Slashdot Mirror
How to Prevent IP Theft by Your Own Employees?
Cursed by USB asks: "We are a small software startup based in India. Recently one of our employees was caught trying to steal our IP (work) from a computer using a USB thumb drive. While all the staff computers are devoid of floppy drives, cd writers and internet connections, we simply cannot disable the USB ports since there are a lot of USB enabled peripherals that we use. Apart from trying to hire "trustworthy" people, are there any other bright ideas that Slashdot readers might have in this regard to help prevent such theft from workplace?"
Perhaps you should just make them come to work in the nude? with a cavity search on the way out the door, aka South African diamond mines.
Of course anyone who could produce work worth stealing probally wouldn't work under those conditions.
The force that blew the Big Bang continues to accelerate.
Delete the USB mass storage drivers?
/usr/games/fortune
Deny them the rights necessary to install hardware on their workstations. If not for all employees, for the employees that have access to sensitive information.
Yes, my only tool is a hammer. And you're starting to look like a nail.
when it comes to avoiding intellectual property, I have this plan...but if I told you, I'd have to kill you.
-------
Support Indy Music. Buy
*tokes*
Honestly, do you think this is the proper forum for this question? The majority of the people here pirate everything. You'll probably have better luck at a site like corporatenazisyndicate.com or something.
or something else.
..of course, why would he need an usb drive to steal a 4 byte value?-)
it's possible to disable usb drives as well... some companies have done it. i'm pretty sure you can ask from microsoft how to do it.
but really, if the guy is a coder or whatever.. how are you going to make him not 'steal' your 'ip' which is most importantly ideas.
kick him in the nuts and pay the next guy better?
world was created 5 seconds before this post as it is.
One idea would be to protect yourself.
If so you can't stop them, all they need to do is compress the IP and email it out of the building. The best thing you can do is treat your employees well and when (not if) there is a problem deal with it accordingly.
Meddle thou not in the affairs of Dragons, for thou art crunchy and with most anything.
It's not a total solution, but GFI Network Security Scanner (used to be LANGuard) can scan for unauthorized USB devices and fire off an alert if it detect one on a scan. Demo available at http://www.gfi.com/lannetscan/.
Yes, my only tool is a hammer. And you're starting to look like a nail.
1. you said "IP" suggesting that it is a tangible thing that can be stolen
2. you implied that there is no such thing as trustworthiness in employees
3. you implied that you don't mind having untrustworthy employees as long as they don't affect *you*
Why should we help you? Do your own homework.
Think about it
No E-mail
No External resources (knowledge bases, slashdot)
Nothing
Frankly, I'm suprised you even can get people to work for you, I mean - wow, I haven't worked somewhere without an internet connection on my development machine for almost 15 years now. And it has been north of 20 since I haven't had an internet connection
Frankly, it is much easier to protect your IP, and go after the people that steal it... I mean really what is stopping someone from bringing in a micro hard drive and just taking the whole thing out.
I have mod points and I am not afraid to use them
Have your employees check their brains at the front desk so they can't walk out with snippets of code lodged in their lobes. Or perhaps you may be able to open your source and get help from people who will work on your technology because of interest.
Make an example of the person you caught. Sack them, give them bad references, and sue them for breach of contract... you did put a clause about this into their employment contract, didn't you?
I don't know what your local copyright laws are like, but surely they couldn't do anything commerical with the IP without violating them?
A pizza of radius z and thickness a has a volume of pi z z a
Like you said, hire people you can trust. Then foster a different environment, removing net connections, burners, and floppies is a good way to say, "I don't trust you." Why don't you embrace your employees, make them happy to work for you. Then maybe they won't steal, in fact, I would guess you'd see better productivity.
You've got yourself a self fullfilling prophecy there...
http://monkeyserver.com --- weeeeee
... and even then, it doesn't always work. In the extreme case, you can always copy code using a pen and paper. Unless you're thinking of introducting full cavity searches, you're spinning your wheels. Give up on this "prevention" avenue. Focus more on your hiring process, write up a strict code of conduct, and don't be afraid to fire employees who are caught violating these terms.
Just my $0.02.
Finally, the first US factory was built from plans a person memorized in Europe and wrote down once in the US. So if your employee is very smart, you can't stop him/her anyway. Hire truthworthy people and make it in their best interest to day. It is the only way to protect your business if IP alone can topple you company.
"Those that start by burning books, will end by burning men."
As long as your employees have access to your IP, there is absolutely no way to prevent them from "stealing" it if they are determined to do so. Period.
No amount of security will make your data safe. Data is easy to move, easy to duplicate, and easy to store. During the industrial revolution, American industrial spies stole factory plans from British firms by memorizing them. Unless you know how to erase a person's brain, there will always be a hole.
Technology is making this issue ever-more pressing.
You have two options:
1) Hire only trusted people, and trust them.
2) Don't rely on IP as a business model.
Option 2 may sound stupid, but it's really the only way in the long run. Sell a service, sell a product, but don't try to sell information. If the sole thing your company provides is data, someone will endeavor to get that data for themselves, and then you'll be boned.
A business that relies on the scarcity of information it holds internally can not survive. Even if your employees are all 100% trustworthy, outsiders will still vie for your data.
It may sound pessimistic, but it's the truth.
GeekNights!
Late Night Radio for Geeks!
Start -> Run: regedit
Find the following key:
This allows writing. Change the value to 1. This will prevent writing. Save your registry and reboot. Of course, it's always recomended to backup your registry before making changes.Allegedly, Longhorn will have this control without having to hack the registry.
Free MacMini
... but my employer has patented it.
staff computers are devoid of floppy drives, cd writers and internet connections
...
Do they have Email Access?
This takes not reading the article/blurb to all new lows.
The best way to prevent IP theft is to treat your employees with respect and give them no reason to steal your IP in the first place.
Putting in draconian security rules is just going to piss me off and keep me from doing my job effectively, and quite frankly, make me look for a new job.
Sounds like what you need is GFI LANguard Portable Storage Control.
Good product...I highly recommend it.
____
~ |rip/\/\aster /\/\onkey
--
Given enough personal experience, all stereotypes are shallow.
