How to Prevent IP Theft by Your Own Employees?

Cursed by USB asks: "We are a small software startup based in India. Recently one of our employees was caught trying to steal our IP (work) from a computer using a USB thumb drive. While all the staff computers are devoid of floppy drives, cd writers and internet connections, we simply cannot disable the USB ports since there are a lot of USB enabled peripherals that we use. Apart from trying to hire "trustworthy" people, are there any other bright ideas that Slashdot readers might have in this regard to help prevent such theft from workplace?"

Let me be the first to say...

[rednip]

Haw Haw.

Perhaps you should just make them come to work in the nude? with a cavity search on the way out the door, aka South African diamond mines.

Of course anyone who could produce work worth stealing probally wouldn't work under those conditions.

Re:Let me be the first to say...

[Directrix1]

Wow, the expertise must overflow from this place. Software developers who can't figure out how to restrict access from things. Remind me to never outsource.

Re:Let me be the first to say...

[j0nb0y]

Great idea! We'll just make it so our software developers don't have access to the code. Then they won't be able to steal anything!

Oh wait...

Re:Let me be the first to say...

[eoyount]

Who mentioned the GPL?

Re:Let me be the first to say...

[lobsterGun]

I replied to the wrong message.

Re:Let me be the first to say...

[xutopia]

as weird as this may sound I worked for such a company already.

The guy wanted us to write the logic in VB and he would then translate them in whatever language the real source code was in (I think it was C). I worked there 22 days before my direct boss (the crazy guy asking me to code in VB) fired me for being stuborn. I then worked for his boss which later fired him.

I really pissed off the guy by saying that he should plaster his name in the log files like that all the time and that he should try to rotate the logs or something cause it was causing problems filling up the 6 gig hard drives ou clients used.

Re:Let me be the first to say...

[Tassach]

Software developers who can't figure out how to restrict access from things

As others have said, this guy is having a MANAGEMENT problem, not a TECHNOLOGY problem. If you can't trust your professional employees, *NO* technological fix is going to solve your problems.

Creativity and productivity are the two things a startup company, particuarly a software startup, needs the most. Draconian security kills both of these. Likewise, oppressive NDAs and a corporate attitude of mistrust are not going to build loyalty among your employees.

If you don't want your programmers to steal "your" code, treat them like PARTNERS, not EMPLOYEES. There's not much incentive to steal from yourself.

Re:Let me be the first to say...

[Glonoinha]

I would imagine it's not the code, it's the data.
Who cares about a hundred thousand lines of poorly written code when they could walk out with the personal and financial information for 50,000 customers of Dell, IBM, Sears or Citibank. A single 1G USB drive will let someone steal the identities of a zillion people, as was recently reported here on /. - for some of that highly profitable identity theft we keep hearing about.

How about

[adamjaskie]

Delete the USB mass storage drivers?

Re:How about

[jakel2k]

Deleting the drivers would be good but what about internet access? It might be required to do work since the internet is one of the best tools for research and coding.

There are many things that can be done and it all depends on how far you're willing to go.

The first thing is fire the employee and make it known that this person was FIRED for IP theft. Also prosecuting this person to the full extent of the law will also send a message to other staff.

Send out a memo stating that discovering ANY storage media that has been brought in from outside will result in immediate investigation of what is on the media and can be grounds for termination of employment and prosecution. Having people sign NDAs also help with the theft. These things are intimidation and to show the company is serious with this matter.

Then there is the physical side of things. You might consider getting the computer looked in a box with holes for wires and vent holes. Of course you would want trusted members to have keys to access the box. Also security plates just to cover the USB openings might be a valid option.

There is no 100% protection against this. Even the human brain is a storage device and to proect from that you would have to basically lock the employees in the ofice to do the work and after they're done, kill them.

Re:How about

Or better yet, write a service that detects when one is plugged in, and send a notification to a sys admin. It's not that difficult to do.

Re:How about

[the+Man+in+Black]

Even the human brain is a storage device and to proect from that you would have to basically lock the employees in the ofice to do the work and after they're done, kill them.

I seem to recall an oil developer developing a solution to this little issue. Something about ancient Babylon and namshubs. *shrug*

Re:How about

[jakel2k]

Lockers would be a good idea and the ability to be able to lockdown the office area is also a factor. Having the lockers in an open area viewable by everyone in the office might be the best solution. If the employee says they want to listen to music, then state that company policy is the NO media is allowed in that room/section and offer a music database for them to use, (make sure you deal with the legal issues with this as well.)

The company can state that these measures are in place because of the one person. Think of the policy for alcohol at work. You forgot to leave your opened bottle of wisky at home and brought it to work, do you think work would be forgiving then? Warnings can also be used and would be at the discretion of the supervisor / company.

Re:How about

[tomjen]

It is very difficult, as the article summary stated - the computers are devoid of internet access.

If you can make a computer with no internet access send email to anybody - i salute you as the biggest geek on the planet

Re:How about

[spooky_nerd]

"Then there is the physical side of things. You might consider getting the computer looked in a box with holes for wires and vent holes. Of course you would want trusted members to have keys to access the box. Also security plates just to cover the USB openings might be a valid option. " That's a pretty good solution. They did something like this in the call centers at AT&T Wireless. The only downside was having to open the box everytime some idiot moved the keyboard and accidentaly unplugged it.

Re:How about

[wizzy403]

The first thing is fire the employee and make it known that this person was FIRED for IP theft. Also prosecuting this person to the full extent of the law will also send a message to other staff.

The problem is, THERE ARE NO IP LAWS IN INDIA! Let me say that again... THERE ARE NO IP LAWS IN INDIA! You can't prosecute the person, because according to Indian law (where the poster is located) this is not illegal. Definitely something management should think of (but sadly, doesn't) when outsourcing...

Re:How about

[jakel2k]

Even if there are "NO IP LAWS IN INDIA!" The guy can and should get his ass fired and EJECTED from the company. The guy was doing something he know he shouldn't have been doing. Once again it is up to the company to make this guys life miserable as they can.

Re:How about

[innosent]

now where did I put that telegraph plug-in for exchange? No, seriously, you could do that (at the low end-dit-dah), or something like uucp (which is probably the more traditional way of non-internet email)

Re:How about

[batemanm]

If you can make a computer with no internet access send email to anybody - i salute you as the biggest geek on the planet

He didn't say that it didn't have network access just that there is no Internet access. It is quite possible to send email on a local network which is detached from the Internet at large. After saying that we don't actually know if they do have a local network.

Re:How about

[computational+super]

Nah, too much system administration. Just cut off their hands when they start working for you - then they can't put USB drivers into anything.

Re:How about

[Glonoinha]

Yea, that would pretty much protect the data and code from being GMail / Hotmail / XYZ-Random-WebMail'ed out.

Principle of Least Privilege

[Glamdrlng]

Deny them the rights necessary to install hardware on their workstations. If not for all employees, for the employees that have access to sensitive information.

well...

[schnits0r]

when it comes to avoiding intellectual property, I have this plan...but if I told you, I'd have to kill you.

dumb terminals?

[gl4ss]

or something else.

it's possible to disable usb drives as well... some companies have done it. i'm pretty sure you can ask from microsoft how to do it.

but really, if the guy is a coder or whatever.. how are you going to make him not 'steal' your 'ip' which is most importantly ideas.

kick him in the nuts and pay the next guy better? ..of course, why would he need an usb drive to steal a 4 byte value?-)

One idea

[DamienMcKenna]

One idea would be to protect yourself.

Re:One idea

[SunFan]

I don't see how this would protect them, as copyright protection doesn't imply protection of trade secrets, which is what the submitter is probably concerned about. The only real protection for trade secrets is trusting employees, and an NDA might be appropriate in the employment contract. The key isn't to remove all of the technology from the offices, but to create enough dis-incentives to prevent the employees from wanting to steal.

Do they have Email Access?

[Y+Ddraig+Goch]

If so you can't stop them, all they need to do is compress the IP and email it out of the building. The best thing you can do is treat your employees well and when (not if) there is a problem deal with it accordingly.

USB Device Scanner

[Glamdrlng]

It's not a total solution, but GFI Network Security Scanner (used to be LANGuard) can scan for unauthorized USB devices and fire off an alert if it detect one on a scan. Demo available at http://www.gfi.com/lannetscan/.

Mistakes

[xoboots]

1. you said "IP" suggesting that it is a tangible thing that can be stolen

2. you implied that there is no such thing as trustworthiness in employees

3. you implied that you don't mind having untrustworthy employees as long as they don't affect *you*

Why should we help you? Do your own homework.

Re:Mistakes

[TripMaster+Monkey]

Yeah...I hate it when people steal my IP.

Re:Mistakes

[SunFan]

1. you said "IP" suggesting that it is a tangible thing that can be stolen

If IP is a trade secret, than "stealing" means that what was once private is now public. The real theft, then, is a denial of value to the company regarding that IP. Just because it isn't something tangible like jewelry doesn't make it less of a crime.

Re:Mistakes

[SunFan]

Another non-corporate example: imagine being a researcher at a university. You develop a radical new algorithm that takes a O(n^3) process and make it into O(n log n). This algorithm is of great importance in, say, fluid dynamics or something really time-consuming. Unfortunately, you are prepping your work for publication and due credit, when someone breaks in and steals your files and publishes under a different name first. Since you have not published, yet, there really is no protection at all, and you just lost two years of work.

