, or whatever, until it happens to you. I have to applaud the writer of the parent post for doing the ethically right thing.


if ($user =~ m/shaldannon/i) {
print "\n-- $user :)\n"
}

Check out the Trade Secret Basics FAQ

[Tim+Macinta]

There is a FAQ on Trade Secret Basics at nolo.com. In particular, look at the question titled "What rights does the owner of a trade secret have?" I am not a lawyer, but I think it would be reasonable to assume that the SirCam virus would be covered by the line that talks about "people who learn about a trade secret by accident or mistake" (these people are not allowed to divulge the trade secret). So, I am playing it safe with files sent to me as the result of SirCam and just deleting them.

Re:Check out the Trade Secret Basics FAQ

[Rix]

Hmm, they seem to contradict themselves below that:

There is one group of people that cannot be stopped from using information protected under trade secret law. These are people who discover the secret independently, that is, without using illegal means or violating agreements or state laws.

Given no previous NDA, according to that clause it would seem that only the virus author would be prohibited.

Re:Check out the Trade Secret Basics FAQ

[jdcook]

The Nolo FAQ is pretty good. In most states, if a secret is accidently divulged to you and you know or have reason to know that the information is secret, you have an affirmative duty to not reveal that secret.

If anyone wants to ask, "How am I supposed to know that _________ is a secret? They can't prove that I knew that.", tell them they should try not to be a dumbass. If you get these messages and know you only got them because of a virus, you know there was no intention to send them to you. Don't publish them. Just let it go. Nobody cares.

Re:Well....

[Zachary+Kessin]

Actualy I disagree with that. Of course you have to teach ethics. And ethics is a much more complex subject that most people think. Ethics should be tought and thought about much more than they are are in the most of the USA.

If you don't write down and teach your rules for ethics how can you expect people to learn them and follow them. Ofcourse there are many ethical rules that are or should be rather obvious, like don't take bribes. But there are many others that are less so.
For example there was a case during the Shoah (Holocost) where a man could have bribed the germans to let his son off of a train to the camps, but if he did this somone else's son would have been put on to make the count. Would it be ethical for him to do this? Well Jewish Law states that infact it would not be ethical to do that. After all why should your son live at the expense of someone else. And this is not some theoretical argument of Rabbis debating the Talmud, this is a true story.

Now I will hope that none of us ever faces a choice like that (B''H), but that does not mean that ethical choices do not come up every day in our lives, we should think about them and talk about them and when we have children talk about them with our children so that our children grow up with values and I hope make a better world for their children.

Re:An analogy...

[Zachary+Kessin]

Under Jewish law (Its in the Talmud) You must return a lost object if it has a distinguishing mark, it has not been abandoned by its owner, and it has value. So for example if you found a $50 bill on the street you can keep it, as you have no way of knowing who it belongs to. Or for example you find a copy of a newspaper on a train, you don't have to return it as the owner probably left it there after reading it, so it counts as abandoned. Or for example if a bag of rice falls and breaks and scatters all over the place then it really does not have value. (After all its all over the floor).

On the other hand if you find a wallet with some ID in it, then you should probably return it, as you can know who owns it. Unless you can be reasonable sure that the owner has no hope of finding it again, for example it just washed up on the sea shore. There are a few more rules. I don't remember which tractate of the Talmud this is all in but my Rabbi gave a class on it a while back.

So in that case, if you can figure out who owns the Jewelry some how (Say its in a box with a name) you should return it to them. On the other hand if its box with no name and some gold and dimonds you can reasonably keep it.

If this comes up in real life consult a Rabbi over my post, my memory may be wrong on a detail here.

Re:Well....

[Zachary+Kessin]

The difference is that in the Shoah case that someone would die was not in question. Only who it was going to be. The SUV issue is much less clear cut. If I drive a SUV (I don't) and I hit you, then its not that you will die and I won't its that you have worse odds than I do. Somewhat different issue.

There are other issues I have with SUV's but they are not relivant here.

Re:Hotmail deleted all my mail because of this vir

[AxelBoldt]

HOTMAIL IS FREE!

No it isn't. You have to provide personal information in order to sign up, that's a cost, because people pay money for this kind of valuable information. You have to endure ads in order to read your email, that's a cost because it pollutes your brain.

--

If you fancy trying it out...

[slim]

PubCam is a small Perl script which extracts any SirCam attachments, removes the virus, and produces an index.html listing the files, the sender, and the date header from the mail in question. This makes it very quick and easy to put up a web page of your SirCam spoils.

Beware, though, hosting services such as Tripod don't like it very much!
--

Re:why do people keep doing this?

[shani]

Maybe there's something wrong with a country where the only way to know what's right or wrong is to ask a lawyer (by which we all mean "pay large sums of money to a laywer").

Not surprising since the laws are made by lawyers.

Re:this would include--you?

[Jason+Earl]

My guess is that if you get an email containing sensitive information from somewhere in the United States then it is legal for you to publish it. Of course, I don't know where you live, or have any idea of the laws in your country, but that doesn't stop me from making things up...

In case you hadn't noticed, this particular Ask Slashdot dealt with a legal question. As such the answer depends on your jurisdiction. The answers to legal questions like this quite often vary from state to state, and even from county to county. They certainly vary from country to country. This sort of discussion might not be helpful if you live in Communist China, where you probably have little influence on local laws, but it's at least somewhat germane to anyone who lives in any sort of republic or representative democracy, because the comparison of foreign and domestic law often reveals loopholes that one might wish to avoid in their own jurisdiction.

I imagine that you also have a say in the creation of your local laws (scary as that may seem), and so the quote mentioned above also applies to you. That makes you an official amateur lawmaker, so you might want to become informed a bit. Barring that, you might want to push the back button on your browser and perhaps read a different article if you don't want to discuss an issue that is primarily going to reflect /.'s US audience.

On the other hand, it is possible that you live in some forward-thinking country where they don't have anything as backwards as law. In that case, flame away.

Re:1.1 gigabytes?

[singularity]

I received quite a bit of it (no where near 1.1 gigs, but I would guess at least 10 megs). Part of it has to do with how the email addresses are found by SirCam: It searches the cache of IE and pulls any email addresses off of those web pages.

If your email address is not on a lot of web pages, chances are you will not get enough. If you run /., on the other hand, you have your fill of web pages with your email address on them.

Re:'cause they're not all idiots

[sheldon]

score order has nothing to do with the validity of the opinions.

Courses in ethics...

[Improv]

Fall into two general categories..
1) Indoctrination so you'll be nice to corporate
interests
2) Review of different ethical systems and their
foundations
I suspect by your phrasing that you mean the
first. A code of ethics isn't something objective
that one can learn.. I recall, when I took a
course on ethics when I was an undergrad, we did
debates, and I managed to sway about a third of
the class to the position that intellectual
property is philosophically invalid. Fun.

Re:Courses in ethics...

[MindStalker]

Yea, the college I goto required an ethics class for anyone going into computer related studies. Havn't taken the class yet, but I can almost assume what it teaches.

Re:Confidentiality clauses

[Hallow]

Heh, funny. I don't think you can be held to a contract you never signed. Only the people who signed your contracts with the confidentiality clause could be held accountable to it.

'cause they're not all idiots

[jlusk4]

Why do people keep posing technical legal questions to a bunch of geeks, most of whom haven't even graduated from college yet?

'Cause they're not all clueless idiots, there are a few sharp tacks in the bunch. Plus, one or two of 'em have graduated from college and actually have something to say worth reading. Sort by score order, idiot.

Judging from the uninformed comments above, evidently not, but there are a *ton* of clueless idiots who are more than happy to spout off their opinions on a subject they know nothing about.

Well, duh. What else is new about any online community? Why should /. be any different?

John.

Re:'cause they're not all idiots

[theantix]

score order has nothing to do with the validity of the opinions.

That is _CLEARLY_ false. Score order means a lot. This does not mean that every (Score:5, Insightful) is correct and the best explanation for something. But it is at least much more plausible than something that exists at -1, 0, or 1.

Of course like everything else in the world there are exceptions, and often you will see some clueless luser modded up to 5. Overall though the system works very well. IMHO. IANAL.

Re:haha ha slashdot readers are dumb

[Paladin]

We are not smart salamanders.....are we not men?
What is the law!
Not to walk on all fours...

Re:Huh?

[Kid+Zero]

Well, now see, that's useful information. If you can trust any of them to tell the truth on resumes...
-----------------------------

Here's how to read what you get

[mrbill]

For those people using Solaris (or any other *nix with a "dd"), here's how to strip the "virus"
part of the attachment away from the "document"
part, so you can safely view the documents:

dd bs=512 skip=268 if=infected.filename.ext of=disinfected.filename

Re:1.1 gigabytes?

[Alan+Shutko]

Fair enough -- but if procmail is working as advertised and you route the data to the bit bucket, I don't see how you'd know how much you get in spam/forwarded viruses.

Procmail logs, naturally. It logs message size even when bit-bucketing.

Re:1.1 gigabytes?

[Alan+Shutko]

Of course, by the time it hits procmail, you've already paid for the bandwidth (unless you have mail delivered to a server with procmail outside the net you pay for bandwidth).

Re:IANAL

[maggard]

Nobody is "required" to do squat about email that comes with a destruct-request. If we truly were required then I could then bill the senders for time & services rendered.

All those stupid notices do is communicate that whoever resposible for them has poor grasp of this area of the law and/or is trying to bs folks into playing along.

The information contained in this document is proprietary and confidential and may not be transmitted to others in any form without the express written consent of me. Contravention of this shall result in substantial penalties. To avoid litigation empty your wallet of all high value bills & email them to me.

Re:Well....

[unitron]

Anybody have any info on why this hidden article is hidden? Is this a frequent occurrence?

Re:Well....

[unitron]

What censorship section? I went to preferences and the only choice is to *exclude* stories about censorship but I don't have that checked, I don't have anything checked for exclusion.

Re:Well....

[unitron]

Since this is probably a one story per week kind of thing, why should I have to keep checking everytime I'm online? Why can't I have those stories show on my version of the main page? For that matter, why can't I have *all* stories show on the main page even if only as an entry in a slashbox? And shouldn't these censorship stories be in the Your Rights Online slashbox anyway?

Well...

[Magus311X]

Well your honor, he emailed the trade secrets to me and requested my advice!

Really!
-----

Re:A good way to fight UCITA?

[ewhac]

No, UCITA has provisions against unconscionability. If a term in the "contract" is unconscionable, then it's struck. Unless they were peculiar, no one would knowingly agree to have their computer ransacked by untrustworthy code.

Trouble is, unconscionability is usually determined by a court (read: arduous and expensive).

Schwab

Re:1.1 gigabytes?

[rho]

Fair enough -- but if procmail is working as advertised and you route the data to the bit bucket, I don't see how you'd know how much you get in spam/forwarded viruses.

Luckily for me, my ISP is one of the best on the planet (Netdoor), and they've filtered out Sircam mail at their mail server. I got a couple of the mails on the first day in the wild, I've never seen another since. Didn't even have to touch my procmail files.

Re:1.1 gigabytes?

[rho]

Who checks logfiles? :)

You're absolutely right... didn't think about that.

1.1 gigabytes?

[rho]

I have now recieved 1.1 gigabytes of sircam virus email attachments. I'm just glad I don't pay for my bandwidth per k.

You oughta be glad you don't get paid for your procmail skills.

Re:1.1 gigabytes?

[ebbe11]

I can't but feel extremely unpopular

Another explanation might be that your friends are knowledgable computer users who are able to stop such a thingie in its tracks?

Incidentally, I have received one (1) mail with SirCam in it so far.

Re:1.1 gigabytes?

[Hazzl]

Growl! I only received one lousy SirCam-mail. (Spanish version) I can't but feel extremely unpopular, especially when I read things like 1.1 Gig!

Re:1.1 gigabytes?

[tstock]

:0 B
* > 100000
* mDmcOaA5pDmoOaw5sDnAOeA56DnsOfA59Dn4Ofw5ADoEOgg6HD o8OkQ6SD
mail/sircam

or /dev/null ...

Re:Well....

[JanneM]

He isn't asking about the moral issues, he wants to know the legal aspects - these are not always congruent, you know.

I vaguely seem to remember that where I live (sweden) you are not free to redistribute or publish stuff that's gotten into your hands by mistake if the stuff is clearly sent to you by mistake or is obviously confidential. We've had some incidents where hospitals or social services have faxed journals and other files to private citizens by mistake, and I think that was the result of those incidents. Note that you are not required to destroy the documents, or alert anybody that the information's got astray, you just aren't allowed to spread it around.

/Janne

You have the info, there are no restrictions

[imp]

As far as I have been able to determine, if you have the information it is yours to do with as you like. There are several court cases where people have come into possession of otherwise private information and were free to publish it. The Supreme court has been somewhat consistant about that in recent years. It is a first amendment thing. If you come by information through an illegal act that you did not commit or encourage to commit, then you can do whatever you want with the information. Witness the poor union negotiator who had his cell conversation taped and later played on the air.

Contract law, btw, requires that all parties sign, or otherwise agree to the contract. With this virus, there's no such agreement between the recipient and those who wish to keep the information private. It would be very hard to prosecute someone for disclosing this information, except maybe a copyright claim which would only protect the instance of the information, not the information itself.

The infected sender might be extremely liable, or not at all. It all would hinge on wheather or not it was possible to take reasonable steps to ensure that such unauthorized disclosure would be prevented.

Bottom line: You can tell people whatever you want to about this. Posting actual documents may expose you to a copyright action (since all documents are copyright at birth), but that would not preclude you from posting summaries.

Re:Credit cards

[fishbowl]

1) the consumer never signed any contracts

Indeed he did! Every time he made a purchase he signed a contract, parties to which include the merchant, the bank, and the purchaser. You agree to pay when you make the purchase. If the merchant doesn't get this agreement, it's his fault and he should take the loss.

This language has been part of the credit card receipt since at least the 1960's; it's not a recent development.

Now, do you have a cite where we can research the
"banks many years ago" who took losses from unsolicited credit cards?

Re:Credit cards

[fishbowl]

>When you sign the piece of paper to buy
>something you say

"I agree to pay above total amount according to card issuer agreement."

That "card issuer agreement" is an ironclad contract that I doubt anyone could squirm out
of paying, at least not on simple questions of semantics.

Now, this is NOT something that just came about
in the last 2 decades! Even the debit card is
not new, just far more common today. The merchant
agreement and banking procedures have not changed
in any substantial way since the 1950's. Certain
trappings around the way we use card-based payments have changed; notably the incredibly high
interest rates on consumer loans, and of course the instantaneous accounting of the transaction
by modem. The ATM is new (since the late '70s, then common in the 80's, now *everywhere*), but
the business model is not.

Until a recent purge of old crap, I could have produced credit card receipts from the '60s to
compare the language of the fine print. It would
be interesting to compare the language on credit
applications also, but I assure you they haven't changed much, except in superficial ways.

It's True

[waldoj]

My girlfriend had this happen to her a couple of years ago. She was quite distraught to have lost 1.5+ years of e-mail. Correspondance with Hotmail only led them to tell her that she shouldn't have had that much spam in her In Box. (We were on vacation for a couple of weeks, and she didn't check e-mail frequently.) She has an account on one of my machines now, so all is well.

-Waldo

Re:So what have you guys gotten?

[Maserati]

We once got a resume, for Senior NT Administrator, with a macro virus in it. I'm also reporting a clueful HR person, as she noticed that it was a .dot file, not a .doc

It's simple: it's the guy's fault.

[Pig+Hogger]

It's very simple. The owner is responsible for what his computer does.

So, it's the company owning the infected computer that's responsible for sending it's secrets out.

--

Re:Well....

[Syberghost]

No, I'm intentionally linking to these ISO's a well-known source of cryptographic software, which has provided a lot of free services for the community, made so that people will be able to use free software without paying unnecessary prices for it, if they so choose.

If Theo doesn't feel like he can support the project without charging, then he shouldn't be engaged in an Open Source project.

Is it slimy if I link to a RedHat ISO, too?

-

Re:Well....

[Syberghost]

He didn't say ethics laws, he said ethics.

Any society that doesn't teach it's ethics will only have them for a single generation.

You need only look around your neighborhood (assuming you're in the US) to see that I'm right.

-

Re:Well....

[Syberghost]

Oh the irony... complaining about ethics, and then offering a link to OpenBSD ISO's in the .sig...

No, irony is thinking it's OK to distribute images of commercial music CDs, but not OK to distribute privately-created CDs of Open Source software.

In fact, if the former is OK, then it should be OK to put images of the official CD up on Napster.

-

It is the fault of the owner of the document.

[GiMP]

The owner of the document must be responsible! They are responsible for the security of their documents. If they are unfortunate to have a virus send their documents out onto the web, then they have not just one fault in their security. And that fault is their own.

First, encrypt your important documents.
Secondly, keep those important documents away from file shares which insecure machines may have access to.
Thirdly, keep your machines secure! This means either running a secure operating system like Unix or removing the network and physical access to your windows boxen.

Victims of computer virii are victims of their own stupidity.

Re:IANAL

[dschuetz]

The information contained in this document is proprietary and confidential and may not be transmitted to others in any form without the express written consent of $COMPANY. If you have received this document in error, please call $NAME at $PHONE and promptly destroy all copies.

I hate that damned disclaimer. I regularly see it appened to email in mailing lists, and it's always a struggle for me not to respond to the guy that, no, I wasn't the original recipient, and he'd probably better check next time before he sends "proprietary and confidential" info to, say, the Pink Floyd mailing list.

I know that many businesses have such disclaimers automatically tacked on by a server or gateway, but that doesn't make it right. If it's legally binding, then it's legally binding for EVERY email on which it appears, in which case, it shouldn't be on the public mail forums. If they can make a case that the disclaimer doesn't apply there, then, well, why can't I make a case that it never applies?

Anyway, just a pet peeve. :)

Attachments

[rnturn]

``I have now recieved (sic) 1.1 gigabytes of sircam virus email attachments.''

And that's probably just from a half dozen attached MSWord interoffice memoes that could have conveyed the same information in, oh, about 20KB of plain text per document, right?

Can't anyone write a simple memo or office communication without using four different fonts and imbedded graphics any more? Some of the impact of things like SirCam are because of the feeling that many office workers have that their memoes won't be taken seriously unless they demonstrate their prowess in MSWord. Apparently they feel that, by not taking advantage of most of the available word processor options, their memo won't have the pizazz necessary to get their coworkers to stop leaving the empty coffee pot on the burner.

Anyway... Does anyone know whether SirCam is pulling documents out of the default document location or is it scanning the entire hard disk for `*.doc'? If it's the former -- and without having read details on how SirCam works, I'm betting this is the case -- companies can limit their exposure by making sure that employees do not keep company confidential material in the default document directory. Or better yet, prohibit those documents from being stored anywhere but on a central file server and never on someone's unsecured desktop and definitely never on a laptop. Unless the company's management doesn't care if their strategic plans were on a stolen laptop, that is.

--

Re:Attachments

[Suidae]

companies can limit their exposure by making sure that employees do not keep company confidential material in the default document directory.

Ha, as if most Office users could find any document not stored in either 'my documents' or 'c:\' ??

Re:Attachments

[smack_attack]

Does anyone know whether SirCam is pulling documents out of the default document location or is it scanning the entire hard disk for `*.doc'?

I think it bypasses the whole "search for a document" process by simply looking at the recently used list and randomly sending from there.

---

Re:Attachments

[snake_dad]

Can't anyone write a simple memo or office communication without using four different fonts and imbedded graphics any more?

I do that all the time. I fill in the to: field, add some names to the cc: field, and type the rest of the short and concise email. Clean ascii. :-)

In our company such an email actually gets read. Document-attachments are only quickly opened, first line read, last line read, and subsequently ignored.
--

Re:IANAL

[Axe]

Pink Floyd newsgroup, in your case, WAS the intended receipient, so it is legally binding indeed. Did it make sense - no, but it did not nullify this disclaimer..

Re:Confidentiality clauses

[SteveM]

Even if EVERYONE knows about it because ofa virus or a leak, anyone using it is doing so illegally and may be prosecuted for stealing trade secrets. If they delete it, no problem, if they keep it, big illegal problems.

That's fine for people who sign your contract. But what if the info is sent to someone who didn't sign your contract?

This appears to be the question being asked in this Ask /., getting info from "a lot of documents from total strangers I've never heard of before."

Steve M

Re:Confidentiality clauses

[SteveM]

Either way you slice it, there aren't any really difficult questions.

Perhaps not, but they miss the point.

The point of the original question was, if I recieve confidential info from someone I do not know because it was sent to me (in this case specifically due to a virus), are there any legal ramifications to me using or publishing that info?

I do not care what happens to the 'sender'. I don't care who was 'negligent'. I have not signed a contract dealing with this info. I do want to know what can happen to me.

Well, there's only two ways the info can be sent to someone who didn't sign the contract: ...

This is not true. Alice has signed the contract. Bob has not, nor is he the owner. Cindy has not, nor is she the owner. Alice sends it to Bob. Bob sends it to Cindy. Cindy, has received it from someone who is niether the owner nor signed the contract.

There are of course other ways that someone who is neither a contract signee nor an owner of the document can receive it from some one who is not a signee nor owner. I'll leave determining them as an exercise for the reader. (Some hints: Dave is a burglar, Ed is a publisher, Fay is a dumpster diver, ...).

Steve M

Re:IANAL either

[SteveM]

Hmmm... (standard IANAL disclaimer) ...

Chapter 119 talks about intercepting electronic communications. But in this case I did not intercept it, it was sent to me. Thus it would appear that I am a party to this communication, albeit an unintended one.

Chapter 2702 refers to service providers. I am not a service provider. So this would not seem to apply to me.

Chapter 605 reads in part: Except as authorized by chapter 119, Title 18, no person receiving, assisting in receiving, transmitting, or assisting in transmitting, any interstate or foreign communication by wire or radio shall divulge or publish the existence, contents, substance, purport, effect, or meaning thereof, except through authorized channels of transmission or reception, ... (bold added)

The information was sent to me through an authorized channel, email. So this doesn't seem to apply to me either.

It seems these laws refer to either those involved in the transmission of electronic communications or those attempting to intercept such communications. It is not clear that they apply in the case whiere I am the addressee of an email.

Perhaps some one who IAL could provide more insite.

Steve M

Re:Well....

[Col.+Klink+(retired)]

I assume from your answer that you imply that ethics would prohibit you from ever disclosing such information (regardless of the legality of said disclosure).

