Semiconductor technology is one of the areas of global-technological competition which surely benefit from secrecy. For example, several years ago one of the c-level executives at this specific OEM was caught taking pictures inside of one of their customer's facility. Only the engineering staff from that oem is allowed inside those facilities now, and only for maintenence activity.
It's a very secret industry, and getting even tighter now since China has been blocked from acquiring the latest semiconductor technology. China has so far invested over $40 billion in boosting their chip-making abilities, to acquire capital, IP, and knowledge-workers. Given their history of borrowing technology from other countries without attribution, if I were at the head of a semiconductor related company, I would clamp down on the secrets ahead of the danger.
Impressive choice of words!
When Germany was trying to catch up to the industrialised UK, they send business people to the UK to copy the layout of factory floors to reimplement them at home. For the longest time, Japan only allowed trade under restrictive conditions to maximise exposure to foreign technologies while minimising the impact of foreigners in Japan. It's a story as old as history and I honestly don't get why people are upset about it.
It's even beneficial for the ecosystem overall because it helps transmitting knowledge and technology from advanced to disadvantaged regions, which in turn accelerates production and development.
If I buy a candy bar at the store for $0.99 and then you steal it, now you have it and I don't. I'm out $0.99 of value and you stole $0.99 of value.
But what if you steal the candy bar directly from the store? You got $0.99 of value, but the store didn't pay $0.99 for that candy bar; they may have only paid $0.40. What you actually stole from them was two things: $0.40 of inventory and $0.59 of foregone revenue.
Even if you drop $0.40 on the counter as you walk out the door, it would still be considered a theft because the store gets to decide what their retail prices are, not you. You're still stealing $0.59 of foregone revenue.
IP products essentially have an "inventory" cost near zero. Yet, if you take a song or a trade secret without paying for it, you're still taking their foregone revenue. Just like dropping $0.40 on the counter for a $0.99 candy bar, you're dropping $0.00 on the counter for a $0.99 song or $1 million trade secret. Reimbursing someone's inventory cost (even if it's $0.00) does not mean there is no theft occurring.
While the IP itself is non-rival, the revenue from each sale is rival; that is, if you acquire my IP via a pirated copy then I still have my IP, but I don't have the revenue from selling you my IP.
Yes, by leaving $0.40, I would be stealing $0.59 of foregone revenue, but that is because the shop doesn't have that candy bar anymore and can't sell it. In case of IP, even if I pirate it, you can still sell it to other people.
Of course you probably can't sell it to me anymore and that may be lost revenue, but it depends if I would be actually willing and able to buy that IP otherwise. And of course it may cause more competition to appear, which will negatively affect your business.
Yes, this is the point.
> but it depends if I would be actually willing and able to buy that IP otherwise
I'm not entitled to your money, of course, but in exactly the same way, you're not entitled to my IP (or my candy bar).
> In case of IP, even if I pirate it, you can still sell it to other people.
If everyone followed your logic, no I couldn't.
Additionally it's not inventory because it is not finite. There is a distinction made by GAAP regarding valuation of tangible vs intangible assets because it is much more complex process to valuate intangible assets such as ip.
> it is much more complex process to valuate intangible assets such as ip.
Please note that my argument above assigns a value of $0.00 to the IP itself.
Even at that valuation, you can still commit theft by robbing me of the opportunity to use that IP to generate revenue. By analogy: when you steal a TV, you are charged on the retail price of the TV (the amount you should have paid for it), not the wholesale price (the amount the store paid for it).
Any competitor could limit your opportunity by releasing a functionally similar non infringing product. Would you choose the word 'robbing' in that circumstance?
One would have to use your ip to create a competing product before it would even be copyright infringement, and it still wouldn't be theft since you cannot steal somthing intangible since by definition it only exists as an abstraction which is not the same as zero valued tangible inventory.
As an exercise: walk into Best Buy and pick up a $1,000 TV. On the way out, hand the cashier a check for the wholesale price of that TV. Have you just committed theft? And if so, what specifically have you stolen? You haven't deprived them of the TV itself, since you reimbursed them fully for that.
I guess my point is that my point is that ip is a liscense to manufacture and/or distribute rather than a total monopoly on the idea or demand for the product.
