How to Prevent IP Theft by Your Own Employees?
Cursed by USB asks: "We are a small software startup based in India. Recently one of our employees was caught trying to steal our IP (work) from a computer using a USB thumb drive. While all the staff computers are devoid of floppy drives, CD writers and internet connections, we simply cannot disable the USB ports since there are a lot of USB-enabled peripherals that we use. Apart from trying to hire "trustworthy" people, are there any other bright ideas that Slashdot readers might have in this regard to help prevent such theft from the workplace?"
I would suggest that you need to give up. At my last project thumb drives were getting passed around like crazy and nobody was worried about it, and this was a place where they wouldn't give us a network connection. Trust the people that work for you, sue those that screw you, and pay them enough that they aren't easily bribed. As others have mentioned, they have most of the info in their own heads already and there is nothing you can do about that, so make sure they want to stay.
Lasers Controlled Games!
On the contrary... I was just thinking about how much work I could get done without an internet connection.
Mostly by the lack of the same mechanisms... no e-mail, no slashdot, no websites... (lol) Nothing to do but focus on work.
Oh, wait - I'd need to lose the telephone and the rest of the drivelling idiots that work with me, too. (Or at least lock them out of my workspace)
I don't think this is such a bad idea... isolate employees' computers for work, and then give them a "communication zone" of PCs they can move to with network connections. Allow them one hour out of every four in the communication zone to do e-mail, surf the web, do research, etc. That's a great idea to increase productivity - especially in tech workers!
"Adventure? Excitement? A Jedi craves not these things."
Or better yet, write a service that detects when one is plugged in, and send a notification to a sys admin. It's not that difficult to do.
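An added sketch of the detection service suggested in the comment above (not part of the original thread): it assumes Linux workstations and reads kernel log lines, alerting only when a USB mass-storage device attaches so that ordinary peripherals such as keyboards stay quiet. The log excerpt, host name and function names are constructed for illustration, and delivery of the message to a sysadmin is left to the site's own mail or syslog setup.

```python
import re

# Constructed kernel log excerpt (dmesg style): a keyboard, then a thumb drive.
SAMPLE_LOG = """\
[  101.250113] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  101.250120] usb 1-2: Product: USB Keyboard
[  101.260442] input: USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/input/input5
[  245.850301] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  245.850309] usb 1-1: Product: Cruzer Blade
[  245.850312] usb 1-1: SerialNumber: CONSTRUCTED0001
[  245.860877] usb-storage 1-1:1.0: USB Mass Storage device detected
[  300.004510] usb 1-1: USB disconnect, device number 5
"""

FOUND = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
ATTR = re.compile(r"usb (\S+): (Product|SerialNumber): (.+)")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")


def storage_alerts(log_text, host="workstation-01"):  # host name is a placeholder
    """Return one alert per mass-storage attach; HID and other classes are ignored."""
    seen = {}    # bus-port -> descriptor fields from the latest enumeration
    alerts = []
    for line in log_text.splitlines():
        if m := FOUND.search(line):
            seen[m[1]] = {"vid": m[2], "pid": m[3]}   # new enumeration resets the port
        elif m := ATTR.search(line):
            seen.setdefault(m[1], {})[m[2]] = m[3].strip()
        elif m := STORAGE.search(line):
            dev = seen.get(m[1], {})
            alerts.append({
                "host": host,
                "port": m[1],
                "usb_id": f"{dev.get('vid', '????')}:{dev.get('pid', '????')}",
                "product": dev.get("Product", "unknown"),
                "serial": dev.get("SerialNumber", "unknown"),
            })
    return alerts


def format_alert(a):
    """One-line message for whatever channel reaches the sysadmin (mail, syslog, chat)."""
    return (f"USB storage attached on {a['host']} port {a['port']}: "
            f"{a['product']} [{a['usb_id']}] serial={a['serial']}")


if __name__ == "__main__":
    for alert in storage_alerts(SAMPLE_LOG):
        print(format_alert(alert))
```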
It doesn't reduce productivity, it destroys it. With the CIA, you can be working on, say, the IRA, and not actually need information about Quebec. (I switched to the CIA because I can actually make up examples...I don't know 90% of what the NSA does at all.)
If you're programming, either someone needed to create a hell of a lot of documentation, or you need to see code you're not directly working on. There's a difference between 'you only get one volume of the encyclopedia for the report you're writing' and 'you only get one quarter of the blueprint of the car you're designing'.
And a lot of the CIA's need-to-know works simply by honesty and auditing. People are expected not to learn things they don't need to know, and if they start doing a lot of research into things they don't need to know, auditors start looking closely. That takes a lot of resources and a very formal classification of data, along with very dedicated employees. (Which I'm suspecting is his problem, right there.)
Now, obviously, if something is in an entirely different project, you don't need to see that, but that, frankly, is obvious. If someone's worried about security and hasn't thought of that, they should just give up.
Military contractors get subject to the same scrutiny as the intelligence community. (Although obviously they do a lot less research through classified data.) But this guy is in India, so I doubt he's a military contractor, and certainly not for the US military.
And, yeah, the reason so few source code thefts happen is that a) you'd get sued into the ground, along with b) source code is, sadly, still nowhere near as reusable as it should be, and c) sometimes it is stolen, and no one learns about it.
If corporations are people, aren't stockholders guilty of slavery?
If you're programming, either someone needed to create a hell of a lot of documentation, or you need to see code you're not directly working on. There's a difference between 'you only get one volume of the encyclopedia for the report you're writing' and 'you only get one quarter of the blueprint of the car you're designing'.
I disagree. For modern programming, excessive exposure serves more to hinder productivity. That's why complex systems benefit from OO development; knowing how a part is used doesn't mean having to know the details of how a part works. A clear boundary between your code/responsibility and that of others means it's not only simpler to track down errors, but it also goes a long way towards keeping it from all walking out the door (and allows you better figure out who did take any parts that do leak).
And, yeah, the reason so few source code thefts happen is that a) you'd get sued into the ground, along with b) source code is, sadly, still nowhere near as reusable as it should be, and c) sometimes it is stolen, and no one learns about it.
I've contracted at a lot of places, and I'd say it's mostly 'b'. That's also why seeing others' source is usually counterproductive. I can't count the number of times I've seen stuff and asked myself "How can you run a company on code this shitty?" The fewer messes you're exposed to, the less extraneous cleanup you're tempted to do. The additional benefits you get by thwarting would-be thieves is just icing on the cake.
In theory you can churn out little blocks of code that others put together.
In reality, that's very difficult, and requires fundamental shifts in methodology and a complete rewrite of any existing project. And a very large investment at the start figuring everything out, which is near impossible.
Almost everyone who thinks they do that just fake it. There are probably a few modules with well-defined input and output, but trying to manage everything to that level, from the start, would require a year of work between design and implementation. Hopefully something like that emerges organically, but having it from the start is different.
And all that does is shift your 'IP' up one level. Now the important thing is the amazingly well designed spec document. Yes, fewer people have access to it, but OTOH it's much easier to use if stolen, and it's not even copyright infringement, or at least not provable copyright infringement.
And it's still going to kill productivity. Programmers are going to spend all their time looking up exactly what other people's code is supposed to do, never quite knowing if the other code works correctly, and waiting forever for compiles, which they have to do remotely as they don't have the whole source tree, and thus can't do incrementally...
If corporations are people, aren't stockholders guilty of slavery?