Let's say it's 1942 and Adolf Eichman's transcript of the Wannsee Conference is accidentally faxed to you. Since you took an ethics course, I will assume that you would not be in favor of the Final Solution. Do your ethics continue to compel you into silence?

Re:IIRC

[esper]

I believe you are correct. I've received two sircam messages, one claiming its attachment was a .doc, the other a .xls, and running strings against them made it quite clear that they were win32 executables created using Delphi or C++ Builder, not Office documents.

Re:Stupid Friends

[esper]

You forgot:

d) SirCam scans through your browser's document cache for mailto: links. Taco admins a high-traffic site, you don't.

There are other requirements for a trade secret.

[Sangui5]

Specifically, a company has to use due dilligence in preventing it from becoming public knowledge. So, if Coca-Cola leaves copies of it's secret formula lying around, they can loose their trade secret protection.

In fact, if you look in the Nolo definition, they say:

Sensible precautions include, for example, marking documents containing trade secrets "Confidential," locking trade secret materials away after business hours, maintaining computer security and limiting access to secrets to people with a reasonable need to know.

Which indicates to me that by allowing its computers to become infected with SirCam a company has not taken the necessary sensible precautions, and is fair game.

Now, you could say that some of these employees are disclosing things that they have no right to disclose, and trade secret protection still exists. However, it is the company's duty to prevent the SirCam infection, not necessarily the individual employees. It is an interesting thing to consider: does the carelessness of the company in becoming infected count as failing to properly keep their secret? I'm sure if SirCam was used as a tool to dupe a specific company into releasing specific information it would count as industrial espionage. However, at this point SirCam is something that is just out there as a general threat, and it means that if you do not take adequate precautions against it your (possible secret) information will be made available to other people.

Now, if you accidently recieve something that is clearly marked as cinfidential, it probably is still protected. But if there is no such clear marking, or if the "confidential" file is spewed all over the place, regardless of marking, I'd think that the former owner of the trade secret is SOL.

Re:How to open safely?

[MSG]

dd if=virus.doc.pif of=clean.doc bs=1 skip=137216

True, but copying byte by byte is really slow. I'd increase the block size to something like 8 or 16K to make that operation a lot faster.

Re:Excellent Question

[Silver+A]

A swimming pool is what's known as an attractive nuisance. You, as a pool owner, are required to take reasonable precautions for the safety of children who might be attracted to it. This means a gate with a lock. It doesn't have to be very secure, just secure enough that people too young to know any better won't be able to easily get in.

Should using Microsoft Outlook be considered an "attractive nuisance"?

Re:Stupid Friends.. learn to read

[josepha48]

"has sent me a lot of documents from total strangers I've never heard of before"

This has nothing to do with hsi friends being stupid. It has to do with getting email from people he does not know, that has attachments.

I got one the other day from someone I don't know. It was a word doc attachment. I'm just glad I use Linux and don't have word or anything loaded on my machine to read that crap.

I don't want a lot, I just want it all!
Flame away, I have a hose!

Re:I feel so unloved!

[ethereal]

If you're at work, do yourself a favor and don't try to bring up said web page :)

Re:Using MS products != Due dilligence

[ethereal]

When more virus creators are aware of how to make viruses to be cross-platform, then any OS will become a target. Only problem is that Windows is the majority here and the reason why it is targeted.

Well, and when it's easy for users to click on strange attachments to run them. I don't see this as being a problem in the *nix world any time soon, unless the Evolution folks add in a "feature" like that.

strange...

[timerider]

.... maybe I only know smart people...

What I got from SirCam so far:

one! single copy of the virus itself (then I upgraded my antivirus mailgate)

one! additional warning from my antivirus mailgate that the little beast tried to get in...

no! (NIL) files from other people...

Re:I havn't received one...

[Sloppy]

Sounds like you need some new friends if they don't know they're sending all that crap to you!

From what I've seen, it's not really a friends thing. I'm getting about a half-megabyte of Sircam mail per day, and none of it is from anyone that I know.

---

Using MS products != Due dilligence

[Sloppy]

If a document is stored on a computer that is known ahead of time to be virus-friendly then I think it's pretty clear that the owner/use of that computer is not exercising due dilligence in protecting that document. It's not like it's a one-time accident. Everyone should know by now, Melissa and ILoveYou were a long time ago.

People who select Microsoft products should be held accountable for the consequences of their choice. If you lose your secret due to someone else's gross carelessness, sue 'em back to the stone age. If you obtain someone else's secret due to someone's gross carelessness, well... you'll have to evaluate the situation.

---

Re:Using MS products != Due dilligence

[Blowit]

Well, this virus can hit any E-Mail software running on Windows. Not isolated to Outlook. It can be executed in Pegasus, Netscape, and other windows based software. This is because people are curious and want to see what the attachment is all about. They run it and boom they are hit with the virus.

When more virus creators are aware of how to make viruses to be cross-platform, then any OS will become a target. Only problem is that Windows is the majority here and the reason why it is targeted.

Re:Well....

[Sloppy]

Which leads to the question of how do ethics get passed on if there is no education in them?

The best ethics aren't passed on. They're derived from Game Theory.

---

Re:IANAL

[HiThere]

And if the virus were written to reverse the characters in every occurence of "without" and to rot13 every occurence of "consent"? Would that still suffice? (Of course, I'm assuming that it's a text file. Otherwise it might be too difficult for a virus.)

Or what if the virus encrypts the files that it sends, perhaps with zip or bzip? (That is certainly as secure as rot13.) Then whose rights are violated if you check on what has been sent to you?

Our current set of laws is totally lunatic. The people who wrote them should be confined in Bedlam (and be chained to the walls, as was traditional).

Caution: Now approaching the (technological) singularity.

Thanks

[HiThere]

Just what we needed :-( , another idea for a virus. And one that will appeal to some. We can only hope that it isn't successful. There are much better ways to use the bandwidth.

Caution: Now approaching the (technological) singularity.

OT: how to be a twit

[maroberts]

You're being a little inconsistent here aren't you?

On the one hand you are criticising lawyers about the 'be quiet, you peasant' attitude to everyone else discussing law, yet on the other hand when Compulawyer (who may be a lawyer or may be just out of short trousers) makes what appear to be perfectly respectable comments you are rather derogatory.

I personally post to a whole range of topics, some of which I know almost less than nothing about, but I still believe my opinion should be expressed and hopefully heard.

Re:OT: how to be a twit

[RGRistroph]

I have no problem being derogatory towards people who try to use some sort of elitist attitude.

I don't think that I'm being inconsistent, either. The ability to read law and post doesn't come with any guarantee that you won't be proved wrong, ridiculed, or even called a twit. It's happened to me.

The "meme" that we have to fight here is the insidious suggestion constantly covertly propagated (via comments like compulawyer's, and incessent IANAL'ing) that a layman can somehow be held accountable for offering legal opinions. Such a concept is so violently against the 1st admendment that it doesn't stand up when stated openly, and only survives by being constantly tacitly implied.

In fact, the idea of licensing lawyers puts restrictions on what LAWYERS can say and do, and puts no restrictions at all on the rest of us. Of course even before we came up with the idea of licensing lawyers, it was illegal to take someone's money or influence them in some way to benefit yourself by lying about what you were; it is this idea of fraud that is twisted into the idea that common people run some risk in the open discussion of legal topics.

Re:It's a lie

[blinx_]

You're either trolling or just plain wrong, it does actually send the attached documents with it. I repeat: It does send the documents.

Try and do a "strings someattacheddocument.doc.pif" if you're on a *nix box. It'll show some of the stuff in the document. Or use dd or something similar to cut the virus stuff from the doc.

Re:A related question

[Ether+Trogg]

Probably not, given that pretty much every software license I've ever read (including Microsoft's) has a clause that says something to the effect of "use this software at your own risk. We do not warrant it to function properly, etc. etc. etc."

My personal favorite license warning comes with some Java VMs, and warns you against using Java for weapons, hospital equipment, and nuclear plants. Damn, and I so wanted to operate that nuclear reactor with my web browser.

Well, you said 'IANAL'

[Gridle]

According to the lawyer types I work with, it's more or less the same as if a fax went through to the wrong number. They are prohibited from disclosing the information if there is a legal blurb on the bottom of the page or wherever that says so.

Or alike how you are prohibited from doing anything with stuff that you receive - without solicitation - to your (physical) mailbox? Wait a minute, that's not the case. Cuecat anyone?

My strong opinion is that the monetary damage that comes from a virus leaking secret documents has to be collected from either the user who was dumb enough to open the virus - or if the spreading of the virus was possible because of a bug in the operating system or software, you have all the reason to get Microsoft to pay for the damages.

The answer is always BBEdit

[Pope]

On a Mac, the answer is always BBEdit! :)

Even the free Lite version will open anything.

I'm a smug Mac user, running Eudora 4 no less, and the only thing that's been sent to me was a Windows shortcut! "blahblah.ext.lnk" or something similar.

.pif were Windows 3.1 files that ran DOS programs.

Pope

What? Bear is driving car? How can that be?!

Re:Public Domain

[Chmarr]

If you get something very interesting, I say send it to every newspaper you can find.

Which totally ignores the original author's copyright on that document or object.

I'm not adverse to you using the information you find, but you're not allowed to redistribute it. That's breach of copyright.

Re:Confidentiality clauses

[Chmarr]

Now for Bob or Alice to release any information may still be a breach, but Carl can do whatever he wants.

No, Carl can't do 'whatever he wants'. Every creation put into existance is protected by copyright, according to the Berne Convention. If the information Carl obtained is plastered with copyright notices, then Carl cannot reasonably claim that he did not know about the document being copyright, and Alice can sue Carl for compensatory damanges. Carl could use the information he obtained, and redistribute that information in a different form, as long as it was 'sufficiently different' according to copyright law.

If the document did not contain copyright information, then Alice could still get a court order to stop Carl distributing the information, but could not sue for compensatory damages as Carl had no reasonable way of ascerting copyright information for the document. Additionally, Alice would still have to prove that she is the copyright holder, which is difficult to do if the document was confidential to begin with.

Re:Even if it _is_ illegal...

[turg]

(obvious, he wouldn't write "this is a virus")

Why not? You don't think people who open up these attachments actually read click-through licenses, do you? I think the author could describe the program's true function in detail without slowing its spread.

Re:What does that say about your friends?

[turg]

Taco's got 1.1 Gigs of attachments from his friends? I must be lucky then, all my friends are smart enough not to click on files attached to emails that look dodgy!

Sircam also gets e-mail addresses from the web browser cache, so Taco's getting it from everyone who's visited slashdot in the last 20 days (or whatever their chache's limit is)

How does it spread?

[Stephen]

Can someone explain to me how this spreads? I too have got lots of emails from strangers. (Although the first one I received was from someone many Slashdotters will have heard of, which confused me for a while.) I thought the normal thing with mail worms was that they would spread to people in your address book -- but I don't suppose I'm in many of these people's address books.

Re:How does it spread?

[chompz]

It harvests email adresses from Temporary Internet Files

Just thought you might like to know why EVERY slashdot poster with a real email displayed to the world is getting hundreds of SirCAM's from slashdot users.

bsc

Re:why do people keep doing this?

[slashkitty]

Well, the legal "experts" on www.askme.com haven't even graduated from high school. I'd say this is a step up.

Re:Well....

[jslag]

Any society that doesn't teach it's ethics will only have them for a single generation.


Oh the irony... complaining about ethics, and then offering a link to OpenBSD ISO's in the .sig...

Ever try opening a sircam doc? (don't.)

[dewboy]

I'm the tech director at a small private school. Several of the faculty decided to open unexpected attachments (despite my advice to the contrary), finding that they "couldn't open the files properly." However, the virus still infected the host system and had to be cleaned. Basically, in my experience, the documents have been modified (they're .pif file extensions with the name of a local private document) and are not the actual document itself.

I havn't received one...

[cybrthng]

You guys must have some serious problems. I havn't received *ONE* nore *SEEN* one of these messages..

1 gigabytes of files? Sounds like you need some new friends if they don't know they're sending all that crap to you!

The only virus/virii i have seen is the snow white and the seven dwarves that hit all the oracle consultants on a weekly basis.. other then that, nothing.. nada..

Re:I havn't received one...

[cybrthng]

still, wouldn't joe shmoe average user realize they are sending out tons of email?? Slashdot tends to have more of a tech savy crowd then elsewhere.

I think it is kind of funny..

Re:I havn't received one...

[update()]

You guys must have some serious problems. I havn't received *ONE* nore *SEEN* one of these messages..gigabytes of files? Sounds like you need some new friends if they don't know they're sending all that crap to you!

SirCam sends mail to any addresses in your IE cache. When your address is all over a site as heavily read as Slashdot, you'll get quite a few of them. You didn't think that the readership here is really composed of Linux wizards, did you...?

Unsettling MOTD at my ISP.

Re:I havn't received one...

[WillSeattle]

You guys must have some serious problems. I havn't received *ONE* nore *SEEN* one of these messages..

All this means is that noone leaves email addressed to you in their InBox who has MSFT Exchange on an IIS machine.

Which is a fancy way of saying that none of your friends and family email you from Bad Systems.

Either that, or you're just an unpopular guy. I've had a few gig myself, had to clean them out of my various accounts so they wouldn't choke.

destroying all copies is not free!

[Mdog]

What happens if they accidentally send you a 100 page document? Not only have they cost you a lot in printing, but now you're ``oblidged'' to take time out of your day and destroy it?

I don't see how you can incur responsibilities for someone else's mistake.
God I wish slashdot had spell check.

Umm...

[TFloore]

What happens if a child finds the gun you left in your dresser and shoots himself? He'll be very very wet or hit by a paint ball.

You keep a supersoaker in your dresser?

I really don't want to know what you do in your bedroom, do I?

Re:Umm...

[loraksus]

ever put marbles in a paintball gun? Or ball bearings? Non-lethal home protection at it's finest.
Depleted uranium would also be cool, but methinks that will be problematic.

Re:Stupid Friends

[nEoN+nOoDlE]

You lucky bastard... I didn't get one freakin SirCam virus e-mail... nobody loves me and all my friends are probably dumber than CmdrTaco's and all use outlook... When these virus writers write a damn e-mail spreading virus, they better make damn sure it spreads everywhere. It prevents hurt feelings that way... It's been a sad week.

Innocent Acquisition

[SEWilco]

Yes, I believe that if a document is sent to you and you did nothing illegal to acquire it then there you have some freedom. Members of the press have numerous examples.

However, what if you sent them the virus intentionally? What if someone else from your company sent them the virus intentionally? What if someone from your company got infected and sent them the virus? What if your server sent out a virus-laden document (and thus no human action was directly involved)?

Re:Depends how ethical you are.

[alkali]

That would indeed be insider information, but it's not clear to me that it would be illegal to trade on it, because you're not an insider, and you didn't misappropriate the information. See Justice Ginsburg's opinion in U.S. v. O'Hagan (1997) (describing theory of insider trading liability).

Demanding money to keep quiet, however, is almost certainly a bad idea. See, for example, N.Y. Penal Law sec. 130.60 ("coercion in the second degree").

Re:Confidentiality clauses

[alkali]

If the contract provides that Bob will exercise "reasonable care" to keep information confidential, negligence will be the standard, but Bob might just flat out promise to keep it confidential and to be held responsible for any leaks. It depends on the contract language.

Depends how ethical you are.

[dkh2]

A truely ethical person would contact the accidental sender with the information.

However, depending on the company, and the product in question, this may be your opportunity to really score some big chash in a couple of ways.

1. Use the insider information to better your position on the stock market.
2. Send the company a letter saying something like "it will cost you $75,000.00 plus taxes for me to keep my mouth shut."

If it's Microsoft, go for option 2, set an at job that posts the information anonymously to several forums at the same time you are in the meeting to sign the ream of legal documents they will want you to sign. Purge your system logs immediately upon your return.

Code commentary is like sex.
If it's good, it's VERY good.

Re:Depends how ethical you are.

[Stephen+Samuel]

legally, you'd be trading on insider information.

Practically, it'd be pretty hard for them to tell the difference between this one trade on hot info, and lucky timing. It'd be even harder for them to prove it, unless they got sircamed your document that detailed plans for exploiting the insider info.

At that point they'd find themselves dealing with the same ethical question...
--

Re:Depends how ethical you are.

[jallen02]

Reply To Sig: Bad commnets in code are MUCH worse than nothing. They can be misleading and you shouldnt comment unless its an effecient comment that is clear and doesnt simply echo what a line of code is doing. A comment should summarize and give a general idea. You shouldnt comment tricky code you should rewrite it ;)

Jeremy

Re:Depends how ethical you are.

[hearingaid]

it depends on your ethical system.

Here's a conundrum:

• you have received a SirCam document;
• you have opened this document;
• you have access to major popular media and could publicize the contents of this document anonymously;
• the document details illegal conduct that caused some pretty major harm to a number of people;
• the sender of this document is not responsible for any of the crimes that you have found documentation for;
• you cannot contact the sender safely; and
• the sender may be in danger if you publish the document.

what would you do?

just trying to say, it might be more complicated than just trade secrets. trade secrets, I'd publish them and be done with it. they're just a form of anti-competitive conduct anyway.

Re:Depends how ethical you are.

[mfkap]

Well, both are good ways to get arrested.

With #1, securities law prohibits trading based on insider information, and it doesn't matter if you yourself are an insider or not.

With #2, it is called extortion, blackmail, etc... and if you give them enough information to get you the money they will have enough information to catch you.

mfkap

Re:Depends how ethical you are.

[Registered+Coward+v2]

option 1 puts you afoul of securities laws. Just because you are not a company "insider" doesn't mena you can't be guilty of trading on inside information.

Re:Yet Another Outlook Virus

[Wonko42]

Too bad SirCam isn't an Outlook virus. It's an executable, smarty-pants.

No change

[ajakk]

IANAL, but the general rule is that precautions must be taken to perserve secrecy. There are two types of precautions: security and confidentiality. In one court case, the judge did not remove the trade secret status of documents even though the plant they were in had no guards, security systems, or locked storage. I would doubt that a judge would say that the lack of an effective virus scanner is lax security. The confidentiality precaution can be met if the document is marked confidential or secret.

In another case,however , a company sold an old computer with confidential data encrypted on it. They forgot to erase the harddrive. The person who bought the computer found out the password from a previous employee, and got to the information. The judge ruled that they forfeited protection by not erasing it.

Re:Hotmail deleted all my mail because of this vir

[jonathan_ingram]

... so how would you spell 'whinge'? 'winge' isn't right. Or do you think that 'whinge' is an alternate spelling of 'whine' (which it isn't)?

Re:IANAL

[jonathan_ingram]

There was also a competition on The Register a while back to find the stupidest email disclaimers used by their readers. My favorite, and the winner for the longest email disclaimer, is this one:

This report has been prepared by the division, group, subsidiary or affiliate of UBS AG ("UBS") identified herein. In certain countries UBS AG is referred to as UBS SA, which is a translation of UBS AG, its registered legal name. UBS Warburg is a business group of UBS AG. This report is for distribution only under such circumstances as may be permitted by applicable law, including the following: This report has no regard to the specific investment objectives, financial situation or particular needs of any specific recipient. The report is published solely for informational purposes and is not to be construed as a solicitation or an offer to buy or sell any securities or related financial instruments. The securities described herein may not be eligible for sale in all jurisdictions or to certain categories of investors. The report is based on information obtained from sources believed to be reliable but is not guaranteed as being accurate, nor is it a complete statement or summary of the securities, marketsor developments referred to in the report. The report should not be regarded by recipients as a substitute for the exercise of their own judgement. Any opinions expressed in this report are subject to change without notice and UBS is not under any obligation to update or keep current the information contained herein. UBS and/or its directors, officers and employees may have or have had interests or long or short positions in, and may at any time make purchases and/or sales as principal or agent, or UBS may act or have acted as market-maker in the relevant securities or related financial instruments discussed in this report. Furthermore, UBS may have or have had a relationship with or may provide or has provided corporate finance, capital markets and/or other financial services to the relevant companies. Employees of UBS may serve or have served as officers or directors of the relevant companies. UBS may rely on information barriers, such as "Chinese Walls," to control the flow of information contained in one or more areas within UBS, into other areas, units, divisions, groups, or affiliates of UBS.

Options, derivative products and futures are not suitable for all investors, and trading in these instruments is considered risky. Past performance is not necessarily indicative of future results. Foreign currency rates of exchange may adversely affect the value, price or income of any security or related instrument mentioned in this report. Clients wishing to effect transactions should contact their local sales representative. UBS accepts no liability whatsoever for any loss or damage of any kind arising out of the use of all or any part of this report. Additional information will be made available upon request.

EEA: This report has been issued by UBS Warburg Ltd., regulated in the UK by the Securities and Futures Authority. In the UK this report is for distribution to persons who are not UK private customers. Customers should approach the analyst(s) named on the cover regarding the contents of this report. For investment advice, trade execution or any other queries, customers should contact their London representative. Switzerland: This report is being distributed in Switzerland by UBS AG. Italy: Should persons receiving this research in Italy require additional information or wish to effect transactions in the relevant securities, they should contact either Giubergia UBS Warburg SIM SpA, an associate of UBS SA, in Milan or UBS Warburg (Italia) SIM SpA, a subsidiary of UBS SA, in Milan or its London or Lugano Branch. South Africa: UBS Warburg Securities (South Africa) (Pty) Ltd. (incorporating J.D. Anderson & Co.) is a member of the JSE Securities Exchange SA. United States: This report is being distributed to US persons by either UBS Warburg LLC or by UBS PaineWebber Inc., subsidiaries of UBS AG; or (ii) by a division, group, subsidiary or affiliate of UBS AG, that is not registered as a US broker-dealer (a "non-US affiliate"), to major US institutional investors only. UBS Warburg LLC or UBS PaineWebber Inc. accepts responsibility for the content of a report prepared by another non-US affiliate when distributed to US persons by UBS Warburg LLC or UBS PaineWebber Inc. All transactions by a US person in the securities mentioned in this report must be effected through UBS Warburg LLC or UBS PaineWebber Inc., and not through a non-US affiliate. Canada: This report is being distributed by UBS Bunting Warburg Inc., a subsidiary of UBS AG and a member of the principal Canadian stock exchanges & CIPF. A statement of its financial condition and a list of its directors and senior officers will be provided upon request. Singapore: This report is being distributed in Singapore by UBS Warburg Pte. Ltd. Hong Kong: This report is being distributed in Hong Kong to investors who fall within section 3(1) of the Securities Ordinance (Cap 333) by UBS Warburg Asia Limited. Japan: This report is being distributed in Japan by UBS Warburg (Japan) Limited to institutional investors only. Australia: This report is being distributed in Australia by UBS Warburg Australia Limited in relation to fixed income securities, and UBS Warburg Australia Equities Limited in relation to equity securities. New Zealand: This report is being distributed in New Zealand by UBS Warburg New Zealand Ltd in relation to fixed income securities and UBS Warburg New Zealand Equities Ltd in relation to equity securities.

