How to Prevent IP Theft by Your Own Employees? 236
Cursed by USB asks: "We are a small software startup based in India. Recently one of our employees was caught trying to steal our IP (work) from a computer using a USB thumb drive. While all the staff computers are devoid of floppy drives, cd writers and internet connections, we simply cannot disable the USB ports since there are a lot of USB enabled peripherals that we use. Apart from trying to hire "trustworthy" people, are there any other bright ideas that Slashdot readers might have in this regard to help prevent such theft from workplace?"
Let me be the first to say... (Score:2, Informative)
Perhaps you should just make them come to work in the nude? with a cavity search on the way out the door, aka South African diamond mines.
Of course anyone who could produce work worth stealing probally wouldn't work under those conditions.
Re:Let me be the first to say... (Score:3, Funny)
Re:Let me be the first to say... (Score:4, Funny)
Oh wait...
Re:Let me be the first to say... (Score:2)
The guy wanted us to write the logic in VB and he would then translate them in whatever language the real source code was in (I think it was C). I worked there 22 days before my direct boss (the crazy guy asking me to code in VB) fired me for being stuborn. I then worked for his boss which later fired him.
I really pissed off the guy by saying that he should plaster his name in the log files like that all the time and that he should try to
Re:Let me be the first to say... (Score:4, Insightful)
Creativity and productivity are the two things a startup company, particuarly a software startup, needs the most. Draconian security kills both of these. Likewise, oppressive NDAs and a corporate attitude of mistrust are not going to build loyalty among your employees.
If you don't want your programmers to steal "your" code, treat them like PARTNERS, not EMPLOYEES. There's not much incentive to steal from yourself.
Re:Let me be the first to say... (Score:2)
How about (Score:3, Insightful)
Re:How about (Score:4, Insightful)
There are many things that can be done and it all depends on how far you're willing to go.
The first thing is fire the employee and make it known that this person was FIRED for IP theft. Also prosecuting this person to the full extent of the law will also send a message to other staff.
Send out a memo stating that discovering ANY storage media that has been brought in from outside will result in immediate investigation of what is on the media and can be grounds for termination of employment and prosecution. Having people sign NDAs also help with the theft. These things are intimidation and to show the company is serious with this matter.
Then there is the physical side of things. You might consider getting the computer looked in a box with holes for wires and vent holes. Of course you would want trusted members to have keys to access the box. Also security plates just to cover the USB openings might be a valid option.
There is no 100% protection against this. Even the human brain is a storage device and to proect from that you would have to basically lock the employees in the ofice to do the work and after they're done, kill them.
Re:How about (Score:4, Insightful)
I seem to recall an oil developer developing a solution [amazon.com] to this little issue. Something about ancient Babylon and namshubs. *shrug*
Principle of Least Privilege (Score:2, Insightful)
well... (Score:3, Funny)
dumb terminals? (Score:4, Insightful)
it's possible to disable usb drives as well... some companies have done it. i'm pretty sure you can ask from microsoft how to do it.
but really, if the guy is a coder or whatever.. how are you going to make him not 'steal' your 'ip' which is most importantly ideas.
kick him in the nuts and pay the next guy better?
One idea (Score:3, Informative)
Re:One idea (Score:5, Insightful)
I don't see how this would protect them, as copyright protection doesn't imply protection of trade secrets, which is what the submitter is probably concerned about. The only real protection for trade secrets is trusting employees, and an NDA might be appropriate in the employment contract. The key isn't to remove all of the technology from the offices, but to create enough dis-incentives to prevent the employees from wanting to steal.
Do they have Email Access? (Score:3, Informative)
No, they don't. (Score:2, Funny)
staff computers are devoid of floppy drives, cd writers and internet connections
...
Do they have Email Access?
This takes not reading the article/blurb to all new lows.
Re:No, they don't. (Score:2, Insightful)
What the hell kind of crazy society is going on in India?
Re:No, they don't. (Score:2, Funny)
"And they actually produce work?"
You ask this in a post to Slashdot...amusing.
USB Device Scanner (Score:4, Informative)
Mistakes (Score:2, Insightful)
2. you implied that there is no such thing as trustworthiness in employees
3. you implied that you don't mind having untrustworthy employees as long as they don't affect *you*
Why should we help you? Do your own homework.
Re:Mistakes (Score:2)
Yeah...I hate it when people steal my IP.
Re:Mistakes (Score:2)
If IP is a trade secret, than "stealing" means that what was once private is now public. The real theft, then, is a denial of value to the company regarding that IP. Just because it isn't something tangible like jewelry doesn't make it less of a crime.
Re:Mistakes (Score:3, Insightful)
Another non-corporate example: imagine being a researcher at a university. You develop a radical new algorithm that takes a O(n^3) process and make it into O(n log n). This algorithm is of great importance in, say, fluid dynamics or something really time-consuming. Unfortunately, you are prepping your work for publication and due credit, when someone breaks in and steals your files and publishes under a different name first. Since you have not published, yet, there really is no protection at all, and y
Re:Mistakes (Score:4, Informative)
This kind of thing has been tried before; and failed.
Re:Mistakes (Score:2)
Any attempts to prevent leakage will ultimately fail. Use the laws provided; that's why they exist.
Re:Mistakes (Score:2)
Re:Mistakes (Score:2)
But a trade secret is a tangible thing in a legal sense. "IP" is specious word with no real bearing or precise meaning. He refered to "IP" and then added "(work)" which really doesn't imply "trade secret" all by itself. In other words, his use of language w
Re:Mistakes (Score:2)
"'IP' is specious word with no real bearing or precise meaning."
I generally consider IP to be trade secrets, copyright, patents, and the public domain. If someone isn't set up properly in the former, they irrevocably live in the latter. "Theft", in a sense, is moving things into the public domain without permission.
Re:Mistakes (Score:3, Insightful)
Wow - wondering about no network (Score:3, Insightful)
Think about it
No E-mail
No External resources (knowledge bases, slashdot)
Nothing
Frankly, I'm suprised you even can get people to work for you, I mean - wow, I haven't worked somewhere without an internet connection on my development machine for almost 15 years now. And it has been north of 20 since I haven't had an internet connection
Frankly, it is much easier to protect your IP, and go after the people that steal it... I mean really what is stopping someone from bringing in a micro hard drive and just taking the whole thing out.
Re:Wow - wondering about no network (Score:4, Interesting)
On the contrary... I was just thinking about how much work I could get done with out an internet connection.
Mostly by the lack the same mechanisms... no e-mail, no slashdot, no websites... (lol) Nothing to do but focus on work.
Oh, wait - I'd need to lose the telephone and the rest of the drivelling idiots that work with me, too. (Or least lock them out of my workspace)
I don't think this is such a bad idea... isolate employees computers for work, and then give them a "communication zone" of PCs they can move to with network connections. Allow them one hour out of every four in the communication zone to do e-mail, surf the web, do research, etc. That's a great idea to increase productivity - especially in tech workers!
Re:Wow - wondering about no network (Score:2)
It depends how you interpret the an, being an internet or an connection. I automatically assume the former as it is internet with a lower case "i"
Re:Wow - wondering about no network (Score:2)
A modem link to a BBS ? Well, that goes back 25 years now. God the days of Compuserve (remember them, they didn't get the internet and lost out to AOL)
And frankly the whole Capital I thing is stupid, if I wasn't talking about the internet, I would have said, LAN, BBS, or other technology .
Re:Wow - wondering about no network (Score:2)
Re:Wow - wondering about no network (Score:2)
Why? I've been on since the late 80's, and I'm not exactly an early adopter.
Re:Wow - wondering about no network (Score:2)
But, back in that day, people had internet access through their colleges, and usually when their college tenures were up (and those usually got cut short because of something on the Internet.. heh!) they disappeared, never to be heard from again.
You can't "steal" it if it is free. (Score:3, Insightful)
Sack them when you catch them (Score:2)
I don't know what your local copyright laws are like, but surely they couldn't do anything commerical with the IP without violating them?
That's the stick, here's the carrot... (Score:2)
An aside: If companies could wipe employees memory when they left, every new hire would have as much experience as a graduate straight out of uni...
Re:Sack them when you catch them (Score:2)
change your mindset (Score:5, Insightful)
You've got yourself a self fullfilling prophecy there...
Re:change your mindset (Score:2)
If you don't lock the doors, sooner or later someone is going to break in. You ahve to do what you can to stop it.
You can only try so much... (Score:5, Insightful)
Just my $0.02.
Mod Parent Up (Score:4, Informative)
Re:You can only try so much... (Score:2)
That's the "analog hole" [publicknowledge.org] - another good reason why DRM and the like will ultimately fail.
There is no way to prevent a determined individual (Score:5, Insightful)
No amount of security will make your data safe. Data is easy to move, easy to duplicate, and easy to store. During the industrial revolution, American industrial spies stole factory plans from British firms by memorizing them. Unless you know how to erase a person's brain, there will always be a hole.