You should pay them partly with shares,
then they would only be stealing from themself
and their coworkers/Coowners.
Back in high school, I used to fix computers for people to make a little spending money. One time, I went over to this guy's house because his computer wouldn't boot. The conversation went something like this:
Me: Your hard drive is dead. You're going to have to buy a new one.
Him: How much will that cost?
Me: About $100, plus the cost to install it...maybe $130 total.
Him: That's way too much, can't you just fix it?
The moral of this story is that if you system is fundementally broken, there is no band-aid patch that you can apply that will make it un-broken. If you can't hire trustworthy people, you're going to lose IP. Maybe you can implement a few security procedures here and there to slow the rate of loss, but eventually, all your IP is going to walk out the door.
The caliber of your people is the primary factor in determining the sucess of a software company. It's not the tools, the technology, or the procedures...it's the people. If you can't trust your people to do thier job and do it well, you don't have anything. I'd start by fixing that problem, and after that you can worry about USB drives.
I'm sorry, next time I'll put a big ol' ASCII Monty Python foot in my comment, so you know I'm acting silly again.
You definately can prevent your employees from `stealing' things like code and data. It may not be 100% effective, but you can make it very _very_ difficult.
Think NSA. I certainly never worked there, but I imagine they're 1) very picky about who they hire, and 2) take security to the extreme, and 3) it's all backed up by serious legal threats. (I believe treason is still eligible for the death penalty, is it not?)
#2 is probably most interesting to those here. Physical security is extreme, with metal detectors detecting guns and hard drives, and enforced by men with guns. Things like USB drives (and even Furbies or cell phones) aren't allowed in at all, and I imagine there's spot searches for things like this.
Places like that often have two networks, a secure and an unsecure one. If you plug a computer into the wrong network, it never leaves the building again. The secure network has no access to the Internet whatsoever.
I imagine there's a lot more that they do, but I'm sure that there's web pages dedicated to this sort of thing if you want to read more about it.
Of course, even this isn't 100% effective -- but I imagine it's pretty close. Of course, it's also extremely expensive and restrictive, and few companies are probably willing to do this sort of thing to their employees -- but I imagine that a few do, perhaps to some key employees in key positions ...
Some problems just can't be solved with technology...
If you had super powers, would you use them for good, or for awesome?
I would suggest that you need to give up. At my last project thumb drives were getting passed around like crazy and nobody was worried about it, and this was a place where they wouldn't give us a network connection. Trust the people that work for you, sue those that screw you, and pay them enough that they aren't easily bribed. As others have mentioned, they have most of the info in their own heads already and there is nothing you can do about that, so make sure they want to stay.
Lasers Controlled Games!
...you can edit the following registry key to change the value of Start from 3 to 4. This will disable the USBSTOR.SYS driver preventing the use of USB filesystems. It will not disable other types of USB devices.
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR
1) Make it clear that you'll sue anyone who steals your IP
2) Make sure it's all clearly copyrighted.
3) Patent it (but don't tell anyone I told you to do this).
My Journal
Don't put up with this nonsense.
Set up security stations and look for people with USB drives. When you discover someone obscounding with IP, call an all hands meeting and cane the SoB. If caning is illegal in your area, just knock the guy to the floor and have the entire group stomp him. (This is also a teambuilding exercise)
Corporal punishment will assert your IP authority and eliminate other disiplinary issues.
Conformity is the jailer of freedom and enemy of growth. -JFK
I think the core difficulty here is that you think you have a technology problem, when what you have is a management problem. If you rule out hiring trustworthy people, and fostering an atmosphere that earns their trust, then you are just wasting your time. Think about this: do you think that putting in time clocks would make physicians (let's say) work harder ?
You also need to think about what it is that you are actually trying to protect. One defect (among many) of the term "intellectual property" is that it leads people to think by analogy with actual (tangible) property. If your IP is in software, what are you trying to protect: the typing of the code, or the ideas the code embodies? If it is the latter, you can't open your employees' skulls and remove the ideas from them.
I worked in, and managed, an investment management firm, where it was a truism that our most important assets walked out the door every night. You have to run the business so that people want to work there; so that they have fun, find the work and their environment interesting, and believe that they will be fairly compensated (financially and otherwise). It isn't necessarily easy, but then that's what you get paid for.
Yeah, right.
Fire all but your most trusted employees and outsource the rest to the US. I hear its all the rage in India.
Nobodies Prefect
Tidbits for Techs Technology Blog
...therefore, do the suggestions in other posts about NDAs and suing have any relevance?
Can't you just have the guy "accidentially" be eaten by a tiger or something?
Use a thumb drive? Lose a thumb!
Of course, that's difficult for the 3rd offense....
RHCE; are you certified? Karma: ambiguous.
I've used Securewave. It's pretty good, it lets you specifiy what USB devices are allowed and block everything else by default. You can also mirror data so you can audit what data people are sending. It works on USB, CD, Floppy, parallel ports, Serial Ports, and I think it does firewire too.
Once it's set-up it's awsome.
I don't work for them, I've just used their product and really liked it.
Cheap storage VM.
It would have to be a pretty big percentage for that scheme to work.
Let's say the employee is considering stealing $1000 (IP, cash, hardware, or equivalent) from The Company.
Pre-employee-ownership:
He owns 0% of The Company. So he gets $1000.
Post-employee-ownership:
He owns 1% of The Company. So he gets $1000, but effectively loses $10 of that. So he actually stole $990.
Give him 10%, you say? Wow. Okay. Doesn't sound scalable, but sure. So he'd still net $900 in his theft.
This won't work and it's exactly why even employees with massive ownership (e.g. CEOs) are still regularly caught pilfering from "their own" company.
Won't work. If the employee is a thief, he's a thief.
I have no idea what the job market's like in India, but one of the best incentives to work hard and behave ones self is to offer glowing refernces to those who conduct themselves honestly. As many people have already pointed out there's very little you can do to prevent ideas leaking from your company.
An aside: If companies could wipe employees memory when they left, every new hire would have as much experience as a graduate straight out of uni...
Instead of trying to fight IP theft, make the sharing of your software permissible and even encourage it. License your software under an open source license.
In the end, you'll realize that the cost of understanding the complete codebase is high enough that it doesn't make sense to try and "steal" the code once you open source it.
