The Ultimate Insider Threat

Justin Hall

Like many folks in the security industry, my early interest in computers was fueled by computer games. I started on the Commodore 64, playing Jumpman on my dad’s lap at age 3. Eventually I graduated from that platform to the x86 universe, and the combination of local computer shows and dialup BBSes gave me volumes of shareware games to explore.
 
“Shareware”, for you young kids, is what we old timers used to call game demos.
 
Of course, my favorites were those published by id Software. Catacombs of the Abyss, Commander Keen, Wolfenstein 3D, DOOM, and Quake - classics that shaped both the PC gaming industry and much of my adolescence. And so naturally one of my tech heroes has always been legendary id Software founder and programmer John Carmack.
 
Carmack left id Software in 2013 to work for VR startup Oculus, which was later acquired by Facebook. Oculus has been in court since 2014, accused by id Software owner ZeniMax Media of stealing intellectual property and using it in their product, a VR headset and accompanying software.
 
A ruling handed down on February 1 awarded ZeniMax $500 million, validating their claim that their code was indeed taken. The how of these kinds of cases is fascinating to me, and so I was stunned to read that the thief of the IP was none other than Carmack. ZeniMax’s statement describes the theft:
 
“...when he quit id Software, Carmack admitted he secretly downloaded and stole over 10,000 documents from ZeniMax on a USB storage device, as well as the entire source code to RAGE and the id tech® 5 engine...”
 
This is a classic example of the insider threat: a departing employee has the access, privileges, and understanding to obtain and subsequently use the most sensitive data in the company’s possession. There are a few other key takeaways here:
  • The information security industry often waves its arms about devastating IP theft by state-sponsored attackers from Russia, China, and Iran; in our experience, your average company is much more likely to experience data loss from an insider threat actor.
  • Not only is Oculus out half a billion dollars, it is likely ZeniMax will require them to cease use of the stolen source code. Think of the years they’ll need to spend recreating that material from scratch. As a company trying to convince a skeptical market to spend hundreds of dollars on their product, they may be facing serious technical hurdles that keep them from any meaningful progress.
  • Ultimately, ZeniMax would have had no case against Carmack without the forensic evidence that proved his actions. If you had an employee leave with your company’s crown jewels, would you know about it? Would you be able to prove it happened in a courtroom?