Hacker Crackdown

By Michael Schwartz

I was recently on the road visiting my customers, both new and old. During this trip I also wanted to check in with those customers we had quoted but never received an actual purchase order from. I wanted to understand why they were not doing business with us and to gain a better perspective from their point of view. Maybe it would help us become a better company and serve them better. But this trip turned out a little different. Instead, I discovered that many calibration labs don’t understand the risks associated with employees and the software that can be found on their computers.

Do you know what’s on your company servers?

During one visit with a potential customer who expressed great interest in doing business with us in the past, I discovered they had chosen to hire an experienced programmer bringing all development in-house as opposed to outsourcing it. This wasn’t a deal breaker by any means; I have several customers who have in-house developers. With them we tend to work on the very complex MET/CAL® procedures as well as building drivers and tools, so I shifted the conversation and the meeting went very well.

Later that afternoon, I visited the calibration lab, where their new programmer was showing me what he was working on related to automation. I was very impressed: this programmer had some very well-written procedures as well as a large library of procedures, something that would normally take years to accomplish. And therein was the problem, because he had been working for this company for less than one year. What he was showing me was all the software he had copied off the computer at the company where he worked before he came to this job. I watched him as he would open a procedure and then quickly delete the name and information of the company where the procedure was created.

This reminded me of the book The Hacker Crackdown: Law and Disorder on the Electronic Frontier by Bruce Sterling.* In it, the author describes bulletin board systems as the “life-blood of the digital underground” during the 1980s. But many boards existed for the legitimate exchange of information as well. It just so happened that illicit data had been stored on computer systems unknown to those who owned and used them for business. Some of these people had equipment confiscated and were even charged and jailed.

Then I remembered a different experience when I was onsite at a much larger customer’s calibration lab, where I witnessed an employee, “John,” escorted out of the building. I remember talking to the technician earlier that day and thinking to myself, “John seems to be a really sharp tech.” And as we all know in the metrology world, it is hard to find and keep good technicians. I was perplexed: why was John being fired on the spot—what did he do that was so offensive?

Later, I casually asked one of the managers about the incident. The answer was amazing: Earlier that week, John had copied some personal files up to the company’s server from his thumb drive, and then copied them to another thumb drive because his workstation only had one USB port. The files were movies of significant enough size to catch the attention of IT, who contacted his manager. He was warned at that time, “No personal files are to be copied onto any company computers.” I was there for his second offense, when he had copied a Word® document to the server—his homework for a class he had been taking—and they fired him on the spot!
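The IT department in this story noticed the movies because of their size. A lab that wants to answer “do you know what’s on your company servers?” can run a plain audit of its file shares for the same signals: media file types that have no business on a calibration server, and any file large enough to be a feature-length video rather than a procedure or a report. The script below is an added example written for this column, not anything from the author or the companies described; the extension list, the 500 MiB threshold and the share path are illustrative assumptions to adapt to your own environment.

```python
import os
from pathlib import Path

# Illustrative assumptions: adjust the extension set and threshold for your site.
MEDIA_EXTENSIONS = {".mp4", ".mkv", ".avi", ".mov", ".wmv", ".mp3", ".flac", ".iso"}
DEFAULT_MIN_BYTES = 500 * 1024 * 1024  # 500 MiB: a movie, not a MET/CAL procedure


def find_suspect_files(root, min_bytes=DEFAULT_MIN_BYTES):
    """Walk `root` and return (path, size_in_bytes) for every file that is either
    a media type by extension or at least `min_bytes` in size, largest first."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                size = path.stat().st_size
            except OSError:
                continue  # unreadable or vanished mid-walk: skip it, keep auditing
            if path.suffix.lower() in MEDIA_EXTENSIONS or size >= min_bytes:
                hits.append((str(path), size))
    hits.sort(key=lambda hit: hit[1], reverse=True)
    return hits


def format_report(hits):
    """Render the audit result as one line per flagged file plus a total."""
    lines = [f"{size / (1024 * 1024):10.1f} MiB  {path}" for path, size in hits]
    lines.append(f"{len(hits)} flagged file(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Hypothetical share path; pass the real one on the command line.
    share = sys.argv[1] if len(sys.argv) > 1 else r"\\labserver\procedures"
    print(format_report(find_suspect_files(share)))
```

Run it from a workstation that has read access to the share and review the list with the lab manager; the point is not to catch anyone but to know what the company is holding before someone else tells you.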

I am not giving any legal advice here, but I think I know and understand why the company let John go on the spot, without hesitation, for what most people would consider a minor infraction. My takeaway was simple: because the movies were more than likely stolen property, the company and their legal team knew the company was liable for possessing the stolen property on their servers. In the end, it didn’t matter how good a tech John was; he was not worth the risk of being in possession of stolen intellectual property (IP).

So those star programmers—the ones hired away from the competition—if they are really star programmers, they don’t need the IP from their previous job. If that IP ends up on the company computers, then the company is at risk of litigation. It really doesn’t matter how it got there or who put it there, because in the end a company is legally responsible for the actions of its employees. And all too often, it’s a disgruntled ex-employee who reports the company for having illegal IP on company computers.

* The Hacker Crackdown was first published in 1992 and later digitized. MIT currently hosts a copy online at http://www.mit.edu/hacker/hacker.html. This book is a classic read for any techie.