Skip to main content

Paranoia and Industrial Espionage

I have recently (yesterday) taken a project for work. It looks like it will be an interesting project, but that is all I can say about it. The reason that is all I can say is that I am under the mother of all NDAs, because the people my company is working with are crazy paranoid.

In order to work on this project, I have had to swear to maintain a secure working environment at all times, consisting of:

  • Either shutting down my laptop with a minimum 15-character BIOS password or locking it in Windows with a minimum 80-character password if I am not actively developing.

  • Locking my room at all times, when I am developing or when I am not in the room.

  • No one can be in the room at the same time as I am developing.

  • The directory where the files are must be encrypted using a passphrase with a minimum of 1024 bits of entropy (the English language has 1.0-1.5 bits of entropy per letter...)

  • The VoIP conferences I have had thus far to our partners on this and my own company regarding the project have been carried out by a custom app that encrypts the data stream with a 4096-bit encryption key.

  • The development computer cannot be, at any time while in the development OS, connected to any network of any kind, unless a special "firewall" is running which essentially asks our partners about the security of, from what I can tell, every packet.

  • Any files I not longer am using, be they source code, compiled files, or even little scratch notes must be shredded with a program from a very specific list of programs approved by our partners, minimum 7 passes, recommended 25, with at least four passes being random data, and the rest being zeroes.

  • Any paper documents I produce are expressly forbidden, but must be shredded with a specific list of shredders and then either incinerated or ground into pulp (my contact at our partners recommended using a blender or smoothie maker) and flushed.

  • Whiteboards have their own separate mention in the security document, which involves using paper towels and isopropyl alcohol to erase the board every five minutes, with the paper towels being required to be ground to pulp.

  • Wireless keyboards are banned for purposes of development and entering keys and passphrases.

  • DVI cables are banned for purposes of development.

  • I need to run a white-noise generator on my laptop to drown out any keystroke noise I make.

  • I had to generate a 4096-bit PGP key for my work email, and all messages regarding the project must be encrypted and signed. The key itself must be destroyed after this project is over.

  • Violations of this NDA carry a recommended $500,000 fine and a recommended 15-year jail term, and the NDA has a 75-year expiry date, no matter what happens to either of the two companies, unless the NDA is specifically lifted by our partners.

I am a little weirded out by all of this...I mean, I have been called paranoid before, but these people make me look like a little kid, trusting the nice stranger on the street with candy. I feel like I should be wearing a tin foil hat and winding a Faraday cage around my room. The security aspects of this project are taking significantly longer than the actual dev work, and I almost regret telling my boss I would help him with this, except that is by far the coolest project I have ever worked on.

In other news, I registered for (almost) all my courses for next semester last night. The one exception is Diff. Eq., which I want to take the half-semester course. However, Banweb refuses to allow me to take that unless I also take the half-semester Lin. Alg. course, for which I already have credit. This issue has already been sent to my advisor.


November 7 2008, 23:03:14

For the opposite end of the security spectrum today, I directed a copy of all the network traffic at the office I work at to my dev box so I could sniff it.