As far as taking externalities into account: If someone doesn't behave to be "carbon-neutral" are they stealing from everyone?
Furthermore, the position you are defending is presupposing the ontological position that IP is Property. (Which might not hold in other cultures/countries, specially a Socialist Country with Chinese Characteristics™)
Patent infringement isn't theft and winging it and saying otherwise without a good basis won't convince anyone.
And the key point may be that the ones being 'stolen from' even allow it because the benefit they get from opening up to new markets usually exceeds the risk of having some of your IP copied.
It's not like the traders who ventured to Japan turned around just because they knew that the Japanese would try to catch up by any means, or that the British stopped trading with Germany. (Or that Apple stops to sell or build things in China)
How are they planning to use new laptops that are powered via usb-c?
Secrets are kept tight for any company with any tech relating to the latest nodes <10nm. It just so happens that IBM has been working on sub-10nm processes for a long time, so they have a lot of secrets to keep, hence I am not surprised by the article heading.
The keyboard and mouse were connected to a dock.
On the OS level only HID devices were allowed via USB you could bypass this if you had admin rights but it would leave a trail.
The idea behind these like most other security controls is to prevent accidental leakage and to make it difficult enough that intentional leakage would likely be detecte on time.
A move I've seen being put in place at several locations, is removing local admin rights from all users. Those with advanced needs, like developers, gets a VM which is limited to a specific VLAN, with no access to the production environments.
The principle is sound, implementation is ... difficult, to say the least.
With a few exceptions it's much easier to either poach your competitors or simply buy them outright which is why "corporate espionage" is mainly employed by nation states these days that need to catch up.
It's also important to note that stealing a design isn't that useful these days since you are too far gone what would be more important especially in the semi industry is to know the characteristics of a specific design or process in order to be able to preemptively position your offerings to compete without giving up any unnecessary ground.
In a restricted environment you will have several monitoring agents that track and enforce system integrity.
Example of an actual implementation in the wild:
The only machines that can actually SSH into prod at least have screen-session-recording software, perhaps are kept in a separate room, with a policy of two staff present at all times. The general idea is that the closer you actually get to being able to bypass the checks and controls, the more attention you bring to yourself and your errand.
Yes, it can't be Git and Puppet all the way down, at some point someone will necessarily have access to do something as root on the server that hosts the Git repo that Puppet runs from. But instead of that being every dev on every laptop anywhere in the world, you can make sure it's a very small group of people, from a small number of workstations.
This is difficult and requires a substantial and very competent team to implement correctly.
Of course that's enough to run malware. Just inject Win+R, cmd, enter, <your shell code here>
On restricted workstations even if you can run command prompt which isn’t guaranteed it won’t lead to anything.
The usb port restriction is absolutely true for laptops, but colo desktops probably do not have this restriction, or just a more lax restriction. Also, its not true for all laptops of the company, but usb access does require explicit permissions and a new-issue laptop, so they do have a list of people who have riskier laptops, and may need to be issued a different travel laptop vs engineering laptop.
The laptop's epoxied ports likely prevent distracted traveling workers from having their laptops hacked with usb-keys inserted when they aren't looking.
You cannot access anything besides the power button.
(Edit: Haven't --> Can't)
A docking station usually has a lot more than just USB ports. Mine has three monitor connections, more USB ports than the laptop itself, a power connection, and an RJ-45 jack. One of the benefits is the expanded number of connectors. Another benefit is that I don't have to unplug half a dozen items to take the laptop with me; I just hit the eject button and pick the laptop up. In the same way, reconnecting all that stuff is achieved by just plopping the laptop onto the dock.
Best of both worlds: Portability of the laptop itself, and the easy expansion of the laptop's capabilities in situations where the expansion is useful (e.g. somewhere that I can keep a bunch of big monitors, and would benefit from a non-mobile work area).
You could unlock it, plug in USB, monitors, ethernet, etc. route the cables out through a slot and then lock it. You couldn't reach the the different ports and sockets when it was locked. It was all relatively stout too.
Interestingly, they did have internet in the building but you had to have management permission and go to the security office to access it. If you wanted to download something, it was a fairly involved procedure. They were paranoid about people stealing their stuff and then also very paranoid about misappropriating something they shouldn't and creating legal problems in Europe or North America. They didn't seem to be all that concerned about stealing other people's IT but they wanted to control everything such that it didn't contaminate anything they wanted to sell where it mattered.
