[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-xfs
Subject:    [OT] noatime
From:       Chris Wedgwood <cw () f00f ! org>
Date:       2004-02-02 23:51:46
Message-ID: 20040202235146.GC493 () dingdong ! cryptoapps ! com
[Download RAW message or body]

On Mon, Feb 02, 2004 at 02:55:34PM -0500, Greg Freemyer wrote:

> "Rob created a flat file export of the Customer Database on Dec 15,
> 03.  He accessed this flat file at 2pm, Feb 2, 04.  This is 2 hours
> after he was notified that he was being fired, so it is possible
> that he was making an improper copy to use outside the company."

I'm amazed that stands up in court for a regular filesystem on a
regular OS[1].  Lots of things mess with atime (some backup software
for example).

If you have permissions on the file you can trivially reset it by hand
if you wanted:

cw@pain:~$ ls -l --time=atime secret-stuff.doc
-rw-r--r--    2 cw       cw         144159 Aug  6 05:33 secret-stuff.doc
cw@pain:~$ touch -r secret-stuff.doc .timeref
cw@pain:~$ ls -l --time=atime .timeref
-rw-r--r--    1 cw       cw              0 Aug  6 05:33 .timeref
cw@pain:~$ cp secret-stuff.doc jokes.doc
cw@pain:~$ ls -l --time=atime secret-stuff.doc
-rw-r--r--    2 cw       cw         144159 Feb  2 15:42 secret-stuff.doc
cw@pain:~$ touch -r .timeref -a secret-stuff.doc
cw@pain:~$ ls -l --time=atime secret-stuff.doc
-rw-r--r--    2 cw       cw         144159 Aug  6 05:33 secret-stuff.doc


As a practical joke I once wrote a daemon that scanned proxy logs and
downloaded random mpegs into various people's home directories..
obviously this frobbed the atime and mtime to try and keep up the
illusion.

> Obviously the above is not rock-solid evidence of IP theft, but it
> is far stronger than if the access time was not available.

I would argue it's not very strong at all.



  --cw


[prev in list] [next in list] [prev in thread] [next in thread]