Slashdot Mirror


How to Prevent IP Theft by Your Own Employees?

Cursed by USB asks: "We are a small software startup based in India. Recently one of our employees was caught trying to steal our IP (work) from a computer using a USB thumb drive. While all the staff computers are devoid of floppy drives, cd writers and internet connections, we simply cannot disable the USB ports since there are a lot of USB enabled peripherals that we use. Apart from trying to hire "trustworthy" people, are there any other bright ideas that Slashdot readers might have in this regard to help prevent such theft from workplace?"


  1. Let me be the first to say... by rednip · · Score: 2, Informative
    Haw Haw.

    Perhaps you should just make them come to work in the nude? with a cavity search on the way out the door, aka South African diamond mines.

    Of course anyone who could produce work worth stealing probably wouldn't work under those conditions.

    --
    The force that blew the Big Bang continues to accelerate.
    1. Re:Let me be the first to say... by Directrix1 · · Score: 2, Funny

      Wow, the expertise must overflow from this place. Software developers who can't figure out how to restrict access from things. Remind me to never outsource.

      --
      Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
    2. Re:Let me be the first to say... by j0nb0y · · Score: 3, Funny

      Great idea! We'll just make it so our software developers don't have access to the code. Then they won't be able to steal anything!

      Oh wait...

      --
      If you had super powers, would you use them for good, or for awesome?
    3. Re:Let me be the first to say... by Tassach · · Score: 3, Insightful
      Software developers who can't figure out how to restrict access from things
      As others have said, this guy is having a MANAGEMENT problem, not a TECHNOLOGY problem. If you can't trust your professional employees, *NO* technological fix is going to solve your problems.

      Creativity and productivity are the two things a startup company, particularly a software startup, needs the most. Draconian security kills both of these. Likewise, oppressive NDAs and a corporate attitude of mistrust are not going to build loyalty among your employees.

      If you don't want your programmers to steal "your" code, treat them like PARTNERS, not EMPLOYEES. There's not much incentive to steal from yourself.

      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  2. How about by adamjaskie · · Score: 2, Insightful

    Delete the USB mass storage drivers?

    --
    /usr/games/fortune
    1. Re:How about by jakel2k · · Score: 4, Insightful

      Deleting the drivers would be good but what about internet access? It might be required to do work since the internet is one of the best tools for research and coding.

      There are many things that can be done and it all depends on how far you're willing to go.

      The first thing is fire the employee and make it known that this person was FIRED for IP theft. Also prosecuting this person to the full extent of the law will also send a message to other staff.

      Send out a memo stating that discovering ANY storage media that has been brought in from outside will result in immediate investigation of what is on the media and can be grounds for termination of employment and prosecution. Having people sign NDAs also help with the theft. These things are intimidation and to show the company is serious with this matter.

      Then there is the physical side of things. You might consider getting the computer locked in a box with holes for wires and vent holes. Of course you would want trusted members to have keys to access the box. Also security plates just to cover the USB openings might be a valid option.

      There is no 100% protection against this. Even the human brain is a storage device and to protect from that you would have to basically lock the employees in the office to do the work and after they're done, kill them.

    2. Re:How about by the+Man+in+Black · · Score: 3, Insightful

      Even the human brain is a storage device and to protect from that you would have to basically lock the employees in the office to do the work and after they're done, kill them.

      I seem to recall an oil developer developing a solution to this little issue. Something about ancient Babylon and namshubs. *shrug*

  3. well... by schnits0r · · Score: 3, Funny

    when it comes to avoiding intellectual property, I have this plan...but if I told you, I'd have to kill you.

  4. dumb terminals? by gl4ss · · Score: 3, Insightful

    or something else.

    it's possible to disable usb drives as well... some companies have done it. i'm pretty sure you can ask from microsoft how to do it.

    but really, if the guy is a coder or whatever.. how are you going to make him not 'steal' your 'ip' which is most importantly ideas.

    kick him in the nuts and pay the next guy better? ..of course, why would he need an usb drive to steal a 4 byte value?-)

    --
    world was created 5 seconds before this post as it is.
  5. One idea by DamienMcKenna · · Score: 3, Informative

    One idea would be to protect yourself.

    1. Re:One idea by SunFan · · Score: 4, Insightful


      I don't see how this would protect them, as copyright protection doesn't imply protection of trade secrets, which is what the submitter is probably concerned about. The only real protection for trade secrets is trusting employees, and an NDA might be appropriate in the employment contract. The key isn't to remove all of the technology from the offices, but to create enough dis-incentives to prevent the employees from wanting to steal.

      --
      -- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
  6. Do they have Email Access? by Y+Ddraig+Goch · · Score: 2, Informative

    If so you can't stop them, all they need to do is compress the IP and email it out of the building. The best thing you can do is treat your employees well and when (not if) there is a problem deal with it accordingly.

    --
    Meddle thou not in the affairs of Dragons, for thou art crunchy and with most anything.
  7. USB Device Scanner by Glamdrlng · · Score: 3, Informative

    It's not a total solution, but GFI Network Security Scanner (used to be LANGuard) can scan for unauthorized USB devices and fire off an alert if it detects one on a scan. Demo available at http://www.gfi.com/lannetscan/.

    --

    Yes, my only tool is a hammer. And you're starting to look like a nail.
  8. Mistakes by xoboots · · Score: 2, Insightful

    1. you said "IP" suggesting that it is a tangible thing that can be stolen

    2. you implied that there is no such thing as trustworthiness in employees

    3. you implied that you don't mind having untrustworthy employees as long as they don't affect *you*

    Why should we help you? Do your own homework.

    1. Re:Mistakes by SunFan · · Score: 2, Insightful


      Another non-corporate example: imagine being a researcher at a university. You develop a radical new algorithm that takes an O(n^3) process and makes it into O(n log n). This algorithm is of great importance in, say, fluid dynamics or something really time-consuming. Unfortunately, you are prepping your work for publication and due credit, when someone breaks in and steals your files and publishes under a different name first. Since you have not published, yet, there really is no protection at all, and you just lost two years of work.

      --
      -- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
    2. Re:Mistakes by brontus3927 · · Score: 2, Insightful

      A lot of people have a rabid response to those two letters: I.P. What if the poster wasn't trying to prevent "theft" of "IP" but "theft" of customer data. What if it was I caught an employee stealing our customers' credit card numbers and SSNs to USB flash drives.

    3. Re:Mistakes by Ithika · · Score: 3, Informative
      But copyright is on your side. You have two years of research and intimate knowledge of the subject to prove you did it (plus, no doubt, grant applications and research statements). The university will have regular offsite backups going back quite a while, all showing what you were doing, which will be fairly hard to forge. The thief has only your results.

      This kind of thing has been tried before; and failed.

    4. Re:Mistakes by ryanelm · · Score: 2, Insightful

      if intellectual property existed we'd still be in the fucking stone age buying fire from prometheus Corp.

  9. Wow - wondering about no network by MerlynEmrys67 · · Score: 2, Insightful
    Just wondering how little work I could get done without a network connection

    Think about it
    No E-mail
    No External resources (knowledge bases, slashdot)
    Nothing

    Frankly, I'm surprised you even can get people to work for you, I mean - wow, I haven't worked somewhere without an internet connection on my development machine for almost 15 years now. And it has been north of 20 since I haven't had an internet connection

    Frankly, it is much easier to protect your IP, and go after the people that steal it... I mean really what is stopping someone from bringing in a micro hard drive and just taking the whole thing out.

    --
    I have mod points and I am not afraid to use them
    1. Re:Wow - wondering about no network by soren42 · · Score: 3, Interesting

      Just wondering how little work I could get done without a network connection

      On the contrary... I was just thinking about how much work I could get done without an internet connection.

      Mostly by the lack of the same mechanisms... no e-mail, no slashdot, no websites... (lol) Nothing to do but focus on work.

      Oh, wait - I'd need to lose the telephone and the rest of the drivelling idiots that work with me, too. (Or least lock them out of my workspace)

      I don't think this is such a bad idea... isolate employees' computers for work, and then give them a "communication zone" of PCs they can move to with network connections. Allow them one hour out of every four in the communication zone to do e-mail, surf the web, do research, etc. That's a great idea to increase productivity - especially in tech workers!

      /me goes off to start a new productivity consulting firm...
      --

      "Adventure? Excitement? A Jedi craves not these things."
  10. You can't "steal" it if it is free. by m_chan · · Score: 2, Insightful

    Have your employees check their brains at the front desk so they can't walk out with snippets of code lodged in their lobes. Or perhaps you may be able to open your source and get help from people who will work on your technology because of interest.

  11. change your mindset by monkeyserver.com · · Score: 4, Insightful

    Like you said, hire people you can trust. Then foster a different environment, removing net connections, burners, and floppies is a good way to say, "I don't trust you." Why don't you embrace your employees, make them happy to work for you. Then maybe they won't steal, in fact, I would guess you'd see better productivity.

    You've got yourself a self fulfilling prophecy there...

    --
    http://monkeyserver.com --- weeeeee
  12. You can only try so much... by mopslik · · Score: 4, Insightful

    ... and even then, it doesn't always work. In the extreme case, you can always copy code using a pen and paper. Unless you're thinking of introducing full cavity searches, you're spinning your wheels. Give up on this "prevention" avenue. Focus more on your hiring process, write up a strict code of conduct, and don't be afraid to fire employees who are caught violating these terms.

    Just my $0.02.

  13. There is no way to prevent a determined individual by Schezar · · Score: 4, Insightful

    As long as your employees have access to your IP, there is absolutely no way to prevent them from "stealing" it if they are determined to do so. Period.

    No amount of security will make your data safe. Data is easy to move, easy to duplicate, and easy to store. During the industrial revolution, American industrial spies stole factory plans from British firms by memorizing them. Unless you know how to erase a person's brain, there will always be a hole.

    Technology is making this issue ever-more pressing.

    You have two options:

    1) Hire only trusted people, and trust them.

    2) Don't rely on IP as a business model.

    Option 2 may sound stupid, but it's really the only way in the long run. Sell a service, sell a product, but don't try to sell information. If the sole thing your company provides is data, someone will endeavor to get that data for themselves, and then you'll be boned.

    A business that relies on the scarcity of information it holds internally can not survive. Even if your employees are all 100% trustworthy, outsiders will still vie for your data.

    It may sound pessimistic, but it's the truth.

    --
    GeekNights!
    Late Night Radio for Geeks!
  14. Re:Hey maaaaaan... by dougmc · · Score: 2, Insightful
    The majority of the people here pirate everything.
    Really?

    Last I checked, the majority of people here certainly liked free software. But you really can't `pirate' something that's given away for free.

    And as for movies and music and other forms of media, you'll find a very wide variety of views on that here, on every side. Probably the only thing that `most' covers is that `most' people here use computers from time to time.

    You'll probably have better luck at a site like corporatenazisyndicate.com or something.
    That much is probably true. Though I suspect he'll find some answers here too, even though this really isn't the right place, and I'm amazed the question got greenlighted.
  15. Registry control by brontus3927 · · Score: 5, Informative
    If you are using Windows XP with SP2 you can keep block storage devices from being written to. If you have XP but not SP2, this would be a good reason to install the service pack. If you don't have XP, try searching google for software that will provide the functionality
    Start -> Run: regedit

    Find the following key:

    Hive: HKEY_LOCAL_MACHINE
    Key: System\CurrentControlSet\Control\StorageDevicePolicies
    Name: WriteProtect
    Data Type: REG_DWORD
    Value: 0
    This allows writing. Change the value to 1. This will prevent writing. Save your registry and reboot. Of course, it's always recommended to backup your registry before making changes.

    Allegedly, Longhorn will have this control without having to hack the registry.

  16. No, they don't. by Anonymous Coward · · Score: 2, Funny

    staff computers are devoid of floppy drives, cd writers and internet connections
    ...
    Do they have Email Access?

    This takes not reading the article/blurb to all new lows.

    1. Re:No, they don't. by DavidTC · · Score: 2, Insightful
      You have programmers without internet connections? And they actually produce work?

      What the hell kind of crazy society is going on in India?

      --
      If corporations are people, aren't stockholders guilty of slavery?
    2. Re:No, they don't. by SunFan · · Score: 2, Funny


      "And they actually produce work?"

      You ask this in a post to Slashdot...amusing.

      --
      -- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
  17. Respect by Tozog · · Score: 2, Insightful

    The best way to prevent IP theft is to treat your employees with respect and give them no reason to steal your IP in the first place.

    Putting in draconian security rules is just going to piss me off and keep me from doing my job effectively, and quite frankly, make me look for a new job.

    1. Re:Respect by Tozog · · Score: 3, Insightful

      So it's better to treat your employees like untrusted criminals to try and prevent the 1% who are criminals and might steal your code?

      Seriously, if I work on something that is your IP, any system you put in place to prevent me from stealing it is just going to make it harder to do my job and frustrate me. Even if I no longer have access to the code, I still know the general way things work and could probably reproduce the code in a much shorter period of time. And besides, no matter how harsh the security, if I need access to it to do my job, I still have access in some way or other. If I am determined, I could still steal it.

  18. If you're using Linux, you have two options: by Trelane · · Score: 4, Informative
    1. Remove support for USB Mass Storage in the kernel and remove any usb mass storage drivers in the kernel (also disable firewire or do the same for firewire devices)
    2. (if you use 2.6.x or later and udev) Modify your udev rules to make usb mass storage devices (and whatever devices you wish) to appear where you want it to (e.g. in a mode 000 directory) and with the user/group and perms you want it to have.
    --
    Given enough personal experience, all stereotypes are shallow.
  19. Make them owners. by AeiwiMaster · · Score: 4, Insightful

    You should pay them partly with shares,
    then they would only be stealing from themselves
    and their coworkers/Coowners.

  20. Re:There is no way to prevent a determined individ by dougmc · · Score: 4, Insightful
    As long as your employees have access to your IP, there is absolutely no way to prevent them from "stealing" it if they are determined to do so. Period.
    Why do people like to end a statement with `Period.' as if it were the last word on the issue, when it clearly is not? Wishful thinking?

    You definitely can prevent your employees from `stealing' things like code and data. It may not be 100% effective, but you can make it very _very_ difficult.

    Think NSA. I certainly never worked there, but I imagine they're 1) very picky about who they hire, and 2) take security to the extreme, and 3) it's all backed up by serious legal threats. (I believe treason is still eligible for the death penalty, is it not?)

    #2 is probably most interesting to those here. Physical security is extreme, with metal detectors detecting guns and hard drives, and enforced by men with guns. Things like USB drives (and even Furbies or cell phones) aren't allowed in at all, and I imagine there's spot searches for things like this.

    Places like that often have two networks, a secure and an unsecure one. If you plug a computer into the wrong network, it never leaves the building again. The secure network has no access to the Internet whatsoever.

    I imagine there's a lot more that they do, but I'm sure that there's web pages dedicated to this sort of thing if you want to read more about it.

    Of course, even this isn't 100% effective -- but I imagine it's pretty close. Of course, it's also extremely expensive and restrictive, and few companies are probably willing to do this sort of thing to their employees -- but I imagine that a few do, perhaps to some key employees in key positions ...

  21. Mod Parent Up by j0nb0y · · Score: 3, Informative

    Some problems just can't be solved with technology...

    --
    If you had super powers, would you use them for good, or for awesome?
  22. Use linux by John+Harrison · · Score: 2, Interesting
    Roll your own distro that removes support for USB drives.

    I would suggest that you need to give up. At my last project thumb drives were getting passed around like crazy and nobody was worried about it, and this was a place where they wouldn't give us a network connection. Trust the people that work for you, sue those that screw you, and pay them enough that they aren't easily bribed. As others have mentioned, they have most of the info in their own heads already and there is nothing you can do about that, so make sure they want to stay.

  23. If you are running Windows XP.... by sybarite · · Score: 5, Informative

    ...you can edit the following registry key to change the value of Start from 3 to 4. This will disable the USBSTOR.SYS driver preventing the use of USB filesystems. It will not disable other types of USB devices.

    HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR

  24. Re:Hey maaaaaan... by dougmc · · Score: 2, Insightful
    and pirated that copy of Windows.
    You're guessing. You may be right, and you may not be. I'm sure the /. logs could tell the story of what sort of browsers are used (except for those that pretend to be something else), and one could extrapolate what OSs are used and things could be measured that way, but that still wouldn't tell you if that copy of Windows was pirated or not. Lots of /.ers who use Windows probably also bought the computer with it preinstalled.

    The original claim was :

    The majority of the people here pirate everything.
    and there's two parts to that claim -- majority and everything. Perhaps the majority of people here have pirated something (be it software, music, movies, TV (broadcast, cable, satellite) or a ship at sea) but I seriously doubt that the majority pirates *everything*.
  25. Surveillance & punishment by duffbeer703 · · Score: 3, Funny

    Don't put up with this nonsense.

    Set up security stations and look for people with USB drives. When you discover someone absconding with IP, call an all hands meeting and cane the SoB. If caning is illegal in your area, just knock the guy to the floor and have the entire group stomp him. (This is also a teambuilding exercise)

    Corporal punishment will assert your IP authority and eliminate other disciplinary issues.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  26. Asking the Wrong Question by richg74 · · Score: 4, Insightful
    Apart from trying to hire "trustworthy" people, are there any other bright ideas that Slashdot readers might have in this regard to help prevent such theft from workplace?

    I think the core difficulty here is that you think you have a technology problem, when what you have is a management problem. If you rule out hiring trustworthy people, and fostering an atmosphere that earns their trust, then you are just wasting your time. Think about this: do you think that putting in time clocks would make physicians (let's say) work harder ?

    You also need to think about what it is that you are actually trying to protect. One defect (among many) of the term "intellectual property" is that it leads people to think by analogy with actual (tangible) property. If your IP is in software, what are you trying to protect: the typing of the code, or the ideas the code embodies? If it is the latter, you can't open your employees' skulls and remove the ideas from them.

    I worked in, and managed, an investment management firm, where it was a truism that our most important assets walked out the door every night. You have to run the business so that people want to work there; so that they have fun, find the work and their environment interesting, and believe that they will be fairly compensated (financially and otherwise). It isn't necessarily easy, but then that's what you get paid for.

    1. Re:Asking the Wrong Question by Wylfing · · Score: 2, Insightful
      I think the core difficulty here is that you think you have a technology problem, when what you have is a management problem.

      How absolutely, utterly true. What will you do in a few years when human sense data can be (and is commonly) directly stored as bits? A blind person gets optical implants and can now see. I suppose you would refuse to hire her because she might recover what she's seen from the storage buffers. You'll never overcome this "problem" with technological solutions -- eventually those solutions are going to spill over into human management problems anyway (i.e., the blind person).

      Now there are two ways to think about this. (1) You have a management problem, as parent said. This is true in the limited term. But (2) there is something unnatural about trying to lock down ideas as if they were property. It can't be done, and crushing enabling technologies everywhere you find them isn't going to make it any more possible.

      --
      Our intelligent designer has never created an animal that we couldn't improve by strapping a bomb to it.
  27. Simple by Safety+Cap · · Score: 3, Insightful
    • Hire the best people you can
    • Treat them well and with respect
    • Pay them what they deserve
    --
    Yeah, right.
  28. Outsource! by toygeek · · Score: 2, Funny

    Fire all but your most trusted employees and outsource the rest to the US. I hear it's all the rage in India.

  29. Won't work by Anonymous Coward · · Score: 2, Insightful

    It would have to be a pretty big percentage for that scheme to work.

    Let's say the employee is considering stealing $1000 (IP, cash, hardware, or equivalent) from The Company.

    Pre-employee-ownership:
    He owns 0% of The Company. So he gets $1000.

    Post-employee-ownership:
    He owns 1% of The Company. So he gets $1000, but effectively loses $10 of that. So he actually stole $990.

    Give him 10%, you say? Wow. Okay. Doesn't sound scalable, but sure. So he'd still net $900 in his theft.

    This won't work and it's exactly why even employees with massive ownership (e.g. CEOs) are still regularly caught pilfering from "their own" company.

    Won't work. If the employee is a thief, he's a thief.

  30. Partial Coding by dethwulf · · Score: 2, Informative

    From what I guess, and I only have limited program development experience, give each team/member partials of the total code. Granted, this will probably slow production or make for an interesting debug session. However, if you're developing something that you're truly worried about being leaked, having, for example, 30 employees with 1 part of the code each won't let them steal anything but that 1/30 of the total IP. So if that happens, so you're out a function, or whatever and you can handle his public flogging while the other 29 dutifully type out their 1/30 of the project.

    With that, you have 1 guy do the total compiling/debug that you know/trust/guard/make come to work naked with regular cavity checks/etc. Heck, that could be you if you're truly paranoid about it...

    --
    Good things come to those who wait on the early bird who gets the worm... hey, wait a sec!
  31. erase 'em by delirium+of+disorder · · Score: 2, Funny

    Install EMP/HERF guns and degaussing coils around the doors so any magnetic or solid state device is destroyed upon exiting the building. Ban tinfoil and make sure not to employ anyone with a pacemaker. Tell everyone to leave their cellphones in their cars and use an internal VOIP system for communication. Make sure any company healthcare doesn't cover radiation poisoning/cancer so your premiums don't go up.

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.
  32. Re:There is no way to prevent a determined individ by dougmc · · Score: 2, Insightful
    The NSA operates on a need-to-know basis where people can't access information they don't need even if they pass the classification level. And very few of them have write access to any data besides their specific responsibility.
    There's no reason a company can't do these things too. Yes, it's a lot of work, and therefore expensive, and yes, it reduces productivity. Which is probably why most employers don't go to this much trouble, but it is possible, and probably done.
    While the NSA can secure their information from employees, that's a long shot from companies being able to do so.
    A determined company can do many of the same things that the NSA does. Sure, they can't really back it up with guys with machine guns, but they can probably have armed security guards. Perhaps even off-duty police. They can do most of the same security checks, and make them sign similar non disclosure agreements.

    (And if the company works on military contracts, perhaps they CAN back it up with guys with machine guns. Maybe.)

    Yes, it's expensive. Yes, it's not conducive to productivity. But it can be done.

    I'm not exactly sure what 'IP' we're talking about here, anyway. Didn't these programmers create the 'IP' in the first place?
    Perhaps. Perhaps not. At my work, I have access to the source code for all our products, but the part I've contributed is exceedingly small (I'm in support, not development.) I guess I could steal it, but 1) who would want it? 2) I'd get sued into oblivion if I did, and probably end up in jail. It's not even remotely worth it. But physically, it would be easy.

    As for #1, `who would want it?', even our competitors wouldn't want it. They wouldn't touch it with a 10' pole, because if it was ever found out, they'd be sued into oblivion and they know it. No legitimate company wants that sort of exposure.

    And even if a single person did write all of this code, if he does it for his employer, on company time, on company computers, it probably belongs to the company, not him. (The specifics would be lined out in his employment contract and other paperwork.) Yes, perhaps he could write it again for somebody else (though often NDAs prohibit that), but few large projects are one-man-shows anymore.

  33. Re:Hey maaaaaan... by peragrin · · Score: 2, Funny

    That's because it's stealthy.

    To enter you must ping the webserver on several ports in the correct order.

    Shh don't say a word about it.

    --
    i thought once I was found, but it was only a dream.
  34. Re:There is no way to prevent a determined individ by DavidTC · · Score: 2, Interesting
    There's no reason a company can't do these things too. Yes, it's a lot of work, and therefore expensive, and yes, it reduces productivity. Which is probably why most employers don't go to this much trouble, but it is possible, and probably done.

    It doesn't reduce productivity, it destroys it. With the CIA, you can be working on, say, the IRA, and not actually need information about Quebec. (I switched to the CIA because I can actually make up examples...I don't know 90% of what the NSA does at all.)

    If you're programming, either someone needed to create a hell of a lot of documentation, or you need to see code you're not directly working on. There's a difference between 'you only get one volume of the encyclopedia for the report you're writing' and 'you only get one quarter of the blueprint of the car you're designing'.

    And a lot of the CIA's need-to-know works simply by honesty and auditing. People are expected not to learn things they don't need to know, and if they start doing a lot of research into things they don't need to know, auditors start looking closely. That takes a lot of resources and a very formal classification of data, along with very dedicated employees. (Which I'm suspecting is his problem, right there.).

    Now, obviously, if something is in an entirely different project, you don't need to see that, but that, frankly, is obvious. If someone's worried about security and hasn't thought of that, they should just give up.

    Military contractors get subject to the same scrutiny as the intelligence community. (Although obviously they do a lot less research through classified data.) But this guy is in India, so I doubt he's a military contractor, and certainly not for the US military.

    And, yeah, the reason so few source code thefts happen is that a) you'd get sued into the ground, along with b) source code is, sadly, still nowhere near as reusable as it should be, and c) sometimes it is stolen, and no one learns about it.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  35. Are you using Windows/Group Policy? by docubot · · Score: 2, Informative

    Windows XP Service Pack 2 (SP2) introduces a new registry subkey that lets you mark USB-based storage devices such as memory sticks as read-only devices. This is a useful security capability that can prevent users from copying data from their systems and taking that data offsite via a USB device. To enable the USB write protection, perform the following steps:

    1. Start the registry editor (regedit.exe).
    2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies subkey. (Create the StorageDevicePolicies subkey if it doesn't already exist.)
    3. From the Edit menu, select New, DWORD Value.
    4. Type the name WriteProtect and press Enter.
    5. Double-click the new value and set it to 1. Click OK.
    6. Close the registry editor.
    7. Restart the computer.

    To disable this change, you can either set WriteProtect to 0 or delete it.

    You should be able to roll this out as part of Group Policy or a startup script.
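
The registry steps in comment 35, written as a startup script. This is an added example, not part of the original comment; the `-Mode` parameter and the `Get-WriteProtectState` helper are names made up for this sketch, and it assumes the script runs elevated.

```powershell
# Added example (not from the thread): apply or audit the WriteProtect value.
# Assumes an elevated context, e.g. a machine startup script running as SYSTEM.
param(
    [ValidateSet('Enable', 'Disable', 'Audit')]
    [string]$Mode = 'Audit'   # hypothetical parameter; Audit changes nothing
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$ValueName = 'WriteProtect'

function Get-WriteProtectState {
    # Returns the current DWORD, or $null when the key or the value is absent.
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

$before = Get-WriteProtectState

switch ($Mode) {
    'Enable' {
        # Step 2: create the StorageDevicePolicies subkey if it does not exist.
        if (-not (Test-Path -Path $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        # Steps 3-5: a DWORD named WriteProtect set to 1.
        New-ItemProperty -Path $KeyPath -Name $ValueName `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    'Disable' {
        # The comment allows setting 0 or deleting the value; this deletes it.
        if ($null -ne $before) {
            Remove-ItemProperty -Path $KeyPath -Name $ValueName
        }
    }
}

$after = Get-WriteProtectState

# One record per machine, suitable for collecting into a compliance report.
New-Object PSObject -Property @{
    Computer       = $env:COMPUTERNAME
    Mode           = $Mode
    Before         = $before
    After          = $after
    WriteProtected = ($after -eq 1)
    RestartNeeded  = ($before -ne $after)   # step 7: change applies after restart
}
```

Anyone with local administrator rights can change the value back, so running the script in `Audit` mode on a schedule and comparing the `WriteProtected` field across machines is what catches drift.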

  36. Pay your people well and treat them with respect by davidwr · · Score: 2, Insightful

    In Mexico, they were having problems with cops taking bribes. Now they pay them a lot better, and they have less of a problem.

    Hire trustworthy people, treat them well and pay them well - 1% above market rate if you can afford it - and they won't be tempted ... as much.

    For the few that do get through, termination with a negative reference and, if applicable, legal action is probably your best bet. Reasonable, non-intrusive practices such as eliminating USB mass-storage drivers or making them read-only might prove helpful.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  37. Re:There is no way to prevent a determined individ by droleary · · Score: 2, Interesting

    If you're programming, either someone needed to create a hell of a lot of documentation, or you need to see code you're not directly working on. There's a difference between 'you only get one volume of the encyclopedia for the report you're writing' and 'you only get one quarter of the blueprint of the car you're designing'.

    I disagree. For modern programming, excessive exposure serves more to hinder productivity. That's why complex systems benefit from OO development; knowing how a part is used doesn't mean having to know the details of how a part works. A clear boundary between your code/responsibility and that of others means it's not only simpler to track down errors, but it also goes a long way towards keeping it from all walking out the door (and allows you to better figure out who did take any parts that do leak).

    And, yeah, the reason so few source code thefts happen is that a) you'd get sued into the ground, along with b) source code is, sadly, still nowhere near as reusable as it should be, and c) sometimes it is stolen, and no one learns about it.

    I've contracted at a lot of places, and I'd say it's mostly 'b'. That's also why seeing others' source is usually counterproductive. I can't count the number of times I've seen stuff and asked myself "How can you run a company on code this shitty?" The fewer messes you're exposed to, the less extraneous cleanup you're tempted to do. The additional benefits you get by thwarting would-be thieves are just icing on the cake.

  38. Easiest answer by Lord+Kano · · Score: 2

    Don't fuck over your employees. Don't lowball their salaries. Don't short them on vacation time. Be fair in the promotion process.

    It's easier to keep employees happy than it is to monitor their every activity.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  39. Re:There is no way to prevent a determined individ by DavidTC · · Score: 2, Interesting
    I wondered if I should mention black box coding, or coding to spec, or whatever you want to call it.

    In theory you can churn out little blocks of code that others put together.

    In reality, that's very difficult, and requires fundamental shifts in methodology and a complete rewrite of any existing project. And a very large investment at the start figuring everything out, which is near impossible.

    Almost everyone who thinks they do that just fake it. There are probably a few modules with well-defined input and output, but trying to manage everything to that level, from the start, would require a year of work between design and implementation. Hopefully something like that emerges organically, but having it from the start is different.

    And all that does is shift your 'IP' up one level. Now the important thing is the amazingly well designed spec document. Yes, fewer people have access to it, but OTOH it's much easier to use if stolen, and it's not even copyright infringement, or at least not provable copyright infringement.

    And it's still going to kill productivity. Programmers are going to spend all their time looking up exactly what other people's code is supposed to do, never quite knowing if the other code works correctly, and waiting forever for compiles, which they have to do remotely as they don't have the whole source tree, and thus can't do incrementally...

    --
    If corporations are people, aren't stockholders guilty of slavery?