[Beowulf] All Your BASH Are Belong To Us

Lux, Jim (337C) james.p.lux at jpl.nasa.gov
Thu Aug 11 07:05:00 PDT 2011

Interesting.. You wrote:
There is a general understanding that unless explicitly marked in the contents of the script (the text file that is the Bash program), a Bash script is freely available for use and modification by anyone. In some cases there is a copyright notice or a license that allows (or disallows) sharing or modification. These are always explicitly stated at the beginning of the script and obvious to anyone who reads or modifies the script. 

This is, of course, not correct under current law: marking is not required for copyright protection.  Pretty much everything is born copyrighted.  Putting markings on it helps you claim for willful infringement (i.e. the recipient can't claim "I didn't know") which helps on the damages situation.  And, under the Berne convention, marking is required to assert your rights in some countries (All Rights Reserved is also required in some places).  Likewise, under current law, registration of copyright isn't required.  Registration allows you to collect statutory damages for infringement, though.

For trade secrets, it's a bit trickier.  The recipient has to know that it's trade secret, but that can be done by marking on the delivery media, by a separate document, or even by verbal communication (here, this is proprietary, don't disclose it).  And you have to take some means to protect it: claiming something that is trade secret that is printed on bus stop  benches won't fly.  In any case, just because scripts aren't obfuscated doesn't mean they're not subject to trade secret protection.  If the owner of the secret takes some precautions to prevent wide disclosure (e.g. warning the recipient of its proprietary nature).  This is the aspect that will surely be the core of litigation:  would a "reasonable person" have known that the material was subject to trade secret protection.  As we all know, reasonable people differ, and the attorneys on both sides will trot out examples of marking and disclosure practices: good, bad, and indifferent.  As Doug noted, "special measures" need to be taken, but there's no bright line standard for those measures, and, in practice, they can be pretty lax (and would be expected to be proportionate to the value of the secret.. the secret formula for Coke is probably more protected than the schedule for sweeping the floor in the manufacturing plant... both provide competitive advantage to Coke, but one is probably more important)

Something that a lot of tech people  in industry (particularly those coming from academia and working with open source) probably don't really fully understand is that pretty much everything you do for your employer is probably proprietary in some sense, and there is probably a written policy to that effect, which you, as an employee, are expected to be aware of. Or your supervisor told you, or the nice personnel person told you when you hired in 20 years ago, etc.  Mundane operational details of the business might be claimed to provide competitive advantage, especially if they're not "industry standard"  (humorously, if the employer has some really lame practice that's horrible, that might make it protectable.. then you could argue in court about whether it had any value). This is why there are "document review" departments and periodic training:  It helps reduce the problem of "inadvertent disclosure" and "I didn't know".  

This is the really tricky thing about trade secret: inadvertent disclosure can ruin the protection.  There have been cases of deliberately (and nefariously) "losing" trade secret info to spoil the protection.  And then, there is a somewhat notorious case of documents from Intel(?) that were in an envelope at a hotel desk or convention(?) with a person's name on it. Turns out there was a competitor (AMD?) with an employee of the same name, who accidentally got the documents handed to them (Hi, I'm John Smith, I think you have something for me.), opened the envelope, realized the problem, handed them right back, but in later action, it was alleged that this was sufficient to break the protection.  I don't recall all the details, and it probably settled out of court.  It's really complex.. "the bell, having been rung, cannot be unrung" (the phrase shows up in tons of legal writings), but in reality, if the inadvertent disclosure wasn't too big, etc.

Important things:
1) The language it's written in or obfuscation or not makes no difference.
2) the size of the work makes no difference.  "Candy/Is dandy/But liquor/Is quicker" is/was copyrighted by Ogden Nash (used here as fair use, and anyway, the copyright may have expired)
3) the intellectual effort in the work makes no difference (unlike patents, there's no requirement of novelty) (unless you're trying to claim trade secret protection on something that's already public knowledge.. the thing might be public, but the fact that you selected that particular one might be trade secret.)


I am not a lawyer, but I spent all too many (hundreds) of hours in depositions and meetings and court where one of the main issues was the "was there adequate notice of the trade secret status of the information" as well as "did they steal it", not to mention the always popular "can you describe the secret with specificity and particularity".  If the bad guy steals the trade secret and then keeps it secret, it's fairly hard to show that they actually have it.  There are also folks who have developed techniques to evade the restrictions of an NDA ("Sure, I signed it, but that exceeded the scope of my corporate authority, so it's invalid. "  "Technically, I wasn't an employee that afternoon, even though I was in the morning, and I was the next week, but hey, for that afternoon, I wasn't an employee, so I'm not bound by the NDA signed by corporate. Sorry about giving you that business card with the company name on it, but it was what I happened to have in my wallet")

From: beowulf-bounces at beowulf.org [beowulf-bounces at beowulf.org] On Behalf Of Douglas Eadline [deadline at eadline.org]
Sent: Thursday, August 11, 2011 05:04
To: beowulf at beowulf.org
Subject: [Beowulf] All Your BASH Are Belong To Us

Most of you are probably not aware of this story
about trade secrets and Bash scripts on HPC clusters
(I was not until a few months ago)