Re:Mistakes

[xoboots]

"If IP is a trade secret, than "stealing" means that what was once private is now public. The real theft, then, is a denial of value to the company regarding that IP. Just because it isn't something tangible like jewelry doesn't make it less of a crime."

But a trade secret is a tangible thing in a legal sense. "IP" is specious word with no real bearing or precise meaning. He refered to "IP" and then added "(work)" which really doesn't imply "trade secret" all by itself. In other words, his use of language was so sloppy as to be fud-like, unintelligent and offensive. Your statements, unfortunately, only compound that.

Re:Mistakes

[brontus3927]

A lot of people have a rabid response to those two letters: I.P. What if the poster wasn't trying to prevent "theft" of "IP" but "theft" of customer data. What if it was I caught an employee stealing our customers credit card numbers and SSNs to USB flash drives.

Re:Mistakes

[SunFan]

"'IP' is specious word with no real bearing or precise meaning."

I generally consider IP to be trade secrets, copyright, patents, and the public domain. If someone isn't set up properly in the former, they irrevocably live in the latter. "Theft", in a sense, is moving things into the public domain without permission.

Re:Mistakes

[Ithika]

But copyright is on your side. You have two years of research and intimate knowledge of the subject to prove you did it (plus, no doubt, grant applications and research statements). The university will have regular offsite backups going back quite a while, all showing what you were doing, which will be fairly hard to forge. The thief has only your results.

This kind of thing has been tried before; and failed.

Re:Mistakes

[Tsunayoshi]

You missed the point he was trying to make. I am sure a corporation or such would also have said records/backups/whatever and would ultimately also have copyright law on its side.

I think the point he was trying to make was to shut-up all of the "coporations are evil" people by trying to put the same problem in another light. While I agree that corps are generally only out for the bottom line, working on a project on company time with company assets and being paid for it means they own the work and the results of it (at least my employment contract says so). So walking out the door with a USB stick full of company code IS theft no matter what the "all corporations are evil" people say about it.

Re:Mistakes

[SunFan]

But copyright is on your side.

Can you copyright the *idea* of the algorithm? The theif could re-write everything to avoid traditional word-for-word copyright, and I'm not sure the original researcher could do much once the cat's out of the bag. At a minimum, the original researcher would have to get a good lawyer and deal with a huge interruption in their life. The alternative would be to get a patent, but patents aren't appropriate for all situations.
This is where good security and a tight lip are the best policy.

Re:Mistakes

[Ithika]

I realise what his point was. I was merely attempting to prove that technical precautions are neither relevant nor usable. If they really want to be a productive company they can't stop programmers having access to code. It's as simple as that. If they have a problem with code theft there are laws in most countries (ie, copyright) which provide recourse.

Any attempts to prevent leakage will ultimately fail. Use the laws provided; that's why they exist.

Re:Mistakes

[Ithika]

No, you wouldn't be able to copyright the idea. But if you challenged the source of their algorithm saying "I have work that looks very much like that, with datestamps going back two years, what have you got?" they'd have to either show you your research back (which becomes a matter of copyright) or show no work whatsoever, which is mightily suspicious indeed. One doesn't have O(n.logn) equations dropping out of the sky every day of the week (unfortunately).

Re:Mistakes

[ryanelm]

if intellectual property existed we'd still be in the fucking stone age buying fire from prometheus Corp.

Re:Mistakes

[ross.w]

Customer credit card numbers have no business being in a directory that's accessible to employees, other than those who need to see them. It isn't hard to achieve that.

Re:Mistakes

[photovoltaics]

It certainly would be interesting to hear the employee's side of the story.

I understand that mores and values as well as business procedures are different in India than they are in the US. I was an IT manager and responsible for people both in the US and India for about three years. I've also been to India.

So, I can relate to "Cliff" and not wanting employees to steal from him. I realize there are differences in the way people in the US do business compared to India (or any other place not in the same city-- for that matter). I also understand there is usually more than one side to a story of theft like this.

It certainly doesn't excuse the theft, but why are your employees stealing from you if your working conditions are good? If those conditions aren't good, perhaps you should consider allocating your resources towards your employees' happiness and well-being as opposed to locking down your employees tighter and tighter. Happy employees are much less likely to steal from you, and you're going to spend more money in the long run watching over them than you are going to spend being good to your employees.

Re:Mistakes

[anthony_dipierro]

Just because it isn't something tangible like jewelry doesn't make it less of a crime.

Not in the eyes of the law, maybe, but that doesn't mean the law makes any sense.

Re:Mistakes

[Glonoinha]

Well, that or you could take the guy that did it, chop off his right hand and his left foot, burn one of his eyes right out of his skull, then promote him to line manager.

I pretty much guarantee that the IP theft problem will go away.

(If not, give him a peg, a hook, an eye patch and a parrot and he can be the company pirate mascot.)

Re:Mistakes

[theLOUDroom]

What if it was I caught an employee stealing our customers credit card numbers and SSNs to USB flash drives.

Then we would ask you why the hell they had access to that data in the first place.

Data like that should be accessible to as absolutely few people as possible. I'm talking about a number that you can count on one hand, ESPECIALLY if we're talking about the raw database. Call center employees, for example, only really need access to a system that will give them ONE CC# after they've input ONE SSN/Customer ID#/Name/etc.

A lot of people have a rabid response to those two letters: I.P.

Maybe that's because the term itself is tries to lump three very different types of law into one and claim that they all constitute "property", which is legally not true. It's a deliberately misleading term like "full speed" USB vs "high speed" USB. Even if you agreed with all current patent, copyright and trademark laws, you still might find the term IP, offensive all by itself.
Just using the term "intellectual property", slants the debate by suggesting something that really isn't true.

Wow - wondering about no network

[MerlynEmrys67]

Just wondering how little work I could get done without a network connection

Think about it
No E-mail
No External resources (knowledge bases, slashdot)
Nothing

Frankly, I'm suprised you even can get people to work for you, I mean - wow, I haven't worked somewhere without an internet connection on my development machine for almost 15 years now. And it has been north of 20 since I haven't had an internet connection

Frankly, it is much easier to protect your IP, and go after the people that steal it... I mean really what is stopping someone from bringing in a micro hard drive and just taking the whole thing out.

Re:Wow - wondering about no network

[GigsVT]

You've had Internet since before 1985? That's pretty amazing.

Re:Wow - wondering about no network

[MyGirlFriendsBroken]

It depends how you interpret the an, being an internet or an connection. I automatically assume the former as it is internet with a lower case "i"

Re:Wow - wondering about no network

[soren42]

Just wondering how little work I could get done without a network connection

On the contrary... I was just thinking about how much work I could get done with out an internet connection.

Mostly by the lack the same mechanisms... no e-mail, no slashdot, no websites... (lol) Nothing to do but focus on work.

Oh, wait - I'd need to lose the telephone and the rest of the drivelling idiots that work with me, too. (Or least lock them out of my workspace)

I don't think this is such a bad idea... isolate employees computers for work, and then give them a "communication zone" of PCs they can move to with network connections. Allow them one hour out of every four in the communication zone to do e-mail, surf the web, do research, etc. That's a great idea to increase productivity - especially in tech workers!

/me goes off to start a new productivity consulting firm...

Re:Wow - wondering about no network

[MerlynEmrys67]

Actually 84 - Remember the great switchover of 84... What a day that was. Of course I only got to hear about it as I didn't get on until a couple months later

Re:Wow - wondering about no network

[Karma+Farmer]

You've had Internet since before 1985? That's pretty amazing.

Why? I've been on since the late 80's, and I'm not exactly an early adopter.

Re:Wow - wondering about no network

[MerlynEmrys67]

A connection ???
A modem link to a BBS ? Well, that goes back 25 years now. God the days of Compuserve (remember them, they didn't get the internet and lost out to AOL)

And frankly the whole Capital I thing is stupid, if I wasn't talking about the internet, I would have said, LAN, BBS, or other technology .

Re:Wow - wondering about no network

[XO]

1988 here myself.. And I was definitely not early adopter, either.

But, back in that day, people had internet access through their colleges, and usually when their college tenures were up (and those usually got cut short because of something on the Internet.. heh!) they disappeared, never to be heard from again.

You can't "steal" it if it is free.

[m_chan]

Have your employees check their brains at the front desk so they can't walk out with snippets of code lodged in their lobes. Or perhaps you may be able to open your source and get help from people who will work on your technology because of interest.

Sack them when you catch them

[Andy_R]

Make an example of the person you caught. Sack them, give them bad references, and sue them for breach of contract... you did put a clause about this into their employment contract, didn't you?

I don't know what your local copyright laws are like, but surely they couldn't do anything commerical with the IP without violating them?

Re:Sack them when you catch them

[chris_mahan]

You can't do that.
You can drop them like a bad habit, but you can't give them bad references, you can't sue them for breach of contract. Employment contracts don't include IP clauses. That's why non-disclosure agreements exist. And unless your crap is a trade secret, you're going to have a hard time getting the court to agree with you.

As far as the whole thread: Please tell us the name of your company so slashdotters can make sure never to work there.

