Ask HN: How to prevent code leakage by employee(s)?
Given the recent code exposure of the company Bilibili[0], I wonder how people here do steps to avoid such things from happening.
[0]: https://technode.com/2019/04/23/bilibili-source-code-leaked-on-github-containing-usernames-and-passwords/
9 comments
[ 3.0 ms ] story [ 35.0 ms ] threadAnd 90% of the time source code itself is very much worthless to anyone outside the company. By the general rule 90% of everything is crap.
The other 10% of the time. You need to block things like github on work networks an make it clear that employees will be canned if they are caught copying sensitive info.
See Sergey Aleynikov, Kang Gao, Jason Vuu, Glen Cressman. And that's just the banks, not defense.
1) Change to an open source model so there's nothing to steal
2) Treat your employees well, so there's no desire to steal
I've worked at companies who see this as a problem. They take a two-pronged approach: removing opportunity, and enabling detection + punishment.
They filter and scan all Internet access, whitelisting only sites and services that they trust not to have upload functionality (ie. no GitHub, StackExchange, etc).
They disable or remove all removable storage from their PCs and OS images (no CDs, no USBs, no Bluetooth, no Wifi. Desktops are thin clients logging into a Citrix VM).
Phones, cameras, MP3 players, and any other electronics must be left in your locker, and you're scanned (like at the airport) on your way into your office.
But there's nothing you can do about what's in people's heads.
Needless to say, these are horrible places to work. Aside from everything else, it's an absolute productivity killer to have no access to the Internet when coding.
Generally, there's no secret sauce anyway. Source code is only valuable in aggregate, as an expensive and time-consuming thing to build. Stealing one file or one function is typically worthless, which is lucky because it would only take a few weeks to memorize and recreate it, a few lines at a time, anyway.