This is a discussion on "Disabling screen prints by remote users?" within the Linux Security forums, part of the System Security and Security Related category.

Hi,

I have a machine which I am opening up to users (developers) across the internet. Since the work they are doing is IP copyrighted, I want to ensure as much as I can, that there is no unauthorised copying etc. I will be using an NDA and extensive logging (having decided which method yet). However, one last loophole exists - which is the ability of the remote user to take screen dumps/prints.

Is there a way to either disable screen prints or (at least) log such activity?

Many thanks

exquisitus wrote:
> Hi,
>
> I have a machine which I am opening up to users (developers) across the internet. Since the work they are doing is IP copyrighted, I want to ensure as much as I can, that there is no unauthorised copying etc. I will be using an NDA and extensive logging (having decided which method yet). However, one last loophole exists - which is the ability of the remote user to take screen dumps/prints.
>
> Is there a way to either disable screen prints or (at least) log such activity?
>
> Many thanks

no.

C.

Davide Bianchi wrote:
> On 2005-03-10, exquisitus <nebulla@alpha-centauri.com> wrote:
>
>> Is there a way to either disable screen prints or (at least) log such activity?
>
> Put a webcam on every desk.
>
> Seriously, how do you pretend to do such thing? And how do you pretend to avoid that the user grab a photocamera and take a snap of the screen then? And what about paper and pen?
>
> Davide

You make a valid point. However, even though I may not be able to stop a determined thief, I want to make it as difficult as possible, and I want to know if they have violated security.

It may seem a bit harsh, but my business depends on the software to give me an advantage over competitors. I can't do the dev myself so I have outsourced it, but I need to minimise the security risk as much as possible.

exquisitus wrote:
> Hi,
>
> I have a machine which I am opening up to users (developers) across the internet. Since the work they are doing is IP copyrighted, I want to ensure as much as I can, that there is no unauthorised copying etc. I will be using an NDA and extensive logging (having decided which method yet). However, one last loophole exists - which is the ability of the remote user to take screen dumps/prints.

Actually, I'd say that you have many related loopholes: your remote user could
  a) memorize the contents of the screen, or
  b) take a photo of the screen, or
  c) make a painting or sketch of the screen, or
  d) write down the contents of the screen, or
  e) dictate the contents of the screen into a recording device, or
  f) take a screen dump or screen print of the screen, or
  g) redirect the screen draw commands into a file for later playback, or
  h) use a screen capture program to make a 'videotape' of the screen, or
  .... you get the picture

> Is there a way to either disable screen prints or (at least) log such activity?

No. The only 100% reliable method of enforcing IP rights is to terminate the user. Permanently. A number of historical figures have used this technique to ensure that their craftsmen and scholars could not divulge proprietary information to unauthorized parties.

It /does/ have the disadvantage of removing the user from the pool of available talent, should you ever need a rewrite or fix, though :-(

--
Lew Pitcher
Master Codewright & JOAT-in-training | GPG public key available on request
Registered Linux User #112576 (http://counter.li.org/)
Slackware - Because I know what I'm doing.

On 2005-03-10, exquisitus <nebulla@alpha-centauri.com> wrote:
>
> I have a machine which I am opening up to users (developers) across the internet. Since the work they are doing is IP copyrighted, I want to ensure as much as I can, that there is no unauthorised copying etc. I will be using an NDA and extensive logging (having decided which method yet). However, one last loophole exists - which is the ability of the remote user to take screen dumps/prints.
>
> Is there a way to either disable screen prints or (at least) log such activity?

Despite what others have told you, there *is* a way to log such activity:

Hire someone to stand behind the programmer with a big log. Have the logger hit the programmer unconscious with it if they attempt a screen print. After a few such incidents, you won't need to worry about any of your programmers printing the screen.