The radical sect of Islam would either see you dead or "reverted" to Islam.
The best method is to use linux and set it up securely. This would be pretty easy. Don't give users root access. Remove storage module from kernel. You get the point?
...before it was known as "The Internet".
I remember having near real-time email/USENET conversations with folks in Australia while I was in college in Texas, that is, circa 1978-83. After that, there has not been a span of more than a few months that I have not had at least a dial-up IP connection.
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
just have everyone pass through a ridiculously large degausser on their way out of the building...
Plus, everyone with any access to classified data has had all sorts of security checks done, and signed away certain rights.
And, like you pointed out, the NSA can back up security with physical force. You run out of NSA with a hard drive, even assuming you make it past their security (Which is military), you'll have more law enforcement after you than if you just robbed a bank. However, you probably won't make it out of the building...they will just shoot you.
Whereas if someone runs out of a company with a hard drive...well, if the company runs really fast, maybe it can get a court order.
While the NSA can secure their information from employees, that's a long shot from companies being able to do so.
I'm not exactly sure what 'IP' we're talking about here, anyway. Didn't these programmers create the 'IP' in the first place? This question really doesn't make any sense.
If corporations are people, aren't stockholders guilty of slavery?
From what I guess, and I only have limited program development experience, give each team/member partials of the total code. Granted, this will probably slow production or make for an interesting debug session. However, if you're developing something that you're truely worried about being leaked, having, for example, 30 employees with 1 part of the code each won't let them steal anything but that 1/30 of the total IP. So if that happens, so you're out a function, or whatever and you can hanlde his public flogging while the other 29 dutifully type out their 1/30 of the project.
With that, you have 1 guy do the total compiling/debug that you know/trust/guard/make come to work naked with regular cavity checks/etc. Heck, that could be you if you're truely paranoid about it...
Good things come to those who wait on the early bird who gets the worm... hey, wait a sec!
If you don't use windows you can disable the USB. You can also cut the usb connections on the motherboards to physically disable the ports. You might also be able to do it in the BIOS and set a BIOS password.
The GeekNights podcast is going strong. Listen!
Ban camera phones and then hand out usb pen drives and laptops to employees and provide them with huge pipes to the internet.
That's the solution of the very large company for which I work, anyway.
-1: flamebait should really be -1: inciteful
Paid-for advertisements subsidize most of the IP we consume. Perhaps this hidden economy is what makes it so easy for people to really believe this nonsense.
Use *nix. Give the employees only the permissions they need on dumb terminals. Don't put a cdrom or floppy in the computer (to keep them from booting). Alarm the cases so they can't tamper. Install a key logger if you really don't trust someone.
We had a guy who we seriously didn't trust but we couldn't just fire him without cause. We did all the above and he wasn't able to circumvent the protections before we finally had enough evidence (on another matter) to fire him.
Let's review, shall we?
From the post: we simply cannot disable the USB ports since there are a lot of USB enabled peripherals that we use.
One solution would be to re-architect the systems to be completely terminal-services based. This way no data is actually on the client's system, except the window to the application.
Citrix for windows is the obvious choice, but there are ways to accomplish this with unix, Linux, and even mixing the two environment.
_______
2B1ASK1
Install EMP/HERF guns and degousing coils around the doors so any magnetic or solid slate device is destroyed upon exiting the building. Ban tinfoil and make sure not to employ anyone with a pacemaker. Tell everyone to leave their cellphones in their cars and use an internal VOIP system for communication. Make sure any company healthcare doesn't cover radiation poisoning/cancer so your premiums don't go up.
------ Take away the right to say fuck and you take away the right to say fuck the government.
Remove the USB mass storage device drivers. But that's already been mentioned.
Restrict the user access to the USB devices. This has already been mentioned too. You can do this really easily under Linux.
Why the fuck are you posting such a braindead simple question?
If you can't figure this one out on your own, then you probably don't have any IP worth stealing in the first place. And if you do, it's already long gone by now because you are this stupid. The smart people walked out with it weeks ago.
(And if the company works on military contracts, perhaps they CAN back it up with guys with machine guns. Maybe.)
Yes, it's expensive. Yes, it's not conducive to productivity. But it can be done.
Perhaps. Perhaps not. At my work, I have access to the source code for all our products, but the part I've contributed is exceedingly small (I'm in support, not development.) I guess I could steal it, but 1) who would want it? 2) I'd get sued into oblivion if I did, and probably end up in jail. It's not even remotely worth it. But physically, it would be easy.As for #1, `who would want it?', even our competitors wouldn't want it. They wouldn't touch it with a 10' pole, because if it was ever found out, they'd be sued into oblivion and they know it. No legitimate company wants that sort of exposure.
And even if a single person did write all of this code, if he does it for his employer, on company time, on company computers, it probably belongs to the company, not him. (The specifics would be lined out in his employment contract and other paperwork.) Yes, perhaps he could write it again for somebody else (though often NDAs prohibit that), but few large projects are one-man-shows anymore.
One of these: * Use thin clients * Use Linux. It allows you to make access to devices fine-grained * Use third-party commerical software (google for it)
my sstream of consciousness
Why do the employees want to steal the IP? Because they feel that they have no stake in the business, and they are just working for "the man". So they swipe some data to sell to a competitor because what have they got to lose?
If all the critical employees (i.e. those with access to the data) owned a non-trivial amount of the company, then they *would* have something to lose and would be much less motivated to try it. And they will work a lot harder and not leave after a year and (perfectly legally) deprive you of critical expertise.
If you take a look at history, this IP stuff is a new concept of companies trying to capitalize on every little thing. Historically speaking, one of the biggest times of invention in the U.S. was around the late 19th and early 20th century. And there was no such thing as IP.
If I remember my history correctly Westinghouse worked for Edison for a while and the Dodge brothers were working for Ford when they came up with their ideas for Dodge Motors (and actually sold Ford stock to get the capital to start Dodge). If current practice was in existance back then, we wouldn't have many of the things that exist today that make the world safer and more comfortable. What about Westinghouse inventing the air brake, we might all still be driving black model T Fords.