Technology is making this issue ever-more pressing.
You have two options:
1) Hire only trusted people, and trust them.
2) Don't rely on IP as a business model.
Option 2 may sound stupid, but it's really the only way in the long run. Sell a service, sell a product, but don't try to sell information. If the sole thing your company provides is data, someone will endeavor to get that data for themselves, and then you'll be boned.
A business that relies on the scarcity of information it holds internally can not survive. Even if your employees are all 100% trustworthy, outsiders will still vie for your data.
It may sound pessimistic, but it's the truth.
Re:There is no way to prevent a determined individ (Score:5, Insightful)
You definately can prevent your employees from `stealing' things like code and data. It may not be 100% effective, but you can make it very _very_ difficult.
Think NSA. I certainly never worked there, but I imagine they're 1) very picky about who they hire, and 2) take security to the extreme, and 3) it's all backed up by serious legal threats. (I believe treason is still eligible for the death penalty, is it not?)
#2 is probably most interesting to those here. Physical security is extreme, with metal detectors detecting guns and hard drives, and enforced by men with guns. Things like USB drives (and even Furbies or cell phones) aren't allowed in at all, and I imagine there's spot searches for things like this.
Places like that often have two networks, a secure and an unsecure one. If you plug a computer into the wrong network, it never leaves the building again. The secure network has no access to the Internet whatsoever.
I imagine there's a lot more that they do, but I'm sure that there's web pages dedicated to this sort of thing if you want to read more about it.
Of course, even this isn't 100% effective -- but I imagine it's pretty close. Of course, it's also extremely expensive and restrictive, and few companies are probably willing to do this sort of thing to their employees -- but I imagine that a few do, perhaps to some key employees in key positions ...
compartmentalized (Score:2)
So for example if you are solving a PDE you might not know what it is modeling and what the proper initial values are. They guy who knows the solution and the initial values doesn't know what its for. The guy who gets the answer knows what its for but doesn't know the PDE or the solution, etc... The net result is that its fai
Re:There is no way to prevent a determined individ (Score:3, Insightful)
There's no reason a company can't do these things too. Yes, it's a lot of work, and therefore expensive, and yes, it reduces productivity. Which is probably why most employers don't go to this much trouble, but it is possible, and probably done.
Re:There is no way to prevent a determined individ (Score:2, Interesting)
It doesn't reduce productivity, it destroys it. With the CIA, you can be working on, say, the IRA, and not actually need information about Quebec. (I switched to the CIA because I can actually make up examples...I don't know 90% of what the NSA does at all.)
If you
Re:There is no way to prevent a determined individ (Score:3, Interesting)
If you're programming, either someone needed to create a hell of a lot of documentation, or you need to see code you're not directly working on. There's a difference between 'you only get one volume of the encyclopedia for the report you're writing' and 'you only get one quarter of the blueprint of the car you're designing'.
I disagree. For modern programming, excessive exposure serves more to hinder productivity. That's why complex systems benefit from OO development; knowing how a part is used does
Re:There is no way to prevent a determined individ (Score:2)
ITYM that after I erase a person's brain, there will always be a hole. There's a fantastic brain-erasing device, an implant made mostly of lead, about 9mm in diameter, installed at high velocity while the erasure candidate begs you please Ghod no. Costs about $0.35 per round^H^H^H^H^H implant, plus court costs.
Re-installing the OS after the wipe is something of a challenge---better to replace the entire unit, after showing it w
Registry control (Score:5, Informative)
Start -> Run: regedit
Find the following key:
This allows writing. Change the value to 1. This will prevent writing. Save your registry and reboot. Of course, it's always recomended to backup your registry before making changes.Allegedly, Longhorn will have this control without having to hack the registry.
Re:Registry control (Score:2)
Please excuse me if I am being naive, but isn't the hard disk a block storage device? Wouldn't adding this key make the user's drive(s) immutable and make it very difficult to reverse this registry addtion?
Re:Registry control (Score:2)
As for the other post, it is possible to restrict users access to the registry by edititing the registry.
Re:Registry control (Score:2)
OH, and by the way, don't let your employees read that post.
Respect (Score:2, Insightful)
Putting in draconian security rules is just going to piss me off and keep me from doing my job effectively, and quite frankly, make me look for a new job.