If you want great protection, epoxy all your usb ports, put printers and other such in a locked room with a guard in front. Use mini-din mouse and keyboard. Epoxy everything else, cable the equipments to the floor (not the desk, too easy to break)

Other thing: use intranet web-based tools, use linux and setup the users not to have rights to do what you don't want them to. Don't allow the users to save files to their machines. Disable browser cache. Disable password/form remember feature.

Finally, tell us the name of your company so we can steer any decent people away from you.

Re:Sack them when you catch them

[Andy_R]

Are you an Indian employment lawyer, or are you just guessing?

Re:Sack them when you catch them

[chris_mahan]

Just because you can do something does not mean you should.

He's a startup in India, and he's already having these kinds of problems. I say he should not havee spent all the dow he did on palm-grease and should have stayed at his produce shop.

If you treat programmers like dirt, they will treat you like dirt. India and China both have the mentality that there are millions of people wanting this job (which there are) so why should they be nice at all to this particualr employees?

So they treat programmers like dirt. And then the programmers steal. And then they what, whip/shoot them? Bad little evil programmers, low-lifes, peasants with a few braincells. No internet for you, no trust, no training. Here's the book, here's the computer, figure it out, or you're outta here.

Where I work we have indian programmers, and they say working in code farms in india was hell, and demeaning as anything else can be. They just use you and throw you away like an old rag.

So, like I said, either this guy closes shop and goes back to his produce stand, or he "behaves" in an ethical, professional manner according to western standards, and then maybe he'll have a shot at the big time.

change your mindset

[monkeyserver.com]

Like you said, hire people you can trust. Then foster a different environment, removing net connections, burners, and floppies is a good way to say, "I don't trust you." Why don't you embrace your employees, make them happy to work for you. Then maybe they won't steal, in fact, I would guess you'd see better productivity.

You've got yourself a self fullfilling prophecy there...

Re:change your mindset

[RabidMonkey]

Things are not, sadly, like this in real life. Even the happiest employee will steal if theres motivation. Motivation includes money, ego, boredom, whatever. Some people, as illogical as it seems, steal because they can. Some like the challenge. Those people aren't going to be hampered by an open office with lots of floppys and burners and internet connections.

If you don't lock the doors, sooner or later someone is going to break in. You ahve to do what you can to stop it.

Re:change your mindset

[symbolic]

Then this is a cost of doing business. People don't like being treated like little children. Protect yourself, but don't piss everyone off in the process- it could easily gain you some adversaries that you wouldn't have had otherwise.

Re:change your mindset

removing net connections, burners, and floppies is a good way to say, "I don't trust you."

Maybe, of course depending on what it is that you're trying to hide maybe that's reasonable. Judging from the use of the term "IP" as to what is being protected, I doubt this is the case in this situation, but maybe what he's calling IP is actually a list of credit card numbers or health care records.

Sometimes you need to say "I don't trust you." Of course, in these situations, you're better off saying "I'm not allowed to trust you" or something similar.

You can only try so much...

[mopslik]

... and even then, it doesn't always work. In the extreme case, you can always copy code using a pen and paper. Unless you're thinking of introducting full cavity searches, you're spinning your wheels. Give up on this "prevention" avenue. Focus more on your hiring process, write up a strict code of conduct, and don't be afraid to fire employees who are caught violating these terms.

Just my $0.02.

Re:You can only try so much...

[nickos]

"you can always copy code using a pen and paper"

That's the "analog hole" - another good reason why DRM and the like will ultimately fail.

Re:You can only try so much...

[mopslik]

You know, I'm a bit wary of clicking any link labelled analog hole on Slashdot...

give up

[sfcat]

IP is very difficult to protect. There are patent laws (I don't know how strong they are in India). But you're employees know what they know and I assume they have access to the net so encryption and email can bypass any other procedures. Generally, the code isn't as valuable as the business contracts you hold anyway. Are you sure the employee was trying to steal the code? Maybe they just wanted to work from home. I don't know, but if your business is so flimsey that someone can steal the code and take your business then maybe you should reevaluate your business strategy.

Finally, the first US factory was built from plans a person memorized in Europe and wrote down once in the US. So if your employee is very smart, you can't stop him/her anyway. Hire truthworthy people and make it in their best interest to day. It is the only way to protect your business if IP alone can topple you company.

There is no way to prevent a determined individual

[Schezar]

As long as your employees have access to your IP, there is absolutely no way to prevent them from "stealing" it if they are determined to do so. Period.

No amount of security will make your data safe. Data is easy to move, easy to duplicate, and easy to store. During the industrial revolution, American industrial spies stole factory plans from British firms by memorizing them. Unless you know how to erase a person's brain, there will always be a hole.

Technology is making this issue ever-more pressing.

You have two options:

1) Hire only trusted people, and trust them.

2) Don't rely on IP as a business model.

Option 2 may sound stupid, but it's really the only way in the long run. Sell a service, sell a product, but don't try to sell information. If the sole thing your company provides is data, someone will endeavor to get that data for themselves, and then you'll be boned.

A business that relies on the scarcity of information it holds internally can not survive. Even if your employees are all 100% trustworthy, outsiders will still vie for your data.

It may sound pessimistic, but it's the truth.

Re:Hey maaaaaan...

[dougmc]

The majority of the people here pirate everything.

Really?

Last I checked, the majority of people here certainly liked free software. But you really can't `pirate' something that's given away from free.

And as for movies and music and other forms of media, you'll find a very wide variety of views on that here, on every side. Probably the only thing that `most' covers is that `most' people here use computers from time to time.

You'll probably have better luck at a site like corporatenazisyndicate.com or something.

That much is probably true. Though I suspect he'll find some answers here too, even though this really isn't the right place, and I'm amazed the question got greenlighted.

Registry control

[brontus3927]

If you are using Windows XP with SP2 you can keep block storage devices from being written to. If you have XP but not SP2, this would be a good reason to install the service pack. If your don't have XP, try searching google for software that will provide the functionality
Start -> Run: regedit

Find the following key:

Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Control \StorageDevicePolicies
Name: WriteProtect
Data Type: REG_DWORD
Value: 0

This allows writing. Change the value to 1. This will prevent writing. Save your registry and reboot. Of course, it's always recomended to backup your registry before making changes.

Allegedly, Longhorn will have this control without having to hack the registry.

Re:Registry control

[cjsnell]

Please excuse me if I am being naive, but isn't the hard disk a block storage device? Wouldn't adding this key make the user's drive(s) immutable and make it very difficult to reverse this registry addtion?

Re:Registry control

[mugnyte]

OH, and by the way, don't let your employees read that post.

Re:Registry control

[brontus3927]

Yes a hard disk is a block storage device, but this registry key is USB specific (although I admit it's not obvious).

As for the other post, it is possible to restrict users access to the registry by edititing the registry.

1. Start Registry Editor (Regedt32.exe) and go to the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlS et\Control
2. On the Edit menu, click Add Key.
3. Enter the following values:
Key Name: SecurePipeServers
Class: REG_SZ
4. Go to the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlS et\Control\SecurePipeServers
5. On the Edit menu, click Add Key.
6. Enter the following values:
Key Name: winreg
Class: REG_SZ
7. Go to the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlS et\Control\SecurePipeServers\winreg
8. On the Edit menu, click Add Value.
9. Enter the following values:
Value Name: Description
Data Type: REG_SZ
String: Registry Server
10. Go to the following subkey.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlS et\Control\SecurePipeServers\winreg
11. Select "winreg". Click Security and then click Permissions. Add users or groups to which you want to grant access.
12. Exit Registry Editor and restart Windows.

Or of course, set (restrict) the proper permissions in Group Policy Manager (assuming using XP Pro)

I have a way...

[lbmouse]

... but my employer has patented it.

No, they don't.

staff computers are devoid of floppy drives, cd writers and internet connections
...
Do they have Email Access?

This takes not reading the article/blurb to all new lows.

Re:No, they don't.

[DavidTC]

You have programmers without internet connections? And they actually produce work?

What the hell kind of crazy society is going on in India?

Re:No, they don't.

[SunFan]

"And they actually produce work?"

You ask this in a post to Slashdot...amusing.

Re:No, they don't.

[harikiri]

For situations that require those kind of restrictions, it makes sense to have a PC for coding, and a separate PC for Internet browsing.

A former colleague of mine works at a f*cking large investment bank doing security, and they have two PC's on their desks, one for internal connections, and one for external (Internet) connections. Connecting the two is grounds for being fired.

Respect

[Tozog]

The best way to prevent IP theft is to treat your employees with respect and give them no reason to steal your IP in the first place.

Putting in draconian security rules is just going to piss me off and keep me from doing my job effectively, and quite frankly, make me look for a new job.

Re:Respect

[exp(pi*sqrt(163))]

Really, this is liberal nonsense. There are all kinds of reasons why someone might want to steal IP and being nice to them is only going to eliminate a handful of them (eg. it might stop them stealing code just to spite you). Most obviously, someone might have found a new programming job somewhere else in the world that pays lots more money and having a convenient source of software they could steal from the old company will give them many advantages in the new place. If they act rationally and out of self-interest then no amount of being nice to this person at the old company is going to change the fact that it is advantageous for them to steal the code.