Also the best way to have your employees take care of you is for you to take care of them. This lesson was taught to me many years ago by a manager I had in retail sales. She really took care of her team and she was rewarded for her efforts. We never missed a sales goal and we won every sales contest in the district for two straight years.
I have little pity for people that treat professionals like kindergarteners and for people who think that they own everything that their employees think about. Treat your people right, give them opportunities to excel and fire the ones that break the rules. Don't punish the honest folks because of a few bad apples.
Look at the Bible for an example. God had Noah build and ark and eight people were saved while the rest of the world was destroyed. The wicked (or rule breakers) were the ones that were punished. Sodom and Gomorrah are another example, Lot and his two daughters escaped the distruction while the cities burned. Lot's wife was punished for looking back but not those with her that obeyed the rules. Why do people think that everything has to be uniform, what is wrong with rewarding those that excel and punishing those that fail to follow the rules?
I have no sig, does anyone have one to spare?
My Discrete Structures professor would have needed some private time after your logical breakdown of that sentence.
"Get a bicycle. You will not regret it, if you live." - Mark Twain, "Taming the Bicycle"
Coders write their code out on paper
Submit code
You key it in
Compile/run/return bug reports
Coders fix bugs
Repeat
Or else you can realize that no matter who it is, even your own family, there's always the chance someone will (at least try to) circumvent anything you put in their way.
I forgot what I wanted to say, but honestly, it was important.
Why not just disable USB flash drives and hard disks by removing the drivers?
But if your office is anything like mine, that is going to kill your workflow. I am always using my USB flash drive when I have to collaborate with my co-workers. Maybe your employees are the problem, not your computers? I take company IP home with me fairly frequently, because if I am enjoying what I am working on at the moment, I tend to take it to a coffee shop or park or whatever and work on it in my spare time for the fun of it.
But if it is your employees that are the problem, you have to take some blame with that - either you are hiring bad people, or you are hiring good people and then systematically crushing their motivation and integrity. I would _NEVER_ do work on the side for a company that locks down so tight. . . I'd be so annoyed with my employer that it would be impossible for me to be able to enjoy anything even remotely related to my job. I'd probably also lose touch with that subtle bond of mutual respect that makes me want to help rather than hurt my employer.
So maybe the solution is to be friends with your employees rather than enemies?
If we are to assume that the IP (work) in question is actually software code, then the whole questions is pointless:
Software is relatively easy to create.
Much more so the second time.
You could spend tons of cash and several months building, for example, an online game. Then I could come around, and re-create that entire thing from scratch, on my own, for virtually no cost, within a few days.
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
(1) Hire trustworthy people
(2) Hire people, keep them away from each other. Do not let them access to work theyve already done, and try to induce amnesia all the time. Assign a security guard to each person, and track their off-hour work to make sure they dont steal anything. And make SURE theyre scanned as they leave the building, and confescate all data-carrying media. Like SCO and Microsoft, keep a good legal team and sue people around who seem to do what you do.
Tough choices? Well in IT you have to make tough business choices, and the results will stick with you forever.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
It is because of this reason we have recently converted a 50 employee Broker-Dealer to Terminal Services. We are now able to lock down nearly ALL areas with the added benefit of only having to backup one or two servers. Another benefit is we no longer have to service the individual machines. As long as they can get online, they can get to thier info. They can only print to onsight printers and they cannot download or install anything themselves. This freed up alot of resources. More than we even expected.....
TIME is the Aether...
Snowcrash partially concerns that very idea. Some nasty side-effects though :-)
I've worked with people who worked for the NSA. You skipped a very important thing they do. They compartmentalize the information so that no one person can take anything of value.
So for example if you are solving a PDE you might not know what it is modeling and what the proper initial values are. They guy who knows the solution and the initial values doesn't know what its for. The guy who gets the answer knows what its for but doesn't know the PDE or the solution, etc... The net result is that its fairly hard. This btw drastically increases costs but they are willing to deal with that. Anyone outsourcing to India is highly cost conscious so I doubt they would have the same attitude about development costs.
It doesn't reduce productivity, it destroys it. With the CIA, you can be working on, say, the IRA, and not actually need information about Quebec. (I switched to the CIA because I can actually make up examples...I don't know 90% of what the NSA does at all.)
If you're programming, either someone needed to create a hell of a lot of documentation, or you need to see code you're not directly working on. There's a difference between 'you only get one volume of the encyclopedia for the report you're writing' and 'you only get one quarter of the blueprint of the car you're designing'.
And a lot of the CIA's need-to-know works simply by honesty and auditing. People are expected not to learn things they don't need to know, and if they start doing a lot of research into things they don't need to know, auditors start looking closely. That takes a lot of resources and a very formal classification of data, along with very dedicated employees. (Which I'm suspecting is his problem, right there.).
Now, obviously, if something is in an entirely different project, you don't need to see that, but that, frankly, is obvious. If someone's worried about security and hasn't thought of that, they should just give up.
Military contractors get subject to the same scrutiny as the intelligent community. (Although obviously they do a lot less research through classifed data.) But this guy is in India, so I doubt he's a military contractor, and certainly not for the US military.
And, yeah, the reason so few source code thefts happen is that a) you'd get sued into the ground, along with b) source code is, sadly, still nowhere near as reusable as it should be, and c) sometimes it is stolen, and no one learns about it.
If corporations are people, aren't stockholders guilty of slavery?
You should outsource to the US, where there are legal protections for IP. My understanding is that in India, there are none, or very few; so the only way to protect yourself is to restrict physical and logical connections to the work computer, since you can't prosecute after the theft has been accomplished.
And, as other posts have made clear, that's not possible against someone willing to breach security. Just ask the CIA.
--
$tar -xvf
All these people keep mention that thing's "may be different in India"... WHO SAID THIS GUY WAS IN INDIA?
I saw it once, as a joke...
I'll Find You Peer, If It's The Last Thing I Do!!!!
ITYM that after I erase a person's brain, there will always be a hole. There's a fantastic brain-erasing device, an implant made mostly of lead, about 9mm in diameter, installed at high velocity while the erasure candidate begs you please Ghod no. Costs about $0.35 per round^H^H^H^H^H implant, plus court costs.