--keith

--
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom
see X- headers for PGP signature information

On Thu, 10 Mar 2005 14:44:57 +0000 (UTC), exquisitus wrote:
> Davide Bianchi wrote:
>> exquisitus <nebulla@alpha-centauri.com> wrote:
>>
>>> Is there a way to either disable screen prints or (at least) log such activity?
>>
>> Put a webcam on every desk.
>>
>> Seriously, how do you pretend to do such thing? And how do you pretend to avoid that the user grab a photocamera and take a snap of the screen then? And what about paper and pen?
>
> You make a valid point. However, even though I may not be able to stop a determined thief, I want to make it as difficult as possible, and I want to know if they have violated security.
>
> It may seem a bit harsh, but my business depends on the software to give me an advantage over competitors. I can't do the dev myself so I have outsourced it, but I need to minimise the security risk as much as possible.

If you can't trust the programmers to not steal your "secrets", then you can't trust them to write your business software!! PERIOD.

A programmer can do MANY things to you that are much worse than just copying some of your precious custom software.

In my experience, clients that are ultra-paranoid and think that everyone is out to steal their "secrets", usually don't actually have anything to steal. Your competitors can hire programmers too, and develop their own apps.

But if you openly treat the programmers with suspicion & mistrust, you won't be able to hire (or keep) the best programmers. They won't work under those conditions, because they don't HAVE to.

There is NO magic piece of technology that will give you the power to control the thoughts & actions of your employees. That's more in the line of cult religion, than linux security.

In any case, you aren't asking questions about LINUX security, and personnel surveillance methods are off-topic here.

Julia Thorne wrote:
> Is there a way to either disable screen prints or (at least) log such activity?
>
> Put a webcam on every desk.
>
> Seriously, how do you pretend to do such thing? And how do you pretend to avoid that the user grab a photocamera and take a snap of the screen then? And what about paper and pen?

If you have non-disclosure agreements with your contractors you should also make VERY sure that all of the material you provide to them is marked as "Company Confidential". Talk to your lawyer to make sure your confidentiality statement is strong. All of your source code and all documentation that describes the software should have a statement explaining that this work is "important" to the company and has "great value".

If your work is marked you have a chance in court. If it isn't you don't have much if any chance. The simple fact is that if you don't tell people what is confidential and important to your company how can you expect them to know this -- even if you have an NDA. The NDA should say that you will have all important work so marked.

Many of the other replies are very valid too.

Barton L. Phillips wrote:
> Julia Thorne wrote:
>
>> Is there a way to either disable screen prints or (at least) log such activity?
>>
>> Put a webcam on every desk.
>>
>> Seriously, how do you pretend to do such thing? And how do you pretend to avoid that the user grab a photocamera and take a snap of the screen then? And what about paper and pen?
>
> If you have non-disclosure agreements with your contractors you should also make VERY sure that all of the material you provide to them is marked as "Company Confidential". Talk to your lawyer to make sure your confidentiality statement is strong. All of your source code and all documentation that describes the software should have a statement explaining that this work is "important" to the company and has "great value".
>
> If your work is marked you have a chance in court. If it isn't you don't have much if any chance. The simple fact is that if you don't tell people what is confidential and important to your company how can you expect them to know this -- even if you have an NDA. The NDA should say that you will have all important work so marked.
>
> Many of the other replies are very valid too.

Thank you for your rational response. This is not a matter of not trusting a programmer located half way across the world (they may be in a legal jurisdiction which to all practical intents and purposes renders an NDA useless). It is simple business sense. There is no sense (common or otherwise) in me exposing my fledgling business to such risks.

Unfortunately, in my experience - a lot of programmers (coders) have *absolutely* NO business sense.

I was merely carrying out due diligence regarding a potential threat. Thank you for all who have replied to this post however (no matter how colorful the response). My conclusion is that it is probably not worth proceeding along these lines, since it is financial suicide (not to mention lunacy) to naively expect anyone who has signed an NDA to comply. The problem of enforcement is not so much with native/local developers, but with developers overseas.

