Re: Harsher action for copy paste

Code theft does happen, even in the mainstream world. A Stack Overflow (https://security.stackexchange.com/ques … ource-code) answer states some good tips below:

Disclaimer: I work for a very big company that does a good job in this area, but my answer is my own personal opinion and is not indicative of my employer's position or policies.
First of all, how to protect code from being leaked:
• Network Security: This is the obvious one -- if Chinese hackers get credentials into your internal systems, they'll go for your source code (if for no other reason than the fact that the source code will tell them where to go next). So basic computer security has to be a "given".
• Access Control: Does your receptionist need access to your code repository? Probably not. Limit your exposure.
• Be selective in hiring and maintain a healthy work environment: DLP measures like scanning outbound email is nifty in theory, but if your engineer is smart enough to be of any use to you at all, they're smart enough to figure out how to circumvent your DLP measures. Your employees shouldn't have a reason to leak your source code. If they do, you've done something horribly, horribly wrong.
• Monitor your network: This is an extension of the "network security" answer but with a Digital Loss Prevention emphasis. If you see a sudden spike in DNS traffic, that may be your source code getting exfiltrated by an attacker. OK, now ask yourself if you would even know if there was a sudden spike in DNS traffic from your network. Probably not.
• Treat mobile devices differently: Phones and laptops get lost really often. They also get stolen really often. You should never store sensitive information (including source code, customer data, and trade secrets) on mobile devices. Seriously. Never. That doesn't mean you can't use mobile devices to access and edit source code. But if a laptop goes missing, you should be able to remotely revoke any access that laptop has to sensitive data. Typically that means that code and documents are edited "in the cloud" (see c9.io, koding.com, Google Docs, etc) with proper authentication and all that. This can be done with or without trusting a third party, depending on how much work you want to put in to it. If your solution doesn't support 2-factor then pick another solution; you want to reduce your exposure with this measure, not increase it.
Second, how to prevent malicious code modification; there really is only one answer to this question: change control.
For every character of code in your repository, you must know exactly who added (or deleted) that code, and when. This is so easy to do with today's technology that it's almost more difficult to not have change tracking in place. If you use Git or Mercurial or any modestly usable source control system, you get change tracking and you rely on it heavily.
But to up the trustworthiness a bit, I would add that every change to your repository must be signed-off by at least one other person besides the author submitting the change. Tools like Gerrit can make this simple. Many certification regimes require code reviews anyway, so enforcing those reviews at checkin-time means that malicious actors can't act alone in getting bad code into your repo, helps prevent poorly-written code from being committed, and helps ensure that at least 2 people understand each change submitted.

I'd like to ask, why should it be the forum administrators' responsibility to monitor who steals code and who doesn't? I agree that the forum moderators should remove games that have (actual proven) code theft, but that is all they should do. Punishment of someone because they stole code clearly won't help, since if they did it once, they'll do it again. As the above quotation says: "Your employees shouldn't have a reason to leak your source code. If they do, you've done something horribly, horribly wrong." Granted, people who collaborate on games aren't "employees," but the point still stands.
I'm also quite sad that people haven't employed the above measures already (it really isn't that hard; ever heard of Keybase?). I'm also quite saddened that people haven't considered license agreements, non-disclosure agreements or both to secure their code. After all, if you've got someone legally bound by an NDA, license agreement or both, you can legally go after them if they do steal code from you (provided, of course, that you can prove that they actually did steal your code and didn't just reverse engineer it). Reverse engineering and code theft are two very different beasts, after all.