Re-installing the OS after the wipe is something of a challenge---better to replace the entire unit, after showing it what happened to the previous unit.
This is not my sandwich.
Indian programming isnt worth a crap anyways.
No I didnt spell check this post...
Your code (and everybody else's) is not nearly as valuable as you (they) think.
> Think NSA
A friend of mine works at NDS (they develop smart card technology for, amonng others, DirecTV).
She told me that a part of her hiring process was a (voluntary) polygraph test.
look at the ASUS Pundit: it has a security key feature. This is not just an encrypted HD. Take the key out, the HD does not exist; take the HD: nothing but unstructured garbage, takes a long time to figure out I bet.
Put a 400G HD into it, have two, that's your safe. sure, to actually work on SW it has to be checked out. There's the weak point: your people. Once advice: corporate culture: pay them enough! Create a trusting environment, not just another body mill. Attract individuals, not low bidders.
If "Cursed by USB" had a brain, he'd engage the GPO to deny loading device drivers by particular groups of users. Since Windows easily supports this and drivers for thumb-drives are typically on the thumb-drives, themselves, this policy would be a great place to start.
Second place to start would be to fire the idiots who think they're higher than the corporate policy, then outsource their jobs to Americans who give a shit.
Third, WTF were you thinking? Indians, trustworthy? LOL... you actually used those two words in the same sentence??? That's funny... its like, here's my gun, here's my ammo, I know you hate me and want me to die, but I trust you.
Riiiiiiiiight...
We are a small software startup based in India.
Does something about this situation sound at all strange to anyone but me? Small start-up, taking strong security measures to lock down the developers' machines so they can't steal (presumeably) code they write while at work?
"Small start-up" means a group of up to perhaps a dozen college friends getting together to realize a shared idea. Although somewhere down the road some betrayal may occur and lead to a messy legal situation, it simply doesn't apply until the company no longer counts as a start-up.
Perhaps I just have a problem with the chosen wording, but this sounds like a deeper (and unspoken, as asked) issue than "how can I lock down my PCs to block removeable media".
The only real threat to your bottom line is that he'll come out with a competing product based on your IP. If he does that, you can send the lawyers after him with a clear conscience.
If he doesn't do that, then don't worry about it. He's not making any money at your expense, and you're saving money by not paying his salary anymore. Getting all paranoid and angry about this is just wasting YOUR mental effort.
"Great idea! We'll just make it so our software developers don't have access to the code. Then they won't be able to steal anything!"
The military already came up with a solution. I'll let all you braintrusts figure out what it was.
By outsourcing your labor force to the US, you can significantly reduce the amount of fraud by your own native-country employees.
All the Indian companies are doing it. It's becoming a trend.
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
...that releasing the code under the GPL is out.
I am very small, utmostly microscopic.
Im not quite sure how you would steal an IP using a thumb drive....
Please explain?
I worked somewhere where usbdrv.sys was not installed on the machines thereby disabling the abiltiy of placing a thumb drive in the machine.
Use static IP's instead so they can't be released.
0:)
Come on... the original article isn't a troll??????
Windows XP Service Pack 2 (SP2) introduces a new registry subkey that lets you mark USB-based storage devices such as memory sticks as read-only devices. This is a useful security capability that can prevent users from copying data from their systems and taking that data offsite via a USB device. To enable the USB write protection, perform the following steps:
o l\StorageDevicePolicies subkey. (Create the StorageDevicePolicies subkey if it doesn't already exist.)
1. Start the registry editor (regedit.exe).
2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contr
3. From the Edit menu, select New, DWORD Value.
4. Type the name WriteProtect and press Enter.
5. Double-click the new value and set it to 1. Click OK.
6. Close the registry editor.
7. Restart the computer.
To disable this change, you can either set WriteProtect to 0 or delete it.
You should be able to roll this out as part of Group Policy or a startup script.
IF in a Windows 2000/2003 domain. Remove admin rights and create custom ADM files to control USB access via group policy. You can set the USB ports to work, not work, work for read only disk storage or work for read write disk storage depending on the need of the user.
;USB Controller Security TemplateE NAME "Start"
N AME "Start"
x xxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
x xxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx n d another:l icies"
See below for examples and how you may want to modify them to fit your needs.
#if version = 3
CLASS MACHINE
CATEGORY !!USBDevices
POLICY !!usbehci
#if version >= 4
EXPLAIN !!Usbdeviceshelp
#endif
KEYNAME "SYSTEM\CurrentControlSet\Services\usbehci"
VALU
VALUEON NUMERIC 4
VALUEOFF NUMERIC 0
END POLICY
POLICY !!usbhub
#if version >= 4
EXPLAIN !!Usbdeviceshelp2
#endif
KEYNAME "SYSTEM\CurrentControlSet\Services\usbhub"
VALUE
VALUEON NUMERIC 4
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY
[strings]
USBDevices="HBS USB Security Settings"
usbehci="USB Controller Security"
usbhub="USB Root Hub Security"
Usbdeviceshelp ="Contains settings to control the behavior of USB controller. Enabling this setting will disable USB for all users."
Usbdeviceshelp2 ="Contains settings to control the behavior of USB Root Hub. Enabling this setting will disable USB for all users."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Heres ia another one:
CLASS MACHINE
CATEGORY !!categoryname
POLICY !!policyname
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
EXPLAIN !!explaintext
PART !!labeltext DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
END CATEGORY
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[strings]
categoryname="Restrict Drives"
policyname="Disable the USB Drive"
explaintext="Disables the computers USB Drive completely"
labeltext="Disable USB Drive"
Enabled="Enabled"
Disabled="Disabled"
A
CLASS MACHINE
CATEGORY "USB Storage"
POLICY "Write Protect USB Storage"
EXPLAIN !!USBhelp
KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePo
VALUENAME "WriteProtect"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY
[strings]
USBhelp="The setting will mark USB devices Read Only and should prevent writing to USB drives."
(And if the company works on military contracts, perhaps they CAN back it up with guys with machine guns. Maybe.)
I love guns - on a shooting range. If some company i work for decied, that machine guns are needed i will be out so fast. I would never produce anything and be scared to death every day.