Re:Respect

[Tozog]

So it's better to treat your employees like untrusted criminals to try and prevent the 1% who are criminals and might steal your code?

Seriously, if I work on something that is your IP, any system you put in place to prevent me from stealing it is just going to make it harder to do my job and frustrate me. Even if I no longer have access to the code, I still know the general way things work and could probably reproduce the code in a much shorter period of time. And besides, no matter how harsh the security, if I need access to it to do my job, I still have access in some way or other. If I am determined, I could still steal it.

Re:Respect

[jbolden]

Content employees generally don't look for new jobs. They also generally do their best for the workplace and don't engage in things like theft. Its not like business schools don't do research on this sort of thing. High employee satisfaction pays huge dividends. American corporations treat their employees badly inspite of the extra profits that can be earned with good treatment not because of them.

If you're using Linux, you have two options:

[Trelane]

1. Remove support for USB Mass Storage in the kernel and remove any usb mass storage drivers in the kernel (also disable firewire or do the same for firewire devices)
2. (if you use 2.6.x or later and udev) Modify your udev rules to make usb mass storage devices (and whatever devices you wish) to appear where you want it to (e.g. in a mode 000 directory) and with the user/group and perms you want it to have.

Re:If you're using Linux, you have two options:

[fulldecent]

I don't think they're using 2.anything, more like 4.something

Re:If you're using Linux, you have two options:

[Trelane]

aight, for clarity, "If you're using Linux kernel version 2.6.0 or later"

Make them owners.

[AeiwiMaster]

You should pay them partly with shares,
then they would only be stealing from themself
and their coworkers/Coowners.

Reminds me of a story...

[Dr.+Bent]

Back in high school, I used to fix computers for people to make a little spending money. One time, I went over to this guy's house because his computer wouldn't boot. The conversation went something like this:

Me: Your hard drive is dead. You're going to have to buy a new one.

Him: How much will that cost?

Me: About $100, plus the cost to install it...maybe $130 total.

Him: That's way too much, can't you just fix it?

The moral of this story is that if you system is fundementally broken, there is no band-aid patch that you can apply that will make it un-broken. If you can't hire trustworthy people, you're going to lose IP. Maybe you can implement a few security procedures here and there to slow the rate of loss, but eventually, all your IP is going to walk out the door.

The caliber of your people is the primary factor in determining the sucess of a software company. It's not the tools, the technology, or the procedures...it's the people. If you can't trust your people to do thier job and do it well, you don't have anything. I'd start by fixing that problem, and after that you can worry about USB drives.

Re:Reminds me of a story...

[Nate53085]

you were gonna charge the guy 30 to install it??

Re:Reminds me of a story...

[Dr.+Bent]

$20 an hour + a %10 finders fee for any hardware was my normal rate.

Pretty cheap considering it's a house call.

Re:Reminds me of a story...

[Karma+Farmer]

you were gonna charge the guy 30 to install it??

It's rediculously cheap, but he was in high school. Heck, a lot of high schoolers work at mcdonalds for $6 an hour. Going to someone's home and installing a hard drive for $30 probably sounds like a lot of money to a high schooler.

Re:Reminds me of a story...

[Nate53085]

heh..I meant it was expensive. But I'm a college student who will work on someones computer for a pizza and a 2 liter of dew.

Re:Hey maaaaaan...

[TripMaster+Monkey]

nslookup corporatenazisyndicate.com

** server can't find corporatenazisyndicate.com:

Gord bless the humor impaired.

[misfit13b]

I'm sorry, next time I'll put a big ol' ASCII Monty Python foot in my comment, so you know I'm acting silly again.

Re:There is no way to prevent a determined individ

[dougmc]

As long as your employees have access to your IP, there is absolutely no way to prevent them from "stealing" it if they are determined to do so. Period.

Why do people like to end a statement with `Period.' as if it were the last word on the issue, when it clearly is not? Wishful thinking?

You definately can prevent your employees from `stealing' things like code and data. It may not be 100% effective, but you can make it very _very_ difficult.

Think NSA. I certainly never worked there, but I imagine they're 1) very picky about who they hire, and 2) take security to the extreme, and 3) it's all backed up by serious legal threats. (I believe treason is still eligible for the death penalty, is it not?)

#2 is probably most interesting to those here. Physical security is extreme, with metal detectors detecting guns and hard drives, and enforced by men with guns. Things like USB drives (and even Furbies or cell phones) aren't allowed in at all, and I imagine there's spot searches for things like this.

Places like that often have two networks, a secure and an unsecure one. If you plug a computer into the wrong network, it never leaves the building again. The secure network has no access to the Internet whatsoever.

I imagine there's a lot more that they do, but I'm sure that there's web pages dedicated to this sort of thing if you want to read more about it.

Of course, even this isn't 100% effective -- but I imagine it's pretty close. Of course, it's also extremely expensive and restrictive, and few companies are probably willing to do this sort of thing to their employees -- but I imagine that a few do, perhaps to some key employees in key positions ...

Mod Parent Up

[j0nb0y]

Some problems just can't be solved with technology...

Re:Mod Parent Up

[anthony_dipierro]

Some problems just can't be solved at all. I believe the saying is that "three people can keep a secret, if two of them are dead." This is true if you're going to be ultra-paranoid, but in reality it's possible to make the cost of obtaining the information more than the value of the information, and that's usually good enough. This can be done with technology, and any sane scheme is going to use technological protections as well as social ones (lumping legal protections in with the social ones).

Use linux

[John+Harrison]

Roll your own distro that removes support for USB drives.

I would suggest that you need to give up. At my last project thumb drives were getting passed around like crazy and nobody was worried about it, and this was a place where they wouldn't give us a network connection. Trust the people that work for you, sue those that screw you, and pay them enough that they aren't easily bribed. As others have mentioned, they have most of the info in their own heads already and there is nothing you can do about that, so make sure they want to stay.

If you are running Windows XP....

[sybarite]

...you can edit the following registry key to change the value of Start from 3 to 4. This will disable the USBSTOR.SYS driver preventing the use of USB filesystems. It will not disable other types of USB devices.

HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR

Re:If you are running Windows XP....

[Miros]

damn, you stole my suggestion =) Top notch though, it is the best solution.

Re:If you are running Windows XP....

[LuckyStarr]

Nice one. :)

How to disable Firewire filesystems then? Does a key for that exist as well? I don't have Windows here, so I can't check.

Re:If you are running Windows XP....

[leuk_he]

Fill the firewire connections with glue. You don't need them. If you do need them it is (9 out of 10 cases) for mass storeage devices, and then wholeidea of blocking them is problemmatic anyway.

Re:Hey maaaaaan...

[dougmc]

and pirated that copy of Windows.

You're guessing. You may be right, and you may not be. I'm sure the /. logs could tell the story of what sort of browsers are used (except for those that pretend to be something else), and one could extrapolate what OSs are used and things could be measured that way, but that still wouldn't tell you if that copy of Windows was pirated or not. Lots of /.ers who use Windows probably also bought the computer with it preinstalled.

The original claim was :

The majority of the people here pirate everything.

and there's two parts to that claim -- majority and everything. Perhaps the majority of people here have pirated something (be it software, music, movies, TV (broadcast, cable, satellite) or a ship at sea) but I seriously doubt that the majority pirates *everything*.

Two options

[samael]

1) Make it clear that you'll sue anyone who steals your IP

2) Make sure it's all clearly copyrighted.

3) Patent it (but don't tell anyone I told you to do this).

Surveillance & punishment

[duffbeer703]

Don't put up with this nonsense.

Set up security stations and look for people with USB drives. When you discover someone obscounding with IP, call an all hands meeting and cane the SoB. If caning is illegal in your area, just knock the guy to the floor and have the entire group stomp him. (This is also a teambuilding exercise)

Corporal punishment will assert your IP authority and eliminate other disiplinary issues.

Asking the Wrong Question

[richg74]

Apart from trying to hire "trustworthy" people, are there any other bright ideas that Slashdot readers might have in this regard to help prevent such theft from workplace?

I think the core difficulty here is that you think you have a technology problem, when what you have is a management problem. If you rule out hiring trustworthy people, and fostering an atmosphere that earns their trust, then you are just wasting your time. Think about this: do you think that putting in time clocks would make physicians (let's say) work harder ?

You also need to think about what it is that you are actually trying to protect. One defect (among many) of the term "intellectual property" is that it leads people to think by analogy with actual (tangible) property. If your IP is in software, what are you trying to protect: the typing of the code, or the ideas the code embodies? If it is the latter, you can't open your employees' skulls and remove the ideas from them.

I worked in, and managed, an investment management firm, where it was a truism that our most important assets walked out the door every night. You have to run the business so that people want to work there; so that they have fun, find the work and their environment interesting, and believe that they will be fairly compensated (financially and otherwise). It isn't necessarily easy, but then that's what you get paid for.

Re:Asking the Wrong Question

[Wylfing]

I think the core difficulty here is that you think you have a technology problem, when what you have is a management problem.

How absolutely, utterly true. What will you do in a few years when human sense data can be (and is commonly) directly stored as bits? A blind person gets optical implants and can now see. I supposed you would refuse to hire her because she might recover what she's seen from the storage buffers. You'll never overcome this "problem" with technological solutions -- eventually those solutions are going to spill over into human management problems anyway (i.e., the blind person).