I nearly created a situation when I pulled out my phone to take a picture of an "engrish" sign they had on the wall.
It'll be interesting to see how the security culture in the US changes or doesn't, a lot of younger developers would be put off if you attempted to somehow restrict their access to the internet from work computers or restricted your ability to plug a phone or some arbitrary device in for charging of whatever. At every job I've had this century it has been fairly trivial to download nearly all of their source code and take it home if you wanted to. Trying to take the politics out of it, we're very much engaged in a cyber cold war with a number of nations that absolutely want to take our secrets; I won't speculate on the real impact but the Russians did meddle in our election.
Well sure. I think the idea is to prevent mistakes and people just randomly plugging usb sticks they get from conferences as gifts or when they work from home. People will forget and do that anyway even if it is the rule.
When someone start disassembling the laptop or runs around with a screw driver trying to get the epoxy out of the ports, it would a bit hard to claim it was an accidental mistake. In that case, those people can probably find a way to exfiltrate data or to infect the system without the aid of USB keys.
Or just monitor connected USB devices and shutdown if something unapproved is installed, a la USBKill.
USB disconnect disabling whole USB host is trivial to code. You would disable on disconnect instead of whitelisting as there can be USB host bugs.
Add a boot password so that only admin can start the machine...
Plus the are solutions where drivers are also put in a VM to further reduce attack surface.
The Renminbi is very difficult to convert.
I live and work in China and move far than that a year. Also the NZ / Australian property markets are both in a bubble caused by Chinese cash investment by wealthy individuals, 100k CNY won't buy anything.
100k CNY is only 15k USD.
That means many current day laptops can't be charged.
Have you tried other modulations?
It made the rounds on show HN a couple years ago. Also my dirty secret is that it isn't really JS, it's C via emscripten https://github.com/quiet/quiet
Currently supports everything Liquid DSP supports which is GMSK, PSK, QAM, OFDM and a lot more. Working on adding DSSS soon
edit: Here's a sort of lab/playground https://quiet.github.io/quiet-profile-lab
TEMPEST is probably easier and more reliable than this.
If I had to smuggle some data out of a PC I'd use the audio card at a very low volume but known frequencies to output the data the FSK way, leaving a phone near the speaker recording the audio, then at home I'd reconstruct the data just as old modems did 40 years ago.
Other methods could also be used: blinking a pixel (or the optical mouse led left on the phone camera), raising the cpu power usage by making it run busy loops according to data ones and zeroes (nobody would object a bluetooth power consumption measurement device connected to the PCs mains cord), or manipulating innocuous fields into IP packets such as the Time To Live: make it higher than X and it's a one, make it lower and it'a a zero; routers will ignore the trivial difference but a passive (100% undetectable) tap into the network cable still allows to sniff the data. Actually, unless the infrastructure is instructed to report Ethernet frames sent to wrong addresses, one could send malformed frames carrying data into the payload so that they could be ignored at switch level but still readable by a tap on the cable: that would allow data smuggling at blazing fast speeds, much higher than USB.
The amount of idiocy I've seen with storing sensitive and work intensive documents in USB sticks is horrible.
Will the measures taken damage the company more than the benefit of the increased security?
In my eyes, banning storage media without a practical replacement is on the wrong side of the risk analysis equation. Sure, it's not desirable that files can be moved without full access control and auditing, but if people don't have a tool that works the same way then all your employees who rely on it will suffer.
It would have been great to see a standard encrypted portable drive, probably with the decryption software on a different partition establish a foothold in the world. With the addition of DLP software, that could have allowed employees to continue to do their work while mitigating the risk of lost or stolen data.
edit: what this doesn't cover is transferring large files quickly, or transferring files to a computer that isn't currently configured with the systems required for file transfers.
If I'm giving a presentation to hundreds or thousands of people in 30 minutes and a laptop goes down/won't connect to projector, presentation wasn't loaded or was corrupted on the speaker laptop, things go sideways in a bunch of other ways (and they do), I don't want to be in the position of depending on the network to pull down a presentation from somewhere. Especially if I don't have my own laptop with me as is at least sometimes the case.