Freedom or George Bush
USB ports will still be for other hardware- ok that can be easy to sidestep but if you want to block the ports somehow (including silicone)it's on to the next hole.
your slurping speed may vary:
cdburner? slurp
bootable cd reader? knoppix slurp
Parallel port? slurp
serial port? slurp
cel phone w/ serial/usb cable in modem mode? slurp
installable wifi card? slurp
cpu case access? slurp
internet acceess? slurp
able to xfer files to a less suspicious machine (like your manager's nice wifi capable laptop) and start at the top of the list? slurp
So now that all of that is nicely locked up, and assuming your server is locked up, a quick and easy attack would be right on your network wiring. Cut the cable somewhere and insert an access point, and/or a tiny switch and a pocket NAS for 'dump now slurp later'. access points hide easily.
How ambitiously do you want to persue it on the physical level? Management level is probably the right area to handle most of this problem, but this might be a US perspective. When our india based outsouce companies visited us for a tour they tried to steal everything they could! - production aids & instructions, email lists, software we used, memos!, tried to separate the group so some could escape the group and sneak off, etc. I busted one escapee using the copy machine and shoving papers in his jacket. He told one of the production workers that the owner told him he should copy all the things he requested and was quite smug when busted, but he only got things that looked interesting or were available other places. They required active observation and coralling during their entire visit. I'm sure if left alone with a computer they could probably employ any of the techniques listed above. Their attitude of this behaviour seemed to be 'that's business and we're being opportunistic'. I've had visitors try shady things before, but not as an entire group without some level of guilt. So since that is how 'business' is done with this company we manage their visits. 4 trained employees to 1 visitor to 'answer questions' and escort to/from bathrooms, monitors have fake work on them, etc. etc.
In Mexico, they were having problems with cops taking bribes. Now they pay them a lot better, and they have less of a problem.
... as much.
Hire trustworthy people, treat them well and pay them well - 1% above market rate if you can afford it - and they won't be tempted
For the few that do get through, termination with a negative reference and, if applicable, legal action is probably your best bet. Reasonable, non-intrusive practices such as eliminating USB mass-storage drivers or making them read-only might prove helpful.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
epoxy putty
My appologies to the bloke I stole this idea from. Sorry I can't remember the source.
Simple people talk of people, better people talk of events, great people talk of ideas.
which is what the term "Intellectual Property" tends to imply.
If you discover knowledge, and you claim you own "rights" to it, you deny me my fundamental right to know what you do, or to express that knowledge. You restrict what my intellect can produce; and recast it in terms of "property rights". That's why it's an objectionable term: it's deliberately named in order to favour the priveledge of the monopolist's discovery.
"Monopoly Granted As A Government Reward for Conceptual Discovery, Be That Discovery Accomplished By Sheer Dumb Luck Or By Careful Directed Search" is a more accurate term, but admittedly doesn't roll well off the tongue.
--
AC
It's a little difficult to give a good answer to this question. In the first place, what were his motives? Is he fairly compensated (which can be relative to his own opinion)? Does he have an immediate financial need? Does he have his own business/product in mind? How can you possibly know the answer to any of these questions? Get to know your employees.
It's not going to be easy and it's going to be directly related to how much you care about people in the first place, especially if you're a crapy employer looking out for the wrong #1. I'm in the process of reading a book called "The Customer Comes Second" (the book gives plenty of practical examples on how to treat your employees). I agree, the customer does come second, right after the employee. If that's the employer's attitude, then the employee will make the customer feel as good as you make your employee feel.
There are exceptions to to that rule, but that's not the point. You have to start with generalities because that's what will work most of the time.
From a technical standpoint, if you are able to limit who is able to mount any thing or the an USB device, then you'll stop that kind of copying. It should be somewhat easy in Linux, if automounting of USB devices is not present and that the mount command is not available to the normal user if the device is not specified in the fstab. Even then, under Linux, if the user is able reboot the machine, edit the boot loader (pass parameters to it), then they will have access. But, that is avoidable also.
Hope at least some of this helps.
If you need to restrict access, you can always do like my drug-addicted former employer did and breathe down everybody's neck. Of course, that's dishonorable, so perhaps chmod would be in your best interests. While it stems some of it, it won't stop people stealing the data from where they have access, so you basically need to give threats of legal action if they're caught. Not knowing what laws are like in India, I'd recommend checking with an attorney for this.
This sig no verb.
A determined company can do many of the same things that the NSA does. Sure, they can't really back it up with guys with machine guns, but they can probably have armed security guards.
You might want to check with your legal department on that one! Your armed guards have no right to shoot anyone!
Most countries make murder illegal, even for corporate gain. In those countries (like, say, the USA), you simply can't kill someone because he violated an IP agreement. (And India apparently doesn't have much in the way of IP law at all). In those countries where IP laws exist, violating them is a matter for the civil courts, not the criminal ones.
In most western countries, if you order a guard to pull the trigger on someone for merely violating civil law, then the guard goes to jail for murder, and you go to jail for inducing him to commit murder.
Sure, your company can still file a civil suit against the estate of the victim: but be aware that their relatives will probably be countersuing for damages (killing people is a tort, unsurprisingly). Your company will typically lose a great deal of money this way, plus losing three employees (one to the grave, two to jail). I submit that this is a poor way to run a company.
The NSA and CIA ares special cases: both are de-facto arms of the US military: charged with ensuring "national security", and legally empowered to override civilian rights wherever it is deemed necessary. They can get away with things you can't.
--
AC
I would go back to basics. Not to say sorting the USB problem isn't a bad idea though.
Trust isn't an easy thing to build but it is the basis of progress, power and wealth. I'm sure there's books on this sort of thing.
Allow employees to take what they will but if they make money from it then that's clearly violation.
Nothing works without trust I'm afraid. Your business is indepted to those employees who come in everyday. We are only fortunate that it is human nature to be more helpful that evil. If you can't trust employees then everything breaks down. It's probably the biggest problem you face.
As my dad told me: "Don't ever employ anyone"
Everytime I start work somewhere I immediately start looking around for ways to make the most of the situation and frankly, if it harms no one I'll do it.
> American industrial spies stole factory plans from British firms by memorizing them.