Now there are two ways to think about this. (1) You have a management problem, as parent said. This is true in the limited term. But (2) there is something unnatural about trying to lock down ideas as if they were property. It can't be done, and crushing enabling technologies everywhere you find them isn't going to make it any more possible.

Simple

[Safety+Cap]

• Hire the best people you can
• Treat them well and with respect
• Pay them what they deserve

Re:Simple

[himself]

I worked at a high-profile architecture firm, one of the oldest continually-operating shops in the country, which people were fighting to get into. The architects as a group were smart and hard-working.
I removed the Zip drives & floppy drives so people couldn't walk out with the data files. Why? Because they represented so many hours of work: the specs were the output of skilled engineers, the drawings had taken many, many hours to produce, and the databases of correspondence could be mined for best practices by lazy competitors -- and there were certainly other things to be gleaned from our files.
Were we storm troopers for doing this? By no means: our archivist was happy to share our old stuff (going back 125+ years) but ongoing projects were just that, ongoing. And probably the real reason is that the software tools -- CAD programs, home-grown project management databases, etc. -- we had at work were very expensive and pretty mature: anyone in their field would *love* to have free use of them.
Even though our architects were very excited to work there, and had a policy of "no personal use" of the sysytems, I still had to fish out one of their own Zip disks from the empty drive bays every few days. You know, right behind where they'd peeled off or slit through where I'd "only" put clear packing tape and a sign reading "NO ZIP DRIVE, NO FLOPPY DRIVE." *snort*

Re:Simple

[theLOUDroom]

Even though our architects were very excited to work there, and had a policy of "no personal use" of the sysytems, I still had to fish out one of their own Zip disks from the empty drive bays every few days. You know, right behind where they'd peeled off or slit through where I'd "only" put clear packing tape and a sign reading "NO ZIP DRIVE, NO FLOPPY DRIVE." *snort*

Maybe that's because your policy is ridiculous.
If you come up with a ridiclous security policy that interferes with other legitimate actions, people will deliberately circumvent it.
What you're doing is like putting 12 deadbolts on a crappy door. People realize that it's silly and they're just going to leave it propped open.
Did you ever consider, for example, only giving people access to the files they NEED access to rather than crippling their machines?

Were we storm troopers for doing this? By no means: our archivist was happy to share our old stuff (going back 125+ years) but ongoing projects were just that, ongoing. And probably the real reason is that the software tools -- CAD programs, home-grown project management databases, etc. -- we had at work were very expensive and pretty mature: anyone in their field would *love* to have free use of them.

It sounds to me like you aren't even really sure why you did this. It's always great when people who aren't even sure about what they're doing start interfering with other people's ability to get actual work done.

Outsource!

[toygeek]

Fire all but your most trusted employees and outsource the rest to the US. I hear its all the rage in India.

He said it's in India...

[The+Barking+Dog]

...therefore, do the suggestions in other posts about NDAs and suing have any relevance?

Can't you just have the guy "accidentially" be eaten by a tiger or something?

the easy way....

[Bad+Boy+Marty]

Use a thumb drive? Lose a thumb!

Of course, that's difficult for the 3rd offense....

Securewave

[pnutjam]

I've used Securewave. It's pretty good, it lets you specifiy what USB devices are allowed and block everything else by default. You can also mirror data so you can audit what data people are sending. It works on USB, CD, Floppy, parallel ports, Serial Ports, and I think it does firewire too.

Once it's set-up it's awsome.
I don't work for them, I've just used their product and really liked it.

Won't work

It would have to be a pretty big percentage for that scheme to work.

Let's say the employee is considering stealing $1000 (IP, cash, hardware, or equivalent) from The Company.

Pre-employee-ownership:
He owns 0% of The Company. So he gets $1000.

Post-employee-ownership:
He owns 1% of The Company. So he gets $1000, but effectively loses $10 of that. So he actually stole $990.

Give him 10%, you say? Wow. Okay. Doesn't sound scalable, but sure. So he'd still net $900 in his theft.

This won't work and it's exactly why even employees with massive ownership (e.g. CEOs) are still regularly caught pilfering from "their own" company.

Won't work. If the employee is a thief, he's a thief.

That's the stick, here's the carrot...

[nickos]

I have no idea what the job market's like in India, but one of the best incentives to work hard and behave ones self is to offer glowing refernces to those who conduct themselves honestly. As many people have already pointed out there's very little you can do to prevent ideas leaking from your company.

An aside: If companies could wipe employees memory when they left, every new hire would have as much experience as a graduate straight out of uni...

Some of us knew about it...

[marcus]

...before it was known as "The Internet".

I remember having near real-time email/USENET conversations with folks in Australia while I was in college in Texas, that is, circa 1978-83. After that, there has not been a span of more than a few months that I have not had at least a dial-up IP connection.

Re:There is no way to prevent a determined individ

[DavidTC]

The NSA operates on a need-to-know basis where people can't access information they don't need even if they pass the classification level. And very few of them have write access to any data besides their specific responsiblity.

Plus, everyone with any access to classified data has had all sorts of security checks done, and signed away certain rights.

And, like you pointed out, the NSA can back up security with physical force. You run out of NSA with a hard drive, even assuming you make it past their security (Which is military), you'll have more law enforcement after you than if you just robbed a bank. However, you probably won't make it out of the building...they will just shoot you.

Whereas if someone runs out of a company with a hard drive...well, if the company runs really fast, maybe it can get a court order.

While the NSA can secure their information from employees, that's a long shot from companies being able to do so.

I'm not exactly sure what 'IP' we're talking about here, anyway. Didn't these programmers create the 'IP' in the first place? This question really doesn't make any sense.

Partial Coding

[dethwulf]

From what I guess, and I only have limited program development experience, give each team/member partials of the total code. Granted, this will probably slow production or make for an interesting debug session. However, if you're developing something that you're truely worried about being leaked, having, for example, 30 employees with 1 part of the code each won't let them steal anything but that 1/30 of the total IP. So if that happens, so you're out a function, or whatever and you can hanlde his public flogging while the other 29 dutifully type out their 1/30 of the project.

With that, you have 1 guy do the total compiling/debug that you know/trust/guard/make come to work naked with regular cavity checks/etc. Heck, that could be you if you're truely paranoid about it...

Linux

[Apreche]

If you don't use windows you can disable the USB. You can also cut the usb connections on the motherboards to physically disable the ports. You might also be able to do it in the BIOS and set a BIOS password.

tiny blurry pictures are the most dangerous

[djdead]

Ban camera phones and then hand out usb pen drives and laptops to employees and provide them with huge pipes to the internet.

That's the solution of the very large company for which I work, anyway.

Terminal services

[eyeball]

One solution would be to re-architect the systems to be completely terminal-services based. This way no data is actually on the client's system, except the window to the application.

Citrix for windows is the obvious choice, but there are ways to accomplish this with unix, Linux, and even mixing the two environment.

erase 'em

[delirium+of+disorder]

Install EMP/HERF guns and degousing coils around the doors so any magnetic or solid slate device is destroyed upon exiting the building. Ban tinfoil and make sure not to employ anyone with a pacemaker. Tell everyone to leave their cellphones in their cars and use an internal VOIP system for communication. Make sure any company healthcare doesn't cover radiation poisoning/cancer so your premiums don't go up.

Re:erase 'em

[Intron]

You forgot the spot check X-ray machine and random body cavity searches.

Re:erase 'em

[ErikZ]

Feh. EMP guns are for people who aren't serious about security. Real men use Tesla Coils.

Umm....

[tacocat]

Remove the USB mass storage device drivers. But that's already been mentioned.

Restrict the user access to the USB devices. This has already been mentioned too. You can do this really easily under Linux.

Why the fuck are you posting such a braindead simple question?

If you can't figure this one out on your own, then you probably don't have any IP worth stealing in the first place. And if you do, it's already long gone by now because you are this stupid. The smart people walked out with it weeks ago.

Re:There is no way to prevent a determined individ

[dougmc]

The NSA operates on a need-to-know basis where people can't access information they don't need even if they pass the classification level. And very few of them have write access to any data besides their specific responsiblity.

There's no reason a company can't do these things too. Yes, it's a lot of work, and therefore expensive, and yes, it reduces productivity. Which is probably why most employers don't go to this much trouble, but it is possible, and probably done.

While the NSA can secure their information from employees, that's a long shot from companies being able to do so.

A determined company can do many of the same things that the NSA does. Sure, they can't really back it up with guys with machine guns, but they can probably have armed security guards. Perhaps even off-duty police. They can do most of the same security checks, and make them sign similar non disclosure agreements.

(And if the company works on military contracts, perhaps they CAN back it up with guys with machine guns. Maybe.)

Yes, it's expensive. Yes, it's not conducive to productivity. But it can be done.

I'm not exactly sure what 'IP' we're talking about here, anyway. Didn't these programmers create the 'IP' in the first place?

Perhaps. Perhaps not. At my work, I have access to the source code for all our products, but the part I've contributed is exceedingly small (I'm in support, not development.) I guess I could steal it, but 1) who would want it? 2) I'd get sued into oblivion if I did, and probably end up in jail. It's not even remotely worth it. But physically, it would be easy.

