Re: Deny access to copy files

["Liam Jewell" <ljjewell () gmail com>]

The harder you make it to take the source code, the more likely they
are to try and thwart it, even if it's just for the challenge, and not
bad intentions.  They'll  ALWAYS find a way, it's a computer after
all.

On Mon, Jun 2, 2008 at 5:28 PM, Yahsodhan Deshpande
<yahsodhan.deshpande () nevisnetworks com> wrote:
> Hi Ahmed,
>   How about creating a virtual machine (which is hardened enough), and
> then allow the access to the code only via the virtual machine.
>
>   Hardening the VM would be a task in itself, but it would solve much
> of the issues related to USB and mass storage devices.
>
> Regards,
> Yashodhan
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Adam Pal
> Sent: Monday, June 02, 2008 1:15 PM
> To: Ahmed Khalid
> Cc: focus-ms () securityfocus com; security-basics () lists securityfocus com
> Subject: Re: Deny access to copy files
>
> Hello Ahmed,
>
> Sounds more like you try washing your hands without getting wet :)
> I can hardly imagine, that the programmers should be able to read but
> not to copy, so if they need to programm they need access to the code.
> I think its more frustrating for programmers to know that they have to
> work with "handcuffs".
> I think the problem lies much deeper :
> do you trust your programmers?
> If not, hire another, if yes, no such measurements needed, or better
> say not more than written agreements about security policy.
> About blocking web access:
> As i can remember that one of the core problems of security is that
> you cannot protect your data efficiently from attackers within the
> company.
> I can remember about agreements which contain things like:
> -not connecting mobile storage devices to the workstation (this can be
> monitored)
> -not connecting mobile devices to the internal network (this can also
> be monitored)
> -not taking parts of code out of the company (which can also be
> monitored)
>
> Of course, bad-intentioned people will be able to bypass such
> agreements but i preffer to assume that in your staff are good people
> only.
> One more - what about using interfaces for programming? Doing so,
> every one holds only a small, unusable piece of the "puzzle".
>
>
> --
> Best regards,
>  Adam Pal
>
> Sunday, June 1, 2008, 8:20:25 PM, you wrote:
>
> <==============Original message text===============
> AK> I am working for a software house, they are developing a software
> product
> AK> and their requirement is to restrict programmers to take the code
> out of
> AK> office premises due to company policy. I am trying to configure a
> windows
> AK> based machine which denies access to copy files to external storage
> devices
> AK> connected to USB. There is an NTFS permission "Read + Execute" I
> guess this
> AK> could do the work but is there any other way to do it?
>
> AK> They also don't need programmers to take the code with them in their
> email.
> AK> I can restrict SMTP and POP ports but when it comes to web based
> emails I am
> AK> clueless,  How can I restrict web based emails like hotmail, gmail,
> yahoo
> AK> there are so many of these and if I somehow manage to block all web
> based
> AK> email sites someone can write a script to send emails, if not a
> script HTTP
> AK> tunneling would bypass any checks and bounds defined by my
> proxy/gateway
> AK> machine. How can I block such thing?
>
> AK> Any help would be highly appreciated.
>
> AK> Regards,
> AK> Ahmed Khalid
>
> <===========End of original message text===========