That's an old Republican Party trick. They're too lazy to actually do work themselves so they just steal from others. Just look at the current ruler of the US. He never created anything in his life. He never accomplished anything in his life. The only thing he has done is absorb the training from the Bush Crime Family. Only the Democratic party members are the ones actively producing something in that horrible country.
Be very careful whenever dealing with one of those people from the US. I have never met one that wasn't actively working to steal.
I see that you're running lastest o/s. And have a USB questions. You should reinstall everything and call back. Thank you for calling TECH-Support.
I see that you're running latest o/s v2 and have already reinstalled. Please remove the power supply from the CPU case. Only authorized users should be allowed to install a power supply. This will solve your USB question. Thank you for calling TECH-Support
I see that you're running latest o/s v2 and have already reinstalled. Removing the power supply is not an option. You don't have the latest releast, you'll need to upgrade. Thank you for calling TECH-Support
I see that you're running latest o/s v2 and have already reinstalled. Removing the power supply is not an option. You can disable the USB ports by, excuse me, excuse me, excuse me. I see you need the USB port for authorized users. Another option is to solder the authorized device to the USB port. Thank you for calling TECH-Support.
I see your system has shorted out, started a fire. Your unauthorized tampering has voided your support contract. Thank you for calling TECH-Support.
How about don't outsource our jobs to India in the first place ? Many of us slashdotters are jobless because of this upsetting trend to turn the software industry into a Nike sweatshop. You get what you pay for! Or if they're really that good, pay them the same money you'd pay an american or european programmer and maybe they won't be tempted to steal from you anymore. Common sense!
-Billco, Fnarg.com
Changing the Windows registry will not work.
Changing settings in Linux will not work.
You can hack Windows and hardcode the specific identifications of your USB devices into the code, and allow no other USB devices to function, if you want, but that still will not stop people.
One could easily bring in Knoppix, or something equivalent, and boot into an environment that doesn't share the restrictions.
Disable booting from CD in the BIOS? Most motherboards have a clear CMOS jumper. Maybe you could change the BIOS code, but then you could probably find another image on the internet and flash it again.
As long as these guys have physical access to the computer, a software solution will not work.
Just solder the usb devices directly onto the card, and epoxy the hole. When it comes down to it, even if one fails the price to replace isn't too bad.
I hate grammar Nazi's.
What good is your IP if they don't have anyone routing it to them?
pure FUD.
Here is some information..
Shows how much you know about India and outsourcing, moron!
But this guy is in India, so I doubt he's a military contractor, and certainly not for the US military.
No, but maybe he works for an an Indian call center. OK, it's a software company, so he's probably talking about source code, but maybe not (using the ambiguous term "IP" makes it hard to know for sure).
Two commercial solutions can do it no problem:
1) CSA ( Cisco Security Agent)
2) Tablus (www.tablus.com)
Tablus can also disable CD-R, copy/pasting, printing, screenshots, all sorts of other things.
once u've got ur usb devices (peripherals) attached, superglue the empty ones...or use fevicol. anything that would require someone to use a screw driver/knife to get the hardened gum out of the the ports. hopefully, someone having a go at their pc with a knife isn't considered normal...well, not at the office anyway, and would be noticed.
u'd also have to use a strong adhesive to make sure the devices already connected can't be _replaced_ with pen drives, etc. for temporary IP theft accessibility.
ps: there are alternatives to superglue. whatever u do use, just make sure there isn't some household thing they can use to disolve it easily.
post-preview edit: u could try looking for or making a program that makes loud noises on the PC speaker* if a device is attached or removed after having "saved" the hardware "profile".
*: i know that can be turned off so make sure ur program un-mutes and goes to max volume.
If you're programming, either someone needed to create a hell of a lot of documentation, or you need to see code you're not directly working on. There's a difference between 'you only get one volume of the encyclopedia for the report you're writing' and 'you only get one quarter of the blueprint of the car you're designing'.
I disagree. For modern programming, excessive exposure serves more to hinder productivity. That's why complex systems benefit from OO development; knowing how a part is used doesn't mean having to know the details of how a part works. A clear boundary between your code/responsibility and that of others means it's not only simpler to track down errors, but it also goes a long way towards keeping it from all walking out the door (and allows you better figure out who did take any parts that do leak).
And, yeah, the reason so few source code thefts happen is that a) you'd get sued into the ground, along with b) source code is, sadly, still nowhere near as reusable as it should be, and c) sometimes it is stolen, and no one learns about it.
I've contracted at a lot of places, and I'd say it's mostly 'b'. That's also why seeing other's source is usually counterproductive. I can't count the number of times I've seen stuff and and asked myself "How can you run a company on code this shitty?" The fewer messes you're exposed to, the less extraneous cleanup you're tempted to do. The additional benefits you get by thwarting would-be thieves is just icing on the cake.
Don't fuck over your employees. Don't lowball their salaries. Don't short them on vacation time. Be fair in the promotion process.
It's easier to keep employees happy than it is to monitor their every activity.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
You definately can prevent your employees from `stealing' things like code and data. It may not be 100% effective, but you can make it very _very_ difficult.
The world has changed and we all have become metal men.
In theory you can churns out little blocks of code that others put to together.
In reality, that's very difficult, and requires fundamental shifts in methodology and a complete rewrite of any existing project. And a very large investment at the start figuring everything out, which is near impossible.
Almost everyone who thinks they do that just fake it. There are probably a few modules with well-defined input and output, but trying to manage everything to that level, from the start, would require a year of work between design and implimentation. Hopefully something like that emerges organically, but having it from the start is different.
And all that does is shift your 'IP' up one level. Now the important thing is the amazingly well designed spec document. Yes, fewer people have access to it, but OTOH it's much easier to use if stolen, and it's not even copyright infringement, or at least not provable copyright infringement.
And it's still going to kill productivity. Programmers are going to spend all their time looking up exactly what other people's code is supposed to do, never quite knowing if the other code works correctly, and waiting forever for compiles, which they have to do remotely as they don't have the whole source tree, and thus can't do incrimentally...
If corporations are people, aren't stockholders guilty of slavery?
Make a few million bucks off of the blood and sweat of the working class and then try again.
In linux, it's possible to selectively enable USB drivers for certain typs of devices. The boxes we have at work will only support USB keyboards and Mice. Any other device won't be recognized.