As for #1, `who would want it?', even our competitors wouldn't want it. They wouldn't touch it with a 10' pole, because if it was ever found out, they'd be sued into oblivion and they know it. No legitimate company wants that sort of exposure.

And even if a single person did write all of this code, if he does it for his employer, on company time, on company computers, it probably belongs to the company, not him. (The specifics would be lined out in his employment contract and other paperwork.) Yes, perhaps he could write it again for somebody else (though often NDAs prohibit that), but few large projects are one-man-shows anymore.

Re:Hey maaaaaan...

[Curtman]

Lots of /.ers who use Windows probably also bought the computer with it preinstalled.

Sure.. But I still think most geeks prefer to build their own.

I seriously doubt that the majority pirates *everything*.

I don't think it matters if you steal a little bit, or steal a lot. You'd be a thief either way.

Here is what I would suggest:

[Tamerlan]

One of these: * Use thin clients * Use Linux. It allows you to make access to devices fine-grained * Use third-party commerical software (google for it)

Make them owners

[wayne606]

Why do the employees want to steal the IP? Because they feel that they have no stake in the business, and they are just working for "the man". So they swipe some data to sell to a competitor because what have they got to lose?

If all the critical employees (i.e. those with access to the data) owned a non-trivial amount of the company, then they *would* have something to lose and would be much less motivated to try it. And they will work a lot harder and not leave after a year and (perfectly legally) deprive you of critical expertise.

Look at history, PLEASE!!!

[gi-tux]

If you take a look at history, this IP stuff is a new concept of companies trying to capitalize on every little thing. Historically speaking, one of the biggest times of invention in the U.S. was around the late 19th and early 20th century. And there was no such thing as IP.

If I remember my history correctly Westinghouse worked for Edison for a while and the Dodge brothers were working for Ford when they came up with their ideas for Dodge Motors (and actually sold Ford stock to get the capital to start Dodge). If current practice was in existance back then, we wouldn't have many of the things that exist today that make the world safer and more comfortable. What about Westinghouse inventing the air brake, we might all still be driving black model T Fords.

Also the best way to have your employees take care of you is for you to take care of them. This lesson was taught to me many years ago by a manager I had in retail sales. She really took care of her team and she was rewarded for her efforts. We never missed a sales goal and we won every sales contest in the district for two straight years.

I have little pity for people that treat professionals like kindergarteners and for people who think that they own everything that their employees think about. Treat your people right, give them opportunities to excel and fire the ones that break the rules. Don't punish the honest folks because of a few bad apples.

Look at the Bible for an example. God had Noah build and ark and eight people were saved while the rest of the world was destroyed. The wicked (or rule breakers) were the ones that were punished. Sodom and Gomorrah are another example, Lot and his two daughters escaped the distruction while the cities burned. Lot's wife was punished for looking back but not those with her that obeyed the rules. Why do people think that everything has to be uniform, what is wrong with rewarding those that excel and punishing those that fail to follow the rules?

Re:Look at history, PLEASE!!!

[ErikZ]

Because manager's don't have godlike abilities to sense who is breaking the rules.

So they have to set things up to make it harder to break the rules.

This guy would love to have you as a student.

[Tsunayoshi]

"and there's two parts to that claim -- majority and everything. Perhaps the majority of people here have pirated something (be it software, music, movies, TV (broadcast, cable, satellite) or a ship at sea) but I seriously doubt that the majority pirates *everything*."

My Discrete Structures professor would have needed some private time after your logical breakdown of that sentence.

Re:Hey maaaaaan...

[XO]

Actually, no matter the operating system, since about 1989, aside from the operating system, I have used almost exclusively free software. (pre 1989 was the Commodore days, well, everything was either from a magazine, or pirated, period) The only thing I use that is commercial software on my own computers in that time has been operating systems and games.

It's certainly quite possible to get away with free software in the Windows world. (at least, it was a few years back.. I know now that the entry bar for programming for anything has been raised drastically, there's probably a lot fewer pieces of free software out there than there used to be)

On the other hand, I totally agree that the vast majority of Slashdot posters (i can't speak for the non posters), if they own a copy of Windows personally, probably pirated it.

Paper to keyboard

[jim_redwagon]

Best way I can think of:

Coders write their code out on paper

Submit code

You key it in

Compile/run/return bug reports

Coders fix bugs

Repeat

Or else you can realize that no matter who it is, even your own family, there's always the chance someone will (at least try to) circumvent anything you put in their way.

Disable USB drives?

[Bastian]

Why not just disable USB flash drives and hard disks by removing the drivers?

But if your office is anything like mine, that is going to kill your workflow. I am always using my USB flash drive when I have to collaborate with my co-workers. Maybe your employees are the problem, not your computers? I take company IP home with me fairly frequently, because if I am enjoying what I am working on at the moment, I tend to take it to a coffee shop or park or whatever and work on it in my spare time for the fun of it.

But if it is your employees that are the problem, you have to take some blame with that - either you are hiring bad people, or you are hiring good people and then systematically crushing their motivation and integrity. I would _NEVER_ do work on the side for a company that locks down so tight. . . I'd be so annoyed with my employer that it would be impossible for me to be able to enjoy anything even remotely related to my job. I'd probably also lose touch with that subtle bond of mutual respect that makes me want to help rather than hurt my employer.

So maybe the solution is to be friends with your employees rather than enemies?

Re:Hey maaaaaan...

[peragrin]

That's because it's stealthy.

To enter you must ping the webserver on several ports in the correct order.

Shh don't say a word about it.

if we are to assume....

[XO]

If we are to assume that the IP (work) in question is actually software code, then the whole questions is pointless:

Software is relatively easy to create.
Much more so the second time.

You could spend tons of cash and several months building, for example, an online game. Then I could come around, and re-create that entire thing from scratch, on my own, for virtually no cost, within a few days.

Options

[mnmn]

(1) Hire trustworthy people

(2) Hire people, keep them away from each other. Do not let them access to work theyve already done, and try to induce amnesia all the time. Assign a security guard to each person, and track their off-hour work to make sure they dont steal anything. And make SURE theyre scanned as they leave the building, and confescate all data-carrying media. Like SCO and Microsoft, keep a good legal team and sue people around who seem to do what you do.

Tough choices? Well in IT you have to make tough business choices, and the results will stick with you forever.

One Thing We Have Done

[awarlaw]

It is because of this reason we have recently converted a 50 employee Broker-Dealer to Terminal Services. We are now able to lock down nearly ALL areas with the added benefit of only having to backup one or two servers. Another benefit is we no longer have to service the individual machines. As long as they can get online, they can get to thier info. They can only print to onsight printers and they cannot download or install anything themselves. This freed up alot of resources. More than we even expected.....

Snowcrash

[trurl7]

Snowcrash partially concerns that very idea. Some nasty side-effects though :-)

compartmentalized

[jbolden]

I've worked with people who worked for the NSA. You skipped a very important thing they do. They compartmentalize the information so that no one person can take anything of value.

So for example if you are solving a PDE you might not know what it is modeling and what the proper initial values are. They guy who knows the solution and the initial values doesn't know what its for. The guy who gets the answer knows what its for but doesn't know the PDE or the solution, etc... The net result is that its fairly hard. This btw drastically increases costs but they are willing to deal with that. Anyone outsourcing to India is highly cost conscious so I doubt they would have the same attitude about development costs.

Re:There is no way to prevent a determined individ

[DavidTC]

There's no reason a company can't do these things too. Yes, it's a lot of work, and therefore expensive, and yes, it reduces productivity. Which is probably why most employers don't go to this much trouble, but it is possible, and probably done.

It doesn't reduce productivity, it destroys it. With the CIA, you can be working on, say, the IRA, and not actually need information about Quebec. (I switched to the CIA because I can actually make up examples...I don't know 90% of what the NSA does at all.)

If you're programming, either someone needed to create a hell of a lot of documentation, or you need to see code you're not directly working on. There's a difference between 'you only get one volume of the encyclopedia for the report you're writing' and 'you only get one quarter of the blueprint of the car you're designing'.

And a lot of the CIA's need-to-know works simply by honesty and auditing. People are expected not to learn things they don't need to know, and if they start doing a lot of research into things they don't need to know, auditors start looking closely. That takes a lot of resources and a very formal classification of data, along with very dedicated employees. (Which I'm suspecting is his problem, right there.).

Now, obviously, if something is in an entirely different project, you don't need to see that, but that, frankly, is obvious. If someone's worried about security and hasn't thought of that, they should just give up.

Military contractors get subject to the same scrutiny as the intelligent community. (Although obviously they do a lot less research through classifed data.) But this guy is in India, so I doubt he's a military contractor, and certainly not for the US military.

And, yeah, the reason so few source code thefts happen is that a) you'd get sued into the ground, along with b) source code is, sadly, still nowhere near as reusable as it should be, and c) sometimes it is stolen, and no one learns about it.

Outsource to the US

[Johnny+Mnemonic]

You should outsource to the US, where there are legal protections for IP. My understanding is that in India, there are none, or very few; so the only way to protect yourself is to restrict physical and logical connections to the work computer, since you can't prosecute after the theft has been accomplished.

And, as other posts have made clear, that's not possible against someone willing to breach security. Just ask the CIA.

I have a question...

