Your source code, for sale

R.A. Hettinga rah at shipwright.com
Wed Nov 3 16:24:43 PST 2004 

<http://www.adtmag.com/print.asp?id=10225>
 
 - ADTmag.com

Your source code, for sale

By Mike Gunderloy

Well, maybe not yet. But what does the future hold for those who consider
their source code an important proprietary asset?

Halloween this year featured more scary stuff than just ghosts and ghouls.
It was also the day (at least in the Pacific time zone) when the Source
Code Club posted their second Newsletter in a public Usenet group. Despite
their innocent-sounding name, the Source Code Club is a group of hackers
who are offering to sell the source to commercial products. Their current
menu of source code for sale looks like this:
	* 	Cisco Pix 6.3.1 - $24,000
	* 	Enterasys Dragon IDS - $19.200
	* 	Napster - $12,000

They also claim to have the source code for many other packages that they
haven't announced publicly. "If you are requesting something from a Fortune
100 company, there is a good chance that we might already have it, they
say. Now, you might think this business is blatantly illegal, and no doubt
it is. But that doesn't necessarily mean it's impossible. They're posting
their newsletter to Usenet, probably from an Internet cafe somewhere, so
that's not traceable. They'll take orders the same way, and require orders
to be encrypted using their PGP key, which is at least reasonably
unbreakable at the moment. (As of this writing, I don't see any encrypted
messages posted to the newsgroup they use, though). For payment, they're
using e-gold, which claims to protect the anonymity of its account holders.

Now, it seems reasonably likely that the Source Code Club folks will
eventually get caught; going up against Cisco's resources displays at least
a strong conviction of invulnerability. But even if these guys get caught,
there are deeper issues here. Ten years ago, no one could have dreamed of
trying to set up such a business. Ten years from now, advances in
cryptography, more forms of currency circulating on the Internet, and
improvements in anonymity software are likely to make it impossible to
catch a similar operation.

What will it mean when hacker groups can in fact do business this way with
impunity? First, it's important to note that the ability to sell wares
anonymously won't necessarily imply the ability to get inventory. Your best
defense against having your own source code leaked is to pay careful
attention to its physical security. These days, if I were developing an
important commercial product, I'd make sure there was no path between my
development or build machines and the public Internet. Hackers can do lots
of things, but they still can't leap over physical disconnections. Second,
I'd use software that prevents temporary storage devices (like USB sticks)
from connecting to the network, and keep CD and DVD burners out of the
development boxes as well.

It's also worth making sure that your business doesn't depend entirely on
source code. While the intellectual property that goes into making software
is certainly a valuable asset, it shouldn't be your only asset. Think about
ancillary services like training, support, and customization in addition to
simply selling software.

Finally, note that the Source Code Club business model is based on taking
advantage of people wanting to know what's in the software that they
purchase. About the pix code, they say "Many intelligence
agencies/government organizations will want to know if those 1's and 0's in
the pix image really are doing what was advertised. You must ask yourself
how well you trust the pix images you download to your appliance from
cisco.com." Microsoft (among other companies) has demonstrated how to
remove this particular fear factor from customers: share your source code
under controlled circumstances. That doesn't mean that you need to adapt an
open source model, but when a big customer comes calling, why not walk
their engineers through how things work and let them audit their own areas
of concern?

Given the shifting landscape of intellectual property, and the threat from
groups such as the Source Code Club, these are matters you need to think
about sooner rather than later. Otherwise you may wake up some morning and
find that your major asset has vanished without your even knowing it was in
danger.


Mike Gunderloy, MCSE, MCSD .NET, MCDBA is an independent software
consultant and author working in eastern Washington. He's the editor of
ADT's Developer Central newsletter and author of numerous books and
articles. You can reach him at MikeG1 at larkfarm.com.

This article originally appeared in the
November 2004 issue of Application Development Trends.


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

More information about the cypherpunks-legacy mailing list