Slashdot Mirror
Confidentiality on Virus Sent Docs?
Sulka writes: "The latest Sircam outbreak has sent me a lot of documents from total strangers I've never heard of before. This led me to wonder what would happen if a trade secret doc from company X was leaked like this to me -- I guess the secret wouldn't be a secret anymore. But what's the legal standing of this? Is a virus sending a document the same as someone sending email accidentally to a wrong address? Could I send a M$ Halloween memo that popped to my address to the press?" I have now recieved 1.1 gigabytes of sircam virus email attachments. I'm just glad I don't pay for my bandwidth per k.
There is a FAQ on Trade Secret Basics at nolo.com. In particular, look at the question titled "What rights does the owner of a trade secret have?" I am not a lawyer, but I think it would be reasonable to assume that the SirCam virus would be covered by the line that talks about "people who learn about a trade secret by accident or mistake" (these people are not allowed to divulge the trade secret). So, I am playing it safe with files sent to me as the result of SirCam and just deleting them.
-----
Free P2P Backup, Windows & Linux
Well your honor, he emailed the trade secrets to me and requested my advice!
Really!
-----
You oughta be glad you don't get paid for your procmail skills.
Potato chips are a by-yourself food.
I hate that damned disclaimer. I regularly see it appened to email in mailing lists, and it's always a struggle for me not to respond to the guy that, no, I wasn't the original recipient, and he'd probably better check next time before he sends "proprietary and confidential" info to, say, the Pink Floyd mailing list.
I know that many businesses have such disclaimers automatically tacked on by a server or gateway, but that doesn't make it right. If it's legally binding, then it's legally binding for EVERY email on which it appears, in which case, it shouldn't be on the public mail forums. If they can make a case that the disclaimer doesn't apply there, then, well, why can't I make a case that it never applies?
Anyway, just a pet peeve. :)
I assume from your answer that you imply that ethics would prohibit you from ever disclosing such information (regardless of the legality of said disclosure).
Let's say it's 1942 and Adolf Eichman's transcript of the Wannsee Conference is accidentally faxed to you. Since you took an ethics course, I will assume that you would not be in favor of the Final Solution. Do your ethics continue to compel you into silence?
-- Don't Tase me, bro!
Only in the World of Windows would adding 137kilo-bloat to a word processor document be considered "stealthy."
It searches your drive for files with "metallica" and "mp3" in the name, then emails them everywhere :)
Can you imagine a beow*LART* okay, I guess not.
The Uniform Trade Secrets Act (adopted in the majority of states), says that if you acquire information by accident or mistake, and have reason to know it is a trade secret (e.g., because of a confidentiality legend, or even just because the information *looks* like the type of information that is usually confidential), then a legal duty of confidentiality may attach. This principle can apply to misdirected emails, faxes, things falling off of trucks, whatever. The same principle also applies as a matter of "common law" in most of those states that have not adopted the UTSA.
So, no, virus-spread documents cannot be considered liberated from trade secret restrictions, simply because they are zipping around uncontrolled on the Net as a result of the virus. But you would have to know the actual circumstances and contents in order to decide in any given situation if at the end of the day trade secrecy really applied.
Try searching on gnutella for "resume.doc" or "letter" or ".xls". Apparently many people use gnutella at work and set it to share C:\.
.DLL files in various versions of windows, to find a gnutella host sharing everything, and then do the "list all files on this host" thing to look at the user's personal files.
For about a weekend or so it was a sport with me. I downloaded a ton of stuff I am sure was not meant for the public -- there was a breakup letter where the writer stoped midsentence and types "aw fuckit i'll stay with her" (but then for some reason saved the letter ? don't ask me). I also found some business oriented xls files and ppt files. Most interesting was the fact that you could find what I think were people's outlook and eudora mailfiles, those inbox.dbx things. I have no idea how to view those.
Anyway, I got bored and moved on to other shit. The best thing I found was a file called either "private.txt" or "secrete.txt" which looked like the following:
SSN: #########
PIN(ATM): ####
PIN(VISA): ####
WellsFargo: user/passwd
yahoo: user/passwd
(a university student network domain): user/passwd
So I guess this guy decided to consolidate all of his sensitive info into one place, decided to put it on a computer, and then accidently shared it with the whole fucking internet.
I wanted to try the yahoo user/passwd just to see if it was real, but at that point I stopped and thought and decided that actually using the information people were inadvertendly sharing to snoop information they _weren't_ inadvertently sharing was probably where the legal/ethical boundary would be crossed. I never sent email to the yahoo address or the university one because I was afraid of being accused of being a hacker. The sad thing is that my gnutella client automatically moves completed downloads to the shared directory, so it is possible I further shared that file with others before I deleted it.
If there were some way you could filter your gnutella search results on IPs belonging to cable/DSL users in the DC area, or by those belonging to employees of a particular company, etc, then you could really do some damage.
I talked about this with other people and some of them apparently search for the names of
So I guess the moral is, make sure your friends know how to configure their gnutella clients correctly.
...but I *do* get to deal with this on a more-or-less daily basis these days.
According to the lawyer types I work with, it's more or less the same as if a fax went through to the wrong number. They are prohibited from disclosing the information if there is a legal blurb on the bottom of the page or wherever that says so.