+ 2001. All rights reserved. No part of this report may be reproduced or distributed in any manner without the written permission of UBS. UBS specifically prohibits the re-distribution of this report, via the Internet or otherwise, and accepts no liability whatsoever for the actions of third parties in this respect.

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments.

Re:encryption

[displaytest]

If you hadn't noticed, the president and vice-president always travel on separate planes. A real-life example of redundancy, although I'm not sure it was completely fail-safe from 1989-1992.

I was having fun with this.

[Restil]

Too bad the virus seems to have been patched up. I'm not getting sent random files anymore :( But it was rather fun reading through the crap that people store on their harddisks. I just wish I got something more interesting. All I got was a bunch of word files containing poetry and a newsletter for some club. I can see some REAL potential fun with this though if more interesting files were sent.

Since we're currently discussing the legality of this, someone who's brave enough should set up a repository for files we've received and who we received them from, with cross reference links, etc. If someone was infected, theres a good chance that a large quantity of the data stored on his harddisk is available to the internet at large. If all this information was displayed publicly (LEGALLY even), what a nice incentive to switch to a less virus prone operating system.

-Restil

Re:I was having fun with this.

[archen]

actually I sort of already posted a lot of what I've gotten. Well I didn't post the content, or the mail addresses, but I did sort of post summaries of what I recieved. And no I am NOT in anyones addressbook, I just happen to have the misfortune of having a webpage which people visited with this virus around.

I wrote a simple perl script to take out the junk. Basically

read(FILE, $buffer, 137216);

then print the rest of the file to a new file. I guess I never thought much about the ethics, I more or less considered it compensation for the stupidity of those who got it and sent it to me. Well I never got anything too comprimising, but it's interesting to see what "normal" people put on their computers.

Re:Hotmail deleted all my mail because of this vir

[Vryl]

Thanks, Microsoft!

Jesus, you are an ungrateful son of a bitch, aren't you?

HOTMAIL IS FREE!

Go whinge to your ISP about the email address you actually pay for, or shut the hell up.

Re:Hotmail deleted all my mail because of this vir

[Vryl]

Fuck, you're a twit, Axel.

Has anyone ever paid any money whatsoever to Microsoft for using Hotmail?

(clue: no)

Hotmail is free, fuckwit. My point stands. You have paid them nothing, no transaction took place, they are not obligated to you.

Like I said, people who whinge about free services really should go and pay for something that can be contractually bound.

Re:IANAL

[jmauro]

Even then, how often would the message be attached to incoming mail? SirCam has it's own MailServer embedded within it. Unless the firewall is attaching it to all outgoing mail, then it would never even see the light of day.

Re:Excellent Question

[SpinyNorman]

That's a bogus argument if there ever was one!

Most criminals are enticed by what they go after.

But, hey this is America, so naturally we can't hold the criminals accountable - after all, we don't hold anybody accountable for their own stupidity or bad luck - just find someone standing close by to sue.

:-(

Re:Excellent Question

[SpinyNorman]

I think that real-world analogies are a good way to determine the proper way to treat a cybercrime, but unfortunately some of the real world laws are rather loopy.

For example, if the neighbors kid trespasses onto your property and drowns in your pool, then YOU are to blame (in NY/CT).

Re:Excellent Question

[SpinyNorman]

If I've invited someone to my home, then IMO it's only reasonable if I'm liable for any accident they have have if it's a result of gross negligence on my behalf or failure to warn them of some non-obvious danger. However, if someone slips on ice on my property, then I can't see how you can reasonably claim that to be my fault - if the weather is icy then YOU take care (similarly if coffee is hot at McDonalds YOU should take care).

American law seems to assume by default that you can sue someone if you have an accident on their property, or using their product, regardless of whether this was a result of negligence on your behalf or whether it was simply bad luck or stupidity on their part. Only in America does a metal ladder need a warning against resting it against power lines - in the rest of the world people know better, and accept the consequnces if they fuck up - their reaction would be "I can't believe I was so stupid!", not "Who can I sue for this?...".

Re:How to open safely?

[Snowfox]

I'm interested in seeing what all these idiots are sending me (call me nosy; I also look at car wrecks when I drive by). What's the safest way to open these attachments on a Windows 98 machine that is not running Outlook?

Save the file on your harddisk, then remove the first 137216 bytes. You need a hex editor to do that.

Only in the World of Windows would adding 137kilo-bloat to a word processor document be considered "stealthy."

i don't know legally...

[zook]

I have no idea what the legal answer is, but it seems to me that morally it comes down to whether you believe it's the fault of the person who sent it, or the person who wrote Sircam.

If you blame the Sircam author, then it seems akin to publishing documents that have been stolen from a company.

If you blame the sender, then it comes down to publishig documents that they've already released, albeit accidently.

Personally, my reaction would be different in each case.

Re:It's a lie

[penguinboy]

It does indeed send documents - they're just embedded in the attachment. Running one I got through 'strings' showed that one particular document contained the sender's name, address, phone number, and social security number.

Re:Well....

[Grand+Facade]

wadaya expect from a marketing major?

Re:Well....

[gorilla]

Ethics don't last as long as a single generation anyway. They're always changing, always evolving.

Re:If you really want to get nosy

[Xenna]

Yesterday I tried entering:

confidential

In google, and guess what it came up with? A 'secret' directory on said company's web-site with a few dozen docs marked Confidential.

Pretty smart guys...

Regards,
Xenna

Re:Confidentiality clauses

[Greg+Lindahl]

Bzzt. Carl is limited in what he can do, because he doesn't own the copyright to the document. So no, he can't publish it without violating that copyright. But copyright won't prevent him from showing it to other people, or publishing a fair use subset of the document.

Maybe 'informed consent,' not 'consideration'

[coyote-san]

The word he's looking for is NOT 'consideration' or 'quid pro quo'. That's something very different - the idea that all contracts must offer something of value to all parties. It may only be "$1 and other considerations," but there has to be *something*.

As a counterexample, the Microsoft tax arguably violates that since I'm forced to pay for a software license of absolutely zero value to me, a software license that I can't even transfer to another party due to their "OEM license vs. retail license" provisions. I'm out hard cash, and have nothing of value (to me) for it. But it's a large corporation that's able to *ahem* make its own law.

What the original poster was refering to is closer to "informed consent," but even that isn't quite right.

Credit cards

[coyote-san]

Many years ago, banks actually sent out unsolicited credit cards.

Not pre-approved credit card offers, actual working credit cards.

Some people used them, charging to the max. Then refused to make any payment, daring the bank to collect. The banks tried, but failed since 1) the consumer never signed any contracts and 2) the bank had no reasonable expectation that every credit card would be properly delivered and not stolen from an unlocked mailbox.

Ironically, it was the people who refused to make any payments who got away with this. Make any payment, even a dollar, and you clearly indicated agreement to repay the charges.

Re:Credit cards

[coyote-san]

Just why do you think every receipt now includes that legalese?!

BIG HINT: It was because the banks had to take a big hit once because they approved charges even though the customer had signed nothing promising repayment. Because they got unsolicited credit cards and the credit card slips at that time didn't include that contract.

As for the cite, try checking damn near any undergraduate business law book. Audacity magazine also covered it. It all went down when Mastercharge (which later became Mastercard) (iirc) tried to take the relatively limit-use general credit card introduced by Diner's Card in the 50s to the mass market. All of this happened in the late 1960s.

It was a major case because it actually covered *anything* you received without solicitation. Charities used to send you token gifts (e.g. ties), then try to guilt you into donations. No more. Sleazy companies would "accidently" send you stuff, stuff it was cheaper to pay for than ship back. No more - they can demand it back, but they have to pay for shipping.

(BTW, a general cluestick: most of the "new" problems faced by the internet today are little different than those encountered repeatedly during the past 100 years. The only difference is that companies are trying - and often succeeding - to rewrite the rules because so many people have forgotten the hard-earned lessons in the past.)

Re:Credit cards

[clare-ents]

"
Indeed he did! Every time he made a purchase he signed a contract, parties to which include the merchant, the bank, and the purchaser. You agree to pay when you make the purchase. If the merchant doesn't get this agreement, it's his fault and he should take the loss.
"

When you sign the piece of paper to buy something you say

"
I $name authorize $bank to transfer $funds out of $account to pay for these goods.
"

what you haven't agreed is to pay the bank.

Re:Credit cards

[hearingaid]

you fail to understand.

when you make a purchase, you effect a contract between yourself and the vendor. if you charge the purchase, you are saying to the vendor "I will not pay you; this other person will." if the other person does not pay up, you have violated your contract with the vendor, yes.

normally, third parties will only guarantee to cover your payments for one of two reasons:

1. they like you (hey gigolo);
2. you have a business relationship with them.

the banks wanted to setup reason #2 with the card-holders. the problem with reason #2 is that it normally requires the entering into of a contract, between the card-holder and the bank. unfortunately, in these old cases, the banks failed to actually complete the formalities of a contract. so their card-holders decided to treat the banks as gigolos.

big deal. the banks know better now.

Re:Confidentiality clauses

[csbruce]

You cannot forward a document to a stranger and then legally bind that stranger to behave according to the content of that document. Not in the USA.

At least not without a click button...

Re:Stupid Friends

[BAKup]

Well, I know some people who use Eudora, and *they* got it. All you need to do is be stupid and open the attachment, and it'll infect and send messages to everyone anyways, it doesn't *need* the outlook/oexpress address book. So for once, it's not an outlook issue.

Re:There's no more privacy on windows

[BAKup]

He probally used ZoneAlarm, which will lets you block programs from accessing the internet while letting other programs work normally. It's a very good way to do it, but it just takes one lapse to screw everything up.

Re:why do people keep doing this?

[Thalia]

Yes, there are secret lawyers on Slashdot. Really.

I do agree that posing these questions to Slashdot in general is rather silly. I've attempted once to volunteer to provide a "not a legal opinion" opinion on legal questions (specifically intellectual property, since that's my area of expertise)... but I never got a response. I think in general Slashdot prefers inane rants to reasoned opinions.

Thalia

Oh, in case you were wondering, you should delete the files that SirCam sent to you. You can be held liable for disclosing a trade secret. Odds are, however, that no jury would convict you. Still, it's an expensive/painful process, so unless the information is valuable enough that you're willing to risk jail time, just delete it all.

Re:Encrypted polymorphic viruses and the DMCA

[JimDabell]

AFAIK, viruses are still legal. It's only the use of them which is illegal.

A related question

[Hal-9001]

Can Microsoft be accountable for damage done by the Sircam virus (e.g. libel, industrial espionage)? Might give them an incentive to patch those security holes rather than release them to the public...

Re:How to open safely?

[Hal-9001]

Unplug the modem/NIC...

Re:How to open safely?

[Hal-9001]

And the worm will go where?

pif and com files

[wiredog]

IIRC, pif files are text, emacs should handle it. Com files are executables, you'll need a disassembler AND emacs to view them.

Re:IIRC

[Reziac]

The ones I've received appear to be the virus executable prepended to a document. One that I got appears to be a M$Project file. Friend got one that apparently started life as a payroll spreadsheet. Since he's unemployed, I suggested that he add himself to the payroll and send it back. :)

Re:Excellent Question

[emac]

An older woman used to dry her puddel in the oven. One day she decided to go high-tech and bought herself a microwave. "Since food gets quicker done in the [microwave] oven", she thought, "why not dry my puddel in there too".

Acutally, it's spelled poodle. Not to be confused with a puddle, which is what the poodle probably melted into during microwaving.
--

Attention Rob!

[nakaduct]

I have now recieved 1.1 gigabytes of sircam virus email attachments.

It's the twenty-first century; you no longer need to italicize the word "gigabytes". In related news, you also needn't follow its use with a parenthetical "one thousand megabytes!"

Re:Attention Rob!

[Phork]

umm, no, try 1024 megabytes.

Re:Attention Rob!

[snake_dad]

eleven hundred megabytes :-)
--

Re:IANAL

[M-G]

In Robichaux's book Managing Microsoft Exchange Server, he has a little section devoted to e-mail disclaimer messages:

"Most of the people I see asking about this work for either financial services firms (including brokerage houses and investment bankers) or law firms. Draw your own conclusions."
...
"A better solution might be to ask whether having a disclaimer like this really buys you anything. The preceding example says that email is confidential, which it normally isn't, and that you can't rely on it. Does adding a 2KB block of meaningless boilerplate text to every outgoing message actually accomplish anything productive?"

Re:Confidentiality clauses

[Simon+Brooke]

In contracts I am writing up at the moment, there are standard confidentiality clauses. This means, that for anyone to be released from a confidentiality clause, then teh information has to be legally published. Even if EVERYONE knows about it because ofa virus or a leak, anyone using it is doing so illegally and may be prosecuted for stealing trade secrets.

And I am writing contracts which say 'all your base are belong to us'.

You can write 'em how you like. Just don't expect a court to enforce 'em.

Now that documents can distribute themselves

[drivers]

Now that [MS] documents can distribute themselves automatically, can we finally truely say that "information wants to be free" ?

Re:Hotmail deleted all my mail because of this vir

[greenrd]

If your e-mail quota are filling up, they should simply refuse to accept more mail, not delete old stuff.

Uh, that is a denial of service attack. I don't particularly care if they delete mail I haven't bothered to file or save - I do care if they start preventing mail getting to me!

Re:IANAL either

[anticypher]

But I am an FCC engineer. FCC engineers are required to know the relevant laws. From time to time, these questions pop up for international companies wanting to do business in the states and europe. The CISSP also requires knowledge of the legal aspects of sysadmin or security personel who may receive electronic communications not intended for them.

The relevant parts of US Federal Law are contained under the Code of Federal Regulations, also known as the U.S. Code, part 47 covers telecoms and the FCC and part 18 is criminal laws and punishments

18 USC 119 bars the disclosure of any electronic communications to which you are not a party

18 USC 2702 defines the criminal act of disclosing intercepted communications

47 USC 605 (the Communications Act of 1934) also bans the disclosure or use of third-party communications.

There are similar laws here in Europe, but I can't find any of those bookmarks. If anyone is interested, google yourself.

the AC

Archiving "proprietary" emails sent to public list

[devphil]

The GCC development lists get this kind of thing a lot. Occasionally someone will suggest blocking emails originating from these kinds of auto-appended, shit-fer-brains mail servers. The idea seems to be gaining more and more support, especially considering that everything sent to the lists is archived forever.

The trick of course is to filter (and bounce with a helpful note) such messages /before/ distributing them.

Hmmmm... on a related note, many of the *-bug@gnu.org mailing lists have all kinds of crap stored in their archive, because RMS forbids the gnu.org admins to do any kind of spam filtering on the lists. (Go check out, say, the archives for gdb-bug.) The main lists at @gcc.gnu.org are filtered, but the ones at @gnu.org are not. If some proprietary information is sent to one of those @gnu.org lists, they could be in trouble.

Re:So what have you guys gotten?

[British]

I'm gonna ask again. Has someone setup a website of received documents(non-confidential or what not) via the virus? There's gotta be some juicy stuff from a Senator or something.

Re: A Better Question is...

[LinuxHam]

I have yet to receive a *single* piece of Sircam-inspired email. I can see over a gig coming in at some poor bastard's company that runs Outlook. Imagine your entire company's roster being in your Outlook address book? Jee-zus. My sister got well over 300 copies of ILOVEYOU and my Mom's company got slammed so bad they turned off the Exchange servers for 2 days. I got 3 copies of that one, and 1 copy of PrettyPark.exe.

Hey, maybe my circle-of-friends really is that much smarter. Cool.
--
Steve Jackson

Re:An analogy...

[TheTomcat]

those are both flawed.

When the jewelery is sent/stolen from the store, then there is no longer jewelery at the store.

Maybe if the thief made COPIES of the jewelery and sent the copies.... ?

Re:Public Domain

[Tackhead]

> Frankly, I don't see the difference between leaving an unencrypted document on a computer, and leaving an unshredded document in a trash can, or sending an unencoded message over radio. It up to the author and the intended recipient to keep things secure if they don't want their secrets to get out.

I think you're right, except I strongly dispute your use of the words "Public Domain" in the Subject: headers

If the document contains "company confidential" information, such as a trade secret like the formula for Coke, you may argue that you obtained it legally, because the sender, umm, sent it to you, even if not knowingly, and you may be free to republish that trade secret. (Interesting aside -- the Berne convention may well protect, by default, all such documents. You may be free to transcribe the trade secret in your own words, but republishing coke_formula.doc would be in violation of Coke, Inc's copyright over the "work" of its employee, even if the "work" was just a company internal memo.)

If it's material nonpublic information ("insider information") on a company, the instant you read it, you become an insider under SEC regulations. Any gains you make while trading based on this information are illegal, and the SEC can (and should) come down on you like a ton of bricks.

If it's classified information (i.e. in the .gov sense of the word, not the corporate sense of the word), you have a legal obligation not to disseminate it, you probably have a legal obligation to stop reading when you discover that it's classified, and you may even have a legal obligation to delete it (and to delete it as securely as you can), once you've stopped reading it.

Which leaves open an interesting question for you .mil and .spooky types out there -- while recipients are clearly "better off" (in the sense of "less risk to themselves from pissing off three-letter agencies by exposing their pointy-haired-bosses as clueless") by just deleting it (albeit securely), do recipients have any obligation to report the leak, and if so, to whom should it be reported? (The Catch-22 is that if you don't have clearance for the information, you probably don't have clearance to know to whom you can report it without further compromising security! Do you just put on your Groucho Marx glasses, run to the nearest U.S. embassy, and frisbee the disc over the wall? :-)

All three SirCam risks ("company confidential", "insider information", and "classified") extend to more than just today's virus/worm, BTW. Just about anyone buying a used computer or laptop runs the risk that the machine was improperly wiped, and that they may come into posession of information they wouldn't (and shouldn't) ordinarily have access to.

Re:How do you prove it?

[Tackhead]

> What if I want to send internal documents to a competitor, or some other outside source. Could I claim immunity if I could "fake" the virus? Or rather, could I get the virus then purposely send an outsider a document and claim it was due to the virus? Or better yet, ensure that you get the virus, and that the only thing it can find to send is a series of very specific documents you WANT leaked?

In a previous Slashdot post, I was in a very paranoid mood, and I speculated that this is precisely what the author of SirCam intended.

I'm reserving judgement on whether I was "being too paranoid" or "not being paranoid enough" until we find the author.

Re:Well....

[Tackhead]

> Taking a course in ethics only requires you to know about them (and not even that if you don't care to get particularly good marks.) It does not require you to actually believe them, much less act according to them.

Obvious T-shirt fodder:

"My Ethics prof was so convinced he was doing a good job, that he didn't monitor the final exam, which made it real easy for me to get an 'A' in the course by cheating!"

Re:Confidentiality clauses

[jovlinger]

yes.
arguably, bob has been negligent in letting his computer be infected. A very clear analogy is Bob keeping the confidential documents in a physically insecure place, where a casual visitor can easily read them.

It is then up to the courts to decide to which extent Bob has been negligent. Has he been negligent in running an OS which is known to have many security holes? Is he responisble for keeping it secure?

Guru Bruce Schneier predicts that computer security will only become a concern for people like bob when their insurance premiums and legal risk of prosecution hurt them where it counts.

This is a commonly recurring theme on comp.risks (well recommended for friday afternoon reading).

Exactly! How could they possibly prosecute?

[Myself]

I'd love to hear what the lawyers say to this one.

Click through licenses on virii/DDoS

[Myself]

This topic came up at our local 2600 meeting last month. How about a handy little program that says, buried in the EULA somewhere, that the user is solely responsible for traffic generated by his machine. Then the program turns out the be the zombie for a massive DDoS, and once everyone's installed it, it turns around and nukes someone.

Better yet, mail checks to universities that say "by depositing this check, you agree that it constitutes total payment for any information technology and computing resources that the issuer(s) may use, and you grant license to the issuer(s) to use said resources for whatever purpose they see fit". Cut a few thousand checks for $1 each, then go root whoever cashes them. AT&T, eat your heart out.

Re:Click through licenses on virii/DDoS

[bentini]

Nobody cashes checks that small. It's just a bad idea, because of what you propose.

Re:How about an mp3-spreading virus?

[Myself]

The more I think about this, the more I like it. My musical tastes are pretty broad already, but they could be a lot broader. I could set up an email address just for this, then I'd post my address on some list of "victims", and we'd all put each other in our Outlook address books.

How about an mp3-spreading virus?

[Myself]

It searches your drive for files with "metallica" and "mp3" in the name, then emails them everywhere :)

Can you imagine a beow*LART* okay, I guess not.

Re:How about an mp3-spreading virus?

[hivolt]

Ah, but then running said virus (even unintentionally) would be copyright infringement.

Re:Hotmail deleted all my mail because of this vir

[JFMulder]

Come on, msot of you people will always be whining every time something you don't like happens and Microsoft is in whole or part involved. What do you want Microsoft to do? Delete your old messages because you are receiving new ones, or keep the old ones and flush the new ones, which might contain an important e-mail. I can't believe this post is taken seriously.

"The answer to the Question of Life, the Universe and Everything is... 42"

Re:Stupid Friends

[MikeBabcock]

None of the sircam messages I've received are from people I remember ever corresponding with. A number of them are sent to auto-collected (spam-bot) E-mail addresses I leave trailing around to see how long it takes for them to get picked up.

Re:Intentional espionage?

[MikeBabcock]

Odd supposition ... since the hard-coded addresses seem to be the Whitehouse and Pentagon ... but wait ... ;-)

Re:Intentional espionage?

[MikeBabcock]

Although I was confusing the addresses with Code Red, I wouldn't think it difficult to produce a worm that appeared to mail random documents while scanning for keywords and E-mail specific documents to specific people on purpose as well.

Ethically, or Legally?

[michael_cain]

Ethically, it's a no-brainer. They're trade secrets, they were revealed to you by accident, so forget that you ever saw them.

Legally (IANAL but I spend too much time talking to them), the company that owns the trade secrets is obligated to take reasonable precautions to protect them, or they lose their status. For example, if you leave documents laying around in public places, they are probably no longer legally secrets. Given Outlook's history, I am not sure that storing the documents on a machine with Outlook loaded meets the test of a reasonable precaution. It would be an interesting case to argue, especially if copies were delivered to dozens of people...

