Confidentiality Agreements & Self-Promotion
DustyBlue
Member Posts: 9 ■□□□□□□□□□
Hi all,
I'm curious as to what users of the forum do to increase/promote their online brand and how do you avoid trouble with current/past companies regarding confidentiality and work-product?
I have a very small footprint online currently consisting mostly of a few cross-references or common aliases/account names to my Facebook, my LinkedIn and my domain (which is used for a number of things behind the scenes but publicly appears as email only).
There is of course public record information out there when you search for various pieces of my PII and some old bits of information out there that can be found when you google some of my information but for the most part, I've kept my overall online presence to a minimum while keeping separate and segregated accounts for security/privacy reasons both from penetration of various sites by hackers and/or the ability to follow the small, seemingly unrelated and innocuous PII digital breadcrumbs we all inevitably seem to leave behind back to their source and through that, the discovery of other pieces of PII.
In addition to my security concerns, I've also never understood the appeal of Twitter and the like, I doubt I ever will and I don't see myself using the service any time soon, if ever. Sorry but my life and your life are just not that interesting, the news is available elsewhere and I don't really care what celebrities do with their day... I'll give you a hint, it's often not all that different from ours; they wake up; they get ready; they eat; they go to work; they work; they come home; they relax and they do it all again tomorrow, for the most part, just like the rest of us.
That being said, I have been considering trying to improve my online "brand" and ways I might go about doing it. I was giving some thought to sanitizing and documenting out (style to be determined but current considerations are a private forum, a blog, wiki or custom webpage) some of the more interesting issues I've come across over time, including fixes, bits of code, scripts, one-liners and other configurations I've done in the past.
Like most people, I generally keep a running record of information and issues I work on so I can refer back to it later if needed. For a long time, I kept this information in a private me-only server but the private server did not make it back online following my last move so when my co-worker and I were discussing an issue I knew I had run into previously, I had to refer to hardcopy.
As I was going through the papers, I kept thinking how I really needed a better organizational method and how even my old private-only site was limited as there were no tags or other easy ways to sort/search through the data. Since I didn't want to spend all day going through papers, I also took to searching Google but I wasn't all that hopeful... It was one of those esoteric problems where limited documentation was to be found when I originally had the problem and fewer people still had documented their solutions to the problem online... So imagine my surprise when the first site to pop up had the exact answer I needed... Imagine my further shock to learn that the author is (loosely) a former co-worker (we worked in the same department but different divisions, different shifts, days, customers, etc) and that the sanitized documentation was extremely close to my original documentation.
I don't want to get into a debate on the page itself or its contents. It's possible they found the solution on their own and I'm going to give them the benefit of the doubt on that despite the esoteric nature of the issue. Ultimately, it's not important.
What is important is how he was able to post this information. At every employer I've worked with, I have signed some form of confidentiality agreement, some form of agreement regarding the company's ownership and/or right to retain work-product, intellectual property and patents and though I have always declined signing non-competes, I have been presented with a fair number of them.
Such confidentiality/work-product agreements are pretty common and as a result, I have always avoided releasing even sanitized versions publicly for security reasons and to avoid any accusations of impropriety or theft of company property/work-product and yet there also seems to be no end to blogs and posts out there that follow a similar theme/topic demonstrating how-to's, code snippets, full scripts and other problem resolutions that often were resolved while under the employ of a third party.
In the past, I have avoided releasing even sanitized versions of information publicly out of security concerns regarding what information may be missed during sanitization or otherwise inferred despite the sanitization and what can be learned about the deployment from the configuration even after sanitization as a result. Together with PII breadcrumbs that are impossible to completely sanitize, posting a configuration publicly is increasing the security risks of that system even
So how do you redress and reconcile the posts with applicable policies of your past or present employer? Has it ever caused you issue with an employer past or present or have you ever been asked about it in an interview?
Comments
-
Danielm7 Member Posts: 2,310 ■■■■■■■■□□
In addition to my security concerns, I've also never understood the appeal of Twitter and the like, I doubt I ever will and I don't see myself using the service any time soon, if ever. Sorry but my life and your life are just not that interesting, the news is available elsewhere and I don't really care what celebrities do with their day... I'll give you a hint, it's often not all that different from ours; they wake up; they get ready; they eat; they go to work; they work; they come home; they relax and they do it all again tomorrow, for the most part, just like the rest of us.
You seem to have a really skewed view of twitter. Not everyone follows the Kardashians. I follow people and companies in the security field mostly, there are interesting updates, I really don't care what someone had for lunch.
What is important is how he was able to post this information. At every employer I've worked with, I have signed some form of confidentiality agreement, some form of agreement regarding the company's ownership and/or right to retain work-product, intellectual property and patents and though I have always declined signing non-competes, I have been presented with a fair number of them.
There is a difference between, "I work at X company, here are the systems we run and how we configure everything!" vs. "I'm a security enthusiast, today I'm interested in X, here is a guide and some suggestions for hiccups I've found while setting it up."
You could make up a fake name or handle and use that for everything, of course if you want credit for doing all that when applying to jobs then you're going to have to tell the future employers that the fake name belongs to you.
-
DustyBlue Member Posts: 9 ■□□□□□□□□□
You seem to have a really skewed view of twitter. Not everyone follows the Kardashians. I follow people and companies in the security field mostly, there are interesting updates, I really don't care what someone had for lunch.