[Supernoma]

All these people keep mention that thing's "may be different in India"... WHO SAID THIS GUY WAS IN INDIA?

I saw it once, as a joke...

Re:There is no way to prevent a determined individ

[theonetruekeebler]

Unless you know how to erase a person's brain, there will always be a hole.

ITYM that after I erase a person's brain, there will always be a hole. There's a fantastic brain-erasing device, an implant made mostly of lead, about 9mm in diameter, installed at high velocity while the erasure candidate begs you please Ghod no. Costs about $0.35 per round^H^H^H^H^H implant, plus court costs.

Re-installing the OS after the wipe is something of a challenge---better to replace the entire unit, after showing it what happened to the previous unit.

I wouldnt worry about it....

[override11]

Indian programming isnt worth a crap anyways.

The good news is

[ClosedSource]

Your code (and everybody else's) is not nearly as valuable as you (they) think.

Re:Hey maaaaaan...

[Curtman]

there's probably a lot fewer pieces of free software out there than there used to be)

Depends what you mean by free I guess.. There's tonnes of limited, but 0 cost software around, like opera, zoom player, avast, MSN, etc.. But tonnes more free software like Firefox, VLC, ClamWin, Gaim, etc. People seem to eventually learn the lesson that using the $0 stuff or better yet the free stuff is much better than dealing with trojaned cracks, and crippled apps. At least my friends do, but maybe that's because I fill their heads full of OSS propaganda. Stealing Windows is very common among them though. I don't harass them too much about that as long as they don't ask me to do it for them.

Re:There is no way to prevent a determined individ

[alexo]

> Think NSA

A friend of mine works at NDS (they develop smart card technology for, amonng others, DirecTV).

She told me that a part of her hiring process was a (voluntary) polygraph test.

Something fishy here...

[pla]

We are a small software startup based in India.

Does something about this situation sound at all strange to anyone but me? Small start-up, taking strong security measures to lock down the developers' machines so they can't steal (presumeably) code they write while at work?


"Small start-up" means a group of up to perhaps a dozen college friends getting together to realize a shared idea. Although somewhere down the road some betrayal may occur and lead to a messy legal situation, it simply doesn't apply until the company no longer counts as a start-up.


Perhaps I just have a problem with the chosen wording, but this sounds like a deeper (and unspoken, as asked) issue than "how can I lock down my PCs to block removeable media".

bfd

[fred+fleenblat]

The only real threat to your bottom line is that he'll come out with a competing product based on your IP. If he does that, you can send the lawyers after him with a clear conscience.

If he doesn't do that, then don't worry about it. He's not making any money at your expense, and you're saving money by not paying his salary anymore. Getting all paranoid and angry about this is just wasting YOUR mental effort.

I hear that outsourcing labor helps this

[bergeron76]

By outsourcing your labor force to the US, you can significantly reduce the amount of fraud by your own native-country employees.

All the Indian companies are doing it. It's becoming a trend.

So I take it...

[gatkinso]

...that releasing the code under the GPL is out.

not clear?

[dmf415]

Im not quite sure how you would steal an IP using a thumb drive....

Please explain?

Disable USBDRV.sys

[serialdj]

I worked somewhere where usbdrv.sys was not installed on the machines thereby disabling the abiltiy of placing a thumb drive in the machine.

Re:degausser

[bhtooefr]

Quoting a Memorex FAQ on flash media:

15. If these things are digital film, should I keep them out of the airport X-ray machines?
X-rays can damage photographic film because they are a form of energy similar to light energy, but we cannot see it. Film will "see" X-rays and record them. The energy is not enough to affect flash media, so they are safe for the X-ray equipment used in airports. Very large doses of radiation, however, such as those proposed as security for U.S. postal letters, will destroy flash media as well as any information on them.

Hmm... enough radiation to fry the media, but not enough to fry the employee...

A degausser won't work, as flash media isn't magnetic (it'll kill a USB hard drive, though). MAYBE a HUGE amount of ESD would do the trick, but it could also be lethal.

Simple solution

[thebra]

Use static IP's instead so they can't be released.

Are you using Windows/Group Policy?

[docubot]

Windows XP Service Pack 2 (SP2) introduces a new registry subkey that lets you mark USB-based storage devices such as memory sticks as read-only devices. This is a useful security capability that can prevent users from copying data from their systems and taking that data offsite via a USB device. To enable the USB write protection, perform the following steps:

1. Start the registry editor (regedit.exe).
2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\StorageDevicePolicies subkey. (Create the StorageDevicePolicies subkey if it doesn't already exist.)
3. From the Edit menu, select New, DWORD Value.
4. Type the name WriteProtect and press Enter.
5. Double-click the new value and set it to 1. Click OK.
6. Close the registry editor.
7. Restart the computer.

To disable this change, you can either set WriteProtect to 0 or delete it.

You should be able to roll this out as part of Group Policy or a startup script.

Re:There is no way to prevent a determined individ

[tomjen]

(And if the company works on military contracts, perhaps they CAN back it up with guys with machine guns. Maybe.)

I love guns - on a shooting range. If some company i work for decied, that machine guns are needed i will be out so fast. I would never produce anything and be scared to death every day.

Re:Hey maaaaaan...

[AuMatar]

So it doesn't matter if I steal a pencil or a car, its the same crime?

In that case- where did you park?

Re:Hey maaaaaan...

[Curtman]

So it doesn't matter if I steal a pencil or a car, its the same crime?

No. You're a thief either way. The crime is different.

Pay your people well and treat them with respect

[davidwr]

In Mexico, they were having problems with cops taking bribes. Now they pay them a lot better, and they have less of a problem.

Hire trustworthy people, treat them well and pay them well - 1% above market rate if you can afford it - and they won't be tempted ... as much.

For the few that do get through, termination with a negative reference and, if applicable, legal action is probably your best bet. Reasonable, non-intrusive practices such as eliminating USB mass-storage drivers or making them read-only might prove helpful.

Two words

[chrisatslashdot]

epoxy putty

My appologies to the bloke I stole this idea from. Sorry I can't remember the source.

Threats or chmod

[dacarr]

If you need to restrict access, you can always do like my drug-addicted former employer did and breathe down everybody's neck. Of course, that's dishonorable, so perhaps chmod would be in your best interests. While it stems some of it, it won't stop people stealing the data from where they have access, so you basically need to give threats of legal action if they're caught. Not knowing what laws are like in India, I'd recommend checking with an attorney for this.

Software Solutions Will Not Work

[Dial-Up]

Changing the Windows registry will not work.

Changing settings in Linux will not work.

You can hack Windows and hardcode the specific identifications of your USB devices into the code, and allow no other USB devices to function, if you want, but that still will not stop people.

One could easily bring in Knoppix, or something equivalent, and boot into an environment that doesn't share the restrictions.

Disable booting from CD in the BIOS? Most motherboards have a clear CMOS jumper. Maybe you could change the BIOS code, but then you could probably find another image on the internet and flash it again.

As long as these guys have physical access to the computer, a software solution will not work.

Usb ports...

[NemosomeN]

Just solder the usb devices directly onto the card, and epoxy the hole. When it comes down to it, even if one fails the price to replace isn't too bad.

Steal your IP?

[anthony_dipierro]

What good is your IP if they don't have anyone routing it to them?

Re:Open Source

[anthony_dipierro]

I have to agree with this one. The best way to stop IP theft is to not have IP in the first place. Make money by providing a useful good or service to people, not by keeping secrets.

Re:There is no way to prevent a determined individ

[anthony_dipierro]

But this guy is in India, so I doubt he's a military contractor, and certainly not for the US military.

No, but maybe he works for an an Indian call center. OK, it's a software company, so he's probably talking about source code, but maybe not (using the ambiguous term "IP" makes it hard to know for sure).

Commercial Solutions can do it

[mikeanuzis]

Two commercial solutions can do it no problem:
1) CSA ( Cisco Security Agent)
2) Tablus (www.tablus.com)

Tablus can also disable CD-R, copy/pasting, printing, screenshots, all sorts of other things.

super glue / modelling cement

[aneroid]

once u've got ur usb devices (peripherals) attached, superglue the empty ones...or use fevicol. anything that would require someone to use a screw driver/knife to get the hardened gum out of the the ports. hopefully, someone having a go at their pc with a knife isn't considered normal...well, not at the office anyway, and would be noticed.

u'd also have to use a strong adhesive to make sure the devices already connected can't be _replaced_ with pen drives, etc. for temporary IP theft accessibility.

ps: there are alternatives to superglue. whatever u do use, just make sure there isn't some household thing they can use to disolve it easily.

post-preview edit: u could try looking for or making a program that makes loud noises on the PC speaker* if a device is attached or removed after having "saved" the hardware "profile".

*: i know that can be turned off so make sure ur program un-mutes and goes to max volume.

Re:There is no way to prevent a determined individ

[droleary]

If you're programming, either someone needed to create a hell of a lot of documentation, or you need to see code you're not directly working on. There's a difference between 'you only get one volume of the encyclopedia for the report you're writing' and 'you only get one quarter of the blueprint of the car you're designing'.