Must take reasonable care...

[q2k]

I sign a lot of non-disclosure agreements and there is always a clause along the lines of "must take reasonable care to prevent accidental disclosure blah blah blah..." Appropriate virus protection seems like it would be covered under reasonable care so failure to block the virus could make you liable for releasing the information under an NDA, I think. If the document were clearly and obviously confidential I suspect the receiver could be liable for damages if they took some active part in disseminating the document. Just receiving it and deleting it should be safe.

However, IANAL.

Re:Well....

[medcalf]

My ethics compel me to patent the fax machine, and quickly.

Re:There's no more privacy on windows

[telemnar]

It's a windows box. Things like ipchains don't exist there.

Chances are it was ZoneAlarm, which seems to be one of the more popular personal firewalls... (it's free, go figure) This one blocks things on the application level, not port or service type.

So the alert the kid saw was something along the lines of "....doc.exe is trying to access the internet." then a choice to allow or deny it. So, actually, yes, it probably did require some actual ignorance on the part of whoever allowed it.

And by the way, 25 is just the default service port. The client port could be anything from 1024 to 65535.

Re:this would include--you?

[aallan]

The US has a representative government and laws are by the people and for the people. Non-lawyers must discuss these matters and try to come to terms with them, because ultimately we all decide on what laws we want to be governed by.

Hello? This is the rest of the world! Hello? *jumps up and down frantically waving* There are a considerable number of people that don't live within the boundaries of the USA, some of them even read Slashdot.

Al.
--

Forget trade secrets, what about DMCA

[bwt]

Sircam is a circumvention device that clearly is aimed at violating technological protection measures (your computer's filesystem secutiry) that control access to copyrighted works and that facilitate copyright infringement (unauthorized sending of files is copyright infringement).

The DMCA text bans distribution with no reference to whether this is knowing or intentional.

I would therefore argue that all victims of Sircam have violated the DMCA by sending the circumvention device in their outgoing mail.

Moreover, anyone who uses the TPM in question (Microsoft OS) and stores copyrighted documents (anything you author is copyrighted) in their "My Documents" folder has a cause of action.

As for trade secrets, misappropriation only occurs when the transfer occurs in violation of a duty of confidentiality. Since the receipiant did not aide and abet or even encourage the document's transfer, I don't see any way to attach such a duty to them. Additionally, since the document in question is essentially an attack, the doctrine of unclean hands should prevent the upstream party from suing the downstream party for what is essentially the upstream party's negligence. The virus author did misappropriate the trade secrets since there is a duty not to break into computers.

Re:Confidentiality clauses

[bradleyjg]

"If you want to use the copyrighted works, you have to abide by the license of the copyright holder. You have no inherent, natural, or legal right to use a copyrighted work, simply because you think you paid an appropriate price for it."

Leaving aside legal rights, that there is no inherent or natural right to use a copyrighted work is far from clear. In the state of nature (hence natural rights) real property rights exist - I clearly have a claim to my moccasins and if you take them I have a legitimate complaint. On the other hand if we are sitting around a fire, and you tell a story there is no presumption that I won't retell the story. Even if you ask me not to retell the story, there is no clear obligation on my part not to do so.
Intellectual property is a creature of law; its purpose is "To promote the progress of science and useful arts."
That being said we are not a state of nature, so natural and inherent rights are less important than legal rights.
Whether or not a copyright holder can bind the purchaser to arbitrary contract terms disclosed after the sale (especially when dealing with software which is generally not returnable) is a separate issue.

Nature of trade secrets

[Bullschmidt]

I'm almost positive trade secrets have little protection under law, by their very nature. If they are to be protected, they can't be secret. The real question here is not "what can I do with a trade secret I have," but rather, "did I break any laws to get it?"

Trade secrets have been exploited many times, since the information is not patented/copywrited. In this case, as far as I can tell, you did nothing illegal by receiving this data without ever requesting it. In fact, you could argue you received it unwillingly.

Re:Nature of trade secrets

[budgenator]

IANAL but I was lead to understand that if a TS falls into your hands, its yours to use. If you compensate some one to drop it into your hands, you've done a no-no. Of course now matter how you got it, your lawyer might have to explain to Mega-Corp's very large and bored legal DEPARTMENT, in court how you got it ect all at $300.00 an hour.

Re: A Better Question is...

[Stonehand]

One trick that SirCam pulls is scanning not only the Outlook addressbook, but also the web pages cached of certain browsers (don't recall which ones). If a /. reader gets infected, well, it'll send mail to quite a few /.ers who don't munge their addresses. I'm pretty sure that accounts for a lot of the SirCam mail I've gotten, certainly from the stranger places such as the RAND think-tank and various places in Mexico.

Re:Well

[plague3106]

Sorry, but if something enters my mail box, accident or not, its mine. The person sending the email needs to take care that they don't get the address wrong; likewise, it is their responsibility not to run programs that could send mail on their behalf.

Re:Hotmail deleted all my mail because of this vir

[jhoffoss]

Serves ya right for using hotmail for critical communications!

(Yes, I know the address next to my name is @hotmail.com, but I've never once received a message that wasn't SPAM or a one-time registration info message.)
---

Re:IANAL

[BlueUnderwear]

> Several of the companies I've worked for are trying to require users to have a .sig that automatically attaches the legal blurb to every email. I doubt they intended for it to prevent the loss of proprietary information due to viruses, but it's a nice side benefit. ;-)

Moreover, the sig would not even appear on the viral mails. Sircam doesn't use any mail client to send itself to its recipients; it connects directly to port 25 of the mail server. Outlook (if installed) is only used as one among several sources of addresses. The only thing that would work is a blurb appended by the server, rather than a plain old client signature.

Re:IANAL

[BlueUnderwear]

No, it has its own mail client attached. It still needs to talk to a server to get the mail delivered. Think about it.

It could however go directly to the recipient's server. However, that possibility is blockable by a firewall, which would block all port 25 traffic except from/to the company's mail server.

Re:1.1 GB

[ahodgson]

I've seen people send single messages that were > 500MB. Besides, ISP's know that Sircam is out there.

Inadvertent Disclosure Doesn't Kill Trade Secrecy

[dilute]

The Uniform Trade Secrets Act (adopted in the majority of states), says that if you acquire information by accident or mistake, and have reason to know it is a trade secret (e.g., because of a confidentiality legend, or even just because the information *looks* like the type of information that is usually confidential), then a legal duty of confidentiality may attach. This principle can apply to misdirected emails, faxes, things falling off of trucks, whatever. The same principle also applies as a matter of "common law" in most of those states that have not adopted the UTSA.

So, no, virus-spread documents cannot be considered liberated from trade secret restrictions, simply because they are zipping around uncontrolled on the Net as a result of the virus. But you would have to know the actual circumstances and contents in order to decide in any given situation if at the end of the day trade secrecy really applied.

Re:IANAL

[staplin]

Several of the companies I've worked for are trying to require users to have a .sig that automatically attaches the legal blurb to every email. I doubt they intended for it to prevent the loss of proprietary information due to viruses, but it's a nice side benefit. ;-)

However, I've always tried to fight this "requirement" for all email. Sure, it makes sense if I'm actually attaching a document that could have IP or whatnot, but if I'm sending an email that says "Hey, let's go for beers after work" I really hate having a legal disclaimer attached to it. Especially when the disclaimer is longer than the message.

IIRC

[Lxy]

There's a miconception about Sircam. My memory tells me that Sircam DOES NOT send documents. It uses a file name from a document and sends itself using that file name. For instance if I have company_secrets.doc and I get Sircam, it will send out the Sircam executable NAMED company_secrets.doc, but the actual attachment will not contain any text from the true .doc file.

Then again, if a user with company_secrets.doc on his PC is dumb enough to open an infected attachment he deserves what he gets.

Re:IIRC

[jmorzins]

The parent post said: My memory tells me that Sircam DOES NOT send documents.

Your memory is telling you incorrect things. Sircam DOES send documents. In fact, this helps lure the user into a sense of complacency. Double click on the "GeForce2.doc.pif" file (whose .pif extension is never visible in Window's file browser), and MSWord opens up the GeForce2.doc file that SirCam mailed from the infected computer. The user thinks "odd, why was I mailed this document?", and might not worry about it being a virus.

Re:Excellent Question

[El+Kevbo]

What happens if someone steals your car and causes a fatal accident with it?
Sue.

What happens if a child finds the gun you left in your dresser and shoots himself?
Sue.

What happens if someone breaks into your house, trips over something and breaks a leg?
Sue.

Well, that seems to be the answer to everyone's problems in America...

Different than a fax?

[palme999]

How is this different than a misdirected fax? Although potentially embarrassing for me a recipient of a misdialed fax is ethically oblicated to ingore/trash it.

AFAIK they aren't legally obligated to pretend they didn't see but certainly ethically.

Re:Ever try opening a sircam doc? (don't.)

[Moonshadow]

It's got the document embedded in it. If you remove the first ~137k you'll get the document. Somebody else posted the exact number of bytes. Or you can just open it in your favorite text editor and browse through it.

So far I've gotten portions of the Lord of the Rings, some kid's essay on trains, and several other things. Nothing really fun though.

Re:encryption

[Ruds]

Do you contract/work at IBM, or does somebody else call slides/transparencies foils? Does anyone know the reason for the name foils?

ObOnTopic: Of course, most electronic/semiconductor, hell, every company I've seen tends to paste the word Confidential on everything. Still, you find confidential stuff on the walls, in the "non-confidential only" recycling/trash cans, etc.

Matt

Re:Confidentiality clauses

[Chris27183]

the word you are after is "consideration"

Re:In my legal opinion....

[RGRistroph]

Regardless of what level of effort is required to define something as a trade secret, it is still a fact that once it is in the open, it is not a trade secrete any more. You can go after the person who first released it for damages, but all the other people using that information are probably on safe ground.

Trade secrete laws are more likely to be state laws rather than federal laws, unlike copyright and patents, so it may vary from place to place.

In general, I think the thrust of the system is to punish those who betray other people's trust, but encourage the secrete-keepers to come within the covenant of the patent system, where essential you trade publication (anyone can read the patent) for a limited government enforced monopoly.

Re:In my legal opinion....

[RGRistroph]

I stand by my ground on the trade secret issue. In these days of findlaw and other searches perhaps you'd like to site a case or two where someone innocently came upon tradesecret information and was denied the use of it.

I think the real legal misinformation here is your snooty remark about not commenting on the law if you are not a lawyer. I and any other person with about an 8th grade education are perfectly capable of reading the law, it is just words in the english language. The whole "you be quiet you peasant, only us lawyers can discuss these affairs" belongs in Europe, not America. I'd be more willing to put up with it if lawyers actually knew anything, but as you can see by checking out that NY Times Magazine article from a few weeks ago, a fifteen year old who watches Court TV knows more than you guys. And finally, you lower yourself to the point of that sniveling false concern that I might be posting legal information while not a lawyer. I am not a lawyer, and I'm damn proud of it. I think people will weigh my opinions on the law or other subjects more because of it.

However, you have the tone of someone who is clinging to a parchment. Why don't you just come right out and tell us where you are licensed ? Is it possible that I could actually pay you a token sum for your legal advice on trade secretes, just so you'd be actually putting something on the line ?

By the way, if anyone is looking for examples of how to be a twit, they'll find plenty in Compulawyer's userinfo. He likes to post these dignified little tidbits on trivial nonsense, and seems to be on the search for some area in which his mature opinions on software engineering practices requiring correctness proofs and etc will be worshipped by a bunch of cub scouts.

Re:Use an Anonymous Remailer at a webcafe.

[RGRistroph]

Dude, the purpose of sending him a warning that he was sharing that file would be to STOP his accounts from being wiped out. The deal is, what with people like that Schwartz guy at Intel being prosecuted for doing their job, I'm not about to pop up and helpfully tell anybody anything about any security problems. If the document is at a company or government there is no telling how they might react.

So I think the anonymous mail thing is a good one. Thanks.

If you really want to get nosy

[RGRistroph]

Try searching on gnutella for "resume.doc" or "letter" or ".xls". Apparently many people use gnutella at work and set it to share C:\.

For about a weekend or so it was a sport with me. I downloaded a ton of stuff I am sure was not meant for the public -- there was a breakup letter where the writer stoped midsentence and types "aw fuckit i'll stay with her" (but then for some reason saved the letter ? don't ask me). I also found some business oriented xls files and ppt files. Most interesting was the fact that you could find what I think were people's outlook and eudora mailfiles, those inbox.dbx things. I have no idea how to view those.

Anyway, I got bored and moved on to other shit. The best thing I found was a file called either "private.txt" or "secrete.txt" which looked like the following:

SSN: #########
PIN(ATM): ####
PIN(VISA): ####
WellsFargo: user/passwd
yahoo: user/passwd
(a university student network domain): user/passwd

So I guess this guy decided to consolidate all of his sensitive info into one place, decided to put it on a computer, and then accidently shared it with the whole fucking internet.

I wanted to try the yahoo user/passwd just to see if it was real, but at that point I stopped and thought and decided that actually using the information people were inadvertendly sharing to snoop information they _weren't_ inadvertently sharing was probably where the legal/ethical boundary would be crossed. I never sent email to the yahoo address or the university one because I was afraid of being accused of being a hacker. The sad thing is that my gnutella client automatically moves completed downloads to the shared directory, so it is possible I further shared that file with others before I deleted it.

If there were some way you could filter your gnutella search results on IPs belonging to cable/DSL users in the DC area, or by those belonging to employees of a particular company, etc, then you could really do some damage.

I talked about this with other people and some of them apparently search for the names of .DLL files in various versions of windows, to find a gnutella host sharing everything, and then do the "list all files on this host" thing to look at the user's personal files.

So I guess the moral is, make sure your friends know how to configure their gnutella clients correctly.

Re:If you really want to get nosy

[Johnny5000]

If someone is using a file sharing service, how are we supposed to know if they meant to share certain files? It's not like a fax to a wrong number where it says- To Freddy Snerdlick, a shared file on a file sharing service is meant to be given to everyone using that service. Its not our job to figure out what they meant to share and what they didnt. I cant tell that they meant to share this mp3 and this avi, but not this mpeg and certainly not this text file.

I used to search Napster for "mic in track.mp3"
which is usually people recording themselves singing (usually awful), talking into the mic, doing mini comedy skits, and sometimes recordings of... uhhh more private things.

It was pretty entertaining for a while.

-J5K

Re:alone?

[SRMoore]

Heh.. you better knock on wood as you say that =)

Re:Confidentiality clauses

[Gill+Bates]

ok, off topic, but I give up. what is IANAL???

I Am Not A Lawyer

Acronym used on Slashdot (at least that's the first place I recall seeing it) to prefix a post which then proceeds to give legal advice.

Re:Excellent Question

[Theodrake]

> Don't you just love the US...

Where any idiot can spread Urban Legends to their hearts delight

A good way to fight UCITA?

[jmv]

As some suggested, "What if you write that displays a EULA before causing damage?". Since the UCITA gives a lot of power to EULAs, it might be legal. Now if there appears tons of such virii (and you can't presecute the writer, some people are going to like that), the only way to fight that could be to dump UCITA... Of course, it's a bit far fetched, but how knows?

Re:A good way to fight UCITA?

[jmv]

no one would knowingly agree to have their computer ransacked by untrustworthy code.

Sure, but how many people actually read the agreement? I'm sure you could write in bold letters "THIS WILL DESTROY YOUR COMPUTER" and people will still click "I agree".

Re:A good way to fight UCITA?

[jasonk3]

no one would knowingly agree to have their computer ransacked by untrustworthy code

I beg to differ...lots of people have agreed to install the Windows XP beta.

Yet Another Outlook Virus

[orkysoft]

There have been dozens of Outlook viruses recently, and people still use Outlook and open the attachments.

One could reasonably say that people don't mind getting their computers infected by these viruses, and having their documents sent out, meaning they're not meant to be confidential.

That said, I did reply to those SirCam mails I got telling the sender to get rid of Outlook. I didn't pay much attention to the attachment, and deleted it shortly afterwards, to save space in my web mail box.

IANAL

[Zaphod+B]

...but I *do* get to deal with this on a more-or-less daily basis these days.

According to the lawyer types I work with, it's more or less the same as if a fax went through to the wrong number. They are prohibited from disclosing the information if there is a legal blurb on the bottom of the page or wherever that says so.

I never thought I'd see the day when I'd welcome more legalese on documents... but any sensitive documents should really have that blurb, quoted (well, mostly) here:

The information contained in this document is proprietary and confidential and may not be transmitted to others in any form without the express written consent of $COMPANY. If you have received this document in error, please call $NAME at $PHONE and promptly destroy all copies.

In the case of financial documents, which is what I concern myself with, the use of them for gain is tantamount to insider trading and is a Bad Thing for He Who Gets Caught.

Zaphod B

Re:IANAL

[KjetilK]

According to my lay understanding of the laws around here (Norway), such disclaimers are bullshit. E-mail is like postcards, it's regarded as public. If you transmit confidential information it is your responsibility to encrypt it.

Re:IANAL

[hysterion]

I never thought I'd see the day when I'd welcome more legalese on documents... but any sensitive documents should really have that blurb, quoted (well, mostly) here:

The information contained in this document is proprietary and confidential and may not be transmitted to others in any form without the express written consent of $COMPANY. If you have received this document in error, please call $NAME at $PHONE and promptly destroy all copies.

This is straight out of the museum of stupid disclaimers, right?

Re:IANAL

[Zipo+Bibrok+5*10**8]

This legalese might be able to apply in the country in which it was written (and maybe other friendly countries), but would presumably be of about as much value as a Microsoft Office licence in many parts of the world.

Once stripped of the legalese, such a document could then be sold back to the country of origin, where it could be published freely. The recipient could presumably legitimately claim that they knew nothing of any restrictions.

In a world of global communications, laws will not protect anyone. Unless you really want a one-world government.

Zipo

Re:Hotmail deleted all my mail because of this vir

[jdcook]

Hotmail will delete old mail over new mail. It has happened to me. But when it did, I wrote them and they restored my account back to a certain date. I got all of my stuff back.

Re:You are responsible for your actions, that's it

[TheCarp]

Veruy true. That is not the case here however.

It is the case that it *IS* addressed to you, however the contents were not intended to be sent to you.

There is a term for this, its known as "Shit out of luck".

-Steve

Re:Confidentiality clauses

[TheCarp]

Actually, the document *IS* copyrighted. You still could be found guilty of copyright infringement for publishing such a document.

However, just forwarding a copy to a friend, probably not (a debatable point actually).

Redistributing the information in another form? Wouldn't be covered by copyright. So you could perhaps write a summary or article about it, and then publish that.

-Steve

Re:Confidentiality clauses

[TheCarp]

You wanna find out?

Lawyers don't tend to break legs, burn down houses, or allow you to experience restful sleep with the fishes.

Then again, some may argue that thats because they don't have the common decency to just beat the crap out of you or kill you and get it over with.

-Steve

Re:You are responsible for your actions, that's it

[TheCarp]

> Anyone wishing to "use" the contents of the
> information they receive as a result of
> SirCam is still subject to copyright,
> trademark, insider trading regulations, etc
> etc.

Well of course, the original author would still hold copyright and all, but thats a side issue. Fair Use still applies. I see no reason why you would be bound to not reveal the information contained therein (if not the document itself, as that would be copyright).

> Now ethically, you'd probably just want to hit
> delete on all those emails without even
> bothering to look at them.

Of course that is unless you are looking at them specifically with the intention of figuring out whose information was compromised, so that you can warn them of the virus infection.

This, of course, assumes that you know its a virus. One could just as easily be a linux user who saw an attachment and immediatly used strongs
on it to get at the text.

-Steve

Re:Well....

[TheCarp]

Actually....

Ethically speaking, you would never find out what happened at the Wannsee Conference, because as soon as you realise that it was sent to you in error, you would destroy it - without even reading it yourself.

This assumes of course that your standard of ethics values personal privacy very highly. Then again, what if you discover the contents of the document while trying to ascertain the origin and to verify that you were not the intended recipient?

-Steve

Re:You are responsible for your actions, that's it

[TheCarp]

Of course....

Lets say company X is a mial order business, screws up an order and sends me the Widget that you ordered, when I havn't actually ordered anything at all from them.

Guess what? The widget is mine, and I don't have to pay for it. They still owe you a widget of course, and have to send you one, but I am under no obligation to pay them, or return the widget.

This may not work outside of the US, but thats the precedent here. Things that are sent to you in an unsolicited manner become yours, and no further obligation can be placed on you.

A perfect exampl eof this is a few months back when I ordered a bunch of stuff form thinkgeek. They sent my order twice - once almost exactly one week after the first one arrived.

Now, being an ethical person, and being a person who LIKES thinkgeek alot, I sent the second package back to them. However, I would have been well within my rights to keep it and not have them charge me for it a second time.

-Steve

Re:Hotmail deleted all my mail because of this vir

[cworley]

>But when it did, I wrote them and they restored my account back to a certain date. I got all of my stuff back.

I've tried writting them, they haven't responded -- but, it's only been three days, much to quick for Microsoft.

Re:Hotmail deleted all my mail because of this vir

[cworley]

> Serves ya right for using hotmail for critical communications!

I agree, but this is where lots of my old email addresses from previous employers gets routed -- don't quite feel like calling them up and having them change it again.

There is a program, "gotmail", that I've used for copying hotmail email to my local inbox -- it looks very good on the recieving end (not all the hotmail crap you'd get in your message if you forwarded it).

I don't want to use this automatically/periodically on my Inbox because of all the junk mail that gets delivered to that address (more than a decade of Usenet posts with my old addresses gets about 20 spams per day).

Hotmail deleted all my mail because of this virus

[cworley]

I was out of town for a week... didn't check my hotmail account.

During that time, my hotmail Inbox filled up with these sorts of messages (large attachements with the text: "I send you this file in order to have your advice").

Once it reached the maximum size for hotmail diskspace, hotmail started automatically deleteing older messages: all the messages in all of my folders had been deleted by the time I checked my hotmail account.

All that was left was spam in my Inbox.

Thanks, Microsoft!

Trade Secrets are just that...

[SIGFPE]

...secrets. If you leak them they're not secret any more and you no longer have protection.

If you have some intellectual property you have 4 ways to protect it:

• Trade Mark
• Copyright
• Patent
• Trade Secret

The first three rely on government protection. The last one relies on your own ability to keep it secret. If you're unable to keep it secret then you should use one of the first three methods to protect yourself. If you fail to keep it secret and don't use one of the other methods then you are unprotected and there's nothing you can do - that's why the other methods exist.