There should be various other ways to get to a presentation and I even have a setup to present from my iPhone (which I've actually had to use as a fallback), but a USB stick is a good, simple backup that I've used more than once.
Show up at a building site without your helmet and hiwiz? Unless there's a spare set around, you're going home. We need to get into the same mindset around cyber security.
Cybersecurity is indeed important. But it's about managing risk, not minimizing it no matter the cost. And what I'd do at an event like this one is quite different from Defcon where I'd take the most stringent precautions possible.
Lots and lots of vessels have painfully slow satellite links - think <=64kbps - whereas the others mostly have very slow satellite links - ~512kbps.
Trust me, in such conditions you do not want to cough and ask whether you can download your training material off the corporate VPN...
(Heck, in many cases, shipowner policy prevents any third party computer from being connected to any onboard IT infrastructure, anyway.)
The likely “replacement” is that IBM employees will have to use some sort of corporate VPN to work remotely.
Corportate VPNs are great, but if they don't perform people are going to work around them.
IBM may not want people remote working, but they'll be happy to have people working remotely at nights, on weekends, etc.
It's the field people that are going to have it rough. Even the best 4G LTE stick won't matter if you're installing in the basement of a huge complex.
Second, such networks generally have an approved way of getting data on to them, typically involves handing your USB stick or DVD to someone with access to a particular machine with unblocked ports and specially firewalled off access to a particular shared drive on the network, and nothing else.
Practical example from past. Policy denies creating user accounts for externals. In big orgs you anyways sometimes have the need to have some external do work on systems. Idealistic view is that employee baby sits the ext guy and performs everything on behalf of him. But in reality people have their own work and deadlines, so it becomes tempting to just log on and let the ext work on your credentials.
Leaving data lying around on a stick is one vector. Malware and other considerations is quite another that should be discussed more often. Especially if your posture is jelly-filled.
I'm guessing they got burned here at least once with a relatively large dataset that somebody left in a cafe somewhere.
Keeping sensitive data off the cloud altogether is the more sensible option.
When you're a large global company like IBM you become the target of lot of groups.
Not that they shouldn't take this measure regardless. But there's a very specific reason it's happening now.
It's amazing how many people will plug in any flash drive they find in a parking lot.
Now apparently you can't even use common tools to get the job done. If I had a big meeting I wouldn't take a chance on the network to keep my presentation.
Presentations would be the big inconvenience for me. I always carry a backup on a USB stick when I'm presenting at an event or conference. Just today, I loaded a presentation onto a conference laptop that was supposed to have been preloaded but wasn't. I could probably have worked around by getting the presentation off the network but I never like to depend on WiFi at an event.
ADDED: Especially for an external public presentation, I'd get it onto a USB stick one way or the other.
Then you are an active threat to your networks security. You sound like you have an incentive and willingness to put in effort and take personal risks to circumvent the security protocol at your workplace. Looking at employees without bad intents, this is as bad as it gets.
This is a great example why social engineering is unlikely to go out of style anytime soon. People who think they know better and are confident in being qualified to take a risk are never in short supply.
If we were talking about handling the private signing keys I would agree with you. Different types of data have different levels of security needed. Over classifying trivial data just makes it harder to get things done.
Strictly speaking, If a user in a workplace where this behavior is against the security policy acts like this or expresses this opinion, namely, that they wont be stopped by a security policy to hold their presentation, they are a user group that arent just a possible attack vector but a possible attacker them self.
If your company forbids the usage of USB ports, they do that for a reason, whether individual users think that is reasonable or not. This isnt just about possibly leaking data, but introducing stuff in an environment that is supposed to be closed. Differently put, as a bad faithed person, I will gladly borrow you my USB Stick to transfer your important files so you dont get in trouble for having technical hickups. I also will take you up on the "thank you" snacks and will also watch silently when you get in trouble for intentionally breaking security policies and infecting the network.
The vast majority of people in an organization don't work with sensitive material. It makes much more sense to do this on a per department basis.
Policies like this that ignore on the ground reality and make it hard to get work done encourage abuse of the rules. When the rules are too draconian people will work around them and it encourages disrespect for other rules - especially the ones that actually do improve security.