I disagree. For modern programming, excessive exposure serves more to hinder productivity. That's why complex systems benefit from OO development; knowing how a part is used doesn't mean having to know the details of how a part works. A clear boundary between your code/responsibility and that of others means it's not only simpler to track down errors, but it also goes a long way towards keeping it from all walking out the door (and allows you better figure out who did take any parts that do leak).

And, yeah, the reason so few source code thefts happen is that a) you'd get sued into the ground, along with b) source code is, sadly, still nowhere near as reusable as it should be, and c) sometimes it is stolen, and no one learns about it.

I've contracted at a lot of places, and I'd say it's mostly 'b'. That's also why seeing other's source is usually counterproductive. I can't count the number of times I've seen stuff and and asked myself "How can you run a company on code this shitty?" The fewer messes you're exposed to, the less extraneous cleanup you're tempted to do. The additional benefits you get by thwarting would-be thieves is just icing on the cake.

Easiest answer

[Lord+Kano]

Don't fuck over your employees. Don't lowball their salaries. Don't short them on vacation time. Be fair in the promotion process.

It's easier to keep employees happy than it is to monitor their every activity.

LK

Insightful? Confused is more accurate

[mykdavies]

As long as your employees have access to your IP, there is absolutely no way to prevent them from "stealing" it if they are determined to do so. Period.

Why do people like to end a statement with `Period.' as if it were the last word on the issue, when it clearly is not? Wishful thinking?

You definately can prevent your employees from `stealing' things like code and data. It may not be 100% effective, but you can make it very _very_ difficult.

Re:There is no way to prevent a determined individ

[DavidTC]

I wondered if I should mention black box coding, or coding to spec, or whatever you want to call it.

In theory you can churns out little blocks of code that others put to together.

In reality, that's very difficult, and requires fundamental shifts in methodology and a complete rewrite of any existing project. And a very large investment at the start figuring everything out, which is near impossible.

Almost everyone who thinks they do that just fake it. There are probably a few modules with well-defined input and output, but trying to manage everything to that level, from the start, would require a year of work between design and implimentation. Hopefully something like that emerges organically, but having it from the start is different.

And all that does is shift your 'IP' up one level. Now the important thing is the amazingly well designed spec document. Yes, fewer people have access to it, but OTOH it's much easier to use if stolen, and it's not even copyright infringement, or at least not provable copyright infringement.

And it's still going to kill productivity. Programmers are going to spend all their time looking up exactly what other people's code is supposed to do, never quite knowing if the other code works correctly, and waiting forever for compiles, which they have to do remotely as they don't have the whole source tree, and thus can't do incrimentally...

It's known as "affluence cloaking".

[misfit13b]

They have a firewall that blocks clients based on net annual income.

Make a few million bucks off of the blood and sweat of the working class and then try again.

USB driver support

[raider_red]

In linux, it's possible to selectively enable USB drivers for certain typs of devices. The boxes we have at work will only support USB keyboards and Mice. Any other device won't be recognized.

It gets more complicated when you have network connections...

Re:There is no way to prevent a determined individ

[droleary]

In reality, that's very difficult, and requires fundamental shifts in methodology and a complete rewrite of any existing project. And a very large investment at the start figuring everything out, which is near impossible.

Not true. I'm good at consulting precisely because I see the big picture, but also I see a very "organic" path to get there from whatever mess is the current state of affairs. Too many people seem to think everything is equally dirty and needs to be sparkling clean all at once. I'm not saying it's easy to "grow" a good solution, and there is often a bit of a paradox where you have crap old code as the foundation of nice new code, but I would say that not only is it very possible, it is very possibly the only way to keep a business from dying.

And it's still going to kill productivity. Programmers are going to spend all their time looking up exactly what other people's code is supposed to do, never quite knowing if the other code works correctly, and waiting forever for compiles, which they have to do remotely as they don't have the whole source tree, and thus can't do incrimentally...

Then that business just didn't partition the code correctly. Nothing's perfect, and you have to properly assign resources to get the right results. If you have some core code that is critical to your business and may be flawed, do you really want any junior coder with CVS access to be able to screw around with it in the name of a bug hunt, or do you want domain experts to be informed through regular channels that allow everyone to verify that the actual behavior and the expected behavior match?

All of this already exists in successful systems. Most companies don't need access to the source code of their OS in order to be productive. Most application developers don't need pour over the code to all the libraries they link to. Most GUI developers don't need to know more than the interfaces of the business objects they visualize. And the end user will script it all without even understanding that such black boxes exist. If you're not seeing that kind of thing where you are, you either need to fix it or get out.

Re:There is no way to prevent a determined individ

[DavidTC]

I'm not talking about write access. I'm talking about read access. And, hell, half the time it's not even read access to the code that matters, what matters is reading the comments to see what takes what arguments, or looking to see exactly how they called some unrelated thing else so you can be consistent.

Coding correctly in small bits and pieces is not the same as operating a 'Manhattan project' where everyone knows exactly what they are supposed to do, and has no ability to even see anything else. Just because you should treat objects as blackboxes you can't see inside doesn't mean actually making them blackboxes you can't see inside is useful.

In the real world, people realize 'Hey, we do this a lot. Someone write a function to do it and we'll add it to the spec'. That can't happen if you have no idea what anyone else is doing. Everyone would constantly reinvent the wheel. Unless you have some sort of God handing down exactly perfect specifications to start with, that get followed to the letter.

And we all know, 90% of development is finding the bugs, and the bugs that cause you problems aren't always magically located in your own code.

Like I said, if you're operating in that enviroment, people can't even compile their own code, because they don't have read access to all the code they need to do so.

Re:There is no way to prevent a determined individ

[droleary]

And, hell, half the time it's not even read access to the code that matters, what matters is reading the comments to see what takes what arguments, or looking to see exactly how they called some unrelated thing else so you can be consistent.

If dependence on an undocumented API is your concern, you have bigger problems than code theft. Or, briefly, your box is not black.

Coding correctly in small bits and pieces is not the same as operating a 'Manhattan project' where everyone knows exactly what they are supposed to do, and has no ability to even see anything else. Just because you should treat objects as blackboxes you can't see inside doesn't mean actually making them blackboxes you can't see inside is useful.

Again, I gave example after example that demonstrate is it not only useful, but often more productive. The assumption, of course, is that someone sees inside the box and takes responsibility for it working as expected.

In the real world, people realize 'Hey, we do this a lot. Someone write a function to do it and we'll add it to the spec'. That can't happen if you have no idea what anyone else is doing. Everyone would constantly reinvent the wheel. Unless you have some sort of God handing down exactly perfect specifications to start with, that get followed to the letter.

If the only way you have of discovering design redundancies is by manually scanning code, again, "bigger problems". It sounds like you've worked in some real crap environments.

Like I said, if you're operating in that enviroment, people can't even compile their own code, because they don't have read access to all the code they need to do so.

I have one word that will change your life: linking. Seriously, have you really been surround by such crap that proper development practices seem like fantasy? That and the whole "90% bugs" thing makes me think you must be joking.

If using WindowsXP.

[LWATCDR]

You can disable usb drives. I found this out when one of our support techs could not use one to load a file I gave them on to their computer. Frankly It bothers me just a little bit since it seems useless. Nothing would stop them from using a Gmail account to mail the stuff to themselves. Sigh... Being a developer my machines have no limitations on them.

Don't try.

[munpfazy]

A determined employee will always be able to find a way to sneak information out of your door, and the more you irritate and harass your employees by treating them like children, the more likely it is they'll want to do so!

Let's say you manage to permanently disable all usb storage device drivers in the building, and every machine is in a padlocked cage and set up to trigger alarms if anyone tries to mess with the hardware, and you've got every network connection rigged to alarms so that no one can remove a cable and insert a recording device.

A determined thief will still find a way around it. Maybe they'll sneak in a digital camera and film a bunch of screen shots. (How long would it take to display all the code you care about at ten screens-full per second? Not long enough, I suspect.) Or maybe they'll create a hardware malfunction and use that as cover to get their hands on a hard drive or to insert a logger somewhere. Or maybe they'll take the most interesting bits, compress it, turn it into ascii, and print it in place of pages 51-74 of a new equipment manual before sneaking it out in their pockets. Or perhaps they'll just show up around midnight with bolt cutters and do it the low tech way.

Or, if your IP is really novel and interesting, they'll simply remember important parts and sell them to someone else willing to flush out the details in their own way.

Unless you've got brilliant and scrupulously honest security people and you're willing to make the lives of your employees miserable by passing them through metal detectors on the way in and out of the building, and every scrap of media in the office is locked up at all times before being securely destroyed, and none of your employees are ever permitted to send any material anywhere in any format, you're out of luck.

That isn't to say you shouldn't discourage people from removing material. Sternly telling them not to take a bit of work home with them on the weekend is one thing. But once you've made it clear that they're forbidden to do so, trying to outwit the determined thief is bound not only to fail, but also to irritate your trustworthy employees.

Trust and respect ...

[pbhj]

Trust is something that is hard to earn and easy to lose.

I assume you lock the doors to your house/car/caravan/accomodation when you leave?

Isn't that just treating you neighbours as "untrusted criminals to try and prevent the 1% who are criminals and might steal your [stuff]"?!

It sucks, I know. I remember when we had to start locking our family car and our house. My dad had his wallet stolen from the car one night.

Now, I sometimes lock the house when I'm in it.

What a world!