IANAL But I recently had one explain all this to me.

--

Re:Trade Secrets are just that...

[RulesLawyer]

I_A_AL, and that's exactly what I rember learning in law school. If the secret gets out, it's not a secret any more.

Ethically it's a different question, but legally, you can set the information free (as in speech).

You couldn't legally publish it verbatim or hand out free (as in beer) copies of it because of copyright protection. But the information itself (and not the expression of the information) is no longer protected.

yeah mod this down it's the truth

[sideshow]

Send the company a letter saying something like "it will cost you $75,000.00 plus taxes for me to keep my mouth shut." If it's Microsoft, go for option 2

People wonder why the Linux community tells everyone they should use a product that doesn't promote the extortion of other businesses unless of course the business being extorted is Microsoft.

Linux doesn't need hipocrites so please go somewhere else.

Excellent Question

[zpengo]

Some legal things to consider:

• What happens if someone steals your car and causes a fatal accident with it?
• What happens if a child finds the gun you left in your dresser and shoots himself?
• What happens if someone breaks into your house, trips over something and breaks a leg?

Re:Excellent Question

[pornking]

The path from your property line to your doorbell is a public accessway. That's not trespassing unless you have specifically barred that person from your property. therefore, the walkway is an invitation, at least for the purposes of going up to your home to visit or communicate in some fashion. Therefore, as you say, it's only reasonale if I'm liable for any accident they have if it's a result of gross negligence on my behalf or failure to warn etc...

American law says almost nothing about when you can sue. You can sue for anything. The question is whether you can convince a jury of the defendant's culpability. The preexisting law is this area is primarily common law. That means that it is the accumulated decisions of juries for the last 500 years or so.

Again, you are responsible for the safety of others on your property if either you invited them, they are on the path to your doorbell, or they are too young to know any better and wander onto your land from elsewhere.

Where did metal ladders come in? That's the action of a responsible adult. Nowhere has what I've said come anywhere close to your example, and in fact, I agree with you on that point. So what?

When you find out there is something you should be doing but are not, and the majority (at least on juries) regards obvious and necessary, your reaction should be "I guess I should take responsibility for my own affairs", not "Why aren't other people more responsible?". It's true that it might not be necessary if all parents were more responsible, but human life is at stake. Redundancy is a good thing.

Re:Excellent Question

[pornking]

Let me get this straight. Are you honestly comparing the actions of a child too young to know any better with those of a criminal? The law is pretty clear. A swimming pool is what's known as an attractive nuisance. You, as a pool owner, are required to take reasonable precautions for the safety of children who might be attracted to it. This means a gate with a lock. It doesn't have to be very secure, just secure enough that people too young to know any better won't be able to easily get in.

I know what you're going to say. The parents are responsible. You are correct, but every once in a while, a kid gets away from his parents. Perfect 24 hour surveillance is difficult to maintain. Not only is the pool rule a good idea, but it is also simple common sense.

You talk about holding criminals responsible. That's fine. You sound like a very strong believer in personal responsibility. Why don't you accept your responsibility to others when it comes to your property?

There is a limited but important set of circumstances where you are responsible for the safety of others on your property:

• You invite someone into your home. You are responsible for warning about or eliminating nonobvious hazards. This is common sense.
• Public accessways to your home. People visiting your home, invited or uninvited, are expected to come up your front walk, and up your front steps. If they are icy and your visitor slips, you are responsible. This is common sense.
• A hazard which may be encountered by children too young to know any better. Especially an attractive hazard. This is common sense.

None of these cases has anything to do with the safety of a thief who breaks into your house or the irresponsible actions of people who should be responsible.

Isn't it funny how many of the people who talk about personal responsibility have a blind spot when it comes to their own?

Re:Excellent Question

[jbarnett]

Perfect 24 hour surveillance is difficult to maintain.

We have been watching you for 7 years, 24 hour surveillance isn't that tough. Oh and you know that thing you do with the rubber duck, baby oil and picutres of goats? Stop it now.

Re:Excellent Question

[aardvarkjoe]

He didn't say it was illegal to have kids and guns in the same house -- he said you were responsible if you leave a gun where your children can get to it, and they shoot themselves.

I don't quite agree with his statement that there should never be guns in a home with children (although I do think that anyone getting a gun should think hard about it first), however, if you own a gun, it should be under control at all times. Locking it up, keeping it on or near your person is reasonable. Unattended in a dresser is not.

Re:Excellent Question

[egerlach]

True story:

I can't remember where this happened, but I remember reading the article in Business class when we were talking about Law. Anyways, someone was having a pool party at their house. Most of those attending were drunk. A good time was being had by all.

The next door neighbour had built a shed up against the fence which seperated the two properties, and he was using it to store tools, etc. (No, this was not Arthur "two-sheds" Jackson). Some of the drunk people decided they could make the 10-foot long jump from the top of the shed into the pool. Needless to say, the first one that tried didn't make it, and suffered irreperable damage (don't recall exactly what.)

Here's where the story gets good: The injured party sues, guess who: The Neighbour! And he won! Why? The court ruled that the Neighbour had been negligent when he had built the shed, not anticipating the case that people next door would get drunk and try to jump from it into their pool.

So those questions are more interesting than you think....

Re:Excellent Question

[hearingaid]

What happens if someone steals your car and causes a fatal accident with it?

See Kierthos' post. you don't have to worry about insurance rates either; you're not liable, so long as you weren't negligent in protecting your car. at least, not in most jurisdictions. no liability, no insurance claim, no problem.

What happens if a child finds the gun you left in your dresser and shoots himself?

I would almost say, see Kierthos' post. However, if you took reasonable precautions to keep the gun safe (for example, if it was unloaded, and the bullets were locked away somewhere), then it's just a horrible, horrible accident. odds are, though, you're not observing good gun safety. negligence is illegal.

What happens if someone breaks into your house, trips over something and breaks a leg?

this is an interesting question.

normally, it's their tough luck.

however, there are cases where burglars have sued over home-defense systems that were excessive. you're allowed to use a certain amount of force to defend your property. the actual amount varies by jurisdiction. (I believe, for example, in Arizona there are no limits, nor any warning necessary. if you're on private property, you better get explicit permission. however, in Canada you're not allowed to use lethal force to defend property, only people.)

Re:Excellent Question

[Kierthos]

Some legal things to consider:

What happens if someone steals your car and causes a fatal accident with it?

They are charged with theft and aggravated assault. Unless you gave them the gun, you are not technically liable. Let's face it, your hypothetical person committed a felony by stealing the gun. How is this your fault? (Well, unless you live in a country with fierce gun laws.)

What happens if a child finds the gun you left in your dresser and shoots himself?

You are liable, as case law has shown. The proper place for a gun in any household that has children is not in the house. Failing that, use a gun safe.

What happens if someone breaks into your house, trips over something and breaks a leg?

They committed a crime by breaking in, and therefore should not benefit in any suit brought by actions during the commission of a crime. Well, generally speaking, but I think some idiot judge in Minnesota (or Michigan, can't recall which) gave the judgement to the crook when he got shot while breaking into a house.

However, with this virus, you didn't break into anyone else's computer and take their docs. Depending on the jurisdiction, you may be legally bound to report what happened to the owner of the document, you may not. But in most places, you are not allowed to diseminate the document in any way, shape, or form. And blackmail is a no-no in most countries too.

As always, IANAL.
Kierthos

Re:Excellent Question

[Xibby]

What happens if someone steals your car and causes a fatal accident with it? Given my car, it's quite likely the theif was the one who died.

What happens if a child finds the gun you left in your dresser and shoots himself?
He'll be very very wet or hit by a paint ball.

What happens if someone breaks into your house, trips over something and breaks a leg?
Not only will they have a broken leg, they'll be covered in doggie drool. So with a broken leg and buckets of doggie drool, they'll be searching for the missing portable phone. And if all he broke was his leg, he's lucky. There's lots of stuff to trip over in my house.

Re:Excellent Question

[kraada]

I don't know about the first two, but I remember hearing of a case of something very similar to the third. A person broke into a house, and was in the process of committing larceny when the homeowner's dog attacked the burglar. The burglar ended up with some extent of injury, took the homeowner to court, and won. I don't remember how much he sued for, but it was significant enough to disgust me. *shrug* take it for what you will.

Re:Excellent Question

[banshee2000]

Another true story ...

My friend has his car in the garage for a tuneup. An employee of the garage took the car on a joyride late Saturday night and crashed into a guy's hedge. The hedge owner sued the car owner (my friend) and won damages. Screwy laws.

Strangers

[zpengo]

total strangers I've never heard of before

Those are the worst kind of strangers!

Re:Just a polite request

[awarlaw]

however,
in arbitration it can be used to show cause.

IANAL but, i have seen it done.

Re:why do people keep doing this?

[twitter]

Why indeed are you reading this? Don't like it, move on.

Now all you geeky people, please stop talking and get back to work. egomaniac will be very upset if he does not get his daily dose of good technical humor, insight and amusement.

Very Ethical, damn it.

[twitter]

I recieved a picture of two people making love. It was so beautiful I just had to give it back to the sender, so I pressed the outlook reply button. You know, the one with the puble arrow and face. Well, funny thing, the sender never answered. I looked up Mellisa Perez from Big Media Group and tried calling and mailing, but she did not know what I was talking about. At this point I decided to post it on the New York subway with my email address so whoever owned that picture could get it back from me. If you have been victimized by this terrible virus and think you might be missing a photo like that, send me a copy or near copy. If the copy matches, I'll send you back my electronic original.

I love you, Mellisa!

why do people keep doing this?

[egomaniac]

Why do people keep posing technical legal questions to a bunch of geeks, most of whom haven't even graduated from college yet? Is there some secret stash of lawyers on Slashdot that I'm not aware of yet?

Judging from the uninformed comments above, evidently not, but there are a *ton* of clueless idiots who are more than happy to spout off their opinions on a subject they know nothing about. But hey, that's what most Slashdot discussions are anyway.

Trade secrets are covered by a myriad of laws, and you can get in serious trouble for divulging them even if you learned of them by accident. Call a lawyer to find out more details. Slashdot can't provide much help on legal questions, as we've proved over and over and over again...

--- egomaniac

Re:why do people keep doing this?

[Frizzle+Fry]

Huh? The questions he's talking about aren't about right or wrong they're about what the law is. And lawyers are, almost by definition, people who are paid to know what the law is and go to school for many years to learn this. I don't see anything "wrong" with that. I think maybe there is something "wrong" when people who aren't lawyers assume that they cna just guess what the law probably is and that'll be right.

--

Re:why do people keep doing this?

[Mike1024]

Hey,

Is there some secret stash of lawyers on Slashdot that I'm not aware of yet?

Sure!

CmdrTaco) Hmm... Got another law 'Ask Slashdot' here.
Hemos) Another? What's it about?
JonKatz) It's a case that has the ugliest implications not only for the press (online and off) but for open discussion of technology, and especially for the First Amendment.
CmdrTaco) Some guy wants to know if he can post secret documents he gets e-mailed.
Roblimo) Are you sure we want to post this? Don't you think slashdot is posting too many law-related stories, when there are no lawyers reading? We don't want the site to get boring...
JonKatz) Slashdot is at times witty, imaginative and entertaining, no small accomplishment, especially this summer. It reminds us that when it comes to ominous design and atmosphere, nobody can top CmdrTaco. Where he seems to have trouble is with storytelling.
Hemos) Well, we could just blindly post it... or we might have to break out the.... SECRET STASH OF LAWYERS!
CmdrTaco) Great idea! Where did you leave the lawyers, Cliff?
Cliff) They're in the fridge, behind the Jolt.

I think that's about how it went.

Michael

Update

[festers]

This post brought to you by the Redundancy Dept. of Redundancy.


--------

Re:You are responsible for your actions, that's it

[mmmmbeer]

I disagree. After all, this is your mail. So it's not the same as getting someone else's mail in your mailbox. It's like getting someone else's mail in your envelope. (I do agree with the comment about insider info, though. IANAL, but I think it doesn't matter how you get the information.)

Why don't we explore this a bit. Let's say Mr. X is writing some letters, and he accidentally puts Mr. Y's letter in Mr. Z's envelope, and vice-versa. What are the legal implications of that? Are Mr. Y and Z free to use any information therein, even if it is clearly not meant for them?

Re:Confidentiality clauses

[martinflack]

The lawyers out there will know the Latin word (and there is one) but there has to be something received by both parties entering into a contract for that contract to be enforceable in the USA.

You cannot forward a document to a stranger and then legally bind that stranger to behave according to the content of that document. Not in the USA.

You are correct. But that isn't the issue. Yes, without meeting of the minds and mutual consideration there is no agreement. But actually with confidential information that can be argued to be "trade secrets" you're up against common law for trade secrets, not contract law. There doesn't have to be an agreement in place for you to have to follow the *law* which gives rights to trade secret holders. If you received plans_to_kill_linux_in_5_years.doc from someone@microsoft.com accidentally, such a notice would not be intending to form an agreement with you, it would be intending to provide immediate constructive notice of trade secret status.

BTW, IANAL. Just my 0.02 USD

Intentional espionage?

[Fencepost]

A friend of mine is of the opinion that Sircam was originally intended as a corporate espionage tool that would be basically untracable. I think he's wrong and that anything intended for that would be better-written, but I don't think that something similar would be out of the question.

If Sircam had a way to get messages back to a particular point from several generations along, I'd agree with him completely.

Personally I actually have glanced at the contents of one of the Sircam messages that was sent to me (in a hex editor), but only because the filename was my birthday.

-- fencepost

Re:Intentional espionage?

[Fencepost]

Does it actually include hardcoded addresses? The SARC description doesn't include any mention of that in the list of ways it gets addresses, and I haven't saved a copy to scan for strings. Perhaps you're confusing it with CodeRed?

For someone who wanted to do non-discriminating bulk corporate espionage like this (even using a better-designed worm), there'd be a high likelihood that nothing important would be uncovered anyway. Given the huge number of documents that companies produce, only a very small percentage of them would be of use to a competitor.

-- fencepost

Re:Encrypted polymorphic viruses and the DMCA

[Fencepost]

I'm not questioning whether viruses are legal or not (I don't actually know what the law is on this, but I also don't think it matters). While I think your typical virus writer should be kept away from computers until he grows up, I don't think that he gives up copyright to his works any more than people posting to Usenet do.

Anyway, I feel fairly confident that the DMCA doesn't say anything about whether the encrypted materials are legal or not - it's breaking the encryption and using (having? disseminating?) the tools to do so that's made illegal. Is there anyone here who doesn't think the antivirus vendors have developers building their own tools and sharing within their teams?

-- fencepost

Encrypted polymorphic viruses and the DMCA

[Fencepost]

Oh my...

Consider a virus writer being caught, then going after the major antivirus software vendors for breaking the encryption on his virus...

-- fencepost

Re:Encrypted polymorphic viruses and the DMCA

[digitaltraveller]

Oh my... Consider a virus writer being caught, then going after the major antivirus software vendors for breaking the encryption on his virus...

Not far off. A guy who wrote a bsd telnet exploit that was posted to bugtraq complained that bugtraq infringed on his copyright by posting it. It had a copyright notice on it (under a pseudonym - obviously). The problem was the exploit has been in the wild for a little while now. So that brings up an interesting question. If someone hacks your machine and leaves a copy of the exploit, are you LEGALLY prevented from posting it to bugtraq because of a copyright notice attached to it. The implications of this sort of stuff are mind blowing. The Knee jerk lawmakers solution here would be to outlaw the use of copyrights under pseudonyms. (eg. Like Mark Twain)
BTW: Slashcode sucks. As of 2 months ago I routinely get "Invalid Form Key" error every time I try to submit a comment.

Re:Encrypted polymorphic viruses and the DMCA

[grammar+fascist]

He'd get slammed down in court, easily. No intellectual property law of any kind covers illegal property.

Re:alone? Hell No !

[kuiken]

I get about 1 or 2 pieces of spam every month and the only viruses (SP?) i had was "Your PC is now stoned" and something called windows

Even if it _is_ illegal...

[mikeage]

...What if some clever virus/worm writer put a click through license. Would that be legal? If so, how much "honesty" (obvious, he wouldn't write "this is a virus") is required to ensure that a victim actually agrees?

On another note... are you saying I can't post those so-called confidential emails between Slashdot and goatse.cx paying for click-throughs?

--

Wow, that's a lot of spam

[MrResistor]

I guess that would be why Pac Bell sent me a virus warning about it. I'd never recieved a virus warning from an ISP before.

Of course, they keep sending them, so I wonder how much that really cuts down the traffic on their system...

Gee.. I feel unloved (uninfected)

[SirGeek]

In all this time, I've only gotten 2 emails from sircam.. Funky. I guess that most people I deal with have "some" intelligence...

Re:Gee.. I feel unloved (uninfected)

[Tyrall]

Well, I've had 173 of them from one guy (to 3 different accounts). This is despite 2 emails telling him about it. Still, the only way I know I've 'had' 173 of them is my mail logs dropping them into the nearest bit bucket :)

Re:Gee.. I feel unloved (uninfected)

[Nihilanth]

I've only gotten one email..but frighteningly enough it was from a WEBSITE that I ordered COMPUTER PARTS from with my CREDIT CARD NUMBER. I wish I had looked more carefully at which company it was before i deleted it, so i could avoid them in the future.

I have just finished coding a new email virus...

[mr_gerbik]

...that attaches our favorite goatse.cx photograph to the email. The virus only sends itself to Chinese email addresses. The subject of the email is "Now thats what I call Code RED"

Trade Secrets

[Merk00]

Given that the trade secret was gotten fradulently and that you knew that it was gotten fradulently, then spreading the trade secret would be a violation of federal law. So you would be responsible for it.

Re:Trade Secrets

[studerby]

Trade secrets enjoy no legal protection.

Maybe where you live, but in the U.S. almost every state has a Trade Secret law.

Here's Florida's, which is modeled on the national UNIFORM TRADE SECRETS ACT, and is therefore the same or similar to most states' act.

In answer to the original question, note 688.002,especially (2)(b)3., which reads in part:

(2)"Misappropriation" means:
(a)...
(b) Disclosure or use of a trade secret of another without express or implied consent by a person who:
1. ...
2. ...
3. Before a material change of his position, knew or had reason to know that it was a trade secret and that knowledge of it had been acquired by accident or mistake.

Without the 'Before a material change of his position' clause, it would seem that this law would clearly prohibit redistribution of "SirCam secrets". However, that clause (to me) seems to imply that the person who acquired the secret throgh mistake or accident is presumed to be an employee or in some other particular relationship to the owner of the secret, and not a stranger, thus not prohibiting distribution by such an "innocent" stranger even when that stranger knows it's a secret.

However, I'm not a lawyer...

Re:Trade Secrets

[hearingaid]

trade secrets aren't federal, either in the US or Canada. they're state or provincial jurisdiction.

Re:How to open safely?

[SuiteSisterMary]

Go to either windows\startmenu or documents and settings\profile\sendto and put a shortcut to notepad in there. Then take a file, any file, right click, send to, notepad. Boom.

Re:An analogy...

[SuiteSisterMary]

No, actually, the better analogy would be somebody breaks into the jewlery store, steals the jewlery, boxes it up, puts in a note saying 'I send this jewelery for you to try out. Please to wear it and tell me what you think' and mails it from the store's address. Is it 'ethical' for you then wear it?

Re:Well....

[SuiteSisterMary]

The fact that you're even asking this question tells me that you've never taken a course in ethics before.

Any society that needs to write down it's ethics laws, let alone teach them is already fucked beyond repair.

Re:Confidentiality clauses

[regen]

True, Carl is still bound by other laws and regulations (such as Copyright law), but the point I was trying to make is that Carl is not bound by the contract.

Re:Confidentiality clauses

[regen]

This means, that for anyone to be released from a confidentiality clause, then teh information has to be legally published.

Let us say that Alice and Bob enter into a contract, with a confidentiality clause. Bob's computer is infected with SirCam and it mails the contract to Carl. Carl then publishes the contract in a news paper. Alice may have grounds to sue Bob for breach of contract (Bob's copy was leaked) but doesn't have grounds to sue Carl for a breach since Carl was never a party to the contract.

Now for Bob or Alice to release any information may still be a breach, but Carl can do whatever he wants.

C. Keep old messages and BOUNCE new ones.

[yerricde]

Delete your old messages because you are receiving new ones, or keep the old ones and flush the new ones

Or keep the old ones and BOUNCE the new ones

which might contain an important e-mail

that the sender knows did not arrive, from the bounce message. Think of what filesystems would be like if they deleted old files because you were creating new ones: you might delete your kernel!

Translation into an older meme's paradigm

[yerricde]

"I send you this file in order to have your advice"

or

"All my file are belong to you" ?

What does that say about your friends?

[Grab]

Taco's got 1.1 Gigs of attachments from his friends? I must be lucky then, all my friends are smart enough not to click on files attached to emails that look dodgy!

And this is rather blatant. I mean, do many ppl have friends who send an email saying 'I send you this file in order to have your advice'? Everyone I know passed 3rd-grade English...

Grab.

Re:Let me give this one a spin...

[jbarnett]

If said thing was placed with the intent to trip a person, it is the homeowner's fault that the theif was hurt.

So I do not have the right to protect my home, family and/or property?

Re:Huh?

[ahknight]

Funny, my recruiter just sent me a shitload of other people's resumes. Yes, it appears he infected himself more than once, nay, repeatedly.

The upside is I know where I stand in the tech world now, squarely in the middle. =)

Re:An analogy...

[ender_]

Not quite right.

If the robber made some photocopies of some documents

(remember: the company hasn't lost any physical property, just a copy)

and set them on your door

(remember: tampering with a mail box is a federal offense, sending e-mail is not)

could you look at these and keep them?

The answer is a definite maybe.

Re:Confidentiality clauses

[SLi]

You have no inherent, natural, or legal right to use a copyrighted work, simply because you think you paid an appropriate price for it.

That's just pure BS. Ever heard of the first sale principle? Essentially, the copyright holder has legally no control of the work after first sale (other than preventing copying, derivative works and public performance). Well, in most countries anyway, including US (France is different).

Re:Confidentiality clauses

[SLi]

Well, there's nothing new in sending threatening letters to ignorant customers.

C:\Windows\applog\sirc32.lgc

[Morris+Schneiderman]

In the process of removing this virus from a computer, I noticed something that I've not read about on any of the virus monitoring sites.

The worm wrote what seems to be a log file to:

c:\windows\applog\sirc32.lgc

This is a plain text file that looks innocent enough when opened with notepad. But it includes a column of numbers that just might be dangerous if processed as input by the wrong program...

