
[OT] noatime

To: Greg Freemyer <freemyer-ml@xxxxxxxxxxxxxxxxx>
Subject: [OT] noatime
From: Chris Wedgwood <cw@xxxxxxxx>
Date: Mon, 2 Feb 2004 15:51:46 -0800
Cc: Robert Brockway <robert@xxxxxxxxxxxxxxxxx>, Christoph Hellwig <hch@xxxxxxxxxxxxx>, AndyLiebman@xxxxxxx, ewwhite@xxxxxxx, linux-xfs@xxxxxxxxxxx
In-reply-to: <1075751733.13701.11.camel@david.internal.NorcrossGroup.com>
References: <115.2e2700bf.2d4bf471@aol.com> <20040130175756.A23646@infradead.org> <Pine.LNX.4.58.0401310332290.1212@zen.canint.timetraveller.org> <1075751733.13701.11.camel@david.internal.NorcrossGroup.com>
Sender: linux-xfs-bounce@xxxxxxxxxxx
On Mon, Feb 02, 2004 at 02:55:34PM -0500, Greg Freemyer wrote:

> "Rob created a flat file export of the Customer Database on Dec 15,
> 03.  He accessed this flat file at 2pm, Feb 2, 04.  This is 2 hours
> after he was notified that he was being fired, so it is possible
> that he was making an improper copy to use outside the company."

I'm amazed that stands up in court for a regular filesystem on a
regular OS[1].  Lots of things mess with atime (some backup software
for example).

If you have permissions on the file you can trivially reset it by hand
if you wanted:

cw@pain:~$ ls -l --time=atime secret-stuff.doc
-rw-r--r--    2 cw       cw         144159 Aug  6 05:33 secret-stuff.doc
cw@pain:~$ touch -r secret-stuff.doc .timeref
cw@pain:~$ ls -l --time=atime .timeref
-rw-r--r--    1 cw       cw              0 Aug  6 05:33 .timeref
cw@pain:~$ cp secret-stuff.doc jokes.doc
cw@pain:~$ ls -l --time=atime secret-stuff.doc
-rw-r--r--    2 cw       cw         144159 Feb  2 15:42 secret-stuff.doc
cw@pain:~$ touch -r .timeref -a secret-stuff.doc
cw@pain:~$ ls -l --time=atime secret-stuff.doc
-rw-r--r--    2 cw       cw         144159 Aug  6 05:33 secret-stuff.doc


As a practical joke I once wrote a daemon that scanned proxy logs and
downloaded random mpegs into various people's home directories..
obviously this frobbed the atime and mtime to try and keep up the
illusion.

> Obviously the above is not rock-solid evidence of IP theft, but it
> is far stronger than if the access time was not available.

I would argue it's not very strong at all.



  --cw
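
Added example, not part of the original message: the atime reset shown in the session above still leaves a trace, because setting atime with touch updates the inode change time (ctime), which touch cannot set. The script replays that session on a constructed file in a scratch directory and checks for the trace; it assumes GNU coreutils stat and touch, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes GNU coreutils
# (stat -c, touch -d) on Linux; the file contents and date are constructed.

atime_of() { stat -c %X "$1"; }   # last access time, epoch seconds
ctime_of() { stat -c %Z "$1"; }   # last inode change time, epoch seconds

# Succeeds when the inode changed after the recorded access time, so the
# atime alone does not describe the last thing done to the file. chmod,
# chown, rename and link also update ctime: this is a lead, not proof.
ctime_after_atime() {
    [ "$(ctime_of "$1")" -gt "$(atime_of "$1")" ]
}

# Replays the session from the message in a scratch directory. Prints
# "restored_atime saved_atime ctime" and returns the result of the check.
replay() {
    dir=$(mktemp -d) || return 1
    f=$dir/secret-stuff.doc
    echo "constructed sample data" > "$f"
    touch -d '2003-08-06 05:33:00' "$f"    # give the file an old atime/mtime
    touch -r "$f" "$dir/.timeref"          # save the timestamps
    saved=$(atime_of "$dir/.timeref")
    cp "$f" "$dir/jokes.doc"               # the read access
    touch -a -r "$dir/.timeref" "$f"       # put the old atime back
    echo "$(atime_of "$f") $saved $(ctime_of "$f")"
    ctime_after_atime "$f"
    rc=$?
    rm -rf "$dir"
    return $rc
}

replay
```

The atime printed first matches the saved one, while the ctime is the moment of the reset; `ls -l --time=ctime` shows the same field by hand.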

