Ask HN: How to prevent code leakage by employee(s)?

3 points by westoque ↗ HN
Given the recent code exposure of the company Bilibili[0], I wonder how people here do steps to avoid such things from happening.

[0]: https://technode.com/2019/04/23/bilibili-source-code-leaked-on-github-containing-usernames-and-passwords/

9 comments

[ 3.0 ms ] story [ 35.0 ms ] thread
The easiest way is to use GitHub Enterprise. If thats too expensive, use GitHub CE. Both can be run in AWS cheaply and securely especially if you require VPN access to your VPC.
Sorry if my response my sound naive, but can't anyone just clone/copy the code in GitHub Enterprise and compress and release anywhere if one wanted to?
You could, but it'd be harder to do accidentally which is where most of the GitHub databreaches happen.
YOU HAVEN't FUCKING TOLD ME YOU SON OF A BITCH JK
The reality is mostly this is a legal issue not a technical one.

And 90% of the time source code itself is very much worthless to anyone outside the company. By the general rule 90% of everything is crap.

The other 10% of the time. You need to block things like github on work networks an make it clear that employees will be canned if they are caught copying sensitive info.

Not just canned: charged with criminal offenses, and jailed.

See Sergey Aleynikov, Kang Gao, Jason Vuu, Glen Cressman. And that's just the banks, not defense.

You can solve some of the issues via technology but they can hinder your employees. Basically you have to get people onboard so that you're working towards a shared goal, and that doesn't happen a lot... Security management is a real pain.
If your concern is theft of proprietary source code by employees, there are really only two things you can do:

1) Change to an open source model so there's nothing to steal

2) Treat your employees well, so there's no desire to steal

I've worked at companies who see this as a problem. They take a two-pronged approach: removing opportunity, and enabling detection + punishment.

They filter and scan all Internet access, whitelisting only sites and services that they trust not to have upload functionality (ie. no GitHub, StackExchange, etc).

They disable or remove all removable storage from their PCs and OS images (no CDs, no USBs, no Bluetooth, no Wifi. Desktops are thin clients logging into a Citrix VM).

Phones, cameras, MP3 players, and any other electronics must be left in your locker, and you're scanned (like at the airport) on your way into your office.

But there's nothing you can do about what's in people's heads.

Needless to say, these are horrible places to work. Aside from everything else, it's an absolute productivity killer to have no access to the Internet when coding.

Generally, there's no secret sauce anyway. Source code is only valuable in aggregate, as an expensive and time-consuming thing to build. Stealing one file or one function is typically worthless, which is lucky because it would only take a few weeks to memorize and recreate it, a few lines at a time, anyway.