Re:C:\Windows\applog\sirc32.lgc

[compwizrd]

Erm, all programs seem to do that when run under 98 (maybe 95?)

Re:C:\Windows\applog\sirc32.lgc

[DrVxD]

Yep. The applog is where Win98 keeps the data to do the "defrag so my programs run less slowly" thing.

--

Re:Confidentiality clauses

[Storm+Damage]

The lawyers out there will know the Latin word (and there is one) but there has to be something received by both parties entering into a contract for that contract to be enforceable in the USA.

Quid pro quo, loosely translated as "this for that."

How about intentionally doing it

[dpilot]

Why not a new form of industrial espionage?

Even better, take this into the political activism-type space. Send your virus into Evil Corporatist Inc, and have it start broadcasting junk off of hard drives all over the place. EVERYBODY gets the damaging evidence. Plus imbed it in the body, don't make it an attachment.

Call it "No Secrets".

1.1 GB

[Kondoor]

For the love of pete, what kind of connection do you have? I've got to assume your on a corporate lan connection, hasnt your network\email admin came over and asked you what the heck was going on yet?

Re:1.1 GB

[Kondoor]

I'm not saying that 1.1 GB is that big, but I am making an assumption that 1.1 GB traveled thru there email gateway just from Sircam attachments and that all of it is external. Passing 1.1 GB of mail to 1 user all coming from an external source should put up a red flag.

Re:you could go on with this all day...

[ZeroZen]

Hahaha Excerpt from diceware.com: "Some Tips For maximum security make sure you are alone and close the curtains. Write on a hard surface - not on a pad of paper. After you memorize your passphrase, burn your notes, pulverize the ashes and flush them down the toilet. "

How does one extract the attached file?

[martinde]

In linux, without executing the virus? I've been wanting to see all of the things I was sent.

Re:Maybe 'informed consent,' not 'consideration'

[DHam]

The word he's looking for is NOT 'consideration' or 'quid pro quo'. That's something very different - the idea that all contracts must offer something of value to all parties. It may only be "$1 and other considerations," but there has to be *something*.

That's what consideration is. The doctrine of consideration says that each party to a contract must promise something. It's also known as the "peppercorn" doctrine because the something promised only needs to have nominal value - like a peppercorn, for example.

How to open safely?

[jcoleman]

I'm interested in seeing what all these idiots are sending me (call me nosy; I also look at car wrecks when I drive by). What's the safest way to open these attachments on a Windows 98 machine that is not running Outlook?

Re:How to open safely?

[sowalsky]

notepad

Re:How to open safely?

[Docrates]

Rename regedit.exe to regedit.com, this way the virus can't enter the line in the registry that makes it run everytime you fart or sneeze

Create a folder named "documents i don't want seen by anyone" and move everything you have in \my documents there (even folders). This way the one time the virus will run (when you open the attachment) it won't find shit to send.

Re:How to open safely?

[shepd]

>I'm trying to imagine how long it would take to print out on the teletype.

Yes. This is the future. Forget the past. It is wrong to know of the past. It is wrong to support the past. The future is always.

Re:How to open safely?

[shepd]

The worm's payload is to delete things on your computer once out of every twenty times. I don't play russian roulette with my machine.

Re:How to open safely?

[shepd]

How about this for fast?

dd if=virus.doc.pif of=clean.doc bs=137216 skip=1

I don't care to see if it works ;-), fortunately I don't know anyone who's been infected...

Re:How to open safely?

[mttlg]

I'm interested in seeing what all these idiots are sending me (call me nosy; I also look at car wrecks when I drive by). What's the safest way to open these attachments on a Windows 98 machine that is not running Outlook?

One overly-complicated yet fairly safe and easy to clean up option I can think of off the top of my head is to use something that emulates a Windows box (like VirtualPC), disable networking, and infect away. Once you're done playing, just quit the emulator, delete the Windows hard drive file, and all is well.

Re:How to open safely?

[Gibbys+Box+of+Trix]

Yes... that works.

ahem... I mean, that looks like it might work... My ethics have prevented me from trying such an operation... I immediately deleted all SirCam emails, of course.
--

Re:How to open safely?

[KarmaBlackballed]

Unplug the modem/NIC...

No. That is not enough ... your machine will still get infected.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ the real world is much simpler ~~

Re:How to open safely?

[KarmaBlackballed]

To be blunt: Shutting off the internet and then opening the infected attachment is like putting on a condom and then injecting yourself with HIV. It is not about where else the virus goes ... the point is now you have it.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ the real world is much simpler ~~

Re:How to open safely?

[linuxrunner]

Seriously... There are just way too many responses giving you difficult answers with hex editors, etc... Just open it up using note-pad. Remove the .doc file extenseion and replace it with .txt and click it. You should read some of the files I've been receiving. Interesting stuff. If you don't see you extensions, then change that.

Start -> Settings -> Active Desktop -> Customize my Desktop -> Folder Options -> Click 'Yes' -> View Tab -> 3rd one down is the hide file extensions choice. Make sure it is unchecked. Have fun! Carter

Re:How to open safely?

[tlk+nnr]

I'm interested in seeing what all these idiots are sending me (call me nosy; I also look at car wrecks when I drive by). What's the safest way to open these attachments on a Windows 98 machine that is not running Outlook?

Save the file on your harddisk, then remove the first 137216 bytes. You need a hex editor to do that.

Or with Cygwin it's

$dd if=virus.doc.pif of=clean.doc bs=1 skip=137216

Rename it to the actual file type and open it.
Do not double click it, instead open it from the correct app (just in case you didn't remove the virus properly - Word doesn't open windows executables)

Re:How to open safely?

[Spamlent+Green]

This only answers half your question, but BBEdit (Mac only..) should be able to open them.

Stupid Friends

[austinij]

I have now recieved 1.1 gigabytes of sircam virus email attachments. I'm just glad I don't pay for my bandwidth per k.

Wow, talk about a lot of stupid friends. I've only gotten a few of the SirCam virus emails, so I have to assume either a) people don't like me enough to put me in their address book, b) my friends are smarter than CmdrTaco's, c) my friends don't use outlook

Re:Stupid Friends

[Drakantus]

Attachments do not automatically open with outlook 97 or outlook 2000. What version do you use that automaticly opens attachments?

Re:Stupid Friends

[banshee2000]

Well I got two letters using Pronto, but of course I didn't open them. With Outlook attachments auto open ... huge difference.

Re:Stupid Friends

[banshee2000]

I don't use outlook. I use Pronto mail ... a linux mail client.

Confidentiality clauses

[michaelsimms]

In contracts I am writing up at the moment, there are standard confidentiality clauses. This means, that for anyone to be released from a confidentiality clause, then teh information has to be legally published. Even if EVERYONE knows about it because ofa virus or a leak, anyone using it is doing so illegally and may be prosecuted for stealing trade secrets.
If they delete it, no problem, if they keep it, big illegal problems.
IANAL, but I hired one and thats what they said.

Re:Confidentiality clauses

[Suidae]

So, if its a 'trade secret' but not marked as such, and I release it, can I be prosecuted?

IMO, the whole deal of 'trade secrets' is stupid, you shouldn't get any kind of legal protection (other than copyright) for secret documents. They are protected BY BEING SECRET, if it gets out, it ain't SECRET anymore. If you want legal protection, get a patent.

Re:Confidentiality clauses

[sydb]

RTFG (Read The Friendly Google).

Re:Confidentiality clauses

[sydb]

Code red... hehe! We run Apache here. My colleagues are all thick as mince, so one of them says to me, "This email virus, Code Red, I wonder how long it will be till it affects us! Scary!"

Now, this guy is a Unix admin.

Hello?

Sorry, I just felt the need to tell somebody! I work with fucking imbeciles. Please, someone somewhere give me a different job!!!

Re:Confidentiality clauses

[gailt]

Get another lawyer. The owner of a trade secret has to be able to prove that s/he took appropriate steps to protect its confidentiality, in order to enforce his rights. First challenge would be defending keeping an unencrypted "secret" on an unprotected (from viruses) machine. The recipient, however, has done nothing wrong - if not a party to any confidentiality agreement, s/he has no obligation to protect the "secret" - tho the ethical thing would be to notify the infected sender.

Re:Confidentiality clauses

[Planesdragon]

Any special terms in your contract don't apply to those who aren't parties to that contract. (i.e., saying "you can't say "MS Sucks" in a contract doesn't make it so for everyone else)

Your lawyer might know of other laws that apply (say, copyright and patent laws), but the contract certainly won't stop them.

(Which is beside the matter... the hypotehtical SirCam victim didn't steal the document, he was sent it by your company's hardware.)

IANALBIPOOTI (I am not a lawyer but i play one on the internet)

never take legal advice from strangers on the internet. I am a stranger.

Re:Confidentiality clauses

[nihilvt]

In contracts I am writing up at the moment, there are standard confidentiality clauses. This means, that for anyone to be released from a confidentiality clause, then teh information has to be legally published.

Doesn't one have to sign into a legally binding contract? A contract doesn't automatically include everyone in the world simply because the contract claims to. I don't see how an inadvertant discoverer of a non-patented/non-copyrighted document gets automagically included in the confidentiality clause.

Re:Confidentiality clauses

[SecurityGuy]

I exchanged money for a copy of the program. What do I get in exchange for the restriction that I can make only one backup copy? That I can't reverse engineer it? That I can't write a review saying the product proves sufficient monkeys and typewriters can write software as well as Shakespeare, and publish it?

Nope, sorry, it goes like this:

Go to store
Exchange money for software
Go home
Open box
Exchange rights for...nothing?

Which is where UCITA comes in. It legitimizes this non-transaction.

Re:Confidentiality clauses

[KarmaBlackballed]

In the case of a EULA, you have purchased the product --- which presumably is of value to you. There is quid-pro-quo in that case.

An uninvited email has no quid-pro-quo.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ the real world is much simpler ~~

Re:Confidentiality clauses

[KarmaBlackballed]

Here is my simple rule: Once I find out it is no longer a secret. Sue me.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ the real world is much simpler ~~

Re:Confidentiality clauses

[KarmaBlackballed]

The lawyers out there will know the Latin word (and there is one) but there has to be something received by both parties entering into a contract for that contract to be enforceable in the USA.

You cannot forward a document to a stranger and then legally bind that stranger to behave according to the content of that document. Not in the USA.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ the real world is much simpler ~~

Re:Confidentiality clauses

[ddillman]

Sounds good in theory. What about the EULA in most software? Have you ever signed a EULA? Me either. In fact, now that UCITA is here, you don't even have to click, you just have to open the package, which you usually have to do before you get to the EULA to even know what it says.

Re:Confidentiality clauses

[BlueTurnip]

And there could be other laws involved too, such as California's Trade Secret laws. (See the Califonia DeCSS case, for instance.)

So just because Carl isn't bound by that specific contract doesn't leave him in the free and clear. There may be other state/local or even federal laws that come into play. I'd consult with a lawyer before releasing anyone's secrets to the press.

Re:Confidentiality clauses

[TeraCo]

Friendly google? That sounds almost malicious in nature..

Now behave son, or the friendly google will get you.

PS: [O/T but..] This code-red thing here in the office is driving me nuts, everyone is running around saying "oh no.. oh no.. oh no..". Come on people, it wasn't an issue 19 days ago, why is it an issue now that CNN have written dire warnings of doom and gloom.

Re:Confidentiality clauses

[psychalgia]

ok, off topic, but I give up. what is IANAL???

Re:Confidentiality clauses

[caca_phony]

Anything you write has your implied copyright, things can be done to make it more enforcable, though.

Re:Confidentiality clauses

[LowellPorter]

IANAL (I) (A)m (N)ot (A) (L)awyer

Re:Well

[www.sorehands.com]

It got to you, via a virus. That means that:

• You did not do anything illegal to get it
• They did not take sufficent precautions to prevent the leak.

I would guess you would be safe in releasing it. But, if it got to you, it probably got to many others so the leak would not be traceable.

See a lawyer.

Re:An analogy...

[Dr.+A.+van+Code]

At the risk of being moderated offtopic...

Under Jewish law ... you must return a lost object if it has a distinguishing mark, it has not been abandoned by its owner, and it has value.

That reminds me of a news story I saw recently on on one of the news magazine shows, about how the major airlines do a lousy job at finding and returning lost baggage. And there's a business down in Alabama that buys lost luggage from the airlines (after it's been lost for a certain amount of time, and the airlines have given up hope of returning it) and sells the contents.

Even if some of the contents are identifiable (say, a ring with an inscription), once the bags have been sold to the unclaimed baggage center your only recourse would be to buy the item back. Even if you could show that the item belonged to you, your pleas would fall on deaf ears.

Another fine example of corporate ethics.

Well a friend of a friend of a friend told me

Re:haha ha slashdot readers are dumb

[Dr.+A.+van+Code]

The intelligence of a group of people is the equal to the IQ of the dumbest member of the group, divided by the number of people in the group.

Well a friend of a friend of a friend told me

Re:Well....Hmmm!

[Chessucat]

Well, most people aren't going to spread it around
anyway, maybe read it, if it juicy enough.
"Hmmm..., it's says here L. Torvalds takes 50mg of Prozac per day according to this report that was mistakely fax to my number."
I guess it takes one to design one!

!Selah
/Chess

Who made sircam?

[juha0]

I have now recieved 1.1 gigabytes of sircam virus email attachments. I'm just glad I don't pay for my bandwidth per k.

Actually sircam is made by desperate ISPs, cause they need more revenue. Poor modem users...

I recieved a couple

[PHanT0]

I took a look at one of the docuemtns I got. I admit it...

Even though I had no idea who the guy was, I wanted to know so I could e-mail him back with some indication that I actually did recieve the file.

Maybe it was wrong, maybe it was right, but I 'd say he's thankful I did it, 'cause I wasn't even sure what the e-mail was about until I looked...

My 2 cents.

An analogy...

[Lizard_King]

... to perhaps clarify your question.

Imagine a theif who robbed a jewelry store and while being pursued by the police, he/she places the stolen goods in your mailbox on the street. You find the jewelry in the morning. Questions: Is the jewelry now yours? What's the ethical thing to do in this situation?

The ethical thing to do would be to notify the authorities so they can return the jewelry to its rightful and legal owner. Who should be notified in this case? The sender? The sender's company?

Re:I got someone's stock option contract...

[skinhead]

If someone would give you 'company secrets' he got by breaking into an office, do you think you could keep them (or send them away)? I don't know much about the laws around the world, but I'm sure that in every civilized nation, there's a law against possession of and/or delivering stolen property.

Re:Well....

[shepd]

If the article isn't too important but still belongs on slashdot I believe it gets posted to the section itself rather than the homepage (for an example of this as a common occurrence, check the ask slashdot section).

Click the censorship section and you'll see the story listed.

If you are bored and want more hot stories try: http://slashdot.org/comments.pl

Slashdot has all sorts of hidden stuff, alas this story was just hard to find (IMO). For hidden stuff, try to find the trolltalk sid.

Ahhh, hidden sids... That's pointlessly fun.

Re:I feel so unloved!

[shepd]

Awww, be fair. Don't you know I always do this after getting an attachment in pine (or mutt or whatever):

- Save the attachment.
- Exit pine.
- chmod a+x the attachment.
- sudo ./<attachment name>

Re:Well....

[shepd]

http://slashdot.org/search.pl?topic=censorship

Next time you see the guy eating the black square beside an article, give him a click. :-)

Not a section, really, more like a topic search. Same thing, more load. Isn't slashcode wonderful?

Then again, I can't complain. I can't even begin to imagine how complicated the slashcode was to write...

you could go on with this all day...

[kchayer]

If a document is top secret, it shouldnt be stored on a networked computer. If it is stored on a networked computer, then it should be encrypted. problem solved. encrypting important documents should be as important as backing them up.

You shouldn't set your email program to automatically execute attachments...

You shouldn't open attachments from someone you don't know...

Oh wait, you might get the virus from someone you DO know, but you shouldn't open attachments unless you know what they are and were expecting them...

Always use BCC:

Keep your virus definitions up to date...

Keep your programs/operating system/server up to date with the latest patches...

Always backup your data...

You shouldn't be superuser-equivalent unless you need it briefly to change something...

You should choose a password that is not easy to guess...

You should change your password regularly...

You shouldn't use the same password on different systems...

Do not feed the bears...

It could go on and on. Your idea is fine. It represents one of the many things that *should* be done. But who is going to do it? The fact of the matter remains, people won't follow good security practices because it's inconvenient, they don't want to, they don't know about them, or their Aunt Ruth has a beard.

The point of the question above is that when someone receives something confidental, accidentally, the ethical thing to do is to delete it. Who's responsible? Well, the virus writer, if the file was spread as a result of a virus. Sure, the user should have kept his document secure, but he didn't. Are users guilty of violating any of the above policies? Sure. Are sysadmins? Yep. We do it too.

Of course, we need to educate our users and enforce security policies. Saying "this will work; problem solved" isn't sufficient. Proactive education, policies, and enforcement are the answer. Now I've got to get back to work and do it!

"I say consider this day seized!" -Hobbes

Re:you could go on with this all day...

[einhverfr]

I disagree with the idea that people avoid good security practices solely because they are inconvenient. I think that another real problem is that people don't know better. During the initial CRW outbreak, I spoke to many IIS engineers who thought that the latest security update was to be downloaded from Norton and asked the question, "What if I don't have a backup?" OK, so if they did these things, I might not have to talk to them when their servers went down, but the point is that this is the sort of mentality that spreads viruses.

You can have a relatively secure network without sacrificing much convenience. It is when you start getting into more secure settings that inconvenience becomes a problem. But people don't use even the most basic security measures because they don't know better. Good security can be very convenient and is certainly a lot more convenient than working on trying to figure out why a strange behavior is happening on production machines for 36 hrs straight. In fact, my most of my most secure installations have been very convenient for the users and administrators... It just takes more planning and knowlege...

Sig: Tell all your friends NOT to download the Advanced Ebook Processor:

Re:you could go on with this all day...

[kalamazoo904]

The fact of the matter remains, people won't follow good security practices because it's inconvenient, they don't want to, they don't know about them, or their Aunt Ruth has a beard.

Some of the things listed above could be automated, or a program could be set up, run by the administrator, that auto-LARTs those who do stupid stuff like this. For example:

Keep your virus definitions up to date...

Keep your programs/operating system/server up to date with the latest patches...

...I do believe that both M$ and Linux have automated these. The others could be easily automated. Probably should be....

Re:Inadvertent Disclosure Doesn't Kill Trade Secre

[Suidae]

What if the virus first filters out all paragraphs or sentances containing 'trade' and 'secret' before sending the document?

Re:Well....

[Suidae]

So don't give an inch

Thats what the NRA is all about. Funny though, most people bitch about them being so hard-line.

Incase you didn't get the memo...

[cr@ckwhore]

Just incase you didn't get the memo, its not wise to store critical documents in your "my documents" folder. "My Documents" are everybody elses documents too.

Re:So what have you guys gotten?

[compwizrd]

List of logins and passwords, dialin lines, home phone number of the guy, network layouts, HR documents, resume's, various engineering documents, etc

All from the same guy.

Emailed him back a few times, emailed root,abuse and postmaster.. tried to whois the domain, but the registrar's whois database was broken. I'll just keep collecting I guess.

I think some of it is cause of Inflex emailing him back, telling him this email has been blocked due to attachments not allowed. And then it emails me another document right. It's great fun, it seems to email two in a row, and then picks a new one.

IAAL...

[SPYvSPY]

...and I read /. for purely masochistic reasons. I keep quiet because if geeks are too stubborn to learn the law, they won't listen to me anyway.

Re:IAAL...

[praedor]

Why the hell would I want to learn the law? I got a useful and interesting degree, not a crap degree. Besides, laws are written by lawyers for the enrichment of lawyers.

I don't give a crap for your "lawyer" laws.

If someone sends me an email intentionally or accidently, it is MINE. I would post it to the world if it contained interesting information - provided it isn't private personal information - UNLESS it is private, embarrassing, personal information about ANY Republican politico. If that, then it is going out worldwide...

You poor sucker...

[SPYvSPY]

What laws would you propose? None? I doubt you'd like anarchy much, since you covet your personal mailbox so much. Are the rules of right and fair supposed to fall down from the sky, or should we just consult you when we have a disagreement? Since you are so victimized by lawyers, why wouldn't you want to protect yourself against them? I did -- I got a law degree and a black belt by age 25. Now no one can fuck with me, especially people like you. HAND.

Re:alone?

[loraksus]

everytime you have to put an email in use; support@verizon.com, support@aol.com or support@microsoft.com
Be creative. malda@slashdot.org is also a good one to use (watch my karma drop quickly now)

Hypocratic Oath?

[g-14]

I am not really sure how you can be at fault if the documents were sent to you without your request, and then you opened them and discovered that they were trade secrets/plans to take over the world/etc...

Being an information security analyst (one of the many hats that I wear), anything that demands that level of confidentiality is treated VERY differently than "My Letter to my mom.doc"
Documents of that nature have to be encrypted and stored on a SECURE network (aka sitting behind a firewall or localhost network ONLY).

These companies obviously did not take the time to protect their docs, so why should you suffer with information that resides on your computer. You signed no confidentiality agreement nor did you sign a contract.

Personally, if a file came to me and I discovered that I could make $$ by playing the stock market with the information, I would release the information at the same instant that I made the trade(s) - combats the insider trading charge and I get to walk away with lots of $$$$ =)

Re:1.1 GB is nothing

[Coz]

In some corporations, managers at a certain level MUST retain all email. Even trivial crud like going-away parties, or "The network is going down at 5 pm" - in these lawsuit-happy days, it's evidence.

I was forced to take Project Management I (out of 4 - they needed someone to interpret between the bean-counters and the techies, and I could write coherently) and the first rule they tell our PMs is Never Delete Anything.

Not that they can't archive it off, back it up, or store it on the local file server, like good Managers - but that would require Thought.

Re:Well....

[Alien54]

The fact that you're even asking this question tells me that you've never taken a course in ethics before. Any society that needs to write down it's ethics laws, let alone teach them is already fucked beyond repair.

Which leads to the question of how do ethics get passed on if there is no education in them?

Verizon

[dameatrius]

I was lucky enough to have Verizon purchase information on me. I received an email from them with one of their files (and I have never purchased or inquired about any service from them). First they give away people's SSN's, Birthdates and CC#'s, now they are spreading virus'. Maybe there should be a new rule, if you are dumb enough to spread a virus, you should be shot dead. Perfect Darwinian solution :)

encryption

[hex1848]

If a document is top secret, it shouldnt be stored on a networked computer. If it is stored on a networked computer, then it should be encrypted. problem solved. encrypting important documents should be as important as backing them up.