I never thought I'd see the day when I'd welcome more legalese on documents... but any sensitive documents should really have that blurb, quoted (well, mostly) here:
In the case of financial documents, which is what I concern myself with, the use of them for gain is tantamount to insider trading and is a Bad Thing for He Who Gets Caught.
Zaphod B
Zaphod B
When duplication is outlawed, only outlaws will have
I was out of town for a week... didn't check my hotmail account.
During that time, my hotmail Inbox filled up with these sorts of messages (large attachements with the text: "I send you this file in order to have your advice").
Once it reached the maximum size for hotmail diskspace, hotmail started automatically deleteing older messages: all the messages in all of my folders had been deleted by the time I checked my hotmail account.
All that was left was spam in my Inbox.
Thanks, Microsoft!
When I die, please cast my ashes upon Bill Gates -- for once, make him clean up after me!
Those are the worst kind of strangers!
Got Rhinos?
Why do people keep posing technical legal questions to a bunch of geeks, most of whom haven't even graduated from college yet? Is there some secret stash of lawyers on Slashdot that I'm not aware of yet?
Judging from the uninformed comments above, evidently not, but there are a *ton* of clueless idiots who are more than happy to spout off their opinions on a subject they know nothing about. But hey, that's what most Slashdot discussions are anyway.
Trade secrets are covered by a myriad of laws, and you can get in serious trouble for divulging them even if you learned of them by accident. Call a lawyer to find out more details. Slashdot can't provide much help on legal questions, as we've proved over and over and over again...
--- egomaniac
ZFS: because love is never having to say fsck
Consider a virus writer being caught, then going after the major antivirus software vendors for breaking the encryption on his virus...
-- fencepost
fencepost
just a little off
On another note... are you saying I can't post those so-called confidential emails between Slashdot and goatse.cx paying for click-throughs?
--
-- Is "Sig" copyrighted by www.sig.com?
Let us say that Alice and Bob enter into a contract, with a confidentiality clause. Bob's computer is infected with SirCam and it mails the contract to Carl. Carl then publishes the contract in a news paper. Alice may have grounds to sue Bob for breach of contract (Bob's copy was leaked) but doesn't have grounds to sue Carl for a breach since Carl was never a party to the contract.
Now for Bob or Alice to release any information may still be a breach, but Carl can do whatever he wants.
The Economics of Website Security
You shouldn't set your email program to automatically execute attachments...
You shouldn't open attachments from someone you don't know...
Oh wait, you might get the virus from someone you DO know, but you shouldn't open attachments unless you know what they are and were expecting them...
Always use BCC:
Keep your virus definitions up to date...
Keep your programs/operating system/server up to date with the latest patches...
Always backup your data...
You shouldn't be superuser-equivalent unless you need it briefly to change something...
You should choose a password that is not easy to guess...
You should change your password regularly...
You shouldn't use the same password on different systems...
Do not feed the bears...
It could go on and on. Your idea is fine. It represents one of the many things that *should* be done. But who is going to do it? The fact of the matter remains, people won't follow good security practices because it's inconvenient, they don't want to, they don't know about them, or their Aunt Ruth has a beard.
The point of the question above is that when someone receives something confidental, accidentally, the ethical thing to do is to delete it. Who's responsible? Well, the virus writer, if the file was spread as a result of a virus. Sure, the user should have kept his document secure, but he didn't. Are users guilty of violating any of the above policies? Sure. Are sysadmins? Yep. We do it too.
Of course, we need to educate our users and enforce security policies. Saying "this will work; problem solved" isn't sufficient. Proactive education, policies, and enforcement are the answer. Now I've got to get back to work and do it!
"I say consider this day seized!" -Hobbes
"I say consider this day seized!" -Hobbes
"Tomorrow we'll seize the day and throttle it!" -Calvin
The lawyers out there will know the Latin word (and there is one) but there has to be something received by both parties entering into a contract for that contract to be enforceable in the USA.
You cannot forward a document to a stranger and then legally bind that stranger to behave according to the content of that document. Not in the USA.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ the real world is much simpler ~~
--- -- - -
Give me LIBERTY, or give me a check.
What happens if someone steals your car and causes a fatal accident with it? Given my car, it's quite likely the theif was the one who died.
What happens if a child finds the gun you left in your dresser and shoots himself?
He'll be very very wet or hit by a paint ball.
What happens if someone breaks into your house, trips over something and breaks a leg?
Not only will they have a broken leg, they'll be covered in doggie drool. So with a broken leg and buckets of doggie drool, they'll be searching for the missing portable phone. And if all he broke was his leg, he's lucky. There's lots of stuff to trip over in my house.
I'm going to go back in my box and will think within the limits of my box: MS Sucks Linux Good I read too much Slashdot.
I send this Ask Slashdot to you to get your advice.
Save the file on your harddisk, then remove the first 137216 bytes. You need a hex editor to do that.
Or with Cygwin it's
$dd if=virus.doc.pif of=clean.doc bs=1 skip=137216Rename it to the actual file type and open it.
Do not double click it, instead open it from the correct app (just in case you didn't remove the virus properly - Word doesn't open windows executables)