
Re: Java & Netscape security [NOISE]

Alice de Nonymous writes:
> > Fred is right. I used to work for Goldman Sachs & their internet usage
> > policy stated that when you write to Internet or Usenet from a GS account,
> > it will reflect on the firm no matter how you disclaim it.

> I think this is true, and is where we start to get into reputations and
> trust.
> If someone from Goldman Sachs posts to a Usenet group discussing abortion
> or gun-control, and says that: "These opinions are my own and not my
> employers."  Then, we can accept that, no matter how silly their opinions
> are.

Unfortunately, most employers won't accept this. A couple of years ago Sun
Micro fired Philip Stromer for posting homophobic jokes to Usenet. A good
friend of mine was fired from Microsoft for sending politically incorrect
articles to a Ukrainian mailing list. (He was born in Ukraine.) Someone
complained to MS and he was axed. Interestingly, most of his offensive messages
came from his CompuServe account; only a couple of tamer ones were from his
microsoft.com address. The complainer and Microsoft apparently felt that since
he was known to work for Microsoft, it didn't matter that he posted mostly from

I think Goldman's policy on Internet use is pretty reasonable. I'm attaching
at the end a couple of interesting e-mails that explain their philosophy.

> But there is a difference in the way we look at it if someone from Goldman
> Sachs posts to misc.invest.stocks instead and says that the Goldman Sachs
> Strip Coupon Fund is better than the one from Merrill Lynch -- that it's
> safer and produces higher returns because Goldman uses cubic spline
> interpolation methodologies to interpolate the yield curve, while Merrill
> Lynch doesn't.  There is a difference here.

Hmm... If it looks remotely like marketing, it'd better carry the usual
disclaimers that past returns are no indication of future returns etc. :)

> In the first case, the poster is not commenting about anything to do with
> their work, -- it really is just one man's opinion -- while in the second
> they are actually commenting upon something their employer is selling.

Even in the first case, the poster is using a Goldman e-mail address, which is
comparable to using Goldman stationery to write a personal letter. If he says
something pro- or anti-gun/abortion that might antagonize a potential client
and cause him not to do business with GS, then GS is right not to like this.

> If the employee tries to add, "these opinions are my own, and do not
> reflect the opinion of my employer" then we have a huge credibility
> problem.

I think these disclaimers are just silly and can't be taken seriously.
If he posted an article to alt.sex.pedophile discussing his desire to have
sex with children, surely this would reflect on Goldman no matter how he
disclaimed it, and he would deservedly be in trouble.

> You really can't have it both ways.  You can't post officially and
> unofficially at the same time, unless it really does have nothing to do
> with your work.

Goldman's policy seems to indicate that if you post from a commercial
ISP and don't claim to speak on behalf of Goldman, they don't care what
they say. This is better than some...

But consider this hypo. Joe Shmoe, an analyst with GS Research, posts an
article to misc.invest.* saying that he likes stock XYZZY. He posts from
another ISP and doesn't mention that he works for Goldman. But one of the many
kooks that invest misc.invest.* recognized Joe and shouts: *LOOK! THIS IS JOE
SHMOE FROM GS RESEARCH! *. At which point, the readers take Joe Shmoe's
postings much more seriously, and Goldman asks him whether he's put XYZZY on
the restricted list. (Disclaimer: I definitely don't speak for Goldman and am
just supposing what might happen in a situation like this :)

> If you post from Sun Engineering, and you are posting to a group that
> focuses on Sun, and you are talking about a Sun product, then people are
> going to take your comments as an official statement from Sun. You are
> that product's spokesperson, whether you disclaim or not, and should act
> accordingly.  No matter what, that's the way people are going to see it.

I would venture as far as to say that if you post from Netcom, but are known to
work for X, then you have much more credibility speaking about X's products or
future plans than some unknown person. Your reputation is thus both enhanced by
X and partially owned by X. X would be within its right to ask you not to speak
about X's affairs in public. The readers would have the right to assume that
you know more about X's affairs and decision-making than someone from the
street. Greater credibility carries with it greater responsibility, both to X
and to the readers. If you want a reputation that's independent from X, you
could get an ISP account under an assumed name, or post via an anonymous
remailer, and build a reputation from scratch.

Here are a couple of quotes regarding Goldman's Internet usage guidelines:

Date: Wed, 10 May 1995 12:35:49 -0400
Resent-From: [email protected] (DLV)
From: Gary Schermerhorn <[email protected]>
Subject: Internet GuideLines
To: [email protected]
Message-Id: <[email protected]>
Mime-Version: 1.0
X-Mailer: Z-Mail (3.2.0 06sep94)
X-Mailer: Mozilla/0.96 Beta (Windows)
Content-Type: text/plain;  charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Many of you have asked me for the firm's Internet Guidelines.  I have
attached them below.  Call me or Hans if you have any questions.

