
This is common at many semiconductor companies. Not only is it a ban at one specific semiconductor oem I know of, the usb-ports are disabled and the usb-ports on new issue computers are epoxied to prevent trying to use them.

Semiconductor technology is one of the areas of global-technological competition which surely benefit from secrecy. For example, several years ago one of the C-level executives at this specific OEM was caught taking pictures inside of one of their customer's facility. Only the engineering staff from that OEM is allowed inside those facilities now, and only for maintenance activity.

It's a very secret industry, and getting even tighter now since China has been blocked from acquiring the latest semiconductor technology. China has so far invested over $40 billion in boosting their chip-making abilities, to acquire capital, IP, and knowledge-workers. Given their history of borrowing technology from other countries without attribution, if I were at the head of a semiconductor related company, I would clamp down on the secrets ahead of the danger.




> Given their history of borrowing technology from other countries without attribution,

Impressive choice of words!


It's always been an arms race and nations and companies have always strategically opened themselves up to acquire knowledge.

When Germany was trying to catch up to the industrialised UK, they sent business people to the UK to copy the layout of factory floors to reimplement them at home. For the longest time, Japan only allowed trade under restrictive conditions to maximise exposure to foreign technologies while minimising the impact of foreigners in Japan. It's a story as old as history and I honestly don't get why people are upset about it.

It's even beneficial for the ecosystem overall because it helps transmit knowledge and technology from advanced to disadvantaged regions, which in turn accelerates production and development.


If you honestly don't know why I will explain it to you. It is because it is theft. If I were to steal some or all of your possessions and give it to the disadvantaged, then I suppose you shouldn't honestly get all that upset about it, but I doubt that would happen.


> In economic terms, intellectual property is non-rival, whereas tangible property is rival. As a result, the “piracy” of intellectual property is simply not the same sort of zero-sum game that car theft — or theft of any tangible property — is. And that means that when Hollywood or the U.S. government says that music or movie downloaders are “pirates” or “thieves,” they are indulging in a bit of loose rhetoric. There are, in general, good moral reasons not to take what doesn’t belong to you. But as this video by filmmaker Nina Paley so beautifully illustrates, copying is not theft.

Source: http://freakonomics.com/2012/04/02/copying-is-not-theft/


This is a popular argument but I think it is wrong because it uses the wrong analogy. I'll illustrate.

If I buy a candy bar at the store for $0.99 and then you steal it, now you have it and I don't. I'm out $0.99 of value and you stole $0.99 of value.

But what if you steal the candy bar directly from the store? You got $0.99 of value, but the store didn't pay $0.99 for that candy bar; they may have only paid $0.40. What you actually stole from them was two things: $0.40 of inventory and $0.59 of foregone revenue.

Even if you drop $0.40 on the counter as you walk out the door, it would still be considered a theft because the store gets to decide what their retail prices are, not you. You're still stealing $0.59 of foregone revenue.

IP products essentially have an "inventory" cost near zero. Yet, if you take a song or a trade secret without paying for it, you're still taking their foregone revenue. Just like dropping $0.40 on the counter for a $0.99 candy bar, you're dropping $0.00 on the counter for a $0.99 song or $1 million trade secret. Reimbursing someone's inventory cost (even if it's $0.00) does not mean there is no theft occurring.

While the IP itself is non-rival, the revenue from each sale is rival; that is, if you acquire my IP via a pirated copy then I still have my IP, but I don't have the revenue from selling you my IP.


This analogy is also wrong, exactly for the reason that IP is not a physical thing that can be taken - it can only be copied.

Yes, by leaving $0.40, I would be stealing $0.59 of foregone revenue, but that is because the shop doesn't have that candy bar anymore and can't sell it. In case of IP, even if I pirate it, you can still sell it to other people.

Of course you probably can't sell it to me anymore and that may be lost revenue, but it depends if I would be actually willing and able to buy that IP otherwise. And of course it may cause more competition to appear, which will negatively affect your business.


> Of course you probably can't sell it to me anymore and that may be lost revenue

Yes, this is the point.

> but it depends if I would be actually willing and able to buy that IP otherwise

I'm not entitled to your money, of course, but in exactly the same way, you're not entitled to my IP (or my candy bar).

> In case of IP, even if I pirate it, you can still sell it to other people.

If everyone followed your logic, no I couldn't.


Your candy bar argument is absurd because you can't sell IP direct to consumers. You could manufacture a product that uses it or sell access via some supply limiting portal, but that is much different than actually selling IP.

Additionally it's not inventory because it is not finite. There is a distinction made by GAAP regarding valuation of tangible vs intangible assets because it is much more complex process to valuate intangible assets such as ip.


Physical inventory and IP are analogous in that they are both types of property that their owner intends to use to generate revenue (and hopefully profit).

> it is much more complex process to valuate intangible assets such as ip.

Please note that my argument above assigns a value of $0.00 to the IP itself.

Even at that valuation, you can still commit theft by robbing me of the opportunity to use that IP to generate revenue. By analogy: when you steal a TV, you are charged on the retail price of the TV (the amount you should have paid for it), not the wholesale price (the amount the store paid for it).


Your intention is irrelevant, limiting your opportunity is not theft. You're using that analogy as an emotional appeal to present the ip holder as a victim.

Any competitor could limit your opportunity by releasing a functionally similar non infringing product. Would you choose the word 'robbing' in that circumstance?

One would have to use your IP to create a competing product before it would even be copyright infringement, and it still wouldn't be theft, since you cannot steal something intangible: by definition it only exists as an abstraction, which is not the same as zero valued tangible inventory.


I think you need to go back up and carefully read from my first post. I'm not talking about competitive markets in general, I'm talking about a specific transaction where you end up with a product I'm selling, but I don't end up with the revenue I was asking for that product.

As an exercise: walk into Best Buy and pick up a $1,000 TV. On the way out, hand the cashier a check for the wholesale price of that TV. Have you just committed theft? And if so, what specifically have you stolen? You haven't deprived them of the TV itself, since you reimbursed them fully for that.


Allow me to present an intangible analogy to illustrate... If I see a chair at ikea and they own a patent on it and I go home and make a chair based on their ip, but don't commercially manufacture and distribute it then did I steal a chair? If it is stolen what have I stolen exactly?

I guess my point is that IP is a license to manufacture and/or distribute rather than a total monopoly on the idea or demand for the product.


Industrial >Espionage<[1] does happen. (When IP is a Trade Secret) If one doesn't want to risk espionage they can patent something, disclosing every detail, in exchange for a state enforced exclusivity over the patent.

As far as taking externalities into account: If someone doesn't behave to be "carbon-neutral" are they stealing from everyone?

Furthermore, the position you are defending is presupposing the ontological position that IP is Property. (Which might not hold in other cultures/countries, specially a Socialist Country with Chinese Characteristics™)

Patent infringement isn't theft and winging it and saying otherwise without a good basis won't convince anyone.

[1]: https://www.wikiwand.com/en/Industrial_espionage


If someone isn't carbon neutral, they are in essence poisoning future generations.


Best analogy on this subject I've seen. I am sure there are a couple of issues that are left out, but it works for my needs (I am not a lawyer).


Well if it's theft then it's been going on and used by everyone for thousands of years. To be upset about this is to be upset about gossip. It's an informal means to disseminate information. It will naturally occur in any sufficiently competitive system.

And the key point may be that the ones being 'stolen from' even allow it because the benefit they get from opening up to new markets usually exceeds the risk of having some of your IP copied.

It's not like the traders who ventured to Japan turned around just because they knew that the Japanese would try to catch up by any means, or that the British stopped trading with Germany. (Or that Apple stops to sell or build things in China)


To be fair, Chinese technologies were also borrowed by other countries in the last 2000+ years of human history.


Strictly speaking, borrowing assumes returning at some point.


Is it "returning" a thing to sell it back to the people from whom you "borrowed" it?


It's like how there's Starbucks coffee shops in Paris and Taco Bell in Mexico.


Strictly speaking, euphemisms substitute a mild, indirect, or vague term for a harsher term.


Taken to its logical full extent you might as well build a SCIF. Intelligence agency standard for facility that can handle air gapped SECRET and Top Secret data. If you look at the office park directly west of Fort Meade, MD, some of those have SCIFs inside them. Not cheap.


> the usb-ports are disabled and the usb-ports on new issue computers are epoxied to prevent trying to use them.

How are they planning to use new laptops that are powered via usb-c?


They probably don't use laptops, since laptops can easily be taken off site.


I used to work in semi- in Asia, and it was pretty loose compared to Financial and Pharma. Maybe things have gotten tighter, but...


I think it depends on the tier at which the company does its business in. Is the OEM involved in the latest nodes, or are they working with sizes >100nm?

Secrets are kept tight for any company with any tech relating to the latest nodes <10nm. It just so happens that IBM has been working on sub-10nm processes for a long time, so they have a lot of secrets to keep, hence I am not surprised by the article heading.


I get your point, but even when everyone was at a micron, 100nm was the super-secret stuff. This "ratio" has been a constant for ~40 years.


How do you connect a keyboard or mouse?


An implementation I’ve seen had all ports locked down on the laptop itself and physically locked with a plastic plug that can’t be removed without leaving evidence.

The keyboard and mouse were connected to a dock.

On the OS level only HID devices were allowed via USB; you could bypass this if you had admin rights but it would leave a trail.

The idea behind these, like most other security controls, is to prevent accidental leakage and to make it difficult enough that intentional leakage would likely be detected on time.


> you could bypass this if you had admin rights but it would leave a trail

A move I've seen being put in place at several locations is removing local admin rights from all users. Those with advanced needs, like developers, get a VM which is limited to a specific VLAN, with no access to the production environments.

The principle is sound, implementation is ... difficult, to say the least.


And if you're willing to run a lot of screencaps or re-type the stuff you see on another computer you can still get the data out. Before modems were common in the hands of unwashed masses my friend and I would transfer files on the phone by spelling out blocks in hex. Slow but with a checksum every 16 bytes it was good enough to get some work done. If the data is high value enough it would probably be worth it.


Airgapped exfil is a whole research field. Priority one is making accidental leaks or infections all but impossible. Priority two is making large scale intentional leaks as slow and difficult as possible. As long as there are human eyes on the data, some level of leaking is possible.


Any host based DLP will monitor and block screen caps; you also need to get them out somehow. Printing will also be heavily restricted and monitored. Sure, no DLP solution would beat pen and paper, but that’s not a good way to exfiltrate data these days, and a security guard checking people leaving a restricted area would be a good enough way to plug any leaks.


All of these technologies are great to prevent employees from casually stealing data but as history has proven, usually while the front is well guarded, the back end many times has quite a few holes for hackers to exploit. It's like they say, the most secure computer is the one not connected to the network.


People like to dramatize things way too much; most "breaches" are accidental, and there are 1000's of companies that manage to keep their data secure on a daily basis despite targeted attacks.

With a few exceptions it's much easier to either poach your competitors or simply buy them outright, which is why "corporate espionage" is mainly employed by nation states these days that need to catch up. It's also important to note that stealing a design isn't that useful these days since you are too far gone; what would be more important, especially in the semi industry, is to know the characteristics of a specific design or process in order to be able to preemptively position your offerings to compete without giving up any unnecessary ground.


A malicious insider can always memorize the information to be exfiltrated. (See e.g. Ana Montes.)


Oh yeah you don’t have admin rights or they are restricted via UAC and an agent that allows you to promote only certain apps and then restricts inheritance of permissions from these apps.

In a restricted environment you will have several monitoring agents that track and enforce system integrity.


I’ve not seen this approach, but it’s definitely an interesting one. What do you do about the people who actually need production access?


Organizations that take security seriously use PAWs for production access.

https://docs.microsoft.com/en-us/windows-server/identity/sec...

Example of an actual implementation in the wild: https://uit.stanford.edu/service/paw


Well, bias towards "infrastructure as code" and minimise the need to actually access the servers. Read logs through Splunk, configure through version controlled Puppet (or similar tools).

The only machines that can actually SSH into prod at least have screen-session-recording software, perhaps are kept in a separate room, with a policy of two staff present at all times. The general idea is that the closer you actually get to being able to bypass the checks and controls, the more attention you bring to yourself and your errand.

Yes, it can't be Git and Puppet all the way down, at some point someone will necessarily have access to do something as root on the server that hosts the Git repo that Puppet runs from. But instead of that being every dev on every laptop anywhere in the world, you can make sure it's a very small group of people, from a small number of workstations.

This is difficult and requires a substantial and very competent team to implement correctly.


> On the OS level only HID devices were allowed via USB

Of course that's enough to run malware. Just inject Win+R, cmd, enter, <your shell code here>


You are missing the point: you don’t need a rubber ducky to input malware, all you need is a sheet of paper and some time.

On restricted workstations, even if you can run command prompt, which isn’t guaranteed, it won’t lead to anything.


To be fair, they are not completely locked down like I may have made it sound.

The usb port restriction is absolutely true for laptops, but colo desktops probably do not have this restriction, or just a more lax restriction. Also, it's not true for all laptops of the company, but usb access does require explicit permissions and a new-issue laptop, so they do have a list of people who have riskier laptops, and may need to be issued a different travel laptop vs engineering laptop.

The laptop's epoxied ports likely prevent distracted traveling workers from having their laptops hacked with usb-keys inserted when they aren't looking.


The solution I have seen for desktops is to put them inside a locked metal case.

You cannot access anything besides the power button.


I've seen the 'USB ports get taped up for a visiting engineers computer' thing before - so I wonder what they do with a MacBookPro nowadays (there is no separate display or power connector!)


They use a laptop suited for business, obviously.



Now you know why the PS/2 port is still around.


A docking station.


Can't you just move the usb ports around? What's the difference?

(Edit: Haven't --> Can't)


(Realizing this is from a week ago...)

A docking station usually has a lot more than just USB ports. Mine has three monitor connections, more USB ports than the laptop itself, a power connection, and an RJ-45 jack. One of the benefits is the expanded number of connectors. Another benefit is that I don't have to unplug half a dozen items to take the laptop with me; I just hit the eject button and pick the laptop up. In the same way, reconnecting all that stuff is achieved by just plopping the laptop onto the dock.

Best of both worlds: Portability of the laptop itself, and the easy expansion of the laptop's capabilities in situations where the expansion is useful (e.g. somewhere that I can keep a bunch of big monitors, and would benefit from a non-mobile work area).


Another common approach is thin clients that connect to VM's running on servers in protected rooms. My company does that. From there, most critical apps are web apps they monitor. Specific things that need Windows or Linux run in the VM's. There's even some solutions that support connecting USB devices to thin clients for use on remote VM's with some security on that process. I have no idea if that security is good but there's potential for secure devices designed for these use cases.


Are cases locked / glued shut? It seems like it would be easy enough to connect a new usb header...


While visiting a Chinese division of an American company I worked for about 8 years ago they had Dell desktops, in a tower configuration and they had a metal (steel) super structure around them. A case within a case.

You could unlock it, plug in USB, monitors, ethernet, etc., route the cables out through a slot and then lock it. You couldn't reach the different ports and sockets when it was locked. It was all relatively stout too.

Interestingly, they did have internet in the building but you had to have management permission and go to the security office to access it. If you wanted to download something, it was a fairly involved procedure. They were paranoid about people stealing their stuff and then also very paranoid about misappropriating something they shouldn't and creating legal problems in Europe or North America. They didn't seem to be all that concerned about stealing other people's IT but they wanted to control everything such that it didn't contaminate anything they wanted to sell where it mattered.

I nearly created a situation when I pulled out my phone to take a picture of an "engrish" sign they had on the wall.

It'll be interesting to see how the security culture in the US changes or doesn't; a lot of younger developers would be put off if you attempted to somehow restrict their access to the internet from work computers or restricted their ability to plug a phone or some arbitrary device in for charging or whatever. At every job I've had this century it has been fairly trivial to download nearly all of their source code and take it home if you wanted to. Trying to take the politics out of it, we're very much engaged in a cyber cold war with a number of nations that absolutely want to take our secrets; I won't speculate on the real impact but the Russians did meddle in our election.


> Are cases locked / glued shut? It seems like it would be easy enough to connect a new usb header...

Well sure. I think the idea is to prevent mistakes and people just randomly plugging usb sticks they get from conferences as gifts or when they work from home. People will forget and do that anyway even if it is the rule.

When someone starts disassembling the laptop or runs around with a screwdriver trying to get the epoxy out of the ports, it would be a bit hard to claim it was an accidental mistake. In that case, those people can probably find a way to exfiltrate data or to infect the system without the aid of USB keys.


or unplug a mouse for 5 seconds


If you're going through the trouble of epoxying USB ports, you could probably epoxy the mouse to its port as well.

Or just monitor connected USB devices and shutdown if something unapproved is installed, a la USBKill.

https://en.wikipedia.org/wiki/USBKill


If mouse is epoxied - cut the cable, cut and splice in a male->female cable, connect your device.


Doing so would trigger a USB disconnection event, which under a sufficiently paranoid ecosystem would immediately terminate the entire enclosure and lock the door and call security.


I think they are trying to discourage accidental use of/the urge to use the USB ports.


Epoxy is a pain, just use a sticky connector envelope instead.

USB disconnect disabling whole USB host is trivial to code. You would disable on disconnect instead of whitelisting as there can be USB host bugs. Add a boot password so that only admin can start the machine...

Plus there are solutions where drivers are also put in a VM to further reduce attack surface.
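
The USB policies discussed in this thread (HID-only devices, locking down on an unapproved device as USBKill does, and disabling the host on any disconnect) can be compared with a small simulation. This is an added example, not code from any commenter or from USBKill; the event format, port names, device IDs and the `PortGuard` class are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

HID_CLASS = 0x03           # USB interface class code: human interface device
MASS_STORAGE_CLASS = 0x08  # USB interface class code: mass storage


@dataclass(frozen=True)
class UsbEvent:
    action: str       # "add" or "remove"
    port: str         # physical port path (hypothetical naming)
    vid_pid: str      # vendor:product ID, self-reported by the device
    iface_class: int  # interface class, self-reported by the device


@dataclass
class PortGuard:
    enrolled: dict                    # port -> vid_pid recorded by the admin at boot
    latch_on_disconnect: bool = True  # disable the host on any enrolled-port unplug
    locked: bool = False
    log: list = field(default_factory=list)

    def handle(self, ev):
        if self.locked:
            # Host controller is off: nothing enumerates until an admin resets.
            verdict = "ignored-host-disabled"
        elif ev.action == "remove":
            if self.latch_on_disconnect and ev.port in self.enrolled:
                self.locked = True
                verdict = "lockdown-disconnect"
            else:
                verdict = "noted"
        elif ev.iface_class != HID_CLASS:
            # HID-only policy: no driver is bound to other device classes.
            verdict = "block-non-hid"
        elif self.enrolled.get(ev.port) != ev.vid_pid:
            # Unapproved HID device: lock down, in the spirit of USBKill.
            self.locked = True
            verdict = "lockdown-unapproved"
        else:
            verdict = "allow"
        self.log.append((ev.action, ev.port, ev.vid_pid, verdict))
        return verdict

    def admin_reset(self):
        # Stands in for the admin-only boot password mentioned above.
        self.locked = False


# Constructed sample: enrolled keyboard and mouse, then a sequence of port events.
ENROLLED = {"1-1": "aaaa:0001", "1-2": "aaaa:0002"}
SAMPLE_EVENTS = [
    UsbEvent("remove", "1-2", "aaaa:0002", HID_CLASS),        # mouse unplugged
    UsbEvent("add", "1-2", "aaaa:0002", HID_CLASS),           # same IDs reappear
    UsbEvent("add", "1-3", "bbbb:0003", MASS_STORAGE_CLASS),  # USB stick
    UsbEvent("add", "1-3", "cccc:0004", HID_CLASS),           # unknown HID device
]


def run(latch_on_disconnect):
    guard = PortGuard(dict(ENROLLED), latch_on_disconnect=latch_on_disconnect)
    return [guard.handle(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for mode in (False, True):
        print("latch" if mode else "allowlist-only", run(mode))
```

In allowlist-only mode the device that reappears on port 1-2 is accepted because the identity it is checked against is self-reported; with the latch enabled the disconnect itself is the trigger, so nothing after it is evaluated until an admin resets the guard.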


How can they prevent migration of talented people, given China's infinite war chest ?


> How can they prevent migration of talented people, given China's infinite war chest ?

The Renminbi is very difficult to convert.


I've never had a problem converting modest amounts of CNY <-> USD at any bank in China or in the USA. Are you referring to capital export controls (~100k CNY/year)?


> Are you referring to capital export controls (~100k CNY/year)?

Yes.


Sorry, this is not true.

I live and work in China and move far more than that a year. Also the NZ / Australian property markets are both in a bubble caused by Chinese cash investment by wealthy individuals; 100k CNY won't buy anything.

100k CNY is only 15k USD.


Are the capital restrictions only enforced on citizens or are there trivial workarounds? ("education" or "travel" expenses)


China is in China. Geography is a pretty good limitation against poaching.


Geography, politics, and ordinary racism against non-Chinese.


> the usb ports are disabled and the usb ports on new issue computers are epoxied to prevent trying to use them.

That means many current day laptops can't be charged.


They could glue in a USB data blocker, which is a thing that plugs into a USB port and has a USB socket on the other end and has the power lines connected between the port and socket but not the data lines.



