How much risk is exposing all the sources to a third party? [closed]

Question

I've been arguing with a co-worker about how necessary it is to wipe or destroy the hard disks that were used for storing the sources and are replaced with bigger ones or discarded.

His point is that no piece of source code exposed to a third party gives that party any competitive advantage. My point is that it only takes ten minutes to set up a wiping program and start it before leaving and in the morning you have a disk that contains no data that could be possibly recovered - doesn't hurt and compeletely removes the risk.

Now really how risky is it to throw away a hard drive containing a working copy of a repository of a commercial product having 10 million lines of source code?

Answer 1

The Drake Equation states that

N = R * d * p * e * c * x * y * z

where

N is the probability that doing this will result in the bankruptcy of your company, leaving you and all your co-workers unemployed and starving.

R is the number of hard drives discarded every year without first being erased

d is the fraction of those hard drives that are fished out of dumpsters

p is the fraction of recovered drives that are ever plugged in and fired up

e is the number of such drives that are subsequently listed on eBay because their contents look interesting

c is the number of competitors you have who browse eBay looking for trade secrets

x is the probability that your discarded drive contains something they can use

y is the probability that they do actually use that information

z is the probability that their use of such information ruins your company.

To estimate the risk that someone will work out it was you and sue/prosecute you for the damage you caused, calculate

(N / t) * m

where t is the number of people on your team, and m is the number of managers who are paying enough attention to work out who did what.

If you can prove that any of the coefficients involved is zero, then your strategy is risk-free. Otherwise there's a very small chance you'll bankrupt your company, starve your colleagues and end up in jail.

Answer 2

I also would not worry that much about leaking source code - the source alone is of limited value without the technical and domain knowledge required to use it. If you just want to copy stuff, you'll pirate the binary. Still, it's probably better to keep it private if you don't want to release it.

I'd be more concerned about private data on the drives. Private or confidential business email, test data with confidential information (think employee database or similar). That might cause you/your company lawsuits from affected parties.

So definitely wipe the disks. Even just checking that there's nothing sensitive on the disks is more work than just wiping them.

Answer 3

Without wiping it, it's very risky. If you see the disk on ebay, you'll find that most buyers will run a recovery software on it.

In order to sell it safely, it's enough to overwrite the whole disk once. The myth that it's possible to recover data after it has been overwritten is really a myth. Not even the NSA could do it.

If you don't have a special disk wiper, either use a script language to write a single big file onto the disk until it's full or format the disk and uncheck the "quick format" option. On Linux/Unix, use dd if=/dev/zero of=/dev/xxx and be really really sure that the device given is the correct one.

Answer 4

It all boils down to the unintended release of somebody's intellectual property with an associated value.

Who owns the Intellectual Property?

If it belongs to your company then the Board should be very annoyed to see an asset being released - it complicates corporate actions (Q. Is there any chance that other parties have access to this technology?)

SO WIPE THE DISK

If it belongs to a third party (perhaps work done by your company for them) then they'll be pissed (Q. Can we have our money back please?)

SO WIPE THE DISK

Aren't there any corporate IT standards in your organisation? Are you likely to get asked difficult questions?

SO WIPE THE DISK

Answer 5

I wouldn't take such a big risk. I'd do it on every hard disk I want to give/sell:

Boot up a Linux system from a Live CD/USB and run:

shred /dev/xxx

Answer 6

I'd say it depends on the source code. I'm sure Google wouldn't risk throwing a hard-drive away that contains their complete search algorithm. That would sell on Ebay. On the other hand, if yours is 'just another application' for some insurance company which won't interest any living soul except for you and the company itself, then why bother?

Then again, if you're really concerned, just grab a big hammer and smash your harddrive to smithereens.

Answer 7

While the source code may be of limited value to a 3rd party there is always a bit more in the source code than just pure statements, there may be comments describing algorithms or trade secrets, names/email addresses of programmers/customers or code describing some encryption scheme/copy protection. If somebody is knowledgeable and has patience he can learn a lot from the code.

The bottom line: better be safe than sorry.

Answer 8

It is a question of how to treat information.Any proprietary information, source code, documents, or any other type of information that can fall into the hands of a competitor, or anyone else that may misuse or take advantage, is simply to be avoided. Unless it needs huge investments, big chunks of your time, and is generally causes hassles for you, there is no reason not to cleanup before you throw it out of your sight.

I am nervous that IP and information security (even if someone didnt strictly classify it as such) is stilla matter of debate in most of our work zones.

Answer 9

Any malicious, competent person with your source code has a much better chance of finding security holes and exploits in your system, even ones that you might not be aware of.

It may not compile, but it's a tour-guide into your world. Wipe it.