> Internet Access (including Internet mail)
>     ------------------------------------------------------------------------
> The Firm has clear policies on the appropriate usage of computer
> resources listed in a pamphlet entitled "The Keys To Information
> Security". This pamphlet is distributed to all new employees during
> their New Employee Orientation on the first day of employment. The
> policy in part:
>      Goldman Sachs' computers and software should be used for
>      business purposes only. Software and data created on Firm
>      systems or by Firm employees are the property of Goldman
>      Sachs. Only authorized use of the systems is permitted.
> You should be aware that unauthorized use of the systems may result in
> disciplinary action by the Firm, possibly including termination.
>     ------------------------------------------------------------------------
> Q: What does "for business purposes only" mean?
> A: It means that except for de minimis personal use, you should only
> use the Internet (including Mosaic and Internet mail) for tasks
> related to your job function.
>     ------------------------------------------------------------------------
> Q: Does this mean I cannot browse the Internet unless I know what I'm
> retrieving?
> A: The Internet is a resource beyond comprehension; even some of the
> Firm's veteran Internet surfers do not know about most of it. Browsing
> the Internet while looking for business-related resources is
> acceptable. Browsing the Internet with the intent of looking for
> non-business-related resources (such as the latest copy of Tetris) is
> not acceptable. Using the Internet to retrieve recreational pictures
> and other non-business items is not acceptable.
>     ------------------------------------------------------------------------
> Q: What if I have an Internet application I want to use that isn't
> currently supported?
> A: Consult with the Information Security group ([email protected]).
>     ------------------------------------------------------------------------
> Q: How does anyone know what I look at on the Internet?
> A: All Internet services leave an audit trail which is kept by the
> Information Security group. This logfile can be requested by your
> manager.
>     ------------------------------------------------------------------------
> Q: Why is the Firm concerned about Internet access?
> A: There is a charge to the Firm for the Internet use time. Other than
> de minimis personal use, non-business use constitutes theft of Firm
> property.
> In addition, many Internet applications (especially Mosaic) can
> potentially consume large amounts of network bandwidth. This has a
> significant impact upon your environment and can consume limited
> shared resources such as bandwidth and CPU. Heavy recreational usage
> of Internet services could consume bandwidth needed to deliver
> critical business data.
> Furthermore, certain accessed materials such as sexually-oriented
> materials may be offensive to others to whom it is visible.
> Finally, when you send mail or news out to the Internet from a Firm
> system, you not only leave a trail throughout the Internet with the
> Goldman's name on it, but you also provide people on the Internet with
> an impression of Goldman, regardless of how you disclaim it. Plainly
> put, do not use the Internet (including email and news) for
> non-business related work.
>     ------------------------------------------------------------------------
> Q: How does this apply to Internet mail?
> A: Internet mail follows the same guidelines as Internet connections.
> You should not use Internet mail for purposes not related to your job
> function. One example of an appropriate usage would be for a system
> administrator to use a mailing list to learn more about a particular
> software package, such as Kerberos.
> An inappropriate use would be if you joined a list of bicyclists in
> the area and had that mail sent to your email account at work. Such
> mail is not related to your job-function (unless you happen to be the
> Goldman Investment Research Analyst assigned to bicyclists on the
> Information Superhighway).
>     ------------------------------------------------------------------------
> Q: So is it okay to correspond with clients through Internet mail?
> A: Communicating with clients is carefully controlled by the
> Compliance people for your business unit. You should obtain the
> same internal approvals when sending email to clients over the
> Internet as you get when sending paper mail to them. If you have any
> questions, check with your Compliance person first; do not send email
> to a client with the intention of resolving these issues later.
>     ------------------------------------------------------------------------
> Q: What about Usenet news and mailing lists?
> A: When you post to Usenet news or send mail to a mailing list, you
> are providing an impression to the world of Goldman. Even if you
> "disclaim" what you are saying as "only your opinions", anything you
> say will continue to reflect on the Firm. Do not use news and mailing
> lists for personal or non-business purposes.
>     ------------------------------------------------------------------------
> Q: I really want to play with the Internet without all these
> constraints, what should I do?
> A: There are dozens of businesses that provide personal connections to
> the Internet for a very low cost (between $10 and $30 / month). If you
> want to explore the Internet, purchase a membership for one of
> these services and explore the Internet on your own time, without
> using Firm computers or networks.
>     ------------------------------------------------------------------------
> Q: Where should I go if I have more questions?
> A: Your supervisor can help you determine what Internet resources may
> or may not be related to your job function.
>     ------------------------------------------------------------------------
> Unix Information Security Staff / [email protected]

Date: Mon, 08 May 1995 12:09:27 -0400
From: Gary Schermerhorn <[email protected]>
Subject: Internet Usage
To: [email protected]
Message-Id: <[email protected]>
Mime-Version: 1.0
X-Mailer: ZM-Win (3.2.1 11Sep94)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7BIT

Just a reminder about Internet usage policy; Please read the 'Internet Access
Policy' statement, which is available on the GSAM Home page, or email me and I
will send you a copy.

ALL World Wide Web accesses are monitored against a list of known servers and
keywords which are understood to be inappropriate.  This list is available to me
each month.  You should all avoid Web access that will end up on this list.
Inappropriate use of the Web is equivalent to inappropriate phone usage (e.g.,
900 numbers).

Please read the Internet Access Guidelines.  Encourage your staff, particularly
new staff, to read them also.  The spirit of the guidelines is very clear.

Gary Schermerhorn                  ([email protected])
Goldman Sachs Asset Management
(212) 902-3344 (phone)
(212) 902-1384 (fax)


Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps