2/6 Our parent company is considering forbidding us from taking laptops
off the premises due to possible src code loss. Considering that
many of us work from home the majority of the time, this does not
sit well. We need to come up with a proposal for keeping the
src (or entire disk) on an encrypted drive. I used PGP desktop
a while back but never did any disk intensive activity (e.g. compilation)
on it. Has anyone been subjected to similar measures and have any
suggestions? Thanks.
\_ Yeah, plenty of companies are hiring. Start looking for another
job now.
\_ I love my job. Not interested in a new one. -op
\_ Do you think this is the last PHB decision they will make?
You love it now, but this is just a harbinger of things
to come. I am sorry I cannot be more positive. There has
got to be some way of encrypting things for you but I
don't know what it is.
\_ Maybe not, CHKP is an agent of the Mossad, so I wouldn't
put anything past them, but, regardless, I need to wait
a few more years for the remainder of my options to vest.
-op
\_ Write up a reasoned explanation of why this won't help. Particularly
in a technical field (development), it's always near trivial to find
ways around this unless they completely isolate your work network
from the internet. (i.e. you can't go to websites, check popmail,
etc) If there are any such "holes" that those evil, evil employees
could just copy the code out through, encrypting it locally won't
help.
\_ The issue is not that they don't want employees stealing the
src, the issue is that laptops are prime targets for theft and
if someone were to get their laptop stolen, release of the
src code would be disastrous. Of course there are plenty
of ways to get around it. -op
\_ Out of curiosity, does anyone know how often data from
stolen laptops ends up getting into the wrong hands?
I would have guessed that most laptops get stolen
by crackheads who sell them to the local pawn shop for a
hundred dollars, who then erases the hard drive and sells
it for two hundred to some random moron. At what point in
this chain does data get sent to some competing software
company? Are there people out there making a living
cruising the silicon valley pawn shops for sellable data on
stolen hard drives?
\_ magnetic tape, flashdrive/CF/SD/etc, laptop HD in a USB/FW case ...
iPod/etc ...
\_ Again I'm not looking for ways to take src code home. I'm
looking for a reasonable solution for securing the data on
the laptop to mollify their concerns and to prevent me
from having to jump through such hoops. I still have VPN
access to CVS from my desktop at home and if it were to come to
it would just ditch the laptop. -op
\_ it was meant as examples to give your company to prove
how fucking stupid they are.
\_ Uhm, if you have VPN access to the company what makes
the company think that someone can't just steal your
computer at home and get the source code there? I'm sure
that you encrypt your data, but that's not a guarantee
that someone else who works under similar conditions will.
Anyway, what's so important about the source code? MS had
its source code for Winblows leaked, it's not like someone
is going to go and develop a competing product anytime soon.
And if your software is that valuable, people can just
reverse it through brute-force decompilation and analysis.
\_ It looks like PGP Corporate deployed using smart cards or tokens
(e.g. RSA SecurID doodads) is probably what you want. I just
glanced at the marketing drivel on the website so you'll need to
read further to be sure, but this looks like a reasonable place to
start:
http://www.pgp.com/products/desktop/disk
-dans
\_ We had very good success with Safeguard Easy (both boot sector
protection and on-the-fly disk crypto.) If you're feeling
adventurous, you can play with MS EFS on top, but your PKI
admins had better know what they're doing. -John
\_ Most responses don't really understand the problem. Working in
an environment where much of our software is classified as a
munition, I do. It is about accountability more than actual
prevention of theft. They *know* you can steal the source and
if they were concerned about that they'd do what the DoD does
and make you leave it at work. They are concerned about the
laptop being stolen. Whether or not it is easy to obtain the
source by hacking into the system over VPN is irrelevant. In
our particular case, it is just disallowed. Period. You can
take the executables, but not the source. I, too, am interested
in a good solution but I think none exists. However, I do not
understand why the desktop is allowed. That is just as much of
a no-no.
\_ I would just take the source code home and be done with it.