How to Prevent IP Theft by Your Own Employees?
Cursed by USB asks: "We are a small software startup based in India. Recently one of our employees was caught trying to steal our IP (work) from a computer using a USB thumb drive. While all the staff computers are devoid of floppy drives, cd writers and internet connections, we simply cannot disable the USB ports since there are a lot of USB enabled peripherals that we use. Apart from trying to hire "trustworthy" people, are there any other bright ideas that Slashdot readers might have in this regard to help prevent such theft from workplace?"
when it comes to avoiding intellectual property, I have this plan...but if I told you, I'd have to kill you.
-------
Support Indy Music. Buy
or something else.
..of course, why would he need a usb drive to steal a 4 byte value?-)
it's possible to disable usb drives as well... some companies have done it. i'm pretty sure you can ask from microsoft how to do it.
but really, if the guy is a coder or whatever.. how are you going to make him not 'steal' your 'ip' which is most importantly ideas.
kick him in the nuts and pay the next guy better?
world was created 5 seconds before this post as it is.
One idea would be to protect yourself.
It's not a total solution, but GFI Network Security Scanner (used to be LANGuard) can scan for unauthorized USB devices and fire off an alert if it detects one on a scan. Demo available at http://www.gfi.com/lannetscan/.
Yes, my only tool is a hammer. And you're starting to look like a nail.
Like you said, hire people you can trust. Then foster a different environment, removing net connections, burners, and floppies is a good way to say, "I don't trust you." Why don't you embrace your employees, make them happy to work for you. Then maybe they won't steal, in fact, I would guess you'd see better productivity.
You've got yourself a self-fulfilling prophecy there...
http://monkeyserver.com --- weeeeee
... and even then, it doesn't always work. In the extreme case, you can always copy code using a pen and paper. Unless you're thinking of introducing full cavity searches, you're spinning your wheels. Give up on this "prevention" avenue. Focus more on your hiring process, write up a strict code of conduct, and don't be afraid to fire employees who are caught violating these terms.
Just my $0.02.
As long as your employees have access to your IP, there is absolutely no way to prevent them from "stealing" it if they are determined to do so. Period.
No amount of security will make your data safe. Data is easy to move, easy to duplicate, and easy to store. During the industrial revolution, American industrial spies stole factory plans from British firms by memorizing them. Unless you know how to erase a person's brain, there will always be a hole.
Technology is making this issue ever-more pressing.
You have two options:
1) Hire only trusted people, and trust them.
2) Don't rely on IP as a business model.
Option 2 may sound stupid, but it's really the only way in the long run. Sell a service, sell a product, but don't try to sell information. If the sole thing your company provides is data, someone will endeavor to get that data for themselves, and then you'll be boned.
A business that relies on the scarcity of information it holds internally can not survive. Even if your employees are all 100% trustworthy, outsiders will still vie for your data.
It may sound pessimistic, but it's the truth.
GeekNights!
Late Night Radio for Geeks!
Start -> Run: regedit
Find the following key:
This allows writing. Change the value to 1. This will prevent writing. Save your registry and reboot. Of course, it's always recommended to back up your registry before making changes. Allegedly, Longhorn will have this control without having to hack the registry.
Free MacMini
Great idea! We'll just make it so our software developers don't have access to the code. Then they won't be able to steal anything!
Oh wait...
If you had super powers, would you use them for good, or for awesome?
--
Given enough personal experience, all stereotypes are shallow.
You should pay them partly with shares,
then they would only be stealing from themselves
and their coworkers/Coowners.
You definitely can prevent your employees from `stealing' things like code and data. It may not be 100% effective, but you can make it very _very_ difficult.
Think NSA. I certainly never worked there, but I imagine they're 1) very picky about who they hire, and 2) take security to the extreme, and 3) it's all backed up by serious legal threats. (I believe treason is still eligible for the death penalty, is it not?)
#2 is probably most interesting to those here. Physical security is extreme, with metal detectors detecting guns and hard drives, and enforced by men with guns. Things like USB drives (and even Furbies or cell phones) aren't allowed in at all, and I imagine there's spot searches for things like this.
Places like that often have two networks, a secure and an unsecure one. If you plug a computer into the wrong network, it never leaves the building again. The secure network has no access to the Internet whatsoever.
I imagine there's a lot more that they do, but I'm sure that there's web pages dedicated to this sort of thing if you want to read more about it.
Of course, even this isn't 100% effective -- but I imagine it's pretty close. Of course, it's also extremely expensive and restrictive, and few companies are probably willing to do this sort of thing to their employees -- but I imagine that a few do, perhaps to some key employees in key positions ...
Some problems just can't be solved with technology...
If you had super powers, would you use them for good, or for awesome?
...you can edit the following registry key to change the value of Start from 3 to 4. This will disable the USBSTOR.SYS driver preventing the use of USB filesystems. It will not disable other types of USB devices.
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR
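An audit-and-set version of the registry change described in the comment above, as an added example that is not part of the original thread. The function names are hypothetical, and the `Enum\USBSTOR` history lookup is an assumption of this example that goes beyond what the comment covers.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
$UsbStorKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'   # key named in the comment
$UsbStorEnum = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'       # assumption: not named in the thread
$StartNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-UsbStorState {
    # Report the driver's Start value. A missing key means the USB storage
    # driver has not been set up on this machine, so there is nothing to flip.
    if (-not (Test-Path $UsbStorKey)) {
        return [pscustomobject]@{ Present = $false; Start = $null; Meaning = 'Key not found' }
    }
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction Stop).Start
    [pscustomobject]@{ Present = $true; Start = $start; Meaning = $StartNames[[int]$start] }
}

function Disable-UsbStor {
    # Change Start from 3 to 4 as the comment describes; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-UsbStorState
    if (-not $state.Present) {
        Write-Warning 'USBSTOR key not found; nothing changed.'
        return $state
    }
    if ($state.Start -ne 4 -and $PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start = 4')) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
    Get-UsbStorState   # re-read so the caller sees the value actually stored
}

function Get-UsbStorHistory {
    # List USB storage devices Windows has already enumerated:
    # one subkey per device model, one child key per device instance.
    if (-not (Test-Path $UsbStorEnum)) { return @() }
    Get-ChildItem -Path $UsbStorEnum | ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{ Model = $model; Instance = $_.PSChildName; FriendlyName = $props.FriendlyName }
        }
    }
}

Get-UsbStorState
Get-UsbStorHistory
# Disable-UsbStor -WhatIf    # preview the change; drop -WhatIf to apply it
```

Re-running `Get-UsbStorState` on a schedule shows whether someone with local administrator rights has set the value back to 3.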
Don't put up with this nonsense.
Set up security stations and look for people with USB drives. When you discover someone absconding with IP, call an all hands meeting and cane the SoB. If caning is illegal in your area, just knock the guy to the floor and have the entire group stomp him. (This is also a teambuilding exercise)
Corporal punishment will assert your IP authority and eliminate other disciplinary issues.
Conformity is the jailer of freedom and enemy of growth. -JFK
On the contrary... I was just thinking about how much work I could get done without an internet connection.
Mostly by the lack of the same mechanisms... no e-mail, no slashdot, no websites... (lol) Nothing to do but focus on work.
Oh, wait - I'd need to lose the telephone and the rest of the drivelling idiots that work with me, too. (Or at least lock them out of my workspace)
I don't think this is such a bad idea... isolate employees computers for work, and then give them a "communication zone" of PCs they can move to with network connections. Allow them one hour out of every four in the communication zone to do e-mail, surf the web, do research, etc. That's a great idea to increase productivity - especially in tech workers!
"Adventure? Excitement? A Jedi craves not these things."
I think the core difficulty here is that you think you have a technology problem, when what you have is a management problem. If you rule out hiring trustworthy people, and fostering an atmosphere that earns their trust, then you are just wasting your time. Think about this: do you think that putting in time clocks would make physicians (let's say) work harder?
You also need to think about what it is that you are actually trying to protect. One defect (among many) of the term "intellectual property" is that it leads people to think by analogy with actual (tangible) property. If your IP is in software, what are you trying to protect: the typing of the code, or the ideas the code embodies? If it is the latter, you can't open your employees' skulls and remove the ideas from them.
I worked in, and managed, an investment management firm, where it was a truism that our most important assets walked out the door every night. You have to run the business so that people want to work there; so that they have fun, find the work and their environment interesting, and believe that they will be fairly compensated (financially and otherwise). It isn't necessarily easy, but then that's what you get paid for.
Yeah, right.
Deleting the drivers would be good but what about internet access? It might be required to do work since the internet is one of the best tools for research and coding.
There are many things that can be done and it all depends on how far you're willing to go.
The first thing is fire the employee and make it known that this person was FIRED for IP theft. Also prosecuting this person to the full extent of the law will also send a message to other staff.
Send out a memo stating that discovering ANY storage media that has been brought in from outside will result in immediate investigation of what is on the media and can be grounds for termination of employment and prosecution. Having people sign NDAs also helps with the theft. These things are intimidation and to show the company is serious with this matter.
Then there is the physical side of things. You might consider getting the computer locked in a box with holes for wires and vent holes. Of course you would want trusted members to have keys to access the box. Also security plates just to cover the USB openings might be a valid option.
There is no 100% protection against this. Even the human brain is a storage device and to protect from that you would have to basically lock the employees in the office to do the work and after they're done, kill them.
So it's better to treat your employees like untrusted criminals to try and prevent the 1% who are criminals and might steal your code?
Seriously, if I work on something that is your IP, any system you put in place to prevent me from stealing it is just going to make it harder to do my job and frustrate me. Even if I no longer have access to the code, I still know the general way things work and could probably reproduce the code in a much shorter period of time. And besides, no matter how harsh the security, if I need access to it to do my job, I still have access in some way or other. If I am determined, I could still steal it.
Even the human brain is a storage device and to protect from that you would have to basically lock the employees in the office to do the work and after they're done, kill them.
I seem to recall an oil developer developing a solution to this little issue. Something about ancient Babylon and namshubs. *shrug*
El riesgo vive siempre!
This kind of thing has been tried before; and failed.
the layman's guide to computer science
Creativity and productivity are the two things a startup company, particularly a software startup, needs the most. Draconian security kills both of these. Likewise, oppressive NDAs and a corporate attitude of mistrust are not going to build loyalty among your employees.
If you don't want your programmers to steal "your" code, treat them like PARTNERS, not EMPLOYEES. There's not much incentive to steal from yourself.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?