Re: <RANT> Cart00ney-Sigs

[bkfsec <bkfsec () sdf lonestar org>]

J.A. Terranson wrote:

> Forgetting for a moment that you cannot bind someone to an agreement just
> by having them READ IT, you may want to consider that you also can't bind
> them to a secrecy agreement AFTER giving out the "secret".  To put that
> into English for those who are common-sense-impaired: you have to assert a
> right of secrecy BEFORE divulging the "protected" information.  If you let
> a secret out BEFORE getting an [valid] agreement to maintain such secrecy,
> what you have done is to place your supposed secret into the public
> knowledgebase, from where anyone can do pretty much as they want (albeit
> subject to a few scattered and mostly unenforceable restrictions such as
> copyright).  If you really, *really*, *REALLY* want to try and assert an
> agreement of secrecy, you MUST place the "agreement" BEFORE the beginning
> of your post.  Of course, that means displaying the Cart00ney up front,
> where everyone can see that theres no reason to read further ;-)
>  
Not only that, but in the case of an agreement pertaining to something 
within the email header (like an e-mail address), the notice of secrecy 
would have to be made before the header was displayed or parsed.

One could argue that the presence of the address/name on the main view 
of most mail clients precludes the "agreement" due to lack of notice, 
and that programatically, the program parses the headers first, and as 
such they are not subject to the notice of secrecy.

In other words: it's probably technically impossible to bind this 
agreement to a name/address on e-mail in the first place.

> Now, as for those "Confidentiality notice"s you see on large company email
> systems, where the lowly little luser has no control over what his moronic
> email admin has automatically tagged to the bottom of the email: You DO
> realize that there is absolutely zero case law that holds these "notices"
> to be enforceable, right?  As a common courtesy, people *may* CHOOSE to
> abide, but they don't HAVE to.  And when you send something to a public
> list like this, you have completely wiped away even the common courtesy
> argument.  I would suggest that you ask your legal department to advise
> your email admins to stop making your companies look stupid in public.
>
>  
Or, even better, don't subscribe/post to security mailing lists from a 
corporate e-mail address.  Considering the content of these lists, 
advertising the location of your guarded items is generally not 
advisable under most circumstances.  Of course, this all depends on your 
circumstances.

         -Barry


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html