Slashdot Mirror


Confidentiality on Virus Sent Docs?

Sulka writes: "The latest Sircam outbreak has sent me a lot of documents from total strangers I've never heard of before. This led me to wonder what would happen if a trade secret doc from company X was leaked like this to me -- I guess the secret wouldn't be a secret anymore. But what's the legal standing of this? Is a virus sending a document the same as someone sending email accidentally to a wrong address? Could I send a M$ Halloween memo that popped to my address to the press?" I have now recieved 1.1 gigabytes of sircam virus email attachments. I'm just glad I don't pay for my bandwidth per k.

36 of 465 comments

  1. Check out the Trade Secret Basics FAQ by Tim+Macinta · · Score: 5

    There is a FAQ on Trade Secret Basics at nolo.com. In particular, look at the question titled "What rights does the owner of a trade secret have?" I am not a lawyer, but I think it would be reasonable to assume that the SirCam virus would be covered by the line that talks about "people who learn about a trade secret by accident or mistake" (these people are not allowed to divulge the trade secret). So, I am playing it safe with files sent to me as the result of SirCam and just deleting them.

  2. Re:1.1 gigabytes? by Alan+Shutko · · Score: 3

    Of course, by the time it hits procmail, you've already paid for the bandwidth (unless you have mail delivered to a server with procmail outside the net you pay for bandwidth).

  3. Well... by Magus311X · · Score: 4

    Well your honor, he emailed the trade secrets to me and requested my advice!

    Really!
    -----

  4. 1.1 gigabytes? by rho · · Score: 5
    I have now recieved 1.1 gigabytes of sircam virus email attachments. I'm just glad I don't pay for my bandwidth per k.

    You oughta be glad you don't get paid for your procmail skills.

    --
    Potato chips are a by-yourself food.
  5. Re:Well.... by JanneM · · Score: 3

    He isn't asking about the moral issues, he wants to know the legal aspects - these are not always congruent, you know.

    I vaguely seem to remember that where I live (Sweden) you are not free to redistribute or publish stuff that's gotten into your hands by mistake if the stuff is clearly sent to you by mistake or is obviously confidential. We've had some incidents where hospitals or social services have faxed journals and other files to private citizens by mistake, and I think that was the result of those incidents. Note that you are not required to destroy the documents, or alert anybody that the information's got astray, you just aren't allowed to spread it around.

    /Janne

    --
    Trust the Computer. The Computer is your friend.
  6. Re:IANAL by dschuetz · · Score: 4
    The information contained in this document is proprietary and confidential and may not be transmitted to others in any form without the express written consent of $COMPANY. If you have received this document in error, please call $NAME at $PHONE and promptly destroy all copies.

    I hate that damned disclaimer. I regularly see it appended to email in mailing lists, and it's always a struggle for me not to respond to the guy that, no, I wasn't the original recipient, and he'd probably better check next time before he sends "proprietary and confidential" info to, say, the Pink Floyd mailing list.

    I know that many businesses have such disclaimers automatically tacked on by a server or gateway, but that doesn't make it right. If it's legally binding, then it's legally binding for EVERY email on which it appears, in which case, it shouldn't be on the public mail forums. If they can make a case that the disclaimer doesn't apply there, then, well, why can't I make a case that it never applies?

    Anyway, just a pet peeve. :)

  7. Attachments by rnturn · · Score: 3
    ``I have now recieved (sic) 1.1 gigabytes of sircam virus email attachments.''

    And that's probably just from a half dozen attached MSWord interoffice memoes that could have conveyed the same information in, oh, about 20KB of plain text per document, right?

    Can't anyone write a simple memo or office communication without using four different fonts and imbedded graphics any more? Some of the impact of things like SirCam are because of the feeling that many office workers have that their memoes won't be taken seriously unless they demonstrate their prowess in MSWord. Apparently they feel that, by not taking advantage of most of the available word processor options, their memo won't have the pizazz necessary to get their coworkers to stop leaving the empty coffee pot on the burner.

    Anyway... Does anyone know whether SirCam is pulling documents out of the default document location or is it scanning the entire hard disk for `*.doc'? If it's the former -- and without having read details on how SirCam works, I'm betting this is the case -- companies can limit their exposure by making sure that employees do not keep company confidential material in the default document directory. Or better yet, prohibit those documents from being stored anywhere but on a central file server and never on someone's unsecured desktop and definitely never on a laptop. Unless the company's management doesn't care if their strategic plans were on a stolen laptop, that is.



    --
    CUR ALLOC 20195.....5804M
  8. Re:Well.... by Col.+Klink+(retired) · · Score: 4

    I assume from your answer that you imply that ethics would prohibit you from ever disclosing such information (regardless of the legality of said disclosure).

    Let's say it's 1942 and Adolf Eichmann's transcript of the Wannsee Conference is accidentally faxed to you. Since you took an ethics course, I will assume that you would not be in favor of the Final Solution. Do your ethics continue to compel you into silence?

    --

    -- Don't Tase me, bro!

  9. Re:Well.... by Sloppy · · Score: 3

    Which leads to the question of how do ethics get passed on if there is no education in them?

    The best ethics aren't passed on. They're derived from Game Theory.


    ---
    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  10. Re:How to open safely? by Snowfox · · Score: 5
    I'm interested in seeing what all these idiots are sending me (call me nosy; I also look at car wrecks when I drive by). What's the safest way to open these attachments on a Windows 98 machine that is not running Outlook?

    Save the file on your harddisk, then remove the first 137216 bytes. You need a hex editor to do that.

    Only in the World of Windows would adding 137kilo-bloat to a word processor document be considered "stealthy."

  11. Re:Encrypted polymorphic viruses and the DMCA by JimDabell · · Score: 3

    AFAIK, viruses are still legal. It's only the use of them which is illegal.

  12. Attention Rob! by nakaduct · · Score: 3
    I have now recieved 1.1 gigabytes of sircam virus email attachments.
    It's the twenty-first century; you no longer need to italicize the word "gigabytes". In related news, you also needn't follow its use with a parenthetical "one thousand megabytes!"
  13. Re:Well.... by Tackhead · · Score: 3
    > Taking a course in ethics only requires you to know about them (and not even that if you don't care to get particularly good marks.) It does not require you to actually believe them, much less act according to them.

    Obvious T-shirt fodder:

    "My Ethics prof was so convinced he was doing a good job, that he didn't monitor the final exam, which made it real easy for me to get an 'A' in the course by cheating!"

  14. How about an mp3-spreading virus? by Myself · · Score: 4

    It searches your drive for files with "metallica" and "mp3" in the name, then emails them everywhere :)

    Can you imagine a beow*LART* okay, I guess not.

  15. Inadvertent Disclosure Doesn't Kill Trade Secrecy by dilute · · Score: 4

    The Uniform Trade Secrets Act (adopted in the majority of states), says that if you acquire information by accident or mistake, and have reason to know it is a trade secret (e.g., because of a confidentiality legend, or even just because the information *looks* like the type of information that is usually confidential), then a legal duty of confidentiality may attach. This principle can apply to misdirected emails, faxes, things falling off of trucks, whatever. The same principle also applies as a matter of "common law" in most of those states that have not adopted the UTSA.

    So, no, virus-spread documents cannot be considered liberated from trade secret restrictions, simply because they are zipping around uncontrolled on the Net as a result of the virus. But you would have to know the actual circumstances and contents in order to decide in any given situation if at the end of the day trade secrecy really applied.

  16. If you really want to get nosy by RGRistroph · · Score: 5

    Try searching on gnutella for "resume.doc" or "letter" or ".xls". Apparently many people use gnutella at work and set it to share C:\.

    For about a weekend or so it was a sport with me. I downloaded a ton of stuff I am sure was not meant for the public -- there was a breakup letter where the writer stopped midsentence and types "aw fuckit i'll stay with her" (but then for some reason saved the letter? don't ask me). I also found some business oriented xls files and ppt files. Most interesting was the fact that you could find what I think were people's outlook and eudora mailfiles, those inbox.dbx things. I have no idea how to view those.

    Anyway, I got bored and moved on to other shit. The best thing I found was a file called either "private.txt" or "secrete.txt" which looked like the following:

    SSN: #########
    PIN(ATM): ####
    PIN(VISA): ####
    WellsFargo: user/passwd
    yahoo: user/passwd
    (a university student network domain): user/passwd

    So I guess this guy decided to consolidate all of his sensitive info into one place, decided to put it on a computer, and then accidentally shared it with the whole fucking internet.

    I wanted to try the yahoo user/passwd just to see if it was real, but at that point I stopped and thought and decided that actually using the information people were inadvertently sharing to snoop information they _weren't_ inadvertently sharing was probably where the legal/ethical boundary would be crossed. I never sent email to the yahoo address or the university one because I was afraid of being accused of being a hacker. The sad thing is that my gnutella client automatically moves completed downloads to the shared directory, so it is possible I further shared that file with others before I deleted it.

    If there were some way you could filter your gnutella search results on IPs belonging to cable/DSL users in the DC area, or by those belonging to employees of a particular company, etc, then you could really do some damage.

    I talked about this with other people and some of them apparently search for the names of .DLL files in various versions of windows, to find a gnutella host sharing everything, and then do the "list all files on this host" thing to look at the user's personal files.

    So I guess the moral is, make sure your friends know how to configure their gnutella clients correctly.

  17. IANAL by Zaphod+B · · Score: 5

    ...but I *do* get to deal with this on a more-or-less daily basis these days.

    According to the lawyer types I work with, it's more or less the same as if a fax went through to the wrong number. They are prohibited from disclosing the information if there is a legal blurb on the bottom of the page or wherever that says so.

    I never thought I'd see the day when I'd welcome more legalese on documents... but any sensitive documents should really have that blurb, quoted (well, mostly) here:

    The information contained in this document is proprietary and confidential and may not be transmitted to others in any form without the express written consent of $COMPANY. If you have received this document in error, please call $NAME at $PHONE and promptly destroy all copies.

    In the case of financial documents, which is what I concern myself with, the use of them for gain is tantamount to insider trading and is a Bad Thing for He Who Gets Caught.


    Zaphod B
    --
    Zaphod B
    When duplication is outlawed, only outlaws will have /bin/cp
  18. Hotmail deleted all my mail because of this virus by cworley · · Score: 5

    I was out of town for a week... didn't check my hotmail account.

    During that time, my hotmail Inbox filled up with these sorts of messages (large attachments with the text: "I send you this file in order to have your advice").

    Once it reached the maximum size for hotmail diskspace, hotmail started automatically deleting older messages: all the messages in all of my folders had been deleted by the time I checked my hotmail account.

    All that was left was spam in my Inbox.

    Thanks, Microsoft!

    --
    When I die, please cast my ashes upon Bill Gates -- for once, make him clean up after me!
  19. Trade Secrets are just that... by SIGFPE · · Score: 3
    ...secrets. If you leak them they're not secret any more and you no longer have protection.

    If you have some intellectual property you have 4 ways to protect it:

    • Trade Mark
    • Copyright
    • Patent
    • Trade Secret
    The first three rely on government protection. The last one relies on your own ability to keep it secret. If you're unable to keep it secret then you should use one of the first three methods to protect yourself. If you fail to keep it secret and don't use one of the other methods then you are unprotected and there's nothing you can do - that's why the other methods exist.

    IANAL But I recently had one explain all this to me.

    --
    --
    -- SIGFPE
  20. Strangers by zpengo · · Score: 4
    total strangers I've never heard of before

    Those are the worst kind of strangers!

    --


    Got Rhinos?
  21. why do people keep doing this? by egomaniac · · Score: 5

    Why do people keep posing technical legal questions to a bunch of geeks, most of whom haven't even graduated from college yet? Is there some secret stash of lawyers on Slashdot that I'm not aware of yet?

    Judging from the uninformed comments above, evidently not, but there are a *ton* of clueless idiots who are more than happy to spout off their opinions on a subject they know nothing about. But hey, that's what most Slashdot discussions are anyway.

    Trade secrets are covered by a myriad of laws, and you can get in serious trouble for divulging them even if you learned of them by accident. Call a lawyer to find out more details. Slashdot can't provide much help on legal questions, as we've proved over and over and over again...

    --- egomaniac

    --
    ZFS: because love is never having to say fsck
    1. Re:why do people keep doing this? by Mike1024 · · Score: 5

      Hey,

      Is there some secret stash of lawyers on Slashdot that I'm not aware of yet?

      Sure!

      CmdrTaco) Hmm... Got another law 'Ask Slashdot' here.
      Hemos) Another? What's it about?
      JonKatz) It's a case that has the ugliest implications not only for the press (online and off) but for open discussion of technology, and especially for the First Amendment.
      CmdrTaco) Some guy wants to know if he can post secret documents he gets e-mailed.
      Roblimo) Are you sure we want to post this? Don't you think slashdot is posting too many law-related stories, when there are no lawyers reading? We don't want the site to get boring...
      JonKatz) Slashdot is at times witty, imaginative and entertaining, no small accomplishment, especially this summer. It reminds us that when it comes to ominous design and atmosphere, nobody can top CmdrTaco. Where he seems to have trouble is with storytelling.
      Hemos) Well, we could just blindly post it... or we might have to break out the.... SECRET STASH OF LAWYERS!
      CmdrTaco) Great idea! Where did you leave the lawyers, Cliff?
      Cliff) They're in the fridge, behind the Jolt.

      I think that's about how it went.

      Michael

      --
      "Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
  22. Encrypted polymorphic viruses and the DMCA by Fencepost · · Score: 5
    Oh my...

    Consider a virus writer being caught, then going after the major antivirus software vendors for breaking the encryption on his virus...

    -- fencepost

    --
    fencepost
    just a little off
  23. Even if it _is_ illegal... by mikeage · · Score: 5
    ...What if some clever virus/worm writer put a click through license. Would that be legal? If so, how much "honesty" (obviously, he wouldn't write "this is a virus") is required to ensure that a victim actually agrees?

    On another note... are you saying I can't post those so-called confidential emails between Slashdot and goatse.cx paying for click-throughs?

    --
    -- Is "Sig" copyrighted by www.sig.com?
  24. Re:Confidentiality clauses by regen · · Score: 5
    This means, that for anyone to be released from a confidentiality clause, then the information has to be legally published.

    Let us say that Alice and Bob enter into a contract, with a confidentiality clause. Bob's computer is infected with SirCam and it mails the contract to Carl. Carl then publishes the contract in a newspaper. Alice may have grounds to sue Bob for breach of contract (Bob's copy was leaked) but doesn't have grounds to sue Carl for a breach since Carl was never a party to the contract.

    Now for Bob or Alice to release any information may still be a breach, but Carl can do whatever he wants.

  25. Stupid Friends by austinij · · Score: 3
    I have now recieved 1.1 gigabytes of sircam virus email attachments. I'm just glad I don't pay for my bandwidth per k.

    Wow, talk about a lot of stupid friends. I've only gotten a few of the SirCam virus emails, so I have to assume either a) people don't like me enough to put me in their address book, b) my friends are smarter than CmdrTaco's, c) my friends don't use outlook

  26. Confidentiality clauses by michaelsimms · · Score: 3

    In contracts I am writing up at the moment, there are standard confidentiality clauses. This means, that for anyone to be released from a confidentiality clause, then the information has to be legally published. Even if EVERYONE knows about it because of a virus or a leak, anyone using it is doing so illegally and may be prosecuted for stealing trade secrets.
    If they delete it, no problem, if they keep it, big illegal problems.
    IANAL, but I hired one and that's what they said.

    --

    Tux Games. Your complete source for native Linux games.
    1. Re:Confidentiality clauses by KarmaBlackballed · · Score: 5

      The lawyers out there will know the Latin word (and there is one) but there has to be something received by both parties entering into a contract for that contract to be enforceable in the USA.

      You cannot forward a document to a stranger and then legally bind that stranger to behave according to the content of that document. Not in the USA.


      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      ~~ the real world is much simpler ~~

      --

      --- -- - -
      Give me LIBERTY, or give me a check.
  27. Re:Well by www.sorehands.com · · Score: 3
    It got to you, via a virus. That means that:
    • You did not do anything illegal to get it
    • They did not take sufficient precautions to prevent the leak.
    I would guess you would be safe in releasing it. But, if it got to you, it probably got to many others so the leak would not be traceable.

    See a lawyer.

  28. you could go on with this all day... by kchayer · · Score: 5
    If a document is top secret, it shouldn't be stored on a networked computer. If it is stored on a networked computer, then it should be encrypted. Problem solved. Encrypting important documents should be as important as backing them up.

    You shouldn't set your email program to automatically execute attachments...

    You shouldn't open attachments from someone you don't know...

    Oh wait, you might get the virus from someone you DO know, but you shouldn't open attachments unless you know what they are and were expecting them...

    Always use BCC:

    Keep your virus definitions up to date...

    Keep your programs/operating system/server up to date with the latest patches...

    Always backup your data...

    You shouldn't be superuser-equivalent unless you need it briefly to change something...

    You should choose a password that is not easy to guess...

    You should change your password regularly...

    You shouldn't use the same password on different systems...

    Do not feed the bears...

    It could go on and on. Your idea is fine. It represents one of the many things that *should* be done. But who is going to do it? The fact of the matter remains, people won't follow good security practices because it's inconvenient, they don't want to, they don't know about them, or their Aunt Ruth has a beard.

    The point of the question above is that when someone receives something confidential, accidentally, the ethical thing to do is to delete it. Who's responsible? Well, the virus writer, if the file was spread as a result of a virus. Sure, the user should have kept his document secure, but he didn't. Are users guilty of violating any of the above policies? Sure. Are sysadmins? Yep. We do it too.

    Of course, we need to educate our users and enforce security policies. Saying "this will work; problem solved" isn't sufficient. Proactive education, policies, and enforcement are the answer. Now I've got to get back to work and do it!

    "I say consider this day seized!" -Hobbes

    --

    "I say consider this day seized!" -Hobbes
    "Tomorrow we'll seize the day and throttle it!" -Calvin
  29. SirCamExchange.com? by TOTKChief · · Score: 3

    Well, it would appear that Matthew Haughey of MetaFilter has considered building SirCamExchange.com [according to betterwhois, it's still available...]. He compares it to FilePile, but I find the idea rather...inane. Oh well.

  30. Re:Excellent Question by Xibby · · Score: 4

    What happens if someone steals your car and causes a fatal accident with it?
    Given my car, it's quite likely the thief was the one who died.

    What happens if a child finds the gun you left in your dresser and shoots himself?
    He'll be very very wet or hit by a paint ball.

    What happens if someone breaks into your house, trips over something and breaks a leg?
    Not only will they have a broken leg, they'll be covered in doggie drool. So with a broken leg and buckets of doggie drool, they'll be searching for the missing portable phone. And if all he broke was his leg, he's lucky. There's lots of stuff to trip over in my house.

    --
    I'm going to go back in my box and will think within the limits of my box: MS Sucks Linux Good I read too much Slashdot.
  31. So... by cavemanf16 · · Score: 5
    What you're saying is...

    I send this Ask Slashdot to you to get your advice.

  32. Thanks, Taco... by clark625 · · Score: 3

    I'm sure the authors of all these recent viruses would just love to implement this. I can think of lots of fun things to do now:

    Outlook virus that sends not only itself to all persons in the address book, but also a random file from "My Documents" or somesuch. Especially good if the virus picks files that are .doc, .xls, etc.

    IIS exploit that fully allows "visitors" to read all cgi scripts, as well as perform "updates" to these scripts.

    Now, if you'll all excuse me, I've got some MS exploits to write....

    --
    Long, cute, or funny Sigs are just another form of over compensation, used by geeks, nerdz, etc.
  33. Re:Well.... by why-is-it · · Score: 3

    IANAL, but I did ask one in passing about this. It is difficult to get a short, concise answer from a lawyer about anything BTW...

    Based on that conversation, this is what I understand the situation to be here in Canada: if there is no pre-existing NDA in effect, a person who receives a document labelled "confidential" is not under any legal obligation to maintain that confidentiality.

    I was cautioned however, that there would be no guarantee that any information received in such a manner would be accurate or authentic...

    Caveat emptor.

    --
    *** Where are we going? And what's with this handbasket?
  34. Re:How to open safely? by tlk+nnr · · Score: 5
    I'm interested in seeing what all these idiots are sending me (call me nosy; I also look at car wrecks when I drive by). What's the safest way to open these attachments on a Windows 98 machine that is not running Outlook?

    Save the file on your harddisk, then remove the first 137216 bytes. You need a hex editor to do that.

    Or with Cygwin it's

    $ dd if=virus.doc.pif of=clean.doc bs=1 skip=137216

    Rename it to the actual file type and open it.
    Do not double click it, instead open it from the correct app (just in case you didn't remove the virus properly - Word doesn't open windows executables)
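
The byte-stripping step from the comment above, written as a shell function with a check on the result; this is an added example, not part of the original comment. It uses a single-pass `tail -c` in place of `dd bs=1`. The function names, the constructed sample file and the assumption that the prepended program starts with the `MZ` executable signature are assumptions of this example, not statements from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. SIRCAM_PREFIX is the byte count
# quoted in the comments above; every other name here is made up.
SIRCAM_PREFIX=137216

# Print the first $2 bytes of file $1 as lowercase hex, no separators.
magic_hex() {
    head -c "$2" "$1" | od -An -tx1 | tr -d ' \n'
}

# Classify a file by its leading bytes.
classify() {
    case "$(magic_hex "$1" 8)" in
        d0cf11e0a1b11ae1) echo ole2 ;;        # Word/Excel 97-2003 container
        504b0304*)        echo zip ;;
        4d5a*)            echo executable ;;  # "MZ": DOS/Windows program
        *)                echo unknown ;;
    esac
}

# strip_prefix SRC DST: copy SRC minus its first SIRCAM_PREFIX bytes to DST
# and print what DST looks like. Refuses input that is too short or does not
# start with MZ (assumed layout: program first, document after it), and
# deletes DST if it still starts with an executable header.
strip_prefix() {
    src=$1 dst=$2
    size=$(($(wc -c < "$src"))) || return 2
    [ "$size" -gt "$SIRCAM_PREFIX" ] || { echo "too short: $src" >&2; return 3; }
    [ "$(classify "$src")" = executable ] || { echo "no MZ header: $src" >&2; return 4; }
    # tail -c +N starts output at byte N (1-based): one pass, unlike dd bs=1.
    tail -c +"$((SIRCAM_PREFIX + 1))" "$src" > "$dst" || return 2
    chmod 0600 "$dst"                         # data only, never executable
    kind=$(classify "$dst")
    if [ "$kind" = executable ]; then
        rm -f "$dst"
        echo "remainder is still a program, discarded" >&2
        return 5
    fi
    echo "$kind"
}

# Constructed sample: "MZ" plus zero padding up to the prefix length,
# followed by the OLE2 signature and some text. Harmless filler only.
make_sample() {
    { printf 'MZ'; head -c "$((SIRCAM_PREFIX - 2))" /dev/zero
      printf '\320\317\021\340\241\261\032\341constructed document body'; } > "$1"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/sample.doc.pif"
echo "input:  $(classify "$demo_dir/sample.doc.pif")"
echo "output: $(strip_prefix "$demo_dir/sample.doc.pif" "$demo_dir/clean.doc")"
rm -rf "$demo_dir"
```

A matching signature only shows that the remainder is not a bare program; it says nothing about macros inside the document.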