Re:Respect (Score:2)
Re:Respect (Score:3, Insightful)
Seriously, if I work on something that is your IP, any system you put in place to prevent me from stealing it is just going to make it harder to do my job and frustrate me. Even if I no longer have access to the code, I still know the general way things work and could probably reproduce the code in a much shorter period of time. And besides, no matter how harsh the security,
Re:Respect (Score:2)
If you're using Linux, you have two options: (Score:5, Informative)
Re:If you're using Linux, you have two options: (Score:2)
Re:If you're using Linux, you have two options: (Score:2)
Make them owners. (Score:5, Insightful)
then they would only be stealing from themself
and their coworkers/Coowners.
Won't work (Score:2, Insightful)
Let's say the employee is considering stealing $1000 (IP, cash, hardware, or equivalent) from The Company.
Pre-employee-ownership:
He owns 0% of The Company. So he gets $1000.
Post-employee-ownership:
He owns 1% of The Company. So he gets $1000, but effectively loses $10 of that. So he actually stole $990.
Give him 10%, you say? Wow. Okay. Doesn't sound scalable, but sure. So he'd still net $900 in his theft.
This won't work and it's
Reminds me of a story... (Score:2)
Me: Your hard drive is dead. You're going to have to buy a new one.
Him: How much will that cost?
Me: About $100, plus the cost to install it...maybe $130 total.
Him: That's way too much, can't you just fix it?
The moral of this story is that if you system is fundementally broken, there is no band-ai
Re:Reminds me of a story... (Score:2)
$20 an hour + a %10 finders fee for any hardware was my normal rate.
Pretty cheap considering it's a house call.
Re:Reminds me of a story... (Score:2)
It's rediculously cheap, but he was in high school. Heck, a lot of high schoolers work at mcdonalds for $6 an hour. Going to someone's home and installing a hard drive for $30 probably sounds like a lot of money to a high schooler.
Use linux (Score:3, Interesting)
I would suggest that you need to give up. At my last project thumb drives were getting passed around like crazy and nobody was worried about it, and this was a place where they wouldn't give us a network connection. Trust the people that work for you, sue those that screw you, and pay them enough that they aren't easily bribed. As others have mentioned, they have most of the info in their own heads already and there is nothing you can do about that, so make sure they want to stay.
If you are running Windows XP.... (Score:5, Informative)
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR
Re:If you are running Windows XP.... (Score:2)
How to disable Firewire filesystems then? Does a key for that exist as well? I don't have Windows here, so I can't check.
Two options (Score:2)
2) Make sure it's all clearly copyrighted.
3) Patent it (but don't tell anyone I told you to do this).
Surveillance & punishment (Score:4, Funny)
Set up security stations and look for people with USB drives. When you discover someone obscounding with IP, call an all hands meeting and cane the SoB. If caning is illegal in your area, just knock the guy to the floor and have the entire group stomp him. (This is also a teambuilding exercise)
Corporal punishment will assert your IP authority and eliminate other disiplinary issues.
Asking the Wrong Question (Score:5, Insightful)
I think the core difficulty here is that you think you have a technology problem, when what you have is a management problem. If you rule out hiring trustworthy people, and fostering an atmosphere that earns their trust, then you are just wasting your time. Think about this: do you think that putting in time clocks would make physicians (let's say) work harder ?
You also need to think about what it is that you are actually trying to protect. One defect (among many) of the term "intellectual property" is that it leads people to think by analogy with actual (tangible) property. If your IP is in software, what are you trying to protect: the typing of the code, or the ideas the code embodies? If it is the latter, you can't open your employees' skulls and remove the ideas from them.
I worked in, and managed, an investment management firm, where it was a truism that our most important assets walked out the door every night. You have to run the business so that people want to work there; so that they have fun, find the work and their environment interesting, and believe that they will be fairly compensated (financially and otherwise). It isn't necessarily easy, but then that's what you get paid for.
Re:Asking the Wrong Question (Score:3, Insightful)
How absolutely, utterly true. What will you do in a few years when human sense data can be (and is commonly) directly stored as bits? A blind person gets optical implants and can now see. I supposed you would refuse to hire her because she might recover what she's seen from the storage buffers. You'll never overcome this "problem" with technological solutions -- eventually those solu
Simple (Score:4, Insightful)
Re:Simple (Score:2)
I removed the Zip drives & floppy drives so people couldn't walk out with the data files. Why? Because they represented so many hours of work: the specs were the output of skilled engineers, the drawings had taken many, many hours to produce, and the databases of correspondence could be mined for best
Outsource! (Score:3, Funny)
Securewave (Score:2)
Once it's set-up it's awsome.
I don't work for them, I've just used their product and really liked it.