It gets more complicated when you have network connections...
It's good to use your head, but not as a battering ram.
In reality, that's very difficult, and requires fundamental shifts in methodology and a complete rewrite of any existing project. And a very large investment at the start figuring everything out, which is near impossible.
Not true. I'm good at consulting precisely because I see the big picture, but also I see a very "organic" path to get there from whatever mess is the current state of affairs. Too many people seem to think everything is equally dirty and needs to be sparkling clean all at once. I'm not saying it's easy to "grow" a good solution, and there is often a bit of a paradox where you have crap old code as the foundation of nice new code, but I would say that not only is it very possible, it is very possibly the only way to keep a business from dying.
And it's still going to kill productivity. Programmers are going to spend all their time looking up exactly what other people's code is supposed to do, never quite knowing if the other code works correctly, and waiting forever for compiles, which they have to do remotely as they don't have the whole source tree, and thus can't do incrimentally...
Then that business just didn't partition the code correctly. Nothing's perfect, and you have to properly assign resources to get the right results. If you have some core code that is critical to your business and may be flawed, do you really want any junior coder with CVS access to be able to screw around with it in the name of a bug hunt, or do you want domain experts to be informed through regular channels that allow everyone to verify that the actual behavior and the expected behavior match?
All of this already exists in successful systems. Most companies don't need access to the source code of their OS in order to be productive. Most application developers don't need pour over the code to all the libraries they link to. Most GUI developers don't need to know more than the interfaces of the business objects they visualize. And the end user will script it all without even understanding that such black boxes exist. If you're not seeing that kind of thing where you are, you either need to fix it or get out.
Coding correctly in small bits and pieces is not the same as operating a 'Manhattan project' where everyone knows exactly what they are supposed to do, and has no ability to even see anything else. Just because you should treat objects as blackboxes you can't see inside doesn't mean actually making them blackboxes you can't see inside is useful.
In the real world, people realize 'Hey, we do this a lot. Someone write a function to do it and we'll add it to the spec'. That can't happen if you have no idea what anyone else is doing. Everyone would constantly reinvent the wheel. Unless you have some sort of God handing down exactly perfect specifications to start with, that get followed to the letter.
And we all know, 90% of development is finding the bugs, and the bugs that cause you problems aren't always magically located in your own code.
Like I said, if you're operating in that enviroment, people can't even compile their own code, because they don't have read access to all the code they need to do so.
If corporations are people, aren't stockholders guilty of slavery?
And, hell, half the time it's not even read access to the code that matters, what matters is reading the comments to see what takes what arguments, or looking to see exactly how they called some unrelated thing else so you can be consistent.
If dependence on an undocumented API is your concern, you have bigger problems than code theft. Or, briefly, your box is not black.
Coding correctly in small bits and pieces is not the same as operating a 'Manhattan project' where everyone knows exactly what they are supposed to do, and has no ability to even see anything else. Just because you should treat objects as blackboxes you can't see inside doesn't mean actually making them blackboxes you can't see inside is useful.
Again, I gave example after example that demonstrate is it not only useful, but often more productive. The assumption, of course, is that someone sees inside the box and takes responsibility for it working as expected.
In the real world, people realize 'Hey, we do this a lot. Someone write a function to do it and we'll add it to the spec'. That can't happen if you have no idea what anyone else is doing. Everyone would constantly reinvent the wheel. Unless you have some sort of God handing down exactly perfect specifications to start with, that get followed to the letter.
If the only way you have of discovering design redundancies is by manually scanning code, again, "bigger problems". It sounds like you've worked in some real crap environments.
Like I said, if you're operating in that enviroment, people can't even compile their own code, because they don't have read access to all the code they need to do so.
I have one word that will change your life: linking. Seriously, have you really been surround by such crap that proper development practices seem like fantasy? That and the whole "90% bugs" thing makes me think you must be joking.
You can disable usb drives. I found this out when one of our support techs could not use one to load a file I gave them on to their computer. Frankly It bothers me just a little bit since it seems useless. Nothing would stop them from using a Gmail account to mail the stuff to themselves. Sigh... Being a developer my machines have no limitations on them.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
A determined employee will always be able to find a way to sneak information out of your door, and the more you irritate and harass your employees by treating them like children, the more likely it is they'll want to do so!
Let's say you manage to permanently disable all usb storage device drivers in the building, and every machine is in a padlocked cage and set up to trigger alarms if anyone tries to mess with the hardware, and you've got every network connection rigged to alarms so that no one can remove a cable and insert a recording device.
A determined thief will still find a way around it. Maybe they'll sneak in a digital camera and film a bunch of screen shots. (How long would it take to display all the code you care about at ten screens-full per second? Not long enough, I suspect.) Or maybe they'll create a hardware malfunction and use that as cover to get their hands on a hard drive or to insert a logger somewhere. Or maybe they'll take the most interesting bits, compress it, turn it into ascii, and print it in place of pages 51-74 of a new equipment manual before sneaking it out in their pockets. Or perhaps they'll just show up around midnight with bolt cutters and do it the low tech way.
Or, if your IP is really novel and interesting, they'll simply remember important parts and sell them to someone else willing to flush out the details in their own way.
Unless you've got brilliant and scrupulously honest security people and you're willing to make the lives of your employees miserable by passing them through metal detectors on the way in and out of the building, and every scrap of media in the office is locked up at all times before being securely destroyed, and none of your employees are ever permitted to send any material anywhere in any format, you're out of luck.
That isn't to say you shouldn't discourage people from removing material. Sternly telling them not to take a bit of work home with them on the weekend is one thing. But once you've made it clear that they're forbidden to do so, trying to outwit the determined thief is bound not only to fail, but also to irritate your trustworthy employees.
Trust is something that is hard to earn and easy to lose.
I assume you lock the doors to your house/car/caravan/accomodation when you leave?
Isn't that just treating you neighbours as "untrusted criminals to try and prevent the 1% who are criminals and might steal your [stuff]"?!
It sucks, I know. I remember when we had to start locking our family car and our house. My dad had his wallet stolen from the car one night.
Now, I sometimes lock the house when I'm in it.
What a world!