[ISN] Source code stolen from U.S. software company in India

InfoSec News isn at c4i.org
Wed Aug 11 01:43:17 EDT 2004

Forwarded from: "David M. Bittlingmeier, MS, CISSP, PMP" <david at bittlingmeier.com>
Cc: weld at atstake.com

Chris ~ 

Having recently returned from a three week assignment reviewing
outsourcing in India I will point out that the 'Best of breed' in
India companies are less at risk than many U.S. companies.  While
policies and/or laws may or may not 'raise the bar' a MAJOR way to
protect from this is followed by those companies that wish too.  Much
like U.S. centric companies, there is no 'one size fits all' and each
vendor has to be reviewed to 'know' what the risks are or are not.  
Using the Internet is an easier 'risk' to overcome than say a USB 1GB
drive that can be plugged into a workstation (even a 64mb USB drive
which are almost free now a days).

The point, from my experience, is that each company has to be reviewed
and re-reviewed regularly to 'know' that the data is secured, be that
India, U.K., USA and other countries that I have reviewed.

Best Regards,


Sorry ~ If you can not receive HTML e-mails the formatting may be off


David M. Bittlingmeier, MS, CISSP, PMP

CISSP (Certified Information Systems Security Professional)

PMP (Project Management Professional Credential) 


Bittlingmeier and Associates 

Pacifica, Ca

*       E-mail:  david at bittlingmeier.com
(       Phone:  650.359.5005 
È       Mobile:  415.260.5170

WEBSITE:     www.bittlingmeier.com <http://www.bittlingmeier.com/> 


CONFIDENTIALITY NOTICE: This e-mail message and any attachments are for the
sole use of the intended recipient(s) and may contain proprietary,
confidential, trade secret or privileged information. Any unauthorized
review, use, disclosure or distribution is prohibited and may be a violation
of law. If you are not the intended recipient or a person responsible for
delivering this message to an intended recipient, please contact the sender
by reply e-mail and destroy all copies of the original message.

-----Original Message-----
From: isn-bounces at attrition.org [mailto:isn-bounces at attrition.org] On Behalf
Of InfoSec News
Sent: Monday, August 09, 2004 5:45 AM
To: isn at attrition.org
Subject: RE: [ISN] Source code stolen from U.S. software company in India

Forwarded from: Chris Wysopal <weld at atstake.com>


"The company said that according to a report obtained from its branch in
India, a recently hired software engineer used her Yahoo e-mail account,
which now allows 100MB of free storage space, to upload and ship the copied
files out of the research facility. The company detected the theft and is
trying to prevent the employee from further distributing the source code and
other confidential information."

What this means is large free web email storage facilities make intellectual
property theft easier.  Just zip and send an attachement to yourself.

But this is the real kicker:

"Though the Indian branch of Jolly Technologies requires employees to sign a
similar employment agreement, the sluggish Indian legal system and the
absence of intellectual property laws make it nearly impossible to enforce
such agreements, the company said.


The company said it has decided to delay further recruitment and halt
development activities in India until better legal safeguards are in place."

Is this true?  Can Indian employees steal source code with no legal
repercussions?  Wow, think of all the code that is outsourced to India these
days with no legal protections. And it is all a Yahoo file attachment away.


More information about the ISN mailing list