Partial Coding (Score:2, Informative)
tiny blurry pictures are the most dangerous (Score:2)
That's the solution of the very large company for which I work, anyway.
Terminal services (Score:2)
Citrix for windows is the obvious choice, but there are ways to accomplish this with unix, Linux, and even mixing the two environment.
erase 'em (Score:3, Funny)
Umm.... (Score:2)
Remove the USB mass storage device drivers. But that's already been mentioned.
Restrict the user access to the USB devices. This has already been mentioned too. You can do this really easily under Linux.
Why the fuck are you posting such a braindead simple question?
If you can't figure this one out on your own, then you probably don't have any IP worth stealing in the first place. And if you do, it's already long gone by now because you are this stupid. The smart people walked out with it weeks ago.
Make them owners (Score:2)
If all the critical employees (i.e. those with access to the data) owned a non-trivial amount of the company, then they *would* have something to lose and would be much less motivated to try it. And they will work a lot harder and not leave after a year and (perfectly legally) depr
Look at history, PLEASE!!! (Score:2)
If I remember my history correctly Westinghouse worked for Edison for a while and the Dodge brothers were working for Ford when they came up with their ideas for Dodge Motors (and actually sold Ford stock to get the capital to start
Disable USB drives? (Score:2)
But if your office is anything like mine, that is going to kill your workflow. I am always using my USB flash drive when I have to collaborate with my co-workers. Maybe your employees are the problem, not your computers? I take company IP home with me fairly frequently, because if I am enjoying what I am working on at the moment, I tend to take it to a coffee shop or park or whatever and work on it in my spare time for the fun
if we are to assume.... (Score:2)
Software is relatively easy to create.
Much more so the second time.
You could spend tons of cash and several months building, for example, an online game. Then I could come around, and re-create that entire thing from scratch, on my own, for virtually no cost, within a few days.
Options (Score:2)
(2) Hire people, keep them away from each other. Do not let them access to work theyve already done, and try to induce amnesia all the time. Assign a security guard to each person, and track their off-hour work to make sure they dont steal anything. And make SURE theyre scanned as they leave the building, and confescate all data-carrying media. Like SCO and Microsoft, keep a good legal team and sue people around who seem to do what you do.
Tough choices? Well in IT you have to ma
Outsource to the US (Score:2)
You should outsource to the US, where there are legal protections for IP. My understanding is that in India, there are none, or very few; so the only way to protect yourself is to restrict physical and logical connections to the work computer, since you can't prosecute after the theft has been accomplished.
And, as other posts have made clear, that's not possible against someone willing to breach security. Just ask the CIA.
I wouldnt worry about it.... (Score:2)
The good news is (Score:2)
Easiest answer (Score:3)
It's easier to keep employees happy than it is to monitor their every activity.
LK
Re:Hey maaaaaan... (Score:3, Insightful)
Really?
Last I checked, the majority of people here certainly liked free software. But you really can't `pirate' something that's given away from free.
And as for movies and music and other forms of media, you'll find a very wide variety of views on that here, on every side. Probably the only thing that `most' covers is that `most' people here use computers from time to time.
Re:Hey maaaaaan... (Score:3, Insightful)
You're guessing. You may be right, and you may not be. I'm sure the /. logs could tell the story of what sort of browsers are used (except for those that pretend to be something else), and one could extrapolate what OSs are used and things could be measured that way, but that still wouldn't tell you if that copy of Windows was pirated or not. Lots of /.ers who use Windows probably also bought the computer with it preinstalled.
The original claim was :
Re:Hey maaaaaan... (Score:2)
Sure.. But I still think most geeks prefer to build their own.
I seriously doubt that the majority pirates *everything*.
I don't think it matters if you steal a little bit, or steal a lot. You'd be a thief either way.
Re:Hey maaaaaan... (Score:2)
It's certainly quite possible to get away with free software in the Windows world. (at least, it was a few years back.. I know now that the entry bar
Re:Hey maaaaaan... (Score:2)
Depends what you mean by free I guess.. There's tonnes of limited, but 0 cost software around, like opera, zoom player, avast, MSN, etc.. But tonnes more free software like Firefox, VLC, ClamWin, Gaim, etc. People seem to eventually learn the lesson that using the $0 stuff or better yet the free stuff is much better than dealing with trojaned cracks, and crippled apps. At least my friends do, but maybe that's because
Re:Hey maaaaaan... (Score:2)
Re:Hey maaaaaan... (Score:3, Funny)
To enter you must ping the webserver on several ports in the correct order.
Shh don't say a word about it.