Re:encryption

[Sebastopol]

If a document is top secret, it shouldnt be stored on a networked computer. If it is stored on a networked computer, then it should be encrypted. problem solved.

Obviously you don't spend much time in the real world. ;-)

There's confidential shit blantantly displayed EVERYWHERE in typical semi/electronic corporations. No one gives a rat's ass about security except within the first three weeks of security training with every new project. And as a contractor I would expect more security around me considering i'm not 'one of the team'.

Eventually confidential docs appear on unsecure laptop desktops... hell, at one company i contracted with, i found 'top secret' foils blowing around in the parking lot...

i wonder if it's like this in other industries... (medical, pharmecutical, genetic engineer)...


---

Doesn't Have Anything to Do With The Law...

[brulman]

When the post-man accidentaly delivers mail addressed to your neighbor, do you read it? Not if you have any class. You deliver it to your neighbor yourself. In the instance of email, one might respond to the originating address and inform them their information has ended up on your system, but I don't think this is necessary. Just delete it.

Re:Doesn't Have Anything to Do With The Law...

[brulman]

I get your point, but then again I'd imagine in most circumstances I could tell from the first line or two that I wasn't the intended recipient. An earlier poster mentioned ethics, and I'd like to think I'd do the right thing in this situation. I haven't received any email from this virus either, so it hasn't really come up for me. I have a friend who was pissed off at his manager for hitting on a cute new female employee a couple years ago (my friend wanted to hit on her himself, but that isn't really the point of the story.) He wrote up a long-winded and vitrolic email criticising the manager professionally and personally, just venting and being silly, then promptly sent the email to me, another friend, and the manager! Total brain-fart. He promptly realized his mistake, walked over to the manager's desk and said "I accidentally sent you an email a minute ago. Sorry about that. Could you delete it?" Then watched while his manager deleted the email. He didn't get the manager to purge it from the trashcan (Outlook) though, and a week later he was fired. The moral of the story? There are probably several... recheck addresses, make sure you are sending to the right person...use PGP...don't trust anything of a sensitive nature to the net...anyway I've babbled enough, back to work.

Re:Doesn't Have Anything to Do With The Law...

[hearingaid]

actually, it's a federal offense to open mail that isn't addressed to you. this means that nosy parents who open their children's mail, even if it comes from, say, Leather Lovers'R'Us, are felons. but anyway.

this is more like the following situation: the postman changes the label on your neighbour's mail to you, and deposits it on your step. in that case, the postman is breaking the law, you're okay.

opening documents in your mailbox is fine. they're addressed to you. duh.

Re:Doesn't Have Anything to Do With The Law...

[AlXtreme]

The email/virus isn't sent to someone else, but to your address. Wouldn't you open a letter sent to you from a stranger? I would, just out of curiousity :)

to bad the worm doesn't work in wine ;)

Re:Doesn't Have Anything to Do With The Law...

[Compulawyer]

Of course it has somthign to do with the law. A court could decide that because the virus was able to email the docs to people who are not obligated to keep the information secret, then all protection is lost. The key inquiry is what steps the company took to protect the information. In fact, take this scenario:

Company A regularly updates its virus software but the timing was off for this update and they were infected. Company B haphazardly updates its virus protection. Company A may keeps its trade secret protection. Company B does not. Why? Because A took reasonable steps to protect itself and B did not.

Re:Well....

[DrVxD]

No, you are both wrong, irony is like 10,000 spoons when all you need is a knife. Or at least like a traffic jam, when your already late

Still wrong (but you're getting closer). Irony is when somebody writes a song about "ironic stuff" and none of the stuff is actually ironic. (Don't you think?)
--
When it Absolutely Positively Has to Get There, Mistsubishi Evolution VI. Accept no substitute

--

Educate!

[KjetilK]

I have been thinking about the same issue, and so I took the chance to educate the people I got this stuff from. What I told them was basically that this virus could well publish confidential information, but what's worse, the design flaws that makes a virus like this possible, also makes possible a deliberate attack on them. Viruses are not really a problem, it's the security flaws that makes them possible that is the problem, and if you use anti-virus software, it means you are aware of the flaw, but you do nothing to fix it.

I also take the opportunity to tell them to drop M$.

OT: Funny case in Norway

[KjetilK]

We had a case with this typo-squatter got it pretty bad. What happened was that one of the biggest companies in Norway, Kvaerner, was being traded seriously, they were talking billions there. This guy had gotten kvearner.com, and somebody managed to send confidential information worth millions to the wrong address, the stuff ended up in the squatters mailbox.

He claimed he wasn't squatting, that he had registered a company "KV-Earner", but when you call your company "Domainname Trading", that excuse seems rather lame. Also, whether or not he was squatting is really irrelevant.

First he warned them that they were sending to the wrong address, but they just continued sending it to him. When Kvaerner understood what had gone wrong, they tried to buy the domain name from him for nothing, but he refused. Then, they got the police to knock down his doors and arrest him for blackmail...

Well, there is a quite minimal KV-Earner-page there now, so I guess the police lost the case (when it comes to technology, they loose everything in court).

While I don't have much sympathy for squatters, it is completely irrelevant in this case. It is the moron who managed to send information worth millions to the wrong address unencrypted who should pay (and get fired). I find it just incredible that people send confidential information unencrypted.

All your advice...

[SigmoidCurve]

Waitaminute...Does this mean that all those people weren't really asking for my advice? I've spent the last 3 days correcting grammer mistakes, making content suggestions and it's all a hoax?!?

I just thought maybe my editorial skills were so widely known.

LOL:)

czep

Re:Well....

[msblack]

Have you seen 39 US 3009(c)? One could argue
this also applies to electronic mail.

Re:Classes in Ethics?

[dbirchall]

After having me (and my classmates) on-campus for a semester, the first university I attended decided that having an "Ethics in Technology" course, required for graduation, was a splendid idea.

I can't imagine where they got that idea... I mean, we were just traversing the 'net by telnetting from one Cisco to another (this was in the late '80s).

Anyway, I wound up not coming back the next semester (my grades weren't good... I flunked Freshman Orientation, which should tell you something) and started playing with computers for money instead. I guess maybe I've picked up some ethics along the way.

Maybe.

--

Re:Hotmail deleted all my mail because of this vir

[TimboJones]

From Merriam-Webster:

Main Entry: whinge
Pronunciation: 'hwinj, 'winj
Function: intransitive verb
Inflected Form(s): whinged; whinging or whingeing
Etymology: from (assumed) Middle English, from Old English hwinsian; akin to Old High German winsOn to moan
Date: 12th century
British : to complain fretfully : WHINE

So... how exactly is it not an alternate form (spelling+pronunciation) of 'whine?'

Re:You are responsible for your actions, that's it

[ichimunki]

While that is true of widgets you receive in the mail, you do not, by receiving mail automatically receive the right to reproduce the contents of the mail as well.

Anyone wishing to "use" the contents of the information they receive as a result of SirCam is still subject to copyright, trademark, insider trading regulations, etc etc.

So getting a .doc from a hapless MS employee that details their impending takeover of some Linux company or dotcom is not technically useful information since you can't go trading stock based on it. Getting nude pictures of your ex taken by his/her new partner (because he/she was too lazy to take you out of the address book) is nice, but you can't share them.

Now ethically, you'd probably just want to hit delete on all those emails without even bothering to look at them.

I feel so unloved!

[Mtgman]

I haven't gotten ANY documents as a result of the sircam worm. I did get a really cool email from a chic named "Wendi" though. Aparently she found my email address in her outbox on something she had sent me earlier(she lost my emails you see). She told me she got a webcam and took some pics of herself and posted them on her website. I just have to be sure not to tell Todd about these pics. It feels so naughty somehow :) Here is the email

Hello this is Wendi!
I Lost your e-mails boy i am glad i found the address in my outbox!!

i just went out and bought a webcam and snapped a few pics of me and posted them here http://wendi3487.devil.ru

be sure to check them out and let me know how you like them!
DO NOT TELL TODD!!!!

He would get really pissed at me for showing anyone these pics. He thinks I took them for him.. :)

http://wendi3487.devil.ru

love ya!
Wendi
xoxoxoxoxoxoxoxoxo

Now I'm searching my outbox looking for emails for her address, she sounds hot! This Todd fellow kind of scares me though, if he's like the other guys I know from .ru he could probably kick my pasty white arse.

Steven

Re:I feel so unloved!

[relm256]

Join the club. Probably a result of having friends who use only Linux/*BSD on their home boxen. I wonder how far an ELF binary worm as an e-mail attatchment will go. Probably not very far.

When they're not sure of what they are saying...

[quintessent]

I've noticed a lot of attorneys have begun to use this abbreviation:

IANASR (I am not a Slashdot reader)

Re:I got someone's stock option contract...

[11223]

Look, pal, you better believe yourself into getting a lawyer, because you could get into some serious legal trouble doing that. Whether or not you believe there's any legal trouble doesn't mean you won't end up in jail, kid.

Re: A Better Question is...

[caseydk]

Just think what could be done if something like this was distributed by a group that had a financial stake in the software that it infected...

Maybe all of those vba,vbs, etc virii could phone home with reg numbers, ip addresses, and a few .doc's with the word memo in the filename (just to get some actual names)...

just think of what fun the BSA & M$ could have with that... "download the latest patch or we'll know that you (MIGHT) have pirated something!!"

just some food for thought

Re:So what have you guys gotten?

[InsaneFolder]

I didn't get this, but someone I work with did, and it gave the whole office a nice laugh. He got a message with the resume of someone applying for position of network administrator. We didn't recognize the e-mail, so it seemed to come to two possibilities:
1) This guy's not the one you want to hire, as he can't even keep his own machine safe.
2) This company really should hire him, because their system's been compromised.
Not sure which is worse...

-InsaneFolder

Re:Ever try opening a sircam doc? (don't.)

[sh00z]

(they're .pif file extensions with the name of a local private document) and are not the actual document itself.

Not necessarily. I was ignoring all of the SirCam documents I got until one floated in with the title "credit application.doc.pif" on it. I planned to let the sender know, but the e-mail account had been terminated (maybe because of the virus?) Then, being a good citizen, and completely fearless because I'm running a Mac, I opened it to see if there was a name/phone. Turns out it was a blank credit application, but a perfectly readable document otherwise.

I really do feel sorry for the Victims of Microsoft. I hope that this and Code Red will wake a few people up.

Re:Hotmail deleted all my mail because of this vir

[pcidevel]

If your e-mail quota are filling up, they should simply refuse to accept more mail, not delete old stuff. This scheme too is prone to denial of service, but at least your correspondents will know that their message to you was lost and that they should try again later.

I don't think this guy is speaking the truth.. my wife uses hotmail and this is exactly what happens when she runs out of space, hotmail stops accepting new mails. She has NEVER had a mail automatically deleted by hotmail (in over 2 years of hotmail usage)...

Re:You are responsible for your actions, that's it

[jratcliffe]

Correct, mostly. Actually, if I recall my MBA finance class session on this, you _could_ trade on that information. Although it is inside information, you are not an insider. By the same token, if you are sitting in a restaurant, and you hear someone at the next table, who you recognize to be a company's CEO (not a company for which you work), say "Gee, once those earnings come out tomorrow, our stock is going to soar," you can trade on that info.

Re:There's no more privacy on windows

[smnolde]

That personal firewall (ZoneAlarm) blocks ports based on what program is running. It would allow OE to access port 25, but you can block other programs from using port 25 also.

The crappy part is that Social Engineering prevailed.

There's no more privacy on windows

[smnolde]

With this SirCam virus, there can no longer be privacy on windows machines.

I explained this to a church leader who had his computer flailed with this virus. There is no user security on Win98. It gets better on WinNT and Win2k, but there is nothing preventing this virus from sending out anything on your computer. This time it was only a few DOC files.

The church leader is on a minister search committee and had MANY private docs on his computer. Every notion of security and privacy just went out the window as soon as SirCam hit.

The worst part about it he did have a personal firewall, but his young child's friend/cousin/other allowed SirCam access to the internet.

Re:There's no more privacy on windows

[Vancouverite]

This is where the different types of firewalls affect what happens. ZoneAlarm only permits programs which have been granted permission the right to send or receive on any port. If you have ZoneAlarm up and SirCam tries to send data, then SirCam is blocked.

Re:There's no more privacy on windows

[baptiste]

The worst part about it he did have a personal firewall, but his young child's friend/cousin/other allowed SirCam access to the internet.

Well, thats what it was supposed to do. If the friend shut down port 25, the minister wouldn't be able to send email. Sircam acts just like any email client and there is no reason for a personal firewall to block that. In this instance, a personal firewall is useless since nobody is going to block port 25 outgoing.

Re:There's no more privacy on windows

[baptiste]

And by the way, 25 is just the default service port. The client port could be anything from 1024 to 65535.

I realize that - I was talking about a firewall blocking connections to port 25 as the destination port.

SirCamExchange.com?

[TOTKChief]

Well, it would appear that Matthew Haughey of MetaFilter has considered building SirCamExchange.com [according to betterwhois, it's still available...]. He compares it to FilePile, but I find the idea rather...inane. Oh well.

Am i the only one

[evanbd]

who hasn't gotten a single one of these? Not one. I have yet to get infected by one of these worms, but still -- I got copies of the others. I feel all lonesome.

Re:Am i the only one

[Jucius+Maximus]

"who hasn't gotten a single one of these?"

I haven't gotten any sircam messages or infected by worms at all... I've gotten several of the W32.hybris messages (hahaha@sexyfun.net, snowhite, etc) but never bothered to open them. Later on I found out it was a worm.

Re:Am i the only one

[boskone]

I agree, none of my addresses have recieved any of these, and I'm in high tech dealing with vendors and customers all the time, so my email is well publicized as I get aobut 20 spams a day at work. (mostly pr0n and loan offers) I've gotten every other worm though, mostly from people I would have thought were smarter. We had an EVP of our company send out the anna worm.. boy that was awkward...

Re:Am i the only one

[snake_dad]

Just wondering: have you received any now?

Since your email address is shown in the header, some "helpful" slashdot reader might have decided to welcome you into the wonderful world of SirCam by sending you a copy manually...
--

Re:Am i the only one

[banshee2000]

Since your email address is shown ... some "helpful" slashdot reader might have decided to welcome you into the wonderful world of SirCam by sending you a copy manually.

Ironically I think that's exactly how I got my two copies. Sorry I will not send you one coz I never was too good at sharing :P.

Re:You are responsible for your actions, that's it

[hearingaid]

let's deal with this one by one.

1. copyright: you can't copy the emailed document. you can summarize and paraphrase it, however.
2. trademark: I can't see how this could apply.
3. insider trading: this would be interesting, and complicated. suppose you get an email from company x detailing how it's going to double all its forecasts. then you buy a few thousand shares, only to sell in a little bit.

   now, if you were to do this in the normal way, by getting the email from your friend inside the company, it'd be insider trading, and you'd be busted. however, with this situation, you could argue that you didn't know how accurate the data was. you might be getting a faked report, or something. some cooked books. it can happen.

   I'd want legal advice before trying it though. or securities insurance.

although I still think the ethical issues are more complicated than most slashdotters seem to be saying. 'course, I haven't had a single SirCam email to my knowledge (maybe my junkfilters have killed some). says something about me I guess :)

The relevant section

[hearingaid]

people who learn about a trade secret by accident or mistake, but had reason to know that the information was a protected trade secret

the phrase "reason to believe" is tricky. what's more, trade secrets law in the US is state jurisdiction. this is a highly complex area.

part of the reason why it's complex is that trade secret law is so fuzzy, and many courts dislike it. there's a basic idea that companies should apply for patents instead. if they seek to protect their processes by keeping them secret, they should get less protection from the law.

in some jurisdictions, if you're a competitor, and you get a SirCam document, just by you opening and reading the document, the trade secret is gone. if this happens to you, contact a lawyer.

Re:Must take reasonable care...

[hearingaid]

the phrase "reasonable care" is defined by a judge, btw. I don't know of any cases yet. this would be so much fun to litigate.

oo. :)

p2p

[Bender+Unit+22]

I have also got a lot of sircam mails. Most of them seems to be MP3 files. It could be the next p2p network :-)
And don't worry, my pine does not seem to spread it. :-)
--------
For sale: Rhesus-Monkey-Torture-Kit 40$

not 1337

[Bender+Unit+22]

I>I have now recieved 1.1 gigabytes of sircam virus email attachments. I'm just glad I don't pay for my bandwidth per k. Could this indicate that all those /. readers are not as cool as they claim. :)
That could also explain the amount of FP postings or maybe there is a FP virus out there, posting random comments linking to people with strange hobbies concering animals. :)
--------
For sale: Rhesus-Monkey-Torture-Kit 40$

So what have you guys gotten?

[update()]

In today's tidBits, there's an article about SirCam, with some Mac user gloating but also an interesting list of what the author has received. (The article, by the way, is by a Jamie McCarthy - is that our beloved Slashdot editor of whiny articles about censorship and porn-deprived children?)

So what's the most interesting thing you guys have seen? I've gotten a time card template, a cover letter for a job application at IBM and a lot of gibberish. Please don't post anyone's dirty laundry! Just wondering what the worst has been.

By the way, what's the best way for a MacOS/Linux user to view those .pif and .com files? I've never seen those formats before.

Unsettling MOTD at my ISP.

Re:So what have you guys gotten?

[baptiste]

I've gotten tons of these emails, mostly from customers I've sent or received email from.

A sampling of what I've seen:

• My fav - a legal brief from a lawyer
• Some customer lists (in Excel format)
• One file was called 'codes.xls' I didn't open it but it could have been useful :)
• I got a couple porn pictures
• 3 resumes (love it)

I've sent a reply to every single user I've gotten SirCam from with detailed info on how the virus works and how to get rid of it with links to SARC, etc. I've only had one person reply and apologize. Everyone else is strangely silent :)

Re:So what have you guys gotten?

[Smedrick]

Nothing terribly interesting. I got a works cited page, a history paper, and an essay on cloning. Judging from the material I would assume the papers were for a college course, which is unfortunate for the author because the writing was atrocious. Poor guy...I hope the professor wasn't too hard on him.

--

Nolo Definitions

[drDugan]

Nolo Law has a Trade Secret Basics FAQ where I was able to learn a lot. Specifically, they state that the definition has a carve-out for "improper acquisition and theft." -- Meaning I DO think that you would be legally bound to maintain that as a trade secret, just as if you has stolen the documents yourself.

I got someone's stock option contract...

[KarmaBlackballed]

And I deleted it. However, if it had contained some neat company secrets I would not have felt any remorse in sharing it nor do I believe there is any legal obligation for anyone to refrain from doing so.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ the real world is much simpler ~~

Re:I got someone's stock option contract...

[johann6]

What about getting things like that in the mail? Is it ethically better to mail it back to the person or throw it out? I received a stock option contract for someone else in the mail. It was labeled wrong. I think thats almost worse than junk mail, so i tossed it in the trash.

Just a polite request

[KarmaBlackballed]

If you have received this document in error, please call $NAME at $PHONE and promptly destroy all copies.

That is just a request. It is not the law and is not enforceable through the courts. Be careful what you fax and where you fax it. Same with email, virus facilitated or not.

There is a reason employers, real estate agents, car salesmen, etc, ask you to sign, sign, initial and sign again. If it was as simple as writing a blurb, then all anyone would have to do is "show you" the contract.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ the real world is much simpler ~~

Liability is clear

[KarmaBlackballed]

It sucks, but if confidentiality is breached the sucker that got taken by the virus is liable in the USA if they were negligent. For example, if it was reasonable for the employee to follow company policy and not open attachments and ignored that policy ... they are burned.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ the real world is much simpler ~~

Re:Hotmail deleted all my mail because of this vir

[Jucius+Maximus]

"Once it reached the maximum size for hotmail diskspace, hotmail started automatically deleteing older messages: all the messages in all of my folders had been deleted by the time I checked my hotmail account. "

Perhaps you should consider using free e-mail from graffiti.net. They give you a 20 mb mailbox and 20 mb hosting. Yes, that is 40 mb total.

Public Domain

[MystHat]

Frankly, I don't see the difference between leaving an unencrypted document on a computer, and leaving an unshredded document in a trash can, or sending an unencoded message over radio. It up to the author and the intended recipient to keep things secure if they don't want their secrets to get out. If you get something very interesting, I say send it to every newspaper you can find.

This Might Have Been the Author's Objective

[vodoolady]

To get trade secrets.

Sending one countries' secrets to another

[ttys00]

Lets say I live in a random country that has no connection at all with the US. Say I was sent a bunch of corporate secrets, by SirCam or misaddressed email or however, that were worth a lot of money for a company in the US, and I decided to exploit that. Could I be sued or imprisoned for something that is a crime in the US? The answer is no, because the US has no treaties with my random country. The company has no recourse, but I could possibly destroy them with what I know.

The internet crosses all boundaries, but the laws that affect it do not.

We should sue MSFT for violating trade secrets act

[WillSeattle]

Seriously, if they hadn't sold us their OS and their email package and their IIS software, the trade secrets would still be that.

But their continued lack of action on this front has left us, the consumers, in the position where they are enabling other people (virus writers) to release our trade secrets.

We should sue them for every penny they're worth, and have the BSA search their offices for pirated or virus-capable software.

It's only fair ...

Darn, you gave away my virus patent!

[WillSeattle]

Sure, but how many people actually read the agreement? I'm sure you could write in bold letters "THIS WILL DESTROY YOUR COMPUTER" and people will still click "I agree".

Now that you've given away my patent, a clickable virus with a UCITA-enforced contract, which presents a binding electronic agreement whereby which the user agrees to give in perpetuity all trade secrets, patents, financial instruments, and suchlike in return for permission to run the virus. Of course, I was also planning on patenting the virus that clicks the button for you, as a time saver ....

Sigh, now what am I gonna do to Make More Money!

Re:Well....

[bstrahm]

Too late... The fax machine dates back to around the 1860's using the telegraph to transmit pixels... It is fun looking into the history of technology

Let me give this one a spin...

[pornaholic]

This is what I've picked up from news of similar incidents.
<disclaimer>Anyone who takes this as legal advice deserves whatever comes of it.</disclaimer>

• What happens if someone steals your car and causes a fatal accident with it?

The person that stole your car is responsible for any actions he takes. Since the car is considered a weapon when used to kill another person, the situation is the same as if a person took a cop's gun and killed the cop - it's obviously not the cop.
I guess the important thing would be that your insurance goes up...

