[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] <RANT> Cart00ney-Sigs

To: "J.A. Terranson" <measl@xxxxxxx>
Subject: Re: [Full-Disclosure] <RANT> Cart00ney-Sigs
From: bkfsec <bkfsec@xxxxxxxxxxxxxxxx>
Date: Fri, 04 Feb 2005 11:18:41 -0500

J.A. Terranson wrote:

Forgetting for a moment that you cannot bind someone to an agreement just by having them READ IT, you may want to consider that you also can't bind them to a secrecy agreement AFTER giving out the "secret". To put that into English for those who are common-sense-impaired: you have to assert a right of secrecy BEFORE divulging the "protected" information. If you let a secret out BEFORE getting an [valid] agreement to maintain such secrecy, what you have done is to place your supposed secret into the public knowledgebase, from where anyone can do pretty much as they want (albeit subject to a few scattered and mostly unenforceable restrictions such as copyright). If you really, *really*, *REALLY* want to try and assert an agreement of secrecy, you MUST place the "agreement" BEFORE the beginning of your post. Of course, that means displaying the Cart00ney up front, where everyone can see that theres no reason to read further ;-)

Not only that, but in the case of an agreement pertaining to something within the email header (like an e-mail address), the notice of secrecy would have to be made before the header was displayed or parsed.

One could argue that the presence of the address/name on the main view of most mail clients precludes the "agreement" due to lack of notice, and that programatically, the program parses the headers first, and as such they are not subject to the notice of secrecy.

In other words: it's probably technically impossible to bind this agreement to a name/address on e-mail in the first place.

Now, as for those "Confidentiality notice"s you see on large company email
systems, where the lowly little luser has no control over what his moronic
email admin has automatically tagged to the bottom of the email: You DO
realize that there is absolutely zero case law that holds these "notices"
to be enforceable, right?  As a common courtesy, people *may* CHOOSE to
abide, but they don't HAVE to.  And when you send something to a public
list like this, you have completely wiped away even the common courtesy
argument.  I would suggest that you ask your legal department to advise
your email admins to stop making your companies look stupid in public.

Or, even better, don't subscribe/post to security mailing lists from a corporate e-mail address. Considering the content of these lists, advertising the location of your guarded items is generally not advisable under most circumstances. Of course, this all depends on your circumstances.

-Barry


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] some interresting project i just stumbled across...
  - From: Oliver Leitner
- Re: [Full-Disclosure] some interresting project i just stumbled across...
  - From: Michael Simpson
- Re: [Full-Disclosure] some interresting project i just stumbled across...
  - From: Darryl Luff
- Re: [Full-Disclosure] some interresting project i just stumbled across...
  - From: Oliver Leitner
- [Full-Disclosure] <RANT> Cart00ney-Sigs (was: Re: Freenet clone)
  - From: J.A. Terranson

Prev by Date: [Full-Disclosure] Re: [Linux kernel ipv6_setsockopt integer overflow]
Next by Date: Re: [Full-Disclosure] <RANT> Cart00ney-Sigs (was: Re: Freenet clone)
Previous by thread: [Full-Disclosure] <RANT> Cart00ney-Sigs (was: Re: Freenet clone)
Next by thread: Re: [Full-Disclosure] <RANT> Cart00ney-Sigs (was: Re: Freenet clone)
Index(es):
- Date
- Thread