Those rules arent draconian, someone somewhere was hired to make a risk assessment and found them to be necessary. You dont circumvent them period. Thats the responsibility of each an every employee. No matter if you think they are stupid, it isnt your call to make, except if someone hires you for exactly that, then they are your responsibility to do right.
Most attacks arent some espionage stuff, its plain and simply precaution against fraud and theft. And they target people who are to proud for their own good who never think of themself being at threat. Which is sadly something a lot of computer scientists have a bit of a problem with. No one wants to believe they could be duped like that, they surely would know it better. Security policies are there to not have to rely on individual egos and look at it more realisticly. Most of us will be duped when taken advantage of in a bad moment without enough time to think about it. Thats why people do it.
There is a reason even the CEO and CSO have to wear their badges. There is a reason a lot of Snowdens colleges started to get really scared once it became clear which credentials he used to access the files. And they were lucky, he could have been a criminal and sure as hell wouldnt have mentioned that those data leakages where his responsibility. He could have simply been a criminal transferring money in their names.
Meetings happen daily, an iffy wifi connection is enough to waste the time of everyone in the meeting (10 minutes x 15 people is 2.5 person hours). These mundane things happen day in and day out. Someone walking around with an audio based keylogger is dramatically less likely to happen (and this ban on USB drives wouldn't prevent that anyways).
If you ignore the cost of people's time then pretty much every security idea makes sense. But its not a good way to run a business.
They have to protect sensitive client data. Need to protect against illegitimate leaks of data. And the universal way that they communicate with clients, opposing parties, regulators? Email.
You can't force the SEC to accept your new encrypted cloud solution, nor can you require opposing counsel to use YOUR solution. And communicating with hostile parties is the entire organization's reason for existing.
"Simple and reasonable" IT approaches to problems frequently break down when faced with people whose job it is to deal with other organizations.
Otherwise I fail to see the point, anyone could easily just send anything to anywhere over the net. Don't need a USB.
Therefore, It seems to me this is about unintentional leaks of information, not intentional.
Anyways, did IBM have a big leak recently or something? This seems rather draconian to have been put into place without some fairly strong motivations.
Yes, this is almost certainly about leaks to publications such as El Reg. Eg. https://www.theregister.co.uk/2018/02/26/ibm_gives_services_...
From what I've seen some firms' internal security practices in general seem more to be about appearances whereas other firms tighten and scrutinize everything as if the company's reputation and survival depended on it.
If your company does not have some kind of removable media policy then you are probably working for a very small company.
For that you would need the capabilities of a world-class IT outsourcing company.
Yes, but think about what verifying that would look like. Epoxy is much easier to install and it doesn't disappear 3 months later when a Windows update ships.
I work for an European company (travel/tourism) and the day they hired me (4 years ago) I got a corporate laptop with Windows 7 which would accept usb mouses, keyboards, charge smartphones... but would not "mount" anything that had storage.
Interestingly enough I can connect my (personal) iPhone, and I can read pictures stored there, but I cannot write to it - I haven't tried installing iTunes because I don't need to backup to my work laptop so no idea how it would work with dedicated sw, but for sure there is no need to use epoxy glue or physical locks.
(Granted, I never tried to see how strong the protection was because it's not my specialty and frankly I don't care, but it looks like it works well enough as it is).
Fortunately I was also hosting it on my own server in various formats - nope, they can’t access the external network.
I ended up burning the whole set to a spindle of dvds, which they could then import .. and shred.
Wouldn't that cause a lot of break-ins?
The "portable devices" in the actual body of the article is phrased differently from the title, like so:
portable storage devices like a USB, SD card, or flash drive
... which is in turn sourced from an article in The Register.
However, the solution is to create tools that are easier to use and get the job done better than USB pen-drives. IBM seems to be all about the stick, no carrot. If they really enforce this (and as a former IBMer, I can tell you they are really long on pronouncements and very short on actual follow-through) I just foresee people bringing more laptops and multiple laptops around into places they previously would have brought a USB drive. E.g. if you can't easily move that Powerpoint from Laptop A to Laptop B because you're in some low-bandwidth hellhole, well, guess you're bringing both laptops along for the ride.
Perhaps a solution would be a combination of the two. E.g. dongle converts USB protocol to (say) XYZ protocol, and software converts from XYZ protocol to readable filesystem.