• What happens if a child finds the gun you left in your dresser and shoots himself?

Negligence - all the parent's fault. They get the full weight of the law and (hopefully) their own guilt to weigh them down for a long time to come.

• What happens if someone breaks into your house, trips over something and breaks a leg?

If said thing was placed with the intent to trip a person, it is the homeowner's fault that the theif was hurt. However, if aforementioned thing which he tripped over was obviously not placed with malicious intent, it is the theif's problem.

So we need some really clever people to come up with apparently un-intentional booby-trap ideas for the home. If we don't get those, then I'd like to see some of the new-age non-lethal weapons employed in home and vehicle security systems. Imagine a burglar stuck in foam until the cops arrive, or netted and hanging from the ceiling...

Boycott sigs! - oh damn...

I've got all kinds of IP thanks to Sircam

[jtownatpunk.net]

One particular food service company's been "sending" me stuff for two days. Stuff that, if the names are accurate, contains all kinds of top secret stuff. Formulas for drink flavorings, "CANCEL VISA CARD", saction by the board of health, pricing proposals, container proposals, a personal document that appears to have something to do with UCLA, reports on competitors, etc. And I got all that just from reading the file names. I'm sure there's plenty of juicy stuff tucked away in the 100+ files that have come from their machine. And that's just one company.

I've just left it all locked in quarrantine for now and have no intention of ever cleaning any of it up or reading it. I want to keep it there to remind people why we have virus scanning software that automatically updantes and cannot be disabled. And why it's important to never, ever, ever open an email attachment that seems suspicious. Even if it's from someone you know.

Thin Ice

[MasterOfDisaster]

IANAL, but anything you do with documents sent to you by SirCam is risky. I belive it's the same as if a "hacker" cracked their servers, and gave people access to the files. They may be there, you may have access to them. however, you cannot use them, because the documents were still "protected" by the company.

Re:Hotmail deleted all my mail because of this vir

[Extimes]

actually, if you hit some limits, it gives you 14 days to clean up before old messages get killed

Last weekend

[jsse]

friends came to my house and started talking about new email virus and their methods to prevent them. It seems that they've a great time infecting each other.

When it came to my turn I said:

"I don't use Outlook."

It was a long silence after that. To break the ice, I repeated:

"I don't use Outlook."

Sometime the solution to problems is so obvious and simple.

Legally speaking and confidentiality

[Choco-man]

the only way you're going to know that it's a confidential document is that it's going to have "confidential" enblazoned on it. the company has done it's job to notify you that you should not be looking at this material. you now have knowledge that this is confidential, and you are expected to treat it as such. you need to destroy it, and behave as if you never learned anything. if you are found to harbor or knowingly distribute that information, once you have been made aware that it is confidential, you then become liable.

Re:Ever try opening a sircam doc? (don't.)

[morcego]

No, it IS the document.
A good example I have for this is a .zip.pif Sircam infected file I received.
unzip -v listed the files without a problem, only saying there was some garbage on the begining of the file.
So, believe be, the document was there (checked also with a bounch of .doc.* and .xls.* that got here).

---

What's With That....?

[suwain_2]

To date, I've received two e-mails with 'virus' attachments. I have not known either person. What's with that?! Do viruses have the capabilities to randomly generate valid e-mail addresses?

BTW, I'm yet to get *anything* from SirCam, I'm so disappointed... :D
________________________________________________

Re:You are responsible for your actions, that's it

[papskier]

Except that in this case there is no bug in the system. It did exactly what it was written to do. The user double clicked, and the executable did it's job. The program that the user ran did exactly what it was supposed to do, and that was to mail you a random document. IANAL, and so I don't know how it would play out in court, but I'd love to see it.

Re:alone?

[astr0boy]

i have no idea. lucky i guess, i dont even bother to put in fake info for web signups.

-----

Re:alone?

[astr0boy]

i should have. THANKS SLASHDOT

-----

alone?

[astr0boy]

i must be the only person in the world who has never gotten spam or a virus before... strange...

-----

Re:alone?

[EllisDees]

I can believe the never gotten a virus part - I haven't either. It's the no spam thing that's blowing me away! How in the hell do you keep from getting it?

Spam as a social phenomenon

[dasmegabyte]

1.1 gigs, eh Taco? Funny, I haven't received a single e-mail from Sircam yet, and I'm on a half dozen mailing lists and have no spam filter.

I guess I just have a contacts list full of people who aren't stupid enough to open random attachments to cryptic e-mails. Or, in my mom's case, are entirely too stupid to open attachments in the first place, and keep leaving messages on my answering machine to help them open attachments so they can "give all these people advice".

Anyway, I guess that's something to be said about being an editor for slashdot...you get e-mail from a lot of idiots. And you wanted to write off the effects of this virus as a strictly MS phenomenon!

Re:Spam as a social phenomenon

[snake_dad]

(-1 redundant :-/ )

Taco received those emails because SirCam scans the webbrowser cache of infected machines. The people who send the worm to Taco have probably visited slashdot recently, or another webpage that has cmdrTaco's email address on it.
--

Re:Well....

[dachshund]

The fact that you're even asking this question tells me that you've never taken a course in ethics before...

The fact that it required a course for you to understand basic ethics tells me that... oh hell, I don't know.

So...

[cavemanf16]

What you're saying is...

I send this Ask Slashdot to you to get your advice.

Re:Well....

[Bobo+the+Space+Chimp]

> A parallel to this would be people who drive
> SUVs because they are safer to the people inside
> the SUV, but *way* more dangerous to whoever
> they smash into.

Who they smash into is usually an environmentalist, and the loss of one so deficient in critical thinking ability is no major issue.

> So they're more likely to survive a crash, and
> more likely to kill the other person in a crash.
> That doesnt sound ethical either.

So the ethical person drives around in a ping pong ball? Better yet, drive around in an open frame so you won't be killing anyone save a pedestrian, sacrificing your life so others may live. You may go ahead and evolve your genes and memes out of society if you wish to, I shan't.

No, better that scientists and engineers and business people create cheaper oil, and eventually, cheap replacements for oil (or synthetic gas) so that we may all drive huge, but clean, gas hogs to work by ourselves. And widen those highways while you're at it. We don't pay you to force feely-good austerity down our throats!

What was the topic about again?

Would somebody PLEASE

[blair1q]

Would somebody PLEASE write a mail worm that DISABLES SCRIPT EXECUTION after mailing itself to everyone on the recipient's lists?

--Blair
"I had the chicken pox. ONCE."

Re:More importantly DMCA

[entraxon]

Hey, great idea...maybe you can send out a virus with copies of DeCSS, so the MPAA can sue everyone in the world!!!

Thanks, Taco...

[clark625]

I'm sure the authors of all these recent viruses would just love to implement this. I can think of lots of fun things to do now:

Outlook virus that sends not only itself to all persons in the address book, but also a random file from "My Documents" or somesuch. Especially good if the virus picks files that are .doc, .xls, etc.

IIS exploit that fully allows "visitors" to read all cgi scripts, as well as perform "updates" to these scripts.

Now, if you'll all excuse me, I've got some MS exploits to write....

Re:Well....

[tb3]

I was forced to take a 'mandatory' ethics course once. The company I was working for had some problems with some of its salespeople, and instituted a company-wide ethics program in response. A pure CYA move so that the next time it happened the company could fire 'em and say "It wasn't our fault, we gave them ethics training."

You even had to provide your social security number, to prove you had attended the course. Needless to say, this was high on my lists of leaving at the exit interview.

Me: "If you thought I had poor ethics, you shouldn't have hired me in the first place!"

Interviewer: *sigh* "Yes, we've ben hearing that a lot."

But I bet most of it was news to the salespeople.

Re:Can anybody translate this for me?

[lukehan]

Have you tried this? Babel Fish

In my legal opinion....

[Compulawyer]

I am not aware of any reported court cases dealing with this exact fact pattern. However, I can tell you that the ability to protect a trade secret depends in large part on the steps taken to protect the secret. Traditionally, this means doing things like having employees sign confidentiality agreements and limiting the number of people who can access certain information.

Inquiries to decide whether something is truly protectable as a trade secret are extremely fact intensive. If this were my case, I would be examining how widespead news of this virus was and what steps the company took to protect itself from the virus, and depending on who I was representing, argue either for or against the proposition that those steps were reasonable.

If I was trying to defeat a claim that information should be protected as a trade secret, I would probably even argue that a company that needs to protect trade secrets was unreasonable in running Microsoft software. Lest you think I am merely MS bashing, be advised that at least one insurance company writing policies covering information and computer assets charges higher premiums to policy holders who run MS software because of the increased security risk to the comapny, which directly translates into increased risk of loss for the insurer.

Re:In my legal opinion....

[Compulawyer]

You are incorrect in many respects. If a trade secret is revealed in a way that does not cause it to lose its status as a trade secret, then the company can still exclude others from using the information. Also, there are federal laws covering trade secrets (like the Electronic Espionage Act). The likelihood that federal law covers trade secrets is high enough so that is no longer "more likely" that state laws control. And although there is some tension among the various forms of protection for intellectual property, the choice is driven not by a system of encourgaement for one form over another, but rather by the type of protection that most closely fits your needs.

Finally, if you are not a lawyer, I wish you would refrain from offering opinions aqs to what the law is, especially those that are so clearly incorrect. If you are a lawyer, do some research before posting if you don't know the subject.

Re:Well....

[why-is-it]

IANAL, but I did ask one in passing about this. It is difficult to get a short, concise answer from a lawyer about anything BTW...

Based on that conversation, this is what I understand the situation to be here in Canada: if there is no pre-existing NDA in effect, a person who receives a document labelled "confidential" is not under any legal obligation to maintain that confidentiality.

I was cautioned however, that there would be no guarantee that any information received in such a manner would be accurate or authentic...

Caveat emptor.

The same as a letter you found on the street!

[Tricolor+Paulista]

Consider this: because somebody in anger throws an envelope, even an unglued, unstamped one, thru a window and it falls at your feet, do you have a right to open and read it? Of course not!!

The problem here, I'm afraid, has nothing to do with technology, computers or viruses, but with ethics!

Slightly OT: This is depressing...

[JimMcLeod]

This is depressing. I haven't received ANY virus emails, so I'm feeling left out. Could somebody PLEASE put me in their Contacts list? Pretty please?

I'm so lonely!

no

[janpod66]

A company has to take reasonable care to keep their trade secret information secret. Otherwise, they don't enjoy any protection. For example, their network has to be secured, and physical access to the work location has to be well controlled. Arguably, they aren't taking reasonable care if their mailer has known security holes and sends out the documents all over the place.

Of course, if you sign a contract, you personally may be bound not to talk about things even if they are widely known. Furthermore, if you leak the information, you may be liable. But that doesn't apply to people who didn't sign those contracts.

this would include--you?

[janpod66]

Slashdot can't provide much help on legal questions, as we've proved over and over and over again...

You misunderstand why people discuss these matters. The US has a representative government and laws are by the people and for the people. Non-lawyers must discuss these matters and try to come to terms with them, because ultimately we all decide on what laws we want to be governed by. Arguably, trade secret law has gone way too far in protecting information held by companies.

The question raised by the message illustrates an important point and is worthy of discussion. If you don't like the level of discussion on Slashdot, I suggest you contribute to its elevation, rather than flaming randomly.

So???

[janpod66]

The thread is about whether legal issues should be discussed by non-lawyers at all. I argued that there is at least one group for whome it makes sense to discuss US legal matters. If there are others, great. Please stop your knee from jerking.

3 req.s of a contract include "Legal Purpose"

[InsMonkey]

For a contract to be binding it must include 3 elements: 1) Consideration. Something of value has to be exchanged. 2) Competent parties. Everyone involved has to meet the legal definition of "competent". This excludes children and lunatics (i.e. most of Microsoft's customers). 3) Legal Purpose. No aspect of the contract can break the law. Mafia contract killings are an example of contracts that fail this test. A virus contract would also fail this test.

Re:3 req.s of a contract include "Legal Purpose"

[banshee2000]

For a contract to be binding it must include 3 elements ... and 3) Legal Purpose .... A virus contract would also fail this test.

Thank you ... that's the answer I was after above :).

Re:Well....

[TeraCo]

No, irony is thinking it's OK to distribute images of commercial music CDs, but not OK to distribute privately-created CDs of Open Source software.

No, you are both wrong, irony is like 10,000 spoons when all you need is a knife. Or at least like a traffic jam, when your already late.

Damn, where is that irony nazi again.

Re:Well....

[TeraCo]

Yes, it was a joke :)

Doesn't anyone else remember the big flame war about irony? :P

Well....

[FreakOfTheWeek]

The fact that you're even asking this question tells me that you've never taken a course in ethics before...

Re:Well....

[Johnny5000]

"For example there was a case during the Shoah (Holocost) where a man could have bribed the germans to let his son off of a train to the camps, but if he did this somone else's son would have been put on to make the count. "

A parallel to this would be people who drive SUVs because they are safer to the people inside the SUV, but *way* more dangerous to whoever they smash into. So they're more likely to survive a crash, and more likely to kill the other person in a crash. That doesnt sound ethical either.

-J5K

Re:Well....

[shimmin]

Taking a course in ethics only requires you to know about them (and not even that if you don't care to get particularly good marks.) It does not require you to actually believe them, much less act according to them.

Re:Well....

[Lars+T.]

According to this article in German: http://www.heise.de/tp/deutsch/inhalt/te/9196/1.ht ml, the DoD seems to think that secret material they themselves accidently published is still confidential, and can't legaly be republished.

There is also an hidden article on Slashdot about the case: http://slashdot.org/articles/01/07/30/1558227.shtm l.

Re:Well....

[JHuizingh]

I've never taken a COURSE in ethics, but I know what the right thing to do is. That's not always the fun thing though :).

haha ha slashdot readers are dumb

[newt_sd]

does anyone find it funny that most people that probably sent the virus to him are avid slashdot readers. There goes the whole slashdot community as genius theory

Rather than random attachments to random addresses

[NutscrapeSucks]

Hopefully this outbreak will bring to light the enormous possibilities of industrial espionage that e-mailed executables have. While for the most part this stuff has been for the annoyance factor only, it would be easy to imagine a modified version that attacked a particular company or companies, searching for key words in documents and mailing them back to a specific address or posting them to usenet or whatever.

IT's response has been pretty much limited to updating virus definitions. That's not good enough if somebody is out specifically for your company in particular. Time to either get smarter users (yeah, right!) or block all executables at the mail server.

How do you prove it?

[siegesama]

Can you prove that the documents were sent to you due to viral activity?

What if I want to send internal documents to a competitor, or some other outside source. Could I claim immunity if I could "fake" the virus? Or rather, could I get the virus then purposely send an outsider a document and claim it was due to the virus? Or better yet, ensure that you get the virus, and that the only thing it can find to send is a series of very specific documents you WANT leaked?

Of course, you'd also have to fit all the criteria. You'd have to have outlook, and ms office, and people in your outlook address book. Those using lotus notes (and I pity them because I am one) and smart-suite (or evolution and abiword, etc) are immune and hence could not fake it. The document(s) sent would also have to be infected.

I don't (but then, I'm clueless) think that anyone on the receiving end could be held responsible should anything be sent to them, but the sender might be in trouble.

Re:IAAL...Confused

[banshee2000]

Now I'm confused. If when launched, this worm automatically goes out to everyone in your address book and then goes out to everyone in someone else's address book that launches it, why are you to be held responsible? I don't get it and I'd really like an explanation please

IANAL, but

[4thAce]

In the example you mention, I don't think that you would run afoul of criminal laws, but I wouldn't think you'd stand much of a chance avoiding a civil case from their suits.

Which is the closest analogy to this sort of thing?

1. You are renovating your house and discover a wall containing some old letters containing incriminating evidence regarding an Uncle Scrooge, and send them to a historian.
2. You are out on a windy day in Atlanta and the wind drops a piece of paper at your feet. When you realize that it is the formula for the secret ingredient for Coca-Cola, and you proceed to post it to Usenet.
3. You are on IRC and someone just happens to mention the Sultan of Brunei's credit card number without your asking. You're off to Amazon.com to order a few items off of your wishlist.
4. You go to the Olympics not to watch the games but to collect mosquitoes, which you process in your personal human cloning lab in order to produce a master race.

Re:Huh?

[allism]

Me neither...I feel left out...Or does this just mean my friends are smarter than your friends?

Sound like PokeMON!

[MrSquish]

trade? like that Pokeman thing? hehe

Re: A Better Question is...

[dohcvtec]

... for the love of Pete what kind of friends do you have? You must know a _lot_ of people that fell for the old 'open the attachment' trick.

Re:Rather than random attachments to random addres

[JeyKottalam]

"Time to either get smarter users (yeah, right!) or block all executables at the mail server"

Well, most of these sysadmins are still trying to figure out what "Simtap" and Pee-Oh-Pee-Three do.

How Unfortunate

[pmz]

If trade secrets leak out of a company, because the employees put critical secrets on networked computers running Outlook, then that's just too bad. If companies haven't learned by now the dangers of casual networking, then they deserve what they get.

Even worse than these viruses are advertising spy programs that setup shop as a background process on PCs. These scare me more because they are installed discretely with otherwise well-known software and track your activities. No networked computer is safe. No matter how much you try to secure it, it still is not safe. There are people, if only the network admins, who can easily know everything you do without you knowing that they know.

Important trade secrets should be stored on totally isolated networks that have no route to the Internet. The computers should be stored behind securely locked doors. The set of people who know of this inner network should be controlled at all times. This is the only way to truly secure a computer. Anything less is foolish.

AB

[hivolt]

Suppose there existed a two-stage virus that behaves as follows: In mode A, it would search for particular files, or files containing very particular data, such as eBook processor or Windoze source code (two purely hypothetical examples). If it did not find the file, it would spread in mode A. Otherwise, it would spread in mode B. In mode B it would carry the file, much as Sir Cam does, but it would perform no searches.

Would everyone that ran the mode B virus be prosecutable, even if they ran it accidentally?

Trade Secrets

[javahacker]

Trade secrets enjoy no legal protection. To get legal protection you register it (patent) with the government. Since you didn't break into their equipment to get it, there should be no way to prosecute you if you distributed it.

You might want to consider if it would be financially better for you to sell your silence to the company involved. If it really is essential information to keep secret, it could be worth it for them to pay you off.

On the other hand, they could accuse you of stealing it, get all of your computers confiscated, and let you suffer through the legal system proving your innocence, while they come up with a way to control the damage.

Do you feel lucky?

Just this once, shoot the messenger

[Nihilanth]

I don't know what the "legal" ramifications of leaking a document like this through a virus would be, but i would certainly expect the company to hold the individual responsible for abusing company property in this way. The person who downloaded the file and clicked on it could conceivably be fully accountable to the company for the damages they've incurred, and rightfully so, i beleive. I would imagine the company would sue the employee foolish enough to leak the document in this way. It would be easy enough to do, you could track where the file came from, who's machine it was sent by, when it was sent, etc.

What -I- would be interested to know (since it relates directly to my current employment) is how the government would treat the leaking of defense information overseas as a result of this virus. Would the person who infected the machine be arrested for treason/espionage? Interesting question...

As for who is "logically" or "ethically" responsible for the damages, I firmly beleive the person who downloaded the file and allowed it to execute is the one at fault. Viruses like this specific one depend on ignorance to propagate, and theres really no excuse for ignorance.

Re:Just this once, shoot the messenger

[Nihilanth]

Of course, this is true for anything classified "confidential" or higher, "Noforn", a lower level of classification, can be processed on unisolated networks. I wonder, however, how wise this policy is given that the sircam virus could potentially send something like that overseas.

Ah well. People with that kind of responsability are smart enough not to download arbitrary attachments anyway, i was just curious

Re:Just this once, shoot the messenger

[Nihilanth]

We're not talking about a high level of technical ability, we're talking about a principal that is (arguably) common sense. More importantly, It would be hard to imagine that a large company wouldn't release a computer usage policy, including this little tidbit of common sense. Since use of company resources should be contingent upon awareness of and agreement with the company's policy, someone who just blows said policy off and downloads an attachment anyway should be -extremely- liable. These official policies are commonplace, and most people simply don't bother reading them, or lack the faculties to understand what they're reading.

To expound, anyone who uses company property and takes on the responsabilities that come with it (and implicitly agree to the usage policy through their continued employment) "should have known better".

Re:Just this once, shoot the messenger

[Nihilanth]

You missed my point, i should have arranged those sentances more clearly.

Companies that employs people who use computers connected to the internet almost always have a written computer usage policy.

Employees who use company computers are expected to read and understand these guidelines.

Employees who have read and understand those guidelines are responsible for adhering to them.

Ergo, employees who damage company property through their own carelessness are responsible for said damage.

Of course, im sure there are a few companies out there that have a lassez-faire (sp?) attitude towards company computer usage, the point was that it's possible for the company to correctly place the blame where it belongs, not nessisarily that it always will.

Re:Just this once, shoot the messenger

[Nihilanth]

A company may have a different view, since it's resources are the ones being damaged...

But i think i understand your point now better than i did before (assuming this is the same person). I thought for a moment about what would happen if that scenario occured at the corp. I intern at, and what you're saying makes a lot more sense in reality.

I guess the posative effect of this is that it would encourage businesses that have "luddites" (i love that word, by the way) accessing their computers to proliferate basic guidelines (in memos or whatever) to keep their computers safe, and educating users in the process.

Re:Documents from Narco-Traffickers or Guerrilla

[Nihilanth]

Wow..i wish my email adress was flooded with secretely intercepted documents about money laundering and kidnapping.

you know, what if this virus was inserted into that area of the world purposefully to expose illegal operations and aid law enforcement? not a bad idea, except its a bit of an infringement of privacy.

i guess the downside to getting all those files is that the originators CAN track you down and kill you, id consider a quick adress change/plastic surgery

You are responsible for your actions, that's it

[paranoidia]

Legally, (IANAL) I would think it would be the same as if you got some mail in your mailbox that wasn't yours. You are not at fault for having the information, but you are then responsible for your actions with that info. If you got some insider info on a company, and made millions off that stock, you would be liable for insider info fraud. So you could read away, but just don't do anything with it that you might regret.

Re:You are responsible for your actions, that's it

[paranoidia]

no, I disagree. The content in the e-mail does not belong to you, even though the e-mail does. Technically you have it, but that does not mean it belongs to you. Think of it this way...Lets say in some business there is an automated system of sending out info. If there's a bug in the system, and someone else get's some info, it's not theirs, it just ended up in their box. Same thing here, something took info and sent it to a random person. That document is someone elses in your box.