I know there are some interesting updates but it seems to be distinctly more junk than it is good things. Even those gems are usually just reposts of things that are found elsewhere...
What do you post on twitter?
There is a difference between, "I work at X company, here are the systems we run and how we configure everything!" vs. "I'm a security enthusiast, today I'm interested in X, here is a guide and some suggestions for hiccups I've found while setting it up."
So the former co-worker says I work at X company in Y role but nowhere does it in any way indicate that this is something encountered at the company.
But to me, you're splitting hairs... no matter what way you slice it, the end result still seems clear to me. A fake name or claiming to be providing "suggestions" for hiccups found while setting something up will not provide you any protection in court if it is linked back to you and the employer is pursuing a theft of work-product or breach of confidentiality agreement against you...
The only limitation to this comes in when you are dealing with certain "fixed" configurations where your work is no longer considered "work-product"
-
Danielm7 Member Posts: 2,310 ■■■■■■■■□□
I know there are some interesting updates but it seems to be distinctly more junk than it is good things. Even those gems are usually just reposts of things that are found elsewhere...
What do you post on twitter?
So the former co-worker says I work at X company in Y role but nowhere does it in any way indicate that this is something encountered at the company.
But to me, you're splitting hairs... no matter what way you slice it, the end result still seems clear to me. A fake name or claiming to be providing "suggestions" for hiccups found while setting something up will not provide you any protection in court if it is linked back to you and the employer is pursuing a theft of work-product or breach of confidentiality agreement against you...
The only limitation to this comes in when you are dealing with certain "fixed" configurations where your work is no longer considered "work-product"
I'm not sure what you're talking about posting online if everything you want to do you're considering a breach of confidentiality agreement. Say you work with Windows 2012 server, it would take about 8 seconds to find out what most companies are using for the majority of their systems, is it really a breach of confidentiality if you write blog posts talking about features on 2012 server? How about the same for Cisco routers? For scripts you wrote while at a certain job, you aren't supposed to, but many people take them with them. I wouldn't post them online though, I'm talking more general things and personal side projects. How about you just work on your LinkedIn profile and go to some local / in-person networking type meetups?
-
apr911 Member Posts: 380 ■■■■□□□□□□
I don't really post anything on twitter, you don't have to if you don't want to, you can just follow other people. Or, you can just not use twitter, it's not exactly a requirement, I'm a light user if anything.
I'm with Dusty a bit on twitter. There are plenty of people to follow with "interesting" posts but even those "interesting" posts are usually just news that has broken elsewhere.
I just haven't found reliable value in it, especially as a method to promote myself. You yourself aren't really "using" twitter... Following people is great but RSS feeds on most sites work well too and Dusty's point seems to have been more about not seeing the value in themselves, with a commentary on not understanding how it's so popular rather than arguing twitter is useless...
I'm not sure what you're talking about posting online if everything you want to do you're considering a breach of confidentiality agreement. Say you work with Windows 2012 server, it would take about 8 seconds to find out what most companies are using for the majority of their systems, is it really a breach of confidentiality if you write blog posts talking about features on 2012 server? How about the same for Cisco routers? For scripts you wrote while at a certain job, you aren't supposed to, but many people take them with them. I wouldn't post them online though, I'm talking more general things and personal side projects. How about you just work on your LinkedIn profile and go to some local / in-person networking type meetups?
For me, I'm a senior admin and the types of issues and things I've encountered that would serve value for the "community" are the esoteric items that don't seem to be readily found. Those are the things to me that I'd want to post. Any Tom, Dick or Harry can post how to configure an IIS page and yeah, it'd be hard for any company to claim a breach of confidentiality but the deep dive issues and esoteric things that would "promote" me... That's a bit harder to do without triggering a work-product issue
Currently Working On: Openstack
2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
-
DustyBlue Member Posts: 9 ■□□□□□□□□□
Dusty's point seems to have been more about not seeing the value in themselves, with a commentary on not understanding how it's so popular rather than arguing twitter is useless...
apr911 hit the nail on the head. Sorry if I confused the issue but I don't understand the appeal of twitter in general but on a personal front, I can't seem to find a way to utilize twitter in a way to promote myself and online brand.
-
joelsfood Member Posts: 1,027 ■■■■■■□□□□
There are plenty of valuable people and feeds to follow on twitter for IT purposes.
As to blogging, there's no reason you can't do that without violating a confidentiality agreement. I've done posts here and on my blog that in no way violate CA (my VMware/iSCSI post on my blog I couldn't even tell you which company it was anymore), but still manage to share valuable experience with others.
-
TLeTourneau Member Posts: 616 ■■■■■■■■□□
I don't use Twitter so I have no input there. As for work product, do you forget everything you've done for a company once you leave or do you utilize the knowledge gained in new positions? I know I don't forget how to write scripts and what resolutions to previous issues are. Work product is a funny thing when working with off the shelf platforms, even the deep dive issues. If, for example, you worked an issue involving multiple vendors and found an issue that was uncommon or new due to a bug introduced with a new release (or one of the thousands of other things that can happen when software interacts with other software and/or hardware) and was resolved by some registry modifications is that resolution covered by a CA as work product? I tend to think it's not in that circumstance and those are the kind of things that can be shared. Now if I write a custom script for a proprietary application then I may not want to share that. Just my opinion, for what it's worth.
Thanks, Tom
M.S. - Cybersecurity and Information Assurance
B.S: IT - Network Design & Management