Thanks for your feedback

exquisitus wrote:
>
> Thank you for your rational response. This is not a matter of not trusting a programmer located half way across the world (they may be in a legal jurisdiction which to all practical intents and purposes renders an NDA useless). It is simple business sense. There is no sense (common or otherwise) in me exposing my fledgling business to such risks.
>
> Unfortunately, in my experience - a lot of programmers (coders) have *absolutely* NO business sense.
>
> I was merely carrying out due diligence regarding a potential threat. Thank you for all who have replied to this post however (no matter how colorful the response). My conclusion is that it is probably not worth proceeding along these lines, since it is financial suicide (not to mention lunacy) to naively expect anyone who has signed an NDA to comply. The problem of enforcement is not so much with native/local developers, but with developers overseas.
>
> Thanks for your feedback
>

One parting comment about NDAs and out-sourcing coding/programming. Your point is well taken regarding out sourced programming to other countries. It is very hard to be sure what you are up against. For one the patent and even Copyright laws differ from country to country, as well as the countries willingness to enforce any agreements with non-nationals.

I thought your comment about 'programmers (coders) have absolutely no business sense' was interesting as I have met/worked-for many managers, presidents, and CEOs who also had no business sense.

Here is a suggestion that might help. Instead of letting your out-sourced help look at your source code, provide them with interface documentation and a description of the work you want done. I know this is a lot of work but then again it will go a long way towards your understanding what it is you want and need done. If you give your programmers a clear API document and a clear specification of the work you need done you will both preserve your intellectual property (your source code), you will have a much better chance of getting reasonable estimates of the cost, and you will be a long way along in your end user documentation.

This is a bit of the black box approach used when people back engineer things. I know that I don't need to see all the code of a project in order to do a task if I know what and how to call the existing code. In fact a lot of the time it is better not to see existing code. If you never see the code you don't have to worry about accidentally breaching confidentiality.

All the things I said about marking documents as "Company Confidential" still holds with regards to the API and the specification however.

I hope this helps.

Barton L. Phillips wrote:
> exquisitus wrote:
>
>>
>> Thank you for your rational response. This is not a matter of not trusting a programmer located half way across the world (they may be in a legal jurisdiction which to all practical intents and purposes renders an NDA useless). It is simple business sense. There is no sense (common or otherwise) in me exposing my fledgling business to such risks.
>>
>> Unfortunately, in my experience - a lot of programmers (coders) have *absolutely* NO business sense.
>>
>> I was merely carrying out due diligence regarding a potential threat. Thank you for all who have replied to this post however (no matter how colorful the response). My conclusion is that it is probably not worth proceeding along these lines, since it is financial suicide (not to mention lunacy) to naively expect anyone who has signed an NDA to comply. The problem of enforcement is not so much with native/local developers, but with developers overseas.
>>
>> Thanks for your feedback
>>
> One parting comment about NDAs and out-sourcing coding/programming. Your point is well taken regarding out sourced programming to other countries. It is very hard to be sure what you are up against. For one the patent and even Copyright laws differ from country to country, as well as the countries willingness to enforce any agreements with non-nationals.
>
> I thought your comment about 'programmers (coders) have absolutely no business sense' was interesting as I have met/worked-for many managers, presidents, and CEOs who also had no business sense.
>
> Here is a suggestion that might help. Instead of letting your out-sourced help look at your source code, provide them with interface documentation and a description of the work you want done. I know this is a lot of work but then again it will go a long way towards your understanding what it is you want and need done. If you give your programmers a clear API document and a clear specification of the work you need done you will both preserve your intellectual property (your source code), you will have a much better chance of getting reasonable estimates of the cost, and you will be a long way along in your end user documentation.
>
> This is a bit of the black box approach used when people back engineer things. I know that I don't need to see all the code of a project in order to do a task if I know what and how to call the existing code. In fact a lot of the time it is better not to see existing code. If you never see the code you don't have to worry about accidentally breaching confidentiality.
>
> All the things I said about marking documents as "Company Confidential" still holds with regards to the API and the specification however.
>
> I hope this helps.
>

Very much so Barton, it does help. In fact I have just started doing something quite similar to what you suggested, before I read this post. Once it became obvious that I could not enforce the type of restriction I wanted. I am currently putting together an interface backed by a bridge design pattern that will allow me to achieve this level of security (as you may have guessed - I am a coder myself)

Many thanks for your help