For sale: Your source code

• By Mike Gunderloy
• November 3, 2004

Well, maybe not yet. But what does the future hold for those who consider their source code an important proprietary asset?

Halloween this year featured more scary stuff than just ghosts and ghouls. It was also the day (at least in the Pacific time zone) when the Source Code Club posted their second Newsletter in a public Usenet group. Despite their innocent-sounding name, the Source Code Club is a group of hackers who are offering to sell the source to commercial products. Their current menu of source code for sale looks like this:

• Cisco Pix 6.3.1 - $24,000
• Enterasys Dragon IDS - $19.200
• Napster - $12,000

They also claim to have the source code for many other packages that they haven't announced publicly. "If you are requesting something from a Fortune 100 company, there is a good chance that we might already have it, they say. Now, you might think this business is blatantly illegal, and no doubt it is. But that doesn't necessarily mean it's impossible. They're posting their newsletter to Usenet, probably from an Internet cafe somewhere, so that's not traceable. They'll take orders the same way, and require orders to be encrypted using their PGP key, which is at least reasonably unbreakable at the moment. (As of this writing, I don't see any encrypted messages posted to the newsgroup they use, though). For payment, they're using e-gold, which claims to protect the anonymity of its account holders.

Now, it seems reasonably likely that the Source Code Club folks will eventually get caught; going up against Cisco's resources displays at least a strong conviction of invulnerability. But even if these guys get caught, there are deeper issues here. Ten years ago, no one could have dreamed of trying to set up such a business. Ten years from now, advances in cryptography, more forms of currency circulating on the Internet, and improvements in anonymity software are likely to make it impossible to catch a similar operation.

What will it mean when hacker groups can in fact do business this way with impunity? First, it's important to note that the ability to sell wares anonymously won't necessarily imply the ability to get inventory. Your best defense against having your own source code leaked is to pay careful attention to its physical security. These days, if I were developing an important commercial product, I'd make sure there was no path between my development or build machines and the public Internet. Hackers can do lots of things, but they still can't leap over physical disconnections. Second, I'd use software that prevents temporary storage devices (like USB sticks) from connecting to the network, and keep CD and DVD burners out of the development boxes as well.

It's also worth making sure that your business doesn't depend entirely on source code. While the intellectual property that goes into making software is certainly a valuable asset, it shouldn't be your only asset. Think about ancillary services like training, support, and customization in addition to simply selling software.

Finally, note that the Source Code Club business model is based on taking advantage of people wanting to know what's in the software that they purchase. About the pix code, they say "Many intelligence agencies/government organizations will want to know if those 1's and 0's in the pix image really are doing what was advertised. You must ask yourself how well you trust the pix images you download to your appliance from cisco.com." Microsoft (among other companies) has demonstrated how to remove this particular fear factor from customers: share your source code under controlled circumstances. That doesn't mean that you need to adapt an open source model, but when a big customer comes calling, why not walk their engineers through how things work and let them audit their own areas of concern?

Given the shifting landscape of intellectual property, and the threat from groups such as the Source Code Club, these are matters you need to think about sooner rather than later. Otherwise you may wake up some morning and find that your major asset has vanished without your even knowing it was in danger.