Full Disclosure mailing list archives

Re: <RANT> Cart00ney-Sigs
From: bkfsec <bkfsec () sdf lonestar org>
Date: Fri, 04 Feb 2005 11:18:41 -0500

J.A. Terranson wrote:

> Forgetting for a moment that you cannot bind someone to an agreement just
> by having them READ IT, you may want to consider that you also can't bind
> them to a secrecy agreement AFTER giving out the "secret".  To put that
> into English for those who are common-sense-impaired: you have to assert a
> right of secrecy BEFORE divulging the "protected" information.  If you let
> a secret out BEFORE getting an [valid] agreement to maintain such secrecy,
> what you have done is to place your supposed secret into the public
> knowledgebase, from where anyone can do pretty much as they want (albeit
> subject to a few scattered and mostly unenforceable restrictions such as
> copyright).  If you really, *really*, *REALLY* want to try and assert an
> agreement of secrecy, you MUST place the "agreement" BEFORE the beginning
> of your post.  Of course, that means displaying the Cart00ney up front,
> where everyone can see that there's no reason to read further ;-)

Not only that, but in the case of an agreement pertaining to something within the email header (like an e-mail address), the notice of secrecy would have to be made before the header was displayed or parsed.

One could argue that the presence of the address/name on the main view of most mail clients precludes the "agreement" due to lack of notice, and that programmatically, the program parses the headers first, and as such they are not subject to the notice of secrecy.

In other words: it's probably technically impossible to bind this agreement to a name/address on e-mail in the first place.

> Now, as for those "Confidentiality notice"s you see on large company email
> systems, where the lowly little luser has no control over what his moronic
> email admin has automatically tagged to the bottom of the email: You DO
> realize that there is absolutely zero case law that holds these "notices"
> to be enforceable, right?  As a common courtesy, people *may* CHOOSE to
> abide, but they don't HAVE to.  And when you send something to a public
> list like this, you have completely wiped away even the common courtesy
> argument.  I would suggest that you ask your legal department to advise
> your email admins to stop making your companies look stupid in public.

Or, even better, don't subscribe/post to security mailing lists from a corporate e-mail address. Considering the content of these lists, advertising the location of your guarded items is generally not advisable under most circumstances. Of course, this all depends on your circumstances.


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html